Cisco Firewall :: ASA 5540 - IPSec Tunnel / ASA Refuses To Encrypt Traffic But Decrypts It

May 31, 2012

This has to be the most weirdest issue I have seen since the past year on my ASA. I have an ASA 5540 running the 8.4(2) code without any issues until I stumbled upon this problem last week and I have spent sleepless nights with no resolution! So, take a deep breath and here is a brief description of my setup and the problem:
 
A Simple IPSEC tunnel between my ASA 5540 8.4(2) and a Juniper SSG 140 screen OS 6.3.0r9.0(route based VPN)
 
The tunnel comes up without any issues but the ASA refuses to encrypt the traffic but decrypts it with GLORY! below are some debug outputs, show outputs and a packet tracer output which also has an explanation of my WEIRD NAT issue:  

My setup - ( I wont get into the tunnel encryption details as my tunnel negotiations are **** perfect and comes up right off the bat when the ASA is configured as answer only)
 
CISCO ASA - IPSec networking details
LOCAL NETWORK - 10.2.4.0/28
REMOTE NETWORK - 192.168.171.8/32
JUNIPER SSG 140 - IPSec networking details
PROXY ID: LOCAL NETWORK - 192.168.171.8/32
REMOTE NETWORK - 10.2.4.0/28 
HOST NAME# sh cry ipsec sa peer <JUNIPER SSG PEER>
peer address: <JUNIPER SSG PEER>
[code]... 

As you can see, there is no echo reply packet at all as the packet is not being encapsulated while it is being sent back. I have been going mad with this. Also, this is a live production multi tenant firewall with no issues at all apart from this ****** ip sec tunnel to a juniper!!

Also, the 192.168.10.0/24 is another IP Sec tunnel remote network to this 10.2.4.0/28 network and this IP SEC tunnel has a similar Juniper SSG 140 screen os 6.3.0r9.0 at the remote end and this woks like a charm without any issues, but the 171 is not being encrypted by the ASA at all.

View 2 Replies


ADVERTISEMENT

Cisco Firewall :: 5540 - Multicast Over Lan To Lan Ipsec Tunnel

May 3, 2011

I need to configure multicast between 2 Csico 5540's lan to lan ipsec tunnel for a Voip application.

View 2 Replies View Related

Cisco VPN :: TFTP From ASA Via Site To Site IPSEC Tunnel 5540

Nov 1, 2011

I am having issues getting my ASA 5540 at site A, to pass TFTP and SYSLOG from itself across the IPSEC tunnel to our SYSMON servers (Syslog and TFTP) that live at site B. I have followed the suggestions of other threads and I am still not getting anywhere. Here is a quick topology diagram.

View 6 Replies View Related

Cisco VPN :: ASA Or 871 IPSec L2L To SSG-140 - Tunnel Is Up But No Traffic

Aug 8, 2012

i am curently troubleshooting a ipsec l2l VPN between
 
1. ASA 7.2(4) to SSG-140
2. Cisco 871W to SSG-140
 
In both scenario's the tunnel is nicely established, and traffic goes into the tunnel, but nothing comes out. All encap's, but no decap's                    
 
It seems like a routing issue, but we can not find anything on both sites.
 
So maybe i m running into a (known) issue between cisco VPN equipment and the SSG-140?
 
Could it be a proxy-id issue? Cause they configure stuff like 10.1.1.0/24 and i configure 10.1.1.0 0.0.0.255

View 7 Replies View Related

Cisco VPN :: 881 / Route Traffic Thru IPSec Tunnel To DMZ

Jun 29, 2011

I need to route traffic to DMZ (and internal) from the branch office thru the IPSec tunnel. How do I manage that with my Cisco 881?

View 1 Replies View Related

Cisco VPN :: ASA 5505 - IPSec VPN L2L Tunnel Up But No Traffic

Mar 19, 2011

I have a Site to Site IPSEC VPN Tunnel created with ASDM wizard.
 
Cisco ASA-5505
Peer A: x.x.x.x
Lan A:     192.168.0.0    255.255.255.0
 Fortinet FortiGate-50b
Peer B: y.y.y.y
Lan B:     192.168.23.0  255.255.255.0
 
I start traffic from LAN B with a ping (or telnet it doesn't matter) that receive no reply but tunnel goes up fine.
 
"show isakmp sa" seems ok (says "State   : MM_ACTIVE")
"show ipsec sa" seems ok but all #pkts are zero
 
try ftp, telnet from LAN B to LAN A systems but no one work. "show ipsec sa" all #pkts are zero As soon as I generate traffic from LAN A to LAN B these works (with tunnel already up) also traffic from LAN B to LAN A works.Obviously if I end VPN and start tunnel making traffic from LAN A all work fine bidirectionally, LAN A reach LAN B and LAN B reach LAN A.No msg logged in either two appliance.
 
