Cisco VPN :: ASA 5505 - L2L Tunnel Up / No Traffic Passes
Feb 4, 2013
Two 5505 ASAs for a customer main site and a local office. I have the tunnel up, but I'm unable to pass traffic across it.
 
Main Site:
 
ASA Version 7.2(4) 
!
hostname Town
enable password iNbSyJZ1ffmb9kn1 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
[code]....
	
View 7 Replies

Aug 4, 2011
I have created an L2L tunnel between myself and a 3rd party. I am using a Cisco ASA 5520 and the other end is using a Cisco 3005 VPN concentrator. The tunnel will get established and pass traffic both ways for a little while (it varies: sometimes 1 hour, and the last time we built it, it was working for 17 hours), but at some point my ASA will stop transmitting although it will still be receiving packets. These errors start to show up when I look at the traffic going through my ASA interfaces:
713042       IKE Initiator unable to find policy: Intf Outside, Src: 192.168.xx.16, Dst: 10.1.xx.30
 
Then when I try to ping their hosts .30 and .27 I get:
 
713041          Group = 68.23.xx.xx, IP = 68.23.xx.xx, IKE Initiator: New Phase 2, Intf private, IKE Peer 68.23.xx.xx  local Proxy Address 192.168.xx.16, remote Proxy Address 10.1.xx.30,  Crypto map (Outside_map)
 713041          Group = 68.23.xx.xx, IP = 68.23.xx.xx, IKE Initiator: New Phase 2, Intf private, IKE Peer 68.23.xx.xx  local Proxy Address 192.168.xx.16, remote Proxy Address 10.1.xx.27,  Crypto map (Outside_map)
 713050          Group = 68.23.xx.xx, IP = 68.23.xx.xx, Connection terminated for peer 68.23.xx.xx.  Reason: Peer Terminate  Remote Proxy 10.1.xx.27, Local Proxy 192.168.xx.16
 
When I first configured this tunnel it was with 3DES and SHA for phase 1 & 2, but when the tunnel would come up my phase 1 would negotiate to an MD5 hash, even though I specifically entered SHA, so the 3rd party and I decided to bring all the hashes for phase 1 & 2 down to MD5. That was when it was up for the longest, but the problem still came back eventually. My ASA config is posted below:
 
ASA Version 8.2(3) 
name 192.168.xx.16 Server description  Server
name 10.1.xx.27 XYZ_01
name 10.1.xx.28 XYZ_02
name 10.1.xx.29 XYZ_03
[code].....
View 1 Replies

Oct 28, 2011
I have recently purchased an E4200. I have flashed it with the latest firmware 1.0.03 and hard reset the router, so the media issue I was having was resolved. After upgrading the firmware to the latest version my Nortel VPN IPsec client no longer works. The tunnel is connected and it passes traffic for about 15 seconds, then nothing. The connection remains connected but no traffic passes; I can't ping across the tunnel. I have checked all the settings and VPN - IPSEC - Passthru is enabled. I have put the client in DMZ mode and tried that: same thing.
View 7 Replies

Dec 5, 2010
I've an ASA 5510 on the main site and different ASA 5505s on secondary sites for VPN tunneling between the sites. The problem is that the tunnels are established but no traffic is going over them. What am I doing wrong? For the moment there is an ASA 5505 on the main site managing the tunnels, but I want the 5510 to take over the job.
View 5 Replies

Mar 19, 2011
I have a site-to-site IPsec VPN tunnel created with the ASDM wizard.
 
Cisco ASA-5505
Peer A: x.x.x.x
LAN A: 192.168.0.0 255.255.255.0
Fortinet FortiGate-50b
Peer B: y.y.y.y
LAN B: 192.168.23.0 255.255.255.0
 
I start traffic from LAN B with a ping (or telnet, it doesn't matter) that receives no reply, but the tunnel comes up fine.
 
"show isakmp sa" seems ok (says "State   : MM_ACTIVE")
"show ipsec sa" seems ok but all #pkts are zero
 
I try ftp and telnet from LAN B to LAN A systems but none work; "show ipsec sa" shows all #pkts are zero. As soon as I generate traffic from LAN A to LAN B these work (with the tunnel already up), and traffic from LAN B to LAN A works too. Obviously, if I end the VPN and bring the tunnel up by generating traffic from LAN A, everything works fine bidirectionally: LAN A reaches LAN B and LAN B reaches LAN A. No messages are logged on either appliance.
 
