GRE Through ASA - No IPSec
I have an ASA connected to the Internet running PAT. A CME (3745) is sitting behind the ASA. I wish to create a GRE tunnel between the 3745 and a 2600 on the Internet.
Is it possible to pass GRE traffic through an ASA/PAT?
Thanks!
Tom
Yes,
You can permit gre traffic through the router if not already permitted and set up the tunnels on the routers. Does the remote rouer support VPN, or is it sitting behind a device that does? You should configure a l2l tunnel between the devices to encrypt the gre traffic as you don't want the TCP traffic between the sites to be captured and reassembled.
Similar Messages
-
GRE tunnel through asa no pptp, l2tp, ipsec
Hello!
can't understand how to configure GRE tunnel through ASA
i have one router with public ip, connected to internet
ASA 8.4 with public ip connected to internet
router with private ip behind ASA.
have only one public ip on ASA with /30 mask
have no crypto
have network behind ASA and PAT for internet users.
can't nat GRE? cause only TCP/UDP nated(?)
with packet-tracer i see flow already created but tunnel doesn't workA "clean" way would be to use a protocol that can be PATted. That could be GRE over IPSec. With that you have the additional benefit that your communication is protected through the internet.
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni -
Im in the middle of configuring Ip Phone SSL VPN through ASA, got stuck on authentication.. When I enter username and password on the phone screen, i get "Username and password failed" message on the screen. However, in ASA logs I see the following line
Feb 16 2011 15:12:57 725002 85.132.43.67 52684 Device completed SSL handshake with client vpn:85.132.*.*/52684
Feb 16 2011 15:17:26 725007 85.132.43.67 52745 SSL session with client vpn:85.132.*.*/52745 terminated.
What does it mean? How can I turn on debugging to see what is going on?
Thank you in advance!Hi,
If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password. If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided). Notice the 5 seconds between the SSL session establishment and termination, this is most likely when the user is being authenticated against the aaa server. If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure. The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'. If you want to see what's going on at an authentication protocol level you can enable several debugs including "debug aaa authentication|common|internal' and protocol specific debugs such as 'debug radius user|session|all' or 'debug ldap'.
Did this answer your question? If so, please mark it Answered! -
Cisco ASA 5505 Ipsec VPN and random connection dropping issues.
Hello,
We are currently having issues with a ASA 5505 Ipsec VPN. It was configured about 7-8 months ago and has been running very well..up until the last few weeks. For some reason, the VPN tends to randomly disconnect any user clients connected a lot. Furthermore, sometimes it actually connects; however does not put us on the local network for some reason and unable to browse file server. We have tried rebooting the ASA a few times and our ISP Time Warner informed us there are no signs of packet loss but still unable to pinpoint the problem. Sometimes users close out of VPN client completely, reopen several times and then it works. However it's never really consistent enough and hasn't been the last few weeks. No configuration changes have been made to ASA at all. Furthermore, the Cisco Ipsec VPN client version is: 5.0.70
Directly below is our current running config (modded for public). Any help or ideas would be greatly appreciated. Otherwise, if everything looks good...then I will defer back to our ISP Time Warner:
: Saved
ASA Version 8.4(2)
hostname domainasa
domain-name adomain.local
enable password cTfsR84pqF5Xohw. encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 205.101.1.240 255.255.255.248
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.2.60
domain-name adomain.local
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network SBS_2011
host 192.168.2.60
object network NETWORK_OBJ_192.168.2.0_24
subnet 192.168.2.0 255.255.255.0
object network NETWORK_OBJ_192.168.5.192_
27
subnet 192.168.5.192 255.255.255.224
object network Https_Access
host 192.168.2.90
description Spam Hero
object-group network DM_INLINE_NETWORK_1
network-object object SPAM1
network-object object SPAM2
network-object object SPAM3
network-object object SPAM4
network-object object SPAM5
network-object object SPAM6
network-object object SPAM7
network-object object SPAM8
object-group service RDP tcp
description Microsoft RDP
port-object eq 3389
access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 object SBS_2011 eq smtp
access-list outside_access_in extended permit tcp any object SBS_2011 eq https
access-list outside_access_in extended permit icmp any interface outside
access-list outside_access_in remark External RDP Access
access-list outside_access_in extended permit tcp any object SBS_2011 object-group RDP
access-list domain_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool test 192.168.10.1-192.168.10.5 mask 255.255.255.0
ip local pool VPN_Users 192.168.5.194-192.168.5.22
0 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_192.168.2.0_24
NETWORK_OBJ_192.168.2.0_24
destination static NETWORK_OBJ_192.168.5.192_
27 NETWORK_OBJ_192.168.5.192_
27 no-proxy-arp route-lookup
object network obj_any
nat (inside,outside) dynamic interface
object network SBS_2011
nat (inside,outside) static interface service tcp smtp smtp
object network Https_Access
nat (inside,outside) static interface service tcp https https
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 205.101.1.239 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-reco
rd DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.160-192.168.2.19
9 inside
dhcpd dns 192.168.2.60 24.29.99.36 interface inside
dhcpd wins 192.168.2.60 24.29.99.36 interface inside
dhcpd domain adomain interface inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy domain internal
group-policy domain attributes
wins-server value 192.168.2.60
dns-server value 192.168.2.60
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value domain_splitTunnelAcl
default-domain value adomain.local
username ben password zWCAaitV3CB.GA87 encrypted privilege 0
username ben attributes
vpn-group-policy domain
username sdomain password FATqd4I1ZoqyQ/MN encrypted
username sdomain attributes
vpn-group-policy domain
username adomain password V5.hvhZU4S8NwGg/ encrypted
username adomain attributes
vpn-group-policy domain
service-type admin
username jdomain password uODal3Mlensb8d.t encrypted privilege 0
username jdomain attributes
vpn-group-policy domain
service-type admin
tunnel-group domain type remote-access
tunnel-group domain general-attributes
address-pool VPN_Users
default-group-policy domain
tunnel-group domain ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e2466a5b754
eebcdb0cef
f051bef91d
9
: end
no asdm history enable
Thanks againHello Belnet,
What do the logs show from the ASA.
