L2L VPN Decrypted Traffic Not Exiting ASA

Hi,
I have a pair of ASAs runing version 9.1 at the remote site and 8.4 (4) at the local site. When sending traffic over the tunnel from the local to remote, I can see in the IPSec SA the encap packet count increasing locally and the decap count increasing on the remote ASAs but no traffic is egressing the remote ASA's interfaces.
Here is the remote ASAs config:
GigabitEthernet0/0       outside                x.x.x.123       255.255.255.192GigabitEthernet0/1.701   dev_1                  10.140.0.1      255.255.255.0crypto map VPN-Z 10 match address acl_temp_vpncrypto map VPN-Z 10 set pfs crypto map VPN-Z 10 set peer x.x.x.67 crypto map VPN-Z 10 set ikev1 transform-set ESP-3DES-SHAcrypto map VPN-Z 10 set security-association lifetime seconds 28800crypto map VPN-Z 10 set security-association lifetime kilobytes 4608000crypto map VPN-Z 10 set nat-t-disablecrypto map VPN-Z interface outsideaccess-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 object-group zx-subs (hitcnt=5) 0x3e8360b3 access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 10.0.0.0 255.0.0.0 (hitcnt=0) 0x5cf3e6d1 access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 172.16.0.0 255.240.0.0 (hitcnt=15) 0x73407a52 access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 192.168.0.0 255.255.0.0 (hitcnt=0) 0xe1b9579c access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 x.x.x.224 255.255.255.224 (hitcnt=0) 0x894cf410 access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 x.x.x.0 255.255.255.192 (hitcnt=0) 0xa879a3f1tunnel-group x.x.x.67 type ipsec-l2ltunnel-group x.x.x.67 ipsec-attributes ikev1 pre-shared-key *****nat (dev_1,outside) source static dev_1-sub dev_1-sub destination static zx-subs zx-subs
Here is the ipsec sa stats
Crypto map tag: VPN-Zanox, seq num: 10, local addr: x.x.x.123access-list acl_temp_vpn extended permit ip 10.140.0.0 255.255.0.0 172.16.0.0 255.240.0.0       local ident (addr/mask/prot/port): (10.140.0.0/255.255.0.0/0/0)      remote ident (addr/mask/prot/port): (172.16.0.0/255.240.0.0/0/0)      current_peer: x.x.x.67      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0      #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
With a dump on the dev_1 interface
capture dev type raw-data interface dev_1 [Capturing - 0 bytes]   match tcp any any
With packet tracer the egress interface is correct but in the capture there appears to be nothing traversing the interface.
Can any body see anything wrong wiht this config or any suggestions as to might be going wrong?
Thanks
James

Hi Javier,
Packet-tracer output with a temp ACL to permit ip any any inbound on the outside interface:
l-de-ham-asa-01/act(config)# packet-tracer input outside tcp 172.22.0.90 1234 10.140.0.10 22Phase: 1Type: UN-NATSubtype: staticResult: ALLOWConfig:nat (dev_1,outside) source static dev_1-sub dev_1-sub destination static zx-subs zx-subsAdditional Information:NAT divert to egress interface dev_1Untranslate 10.140.0.10/22 to 10.140.0.10/22Phase: 2Type: ROUTE-LOOKUPSubtype: inputResult: ALLOWConfig:Additional Information:in   0.0.0.0         0.0.0.0         outsidePhase: 3Type: ACCESS-LISTSubtype: logResult: ALLOWConfig:access-group acl_outside in interface outsideaccess-list acl_outside extended permit ip any any access-list acl_outside remark Zugriffsrichtlinie fuer ICMP Antworten aus dem InternetAdditional Information:Phase: 4Type: CONN-SETTINGSSubtype: Result: ALLOWConfig:Additional Information:Phase: 5Type: NATSubtype: Result: ALLOWConfig:nat (dev_1,outside) source static dev_1-sub dev_1-sub destination static zx-subs zx-subsAdditional Information:Static translate 172.22.0.90/1234 to 172.22.0.90/1234Phase: 6Type: NATSubtype: per-sessionResult: ALLOWConfig:       Additional Information:Phase: 7Type: IP-OPTIONSSubtype: Result: ALLOWConfig:Additional Information:Phase: 8Type: VPNSubtype: ipsec-tunnel-flowResult: DROPConfig:Additional Information:Result:input-interface: outsideinput-status: upinput-line-status: upoutput-interface: dev_1output-status: upoutput-line-status: upAction: dropDrop-reason: (acl-drop) Flow is denied by configured rule
This is the same result from another site that has an L2L VPN configured.
ASP drop capture to follow...

