Setting up Site-to-Site VPN and nat on IOS

I have a senario I am looking to setup. I have a Cisco 3825 router that handles roughly 50 site-to-site VPN's. I have a particular VPN where I would like to nat (actually overload) off an interface for a specific VPN site-to-site tunnel. I know when you are doing nat you of course have an inside and an outside interface which I do on the router but how would you overload (pat) on an interface for just a specific VPN tunnel? Say you wanted to overload your entire internal supernet to a single private (RFC 1918) interface addess? Typically the outside interface (nat outside) what you would overload off of has a public ip address, but in this case you want to use a private RFC 1918 address as the source of the overload interface?
Any help is appreciated.

hi ,
did you think of using a normal statment and use a route map with that statment that only permit the VPN traffic to be natted using that statment and deny any other translation , and for the crypto access-list you should use the source as the pattted ip address and the destination as the the remote proxies .
regards.

Similar Messages

  • Cisco ASA Site to Site IPSEC VPN and NAT question

    Hi Folks,
    I have a question regarding both Site to Site IPSEC VPN and NAT. Basically what I want to achieve is to do the following:
    ASA2  is at HQ and ASA1 is a remote site. I have no problem setting up a  static static Site to Site IPSEC VPN between sites. Hosts residing at  10.1.0.0/16 are able to communicate with hosts at 192.168.1.0/24, but  what i want is to setup NAT with IPSEC VPN so that host at 10.1.0.0/16  will communicate with hosts at 192.168.1.0/24 with translated addresses
    Just an example:
    Host N2 (10.1.0.1/16) will communicate with host N1 192.168.1.5 with  destination lets say 10.23.1.5 not 192.168.1.5 (Notice the last octet  should be the same in this case .5)
    The same  translation for the rest of the communication (Host N2 pings host N3  destination ip 10.23.1.6 not 192.168.1.6. again last octet is the same)
    It sounds a bit confusing for me but i have seen this type of setup  before when I worked for managed service provider where we had  connection to our clients (Site to Site Ipsec VPN with NAT, not sure how  it was setup)
    Basically we were communicating  with client hosts over site to site VPN but their real addresses were  hidden and we were using translated address as mentioned above  10.23.1.0/24 instead of (real) 192.168.1.0/24, last octet should be the  same.
    Appreciate if someone can shed some light on it.

    Hi,
    Ok so were going with the older NAT configuration format
    To me it seems you could do the following:
    Configure the ASA1 with Static Policy NAT 
    access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
    Because the above is a Static Policy NAT it means that the translation will only be done when the destination network is 10.1.0.0/16
    If you for example have a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration wont interfere with eachother
    On ASA2 side you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network 
    access-list INSIDE-NONAT remark L2LVPN NONAT
    access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
    nat (inside) 0 access-list INSIDE-NONAT
    You will have to take into consideration that your access-list defining the L2L-VPN encrypted traffic must reflect the new NAT network 
    ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
    I could test this setup tomorrow at work but let me know if it works out.
    Please rate if it was helpful
    - Jouni

  • IpSec VPN and NAT don't work togheter on HP MSR 20 20

    Hi People,
    I'm getting several issues, let me explain:
    I have a Router HP MSR with 2 ethernet interfaces, Eth 0/0 - WAN (186.177.159.98) and Eth 0/1 LAN (192.168.100.0 /24). I have configured a VPN site to site thru the internet, and it works really well. The other site has the subnet 10.10.10.0 and i can reache the network thru the VPN Ipsec. The issue is that the network 192.168.100.0 /24 needs to reach internet with the same public address, so I have set a basic NT configuration, when I put the nat configuration into Eth 0/0 all network 192.168.100.0 can go to internet, but the VPN goes down, when I remove the NAT from Eth 0/0 the VPN goes Up, but the network 192.168.100.0 Can't go to internet.
    I'm missing something but i don't know what it is !!!!, See below the configuration.
    Can anyone help me qith that, I need to send te traffic with target 10.10.10.0 thru the VPN, and all other traffic to internet, Basically I need that NAT and VPN work fine at same time.
    Note: I just have only One public Ip address.
    version 5.20, Release 2207P41, Standard
    sysname HP
    nat address-group 1 186.177.159.93 186.177.159.93
    domain default enable system
    dns proxy enable
    telnet server enable
    dar p2p signature-file cfa0:/p2p_default.mtd
    port-security enable
    acl number 2001
    rule 0 permit source 192.168.100.0 0.0.0.255
    rule 5 deny
    acl number 3000
    rule 0 permit ip source 192.168.100.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
    vlan 1
    domain system
    access-limit disable
    state active
    idle-cut disable
    self-service-url disable
    ike proposal 1
    encryption-algorithm 3des-cbc
    dh group2
    ike proposal 10
    encryption-algorithm 3des-cbc
    dh group2
    ike peer vpn-test
    proposal 1
    pre-shared-key cipher wrWR2LZofLx6g26QyYjqBQ==
    remote-address <Public Ip from VPN Peer>
    local-address 186.177.159.93
    nat traversal
    ipsec proposal vpn-test
    esp authentication-algorithm sha1
    esp encryption-algorithm 3des
    ipsec policy vpntest 30 isakmp
    connection-name vpntest.30
    security acl 3000
    pfs dh-group2
    ike-peer vpn-test
    proposal vpn-test
    dhcp server ip-pool vlan1 extended
    network mask 255.255.255.0
    user-group system
    group-attribute allow-guest
    local-user admin
    password cipher .]@USE=B,53Q=^Q`MAF4<1!!
    authorization-attribute level 3
    service-type telnet
    service-type web
    cwmp
    undo cwmp enable
    interface Aux0
    async mode flow
    link-protocol ppp
    interface Cellular0/0
    async mode protocol
    link-protocol ppp
    interface Ethernet0/0
    port link-mode route
    nat outbound 2001 address-group 1
    nat server 1 protocol tcp global current-interface 3389 inside 192.168.100.20 3389
    ip address dhcp-alloc
    ipsec policy vpntest
    interface Ethernet0/1
    port link-mode route
    ip address 192.168.100.1 255.255.255.0
    interface NULL0
    interface Vlan-interface1
    undo dhcp select server global-pool
    dhcp server apply ip-pool vlan1

    ewaller wrote:
    What is under the switches tab?
    Oh -- By the way, that picture is over the size limit defined in the forum rules in tems of pixels, but the file size is okay.  I'll let it slide.  Watch the bumping as well.
    If you want to post the switches tab, upload it to someplace like http://img3.imageshack.us/, copy the thumbnail (which has the link to the original)  back here, and you are golden.
    I had a bear of a time getting the microphone working on my HP DV4, but it does work.  I'll look at the set up when I get home tonight [USA-PDT].
    Sorry for the picture and the "bumping"... I have asked in irc in arch and alsa channels and no luck yet... one guy from alsa said I had to wait for the alsa-driver-1.0.24 package (currently I have alsa-driver-1.0.23) but it is weird because the microphone worked some months ago...
    So here is what it is under the switches tab

  • Site to Site VPN with Natting Internal IP address range?

    This is our actual Internal LAN address: 10.40.120.0/26 (Internal Range) and I want to translate to
    Translated address: 10.254.9.64.255.255.255.192(Internal)
    Our remote local address is: 10.254.5.64 255.255.255.192(Remote site Internal Ip add range)
    Based on above parameters I done this configuration
    access-list outside_cryptomap permit ip 10.254.9.64 255.255.255.192 10.254.5.64 255.255.255.192
    access-list policy-nat permit ip 10.40.120.0 255.255.255.192 10.254.5.64 255.255.255.192
    static (inside,outside) 10.254.9.64 access-list policy-nat
    I got all the Phase1 and Phase 2 parameters required and peer public ip add,
    I had set up vpn using ASDM before but this scenario is new for me, all I am wondering is there anything I need to configure to succesfully setup VPN

    Hi mate,
    yeah issue on far site they arent allowing access to the port we are trying to access, and they made it up and we are good to g now,
    One thing I am worried is only one IP add is able to access the resources, I mean i created an add range of 192.168.x.0/26, however only 192.168.x.3 one of our server is able to access the far site, havent got a clue
    config is as folllows:
    access-list pp-vpn extended permit ip 10.254.7.64 255.255.255.192 10.254.6.64 255.255.255.192
    access-list policy-nat---- extended permit ip 192.168.x.0 255.255.255.192 10.254.6.64 255.255.255.192
    static (inside,outside) 10.254.7.64 access-list policy-nat
    crypto ipsec transform-set esp-aes256-sha esp-md5-hmac
    crypto map outside_map 20 match address pp-vpn
    crypto map outside_map 20 set peer 172.162.1.2
    crypto map outside_map 20 set transform-set vpn1
    crypto map outside_map interface outside
    crypto isakmp identity address
    crypto isakmp policy 65 encyptio
    authentication pre-share         
    encryption des
    hash md5
    group 2
    lifetime 86400
    tunnel type ipsec-l2l
    tunnel-group 172.162.1.2 ipsec-attributes
    pre-shared-key *
    Thank you immensly for all your assitance
    ven

  • I dont know how to set a site setup and edit some ready html files

    how to set up a site in dreamweaver when using a WAMP SERVER and edit some html files

    Is it a PHP or ASP site or does it have SSI components?
    If not you don't need to seet up a server. You can preview pages offline in a browser window.
    If it IS a PHP, ASP or SSI site, you need to copy it (the site folder)  to your "www" folder of the WAMP folder and then define the site using the folder you placed in the "www" folder as the root.

  • Remote Access VPN and NAT inside interface

    Hi everyone,
    I have configured Remote VPN access.
    Inside interface and vpn pool is 10.0.0.0 subnet.
    ASA inside interface has NAT exempt as per config below
    nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static NETWORK_OBJ_10.0.0.0_25 NETWORK_OBJ_10.0.0.0_25 no-proxy-arp route-lookup
    object network NETWORK_OBJ_10.0.0.0_24
    subnet 10.0.0.0 255.255.255.0
    object network NETWORK_OBJ_10.0.0.0_25
    subnet 10.0.0.0 255.255.255.128
    Also i have ASA inside interface connected to R1 as below
    R1 ---10.0.0.2------------inside int  IP 10.0.0.1--------ASA
    R1 has loopback int 192.168.50.1 and ASA has static route to it.
    When i connect to remote access vpn i can ping the IP 192.168.50.1 from My pc which is connected to outside interface of ASA.
    This ping works fine.
    Mar 04 2014 21:58:27: %ASA-6-302020: Built inbound ICMP connection for faddr 10.0.0.52/1(LOCAL\ipsec-user) gaddr 192.168.50.1/0 laddr 192.168.50.1/0 (ipsec-user                                                                                        )
    Mar 04 2014 21:58:28: %ASA-6-302021: Teardown ICMP connection for faddr 10.0.0.52/1(LOCAL\ipsec-user) gaddr 192.168.50.1/0 laddr 192.168.50.1/0 (ipsec-user) Mar 04 2014 21:58:27:
    Need to understand how this ping works without exempting 192.168.50.0 from natiing
    or
    how does nat work for above ping from 10.0.0.52 VPN user PC IP to loopback interface of R1 in regards to NATing?
    Regards
    Mahesh

    Hi Jouni,
    IP address to PC is 10.0.0.52 ---------Assigned to Client PC.
    Leting you  know that i have removed the NAT below config from inside to outside interface 
    ASA inside interface has NAT exempt as per config below
    nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static NETWORK_OBJ_10.0.0.0_25 NETWORK_OBJ_10.0.0.0_25 no-proxy-arp route-lookup
    object network NETWORK_OBJ_10.0.0.0_24
    subnet 10.0.0.0 255.255.255.0
    object network NETWORK_OBJ_10.0.0.0_25
    subnet 10.0.0.0 255.255.255.128
    Still ping works fine from VPN client PC to IP 192.168.50.1
    Packet tracer output
    ASA1# packet-tracer input outside  icmp 10.0.0.52 8 0 192.168.50.1
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.50.1    255.255.255.255 inside
    Phase: 2
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group outside_access_in in interface outside
    access-list outside_access_in extended permit ip any host 192.168.50.1 log
    access-list outside_access_in remark Allow Ping to Loopback IP of R1 Which is inside Network of ASA1
    Additional Information:
    Phase: 3
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: CP-PUNT
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 6
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 7
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: DROP
    Config:
    Additional Information:
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    I can ping from PC command prompt to IP 192.168.50.1 fine.
    Here is second packet tracer
    ASA1# packet-tracer input inside icmp 192.168.50.1 8 0 8.8.8.8
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         outside
    Phase: 2
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group inside_access_in in interface inside
    access-list inside_access_in extended permit ip any any
    Additional Information:
    Phase: 3
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 6
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 7
    Type: DEBUG-ICMP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 8
    Type: DEBUG-ICMP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 9
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 10
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 11
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 18033, packet dispatched to next module
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow
    So question is how ping from outside is working without nat exempt from inside to outside?
    So does second packet tracer proves that i have no NAT config from loopback to outside and ping works because i have NO NAT configured?
    Regards
    Mahesh
    Message was edited by: mahesh parmar

  • Need help determining why my nothing is showing up after setting up site to site vpn

    Ok, so I'm am trying to figure out why I can't get nothing to show up when I do sh crypto isakmp sa or sh crypto ipsec sa. I did the basic setup for a site to site vpn and I can ping across both networks just fine no problem. So when I ping from a pc in the 172.16.0.0 network to 192.168.0.0 network there is no problem at all because the pings are recieved just fine. But when I go to sh crypto isakmp sa, there is just nothing there and I can't for the life of me figure out why. I looked at my sh run for both routers and everything looks fine, but I guess I may be overlooking something. If someone could help me diagnose this problem I would truely appreciate.   I have attached my packet tracer file and both routers are using the password binary. I put the password on there for the sake of it and to have a more real feel.

    Here are the show runs for both routers
    Router Main A
    hostname RmainA
    ip dhcp pool ITS
    network 172.16.150.0 255.255.255.0
    default-router 172.16.150.1
    option 150 ip 172.16.150.1
    username ciscosdm privilege 15 password 0 ciscosdm
    crypto isakmp policy 2
    encr aes 128
    authentication pre-share
    group 2
    crypto isakmp key binary address 192.0.2.27
    crypto ipsec transform-set yasser esp-aes 128 esp-sha-hmac
    crypto map vader 100 ipsec-isakmp
    set peer 192.0.2.27
    set pfs group2
    set transform-set yasser
    match address S2S-VPN-TRAFFIC
    no ip domain-lookup
    spanning-tree mode pvst
    interface Loopback0
    ip address 172.16.95.100 255.255.255.255
    interface FastEthernet0/0
    ip address 192.0.2.25 255.255.255.248
    duplex auto
    speed auto
    crypto map vader
    interface FastEthernet0/0.1
    no ip address
    interface FastEthernet0/1
    description TRUNK TO MAIN SWITCH A
    no ip address
    duplex auto
    speed auto
    interface FastEthernet0/1.10
    encapsulation dot1Q 10
    ip address 172.16.10.1 255.255.255.240
    interface FastEthernet0/1.20
    encapsulation dot1Q 20
    ip address 172.16.20.1 255.255.255.0
    interface FastEthernet0/1.30
    encapsulation dot1Q 30
    ip address 172.16.30.1 255.255.255.0
    interface FastEthernet0/1.40
    encapsulation dot1Q 40
    ip address 172.16.40.1 255.255.255.0
    interface FastEthernet0/1.70
    encapsulation dot1Q 70
    ip address 172.16.70.1 255.255.255.0
    interface FastEthernet0/1.95
    encapsulation dot1Q 95
    ip address 172.16.95.1 255.255.255.240
    interface FastEthernet0/1.100
    encapsulation dot1Q 100
    ip address 172.16.100.1 255.255.255.0
    shutdown
    interface FastEthernet0/1.150
    encapsulation dot1Q 150
    ip address 172.16.150.1 255.255.255.0
    interface Serial0/0/0
    description TO BRANCH
    ip address 10.0.0.1 255.255.255.252
    clock rate 64000
    shutdown
    interface Serial0/0/1
    no ip address
    clock rate 125000
    shutdown
    interface Serial0/1/0
    no ip address
    clock rate 2000000
    shutdown
    interface Serial0/1/1
    no ip address
    clock rate 2000000
    shutdown
    interface FastEthernet1/0
    switchport mode access
    shutdown
    interface FastEthernet1/1
    switchport mode access
    shutdown
    interface FastEthernet1/2
    switchport mode access
    shutdown
    interface FastEthernet1/3
    switchport mode access
    shutdown
    interface FastEthernet1/4
    switchport mode access
    shutdown
    interface FastEthernet1/5
    switchport mode access
    shutdown
    interface FastEthernet1/6
    switchport mode access
    shutdown
    interface FastEthernet1/7
    switchport mode access
    shutdown
    interface FastEthernet1/8
    switchport mode access
    shutdown
    interface FastEthernet1/9
    switchport mode access
    shutdown
    interface FastEthernet1/10
    switchport mode access
    shutdown
    interface FastEthernet1/11
    switchport mode access
    shutdown
    interface FastEthernet1/12
    switchport mode access
    shutdown
    interface FastEthernet1/13
    switchport mode access
    shutdown
    interface FastEthernet1/14
    switchport mode access
    shutdown
    interface FastEthernet1/15
    switchport mode access
    shutdown
    interface Vlan1
    no ip address
    shutdown
    router ospf 1
    log-adjacency-changes
    network 10.0.0.0 0.0.0.3 area 0
    network 192.0.2.24 0.0.0.7 area 0
    network 172.16.0.0 0.0.0.255 area 1
    network 172.16.1.0 0.0.0.255 area 1
    network 172.16.10.0 0.0.0.255 area 1
    network 172.16.20.0 0.0.0.255 area 1
    network 172.16.30.0 0.0.0.255 area 1
    network 172.16.70.0 0.0.0.255 area 1
    network 172.16.95.1 0.0.0.0 area 1
    network 172.16.95.0 0.0.0.15 area 1
    network 172.16.100.0 0.0.0.3 area 1
    network 172.16.150.0 0.0.0.255 area 1
    network 0.0.0.0 255.255.255.255 area 1
    default-information originate
    ip classless
    ip default-network 10.0.0.0
    ip access-list extended S2S-VPN-TRAFFIC
    permit ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.0.255
    dial-peer voice 150 voip
    destination-pattern 20..
    session target ipv4:192.168.150.1
    telephony-service
    max-ephones 30
    max-dn 30
    ip source-address 172.16.150.1 port 2000
    auto assign 1 to 30
    ephone 1
    device-security-mode none
    mac-address 0014.6AAC.2355
    type 7960
    ephone 2
    device-security-mode none
    ephone 3
    device-security-mode none
    ephone 4
    device-security-mode none
    ephone 5
    device-security-mode none
    ephone 6
    device-security-mode none
    ephone 7
    device-security-mode none
    ephone 8
    device-security-mode none
    ephone 9
    device-security-mode none
    ephone 10
    device-security-mode none
    ephone 11
    device-security-mode none
    ephone 12
    device-security-mode none
    ephone 13
    device-security-mode none
    ephone 14
    device-security-mode none
    ephone 15
    device-security-mode none
    ephone 16
    device-security-mode none
    ephone 17
    device-security-mode none
    ephone 18
    device-security-mode none
    ephone 19
    device-security-mode none
    ephone 20
    device-security-mode none
    ephone 21
    device-security-mode none
    ephone 22
    device-security-mode none
    ephone 23
    device-security-mode none
    ephone 24
    device-security-mode none
    ephone 25
    device-security-mode none
    ephone 26
    device-security-mode none
    ephone 27
    device-security-mode none
    ephone 28
    device-security-mode none
    ephone 29
    device-security-mode none
    ephone 30
    device-security-mode none
    line con 0
    exec-timeout 90 0
    password binary
    logging synchronous
    login
    line vty 0 4
    password binary
    login local
    end

  • CISCO ASA 5505 Split Tunnel DNS with Site to Site VPN

    I have a working configuration for Site to Site VPN between our head office and a private AWS VPC instance.
    The tunnel is active and I can ping the IP address of the remote network and connect to the remote machines using the IP address, but we need to use the FQDN and not the IP.  We have a DNS server set up in AWS for any DNS queries for the remote domain name.
    My question is whether or not the ASA 5505 supports a DNS split tunnel for Site to Site VPN and how it can be configured.
    I can not find where I can interogate the DNS query to be redirected to the VPN tunnel when our domain name is used in a DNS query.  Thus, any pings I try with the FQDN of our servers in AWS are failing as they are going to the default DNS, which is the internet.
    Can any one point me in the right direction on how to configure this DNS rewrite so that we can access our AWS private cloud using FQDN from our AWS domain rather than an IP address?

    Jose, your fix to problem 1 allows all access from the outside, assuming you applied the extended list to the outside interface.  Try to be more restrictive than an '...ip any any' rule for outside_in connections.  For instance, this is what I have for incoming VOIP (access list and nat rules):
    access list rule:
    access-list outside_access_in extended permit udp any object server range 9000 9049 log errors
    nat rule:
    nat (inside,outside) source static server interface service voip-range voip-range
    - 'server' is a network object *
    - 'voip-range' is a service group range
    I'd assume you can do something similar here in combination with my earlier comment:
    access-list incoming extended permit tcp any any eq 5900
    Can you explain your forwarding methodology a little more?  I'm by no means an expert on forwarding, but the way I read what you're trying to do is that you have an inbound VNC request coming in on 5900 and you want the firewall to figure out which host the request should go to.  Or is it vice-versa, the inbound VNC request can be on port 6001-6004 ?

  • New BM3.9 Install - Site 2 Site via PAT/NAT/DMZ?

    We are setting up 2 new BM3.9 VMs (initially for Site 2 Site VPN) for a client but there ADSL Routers at each site only have Single Static IPs which are bound to the Router's Public address. I believe the Routers are also providing 'Dynamic NAT' for outbound traffic.
    Would it be possible to set-up a Site 2 Site VPN and perhaps get the Routers to pass all VPN traffic (either using PAT or an all traffic DMZ LAN scenario) to the BM Servers. I am presuming within the Site 2 Site config of VPN Server - Site A you would point it at the Public address of Router - Site B (instead of the BM Server Public).....and vice versa.
    Any comments would be greatly appreciated.
    Cheers,
    Richard.

    In article <[email protected]>, Rsargeant wrote:
    > Would it be possible to set-up a Site 2 Site VPN and perhaps get the
    > Routers to pass all VPN traffic (either using PAT or an all traffic DMZ
    > LAN scenario) to the BM Servers. I am presuming within the Site 2 Site
    > config of VPN Server - Site A you would point it at the Public address
    > of Router - Site B (instead of the BM Server Public).....and vice
    > versa.
    >
    Yes, it should work. While I've only configured one end of this (example
    in my book of one BM server behind a Linksys port-forwarding router), it
    should be ok to do on both ends. As long as you forward the proper ports
    (or ALL traffic) to the BM, it will get the VPN traffic. The VPN
    responses from the server tell the other side what public IP address to
    use, which as you have surmised should be the public address of the
    router in this case.
    Craig Johnson
    Novell Support Connection SysOp
    *** For a current patch list, tips, handy files and books on
    BorderManager, go to http://www.craigjconsulting.com ***

  • Cisco ASA 5510 site to site VPN only

    Hi,
    Need some expert help. I will be deploying the CISCO ASA 5510 in VPN site to site scenario only. One interface will be for the WAN and the other LAN interface is connected to another firewall appliance. The main purpose of the ASA is for branch site VPN connection only. My default gateway is pointing to the Internet router on my WAN inteface. Should NAT be enabled on my WAN inteface? The only expected traffic to go thru my ASA is VPN traffic to the other site. I have already defined static routes and have gone thru the wizard for site to site VPN and added my local and remote networks. Also how do I approach my access policies, the default deny any any is in place. Should I allow anything on it? The firewall connected to my LAN interface is expected to do the filtering, like I said the ASA's purpose is just to do VPN site to site. Thanks all

    Thanks Jon. That is what I want to clarify as well, running the VPN site to site wizard, will automatically create the 'cryptomap' access rules, will the existing deny all rule apply to the VPN traffic? I think there was an option that VPN traffic will bypass access rules.
    So having NAT enabled for anything that goes out on My WAN inteface would not matter at all, even if the VPN traffic will go out of that interface right? Hope I don't sound confusing.
    As per your second question, I know it sounds weird and is not good network design, but customer just renewed maintenance contract for the other firewall box that is why he does not want to get rid of it yet. Although ISA can perform the function as well. Thanks.

  • Site to site VPN timing out

    I have a printer as the sole client on one end of a site-to-site VPN, and the tunnel times out. There is no ability to generate traffic from the printer, so I am looking for anyone that may have a solution to this problem.
    Printer end - ASA5505
    Other end - Cisco VPN router.
    TIA !!
    Dave

    Hi Dave,
    You can try enabling  IKE DPD  deap peer detection (Keepalives )  on the router , in ASA   is enable by default , Im not sure on the routers. This feature must  be enable on both ends to work.
    Isakmp keepalive
    http://www.cisco.com/en/US/partner/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution07
    http://www.cisco.com/en/US/partner/docs/security/asa/asa80/command/reference/i3.html#wp1842584
    If the above does not do the trick you could try to snmp monitor the printer fomr the far end , if you have  a snmp  network monitoring tools such as Network Performance monitor or others out there  , and the printer supports SNMP you could  setup snmp monitoring . The snmp monitoring tool  pools regulartly from the device  on its  status  thus maintaining  your L2L tunnel up at all times while the printer is iddle.
    Regards

  • Site to Site VPN working without Crypto Map (ASA 8.2(1))

    Hi All,
    Found a strange situation on our ASA5540 firewall :
    We have couple Site to Site VPNs and also enable cleint VPN on the ASA, all are working fine. But found a Site to Site VPN is up and running without crypto map configuration. Is it possible ?
    I tried to clear isa sa and clear ipsec sa then the VPN came up again. Also tested it's pingable to remote site thru the VPN.
    I did see there is tunnel-group config for the VPN but didn't see any crypto map and ACL.
    How does Firewall know which traffic need be encrypted to this VPN tunnel without crypto map?
    Is it the bug ?
    Thanks in advance,

    It might be an easy vpn setup.
    Could you post a running config output remove any sensitive info.  This could help us answer your question more exactly.

  • Manually editing NetworkConfig.xml for multi-site VPN

    I'm designing a network comprised of on-premise, Azure East US VNet and Azure North Central US VNet. East will be my production VNet and North Central will be backup/dev. I want them routed together as well and accessible via on premise-VPN with RRAS and
    using point-to-site. I have successfully made all these connections individually in test scenarios but never simultaneously as the portal only has one field for a site-to-site VPN and this scenario requires two.
    I understand it's possible to create this design by editing the NetworkConfig.xml file. However, it's confusing to me why even when making small or no edits to the NetworkConfig.xml file the portal tells me my existing networks will be deleted and re-created.
    Does that take out my gateway IPs, etc as well? If so, I'll have to re-enter all the new IPs in RRAS and basically start from scratch. I have a few test VMs in each VNet as well to test connectivity between sites. I'm guessing those would have to go too or
    the VNets wouldn't be able to be deleted in the first place.
    Also, an unrelated static network that I make no changes to in the xml file says it will be updated when I upload even an unchanged NetworkConfig.xml. This is concerning as it's hard to know what downtime and issues I'm going to cause if I save the new file.
    Any tips would be appreciated. My sense is you have to have your whole design in your head first, get it into the NetworkConfig.xml and then move forward with creating the gateways and entering your IPs into RRAS or whatever your VPN tool my be. Being able
    to edit existing VNets, specifically adding additional site-to-site VPNs after they are in use would really be helpful. Perhaps this is possible and I'm missing something.

    Hi,
    Firstly, you need to delete the gateway and all resources in the virtual network before you delete it.
    In addition, based on my experience, you just need to add the local network sites parts into the network configuration file for a multi-site VPN connection. If you are afraid that the virtual
    network configuration would be wrong after importing, I recommend you to keep the previous network configuration file as a backup. In addition, I am glad to help you with the network configuration file, you can also share me the whole network configuration
    file and tell me some more detailed information about your requirement. (Please hide the Public IP addresses for your VPN gateways and VPN device.)
    Meanwhile, you can also refer to the link below for reference:
    https://msdn.microsoft.com/en-us/library/azure/dn690124.aspx
    Best regards,
    Susie
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • Setting up site-to-site and remote vpn on isa570w

    Hi folks...
    I have 2 new isa570w's....
    I'm setting up two offices with dedicated site-to-site VPN. Have that working great, but the office needs remote access as well to either of the offices. I have been unsuccessful so far in getting this to work. The remote access needs to include iPad access as well.
    Any pointers would be most appreciated! Thanks!
    Kim

    Hi,
    Just as Bill mentioned, the site to site VPN have may steps to deploy because it close bond your current environment, about how to deploy the site to site VPN on Windows Server
    please refer the following KB:
    Deploying VPN Site-to-Site Access
    http://technet.microsoft.com/zh-cn/library/ff687658(v=ws.10).aspx
    More about how to deploy the RRAS on TMG please post in the TMG forum:
    Forefront support forum
    http://social.technet.microsoft.com/Forums/forefront/en-us/home?category=forefront
    More information:
    TMG Configuring site-to-site VPN access
    http://technet.microsoft.com/en-us/library/bb838949.aspx
    Hope this helps.
    We
    are trying to better understand customer views on social support experience, so your participation in this
    interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

  • Setting up site to site vpn with cisco asa 5505

    I have a cisco asa 5505 that needs to be set up for site to site vpn to a cisco asa 5500. The 5505 is the remote office and the 5500 is the main office.
    IP of remote office router is 71.37.178.142
    IP of the main office firewall is 209.117.141.82
    Can someone tell me if my config is correct, this is the first time I am setting this up and it can not be tested until I set it up at the remote office. I would rather know its correct before I go.
    ciscoasa# show run
    : Saved
    ASA Version 7.2(4)
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password TMACBloMlcBsq1kp encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host 209.117.141.82
    access-list inside_nat0_outbound extended permit ip host 71.37.178.142 host 209.117.141.82
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group5
    crypto map outside_map 1 set peer 209.117.141.82
    crypto map outside_map 1 set transform-set ESP-AES-256-SHA
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn username [email protected] password ********* store-local
    dhcpd auto_config outside
    dhcpd address 192.168.1.2-192.168.1.129 inside
    dhcpd enable inside
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:7e338fb2bf32a9ceb89560b314a5ef6c
    : end
    ciscoasa#
    Thanks!

    Hi Mandy,
    By using following access list define Peer IP as source and destination
    access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
    you are not defining the interesting traffic / subnets from both ends.
    Make some number ACL 101 as you do not have to write the extended keyword then if you like as follows, or else NAME aCL will also work:
    access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
    access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
    access-list 101 remark CCP_ACL Category=4 access-list 101 remark IPSEC Rule
    !.1..source subnet(called local encryption domain) at your end  192.168.200.0
    !..2.and destination subnet(called remote encryption domain)at other end 192.168.100.0 !.3..I mean you have to define what subnets you need to communicate between which are behind these firewalls
    !..4...Local Subnets behind IP of the main office firewall is 209.117.141.82 say
    !...at your end  192.168.200.0
    !..5.Remote Subnets behind IP of remote office router is 71.37.178.142 say
    !...at other end 192.168.100.0
    Please use Baisc Steps as follows:
    A. Configuration in your MAIN office  having IP = 209.117.141.82  (follow step 1 to 6)
    Step 1.
    Define Crypto ACL/ mirror ACL for other end (change source to destination and destination to source in other side router or VPN device and thats why they are called mirror ACL/ or also called Proxy ID or also called Proxy ACL, your interesting traffic , that you want to encrypt / trave/enter in the tunnel)
    access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
    Step 2.
    Config ISAKMP Policy with minimum 4 parameters are to be config for
    crypto isakmp policy 10
    authentication pre-share  ---> Ist parameter of setting Authentication type ISAKMP Policy is OK
    encryption aes-256   --->2nd parameter of ISAKMP Policy is OK
    hash sha   --->  3rd parameter of ISAKMP Policy is OK
    group 5  --->  4th parameter of ISAKMP Policy is OK
    lifetime 86400  ------ >  this 5th parameter is optional , and will negotiate for the less value at either end or by default is will be taken 86400
    Step 3.
    Define Preshared key or PKI which you will use with other side Peer address 71.37.178.142, either key type 0 is Plain text anyone can see it over internet, or use key type 6 for encrypted key , say your password is CISCO123
    Here in your case in step 2 Authentication is using PSK, looks you have not defines Password
    Use following command:
    crypto isakmp key 0 CISCO123 address 71.37.178.142
    or , but not both
    crypto isakmp key 6 CISCO123 address71.37.178.142
    step 4.
    Define Transform set , which will be used for phase 2 tunnel parameters, if you use ESP it can have to sets one cor encryption and other for Authentication.
    Here is yours one:
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    this is correct but give name somthing easier to remember /distinguish it is a transform set , like TSET1 instead of ESP-AES-256-SHA ,try following (here you are using ESP so for encryption we use first set as esp-des and for authentication we use second set esp-sha-hmac)
    crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
    or
    crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
    Suppose you are using only AH then as AH does not support encryption or confidentiality hence it always use onle one set not 2 sets like ESP(remember the difference) say for example only one set for auth etc but no set for encryption hence AH have no such sets like ah-des or ah-3des or ah-aes, it has only second set for authentication like
    ah-sha-hmac or  ah-md5-hmac
    crypto ipsec transform-set TSET1 ah-sha-hmac
    or
    crypto ipsec transform-set TSET1 ah-md5-hmac
    Step 5.
    Now configure Crypto MAP as follows and only one CMPA can be applied to OUTSIDE Interface as VPN tunnel is alsways applied for traffic from inside subnets to outside subnets and only once Cryptomap can be applied to OUTSIDE Interface and hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:
    crypto map ipsec-isakmp
    1. Define peer -- called WHO to set tunnel with
    2. Define or call WHICH - Transform Set
    3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address
    Like in your case it is but ipsec-isakmp keyword missing in the ;ast
    crypto map outside_map 10 ipsec-isakmp
    1. set peer 209.117.141.82  -----> is correct as this is your other side peer called WHO in my step
    2. set transform-set TSET1  -----> is correct as this is WHICH, and only one transform set can be called
    !..In you case it is correct
    !...set transform-set ESP-AES-256-SHA (also correct)
    3.  match address outside_1_cryptomap  ---->Name of the extended ACL define as WHAT to pass through this tunnel
    4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)
    Step 6.
    Now apply this one crypto MAP to your OUTSIDE interface always
    interface outside
    crypto map outside_map
    Configure the same but just change ACL on other end in step one  by reversing source and destination
    and also set the peer IP of this router in other end.
    So other side config should look as follows:
    B.  Configuration in oyur Remote PEER IP having IP = 71.37.178.142 (follow step 7 to 12)
    Step 7.
    Define Crypto ACL/ mirror ACL for other end (change source to destination and destination to source in other side router or VPN device and thats why they are called mirror ACL/ or also called Proxy ID or also called Proxy ACL, your interesting traffic , that you want to encrypt / trave/enter in the tunnel)
    access-list outside_1_cryptomap extended ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
    Step 8.
    Config ISAKMP Policy with minimum 4 parameters are to be config for
    crypto isakmp policy 10
    authentication pre-share  ---> Ist parameter of setting Authentication type ISAKMP Policy is OK
    encryption aes-256   --->2nd parameter of ISAKMP Policy is OK
    hash sha   --->  3rd parameter of ISAKMP Policy is OK
    group 5  --->  4th parameter of ISAKMP Policy is OK
    lifetime 86400  ------ >  this 5th parameter is optional , and will negotiate for the less value at either end or by default is will be taken 86400
    Step 9.
    Define Preshared key or PKI which you will use with other side Peer address key type 0 is Plain text anyone can see it over internet, or use key type 6 for encrypted key , say your password is CISCO123
    Here in your case in step 8 Authentication is using PSK, looks you have not defines Password
    Use following command:
    crypto isakmp key 0 CISCO123 address 209.117.141.82
    or , but not both
    crypto isakmp key 6 CISCO123 address 209.117.141.82
    step 10.
    Define Transform set , which will be used for phase 2 tunnel parameters, if you use ESP it can have to sets one cor encryption and other for Authentication.
    Here is yours one:
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    this is correct but give name somthing easier to remember /distinguish it is a transform set , like TSET1 instead of ESP-AES-256-SHA ,try following (here you are using ESP so for encryption we use first set as esp-des and for authentication we use second set esp-sha-hmac)
    crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
    or
    crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
    Suppose you are using only AH then as AH does not support encryption or confidentiality hence it always use onle one set not 2 sets like ESP(remember the difference) say for example only one set for auth etc but no set for encryption hence AH have no such sets like ah-des or ah-3des or ah-aes, it has only second set for authentication like
    ah-sha-hmac or  ah-md5-hmac
    crypto ipsec transform-set TSET1 ah-sha-hmac
    or
    crypto ipsec transform-set TSET1 ah-md5-hmac
    Step 11.
    Now configure Crypto MAP as follows and only one CMPA can be applied to OUTSIDE Interface as VPN tunnel is alsways applied for traffic from inside subnets to outside subnets and only once Cryptomap can be applied to OUTSIDE Interface and hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:
    crypto map    ipsec-isakmp
    1. Define peer -- called WHO to set tunnel with
    2. Define or call WHICH - Transform Set, only one is permissible
    3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address
    Like in your case it is but ipsec-isakmp keyword missing in the ;ast
    crypto map outside_map 10 ipsec-isakmp
    1. set peer 209.117.141.82  -----> is correct as this is your other side peer called WHO in my step
    2. set transform-set TSET1  -----> is correct as this is WHICH, and only one transform set can be called
    !..In you case it is correct
    !...set transform-set ESP-AES-256-SHA (also correct)
    3.  match address outside_1_cryptomap  ---->Name of the extended ACL define as WHAT to pass through this tunnel
    4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)
    Step 12.
    Now apply this one crypto MAP to your OUTSIDE interface always
    interface outside
    crypto map outside_map
    Now initite a ping
    Here is for your summary:
    IPSec: Site to Site - Routers
    Configuration Steps
    Phase 1
    Step 1: Configure Mirrored ACL/Crypto ACL       for Interesting Traffic
    Step 2: Configure ISAKMP Policy
    Step 3: Configure ISAKMP Key
    Phase 2
    Step 4: Configure Transform Set
    Step 5: Configure Crypto Map
    Step 6: Apply Crypto Map to an Interface
    To debug for Phase 1 and Phase 2. Store it in buffer without displaying logs on terminal.
    Router#debug crpyto isakmp
    Router#debug crpyto ipsec
    Router(config)# logging buffer 7
    Router(config)# logging buffer 99999
    Router(config)# logging console 6
    Router# clear logging
    Configuration
    In R1:
    (config)# access-list 101 permit ipo host 10.1.1.1 host      10.1.2.1
    (config)# crypto isakmp policy 10
    (config-policy)# encryption 3des
    (config-policy)# authentication pre-share
    (config-policy)# group 2
    (config-policy)# hash sha1
    (config)# crypto isakmp key 0 cisco address 2.2.2.1
    (config)# crypto ipsec transform-set TSET esp-3des      sha-aes-hmac
    (config)# crypto map CMAP 10 ipsec-isakmp
    (config-crypto-map)# set peer 2.2.2.1
    (config-crypto-map)# match address 101
    (config-crypto-map)# set transform-set TSET
    (config)# int f0/0
    (config-if)# crypto map CMAP
    Similarly in R2
    Verification Commands
    #show crypto isakmp SA
    #show crypto ipsec SA
    Change to Transport Mode, add the following command in Step 4:
    (config-tranform-set)# mode transport
    Even after  doing this change, the ipsec negotiation will still be done through  tunnel mode if pinged from Loopback to Loopback. To overcome this we  make changes to ACL.
    Change to Aggressive Mode, replace the Step 3 command with these commands in R1:
    (config)# crypto isakmp peer address 2.2.2.1
    (config-peer)# set aggressive-mode password cisco
    (config-peer)# set aggressive-mode clien-endpoint       ipv4-address 2.2.2.1
    Similarly on R2.
    The below process is for the negotiation using RSA-SIG (PKI) as authentication type
    Debug Process:
    After  we debug, we can see the negotiation between the two peers. The first  packet of the interesting traffic triggers the ISAKMP (Phase1)  negotiation. Important messages are marked in BOLD and explanation in  RED
    R2(config)#do ping 10.1.1.1 so lo0 // Interesting Traffic
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
    Packet sent with a source address of 2.2.2.2
    Mar  2 16:18:42.939: ISAKMP:(0): SA request profile is (NULL) //  Router tried to find any IPSec SA matching the outgoing connection but  no valid SA has been found in Security Association Database (SADB)
    Mar  2 16:18:42.939: ISAKMP: Created a peer struct for 20.1.1.10, peer port 500
    Mar  2 16:18:42.939: ISAKMP: New peer created peer = 0x46519678 peer_handle = 0x8000000D
    Mar  2 16:18:42.939: ISAKMP: Locking peer struct 0x46519678, refcount 1 for isakmp_initiator
    Mar  2 16:18:42.939: ISAKMP: local port 500, remote port 500
    Mar  2 16:18:42.939: ISAKMP: set new node 0 to QM_IDLE    
    Mar  2 16:18:42.939: ISAKMP:(0):insert sa successfully sa = 4542B818
    Mar  2 16:18:42.939: ISAKMP:(0):Can not start Aggressive mode, trying Main mode. // Not an error. By default it is configured for Main Mode
    Mar  2 16:18:42.939: ISAKMP:(0):No pre-shared key with 20.1.1.10! // Since we are using RSA Signature, this message. If we use pre-share, this is where it would indicate so!
    Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-07 ID
    Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-03 ID
    Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-02 ID
    Mar  2 16:18:42.939: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    Mar  2 16:18:42.939: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
    Mar  2 16:18:42.943: ISAKMP:(0): beginning Main Mode exchange
    Mar  2 16:18:42.943: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_NO_STATE // Sending ISAKMP Policy to peer
    Mar  2 16:18:42.943: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Mar  2 16:18:42.943: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_NO_STATE // Sending ISAKMP Policy to peer
    Mar  2 16:18:42.947: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Mar  2 16:18:42.947: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
    Mar  2 16:18:42.947: ISAKMP:(0): processing SA payload. message ID = 0
    Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
    Mar  2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch // Do not worry about this! Not an ERROR!
    Mar  2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
    Mar  2 16:18:42.947:.!!!!
    Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
    R2(config)# ISAKMP:(0): processing vendor id payload
    Mar  2 16:18:42.947: ISAKMP:(0): processing IKE frag vendor id payload
    Mar  2 16:18:42.947: ISAKMP:(0):Support for IKE Fragmentation not enabled
    Mar  2 16:18:42.947: ISAKMP : Scanning profiles for xauth ...
    Mar  2 16:18:42.947: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
    Mar  2 16:18:42.947: ISAKMP:      encryption 3DES-CBC
    Mar  2 16:18:42.947: ISAKMP:      hash SHA
    Mar  2 16:18:42.947: ISAKMP:      default group 2
    Mar  2 16:18:42.947: ISAKMP:      auth RSA sig
    Mar  2 16:18:42.947: ISAKMP:      life type in seconds
    Mar  2 16:18:42.947: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    Mar  2 16:18:42.947: ISAKMP:(0):atts are acceptable. Next payload is 0
    Mar  2 16:18:42.947: ISAKMP:(0):Acceptable atts:actual life: 0
    Mar  2 16:18:42.947: ISAKMP:(0):Acceptable atts:life: 0
    Mar  2 16:18:42.947: ISAKMP:(0):Fill atts in sa vpi_length:4
    Mar  2 16:18:42.947: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    Mar  2 16:18:42.947: ISAKMP:(0):Returning Actual lifetime: 86400
    Mar  2 16:18:42.947: ISAKMP:(0)::Started lifetime timer: 86400.
    Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
    Mar  2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    Mar  2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
    Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
    Mar  2 16:18:42.951: ISAKMP:(0): processing IKE frag vendor id payload
    Mar  2 16:18:42.951: ISAKMP:(0):Support for IKE Fragmentation not enabled
    Mar  2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Mar  2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
    Mar  2 16:18:42.951: ISAKMP (0): constructing CERT_REQ for issuer cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
    Mar  2 16:18:42.951: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_SA_SETUP // Sending Key Exchange Information to peer
    Mar  2 16:18:42.951: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Mar  2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Mar  2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
    Mar  2 16:18:42.955: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_SA_SETUP // Receive key exchange information from peer
    Mar  2 16:18:42.955: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Mar  2 16:18:42.955: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
    Mar  2 16:18:42.959: ISAKMP:(0): processing KE payload. message ID = 0
    Mar  2 16:18:43.003: ISAKMP:(0): processing NONCE payload. message ID = 0
    Mar  2 16:18:43.007: ISAKMP:(1008): processing CERT_REQ payload. message ID = 0
    Mar  2 16:18:43.007: ISAKMP:(1008): peer wants a CT_X509_SIGNATURE cert
    Mar  2 16:18:43.007: ISAKMP:(1008): peer wants cert issued by cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
    Mar  2 16:18:43.007:  Choosing trustpoint CA_Server as issuer
    Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID is Unity
    Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID seems Unity/DPD but major 180 mismatch
    Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID is XAUTH
    Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.007: ISAKMP:(1008): speaking to another IOS box!
    Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.007: ISAKMP:(1008):vendor ID seems Unity/DPD but hash mismatch
    Mar  2 16:18:43.007: ISAKMP:received payload type 20
    Mar  2 16:18:43.007: ISAKMP (1008): His hash no match - this node outside NAT
    Mar  2 16:18:43.007: ISAKMP:received payload type 20
    Mar  2 16:18:43.007: ISAKMP (1008): No NAT Found for self or peer
    Mar  2 16:18:43.007: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Mar  2 16:18:43.007: ISAKMP:(1008):Old State = IKE_I_MM4  New State = IKE_I_MM4
    Mar  2 16:18:43.011: ISAKMP:(1008):Send initial contact
    Mar  2 16:18:43.011: ISAKMP:(1008):My ID configured as IPv4 Addr, but Addr not in Cert!
    Mar  2 16:18:43.011: ISAKMP:(1008):Using FQDN as My ID
    Mar  2 16:18:43.011: ISAKMP:(1008):SA is doing RSA signature authentication using id type ID_FQDN
    Mar  2 16:18:43.011: ISAKMP (1008): ID payload
              next-payload : 6
              type         : 2
              FQDN name    : R2
              protocol     : 17
              port         : 500
              length       : 10
    Mar  2 16:18:43.011: ISAKMP:(1008):Total payload length: 10
    Mar  2 16:18:43.019: ISAKMP (1008): constructing CERT payload for hostname=R2+serialNumber=FHK1502F2H8
    Mar  2 16:18:43.019: ISAKMP:(1008): using the CA_Server trustpoint's keypair to sign
    Mar  2 16:18:43.035: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Mar  2 16:18:43.035: ISAKMP:(1008):Sending an IKE IPv4 Packet.
    Mar  2 16:18:43.035: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Mar  2 16:18:43.035: ISAKMP:(1008):Old State = IKE_I_MM4  New State = IKE_I_MM5
    Mar  2 16:18:43.047: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_KEY_EXCH
    // "MM_KEY_EXCH" indicates that the peers have exchanged DH Public keys and generated a shared secret!
    Mar  2 16:18:43.047: ISAKMP:(1008): processing ID payload. message ID = 0
    Mar  2 16:18:43.047: ISAKMP (1008): ID payload
              next-payload : 6
              type         : 2
              FQDN name    : ASA1
              protocol     : 0
              port         : 0
              length       : 12
    Mar  2 16:18:43.047: ISAKMP:(0):: peer matches *none* of the profiles // Normal Message! Not an error!
    Mar  2 16:18:43.047: ISAKMP:(1008): processing CERT payload. message ID = 0
    Mar  2 16:18:43.047: ISAKMP:(1008): processing a CT_X509_SIGNATURE cert
    Mar  2 16:18:43.051: ISAKMP:(1008): peer's pubkey isn't cached
    Mar  2 16:18:43.059: ISAKMP:(1008): Unable to get DN from certificate!
    Mar  2 16:18:43.059: ISAKMP:(1008): Cert presented by peer contains no OU field.
    Mar  2 16:18:43.059: ISAKMP:(0):: peer matches *none* of the profiles
    Mar  2 16:18:43.063: ISAKMP:(1008): processing SIG payload. message ID = 0
    Mar  2 16:18:43.067: ISAKMP:received payload type 17
    Mar  2 16:18:43.067: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.067: ISAKMP:(1008): vendor ID is DPD
    Mar  2 16:18:43.067: ISAKMP:(1008):SA authentication status:
              authenticated
    Mar  2 16:18:43.067: ISAKMP:(1008):SA has been authenticated with 20.1.1.10
    Mar  2 16:18:43.067: ISAKMP: Trying to insert a peer 40.1.1.1/20.1.1.10/500/,  and inserted successfully 46519678. // SA inserted into SADB
    Mar  2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Mar  2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM5  New State = IKE_I_MM6
    Mar  2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Mar  2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM6  New State = IKE_I_MM6
    Mar  2 16:18:43.071: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Mar  2 16:18:43.071: ISAKMP:(1008):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
    Mar  2 16:18:43.071: ISAKMP:(1008):beginning Quick Mode exchange, M-ID of -1523793378
    Mar  2 16:18:43.071: ISAKMP:(1008):QM Initiator gets spi
    Mar  2 16:18:43.075: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE    
    Mar  2 16:18:43.075: ISAKMP:(1008):Sending an IKE IPv4 Packet.
    Mar  2 16:18:43.075: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
    Mar  2 16:18:43.075: ISAKMP:(1008):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
    Mar  2 16:18:43.075: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    Mar  2 16:18:43.075: ISAKMP:(1008):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
    Mar  2 16:18:43.079: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) QM_IDLE // IPSec Policies
    Mar  2 16:18:43.079: ISAKMP:(1008): processing HASH payload. message ID = -1523793378
    Mar  2 16:18:43.079: ISAKMP:(1008): processing SA payload. message ID = -1523793378
    Mar  2 16:18:43.079: ISAKMP:(1008):Checking IPSec proposal 1
    Mar  2 16:18:43.079: ISAKMP: transform 1, ESP_3DES
    Mar  2 16:18:43.079: ISAKMP:   attributes in transform:
    Mar  2 16:18:43.079: ISAKMP:      SA life type in seconds
    Mar  2 16:18:43.079: ISAKMP:      SA life duration (basic) of 3600
    Mar  2 16:18:43.079: ISAKMP:      SA life type in kilobytes
    Mar  2 16:18:43.079: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
    Mar  2 16:18:43.079: ISAKMP:      encaps is 1 (Tunnel)
    Mar  2 16:18:43.079: ISAKMP:      authenticator is HMAC-SHA
    Mar  2 16:18:43.079: ISAKMP:(1008):atts are acceptable. // IPSec attributes are acceptable!
    Mar  2 16:18:43.079: ISAKMP:(1008): processing NONCE payload. message ID = -1523793378
    Mar  2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
    Mar  2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
    Mar  2 16:18:43.083: ISAKMP:(1008): Creating IPSec SAs
    Mar  2 16:18:43.083:         inbound SA from 20.1.1.10 to 40.1.1.1 (f/i)  0/ 0
              (proxy 1.1.1.1 to 2.2.2.2)
    Mar  2 16:18:43.083:         has spi 0xA9A66D46 and conn_id 0
    Mar  2 16:18:43.083:         lifetime of 3600 seconds
    Mar  2 16:18:43.083:         lifetime of 4608000 kilobytes
    Mar  2 16:18:43.083:         outbound SA from 40.1.1.1 to 20.1.1.10 (f/i) 0/0
              (proxy 2.2.2.2 to 1.1.1.1)
    Mar  2 16:18:43.083:         has spi  0x2B367FB4 and conn_id 0
    Mar  2 16:18:43.083:         lifetime of 3600 seconds
    Mar  2 16:18:43.083:         lifetime of 4608000 kilobytes
    Mar  2 16:18:43.083: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE    
    Mar  2 16:18:43.083: ISAKMP:(1008):Sending an IKE IPv4 Packet.
    Mar  2 16:18:43.083: ISAKMP:(1008):deleting node -1523793378 error FALSE reason "No Error"
    Mar  2 16:18:43.083: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    Mar  2 16:18:43.083: ISAKMP:(1008):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE // At this point tunnels are up and ready to pass traffic!
    Verification Commands
    #show crypto isakmp SA
    #show crypto ipsec SA
    Kindly rate if you find the explanation useful !!
    Best Regards
    Sachin Garg

Maybe you are looking for

  • Possible to use iMovie HD with Yosemite?

    Just upgraded to Yosemite and was extremely bummed to find that iMovie HD is not compatible. I much prefer it for simple projects.  Any way to use it in Yosemite?

  • Problem with Fill tool in Windows 7 Paint

    I've seen variations on this question (such as http://social.technet.microsoft.com/Forums/en-US/w7itprogeneral/thread/8afa9277-686a-44e0-b488-e5bee4611cb5/ ), but none seem to address the specific problem I'm having; namely, that the Fill tool in MS-

  • Help by date format in UIX/XML

    In UIX/XML I would like to indicate the date fields in the format to 'DD.MM.YYYY '. I modify the properties of my view object and entity object in the window "structure window". It does not change view for anything. What wrong do I make? Who can help

  • Flash & XML ... Please help me !!??

    hi, i have flash document & i want to write some data one my xml docyment with flash. Plase help me. but i want to do it with flash and not to do with .Net or something like that ... if any one can help please mail me . My email address: [email prote

  • Media sync won't install

    I have the BB Curve 8330 from Boost Mobile & I have routinely installed, deleted, & reinstalled the BB Desktop Software because I could never get the Media Sync to work. It wouldn't install. So finally I went online & downloaded the newest version of