Remote VPN between ASA5505 and Netscreen SSG140

Similar Messages

• VPN between ASA5505 Easy VPN Server and 881G Router as Easy VPN Client

  Hello,
  I have problem in VPN between ASA5505 Easy VPN Server and 881G Router as Easy VPN Client. ASA 5505 have 7.2.3 software and 881G router have 15.1 software.
  881G is configured as hardware client in network exstention mode, and it is placed behind NAT. ASA5505 is working as server. Same VPN Group works correctly from VPN software clients.
  When I send traffic from 881G client side, in show cryto sessin detail I see encrypted packets. But with same command I dont see decrypted packet on ASA5505 side. On both devices Phase 1 and Phase 2 are UP. 
  VPN is working when I replace ASA5505 with ASA5510  correctly with have 8.4.6 software. But problem is that i need to do this VPN between ASA5505 and 881G.
  Can you help me, how can I debug or troubleshoot this problem ?
  I am unable to update software on ASA5505 side.

  Hello,
  Hire is what my config look like:
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto dynamic-map outside_dyn_map 20 set pfs
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
  crypto dynamic-map outside_dyn_map 40 set pfs
  crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
  crypto dynamic-map outside_dyn_map 60 set pfs
  crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
  crypto dynamic-map outside_dyn_map 80 set pfs
  crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
  crypto dynamic-map outside_dyn_map 100 set pfs
  crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
  crypto dynamic-map outside_dyn_map 120 set pfs
  crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
  crypto dynamic-map outside_dyn_map 140 set pfs
  crypto dynamic-map outside_dyn_map 140 set transform-set ESP-AES-128-SHA
  crypto dynamic-map outside_dyn_map 160 set pfs
  crypto dynamic-map outside_dyn_map 160 set transform-set ESP-3DES-SHA
  crypto dynamic-map outside_dyn_map 180 set pfs
  crypto dynamic-map outside_dyn_map 180 set transform-set ESP-3DES-SHA
  crypto dynamic-map outside_dyn_map 200 set pfs
  crypto dynamic-map outside_dyn_map 200 set transform-set ESP-AES-256-SHA
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 1
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  crypto isakmp policy 2
   authentication pre-share
   encryption 3des
   hash sha
   group 1
   lifetime 86400
  crypto isakmp policy 3
   authentication pre-share
   encryption des
   hash sha
   group 2
   lifetime 86400
  tunnel-group HW-CLIENT-GROUPR type ipsec-ra
  tunnel-group HW-CLIENT-GROUP general-attributes
   address-pool HW-CLIENT-GROUP-POOL
   default-group-policy HW-CLIENT-GROUP
  tunnel-group HW-CLIENT-GROUP ipsec-attributes
   pre-shared-key *******
  group-policy HW-CLIENT-GROUP internal
  group-policy HW-CLIENT-GROUP attributes
   password-storage enable
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value cisco_splitTunnelAcl
   nem enable

• Remote site redundancy IPSEC VPN between 2911 and ASA

  We already have IPSEC VPN connectivity established between sites but would like to introduce some resilience/redundancy at a remote site.
  Site A has an ASA with one internet circuit.
  Site B has a Cisco 2911 with one internet circuit and we have established site-to-site IPSEC VPN connectivity between the 2911 and the ASA.
  Prior to getting the new internet circuit, Site B had a Cisco 877 with an ADSL line which are still available but aren’t currently in use.
  The internet circuit at Site B has dropped a few times recently so we would like to make use of the ADSL circuit (and potentially the 877 router too) as a backup.
  What is the best way of achieving this?
  We thought about running HSRP between the 877 and 2911 routers at Site B and, in the event of a failure of the router or internet circuit, traffic would failover to the 877 and ADSL.
  However, how would Site A detect the failure? Can we simply rely on Dead Peer Detection and list the public IP address of the internet circuit at Site B first with the public IP address used on the ADSL line second in the list on the ASA? What would happen in a failover scenario and, just as important, when service was restored – I’m not sure DPD would handle that aspect correctly?
  I’ve read briefly elsewhere that GRE might be best to use in this scenario – but I can’t use GRE on the ASA. I have an L3 switch behind the ASA which I may be able to make use of? But I don’t want to disrupt the existing IPSEC VPN connectivity already established between the ASA and the 2911.   Can I keep IPSEC between the ASA and 2911 but then run GRE between the L3 switch and the 2911? If so, how would this best be achieved?  And how could I also introduce the 877 and ADSL line into things to achieve the neccessary redundancy?
  Any help/advice would be appreciated!

