Help on establishing an IPsec tunnel between a 1941 and an ASA

We are creating an IPsec tunnel over the internet to another site but it is not working. Could someone help me with what could be happening?
My config:
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname XXXX
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
enable XXXXX
enable password XXXXXX
no aaa new-model
no ipv6 cef
ip source-route
ip cef
ip domain name yourdomain.com
ip name-server XXX.XXX.XXX.XXX
ip name-server XXX.XXX.XXX.XXX
multilink bundle-name authenticated
password encryption aes
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-4075439344
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4075439344
revocation-check none
rsakeypair TP-self-signed-4075439344
crypto pki certificate chain TP-self-signed-4075439344
certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 34303735 34333933 3434301E 170D3131 30393139 30323236
  34365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30373534
  33393334 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100A35E B6AC0BE0 57A53B45 8CF23671 F91A18AC 09F29E6D AEC70F4D EF3BDCD6
  269BFDED 44E26A98 7A1ABCAA DB756AFC 719C3D84 8B605C2A 7E99AF79 B72A84BC
  89046B2D 967BB775 978EF14D A0BD8036 523B2AE1 1890EB38 BCA3333B 463D1267
  22050A4F EAF4985A 7068024A A0425CE7 D3ADF5F5 C02B2941 67C9B654 6A7EF689
  049B0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 1408B59A 57733D6E 157876B3 72A91F28 F8D95BAB D2301D06
  03551D0E 04160414 08B59A57 733D6E15 7876B372 A91F28F8 D95BABD2 300D0609
  2A864886 F70D0101 05050003 81810094 ED574BFE 95868A5D B539A70F 228CC08C
  E26591C2 16DF19AB 7A177688 D7BB1CCB 5CFE4CB6 25F0DDEB 640E6EFA 58636DC0
  238750DD 1ACF8902 96BB39B5 5B2F6DEC CB97CF78 23510943 E09801AF 8EB54020
  DF496E25 B787126F D1347022 58900537 844EF865 36CB8DBD 79918E4B 76D00196
  DD9950CB A40FC91B 4BCDE0DC 1B217A
        quit
license udi pid CISCO1941/K9 sn FTX1539816K
license boot module c1900 technology-package securityk9
username XXXXXXXXXXXXXX
redundancy
crypto isakmp policy 60
encr aes
authentication pre-share
group 2
crypto isakmp key XXXXXXX address XXX.XXX.XXX.XXX
crypto isakmp profile mode
   keyring default
   self-identity address
   match identity host XXX.XXX.XXX.XXX
   initiate mode aggressive
crypto ipsec transform-set VPNbrasil esp-aes esp-sha-hmac
crypto map outside 60 ipsec-isakmp
set peer XXX.XXX.XXX.XXX
set transform-set VPNbrasil
set pfs group2
match address vpnbrazil
interface Tunnel0
ip unnumbered GigabitEthernet0/1
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
description WAN
ip address XXX.XXX.XXX.XXX 255.255.255.248
ip nat outside
no ip virtual-reassembly in
duplex full
speed 100
crypto map outside
interface GigabitEthernet0/1
description Intercon_LAN
ip address XXX.XXX.XXX.XXX 255.255.255.252
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
crypto map outside
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 2 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX name Internet
ip access-list extended natvpnout
permit ip host XXX.XXX.XXX.XXX any
permit ip any any
ip access-list extended vpnbrazil
permit icmp XXX.XXX.XXX.XXX 0.0.0.255 any
permit icmp any XXX.XXX.XXX.XXX 0.0.0.255
permit ip any any
access-list 1 permit any
access-list 2 permit XXX.XXX.XXX.XXX 0.0.0.1 log
access-list 2 permit XXX.XXX.XXX.XXX 0.0.0.7
access-list 3 permit XXX.XXX.XXX.XXX
access-list 23 permit XXX.XXX.XXX.XXX 0.0.0.7
access-list 23 permit any log
control-plane
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input all
telnet transparent
line vty 5
access-class 23 in
privilege level 15
login
transport input all
telnet transparent
line vty 6 15
access-class 23 in
access-class 23 out
privilege level 15
login local
transport input telnet ssh
transport output all
Could someone please help me with what could be wrong, and what tests should I do?
Rgds,
Luiz

Try a simple configuration without ISAKMP profiles.
Have a look at this link:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805e8c80.shtml
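
Before reworking a crypto map by hand it helps to have a mechanical check for the things a site-to-site IPsec configuration most often gets wrong. The script below is an added example, not part of this thread and not a Cisco tool. It runs over a constructed IOS configuration that mirrors the layout of the one posted above (RFC 5737 documentation addresses stand in for the poster's masked ones, and the pre-shared key is a placeholder) and reports crypto map entries whose transform-set or ACL is undefined, crypto ACLs containing "permit ip any any", peers with no matching "crypto isakmp key ... address", and a crypto map bound to more than one interface. It relies on the one-space sub-command indentation that "show running-config" prints, which the copy above has lost, so a posted config needs that indentation restored before it can be fed through.

```python
"""Lint an IOS site-to-site IPsec configuration for common mistakes.

Added example, not from the original thread or from Cisco. It checks that:
  * each crypto map entry references a defined transform-set and ACL,
  * the crypto ACL named by "match address" has no "permit ip any any",
  * each "set peer" has a matching "crypto isakmp key ... address",
  * a crypto map is bound to exactly one interface.
It relies on the one-space sub-command indentation of "show running-config"
to know which block a line belongs to; numbered access-lists are ignored.
"""
import re

# Constructed sample: same layout as the posted config, RFC 5737
# documentation addresses instead of the poster's masked ones.
SAMPLE_CONFIG = """\
crypto isakmp policy 60
 encr aes
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-KEY address 198.51.100.10
crypto ipsec transform-set VPNbrasil esp-aes esp-sha-hmac
crypto map outside 60 ipsec-isakmp
 set peer 198.51.100.20
 set transform-set VPNbrasil
 set pfs group2
 match address vpnbrazil
interface GigabitEthernet0/0
 ip address 192.0.2.2 255.255.255.248
 crypto map outside
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.252
 crypto map outside
ip access-list extended vpnbrazil
 permit icmp 10.0.0.0 0.0.0.255 any
 permit ip any any
"""


def parse(config):
    """Collect transform-sets, ISAKMP key peers, named ACLs, crypto map
    entries and the interfaces each crypto map is bound to."""
    transform_sets, key_peers, acls, maps, bound = set(), set(), {}, {}, {}
    ctx = None  # (kind, key) of the block the current sub-command belongs to
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():            # top-level command: new block
            ctx = None
            if m := re.match(r"crypto ipsec transform-set (\S+)", line):
                transform_sets.add(m.group(1))
            elif m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
                key_peers.add(m.group(1))
            elif m := re.match(r"ip access-list (?:extended|standard) (\S+)", line):
                ctx = ("acl", m.group(1))
                acls.setdefault(m.group(1), [])
            elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
                ctx = ("map", (m.group(1), m.group(2)))
                maps.setdefault(ctx[1], {"peer": None, "transform": None, "acl": None})
            elif m := re.match(r"interface (\S+)", line):
                ctx = ("intf", m.group(1))
            continue
        if ctx is None:
            continue
        kind, key = ctx
        if kind == "acl":
            acls[key].append(line)
        elif kind == "map":
            if m := re.match(r"set peer (\S+)", line):
                maps[key]["peer"] = m.group(1)
            elif m := re.match(r"set transform-set (\S+)", line):
                maps[key]["transform"] = m.group(1)
            elif m := re.match(r"match address (\S+)", line):
                maps[key]["acl"] = m.group(1)
        elif kind == "intf":
            if m := re.match(r"crypto map (\S+)$", line):
                bound.setdefault(m.group(1), []).append(key)
    return transform_sets, key_peers, acls, maps, bound


def lint(config):
    """Return a list of human-readable findings (empty means nothing flagged)."""
    transform_sets, key_peers, acls, maps, bound = parse(config)
    findings = []
    for (name, seq), entry in sorted(maps.items()):
        tag = f"crypto map {name} {seq}"
        if entry["transform"] not in transform_sets:
            findings.append(f"{tag}: transform-set {entry['transform']} is not defined")
        if entry["acl"] not in acls:
            findings.append(f"{tag}: match address {entry['acl']} names an undefined ACL")
        elif any(e.startswith("permit ip any any") for e in acls[entry["acl"]]):
            findings.append(f"{tag}: crypto ACL {entry['acl']} contains 'permit ip any any'")
        if entry["peer"] not in key_peers:
            findings.append(f"{tag}: no 'crypto isakmp key ... address {entry['peer']}' for the peer")
    for name, intfs in bound.items():
        if len(intfs) != 1:
            findings.append(f"crypto map {name}: bound to {len(intfs)} interfaces ({', '.join(intfs)})")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

The constructed sample trips three of the checks on purpose (key configured for a different address than the peer, a catch-all crypto ACL, and the map applied on two interfaces); once those three lines are corrected the same script returns an empty list, which is the state worth reaching before debugging phase 1 and phase 2 on the wire.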

Similar Messages

  • IPSEC tunnel with NAT and NetMeeting

    I have established an IPSEC tunnel with two Cisco 2621 routers. Clients over the Internet are able to dial into the MCU server, which is behind one of the Cisco 2621 routers configured with NAT, but the MCU is not able to call the client. The MCU is able to call any server or client on the LAN; however, it is not able to call anyone past the router configured with NAT. Could anyone who has experience with NAT and IPSEC help me out?
    Thanks,

    The following doc should help...
    http://www.cisco.com/warp/public/707/ipsecnat.html

  • IPSEC tunnel Phase 1 and 2

    Guys, I was checking the ASA config and we have many IPSEC tunnels.
    One of the IPSEC tunnels has the following:
    crypto map clientmap 40 set transform-set ESP-3DES-MD5 ESP-3DES-SHA
    What does the second one mean? Normally the other IPSEC tunnels have
    crypto map clientmap 14 set transform-set ESP-3DES-MD5
    What is a clientmap anyway? I will appreciate it if someone please explains.

    Hi,
    The "crypto map" settings belong to the Phase II portion of your VPN tunnel (with some exceptions).
    Here you usually define the following parameters (most common):
    1- Protected traffic, "match address" command.
    2- Transform-set, integrity and authentication.
    3- VPN peer.
    So the transform-set "ESP-3DES-SHA" probably is "esp-3des esp-sha-hmac" which means:
    ESP with the 3DES encryption algorithm.
    ESP with the SHA (HMAC variant) authentication algorithm,
    Now, you can have many valid combinations like "ESP-3DES-SHA" and "ESP-3DES-MD5", this would be useful in case you do not know which transform-set the other side of the tunnel has configured (there must be at least one perfect match).
    Here is a good link to set up L2L tunnels on ASAs:
    Configuring LAN-to-LAN VPNs
    Hope to help.
    Portu.
    Please rate any helpful posts
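
To make the "at least one perfect match" point concrete, here is an added example that is not from Portu's reply and not a Cisco tool. It parses the "crypto ipsec transform-set" definitions of two peers and the ordered proposal list of a crypto map entry (the ASA one-line form quoted in the question, "crypto map clientmap 40 set transform-set ESP-3DES-MD5 ESP-3DES-SHA", or the IOS sub-command form "set transform-set A B"), then walks the initiator's list in order and returns the first proposal the responder also has. Both configurations are constructed for the example; the names on the remote side (TS-AES, TS-3DES, remotemap) are made up, and the match is decided by the algorithm set, so differently named but identical transform-sets still match.

```python
"""Find the IPsec transform-set two peers can agree on.

Added example, not from the original thread or from Cisco. It parses
"crypto ipsec transform-set NAME <transforms>" lines from each side and the
ordered proposal list of a crypto map entry (ASA one-line form
"crypto map NAME SEQ set transform-set A B" or the IOS sub-command form
"set transform-set A B"), then returns the first proposal in the
initiator's order that the responder also has. Both configs below are
constructed; the remote names (TS-AES, TS-3DES) are made up for the example.
"""
import re

LOCAL_CONFIG = """\
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map clientmap 40 set transform-set ESP-3DES-MD5 ESP-3DES-SHA
"""

REMOTE_CONFIG = """\
crypto ipsec transform-set TS-AES esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TS-3DES esp-3des esp-sha-hmac
crypto map remotemap 10 ipsec-isakmp
 set transform-set TS-AES TS-3DES
"""

TS_RE = re.compile(r"crypto ipsec transform-set (\S+) (.+)")
PROPOSAL_RE = re.compile(r"(?:crypto map \S+ \d+ )?set transform-set (.+)")


def parse_proposals(config):
    """Return [(name, frozenset_of_transforms), ...] in proposal order.
    Order inside a transform-set is irrelevant to a match; the order of
    the proposals is the preference the crypto map entry expresses."""
    sets, order = {}, []
    for raw in config.splitlines():
        line = raw.strip()
        if m := TS_RE.match(line):
            sets[m.group(1)] = frozenset(m.group(2).split())
        elif m := PROPOSAL_RE.match(line):
            order = m.group(1).split()
    return [(name, sets[name]) for name in order if name in sets]


def negotiate(initiator_config, responder_config):
    """First initiator proposal the responder also offers, as
    (initiator_name, responder_name, sorted transforms); None if no
    transform-set is identical on both sides (phase 2 then fails)."""
    responder = parse_proposals(responder_config)
    for iname, itrans in parse_proposals(initiator_config):
        for rname, rtrans in responder:
            if itrans == rtrans:
                return iname, rname, sorted(itrans)
    return None


if __name__ == "__main__":
    print(negotiate(LOCAL_CONFIG, REMOTE_CONFIG))
```

With the constructed inputs the first local proposal (3DES/MD5) has no counterpart on the remote side, so the second one (3DES/SHA) is chosen, which is exactly the situation a second transform-set in the crypto map line is there to cover.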

  • Help getting GRE IPsec tunnel setup

    We are setting up an old office building as an offsite data center. The network consists of a PIX 501 firewall and a 2811 router. I am attempting to set up a GRE tunnel over IPsec back to the main office. The main office consists of a PIX515, a 2821 router, and a 2921 router.
    There is also an ASA5510 in our main office that is used as our primary connection for all of our external services and as a GRE endpoint for our other offices.  The PIX515 is used to connect our main office clients to the internet and we would like traffic between it and our offsite data center to go across it as well.   The default route is to use the ASA.   We used policy based routing on the 2821 and 2921 routers to direct the appropriate traffic to the PIX515.   
    I have attached a PDF that shows a general overview. 
    Right now I am not able to get the tunnel set up. It appears that the offsite datacenter is sending packets but is not receiving any when I issue the “show crypto ipsec sa” command on both firewalls. I will show the output of that command below.
    Main Office
    The external address     198.40.227.50.
    The loopback address   10.254.10.6
    The tunnel address        10.2.60.1
    Offsite Datacenter
    The external address     198.40.254.178
    The loopback address   10.254.60.6
    The tunnel address        10.2.60.2
    The main office PIX515 Config (Edited – if I am missing something that you need please let me know).
    PIX Version 7.2(2)
    interface Ethernet0
    mac-address 5475.d0ba.5012
    nameif outside
    security-level 0
    ip address 198.40.227.50 255.255.255.240
    interface Ethernet1
    nameif inside
    security-level 100
    ip address 10.10.10.3 255.255.0.0
    access-list outside_cryptomap_60 extended permit gre host 10.254.10.6 host 10.254.60.6
    access-list outside_cryptomap_60 extended permit ip host 10.254.10.6 host 10.254.60.6
    global (outside) 1 interface
    nat (outside) 1 10.60.0.0 255.255.0.0
    nat (inside) 0 access-list noNat
    route outside 0.0.0.0 0.0.0.0 198.40.227.49 1
    route inside 10.60.0.0 255.255.0.0 10.10.10.1 1
    route inside 10.254.10.6 255.255.255.255 10.10.10.253 1
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map ClientVPN_dyn_map 10 set transform-set ESP-3DES-SHA
    crypto map cr-lakeavemap 10 match address outside_cryptomap_60
    crypto map cr-lakeavemap 10 set peer 198.40.254.178
    crypto map cr-lakeavemap 10 set transform-set ESP-3DES-SHA
    crypto map cr-lakeavemap 65535 ipsec-isakmp dynamic ClientVPN_dyn_map
    crypto map cr-lakeavemap interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp nat-traversal  20
    tunnel-group DefaultRAGroup ipsec-attributes
    isakmp keepalive threshold 10 retry 2
    tunnel-group 198.40.254.178 type ipsec-l2l
    tunnel-group 198.40.254.178 ipsec-attributes
    The offsite datacenter PIX501 config (again edited)
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    access-list crvpn permit gre host 10.254.60.6 host 10.254.10.6
    access-list crvpn permit ip host 10.254.60.6 host 10.254.10.6
    mtu outside 1500
    mtu inside 1500
    ip address outside 198.40.254.178 255.255.255.240
    ip address inside 10.60.10.2 255.255.0.0
    route outside 0.0.0.0 0.0.0.0 198.40.254.177 1
    route inside 10.2.60.2 255.255.255.255 10.60.10.1 1
    route inside 10.254.60.6 255.255.255.255 10.60.10.1 1
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map ClientVPN_dyn_map 10 match address ClientVPN
    crypto dynamic-map ClientVPN_dyn_map 10 set transform-set ESP-3DES-SHA
    crypto map cr-lakeavemap 10 ipsec-isakmp
    crypto map cr-lakeavemap 10 match address crvpn
    crypto map cr-lakeavemap 10 set peer 198.40.227.50
    crypto map cr-lakeavemap 10 set transform-set ESP-3DES-SHA
    crypto map cr-lakeavemap 65535 ipsec-isakmp dynamic ClientVPN_dyn_map
    crypto map cr-lakeavemap client authentication LOCAL
    crypto map cr-lakeavemap interface outside
    isakmp enable outside
    isakmp key ******** address 198.40.227.50 netmask 255.255.255.255
    isakmp identity address
    isakmp keepalive 10
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    Output of the “show crypto ipsec sa” command
    From the main office
    Crypto map tag: cr-lakeavemap, seq num: 10, local addr: 198.40.227.50
           access-list outside_cryptomap_60 permit gre host 10.254.10.6 host 10.254.60.6
           local ident (addr/mask/prot/port): (10.254.10.6/255.255.255.255/47/0)
           remote ident (addr/mask/prot/port): (10.254.60.6/255.255.255.255/47/0)
           current_peer: 198.40.254.178
           #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
           #pkts decaps: 18867, #pkts decrypt: 18867, #pkts verify: 18867
           #pkts compressed: 0, #pkts decompressed: 0
           #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
           #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
           #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
           #send errors: 0, #recv errors: 0
           local crypto endpt.: 198.40.227.50, remote crypto endpt.: 198.40.254.178
           path mtu 1500, ipsec overhead 58, media mtu 1500
           current outbound spi: D78E63C9
          inbound esp sas:
          spi: 0x5D63434C (1566786380)
             transform: esp-3des esp-sha-hmac none
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 2, crypto-map: cr-lakeavemap
             sa timing: remaining key lifetime (kB/sec): (4274801/7527)
             IV size: 8 bytes
             replay detection support: Y
        outbound esp sas:
          spi: 0xD78E63C9 (3616433097)
             transform: esp-3des esp-sha-hmac none
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 2, crypto-map: cr-lakeavemap
             sa timing: remaining key lifetime (kB/sec): (4275000/7527)
             IV size: 8 bytes
             replay detection support: Y
    From the offsite datacenter
       local  ident (addr/mask/prot/port): (10.254.60.6/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (10.254.10.6/255.255.255.255/47/0)
       current_peer: 198.40.227.50:500
       dynamic allocated peer ip: 0.0.0.0
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 22360, #pkts encrypt: 22360, #pkts digest 22360
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
        #send errors 1156, #recv errors 0
         local crypto endpt.: 198.40.254.178, remote crypto endpt.: 198.40.227.50
         path mtu 1500, ipsec overhead 56, media mtu 1500
         current outbound spi: 5d63434c
         inbound esp sas:
          spi: 0xd78e63c9(3616433097)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 1, crypto map: cr-lakeavemap
            sa timing: remaining key lifetime (k/sec): (4608000/6604)
            IV size: 8 bytes
            replay detection support: Y
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
          spi: 0x5d63434c(1566786380)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 2, crypto map: cr-lakeavemap
            sa timing: remaining key lifetime (k/sec): (4607792/6596)
            IV size: 8 bytes
            replay detection support: Y
         outbound ah sas:
         outbound pcp sas:
    I'm not sure where the issue lies and have beat my head on this for a while, so any help/insight is greatly appreciated. If there is anything else you'd like to see please let me know.

    Hi Joe,
    This should be moved to a VPN forum; however, something comes up really quickly from the problem. Here:
       #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    That's from the PIX on the main office, so I think the GRE traffic is either not getting there or not being encrypted. I am assuming 10.254.10.6 is the IP address of the router behind the main office, is that correct?
    If so, I would put a capture on the PIX to see if the GRE traffic is getting to that PIX on the inside (unencrypted but encapsulated in GRE) and make sure that it is not being dropped. To ensure that, you can see the logs on the PIX and see if the firewall is dropping the GRE prior to it being encrypted.
    Also, a packet tracer can be run to ensure that the traffic has a VPN phase, which would indicate that it is following the correct phases and it would be encrypted.
    Let me know.
    Mike Rojas.
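
Mike's reading of the counters (decaps climbing while encaps stays at zero on one end, the mirror image on the other) can be automated for both output formats in this post. The following is an added example, not from the thread and not a Cisco tool. It parses the "#pkts encaps"/"#pkts decaps" and "#send errors"/"#recv errors" fields of "show crypto ipsec sa", accepting the PIX 7.x spelling with a colon and the PIX 6.3 spelling without one, records the local and remote identities and the peer, and classifies an SA as bidirectional, receive-only, send-only or idle. The two sample texts are trimmed copies of the outputs posted above with the same counters.

```python
"""Classify IPsec SAs from "show crypto ipsec sa" by traffic direction.

Added example, not from the original thread or from Cisco. It reads the
"#pkts encaps" and "#pkts decaps" counters, "#send errors"/"#recv errors",
the local and remote identities and the peer, accepting both the PIX 7.x
spelling ("#pkts digest: 0") and the PIX 6.3 spelling ("#pkts digest 0",
no colon). The two sample texts are trimmed copies of the outputs posted
in the thread above.
"""
import re

MAIN_OFFICE = """\
Crypto map tag: cr-lakeavemap, seq num: 10, local addr: 198.40.227.50
       local ident (addr/mask/prot/port): (10.254.10.6/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (10.254.60.6/255.255.255.255/47/0)
       current_peer: 198.40.254.178
       #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
       #pkts decaps: 18867, #pkts decrypt: 18867, #pkts verify: 18867
       #send errors: 0, #recv errors: 0
"""

OFFSITE = """\
   local  ident (addr/mask/prot/port): (10.254.60.6/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.254.10.6/255.255.255.255/47/0)
   current_peer: 198.40.227.50:500
    #pkts encaps: 22360, #pkts encrypt: 22360, #pkts digest 22360
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 1156, #recv errors 0
"""

COUNTER_RE = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors):?\s*(\d+)")
IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^)]*)\)")
PEER_RE = re.compile(r"current_peer:\s*(\S+)")


def parse_sa(text):
    """Parse one SA block into identities, peer and the four counters."""
    sa = {"local_ident": None, "remote_ident": None, "peer": None,
          "pkts encaps": 0, "pkts decaps": 0, "send errors": 0, "recv errors": 0}
    for line in text.splitlines():
        if m := IDENT_RE.search(line):
            sa[m.group(1) + "_ident"] = m.group(2)
        elif m := PEER_RE.search(line):
            sa["peer"] = m.group(1).split(":")[0]   # PIX 6.3 appends ":500"
        for m in COUNTER_RE.finditer(line):
            sa[m.group(1)] = int(m.group(2))
    return sa


def diagnose(sa):
    """One-line verdict on which direction this SA has actually carried."""
    enc, dec = sa["pkts encaps"], sa["pkts decaps"]
    flow = f"{sa['local_ident']} -> {sa['remote_ident']}"
    if enc and dec:
        return f"bidirectional: {enc} encapsulated, {dec} decapsulated"
    if dec and not enc:
        return (f"receive-only: {dec} decapsulated from {sa['peer']} but nothing matching "
                f"{flow} was encrypted; check that the traffic reaches this box and "
                "is not dropped before the crypto map")
    if enc and not dec:
        return (f"send-only: {enc} encapsulated for {flow}, nothing received; "
                f"{sa['send errors']} send errors; check the peer's counters")
    return "idle: no packets in either direction"


def mirrored(a, b):
    """True when the two ends describe the same flow from opposite sides."""
    return a["local_ident"] == b["remote_ident"] and a["remote_ident"] == b["local_ident"]


if __name__ == "__main__":
    for name, text in (("main office", MAIN_OFFICE), ("offsite", OFFSITE)):
        print(name, "->", diagnose(parse_sa(text)))
```

On a real box, paste the output of one crypto map entry at a time; mirrored() confirms that both ends agree on the protected flow before the counters are compared, which rules out a crypto ACL mismatch as the explanation for one side never encrypting.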

  • Remote site redundancy IPSEC VPN between 2911 and ASA

    We already have IPSEC VPN connectivity established between sites but would like to introduce some resilience/redundancy at a remote site.
    Site A has an ASA with one internet circuit.
    Site B has a Cisco 2911 with one internet circuit and we have established site-to-site IPSEC VPN connectivity between the 2911 and the ASA.
    Prior to getting the new internet circuit, Site B had a Cisco 877 with an ADSL line which are still available but aren’t currently in use.
    The internet circuit at Site B has dropped a few times recently so we would like to make use of the ADSL circuit (and potentially the 877 router too) as a backup.
    What is the best way of achieving this?
    We thought about running HSRP between the 877 and 2911 routers at Site B and, in the event of a failure of the router or internet circuit, traffic would failover to the 877 and ADSL.
    However, how would Site A detect the failure? Can we simply rely on Dead Peer Detection and list the public IP address of the internet circuit at Site B first with the public IP address used on the ADSL line second in the list on the ASA? What would happen in a failover scenario and, just as important, when service was restored – I’m not sure DPD would handle that aspect correctly?
    I’ve read briefly elsewhere that GRE might be best to use in this scenario – but I can’t use GRE on the ASA. I have an L3 switch behind the ASA which I may be able to make use of? But I don’t want to disrupt the existing IPSEC VPN connectivity already established between the ASA and the 2911. Can I keep IPSEC between the ASA and 2911 but then run GRE between the L3 switch and the 2911? If so, how would this best be achieved? And how could I also introduce the 877 and ADSL line into things to achieve the necessary redundancy?
    Any help/advice would be appreciated!

    Hello,
    I don't think a GRE tunnel that you could set up on the switch behind the ASA would be really helpful. You still want to establish the site-to-site tunnel between the ASA and some routers, but it is still the ASA which needs to make the decision about which peer to connect to.
    A possible solution would be to do HSRP between both routers on the LAN side, with two independent tunnels/crypto maps (one on each of them). On the ASA you would need to set up two hosts in set peer. The problem with this solution is that if one router at site B goes down and the second ADSL line takes over, the ASA will not preempt after your main Internet connection is up again. This would happen after the ADSL Internet connection goes down.
    The solution to that would be to assign two different public IP addresses on two different interfaces of the ASA. Then you attach two crypto maps to both interfaces and, by using sla monitor (let's say ICMP to the main router; if it does not respond then you change routing for the remote LAN to the second interface), you are selecting which crypto map (with one peer this time) should be used.
    I hope what I wrote makes some sense.

  • IPSec Tunnel established but not able to reach remote Local subnet

    Hi,
    We established an IPsec tunnel. It was active, but I found the following issue. Please give your suggestion on how to troubleshoot it.
    1. 192.168.50.0/24 (Site A) is able to reach 192.168.90.0/24 (Site B) and vice versa.
    2. 192.168.30.0/24 (Site C) is able to reach 192.168.50.0/24 (Site A) but not vice versa.
    3. 192.168.10.0/24, 155.220.21.175 (Site A) reach 192.168.90.0/24 (Site B) and vice versa, but do not reach 192.168.50.0/24 (Site A).
    I want to access 192.168.30.0/24, 192.168.10.0/24, 155.220.21.175 (Site C) from 192.168.50.0/24 (Site A).
    Additionally, the tunnel is only established if active traffic is sent from site B.
    Thanks & Rgds,
    Dhaval Dikshit

    Thanks, Punit. Additionally I found the following error; it might bring us nearer to a solution. Please suggest if you have any suggestion.
    When I'm doing packet tracer from site B I get the following message.
    ASA# packet-trace input outside tcp 192.168.50.220 2000 155.220.21.175 21 detail
    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xc959c928, priority=1, domain=permit, deny=false
            hits=143495595, user_data=0x0, cs_id=0x0, l3_type=0x8
            src mac=0000.0000.0000, mask=0000.0000.0000
            dst mac=0000.0000.0000, mask=0100.0000.0000
    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   155.220.21.175  255.255.255.255 inside
    Phase: 3
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group outside_access_in in interface outside
    access-list outside_access_in extended permit ip object-group Tas_Tunnel host 155.220.21.175 log
    object-group network Tas_Tunnel
    network-object host 192.168.50.50
    network-object host 192.168.50.65
    network-object host 192.168.50.220
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xca246310, priority=12, domain=permit, deny=false
            hits=1, user_data=0xc793bcc0, cs_id=0x0, flags=0x0, protocol=0
            src ip=192.168.50.220, mask=255.255.255.255, port=0
            dst ip=155.220.21.175, mask=255.255.255.255, port=0, dscp=0x0
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xc959f4d8, priority=0, domain=inspect-ip-options, deny=true
            hits=3443418, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    Phase: 5
    Type: INSPECT
    Subtype: inspect-ftp
    Result: ALLOW
    Config:
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect ftp
    service-policy global_policy global
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xc962fa60, priority=70, domain=inspect-ftp, deny=false
            hits=11, user_data=0xc962f8b0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=21, dscp=0x0
    Phase: 6
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xc9f1c290, priority=12, domain=ipsec-tunnel-flow, deny=true
            hits=167708, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    Phase: 7
    Type: NAT-EXEMPT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xc965a700, priority=6, domain=nat-exempt-reverse, deny=false
            hits=2, user_data=0xc965a490, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
            src ip=192.168.50.220, mask=255.255.255.255, port=0
            dst ip=155.220.21.175, mask=255.255.255.255, port=0, dscp=0x0
    Phase: 8
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Reverse Flow based lookup yields rule:
    in  id=0xc95ea328, priority=0, domain=inspect-ip-options, deny=true
            hits=17273465, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    Phase: 9
    Type: VPN
    Subtype: encrypt
    Result: DROP
    Config:
    Additional Information:
    Reverse Flow based lookup yields rule:
    out id=0xca2f4c98, priority=70, domain=encrypt, deny=false
            hits=2, user_data=0x0, cs_id=0xc9dd8d90, reverse, flags=0x0, protocol=0
            src ip=155.220.21.175, mask=255.255.255.255, port=0
            dst ip=192.168.50.192, mask=255.255.255.192, port=0, dscp=0x0
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    Thanks & Rgds,
    Dhaval Dikshit
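
A trace this long makes the dropping phase easy to miss. The following added example (not from the thread and not a Cisco tool) parses ASA packet-tracer output into its "Phase: N" blocks, keeps each phase's Type, Subtype and Result together with the rule it matched (domain, src and dst from the "Flow based lookup yields rule" lines), reads Action and Drop-reason from the trailing Result section, and reports the first phase whose Result is DROP. The sample is a trimmed copy of the output posted above, keeping phases 1, 6 and 9 only.

```python
"""Summarise ASA "packet-tracer" output: which phase dropped and on which rule.

Added example, not from the original thread or from Cisco. It splits the
output into "Phase: N" blocks, keeps each phase's Type/Subtype/Result and
the rule it matched (domain, src, dst from the "Flow based lookup yields
rule" lines), reads Action and Drop-reason from the trailing "Result:"
section, and reports the first phase whose Result is DROP. The sample is a
trimmed copy of the output posted in the thread above (phases 1, 6 and 9).
"""
import re

SAMPLE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xc9f1c290, priority=12, domain=ipsec-tunnel-flow, deny=true
Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0xca2f4c98, priority=70, domain=encrypt, deny=false
        hits=2, user_data=0x0, cs_id=0xc9dd8d90, reverse, flags=0x0, protocol=0
        src ip=155.220.21.175, mask=255.255.255.255, port=0
        dst ip=192.168.50.192, mask=255.255.255.192, port=0, dscp=0x0
Result:
input-interface: outside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_RE = re.compile(r"Phase:\s*(\d+)")
FIELD_RE = re.compile(r"(Type|Subtype|Result):\s*(.*)")
RULE_RE = re.compile(r"(?:in|out)\s+id=\S+, priority=\d+, domain=([^,\s]+), deny=(\S+)")
ADDR_RE = re.compile(r"(src|dst) ip=([^,\s]+), mask=([^,\s]+)")
FINAL_RE = re.compile(r"(Action|Drop-reason|input-interface|output-interface):\s*(.*)")


def parse_trace(text):
    """Return (phases, final): a list of per-phase dicts and the summary dict."""
    phases, final, cur = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := PHASE_RE.match(line):
            cur = {"phase": int(m.group(1)), "type": "", "subtype": "", "result": "", "rule": {}}
            phases.append(cur)
        elif line == "Result:":            # bare "Result:" opens the summary block
            cur = None
        elif cur is not None:
            if m := FIELD_RE.match(line):
                cur[m.group(1).lower()] = m.group(2).strip()
            elif m := ADDR_RE.match(line):
                cur["rule"][m.group(1)] = f"{m.group(2)}/{m.group(3)}"
            elif m := RULE_RE.match(line):
                cur["rule"]["domain"] = m.group(1)
                cur["rule"]["deny"] = m.group(2) == "true"
        elif m := FINAL_RE.match(line):
            final[m.group(1).lower()] = m.group(2).strip()
    return phases, final


def first_drop(text):
    """The first DROP phase with its matched rule and the trace's Drop-reason,
    or None when every phase allowed the packet."""
    phases, final = parse_trace(text)
    for p in phases:
        if p["result"] == "DROP":
            return {"phase": p["phase"], "type": p["type"], "subtype": p["subtype"],
                    "rule": p["rule"], "reason": final.get("drop-reason", "")}
    return None


if __name__ == "__main__":
    print(first_drop(SAMPLE))
```

The src/dst pair returned for the dropping phase is the rule the ASA actually matched, which is the thing to compare against the crypto ACL and NAT exemption for that tunnel; the Drop-reason string alone ("acl-drop") does not say which of those produced the rule.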

  • IPSec tunnel and policy NAT question

    Hello All!
    I have a router acting as a VPN gateway on my end and I need to implement NAT translations on my IPsec tunnel as follows:
    1. I need to translate the incoming IP address of the remote end of the IPsec tunnel to some other IP address on our end.
    2. I need to translate the outgoing IP address of our end of the IPsec tunnel to a different IP address.
    I have implemented the following configuration, but for some reason it is not working: I get packets decrypted on my end, but don't have packets encrypted to send to the other end.
    Here is the configuration.
    Remote end  crypto interesting ACL:
    ip access-list extended crypto-interesting-remote
    permit ip host 192.168.1.10 host 10.0.0.10
    My end configuration:
    interface GigabitEthernet0/0
    ip address xxx.xxx.xxx.xxb yyy.yyy.yyy.yyy
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map VPN
    ip access-list extended crypto-interesting-local
    permit ip host 10.0.0.10 host 192.168.1.10
    interface GigabitEthernet0/3
    ip address 172.16.0.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    speed auto
    ip nat inside source static 172.16.0.20 10.0.0.10   (to translate the local IP address to the one on the crypto-interesting list, exposed to the remote peer; it works)
    ip nat outside source static 192.168.1.10 192.168.168.10 (to translate remote IP address to some other IP address on our end - not working - I get packets decrypted, but no packets encrypted)
    ip route 192.168.168.10 255.255.255.255 gigabitethernet 0/0
    ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxa
    All the routes are set, the crypto IPsec tunnel is up and working, and I am wondering if it is possible to achieve two-way NAT translation?
    Any response highly appreciated!
    Thanks!

    Figured that out.
    The problem was in the route
    ip route 192.168.168.10 255.255.255.255 gigabitethernet 0/0
    It should be the next-hop IP address instead of the interface gigabitethernet0/0.
    Apparently the packet arrives on the interface but does not pass it when having a route like this, because there is no one sitting with the 192.168.168.10 IP address on the outside.

  • Restrict certain IP addresses for establishing IPSec

    Is it possible on a Cisco ASA 55xx to restrict (to filter) certain public IP addresses which would be THE ONLY addresses able to establish a Remote Access IPSec VPN using the Cisco VPN client? Let's assume that the Cisco VPN client establishes the VPN connection from a fixed public IP address (always the same).
    So, I am not talking about ACL actions on VPN traffic. I'm asking about establishing the IPSec tunnel and preventing some public IPs from even trying that.
    Thanks.

    Hi Ivan,
    Yes, the "ssh 0 0 outside" overrides the control-plane ACL and allows the SSH connections to the ASA.
    Actually this statement creates the following implicit ACL to permit the SSH traffic:
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0x732d57e8, priority=121, domain=permit, deny=false
            hits=1, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=22, dscp=0x0
            input_ifc=outside, output_ifc=identity
    Hope this helps
    Mashal Shboul

  • Multiple site to site IPSec tunnels to one ASA5510

    Question on ASA VPN tunnels. I have one ASA 5510 in our corporate office, and I have two subnets in our corporate office that are configured in the ASA in an object group. I have a site to site IPSEC tunnel already up that has been working. I am trying to set up another site to site IPSEC tunnel to a different location that will need to be set up to access the same two subnets. I'm not sure if this can be set up or not; I think I had a problem with setting up two tunnels that were trying to connect to the same subnet, but that was between the same two ASAs. Anyway, the new tunnel to a new site is not coming up and I want to make sure it is not the subnet issue. The current working tunnel is between two ASA 5510s; the new tunnel we are trying to build is between the ASA and a SonicWall firewall. Any help would be appreciated.

    Hi,
    Regarding setting up the new L2L VPN connection:
    It should be no problem (to my understanding) to configure the new L2L VPN connection through the other ISP interface (0/3). You will need to at least route the remote VPN peer's IP address towards that link. The L2L VPN forming should add a route for the remote networks through that L2L VPN. If not, reverse route injection should handle it in the crypto map configuration.
    I guess the rest of the setup depends on what will be using the 0/0 ISP and what will be using the 0/3 ISP.
    If you are going to put the default route towards the 0/3 ISP you will have to think of something for the 0/0 ISP if some of your local LAN devices are going to use it for Internet also (possible routing problems). On the other hand, if you have remote VPN Client users using the 0/0 ISP there should be no routing problem for them, as they would be initiating the connection through that 0/0 ISP link through the ASA, so the ASA should know where to forward the return traffic.
    Most of my 2 ISP setups have been implemented with a router in front of the actual ASA/PIX/FWSM firewalls, where the router has performed policy routing based on the source IP address from the firewalls and then set the correct gateway towards the correct ISP.
    - Jouni

  • IPsec tunnel without a private network

    I'm trying to achieve a site-to-site IPsec tunnel to a Cisco ASA 5520. Most examples feature the ASA with a public interface that terminates the tunnel and a private network on another interface that the tunnel interacts with. Where my scenario differs is that the interface that accepts the tunnel is part of a public /29 network, where I want the remaining hosts on that subnet to be able to route through to the other end of the tunnel. My tunnel gets established, but any attempts to route via the IP assigned to that one interface result in the ASA rejecting traffic. Is this scenario even possible? If so, what configuration options should I consider?
    Thanks!

    I've got to say I have never tried this or had any situation where I would want to use the ASA like this.
    This would be something I would have to test, as I can't say for sure if it's possible or not.
    For one, I would at least make sure of the following things:
    Make sure you have the configuration "same-security-traffic permit intra-interface". This will permit the traffic to enter and leave the same interface, which in this case is "outside".
    That the host default route points to the ASA.
    Consider configuring NAT0 for the "outside" /29 network on the "outside" interface when the destination network is the remote site network.
    Use the "packet-tracer" command to simulate a packet coming from the "outside" host towards the remote site and see what the output is:
    packet-tracer input outside tcp
    How do you confirm the ASA is rejecting the traffic? Do you see some log message?
    Have you seen any traffic get encapsulated/encrypted at this site OR is there only traffic incoming from the remote site?
    - Jouni

  • Two separate L2L tunnels between same two ASA

    I have a large MPLS fully meshed network with two main locations, both of which have an ASA with internet access as well as the MPLS access. I need to be able to provide a backup connection between the two main locations in the event one of the MPLS links to one or the other goes down.
    I am considering using a L2L IPsec tunnel between the two ASAs, but the interesting traffic for the tunnel is different depending on which of the links is down and therefore I would need two different tunnels. I have my servers and remote desktop servers at one of the main sites, and the other main site has another organization attached to it externally that the servers must be able to access.
    Is there a way of creating two separate L2L tunnels between the two ASAs? Could I perhaps assign two public IP addresses to each of the ASAs and then create the tunnels between different endpoints on each ASA?
    Does anyone have another possible solution to the problem?
    Gene

    You should be able to do what you want using IP SLA. Please see this excellent blog post, which documents one way to accomplish it.
    Hope this helps.

  • Cisco ASA 5505 IPSec tunnel won't establish until remote site attempts to connect

    I have a site-to-site IPsec tunnel set up and operational, but periodically the remote site goes down because of a somewhat reliable internet connection. The only way to get the tunnel to re-establish is to go to the remote site and simply issue a ping from a workstation on the remote network. We were having this same issue with a Cisco PIX 506E but decided to upgrade the hardware and see if that resolved the issue. It ran for well over a year and our assumption was that the issue was resolved. I was looking in the direction of the security-association lifetime, but if we power cycle the unit I would expect that it would kill the SA; yet even after power cycling, the VPN does not come up automatically.
    Any assistance would be appreciated.
    ASA Version 8.2(1)
    hostname KRPS-FW
    domain-name lottonline.org
    enable password uniQue
    passwd uniQue
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.20.30.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address xxx.xxx.xxx.xxx 255.255.255.248
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    description Inside Network on VLAN1
    interface Ethernet0/2
    shutdown
    interface Ethernet0/3
    shutdown
    interface Ethernet0/4
    shutdown
    interface Ethernet0/5
    shutdown
    interface Ethernet0/6
    shutdown
    interface Ethernet0/7
    description Inside Network on VLAN1
    ftp mode passive
    dns server-group DefaultDNS
    domain-name lottonline.org
    access-list NONAT extended permit ip 10.20.30.0 255.255.255.0 10.20.20.0 255.255.255.0
    access-list NONAT extended permit ip 10.20.30.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list NONAT extended permit ip 10.20.30.0 255.255.255.0 192.168.15.0 255.255.255.0
    access-list KWPS-BITP extended permit ip 10.20.30.0 255.255.255.0 10.20.20.0 255.255.255.0
    access-list KWPS-BITP extended permit ip 10.20.30.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list KWPS-BITP extended permit ip 10.20.30.0 255.255.255.0 192.168.15.0 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list NONAT
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group OUTSIDE_ACCESS_IN in interface outside
    route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 10.20.30.0 255.255.255.0 inside
    http 10.20.20.0 255.255.255.0 inside
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map DYNMAP 65535 set transform-set ESP-AES-256-SHA
    crypto map VPNMAP 1 match address KWPS-BITP
    crypto map VPNMAP 1 set peer xxx.xxx.xxx.001
    crypto map VPNMAP 1 set transform-set ESP-AES-256-SHA
    crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP
    crypto map VPNMAP interface outside
    crypto isakmp enable outside
    crypto isakmp policy 5
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    ssh timeout 5
    console timeout 0
    management-access inside
    tunnel-group xxx.xxx.xxx.001 type ipsec-l2l
    tunnel-group xxx.xxx.xxx.001 ipsec-attributes
    pre-shared-key somekey

    Hi there,
    I had the same issue with a PIX 506E and it was not even a circuit issue; I got rid of it and the problem got fixed with a PIX 515E.
    I don't know, the device is too old to stay alive.
    Thanks

  • My Iphone 4s Will not delete the songs I want it to. I've tried Turning off "Show All Music" and then swiping left on the song to delete it, but it wont give me the option to delete the songs. Please help. (this is iOS.7 btw)

    I've tried turning off "Show All Music" and then swiping left on the song to delete it, but it won't give me the option to delete the songs. Please help. (This is iOS 7, btw.) It only does this for some of the songs, but the rest of them I can delete. This is really annoying, please help me ASAP. Thank y'all for your time.

  • Ipsec tunnel possible with Checkpoint ngx 6.5 and Cisco ISR-dual ISP?

    Hi Gurus,
    I have a requirement to fulfill in that there are 2 sites between which I need to create an IPsec tunnel: a remote site running a Checkpoint NGX 6.5 and a local site with 2 different ISPs and 2 x ISR 29xx routers for both ISP and hardware redundancy. I have only done the VPN setup with one ISR and ISP1 so far.
    I am planning to have just 1 ISR (ISR1) and ISP1 being active at any given time. If ISP1 or ISR1 goes out, all traffic should fail over to ISR2 with ISP2.
    Is this possible with the ISRs?
    Checkpoint does not appear to allow seeing the different ISRs with 2 possible WAN IP addresses with the same encryption domain or 'interesting traffic', so I am not sure if this will work at all.
    BGP won't be used.
    I have looked at IP SLA and PBR, and it appears that the best I could achieve would be VPN traffic via ISR1 and ISP1, and could fail over only the non-VPN traffic to ISR2 and ISP2. Please correct me if I am wrong... many thanks.
    Any ideas will be greatly appreciated.
    Civicfan

    I found the problem but don't know how to fix it now!
    The problem is on site B, with the same ACL name "SiteA" being used in both sequence numbers of crypto map "outside_map":
    crypto map outside_map 9 match address SiteA
    crypto map outside_map 9 set peer 212.89.229.xx
    crypto map outside_map 9 set transform-set ESP-AES-256-SHA
    crypto map outside_map 9 set security-association lifetime seconds 28800
    crypto map outside_map 9 set security-association lifetime kilobytes 4608000
    crypto map outside_map 10 match address SiteA
    crypto map outside_map 10 set peer 212.89.235.yy
    crypto map outside_map 10 set transform-set ESP-AES-256-SHA
    crypto map outside_map 10 set security-association lifetime seconds 28800
    crypto map outside_map 10 set security-association lifetime kilobytes 4608000
    If I remove:
    no crypto map outside_map 9 match address SiteA
    the IPsec through the 2nd ISP on site A is working correctly.

  • IPSEC Tunnel between JUNIPER (SSG 20) and CISCO PIX 501

    I have successfully established the IPsec tunnel with a Juniper firewall using a Cisco PIX 501 (version 6.3). The problem I am facing: I have network layer connectivity, but after a time interval I am not able to send the traffic to the destination IP address on a specific port, while I can still successfully PING the destination IP. On both firewalls the IPs are permitted for all ports.

    Dear Mr.
    The same problem has occurred with me.
