VPN between PIX 515 Version 6.3(3) and CheckPoint NGX R70.10

Similar Messages

• What is the differences between the older version of Oracle Financials and the 11 i

  What is the differences between the older version of Oracle Financials and 11i?

  Vijay,Thanks for your answer,but I am still not clear about it,I have a instance to describe my question at detail.
      If there is a final product A, and the planning strategy for A is 20(MTO), the procurement type of A is F(external procurement) at the view mrp2 in the material master datas.
  step1: I creat a sales order.
  step2: run MRP for A.
  step3: transfer the purchase requistion into a purchase order,and the field of acc.***.cat. in the purchase order will be filled out M automatically, because the acc.***.cat. in the planning strategy 20(MTO) is set with E.
      Well, the purchase order is created, what is the relationship between the sales order and the purchase order? What will be happened about costing between the SO and the PO?
      If I delete the E, I make the PO become a standard PO, what is difference between standard PO and the PO including E?
  Best Regards
  Bob

• Difference between Hyperion Essbase Version 6.1.4 and 7.1.3

  Hi All,
  Can anyone give me some information on differences between Hyperion Essbase version 6.1.4 and version 7.1.3.
  TIA,
  KRIS.

  Have a look at :- https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1092114.1
  and "Legacy Essbase Cumulative Feature Overview Tool"
  Cheers
  John
  http://john-goodwin.blogspot.com/

• Persistent VPN between PIX 501 and ASA 5505

  I am a networking newbie with 2 small retail stores. I would like to create a persistent VPN between the stores. I already have a PIX 501 firewall, and I am looking at getting an ASA 5505. Would I have any problems creating a persistent VPN between these two firewalls?

  No problems whatsoever :-)
  There are loads of examples for the config on the Cisco website, and basically these boxes can run exactly the same software, so the config on each is virtually the same. Main difference is the ASA defines the interfaces in a different way. Even if you have different versions of software, say 6.3 on the PIX and 7.2 on the ASA they will still work fine for the VPN, just the configs will be a lot more different. Hope this helps to remove any worries you had?

• PPTP VPN to PIX 515

  I have a PIX 515 configured to accept w2000 VPN PPTP.
  The point is , when appears ' Verifying user/pass' the error that appears next is 'the remote computer is not responding'
  Can anyone help me on this
  Regards
  Sérgio Sousa

  Sergio,
  I have just tested the following configuration on my lab PIX 515. I connected to the PIX using a dialup to the ineternet from my laptop and setup a PPTP connection from it to the PIX and it works with no problem.
  access-list pptp permit ip 10.x.x.x 255.255.255.0 172.x.x.x 255.255.255.128
  ip local pool pptp_dial_in 172.x.x.1-172.x.x.10
  nat (inside) 0 access-list pptp
  sysopt connection permit-pptp
  vpdn group PPTP-VPDN-GROUP accept dialin pptp
  vpdn group PPTP-VPDN-GROUP ppp authentication chap
  vpdn group PPTP-VPDN-GROUP ppp authentication mschap
  vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
  vpdn group PPTP-VPDN-GROUP client configuration address local pptp_dial_in
  vpdn group PPTP-VPDN-GROUP client configuration dns
  vpdn group PPTP-VPDN-GROUP client configuration wins
  vpdn group PPTP-VPDN-GROUP pptp echo 60
  vpdn group PPTP-VPDN-GROUP client authentication local
  vpdn username password
  vpdn enable outside
  I hope this helps.
  Jay

• Issues between R/3 Version 4.6.C and CRM version 5.0.

  Good Morning dear colleagues,
  Somebody has any idea where can I find what kind of issues I have to face in order to install / configure R/3 version 4.6.C versus CRM 5.0.???
  I really appreciate any help.
  Best Regards ... Carlos Lacruz.

  Hi
    Please check the following components CRM 5.0 supports
  Prerequisites
  SAP Application Component
  Configuration
  SAP SEM 3.5
  SAP ECC 6.0
  SAP NetWeaver 04
  SAP APO 3.1
  SAP FSCM 3.0
  SAP CRM 5.0
  Regards

• Is there a difference between the early version of Airport Extreme and the current model?

  I have an Airport Extreme I purchased in 2008.  It has a flat top.  Are the new models of Airport Extreme any improvement?

  Your model is able to produce a 2.4 GHz wireless network....OR.....a 5 GHz wireless network, but not both at the same time.
  Generation 2 through 5 of the AirPort Extreme feature simultaneous dual band operation, so both a 2.4 GHz and 5 GHz network are produced at the same time. Your newer faster devices will connect to the 5 GHz band and the older slower, or mobile devices like an iPhone will connect to the slower 2.4 GHz band.
  This way, the slower devices will not slow down the faster devices as they normally would on a single band router like your Generation 1 model.
  In addition, Generation 2 through 5 also have a Guest Network feature, which allows you to set up a separate network just for "guests'. This way, the guests can connect to the Internet, but they cannot "see" any of the devices on your "main" or private network.
  The latest Generation 5 model incorporates a new antenna design which seems to provide better range and signal penetration as well.

