VLANs over Internet/IPSec Tunnel

Hi All!
I have a problem.
I have trunked 5 VLANs from various sites over satellite and have them all ending on a hub router,
but my difficulty now is in getting them sent to HQ over the internet.
I have thought of only 2 ways of possibly doing this:
1. Get a leased line :-)
2. The only feasible alternative is to get the VLANs sent over IPSec across the internet, but this is my problem....
How do I get a packet from a VLAN into an IPSec tunnel and vice versa?
What equipment would I need? (more switches/routers)
Do I need 1 IPSec tunnel for each VLAN to keep them separate from each other?
Can someone please help.

You have posted this same question on the WAN Routing and Switching forum where it has gotten some responses. I suggest that we consolidate the discussion of this question on that forum.
HTH
Rick

Similar Messages

  • NAT traffic over a IPSec tunnel (ISR)

    Hi.
    I'm supposed to set up an IPSec tunnel between an 1811 and some sort of CheckPoint firewall. The IPSec part isn't that big of a deal, but the system manager on the "CheckPoint side" wants the traffic through the tunnel to originate from a public IP-address, and only one source IP-address.
    So, let's say that my ISP has given me 10.10.1.1 - 10.10.1.5, our inside clients have an IP-address from the range 192.168.10.0/24, and the remote application at the "Checkpoint site" has the IP-address 172.16.1.10. The result of this should be:
    IPSec tunnel is created using the 10.10.1.1 IP-address.
    The traffic from the 192.168.1.0/24 clients should access the application at 172.16.1.10 using 10.10.1.2 as source address OVER the IPSec tunnel.
    Is this possible? I guess that it would mean that I have to NAT the traffic going through the IPSec tunnel, but I'm having trouble getting this to work. I have googled all day long looking for something similar.
    Anyone who could shed some light? Any insight appreciated.
    Cheers!
    /Johan Christensson

    Thanks jjohnston1127!
    Well, I guess that it would work, and I wasn't that far off, but got stuck in the "ip nat inside" rule when I was to specify either a pool or an interface. It didn't occur to me that a pool could just consist of 1 IP-address.
    However, this raised a new problem. The "match address" access-list that I use in the crypto map for the IPSec configuration currently looks something like this:
    access-list 150 permit ip host 10.10.1.2 host 172.16.1.10
    If I change it to something like this, the tunnel negotiation gets triggered.
    access-list 150 permit ip 192.168.1.0 0.0.0.255 host 172.16.1.10
    However, I assume that the negotiation fails because the tunnel configuration in my router has a different "local network" than the "remote network" at the Checkpoint site.
    Is this because the NAT'ing doesn't get processed before the IPSec configuration?
    Can this behavior be changed?
    Best regards,
    Johan Christensson
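The order of operations Johan is asking about, modelled as an added example (not code from the thread): on IOS, traffic going inside to outside is NATed before the crypto map is checked, so the crypto ACL is evaluated against the translated source. The client address 192.168.1.25 and the function names are constructed assumptions; the subnet, pool address, remote host and both ACL lines are the ones from his posts.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert IOS 'address wildcard' notation (0.0.0.255 == /24) to a network.
    Only contiguous wildcards are modelled here; IOS also accepts discontiguous ones."""
    hostmask = int(ipaddress.IPv4Address(wildcard))
    netmask = hostmask ^ 0xFFFFFFFF
    prefix = bin(netmask).count("1")
    if ((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF) != netmask:
        raise ValueError(f"discontiguous wildcard {wildcard} not supported")
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one ACL address operand: 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W'."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(lines: List[str]) -> List[AclEntry]:
    """Parse numbered extended ACL lines of the form
    'access-list <n> permit|deny ip <src> <dst>' (the only form used in the thread)."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            raise ValueError(f"unsupported ACL line: {line!r}")
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        entries.append(AclEntry(t[2], src, dst))
    return entries


def acl_permits(entries: List[AclEntry], src_ip: str, dst_ip: str) -> bool:
    """First-match evaluation with the implicit deny at the end."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in entries:
        if s in e.src and d in e.dst:
            return e.action == "permit"
    return False


def nat_inside_source(src_ip: str, inside_net: ipaddress.IPv4Network, pool_ip: str) -> str:
    """Model 'ip nat inside source list <acl> pool <one-address-pool> overload':
    sources inside inside_net are rewritten to the pool address, others pass unchanged."""
    return pool_ip if ipaddress.IPv4Address(src_ip) in inside_net else src_ip


def will_be_encrypted(crypto_acl, src_ip, dst_ip, inside_net, pool_ip):
    """Inside-to-outside order of operations on IOS: NAT runs before the crypto
    map check, so the crypto ACL sees the translated (global) source address.
    Returns (post_nat_source, matched_crypto_acl)."""
    post_nat_src = nat_inside_source(src_ip, inside_net, pool_ip)
    return post_nat_src, acl_permits(crypto_acl, post_nat_src, dst_ip)


# Addresses from the thread: clients 192.168.1.0/24, NAT pool 10.10.1.2, remote app 172.16.1.10
INSIDE_NET = ipaddress.IPv4Network("192.168.1.0/24")
POOL_IP = "10.10.1.2"
REMOTE_APP = "172.16.1.10"

# Crypto ACL written for the post-NAT address (Johan's original line)
ACL_POST_NAT = parse_acl(["access-list 150 permit ip host 10.10.1.2 host 172.16.1.10"])
# Crypto ACL written for the pre-NAT client subnet (Johan's second attempt)
ACL_PRE_NAT = parse_acl(["access-list 150 permit ip 192.168.1.0 0.0.0.255 host 172.16.1.10"])


def compare(client_ip: str = "192.168.1.25"):
    """Show which ACL actually classifies a client's packet once NAT has run."""
    return {
        "post_nat_acl": will_be_encrypted(ACL_POST_NAT, client_ip, REMOTE_APP, INSIDE_NET, POOL_IP),
        "pre_nat_acl": will_be_encrypted(ACL_PRE_NAT, client_ip, REMOTE_APP, INSIDE_NET, POOL_IP),
    }


if __name__ == "__main__":
    for name, (src, matched) in compare().items():
        print(f"{name}: crypto ACL sees source {src}, matched={matched}")
```

Because the crypto ACL is compared with the post-NAT packet, the peer's "remote network" for this tunnel must also be the single pool address, not the client subnet.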

  • VLAN data over a DMVPN tunnel to a spoke site

    I need to send the VLANs across my DMVPN tunnels to the remote spoke sites. We are routing EIGRP across the tunnels.
    Do I have to encapsulate it using L2TP? If I do, how do I do that?

    Bro, a VLAN is layer two and DMVPN is layer three; you can't run a VLAN over the WAN except over a layer 2 WAN like MPLS and the rest.
    Posted by WebUser Olatunji Jamiu from Cisco Support Community App

  • Machine authentication over Client IPSEC tunnel

    I am in the process of converting our existing remote access from Microsoft Threat Management Gateway to Cisco ASA. Our security folks just made me aware that in addition to the Radius authentication against AD credentials, they also want me to do machine authentication to make sure that the machine name of the system trying to get remote access has a machine account in AD.
    I have been looking for a way to do this with the IPSEC client but haven't found anything as yet. Would appreciate any links that show me how to get this done. Moving to AnyConnect isn't an option at this point due to budgetary issues. I am using the latest Cisco VPN client in the 5.x train and have 8.2.5 code running on my 5520.
    What I may be looking at might be NAC (Network Admission Control ?).  Looking for all suggestions at this point.
    Thanks,
    Ron

    I've used enrolled user X.509 USER certificates with Cisco VPN Client 4.x / 5.x into an ASA. They were issued by a partner's root CA and the connection was allowed on the basis of that root CA being trusted by the remote ASA.
    But yes, what you are asking about is more of a NAC, or the successor Identity Services Engine (ISE) product type of feature. In the case of ISE, it can do what you ask but requires a good bit of investment to get that and many many other features.
    I strongly suspect that some additional investment will be necessary to get what your security team is requesting. At the very least AnyConnect Premium licenses and use of the Network Access Manager (NAM) feature. See this reference.

  • Can ASA send its syslogs over its own IPsec tunnel?

    I'd like to send syslogs etc sourced on an ASA to a destination that is connected via an IPsec tunnel on the ASA sourcing the traffic. Is this possible?
    I'd have to have a no-nat matching the traffic and also "same-security-traffic permit intra-interface". But which interface would I put in my "logging host" statement?
    Appreciate any pointers

    * Yes, the ASA can source traffic which can be sent over an IPSec tunnel.
    * For a syslog, you will want to create a site-to-site VPN connection (as opposed to configuring the ASA as a VPN head-end).
    * You will not need the 'same-security-traffic permit intra-interface' command -- the syslog traffic is being sourced from the ASA itself -- the syslog traffic is not being sourced 'from an interface'.
    * You will not need the 'no-nat' command either. Once again the syslog traffic is not traversing from one interface to another interface; therefore, an xlate will not be created.
    * When configuring your site-to-site VPN tunnel, you must specify 'interesting' traffic which is to be encrypted. Traffic from the ASA to the Syslog server should be marked as interesting (by matching the ACL which defines interesting traffic).
    * You specify the interface off which the syslog server resides in the 'logging host' command.
    In other words:
    * say your syslog server has IP address 1.1.1.1 which resides on the Internet.
    * say your outside interface on your ASA has an ip address of 200.200.200.200
    * say your syslog server is located at a remote operations center which resides on the Internet. You will create a VPN tunnel from the remote operations center to your ASA (site-to-site tunnel). Create an ACL for interesting traffic that says to 'permit ip host 200.200.200.200 host 1.1.1.1' to mark traffic as interesting from the ASA to the syslog server.
    * you will specify the outside interface in your 'logging host' command.
    THINGS YOU DON'T NEED:
    Because the syslog traffic is not transiting from one interface to another interface:
    * you do not need to configure an ACL to permit syslog traffic to leave the ASA to go to the syslog server
    * you do not need to configure NAT. An xlate is not required.
    Let me know if this gets you going. I would be happy to set this up in a lab environment to provide you a sample configuration if you need it. I don't have a syslog server but could demonstrate this by running administrative traffic to and from the ASA via the VPN tunnel.
    Regards,
    Troy

  • AP registration over IPSEC Tunnel(ASA)

    Guys, 
    I have my WAP sitting behind an ASA and have an ipsec tunnel between the ASA and a router. Below is the topology:-
    WAP>>ASA<<< IPSEC TUNNEL>>> Router<<<WLC
    Recently we have replaced the router with an ASA 5505 for security reasons and since then the WAP is not able to register to the WLC. We have the VPN tunnel up and working. Even the WAP is able to ping the WLC ip address.
    Is there any special configuration needed in my ASA considering the above topology? I can confirm that capwap and lwapp ports are opened in the asa.
    Please let me know if some one has faced this issue before.

    Hi,
    I hope you have already allowed the below mentioned ports as per your requirement.
    You must enable these ports:
    Enable these UDP ports for LWAPP traffic:
    Data - 12222
    Control - 12223
    Enable these UDP ports for mobility traffic:
    16666 - 16666
    16667 - 16667
    Enable UDP ports 5246 and 5247 for CAPWAP traffic.
    TCP 161 and 162 for SNMP (for the Wireless Control System [WCS])
    These ports are optional (depending on your requirements):
    UDP 69 for TFTP
    TCP 80 and/or 443 for HTTP or HTTPS for GUI access
    TCP 23 and/or 22 for Telnet or SSH for CLI access
    Also, if it goes over the IPSec VPN, the MTU size for the path between AP and WLC should be 1500; if it has a smaller MTU, then communication fails.
    Can you get me your WLC and ASA OS versions?
    Regards
    Karthik

  • "Discovering Proxy" across an IPSEC Tunnel over wireless

    Bear with me here, there are lot of moving parts in this puzzle, and I'm unsure where to look.
    Users are using IE7 (some IE8's), group policy has "Automatically Detect Settings", and we have published a WPAD DNS entry, and are hosting the PAC file on the S370 box.  We're very early in our deployment, so we're still functioning in "Monitor mode", till management has some information, and will direct us on what traffic they will allow .
    The majority of users are located at our main site, the same site our Proxy is at, these users are having zero problems.  For all intents and purposes, they don't even know the proxy is there.
    About 30% of our users are located at remote sites. They are connected via an IPSEC L2L VPN tunnel (ASA5505 at remote site, connecting to an ASA5550 at main site).
    The users using a wired connection work fine.
    Wireless users, connecting via LWAPP access points (Wireless LAN controller version 4.2.176.0) at the remote sites, experience a delay connecting to the proxy, usually a few minutes. I actually believe that they are bypassing the proxy, since it takes two minutes. Unfortunately, most of my users at the remote sites are wireless.
    Things I'm immediately going to try are upgrading to the latest version of WLAN controller software, and then opening a TAC case on the wireless LAN controller, but before I do this, has anyone run across something similar to this before? (Proxy discovery having issues across an IPSEC tunnel)
    Mike

    Hi Javier,
    Please explain to me how I should explain this technically elaborate issue to either ISP tech support? :-P
    Well, I tried my best and ended up on the phone for 5 hours with 6 different techs between Verizon and TWC BC. I should get paid for explaining them the basics of networking.
    Anyhow, my last desperate attempt was to ask the tech to reboot my ONT so I'd get a new IP. Maybe some traffic balancer or filter didn't like my source and destination IP combination. Maybe it was cursed.
    Ring. Ring. I finally got an awesome tech (John) from Verizon who actually knew what he was talking about. I connected my Verizon supplied router again and asked if he could log into it or run pings from it remotely (to show him that I'm not crazy). Though other techs told me that was not possible, he did in just a few seconds without much pain. He saw the pings failing as well. Then he said pings from the Verizon ONT gateway were successful, so I assumed it must have been an issue somewhere in Verizon's neck of the (network) woods where the problem persisted.
    Long story short: The new IP address worked like a charm and no more packet drops.

  • Cisco ASA 5505 IPSec tunnel won't establish until remote site attempts to connect

    I have a site to site IPSec tunnel setup and operational, but periodically the remote site goes down because of a somewhat reliable internet connection. The only way to get the tunnel to re-establish is to go to the remote site and simply issue a ping from a workstation on the remote network. We were having this same issue with a Cisco PIX 506E but decided to upgrade the hardware and see if that resolved the issue. It ran for well over a year and our assumption was that the issue was resolved. I was looking in the direction of the security-association lifetime, but if we power cycle the unit, I would expect that it would kill the SA; even after power cycling, the VPN does not come up automatically.
    Any assistance would be appreciated.
    ASA Version 8.2(1)
    hostname KRPS-FW
    domain-name lottonline.org
    enable password uniQue
    passwd uniQue
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.20.30.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address xxx.xxx.xxx.xxx 255.255.255.248
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    description Inside Network on VLAN1
    interface Ethernet0/2
    shutdown
    interface Ethernet0/3
    shutdown
    interface Ethernet0/4
    shutdown
    interface Ethernet0/5
    shutdown
    interface Ethernet0/6
    shutdown
    interface Ethernet0/7
    description Inside Network on VLAN1
    ftp mode passive
    dns server-group DefaultDNS
    domain-name lottonline.org
    access-list NONAT extended permit ip 10.20.30.0 255.255.255.0 10.20.20.0 255.255.255.0
    access-list NONAT extended permit ip 10.20.30.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list NONAT extended permit ip 10.20.30.0 255.255.255.0 192.168.15.0 255.255.255.0
    access-list KWPS-BITP extended permit ip 10.20.30.0 255.255.255.0 10.20.20.0 255.255.255.0
    access-list KWPS-BITP extended permit ip 10.20.30.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list KWPS-BITP extended permit ip 10.20.30.0 255.255.255.0 192.168.15.0 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list NONAT
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group OUTSIDE_ACCESS_IN in interface outside
    route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 10.20.30.0 255.255.255.0 inside
    http 10.20.20.0 255.255.255.0 inside
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map DYNMAP 65535 set transform-set ESP-AES-256-SHA
    crypto map VPNMAP 1 match address KWPS-BITP
    crypto map VPNMAP 1 set peer xxx.xxx.xxx.001
    crypto map VPNMAP 1 set transform-set ESP-AES-256-SHA
    crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP
    crypto map VPNMAP interface outside
    crypto isakmp enable outside
    crypto isakmp policy 5
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    ssh timeout 5
    console timeout 0
    management-access inside
    tunnel-group xxx.xxx.xxx.001 type ipsec-l2l
    tunnel-group xxx.xxx.xxx.001 ipsec-attributes
    pre-shared-key somekey

    Hi there,
    I had the same issue with a PIX 506E and it was not even a circuit issue; I got rid of it and the problem got fixed with a PIX515E.
    I don't know, the device is too old to stay alive.
    thanks

  • Static NAT with IPSec tunnel

    Hi,
    I have a hopefully fairly basic question regarding configuring some static NAT entries on a remote site 887 router which also has an IPSec tunnel configured back to our main office. I am fairly new to networking so forgive me if I ask some really silly questions!
    I have been asked to configure some mobile phone "boost" boxes, which will take a mobile phone and send the traffic over the Internet - this is required because of the poor signal at the branch. These boxes connect via Ethernet to the local network and need a direct connection to the Internet and also certain UDP and TCP ports opening up.
    There is only one local subnet on site and the ACL for the crypto map dictates that all traffic from this network to our head office go over the tunnel. What I wanted to do was create another vlan, give this a different subnet, assign these mobile boost boxes DHCP reservations (there is no interface to them so they cannot be configured) and then allow them to break out to the Internet locally rather than send the traffic back to our head office and have to open up ports on our main ASA firewall.
    From my research I came across this article (http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml
    So I went ahead and created a separate vlan and DHCP reservation and then also followed the guidelines outlined above about using a route-map to stop the traffic being sent down the tunnel, and then configured static NAT statements for each of the four ports these boost boxes need to work. I configured the ip nat inside/outside on the relevant ports (vlan 3 for inside, dialer 1 for outside).
    The configuration can be seen below for the NAT part;
    ! Denies vpn interesting traffic but permits all other
    ip access-list extended NAT-Traffic
    deny ip 172.19.191.0 0.0.0.255 172.16.0.0 0.3.255.255
    deny ip 172.19.191.0 0.0.0.255 10.0.0.0 0.255.255.255
    deny ip 172.19.191.0 0.0.0.255 192.168.128.0 0.0.3.255
    deny ip 172.19.191.0 0.0.0.255 12.15.28.0 0.0.0.255
    deny ip 172.19.191.0 0.0.0.255 137.230.0.0 0.0.255.255
    deny ip 172.19.191.0 0.0.0.255 165.26.0.0 0.0.255.255
    deny ip 172.19.191.0 0.0.0.255 192.56.231.0 0.0.0.255
    deny ip 172.19.191.0 0.0.0.255 192.168.49.0 0.0.0.255
    deny ip 172.19.191.0 0.0.0.255 192.168.61.0 0.0.0.255
    deny ip 172.19.191.0 0.0.0.255 192.168.240.0 0.0.7.255
    deny ip 172.19.191.0 0.0.0.255 205.206.192.0 0.0.3.255
    permit ip any any
    ! create route map
    route-map POLICY-NAT 10
    match ip address NAT-Traffic
    ! static nat
    ip nat inside source static tcp 192.168.1.2 50 85.233.188.47 50 route-map POLICY-NAT extendable
    ip nat inside source static udp 192.168.1.2 123 85.233.188.47 123 route-map POLICY-NAT extendable
    ip nat inside source static udp 192.168.1.2 500 85.233.188.47 500 route-map POLICY-NAT extendable
    ip nat inside source static udp 192.168.1.2 4500 85.233.188.47 4500 route-map POLICY-NAT extendable
    Unfortunately this didn't work as expected, and soon after I configured this the VPN tunnel went down.  Am I right in thinking that UDP port 500 is also the same port used by ISAKMP so by doing this configuration it effectively breaks IPSec?
    Am I along the right lines in terms of configuration?  And if not can anyone point me in the direction of anything that may help at all please?
    Many thanks in advance
    Brian

    Hi,
    Sorry to bump this thread up but is anyone able to assist in configuration?  I am now thinking that if I have another public IP address on the router which is not used for the VPN tunnel I can perform the static NAT using that IP which should not break anything?
    Thanks
    Brian
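A config check for the conflict Brian suspects, as an added example (not code from the thread): any static PAT that forwards UDP 500 or 4500 of the router's own IPsec endpoint address to an inside host competes with the router's ISAKMP and NAT-T listener on that same address:port, so a lint should flag it before it is applied. The four NAT lines and 85.233.188.47 are from his post; 85.233.188.48 (his "second public IP" idea) and the function names are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# UDP ports the router itself needs on its IPsec endpoint address
IKE_PORTS = {("udp", 500): "ISAKMP/IKE", ("udp", 4500): "IKE NAT-T"}

STATIC_PAT_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)(?:\s|$)")


@dataclass(frozen=True)
class StaticPat:
    proto: str
    inside_ip: str
    inside_port: int
    global_ip: str
    global_port: int
    line: str


def parse_static_pat(config: str) -> List[StaticPat]:
    """Pick out 'ip nat inside source static <proto> <in-ip> <in-port> <global-ip> <global-port>'
    lines; everything else in the config (route-map, extendable, other commands) is ignored."""
    entries = []
    for raw in config.splitlines():
        line = raw.strip()
        m = STATIC_PAT_RE.match(line)
        if m:
            proto, in_ip, in_port, g_ip, g_port = m.groups()
            entries.append(StaticPat(proto, in_ip, int(in_port), g_ip, int(g_port), line))
    return entries


def find_ike_conflicts(config: str, tunnel_endpoint_ip: str) -> List[Tuple[StaticPat, str]]:
    """Return static PAT entries that hand the IKE ports of the router's own IPsec
    endpoint address to an inside host. The router's own ISAKMP/NAT-T listener and
    the forwarded inside host then claim the same address:port, which is exactly
    the situation Brian describes (the tunnel dropped right after adding them)."""
    hits = []
    for e in parse_static_pat(config):
        label = IKE_PORTS.get((e.proto, e.global_port))
        if label and e.global_ip == tunnel_endpoint_ip:
            hits.append((e, label))
    return hits


# The four static NAT lines from Brian's post; 85.233.188.47 is the public address
# that also terminates his IPsec tunnel.
BRIAN_CONFIG = """
ip nat inside source static tcp 192.168.1.2 50 85.233.188.47 50 route-map POLICY-NAT extendable
ip nat inside source static udp 192.168.1.2 123 85.233.188.47 123 route-map POLICY-NAT extendable
ip nat inside source static udp 192.168.1.2 500 85.233.188.47 500 route-map POLICY-NAT extendable
ip nat inside source static udp 192.168.1.2 4500 85.233.188.47 4500 route-map POLICY-NAT extendable
"""

# Brian's follow-up idea: the same forwards on a second public address that does not
# carry the tunnel. 85.233.188.48 is a constructed placeholder, not from the thread.
SEPARATE_IP_CONFIG = BRIAN_CONFIG.replace("85.233.188.47", "85.233.188.48")


def conflicting_ports(config: str, tunnel_endpoint_ip: str = "85.233.188.47") -> List[int]:
    """Global ports on the tunnel endpoint that are stolen from IKE by static PAT."""
    return [e.global_port for e, _ in find_ike_conflicts(config, tunnel_endpoint_ip)]


if __name__ == "__main__":
    for e, label in find_ike_conflicts(BRIAN_CONFIG, "85.233.188.47"):
        print(f"CONFLICT {label}: {e.line}")
    print("conflicts with a separate public IP:", conflicting_ports(SEPARATE_IP_CONFIG))
```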

  • Not Seeing NAT Translations Across GRE IPSec Tunnel

    Hello,
    I have a P2P GRE over IPSec tunnel between two 3725s using NAT overload and the Internet as transport. I can reach the backside networks, tunnel endpoints, etc., and I have verified that the traffic is being encrypted. What I am not seeing however are any NAT translations taking place. They must be happening because my traffic is being routed through the tunnel via the public interfaces. I am assuming that this is a result of the checksum being altered when the translation is done.
    Would I be correct in assuming that I could use something like NAT Transparency or IPSec over TCP/UDP to fix the problem and begin seeing NAT translations?
    Thanks for any help you guys may be able to provide!
    Anthony, CCNA (Network/Voice)

    Can you send over the configurations
    You seem to have a phase 1 issue, it's not negotiating correctly.
    Thanks

  • IPSEC tunnel with NAT and NetMeeting

    I have established an IPSEC tunnel with two Cisco 2621 routers. Clients over the Internet are able to dial into the MCU server, which is behind one of the Cisco 2621 routers configured with NAT but the MCU is not able to call the client. The MCU is able to call any server or client on the LAN however it is not able to call anyone passed the router configured with NAT. Could anyone who has experience with NAT and IPSEC help me out?
    Thanks,

    The following doc should help...
    http://www.cisco.com/warp/public/707/ipsecnat.html

  • IPSEC Tunnel Redundancy

    I've got two ASA5510's, I have SITE-A and SITE-B
    SITE-A connects to the INTERNET on one circuit and an MPLS circuit on different interfaces on the router.
    SITE-B connects to the INTERNET and MPLS on the same circuit.
    My outside interface on the ASA at SITE-A has a public address of: 1.2.3.4. On the router, it NATs that address to 10.25.25.5/29 when going out the MPLS interface.
    At SITE-B, the outside interface on the ASA is 10.25.25.13/30 which has public ip address 4.3.2.1 NATed to it.
    Currently, I am able to create two distinct (one at a time) tunnels which route the appropriate traffic through them. One tunnel is done completely over the MPLS circuit from site to site. The other tunnel goes out of SITE-A's internet connection, and jumps on the MPLS providers public network, then onto the MPLS network to get to SITE-B.
    These both work marvelously. I am trying to accomplish having the IPSEC tunnel go over the MPLS circuit by default, but in the event that SITE-A loses MPLS connectivity, the tunnel will go over the internet.
    These tunnels are currently landing on the ASA's and are not originating or landing on the routers, so I can't use (that I know of) routing on the router to determine which site to connect to.
    TUNNEL-A = 10.25.25.5 to 10.25.25.13
    TUNNEL-B = 1.2.3.4 to 4.3.2.1
    Any information, or advice about this configuration would be greatly appreciated.
    Thank you.

    I don't know if this will solve your issue, but have you tried static route tracking?
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

  • IPSEC Tunnel Failover MPLS

    Thank you all for your help. I've been looking through the threads and found a few good ideas however my search found things I had already gotten to work. So here is my task.
    Main Office
    Backup Office
    Small Remote Offices (20+)
    All IPSEC VPN's come into the main office. When the main office internet fails we route all of the main office traffic to our Backup office that has a large internet connection that we can see over our MPLS network.
    This backup works for basic internet connections. However the "non MPLS" offices lose access to email and our corporate resources that they see via IPSec.
    How do I set up the ASA(or networks) so that the Corporate network can automatically be seen via the IPSec tunnels coming out of the Backup Office.

    This link shows the process of creating and applying a profile to an IPSec tunnel. The necessary preliminary steps are also shown. You must first define a transform set and then create a profile before configuring the IPSec tunnel.
    http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.0/interfaces/configuration/guide/hc3tunne.html#wp1356228

  • Help on establishing Ipsec tunnel btw 1941 and ASA

    We are creating an Ipsec tunnel over the internet to another site but it is not working; could someone help me on what could be happening?
    My config:
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname XXXX
    boot-start-marker
    boot-end-marker
    logging buffered 51200 warnings
    enable XXXXX
    enable password XXXXXX
    no aaa new-model
    no ipv6 cef
    ip source-route
    ip cef
    ip domain name yourdomain.com
    ip name-server XXX.XXX.XXX.XXX
    ip name-server XXX.XXX.XXX.XXX
    multilink bundle-name authenticated
    password encryption aes
    crypto pki token default removal timeout 0
    crypto pki trustpoint TP-self-signed-4075439344
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-4075439344
    revocation-check none
    rsakeypair TP-self-signed-4075439344
    crypto pki certificate chain TP-self-signed-4075439344
    certificate self-signed 01
            quit
    license udi pid CISCO1941/K9 sn FTX1539816K
    license boot module c1900 technology-package securityk9
    username XXXXXXXXXXXXXX
    redundancy
    crypto isakmp policy 60
    encr aes
    authentication pre-share
    group 2
    crypto isakmp key XXXXXXX address XXX.XXX.XXX.XXX
    crypto isakmp profile mode
       keyring default
       self-identity address
       match identity host XXX.XXX.XXX.XXX
       initiate mode aggressive
    crypto ipsec transform-set VPNbrasil esp-aes esp-sha-hmac
    crypto map outside 60 ipsec-isakmp
    set peer XXX.XXX.XXX.XXX
    set transform-set VPNbrasil
    set pfs group2
    match address vpnbrazil
    interface Tunnel0
    ip unnumbered GigabitEthernet0/1
    interface Embedded-Service-Engine0/0
    no ip address
    shutdown
    interface GigabitEthernet0/0
    description WAN
    ip address XXX.XXX.XXX.XXX 255.255.255.248
    ip nat outside
    no ip virtual-reassembly in
    duplex full
    speed 100
    crypto map outside
    interface GigabitEthernet0/1
    description Intercon_LAN
    ip address XXX.XXX.XXX.XXX 255.255.255.252
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map outside
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 2 interface GigabitEthernet0/1 overload
    ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX name Internet
    ip access-list extended natvpnout
    permit ip host XXX.XXX.XXX.XXX any
    permit ip any any
    ip access-list extended vpnbrazil
    permit icmp XXX.XXX.XXX.XXX 0.0.0.255 any
    permit icmp any XXX.XXX.XXX.XXX 0.0.0.255
    permit ip any any
    access-list 1 permit any
    access-list 2 permit XXX.XXX.XXX.XXX 0.0.0.1 log
    access-list 2 permit XXX.XXX.XXX.XXX 0.0.0.7
    access-list 3 permit XXX.XXX.XXX.XXX
    access-list 23 permit XXX.XXX.XXX.XXX 0.0.0.7
    access-list 23 permit any log
    control-plane
    !
    line con 0
    login local
    line aux 0
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    stopbits 1
    line vty 0 4
    access-class 23 in
    privilege level 15
    login local
    transport input all
    telnet transparent
    line vty 5
    access-class 23 in
    privilege level 15
    login
    transport input all
    telnet transparent
    line vty 6 15
    access-class 23 in
    access-class 23 out
    privilege level 15
    login local
    transport input telnet ssh
    transport output all
    Could someone please help me with what could be wrong, and what tests should I do?
    Rds,
    Luiz

    try a simple configuration w/o isakmp profiles
    have a look at this link:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805e8c80.shtml

  • Multiple site to site IPSec tunnels to one ASA5510

    Question on ASA VPN tunnels. I have one ASA 5510 in our corporate office, I have two subnets in our corporate office that are configured in the ASA in a Object group. I have a site to site IPSEC tunnel already up and that has been working. I am trying to set up another site to site IPSEC tunnel to a different location that will need to be setup to access the same two subnets. I'm not sure if this can be setup or not, I think I had a problem with setting up two tunnels that were trying to connect to the same subnet but that was between the same two ASA's. Anyways the new tunnel to a new site is not coming up and I want to make sure it is not the subnet issue. The current working tunnel is between two ASA 5510's, the new tunnel we are trying to build is between the ASA and a Sonicwall firewall. Any help would be appreciated.

    Hi,
    Regarding setting up the new L2L VPN connection..
    Should be no problem (to my understanding) to configure the new L2L VPN connection through the other ISP interface (0/3). You will need to at least route the remote VPN peer's IP address towards that link. The L2L VPN forming should add a route for the remote networks through that L2L VPN. If not, reverse route injection should handle it in the crypto map configuration.
    I guess rest of the setup depends on what will be using the 0/0 ISP and what will be using the 0/3 ISP.
    If you are going to put the default route towards the 0/3 ISP you will have to think of something for the 0/0 ISP if some of your local LAN devices are going to use it for Internet also. (Possible routing problems) On the other hand if you have remote VPN Client users using the 0/0 ISP there should be no routing problem for them as they would be initiating connection through that 0/0 ISP link through ASA so ASA should know where to forward the return traffic.
    Most of my 2 ISP setups have been implemented with a router in front of the actual ASA/PIX/FWSM firewalls, where the router has performed Policy Routing based on the source IP address from the firewalls and then set the correct gateway towards the correct ISP.
    - Jouni
