05.11.2008 at 01:45AM PDT, ID: 23392481
VPN Help!

Asked by eagle341 in Virtual Private Networking (VPN), Network Routers, Cisco PIX Firewall

Tags: Cisco, ASA, 5505, VPN

Hello, I really need urgent help with my VPN. I have set up a peer-to-peer VPN and the VPN is up, but I can't see IP addresses on either side. Please take a look at my config and advise what I need to do for the remote site to authenticate through my domain Active Directory and see all servers on both sides.

ASA

ASA Version 7.2(2)                  
!
hostname ESSKZATFW01                    
domain-name ERSS.KZ                  
enable password QBroPiQC0KPCNQCo encrypted                                          
names    
name 192.168.10.20 ESSDNS1                          
name 217.196.XX.XXX KTCDNS1                          
name 217.XX.XX.XX KTCDNS2                        
!
interface Ethernet0/0                    
 nameif Inside              
 security-level 100                  
 ip address 192.168.10.201 255.255.255.0                                        
 ospf cost 10            
!
interface Ethernet0/1                    
 nameif Outside              
 security-level 0                
 ip address 77.245.XX.XX 255.                            
 ospf cost 10            
!
interface Ethernet0/2                    
 shutdown        
 no nameif          
 no security-level                  
 no ip address              
!
interface Ethernet0/3                    
 shutdown        
 no nameif          
 no security-level                  
 no ip address              
!
interface Management0/0                      
 nameif management                  
 security-level 100                  
 ip address 192.168.1.1 255.255.255.0                                    
 ospf cost 10            
 management-only                
!
passwd 2KFQnbNIdI.2KYOU encrypted                                
ftp mode passive                
dns server-group DefaultDNS                          
 domain-name ERSS.KZ                    
same-security-traffic permit inter-interface                                            
same-security-traffic permit intra-interface                                            
access-list management_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 any
access-list Outside_20_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 any
access-list Inside_nat0_outbound extended permit ip any any
access-list Inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list Inside_access_in extended permit ip 192.168.0.0 255.255.255.0                                                                      
g
access-list Inside_access_in extended permit ip 192.168.10.0 255.255.255.0 host 217.196.XX.X
access-list Inside_access_in extended permit ip any any log
access-list Outside_access_out extended permit ip any 192.168.0.0 255.255.255.0
access-list Outside_access_out extended permit ip any any
access-list Inside_access_out extended permit ip any 192.168.0.0 255.255.255.0
access-list Inside_access_out extended permit ip any any log
access-list Outside_access_in extended permit ip 192.168.0.0 255.255.255.0 any
access-list Outside_access_in extended permit ip any any
access-list Outside_nat0_outbound extended permit ip any any
access-list Outside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24              
logging asdm informational                          
mtu Inside 1500              
mtu Outside 1500                
mtu management 1500                  
no failover          
monitor-interface Inside                        
monitor-interface Outside                        
monitor-interface management                            
icmp unreachable rate-limit 1 burst-size 1                                          
asdm image disk0:/asdm-522.bin                              
no asdm history enable                      
arp timeout            
nat (Inside) 0 access-list Inside_nat0_outbound                                              
nat (Inside) 0 0.0.0.0 0.0.0.0                              
nat (Outside) 0 access-list Outside_nat0_outbound                                                
nat (management) 0 access-list management_nat0_outbound                                                      
nat (management) 0 0.0.0.0 0.0.0.0                                  
access-group Inside_access_in in interface Inside                                                
access-group Inside_access_out out interface Inside                                                  
access-group Outside_access_in in interface Outside                                                  
access-group Outside_access_out out interface Outside                                                    
route Outside 0.0.0.0 0.0.0.0 77.245.XX.XX 1                                            
timeout xlate 3:00:00                    
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02                                                                
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00                                                                              
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00                                                                              
timeout uauth 0:05:00 absolute                              
http server enable                  
http 192.168.1.0 255.255.255.0 management                                        
no snmp-server location                      
no snmp-server contact                      
snmp-server enable traps snmp authentication linkup linkdown coldstart                                                                      
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac                                                            
crypto map Outside_map 20 match address Outside_20_cryptomap                                                            
crypto map Outside_map 20 set pfs                                
crypto map Outside_map 20 set peer 217.196.23.138                                                
crypto map Outside_map 20 set transform-set ESP-3DES-SHA                                                        
crypto map Outside_map interface Outside                                        
crypto isakmp enable Outside                            
crypto isakmp policy 10                      
 authentication pre-share                        
 encryption 3des                
 hash sha        
 group 2        
 lifetime 86400              
tunnel-group 217.196.XX.XXX type ipsec-l2l                                          
tunnel-group 217.196.XX.XXX ipsec-attributes                                            
 pre-shared-key *                
telnet timeout 5                
ssh timeout 5            
console ti        
management-access Inside                        
dhcpd address 192.168.1.2-192.168.1.254 management                                                  
!
!
class-map inspection_default                            
 match default-inspection-traffic                                
!
!
policy-map type inspect dns preset_dns_map                                          
 parameters          
  message-length maximum 512                            
policy-map global_policy                        
 class inspection_default                        
  inspect dns preset_dns_map                            
  inspect ftp            
  inspect h323 h225                  
  inspect h323 ras                  
  inspect rsh            
  inspect rtsp              
  inspect esmtp              
  inspect sqlnet                
  inspect skinny                
  inspect sunrpc                
  inspect xdmcp              
  inspect sip            
  inspect netbios                
  inspect tftp              
!
service-policy global_policy global                                  
prompt hostname context                      
Cryptochecksum:a37fd9c43507ec13b924fdf7b8789a5e


And the 1800

!This is the running config of the router: 217.196.XX.XXX
!----------------------------------------------------------------------------
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ESS_E11
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$ZQ2H$EajrjDiWdNoaFK5p.rIsl.
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 5
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1
   dns-server 217.196.XX.XXX 217.196.XX.XX
   domain-name erss.kz
   netbios-name-server 192.168.10.20
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name erss.kz
ip name-server 217.196.XX.XXX
ip name-server 217.196.XXX.XX
ip ssh time-out 60
ip ssh authentication-retries 2
ip ddns update method sdm_ddns1
 DDNS both
!
!
!
crypto pki trustpoint TP-self-signed-96517047
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-96517047
 revocation-check none
 rsakeypair TP-self-signed-96517047
!
!
crypto pki certificate chain TP-self-signed-96517047
 certificate self-signed 01
  quit
username administrator privilege 15 secret 5 $1$rQL2$w7om2VNuVpElcZ7KKMO6u.
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key esskzat2kztz address 77.245.XX.XX
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to 77.245.XX.XX
 set peer 77.245.XX.XX
 set security-association lifetime seconds 28800
 set transform-set ESP-3DES-SHA
 set pfs group2
 match address 107
 reverse-route
!
bridge irb
!
!
!
interface FastEthernet0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet1
 description $ES_WAN$$FW_INSIDE$$ETH-WAN$
 ip ddns update hostname ESS_E11.erss.kz
 ip ddns update sdm_ddns1
 ip address 217.196.XX.XXX 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation hdlc
 ip route-cache flow
 shutdown
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Dot11Radio0
 no ip address
 !
 encryption key 1 size 40bit 7 028B93741B05 transmit-key
 encryption mode wep mandatory
 !
 ssid ESS_E11
    authentication open
    guest-mode
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 !
 encryption key 1 size 40bit 7 6E8F57543705 transmit-key
 encryption mode wep mandatory
 !
 ssid ESS_E11
    authentication open
    guest-mode
 !
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$FW_INSIDE$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
ip route 0.0.0.0 0.0.0.0 217.196.XX.XXX
ip route 0.0.0.0 0.0.0.0 77.245.XX.XX permanent
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet1 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 217.196.23.136 0.0.0.3 77.245.XX.0 0.0.0.255
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny   ip 198.168.0.0 0.0.0.255 77.245.XX.XX 0.0.0.7
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.0.0 0.0.0.255 77.245.XX.XX 0.0.0.7
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 198.168.0.0 0.0.0.255 77.245.XX.XX 0.0.0.7
access-list 104 remark SDM_ACL Category=4
access-list 104 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
access-list 105 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
access-list 106 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
access-list 107 remark SDM_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end
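An added consistency check, not part of the question and not Cisco tooling: it parses the crypto and NAT-exemption ACLs from the two configs above (a constructed excerpt of the posted lines), confirms that the ASA's Outside_20_cryptomap and the 1800's access-list 107 are mirror images, confirms that the ASA's Inside_nat0_outbound exempts the tunnel traffic from NAT, and flags nat0 entries that match "any", since those exempt far more than the tunnel. The function names and the _addr helper are my own.

```python
import ipaddress

# Constructed excerpt of the ACL lines from the two configs above that the check needs.
ASA_ACL = """
access-list Outside_20_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 any
access-list Inside_nat0_outbound extended permit ip any any
access-list Inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0
"""
IOS_ACL = """
access-list 107 remark IPSec Rule
access-list 107 permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
"""
ANY = ipaddress.ip_network("0.0.0.0/0")

def _addr(tokens, wildcard):
    """Consume one address spec (any | host A | A MASK) from tokens; IOS masks are wildcards."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = int(ipaddress.ip_address(tokens.pop(0))) ^ (0xFFFFFFFF if wildcard else 0)  # wildcard = inverted mask
    return ipaddress.ip_network(f"{t}/{ipaddress.ip_address(mask)}", strict=False)

def acl_pairs(text, header, wildcard):
    """(src, dst) networks of every ACL line that starts with the given header tokens."""
    pairs = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:len(header)] == header:
            rest = tokens[len(header):]
            pairs.append((_addr(rest, wildcard), _addr(rest, wildcard)))
    return pairs

def asa_acl(text, name):  # ASA extended ACL, subnet masks
    return acl_pairs(text, ["access-list", name, "extended", "permit", "ip"], wildcard=False)

def ios_acl(text, number):  # numbered IOS extended ACL, wildcard masks (remark lines are skipped)
    return acl_pairs(text, ["access-list", number, "permit", "ip"], wildcard=True)

def mirror_mismatches(local, remote):
    """Crypto ACLs must be exact mirror images; return entries on each side lacking a mirror."""
    local_only = [(s, d) for s, d in local if (d, s) not in remote]
    remote_only = [(s, d) for s, d in remote if (d, s) not in local]
    return local_only, remote_only

def nat0_findings(crypto, nat0):
    """Every crypto pair must be NAT-exempt; also flag nat0 entries far wider than the tunnel."""
    uncovered = [(s, d) for s, d in crypto
                 if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nat0)]
    over_broad = [(ns, nd) for ns, nd in nat0 if ANY in (ns, nd)]
    return uncovered, over_broad

if __name__ == "__main__":
    crypto = asa_acl(ASA_ACL, "Outside_20_cryptomap")
    print("mirror mismatches:", mirror_mismatches(crypto, ios_acl(IOS_ACL, "107")))
    print("nat0 findings:", nat0_findings(crypto, asa_acl(ASA_ACL, "Inside_nat0_outbound")))
```

For these two configs the crypto ACLs do mirror each other, so the mismatch lists come back empty, while the two "any" entries in Inside_nat0_outbound are reported as over-broad.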
About this solution

Solution Provided By: peterhicks
Participating Experts: 1
Solution Grade: B
 
 