VPN between cisco WRVS4400N and EdgeMarc

Hi Experts
Please help me.
Is it possible to create VPN between cisco WRVS4400N and EdgeMarc appliance.
Regards,
Ejaz

Hi Ejaz
I don't expect any cisco folks that answer this community to be expert on EdgeMarc, but i may be wrong..
We employ a open standard IPSec implementation.
Here is the open source document that relates to the RV220W.
http://www.cisco.com/en/US/docs/routers/csbr/rv220w/open_source/OSD_RV220W_78-19892-02.pdf
The question could have been, have you asked EsgeMarc if they wiork with open standard based IPSec implemations on our routers.
I would prefer you look at the RV220W if possible, which is a relatively young product.
I am guessing since you can source a product from Disti, try one and see if it works.
The beauty of buying from a Cisco Disti Partner, is they they have a returns policy. Check out that policy, if you wish and keep the packaging and try out your application.
Answered a question with someone trying to form a IPSec link to a OEM firewall/ IPSec gateway ..it worked. so give your application a try
regards Dave.

Similar Messages

Trying to bring up a VPN between a WRVS4400N and a BEFSX41

Hi, we replaced an older LinkSys wired router (BEFVP41) by a WRVS4400N. The BEFSX41 used to connect a VPN tunnel with the older wired LinkSys router. We redefined the tunnel on the WRVS4400N but it does not come up. The handshake stops after exchanging the preshared key: Jul 19 13:59:36 - [VPN Log]: "khaled"[4] 70.53.245.45 #70: STATE_MAIN_R2: sent MR2, expecting MI3 Jul 19 13:59:37 - [VPN Log]: "khaled"[4] 70.53.245.45 #70: Main mode peer ID is ID_IPV4_ADDR: '70.53.245.45' Jul 19 13:59:37 - [VPN Log]: "khaled"[4] 70.53.245.45 #70: I did not send a certificate because I do not have one. Jul 19 13:59:37 - [VPN Log]: "khaled"[4] 70.53.245.45 #70: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3 Jul 19 13:59:37 - [VPN Log]: "khaled"[4] 70.53.245.45 #70: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp768} Jul 19 13:59:37 - [VPN Log]: "khaled"[4] 70.53.245.45 #70: cannot respond to IPsec SA request because no connection is known for 10.30.1.0/24===69.159.114.86[S?C]...70.53.245.45[S?C]===10.30.10.0/24 Jul 19 13:59:37 - [VPN Log]: "khaled"[4] 70.53.245.45 #70: sending encrypted notification INVALID_ID_INFORMATION to 70.53.245.45:500 The preshared key is correct on both sides. In the advanced settings for this tunnel on the WRVS4400N we left the selection of local identity to local ip, ignoring the warning about using the name option. We are not using quickvpn. What puzzles us is this "cannot respond to IPsec..." message. The lan 10.30.1.0 is the subnet on the WRVS4400N side while the 10.30.10 lan is the subnet on the BEFSX41. They match the local and remote security groups so what is missing ? Switching back to older router (BEFVP41), the tunnel connects without any changes on the BEFSX41. We are changing the router because of stability problems, the BEFSX41 drops the connexion too frequently. Any compatibility issues ? Some setup we did not provide ? The documentation about the Advanced settings is minimal (nice word for none ) and the knowledge base search did not return anything meaningful. Any suggestions ?

Hi Broccoli! Are you using FQDN or IP address? What firmware is loaded on your WRVS4400N? I had this problem before with WRVS4400N, I can’t establish VPN connection with other router when I’m using FQDN, according to Linksys tech support, if I’m using FQDN with WRVS4400N, then I also have to use the same model on the other side. I encountered this using 1.00.14 firmware. Have you tried the latest firmware (1.00.15)?

