L2L vpn with Palo Alto Firewall

Similar Messages

• WLC Guest Setup thru Palo Alto Firewall

  We currently have a Guest wireless setup at my company, instead of using a anchor controller we have dual contorllers with each having one interface connecting out into our dmz and then going out.  it's a pure L2 connection and exits out to the internet via a DMZ interface on our ASA.  We recently purchased a PA-200 Palo Alto firewall to use for this Guest network, and configured everything exactly how it's all ready setup on our dmz switch and asa with the same ip addresses.  When we connect the outside interfaces from the controller to a L2 switch that's connected to the Palo Alto firewall we can't get dhcp requests thru and have no connectivity, even if we set a static IP on our client we still have no connectivity and it won't redirect us.  We use Web-Auth for our authenication with this network and I know once you get an IP address it will only allow dns to redirect to the virtual IP for authenication before it allows anything else but it is the exact same setup as we had before just with a different firewall so I'm stuck.  Also if I plug directly into the switch via ethernet cable I can get an IP address and get out to the internet.  Is there anyone who has experience with this type of setup, or might know what I need to allow on the firewall for it to work?  I've attached a diagram of the basic topology we have setup.
  Thanks

  Hi Rod
  You WLC interface and PA interface config look correct. I assume you have policies rules on the PA to permit traffic from your guest zone to the destination. You will also require a policy on the PA to permit traffic from the guest zone to the guest zone as the default route for the subnet is on the PA and any traffic to the IP is filtered by the policies.
  I have my WLC doing DHCP for my guest subnet as your guest SSID/vlan is probably central switched on the WLC its the easiest way to do this. The PA has no DHCP helper function as far as I am aware and I've never tried passing DHCP requests through a PA via a centrally switched SSID. I assume 10.118.6.112 is the management IP of your controller? if its not try changing the IP to your controller management IP if your not getting DHCP
  I'm not sure how your guest system works but I have an SSID which has a web-auth policy fowarding the guest auth to an authentication server with a webconsole which the passes a radius auth session back to the WLC.
  Do you have any other SSID's configured to use that physical port on the WLC? Even if there HREAP and not using the interface.
  Do you also have the web policy configured correctly on the SSID? I assume you want the browser to redirect to the guest web login page when they connect to the SSID. Are you using an external server for this or the WLC?

• L2L VPN with source and destination NAT

  Hello,
  i am new with the ASA 8.4 and was wondering how to tackle the following scenario.
  The diagram is
  Customer ---->>> Firewall --->> L2L VPN --->> Me --->> MPLS ---> Server
  The server is accessible by other tunnels in place but there is no NAT needed. For the tunnel we are talking about it is
  The Customer connects the following way
  Source: 198.1.1.1
  Destination: 192.168.1.1
  It gets to the outside ASA interface which should translate the packets to:
  Source: 10.110.110.1
  Destination: 10.120.110.1
  On the way back, 10.120.110.1 should be translated to 192.168.1.1 only when going to 198.1.1.1
  I did the following configuration which I am not able to test but tomorrow during the migration
  object network obj-198.1.1.1
  host 198.1.1.1
  object network obj-198.1.1.1
  nat (outside,inside) dynamic 10.110.110.1
  For the inside to outside NAT depending on the destination:
  object network Real-IP
    host 10.120.110.1
  object-group network PE-VPN-src
  network-object host 198.1.1.1
  object network Destination-NAT
  host 192.168.1.1
  nat (inside,outside) source static Real-IP Destination-NAT destination static PE-VPN-src PE-VPN-src
  Question is if I should create also the following or not for the outside to inside flow NAT? Or the NAT is done from the inside to outside estatement even if the traffic is always initiated from outside interface?
  object network obj-192.168.1.1
  host 192.168.1.1
  object network obj-192.168.1.1
  nat (outside,inside) dynamic 10.120.110.1

  Let's use a spare ip address in the same subnet as the ASA inside interface for the NAT (assuming that 10.10.10.251 is free (pls kindly double check and use a free IP Address accordingly):
  object network obj-10.10.10.243
    host 10.10.10.243
  object network obj-77.x.x.24
    host 77.x.x.24
  object network obj-10.10.10.251
    host 10.10.10.251
  object network obj-pcA
    host 86.x.x.253
  nat (inside,outside) source static obj-10.10.10.243 obj-77.x.x.24 destination static obj-10.10.10.251 obj-86.x.x.253
  Hope that helps.

• Converting a Palo Alto Firewall to a Cisco ASA - recommendations?

  I've seen some tools for converting ASA's to PA... but not the other way around. Anyone come up with a good method? (scripts, tools, etc?)
  Thanks in advance!

  Hi,
  I couldn't find any. May be someone else has it but google didn't show up anything for me:) nor did internal search. I would suggest contacting your account team and see if they can assist you with migration.
  Regards,
  Kanwal
  Note: Please mark answers if they are helpful.

• ASA with Multiple dynamic L2L VPN

  I have an ASA 5510 as VPN Concentrator, used for about 30 L2L-VPNs.
  I need also some L2L-VPN with dynamic remote peer.
  While the configuration for a single dyn-VPN is quite simple (as described in several examples), how can I configure the ASA in the case of many dyn-VPNs ?
  Basically, all the dyn-VPN should use the same PSK (the one of DefaultL2LGroup).
  But using "aggressive mode" on the remote peer, I could use a different PSK for each dyn-VPN:
  tunnel-group ABCD ipsec-attributes
  pre-shared-key *
  Is this configuration correct ?
  Best regards
  Claudio

  Hi,
  Maybe the solutions provided in the following document might also be an option for you to configure multiple dynamic L2L VPN connections on the ASA
  http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bc7d13.shtml
  Hope this helps
  - Jouni

• L2L VPN not coming up

  I am using GNS3 to build a tunnel between an ASA and a router.
  Below are my configurations but the tunnel is not coming, can anyone spot what's wrong with my configs? Or could it be because of bugs on GNS3?
  ciscoasa# sho running-config crypto
  crypto ipsec transform-set MySET esp-aes esp-sha-hmac
  access-list VPN_Traffic extended permit ip 12.123.15.0 255.255.255.0 192.168.10.0 255.255.255.0
  crypto map SampleVPN 100 match address VPN_Traffic
  crypto map SampleVPN 100 set peer 10.123.5.2
  crypto map SampleVPN 100 set transform-set MySET
  crypto map SampleVPN interface outside
  crypto isakmp enable outside
  crypto isakmp policy 100
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  crypto isakmp policy 65535
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  tunnel-group VPN type ipsec-l2l
  tunnel-group VPN ipsec-attributes
  pre-shared-key 1234
  R1#sho run | sec crypto
  crypto isakmp policy 100
  encr 3des
  hash md5
  authentication pre-share
  group 2
  crypto isakmp key 1234 address 12.152.45.2 no-xauth
  crypto ipsec transform-set MySET esp-aes esp-sha-hmac
  ip access-list extended VPN_Traffic
  permit ip 192.168.10.0 0.0.0.255 12.123.15.0 0.0.0.255
  crypto map VPN 100 ipsec-isakmp
  set peer 12.152.45.2
  set transform-set MySET
  match address VPN_Traffic
  interface f0/0
  crypto map VPN
  Here are the debugs from the router...
  *Feb 18 15:59:03.971: ISAKMP:(0): SA request profile is (NULL)
  *Feb 18 15:59:03.971: ISAKMP: Created a peer struct for 12.152.45.2, peer port 500
  *Feb 18 15:59:03.971: ISAKMP: New peer created peer = 0x65C73CCC peer_handle = 0x80000004
  *Feb 18 15:59:03.975: ISAKMP: Locking peer struct 0x65C73CCC, refcount 1 for isakmp_initiator
  *Feb 18 15:59:03.975: ISAKMP: local port 500, remote port 500
  *Feb 18 15:59:03.975: ISAKMP: set new node 0 to QM_IDLE
  *Feb 18 15:59:03.975: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 6568F26C
  *Feb 18 15:59:03.979: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
  *Feb 18 15:59:03.979: ISAKMP:(0):found peer pre-shared key matching 12.152.45.2
  *Feb 18 15:59:03.983: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
  *Feb 18 15:59:03.983: ISAKMP:(0): constructed NAT-T vendor-07 ID
  *Feb 18 15:59:03.983: ISAKMP:(0): constructed NAT-T vendor-03 ID
  *Feb 18 15:59:03.987: ISAKMP:(0): constructed NAT-T vendor-02 ID
  *Feb 18 15:59:03.987: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
  *Feb 18 15:59:03.987: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
  *Feb 18 15:59:03.987: ISAKMP:(0): beginning Main Mode exchange
  *Feb 18 15:59:03.991: ISAKMP:(0): sending packet to 12.152.45.2 my_port 500 peer_port 500 (I) MM_NO_STATE
  *Feb 18 15:59:03.991: ISAKMP:(0):Sending an IKE IPv4 Packet......
  Success rate is 0 percent (0/5)
  R1#
  *Feb 18 15:59:13.991: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
  *Feb 18 15:59:13.991: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
  *Feb 18 15:59:13.991: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
  *Feb 18 15:59:13.995: ISAKMP:(0): sending packet to 12.152.45.2 my_port 500 peer_port 500 (I) MM_NO_STATE
  *Feb 18 15:59:13.995: ISAKMP:(0):Sending an IKE IPv4 Packet.
  *Feb 18 15:59:14.043: ISAKMP (0:0): received packet from 12.152.45.2 dport 500 sport 500 Global (I) MM_NO_STATE
  *Feb 18 15:59:14.047: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  *Feb 18 15:59:14.047: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
  *Feb 18 15:59:14.051: ISAKMP:(0): processing SA payload. message ID = 0
  *Feb 18 15:59:14.055: ISAKMP:(0): processing vendor id payload
  *Feb 18 15:59:14.055: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
  *Feb 18 15:59:14.055: ISAKMP:(0): vendor ID is NAT-T v2
  *Feb 18 15:59:14.055: ISAKMP:(0)
  R1#: processing vendor id payload
  *Feb 18 15:59:14.059: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
  *Feb 18 15:59:14.059: ISAKMP:(0):found peer pre-shared key matching 12.152.45.2
  *Feb 18 15:59:14.059: ISAKMP:(0): local preshared key found
  *Feb 18 15:59:14.059: ISAKMP : Scanning profiles for xauth ...
  *Feb 18 15:59:14.063: ISAKMP:(0):Checking ISAKMP transform 1 against priority 100 policy
  *Feb 18 15:59:14.063: ISAKMP:      encryption 3DES-CBC
  *Feb 18 15:59:14.063: ISAKMP:      hash MD5
  *Feb 18 15:59:14.063: ISAKMP:      default group 2
  *Feb 18 15:59:14.063: ISAKMP:      auth pre-share
  *Feb 18 15:59:14.063: ISAKMP:      life type in seconds
  *Feb 18 15:59:14.067: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
  *Feb 18 15:59:14.067: ISAKMP:(0):atts are acceptable. Next payload is 0
  *Feb 18 15:59:14.071: ISAKMP:(0): processing vendor id payload
  *Feb 18 15:59:14.071: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
  *Feb 18 15:59:14.071: ISAK
  R1#
  R1#MP:(0): vendor ID is NAT-T v2
  *Feb 18 15:59:14.071: ISAKMP:(0): processing vendor id payload
  *Feb 18 15:59:14.075: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
  *Feb 18 15:59:14.075: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  *Feb 18 15:59:14.075: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
  *Feb 18 15:59:14.079: ISAKMP:(0): sending packet to 12.152.45.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
  *Feb 18 15:59:14.079: ISAKMP:(0):Sending an IKE IPv4 Packet.
  *Feb 18 15:59:14.079: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  *Feb 18 15:59:14.079: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
  R1#
  *Feb 18 15:59:23.291: ISAKMP:(0):purging node -49064826
  *Feb 18 15:59:23.291: ISAKMP:(0):purging node -330154301
  *Feb 18 15:59:24.079: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
  *Feb 18 15:59:24.079: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
  *Feb 18 15:59:24.079: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
  *Feb 18 15:59:24.083: ISAKMP:(0): sending packet to 12.152.45.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
  *Feb 18 15:59:24.083: ISAKMP:(0):Sending an IKE IPv4 Packet.
  *Feb 18 15:59:24.111: ISAKMP (0:0): received packet from 12.152.45.2 dport 500 sport 500 Global (I) MM_SA_SETUP
  *Feb 18 15:59:24.111: ISAKMP:(0):Notify has no hash. Rejected.
  *Feb 18 15:59:24.111: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM3
  *Feb 18 15:59:24.115: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
  *Feb 18 15:59:24.115: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM3
  R1#ping ip 12.123.15.2 source loo0
  *Feb 18 15:59:24.115: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 12.152.45.2
  R1#ping ip 12.123.15.2 source loo0
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 12.123.15.2, timeout is 2 seconds:
  Packet sent with a source address of 192.168.10.1
  *Feb 18 15:59:33.295: ISAKMP:(0):purging SA., sa=6568EB18, delme=6568EB18
  *Feb 18 15:59:33.967: ISAKMP: set new node 0 to QM_IDLE
  *Feb 18 15:59:33.971: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 10.123.5.2, remote 12.152.45.2)
  *Feb 18 15:59:33.971: ISAKMP: Error while processing SA request: Failed to initialize SA
  *Feb 18 15:59:33.975: ISAKMP: Error while processing KMI message 0, error 2..
  Success rate is 0 percent (0/5)
  R1#
  *Feb 18 16:00:18.975: ISAKMP: quick mode timer expired.
  *Feb 18 16:00:18.975: ISAKMP:(0):src 10.123.5.2 dst 12.152.45.2, SA is not authenticated
  *Feb 18 16:00:18.975: ISAKMP:(0):peer does not do paranoid keepalives.
  *Feb 18 16:00:18.979: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) MM_SA_SETUP (peer 12.152.45.2)
  *Feb 18 16:00:18.983: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) MM_SA_SETUP (peer 12.152.45.2)
  *Feb 18 16:00:18.983: ISAKMP: Unlocking peer struct 0x65C73CCC for isadb_mark_sa_deleted(), count 0
  *Feb 18 16:00:18.987: ISAKMP: Deleting peer node by peer_reap for 12.152.45.2: 65C73CCC
  R1#
  *Feb 18 16:00:18.987: ISAKMP:(0):deleting node 1582877960 error FALSE reason "IKE deleted"
  *Feb 18 16:00:18.987: ISAKMP:(0):deleting node 814986207 error FALSE reason "IKE deleted"
  *Feb 18 16:00:18.991: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
  *Feb 18 16:00:18.991: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_DEST_SA
  R1#
  *Feb 18 16:01:08.987: ISAKMP:(0):purging node 1582877960
  *Feb 18 16:01:08.987: ISAKMP:(0):purging node 814986207
  R1#
  *Feb 18 16:01:18.991: ISAKMP:(0):purging SA., sa=6568F26C, delme=6568F26C