Similar Messages

  • L2L VPN Issue - one subnet not reachable

    Hi Folks,
    I have a strange issue with a new VPN connection and would appreciate any help.
    I have a pair of Cisco asa 5540s configured as a failover pair (code version 8.2(5)).   
    I have recently added 2 new L2L VPNs - both these VPNs are sourced from the same interface on my ASA (called isp), and both are to the same customer, but they terminate on different firewalls on the cusomter end, and encrypt traffic from different customer subnets.    There's a basic network diagram attached.
    VPN 1 - is for traffic from the customer subnet 10.2.1.0/24.    Devices in this subnet should be able to access 2 subnets on my network - DMZ 211 (192.168.211.0./24) and DMZ 144 (192.168.144.0/24).    This VPN works correctly.
    VPN 2 - is for traffic from the customer subnet 192.168.1.0/24.    Devices in  this subnet should be able to access the same 2 subnets on my network - DMZ 211  (192.168.211.0./24) and DMZ 144 (192.168.144.0/24).    This VPN is not working correctly - the customer can access DMZ 144, but not DMZ 211.
    There are isakmp and ipsec SAs for both VPNs.    I've noticed that the packets encaps/decaps counter does not increment when the customer sends test traffic to DMZ 211.  This counter does increment when they send test traffic to DMZ144.   I can also see traffic sent to DMZ 144 from the customer subnet 192.168.1.0/24 in packet captures on the DMZ 144 interface of the ASA.   I cannot see similar traffic in captures on the DMZ211 interface (although I can see traffic sent to DMZ211 if it is sourced from 10.2.1.0/24 - ie when it uses VPN1)
    Nat exemption is configured for both 192.168.1.0/24 and 10.2.1.0/24.
    There is a route to both customer subnets via the same next hop.
    There is nothing in the logs toindicate that traffic from 192.168.1.0/24 is being dropped
    I suspect that this may be an issue on the customer end, but I'd like to be able to prove that.   Specifically, I would really like to be able to capture traffic destined to DMZ 211 on the isp interface of the firewall after it has been decrypted - I don't know if this can be done however, and I haven'treally found a good way to prove or disprove that VPN traffic from 192.168.1.0/24 to DMZ211 is arriving at the isp interface of my ASA, and to show what's happening to that traffic after it arrives.
    Here is the relevant vpn configuration:
    crypto map MY_CRYPTO_MAP 90 match address VPN_2
    crypto map MY_CRYPTO_MAP 90 set peer 217.154.147.221
    crypto map MY_CRYPTO_MAP 90 set transform-set 3dessha
    crypto map MY_CRYPTO_MAP 90 set security-association lifetime seconds 86400
    crypto map MY_CRYPTO_MAP 100 match address VPN_1
    crypto map MY_CRYPTO_MAP 100 set peer 193.108.169.48
    crypto map MY_CRYPTO_MAP 100 set transform-set 3dessha
    crypto map MY_CRYPTO_MAP 100 set security-association lifetime seconds 86400
    crypto map MY_CRYPTO_MAP interface isp
    ASA# sh access-list VPN_2
    access-list VPN_2; 6 elements; name hash: 0xa902d2f4
    access-list VPN_2 line 1 extended permit ip object-group VPN_2_NETS 192.168.1.0 255.255.255.0 0x56c7fb8f
      access-list VPN_2 line 1 extended permit ip 192.168.144.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=45) 0x93b6dc21
      access-list VPN_2 line 1 extended permit ip 192.168.211.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=6) 0x0abf7bb9
      access-list VPN_2 line 1 extended permit ip host 192.168.146.29 192.168.1.0 255.255.255.0 (hitcnt=8) 0xcc48a56e
    ASA# sh access-list VPN_1
    access-list VPN_1; 3 elements; name hash: 0x30168cce
    access-list VPN_1 line 1 extended permit ip 192.168.144.0 255.255.252.0 10.2.1.0 255.255.255.0 (hitcnt=6) 0x61759554
    access-list VPN_1 line 2 extended permit ip 192.168.211.0 255.255.255.0 10.2.1.0 255.255.255.0 (hitcnt=3) 0xa602c97c
    access-list VPN_1 line 3 extended permit ip host 192.168.146.29 10.2.1.0 255.255.255.0 (hitcnt=0) 0x7b9f32e3
    nat (dmz144) 0 access-list nonatdmz144
    nat (dmz211) 0 access-list nonatdmz211
    ASA# sh access-list nonatdmz144
    access-list nonatdmz144; 5 elements; name hash: 0xbf28538e
    access-list nonatdmz144 line 1 extended permit ip 192.168.144.0 255.255.255.0 192.168.0.0 255.255.0.0 (hitcnt=0) 0x20121683
    access-list nonatdmz144 line 2 extended permit ip 192.168.144.0 255.255.255.0 172.28.2.0 255.255.254.0 (hitcnt=0) 0xbc8ab4f1
    access-list nonatdmz144 line 3 extended permit ip 192.168.144.0 255.255.255.0 194.97.141.160 255.255.255.224 (hitcnt=0) 0xce869e1e
    access-list nonatdmz144 line 4 extended permit ip 192.168.144.0 255.255.255.0 172.30.0.0 255.255.240.0 (hitcnt=0) 0xd3ec5035
    access-list nonatdmz144 line 5 extended permit ip 192.168.144.0 255.255.255.0 10.2.1.0 255.255.255.0 (hitcnt=0) 0x4c9cc781
    ASA# sh access-list nonatdmz211 | in 192.168\.1\.
    access-list nonatdmz1 line 3 extended permit ip 192.168.211.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0) 0x2bbfcfdd
    ASA# sh access-list nonatdmz211 | in 10.2.1.
    access-list nonatdmz1 line 4 extended permit ip 192.168.211.0 255.255.255.0 10.2.1.0 255.255.255.0 (hitcnt=0) 0x8a836d91
    route isp 192.168.1.0 255.255.255.0 137.191.234.33 1
    route isp 10.2.1.0 255.255.255.0 137.191.234.33 1
    Thanks in advance to anyone who gets this far!

    Darragh
    Clearing the counters was a good idea. If the counter is not incrementing and if ping from the remote side is not causing the VPN to come up it certainly confirms that something is not working right.
    It might be interesting to wait till the SAs time out and go inactive and then test again with the ping from the remote subnet that is not working. Turn on debug for ISAKMP and see if there is any attempt to negotiate. Especially if you do not receive any attempt to initiate ISAKMP from then then that would be one way to show that there is a problem on the remote side.
    Certainly the ASA does have the ability to do packet capture. I have used that capability and it can be quite helpful. I have not tried to do a capture on the outside interface for incoming VPN traffic and so am not sure whether you would be capturing the encrypted packet or the de-encrypted packet. You can configure an access list to identify traffic to capture and I guess that you could write an access list that included both the peer addresses as source and destination to capture the encrypted traffic and entries that were the un-encrypted source and destination subnets to capture traffic after de-encryption.
    HTH
    Rick

