Question in asa site-site vpn about "ident" ??
hi all ,
i have a topology as
(192.168.0.0/24)LAN1----------------asa1---------------internet-----------------------asa2------------------LAN2(192.168.2.0/24)
now , lan 1 can reach lan 2 by site to site vpn
but i have a question :
when i have
#sh crypto ipsec sa
====================================================================
interface: outside
Crypto map tag: Azure_IPSecCryptoMap, seq num: 2, local addr: xxxx
access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 any
local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: xxxxx
#pkts encaps: 294823, #pkts encrypt: 294823, #pkts digest: 294823
#pkts decaps: 208795, #pkts decrypt: 208795, #pkts verify: 208795
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 294823, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: xxxxxxxxxx/0, remote crypto endpt.: xxxxxxxx/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 81F3ABF6
current inbound spi : FAE91312
inbound esp sas:
spi: 0xFAE91312 (4209578770)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 10670080, crypto-map: Azure_IPSecCryptoMap
sa timing: remaining key lifetime (kB/sec): (4373327/621)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x81F3ABF6 (2180230134)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 10670080, crypto-map: Azure_IPSecCryptoMap
sa timing: remaining key lifetime (kB/sec): (4370375/621)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
================================================================================
my problem is ,
that my asa1 lan1 only reach asa2 if its destination was to subnet 192.168.2.0/24 , i mean if requested internet i cant reach it !!!
note that the crypto_map acl says destination "any" will go to asa2 , but why when i requested the destioantion of lan2 it responce , and if i requested 8.8.8.8 it dont reach asa2 ??
i used packet tracer to investigate , it seems as a stuck !!!
how to change the remote idnet as in the red line above ??? i think it is the issue that preventing mefrom reaching internet by asa2
agian ,
what issue in the asa has relation to the remote idnet and how i can change it ?
any help ?
regards
CSCO,
The lines below, match the interesting traffic for this VPN. You will not see a specific host address unless, you configure that within you crypto ACL. Basically you have some host in network 192.168.0.0/24(LOCAL) going to 192.168.2.0/24(REMOTE). The REMOTE IDENT is the remote network where the remote host relies, which matches your interesting traffic.
So lon story short, you have some local host in the 192.168.1.0/24 range going to some host in the 192.168.2.0/24 range.
This ACL has to do with the address you map to the match address line of you crypto map.
access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 any
local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
Similar Messages
-
Cisco ASA Site to Site IPSEC VPN and NAT question
Hi Folks,
I have a question regarding both Site to Site IPSEC VPN and NAT. Basically what I want to achieve is to do the following:
ASA2 is at HQ and ASA1 is a remote site. I have no problem setting up a static static Site to Site IPSEC VPN between sites. Hosts residing at 10.1.0.0/16 are able to communicate with hosts at 192.168.1.0/24, but what i want is to setup NAT with IPSEC VPN so that host at 10.1.0.0/16 will communicate with hosts at 192.168.1.0/24 with translated addresses
Just an example:
Host N2 (10.1.0.1/16) will communicate with host N1 192.168.1.5 with destination lets say 10.23.1.5 not 192.168.1.5 (Notice the last octet should be the same in this case .5)
The same translation for the rest of the communication (Host N2 pings host N3 destination ip 10.23.1.6 not 192.168.1.6. again last octet is the same)
It sounds a bit confusing for me but i have seen this type of setup before when I worked for managed service provider where we had connection to our clients (Site to Site Ipsec VPN with NAT, not sure how it was setup)
Basically we were communicating with client hosts over site to site VPN but their real addresses were hidden and we were using translated address as mentioned above 10.23.1.0/24 instead of (real) 192.168.1.0/24, last octet should be the same.
Appreciate if someone can shed some light on it.Hi,
Ok so were going with the older NAT configuration format
To me it seems you could do the following:
Configure the ASA1 with Static Policy NAT
access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
Because the above is a Static Policy NAT it means that the translation will only be done when the destination network is 10.1.0.0/16
If you for example have a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration wont interfere with eachother
On ASA2 side you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network
access-list INSIDE-NONAT remark L2LVPN NONAT
access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NONAT
You will have to take into consideration that your access-list defining the L2L-VPN encrypted traffic must reflect the new NAT network
ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
I could test this setup tomorrow at work but let me know if it works out.
Please rate if it was helpful
- Jouni -
Cisco ASA 5510 site to site VPN only
Hi,
Need some expert help. I will be deploying the CISCO ASA 5510 in VPN site to site scenario only. One interface will be for the WAN and the other LAN interface is connected to another firewall appliance. The main purpose of the ASA is for branch site VPN connection only. My default gateway is pointing to the Internet router on my WAN inteface. Should NAT be enabled on my WAN inteface? The only expected traffic to go thru my ASA is VPN traffic to the other site. I have already defined static routes and have gone thru the wizard for site to site VPN and added my local and remote networks. Also how do I approach my access policies, the default deny any any is in place. Should I allow anything on it? The firewall connected to my LAN interface is expected to do the filtering, like I said the ASA's purpose is just to do VPN site to site. Thanks allThanks Jon. That is what I want to clarify as well, running the VPN site to site wizard, will automatically create the 'cryptomap' access rules, will the existing deny all rule apply to the VPN traffic? I think there was an option that VPN traffic will bypass access rules.
So having NAT enabled for anything that goes out on My WAN inteface would not matter at all, even if the VPN traffic will go out of that interface right? Hope I don't sound confusing.
As per your second question, I know it sounds weird and is not good network design, but customer just renewed maintenance contract for the other firewall box that is why he does not want to get rid of it yet. Although ISA can perform the function as well. Thanks. -
ASA 5505 Site to Site IPSec VPN WILL NOT CONNECT
I've spent 2 days already trying to get 2 ASA 5505's to connect using an IPSec vpn tunnel. I cannot seem to figure out what im doing wrong, im using 192.168.97.0 and 192.168.100.0 as my internal networks that i'm trying to connect over a directly connected link on the outside interfaces with 50.1.1.1 and 50.1.1.2 as the addresses (all /24). I also tried with and currently without NAT enabled. Here are the configs for both ASA's, the vpn config was done by the ASDM, however i have also tried the command line apporach with no success. I have followed various guides to the letter online, starting from an empty config and from factory default. I have also tried the 8.4 IOS.
