RV082 IPSec Tunnel

Similar Messages

• IPsec tunnel with two RV180W in LAN

  Hi all,
  I've to set up a couple of RV180W devices to connect several branch offices with IPsec tunnels with one back office.
  Because I'm new to Cisco devices, my intention is to set up two RV180W devices in our LAN that way, that they establish an IPsec tunnel. Both of them have an IP address in the net 192.168.179.x and each RV180W has it's own IP net (192.168.10.x and 192.168.11.x). The idea is to have a PC in each of the networks of the RV180Ws and several outside to check by the PCs' visibility/connectivity whether the VPN is working or not. Later on I've to change the network addresses but I'll know that the IPsec settings are working.
  I've used the 'Basic VPN Setup' on both devices to configure the tunnel, but it won't be established, its status remains on 'IPsec SA Not Established'.
  Am I completely wrong with my approach? Or am I blind and oversee something essential within the configuration?
  Here the configurations of both devices:
  device 1:
  device 2:
  Thanks in advance for your ideas and help.
  Best regards, Lars

  I'm trying to connect an RV180W to my RV082 and I get IPSec SA Not Established.  I've checked my settings numerous times and they are the same on both routers (aside from different gateway ip and lan subnet)

• IPSec tunnel on sub-interface on ASA 5510

  Hello All,
  I working on a security solution using ASA firewall and need some technical advice on ASA. Is it possible to setup a IPSec tunnels  on each subinterface of a physical interface on ASA 5510?
  I would be greatul if someone please reply post this with some details.
  Regards,
  Muds

  Hi Jennifer,
  Thanks very much for your reply. I understand where you coming from, but the reason of using sub-interfaces is that, we have only one physical interface on the firewall connected to the MPLS cloud, and we need to setup a seperate IPSec tunnels for each client for security and integrity. In the current scenario, I have static peers and we can easily setup a static route to peer address.
  Many thanks for your assistance, please feel free to to advise if you have any other suggestion.
  Regards,
  Muds 

• Cisco ASA 5505 Site to site VPN IPSEC tunnel to an Clavister Firewall

  Hi,
  I have weird problem with a Site to site VPN tunnel from a Cisco ASA 5505 to an Clavister Firewall.
  When I restart the Cisco ASA 5505 the tunnel is up and down,up, down, down, and I get all strange messages when I see if the tunnel is up or down with the syntax: show crypto isakmp sa
  After a while like 5-10 min the vpn site to site tunnel is up and here is the strange thing happening I have all accesslists and tunnel accesslists right I can only access one remote network (Main site Clavister Firewall) trought the vpn tunnel behind the Cisco ASA 5505, and I have 5 more remote networks that I want to access but only one remote network is working trought the vpn tunnel behind the Cisco ASA. I see that when I do this syntax in ASA: show crypto ipsec sa.
  They had a Clavister Firewall before on that site before and now they have a Cisco ASA 5505 and all the rules on the main site thats have the big Clavister Firewall is intact so the problems are in the Cisco ASA 5505.
  Here is some logs that ASDM give me about the tunnel issue, but like I said, the tunnel is up and only one remote network is reachable in that tunnel.....
  3
  Nov 21 2012
  07:11:09
  713902
  Group = 195.149.180.254, IP = 195.149.169.254, Removing peer from correlator table failed, no match!
  3
  Nov 21 2012
  07:11:09
  713902
  Group = 195.149.180.254, IP = 195.149.169.254, QM FSM error (P2 struct &0xc92462d0, mess id 0x1c6bf927)!
  3
  Nov 21 2012
  07:11:09
  713061
  Group = 195.149.180.254, IP = 195.149.169.254, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
  5
  Nov 21 2012
  07:11:09
  713119
  Group = 195.149.180.254, IP = 195.149.169.254, PHASE 1 COMPLETED
  Here is from the syntax: show crypto isakmp sa
  Result of the command: "show crypto isakmp sa"
     Active SA: 1
      Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
  Total IKE SA: 1
  1   IKE Peer: 195.149.180.254
      Type    : L2L             Role    : responder
      Rekey   : no              State   : MM_ACTIVE
  Result of the command: "show crypto ipsec sa"
  interface: outside
      Crypto map tag: CustomerCryptoMap, seq num: 10, local addr: 213.180.90.29
        access-list arvika_garnisonen permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
        local ident (addr/mask/prot/port): (172.22.65.0/255.255.255.0/0/0)
        remote ident (addr/mask/prot/port): (192.168.123.0/255.255.255.0/0/0)
        current_peer:195.149.180.254
        #pkts encaps: 2188, #pkts encrypt: 2188, #pkts digest: 2188
        #pkts decaps: 2082, #pkts decrypt: 2082, #pkts verify: 2082
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 2188, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: 213.180.67.29, remote crypto endpt.: 195.149.180.254
        path mtu 1500, ipsec overhead 74, media mtu 1500
        current outbound spi: E715B315
      inbound esp sas:
        spi: 0xFAC769EB (4207372779)
           transform: esp-aes-256 esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, PFS Group 5, }
           slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
           sa timing: remaining key lifetime (kB/sec): (38738/2061)
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap:
            0xFFFFFFFF 0xFFFFFFFF
      outbound esp sas:
        spi: 0xE715B315 (3876958997)
           transform: esp-aes-256 esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, PFS Group 5, }
           slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
           sa timing: remaining key lifetime (kB/sec): (38673/2061)
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001
  And here are my Accesslists and vpn site to site config:
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption aes-256
  hash sha
  group 5
  lifetime 84600
  crypto isakmp nat-traversal 40
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map CustomerCryptoMap 10 match address VPN_Tunnel
  crypto map CustomerCryptoMap 10 set pfs group5
  crypto map CustomerCryptoMap 10 set peer 195.149.180.254
  crypto map CustomerCryptoMap 10 set transform-set ESP-AES-256-SHA
  crypto map CustomerCryptoMap interface outside
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0 -------> This is the only remote network I can reach behind the Cisco ASA and the other remote networks dont work..
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
  nat (inside) 0 access-list nonat
  All these remote networks are at the Main Site Clavister Firewall.
  Best Regards
  Michael