  • Public-to-Public L2L VPN no return traffic

    Hello all,
    I'm hoping someone can give me a little help. I've researched the web and have read many forums, but I still can't get this to work. One of our vendors requires using a public ip address to setup a site-to-site IPSEC vpn. We only have one public ip address and that will be used for the vpn endpoint and for internet access for the local network. I've setup policy NAT from our local network to the outside interface. I'm also using the outside ip address for the crypto map. The tunnel setups successfully and the Tx count increases anytime I try to ping the remote network, but the ping fails and the Rx count does not increase. According to our vendor, we should be able to ping the remote network and connect using port 443. When trying to connect using port 443, I see a SYN timeout in the logs. I'm not sure if the problem is on their end and they're rejecting our traffic, or if something is misconfigured on our end. I'd like to make sure that I have everything configured correctly before I go and point fingers at them. Any help would be appreciated. Thanks.
    Local Network - 10.10.9.0/24
    Remote Network - 20.20.41.0/24
    Remote Peer - 20.20.60.193
    ASA Version 8.2(5)
    hostname ciscoasa
    domain-name
    names
    name 10.10.9.3 VPN description VPN Server
    name 10.10.9.4 IntranetMySQL description MySQL For Webserver
    name 192.168.0.100 IIS_Webserver
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    switchport access vlan 3
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.10.9.254 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 71.***.***.162 255.255.255.0
    interface Vlan3
    nameif dmz
    security-level 50
    ip address 192.168.0.254 255.255.255.0
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server 10.10.9.1
      domain-name
    same-security-traffic permit inter-interface
    object-group service VPN_TCP
    description VPN TCP Connection
    service-object tcp eq 1195
    object-group service VPN_UDP
    description VPN UDP Port
    service-object udp eq 1194
    object-group service VPN_HTTPS
    description VPN HTTPS Web Server
    service-object tcp eq 943
    service-object udp eq 943
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service WebServer
    service-object tcp eq 8001
    object-group service DM_INLINE_SERVICE_1
    service-object tcp-udp eq www
    service-object tcp eq https
    object-group service VPN_HTTPS_UDP udp
    port-object eq 943
    object-group service WCF_WebService tcp
    port-object eq 808
    object-group service RDP tcp
    port-object eq 3389
    object-group service RDP_UDP udp
    port-object eq 3389
    object-group service DM_INLINE_SERVICE_2
    service-object tcp-udp eq www
    service-object tcp eq https
    object-group service *_Apache tcp
    port-object eq 8001
    object-group service *_ApacheUDP udp
    port-object eq 8001
    object-group service IIS_SQL_Server tcp
    port-object eq 1433
    object-group service DM_INLINE_TCP_1 tcp
    port-object eq www
    port-object eq https
    object-group service File_Sharing tcp
    port-object eq 445
    object-group service File_Sharing_UDP udp
    port-object eq 445
    object-group service MySQL tcp
    port-object eq 3306
    object-group service Http_Claims_Portal tcp
    port-object eq 8080
    object-group service Http_Claims_PortalUDP udp
    port-object eq 8080
    object-group service RTR_Portal tcp
      description Real Time Rating Portal
    port-object eq 8081
    object-group service RTR_PortalUDP udp
    port-object eq 8081
    object-group service DM_INLINE_SERVICE_3
    service-object tcp-udp eq www
    service-object tcp eq https
    access-list outside_access_in extended permit udp any 70.***.***.0 255.255.255.0 eq 1194
    access-list outside_access_in extended permit tcp any any eq 1195
    access-list outside_access_in extended permit object-group VPN_HTTPS any any
    access-list outside_access_in extended permit tcp any interface outside eq 943
    access-list outside_access_in extended permit tcp any any eq 8001
    access-list inside_access_in extended permit tcp any any
    access-list outside_access_in_1 extended permit tcp any interface outside eq 943
    access-list outside_access_in_2 extended permit object-group DM_INLINE_SERVICE_1 host 71.***.***.165 host 71.***.***.162
    access-list outside_access_in_2 extended permit object-group TCPUDP any any inactive
    access-list outside_access_in_2 extended permit icmp any any
    access-list outside_access_in_2 extended permit object-group VPN_HTTPS any host 71.***.***.162
    access-list outside_access_in_2 remark VPN TCP Ports
    access-list outside_access_in_2 extended permit tcp any host 71.***.***.162 eq 1195
    access-list outside_access_in_2 extended permit udp any host 71.***.***.162 eq 1194
    access-list outside_access_in_2 remark Palm Insure Apache Server
    access-list outside_access_in_2 extended permit tcp any host 71.***.***.164 object-group *_Apache inactive
    access-list outside_access_in_2 extended permit udp any host 71.***.***.164 object-group *_ApacheUDP inactive
    access-list outside_access_in_2 extended permit tcp any host 71.***.***.164 object-group MySQL inactive
    access-list outside_access_in_2 extended permit tcp any host 71.***.***.164 object-group Http_Claims_Portal inactive
    access-list outside_access_in_2 extended permit udp any host 71.***.***.164 object-group Http_Claims_PortalUDP inactive
    access-list outside_access_in_2 extended permit tcp any host 71.***.***.164 object-group RTR_Portal inactive
    access-list outside_access_in_2 extended permit udp any host 71.***.***.164 object-group RTR_PortalUDP inactive
    access-list outside_access_in_2 extended permit object-group DM_INLINE_SERVICE_3 any host 71.***.***.164 inactive