It seems a very strange problem because it does not appear related to Phase 1 or Phase 2, which are already established. Traffic (routing?) only starts working after at least one packet goes from LAN A to LAN B. No messages are logged on either appliance. The problem began with ASA version 8.0(4) / ASDM version 6.1(3) and continues after upgrading to ASA version 8.4(1) / ASDM version 6.4(1).
View 1 Replies

Mar 17, 2011
We have a VPN set up and here's the configuration on the Cisco ASA 5505: [code] The problem is that I'm able to ping the other side of the tunnel, i.e. 192.168.23.14, from the DMZ IP 172.16.1.2, but I'm unable to ping from the hosts behind the ASA. Also, the other side is able to ping the 172.16.1.2 IP but no IPs behind the ASA.
View 9 Replies

Jul 18, 2011
I currently have two Cisco ASA 5505s. They are at different physical sites (SITE A, SITE B) and are configured with a site-to-site VPN which is active and working.
 
I can communicate with the subnets on either site from the other and both are connected to the internet, however I need to ensure that all the traffic at my site B goes through this VPN to my site A.
 
I changed this access-list :  access-list outside_2_cryptomap extended permit ip network_siteB network_siteA to access-list outside_2_cryptomap extended permit ip network_siteB any
 
But this does not work. If I do [URL], the site B IP address is not the same as site A's.
View 7 Replies

Feb 24, 2011
I am trying to set up a LAN-to-LAN VPN tunnel between two sites. One site has a 5505, and the other site has a 5510. It looks like the tunnel is being established fine (both the ISAKMP and IPsec SAs look OK), but traffic doesn't appear to be routing across the internet between the devices. [code]
View 15 Replies

Apr 3, 2013
I do have a 5505 up and running and passing data... url... Now I am trying to get an IPsec VPN tunnel working. I actually have it up (IKE phase 1 & 2 both passed), but it is not sending/receiving data through the tunnel.
 
The networks concerned:
name 10.0.0.0 Eventual (HQ Site behind Firewall)
name 1.1.1.0 CFS (Public Network Gateway for Palo Alto Firewall - Firewall IP: 1.1.1.1)
name 2.2.2.0 T1 (Remote site - Outside interface of 5505: 2.2.2.2)
name 10.209.0.0 Local (Remote Network - internal interface of 5505: 10.209.0.3)

On a ping to the HQ network from behind the ASA, I get: port map translation creation failed for icmp src inside:10.209.0.9 dst inside:10.0.0.33 (type 8, code 0)
 
I suspect that there is a NAT error and/or a missing static route for the rest of the 10.0.0.0 traffic, and that I may have to exempt/route the traffic for the HQ network (10.0.0.0), but I haven't been able to get the correct entries to make it work. [code]
View 22 Replies

Jan 9, 2011
I have a 7201 router with an NPE-G2. I have a design in which I have the option to send all the traffic through a GRE tunnel or an L2TPv3 tunnel. Which method consumes more CPU?
View 1 Replies

Jul 24, 2012
Environment: Linksys WRT300N v1.1, which can run DD-WRT mega. I want to tunnel all of the LAN's outbound traffic through an SSH tunnel.
View 2 Replies

Jan 4, 2012
I have two WLCs (5508 - v7.0.220 and 2106 - v7.0.116) that were NMSP connected to an MSE (v7.0.201.204) according to WCS (7.0.172.0). The MSE reloaded (actually a reload command from WCS hung the MSE and it had to be hard rebooted) and I ran into an NTP issue with the MSE running the GMT timezone and the WLCs running GMT-8. This was highlighted by the NMSP status testing tool. As a quick solution I changed both WLCs to GMT. The tool now tests all green, but the NMSP status remains Inactive for both WLCs and I have no client or tag information flowing into WCS.
View 3 Replies

Nov 15, 2011
Currently I have users that connect with the Cisco VPN client to our PIX 515E. Our corporate network is also directly connected to our partner's network, sharing common address space. I want to be able to allow our VPN users to connect to certain resources on their network. Since they already have routing for our address space, can I allow the VPN to NAT only traffic to certain destination addresses with a local IP address on our network? That way the partner's network does not have to change any routing, since they would see the source address as a local IP on our network.
View 1 Replies

Nov 6, 2012
I am trying to make a GRE tunnel with two Cisco 2901 routers. Pings between the tunnel endpoint IPs succeed, but I don't get pings from the PCs inside the networks. [code]
View 7 Replies

Jan 23, 2012
I have two routers, a 2821 and a 2811. They are connected via GRE over IPsec, and all of the traffic from the 2821 is being routed to the 2811 with a default route to its tunnel interface. The 2821 needs to access the internet through the 2811's valid IP address. My question is: how should I NAT the traffic on the 2811 so that the 2821 can access the internet?
View 1 Replies

Nov 5, 2012
I am trying to make a GRE tunnel with two Cisco 2901 routers. Pings between the tunnel endpoint IPs succeed, but I don't get pings from the PCs inside the networks.
 
[code]....
View 5 Replies

Aug 8, 2012
I am currently troubleshooting an IPsec L2L VPN between
 
1. ASA 7.2(4) to SSG-140
2. Cisco 871W to SSG-140
 
In both scenarios the tunnel is nicely established, and traffic goes into the tunnel, but nothing comes out. All encaps, but no decaps.

It seems like a routing issue, but we cannot find anything on either site.

So maybe I'm running into a (known) issue between Cisco VPN equipment and the SSG-140?

Could it be a proxy-ID issue? Because they configure stuff like 10.1.1.0/24 and I configure 10.1.1.0 0.0.0.255
View 7 Replies

Mar 13, 2012
Is it possible to tunnel all TCP traffic to UDP under port 137?
View 1 Replies

Nov 1, 2012
We just migrated from a single 5510 to a dual (failover) 5520. It seems that everything is working except the remote VPN. We can establish a tunnel and authenticate as local users (going to LDAP when all is working) but no traffic is passing. I know I am overlooking something but can't see it. [code]
View 12 Replies

Nov 27, 2011
I have set up an IPsec tunnel between a Cisco ASA 5505 and a Fortigate 80c. The tunnel comes up as I execute pings from inside behind the ASA to inside behind the FG; however, I cannot get connectivity to hosts behind the Fortigate (traffic is allowed through the policies configured on the FG). What I noticed in packet tracer is that traffic is dropped at the 'Vpn lookup' step. To troubleshoot I have configured a test ('fake') VPN connection through the VPN wizard and get the same result in packet tracer. I run 8.4 software on the ASA and this is part of the relevant config.
View 1 Replies

Nov 17, 2011
I have set up a tunnel between a Cisco PIX 6.3 and a Cisco 7200 router. "show isakmp sa" shows the following detail on the PIX:
 
Total     : 1
Embryonic : 0
dst               src        state     pending     created
xx6.x71.x29.x68   x2.1x7.52.1x1    QM_IDLE         0           0
  
Is the tunnel up? Traffic is not going through the tunnel. Why?
View 1 Replies

Jun 6, 2011
I have two RV042 VPN routers and I successfully connected the IPsec tunnel. I cannot route traffic in the tunnel. See the diagram.
  
MAIN Network 
10.252.x.x 
--------------> 
FIREWALL                        
a.a.a.1                                                    
INTERNET
RV042a     WANa       <<------------------------------->>    WANb    RV042b
 a.a.a.2                                                                            b.b.b.b  
   
In this manner the network of b.b.b.b will connect to the main network 10.252.x.x; unfortunately I can't pass traffic to RV042b going to RV042a. Every time I trace the route, the traffic goes out to the internet, not to RV042a.
View 1 Replies

Jun 29, 2011
I need to route traffic to the DMZ (and internal network) from the branch office through the IPsec tunnel. How do I manage that with my Cisco 881?
View 1 Replies

Jun 15, 2012
I'm stationed overseas and it's really hard to access certain websites and services like Netflix or ESPN. What I had created was a GRE tunnel from my home "A" to my current location "B", routing my traffic from point A to B using two Cisco 1700 routers (and it was working great), but now I can't use GRE anymore. I still have a PIX and an ASA on both sides and I was trying to do the same over a VPN tunnel, but I can't ping the VPN tunnel gateway (basically what was the next hop in GRE) on the other end, which is the main reason I can't route traffic to the remote site. I was wondering if I can still do the same thing over a VPN tunnel that I did with the GRE tunnel.
View 1 Replies

Feb 13, 2012
I'm trying to set up a VPN between an RV042 V3 and an RV082 V2 router. They get connected but no traffic gets through the tunnel. I tried with and without firewall, DPD, keepalive, and forward secrecy, but nothing worked. What should I do? I don't want to throw out the V2 routers. V3 to V3 connects fine.
View 1 Replies

Oct 1, 2011
We've created an IPsec VPN tunnel between our ASA 5510 (8.3) and a PIX firewall (not sure of the specific version, etc.).

The tunnel works fine, except for timing at times (traffic only goes through a few times a day), and a weird problem with all traffic being allowed even though I'm only allowing specific ports (SFTP, SQL Server 1433) from a network at the client site to a specific server in our data center.

I was surprised that I could RDP into the server, as well as telnet to any other port exposed on this server from the client site. Now as I write this I realize that I did not check whether any of our other data center servers can be reached via the tunnel...

Not having set up many VPN tunnels before using ASA (only Checkpoint to Checkpoint before this), I'm wondering whether I need to include another rule in the VPN tunnel crypto map to deny all other traffic from their network to our network, or whether there's a global config I need to add a rule to.

I am moderately conversant with the command line, but because of my lack of Cisco VPN tunnel experience I did use the ASDM site-to-site VPN tunnel wizard to set the tunnel up. Not sure if there were any defaults I would have to override using that method.
View 5 Replies

Jan 30, 2012
We have 7 remote offices and 10 tower locations that utilize IPsec tunnels back to our HQ. We now want to force all traffic, including web surfing, through the tunnels. What would be the easiest way to accomplish this? I have tried utilizing the crypto map policy to do this, but was unable to accomplish it.

Each of our office locations utilizes a Cisco 2811 router and the tower locations utilize a Cisco 881.
View 21 Replies

Sep 6, 2011
We have two offices connected with a LAN-to-LAN IPsec tunnel. My question is about one of the sites.

At the site a Cisco 870-series router is used for connection to the internet and setting up the tunnel. Two subnets exist, 172.22.x.x and 10.30.x.x.
The router itself has an address in the 172.22.x.x range. Traffic from the 10.30.x.x subnet needs to be able to reach:
- A host in our network over at the other office (also 172.22.x.x but a different range). NATting is needed, otherwise it won't traverse the tunnel because the LAN-to-LAN has only 172.22.x.x in its properties.
- The internet. NATting is also needed, otherwise it won't be routable on the internet. The packets need to go out of the router directly, not through the tunnel.
 
How do I accomplish this?
 
Here is a snippet from the config:
 
interface ATM0.1 point-to-point
 ip address <public ip address>
 ip nat outside
 ip virtual-reassembly
 pvc 8/35 
  class-vc Office(code)
View 6 Replies

Oct 23, 2012
We are currently experiencing a problem on an IPsec VPN tunnel that has all of us here completely stumped. We are hoping that one of you experts out there will be able to assist. Here are some basic details:
 
NETWORKS
An IPSEC site to site tunnel has been built between the two sites on different networks.
PIX 515E - MAIN SITE
Network 172.16.0.0/24
CISCO 1841 - REMOTE SITE
Network 172.16.99.0/24
 
ISSUE
All traffic flows over the VPN from the 172.16.99.0 network in the direction of the PIX, such as RDP, SIP etc. Pings will go in both directions across the tunnel. Other than the pings, most traffic will NOT flow over the tunnel from the 172.16.0.0 network on the PIX to the 172.16.99.0 network on the 1841. It would appear that something on the 1841 is blocking traffic coming in over the tunnel from the 172.16.0.0 network, as we cannot get a Wireshark capture on a PC on the 172.16.99.0 network other than the ICMP traces. Usually this is an access list problem, but we have checked and double-checked the configuration and can't see anything.
 
TROUBLESHOOTING SO FAR
 
1. Have tried inserting various access list changes to the tunnel on the 1841 to make specific reference to the 172.16.0.0 network. 
2. Have tried various NAT entries. 
3. Have removed and then recreated the VPN tunnel from a fresh start. 
4. Have made the MTU 1400 on the inside interfaces on the Pix and the 1841.
 
The tunnel is fully up at all times and as we say can ping in both directions.
View 7 Replies

Jun 8, 2011
I got a strange VPN problem: I just added a new VPN tunnel to our ASA 5510 and then the users reported that the traffic through the tunnel is very slow. When I try it myself I get a speed like 50kb/sec to the internal server. If I use our regular tunnel or any other tunnel the speed is just fine. I've added the new tunnel in the same way as the other tunnels, that is through the ASDM VPN wizard.
View 2 Replies

Jan 15, 2012
I have a site-to-site tunnel between two 5520 ASAs. The tunnel is up, but when I try to talk to the other side, the implicit deny on the inside interface of the local ASA blocks the traffic. When I ping, the tunnel comes up, but in the logs it says it is blocking ICMP from inside to outside. I have tried sysopt connection permit-vpn but it is not working. The traffic is from 5 specific machines within the local subnet that I put in a network object group called Celerra_Replication.
I want them to be able to talk to 5 machines on the far end of the tunnel in a separate subnet. They are in a network object group called GP_Celerra_Replication. The ACLs I created for this appear to be created correctly, allowing IP from Celerra_replication to GP_Celerra_Replication and the opposite on the other side.
View 1 Replies

May 20, 2012
I have a number of sites in China. They have decent inter-country connectivity but poor connectivity when going overseas.
We have a single site in China with a dedicated 1:1 leased line that has good connectivity both inside and outside of China.
All the sites in China have ASA 5505 firewalls.
One of our Citrix farms is hosted in the UK, and although the main site with the leased line is fine accessing the farm, the other sites are not. I would like to try and tunnel just the Citrix connectivity via a VPN to the China head office, then use their connection to get out to the farm.
How to tunnel all traffic but not just specific traffic over the VPN.
View 3 Replies

Sep 7, 2011
I have two ASA 5520s and I want to be able to see or monitor the traffic between each tunnel. I am using external addresses, but for the sake of this question I will use the following: 1.1.1.1 to 2.2.2.2. How can I monitor the traffic?
View 3 Replies