L2l vpn between cisco pix and vpn concentrator 3030

l2l completes phase 1 but cannot seem to complete phase 2. A portion of the debug from the Pix is attached. Anyone got any ideas?

possible transform set mismatch on phase 2.
in the pix, this will be the command's related to something like:
crypto map VPN 20 set transform-set 3desSHA
in the concentrator, it will be found on the main config page for a L2L setup under:
Encryption and Authentication (not the IKE Proposal setting)
or, in the concentrator
configuration--> policy mgmt -->traffic mgmt - SA's--> find the IPSEC SA for this connection and modify

Site-to-Site VPN between Cisco ASA 5505 (8.4) and Cisco Router (IOS 15.2)

Hi, I'm trying to create Site-to-Site VPN between Cisco ASA 5505 and Cisco Router 3945.
I've tried create configuration with and without ASA wizard, but anyway it doesn't work.
Please help me to find where is the issue.
I have two sites and would like to get access from 192.168.83.0 to 192.168.17.0
192.168.17.0 --- S1.S1.S1.S1 (IOS Router) ==================== S2.S2.S2.S2 (ASA 5505) --- 192.168.83.0
Here is my current configuration.
Thanks for your help.
IOS Configuration
version 15.2
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key cisco address 198.0.183.225
crypto isakmp invalid-spi-recovery
crypto ipsec transform-set AES-SET esp-aes esp-sha-hmac
mode transport
crypto map static-map 1 ipsec-isakmp
set peer S2.S2.S2.S2
set transform-set AES-SET
set pfs group2
match address 100
interface GigabitEthernet0/0
ip address S1.S1.S1.S1 255.255.255.240
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map static-map
interface GigabitEthernet0/1
ip address 192.168.17.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
access-list 100 permit ip 192.168.17.0 0.0.0.255 192.168.83.0 0.0.0.255
ASA Configuration
ASA Version 8.4(3)
interface Ethernet0/0
switchport access vlan 2
interface Vlan1
nameif inside
security-level 100
ip address 192.168.83.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address S2.S2.S2.S2 255.255.255.248
ftp mode passive
same-security-traffic permit intra-interface
object network inside-network
subnet 192.168.83.0 255.255.255.0
object network datacenter
host S1.S1.S1.S1
object network datacenter-network
subnet 192.168.17.0 255.255.255.0
object network NETWORK_OBJ_192.168.83.0_24
subnet 192.168.83.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended deny ip any any log
access-list outside_cryptomap extended permit ip 192.168.83.0 255.255.255.0 object datacenter-network
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpn_pool 192.168.83.200-192.168.83.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic inside-network interface
nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup
nat (inside,outside) source static inside-network inside-network destination static datacenter-network datacenter-network no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.83.0_24 NETWORK_OBJ_192.168.83.0_24 destination static datacenter-network pdatacenter-network no-proxy-arp route-lookup
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 DEFAULT_GATEWAY 1
crypto ipsec ikev1 transform-set vpn-transform-set esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set vpn-transform-set mode transport
crypto ipsec ikev1 transform-set L2L_SET esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set L2L_SET mode transport
crypto dynamic-map dyno 10 set ikev1 transform-set vpn-transform-set
crypto map vpn 1 match address outside_cryptomap
crypto map vpn 1 set pfs
crypto map vpn 1 set peer S1.S1.S1.S1
crypto map vpn 1 set ikev1 transform-set L2L_SET
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp nat-traversal 3600
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
group-policy GroupPolicy_S1.S1.S1.S1 internal
group-policy GroupPolicy_S1.S1.S1.S1 attributes
vpn-tunnel-protocol ikev1
group-policy remote_vpn_policy internal
group-policy remote_vpn_policy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
username artem password 8xs7XK3To4s5WfTvtKAutA== nt-encrypted
username admin password rqiFSVJFung3fvFZ encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
address-pool vpn_pool
default-group-policy remote_vpn_policy
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group S1.S1.S1.S1 type ipsec-l2l
tunnel-group S1.S1.S1.S1 general-attributes
default-group-policy GroupPolicy_S1.S1.S1.S1
tunnel-group S1.S1.S1.S1 ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f55f10c19a0848edd2466d08744556eb
: end

Thanks for helping me again. I really appreciate.
I don't hve any NAT-exemptions in Cisco IOS Router. Transform-set I will change soon, but I've tried with tunnel mode and it didn't work.
Maybe NAT-exemptions is the issue. Can you advice me which exemptions should be in Cisco IOS Router?
Because on Cisco ASA I guess I have everything.
Here is show crypto session detail
router(config)#do show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: GigabitEthernet0/0
Session status: DOWN
Peer: 198.0.183.225 port 500 fvrf: (none) ivrf: (none)
      Desc: (none)
      Phase1_id: (none)
IPSEC FLOW: permit ip 192.168.17.0/255.255.255.0 192.168.83.0/255.255.255.0
        Active SAs: 0, origin: crypto map
        Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
Should I see something in crypto isakmp sa?
pp-border#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
IPv6 Crypto ISAKMP SA
Thanks again for your help.

Routing issue between Cisco Nexus and Cisco 4510 R+E Chassis

We have configured Cisco Nexus 7K9 as core and Cisco 4510 R+E as access switches for Server connectivity.
We are experiencing problem in terms of ARP learning and Ping issues between Cisco Nexus and end hosts.

Hi,
So you have N7k acting as L3 with servers connected to 4510?.
Do you see the MAC associated with failing ARP in 4510?. Is it happening with all or few servers?. Just to verify if it is connectivity issue between N7k and 4510, you can configure an SVI on 4510 and assign address from same raneg (server/core range) and perform a ping.
This will help narrow down if issue is between server to 4510 or 4510 to N7k.
Thanks,
Nagendra

The difference of the IEEE802.1x Auth between Cisco Routers and Catalyst switches

Hello
I am investigating the difference of the IEEE802.1x Auth between Routers and Switches.
Basically dot1x auth is availlable on Catalyst Switches. however if I want to check to
PortBased Multi-Auth , MAC address Auth and any certification Auth with this feature,
Is it possible to integrate into Cisco Router such as Cisco 891F ?
In my opinion Cisco891F is also available to use basic IEEE802.1x but if it compares with Catalyst switches such as Cat3560X
I think there might be any unsupported feature on Cisco 891F.
I appreciate any information. thank you very much in advance.
Best Regards,
Masanobu Hiyoshi

Many time in interviews asked comaprison between cisco routers and switches that i was answerless bcoz i dont have much knowledge about that.Can anyone provide me the compariosin sheet of the same.how are the cisco devices differ with each other how much Bandwidth each routres support and Etc...
Ummmm ... The most common question I get is "what is the difference between a router and a switch".
However, if you get a question like this, then my impression to this line of questioning are:
1. The candidate they are looking for has in-depth knowledge of routers and switches. And I mean IN-DEPTH!;
2. They are not looking for a candidate. They just want to stroke their ego. There is not alot of people who can give you the "names and numbers" of routers and switches at a snap of a finger. And if you do happen to know the answer, then and there, then expect a tougher follow-up question.

Mobility between Cisco WLC and Meraki(other vendor)

Is it possible that users can roam between Cisco WLC and other vendor wireless gear? Meraki keeps saying it is possible.
They keep saying it is a IEEE feature and everone should support but I do not understand how?

While theoretically possible with the adoption of capwap, it would require all the manufacturers to follow the specs exactly the same. Kind of like hearding cats, not impossible, but highly unlikely.. That's just my opinion
Sent from Cisco Technical Support iPad App

Difference between Cisco DCNM and CISCO Fabric Manager

Hello Everyone,
I am new to Cisco SAN and just would like to know the differences between cisco DCNM and Cisco Fabric manager and which one is latest as of now.
regards
VINAY

Hi Viany,
Fabric Manager was renamed DCNM starting at 5.2.
Fabric Manager only monitors SAN Fabrics, while DCNM 5.2 and above can monitor both SAN Fabrics and Ethernet LANs.
Regards,
David

VPN between Juniper ScreenOS and Cisco issue

We are facing the issue between cisco and juniper after implementing GRE over IPSec with OSPF. According to Juniper the packets sending from one Branch to another are not encapsulated by Cisco. Below attached are the logs of cisco. As i am reading the forums over internet, most of them recommended to create Static VTI between cisco and juniper.
Is Static VTI are recommaded or not ?
We have 400 Branch offices, each Branches has point to point GRE Tunnel, can we use single VTI Profile and apply on all 400 Tunnel interfaces or its has some limitation?
Can we enable netflow on Static VTI
Can we pass Voice Traffic over it.
Qos also implemented over it.
Can we apply rate limit over it.
All Traffic will be encrypted. ACL limitation ( permit ip any any)

From the output of show cry ipsec sa, the encrypts are a lot more than decrypts, which means traffic is actually getting encrypted and getting sent through the VPN tunnel, and reply is probably not getting back towards the 2801 router.
Can you check the output on the Linksys as well. And also make sure that the Linksys end knows how to route back towards the 2800 router.

VPN between ASA 5500 and Cisco 871

Hello.
I recently bought a Cisco 871 and an ASA 5500 device. I would like to configure a VPN connection (LAN-to-LAN), and I would like some help about the ports that need to be opened into both firewalls, ASA and 871.
Thank you.

Thank you. The routers where not syncronized.
I have installed on my CA server also an NTP server and everything works now.
I have one more question: how can I connect the CA server to separate zone on my ASA device? Let's say a DMZ zone?
I have 2 public IPs and I want to use one (let's say PRIMARY_IP) for the VPN tunnels, and the other one (let's call it SECONDARY_IP) for the CA server...In other words I want the SECONDARY_IP to be ?assigned? to the CA server; if someone wants to make requests for NTP, or SCEP, or ...let's say TFTP to the SECONDARY_IP, those requests to be forwarded behind the ASA, to the CA.
Can you help me?

Persistent VPN between PIX 501 and ASA 5505

I am a networking newbie with 2 small retail stores. I would like to create a persistent VPN between the stores. I already have a PIX 501 firewall, and I am looking at getting an ASA 5505. Would I have any problems creating a persistent VPN between these two firewalls?

No problems whatsoever :-)
There are loads of examples for the config on the Cisco website, and basically these boxes can run exactly the same software, so the config on each is virtually the same. Main difference is the ASA defines the interfaces in a different way. Even if you have different versions of software, say 6.3 on the PIX and 7.2 on the ASA they will still work fine for the VPN, just the configs will be a lot more different. Hope this helps to remove any worries you had?

VPN with Cisco 877 and ASA 5505

Hi Experts
this is my scenario :
remote clients ----> Internet----> Cisco 877---> ASA5505---->LAN
i would like to allow remote users to connect to my LAN to chek their mails and work as they are in the office. Actually i have configured Cisco877 as VPN Server this is working Fine. but now i'm trying to use ASA with the router because it permit 25 connections at the same time.
i'm connected to internet using a public ISDN IP.i have heard that i need a second IP adresse for ASA ! and the ASA must act as VPN server and the router as Client, is that right ?
if i need to configure the link between the router and ASA how can i do it ? i can't find any document or example in the net :/
please i need your support to make this dream real lol.
i will poste my configuration step by step following your help.
many thanks.

ASA need public ip address that is sure and also ASA acts as vpn. Client server will be remote not router. For that you can use any Ethernet. Trying to make a remote VPN connection via the cisco client, authenticate against an RSA Secure Token server and provide the client an IP address via DHCP.

Inline Posture between Cisco ISE and Wireless LAN Controller

Hi,
I was looking into Cisco ISE solution for deploying NAC.
I have a question about the network topology.
In the user guide documents of cisco ISE, it is written that for Wireless LAN Controllers (WLC) and VPN devices, an additional server, Inline Posture, is needed.
However, in the following integration document, there is not an inline posture between WLC and Cisco ISE server.
https://supportforums.cisco.com/docs/DOC-18121
I want to know if Inline Posture is a requirement, if not a requirement, what are the benefits of having it between Cisco ISE Server and WLC.
Thanks & Regards
Sinan

Hello,
Please go through below mentioned links which might be helpful for you.
http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_ipep_deploy.html
http://www.cisco.com/en/US/docs/security/ise/1.2/installation_guide/ise_deploy.html
Best Regards,

Routing issue between Cisco device and Virtual machine

Hi Guys,
We have two local subnets in a virtualized environment, subnet 1 has a VM operating as a firewall, we would like all traffic for subnet 2 to go via VM on subnet 1, this will police traffic on subnet 2 and then reroute.
The infrastructure involved comprises,
Internet Edge Switch -> ASA -> Core Switch -> IBM Flex chassis
The Internet edge switch is directly connected between the ISP routers and the Cisco ASA firewall pair (A/S). The ASA is then connected to the Core switch. Connected from the core switch is an IBM Flex chassis, via a port channel (all vlans allowed)
The local subnets in question are as follows:
Vlan 101 (10.1.1.0/24)
Vlan 102 (10.2.1.0/24)
The VM in question has two NIC cards having IP address of both subnets.
NIC 1: 10.1.1.1
NIC 2: 10.2.1.1
We would like packets destined for 10.2.1.1 to land on 10.1.1.1 IP address. At the moment traffic for each vlan routes from the outside to their respective local subnets successfully, what we are having difficulty with is directing traffic for subnet 2 via subnet 1 VM firewall.
At the moment we have tried adding a static route on the core switch but it didn’t work
ip route 10.2.0.0 255.255.255.0 10.1.1.1
I will appreciate if you could share your knowledge and guide me how to achieve this goal.
Thanks in advance :-)

Hi,
I think for this to work you need a transit vlan between the VMs and the core switch. So, if you have 2 vlans on the VM (101 and 102) you use the VM switch to route between the vlans and in order to go outside the local vlans you would use the core switch. In this scenario you would not have an SVI (layer-3) interface on the core. The only thing that core will have is the layer-2 vlans (101 and102). You would than need a static route on the core switch to point to the transit vlan on the VM side.
so, for example, if the transit vlan is vlan 110 and the ip is 192.168.1.0/24
on the core you have static routes:
ip route 10.1.1.0/24 192.168.1.2 (VM side)
ip route 10.1.2.0/24 192.168.1.2 (VM side)
You also need an SVI for vlan 110 with ip address 192.168.1.1/24 on the core.
on the VM you need a default route to point to the core (192.168.1.1).
Is this what you are trying to do?
HTH

Site to Site VPN between ASA 5505 and Juniper SSG140 no traffic

interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 3
interface Ethernet0/2
switchport trunk allowed vlan 20-21,24,28,212-214,227,232-236,254-256
switchport mode trunk
interface Ethernet0/3
switchport trunk allowed vlan 20-21,24,28,212-214,227,232-236,254-256
switchport mode trunk
interface Ethernet0/4
switchport trunk allowed vlan 20-21,24,28,212-214,227,232-236,254-256
switchport mode trunk
interface Ethernet0/5
switchport trunk allowed vlan 20-21,24,28,212-214,227,232-236,254-256
switchport mode trunk
interface Ethernet0/6
switchport trunk allowed vlan 20-21,24,28,212-214,227,232-236,254-256
switchport mode trunk
interface Ethernet0/7
switchport access vlan 250
interface Vlan2
nameif outside
security-level 0
ip address 81.XXX.XXX.XXX 255.255.255.252
interface Vlan3
nameif OUTSIDE_BACK
security-level 0
ip address 41.XXX.XXX.XXX 255.255.255.248
interface Vlan20
nameif XXX
security-level 80
ip address 10.143.0.1 255.255.255.0 standby 10.143.0.2
interface Vlan21
nameif XXX
security-level 90
ip address 10.143.1.1 255.255.255.0 standby 10.143.1.2
interface Vlan24
nameif XXX
security-level 80
ip address 10.143.4.1 255.255.255.0 standby 10.143.4.2
interface Vlan28
nameif XXX
security-level 80
ip address 10.143.8.1 255.255.255.0 standby 10.143.8.2
interface Vlan212
nameif SELF
security-level 80
ip address 10.143.12.1 255.255.255.0 standby 10.143.12.2
interface Vlan213
nameif XXX
security-level 80
ip address 10.143.13.1 255.255.255.0 standby 10.143.13.2
interface Vlan214
nameif BIOFR
security-level 80
ip address 10.143.14.1 255.255.255.0 standby 10.143.14.2
interface Vlan232
nameif MNGT
security-level 80
ip address 10.143.32.1 255.255.255.0 standby 10.143.32.2
interface Vlan233
nameif XXX
security-level 80
ip address 10.143.33.1 255.255.255.0 standby 10.143.33.2
interface Vlan234
nameif XXX
security-level 80
ip address 10.143.34.1 255.255.255.0 standby 10.143.34.2
interface Vlan235
nameif XX
security-level 80
ip address 10.143.35.1 255.255.255.0 standby 10.143.35.2
interface Vlan236
nameif XXX
security-level 80
ip address 10.143.36.1 255.255.255.0 standby 10.143.36.2
interface Vlan250
description LAN Failover Interface
interface Vlan254
nameif TEST
security-level 80
ip address 10.143.254.1 255.255.255.0 standby 10.143.254.2
interface Vlan255
nameif XXX
security-level 100
ip address 10.143.255.1 255.255.255.0 standby 10.143.255.2
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network XXX
subnet 10.143.14.0 255.255.255.0
object network XXX
subnet 10.143.35.0 255.255.255.0
object network XXX
subnet 10.143.1.0 255.255.255.0
object network MGMT
subnet 10.143.32.0 255.255.255.0
object network XXX
subnet 10.143.36.0 255.255.255.0
object network XXX
subnet 10.143.4.0 255.255.252.0
object network XXX
subnet 10.143.33.0 255.255.255.0
object network ACCT
subnet 10.143.34.0 255.255.255.0
object network XXX
subnet 10.143.0.0 255.255.255.0
object network XXX
subnet 10.143.8.0 255.255.255.0
object network XXX
subnet 10.143.12.0 255.255.255.0
object network XXX
subnet 10.143.37.0 255.255.255.0
object network TEST
subnet 10.143.254.0 255.255.255.0
object network XXX
subnet 10.143.255.0 255.255.255.0
object network NETWORK_OBJ_10.143.0.0_16
subnet 10.143.0.0 255.255.0.0
object network NETWORK_OBJ_10.91.0.0_16
subnet 10.91.0.0 255.255.0.0
object-group network vpn-local-network
network-object 10.143.14.0 255.255.255.0
network-object 10.143.35.0 255.255.255.0
network-object 10.143.1.0 255.255.255.0
network-object 10.143.32.0 255.255.255.0
network-object 10.143.36.0 255.255.255.0
network-object 10.143.4.0 255.255.255.0
network-object 10.143.33.0 255.255.255.0
network-object 10.143.34.0 255.255.255.0
object-group network vpn-remote-network
network-object 10.112.0.0 255.255.0.0
access-list ACL_VPN extended permit ip 10.143.0.0 255.255.0.0 10.112.0.0 255.255.0.0
access-list ACL_INSIDE_NONAT extended permit ip 10.143.0.0 255.255.0.0 10.112.0.0 255.255.0.0
access-list PING extended permit icmp any any
access-list PING extended permit icmp any any object-group ALLOW_PING
pager lines 24
logging asdm informational
mtu outside 1500
failover
failover lan unit primary
failover lan interface FAILOVER Vlan250
failover interface ip FAILOVER 10.143.250.1 255.255.255.0 standby 10.143.250.2
no monitor-interface outside
no monitor-interface OUTSIDE_BACK
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-721.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (XXX,outside) source dynamic XXX interface
nat (XXX,outside) source dynamic XXX interface
nat (XXX,outside) source dynamic XXX interface
nat (XXX,outside) source dynamic XXX interface
nat (XXX,outside) source dynamic XXX interface
nat (XXX,outside) source dynamic XXX interface
nat (XX,outside) source dynamic XXX interface
nat (XXX,outside) source dynamic XXX interface
nat (XXX,outside) source dynamic XX interface
nat(IT,outside) source dynamic IT interface
nat (TEST,outside) source dynamic TEST interface
nat ( IT,outside) source dynamic IT interface
nat (TEST,outside) source static vpn-local-network vpn-local-network destination static vpn-remote-network vpn-remote-network no-proxy-arp route-lookup
access-group PING in interface outside
access-group PING in interface OUTSIDE_BACK
route outside 0.0.0.0 0.0.0.0 81.XXX.XXX.XXX.XXX 1 track 1
route OUTSIDE_BACK 0.0.0.0 0.0.0.0 41.XXXX
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
sysopt connection preserve-vpn-flows
sla monitor 123
type echo protocol ipIcmpEcho 41.xxx.xxx.xxx interface outside
frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec ikev1 transform-set ESP-3DES-ESP-MD5-HMAC esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map TEST 1 match address ACL_VPN
crypto map TEST 1 set peer 194.XXX.XXX.XXX
crypto map TEST 1 set ikev1 transform-set ESP-3DES-ESP-MD5-HMAC
crypto map TEST 1 set security-association lifetime seconds 86400
crypto map TEST 1 set security-association lifetime kilobytes 2147483647
crypto map TEST interface outside
crypto ca trustpool policy
no crypto isakmp nat-traversal
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
track 1 rtr 123 reachability
telnet timeout 5
ssh stricthostkeycheck
ssh 10.143.255.0 255.255.255.0 IT
ssh timeout 10
ssh key-exchange group dh-group1-sha1
console timeout 60
management-access IT
dhcpd lease 60000
dhcpd ping_timeout 20
dhcpd domain tls.ad
dhcpd auto_config outside
dhcpd address 10.143.4.10-10.143.4.200 XXX
dhcpd dns 10.91.0.34 8.8.8.8 interface XXX
dhcpd option 3 ip 10.143.4.1 interface XXX
dhcpd enable XXX
dhcpd address 10.143.12.10-10.143.12.200 XXX
dhcpd option 3 ip 10.143.12.1 interface XXX
dhcpd enable XXX
dhcpd address 10.143.14.10-10.143.14.200 XXX
dhcpd option 3 ip 10.143.14.1 interface XXX
dhcpd enable XXX
dhcpd address 10.143.32.10-10.143.32.100 MNGT
dhcpd option 3 ip 10.143.32.1 interface MNGT
dhcpd enable MNGT
dhcpd address 10.143.33.10-10.143.33.100 XXX
dhcpd option 3 ip 10.143.32.1 interface XXX
dhcpd enable XXX
dhcpd address 10.143.34.10-10.143.34.100 XXX
dhcpd option 3 ip 10.143.32.1 interface XXX
dhcpd enable XXX
dhcpd address 10.143.36.10-10.143.36.100 XXX
dhcpd option 3 ip 10.143.32.1 interface XXX
dhcpd enable XXX
dhcpd address 10.143.255.10-10.143.255.200 XXX
dhcpd option 3 ip 10.143.255.1 interface XXX
dhcpd enable IT
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server 10.90.0.34
ntp server 10.91.0.34
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
username tlsnimda password OW03yrp6/wvkyg6E encrypted
tunnel-group 194.XXX.XXX.XXX type ipsec-l2l
tunnel-group 194.XXX.XXX.XXX ipsec-attributes
ikev1 pre-shared-key *****
class-map icmp
match default-inspection-traffic
policy-map icmppolicy
class icmp
inspect icmp
service-policy icmppolicy interface outside
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e820e629c3cbaf67478c065440ac8138
VPN is up but not passing any traffing
Crypto map tag: TEST, seq num: 1, local addr: 81.xxx.xxx.xxx
access-list ACL_VPN extended permit ip 10.143.0.0 255.255.0.0 10.112.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.143.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.112.0.0/255.255.0.0/0/0)
current_peer: 194.xxx.xxx.xxx
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 10, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 10
local crypto endpt.: 81.xxx.xxx.xxx/0, remote crypto endpt.: 194.xxx.xxx.xx/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: CC4FACB7
current inbound spi : D8C0AC76
inbound esp sas:
spi: 0xD8C0AC76 (3636505718)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 9367552, crypto-map: TEST
sa timing: remaining key lifetime (kB/sec): (1824522239/3507)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xCC4FACB7 (3427773623)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 9367552, crypto-map: TEST
sa timing: remaining key lifetime (kB/sec): (1824522239/3507)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
VPN is unstable
Connection terminated for peer 194.XXX.XXX.XX. Reason: Peer Terminate Remote Proxy 10.112.0.0, Local Proxy 10.143.0.0
I cannot pass any traffic through the vpn when it's UP, or ping the other side.
ASA VERSION 9.2

I do not think that'll be any problem. Here at work we also use Cisco ADSL 800 Series with vpn between customers' sites without any issues. The ASA should vpn for sure.

VPN between cisco WRVS4400N and EdgeMarc

Similar Messages

Maybe you are looking for