  Hi,
  when you applied the tunnel-group VPN, you should have seen a warning telling that tunnel-group can have name only if it's for remote-access VPN, or certificate authentication is used. so, L2L vpn with pre-shared keys can only have tunnel-groups named as the peer IP address.
  Mashal

• AAA Radius Authentication for Remote VPN With ACS Server Across L2L VPN

  Hi,
  I have an ASA running fine on the network which provide L2L tunnel to remote site and provide Remote VPN for remote access users.
  Currently, there is a need for the users to authenticate against an ACS server that located across the L2L VPN tunnel.
  The topology is just simple with 2 interfaces on the ASA, inside and outside, and a default route pointing to the ISP IP Address.
  I can ping the IP address of the ACS Server (which located at the remote site, IP addr: 10.10.10.56) from the ASA:
  ping inside 10.10.10.56
  However when I configure the ASA for the AAA group with commands:
  aaa-server ACSAuth protocol radius
  aaa-server ACSAuth host (inside) 10.10.10.56 key AcsSecret123
  Then when I do the show run, here is the result:
  aaa-server ACSAuth protocol radius
  aaa-server host 10.10.10.56
  key AcsSecret123
  From what I thought is, with this running config, traffic is not directed to the L2L VPN tunnel
  (seems to be directed to the default gateway due to the default route information) which cause failure to do the AAA authentication.
  Does anybody ever implement such this thing and whether is it possible? And if yes, how should be the config?
  Your help will be really appreciated!
  Thanks.
  Best Regards,
  Jo

  AAA is designed to enable you to dynamically configure the type of authentication and authorization you want on a per-line (per-user) or per-service (for example, IP, IPX, or VPDN) basis. You define the type of authentication and authorization you want by creating method lists, then applying those method lists to specific services or interfaces.
  http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/schaaa.html

• AnyConnect VPN with Built-in Client Firewall on Windows 7

  Hi
  I've searched the forums and documentation and can't seem to find a definitive answer to my scenario.
  We have an ASA5510 with SecPlus running 8.3.2
  We currently use VPN client on XP to invoke the built-in firewall to prevent incoming connections to the PC when the tunnel is established – the Cisco built-in client is not supported on Win7.
  We’re looking to provide similar functionality with the AnyConnect client, i.e.
  Full network access over the AnyConnect client (connection can be established manually)
  AnyConnect client enforcing a local policy on the PC preventing incoming connections when the tunnel is established
  No clientless requirements
  No mobile requirements (apple, android etc)
  No secure desktop requirements
  I’d like to ascertain if:-
  Does the AnyConnect client include a firewall that is supported on Windows 7 (32 and 64 bit)?
  Will the Essential licence give me the functionality I require, or do I need a Premium?
  Thanks

  Hi Prashanth,
  I think you can only use per-app VPN with SSL VPN.
  Hope this helps,
  Julien

• Site to Site VPN with 2 ASA 5510's

  Hello guys,
  Im hoping yall can help me with the following objective. I have been tasked to make a site to site VPN between two networks. We are both using an ASA 5510.
  This is the scenario:
  SiteA has an wan adress of (example) 20.20.20.20  - The firewall is connected to a DMZ range : 192.168.0.0 255.255.255.0. In this range there is another firewall which grants/blocks acces to the internal range. 10.20.0.0 255.255.0.0
  SiteB has an wan adress of (example) 21.21.21.21 - The internal range is 10.0.0.0 255.0.0.0 No DMZ.
  How can i connect these 2 devices since there is an overlap. I am gonna need to use nat right? Can someone give me readable  Access rule/Nat Rule and maybe advice / some other things i need to think of.
  Hope to hear from yall. Any advice is highly appriciated.
  Thanks in advance

  Hi,
  Well regarding the remote site I suppose if they are using hosts from ranges 10.0.1.0/24 and 10.0.2.0/24 they could simply NAT these portions of the network towards the L2L VPN connection. For example NAT them to subnets 192.168.101.0/24 and 192.168.102.0/24
  But you also seem to have a large subnet on your side since its 10.20.0.0/16. Because of this I would suggest narrowing it down to the hosts or smaller subnets like above with the remote site because simply NATing the whole subnet 10.20.0.0/16 to some other private range that is NOT from the 10.0.0.0/8 range would probably cause problems in the long run.
  Lets presume that on your side the network that needs to access the L2L VPN is 10.20.1.0/24 and we would NAT that to 192.168.201.0/24 then your NAT configuration could look like this
  object network DMZ-INTERNAL
    subnet 10.20.1.0 255.255.255.0
  object network DMZ-INTERNAL-NAT
   subnet 192.168.201.0 255.255.255.0
  object-group network REMOTE-NETWORKS
   network-object 192.168.101.0 255.255.255.0
   network-object 192.168.102.0 255.255.255.0
  nat (dmz,outside) 1 source static DMZ-INTERNAL DMZ-INTERNAL-NAT destination static REMOTE-NETWORKS REMOTE-NETWORKS
  In the above configuration we first create an "object" for both the actual internal DMZ subnet and the subnet that we will NAT it to. Then we create an "object-group" that will have inside it both of the remote NATed networks (NAT performed at the remote site).
  Finally the "nat" command itself will perform NAT between "dmz" and "outside" interface and it will NAT "DMZ-INTERNAL" to "DMZ-INTERNAL-NAT" when the destination is "REMOTE-NETWORKS". The NAT configuration is bidirectional so it naturally handles which ever directin the connection is attempted. The names of the objects are up to the user.
  The ACL that defines the local and remote networks for the L2L VPN should use the NAT subnets of each site.
  If you want to restrict the traffic from the remote site then this can be done in a couple of ways. At its default settings the ASA will allow ALL traffic from the remote site behind the L2L VPN connection.
  You can use the command "show run all sysopt" to list some configurations that will tell us how your ASA has been set to handle VPN related traffic. The command we are looking for is "sysopt connection permit-vpn". This is the default setting that allows all traffic from VPN connections. If you were to change this to "no sysopt connection permit-vpn" then you could simply use the interface ACL of the interface that terminates the L2L VPN connection on your side to select what traffic is allowed. You would allow traffic the same way as if you were allowing traffic from Internet to your servers.
  The problem with this setup is if you have other existing VPN connections (VPN Client and L2L VPN) because they would also require their traffic to be allowed in your external interfaces ACL if you changed the above mentioned global setting.
  The other option is to configure a VPN Filter ACL that you will then attach to a "group-policy". You will then attach that "group-policy" to the "tunnel-group" of the L2L VPN connection.
  The actual ACL used for the VPN Filter purpose is a norma ACL but you will always have to configure the remote network as the source in the ACL and this usually causes some confusion.
  - Jouni

• Site-to-site VPN with remote access

  Hello friends,
  Company has a few remote offices and goal is connect all in yhe VPN.
  I have one IPSec VPN tunnel between remote1 and central office.
  Tunnel status is active and everything is ok.
  Other remote offices access to central server over remote desktop public IP address.
  When I add this NAT command to central router configuration:
  ip nat inside source static 192.168.0.10 public_ip_address
  there is no ping in VPN tunnel!!!
  There is problem that at the same moment work station from VPN tunnel and work station of remote office (without VPN tunnel) cant access to central server.
  I have no idea...
  Here is the sh run config from central router>
  hostname ROUTER
  boot-start-marker
  boot-end-marker
  logging message-counter syslog
  enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXX
  no aaa new-model
  dot11 syslog
  ip source-route
  ip cef
  ip domain name XXXXXXXXXXXXXXXX.net
  multilink bundle-name authenticated
  username XXXXXXXXXXXXXX password 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXX
  archive
  log config
  hidekeys
  crypto isakmp policy 1
  encr cccc
  cccccccc
  authentication pre-share
  group 2
  crypto isakmp key XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX address AA.AA.AA.AA
  crypto ipsec transform-set TS XXXXXX XXXXXXXXX
  crypto map CMAP 10 ipsec-isakmp
  set peer AA.AA.AA.AA
  set transform-set TS
  match address VPN-TRAFFIC
  interface FastEthernet0/1
  description INTERNET
  ip address BB.BB.BB.BB 255.255.255.252
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  crypto map CMAP
  interface FastEthernet0/0/0
  interface FastEthernet0/0/1
  interface FastEthernet0/0/2
  interface FastEthernet0/0/3
  interface Vlan1
  description LAN_MREZA
  ip address 192.168.0.5 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 BB.BB.BB.BB
  no ip http server
  no ip http secure-server
  ip nat pool NAT_POOL CC.CC.CC.CC netmask 255.255.255.252
  ip nat inside source list 100 pool NAT_POOL overload
  ip nat inside source static 192.168.0.10 FF.Ff.FF.FF
  ip access-list extended VPN-TRAFFIC
  permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
  access-list 100 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
  access-list 100 permit ip 192.168.0.0 0.0.0.255 any
  control-plane
  line con 0
  password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  login
  line aux 0
  line vty 0 4
  login local
  transport input ssh
  scheduler allocate 20000 1000
  end

  Hi,
  Do you mean that you have
  A VPN Pool of 192.168.111.0/24
  You want it to be able to connect to networks behind a new L2L VPN
  If so, then I see no problem with it.
  You will naturally require NAT configurations and define the interesting traffic
  You will also need to make sure you have "same-security-traffic permit intra-interface" on the firewall with the VPN Client and L2L VPN configuration. This would enable the traffic to enter and leave the same interface which in this case is probably "outside" or something similiar
  - Jouni

• L2L VPN Issue - one subnet not reachable

  Hi Folks,
  I have a strange issue with a new VPN connection and would appreciate any help.
  I have a pair of Cisco asa 5540s configured as a failover pair (code version 8.2(5)).   
  I have recently added 2 new L2L VPNs - both these VPNs are sourced from the same interface on my ASA (called isp), and both are to the same customer, but they terminate on different firewalls on the cusomter end, and encrypt traffic from different customer subnets.    There's a basic network diagram attached.
  VPN 1 - is for traffic from the customer subnet 10.2.1.0/24.    Devices in this subnet should be able to access 2 subnets on my network - DMZ 211 (192.168.211.0./24) and DMZ 144 (192.168.144.0/24).    This VPN works correctly.
  VPN 2 - is for traffic from the customer subnet 192.168.1.0/24.    Devices in  this subnet should be able to access the same 2 subnets on my network - DMZ 211  (192.168.211.0./24) and DMZ 144 (192.168.144.0/24).    This VPN is not working correctly - the customer can access DMZ 144, but not DMZ 211.
  There are isakmp and ipsec SAs for both VPNs.    I've noticed that the packets encaps/decaps counter does not increment when the customer sends test traffic to DMZ 211.  This counter does increment when they send test traffic to DMZ144.   I can also see traffic sent to DMZ 144 from the customer subnet 192.168.1.0/24 in packet captures on the DMZ 144 interface of the ASA.   I cannot see similar traffic in captures on the DMZ211 interface (although I can see traffic sent to DMZ211 if it is sourced from 10.2.1.0/24 - ie when it uses VPN1)
  Nat exemption is configured for both 192.168.1.0/24 and 10.2.1.0/24.
  There is a route to both customer subnets via the same next hop.
  There is nothing in the logs toindicate that traffic from 192.168.1.0/24 is being dropped
  I suspect that this may be an issue on the customer end, but I'd like to be able to prove that.   Specifically, I would really like to be able to capture traffic destined to DMZ 211 on the isp interface of the firewall after it has been decrypted - I don't know if this can be done however, and I haven'treally found a good way to prove or disprove that VPN traffic from 192.168.1.0/24 to DMZ211 is arriving at the isp interface of my ASA, and to show what's happening to that traffic after it arrives.
  Here is the relevant vpn configuration:
  crypto map MY_CRYPTO_MAP 90 match address VPN_2
  crypto map MY_CRYPTO_MAP 90 set peer 217.154.147.221
  crypto map MY_CRYPTO_MAP 90 set transform-set 3dessha
  crypto map MY_CRYPTO_MAP 90 set security-association lifetime seconds 86400
  crypto map MY_CRYPTO_MAP 100 match address VPN_1
  crypto map MY_CRYPTO_MAP 100 set peer 193.108.169.48
  crypto map MY_CRYPTO_MAP 100 set transform-set 3dessha
  crypto map MY_CRYPTO_MAP 100 set security-association lifetime seconds 86400
  crypto map MY_CRYPTO_MAP interface isp
  ASA# sh access-list VPN_2
  access-list VPN_2; 6 elements; name hash: 0xa902d2f4
  access-list VPN_2 line 1 extended permit ip object-group VPN_2_NETS 192.168.1.0 255.255.255.0 0x56c7fb8f
    access-list VPN_2 line 1 extended permit ip 192.168.144.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=45) 0x93b6dc21
    access-list VPN_2 line 1 extended permit ip 192.168.211.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=6) 0x0abf7bb9
    access-list VPN_2 line 1 extended permit ip host 192.168.146.29 192.168.1.0 255.255.255.0 (hitcnt=8) 0xcc48a56e
  ASA# sh access-list VPN_1
  access-list VPN_1; 3 elements; name hash: 0x30168cce
  access-list VPN_1 line 1 extended permit ip 192.168.144.0 255.255.252.0 10.2.1.0 255.255.255.0 (hitcnt=6) 0x61759554
  access-list VPN_1 line 2 extended permit ip 192.168.211.0 255.255.255.0 10.2.1.0 255.255.255.0 (hitcnt=3) 0xa602c97c
  access-list VPN_1 line 3 extended permit ip host 192.168.146.29 10.2.1.0 255.255.255.0 (hitcnt=0) 0x7b9f32e3
  nat (dmz144) 0 access-list nonatdmz144
  nat (dmz211) 0 access-list nonatdmz211
  ASA# sh access-list nonatdmz144
  access-list nonatdmz144; 5 elements; name hash: 0xbf28538e
  access-list nonatdmz144 line 1 extended permit ip 192.168.144.0 255.255.255.0 192.168.0.0 255.255.0.0 (hitcnt=0) 0x20121683
  access-list nonatdmz144 line 2 extended permit ip 192.168.144.0 255.255.255.0 172.28.2.0 255.255.254.0 (hitcnt=0) 0xbc8ab4f1
  access-list nonatdmz144 line 3 extended permit ip 192.168.144.0 255.255.255.0 194.97.141.160 255.255.255.224 (hitcnt=0) 0xce869e1e
  access-list nonatdmz144 line 4 extended permit ip 192.168.144.0 255.255.255.0 172.30.0.0 255.255.240.0 (hitcnt=0) 0xd3ec5035
  access-list nonatdmz144 line 5 extended permit ip 192.168.144.0 255.255.255.0 10.2.1.0 255.255.255.0 (hitcnt=0) 0x4c9cc781
  ASA# sh access-list nonatdmz211 | in 192.168\.1\.
  access-list nonatdmz1 line 3 extended permit ip 192.168.211.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0) 0x2bbfcfdd
  ASA# sh access-list nonatdmz211 | in 10.2.1.
  access-list nonatdmz1 line 4 extended permit ip 192.168.211.0 255.255.255.0 10.2.1.0 255.255.255.0 (hitcnt=0) 0x8a836d91
  route isp 192.168.1.0 255.255.255.0 137.191.234.33 1
  route isp 10.2.1.0 255.255.255.0 137.191.234.33 1
  Thanks in advance to anyone who gets this far!

