8.2 ASA dynamic VPN to ASA static config help
Hello
I'm trying to set up a tunnel l2l between an ASA and ASA remote central where the remote receives a DHCP provider address.
ASA Remote Config:
interface Vlan1
nameif inside
security-level 100
IP 10.10.10.1 255.255.255.0
# Receives an IP address of 90.0.1.203 from the provider.
interface Vlan2
nameif outside
security-level 0
IP address dhcp setroute
the Corp_Networks object-group network
object-network 172.16.0.0 255.240.0.0
object-network 10.0.0.0 255.0.0.0
object-network 192.168.252.0 255.255.255.0
access-list SHEEP extended ip 10.10.10.0 allow 255.255.255.0 Corp_Networks object-group
Remote access ip 10.10.10.0 extended list allow 255.255.255.0 Corp_Networks object-group
NAT (inside) 0 access-list SHEEP
NAT (inside) 1 0.0.0.0 0.0.0.0
outdoor 10.0.0.0 255.255.255.0 90.0.1.1
Route outside 172.16.0.0 255.240.0.0 90.0.1.1
Route outside 192.168.252.0 255.255.255.0 90.0.1.1
Crypto ipsec transform-set esp-3des esp-sha-hmac ToCorp
outside_map card crypto 10 corresponds to the Remote address
outside_map 10 peer Public_address crypto card game
card crypto outside_map 10 game of transformation-ToCorp
life safety association set card crypto outside_map 10 28800 seconds
card crypto outside_map 10 set security-association life kilobytes 4608000
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 864000
No encryption isakmp nat-traversal
tunnel-group Public_address type ipsec-l2l
IPSec-attributes tunnel-group Public_address
pre-share-key Council
ASA company Config:
the Corp_Networks object-group network
object-network 172.16.0.0 255.240.0.0
object-network 10.0.0.0 255.0.0.0
object-network 192.168.252.0 255.255.255.0
access-list allowed extensive sheep object-group Corp_Networks 10.10.10.0 ip 255.255.255.0
access-list ToRemote allowed ext object-group ip Corp_Networks 10.10.10.0 255.255.255.0
NAT (inside) 0 access-list sheep
Route outside 10.10.10.0 255.255.255.0 Public_Gateway
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
ToRemote game Dynamics-card 65530, crypto transform-set ESP-3DES-SHA
outside_map map 8-isakmp dynamic ipsec ToRemote crypto
outside_map interface card crypto outside
crypto ISAKMP policy 20
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IPSec-attributes tunnel-group DefaultL2LGroup
pre-shared-key *.
Output of remote endpoint:
ISAKMP crypto #sh her
ITS enabled: 1
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 1
1 peer IKE: Public_Address
Type: L2L role: initiator
Generate a new key: no State: MM_ACTIVE
#sh crypto ipsec his
Interface: outside
Tag crypto map: outside_map, seq num: 10, local addr: 90.0.1.203
Hawaii2Avid to access extended list ip 10.10.10.0 allow 255.255.255.0 10.0.0.0 255.0.0.0
local ident (addr, mask, prot, port): (10.10.10.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (10.0.0.0/255.0.0.0/0/0)
current_peer: Public_address
#pkts program: 616, #pkts encrypt: 616, #pkts digest: 616
#pkts decaps: 22, #pkts decrypt: 22, #pkts check: 22
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 616, #pkts comp failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0
local crypto endpt. : 90.0.1.203/4500, remote Start crypto. : Public_address/4500
Path mtu 1500, fresh ipsec generals 66, media, mtu 1500
current outbound SPI: D6A48143
current inbound SPI: E0C4F32A
SAS of the esp on arrival:
SPI: 0xE0C4F32A (3771003690)
transform: esp-3des esp-sha-hmac no compression
running parameters = {L2L, Tunnel, NAT-T program,}
slot: 0, id_conn: 36864, crypto-card: outside_map
calendar of his: service life remaining (KB/s) key: (3914994/28098)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0 x 00000000 0x007FFFFF
outgoing esp sas:
SPI: 0xD6A48143 (3601105219)
transform: esp-3des esp-sha-hmac no compression
running parameters = {L2L, Tunnel, NAT-T program,}
slot: 0, id_conn: 36864, crypto-card: outside_map
calendar of his: service life remaining (KB/s) key: (3914952/28098)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001
Tag crypto map: outside_map, seq num: 10, local addr: 90.0.1.203
Hawaii2Avid to access extended list ip 10.10.10.0 allow 255.255.255.0 172.16.0.0 255.240.0.0
local ident (addr, mask, prot, port): (10.10.10.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (172.16.0.0/255.240.0.0/0/0)
current_peer: Public_Address
#pkts program: 406, #pkts encrypt: 406, #pkts digest: 406
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 406, model of #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0
local crypto endpt. : 90.0.1.203/4500, remote Start crypto. : Public_Address/4500
Path mtu 1500, fresh ipsec generals 66, media, mtu 1500
current outbound SPI: 1BE239F9
current inbound SPI: AC615F8D
SAS of the esp on arrival:
SPI: 0xAC615F8D (2892062605)
transform: esp-3des esp-sha-hmac no compression
running parameters = {L2L, Tunnel, NAT-T program,}
slot: 0, id_conn: 36864, crypto-card: outside_map
calendar of his: service life remaining (KB/s) key: (3915000/28095)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001
outgoing esp sas:
SPI: 0x1BE239F9 (467810809)
transform: esp-3des esp-sha-hmac no compression
running parameters = {L2L, Tunnel, NAT-T program,}
slot: 0, id_conn: 36864, crypto-card: outside_map
calendar of his: service life remaining (KB/s) key: (3914973/28092)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0 x 000000000
We just seems stuck at this point and can't seem to get the traffic going back and forth, even if the tunnel does not seem to be connected. The only concern I see is pkts getting encrypted but none decrypts. It is usually something to do with the acl, but this one is pretty simple.