Can you post them ??
Any other question..Sure..Just remember to rate all of the community answers.
Julio -
Tracing a route passing through ASA
Hi Everyone,
Need help on tracing a route IP 192.168.27.0 that is passing through ASA
i did sh route on ASA
S 192.168.27.0 255.255.255.0 [1/0] via 192.168.101.14, Xnet
so this means that this ASA is learning this route statically through int Xnet right ?
when i do sh int on ASA it shows Xnet as interface.
what should be my next step?
also i am able to ping this IP from ASA but whne i do sh arp it does not show this IP 192.168.27.251 and mac address
Thanks
Mahesh
Message was edited by: mahesh parmarSo I presume you have ASA5550 or you have bought addiotional 4 GigabitEthernet module.
When you look at the ASA from the side where the physical ports are
The usual ports (without the module) should be in the Right side
The modules ports should be on the Left side
The module should contain 8 ports
4 Ports are for SFP slots (usually for fiber connections)
4 Ports are for basic Ethernet connectivity
The configuration should have some line "media-type" which defines which type is used "rj45" of "sfp"
rj45 for Ethernet
sfp for SFP module
So GigabitEthernet 1/2 port should be to my understanding either the Third Ethernet or Third SFP port of the module depending on the above port configuration mentioned (media-type rj45/sfp)
The ports GigabitEthernet0/0 - x are the ports that are in every ASA, Ports GigabitEthernet1/0 - x are the expansion modules ports
Hope this helps. Hopefully I remembered that right.
- Jouni -
Cannot establish site-site vpn tunnel through ASA 9.1(2)
Hi,
We use ASA 9.1(2) to filter traffic in/out of our organisation. A dept within the organisation also have a firewall. They want to establish a site-site VPN tunnel with a remote firewall. We have allowed full access between the public address of the dept firewall and the remote firewall and full access between the remote firewall address and the dept firewall address . We do not use NAT.
The site-site VPN tunnel fails to establish.
The dept sysadmin has requested that we enable IPSec Passthrough. From my reading this will not make any difference as we allow full access between the firewalls in both directions. Is that correct?
Has anyone encountered issues with ASA 9.1(2) interfering with site-site tunnels?
Regards>The dept sysadmin has requested that we enable IPSec Passthrough. From my reading this will not make any difference as we allow full access between the firewalls in both directions. Is that correct?
Yes, in that case, no IPsec-pass-through is needed. All you need is (in both directions):
UDP/500
UDP/4500 (also if you don't use NAT, the remote gateway could be located behind a NAT gateway)
IP/50
for testing ICMP/Echo
If you allowed full IP-access between these two endpoints, it is more than enough.
When they start testing, do you see a connection on your ASA. There should be at least UDP/500 traffic.
Can the two gateways ping each other? -
Securely Access Exchange Server 2007 through ASA 5510 using Outlook
Is there any way to access a MS Exchange Server 2007 on Windows server 2008 through an ASA 5510 running 8.4 with a full MS Outlook client (not using OWA - web browser)? OWA is currently working fine but I was wondering if access via the full Outlook client is possible and more importantly...is it opening up too many ports on my 5510? Any help is much appreciated!
~JohnHi John,
For that scenario, a remote access VPN is probably the best way to go (either the traditional IPSec client or SSL VPN/AnyConnect). This config guide lists your options on the ASA:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_ike.html
-Mike -
Unable to browse internet on a domain user's computer through ASA 5503 Firewall
Dear All,
I am trying to configure my new firewall for the last one month but still unable to fix it. I have a domain in windows 2012 standard edition and the firewall with unlimited license. Here is the output of show startup-config. Please note that prpgb.org is my local domain.
prpgbasa# show startup-config
: Saved
: Written by enable_15 at 02:50:45.169 PKT Thu Nov 20 2014
ASA Version 8.2(5)
hostname prpgbasa
domain-name prpgb.org
enable password AExqpLntfuzsVQrq encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.0.0.0
interface Vlan2
nameif outside
security-level 0
ip address 202.142.XXX.YY 255.255.255.252
ftp mode passive
clock timezone PKT 5
dns server-group DefaultDNS
domain-name prpgb.org
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 202.142.XXX.YZ 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd dns 10.0.0.2 255.0.0.0
dhcpd dns 208.67.222.222 208.67.220.220 interface inside
dhcpd lease 86400 interface inside
dhcpd domain prpgb.org interface inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:23c0af4b2ddf9e925f83ce13909ab900
prpgbasa#
You all are requested to have a look into the problem and suggest me the modifications.
