Site with dual ISPs at the branch causing problems
The topology is attached, so I'll try to be brief. Basically, what happens is that when the IP SLA on the branch's core switch fails, it injects a backup default route toward the secondary ISP for the local network (5.5.5.0/24). When this happens, 'interesting' traffic brings up a site-to-site tunnel to the HQ firewall, the same peer the primary uses (3.3.3.2). The problem is that when the IP SLA recovers and the default route switches back to the primary ISP, the same 'interesting' traffic brings up that tunnel too, so there are now two VPN tunnels up at the same time between the branch and the head end. The peer IP addresses are of course different on the branch end, but the peer at HQ is a single IP address, and the protected traffic defined for each tunnel is the same. When the primary comes back up, this causes problems reaching the branch's resources (and vice versa) until we manually clear the SA for the secondary VPN on the HQ side, or it simply expires.
I would really like to automate this, obviously, but I can't figure out how to do it cleanly (SLA tracking for the tunnels would be nice on the ASA). It is worth noting that the two ASAs at the branch are not in any kind of HA configuration - they are separate firewalls, not dependent on each other, and they share no state information. It is important that we keep this redundancy for more than just losing the Internet connection because of the ISP; we need hardware redundancy for the firewalls. For the immediate future I have changed the delays on the track for the IP SLA on the branch core switch so it is not as sensitive, but I don't think that is optimal in the long term. I'm open to any suggestion, even a redesign of the topology on the branch end if it is not expensive.
Hi Chris,
I hope you are doing well.
Indeed, there is a problem when the two VPN tunnels stay up.
I suggest you check this link, especially the part about backup VPN tunnels and the answer-only feature.
I hope it helps.
Thank you.
Tags: Cisco Security
Similar Questions
-
All of a sudden I have FTP download problems with my site in Dreamweaver?
I have used CS6 for a couple of years and all of a sudden I have a problem downloading from my site using Dreamweaver's FTP?
Maybe your host changed something on the remote server side. Have you contacted them?
Do you have enough space available on the server?
Can you download files with a 3rd-party FTP client like FileZilla?
-
ASA site-to-site VPN (with NAT) ICMP problem
Hi all!
I need to PAT traffic from 192.168.1.0/24 (via VPN) so it can reach the remote 151.1.1.0/24 through the router 192.168.123.9 in the DMZ (see diagram).
It works with this configuration, with the exception of ICMP.
This is the error: Deny inbound icmp src dmz:151.1.1.1 dst outside:192.168.123.229 (type 0, code 0)
Is there a way to do this?
Thank you all!
Marco
------------------------------------------------------------------------------------
ASA Version 8.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.1.0 remote-network
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.200.199 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.0.0.2 255.255.255.0
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 0
 ip address 192.168.123.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group network DM_INLINE_NETWORK_1
 network-object 151.1.1.0 255.255.255.0
 network-object 192.168.200.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 remote-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 remote-network 255.255.255.0
access-list VPN_NAT extended permit ip remote-network 255.255.255.0 151.1.1.0 255.255.255.0
access-list dmz_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any
pager lines 24
logging enable
logging asdm notifications
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any dmz
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 5 192.168.123.229
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.200.0 255.255.255.0
nat (outside) 5 access-list VPN_NAT outside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 10.0.0.100 1
route dmz 151.1.1.0 255.255.255.0 192.168.123.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
http remote-network 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 10.0.0.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 10.0.0.1 type ipsec-l2l
tunnel-group 10.0.0.1 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
------------------------------------------------------------------------------------
Check the link; you have two ways to let outgoing ICMP through: either an ACL or ICMP inspection.
http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
-
SSH drops in dual ISP configuration
ASA 7.2(4)
I have (unfortunately!) successfully configured a site with dual ISPs, several site-to-site VPNs (which do not fail over), port forwards, etc... The only remaining question is SSH. Before adding the 2nd ISP, SSH on the inside and outside worked as expected. When both ISP interfaces are active and traffic flows over the primary, SSH is 'flaky' on all 3 interfaces. Our monitoring tool shows it going up and down, and this is confirmed when I actually try to connect. Puzzled. Sanitized config attached, but to me the relevant part is...
ssh 0.0.0.0 0.0.0.0 inside
ssh 67.xxx.xxx.0 255.255.255.0 outside
ssh 67.xxx.xxx.0 255.255.255.0 cable
ssh timeout 15
I could maybe understand if the interface not in use timed out due to the lack of a return path, but all 3 interfaces are flaky. As soon as one of the 2 WAN interfaces is disconnected, SSH works fine on the other 2.
Thank you
Ed
Yes, the return path could be a problem. I understand that you try to SSH over the internet and not over the VPN tunnel.
Can you check whether it behaves the same way when you try to access ASDM?
Can you console into the ASA and collect a capture on the ASA's internet-facing interfaces while you try to SSH.
-
Cisco ASA5505 with dual ISP + IPsec
Hello guys,
I have a problem with dual ISP + IPsec on my Cisco ASA5505 with the Security Plus license.
Routing works OK (connecting to the Internet from siteA works through
ISP 1 and also through the second ISP), but IPsec works only through the first
ISP! It seems that phase 1 and 2 of the IPsec protocol are correct, but packets
are only encrypted and never decrypted. Do you have an idea what the problem is?
I try to ping from siteA (PC - 10.4.1.66) to siteB (PC - 10.3.128.50).
Thank you
config site A:
##########################################################################
ASA5505, ASA Version 8.2(1)
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.4.1.65 255.255.255.248
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan3
 nameif internet
 security-level 0
 ip address 212.89.235.yy 255.255.255.248
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
access-list outside_cryptomap extended permit icmp 10.4.1.64 255.255.255.248 10.3.128.0 255.255.255.0
access-list sheep extended permit ip 10.4.1.64 255.255.255.248 10.3.0.0 255.255.0.0
access-list sheep extended permit ip 10.4.1.64 255.255.255.248 10.16.0.0 255.255.0.0
access-list inside extended permit ip any any
access-list inside extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu internet 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (internet) 1 interface
nat (inside) 0 access-list sheep
nat (inside) 1 10.4.1.64 255.255.255.248
access-group internet_in in interface outside
access-group internet_in in interface internet
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1 track 1
route internet 0.0.0.0 0.0.0.0 212.89.235.yy 254
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho 212.89.229.xx interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set peer 212.89.229.xx
crypto map outside_map0 1 set transform-set ESP-AES-256-SHA
crypto map outside_map0 1 set security-association lifetime seconds 28800
crypto map outside_map0 1 set security-association lifetime kilobytes 4608000
crypto map outside_map0 2 match address outside_cryptomap_1
crypto map outside_map0 interface outside
crypto map outside_map0 interface internet
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp enable internet
crypto isakmp policy 3
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 300
!
track 1 rtr 123 reachability
telnet 10.4.1.64 255.255.255.248 inside
telnet timeout 1440
ssh 10.4.1.64 255.255.255.248 inside
ssh 212.89.229.xx 255.255.255.255 outside
ssh timeout 60
ssh version 2
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 194.160.23.2 source outside
webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
username xx
tunnel-group 212.89.229.xx type ipsec-l2l
tunnel-group 212.89.229.xx ipsec-attributes
 pre-shared-key *
siteA# sh crypto isakmp sa d

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 212.89.229.xx
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : aes-256         Hash    : SHA
    Auth    : preshared       Lifetime: 300
    Lifetime Remaining: 91

siteA# sh crypto ipsec sa
interface: internet
    Crypto map tag: outside_map0, seq num: 1, local addr: 212.89.235.yy

      access-list outside_cryptomap permit icmp 10.4.1.64 255.255.255.248 10.3.128.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.4.1.64/255.255.255.248/1/0)
      remote ident (addr/mask/prot/port): (10.3.128.0/255.255.255.0/1/0)
      current_peer: 212.89.229.xx

      #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 7, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 212.89.235.115, remote crypto endpt.: 212.89.229.2
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 2A9B550B

    inbound esp sas:
      spi: 0xCF456F65 (3477434213)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 32768, crypto-map: outside_map0
         sa timing: remaining key lifetime (kB/sec): (4374000/28629)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x2A9B550B (714822923)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 32768, crypto-map: outside_map0
         sa timing: remaining key lifetime (kB/sec): (4373999/28629)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

siteA# sh logging asdm | i 10.3.128.50
6|Sep 19 2011|10:27:37|302020: Built outbound ICMP connection for faddr 10.3.128.50/0 gaddr 10.4.1.66/1024 laddr 10.4.1.66/1024
6|Sep 19 2011|10:27:39|302021: Teardown ICMP connection for faddr 10.3.128.50/0 gaddr 10.4.1.66/1024 laddr 10.4.1.66/1024
config site B:
##########################################################################
ASA 5510, ASA Version 8.0(4)
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 212.89.229.xx 255.255.255.240
 ospf cost 10
interface Ethernet0/1.10
 vlan 10
 nameif users
 security-level 50
 ip address 10.3.128.0 255.255.255.0
access-list siteA extended permit ip 10.3.128.0 255.255.255.0 10.4.1.64 255.255.255.248
crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 9 match address siteA
crypto map outside_map 9 set peer 212.89.229.xx
crypto map outside_map 9 set transform-set ESP-AES-256-SHA
crypto map outside_map 9 set security-association lifetime seconds 28800
crypto map outside_map 9 set security-association lifetime kilobytes 4608000
crypto map outside_map 10 match address siteA
crypto map outside_map 10 set peer 212.89.235.yy
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map 10 set security-association lifetime kilobytes 4608000
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 212.89.229.xx type ipsec-l2l
tunnel-group 212.89.229.xx ipsec-attributes
 pre-shared-key *
tunnel-group 212.89.235.yy type ipsec-l2l
tunnel-group 212.89.235.yy ipsec-attributes
 pre-shared-key *
SiteB# sh crypto isakmp sa d

   Active SA: 7
    Rekey SA: 1 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 8

8   IKE Peer: 212.89.235.115
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : aes-256         Hash    : SHA
    Auth    : preshared       Lifetime: 300
    Lifetime Remaining: 245

SiteB# sh crypto ipsec sa | b 212.89.235.yy
      current_peer: 212.89.235.yy
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 212.89.229.xx, remote crypto endpt.: 212.89.235.yy
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: CF456F65

    inbound esp sas:
      spi: 0x2A9B550B (714822923)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4378624, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914999/27310)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00001FFF
    outbound esp sas:
      spi: 0xCF456F65 (3477434213)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4378624, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3915000/27308)
         IV size: 16 bytes
         replay detection support: Y

SiteB# sh logging asdm | i 10.4.1.66
6|Sep 19 2011|10:29:49|302021: Teardown ICMP connection for faddr 10.4.1.66/1024 gaddr 10.3.128.50/0 laddr 10.3.128.50/0
6|Sep 19 2011|10:29:50|302020: Built inbound ICMP connection for faddr 10.4.1.66/1024 gaddr 10.3.128.50/0 laddr 10.3.128.50/0
I'm glad this answered your question; feel free to mark the post as answered and rate useful posts.
Good day.
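As an added example (not from the post above and not Cisco code), a small Python parser that reads the 'show crypto ipsec sa' counters from both peers and names the pattern visible above: site A encapsulates but never decapsulates, while site B decapsulates but never encapsulates, which localizes the fault to B's return path rather than to IKE or to transit. The sample output is constructed in the shape of the post's output, with the post's sanitized peer addresses and illustrative counters.

```python
import re

# Constructed excerpts of 'show crypto ipsec sa' from both peers, shaped like the
# output in the post (site A over its second ISP, site B on its single outside).
# Peer addresses are the sanitized ones from the post; counters are illustrative.
SITE_A_SA = """\
interface: internet
    Crypto map tag: outside_map0, seq num: 1, local addr: 212.89.235.yy

      local ident (addr/mask/prot/port): (10.4.1.64/255.255.255.248/1/0)
      remote ident (addr/mask/prot/port): (10.3.128.0/255.255.255.0/1/0)
      current_peer: 212.89.229.xx

      #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""

SITE_B_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 212.89.229.xx

      local ident (addr/mask/prot/port): (10.3.128.0/255.255.255.0/1/0)
      remote ident (addr/mask/prot/port): (10.4.1.64/255.255.255.248/1/0)
      current_peer: 212.89.235.yy

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
      #send errors: 0, #recv errors: 0
"""


def parse_ipsec_sa(text):
    """Return one dict per 'Crypto map tag' block: peer, proxy identities, counters."""
    entries = []
    for block in re.split(r"(?m)^\s*Crypto map tag:", text)[1:]:
        head = re.match(r"\s*(\S+), seq num: (\d+), local addr: (\S+)", block)
        entry = {
            "map": head.group(1),
            "seq": int(head.group(2)),
            "local_addr": head.group(3),
            "peer": re.search(r"current_peer: (\S+)", block).group(1),
            "local_ident": re.search(r"local ident \([^)]*\): \(([^)]+)\)", block).group(1),
            "remote_ident": re.search(r"remote ident \([^)]*\): \(([^)]+)\)", block).group(1),
        }
        for key in ("encaps", "encrypt", "decaps", "decrypt"):
            entry[key] = int(re.search(r"#pkts %s: (\d+)" % key, block).group(1))
        entries.append(entry)
    return entries


def classify_sa(sa):
    """Label one SA by traffic direction: 'ok', 'send-only', 'recv-only' or 'idle'."""
    if sa["encaps"] and sa["decaps"]:
        return "ok"
    if sa["encaps"]:
        return "send-only"
    if sa["decaps"]:
        return "recv-only"
    return "idle"


def diagnose_pair(local_text, remote_text):
    """Pair each local SA with the remote SA whose proxy identities mirror it and
    say where traffic stops. Returns one finding per matched pair."""
    findings = []
    for a in parse_ipsec_sa(local_text):
        for b in parse_ipsec_sa(remote_text):
            if not (a["local_ident"] == b["remote_ident"]
                    and a["remote_ident"] == b["local_ident"]):
                continue
            ca, cb = classify_sa(a), classify_sa(b)
            if (ca, cb) == ("ok", "ok"):
                verdict = "healthy"
            elif (ca, cb) == ("send-only", "recv-only"):
                # Our packets arrive and are decrypted, but the far side never
                # encrypts a reply: check its crypto map entry order / peer
                # selection and the routing of the return traffic.
                verdict = "remote-never-encrypts-reply"
            elif (ca, cb) == ("recv-only", "send-only"):
                verdict = "local-never-encrypts-reply"
            elif (ca, cb) == ("send-only", "idle"):
                # Far side never decapsulates what we send: lost in transit.
                verdict = "forward-path-lost"
            elif (ca, cb) == ("idle", "send-only"):
                verdict = "reverse-path-lost"
            else:
                verdict = "inconclusive"
            findings.append({"local_peer": a["peer"], "remote_peer": b["peer"],
                             "local": ca, "remote": cb, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in diagnose_pair(SITE_A_SA, SITE_B_SA):
        print(f)
```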
-
Redundancy with dual ISPs on Cisco ASA site-to-site VPN
Dear supporters,
Could you help me with a configuration for the network in the attached diagram?
I would appreciate your help.
Thank you
Best regards
Hi Sothengse,
You can visit the link below and configure the ASAs at the head end and the branches according to your situation.
You must change the configuration of the example similarly at the branch ends... dual ISPs at the branch ends in your scenario...
http://networkology.NET/2013/03/08/site-to-site-VPN-with-dual-ISP-for-BA...
I hope this helps.
Regards
Knockaert
-
Site-to-site IPsec VPN for multiple sites with dual ISP failover
Hello all
I have 6 ASA 5505 in total, and I have already built failover with dual ISPs. Now I want to configure site-to-site VPN for all 3 sites. Each site has 2 firewalls.
I have just built a config for 2 sites; here is the config for a single site.
Local IP: 172.16.100.0
Public IPs: 10.5.1.101, 10.6.1.101
Remote local IP: 172.16.101.0
Remote public IPs: 10.3.1.101, 10.4.1.101
Remote local IP: 192.168.0.0
Remote public IPs: 10.1.1.101, 10.2.1.101
The tunnel configuration on the first 2 firewalls:
access-list vpn1 permit ip 172.16.100.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list backupvpn1 permit ip 172.16.100.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list vpn2 permit ip 172.16.100.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list backupvpn2 permit ip 172.16.100.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list sheep permit ip 172.16.100.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list sheep permit ip 172.16.100.0 255.255.255.0 192.168.0.0 255.255.255.0
!
!
nat (inside) 0 access-list sheep
nat (inside) 1 0.0.0.0 0.0.0.0
!
!
!
crypto isakmp enable outside
crypto isakmp enable backup
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
!
!
!
crypto ipsec transform-set my-set1 esp-3des esp-sha-hmac
crypto map outside_map 1 match address vpn1
crypto map outside_map 1 set peer 10.3.1.101
crypto map outside_map 1 set transform-set my-set1
crypto map outside_map interface outside
!
!
crypto map outside_map 2 match address backupvpn1
crypto map outside_map 2 set peer 10.4.1.101
crypto map outside_map 2 set transform-set my-set1
crypto map outside_map interface backup
!
!
!
crypto ipsec transform-set my-set2 esp-3des esp-sha-hmac
crypto map outside_map 3 match address vpn2
crypto map outside_map 3 set peer 10.1.1.101
crypto map outside_map 3 set transform-set my-set2
crypto map outside_map interface outside
!
!
crypto map outside_map 4 match address backupvpn2
crypto map outside_map 4 set peer 10.2.1.101
crypto map outside_map 4 set transform-set my-set2
crypto map outside_map interface backup
!
!
!
tunnel-group 10.3.1.101 type ipsec-l2l
tunnel-group 10.3.1.101 ipsec-attributes
 pre-shared-key cisco
 isakmp keepalive threshold 20 retry 3
!
!
tunnel-group 10.4.1.101 type ipsec-l2l
tunnel-group 10.4.1.101 ipsec-attributes
 pre-shared-key cisco
 isakmp keepalive threshold 20 retry 3
!
!
tunnel-group 10.1.1.101 type ipsec-l2l
tunnel-group 10.1.1.101 ipsec-attributes
 pre-shared-key cisco
 isakmp keepalive threshold 20 retry 3
!
!
tunnel-group 10.2.1.101 type ipsec-l2l
tunnel-group 10.2.1.101 ipsec-attributes
 pre-shared-key cisco
 isakmp keepalive threshold 20 retry 3
!
!
mtu backup 1500
If this is correct, what should I configure on the other side where I want the tunnel to terminate? Does my crypto map match address name vpn1 have to match on the other side or not?
Any suggestion is welcome...
Thank you...
What I mean by routing is a routing protocol or static routes, so the ASA can choose between interfaces to establish the tunnel.
If the ASA has the crypto map applied to two interfaces, then one should be used as primary and the other as backup.
How will the ASA choose which one is better? Via routing.
If you use a routing protocol, the ASA will know which interface to send packets out of every time, but if you use static routes, you need to change the metric and configure IP SLA.
Federico.
-
1921 router with dual ADSL NAT problem
I have problems implementing a 1921 router with dual ADSL lines for failover. For some reason all internet traffic keeps using Dialer1 as the main internet connection, while Dialer2 should be primary. Also, when I build my NAT with a permit-any ACL, it translates the public IP address of Dialer2 to Dialer1's before sending it to the internet.
This is my config:
!
interface GigabitEthernet0/0
 description Voice netwerk
 ip address 192.168.77.254 255.255.255.0
 ip helper-address 192.168.177.1
 ip helper-address 192.168.177.254
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1400
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description Inside interface
 ip address 192.168.177.254 255.255.255.0
 ip mtu 1492
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1400
 duplex auto
 speed auto
!
interface ATM0/0/0
 description Tele2 ADSL 1/10 Mb
 no ip address
 no atm ilmi-keepalive
 pvc 0/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface Ethernet0/0/0
 no ip address
 shutdown
!
interface ATM0/1/0
 no ip address
 no atm ilmi-keepalive
!
interface Ethernet0/1/0
 description KPN VDSL 5/50 Mb
 no ip address
!
interface Ethernet0/1/0.6
 description KPN VDSL
 encapsulation dot1Q 6
 pppoe enable group global
 pppoe-client dial-pool-number 2
 service-policy output parent-policy
!
interface Dialer1
 description Tele2 ADSL
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1400
 dialer pool 1
 ppp authentication chap callin
 ppp pap sent-username *
 no cdp enable
 crypto map SAL_map
!
interface Dialer2
 description KPN VDSL
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1400
 load-interval 30
 dialer pool 2
 ppp authentication pap callin
 ppp pap sent-username *
 no cdp enable
 crypto map SAL_map_VDSL
!
ip nat inside source route-map sheep interface Dialer1 overload
ip nat inside source route-map nonat2 interface Dialer2 overload
ip route 0.0.0.0 0.0.0.0 Dialer2 track 1
ip route 0.0.0.0 0.0.0.0 Dialer1 254
!
ip sla auto discovery
ip sla 10
 icmp-echo 62.69.174.75 source-interface Dialer2
 timeout 30000
 frequency 30
ip sla schedule 10 life forever start-time now
!
access-list 102 deny ip 192.168.177.0 0.0.0.255 host 192.168.1.249
access-list 102 deny ip 192.168.178.0 0.0.0.255 host 192.168.1.249
access-list 102 deny ip 192.168.179.0 0.0.0.255 host 192.168.1.249
access-list 102 deny ip 192.168.177.0 0.0.0.255 172.28.1.0 0.0.0.255
access-list 102 deny ip any 192.168.255.0 0.0.0.255
access-list 102 deny ip any 192.168.254.0 0.0.0.255
access-list 102 deny ip 192.168.177.0 0.0.0.255 192.168.179.0 0.0.0.255
access-list 102 deny ip 192.168.177.0 0.0.0.255 192.168.178.0 0.0.0.255
access-list 102 deny ip 192.168.177.0 0.0.0.255 192.168.79.0 0.0.0.255
access-list 102 deny ip 192.168.177.0 0.0.0.255 192.168.78.0 0.0.0.255
access-list 102 deny ip 192.168.77.0 0.0.0.255 192.168.179.0 0.0.0.255
access-list 102 deny ip 192.168.77.0 0.0.0.255 192.168.178.0 0.0.0.255
access-list 102 deny ip 192.168.77.0 0.0.0.255 192.168.79.0 0.0.0.255
access-list 102 deny ip 192.168.77.0 0.0.0.255 192.168.78.0 0.0.0.255
access-list 102 permit ip 192.168.177.0 0.0.0.255 any
access-list 102 permit ip 192.168.77.0 0.0.0.255 any
!
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
route-map nonat2 permit 10
 match ip address 102
 set interface Dialer2
!
route-map sheep permit 10
 match ip address 102
 set interface Dialer1
The ACL is built to exclude some private IPs that are IPsec VPN destinations.
Any suggestions on what I'm missing? It must use Dialer2 as the primary internet connection and fail over to Dialer1 if the IP SLA fails. The SLA config seems to work properly:
sh ip route
S*    0.0.0.0/0 is directly connected, Dialer2
      84.0.0.0/32 is subnetted, 1 subnets
C        84.246.25.231 is directly connected, Dialer1
      145.131.0.0/32 is subnetted, 1 subnets
C        145.131.131.112 is directly connected, Dialer2
      192.168.77.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.77.0/24 is directly connected, GigabitEthernet0/0
L        192.168.77.254/32 is directly connected, GigabitEthernet0/0
      192.168.177.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.177.0/24 is directly connected, GigabitEthernet0/1
L        192.168.177.254/32 is directly connected, GigabitEthernet0/1
      192.168.254.0/24 is variably subnetted, 2 subnets, 2 masks
S        192.168.254.0/24 is directly connected, Dialer2
S        192.168.254.37/32 [1/0] via 77.241.229.241
S     192.168.255.0/24 is directly connected, Dialer1
      212.121.121.0/32 is subnetted, 1 subnets
C        212.121.121.183 is directly connected, Dialer2
      213.144.228.0/32 is subnetted, 1 subnets
C        213.144.228.72 is directly connected, Dialer1
http://docwiki.Cisco.com/wiki/category:NAT
The above document says "Beware of using an ACL for NAT with 'permit ip any any'; you can get unpredictable results." I suggest using "route-map sheep/nonat2 permit 20" instead of "permit ip any any".
For the rest, change the config as follows:
!
ip sla 10
 icmp-echo 8.8.8.8 source-interface Dialer2
 timeout 30000
 frequency 30
ip sla schedule 10 life forever start-time now
!
ip route 8.8.8.8 255.255.255.255 Dialer2 permanent
!
!
route-map nonat2 permit 10
 match ip address 102
 match interface Dialer2
!
route-map sheep permit 10
 match ip address 102
 match interface Dialer1
!
ip nat inside source route-map sheep interface Dialer1 overload
ip nat inside source route-map nonat2 interface Dialer2 overload
!
event manager applet NAT-TRACK
 event track 1 state any
 action 0.1 cli command "enable"
 action 0.2 wait 2
 action 0.3 cli command "clear ip nat translation forced"
 action 0.4 syslog msg "NAT translation cleared after track state change"
!
-Ginette
-
I have Lightroom 4.4 on my Mac laptop. It came with the purchase of a Leica camera. When I check for updates, the answer is that there is no update available. Can I download version 5.7 from Adobe's website with no problems?
Your license for the 4.4 release will not work with version 5.7. You can no doubt download it, but if you do not have a license for version 5.7 then downloading it won't do much good. If you do not have a license for it, you won't be able to use it beyond the trial period.
-
I have problems uploading a website with more than 100 pages. The upload is stuck at 6%. Does Muse have a page limit? I use Adobe Muse CC 2014 v7.4
Is 425 the error you have been getting all along? That looks like a firewall or router problem, or a server-side hosting configuration problem.
-
I have a problem uploading a website from Muse - the following seems to be the problem - "Unable to validate that the specified domain is associated with the FTP server and folder." Still:
In Adobe Help, it tells me to download and extract the ftppefs.xml file - it's supposed to be found in Mac/Library/Preferences/Adobe/Adobe Muse CC/20141, and to paste it into this folder.
I checked this location and there is no such file. I have re-installed Muse but the preference file doesn't show up - where can I get it?
Daryl
Please check that the domain used in the domain and server fields is entered correctly; that can be the reason for the missing field.
Thank you
Sanjit
-
I'm on Windows 7 64-bit and when I try to bookmark a site by double-clicking the star icon in the address bar, the bookmark box flickers on and off and then disappears. I did some research and found that the default theme is the cause. I installed a different theme and the problem goes away, but that's why I don't know the root cause. Anyone with ideas on how to solve this problem? I like the default theme!
Try unchecking the box next to 'Use hardware acceleration when available' in the Options. Worked for me!
-
How will I be informed when entering and leaving a site with a secure server
I can't find where to set the option for this. I could in Firefox 3.6.
Firefox 3.6 gives me a pop-up that says I'm entering or leaving a site with a secure server. It's under SETTINGS in the Warning Messages section of the Security tab in the Options window. When you push the SETTINGS button, a number of checkboxes allow different settings. I can't find it in Firefox 8.
The settings for the 5 Warning Messages have been removed from the Security section in Firefox 4 and newer versions. These settings should be accessible through about:config now. So you're looking for the first and the third in the list below, "Former settings in Firefox 3.6 on the Security panel".
See: http://kb.mozillazine.org/About:config
- type of topic: config in the URL bar and press the Enter key.
- If you see a cautionary, accept it (promise to be careful)
- Filter = security.warn_
- Double-click the pref in the lower panel on the subject: config display to toggle to true or false according to the descriptions below (scroll down to security.warn to see these particular preferences)
Parameters of the ancients in Firefox 3.6 on the Security Panel
Display a dialog warning when:- I'm about to view an encrypted page
- Pref: security.warn_entering_secure
- I'm about to view a page that uses low-grade encryption
- Pref: security.warn_entering_weak
- I leave a page encrypted to one that is not encrypted
- Pref: security.warn_leaving_secure
- I submit, information that is not encrypted
- Pref: security.warn_submit_insecure
- I'm about to view an encrypted page that contains unencrypted information
- Pref: security.warn_viewing_mixed
If this answer solved your problem, please click 'Solved It' next to this response when logged in to the forum.
Not related to your question, but...
You may need to update some plug-ins. Check your plug-ins and update if necessary:
- Plugin check-> http://www.mozilla.org/en-US/plugincheck/
- Adobe Shockwave for Director Netscape plug-in: install (or update) the Shockwave plugin in Firefox
- Adobe PDF plugin for Firefox and Netscape: install/update Adobe Reader in Firefox
- Shockwave Flash (Adobe Flash or Flash): update Flash in Firefox
- Next-generation Java plug-in for the Mozilla browser: install or update Java in Firefox
-
If I go on a site with video, it stops and a sound is heard. It crashes sometimes. These are the messages I had:
Stop: 0x0000008E (0x805BC1E9, 0xBA287C7C, 0xC0000005, 0x00000000)
ALSO
BCCode: 1000008e BCP1: C0000005 BCP2: 805BC1E9 BCP3: BA287C7C
BCP4: 00000000 OSVer: 5_1_2600 SP: 3_0 Product: 256_1

Please provide additional information on your system:
What is your system brand and model?
What is your version of XP and the Service Pack?
Describe your current antivirus and anti-malware software situation: McAfee, Norton, Spybot, AVG, Avira!, Defender, ZoneAlarm, PC Tools, MSE, Comodo, etc.
Click Start, Run and enter in the box:
Msinfo32
Click OK and when the System Information summary appears, click Edit, Select All, Copy, and then paste the information here.
For information about video drivers, expand Components, click Display, click Edit, Select All, Copy and then paste the information here.
For more audio information, expand Components, click Sound Device, click Edit, Select All, Copy and then paste the information here.
There will be some personal information (such as the user name and the system name); simply delete anything from the pasted information that you consider private.
This will minimize back-and-forth Q & A and eliminate guesswork.
Download BlueScreenView here:
Unzip it and run it (BSV installs nothing) and let it finish scanning all of your dump files.
If you double-click on a dump, you will get information on it (including the Caused By Driver field) and you should be able to spot the problem right away - especially if you see a pattern across dumps where the Caused By Driver field is the same (start with that driver).
Select (highlight) one or more of the most recent dump files by clicking on them; hold down the CTRL key to select multiple files. Try to select only the most recent ones that relate to your problem (perhaps five or six dump files to start).
Click File, Save Selected Items and save the information from the dumps to a text file on your desktop called BSOD.txt.
Open BSOD.txt with a text editor, copy the text and paste it in your next reply.
Here's an example of a BSV report for a single BSOD I initiated on purpose, which indicates the cause of the crash as the driver i8042prt.sys belonging to Microsoft Corporation:
==================================================
Dump File: Mini062110-01.dmp
Crash Time: 21/06/2010 11:51:31
Bug Check String: MANUALLY_INITIATED_CRASH
Bug Check Code: 0x000000e2
Parameter 1: 0x00000000
Parameter 2: 0x00000000
Parameter 3: 0x00000000
Parameter 4: 0x00000000
Caused By Driver: i8042prt.sys
Caused By Address: i8042prt.sys+27fb
File Description: i8042 Port Driver
Product Name: Microsoft® Windows® Operating System
Company: Microsoft Corporation
File Version: 5.1.2600.5512 (xpsp.080413-2108)
Processor: 32-bit
Computer Name:
Full Path: C:\WINDOWS\minidump\Mini062110-01.dmp
==================================================
Send the information from the last 5 memory dumps.
No matter what you use for protection against malware, please follow these steps:
Download, install, update and do a full scan with these free malware detection programs:
Malwarebytes (MBAM): http://malwarebytes.org/
SUPERAntiSpyware (SAS): http://www.superantispyware.com/
They can be uninstalled later if you wish.
Do not guess what the problem might be - understand and resolve it. I need YOUR votes and points for helpful answers and proposed answers. I'm saving for a pony!
-
Mobile site with Muse not recognized once uploaded - ideas?
First time I made a mobile site with Muse and I thought it would work just as well as the rest did. I made sure to optimize everything, but after uploading the mobile site to my ISP, when I try to visit it on my phone I get the message '404 - page not found.'
I checked the desktop index page and under the head the code is:
<script src="scripts/museredirect.js?3859090011" type="text/javascript"></script>
<script type="text/javascript">
Muse.Redirect.redirect('desktop', '', 'phone/index.html', '');
</script>
Does this code look good to you? Am I missing something?
Thanks for your help
Mark
In addition, if a new Muse site is published on the same server in another subdirectory, it throws a 404 error too when accessed via a mobile device, so I suspect it might be something to do with the configuration of your server. If you happen to have a different hosting account/server for testing, can you try publishing to it and see if you are able to reproduce the problem?
Also, I noticed that the homepage, for example http://www.msugarman.com/index.html (which is not built in Muse), redirects automatically to a mobile version of the site when accessed through a mobile device (and the redirection does not seem to be JS based), which probably means that you have a server-side device detection and redirection mechanism in place which is most likely coming into conflict with the JS based device redirection, leading to a 404 error for Muse pages when accessed through mobile. A cookie (at the site level) named is_mobile is also created on your site with a value of 0 or 1 depending on whether the visitor has accessed a page on your site via mobile phone or desktop.
If the above is true, I would suggest disabling the server-side redirects for mobile devices, or contact your webhost for any response on this. Let me know how it goes!
Thank you
Vinayak