  Hi,
  I'd start by getting the configuration of the remote site related to Local/Remote network configurations and go through them. Even though no changes have been made.
  If they are mirror images of eachother already I'd say its probably some problem related to Cisco/Clavister setup
  Seems especially wierd to me that one of the error messages includes 0.0.0.0 lines.
  I have run into some problems with L2L VPN configurations when our Cisco device just doesnt want to work with the remote end device. In some cases we have confirmed that our networks defined for the L2L VPN are exactly the same and yet when checking debugs on the ASA side we can see the remote end device using totally wrong network masks for the VPN negotiaton and therefore it failed. That problem we corrected with changing the network masks a bit.
  Maybe you could try to change the Encryption Domain configurations a bit and test it then.
  You could also maybe take some debugs on the Phase2 and see if you get anymore  hints as to what could be the problem when only one network is working for the L2L VPN.
  - Jouni

• Multiple site to site IPSec tunnels to one ASA5510

  Question on ASA VPN tunnels. I have one ASA 5510 in our corporate office, I have two subnets in our corporate office that are configured in the ASA in a Object group. I have a site to site IPSEC tunnel already up and that has been working. I am trying to set up another site to site IPSEC tunnel to a different location that will need to be setup to access the same two subnets. I'm not sure if this can be setup or not, I think I had a problem with setting up two tunnels that were trying to connect to the same subnet but that was between the same two ASA's. Anyways the new tunnel to a new site is not coming up and I want to make sure it is not the subnet issue. The current working tunnel is between two ASA 5510's, the new tunnel we are trying to build is between the ASA and a Sonicwall firewall. Any help would be appreciated.

  Hi,
  Regarding setting up the new L2L VPN connection..
  Should be no problem (to my understanding) to configure the new L2L VPN connection through the other ISP interface (0/3). You will need to atleast route the remote VPN peers IP address towards that link. The L2L VPN forming should add a route for the remote networks through that L2L VPN. If not reverse route injection should handle it in the cryptomap configurations.
  I guess rest of the setup depends on what will be using the 0/0 ISP and what will be using the 0/3 ISP.
  If you are going to put the default route towards the 0/3 ISP you will have to think of something for the 0/0 ISP if some of your local LAN devices are going to use it for Internet also. (Possible routing problems) On the other hand if you have remote VPN Client users using the 0/0 ISP there should be no routing problem for them as they would be initiating connection through that 0/0 ISP link through ASA so ASA should know where to forward the return traffic.
  Most of my 2 ISP setups have been implemented with a router in front of the actual ASA/PIX/FWSM firewalls where the router has performed Policy Routing based on the source IP address from the firewalls and then settings the correct gateway towards the correct ISP.
  - Jouni

• Cisco ASA 5505 IPSec tunnel won't establish until remote site attempts to connect

  I have a site to site IPSec tunnel setup and operational but periodically the remote site goes down, because of a somewhat reliable internet connection. The only way to get the tunnel to re-establish is to go to the remote site and simply issue a ping from a workstation on the remote network. We were having this same issue with a Cisco PIX 506E but decided to upgrade the hardware and see if that resolve the issue. It ran for well over a year and our assumtions was that the issue was resolved. I was looking in the direction of the security-association lifetime but if we power cycle the unit, I would expect that it would kill the SA but even after power cycling, the VPN does not come up automatically.
  Any assistance would be appreciated.
  ASA Version 8.2(1)
  hostname KRPS-FW
  domain-name lottonline.org
  enable password uniQue
  passwd uniQue
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.20.30.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address xxx.xxx.xxx.xxx 255.255.255.248
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  description Inside Network on VLAN1
  interface Ethernet0/2
  shutdown
  interface Ethernet0/3
  shutdown
  interface Ethernet0/4
  shutdown
  interface Ethernet0/5
  shutdown
  interface Ethernet0/6
  shutdown
  interface Ethernet0/7
  description Inside Network on VLAN1
  ftp mode passive
  dns server-group DefaultDNS
  domain-name lottonline.org
  access-list NONAT extended permit ip 10.20.30.0 255.255.255.0 10.20.20.0 255.255.255.0
  access-list NONAT extended permit ip 10.20.30.0 255.255.255.0 192.168.0.0 255.255.255.0
  access-list NONAT extended permit ip 10.20.30.0 255.255.255.0 192.168.15.0 255.255.255.0
  access-list KWPS-BITP extended permit ip 10.20.30.0 255.255.255.0 10.20.20.0 255.255.255.0
  access-list KWPS-BITP extended permit ip 10.20.30.0 255.255.255.0 192.168.0.0 255.255.255.0
  access-list KWPS-BITP extended permit ip 10.20.30.0 255.255.255.0 192.168.15.0 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list NONAT
  nat (inside) 1 0.0.0.0 0.0.0.0
  access-group OUTSIDE_ACCESS_IN in interface outside
  route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 10.20.30.0 255.255.255.0 inside
  http 10.20.20.0 255.255.255.0 inside
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map DYNMAP 65535 set transform-set ESP-AES-256-SHA
  crypto map VPNMAP 1 match address KWPS-BITP
  crypto map VPNMAP 1 set peer xxx.xxx.xxx.001
  crypto map VPNMAP 1 set transform-set ESP-AES-256-SHA
  crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP
  crypto map VPNMAP interface outside
  crypto isakmp enable outside
  crypto isakmp policy 5
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 65535
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  ssh timeout 5
  console timeout 0
  management-access inside
  tunnel-group xxx.xxx.xxx.001 type ipsec-l2l
  tunnel-group xxx.xxx.xxx.001 ipsec-attributes
  pre-shared-key somekey