Thank you
-Geoff
Please check if you have any other card/LAN-to-LAN crypto configured on the ASA Corporate where the crypto ACL may overlap.
If you can share the map full encryption as well as the ACL of the ASA Corporate crypto, we can check for you.
Misspelling of the ASA remote path statement:
outdoor 10.0.0.0 255.255.255.0 90.0.1.1
I understand that you want to access the full class on the site of the company, where the road should say:
external route 10.0.0.0 255.0.0.0 90.0.1.1
Tags: Cisco Security
Similar Questions
-
PIX and ASA static, dynamic and RA VPN does not
Hello
I am facing a very interesting problem between a PIX 515 and an ASA 5510.
The PIX is in HQ and has several dynamic VPN connections (around 130) and IPsec vpn remote works very well. I had to add a PIX to ASA L2L VPN static and it does not work as it is supposed to be. The ASA 5510, at the remote end, connects and rest for a small period of time, however, all other VPN connections stop working.
The most interesting thing is that ASA is associated with the dynamic map and not the static map that I created (check by sh crypto ipsec his counterpart x.x.x.x). However, if I make any changes in the ACL 'ACL-Remote' it affects the tunnel between the PIX and ASA.
Someone saw something like that?
Here is more detailed information:
HQ - IOS 8.0 (3) - PIX 515
ASA 5510 - IOS 7.2 (3) - remote provider
Several Huawei and Cisco routers dynamically connected via ADSL
Several users remote access IPsec
A VPN site-to site static between PIX and ASA - does not.
Here is the config on the PIX:
Crypto ipsec transform-set ESP-3DES-ESP-SHA-HMAC-IPSec esp-3des esp-sha-hmac
Dyn - VPN game 100 Dynamics-card crypto transform-set ESP-3DES-ESP-SHA-HMAC-IPSec
Crypto dynamic-map Dyn - VPN 100 the value reverse-road
VPN - card 30 crypto card matches the ACL address / remote
card crypto VPN-card 30 peers set 20 x. XX. XX. XX
card crypto VPN-card 30 the transform-set ESP-3DES-ESP-SHA-HMAC-IPSec value
VPN crypto card - 100 - isakmp dynamic Dyn - VPN ipsec
interface card crypto VPN-card outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
crypto ISAKMP policy 65535
preshared authentication
3des encryption
sha hash
Group 2
life 86400
access list ACL-remote ext ip 10.0.0.0 allow 255.255.255.0 192.168.1.0 255.255.255.0
Thank you.
Marcelo Pinheiro
The problem is that the ASA has a crypto acl defined between host and network, while the remote end has to the network.
Make sure that the acl is reversed.
-
Cisco ASA and dynamic VPN L2L Fortigate configuration
I met a problem recently with an ASA 5510 (7.0) and a bunch of Fortigate 50 (3.0 MR7). The ASA is the hub and Fortigates are rays with a dynamic public IP.
I followed this document on the site Web of Cisco (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml) to set up my ASA and the parameters passed to my counterparts to set up their Fortigates.
However, the ASA journal reveals that attemtps Fortigate connection always tried with DefaultRAGroup before falling back to DefaultL2LGroup and finally died. Experience with putting in place a dynamic VPN between Cisco and Fortigate someone? Which could not fail at each end? Here's a typical piece of error log ASA. The ASA is currently having a static VPN tunnel and a site-2-client VPN in two groups by default.
6. January 10, 2011 20:58:45 | 713905: Group DefaultL2LGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
5. January 10, 2011 20:58:45 | 713201: Group = DefaultL2LGroup, IP = 116.230.243.205, in double Phase 1 detected package. Retransmit the last packet.
6. January 10, 2011 20:58:45 | 713905: Group DefaultL2LGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
5. January 10, 2011 20:58:45 | 713201: Group = DefaultL2LGroup, IP = 116.230.243.205, in double Phase 1 detected package. Retransmit the last packet.
6. January 10, 2011 20:58:41 | 713905: Group DefaultL2LGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
5. January 10, 2011 20:58:41 | 713201: Group = DefaultL2LGroup, IP = 116.230.243.205, in double Phase 1 detected package. Retransmit the last packet.
4. January 10, 2011 20:58:39 | 713903: Group = DefaultL2LGroup, IP = 116.230.243.205, ERROR, had decrypt packets, probably due to problems not match pre-shared key. Abandonment
5. January 10, 2011 20:58:39 | 713904: Group = DefaultL2LGroup, IP = 116.230.243.205, received the package of Mode main Oakley encrypted with invalid payloads, MessID = 0
6. January 10, 2011 20:58:39 | 713905: Group = DefaultRAGroup, IP = 116.230.243.205, WARNING, had decrypt packets, probably due to problems not match pre-shared key. User switching to the tunnel-group: DefaultL2LGroup
5. January 10, 2011 20:58:39 | 713904: Group = DefaultRAGroup, IP = 116.230.243.205, received the package of Mode main Oakley encrypted with invalid payloads, MessID = 0
4. January 10, 2011 20:58:33 | 713903: Group = DefaultRAGroup, IP = 116.230.243.205, error: cannot delete PeerTblEntry
3. January 10, 2011 20:58:33 | 713902: Group = DefaultRAGroup, IP = 116.230.243.205, Removing peer to peer table has no, no match!
6. January 10, 2011 20:58:33 | 713905: Group DefaultRAGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
5. January 10, 2011 20:58:33 | 713201: Group = DefaultRAGroup, IP = 116.230.243.205, in double Phase 1 detected package. Retransmit the last packet.