• Site-to-Site VPN between ASA & PIX

  Hi everyone,
  If this has been posted before, which it probably has, I apologize in advance.
  Basically, I have to configure a VPN between our NY ASA and a PIX we shipped to our LA office. The PIX is replacing an old Cisco router. The ASA is our main device which is configured for multiple VPN connections (and I have not touched this) and still has the old VPN config from that old Cisco router.
  On my part, I configured the PIX with the same pre-share key, and security protocols as the old router. When I checked the log files of the ASA I see the error message: "tunnel manager has failed to establish an l2l sa all configured ike versions failed to establish the tunnel."
  Since this is my first time setting up a PIX, I'm thinking there might be something the matter with my config, though I'm not exactly sure. The PIX config is as follows:
  interface Ethernet0
    nameif Outside
    security-level 0
    ip address 173.xxx.xxx.xxx 255.255.255.224
  interface Ethernet1
    nameif Inside
    security-level 100
    ip address 192.168.xxx.xxx 255.255.255.0
  interface Ethernet2
    shutdown
    no nameif
    no security-level
    no ip address
  ftp mode passive
  dns server-group DefaultDNS
    domain-name xxxxxx.xxxxx.org
  access-list acl_vpn extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.5.0 255.255.255.0
  access-list acl_vpn extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.6.0 255.255.255.0
  access-list acl_vpn extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.7.0 255.255.255.0
  access-list acl_vpn extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.8.0 255.255.255.0
  access-list acl_vpn extended permit ip 192.168.xxx.xxx 255.255.255.0 10.12.40.0 255.255.255.0
  pager lines 24
  mtu Outside 1500
  mtu Inside 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any Outside
  no asdm history enable
  arp timeout 14400
  global (Outside) 1 173.xxx.xxx.xxx netmask 255.255.255.224
  nat (Inside) 2 192.168.0.0 255.0.0.0
  nat (Inside) 1 0.0.0.0 0.0.0.0
  route Outside 0.0.0.0 0.0.0.0 173.xxx.xxx.xxx 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  dynamic-access-policy-record DfltAccessPolicy
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set myset esp-3des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto ipsec df-bit clear-df Outside
  crypto map mymap 1 match address acl_vpn
  crypto map mymap 1 set pfs
  crypto map mymap 1 set peer 69.18.xxx.xxx
  crypto map mymap 1 set transform-set myset
  crypto map mymap 1 set security-association lifetime seconds 28800
  crypto map mymap 1 set security-association lifetime kilobytes 4608000
  crypto isakmp identity address
  crypto isakmp enable Outside
  crypto isakmp policy 10
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 5000
  crypto isakmp policy 20
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 10000
  crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  tunnel-group 69.18.xxx.xxx type ipsec-l2l
  tunnel-group 69.18.xxx.xxx ipsec-attributes
    pre-shared-key *
  class-map inspection_default
    match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
    parameters
    parameters
  policy-map global_policy
    class inspection_default
     inspect dns preset_dns_map
     inspect ftp
     inspect h323 h225
     inspect h323 ras
     inspect netbios
     inspect rsh
     inspect rtsp
     inspect skinny
     inspect esmtp
     inspect sqlnet
     inspect sunrpc
     inspect tftp
     inspect sip
     inspect xdmcp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:ff5fe6ea51385f0d3f6580a5fdd73d40
  : end
  If you need further information, please let me know. Also any feedback would be greatly appreciated.
  Thanks,
  -Sasha

  Also,
  It would seem to me that you have not configured NAT0 for the VPN traffic
  This in most cases matches exactly the ACL used in the Crypto Map configurations.
  I suggest that you use another ACL for this purpose though to avoid any future problems
  access-list NAT0 extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.5.0 255.255.255.0
  access-list NAT0 extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.6.0 255.255.255.0
  access-list NAT0 extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.7.0 255.255.255.0
  access-list NAT0 extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.8.0 255.255.255.0
  access-list NAT0 extended permit ip 192.168.xxx.xxx 255.255.255.0 10.12.40.0 255.255.255.0
  nat (inside) 0 access-list NAT0
  The below command seems to be useless since it doesnt have a match "global" configuration for ID 2
  nat (Inside) 2 192.168.0.0 255.0.0.0
  - Jouni

• Connection issue between Cisco 515 Pix and Cisco 1841 router

  Hi,
  I am having a problem getting a Cisco Pix 515 communicating to a Cisco 1841. I am currently studying for CCNA so forgive me if it's obvious to the rest of you where the problem lies.
  The client currently has an ISDN service which is being moved over to a 2MB E1 connection.
  I have configured the 1841 router with G.703 WIC according to the information given to me by the ISP. I have configured the 1841 to have the same internal IP as the ISDN Cisco 800 series router, hoping for a simple swap over. The Pix 515 sits behind the ISDN at present and will be behind the 1841 when it is active.
  Once I unplug the 800 series ISDN router and plug the 1841 into the pix, I cannot get any response what so ever. I have tried changing the ethernet connection speeds between the pix and 1841 hoping it would be as simple as that without success. Can't get ping responses from either end but I can when the ISDN service is plugged in. Both ISDN and E1 link are supplied by the same ISP, Telstra Australia and the fixed IP's are able to move over to the E1 service.
  I have not touched the pix in any way. A seperate company configured the router a couple of years ago.
  I have included the configurations of the existing ISDN, Pix and the 1841 for you to review. Any advise/solutions would be greatly appreciated.
  Thanks in Advance,

  Hi,
  The outside interface on your PIX is configured as 10BaseT which would be fine when using the original 800 series ISDN router.
  Now with your new 1841, the interface that the PIX connects to is Fast Ethernet so you need to change your outside interface on the PIX to the same
  If you want to use auto negotiation between the PIX and router then the command to do this on the PIX is
  interface ethernet0 auto
  I recommend using hard coded settings between the PIX and router and the command to do this on this PIX is
  interface ethernet0 100full
  You will also need to change your router as:
  interface FastEthernet0/0
  speed 100
  duplex full
  If you can't configure the PIX as you mentioned an external company did it, then i guess you could change your Fast Ethernet interface to "speed 10", "duplex half".
  This won't create a bottleneck as you only have a 2 MB connection to your ISP
  Everything else looks good, don't worry about asking questions on the forum, this is what its for.
  HTH
  Paddy

• Need help, VPN between 1841 router & PIX 501

  Trying to setup a VPN between an 1841 router at HQ with static IP connecting to remote office with a PIX 501 and a persistent IP (not static, but Mediacom has mapped PIX MAC this IP so I always get same public IP even on equip reboot). I have configured both sides but tunnel will not come up, must be missing something.
  See attached configs.
  THANK YOU!

