Ping IP addresses thru VPN Tunnel
Is it possible to ping an address thru a VPN tunnel? I have a Panasonic system with IP phones located at the far end of a tunnel I cannot ping them or ping a computer at the far end uning the private address.
Did you check any firewalls that might be hindering your connection both in your network and the remote network? I saw a link that has worked with a gateway topology for Quick VPN. Try to look go to this link:
http://forums.linksysbycisco.com/linksys/board/message?board.id=Wireless_Routers&message.id=97196&qu...
If that still didn’t work, please elaborate the network topology of your network and remote network to further understand the cause of the problem.
Similar Messages
-
Cluster IP address thru L2L tunnel
I have 3 windows 2003 terminal servers setup for load balance using Windows Network Load Balance Manager. IP addresses 192.168.1.14, 192.168.1.15, 192.168.1.16 Cluster IP 192.168.1.40 multicast.
I have a remote site connected via site to site VPN tunnel using Cisco ASA5510 devices, subnet 192.168.100.1. On the local LAN(192.168.1.0) I can get connected to terminal servers using the cluster IP, at the remote site I can not. At the remote site I can connect to each TS using the actual IP address, I can ping the cluster IP address or the dns name and get a response. Can anybody think of any reason why I can not connect using the cluster IP address?
ThanksI have setup wireshark on my 192.168.1.0 subnet and setup a packet capture on the ASA5510. On the wireshark I see SYN packets coming in from my machine 192.168.100.102 to the cluster IP and I see SYN,ACK packets Src the cluster IP with the mac address of one of the terminal servers and the dst my IP address with the mac address of the ASA 5510. On the ASA5510 packet capture I only see the SYN packets from my machine coming in but no SYN,ACK packets going out. What happened to the SYN,ACK packets?
I did a packet capture when connecting to the actual IP address of the terminal server (Which Works) and compared the SYN,ACK packets from both and saw no difference. -
Cannot ping ip address through vpn
Hi All
Im having trouble pinging an IP address through my router to rouetr vpn tunnel, im matching traffic both sides and it seems setup properly, the user says they can access the pc they want but i cannot ping it. is there any debug commands I can use on the router to make sure the packet is matched and going through the tunnel?
cheers
CarlMostly the host that you are trying to ping have firewall that might be blocking incoming ping from different subnet.
OR/ its default gateway might not be routing to the correct router where you terminate the VPN tunnel -
7942s randomly lose connection to CUCM Thru VPN Tunnel
One of my remote branches has 7 7942s plugged into a 2960 POE and then to a 2901. The computer are connected to the telephone tandum.
1.All the phones dont drop at the same time (maybe 2 or 3 together)
2.The VPN Tunnel never drops when the phones lose the CUCM.(Computers are still online and able to see the network on other side of tunnel)
3.The computer that is connected to the dropped phone does not lose connectivity to the inside network or thru the vpn tunnel (whether in fallback mode or connected or in transit)
4. when a couple of phones are down, I can reach both CUCMs. (Publisher and Subscriber)
Any help would be appreciated.Hi Earl,
Try to do wire shark and see if you can capture anything.
Its looks like keep live message dropping some where before they reaching phones. Is there high utilization on site?
Check if any firewall filtering packets.
Phone reboots itself and tries to register again. Check interface if there is any watchdog timers error.
Please do rate if the given information helps
Thanks -
Exclude 1 host (IP Address) from VPN Tunnel
Hi Experts,
May I ask your help on this?
Current setup:
L2L VPN between site1 and site2
[site1]--------------------[internet]-------------------[site2]
10.0.100.0/24-----------------------------10.0.1.0/24
Planned setup:
L2L VPN between site1 and site2
[site1]--------------------[internet]-------------------[site2]
10.0.100.0/24-----------------------------10.0.1.0/24
with 1 host (10.0.100.50) excluded on the NAT Process for Site-to-site VPN thus NATting him directly to the internet.
Has someone done this before?
I'm planning to add 10.0.100.50 to be denied on the access-list from the VPN Traffic.
Dunno if that will work though.
Hope someone could give their thoughts on this.
Thank you.
Regards,
JemHi,
I would imagine that it would be the easiest to simply block this hosts traffic towards the remote site in the interface ACL of this hosts local firewall/vpn device rather than doing this with NAT.
I am not sure what software level you are running and what devices you are using.
If I dont remember wrong, I think you could use "deny" statements in the 8.2 (and below) software levels which would essentially ignore the NAT0 for some hosts while do it for others.
Something like
access-list INSIDE-NAT0 deny ip host 10.0.100.50 10.0.1.0 255.255.255.0
access-list INSIDE-NAT0 permit ip 10.0.100.0 255.255.255.0 10.0.1.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NAT0
The above is just an example.
I dont think this is even possible in the newer 8.3 (and above) software levels as they dont use ACLs for NAT rules anymore.
But again, if limiting access is your aim I would suggest using interface ACL
- Jouni -
VPN Tunnel setup - can't ping either endpoint
So I was given the task to set up a new VPN tunnel for a client and even though I've basically made it open, we still cannot ping each other's endpoints. I troubleshooted for over an hour with one of their techs, still to no avail. I included the config of this router. The tunnel can build out, completes phase 1 and 2, but still doesn't allow traffic or ability to connect to either endpoint. Please help.
Result of the command: "sh run"
: Saved
ASA Version 8.0(3)6
hostname RBPASA01
domain-name rbmc.org
enable password *removed* encrypted
passwd *removed* encrypted
names
name 10.20.10.0 OBD-DHCP-10.20.10.x description DHCP Scopes for VLAN20
name 10.20.11.0 OBD-DHCP-10.20.11.x description DHCP Scopes for VLAN20
name 10.20.12.0 OBD-DHCP-10.20.12.x description DHCP Scopes for VLAN20
name 10.10.14.0 PAD-DHCP-10.10.14.X description DHCP Scopes for VLAN10
name 128.127.0.0 Millennium-Remote
name 10.10.0.0 Pad-10.10-network
name 10.11.0.0 Pad-10.11-network
name 10.12.0.0 Pad-10.12-network
name 10.100.91.0 Pad-10.100-network
name 10.30.13.0 Millennium-nat
name 10.100.91.200 Maxsys-Server
name 65.171.123.34 Maxsys-Remote description Landacorp remote access
name 65.211.65.21 FTP-External-Address
name 172.31.0.15 FTP-Internal-Address description FTP Server in DMZ
name 10.100.91.201 RBPMAXYS02 description Landacorp Access
name 10.10.10.231 c05407
name 192.168.55.4 c05407Nat
name 192.168.55.3 c057017Nat
name 10.10.13.50 c05744
name 192.168.55.5 c05744Nat
name 151.198.253.253 VPN-External
name 10.13.102.30 NBI20610 description Viewpoint Server SBHCS
name 10.100.90.51 RBPASA01 description PRI ASA
name 10.100.90.52 RBPASA02 description SECASA
name 151.198.253.254 VPN02External
name 10.10.7.189 RBMHIS description AergoVPN(Local)
name 10.10.7.43 RBMHIS1 description AergoVPN(Local)
name 10.10.7.44 RBMHIS2 description AergoVPN(Local)
name 10.100.98.21 RBMS2 description AergoVPN(Local)
name 10.1.6.0 AergoVPN-Remote description AergoVPN-Remote
name 216.167.127.4 Lynx-PicisHost1 description Lynx Encryption Domain
name 216.167.127.30 Lynx-PicisHost10 description Lynx Encryption Domain
name 216.167.127.31 Lynx-PicisHost11 description Lynx Encryption Domain
name 216.167.127.32 Lynx-PicisHost12 description Lynx Encryption Domain
name 216.167.127.33 Lynx-PicisHost13 description Lynx Encryption Domain
name 216.167.127.34 Lynx-PicisHost14 description Lynx Encryption Domain
name 216.167.127.35 Lynx-PicisHost15 description Lynx Encryption Domain
name 216.167.127.5 Lynx-PicisHost2 description Lynx Encryption Domain
name 216.167.127.6 Lynx-PicisHost3 description Lynx Encryption Domain
name 216.167.127.7 Lynx-PicisHost4 description Lynx Encryption Domain
name 216.167.127.8 Lynx-PicisHost5 description Lynx Encryption Domain
name 216.167.127.9 Lynx-PicisHost6 description Lynx Encryption Domain
name 216.167.127.10 Lynx-PicisHost7 description Lynx Encryption Domain
name 216.167.127.28 Lynx-PicisHost8 description Lynx Encryption Domain
name 216.167.127.29 Lynx-PicisHost9 description Lynx Encryption Domain
name 216.167.119.208 Lynx-PicisNtwk description Lynx-PicisNtwk
name 10.10.7.152 OLSRV2RED description Picis-LynxLocal
name 10.100.91.14 RBPPICISTST description Lynx-PicisLocal
name 10.100.98.20 RBPAERGO1 description AERGO
name 10.50.1.141 PACSHost1 description GE PACS Local
name 10.50.1.149 PACSHost2 description GE PACS Local
name 10.50.1.151 PACSHost3 description GE PACS Local
name 10.50.1.38 PACSHost4 description GE PACS Local
name 10.50.1.39 PACSHost5 description GE PACS Local
name 10.50.1.41 PACSHost6 description GE PACS Local
name 10.50.1.42 PACSHost7 description GE PACS Local
name 10.50.1.43 PACSHost8 description GE PACS Local
name 10.50.1.64 PACSHost10 description GE PACS Local
name 10.50.1.67 PACSHost11 description GE PACS Local
name 10.50.1.68 PACSHost12 description GE PACS Local
name 10.50.1.69 PACSHost13 description GE PACS Local
name 10.50.1.44 PACSHost9 description GE PACS Local
name 10.50.1.70 PACSHost14 description GE PACS Local
name 10.50.1.71 PACSHost15 description GE PACS Local
name 10.50.1.72 PACSHost16 description GE PACS Local
name 10.50.1.73 PACSHost17 description GE PACS Local
name 10.50.1.74 PACSHost18 description GE PACS Local
name 10.50.1.75 PACSHost19 description GE PACS Local
name 10.50.1.76 PACSHost20 description GE PACS Local
name 10.50.1.77 PACSHost21 description GE PACS Local
name 10.50.1.91 PACSHost22 description GE PACS Local