6. January 10, 2011 20:58:25 | 713905: Group DefaultRAGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
5. January 10, 2011 20:58:25 | 713201: Group = DefaultRAGroup, IP = 116.230.243.205, in double Phase 1 detected package. Retransmit the last packet.
6. January 10, 2011 20:58:21 | 713905: Group DefaultRAGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
5. January 10, 2011 20:58:21 | 713201: Group = DefaultRAGroup, IP = 116.230.243.205, in double Phase 1 detected package. Retransmit the last packet.
5. January 10, 2011 20:58:19 | 713904: IP = 116.230.243.205, encrypted packet received with any HIS correspondent, dropYes, sounds about right. He will try to match with the DefaultRAGroup first, and when you know that it's a dynamic IPSec in LAN-to-LAN, it will be
then back to the DefaultL2LGroup, because he doesn't know if the VPN Client or L2L again when he is contacted fist as they are connecting from dynamic IP peer.
You must ensure that your L2L tunnel-group by default has been configured with the corresponding pre-shared key.
Assuming that you have configured the dynamic map and assign to the card encryption.
Here is an example of configuration where ASA has a static and peripheral ip address pair has dynamic IP:
Hope that helps.
-
IOS: Dynamic VPN with l2tp/CVPN Client
It is possible to configure a router (12.3.9a) to accept dynamic vpn through MS l2tp (XP sp1) and Cisco VPN client (4.0.5 for XP) at the same time?
without the line 'crypto map vpn client client authentication list userauthen' 2 vpn clients work but cisco vpn client does not request a user name and password.
with this line, the l2tp MS client fails.
Here is my config:
AAA authentication login userauthen local
AAA authorization groupauthor LAN
!
VPDN enable
!
VPDN-group pino
! Default L2TP VPDN group
accept-dialin
L2tp Protocol
virtual-model 1
Force-local-chap
no authentication of l2tp tunnel
!
crypto ISAKMP policy 100
BA 3des
md5 hash
preshared authentication
Group 2
!
crypto ISAKMP policy 5000
BA 3des
preshared authentication
Group 2
isakmp encryption key * address 0.0.0.0 0.0.0.0
!
ISAKMP crypto client configuration group pino
key *.
domain test.test
pool pool_cvpn
!
Crypto ipsec transform-set esp-3des esp-sha-hmac set_3des
Crypto ipsec transform-set esp-3des esp-md5-hmac set_l2tp
transport mode
!
dynamic-map crypto CVPN 20
Set transform-set set_l2tp
match the address l2tp_acl
!
crypto dynamic-map CVPNN 10
Set transform-set set_3des
!
crypto map vpn client client authentication list userauthen
crypto map client-vpn isakmp authorization list groupauthor
address of card crypto configuration vpn-client client answer
Crypto map 10-client vpn ipsec-isakmp dynamic CVPN
Crypto map 20-customer vpn ipsec-isakmp dynamic CVPNN
Thank you
Davide
Hi David
Although it is a L2TP/dynamic IPSEC, you must have authentication configured for dynamic clients.
hope this link can clear things...
http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a00801dddbb.shtml
regds
Prem
-
I purchased Mikrotik hardware devices and want to use routeros seat firewall cisco asa establish VPN. Aims to establish that a branch may be two IPSEC VPN access devices at the headquarters of the server via the public network.
But now, I'm having some trouble, so I have cisco asa branches and headquarters to establish successful ipsec vpn.
(1) branch routeros WAN port using a private IP address and is a member of the asa above outdoor sound created vpn ipsec, vpn successfully established internal servers and I ping the switch at the headquarters of the branch. However, there is a problem, I go through routeros visit that the headquarters of the https server pages can not be opened, telnet internal switches can telnet to the top, but were unable to penetrate into the character.
(2) in addition, I left the branch routeros on a public IP address WAN port and asa VPN IPSEC created seat, said problems above are not, the server can also be accessed, telnet switch can also enter text and control.
At the present time, I have encountered this problem of interface not CAN not because I need to create of very, very many industries and the need to establish headquarters communications branch offices so I have to use private IP addresses to access the Wan, unable to do wan are public IP address and headquarters to establish IPSEC VPN.now, I can't telnet asa inside the cisco router and open the web inside https, I can't solve the problems.
now, registrants of asa:
interface GigabitEthernet0/0
nameif outside
security-level 0
IP 49.239.3.10 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
IP 172.17.0.111 255.255.255.0network of the object inside
172.17.1.0 subnet 255.255.255.0
network outsidevpn object
Subnet 192.168.0.0 255.255.0.0QQQ
NAT (inside, outside) static source inside inside destination static outsidevpn outsidevpn non-proxy-arp-search to itinerary
Route outside 0.0.0.0 0.0.0.0 49.239.3.1 1
Route inside 172.17.1.0 255.255.255.0 172.17.0.5 1Crypto ipsec transform-set esp-3des esp-md5-hmac ikev1 cisco
Crypto ipsec pmtu aging infinite - the security association
Crypto dynamic-map cisco 1000 set pfs
Crypto dynamic-map cisco 1000 set transform-set cisco ikev1
Crypto dynamic-map cisco 1000 value reverse-road
Cisco-cisco ipsec isakmp dynamic 1000 card crypto
cisco interface card crypto outside
trustpool crypto ca policy
Crypto isakmp nat-traversal 60
Crypto ikev1 allow outside
IKEv1 crypto policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 86400IPSec-attributes tunnel-group DefaultL2LGroup
IKEv1 pre-shared-key *.Hello
Could you share the output of the counterpart of its IPSec cry see the 49.239.3.10 of the other device?
Kind regards
Aditya
-
ASA 5505 8.41 dynamic configuration NAT NAT/static
Hello
I am having some problems of configuration statements NAT on my ASA5505 which has recently been upgraded to 8.41.
