L2L VPN Decrypted Traffic Not Exiting ASA
Hi,
I have a pair of ASAs runing version 9.1 at the remote site and 8.4 (4) at the local site. When sending traffic over the tunnel from the local to remote, I can see in the IPSec SA the encap packet count increasing locally and the decap count increasing on the remote ASAs but no traffic is egressing the remote ASA's interfaces.
Here is the remote ASAs config:
GigabitEthernet0/0 outside x.x.x.123 255.255.255.192GigabitEthernet0/1.701 dev_1 10.140.0.1 255.255.255.0crypto map VPN-Z 10 match address acl_temp_vpncrypto map VPN-Z 10 set pfs crypto map VPN-Z 10 set peer x.x.x.67 crypto map VPN-Z 10 set ikev1 transform-set ESP-3DES-SHAcrypto map VPN-Z 10 set security-association lifetime seconds 28800crypto map VPN-Z 10 set security-association lifetime kilobytes 4608000crypto map VPN-Z 10 set nat-t-disablecrypto map VPN-Z interface outsideaccess-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 object-group zx-subs (hitcnt=5) 0x3e8360b3 access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 10.0.0.0 255.0.0.0 (hitcnt=0) 0x5cf3e6d1 access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 172.16.0.0 255.240.0.0 (hitcnt=15) 0x73407a52 access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 192.168.0.0 255.255.0.0 (hitcnt=0) 0xe1b9579c access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 x.x.x.224 255.255.255.224 (hitcnt=0) 0x894cf410 access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 x.x.x.0 255.255.255.192 (hitcnt=0) 0xa879a3f1tunnel-group x.x.x.67 type ipsec-l2ltunnel-group x.x.x.67 ipsec-attributes ikev1 pre-shared-key *****nat (dev_1,outside) source static dev_1-sub dev_1-sub destination static zx-subs zx-subs
Here is the ipsec sa stats
Crypto map tag: VPN-Zanox, seq num: 10, local addr: x.x.x.123access-list acl_temp_vpn extended permit ip 10.140.0.0 255.255.0.0 172.16.0.0 255.240.0.0 local ident (addr/mask/prot/port): (10.140.0.0/255.255.0.0/0/0) remote ident (addr/mask/prot/port): (172.16.0.0/255.240.0.0/0/0) current_peer: x.x.x.67 #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
With a dump on the dev_1 interface
capture dev type raw-data interface dev_1 [Capturing - 0 bytes] match tcp any any
With packet tracer the egress interface is correct but in the capture there appears to be nothing traversing the interface.
Can any body see anything wrong wiht this config or any suggestions as to might be going wrong?
Thanks
James
Hi Javier,
Packet-tracer output with a temp ACL to permit ip any any inbound on the outside interface:
l-de-ham-asa-01/act(config)# packet-tracer input outside tcp 172.22.0.90 1234 10.140.0.10 22Phase: 1Type: UN-NATSubtype: staticResult: ALLOWConfig:nat (dev_1,outside) source static dev_1-sub dev_1-sub destination static zx-subs zx-subsAdditional Information:NAT divert to egress interface dev_1Untranslate 10.140.0.10/22 to 10.140.0.10/22Phase: 2Type: ROUTE-LOOKUPSubtype: inputResult: ALLOWConfig:Additional Information:in 0.0.0.0 0.0.0.0 outsidePhase: 3Type: ACCESS-LISTSubtype: logResult: ALLOWConfig:access-group acl_outside in interface outsideaccess-list acl_outside extended permit ip any any access-list acl_outside remark Zugriffsrichtlinie fuer ICMP Antworten aus dem InternetAdditional Information:Phase: 4Type: CONN-SETTINGSSubtype: Result: ALLOWConfig:Additional Information:Phase: 5Type: NATSubtype: Result: ALLOWConfig:nat (dev_1,outside) source static dev_1-sub dev_1-sub destination static zx-subs zx-subsAdditional Information:Static translate 172.22.0.90/1234 to 172.22.0.90/1234Phase: 6Type: NATSubtype: per-sessionResult: ALLOWConfig: Additional Information:Phase: 7Type: IP-OPTIONSSubtype: Result: ALLOWConfig:Additional Information:Phase: 8Type: VPNSubtype: ipsec-tunnel-flowResult: DROPConfig:Additional Information:Result:input-interface: outsideinput-status: upinput-line-status: upoutput-interface: dev_1output-status: upoutput-line-status: upAction: dropDrop-reason: (acl-drop) Flow is denied by configured rule
This is the same result from another site that has an L2L VPN configured.
ASP drop capture to follow...
Similar Messages
-
L2L VPN Issue - one subnet not reachable
Hi Folks,
I have a strange issue with a new VPN connection and would appreciate any help.
I have a pair of Cisco asa 5540s configured as a failover pair (code version 8.2(5)).
I have recently added 2 new L2L VPNs - both these VPNs are sourced from the same interface on my ASA (called isp), and both are to the same customer, but they terminate on different firewalls on the cusomter end, and encrypt traffic from different customer subnets. There's a basic network diagram attached.
VPN 1 - is for traffic from the customer subnet 10.2.1.0/24. Devices in this subnet should be able to access 2 subnets on my network - DMZ 211 (192.168.211.0./24) and DMZ 144 (192.168.144.0/24). This VPN works correctly.
VPN 2 - is for traffic from the customer subnet 192.168.1.0/24. Devices in this subnet should be able to access the same 2 subnets on my network - DMZ 211 (192.168.211.0./24) and DMZ 144 (192.168.144.0/24). This VPN is not working correctly - the customer can access DMZ 144, but not DMZ 211.
There are isakmp and ipsec SAs for both VPNs. I've noticed that the packets encaps/decaps counter does not increment when the customer sends test traffic to DMZ 211. This counter does increment when they send test traffic to DMZ144. I can also see traffic sent to DMZ 144 from the customer subnet 192.168.1.0/24 in packet captures on the DMZ 144 interface of the ASA. I cannot see similar traffic in captures on the DMZ211 interface (although I can see traffic sent to DMZ211 if it is sourced from 10.2.1.0/24 - ie when it uses VPN1)
Nat exemption is configured for both 192.168.1.0/24 and 10.2.1.0/24.
There is a route to both customer subnets via the same next hop.
There is nothing in the logs toindicate that traffic from 192.168.1.0/24 is being dropped
I suspect that this may be an issue on the customer end, but I'd like to be able to prove that. Specifically, I would really like to be able to capture traffic destined to DMZ 211 on the isp interface of the firewall after it has been decrypted - I don't know if this can be done however, and I haven'treally found a good way to prove or disprove that VPN traffic from 192.168.1.0/24 to DMZ211 is arriving at the isp interface of my ASA, and to show what's happening to that traffic after it arrives.
Here is the relevant vpn configuration:
crypto map MY_CRYPTO_MAP 90 match address VPN_2
crypto map MY_CRYPTO_MAP 90 set peer 217.154.147.221
crypto map MY_CRYPTO_MAP 90 set transform-set 3dessha
crypto map MY_CRYPTO_MAP 90 set security-association lifetime seconds 86400
crypto map MY_CRYPTO_MAP 100 match address VPN_1
crypto map MY_CRYPTO_MAP 100 set peer 193.108.169.48
crypto map MY_CRYPTO_MAP 100 set transform-set 3dessha
crypto map MY_CRYPTO_MAP 100 set security-association lifetime seconds 86400
crypto map MY_CRYPTO_MAP interface isp
ASA# sh access-list VPN_2
access-list VPN_2; 6 elements; name hash: 0xa902d2f4
access-list VPN_2 line 1 extended permit ip object-group VPN_2_NETS 192.168.1.0 255.255.255.0 0x56c7fb8f
access-list VPN_2 line 1 extended permit ip 192.168.144.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=45) 0x93b6dc21
access-list VPN_2 line 1 extended permit ip 192.168.211.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=6) 0x0abf7bb9
access-list VPN_2 line 1 extended permit ip host 192.168.146.29 192.168.1.0 255.255.255.0 (hitcnt=8) 0xcc48a56e
ASA# sh access-list VPN_1
access-list VPN_1; 3 elements; name hash: 0x30168cce
access-list VPN_1 line 1 extended permit ip 192.168.144.0 255.255.252.0 10.2.1.0 255.255.255.0 (hitcnt=6) 0x61759554
access-list VPN_1 line 2 extended permit ip 192.168.211.0 255.255.255.0 10.2.1.0 255.255.255.0 (hitcnt=3) 0xa602c97c
access-list VPN_1 line 3 extended permit ip host 192.168.146.29 10.2.1.0 255.255.255.0 (hitcnt=0) 0x7b9f32e3
nat (dmz144) 0 access-list nonatdmz144
nat (dmz211) 0 access-list nonatdmz211
ASA# sh access-list nonatdmz144
access-list nonatdmz144; 5 elements; name hash: 0xbf28538e
access-list nonatdmz144 line 1 extended permit ip 192.168.144.0 255.255.255.0 192.168.0.0 255.255.0.0 (hitcnt=0) 0x20121683
access-list nonatdmz144 line 2 extended permit ip 192.168.144.0 255.255.255.0 172.28.2.0 255.255.254.0 (hitcnt=0) 0xbc8ab4f1
access-list nonatdmz144 line 3 extended permit ip 192.168.144.0 255.255.255.0 194.97.141.160 255.255.255.224 (hitcnt=0) 0xce869e1e
access-list nonatdmz144 line 4 extended permit ip 192.168.144.0 255.255.255.0 172.30.0.0 255.255.240.0 (hitcnt=0) 0xd3ec5035
access-list nonatdmz144 line 5 extended permit ip 192.168.144.0 255.255.255.0 10.2.1.0 255.255.255.0 (hitcnt=0) 0x4c9cc781
ASA# sh access-list nonatdmz211 | in 192.168\.1\.
access-list nonatdmz1 line 3 extended permit ip 192.168.211.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0) 0x2bbfcfdd
ASA# sh access-list nonatdmz211 | in 10.2.1.
access-list nonatdmz1 line 4 extended permit ip 192.168.211.0 255.255.255.0 10.2.1.0 255.255.255.0 (hitcnt=0) 0x8a836d91
route isp 192.168.1.0 255.255.255.0 137.191.234.33 1
route isp 10.2.1.0 255.255.255.0 137.191.234.33 1
Thanks in advance to anyone who gets this far!Darragh
Clearing the counters was a good idea. If the counter is not incrementing and if ping from the remote side is not causing the VPN to come up it certainly confirms that something is not working right.
It might be interesting to wait till the SAs time out and go inactive and then test again with the ping from the remote subnet that is not working. Turn on debug for ISAKMP and see if there is any attempt to negotiate. Especially if you do not receive any attempt to initiate ISAKMP from then then that would be one way to show that there is a problem on the remote side.
Certainly the ASA does have the ability to do packet capture. I have used that capability and it can be quite helpful. I have not tried to do a capture on the outside interface for incoming VPN traffic and so am not sure whether you would be capturing the encrypted packet or the de-encrypted packet. You can configure an access list to identify traffic to capture and I guess that you could write an access list that included both the peer addresses as source and destination to capture the encrypted traffic and entries that were the un-encrypted source and destination subnets to capture traffic after de-encryption.
HTH
Rick -
Public-to-Public L2L VPN no return traffic
Hello all,
I'm hoping someone can give me a little help. I've researched the web and have read many forums, but I still can't get this to work. One of our vendors requires using a public ip address to setup a site-to-site IPSEC vpn. We only have one public ip address and that will be used for the vpn endpoint and for internet access for the local network. I've setup policy NAT from our local network to the outside interface. I'm also using the outside ip address for the crypto map. The tunnel setups successfully and the Tx count increases anytime I try to ping the remote network, but the ping fails and the Rx count does not increase. According to our vendor, we should be able to ping the remote network and connect using port 443. When trying to connect using port 443, I see a SYN timeout in the logs. I'm not sure if the problem is on their end and they're rejecting our traffic, or if something is misconfigured on our end. I'd like to make sure that I have everything configured correctly before I go and point fingers at them. Any help would be appreciated. Thanks.
Local Network - 10.10.9.0/24
Remote Network - 20.20.41.0/24
Remote Peer - 20.20.60.193
ASA Version 8.2(5)
hostname ciscoasa
domain-name
names
name 10.10.9.3 VPN description VPN Server
name 10.10.9.4 IntranetMySQL description MySQL For Webserver
name 192.168.0.100 IIS_Webserver
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.10.9.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 71.***.***.162 255.255.255.0
interface Vlan3
nameif dmz
security-level 50
ip address 192.168.0.254 255.255.255.0
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 10.10.9.1
domain-name
same-security-traffic permit inter-interface
object-group service VPN_TCP
description VPN TCP Connection
service-object tcp eq 1195
object-group service VPN_UDP
description VPN UDP Port
service-object udp eq 1194
object-group service VPN_HTTPS
description VPN HTTPS Web Server
service-object tcp eq 943
service-object udp eq 943
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service WebServer
service-object tcp eq 8001
object-group service DM_INLINE_SERVICE_1
service-object tcp-udp eq www
service-object tcp eq https
object-group service VPN_HTTPS_UDP udp
port-object eq 943
object-group service WCF_WebService tcp
port-object eq 808
object-group service RDP tcp
port-object eq 3389
object-group service RDP_UDP udp
port-object eq 3389
object-group service DM_INLINE_SERVICE_2
service-object tcp-udp eq www
service-object tcp eq https
object-group service *_Apache tcp
port-object eq 8001
object-group service *_ApacheUDP udp
port-object eq 8001
object-group service IIS_SQL_Server tcp
port-object eq 1433
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group service File_Sharing tcp
port-object eq 445
object-group service File_Sharing_UDP udp
port-object eq 445
object-group service MySQL tcp
port-object eq 3306
object-group service Http_Claims_Portal tcp
port-object eq 8080
object-group service Http_Claims_PortalUDP udp
port-object eq 8080
object-group service RTR_Portal tcp
description Real Time Rating Portal
port-object eq 8081
object-group service RTR_PortalUDP udp
port-object eq 8081
object-group service DM_INLINE_SERVICE_3
service-object tcp-udp eq www
service-object tcp eq https
access-list outside_access_in extended permit udp any 70.***.***.0 255.255.255.0 eq 1194
access-list outside_access_in extended permit tcp any any eq 1195
access-list outside_access_in extended permit object-group VPN_HTTPS any any
access-list outside_access_in extended permit tcp any interface outside eq 943
access-list outside_access_in extended permit tcp any any eq 8001
access-list inside_access_in extended permit tcp any any
access-list outside_access_in_1 extended permit tcp any interface outside eq 943
access-list outside_access_in_2 extended permit object-group DM_INLINE_SERVICE_1 host 71.***.***.165 host 71.***.***.162
access-list outside_access_in_2 extended permit object-group TCPUDP any any inactive
access-list outside_access_in_2 extended permit icmp any any
access-list outside_access_in_2 extended permit object-group VPN_HTTPS any host 71.***.***.162
access-list outside_access_in_2 remark VPN TCP Ports
access-list outside_access_in_2 extended permit tcp any host 71.***.***.162 eq 1195
access-list outside_access_in_2 extended permit udp any host 71.***.***.162 eq 1194
access-list outside_access_in_2 remark Palm Insure Apache Server
access-list outside_access_in_2 extended permit tcp any host 71.***.***.164 object-group *_Apache inactive
access-list outside_access_in_2 extended permit udp any host 71.***.***.164 object-group *_ApacheUDP inactive
access-list outside_access_in_2 extended permit tcp any host 71.***.***.164 object-group MySQL inactive
access-list outside_access_in_2 extended permit tcp any host 71.***.***.164 object-group Http_Claims_Portal inactive
access-list outside_access_in_2 extended permit udp any host 71.***.***.164 object-group Http_Claims_PortalUDP inactive
access-list outside_access_in_2 extended permit tcp any host 71.***.***.164 object-group RTR_Portal inactive
access-list outside_access_in_2 extended permit udp any host 71.***.***.164 object-group RTR_PortalUDP inactive
access-list outside_access_in_2 extended permit object-group DM_INLINE_SERVICE_3 any host 71.***.***.164 inactive
access-list outside_access_in_2 remark RTR Access Rule for Internal VM's
access-list outside_access_in_2 extended permit tcp any host 71.***.***.162 object-group Http_Claims_Portal
access-list outside_access_in_2 remark RTR Access rule for internal VMs
access-list outside_access_in_2 extended permit udp any host 71.***.***.162 object-group Http_Claims_PortalUDP
access-list inside_access_in_1 extended permit object-group TCPUDP any any
access-list inside_access_in_1 extended permit icmp any any
access-list inside_access_in_1 extended permit esp any any
access-list inside_access_in_1 extended permit udp any any eq isakmp
access-list dmz_access_in extended permit ip any any
access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_2 any host 70.***.***.252
access-list dmz_access_in extended permit tcp any host 70.***.***.252 eq www
access-list dmz_access_in_1 extended permit tcp host IIS_Webserver host 10.10.9.5 object-group DM_INLINE_TCP_1 inactive
access-list dmz_access_in_1 extended permit object-group TCPUDP any host IIS_Webserver eq www inactive
access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver eq https inactive
access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group *_Apache inactive
access-list dmz_access_in_1 extended permit udp any host IIS_Webserver object-group *_ApacheUDP inactive
access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver eq 3389 inactive
access-list dmz_access_in_1 extended permit udp any host IIS_Webserver eq 3389 inactive
access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group IIS_SQL_Server inactive
access-list dmz_access_in_1 extended permit object-group TCPUDP any any inactive
access-list dmz_access_in_1 extended permit tcp host 10.10.9.5 host IIS_Webserver eq ftp inactive
access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group MySQL inactive
access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group Http_Claims_Portal inactive
access-list dmz_access_in_1 extended permit udp any host IIS_Webserver object-group Http_Claims_PortalUDP inactive
access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group RTR_Portal inactive
access-list dmz_access_in_1 extended permit udp any host IIS_Webserver object-group RTR_PortalUDP inactive
access-list inside_nat_static extended permit ip host 10.10.9.1 20.20.41.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip host 71.***.***.162 20.20.41.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 10.10.9.0 255.255.255.0
static (inside,outside) tcp interface 943 VPN 943 netmask 255.255.255.255
static (inside,outside) tcp interface 1195 VPN 1195 netmask 255.255.255.255
static (inside,outside) tcp interface 1194 VPN 1194 netmask 255.255.255.255
static (inside,outside) udp interface 1194 VPN 1194 netmask 255.255.255.255
static (inside,outside) udp interface 1195 VPN 1195 netmask 255.255.255.255
static (inside,outside) tcp interface ssh IntranetMySQL ssh netmask 255.255.255.255
static (inside,outside) tcp interface ftp IntranetMySQL ftp netmask 255.255.255.255
static (dmz,inside) tcp IIS_Webserver 3389 IIS_Webserver 3389 netmask 255.255.255.255
static (inside,outside) tcp interface www 10.10.9.5 www netmask 255.255.255.255
static (dmz,outside) tcp 71.***.***.164 3389 IIS_Webserver 3389 netmask 255.255.255.255
static (dmz,outside) tcp 71.***.***.164 8001 IIS_Webserver 8001 netmask 255.255.255.255
static (dmz,outside) udp 71.***.***.164 8001 IIS_Webserver 8001 netmask 255.255.255.255
static (dmz,outside) tcp 71.***.***.164 www IIS_Webserver www netmask 255.255.255.255
static (dmz,outside) tcp 71.***.***.164 https IIS_Webserver https netmask 255.255.255.255
static (dmz,outside) tcp 71.***.***.164 ftp IIS_Webserver ftp netmask 255.255.255.255
static (dmz,outside) tcp 71.***.***.164 3306 IIS_Webserver 3306 netmask 255.255.255.255
static (dmz,inside) tcp IIS_Webserver 3306 IIS_Webserver 3306 netmask 255.255.255.255
static (dmz,outside) tcp 71.***.***.164 8080 IIS_Webserver 8080 netmask 255.255.255.255
static (dmz,outside) udp 71.***.***.164 8080 IIS_Webserver 8080 netmask 255.255.255.255
static (dmz,inside) tcp IIS_Webserver 8080 IIS_Webserver 8080 netmask 255.255.255.255
static (dmz,outside) tcp 71.***.***.164 8081 IIS_Webserver 8081 netmask 255.255.255.255
static (dmz,outside) udp 71.***.***.164 8081 IIS_Webserver 8081 netmask 255.255.255.255
static (dmz,inside) tcp IIS_Webserver 8081 IIS_Webserver 8081 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 10.10.9.15 8080 netmask 255.255.255.255
static (inside,outside) udp interface 8080 10.10.9.15 8080 netmask 255.255.255.255
static (dmz,outside) 71.***.***.164 IIS_Webserver netmask 255.255.255.255
static (dmz,inside) IIS_Webserver IIS_Webserver netmask 255.255.255.255
static (inside,dmz) 10.10.9.5 10.10.9.5 netmask 255.255.255.255
static (inside,outside) interface access-list inside_nat_static
access-group inside_access_in_1 in interface inside
access-group outside_access_in_2 in interface outside
access-group dmz_access_in_1 in interface dmz
route outside 0.0.0.0 0.0.0.0 71.***.***.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.10.9.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 20.20.60.193
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
telnet timeout 5
ssh 10.10.9.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 20.20.60.193 type ipsec-l2l
tunnel-group 20.20.60.193 ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymousHi,
If you are using the public IP address of your ASA (that is used as the PAT address for all outbound traffic) as the only source IP address for the L2L VPN you dont really have to build any additional NAT configurations for the L2L VPN connection. So you shouldnt need the "static" configuration you have made.
static (inside,outside) interface access-list inside_nat_static
This is because any traffic from your local LAN will be PATed to the "outside" IP address and when the ASA also sees that the destination network for the connection is part of the L2L VPN configurations, then the traffic should be forwarded to the L2L VPN connection just fine.
Did you try the connectivity without the "static" configuration?
For ICMP testing I would add the command
fixup protocol icmp
or
policy-map global_policy
class inspection_default
inspect icmp
Should do the same thing
- Jouni -
I am using GNS3 to build a tunnel between an ASA and a router.
Below are my configurations but the tunnel is not coming, can anyone spot what's wrong with my configs? Or could it be because of bugs on GNS3?
ciscoasa# sho running-config crypto
crypto ipsec transform-set MySET esp-aes esp-sha-hmac
access-list VPN_Traffic extended permit ip 12.123.15.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto map SampleVPN 100 match address VPN_Traffic
crypto map SampleVPN 100 set peer 10.123.5.2
crypto map SampleVPN 100 set transform-set MySET
crypto map SampleVPN interface outside
crypto isakmp enable outside
crypto isakmp policy 100
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group VPN type ipsec-l2l
tunnel-group VPN ipsec-attributes
pre-shared-key 1234
R1#sho run | sec crypto
crypto isakmp policy 100
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 1234 address 12.152.45.2 no-xauth
crypto ipsec transform-set MySET esp-aes esp-sha-hmac
ip access-list extended VPN_Traffic
permit ip 192.168.10.0 0.0.0.255 12.123.15.0 0.0.0.255
crypto map VPN 100 ipsec-isakmp
set peer 12.152.45.2
set transform-set MySET
match address VPN_Traffic
interface f0/0
crypto map VPN
Here are the debugs from the router...
*Feb 18 15:59:03.971: ISAKMP:(0): SA request profile is (NULL)
*Feb 18 15:59:03.971: ISAKMP: Created a peer struct for 12.152.45.2, peer port 500
*Feb 18 15:59:03.971: ISAKMP: New peer created peer = 0x65C73CCC peer_handle = 0x80000004
*Feb 18 15:59:03.975: ISAKMP: Locking peer struct 0x65C73CCC, refcount 1 for isakmp_initiator
*Feb 18 15:59:03.975: ISAKMP: local port 500, remote port 500
*Feb 18 15:59:03.975: ISAKMP: set new node 0 to QM_IDLE
*Feb 18 15:59:03.975: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 6568F26C
*Feb 18 15:59:03.979: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Feb 18 15:59:03.979: ISAKMP:(0):found peer pre-shared key matching 12.152.45.2
*Feb 18 15:59:03.983: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Feb 18 15:59:03.983: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Feb 18 15:59:03.983: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Feb 18 15:59:03.987: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Feb 18 15:59:03.987: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Feb 18 15:59:03.987: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Feb 18 15:59:03.987: ISAKMP:(0): beginning Main Mode exchange
*Feb 18 15:59:03.991: ISAKMP:(0): sending packet to 12.152.45.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb 18 15:59:03.991: ISAKMP:(0):Sending an IKE IPv4 Packet......
Success rate is 0 percent (0/5)
R1#
*Feb 18 15:59:13.991: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Feb 18 15:59:13.991: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Feb 18 15:59:13.991: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Feb 18 15:59:13.995: ISAKMP:(0): sending packet to 12.152.45.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb 18 15:59:13.995: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Feb 18 15:59:14.043: ISAKMP (0:0): received packet from 12.152.45.2 dport 500 sport 500 Global (I) MM_NO_STATE
*Feb 18 15:59:14.047: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Feb 18 15:59:14.047: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Feb 18 15:59:14.051: ISAKMP:(0): processing SA payload. message ID = 0
*Feb 18 15:59:14.055: ISAKMP:(0): processing vendor id payload
*Feb 18 15:59:14.055: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Feb 18 15:59:14.055: ISAKMP:(0): vendor ID is NAT-T v2
*Feb 18 15:59:14.055: ISAKMP:(0)
R1#: processing vendor id payload
*Feb 18 15:59:14.059: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Feb 18 15:59:14.059: ISAKMP:(0):found peer pre-shared key matching 12.152.45.2
*Feb 18 15:59:14.059: ISAKMP:(0): local preshared key found
*Feb 18 15:59:14.059: ISAKMP : Scanning profiles for xauth ...
*Feb 18 15:59:14.063: ISAKMP:(0):Checking ISAKMP transform 1 against priority 100 policy
*Feb 18 15:59:14.063: ISAKMP: encryption 3DES-CBC
*Feb 18 15:59:14.063: ISAKMP: hash MD5
*Feb 18 15:59:14.063: ISAKMP: default group 2
*Feb 18 15:59:14.063: ISAKMP: auth pre-share
*Feb 18 15:59:14.063: ISAKMP: life type in seconds
*Feb 18 15:59:14.067: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Feb 18 15:59:14.067: ISAKMP:(0):atts are acceptable. Next payload is 0
*Feb 18 15:59:14.071: ISAKMP:(0): processing vendor id payload
*Feb 18 15:59:14.071: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Feb 18 15:59:14.071: ISAK
R1#
R1#MP:(0): vendor ID is NAT-T v2
*Feb 18 15:59:14.071: ISAKMP:(0): processing vendor id payload
*Feb 18 15:59:14.075: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Feb 18 15:59:14.075: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Feb 18 15:59:14.075: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Feb 18 15:59:14.079: ISAKMP:(0): sending packet to 12.152.45.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Feb 18 15:59:14.079: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Feb 18 15:59:14.079: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Feb 18 15:59:14.079: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
R1#
*Feb 18 15:59:23.291: ISAKMP:(0):purging node -49064826
*Feb 18 15:59:23.291: ISAKMP:(0):purging node -330154301
*Feb 18 15:59:24.079: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
*Feb 18 15:59:24.079: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Feb 18 15:59:24.079: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
*Feb 18 15:59:24.083: ISAKMP:(0): sending packet to 12.152.45.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Feb 18 15:59:24.083: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Feb 18 15:59:24.111: ISAKMP (0:0): received packet from 12.152.45.2 dport 500 sport 500 Global (I) MM_SA_SETUP
*Feb 18 15:59:24.111: ISAKMP:(0):Notify has no hash. Rejected.
*Feb 18 15:59:24.111: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM3
*Feb 18 15:59:24.115: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Feb 18 15:59:24.115: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM3
R1#ping ip 12.123.15.2 source loo0
*Feb 18 15:59:24.115: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 12.152.45.2
R1#ping ip 12.123.15.2 source loo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.123.15.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1
*Feb 18 15:59:33.295: ISAKMP:(0):purging SA., sa=6568EB18, delme=6568EB18
*Feb 18 15:59:33.967: ISAKMP: set new node 0 to QM_IDLE
*Feb 18 15:59:33.971: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 10.123.5.2, remote 12.152.45.2)
*Feb 18 15:59:33.971: ISAKMP: Error while processing SA request: Failed to initialize SA
*Feb 18 15:59:33.975: ISAKMP: Error while processing KMI message 0, error 2..
Success rate is 0 percent (0/5)
R1#
*Feb 18 16:00:18.975: ISAKMP: quick mode timer expired.
*Feb 18 16:00:18.975: ISAKMP:(0):src 10.123.5.2 dst 12.152.45.2, SA is not authenticated
*Feb 18 16:00:18.975: ISAKMP:(0):peer does not do paranoid keepalives.
*Feb 18 16:00:18.979: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) MM_SA_SETUP (peer 12.152.45.2)
*Feb 18 16:00:18.983: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) MM_SA_SETUP (peer 12.152.45.2)
*Feb 18 16:00:18.983: ISAKMP: Unlocking peer struct 0x65C73CCC for isadb_mark_sa_deleted(), count 0
*Feb 18 16:00:18.987: ISAKMP: Deleting peer node by peer_reap for 12.152.45.2: 65C73CCC
R1#
*Feb 18 16:00:18.987: ISAKMP:(0):deleting node 1582877960 error FALSE reason "IKE deleted"
*Feb 18 16:00:18.987: ISAKMP:(0):deleting node 814986207 error FALSE reason "IKE deleted"
*Feb 18 16:00:18.991: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Feb 18 16:00:18.991: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_DEST_SA
R1#
*Feb 18 16:01:08.987: ISAKMP:(0):purging node 1582877960
*Feb 18 16:01:08.987: ISAKMP:(0):purging node 814986207
R1#
*Feb 18 16:01:18.991: ISAKMP:(0):purging SA., sa=6568F26C, delme=6568F26CHi,
when you applied the tunnel-group VPN, you should have seen a warning telling that tunnel-group can have name only if it's for remote-access VPN, or certificate authentication is used. so, L2L vpn with pre-shared keys can only have tunnel-groups named as the peer IP address.
Mashal -
Can not access ASAs inside interface via VPN tunnels
Hi there,
I have a funny problem.
I build up a hub and spoke VPN, with RAS Client VPN access for the central location.
All tunnels and the RAS VPN access are working fine.
I use the tunnels for Voip, terminal server access and a few other services.
The only problem I have is, that I could not access the inside IP address of any of my ASAs, neither via tunnels nor via RAS VPN access. No telnet access and no ping reach the inside interfaces.
No problem when I connect to the interface via a host inside the network.
All telnet statments in the config are ending with the INSIDE command.
On most of the ASAs the 8.2 IOS is running on one or two ASAs the 8.0(4).
For the RAS client access I use the Cisco 5.1 VPN client.
Did anybody have any suggestions?
Regards
MarcelMarcel,
Simply add on the asas you want to administer through the tunnels
management-access
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/m.html#wp2027985
for asa5505
management-access inside
for all others if you have management interface management0/0 defined then:
management-access management
then you may need to allow the source , for example if RA VPN pool network is 10.20.20.0/24 then you tell asa that network cann administer asa and point access to inside, but sounds you have this part already.
telnet 10.20.20.0 255.255.255.0 inside
http 10.20.20.0 255.255.255.0 inside
same principle for l2l vpns
Regards -
Can't get L2L VPN up between ASA and Fortinet (IKEv2)
Hi,
I'm having issues getting a L2L tunnel up between a Cisco ASA and a Fortinet. This is the first tunnel being setup with IKEv2. The ASA is complaining that it can't find a matching policy.
The Fortinet device is configured by other party and I have confirmed that they are using the agreed settings.
Configuration from the ASA:
crypto ipsec ikev2 ipsec-proposal AES-3DES-SHA1
protocol esp encryption 3des
protocol esp integrity sha-1
crypto map VPN 100 match address ABC
crypto map VPN 100 set pfs group5
crypto map VPN 100 set peer x.x.x.x
crypto map VPN 100 set ikev2 ipsec-proposal AES-3DES-SHA1
crypto map VPN 100 set security-association lifetime seconds 28800
crypto map VPN interface outside
crypto ikev2 policy 10
encryption aes-256 3des
integrity sha256 sha
group 5
prf sha256
lifetime seconds 86400
crypto ikev2 enable outside
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
ikev2 remote-authentication pre-shared-key blablabla
ikev2 local-authentication pre-shared-key blablabla
Debugs say that there is no matching policy:
IKEv2-PROTO-3: (97): Get peer authentication method
IKEv2-PROTO-3: (97): Get peer's preshared key for x.x.x.x
IKEv2-PROTO-3: (97): Verify authentication data
IKEv2-PROTO-3: (97): Use preshared key for id x.x.x.x, key len 15
IKEv2-PROTO-2: (97): Processing auth message
IKEv2-PROTO-1: (97): Failed to find a matching policy
IKEv2-PROTO-1: (97): Received Policies:
ESP: Proposal 1: 3DES SHA96
IKEv2-PROTO-1: (97): Failed to find a matching policy
IKEv2-PROTO-1: (97): Expected Policies:
IKEv2-PROTO-5: (97): Failed to verify the proposed policies
IKEv2-PROTO-1: (97): Failed to find a matching policyDear Robert,
The above error from ASA indicates there may be a problem with your preshared key..Both Local and remotre sites...or an Out of Synce problem to the remote end/peer. Give more details about ur Watchguard version with what application it is running..Send the complete log of
1. sh crypto ipsec sa
2. sh crypto isakmp sa
3. debug crypto isa 255
4. debug crypto ipsec 255 -
ASA with Multiple dynamic L2L VPN
I have an ASA 5510 as VPN Concentrator, used for about 30 L2L-VPNs.
I need also some L2L-VPN with dynamic remote peer.
While the configuration for a single dyn-VPN is quite simple (as described in several examples), how can I configure the ASA in the case of many dyn-VPNs ?
Basically, all the dyn-VPN should use the same PSK (the one of DefaultL2LGroup).
But using "aggressive mode" on the remote peer, I could use a different PSK for each dyn-VPN:
tunnel-group ABCD ipsec-attributes
pre-shared-key *
Is this configuration correct ?
Best regards
ClaudioHi,
Maybe the solutions provided in the following document might also be an option for you to configure multiple dynamic L2L VPN connections on the ASA
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bc7d13.shtml
Hope this helps
- Jouni -
AAA Radius Authentication for Remote VPN With ACS Server Across L2L VPN
Hi,
I have an ASA running fine on the network which provide L2L tunnel to remote site and provide Remote VPN for remote access users.
Currently, there is a need for the users to authenticate against an ACS server that located across the L2L VPN tunnel.
The topology is just simple with 2 interfaces on the ASA, inside and outside, and a default route pointing to the ISP IP Address.
I can ping the IP address of the ACS Server (which located at the remote site, IP addr: 10.10.10.56) from the ASA:
ping inside 10.10.10.56
However when I configure the ASA for the AAA group with commands:
aaa-server ACSAuth protocol radius
aaa-server ACSAuth host (inside) 10.10.10.56 key AcsSecret123
Then when I do the show run, here is the result:
aaa-server ACSAuth protocol radius
aaa-server host 10.10.10.56
key AcsSecret123
From what I thought is, with this running config, traffic is not directed to the L2L VPN tunnel
(seems to be directed to the default gateway due to the default route information) which cause failure to do the AAA authentication.
Does anybody ever implement such this thing and whether is it possible? And if yes, how should be the config?
Your help will be really appreciated!
Thanks.
Best Regards,
JoAAA is designed to enable you to dynamically configure the type of authentication and authorization you want on a per-line (per-user) or per-service (for example, IP, IPX, or VPDN) basis. You define the type of authentication and authorization you want by creating method lists, then applying those method lists to specific services or interfaces.
http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/schaaa.html -
L2L VPN with source and destination NAT
Hello,
i am new with the ASA 8.4 and was wondering how to tackle the following scenario.
The diagram is
Customer ---->>> Firewall --->> L2L VPN --->> Me --->> MPLS ---> Server
The server is accessible by other tunnels in place but there is no NAT needed. For the tunnel we are talking about it is
The Customer connects the following way
Source: 198.1.1.1
Destination: 192.168.1.1
It gets to the outside ASA interface which should translate the packets to:
Source: 10.110.110.1
Destination: 10.120.110.1
On the way back, 10.120.110.1 should be translated to 192.168.1.1 only when going to 198.1.1.1
I did the following configuration which I am not able to test but tomorrow during the migration
object network obj-198.1.1.1
host 198.1.1.1
object network obj-198.1.1.1
nat (outside,inside) dynamic 10.110.110.1
For the inside to outside NAT depending on the destination:
object network Real-IP
host 10.120.110.1
object-group network PE-VPN-src
network-object host 198.1.1.1
object network Destination-NAT
host 192.168.1.1
nat (inside,outside) source static Real-IP Destination-NAT destination static PE-VPN-src PE-VPN-src
Question is if I should create also the following or not for the outside to inside flow NAT? Or the NAT is done from the inside to outside estatement even if the traffic is always initiated from outside interface?
object network obj-192.168.1.1
host 192.168.1.1
object network obj-192.168.1.1
nat (outside,inside) dynamic 10.120.110.1Let's use a spare ip address in the same subnet as the ASA inside interface for the NAT (assuming that 10.10.10.251 is free (pls kindly double check and use a free IP Address accordingly):
object network obj-10.10.10.243
host 10.10.10.243
object network obj-77.x.x.24
host 77.x.x.24
object network obj-10.10.10.251
host 10.10.10.251
object network obj-pcA
host 86.x.x.253
nat (inside,outside) source static obj-10.10.10.243 obj-77.x.x.24 destination static obj-10.10.10.251 obj-86.x.x.253
Hope that helps. -
L2L VPN-8.4(3)
Hi,
We are setting up IPSec L2L tunnel with our client. Client will access some of our internal servers through vpn tunnel. Client are natting his internal networks with public ip 121.16.141.x. We have below servers IPs which client would access.
10.150.20.131
10.150.20.132
I have prepared config for VPN tunnel but not preety sure that it is correct so looking for your help on this.
======================================
object-group network server_IP
network-object host 10.150.20.131
network-object host 10.150.20.132
object network client_IP
host 121.16.141.x
nat (inside,outside) source static server_IP server_IP destination static client_IP client_IP no-proxy-arp
access-list VPN extended permit ip object-group server_IP object client_IP
crypto map outside_map 6 match address VPN
crypto map outside_map 6 set peer <<client FW outside interface ip(y.y.y.y) >>
crypto map outside_map 6 set ikev1 transform-set ESP-3DES-MD5
crypto map outside_map 6 set security-association lifetime seconds 28800
crypto map outside_map 6 set security-association lifetime kilobytes 4608000
tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
ikev1 pre-shared-key *****
=========================================================
Pls confirm if this config is correct..Hi,
Well there is couple of options
You can configure Filter ACL for the L2L VPN.
You can configure "no sysopt connection permit-vpn".
While configuring the VPN Filter is the easiest way to restrict connections coming from VPNs WHEN you have a lot of existing VPN connections, I still wouldnt recommend it as a first choice as it can get a bit complicated.
The second option is something that I personally like BUT using it depends on your current environment.
If you were to add the command "no sysopt connection permit-vpn" THEN ANY connection coming through VPN connections through the "outside" interface of your ASA would need to have a permitting ACL rule on the "outside" interface ACL.
So judging by your number in the "crypto map" configuration which is "6" I assume you have multiple L2L VPN configurations atleast, possibly remote access VPN also?
If this is the case then you would have to first create ACL rules to define what connections can be initiated behind VPN connections on each of those connections BEFORE enabling the command I mention. If you didnt then all connections from the direction of the remote host or remote network would start to get blocked by the ASA.
When you enable that command you could basically use the "outside" interface ACL to allow and deny traffic that is coming through VPN just like it was coming through Internet.
So if you are able to preconfigure the ACL rules for all of your existing VPN connections THEN I would recommend using the "no sysopt connection permit-vpn" to BLOCK ALL connections coming through VPN connections UNLESS they are allowed in the interface ACL of "outside" interface.
Hope I made any sense
Naturally ask more if needed
- Jouni -
Please gives sample configure VPN site to site on ASA 5512-x v.9.1!
Dear All,
Could you gave sample configer ASA 5512-x v.9.1 for VPN site to Site, i use to configure on ASA 5510 V.8.2 but on ver 9.1 i never configure.
my is use that i dont know to how to configure nonat.
i saw some configration as in the attach file they just to show configure VPN but we did not see nonot on command.
http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/vpn/vpn_site2site.html
Best Regards,
HKHi,
The new configuration format for NAT0 / NAT Exemption / Identity NAT is the following
object network SOURCE-NETWORK
subnet
object network DESTINATION-NETWORK
subnet
nat (inside,outside) source static SOURCE-NETWORK SOURCE-NETWORK destination static DESTINATION-NETWORK DESTINATION-NETWORK
In the above
SOURCE-NETWORK contains the network on your side of the network
DESTINATION-NETWORK contains the network on the remote side of the L2L VPN
The NAT configuration presumes that you are using interfaces with the name of "inside" and "outside"
The reason you see 2 of each "object" in the NAT configuration is that there is no NAT performed for them. You would have option to do NAT for both source and destination but in this case we dont want that.
Depending how many source and destination networks we are talking about, this might need some modifying.
Hopefully this helps
- Jouni -
2811:connecting two ASA5505 l2l VPN's
Hello,
We have an HQ site with a 2811 (w/ADVSECURITYK9-M) acting as the firewall. We currently have 1 ASA5505 that has an established ipsec l2l VPN.
I'm trying to connect a 2nd ASA, but I've noticed I can only add 1 cryptomap to the outside interface.
A show ver shows 1 Virtual Private Network Module... Surely that doesn't mean only 1 VPN?
Do I use one crypto map, and add a second 'set peer' & 'match address' inside the crypto map itself?
Thanks,
JasonOk, I'm getting closer, but still failing. I was close enough that a VOIP phone registered with the phone system at some point, but not sure why it wont stay connected.
The original, VPN1 is still connected though.
I've varified the preshared keys on both ends match.
Here's an error from the debug of the second ASA, VPN2
Aug 24 10:49:45 [IKEv1]: Group = 64.X.X.X, IP = 64.X.X.X, QM FSM error (P2 struct &0x42436b0, mess id 0x374e49ed)!
Aug 24 10:49:45 [IKEv1]: Group = 64.X.X.X, IP = 64.X.X.X, Removing peer from correlator table failed, no match!
Aug 24 10:49:45 [IKEv1]: Group = 64.X.X.X, IP = 64.X.X.X, QM FSM error (P2 struct &0x42436b0, mess id 0x374e49ed)!
Aug 24 10:49:45 [IKEv1]: Group = 64.X.X.X, IP = 64.X.X.X, Removing peer from correlator table failed, no match!
As far as the ASA configs, everything is the exactly the same, except;
NEW ASA VPN2 -both asa have object groups 1&2, containing other ip's of the HQ site. these ip's listed here are of VPN1's local lan.
I imagine I will need to add VPN2's local ip to VPN1's config for objectgroup 1&2, but I don't think that is the reason this wont connect to HQ
object-group network DM_INLINE_NETWORK_1
network-object 192.168.26.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object 192.168.26.0 255.255.255.0
object-group network DM_INLINE_NETWORK_3
network-object 192.168.27.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
Working ASA VPN1 - not sure exactly how the bolded line works
no crypto isakmp nat-traversal
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
HQ 2811 -----------------------------------------------------------------------
Hope I included enough of the router config. Again, VPN1 is working.
crypto isakmp key VPN1PW address 99.x.x.x
crypto isakmp key VPN2PW address 108.x.x.x
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec df-bit clear
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to 99.x.x.x VPN1
set peer 99.x.x.x
set transform-set ESP-AES-128-SHA
match address 103
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to 108.x.x.x VPN2
set peer 108.x.x.x
set transform-set ESP-AES-128-SHA
match address 105
****** This next section I dont recall typing in, but it refers to access group 105, but 105 was newly created for the new VPN2. I didn't not find a corresponding command for access-group 103, which 105 is a copy of 103, except each one includes the others local lan too.
class-map type inspect match-all sdm-nat-user-protocol--2-1
match access-group 105
match protocol user-protocol--2
interface FastEthernet0/1
description T1 to Internet$FW_OUTSIDE$
ip address 64.x.x.x 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1 -
ASA IPSEC VPN Design Question; ARP Between ASA
I"ve a requirement to put two ASA between two sites. The second site has hosts within the same network as the first site (conflict of fundamental routing principles). Can you put an ASA inline between the router and distribution switch at each site, setup an IPSEC VPN and not have issue? I thought we could have the distro switch terminate in the DMZ interface setup as a layer 2 interface in a vlan with a vlan int in the same network as the vlan int on the ASA DMZ interface on the ASA at the other site. Will this work? I guess the biggest concern is how to get layer 2 (arp) to work so hosts/servers can find each other between buildings and not get dropped on a layer 3 interface that doesn't see the distant network on a different egress interface.
Thanks!
MattMatt,
AFAIK - what you are describing is layer 2 tunneling, providing layer 2 networks from two speperate locations.
The only way I am aware of how to provide this - does NOT invlove ASA's or VPN's suing layer 3. You could do this over MPLS or a transparent layer 2 pt-pt circuit.
Perhaps another netpro has done this or knows how - I did hear of someone bridging thru a GRE tunnel, not sure if that is a viable option or actually works.
HTH> -
No ACL deny logs for Traffic not matched by Static Object NATs and ACL. Need Help.
I start noticing that I do not see any denied traffic coming in on my ACL. To better explain, lets say I have this config.
### Sample Config ###
object network webserver
host 192.168.1.50
nat (dmz, outside) static X.X.X.X service tcp www www
access-list inbound extended permit ip any4 object webserver eq www
If I generate a traffic from the outside let's say a traffic that is trying to access X.X.X.X via TCP Port 8080 which obviously does not have any NAT entry to it going to my DMZ, I don't see the ACL denies it anymore but instead comes back with a Drop Reason: (nat-no-xlate-to-pat-pool) . On the packet trace I got this. (Below) it seems that does not even hit the ACL as there is no xlate found for it, at least to what the drop reason says.
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside
Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate
Before, using a regular Static PAT on ASA Versions 8.2(5) below, I could get the deny logs (ASA-4-106023). Generally, I use these logs, and are quite important for us specially during auditing.
My question is how can I generate logs for these type of dropped traffic on the ASA 9.1 Version?
Any comments/suggestions are gladly appreciated :)
Regards,
JohnI believe, but am not 100% sure, that the reason you are not seeing the ACL drop but a no NAT matched is because of the changes from 8.2 to 8.3 in the order of how things are done. In 8.3 and later you need to secify the real IP address when allowing packets in, and this is because NAT happens before the ACL is matched. So since there is no match on the NAT the packet is dropped then and there, never reaching the stage where ACLs are checked.
As to seeing drops in the ACL log...You might want to try adding an ACL that matches the NATed IP...but I don't think you will have much success with that either. My guess is that there is no way around this...at least no way I know of.
Please remember to select a correct answer and rate helpful posts -
HA between Dedicated T1 and L2L VPN
I'm looking for ideas on how to have complete HA between a dedicated T1 and an L2L VPN over the internet.
We had discussed routing protocol OSPF but would like to avoid the converge issues that could rise and affect other customers in the same DMZ.
What would be our options if we do not want to use a routing protocol? How could we fail over to the backup line, the L2L, should the T1 fail. I had mentioned changing the metrics but this will not identify a problem on the line should the customers ethernet link goe down.
Feel free to include an ideas that would use routing protocols.I had to revisit this configuration. I had decided since we are not going to use a routing protocol that a floating route between the T1 router and VPN is the best solution. although this should work if the router or Ethernet of the router goes down it should fail if the the Ethernet interface of the router, which has OSPF running between their network and our LAN, does not fail.
But it is not failing?
I have attached a diagram.
Maybe you are looking for
-
After Creation of PO Release strategy is missing
Hi Experts, We have a problem that we have created a PO but we found after that release strategy is getting missed out. What could be the possible causes for this? Note: We have checked in CL20N everything seems to be in place. Cheers,Kumar.S///
-
How do i turn ON digital out port on appleTV
Just got my new apple tv ( latest version). I have connected hdmi out to the tv and optical out to my old A/V receiver. I have also appropriately made all the assignments on my receiver for optical in. Not getting any sound from digital out of apple
-
The itunes store won't load on my computer
The store won't load; it loads halfway and then the screen goes white. I can still get to my library but i can't access the store. I've updated to the latest itunes and I'm pretty sure my computer is up to date too ( i've run two system updates and r
-
With each page I print on my HP Officejet Pro 8500, Series 909a, (whether email messages or selected page(s) of projects) an additional page prints giving this list of descriptive info: Filename, diretory, template, title, subject, author, keywords,
-
BAPI for the transaction VCH1 and VCH2 (Batch Search strategy)
Hi Experts, I need to create a new condition record or change a condition records using the transactions VCH1 and VCH2 respectively. But BDC recording should not be used at any cost (acc to Client). So next go for me is to search for a BAPI or any Fu