01-25-2019 08:41 AM - edited 02-21-2020 08:42 AM
I have attached my ASA config for the site-to-site VPN, with a note about the remote site that I need to access.
So I have a problem with my config; can anybody help? My main purpose is to access an application server (SAP systems),
and I can't, so I don't know whether the problem is the ports or the setup itself. I need help.
I'll attach everything in different posts because each post can have no more than 3 or 4 attachments.
So I need help to check whether the setup is okay or not, and also whether the NAT is correct or not, because I have 4 VLANs but I have used the main ID network or main subnet. So I need to check why there is no reachability to the other side.
By the way, I have one server I can't reach except via Remote Desktop, and only from the WiFi office VLAN; from the wired VLAN I can't. (This server should be the SAP application, but I can't access it via the app GUI, only via Remote Desktop, with no login for sure; it just shows me that I can't reach it via Remote Desktop.)
Thanks
01-25-2019 08:42 AM
01-25-2019 08:42 AM
01-26-2019 02:39 AM
Any update or any guidance to share with me? :) Need your help all, thanks.
01-26-2019 08:52 AM
01-28-2019 01:37 AM
Hi again, can you help me create NAT for different VLANs? (I have WiFi office, printer, wired and guest VLANs.) I can access the remote side using only the WiFi office VLAN, so how can I add more NAT for the different VLANs and apply it in the configuration?
Please check the output:
> show crypto isakmp sa
There are no IKEv1 SAs
IKEv2 SAs:
Session-id:67, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
230738657 192.168.1.73/4500 194.247.XX.XX/4500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/307 sec
Child sa: local selector 10.245.XXX.0/0 - 10.245.XXX.255/65535
remote selector 10.102.44.37/0 - 10.102.44.37/65535
ESP spi in/out: 0x35a5c411/0x94a164b0
show crypto ikev2 sa
IKEv2 SAs:
Session-id:67, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
230738657 192.168.1.73/4500 194.247.125.126/4500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/476 sec
Child sa: local selector 10.245.1XXX.0/0 - 10.245.XXX.255/65535
remote selector 10.102.44.37/0 - 10.102.44.37/65535
ESP spi in/out: 0x35a5c411/0x94a164b0
> show crypto ipsec sa
interface: outside
Crypto map tag: s2sCryptoMap, seq num: 1, local addr: 192.168.1.73
access-list |s2sAcl|ffdca9e5-034c-11e9-8ca8-f51c2173f055 extended permit ip 10.245.160.0 255.255.224.0 host 10.102.XX.37
local ident (addr/mask/prot/port): (10.245.1XX.0/255.255.224.0/0/0)
remote ident (addr/mask/prot/port): (10.102.XX.37/255.255.255.255/0/0)
The port should be 3610 to access the application, not using only Remote Desktop.
current_peer: 194.247.125.126
#pkts encaps: 20, #pkts encrypt: 20, #pkts digest: 20
#pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 20, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 192.168.1.73/4500, remote crypto endpt.: 194.247.125.126/4500
path mtu 1500, ipsec overhead 86(52), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 94A164B0
current inbound spi : 35A5C411
inbound esp sas:
spi: 0x35A5C411 (900056081)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 14, IKEv2, }
slot: 0, conn_id: 1319, crypto-map: s2sCryptoMap
sa timing: remaining key lifetime (kB/sec): (4285439/28304)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x000001FD
outbound esp sas:
spi: 0x94A164B0 (2493605040)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 14, IKEv2, }
slot: 0, conn_id: 1319, crypto-map: s2sCryptoMap
sa timing: remaining key lifetime (kB/sec): (4055039/28304)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
>
This is the application IP I have reached by Remote Desktop, but using the application itself I can't??? I believe the port is the problem?
01-28-2019 08:59 AM
Seems like your Phase 1 is still pending (show crypto isakmp sa); let's make sure the proposals are the same on both sides first. After you have fixed Phase 1, you need to verify Phase 2 (show crypto ipsec sa), then you need to configure NAT exemption. Here is an example:
nat (inside,outside) 1 source static <LOCAL> <LOCAL> destination static <REMOTE> <REMOTE> no-proxy-arp route-lookup
01-28-2019 04:24 PM
How do I add more than one NAT and deploy it? As you know I have 3 VLANs, and when I deploy the VPN it asks me which VLAN I will apply it to, like in the picture; please check.
I have 3 VLANs and each VLAN should access 3 networks on the remote side (10.0.0.0, 172.16.0.0, 192.168.0.0), but when I deploy I can choose only one VLAN, so if I choose WiFi I can't with the printer VLAN and the wired VLAN.
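The NAT exemption from the reply above, extended to several VLANs and several remote networks with object groups, as an added example in ASA CLI syntax and not the poster's own configuration. Only 10.245.160.0/19 (from the show output) and the three remote network addresses come from the thread; the per-VLAN /24s, the remote masks, and the interface names are assumptions.

```cisco
! Added example (ASA CLI), not the poster's config.
! 10.245.160.0/19 appears in the show output; the per-VLAN /24s carved
! from it, the remote masks and the interface names are assumptions.
object-group network LOCAL-VLANS
 description Local VLANs allowed over the tunnel (guest VLAN deliberately left out)
 network-object 10.245.160.0 255.255.255.0
 network-object 10.245.161.0 255.255.255.0
 network-object 10.245.162.0 255.255.255.0
object-group network REMOTE-NETS
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
!
! One crypto ACL for every local VLAN to every remote network. The peer
! must mirror it, or the child SA narrows to what both sides agree on
! (the show output above negotiated only host 10.102.44.37). "permit ip"
! carries every port, so TCP 3610 is not blocked by the tunnel definition.
access-list S2S-ACL extended permit ip object-group LOCAL-VLANS object-group REMOTE-NETS
crypto map s2sCryptoMap 1 match address S2S-ACL
!
! One identity (twice) NAT covering all pairs. "any" as the inside
! interface covers every VLAN interface without one rule per VLAN;
! position 1 places it ahead of dynamic PAT so tunnel traffic is not translated.
nat (any,outside) 1 source static LOCAL-VLANS LOCAL-VLANS destination static REMOTE-NETS REMOTE-NETS no-proxy-arp route-lookup
!
! Check which NAT rule and ACL a wired-VLAN host actually hits toward the
! SAP port (3610, from the thread) before blaming the tunnel.
! "wired" as the interface nameif and the source host are assumptions.
! packet-tracer input wired tcp 10.245.161.10 40000 10.102.44.37 3610
```

If the packet-tracer output shows a dynamic PAT rule matching instead of the identity NAT, the exemption is ordered too late or does not cover that VLAN's subnet.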