I have a unique dynamic IP on the external interface of the ASA and wish that all internal hosts NAT/Pat it. In addition, I would like to have multiple ports 'sent' to internal hosts, one of which is TCP/4343. With the current configuration guests originate from the external interface correctly, but the service running on TCP/4343 is not accessible from the outside. See the output of the command below:
exit "sh run object:
network of the object DrJones
Home 10.81.220.90
network of the LAN object - 10.81.220.0
10.81.220.0 subnet 255.255.255.0exit "sh run nat:
network of the object DrJones
NAT (inside, outside) interface static 4343 4343 tcp service
network of the LAN object - 10.81.220.0
NAT dynamic interface (indoor, outdoor)exit "sh run access-list":
access extensive list ip 10.81.220.0 inside_access_in allow 255.255.255.0 any
outside_access_in list extended access permit icmp any any echo response
outside_access_in list extended access permit tcp any interface outside eq 4343Any help would be appreciated, if additional information is needed please let me know and I'll post it.
Thank you in advance.
Hi Mitch,
There are two major changes between 8.3 - pre and post - 8.3.
1 NAT
2 interface Access-list.
You went directly to step 1, but have set up the pre - 8.3 outside_access_in access list.
The correct config would be:
outside_access_in list extended access permit icmp any any echo-reply //you can remove this and add inspect icmp to the overall strategy.
outside_access_in list extended access permit tcp any host 10.81.220.90 eq 43438.3 and above, the access list interface should have the real ip and not the ip translated.
I hope this helps.
-Shrikant
P.S.: Please check the question as answered if it was resolved. Note the useful messages. Thank you.
-
ASA static IP Addressing for IPSec VPN Client
Hello guys.
I use a Cisco ASA 5540 with version 8.4.I need to assign a static IP address to a VPN client. I saw in the documentation Cisco that this can be done to validate the user against the local ASA and in the user account database, you assign a dedicated IP address, or using the vpn-framed-ip-address CLI command.The problem is that the customer never gets this address and it always gets one of the pool in the political group. If I delete this pool, the client can't get any address.No idea on how to fix this or how can I give this static IP address to a specific VPN client?Thank you.Your welcome please check the response as correct and mark.
See you soon
-
VPN site to Site with ASA 5520 * please help *.
I am using two ASA 5520, and try to put up a site to site VPN. This seems to be pretty simple, but I'm on my third day of train this is up and running. Both 5520's are running the latest 9.1 (5) IOS.
Please note: I replaced it with [#1-WAN IP] and [#2-WAN IP] for WAN IP of the ASA addresses.
Thanks in advance for any help you may have.
-------------------------------------------------------------------------------------------------------------------------------------------------
ASA 5520 # 1:
Crypto ikev1 allow outside
the local object of net network
10.0.0.0 subnet 255.255.255.0net remote object network
172.20.0.0 subnet 255.255.255.0outside_1_cryptomap list of allowed ip object local net net access / remote
tunnel-group [IP #2-WAN] type ipsec-l2l
IPSec-attributes tunnel-group [#2-WAN IP]
pre-shared-key cisco123IKEv1 crypto policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
card crypto oustide_map 1 match address outside_1_cryptomap
card crypto oustide_map 1 set transform-set ESP-3DES-SHA ikev1
card crypto outside_map 1 set pfs Group1
map 1 set outside_map crypto peer [#2-WAN IP]
outside_map interface card crypto outsideNAT (inside, outside) 1 local static source net net-local destination static remote net net / remote
-------------------------------------------------------------------------------------------------------------------------------------------------
ASA 5520 #2:
Crypto ikev1 allow outside
the local object of net network
172.20.0.0 subnet 255.255.255.0net remote object network
10.0.0.0 subnet 255.255.255.0outside_1_cryptomap list of allowed ip object local net net access / remote
tunnel-group [#1-WAN IP] type ipsec-l2l
IPSec-attributes tunnel-group [#1-WAN IP]
pre-shared-key cisco123IKEv1 crypto policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
card crypto oustide_map 1 match address outside_1_cryptomap
card crypto oustide_map 1 set transform-set ESP-3DES-SHA ikev1
card crypto outside_map 1 set pfs Group1
map 1 set outside_map crypto peer [#1-WAN IP]
outside_map interface card crypto outsideNAT (inside, outside) 1 local static source net net-local destination static remote net net / remote
Try to correct the mistakes in the two configs.
In some places, you have 'oustide_map' where you need "outside_map".
-
Hi all, I'm about to replace an existing a new ASA 5510 firewall. The environment is pretty simple, just an external and internal interface. I put in correspondence configs as much as possible, but I'd like to see if there are obvious problems. I am concerned mainly with my NAT statements. Nothing in the following config (sterilized) seems out of place? Thank you!!
------------------------------------------------------------
ASA 4,0000 Version 5
!
ciscoasa hostname
enable the encrypted password xxxxxxxxxx
XXXXXXXXXX encrypted passwd
names of
!
interface Ethernet0/0
nameif outside
security-level 0
IP 40.100.2.2 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
IP 10.30.0.100 255.255.255.0
!
interface Ethernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
Shutdown
nameif management
security-level 100
IP 192.168.1.1 255.255.255.0
management only
!
boot system Disk0: / asa844-5 - k8.bin
passive FTP mode
permit same-security-traffic inter-interface
network of the 10.10.0.78 object
Home 10.10.0.78
Nospam description
network of the 10.10.0.39 object
Home 10.10.0.39
Description exch
network of the 55.100.20.109 object
Home 55.100.20.109
Description mail.oursite.com
network of the 10.10.0.156 object
Home 10.10.0.156
Description
network of the 55.100.20.101 object
Home 55.100.20.101
Description
network of the 10.10.0.155 object
Home 10.10.0.155
Ftp description
network of the 10.10.0.190 object
Home 10.10.0.190
farm www Description
network of the 10.10.0.191 object
Home 10.10.0.191
farm svc Description
network of the 10.10.0.28 object
Home 10.10.0.28
Vpn description
network of the 10.10.0.57 object
Home 10.10.0.57
Description cust.oursite.com
network of the 10.10.0.66 object
Home 10.10.0.66
Description spoint.oursite.com
network of the 55.100.20.102 object
Home 55.100.20.102
Description cust.oursite.com
network of the 55.100.20.103 object
Home 55.100.20.103
Ftp description
network of the 55.100.20.104 object
Home 55.100.20.104
Vpn description
network of the 55.100.20.105 object
Home 55.100.20.105
app www description
network of the 55.100.20.106 object
Home 55.100.20.106
app svc description
network of the 55.100.20.107 object
Home 55.100.20.107
Description spoint.oursite.com
network of the 55.100.20.108 object
Home 55.100.20.108
Description exchange.oursite.com
ICMP-type of object-group DM_INLINE_ICMP_1
response to echo ICMP-object
ICMP-object has exceeded the time
ICMP-unreachable object
Exchange_Inbound tcp service object-group
EQ port 587 object
port-object eq 993
port-object eq www
EQ object of the https port
port-object eq imap4
DM_INLINE_TCP_1 tcp service object-group
port-object eq www
EQ object of the https port
object-group service DM_INLINE_SERVICE_1
will the service object
the purpose of the tcp destination eq pptp service
the DM_INLINE_NETWORK_1 object-group network
network-object, object 10.10.0.190
network-object, object 10.10.0.191
the DM_INLINE_NETWORK_2 object-group network
network-object, object 10.10.0.156
network-object, object 10.10.0.57
DM_INLINE_TCP_2 tcp service object-group
port-object eq www
EQ object of the https port
object-group service sharepoint tcp
port-object eq 9255
port-object eq www
EQ object of the https port
outside_access_in list extended access permit icmp any any DM_INLINE_ICMP_1 object-group
outside_access_in list extended access permit tcp any object 10.10.0.78 eq smtp
outside_access_in list extended access permit tcp any object object 10.10.0.39 - Exchange_Inbound group
outside_access_in list extended access permit tcp any object-group DM_INLINE_NETWORK_2-group of objects DM_INLINE_TCP_1
outside_access_in list extended access permit tcp any object 10.10.0.155 eq ftp
outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_1 any object 10.10.0.28
outside_access_in list extended access permit tcp any object-group DM_INLINE_NETWORK_1-group of objects DM_INLINE_TCP_2
outside_access_in list extended access permit tcp any object 10.10.0.66 object-group Sharepoint
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
management of MTU 1500
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm-649 - 103.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (exterior, Interior) static source everything any static destination 55.100.20.109 10.10.0.78
NAT (exterior, Interior) static source everything any static destination 55.100.20.108 one-way 10.10.0.39
NAT (inside, outside) static source 10.10.0.39 one-way 55.100.20.109
NAT (exterior, Interior) static source everything any static destination 55.100.20.101 10.10.0.156
NAT (exterior, Interior) static source everything any static destination 55.100.20.102 10.10.0.57
NAT (exterior, Interior) static source everything any static destination 55.100.20.103 10.10.0.155
NAT (exterior, Interior) static source everything any static destination 55.100.20.104 10.10.0.28
NAT (exterior, Interior) static source everything any static destination 55.100.20.105 10.10.0.190
NAT (exterior, Interior) static source everything any static destination 55.100.20.106 10.10.0.191
NAT (exterior, Interior) static source everything any static destination 55.100.20.107 10.10.0.66
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 40.100.2.1 1
Route inside 10.10.0.0 255.255.255.0 10.30.0.1 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
Enable http server
http 192.168.1.0 255.255.255.0 management
http 10.10.0.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Telnet timeout 5
SSH 10.10.0.0 255.255.255.0 inside
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
source of NTP server outside xxxxxxxxxx
WebVPN
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the pptp
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:40cee3a773d380834b10195ffc63a02f
: end
Hello
You do nat (exterior, Interior), I'm going to do inside, outside but the configuration is always good.
The ACL configuration is fine, Nat is fine, so you should have problems,
Kind regards
Julio
-
Trying to setup VPN Dynamic tunnels site to site our ASA with a static ip address by using the correct method of Cisco. We do it for a few years, but apparently this is not the recommended method. We were advised to use the DefaultL2LGroup method.
We have the standard model, but I do not see how this will work without the access lists we used previously.
.
---------
Model
---------
Crypto ipsec transform-set esp - esp-md5-hmac RIGHT
!
Crypto-map mymap 1 transform-set RIGHT Dynamics
Crypto-map mymap Dynamics 1 the value reverse-road
10 IPSec-isakmp crypto map dyn-map mymap Dynamics
dyn-map interface card crypto outside
!
crypto ISAKMP policy 10
preshared authentication
the Encryption
md5 hash
Group 2
life 86400
!
IPSec-attributes tunnel-group DefaultL2LGroup
pre-shared-key *..
---------
Previous config to access list
---------
address the Site1 72 of the crypto dynamic-map WAN_cryptomap_59
WAN_cryptomap_59 list extended access permitted ip object HQ Site1
Hello
Please follow below document
TP: / /www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-gener...
Concerning
#Rohan
-
Dynamic VPN for a SAA with IP tunnel
Hi community.
Can someone please send a simple configuration for a SAA with dynamic IP connected to an ASA with a static IP address. I read some manuals and how to. But neither works with my ASA. All the how to are older versions of software, I use softwareversion 9.0.
Do you need a config tunnel and political group for the ASA for dynamic IP and static IP ASA.
