Traffic blocked on IPsec tunnel

I've allowed one private IP address to a specific machine on the tunnel ACL. My problem is that whenever there is no activity from the client side, the PIX will block the traffic.
To enable the traffic I need to ping the client IP from the specific machine.
Any idea what's wrong?

Your question is vague. If I understand, the symptom is that if you are not doing anything, when your allowed machine tries to communicate it cannot at first, but if you ping, it will work afterwards...
If that is the case, then you are observing normal behavior, in that the tunnel will go down after a period of time. To bring it back up, you simply have to send it interesting traffic.
The ping works, but any traffic destined for that remote side (that's allowed, of course) should bring it up.
Chris

Similar Messages

  • All the traffic goes through the IPsec tunnel (site to site), but something seems not to be working correctly

    Hi, all,
      I have seen a good post on google.com about how to make all the clients' traffic go through the IPsec tunnel and then out to the Internet from the Main site. Now I attach this configuration and application for discussion. The problem is that I am still confused by the configuration on the Main site; I hope someone can tell me in more detail how to accomplish it. Any answer will be appreciated, thank you!
    Quote :
    Question ? :
    Mine is a very simple configuration. I have 2 sites linked via an IPsec tunnel. Dallas is my main HQ (R1) and Austin (R2) is my remote office. I want all traffic from Austin to route through the tunnel up to Dallas, then out to the Internet.
    Dallas (Main) Lan Net is: 10.10.200.0/24
    Austin (Remote) LAN Net is: 10.20.2.0/24
    The Dallas (Main) site has a VPN config of:
    Local Net: 0.0.0.0/0
    Remote Net: 10.20.2.0/24
    The Austin (Remote) site has a VPN config of:
    Local Net: 10.20.2.0/24
    Remote Net: 0.0.0.0/0
    The tunnel gets established just fine.  From the Austin LAN clients, I can ping the router at the main site (10.10.200.1).  This is how I know the tunnel is created, but I cannot ping anything beyond the router from the Austin LAN, e.g. 8.8.8.8.
    I'm sure it's something simple I failed to configure.  Anyone have any pointers or hints?
    Answer:
    Thanks to Jimp from the other thread, I was able to see why it was not working.  To fix, I had to change the Outbound NAT on the main side to Manual.  Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0).  Basically, I just created a copy of the default rule and changed the Source network.
    Once I made this change, Voila!  Traffic from the remote side started heading out to the Internet.  Now all traffic flows thru the Main site.  It makes perfect sense why I needed to make this change, it just took a slap in the head from Jimp to point me in the right direction.
    My question ?
    The answer said: "To fix, I had to change the Outbound NAT on the main side to Manual. Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0). Basically, I just created a copy of the default rule and changed the Source network." What does this mean, and
    how do I do it? Could anybody give me the specific configuration? Thanks a lot.

    Thank you for Jouni's reply. Following is the configuration on the Cisco 2800 router, with no firewall enabled:
    crypto isakmp policy 100
     encr aes 256
     authentication pre-share
     group 2
    crypto isakmp key x.x.x address 0.0.0.0 0.0.0.0
    crypto isakmp keepalive 60
    !
    crypto ipsec transform-set IPsectrans esp-3des esp-md5-hmac
    !
    crypto dynamic-map IPsecdyn 100
     set transform-set IPsectrans
     match address 102
    !
    crypto map IPsecmap 100 ipsec-isakmp dynamic IPsecdyn
    !
    interface Loopback1
     ip address 10.10.200.1 255.255.255.0
    !
    interface FastEthernet0/0
     ip address 113.113.1.1 255.255.255.128
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
     crypto map IPsecmap
    !
    interface FastEthernet0/1
     ip address 192.168.1.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    ip route 0.0.0.0 0.0.0.0 113.113.1.2
    ip http server
    no ip http secure-server
    !
    ip nat inside source list 100 interface FastEthernet0/0 overload
    !
    access-list 100 permit ip 192.168.1.0 0.0.0.255 any
    access-list 102 permit ip any 10.20.2.0 0.0.0.255

  • How to pass RA VPN subnet traffic through an IPsec tunnel

    Dear geeks,
    I have two sites, let's call them main and DR, connected via an IPsec site-to-site VPN from Cisco ASA to Cisco ASA at both ends. I also have Remote Access VPN on both ends, to the main site as well as to the DR site.
    Now the question is: if I connect to the RA VPN at the DR site, can I pass the traffic from the RA subnet through the IPsec site-to-site tunnel to the main site, so that from the RA-VPN-connected PC I can directly access the servers in the main site as well? Can the RA subnet traffic be included in the crypto access-list of the site-to-site tunnel?
    Are there any drawbacks to this?
    Please do let me know if you need more details.
    thanks
    Manek

    This is a common implementation and is described in numerous articles; it is often referred to as "hairpinning" or "U-turn", as the traffic from the RA VPN comes in via the outside interface and then goes back out the same interface to the peer site.
    Three things are generally required:
    1. the appropriate access-list entries (referenced by the crypto map associated with the tunnel)
    2. NAT exemption for the RA subnet traffic headed to the peer site
    3. permitting traffic via same-security-interface.
    (You'll generally get better visibility for this sort of question on the VPN forum. You can recategorize your original post via the widget in the top right.)

  • ASA5500: TCP state bypass for traffic coming from an IPsec tunnel

    Hello!
    We have problems on the central firewall with restricting traffic coming from a remote office over IPsec. (The network scheme is attached.)
    All branch offices are connected to the central ASA through IPsec.
    The main aim is to control access from the branch offices only on the central firewall, NOT on each IPsec tunnel.
    According to the scheme:
    172.16.1.0/24 is one of the branch office LANs
    10.1.1.0/24 and 10.2.2.0/24 are central office LANs
    The crypto ACL looks like: permit ip 172.16.1.0/24 10.0.0.0/8
    The aim is to restrict access from 172.16.1.0/24 to 10.1.1.0/24.
    When packets are generated from host 10.1.1.10 to 172.16.1.0/24 all is OK: they are dropped by acl2.
    When packets are generated from 172.16.1.0/24 to 10.1.1.10 they are not dropped by any ACL. The reason is the stateful firewall: traffic bypasses all access lists on the return path.
    I thought that the TCP State Bypass feature could solve this problem and disable stateful firewall inspection for traffic coming from 172.16.1.0/24 to 10.1.1.0/24, but it didn't help.
    The central ASA 5500 is configured according to the Cisco doc http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.html
    access-list tcp_bypass_acl extended permit tcp 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
    class-map tcp_bypass_map
     description "TCP traffic that bypasses stateful firewall"
     match access-list tcp_bypass_acl
    policy-map tcp_bypass_policy
     class tcp_bypass_map
      set connection advanced-options tcp-state-bypass
    service-policy tcp_bypass_policy interface outside
    service-policy tcp_bypass_policy interface inside
    Does anyone know how to make TCP State Bypass work properly?

    I understand the pain of creating different crypto ACLs for different tunnels, but I have never come across a better solution. However, TCP state bypass is not going to help with restricting access. TCP state bypass is a way for the FW to act like a router, which does not do stateful inspection, and I don't think that fits your scenario.
    You can still control access on center site by using vpn-filters.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml
    Thanks
    Ajay

  • Incoming RTP traffic blocked by SPA112 ATA: UDP port unreachable

    Hi folks,
    I'm using a Cisco SPA112 ATA behind a NAT, where ports 5060, 5061 and 16384-16482 are forwarded. Registration to the SIP proxy also works fine. However, I'm struggling with audio issues, meaning that the RTP session is not set up properly.
    When investigating this issue at the packet-level, I found that the ATA itself is blocking traffic:
    21:00:21.857655 IP 192.168.x.y > 82.197.a.b: ICMP 192.168.x.y udp port 16452 unreachable, length 208
    The blocked port number varies per session, but is always between 16384 and 16482.
    Actually, the issue sounds very much like [1]. However, the proposed solution (disabling CDP) is of no help to me, since it's disabled on my ATA by default. Any clue what could be the reason for this behaviour? Your help is greatly appreciated.
    [1] https://supportforums.cisco.com/discussion/11470321/spa-962-intermittently-no-audio-rtp-port-closedunreachable

    Hi,
    You can try this packet tracer:
    packet input outside udp <External Source IP on the internet> 45657 <Outside interface IP> 43139 det
    For the captures, you just need to verify that the ASA device is passing the traffic through; as this is UDP traffic, we would not be able to find much.
    For more information on captures:
    https://supportforums.cisco.com/document/69281/asa-using-packet-capture-troubleshoot-asa-firewall-configuration-and-scenarios
    Let me know if you have any further queries.
    Thanks and Regards,
    Vibhor Amrodia

  • Tunnel traffic going inside IPsec tunnel

    Hi Everyone,
    Site A has an IPsec tunnel to Site B via ASA.
    Now the switch on Site A has a GRE tunnel, and the destination of that tunnel is going inside the IPsec tunnel.
    In other words, the IPsec tunnel between the 2 sites is also carrying the GRE tunnel traffic.
    Which command can I run on the ASA to know if IPsec is carrying GRE tunnel traffic, or
    what line in the ASA config will tell me that this IPsec tunnel is also carrying GRE tunnel traffic?
    Thanks
    MAhesh

    Hi Jouni,
    I cannot put the config here.
    But here is the info.
    sh crypto map shows the ASA outside interface, say GGG; this interface has an IPsec connection to the other site.
    Also, sh conn all | inc GRE shows a bunch of output.
    It shows the ASA outside interface that faces the WAN, say GGG, 8 times, and it has, say, the subnet range
    GRE GGG  10.22.31.4  XY 10.x.x.x.x
    GRE GGG  10.22.31.4  XY  10.x.x.x
    GRE GGG  10.22.31.3
    GRE GGG  10.22.31.3
    GRE GGG  10.22.31.3
    GRE GGG  10.22.31.4
    GRE GGG  10.22.31.4
    GRE GGG  10.22.31.4
    where XY is the interface of the ASA that is the next hop to the tunnel destination.
    IP 10.x.x.x is the tunnel source IP, which is a loopback on the switch.
    Do you know why it has 2 entries for the same ASA interface XY?
    Also, it has other entries for another ASA interface.
    So does the number of entries tell us the number of GRE connections running?
    Thanks
    MAhesh

  • NAT traffic over an IPsec tunnel (ISR)

    Hi.
    I'm supposed to set up an IPsec tunnel between an 1811 and some sort of CheckPoint firewall. The IPsec part isn't that big of a deal, but the system manager on the "CheckPoint side" wants the traffic through the tunnel to originate from a public IP address, and only one source IP address.
    So, let's say that my ISP has given me 10.10.1.1 - 10.10.1.5, our inside clients have IP addresses from the range 192.168.10.0/24, and the remote application at the "CheckPoint site" has the IP address 172.16.1.10. The result of this should be:
    The IPsec tunnel is created using the 10.10.1.1 IP address.
    The traffic from the 192.168.1.0/24 clients should access the application at 172.16.1.10 using 10.10.1.2 as the source address OVER the IPsec tunnel.
    Is this possible? I guess that it would mean that I have to NAT the traffic going through the IPsec tunnel, but I'm having trouble getting this to work. I have googled all day long looking for something similar.
    Anyone who could shed some light? Any insight appreciated.
    Cheers!
    /Johan Christensson

    Thanks jjohnston1127!
    Well, I guess that it would work, and I wasn't that far off, but I got stuck in the "ip nat inside" rule when I had to specify either a pool or an interface. It didn't occur to me that a pool could consist of just 1 IP address.
    However, this raised a new problem. The "match address" access-list that I use in the crypto map for the IPsec configuration currently looks something like this:
    access-list 150 permit ip host 10.10.1.2 host 172.16.1.10
    If I change it to something like this, the tunnel negotiation gets triggered:
    access-list 150 permit ip 192.168.1.0 0.0.0.255 host 172.16.1.10
    However, I assume that the negotiation fails because the tunnel configuration in my router has a different "local network" than the "remote network" at the CheckPoint site.
    Is this because the NATing doesn't get processed before the IPsec configuration?
    Can this behavior be changed?
    Best regards,
    Johan Christensson
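Two questions on this page come down to the same thing: which packets match a crypto map's "match address" ACL. The first post's tunnel only comes back up after a ping because only traffic matching that ACL is "interesting" and triggers negotiation, and Johan's question above is about what the ACL sees once NAT is involved. The Python below is an added example, not code from the page or from Cisco. It implements Cisco wildcard-mask matching for the numbered ACL syntax posted here and models the IOS inside-to-outside order of operations, in which the "ip nat inside source list" translation is applied before the crypto map's match address ACL is evaluated, so the crypto ACL has to name the translated address. The NAT list (access-list 101) and the one-address pool 10.10.1.2 used for Johan's case are assumptions for the illustration; ACL 100 and ACL 102 are taken from the 2800 configuration posted earlier.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask test: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Ace:
    """One 'permit ip' entry: source and destination, each with a wildcard."""
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def parse_acl(lines: List[str]) -> List[Ace]:
    """Parse 'access-list N permit ip <src> <dst>' lines, where <src>/<dst>
    is 'any', 'host A' or 'A WILDCARD' (the IOS numbered-ACL forms used on
    this page). Only 'permit ip' entries are modelled."""
    acl = []
    for line in lines:
        tok = line.split()
        if tok[:1] != ["access-list"] or tok[2:4] != ["permit", "ip"]:
            raise ValueError("unsupported entry: " + line)
        rest = tok[4:]
        fields: List[str] = []
        for _ in range(2):                       # source, then destination
            if rest[0] == "any":
                fields += ["0.0.0.0", "255.255.255.255"]
                rest = rest[1:]
            elif rest[0] == "host":
                fields += [rest[1], "0.0.0.0"]
                rest = rest[2:]
            else:
                fields += [rest[0], rest[1]]
                rest = rest[2:]
        acl.append(Ace(*fields))
    return acl


def matches(acl: List[Ace], src: str, dst: str) -> bool:
    """Permit-only ACL evaluation: any entry matching both ends permits."""
    return any(
        wildcard_match(src, e.src, e.src_wc) and wildcard_match(dst, e.dst, e.dst_wc)
        for e in acl
    )


def inside_to_outside(src: str, dst: str, nat_acl: List[Ace], nat_addr: str,
                      crypto_acl: List[Ace]) -> Tuple[str, bool]:
    """Model of the IOS inside->outside path: the 'ip nat inside source list'
    translation runs first (all matching sources become nat_addr, as with
    'overload' to an interface or a one-address pool), then the crypto map's
    'match address' ACL is checked against the translated packet.
    Returns (source address the peer will see, whether the packet is
    'interesting' and will bring the tunnel up)."""
    if matches(nat_acl, src, dst):
        src = nat_addr
    return src, matches(crypto_acl, src, dst)


# Johan's case: NAT list is an assumption; ACL 150 is the first form he posted.
NAT_101 = parse_acl(["access-list 101 permit ip 192.168.1.0 0.0.0.255 host 172.16.1.10"])
ACL_150_POST_NAT = parse_acl(["access-list 150 permit ip host 10.10.1.2 host 172.16.1.10"])
ACL_150_PRE_NAT = parse_acl(["access-list 150 permit ip 192.168.1.0 0.0.0.255 host 172.16.1.10"])

# From the 2800 config posted above: PAT everything to Fa0/0, crypto ACL any -> 10.20.2.0/24.
NAT_100 = parse_acl(["access-list 100 permit ip 192.168.1.0 0.0.0.255 any"])
ACL_102 = parse_acl(["access-list 102 permit ip any 10.20.2.0 0.0.0.255"])


def demo() -> dict:
    """Run the three scenarios and return what the peer sees for each."""
    return {
        "johan_post_nat_acl": inside_to_outside("192.168.1.20", "172.16.1.10", NAT_101, "10.10.1.2", ACL_150_POST_NAT),
        "johan_pre_nat_acl": inside_to_outside("192.168.1.20", "172.16.1.10", NAT_101, "10.10.1.2", ACL_150_PRE_NAT),
        "2800_to_austin": inside_to_outside("192.168.1.10", "10.20.2.5", NAT_100, "113.113.1.1", ACL_102),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The third scenario is worth noting: with the posted ACL 100 there is no deny for the Austin subnet, so a packet for 10.20.2.0/24 is translated to the Fa0/0 address before the crypto check; it still matches ACL 102 (source "any") and is encrypted, but the remote side sees 113.113.1.1 rather than the LAN host.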

  • Does a Cisco router support a "TCP reset" message when traffic is blocked by an access list?

    hi ,
    I'm trying to find out: if I block a destination with an access list on Cisco,
    can I send a "tcp-reset" to that connection instead of dropping it?
    I believe it is supported on the ASA appliance, but I'm not sure if it is supported on Cisco routers.
    I'm trying to migrate from a Linux router to a Cisco router and apply the same config. One of the challenging tasks is that I have
    "reject-with=tcp-reset"
    and I'm wondering if I can do that on a Cisco router.
    Waiting for your response.
    Regards

    One of the things that keeps me engaged with these forums is that they challenge me and give me opportunities to learn new things. My initial reaction to your question about IPS on an IOS router was to say that this is not supported. But I did some research and found that apparently IPS functionality is now supported on some (but not all) Cisco IOS routers. See this link for additional detail:
    http://www.cisco.com/c/en/us/products/collateral/security/ios-intrusion-prevention-system-ips/product_data_sheet0900aecd803137cf.html
    HTH
    Rick

  • Inbound Traffic Blocked

    I am running VPN Client Version 5.0.00.0340. I have internal and external NICs on the server. Once I have the tunnel established (on the internal NIC) I seem to be dropping the inbound packets between the external and internal NICs. Any suggestions?

    Well, no, not really. The VPN client will establish the connection to the remote end using the local routing table it has. From that point onwards, that is the terminating IP address of the VPN session. The machine itself should be assigned an IP address from the remote VPN server; this IP address will be used to receive and send encrypted traffic from the central end.
    If you have an internal NIC in the server you also have the VPN client on... do you want to send traffic from your LAN through the VPN client to the remote end? If so, the external and internal NICs must be on the same IP subnet, as the remote VPN client cannot be used as a pass-through device between 2 different subnets... unless you perform NAT on the device with the VPN client... and if you are doing that, you may as well just buy a firewall or router!
    HTH.

  • VLAN x traffic blocked on trunk

    Hi ,
    Can someone please explain to me why a trunk link between two Cisco switches does not allow VLAN x traffic if VLAN x is not locally configured?
    In my lab I have three switches (2950, but it is the same with 2960, 3750 etc.).
    Switch 1 is connected by trunk to switch 2, and switch 2 is connected by trunk to switch 3.
    Switch 1 and switch 3 have VLAN 10 and interface VLAN 10 configured, whereas switch 2 does not have VLAN 10 configured.
    VTP is disabled (transparent mode) on all switches.
    Switch 2 does not permit switch 1 to ping switch 3 until I configure VLAN 10.
    2950#sh int fa 0/9 status
    Port      Name               Status       Vlan       Duplex  Speed Type
    Fa0/9                        connected    trunk      a-full  a-100 10/100BaseTX
    2950#sh int fa 0/9 trun
    Port        Mode         Encapsulation  Status        Native vlan
    Fa0/9       on           802.1q         trunking      1
    Port      Vlans allowed on trunk
    Fa0/9       1-4094
    Port        Vlans allowed and active in management domain
    Fa0/9       1-2,11,101
    Port        Vlans in spanning tree forwarding state and not pruned
    Fa0/9       1-2,11,101
    2950#sh vtp status
    VTP Version                     : 2
    Configuration Revision          : 0
    Maximum VLANs supported locally : 128
    Number of existing VLANs        : 8
    VTP Operating Mode              : Transparent
    VTP Domain Name                 : daniele
    VTP Pruning Mode                : Disabled
    VTP V2 Mode                     : Disabled
    VTP Traps Generation            : Disabled
    MD5 digest                      : 0x63 0x6C 0xF9 0xF6 0xB9 0xDC 0xBE 0xF3
    Configuration last modified by 192.168.0.103 at 0-0-00 00:00:00
    2950#
    It seems that VLAN 10 is pruned, but I don't understand why (VTP is disabled).
    Thanks a lot for you help
    Daniele

    Hi lnrdnl78d,
    So I will give this a go; not quite sure how an uploaded image looks.
    I have mocked up what I have understood from your explanation, so feel free to correct me if I have got this wrong :)
    However, assuming in this situation that VTP is enabled (which I know you have disabled in yours, but hoping this helps):
    In this situation client 1 sends a broadcast to client 2.
    With VTP pruning enabled, switch 2 will learn that switch 4 has no ports connected to VLAN 2,
    so the trunk link to switch 4 will have VLAN 2 pruned from the trunk link,
    but switches 2 and 3 will receive the broadcast, and switch 3 will be the only one to forward it out the connected port.
    From my understanding this is what you have configured in your lab, apart from switch 4, which I added to fit the example.
    Does this help demonstrate it at all, or am I way off?

  • SMTP traffic blocked by ISP: how do you handle it?

    I have recently installed OCFO 10.1.3.07. We were using POP accounts previously, and I had 2 accounts created in Outlook (one using my SMTP server as the outgoing mail server and the 2nd using the user's ISP SMTP server) to let users send emails from home by selecting the account in Outlook before sending their mail, without having them configure anything.
    I am now stuck here. I tried replicating the same kind of setup using OCFO and a secondary IMAP4 account, but it doesn't work. The mail stays in the outbox. The only way to send from their homes is to run the configuration wizard and change the SMTP server address.
    How do you handle this? Am I taking the wrong approach here?
    Thanks for any inputs.

    For anyone who might be interested,
    I have submitted an SR to Oracle support, and the workaround for this issue is to create a 2nd mail profile and configure OCFO with a different SMTP server within that profile.

  • RVL200 IPSEC: Channel all or some data traffic through tunnel, possible?

    Is it at all possible to channel all/some data traffic through an established IPsec tunnelled connection using the RVL200?
    I have successfully established an IPsec connection between RVL200 and RV042 routers and am able to connect to servers/computers behind it.
    Now I want to channel all or some traffic through the IPsec tunnel for computers that reside on the 192.168.1.0 subnet of the RVL200 network.
    Main office - RV042 router - 10.200.62.1
    Remote office - RVL200 router - 192.168.1.1
    I am trying to use the Advanced Routing option to add static routes but I am not 100% sure if I am configuring the routes correctly.
    To give an example of routing DNS requests for HOTMAIL.COM [65.55.72.183]:
    Destination IP - 65.55.0.0
    SM - 255.255.0.0
    GW - 10.200.62.1
    Hop - 1
    Interface - LAN
    For some reason this does not appear to work. I have also tried using the interface setting of WAN and tested - this also does not work.
    Can this be done? If anyone has tried doing this I would be very interested in finding out how to configure this.
    Cheers.
    MP

    For some reason the DNS IP settings do not seem to work.
    I started looking at the option of using the QuickVPN client, which appears to have a setting for enabling Remote DNS.
    I have set up a test user on both the RV042 and the RVL200 to test if I can overcome the Split DNS limitation. But for some reason I can't connect to either of the two routers. I have installed the client on a 64-bit Windows 7 client machine which has the Windows Firewall service enabled.
    I keep getting the error below; there is no conflict with the IP address scheme and the password is correct.
    Could it be that this new client does not support the older Linksys-badged RV0xx routers? Because Split DNS is only supported on v3 hardware. The firmware on my RVL200 is v1.1.12.1.
    What should I check to enable connectivity using this client? Or is it because it does not support 64-bit Windows 7? I have even exported the certificates for both Admin and User into the C:\Program Files (x86)\Cisco Small Business\QuickVPN Client folder.

  • Security zone for IPSec traffic

    Hi.
    Suppose I have classic static IPsec with a remote site like this:
    crypto map CRYPTOMAP 10 ipsec-isakmp
     set peer x.x.x.x
     set transform-set TS
     match address crypto_acl
    ip access-list extended crypto_acl
     permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
    interface Fas0/0
     ip address <some internet address>
     crypto map CRYPTOMAP
    !
    interface Fas0/1
     ip address 10.1.0.1 255.255.0.0
    !
    ip route 10.2.0.0 255.255.0.0 <ISP address>
    Now I want to establish a zone-based firewall.
    I create zones:
    zone security INET
    zone security REMOTE_SITE
    zone security LAN
    !
    zone-pair blah-blah...
    !
    interface Fas0/0
     zone-member INET
    !
    interface Fas0/1
     zone-member LAN
    How do I put traffic passing through the IPsec tunnel into zone REMOTE_SITE???
    Note: this is NOT ASA, this is IOS.
    Note 2: the remote site is not Cisco and I cannot create a Tunnel interface.

    Hello Utair,
    You need only 2 interfaces,
    The one that connects to the internal devices
    The one that connects to the outside interface (where the crypto-map is usually applied)
    Just match the traffic from the internal interface to the outside interface and apply the right action
    Same thing for the traffic that will be generated in the other site to the Local Area Network
    Do you follow me?
    For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/
    Cheers,
    Julio Carvajal Segura

  • ZBF self zone and IPsec/L2TP dial-in

    Hi,
    I have a router that has an IPsec/L2TP dial-in VPN and uses ZBF for firewalling, including the self zone.
    The same router also has VTI GRE/IPsec tunnels to other sites.
    For the static VTI GRE/IPsec tunnel, I had to allow ISAKMP and ESP to/from the routers, but I didn't have to allow GRE. It appears that since the GRE traffic is 'encapsulated' within IPsec and belongs to an SA, the GRE to/from the router is 'passed' without any more intervention (which is fine by me, because I only want IPsec-encapsulated GRE traffic and _not_ 'raw' GRE).
    Now for the L2TP VPN that's not the case. I have to allow connections from my WAN zone to self on the L2TP UDP port... and I find it annoying because I can't differentiate between L2TP traffic that _was_ IPsec protected and L2TP traffic that wasn't IPsec protected (and so someone could start an L2TP session without setting up IPsec protection).
    So in ZBF, is there a way to allow L2TP traffic only when it was encapsulated in IPsec?
    Cheers,
        Sylvain

    For anyone else who has a similar issue, I raised the issue with Cisco TAC and the solution was to use a Cisco AVpair of
    lcp:interface-config=zone security <zonename>
    I also had to add:
    aaa policy interface-config allow-subinterface
    Once I did this it worked a treat.

  • Monitoring IPSec Tunnel Bandwidth Utilization

    We have a Cisco ASA 5520 supporting multiple VPNs - both remote-access  and Lan-to-Lan.  We would like to monitor the bandwidth utilization of the IPSec Lan-to-Lan tunnels. How can we do that?
    Thanks,
    Spr

    Hi Spr,
    Check out VPNTTG (VPN Tunnel Traffic Grapher). It is software for SNMP monitoring and measuring the traffic load of IPsec (Site-to-Site, Remote Access) and SSL (with client, clientless) VPN tunnels on a Cisco ASA. It allows the user to see the traffic load on a VPN tunnel over time in graphical form.
    The advantage of VPNTTG over other SNMP-based monitoring software is the following: other (commonly used) software works with static OID numbers, i.e. whenever a tunnel disconnects and reconnects, it gets assigned a new OID number. This means that the historical data gathered on the connection is lost each time. However, VPNTTG works with the VPN peer's IP address and stores the historical monitoring data for each VPN tunnel in a database.
    For more information about VPNTTG please visit www.vpnttg.com
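If you would rather not install a product, the per-peer byte counters the ASA already reports can be sampled and differenced. The Python below is an added example, not code from the page, from Cisco or from VPNTTG. It parses two snapshots of "show vpn-sessiondb detail l2l" output taken a known interval apart and turns the "Bytes Tx" / "Bytes Rx" counters into bits per second per LAN-to-LAN peer. The two snapshots are constructed for this example and only approximate the real output layout; the peer addresses are documentation addresses. The one edge case worth handling is the one the reply above raises: when a tunnel drops and is rebuilt between samples its counters restart from zero, so a counter that went backwards is treated as a fresh count rather than a negative rate.

```python
import re
from typing import Dict, Tuple

# Constructed samples, 60 s apart, in the shape of 'show vpn-sessiondb detail l2l'.
# The numbers are made up; the second peer's counters have restarted (tunnel rebuilt).
SNAP_T0 = """\
Session Type: LAN-to-LAN Detailed

Connection   : 203.0.113.2
Index        : 5                      IP Addr      : 203.0.113.2
Protocol     : IKEv1 IPsec
Encryption   : IKEv1: (1)AES256  IPsec: (1)AES256
Hashing      : IKEv1: (1)SHA1  IPsec: (1)SHA1
Bytes Tx     : 1000000                Bytes Rx     : 250000
Login Time   : 09:00:00 UTC Mon Jan 1 2024
Duration     : 0h:10m:00s

Connection   : 198.51.100.9
Index        : 7                      IP Addr      : 198.51.100.9
Protocol     : IKEv1 IPsec
Bytes Tx     : 4000                   Bytes Rx     : 8000
Duration     : 0h:02m:00s
"""

SNAP_T1 = """\
Session Type: LAN-to-LAN Detailed

Connection   : 203.0.113.2
Index        : 5                      IP Addr      : 203.0.113.2
Protocol     : IKEv1 IPsec
Bytes Tx     : 1600000                Bytes Rx     : 310000
Duration     : 0h:11m:00s

Connection   : 198.51.100.9
Index        : 9                      IP Addr      : 198.51.100.9
Protocol     : IKEv1 IPsec
Bytes Tx     : 1200                   Bytes Rx     : 900
Duration     : 0h:00m:20s
"""

CONN_RE = re.compile(r"^Connection\s*:\s*(\S+)")
BYTES_RE = re.compile(r"Bytes Tx\s*:\s*(\d+)\s+Bytes Rx\s*:\s*(\d+)")


def parse_sessiondb(text: str) -> Dict[str, Tuple[int, int]]:
    """Return {peer: (bytes_tx, bytes_rx)}. Each 'Connection :' line starts a
    session record; the first 'Bytes Tx ... Bytes Rx' line after it is its counters."""
    peers: Dict[str, Tuple[int, int]] = {}
    current = None
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = BYTES_RE.search(line)
        if m and current is not None:
            peers[current] = (int(m.group(1)), int(m.group(2)))
    return peers


def tunnel_rates(before: Dict[str, Tuple[int, int]],
                 after: Dict[str, Tuple[int, int]],
                 interval_s: float) -> Dict[str, Tuple[float, float]]:
    """Per-peer (tx_bps, rx_bps) for peers present in both samples.
    A counter lower than in the previous sample means the tunnel was torn
    down and re-established in between; the new value is then counted from
    zero, which is the best estimate available once the old SA's data is gone."""
    rates: Dict[str, Tuple[float, float]] = {}
    for peer, (tx1, rx1) in after.items():
        if peer not in before:
            continue
        tx0, rx0 = before[peer]
        dtx = tx1 - tx0 if tx1 >= tx0 else tx1
        drx = rx1 - rx0 if rx1 >= rx0 else rx1
        rates[peer] = (dtx * 8 / interval_s, drx * 8 / interval_s)
    return rates


def demo(interval_s: float = 60.0) -> Dict[str, Tuple[float, float]]:
    """Rates computed from the two constructed snapshots above."""
    return tunnel_rates(parse_sessiondb(SNAP_T0), parse_sessiondb(SNAP_T1), interval_s)


if __name__ == "__main__":
    for peer, (tx, rx) in demo().items():
        print(f"{peer:16} tx {tx:10.0f} bps   rx {rx:10.0f} bps")
```

Feed it real output by capturing the command twice (over SSH, or from the SNMP byte counters if you prefer) and keying on the peer address rather than the session index, since the index changes on every reconnect.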
