Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About klombard
Stats
Member since
05-13-2011
26
Posts
0
Helpful
0
Solutions
Created by
klombard
in VPN and AnyConnect
in VPN and AnyConnect
11-26-2013
09:01 AM
11-26-2013
09:01 AM
Scenario: We currently have a DMVPN hub running two tunnels, one to each of our two spoke sites. We are using static routing. At these sites, we'd like to have failover to another ISP if the primary goes down, then reverting back to the original when it comes back up. I've had many issues getting this configuration to work successfully, with various results. Just looking for a good source material to look at for this scenario, with examples. Thus far, I've tried running two tunnels from the hub to the spoke, with the spoke using one wan interface for each tunnel and the hub using the same interface for both tunnels. (along with the tunnel going to the other spoke). I've tried using sla to fail over to the higher cost route, but noticed that the traffic isn't following suit across the tunnel, plus when the primary isp comes back up it doesn't revert back to the primary route. So, to summarize, it's broken. Would appreciate anyone who could provide a breakdown of what would be involved in this scenario, with examples.
... View more
Labels:
05-14-2013
08:58 AM
We currently have DMVPN running with 1 Hub and 2 spokes. What we'd like to do on each of the spokes is have a backup wan connection as a failover in case the primary wan connection goes down. The hub only has one wan connection currently My thought was to build additional tunnels on the hub and spokes to serve as the 'backup' routes. So, for example, all of the devices would have Tunnel0, which is the main tunnel, then I would add Tunnels 1 and 2 on the hub - using a different nhrp subnet and then create Tunnel1 on spoke A and Tunnel2 on spoke B. What I noticed though is that even before I did any change on our routing (it is all static), about a half hour after I brought up the secondary tunnel between the hub and spoke A, both spoke A and spoke B had suddenly shifted over to Tunnel1 from Tunnel0 (which caused their connections to drop). I had configured each of the tunnels to use a different subnet (i.e. 172.16.0.0, 172.16.1.0, 172.16.2.0) and had yet to change the routing at all. They are all sharing the same crypto, so I'm am not sure if that is contributing to the problem. Is there a step I am missing, or am I going about this the wrong way?
... View more
Labels:
04-18-2013
09:43 AM
I have a DMVPN hub with one wan connection/ISP. Our spokes are already connected on their primary wan connections (cable internet). We still have T1 lines at those locations and would like to use those lines as backups. What is the best way to configure these spoke routers for redundancy (keeping the DMVPN connection up in the process)? I've seen the usual tracking method, but that seems to be hit or miss. Also saw a recommendation to use loopback interfaces and just sort of blend the two wan connections together. Looking for any solutions that you have used that have worked well. Thanks!
... View more
Labels:
03-19-2013
08:03 AM
Recently started a project with upgrading our remote site routers and connecting them via a new router here using DMVPN. First site went up fine and has been working pretty well. Just recently started working on the next site and I'm having trouble getting it to connect. HUB and Spoke 1 are working fine, can ping back and forth both on the WAN ip and the tunnel IP HUB and Spoke 2 I can ping the WAN ips, but not tunnel ips. On HUB, when I issue the sh dmvpn command, I see the connection to Spoke 1, but nothing for Spoke 2. On Spoke 2, I see a connection to HUB, but the state is IKE, and as previously mentioned, I cannot ping the tunnel ip for the HUB. I've re-checked and recreated all the crypto information on both sides and re-created the tunnel interfaces, just to make sure everything is matching. What