ThanksDear All,
I have solved the issue. I have done the following in-order to browse internet on domain user computers. Here are the steps
1. I have disabled my internal DHCP server in the domain.
2. Then I have configured the ASA DHCP server in the default IP address scheme i.e. 192.168.1.100-200
3. I have Connected my ASA to a switch first then from there I connected a cable to my Domain's Server WAN interface. The LAN (192.168.1.2)interface of the Domain server is also plugged into the same switch.
4. I am using my Domain Server's DNS for name resolution and forward queries which are not served by my domain to open dns server.
It works perfectly so far but before applying or setting up the entire netowrk i want your help to look into the configuration file for corrections if i am making any mistakes. Thanks again for your help and here is the output of show confing.
prpgbasa# show startup
: Saved
: Written by Ghaffar at 02:11:24.319 PKT Mon Dec 8 2014
ASA Version 8.2(5)
hostname prpgbasa
domain-name prpgb.org
enable password AExqpLntfuzsVQrq encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ddns update hostname PRPGB.ORG
dhcp client update dns server both
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 202.142.XXX.YY 255.255.255.252
ftp mode passive
clock timezone PKT 5
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.1.2
domain-name prpgb.org
object-group network obj_any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 202.142.XXX.YY 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns 192.168.1.2 interface inside
dhcpd lease 86400 interface inside
dhcpd domain prpgb.org interface inside
dhcpd update dns both interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username ABC password FL01QCj0LaLWTID0 encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:7c4930a079158c0cb10a42813d3690cd
prpgbasa#
Please suggest me if there are any recomendations.
Thanks in advance.
Ghaffar -
Cisco ASA 5505 - IPsec Tunnel issue
Issue with IPsec Child SA
Hi,
I have a site to site VPN tunnel setup with a Cisco ASA5505 and a Checkpoint Firewall. The version of software is 9.22. I am using IKEv2 for Phase 1 encryption. The following is my cisco asa configuration:
hostname GARPR-COM1-WF01
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
interface Ethernet0/0
description Failover Link
switchport access vlan 950
interface Ethernet0/1
description Outside FW Link
switchport access vlan 999
interface Ethernet0/2
description Inside FW Link
switchport access vlan 998
interface Ethernet0/3
description Management Link
switchport access vlan 6
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan6
nameif management
security-level 100
ip address 10.65.1.20 255.255.255.240
interface Vlan950
description LAN Failover Interface
interface Vlan998
nameif inside
security-level 100
ip address 10.65.1.5 255.255.255.252
interface Vlan999
nameif outside
security-level 0
ip address ************* 255.255.255.248
boot system disk0:/asa922-4-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name ***************
object network North_American_LAN
subnet 10.73.0.0 255.255.0.0
description North American LAN
object network Queretaro_LAN
subnet 10.74.0.0 255.255.0.0
description Queretaro_LAN
object network Tor_LAN
subnet 10.75.0.0 255.255.0.0
description Tor LAN
object network Mor_LAN
subnet 10.76.0.0 255.255.0.0
description Mor LAN
object network Tus_LAN
subnet 10.79.128.0 255.255.128.0
description North American LAN
object network Mtl_LAN
subnet 10.88.0.0 255.255.0.0
description Mtl LAN
object network Wic_LAN
subnet 10.90.0.0 255.254.0.0
description Wic LAN
object network Wic_LAN_172
subnet 172.18.0.0 255.255.0.0
description Wic Servers/Legacy Client LAN
object network Mtl_LAN_172
subnet 172.19.0.0 255.255.0.0
description Mtl Servers/Legacy Client LAN
object network Tor_LAN_172
subnet 172.20.0.0 255.255.0.0
description Tor Servers/Legacy Client LAN
object network Bridge_LAN_172
subnet 172.23.0.0 255.255.0.0
description Bridge Servers/Legacy Client LAN
object network Mtl_WLAN
subnet 10.114.0.0 255.255.0.0
description Mtl Wireless LAN
object network Bel_WLAN
subnet 10.115.0.0 255.255.0.0
description Bel Wireless LAN
object network Wic_WLAN
subnet 10.116.0.0 255.255.0.0
description Wic Wireless LAN
object network Mtl_Infrastructure_10
subnet 10.96.0.0 255.255.0.0
description Mtl Infrastructre LAN
object network BA_Small_Site_Blocks
subnet 10.68.0.0 255.255.0.0
description BA Small Sites Blocks
object network Bel_LAN
subnet 10.92.0.0 255.255.0.0
description Bel LAN 10 Network
object network LAN_172
subnet 172.25.0.0 255.255.0.0
description LAN 172 Network
object network Gar_LAN
subnet 10.65.1.0 255.255.255.0
description Gar LAN
object network garpr-com1-wf01.net.aero.bombardier.net
host **************
description Garching Firewall
object-group network BA_Sites
description Internal Networks
network-object object BA_Small_Site_Blocks
network-object object Bel_LAN
network-object object Bel_LAN_172