  Sorry.
  interface: outside
  Crypto map tag: IPSEC, local addr. 12.206.137.5
  local ident (addr/mask/prot/port): (10.5.5.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (10.2.1.0/255.255.255.0/0/0)
  current_peer: 216.203.117.82:500
  PERMIT, flags={origin_is_acl,}
  #pkts encaps: 659, #pkts encrypt: 659, #pkts digest 659
  #pkts decaps: 462, #pkts decrypt: 462, #pkts verify 462
  #pkts compressed: 0, #pkts decompressed: 0
  #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
  #send errors 124, #recv errors 0
  local crypto endpt.: 12.206.137.5, remote crypto endpt.: 216.203.117.82
  path mtu 1500, ipsec overhead 56, media mtu 1500
  current outbound spi: 793ff99e
  inbound esp sas:
  spi: 0xcbd5b096(3419779222)
  transform: esp-des esp-md5-hmac ,
  in use settings ={Tunnel, }
  slot: 0, conn id: 4, crypto map: IPSEC
  IV size: 8 bytes
  replay detection support: Y
  inbound ah sas:
  inbound pcp sas:
  outbound esp sas:
  spi: 0x793ff99e(2034235806)
  transform: esp-des esp-md5-hmac ,
  in use settings ={Tunnel, }
  slot: 0, conn id: 3, crypto map: IPSEC
  sa timing: remaining key lifetime (k/sec): (4607996/1929)
  IV size: 8 bytes
  replay detection support: Y
  outbound ah sas:
  local ident (addr/mask/prot/port): (10.5.5.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (216.203.117.85/255.255.255.255/0/0)
  current_peer: 216.203.117.82:500
  PERMIT, flags={origin_is_acl,}
  #pkts encaps: 2691, #pkts encrypt: 2691, #pkts digest 2691
  #pkts decaps: 2601, #pkts decrypt: 2601, #pkts verify 2601
  #pkts compressed: 0, #pkts decompressed: 0
  #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
  #send errors 0, #recv errors 0
  local crypto endpt.: 12.206.137.5, remote crypto endpt.: 216.203.117.82
  path mtu 1500, ipsec overhead 56, media mtu 1500
  current outbound spi: c6d3ea5c
  inbound esp sas:
  spi: 0x55d659c5(1440111045)
  transform: esp-des esp-md5-hmac ,
  in use settings ={Tunnel, }
  slot: 0, conn id: 1, crypto map: IPSEC
  sa timing: remaining key lifetime (k/sec): (4607097/1917)
  replay detection support: Y
  inbound ah sas:
  inbound pcp sas:
  outbound esp sas:
  spi: 0xc6d3ea5c(3335776860)
  transform: esp-des esp-md5-hmac ,
  in use settings ={Tunnel, }
  slot: 0, conn id: 2, crypto map: IPSEC
  sa timing: remaining key lifetime (k/sec): (4607743/1890)
  IV size: 8 bytes
  replay detection support: Y
  outbound ah sas:
  outbound pcp sas:

• PIX 515 & Zywall Site to Site VPN

  I would like to setup IPSEC Tunnel Between PIX and Zywall 70
  Tunnel can't be established. :(
  When I check the log, it stops after return [return status is IKMP_NO_ERR_NO_TRANS]
  What's wrong?
  Would you mind to help me to fix it?

  MY PIX Config

• Site to Site VPN Between Two ASA 5505's Up But Not Passing Traffic

  hello,
  i am setting up a site to site vpn between two asa 5505's.  the tunnel is up but i cannot get it to pass traffic and i have run out of ideas at this point.  i am on site as i am posting this question and only have about 4 hours left to figure this out, so any help asap is greatly appreciated.  i'll post the configs below along with the output of sh crypto isakmp sa and sh ipsec sa.
  FYI the asa's are different versions, one is 9.2 the other is 8.2
  Note: 1.1.1.1 = public ip for Site A 2.2.2.2 = public ip for site B
  Site A running config:
  Result of the command: "sh run"
  : Saved
  ASA Version 8.2(2)
  hostname csol-asa
  enable password WI19w3dXj6ANP8c6 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  name 192.168.1.0 san_antonio_inside
  interface Vlan1
   nameif inside
   security-level 100
   ip address 192.168.2.1 255.255.255.0
  interface Vlan2
   nameif outside
   security-level 0
   ip address 1.1.1.1 255.255.255.248
  interface Ethernet0/0
   switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  dns domain-lookup inside
  dns server-group DefaultDNS
   name-server 24.93.41.125
   name-server 24.93.41.126
  object-group network NETWORK_OBJ_192.168.2.0_24
  access-list inside_access_out extended permit ip any any
  access-list outside_access_out extended permit ip any any
  access-list outside_access_in extended permit icmp any any
  access-list outside_access_in_1 extended permit icmp any interface outside
  access-list outside_access_in_1 extended permit tcp any interface outside eq pop3
  access-list outside_access_in_1 extended permit tcp any interface outside eq 8100
  access-list outside_access_in_1 extended permit udp any interface outside eq 8100
  access-list outside_access_in_1 extended permit udp any interface outside eq 1025
  access-list outside_access_in_1 extended permit tcp any interface outside eq 1025
  access-list outside_access_in_1 extended permit tcp any interface outside eq 5020
  access-list outside_access_in_1 extended permit tcp any interface outside eq 8080
  access-list outside_access_in_1 extended permit tcp any interface outside eq www
  access-list outside_access_in_1 extended permit ip san_antonio_inside 255.255.255.0 any
  access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 host san_antonio_inside
  access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat-control
  global (inside) 2 interface
  global (outside) 101 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 101 0.0.0.0 0.0.0.0
  static (inside,outside) tcp interface pop3 192.168.2.249 pop3 netmask 255.255.255.255
  static (inside,outside) tcp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
  static (inside,outside) udp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
  static (inside,outside) udp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
  static (inside,outside) tcp interface 5020 192.168.2.8 5020 netmask 255.255.255.255
  static (inside,outside) tcp interface 8080 192.168.2.251 8080 netmask 255.255.255.255
  static (inside,inside) tcp interface www 192.168.2.8 www netmask 255.255.255.255
  static (inside,outside) tcp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
  access-group inside_access_out out interface inside
  access-group outside_access_in_1 in interface outside
  route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 192.168.2.0 255.255.255.0 inside
  http 2.2.2.2 255.255.255.255 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map outside_map1 1 match address outside_1_cryptomap_1
  crypto map outside_map1 1 set peer 2.2.2.2
  crypto map outside_map1 1 set transform-set ESP-3DES-SHA
  crypto map outside_map1 interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd address 192.168.2.30-192.168.2.155 inside
  dhcpd dns 24.93.41.125 24.93.41.126 interface inside
  dhcpd domain corporatesolutionsfw.local interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
   anyconnect-essentials
  group-policy DfltGrpPolicy attributes
  tunnel-group 2.2.2.2 type ipsec-l2l
  tunnel-group 2.2.2.2 ipsec-attributes
   pre-shared-key *****
  prompt hostname context
  call-home
   profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:021cf43a4211a99232849372c380dda2
  : end
  Site A sh crypto isakmp sa:
  Active SA: 1
      Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
  Total IKE SA: 1
  1   IKE Peer: 2.2.2.2
      Type    : L2L             Role    : responder
      Rekey   : no              State   : MM_ACTIVE
  Site A sh ipsec sa:
  Result of the command: "sh ipsec sa"
  interface: outside
      Crypto map tag: outside_map1, seq num: 1, local addr: 1.1.1.1
        access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
        local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
        remote ident (addr/mask/prot/port): (san_antonio_inside/255.255.255.0/0/0)
        current_peer: 2.2.2.2
        #pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
        #pkts decaps: 239, #pkts decrypt: 239, #pkts verify: 239
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 1, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: 1.1.1.1, remote crypto endpt.: 71.40.110.179
        path mtu 1500, ipsec overhead 58, media mtu 1500
        current outbound spi: C1074C40
        current inbound spi : B21273A9
      inbound esp sas:
        spi: 0xB21273A9 (2987553705)
           transform: esp-3des esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, }
           slot: 0, conn_id: 1691648, crypto-map: outside_map1
           sa timing: remaining key lifetime (kB/sec): (3914989/27694)
           IV size: 8 bytes
           replay detection support: Y
           Anti replay bitmap:
            0xFFFFFFFF 0xFFFFFFFF
      outbound esp sas:
        spi: 0xC1074C40 (3238480960)
           transform: esp-3des esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, }
           slot: 0, conn_id: 1691648, crypto-map: outside_map1
           sa timing: remaining key lifetime (kB/sec): (3914999/27694)
           IV size: 8 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001
  Site B running config:
  Result of the command: "sh run"
  : Saved
  : Serial Number: JMX184640WY
  : Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
  ASA Version 9.2(2)4
  hostname CSOLSAASA
  enable password WI19w3dXj6ANP8c6 encrypted
  xlate per-session deny tcp any4 any4
  xlate per-session deny tcp any4 any6
  xlate per-session deny tcp any6 any4
  xlate per-session deny tcp any6 any6
  xlate per-session deny udp any4 any4 eq domain
  xlate per-session deny udp any4 any6 eq domain
  xlate per-session deny udp any6 any4 eq domain
  xlate per-session deny udp any6 any6 eq domain
  names
  interface Ethernet0/0
   switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
   nameif inside
   security-level 100
   ip address 192.168.1.1 255.255.255.0
  interface Vlan2
   nameif outside
   security-level 0
   ip address 2.2.2.2 255.255.255.248
  ftp mode passive
  object network NETWORK_OBJ_192.168.1.0_24
   subnet 192.168.1.0 255.255.255.0
  object network mcallen_network
   subnet 192.168.2.0 255.255.255.0
  access-list outside_cryptomap extended permit ip object NETWORK_OBJ_192.168.1.0_24 object mcallen_network
  access-list outside_access_in extended permit ip object mcallen_network 192.168.1.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-731-101.bin
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static mcallen_network mcallen_network no-proxy-arp route-lookup
  nat (inside,outside) after-auto source dynamic any interface
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 2.2.2.2 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
  crypto ipsec ikev2 ipsec-proposal DES
   protocol esp encryption des
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
   protocol esp encryption 3des
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
   protocol esp encryption aes
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
   protocol esp encryption aes-192
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
   protocol esp encryption aes-256
   protocol esp integrity sha-1 md5
  crypto ipsec security-association pmtu-aging infinite
  crypto map outside_map3 1 match address outside_cryptomap
  crypto map outside_map3 1 set peer 1.1.1.1
  crypto map outside_map3 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map3 interface outside
  crypto ca trustpool policy
  crypto ikev2 policy 1
   encryption aes-256
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 10
   encryption aes-192
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 20
   encryption aes
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 30
   encryption 3des
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 40
   encryption des
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 enable outside
  crypto ikev1 enable outside
  crypto ikev1 policy 120
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  telnet timeout 5
  ssh stricthostkeycheck
  ssh timeout 5
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  dhcpd address 192.168.1.200-192.168.1.250 inside
  dhcpd dns 24.93.41.125 24.93.41.126 interface inside
  dhcpd domain CSOLSA.LOCAL interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
   anyconnect-essentials
  group-policy DfltGrpPolicy attributes
   vpn-tunnel-protocol ikev1
  tunnel-group 1.1.1.1 type ipsec-l2l
  tunnel-group 1.1.1.1 ipsec-attributes
   ikev1 pre-shared-key *****
  policy-map type inspect dns preset_dns_map
   parameters
    message-length maximum client auto
    message-length maximum 512
  prompt hostname context
  no call-home reporting anonymous
  call-home
   profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:4e058021a6e84ac7956dca0e5a143b8d
  : end
  Site B sh crypto isakmp sa:
  Result of the command: "sh crypto isakmp sa"
  IKEv1 SAs:
     Active SA: 1
      Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
  Total IKE SA: 1
  1   IKE Peer: 1.1.1.1
      Type    : L2L             Role    : initiator
      Rekey   : no              State   : MM_ACTIVE
  There are no IKEv2 SAs
  Site B sh ipsec sa:
  Result of the command: "sh ipsec sa"
  interface: outside
      Crypto map tag: outside_map3, seq num: 1, local addr: 71.40.110.179
        access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
        local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
        remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
        current_peer: 1.1.1.1
        #pkts encaps: 286, #pkts encrypt: 286, #pkts digest: 286
        #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 286, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #TFC rcvd: 0, #TFC sent: 0
        #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: 2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
        path mtu 1500, ipsec overhead 58(36), media mtu 1500
        PMTU time remaining (sec): 0, DF policy: copy-df
        ICMP error validation: disabled, TFC packets: disabled
        current outbound spi: B21273A9
        current inbound spi : C1074C40
      inbound esp sas:
        spi: 0xC1074C40 (3238480960)
           transform: esp-3des esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, IKEv1, }
           slot: 0, conn_id: 28672, crypto-map: outside_map3
           sa timing: remaining key lifetime (kB/sec): (4373999/27456)
           IV size: 8 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000003
      outbound esp sas:
        spi: 0xB21273A9 (2987553705)
           transform: esp-3des esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, IKEv1, }
           slot: 0, conn_id: 28672, crypto-map: outside_map3
           sa timing: remaining key lifetime (kB/sec): (4373987/27456)
           IV size: 8 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001

  Hi Keegan,
  Your tunnel is up and encrypting traffic one way, the other end is not able to encrypt the traffic.
  I would suggest to do a 'clear xlate'?  Sometimes if you setup the nonat configuration after you've attempted other configurations, you need to 'clear xlate' before the previous NAT configuration is cleared and the new one works.
  HTH
  "Please rate useful posts"

• Site-to-Site VPN between Cisco ASA 5505 (8.4) and Cisco Router (IOS 15.2)

  Hi, I'm trying to create Site-to-Site VPN between Cisco ASA 5505 and Cisco Router 3945.
  I've tried create configuration with and without ASA wizard, but anyway it doesn't work.
  Please help me to find where is the issue.
  I have two sites and would like to get access from 192.168.83.0 to 192.168.17.0
  192.168.17.0 --- S1.S1.S1.S1 (IOS Router) ==================== S2.S2.S2.S2 (ASA 5505) --- 192.168.83.0
  Here is my current configuration.
  Thanks for your help.
  IOS Configuration
  version 15.2
  crypto isakmp policy 1
  encr aes 256
  authentication pre-share
  group 2
  crypto isakmp key cisco address 198.0.183.225
  crypto isakmp invalid-spi-recovery
  crypto ipsec transform-set AES-SET esp-aes esp-sha-hmac
  mode transport
  crypto map static-map 1 ipsec-isakmp
  set peer S2.S2.S2.S2
  set transform-set AES-SET
  set pfs group2
  match address 100
  interface GigabitEthernet0/0
  ip address S1.S1.S1.S1 255.255.255.240
  ip nat outside
  ip virtual-reassembly in
  duplex auto
  speed auto
  crypto map static-map
  interface GigabitEthernet0/1
  ip address 192.168.17.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
  duplex auto
  speed auto
  access-list 100 permit ip 192.168.17.0 0.0.0.255 192.168.83.0 0.0.0.255
  ASA Configuration
  ASA Version 8.4(3)
  interface Ethernet0/0
  switchport access vlan 2
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.83.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address S2.S2.S2.S2 255.255.255.248
  ftp mode passive
  same-security-traffic permit intra-interface
  object network inside-network
  subnet 192.168.83.0 255.255.255.0
  object network datacenter
  host S1.S1.S1.S1
  object network datacenter-network
  subnet 192.168.17.0 255.255.255.0
  object network NETWORK_OBJ_192.168.83.0_24
  subnet 192.168.83.0 255.255.255.0
  access-list outside_access_in extended permit icmp any any echo-reply
  access-list outside_access_in extended deny ip any any log
  access-list outside_cryptomap extended permit ip 192.168.83.0 255.255.255.0 object datacenter-network
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool vpn_pool 192.168.83.200-192.168.83.254 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source dynamic inside-network interface
  nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup
  nat (inside,outside) source static inside-network inside-network destination static datacenter-network datacenter-network no-proxy-arp route-lookup
  nat (inside,outside) source static NETWORK_OBJ_192.168.83.0_24 NETWORK_OBJ_192.168.83.0_24 destination static datacenter-network pdatacenter-network no-proxy-arp route-lookup
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 DEFAULT_GATEWAY 1
  crypto ipsec ikev1 transform-set vpn-transform-set esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set vpn-transform-set mode transport
  crypto ipsec ikev1 transform-set L2L_SET esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set L2L_SET mode transport
  crypto dynamic-map dyno 10 set ikev1 transform-set vpn-transform-set
  crypto map vpn 1 match address outside_cryptomap
  crypto map vpn 1 set pfs
  crypto map vpn 1 set peer S1.S1.S1.S1
  crypto map vpn 1 set ikev1 transform-set L2L_SET
  crypto map vpn 20 ipsec-isakmp dynamic dyno
  crypto map vpn interface outside
  crypto isakmp nat-traversal 3600
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 20
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  group-policy GroupPolicy_S1.S1.S1.S1 internal
  group-policy GroupPolicy_S1.S1.S1.S1 attributes
  vpn-tunnel-protocol ikev1
  group-policy remote_vpn_policy internal
  group-policy remote_vpn_policy attributes
  vpn-tunnel-protocol ikev1 l2tp-ipsec
  username artem password 8xs7XK3To4s5WfTvtKAutA== nt-encrypted
  username admin password rqiFSVJFung3fvFZ encrypted privilege 15
  tunnel-group DefaultRAGroup general-attributes
  address-pool vpn_pool
  default-group-policy remote_vpn_policy
  tunnel-group DefaultRAGroup ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group DefaultRAGroup ppp-attributes
  authentication ms-chap-v2
  tunnel-group S1.S1.S1.S1 type ipsec-l2l
  tunnel-group S1.S1.S1.S1 general-attributes
  default-group-policy GroupPolicy_S1.S1.S1.S1
  tunnel-group S1.S1.S1.S1 ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:f55f10c19a0848edd2466d08744556eb
  : end

  Thanks for helping me again. I really appreciate.
  I don't hve any NAT-exemptions in Cisco IOS Router. Transform-set I will change soon, but I've tried with tunnel mode and it didn't work.
  Maybe NAT-exemptions is the issue. Can you advice me which exemptions should be in Cisco IOS Router?
  Because on Cisco ASA I guess I have everything.
  Here is show crypto session detail
  router(config)#do show crypto session detail
  Crypto session current status
  Code: C - IKE Configuration mode, D - Dead Peer Detection
  K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
  X - IKE Extended Authentication, F - IKE Fragmentation
  Interface: GigabitEthernet0/0
  Session status: DOWN
  Peer: 198.0.183.225 port 500 fvrf: (none) ivrf: (none)
        Desc: (none)
        Phase1_id: (none)
    IPSEC FLOW: permit ip 192.168.17.0/255.255.255.0 192.168.83.0/255.255.255.0
          Active SAs: 0, origin: crypto map
          Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
          Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
  Should I see something in crypto isakmp sa?
  pp-border#sh crypto isakmp sa
  IPv4 Crypto ISAKMP SA
  dst             src             state          conn-id status
  IPv6 Crypto ISAKMP SA
  Thanks again for your help.

• Site to Site VPN between ASA 5505 and Juniper SSG140 no traffic

  interface Ethernet0/0
   switchport access vlan 2
  interface Ethernet0/1
   switchport access vlan 3
  interface Ethernet0/2
   switchport trunk allowed vlan 20-21,24,28,212-214,227,232-236,254-256
   switchport mode trunk
  interface Ethernet0/3
   switchport trunk allowed vlan 20-21,24,28,212-214,227,232-236,254-256
   switchport mode trunk
  interface Ethernet0/4
   switchport trunk allowed vlan 20-21,24,28,212-214,227,232-236,254-256
   switchport mode trunk
  interface Ethernet0/5
   switchport trunk allowed vlan 20-21,24,28,212-214,227,232-236,254-256
   switchport mode trunk
  interface Ethernet0/6
   switchport trunk allowed vlan 20-21,24,28,212-214,227,232-236,254-256
   switchport mode trunk
  interface Ethernet0/7
   switchport access vlan 250
  interface Vlan2
   nameif outside
   security-level 0
   ip address 81.XXX.XXX.XXX 255.255.255.252
  interface Vlan3
   nameif OUTSIDE_BACK
   security-level 0
   ip address 41.XXX.XXX.XXX 255.255.255.248
  interface Vlan20
   nameif XXX
   security-level 80
   ip address 10.143.0.1 255.255.255.0 standby 10.143.0.2
  interface Vlan21
   nameif XXX
   security-level 90
   ip address 10.143.1.1 255.255.255.0 standby 10.143.1.2
  interface Vlan24
   nameif XXX
   security-level 80
   ip address 10.143.4.1 255.255.255.0 standby 10.143.4.2
  interface Vlan28
   nameif XXX
   security-level 80
   ip address 10.143.8.1 255.255.255.0 standby 10.143.8.2
  interface Vlan212
   nameif SELF
   security-level 80
   ip address 10.143.12.1 255.255.255.0 standby 10.143.12.2
  interface Vlan213
   nameif XXX
   security-level 80
   ip address 10.143.13.1 255.255.255.0 standby 10.143.13.2
  interface Vlan214
   nameif BIOFR
   security-level 80
   ip address 10.143.14.1 255.255.255.0 standby 10.143.14.2
  interface Vlan232
   nameif MNGT
   security-level 80
   ip address 10.143.32.1 255.255.255.0 standby 10.143.32.2
  interface Vlan233
   nameif XXX
   security-level 80
   ip address 10.143.33.1 255.255.255.0 standby 10.143.33.2
  interface Vlan234
   nameif XXX
   security-level 80
   ip address 10.143.34.1 255.255.255.0 standby 10.143.34.2
  interface Vlan235
   nameif XX
   security-level 80
   ip address 10.143.35.1 255.255.255.0 standby 10.143.35.2
  interface Vlan236
   nameif XXX
   security-level 80
   ip address 10.143.36.1 255.255.255.0 standby 10.143.36.2
  interface Vlan250
  description LAN Failover Interface
  interface Vlan254
   nameif TEST
   security-level 80
   ip address 10.143.254.1 255.255.255.0 standby 10.143.254.2
  interface Vlan255
   nameif XXX
   security-level 100
   ip address 10.143.255.1 255.255.255.0 standby 10.143.255.2
  object network obj_any
   subnet 0.0.0.0 0.0.0.0
  object network XXX
   subnet 10.143.14.0 255.255.255.0
  object network XXX
   subnet 10.143.35.0 255.255.255.0
  object network XXX
   subnet 10.143.1.0 255.255.255.0
  object network MGMT
   subnet 10.143.32.0 255.255.255.0
  object network XXX
   subnet 10.143.36.0 255.255.255.0
  object network XXX
   subnet 10.143.4.0 255.255.252.0
  object network XXX
   subnet 10.143.33.0 255.255.255.0
  object network ACCT
   subnet 10.143.34.0 255.255.255.0
  object network XXX
   subnet 10.143.0.0 255.255.255.0
  object network XXX
   subnet 10.143.8.0 255.255.255.0
  object network XXX
   subnet 10.143.12.0 255.255.255.0
  object network XXX
   subnet 10.143.37.0 255.255.255.0
  object network TEST
   subnet 10.143.254.0 255.255.255.0
  object network XXX
   subnet 10.143.255.0 255.255.255.0
  object network NETWORK_OBJ_10.143.0.0_16
   subnet 10.143.0.0 255.255.0.0
  object network NETWORK_OBJ_10.91.0.0_16
   subnet 10.91.0.0 255.255.0.0
  object-group network vpn-local-network
   network-object 10.143.14.0 255.255.255.0
   network-object 10.143.35.0 255.255.255.0
   network-object 10.143.1.0 255.255.255.0
   network-object 10.143.32.0 255.255.255.0
   network-object 10.143.36.0 255.255.255.0
   network-object 10.143.4.0 255.255.255.0
   network-object 10.143.33.0 255.255.255.0
   network-object 10.143.34.0 255.255.255.0
  object-group network vpn-remote-network
   network-object 10.112.0.0 255.255.0.0
  access-list ACL_VPN extended permit ip 10.143.0.0 255.255.0.0 10.112.0.0 255.255.0.0
  access-list ACL_INSIDE_NONAT extended permit ip 10.143.0.0 255.255.0.0 10.112.0.0 255.255.0.0
  access-list PING extended permit icmp any any
  access-list PING extended permit icmp any any object-group ALLOW_PING
  pager lines 24
  logging asdm informational
  mtu outside 1500
  failover
  failover lan unit primary
  failover lan interface FAILOVER Vlan250
  failover interface ip FAILOVER 10.143.250.1 255.255.255.0 standby 10.143.250.2
  no monitor-interface outside
  no monitor-interface OUTSIDE_BACK
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-721.bin
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (XXX,outside) source dynamic XXX interface
  nat (XXX,outside) source dynamic XXX interface
  nat (XXX,outside) source dynamic XXX interface
  nat (XXX,outside) source dynamic XXX interface
  nat (XXX,outside) source dynamic XXX interface
  nat (XXX,outside) source dynamic XXX interface
  nat (XX,outside) source dynamic XXX interface
  nat (XXX,outside) source dynamic XXX interface
  nat (XXX,outside) source dynamic XX interface
  nat(IT,outside) source dynamic IT interface
  nat (TEST,outside) source dynamic TEST interface
  nat ( IT,outside) source dynamic IT interface
  nat (TEST,outside) source static vpn-local-network vpn-local-network destination static vpn-remote-network vpn-remote-network no-proxy-arp route-lookup
  access-group PING in interface outside
  access-group PING in interface OUTSIDE_BACK
  route outside 0.0.0.0 0.0.0.0 81.XXX.XXX.XXX.XXX 1 track 1
  route OUTSIDE_BACK 0.0.0.0 0.0.0.0 41.XXXX
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  no snmp-server location
  no snmp-server contact
  sysopt connection preserve-vpn-flows
  sla monitor 123
   type echo protocol ipIcmpEcho 41.xxx.xxx.xxx interface outside
   frequency 10
  sla monitor schedule 123 life forever start-time now
  crypto ipsec ikev1 transform-set ESP-3DES-ESP-MD5-HMAC esp-3des esp-md5-hmac
  crypto ipsec security-association pmtu-aging infinite
  crypto map TEST 1 match address ACL_VPN
  crypto map TEST 1 set peer 194.XXX.XXX.XXX
  crypto map TEST 1 set ikev1 transform-set ESP-3DES-ESP-MD5-HMAC
  crypto map TEST 1 set security-association lifetime seconds 86400
  crypto map TEST 1 set security-association lifetime kilobytes 2147483647
  crypto map TEST interface outside
  crypto ca trustpool policy
  no crypto isakmp nat-traversal
  crypto ikev1 enable outside
  crypto ikev1 policy 1
   authentication pre-share
   encryption 3des
   hash md5
   group 2
   lifetime 86400
  track 1 rtr 123 reachability
  telnet timeout 5
  ssh stricthostkeycheck
  ssh 10.143.255.0 255.255.255.0 IT
  ssh timeout 10
  ssh key-exchange group dh-group1-sha1
  console timeout 60
  management-access IT
  dhcpd lease 60000
  dhcpd ping_timeout 20
  dhcpd domain tls.ad
  dhcpd auto_config outside
  dhcpd address 10.143.4.10-10.143.4.200 XXX
  dhcpd dns 10.91.0.34 8.8.8.8 interface XXX
  dhcpd option 3 ip 10.143.4.1 interface XXX
  dhcpd enable XXX
  dhcpd address 10.143.12.10-10.143.12.200 XXX
  dhcpd option 3 ip 10.143.12.1 interface XXX
  dhcpd enable XXX
  dhcpd address 10.143.14.10-10.143.14.200 XXX
  dhcpd option 3 ip 10.143.14.1 interface XXX
  dhcpd enable XXX
  dhcpd address 10.143.32.10-10.143.32.100 MNGT
  dhcpd option 3 ip 10.143.32.1 interface MNGT
  dhcpd enable MNGT
  dhcpd address 10.143.33.10-10.143.33.100 XXX
  dhcpd option 3 ip 10.143.32.1 interface XXX
  dhcpd enable XXX
  dhcpd address 10.143.34.10-10.143.34.100 XXX
  dhcpd option 3 ip 10.143.32.1 interface XXX
  dhcpd enable XXX
  dhcpd address 10.143.36.10-10.143.36.100 XXX
  dhcpd option 3 ip 10.143.32.1 interface XXX
  dhcpd enable XXX
  dhcpd address 10.143.255.10-10.143.255.200 XXX
  dhcpd option 3 ip 10.143.255.1 interface XXX
  dhcpd enable IT
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ntp authenticate
  ntp server 10.90.0.34
  ntp server 10.91.0.34
  ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
  group-policy DfltGrpPolicy attributes
   vpn-idle-timeout none
   vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
  username tlsnimda password OW03yrp6/wvkyg6E encrypted
  tunnel-group 194.XXX.XXX.XXX type ipsec-l2l
  tunnel-group 194.XXX.XXX.XXX ipsec-attributes
   ikev1 pre-shared-key *****
  class-map icmp
   match default-inspection-traffic
  policy-map icmppolicy
   class icmp
    inspect icmp
  service-policy icmppolicy interface outside
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:e820e629c3cbaf67478c065440ac8138
  VPN is up but not passing any traffing
    Crypto map tag: TEST, seq num: 1, local addr: 81.xxx.xxx.xxx
        access-list ACL_VPN extended permit ip 10.143.0.0 255.255.0.0 10.112.0.0 255.255.0.0
        local ident (addr/mask/prot/port): (10.143.0.0/255.255.0.0/0/0)
        remote ident (addr/mask/prot/port): (10.112.0.0/255.255.0.0/0/0)
        current_peer: 194.xxx.xxx.xxx
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 10, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #TFC rcvd: 0, #TFC sent: 0
        #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
        #send errors: 0, #recv errors: 10
        local crypto endpt.: 81.xxx.xxx.xxx/0, remote crypto endpt.: 194.xxx.xxx.xx/0
        path mtu 1500, ipsec overhead 58(36), media mtu 1500
        PMTU time remaining (sec): 0, DF policy: copy-df
        ICMP error validation: disabled, TFC packets: disabled
        current outbound spi: CC4FACB7
        current inbound spi : D8C0AC76
      inbound esp sas:
        spi: 0xD8C0AC76 (3636505718)
           transform: esp-3des esp-md5-hmac no compression
           in use settings ={L2L, Tunnel, IKEv1, }
           slot: 0, conn_id: 9367552, crypto-map: TEST
           sa timing: remaining key lifetime (kB/sec): (1824522239/3507)
           IV size: 8 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001
      outbound esp sas:
        spi: 0xCC4FACB7 (3427773623)
           transform: esp-3des esp-md5-hmac no compression
           in use settings ={L2L, Tunnel, IKEv1, }
           slot: 0, conn_id: 9367552, crypto-map: TEST
           sa timing: remaining key lifetime (kB/sec): (1824522239/3507)
           IV size: 8 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001
  VPN is unstable 
  Connection terminated for peer 194.XXX.XXX.XX.  Reason: Peer Terminate  Remote Proxy 10.112.0.0, Local Proxy 10.143.0.0
  I cannot pass any traffic through the vpn when it's UP, or ping the other side.
  ASA VERSION 9.2

  I do not think that'll be any problem. Here at work we also use Cisco ADSL 800 Series with vpn between customers' sites without any issues. The ASA should vpn for sure.

• Phase 2 tunnel is not going up between PIX 525 and Watchguard

  Hi Folks,
  Can you please help me in knowing where is the problem liying, currently I am trying to establish a VPN tunnel between PIX firewall and Watchguard , all the parameters of both devices are the same though Phase two tunnel is not coming up.
  here is the debug :
  crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:500 dpt:500
  OAK_MM exchange
  ISAKMP (0): processing KE payload. message ID = 0
  ISAKMP (0): processing NONCE payload. message ID = 0
  ISAKMP (0:0): Detected NAT-D payload
  ISAKMP (0:0): NAT does not match MINE hash
  hash received: b3 8f bb 0 93 3b 65 e8 35 6f 54 6 c4 6f 59 cc
  my nat hash : dd 70 9 ac 35 58 40 da 3b 5b fc 1b 4c 87 d2 11
  ISAKMP (0:0): Detected NAT-D payload
  ISAKMP (0:0): NAT does not match HIS hash
  hash received: ba 72 c5 e 5b fb 88 f0 1e f7 8a ba c9 c6 c1 cc
  his nat hash : c 4c 89 a5 66 c1 dd 80 76 48 3f a5 b0 f0 56 ed
  ISAKMP (0:0): constructed HIS NAT-D
  ISAKMP (0:0): constructed MINE NAT-D
  return status is IKMP_NO_ERROR
  crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:4500 dpt:4500
  OAK_MM exchange
  ISAKMP (0): processing ID payload. message ID = 0
  ISAKMP (0): processing HASH payload. message ID = 0
  ISAKMP (0): SA has been authenticated
  ISAKMP: Created a peer struct for 212.37.17.43, peer port 37905
  ISAKMP: Locking UDP_ENC struct 0x3cbb634 from crypto_ikmp_udp_enc_ike_init, count 1
  ISAKMP (0): ID payload
  next-payload : 8
  type : 2
  protocol : 17
  port : 0
  length : 23
  ISAKMP (0): Total payload length: 27
  return status is IKMP_NO_ERROR
  ISAKMP (0): sending INITIAL_CONTACT notify
  ISAKMP (0): sending NOTIFY message 24578 protocol 1
  VPN Peer: ISAKMP: Added new peer: ip:212.37.17.43/4500 Total VPN Peers:16
  VPN Peer: ISAKMP: Peer ip:212.37.17.43/4500 Ref cnt incremented to:1 Total VPN Peers:16
  crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:4500 dpt:4500
  ISAKMP (0): processing NOTIFY payload 24578 protocol 1
  spi 0, message ID = 3168983470
  ISAKMP (0): processing notify INITIAL_CONTACT
  return status is IKMP_NO_ERR_NO_TRANS
  crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:4500 dpt:4500
  OAK_QM exchange
  oakley_process_quick_mode:
  OAK_QM_IDLE
  ISAKMP (0): processing SA payload. message ID = 484086886
  ISAKMP : Checking IPSec proposal 1
  ISAKMP: transform 1, ESP_3DES
  ISAKMP: attributes in transform:
  ISAKMP: SA life type in seconds
  ISAKMP: SA life duration (basic) of 28800
  ISAKMP: SA life type in kilobytes
  ISAKMP: SA life duration (basic) of 32000
  ISAKMP: encaps is 61433
  ISAKMP: authenticator is HMAC-MD5
  ISAKMP (0): atts not acceptable. Next payload is 0
  ISAKMP (0): SA not acceptable!
  ISAKMP (0): sending NOTIFY message 14 protocol 0
  return status is IKMP_ERR_NO_RETRANS
  crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:4500 dpt:4500
  ISAKMP: phase 2 packet is a duplicate of a previous packet
  ISAKMP: resending last response
  ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
  crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:4500 dpt:4500
  ISAKMP: phase 2 packet is a duplicate of a previous packet
  ISAKMP: resending last response
  crypto_isakmp_process_block:src:213.210.211.82, dest:212.118.128.233 spt:500 dpt:500
  ISAKMP (0): processing NOTIFY payload 36136 protocol 1
  spi 0, message ID = 287560609
  ISAMKP (0): received DPD_R_U_THERE from peer 213.210.211.82
  ISAKMP (0): sending NOTIFY message 36137 protocol 1
  return status is IKMP_NO_ERR_NO_TRANSdebug
  ISAKMP (0): retransmitting phase 1 (0)...
  Thanks,
  Ismail

  Hi Kanishka,
  The Phase 2 Parameters are the same also PFS is disabled !
  There are some curious things in the debug msg, could you please throw some light on them
  ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
  ISAKMP: encryption 3DES-CBC
  ISAKMP: hash MD5
  ISAKMP: auth pre-share
  ISAKMP: life type in seconds
  ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
  ISAKMP: default group 1
  ISAKMP (0): atts are acceptable. Next payload is 0
  ISAKMP (0): processing vendor id payload
  ISAKMP (0:0): vendor ID is NAT-T
  ISAKMP (0): processing vendor id payload
  what does the vendor ID is NAT-T above mean ? Is it say that both sides are using Nat traversal.
  Also in ecryption its says encryption 3DES-CBC
  i am not sure if this CBC is the culprit. Because thats what watchgaurd uses only it does not have an option for only 3DES.
  strange enought that Phase 1 is getting up, I am also questioning myself about the following message appearing in Phase 1:
  ISAKMP (0:0): Detected NAT-D payload
  ISAKMP (0:0): NAT does not match MINE hash
  hash received: b3 8f bb 0 93 3b 65 e8 35 6f 54 6 c4 6f 59 cc
  my nat hash : dd 70 9 ac 35 58 40 da 3b 5b fc 1b 4c 87 d2 11
  ISAKMP (0:0): Detected NAT-D payload
  ISAKMP (0:0): NAT does not match HIS hash
  hash received: ba 72 c5 e 5b fb 88 f0 1e f7 8a ba c9 c6 c1 cc
  his nat hash : c 4c 89 a5 66 c1 dd 80 76 48 3f a5 b0 f0 56 ed
  ISAKMP (0:0): constructed HIS NAT-D
  ISAKMP (0:0): constructed MINE NAT-D
  return status is IKMP_NO_ERROR
  how come Phase 1 is coming up though the PIX is claiming that his HASH is not the same as HIS HASH :(
  the log messages on WATCH GUARD states that there is no proposal chosen!
  why both firewalls are not friends?
  I appreciate any input