I did notice is that the HUB only seems to be allowing one spoke at a time. By accident, while rebotting the hub and spoke 2, I noticed that when it came back up the HUB had connected to spoke 2 now, but wasn't allow spoke 1 to connect. I've removed all ACL's from the interfaces, so it shouldn't be an access problem. Here's Tunnel config on HUB: interface Tunnel0 description mGRE - DMVPN Tunnel ip address 172.16.0.1 255.255.255.0 no ip redirects ip mtu 1416 ip nhrp authentication firewall ip nhrp map multicast dynamic ip nhrp network-id 1 tunnel source 1.1.1.1 tunnel mode gre multipoint tunnel protection ipsec profile protect-gre ! Tunnel config on Spoke 1: interface Tunnel0 description Spoke 1 mGRE - DMVPN Tunnel ip address 172.16.0.2 255.255.255.0 no ip redirects ip mtu 1416 ip nhrp authentication firewall ip nhrp map multicast dynamic ip nhrp map 172.16.0.1 1.1.1.1 ip nhrp map multicast 1.1.1.1 ip nhrp network-id 1 ip nhrp nhs 172.16.0.1 ip tcp adjust-mss 1376 tunnel source 2.2.2.2 tunnel mode gre multipoint tunnel protection ipsec profile protect-gre ! Tunnel config on Spoke 2: interface Tunnel0 description Spoke 2 mGRE - DMVPN Tunnel ip address 172.16.0.3 255.255.255.0 no ip redirects ip mtu 1416 ip nhrp authentication firewall ip nhrp map multicast dynamic ip nhrp map 172.16.0.1 1.1.1.1 ip nhrp map multicast 1.1.1.1 ip nhrp network-id 1 ip nhrp nhs 172.16.0.1 ip tcp adjust-mss 1376 tunnel source 3.3.3.3 tunnel mode gre multipoint tunnel protection ipsec profile protect-gre ! Here's some of the isakmp debug from Spoke 2: Mar 19 14:58:19.583: ISAKMP:(1017):purging SA., sa=28DE47B8, delme=28DE47B8 Mar 19 14:58:23.383: ISAKMP: set new node 0 to QM_IDLE Mar 19 14:58:23.383: ISAKMP:(1018):SA is still budding. Attached new ipsec request to it. (local 3.3.3.3, remote 1.1.1.1) Mar 19 14:58:23.383: ISAKMP: Error while processing SA request: Failed to initialize SA Mar 19 14:58:23.383: ISAKMP: Error while processing KMI message 0, error 2. Mar 19 14:58:25.019: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH... Mar 19 14:58:25.019: ISAKMP (1018): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1 Mar 19 14:58:25.019: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH Mar 19 14:58:25.019: ISAKMP:(1018): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH Mar 19 14:58:25.019: ISAKMP:(1018):Sending an IKE IPv4 Packet. Mar 19 14:58:25.039: ISAKMP (1018): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH Mar 19 14:58:25.039: ISAKMP:(1018): phase 1 packet is a duplicate of a previous packet. Mar 19 14:58:25.039: ISAKMP:(1018): retransmission skipped for phase 1 (time since last transmission 20) Mar 19 14:58:35.020: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH... Mar 19 14:58:35.020: ISAKMP (1018): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1 Mar 19 14:58:35.020: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH Mar 19 14:58:35.020: ISAKMP:(1018): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH Mar 19 14:58:35.020: ISAKMP:(1018):Sending an IKE IPv4 Packet. Mar 19 14:58:45.020: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH... Mar 19 14:58:45.020: ISAKMP:(1018):peer does not do paranoid keepalives. Mar 19 14:58:45.020: ISAKMP:(1018):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 1.1.1.1) Mar 19 14:58:45.020: ISAKMP:(1018):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 1.1.1.1) Mar 19 14:58:45.020: ISAKMP: Unlocking peer struct 0x40B251B0 for isadb_mark_sa_deleted(), count 0 Mar 19 14:58:45.020: ISAKMP: Deleting peer node by peer_reap for 1.1.1.1: 40B251B0 Mar 19 14:58:45.020: ISAKMP:(1018):deleting node 161814660 error FALSE reason "IKE deleted" Mar 19 14:58:45.020: ISAKMP:(1018):deleting node -1000666081 error FALSE reason "IKE deleted" Mar 19 14:58:45.020: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL Mar 19 14:58:45.020: ISAKMP:(1018):Old State = IKE_I_MM5 New State = IKE_DEST_SA Any thoughts on what could be causing this?
... View more
Labels:
Created by
klombard
in VPN and AnyConnect
in VPN and AnyConnect
01-25-2013
12:04 PM
01-25-2013
12:04 PM
Gah. Knew it was something simple. Actually, following step 1 that you laid out seems to have fixed my issue. Internet is now going through the Hub and access to the Hub LAN is still there. I think I may have been close, but had mixed up the ISP IPs and ISP gateways. Probably did the wrong combination. Thanks for your help!
... View more
Created by
klombard
in VPN and AnyConnect
in VPN and AnyConnect
01-25-2013
10:08 AM
01-25-2013
10:08 AM
Currently setting up DMVPN Between one hub and spoke. We use all static routing. I successfully created the tunnel and am able to get into our internal network from the spoke lan. However, I am unable to get any internet access. Here's the static routing on the spoke: ip route 0.0.0.0 0.0.0.0 <ISP Gateway of spoke> ip route 192.168.48.0 255.255.240.0 <Hub Tunnel IP> In our old site-2-site scenario, we would simply point the default route to the Tunnel interface and then the traffic would flow that way and then statically route any other data we want to go elsewhere. However, I've noticed in this scenario that is not the case. Also, when I go to point the default route somewhere else than the ISP Gateway (even to the Hub tunnel ip), I lose all connectivity to the Hub lan. Basically, I just need all traffic from the spoke to traverse the tunnel to the hub, where all resources and internet access will come from. Any advice would be appreciated!
... View more
Labels:
08-31-2012
12:56 PM
Here's the scenario: 1 router will have a primary and secondary ISP connection. I set up an SLA to track connectivity on the primary connection. Here are the static routes: ip route 0.0.0.0 0.0.0.0 Tunnel55 track 10 ip route 12.54.X.X 255.255.255.240 GigabitEthernet0/0 track 10 ip route 12.54.X.Y 255.255.255.255 X.15.115.X track 10 ip route 192.168.32.0 255.255.240.0 Tunnel55 track 10 ip route 192.168.48.0 255.255.252.0 Tunnel55 track 10 ip route 192.168.56.0 255.255.255.0 Tunnel55 track 10 ip route 0.0.0.0 0.0.0.0 Tunnel56 254 ip route 12.54.X.X 255.255.255.240 GigabitEthernet0/1 254 ip route 12.54.X.Y 255.255.255.255 X.15.81.X 254 ip route 192.168.32.0 255.255.240.0 Tunnel56 254 ip route 192.168.48.0 255.255.252.0 Tunnel56 254 ip route 192.168.56.0 255.255.255.0 Tunnel56 254 So I shut down the port (gi0/0) belonging to the primary port. At this point, it seemed like it worked fine. The routes shifted over to the backup routes. However, when I re-enabled the port, only two of the routes switched back. The routes pointing to Tunnels stayed on the secondary tunnel. When I browsed my static routes, I saw this: Gateway of last resort is 0.0.0.0 to network 0.0.0.0 S* 0.0.0.0/0 is directly connected, Tunnel56 12.0.0.0/8 is variably subnetted, 2 subnets, 2 masks S 12.x.x.16/28 is directly connected, GigabitEthernet0/0 S 12.x.y.20/32 [1/0] via x.15.115.x S 192.168.32.0/20 is directly connected, Tunnel56 S 192.168.48.0/22 is directly connected, Tunnel56 S 192.168.56.0/24 is directly connected, Tunnel56 Is there something special I need to do for Tunnels to allow the Tunnel routes to switch back automatically?