Seems a very strange problem because seems not related to Phase1 or Phase2 already established.Traffic (routing ?) start works only after at least one packet goes from LAN A to LAN B.No msg logged in either two appliance.Problems begun in ASA version 8.0(4) ASDM version 6.1(3) and remain/continue after upgrade to ASA Version 8.4(1) ASDM version 6.4(1).

View 1 Replies View Related

Cisco VPN :: 881 / Route All Traffic Over IPsec Tunnel?

Jan 30, 2012

We have 7 remote offices and 10 tower locations that utilize IPsec tunnels back to our HQ. We now want to force all traffic including web surfing through the tunnels. What would be the easiest way to acomplish this? I have tried utilizing the crypto map policy to do this, but was unable to acomplish this.
 
Each of our office locationss utilize a Cisco 2811 router and the tower locations utilize a Cisco 881.

View 21 Replies View Related

Cisco VPN :: 1841 - IPsec Tunnel Two Way Traffic

Oct 23, 2012

We are currently experiencing a problem on an IP SEC VPN tunnel that has all of us here completely stumped. We are hoping that one of you experts out there will be able to assist. Here are some basic details:
 
NETWORKS
An IPSEC site to site tunnel has been built between the two sites on different networks.
PIX 515E - MAIN SITE
Network 172.16.0.0/24
CISCO 1841 - REMOTE SITE
Network 172.16.99.0/24
 
ISSUE
All traffic flows over the VPN from the 172.16.99.0 network in the direction of the Pix, such as RDP, SIP etc. Pings will go in both directions across the tunnel. Other than the pings most traffic will NOT flow over the tunnel from the 172.16.0.0 network on the pix to the 172.16.99.0 network on the 1841. It would appear that something on the 1841 is blocking traffic coming in over the tunnel from the 172.16.0.0 network as we can not get a wire shark capture on a PC on the 172.16.99.0 network, other than the ICMP traces. Usually this is an access list problem but we have checked and double checked the configuration and can't see anything.
 
TROUBLESHOOTING SO FAR
 
1. Have tried inserting various access list changes to the tunnel on the 1841 to make specific reference to the 172.16.0.0 network. 
2. Have tried various NAT entries. 
3. Have removed and then recreated the VPN tunnel from a fresh start. 
4. Have made the MTU 1400 on the inside interfaces on the Pix and the 1841.
 
The tunnel is fully up at all times and as we say can ping in both directions.

View 7 Replies View Related

Cisco VPN :: ASA 5505 - Forward All Traffic Over Ipsec Tunnel?

Jul 18, 2011

I currently have two Cisco ASA 5505.  They are at different  physical sites (SITE A, SITE B) and are configured with a site-to-site VPN which is  active and working.
 
I can communicate with the subnets on either site from the other and both are connected to the internet, however I need to ensure that all the traffic at my site B goes through this VPN to my site A.
 
I changed this access-list : access-list outside_2_cryptomap extended permit ip network_siteB network_siteA to access-list outside_2_cryptomap extended permit ip network_siteB any
 
But this does not work. If I do [URL], site B IP address  is not same that site A.

View 7 Replies View Related

Cisco VPN :: 5505 LAN-to-LAN IPsec VPN Tunnel Traffic Not Being Routed

Feb 24, 2011

I am trying to set up a LAN-to-LAN VPN tunnel between two sites.  One site has a 5505, and the other site has a 5510.  It looks like the tunnel is being established fine (both ISAKMP and IPSEC SAs look OK), but traffic doesn't appear to be routing across the internet between the devices. [code]

View 15 Replies View Related

Cisco Switching/Routing :: 1941 / IPSec Tunnel Up No Traffic?

Mar 7, 2013

I have an IPSec tunnel configured on my Cisco 1941. The other device is an ZyXEL router.I can see the tunnel is up but there is no traffic.This comes out the show crypto ipsec sa

interface: Dialer1
Crypto map tag: CMAP_AVW, local addr 10.10.10.89
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.150.0/255.255.255.0/0/0)
   current_peer 20.20.20.161 port 500

[code]....

View 3 Replies View Related

Cisco VPN :: Traffic Is Not Passing On Plain IPSec Tunnel Between Two 892s

Dec 14, 2011

I've replaced real networkID to the one mentined below.
 
