VPN

Hi to all...

I have an HQ site and several branch sites. The HQ has an ASA5540 with static public IPs on the outside, and the branches have DSL lines with 857 security-bundle routers. Anyway, the branch sites have DSL lines and, as you are all aware, the public IPs are dynamic.

I have tested using the HQ as the Easy VPN server and the branch router as the Easy IOS VPN client, and the VPN tunnel test was fine.

The customer wants to have a site-to-site VPN, since in an L2L IPsec tunnel you reach the branch PCs with their real LAN IPs.

Given the following parameters, is a site-to-site VPN applicable in this condition:

1. HQ has an ASA5540 with static public IPs.

2. Branches have DSL with dynamic public IPs.

3. Customer wants branch end servers to be reached by their real local IP.

Best Regards

Abdullah


Hi,

This is possible, and the customer's branch end servers can be reached by their real local IP.

Configure an ACL that mentions your source network and your destination network.

Apply no NAT for this ACL and make this traffic the interesting traffic.

All these things need to be done on both the ASA and your branch routers.

For more information, please go through the link below.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807ea936.shtml

Regards

karuppu

Hi Karuppu,

Thanks for the solution, it worked out perfectly.

One last thing: in this scenario only the branch router will initiate the VPN tunnel.

Is there any way to keep the tunnel up for 24 hours? The branches are on duty 16 hours only, and if the tunnel is down the administrator in HQ will not be able to access it if he wants to do some work or upgrades on it.

Best Regards

Abdullhi Osman

Hi,

Can you paste your configuration related to the VPN?

As far as I know, if you change the phase 1 and phase 2 lifetime to 86400, then your tunnel will be up for 24 hours.

Regards

karuppu

Hi Karuppu,

Here is the router configuration. I haven't set any lifetime, so it should go with the default 24 hours.

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key address x.x.x.x
!
crypto ipsec transform-set TRANS esp-3des esp-md5-hmac
!
crypto map secure 10 ipsec-isakmp
set peer x.x.x.x
set transform-set TRANS
match address 100

Here is the ASA configuration for phase 1 and 2:

crypto ipsec transform-set TRANS esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn-map 1 set transform-set TRANS
crypto dynamic-map dyn-map 1 set reverse-route
crypto map secure 10 ipsec-isakmp dynamic dyn-map
crypto map secure interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

I guess it's the firewall terminating the tunnel due to the lifetime in seconds and kilobytes. What is the best value to set on those two in order to keep the tunnel up 24 hours?
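An added example, not part of the thread, that reads the crypto parts of the two snippets above and reports the lifetimes each side actually ends up with: the platform default is filled in wherever a snippet sets nothing (the defaults are taken from the IOS and ASA documentation), and the shorter of the two phase 2 lifetimes is reported because that is the one IKEv1 peers settle on. The parsing rules and key names are this example's own.

```python
import re

# Defaults applied when a lifetime is not configured explicitly (taken from the
# IOS and ASA documentation): IOS ISAKMP 86400 s, IPsec SA 3600 s / 4608000 KB;
# ASA ISAKMP 86400 s, IPsec SA 28800 s / 4608000 KB.
DEFAULTS = {
    "ios": {"isakmp": 86400, "ipsec_seconds": 3600, "ipsec_kb": 4608000},
    "asa": {"isakmp": 86400, "ipsec_seconds": 28800, "ipsec_kb": 4608000},
}

# The crypto parts of the two snippets pasted above (peer address and key elided as in the post).
ROUTER_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set TRANS esp-3des esp-md5-hmac
"""
ASA_CONFIG = """\
crypto ipsec transform-set TRANS esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
"""

POLICY_RE = re.compile(r"crypto isakmp policy (\d+)$")
SA_LIFE_RE = re.compile(r"crypto ipsec security-association lifetime (seconds|kilobytes) (\d+)$")
LIFETIME_RE = re.compile(r"lifetime (\d+)$")


def effective_lifetimes(config, platform):
    """Phase 1 lifetime per ISAKMP policy plus phase 2 SA lifetimes, defaults filled in."""
    d = DEFAULTS[platform]
    out = {"isakmp": {}, "ipsec_seconds": d["ipsec_seconds"], "ipsec_kb": d["ipsec_kb"]}
    policy = None                                # ISAKMP policy whose sub-mode we are in
    for line in (raw.strip() for raw in config.splitlines()):
        m = POLICY_RE.match(line)
        if m:
            policy = m.group(1)
            out["isakmp"][policy] = d["isakmp"]  # default until a 'lifetime' line overrides it
            continue
        if line.startswith("crypto "):
            policy = None                        # any other top-level crypto line ends the sub-mode
        m = SA_LIFE_RE.match(line)
        if m:
            out["ipsec_seconds" if m.group(1) == "seconds" else "ipsec_kb"] = int(m.group(2))
        m = LIFETIME_RE.match(line)
        if m and policy is not None:
            out["isakmp"][policy] = int(m.group(1))
    return out


def negotiated_phase2_seconds(router, asa):
    """IKEv1 peers settle on the shorter of the two configured phase 2 lifetimes."""
    return min(router["ipsec_seconds"], asa["ipsec_seconds"])
```

For the two snippets above this reports the router's unset phase 2 lifetime as the IOS default of 3600 seconds, which is shorter than the ASA's 28800 and therefore the value the pair rekeys on.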

Hi,

Set crypto ipsec security-association lifetime seconds to 86400 seconds, which is one day.

For your info, from the Cisco ASA configuration guide:

crypto isakmp policy lifetime integer value (86400 = default) 120 to 2147483647

Specifies the SA lifetime. The default is 86,400 seconds or 24 hours. As a general rule, a shorter lifetime provides more secure ISAKMP negotiations (up to a point). However, with shorter lifetimes, the adaptive security appliance sets up future

Regards

Karuppu

Dear Member,

I am now trying to configure remote access Easy VPN on the same firewall, which has the dynamic IPsec site-to-site VPN.

I have configured everything as I guess it should be, but for some reason when I try to connect using the Easy VPN client I get reason 412.

In the debug output I get this as soon as the error pops up on the client:

CCC-FW# May 04 08:44:50 [IKEv1]: Group = EZVPN, IP = 213.181.160.8, Removing peer from peer table failed, no match!
May 04 08:44:50 [IKEv1]: Group = EZVPN, IP = 213.181.160.8, Error: Unable to remove PeerTblEntry

Here is the configuration before adding the Easy VPN parameters:

interface GigabitEthernet0/0
nameif INTERNET
security-level 0
ip address x.x.x.x x.x.x.x standby x.x.x.x
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.16.1.10 255.255.0.0 standby 172.16.1.11
!
interface GigabitEthernet0/3.1
description LAN Failover Interface
vlan 10
!
interface GigabitEthernet0/3.2
description STATE Failover Interface
vlan 20
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
ftp mode passive
clock timezone AST 3
dns domain-lookup INTERNET
dns server-group DefaultDNS

name-server x.x.x.x
name-server x.x.x.x
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list al-internet extended permit esp any interface INTERNET
access-list al-internet extended permit udp any interface INTERNET eq isakmp
access-list al-internet extended permit udp any interface INTERNET eq 4500
access-list al-internet extended permit tcp any interface INTERNET eq ssh
access-list al-internet extended permit tcp any interface INTERNET eq www
access-list al-internet extended permit tcp any interface INTERNET eq https
access-list nonat extended permit ip 172.16.0.0 255.255.0.0 172.19.0.0 255.255.0.0
access-list nonat extended permit ip 172.16.0.0 255.255.0.0 172.16.255.0 255.255.255.0
access-list nonat extended permit ip 172.16.0.0 255.255.0.0 130.1.0.0 255.255.0.0
access-list nonat extended permit ip 172.16.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list cap-in extended permit ip 172.16.0.0 255.255.0.0 130.1.0.0 255.255.0.0
access-list cap-in extended permit ip 130.1.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list EZVPN_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0
pager lines 24
ip local pool EZVPN 172.16.255.100-172.16.255.150
failover
failover lan unit secondary
failover lan interface failover GigabitEthernet0/3.1
failover key *****
failover link state GigabitEthernet0/3.2
failover interface ip failover 192.168.200.1 255.255.255.252 standby 192.168.200.2
failover interface ip state 192.168.200.5 255.255.255.252 standby 192.168.200.6
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any echo-reply inside
no asdm history enable
arp timeout 14400
global (INTERNET) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 172.16.3.10 255.255.255.255
nat (inside) 1 172.16.3.101 255.255.255.255
nat (inside) 1 172.16.3.102 255.255.255.255
nat (inside) 1 172.16.3.103 255.255.255.255
nat (inside) 1 172.16.3.104 255.255.255.255
nat (inside) 1 172.16.3.105 255.255.255.255


access-group al-internet in interface INTERNET
route INTERNET 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 130.1.0.0 255.255.0.0 172.16.1.1 1
route inside 172.17.0.0 255.255.0.0 172.16.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
service resetoutside
crypto ipsec transform-set MCCC-set esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map MCCC-map 1 set transform-set MCCC-set
crypto dynamic-map MCCC-map 1 set reverse-route
crypto map MCCC 10 ipsec-isakmp dynamic MCCC-map
crypto map MCCC interface INTERNET
crypto isakmp enable INTERNET
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

class-map inspection_default
match default-inspection-traffic
!


!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
!
service-policy global_policy global

Here is the config after adding the Easy VPN parameters:

interface GigabitEthernet0/0
nameif INTERNET
security-level 0
ip address x.x.x.x x.x.x.x standby x.x.x.x
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.16.1.10 255.255.0.0 standby 172.16.1.11
!
interface GigabitEthernet0/3.1
description LAN Failover Interface
vlan 10
!
interface GigabitEthernet0/3.2
description STATE Failover Interface
vlan 20
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
ftp mode passive
clock timezone AST 3
dns domain-lookup INTERNET
dns server-group DefaultDNS

name-server x.x.x.x
name-server x.x.x.x
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list al-internet extended permit esp any interface INTERNET
access-list al-internet extended permit udp any interface INTERNET eq isakmp
access-list al-internet extended permit udp any interface INTERNET eq 4500
access-list al-internet extended permit tcp any interface INTERNET eq ssh
access-list al-internet extended permit tcp any interface INTERNET eq www
access-list al-internet extended permit tcp any interface INTERNET eq https
access-list nonat extended permit ip 172.16.0.0 255.255.0.0 172.19.0.0 255.255.0.0
access-list nonat extended permit ip 172.16.0.0 255.255.0.0 172.16.255.0 255.255.255.0
access-list nonat extended permit ip 172.16.0.0 255.255.0.0 130.1.0.0 255.255.0.0
access-list nonat extended permit ip 172.16.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list cap-in extended permit ip 172.16.0.0 255.255.0.0 130.1.0.0 255.255.0.0
access-list cap-in extended permit ip 130.1.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list EZVPN_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0
pager lines 24
ip local pool EZVPN 172.16.255.100-172.16.255.150
failover
failover lan unit secondary
failover lan interface failover GigabitEthernet0/3.1
failover key *****
failover link state GigabitEthernet0/3.2
failover interface ip failover 192.168.200.1 255.255.255.252 standby 192.168.200.2
failover interface ip state 192.168.200.5 255.255.255.252 standby 192.168.200.6
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any echo-reply inside
no asdm history enable
arp timeout 14400
global (INTERNET) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 172.16.3.10 255.255.255.255
nat (inside) 1 172.16.3.101 255.255.255.255
nat (inside) 1 172.16.3.102 255.255.255.255
nat (inside) 1 172.16.3.103 255.255.255.255
nat (inside) 1 172.16.3.104 255.255.255.255
nat (inside) 1 172.16.3.105 255.255.255.255


access-group al-internet in interface INTERNET
route INTERNET 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 130.1.0.0 255.255.0.0 172.16.1.1 1
route inside 172.17.0.0 255.255.0.0 172.16.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
service resetoutside
crypto ipsec transform-set MCCC-set esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map MCCC-map 1 set transform-set MCCC-set
crypto dynamic-map MCCC-map 1 set reverse-route
crypto map MCCC 10 ipsec-isakmp dynamic MCCC-map
crypto map MCCC interface INTERNET
crypto isakmp enable INTERNET
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy EZVPN internal
group-policy EZVPN attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value EZVPN_splitTunnelAcl
username cisco password privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group EZVPN type remote-access
tunnel-group EZVPN general-attributes
address-pool EZVPN
default-group-policy EZVPN
tunnel-group EZVPN ipsec-attributes
pre-shared-key *

I hope someone can find the answer to this problem.

Thanks

Best regards,

Abdullah Osman

So, after adding the EzVPN commands you can't connect with the VPN client and are getting error 412?

Could you post the output from:

debug cry isa 127

debug cry ips 127

when attempting the VPN client connection?

Federico.

Dear Federico

Here is the debug from when I tried to initiate the Easy VPN:

May 07 09:02:39 [IKEv1]: IP = 213.181.160.9, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 849
May 07 09:02:39 [IKEv1 DEBUG]: IP = 213.181.160.9, processing SA payload
May 07 09:02:39 [IKEv1 DEBUG]: IP = 213.181.160.9, processing ke payload
May 07 09:02:39 [IKEv1 DEBUG]: IP = 213.181.160.9, processing ISA_KE payload
May 07 09:02:39 [IKEv1 DEBUG]: IP = 213.181.160.9, processing nonce payload
May 07 09:02:39 [IKEv1 DEBUG]: IP = 213.181.160.9, processing ID payload
May 07 09:02:39 [IKEv1 DEBUG]: IP = 213.181.160.9, processing VID payload
May 07 09:02:39 [IKEv1 DEBUG]: IP = 213.181.160.9, Received xauth V6 VID
May 07 09:02:39 [IKEv1 DEBUG]: IP = 213.181.160.9, processing VID payload
May 07 09:02:39 [IKEv1 DEBUG]: IP = 213.181.160.9, Received DPD VID
May 07 09:02:39 [IKEv1 DEBUG]: IP = 213.181.160.9, processing VID payload
May 07 09:02:39 [IKEv1 DEBUG]: IP = 213.181.160.9, Received Fragmentation VID
May 07 09:02:39 [IKEv1 DEBUG]: IP = 213.181.160.9, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False
May 07 09:02:39 [IKEv1 DEBUG]: IP = 213.181.160.9, processing VID payload
May 07 09:02:39 [IKEv1 DEBUG]: IP = 213.181.160.9, Received NAT-Traversal ver 02 VID
May 07 09:02:39 [IKEv1 DEBUG]: IP = 213.181.160.9, processing VID payload
May 07 09:02:39 [IKEv1 DEBUG]: IP = 213.181.160.9, Received Cisco Unity client VID
May 07 09:02:39 [IKEv1]: IP = 213.181.160.9, Connection landed on tunnel_group EZVPN
May 07 09:02:39 [IKEv1 DEBUG]: Group = EZVPN, IP = 213.181.160.9, processing IKE SA payload
May 07 09:02:39 [IKEv1 DEBUG]: Group = EZVPN, IP = 213.181.160.9, IKE SA Proposal # 1, Transform # 10 acceptable  Matches global IKE entry # 1
May 07 09:02:39 [IKEv1 DEBUG]: Group = EZVPN, IP = 213.181.160.9, constructing ISAKMP SA payload
May 07 09:02:39 [IKEv1 DEBUG]: Group = EZVPN, IP = 213.181.160.9, constructing ke payload
May 07 09:02:39 [IKEv1 DEBUG]: Group = EZVPN, IP = 213.181.160.9, constructing nonce payload
May 07 09:02:39 [IKEv1 DEBUG]: Group = EZVPN, IP = 213.181.160.9, Generating keys for Responder...
May 07 09:02:39 [IKEv1 DEBUG]: Group = EZVPN, IP = 213.181.160.9, constructing ID payload
May 07 09:02:39 [IKEv1 DEBUG]: Group = EZVPN, IP = 213.181.160.9, constructing hash payload
May 07 09:02:39 [IKEv1 DEBUG]: Group = EZVPN, IP = 213.181.160.9, Computing hash for ISAKMP
May 07 09:02:39 [IKEv1 DEBUG]: Group = EZVPN, IP = 213.181.160.9, constructing Cisco Unity VID payload
May 07 09:02:39 [IKEv1 DEBUG]: Group = EZVPN, IP = 213.181.160.9, constructing xauth V6 VID payload
May 07 09:02:39 [IKEv1 DEBUG]: Group = EZVPN, IP = 213.181.160.9, constructing dpd vid payload
May 07 09:02:39 [IKEv1 DEBUG]: Group = EZVPN, IP = 213.181.160.9, constructing NAT-Traversal VID ver 02 payload
May 07 09:02:39 [IKEv1 DEBUG]: Group = EZVPN, IP = 213.181.160.9, constructing NAT-Discovery payload
May 07 09:02:39 [IKEv1 DEBUG]: Group = EZVPN, IP = 213.181.160.9, computing NAT Discovery hash
May 07 09:02:39 [IKEv1 DEBUG]: Group = EZVPN, IP = 213.181.160.9, constructing NAT-Discovery payload
May 07 09:02:39 [IKEv1 DEBUG]: Group = EZVPN, IP = 213.181.160.9, computing NAT Discovery hash
May 07 09:02:39 [IKEv1 DEBUG]: Group = EZVPN, IP = 213.181.160.9, constructing Fragmentation VID + extended capabilities payload
May 07 09:02:39 [IKEv1 DEBUG]: Group = EZVPN, IP = 213.181.160.9, constructing VID payload
May 07 09:02:39 [IKEv1 DEBUG]: Group = EZVPN, IP = 213.181.160.9, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
May 07 09:02:39 [IKEv1]: IP = 213.181.160.9, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 428
May 07 09:02:45 [IKEv1]: Group = EZVPN, IP = 213.181.160.9, Duplicate Phase 1 packet detected.  Retransmitting last packet.
May 07 09:02:45 [IKEv1]: Group = EZVPN, IP = 213.181.160.9, P1 Retransmit msg dispatched to AM FSM
May 07 09:02:50 [IKEv1]: Group = EZVPN, IP = 213.181.160.9, Duplicate Phase 1 packet detected.  Retransmitting last packet.
May 07 09:02:50 [IKEv1]: Group = EZVPN, IP = 213.181.160.9, P1 Retransmit msg dispatched to AM FSM
May 07 09:02:55 [IKEv1]: Group = EZVPN, IP = 213.181.160.9, Duplicate Phase 1 packet detected.  Retransmitting last packet.
May 07 09:02:55 [IKEv1]: Group = EZVPN, IP = 213.181.160.9, P1 Retransmit msg dispatched to AM FSM
%ASA-3-713902: Group = EZVPN, IP = 213.181.160.9, Removing peer from peer table failed, no match!
%ASA-4-713903: Group = EZVPN, IP = 213.181.160.9, Error: Unable to remove PeerTblEntry
May 07 09:03:03 [IKEv1 DEBUG]: Group = EZVPN, IP = 213.181.160.9, IKE AM Responder FSM error history (struct &0xcd3fd0e8)  , :  AM_DONE, EV_ERROR-->AM_WAIT_MSG3, EV_PROB_AUTH_FAIL-->AM_WAIT_MSG3, EV_TIMEOUT-->AM_WAIT_MSG3, NullEvent-->AM_SND_MSG2, EV_CRYPTO_ACTIVE-->AM_SND_MSG2, EV_SND_MSG-->AM_SND_MSG2, EV_START_TMR-->AM_SND_MSG2, EV_RESEND_MSG
May 07 09:03:03 [IKEv1 DEBUG]: Group = EZVPN, IP = 213.181.160.9, IKE SA AM:d9238dcc terminating:  flags 0x0104c001, refcnt 0, tuncnt 0
May 07 09:03:03 [IKEv1 DEBUG]: Group = EZVPN, IP = 213.181.160.9, sending delete/delete with reason message
May 07 09:03:03 [IKEv1 DEBUG]: Group = EZVPN, IP = 213.181.160.9, constructing blank hash payload
May 07 09:03:03 [IKEv1 DEBUG]: Group = EZVPN, IP = 213.181.160.9, constructing IKE delete payload
May 07 09:03:03 [IKEv1 DEBUG]: Group = EZVPN, IP = 213.181.160.9, constructing qm hash payload
May 07 09:03:03 [IKEv1]: IP = 213.181.160.9, IKE_DECODE SENDING Message (msgid=62c0e48e) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
May 07 09:03:03 [IKEv1]: Group = EZVPN, IP = 213.181.160.9, Removing peer from peer table failed, no match!
May 07 09:03:03 [IKEv1]: Group = EZVPN, IP = 213.181.160.9, Error: Unable to remove PeerTblEntry

As you can see, my IP address is 213.181.160.9.

Best Regards

Abdulla Osman
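An added example, not part of the thread, that runs over an abbreviated copy of the debug above and reduces it to the per-peer phase 1 summary a reader otherwise extracts by hand: which tunnel-group the peer landed on, whether the ASA answered aggressive-mode message 1, how many times the client resent it, and the state in which the responder FSM timed out. The line regex, field names and verdict labels are this example's own, not ASA terminology.

```python
import re
from collections import defaultdict

# Abbreviated copy of the ASA IKEv1 debug posted above
# (wrapped lines joined; most payload-construction lines dropped).
DEBUG_OUTPUT = """\
May 07 09:02:39 [IKEv1]: IP = 213.181.160.9, Connection landed on tunnel_group EZVPN
May 07 09:02:39 [IKEv1 DEBUG]: Group = EZVPN, IP = 213.181.160.9, IKE SA Proposal # 1, Transform # 10 acceptable  Matches global IKE entry # 1
May 07 09:02:39 [IKEv1]: IP = 213.181.160.9, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + NONE (0) total length : 428
May 07 09:02:45 [IKEv1]: Group = EZVPN, IP = 213.181.160.9, Duplicate Phase 1 packet detected.  Retransmitting last packet.
May 07 09:02:50 [IKEv1]: Group = EZVPN, IP = 213.181.160.9, Duplicate Phase 1 packet detected.  Retransmitting last packet.
May 07 09:02:55 [IKEv1]: Group = EZVPN, IP = 213.181.160.9, Duplicate Phase 1 packet detected.  Retransmitting last packet.
%ASA-3-713902: Group = EZVPN, IP = 213.181.160.9, Removing peer from peer table failed, no match!
May 07 09:03:03 [IKEv1 DEBUG]: Group = EZVPN, IP = 213.181.160.9, IKE AM Responder FSM error history (struct &0xcd3fd0e8)  , :  AM_DONE, EV_ERROR-->AM_WAIT_MSG3, EV_PROB_AUTH_FAIL-->AM_WAIT_MSG3, EV_TIMEOUT-->AM_WAIT_MSG3, NullEvent-->AM_SND_MSG2
May 07 09:03:03 [IKEv1]: Group = EZVPN, IP = 213.181.160.9, Error: Unable to remove PeerTblEntry
"""

# One debug or syslog line: timestamp + [IKEv1...] or a %ASA-n-nnnnnn prefix,
# optional "Group = X,", then "IP = a.b.c.d," and the message text.
LINE_RE = re.compile(
    r"^(?:\w{3} \d{2} \d{2}:\d{2}:\d{2} \[IKEv1(?: DEBUG)?\]:|%ASA-\d-\d+:)"
    r"(?: Group = (?P<group>\S+),)? IP = (?P<ip>[\d.]+), (?P<msg>.*)$"
)

def analyze(debug_text):
    """Collapse an IKEv1 debug into one phase 1 summary per peer IP."""
    peers = defaultdict(lambda: {"group": None, "sent_msg2": False, "retransmits": 0,
                                 "timeout_state": None, "peer_table_error": False})
    for line in debug_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        p, msg = peers[m.group("ip")], m.group("msg")
        if m.group("group"):
            p["group"] = m.group("group")
        if "Connection landed on tunnel_group" in msg:
            p["group"] = msg.rsplit(" ", 1)[1]
        elif "IKE_DECODE SENDING Message (msgid=0)" in msg:
            p["sent_msg2"] = True          # responder answered aggressive-mode message 1
        elif "Duplicate Phase 1 packet detected" in msg:
            p["retransmits"] += 1          # client resent message 1, never moved on
        elif "FSM error history" in msg:
            # the state paired with EV_TIMEOUT is where the responder sat when it gave up
            hit = re.search(r"EV_TIMEOUT-->(\w+)", msg)
            p["timeout_state"] = hit.group(1) if hit else None
        elif "Removing peer from peer table failed" in msg:
            p["peer_table_error"] = True
    return {ip: dict(p, verdict=verdict(p)) for ip, p in peers.items()}

def verdict(p):
    """Name the failure pattern so it can be checked against the config rather than guessed."""
    if p["sent_msg2"] and p["retransmits"] and p["timeout_state"] == "AM_WAIT_MSG3":
        return "phase 1 stalled: message 2 sent, message 3 never accepted from the client"
    if p["peer_table_error"] and not p["sent_msg2"]:
        return "peer torn down before phase 1 message 2 was sent"
    return "no phase 1 failure pattern recognised"
```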

Abdulla,

You can't connect with the VPN client now, correct?
We know from the debugs that the remote access connection is landing on the EZVPN tunnel-group.
213.181.160.9 is the public IP address where your VPN client is coming from, correct?

From the debugs, all went well until there were retransmissions because of duplicate packets.

Can you show us the status of the
sh cry isa sa
sh cry ips sa
for your client VPN, when attempting the connection?

Federico.