Novell Client / IPSec Tunnel

Similar Messages

• Machine authentication over Client IPSEC tunnel

  I am in the process of converting our existing remote access from Microsoft Threat Management Gateway to Cisco ASA.  Our security folks just made me aware that in addition to the Radius authentication against AD credentials that they also want me to do machine authentication to make sure that the machine name of the system trying to get remote access has a machinea account in AD.
  I have been looking for a way to do this with the IPSEC client but havent found anything as yet.  Would appreciate any links that show me how to get this done.  Moving to Anyconnect isnt an option at this point due to budgetary issues.  I am using the latest Cisco VPN client in the 5.x train and have 8.2.5 code running on my 5520.
  What I may be looking at might be NAC (Network Admission Control ?).  Looking for all suggestions at this point.
  Thanks,
  Ron

  I've used enrolled user X.509 USER certificates with Cisco VPN Client 4.x / 5.x into an ASA. They were issued by a partner's root CA and the connection was allowed on the basis of that root CA being trusted by the remote ASA.
  But yes, what you are asking about is more of a NAC, or the successor Identity Services Engine (ISE) product type of feature. In the case of ISE, it can do what you ask but requires a good bit of investment to get that and many many other features.
  I strongly suspect that some additional investment will be necessary to get what your security team is requesting. At the very least AnyConnect Premium licenses and use of the Network Access Manager (NAM) feature. See this reference.

• IPSec tunnel on sub-interface on ASA 5510

  Hello All,
  I working on a security solution using ASA firewall and need some technical advice on ASA. Is it possible to setup a IPSec tunnels  on each subinterface of a physical interface on ASA 5510?
  I would be greatul if someone please reply post this with some details.
  Regards,
  Muds

  Hi Jennifer,
  Thanks very much for your reply. I understand where you coming from, but the reason of using sub-interfaces is that, we have only one physical interface on the firewall connected to the MPLS cloud, and we need to setup a seperate IPSec tunnels for each client for security and integrity. In the current scenario, I have static peers and we can easily setup a static route to peer address.
  Many thanks for your assistance, please feel free to to advise if you have any other suggestion.
  Regards,
  Muds 

• Multiple site to site IPSec tunnels to one ASA5510

  Question on ASA VPN tunnels. I have one ASA 5510 in our corporate office, I have two subnets in our corporate office that are configured in the ASA in a Object group. I have a site to site IPSEC tunnel already up and that has been working. I am trying to set up another site to site IPSEC tunnel to a different location that will need to be setup to access the same two subnets. I'm not sure if this can be setup or not, I think I had a problem with setting up two tunnels that were trying to connect to the same subnet but that was between the same two ASA's. Anyways the new tunnel to a new site is not coming up and I want to make sure it is not the subnet issue. The current working tunnel is between two ASA 5510's, the new tunnel we are trying to build is between the ASA and a Sonicwall firewall. Any help would be appreciated.

  Hi,
  Regarding setting up the new L2L VPN connection..
  Should be no problem (to my understanding) to configure the new L2L VPN connection through the other ISP interface (0/3). You will need to atleast route the remote VPN peers IP address towards that link. The L2L VPN forming should add a route for the remote networks through that L2L VPN. If not reverse route injection should handle it in the cryptomap configurations.
  I guess rest of the setup depends on what will be using the 0/0 ISP and what will be using the 0/3 ISP.
  If you are going to put the default route towards the 0/3 ISP you will have to think of something for the 0/0 ISP if some of your local LAN devices are going to use it for Internet also. (Possible routing problems) On the other hand if you have remote VPN Client users using the 0/0 ISP there should be no routing problem for them as they would be initiating connection through that 0/0 ISP link through ASA so ASA should know where to forward the return traffic.
  Most of my 2 ISP setups have been implemented with a router in front of the actual ASA/PIX/FWSM firewalls where the router has performed Policy Routing based on the source IP address from the firewalls and then settings the correct gateway towards the correct ISP.
  - Jouni

• Help with Easy VPN client split tunneling.

  Can someone please help me with my config for Easy VPN Client split tunneling. At the moment when the VPN is up I have NO access to the Internet from any host.
  Here's what I am attempting to do. I want only certain host to route all there traffic thou the tunnel and the remaining host to use the default route.
  I created an object-group and access list with the hosts I want to route thou the VPN :-
  object-group network VNPCLIENTS
  description HOSTS ALLOWED ACCESS TO THE VPN
  host 192.168.3.204
  host 192.168.3.42
  host 192.168.3.44
  host 192.168.3.202
  host 192.168.3.43
  access-list 1 remark Internet access list
  access-list 1 permit 192.168.3.0 0.0.0.255
  access-list 101 remark Hosts allowed access to VPN
  access-list 101 permit ip object-group VNPCLIENTS any
  access-list 111 permit udp any any eq 3074
  access-list 111 permit tcp any any eq 3074
  access-list 111 permit udp any any eq 88
  I Then applied the access list to the Virtual interface of the VPN in both directions:-
  interface Virtual-Template1 type tunnel
  no ip address
  ip access-group 101 in
  ip access-group 101 out
  tunnel mode ipsec ipv4
  Now when I connect to the VPN I have no access from any host to the Internet either thought the tunnel or not.
  I must be doing something very wrong. Much appreciate any help.
  Thanks
  Gordon