Topology: classical IPSec VPN tunnel between two Cisco 892s, with pre-shared key and no GRE. One 892 (branch_892) has access to the Internet via PPPoE and has three networks/vlans behind it. One VLAN is NATed to access internet via the PPPoE. Access to two other VLANs - VL92 (100.100.200.0/24) and VL93 (100.100.100.0/24) need is done thrue the VPN tunnel.
 
Second 892 (892_DC) has just one interface - WAN on Gigabit enabled/connected and has a static route to the default GW. It does not have any interal network defined. So the router is strictly used to send traffic for VL92/VL93 to the branch 892 via IPSec tunnel.
 
Here is the problem: access to/from VL93 (100.100.100.0/24) works, however for VL92 (100.100.100.0/24) - does not.
 
From devices in VL92 I can ping the 892_DC IP address across the VPN tunnel. From the 892_DC router I can also ping devices in VL92. However I can no ping from VL92 any device beyond the 892_DC and at the same time packet arriving on 892_DC for VL92 are not sent out via the VPN tunnel.
 
I took the packet trace on 892_DC using capture point/buffer to capute packets for VL92 and could see that traffic does arrive at the 892_DC. I run the same capute on Branch_892 and there was not a single packet.More interesting I modified the access list such a way that left on VL92 and still - no packets are sent out thru the tunnel. [code]

View 5 Replies View Related

Cisco VPN :: ASA5500 / TCP State Bypass For Traffic - Coming From IPsec Tunnel?

Feb 6, 2012

We have problems on central firewall with restricting traffic coming from remote office from IPsec. (The network sheme is attached) All branch offices are connected to central asa though IPsec. The main aim is to rule access from branch offices only on the central firewall, NOT on each IPsec tunnel According to the sheme:172.16.1.0/24 is on of the branch office LANs10.1.1.0/24 and 10.2.2.0/24 are central office LANThe crypto ACL looks like  permit ip 172.16.1.0/24 10.0.0.0/8 the aim is to restrict access from 172.16.1.0/24 to 10.1.1.0/24 When packets are generated from host 10.1.1.10 to 172.16.1.0/24 all is ok -  they are dropped by acl2 When packets are generated from 172.16.1.0/24 to 10.1.1.10 they are not dropped by any ACL - the reason is stateful firewall - traffic bypasses all access lists on a back path I thought that TCP State Bypass feature can solve this problem and disable stateful firewall inspection for traffic coming from 172.16.1.0/24 to 10.1.1.0/24, but it didn't work.The central asa 5500 is configured according to cisco doc [URL] 
 
access-list tcp_bypass_acl extended permit tcp 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
!
class-map tcp_bypass_map
description "TCP traffic that bypasses stateful firewall"
match access-list tcp_bypass_acl

[code].....

View 4 Replies View Related

Cisco Routers :: RVL200 IPSEC Channel All Or Some Data Traffic Through Tunnel

Jan 2, 2013

Is it at all possible to channel all/some data traffic through an established ipsec tunneled connection using the RVL200? I have successfully established an ipsec connection through RVL200 and RV042 routers and are able to connect to servers/computers behind it.Now I want to channel all or some traffic through the ipsec-tunnel for computers that reside on 192.168.1.0 subnet of RVL200 network.
 
Main office - RV042 router - 10.200.62.1
Remote office - RVL200 router - 192.168.1.1
 
I am trying to use the Advanced Routing option to add static routes but I am not 100% sure if I am configuring the routes correctly.To give an example of routing DNS requests for HOTMAIL.COM [65.55.72.183]: [code]For some reason this does not appear to work. I have also tried using the interface setting of WAN and tested - this also does not work.

View 10 Replies View Related

Cisco Firewall :: ASA 5540 - 3000 Simultaneous IPsec Connections

May 15, 2013

We are planning to use an ASA 5540 to terminate about 3000 IPSec connections. The maximum supported IPsec VPN Peers for this platform ist 5000, so this should be ok in theory.
 
What is a bit unclear to me is what exactly happens when (for whatever reason) all 3000 clients try to connect at once ? Perhaps it's not at once but depending on timers this could mean 3000 incoming IPsec connection within 10-20 seconds.
 
Will the the ASA cope with it ? I can't find any info regarding this on CCO. It's also not that easy to test/simulate.

View 2 Replies View Related

Cisco VPN :: 2691 - Packets Not Getting Encrypt And Decrypt IPSEC

Dec 14, 2012

I have 2691 Router conencted to Internet and it is doing Nat.
 
This connects to 3550A  Switch which has connection to 1811W  Router.
 
I setup VPN between 1811W and 3550A.
3550A has connection to 2691 via ospf. 
OSPF is running between 1811w and 3550A.  
1811
1811w# sh crypto isakmp sa
IPv4 Crypto ISAKMP SA

[Code]....