name 10.50.1.92 PACSHost23 description GE PACS Local
name 10.60.1.42 PACSHost24 description GE PACS Local
name 10.60.1.43 PACSHost25 description GE PACS Local
name 10.60.1.44 PACSHost26 description GE PACS Local
name 10.60.1.45 PACSHost27 description GE PACS Local
name 10.60.1.46 PACSHost28 description GE PACS Local
name 10.60.1.47 PACSHost29 description GE PACS Local
name 10.60.1.48 PACSHost30 description GE PACS Local
name 10.60.1.49 PACSHost31 description GE PACS Local
name 10.60.1.51 PACSHost32 description GE PACS Local
name 10.60.1.52 PACSHost33 description GE PACS Local
name 10.60.1.53 PACSHost34 description GE PACS Local
name 10.60.1.80 PACSHost35 description GE PACS Local
name 10.50.1.30 PACSHost36 description GE PACS Local
name 10.50.1.200 PACSHost37 description GE PACS Local
name 10.50.1.137 PACSHost38 description GE PACS Local
name 10.50.1.203 PACSHost39 description GE PACS Local
name 10.50.1.206 PACSHost40 description GE PACS Local
name 10.50.1.209 PACSHost41 description GE PACS Local
name 10.60.1.215 PACSHost42 description GE PACS Local
name 10.60.1.23 PACSHost43 description GE PACS Local
name 10.60.1.21 PACSHost44 description GE PACS Local
name 10.50.1.36 PACSHost45 description GE PACS Local
name 10.50.1.34 PACSHost46 description GE PACS Local
name 10.50.1.10 PACSHost47 description GE PACS Local
name 150.2.0.0 GE_PACS_NET description GE PACS Remote
name 10.50.1.19 PACSHost49 description GE PACS Local
name 10.50.1.28 PACSHost50 description GE PACS Local
name 10.50.1.29 PACSHost51 description GE PACS Local
name 10.50.1.140 PACSHost52 description GE PACS Local
name 10.60.1.161 PACSHost53 description GE PACS Local
name 10.50.1.31 PACSHost54 description GE PACS Local
name 10.50.1.32 PACSHost55 description GE PACS Local
name 10.50.1.4 PACSHost56 description GE PACS Local
name 10.50.1.35 PACSHost57 description GE PACS Local
name 10.50.1.37 PACSHost58 description GE PACS Local
name 10.60.1.22 PACSHost59 description GE PACS Local
name 10.60.1.24 PACSHost60 description GE PACS Local
name 10.60.1.218 PACSHost61 description GE PACS Local
name 10.60.1.221 PACSHost62 description GE PACS Local
name 10.50.1.16 PACSHost63 description GE PACS Local
name 10.50.1.15 PACSHost64 description GE PACS Local
name 10.50.1.106 PACSHost65 description GE PACS Local
name 10.50.1.33 PACSHost66 description GE PACS Local
name 10.20.7.160 PACSHost67 description GE PACS Local
name 10.50.1.135 PACSHost68 description GE PACS Local
name 10.60.1.141 PACSHost69 description GE PACS Local
name 10.60.1.150 PACSHost70 description GE PACS Local
name 10.60.1.154 PACSHost71 description GE PACS Local
name 10.50.1.136 PACSHost72 description GE PACS Local
name 10.50.1.147 PACSHost73 description GE PACS Local
name 10.50.1.161 PACSHost74 description GE PACS Local
name 10.60.1.155 PACSHost75 description GE PACS Local
name 10.30.0.0 Throckmorton_Net1 description Internal
name 108.58.104.208 Throckmorton_Net2 description External
name 10.0.0.0 PAD_Internal description PAD INternal
name 172.16.100.16 LandaCorp_Remote description LandaCorp
name 192.168.55.6 C05817Nat description ViewPoint Computer
name 10.10.13.71 C05817 description ViewPoint Computer
name 10.50.1.189 RBMCCCG description GE PACS Local
name 10.50.1.21 RBMCDAS21 description GE PACS Local
name 10.50.1.22 RBMCDAS22 description GE PACS Local
name 10.50.1.23 RBMCDAS23 description GE PACS Local
name 10.50.1.24 RBMCDAS24 description GE PACS Local
name 10.50.1.248 RBMCNAS_BACKUP description GE PACS Local
name 10.50.1.243 RBMCNAS_STS description GE PACS Local
name 10.50.1.186 RBMCSPS description GE PACS Local
name 10.50.1.188 RBMCTESTCCG description GE PACS Local
name 10.50.1.252 RBMCTESTIMS description GE PACS Local
name 10.50.1.249 RBMICISU2 description GE PACS Local
name 10.50.1.191 RBMC1DAS32ILO description GE PACS Local
name 10.50.1.192 RBMC1DAS33ILO description GE PACS Local
name 10.50.1.193 RBMC1DAS34ILO description GE PACS Local
name 10.50.1.194 RBMC1DAS35ILO description GE PACS Local
name 10.50.1.195 RBMC1DAS36ILO description GE PACS Local
name 10.50.1.197 RBMC1DAS38ILO description GE PACS Local
name 10.50.1.190 RBMC1DPS106ILO description GE PACS Local
name 10.50.1.196 RBMCCWEBILO description GE PACS Local
name 10.50.1.17 RBMCEACA description GE PACS Local
name 10.50.1.247 RBMCNAS_BACKUPILO description GE PACS Local
name 10.50.1.254 RBMICISU2ILO description GE PACS Local
name 10.50.1.187 RBMC1DAS31_ILO description GE PACS Local
name 10.50.1.253 RBMCTESTDAS description GE PACS Local
name 12.145.95.0 LabCorp_Test_Remote description LabCorp VPN TEST
name 38.107.151.110 ClearSea_Server description DeafTalk External Server
name 10.100.90.15 DeafTalk1
name 10.10.10.155 Dennis
name 10.10.7.81 RBPMAM description SunQuest Lab Server
dns-guard
interface GigabitEthernet0/0
description External Interface
speed 1000
duplex full
nameif Verizon-ISP
security-level 0
ip address VPN-External 255.255.255.224 standby VPN02External
ospf cost 10
interface GigabitEthernet0/1
description LAN/STATE Failover Interface
interface GigabitEthernet0/2
description INTERNAL-NET
nameif Internal
security-level 100
ip address RBPASA01 255.255.255.0 standby RBPASA02
ospf cost 10
interface GigabitEthernet0/3
description DMZ Zone
nameif DMZ
security-level 10
ip address 172.31.0.51 255.255.255.0
interface Management0/0
shutdown
no nameif
no security-level
no ip address
time-range Vendor-Access
periodic Monday 9:00 to Friday 16:00
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Verizon-ISP
dns domain-lookup Internal
dns server-group DefaultDNS
name-server 10.100.91.5
name-server 10.10.7.149
domain-name rbmc.org
object-group service VPN_Tunnel tcp
description Ports used for Site to Site VPN Tunnel
port-object eq 10000
port-object eq 2746
port-object eq 4500
port-object eq 50
port-object eq 500
port-object eq 51
object-group network Millennium-Local-Network
description Pad networks that connect to millennium
network-object Pad-10.10-network 255.255.0.0
network-object Throckmorton_Net1 255.255.0.0
object-group icmp-type ICMP-Request-Group
icmp-object echo
icmp-object information-request
icmp-object mask-request
icmp-object timestamp-request
object-group service DM_INLINE_TCP_2 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq ssh
object-group network Viewpoint
description OB Viewpoint Clients
network-object host 10.10.10.220
network-object host c05407
network-object host c05744
network-object host 192.168.55.2
network-object host c057017Nat
network-object host c05407Nat
network-object host c05744Nat
network-object host C05817Nat
network-object host C05817
object-group service ConnectionPorts tcp-udp
port-object eq 3872
port-object eq 4890
port-object eq 4898
object-group service TCP tcp
port-object eq 3389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
group-object ConnectionPorts
port-object eq 3389
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object icmp
protocol-object tcp
object-group network AergoVPN-Local
description Aergo VPN Local HIS Servers
network-object host RBMHIS
network-object host RBMHIS1
network-object host RBMHIS2
network-object host RBMS2
network-object host RBPAERGO1
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object icmp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group network Lynx-PicisRemote
description Lynx-Picis Remote Encryption Domain
network-object Lynx-PicisNtwk 255.255.255.240
network-object host Lynx-PicisHost7
network-object host Lynx-PicisHost8
network-object host Lynx-PicisHost9
network-object host Lynx-PicisHost10
network-object host Lynx-PicisHost11
network-object host Lynx-PicisHost12
network-object host Lynx-PicisHost13
network-object host Lynx-PicisHost14
network-object host Lynx-PicisHost15
network-object host Lynx-PicisHost1
network-object host Lynx-PicisHost2
network-object host Lynx-PicisHost3
network-object host Lynx-PicisHost4
network-object host Lynx-PicisHost5
network-object host Lynx-PicisHost6
object-group network DM_INLINE_NETWORK_1
network-object host OLSRV2RED
network-object host RBPPICISTST
object-group network DM_INLINE_NETWORK_2
network-object host OLSRV2RED
network-object host RBPPICISTST
object-group protocol DM_INLINE_PROTOCOL_5
protocol-object icmp
protocol-object tcp
object-group network DM_INLINE_NETWORK_3
network-object host OLSRV2RED
network-object host RBPPICISTST
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object udp
service-object tcp
service-object tcp eq ftp
object-group protocol DM_INLINE_PROTOCOL_6
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_7
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_3 tcp
group-object ConnectionPorts
port-object eq 3389
object-group network GE_PACS_Local
description GE PACS Local Hosts
network-object host PACSHost67
network-object host PACSHost65
network-object host PACSHost47
network-object host PACSHost68
network-object host PACSHost72
network-object host PACSHost38
network-object host PACSHost52
network-object host PACSHost1
network-object host PACSHost73
network-object host PACSHost2
network-object host PACSHost3
network-object host PACSHost64
network-object host PACSHost74
network-object host PACSHost63
network-object host PACSHost49
network-object host PACSHost37
network-object host PACSHost39
network-object host PACSHost40
network-object host PACSHost41
network-object host PACSHost50
network-object host PACSHost51
network-object host PACSHost36
network-object host PACSHost54
network-object host PACSHost55
network-object host PACSHost66
network-object host PACSHost46
network-object host PACSHost57
network-object host PACSHost45
network-object host PACSHost58
network-object host PACSHost4
network-object host PACSHost5
network-object host PACSHost6
network-object host PACSHost7
network-object host PACSHost8
network-object host PACSHost9
network-object host PACSHost56
network-object host PACSHost10
network-object host PACSHost11
network-object host PACSHost12
network-object host PACSHost13
network-object host PACSHost14
network-object host PACSHost15
network-object host PACSHost16
network-object host PACSHost17
network-object host PACSHost18
network-object host PACSHost19
network-object host PACSHost20
network-object host PACSHost21
network-object host PACSHost22
network-object host PACSHost23
network-object host PACSHost69
network-object host PACSHost70
network-object host PACSHost71
network-object host PACSHost75
network-object host PACSHost53
network-object host PACSHost42
network-object host PACSHost61
network-object host PACSHost44
network-object host PACSHost62
network-object host PACSHost59
network-object host PACSHost43
network-object host PACSHost60
network-object host PACSHost24
network-object host PACSHost25
network-object host PACSHost26
network-object host PACSHost27
network-object host PACSHost28
network-object host PACSHost29
network-object host PACSHost30
network-object host PACSHost31
network-object host PACSHost32
network-object host PACSHost33
network-object host PACSHost34
network-object host PACSHost35
network-object host RBMCSPS
network-object host RBMCTESTCCG
network-object host RBMCCCG
network-object host RBMCDAS21
network-object host RBMCDAS22
network-object host RBMCDAS23
network-object host RBMCNAS_STS
network-object host RBMCNAS_BACKUP
network-object host RBMICISU2
network-object host RBMCDAS24
network-object host RBMCTESTIMS
network-object host RBMCEACA
network-object host RBMC1DAS31_ILO
network-object host RBMC1DPS106ILO
network-object host RBMC1DAS32ILO
network-object host RBMC1DAS33ILO
network-object host RBMC1DAS34ILO
network-object host RBMC1DAS35ILO
network-object host RBMC1DAS36ILO
network-object host RBMCCWEBILO
network-object host RBMC1DAS38ILO
network-object host RBMCNAS_BACKUPILO
network-object host RBMCTESTDAS
network-object host RBMICISU2ILO
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object udp
service-object tcp
service-object tcp eq ftp
object-group service DM_INLINE_SERVICE_3
service-object icmp
service-object udp
service-object tcp
service-object tcp eq ftp
object-group network DM_INLINE_NETWORK_4
network-object Throckmorton_Net1 255.255.0.0
network-object Throckmorton_Net2 255.255.255.248
object-group network DM_INLINE_NETWORK_5
network-object Throckmorton_Net1 255.255.0.0
network-object Throckmorton_Net2 255.255.255.248
object-group network DM_INLINE_NETWORK_6
network-object Throckmorton_Net1 255.255.0.0
network-object Throckmorton_Net2 255.255.255.248
object-group network DM_INLINE_NETWORK_7
network-object Throckmorton_Net1 255.255.0.0
network-object Throckmorton_Net2 255.255.255.248
object-group network DM_INLINE_NETWORK_8
network-object Throckmorton_Net1 255.255.0.0
network-object Throckmorton_Net2 255.255.255.248
object-group service DM_INLINE_SERVICE_4
service-object icmp
service-object udp
service-object tcp
service-object tcp eq ftp
object-group service DM_INLINE_SERVICE_5
service-object icmp
service-object udp
service-object tcp
service-object tcp eq ftp
object-group network DM_INLINE_NETWORK_9
network-object host RBMCEACA
group-object GE_PACS_Local
object-group protocol DM_INLINE_PROTOCOL_9
protocol-object ip
protocol-object icmp
object-group service ClearSea tcp-udp
description DeafTalk
port-object range 10000 19999
port-object eq 35060
object-group service ClearSeaUDP udp
description DeafTalk
port-object range 10000 19999
object-group service DM_INLINE_TCP_4 tcp
group-object ClearSea
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_11
network-object 0.0.0.0 0.0.0.0
network-object host DeafTalk1
object-group protocol DM_INLINE_PROTOCOL_10
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_11
protocol-object ip
protocol-object icmp
access-list RBMCVPNCL_splitTunnelAcl standard permit Pad-10.100-network 255.255.255.0
access-list Verizon-ISP_Internal extended permit tcp any host FTP-External-Address eq ftp
access-list dmz_internal extended permit tcp host FTP-Internal-Address any eq ftp
access-list Internal_access_in extended permit object-group DM_INLINE_PROTOCOL_4 object-group AergoVPN-Local AergoVPN-Remote 255.255.255.0
access-list Internal_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_3 object-group Lynx-PicisRemote
access-list Internal_access_in extended permit object-group DM_INLINE_PROTOCOL_6 object-group Viewpoint host NBI20610
access-list Internal_access_in extended permit object-group DM_INLINE_PROTOCOL_7 host RBPMAXYS02 host LandaCorp_Remote
access-list Internal_access_in extended permit tcp host RBPMAXYS02 host LandaCorp_Remote object-group DM_INLINE_TCP_3
access-list Internal_access_in extended permit object-group DM_INLINE_SERVICE_2 object-group GE_PACS_Local GE_PACS_NET 255.255.0.0
access-list Internal_access_in extended permit object-group DM_INLINE_SERVICE_4 Pad-10.10-network 255.255.0.0 object-group DM_INLINE_NETWORK_7
access-list Internal_access_in remark Permit to connect to DeafTalk Server
access-list Internal_access_in extended permit tcp object-group DM_INLINE_NETWORK_11 host ClearSea_Server object-group DM_INLINE_TCP_4
access-list Internal_access_in extended permit object-group DM_INLINE_PROTOCOL_10 any LabCorp_Test_Remote 255.255.255.0
access-list Verizon-ISP_cryptomap_1 extended permit object-group DM_INLINE_PROTOCOL_11 host RBPMAM LabCorp_Test_Remote 255.255.255.0
access-list Verizon-ISP_2_cryptomap extended permit tcp host Maxsys-Server host Maxsys-Remote object-group VPN_Tunnel
access-list Internal_nat0_outbound extended permit tcp Pad-10.100-network 255.255.255.0 host Maxsys-Remote object-group VPN_Tunnel
access-list DMZ_access_in extended permit ip Pad-10.10-network 255.255.0.0 172.31.0.0 255.255.255.0
access-list Verizon-ISP_access_in extended permit tcp any host FTP-External-Address object-group DM_INLINE_TCP_2
access-list Verizon-ISP_access_in extended permit tcp host LandaCorp_Remote host RBPMAXYS02 object-group DM_INLINE_TCP_1
access-list Verizon-ISP_access_in extended permit object-group DM_INLINE_PROTOCOL_1 host NBI20610 object-group Viewpoint
access-list Verizon-ISP_access_in extended permit object-group DM_INLINE_PROTOCOL_3 AergoVPN-Remote 255.255.255.0 object-group AergoVPN-Local
access-list Verizon-ISP_access_in extended permit object-group DM_INLINE_PROTOCOL_5 object-group Lynx-PicisRemote object-group DM_INLINE_NETWORK_2
access-list Verizon-ISP_access_in extended permit object-group DM_INLINE_PROTOCOL_2 host LandaCorp_Remote host RBPMAXYS02
access-list Verizon-ISP_access_in extended permit object-group DM_INLINE_SERVICE_3 GE_PACS_NET 255.255.0.0 object-group DM_INLINE_NETWORK_9
access-list Verizon-ISP_access_in extended permit object-group DM_INLINE_PROTOCOL_9 LabCorp_Test_Remote 255.255.255.0 any
access-list Verizon-ISP_access_in extended permit object-group DM_INLINE_SERVICE_5 object-group DM_INLINE_NETWORK_8 Pad-10.10-network 255.255.0.0
access-list Verizon-ISP_3_cryptomap extended permit ip host Maxsys-Server host Maxsys-Remote
access-list Internal_nat0_outbound_1 extended permit ip host RBPMAXYS02 host LandaCorp_Remote
access-list Internal_nat0_outbound_1 extended permit ip object-group AergoVPN-Local AergoVPN-Remote 255.255.255.0
access-list Internal_nat0_outbound_1 extended permit ip host OLSRV2RED object-group Lynx-PicisRemote
access-list Internal_nat0_outbound_1 extended permit ip object-group DM_INLINE_NETWORK_1 object-group Lynx-PicisRemote
access-list Internal_nat0_outbound_1 extended permit ip any 10.100.99.0 255.255.255.0
access-list Internal_nat0_outbound_1 extended permit ip object-group GE_PACS_Local GE_PACS_NET 255.255.0.0
access-list Internal_nat0_outbound_1 extended permit ip Pad-10.10-network 255.255.0.0 object-group DM_INLINE_NETWORK_4
access-list Internal_nat0_outbound_1 extended permit ip PAD_Internal 255.0.0.0 object-group DM_INLINE_NETWORK_5
access-list Internal_nat0_outbound_1 extended permit ip PAD_Internal 255.0.0.0 object-group DM_INLINE_NETWORK_6
access-list Internal_nat0_outbound_1 extended permit ip object-group Millennium-Local-Network Millennium-Remote 255.255.0.0
access-list Internal_nat0_outbound_1 extended deny ip any LabCorp_Test_Remote 255.255.255.0 inactive
access-list Verizon-ISP_5_cryptomap extended permit ip host RBPMAXYS02 host LandaCorp_Remote
access-list Verizon-ISP_6_cryptomap extended permit ip object-group Viewpoint host NBI20610
access-list Verizon-ISP_4_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object-group Lynx-PicisRemote
access-list Verizon-ISP_7_cryptomap extended permit ip object-group GE_PACS_Local GE_PACS_NET 255.255.0.0
access-list Verizon-ISP_8_cryptomap extended permit ip PAD_Internal 255.0.0.0 object-group DM_INLINE_NETWORK_5
access-list Verizon-ISP_9_cryptomap extended permit ip PAD_Internal 255.0.0.0 object-group DM_INLINE_NETWORK_6
access-list Verizon-ISP_cryptomap extended permit ip object-group AergoVPN-Local AergoVPN-Remote 255.255.255.0
pager lines 24
logging enable
logging buffer-size 32000
logging buffered debugging
logging asdm debugging
mtu Verizon-ISP 1500
mtu Internal 1500
mtu DMZ 1500
ip local pool CiscoClient-IPPool-192.168.55.x 192.168.45.1-192.168.45.25 mask 255.255.255.0
ip local pool VLAN99VPNUsers 10.100.99.6-10.100.99.255 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface Failover GigabitEthernet0/1
failover key *****
failover replication http
failover link Failover GigabitEthernet0/1
failover interface ip Failover 172.16.90.17 255.255.255.248 standby 172.16.90.18
icmp unreachable rate-limit 1 burst-size 1
icmp permit host 173.72.107.26 Verizon-ISP
icmp deny any Verizon-ISP
icmp permit host 192.168.10.2 Internal
icmp permit host 192.168.10.3 Internal
icmp permit host 192.168.10.4 Internal
icmp permit host 192.168.10.5 Internal
icmp permit host 10.10.10.96 Internal
icmp permit host 10.10.13.20 Internal
icmp permit host 10.10.12.162 Internal
icmp deny any Internal
icmp permit host Dennis Internal
asdm image disk0:/asdm-603.bin
asdm history enable
arp timeout 14400
global (Verizon-ISP) 1 65.211.65.6-65.211.65.29 netmask 255.255.255.224
global (Verizon-ISP) 101 interface
nat (Internal) 0 access-list Internal_nat0_outbound_1
nat (Internal) 101 0.0.0.0 0.0.0.0
static (Internal,DMZ) Pad-10.10-network Pad-10.10-network netmask 255.255.0.0
static (Verizon-ISP,DMZ) FTP-Internal-Address FTP-External-Address netmask 255.255.255.255
static (DMZ,Verizon-ISP) FTP-External-Address FTP-Internal-Address netmask 255.255.255.255
static (Internal,Verizon-ISP) c05407Nat c05407 netmask 255.255.255.255
static (Internal,Verizon-ISP) c057017Nat 10.10.10.220 netmask 255.255.255.255
static (Internal,Verizon-ISP) c05744Nat c05744 netmask 255.255.255.255
static (Verizon-ISP,Internal) Maxsys-Server VPN-External netmask 255.255.255.255
static (Internal,Verizon-ISP) C05817Nat C05817 netmask 255.255.255.255
access-group Verizon-ISP_access_in in interface Verizon-ISP
access-group Internal_access_in in interface Internal
access-group dmz_internal in interface DMZ
route Verizon-ISP 0.0.0.0 0.0.0.0 65.211.65.2 1
route Internal Pad-10.10-network 255.255.0.0 10.10.0.1 1
route Internal 10.20.0.0 255.255.0.0 10.10.0.1 1
route Internal Throckmorton_Net1 255.255.0.0 10.10.0.1 1
route Internal 10.50.0.0 255.255.0.0 10.10.0.1 1
route Internal 10.60.0.0 255.255.0.0 10.10.0.1 1
route Internal 10.70.0.0 255.255.0.0 10.10.0.1 1
route Internal 10.100.0.0 255.255.0.0 10.10.0.1 1
route Internal 64.46.192.0 255.255.255.0 10.10.0.1 1
route Internal 64.46.193.0 255.255.255.0 10.10.0.1 1
route Internal 64.46.194.0 255.255.255.0 10.10.0.1 1
route Internal 64.46.195.0 255.255.255.0 10.10.0.1 1
route Internal 64.46.196.0 255.255.255.0 10.10.0.1 1
route Internal 64.46.201.0 255.255.255.0 10.10.0.1 1
route Internal 64.46.246.0 255.255.255.0 10.10.0.1 1
route Verizon-ISP 65.51.206.130 255.255.255.255 65.211.65.2 255
route Verizon-ISP Millennium-Remote 255.255.0.0 65.211.65.2 1
route Internal Millennium-Remote 255.255.0.0 10.10.0.1 255
route Internal 172.31.1.0 255.255.255.0 10.10.0.1 1
route Internal 192.168.55.0 255.255.255.0 10.10.0.1 1
route Internal 195.21.26.0 255.255.255.0 10.10.0.1 1
route Internal 199.21.26.0 255.255.255.0 10.10.0.1 1
route Internal 199.21.27.0 255.255.255.0 10.10.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server RadiusServer protocol radius
aaa-server RadiusServer (Internal) host 10.10.7.240
timeout 5
key r8mcvpngr0up!
radius-common-pw r8mcvpngr0up!
aaa-server SafeNetOTP protocol radius
max-failed-attempts 1
aaa-server SafeNetOTP (Internal) host 10.100.91.13
key test
radius-common-pw test
aaa-server VPN-FW protocol radius
aaa-server VPN-FW (Internal) host 10.10.7.240
timeout 5
key r8mcvpngr0up!
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa local authentication attempts max-fail 16
http server enable
http Dennis 255.255.255.255 Internal
http 10.10.11.108 255.255.255.255 Internal
http 10.10.10.194 255.255.255.255 Internal
http 10.10.10.195 255.255.255.255 Internal
http 10.10.12.162 255.255.255.255 Internal
http 10.10.13.20 255.255.255.255 Internal
snmp-server location BRN2 Data Center
snmp-server contact Crystal Holmes
snmp-server community r8mc0rg
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps entity config-change
auth-prompt prompt Your credentials have been verified
auth-prompt accept Your credentials have been accepted
auth-prompt reject Your credentials have been rejected. Contact your system administrator
service resetoutside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Verizon-ISP_map 1 match address Verizon-ISP_cryptomap
crypto map Verizon-ISP_map 1 set peer 65.51.154.66
crypto map Verizon-ISP_map 1 set transform-set ESP-3DES-MD5
crypto map Verizon-ISP_map 2 match address Verizon-ISP_2_cryptomap
crypto map Verizon-ISP_map 2 set peer Maxsys-Remote
crypto map Verizon-ISP_map 2 set transform-set ESP-3DES-SHA
crypto map Verizon-ISP_map 2 set nat-t-disable
crypto map Verizon-ISP_map 3 match address Verizon-ISP_3_cryptomap
crypto map Verizon-ISP_map 3 set peer Maxsys-Remote
crypto map Verizon-ISP_map 3 set transform-set ESP-3DES-SHA
crypto map Verizon-ISP_map 3 set nat-t-disable
crypto map Verizon-ISP_map 4 match address Verizon-ISP_4_cryptomap
crypto map Verizon-ISP_map 4 set peer 198.65.114.68
crypto map Verizon-ISP_map 4 set transform-set ESP-AES-256-SHA
crypto map Verizon-ISP_map 4 set nat-t-disable
crypto map Verizon-ISP_map 5 match address Verizon-ISP_5_cryptomap
crypto map Verizon-ISP_map 5 set peer 12.195.130.2
crypto map Verizon-ISP_map 5 set transform-set ESP-3DES-SHA
crypto map Verizon-ISP_map 5 set nat-t-disable
crypto map Verizon-ISP_map 6 match address Verizon-ISP_6_cryptomap
crypto map Verizon-ISP_map 6 set peer 208.68.22.250
crypto map Verizon-ISP_map 6 set transform-set ESP-3DES-SHA
crypto map Verizon-ISP_map 6 set nat-t-disable
crypto map Verizon-ISP_map 7 match address Verizon-ISP_7_cryptomap
crypto map Verizon-ISP_map 7 set peer 208.51.30.227
crypto map Verizon-ISP_map 7 set transform-set ESP-3DES-MD5
crypto map Verizon-ISP_map 8 match address Verizon-ISP_8_cryptomap
crypto map Verizon-ISP_map 8 set peer Throckmorton_Net2
crypto map Verizon-ISP_map 8 set transform-set ESP-3DES-MD5
crypto map Verizon-ISP_map 9 match address Verizon-ISP_9_cryptomap
crypto map Verizon-ISP_map 9 set peer 108.58.104.210
crypto map Verizon-ISP_map 9 set transform-set ESP-3DES-MD5
crypto map Verizon-ISP_map 10 match address Verizon-ISP_cryptomap_1
crypto map Verizon-ISP_map 10 set peer 162.134.70.20
crypto map Verizon-ISP_map 10 set transform-set ESP-3DES-SHA
crypto map Verizon-ISP_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Verizon-ISP_map interface Verizon-ISP
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn vpn.rbmc.org
subject-name CN=vpn.rbmc.org
keypair sslvpnkeypair
no client-types
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 31
308201dc 30820145 a0030201 02020131 300d0609 2a864886 f70d0101 04050030
34311530 13060355 0403130c 76706e2e 72626d63 2e6f7267 311b3019 06092a86
4886f70d 01090216 0c76706e 2e72626d 632e6f72 67301e17 0d303830 38323030
34313134 345a170d 31383038 31383034 31313434 5a303431 15301306 03550403
130c7670 6e2e7262 6d632e6f 7267311b 30190609 2a864886 f70d0109 02160c76
706e2e72 626d632e 6f726730 819f300d 06092a86 4886f70d 01010105 0003818d
00308189 02818100 a1664806 3a378c37 a55b2cd7 86c1fb5a de884ec3 6d5652e3
953e9c01 37f4593c a6b61c31 80f87a51 c0ccfe65 e5ca3d33 216dea84 0eeeecf3
394505ea 231b0a5f 3c0b59d9 b7c9ba4e 1da130fc cf0159bf 537282e4 e34c2442
beffc258 a8d8edf9 59412e87 c5f819d0 2d233ecc 214cea8b 3a3922e5 2718ef6a
87c340a3 d3a0ae21 02030100 01300d06 092a8648 86f70d01 01040500 03818100
33902c9e 54dc8574 13084948 a21390a2 7000648a a9c7ad0b 3ffaeae6 c0fc4e6c
60b6a60a ac89c3da 869d103d af409a8a e2d43387 a4fa2278 5a105773 a8d6b5c3
c13a743c 8a42c34a e6859f6e 760a81c7 5116f42d b3d81b83 11fafae7 b541fad1
f9bc1cb0 5ed77033 6cab9c90 0a14a841 fc30d8e4 9c85c0e0 d2cca126 fd449e39
quit
crypto isakmp identity address
crypto isakmp enable Verizon-ISP
crypto isakmp enable Internal
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh 173.72.107.26 255.255.255.255 Verizon-ISP
ssh 10.10.12.162 255.255.255.255 Internal
ssh 10.100.91.53 255.255.255.255 Internal
ssh Dennis 255.255.255.255 Internal
ssh timeout 60
console timeout 2
management-access Internal
vpn load-balancing
interface lbpublic Verizon-ISP
interface lbprivate Internal
cluster key r8mcl0adbalanc3
cluster encryption
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
ntp server 207.5.137.133 source Verizon-ISP prefer
ntp server 10.100.91.5 source Internal prefer
ssl trust-point ASDM_TrustPoint0
ssl trust-point ASDM_TrustPoint0 Verizon-ISP
webvpn
enable Verizon-ISP
svc image disk0:/anyconnect-win-2.1.0148-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.1.0148-k9.pkg 2
svc image disk0:/anyconnect-linux-2.1.0148-k9.pkg 3
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
wins-server value 10.100.91.5
dns-server value 10.100.91.5
vpn-simultaneous-logins 1
vpn-idle-timeout 15
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
webvpn
svc ask none default webvpn
group-policy VPNUsers internal
group-policy VPNUsers attributes
dns-server value 10.100.91.6 10.100.91.5
vpn-tunnel-protocol IPSec
default-domain value RBMC
tunnel-group DefaultL2LGroup ipsec-attributes
peer-id-validate nocheck
tunnel-group 65.51.154.66 type ipsec-l2l
tunnel-group 65.51.154.66 ipsec-attributes
pre-shared-key *
tunnel-group 65.171.123.34 type ipsec-l2l
tunnel-group 65.171.123.34 ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
tunnel-group 12.195.130.2 type ipsec-l2l
tunnel-group 12.195.130.2 ipsec-attributes
pre-shared-key *
tunnel-group 208.68.22.250 type ipsec-l2l
tunnel-group 208.68.22.250 ipsec-attributes
pre-shared-key *
tunnel-group 198.65.114.68 type ipsec-l2l
tunnel-group 198.65.114.68 ipsec-attributes
pre-shared-key *
tunnel-group VPNUsers type remote-access
tunnel-group VPNUsers general-attributes
address-pool VLAN99VPNUsers
authentication-server-group VPN-FW
default-group-policy VPNUsers
tunnel-group VPNUsers ipsec-attributes
trust-point ASDM_TrustPoint0
tunnel-group 208.51.30.227 type ipsec-l2l
tunnel-group 208.51.30.227 ipsec-attributes
pre-shared-key *
tunnel-group 108.58.104.210 type ipsec-l2l
tunnel-group 108.58.104.210 ipsec-attributes
pre-shared-key *
tunnel-group 162.134.70.20 type ipsec-l2l
tunnel-group 162.134.70.20 ipsec-attributes
pre-shared-key *
tunnel-group-map default-group DefaultL2LGroup
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect sunrpc
service-policy global_policy global
prompt hostname context
Cryptochecksum:9d17ad8684073cb9f3707547e684007f
: end
Message was edited by: Dennis FarrellHi Dennis,
Your tunnel to "12.145.95.0 LabCorp_Test_Remote" segment can only be initiated from host: RBPMAM is due to your crytp-acl below.
