8/3/2019 Asa VPN Tunel
Cisco ASA 5500 Series Adaptive Security Appliances
LAN-to-LAN Tunnel Between ASA 5505 and ASA/PIX
Contents
Introduction
Prerequisites
Requirements
Components Used
Related Products
Conventions
Configure
Network Diagram
Configurations
Verify
Troubleshoot
Related Information
Document ID: 100678
Introduction
This document provides a sample configuration for the LAN-to-LAN (Security Appliances (ASA/PIX) and the Adaptive Security Appliance
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on these software and ha
Cisco 5500 Series ASA that runs the software version 7.x an
Cisco 5505 ASA that runs the software version 7.x and later
The information in this document was created from the devices in a s
devices used in this document started with a cleared (default) config
that you understand the potential impact of any command.
Related Products
This configuration can also be used with these hardware and softwa
Cisco 500 Series PIX Security Appliance that runs the softwa
Cisco 5505 ASA that runs the software version 7.x and later
Page 1 / 20 LAN-to-LAN Tunnel Between ASA 5505 and ASA/PIX Configuration Example - Cis...
15.01.2012http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186...
Conventions
Refer to the Cisco Technical Tips Conventions for more information
Configure
In this section, you are presented with the information to configure th
Note: Use the Command Lookup Tool (registered customers only) tcommands used in this section.
Network Diagram
This document uses this network setup:
Configurations
This document uses these configurations:
Cisco 5505 ASA Configuration
Cisco 5510 ASA Configuration
Cisco 5505 A
ASA5505#show running-config
: Saved
:
ASA Version 8.0(2)
!
hostname ASA5505
enable password 8Ry2YjIyt7RRXU24 encrypt
names
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.255.0
!
interface Vlan3
 nameif inside
 security-level 100
 ip address 10.2.2.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 3
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
access-list 100 extended permit ip 10.2.

!--- Access-list for interesting traffic
!--- encrypted between ASA 5505 and ASA/

access-list nonat extended permit ip 10.

!--- Access-list for traffic to bypass t
!--- translation (NAT) process.

pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0

!--- Specify the NAT configuration.
!--- NAT 0 prevents NAT for the ACL defi
!--- The nat 1 command specifies NAT for

route outside 10.1.1.0 255.255.255.0 172
route outside 192.168.1.0 255.255.255.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00
timeout sunrpc 0:10:00 h323 0:05:00 h225
timeout sip 0:30:00 sip_media 0:02:00 si
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessP
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentica

!--- PHASE 2 CONFIGURATION
!--- The encryption types for Phase 2 ar

crypto ipsec transform-set myset esp-3de

!--- Define the transform set for Phase

crypto map outside_map 20 match address

!--- Define which traffic can be sent to

crypto map outside_map 20 set peer 192.1

!--- Sets the IPsec peer.

crypto map outside_map 20 set transform-

!--- Sets the IPsec transform set "myset
!--- to be used with the crypto map entr

crypto map outside_map interface outside
!--- Crypto map applied to the outside i

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

!--- PHASE 1 CONFIGURATION ---!
!--- This configuration uses isakmp poli
!--- These configuration commands
!--- define the Phase 1 policies that ar

telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_m
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
tunnel-group 192.168.1.1 type ipsec-l2l
!--- In order to create and manage the d
!--- for ipsec-l2l IPsec (LAN-to-LAN) tu
!--- command in global configuration mod
!--- For L2L connections the name of the
!--- address of the IPsec peer.

tunnel-group 192.168.1.1 ipsec-attribute
 pre-shared-key *

!--- Enter the pre-shared-key in order t

prompt hostname context
Cryptochecksum:68eba159fd8e4c893f24185ff
: end
ASA5505#
Cisco 5510 A
ASA5510#show running-config
: Saved
:
ASA Version 8.0(2)
!
hostname ASA5510
enable password 8Ry2YjIyt7RRXU24 encrypt
names
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list 100 extended permit ip 10.1.

!--- Access-list for interesting traffic
!--- encrypted between ASA 5505 and ASA/

access-list nonat extended permit ip 10.

!--- Access-list for traffic to bypass t
!--- translation (NAT) process.

pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0

!--- Specify the NAT configuration.
!--- NAT 0 prevents NAT for the ACL defi
!--- The nat 1 command specifies NAT for

route outside 10.2.2.0 255.255.255.0 192
route outside 172.16.1.0 255.255.255.0 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00
timeout sunrpc 0:10:00 h323 0:05:00 h225
timeout sip 0:30:00 sip_media 0:02:00 si
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessP
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentica

!--- PHASE 2 CONFIGURATION
!--- The encryption types for Phase 2 ar

crypto ipsec transform-set myset esp-3de

!--- Define the transform set for Phase

crypto map outside_map 20 match address

!--- Define which traffic can be sent to

crypto map outside_map 20 set peer 172.1

!--- Sets the IPsec peer.

crypto map outside_map 20 set transform-

!--- Sets the IPsec transform set "myset
!--- to be used with the crypto map entr

crypto map outside_map interface outside

!--- Crypto map applied to the outside i

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

!--- PHASE 1 CONFIGURATION ---!
!--- This configuration uses isakmp poli
!--- These configuration commands
!--- define the Phase 1 policies that ar
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_m
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
tunnel-group 172.16.1.1 type ipsec-l2l

!--- In order to create and manage the d
!--- for ipsec-l2l IPsec (LAN-to-LAN) tu
!--- command in global configuration mod
!--- For L2L connections the name of the
!--- address of the IPsec peer.

tunnel-group 172.16.1.1 ipsec-attributes
 pre-shared-key *

!--- Enter the pre-shared-key in order t

prompt hostname context
Cryptochecksum:d41d8cd98f00b204e9800998e
: end
ASA5510#
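The two listings above only work because they mirror each other: each side's crypto map peer is the other side's outside address, the L2L tunnel-group is named with that peer address (as the comments note), the interesting-traffic ACLs are mirror images, and the Phase 1 and Phase 2 proposals match. The script below is an added example, not Cisco's own code; it checks those rules over constructed running-config excerpts built from this document's addresses (the page's own listings are truncated, so the excerpts are not copied from them).

```python
# Added example (not Cisco's code): check that two ASA L2L peers mirror each other.
import re

# Constructed config excerpts using this document's addresses (not the page's listings).
ASA5505_CFG = """\
interface Vlan2
 nameif outside
 ip address 172.16.1.1 255.255.255.0
access-list 100 extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer 192.168.1.1
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
tunnel-group 192.168.1.1 type ipsec-l2l
"""
ASA5510_CFG = """\
interface Ethernet0/1
 nameif outside
 ip address 192.168.1.1 255.255.255.0
access-list 100 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer 172.16.1.1
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
tunnel-group 172.16.1.1 type ipsec-l2l
"""
# Constructed misconfiguration: tunnel-group named after the wrong address.
ASA5510_BAD_CFG = ASA5510_CFG.replace("tunnel-group 172.16.1.1", "tunnel-group 172.16.1.2")


def _first(pattern, cfg):
    """Group 1 of the first line matching pattern, or None."""
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None


def parse_peer(cfg):
    """Pull the tunnel-relevant settings out of one ASA running-config."""
    acl_name = _first(r"^crypto map \S+ \d+ match address (\S+)$", cfg) or ""
    acl = _first(r"^access-list %s extended permit ip (.+)$" % re.escape(acl_name), cfg)
    src, src_mask, dst, dst_mask = (acl or "? ? ? ?").split()
    policy = re.search(r"^crypto isakmp policy \d+\n((?: .*\n)+)", cfg, re.M)
    return {
        "outside_ip": _first(r"^interface \S+\n nameif outside\n ip address (\S+)", cfg),
        "peer": _first(r"^crypto map \S+ \d+ set peer (\S+)$", cfg),
        "tunnel_group": _first(r"^tunnel-group (\S+) type ipsec-l2l$", cfg),
        "acl_src": (src, src_mask), "acl_dst": (dst, dst_mask),
        "transform": _first(r"^crypto ipsec transform-set \S+ (.+)$", cfg),
        "isakmp": sorted(l.strip() for l in policy.group(1).splitlines()) if policy else None,
    }


def check_pair(a, b):
    """List the mismatches between two parsed peers; an empty list means mirrored."""
    problems = []
    for me, other, side in ((a, b, "side A"), (b, a, "side B")):
        if me["peer"] != other["outside_ip"]:
            problems.append(f"{side}: set peer {me['peer']} is not the far outside address {other['outside_ip']}")
        # For ipsec-l2l the tunnel-group name must be the peer's IP address.
        if me["tunnel_group"] != me["peer"]:
            problems.append(f"{side}: tunnel-group {me['tunnel_group']} is not named after peer {me['peer']}")
        # The interesting-traffic ACL must be the exact mirror of the far side's.
        if me["acl_src"] != other["acl_dst"] or me["acl_dst"] != other["acl_src"]:
            problems.append(f"{side}: interesting-traffic ACL does not mirror the far side")
    if a["transform"] != b["transform"]:
        problems.append(f"Phase 2 transform sets differ: {a['transform']} vs {b['transform']}")
    if a["isakmp"] != b["isakmp"]:
        problems.append("Phase 1 ISAKMP policies differ: no common proposal")
    return problems
```

Running `check_pair(parse_peer(ASA5505_CFG), parse_peer(ASA5510_CFG))` returns an empty list for the mirrored pair, while the constructed `ASA5510_BAD_CFG` produces one finding about its mis-named tunnel-group.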
Verify
Use this section to confirm that your configuration works properly.
The Output Interpreter Tool (registered customers only) (OIT) suppo
to view an analysis of show command output.
show crypto isakmp sa: Displays all current IKE security a
show crypto ipsec sa: Displays all current IPsec SAs.
This section shows example verification configurations for:
Cisco 5505 ASA
Cisco 5510 ASA
Cisco 5505 ASA
ASA5505#show crypto isakmp sa

   Active SA: 1
    Rekey SA: 0  (A tunnel will report 1
Total IKE SA: 1

1   IKE Peer: 192.168.1.1
    Type  : L2L       Role  :
    Rekey : no        State :

ASA5505#show crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num

      access-list 100 permit ip 10.2.2.0
      local ident (addr/mask/prot/port):
      remote ident (addr/mask/prot/port)
      current_peer: 192.168.1.1

      #pkts encaps: 4, #pkts encrypt: 4,
      #pkts decaps: 4, #pkts decrypt: 4,
      #pkts compressed: 0, #pkts decompr
      #pkts not compressed: 4, #pkts com
      #pre-frag successes: 0, #pre-frag
      #PMTUs sent: 0, #PMTUs rcvd: 0, #d
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.16.1.1, r

      path mtu 1500, ipsec overhead 58,
      current outbound spi: A0411DE6
    inbound esp sas:
      spi: 0x8312C39C (2199045020)
         transform: esp-3des esp-sha-hma
         in use settings ={L2L, Tunnel,
         slot: 0, conn_id: 8192, crypto-
         sa timing: remaining key lifeti
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xA0411DE6 (2688622054)
         transform: esp-3des esp-sha-hma
         in use settings ={L2L, Tunnel,
         slot: 0, conn_id: 8192, crypto-
         sa timing: remaining key lifeti
         IV size: 8 bytes
         replay detection support: Y
Cisco 5510 ASA
ASA5510#show crypto isakmp sa

   Active SA: 1
    Rekey SA: 0  (A tunnel will report 1
Total IKE SA: 1

1   IKE Peer: 172.16.1.1
    Type  : L2L       Role  :
    Rekey : no        State :

ASA5510#show crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num

      access-list 100 permit ip 10.1.1.0
      local ident (addr/mask/prot/port):
      remote ident (addr/mask/prot/port)
      current_peer: 172.16.1.1

      #pkts encaps: 4, #pkts encrypt: 4,
      #pkts decaps: 4, #pkts decrypt: 4,
      #pkts compressed: 0, #pkts decompr
      #pkts not compressed: 4, #pkts com
      #pre-frag successes: 0, #pre-frag
      #PMTUs sent: 0, #PMTUs rcvd: 0, #d
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.1.1,

      path mtu 1500, ipsec overhead 58,
      current outbound spi: 8312C39C

    inbound esp sas:
      spi: 0xA0411DE6 (2688622054)
         transform: esp-3des esp-sha-hma
         in use settings ={L2L, Tunnel,
         slot: 0, conn_id: 8192, crypto-
         sa timing: remaining key lifeti
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x8312C39C (2199045020)
         transform: esp-3des esp-sha-hma
         in use settings ={L2L, Tunnel,
         slot: 0, conn_id: 8192, crypto-
         sa timing: remaining key lifeti
         IV size: 8 bytes
         replay detection support: Y
Troubleshoot
This section provides information you can use to troubleshoot your c
Make use of these commands as shown:

clear crypto isakmp sa: Clears the Phase 1 SAs.

Caution: The clear crypto isakmp sa command is in
tunnels. Starting with the 8.0(3) version of PIX/ASA software,
the clear crypto isakmp sa command. Be
sessiondb logoff tunnel-group comm
SAs for a single tunnel.

ASA5505#vpn-sessiondb logoff tun
Do you want to logoff the VPN se
INFO: Number of sessions from Tu
ASA5505# Jan 19 13:58:43 [IKEv1
itcher: received key delete msg,
Jan 19 13:58:43 [IKEv1]: Group =
nated for peer 192.168.1.1.  Rea
Local Proxy 10.2.2.0
Jan 19 13:58:43 [IKEv1 DEBUG]: G
116f1ccf rcv'd Terminate: state
Jan 19 13:58:43 [IKEv1 DEBUG]: G
lete/delete with reason message
Jan 19 13:58:43 [IKEv1 DEBUG]: G
ng blank hash payload
Jan 19 13:58:43 [IKEv1 DEBUG]: G
ng IPSec delete payload
Jan 19 13:58:43 [IKEv1 DEBUG]: G
ng qm hash payload
Jan 19 13:58:43 [IKEv1]: IP = 19
46fb4) with payloads : HDR + HAS
Jan 19 13:58:43 [IKEv1 DEBUG]: G
t receives a delete event for re
Jan 19 13:58:43 [IKEv1 DEBUG]: G
ng SA: Remote Proxy 10.1.1.0, Lo
Jan 19 13:58:43 [IKEv1 DEBUG]: G
116f1ccf terminating: flags 0x0
Jan 19 13:58:43 [IKEv1 DEBUG]: G
lete/delete with reason message
Jan 19 13:58:43 [IKEv1 DEBUG]: G
ng blank hash payload
Jan 19 13:58:43 [IKEv1 DEBUG]: G
ng IKE delete payload
Jan 19 13:58:43 [IKEv1 DEBUG]: G
ng qm hash payload
Jan 19 13:58:43 [IKEv1]: IP = 19
78fac) with payloads : HDR + HAS
Jan 19 13:58:43 [IKEv1 DEBUG]: P
Jan 19 13:58:43 [IKEv1 DEBUG]: P
Jan 19 13:58:43 [IKEv1]: IP = 19
ching SA, dropping

clear crypto ipsec sa peer: Clears the r

ASA5505(config)#clear ipsec sa p
ASA5505(config)# IPSEC: Deleted
    Rule ID: 0xD4E56A18
IPSEC: Deleted inbound permit ru
    Rule ID: 0xD4DF4110
IPSEC: Deleted inbound tunnel fl
    Rule ID: 0xD4DAE1F0
IPSEC: Deleted inbound VPN conte
    VPN handle: 0x00058FBC
IPSEC: Deleted outbound encrypt
    Rule ID: 0xD4DA4348
IPSEC: Deleted outbound permit r
    Rule ID: 0xD4DAE7A8
IPSEC: Deleted outbound VPN cont
    VPN handle: 0x0005633C

debug crypto isakmp sa: Debugs ISAKMP

ASA5505(config)#debug crypto isa
ASA5505(config)# Jan 19 13:39:49
Message (msgid=0) with payloads
DOR (13) + NONE (0) total length
Jan 19 13:39:49 [IKEv1 DEBUG]: I
Jan 19 13:39:49 [IKEv1 DEBUG]: I
Jan 19 13:39:49 [IKEv1 DEBUG]: I
Jan 19 13:39:49 [IKEv1 DEBUG]: I
ID
Jan 19 13:39:49 [IKEv1 DEBUG]: I
Jan 19 13:39:49 [IKEv1 DEBUG]: I
ID
Jan 19 13:39:49 [IKEv1 DEBUG]: I
Jan 19 13:39:49 [IKEv1 DEBUG]: I
Jan 19 13:39:49 [IKEv1 DEBUG]: I
tion capability flags: Main Mod
Jan 19 13:39:49 [IKEv1 DEBUG]: I
Jan 19 13:39:49 [IKEv1 DEBUG]: I
# 1 acceptable Matches global I
Jan 19 13:39:49 [IKEv1 DEBUG]: I
Jan 19 13:39:49 [IKEv1 DEBUG]: I
ver 02 payload
Jan 19 13:39:49 [IKEv1 DEBUG]: I
+ extended capabilities payload
Jan 19 13:39:49 [IKEv1]: IP = 19
with payloads : HDR + SA (1) + V
: 128
Jan 19 13:39:49 [IKEv1]: IP = 19
with payloads : HDR + KE (4) +
(13) + VENDOR (13) + NAT-D (130)
Jan 19 13:39:49 [IKEv1 DEBUG]: I
Jan 19 13:39:49 [IKEv1 DEBUG]: I
Jan 19 13:39:49 [IKEv1 DEBUG]: I
Jan 19 13:39:49 [IKEv1 DEBUG]: I
Jan 19 13:39:49 [IKEv1 DEBUG]: I
Jan 19 13:39:49 [IKEv1 DEBUG]: I
Jan 19 13:39:49 [IKEv1 DEBUG]: I
Jan 19 13:39:49 [IKEv1 DEBUG]: I
Jan 19 13:39:49 [IKEv1 DEBUG]: I
IOS Vendor ID payload (version:
Jan 19 13:39:49 [IKEv1 DEBUG]: I
Jan 19 13:39:49 [IKEv1 DEBUG]: I
isco ASA GW VID
Jan 19 13:39:49 [IKEv1 DEBUG]: I
d
Jan 19 13:39:49 [IKEv1 DEBUG]: I
Jan 19 13:39:49 [IKEv1 DEBUG]: I
d
Jan 19 13:39:49 [IKEv1 DEBUG]: I
Jan 19 13:39:49 [IKEv1 DEBUG]: I
Jan 19 13:39:49 [IKEv1 DEBUG]: I
Jan 19 13:39:49 [IKEv1 DEBUG]: I
yload
Jan 19 13:39:49 [IKEv1 DEBUG]: I
ad
Jan 19 13:39:49 [IKEv1 DEBUG]: I
Jan 19 13:39:49 [IKEv1 DEBUG]: I
endor ID payload (version: 1.0.0
Jan 19 13:39:49 [IKEv1 DEBUG]: I
Jan 19 13:39:49 [IKEv1 DEBUG]: I
ASA GW VID
Jan 19 13:39:49 [IKEv1 DEBUG]: I
oad
Jan 19 13:39:49 [IKEv1 DEBUG]: I
Jan 19 13:39:49 [IKEv1 DEBUG]: I
oad
Jan 19 13:39:49 [IKEv1 DEBUG]: I
Jan 19 13:39:49 [IKEv1]: IP = 19
.168.1.1
Jan 19 13:39:49 [IKEv1 DEBUG]: G
keys for Responder...
Jan 19 13:39:49 [IKEv1]: IP = 19
with payloads : HDR + KE (4) + N
13) + VENDOR (13) + NAT-D (130)
Jan 19 13:39:49 [IKEv1]: IP = 19
with payloads : HDR + ID (5) +
ONE (0) total length : 96
Jan 19 13:39:49 [IKEv1 DEBUG]: G
ID payload
Jan 19 13:39:49 [IKEv1 DEBUG]: G
hash payload
Jan 19 13:39:49 [IKEv1 DEBUG]: G
hash for ISAKMP
Jan 19 13:39:49 [IKEv1 DEBUG]: I
ad: proposal=32767/32767 sec.
Jan 19 13:39:49 [IKEv1 DEBUG]: G
VID payload
Jan 19 13:39:49 [IKEv1 DEBUG]: G
PD VID
Jan 19 13:39:49 [IKEv1]: Group =
tection Status: Remote end i
behind a NAT device
Jan 19 13:39:49 [IKEv1]: IP = 19
.168.1.1
Jan 19 13:39:49 [IKEv1]: Group =
ly allocated memory for authoriz
Jan 19 13:39:49 [IKEv1 DEBUG]: G
ng ID payload
Jan 19 13:39:49 [IKEv1 DEBUG]: G
ng hash payload
Jan 19 13:39:49 [IKEv1 DEBUG]: G
hash for ISAKMP
Jan 19 13:39:49 [IKEv1 DEBUG]: I
load: proposal=32767/32767 sec.
Jan 19 13:39:49 [IKEv1 DEBUG]: G
ng dpd vid payload
Jan 19 13:39:49 [IKEv1]: IP = 19
with payloads : HDR + ID (5) + H
NE (0) total length : 96
Jan 19 13:39:49 [IKEv1]: Group =
D
Jan 19 13:39:49 [IKEv1]: IP = 19
DPD
Jan 19 13:39:49 [IKEv1 DEBUG]: G
1 rekey timer: 73440 seconds.
Jan 19 13:39:49 [IKEv1]: IP = 19
21905f) with payloads : HDR + HA
NOTIFY (11) + NONE (0) total le
Jan 19 13:39:49 [IKEv1 DEBUG]: G
hash payload
Jan 19 13:39:49 [IKEv1 DEBUG]: G
SA payload
Jan 19 13:39:49 [IKEv1 DEBUG]: G
nonce payload
Jan 19 13:39:49 [IKEv1 DEBUG]: G
ID payload
Jan 19 13:39:49 [IKEv1]: Group =
IP Proxy Subnet data in ID Paylo
ocol 0, Port 0
Jan 19 13:39:49 [IKEv1 DEBUG]: G
ID payload
Jan 19 13:39:49 [IKEv1]: Group =
P Proxy Subnet data in ID Payloa
col 0, Port 0
Jan 19 13:39:49 [IKEv1 DEBUG]: G
notify payload
Jan 19 13:39:49 [IKEv1]: Group =
sa not found by addr
Jan 19 13:39:49 [IKEv1]: Group =
p check, checking map = outside_
Jan 19 13:39:49 [IKEv1]: Group =
p check, map outside_map, seq =
Jan 19 13:39:49 [IKEv1]: Group =
configured for crypto map: outsi
Jan 19 13:39:49 [IKEv1 DEBUG]: G
IPSec SA payload
Jan 19 13:39:49 [IKEv1 DEBUG]: G
roposal # 1, Transform # 1 accep
Jan 19 13:39:49 [IKEv1]: Group =
SPI!
Jan 19 13:39:49 [IKEv1 DEBUG]: G
I from key engine: SPI = 0x826ff
Jan 19 13:39:49 [IKEv1 DEBUG]: G
stucting quick mode
Jan 19 13:39:49 [IKEv1 DEBUG]: G
ng blank hash payload
Jan 19 13:39:49 [IKEv1 DEBUG]: G
ng IPSec SA payload
Jan 19 13:39:49 [IKEv1 DEBUG]: G
ng IPSec nonce payload
Jan 19 13:39:49 [IKEv1 DEBUG]: G
ng proxy ID
Jan 19 13:39:49 [IKEv1 DEBUG]: G

debug crypto ipsec sa: Debugs IPsec SA n

ASA5505(config)#debug crypto ips
ASA5505(config)# IPSEC: New embr
    SCB: 0xD4E56CF8,
    Direction: inbound
    SPI : 0x8030618F
    Session ID: 0x00006000
    VPIF num : 0x00000001
    Tunnel type: l2l
    Protocol : esp
    Lifetime : 240 seconds
IPSEC: New embryonic SA created
    SCB: 0xD4DAE608,
    Direction: outbound
    SPI : 0x0D6CDEEB
    Session ID: 0x00006000
    VPIF num : 0x00000001
    Tunnel type: l2l
    Protocol : esp
    Lifetime : 240 seconds
IPSEC: Completed host OBSA updat
IPSEC: Creating outbound VPN con
    Flags: 0x00000005
    SA : 0xD4E57AD8
    SPI : 0x0D6CDEEB
    MTU : 1500 bytes
    VCID : 0x00000000
    Peer : 0x00000000
    SCB : 0x015E69CB
    Channel: 0xD3D60A98
IPSEC: Completed outbound VPN co
    VPN handle: 0x0005633C
IPSEC: New outbound encrypt rule
    Src addr: 10.2.2.0
    Src mask: 255.255.255.0
    Dst addr: 10.1.1.0
    Dst mask: 255.255.255.0
    Src ports
      Upper: 0
      Lower: 0
      Op : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed outbound encryp
    Rule ID: 0xD4DA4348
IPSEC: New outbound permit rule,
    Src addr: 172.16.1.1
    Src mask: 255.255.255.255
    Dst addr: 192.168.1.1
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x0D6CDEEB
    Use SPI: true
IPSEC: Completed outbound permit
    Rule ID: 0xD4DAE7A8
IPSEC: Completed host IBSA updat
IPSEC: Creating inbound VPN cont
    Flags: 0x00000006
    SA : 0xD4E56E18
    SPI : 0x8030618F
    MTU : 0 bytes
    VCID : 0x00000000
    Peer : 0x0005633C
    SCB : 0x015DD135
    Channel: 0xD3D60A98
IPSEC: Completed inbound VPN con
    VPN handle: 0x00058FBC
IPSEC: Updating outbound VPN con
    Flags: 0x00000005
    SA : 0xD4E57AD8
    SPI : 0x0D6CDEEB
    MTU : 1500 bytes
    VCID : 0x00000000
    Peer : 0x00058FBC
    SCB : 0x015E69CB
    Channel: 0xD3D60A98
IPSEC: Completed outbound VPN co
    VPN handle: 0x0005633C
IPSEC: Completed outbound inner
    Rule ID: 0xD4DA4348
IPSEC: Completed outbound outer
    Rule ID: 0xD4DAE7A8
IPSEC: New inbound tunnel flow r
    Src addr: 10.1.1.0
    Src mask: 255.255.255.0
    Dst addr: 10.2.2.0
    Dst mask: 255.255.255.0
    Src ports
      Upper: 0
      Lower: 0
      Op : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed inbound tunnel
    Rule ID: 0xD4DAE1F0
IPSEC: New inbound decrypt rule,
    Src addr: 192.168.1.1
    Src mask: 255.255.255.255
    Dst addr: 172.16.1.1
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x8030618F
    Use SPI: true
IPSEC: Completed inbound decrypt
    Rule ID: 0xD4E56A18
IPSEC: New inbound permit rule,
    Src addr: 192.168.1.1
Related Information
Cisco ASA 5500 Series Adaptive Security Appliances Su
Cisco PIX 500 Series Security Appliances Support Page
Most Common L2L and Remote Access IPsec VPN Troub
IPSec Negotiation/IKE Protocols Support Page
Technical Support & Documentation - Cisco Systems
Updated: Sep 30, 2008