  Hello,
  I don't think GRE tunnel that you could set up on the switch  behind ASA would be really helpfull. Still site-2-site tunnel you want  to establish between ASA and some routers, but still it is ASA which needs to make decision about which peer to connect to.
  Possible solution would be to do HSRP between both routers on LAN side and with two independent tunnels/crypto maps (one on each of them). On ASA you would need to set up two hosts in set peer. Problem of this solution is that if one router at side B is going to go down and second ADSL line will take over ASA will not do preempt after you main Internet connection is up again. This would happen after ADSL Internet connection will be down.
  Solution to that would be to assign two different public IP addressess on two different interfaces of ASA. Then you attach two crypto maps to both interfaces and by using sla monitor (let's say icmp to main router, if it does not respond then you change routing for remote LAN to second interface) you are selecting which crypto map (with one peer this time) should be used.
  I hope what I wrote makes some sense.

• VPN between Mac and Windows? share printer and USB drive

  Hey everyone, I'm out at college and have a Windows SP2 desktop set up in my room with the printer and our external hard drive. I travel around campus with my macbook pro (10.5), and it'd be really nice to access the printer and my external hard drive.
  Problem is that since its a huge vast network, I think its near impossible to do a direct "IP" connect to it. So the next option is to use a VPN, which I have experience with Windows and Hamachi, but I have no idea how to incorporate a VPN between a mac and a windows computer.
  Thanks!

  Hi Eric and welcome to Discussions and the Apple world.
  Mac OSX can read and write from Windows partitions (like the BootCamp Windows partition you are about to create) when using FAT32 as file system for Windows.
  However with FAT32 you are limited to a partition size of 32GB.
  Mac OSX can also read from Windows partitions that uses the NTFS file system, but it can not write to them unless you use a third-party helper like either Paragons NTFS for Mac http://www.paragon-software.com/home/ntfs-mac/ or NTFS-3G http://www.ntfs-3g.org/
  Windows can not even see or use a Mac OSX partition without additional help by MacDrive http://www.mediafour.com/products/macdrive/
  Regards
  Stefan

• Remote span between Extreme and Cisco switches

  Hello,
  I need to configure remote span between Extreme Networks X460-24p and Cisco Cataylst 2960X switches. 2 IP phones are connected to ports 15 and 17 on Extreme switch, and should be monitored to port 1/0/47 on Cisco switch. Extreme and Cisco switches are interconnected with trunk (port 28 on Extreme with port 1/0/51 on Cisco).
  I configured the following:
  On Extreme switch:
  configure mirror mode enhanced
  enable mirroring to port 28 remote-tag 1000
  configure mirroring add port 17 ingress-and-egress
  configure mirroring add port 15 ingress-and-egress
  On Cisco switch:
  vlan 1000
   name RemoteSPAN
   remote-span
  monitor session 1 destination interface Gi1/0/47
  monitor session 1 source remote vlan 1000
  But this is not working :(
  Does enyone have experience with this? I really need help to make this work.
  Thanks.

  OK, this configuration is actually working :)

• Issue bringing up VPN between ASA and Checkpoint - HELP

  Hi all
  We are having major issues bringing up a vpn between our ASA and third party checkpoint, it seems if the checkpoint initiates the connection it works, but if we initiate it from the ASA it doesnt come up.
  on the ASA I see the following
  any ideas what this is ?
  7
  Jan 30 2014
  11:52:03
  715065
  IP = 159.50.93.1, IKE MM Initiator FSM error history (struct &0x79c4bb68) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY

  Phase 2 failures means several things:
  Encryption domain (interesting traffics) fail to match.  Checkpoint tends to supper net network together, by design,
  Phase 2 parameters such as ESP, PFS and seconds timeouts do not match.
  Why don't you put in relevance configuration on the ASA and if possible, ask the checkpoint firewall guy to do the following on the firewall:
  - output of "uname -a" and "fw ver"
  - is this Nokia, Windows or Secureplatform Checkpoint?
  - run the following commands on the firewall:  "debug ike off", "debug ike trunc"  and send you the ike.elg file.  That file can be decoded with the IKEView.exe and it will tell you exactly where things are wrong. 
  Disable/turn OFF kilobytes timeouts is not the solution. 

• Routable VPN Between ASA and Windows RRAS

  Hi all,
  I'm trying to figure out the best way to create a routable VPN between my production network and a small DR server that I have colo'd offsite.
  On the production side I have an ASA 5515-X (10.1.0.0/23) and on the DR side I have a Windows Server 2012 R2 server running RRAS, DHCP, NAT, and Hyper-V.  The DR server has a virtual environment with a subnet of 10.5.0.0/24 behind NAT (diagram attached for a visual).  I've seen some tutorials online for how to create a routable VPN between the two, some utilizing the Windows Advanced Firwall to create an IPSec tunnel.  So far, I've not been able to get the tunnel to come up.
  Before I spend even more time trying to troubleshoot this, I was wondering what the best way to create a secure connection between these two subnets is and if anybody has done something similar successfully.
  Thanks,
  Jason

  None yet, I've been stuck on this for a while now.  My latest attempt caused the DR site to go offline and required hands-on at the colo site to get it back online due to a bad ipsec policy, so I've backed off a bit on trying things.

• Site to site vpn between RV215W and ASA5510

  Hello,
  We're trying to establish a site to site vpn between a RV215W (firmware version 1.0.0.16) and an ASA5510 (ASA 8.2(3)).  The ASA currently has 5 other IPSec VPN tunnels running.  It sure does look like I've dotted all my "i's" and crossed all my "t's" with respect to both sides of the tunnel.  What I'm seeing from the 5510 is that there is some sort of communication between the two devices but there is no IPSec tunnel established and no traffic is getting beyond either device.  It shows the RV215W connected but 0 bytes Tx and 0 bytes Rx.
  From the RV215W side of things it shows an IPSec SA not established.  The protocol is IKE and the encryption used is 3des.  Both sides have the same preshare key and are using the same settings.  From each device I can ping the public IP address of the other, but I get no further.  I believe I have ACL's set up to allow traffic from both internal networks.  (although I may not - I'm hardly a Cisco guru, just fumbling my way through this...)
  Any guidance/direction would be greatly appreciated.
  Thank you in advance!

  Hello,
  I have found an article that may provide some assistance with your VPN. It has information on more advanced settings on VPNs for the RV215W. I hope that it may be of some use to you.
  Advanced VPN Setup on RV215W
  Hope it helps,
  Andrew Mayfield

• VPN between RV042 and Cisco 2801

  HI
  Kindly help me out. I'm configuring a p2p vpn between a cisco 2801 with IOS 12.3 and a linksys RV042. I'm getting following error on Linksys and Cisco respectively.
  [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
  Dec 19 02:40:42 2011
       VPN Log
      Received informational payload, type NO_PROPOSAL_CHOSEN
  dst             src             state               conn-id     slot    status
  x.x.x.x       x.x.x.x   MM_NO_STATE          0        0       ACTIVE
  Below are my config:
  Linksys RV042:
  Keying Mode: IKE with Preshared Key
  Phase1 DH Group: Group2
  Phase1 Encryption: 3DES
  Phase1 Authentication: MD5
  Phase1 SA Life Time: 28800
  Perfect forward secrecy : enabled
  Phase2 DH Group: Group2
  Phase2 Encryption: 3DES
  Phase2 Authentication: MD5
  Phase2 SA Life Time: 28800
  Preshared Key: xxxxxx
  Cisco 2801:
  crypto isakmp policy 11
  encr 3des
  authentication pre-share
  group 2
  lifetime 28800
  crypto isakmp key xxxxxx address xxxxxx
  no crypto isakmp ccm
  crypto ipsec transform-set STRONGER esp-3des esp-md5-hmac
  crypto map myvpn 10 ipsec-isakmp
  set peer xxxxxx
  set transform-set STRONGER
  set pfs group2
  match address 103
  interface FastEthernet0/0
  ip address 10.0.0.56 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  no ip route-cache
  duplex auto
  speed auto
  no mop enabled
  interface FastEthernet0/1
  ip address xxxx xxxx
  ip nat outside
  ip virtual-reassembly
  no ip route-cache
  duplex auto
  speed auto
  crypto map myvpn
  ip nat pool branch xxxxxx xxxxx netmask 255.255.255.240
  ip nat inside source route-map nonat pool branch overload
  access-list 103 permit ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
  access-list 110 deny   ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
  access-list 110 permit ip 10.0.0.0 0.0.0.255 any
  snmp-server community public RO
  route-map nonat permit 10
  match ip address 110
  Rgards
  SAM

  Hi,
  It looks like you are using the default hash for the crypto isakmp policy and that your connection is failing on the phase 1 negotiation.  The default hash on the crypto isakmp policy is sha.  On the 2801 try adding hash md5.
  crypto isakmp policy 11
  encr 3des
  hash md5
  authentication pre-share
  group 2
  lifetime 28800
  Let me know if that helps.
  Thank you,
  Jason NIckle

• VPN between WRVS4400N and CISCO 857 router

  Hi ALL,
  Am trying to VPN the two and have setup the WRVS4400N side using IPSec (seems easy enough). Has anyone any experience on the 857 router side? Would you kindly show how that can be configured? Or just point me to any good source doing it will be good too. Thanks!

  ip nat inside source route-map nonat interface FastEthernet0 overload
  access-list 110 deny ip 10.20.10.0 0.0.0.255 10.10.10.0 0.0.0.255
  access-list 110 permit ip 10.20.10.0 0.0.0.255 any
  route-map nonat permit 10
  match ip address 110
  or better (if you have for example the IP public 1.2.3.5)
  ip nat pool 1.2.3.5 1.2.3.5 1.2.3.5 prefix-length 30
  ip nat inside source list nat-to-internet pool 1.2.3.5 overload
  ip access-list extended nat-to-internet
  deny   ip 10.20.10.0 0.0.0.255 10.10.10.0 0.0.0.255
  permit ip 10.20.10.0 0.0.0.255 any
  deny   ip any any

• VPN between IOS and ASA

  Hello my friends,
  I have been trying to establish VPN connectivity between IOS cisco router and ASA firewall over the internet - no luck so far. I think I am missing some important bit of the configuration.
  Here are my configuration commands:
  Router:
  crypto isakmp policy 20
  encryption 3des
  auth pre-share
  hash md5
  group 2
  crypto isakmp key XXX address 103.252.AAA.AAA
  crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
  crypto map MAP 5 ipsec-isakmp
  set transform 3DES-MD5
  match address VPN
  set peer 103.252.AAA.AAA
  ip access-list extended VPN
   permit ip 10.110.25.0 0.0.0.255 10.10.0.0 0.0.255.255
   permit icmp 10.110.25.0 0.0.0.255 10.10.0.0 0.0.255.255
  ASA commands:
  sysopt connection permit-vpn
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash md5
  tunnel-group 203.167.BBB.BBB type ipsec-l2l
  tunnel-group 203.167.BBB.BBB ipsec-attributes
  pre-shared-key XXX
  access-list LIST permit ip 10.10.0.0 255.255.0.0 10.110.25.0 255.255.255.0
  access-list LIST permit icmp 10.10.0.0 255.255.0.0 10.110.25.0 255.255.255.0
  crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
  crypto map VPN 10 set transform-set 3DES-MD5
  crypto map VPN 10 match address LIST
  crypto map VPN 10 set peer 203.167.BBB.BBB
  crypto map VPN interface outside
  Do you have any idea what is wrong? Thank you a lot in advance.

  I managed to get this from the show crypto ipsec sa
       local crypto endpt.: 203.167.BBB.BBB, remote crypto endpt.: 103.252.AAA.AAA
       path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
       current outbound spi: 0x0(0)
       PFS (Y/N): N, DH group: none
       inbound esp sas:
       inbound ah sas:
       inbound pcp sas:
       outbound esp sas:
       outbound ah sas:
       outbound pcp sas:
       local crypto endpt.: 203.167.BBB.BBB, remote crypto endpt.: 103.252.AAA.AAA
       path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
       current outbound spi: 0x0(0)
       PFS (Y/N): N, DH group: none
  And  details from show crypto session detail
  Interface: GigabitEthernet0/1
  Session status: DOWN
  Peer: 103.252.AAA.AAA port 500 fvrf: (none) ivrf: (none)
        Desc: (none)
        Phase1_id: (none)
    IPSEC FLOW: permit 1 10.110.25.0/255.255.255.0 10.10.0.0/255.255.0.0
          Active SAs: 0, origin: crypto map
          Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
          Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0

• VPN between ASA and IOS router

  We have established a VPN tunnel between IOS router and ASA, however it i working only from the latter. What are the common dissimilarities whcih occur between these two devices when setting up VPN?