    access-list outside_access_in_2 remark RTR Access Rule for Internal VM's
    access-list outside_access_in_2 extended permit tcp any host 71.***.***.162 object-group Http_Claims_Portal
    access-list outside_access_in_2 remark RTR Access rule for internal VMs
    access-list outside_access_in_2 extended permit udp any host 71.***.***.162 object-group Http_Claims_PortalUDP
    access-list inside_access_in_1 extended permit object-group TCPUDP any any
    access-list inside_access_in_1 extended permit icmp any any
    access-list inside_access_in_1 extended permit esp any any
    access-list inside_access_in_1 extended permit udp any any eq isakmp
    access-list dmz_access_in extended permit ip any any
    access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_2 any host 70.***.***.252
    access-list dmz_access_in extended permit tcp any host 70.***.***.252 eq www
    access-list dmz_access_in_1 extended permit tcp host IIS_Webserver host 10.10.9.5 object-group DM_INLINE_TCP_1 inactive
    access-list dmz_access_in_1 extended permit object-group TCPUDP any host IIS_Webserver eq www inactive
    access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver eq https inactive
    access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group *_Apache inactive
    access-list dmz_access_in_1 extended permit udp any host IIS_Webserver object-group *_ApacheUDP inactive
    access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver eq 3389 inactive
    access-list dmz_access_in_1 extended permit udp any host IIS_Webserver eq 3389 inactive
    access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group IIS_SQL_Server inactive
    access-list dmz_access_in_1 extended permit object-group TCPUDP any any inactive
    access-list dmz_access_in_1 extended permit tcp host 10.10.9.5 host IIS_Webserver eq ftp inactive
    access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group MySQL inactive
    access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group Http_Claims_Portal inactive
    access-list dmz_access_in_1 extended permit udp any host IIS_Webserver object-group Http_Claims_PortalUDP inactive
    access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group RTR_Portal inactive
    access-list dmz_access_in_1 extended permit udp any host IIS_Webserver object-group RTR_PortalUDP inactive
    access-list inside_nat_static extended permit ip host 10.10.9.1 20.20.41.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip host 71.***.***.162 20.20.41.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    global (dmz) 1 interface
    nat (inside) 1 10.10.9.0 255.255.255.0
    static (inside,outside) tcp interface 943 VPN 943 netmask 255.255.255.255
    static (inside,outside) tcp interface 1195 VPN 1195 netmask 255.255.255.255
    static (inside,outside) tcp interface 1194 VPN 1194 netmask 255.255.255.255
    static (inside,outside) udp interface 1194 VPN 1194 netmask 255.255.255.255
    static (inside,outside) udp interface 1195 VPN 1195 netmask 255.255.255.255
    static (inside,outside) tcp interface ssh IntranetMySQL ssh netmask 255.255.255.255
    static (inside,outside) tcp interface ftp IntranetMySQL ftp netmask 255.255.255.255
    static (dmz,inside) tcp IIS_Webserver 3389 IIS_Webserver 3389 netmask 255.255.255.255
    static (inside,outside) tcp interface www 10.10.9.5 www netmask 255.255.255.255
    static (dmz,outside) tcp 71.***.***.164 3389 IIS_Webserver 3389 netmask 255.255.255.255
    static (dmz,outside) tcp 71.***.***.164 8001 IIS_Webserver 8001 netmask 255.255.255.255
    static (dmz,outside) udp 71.***.***.164 8001 IIS_Webserver 8001 netmask 255.255.255.255
    static (dmz,outside) tcp 71.***.***.164 www IIS_Webserver www netmask 255.255.255.255
    static (dmz,outside) tcp 71.***.***.164 https IIS_Webserver https netmask 255.255.255.255
    static (dmz,outside) tcp 71.***.***.164 ftp IIS_Webserver ftp netmask 255.255.255.255
    static (dmz,outside) tcp 71.***.***.164 3306 IIS_Webserver 3306 netmask 255.255.255.255
    static (dmz,inside) tcp IIS_Webserver 3306 IIS_Webserver 3306 netmask 255.255.255.255
    static (dmz,outside) tcp 71.***.***.164 8080 IIS_Webserver 8080 netmask 255.255.255.255
    static (dmz,outside) udp 71.***.***.164 8080 IIS_Webserver 8080 netmask 255.255.255.255
    static (dmz,inside) tcp IIS_Webserver 8080 IIS_Webserver 8080 netmask 255.255.255.255
    static (dmz,outside) tcp 71.***.***.164 8081 IIS_Webserver 8081 netmask 255.255.255.255
    static (dmz,outside) udp 71.***.***.164 8081 IIS_Webserver 8081 netmask 255.255.255.255
    static (dmz,inside) tcp IIS_Webserver 8081 IIS_Webserver 8081 netmask 255.255.255.255
    static (inside,outside) tcp interface 8080 10.10.9.15 8080 netmask 255.255.255.255
    static (inside,outside) udp interface 8080 10.10.9.15 8080 netmask 255.255.255.255
    static (dmz,outside) 71.***.***.164 IIS_Webserver netmask 255.255.255.255
    static (dmz,inside) IIS_Webserver IIS_Webserver netmask 255.255.255.255
    static (inside,dmz) 10.10.9.5 10.10.9.5 netmask 255.255.255.255
    static (inside,outside) interface  access-list inside_nat_static
    access-group inside_access_in_1 in interface inside
    access-group outside_access_in_2 in interface outside
    access-group dmz_access_in_1 in interface dmz
    route outside 0.0.0.0 0.0.0.0 71.***.***.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 10.10.9.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer 20.20.60.193
    crypto map outside_map 1 set transform-set ESP-AES-256-SHA
    crypto map outside_map 1 set reverse-route
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 86400
    telnet timeout 5
    ssh 10.10.9.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    tunnel-group 20.20.60.193 type ipsec-l2l
    tunnel-group 20.20.60.193 ipsec-attributes
    pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
      class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous

    Hi,
    If you are using the public IP address of your ASA (that is used as the PAT address for all outbound traffic) as the only source IP address for the L2L VPN you dont really have to build any additional NAT configurations for the L2L VPN connection. So you shouldnt need the "static" configuration you have made.
    static (inside,outside) interface  access-list inside_nat_static
    This is because any traffic from your local LAN will be PATed to the "outside" IP address and when the ASA also sees that the destination network for the connection is part of the L2L VPN configurations, then the traffic should be forwarded to the L2L VPN connection just fine.
    Did you try the connectivity without the "static" configuration?
    For ICMP testing I would add the command
    fixup protocol icmp
    or
    policy-map global_policy
      class inspection_default
       inspect icmp
    Should do the same thing
    - Jouni

  • L2L VPN not coming up

    I am using GNS3 to build a tunnel between an ASA and a router.
    Below are my configurations but the tunnel is not coming, can anyone spot what's wrong with my configs? Or could it be because of bugs on GNS3?
    ciscoasa# sho running-config crypto
    crypto ipsec transform-set MySET esp-aes esp-sha-hmac
    access-list VPN_Traffic extended permit ip 12.123.15.0 255.255.255.0 192.168.10.0 255.255.255.0
    crypto map SampleVPN 100 match address VPN_Traffic
    crypto map SampleVPN 100 set peer 10.123.5.2
    crypto map SampleVPN 100 set transform-set MySET
    crypto map SampleVPN interface outside
    crypto isakmp enable outside
    crypto isakmp policy 100
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    tunnel-group VPN type ipsec-l2l
    tunnel-group VPN ipsec-attributes
    pre-shared-key 1234
    R1#sho run | sec crypto
    crypto isakmp policy 100
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp key 1234 address 12.152.45.2 no-xauth
    crypto ipsec transform-set MySET esp-aes esp-sha-hmac
    ip access-list extended VPN_Traffic
    permit ip 192.168.10.0 0.0.0.255 12.123.15.0 0.0.0.255
    crypto map VPN 100 ipsec-isakmp
    set peer 12.152.45.2
    set transform-set MySET
    match address VPN_Traffic
    interface f0/0
    crypto map VPN
    Here are the debugs from the router...
    *Feb 18 15:59:03.971: ISAKMP:(0): SA request profile is (NULL)
    *Feb 18 15:59:03.971: ISAKMP: Created a peer struct for 12.152.45.2, peer port 500
    *Feb 18 15:59:03.971: ISAKMP: New peer created peer = 0x65C73CCC peer_handle = 0x80000004
    *Feb 18 15:59:03.975: ISAKMP: Locking peer struct 0x65C73CCC, refcount 1 for isakmp_initiator
    *Feb 18 15:59:03.975: ISAKMP: local port 500, remote port 500
    *Feb 18 15:59:03.975: ISAKMP: set new node 0 to QM_IDLE
    *Feb 18 15:59:03.975: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 6568F26C
    *Feb 18 15:59:03.979: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
    *Feb 18 15:59:03.979: ISAKMP:(0):found peer pre-shared key matching 12.152.45.2
    *Feb 18 15:59:03.983: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    *Feb 18 15:59:03.983: ISAKMP:(0): constructed NAT-T vendor-07 ID
    *Feb 18 15:59:03.983: ISAKMP:(0): constructed NAT-T vendor-03 ID
    *Feb 18 15:59:03.987: ISAKMP:(0): constructed NAT-T vendor-02 ID
    *Feb 18 15:59:03.987: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    *Feb 18 15:59:03.987: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
    *Feb 18 15:59:03.987: ISAKMP:(0): beginning Main Mode exchange
    *Feb 18 15:59:03.991: ISAKMP:(0): sending packet to 12.152.45.2 my_port 500 peer_port 500 (I) MM_NO_STATE
    *Feb 18 15:59:03.991: ISAKMP:(0):Sending an IKE IPv4 Packet......
    Success rate is 0 percent (0/5)
    R1#
    *Feb 18 15:59:13.991: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
    *Feb 18 15:59:13.991: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
    *Feb 18 15:59:13.991: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
    *Feb 18 15:59:13.995: ISAKMP:(0): sending packet to 12.152.45.2 my_port 500 peer_port 500 (I) MM_NO_STATE
    *Feb 18 15:59:13.995: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Feb 18 15:59:14.043: ISAKMP (0:0): received packet from 12.152.45.2 dport 500 sport 500 Global (I) MM_NO_STATE
    *Feb 18 15:59:14.047: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Feb 18 15:59:14.047: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
    *Feb 18 15:59:14.051: ISAKMP:(0): processing SA payload. message ID = 0
    *Feb 18 15:59:14.055: ISAKMP:(0): processing vendor id payload
    *Feb 18 15:59:14.055: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    *Feb 18 15:59:14.055: ISAKMP:(0): vendor ID is NAT-T v2
    *Feb 18 15:59:14.055: ISAKMP:(0)
    R1#: processing vendor id payload
    *Feb 18 15:59:14.059: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
    *Feb 18 15:59:14.059: ISAKMP:(0):found peer pre-shared key matching 12.152.45.2
    *Feb 18 15:59:14.059: ISAKMP:(0): local preshared key found
    *Feb 18 15:59:14.059: ISAKMP : Scanning profiles for xauth ...
    *Feb 18 15:59:14.063: ISAKMP:(0):Checking ISAKMP transform 1 against priority 100 policy
    *Feb 18 15:59:14.063: ISAKMP:      encryption 3DES-CBC
    *Feb 18 15:59:14.063: ISAKMP:      hash MD5
    *Feb 18 15:59:14.063: ISAKMP:      default group 2
    *Feb 18 15:59:14.063: ISAKMP:      auth pre-share
    *Feb 18 15:59:14.063: ISAKMP:      life type in seconds
    *Feb 18 15:59:14.067: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    *Feb 18 15:59:14.067: ISAKMP:(0):atts are acceptable. Next payload is 0
    *Feb 18 15:59:14.071: ISAKMP:(0): processing vendor id payload
    *Feb 18 15:59:14.071: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    *Feb 18 15:59:14.071: ISAK
    R1#
    R1#MP:(0): vendor ID is NAT-T v2
    *Feb 18 15:59:14.071: ISAKMP:(0): processing vendor id payload
    *Feb 18 15:59:14.075: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
    *Feb 18 15:59:14.075: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Feb 18 15:59:14.075: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
    *Feb 18 15:59:14.079: ISAKMP:(0): sending packet to 12.152.45.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
    *Feb 18 15:59:14.079: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Feb 18 15:59:14.079: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Feb 18 15:59:14.079: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
    R1#
    *Feb 18 15:59:23.291: ISAKMP:(0):purging node -49064826
    *Feb 18 15:59:23.291: ISAKMP:(0):purging node -330154301
    *Feb 18 15:59:24.079: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
    *Feb 18 15:59:24.079: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
    *Feb 18 15:59:24.079: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
    *Feb 18 15:59:24.083: ISAKMP:(0): sending packet to 12.152.45.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
    *Feb 18 15:59:24.083: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Feb 18 15:59:24.111: ISAKMP (0:0): received packet from 12.152.45.2 dport 500 sport 500 Global (I) MM_SA_SETUP
    *Feb 18 15:59:24.111: ISAKMP:(0):Notify has no hash. Rejected.
    *Feb 18 15:59:24.111: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM3
    *Feb 18 15:59:24.115: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    *Feb 18 15:59:24.115: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM3
    R1#ping ip 12.123.15.2 source loo0
    *Feb 18 15:59:24.115: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 12.152.45.2
    R1#ping ip 12.123.15.2 source loo0
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 12.123.15.2, timeout is 2 seconds:
    Packet sent with a source address of 192.168.10.1
    *Feb 18 15:59:33.295: ISAKMP:(0):purging SA., sa=6568EB18, delme=6568EB18
    *Feb 18 15:59:33.967: ISAKMP: set new node 0 to QM_IDLE
    *Feb 18 15:59:33.971: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 10.123.5.2, remote 12.152.45.2)
    *Feb 18 15:59:33.971: ISAKMP: Error while processing SA request: Failed to initialize SA
    *Feb 18 15:59:33.975: ISAKMP: Error while processing KMI message 0, error 2..
    Success rate is 0 percent (0/5)
    R1#
    *Feb 18 16:00:18.975: ISAKMP: quick mode timer expired.
    *Feb 18 16:00:18.975: ISAKMP:(0):src 10.123.5.2 dst 12.152.45.2, SA is not authenticated
    *Feb 18 16:00:18.975: ISAKMP:(0):peer does not do paranoid keepalives.
    *Feb 18 16:00:18.979: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) MM_SA_SETUP (peer 12.152.45.2)
    *Feb 18 16:00:18.983: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) MM_SA_SETUP (peer 12.152.45.2)
    *Feb 18 16:00:18.983: ISAKMP: Unlocking peer struct 0x65C73CCC for isadb_mark_sa_deleted(), count 0
    *Feb 18 16:00:18.987: ISAKMP: Deleting peer node by peer_reap for 12.152.45.2: 65C73CCC
    R1#
    *Feb 18 16:00:18.987: ISAKMP:(0):deleting node 1582877960 error FALSE reason "IKE deleted"
    *Feb 18 16:00:18.987: ISAKMP:(0):deleting node 814986207 error FALSE reason "IKE deleted"
    *Feb 18 16:00:18.991: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    *Feb 18 16:00:18.991: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_DEST_SA
    R1#
    *Feb 18 16:01:08.987: ISAKMP:(0):purging node 1582877960
    *Feb 18 16:01:08.987: ISAKMP:(0):purging node 814986207
    R1#
    *Feb 18 16:01:18.991: ISAKMP:(0):purging SA., sa=6568F26C, delme=6568F26C

    Hi,
    when you applied the tunnel-group VPN, you should have seen a warning telling that tunnel-group can have name only if it's for remote-access VPN, or certificate authentication is used. so, L2L vpn with pre-shared keys can only have tunnel-groups named as the peer IP address.
    Mashal

  • Can not access ASAs inside interface via VPN tunnels

    Hi there,
    I have a funny problem.
    I build up a hub and spoke VPN, with RAS Client VPN access for the central location.
    All tunnels and the RAS VPN access are working fine.
    I use the tunnels for Voip, terminal server access and a few other services.
    The only problem I have is, that I could not access the inside IP address of any of my ASAs, neither via tunnels nor via RAS VPN access. No telnet access and no ping reach the inside interfaces.
    No problem when I connect to the interface via a host inside the network.
    All telnet statments in the config are ending with the INSIDE command.
    On most of the ASAs the 8.2 IOS is running on one or two ASAs the 8.0(4).
    For the RAS client access I use the Cisco 5.1 VPN client.
    Did anybody have any suggestions?
    Regards
    Marcel

