Two ASAs together in network
How can i install two ASAs one with AIP-SSM and other with CSC-SSM in the same network
You'll have to put one of the firewalls in transparent mode.
Similar Messages
-
Connecting Two ASAs together via local interface
Hi
I have two cisco ASA routers & wish to connect them together so that traffic between is permitted with out going outside interface.
Two asa are located at in ONE office and two have separate internet connection (ISP) configured.
So here is what I did so far.
configure one of the interface on each ASA with some IP adddress.
ASA 1 ------- interface 0/6 10.1.1.1 (ASA X 1512)
ASA 2 --------- interface 0/5 10.2.2.2 (ASA 5055)
now connected a Ethernet cable to these inferface.
I was able to addd a route on asa 2.
route add interface0/5 10.1.1.0/24 10.2.2.2
but when I add route on ASA 1 I get the following error.
route add interface0/6 10.2.2.2/24 10.1.1.1
%invalid next hop address it belongs to one of our interface.Sorry if I was not clear
I have two separate ISPs connecting two two separate ASAs.. Two asa are now connecting separate LANs.
Now I want to communicate between LANs.
So I connected an ethernet cable bw ASAs and trying to configure the route.
But not able to establish
Here is the configuration of ASA where I am faceing problem, while trying to add route
route add voice-interface 10.1.1.1/24 255.255.255.0 10.2.2.2 1
I get error says
route already exsists
interface GigabitEthernet0/0
nameif outside0
security-level 0
ip address 0.2.5.2 255.255.255.252
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/2
nameif inside2
security-level 100
ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/5
nameif voice-interface
security-level 100
ip address 10.1.1.1 255.255.255.0
object network NETWORK_OBJ_12.1.3.0_2
subnet 12.1.3.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network OBJ_ALL_NETWORK
subnet 0.0.0.0 0.0.0.0
description Any Network
object network voice-asa-network
subnet 10.2.2.0 255.255.255.0
object network 10.1.1.1
host 10.1.1.1
access-list outside0_cryptomap extended permit ip 192.168.1.0 255.255.255.0 12.1.3.0 255.255.255.0
access-list inside2_access_in extended permit ip 192.168.1.0 255.255.255.0 any
nat (inside2,outside0) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_12.1.3.0_24 NETWORK_OBJ_12.1.3.0_24 no-proxy-arp route-lookup
object network OBJ_ALL_NETWORK
nat (any,outside0) dynamic interface
route outside0 0.0.0.0 0.0.0.0 0.2.5.2 1
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec security-association pmtu-aging infinite
crypto map outside0_map 1 match address outside0_cryptomap
crypto map outside0_map 1 set pfs
crypto map outside0_map 1 set peer 9.2.5.1
crypto map outside0_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside0_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside0_map interface outside0
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption aes128-sha1 3des-sha1
group-policy GroupPolicy_6.2.5.1 internal
group-policy GroupPolicy_6.2.5.1 attributes
vpn-tunnel-protocol ikev1 ikev2
class-map inspection_default
match default-inspection-traffic -
Hello,
Please i have a router series of 1700's. i have fixed the voice card.Please can you put me through with the configuration to connect the two site together,pleease help.All your is highly appreciatedHi Will
Can you post out the output of the show version command taken out from both the routers ..
That will help us to understand the exact card model installed in the router and will be easy to suggest on configuring the same..
regds -
Site to Site VPN Between Two ASA 5505's Up But Not Passing Traffic
hello,
i am setting up a site to site vpn between two asa 5505's. the tunnel is up but i cannot get it to pass traffic and i have run out of ideas at this point. i am on site as i am posting this question and only have about 4 hours left to figure this out, so any help asap is greatly appreciated. i'll post the configs below along with the output of sh crypto isakmp sa and sh ipsec sa.