  Do a search for the following on cisco.com- "Most Common L2L and Remote Access IPSec VPN Troubleshooting Solutions"
  It should help fix any problems.
  HTH and please rate.

• VPN for Mac. Want to create VPN between Mac and Windows XP

  Hey everyone, I'm looking to try and create a VPN for when I'm in college between my Desktop I'll have in my dorm (running Windows XP) and my Macbook Pro (running Mac 10.5). I have a printer and an external hard drive hooked up to my desktop, and I want to make it so that only I can access it through the VPN.
  Is this possible?

  Hi soccerdude21490-
  +Is this possible?+
  Theoretically yes. However, it would be up to the school to allow you access through their network.
  The first step would be to contact the school's IT department and ask them if they will allow such a connection, and if so, could they please provide you with the settings (ip address etc.).
  Luck-
  -DP

• S-S VPN between ASA and ASR1001

  Hello
  we have 2 ASR routers at HQ connected to ISP and there are new remote sites that needs to be connected to HQ via site to site VPN. Each remote branch will have ASA, The outside IPs of both ASRs are in same subnet. 
  1. Is it possible to acheive redudancy in HQ side in this design ? 
  2. Can i create L2L tunnels to both ASRs ? If yes how can i make 1 tunnel active and other secondary ?
                                                                                                                      |ASR1
    Users--------L3SW--------ASA---------------ISP----------CPE---------------|
                                                                                                                      |ASR2
  Any suggestions are welcome
  Thanks

  There are two ways:
  Stateful Failover for IPsec
  http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnav/configuration/15-mt/sec-vpn-availability-15-mt-book/sec-state-fail-ipsec.html
  http://packetlife.net/blog/2009/aug/17/fun-ipsec-stateful-failover/
  VPN-config with two peers an the ASA.
  Here you have two individual gateways on the HQ and the ASA has two tunnel-groups fr both gateways but only one sequence in the crypto-map. The peer-statement has both HQ-IPs configured.

• VPN between ASA5520 and Checkpoint r55

  Hello all,
  i hope that you will help me on this strange issue .
  we are trying to configure the vpn with our provider we are on Asa and the use Checkpoint , vpn seem to be established on phase 1 and phase 2 too.
  bur when i send ping packets seem to los on tunnel and other side do not see them.
  Asa is after a onother firewall and outside interface of this asa is nated on this perimeter firewall
  when we send ping i see that there are encapsulated but no packed back to be decapsulated.
  is there any known issue to consider in my case.
  regards

  hello,
  phase 1 of VPN is established normaly and i see tunnel normaly as other tunnels when sh crypto isakmp Sa writen
  als o phase 2 is established , encapsulation is in place but decapsulation has no count, it seems that packet is loss in tulen and is not delivered in other end. see below sh crypto ipsec sa comand output
  please let me know what you else will need.
  regards
  access-list TOFORTINET-DMZ_3_cryptomap extended permit ip host 192.168.7.5 host X.X.x.x
        local ident (addr/mask/prot/port): (192.168.7.5/255.255.255.255/0/0)
        remote ident (addr/mask/prot/port): (x.x.x.x/255.255.255.255/0/0)
        current_peer: y.y.y.y
        #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 12, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: 192.168.2.1, remote crypto endpt.: x.x.x.x.
        path mtu 1500, ipsec overhead 58, media mtu 1500
        current outbound spi: 48DCB726
        current inbound spi : D418BB15
      inbound esp sas:
        spi: 0xD418BB15 (3558390549)
           transform: esp-3des esp-md5-hmac no compression
           in use settings ={L2L, Tunnel, PFS Group 2, }
           slot: 0, conn_id: 5906432, crypto-map: TOFORTINET-DMZ_map
           sa timing: remaining key lifetime (kB/sec): (4374000/28738)
           IV size: 8 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001
      outbound esp sas:
        spi: 0x48DCB726 (1222424358)
           transform: esp-3des esp-md5-hmac no compression
           in use settings ={L2L, Tunnel, PFS Group 2, }
           slot: 0, conn_id: 5906432, crypto-map: TOFORTINET-DMZ_map
           sa timing: remaining key lifetime (kB/sec): (4373999/28733)
           IV size: 8 bytes
           replay detection support: Y
           Anti replay bitmap: