asa vpn tunel

Upload: bora-ozver

Post on 06-Apr-2018


  • 8/3/2019 Asa VPN Tunel

    1/20

    Cisco ASA 5500 Series Adaptive Security Appliances

    LAN-to-LAN Tunnel Between ASA 5505 and ASA/PIX

    Contents

    Introduction
    Prerequisites
    Requirements
    Components Used
    Related Products
    Conventions
    Configure
    Network Diagram
    Configurations
    Verify
    Troubleshoot
    Cisco Support Community - Featured Conversations
    Related Information

    Document ID: 100678

    Introduction

    This document provides a sample configuration for the LAN-to-LAN (Security Appliances (ASA/PIX) and the Adaptive Security Appliance

    Prerequisites

    Requirements

    There are no specific requirements for this document.

    Components Used

    The information in this document is based on these software and ha

    Cisco 5500 Series ASA that runs the software version 7.x an

    Cisco 5505 ASA that runs the software version 7.x and later

    The information in this document was created from the devices in a s
    devices used in this document started with a cleared (default) config
    that you understand the potential impact of any command.

    Related Products

    This configuration can also be used with these hardware and softwa

    Cisco 500 Series PIX Security Appliance that runs the softwa

    Cisco 5505 ASA that runs the software version 7.x and later


    Page 1 / 20  LAN-to-LAN Tunnel Between ASA 5505 and ASA/PIX Configuration Example - Cis...
    15.01.2012  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186...

    Conventions

    Refer to the Cisco Technical Tips Conventions for more information

    Configure

    In this section, you are presented with the information to configure th

    Note: Use the Command Lookup Tool (registered customers only) t
    commands used in this section.

    Network Diagram

    This document uses this network setup:

    Configurations

    This document uses these configurations:

    Cisco 5505 ASA Configuration

    Cisco 5510 ASA Configuration

    Cisco 5505 ASA Configuration

    ASA5505#show running-config
    : Saved
    :
    ASA Version 8.0(2)
    !
    hostname ASA5505
    enable password 8Ry2YjIyt7RRXU24 encrypt
    names
    !
    interface Vlan1
     no nameif
     no security-level
     no ip address
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 172.16.1.1 255.255.255.0
    !
    interface Vlan3
     nameif inside
     security-level 100
     ip address 10.2.2.1 255.255.255.0
    !
    interface Ethernet0/0
     switchport access vlan 3
    !
    interface Ethernet0/1
     switchport access vlan 2
    !
    interface Ethernet0/2
     shutdown
    !
    interface Ethernet0/3
     shutdown
    !
    interface Ethernet0/4
     shutdown
    !
    interface Ethernet0/5
     shutdown
    !
    interface Ethernet0/6
     shutdown
    !
    interface Ethernet0/7
     shutdown
    !
    passwd 2KFQnbNIdI.2KYOU encrypted
    boot system disk0:/asa802-k8.bin
    ftp mode passive
    access-list 100 extended permit ip 10.2.

    !--- Access-list for interesting traffic
    !--- encrypted between ASA 5505 and ASA/

    access-list nonat extended permit ip 10.

    !--- Access-list for traffic to bypass t
    !--- translation (NAT) process.

    pager lines 24
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size
    asdm image disk0:/asdm-602.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 0.0.0.0 0.0.0.0

    !--- Specify the NAT configuration.
    !--- NAT 0 prevents NAT for the ACL defi
    !--- The nat 1 command specifies NAT for

    route outside 10.1.1.0 255.255.255.0 172
    route outside 192.168.1.0 255.255.255.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00
    timeout sunrpc 0:10:00 h323 0:05:00 h225
    timeout sip 0:30:00 sip_media 0:02:00 si
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessP
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentica

    !--- PHASE 2 CONFIGURATION
    !--- The encryption types for Phase 2 ar

    crypto ipsec transform-set myset esp-3de

    !--- Define the transform set for Phase

    crypto map outside_map 20 match address

    !--- Define which traffic can be sent to

    crypto map outside_map 20 set peer 192.1

    !--- Sets the IPsec peer.

    crypto map outside_map 20 set transform-

    !--- Sets the IPsec transform set "myset
    !--- to be used with the crypto map entr

    crypto map outside_map interface outside

    !--- Crypto map applied to the outside i

    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400

    !--- PHASE 1 CONFIGURATION ---!
    !--- This configuration uses isakmp poli
    !--- These configuration commands
    !--- define the Phase 1 policies that ar

    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_m
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    !
    service-policy global_policy global
    tunnel-group 192.168.1.1 type ipsec-l2l

    !--- In order to create and manage the d
    !--- for ipsec-l2l IPsec (LAN-to-LAN) tu
    !--- command in global configuration mod
    !--- For L2L connections the name of the
    !--- address of the IPsec peer.

    tunnel-group 192.168.1.1 ipsec-attribute
     pre-shared-key *

    !--- Enter the pre-shared-key in order t

    prompt hostname context
    Cryptochecksum:68eba159fd8e4c893f24185ff
    : end
    ASA5505#

    Cisco 5510 ASA Configuration

    ASA5510#show running-config
    : Saved
    :
    ASA Version 8.0(2)
    !
    hostname ASA5510
    enable password 8Ry2YjIyt7RRXU24 encrypt
    names
    !
    interface Ethernet0/0
     nameif inside
     security-level 100
     ip address 10.1.1.1 255.255.255.0
    !
    interface Ethernet0/1
     nameif outside
     security-level 0
     ip address 192.168.1.1 255.255.255.0
    !
    interface Ethernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Ethernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     shutdown
     no nameif
     no security-level
     no ip address
    !
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    access-list 100 extended permit ip 10.1.

    !--- Access-list for interesting traffic
    !--- encrypted between ASA 5505 and ASA/

    access-list nonat extended permit ip 10.

    !--- Access-list for traffic to bypass t
    !--- translation (NAT) process.

    pager lines 24
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size
    asdm image disk0:/asdm-522.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 0.0.0.0 0.0.0.0

    !--- Specify the NAT configuration.
    !--- NAT 0 prevents NAT for the ACL defi
    !--- The nat 1 command specifies NAT for

    route outside 10.2.2.0 255.255.255.0 192
    route outside 172.16.1.0 255.255.255.0 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00
    timeout sunrpc 0:10:00 h323 0:05:00 h225
    timeout sip 0:30:00 sip_media 0:02:00 si
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessP
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentica

    !--- PHASE 2 CONFIGURATION
    !--- The encryption types for Phase 2 ar

    crypto ipsec transform-set myset esp-3de

    !--- Define the transform set for Phase

    crypto map outside_map 20 match address

    !--- Define which traffic can be sent to

    crypto map outside_map 20 set peer 172.1

    !--- Sets the IPsec peer.

    crypto map outside_map 20 set transform-

    !--- Sets the IPsec transform set "myset
    !--- to be used with the crypto map entr

    crypto map outside_map interface outside

    !--- Crypto map applied to the outside i

    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400

    !--- PHASE 1 CONFIGURATION ---!
    !--- This configuration uses isakmp poli
    !--- These configuration commands
    !--- define the Phase 1 policies that ar

    crypto isakmp policy 65535
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_m
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    !
    service-policy global_policy global
    tunnel-group 172.16.1.1 type ipsec-l2l

    !--- In order to create and manage the d
    !--- for ipsec-l2l IPsec (LAN-to-LAN) tu
    !--- command in global configuration mod
    !--- For L2L connections the name of the
    !--- address of the IPsec peer.

    tunnel-group 172.16.1.1 ipsec-attributes
     pre-shared-key *

    !--- Enter the pre-shared-key in order t

    prompt hostname context
    Cryptochecksum:d41d8cd98f00b204e9800998e
    : end
    ASA5510#
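    The two configurations above have to mirror each other: the crypto ACLs are swapped images of one another, the nat 0 ACL covers the same traffic, the transform set and ISAKMP policy match, and each ipsec-l2l tunnel-group is named with the peer's address. The Python below is an added example, not part of the Cisco document: it parses the relevant lines from both peers and reports any mismatch. The full access-list lines are an assumption, since the document's are truncated.

```python
# Mirror-consistency check for the two ASA L2L peers (added example, not Cisco's
# code). The fragments are constructed from the document's addressing; its
# access-list lines are truncated, so their full form here is an assumption.
from ipaddress import IPv4Network

ASA5505 = """\
access-list 100 extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer 192.168.1.1
crypto map outside_map 20 set transform-set myset
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
tunnel-group 192.168.1.1 type ipsec-l2l
"""
ASA5510 = """\
access-list 100 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer 172.16.1.1
crypto map outside_map 20 set transform-set myset
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
tunnel-group 172.16.1.1 type ipsec-l2l
"""

def parse_asa(text):
    """Extract only the settings that must agree between the two L2L peers."""
    cfg = {"acl": {}, "nat0": None, "tset": {}, "map": {}, "isakmp": {}, "l2l": set()}
    policy = None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if line.startswith(" ") and policy is not None:  # isakmp policy sub-command
            policy[t[0]] = " ".join(t[1:])
            continue
        policy = None
        if t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            flow = (IPv4Network(f"{t[5]}/{t[6]}"), IPv4Network(f"{t[7]}/{t[8]}"))
            cfg["acl"].setdefault(t[1], set()).add(flow)
        elif t[:3] == ["nat", "(inside)", "0"]:  # NAT exemption (nat 0) ACL
            cfg["nat0"] = t[4]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["tset"][t[3]] = frozenset(t[4:])
        elif t[:2] == ["crypto", "map"] and t[3].isdigit():
            entry = cfg["map"].setdefault((t[2], int(t[3])), {})
            entry[t[5] if t[4] == "set" else "acl"] = t[-1]
        elif t[:3] == ["crypto", "isakmp", "policy"]:
            policy = cfg["isakmp"].setdefault(int(t[3]), {})
        elif t[0] == "tunnel-group" and t[2:4] == ["type", "ipsec-l2l"]:
            cfg["l2l"].add(t[1])
    return cfg

def check_peers(a, b):
    """Return mismatches seen from peer a's side (empty list means consistent)."""
    problems = []
    for (name, seq), e in a["map"].items():
        if e.get("peer") not in a["l2l"]:  # L2L tunnel-group name must be the peer IP
            problems.append(f"{name} {seq}: no ipsec-l2l tunnel-group named {e.get('peer')}")
        flows = a["acl"].get(e.get("acl"), set())
        if not flows <= a["acl"].get(a["nat0"], set()):  # interesting traffic must bypass NAT
            problems.append(f"{name} {seq}: crypto ACL traffic is not exempt from NAT")
        mirror = {(dst, src) for src, dst in flows}
        if not any(mirror == b["acl"].get(m.get("acl")) for m in b["map"].values()):
            problems.append(f"{name} {seq}: peer has no mirror-image crypto ACL")
    if not set(a["tset"].values()) & set(b["tset"].values()):
        problems.append("no common IPsec transform set between peers")
    keys = ("authentication", "encryption", "hash", "group")
    own = {tuple(p.get(k) for k in keys) for p in a["isakmp"].values()}
    far = {tuple(p.get(k) for k in keys) for p in b["isakmp"].values()}
    if not own & far:
        problems.append("no matching ISAKMP (Phase 1) policy between peers")
    return problems
```

    Run check_peers in both directions (5505 against 5510, then 5510 against 5505) so that a one-sided omission on either box is reported.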

    Verify

    Use this section to confirm that your configuration works properly.

    The Output Interpreter Tool (registered customers only) (OIT) suppo
    to view an analysis of show command output.

    show crypto isakmp sa: Displays all current IKE security a

    show crypto ipsec sa: Displays all current IPsec SAs.

    This section shows example verification configurations for:

    Cisco 5505 ASA

    Cisco 5510 ASA

    Cisco 5505 ASA

    ASA5505#show crypto isakmp sa

       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1
    Total IKE SA: 1

    1   IKE Peer: 192.168.1.1
        Type    : L2L             Role    :
        Rekey   : no              State   :

    ASA5505#show crypto ipsec sa
    interface: outside
        Crypto map tag: outside_map, seq num

          access-list 100 permit ip 10.2.2.0
          local ident (addr/mask/prot/port):
          remote ident (addr/mask/prot/port)
          current_peer: 192.168.1.1

          #pkts encaps: 4, #pkts encrypt: 4,
          #pkts decaps: 4, #pkts decrypt: 4,
          #pkts compressed: 0, #pkts decompr
          #pkts not compressed: 4, #pkts com
          #pre-frag successes: 0, #pre-frag
          #PMTUs sent: 0, #PMTUs rcvd: 0, #d
          #send errors: 0, #recv errors: 0

          local crypto endpt.: 172.16.1.1, r

          path mtu 1500, ipsec overhead 58,
          current outbound spi: A0411DE6

        inbound esp sas:
          spi: 0x8312C39C (2199045020)
             transform: esp-3des esp-sha-hma
             in use settings ={L2L, Tunnel,
             slot: 0, conn_id: 8192, crypto-
             sa timing: remaining key lifeti
             IV size: 8 bytes
             replay detection support: Y
        outbound esp sas:
          spi: 0xA0411DE6 (2688622054)
             transform: esp-3des esp-sha-hma
             in use settings ={L2L, Tunnel,
             slot: 0, conn_id: 8192, crypto-
             sa timing: remaining key lifeti
             IV size: 8 bytes
             replay detection support: Y

    Cisco 5510 ASA

    ASA5510#show crypto isakmp sa

       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1
    Total IKE SA: 1

    1   IKE Peer: 172.16.1.1
        Type    : L2L             Role    :
        Rekey   : no              State   :

    ASA5510#show crypto ipsec sa
    interface: outside
        Crypto map tag: outside_map, seq num

          access-list 100 permit ip 10.1.1.0
          local ident (addr/mask/prot/port):
          remote ident (addr/mask/prot/port)
          current_peer: 172.16.1.1

          #pkts encaps: 4, #pkts encrypt: 4,
          #pkts decaps: 4, #pkts decrypt: 4,
          #pkts compressed: 0, #pkts decompr
          #pkts not compressed: 4, #pkts com
          #pre-frag successes: 0, #pre-frag
          #PMTUs sent: 0, #PMTUs rcvd: 0, #d
          #send errors: 0, #recv errors: 0

          local crypto endpt.: 192.168.1.1,

          path mtu 1500, ipsec overhead 58,
          current outbound spi: 8312C39C

        inbound esp sas:
          spi: 0xA0411DE6 (2688622054)
             transform: esp-3des esp-sha-hma
             in use settings ={L2L, Tunnel,
             slot: 0, conn_id: 8192, crypto-
             sa timing: remaining key lifeti
             IV size: 8 bytes
             replay detection support: Y
        outbound esp sas:
          spi: 0x8312C39C (2199045020)
             transform: esp-3des esp-sha-hma
             in use settings ={L2L, Tunnel,
             slot: 0, conn_id: 8192, crypto-
             sa timing: remaining key lifeti
             IV size: 8 bytes
             replay detection support: Y
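    The #pkts encaps and #pkts decaps counters above are the quickest health signal for an L2L tunnel: both climbing means traffic flows both ways, only one climbing means a one-way tunnel. The parser below is an added example, not from the Cisco document; its sample output is constructed in the shape of the ASA5505 output above, with an invented second entry whose decaps counter stays at zero to show the encrypt-only case.

```python
# Parser for "show crypto ipsec sa" output that flags one-way tunnels (added
# example, not Cisco's code). SAMPLE is constructed in the shape of the document's
# ASA5505 output; the second entry and its counters are invented for the encrypt-only case.
import re

SAMPLE = """\
interface: outside
    Crypto map tag: outside_map, seq num: 20, local addr: 172.16.1.1

      access-list 100 permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      current_peer: 192.168.1.1

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #send errors: 0, #recv errors: 0

    Crypto map tag: outside_map, seq num: 30, local addr: 172.16.1.1

      local ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)
      current_peer: 192.168.1.9

      #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""

ENTRY = re.compile(r"Crypto map tag: (\S+), seq num: (\d+)")
FIELDS = {
    "peer": re.compile(r"current_peer: (\S+)"),
    "local": re.compile(r"local ident \(addr/mask/prot/port\): \(([^)]*)\)"),
    "remote": re.compile(r"remote ident \(addr/mask/prot/port\): \(([^)]*)\)"),
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
    "send_err": re.compile(r"#send errors: (\d+)"),
    "recv_err": re.compile(r"#recv errors: (\d+)"),
}
COUNTERS = ("encaps", "decaps", "send_err", "recv_err")

def parse_ipsec_sa(text):
    """Return one record per crypto map entry found in the command output."""
    heads = list(ENTRY.finditer(text))
    records = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[head.end():end]
        rec = {"map": head.group(1), "seq": int(head.group(2))}
        for key, rx in FIELDS.items():
            m = rx.search(body)
            rec[key] = m.group(1) if m else None
        for key in COUNTERS:
            rec[key] = int(rec[key] or 0)  # a missing counter is treated as zero
        records.append(rec)
    return records

def assess(rec):
    """Classify an SA from its counters; one-way traffic is the classic L2L symptom."""
    if rec["encaps"] and rec["decaps"]:
        state = "up"
    elif rec["encaps"]:
        state = "one-way-out"   # we encrypt, nothing comes back decrypted
    elif rec["decaps"]:
        state = "one-way-in"    # we decrypt, nothing of ours is being sent
    else:
        state = "idle"          # no interesting traffic has matched yet
    hints = {
        "one-way-out": "check the peer's crypto ACL, NAT exemption and route back",
        "one-way-in": "check the local crypto ACL, nat 0 exemption and route",
        "idle": "send traffic that matches the crypto ACL, then re-check",
        "up": "traffic is flowing in both directions",
    }
    hint = hints[state]
    if rec["send_err"] or rec["recv_err"]:
        hint += f"; {rec['send_err']} send / {rec['recv_err']} recv errors logged"
    return state, hint

def summarize(text):
    """(map, seq, peer, state) for every entry, for a quick tunnel health view."""
    return [(r["map"], r["seq"], r["peer"], assess(r)[0]) for r in parse_ipsec_sa(text)]
```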

    Troubleshoot

    This section provides information you can use to troubleshoot your c

    Make use of these commands as shown:

    clear crypto isakmp sa: Clears the Phase 1 SAs.

    Caution: The clear crypto isakmp sa command is in
    tunnels. Starting with the 8.0(3) version of PIX/ASA software,
    the clear crypto isakmp sa command. Be
    sessiondb logoff tunnel-group comm
    SAs for a single tunnel.

    ASA5505#vpn-sessiondb logoff tun
    Do you want to logoff the VPN se
    INFO: Number of sessions from Tu
    ASA5505# Jan 19 13:58:43 [IKEv1
    itcher: received key delete msg,
    Jan 19 13:58:43 [IKEv1]: Group =
    nated for peer 192.168.1.1.  Rea
    Local Proxy 10.2.2.0
    Jan 19 13:58:43 [IKEv1 DEBUG]: G
    116f1ccf rcv'd Terminate: state
    Jan 19 13:58:43 [IKEv1 DEBUG]: G
    lete/delete with reason message
    Jan 19 13:58:43 [IKEv1 DEBUG]: G
    ng blank hash payload
    Jan 19 13:58:43 [IKEv1 DEBUG]: G
    ng IPSec delete payload
    Jan 19 13:58:43 [IKEv1 DEBUG]: G
    ng qm hash payload
    Jan 19 13:58:43 [IKEv1]: IP = 19
    46fb4) with payloads : HDR + HAS
    Jan 19 13:58:43 [IKEv1 DEBUG]: G
    t receives a delete event for re
    Jan 19 13:58:43 [IKEv1 DEBUG]: G
    ng SA: Remote Proxy 10.1.1.0, Lo
    Jan 19 13:58:43 [IKEv1 DEBUG]: G
    116f1ccf terminating: flags 0x0
    Jan 19 13:58:43 [IKEv1 DEBUG]: G
    lete/delete with reason message
    Jan 19 13:58:43 [IKEv1 DEBUG]: G
    ng blank hash payload
    Jan 19 13:58:43 [IKEv1 DEBUG]: G
    ng IKE delete payload
    Jan 19 13:58:43 [IKEv1 DEBUG]: G
    ng qm hash payload
    Jan 19 13:58:43 [IKEv1]: IP = 19
    78fac) with payloads : HDR + HAS
    Jan 19 13:58:43 [IKEv1 DEBUG]: P
    Jan 19 13:58:43 [IKEv1 DEBUG]: P
    Jan 19 13:58:43 [IKEv1]: IP = 19
    ching SA, dropping

    clear crypto ipsec sa peer: Clears the r

    ASA5505(config)#clear ipsec sa p
    ASA5505(config)# IPSEC: Deleted
        Rule ID: 0xD4E56A18
    IPSEC: Deleted inbound permit ru
        Rule ID: 0xD4DF4110
    IPSEC: Deleted inbound tunnel fl
        Rule ID: 0xD4DAE1F0
    IPSEC: Deleted inbound VPN conte
        VPN handle: 0x00058FBC
    IPSEC: Deleted outbound encrypt
        Rule ID: 0xD4DA4348
    IPSEC: Deleted outbound permit r
        Rule ID: 0xD4DAE7A8
    IPSEC: Deleted outbound VPN cont
        VPN handle: 0x0005633C

    debug crypto isakmp sa: Debugs ISAKMP

    ASA5505(config)#debug crypto isa
    ASA5505(config)# Jan 19 13:39:49
    Message (msgid=0) with payloads
    DOR (13) + NONE (0) total length
    Jan 19 13:39:49 [IKEv1 DEBUG]: I
    Jan 19 13:39:49 [IKEv1 DEBUG]: I
    Jan 19 13:39:49 [IKEv1 DEBUG]: I
    Jan 19 13:39:49 [IKEv1 DEBUG]: I
    ID
    Jan 19 13:39:49 [IKEv1 DEBUG]: I
    Jan 19 13:39:49 [IKEv1 DEBUG]: I
    ID
    Jan 19 13:39:49 [IKEv1 DEBUG]: I
    Jan 19 13:39:49 [IKEv1 DEBUG]: I
    Jan 19 13:39:49 [IKEv1 DEBUG]: I
    tion capability flags: Main Mod
    Jan 19 13:39:49 [IKEv1 DEBUG]: I
    Jan 19 13:39:49 [IKEv1 DEBUG]: I
    # 1 acceptable Matches global I
    Jan 19 13:39:49 [IKEv1 DEBUG]: I
    Jan 19 13:39:49 [IKEv1 DEBUG]: I
    ver 02 payload
    Jan 19 13:39:49 [IKEv1 DEBUG]: I
    + extended capabilities payload
    Jan 19 13:39:49 [IKEv1]: IP = 19
    with payloads : HDR + SA (1) + V
    : 128
    Jan 19 13:39:49 [IKEv1]: IP = 19
    with payloads : HDR + KE (4) +
    (13) + VENDOR (13) + NAT-D (130)
    Jan 19 13:39:49 [IKEv1 DEBUG]: I
    Jan 19 13:39:49 [IKEv1 DEBUG]: I
    Jan 19 13:39:49 [IKEv1 DEBUG]: I
    Jan 19 13:39:49 [IKEv1 DEBUG]: I
    Jan 19 13:39:49 [IKEv1 DEBUG]: I
    Jan 19 13:39:49 [IKEv1 DEBUG]: I
    Jan 19 13:39:49 [IKEv1 DEBUG]: I
    Jan 19 13:39:49 [IKEv1 DEBUG]: I
    Jan 19 13:39:49 [IKEv1 DEBUG]: I
    IOS Vendor ID payload (version:
    Jan 19 13:39:49 [IKEv1 DEBUG]: I
    Jan 19 13:39:49 [IKEv1 DEBUG]: I
    isco ASA GW VID
    Jan 19 13:39:49 [IKEv1 DEBUG]: I
    d
    Jan 19 13:39:49 [IKEv1 DEBUG]: I
    Jan 19 13:39:49 [IKEv1 DEBUG]: I
    d
    Jan 19 13:39:49 [IKEv1 DEBUG]: I
    Jan 19 13:39:49 [IKEv1 DEBUG]: I
    Jan 19 13:39:49 [IKEv1 DEBUG]: I
    Jan 19 13:39:49 [IKEv1 DEBUG]: I
    yload
    Jan 19 13:39:49 [IKEv1 DEBUG]: I
    ad
    Jan 19 13:39:49 [IKEv1 DEBUG]: I
    Jan 19 13:39:49 [IKEv1 DEBUG]: I
    endor ID payload (version: 1.0.0
    Jan 19 13:39:49 [IKEv1 DEBUG]: I
    Jan 19 13:39:49 [IKEv1 DEBUG]: I
    ASA GW VID
    Jan 19 13:39:49 [IKEv1 DEBUG]: I
    oad
    Jan 19 13:39:49 [IKEv1 DEBUG]: I
    Jan 19 13:39:49 [IKEv1 DEBUG]: I
    oad
    Jan 19 13:39:49 [IKEv1 DEBUG]: I
    Jan 19 13:39:49 [IKEv1]: IP = 19
    .168.1.1
    Jan 19 13:39:49 [IKEv1 DEBUG]: G
    keys for Responder...
    Jan 19 13:39:49 [IKEv1]: IP = 19
    with payloads : HDR + KE (4) + N
    13) + VENDOR (13) + NAT-D (130)
    Jan 19 13:39:49 [IKEv1]: IP = 19
    with payloads : HDR + ID (5) +
    ONE (0) total length : 96
    Jan 19 13:39:49 [IKEv1 DEBUG]: G
    ID payload
    Jan 19 13:39:49 [IKEv1 DEBUG]: G
    hash payload
    Jan 19 13:39:49 [IKEv1 DEBUG]: G
    hash for ISAKMP
    Jan 19 13:39:49 [IKEv1 DEBUG]: I
    ad: proposal=32767/32767 sec.
    Jan 19 13:39:49 [IKEv1 DEBUG]: G
    VID payload
    Jan 19 13:39:49 [IKEv1 DEBUG]: G
    PD VID
    Jan 19 13:39:49 [IKEv1]: Group =
    tection Status: Remote end i
    behind a NAT device
    Jan 19 13:39:49 [IKEv1]: IP = 19
    .168.1.1
    Jan 19 13:39:49 [IKEv1]: Group =
    ly allocated memory for authoriz
    Jan 19 13:39:49 [IKEv1 DEBUG]: G
    ng ID payload
    Jan 19 13:39:49 [IKEv1 DEBUG]: G
    ng hash payload
    Jan 19 13:39:49 [IKEv1 DEBUG]: G
    hash for ISAKMP
    Jan 19 13:39:49 [IKEv1 DEBUG]: I
    load: proposal=32767/32767 sec.
    Jan 19 13:39:49 [IKEv1 DEBUG]: G
    ng dpd vid payload
    Jan 19 13:39:49 [IKEv1]: IP = 19
    with payloads : HDR + ID (5) + H
    NE (0) total length : 96
    Jan 19 13:39:49 [IKEv1]: Group =
    D
    Jan 19 13:39:49 [IKEv1]: IP = 19
    DPD
    Jan 19 13:39:49 [IKEv1 DEBUG]: G
    1 rekey timer: 73440 seconds.
    Jan 19 13:39:49 [IKEv1]: IP = 19
    21905f) with payloads : HDR + HA
    NOTIFY (11) + NONE (0) total le
    Jan 19 13:39:49 [IKEv1 DEBUG]: G
    hash payload
    Jan 19 13:39:49 [IKEv1 DEBUG]: G
    SA payload
    Jan 19 13:39:49 [IKEv1 DEBUG]: G
    nonce payload
    Jan 19 13:39:49 [IKEv1 DEBUG]: G
    ID payload
    Jan 19 13:39:49 [IKEv1]: Group =
    IP Proxy Subnet data in ID Paylo
    ocol 0, Port 0
    Jan 19 13:39:49 [IKEv1 DEBUG]: G
    ID payload
    Jan 19 13:39:49 [IKEv1]: Group =
    P Proxy Subnet data in ID Payloa
    col 0, Port 0
    Jan 19 13:39:49 [IKEv1 DEBUG]: G
    notify payload
    Jan 19 13:39:49 [IKEv1]: Group =
    sa not found by addr
    Jan 19 13:39:49 [IKEv1]: Group =
    p check, checking map = outside_
    Jan 19 13:39:49 [IKEv1]: Group =
    p check, map outside_map, seq =
    Jan 19 13:39:49 [IKEv1]: Group =
    configured for crypto map: outsi
    Jan 19 13:39:49 [IKEv1 DEBUG]: G
    IPSec SA payload
    Jan 19 13:39:49 [IKEv1 DEBUG]: G
    roposal # 1, Transform # 1 accep
    Jan 19 13:39:49 [IKEv1]: Group =
    SPI!
    Jan 19 13:39:49 [IKEv1 DEBUG]: G
    I from key engine: SPI = 0x826ff
    Jan 19 13:39:49 [IKEv1 DEBUG]: G
    stucting quick mode
    Jan 19 13:39:49 [IKEv1 DEBUG]: G
    ng blank hash payload
    Jan 19 13:39:49 [IKEv1 DEBUG]: G
    ng IPSec SA payload
    Jan 19 13:39:49 [IKEv1 DEBUG]: G
    ng IPSec nonce payload
    Jan 19 13:39:49 [IKEv1 DEBUG]: G
    ng proxy ID
    Jan 19 13:39:49 [IKEv1 DEBUG]: G

    debug crypto ipsec sa: Debugs IPsec SA n

    ASA5505(config)#debug crypto ips
    ASA5505(config)# IPSEC: New embr
        SCB: 0xD4E56CF8,
        Direction: inbound
        SPI : 0x8030618F
        Session ID: 0x00006000
        VPIF num : 0x00000001
        Tunnel type: l2l
        Protocol : esp
        Lifetime : 240 seconds
    IPSEC: New embryonic SA created
        SCB: 0xD4DAE608,
        Direction: outbound
        SPI : 0x0D6CDEEB
        Session ID: 0x00006000
        VPIF num : 0x00000001
        Tunnel type: l2l
        Protocol : esp
        Lifetime : 240 seconds
    IPSEC: Completed host OBSA updat
    IPSEC: Creating outbound VPN con
        Flags: 0x00000005
        SA : 0xD4E57AD8
        SPI : 0x0D6CDEEB
        MTU : 1500 bytes
        VCID : 0x00000000
        Peer : 0x00000000
        SCB : 0x015E69CB
        Channel: 0xD3D60A98
    IPSEC: Completed outbound VPN co
        VPN handle: 0x0005633C
    IPSEC: New outbound encrypt rule
        Src addr: 10.2.2.0
        Src mask: 255.255.255.0
        Dst addr: 10.1.1.0
        Dst mask: 255.255.255.0
        Src ports
          Upper: 0
          Lower: 0
          Op : ignore
        Dst ports
          Upper: 0
          Lower: 0
          Op : ignore
        Protocol: 0
        Use protocol: false
        SPI: 0x00000000
        Use SPI: false
    IPSEC: Completed outbound encryp
        Rule ID: 0xD4DA4348
    IPSEC: New outbound permit rule,
        Src addr: 172.16.1.1
        Src mask: 255.255.255.255
        Dst addr: 192.168.1.1
        Dst mask: 255.255.255.255
        Src ports
          Upper: 0
          Lower: 0
          Op : ignore
        Dst ports
          Upper: 0
          Lower: 0
          Op : ignore
        Protocol: 50
        Use protocol: true
        SPI: 0x0D6CDEEB
        Use SPI: true
    IPSEC: Completed outbound permit
        Rule ID: 0xD4DAE7A8
    IPSEC: Completed host IBSA updat
    IPSEC: Creating inbound VPN cont
        Flags: 0x00000006
        SA : 0xD4E56E18
        SPI : 0x8030618F
        MTU : 0 bytes
        VCID : 0x00000000
        Peer : 0x0005633C
        SCB : 0x015DD135
        Channel: 0xD3D60A98
    IPSEC: Completed inbound VPN con
        VPN handle: 0x00058FBC
    IPSEC: Updating outbound VPN con
        Flags: 0x00000005
        SA : 0xD4E57AD8
        SPI : 0x0D6CDEEB
        MTU : 1500 bytes
        VCID : 0x00000000
        Peer : 0x00058FBC
        SCB : 0x015E69CB
        Channel: 0xD3D60A98
    IPSEC: Completed outbound VPN co
        VPN handle: 0x0005633C
    IPSEC: Completed outbound inner
        Rule ID: 0xD4DA4348
    IPSEC: Completed outbound outer
        Rule ID: 0xD4DAE7A8
    IPSEC: New inbound tunnel flow r
        Src addr: 10.1.1.0
        Src mask: 255.255.255.0
        Dst addr: 10.2.2.0
        Dst mask: 255.255.255.0
        Src ports
          Upper: 0
          Lower: 0
          Op : ignore
        Dst ports
          Upper: 0
          Lower: 0
          Op : ignore
        Protocol: 0
        Use protocol: false
        SPI: 0x00000000
        Use SPI: false
    IPSEC: Completed inbound tunnel
        Rule ID: 0xD4DAE1F0
    IPSEC: New inbound decrypt rule,
        Src addr: 192.168.1.1
        Src mask: 255.255.255.255
        Dst addr: 172.16.1.1
        Dst mask: 255.255.255.255
        Src ports
          Upper: 0
          Lower: 0
          Op : ignore
        Dst ports
          Upper: 0
          Lower: 0
          Op : ignore
        Protocol: 50
        Use protocol: true
        SPI: 0x8030618F
        Use SPI: true
    IPSEC: Completed inbound decrypt
        Rule ID: 0xD4E56A18
    IPSEC: New inbound permit rule,
        Src addr: 192.168.1.1


    Related Information

    Cisco ASA 5500 Series Adaptive Security Appliances Su
    Cisco PIX 500 Series Security Appliances Support Page
    Most Common L2L and Remote Access IPsec VPN Troub
    IPSec Negotiation/IKE Protocols Support Page
    Technical Support & Documentation - Cisco Systems

    Updated: Sep 30, 2008
