Branch site with dual ISPs: VPN tunnel problems

The topology is attached, so I'll try to be brief.  Basically what happens is that when the IP SLA on the branch's main switch fails, it injects a backup default route towards the secondary ISP for the local network (5.5.5.0/24).  When that happens, 'interesting' traffic brings up a site-to-site tunnel to the HQ FW, the same FW the primary uses (3.3.3.2).  The problem is that when the IP SLA recovers and switches the default route back to the primary ISP, the same 'interesting' traffic brings up that tunnel as well, so there are now two tunnels up at the same time on the VPN head-end for the branch.  The peer IP addresses are of course different on the branch end, but the peer at HQ is a single IP address, and the protected traffic defined for each does not change.  When the primary comes back up, this causes problems reaching the branch's resources (and vice versa) until we manually clear the SA for the secondary VPN on the HQ side, or it simply expires.

I would obviously like to automate this, but I can't figure out how to do it cleanly (an SLA for the tunnels on the ASA would be nice).  It is worth noting that the two ASAs at the branch are not in any kind of HA configuration: they are separate firewalls, not dependent on each other, and they share no state information. It is important that we keep this redundancy, because it is for more than just losing the INET connection because of the ISP; we need hardware redundancy for the firewalls. For the immediate future, I changed the delays on the track for the IP SLA on the branch's central switch so it is not as sensitive, but I don't think that is optimal in the long term. I'm open to any suggestion, even a redesign of the topology on the branch end if it is not expensive.

Hi Chris,

I hope you are doing well.

Indeed, there is a problem when the two VPN tunnels stay up.

I suggest you check this link, especially the part about backup VPN tunnels and the answer-only feature.

http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00805a87f7.shtml#backup

I hope it helps.

Thank you.
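One way to automate the manual step the question ends with (working out which of the two HQ-side SAs is the stale one and producing the clear command for it), added here as an example and not part of the original thread. It reads the text format of the ASA's `show crypto ipsec sa` output and needs two samples taken some time apart, because the cumulative counters of the older SA are always larger; only the SA whose decaps counter is still moving is carrying the branch's traffic. The HQ peer 3.3.3.2 and the branch network 5.5.5.0/24 come from the question; the HQ LAN 10.10.10.0/24, the branch peer addresses 1.1.1.2 and 2.2.2.2, the crypto map name and the packet counts in the sample are constructed for this example.

```python
"""Find stale duplicate IPsec SAs in ASA 'show crypto ipsec sa' output (added example)."""
import re
from dataclasses import dataclass


@dataclass
class IpsecSa:
    crypto_map: str
    seq: int
    local_ident: str
    remote_ident: str
    peer: str
    encaps: int
    decaps: int


ENTRY_RE = re.compile(r"Crypto map tag: (?P<map>\S+), seq num: (?P<seq>\d+)")


def parse_ipsec_sa(text):
    """One IpsecSa per crypto map entry, in the order the ASA prints them."""
    sas = []
    heads = list(ENTRY_RE.finditer(text))
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[head.end():end]

        def field(pattern, default=""):
            hit = re.search(pattern, body)
            return hit.group(1) if hit else default

        sas.append(IpsecSa(
            crypto_map=head.group("map"),
            seq=int(head.group("seq")),
            local_ident=field(r"local ident \(addr/mask/prot/port\): \((\S+)\)"),
            remote_ident=field(r"remote ident \(addr/mask/prot/port\): \((\S+)\)"),
            peer=field(r"current_peer: (\S+)"),
            encaps=int(field(r"#pkts encaps: (\d+)", "0")),
            decaps=int(field(r"#pkts decaps: (\d+)", "0")),
        ))
    return sas


def _moved(old, new):
    """Decaps delta between the two samples. An SA that was not in the first sample, or whose
    counter went backwards, was just built (failback, rekey or clear) and counts as active."""
    if old is None or new < old:
        return max(new, 1)
    return new - old


def find_stale_sas(before, after):
    """SAs that protect the same traffic as another SA to a different peer and received nothing
    between the samples while their sibling did. If neither moved, nothing is reported."""
    prev = {(sa.crypto_map, sa.seq, sa.peer): sa.decaps for sa in before}
    groups = {}
    for sa in after:
        groups.setdefault((sa.local_ident, sa.remote_ident), []).append(sa)
    stale = []
    for group in groups.values():
        if len({sa.peer for sa in group}) < 2:
            continue
        delta = {sa.peer: _moved(prev.get((sa.crypto_map, sa.seq, sa.peer)), sa.decaps) for sa in group}
        if not any(d > 0 for d in delta.values()):
            continue
        stale.extend(sa for sa in group if delta[sa.peer] == 0)
    return stale


def clear_commands(stale):
    """ASA commands that tear down only the stale peer's IPsec SAs."""
    return [f"clear crypto ipsec sa peer {sa.peer}" for sa in stale]


def _sample(entries):
    """Constructed output in the ASA's own layout, one (seq, peer, encaps, decaps) per entry."""
    out = ["interface: outside"]
    for seq, peer, encaps, decaps in entries:
        out.append(
            f"    Crypto map tag: outside_map, seq num: {seq}, local addr: 3.3.3.2\n\n"
            "      local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)\n"
            "      remote ident (addr/mask/prot/port): (5.5.5.0/255.255.255.0/0/0)\n"
            f"      current_peer: {peer}\n\n"
            f"      #pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest: {encaps}\n"
            f"      #pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify: {decaps}\n"
        )
    return "\n".join(out)


# Two samples a minute apart: the older SA to 2.2.2.2 has the larger totals but stopped
# receiving once the branch routed back through the primary ISP (peer 1.1.1.2).
SNAPSHOT_BEFORE = _sample([(10, "1.1.1.2", 500, 480), (20, "2.2.2.2", 900, 870)])
SNAPSHOT_AFTER = _sample([(10, "1.1.1.2", 560, 540), (20, "2.2.2.2", 930, 870)])

if __name__ == "__main__":
    stale = find_stale_sas(parse_ipsec_sa(SNAPSHOT_BEFORE), parse_ipsec_sa(SNAPSHOT_AFTER))
    for cmd in clear_commands(stale):
        print(cmd)
```

Collect `show crypto ipsec sa` twice from the HQ ASA (over SSH or from the ASDM command tool), run both through `parse_ipsec_sa` and hand the lists to `find_stale_sas`; the `clear crypto ipsec sa peer` command it produces removes only the stale peer's SAs, which is the manual step described in the question. A pair where neither SA moved is left alone rather than guessed at.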

Tags: Cisco Security

Similar Questions

  • I suddenly have FTP download problems on my site with Dreamweaver?

    I have used CS6 for a couple of years and all of a sudden I have a problem downloading from my site using Dreamweaver's FTP?

    Maybe your host changed something on the remote server side.  Have you contacted them?

    Do you have enough space available on the server?

    Can you download files with a 3rd-party FTP client like FileZilla?

  • ASA VPN site-to-site (with NAT) ICMP problem

    Hi all!

    I need to PAT traffic from 192.168.1.0/24 (via VPN) so it can reach the remote 151.1.1.0/24 through the 192.168.123.9 router in the DMZ (see diagram).

    It works with this configuration, with the exception of ICMP.

    This is the error: Deny inbound icmp src dmz:151.1.1.1 dst outside:192.168.123.229 (type 0, code 0)

    Is there a way to do this?

    Thank you all!

    Marco

    ------------------------------------------------------------------------------------

    ASA Version 8.2(2)
    !
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 192.168.1.0 remote-network
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.200.199 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 10.0.0.2 255.255.255.0
    !
    interface Vlan3
     no forward interface Vlan1
     nameif dmz
     security-level 0
     ip address 192.168.123.1 255.255.255.0
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
     switchport access vlan 3
    !
    ftp mode passive
    dns server-group DefaultDNS
     domain-name default.domain.invalid
    object-group network DM_INLINE_NETWORK_1
     network-object 151.1.1.0 255.255.255.0
     network-object 192.168.200.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 remote-network 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 remote-network 255.255.255.0
    access-list VPN_NAT extended permit ip remote-network 255.255.255.0 151.1.1.0 255.255.255.0
    access-list dmz_access_in extended permit icmp any any
    access-list outside_access_in extended permit icmp any any
    pager lines 24
    logging enable
    logging asdm notifications
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any dmz
    asdm image disk0:/asdm-625.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (dmz) 5 192.168.123.229
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 192.168.200.0 255.255.255.0
    nat (outside) 5 access-list VPN_NAT outside
    access-group outside_access_in in interface outside
    access-group dmz_access_in in interface dmz
    route outside 0.0.0.0 0.0.0.0 10.0.0.100 1
    route dmz 151.1.1.0 255.255.255.0 192.168.123.9 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 0.0.0.0 0.0.0.0 inside
    http remote-network 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer 10.0.0.1
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    tunnel-group 10.0.0.1 type ipsec-l2l
    tunnel-group 10.0.0.1 ipsec-attributes
     pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    ------------------------------------------------------------------------------------

    Review the link; you have two ways to allow the return traffic of outbound ICMP: an ACL or ICMP inspection.

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

  • SSH stops working in a dual-ISP configuration

    ASA 7.2(4)

    I have (unfortunately!) properly configured a site with dual ISPs, several site-to-site VPNs (which do not fail over), port forwards, etc... The only remaining question is SSH. Before adding a 2nd ISP, SSH on the inside and outside worked well, as expected. When both ISP interfaces are active and traffic flows over the primary, SSH 'flaps' on all 3 interfaces. The monitoring tool shows it going up and down, and this is confirmed when I actually try to connect to it. Puzzled. Sanitized config attached, but for me the relevant part is...

    ssh 0.0.0.0 0.0.0.0 inside
    ssh 67.xxx.xxx.0 255.255.255.0 outside
    ssh 67.xxx.xxx.0 255.255.255.0 cable
    ssh timeout 15

    I could maybe understand it if the interface not in use timed out due to the lack of a return path, but all 3 interfaces are failing. As soon as one of the 2 WAN interfaces is disconnected, SSH works fine on the other 2.

    Thank you

    Ed

    Yes, the return path could be a problem. I understand that you are trying to SSH over the internet and not over the VPN tunnel.

    Can you check whether it behaves the same way when you try to access ASDM?

    Can you console into the ASA and collect a capture on the ASA's internet-facing interfaces while you try to SSH?

  • Cisco ASA5505 with dual ISP + IPsec

    Hello guys,

    I have a problem with dual ISP + IPsec on my Cisco ASA5505 with Security Plus license.

    Routing works OK (connecting to the Internet from siteA works through the second ISP as well), but IPsec works only through the first ISP! It seems that phase 1 and phase 2 of the IPsec protocol are correct, but packets are only encrypted, not decrypted. Do you have an idea what the problem is?

    I am trying to ping from siteA (PC 10.4.1.66) to siteB (PC 10.3.128.50).

    Thank you

    config site A:

    ##########################################################################

    ASA Version 8.2(1)
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 10.4.1.65 255.255.255.248
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 192.168.1.2 255.255.255.0
    !
    interface Vlan3
     nameif internet
     security-level 0
     ip address 212.89.235.yy 255.255.255.248
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
     switchport access vlan 3
    !
    access-list outside_cryptomap extended permit icmp 10.4.1.64 255.255.255.248 10.3.128.0 255.255.255.0
    access-list sheep extended permit ip 10.4.1.64 255.255.255.248 10.3.0.0 255.255.0.0
    access-list sheep extended permit ip 10.4.1.64 255.255.255.248 10.16.0.0 255.255.0.0
    access-list inside extended permit ip any any
    access-list inside extended permit icmp any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu internet 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-621.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (internet) 1 interface
    nat (inside) 0 access-list sheep
    nat (inside) 1 10.4.1.64 255.255.255.248
    access-group internet_in in interface outside
    access-group internet_in in interface internet
    route outside 0.0.0.0 0.0.0.0 192.168.1.1 1 track 1
    route internet 0.0.0.0 0.0.0.0 212.89.235.yy 254
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sla monitor 123
     type echo protocol ipIcmpEcho 212.89.229.xx interface outside
     num-packets 3
     frequency 10
    sla monitor schedule 123 life forever start-time now
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 3600
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map0 1 match address outside_cryptomap
    crypto map outside_map0 1 set peer 212.89.229.xx
    crypto map outside_map0 1 set transform-set ESP-AES-256-SHA
    crypto map outside_map0 1 set security-association lifetime seconds 28800
    crypto map outside_map0 1 set security-association lifetime kilobytes 4608000
    crypto map outside_map0 2 match address outside_cryptomap_1
    crypto map outside_map0 interface outside
    crypto map outside_map0 interface internet
    crypto isakmp identity hostname
    crypto isakmp enable outside
    crypto isakmp enable internet
    crypto isakmp policy 3
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 300
    !
    track 1 rtr 123 reachability
    telnet 10.4.1.64 255.255.255.248 inside
    telnet timeout 1440
    ssh 10.4.1.64 255.255.255.248 inside
    ssh 212.89.229.xx 255.255.255.255 outside
    ssh timeout 60
    ssh version 2
    console timeout 0
    management-access inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 194.160.23.2 source outside
    webvpn
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol IPSec l2tp-ipsec
    username xx
    tunnel-group 212.89.229.xx type ipsec-l2l
    tunnel-group 212.89.229.xx ipsec-attributes
     pre-shared-key *

    siteA# sh crypto isakmp sa d

       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1

    1   IKE Peer: 212.89.229.xx
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE
        Encrypt : aes-256         Hash    : SHA
        Auth    : preshared       Lifetime: 300
        Lifetime Remaining: 91

    siteA# sh crypto ipsec sa
    interface: internet
        Crypto map tag: outside_map0, seq num: 1, local addr: 212.89.235.yy

          access-list outside_cryptomap permit icmp 10.4.1.64 255.255.255.248 10.3.128.0 255.255.255.0
          local ident (addr/mask/prot/port): (10.4.1.64/255.255.255.248/1/0)
          remote ident (addr/mask/prot/port): (10.3.128.0/255.255.255.0/1/0)
          current_peer: 212.89.229.xx

          #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
          #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 7, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt.: 212.89.235.115, remote crypto endpt.: 212.89.229.2

          path mtu 1500, ipsec overhead 74, media mtu 1500
          current outbound spi: 2A9B550B

        inbound esp sas:
          spi: 0xCF456F65 (3477434213)
             transform: esp-aes-256 esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 32768, crypto-map: outside_map0
             sa timing: remaining key lifetime (kB/sec): (4374000/28629)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
        outbound esp sas:
          spi: 0x2A9B550B (714822923)
             transform: esp-aes-256 esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 32768, crypto-map: outside_map0
             sa timing: remaining key lifetime (kB/sec): (4373999/28629)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001

    siteA# sh logging asdm | i 10.3.128.50
    6|Sep 19 2011|10:27:37|302020: Built outbound ICMP connection for faddr 10.3.128.50/0 gaddr 10.4.1.66/1024 laddr 10.4.1.66/1024
    6|Sep 19 2011|10:27:39|302021: Teardown ICMP connection for faddr 10.3.128.50/0 gaddr 10.4.1.66/1024 laddr 10.4.1.66/1024

    config site B:

    ##########################################################################

    ASA Version 8.0(4)
    !
    interface Ethernet0/0
     nameif outside
     security-level 0
     ip address 212.89.229.xx 255.255.255.240
     ospf cost 10
    !
    interface Ethernet0/1.10
     vlan 10
     nameif users
     security-level 50
     ip address 10.3.128.0 255.255.255.0
    !
    access-list siteA extended permit ip 10.3.128.0 255.255.255.0 10.4.1.64 255.255.255.248
    crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 3600
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 9 match address siteA
    crypto map outside_map 9 set peer 212.89.229.xx
    crypto map outside_map 9 set transform-set ESP-AES-256-SHA
    crypto map outside_map 9 set security-association lifetime seconds 28800
    crypto map outside_map 9 set security-association lifetime kilobytes 4608000
    crypto map outside_map 10 match address siteA
    crypto map outside_map 10 set peer 212.89.235.yy
    crypto map outside_map 10 set transform-set ESP-AES-256-SHA
    crypto map outside_map 10 set security-association lifetime seconds 28800
    crypto map outside_map 10 set security-association lifetime kilobytes 4608000
    crypto isakmp policy 20
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    tunnel-group 212.89.229.xx type ipsec-l2l
    tunnel-group 212.89.229.xx ipsec-attributes
     pre-shared-key *
    tunnel-group 212.89.235.yy type ipsec-l2l
    tunnel-group 212.89.235.yy ipsec-attributes
     pre-shared-key *

    SiteB# sh crypto isakmp sa d

       Active SA: 7
        Rekey SA: 1 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 8

    8   IKE Peer: 212.89.235.115
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE
        Encrypt : aes-256         Hash    : SHA
        Auth    : preshared       Lifetime: 300
        Lifetime Remaining: 245

    SiteB# sh crypto ipsec sa | b 212.89.235.yy
          current_peer: 212.89.235.yy

          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt.: 212.89.229.xx, remote crypto endpt.: 212.89.235.yy

          path mtu 1500, ipsec overhead 74, media mtu 1500
          current outbound spi: CF456F65

        inbound esp sas:
          spi: 0x2A9B550B (714822923)
             transform: esp-aes-256 esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 4378624, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (3914999/27310)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00001FFF
        outbound esp sas:
          spi: 0xCF456F65 (3477434213)
             transform: esp-aes-256 esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 4378624, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (3915000/27308)
             IV size: 16 bytes
             replay detection support: Y

    SiteB# sh logging asdm | i 10.4.1.66
    6|Sep 19 2011|10:29:49|302021: Teardown ICMP connection for faddr 10.4.1.66/1024 gaddr 10.3.128.50/0 laddr 10.3.128.50/0
    6|Sep 19 2011|10:29:50|302020: Built inbound ICMP connection for faddr 10.4.1.66/1024 gaddr 10.3.128.50/0 laddr 10.3.128.50/0

    I'm glad this answered your question; feel free to mark the post as answered and rate useful posts.

    Have a good day.

  • Redundancy with dual ISPs on Cisco ASA site-to-site VPN

    Dear supporters,

    Could you help me with a configuration for the network in the attached diagram?

    I would be grateful for your help.

    Thank you

    Best regards

    Hi Sothengse,

    You can visit the link below and configure the ASA at the head-end and at the branches according to your requirements.

    You must adapt the configuration of the similar example to the branch ends... dual ISP at the branch ends in your scenario...

    http://networkology.NET/2013/03/08/site-to-site-VPN-with-dual-ISP-for-BA...

    I hope this helps.

    Regards

    Knockaert

  • Site-to-site IPsec VPN for multiple sites with dual-ISP failover

    Hello all

    I have 6 ASA 5505 in total, and I already built failover with dual ISPs. Now I want to configure site-to-site VPN for all 3 sites. Each site has 2 firewalls.

    I just built a config for a site-to-site VPN; here is the config for a single site.

    Local IP: 172.16.100.0

    Public IPs: 10.5.1.101, 10.6.1.101

    Remote local IP: 172.16.101.0

    Remote public IPs: 10.3.1.101, 10.4.1.101

    Remote local IP: 192.168.0.0

    Remote public IPs: 10.1.1.101, 10.2.1.101

    The tunnel configuration on the first 2 firewalls:

    access-list vpn1 permit ip 172.16.100.0 255.255.255.0 172.16.101.0 255.255.255.0
    access-list backupvpn1 permit ip 172.16.100.0 255.255.255.0 172.16.101.0 255.255.255.0
    access-list vpn2 permit ip 172.16.100.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list backupvpn2 permit ip 172.16.100.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list sheep permit ip 172.16.100.0 255.255.255.0 172.16.101.0 255.255.255.0
    access-list sheep permit ip 172.16.100.0 255.255.255.0 192.168.0.0 255.255.255.0
    !
    nat (inside) 0 access-list sheep
    nat (inside) 1 0.0.0.0 0.0.0.0
    !
    crypto isakmp enable outside
    crypto isakmp enable backup
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
    !
    crypto ipsec transform-set my-set1 esp-3des esp-sha-hmac
    crypto map outside_map 1 match address vpn1
    crypto map outside_map 1 set peer 10.3.1.101
    crypto map outside_map 1 set transform-set my-set1
    crypto map outside_map interface outside
    !
    crypto map outside_map 2 match address backupvpn1
    crypto map outside_map 2 set peer 10.4.1.101
    crypto map outside_map 2 set transform-set my-set1
    crypto map outside_map interface backup
    !
    crypto ipsec transform-set my-set2 esp-3des esp-sha-hmac
    crypto map outside_map 3 match address vpn2
    crypto map outside_map 3 set peer 10.1.1.101
    crypto map outside_map 3 set transform-set my-set2
    crypto map outside_map interface outside
    !
    crypto map outside_map 4 match address backupvpn2
    crypto map outside_map 4 set peer 10.2.1.101
    crypto map outside_map 4 set transform-set my-set2
    crypto map outside_map interface backup
    !
    tunnel-group 10.3.1.101 type ipsec-l2l
    tunnel-group 10.3.1.101 ipsec-attributes
     pre-shared-key cisco
     isakmp keepalive threshold 20 retry 3
    !
    tunnel-group 10.4.1.101 type ipsec-l2l
    tunnel-group 10.4.1.101 ipsec-attributes
     pre-shared-key cisco
     isakmp keepalive threshold 20 retry 3
    !
    tunnel-group 10.1.1.101 type ipsec-l2l
    tunnel-group 10.1.1.101 ipsec-attributes
     pre-shared-key cisco
     isakmp keepalive threshold 20 retry 3
    !
    tunnel-group 10.2.1.101 type ipsec-l2l
    tunnel-group 10.2.1.101 ipsec-attributes
     pre-shared-key cisco
     isakmp keepalive threshold 20 retry 3
    !
    mtu backup 1500

    If this is correct, what should I configure on the other side, where I want the tunnel to terminate? Does the crypto map match address name vpn1 have to be the same on the other side or not?

    Any suggestion is welcome...

    Thank you...

    What I mean by routing is that, through a routing protocol or static routes, the ASA can choose between the interfaces to establish the tunnel.

    If the ASA has the crypto map applied to two interfaces, then one should be used as primary and the other as backup.

    How will the ASA choose which is better? Via routing.

    If you use a routing protocol, the ASA will know which interface to send the packets out of every time, but if you use static routes, you need to change the metric and configure IP SLA.

    Federico.

  • 1921 router with dual ADSL NAT problem

    I have problems setting up a 1921 router with dual ADSL lines for failover. For some reason all internet traffic keeps using Dialer1 as the main internet connection, while Dialer2 should be primary. Also, when I end my NAT ACL with a permit-all entry, it translates the public IP address of Dialer2 to that of Dialer1 before sending it out to the internet.

    This is my config:

    !
    interface GigabitEthernet0/0
     description Voice network
     ip address 192.168.77.254 255.255.255.0
     ip helper-address 192.168.177.1
     ip helper-address 192.168.177.254
     ip nat inside
     ip virtual-reassembly in
     ip tcp adjust-mss 1400
     duplex auto
     speed auto
    !
    interface GigabitEthernet0/1
     description Inside interface
     ip address 192.168.177.254 255.255.255.0
     ip mtu 1492
     ip nat inside
     ip virtual-reassembly in
     ip tcp adjust-mss 1400
     duplex auto
     speed auto
    !
    interface ATM0/0/0
     description Tele2 ADSL 1/10 Mb
     no ip address
     no atm ilmi-keepalive
     pvc 0/35
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
     !
    !
    interface Ethernet0/0/0
     no ip address
     shutdown
    !
    interface ATM0/1/0
     no ip address
     no atm ilmi-keepalive
    !
    interface Ethernet0/1/0
     description KPN VDSL 5/50 Mb
     no ip address
    !
    interface Ethernet0/1/0.6
     description KPN VDSL
     encapsulation dot1Q 6
     pppoe enable group global
     pppoe-client dial-pool-number 2
     service-policy output parent-policy
    !
    interface Dialer1
     description Tele2 ADSL
     ip address negotiated
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip mtu 1492
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     ip tcp adjust-mss 1400
     dialer pool 1
     ppp authentication chap callin
     ppp pap sent-username *
     no cdp enable
     crypto map SAL_map
    !
    interface Dialer2
     description KPN VDSL
     ip address negotiated
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip mtu 1492
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     ip tcp adjust-mss 1400
     load-interval 30
     dialer pool 2
     ppp authentication pap callin
     ppp pap sent-username *
     no cdp enable
     crypto map SAL_map_VDSL
    !
    ip nat inside source route-map sheep interface Dialer1 overload
    ip nat inside source route-map nonat2 interface Dialer2 overload
    ip route 0.0.0.0 0.0.0.0 Dialer2 track 1
    ip route 0.0.0.0 0.0.0.0 Dialer1 254
    !
    ip sla auto discovery
    ip sla 10
     icmp-echo 62.69.174.75 source-interface Dialer2
     timeout 30000
     frequency 30
    ip sla schedule 10 life forever start-time now
    !
    access-list 102 deny ip 192.168.177.0 0.0.0.255 host 192.168.1.249
    access-list 102 deny ip 192.168.178.0 0.0.0.255 host 192.168.1.249
    access-list 102 deny ip 192.168.179.0 0.0.0.255 host 192.168.1.249
    access-list 102 deny ip 192.168.177.0 0.0.0.255 172.28.1.0 0.0.0.255
    access-list 102 deny ip any 192.168.255.0 0.0.0.255
    access-list 102 deny ip any 192.168.254.0 0.0.0.255
    access-list 102 deny ip 192.168.177.0 0.0.0.255 192.168.179.0 0.0.0.255
    access-list 102 deny ip 192.168.177.0 0.0.0.255 192.168.178.0 0.0.0.255
    access-list 102 deny ip 192.168.177.0 0.0.0.255 192.168.79.0 0.0.0.255
    access-list 102 deny ip 192.168.177.0 0.0.0.255 192.168.78.0 0.0.0.255
    access-list 102 deny ip 192.168.77.0 0.0.0.255 192.168.179.0 0.0.0.255
    access-list 102 deny ip 192.168.77.0 0.0.0.255 192.168.178.0 0.0.0.255
    access-list 102 deny ip 192.168.77.0 0.0.0.255 192.168.79.0 0.0.0.255
    access-list 102 deny ip 192.168.77.0 0.0.0.255 192.168.78.0 0.0.0.255
    access-list 102 permit ip 192.168.177.0 0.0.0.255 any
    access-list 102 permit ip 192.168.77.0 0.0.0.255 any
    !
    dialer-list 1 protocol ip permit
    dialer-list 2 protocol ip permit
    !
    route-map nonat2 permit 10
     match ip address 102
     set interface Dialer2
    !
    route-map sheep permit 10
     match ip address 102
     set interface Dialer1

    The ACL is built to exclude some private IPs that are IPsec VPN destinations.

    Any suggestions on what I'm missing? It must use Dialer2 as the primary internet connection and fail over to Dialer1 if the IP SLA fails. The SLA config seems to work properly:

    sh ip route

    S*   0.0.0.0/0 is directly connected, Dialer2
         84.0.0.0/32 is subnetted, 1 subnets
    C       84.246.25.231 is directly connected, Dialer1
         145.131.0.0/32 is subnetted, 1 subnets
    C       145.131.131.112 is directly connected, Dialer2
         192.168.77.0/24 is variably subnetted, 2 subnets, 2 masks
    C       192.168.77.0/24 is directly connected, GigabitEthernet0/0
    L       192.168.77.254/32 is directly connected, GigabitEthernet0/0
         192.168.177.0/24 is variably subnetted, 2 subnets, 2 masks
    C       192.168.177.0/24 is directly connected, GigabitEthernet0/1
    L       192.168.177.254/32 is directly connected, GigabitEthernet0/1
         192.168.254.0/24 is variably subnetted, 2 subnets, 2 masks
    S       192.168.254.0/24 is directly connected, Dialer2
    S       192.168.254.37/32 [1/0] via 77.241.229.241
    S    192.168.255.0/24 is directly connected, Dialer1
         212.121.121.0/32 is subnetted, 1 subnets
    C       212.121.121.183 is directly connected, Dialer2
         213.144.228.0/32 is subnetted, 1 subnets
    C       213.144.228.72 is directly connected, Dialer1

    http://docwiki.Cisco.com/wiki/category:NAT

    Above document indicates "Beware of the use of the ACL for the NAT with" ip allow a whole ' you can get unpredictable results. " I suggest using the "road-map sheep/nonat2 permit 20" instead of "allow a whole."

    For the rest, change the config as follows:

    !
    ip sla 10
     icmp-echo 8.8.8.8 source-interface Dialer2
     timeout 30000
     frequency 30
    ip sla schedule 10 life forever start-time now
    !
    ip route 8.8.8.8 255.255.255.255 Dialer2 permanent
    !
    route-map nonat2 permit 10
     match ip address 102
     match interface Dialer2
    !
    route-map sheep permit 10
     match ip address 102
     match interface Dialer1
    !
    ip nat inside source route-map sheep interface Dialer1 overload
    ip nat inside source route-map nonat2 interface Dialer2 overload
    !
    event manager applet NAT-TRACK
     event track 1 state any
     action 0.1 cli command "enable"
     action 0.2 wait 2
     action 0.3 cli command "clear ip nat translation forced"
     action 0.4 syslog msg "NAT translations cleared after track state change"
    !

    -Ginette

  • I have Lightroom 4.4 on my Mac laptop. It came with the purchase of a Leica camera. When I check for updates, the answer is that there is no update available. Can I download version 5.7 from Adobe's website without problems?

    Your license for the 4.4 release will not work with version 5.7. You can certainly download it, but if you do not have a license for version 5.7 then downloading it won't do much good: without a license you won't be able to use it beyond the trial.

  • I have problems uploading a website with more than 100 pages. The upload is stuck at 6%. Does Muse have a page limit? I use Adobe Muse CC 2014 v7.4

    Is 425 the error you have been getting all along? That looks like a firewall or router problem, or a server-side hosting configuration problem.

  • I have a problem to download a Web of Muse - the following site seems to be the problem - unable to validate the specified domain is associated with the FTP server and folder. Continue nevertheless helps Adobe told me to download and extract the f

    I have a problem uploading a Muse website. The following seems to be the problem: unable to validate that the specified domain is associated with the FTP server and folder. Still,

    in Adobe help it tells me to download and extract the ftppefs.xml file, which is supposed to be found in Mac/Library/Preferences/Adobe/Adobe Muse CC/20141, and paste it into this folder.

    I checked this location and there is no such file. I have reinstalled Muse but the preference file doesn't show up. Where can I get it?

    Daryl

    Please check that the domain and the server you use are entered; it can be the reason for the absence of the field.

    Thank you

    Sanjit

  • I'm on Windows 7 64-bit, and when I try to save a site by double-clicking the star icon in the address bar, the bookmark box flickers on and off and then disappears

    I'm on Windows 7 64-bit, and when I try to save a site by double-clicking the star icon in the address bar, the bookmark box flickers on and off and then disappears. I did some research and found that the default theme is the cause. I installed a different theme and the problem goes away, but that's why I don't know the root cause. Anyone with ideas on how to solve this problem? I like the default theme!

    Try unchecking the box next to 'Use hardware acceleration when available' in Options. Worked for me!

  • How will I be informed when entering and leaving a site with a secure server

    I can't find where to set the option for this. I could in Firefox 3.6.
    Firefox 3.6 gives me a pop-up that says I'm entering or leaving a site with a secure server. It's under SETTINGS in the Warning Messages section of the Security tab in the Options window. When you push the SETTINGS button, a number of checkboxes allow for different settings. I can't find it in Firefox 8.

    The settings for the 5 Warning Messages have been removed from the Security section in Firefox 4 and newer versions. These settings should be accessible through about:config now. So you're looking for the first and the third in the list below, "Former settings in Firefox 3.6 on the Security panel".

    See: http://kb.mozillazine.org/About:config

    1. Type about:config in the URL bar and press the Enter key.
    2. If you see a warning, accept it (promise to be careful).
    3. Filter = security.warn_
    4. Double-click the pref in the lower panel of the about:config display to toggle it to true or false according to the descriptions below (scroll down to security.warn to see these particular preferences).

    Former settings in Firefox 3.6 on the Security panel

    Display a warning dialog when:

    • I'm about to view an encrypted page
      • Pref: security.warn_entering_secure
    • I'm about to view a page that uses low-grade encryption
      • Pref: security.warn_entering_weak
    • I leave an encrypted page for one that isn't encrypted
      • Pref: security.warn_leaving_secure
    • I submit information that isn't encrypted
      • Pref: security.warn_submit_insecure
    • I'm about to view an encrypted page that contains some unencrypted information
      • Pref: security.warn_viewing_mixed

    If this answer solved your problem, please click 'Solved It' next to this answer when logged in to the forum.

    Not related to your question, but...

    You may need to update some plugins. Check your plugins and update if necessary:

  • System crashes; moreover, it freezes during playback of media or on a site with media.

    If I go to a site with video, it stops and a sound is heard.  It crashes sometimes.  These are the messages I had

    Stop: 0x0000008E (0x805BC1E9, 0xBA287c7c, 0xc0000005, 0x00000000)

    ALSO

    BCCode: 1000008e BCP1: C0000005 BCP2: 805BC1E9 BCP3: BA287C7C
    BCP4: 00000000 OSVer: 5_1_2600 SP: 3_0 product: 256_1

    Please provide additional information on your system:
    What is your system brand and model?
    What is your version of XP and the Service Pack?
    Describe your current antivirus and anti-malware software situation: McAfee, Norton, Spybot, AVG, Avira!, Defender, ZoneAlarm, PC Tools, MSE, Comodo, etc.
    Click Start, Run and enter in the box:
    msinfo32
    Click OK and when the System Information summary appears, click Edit, Select All, Copy, and then paste the information here.
    For video driver information, expand Components, click Display, click Edit, Select All, Copy and then paste the information here.
    For audio information, expand Components, click Sound Device, click Edit, Select All, Copy and then paste the information here.
    There will be some personal information (such as the user name and the system name); simply delete anything you consider private from the pasted information.
    This will minimize back-and-forth Q&A and eliminate guesswork.
    Download BlueScreenView here:
    Unzip it and run it (BSV installs nothing) and let it complete the scan of all of your dump files.
    If you double-click on a dump, you will get information about it (including the Caused By Driver field) and you should be able to spot the problem right away, especially if you see a pattern in the dumps where the Caused By Driver field is the same (start with that driver).
    Select (highlight) one or more of the most recent dump files by clicking on them, holding down the CTRL key to select multiple files.  Try to select only the most recent dumps that relate to your problem (perhaps five or six dump files to start).
    Click File, Save Selected Items and save the information from the dumps to a text file on your desktop called BSOD.txt.  Open BSOD.txt with a text editor, copy the text and paste it in your next reply.
    Here's an example of a BSV report for a single BSOD I initiated on purpose, which shows the cause of the crash as the driver i8042prt.sys belonging to Microsoft Corporation:
    ==================================================
    Dump File: Mini062110-01.dmp
    Crash Time: 21/06/2010 11:51:31
    Bug Check String: MANUALLY_INITIATED_CRASH
    Bug Check Code: 0x000000e2
    Parameter 1: 0x00000000
    Parameter 2: 0x00000000
    Parameter 3: 0x00000000
    Parameter 4: 0x00000000
    Caused By Driver: i8042prt.sys
    Caused By Address: i8042prt.sys+27fb
    File Description: i8042 Port Driver
    Product Name: Microsoft® Windows® Operating System
    Company: Microsoft Corporation
    File Version: 5.1.2600.5512 (xpsp.080413-2108)
    Processor: 32-bit
    Computer Name:
    Full Path: C:\WINDOWS\minidump\Mini062110-01.dmp
    ==================================================
    Send the information from the 5 most recent memory dumps.
    No matter what you use for protection against malware, please follow these steps:
    Download, install, update and do a full scan with these free malware detection programs:
    Malwarebytes (MBAM): http://malwarebytes.org/
    SUPERAntiSpyware (SAS): http://www.superantispyware.com/
    They can be uninstalled later if you wish.

    Don't guess what the problem might be; understand and resolve it. I need YOUR votes and points for helpful answers and proposed answers. I'm saving for a pony!
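    The reply above asks the poster to collect several BlueScreenView reports and look for a repeated "Caused By Driver" value. The following script is an added example, not code from the thread or from BlueScreenView: it parses the "=====" delimited report that File > Save Selected Items writes and counts how many dumps blame each driver. The field labels are assumed to match BlueScreenView's English "Key : Value" output; only the first entry in SAMPLE_REPORT mirrors the one quoted in the reply, the other two entries are constructed, and vendor_video.sys is a made-up driver name.

```python
"""Triage a BlueScreenView text report by the driver each dump blames.

Added example (not from the forum thread or from BlueScreenView). It reads the
'=====' delimited report written by File > Save Selected Items, keeps each
entry's fields, and counts the "Caused By Driver" values so a repeated
driver stands out. The second and third entries below are constructed and
vendor_video.sys is a made-up driver name.
"""
import re
from collections import Counter

SAMPLE_REPORT = """\
==================================================
Dump File         : Mini062110-01.dmp
Crash Time        : 21/06/2010 11:51:31
Bug Check String  : MANUALLY_INITIATED_CRASH
Bug Check Code    : 0x000000e2
Parameter 1       : 0x00000000
Parameter 2       : 0x00000000
Parameter 3       : 0x00000000
Parameter 4       : 0x00000000
Caused By Driver  : i8042prt.sys
Caused By Address : i8042prt.sys+27fb
File Description  : i8042 Port Driver
Company           : Microsoft Corporation
Full Path         : C:\\WINDOWS\\minidump\\Mini062110-01.dmp
==================================================
Dump File         : Mini062210-01.dmp
Crash Time        : 22/06/2010 09:02:17
Bug Check String  : KERNEL_MODE_EXCEPTION_NOT_HANDLED_M
Bug Check Code    : 0x1000008e
Parameter 1       : 0xc0000005
Caused By Driver  : vendor_video.sys
Caused By Address : vendor_video.sys+1a2b
Company           : Example Vendor (constructed)
Full Path         : C:\\WINDOWS\\minidump\\Mini062210-01.dmp
==================================================
Dump File         : Mini062310-01.dmp
Crash Time        : 23/06/2010 18:44:05
Bug Check String  : KERNEL_MODE_EXCEPTION_NOT_HANDLED_M
Bug Check Code    : 0x1000008e
Parameter 1       : 0xc0000005
Caused By Driver  : vendor_video.sys
Caused By Address : vendor_video.sys+1a2b
Company           : Example Vendor (constructed)
Full Path         : C:\\WINDOWS\\minidump\\Mini062310-01.dmp
==================================================
"""

# A line made only of '=' separates entries; fields are "Key : Value".
SEPARATOR = re.compile(r"^=+\s*$", re.MULTILINE)
FIELD = re.compile(r"^([^:]+?)\s*:\s*(.*?)\s*$")


def parse_report(text):
    """Return one dict of field -> value per dump entry in the report."""
    entries = []
    for chunk in SEPARATOR.split(text):
        fields = {}
        for line in chunk.splitlines():
            match = FIELD.match(line)
            if match:
                fields[match.group(1)] = match.group(2)
        if "Dump File" in fields:  # skip the empty text between separators
            entries.append(fields)
    return entries


def driver_counts(entries):
    """Number of dumps blaming each driver (entries with no driver are ignored)."""
    return Counter(e["Caused By Driver"] for e in entries if e.get("Caused By Driver"))


def most_common_driver(entries):
    """The driver blamed most often, as (name, count), or None if no dump names one."""
    counts = driver_counts(entries)
    return counts.most_common(1)[0] if counts else None


def non_microsoft_drivers(entries):
    """Blamed drivers whose Company field does not name Microsoft: the usual first suspects."""
    return sorted({
        e["Caused By Driver"] for e in entries
        if e.get("Caused By Driver") and "Microsoft" not in e.get("Company", "")
    })


if __name__ == "__main__":
    dumps = parse_report(SAMPLE_REPORT)
    for driver, count in driver_counts(dumps).most_common():
        print(f"{count} dump(s) blame {driver}")
    print("third-party suspects:", non_microsoft_drivers(dumps))
```

    Run it against the BSOD.txt the reply asks for instead of SAMPLE_REPORT; a driver that shows up in most of the recent dumps is the one to update or remove first, and a non-Microsoft driver is the more likely culprit than a core Windows component such as i8042prt.sys.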

  • Mobile site made with Muse not recognized once uploaded - ideas?

    First time I made a mobile site with Muse, and I thought it would work just as well, as the file transfer did. I made sure to optimize everything, but when I visit the mobile site after uploading it to my ISP, trying to visit it on my phone, I get the message "404 - page not found".

    I checked the desktop index page and under the head the code is:

    <script src="scripts/museredirect.js?3859090011" type="text/javascript"></script>

    <script type="text/javascript">

    Muse.Redirect.redirect('desktop', '', 'phone/index.html', '');

    </script>

    Does this code look good to you? Am I missing something?

    Thanks for your help

    Mark

    In addition, if a new Muse site is published to another subdirectory on the same server, it throws a 404 error too when accessed via a mobile device, so I suspect it might be something to do with the configuration of your server. If you happen to have a different hosting account/server for testing, can you try publishing to it and see if you are able to reproduce the problem?

    Also, I noticed that the homepage, for example http://www.msugarman.com/index.html (which is not built in Muse), redirects automatically to a mobile version of the site when accessed through a mobile device (and the redirection does not seem to be JS based), which probably means that you have a server-side device detection and redirection mechanism in place. That is most likely in conflict with the JS-based device redirection system, leading to a 404 error for Muse pages when accessed through mobile. A cookie (at the site level) is also created on your site, named is_mobile, with a value of 0 or 1 depending on whether the visitor has accessed a page on your site via mobile phone or desktop.

    If the above is true, I would suggest deactivating the server-side redirects for mobile devices, or contacting your web host for any response on this. Let me know how it goes!

    Thank you

    Vinayak