... View more
Labels:
Created by
klombard
in VPN and AnyConnect
in VPN and AnyConnect
06-18-2012
01:11 PM
06-18-2012
01:11 PM
I guess I'm still confused. That solution seems a little more complex than what I'm trying to do. Here is what I understand: 1. develop an sla to monitor a connection on the primary interface 2. Configure static default routes: The first points to the default interface and is tracking the sla. The second goes to the backup interface and has a metric so that it only becomes active should the default fail or should the tracking be interrupted. Where I get confused is in regards to the VPN Tunnels. Here's the relevant current config of the main site-to-site router: crypto isakmp key mycryptokey address IP1.IP1.IP1.IP1 crypto map mymap 30 ipsec-isakmp set peer IP1.IP1.IP1.IP1 set transform-set ESP-DES-MD5 match address 154 interface TunnelA ip address 192.168.154.1 255.255.255.252 ip mtu 1476 ip route-cache flow tunnel source FastEthernet0/1 tunnel destination IP1.IP1.IP1.IP1 crypto map mymap Here's the config on the branch router: crypto isakmp policy 1 hash md5 authentication pre-share crypto isakmp key mycryptokey address IP2.IP2.IP2.IP2 crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac ! crypto map mymap local-address Serial0/0/0 crypto map mymap 10 ipsec-isakmp set peer IP2.IP2.IP2.IP2 set transform-set ESP-DES-MD5 match address 199 Interface TunnelA ip address 192.168.154.2 255.255.255.252 ip access-group 140 out ip mtu 1476 ip route-cache flow tunnel source Serial0/0/0 tunnel destination IP2.IP2.IP2.IP2 crypto map mymap And the current default route on the branch router is: ip route 0.0.0.0 0.0.0.0 TunnelA So I know that what I will eventually need on the branch router is something like this: ip route 0.0.0.0 0.0.0.0 TunnelA Track 1 ip route 0.0.0.0 0.0.0.0 TunnelB 10 My question is, in regards to using Tunnels, is there anything special I need to do aside from having two Tunnel interfaces (one utilizing the T1 interface and one utilizing the DSL FA0/1 interface) on each end (one the primary, one the secondary) and can I share the same crypto key and crypto map for the two tunnels, or do I need to create separate ones? Thanks!
... View more
Created by
klombard
in VPN and AnyConnect
in VPN and AnyConnect
06-15-2012
09:28 AM
06-15-2012
09:28 AM
We've got two 1800 routers connected via IPSEC VPN using a tunnel interface. The router at the branch office is using a T1 on Serial0/0/0 and we'd like to connect DSL service to Fa0/1 as a backup. Now, problem I see is that we use static routing. On the branch router it has a default route pointing to the original Tunnel interface that uses the T1 line. Then it has several other static routes pointing to the serial interface itself. Tried an experiment creating floating static routes that would bounce to a second Tunnel interface or the Fa0/1 interface if the first failed, however, I don't think that works correctly. Tried shutting down the serial interface (wisely scheduling a reload for a couple minutes later), but the second tunnel never came up. I'm sure there is a better way of doing this and would appreciate any pointers. Thanks!
... View more
Labels:
05-13-2011
12:49 PM
Ok, I added a route on another router and now I can ping between the vpn client and the internal network - but nothing else. Can't view intranet, browse file shares, etc.
... View more
05-13-2011
12:19 PM
1 packet captured 1: 11:12:44.525455 192.168.49.29.80 > 192.168.56.10.80: S 1864813813:1864813813(0) win 8192 1 packet shown Captured packet showed up after I ran the packet trace.
... View more
05-13-2011
12:17 PM
Phase: 1 Type: CAPTURE Subtype: Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0xac00ec78, priority=12, domain=capture, deny=false hits=4099, user_data=0xabf59c30, cs_id=0x0, l3_type=0x0 src mac=0000.0000.0000, mask=0000.0000.0000 dst mac=0000.0000.0000, mask=0000.0000.0000 Phase: 2 Type: ACCESS-LIST Subtype: Result: ALLOW Config: Implicit Rule Additional Information: Forward Flow based lookup yields rule: in id=0xab7f5c10, priority=1, domain=permit, deny=false hits=42154, user_data=0x0, cs_id=0x0, l3_type=0x8 src mac=0000.0000.0000, mask=0000.0000.0000 dst mac=0000.0000.0000, mask=0000.0000.0000 Phase: 3 Type: FLOW-LOOKUP Subtype: Result: ALLOW Config: Additional Information: Found no matching flow, creating a new flow Phase: 4 Type: ROUTE-LOOKUP Subtype: input Result: ALLOW Config: Additional Information: in 192.168.56.10 255.255.255.255 Outside Phase: 5 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0xab7f8420, priority=0, domain=permit-ip-option, deny=true hits=332, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Phase: 6 Type: CAPTURE Subtype: Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0xabfaa3a8, priority=12, domain=capture, deny=false hits=1, user_data=0xabf59c30, cs_id=0xab7b4ed8, reverse, flags=0x0, protocol=0 src ip=192.168.49.29, mask=255.255.255.255, port=0 dst ip=192.168.56.0, mask=255.255.255.0, port=0, dscp=0x0 Phase: 7 Type: NAT-EXEMPT Subtype: Result: ALLOW Config: nat-control match ip Inside 192.168.48.0 255.255.240.0 Outside 192.168.56.0 255.255.255.0 NAT exempt translate_hits = 2, untranslate_hits = 0 Additional Information: Forward Flow based lookup yields rule: in id=0xabdab5a8, priority=6, domain=nat-exempt, deny=false hits=1, user_data=0xac019ab8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip=192.168.48.0, mask=255.255.240.0, port=0 dst ip=192.168.56.0, mask=255.255.255.0, port=0, dscp=0x0 Phase: 8 Type: NAT Subtype: Result: ALLOW Config: nat (Inside) 0 0.0.0.0 0.0.0.0 nat-control match ip Inside any Outside any no translation group, implicit deny policy_hits = 2 Additional Information: Forward Flow based lookup yields rule: in id=0xac01aba8, priority=0, domain=nat, deny=false hits=8, user_data=0xac01aae8, cs_id=0x0, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Phase: 9 Type: NAT Subtype: host-limits Result: ALLOW Config: nat (Inside) 0 0.0.0.0 0.0.0.0 nat-control match ip Inside any Outside any no translation group, implicit deny policy_hits = 2 Additional Information: Forward Flow based lookup yields rule: in id=0xabd9bb98, priority=0, domain=host, deny=false hits=277, user_data=0xac01aae8, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Phase: 10 Type: VPN Subtype: encrypt Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: out id=0xabfa9e58, priority=70, domain=encrypt, deny=false hits=1, user_data=0x32634, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=192.168.56.10, mask=255.255.255.255, port=0, dscp=0x0 Phase: 11 Type: VPN Subtype: ipsec-tunnel-flow Result: ALLOW Config: Additional Information: Reverse Flow based lookup yields rule: in id=0xabfa9940, priority=69, domain=ipsec-tunnel-flow, deny=false hits=1, user_data=0x34354, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip=192.168.56.10, mask=255.255.255.255, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Phase: 12 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Reverse Flow based lookup yields rule: in id=0xab7b1dd0, priority=0, domain=permit-ip-option, deny=true hits=534, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Phase: 13 Type: CAPTURE Subtype: Result: ALLOW Config: Additional Information: Reverse Flow based lookup yields rule: out id=0xac0197f8, priority=12, domain=capture, deny=false hits=0, user_data=0xabf59c30, cs_id=0xab7b4ed8, reverse, flags=0x0, protocol=0 src ip=192.168.56.0, mask=255.255.255.0, port=0 dst ip=192.168.49.29, mask=255.255.255.255, port=0, dscp=0x0 Phase: 14 Type: FLOW-CREATION Subtype: Result: ALLOW Config: Additional Information: New flow created with id 800, packet dispatched to next module Module information for forward flow ... snp_fp_tracer_drop snp_fp_inspect_ip_options snp_fp_tcp_normalizer snp_fp_translate snp_fp_adjacency snp_fp_encrypt snp_fp_fragment snp_ifc_stat Module information for reverse flow ... snp_fp_tracer_drop snp_fp_inspect_ip_options snp_fp_ipsec_tunnel_flow snp_fp_translate snp_fp_tcp_normalizer snp_fp_adjacency snp_fp_fragment snp_ifc_stat Result: input-interface: Inside input-status: up input-line-status: up output-interface: Outside output-status: up output-line-status: up Action: allow
... View more
05-13-2011
11:53 AM
Not sure how to do the capture, but when I do a ping from internal to the client, the client receives encrypted packets.
... View more
05-13-2011
11:51 AM
ASAVPN# packet input outside tcp 192.168.49.29 http 192.168.56.10 http detaile$ Phase: 1 Type: FLOW-LOOKUP Subtype: Result: ALLOW Config: Additional Information: Found no matching flow, creating a new flow Phase: 2 Type: ROUTE-LOOKUP Subtype: input Result: ALLOW Config: Additional Information: in 192.168.56.10 255.255.255.255 Outside Phase: 3 Type: ACCESS-LIST Subtype: Result: DROP Config: Implicit Rule Additional Information: Forward Flow based lookup yields rule: in id=0xab7b0000, priority=111, domain=permit, deny=true hits=1, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Result: input-interface: Outside input-status: up input-line-status: up output-interface: Outside output-status: up output-line-status: up Action: drop Drop-reason: (acl-drop) Flow is denied by configured rule ------------ ASAVPN# packet input inside tcp 192.168.56.10 http 192.168.49.29 http detailed Phase: 1 Type: FLOW-LOOKUP Subtype: Result: ALLOW Config: Additional Information: Found no matching flow, creating a new flow Phase: 2 Type: ROUTE-LOOKUP Subtype: input Result: ALLOW Config: Additional Information: in 192.168.48.0 255.255.252.0 Inside Phase: 3 Type: ACCESS-LIST Subtype: Result: DROP Config: Implicit Rule Additional Information: Forward Flow based lookup yields rule: in id=0xab7f6650, priority=111, domain=permit, deny=true hits=9, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Result: input-interface: Inside input-status: up input-line-status: up output-interface: Inside output-status: up output-line-status: up Action: drop Drop-reason: (acl-drop) Flow is denied by configured rule ------------------------------ ASAVPN# packet input inside tcp 192.168.49.29 http 192.168.56.10 http detailed Phase: 1 Type: FLOW-LOOKUP Subtype: Result: ALLOW Config: Additional Information: Found no matching flow, creating a new flow Phase: 2 Type: ROUTE-LOOKUP Subtype: input Result: ALLOW Config: Additional Information: in 192.168.56.10 255.255.255.255 Outside Phase: 3 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group Inside_access_in in interface Inside access-list Inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any object-group protocol DM_INLINE_PROTOCOL_1 protocol-object ip protocol-object udp protocol-object tcp Additional Information: Forward Flow based lookup yields rule: in id=0xac019928, priority=12, domain=permit, deny=false hits=3, user_data=0xa89f6e40, cs_id=0x0, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Phase: 4 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0xab7f8420, priority=0, domain=permit-ip-option, deny=true hits=191, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Phase: 5 Type: NAT-EXEMPT Subtype: Result: ALLOW Config: nat-control match ip Inside 192.168.48.0 255.255.252.0 Outside 192.168.56.0 255.255.255.0 NAT exempt translate_hits = 4, untranslate_hits = 29 Additional Information: Forward Flow based lookup yields rule: in id=0xabfaa238, priority=6, domain=nat-exempt, deny=false hits=3, user_data=0xabd9c480, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip=192.168.48.0, mask=255.255.252.0, port=0 dst ip=192.168.56.0, mask=255.255.255.0, port=0, dscp=0x0 Phase: 6 Type: NAT Subtype: Result: ALLOW Config: nat (Inside) 0 0.0.0.0 0.0.0.0 nat-control match ip Inside any Outside any no translation group, implicit deny policy_hits = 0 Additional Information: Forward Flow based lookup yields rule: in id=0xac01aba8, priority=0, domain=nat, deny=false hits=3, user_data=0xac01aae8, cs_id=0x0, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Phase: 7 Type: NAT Subtype: host-limits Result: ALLOW Config: nat (Inside) 0 0.0.0.0 0.0.0.0 nat-control match ip Inside any Outside any no translation group, implicit deny policy_hits = 0 Additional Information: Forward Flow based lookup yields rule: in id=0xabd9bb98, priority=0, domain=host, deny=false hits=137, user_data=0xac01aae8, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Phase: 8 Type: VPN Subtype: encrypt Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: out id=0xac00e338, priority=70, domain=encrypt, deny=false hits=2, user_data=0x2f37c, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=192.168.56.10, mask=255.255.255.255, port=0, dscp=0x0 Phase: 9 Type: VPN Subtype: ipsec-tunnel-flow Result: ALLOW Config: Additional Information: Reverse Flow based lookup yields rule: in id=0xabf0ba20, priority=69, domain=ipsec-tunnel-flow, deny=false hits=2, user_data=0x31afc, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip=192.168.56.10, mask=255.255.255.255, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Phase: 10 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Reverse Flow based lookup yields rule: in id=0xab7b1dd0, priority=0, domain=permit-ip-option, deny=true hits=449, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Phase: 11 Type: FLOW-CREATION Subtype: Result: ALLOW Config: Additional Information: New flow created with id 577, packet dispatched to next module Module information for forward flow ... snp_fp_tracer_drop snp_fp_inspect_ip_options snp_fp_tcp_normalizer snp_fp_translate snp_fp_adjacency snp_fp_encrypt snp_fp_fragment snp_ifc_stat Module information for reverse flow ... snp_fp_tracer_drop snp_fp_inspect_ip_options snp_fp_ipsec_tunnel_flow snp_fp_translate snp_fp_tcp_normalizer snp_fp_adjacency snp_fp_fragment snp_ifc_stat Result: input-interface: Inside input-status: up input-line-status: up output-interface: Outside output-status: up output-line-status: up Action: allow --------------- ASAVPN# packet input outside tcp 192.168.49.29 http 192.168.56.10 http detaile$ Phase: 1 Type: FLOW-LOOKUP Subtype: Result: ALLOW Config: Additional Information: Found no matching flow, creating a new flow Phase: 2 Type: ROUTE-LOOKUP Subtype: input Result: ALLOW Config: Additional Information: in 192.168.56.0 255.255.255.0 Outside Phase: 3 Type: ACCESS-LIST Subtype: Result: DROP Config: Implicit Rule Additional Information: Forward Flow based lookup yields rule: in id=0xab7b0000, priority=111, domain=permit, deny=true hits=2, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Result: input-interface: Outside input-status: up input-line-status: up output-interface: Outside output-status: up output-line-status: up Action: drop Drop-reason: (acl-drop) Flow is denied by configured rule
... View more
Created by
klombard
in VPN and AnyConnect
11-26-2013
11-26-2013
Scenario: We currently have a DMVPN hub running two tunnels, one to each
of our two spoke sites. We ...
05-14-2013
We currently have DMVPN running with 1 Hub and 2 spokes. What we'd like
to do on each of the spokes ...
04-18-2013
I have a DMVPN hub with one wan connection/ISP. Our spokes are already
connected on their primary wa...
03-19-2013
Recently started a project with upgrading our remote site routers and
connecting them via a new rout...
Created by
klombard
in VPN and AnyConnect
01-25-2013
01-25-2013
Gah. Knew it was something simple. Actually, following step 1 that you
laid out seems to have fixed ...
Created by
klombard
in VPN and AnyConnect
01-25-2013
01-25-2013
Currently setting up DMVPN Between one hub and spoke. We use all static
routing. I successfully crea...
08-31-2012
Here's the scenario: 1 router will have a primary and secondary ISP
connection. I set up an SLA to t...
Created by
klombard
in VPN and AnyConnect
06-18-2012
06-18-2012
I guess I'm still confused. That solution seems a little more complex
than what I'm trying to do.Her...
Created by
klombard
in VPN and AnyConnect
06-15-2012
06-15-2012
We've got two 1800 routers connected via IPSEC VPN using a tunnel
interface. The router at the branc...
05-13-2011
Ok, I added a route on another router and now I can ping between the vpn
client and the internal net...
05-13-2011
1 packet captured 1: 11:12:44.525455 192.168.49.29.80 >
192.168.56.10.80: S 1864813813:1864813813(0)...
05-13-2011
Phase: 1Type: CAPTURESubtype:Result: ALLOWConfig:Additional Information:
Forward Flow based lookup y...
05-13-2011
Not sure how to do the capture, but when I do a ping from internal to
the client, the client receive...
Public Statistics
| Date Registered | 05-13-2011 09:11 AM |
| Date Last Visited | 08-18-2017 04:00 AM |
| Total Messages Posted | 26 |
