Tunnel Traffic going inside IPSEC tunnel

Hi Everyone,
Site A has IP Sec Tunnel to Site B via ASA.
Now Switch on Site A has GRE tunnel and destination of that tunnel is going inside the IPSEC tunnel.
In other words IPSEC tunnel between 2 sites is also carrying the GRE Tunnel Traffic.
Which command i can run on ASA to know if IPSEC is carrying GRE tunnel traffic or
What line in ASA config will tell me that this IPSEC is also carrying GRE tunnel traffic?
Thanks
MAhesh

Hi Jouni,
I can not put config here.
But here is the info
sh crypto map shows ASA outside interface say GGG this interface has ipsec connection to other site.
also sh conn all | inc GRE shows bunch of output.
It shows ASA outside inetrface which is to WAN say GGG 8 times and it has say subnet range
GRE GGG 10.22.31.4 XY 10.x.x.x.x
GRE GGG 10.22.31.4 XY 10.x.x.x
GRE GGG 10.22.31.3
GRE GGG 10.22.31.3
GRE GGG 10.22.31.3
GRE GGG 10.22.31.4
GRE GGG 10.22.31.4
GRE GGG 10.22.31.4
Where XY is interface of ASA which is next hop to tunnel destination.
IP 10.x.x.x is the tunnel source IP which is loopback on the switch.
Do you know why it has 2 entries for same ASA interface XY ?
Also it has other entries for other ASA interface.
So does number of entries tell us number of GRE connections running ?
Thanks
MAhesh
Message was edited by: mahesh parmar

Similar Messages

ASA5500: TCP state bypass for traffic, coming from IPsec tunnel

Hello!
We have problems on central firewall with restricting traffic coming from remote office from IPsec. (The network sheme is attached)
All branch offices are connected to central asa though IPsec.
The main aim is to rule access from branch offices only on the central firewall, NOT on each IPsec tunnel
According to the sheme:
172.16.1.0/24 is on of the branch office LANs
10.1.1.0/24 and 10.2.2.0/24 are central office LAN
The crypto ACL looks like permit ip 172.16.1.0/24 10.0.0.0/8
The aim is to
restrict access from 172.16.1.0/24 to 10.1.1.0/24
When packets are generated from host 10.1.1.10 to 172.16.1.0/24 all is ok - they are dropped by acl2
When packets are generated from 172.16.1.0/24 to 10.1.1.10 they are not dropped by any ACL - the reason is stateful firewall - traffic bypasses all access lists on a back path
I thought that TCP State Bypass feature can solve this problem and disable stateful firewall inspection for traffic coming from 172.16.1.0/24 to 10.1.1.0/24, but it didn't help.
The central asa 5500 is configured according to cisco doc http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.html
access-list tcp_bypass_acl extended permit tcp 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
class-map tcp_bypass_map
description "TCP traffic that bypasses stateful firewall"
match access-list tcp_bypass_acl
policy-map tcp_bypass_policy
class tcp_bypass_map
set connection advanced-options tcp-state-bypass
service-policy tcp_bypass_policy interface outside
service-policy tcp_bypass_policy interface inside
Does anyone know, how to make TCP State Bypass works properly?

I understand the pain of creating diffrent crypto for diffrent tunnels but i never come across better solution. However TCP state bypass is not going to help in regards to restrict access. TCP state bypass is a way to for FW to act like router which does not do statefull and I dont think that fits in your scenario.
You can still control access on center site by using vpn-filters.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml
Thanks
Ajay

NAT traffic over a IPSec tunnel (ISR)

Hi.
I's suppose to setup i IPSec tunnel between an 1811 and some sort of CheckPoint firewall. The IPSec part isen't that big of a deal, but the system manager on the "CheckPoint side" want the traffic though the tunnel should originate from a public IP-address, and only one source IP-address.
So, Let say that my ISP have given me 10.10.1.1 - 10.10.1.5, our inside clients have an IP-address from the range 192.168.10.0/24, and the remote application in the "Checkpoint site" has the IP-address 172.16.1.10. The result of this should be:
IPSec tunnel is created using the 10.10.1.1 IP-address.
The traffic from the 192.168.1.0/24 clients should access the application at 172.16.1.10 using 10.10.1.2 as source address OVER the IPSec tunnel.
Is this possible? I guess that it would mean that I have to NAT the traffic going though the IPSec tunnel, but I'm having trouble getting this to work. I have googled all day long looking for something similar.
Anyone who could shed some light? Any insight appreciated.
Sheers!
/Johan Christensson

Thanks jjohnston1127!
Well, i guess that it would work, and I wasen't that far off, but got stuck in the "ip nat inside" rule when I where to specify either a pool och an interface. It diden't accur to me that a pool chould just consist of 1 IP-address.
How ever, this raised a new problem. The "match address" access-list that I use in the crypto map for the IPSec configuration currently looks something like this:
access-list 150 permit ip host 10.10.1.2 host 172.16.1.10
If i change it to something like this, the tunnel negotiation get triggerd.
access-list 150 permit ip 192.168.1.0 0.0.0.255 host 172.16.1.10
How ever i assume that the negotiation failes because the tunnel configuration in my router has a different "local network" than the "remote network" at the Checkpoint site.
Is this because that the NAT'ing dosen't get processed before the IPSec configuration?
Can this behavior be changed?
Best regards,
Johan Christensson

All the traffic go through IPsec tunnel(site to site ) ,but something seems not working correctly

Hi, all,
I have seen a good post in google.com about how to make all the client's traffic though IPsec tunnel then out to the Internet from the Main site,now I attach this configuration and application for discussion, and what the problem is that I am still confused with the configuration on Main site , I hope anyone who can tell me more detail and how to accomplish it. Any answer will be appreciated , thank you !
Quote :
Question ? :
Mine is a very simple configuration. I have 2 sites linked via an IPsec tunnel. Dallas is my Main HQ R1 and Austin R2 is my remote office. I want all traffic from Austin to route thru the tunnel up to Dallas, then out to the Internet.
Dallas (Main) Lan Net is: 10.10.200.0/24
Austin (Remote) LAN Net is: 10.20.2.0/24
The Dallas (Main) site has a VPN config of:
Local Net: 0.0.0.0/0
Remote Net: 10.20.2.0/24
The Austin (Remote) site has a VPN config of:
10.20.2.0/24
Remote Net: 0.0.0.0/0
The tunnel gets established just fine. From the Austin LAN clients, I can ping the router at the main site (10.10.200.1). This is how I know the tunnel is created, but I cannot ping anything beyond the router from the Austin LAN, e.g. 8.8.8.8.
I'm sure it's something simple I failed to configure. Anyone have any pointers or hints?
Answer:
Thanks to Jimp from the other thread, I was able to see why it was not working. To fix, I had to change the Outbound NAT on the main side to Manual. Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0). Basically, I just created a copy of the default rule and changed the Source network.
Once I made this change, Voila! Traffic from the remote side started heading out to the Internet. Now all traffic flows thru the Main site. It makes perfect sense why I needed to make this change, it just took a slap in the head from Jimp to point me in the right direction.
My question ?
The answer said "To fix, I had to change the Outbound NAT on the main side to Manual. Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0). Basically, I just created a copy of the default rule and changed the Source network." what this mean and
how to do it , could anybody give me the specific configuration ? thanks a lot.

Thank you for Jouni's reply, following is the configuration on Cisco 2800 router ,no firewall enable, :
crypto isakmp policy 100
encr aes 256
authentication pre-share
group 2
crypto isakmp key x.x.x address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60
crypto ipsec transform-set IPsectrans esp-3des esp-md5-hmac
crypto dynamic-map IPsecdyn 100
set transform-set IPsectrans
match address 102
crypto map IPsecmap 100 ipsec-isakmp dynamic IPsecdyn
interface Loopback1
ip address 10.10.200.1 255.255.255.0
interface FastEthernet0/0
ip address 113.113.1.1 255.255.255.128
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map IPsecmap
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ip route 0.0.0.0 0.0.0.0 113.113.1.2
ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0/0 overload
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip any 10.20.2.0 0.0.0.255

How to pass ra vpn subnet traffic through an ipsec tunnel

Dear geeks,
I have two sites lets call it main and dr connected via ipsec site to site vpn from cisco asa to cisco asa at both the ends. I also have Remote access vpn on both the ends to the main site as well as on the dr site.
Now the question is if i connect to the ra vpn to the dr site can i pass the traffic from the ra subnet through the ipsec site to site to the main site so from the ra vpn connected pc i can directly access the servers in the main site also. the ra subnet traffic can it be included in the crypto access-list in the site to site .
is there any drawbacks for this ..
please do let me know if you need more details.
thanks
Manek

This is a common implementation and described in numerous articles - it is often referred to as "hairpinning" or "U-Turn" as the traffic from RA VPN comes in via outside interface and then back out same interface to the peer site.
Three things are generally required:
1. the appropriate access-list entries (referenced by the crypto map associated with the tunnel)
2. NAT exemption for the RA subnet traffic headed to the peer site
3. permitting traffic via same-security-interface.
(You'll generally get better visibility for this sort of question on the VPN forum. You can recategorize your original post via the widget in the top right.)

Unidirectional IPSec tunnel

I have 3 routers (2 x 2811, 1 x 1841 all with hardware encryption) on 12.4(17) code. Customer was using GRE tunnels inside IPSec tunnels (using crypto maps) for the purpose of enabling dynamic routing between the sites. The DR router was moved to a new location with a different Internet IP address. Since then we have had issues with the IPSec tunnels (which makes me suspect there were issues before, even though the customer claims it was working ok). IOS code was 12.4(4)T, we have upgraded due to the issues we had. Also configured PSK instead of certs to eliminate that as an issue. Will go back to using certs once we get it all working.
Now HO to DR and HO to MSt works fine. DR to MSt is a one way tunnel. Traffic from MSt is never received on the DR router. "Sh crypto ipsec sa" on the MSt router shows packets being encrypted and decrypted. On the DR router it only shows packets being encrypted, but zero packets being decrypted.
All services are DSL. On HO and MSt the DSL service is terminated on the router. At DR it is terminated on an ISP device and connected to the DR router via ethernet.
I reconfigured DR and MSt routers to use a GRE tunnel with the 'tunnel protection ipsec profile' feature and we have the same issue. The GRE tunnel works fine unencrypted, but is only one way when encrypted.
I have tried disabling NAT and access lists, though with these enabled the GRE tunnel works ok unencrypted. I have also tried disabling the hardware encryption.
I have done a lot of IOS IPSec work and never been unable to get things working so this one has me stumped.
Any suggestions would be appreciated.

