Reverse Routing
Hi, below I am enclosing a basic view of my network.
I configured NAT exemption in my ASA 5520:
nat (inside) 0 172.20.0.0 255.255.0.0
The routes in the ASA are:
route outside 0.0.0.0 0.0.0.0 122.x.x.33 1
route inside 172.0.0.0 255.0.0.0 172.x.x.1 1
and I configured PAT on my 2801 router's inside interface, where there is a route as follows:
ip route 0.0.0.0 0.0.0.0 122.x.x.50
ip route 172.16.0.0 255.240.0.0 122.x.x.44
My question is: I want to configure PAT on my ASA 5520 and remove NAT from the 2801 router. How should I change the route commands in both the ASA and the router?
Please help me in this regard.
As far as I can see, you do not need to change any route commands.
However, you may remove
ip route 172.16.0.0 255.240.0.0 122.x.x.44
as the firewall outside and router inside interfaces are directly connected, a conclusion I drew after reading the statement "configured PAT over my 2801 router *inside* interface".
Keeping the route wouldn't cause any problem anyway.
Remember to Rate me if helpful.
Similar Messages
-
Adding Reverse Route causes 50% loss
I am building some IPsec tunnels where the remote locations have dynamic IP addresses. It works fine, but I need to add more sites; right now I just have the one. When I add the reverse route statement, I start getting 50% packet loss based on ping responses "!.!.!.!.!.!.!.!". If I remove the RR it works fine: "!!!!!!!!!!". The question is, what am I doing wrong, or do I really need the reverse route? Right now the ACL is for the one subnet of the current location, but I will be adding more sites. How would I adjust the ACL for more remote subnets if the remote sites are doing split tunneling and the ACLs must match?
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 7200
crypto isakmp key (PASSWORD) address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 20 periodic
crypto ipsec security-association lifetime seconds 1800
crypto ipsec transform-set NAMECRYPTset esp-3des esp-md5-hmac
crypto dynamic-map NAMECRYPTmap 10
set transform-set NAMECRYPTset
match address 115
I removed the reverse route, and also removed "match address 115", as neither is needed in this scenario.
I think this will be what I am needing, but I am still curious as to why the RR appears to drop packets. I don't need it now because I will not be advertising those routes, but I am still wondering. -
Firewall reverse routing issue:
Dear Friends,
I am using an ASA 5505 with the base license and the ISP connected directly to the firewall, while the L3 switch is also connected through the firewall.
My configuration is:
ASA Version 7.2(4)
hostname CiscoFirewall03316
domain-name default.domain.invalid
enable password Ko5SCsPM2YQ1wt2G encrypted
passwd Ko5SCsPM2YQ1wt2G encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 10.192.32.11 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 112.23.24.25 255.255.255.248
interface Vlan10
no nameif
security-level 90
ip address 192.168.0.3 255.255.240.0
interface Vlan50
no nameif
security-level 80
ip address 10.195.32.15 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
switchport access vlan 10
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 50
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone IST 5 30
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 121.242.190.181
name-server 121.242.190.210
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list in_out extended permit ip any any
access-list out_in extended permit ip any any
access-list out_in extended permit ip any 112.23.24.25 255.255.255.248
access-list cisco_splitTunnelAcl standard permit 0.0.0.0 255.255.255.0
access-list cisco_splitTunnelAcl_1 standard permit any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ciscouser 10.10.10.240-10.10.10.249 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group in_out in interface inside
access-group out_in in interface outside
route inside 192.168.0.0 255.255.240.0 192.168.0.2 1
route outside 0.0.0.0 0.0.0.0 112.23.24.25 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 10.192.32.0 255.255.255.0 inside
http 112.23.24.0 255.255.255.248 outside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set TRANS_ESP_DES_SHA
crypto dynamic-map outside_dyn_map 100 set pfs
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 120 set pfs
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
client-update enable
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 10.192.32.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet 112.23.24.0 255.255.255.0 outside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server none
vpn-tunnel-protocol l2tp-ipsec
group-policy cisco internal
group-policy cisco attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value cisco_splitTunnelAcl_1
username test password tFqxsrS5ErBk4STW encrypted privilege 0
username test attributes
vpn-group-policy cisco
username admin password V5OS2TRb/vQZ7oZ9 encrypted
username ciscouser password 6aU35/UOvPoumpKWCFYSig== nt-encrypted privilege 0
username ciscouser attributes
vpn-group-policy DefaultRAGroup
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup general-attributes
address-pool ciscouser
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
policy-map type inspect im Google
parameters
match protocol msn-im yahoo-im
drop-connection log
service-policy global_policy global
prompt hostname context
Cryptochecksum:a883391680fa205ee31f05881761958c
: end
Everything is running fine on VLAN 1, but VLAN 10 is not working from the user end; there is no ping from inside of 192.168.0.2.
Please advise me. Thanks
There are 2 conflicting configurations:
interface Vlan10
no nameif
security-level 90
ip address 192.168.0.3 255.255.240.0
and "route inside 192.168.0.0 255.255.240.0 192.168.0.2 1"
How do you want to connect VLAN 10? Is it on its own interface on the firewall? If it is, then you would need to configure a name for it via the nameif command and remove the above route inside.
If it is going to be a routed subnet via the inside interface, then the above route needs to be modified as follows:
route inside 192.168.0.0 255.255.240.0 10.192.32.x
--> 10.192.32.x needs to be the next hop, which is the VLAN 1 interface IP of your L3 switch,
and you would also need to shut down interface VLAN 10 on the ASA and remove its IP address. -
Cisco ASA 5505 VPN connection issue ("Unable to add route")
I'm trying to get IPSec VPN working onto a new Cisco ASA5505. Pretty standard configuration.
Setup:
* Cisco VPN client on Windows 7 (v5.0.07.0290 x64 on Laptop1 and v5.0.07.0440 x64 on Laptop2)
* PPPoE/NAT and internal DHCP on the ASA were configured with the Startup Wizard in ASDM
NATting is working fine - internal PCs get an IP address in the 192.168.2.0/24 range and can all access the Internet.
I wanted to be able to connect from anywhere to the ASA in order to reach one of the internal servers. Should be pretty basic.
First I tried with the built-in ASDM IPSec Wizard, instructions found here.
VPN clients can connect to the ASA, are connected (until they're manually disconnected), but cannot reach the internal network nor the Internet. Note VPN client can connect fine to a different VPN site (not administered by myself).
Client logs show following error messages:
1 15:53:09.363 02/11/12 Sev=Warning/3 IKE/0xA300005F
Firewall, Cisco Intrusion Prevention Security Agent, is not running, the client will not send firewall information to concentrator.
2 15:53:13.593 02/11/12 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination 192.168.1.255
Netmask 255.255.255.255
Gateway 172.16.1.1
Interface 172.16.1.101
3 15:53:13.593 02/11/12 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100165, Gateway: ac100101.
4 15:54:30.425 02/11/12 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.1.101, error 0
5 15:54:31.433 02/11/12 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.1.101, error 0
6 15:54:32.445 02/11/12 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0
7 20:50:45.355 02/11/12 Sev=Warning/3 IKE/0xA300005F
Firewall, Cisco Intrusion Prevention Security Agent, is not running, the client will not send firewall information to concentrator.
8 20:50:50.262 02/11/12 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination 192.168.1.255
Netmask 255.255.255.255
Gateway 172.16.1.1
Interface 172.16.1.100
9 20:50:50.262 02/11/12 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100164, Gateway: ac100101.
I've already tried the suggestions from this link, although the problem is different there (as the user can still access the internet, even without split tunneling, which I cannot).
A show run shows the following output (note in the below I have tried a different VPN network: 192.168.3.0/24 instead of 172.16.1.0/24 seen in the Client log)
Result of the command: "sh run"
: Saved
ASA Version 8.2(5)
hostname AsaDWD
enable password kLu0SYBETXUJHVHX encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group DW-VPDN
ip address pppoe setroute
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool DWD-VPN-Pool 192.168.3.5-192.168.3.15 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group DW-VPDN request dialout pppoe
vpdn group DW-VPDN localname fa******@SKYNET
vpdn group DW-VPDN ppp authentication pap
vpdn username fa******@SKYNET password *****
dhcpd auto_config outside
dhcpd address 192.168.2.5-192.168.2.36 inside
dhcpd domain DOMAIN interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DWD internal
group-policy DWD attributes
vpn-tunnel-protocol IPSec
username test password ******* encrypted privilege 0
username test attributes
vpn-group-policy DWD
tunnel-group DWD type remote-access
tunnel-group DWD general-attributes
address-pool DWD-VPN-Pool
default-group-policy DWD
tunnel-group DWD ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:3e6c9478a1ee04ab2e1e1cabbeddc7f4
: end
I've installed everything using the CLI as well (after a factory reset). This, however, yielded exactly the same issue.
The following commands have been entered:
ip local pool vpnpool 172.16.1.100-172.16.1.199 mask 255.255.255.0
username *** password ****
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp enable outside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp nat-traversal
sysopt connection permit-ipsec
sysopt connection permit-vpn
group-policy dwdvpn internal
group-policy dwdvpn attributes
vpn-tunnel-protocol IPSec
default-domain value DWD
tunnel-group dwdvpn type ipsec-ra
tunnel-group dwdvpn ipsec-attributes
pre-shared-key ****
tunnel-group dwdvpn general-attributes
authentication-server-group LOCAL
default-group-policy dwdvpn
Unfortunately I'm getting the same "AddRoute failed to add a route with metric of 0: code 160" error message.
I'm very confused as this should be a pretty standard setup. I tried to follow the instructions on the Cisco site to the letter...
The only "differences" in my setup are an internal network of 192.168.2.0 (with ASA IP address 192.168.2.254) and PPPoE with DHCP instead of no PPPoE at all.
Does anyone know what's going on?
Yes, I have tried from a different laptop - same results. Using that laptop I can connect to a different IPSec site without issues.
Please find my renewed config below:
DWD-ASA(config)# sh run
: Saved
ASA Version 8.2(5)
hostname DWD-ASA
enable password ******* encrypted
passwd ****** encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group DWD
ip address pppoe setroute
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.224
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.50.10-192.168.50.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
vpdn group DWD request dialout pppoe
vpdn group DWD localname *****@SKYNET
vpdn group DWD ppp authentication pap
vpdn username *****@SKYNET password *****
dhcpd auto_config outside
dhcpd address 192.168.2.10-192.168.2.40 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy dwdipsec internal
group-policy dwdipsec attributes
vpn-tunnel-protocol IPSec
default-domain value DWDDOM
username user1 password ***** encrypted privilege 0
username user1 attributes
vpn-group-policy dwdipsec
tunnel-group dwdipsec type remote-access
tunnel-group dwdipsec general-attributes
address-pool vpnpool
default-group-policy dwdipsec
tunnel-group dwdipsec ipsec-attributes
pre-shared-key *****
tunnel-group dwdssl type remote-access
tunnel-group dwdssl general-attributes
address-pool vpnpool
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f5c8dd644aa2a27374a923671da1c834
: end
DWD-ASA(config)# -
S2S VPN - ASA 5505 to ASA 5540 - Routing Problems
I'm a software developer (no doubt the issue) trying to set up my remote office (5505) to the main office (5540). No problem getting the S2S VPN up, but I definitely have problems with the routing. Using tracert, it shows the traffic going into the remote network for a couple of hops, but then timing out. Packet tracer shows everything is fine. Using my client VPN credentials to the remote network, it is the same on the return path: it does a few hops, then gets lost. I've stripped down the config to the basics and ensured it isn't security settings on both ends, but it still doesn't work. I've spent A LOT of hours trying to get this to work, so thanks for any assistance!
Current running config:
ASA Version 8.2(5)
hostname asa15
enable password XXXXX encrypted
passwd XXXXX encrypted
names
name 10.0.0.0 remote-network
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 172.16.5.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
ftp mode passive
access-list outside_1_cryptomap extended permit ip 172.16.5.0 255.255.255.0 remote-network 255.0.0.0
access-list inside_nat0_outbound extended permit ip 172.16.5.0 255.255.255.0 remote-network 255.0.0.0
access-list inside_access_in extended permit ip 172.16.5.0 255.255.255.0 remote-network 255.0.0.0
access-list inside_nat0_outbound_1 extended permit ip 172.16.5.0 255.255.255.0 remote-network 255.0.0.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm location remote-network 255.0.0.0 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 99.X.X.7 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.16.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 99.X.X.7
crypto map outside_map 1 set transform-set ESP-AES-128-SHA
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
vpn-addr-assign local reuse-delay 5
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 172.16.5.100-172.16.5.130 inside
dhcpd auto_config outside interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
tunnel-group 99.X.X.7 type ipsec-l2l
tunnel-group 99.X.X.7 ipsec-attributes
pre-shared-key XXXXX
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end
Just out of curiosity, why do you have
route outside 0.0.0.0 0.0.0.0 99.X.X.7 1
You already set your default route through DHCP setroute under the interface. This could be the issue.
If your VPN config is ok and you are seeing encaps/decaps, it is likely a routing issue.
Does the remote device have the correct default gateway?
May be a Natting issue if you have a one-way tunnel (usually send but no receive)...
Patrick -
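The two replies above point at the same class of mistake: a static route that disagrees with what the interfaces already say. In the 5505 thread, VLAN 10 carries 192.168.0.3/20 without a nameif while a "route inside" statement sends 192.168.0.0/20 to a next hop that is not on the inside subnet; in the 5505-to-5540 thread, a static default route is added on top of the default that "ip address dhcp setroute" already installs. Both are easy to catch with a static check before the config is pushed. The script below is an added example, not code from any of the posters or from Cisco: it parses only the ASA statements involved (interface blocks with nameif and ip address, and route lines, in the flattened, unindented form shown in this thread) and flags a next hop that is not on the egress interface's subnet, a next hop that is the ASA's own interface address (which the posted "route outside 0.0.0.0 0.0.0.0 112.23.24.25 1" happens to be), a static route to a subnet that is already directly connected, an addressed interface with no nameif, and a static default route on an interface that also uses setroute. The two sample configs are constructed, condensed from the threads, with 203.0.113.7 standing in for the masked 99.X.X.7 peer address.

```python
"""Static-route sanity checks for flattened ASA configs (constructed example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Iface:
    name: str                                   # physical/VLAN name, e.g. "Vlan10"
    nameif: Optional[str] = None                # logical name used by route/nat; None if unnamed
    address: Optional[ipaddress.IPv4Address] = None
    network: Optional[ipaddress.IPv4Network] = None
    setroute: bool = False                      # "ip address dhcp|pppoe setroute" seen


@dataclass
class Route:
    ifname: str                                 # egress nameif
    network: ipaddress.IPv4Network
    nexthop: ipaddress.IPv4Address
    text: str                                   # original line, for reporting


# route <nameif> <network> <mask> <next-hop> [metric]
ROUTE_RE = re.compile(r"route (\S+) (\S+) (\S+) (\S+)(?: \d+)?")


def parse_asa(config: str) -> Tuple[Dict[str, Iface], List[Route]]:
    """Extract interface blocks and static routes; everything else is ignored."""
    ifaces: Dict[str, Iface] = {}
    routes: List[Route] = []
    current: Optional[Iface] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current = Iface(name=line.split(None, 1)[1])
            ifaces[current.name] = current
            continue
        m = ROUTE_RE.fullmatch(line)
        if m:
            ifname, net, mask, nh = m.groups()
            routes.append(Route(ifname, ipaddress.IPv4Network(f"{net}/{mask}"),
                                ipaddress.IPv4Address(nh), line))
            current = None                      # route statements live outside interface blocks
            continue
        if current is None:
            continue
        parts = line.split()
        if parts[0] == "nameif":                # "no nameif" does not match and is skipped
            current.nameif = parts[1]
        elif parts[:2] == ["ip", "address"]:
            if parts[2] in ("dhcp", "pppoe"):
                current.setroute = "setroute" in parts
            else:
                current.address = ipaddress.IPv4Address(parts[2])
                current.network = ipaddress.IPv4Network(f"{parts[2]}/{parts[3]}", strict=False)
    return ifaces, routes


def check(ifaces: Dict[str, Iface], routes: List[Route]) -> List[str]:
    """Return human-readable findings; an empty list means no routing conflicts found."""
    findings: List[str] = []
    for i in ifaces.values():
        if i.address is not None and i.nameif is None:
            findings.append(f"interface {i.name}: has address {i.address} but no nameif, "
                            f"so the ASA will not pass traffic on it")
    by_nameif = {i.nameif: i for i in ifaces.values() if i.nameif}
    for r in routes:
        egress = by_nameif.get(r.ifname)
        if egress is None:
            findings.append(f"{r.text}: no interface has nameif '{r.ifname}'")
            continue
        if egress.network is not None:
            if r.nexthop == egress.address:
                findings.append(f"{r.text}: next hop {r.nexthop} is the ASA's own {egress.nameif} address")
            elif r.nexthop not in egress.network:
                findings.append(f"{r.text}: next hop {r.nexthop} is not on {egress.nameif} ({egress.network})")
        for i in ifaces.values():
            if i.network is not None and i.network == r.network:
                findings.append(f"{r.text}: {r.network} is already directly connected on {i.name}")
        if r.network.prefixlen == 0 and egress.setroute:
            findings.append(f"{r.text}: {egress.nameif} already installs a default route via setroute")
    return findings


def lint(config: str) -> List[str]:
    return check(*parse_asa(config))


# Constructed sample, condensed from the ASA 5505 "Firewall reverse routing issue" post.
SAMPLE_VLAN10 = """
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.192.32.11 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 112.23.24.25 255.255.255.248
interface Vlan10
 no nameif
 security-level 90
 ip address 192.168.0.3 255.255.240.0
route inside 192.168.0.0 255.255.240.0 192.168.0.2 1
route outside 0.0.0.0 0.0.0.0 112.23.24.25 1
"""

# Constructed sample, condensed from the 5505-to-5540 post; 203.0.113.7 stands in for 99.X.X.7.
SAMPLE_SETROUTE = """
interface Vlan1
 nameif inside
 ip address 172.16.5.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address dhcp setroute
route outside 0.0.0.0 0.0.0.0 203.0.113.7 1
"""

if __name__ == "__main__":
    for label, cfg in (("vlan10", SAMPLE_VLAN10), ("setroute", SAMPLE_SETROUTE)):
        print(f"== {label} ==")
        for finding in lint(cfg):
            print(" -", finding)
```

Run it as-is to see the four findings for the VLAN 10 config and the single duplicate-default finding for the setroute config; feed it the output of "show running-config" to lint a live box. The check is deliberately narrow: it knows nothing about NAT, crypto maps or dynamic routing, so a clean result means only that the static routes agree with the interface addressing.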
Hi friends,
Here is the configuration of my C1841 router for the Cisco IPsec remote access VPN. I was able to establish a VPN session properly, but after that I can only reach the inside interfaces of the router, not the LAN devices.
Below is the output from the router.
r1#sh run
Building configuration...
Current configuration : 3488 bytes
! Last configuration change at 20:07:20 UTC Tue Apr 23 2013 by ramana
! NVRAM config last updated at 11:53:16 UTC Sun Apr 21 2013 by ramana
version 15.1
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname r1
boot-start-marker
boot-end-marker
enable secret 5 $1$6RzF$L6.zOaswedwOESNpkY0Gb.
aaa new-model
aaa authentication login local-console local
aaa authentication login userauth local
aaa authorization network groupauth local
aaa session-id common
dot11 syslog
ip source-route
ip cef
ip domain name r1.com
multilink bundle-name authenticated
license udi pid CISCO1841 sn FHK145171DM
username ramana privilege 15 secret 5 $1$UE7J$u9nuCPGaAasL/k7CxtNMj.
username giet privilege 15 secret 5 $1$esE5$FD9vbBwTgHERdRSRod7oD.
redundancy
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group ra-vpn
key xxxxxx
domain r1.com
pool vpn-pool
acl 150
save-password
include-local-lan
max-users 10
crypto ipsec transform-set my-vpn esp-3des esp-md5-hmac
crypto dynamic-map RA 1
set transform-set my-vpn
reverse-route
crypto map ra-vpn client authentication list userauth
crypto map ra-vpn isakmp authorization list groupauth
crypto map ra-vpn client configuration address respond
crypto map ra-vpn 1 ipsec-isakmp dynamic RA
interface Loopback0
ip address 10.2.2.2 255.255.255.255
interface FastEthernet0/0
bandwidth 8000000
ip address 117.239.xx.xx 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map ra-vpn
interface FastEthernet0/1
description $ES_LAN$
ip address 192.168.10.252 255.255.255.0 secondary
ip address 10.10.10.1 255.255.252.0 secondary
ip address 172.16.0.1 255.255.252.0 secondary
ip address 10.10.7.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ip local pool vpn-pool 172.18.1.1 172.18.1.100
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip dns server
ip nat pool INTERNETPOOL 117.239.xx.xx 117.239.xx.xx netmask 255.255.255.240
ip nat inside source list 100 pool INTERNETPOOL overload
ip route 0.0.0.0 0.0.0.0 117.239.xx.xx
access-list 100 permit ip 10.10.7.0 0.0.0.255 any
access-list 100 permit ip 10.10.10.0 0.0.1.255 any
access-list 100 permit ip 172.16.0.0 0.0.3.255 any
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 150 permit ip 10.10.7.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 150 permit ip host 10.2.2.2 172.18.1.0 0.0.0.255
access-list 150 permit ip 192.168.10.0 0.0.0.255 172.18.1.0 0.0.0.255
control-plane
line con 0
login authentication local-console
line aux 0
line vty 0 4
login authentication local-console
transport input telnet ssh
scheduler allocate 20000 1000
end
r1>sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 117.239.xx.xx to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 117.239.xx.xx
10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
C 10.2.2.2/32 is directly connected, Loopback0
C 10.10.7.0/24 is directly connected, FastEthernet0/1
L 10.10.7.1/32 is directly connected, FastEthernet0/1
C 10.10.8.0/22 is directly connected, FastEthernet0/1
L 10.10.10.1/32 is directly connected, FastEthernet0/1
117.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 117.239.xx.xx/28 is directly connected, FastEthernet0/0
L 117.239.xx.xx/32 is directly connected, FastEthernet0/0
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.0.0/22 is directly connected, FastEthernet0/1
L 172.16.0.1/32 is directly connected, FastEthernet0/1
172.18.0.0/32 is subnetted, 1 subnets
S 172.18.1.39 [1/0] via 49.206.59.86, FastEthernet0/0
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/24 is directly connected, FastEthernet0/1
L 192.168.10.252/32 is directly connected, FastEthernet0/1
r1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
117.239.xx.xx 49.206.59.86 QM_IDLE 1043 ACTIVE
IPv6 Crypto ISAKMP SA
r1#sh crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: giet-vpn, local addr 117.239.xx.xx
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.18.1.39/255.255.255.255/0/0)
current_peer 49.206.59.86 port 50083
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 117.239.xx.xx, remote crypto endpt.: 49.206.xx.xx
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x550E70F9(1427009785)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x5668C75(90606709)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2089, flow_id: FPGA:89, sibling_flags 80000046, crypto map: ra-vpn
sa timing: remaining key lifetime (k/sec): (4550169/3437)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x550E70F9(1427009785)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2090, flow_id: FPGA:90, sibling_flags 80000046, crypto map: ra-vpn
sa timing: remaining key lifetime (k/sec): (4550170/3437)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
hi Maximilian Schojohann,
First I would like to thank you for showing interest in solving my issue. After some research I found that disabling "ip cef" solves the issue. When I disable it I am able to communicate successfully with the router LAN. But when I disable "ip cef" the router CPU goes to 99% and hangs.
In the output of "sh process cpu" it shows 65% utilization from "IP INPUT".
So please give me an alternate solution. Thanks in advance. -
RA VPN into ASA5505 behind C871 Router with one public IP address
Hello,
I have a network like below for testing remote access VPN to ASA5505 behind C871 router with one public IP address.
PC1 (with VPN client)----Internet-----Modem----C871------ASA5505------PC2
The public IP address is assigned to the outside interface of the C871. The C871 forwards incoming UDP 500, UDP 4500 and ESP traffic to the outside interface of the ASA, which has a private IP address. PC1 can establish a secure tunnel to the ASA. However, it is not able to ping or access PC2, and PC2 is also not able to ping PC1. PC1 encrypts packets to PC2, but the ASA does not encrypt packets to PC1. Maybe a NAT problem? I understand that removing the C871 and just using the ASA makes the VPN much simpler and easier, but I would like to understand why it is not working with the current setup and learn how to troubleshoot and fix it. Here are the running configs for the C871 and the ASA. Thanks in advance for your help!
C871:
version 15.0
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
hostname router
boot-start-marker
boot-end-marker
enable password 7 xxxx
aaa new-model
aaa session-id common
clock timezone UTC -8
clock summer-time PDT recurring
dot11 syslog
ip source-route
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.2.2
ip dhcp pool dhcp-vlan2
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
ip cef
ip domain name xxxx.local
no ipv6 cef
multilink bundle-name authenticated
password encryption aes
username xxxx password 7 xxxx
ip ssh version 2
interface FastEthernet0
switchport mode trunk
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
description WAN Interface
ip address 1.1.1.2 255.255.255.252
ip access-group wna-in in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
interface Vlan1
no ip address
interface Vlan2
description LAN-192.168.2
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
interface Vlan10
description router-asa
ip address 10.10.10.1 255.255.255.252
ip nat inside
ip virtual-reassembly
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat inside source list nat-pat interface FastEthernet4 overload
ip nat inside source static 10.10.10.1 interface FastEthernet4
ip nat inside source static udp 10.10.10.2 500 interface FastEthernet4 500
ip nat inside source static udp 10.10.10.2 4500 interface FastEthernet4 4500
ip nat inside source static esp 10.10.10.2 interface FastEthernet4
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 10.10.10.0 255.255.255.252 10.10.10.2
ip route 192.168.2.0 255.255.255.0 10.10.10.2
ip access-list standard ssh
permit 0.0.0.0 255.255.255.0 log
permit any log
ip access-list extended nat-pat
deny ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended wan-in
deny ip 192.168.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.255.0.0 0.0.255.255 any
deny ip 255.0.0.0 0.255.255.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip host 0.0.0.0 any
deny icmp any any fragments log
permit tcp any any established
permit icmp any any net-unreachable
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit esp any any
permit icmp any any host-unreachable
permit icmp any any port-unreachable
permit icmp any any packet-too-big
permit icmp any any administratively-prohibited
permit icmp any any source-quench
permit icmp any any ttl-exceeded
permit icmp any any echo-reply
deny ip any any log
control-plane
line con 0
exec-timeout 0 0
logging synchronous
no modem enable
line aux 0
line vty 0 4
access-class ssh in
exec-timeout 5 0
logging synchronous
transport input ssh
scheduler max-task-time 5000
end
ASA:
ASA Version 9.1(2)
hostname asa
domain-name xxxx.local
enable password xxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd xxxx encrypted
names
ip local pool vpn-pool 192.168.100.10-192.168.100.35 mask 255.255.255.0
interface Ethernet0/0
switchport trunk allowed vlan 2,10
switchport mode trunk
interface Ethernet0/1
switchport access vlan 2
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan2
nameif inside
security-level 100
ip address 192.168.2.2 255.255.255.0
interface Vlan10
nameif outside
security-level 0
ip address 10.10.10.2 255.255.255.252
ftp mode passive
clock timezone UTC -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name xxxx.local
object network vlan2-mapped
subnet 192.168.2.0 255.255.255.0
object network vlan2-real
subnet 192.168.2.0 255.255.255.0
object network vpn-192.168.100.0
subnet 192.168.100.0 255.255.255.224
object network lan-192.168.2.0
subnet 192.168.2.0 255.255.255.0
access-list no-nat-in extended permit ip 192.168.2.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list vpn-split extended permit ip 192.168.2.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static lan-192.168.2.0 lan-192.168.2.0 destination static vpn-192.168.100.0 vpn-192.168.100.0 no-proxy-arp route-lookup
object network vlan2-real
nat (inside,outside) static vlan2-mapped
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
http 10.10.10.1 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.2.0 255.255.255.0 inside
ssh 10.10.10.1 255.255.255.255 outside
ssh timeout 20
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy vpn internal
group-policy vpn attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn-split
default-domain value xxxx.local
username xxxx password xxxx encrypted privilege 15
tunnel-group vpn type remote-access
tunnel-group vpn general-attributes
address-pool vpn-pool
default-group-policy vpn
tunnel-group vpn ipsec-attributes
ikev1 pre-shared-key xxxx
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:40c05c90210242a42b7dbfe9bda79ce2
: end
Hi,
I think that you want to control all outbound traffic from the LAN to the outside with the ASA.
I suggest some modifications as shown below.
C871:
interface Vlan2
description LAN-192.168.2
ip address 192.168.2.2 255.255.255.0
no ip nat inside
no ip proxy-arp
ip virtual-reassembly
ip access-list extended nat-pat
no deny ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
no permit ip 192.168.2.0 0.0.0.255 any
deny ip 192.168.2.0 0.0.0.255 any
permit ip 10.10.10.0 0.0.0.255 any
ASA 5505:
interface Vlan2
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
Try them out and respond.
Best regards,
MB -
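A way to confirm the return path once the ASA is the LAN gateway, as an added example that is not part of the thread and not either poster's configuration. It assumes PC2 is 192.168.2.10 and PC1 received 192.168.100.10 from vpn-pool; the client's public address is left as a placeholder. The reason this check matters: in the original addressing the DHCP pool hands out 192.168.2.1 (the C871's Vlan2) as default router, so PC2's replies to 192.168.100.x reach the router rather than the ASA's crypto map, which is consistent with only the client side encrypting.

```cisco
! Added example, not from the thread. Run on the ASA (9.1) after re-addressing.
! Assumed: PC2 = 192.168.2.10, PC1 pool address = 192.168.100.10.

! 1. Simulate PC2's echo reply (ICMP type 0, code 0) towards the VPN client.
!    The trace must end in a VPN encrypt phase with Action: allow. Stopping at a
!    NAT phase means the no-nat twice-NAT rule does not match; stopping at
!    ROUTE-LOOKUP means the ASA has no path to the pool via the outside interface.
asa# packet-tracer input inside icmp 192.168.2.10 0 0 192.168.100.10 detailed

! 2. Both counters should now increase; before the fix only decaps moved.
asa# show crypto ipsec sa peer <client-public-ip> | include pkts

! 3. On the C871 the only entries for the ASA's outside address should be the
!    static UDP/500, UDP/4500 and ESP forwards; no dynamic PAT for 192.168.2.x.
router# show ip nat translations | include 10.10.10.2
```

If step 1 already ends in the encrypt phase but step 2 still shows zero encaps, the replies are not reaching the ASA at all, which points back at PC2's default gateway rather than at the ASA configuration.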
I have a problem: I cannot connect to the remote router. How can I fix that?
This is the current running config:
! Last configuration change at 20:35:58 UTC Tue Mar 27 2012 by Tim
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R1
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
aaa new-model
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
clock timezone UTC 1
clock summer-time UTC recurring
clock calendar-valid
service-module wlan-ap 0 bootimage autonomous
crypto pki trustpoint TP-self-signed-1543950434
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1543950434
revocation-check none
rsakeypair TP-self-signed-1543950434
crypto pki certificate chain TP-self-signed-1543950434
certificate self-signed 01
30820248 308201B1 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31353433 39353034 3334301E 170D3132 30333036 31393539
34335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 35343339
35303433 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C36F 8A3BAC71 481BC354 EB274105 07D37E4F BD9CE8AA 7A5D60A4 974AB4AE
6E4D60A2 60067AB8 0F63A755 0C6D8357 7BFB4F9E 00C01D4F EEE921C1 784B5780
810C7D56 D3047AE5 25353CF8 72248830 FAB69DAA F1F0DC42 901E9B34 33D70CD9
E3F584F2 CF0E4BF0 DD6212E3 6600923E E55F63A7 0FF4E900 EF486B0D 2F4929A2
4F530203 010001A3 70306E30 0F060355 1D130101 FF040530 030101FF 301B0603
551D1104 14301282 1052312E 63757273 6973742E 6C6F6361 6C301F06 03551D23
04183016 80141244 691E3E8D 2F8A97D9 6863DA46 663A149C 7C34301D 0603551D
0E041604 14124469 1E3E8D2F 8A97D968 63DA4666 3A149C7C 34300D06 092A8648
86F70D01 01040500 03818100 4FB84303 1528BD91 B524C2E5 94A2C9CD 244F9452
91373F09 25743A4B EB6CC809 3AA80E47 12F60A4F 3D4CB5E9 F00F99F5 84B9BD6C
0F6741C2 C9CE299C 9785DFCF FDFCB220 BFABA24D 88A9F976 F6844240 CF4B3879
53A30024 804758C8 D325930A 23112429 A74188F2 245950A0 7BD117A0 66D8C9EA
DA483FDC 89949E0D 9CA99F73
quit
ip source-route
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.20.1
ip dhcp excluded-address 10.10.30.1
ip dhcp excluded-address 10.10.40.1
ip dhcp excluded-address 10.10.50.1
ip dhcp excluded-address 10.10.60.1
ip dhcp excluded-address 10.10.70.1
ip dhcp excluded-address 10.10.80.1
ip dhcp excluded-address 10.10.90.1
ip dhcp excluded-address 10.10.100.1
ip dhcp excluded-address 10.10.101.1
ip dhcp excluded-address 10.10.102.1
ip dhcp pool Wired-CISCO_R1_100Mbps_Home
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 10.10.10.1
lease infinite
ip dhcp pool Wireless-CISCO_R1_2.4GHZ_Private
import all
network 10.10.20.0 255.255.255.0
default-router 10.10.20.1
dns-server 10.10.20.1
lease infinite
ip cef
ip domain name cursist.local
ip name-server 195.130.130.131
ip name-server 195.130.131.4
ip dhcp-server 195.130.137.3
ip dhcp-client update dns
no ipv6 cef
username Tim privilege 15 secret 5 $1$4rte$gH2/BK9Z3mKQI.owGI8eL.
username Cisco privilege 14 secret 5 $1$aLzA$TmjIxA44ohxtJMB9iccZZ/
ip ssh rsa keypair-name R1.cursist.local
ip ssh version 2
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 16
crypto isakmp key Cisco12345 address 84.197.160.170
crypto isakmp client configuration group vpn
key sdmsdm
pool SDM_POOL_1
netmask 255.255.255.0
crypto ipsec transform-set T1 ah-sha-hmac esp-aes 256 esp-sha-hmac comp-lzs
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile P1
set transform-set T1
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
interface Tunnel0
no ip address
interface Tunnel1
ip address 10.11.11.1 255.255.255.0
shutdown
tunnel source GigabitEthernet0
tunnel mode ipsec ipv4
tunnel destination 84.197.160.170
tunnel protection ipsec profile P1
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
interface FastEthernet5
interface FastEthernet6
interface FastEthernet7
interface FastEthernet8
ip address 84.196.169.102 255.255.240.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
interface GigabitEthernet0
ip address dhcp client-id GigabitEthernet0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
interface Vlan1
description Wired CISCO_R1_100Mbps
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1460
interface Vlan2
description Wireless CISCO_R1_2.4GHZ_Private
ip address 10.10.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1460
ip local pool SDM_POOL_1 192.168.2.1 192.168.2.5
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source list ACLG interface GigabitEthernet0 overload
ip nat inside source static tcp 10.10.20.1 513 interface GigabitEthernet0 6000
ip nat inside source static tcp 10.10.20.1 22 interface GigabitEthernet0 5000
ip nat inside source static tcp 10.10.10.1 23 interface GigabitEthernet0 8000
ip access-list extended ACLG
permit ip 10.10.10.0 0.0.0.255 any
permit ip 10.10.20.0 0.0.0.255 any
permit ip 10.10.30.0 0.0.0.255 any
permit ip 10.10.40.0 0.0.0.255 any
permit ip 10.10.50.0 0.0.0.255 any
permit ip 10.10.60.0 0.0.0.255 any
permit ip 10.10.70.0 0.0.0.255 any
permit ip 10.10.80.0 0.0.0.255 any
permit ip 10.10.90.0 0.0.0.255 any
permit ip 10.10.100.0 0.0.0.255 any
permit ip 10.10.101.0 0.0.0.255 any
permit ip 10.10.102.0 0.0.0.255 any
deny ip host 10.10.255.1 host 10.20.255.1
logging 10.11.11.2
logging 10.20.10.1
no cdp run
control-plane
banner login
This router is property of :
Tim Mees
Any unauthorized access or attempt to access is explicitly forbidden.
Contact:
Tim Mees
Pctechnician Networkadministrator Webmaster
line con 0
line 2
no activation-character
no exec
transport preferred none
transport input telnet ssh
transport output pad telnet rlogin udptn ssh
line aux 0
line vty 0 4
privilege level 15
transport input telnet rlogin ssh
line vty 5 15
privilege level 15
transport input telnet rlogin ssh
scheduler max-task-time 5000
ntp update-calendar
ntp server 65.55.21.16
end
Add the following:
conf t
line vty 0 15
login local
Sent from Cisco Technical Support iPad App -
Hello,
I use BlackBerry Maps on my 8310 Curve. If I choose a route, everything is fine until my route has nodes with special characters like äöü or ß in them, like Böhmische Straße or Berlin-Neukölln. These are correct in the XML file (which I see if I use the simulator; see the extract below)
// start of extract
_routeXMLstring=<?xml version='1.0' encoding='UTF-8'?>
<location-document>
<route distance='842375' time='32103'>
<instruction x='1344945' y='5247355' a='3' i='14' d='43' n='Böhmische Straße' />
</route>
</location-document>
_routeXMLstring=<?xml version='1.0' encoding='UTF-8'?>
<location-document>
// end of extract
... but they are not displayed correctly on the display of the device, where
Straße becomes Stra?e and
Böhmische becomes B?hmische.
Is there a point or an interface to introduce something like utfdecode or some other string method to correct this?
Thank you very much for your answer.
Christoph Rapp
Here is one way to do it.
Search on the address or touch location on map. Tap to get place details. Tap 3 dot icon bottom right. Tap plan route. Tap the reverse route icon. Tap My Location. Enter search term or address.....
I don't see an easier way to do it.
- Ira -
Hi all, I have a 2811 [Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(11)XJ, RELEASE SOFTWARE (fc1)] and I don't know why, but sometimes the router just stops routing. I perform a "show ip route" or "show arp" and everything seems to be OK. Interfaces are all up, and a site-to-site VPN is active, but there is no traffic between the sites.
Does anybody know what could be happening or what command I should execute the next time?
Best regards
Carlos
PD: Sorry for my english :-)!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key **** address **** no-xauth
crypto isakmp client configuration group vpn
key voicentersdm
pool SDM_POOL_1
acl 100
netmask 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set esp-aes256-sha esp-aes 256 esp-sha-hmac
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 11 ipsec-isakmp
description ****
set peer ****
set transform-set esp-aes256-sha
match address 102
interface FastEthernet0/0
description Internet$ETH-WAN$
ip address ****
ip nat inside
ip virtual-reassembly
speed 100
full-duplex
no cdp enable
crypto map SDM_CMAP_1
interface FastEthernet0/1
description ****
ip address 172.16.156.2 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
interface FastEthernet0/0/0
description LAN
interface FastEthernet0/0/1
description mpls
switchport access vlan 100
interface FastEthernet0/0/2
interface FastEthernet0/0/3
interface Vlan1
description $ES_LAN$
ip address ****
ip nat inside
ip virtual-reassembly
interface Vlan100
description mpls
ip address ****
ip nat inside
ip virtual-reassembly
ip local pool SDM_POOL_1 192.168.2.1 192.168.2.5
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 **** name default_route
ip route 10.0.0.0 255.255.254.0 190.3.65.57
ip route 10.0.2.0 255.255.255.0 10.0.254.9
ip route 10.0.3.0 255.255.255.0 10.0.254.9
ip route 10.0.254.0 255.255.255.248 10.0.254.9
ip route 10.48.25.0 255.255.255.0 172.16.156.1
ip route 10.92.16.0 255.255.255.0 172.16.156.1
ip route 10.92.17.0 255.255.255.0 172.16.156.1
ip route 10.92.24.0 255.255.255.0 172.16.156.1
ip route 10.92.48.0 255.255.255.0 172.16.156.1
ip route 10.92.49.0 255.255.255.0 172.16.156.1
ip route 10.92.50.0 255.255.255.0 172.16.156.1
ip route 10.92.55.0 255.255.255.0 172.16.156.1
ip route 170.51.242.0 255.255.255.0 172.16.156.1
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool nat-claro 172.16.156.2 172.16.156.200 netmask 255.255.255.0
ip nat pool nat-claro-chaco 172.16.157.2 172.16.157.200 netmask 255.255.255.0
ip nat inside source route-map ****
ip nat inside source route-map ****
logging trap notifications
logging 10.20.1.234
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 10.20.0.0 0.0.255.255 any
access-list 100 permit ip 172.16.156.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=18
access-list 101 permit ip 10.20.0.0 0.0.255.255 host 10.92.16.80
access-list 101 permit ip 10.20.0.0 0.0.255.255 host 10.92.16.177
access-list 101 permit ip 10.20.0.0 0.0.255.255 host 10.92.17.234
access-list 101 permit ip 10.20.0.0 0.0.255.255 host 10.92.16.4
access-list 101 permit ip 10.20.0.0 0.0.255.255 host 10.92.16.51
access-list 101 permit ip 10.20.0.0 0.0.255.255 host 10.92.16.52
access-list 101 permit ip 10.20.0.0 0.0.255.255 host 10.92.16.243
access-list 101 permit ip 10.20.0.0 0.0.255.255 host 10.92.16.242
access-list 101 permit ip 10.20.0.0 0.0.255.255 10.92.48.0 0.0.0.255
access-list 101 permit ip 10.20.0.0 0.0.255.255 10.92.49.0 0.0.0.255
access-list 101 permit ip 10.20.0.0 0.0.255.255 10.92.50.0 0.0.0.255
access-list 101 permit ip 10.20.0.0 0.0.255.255 host 10.92.55.11
access-list 101 permit ip 10.20.0.0 0.0.255.255 host 170.51.242.162
access-list 101 permit ip 10.20.0.0 0.0.255.255 host 10.92.55.12
access-list 101 permit ip 10.20.0.0 0.0.255.255 host 10.92.55.13
access-list 101 permit ip 10.20.0.0 0.0.255.255 host 10.92.55.21
access-list 101 permit ip 10.20.0.0 0.0.255.255 host 10.92.55.15
access-list 101 permit ip 10.20.0.0 0.0.255.255 host 10.92.16.86
access-list 101 permit ip 10.0.0.0 0.255.255.255 host 10.92.55.16
access-list 102 permit ip 10.20.0.0 0.0.255.255 10.0.0.0 0.0.1.255
access-list 102 permit ip 10.92.0.0 0.0.255.255 10.0.0.0 0.0.1.255
access-list 102 permit ip 10.20.0.0 0.0.255.255 192.168.10.0 0.0.0.255
access-list 102 permit ip 10.92.0.0 0.0.255.255 192.168.10.0 0.0.0.255
access-list 102 permit ip 10.0.2.0 0.0.0.255 10.0.0.0 0.0.1.255
access-list 103 permit ip 10.0.0.0 0.0.1.255 host 10.92.16.80
access-list 103 permit ip 10.0.0.0 0.0.1.255 host 10.92.16.177
access-list 103 permit ip 10.0.0.0 0.0.1.255 host 10.92.17.234
access-list 103 permit ip 10.0.0.0 0.0.1.255 host 10.92.16.4
access-list 103 permit ip 10.0.0.0 0.0.1.255 host 10.92.16.51
access-list 103 permit ip 10.0.0.0 0.0.1.255 host 10.92.16.52
access-list 103 permit ip 10.0.0.0 0.0.1.255 host 10.92.16.243
access-list 103 permit ip 10.0.0.0 0.0.1.255 host 10.92.16.242
access-list 103 permit ip 10.0.2.0 0.0.0.255 host 10.92.16.80
access-list 103 permit ip 10.0.2.0 0.0.0.255 host 10.92.16.243
access-list 103 permit ip 10.0.2.0 0.0.0.255 host 10.92.16.242
access-list 103 permit ip 10.0.0.0 0.0.1.255 host 10.92.55.15
access-list 103 permit ip 10.0.2.0 0.0.0.255 host 10.92.55.15
access-list 103 permit ip 10.0.3.0 0.0.0.255 host 10.92.16.80
access-list 103 permit ip 10.0.3.0 0.0.0.255 host 10.92.16.177
access-list 103 permit ip 10.0.3.0 0.0.0.255 host 10.92.17.234
access-list 103 permit ip 10.0.2.0 0.0.0.255 host 10.92.16.177
access-list 103 permit ip 10.0.2.0 0.0.0.255 host 10.92.17.234
access-list 103 permit ip 10.0.2.0 0.0.0.255 host 10.92.16.4
access-list 103 permit ip 10.0.2.0 0.0.0.255 host 10.92.16.51
access-list 103 permit ip 10.0.2.0 0.0.0.255 host 10.92.16.52
access-list 103 permit ip 10.0.3.0 0.0.0.255 host 10.92.16.4
access-list 103 permit ip 10.0.3.0 0.0.0.255 host 10.92.16.51
access-list 103 permit ip 10.0.3.0 0.0.0.255 host 10.92.16.52
access-list 103 permit ip 10.0.3.0 0.0.0.255 host 10.92.16.243
access-list 103 permit ip 10.0.3.0 0.0.0.255 host 10.92.16.242
access-list 103 permit ip 10.0.3.0 0.0.0.255 host 10.92.55.15
access-list 103 permit ip 10.0.0.0 0.0.1.255 host 10.92.55.21
access-list 104 permit ip 10.20.0.0 0.0.255.255 10.0.2.0 0.0.0.255
access-list 104 permit ip 10.92.0.0 0.0.255.255 10.0.2.0 0.0.0.255
no cdp run
route-map *** permit 10
match ip address 101
route-map *** permit 20
match ip address 103
! -
EasyVPN and DMVPN on the same router, same interface
Hi all,
First of all, thanks in advance for the help. I have set up DMVPN and EasyVPN on one router. The tunnel interfaces on Spoke one and Spoke two are up/up and show crypto isakmp sa shows both tunnels in idle. However, the tunnel to Spoke one (10.10.1.1) keeps bouncing on and off (see below). Every 30 seconds or so the tunnel goes back to the IKE phase while the tunnel for Spoke two (5.5.5.1) stays active. The configuration on the hub side is the same for both spokes! show crypto ipsec security-association shows both sides have the same lifetime (IOS default). Could that be an IOS bug on Spoke one?
Hub :
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 15.1(3)T2, RELEASE SOFTWARE (fc1)
HUB#sh crypto ipsec security-association
Security association lifetime: 4608000 kilobytes/3600 seconds
Spoke one:
Cisco IOS Software, C2600 Software (C2600-ADVSECURITYK9-M), Version 12.4(8), RELEASE SOFTWARE (fc1)
SPOKE1#sh crypto ipsec security-association
Security association lifetime: 4608000 kilobytes/3600 seconds
HUB#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
5.5.5.1 5.5.5.2 QM_IDLE 1002 ACTIVE
10.10.1.1 10.10.1.2 MM_NO_STATE 1134 ACTIVE (deleted)
10.10.1.1 1.1.1.10 QM_IDLE 1126 ACTIVE
10.10.1.1 1.1.1.10 QM_IDLE 1076 ACTIVE
HUB#sh crypto se
HUB#sh crypto session
Crypto session current status
Interface: Serial0/1/1
Username: testuser
Profile: AccountingPro
Group: Accounting
Assigned address: 20.20.20.1
Session status: UP-ACTIVE
Peer: 1.1.1.10 port 60201
IKEv1 SA: local 10.10.1.1/500 remote 1.1.1.10/60201 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 20.20.20.1
Active SAs: 2, origin: dynamic crypto map
Interface: Serial0/1/1
Username: testuser
Profile: AccountingPro
Group: Accounting
Assigned address: 20.20.20.2
Session status: UP-ACTIVE
Peer: 1.1.1.10 port 49768
IKEv1 SA: local 10.10.1.1/500 remote 1.1.1.10/49768 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 20.20.20.2
Active SAs: 2, origin: dynamic crypto map
Interface: FastEthernet0/1
Profile: DMVPN
Session status: UP-IDLE
Peer: 5.5.5.2 port 500
IKEv1 SA: local 5.5.5.1/500 remote 5.5.5.2/500 Active
Interface: Serial0/1/1
Profile: DMVPN
Session status: DOWN-NEGOTIATING
Peer: 10.10.1.2 port 500
IKEv1 SA: local 10.10.1.1/500 remote 10.10.1.2/500 Inactive
HUB#
2. My second issue is that I use the same interface (s0/1/1 = 10.10.1.1) for EasyVPN access. The EasyVPN client connects fine but does not receive traffic back (the statistics window shows decrypted = 0 and received = 0). The EasyVPN client can't even ping the IP address assigned to it (20.20.20.2), and the client can only ping the 10.10.1.1 address. Reverse route is enabled, but the 20.20.20.0/24 network didn't show up in the IP routing table of the HUB router!
DMVPN and EasyVPN server config:

crypto keyring dmvpnkey
  pre-shared-key address 0.0.0.0 0.0.0.0 key DMVPNLAB
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
crypto isakmp policy 30
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp policy 40
 authentication pre-share
crypto isakmp keepalive 30
crypto isakmp xauth timeout 90
!
crypto isakmp client configuration group Accounting
 key eazypvn
 dns 4.2.2.2
 wins 4.2.2.2
 domain bigBois.com
 pool dmAccouting
!
crypto isakmp profile AccountingPro
   match identity group Accounting
   client authentication list access_in
   isakmp authorization list my_vpn
   client configuration address respond
crypto isakmp profile DMVPN
   keyring dmvpnkey
   match identity address 0.0.0.0
!
crypto ipsec transform-set DMVPN ah-sha-hmac esp-aes
 mode transport
crypto ipsec transform-set EAZYVPN esp-3des esp-md5-hmac
!
crypto ipsec profile dmvpnlab
 set transform-set DMVPN
 ! note: this binds the DMVPN tunnel to the EasyVPN group profile (match identity group),
 ! while the isakmp profile DMVPN defined above (keyring + match identity address) is not
 ! referenced anywhere in this config
 set isakmp-profile AccountingPro
!
crypto dynamic-map Remote_Acc 20
 set transform-set EAZYVPN
 set isakmp-profile AccountingPro
 reverse-route
!
! as posted, the first line below named the map "RemoteAcc" (no underscore) and the second
! repeated "client authentication list" for the authorization list; corrected to a single
! map name and the isakmp authorization keyword, matching the AccountingPro profile
crypto map Remote_Acc client authentication list access_in
crypto map Remote_Acc isakmp authorization list my_vpn
crypto map Remote_Acc 20 ipsec-isakmp dynamic Remote_Acc
!
interface Loopback0
 ip address 192.168.200.1 255.255.255.0
interface Loopback2
 ip address 172.16.10.1 255.255.255.0
interface Loopback3
 ip address 172.16.15.1 255.255.255.0
!
interface Tunnel1
 bandwidth 10000
 ip address 4.4.4.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 10
 ip nhrp authentication DMVPN
 ip nhrp map multicast dynamic
 ip nhrp network-id 7940
 ip nhrp registration timeout 10
 ip tcp adjust-mss 1360
 tunnel source Serial0/1/1
 tunnel mode gre multipoint
 tunnel key 7940
 tunnel protection ipsec profile dmvpnlab
!
interface FastEthernet0/0
 description OUTSIDE
 ip address 1.1.1.1 255.255.255.0
 ip virtual-reassembly in
 duplex auto
 speed auto
interface FastEthernet0/1
 description INSIDE
 ip address 5.5.5.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
interface Serial0/1/0
 no ip address
 shutdown
 clock rate 2000000
interface Serial0/1/1
 description to SPOKE1
 ip address 10.10.1.1 255.255.255.0
 crypto map Remote_Acc
interface Serial0/3/0
 no ip address
 shutdown
!
router eigrp 10
 network 4.4.4.0 0.0.0.255
 network 5.5.5.0 0.0.0.255
 network 10.0.0.0
 network 10.10.10.0 0.0.0.3
 network 172.16.0.0 0.0.0.255
 network 172.16.1.0 0.0.0.255
 network 172.16.10.0 0.0.0.255
 network 172.16.15.0 0.0.0.255
 network 192.168.200.0
!
ip local pool dmAccouting 20.20.20.1 20.20.20.10
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
Thanks a bunch for the help,
Ernest

Any ideas why devices keep renewing phase 1?
Thanks, -
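What reverse-route injection from a dynamic crypto map actually installs for EasyVPN clients, and how to get the pool into EIGRP on the hub, as an added example for Ernest's DMVPN/EasyVPN post above; it is not part of the post. The pool (20.20.20.0/24), the EIGRP process (10) and the crypto map interface come from the post; the Null0 covering route, the prefix-list and route-map names and the EIGRP metric are assumptions.

```cisco
! RRI on a dynamic crypto map injects one static /32 per connected client (the address
! handed out from the pool), not the pool itself. 20.20.20.0/24 never appears on its own;
! 20.20.20.2/32 appears when that client's IPsec SA comes up and is removed with it.
!
! 1. A covering route for the pool (assumed here) so the rest of the network always has
!    a path to the hub; the RRI /32s are more specific and win while a client is up.
ip route 20.20.20.0 255.255.255.0 Null0 250
!
! 2. Advertise the pool and the live /32s into the EIGRP process the hub already runs.
!    Names and metric are assumptions.
ip prefix-list VPN-POOL seq 10 permit 20.20.20.0/24 le 32
!
route-map STATIC-TO-EIGRP permit 10
 match ip address prefix-list VPN-POOL
!
router eigrp 10
 redistribute static route-map STATIC-TO-EIGRP metric 10000 100 255 1 1500
!
! 3. Checks, in order, before blaming routing:
!    show crypto session detail        -> the client's proxy identity should be 20.20.20.x/32
!    show ip route static              -> that /32 listed while the client is connected
!    show ip eigrp topology 20.20.20.0/24
```

If the /32 is present on the hub but the client still receives nothing, the problem is not the reverse route but the encryption side (crypto map and tunnel protection share Serial0/1/1, and the ipsec profile points at the EasyVPN ISAKMP profile), so check `show crypto ipsec sa` counters for that peer next.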
Can ASA check the health of a site-to-site VPN for route tracking
The ASA "track" command can use an SLA, but it looks like the SLA monitor only supports ICMP as a health-check type. We would like to redistribute and use a static route only if the appropriate VPN link is up.
We have multiple sites, each with an OSPF area 0, so we don't want to enable OSPF routing over the VPN links. With IOS routers, we use tunnel interfaces with IPsec encapsulation. Since each end of the tunnel has an IP, pinging the tunnel IP of the other end is a good indication that the tunnel is up.
Is there a way to get this functionality on an ASA?

You can enable DPD (dead peer detection) and use RRI (reverse route injection) to install static routes to the remote VPN subnets. Then you can redistribute them into OSPF.
HTH. Please rate if it was helpful. Thank you. -
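The DPD plus RRI arrangement from the answer above, written out as an added example (not the answerer's configuration) in ASA 8.4+ syntax. Peer address, subnets, interface, ACL, map and route-map names are assumptions; the behaviour of the `dynamic` keyword is the one documented for ASA 9.7(1) and later.

```cisco
! --- IKEv1 site-to-site peer with DPD (peer 203.0.113.2 is assumed) ---
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key <shared-secret>
 ! DPD: probe after 10 s of silence, two retries, then the SAs are torn down
 isakmp keepalive threshold 10 retry 2
!
access-list VPN-TO-SITEB extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
!
crypto map OUTSIDE_MAP 10 match address VPN-TO-SITEB
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-SHA
! Plain "set reverse-route" on a static crypto map installs the route as soon as the map
! is bound to the interface, tunnel up or not, which is useless for tracking. With the
! "dynamic" keyword (ASA 9.7(1)+) the route exists only while the SA does, so when DPD
! declares the peer dead the route disappears and OSPF stops advertising it.
crypto map OUTSIDE_MAP 10 set reverse-route dynamic
crypto map OUTSIDE_MAP interface outside
!
! --- Carry the RRI route (10.2.0.0/16) into OSPF, and no other static route ---
prefix-list VPN-PREFIXES seq 10 permit 10.2.0.0/16
route-map STATIC-TO-OSPF permit 10
 match ip address prefix-list VPN-PREFIXES
!
router ospf 1
 redistribute static subnets route-map STATIC-TO-OSPF
!
! Checks:
!   show crypto ikev1 sa         -> MM_ACTIVE for 203.0.113.2 while the peer is up
!   show route static            -> 10.2.0.0/16 present only while the SA is up
!   show ospf database external  -> the prefix as a type-5 LSA from this ASA
```

The route-map matters: without it every static route on the ASA, including the default, would be redistributed into the area. With DPD the withdrawal is driven by SA teardown rather than by a ping, so no SLA tracking is needed for this case.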
I have a question: how can you set up a GRE tunnel on a Cisco 800 series router for a site-to-site VPN (IPsec + GRE)? Who can help me?

Please change the highlighted lines below.

R1

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
! I assume this is your R2 public address.
crypto isakmp key key address 84.197.161.59

Please copy the highlighted line on router R1.

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-CRYTPO 1 ipsec-isakmp
 ! Do the same, and make sure you put the R2 public address.
 set peer 84.197.161.59
 set transform-set ESP-AES-128-SHA
 set pfs group5
 match address 100
 reverse-route
!
! xxx.xxx.xxx.xxx in ACL 100 is the public address of R1.
access-list 100 permit ip host xxx.xxx.xxx.xxx host 84.197.161.59
!
interface Tunnel0
 ip address 11.11.11.1 255.255.255.252
 ip ospf mtu-ignore
 keepalive 3 2
 tunnel source GigabitEthernet0
 ! This is router R2's public address.
 tunnel destination 84.197.161.59
 ip mtu 1400
!
interface GigabitEthernet0
 crypto map OUTSIDE-CRYTPO

Please change the highlighted lines below.

R2

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
! R1 public address.
crypto isakmp key key address xxx.xxx.xxx.xxx

Please copy the highlighted line on R2.

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-CRYTPO 1 ipsec-isakmp
 ! R1 public address.
 set peer xxx.xxx.xxx.xxx
 set transform-set ESP-AES-128-SHA
 set pfs group5
 match address 100
 reverse-route
!
! xxx.xxx.xxx.xxx is the R1 public IP address.
access-list 100 permit ip host 84.197.161.59 host xxx.xxx.xxx.xxx
!
interface Tunnel0
 ip address 11.11.11.2 255.255.255.252
 ip ospf mtu-ignore
 keepalive 3 2
 ip mtu 1400
 tunnel source GigabitEthernet0
 ! xxx.xxx.xxx.xxx is the public address of R1.
 tunnel destination xxx.xxx.xxx.xxx
!
interface GigabitEthernet0
 crypto map OUTSIDE-CRYTPO

Hope that helps.
thanks -
Overwrite dynamic (eigrp) route when external dials into router
Hi
I would like to find a way to overwrite a dynamic (EIGRP) route with a routing entry pointing to a dialer interface when someone has dialed into this dialer interface.
Does one of you know a way this can be done?
Thanks in advance and kind regards
Mark

Thanks for your reply.
Until now I have heard of reverse route injection only in conjunction with setting up VPN connections, and a quick search doesn't show much. But I keep on searching.
Maybe I should tell something more about my setup. There are 2 routers (both 2612). On the LAN side they do HSRP, and on the WAN side each of them has 2 BRI interfaces connected to a multi-line hunting group for dial-in and dial-out. On the LAN I do EIGRP, which overrides a static route pointing to the dialer on the second router because of the administrative distance of 200 on the static route.
When dialing out everything works fine. But when someone dials in to the second router (which is the HSRP standby one), the routing table of this router isn't changed/updated. I had expected something like a "directly connected" event to put a new entry in the routing table pointing to the now-connected dialer interface. But this does not happen.
What I'm looking for is a way this can be done, so that there is a backward-pointing route on the HSRP standby router for the dialed-in sites.
Is there a way to do this?
Regards
Mark -
Windows 2012 VPN Server - Routing
Hi community,
I hope you can help me out with my problem.
Following situation:
I have a Windows 2012 Server configured as a VPN server.
Connecting a VPN client works fine and the VPN client gets an IP address from a static IP range. The IP address it gets is 192.168.200.x.
It works fine to ping all devices in the 192.168.200.0/24 net. But I have a second net, 192.168.202.0/24. My VPN server is connected to both nets (2 NICs).
What I want to achieve is that the VPN clients can connect to devices in the 192.168.202.0 net as well.
When I put the following route into the client's IP table, it works:
#route add 192.168.202.0 mask 255.255.255.0 192.168.200.1
For me that's fine, but I have a bunch of other users also connecting to this VPN server.
So the best would be if, automatically when the user connects to the VPN, it also creates a static route like the one above.
Is this somehow possible?
I tried a static route in the "Routing and Remote Access" tool and static routes in the Dial-In config of the user in Active Directory. Nothing worked.

Hi Made1990,
When the VPN is connected, the clients will use the VPN server as their default gateway.
As a result, clients will be able to connect to the two subnets that the VPN server is connected to.
We can use Network Monitor on the VPN server and on the device on subnet 192.168.202.0 to find the problem:
Install and open Network Monitor on the two devices.
Ping the device on subnet 192.168.202.0 from the VPN client.
If the device on subnet 192.168.202.0 gets the ICMP Echo Request packet, that means the routes to 192.168.202.0 are OK.
If the device sends an ICMP Echo Reply packet and the VPN client doesn't get it, that means the reverse routes are wrong. Analyzing the data on both devices can help to find the problem with the routes.
Here is the guide for using Network Monitor:
https://technet.microsoft.com/en-us/library/cc938655.aspx?f=255&MSPPError=-2147217396
Best Regards,
Leo
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]