View 7 Replies View Related

Cisco Routers :: Rv220W / Assign Vpn Traffic To A Vlan When Setup An Ipsec Tunnel?

Apr 7, 2012

i'm using an rv220W and i whant to know if is it possible to assign vpn traffic to a vlan when i setup an ipsec tunnel?
 
example:
Im using different vlans on my rv220W.
Vlan 10: engineers (ex: 192.168.1.0/27) no intervlan routing
Vlan20: sales (ex: 10.0.123.0/24) no intervlan routing
 
 This is what i need:  - An engineer is on the road and when he makes a ipsec vpn connection => assignd to the vlan "engineers" so he can access the server/pc's in that vlan.and when someone from the sales group starts a vpn connection he needs to be in the vlan "sales" so he can access his pc/data,...

View 15 Replies View Related

Cisco VPN :: ASR901 Support IPsec - Cannot Encrypt ICMP Packet Back

Apr 25, 2013

I'm trying to setup a GDOI based IPsec connection between a cisco AS901 (advanced Metro lic - asr901-universalk9-mz.152-2.SNI ) and a 7606-S.What I see is that the ASR901 is capable of decrypting the IPsec packet but I cannot encrypt the ICMP packet back, so the question is if the AS901 can support IPsec in software. What I could not find in the docs on CCO. [code]

View 1 Replies View Related

Cisco Switching/Routing :: 1811W - Packets Not Getting Encrypt And Decrypt IPSEC

Dec 14, 2012

I have 2691 Router conencted to Internet and it is doing Nat. This connects to 3550A  Switch which has connection to 1811W  Router.
 
I setup VPN between 1811W and 3550A. 3550A has connection to 2691 via ospf.
 
OSPF is running between 1811w and 3550A.
  
1811 
1811w# sh crypto isakmp sa
IPv4 Crypto ISAKMP SA

[Code].....

View 5 Replies View Related

Cisco Firewall :: ASA 5540 Blocking Legit Traffic From Inside

Aug 21, 2011

I just made a move from a PIX 506 to an ASA 5540.  I have a user that currently logs into a web portal and runs a job.  It is now erroring out.  When I run the test it gives me the following message:
 
Testing ports...
Port 1433: Failed
Port 1150: Success
Port 80: Success
Port 443: Success
 
One or more tests have failed
 
The computer we access this site from is on the inside network and the ACL says permit ip any any from the inside out so I am not sure why it is failing.  Under the ASA Home screen I see the Top 10 Protected Servers under SYN Attack and it appears that the ASA thinks this is some sort of attack. 

View 1 Replies View Related

Cisco Firewall :: IPSec Tunnel On Sub-interface On ASA 5510?

Jun 11, 2012

I working on a security solution using ASA firewall. Is it possible to setup a IPSec tunnels  on each subinterface of a physical interface on ASA 5510?

View 3 Replies View Related

Cisco Firewall :: ASA 5520 - IPSec Tunnel Without Private Network

Apr 11, 2013

I'm trying to achieve a site-to-site ipsec tunnel to a Cisco ASA 5520.  Most examples feature the ASA with a public interface that terminates the tuennel and a private network on another interface that the tunnel interacts with.  Where my scenario differs is that the interface that accepts the tunnel is part of a public /29 network where I want the remaining hosts on that subnet to be able to route thrugh to the other end of the tunnel.  My tunnel gets established, but any attempts to route via the IP assigned to that one interface result in the ASA rejecting traffic. If so, what configuration options should I consider?

View 5 Replies View Related

Cisco Firewall :: Can Configure Two IPsec Tunnel In ASA5525X / When Destination Is Same

Sep 7, 2012

Can I configure two IPsec tunnel in a ASA5525X, when the destination is same.

View 1 Replies View Related

Cisco Firewall :: Command To Check IPSEC Tunnel On ASA 5520?

Jan 7, 2013

Need to check how many tunnels IPSEC are running over ASA 5520.Tried commands which we use on Routers no luck?

View 6 Replies View Related

Cisco Firewall :: PIX515 / 2821 / 2921 / Getting GRE IPsec Tunnel Setup?

Apr 18, 2013

We are setting up an old office building as an offsite data center. The network cosists on a PIX 501 firewall and a 2811 router.  I am attempting to setup a GRE tunnel over IPsec back to the main office.  The main office consists of a PIX515, a 2821 router, and a 2921 router.  
 