FYI the asa's are different versions, one is 9.2 the other is 8.2
Note: 1.1.1.1 = public ip for Site A 2.2.2.2 = public ip for site B
Site A running config:
Result of the command: "sh run"
: Saved
ASA Version 8.2(2)
hostname csol-asa
enable password WI19w3dXj6ANP8c6 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.1.0 san_antonio_inside
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 24.93.41.125
name-server 24.93.41.126
object-group network NETWORK_OBJ_192.168.2.0_24
access-list inside_access_out extended permit ip any any
access-list outside_access_out extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in_1 extended permit icmp any interface outside
access-list outside_access_in_1 extended permit tcp any interface outside eq pop3
access-list outside_access_in_1 extended permit tcp any interface outside eq 8100
access-list outside_access_in_1 extended permit udp any interface outside eq 8100
access-list outside_access_in_1 extended permit udp any interface outside eq 1025
access-list outside_access_in_1 extended permit tcp any interface outside eq 1025
access-list outside_access_in_1 extended permit tcp any interface outside eq 5020
access-list outside_access_in_1 extended permit tcp any interface outside eq 8080
access-list outside_access_in_1 extended permit tcp any interface outside eq www
access-list outside_access_in_1 extended permit ip san_antonio_inside 255.255.255.0 any
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 host san_antonio_inside
access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (inside) 2 interface
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface pop3 192.168.2.249 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
static (inside,outside) udp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
static (inside,outside) udp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
static (inside,outside) tcp interface 5020 192.168.2.8 5020 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.2.251 8080 netmask 255.255.255.255
static (inside,inside) tcp interface www 192.168.2.8 www netmask 255.255.255.255
static (inside,outside) tcp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
access-group inside_access_out out interface inside
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
http 2.2.2.2 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map1 1 match address outside_1_cryptomap_1
crypto map outside_map1 1 set peer 2.2.2.2
crypto map outside_map1 1 set transform-set ESP-3DES-SHA
crypto map outside_map1 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.30-192.168.2.155 inside
dhcpd dns 24.93.41.125 24.93.41.126 interface inside
dhcpd domain corporatesolutionsfw.local interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy DfltGrpPolicy attributes
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key *****
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:021cf43a4211a99232849372c380dda2
: end
Site A sh crypto isakmp sa:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 2.2.2.2
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Site A sh ipsec sa:
Result of the command: "sh ipsec sa"
interface: outside
Crypto map tag: outside_map1, seq num: 1, local addr: 1.1.1.1
access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (san_antonio_inside/255.255.255.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
#pkts decaps: 239, #pkts decrypt: 239, #pkts verify: 239
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 71.40.110.179
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: C1074C40
current inbound spi : B21273A9
inbound esp sas:
spi: 0xB21273A9 (2987553705)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1691648, crypto-map: outside_map1
sa timing: remaining key lifetime (kB/sec): (3914989/27694)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xC1074C40 (3238480960)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1691648, crypto-map: outside_map1
sa timing: remaining key lifetime (kB/sec): (3914999/27694)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Site B running config:
Result of the command: "sh run"
: Saved
: Serial Number: JMX184640WY
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
ASA Version 9.2(2)4
hostname CSOLSAASA
enable password WI19w3dXj6ANP8c6 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 2.2.2.2 255.255.255.248
ftp mode passive
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network mcallen_network
subnet 192.168.2.0 255.255.255.0
access-list outside_cryptomap extended permit ip object NETWORK_OBJ_192.168.1.0_24 object mcallen_network
access-list outside_access_in extended permit ip object mcallen_network 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static mcallen_network mcallen_network no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 2.2.2.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map3 1 match address outside_cryptomap
crypto map outside_map3 1 set peer 1.1.1.1
crypto map outside_map3 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map3 interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.200-192.168.1.250 inside
dhcpd dns 24.93.41.125 24.93.41.126 interface inside
dhcpd domain CSOLSA.LOCAL interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key *****
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4e058021a6e84ac7956dca0e5a143b8d
: end
Site B sh crypto isakmp sa:
Result of the command: "sh crypto isakmp sa"
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 1.1.1.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
Site B sh ipsec sa:
Result of the command: "sh ipsec sa"
interface: outside
Crypto map tag: outside_map3, seq num: 1, local addr: 71.40.110.179
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 286, #pkts encrypt: 286, #pkts digest: 286
#pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 286, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: B21273A9
current inbound spi : C1074C40
inbound esp sas:
spi: 0xC1074C40 (3238480960)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 28672, crypto-map: outside_map3
sa timing: remaining key lifetime (kB/sec): (4373999/27456)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000003
outbound esp sas:
spi: 0xB21273A9 (2987553705)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 28672, crypto-map: outside_map3
sa timing: remaining key lifetime (kB/sec): (4373987/27456)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001Hi Keegan,
Your tunnel is up and encrypting traffic one way, the other end is not able to encrypt the traffic.
I would suggest to do a 'clear xlate'? Sometimes if you setup the nonat configuration after you've attempted other configurations, you need to 'clear xlate' before the previous NAT configuration is cleared and the new one works.
HTH
"Please rate useful posts" -
ASA VPN - Overlapping networks
Hello.
I have a problem that I have a small branch with ASA-5505 using the VPN connects to two branches and headquarters, unfortunately, even though I used the crypto-map priority, in this configuration, it does not work.
I mean, first to move traffic to Lodz network with accurate mask 10.57.0.0/255.255.240.0 and then to the Head Office (Warsaw) network with the overlying network mask Lodz network 10.0.0.0/255.0.0.0
I also wanted to add that if I configure the same VPN to other networks without overlapping then this work properly, so I know that the problem is related with overlapping.
How to configure ASA when last network with big mask /8 overlapping with other networks with smaller masks /14 or /20 bits.
Please find attached diagram and configuration part.
access-list Wan1_cryptomap extended permit ip object LocalNetworkVPN object VPNRemoteLodz (10.57.0.0 255.255.240.0)
access-list Wan1_cryptomap_1 extended permit ip object LocalNetworkVPN object VPNRemoteWarszawa (10.0.0.0 255.0.0.0)
crypto ipsec security-association pmtu-aging infinite
crypto map Wan1_map 20 match address Wan1_cryptomap
crypto map Wan1_map 20 set peer 107.x.x.41
crypto map Wan1_map 20 set ikev1 transform-set ESP-3DES-SHA
crypto map Wan1_map 600 match address Wan1_cryptomap_1
crypto map Wan1_map 600 set peer 107.x.x.70
crypto map Wan1_map 600 set ikev1 transform-set ESP-3DES-SHA
crypto map Wan1_map interface Wan1
crypto map Wan1_map interface Wan2
Thank you.Hello, Tomasz Hinz.
Not sure that this helps but can you try add line:
access-list Wan1_cryptomap_1 extended deny ip object LocalNetworkVPN object VPNRemoteLodz
Best Regards. -
Two separate L2L tunnels between same two ASA
I have a large MPLS fully meshed network with two main locations, both of which have an ASA with internet access as well as the MPLS access. I need to be able to provide a backup connection between the two main locations in the event one of the MPLS links to one or the other goes down.
I am considering using a L2L IPSEC tunnel between the two ASA's but the interesting traffic for the tunnel is different depending on which of the links is down and there fore I would need two different tunnels. I have my servers and remote desktop servers at one of the main sites and the other main site has another organization attached to it externally that the servers must be able to access.
Is there a way of creating two separate L2L tunnels between the two ASA's? Could I perhaps assign two public IP addresses to each of the ASA's and then create the tunnels between different endpoints on each ASA?
Does anyone have another possible solution to the problem?
GeneYou should be able to do what you want using IP SLA. Please see this excellent blog post which documents one way to accomplish it.
Hope this helps. -
Hi,
I have a 13" MacBook Air Mid 2013, 128GB, 4GB RAM, 1.3 GHz, OS X 10.10 Yosemite.
When I put a folder in iCloud Drive, the folder is in iCloud Drive and on my Desktop. What I want to do is link the two folders together so when I save a file in the folder on my desktop, it puts it in the folder that's in iCloud Drive too. I hope I have explained this good enough.
Please help.
ThanksIf you own both and have admin accounts on them, yes. On the "other" computer, go to System Preferences, Sharing, and turn on File Sharing.
When the two computers are on the same network, you should see the other computer appear in your sidebar in Finder. Click it, authenticate with your admin details (from the other computer), and you now have access to its files.
Matt -
Linking two computers together
Can I link two macs together so I have access to both but the other computer doesn't have access to mine?
If you own both and have admin accounts on them, yes. On the "other" computer, go to System Preferences, Sharing, and turn on File Sharing.
When the two computers are on the same network, you should see the other computer appear in your sidebar in Finder. Click it, authenticate with your admin details (from the other computer), and you now have access to its files.
Matt -
Two ASAs one webvpn licence in HA failover
What will happen in case when i have two ASAs in active/standby failover mode and on one of them ssl vpn licence for 50 user.Is the HA failover on ASA possible at all for ssl vpn? What will happen in this scenario if i put licence with 50 users on first ASA which is active, and if it failes, are the standby going to takeover everything or just two user in default settings, because standby does not have a licence for additional users.
Just saw your post while I was searching for an answer to another question. The answer is that HA will fail all together. I have been down this path with Cisco early on in the ASA life cycle and they have stuck to their Guns.
For 2 ASA to be in HA of any type the must have identical licenses, identical hardware and supposedly identical memory (although we have found that flash can be off by at least 64 MB as long as your image still fits.
Hope this helps you out.
http://www.staticnat.com -
I cannot ping two ASA firewalls connected on the same swicth
Any help please?
I have two ASA firewalls connected to same layer 2 Switch and with different subnet on Inside interface .
ASA-1 ================>[ layer 2 Switch]<====================ASA-2
||
||
||
(DHCP-ROUTER)
ASA- 1 :
Public IP address; 100.100.1. 2x /32
LAN ( Inside Interface) IP address; 10.10.41.1
route outside 0.0.0.0 0.0.0.0 100.100.1.1x.
route inside 10.10.42.0 255.255.255.0 10.10.10.2 ( DHCP-Router)
=================================================================
ASA-2:
Public IP address; 200.200.1,2x /32
LAN ( Inside Interface ) IP address ; 10.10.42. 1
route outside 0.0.0.0 0.0.0.0 200.200.1.1x
route inside 10.10.41.0 255.255.255.0 10.10.10.2 ( DHCP-Router)
================================================================
DHCP Router ;
ip dhcp pool ASA1_SUBNET
network 10.10.41.0 255.255.255.0
default-router 10.10.41.2
domain-name me.com
dns-server 10.10.41.10
ip dhcp pool ASA2_SUBNET
network 10.10.42.0 255.255.255.0
default-router 10.10.42.2
domain-name me.com
dns-server 10.10.41.10
ip route 0.0.0.0 0.0.0.0 10.10.41.1
ip route 10.10.42.0 255.255.255.0 10.10.42.1
=================================================
LAYER 2 SWITCH;
Int vlan 41
Ip address 10.10.41.0 255.255.255.0
no shut
Int vlan 42
Ip address 10.10.42.0 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 10.10.41.1
ip route 10.10.42.0 255.255.255.0 10.10.42.1
Any help please ?
DaKHi davy,
Rtr Rtr
| |
ASA ASA
| /
Switch ----> DHCP Rtr
|
Vlan 41 & 42
This would be your design right. As per my understanding you are not able to ping the ASA from one segment to the other from the LAN. Please correct me if my statement is wrong.
10.10.41.1 (ASA 1 Inside) - 10.10.42.1 (ASA 2 Inside).
Let me explain how we will make this communication. -
Two separate enterprise WiFi networks in the same building
I work in a building that currently has Cisco controller based access points. The access points aren't managed by us and are actually part of another campus. We are given access to them but they don't work quite like we want them to. So we are wanting to bring in our own Cisco WLC 2504 with 3702 APs. But when we brought this up with the main campus they said we can't have two separate enterprise wireless networks in the same building. That their APs will mark our APs as rogues and try to shut them down. There was also mention that they can't share the same channel and that the radios will negotiate with each other to determine how much power they need for coverage. But from what I've read none of that is true. So maybe I misunderstanding something and hoping someone here with more experience can shed some light on this. The only reason we would want to keep their wireless in the building is so when their staff come to our office they can use it.
So can two separate WLC/AP systems on different subnets and broadcasting different SSIDs exist in the same building with out causing any issues?By default, the WLC code does not try to contain rogue AP's. Just lots of alarm's and unclassified rogue's.
In this case you hosts may have actually enabled containment but would have also received a screen full of warning about the public nature of the unlicensed wifi band.
Here the Superior Court system is side by side with the County system even to the extent that the AP's are next to each other. Gets fun. Since each SSID constitutes a rogue, each unit represents a LOT of rogues to report.