  Hi there,
  I had same issue with PIX 506E and it was not even a circuit issue and I got ride of it and problem got fixed with PIX515E
  I don't know, the device is too old to stay alive.
  thanks

• All the traffic go through IPsec tunnel(site to site ) ,but something seems not working correctly

  Hi, all,
    I have seen a good post in google.com about how to make all the client's traffic though IPsec tunnel then out to the Internet from the Main site,now I attach this configuration and application for discussion, and what the problem is that I am still confused with the configuration on Main site ,  I hope anyone who can tell me more detail and how to accomplish it. Any answer will be appreciated , thank you !
  Quote :
  Question ? :
  Mine is a very simple configuration.  I have 2 sites linked via an IPsec tunnel.  Dallas is my Main HQ R1 and Austin R2 is my remote office.  I want all traffic from Austin to route thru the tunnel up to Dallas, then out to the Internet.
  Dallas (Main) Lan Net is: 10.10.200.0/24
  Austin (Remote) LAN Net is: 10.20.2.0/24
  The Dallas (Main) site has a VPN config of:
  Local Net: 0.0.0.0/0
  Remote Net: 10.20.2.0/24
  The Austin (Remote) site has a VPN config of:
  10.20.2.0/24
  Remote Net: 0.0.0.0/0
  The tunnel gets established just fine.  From the Austin LAN clients, I can ping the router at the main site (10.10.200.1).  This is how I know the tunnel is created, but I cannot ping anything beyond the router from the Austin LAN, e.g. 8.8.8.8.
  I'm sure it's something simple I failed to configure.  Anyone have any pointers or hints?
  Answer:
  Thanks to Jimp from the other thread, I was able to see why it was not working.  To fix, I had to change the Outbound NAT on the main side to Manual.  Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0).  Basically, I just created a copy of the default rule and changed the Source network.
  Once I made this change, Voila!  Traffic from the remote side started heading out to the Internet.  Now all traffic flows thru the Main site.  It makes perfect sense why I needed to make this change, it just took a slap in the head from Jimp to point me in the right direction.
  My question ?
  The answer said "To fix, I had to change the Outbound NAT on the main side to Manual.  Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0).  Basically, I just created a copy of the default rule and changed the Source network." what this mean and
  how to do it , could anybody give me the specific configuration ? thanks a lot.

  Thank you for Jouni's reply,  following is the configuration on Cisco 2800 router ,no firewall enable, :
  crypto isakmp policy 100
  encr aes 256
  authentication pre-share
  group 2
  crypto isakmp key x.x.x address 0.0.0.0 0.0.0.0
  crypto isakmp keepalive 60
  crypto ipsec transform-set IPsectrans esp-3des esp-md5-hmac
  crypto dynamic-map IPsecdyn 100
  set transform-set IPsectrans
  match address 102
  crypto map IPsecmap 100 ipsec-isakmp dynamic IPsecdyn
  interface Loopback1
  ip address 10.10.200.1 255.255.255.0
  interface FastEthernet0/0
  ip address 113.113.1.1 255.255.255.128
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  crypto map IPsecmap
  interface FastEthernet0/1
  ip address 192.168.1.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  duplex auto
  speed auto
  ip route 0.0.0.0 0.0.0.0 113.113.1.2
  ip http server
  no ip http secure-server
  ip nat inside source list 100 interface FastEthernet0/0 overload
  access-list 100 permit ip 192.168.1.0 0.0.0.255 any
  access-list 102 permit ip any 10.20.2.0 0.0.0.255

• The tale of two IPSec Tunnels...