  Darragh
  Clearing the counters was a good idea. If the counter is not incrementing and if ping from the remote side is not causing the VPN to come up it certainly confirms that something is not working right.
  It might be interesting to wait till the SAs time out and go inactive and then test again with the ping from the remote subnet that is not working. Turn on debug for ISAKMP and see if there is any attempt to negotiate. Especially if you do not receive any attempt to initiate ISAKMP from then then that would be one way to show that there is a problem on the remote side.
  Certainly the ASA does have the ability to do packet capture. I have used that capability and it can be quite helpful. I have not tried to do a capture on the outside interface for incoming VPN traffic and so am not sure whether you would be capturing the encrypted packet or the de-encrypted packet. You can configure an access list to identify traffic to capture and I guess that you could write an access list that included both the peer addresses as source and destination to capture the encrypted traffic and entries that were the un-encrypted source and destination subnets to capture traffic after de-encryption.
  HTH
  Rick

• Palo Alto NetConect not working in Mountain Lion, anyone else having this issue?

  I use Palo Alto NetConnect to access a VPN and it always worked fine with Mac OS X 10.6 & 10.7. I updated to Mountain Lion almost immediately after release and the client no longer connects. Is there anyone who has encountered an issue and knows how to fix it? Its very important for my daily use and without it I'll have to downgrade back to Lion.
  -Chris

  Hi 2themax11
  Still no update from PA Networks - it is like they are in total denial that Mountain Lion exists!
  The Cisco app works but only just and is very slow, i think that may be more to do with us than the use of the app. Bear in mind we used to use the Cisco service and so it is not something I had to set up from scratch but it is not something our network team are happy about as this service was buried and was not supposed to be supported any more.
  I am also using a Cisco SSL webvpn for accessing our intranet etc. it is a quicker fix for a few things. Like you I am now using 2 laptops...one is an old Dell...it is horrible!

• Seeing duplicate hops for L2L VPN?

  With a site to site VPN is it normal to see the destination twice in the results of a traceroute?
  H:\>tracert -d 10.32.1.101
  Tracing route to 10.32.1.101 over a maximum of 30 hops
    1    <1 ms     1 ms     1 ms  10.170.2.2
    2     *       39 ms    40 ms  10.32.1.101
    3    38 ms    39 ms    40 ms  10.32.1.101
  Trace complete.
  H:\>tracert -d 10.32.1.101
  Tracing route to 10.32.1.101 over a maximum of 30 hops
    1     5 ms    17 ms     7 ms  10.170.2.2
    2    39 ms    38 ms    39 ms  10.32.1.101
    3    39 ms    38 ms    38 ms  10.32.1.101
  Trace complete.
  H:\>
  10.170.2.2 is the core, which then has a route that states to get to this network (10.32.1.101) go to my ASA firewall, which then crosses a L2L tunnel.

  With a site to site VPN is it normal to see the destination twice in the results of a traceroute?
  H:\>tracert -d 10.32.1.101
  Tracing route to 10.32.1.101 over a maximum of 30 hops
    1    <1 ms     1 ms     1 ms  10.170.2.2
    2     *       39 ms    40 ms  10.32.1.101
    3    38 ms    39 ms    40 ms  10.32.1.101
  Trace complete.
  H:\>tracert -d 10.32.1.101
  Tracing route to 10.32.1.101 over a maximum of 30 hops
    1     5 ms    17 ms     7 ms  10.170.2.2
    2    39 ms    38 ms    39 ms  10.32.1.101
    3    39 ms    38 ms    38 ms  10.32.1.101
  Trace complete.
  H:\>
  10.170.2.2 is the core, which then has a route that states to get to this network (10.32.1.101) go to my ASA firewall, which then crosses a L2L tunnel.

• 2811:connecting two ASA5505 l2l VPN's

  Hello,
  We have an HQ site with a 2811 (w/ADVSECURITYK9-M) acting as the firewall. We currently have 1 ASA5505 that has an established ipsec l2l VPN.
  I'm trying to connect a 2nd ASA, but I've noticed I can only add 1 cryptomap to the outside interface.
  A show ver shows 1 Virtual Private Network Module... Surely that doesn't mean only 1 VPN?
  Do I use one crypto map, and add a second 'set peer' & 'match address' inside the crypto map itself?
  Thanks,
  Jason

  Ok, I'm getting closer, but still failing. I was close enough that a VOIP phone registered with the phone system at some point, but not sure why it wont stay connected.
  The original, VPN1 is still connected though.
  I've varified the preshared keys on both ends match.
  Here's an error from the debug of the second ASA, VPN2
  Aug 24 10:49:45 [IKEv1]: Group = 64.X.X.X, IP = 64.X.X.X, QM FSM error (P2 struct &0x42436b0, mess id 0x374e49ed)!
  Aug 24 10:49:45 [IKEv1]: Group = 64.X.X.X, IP = 64.X.X.X, Removing peer from correlator table failed, no match!
  Aug 24 10:49:45 [IKEv1]: Group = 64.X.X.X, IP = 64.X.X.X, QM FSM error (P2 struct &0x42436b0, mess id 0x374e49ed)!
  Aug 24 10:49:45 [IKEv1]: Group = 64.X.X.X, IP = 64.X.X.X, Removing peer from correlator table failed, no match!
  As far as the ASA configs, everything is the exactly the same, except;
  NEW ASA VPN2 -both asa have object groups 1&2, containing other ip's of the HQ site. these ip's listed here are of VPN1's local lan.
  I imagine I will need to add VPN2's local ip to VPN1's config for objectgroup 1&2, but I don't think that is the reason this wont connect to HQ
  object-group network DM_INLINE_NETWORK_1
  network-object 192.168.26.0 255.255.255.0
  object-group network DM_INLINE_NETWORK_2
  network-object 192.168.26.0 255.255.255.0
  object-group network DM_INLINE_NETWORK_3
  network-object 192.168.27.0 255.255.255.0
  network-object 192.168.1.0 255.255.255.0
  Working ASA VPN1  - not sure exactly how the bolded line works
  no crypto isakmp nat-traversal
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  HQ 2811 -----------------------------------------------------------------------
  Hope I included enough of the router config. Again, VPN1 is working.
  crypto isakmp key VPN1PW address 99.x.x.x
  crypto isakmp key VPN2PW address 108.x.x.x
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec df-bit clear
  crypto map SDM_CMAP_1 1 ipsec-isakmp
  description Tunnel to 99.x.x.x VPN1
  set peer 99.x.x.x
  set transform-set ESP-AES-128-SHA
  match address 103
  crypto map SDM_CMAP_1 2 ipsec-isakmp
  description Tunnel to 108.x.x.x VPN2
  set peer 108.x.x.x
  set transform-set ESP-AES-128-SHA
  match address 105
  ****** This next section I dont recall typing in, but it refers to access group 105, but 105 was newly created for the new VPN2.  I didn't not find a corresponding command for access-group 103, which 105 is a copy of 103, except each one includes the others local lan too.
  class-map type inspect match-all sdm-nat-user-protocol--2-1
  match access-group 105
  match protocol user-protocol--2
  interface FastEthernet0/1
  description T1 to  Internet$FW_OUTSIDE$
  ip address 64.x.x.x 255.255.255.248
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  crypto map SDM_CMAP_1

• Site-to-Site VPN with Sophos Software-Based UTM

  I'm looking to build out a cloud environment with a vendor, and need a site-to-site VPN to be established between the vendor's environment and my environment. Since I am using a Cisco ASA 5510, they have suggested the use of the software-based Sophos UTM firewall on their end to establish the tunnel.
  Has anyone had any experience with configuring VPN tunnels between Sophos and Cisco firewalls? If so, what are your experiences? Any drawbacks or shortcomings?

  Go over these links, best way is to do them through cli, it is easier to understand the implementation flow.
  Pix to PIx Static Dynamic ( L2L Vpn)
  http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml
  Router to Router Ipsec Static and Dynamic
  http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093f86.shtml
  You may want to also hit this link for IPsec basics to understand the statndard and syntax in Ipsec implementation and what command does, it comes it handy when doing Ipsec through cli.
  http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094203.shtml