Hi,
Thanks for your input.
I have already tried the following between DR and MSt:
int tunnel
ip address private_ip subnet_mask
tunnel source outside_interface_name
tunnel destination peer_address
tunnel protection ipsec profile blah
We get the same symptoms as in the original config. If I remove the tunnel protection command, and leave the tunnel unencrypted, it works fine. In the original config the tunnel source and destination addresses are loopbacks on each router:
int tunnel
ip address private_ip subnet_mask
tunnel source loopback0
tunnel destination remote-router-loopback0
The crypto map was matching all traffic between the tunnel source/destination addresses. A static route for the remote loopback0 points out the interface with the crypto map. I wondered if I'd have trouble using a crypto map for HO to DR while using the tunnel protection feature for DR to MSt, but the symptoms are identical. Also, the IPSec SA's for the tunnel interface are created correctly.

IPSEC tunnel Phase 1 and 2

Guys was checking ASA config and we have many IPSEC tunnels
one of the IPSEC tunnel has follwoing
crypto map clientmap 40 set transform-set ESP-3DES-MD5 ESP-3DES-SHA
whats does the second means normally oter IPSEC has
crypto map clientmap 14 set transform-set ESP-3DES-MD5
what is a clientmap anyway will appriciate if someone plz explain

Hi,
The "crypto map" settings belong to the Phase II portion of your VPN tunnel (with some exceptions).
Here you usually define the following paratemers (most common):
1- Protected traffic, "match address" command.
2- Transform-set, integrity and authentication.
3- VPN peer.
So the transform-set "ESP-3DES-SHA" probably is "esp-3des esp-sha-hmac" which means:
ESP with the 3DES encryption algorithm.
ESP with the SHA (HMAC variant) authentication algorithm,
Now, you can have many valid combinations like "ESP-3DES-SHA" and "ESP-3DES-MD5", this would be useful in case you do not know which transform-set the other side of the tunnel has configured (there must be at least one perfect match).
Here is good link to set up L2L tunnels on ASAs:
Configuring LAN-to-LAN VPNs
Hope to help.
Portu.
Please rate any helpful posts

Tunnel traffic only goes in one direction

I have established the VPN tunnel, verified with show isakmp and ipsec commands as well as watching the real time log in ASDM. The catch is the VPN tunnel can only be initiated from the remote end (Fortigate VPN Firewall) and I can ping from a remote computer, see the ICMP packet enter the tunnel, and see in the log on the ASA the ICMP with the remote source IP and no echo reply is sent back over the tunnel. If I try to ping from behind the local ASA and the tunnel isn't up, it never goes up. I am not sure what the problem is. I setup a different tunnel to my home ASA to ASA and everything works fine between the local ASA (192.168.150.1) and my home ASA (192.168.1.1).
I have been going through the "Most common L2L and Remote Access VPN" troubleshooting doc form Cisco and will turn on NAT-T on both ends, but what else do I need to do?
: Saved
ASA Version 8.2(1)
hostname <HIDDEN>
domain-name <HIDDEN>.com
enable password <HIDDEN> encrypted
passwd <HIDDEN> encrypted
names
dns-guard
interface Vlan1
nameif inside
security-level 100
ip address 192.168.150.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.252
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
banner motd [WARNING]
banner motd If you are not authorised to access this system exit immediately.
banner motd Unauthorised access to this system is forbidden by company policies, national, and
international laws.
banner motd Unauthorised users are subject to criminal and civil penalties as well as company
initiated disciplinary proceedings.
banner motd By entry into this system you acknowledge that you are authorised to access it and
have the level of privilege at which you subsequently operate on this system.
banner motd You consent by entry into this system to the monitoring of your activities.
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 4.2.2.1
name-server <hidden>
domain-name <hidden>.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service rdp tcp
description used for windows remote desktop
port-object eq 3389
object-group service vnc tcp
description used for vnc remote control software
port-object eq 5900
access-list outside_1_cryptomap extended permit ip 192.168.150.0 255.255.255.0 1.2.0.0
255.255.0.0
access-list outside_access_in extended permit icmp any any
access-list inside_nat0_outbound extended permit ip 192.168.150.0 255.255.255.0 1.2.0.0
255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.150.0 255.255.255.0 192.168.1.0
255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.150.0 255.255.255.0 192.168.1.0
255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.150.0 255.255.255.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http server idle-timeout 120
http 192.168.1.0 255.255.255.0 inside
http 192.168.150.0 255.255.255.0 inside
http 1.2.0.0 255.255.0.0 inside
http 0.0.0.0 0.0.0.0 outside
http 192.168.200.0 255.255.255.0 inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer <hiddenpublicip1>
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map 1 set nat-t-disable
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer <hiddenpublicip2>
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
email <hidden>
subject-name CN=<hidden>
serial-number
ip-address 192.168.150.1
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 9f49814d
    3082026d 308201d6 a0030201 0202049f 49814d30 0d06092a 864886f7 0d010104
    0500307b 31173015 06035504 03130e49 6e656f73 2d44656c 61776172 65316030
    12060355 0405130b 4a4d5831 35303434 32394330 1a06092a 864886f7 0d010908
    130d3139 322e3136 382e3135 302e3130 2e06092a 864886f7 0d010902 1621496e
    656f732d 44656c61 77617265 2e496e65 6f732d44 656c6177 6172652e 636f6d30
    1e170d31 31303331 36323333 3730335a 170d3231 30333133 32333337 30335a30
    7b311730 15060355 0403130e 496e656f 732d4465 6c617761 72653160 30120603
    55040513 0b4a4d58 31353034 34323943 301a0609 2a864886 f70d0109 08130d31
    39322e31 36382e31 35302e31 302e0609 2a864886 f70d0109 02162149 6e656f73
    2d44656c 61776172 652e496e 656f732d 44656c61 77617265 2e636f6d 30819f30
    0d06092a 864886f7 0d010101 05000381 8d003081 89028181 008bc900 70d74224
    d5b0dd7f e3ee482d a236c04e 91f237f3 842198d3 30283a64 029d0ac3 19a40674
    dd5faa07 ff5cbd76 62183f13 7903bb92 cb69c600 c87fec4e 7c420f55 86b2c3e0
    fc948c5e b06e59ee dd9c1500 7578ef88 a06b3395 8f3040a0 71017df0 8e935f2f
    fbd83fa0 f7413498 bd36d95e dd00386e 4344f483 2b68174f 9d020301 0001300d
    06092a86 4886f70d 01010405 00038181 00275371 8660da69 ebcea01d 5fe969e8
    919d0b96 3044f6c6 0052a4cc 14c89ec4 6d89b2e3 05069550 84740f26 6a03f28c
    290cba8e 4d339abc a14db63e acc2e041 1a8fc569 fd3fd443 b9f73a6e 4e405cba
    a77a4613 5c4c2f76 c861476c d7f4a404 5456c296 964614c2 4e69d02f a8b30c8e
    845117de d21d7794 aaaf5866 160ee2bd de
quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.150.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 60
management-access inside
dhcpd address 192.168.150.100-192.168.150.131 inside
dhcpd dns 4.2.2.1 4.2.2.2 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.43.244.18 source outside prefer
webvpn
tunnel-group <hiddenpublicip1> type ipsec-l2l
tunnel-group <hiddenpublicip1> ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
tunnel-group <hiddenpublicip2> type ipsec-l2l
tunnel-group <hiddenpublicip2> ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:34326277fd2eb3caaa97e939b52ce4f2
: end
no asdm history enable

Thanks for your help. There are no NAT devices between the endpoints (the ASA has NAT but I have exempted this traffic from it, don't think I would still need NAT-T).
Here are the results when I try to initiate the VPN from the ASA to the Fortigate, just sits there (if I initiated from the Fortigate it was be State:ACTIVE).
sho crypto isakmp sa
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: x.x.x.x
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
sho crypto ipsec sa
There are no ipsec sas
debug crypto isakmp
HOSTNAME# debug crypto ipsec
HOSTNAME# Mar 20 20:14:43 [IKEv1]: IP = x.x.x.x, Removing peer from p
eer table failed, no match!
Mar 20 20:14:43 [IKEv1]: IP = x.x.x.x, Error: Unable to remove PeerTblEntry
Mar 20 20:15:18 [IKEv1]: IP = x.x.x.x, Removing peer from peer table failed
, no match!
Mar 20 20:15:18 [IKEv1]: IP = x.x.x.x, Error: Unable to remove PeerTblEntr

Can I terminate, then rebuild, an IPsec Tunnel inside an ASA

My user in Reno wants to send data to Vermont, but has to go through the Kansas ASA.
The Reno to Kansas hop must be AES-128.
The Kansas to Vermont hop must be AES-256.
Can the firewall in Kansas terminate one tunnel, then build a second tunnel, without having to leave the ASA?
In other words, I do not bent-pipe it to a server via the Inside address.
Thanks
jc

Hi,
So if I understood you correctly, you would want to build 2 L2L VPN connections from Kansas. One to Reno and one to Vermont? And you want users from Reno to be able to connect to Vermont through these connections?
There should be no problem doing this. There is no need for the traffic from Reno to go through the local network of Kansas. It will simply take a turn at the "outside" interface of Kansas and head out towards Vermont through the other L2L VPN connection.
Some things you have to take into considerations when configuring are
Reno will need to define that the traffic destined to Kansas and Vermont LANs is defined on the L2L VPN connection towards Kansas
Reno will need to define NAT0 configurations for the above mentioned traffic from Reno to Kansas and Reno to Vermont
Kansas will need to have 2 L2L VPN configurations.
Kansas will need to define that traffic between the Reno and Vermont networks is defined on both of the above mentioned L2L VPN configurations
Kansas will need to have NAT0 configurations on its "outside" interface for the Reno and Vermont networks so that traffic between them will flow
Kansas will also need the "same-security-traffic permit intra-interface" configuration. This will permit the traffic from Reno to head to Vermont through the same interface it entered from. This is because the traffic will enter from "outside" and will also leave from "outside"
Vermont will naturally have the same kind of needs as Reno as its a spoke in the topology also.
Also I guess you always have the option to configure a L2L VPN directly between Reno and Vermont without Kansas having anything to do with that setup.
Hopefully the information was helpfull I am not sure if this is just at planning stages or if you had already tried to configure it and had some problems?
- Jouni

GRE traffic can not pass through LRT224 IPSec Tunnel

Hi,
We have a trouble when using Cisco Router GRE tunnel plus LRT224 IPSec Gateway-Gateway Tunnel.
We found after reboot, GRE packets can not pass trough LRT224 IPSec tunnel. need to restart serval time then gre will back to normal.
Besides that, GRE keepalive packets can not pass trough LRT224 IPSec Tunnel.
please help. I had tried to upgrade to latest firmware version.
Firmware Version : v1.0.3.09 (Dec 26 2014 14:28:46)
A-END:
interface Tunnel1
ip address 10.216.80.105 255.255.255.252
ip mtu 1400
ip nat outside
ip virtual-reassembly in
ip tcp adjust-mss 1360
ip ospf network point-to-point
ip ospf hello-interval 3
ip ospf cost 10000
tunnel source 10.216.81.2
tunnel destination 10.216.80.90
end
B-END:
interface Tunnel11
ip address 10.216.80.110 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
ip ospf network point-to-point
ip ospf cost 10000
ip ospf hello-interval 3
tunnel source 10.216.80.91
tunnel destination 10.216.81.3
end
CISCO2911 <> LRT224 <> INTERNET <> LRT224 <> CISCO 2621
San

Can you post the results from the below command for the Cisco Routers?
IOS Command: "sh version"
Why not static route without NAT through the LRT224 IPSec VPN?
Just curious why did you use LRT224's for the Site to Site VPN instead of the Cisco Routers?
Please remember to Kudo those that help you.
Linksys
Communities Technical Support

Multiple site to site IPSec tunnels to one ASA5510

Question on ASA VPN tunnels. I have one ASA 5510 in our corporate office, I have two subnets in our corporate office that are configured in the ASA in a Object group. I have a site to site IPSEC tunnel already up and that has been working. I am trying to set up another site to site IPSEC tunnel to a different location that will need to be setup to access the same two subnets. I'm not sure if this can be setup or not, I think I had a problem with setting up two tunnels that were trying to connect to the same subnet but that was between the same two ASA's. Anyways the new tunnel to a new site is not coming up and I want to make sure it is not the subnet issue. The current working tunnel is between two ASA 5510's, the new tunnel we are trying to build is between the ASA and a Sonicwall firewall. Any help would be appreciated.

Hi,
Regarding setting up the new L2L VPN connection..
Should be no problem (to my understanding) to configure the new L2L VPN connection through the other ISP interface (0/3). You will need to atleast route the remote VPN peers IP address towards that link. The L2L VPN forming should add a route for the remote networks through that L2L VPN. If not reverse route injection should handle it in the cryptomap configurations.
I guess rest of the setup depends on what will be using the 0/0 ISP and what will be using the 0/3 ISP.
If you are going to put the default route towards the 0/3 ISP you will have to think of something for the 0/0 ISP if some of your local LAN devices are going to use it for Internet also. (Possible routing problems) On the other hand if you have remote VPN Client users using the 0/0 ISP there should be no routing problem for them as they would be initiating connection through that 0/0 ISP link through ASA so ASA should know where to forward the return traffic.
Most of my 2 ISP setups have been implemented with a router in front of the actual ASA/PIX/FWSM firewalls where the router has performed Policy Routing based on the source IP address from the firewalls and then settings the correct gateway towards the correct ISP.
- Jouni

Cisco ASA 5505 IPSec tunnel won't establish until remote site attempts to connect

I have a site to site IPSec tunnel setup and operational but periodically the remote site goes down, because of a somewhat reliable internet connection. The only way to get the tunnel to re-establish is to go to the remote site and simply issue a ping from a workstation on the remote network. We were having this same issue with a Cisco PIX 506E but decided to upgrade the hardware and see if that resolve the issue. It ran for well over a year and our assumtions was that the issue was resolved. I was looking in the direction of the security-association lifetime but if we power cycle the unit, I would expect that it would kill the SA but even after power cycling, the VPN does not come up automatically.
Any assistance would be appreciated.
ASA Version 8.2(1)
hostname KRPS-FW
domain-name lottonline.org
enable password uniQue
passwd uniQue
names
interface Vlan1
nameif inside
security-level 100
ip address 10.20.30.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
description Inside Network on VLAN1
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
description Inside Network on VLAN1
ftp mode passive
dns server-group DefaultDNS
domain-name lottonline.org
access-list NONAT extended permit ip 10.20.30.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list NONAT extended permit ip 10.20.30.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list NONAT extended permit ip 10.20.30.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list KWPS-BITP extended permit ip 10.20.30.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list KWPS-BITP extended permit ip 10.20.30.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list KWPS-BITP extended permit ip 10.20.30.0 255.255.255.0 192.168.15.0 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group OUTSIDE_ACCESS_IN in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.20.30.0 255.255.255.0 inside
http 10.20.20.0 255.255.255.0 inside
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYNMAP 65535 set transform-set ESP-AES-256-SHA
crypto map VPNMAP 1 match address KWPS-BITP
crypto map VPNMAP 1 set peer xxx.xxx.xxx.001
crypto map VPNMAP 1 set transform-set ESP-AES-256-SHA
crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map VPNMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
ssh timeout 5
console timeout 0
management-access inside
tunnel-group xxx.xxx.xxx.001 type ipsec-l2l
tunnel-group xxx.xxx.xxx.001 ipsec-attributes
pre-shared-key somekey

Hi there,
I had same issue with PIX 506E and it was not even a circuit issue and I got ride of it and problem got fixed with PIX515E
I don't know, the device is too old to stay alive.
thanks

The tale of two IPSec Tunnels...

I'm trying to set up an ipsec tunnel at a particular site, and I am just stumped at this point. I have two sites I'm working with, a test site on my bench and the other actual site at another location. Both are ASA 5510's, both are running ASA v8.2(5). The test site has a 3560 off of it, and the production site has a 3750 stack off it. I don't think that part should matter, though.
I used the wizard to create the ipsec configuration on both devices, test and prod, and used the same naming on both to help compare. The test site connects and I can ssh to the 3560 behind it just fine. The production site, however, cannot connect to that 3750 or ping it to save my life. I've poured through the configs on both, and although there are just a couple of differences, the two ASA's are pretty close in configs.
At first I thought it was an acl issue, but I've filtered the logs by syslog id 106023 to watch for denys by access group. When I try to connect to the 3750, I get absolutely no entry in the log that anything is being denied, so I figure that's not it.
Then I thought it may be a routing issue. The one difference between the two sites is that the test site is using eigrp to disperse routes between the asa and switch, while the production site is using static routes. But I also didn't think that would've mattered, because on the static route switch I even put a static route in there to the vpn network which didn't make a difference.
I've also run packet traces on the firewall when doing a ping, and on the test siteI see echo requests and replies. Oon the production site I only see requests, no replies. My encap counters don't increment during pings, but the decap counters do, which make sense.
Other things to note: The test site that works also has a site-to-site vpn up and runnning, so you'll see that in the config as well. Client is Mac OS X 10.6.8, using the Cisco IPSec Config.
I'm hoping someone can look at my configs and tell me if they see anything I'm missing on them that could help solve my problems. I'd appreciate it! Thanks
Test Site that works
Production Site that Doesn't
testasa01-5510# sh run
: Saved
ASA Version 8.2(5)
hostname testasa01-5510
names
interface Ethernet0/0
nameif outside
security-level 0
ip address <outsideif> 255.255.255.240
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.39.194.2 255.255.255.248
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
no ip address
management-only
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
access-list inside_access_in extended permit ip 10.39.0.0 255.255.0.0 any log disable
access-list RemoteAccess_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.39.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 172.16.139.0 255.255.255.240
access-list outside_cryptomap extended permit ip 10.39.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list remoteaccess extended permit ip 172.16.139.0 255.255.255.240 any log disable
tcp-map WSOptions
tcp-options range 24 31 allow
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpn_ip_pool 172.16.139.0-172.16.139.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
global (outside) 100 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 100 10.39.0.0 255.255.0.0
access-group inside_access_in in interface inside
router eigrp 100
network 10.0.0.0 255.0.0.0
passive-interface default
no passive-interface inside
route outside 0.0.0.0 0.0.0.0 <outsideif> 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 management
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map1 1 match address outside_cryptomap
crypto map outside_map1 1 set pfs group1
crypto map outside_map1 1 set peer 209.242.145.200
crypto map outside_map1 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map1 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map1 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 170
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 60
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server <server> source inside
webvpn
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol IPSec
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
dns-server value 8.8.8.8
vpn-filter value remoteaccess
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RemoteAccess_splitTunnelAcl
split-tunnel-all-dns disable
vlan none
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
address-pool vpn_ip_pool
default-group-policy RemoteAccess
tunnel-group RemoteAccess ipsec-attributes
pre-shared-key *****
tunnel-group 111.222.333.444 type ipsec-l2l
tunnel-group 111.222.333.444
general-attributes
default-group-policy GroupPolicy1
tunnel-group 111.222.333.444
ipsec-attributes
pre-shared-key *****
class-map WSOptions-class
match any
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class WSOptions-class
set connection advanced-options WSOptions
policy-map type inspect ip-options ip-options-map
parameters
eool action allow
nop action allow
router-alert action allow
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
: end
mp01-5510asa# sh run
: Saved
ASA Version 8.2(5)
hostname mp01-5510asa
names
interface Ethernet0/0
nameif inside
security-level 100
ip address 10.29.194.2 255.255.255.252
interface Ethernet0/1
nameif dmz
security-level 50
ip address 172.16.29.1 255.255.255.0
interface Ethernet0/2
description
nameif backup
security-level 0
ip address <backupif> 255.255.255.252
interface Ethernet0/3
description
speed 100
duplex full
nameif outside
security-level 0
ip address <outsideif> 255.255.255.248
interface Management0/0
nameif management
security-level 100
ip address 10.29.199.11 255.255.255.0
management-only
banner login Authorized Use Only
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
object-group network DM_INLINE_NETWORK_1
network-object 10.29.1.0 255.255.255.0
network-object 10.29.15.0 255.255.255.0
network-object 10.29.199.0 255.255.255.0
network-object 10.29.200.0 255.255.255.0
network-object 10.29.31.0 255.255.255.0
access-list inside_access_in extended permit ip 10.29.0.0 255.255.0.0 any log warnings
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 any log warnings
access-list inside_access_in extended permit ip 192.168.29.0 255.255.255.0 any log warnings
access-list inside_access_in extended permit ip 10.29.32.0 255.255.255.0 any log warnings
access-list outside_access_in extended permit ip any host 50.59.30.116 log warnings
access-list RemoteAccess_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.254.29.0 255.255.255.0 log warnings
access-list remoteaccess extended permit ip 10.254.29.0 255.255.255.0 any log warnings
access-list RemoteAccess2_splitTunnelAcl standard permit 10.29.0.0 255.255.0.0
pager lines 24
logging enable
logging list acl-messages message 106023
logging buffered acl-messages
logging asdm acl-messages
mtu inside 1500
mtu dmz 1500
mtu backup 1500
mtu outside 1500
mtu management 1500
ip local pool vpn_ip_pool3 10.254.29.0-10.254.29.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
asdm history enable
arp timeout 14400
global (inside) 201 interface
global (dmz) 101 interface
global (backup) 101 interface
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 10.29.1.0 255.255.255.0
nat (inside) 101 10.29.15.0 255.255.255.0
nat (inside) 101 10.29.31.0 255.255.255.0
nat (inside) 101 10.29.32.0 255.255.255.0
nat (inside) 101 10.29.199.0 255.255.255.0
nat (inside) 101 10.29.200.0 255.255.255.0
nat (inside) 101 192.168.29.0 255.255.255.0
static (inside,outside) <outsideif> 10.29.15.10 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 50.59.30.113 1 track 1
route backup 0.0.0.0 0.0.0.0 205.179.122.165 254
route management 10.0.0.0 255.0.0.0 10.29.199.1 1
route inside 10.29.0.0 255.255.0.0 10.29.194.1 1
route inside 192.168.29.0 255.255.255.0 10.29.194.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 management
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 100
type echo protocol ipIcmpEcho 74.125.239.16 interface outside
num-packets 3
frequency 10
sla monitor schedule 100 life forever start-time now
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
track 1 rtr 100 reachability
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh 10.0.0.0 255.0.0.0 management
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.200.1.41 source inside
webvpn
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
dns-server value 8.8.8.8
vpn-filter value remoteaccess
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RemoteAccess_splitTunnelAcl
split-tunnel-all-dns disable
vlan none
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
address-pool vpn_ip_pool3
default-group-policy RemoteAccess
tunnel-group RemoteAccess ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
testasa01-5510# sh crypto ipsec sa
interface: outside
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: <outsideif>
      local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.139.1/255.255.255.255/0/0)
      current_peer: <peer ip>, username: blah
      dynamic allocated peer ip: 172.16.139.1
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 30, #pkts decrypt: 30, #pkts verify: 30
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: <outsideif>/4500, remote crypto endpt.: <peer ip>/37291
      path mtu 1500, ipsec overhead 82, media mtu 1500
      current outbound spi: 0A7F396F
      current inbound spi : E87AF806
    inbound esp sas:
      spi: 0xE87AF806 (3900372998)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel, NAT-T-Encaps, }
         slot: 0, conn_id: 49152, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 3587
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x7FFFFFFF
    outbound esp sas:
      spi: 0x0A7F396F (176109935)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel, NAT-T-Encaps, }
         slot: 0, conn_id: 49152, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 3587
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
mp01-5510asa# sh crypto ipsec sa
interface: outside
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: <outsideif>
      local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.254.29.1/255.255.255.255/0/0)
      current_peer: <peer ip>, username: blah
      dynamic allocated peer ip: 10.254.29.1
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 51, #pkts decrypt: 51, #pkts verify: 51
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: <outsideif>/4500, remote crypto endpt.: <peer ip>/37291
      path mtu 1500, ipsec overhead 82, media mtu 1500
      current outbound spi: 096265D4
      current inbound spi : F5E4780C
    inbound esp sas:
      spi: 0xF5E4780C (4125390860)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel, NAT-T-Encaps, }
         slot: 0, conn_id: 102400, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 3576
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x001FFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x096265D4 (157443540)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel, NAT-T-Encaps, }
         slot: 0, conn_id: 102400, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 3576
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Config (non working site) looks fine(unless I missed something:)) . You may want to add :
access-list RemoteAccess_splitTunnelAcl standard permit 192.168.29.0 255.255.255.0
Try by taking out vpnfilter : vpn-filter value remoteaccess
To further t-shoot, try using packet tracer from ASA to the client...
https://supportforums.cisco.com/docs/DOC-5796
Thx
MS

Static NAT with IPSec tunnel

Hi,
I have a hopefully fairly basic question regarding configuring some static NAT entries on a remote site 887 router which also has a IPSec tunnel configured back to our main office. I am fairly new to networking so forgive me if I ask some really silly questions!
I have been asked to configure some mobile phone "boost" boxes, which will take a mobile phone and send the traffic over the Internet - this is required because of the poor signal at the branch. These boxes connect via Ethernet to the local network and need a direct connection to the Internet and also certain UDP and TCP ports opening up.
There is only one local subnet on site and the ACL for the crypto map dictates that all traffic from this network to our head office go over the tunnel. What I wanted to do was create another vlan, give this a different subnet. Assign these mobile boost boxes DHCP reservations (there is no interface to them so they cannot be configured) and then allow them to break out to the Internet locally rather than send the traffic back to our head office and have to open up ports on our main ASA firewall.
From my research I came across this article (http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml
So I went ahead and created a separate vlan and DHCP reservation and then also followed the guidelines outlined above about using a route-map to stop the traffic being sent down the tunnel and then configured static NAT statements for each of the four ports these boost boxes need to work. I configure the ip nat inside/outside on the relevant ports (vlan 3 for inside, dialer 1 for outside)
The configuration can be seen below for the NAT part;
! Denies vpn interesting traffic but permits all other
ip access-list extended NAT-Traffic
deny ip 172.19.191.0 0.0.0.255 172.16.0.0 0.3.255.255
deny ip 172.19.191.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 172.19.191.0 0.0.0.255 192.168.128.0 0.0.3.255
deny ip 172.19.191.0 0.0.0.255 12.15.28.0 0.0.0.255
deny ip 172.19.191.0 0.0.0.255 137.230.0.0 0.0.255.255
deny ip 172.19.191.0 0.0.0.255 165.26.0.0 0.0.255.255
deny ip 172.19.191.0 0.0.0.255 192.56.231.0 0.0.0.255
deny ip 172.19.191.0 0.0.0.255 192.168.49.0 0.0.0.255
deny ip 172.19.191.0 0.0.0.255 192.168.61.0 0.0.0.255
deny ip 172.19.191.0 0.0.0.255 192.168.240.0 0.0.7.255
deny ip 172.19.191.0 0.0.0.255 205.206.192.0 0.0.3.255
permit ip any any
! create route map
route-map POLICY-NAT 10
match ip address NAT-Traffic
! static nat
ip nat inside source static tcp 192.168.1.2 50 85.233.188.47 50 route-map POLICY-NAT extendable
ip nat inside source static udp 192.168.1.2 123 85.233.188.47 123 route-map POLICY-NAT extendable
ip nat inside source static udp 192.168.1.2 500 85.233.188.47 500 route-map POLICY-NAT extendable
ip nat inside source static udp 192.168.1.2 4500 85.233.188.47 4500 route-map POLICY-NAT extendable
Unfortunately this didn't work as expected, and soon after I configured this the VPN tunnel went down. Am I right in thinking that UDP port 500 is also the same port used by ISAKMP so by doing this configuration it effectively breaks IPSec?
Am I along the right lines in terms of configuration? And if not can anyone point me in the direction of anything that may help at all please?
Many thanks in advance
Brian

Hi,
Sorry to bump this thread up but is anyone able to assist in configuration? I am now thinking that if I have another public IP address on the router which is not used for the VPN tunnel I can perform the static NAT using that IP which should not break anything?
Thanks
Brian

Can ASA send it's syslogs over it's own IPsec tunnel?

I'd like to send syslogs etc sourced on an ASA to a destination that is connected via an IPsec tunnel on the ASA sourcing the traffic. Is this possible?
I'd have to have a a no-nat matching the traffic and also "same-security-traffic permit intra-interface". But which interface would I put on my "logging host" statement?
Appreciate any pointers

* Yes, the ASA can source traffic which can be sent over an IPSec tunnel.
* For a syslog, you will want to create a site-to-site VPN connection (as opposed to configuring the ASA as a VPN head-end).
* You will not need the 'same-security-traffic permit intra-interface' command -- the syslog traffic is being source from the ASA itself -- the syslog traffic is not being sourced 'from an interface'.
* You will not need the 'no-nat' command either. Once again the syslog traffic is not traversing from one interface to another interface; therefore, an xlate will not be created.
* When configuring your site-to-site VPN tunnel, you must specify 'interesting' traffic which is to be encrypted. Traffic from the ASA to the Syslog server should be marked as interesting (by matching the ACL which defines interesting traffic).
* you specific the interface off which the syslog server resides in the 'logging host' command.
In other words:
* say your syslog server has IP address 1.1.1.1 which resides on the Internet.
* say your outside interface on your ASA has an ip address of 200.200.200.200
* say your syslog server is located at a remote operations center which reside on the Internet. You will create a VPN tunnel from the remote operations center to your ASA (site-to-site tunnel). Create an ACL for interesting traffic that says to 'permit ip host 200.200.200.200 host 1.1.1.1' to mark traffic as interesting from the ASA to the syslog server.
* you will specify the outside interface in your 'logging host' command.
THINGS YOU DON'T NEED:
Because the syslog traffic is not transitting from one interface to another interface:
* you do not need to configure an ACL to permit syslog traffic to leave the ASA to go to the syslog server
* you do not need to configure NAT. An xlate is not required.
Let me know if this gets you going. I would be happy to set this up in a lab environment to provide you a sample configuration if you need it. I don't have a syslog server but could demonstrate this by running administrative traffic to and from the ASA via the VPN tunnel.
Regards,
Troy

Tunnel Traffic going inside IPSEC tunnel

Similar Messages

Maybe you are looking for