    Marcel,
    Simply add on the asas you want to administer through the tunnels
    management-access
    http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/m.html#wp2027985
    for asa5505
    management-access inside
    for all others if you have management interface management0/0 defined then:
    management-access management
    then you may need to allow the source , for example if RA VPN pool network is 10.20.20.0/24 then you tell asa that network cann administer asa and point access to inside, but sounds you have this part already.
    telnet 10.20.20.0 255.255.255.0 inside
    http 10.20.20.0 255.255.255.0 inside
    same principle for l2l vpns
    Regards

  • Can't get L2L VPN up between ASA and Fortinet (IKEv2)

    Hi,
    I'm having issues getting a L2L tunnel up between a Cisco ASA and a Fortinet. This is the first tunnel being setup with IKEv2. The ASA is complaining that it can't find a matching policy.
    The Fortinet device is configured by other party and I have confirmed that they are using the agreed settings.
    Configuration from the ASA:
    crypto ipsec ikev2 ipsec-proposal AES-3DES-SHA1
     protocol esp encryption 3des
     protocol esp integrity sha-1
    crypto map VPN 100 match address ABC
    crypto map VPN 100 set pfs group5
    crypto map VPN 100 set peer x.x.x.x
    crypto map VPN 100 set ikev2 ipsec-proposal AES-3DES-SHA1
    crypto map VPN 100 set security-association lifetime seconds 28800
    crypto map VPN interface outside
    crypto ikev2 policy 10
     encryption aes-256 3des
     integrity sha256 sha
     group 5
     prf sha256
     lifetime seconds 86400
    crypto ikev2 enable outside
    tunnel-group x.x.x.x type ipsec-l2l
    tunnel-group x.x.x.x ipsec-attributes
     ikev2 remote-authentication pre-shared-key blablabla
     ikev2 local-authentication pre-shared-key blablabla
    Debugs say that there is no matching policy:
    IKEv2-PROTO-3: (97): Get peer authentication method
    IKEv2-PROTO-3: (97): Get peer's preshared key for x.x.x.x
    IKEv2-PROTO-3: (97): Verify authentication data
    IKEv2-PROTO-3: (97): Use preshared key for id x.x.x.x, key len 15
    IKEv2-PROTO-2: (97): Processing auth message
    IKEv2-PROTO-1: (97): Failed to find a matching policy
    IKEv2-PROTO-1: (97): Received Policies:
    ESP: Proposal 1:  3DES SHA96
    IKEv2-PROTO-1: (97): Failed to find a matching policy
    IKEv2-PROTO-1: (97): Expected Policies:
    IKEv2-PROTO-5: (97): Failed to verify the proposed policies
    IKEv2-PROTO-1: (97): Failed to find a matching policy

    Dear Robert,
    The above error from ASA indicates there may be a problem with your preshared key..Both Local and remotre sites...or an Out of Synce problem to the remote end/peer. Give more details about ur Watchguard version with what application it is running..Send the complete log of
    1. sh crypto ipsec sa
    2. sh crypto isakmp sa
    3. debug crypto isa 255
    4. debug crypto ipsec 255

  • ASA with Multiple dynamic L2L VPN

    I have an ASA 5510 as VPN Concentrator, used for about 30 L2L-VPNs.
    I need also some L2L-VPN with dynamic remote peer.
    While the configuration for a single dyn-VPN is quite simple (as described in several examples), how can I configure the ASA in the case of many dyn-VPNs ?
    Basically, all the dyn-VPN should use the same PSK (the one of DefaultL2LGroup).
    But using "aggressive mode" on the remote peer, I could use a different PSK for each dyn-VPN:
    tunnel-group ABCD ipsec-attributes
    pre-shared-key *
    Is this configuration correct ?
    Best regards
    Claudio

    Hi,
    Maybe the solutions provided in the following document might also be an option for you to configure multiple dynamic L2L VPN connections on the ASA
    http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bc7d13.shtml
    Hope this helps
    - Jouni

  • AAA Radius Authentication for Remote VPN With ACS Server Across L2L VPN

    Hi,
    I have an ASA running fine on the network which provide L2L tunnel to remote site and provide Remote VPN for remote access users.
    Currently, there is a need for the users to authenticate against an ACS server that located across the L2L VPN tunnel.
    The topology is just simple with 2 interfaces on the ASA, inside and outside, and a default route pointing to the ISP IP Address.
    I can ping the IP address of the ACS Server (which located at the remote site, IP addr: 10.10.10.56) from the ASA:
    ping inside 10.10.10.56
    However when I configure the ASA for the AAA group with commands:
    aaa-server ACSAuth protocol radius
    aaa-server ACSAuth host (inside) 10.10.10.56 key AcsSecret123
    Then when I do the show run, here is the result:
    aaa-server ACSAuth protocol radius
    aaa-server host 10.10.10.56
    key AcsSecret123
    From what I thought is, with this running config, traffic is not directed to the L2L VPN tunnel
    (seems to be directed to the default gateway due to the default route information) which cause failure to do the AAA authentication.
    Does anybody ever implement such this thing and whether is it possible? And if yes, how should be the config?
    Your help will be really appreciated!
    Thanks.
    Best Regards,
    Jo

    AAA is designed to enable you to dynamically configure the type of authentication and authorization you want on a per-line (per-user) or per-service (for example, IP, IPX, or VPDN) basis. You define the type of authentication and authorization you want by creating method lists, then applying those method lists to specific services or interfaces.
    http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/schaaa.html

  • L2L VPN with source and destination NAT

    Hello,
    i am new with the ASA 8.4 and was wondering how to tackle the following scenario.
    The diagram is
    Customer ---->>> Firewall --->> L2L VPN --->> Me --->> MPLS ---> Server
    The server is accessible by other tunnels in place but there is no NAT needed. For the tunnel we are talking about it is
    The Customer connects the following way
    Source: 198.1.1.1
    Destination: 192.168.1.1
    It gets to the outside ASA interface which should translate the packets to:
    Source: 10.110.110.1
    Destination: 10.120.110.1
    On the way back, 10.120.110.1 should be translated to 192.168.1.1 only when going to 198.1.1.1
    I did the following configuration which I am not able to test but tomorrow during the migration
    object network obj-198.1.1.1
    host 198.1.1.1
    object network obj-198.1.1.1
    nat (outside,inside) dynamic 10.110.110.1
    For the inside to outside NAT depending on the destination:
    object network Real-IP
      host 10.120.110.1
    object-group network PE-VPN-src
    network-object host 198.1.1.1
    object network Destination-NAT
    host 192.168.1.1
    nat (inside,outside) source static Real-IP Destination-NAT destination static PE-VPN-src PE-VPN-src
    Question is if I should create also the following or not for the outside to inside flow NAT? Or the NAT is done from the inside to outside estatement even if the traffic is always initiated from outside interface?
    object network obj-192.168.1.1
    host 192.168.1.1
    object network obj-192.168.1.1
    nat (outside,inside) dynamic 10.120.110.1

    Let's use a spare ip address in the same subnet as the ASA inside interface for the NAT (assuming that 10.10.10.251 is free (pls kindly double check and use a free IP Address accordingly):
    object network obj-10.10.10.243
      host 10.10.10.243
    object network obj-77.x.x.24
      host 77.x.x.24
    object network obj-10.10.10.251
      host 10.10.10.251
    object network obj-pcA
      host 86.x.x.253
    nat (inside,outside) source static obj-10.10.10.243 obj-77.x.x.24 destination static obj-10.10.10.251 obj-86.x.x.253
    Hope that helps.