There is also an ASA5510 in our main office that is used as our primary connection for all of our external services and as a GRE endpoint for our other offices.  The PIX515 is used to connect our main office clients to the internet and we would like traffic between it and our offsite data center to go across it as well.   The default route is to use the ASA.   We used policy based routing on the 2821 and 2921 routers to direct the appropriate traffic to the PIX515.  Right now I am not able to get the tunnel setup.  It appears that the offsite datacenter is sending packets but is not receiving any when I issue the “show crypto ipsec sa” commands on both firewalls.  I will show the output of that command below. 
 
Main Office The external address     198.40.227.50. The loopback address   10.254.10.6 The tunnel address        10.2.60.1
 Offsite Datacenter The external address     198.40.254.178 The loopback address   10.254.60.6 The tunnel address        10.2.60.2
 
The main office PIX515 Config :

PIX Version 7.2(2)
!
interface Ethernet0
mac-address 5475.d0ba.5012
nameif outside
security-level 0
ip address 198.40.227.50 255.255.255.240

[code]....

View 2 Replies View Related

Cisco Firewall :: ASA 5520 VPN Tunnel Up But Not Traffic

Nov 1, 2012

We just migrated from a single 5510 to a dual (failover)  5520, It seems that everything is working except the remote VPN. We can establish a tunnel and authenticate as local users, (going to LDAP when all is working) but no traffic is passing. I know I am overlooking something but cant see it. [code]

View 12 Replies View Related

Cisco Firewall :: ASA 5520 8.3 VPN Tunnel Drops Traffic

Aug 23, 2011

We have a 100 Mbps WAN circuit, we have configured an IPsec tunnel between ASA 5520 and Cisco 3845 Router for our DR site replication via Veeam Backup and Replication, it was working fine before, when we established the 3DES tunnel the traffic for certain subnets is dropped after an hour and it stops the replication, although tunnel remains up and we can access the other subnets, as soon as we clear the crypto SA and ISAKMP sessions on the firewall the traffic starts flowing again and then after an hour the traffic is dropped again.So far the testing and differnet configurations we tried are as under.
 
Tried with a different MTU size both on firewall and ESXi servers but nothing happened.Their is no QOS configuration.Checked the utilization on both ends its Noram although their are subsequent 100% spikes on Cisco 3845 but on average it remians at 30-40%.

View 6 Replies View Related

Cisco VPN :: 5520 - How Much Traffic Pass Through Into IPSec In ASA Firewall

Mar 20, 2013

How can I see the quantity of traffic that is passing through into an IPSec VPN in a ASA 5520.

View 3 Replies View Related

Cisco WAN :: 1941 Router - Enable IPSec Virtual Tunnel Interface With Tunnel Mode IPv4

Sep 23, 2012

I'm in process of purchasing a new Cisco routers for our branches that will be used primary to enable IPSec virtual tunnel interfce with "tunnel mode ipsec ipv4". does the default IOS IP Base supports this feature? or i need to purchase DATA license or SECURITY license?

View 4 Replies View Related

Cisco Routers :: Set A VPN IpSec Tunnel GW To GW Tunnel Between RV110W

Oct 17, 2012

I am using a Cisco RV110W (Firmware 1.2.09) in a branch and I would like to create a VPN Tunnel to another site that has a Cisco RV042 (firmware v4.2.1.02)
 
What would be the correct Configuration? the current configuration I am using is
 
in the RV042 i am using
 
Check Enable 
Local Group Setup
Local Security Gateway Type : IP Only
IP Address : RV042 Pulbic IP address

[Code].....

View 3 Replies View Related

Cisco WAN :: 7201 Option To Send All Traffic Through GRE Tunnel / L2TPV3 Tunnel

Jan 9, 2011

i have a 7201 router with NPE-G2. i have a design which i have the option to send all the traffic through a GRE tunnel or a L2TPV3 tunnel.which method is more CPU consumption ?

View 1 Replies View Related

Cisco VPN :: 5540 Stop Split Tunnel For Only One User

Apr 18, 2013

 i have cisco asa 5540, users access vpn through anyconnect, i have applied split tunnel so that all users accessing internal network (10.0.0.0) grows through tunnel and other traffic through internet.. working fine.i want to fully tunnel one user so that all his traffic goes through the tunnel, what is the best way to do it, "is there any guide (step by step)"

View 3 Replies View Related

Cisco VPN :: Set Up Remote Access IPsec VPN On Pair Of ASA 5540

Feb 6, 2011

I'm trying to set up remote access IPsec VPN on a pair of ASA 5540 without much success. I can connect with a client on the outside, and when I try to ping something on the inside I can see the ping requests reach the target but the answers don't come back to the VPN client. I've tried with different NAT rules without success.

View 3 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved