Amicuk Programming Answers

Site to Site VPN between ASA 5505 and Juniper SSG140 no traffic

2015-10-11

interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport access vlan 3
interface Ethernet0/2
 switchport trunk allowed vlan 20-21,24,28,212-214,227,232-236,254-256
 switchport mode trunk
interface Ethernet0/3
 switchport trunk allowed vlan 20-21,24,28,212-214,227,232-236,254-256
 switchport mode trunk
interface Ethernet0/4
 switchport trunk allowed vlan 20-21,24,28,212-214,227,232-236,254-256
 switchport mode trunk
interface Ethernet0/5
 switchport trunk allowed vlan 20-21,24,28,212-214,227,232-236,254-256
 switchport mode trunk
interface Ethernet0/6
 switchport trunk allowed vlan 20-21,24,28,212-214,227,232-236,254-256
 switchport mode trunk
interface Ethernet0/7
 switchport access vlan 250
interface Vlan2
 nameif outside
 security-level 0
 ip address 81.XXX.XXX.XXX 255.255.255.252
interface Vlan3
 nameif OUTSIDE_BACK
 security-level 0
 ip address 41.XXX.XXX.XXX 255.255.255.248
interface Vlan20
 nameif XXX
 security-level 80
 ip address 10.143.0.1 255.255.255.0 standby 10.143.0.2
interface Vlan21
 nameif XXX
 security-level 90
 ip address 10.143.1.1 255.255.255.0 standby 10.143.1.2
interface Vlan24
 nameif XXX
 security-level 80
 ip address 10.143.4.1 255.255.255.0 standby 10.143.4.2
interface Vlan28
 nameif XXX
 security-level 80
 ip address 10.143.8.1 255.255.255.0 standby 10.143.8.2
interface Vlan212
 nameif SELF
 security-level 80
 ip address 10.143.12.1 255.255.255.0 standby 10.143.12.2
interface Vlan213
 nameif XXX
 security-level 80
 ip address 10.143.13.1 255.255.255.0 standby 10.143.13.2
interface Vlan214
 nameif BIOFR
 security-level 80
 ip address 10.143.14.1 255.255.255.0 standby 10.143.14.2
interface Vlan232
 nameif MNGT
 security-level 80
 ip address 10.143.32.1 255.255.255.0 standby 10.143.32.2
interface Vlan233
 nameif XXX
 security-level 80
 ip address 10.143.33.1 255.255.255.0 standby 10.143.33.2
interface Vlan234
 nameif XXX
 security-level 80
 ip address 10.143.34.1 255.255.255.0 standby 10.143.34.2
interface Vlan235
 nameif XX
 security-level 80
 ip address 10.143.35.1 255.255.255.0 standby 10.143.35.2
interface Vlan236
 nameif XXX
 security-level 80
 ip address 10.143.36.1 255.255.255.0 standby 10.143.36.2
interface Vlan250
description LAN Failover Interface
interface Vlan254
 nameif TEST
 security-level 80
 ip address 10.143.254.1 255.255.255.0 standby 10.143.254.2
interface Vlan255
 nameif XXX
 security-level 100
 ip address 10.143.255.1 255.255.255.0 standby 10.143.255.2
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network XXX
 subnet 10.143.14.0 255.255.255.0
object network XXX
 subnet 10.143.35.0 255.255.255.0
object network XXX
 subnet 10.143.1.0 255.255.255.0
object network MGMT
 subnet 10.143.32.0 255.255.255.0
object network XXX
 subnet 10.143.36.0 255.255.255.0
object network XXX
 subnet 10.143.4.0 255.255.252.0
object network XXX
 subnet 10.143.33.0 255.255.255.0
object network ACCT
 subnet 10.143.34.0 255.255.255.0
object network XXX
 subnet 10.143.0.0 255.255.255.0
object network XXX
 subnet 10.143.8.0 255.255.255.0
object network XXX
 subnet 10.143.12.0 255.255.255.0
object network XXX
 subnet 10.143.37.0 255.255.255.0
object network TEST
 subnet 10.143.254.0 255.255.255.0
object network XXX
 subnet 10.143.255.0 255.255.255.0
object network NETWORK_OBJ_10.143.0.0_16
 subnet 10.143.0.0 255.255.0.0
object network NETWORK_OBJ_10.91.0.0_16
 subnet 10.91.0.0 255.255.0.0
object-group network vpn-local-network
 network-object 10.143.14.0 255.255.255.0
 network-object 10.143.35.0 255.255.255.0
 network-object 10.143.1.0 255.255.255.0
 network-object 10.143.32.0 255.255.255.0
 network-object 10.143.36.0 255.255.255.0
 network-object 10.143.4.0 255.255.255.0
 network-object 10.143.33.0 255.255.255.0
 network-object 10.143.34.0 255.255.255.0
object-group network vpn-remote-network
 network-object 10.112.0.0 255.255.0.0
access-list ACL_VPN extended permit ip 10.143.0.0 255.255.0.0 10.112.0.0 255.255.0.0
access-list ACL_INSIDE_NONAT extended permit ip 10.143.0.0 255.255.0.0 10.112.0.0 255.255.0.0
access-list PING extended permit icmp any any
access-list PING extended permit icmp any any object-group ALLOW_PING
pager lines 24
logging asdm informational
mtu outside 1500
failover
failover lan unit primary
failover lan interface FAILOVER Vlan250
failover interface ip FAILOVER 10.143.250.1 255.255.255.0 standby 10.143.250.2
no monitor-interface outside
no monitor-interface OUTSIDE_BACK
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-721.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (XXX,outside) source dynamic XXX interface
nat (XXX,outside) source dynamic XXX interface
nat (XXX,outside) source dynamic XXX interface
nat (XXX,outside) source dynamic XXX interface
nat (XXX,outside) source dynamic XXX interface
nat (XXX,outside) source dynamic XXX interface
nat (XX,outside) source dynamic XXX interface
nat (XXX,outside) source dynamic XXX interface
nat (XXX,outside) source dynamic XX interface
nat (IT,outside) source dynamic IT interface
nat (TEST,outside) source dynamic TEST interface
nat (IT,outside) source dynamic IT interface
nat (TEST,outside) source static vpn-local-network vpn-local-network destination static vpn-remote-network vpn-remote-network no-proxy-arp route-lookup
access-group PING in interface outside
access-group PING in interface OUTSIDE_BACK
route outside 0.0.0.0 0.0.0.0 81.XXX.XXX.XXX.XXX 1 track 1
route OUTSIDE_BACK 0.0.0.0 0.0.0.0 41.XXXX
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
sysopt connection preserve-vpn-flows
sla monitor 123
 type echo protocol ipIcmpEcho 41.xxx.xxx.xxx interface outside
 frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec ikev1 transform-set ESP-3DES-ESP-MD5-HMAC esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map TEST 1 match address ACL_VPN
crypto map TEST 1 set peer 194.XXX.XXX.XXX
crypto map TEST 1 set ikev1 transform-set ESP-3DES-ESP-MD5-HMAC
crypto map TEST 1 set security-association lifetime seconds 86400
crypto map TEST 1 set security-association lifetime kilobytes 2147483647
crypto map TEST interface outside
crypto ca trustpool policy
no crypto isakmp nat-traversal
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
track 1 rtr 123 reachability
telnet timeout 5
ssh stricthostkeycheck
ssh 10.143.255.0 255.255.255.0 IT
ssh timeout 10
ssh key-exchange group dh-group1-sha1
console timeout 60
management-access IT
dhcpd lease 60000
dhcpd ping_timeout 20
dhcpd domain tls.ad
dhcpd auto_config outside
dhcpd address 10.143.4.10-10.143.4.200 XXX
dhcpd dns 10.91.0.34 8.8.8.8 interface XXX
dhcpd option 3 ip 10.143.4.1 interface XXX
dhcpd enable XXX
dhcpd address 10.143.12.10-10.143.12.200 XXX
dhcpd option 3 ip 10.143.12.1 interface XXX
dhcpd enable XXX
dhcpd address 10.143.14.10-10.143.14.200 XXX
dhcpd option 3 ip 10.143.14.1 interface XXX
dhcpd enable XXX
dhcpd address 10.143.32.10-10.143.32.100 MNGT
dhcpd option 3 ip 10.143.32.1 interface MNGT
dhcpd enable MNGT
dhcpd address 10.143.33.10-10.143.33.100 XXX
dhcpd option 3 ip 10.143.32.1 interface XXX
dhcpd enable XXX
dhcpd address 10.143.34.10-10.143.34.100 XXX
dhcpd option 3 ip 10.143.32.1 interface XXX
dhcpd enable XXX
dhcpd address 10.143.36.10-10.143.36.100 XXX
dhcpd option 3 ip 10.143.32.1 interface XXX
dhcpd enable XXX
dhcpd address 10.143.255.10-10.143.255.200 XXX
dhcpd option 3 ip 10.143.255.1 interface XXX
dhcpd enable IT
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server 10.90.0.34
ntp server 10.91.0.34
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
username tlsnimda password OW03yrp6/wvkyg6E encrypted
tunnel-group 194.XXX.XXX.XXX type ipsec-l2l
tunnel-group 194.XXX.XXX.XXX ipsec-attributes
 ikev1 pre-shared-key *****
class-map icmp
 match default-inspection-traffic
policy-map icmppolicy
 class icmp
  inspect icmp
service-policy icmppolicy interface outside
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e820e629c3cbaf67478c065440ac8138
VPN is up but not passing any traffic
  Crypto map tag: TEST, seq num: 1, local addr: 81.xxx.xxx.xxx
      access-list ACL_VPN extended permit ip 10.143.0.0 255.255.0.0 10.112.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (10.143.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.112.0.0/255.255.0.0/0/0)
      current_peer: 194.xxx.xxx.xxx
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 10, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 10
      local crypto endpt.: 81.xxx.xxx.xxx/0, remote crypto endpt.: 194.xxx.xxx.xx/0
      path mtu 1500, ipsec overhead 58(36), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: CC4FACB7
      current inbound spi : D8C0AC76
    inbound esp sas:
      spi: 0xD8C0AC76 (3636505718)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 9367552, crypto-map: TEST
         sa timing: remaining key lifetime (kB/sec): (1824522239/3507)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xCC4FACB7 (3427773623)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 9367552, crypto-map: TEST
         sa timing: remaining key lifetime (kB/sec): (1824522239/3507)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
VPN is unstable
Connection terminated for peer 194.XXX.XXX.XX.  Reason: Peer Terminate  Remote Proxy 10.112.0.0, Local Proxy 10.143.0.0
I cannot pass any traffic through the vpn when it's UP, or ping the other side.
ASA VERSION 9.2
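The post shows a tunnel that is UP with #pkts encaps 0 on the ASA side and #pkts decaps 10 but #pkts decrypt 0 with #recv errors 10. The script below is an added example, not code from the post or from Cisco: it reads the counters of `show crypto ipsec sa` and says which direction is failing, and it parses the interface, object-group and manual NAT lines of the posted config to flag identity-NAT (exemption) rules that are bound to a different interface than the one hosting the exempted subnet. On the ASA, NAT is evaluated before the crypto map, so a subnet with no exemption on its own interface is PATed to the outside address and never matches the crypto ACL. The two sample inputs are constructed, trimmed copies of the post's output and config with the redacted names replaced by made-up ones (BIOFR, MNGT and TEST are in the post; the 192.0.2.0/30 outside address is invented); all function names are this example's own.

```python
"""Added example (not part of the original post): two checks for an ASA
site-to-site tunnel that is UP but carries no traffic.

1. classify_ipsec_sa()  reads the counters of `show crypto ipsec sa` and
   says which direction is failing.
2. find_misbound_nat_exemptions()  parses interface, object-group and manual
   NAT lines and flags identity-NAT (exemption) rules bound to an interface
   other than the one hosting the exempted subnet.  The ASA applies NAT before
   the crypto map, so a subnet with no exemption on its own interface is PATed
   to the outside address and never matches the crypto ACL.

Both sample inputs are constructed, trimmed copies of what the post shows;
the helper names are this example's own.
"""
import ipaddress
import re

# --- 1. tunnel counters -----------------------------------------------------

# Constructed sample: the counter lines from the post's `show crypto ipsec sa`.
SAMPLE_SHOW_SA = """\
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 10, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #send errors: 0, #recv errors: 10
"""


def parse_sa_counters(show_output):
    """Turn '#pkts encaps: 0, #pkts encrypt: 0' fragments into {'pkts encaps': 0, ...}."""
    return {name.strip(): int(value)
            for name, value in re.findall(r"#([\w -]+?): (\d+)", show_output)}


def classify_ipsec_sa(show_output):
    """Return troubleshooting findings about which direction of the SA is failing."""
    c = parse_sa_counters(show_output)
    findings = []
    if c.get("pkts encaps", 0) == 0:
        findings.append("outbound: nothing was encapsulated, so local traffic never "
                        "reached the crypto map (check NAT order, crypto ACL, routing)")
    if c.get("pkts decaps", 0) > 0 and c.get("pkts decrypt", 0) == 0:
        findings.append("inbound: ESP arrives but none of it decrypts (%d recv errors); "
                        "compare transform set, proxy IDs and NAT-T with the peer"
                        % c.get("recv errors", 0))
    if c.get("pkts encaps", 0) > 0 and c.get("pkts decaps", 0) == 0:
        findings.append("outbound works but the peer sends nothing back; check its "
                        "policy and return routing")
    return findings or ["counters look healthy in both directions"]


# --- 2. NAT exemption binding -----------------------------------------------

# Constructed sample: a trimmed excerpt of the posted config with the redacted
# names replaced.  The exemption is bound to TEST, as in the post, while the
# exempted subnets live on BIOFR and MNGT.
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.252
interface Vlan214
 nameif BIOFR
 security-level 80
 ip address 10.143.14.1 255.255.255.0 standby 10.143.14.2
interface Vlan232
 nameif MNGT
 security-level 80
 ip address 10.143.32.1 255.255.255.0 standby 10.143.32.2
interface Vlan254
 nameif TEST
 security-level 80
 ip address 10.143.254.1 255.255.255.0 standby 10.143.254.2
object-group network vpn-local-network
 network-object 10.143.14.0 255.255.255.0
 network-object 10.143.32.0 255.255.255.0
object-group network vpn-remote-network
 network-object 10.112.0.0 255.255.0.0
nat (BIOFR,outside) source dynamic any interface
nat (MNGT,outside) source dynamic any interface
nat (TEST,outside) source static vpn-local-network vpn-local-network destination static vpn-remote-network vpn-remote-network no-proxy-arp route-lookup
"""

# identity NAT: "source static X X" (real and mapped object are the same)
NAT_IDENTITY = re.compile(r"^nat \((\S+),(\S+)\) source static (\S+) \3\b")


def parse_asa(config):
    """Collect nameif -> connected network, object-group -> networks, and nat lines."""
    interfaces, groups, nat_rules = {}, {}, []
    nameif = group = None
    for line in config.splitlines():
        if line.startswith("interface "):
            nameif, group = None, None
        elif line.startswith("object-group network "):
            group, nameif = line.split()[-1], None
            groups[group] = []
        elif line.startswith(" nameif "):
            nameif = line.split()[1]
        elif line.startswith(" ip address ") and nameif:
            _, _, addr, mask = line.split()[:4]
            interfaces[nameif] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        elif line.startswith(" network-object ") and group:
            _, addr, mask = line.split()[:3]
            groups[group].append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
        elif line.startswith("nat "):
            nat_rules.append(line)
    return interfaces, groups, nat_rules


def find_misbound_nat_exemptions(config):
    """Return (subnet, hosting_interface, nat_interface) for every exempted subnet
    whose identity-NAT rule is bound to an interface other than the one hosting it."""
    interfaces, groups, nat_rules = parse_asa(config)
    problems = []
    for rule in nat_rules:
        m = NAT_IDENTITY.match(rule)
        if not m:
            continue
        nat_if, obj = m.group(1), m.group(3)
        for subnet in groups.get(obj, []):
            for host_if, net in interfaces.items():
                if (subnet.subnet_of(net) or net.subnet_of(subnet)) and host_if != nat_if:
                    problems.append((str(subnet), host_if, nat_if))
    return problems


if __name__ == "__main__":
    for finding in classify_ipsec_sa(SAMPLE_SHOW_SA):
        print("SA :", finding)
    for subnet, host_if, nat_if in find_misbound_nat_exemptions(SAMPLE_CONFIG):
        print(f"NAT: {subnet} lives on {host_if} but its exemption is bound to {nat_if}")
```

The fix the second check points at is to bind the identity rule to each interface that hosts an exempted subnet (for example `nat (BIOFR,outside) source static ...`) and to keep it ahead of the dynamic PAT rules, since manual NAT rules are matched in order. It is also worth comparing the crypto ACL, which matches all of 10.143.0.0/16, with the exemption group, which lists only eight /24s: any other 10.143.x.0/24 would still be PATed even with the binding corrected.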

The reply answer
I do not think that'll be any problem. Here at work we also use Cisco ADSL 800 Series with vpn between customers' sites without any issues. The ASA should vpn for sure.
