L2L VPN-8.4(3)
Hi,
We are setting up an IPSec L2L tunnel with our client. The client will access some of our internal servers through the VPN tunnel. The client is NATting their internal networks to the public IP 121.16.141.x. Below are the server IPs the client would access.
10.150.20.131
10.150.20.132
I have prepared the config for the VPN tunnel but I'm not quite sure that it is correct, so I'm looking for your help on this.
======================================
object-group network server_IP
network-object host 10.150.20.131
network-object host 10.150.20.132
object network client_IP
host 121.16.141.x
nat (inside,outside) source static server_IP server_IP destination static client_IP client_IP no-proxy-arp
access-list VPN extended permit ip object-group server_IP object client_IP
crypto map outside_map 6 match address VPN
crypto map outside_map 6 set peer <<client FW outside interface ip(y.y.y.y) >>
crypto map outside_map 6 set ikev1 transform-set ESP-3DES-MD5
crypto map outside_map 6 set security-association lifetime seconds 28800
crypto map outside_map 6 set security-association lifetime kilobytes 4608000
tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
ikev1 pre-shared-key *****
=========================================================
Please confirm whether this config is correct.
Hi,
Well, there are a couple of options:
You can configure Filter ACL for the L2L VPN.
You can configure "no sysopt connection permit-vpn".
While configuring the VPN Filter is the easiest way to restrict connections coming from VPNs WHEN you have a lot of existing VPN connections, I still wouldn't recommend it as a first choice as it can get a bit complicated.
The second option is something that I personally like BUT using it depends on your current environment.
If you were to add the command "no sysopt connection permit-vpn" THEN ANY connection coming through VPN connections through the "outside" interface of your ASA would need to have a permitting ACL rule on the "outside" interface ACL.
So judging by your number in the "crypto map" configuration, which is "6", I assume you have multiple L2L VPN configurations at least, possibly remote access VPN also?
If this is the case then you would have to first create ACL rules to define what connections can be initiated from behind the VPN connections, on each of those connections, BEFORE enabling the command I mention. If you didn't, then all connections from the direction of the remote host or remote network would start to get blocked by the ASA.
When you enable that command you could basically use the "outside" interface ACL to allow and deny traffic that is coming through VPN just like it was coming through Internet.
So if you are able to preconfigure the ACL rules for all of your existing VPN connections THEN I would recommend using the "no sysopt connection permit-vpn" to BLOCK ALL connections coming through VPN connections UNLESS they are allowed in the interface ACL of "outside" interface.
Hope I made some sense.
Naturally ask more if needed
- Jouni
Similar Messages
L2L VPN Issue - one subnet not reachable
Hi Folks,
I have a strange issue with a new VPN connection and would appreciate any help.
I have a pair of Cisco asa 5540s configured as a failover pair (code version 8.2(5)).
I have recently added 2 new L2L VPNs - both these VPNs are sourced from the same interface on my ASA (called isp), and both are to the same customer, but they terminate on different firewalls on the customer end, and encrypt traffic from different customer subnets. There's a basic network diagram attached.
VPN 1 - is for traffic from the customer subnet 10.2.1.0/24. Devices in this subnet should be able to access 2 subnets on my network - DMZ 211 (192.168.211.0/24) and DMZ 144 (192.168.144.0/24). This VPN works correctly.
VPN 2 - is for traffic from the customer subnet 192.168.1.0/24. Devices in this subnet should be able to access the same 2 subnets on my network - DMZ 211 (192.168.211.0/24) and DMZ 144 (192.168.144.0/24). This VPN is not working correctly - the customer can access DMZ 144, but not DMZ 211.
There are isakmp and ipsec SAs for both VPNs. I've noticed that the packets encaps/decaps counter does not increment when the customer sends test traffic to DMZ 211. This counter does increment when they send test traffic to DMZ144. I can also see traffic sent to DMZ 144 from the customer subnet 192.168.1.0/24 in packet captures on the DMZ 144 interface of the ASA. I cannot see similar traffic in captures on the DMZ211 interface (although I can see traffic sent to DMZ211 if it is sourced from 10.2.1.0/24 - ie when it uses VPN1)
Nat exemption is configured for both 192.168.1.0/24 and 10.2.1.0/24.
There is a route to both customer subnets via the same next hop.
There is nothing in the logs to indicate that traffic from 192.168.1.0/24 is being dropped.
I suspect that this may be an issue on the customer end, but I'd like to be able to prove that. Specifically, I would really like to be able to capture traffic destined to DMZ 211 on the isp interface of the firewall after it has been decrypted - I don't know if this can be done however, and I haven't really found a good way to prove or disprove that VPN traffic from 192.168.1.0/24 to DMZ211 is arriving at the isp interface of my ASA, and to show what's happening to that traffic after it arrives.
Here is the relevant vpn configuration:
crypto map MY_CRYPTO_MAP 90 match address VPN_2
crypto map MY_CRYPTO_MAP 90 set peer 217.154.147.221
crypto map MY_CRYPTO_MAP 90 set transform-set 3dessha
crypto map MY_CRYPTO_MAP 90 set security-association lifetime seconds 86400
crypto map MY_CRYPTO_MAP 100 match address VPN_1
crypto map MY_CRYPTO_MAP 100 set peer 193.108.169.48
crypto map MY_CRYPTO_MAP 100 set transform-set 3dessha
crypto map MY_CRYPTO_MAP 100 set security-association lifetime seconds 86400
crypto map MY_CRYPTO_MAP interface isp
ASA# sh access-list VPN_2
access-list VPN_2; 6 elements; name hash: 0xa902d2f4
access-list VPN_2 line 1 extended permit ip object-group VPN_2_NETS 192.168.1.0 255.255.255.0 0x56c7fb8f
access-list VPN_2 line 1 extended permit ip 192.168.144.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=45) 0x93b6dc21
access-list VPN_2 line 1 extended permit ip 192.168.211.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=6) 0x0abf7bb9
access-list VPN_2 line 1 extended permit ip host 192.168.146.29 192.168.1.0 255.255.255.0 (hitcnt=8) 0xcc48a56e
ASA# sh access-list VPN_1
access-list VPN_1; 3 elements; name hash: 0x30168cce
access-list VPN_1 line 1 extended permit ip 192.168.144.0 255.255.252.0 10.2.1.0 255.255.255.0 (hitcnt=6) 0x61759554
access-list VPN_1 line 2 extended permit ip 192.168.211.0 255.255.255.0 10.2.1.0 255.255.255.0 (hitcnt=3) 0xa602c97c
access-list VPN_1 line 3 extended permit ip host 192.168.146.29 10.2.1.0 255.255.255.0 (hitcnt=0) 0x7b9f32e3
nat (dmz144) 0 access-list nonatdmz144
nat (dmz211) 0 access-list nonatdmz211
ASA# sh access-list nonatdmz144
access-list nonatdmz144; 5 elements; name hash: 0xbf28538e
access-list nonatdmz144 line 1 extended permit ip 192.168.144.0 255.255.255.0 192.168.0.0 255.255.0.0 (hitcnt=0) 0x20121683
access-list nonatdmz144 line 2 extended permit ip 192.168.144.0 255.255.255.0 172.28.2.0 255.255.254.0 (hitcnt=0) 0xbc8ab4f1
access-list nonatdmz144 line 3 extended permit ip 192.168.144.0 255.255.255.0 194.97.141.160 255.255.255.224 (hitcnt=0) 0xce869e1e
access-list nonatdmz144 line 4 extended permit ip 192.168.144.0 255.255.255.0 172.30.0.0 255.255.240.0 (hitcnt=0) 0xd3ec5035
access-list nonatdmz144 line 5 extended permit ip 192.168.144.0 255.255.255.0 10.2.1.0 255.255.255.0 (hitcnt=0) 0x4c9cc781
ASA# sh access-list nonatdmz211 | in 192.168\.1\.
access-list nonatdmz1 line 3 extended permit ip 192.168.211.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0) 0x2bbfcfdd
ASA# sh access-list nonatdmz211 | in 10.2.1.
access-list nonatdmz1 line 4 extended permit ip 192.168.211.0 255.255.255.0 10.2.1.0 255.255.255.0 (hitcnt=0) 0x8a836d91
route isp 192.168.1.0 255.255.255.0 137.191.234.33 1
route isp 10.2.1.0 255.255.255.0 137.191.234.33 1
Thanks in advance to anyone who gets this far!
Darragh
Clearing the counters was a good idea. If the counter is not incrementing and if ping from the remote side is not causing the VPN to come up it certainly confirms that something is not working right.
It might be interesting to wait till the SAs time out and go inactive and then test again with the ping from the remote subnet that is not working. Turn on debug for ISAKMP and see if there is any attempt to negotiate. Especially if you do not receive any attempt to initiate ISAKMP from them, then that would be one way to show that there is a problem on the remote side.
Certainly the ASA does have the ability to do packet capture. I have used that capability and it can be quite helpful. I have not tried to do a capture on the outside interface for incoming VPN traffic and so am not sure whether you would be capturing the encrypted packet or the de-encrypted packet. You can configure an access list to identify traffic to capture and I guess that you could write an access list that included both the peer addresses as source and destination to capture the encrypted traffic and entries that were the un-encrypted source and destination subnets to capture traffic after de-encryption.
HTH
Rick
Public-to-Public L2L VPN no return traffic
Hello all,
I'm hoping someone can give me a little help. I've researched the web and have read many forums, but I still can't get this to work. One of our vendors requires using a public IP address to set up a site-to-site IPSEC VPN. We only have one public IP address and that will be used for the VPN endpoint and for internet access for the local network. I've set up policy NAT from our local network to the outside interface. I'm also using the outside IP address for the crypto map. The tunnel sets up successfully and the Tx count increases anytime I try to ping the remote network, but the ping fails and the Rx count does not increase. According to our vendor, we should be able to ping the remote network and connect using port 443. When trying to connect using port 443, I see a SYN timeout in the logs. I'm not sure if the problem is on their end and they're rejecting our traffic, or if something is misconfigured on our end. I'd like to make sure that I have everything configured correctly before I go and point fingers at them. Any help would be appreciated. Thanks.
Local Network - 10.10.9.0/24
Remote Network - 20.20.41.0/24
Remote Peer - 20.20.60.193
ASA Version 8.2(5)
hostname ciscoasa
domain-name
names
name 10.10.9.3 VPN description VPN Server
name 10.10.9.4 IntranetMySQL description MySQL For Webserver
name 192.168.0.100 IIS_Webserver
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.10.9.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 71.***.***.162 255.255.255.0
interface Vlan3
nameif dmz
security-level 50
ip address 192.168.0.254 255.255.255.0
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 10.10.9.1
domain-name
same-security-traffic permit inter-interface
object-group service VPN_TCP
description VPN TCP Connection
service-object tcp eq 1195
object-group service VPN_UDP
description VPN UDP Port
service-object udp eq 1194
object-group service VPN_HTTPS
description VPN HTTPS Web Server
service-object tcp eq 943
service-object udp eq 943
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service WebServer
service-object tcp eq 8001
object-group service DM_INLINE_SERVICE_1
service-object tcp-udp eq www
service-object tcp eq https
object-group service VPN_HTTPS_UDP udp
port-object eq 943
object-group service WCF_WebService tcp
port-object eq 808
object-group service RDP tcp
port-object eq 3389
object-group service RDP_UDP udp
port-object eq 3389
object-group service DM_INLINE_SERVICE_2
service-object tcp-udp eq www
service-object tcp eq https
object-group service *_Apache tcp
port-object eq 8001
object-group service *_ApacheUDP udp
port-object eq 8001
object-group service IIS_SQL_Server tcp
port-object eq 1433
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group service File_Sharing tcp
port-object eq 445
object-group service File_Sharing_UDP udp
port-object eq 445
object-group service MySQL tcp
port-object eq 3306
object-group service Http_Claims_Portal tcp
port-object eq 8080
object-group service Http_Claims_PortalUDP udp
port-object eq 8080
object-group service RTR_Portal tcp
description Real Time Rating Portal
port-object eq 8081
object-group service RTR_PortalUDP udp
port-object eq 8081
object-group service DM_INLINE_SERVICE_3
service-object tcp-udp eq www
service-object tcp eq https
access-list outside_access_in extended permit udp any 70.***.***.0 255.255.255.0 eq 1194
access-list outside_access_in extended permit tcp any any eq 1195
access-list outside_access_in extended permit object-group VPN_HTTPS any any
access-list outside_access_in extended permit tcp any interface outside eq 943
access-list outside_access_in extended permit tcp any any eq 8001
access-list inside_access_in extended permit tcp any any
access-list outside_access_in_1 extended permit tcp any interface outside eq 943
access-list outside_access_in_2 extended permit object-group DM_INLINE_SERVICE_1 host 71.***.***.165 host 71.***.***.162
access-list outside_access_in_2 extended permit object-group TCPUDP any any inactive
access-list outside_access_in_2 extended permit icmp any any
access-list outside_access_in_2 extended permit object-group VPN_HTTPS any host 71.***.***.162
access-list outside_access_in_2 remark VPN TCP Ports
access-list outside_access_in_2 extended permit tcp any host 71.***.***.162 eq 1195
access-list outside_access_in_2 extended permit udp any host 71.***.***.162 eq 1194
access-list outside_access_in_2 remark Palm Insure Apache Server
access-list outside_access_in_2 extended permit tcp any host 71.***.***.164 object-group *_Apache inactive
access-list outside_access_in_2 extended permit udp any host 71.***.***.164 object-group *_ApacheUDP inactive
access-list outside_access_in_2 extended permit tcp any host 71.***.***.164 object-group MySQL inactive
access-list outside_access_in_2 extended permit tcp any host 71.***.***.164 object-group Http_Claims_Portal inactive
access-list outside_access_in_2 extended permit udp any host 71.***.***.164 object-group Http_Claims_PortalUDP inactive
access-list outside_access_in_2 extended permit tcp any host 71.***.***.164 object-group RTR_Portal inactive
access-list outside_access_in_2 extended permit udp any host 71.***.***.164 object-group RTR_PortalUDP inactive
access-list outside_access_in_2 extended permit object-group DM_INLINE_SERVICE_3 any host 71.***.***.164 inactive
access-list outside_access_in_2 remark RTR Access Rule for Internal VM's
access-list outside_access_in_2 extended permit tcp any host 71.***.***.162 object-group Http_Claims_Portal
access-list outside_access_in_2 remark RTR Access rule for internal VMs
access-list outside_access_in_2 extended permit udp any host 71.***.***.162 object-group Http_Claims_PortalUDP
access-list inside_access_in_1 extended permit object-group TCPUDP any any
access-list inside_access_in_1 extended permit icmp any any
access-list inside_access_in_1 extended permit esp any any
access-list inside_access_in_1 extended permit udp any any eq isakmp
access-list dmz_access_in extended permit ip any any
access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_2 any host 70.***.***.252
access-list dmz_access_in extended permit tcp any host 70.***.***.252 eq www
access-list dmz_access_in_1 extended permit tcp host IIS_Webserver host 10.10.9.5 object-group DM_INLINE_TCP_1 inactive
access-list dmz_access_in_1 extended permit object-group TCPUDP any host IIS_Webserver eq www inactive
access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver eq https inactive
access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group *_Apache inactive
access-list dmz_access_in_1 extended permit udp any host IIS_Webserver object-group *_ApacheUDP inactive
access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver eq 3389 inactive
access-list dmz_access_in_1 extended permit udp any host IIS_Webserver eq 3389 inactive
access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group IIS_SQL_Server inactive
access-list dmz_access_in_1 extended permit object-group TCPUDP any any inactive
access-list dmz_access_in_1 extended permit tcp host 10.10.9.5 host IIS_Webserver eq ftp inactive
access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group MySQL inactive
access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group Http_Claims_Portal inactive
access-list dmz_access_in_1 extended permit udp any host IIS_Webserver object-group Http_Claims_PortalUDP inactive
access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group RTR_Portal inactive
access-list dmz_access_in_1 extended permit udp any host IIS_Webserver object-group RTR_PortalUDP inactive
access-list inside_nat_static extended permit ip host 10.10.9.1 20.20.41.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip host 71.***.***.162 20.20.41.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 10.10.9.0 255.255.255.0
static (inside,outside) tcp interface 943 VPN 943 netmask 255.255.255.255
static (inside,outside) tcp interface 1195 VPN 1195 netmask 255.255.255.255
static (inside,outside) tcp interface 1194 VPN 1194 netmask 255.255.255.255
static (inside,outside) udp interface 1194 VPN 1194 netmask 255.255.255.255
static (inside,outside) udp interface 1195 VPN 1195 netmask 255.255.255.255
static (inside,outside) tcp interface ssh IntranetMySQL ssh netmask 255.255.255.255
static (inside,outside) tcp interface ftp IntranetMySQL ftp netmask 255.255.255.255
static (dmz,inside) tcp IIS_Webserver 3389 IIS_Webserver 3389 netmask 255.255.255.255
static (inside,outside) tcp interface www 10.10.9.5 www netmask 255.255.255.255
static (dmz,outside) tcp 71.***.***.164 3389 IIS_Webserver 3389 netmask 255.255.255.255
static (dmz,outside) tcp 71.***.***.164 8001 IIS_Webserver 8001 netmask 255.255.255.255
static (dmz,outside) udp 71.***.***.164 8001 IIS_Webserver 8001 netmask 255.255.255.255
static (dmz,outside) tcp 71.***.***.164 www IIS_Webserver www netmask 255.255.255.255
static (dmz,outside) tcp 71.***.***.164 https IIS_Webserver https netmask 255.255.255.255
static (dmz,outside) tcp 71.***.***.164 ftp IIS_Webserver ftp netmask 255.255.255.255
static (dmz,outside) tcp 71.***.***.164 3306 IIS_Webserver 3306 netmask 255.255.255.255
static (dmz,inside) tcp IIS_Webserver 3306 IIS_Webserver 3306 netmask 255.255.255.255
static (dmz,outside) tcp 71.***.***.164 8080 IIS_Webserver 8080 netmask 255.255.255.255
static (dmz,outside) udp 71.***.***.164 8080 IIS_Webserver 8080 netmask 255.255.255.255
static (dmz,inside) tcp IIS_Webserver 8080 IIS_Webserver 8080 netmask 255.255.255.255
static (dmz,outside) tcp 71.***.***.164 8081 IIS_Webserver 8081 netmask 255.255.255.255
static (dmz,outside) udp 71.***.***.164 8081 IIS_Webserver 8081 netmask 255.255.255.255
static (dmz,inside) tcp IIS_Webserver 8081 IIS_Webserver 8081 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 10.10.9.15 8080 netmask 255.255.255.255
static (inside,outside) udp interface 8080 10.10.9.15 8080 netmask 255.255.255.255
static (dmz,outside) 71.***.***.164 IIS_Webserver netmask 255.255.255.255
static (dmz,inside) IIS_Webserver IIS_Webserver netmask 255.255.255.255
static (inside,dmz) 10.10.9.5 10.10.9.5 netmask 255.255.255.255
static (inside,outside) interface access-list inside_nat_static
access-group inside_access_in_1 in interface inside
access-group outside_access_in_2 in interface outside
access-group dmz_access_in_1 in interface dmz
route outside 0.0.0.0 0.0.0.0 71.***.***.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.10.9.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 20.20.60.193
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
telnet timeout 5
ssh 10.10.9.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 20.20.60.193 type ipsec-l2l
tunnel-group 20.20.60.193 ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Hi,
If you are using the public IP address of your ASA (that is used as the PAT address for all outbound traffic) as the only source IP address for the L2L VPN, you don't really have to build any additional NAT configurations for the L2L VPN connection. So you shouldn't need the "static" configuration you have made:
static (inside,outside) interface access-list inside_nat_static
This is because any traffic from your local LAN will be PATed to the "outside" IP address and when the ASA also sees that the destination network for the connection is part of the L2L VPN configurations, then the traffic should be forwarded to the L2L VPN connection just fine.
Did you try the connectivity without the "static" configuration?
For ICMP testing I would add the command
fixup protocol icmp
or
policy-map global_policy
class inspection_default
inspect icmp
Should do the same thing
- Jouni
I am using GNS3 to build a tunnel between an ASA and a router.
Below are my configurations but the tunnel is not coming up. Can anyone spot what's wrong with my configs? Or could it be because of bugs in GNS3?
ciscoasa# sho running-config crypto
crypto ipsec transform-set MySET esp-aes esp-sha-hmac
access-list VPN_Traffic extended permit ip 12.123.15.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto map SampleVPN 100 match address VPN_Traffic
crypto map SampleVPN 100 set peer 10.123.5.2
crypto map SampleVPN 100 set transform-set MySET
crypto map SampleVPN interface outside
crypto isakmp enable outside
crypto isakmp policy 100
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group VPN type ipsec-l2l
tunnel-group VPN ipsec-attributes
pre-shared-key 1234
R1#sho run | sec crypto
crypto isakmp policy 100
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 1234 address 12.152.45.2 no-xauth
crypto ipsec transform-set MySET esp-aes esp-sha-hmac
ip access-list extended VPN_Traffic
permit ip 192.168.10.0 0.0.0.255 12.123.15.0 0.0.0.255
crypto map VPN 100 ipsec-isakmp
set peer 12.152.45.2
set transform-set MySET
match address VPN_Traffic
interface f0/0
crypto map VPN
Here are the debugs from the router...
*Feb 18 15:59:03.971: ISAKMP:(0): SA request profile is (NULL)
*Feb 18 15:59:03.971: ISAKMP: Created a peer struct for 12.152.45.2, peer port 500
*Feb 18 15:59:03.971: ISAKMP: New peer created peer = 0x65C73CCC peer_handle = 0x80000004
*Feb 18 15:59:03.975: ISAKMP: Locking peer struct 0x65C73CCC, refcount 1 for isakmp_initiator
*Feb 18 15:59:03.975: ISAKMP: local port 500, remote port 500
*Feb 18 15:59:03.975: ISAKMP: set new node 0 to QM_IDLE
*Feb 18 15:59:03.975: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 6568F26C
*Feb 18 15:59:03.979: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Feb 18 15:59:03.979: ISAKMP:(0):found peer pre-shared key matching 12.152.45.2
*Feb 18 15:59:03.983: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Feb 18 15:59:03.983: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Feb 18 15:59:03.983: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Feb 18 15:59:03.987: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Feb 18 15:59:03.987: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Feb 18 15:59:03.987: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Feb 18 15:59:03.987: ISAKMP:(0): beginning Main Mode exchange
*Feb 18 15:59:03.991: ISAKMP:(0): sending packet to 12.152.45.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb 18 15:59:03.991: ISAKMP:(0):Sending an IKE IPv4 Packet......
Success rate is 0 percent (0/5)
R1#
*Feb 18 15:59:13.991: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Feb 18 15:59:13.991: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Feb 18 15:59:13.991: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Feb 18 15:59:13.995: ISAKMP:(0): sending packet to 12.152.45.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb 18 15:59:13.995: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Feb 18 15:59:14.043: ISAKMP (0:0): received packet from 12.152.45.2 dport 500 sport 500 Global (I) MM_NO_STATE
*Feb 18 15:59:14.047: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Feb 18 15:59:14.047: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Feb 18 15:59:14.051: ISAKMP:(0): processing SA payload. message ID = 0
*Feb 18 15:59:14.055: ISAKMP:(0): processing vendor id payload
*Feb 18 15:59:14.055: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Feb 18 15:59:14.055: ISAKMP:(0): vendor ID is NAT-T v2
*Feb 18 15:59:14.055: ISAKMP:(0)
R1#: processing vendor id payload
*Feb 18 15:59:14.059: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Feb 18 15:59:14.059: ISAKMP:(0):found peer pre-shared key matching 12.152.45.2
*Feb 18 15:59:14.059: ISAKMP:(0): local preshared key found
*Feb 18 15:59:14.059: ISAKMP : Scanning profiles for xauth ...
*Feb 18 15:59:14.063: ISAKMP:(0):Checking ISAKMP transform 1 against priority 100 policy
*Feb 18 15:59:14.063: ISAKMP: encryption 3DES-CBC
*Feb 18 15:59:14.063: ISAKMP: hash MD5
*Feb 18 15:59:14.063: ISAKMP: default group 2
*Feb 18 15:59:14.063: ISAKMP: auth pre-share
*Feb 18 15:59:14.063: ISAKMP: life type in seconds
*Feb 18 15:59:14.067: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Feb 18 15:59:14.067: ISAKMP:(0):atts are acceptable. Next payload is 0
*Feb 18 15:59:14.071: ISAKMP:(0): processing vendor id payload
*Feb 18 15:59:14.071: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Feb 18 15:59:14.071: ISAK
R1#
R1#MP:(0): vendor ID is NAT-T v2
*Feb 18 15:59:14.071: ISAKMP:(0): processing vendor id payload
*Feb 18 15:59:14.075: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Feb 18 15:59:14.075: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Feb 18 15:59:14.075: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Feb 18 15:59:14.079: ISAKMP:(0): sending packet to 12.152.45.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Feb 18 15:59:14.079: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Feb 18 15:59:14.079: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Feb 18 15:59:14.079: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
R1#
*Feb 18 15:59:23.291: ISAKMP:(0):purging node -49064826
*Feb 18 15:59:23.291: ISAKMP:(0):purging node -330154301
*Feb 18 15:59:24.079: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
*Feb 18 15:59:24.079: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Feb 18 15:59:24.079: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
*Feb 18 15:59:24.083: ISAKMP:(0): sending packet to 12.152.45.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Feb 18 15:59:24.083: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Feb 18 15:59:24.111: ISAKMP (0:0): received packet from 12.152.45.2 dport 500 sport 500 Global (I) MM_SA_SETUP
*Feb 18 15:59:24.111: ISAKMP:(0):Notify has no hash. Rejected.
*Feb 18 15:59:24.111: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM3
*Feb 18 15:59:24.115: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Feb 18 15:59:24.115: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM3
R1#ping ip 12.123.15.2 source loo0
*Feb 18 15:59:24.115: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 12.152.45.2
R1#ping ip 12.123.15.2 source loo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.123.15.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1
*Feb 18 15:59:33.295: ISAKMP:(0):purging SA., sa=6568EB18, delme=6568EB18
*Feb 18 15:59:33.967: ISAKMP: set new node 0 to QM_IDLE
*Feb 18 15:59:33.971: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 10.123.5.2, remote 12.152.45.2)
*Feb 18 15:59:33.971: ISAKMP: Error while processing SA request: Failed to initialize SA
*Feb 18 15:59:33.975: ISAKMP: Error while processing KMI message 0, error 2..
Success rate is 0 percent (0/5)
R1#
*Feb 18 16:00:18.975: ISAKMP: quick mode timer expired.
*Feb 18 16:00:18.975: ISAKMP:(0):src 10.123.5.2 dst 12.152.45.2, SA is not authenticated
*Feb 18 16:00:18.975: ISAKMP:(0):peer does not do paranoid keepalives.
*Feb 18 16:00:18.979: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) MM_SA_SETUP (peer 12.152.45.2)
*Feb 18 16:00:18.983: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) MM_SA_SETUP (peer 12.152.45.2)
*Feb 18 16:00:18.983: ISAKMP: Unlocking peer struct 0x65C73CCC for isadb_mark_sa_deleted(), count 0
*Feb 18 16:00:18.987: ISAKMP: Deleting peer node by peer_reap for 12.152.45.2: 65C73CCC
R1#
*Feb 18 16:00:18.987: ISAKMP:(0):deleting node 1582877960 error FALSE reason "IKE deleted"
*Feb 18 16:00:18.987: ISAKMP:(0):deleting node 814986207 error FALSE reason "IKE deleted"
*Feb 18 16:00:18.991: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Feb 18 16:00:18.991: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_DEST_SA
R1#
*Feb 18 16:01:08.987: ISAKMP:(0):purging node 1582877960
*Feb 18 16:01:08.987: ISAKMP:(0):purging node 814986207
R1#
*Feb 18 16:01:18.991: ISAKMP:(0):purging SA., sa=6568F26C, delme=6568F26C
Hi,
When you applied the tunnel-group VPN, you should have seen a warning telling you that a tunnel-group can have a name only if it is for remote-access VPN or if certificate authentication is used. So an L2L VPN with pre-shared keys can only have tunnel-groups named by the peer IP address.
Mashal -
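The debug output in this thread shows an initiator that never gets past IKE_I_MM3: the only packet it receives in MM_SA_SETUP is an informational notify without a hash (which IOS rejects), and the SA is finally torn down when the quick-mode timer expires. Reading that out of a few hundred debug lines by eye is error-prone, so here is an added Python analyzer (not from the thread or from Cisco) that pulls the state transitions, error markers and SA deletions out of raw `debug crypto isakmp` text and reports how far phase 1 got. The sample input is copied from the debug lines above; the MM_PROGRESS ordering is the standard main-mode initiator sequence and the ERROR_MARKERS list is my own selection of tell-tale substrings.

```python
import re
from collections import Counter

# These sample lines are copied from the IOS "debug crypto isakmp" output in the
# thread above; they are the input the analyzer is run against here.
SAMPLE_DEBUG = """\
*Feb 18 15:59:24.111: ISAKMP (0:0): received packet from 12.152.45.2 dport 500 sport 500 Global (I) MM_SA_SETUP
*Feb 18 15:59:24.111: ISAKMP:(0):Notify has no hash. Rejected.
*Feb 18 15:59:24.111: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM3
*Feb 18 15:59:24.115: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM3
*Feb 18 15:59:24.115: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 12.152.45.2
*Feb 18 15:59:33.971: ISAKMP: Error while processing SA request: Failed to initialize SA
*Feb 18 16:00:18.975: ISAKMP: quick mode timer expired.
*Feb 18 16:00:18.975: ISAKMP:(0):src 10.123.5.2 dst 12.152.45.2, SA is not authenticated
*Feb 18 16:00:18.979: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) MM_SA_SETUP (peer 12.152.45.2)
*Feb 18 16:00:18.991: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_DEST_SA
"""

STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
DELETE_RE = re.compile(
    r'deleting SA reason "([^"]+)" state \(([IR])\) (\S+) \(peer ([\d.]+)\)'
)
PEER_RE = re.compile(r"received packet from ([\d.]+)")

# Main-mode initiator states in the order IOS walks through them: MM1/MM2 carry
# the SA proposal, MM3/MM4 the DH key exchange, MM5/MM6 the authentication.
MM_PROGRESS = [
    "IKE_I_MM1", "IKE_I_MM2", "IKE_I_MM3", "IKE_I_MM4",
    "IKE_I_MM5", "IKE_I_MM6", "IKE_P1_COMPLETE",
]

# Substrings that mark a phase-1 problem in the debug stream (my own selection).
ERROR_MARKERS = (
    "Notify has no hash",
    "IKMP_MODE_FAILURE",
    "Failed to initialize SA",
    "quick mode timer expired",
    "SA is not authenticated",
)


def analyze(debug_text):
    """Summarize one IKEv1 negotiation from raw debug output."""
    transitions, deletions, peers = [], [], set()
    errors = Counter()
    for line in debug_text.splitlines():
        m = STATE_RE.search(line)
        if m:
            transitions.append((m.group(1), m.group(2)))
        m = DELETE_RE.search(line)
        if m:
            deletions.append(
                {"reason": m.group(1), "role": m.group(2),
                 "state": m.group(3), "peer": m.group(4)}
            )
        m = PEER_RE.search(line)
        if m:
            peers.add(m.group(1))
        for marker in ERROR_MARKERS:
            if marker in line:
                errors[marker] += 1

    # Furthest main-mode state ever reached tells you which exchange stalled.
    seen_mm = [s for pair in transitions for s in pair if s in MM_PROGRESS]
    furthest = max(seen_mm, key=MM_PROGRESS.index, default=None)
    return {
        "peers": peers,
        "transitions": transitions,
        "furthest_state": furthest,
        "final_state": transitions[-1][1] if transitions else None,
        "phase1_complete": "IKE_P1_COMPLETE" in seen_mm,
        "errors": errors,
        "deletions": deletions,
    }


def explain(summary):
    """Turn the summary into the lines an operator would want to read."""
    lines = [f"peers seen: {', '.join(sorted(summary['peers'])) or 'none'}"]
    if summary["phase1_complete"]:
        lines.append("phase 1 completed")
    else:
        lines.append(
            "phase 1 did NOT complete; furthest main-mode state: "
            f"{summary['furthest_state']}, final state: {summary['final_state']}"
        )
    for marker, n in summary["errors"].items():
        lines.append(f"error marker x{n}: {marker}")
    for d in summary["deletions"]:
        lines.append(f"SA to {d['peer']} deleted in {d['state']}: {d['reason']}")
    return lines


if __name__ == "__main__":
    for line in explain(analyze(SAMPLE_DEBUG)):
        print(line)
```

Run against the sample, the analyzer reports that phase 1 stalled at IKE_I_MM3 and that the SA was deleted in MM_SA_SETUP with reason "QM_TIMER expired", which is the combination that points at the peer not answering the key exchange rather than at a mismatched pre-shared key (that would show up at MM5/MM6).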
AAA Radius Authentication for Remote VPN With ACS Server Across L2L VPN
Hi,
I have an ASA running fine on the network which provide L2L tunnel to remote site and provide Remote VPN for remote access users.
Currently, there is a need for the users to authenticate against an ACS server that located across the L2L VPN tunnel.
The topology is just simple with 2 interfaces on the ASA, inside and outside, and a default route pointing to the ISP IP Address.
I can ping the IP address of the ACS Server (which located at the remote site, IP addr: 10.10.10.56) from the ASA:
ping inside 10.10.10.56
However when I configure the ASA for the AAA group with commands:
aaa-server ACSAuth protocol radius
aaa-server ACSAuth host (inside) 10.10.10.56 key AcsSecret123
Then when I do the show run, here is the result:
aaa-server ACSAuth protocol radius
aaa-server host 10.10.10.56
key AcsSecret123
From what I thought is, with this running config, traffic is not directed to the L2L VPN tunnel
(seems to be directed to the default gateway due to the default route information) which cause failure to do the AAA authentication.
Does anybody ever implement such this thing and whether is it possible? And if yes, how should be the config?
Your help will be really appreciated!
Thanks.
Best Regards,
Jo
AAA is designed to enable you to dynamically configure the type of authentication and authorization you want on a per-line (per-user) or per-service (for example, IP, IPX, or VPDN) basis. You define the type of authentication and authorization you want by creating method lists, then applying those method lists to specific services or interfaces.
http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/schaaa.html -
HA between Dedicated T1 and L2L VPN
I'm looking for ideas on how to have complete HA between a dedicated T1 and an L2L VPN over the internet.
We had discussed routing protocol OSPF but would like to avoid the converge issues that could rise and affect other customers in the same DMZ.
What would be our options if we do not want to use a routing protocol? How could we fail over to the backup line, the L2L, should the T1 fail? I had mentioned changing the metrics, but this will not identify a problem on the line should the customer's Ethernet link go down.
Feel free to include any ideas that would use routing protocols.
I had to revisit this configuration. I had decided, since we are not going to use a routing protocol, that a floating route between the T1 router and VPN is the best solution. Although this should work if the router or the Ethernet of the router goes down, it should fail if the Ethernet interface of the router, which has OSPF running between their network and our LAN, does not fail.
But it is not failing?
I have attached a diagram. -
MAPI latency/slowness over L2L VPN
We recently implemented an email archiving solution (Symantec Enterprise Vault) that sends the archives to a vendor across a L2L VPN on an ASA 5510. EV apparently uses MAPI during the archive process.
We're experiencing slowness during the archive process, and the slowness seems to originate with the VPN tunnel.
I'm reaching out to see if anyone has had any experience with MAPI over VPN or if anyone has seen a similar issue.
The vendor is saying it's a "network issue", which I seriously doubt.
Thanks. -
Hi,
I have a Cisco ASA 5520 with two L2L VPNs configured in that box. Now if at any time I want to re-initiate or re-establish the tunnel, what command do I have to give? I want to re-establish the IKE and IPsec SAs.
Please guide me on what command I have to give to re-establish all the L2L tunnels or a single tunnel.
Regards,
som
1. ASA5510# clear crypto ipsec sa ?
counters Clear IPsec SA counters
entry Clear IPsec SAs by entry
map Clear IPsec SAs by map
peer Clear IPsec SA by peer
2. ASA5510# clear crypto isakmp sa -
Add a new L2L VPN tunnel URGENT
Hi,
I have an ASA5520 device and already 2 L2L VPNs are running on it. I want to add a new VPN tunnel to connect another branch.
In the configuration, when I have given
crypto map toremote 50 match address SINGAPORE
this command, it's showing WARNING incomplete command!
What is the problem with that? Please help me with the issue.
Thanks
somnath
Hi Somnath
This is a normal prompt. You will get this prompt until you complete your crypto map.
crypto map toremote 50 match address SINGAPORE
crypto map toremote 50 set peer SINGAPOREIP
crypto map toremote 50 set transform-set yoursetnamehere
As you issue the last line above, the crypto map will be complete and you won't receive the warning anymore.
Regards -
2811:connecting two ASA5505 l2l VPN's
Hello,
We have an HQ site with a 2811 (w/ADVSECURITYK9-M) acting as the firewall. We currently have 1 ASA5505 that has an established ipsec l2l VPN.
I'm trying to connect a 2nd ASA, but I've noticed I can only add 1 cryptomap to the outside interface.
A show ver shows 1 Virtual Private Network Module... Surely that doesn't mean only 1 VPN?
Do I use one crypto map, and add a second 'set peer' & 'match address' inside the crypto map itself?
Thanks,
Jason
Ok, I'm getting closer, but still failing. I was close enough that a VoIP phone registered with the phone system at some point, but I'm not sure why it won't stay connected.
The original, VPN1, is still connected though.
I've verified the pre-shared keys on both ends match.
Here's an error from the debug of the second ASA, VPN2
Aug 24 10:49:45 [IKEv1]: Group = 64.X.X.X, IP = 64.X.X.X, QM FSM error (P2 struct &0x42436b0, mess id 0x374e49ed)!
Aug 24 10:49:45 [IKEv1]: Group = 64.X.X.X, IP = 64.X.X.X, Removing peer from correlator table failed, no match!
Aug 24 10:49:45 [IKEv1]: Group = 64.X.X.X, IP = 64.X.X.X, QM FSM error (P2 struct &0x42436b0, mess id 0x374e49ed)!
Aug 24 10:49:45 [IKEv1]: Group = 64.X.X.X, IP = 64.X.X.X, Removing peer from correlator table failed, no match!
As far as the ASA configs go, everything is exactly the same, except:
NEW ASA VPN2 - both ASAs have object groups 1 & 2, containing other IPs of the HQ site. The IPs listed here are of VPN1's local LAN.
I imagine I will need to add VPN2's local IP to VPN1's config for object groups 1 & 2, but I don't think that is the reason this won't connect to HQ.
object-group network DM_INLINE_NETWORK_1
network-object 192.168.26.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object 192.168.26.0 255.255.255.0
object-group network DM_INLINE_NETWORK_3
network-object 192.168.27.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
Working ASA VPN1 - not sure exactly how the bolded line works
no crypto isakmp nat-traversal
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
HQ 2811 -----------------------------------------------------------------------
Hope I included enough of the router config. Again, VPN1 is working.
crypto isakmp key VPN1PW address 99.x.x.x
crypto isakmp key VPN2PW address 108.x.x.x
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec df-bit clear
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to 99.x.x.x VPN1
set peer 99.x.x.x
set transform-set ESP-AES-128-SHA
match address 103
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to 108.x.x.x VPN2
set peer 108.x.x.x
set transform-set ESP-AES-128-SHA
match address 105
****** This next section I don't recall typing in, but it refers to access-group 105, and 105 was newly created for the new VPN2. I did not find a corresponding command for access-group 103; 105 is a copy of 103, except each one includes the other's local LAN too.
class-map type inspect match-all sdm-nat-user-protocol--2-1
match access-group 105
match protocol user-protocol--2
interface FastEthernet0/1
description T1 to Internet$FW_OUTSIDE$
ip address 64.x.x.x 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1 -
L2L VPN with source and destination NAT
Hello,
I am new to the ASA 8.4 and was wondering how to tackle the following scenario.
The diagram is
Customer ---->>> Firewall --->> L2L VPN --->> Me --->> MPLS ---> Server
The server is accessible by other tunnels in place but there is no NAT needed. For the tunnel we are talking about it is
The Customer connects the following way
Source: 198.1.1.1
Destination: 192.168.1.1
It gets to the outside ASA interface which should translate the packets to:
Source: 10.110.110.1
Destination: 10.120.110.1
On the way back, 10.120.110.1 should be translated to 192.168.1.1 only when going to 198.1.1.1
I did the following configuration which I am not able to test but tomorrow during the migration
object network obj-198.1.1.1
host 198.1.1.1
object network obj-198.1.1.1
nat (outside,inside) dynamic 10.110.110.1
For the inside to outside NAT depending on the destination:
object network Real-IP
host 10.120.110.1
object-group network PE-VPN-src
network-object host 198.1.1.1
object network Destination-NAT
host 192.168.1.1
nat (inside,outside) source static Real-IP Destination-NAT destination static PE-VPN-src PE-VPN-src
The question is whether I should also create the following for the outside-to-inside flow NAT, or whether the NAT is done by the inside-to-outside statement even if the traffic is always initiated from the outside interface.
object network obj-192.168.1.1
host 192.168.1.1
object network obj-192.168.1.1
nat (outside,inside) dynamic 10.120.110.1
Let's use a spare IP address in the same subnet as the ASA inside interface for the NAT (assuming that 10.10.10.251 is free; please double-check and use a free IP address accordingly):
object network obj-10.10.10.243
host 10.10.10.243
object network obj-77.x.x.24
host 77.x.x.24
object network obj-10.10.10.251
host 10.10.10.251
object network obj-86.x.x.253
host 86.x.x.253
nat (inside,outside) source static obj-10.10.10.243 obj-77.x.x.24 destination static obj-10.10.10.251 obj-86.x.x.253
Hope that helps. -
L2L VPN Decrypted Traffic Not Exiting ASA
Hi,
I have a pair of ASAs running version 9.1 at the remote site and 8.4(4) at the local site. When sending traffic over the tunnel from the local to the remote site, I can see in the IPsec SA the encap packet count increasing locally and the decap count increasing on the remote ASA, but no traffic is egressing the remote ASA's interfaces.
Here is the remote ASAs config:
GigabitEthernet0/0 outside x.x.x.123 255.255.255.192
GigabitEthernet0/1.701 dev_1 10.140.0.1 255.255.255.0
crypto map VPN-Z 10 match address acl_temp_vpn
crypto map VPN-Z 10 set pfs
crypto map VPN-Z 10 set peer x.x.x.67
crypto map VPN-Z 10 set ikev1 transform-set ESP-3DES-SHA
crypto map VPN-Z 10 set security-association lifetime seconds 28800
crypto map VPN-Z 10 set security-association lifetime kilobytes 4608000
crypto map VPN-Z 10 set nat-t-disable
crypto map VPN-Z interface outside
access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 object-group zx-subs (hitcnt=5) 0x3e8360b3
access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 10.0.0.0 255.0.0.0 (hitcnt=0) 0x5cf3e6d1
access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 172.16.0.0 255.240.0.0 (hitcnt=15) 0x73407a52
access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 192.168.0.0 255.255.0.0 (hitcnt=0) 0xe1b9579c
access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 x.x.x.224 255.255.255.224 (hitcnt=0) 0x894cf410
access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 x.x.x.0 255.255.255.192 (hitcnt=0) 0xa879a3f1
tunnel-group x.x.x.67 type ipsec-l2l
tunnel-group x.x.x.67 ipsec-attributes
ikev1 pre-shared-key *****
nat (dev_1,outside) source static dev_1-sub dev_1-sub destination static zx-subs zx-subs
Here is the ipsec sa stats
Crypto map tag: VPN-Zanox, seq num: 10, local addr: x.x.x.123
access-list acl_temp_vpn extended permit ip 10.140.0.0 255.255.0.0 172.16.0.0 255.240.0.0
local ident (addr/mask/prot/port): (10.140.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.0.0/255.240.0.0/0/0)
current_peer: x.x.x.67
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
With a dump on the dev_1 interface
capture dev type raw-data interface dev_1 [Capturing - 0 bytes] match tcp any any
With packet tracer the egress interface is correct but in the capture there appears to be nothing traversing the interface.
Can anybody see anything wrong with this config, or does anyone have suggestions as to what might be going wrong?
Thanks
James
Hi Javier,
Packet-tracer output with a temp ACL to permit ip any any inbound on the outside interface:
l-de-ham-asa-01/act(config)# packet-tracer input outside tcp 172.22.0.90 1234 10.140.0.10 22
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (dev_1,outside) source static dev_1-sub dev_1-sub destination static zx-subs zx-subs
Additional Information:
NAT divert to egress interface dev_1
Untranslate 10.140.0.10/22 to 10.140.0.10/22
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl_outside in interface outside
access-list acl_outside extended permit ip any any
access-list acl_outside remark Zugriffsrichtlinie fuer ICMP Antworten aus dem Internet
Additional Information:
Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (dev_1,outside) source static dev_1-sub dev_1-sub destination static zx-subs zx-subs
Additional Information:
Static translate 172.22.0.90/1234 to 172.22.0.90/1234
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dev_1
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
This is the same result from another site that has an L2L VPN configured.
ASP drop capture to follow... -
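The IPsec SA above was negotiated with proxy identities 10.140.0.0/16 on the local side and 172.16.0.0/12 on the remote side, and packet-tracer drops the decrypted flow in the VPN ipsec-tunnel-flow phase. When decrypted packets count as received but never leave the inside interface, one of the first things to rule out is that the two peers' crypto ACLs are exact mirror images and that the inbound flow actually falls inside the negotiated proxy IDs. The following is an added Python checker (not from the thread or from Cisco) that parses ASA-style `permit ip` crypto ACL entries, lists remote entries with no exact mirror on the local side, and tests which entry a decrypted inbound flow satisfies. The remote ACL is copied from the thread (the masked x.x.x entries and the object-group entry are left out so it parses); the local ACL is constructed for the example and deliberately contains one /24-versus-/16 asymmetry so the checker has something to flag.

```python
import ipaddress
import re

# Crypto ACL of the remote (decrypting) ASA, taken from the thread above; the
# entries with masked x.x.x addresses and the object-group entry are omitted.
REMOTE_ACL = """\
access-list acl_temp_vpn extended permit ip 10.140.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list acl_temp_vpn extended permit ip 10.140.0.0 255.255.0.0 172.16.0.0 255.240.0.0
access-list acl_temp_vpn extended permit ip 10.140.0.0 255.255.0.0 192.168.0.0 255.255.0.0
"""

# Constructed crypto ACL for the local (encrypting) ASA; the thread does not
# show it. The second entry deliberately uses a /24 where the remote side has a
# /16: the kind of asymmetry that fails the proxy-ID check on one side.
LOCAL_ACL = """\
access-list acl_hub_vpn extended permit ip 10.0.0.0 255.0.0.0 10.140.0.0 255.255.0.0
access-list acl_hub_vpn extended permit ip 172.16.0.0 255.240.0.0 10.140.0.0 255.255.255.0
access-list acl_hub_vpn extended permit ip 192.168.0.0 255.255.0.0 10.140.0.0 255.255.0.0
"""

PERMIT_RE = re.compile(r"access-list\s+\S+\s+extended\s+permit\s+ip\s+(.*)$")


def _operand(tokens, i):
    """Parse one ASA address operand: 'any', 'host X', or 'X MASK'."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tok in ("object", "object-group"):
        raise ValueError("expand objects/object-groups to addresses first")
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Return [(src_net, dst_net), ...] for every 'permit ip' entry."""
    entries = []
    for line in text.splitlines():
        m = PERMIT_RE.search(line.strip())
        if not m:
            continue
        tokens = m.group(1).split()   # trailing (hitcnt=..) tokens are ignored
        src, i = _operand(tokens, 0)
        dst, _ = _operand(tokens, i)
        entries.append((src, dst))
    return entries


def unmirrored(local, remote):
    """Remote entries (src, dst) with no exact (dst, src) mirror on the local side."""
    local_set = set(local)
    return [(s, d) for s, d in remote if (d, s) not in local_set]


def inbound_match(entries, src_ip, dst_ip):
    """Entry satisfied by a decrypted packet src_ip -> dst_ip arriving at this ASA.

    The crypto ACL is written from the local side's point of view, so inbound
    traffic must have its source in the entry's remote net and its destination
    in the entry's local net. Returns None when the flow is outside every entry.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for local_net, remote_net in entries:
        if src in remote_net and dst in local_net:
            return (local_net, remote_net)
    return None


if __name__ == "__main__":
    remote, local = parse_acl(REMOTE_ACL), parse_acl(LOCAL_ACL)
    for s, d in unmirrored(local, remote):
        print(f"no exact mirror on local side for {s} -> {d}")
    # 172.22.0.90 -> 10.140.0.10 is the flow used in the packet-tracer above.
    print("inbound match:", inbound_match(remote, "172.22.0.90", "10.140.0.10"))
```

The mirror check is deliberately strict (exact network equality, not containment) because IKEv1 quick mode negotiates the proxy IDs literally; a /24 on one side and a /16 on the other is accepted by some peers and rejected by others, and either way the resulting SA only covers what the narrower side proposed.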
ASA with Multiple dynamic L2L VPN
I have an ASA 5510 as VPN Concentrator, used for about 30 L2L-VPNs.
I need also some L2L-VPN with dynamic remote peer.
While the configuration for a single dyn-VPN is quite simple (as described in several examples), how can I configure the ASA in the case of many dyn-VPNs?
Basically, all the dyn-VPN should use the same PSK (the one of DefaultL2LGroup).
But using "aggressive mode" on the remote peer, I could use a different PSK for each dyn-VPN:
tunnel-group ABCD ipsec-attributes
pre-shared-key *
Is this configuration correct?
Best regards
Claudio
Hi,
Maybe the solutions provided in the following document might also be an option for you to configure multiple dynamic L2L VPN connections on the ASA
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bc7d13.shtml
Hope this helps
- Jouni -
Cisco ASA 5505 L2L VPN Tunnel with one Dynamic IP
Hi Rizwan,
Thanks for your response. I updated the configuration per your response below... It still doesn't work. please see my new config files below. Please help. Thanks in advance for your help....
Hi Pinesh,
Please make the following changes on host officeasa.
Remove the highlighted line below:
crypto dynamic-map L2LMap 1 match address Crypto_L2L
It is only because group1 is weak, so please change it to group2
crypto dynamic-map L2LMap 1 set pfs group1
route outside 10.10.6.0 255.255.255.0 96.xxx.xxx.117
Please make the following changes on host homeasa.
It is only because group1 is weak, so please change it to group2
crypto map L2Lmap 1 set pfs group1
route outside 10.10.5.0 255.255.255.0 xxx.xxx.xxx.xxx (the default gateway on homeasa)
Hope that helps, if not please open a new thread.
Thanks
Rizwan Rafeek
New config files..
Site-A: (Office):
Hostname: asaoffice
Inside: 10.10.5.0/254
Outside e0/0: Static IP 96.xxx.xxx.118/30
Site-B: (Home):
Hostname: asahome
Inside: 10.10.6.0/254
Outside e0/0: Dynamic IP (DG: 66.xxx.xxx.1)
Site-A:
officeasa(config)# sh config
: Saved
: Written by enable_15 at 15:34:23.899 UTC Sat Mar 3 2012
ASA Version 8.2(5)
hostname officeasa
enable password xyz encrypted
passwd xyz encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 3
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
switchport access vlan 3
interface Ethernet0/4
switchport access vlan 3
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
switchport access vlan 3
interface Ethernet0/7
switchport access vlan 3
interface Vlan2
nameif outside
security-level 0
ip address 96.xxx.xxx.118 255.255.255.252
interface Vlan3
nameif inside
security-level 100
ip address 10.10.5.254 255.255.255.0
ftp mode passive
same-security-traffic permit inter-interface
access-list NONAT extended permit ip 10.10.5.0 255.255.255.0 192.168.100.0 255.2
access-list NONAT extended permit ip 10.10.5.0 255.255.255.0 10.10.6.0 255.255.2
access-list ormtST standard permit 10.10.5.0 255.255.255.0
access-list OCrypto_L2L extended permit ip 10.10.5.0 255.255.255.0 10.10.6.0 255
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool ormtIPP 192.168.100.100-192.168.100.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 96.xxx.xxx.117 1
route outside 10.10.6.0 255.255.255.0 96.xxx.xxx.117 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set OSite2Site esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map OL2LMap 1 set pfs
crypto dynamic-map OL2LMap 1 set transform-set OSite2Site
crypto dynamic-map OL2LMap 1 set reverse-route
crypto map out_L2lMap 65535 ipsec-isakmp dynamic OL2LMap
crypto map out_L2LMap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
client-update enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 10.10.5.101-10.10.5.132 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy ormtGP internal
group-policy ormtGP attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ormtST
address-pools value ormtIPP
webvpn
svc keep-installer installed
svc rekey time 30
svc rekey method ssl
svc ask enable default svc timeout 20
username user1 password abcxyz encrypted
username user1 attributes
service-type remote-access
tunnel-group ormtProfile type remote-access
tunnel-group ormtProfile general-attributes
default-group-policy ormtGP
tunnel-group ormtProfile webvpn-attributes
group-alias OFFICE enable
tunnel-group defaultL2LGroup type ipsec-l2l
tunnel-group defaultL2LGroup ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:46d5c2e1ac91d73293f2fb1a0045180c
officeasa(config)#
Site-B:
Home ASA Configuration:
homeasa# sh config
: Saved
: Written by enable_15 at 15:48:42.479 UTC Sat Mar 3 2012
ASA Version 8.2(5)
hostname homeasa
enable password xyz encrypted
passwd xyz encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 3
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
switchport access vlan 3
interface Ethernet0/4
switchport access vlan 3
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
switchport access vlan 3
interface Ethernet0/7
switchport access vlan 3
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan3
nameif inside
security-level 100
ip address 10.10.6.254 255.255.255.0
ftp mode passive
same-security-traffic permit inter-interface
access-list NONAT extended permit ip 10.10.6.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list NONAT extended permit ip 10.10.6.0 255.255.255.0 10.10.5.0 255.255.255.0
access-list hrmtST standard permit 10.10.6.0 255.255.255.0
access-list Crypto_L2L extended permit ip 10.10.6.0 255.255.255.0 10.10.5.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool hrmtIPP 192.168.101.100-192.168.101.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 10.10.5.0 255.255.255.0 66.xxx.xxx.1 1 (IP address of the Dynamic IP from ISP)
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.6.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set Site2Site esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map L2Lmap 1 match address Crypto_L2L
crypto map L2Lmap 1 set peer 96.xxx.xxx.118
crypto map L2Lmap 1 set transform-set Site2Site
crypto map L2LMap 1 set pfs
crypto map L2LMap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 10.10.6.101-10.10.6.132 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy hrmtGP internal
group-policy hrmtGP attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value hrmtST
address-pools value hrmtIPP
webvpn
svc keep-installer installed
svc rekey time 30
svc rekey method ssl
svc ask enable default svc timeout 20
username user1 password abcxyz encrypted
username user1 attributes
service-type admin
tunnel-group hrmtProfile type remote-access
tunnel-group hrmtProfile general-attributes
default-group-policy hrmtGP
tunnel-group hrmtProfile webvpn-attributes
group-alias hrmtCGA enable
tunnel-group 96.xxx.xxx.118 type ipsec-l2l
tunnel-group 96.xxx.xxx.118 ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d16a0d49f275612dff7e404f49bcc499
homeasa#
Thanks Rizwan,
Still no luck. I can't even ping the other side (office). I am not sure if I'm running the debug the right way. Here are my results...
homeasa(config)# ping inside 10.10.5.254 (Office Cisco ASA5505 IP on the local side. I also tried pinging the server on the other side (office), which is at 10.10.5.10, and got the same result)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.5.254, timeout is 2 seconds:
Success rate is 0
homeasa(config)# debug crypto isakmp 7
homeasa(config)# debug crypto ipsec 7
homeasa(config)# sho crypto isakmp 7
^
ERROR: % Invalid input detected at '^' marker.
homeasa(config)# sho crypto isakmp
There are no isakmp sas
Global IKE Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 0
In Packets: 0
In Drop Packets: 0
In Notifys: 0
In P2 Exchanges: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 0
Out Packets: 0
Out Drop Packets: 0
Out Notifys: 0
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0
Global IPSec over TCP Statistics
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0
hjnavasa(config)# sh crypto ipsec sa peer 96.xxx.xxx.118
There are no ipsec sas
homeasa(config)# -
ASA5505 L2L VPN does not function after move and reconfiguration
I have an ASA5505 that had multiple VPNs to both Cisco 5505s and other vendors' security appliances. The one in question that moved to a new IP address checks out on isakmp sa, ipsec sa and nat, yet there is no communication across the tunnel. This behavior is consistent across all remote sites. The remote sites function normally. Below is the output with some show commands.
ASA Version 8.4(4)
hostname RitterBars
names
name 67.231.37.42 RitterLAB-ASA
name 67.231.37.45 RitterLAB-LB-WAN1
name 64.233.131.94 RitterLAB-LB-WAN3
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 3
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
description Port 7 on 9108
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan3
no forward interface Vlan2
nameif CoreNetwork
security-level 0
ip address 172.20.10.22 255.255.255.128
boot system disk0:/asa844-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CST recurring
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.9.0
subnet 192.168.9.0 255.255.255.0
object network obj-192.168.85.0
subnet 192.168.85.0 255.255.255.0
object network obj-10.200.1.0
subnet 10.200.1.0 255.255.255.0
object network obj-192.168.3.0
subnet 192.168.3.0 255.255.255.0
object network obj-192.168.1.2
host 192.168.1.2
object service obj-tcp-source-eq-22
service tcp source eq ssh
object service obj-tcp-source-eq-5922
service tcp source eq 5922
object network obj-192.168.1.10
host 192.168.1.10
object service obj-tcp-source-eq-5125
service tcp source eq 5125
object service obj-tcp-source-eq-80
service tcp source eq www
object network obj-192.168.1.119
host 192.168.1.119
object service obj-udp-source-eq-69
service udp source eq tftp
object network obj-192.168.1.51
host 192.168.1.51
object service obj-tcp-source-eq-443
service tcp source eq https
object service obj-tcp-source-eq-5980
service tcp source eq 5980
object network obj-192.168.1.114
host 192.168.1.114
object network obj-96.43.39.27
host 96.43.39.27
object network obj-xxx.xxx.xxx.xxx
host xxx.xxx.xxx.xxx
object-group network Inside
network-object 192.168.1.0 255.255.255.0
access-list split-tunnel extended permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 192.168.85.0 255.255.255.0
access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 10.200.1.0 255.255.255.0
access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list VPN2LAB extended permit ip 192.168.1.0 255.255.255.0 192.168.85.0 255.255.255.0
access-list VPN2LAB extended permit ip 192.168.1.0 255.255.255.0 10.200.1.0 255.255.255.0
access-list Barracudalab extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inat extended permit ip 192.168.1.0 255.255.255.0 any
access-list vnat extended permit ip 192.168.1.0 255.255.255.0 host 216.163.29.244
access-list out2in extended permit tcp host 64.233.128.6 host 192.168.1.2 eq ssh
access-list out2in extended permit tcp 64.233.128.0 255.255.255.0 host 192.168.1.2 eq ssh
access-list out2in extended permit tcp 64.233.128.0 255.255.255.0 host 192.168.1.10 eq 5125
access-list out2in extended permit tcp 64.233.128.0 255.255.255.0 host 192.168.1.10 eq www
access-list out2in extended permit udp 64.233.128.0 255.255.255.0 host 192.168.1.119 eq tftp
access-list out2in extended permit tcp 64.233.128.0 255.255.255.0 host 192.168.1.51 eq https
access-list out2in extended permit ip 64.233.128.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list out2in extended permit tcp any host 192.168.1.10 eq 5125
access-list out2in extended permit tcp any host 192.168.1.10 eq www
access-list out2in extended permit tcp any 192.168.1.0 255.255.255.0 eq ftp
access-list out2in extended permit tcp any 192.168.1.0 255.255.255.0 eq ftp-data
access-list out2in extended permit udp any host 192.168.1.119 eq tftp
access-list out2in extended permit tcp any host 192.168.1.51 eq https
access-list out2in extended permit icmp any any
pager lines 24
logging console alerts
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu CoreNetwork 1500
ip local pool vpn-pool 192.168.9.10-192.168.9.250
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.9.0 obj-192.168.9.0 no-proxy-arp
nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.85.0 obj-192.168.85.0 no-proxy-arp
nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-10.200.1.0 obj-10.200.1.0 no-proxy-arp
nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.3.0 obj-192.168.3.0 no-proxy-arp
nat (inside,outside) source static obj-192.168.1.2 interface service obj-tcp-source-eq-22 obj-tcp-source-eq-5922
nat (inside,outside) source static obj-192.168.1.10 interface service obj-tcp-source-eq-5125 obj-tcp-source-eq-5125
nat (inside,outside) source static obj-192.168.1.10 interface service obj-tcp-source-eq-80 obj-tcp-source-eq-80
nat (inside,outside) source static obj-192.168.1.119 interface service obj-udp-source-eq-69 obj-udp-source-eq-69
nat (inside,outside) source static obj-192.168.1.51 interface service obj-tcp-source-eq-443 obj-tcp-source-eq-5980
nat (inside,outside) source static obj-192.168.1.114 obj-96.43.39.27
nat (inside,CoreNetwork) source dynamic obj-192.168.1.0 interface destination static obj-xxx.xxx.xxx.xxx obj-xxx.xxx.xxx.xxx
nat (inside,outside) source dynamic Inside interface
nat (inside,outside) after-auto source dynamic any interface
access-group out2in in interface outside
route CoreNetwork 172.20.30.0 255.255.255.248 172.20.10.1 1
route CoreNetwork 216.163.29.244 255.255.255.255 172.20.10.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set psset esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map samap 1 match address VPN2LAB
crypto map samap 1 set peer RitterLAB-ASA
crypto map samap 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map samap 2 match address Barracudalab
crypto map samap 2 set peer RitterLAB-LB-WAN1 RitterLAB-LB-WAN3
crypto map samap 2 set ikev1 transform-set ESP-3DES-SHA
crypto map samap interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 11
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcpd dns 64.233.128.10 64.233.128.11
dhcpd auto_config outside
dhcpd address 192.168.1.100-192.168.1.150 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 66.187.233.4 source outside
ntp server 64.99.80.30 source outside
webvpn
username xxx.xxx.xxx.xxx password xxx.xxx.xxx.xxx encrypted privilege 15
username xxx.xxx.xxx.xxx attributes
vpn-group-policy WebVPNpolicy
username xxx.xxx.xxx.xxx password xxx.xxx.xxx.xxx encrypted privilege 15
username xxx.xxx.xxx.xxx attributes
vpn-group-policy WebVPNpolicy
tunnel-group 67.231.37.42 type ipsec-l2l
tunnel-group 67.231.37.42 ipsec-attributes
ikev1 pre-shared-key xxx.xxx.xxx.xxx
tunnel-group 67.231.37.45 type ipsec-l2l
tunnel-group 67.231.37.45 ipsec-attributes
ikev1 pre-shared-key xxx.xxx.xxx.xxx
tunnel-group 64.233.131.94 type ipsec-l2l
tunnel-group 64.233.131.94 ipsec-attributes
ikev1 pre-shared-key xxx.xxx.xxx.xxx
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect ip-options
inspect tftp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:bcdf7281cbf323ff6af7457149529a5b
: end
RitterBars# sh isa sa
IKEv1 SAs:
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: 67.231.37.45
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
2 IKE Peer: 67.231.37.42
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
RitterBars# sh ipsec sa
interface: outside
Crypto map tag: samap, seq num: 1, local addr: 96.43.41.168
access-list VPN2LAB extended permit ip 192.168.1.0 255.255.255.0 192.168.85.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.85.0/255.255.255.0/0/0)
current_peer: 67.231.37.42
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 96.43.41.168/0, remote crypto endpt.: 67.231.37.42/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 6F98A015
current inbound spi : 6DD466F0
inbound esp sas:
spi: 0x6DD466F0 (1842636528)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1122304, crypto-map: samap
sa timing: remaining key lifetime (kB/sec): (4374000/28182)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x6F98A015 (1872273429)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1122304, crypto-map: samap
sa timing: remaining key lifetime (kB/sec): (4373999/28182)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: samap, seq num: 2, local addr: 96.43.41.168
access-list Barracudalab extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer: 67.231.37.45
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 96.43.41.168/0, remote crypto endpt.: 67.231.37.45/0
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 51AF17EA
current inbound spi : 859BC586
inbound esp sas:
spi: 0x859BC586 (2241578374)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1118208, crypto-map: samap
sa timing: remaining key lifetime (sec): 28152
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x51AF17EA (1370429418)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1118208, crypto-map: samap
sa timing: remaining key lifetime (sec): 28152
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
RitterBars# sh nat int inside
Manual NAT Policies (Section 1)
1 (inside) to (any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.9.0 obj-192.168.9.0 no-proxy-arp
translate_hits = 0, untranslate_hits = 0
2 (inside) to (any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.85.0 obj-192.168.85.0 no-proxy-arp
translate_hits = 18, untranslate_hits = 0
3 (inside) to (any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-10.200.1.0 obj-10.200.1.0 no-proxy-arp
translate_hits = 0, untranslate_hits = 0
4 (inside) to (any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.3.0 obj-192.168.3.0 no-proxy-arp
translate_hits = 0, untranslate_hits = 0
5 (inside) to (outside) source static obj-192.168.1.2 interface service obj-tcp-source-eq-22 obj-tcp-source-eq-5922
translate_hits = 0, untranslate_hits = 0
6 (inside) to (outside) source static obj-192.168.1.10 interface service obj-tcp-source-eq-5125 obj-tcp-source-eq-5125
translate_hits = 0, untranslate_hits = 9094
7 (inside) to (outside) source static obj-192.168.1.10 interface service obj-tcp-source-eq-80 obj-tcp-source-eq-80
translate_hits = 0, untranslate_hits = 126
8 (inside) to (outside) source static obj-192.168.1.119 interface service obj-udp-source-eq-69 obj-udp-source-eq-69
translate_hits = 0, untranslate_hits = 0
9 (inside) to (outside) source static obj-192.168.1.51 interface service obj-tcp-source-eq-443 obj-tcp-source-eq-5980
translate_hits = 0, untranslate_hits = 195
10 (inside) to (outside) source static obj-192.168.1.114 obj-96.43.39.27
translate_hits = 0, untranslate_hits = 0
11 (inside) to (CoreNetwork) source dynamic obj-192.168.1.0 interface destination static obj-216.163.29.244 obj-216.163.29.244
translate_hits = 107, untranslate_hits = 0
12 (inside) to (outside) source dynamic Inside interface
translate_hits = 35387, untranslate_hits = 2940
Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic any interface
translate_hits = 291, untranslate_hits = 78
I just recently got the triple play package from Verizon with FiOS too. And of course the Actiontec is total crap. The very first night it rebooted over and over again. What good is an internet connection you can't use, right... Anyways, I have a Cisco 831 that I use for a VPN to work, and so I decided to put that up front.
Anyways, had the same problem. First I set up my router to bridge the connection from the Actiontec to my router. So it goes Broadband MoCA -> Actiontec LAN -(eth cable)-> Cisco WAN port. This worked great, except now my VOD didn't work. So then I found this article....
http://www.dslreports.com/forum/r19559467-How-To-MI424WR-Network-Bridge-working-FIOS-TV
It was genius: add a second bridge from the Cisco LAN -(eth cable)-> Actiontec WAN -> local MoCA, and then put DHCP relay on the bridge. Everything worked again, hooray. Then I added an access list, and there went my VOD again.
So then I spent about two hours turning ports on and off and such, and finally I figured it out. You'll need to allow inbound established TCP connections that internal hosts create. This will get back your guide and allow the VOD menu to work again. Then you have to allow inbound connections on UDP port 21310. I applied it and lo and behold, VOD is back. Now my only problem is that the 831 only has a 10 Mb/s Ethernet WAN, so I can't get HD VOD, but ah well. I'll upgrade one of these days to an 851 or 871.
Here's what the access lists should look like in IOS:
permit tcp any host (your external IP address) established
permit udp any host (your external IP address) eq 21310
It's probably going to be a little bit different since you have an ASA, but I think you get the idea.
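When a tunnel like the ones in the `sh ipsec sa` output posted earlier in this thread comes up but traffic still fails, the first thing to read is the per-entry packet counters: the first crypto map entry there shows 4 packets encapsulated and none decapsulated, which is the classic one-way pattern that points at the far side (crypto ACL, NAT exemption or routing) rather than at phase 1. The script below is an added example, not code from the thread or from Cisco; it parses that output format and flags each crypto map entry as idle, one-way or ok. The sample output is constructed with RFC 5737 documentation addresses in the same layout the ASA prints.

```python
"""Summarise ASA 'show crypto ipsec sa' output and flag tunnels whose packet
counters show one-way or no traffic.

Added example for this thread; not code from the original post or from Cisco.
SAMPLE_OUTPUT is constructed in the layout the ASA prints.
"""
import re
from dataclasses import dataclass

# Constructed sample: three crypto map entries on one interface.
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: samap, seq num: 1, local addr: 192.0.2.10

      access-list VPN2LAB extended permit ip 192.168.1.0 255.255.255.0 192.168.85.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.85.0/255.255.255.0/0/0)
      current_peer: 203.0.113.42

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0

    Crypto map tag: samap, seq num: 2, local addr: 192.0.2.10

      access-list Barracudalab extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
      current_peer: 203.0.113.45

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0

    Crypto map tag: samap, seq num: 3, local addr: 192.0.2.10

      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.200.1.0/255.255.255.0/0/0)
      current_peer: 203.0.113.50

      #pkts encaps: 1520, #pkts encrypt: 1520, #pkts digest: 1520
      #pkts decaps: 1498, #pkts decrypt: 1498, #pkts verify: 1498
      #send errors: 0, #recv errors: 0
"""


@dataclass
class TunnelStats:
    seq: int
    peer: str
    local_addr: str = ""
    local_ident: str = ""
    remote_ident: str = ""
    encaps: int = 0
    decaps: int = 0
    send_errors: int = 0
    recv_errors: int = 0


# One crypto map entry starts at each "Crypto map tag:" line.
_RE_ENTRY = re.compile(r"Crypto map tag: (\S+), seq num: (\d+), local addr: (\S+)")

# Single-value fields, keyed on the literal labels the ASA prints.
_FIELDS = {
    "peer": re.compile(r"current_peer: (\S+)"),
    "local_ident": re.compile(r"local ident \(addr/mask/prot/port\): \(([^)]+)\)"),
    "remote_ident": re.compile(r"remote ident \(addr/mask/prot/port\): \(([^)]+)\)"),
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
    "send_errors": re.compile(r"#send errors: (\d+)"),
    "recv_errors": re.compile(r"#recv errors: (\d+)"),
}
_INT_FIELDS = {"encaps", "decaps", "send_errors", "recv_errors"}


def parse_ipsec_sa(text):
    """Return one TunnelStats per crypto map entry, in output order."""
    tunnels = []
    current = None
    for line in text.splitlines():
        m = _RE_ENTRY.search(line)
        if m:
            current = TunnelStats(seq=int(m.group(2)), peer="", local_addr=m.group(3))
            tunnels.append(current)
            continue
        if current is None:
            continue  # interface header before the first entry
        for name, rx in _FIELDS.items():
            m = rx.search(line)
            if m:
                value = m.group(1)
                setattr(current, name, int(value) if name in _INT_FIELDS else value)
    return tunnels


def assess(t):
    """Classify a tunnel from its counters.
    one-way-tx: we encapsulate but never decapsulate (remote side is not
    sending back through the tunnel); one-way-rx is the mirror image.
    """
    if t.encaps == 0 and t.decaps == 0:
        return "idle"
    if t.decaps == 0:
        return "one-way-tx"
    if t.encaps == 0:
        return "one-way-rx"
    if t.send_errors or t.recv_errors:
        return "errors"
    return "ok"


def report(text):
    """(seq, peer, verdict) for every entry in the output."""
    return [(t.seq, t.peer, assess(t)) for t in parse_ipsec_sa(text)]


if __name__ == "__main__":
    for seq, peer, verdict in report(SAMPLE_OUTPUT):
        print(f"seq {seq} peer {peer}: {verdict}")
```

Feed it the real output with `python3 script.py < show_ipsec_sa.txt` after replacing `SAMPLE_OUTPUT` with `sys.stdin.read()`; an `idle` verdict on an entry that should be carrying traffic usually means the interesting traffic is not matching the crypto ACL or is being translated before it reaches the tunnel, which is what the `show nat` hit counters further up the thread help confirm.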