Thanks in advance and greetings patrick
Hello
Maybe that this document could help or have you already had a look?
http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a0080bc7d13.shtml
It gives simple examples of HUB with a static public IP address and 2 sites of TALKING with dynamic public IP address. Cisco ASA and Cisco router:
In my work I rarely run in the situation where I have to configure VPNS between sites, while the other site has a dynamic IP address. Although the situations that I met were conducted using an ASA5505 as a hardware network Extension Mode client.
I should really lab installation documents a day before me also.
-Jouni
-
Truly dynamic VPN, is this possible?
Consider the situation where you have ASA 'central' hosting of several l2l IPSec tunnels.
Apart from users uses Anyconnect to connect to ASA and is granted routing profile they choose.
Y at - it * any way * to use only group AnyConnect, that would create dynamically need VPN access list basic example ldap group info.
Small example:
L2L tunnel A specific tunnel and used Anyconnect Group A, only users on ldap goup XYA are allowed
L2L tunnel B has specific tunnel and used Anyconnect Group B, only users on ldap goup XYB are allowed
If the end user has the right to connect groups A and B (belongs to groups XYA XYB), can it be managed dynamic?
Case of the real world holds hundreds of split-tunnel, it is a simple example and question, if this is possible or not?
JRA-
Hi Jari
I'm not quite sure, I understand what you want to achieve, but I think that you should be able to do using a single group and a set of rules DAP.
That is a rule that says that 'if the user is a member of the XYA then apply ACLs A', another rule "If the user is a member of the XYB then apply acl B" etc.
See
HTH
Herbert
-
Political dynamic VPN access and access to the administration
Hi all
I'm testing a scenerio with an ASA 5520 so he could authenticate VPN users against and an environment Active Directory more access to management as well. I created a dynamic access on the ASA policy indicating that, if you are a member of the Active Directory 'Managment' group continue. I have chagned the DefaultAccessPolicy to "Finish." With it, users could not connect VPN because they are not a member of this group, but access to manage the ASA is allowed due to this policy.
Is there a way through the use of dynamic access policies I can afford access to the administration (SSH, AMPS, etc.) by matching to membership in a group and will allow normal users to VPN in successfully, but not give them access to the management of the ASA?
I just try this but it seems that I should be able to swing that?
Thaks in advance.
Hello
You can try to apply the DAP and configure the filter ACL network. allowing only the protocols you want to that they can access.
Kind regards
Anisha
P.S.: Please mark this thread as answered if you feel that your query is resolved. Note the useful messages.
-
L2l VPN with NAT static to hide the IP internal on Cisco 1841 ISR
I configured a VPN L2L on a Cisco 1841 ISR. I'm statically from some of my internal hosts to IPS that are included in encrypted traffic. Please note that not all internal hosts are underway using a NAT. I am doing this for hidden some of the actual IP addresses on the inside network. I confirmed that the VPN works as well as natives of VPN traffic. I configured VPN L2L traditionally on the Cisco ASA 5500 Series devices, and this is my first attempt with HIA of 1841. I want just the other to take a glance to see if I missed something, or could I effectively part of the configuration. All comments are welcome.
VPN-RTR-01 #show run
Building configuration...Current configuration: 9316 bytes
!
version 12.4
horodateurs service debug datetime msec
Log service timestamps datetime msec
encryption password service
!
hostname VPN-RTR-01
!
boot-start-marker
boot-end-marker
!
! type map necessary for vwic/slot-slot 0/0 control
logging buffered 51200 warnings
no console logging
enable secret 5 xxxxxxxxxxxxxxx
enable password 7 xxxxxxxxxxxxxxx
!
No aaa new-model
IP cef
!
!
!
!
no ip domain search
property intellectual auth-proxy max-nodata-& 3
property intellectual admission max-nodata-& 3
!
!
Crypto pki trustpoint TP-self-signed-2010810276
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 2010810276
revocation checking no
rsakeypair TP-self-signed-2010810276
!
!
TP-self-signed-2010810276 crypto pki certificate chain
certificate self-signed 01
30820246 308201AF A0030201 02020101 300 D 0609 2A 864886 F70D0101 04050030
2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30
69666963 32303130 38313032 6174652D 3736301E 31393334 OF 30333131 170 3131
30365A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D
4F532D53 5369676E 656C662D 43 65727469 66696361 74652 32 30313038 65642D
31303237 3630819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101
8100C3FF F5EADA3B BCB06873 5577DB24 2AD8ECBB 00D53F1A 37342E2E 5CC9202A
7F128E51 016CD6EC D8734F4D 28BE8B0A FCD6B714 8D13585B 7844C09C 79BA8F13
B75E4E98 25D91F02 A4773F66 83407A8B 85447 64 A6889DD9 6085857F 737F8A9F
749F4297 8804C4F3 D28A6C33 F4137BBE 67F9B945 F239789E 1303AD6D DB98B7E2
52B 50203 010001 HAS 3 1 130101 FF040530 030101FF 30190603 0F060355 6E306C30
551 1104 12301082 0E535458 2D56504E 2 525452 2 303130 1 230418 1F060355 D
3B 232987 30168014 2CBB9DD0 B34B7243 7F8095C8 7AFBEFE3 301D 0603 551D0E04
1604143B 2329872C BB9DD0B3 4B72437F 8095C87A FBEFE330 0D06092A 864886F7
010104 05000381 8100A 831 8E05114A DE8AF6C5 4CB45914 36B6427C 42B30F07 0D
C5C47BC9 0110BCAA A985CB3F 5CBB855B B12D3225 B8021234 86D1952C 655071E4
66C18F42 F84492A9 835DE884 341B3A95 A3CED4E8 F37E7609 88F52640 741D74D2
37842 D 39 E5F2B208 0D4D57E1 C5633DEB ACDFC897 7D50683D 05B5FDAA E42714B4
DD29E815 E9F90877 4 D 68
quit smoking
username privilege 15 password 7 xxxxxxxxxxxxxxx lhocin
username privilege 15 password 7 xxxxxxxxxxxxxxx jsmith
!
!
!
!
crypto ISAKMP policy 5
BA aes 256
preshared authentication
Group 2
lifetime 28800
xxxxxxxxxxxxxxx key address 172.21.0.1 crypto ISAKMP xauth No.
!
!
Crypto ipsec transform-set ESP-AES256-SHA esp - aes 256 esp-sha-hmac
!
card crypto SITES REMOTE VPN-ipsec-isakmp 1
defined by peer 172.21.0.1
game of transformation-ESP-AES256-SHA
match address VPN-REMOTE-SITE
!
!
!
interface FastEthernet0/0
no ip address
automatic speed
full-duplex
No mop enabled
!
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
!
interface FastEthernet0/0.2
Description $FW_INSIDE$
encapsulation dot1Q 61
IP 10.1.0.34 255.255.255.224
IP access-group 100 to
IP nat inside
IP virtual-reassembly
!
interface FastEthernet0/0.3
Description $FW_OUTSIDE$
encapsulation dot1Q 111
IP 172.20.32.17 255.255.255.224
IP access-group 101 in
Check IP unicast reverse path
NAT outside IP
IP virtual-reassembly
crypto VPN-REMOTE-SITE map
!
interface FastEthernet0/1
no ip address
Shutdown
automatic duplex
automatic speed
!
IP forward-Protocol ND
IP route 0.0.0.0 0.0.0.0 172.20.32.1
IP route 10.16.0.0 255.255.0.0 10.1.0.33
IP route 10.19.0.0 255.255.0.0 10.1.0.33
IP route 10.191.0.0 255.255.0.0 10.1.0.33
IP route 10.192.0.0 255.255.0.0 10.1.0.33
IP route 192.168.20.48 255.255.255.240 10.1.0.33
!
!
IP http server
local IP http authentication
IP http secure server
IP http timeout policy inactive 600 life 86400 request 10000
IP nat inside source map route NO_NAT interface FastEthernet0/0.3 overload
IP nat inside source static 10.191.0.11 192.168.20.54 STATIC_NAT_7 card expandable route
IP nat inside source static 10.191.0.12 192.168.20.55 STATIC_NAT_8 card expandable route
IP nat inside source static 10.192.1.1 192.168.20.56 STATIC_NAT_1 card expandable route
IP nat inside source static 10.192.1.2 192.168.20.57 STATIC_NAT_2 card expandable route
IP nat inside source static 10.192.1.3 192.168.20.58 STATIC_NAT_3 card expandable route
IP nat inside source static 10.192.1.4 192.168.20.59 STATIC_NAT_4 card expandable route
IP nat inside source static 10.192.1.5 192.168.20.61 STATIC_NAT_5 card expandable route
IP nat inside source static 10.16.1.6 192.168.20.62 STATIC_NAT_6 card expandable route
!
VPN-REMOTE-SITE extended IP access list
IP 192.168.20.48 allow the host 0.0.0.15 10.174.52.39
IP 192.168.20.48 allow the host 0.0.0.15 10.174.52.40
inside_nat_static_1 extended IP access list
permit ip host 10.192.1.1 10.174.52.39
permit ip host 10.192.1.1 10.174.52.40
refuse an entire ip
inside_nat_static_2 extended IP access list
permit ip host 10.192.1.2 10.174.52.39
permit ip host 10.192.1.2 10.174.52.40
refuse an entire ip
inside_nat_static_3 extended IP access list
permit ip host 10.192.1.3 10.174.52.39
permit ip host 10.192.1.3 10.174.52.40
refuse an entire ip
inside_nat_static_4 extended IP access list
permit ip host 10.192.1.4 10.174.52.39
permit ip host 10.192.1.4 10.174.52.40
refuse an entire ip
inside_nat_static_5 extended IP access list
permit ip host 10.192.1.5 10.174.52.39
permit ip host 10.192.1.5 10.174.52.40
refuse an entire ip
inside_nat_static_6 extended IP access list
permit ip host 10.16.1.6 10.174.52.39
permit ip host 10.16.1.6 10.174.52.40
refuse an entire ip
inside_nat_static_7 extended IP access list
permit ip host 10.191.0.11 10.174.52.39
permit ip host 10.191.0.11 10.174.52.40
refuse an entire ip
inside_nat_static_8 extended IP access list
permit ip host 10.191.0.12 10.174.52.39
permit ip host 10.191.0.12 10.174.52.40
refuse an entire ip
!
access-list 100 remark self-generated by the configuration of the firewall SDM
Access-list 100 = 1 SDM_ACL category note
access-list 100 deny ip 172.20.32.0 0.0.0.31 all
access-list 100 deny ip 255.255.255.255 host everything
access-list 100 deny ip 127.0.0.0 0.255.255.255 everything
access ip-list 100 permit a whole
Remark SDM_ACL category of access list 101 = 17
access-list 101 permit udp any host 192.168.20.62
access-list 101 permit tcp any host 192.168.20.62
access-list 101 permit udp any host 192.168.20.61
access-list 101 permit tcp any host 192.168.20.61
access-list 101 permit udp any host 192.168.20.59
access-list 101 permit tcp any host 192.168.20.59
access-list 101 permit udp any host 192.168.20.58
access-list 101 permit tcp any host 192.168.20.58
access-list 101 permit udp any host 192.168.20.57
access-list 101 permit tcp any host 192.168.20.57
access-list 101 permit udp any host 192.168.20.56
access-list 101 permit tcp any host 192.168.20.56
access-list 101 permit udp any host 192.168.20.55
access-list 101 permit tcp any host 192.168.20.55
access-list 101 permit udp any host 192.168.20.54
access-list 101 permit tcp any host 192.168.20.54
access-list 101 permit ip 10.174.52.40 host 192.168.20.48 0.0.0.15
access-list 101 permit ip 10.174.52.39 host 192.168.20.48 0.0.0.15
access-list 101 permit udp host 172.21.0.1 host 172.20.32.17 eq non500-isakmp
access-list 101 permit udp host 172.21.0.1 host 172.20.32.17 eq isakmp
access-list 101 permit esp 172.21.0.1 host 172.20.32.17
access-list 101 permit ahp host 172.21.0.1 172.20.32.17
access-list 101 permit icmp any host 172.20.32.17 - response
access-list 101 permit icmp any host 172.20.32.17 time limit
access-list 101 permit icmp any unreachable host 172.20.32.17
access-list 101 permit udp any host isakmp 172.20.32.17 newspaper eq
access-list 101 permit udp any host 172.20.32.17 eq non500-isakmp
access-list 101 permit tcp any host 172.20.32.17 eq 443
access-list 101 permit tcp any host 172.20.32.17 eq 22
access-list 101 permit tcp any host 172.20.32.17 eq cmd
access-list 101 deny ip 10.1.0.32 0.0.0.31 all
access-list 101 deny ip 10.0.0.0 0.255.255.255 everything
access-list 101 deny ip 172.16.0.0 0.15.255.255 all
access-list 101 deny ip 192.168.0.0 0.0.255.255 everything
access-list 101 deny ip 127.0.0.0 0.255.255.255 everything
access-list 101 deny ip 255.255.255.255 host everything
access-list 101 deny host ip 0.0.0.0 everything
access-list 101 deny ip any any newspaper
access-list 102 deny ip 192.168.20.48 0.0.0.15 host 10.174.52.40
access-list 102 deny ip 192.168.20.48 0.0.0.15 host 10.174.52.39
access-list 102 permit ip 10.1.0.32 0.0.0.31 all
!
allowed NO_NAT 1 route map
corresponds to the IP 102
!
STATIC_NAT_8 allowed 10 route map
inside_nat_static_8 match ip address
!
STATIC_NAT_5 allowed 10 route map
inside_nat_static_5 match ip address
!
STATIC_NAT_4 allowed 10 route map
inside_nat_static_4 match ip address
!
STATIC_NAT_7 allowed 10 route map
inside_nat_static_7 match ip address
!
STATIC_NAT_6 allowed 10 route map
inside_nat_static_6 match ip address
!
STATIC_NAT_1 allowed 10 route map
inside_nat_static_1 match ip address
!
STATIC_NAT_3 allowed 10 route map
inside_nat_static_3 match ip address
!
STATIC_NAT_2 allowed 10 route map
inside_nat_static_2 match ip address
!
!
!
control plan
!
!
!
Line con 0
exec-timeout 30 0
line to 0
line vty 0 4
privilege level 15
local connection
transport input telnet ssh
line vty 5 15
privilege level 15
local connection
transport input telnet ssh
!
Scheduler allocate 20000 1000
endVPN-RTR-01 #.
Hello
Configuration looks ok to me.
yet you can cross-reference with the following link:
http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080223a59.shtml
I hope this helps.
Kind regards
Anisha
P.S.: Please mark this thread as answered if you feel that your query is resolved. Note the useful messages.
-
WebVPN ASA "Customization of help" is not up to date
Hello
I have a set the clientless VPN (WebVPN) ASA for a customer portal that you am only using the plugin RDP Protocol. I would rephrase the RDP help that appears on the RIGHT side of the screen once the user is logged in, because the text is quite vervbose and especially does not apply to my deployment (I only provided bookmarks for RDP sessions, no manual entry or navigation were allowed).
I tried to download a .htm file to the 'personalization help' for RDP but after connection via a WebVPN session the new page simply does not, all I have is the standard on the box help page.
It sounds pretty simple and I followed the steps in this document
http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a008094abcb.shtml#helpapps
I tried a lot of files with different extensions all this without a bit of luck. Y at - there are simple somehting that I'm missing or that simply not work?
I tried on 8.0 (4) and 8.4 (1) with the same results (or not), someone at - he never had any luck with this?
Thanks to all in advance.
Hello
How do import you exactly? What language option do you use? Tried "in" ASA is set to default ' fr', for other languages that the "us - in ' respective translation table necessary to add
Thank you
Asim
Maybe you are looking for
-
8000FA1 and 80003FB error codes
I TRY EVERYTHING THAT WAS TOLD TO ME AT THE END AND I STILL CAN'T GET THE UPDATES I HAVE VISTA 64 AND NO MATTER WHAT I ALWAYS DO THE SAME ERROR CODES 80003FB, 8000FA1, AND IT IS ON EVERY UPDATE THAT I'M TRYING TO DO, I MADE THE FIX BOOT AND ALSO OWN
-
Windows Vista Home Premium-reinstall using disks OEM, error file missing
My existing plant from my factory installed DVD Windows Vista Home Premium will not reinstall reinstall disks. I get a missing file error. The existing facility is a Service Pack 2 (service pak 2 update). This software has been installed on my 200
-
Don't forget not - says is een openbaar due forum private information such as E-mail bericht van telefoonnummers nooit! Ideas: Programma u lapses problems encountered Foutberichten Recent p die u aan uw computer Wat I al geprobeerd om het op clean wo
-
Difficulties to download first 2015 on Asus computer
I have an Asus ASG751JYWH71 and can download Photoshop 2015 but not first or Media Encoder. Get error messages
-
Pay the license for different user
Is it possible to pay monthly fees for Photoshop for a certain user through my account and leave the user connect via its own (new) account?