  • L2L VPN-8.4(3)

    Hi,
    We are setting up IPSec L2L tunnel with our client.  Client will access some of our internal servers through vpn tunnel. Client are natting his internal networks with public ip 121.16.141.x. We have below servers IPs which client would access.
    10.150.20.131
    10.150.20.132
    I have prepared config for VPN tunnel but not preety sure that it is correct so looking for your help on this.
    ======================================
    object-group network server_IP
    network-object host 10.150.20.131
    network-object host 10.150.20.132
    object network client_IP
    host 121.16.141.x
    nat (inside,outside) source static server_IP server_IP destination static client_IP client_IP no-proxy-arp
    access-list VPN extended permit ip object-group server_IP object client_IP
    crypto map outside_map 6 match address VPN
    crypto map outside_map 6 set peer <<client FW outside interface ip(y.y.y.y) >>
    crypto map outside_map 6 set ikev1 transform-set ESP-3DES-MD5
    crypto map outside_map 6 set security-association lifetime seconds 28800
    crypto map outside_map 6 set security-association lifetime kilobytes 4608000
    tunnel-group y.y.y.y type ipsec-l2l
    tunnel-group y.y.y.y ipsec-attributes
    ikev1 pre-shared-key *****
    =========================================================
    Pls confirm if this config is correct..

    Hi,
    Well there is couple of options
    You can configure Filter ACL for the L2L VPN.
    You can configure "no sysopt connection permit-vpn".
    While configuring the VPN Filter is the easiest way to restrict connections coming from VPNs WHEN you have a lot of existing VPN connections, I still wouldnt recommend it as a first choice as it can get a bit complicated.
    The second option is something that I personally like BUT using it depends on your current environment.
    If you were to add the command "no sysopt connection permit-vpn" THEN ANY connection coming through VPN connections through the "outside" interface of your ASA would need to have a permitting ACL rule on the "outside" interface ACL.
    So judging by your number in the "crypto map" configuration which is "6" I assume you have multiple L2L VPN configurations atleast, possibly remote access VPN also?
    If this is the case then you would have to first create ACL rules to define what connections can be initiated behind VPN connections on each of those connections BEFORE enabling the command I mention. If you didnt then all connections from the direction of the remote host or remote network would start to get blocked by the ASA.
    When you enable that command you could basically use the "outside" interface ACL to allow and deny traffic that is coming through VPN just like it was coming through Internet.
    So if you are able to preconfigure the ACL rules for all of your existing VPN connections THEN I would recommend using the "no sysopt connection permit-vpn" to BLOCK ALL connections coming through VPN connections UNLESS they are allowed in the interface ACL of "outside" interface.
    Hope I made any sense
    Naturally ask more if needed
    - Jouni

  • Please gives sample configure VPN site to site on ASA 5512-x v.9.1!

    Dear All,
    Could you gave sample configer ASA 5512-x v.9.1 for VPN site to Site, i use to configure on ASA 5510 V.8.2 but on ver 9.1 i never configure.
    my is use that i dont know to how to configure nonat.
    i saw some configration as in the attach file they just to show configure VPN but we did not see nonot on command.
    http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/vpn/vpn_site2site.html
    Best Regards,
    HK

    Hi,
    The new configuration format for NAT0 / NAT Exemption / Identity NAT is the following
    object network SOURCE-NETWORK
    subnet
    object network DESTINATION-NETWORK
    subnet
    nat (inside,outside) source static SOURCE-NETWORK SOURCE-NETWORK destination static DESTINATION-NETWORK DESTINATION-NETWORK
    In the above
    SOURCE-NETWORK contains the network on your side of the network
    DESTINATION-NETWORK contains the network on the remote side of the L2L VPN
    The NAT configuration presumes that you are using interfaces with the name of "inside" and "outside"
    The reason you see 2 of each "object" in the NAT configuration is that there is no NAT performed for them. You would have option to do NAT for both source and destination but in this case we dont want that.
    Depending how many source and destination networks we are talking about, this might need some modifying.
    Hopefully this helps
    - Jouni

  • 2811:connecting two ASA5505 l2l VPN's

    Hello,
    We have an HQ site with a 2811 (w/ADVSECURITYK9-M) acting as the firewall. We currently have 1 ASA5505 that has an established ipsec l2l VPN.
    I'm trying to connect a 2nd ASA, but I've noticed I can only add 1 cryptomap to the outside interface.
    A show ver shows 1 Virtual Private Network Module... Surely that doesn't mean only 1 VPN?
    Do I use one crypto map, and add a second 'set peer' & 'match address' inside the crypto map itself?
    Thanks,
    Jason

    Ok, I'm getting closer, but still failing. I was close enough that a VOIP phone registered with the phone system at some point, but not sure why it wont stay connected.
    The original, VPN1 is still connected though.
    I've varified the preshared keys on both ends match.
    Here's an error from the debug of the second ASA, VPN2
    Aug 24 10:49:45 [IKEv1]: Group = 64.X.X.X, IP = 64.X.X.X, QM FSM error (P2 struct &0x42436b0, mess id 0x374e49ed)!
    Aug 24 10:49:45 [IKEv1]: Group = 64.X.X.X, IP = 64.X.X.X, Removing peer from correlator table failed, no match!
    Aug 24 10:49:45 [IKEv1]: Group = 64.X.X.X, IP = 64.X.X.X, QM FSM error (P2 struct &0x42436b0, mess id 0x374e49ed)!
    Aug 24 10:49:45 [IKEv1]: Group = 64.X.X.X, IP = 64.X.X.X, Removing peer from correlator table failed, no match!
    As far as the ASA configs, everything is the exactly the same, except;
    NEW ASA VPN2 -both asa have object groups 1&2, containing other ip's of the HQ site. these ip's listed here are of VPN1's local lan.
    I imagine I will need to add VPN2's local ip to VPN1's config for objectgroup 1&2, but I don't think that is the reason this wont connect to HQ
    object-group network DM_INLINE_NETWORK_1
    network-object 192.168.26.0 255.255.255.0
    object-group network DM_INLINE_NETWORK_2
    network-object 192.168.26.0 255.255.255.0
    object-group network DM_INLINE_NETWORK_3
    network-object 192.168.27.0 255.255.255.0
    network-object 192.168.1.0 255.255.255.0
    Working ASA VPN1  - not sure exactly how the bolded line works
    no crypto isakmp nat-traversal
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    HQ 2811 -----------------------------------------------------------------------
    Hope I included enough of the router config. Again, VPN1 is working.
    crypto isakmp key VPN1PW address 99.x.x.x
    crypto isakmp key VPN2PW address 108.x.x.x
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec df-bit clear
    crypto map SDM_CMAP_1 1 ipsec-isakmp
    description Tunnel to 99.x.x.x VPN1
    set peer 99.x.x.x
    set transform-set ESP-AES-128-SHA
    match address 103
    crypto map SDM_CMAP_1 2 ipsec-isakmp
    description Tunnel to 108.x.x.x VPN2
    set peer 108.x.x.x
    set transform-set ESP-AES-128-SHA
    match address 105
    ****** This next section I dont recall typing in, but it refers to access group 105, but 105 was newly created for the new VPN2.  I didn't not find a corresponding command for access-group 103, which 105 is a copy of 103, except each one includes the others local lan too.
    class-map type inspect match-all sdm-nat-user-protocol--2-1
    match access-group 105
    match protocol user-protocol--2
    interface FastEthernet0/1
    description T1 to  Internet$FW_OUTSIDE$
    ip address 64.x.x.x 255.255.255.248
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map SDM_CMAP_1