  I'm trying to set up an ipsec tunnel at a particular site, and I am just stumped at this point.  I have two sites I'm working with, a test site on my bench and the other actual site at another location.  Both are ASA 5510's, both are running ASA v8.2(5).  The test site has a 3560 off of it, and the production site has a 3750 stack off it.  I don't think that part should matter, though.
  I used the wizard to create the ipsec configuration on both devices, test and prod, and used the same naming on both to help compare.  The test site connects and I can ssh to the 3560 behind it just fine.  The production site, however, cannot connect to that 3750 or ping it to save my life.  I've poured through the configs on both, and although there are just a couple of differences, the two ASA's are pretty close in configs.
  At first I thought it was an acl issue, but I've filtered the logs by syslog id 106023 to watch for denys by access group.  When I try to connect to the 3750, I get absolutely no entry in the log that anything is being denied, so I figure that's not it.
  Then I thought it may be a routing issue.  The one difference between the two sites is that the test site is using eigrp to disperse routes between the asa and switch, while the production site is using static routes.  But I also didn't think that would've mattered, because on the static route switch I even put a static route in there to the vpn network which didn't make a difference.
  I've also run packet traces on the firewall when doing a ping, and on the test siteI see echo requests and replies.  Oon the production site I only see requests, no replies.  My encap counters don't increment during pings, but the decap counters do, which make sense.
  Other things to note:  The test site that works also has a site-to-site vpn up and runnning, so you'll see that in the config as well.  Client is Mac OS X 10.6.8, using the Cisco IPSec Config.
  I'm hoping someone can look at my configs and tell me if they see anything I'm missing on them that could help solve my problems.  I'd appreciate it!  Thanks
  Test Site that works
  Production Site that Doesn't
  testasa01-5510# sh run
  : Saved
  ASA Version 8.2(5)
  hostname testasa01-5510
  names
  interface Ethernet0/0
  nameif outside
  security-level 0
  ip address <outsideif> 255.255.255.240
  interface Ethernet0/1
  nameif inside
  security-level 100
  ip address 10.39.194.2 255.255.255.248
  interface Ethernet0/2
  shutdown
  no nameif
  no security-level
  no ip address
  interface Ethernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  nameif management
  security-level 100
  no ip address
  management-only
  boot system disk0:/asa825-k8.bin
  ftp mode passive
  clock timezone PST -8
  clock summer-time PDT recurring
  access-list inside_access_in extended permit ip 10.39.0.0 255.255.0.0 any log disable
  access-list RemoteAccess_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
  access-list inside_nat0_outbound extended permit ip 10.39.0.0 255.255.0.0 10.0.0.0 255.0.0.0
  access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 172.16.139.0 255.255.255.240
  access-list outside_cryptomap extended permit ip 10.39.0.0 255.255.0.0 10.0.0.0 255.0.0.0
  access-list remoteaccess extended permit ip 172.16.139.0 255.255.255.240 any log disable
  tcp-map WSOptions
    tcp-options range 24 31 allow
  pager lines 24
  logging enable
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  mtu management 1500
  ip local pool vpn_ip_pool 172.16.139.0-172.16.139.10 mask 255.255.255.0
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-713.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 100 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 100 10.39.0.0 255.255.0.0
  access-group inside_access_in in interface inside
  router eigrp 100
  network 10.0.0.0 255.0.0.0
  passive-interface default
  no passive-interface inside
  route outside 0.0.0.0 0.0.0.0 <outsideif> 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  http server enable
  http 10.0.0.0 255.0.0.0 management
  http 10.0.0.0 255.0.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map1 1 match address outside_cryptomap
  crypto map outside_map1 1 set pfs group1
  crypto map outside_map1 1 set peer 209.242.145.200
  crypto map outside_map1 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map1 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map1 interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication crack
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 20
  authentication rsa-sig
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 30
  authentication pre-share
  encryption aes-256
  hash sha    
  group 2
  lifetime 86400
  crypto isakmp policy 40
  authentication crack
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 50
  authentication rsa-sig
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 60
  authentication pre-share
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 70
  authentication crack
  encryption aes
  hash sha    
  group 2
  lifetime 86400
  crypto isakmp policy 80
  authentication rsa-sig
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 90
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 100
  authentication crack
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 110
  authentication rsa-sig
  encryption 3des
  hash sha    
  group 2
  lifetime 86400
  crypto isakmp policy 120
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 130
  authentication crack
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 150
  authentication pre-share
  encryption des
  hash sha    
  group 2
  lifetime 86400
  crypto isakmp policy 170
  authentication pre-share
  encryption 3des
  hash sha
  group 1
  lifetime 86400
  telnet timeout 5
  ssh 10.0.0.0 255.0.0.0 inside
  ssh 0.0.0.0 0.0.0.0 management
  ssh timeout 60
  console timeout 0
  management-access inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ntp server <server> source inside
  webvpn
  group-policy GroupPolicy1 internal
  group-policy GroupPolicy1 attributes
  vpn-tunnel-protocol IPSec
  group-policy RemoteAccess internal
  group-policy RemoteAccess attributes
  dns-server value 8.8.8.8
  vpn-filter value remoteaccess
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value RemoteAccess_splitTunnelAcl
  split-tunnel-all-dns disable
  vlan none
  tunnel-group RemoteAccess type remote-access
  tunnel-group RemoteAccess general-attributes
  address-pool vpn_ip_pool
  default-group-policy RemoteAccess
  tunnel-group RemoteAccess ipsec-attributes
  pre-shared-key *****
  tunnel-group 111.222.333.444 type ipsec-l2l
  tunnel-group 111.222.333.444
  general-attributes
  default-group-policy GroupPolicy1
  tunnel-group 111.222.333.444
  ipsec-attributes
  pre-shared-key *****
  class-map WSOptions-class
  match any
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
  class WSOptions-class
    set connection advanced-options WSOptions
  policy-map type inspect ip-options ip-options-map
  parameters
    eool action allow
    nop action allow
    router-alert action allow
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  : end
  mp01-5510asa# sh run
  : Saved
  ASA Version 8.2(5)
  hostname mp01-5510asa
  names
  interface Ethernet0/0
  nameif inside
  security-level 100
