Site to Site ASA to Sonic Wall
Currently, my ASA can send packets to the SonicWall VPN. But when SW attempts to respond in phase 2, they get an error "NO_PROPOSAL_CHOSEN". Our settings appear to be identical. Any ideas?
Thank you,
Mar 20 2013 09:56:14: %ASA-5-713904: IP = 204.11.46.228, Received encrypted packet with no matching SA, dropping
Mar 20 2013 09:56:15: %ASA-5-713904: IP = 204.11.46.228, Received encrypted packet with no matching SA, dropping
Mar 20 2013 09:56:31: %ASA-5-713904: IP = 204.11.46.228, Received encrypted packet with no matching SA, dropping
Mar 20 2013 09:56:32: %ASA-5-713904: IP = 204.11.46.228, Received encrypted packet with no matching SA, dropping
Mar 20 2013 09:56:55: %ASA-5-111008: User 'burgesfl' executed the 'terminal no monitor' command.
Mar 20 2013 09:56:55: %ASA-5-111010: User 'burgesfl', running 'CLI' from IP 10.55.6.5, executed 'terminal no monitor'
Mar 20 2013 09:57:00: %ASA-5-111008: User 'burgesfl' executed the 'debug crypto ipsec 190' command.
Mar 20 2013 09:57:00: %ASA-5-111010: User 'burgesfl', running 'CLI' from IP 10.55.6.5, executed 'debug crypto ipsec 190'
Mar 20 2013 09:57:05: %ASA-5-111008: User 'burgesfl' executed the 'terminal monitor' command.
Mar 20 2013 09:57:05: %ASA-5-111010: User 'burgesfl', running 'CLI' from IP 10.55.6.5, executed 'terminal monitor'
VPN#
Similar output each time for both commands.
-
Sonic Wall NetExtender stuck on "processing"
Sonic Wall NetExtender 7.0.203 is not getting past "processing" when connecting. Works fine in Windows 8.1. Have tried re-installing to no avail.
I'm having the same problem with Sonic Wall NetExtender on Windows 10: it stops on "processing" and then the program just becomes non-responsive.
-
Hi,
I can't connect to work via Sonic Wall VPN using AEBS as router. Right now my AEBS is only used for connecting AirDisks and Internet is via my old Linksys router. Using the Linksys for VPN is no problem. Tried Apple support but it's like hitting a brick wall. They do not support VPN, they say...??
Arghh.. I'm not looking for VPN support but a solution to a faulty router device.
Does anyone have an idea of what to do?
Hi,
Setup AD authentication in a Sonicwall Firewall
1. Create a security group in Active Directory or select a pre-defined group
2. Add the appropriate members to the security group for content filtering.
3. Import Group
4. Assign CFS Policy
5. Edit CFS Policy
6. Force authentication
Original post
Setup authentication in Sonicwall.
Hope this helps.
-
Multiple sites ASA's connected to Cable modems with same DHCP address
I have several locations with an ASA 5505 installed behind a cable modem. The cable modem is issuing DHCP for the same network address range in these locations. I have the outside interface obtaining DHCP from the cable modem network and the ASAs are receiving the same outside address. I have the remotes set to use EZVPN to create the VPN tunnel back to the head-end ASA 5540. I am seeing constant rekeying for phase 2 for those remote sites. Is there anything I can do short of assigning each ASA a unique outside address?
Dave
The Linksys doing NAT is the reason why the ASA sees all the traffic as having source address as 192.168.2.1. The only way for the ASA to see the original 192.168.1.x address is to change the Linksys to not do NAT.
One thing that I notice is that there is not a route statement in what you posted for the 192.168.1.0 network. It is not clear whether the route does exist and you did not post it or whether the route does not exist. But if it does not exist it would certainly be a reason why you lose Internet connectivity when you change the Linksys to not perform NAT. (the ASA would have no knowledge of how to forward to the network and would drop all the traffic). Try adding the route to the ASA and changing the Linksys to not perform NAT and let us know if it works.
HTH
Rick
-
Site-to-site ASA and Router IOS
Hi everyone! I am trying to connect a site-to-site between an ASA and a router 3900 series. My question is what should I have to configure in the router site to protect my LAN from any external attack?
Thanks
Check the posting below...
https://supportforums.cisco.com/thread/70943
Also, make sure to allow site-to-site tunnel related ports from ASA IP only.
hth
MS
-
Where did Sonic Wall come from, & how do i get rid of it?
I've just installed Firefox 5, and now I'm being blocked from some sites by "SonicWall Content Filtering Service". I don't know where this program came from, and I want it off my 'puta ASAP. It's not affecting Internet Explorer. Can anyone help me?
http://www.sonicguard.com/ContentFilteringService.asp
That isn't related to the installation of Firefox. Are you using a school or business network?
http://answers.yahoo.com/question/index?qid=20080225084757AAxUMXC
-
VOIP over VPN need clarification
Hi,
Recently I have implemented Site-to-Site VPN between ASA and sonic wall firewall.
Problem: I am able to make a call from the ASA-side (inside) IP phone to the sonic wall (inside) side IP phone and vice versa and it rings, but I am not able to hear voice. So I created a VOIP over VPN configuration and applied the appropriate service policy towards the outside interface. But I still was not able to hear voice.
Tried the troubleshooting steps mentioned below:
From the ASA side we had two subnets (10.20.1.x/24 – Data and 10.20.2.x/24 – Voice) and one subnet (192.168.x.x/24) from the sonic wall side as interesting traffic (LAN to LAN). When I configured the site-to-site configuration on both ends, my phase-1 and phase-2 came UP and the sites were able to communicate with each other. (In the interesting traffic I created two objects and bound those objects into one object-group as the source, i.e. the ASA-side LAN subnets, and one object for the remote LAN as the destination.)
My call manager sits behind the ASA and IP phones need to communicate from the sonic wall side to inside the ASA.
So I supernetted the data subnet and voice subnet into a single network, i.e. 10.20.x.x/16, at the ASA side and applied the configuration changes (changed the ACL, no-NAT rule and voice QoS ACL accordingly), and now I am able to hear voice at both ends and can communicate properly from the ASA inside IP phone to the Sonic wall inside IP phone and vice versa.
My question: I don't understand the logic of how this supernetting resolved the dead-voice issue.
Please clarify; I'm a bit confused on this.
It's not recommended. Although VPNs guarantee a secure pipe end-to-end, they don't guarantee latency or variation in latency (jitter).
-
ASA 5505 Site to Site and Web VPN
Hello all, I need to add a site-to-site tunnel from an ASA 5505 (ver 8.05) to a Sonic wall appliance. The problem is, the ASA already has remote access VPN and AnyConnect VPN configured. I'm not sure if it's possible to add another secured tunnel to the device. I've already got one NAT 0 statement.
Thanks for your expert opinions!
Hi,
There should be no problem adding a Site to Site VPN on the ASA even if it has Client VPN configured.
If you for example have an "inside" interface which has NAT0 configuration like
nat (inside) 0 access-list NAT0
You just add the needed ACL lines to that existing ACL for the L2L VPN.
On the basis of the information you provided I don't see any problem configuring the L2L VPN on the ASA.
- Jouni
-
ASA 5505 Isolated Networks with Site-to-Site VPN Access
I'm in the process of setting up an ASA 5505 for a remote site and needed some assistance determining if what I want to do is possible as well as if I need to upgrade the license from Base to Security Plus.
Remote Site ASA 5505 Interfaces:
Outside (Interface 0) - Public Internet, Static IP (Connected to Sierra Wireless AirLink Gateway)
AMI (Interface 1) (VLAN 742) - 10.40.31.129/25
SCADA (Interface 2) (VLAN 772) - 10.70.0.5/30
I need to ensure that the two internal VLANs cannot access/talk to one another and the "SCADA" network cannot access Internet, just remote subnets across a VPN tunnel.
ASA will need to have three IPsec tunnels:
Tunnel 1 to SCADA Firewall
Remote Site - 10.70.0.4/30 Subnet
Central Site - 10.101.41.0/24 Subnet
Tunnel 2 to Corporate Firewall
Remote Site - 10.40.31.129/25 Subnet
Central Site - 192.168.110.0/24 and 192.168.210.0/24 Subnet
Tunnel 3 to Partner Firewall
Remote Site - 10.40.31.129/25 Subnet
Partner Site Subnets
The ASA is running 9.1(5) and ASDM 7.1(6).
I've attached a diagram of what the connections look like between sites.
I reviewed your attached diagram and am trying to give you as much as I can.
Other gurus, please correct me if I am missing anything.
If I remember correctly, with the Base license you can set up VPN peers.
interface Ethernet0/0
nameif outside
security-level 0
ip address public ip, subnet mask
int e0/1
nameif AMI
security-level 100
ip add 10.40.31.129 255.255.255.128
int e0/2
nameif SCADA
security-level 10
ip add 10.70.0.5 255.255.255.252
route outside 0.0.0.0 0.0.0.0 public IP
tunnel-group 173.8.244.181 type ipsec-l2l
tunnel-group 173.8.244.181 ipsec-attributes
ikev1 pre-shared-key Pr3$h@r3DkEyScAdA
tunnel-group 173.8.244.189 type ipsec-l2l
tunnel-group 173.8.244.189 ipsec-attributes
ikev1 pre-shared-key Pr3$h@r3DkEyC0Rp
tunnel-group 148.80.252.60 type ipsec-l2l
tunnel-group 148.80.252.60 ipsec-attributes
ikev1 pre-shared-key Pr3$h@r3DkEypArTN3R
crypto ikev1 enable outside
! enables IKEv1 on the outside interface
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 15
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association lifetime seconds 86400
crypto ipsec ikev1 transform-set kerseyami esp-aes-256 esp-sha-hmac
crypto map VPN 10 match address SCADA
crypto map VPN 10 set peer 173.8.244.181
crypto map VPN 10 set ikev1 transform-set kerseyami
crypto map VPN 10 set security-association lifetime seconds 86400
crypto map VPN 20 match address CORP
crypto map VPN 20 set peer 173.8.244.189
crypto map VPN 20 set ikev1 transform-set kerseyami
crypto map VPN 20 set security-association lifetime seconds 86400
crypto map VPN 30 match address PARTNER-FW
crypto map VPN 30 set peer 148.80.252.60
crypto map VPN 30 set ikev1 transform-set kerseyami
crypto map VPN 30 set security-association lifetime seconds 86400
crypto map VPN interface outside
access-list SCADA extended permit ip 10.70.0.4 255.255.255.252 10.101.41.0 255.255.255.0
access-list CORP extended permit ip 10.40.31.128 255.255.255.128 192.168.110.0 255.255.255.0
access-list CORP extended permit ip 10.40.31.128 255.255.255.128 192.168.210.0 255.255.255.0
access-list PARTNER-FW extended permit ip 10.40.31.128 255.255.255.128 subnets behind your Partner-FW
Note: on the other side of the firewalls (SCADA side, CORP side and Partner FW side) you need to configure the same pre-shared key, the same crypto IKEv1 and IKEv2 policies and the same interesting traffic in order to have this working.
Let us know how this works.
JD...
-
Site-to-site VPN with dual ASA 5510s
Hi,
I have recently been asked to configure a VPN between two sites using an ASA 5510 at each end. I used the VPN Site-to-site wizard in ASDM on both devices and followed the instructions for the wizard to the letter. However, I don't seem able to get any kind of VPN up and running. If anyone could point out where I'm going wrong then I would very much appreciate it.
Here is the sanitised running config of SiteA:
ASA Version 8.0(2)
hostname MCRASA
domain-name isal.local
enable password xxx
names
interface Ethernet0/0
description External WAN
nameif outside
security-level 0
ip address 81.*.*.82 255.255.255.240
interface Ethernet0/1
description Internal LAN
nameif inside
security-level 100
ip address 192.168.254.2 255.255.255.0
interface Ethernet0/2
description Demarcation zone
nameif dmz
security-level 50
ip address 10.30.30.1 255.255.255.0
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
description MCRASA management
nameif management
security-level 100
ip address 192.168.2.1 255.255.255.0
management-only
passwd xxx
ftp mode passive
dns server-group DefaultDNS
domain-name isal.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_1_cryptomap extended permit ip 192.168.254.0 255.255.255.0 host 82.*.*.50
access-list inside_nat0_outbound extended permit ip 192.168.254.0 255.255.255.0 host 82.*.*.50
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 81.*.*.82 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.254.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 82.*.*.50
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.254.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access management
dhcpd address 192.168.2.2-192.168.2.5 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
webvpn
csd image disk0:/securedesktop-asa-3.2.1.103-k9.pkg
username fraser password xxx encrypted privilege 15
username fraser attributes
memberof LOCAL
tunnel-group 82.*.*.50 type ipsec-l2l
tunnel-group 82.*.*.50 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:xxx
-
Site to Site VPN issues between PIX506 and ASA5505
Hello all, I have a PIX506 running 635, and an ASA5505 running 722. The PIX is at corporate and is set up for remote VPN access. The remote user VPN is working. I have also attempted to do a site-to-site VPN to the ASA, but it's not working correctly. I feel like I am missing something, but I can't figure it out. Your help would be greatly appreciated. Sanitized relevant config is below.
Corporate
PIX Version 6.3(5)
access-list split_tunnel permit ip 192.168.119.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list nonat permit ip 192.168.119.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list nonat permit ip 192.168.119.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.119.0 255.255.255.0 172.16.2.0 255.255.255.0
ip address outside xxx.yyy.170.160 255.255.255.0
ip address inside 192.168.119.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set ESP-AES-256-SHA
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address outside_cryptomap_20
crypto map mymap 20 set pfs group2
crypto map mymap 20 set peer aaa.bbb.175.218
crypto map mymap 20 set transform-set ESP-3DES-SHA
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication w2k3
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address aaa.bbb.175.218 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 10
isakmp nat-traversal 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash sha
isakmp policy 30 group 5
isakmp policy 30 lifetime 86400
vpngroup vpners address-pool ippool
vpngroup vpners dns-server 192.168.119.11
vpngroup vpners default-domain mydomain.local
vpngroup vpners split-tunnel split_tunnel
vpngroup vpners idle-time 1800
vpngroup vpners password ********
Remote Site
ASA Version 7.2(2)
interface Vlan1
nameif inside
security-level 100
ip address 172.16.2.1 255.255.0.0
interface Vlan2
nameif outside
security-level 0
ip address aaa.bbb.175.218 255.255.128.0
access-list outside_20_cryptomap extended permit ip 172.16.2.0 255.255.255.0 192.168.119.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.2.0 255.255.255.0 192.168.119.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer xxx.yyy.170.160
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
tunnel-group xxx.yyy.170.160 type ipsec-l2l
tunnel-group xxx.yyy.170.160 ipsec-attributes
pre-shared-key *
I just figured it out. I did not issue the sysopt connection permit-ipsec on the ASA5505. Issuing that command made it work.
-
Hi,
I have an active connection vpn site to site with one remote site (ASA to ASA) i want to configure another one on same interface;
Main site is 1.1.1.1
Remote site 1 : 2.2.2.2
Main site and Remote site 1 has active connection,
i want to add another one:
Main site is :1.1.1.1
Remote site 2 : 3.3.3.3
Both tunnels should be active. What should I do to configure this connection? Also, I want a different pre-shared key for each connection (I don't want to share the pre-shared key of the active connection).
How can I achieve this?
Hello alkabeer alkabeer,
you can build the second VPN tunnel as how you have created the first one.
crypto map outside_map (Order number) match address outside_cryptomap_20
crypto map outside_map (Order number) set peer X.X.X.X
crypto map outside_map (Order number) set transform-set (Eg: ESP-3DES-MD5)
Use the transform set correctly on both firewalls.
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
pre-shared-key *************
access-list outside_cryptomap_20 extended permit ip (Inside network) X.X.X.X (remote inside network) X.X.X.X
access-list inside_nat0_outbound extended permit ip (Inside network) X.X.X.X (remote inside network) X.X.X.X
nat (inside) 0 access-list inside_nat0_outbound (this no-NAT statement would already be there in the firewall)
Depending on your firewall version, the NAT statement differs.
And now your tunnel should be working.
checking show commands:
sh cry isa sa
sh cry ipsec sa
Please let us know if this is working for you.
Potha
-
Communicate Directly Between VPN Tunnel Sites
I have an ASA 5505 in the main office and at several remote sites. I have setup a site to site vpn tunnel between the main office and each remote site, "Hub and Spoke". I can ping between the main office through each tunnel to the respective remote site. I need to be able to ping directly from each remote site to all other remote sites. Please note I am using ASDM to configure the ASA 5505's. tks
There are a few things you need to do here.
Main ASA
1. Enable "same-security-traffic permit intra-interface" to allow the VPN traffic to bounce off the outside interface on the hub firewall.
2. Edit your interesting traffic (crypto) ACLs to reflect the new traffic which will be part of the VPN tunnels between main and remote sites. For instance, right now your crypto ACLs include traffic between the main site and remote sites. You need to add ACL entries for traffic between remote site and remote site. The config below will allow traffic from remote site 1 to remote site 2.
access-list crypto1 extended permit ip
access-list crypto1 extended permit ip
access-list crypto2 extended permit ip
access-list crypto2 extended permit ip
Remote ASAs
1. Add the new interesting traffic (crypto) ACLs, a mirror of the ACLs at the main site ASA.
access-list crypto1 extended permit ip
access-list crypto1 extended permit ip
access-list crypto2 extended permit ip
access-list crypto2 extended permit ip
2. Add a NAT exemption for traffic from remote sites to remote sites on each remote ASA.
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
-
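The replies above (Jouni's NAT0 note, Potha's second-tunnel template and the hub-and-spoke steps) keep coming back to the same gaps: a crypto ACL per peer, a matching NAT 0 exemption, a tunnel-group for the peer and a defined transform-set. As an added example that is not code from any of the posters, here is a small Python checker for the pre-8.3 ASA syntax used in these threads; the config it runs on is constructed, and only network/mask ACEs are parsed (`host`/`object` forms are skipped).

```python
import re
from collections import defaultdict

# Constructed sample: a spoke ASA in pre-8.3 NAT syntax with two L2L entries. Entry 20
# deliberately lacks a NAT 0 exemption, a tunnel-group and a defined transform-set.
SAMPLE_CONFIG = """\
access-list crypto1 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list crypto2 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 10 match address crypto1
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 20 match address crypto2
crypto map outside_map 20 set peer 203.0.113.20
crypto map outside_map 20 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key *****
"""

# Only the network/mask ACE form is parsed; 'host' and 'object' forms are skipped.
ACL_RE = re.compile(r"^access-list (\S+) extended permit \S+ (\S+ \S+) (\S+ \S+)$")
CMAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)$")
CMAP_IF_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) ")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
TG_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")
ISAKMP_RE = re.compile(r"^crypto isakmp enable (\S+)$")


def parse_asa(config):
    """Collect the L2L-relevant objects from a pre-8.3 ASA running config."""
    cfg = {"acls": defaultdict(list), "entries": defaultdict(dict), "transform_sets": set(),
           "nat0_acls": set(), "tunnel_groups": set(), "applied": {}, "isakmp_ifaces": set()}
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            cfg["acls"][m.group(1)].append((m.group(2), m.group(3)))
        elif m := CMAP_RE.match(line):
            key = {"match address": "acl", "set peer": "peer", "set transform-set": "ts"}[m.group(3)]
            cfg["entries"][(m.group(1), int(m.group(2)))][key] = m.group(4)
        elif m := CMAP_IF_RE.match(line):
            cfg["applied"][m.group(1)] = m.group(2)
        elif m := TS_RE.match(line):
            cfg["transform_sets"].add(m.group(1))
        elif m := NAT0_RE.match(line):
            cfg["nat0_acls"].add(m.group(1))
        elif m := TG_RE.match(line):
            cfg["tunnel_groups"].add(m.group(1))
        elif m := ISAKMP_RE.match(line):
            cfg["isakmp_ifaces"].add(m.group(1))
    return cfg


def check_l2l(cfg):
    """Return one finding per gap; an empty list means every crypto map entry is complete."""
    findings = []
    # Every flow a crypto ACL selects must also be exempt from NAT, or it is translated first.
    exempt = {flow for name in cfg["nat0_acls"] for flow in cfg["acls"].get(name, [])}
    for (cmap, seq), e in sorted(cfg["entries"].items()):
        where = f"crypto map {cmap} {seq}"
        acl = e.get("acl")
        if acl not in cfg["acls"]:
            findings.append(f"{where}: match ACL {acl!r} is missing or has no usable ACEs")
        else:
            for src, dst in cfg["acls"][acl]:
                if (src, dst) not in exempt:
                    findings.append(f"{where}: flow {src} -> {dst} in {acl} has no NAT 0 exemption")
        peer = e.get("peer")
        if peer not in cfg["tunnel_groups"]:
            findings.append(f"{where}: peer {peer!r} has no 'tunnel-group <peer> type ipsec-l2l'")
        if e.get("ts") not in cfg["transform_sets"]:
            findings.append(f"{where}: transform-set {e.get('ts')!r} is not defined")
        iface = cfg["applied"].get(cmap)
        if iface is None:
            findings.append(f"{where}: crypto map {cmap} is not applied to any interface")
        elif iface not in cfg["isakmp_ifaces"]:
            findings.append(f"{where}: ISAKMP is not enabled on {iface}")
    return findings


if __name__ == "__main__":
    for finding in check_l2l(parse_asa(SAMPLE_CONFIG)) or ["no gaps found"]:
        print(finding)
</test>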
Cannot ping inside IP behind sonicwall from Cisco ASA 5500
I have a sonicwall at site B and the cisco asa5500 at the main office. (site A)
The site to site VPN is working, but I can not ping the inside ip (10.1.5.2) of the sonic wall from Site A. I need this only to access the computers behind the sonicwall for remote desktop and dameware.
I have another office that also has a sonicwall (same config) and I can ping that inside IP from Site A.
I can not see why I can ping one site and not the other.
What needs to be configured on the ASA 5500 to be able to ping inside the sonicwall at site B?
I prefer the wizard over the CLI.
Thanks,
Hi
AFAIK, no, you cannot do VPN, transparent mode and routing in the same unit.
I would not want the DMZ and the outside interface to have overlapping IP address ranges.
Logging and trying to keep track of it all would be way too confusing for me.
So what I would do is to split the external network into two network units (/25) and move all the units that can be moved to a DMZ with RFC 1918 addresses.
The units that cannot be moved from the external network would have to stay put "for now" in another DMZ with the 190 addresses /25.
This would need the ISP to change their routing table in the edge equipment; the lower (or upper) part of 190.X.X.X/25 would be the DMZ and needs to be routed to the firewall IP address.
Then as time passes the DMZ will be depopulated as equipment is moved out and replaced, and in the end you will have the ISP merge the two 190.x.x.x/25 address ranges into one /24 and you will be back to today's setup but with all the servers in an RFC 1918 network.
Do not use NAT, use PAT instead when it comes to the IP addresses translated from the Internet side. It makes for a much more secure network and you do not need as many IP addresses (in a normal case).
With NAT you are translating the whole IP address, but with PAT you translate the port, so you can have IP X port 25 go to IP Y port 25 and then you can have IP X port 80 go to IP Z port 80 or maybe 8080 or whatever port you want.
Good luck
HTH
-
Hello,
I have two ASA-sites, Site A and Site B. ASA type is 5512-X. In Site A there is a router behind ASA which I try to ping.
When I try to ping from Site B (192.168.11.11 laptop) to Site A Cisco router's management address (192.168.100.1)
Site B ASA tells that
"the ASA deny inbound icmp src 192.168.11.11 ip address destination management 192.168.100.1."
Here is Site B ACL's, is there some errors or missing something? How ACL and NAT should be configured that traffic between these two LAN would success?
access-list outside_cryptomap extended permit object-group DM_INLINE_SERVICE_1 object site-SiteB object-group DM_INLINE_NETWORK_1
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_2 object site-SiteB
nat (inside,outside) source static site-SiteB site-SiteB destination static SiteA SiteA no-proxy-arp route-lookup inactive
access-group outside_access_in in interface outside
Thanks for the help.
OK, here...
It seems that tunnel between my LAN-to-LAN network 11.0 <-> 20.0 works?
But I would like to use my management network 100.0 at Site A and also at Site B.
How this should be configured that from Site B (management address 100.5) can have management access to Site A (100.1) through this tunnel?
Address 100.1 is located behind SiteA ASA and address 100.5 is located behind SiteB ASA.
ASA01# show isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 10.0.1.2
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
ASA01# show crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 10.0.1.1
access-list outside_cryptomap extended permit icmp 192.168.20.0 255.255.255.0 192.168.11.0 255.255.255.0
local ident (addr/mask/prot): (192.168.20.0/255.255.255.0/1)
remote ident (addr/mask/prot): (192.168.11.0/255.255.255.0/1)
current_peer: 10.0.1.2
#pkts encaps: 9218, #pkts encrypt: 9218, #pkts digest: 9218
#pkts decaps: 9218, #pkts decrypt: 9218, #pkts verify: 9218
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 9218, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 10.0.1.1/0, remote crypto endpt.: 10.0.1.2/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: A9B7358F
current inbound spi : 41511E3F
inbound esp sas:
spi: 0x41511E3F (1095835199)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
slot: 0, conn_id: 1945600, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914987/9138)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xA9B7358F (2847356303)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
slot: 0, conn_id: 1945600, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914987/9138)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
BR,
Terno