  • ASA IPSEC VPN Design Question; ARP Between ASA

    I"ve a requirement to put two ASA between two sites. The second site has hosts within the same network as the first site (conflict of fundamental routing principles). Can you put an ASA inline between the router and distribution switch at each site, setup an IPSEC VPN and not have issue? I thought we could have the distro switch terminate in the DMZ interface setup as a layer 2 interface in a vlan with a vlan int in the same network as the vlan int on the ASA DMZ interface on the ASA at the other site. Will this work? I guess the biggest concern is how to get layer 2 (arp) to work so hosts/servers can find each other between buildings and not get dropped on a layer 3 interface that doesn't see the distant network on a different egress interface.
    Thanks!
    Matt

    Matt,
    AFAIK - what you are describing is layer 2 tunneling, providing layer 2 networks from two speperate locations.
    The only way I am aware of how to provide this - does NOT invlove ASA's or VPN's suing layer 3. You could do this over MPLS or a transparent layer 2 pt-pt circuit.
    Perhaps another netpro has done this or knows how - I did hear of someone bridging thru a GRE tunnel, not sure if that is a viable option or actually works.
    HTH>

  • No ACL deny logs for Traffic not matched by Static Object NATs and ACL. Need Help.

    I start noticing that I do not see any denied traffic coming in on my ACL.  To better explain, lets say I have this config.
    ### Sample Config ###
    object network webserver
    host 192.168.1.50
    nat (dmz, outside) static X.X.X.X service tcp www www
    access-list inbound extended permit ip any4 object webserver eq www
    If I generate a traffic from the outside let's say a traffic that is trying to access X.X.X.X via TCP Port 8080 which obviously does not have any NAT entry to it going to my DMZ, I don't see the ACL denies it anymore but instead comes back with a Drop Reason: (nat-no-xlate-to-pat-pool) . On the packet trace I got this. (Below) it seems that does not even hit the ACL as there is no xlate found for it, at least to what the drop reason says.
    Phase: 1
    Type: CAPTURE
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    MAC Access list
    Phase: 2
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         Outside
    Result:
    input-interface: Outside
    input-status: up
    input-line-status: up
    output-interface: Outside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate
    Before, using a regular Static PAT on ASA Versions 8.2(5) below, I could get the deny logs (ASA-4-106023). Generally, I use these logs, and are quite important for us specially during auditing.
    My question is how can I generate logs for these type of dropped traffic on the ASA 9.1 Version? 
    Any comments/suggestions are gladly appreciated :)
    Regards,
    John

    I believe, but am not 100% sure, that the reason you are not seeing the ACL drop but a no NAT matched is because of the changes from 8.2 to 8.3 in the order of how things are done.  In 8.3 and later you need to secify the real IP address when allowing packets in, and this is because NAT happens before the ACL is matched.  So since there is no match on the NAT the packet is dropped then and there, never reaching the stage where ACLs are checked.
    As to seeing drops in the ACL log...You might want to try adding an ACL that matches the NATed IP...but I don't think you will have much success with that either.  My guess is that there is no way around this...at least no way I know of.
    Please remember to select a correct answer and rate helpful posts

  • HA between Dedicated T1 and L2L VPN

    I'm looking for ideas on how to have complete HA between a dedicated T1 and an L2L VPN over the internet.
    We had discussed routing protocol OSPF but would like to avoid the converge issues that could rise and affect other customers in the same DMZ.
    What would be our options if we do not want to use a routing protocol? How could we fail over to the backup line, the L2L, should the T1 fail. I had mentioned changing the metrics but this will not identify a problem on the line should the customers ethernet link goe down.
    Feel free to include an ideas that would use routing protocols.

    I had to revisit this configuration. I had decided since we are not going to use a routing protocol that a floating route between the T1 router and VPN is the best solution. although this should work if the router or Ethernet of the router goes down it should fail if the the Ethernet interface of the router, which has OSPF running between their network and our LAN, does not fail.
    But it is not failing?
    I have attached a diagram.

Maybe you are looking for

  • After Creation of PO Release strategy is missing

    Hi Experts, We have a problem that we have created a PO but we found after that release strategy is getting missed out. What could be the possible causes for this? Note: We have checked in CL20N everything seems to be in place. Cheers,Kumar.S///

  • How do i turn ON digital out port on appleTV

    Just got my new apple tv ( latest version). I have connected hdmi out to the tv and optical out to my old A/V receiver. I have also appropriately made all the assignments on my receiver for optical in. Not getting any sound from digital out of apple

  • The itunes store won't load on my computer

    The store won't load; it loads halfway and then the screen goes white. I can still get to my library but i can't access the store. I've updated to the latest itunes and I'm pretty sure my computer is up to date too ( i've run two system updates and r

  • Adjusting printer settings to disallow the printing of an additional page of "descripti​ve" informati

    With each page I print on my HP Officejet Pro 8500, Series 909a, (whether email messages or selected page(s) of projects) an additional page prints giving this list of descriptive info:  Filename, diretory, template, title, subject, author, keywords,

  • BAPI for the transaction VCH1 and VCH2 (Batch Search strategy)

    Hi Experts, I need to create a new condition record or change a condition records using the transactions VCH1 and VCH2 respectively. But BDC recording should not be used at any cost (acc to Client). So next go for me is to search for a BAPI or any Fu