  ip address 10.29.194.2 255.255.255.252
  interface Ethernet0/1
  nameif dmz
  security-level 50
  ip address 172.16.29.1 255.255.255.0
  interface Ethernet0/2
  description
  nameif backup
  security-level 0
  ip address <backupif> 255.255.255.252
  interface Ethernet0/3
  description
  speed 100
  duplex full
  nameif outside
  security-level 0
  ip address <outsideif> 255.255.255.248
  interface Management0/0
  nameif management
  security-level 100
  ip address 10.29.199.11 255.255.255.0
  management-only
  banner login Authorized Use Only
  boot system disk0:/asa825-k8.bin
  ftp mode passive
  clock timezone PST -8
  clock summer-time PDT recurring
  object-group network DM_INLINE_NETWORK_1
  network-object 10.29.1.0 255.255.255.0
  network-object 10.29.15.0 255.255.255.0
  network-object 10.29.199.0 255.255.255.0
  network-object 10.29.200.0 255.255.255.0
  network-object 10.29.31.0 255.255.255.0
  access-list inside_access_in extended permit ip 10.29.0.0 255.255.0.0 any log warnings
  access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 any log warnings
  access-list inside_access_in extended permit ip 192.168.29.0 255.255.255.0 any log warnings
  access-list inside_access_in extended permit ip 10.29.32.0 255.255.255.0 any log warnings
  access-list outside_access_in extended permit ip any host 50.59.30.116 log warnings
  access-list RemoteAccess_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
  access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.254.29.0 255.255.255.0 log warnings
  access-list remoteaccess extended permit ip 10.254.29.0 255.255.255.0 any log warnings
  access-list RemoteAccess2_splitTunnelAcl standard permit 10.29.0.0 255.255.0.0
  pager lines 24
  logging enable
  logging list acl-messages message 106023
  logging buffered acl-messages
  logging asdm acl-messages
  mtu inside 1500
  mtu dmz 1500
  mtu backup 1500
  mtu outside 1500
  mtu management 1500
  ip local pool vpn_ip_pool3 10.254.29.0-10.254.29.10 mask 255.255.255.0
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-645.bin
  asdm history enable
  arp timeout 14400
  global (inside) 201 interface
  global (dmz) 101 interface
  global (backup) 101 interface
  global (outside) 101 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 101 10.29.1.0 255.255.255.0
  nat (inside) 101 10.29.15.0 255.255.255.0
  nat (inside) 101 10.29.31.0 255.255.255.0
  nat (inside) 101 10.29.32.0 255.255.255.0
  nat (inside) 101 10.29.199.0 255.255.255.0
  nat (inside) 101 10.29.200.0 255.255.255.0
  nat (inside) 101 192.168.29.0 255.255.255.0
  static (inside,outside) <outsideif> 10.29.15.10 netmask 255.255.255.255
  access-group inside_access_in in interface inside
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 50.59.30.113 1 track 1
  route backup 0.0.0.0 0.0.0.0 205.179.122.165 254
  route management 10.0.0.0 255.0.0.0 10.29.199.1 1
  route inside 10.29.0.0 255.255.0.0 10.29.194.1 1
  route inside 192.168.29.0 255.255.255.0 10.29.194.1 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  aaa authentication enable console LOCAL
  http server enable
  http 10.0.0.0 255.0.0.0 management
  http 10.0.0.0 255.0.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  sla monitor 100
  type echo protocol ipIcmpEcho 74.125.239.16 interface outside
  num-packets 3
  frequency 10
  sla monitor schedule 100 life forever start-time now
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  crypto isakmp policy 30
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  track 1 rtr 100 reachability
  telnet timeout 5
  ssh 10.0.0.0 255.0.0.0 inside
  ssh 10.0.0.0 255.0.0.0 management
  ssh timeout 60
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ntp server 10.200.1.41 source inside
  webvpn
  group-policy RemoteAccess internal
  group-policy RemoteAccess attributes
  dns-server value 8.8.8.8
  vpn-filter value remoteaccess
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value RemoteAccess_splitTunnelAcl
  split-tunnel-all-dns disable
  vlan none
  tunnel-group RemoteAccess type remote-access
  tunnel-group RemoteAccess general-attributes
  address-pool vpn_ip_pool3
  default-group-policy RemoteAccess
  tunnel-group RemoteAccess ipsec-attributes
  pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect icmp
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  testasa01-5510# sh crypto ipsec sa
  interface: outside
      Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: <outsideif>
        local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
        remote ident (addr/mask/prot/port): (172.16.139.1/255.255.255.255/0/0)
        current_peer: <peer ip>, username: blah
        dynamic allocated peer ip: 172.16.139.1
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 30, #pkts decrypt: 30, #pkts verify: 30
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: <outsideif>/4500, remote crypto endpt.: <peer ip>/37291
        path mtu 1500, ipsec overhead 82, media mtu 1500
        current outbound spi: 0A7F396F
        current inbound spi : E87AF806
      inbound esp sas:
        spi: 0xE87AF806 (3900372998)
           transform: esp-aes esp-sha-hmac no compression
           in use settings ={RA, Tunnel,  NAT-T-Encaps, }
           slot: 0, conn_id: 49152, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
           sa timing: remaining key lifetime (sec): 3587
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x7FFFFFFF
      outbound esp sas:
        spi: 0x0A7F396F (176109935)
           transform: esp-aes esp-sha-hmac no compression
           in use settings ={RA, Tunnel,  NAT-T-Encaps, }
           slot: 0, conn_id: 49152, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
           sa timing: remaining key lifetime (sec): 3587
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001
  mp01-5510asa# sh crypto ipsec sa
  interface: outside
      Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: <outsideif>
        local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
        remote ident (addr/mask/prot/port): (10.254.29.1/255.255.255.255/0/0)
        current_peer: <peer ip>, username: blah
        dynamic allocated peer ip: 10.254.29.1
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 51, #pkts decrypt: 51, #pkts verify: 51
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: <outsideif>/4500, remote crypto endpt.: <peer ip>/37291
        path mtu 1500, ipsec overhead 82, media mtu 1500
        current outbound spi: 096265D4
        current inbound spi : F5E4780C
      inbound esp sas:
        spi: 0xF5E4780C (4125390860)
           transform: esp-aes esp-sha-hmac no compression
           in use settings ={RA, Tunnel,  NAT-T-Encaps, }
           slot: 0, conn_id: 102400, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
           sa timing: remaining key lifetime (sec): 3576
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x001FFFFF 0xFFFFFFFF
      outbound esp sas:
        spi: 0x096265D4 (157443540)
           transform: esp-aes esp-sha-hmac no compression
           in use settings ={RA, Tunnel,  NAT-T-Encaps, }
           slot: 0, conn_id: 102400, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
           sa timing: remaining key lifetime (sec): 3576
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001