network-object object Bel_WLAN
network-object object Bridge_LAN_172
network-object object Mtl_Infrastructure_10
network-object object Mtl_LAN
network-object object Mtl_LAN_172
network-object object Mtl_WLAN
network-object object Mor_LAN
network-object object North_American_LAN
network-object object Queretaro_LAN
network-object object Tor_LAN
network-object object Tor_LAN_172
network-object object Tus_LAN
network-object object Wic_LAN
network-object object Wic_LAN_172
network-object object Wic_WLAN
access-list 101 extended permit ip object garpr-com1-wf01.net.aero.bombardier.net object Bel_LAN_172
access-list 101 extended permit ip object Garching_LAN object-group BA_Sites
pager lines 24
logging enable
logging timestamp
logging buffered warnings
logging trap informational
logging asdm informational
logging host outside 172.25.5.102
mtu management 1500
mtu inside 1500
mtu outside 1500
failover
failover lan unit primary
failover lan interface Failover_Link Vlan950
failover polltime interface msec 500 holdtime 5
failover key *****
failover interface ip Failover_Link 192.168.124.1 255.255.255.0 standby 192.168.124.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static Gar_LAN Gar_LAN destination static BA_Sites BA_Sites no-proxy-arp route-lookup
route outside 0.0.0.0 0.0.0.0 ************* 1
route inside 10.65.1.0 255.255.255.255 10.65.1.6 1
route inside 10.65.1.16 255.255.255.240 10.65.1.6 1
route inside 10.65.1.32 255.255.255.240 10.65.1.6 1
route inside 10.65.1.48 255.255.255.240 10.65.1.6 1
route inside 10.65.1.64 255.255.255.240 10.65.1.6 1
route inside 10.65.1.128 255.255.255.128 10.65.1.6 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.65.1.0 255.255.255.0 inside
http 172.25.5.0 255.255.255.0 inside
http 10.65.1.21 255.255.255.255 management
snmp-server host inside 172.25.49.0 community ***** udp-port 161
snmp-server host outside 172.25.49.0 community *****
snmp-server host inside 172.25.5.101 community ***** udp-port 161
snmp-server host outside 172.25.5.101 community *****
snmp-server host inside 172.25.81.88 poll community *****
snmp-server host outside 172.25.81.88 poll community *****
snmp-server location:
snmp-server contact
snmp-server community *****
snmp-server enable traps syslog
crypto ipsec ikev2 ipsec-proposal aes256
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association pmtu-aging infinite
crypto map GARCH 10 match address 101
crypto map GARCH 10 set pfs group19
crypto map GARCH 10 set peer *******************
crypto map GARCH 10 set ikev2 ipsec-proposal aes256
crypto map GARCH 10 set security-association lifetime seconds 3600
crypto map GARCH interface outside
crypto ca trustpool policy
no crypto isakmp nat-traversal
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 19
prf sha256
lifetime seconds 86400
crypto ikev2 enable outside
telnet 10.65.1.6 255.255.255.255 inside
telnet timeout 5
ssh stricthostkeycheck
ssh 172.25.5.0 255.255.255.0 inside
ssh 172.19.9.49 255.255.255.255 inside
ssh 172.25.5.0 255.255.255.0 outside
ssh 172.19.9.49 255.255.255.255 outside
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 30
management-access inside
dhcprelay server 172.25.81.1 outside
dhcprelay server 172.25.49.1 outside
dhcprelay enable inside
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 172.19.109.41
ntp server 172.19.109.42
ntp server 172.19.9.49 source outside
tunnel-group ********* type ipsec-l2l
tunnel-group ********* ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:25ad9bf6db66a31e840ad96f49cd7e37
: end
I believe when a VPN tunnel is setup there should be one Child sa per subnet. The internal network of 10.65.1.0/24 should be setup with a child sa to the networks that were specified above depending on if there is traffic destined for them. What I am seeing is multiple child sa setup for the same subnet like the example below:
GARPR-COM1-WF01# sh crypto ikev2 sa | i 172.19
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
where for destination network 10.92.0.0/16 there is only one child sa:
GARPR-COM1-WF01# sh crypto ikev2 sa | i 10.92
remote selector 10.92.0.0/0 - 10.92.255.255/6553
Should this be the case or does anyone have any idea why there is multiple child sa setup for the same subnet?
Thanks
JonathanHi there,
I had same issue with PIX 506E and it was not even a circuit issue and I got ride of it and problem got fixed with PIX515E
I don't know, the device is too old to stay alive.
thanks -
Cisco ASA 5505 IPsec client VPN - Cannot connect to local hosts
I have created a Cisco IPsec vpn on my ASA using the VPN creation wizard. I am able to successfully connect to the vpn and seemingly join the network, but after I connect I am unable to connect to or ping any of the hosts on the network.
Checking the ASA I can see that a VPN session is open and my client reports that it is connected. If I attempt to ping the client from the ASA all packets are dropped.
I suspect it may be an issue with my firewall, but I am not really sure where to begin.
Here is a copy of my config, any pointers or tips are aprpeciated:
hostname mcfw
enable password Pt8fQ27yMZplioYq encrypted
passwd 2qaO2Gd6IBRkrRFm encrypted
names
interface Ethernet0/0
switchport access vlan 400
interface Ethernet0/1
switchport access vlan 400
interface Ethernet0/2
switchport access vlan 420
interface Ethernet0/3
switchport access vlan 420
interface Ethernet0/4
switchport access vlan 450
interface Ethernet0/5
switchport access vlan 450
interface Ethernet0/6
switchport access vlan 500
interface Ethernet0/7
switchport access vlan 500
interface Vlan400
nameif outside
security-level 0
ip address 58.13.254.10 255.255.255.248
interface Vlan420
nameif public
security-level 20
ip address 192.168.20.1 255.255.255.0
interface Vlan450
nameif dmz
security-level 50
ip address 192.168.10.1 255.255.255.0
interface Vlan500
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
ftp mode passive
clock timezone JST 9
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
network-object host 58.13.254.11
network-object host 58.13.254.13
object-group service ssh_2220 tcp
port-object eq 2220
object-group service ssh_2251 tcp
port-object eq 2251
object-group service ssh_2229 tcp
port-object eq 2229
object-group service ssh_2210 tcp
port-object eq 2210
object-group service DM_INLINE_TCP_1 tcp
group-object ssh_2210
group-object ssh_2220
object-group service zabbix tcp
port-object range 10050 10051
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
group-object zabbix
port-object eq 9000
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service http_8029 tcp
port-object eq 8029
object-group network DM_INLINE_NETWORK_2
network-object host 192.168.20.10
network-object host 192.168.20.30
network-object host 192.168.20.60
object-group service imaps_993 tcp
description Secure IMAP
port-object eq 993
object-group service public_wifi_group
description Service allowed on the Public Wifi Group. Allows Web and Email.
service-object tcp-udp eq domain
service-object tcp-udp eq www
service-object tcp eq https
service-object tcp-udp eq 993
service-object tcp eq imap4
service-object tcp eq 587
service-object tcp eq pop3
service-object tcp eq smtp
access-list outside_access_in remark http traffic from outside
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq www
access-list outside_access_in remark ssh from outside to web1
access-list outside_access_in extended permit tcp any host 58.13.254.11 object-group ssh_2251
access-list outside_access_in remark ssh from outside to penguin
access-list outside_access_in extended permit tcp any host 58.13.254.10 object-group ssh_2229
access-list outside_access_in remark http from outside to penguin
access-list outside_access_in extended permit tcp any host 58.13.254.10 object-group http_8029
access-list outside_access_in remark ssh from outside to hub & studio
access-list outside_access_in extended permit tcp any host 58.13.254.13 object-group DM_INLINE_TCP_1
access-list outside_access_in remark dns service to hub
access-list outside_access_in extended permit object-group TCPUDP any host 58.13.254.13 eq domain
access-list dmz_access_in extended permit ip 192.168.10.0 255.255.255.0 any
access-list dmz_access_in extended permit tcp any host 192.168.10.251 object-group DM_INLINE_TCP_2
access-list public_access_in remark Web access to DMZ websites (mediastudio/civicrm)
access-list public_access_in extended permit object-group TCPUDP any object-group DM_INLINE_NETWORK_2 eq www
access-list public_access_in remark General web access. (HTTP, DNS & ICMP and Email)
access-list public_access_in extended permit object-group public_wifi_group any any
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.0.80 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.0.64 255.255.255.192
pager lines 24
logging enable
logging timestamp
logging buffered notifications
logging trap notifications
logging asdm debugging
logging from-address [email protected]
logging recipient-address [email protected] level warnings
logging host dmz 192.168.10.90 format emblem
logging permit-hostdown
mtu outside 1500
mtu public 1500
mtu dmz 1500
mtu inside 1500
ip local pool OfficePool 192.168.0.80-192.168.0.90 mask 255.255.255.0
ip local pool VPN_Pool 192.168.0.91-192.168.0.99 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 60
global (outside) 1 interface
global (dmz) 2 interface
nat (public) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 2229 192.168.0.29 2229 netmask 255.255.255.255
static (inside,outside) tcp interface 8029 192.168.0.29 www netmask 255.255.255.255
static (dmz,outside) 58.13.254.13 192.168.10.10 netmask 255.255.255.255 dns
static (dmz,outside) 58.13.254.11 192.168.10.30 netmask 255.255.255.255 dns
static (inside,dmz) 192.168.10.0 192.168.0.0 netmask 255.255.255.0 dns
static (dmz,inside) 192.168.0.251 192.168.10.251 netmask 255.255.255.255
static (dmz,public) 192.168.20.30 192.168.10.30 netmask 255.255.255.255 dns
static (dmz,public) 192.168.20.10 192.168.10.10 netmask 255.255.255.255 dns
access-group outside_access_in in interface outside
access-group public_access_in in interface public
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 58.13.254.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.0 inside
http 59.159.40.188 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp dmz
sysopt noproxyarp inside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map public_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map public_map interface public
crypto isakmp enable outside
crypto isakmp enable public
crypto isakmp enable inside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 59.159.40.188 255.255.255.255 outside
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 20
console timeout 0
dhcpd dns 61.122.112.97 61.122.112.1
dhcpd auto_config outside
dhcpd address 192.168.20.200-192.168.20.254 public
dhcpd enable public
dhcpd address 192.168.10.190-192.168.10.195 dmz
dhcpd enable dmz
dhcpd address 192.168.0.200-192.168.0.254 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics host number-of-rate 2
no threat-detection statistics tcp-intercept
ntp server 130.54.208.201 source public