ASA 1 Config
ASA Version 8.3(2)
hostname VIC
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.97.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 50.1.1.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
boot system disk0:/asa832-k8.bin
ftp mode passive
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.97.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4745f7cd76c82340ba1e7920dbfd2395
ASA2 Config
ASA Version 8.3(2)
hostname QLD
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 50.1.1.2 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
ftp mode passive
object network SITEA
subnet 192.168.97.0 255.255.255.0
object network NETWORK_OBJ_192.168.100.0_24
subnet 192.168.100.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 object SITEA
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static SITEA SITEA
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 50.1.1.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 50.1.1.1 type ipsec-l2l
tunnel-group 50.1.1.1 ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d987f3446fe780ab5fbb9d4213b3adff
: endHello Mitchell,
Thank you for letting us know the resolution of this topic.
Please answer the question as answered so future users can learn from this topic.
Regards,
Julio -
ASA site-site VPN error using Microsoft Digital Certificates.
Hi,
I configured site-site between ASA's with authentication type as RSA-SIG for Phase1. I got manual certificates from Microsoft CA Server but not able to form the tunnel. Need someones help badly on this issue.
ASA1 Config:
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication rsa-sig
encryption 3des
hash sha
group 1
lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
tunnel-group 200.160.126.30 type ipsec-l2l
tunnel-group 200.160.126.30 ipsec-attributes
peer-id-validate cert
trust-point CA1
crypto map outside_map 1 match address vpn
crypto map outside_map 1 set peer 200.160.126.30
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set trustpoint CA1
crypto map outside_map interface outside
access-list vpn extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ca trustpoint CA1
enrollment terminal
fqdn asa1.cisco.com
keypair my.ca.key
crl configure
ASA-2 Config:
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication rsa-sig
encryption 3des
hash sha
group 1
lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address vpn
crypto map outside_map 1 set peer 59.160.128.50
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set trustpoint CA1
crypto map outside_map interface outside
tunnel-group 59.160.128.50 type ipsec-l2l
tunnel-group 59.160.128.50 ipsec-attributes
peer-id-validate cert
trust-point CA1
access-list vpn extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto ca trustpoint CA1
enrollment terminal
fqdn asa2.cisco.com
keypair my.ca.key
crl configure
Debug Output:
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-5-713041: IP = 59.160.128.50, IKE Initiator: New Phase 1, Intf inside, IKE Peer 59.160.128.50 local Proxy Address 172.16.1.0, remote Proxy Address 192.168.1.0, Crypto map (outside_map)
%ASA-7-715046: IP = 59.160.128.50, constructing ISAKMP SA payload
%ASA-7-715046: IP = 59.160.128.50, constructing Fragmentation VID + extended capabilities payload
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
%ASA-7-609001: Built local-host NP Identity Ifc:200.160.126.30
%ASA-7-609001: Built local-host outside:59.160.128.50
%ASA-6-302015: Built outbound UDP connection 122 for outside:59.160.128.50/500 (59.160.128.50/500) to NP Identity Ifc:200.160.126.30/500 (200.160.126.30/500)
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
%ASA-7-715047: IP = 59.160.128.50, processing SA payload
%ASA-7-713906: IP = 59.160.128.50, Oakley proposal is acceptable
%ASA-7-715047: IP = 59.160.128.50, processing VID payload
%ASA-7-715049: IP = 59.160.128.50, Received Fragmentation VID
%ASA-7-715064: IP = 59.160.128.50, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: True
%ASA-7-715046: IP = 59.160.128.50, constructing ke payload
%ASA-7-715046: IP = 59.160.128.50, constructing nonce payload
%ASA-7-715046: IP = 59.160.128.50, constructing certreq payload
%ASA-7-715046: IP = 59.160.128.50, constructing Cisco Unity VID payload
%ASA-7-715046: IP = 59.160.128.50, constructing xauth V6 VID payload
%ASA-7-715048: IP = 59.160.128.50, Send IOS VID
%ASA-7-715038: IP = 59.160.128.50, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
%ASA-7-715046: IP = 59.160.128.50, constructing VID payload
%ASA-7-715048: IP = 59.160.128.50, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + CERT_REQ (7) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 322
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + CERT_REQ (7) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 322
%ASA-7-715047: IP = 59.160.128.50, processing ke payload
%ASA-7-715047: IP = 59.160.128.50, processing ISA_KE payload
%ASA-7-715047: IP = 59.160.128.50, processing nonce payload
%ASA-7-715047: IP = 59.160.128.50, processing cert request payload
%ASA-7-715047: IP = 59.160.128.50, processing VID payload
%ASA-7-715049: IP = 59.160.128.50, Received Cisco Unity client VID
%ASA-7-715047: IP = 59.160.128.50, processing VID payload
%ASA-7-715049: IP = 59.160.128.50, Received xauth V6 VID
%ASA-7-715047: IP = 59.160.128.50, processing VID payload
%ASA-7-715038: IP = 59.160.128.50, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
%ASA-7-715047: IP = 59.160.128.50, processing VID payload
%ASA-7-715049: IP = 59.160.128.50, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
%ASA-7-713906: IP = 59.160.128.50, Generating keys for Initiator...
%ASA-7-715046: IP = 59.160.128.50, constructing ID payload
%ASA-7-715046: IP = 59.160.128.50, constructing cert payload
%ASA-7-715001: IP = 59.160.128.50, constructing RSA signature
%ASA-7-715076: IP = 59.160.128.50, Computing hash for ISAKMP
%ASA-7-713906: Constructed Signature Len: 128
%ASA-7-713906: Constructed Signature:
0000: 4FB66432 FCA9DA52 5420E6C1 DF8293AC O.d2...RT ......
0010: DE3533F1 7036E5C8 40B11A9D 5C68C884 .53.p6..@...\h..
0020: D4BCA531 BAE87710 09D1AD06 7994CD1B ...1..w.....y...
0030: DCEDB9CE E971F21B 0104C06A 1901FACE .....q.....j....
0040: D1E8AED1 7684DFDA 40E98BC2 E195F3C8 ....v...@.......
0050: 3625E936 E35F47A3 F44BC326 62E99135 6%.6._G..K.&b..5
0060: 88EB90FF 10938CC3 0FFAA576 A9DBD9AD ...........v....
0070: 65592C71 5A13C4C5 8EBA60F6%ASA-7-715034: IP = 59.160.128.50, Constructing IOS keep alive payload: proposal=32767/32767 sec.
%ASA-7-715046: IP = 59.160.128.50, constructing dpd vid payload
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + CERT (6) + SIG (9) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 1668
%ASA-7-609001: Built local-host inside:172.16.1.10
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-609001: Built local-host inside:172.16.1.10
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-609001: Built local-host inside:172.16.1.10
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-609001: Built local-host inside:172.16.1.10
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-609001: Built local-host inside:172.16.1.10
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-609001: Built local-host inside:172.16.1.10
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-609001: Built local-host inside:172.16.1.10
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-609001: Built local-host inside:172.16.1.10
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-609001: Built local-host inside:172.16.1.10
%ASA-7-609001: Built local-host outside:192.168.1.10
%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-715065: IP = 59.160.128.50, IKE MM Initiator FSM error history (struct &0xd8a30d08) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG6, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG6, EV_TIMEOUT-->MM_WAIT_MSG6, NullEvent-->MM_SND_MSG5, EV_SND_MSG-->MM_SND_MSG5, EV_START_TMR-->MM_SND_MSG5, EV_RESEND_MSG-->MM_WAIT_MSG6, EV_TIMEOUT
%ASA-7-713906: IP = 59.160.128.50, IKE SA MM:f2cbbafa terminating: flags 0x0100c022, refcnt 0, tuncnt 0
%ASA-7-713906: IP = 59.160.128.50, sending delete/delete with reason message
%ASA-7-715046: IP = 59.160.128.50, constructing blank hash payload
%ASA-7-715046: IP = 59.160.128.50, constructing IKE delete payload
%ASA-7-715046: IP = 59.160.128.50, constructing qm hash payload
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE SENDING Message (msgid=372e03ac) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
%ASA-3-713902: IP = 59.160.128.50, Removing peer from peer table failed, no match!
%ASA-4-713903: IP = 59.160.128.50, Error: Unable to remove PeerTblEntry
Kindly suggest me for further steps.
Regards,
MonHI Mate ,
your ASA is sending the ASA certificate :
but after that we are recieving an isakmp notify message which tears down the connection ?
somehow the remote peer didn't like the ASA certificate
do you have access to that peer ? is it a CISCO ASA?
is the time synchronized with that side ?
it the CA certificate installed on that peer?
HTH
Mohammad. -
ASA 5505 Site-to-Site VPN dropping at end of lifetime
I have 4 ASA 5505's with Site-to-Site IPSEC VPN tunnels built between them. One of the tunnels stays up just fine but the other 2 drop at the end of the SA lifetime for a period of time equal to 10% of the SA lifetime.
Orignially, I had the the lifetime set to 1 hour and the tunnels would drop for 6 minutes. I changed the lifetime to 8 hours (480 minutes) and they dropped for 48 minutes. I've gone over the configurations and the only differences I can find is that the sites where the tunnel drops have the outside interface forwarded to an VOIP server and all ports but SIP blocked.Can you post the configs?
-
how to handle multiple site to site IPsec vpn on ASA, any best practice to to manage multiple ipsec vpn configurations
before ver 8.3 and after version 8.3 ...8.4.. 9 versions..Hi,
To my understanding you should be able to attach the same cryptomap to the other "outside" interface or perhaps alternatively create a new crypto map that you attach only to your new "outside" interface.
Also I think you will probably need to route the remote peer ip of the VPN connection towards the gateway IP address of that new "outside" and also the remote network found behind the VPN connection.
If you attempt to use VPN Client connection instead of L2L VPN connection with the new "outside" interface then you will run into routing problems as naturally you can have 2 default routes active at the sametime (default route would be required on the new "outside" interface if VPN Client was used since you DONT KNOW where the VPN Clients are connecting to your ASA)
Hope this helps
- Jouni -
Cannot establish site-site vpn tunnel through ASA 9.1(2)
Hi,
We use ASA 9.1(2) to filter traffic in/out of our organisation. A dept within the organisation also have a firewall. They want to establish a site-site VPN tunnel with a remote firewall. We have allowed full access between the public address of the dept firewall and the remote firewall and full access between the remote firewall address and the dept firewall address . We do not use NAT.
The site-site VPN tunnel fails to establish.
The dept sysadmin has requested that we enable IPSec Passthrough. From my reading this will not make any difference as we allow full access between the firewalls in both directions. Is that correct?
Has anyone encountered issues with ASA 9.1(2) interfering with site-site tunnels?
Regards>The dept sysadmin has requested that we enable IPSec Passthrough. From my reading this will not make any difference as we allow full access between the firewalls in both directions. Is that correct?
Yes, in that case, no IPsec-pass-through is needed. All you need is (in both directions):
UDP/500
UDP/4500 (also if you don't use NAT, the remote gateway could be located behind a NAT gateway)
IP/50
for testing ICMP/Echo
If you allowed full IP-access between these two endpoints, it is more than enough.
When they start testing, do you see a connection on your ASA. There should be at least UDP/500 traffic.
Can the two gateways ping each other? -
Cisco ASA 5505 site to site Multiple subnet.
Hi. I need some help configuring my cisco asa 5505.
I've set up a VPN tunnel between two ASA 5505
Site 1:
Subnet 192.168.77.0
Site 2:
Have multiple vlans and now the tunnel goes to vlan400 - 192.168.1.0
What I need help with:
From site 1 i need to be able to reach another vlan on site 2. vlan480 - 192.168.20.0
And from site 1 I need to reach 192.168.77.0 subnet from vlan480 - 192.168.20.0
Vlan480 is used for phones. In vlan480 we have a PABX central.
Is this possible to do?
Any help would be greatfully appreciated!
Config site 2:
: Saved
ASA Version 7.2(2)
hostname ciscoasa
domain-name default.domain.invalid
enable password x encrypted
names
name 192.168.1.250 DomeneServer
name 192.168.1.10 NotesServer
name 192.168.1.90 OvServer
name 192.168.1.97 TerminalServer
name 192.168.1.98 w8-eyeshare
name 192.168.50.10 w8-print
name 192.168.1.94 w8-app
name 192.168.1.89 FonnaFlyMedia
interface Vlan1
nameif Vlan1
security-level 100
ip address 192.168.200.100 255.255.255.0
ospf cost 10
interface Vlan2
nameif outside
security-level 0
ip address 79.x.x.226 255.255.255.224
ospf cost 10
interface Vlan400
nameif vlan400
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
interface Vlan450
nameif Vlan450
security-level 100
ip address 192.168.210.1 255.255.255.0
ospf cost 10
interface Vlan460
nameif Vlan460-SuldalHotell
security-level 100
ip address 192.168.2.1 255.255.255.0
ospf cost 10
interface Vlan461
nameif Vlan461-SuldalHotellGjest
security-level 100
ip address 192.168.3.1 255.255.255.0
ospf cost 10
interface Vlan462
nameif Vlan462-Suldalsposten
security-level 100
ip address 192.168.4.1 255.255.255.0
ospf cost 10
interface Vlan470
nameif vlan470-Kyrkjekontoret
security-level 100
ip address 192.168.202.1 255.255.255.0
ospf cost 10
interface Vlan480
nameif vlan480-Telefoni
security-level 100
ip address 192.168.20.1 255.255.255.0
ospf cost 10
interface Vlan490
nameif Vlan490-QNapBackup
security-level 100
ip address 192.168.10.1 255.255.255.0
ospf cost 10
interface Vlan500
nameif Vlan500-HellandBadlands
security-level 100
ip address 192.168.30.1 255.255.255.0
ospf cost 10
interface Vlan510
nameif Vlan510-IsTak
security-level 100
ip address 192.168.40.1 255.255.255.0
ospf cost 10
interface Vlan600
nameif Vlan600-SafeQ
security-level 100
ip address 192.168.50.1 255.255.255.0
ospf cost 10
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
switchport access vlan 500
switchport trunk allowed vlan 400,450,460-462,470,480,500,510,600,610
switchport mode trunk
interface Ethernet0/3
switchport access vlan 490
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
passwd x encrypted
ftp mode passive
clock timezone WAT 1
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service Lotus_Notes_Utgaaande tcp
description Frim Notes og ut til alle
port-object eq domain
port-object eq ftp
port-object eq www
port-object eq https
port-object eq lotusnotes
port-object eq pop3
port-object eq pptp
port-object eq smtp
object-group service Lotus_Notes_inn tcp
description From alle og inn til Notes
port-object eq www
port-object eq lotusnotes
port-object eq pop3
port-object eq smtp
object-group service Reisebyraa tcp-udp
port-object range 3702 3702
port-object range 5500 5500
port-object range 9876 9876
object-group service Remote_Desktop tcp-udp
description Tilgang til Remote Desktop
port-object range 3389 3389
object-group service Sand_Servicenter_50000 tcp-udp
description Program tilgang til Sand Servicenter AS
port-object range 50000 50000
object-group service VNC_Remote_Admin tcp
description Frå oss til alle
port-object range 5900 5900
object-group service Printer_Accept tcp-udp
port-object range 9100 9100
port-object eq echo
object-group icmp-type Echo_Ping
icmp-object echo
icmp-object echo-reply
object-group service Print tcp
port-object range 9100 9100
object-group service FTP_NADA tcp
description Suldalsposten NADA tilgang
port-object eq ftp
port-object eq ftp-data
object-group service Telefonsentral tcp
description Hoftun
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
port-object eq telnet
object-group service Printer_inn_800 tcp
description Fra 800 nettet og inn til 400 port 7777
port-object range 7777 7777
object-group service Suldalsposten tcp
description Sending av mail vha Mac Mail programmet - åpner smtp
port-object eq pop3
port-object eq smtp
object-group service http2 tcp
port-object range 81 81
object-group service DMZ_FTP_PASSIVE tcp-udp
port-object range 55536 56559
object-group service DMZ_FTP tcp-udp
port-object range 20 21
object-group service DMZ_HTTPS tcp-udp
port-object range 443 443
object-group service DMZ_HTTP tcp-udp
port-object range 8080 8080
object-group service DNS_Query tcp
port-object range domain domain
object-group service DUETT_SQL_PORT tcp-udp
description For kobling mellom andre nett og duett server
port-object range 54659 54659
access-list outside_access_in extended permit ip any any
access-list outside_access_out extended permit ip any any
access-list vlan400_access_in extended deny ip any host 149.20.56.34
access-list vlan400_access_in extended deny ip any host 149.20.56.32
access-list vlan400_access_in extended permit ip any any
access-list Vlan450_access_in extended deny ip any host 149.20.56.34
access-list Vlan450_access_in extended deny ip any host 149.20.56.32
access-list Vlan450_access_in extended permit ip any any
access-list Vlan460_access_in extended deny ip any host 149.20.56.34
access-list Vlan460_access_in extended deny ip any host 149.20.56.32
access-list Vlan460_access_in extended permit ip any any
access-list vlan400_access_out extended permit icmp any any object-group Echo_Ping
access-list vlan400_access_out extended permit tcp any host NotesServer object-group Lotus_Notes_Utgaaande
access-list vlan400_access_out extended permit tcp any host DomeneServer object-group Remote_Desktop
access-list vlan400_access_out extended permit tcp any host TerminalServer object-group Remote_Desktop
access-list vlan400_access_out extended permit tcp any host OvServer object-group http2
access-list vlan400_access_out extended permit tcp any host NotesServer object-group Lotus_Notes_inn
access-list vlan400_access_out extended permit tcp any host NotesServer object-group Remote_Desktop
access-list vlan400_access_out extended permit tcp any host w8-eyeshare object-group Remote_Desktop
access-list vlan400_access_out extended permit tcp any host w8-app object-group Remote_Desktop
access-list vlan400_access_out extended permit tcp any host FonnaFlyMedia range 8400 8600
access-list vlan400_access_out extended permit udp any host FonnaFlyMedia range 9000 9001
access-list vlan400_access_out extended permit tcp 192.168.4.0 255.255.255.0 host DomeneServer
access-list vlan400_access_out extended permit tcp 192.168.4.0 255.255.255.0 host w8-app object-group DUETT_SQL_PORT
access-list Vlan500_access_in extended deny ip any host 149.20.56.34
access-list Vlan500_access_in extended deny ip any host 149.20.56.32
access-list Vlan500_access_in extended permit ip any any
access-list vlan470_access_in extended deny ip any host 149.20.56.34
access-list vlan470_access_in extended deny ip any host 149.20.56.32
access-list vlan470_access_in extended permit ip any any
access-list Vlan490_access_in extended deny ip any host 149.20.56.34
access-list Vlan490_access_in extended deny ip any host 149.20.56.32
access-list Vlan490_access_in extended permit ip any any
access-list Vlan450_access_out extended permit icmp any any object-group Echo_Ping
access-list Vlan1_access_out extended permit ip any any
access-list Vlan1_access_out extended permit tcp any host w8-print object-group Remote_Desktop
access-list Vlan1_access_out extended deny ip any any
access-list Vlan1_access_out extended permit icmp any any echo-reply
access-list Vlan460_access_out extended permit icmp any any object-group Echo_Ping
access-list Vlan490_access_out extended permit icmp any any object-group Echo_Ping
access-list Vlan490_access_out extended permit tcp any host 192.168.10.10 object-group DMZ_FTP
access-list Vlan490_access_out extended permit tcp any host 192.168.10.10 object-group DMZ_FTP_PASSIVE
access-list Vlan490_access_out extended permit tcp any host 192.168.10.10 object-group DMZ_HTTPS
access-list Vlan490_access_out extended permit tcp any host 192.168.10.10 object-group DMZ_HTTP
access-list Vlan500_access_out extended permit icmp any any object-group Echo_Ping
access-list vlan470_access_out extended permit icmp any any object-group Echo_Ping
access-list vlan470_access_out extended permit tcp any host 192.168.202.10 object-group Remote_Desktop
access-list Vlan510_access_out extended permit icmp any any object-group Echo_Ping
access-list vlan480_access_out extended permit ip any any
access-list Vlan510_access_in extended permit ip any any
access-list Vlan600_access_in extended permit ip any any
access-list Vlan600_access_out extended permit icmp any any
access-list Vlan600_access_out extended permit tcp any host w8-print object-group Remote_Desktop
access-list Vlan600_access_out extended permit tcp 192.168.1.0 255.255.255.0 host w8-print eq www
access-list Vlan600_access_out extended permit tcp 192.168.202.0 255.255.255.0 host w8-print eq www
access-list Vlan600_access_out extended permit tcp 192.168.210.0 255.255.255.0 host w8-print eq www
access-list Vlan600_access_in_1 extended permit ip any any
access-list Vlan461_access_in extended permit ip any any
access-list Vlan461_access_out extended permit icmp any any object-group Echo_Ping
access-list vlan400_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list outside_20_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list Vlan462-Suldalsposten_access_in extended permit ip any any
access-list Vlan462-Suldalsposten_access_out extended permit icmp any any echo-reply
access-list Vlan462-Suldalsposten_access_out_1 extended permit icmp any any echo-reply
access-list Vlan462-Suldalsposten_access_in_1 extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu Vlan1 1500
mtu outside 1500
mtu vlan400 1500
mtu Vlan450 1500
mtu Vlan460-SuldalHotell 1500
mtu Vlan461-SuldalHotellGjest 1500
mtu vlan470-Kyrkjekontoret 1500
mtu vlan480-Telefoni 1500
mtu Vlan490-QNapBackup 1500
mtu Vlan500-HellandBadlands 1500
mtu Vlan510-IsTak 1500
mtu Vlan600-SafeQ 1500
mtu Vlan462-Suldalsposten 1500
no failover
monitor-interface Vlan1
monitor-interface outside
monitor-interface vlan400
monitor-interface Vlan450
monitor-interface Vlan460-SuldalHotell
monitor-interface Vlan461-SuldalHotellGjest
monitor-interface vlan470-Kyrkjekontoret
monitor-interface vlan480-Telefoni
monitor-interface Vlan490-QNapBackup
monitor-interface Vlan500-HellandBadlands
monitor-interface Vlan510-IsTak
monitor-interface Vlan600-SafeQ
monitor-interface Vlan462-Suldalsposten
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (vlan400) 0 access-list vlan400_nat0_outbound
nat (vlan400) 1 0.0.0.0 0.0.0.0 dns
nat (Vlan450) 1 0.0.0.0 0.0.0.0 dns
nat (Vlan460-SuldalHotell) 1 0.0.0.0 0.0.0.0
nat (Vlan461-SuldalHotellGjest) 1 0.0.0.0 0.0.0.0
nat (vlan470-Kyrkjekontoret) 1 0.0.0.0 0.0.0.0
nat (Vlan490-QNapBackup) 1 0.0.0.0 0.0.0.0 dns
nat (Vlan500-HellandBadlands) 1 0.0.0.0 0.0.0.0
nat (Vlan510-IsTak) 1 0.0.0.0 0.0.0.0
nat (Vlan600-SafeQ) 1 0.0.0.0 0.0.0.0
nat (Vlan462-Suldalsposten) 1 0.0.0.0 0.0.0.0
static (vlan400,outside) 79.x.x.x DomeneServer netmask 255.255.255.255
static (vlan470-Kyrkjekontoret,outside) 79.x.x.x 192.168.202.10 netmask 255.255.255.255
static (vlan400,outside) 79.x.x.x NotesServer netmask 255.255.255.255 dns
static (vlan400,outside) 79.x.x.231 TerminalServer netmask 255.255.255.255
static (vlan400,outside) 79.x.x.234 OvServer netmask 255.255.255.255
static (vlan400,outside) 79.x.x.232 w8-eyeshare netmask 255.255.255.255
static (Vlan490-QNapBackup,outside) 79.x.x.233 192.168.10.10 netmask 255.255.255.255 dns
static (Vlan600-SafeQ,outside) 79.x.x.235 w8-print netmask 255.255.255.255
static (vlan400,outside) 79.x.x.236 w8-app netmask 255.255.255.255
static (Vlan450,vlan400) 192.168.210.0 192.168.210.0 netmask 255.255.255.0
static (Vlan500-HellandBadlands,vlan400) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
static (vlan400,Vlan500-HellandBadlands) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (vlan400,Vlan450) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (vlan400,outside) 79.x.x.252 FonnaFlyMedia netmask 255.255.255.255
static (Vlan462-Suldalsposten,vlan400) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
static (vlan400,Vlan462-Suldalsposten) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (vlan400,Vlan600-SafeQ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (Vlan600-SafeQ,vlan400) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
static (Vlan600-SafeQ,Vlan450) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
static (Vlan600-SafeQ,vlan470-Kyrkjekontoret) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
static (Vlan450,Vlan600-SafeQ) 192.168.210.0 192.168.210.0 netmask 255.255.255.0
static (vlan470-Kyrkjekontoret,Vlan600-SafeQ) 192.168.202.0 192.168.202.0 netmask 255.255.255.0
access-group Vlan1_access_out out interface Vlan1
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group vlan400_access_in in interface vlan400
access-group vlan400_access_out out interface vlan400
access-group Vlan450_access_in in interface Vlan450
access-group Vlan450_access_out out interface Vlan450
access-group Vlan460_access_in in interface Vlan460-SuldalHotell
access-group Vlan460_access_out out interface Vlan460-SuldalHotell
access-group Vlan461_access_in in interface Vlan461-SuldalHotellGjest
access-group Vlan461_access_out out interface Vlan461-SuldalHotellGjest
access-group vlan470_access_in in interface vlan470-Kyrkjekontoret
access-group vlan470_access_out out interface vlan470-Kyrkjekontoret
access-group vlan480_access_out out interface vlan480-Telefoni
access-group Vlan490_access_in in interface Vlan490-QNapBackup
access-group Vlan490_access_out out interface Vlan490-QNapBackup
access-group Vlan500_access_in in interface Vlan500-HellandBadlands
access-group Vlan500_access_out out interface Vlan500-HellandBadlands
access-group Vlan510_access_in in interface Vlan510-IsTak
access-group Vlan510_access_out out interface Vlan510-IsTak
access-group Vlan600_access_in_1 in interface Vlan600-SafeQ
access-group Vlan600_access_out out interface Vlan600-SafeQ
access-group Vlan462-Suldalsposten_access_in_1 in interface Vlan462-Suldalsposten
access-group Vlan462-Suldalsposten_access_out_1 out interface Vlan462-Suldalsposten
route outside 0.0.0.0 0.0.0.0 79.x.x.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username x password x encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 192.168.210.0 255.255.255.0 Vlan450
http 192.168.200.0 255.255.255.0 Vlan1
http 192.168.1.0 255.255.255.0 vlan400
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap_1
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 62.92.159.137
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp enable vlan400
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 62.92.159.137 type ipsec-l2l
tunnel-group 62.92.159.137 ipsec-attributes
pre-shared-key *
telnet 192.168.200.0 255.255.255.0 Vlan1
telnet 192.168.1.0 255.255.255.0 vlan400
telnet timeout 5
ssh 171.68.225.216 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd update dns both
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan1
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface outside
dhcpd address 192.168.1.100-192.168.1.225 vlan400
dhcpd option 6 ip DomeneServer 81.167.36.11 interface vlan400
dhcpd option 3 ip 192.168.1.1 interface vlan400
dhcpd enable vlan400
dhcpd address 192.168.210.100-192.168.210.200 Vlan450
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan450
dhcpd option 3 ip 192.168.210.1 interface Vlan450
dhcpd enable Vlan450
dhcpd address 192.168.2.100-192.168.2.150 Vlan460-SuldalHotell
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan460-SuldalHotell
dhcpd option 3 ip 192.168.2.1 interface Vlan460-SuldalHotell
dhcpd enable Vlan460-SuldalHotell
dhcpd address 192.168.3.100-192.168.3.200 Vlan461-SuldalHotellGjest
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan461-SuldalHotellGjest
dhcpd option 3 ip 192.168.3.1 interface Vlan461-SuldalHotellGjest
dhcpd enable Vlan461-SuldalHotellGjest
dhcpd address 192.168.202.100-192.168.202.199 vlan470-Kyrkjekontoret
dhcpd option 3 ip 192.168.202.1 interface vlan470-Kyrkjekontoret
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface vlan470-Kyrkjekontoret
dhcpd enable vlan470-Kyrkjekontoret
dhcpd option 3 ip 192.168.20.1 interface vlan480-Telefoni
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface vlan480-Telefoni
dhcpd address 192.168.10.80-192.168.10.90 Vlan490-QNapBackup
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan490-QNapBackup
dhcpd option 3 ip 192.168.10.1 interface Vlan490-QNapBackup
dhcpd address 192.168.30.100-192.168.30.199 Vlan500-HellandBadlands
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan500-HellandBadlands
dhcpd option 3 ip 192.168.30.1 interface Vlan500-HellandBadlands
dhcpd enable Vlan500-HellandBadlands
dhcpd address 192.168.40.100-192.168.40.150 Vlan510-IsTak
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan510-IsTak
dhcpd option 3 ip 192.168.40.1 interface Vlan510-IsTak
dhcpd enable Vlan510-IsTak
dhcpd address 192.168.50.150-192.168.50.199 Vlan600-SafeQ
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan600-SafeQ
dhcpd enable Vlan600-SafeQ
dhcpd address 192.168.4.100-192.168.4.150 Vlan462-Suldalsposten
dhcpd option 6 ip DomeneServer 81.167.36.11 interface Vlan462-Suldalsposten
dhcpd option 3 ip 192.168.4.1 interface Vlan462-Suldalsposten
dhcpd enable Vlan462-Suldalsposten
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
prompt hostname context
Cryptochecksum:x
: end
Config site 1:
: Saved
ASA Version 7.2(4)
hostname ciscoasa
domain-name default.domain.invalid
enable password x encrypted
passwd x encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.77.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group Telenor
ip address pppoe setroute
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 15
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_access_in extended permit icmp any any echo-reply log disable
access-list outside_1_cryptomap extended permit ip 192.168.77.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.77.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.77.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 79.160.252.226
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.77.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group Telenor request dialout pppoe
vpdn group Telenor localname x
vpdn group Telenor ppp authentication chap
vpdn username x password x store-local
dhcpd auto_config outside
dhcpd address 192.168.77.100-192.168.77.130 inside
dhcpd dns 192.168.77.1 interface inside
dhcpd option 6 ip 130.67.15.198 193.213.112.4 interface inside
dhcpd enable inside
dhcpd option 6 ip 130.67.15.198 193.213.112.4 interface outside
tunnel-group 79.160.252.226 type ipsec-l2l
tunnel-group 79.160.252.226 ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:x
: endHi,
The addition of a new network to the existing L2L VPN should be a pretty simple process.
Essentially you will have to add the network to the Crypto ACL present in the "crypto map" configurations. You will also have to configure the NAT0 configuration for it in the proper interfaces of the ASA. These configurations are all done on both ends of the L2L VPN connection.
Looking at your above configurations it would seem that you will need the following configurations
SITE 1
We add the new network to both the crypto ACL and the NAT0 ACL
access-list outside_1_cryptomap extended permit ip 192.168.77.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.77.0 255.255.255.0 192.168.20.0 255.255.255.0
SITE 2
We add the new network to the crypto ACL
We create a new NAT0 configuration for the Vlan480 interface as it has no previous NAT0 configuration
access-list outside_20_cryptomap_1 extended permit ip 192.168.20.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list VLAN480-NAT0 remark NAT0 for VPN
access-list VLAN480-NAT0 permit ip 192.168.20.0 255.255.255.0 192.168.77.0 255.255.255.0
nat (vlan480-Telefoni) 0 access-list VLAN480-NAT0
These configurations should pretty much do the trick.
Let me know if it worked
- Jouni -
Need urgent help in configuring Client to Site IPSec VPN with Hairpinning on Cisco ASA5510 - 8.2(1).
The following is the Layout:
There are two Leased Lines for Internet access - 1.1.1.1 & 2.2.2.2, the latter being the Standard Default route, the former one is for backup.
I have been able to configure Client to Site IPSec VPN
1) With access from Outside to only the Internal Network (172.16.0.0/24) behind the asa
2) With Split tunnel with simultaneous assess to internal LAN and Outside Internet.
But I have not been able to make tradiotional Hairpinng model work in this scenario.
I followed every possible sugestions made in this regard in many Discussion Topics but still no luck. Can someone please help me out here???
Following is the Running-Conf with Normal Client to Site IPSec VPN configured with No internat Access:
LIMITATION: Can't Boot into any other ios image for some unavoidable reason, must use 8.2(1)
running-conf --- Working normal Client to Site VPN without internet access/split tunnel
ASA Version 8.2(1)
hostname ciscoasa
domain-name cisco.campus.com
enable password xxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
names
interface GigabitEthernet0/0
nameif internet1-outside
security-level 0
ip address 1.1.1.1 255.255.255.240
interface GigabitEthernet0/1
nameif internet2-outside
security-level 0
ip address 2.2.2.2 255.255.255.224
interface GigabitEthernet0/2
nameif dmz-interface
security-level 0
ip address 10.0.1.1 255.255.255.0
interface GigabitEthernet0/3
nameif campus-lan
security-level 0
ip address 172.16.0.1 255.255.0.0
interface Management0/0
nameif CSC-MGMT
security-level 100
ip address 10.0.0.4 255.255.255.0
boot system disk0:/asa821-k8.bin
boot system disk0:/asa843-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name cisco.campus.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network cmps-lan
object-group network csc-ip
object-group network www-inside
object-group network www-outside
object-group service tcp-80
object-group service udp-53
object-group service https
object-group service pop3
object-group service smtp
object-group service tcp80
object-group service http-s
object-group service pop3-110
object-group service smtp25
object-group service udp53
object-group service ssh
object-group service tcp-port
object-group service udp-port
object-group service ftp
object-group service ftp-data
object-group network csc1-ip
object-group service all-tcp-udp
access-list INTERNET1-IN extended permit ip host 1.2.2.2 host 2.2.2.3
access-list CSC-OUT extended permit ip host 10.0.0.5 any
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq www
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq https
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ssh
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ftp
access-list CAMPUS-LAN extended permit udp 172.16.0.0 255.255.0.0 any eq domain
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq smtp
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq pop3
access-list CAMPUS-LAN extended permit ip any any
access-list csc-acl remark scan web and mail traffic
access-list csc-acl extended permit tcp any any eq smtp
access-list csc-acl extended permit tcp any any eq pop3
access-list csc-acl remark scan web and mail traffic
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 993
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq imap4
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 465
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq www
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq https
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq smtp
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq pop3
access-list INTERNET2-IN extended permit ip any host 1.1.1.2
access-list nonat extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list DNS-inspect extended permit tcp any any eq domain
access-list DNS-inspect extended permit udp any any eq domain
access-list capin extended permit ip host 172.16.1.234 any
access-list capin extended permit ip host 172.16.1.52 any
access-list capin extended permit ip any host 172.16.1.52
access-list capin extended permit ip host 172.16.0.82 host 172.16.0.61
access-list capin extended permit ip host 172.16.0.61 host 172.16.0.82
access-list capout extended permit ip host 2.2.2.2 any
access-list capout extended permit ip any host 2.2.2.2
access-list campus-lan_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.150.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu internet1-outside 1500
mtu internet2-outside 1500
mtu dmz-interface 1500
mtu campus-lan 1500
mtu CSC-MGMT 1500
ip local pool vpnpool1 192.168.150.2-192.168.150.250 mask 255.255.255.0
ip verify reverse-path interface internet2-outside
ip verify reverse-path interface dmz-interface
ip verify reverse-path interface campus-lan
ip verify reverse-path interface CSC-MGMT
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (internet1-outside) 1 interface
global (internet2-outside) 1 interface
nat (campus-lan) 0 access-list campus-lan_nat0_outbound
nat (campus-lan) 1 0.0.0.0 0.0.0.0
nat (CSC-MGMT) 1 10.0.0.5 255.255.255.255
static (CSC-MGMT,internet2-outside) 2.2.2.3 10.0.0.5 netmask 255.255.255.255
access-group INTERNET2-IN in interface internet1-outside
access-group INTERNET1-IN in interface internet2-outside
access-group CAMPUS-LAN in interface campus-lan
access-group CSC-OUT in interface CSC-MGMT
route internet2-outside 0.0.0.0 0.0.0.0 2.2.2.5 1
route internet1-outside 0.0.0.0 0.0.0.0 1.1.1.5 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.0.0.2 255.255.255.255 CSC-MGMT
http 10.0.0.8 255.255.255.255 CSC-MGMT
http 1.2.2.2 255.255.255.255 internet2-outside
http 1.2.2.2 255.255.255.255 internet1-outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map internet2-outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map internet2-outside_map interface internet2-outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca xyzxyzxyzyxzxyzxyzxyzxxyzyxzyxzy
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as
quit
crypto isakmp enable internet2-outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
telnet 10.0.0.2 255.255.255.255 CSC-MGMT
telnet 10.0.0.8 255.255.255.255 CSC-MGMT
telnet timeout 5
ssh 1.2.3.3 255.255.255.240 internet1-outside
ssh 1.2.2.2 255.255.255.255 internet1-outside
ssh 1.2.2.2 255.255.255.255 internet2-outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy VPN_TG_1 internal
group-policy VPN_TG_1 attributes
vpn-tunnel-protocol IPSec
username ssochelpdesk password xxxxxxxxxxxxxx encrypted privilege 15
username administrator password xxxxxxxxxxxxxx encrypted privilege 15
username vpnuser1 password xxxxxxxxxxxxxx encrypted privilege 0
username vpnuser1 attributes
vpn-group-policy VPN_TG_1
tunnel-group VPN_TG_1 type remote-access
tunnel-group VPN_TG_1 general-attributes
address-pool vpnpool1
default-group-policy VPN_TG_1
tunnel-group VPN_TG_1 ipsec-attributes
pre-shared-key *
class-map cmap-DNS
match access-list DNS-inspect
class-map csc-class
match access-list csc-acl
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class csc-class
csc fail-open
class cmap-DNS
inspect dns preset_dns_map
service-policy global_policy global
prompt hostname context
Cryptochecksum: y0y0y0y0y0y0y0y0y0y0y0y0y0y
: end
Neither Adding dynamic NAT for 192.168.150.0/24 on outside interface works, nor does the sysopt connection permit-vpn works
Please tell what needs to be done here, to hairpin all the traffic to internet comming from VPN Clients.
That is I need clients conected via VPN tunnel, when connected to internet, should have their IP's NAT'ted against the internet2-outside interface address 2.2.2.2, as it happens for the Campus Clients (172.16.0.0/16)
I'm not much conversant with everything involved in here, therefore please be elaborative in your replies. Please let me know if you need any more information regarding this setup to answer my query.
Thanks & Regards
maxsHi Jouni,
Thanks again for your help, got it working. Actually the problem was ASA needed some time after configuring to work properly ( ?????? ). I configured and tested several times within a short period, during the day and was not working initially, GUI packet tracer was showing some problems (IPSEC Spoof detected) and also there was this left out dns. Its working fine now.
But my problem is not solved fully here.
Does hairpinning model allow access to the campus LAN behind ASA also?. Coz the setup is working now as i needed, and I can access Internet with the NAT'ed ip address (outside-interface). So far so good. But now I cannot access the Campus LAN behind the asa.
Here the packet tracer output for the traffic:
packet-tracer output
asa# packet-tracer input internet2-outside tcp 192.168.150.1 56482 172.16.1.249 22
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.0.0 255.255.0.0 campus-lan
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.150.1 255.255.255.255 internet2-outside
Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group internnet1-in in interface internet2-outside
access-list internnet1-in extended permit ip 192.168.150.0 255.255.255.0 any
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: NAT
Subtype:
Result: DROP
Config:
nat (internet2-outside) 1 192.168.150.0 255.255.255.0
match ip internet2-outside 192.168.150.0 255.255.255.0 campus-lan any
dynamic translation to pool 1 (No matching global)
translate_hits = 14, untranslate_hits = 0
Additional Information:
Result:
input-interface: internet2-outside
input-status: up
input-line-status: up
output-interface: internet2-outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
The problem here as you can see is the Rule for dynamic nat that I added to make hairpin work at first place
dynamic nat
asa(config)#nat (internet2-outside) 1 192.168.150.0 255.255.255.0
Is it possible to access both
1)LAN behind ASA
2)INTERNET via HAIRPINNING
simultaneously via a single tunnel-group?
If it can be done, how do I do it. What changes do I need to make here to get simultaneous access to my LAN also?
Thanks & Regards
Abhijit -
Today, when I tried to open web sites in Firefox from my Bookmarks, I could not. I continually received the following error message: This web site does not supply identity information.
I noticed that when I put the cursor on the box to the left of the address, that message appears. There is also '''no''' https:// before the address.
Can anyone help correct this problem? I believe sometime last week I may have fiddled with the Secutity settings in the Tools/Security option box and may have screwed up something trying not to have sites use cookies to track me?
Thanks,
BobYou can set the pref <b>browser.urlbar.trimURLs</b> to <i>false</i> on the <b>about:config</b> page to see the http: protocol.
You can set the pref <b>browser.urlbar.formatting.enabled</b> to <i>false</i> on the <b>about:config</b> page to disable the highlighting of the domain and see the full URL more clearly.
*http://kb.mozillazine.org/about:config
A possible cause is security software (firewall) that blocks or restricts Firefox or the plugin-container process without informing you, possibly after detecting changes (update) to the Firefox program.
Remove all rules for Firefox from the permissions list in the firewall and let your firewall ask again for permission to get full unrestricted access to internet for Firefox and the plugin-container process and the updater process.
See:
*https://support.mozilla.org/kb/Server+not+found
*https://support.mozilla.org/kb/Firewalls -
This might be a simple question. On those sites that do not differentiate between CRT, laptop, tablet etc. such as an iPad Mini and using the Facebook site fir example when going to post a comment and you do not have a enter button on the IPad and the speed is slow how do you get your comments to post if we do not have a enter button?
<Email Edited By Host>I don't have facebook so I cannot answer but for your personal security, I have asked the hosts to remove your e-mail address. It is very unwise to publish this.
-
Can A Site Have Multiple ABOUT Pages
Given the fact that iWeb's layout looks awesome if used in a 'singular' form - for one individual. What if I want to build a site with 'multiple' about pages, per say one for each client. Is there a way to have one 'about button' lead to a page with multiple buttons - that can direct a surfer to one specific page? In other words.
click 'about' -- next page 'multiple selections' -- click 'one selection' -- be lead to one 'about' page.You can use the About page as a template and change anything you want. Add hyper links or let iWeb add the links ontop of the pages.
You'll be able to do what you want.
CaptM -
2 site-site VPNS, PING behaves differently
Site-Site VPNs on an ASA5510, trying to ping between the Local Hosts. One VPN the PING gets reply, the other it doesn't.
Where it works the Log Viewer shows me traffic btween LocalHost/512 and LocalHost/0 - using port 512? Where it does not work I see traffic between LocalHost/1 and LocalHost/0 - using port 1? I think some unwanted translation, or something, is leading the traffic astray, and these port(?) differnences are pointing to it. Any ideas? thanks.I don't control the far end local host. An institution supports many client vpn's at that end, their support says it's ready for me to PING. I ping my local host (locally, of course, not from the tunnel) successfully, I've disabled its firewall long enough to test the VPN. What my ASA5510 firewall log says I'm missing is a "Built Inbound ICMP connection for foreign\0 \ global/1 \ local/1". I get the "Built outbound ICMP connection for foreign/0 \ global/1 \ local\1", and the "Teardown ICMP connection for foreign/0 \ global/1 \ local/1"
On my other VPN, where PING works, I the global and local addresses are always showing global/512 and local/512 instead of global/1 and local/1. -
I submitted a question on the help site and it hasn't shown up in my Dashboard
I was signed in , asked a question on the help site a couple days ago and the question still hasn't shown up in my Dashboard. Please tell me how to get it there and more importantly, how to avoid this in the future.
Try:
iTunes Store: Transferring purchases from your iOS device or iPod to a computer
Are you saying that it is not listed here:
Downloading past purchases from the App Store, iBookstore, and iTunes Store
Is the computer signed into the same iTunes account that purchased the song?
Is it listd in your Purchases History? iTunes>Store>View Accountc>login>Purchase History?
Maybe you are looking for
-
I keep running into this error (-53) when loading music or movies onto my iPod Classic. Any ideas? I have reset the iPod 3 times and still continue to have issues
-
4600 video capturing stuttering on picture using mpeg
Good afternoon. I'm new to video capturing but seem to have a bit of a problem. I can capture fine in the bundled WinProducer when I use the AVI setting but it generates some rather large files, 300meg/minute or so. When i set it to capture at the mp
-
How to open .dbf Files (xBase) in Crystal Report V14?
Hey, I try to open a .DBF File (XBASE) with SAP Crystal Report V14. As result an error message appears: "Datenbank-Connector-Fehler: " followed by a lot of chinese signs. What can I do? Opening the same File with Crystal Report V10 worked fine. --> F
-
Help, im using the acrobat 9 standard now and im facing some problem about the Chinese Language. when i open a file that contain Chinese Language, it will show the Words as below. any solution to solve this problem?? Please help me~~ "The Simplified
-
Invoke a subclass method via Superclass reference variable.
Hello, I need to invoke 'subclass' methods from a superclass reference variable as each subclass has a different methods and behaviour. My query is In the Main, when I invoke product.getProductType(),I get a reference back to the Product. I need a re