  Config (non working site) looks fine(unless I missed something:)) . You may want to add :
  access-list RemoteAccess_splitTunnelAcl standard permit 192.168.29.0 255.255.255.0
  Try by taking out vpnfilter :  vpn-filter value remoteaccess
  To further t-shoot, try using packet tracer from ASA to the client...
  https://supportforums.cisco.com/docs/DOC-5796
  Thx
  MS

• Static NAT with IPSec tunnel

  Hi,
  I have a hopefully fairly basic question regarding configuring some static NAT entries on a remote site 887 router which also has a IPSec tunnel configured back to our main office.  I am fairly new to networking so forgive me if I ask some really silly questions!
  I have been asked to configure some mobile phone "boost" boxes, which will take a mobile phone and send the traffic over the Internet - this is required because of the poor signal at the branch.  These boxes connect via Ethernet to the local network and need a direct connection to the Internet and also certain UDP and TCP ports opening up.
  There is only one local subnet on site and the ACL for the crypto map dictates that all traffic from this network to our head office go over the tunnel.  What I wanted to do was create another vlan, give this a different subnet.  Assign these mobile boost boxes DHCP reservations (there is no interface to them so they cannot be configured) and then allow them to break out to the Internet locally rather than send the traffic back to our head office and have to open up ports on our main ASA firewall. 
  From my research I came across this article (http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml
  So I went ahead and created a separate vlan and DHCP reservation and then also followed the guidelines outlined above about using a route-map to stop the traffic being sent down the tunnel and then configured static NAT statements for each of the four ports these boost boxes need to work.  I configure the ip nat inside/outside on the relevant ports (vlan 3 for inside, dialer 1 for outside)
  The configuration can be seen below for the NAT part;
  ! Denies vpn interesting traffic but permits all other
  ip access-list extended NAT-Traffic
  deny ip 172.19.191.0 0.0.0.255 172.16.0.0 0.3.255.255
  deny ip 172.19.191.0 0.0.0.255 10.0.0.0 0.255.255.255
  deny ip 172.19.191.0 0.0.0.255 192.168.128.0 0.0.3.255
  deny ip 172.19.191.0 0.0.0.255 12.15.28.0 0.0.0.255
  deny ip 172.19.191.0 0.0.0.255 137.230.0.0 0.0.255.255
  deny ip 172.19.191.0 0.0.0.255 165.26.0.0 0.0.255.255
  deny ip 172.19.191.0 0.0.0.255 192.56.231.0 0.0.0.255
  deny ip 172.19.191.0 0.0.0.255 192.168.49.0 0.0.0.255
  deny ip 172.19.191.0 0.0.0.255 192.168.61.0 0.0.0.255
  deny ip 172.19.191.0 0.0.0.255 192.168.240.0 0.0.7.255
  deny ip 172.19.191.0 0.0.0.255 205.206.192.0 0.0.3.255
  permit ip any any
  ! create route map
  route-map POLICY-NAT 10
  match ip address NAT-Traffic
  ! static nat
  ip nat inside source static tcp 192.168.1.2 50 85.233.188.47 50 route-map POLICY-NAT extendable
  ip nat inside source static udp 192.168.1.2 123 85.233.188.47 123 route-map POLICY-NAT extendable
  ip nat inside source static udp 192.168.1.2 500 85.233.188.47 500 route-map POLICY-NAT extendable
  ip nat inside source static udp 192.168.1.2 4500 85.233.188.47 4500 route-map POLICY-NAT extendable
  Unfortunately this didn't work as expected, and soon after I configured this the VPN tunnel went down.  Am I right in thinking that UDP port 500 is also the same port used by ISAKMP so by doing this configuration it effectively breaks IPSec?
  Am I along the right lines in terms of configuration?  And if not can anyone point me in the direction of anything that may help at all please?
  Many thanks in advance
  Brian

  Hi,
  Sorry to bump this thread up but is anyone able to assist in configuration?  I am now thinking that if I have another public IP address on the router which is not used for the VPN tunnel I can perform the static NAT using that IP which should not break anything?
  Thanks
  Brian

• Multiple IPSEC tunnels on ASA 5505

  Configuring Multiple IPSEC tunnels on ASA 5505
  Hi,
  I  need to configure 2 diffrent type of IPSEC tunnels on my ASA 5505.  1st one is static ipsec tunnel already  configured between HO to site A and  2nd one is dynamic  to be configure between HO to site B since site B does not have static IP so I have to configure dynamic ipsec vpn.
  I have following  clarification
  1. After configuring dynamic ipsec Is my existing static ipsec tunnel will work simultenously?
  2. can I apply different crypmap on the same outside interface? if not then what setting i need to do to make this work?
  3. Do i need to create 1 more Nat0 or can i add in existing ACL which i have already created for previous.
  kindly help me on this
  Thanks in advance
  Subhan Shaikh
  France Telecom

  Configuring Multiple IPSEC tunnels on ASA 5505
  Hi,
  I  need to configure 2 diffrent type of IPSEC tunnels on my ASA 5505.  1st one is static ipsec tunnel already  configured between HO to site A and  2nd one is dynamic  to be configure between HO to site B since site B does not have static IP so I have to configure dynamic ipsec vpn.
  I have following  clarification
  1. After configuring dynamic ipsec Is my existing static ipsec tunnel will work simultenously?
  2. can I apply different crypmap on the same outside interface? if not then what setting i need to do to make this work?
  3. Do i need to create 1 more Nat0 or can i add in existing ACL which i have already created for previous.
  kindly help me on this
  Thanks in advance
  Subhan Shaikh
  France Telecom

• IPsec tunnel to a windows 2008 R2 server

  I have an application that uses FTP to a win2k8r2 server. I'd like to setup an IPSEC tunnel to the windows server to encapsulate this traffic.
  I've configured IPSEC in Solaris before, but not in LINUX. The implementation eludes me. I've searched online and not found anything that appears to work.
  anyone got any ideas or secret documents that lines out how to do this?

  yes, but not very helpful educationally. What I am trying to do is establish a permanent tunnel to a win2k8r2 server. I've got it to the point where it will establish a tunnel if the windows box initiates the transaction but my attempts fail. addtionally, the connection is not permanent. it drops every so often.
  I keep getting the following errors over and over again until the windows box tries to send something.
  Apr 16 13:47:01 LINUXHOST pluto[12025]: "WINHOST_Conn" #29: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+IKEv2ALLOW+SAREFTRACK to replace #27 {using isakmp#14 msgid:41efece2 proposal=defaults pfsgroup=no-pfs}
  Apr 16 13:47:01 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
  Apr 16 13:47:01 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: received and ignored informational message
  Apr 16 13:47:11 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
  Apr 16 13:47:11 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: received and ignored informational message
  Apr 16 13:47:12 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
  Apr 16 13:47:12 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: received and ignored informational message
  Apr 16 13:47:26 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: received Delete SA payload: replace IPSEC State #16 in 10 seconds
  Apr 16 13:47:26 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: received and ignored informational message
  Apr 16 13:47:31 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
  Apr 16 13:47:31 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: received and ignored informational message
  Apr 16 13:47:36 LINUXHOST pluto[12025]: "WINHOST_Conn" #30: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+IKEv2ALLOW+SAREFTRACK to replace #16 {using isakmp#14 msgid:219d57e8 proposal=defaults pfsgroup=no-pfs}
  problem is the windows server is the recipient in these transactions.

• ASA5500: TCP state bypass for traffic, coming from IPsec tunnel

  Hello!
  We have problems on central firewall with restricting traffic coming from remote office from IPsec. (The network sheme is attached)
  All branch offices are connected to central asa though IPsec.
  The main aim is to rule access from branch offices only on the central firewall, NOT on each IPsec tunnel
  According to the sheme:
  172.16.1.0/24 is on of the branch office LANs
  10.1.1.0/24 and 10.2.2.0/24 are central office LAN
  The crypto ACL looks like  permit ip 172.16.1.0/24 10.0.0.0/8
  The aim is to
  restrict access from 172.16.1.0/24 to 10.1.1.0/24
  When packets are generated from host 10.1.1.10 to 172.16.1.0/24 all is ok -  they are dropped by acl2
  When packets are generated from 172.16.1.0/24 to 10.1.1.10 they are not dropped by any ACL - the reason is stateful firewall - traffic bypasses all access lists on a back path
  I thought that TCP State Bypass feature can solve this problem and disable stateful firewall inspection for traffic coming from 172.16.1.0/24 to 10.1.1.0/24, but it didn't help.
  The central asa 5500 is configured according to cisco doc http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.html
  access-list tcp_bypass_acl extended permit tcp 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
  class-map tcp_bypass_map
  description "TCP traffic that bypasses stateful firewall"
  match access-list tcp_bypass_acl
  policy-map tcp_bypass_policy
  class tcp_bypass_map
  set connection advanced-options tcp-state-bypass
  service-policy tcp_bypass_policy interface outside
  service-policy tcp_bypass_policy interface inside
  Does anyone know, how to make TCP State Bypass works properly?

  I understand the pain of creating diffrent crypto for diffrent tunnels but i never come across better solution. However TCP state bypass is not going to help in regards to restrict access. TCP state bypass is a way to for FW to act like router which does not do statefull and I dont think that fits in your scenario.
  You can still control access on center site by using vpn-filters.
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml
  Thanks
  Ajay

• GRE traffic can not pass through LRT224 IPSec Tunnel

  Hi,
  We have a trouble when using Cisco Router GRE tunnel plus LRT224 IPSec Gateway-Gateway Tunnel.
  We found after reboot, GRE packets can not pass trough LRT224 IPSec tunnel. need to restart serval time then gre will back to normal.
  Besides that, GRE keepalive packets can not pass trough LRT224 IPSec Tunnel.
  please help. I had tried to upgrade to latest firmware version.
  Firmware Version : v1.0.3.09 (Dec 26 2014 14:28:46) 
  A-END:
  interface Tunnel1
  ip address 10.216.80.105 255.255.255.252
  ip mtu 1400
  ip nat outside
  ip virtual-reassembly in
  ip tcp adjust-mss 1360
  ip ospf network point-to-point
  ip ospf hello-interval 3
  ip ospf cost 10000
  tunnel source 10.216.81.2
  tunnel destination 10.216.80.90
  end
  B-END:
  interface Tunnel11
  ip address 10.216.80.110 255.255.255.252
  ip mtu 1400
  ip tcp adjust-mss 1360
  ip ospf network point-to-point
  ip ospf cost 10000
  ip ospf hello-interval 3
  tunnel source 10.216.80.91
  tunnel destination 10.216.81.3
  end
  CISCO2911 <> LRT224 <> INTERNET <> LRT224 <> CISCO 2621
  San

  Can you post the results from the below command for the Cisco Routers?
  IOS Command: "sh version"
  Why not static route without NAT through the LRT224 IPSec VPN?
  Just curious why did you use LRT224's for the Site to Site VPN instead of the Cisco Routers?
  Please remember to Kudo those that help you.
  Linksys
  Communities Technical Support

• Tunnel Traffic going inside IPSEC tunnel

  Hi Everyone,
  Site A  has IP Sec Tunnel to Site B via ASA.
  Now Switch on Site A has GRE tunnel and destination of that tunnel is going inside the IPSEC tunnel.
  In other words IPSEC tunnel between 2 sites is also carrying the GRE Tunnel Traffic.
  Which command i can run on ASA to know if IPSEC is carrying GRE tunnel traffic  or
  What line in ASA config will tell me that this IPSEC is also carrying GRE tunnel traffic?
  Thanks
  MAhesh

  Hi Jouni,
  I can not put config here.
  But here is the info
  sh crypto map shows ASA  outside interface say GGG this interface has ipsec connection to other site.
  also sh conn all | inc GRE shows bunch of output.
  It shows ASA outside inetrface which is to WAN say GGG   8 times and it has say subnet range
  GRE GGG  10.22.31.4  XY 10.x.x.x.x
  GRE GGG  10.22.31.4  XY  10.x.x.x
  GRE GGG  10.22.31.3
  GRE GGG  10.22.31.3
  GRE GGG  10.22.31.3
  GRE GGG  10.22.31.4
  GRE GGG  10.22.31.4
  GRE GGG  10.22.31.4
  Where XY is interface of ASA which is next hop to tunnel destination.
  IP 10.x.x.x  is the tunnel source IP which is loopback on the switch.
  Do you know why it has 2 entries for same ASA  interface XY ?
  Also it has other entries for other ASA  interface.
  So does number of entries tell us number of GRE connections running ?
  Thanks
  MAhesh
  Message was edited by: mahesh parmar

• Can ASA send it's syslogs over it's own IPsec tunnel?

  I'd like to send syslogs etc sourced on an ASA to a destination that is connected via an IPsec tunnel on the ASA sourcing the traffic. Is this possible?
  I'd have to have a a no-nat matching the traffic and also "same-security-traffic permit intra-interface". But which interface would I put on my "logging host" statement?
  Appreciate any pointers

  * Yes, the ASA can source traffic which can be sent over an IPSec tunnel.
  * For a syslog, you will want to create a site-to-site VPN connection (as opposed to configuring the ASA as a VPN head-end).
  * You will not need the 'same-security-traffic permit intra-interface' command -- the syslog traffic is being source from the ASA itself -- the syslog traffic is not being sourced 'from an interface'.
  * You will not need the 'no-nat' command either. Once again the syslog traffic is not traversing from one interface to another interface; therefore, an xlate will not be created.
  * When configuring your site-to-site VPN tunnel, you must specify 'interesting' traffic which is to be encrypted. Traffic from the ASA to the Syslog server should be marked as interesting (by matching the ACL which defines interesting traffic).
  * you specific the interface off which the syslog server resides in the 'logging host' command.
  In other words:
  * say your syslog server has IP address 1.1.1.1 which resides on the Internet.
  * say your outside interface on your ASA has an ip address of 200.200.200.200
  * say your syslog server is located at a remote operations center which reside on the Internet. You will create a VPN tunnel from the remote operations center to your ASA (site-to-site tunnel). Create an ACL for interesting traffic that says to 'permit ip host 200.200.200.200 host 1.1.1.1' to mark traffic as interesting from the ASA to the syslog server.
  * you will specify the outside interface in your 'logging host' command.
  THINGS YOU DON'T NEED:
  Because the syslog traffic is not transitting from one interface to another interface:
  * you do not need to configure an ACL to permit syslog traffic to leave the ASA to go to the syslog server
  * you do not need to configure NAT. An xlate is not required.
  Let me know if this gets you going. I would be happy to set this up in a lab environment to provide you a sample configuration if you need it. I don't have a syslog server but could demonstrate this by running administrative traffic to and from the ASA via the VPN tunnel.
  Regards,
  Troy