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 61.122.112.97 61.122.112.1
vpn-tunnel-protocol l2tp-ipsec
group-policy CiscoASA internal
group-policy CiscoASA attributes
dns-server value 61.122.112.97 61.122.112.1
vpn-tunnel-protocol IPSec
username mcit password 4alT9CZ8ayD8O8Xg encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
address-pool VPN_Pool
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group ocmc type remote-access
tunnel-group ocmc general-attributes
address-pool OfficePool
tunnel-group ocmc ipsec-attributes
pre-shared-key *****
tunnel-group CiscoASA type remote-access
tunnel-group CiscoASA general-attributes
address-pool VPN_Pool
default-group-policy CiscoASA
tunnel-group CiscoASA ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
smtp-server 192.168.10.10
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:222d6dcb583b5f5abc51a2251026f7f2
: end
asdm location 192.168.10.10 255.255.255.255 inside
asdm location 192.168.0.29 255.255.255.255 inside
asdm location 58.13.254.10 255.255.255.255 inside
no asdm history enableHi Conor,
What is your local net ? I see only one default route for outside network. Dont you need a route inside for your local network.
Regards,
Umair -
ASA 5505 IPSEC VPN connected but can't access to LAN
ASA : 8.2.5
ASDM: 6.4.5
LAN: 10.1.0.0/22
VPN Pool: 172.16.10.0/24
Hi, we purcahsed a new ASA 5505 and try to setup IPSEC VPN via ASDM; i just simply run the Wizards, setup vpnpool, split tunnelling,etc.
I can connect to the ASA by using cisco VPN client and internet works fine on the local PC, but it cannot access to the LAN (can't ping. can't remote desktop). I tried the same thing on our Production ASA(those have both Remote VPN and Site-to-site VPN working), the new profile i created worked fine.
Below is my configure, do I mis-configure anything?
ASA Version 8.2(5)
hostname asatest
domain-name XXX.com
enable password 8Fw1QFqthX2n4uD3 encrypted
passwd g9NiG6oUPjkYrHNt encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.253 255.255.252.0
interface Vlan2
nameif outside
security-level 0
ip address XXX.XXX.XXX.XXX 255.255.255.240
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name vff.com
access-list vpntest_splitTunnelAcl standard permit 10.1.0.0 255.255.252.0
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.252.0 172.16.10.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging trap warnings
logging asdm informational
logging device-id hostname
logging host inside 10.1.1.230
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 172.16.10.1-172.16.10.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server AD protocol nt
aaa-server AD (inside) host 10.1.1.108
nt-auth-domain-controller 10.1.1.108
http server enable
http 10.1.0.0 255.255.252.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.1.0.0 255.255.252.0 inside
ssh timeout 20
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpntest internal
group-policy vpntest attributes
wins-server value 10.1.1.108
dns-server value 10.1.1.108
vpn-tunnel-protocol IPSec l2tp-ipsec
password-storage disable
ip-comp disable
re-xauth disable
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpntest_splitTunnelAcl
default-domain value XXX.com
split-tunnel-all-dns disable
backup-servers keep-client-config
address-pools value vpnpool
username admin password WeiepwREwT66BhE9 encrypted privilege 15
username user5 password yIWniWfceAUz1sUb encrypted privilege 5
username user3 password umNHhJnO7McrLxNQ encrypted privilege 3
tunnel-group vpntest type remote-access
tunnel-group vpntest general-attributes
address-pool vpnpool
authentication-server-group AD
authentication-server-group (inside) AD
default-group-policy vpntest
strip-realm
tunnel-group vpntest ipsec-attributes
pre-shared-key BEKey123456
peer-id-validate nocheck
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:447bbbc60fc01e9f83b32b1e0304c6b4
: endI change a Machine's gateway to this ASA and capture again, now we can see some reply.
All ohter PCs and switches gateway are point to another ASA, maybe that's the reason why i didn't work?
what's the recommanded way to make our LAN to have two 2 gateways(for load balance or backup router, etc)?
add two gateways to all PCs and swtichwes?
1: 18:15:48.307875 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
2: 18:15:49.777685 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
3: 18:15:51.377147 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
4: 18:15:57.445777 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
5: 18:15:58.856324 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
6: 18:16:00.395090 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
7: 18:16:06.483464 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
8: 18:16:08.082805 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
9: 18:16:09.542406 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
10: 18:16:20.640424 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
11: 18:16:20.642193 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
12: 18:16:21.169607 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
13: 18:16:21.171210 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
14: 18:16:22.179556 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
15: 18:16:22.181142 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
16: 18:16:23.237673 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
17: 18:16:23.239291 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
18: 18:16:27.676402 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 50
19: 18:16:29.246935 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 50
20: 18:16:30.676921 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 50
21: 18:16:49.539660 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.233: icmp: echo request
22: 18:16:54.952602 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.233: icmp: echo request
23: 18:17:04.511463 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.233: icmp: echo request -
Asa 5505 Ipsec/ipad configuration
Hey Got some issues when setting up IPSEC/VPN on the asa 5505. I want to connect from the ipad with the built in IPSec client..