access-list Verizon-ISP_cryptomap_1 extended permit object-group DM_INLINE_PROTOCOL_11 host RBPMAM LabCorp_Test_Remote 255.255.255.0
Secondly your no-nat on internal interface is denying the traffic that must enter into crytp engine, therefore your tunnel never going to come up.
Therefore please turn it to a "permit" instead.
access-list Internal_nat0_outbound_1 extended deny ip any LabCorp_Test_Remote 255.255.255.0 inactive
Please update,
thanks
Rizwan Rafeek
Message was edited by: Rizwan Mohamed -
Can i use same address pool for different remote access VPN tunnel groups and policy
Hi all,
i want to create a different remote access VPN profile in ASA. ihave one RA vpn already configured for some purpose.
can i use the same ip address pool used for the existing one for the new tunnel-group (to avoid add rotuing on internal devices for new pool) and its a temporary requirement)
thanks in advance
ShnailThanks Karsten..
but still i can have filtering right? iam planning to create a new group policy and tunnelgroup and use the existing pool for new RA and i have to do some filetring also. for the new RA i have to restrict access to a particualr server ,my existing RA have full access.
so iam planning to create new local usernames for the new RA and new group policy with vpn-filter value access-list to apply for that user as below, this will achive waht i need right??
access-list 15 extended permit tcp any host 192.168.205.134 eq 80
username test password password test
username test attributes
vpn-group-policy TEST
vpn-filter value 15
group-policy TEST internal
group-policy TEST attributes
dns-server value 192.168.200.16
vpn-filter value 15
vpn-tunnel-protocol IPSec
address-pools value existing-pool
tunnel-group RAVPN type ipsec-ra
tunnel-group RAVPN general-attributes
address-pool existing-pool
default-group-policy TEST
tunnel-group Payroll ipsec-attributes
pre-shared-key xxx -
Customer wants a public IP address for RDP after VPN Tunnel
I have a customer that wants to set up a VPN tunnel with me with a Public IP address and a Public address for the host. I am completely at a loss as to how to accomplish this. The customer states that it against his company policy to have a remote host to connect to that is not in the public address space. I have given him a public Peer address to connect to for the establishment of the VPN Tunnel. However he states that he needs the host to be in the public address space as well.
What is my customer asking for? Surely he does not want me to put RDP on a public address?The motive of your customer is not very clear. If the motive is to hide the remote (RDP) addressess then we can do it by natting (Static or Dynamic). We can allow the natted IP as interested traffic over the VPN tunnel. Because if we are getting the local IP into the public pool then it we don't need VPN tunnel. We can access it directly over internet too.
-
Cisco ASA 5505 L2L VPN Tunnel with one Dynamic IP
Hi Rizwan,
Thanks for your response. I updated the configuration per your response below... It still doesn't work. please see my new config files below. Please help. Thanks in advance for your help....
Hi Pinesh,
Please make follow changes on host: officeasa
remove this line below highlighted.
crypto dynamic-map L2LMap 1 match address Crypto_L2L
It is only because group1 is weak, so please change it to group2
crypto dynamic-map L2LMap 1 set pfs group1
route outside 10.10.6.0 255.255.255.0 96.xxx.xxx.117
Please make follow changes on host: homeasa
It is only because group1 is weak, so please change it to group2
crypto map L2Lmap 1 set pfs group1
route outside 10.10.5.0 255.255.255.0 xxx.xxx.xxx.xxx default gateway on homeasa.
Hope that helps, if not please open a new thread.
Thanks
Rizwan Rafeek
New config files..
Site-A: (Office):
Hostname: asaoffice
Inside: 10.10.5.0/254
Outside e0/0: Static IP 96.xxx.xxx.118/30
Site-B: (Home):
Hostname: asahome
Inside: 10.10.6.0/254
Outside e0/0: Dynamic IP (DG: 66.xxx.xxx.1)
SIte-A:
officeasa(config)# sh config
: Saved
: Written by enable_15 at 15:34:23.899 UTC Sat Mar 3 2012
ASA Version 8.2(5)
hostname officeasa
enable password xyz encrypted
passwd xyz encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 3
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
switchport access vlan 3
interface Ethernet0/4
switchport access vlan 3
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
switchport access vlan 3
interface Ethernet0/7
switchport access vlan 3
interface Vlan2
nameif outside
security-level 0
ip address 96.xxx.xxx.118 255.255.255.252
interface Vlan3
nameif inside
security-level 100
ip address 10.10.5.254 255.255.255.0
ftp mode passive
same-security-traffic permit inter-interface
access-list NONAT extended permit ip 10.10.5.0 255.255.255.0 192.168.100.0 255.2
access-list NONAT extended permit ip 10.10.5.0 255.255.255.0 10.10.6.0 255.255.2
access-list ormtST standard permit 10.10.5.0 255.255.255.0
access-list OCrypto_L2L extended permit ip 10.10.5.0 255.255.255.0 10.10.6.0 255
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool ormtIPP 192.168.100.100-192.168.100.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 96.xxx.xxx.117 1
route outside 10.10.6.0 255.255.255.0 96.xxx.xxx.117 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set OSite2Site esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map OL2LMap 1 set pfs
crypto dynamic-map OL2LMap 1 set transform-set OSite2Site
crypto dynamic-map OL2LMap 1 set reverse-route
crypto map out_L2lMap 65535 ipsec-isakmp dynamic OL2LMap
crypto map out_L2LMap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
client-update enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 10.10.5.101-10.10.5.132 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy ormtGP internal
group-policy ormtGP attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ormtST
address-pools value ormtIPP
webvpn
svc keep-installer installed
svc rekey time 30
svc rekey method ssl
svc ask enable default svc timeout 20
username user1 password abcxyz encrypted
username user1 attributes
service-type remote-access
tunnel-group ormtProfile type remote-access
tunnel-group ormtProfile general-attributes
default-group-policy ormtGP
tunnel-group ormtProfile webvpn-attributes
group-alias OFFICE enable
tunnel-group defaultL2LGroup type ipsec-l2l
tunnel-group defaultL2LGroup ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:46d5c2e1ac91d73293f2fb1a0045180c
officeasa(config)#
Site-B:
Home ASA Configuration:
homeasa# sh config
: Saved
: Written by enable_15 at 15:48:42.479 UTC Sat Mar 3 2012
ASA Version 8.2(5)
hostname homeasa
enable password xyz encrypted
passwd xyz encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 3
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
switchport access vlan 3
interface Ethernet0/4
switchport access vlan 3
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
switchport access vlan 3
interface Ethernet0/7
switchport access vlan 3
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan3
nameif inside
security-level 100
ip address 10.10.6.254 255.255.255.0
ftp mode passive
same-security-traffic permit inter-interface
access-list NONAT extended permit ip 10.10.6.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list NONAT extended permit ip 10.10.6.0 255.255.255.0 10.10.5.0 255.255.255.0
access-list hrmtST standard permit 10.10.6.0 255.255.255.0
access-list Crypto_L2L extended permit ip 10.10.6.0 255.255.255.0 10.10.5.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool hrmtIPP 192.168.101.100-192.168.101.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 10.10.5.0 255.255.255.0 66.xxx.xxx.1 1 (IP address of the Dynamic IP from ISP)
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.6.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set Site2Site esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map L2Lmap 1 match address Crypto_L2L
crypto map L2Lmap 1 set peer 96.xxx.xxx.118
crypto map L2Lmap 1 set transform-set Site2Site
crypto map L2LMap 1 set pfs
crypto map L2LMap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 10.10.6.101-10.10.6.132 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy hrmtGP internal
group-policy hrmtGP attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value hrmtST
address-pools value hrmtIPP
webvpn
svc keep-installer installed
svc rekey time 30
svc rekey method ssl
svc ask enable default svc timeout 20
username user1 password abcxyz encrypted
username user1 attributes
service-type admin
tunnel-group hrmtProfile type remote-access
tunnel-group hrmtProfile general-attributes
default-group-policy hrmtGP
tunnel-group hrmtProfile webvpn-attributes
group-alias hrmtCGA enable
tunnel-group 96.xxx.xxx.118 type ipsec-l2l
tunnel-group 96.xxx.xxx.118 ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d16a0d49f275612dff7e404f49bcc499
homeasa#Thanks Rizwan,
Still no luck. I can't even ping the otherside (office).. I am not sure if i'm running the debug rightway. Here are my results...
homeasa(config)# ping inside 10.10.5.254............. (Office CIsco ASA5505 IP on local side. I also tried pinging the server on other side (office) whic is @10.10.5.10 and got the same result)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.5.254, timeout is 2 seconds:
Success rate is 0
homeasa(config)# debug crypto isakmp 7
homeasa(config)# debug crypto ipsec 7
homeasa(config)# sho crypto isakmp 7
^
ERROR: % Invalid input detected at '^' marker.
homeasa(config)# sho crypto isakmp
There are no isakmp sas
Global IKE Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 0
In Packets: 0
In Drop Packets: 0
In Notifys: 0
In P2 Exchanges: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 0
Out Packets: 0
Out Drop Packets: 0
Out Notifys: 0
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0
Global IPSec over TCP Statistics
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0
hjnavasa(config)# sh crypto ipsec sa peer 96.xxx.xxx.118
There are no ipsec sas
homeasa(config)# -
Cisco ASA 5505 Site to Site VPN tunnel up, but not passing traffic
Thanks to a previous thread, I do have a 5505 up and running, and passing data....
https://supportforums.cisco.com/message/3900751
Now I am trying to get a IPSEC VPN tunnel working.
I actually have it up (IKE phase 1 & 2 both passed), but it is not sending/receiving data through the tunnel.
The networks concerned:
name 10.0.0.0 Eventual (HQ Site behind Firewall)
name 1.1.1.0 CFS (Public Network Gateway for Palo Alto Firewall - Firewall IP: 1.1.1.1)
name 2.2.2.0 T1 (Remote site - Outside interface of 5505: 2.2.2.2)
name 10.209.0.0 Local (Remote Network - internal interface of 5505: 10.209.0.3)
On a ping to the HQ network from behind the ASA, I get....
portmap translation creation failed for icmp src inside:10.209.0.9 dst inside:10.0.0.33 (type 8, code 0)
I am suspecting that there is a NAT error and/or a lack of a static route for the rest of the 10.0.0.0 traffic, and that I may have to exempt/route the traffic for the HQ network (10.0.0.0), but I haven't been able to get the correct entries to make it work.
Below is the config.
Can anyone see if there is something sticking out?
: Saved
ASA Version 8.2(5)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.0.0.0 Eventual
name 10.209.0.0 Local
name 2.2.2.0 T1
name 1.1.1.0 CFS
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 0
ip address 10.209.0.3 255.0.0.0
interface Vlan2
nameif outside
security-level 0
ip address 2.2.2.2 255.255.255.248
time-range Indefinite
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
network-object Eventual 255.0.0.0
network-object T1 255.255.255.248
network-object CFS 255.255.255.240
access-list outside_1_cryptomap extended permit ip Local 255.255.255.0 object-group DM_INLINE_NETWORK_1
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 67.139.113.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http Eventual 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 1 set phase1-mode aggressive
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 10.209.0.201-10.209.0.232 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy FTMGP internal
group-policy FTMGP attributes
vpn-idle-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
default-group-policy FTMGP
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:701d8da28ee256692a1e49d904e9cb04
: end
asdm location Eventual 255.0.0.0 inside
asdm location Local 255.255.255.0 inside
asdm location T1 255.255.255.248 inside
asdm location CFS 255.255.255.240 inside
asdm history enable
Thank You.I'm just re-engaging on the firewall this afternoon, but right now I'm getting request timed out on the pings....
Here's the output requested:
Result of the command: "show crypto isakmp sa"
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 1.1.1.1
Type : L2L Role : initiator
Rekey : no State : AM_ACTIVE
Result of the command: "show crypto ipsec sa"
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 2.2.2.2
access-list outside_1_cryptomap extended permit ip 10.209.0.0 255.255.255.0 10.0.0.0 255.0.0.0
local ident (addr/mask/prot/port): (Local/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (Eventual/255.0.0.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 84, #pkts encrypt: 84, #pkts digest: 84
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 84, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 8FC06BD1
current inbound spi : 42EC16F4
inbound esp sas:
spi: 0x42EC16F4 (1122768628)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 4096, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (62207/28464)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x8FC06BD1 (2411752401)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 4096, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (62201/28464)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Here's the current config:
: Saved
ASA Version 8.2(5)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.0.0.0 Eventual
name 10.209.0.0 Local
name 67.139.113.216 T1
name 1.1.1.0 IntegraCFS
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 0
ip address 10.209.0.3 255.0.0.0
interface Vlan2
nameif outside
security-level 0
ip address 2.2.2.2 255.255.255.248
time-range Indefinite
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
network-object Eventual 255.0.0.0
network-object T1 255.255.255.248
network-object IntegraCFS 255.255.255.240
access-list outside_1_cryptomap extended permit ip Local 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list No_NAT extended permit ip Local 255.255.255.0 Eventual 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list No_NAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 2.2.2.0 1
route outside Eventual 255.255.255.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http Eventual 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 1 set security-association lifetime kilobytes 65535
crypto map outside_map 1 set phase1-mode aggressive
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 10.209.0.201-10.209.0.232 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy FTMGP internal
group-policy FTMGP attributes
vpn-idle-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
default-group-policy FTMGP
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:301e573544ce0f89b3c597bdfe2c414a
: end
asdm location Eventual 255.0.0.0 inside
asdm location Local 255.255.255.0 inside
asdm location T1 255.255.255.248 inside
asdm location IntegraCFS 255.255.255.240 inside
asdm history enable -
How can I improve performance over a Branch Office IPsec vpn tunnel between and SA540 and an SA520
Hello,
I just deployed one Cisco SA540 and three SA520s.
The SA540 is at the Main Site.
The three SA520s are the the spoke sites.
Main Site:
Downstream Speed: 32 Mbps
Upstream Speed: 9.4 Mbps
Spoke Site#1:
Downstream Speed: 3.6 Mbps
Upstream Speed: 7.2 Mbps (yes, the US is faster than the DS at the time the speed test was taken).
The SA tunnels are "Established"
I see packets being tranmsitted and received.
Pinging across the tunnel has an average speed of 32 ms (which is good).
DNS resolves names to ip addresses flawlessly and quickly across the Inter-network.
But it takes from 10 to 15 minutes to log on to the domain from the Spoke Site#1 to the Main Site across the vpn tunnel.
It takes about 15 minutes to print across the vpn tunnel.
The remedy this, we have implemented Terminal Services across the Internet.
Printing takes about 1 minute over the Terminal Service Connection, while it takes about 15 minutes over the VPN.
Logging on to the network takes about 10 minutes over the vpn tunnel.
Using an LOB application takes about 2 minutes per transaction across the vpn tunnel; it takes seconds using Terminal Services.
I have used ASAs before in other implementation without any issues at all.
I am wondering if I replaced the SAs with ASAs, that they may fix my problem.
I wanted to go Small Business Pro, to take advantage of the promotions and because I am a Select Certified Partner, but from my experience, these SA vpn tunnels are unuseable.
I opened a case with Small Business Support on Friday evening, but they couldnt even figure out how to rename an IKE Policy Name (I figured out that you had to delete the IKE Policy; you cannot rename them once they are created).
Maybe the night weekend shift has a skeleton crew, and the best engineers are available at that time or something....i dont know.
I just know that my experience with the Cisco TAC has been great for the last 10 years.
My short experience with the Cisco Small Business Support Center has not been as great at all.
Bottom Line:
I am going to open another case with the Day Shift tomorrow and see if they can find a way to speed things up.
Now this is not just happening between the Main Site and Spoke Site #1 above. It is also happeninng between the Main Site and Spoke #2 (I think Spoke#2 has a Download Speed of about 3Mbps and and Upload Speed of about 0.5 Mbps.
Please help.
I would hate to dismiss SA5xx series without making sure it is not just a simple configuration setting.Hi Anthony,
I agree!. My partner wants to just replace the SA5xxs with ASAs, as we have never had problems with ASA vpn performance.
But I want to know WHY this is happening too.
I will definitely run a sniffer trace to see what is happening.
Here are some other things I have learned from the Cisco Small Business Support Center (except for Item 1 which I learned from you!)
1. Upgrade the SA540 at the Main Site to 2.1.45.
2a. For cable connections, use the standard MTU of 1500 bytes.
2.b For DSL, use the following command to determine the largets MTU that will be sent without packet fragmentation:
ping -f -l packetsize
Perform the items below to see if this increases performance:
I was told by the Cisco Small Business Support Center that setting up a Manual Policy is not recommended; I am not sure why they stated this.
3a. Lower the IKE encryption algorithm from "AES-128" to DES.
3b. Lower the IKE authentication algorithm to MD5
3c. Also do the above for the VPN Policy
Any input is welcome! -
Unable to access vpn box internal address after vpn
Hi all. My office network is protected by asa5510 firewall with vpn configured. When i vpn into my office network i could not access the firewall via the firewall's internal address using telnet etc even though i have already enable telnet. The firewall is my office network gateway. Below is my config. Pls advise. Thks in advance. Access to my office network is fine using vpn.
hostname firewall
domain-name default.domain.invalid
enable password xxx
names
dns-guard
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.1x.x 255.255.255.0
interface Ethernet0/1
nameif DMZ
security-level 50
ip address 192.168.2x.x 255.255.255.0
interface Ethernet0/2
nameif outside
security-level 0
ip address 8x.x.x.x 255.255.255.240
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
passwd xxx
ftp mode passive
same-security-traffic permit inter-interface
access-list inside_access_in extended permit ip 192.168.1x.0 255.255.255.0 any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended deny ip any any
access-list DMZ_access_in extended permit ip 192.168.2x.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip any 172.16.0.0 255.255.255.224
access-list split-tunnel standard permit 192.168.1x.0 255.255.255.0
pager lines 24
logging enable
logging asdm-buffer-size 500
logging asdm informational
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
mtu management 1500
ip local pool addpool 172.16.0.1-172.16.0.20 mask 255.255.0.0
no failover
monitor-interface inside
monitor-interface DMZ
monitor-interface outside
monitor-interface management
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 100 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 100 192.168.1x.0 255.255.255.0
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 8x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy vpn internal
group-policy vpn attributes
dns-server value 192.168.1x.x 192.168.1x.x
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
webvpn
username ciscoadm password xxx encrypted privilege 15
username ciscoadm attributes
vpn-group-policy vpn
webvpn
http server enable
http 192.168.1x.x 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 13800
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group vpn type ipsec-ra
tunnel-group vpn general-attributes
address-pool addpool
default-group-policy vpn
tunnel-group vpn ipsec-attributes
pre-shared-key *
telnet 192.168.1x.x 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0Hi all. Below is my configuration. After i enable "management-access inside" i could access my firewall internal ip via ping after establishing vpn connection but not others like telnet even though "telnet 0.0.0.0 0.0.0.0 inside" is enabled. Pls advise.
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.1x.254 255.255.255.0
interface Ethernet0/1
nameif DMZ
security-level 50
ip address 192.168.2x.254 255.255.255.0
interface Ethernet0/2
nameif outside
security-level 0
ip address 8x.xx.xx.xx 255.255.255.240
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
passwd xxx
ftp mode passive
same-security-traffic permit inter-interface
access-list inside_access_in extended permit ip 192.168.1x.0 255.255.255.0 any
access-list inside_access_in extended permit esp any any
access-list inside_access_in extended permit gre any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended deny ip any any
access-list DMZ_access_in extended permit ip 192.168.2x.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip any 172.16.0.0 255.255.0.0
access-list split-tunnel standard permit 192.168.1x.0 255.255.255.0
access-list prod standard permit host 192.168.1x.x
access-list prod standard deny any
pager lines 24
logging enable
logging asdm-buffer-size 500
logging asdm informational
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
mtu management 1500
ip local pool pool 172.16.0.1-172.16.0.20 mask 255.255.0.0
no failover
monitor-interface inside
monitor-interface DMZ
monitor-interface outside
monitor-interface management
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 100 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 100 192.168.1x.0 255.255.255.0
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 8x.xx.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy vpnuser internal
group-policy vpnuser attributes
dns-server value 192.168.1x.x 192.168.1x.x
split-tunnel-policy tunnelspecified
split-tunnel-network-list value prod
default-domain value mm.com
webvpn
username user password xxx encrypted privilege 15
username user attributes
vpn-group-policy vpnuser
webvpn
http server enable
http 192.168.1x.x 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 13800
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group vpnuser type ipsec-ra
tunnel-group vpnuser general-attributes
address-pool pool
default-group-policy vpnuser
tunnel-group vpnuser ipsec-attributes
pre-shared-key *
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd dns 8x.x.1x.x 8x.x.x.x
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management -
Cannot establish site-site vpn tunnel through ASA 9.1(2)
Hi,
We use ASA 9.1(2) to filter traffic in/out of our organisation. A dept within the organisation also have a firewall. They want to establish a site-site VPN tunnel with a remote firewall. We have allowed full access between the public address of the dept firewall and the remote firewall and full access between the remote firewall address and the dept firewall address . We do not use NAT.
The site-site VPN tunnel fails to establish.
The dept sysadmin has requested that we enable IPSec Passthrough. From my reading this will not make any difference as we allow full access between the firewalls in both directions. Is that correct?
Has anyone encountered issues with ASA 9.1(2) interfering with site-site tunnels?
Regards>The dept sysadmin has requested that we enable IPSec Passthrough. From my reading this will not make any difference as we allow full access between the firewalls in both directions. Is that correct?
Yes, in that case, no IPsec-pass-through is needed. All you need is (in both directions):
UDP/500
UDP/4500 (also if you don't use NAT, the remote gateway could be located behind a NAT gateway)
IP/50
for testing ICMP/Echo
If you allowed full IP-access between these two endpoints, it is more than enough.
When they start testing, do you see a connection on your ASA. There should be at least UDP/500 traffic.
Can the two gateways ping each other? -
VPN Tunnel w/ 802.1X port authentication against remote RADIUS server
I have a Cisco 892 setup as a VPN client connecting to an ASA 5515-X. The tunnel works fine and comes up if theirs correct traffic. I have two RADIUS servers I want to use certificate based authentication to, that are located behind the ASA 5515-X.
If I connect a computer that has the correct certificates to ports FA0 through 3, authentication won't work. I'll see the following. This happens even if the VPN tunnel is established already by doing something such as connecting a VOIP phone. No entrys are located in the RADIUS logs, and I also cannot ping the RADIUS servers from VLAN10.
*Jan 30 19:46:01.435: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.1.100:1812,1813 is not responding.
*Jan 30 19:46:01.435: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.1.100:1812,1813 is being marked alive.
*Jan 30 19:46:21.659: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.26.10:1812,1813 is not responding.
*Jan 30 19:46:21.659: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.26.10:1812,1813 is being marked alive.
If I connect a second PC to an interface with 802.1X disabled, such as FA6, the VPN tunnel will establish itself correctly. In this situation, I can ping the RADIUS servers from VLAN10. If I go ahead and connect another PC with correct certificates to a port with 802.1X enabled such as port FA0 through 3, then 802.1X will suceed.
Current configuration : 6199 bytes
! Last configuration change at 15:40:11 EST Mon Feb 3 2014 by
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname router1
boot-start-marker
boot-end-marker
aaa new-model
aaa local authentication default authorization default
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa session-id common
clock timezone EST -5 0
clock summer-time EDT recurring
ip cef
ip dhcp pool pool
import all
network 192.168.28.0 255.255.255.248
bootfile PXEboot.com
default-router 192.168.28.1
dns-server 192.168.26.10 192.168.1.100 8.8.8.8 4.2.2.2
domain-name domain.local
option 66 ip 192.168.23.10
option 67 ascii PXEboot.com
option 150 ip 192.168.23.10
lease 0 2
ip dhcp pool phonepool
network 192.168.28.128 255.255.255.248
default-router 192.168.28.129
dns-server 192.168.26.10 192.168.1.100
option 150 ip 192.168.1.132
domain-name domain.local
lease 0 2
ip dhcp pool guestpool
network 10.254.0.0 255.255.255.0
dns-server 8.8.8.8 4.2.2.2
domain-name local
default-router 10.254.0.1
lease 0 2
no ip domain lookup
ip domain name remote.domain.local
no ipv6 cef
multilink bundle-name authenticated
license udi pid CISCO892-K9
dot1x system-auth-control
username somebody privilege 15 password 0 password
redundancy
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
crypto isakmp key secretpassword address 123.123.123.123
crypto ipsec transform-set pix-set esp-aes 256 esp-sha-hmac
mode tunnel
crypto map pix 10 ipsec-isakmp
set peer 123.123.123.123
set transform-set pix-set
match address 110
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
interface FastEthernet0
switchport access vlan 10
switchport voice vlan 11
no ip address
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
interface FastEthernet1
switchport access vlan 10
switchport voice vlan 11
no ip address
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
interface FastEthernet2
switchport access vlan 10
switchport voice vlan 11
no ip address
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
interface FastEthernet3
switchport access vlan 10
switchport voice vlan 11
no ip address
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
interface FastEthernet4
switchport access vlan 10
switchport voice vlan 11
no ip address
spanning-tree portfast
interface FastEthernet5
switchport access vlan 12
switchport voice vlan 11
no ip address
spanning-tree portfast
interface FastEthernet6
switchport access vlan 10
switchport voice vlan 11
no ip address
spanning-tree portfast
interface FastEthernet7
switchport access vlan 10
switchport voice vlan 11
no ip address
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
interface FastEthernet8
no ip address
shutdown
duplex auto
speed auto
interface GigabitEthernet0
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map pix
interface Vlan1
no ip address
interface Vlan10
ip address 192.168.28.1 255.255.255.248
ip nat inside
ip virtual-reassembly in
interface Vlan11
ip address 192.168.28.129 255.255.255.248
interface Vlan12
ip address 10.254.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 101 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 dhcp
ip radius source-interface Vlan10
ip sla auto discovery
access-list 101 deny ip 192.168.28.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.28.0 0.0.0.255 any
access-list 101 permit ip 10.254.0.0 0.0.0.255 any
access-list 110 permit ip 192.168.28.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 110 permit ip 192.168.29.0 0.0.0.255 192.168.0.0 0.0.255.255
radius-server host 192.168.1.100 auth-port 1812 acct-port 1813 key secretkey
radius-server host 192.168.26.10 auth-port 1812 acct-port 1813 key secretkey
control-plane
mgcp profile default
line con 0
line aux 0
line vty 0 4
transport input all
ntp source FastEthernet0
ntp server 192.168.26.10
ntp server 192.168.1.100
endI have 802.1X certificate authentication enabled on the computers. As described in my post above, authentication will work if theirs another device on the same VLAN that is connected to a port that bypasses authentication. It seems like I have a chicken and egg scenario, a device needs to be sucessfully connected to VLAN10 before the router will use it's VLAN10 interface to communicate with my remote RADIUS server.
-
Site-2-Site IPSEC VPN tunnel will not come up.
Hello Experts,
Just wondering if I can get some help on setting up a IPSEC VPN tunnel between a Cisco 2921 and ASA 550x. Below is the config
show run | s crypto
crypto pki token default removal timeout 0
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
lifetime 28800
crypto isakmp key xxxxxxxxxxxxxxxxxxxxxx address A.A.A.A
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
mode transport
crypto map ICQ-2-ILAND 1 ipsec-isakmp
set peer A.A.A.A
set transform-set ESP-AES128-SHA
match address iland_london_s2s_vpn
crypto map ICQ-2-ILAND
The config on the remote end has not been shared with me, so I don't know if I am doing something wrong locally or if the remote end is wrongly configured.
The command Sh crypto isakmp sa displays the following
show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
A.A.A.A B.B.B.B MM_NO_STATE 1231 ACTIVE (deleted)
IPv6 Crypto ISAKMP SA
show crypto session
Crypto session current status
Interface: GigabitEthernet0/0
Session status: DOWN-NEGOTIATING
Peer: A.A.A.A port 500
IKEv1 SA: local B.B.B.B/500 remote A.A.A.A/500 Inactive
IKEv1 SA: local B.B.B.B/500 remote A.A.A.A/500 Inactive
IPSEC FLOW: permit ip 10.20.111.0/255.255.255.0 10.120.1.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 10.10.0.0/255.255.0.0 10.120.1.0/255.255.255.0
Active SAs: 0, origin: crypto map
The debug logs from the debug crypto isakmp command are listed below.
ISAKMP:(0): local preshared key found
Dec 6 08:51:52.019: ISAKMP : Scanning profiles for xauth ...
Dec 6 08:51:52.019: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
Dec 6 08:51:52.019: ISAKMP: encryption AES-CBC
Dec 6 08:51:52.019: ISAKMP: keylength of 128
Dec 6 08:51:52.019: ISAKMP: hash SHA
Dec 6 08:51:52.019: ISAKMP: default group 2
Dec 6 08:51:52.019: ISAKMP: auth pre-share
Dec 6 08:51:52.019: ISAKMP: life type in seconds
Dec 6 08:51:52.019: ISAKMP: life duration (basic) of 28800
Dec 6 08:51:52.019: ISAKMP:(0):atts are acceptable. Next payload is 0
Dec 6 08:51:52.019: ISAKMP:(0):Acceptable atts:actual life: 0
Dec 6 08:51:52.019: ISAKMP:(0):Acceptable atts:life: 0
Dec 6 08:51:52.019: ISAKMP:(0):Basic life_in_seconds:28800
Dec 6 08:51:52.019: ISAKMP:(0):Returning Actual lifetime: 28800
Dec 6 08:51:52.019: ISAKMP:(0)::Started lifetime timer: 28800.
Dec 6 08:51:52.019: ISAKMP:(0): processing vendor id payload
Dec 6 08:51:52.019: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Dec 6 08:51:52.019: ISAKMP:(0): vendor ID is NAT-T v2
Dec 6 08:51:52.019: ISAKMP:(0): processing vendor id payload
Dec 6 08:51:52.019: ISAKMP:(0): processing IKE frag vendor id payload
Dec 6 08:51:52.019: ISAKMP:(0):Support for IKE Fragmentation not enabled
Dec 6 08:51:52.019: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Dec 6 08:51:52.019: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
Dec 6 08:51:52.019: ISAKMP:(0): sending packet to A.A.A.A my_port 500 peer_port 500 (I) MM_SA_SETUP
Dec 6 08:51:52.019: ISAKMP:(0):Sending an IKE IPv4 Packet.
Dec 6 08:51:52.019: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Dec 6 08:51:52.019: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
Dec 6 08:51:52.155: ISAKMP (0): received packet from A.A.A.A dport 500 sport 500 Global (I) MM_SA_SETUP
Dec 6 08:51:52.155: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Dec 6 08:51:52.155: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Dec 6 08:51:52.155: ISAKMP:(0): processing KE payload. message ID = 0
Dec 6 08:51:52.175: ISAKMP:(0): processing NONCE payload. message ID = 0
Dec 6 08:51:52.175: ISAKMP:(0):found peer pre-shared key matching A.A.A.A
Dec 6 08:51:52.175: ISAKMP:(1227): processing vendor id payload
Dec 6 08:51:52.175: ISAKMP:(1227): vendor ID is Unity
Dec 6 08:51:52.175: ISAKMP:(1227): processing vendor id payload
Dec 6 08:51:52.175: ISAKMP:(1227): vendor ID seems Unity/DPD but major 92 mismatch
Dec 6 08:51:52.175: ISAKMP:(1227): vendor ID is XAUTH
Dec 6 08:51:52.175: ISAKMP:(1227): processing vendor id payload
Dec 6 08:51:52.175: ISAKMP:(1227): speaking to another IOS box!
Dec 6 08:51:52.175: ISAKMP:(1227): processing vendor id payload
Dec 6 08:51:52.175: ISAKMP:(1227):vendor ID seems Unity/DPD but hash mismatch
Dec 6 08:51:52.175: ISAKMP:received payload type 20
Dec 6 08:51:52.175: ISAKMP (1227): His hash no match - this node outside NAT
Dec 6 08:51:52.175: ISAKMP:received payload type 20
Dec 6 08:51:52.175: ISAKMP (1227): No NAT Found for self or peer
Dec 6 08:51:52.175: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Dec 6 08:51:52.179: ISAKMP:(1227):Old State = IKE_I_MM4 New State = IKE_I_MM4
Dec 6 08:51:52.179: ISAKMP:(1227):Send initial contact
Dec 6 08:51:52.179: ISAKMP:(1227):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Dec 6 08:51:52.179: ISAKMP (1227): ID payload
next-payload : 8
type : 1
address : B.B.B.B
protocol : 17
port : 500
length : 12
Dec 6 08:51:52.179: ISAKMP:(1227):Total payload length: 12
Dec 6 08:51:52.179: ISAKMP:(1227): sending packet to A.A.A.A my_port 500 peer_port 500 (I) MM_KEY_EXCH
Dec 6 08:51:52.179: ISAKMP:(1227):Sending an IKE IPv4 Packet.
Dec 6 08:51:52.179: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Dec 6 08:51:52.179: ISAKMP:(1227):Old State = IKE_I_MM4 New State = IKE_I_MM5
Dec 6 08:51:52.315: ISAKMP (1227): received packet from A.A.A.A dport 500 sport 500 Global (I) MM_KEY_EXCH
Dec 6 08:51:52.315: ISAKMP:(1227): processing ID payload. message ID = 0
Dec 6 08:51:52.315: ISAKMP (1227): ID payload
next-payload : 8
type : 1
address : A.A.A.A
protocol : 17
port : 0
length : 12
Dec 6 08:51:52.315: ISAKMP:(0):: peer matches *none* of the profiles
Dec 6 08:51:52.315: ISAKMP:(1227): processing HASH payload. message ID = 0
Dec 6 08:51:52.315: ISAKMP:received payload type 17
Dec 6 08:51:52.315: ISAKMP:(1227): processing vendor id payload
Dec 6 08:51:52.315: ISAKMP:(1227): vendor ID is DPD
Dec 6 08:51:52.315: ISAKMP:(1227):SA authentication status:
authenticated
Dec 6 08:51:52.315: ISAKMP:(1227):SA has been authenticated with A.A.A.A
Dec 6 08:51:52.315: ISAKMP: Trying to insert a peer B.B.B.B/A.A.A.A/500/, and inserted successfully 2B79E8BC.
Dec 6 08:51:52.315: ISAKMP:(1227):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Dec 6 08:51:52.315: ISAKMP:(1227):Old State = IKE_I_MM5 New State = IKE_I_MM6
Dec 6 08:51:52.315: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Dec 6 08:51:52.315: ISAKMP:(1227):Old State = IKE_I_MM6 New State = IKE_I_MM6
Dec 6 08:51:52.315: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Dec 6 08:51:52.315: ISAKMP:(1227):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Dec 6 08:51:52.315: ISAKMP:(1227):beginning Quick Mode exchange, M-ID of 1511581970
Dec 6 08:51:52.315: ISAKMP:(1227):QM Initiator gets spi
Dec 6 08:51:52.315: ISAKMP:(1227): sending packet to A.A.A.A my_port 500 peer_port 500 (I) QM_IDLE
Dec 6 08:51:52.315: ISAKMP:(1227):Sending an IKE IPv4 Packet.
Dec 6 08:51:52.315: ISAKMP:(1227):Node 1511581970, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Dec 6 08:51:52.315: ISAKMP:(1227):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Dec 6 08:51:52.315: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Dec 6 08:51:52.315: ISAKMP:(1227):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Dec 6 08:51:52.455: ISAKMP (1227): received packet from A.A.A.A dport 500 sport 500 Global (I) QM_IDLE
Dec 6 08:51:52.455: ISAKMP: set new node -1740216573 to QM_IDLE
Dec 6 08:51:52.455: ISAKMP:(1227): processing HASH payload. message ID = 2554750723
Dec 6 08:51:52.455: ISAKMP:(1227): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 0, message ID = 2554750723, sa = 0x2B78D574
Dec 6 08:51:52.455: ISAKMP:(1227):deleting node -1740216573 error FALSE reason "Informational (in) state 1"
Dec 6 08:51:52.455: ISAKMP:(1227):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Dec 6 08:51:52.455: ISAKMP:(1227):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Dec 6 08:51:52.455: ISAKMP (1227): received packet from A.A.A.A dport 500 sport 500 Global (I) QM_IDLE
Dec 6 08:51:52.455: ISAKMP: set new node 1297146574 to QM_IDLE
Dec 6 08:51:52.455: ISAKMP:(1227): processing HASH payload. message ID = 1297146574
Dec 6 08:51:52.455: ISAKMP:(1227): processing DELETE payload. message ID = 1297146574
Dec 6 08:51:52.455: ISAKMP:(1227):peer does not do paranoid keepalives.
Dec 6 08:51:52.455: ISAKMP:(1227):deleting SA reason "No reason" state (I) QM_IDLE (peer A.A.A.A)
Dec 6 08:51:52.455: ISAKMP:(1227):deleting node 1297146574 error FALSE reason "Informational (in) state 1"
Dec 6 08:51:52.455: ISAKMP: set new node -1178304129 to QM_IDLE
Dec 6 08:51:52.455: ISAKMP:(1227): sending packet to A.A.A.A my_port 500 peer_port 500 (I) QM_IDLE
Dec 6 08:51:52.455: ISAKMP:(1227):Sending an IKE IPv4 Packet.
Dec 6 08:51:52.455: ISAKMP:(1227):purging node -1178304129
Dec 6 08:51:52.455: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Dec 6 08:51:52.455: ISAKMP:(1227):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
Dec 6 08:51:52.455: ISAKMP:(1227):deleting SA reason "No reason" state (I) QM_IDLE (peer A.A.A.A)
Dec 6 08:51:52.455: ISAKMP: Unlocking peer struct 0x2B79E8BC for isadb_mark_sa_deleted(), count 0
Dec 6 08:51:52.455: ISAKMP: Deleting peer node by peer_reap for A.A.A.A: 2B79E8BC
Dec 6 08:51:52.455: ISAKMP:(1227):deleting node 1511581970 error FALSE reason "IKE deleted"
Dec 6 08:51:52.455: ISAKMP:(1227):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Dec 6 08:51:52.455: ISAKMP:(1227):Old State = IKE_DEST_SA New State = IKE_DEST_SA
would appreciate any help you can provide.
Regards,
Sidney DsouzaHi Anuj,
thanks for responding. Here are the logs from the debug crypto ipsec
Dec 10 15:54:38.099 UTC: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= B.B.B.B:500, remote= A.A.A.A:500,
local_proxy= 10.20.0.0/255.255.0.0/0/0 (type=4),
remote_proxy= 10.120.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Dec 10 15:54:38.671 UTC: IPSEC(key_engine): got a queue event with 1 KMI message(s)
thats all that appeared after pinging the remote subnet.
Maybe you are looking for
-
Report to show all purchase invoices in B1
Is it possible via a standard report in B1 to pull a list of all purchase invoices in the system (open and closed)?? Purchase analysis will only show open invoices as far as i know.
-
I split my hard drive using Bootcamp and created a small partition for windows. The sole purpose of this was to play an mmorpg. When playing the game, the computer seems to get extremely hot, and will completely and without warning shut off. I have a
-
At one times had tactile indication when I typed. Noe I don't . Why?
At one times had tactile indication when I typed. Noe I don't . Why?
-
Backlit Keyboard malfunction ? Keyboard is changed, then the logicboard ?
Hi, The backlit of my MacBook Pro is broken, so I went to a technical center in order to change it, nevertheless it does not work... Could the logic board be the part which causes this trouble ? What can I do ?
-
My online college class site puts up a disclaimer when I log on to it with my iPad or iPhone, that I am using an unsupported browser and some features may not work, and the important ones dont. But the site also lists supported browsers to download a