  Can someone please help me with my config for Easy VPN Client split tunneling. At the moment when the VPN is up I have NO access to the Internet from any host.
  Here's what I am attempting to do. I want only certain host to route all there traffic thou the tunnel and the remaining host to use the default route.
  I created an object-group and access list with the hosts I want to route thou the VPN :-
  object-group network VNPCLIENTS
  description HOSTS ALLOWED ACCESS TO THE VPN
  host 192.168.3.204
  host 192.168.3.42
  host 192.168.3.44
  host 192.168.3.202
  host 192.168.3.43
  access-list 1 remark Internet access list
  access-list 1 permit 192.168.3.0 0.0.0.255
  access-list 101 remark Hosts allowed access to VPN
  access-list 101 permit ip object-group VNPCLIENTS any
  access-list 111 permit udp any any eq 3074
  access-list 111 permit tcp any any eq 3074
  access-list 111 permit udp any any eq 88
  I Then applied the access list to the Virtual interface of the VPN in both directions:-
  interface Virtual-Template1 type tunnel
  no ip address
  ip access-group 101 in
  ip access-group 101 out
  tunnel mode ipsec ipv4
  Now when I connect to the VPN I have no access from any host to the Internet either thought the tunnel or not.
  I must be doing something very wrong. Much appreciate any help.
  Thanks
  Gordon

• All the traffic go through IPsec tunnel(site to site ) ,but something seems not working correctly

  Hi, all,
    I have seen a good post in google.com about how to make all the client's traffic though IPsec tunnel then out to the Internet from the Main site,now I attach this configuration and application for discussion, and what the problem is that I am still confused with the configuration on Main site ,  I hope anyone who can tell me more detail and how to accomplish it. Any answer will be appreciated , thank you !
  Quote :
  Question ? :
  Mine is a very simple configuration.  I have 2 sites linked via an IPsec tunnel.  Dallas is my Main HQ R1 and Austin R2 is my remote office.  I want all traffic from Austin to route thru the tunnel up to Dallas, then out to the Internet.
  Dallas (Main) Lan Net is: 10.10.200.0/24
  Austin (Remote) LAN Net is: 10.20.2.0/24
  The Dallas (Main) site has a VPN config of:
  Local Net: 0.0.0.0/0
  Remote Net: 10.20.2.0/24
  The Austin (Remote) site has a VPN config of:
  10.20.2.0/24
  Remote Net: 0.0.0.0/0
  The tunnel gets established just fine.  From the Austin LAN clients, I can ping the router at the main site (10.10.200.1).  This is how I know the tunnel is created, but I cannot ping anything beyond the router from the Austin LAN, e.g. 8.8.8.8.
  I'm sure it's something simple I failed to configure.  Anyone have any pointers or hints?
  Answer:
  Thanks to Jimp from the other thread, I was able to see why it was not working.  To fix, I had to change the Outbound NAT on the main side to Manual.  Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0).  Basically, I just created a copy of the default rule and changed the Source network.
  Once I made this change, Voila!  Traffic from the remote side started heading out to the Internet.  Now all traffic flows thru the Main site.  It makes perfect sense why I needed to make this change, it just took a slap in the head from Jimp to point me in the right direction.
  My question ?
  The answer said "To fix, I had to change the Outbound NAT on the main side to Manual.  Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0).  Basically, I just created a copy of the default rule and changed the Source network." what this mean and
  how to do it , could anybody give me the specific configuration ? thanks a lot.

  Thank you for Jouni's reply,  following is the configuration on Cisco 2800 router ,no firewall enable, :
  crypto isakmp policy 100
  encr aes 256
  authentication pre-share
  group 2
  crypto isakmp key x.x.x address 0.0.0.0 0.0.0.0
  crypto isakmp keepalive 60
  crypto ipsec transform-set IPsectrans esp-3des esp-md5-hmac
  crypto dynamic-map IPsecdyn 100
  set transform-set IPsectrans
  match address 102
  crypto map IPsecmap 100 ipsec-isakmp dynamic IPsecdyn
  interface Loopback1
  ip address 10.10.200.1 255.255.255.0
  interface FastEthernet0/0
  ip address 113.113.1.1 255.255.255.128
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  crypto map IPsecmap
  interface FastEthernet0/1
  ip address 192.168.1.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  duplex auto
  speed auto
  ip route 0.0.0.0 0.0.0.0 113.113.1.2
  ip http server
  no ip http secure-server
  ip nat inside source list 100 interface FastEthernet0/0 overload
  access-list 100 permit ip 192.168.1.0 0.0.0.255 any
  access-list 102 permit ip any 10.20.2.0 0.0.0.255

• The tale of two IPSec Tunnels...

  I'm trying to set up an ipsec tunnel at a particular site, and I am just stumped at this point.  I have two sites I'm working with, a test site on my bench and the other actual site at another location.  Both are ASA 5510's, both are running ASA v8.2(5).  The test site has a 3560 off of it, and the production site has a 3750 stack off it.  I don't think that part should matter, though.
  I used the wizard to create the ipsec configuration on both devices, test and prod, and used the same naming on both to help compare.  The test site connects and I can ssh to the 3560 behind it just fine.  The production site, however, cannot connect to that 3750 or ping it to save my life.  I've poured through the configs on both, and although there are just a couple of differences, the two ASA's are pretty close in configs.
  At first I thought it was an acl issue, but I've filtered the logs by syslog id 106023 to watch for denys by access group.  When I try to connect to the 3750, I get absolutely no entry in the log that anything is being denied, so I figure that's not it.
  Then I thought it may be a routing issue.  The one difference between the two sites is that the test site is using eigrp to disperse routes between the asa and switch, while the production site is using static routes.  But I also didn't think that would've mattered, because on the static route switch I even put a static route in there to the vpn network which didn't make a difference.
  I've also run packet traces on the firewall when doing a ping, and on the test siteI see echo requests and replies.  Oon the production site I only see requests, no replies.  My encap counters don't increment during pings, but the decap counters do, which make sense.
  Other things to note:  The test site that works also has a site-to-site vpn up and runnning, so you'll see that in the config as well.  Client is Mac OS X 10.6.8, using the Cisco IPSec Config.
  I'm hoping someone can look at my configs and tell me if they see anything I'm missing on them that could help solve my problems.  I'd appreciate it!  Thanks
  Test Site that works
  Production Site that Doesn't
  testasa01-5510# sh run
  : Saved
  ASA Version 8.2(5)
  hostname testasa01-5510
  names
  interface Ethernet0/0
  nameif outside
  security-level 0
  ip address <outsideif> 255.255.255.240
  interface Ethernet0/1
  nameif inside
  security-level 100
  ip address 10.39.194.2 255.255.255.248
  interface Ethernet0/2
  shutdown
  no nameif
  no security-level
  no ip address
  interface Ethernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  nameif management
  security-level 100
  no ip address
  management-only
  boot system disk0:/asa825-k8.bin
  ftp mode passive
  clock timezone PST -8
  clock summer-time PDT recurring
  access-list inside_access_in extended permit ip 10.39.0.0 255.255.0.0 any log disable
  access-list RemoteAccess_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
  access-list inside_nat0_outbound extended permit ip 10.39.0.0 255.255.0.0 10.0.0.0 255.0.0.0
  access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 172.16.139.0 255.255.255.240
  access-list outside_cryptomap extended permit ip 10.39.0.0 255.255.0.0 10.0.0.0 255.0.0.0
  access-list remoteaccess extended permit ip 172.16.139.0 255.255.255.240 any log disable
  tcp-map WSOptions
    tcp-options range 24 31 allow
  pager lines 24
  logging enable
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  mtu management 1500
  ip local pool vpn_ip_pool 172.16.139.0-172.16.139.10 mask 255.255.255.0
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-713.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 100 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 100 10.39.0.0 255.255.0.0
  access-group inside_access_in in interface inside
  router eigrp 100
  network 10.0.0.0 255.0.0.0
  passive-interface default
  no passive-interface inside
  route outside 0.0.0.0 0.0.0.0 <outsideif> 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  http server enable
  http 10.0.0.0 255.0.0.0 management
  http 10.0.0.0 255.0.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map1 1 match address outside_cryptomap
  crypto map outside_map1 1 set pfs group1
  crypto map outside_map1 1 set peer 209.242.145.200
  crypto map outside_map1 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map1 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map1 interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication crack
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 20
  authentication rsa-sig
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 30
  authentication pre-share
  encryption aes-256
  hash sha    
  group 2
  lifetime 86400
  crypto isakmp policy 40
  authentication crack
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 50
  authentication rsa-sig
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 60
  authentication pre-share
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 70
  authentication crack
  encryption aes
  hash sha    
  group 2
  lifetime 86400
  crypto isakmp policy 80
  authentication rsa-sig
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 90
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 100
  authentication crack
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 110
  authentication rsa-sig
  encryption 3des
  hash sha    
  group 2
  lifetime 86400
  crypto isakmp policy 120
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 130
  authentication crack
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 150
  authentication pre-share
  encryption des
  hash sha    
  group 2
  lifetime 86400
  crypto isakmp policy 170
  authentication pre-share
  encryption 3des
  hash sha
  group 1
  lifetime 86400
  telnet timeout 5
  ssh 10.0.0.0 255.0.0.0 inside
  ssh 0.0.0.0 0.0.0.0 management
  ssh timeout 60
  console timeout 0
  management-access inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ntp server <server> source inside
  webvpn
  group-policy GroupPolicy1 internal
  group-policy GroupPolicy1 attributes
  vpn-tunnel-protocol IPSec
  group-policy RemoteAccess internal
  group-policy RemoteAccess attributes
  dns-server value 8.8.8.8
  vpn-filter value remoteaccess
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value RemoteAccess_splitTunnelAcl
  split-tunnel-all-dns disable
  vlan none
  tunnel-group RemoteAccess type remote-access
  tunnel-group RemoteAccess general-attributes
  address-pool vpn_ip_pool
  default-group-policy RemoteAccess
  tunnel-group RemoteAccess ipsec-attributes
  pre-shared-key *****
  tunnel-group 111.222.333.444 type ipsec-l2l
  tunnel-group 111.222.333.444
  general-attributes
  default-group-policy GroupPolicy1
  tunnel-group 111.222.333.444
  ipsec-attributes
  pre-shared-key *****
  class-map WSOptions-class
  match any
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
  class WSOptions-class
    set connection advanced-options WSOptions
  policy-map type inspect ip-options ip-options-map
  parameters
    eool action allow
    nop action allow
    router-alert action allow
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  : end
  mp01-5510asa# sh run
  : Saved
  ASA Version 8.2(5)
  hostname mp01-5510asa
  names
  interface Ethernet0/0
  nameif inside
  security-level 100
  ip address 10.29.194.2 255.255.255.252
  interface Ethernet0/1
  nameif dmz
  security-level 50
  ip address 172.16.29.1 255.255.255.0
  interface Ethernet0/2
  description
  nameif backup
  security-level 0
  ip address <backupif> 255.255.255.252
  interface Ethernet0/3
  description
  speed 100
  duplex full
  nameif outside
  security-level 0
  ip address <outsideif> 255.255.255.248
  interface Management0/0
  nameif management
  security-level 100
  ip address 10.29.199.11 255.255.255.0
  management-only
  banner login Authorized Use Only
  boot system disk0:/asa825-k8.bin
  ftp mode passive
  clock timezone PST -8
  clock summer-time PDT recurring
  object-group network DM_INLINE_NETWORK_1
  network-object 10.29.1.0 255.255.255.0
  network-object 10.29.15.0 255.255.255.0
  network-object 10.29.199.0 255.255.255.0
  network-object 10.29.200.0 255.255.255.0
  network-object 10.29.31.0 255.255.255.0
  access-list inside_access_in extended permit ip 10.29.0.0 255.255.0.0 any log warnings
  access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 any log warnings
  access-list inside_access_in extended permit ip 192.168.29.0 255.255.255.0 any log warnings
  access-list inside_access_in extended permit ip 10.29.32.0 255.255.255.0 any log warnings
  access-list outside_access_in extended permit ip any host 50.59.30.116 log warnings
  access-list RemoteAccess_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
  access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.254.29.0 255.255.255.0 log warnings
  access-list remoteaccess extended permit ip 10.254.29.0 255.255.255.0 any log warnings
  access-list RemoteAccess2_splitTunnelAcl standard permit 10.29.0.0 255.255.0.0
  pager lines 24
  logging enable
  logging list acl-messages message 106023
  logging buffered acl-messages
  logging asdm acl-messages
  mtu inside 1500
  mtu dmz 1500
  mtu backup 1500
  mtu outside 1500
  mtu management 1500
  ip local pool vpn_ip_pool3 10.254.29.0-10.254.29.10 mask 255.255.255.0
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-645.bin
  asdm history enable
  arp timeout 14400
  global (inside) 201 interface
  global (dmz) 101 interface
  global (backup) 101 interface
  global (outside) 101 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 101 10.29.1.0 255.255.255.0
  nat (inside) 101 10.29.15.0 255.255.255.0
  nat (inside) 101 10.29.31.0 255.255.255.0
  nat (inside) 101 10.29.32.0 255.255.255.0
  nat (inside) 101 10.29.199.0 255.255.255.0
  nat (inside) 101 10.29.200.0 255.255.255.0
  nat (inside) 101 192.168.29.0 255.255.255.0
  static (inside,outside) <outsideif> 10.29.15.10 netmask 255.255.255.255
  access-group inside_access_in in interface inside
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 50.59.30.113 1 track 1
  route backup 0.0.0.0 0.0.0.0 205.179.122.165 254
  route management 10.0.0.0 255.0.0.0 10.29.199.1 1
  route inside 10.29.0.0 255.255.0.0 10.29.194.1 1
  route inside 192.168.29.0 255.255.255.0 10.29.194.1 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  aaa authentication enable console LOCAL
  http server enable
  http 10.0.0.0 255.0.0.0 management
  http 10.0.0.0 255.0.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  sla monitor 100
  type echo protocol ipIcmpEcho 74.125.239.16 interface outside
  num-packets 3
  frequency 10
  sla monitor schedule 100 life forever start-time now
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  crypto isakmp policy 30
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  track 1 rtr 100 reachability
  telnet timeout 5
  ssh 10.0.0.0 255.0.0.0 inside
  ssh 10.0.0.0 255.0.0.0 management
  ssh timeout 60
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ntp server 10.200.1.41 source inside
  webvpn
  group-policy RemoteAccess internal
  group-policy RemoteAccess attributes
  dns-server value 8.8.8.8
  vpn-filter value remoteaccess
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value RemoteAccess_splitTunnelAcl
  split-tunnel-all-dns disable
  vlan none
  tunnel-group RemoteAccess type remote-access
  tunnel-group RemoteAccess general-attributes
  address-pool vpn_ip_pool3
  default-group-policy RemoteAccess
  tunnel-group RemoteAccess ipsec-attributes
  pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect icmp
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  testasa01-5510# sh crypto ipsec sa
  interface: outside
      Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: <outsideif>
        local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
        remote ident (addr/mask/prot/port): (172.16.139.1/255.255.255.255/0/0)
        current_peer: <peer ip>, username: blah
        dynamic allocated peer ip: 172.16.139.1
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 30, #pkts decrypt: 30, #pkts verify: 30
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: <outsideif>/4500, remote crypto endpt.: <peer ip>/37291
        path mtu 1500, ipsec overhead 82, media mtu 1500
        current outbound spi: 0A7F396F
        current inbound spi : E87AF806
      inbound esp sas:
        spi: 0xE87AF806 (3900372998)
           transform: esp-aes esp-sha-hmac no compression
           in use settings ={RA, Tunnel,  NAT-T-Encaps, }
           slot: 0, conn_id: 49152, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
           sa timing: remaining key lifetime (sec): 3587
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x7FFFFFFF
      outbound esp sas:
        spi: 0x0A7F396F (176109935)
           transform: esp-aes esp-sha-hmac no compression
           in use settings ={RA, Tunnel,  NAT-T-Encaps, }
           slot: 0, conn_id: 49152, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
           sa timing: remaining key lifetime (sec): 3587
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001
  mp01-5510asa# sh crypto ipsec sa
  interface: outside
      Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: <outsideif>
        local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
        remote ident (addr/mask/prot/port): (10.254.29.1/255.255.255.255/0/0)
        current_peer: <peer ip>, username: blah
        dynamic allocated peer ip: 10.254.29.1
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 51, #pkts decrypt: 51, #pkts verify: 51
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: <outsideif>/4500, remote crypto endpt.: <peer ip>/37291
        path mtu 1500, ipsec overhead 82, media mtu 1500
        current outbound spi: 096265D4
        current inbound spi : F5E4780C
      inbound esp sas:
        spi: 0xF5E4780C (4125390860)
           transform: esp-aes esp-sha-hmac no compression
           in use settings ={RA, Tunnel,  NAT-T-Encaps, }
           slot: 0, conn_id: 102400, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
           sa timing: remaining key lifetime (sec): 3576
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x001FFFFF 0xFFFFFFFF
      outbound esp sas:
        spi: 0x096265D4 (157443540)
           transform: esp-aes esp-sha-hmac no compression
           in use settings ={RA, Tunnel,  NAT-T-Encaps, }
           slot: 0, conn_id: 102400, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
           sa timing: remaining key lifetime (sec): 3576
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001

  Config (non working site) looks fine(unless I missed something:)) . You may want to add :
  access-list RemoteAccess_splitTunnelAcl standard permit 192.168.29.0 255.255.255.0
  Try by taking out vpnfilter :  vpn-filter value remoteaccess
  To further t-shoot, try using packet tracer from ASA to the client...
  https://supportforums.cisco.com/docs/DOC-5796
  Thx
  MS

• IPSEC tunnel with NAT and NetMeeting

  I have established an IPSEC tunnel with two Cisco 2621 routers. Clients over the Internet are able to dial into the MCU server, which is behind one of the Cisco 2621 routers configured with NAT but the MCU is not able to call the client. The MCU is able to call any server or client on the LAN however it is not able to call anyone passed the router configured with NAT. Could anyone who has experience with NAT and IPSEC help me out?
  Thanks,

  The following doc should help...
  http://www.cisco.com/warp/public/707/ipsecnat.html

• Can a Cisco 881 router create an L2TP/IPsec tunnel via NAT to Windows 2008?

  Hi
  Was anyone successfull in setting up an L2TP/IPsec tunnel through NAT-T against a Windows 2008/ R2 RRAS server? I am using an 881 router and the layout is someting like this:
  Client -> 881 -> NAT -> internet -> Windows 2008 RRAS
  The tunnel goes form the 881 to the Windows server (not from the client...).
  Thanks
  Roland

  Hi Federico
  Thanks for your help! Much appreciated.
  In my case this should be transparent to the client - I would like not to initiate the connection from the client.
  Does that makes sense? I am considering L2TP because Windows 2008 R2 doesn't support IPSec tunnels through NAT (2008 R2 being the responder and the Cisco router the initiator of the IPSec connection).
  Regards
  Roland

• NAT traffic over a IPSec tunnel (ISR)

  Hi.
  I's suppose to setup i IPSec tunnel between an 1811 and some sort of CheckPoint firewall. The IPSec part isen't that big of a deal, but the system manager on the "CheckPoint side" want the traffic though the tunnel should originate from a public IP-address, and only one source IP-address.
  So, Let say that my ISP have given me 10.10.1.1 - 10.10.1.5, our inside clients have an IP-address from the range 192.168.10.0/24, and the remote application in the "Checkpoint site" has the IP-address 172.16.1.10. The result of this should be:
  IPSec tunnel is created using the 10.10.1.1 IP-address.
  The traffic from the 192.168.1.0/24 clients should access the application at 172.16.1.10 using 10.10.1.2 as source address OVER the IPSec tunnel.
  Is this possible? I guess that it would mean that I have to NAT the traffic going though the IPSec tunnel, but I'm having trouble getting this to work. I have googled all day long looking for something similar.
  Anyone who could shed some light? Any insight appreciated.
  Sheers!
  /Johan Christensson

  Thanks jjohnston1127!
  Well, i guess that it would work, and I wasen't that far off, but got stuck in the "ip nat inside" rule when I where to specify either a pool och an interface. It diden't accur to me that a pool chould just consist of 1 IP-address.
  How ever, this raised a new problem. The "match address" access-list that I use in the crypto map for the IPSec configuration currently looks something like this:
  access-list 150 permit ip host 10.10.1.2 host 172.16.1.10
  If i change it to something like this, the tunnel negotiation get triggerd.
  access-list 150 permit ip 192.168.1.0 0.0.0.255 host 172.16.1.10
  How ever i assume that the negotiation failes because the tunnel configuration in my router has a different "local network" than the "remote network" at the Checkpoint site.
  Is this because that the NAT'ing dosen't get processed before the IPSec configuration?
  Can this behavior be changed?
  Best regards,
  Johan Christensson

• Ipsec tunnel across Avaya 4620 phone terminating to cisco vpn concentrator

  I have been asked to test out an avaya 4620 phone with the vpn remote client installed on it for our home users.
  Here is my problem. The phone connects fine to my concentrator and I have a successful ipsec tunnel built, however, the phone cannot route back to the corportate network. When I look at the tunnel stats, I see bytes received and none transferred. Also, for the ip address of the remote end, I see the ip address that was assigned to it from my local dsl router. My concentrator is supposed to forward dhcp requests on to my internal dhcp server, but this is not occurring. Has anyone seen this before or know where I should start here? any input will be greatly appreciated, thank you all for your time.

  Hello Andrew, I know this thread is a bit old, but I am in the process of trying to setup some 9630's to VPN into my Corp. HQ.  which is behind a 5510.  the problem I am having is with IKE Phase 2, I keep getting an IKE Phase 2 no Response on the phone and this is what Im getting in the ASA log.
  4|Feb 18 2010|09:05:04|113019|||||Group = test, Username = user, IP = 71.161.x.x, Session disconnected. Session Type: IKE, Duration: 0h:00m:01s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
  3|Feb 18 2010|09:05:04|713902|||||Group = test, Username = user, IP = 71.161.x.x, Removing peer from correlator table failed, no match!
  3|Feb 18 2010|09:05:04|713902|||||Group = test, Username = user, IP = 71.161.x.x, QM FSM error (P2 struct &0xcc259568, mess id 0x8b0aed6d)!
  5|Feb 18 2010|09:05:04|713904|||||Group = test, Username = user, IP = 71.161.x.x, All IPSec SA proposals found unacceptable!
  5|Feb 18 2010|09:05:04|713119|||||Group = test, Username = user, IP = 71.161.x.x, PHASE 1 COMPLETED
  6|Feb 18 2010|09:05:03|713228|||||Group = test, Username = user, IP = 71.161.x.x, Assigned private IP address 5.5.5.1 to remote user
  6|Feb 18 2010|09:05:03|713184|||||Group = test, Username = user, IP = 71.161.x.x, Client Type:   Client Application Version:
  5|Feb 18 2010|09:05:03|713130|||||Group = test, Username = user, IP = 71.161.x.x, Received unsupported transaction mode attribute: 6
  5|Feb 18 2010|09:05:03|713130|||||Group = test, Username = user, IP = 71.161x.x, Received unsupported transaction mode attribute: 5
  6|Feb 18 2010|09:05:03|734001|||||DAP: User user, Addr 71.161.x.x, Connection IPSec: The following DAP records were selected for this connection: DfltAccessPolicy
  and this is what I get when I debug cyrpto isakmp
  RESERVED != 0, PACKET MAY BE CORRUPTFeb 18 11:51:10 [IKEv1]: Group = test, Username = user, IP = 71.161.x.x, QM FSM error (P2 struct &0xcc4d4748, mess id 0x519ff252)!
  Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.212.49, IKE QM Responder FSM error history (struct &0xcc4d4748)  , :  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
  Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.x.x, sending delete/delete with reason message
  Feb 18 11:51:10 [IKEv1]: Group = test, Username = user, IP = 71.161.x.x, Removing peer from correlator table failed, no match!
  Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.x.x, IKE SA AM:18543029 rcv'd Terminate: state AM_ACTIVE  flags 0x00418041, refcnt 1, tuncnt 0
  Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.x.x, IKE SA AM:18543029 terminating:  flags 0x01418001, refcnt 0, tuncnt 0
  Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.x.x, sending delete/delete with reason message
  Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.x.x, constructing blank hash payload
  Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.x.x, constructing IKE delete payload
  Feb 18 11:51:10 [IKEv1 DEBUG]: Group = test, Username = user, IP = 71.161.x.x, constructing qm hash payload
  Feb 18 11:51:10 [IKEv1]: IP = 71.161.x.x, IKE_DECODE SENDING Message (msgid=2b900ae) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
  BEFORE ENCRYPTION
  ISAKMP Header
    Initiator COOKIE: 68 fb e0 7a 90 5c d7 10
    Responder COOKIE: 29 30 54 18 84 da aa d2
    Next Payload: Hash
    Version: 1.0
    Exchange Type: Informational
    Flags: (none)
    MessageID: AE00B902
    Length: 469762048
    Payload Hash
      Next Payload: Delete
      Reserved: 00
      Payload Length: 24
      Data:
        08 4b dc 3d 7c 2b 1b 99 c9 6d 6d 36 14 b9 d1 27
        47 e1 0d d6
    Payload Delete
      Next Payload: None
      Reserved: 00
      Payload Length: 28
      DOI: IPsec
      Protocol-ID: PROTO_ISAKMP
      Spi Size: 16
      # of SPIs: 1
      SPI (Hex dump):
        68 fb e0 7a 90 5c d7 10 29 30 54 18 84 da aa d2
  ISAKMP Header
    Initiator COOKIE: 68 fb e0 7a 90 5c d7 10
    Responder COOKIE: 29 30 54 18 84 da aa d2
    Next Payload: Hash
    Version: 1.0
    Exchange Type: Informational
    Flags: (Encryption)
    MessageID: 02B900AE
    Length: 84
  RESERVED != 0, PACKET MAY BE CORRUPTFeb 18 11:51:10 [IKEv1]: Ignoring msg to mark SA with dsID 1380352 dead because SA deleted
  if you could provide any help it would be greatly appreciated as I have been battling this for a few days now.
  thanks,
  Paul

• IPSec Tunnel (reform) examples

  Would it be possible to use Solaris 10u4 new IPSec tunnel (reform) feature to build Solaris VPN server, where I have a list of remote systems (each with different dynamic IP) and Solaris server which allows them to connect to internal network ?
  Thanks.

  This link ( http://docs.sun.com/app/docs/doc/816-4554/6maoq0228?a=view ) has an overview of how IPsec Tunnel Mode policy works with a VPN. You should examine these for more examples.
  A simple single-node remote access case would look like the following.
  Assume:
  C == client's external-network IP address
  S == server's external-network IP address
  c == client's internal IP address
  s == server's internal-network IP address
  On the server side:
  Configure (but do not enable) an IP-in-IP tunnel once you've assigned the client's IP address (assume there are no other tunnels for now...):
  ifconfig ip.tun0 plumb s c tsrc S tdst C
  Now add policy for that tunnel, enabling JUST the single internal IP address for the client to go through. Add this line via ipsecconf(1M), let's use AES and HMAC-SHA-1
  # When the "tunnel" keyword is present, inner-addresses are the selectors.
  {tunnel ip.tun0 negotiate tunnel raddr *c* } ipsec {encr_algs aes encr_auth_algs sha1}
  Then bring the tunnel up:
  ifconfig ip.tun0 up
  I assume you have IKE properly configured between S and C.
  On the client side, it's pretty much the same but with local/remote or src/dst reversed:
  ifconfig ip.tun0 plumb c s tsrc C tdst S
  then feed this into ipsecconf(1M):
  { tunnel ip.tun0 negotiate tunnel laddr *c* } ipsec {encr_algs aes encr_auth_algs sha1}
  and finally:
  ifconfig ip.tun0 up.
  The docs pointer shows office-to-office examples where you may wish to protect one or more subnets.
  Hope this helps,
  Dan
  Edited by: danmcd on Sep 18, 2007 2:27 PM

• SNMP per-ipsec tunnel bandwidth monitoring

  Whish oid can be used for monitoring bandwidth (bps, kbps...) per ipsec  tunnel, assuming there is now logical tunel interface configured?
  ios supports CISCO-IPSEC-FLOW-MONITOR-MIB, but cannot find oid in ftp://ftp.cisco.com/pub/mibs/oid/CISCO-IPSEC-FLOW-MONITOR-MIB.oid.
  Tnx!           

  Hi Spr,
  Check out VPNTTG (VPN Tunnel Traffic Grapher) is a software for SNMP monitoring and measuring the traffic load for IPsec  (Site-to-Site, Remote Access) and SSL (With Client, Clientless) VPN  tunnels on a Cisco ASA. It allows the user to see traffic load on a VPN  tunnel over time in graphical form.
  Advantage of VPNTTG over other SNMP based monitoring software's is  following: Other (commonly used) software's are working with static OID  numbers, i.e. whenever tunnel disconnects and reconnects, it gets  assigned a new OID number. This means that the historical data, gathered  on the connection, is lost each time. However, VPNTTG works with VPN  peer's IP address and it stores for each VPN tunnel historical  monitoring data into the Database.
  For more information about VPNTTG please visit www.vpnttg.com

• Cisco ASA 5505 Site to site VPN IPSEC tunnel to an Clavister Firewall

  Hi,
  I have weird problem with a Site to site VPN tunnel from a Cisco ASA 5505 to an Clavister Firewall.
  When I restart the Cisco ASA 5505 the tunnel is up and down,up, down, down, and I get all strange messages when I see if the tunnel is up or down with the syntax: show crypto isakmp sa
  After a while like 5-10 min the vpn site to site tunnel is up and here is the strange thing happening I have all accesslists and tunnel accesslists right I can only access one remote network (Main site Clavister Firewall) trought the vpn tunnel behind the Cisco ASA 5505, and I have 5 more remote networks that I want to access but only one remote network is working trought the vpn tunnel behind the Cisco ASA. I see that when I do this syntax in ASA: show crypto ipsec sa.
  They had a Clavister Firewall before on that site before and now they have a Cisco ASA 5505 and all the rules on the main site thats have the big Clavister Firewall is intact so the problems are in the Cisco ASA 5505.
  Here is some logs that ASDM give me about the tunnel issue, but like I said, the tunnel is up and only one remote network is reachable in that tunnel.....
  3
  Nov 21 2012
  07:11:09
  713902
  Group = 195.149.180.254, IP = 195.149.169.254, Removing peer from correlator table failed, no match!
  3
  Nov 21 2012
  07:11:09
  713902
  Group = 195.149.180.254, IP = 195.149.169.254, QM FSM error (P2 struct &0xc92462d0, mess id 0x1c6bf927)!
  3
  Nov 21 2012
  07:11:09
  713061
  Group = 195.149.180.254, IP = 195.149.169.254, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
  5
  Nov 21 2012
  07:11:09
  713119
  Group = 195.149.180.254, IP = 195.149.169.254, PHASE 1 COMPLETED
  Here is from the syntax: show crypto isakmp sa
  Result of the command: "show crypto isakmp sa"
     Active SA: 1
      Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
  Total IKE SA: 1
  1   IKE Peer: 195.149.180.254
      Type    : L2L             Role    : responder
      Rekey   : no              State   : MM_ACTIVE
  Result of the command: "show crypto ipsec sa"
  interface: outside
      Crypto map tag: CustomerCryptoMap, seq num: 10, local addr: 213.180.90.29
        access-list arvika_garnisonen permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
        local ident (addr/mask/prot/port): (172.22.65.0/255.255.255.0/0/0)
        remote ident (addr/mask/prot/port): (192.168.123.0/255.255.255.0/0/0)
        current_peer:195.149.180.254
        #pkts encaps: 2188, #pkts encrypt: 2188, #pkts digest: 2188
        #pkts decaps: 2082, #pkts decrypt: 2082, #pkts verify: 2082
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 2188, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: 213.180.67.29, remote crypto endpt.: 195.149.180.254
        path mtu 1500, ipsec overhead 74, media mtu 1500
        current outbound spi: E715B315
      inbound esp sas:
        spi: 0xFAC769EB (4207372779)
           transform: esp-aes-256 esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, PFS Group 5, }
           slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
           sa timing: remaining key lifetime (kB/sec): (38738/2061)
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap:
            0xFFFFFFFF 0xFFFFFFFF
      outbound esp sas:
        spi: 0xE715B315 (3876958997)
           transform: esp-aes-256 esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, PFS Group 5, }
           slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
           sa timing: remaining key lifetime (kB/sec): (38673/2061)
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001
  And here are my Accesslists and vpn site to site config:
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption aes-256
  hash sha
  group 5
  lifetime 84600
  crypto isakmp nat-traversal 40
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map CustomerCryptoMap 10 match address VPN_Tunnel
  crypto map CustomerCryptoMap 10 set pfs group5
  crypto map CustomerCryptoMap 10 set peer 195.149.180.254
  crypto map CustomerCryptoMap 10 set transform-set ESP-AES-256-SHA
  crypto map CustomerCryptoMap interface outside
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0 -------> This is the only remote network I can reach behind the Cisco ASA and the other remote networks dont work..
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
  nat (inside) 0 access-list nonat
  All these remote networks are at the Main Site Clavister Firewall.
  Best Regards
  Michael

  Hi,
  I'd start by getting the configuration of the remote site related to Local/Remote network configurations and go through them. Even though no changes have been made.
  If they are mirror images of eachother already I'd say its probably some problem related to Cisco/Clavister setup
  Seems especially wierd to me that one of the error messages includes 0.0.0.0 lines.
  I have run into some problems with L2L VPN configurations when our Cisco device just doesnt want to work with the remote end device. In some cases we have confirmed that our networks defined for the L2L VPN are exactly the same and yet when checking debugs on the ASA side we can see the remote end device using totally wrong network masks for the VPN negotiaton and therefore it failed. That problem we corrected with changing the network masks a bit.
  Maybe you could try to change the Encryption Domain configurations a bit and test it then.
  You could also maybe take some debugs on the Phase2 and see if you get anymore  hints as to what could be the problem when only one network is working for the L2L VPN.
  - Jouni

• Cisco ASA 5505 IPSec tunnel won't establish until remote site attempts to connect

  I have a site to site IPSec tunnel setup and operational but periodically the remote site goes down, because of a somewhat reliable internet connection. The only way to get the tunnel to re-establish is to go to the remote site and simply issue a ping from a workstation on the remote network. We were having this same issue with a Cisco PIX 506E but decided to upgrade the hardware and see if that resolve the issue. It ran for well over a year and our assumtions was that the issue was resolved. I was looking in the direction of the security-association lifetime but if we power cycle the unit, I would expect that it would kill the SA but even after power cycling, the VPN does not come up automatically.
  Any assistance would be appreciated.
  ASA Version 8.2(1)
  hostname KRPS-FW
  domain-name lottonline.org
  enable password uniQue
  passwd uniQue
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.20.30.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address xxx.xxx.xxx.xxx 255.255.255.248
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  description Inside Network on VLAN1
  interface Ethernet0/2
  shutdown
  interface Ethernet0/3
  shutdown
  interface Ethernet0/4
  shutdown
  interface Ethernet0/5
  shutdown
  interface Ethernet0/6
  shutdown
  interface Ethernet0/7
  description Inside Network on VLAN1
  ftp mode passive
  dns server-group DefaultDNS
  domain-name lottonline.org
  access-list NONAT extended permit ip 10.20.30.0 255.255.255.0 10.20.20.0 255.255.255.0
  access-list NONAT extended permit ip 10.20.30.0 255.255.255.0 192.168.0.0 255.255.255.0
  access-list NONAT extended permit ip 10.20.30.0 255.255.255.0 192.168.15.0 255.255.255.0
  access-list KWPS-BITP extended permit ip 10.20.30.0 255.255.255.0 10.20.20.0 255.255.255.0
  access-list KWPS-BITP extended permit ip 10.20.30.0 255.255.255.0 192.168.0.0 255.255.255.0
  access-list KWPS-BITP extended permit ip 10.20.30.0 255.255.255.0 192.168.15.0 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list NONAT
  nat (inside) 1 0.0.0.0 0.0.0.0
  access-group OUTSIDE_ACCESS_IN in interface outside
  route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 10.20.30.0 255.255.255.0 inside
  http 10.20.20.0 255.255.255.0 inside
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map DYNMAP 65535 set transform-set ESP-AES-256-SHA
  crypto map VPNMAP 1 match address KWPS-BITP
  crypto map VPNMAP 1 set peer xxx.xxx.xxx.001
  crypto map VPNMAP 1 set transform-set ESP-AES-256-SHA
  crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP
  crypto map VPNMAP interface outside
  crypto isakmp enable outside
  crypto isakmp policy 5
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 65535
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  ssh timeout 5
  console timeout 0
  management-access inside
  tunnel-group xxx.xxx.xxx.001 type ipsec-l2l
  tunnel-group xxx.xxx.xxx.001 ipsec-attributes
  pre-shared-key somekey

  Hi there,
  I had same issue with PIX 506E and it was not even a circuit issue and I got ride of it and problem got fixed with PIX515E
  I don't know, the device is too old to stay alive.
  thanks