Good Luck -
Can I have two Domain in one network?
I have two Server in my office in same network.
Server A is Active Directory / Domain Server. Certain user join domain and connect to this server.
Server B is File Server. The other user just use Workgroup. But now this server want to Up Domain to be Domain Server.
But user that connect to the domain Server A will not connect to domain server B and user connect to domain server B will not connect to domain server A.
Is there any problem if I setup two domain in one network?
Please Advise.Domains are logical structure of your network. Yes you can create two domains in the same network. One thing you should consider in this scenario is trusts between your domains. By default separate domains have not any trusts between each other and you should
establish trust manually if you would like to have users in A authenticated in domain B.
Regards.
Mahdi Tehrani Loves Powershell
Please kindly click on Propose As Answer or to mark this post as
and helpfull to other poeple. -
How do I use Cisco MARS to monitor two ASA (active/stby) with IPS modules?
Hi
The two ASA with IPS modules are in active/standby mode. When I try to add both the two IP (active/standby) into the MARS, the MARS will complain duplicated hostnames.
How to setup MARS to monitor ASA with IPS with active standby topology?
Thanks!Hi,
The fundamental problem with this scenario is that you have non-failover capable modules in a failover chassis - think of the ASA failover pair as one device and the IPS modules as two completely separate devices.
Then, as already mentioned, add only the primary ASA. (The secondary will never be passing traffic in standby mode so it's not actually needed in MARS) Then, with the first IPS module you can add it as a module of the ASA or as a standalone device (MARS doesn't care). With the second IPS module the only option is to add it as a separate device anyway.
In a failover scenario the ASA's swap IP's but the IPS's don't so whereas you'll only ever get messages from the active ASA you'll get messages from both IPS IP's depending on which one happens to be in the active ASA at the time.
Don't forget that you have to manually replicate all IPS configuration every time you make a change.
HTH
Andrew. -
I have two printers on my network. Does anyone know how to change the printer nomenclature - Officejet Pro 8600 (0B54AF) to a recognizable name...like Brad's Office when you use Airprint?
You would have to change that in the printer's settings on the printer, if that option is offered by the manufacturer. The iPhone just finds printers on the network and uses the name they have given themselves or that were given to them when they were set up.
-
How do I connect two lines together.
I have two lines at an angle but where the corner of the angle is supposed to be there is a little triangle missing. I tried joining the two lines together but when I hit join one line goes past the other.
Before Joining:
After Joining:There is no need to lock one of the paths, because you do not have to tediously select endpoints just to join paths. Doing so was necessary in Illustrator for most of its history, but it finally (decades behind other drawing programs) gained the ability to join paths at their nearest endpoints by just selecting the paths.
Undo (or cut) the unwanted join.
Black pointer: Select the left and right paths.
Join.
Alternativley, when drawing line art, it is not uncommon to set your default Graphic Style to use rounded endcaps. That negates the problem of the "missing triangle" (as you call it) appearance of coincident straight end caps.
JET
Maybe you are looking for
-
How do i add another device to my iTunes account 'devices'?
when i go to my account in iTunes i see the devices i have thats authorised to play my purchases. Now with Match and the multiple devices i want to add my partners phone to those devices, and share Match with her phone. How do i get that device to sh
-
Dear Expert, I used BAPI_PO_Change for add the item text. text = 'Completed'. s_bapimepotext-TEXT_LINE = text. call function 'BAPI_PO_CHANGE' exporting purchaseorder = p_ebeln TABLES RETURN = i_return
-
COPA DOCUMENT NOT CREATED AFTER BILLING
HI COPA document is not created while doing the sale order cycle Ive carried a standard sales cycle that contains sales order (VA01), Delivery (VL01n) and billing document (VF01). System should generate 4 documents as follows 1) FI Document 2) CO Do
-
Need a B/W Laser Printer suggestion
We have a G5 Intel (no wireless) and a G4/1.5 Mini Mac (with Airport) in the office. We are in need of a new laser printer that will be compatible with both of our computers. Don't want to spend a fortune, but we need one that will que some large doc
-
Webkit2 process.exe has stopped working
every time i load up facebook a pop up saying "webkit2 process.exe has stoppped working" comes up and wont go away