Get these errors when i run the debug crypto isakmp
Jan 28 22:03:26 [IKEv1]: Group = VPN_ipad, Username = Haq, IP = x.x.x.x, Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy
Jan 28 22:03:26 [IKEv1]: Group = VPN_ipad, Username = Haq, IP = x.x.x.x, QM FSM error (P2 struct &0xd5d5f3d8, mess id 0x295bc3a)!
Jan 28 22:03:26 [IKEv1]: Group = VPN_ipad, Username = Haq, IP = x.x.x.x, Removing peer from correlator table failed, no match!
There is a bunch of vpn site-to-site and ipsec vpn profiles setup and those works fine..?
Here is the running config sh run crypto:
crypto ipsec transform-set DES esp-des esp-md5-hmac
crypto ipsec transform-set 3DES-TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set 3DES-TRANS mode transport
crypto ipsec transform-set AES esp-aes esp-sha-hmac
crypto ipsec transform-set 3des esp-3des esp-md5-hmac
crypto ipsec transform-set IPAD-IPSEC esp-3des esp-sha-hmac
crypto ipsec transform-set IPAD-IPSEC mode transport
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map Plandent 10 set transform-set ESP-AES-128-SHA ESP-AES-256-SHA ESP-AES-128-MD5 ESP-AES-256-MD5 DES 3des 3DES-TRANS
crypto dynamic-map Plandent 10 set security-association lifetime seconds 84600
crypto dynamic-map Plandent 10 set security-association lifetime kilobytes 300000
crypto dynamic-map IPAD-MAP 5 set transform-set IPAD-IPSEC
crypto dynamic-map IPAD-MAP 5 set security-association lifetime seconds 28800
crypto dynamic-map IPAD-MAP 5 set security-association lifetime kilobytes 4608000
crypto map PD_VPN 10 match address ToGoteborg
crypto map PD_VPN 10 set peer PixGoteborg
crypto map PD_VPN 10 set transform-set DES
crypto map PD_VPN 10 set security-association lifetime seconds 84600
crypto map PD_VPN 10 set security-association lifetime kilobytes 4608000
crypto map PD_VPN 20 match address ToMalmo
crypto map PD_VPN 20 set peer PixMalmo
crypto map PD_VPN 20 set transform-set DES
crypto map PD_VPN 20 set security-association lifetime seconds 84600
crypto map PD_VPN 20 set security-association lifetime kilobytes 4608000
crypto map PD_VPN 30 match address ToPlanmeca
crypto map PD_VPN 30 set peer ASA_HKI ASA_HKI_BACKUP
crypto map PD_VPN 30 set transform-set AES
crypto map PD_VPN 30 set security-association lifetime seconds 86400
crypto map PD_VPN 30 set security-association lifetime kilobytes 4608000
crypto map PD_VPN 100 ipsec-isakmp dynamic Plandent
crypto map PD_VPN interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
crypto isakmp policy 30
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
Anyone have any tips and tricks on what can be wrong here, will really be appreciated
Thanks
ShaneWell i created a new tunnel-group and a new group policy its still give me this error? that the tunnel is rejected:
Conflicting protocols specified by tunnel-group and group-policy
But as you can see the ipsec is allowed?
tunnel-group PLANDENT_IPAD type remote-access
tunnel-group PLANDENT_IPAD general-attributes
address-pool IPAD_VPN
default-group-policy PLANDENT_IPAD_Policy
tunnel-group PLANDENT_IPAD ipsec-attributes
pre-shared-key *
group-policy PLANDENT_IPAD_Policy internal
group-policy PLANDENT_IPAD_Policy attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_ipad_splitTunnelAcl
/Shane -
I have a number of ASA 5505 boxes which I need to reconfigure to work with a Watchguard XTM 850 over IPsec. The 5505s were previously configured to connect back to a 5510 Firewall using EasyVPN. With EasyVPN still enabled, the remote boxes attempt to make a connection back, but there are a few settings such as Identity and Encryption types I need to modify to connect to the Watchguard firewalls. It appears that these settings cannot be changed with EasyVPN enabled. If I disable it, and change the identity and authentication settings, the boxes do not attempt to make a connection back. I'm not sure if what I am trying to do is even possible at this point, and I am in dire need of some direction.
It is not clear from this description what is the problem and it sounds like either some part of your config changes is not correct or that there is some mismatch between your config and the config of the remote device. A starting place would be to post your config (masking off sensitive information such as public addresses and passwords.
HTH
Rick -
Cisco ASA 5505 IPSec tunnel won't establish until remote site attempts to connect
I have a site to site IPSec tunnel setup and operational but periodically the remote site goes down, because of a somewhat reliable internet connection. The only way to get the tunnel to re-establish is to go to the remote site and simply issue a ping from a workstation on the remote network. We were having this same issue with a Cisco PIX 506E but decided to upgrade the hardware and see if that resolve the issue. It ran for well over a year and our assumtions was that the issue was resolved. I was looking in the direction of the security-association lifetime but if we power cycle the unit, I would expect that it would kill the SA but even after power cycling, the VPN does not come up automatically.
Any assistance would be appreciated.
ASA Version 8.2(1)
hostname KRPS-FW
domain-name lottonline.org
enable password uniQue
passwd uniQue
names
interface Vlan1
nameif inside
security-level 100
ip address 10.20.30.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
description Inside Network on VLAN1
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
description Inside Network on VLAN1
ftp mode passive
dns server-group DefaultDNS
domain-name lottonline.org
access-list NONAT extended permit ip 10.20.30.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list NONAT extended permit ip 10.20.30.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list NONAT extended permit ip 10.20.30.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list KWPS-BITP extended permit ip 10.20.30.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list KWPS-BITP extended permit ip 10.20.30.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list KWPS-BITP extended permit ip 10.20.30.0 255.255.255.0 192.168.15.0 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group OUTSIDE_ACCESS_IN in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.20.30.0 255.255.255.0 inside
http 10.20.20.0 255.255.255.0 inside
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYNMAP 65535 set transform-set ESP-AES-256-SHA
crypto map VPNMAP 1 match address KWPS-BITP
crypto map VPNMAP 1 set peer xxx.xxx.xxx.001
crypto map VPNMAP 1 set transform-set ESP-AES-256-SHA
crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map VPNMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
ssh timeout 5
console timeout 0
management-access inside
tunnel-group xxx.xxx.xxx.001 type ipsec-l2l
tunnel-group xxx.xxx.xxx.001 ipsec-attributes
pre-shared-key somekeyHi there,
I had same issue with PIX 506E and it was not even a circuit issue and I got ride of it and problem got fixed with PIX515E
I don't know, the device is too old to stay alive.
thanks -
Problem transfer TFTP through ASA 5505
Hello,
I have a problem with my ASA 5505, I am not able to transfer files bigger than 100ko using TFTP. Below my archiecture:
CME<->ASA5505<->SW3650
Here is what I get when I try to download a file located on the 3650 on my CME:
CME#copy tftp flash
Address or name of remote host [X.X.X.X]?
Source filename [cmterm-7942_7962-sccp.9-3-1SR4-1[1].tar]?
Destination filename [cmterm-7942_7962-sccp.9-3-1SR4-1[1].tar]?
Accessing tftp://X.X.X.X/cmterm-7942_7962-sccp.9-3-1SR4-1[1].tar...
Loading cmterm-7942_7962-sccp.9-3-1SR4-1[1].tar from 10.52.199.126 (via GigabitEthernet0/0): !... [timed out]
Error reading tftp://10.52.199.126/cmterm-7942_7962-sccp.9-3-1SR4-1[1].tar (Connection timed out)
When I look on the ASA monitoring page, I see that a UDP connection is built between the ASA and the SW3650 but 2 minutes later there are "Teardown UDP connection" messages.
Can you please help me? Due to this transfer issue, I am not able to upgrade my IP Phones (the phones only download the first 2 files because there are smaller than 100ko).
Thank you in advance for your help.
Regards.
Thomas.Default UDP connection time out is 2 minutes through the ASA.
You can modify the timeout values for the specific flow from a particular source to destination . Try changing the default connection timeout of UDP
ASA(config)# access-list CONNS permit udp host CME ip tftp serverip port
ASA(config)# class-map CONNS
ASA(config-cmap)#match access-list CONNS
ASA(config)# policy-map CONNS
ASA(config-pmap)# class CONNS
ASA(config-pmap-c)# set connection timeout idle 00:30:00
ASA(config)# service-policy CONNS {global | interface interface_name}
you can also globally change the timeout value of UDP using:
ASA(config)# timeout udp 00:30:00
Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_connlimits.html#wp1080774
HTH
"Please rate helpful posts"
Maybe you are looking for
-
How to change the name of column in ActionScript?
I possibly know how to change the name of the column in DataGrid using mxml but dont know how to change the name of column in DataGrid using ActionScript. var newDataGrid:DataGrid=new DataGrid(); newDataGrid.dataProvider=arrayCollection(): It
-
Portal error on KM Content tab
Hi Friends, We added new patch nw2004s sp10.then we got error in km content tab.Plz help regarding this Portal Runtime Error An exception occurred while processing a request for : iView : pcd:portal_content/super_admin/com.sap.portal.content_admini
-
Speed 700mhz too low for iPhoto 8?
I would like to upgrade to iPhoto 8 from my present iPhoto 4, but notice the minimum speed is 733mhz. As I only have 700mhz, does this mean iPhoto 8 would not work at all? Would I be better to go to something between 4 and 8? Would appreciate comment
-
Has anyone else had a problem or issue with their earpiece on the Q10 not working at all. I can make phone calls but only on speaker phone, or through the headphone jack. Phone hasn't been put in water or anything else, just stopped working one day l
-
Could we adjust the dBPa of a wav file by equalizer and then save the dBPa modified file to the other wav file for play? The equalizer should be controlled under 1/3 octave frequency band.