ACL does not match proxy IDs in two tunnels
Hi all
I get the error "ACL does not match proxy IDs" and I am not able to solve the problem; Google gives lots of results and I tried some, but nothing applies.
I have an installation with 2 tunnels:
1/ from a PIX 515E (office) to an ASA 5505 (hosted server), so my people can access the hosted server;
2/ from the ASA 5505 to my client's firewall, so that their equipment can reach the hosted server and the hosted server can reach their equipment.
The two tunnels work well; my problem comes when I try to reach my customer's equipment from my office equipment, i.e. cascaded tunnels.
Setup was done (part of it) with the help of external professional services, and when we did a test it seemed to work... Seemed, because we only did one test, and since I can't get it working now I wonder whether it in fact ever worked!
It is the first time I'm trying cascaded tunnels; I have had no problems with the other VPNs I've built.
I attach the configuration of the PIX and ASA and an excerpt from the syslogs showing the error, hoping someone can point out an obvious mistake that I have not seen!
Do not hesitate to request any missing information which could be useful, and thanks a lot in advance for your help!
Rgds
JD,
NAT is done before the crypto, for many reasons, flexibility more than anything.
I checked the ACLs and still see an inconsistency: I mean the number of ACL entries and their content MUST match; the only difference is that source and destination must be swapped between the two.
Until you correct this it's always going to fail.
Once you do that, you may try to check where it fails by referring to a reference I posted some time ago.
Can you gather debugs as described here:
https://supportforums.Cisco.com/docs/doc-14044#31_Debugs_used
Marcin
Tags: Cisco Security
Similar Questions
-
PowerConnect 6200 ACL does not seem to work
Hello
I have a total of four 6248s in two groups at different locations that are configured with VRRP + OSPF. I tried to set up a simple ACL on a VLAN to allow a portion of the traffic and block everything else, but I can't make it work. I have tried many combinations, but so far without success. It's just a simple ACL which should allow web/http traffic to the 10.1.30.100 server and block everything else.
The only type of ACE that seems to work is either a "deny ip any any" or a "permit ip any any". If I try an ACE with a destination host and subnet mask 0.0.0.0 it just blocks everything. Has anyone else had problems with ACLs, or is it just my incompetence preventing me from getting the 6200 ACLs to work properly? I didn't have this problem getting ACLs to work on our Cisco 2811 routers, just when I tried on the PC6248s.
config
int vlan 720
no ip access-group vlan720-in in
exit
no access-list vlan720-in
access-list vlan720-in permit tcp any 10.1.30.100 0.0.0.0 eq 80
int vlan 720
ip access-group vlan720-in in
exit
exit
copy run start
Just an update on this issue. I worked with Dell to determine why the ACL did not seem to work. We discovered that the 6200 applies the ACL to traffic like a Cisco VLAN access map rather than as a router ACL entry. This causes the ACL to apply not only to routed or forwarded traffic but also to traffic switched within the same VLAN.
This has been the source of my problems, since my traffic is not limited to a single 6200. I built a simple lab to verify that the 6200 applies the ACL to traffic switched within the same VLAN.
First, the 6200 has one ACL applied to VLAN 5; both PC1 and PC2 are in VLAN 5. They are both on the same subnet, 192.168.5.0/24. The ACL has a "permit icmp any any" statement but nothing else. PC1 and PC2 are running Windows XP Pro with IIS installed for the test. The firewall on both is disabled.
PC #1 IP: 192.168.5.2/24
PC #2 IP: 192.168.5.3/24
[6200]
| |
| |
| [2950T #2] <--> [PC #2]
|
|
[2950T #1] <--> [PC #1]
In this scenario PC1 and PC2 can ping each other without problem because of the "permit icmp any any" statement, but neither can access the IIS site on the other computer.
Dell said that this is normal and if you want VLAN-to-VLAN communication you need a "permit ip" statement to make it work properly. I also found that return traffic from other VLANs was also denied because the ACL is applied to all incoming traffic. As a solution, a permit statement should be included for ALL return traffic from the other subnets to the restricted subnet. So in this case "permit ip any any". I find it a bit annoying that the ACL is applied like a VLAN map and not like a real inbound router ACL as on similar Cisco devices such as the 3750. So there is a workaround. I hope they can fix this in a future update, because I really think the 6200 is a great device.
Here you can see the difference between VLAN access maps and router ACLs in how they are applied to traffic local to the VLAN.
http://www.Cisco.com/en/us/docs/switches/LAN/catalyst3750/software/release/12.2_25_see/configuration/guide/swacl.html#wp1572522
-
Card reader AutoPlay does not work. My two computers are networked. How can I fix it so that AutoPlay works?
Hello
I suggest you try the steps in the following Microsoft Help article and check if it works.
Troubleshoot AutoPlay:
http://Windows.Microsoft.com/en-us/Windows7/Troubleshoot-AutoPlay-problems
For more information, see the following link:
http://Windows.Microsoft.com/en-us/Windows7/AutoPlay-frequently-asked-questions
Hope the information is useful.
-
The column that does not match when comparing two records
Hi all
We are trying to compare two tables and find the differences. So if two records (one from each table) have the same PK but don't match in some columns, we would like to display that column name. For example:
Table 1
PK  Parent  Child  Property1  Property2
1   A       A1     P1         PR1
2   B       B1     P2         oraPR2
3   C       C1     P3         PR3
Table 2
PK  Parent  Child  Property1  Property2
1   A       A1     P1         PR1
2   B       B1     P2         PR2
3   C       C1     P3         PR4
In the above example, when I compare the 2 tables everything matches except Property2 on line no. 3. Thus we would like to get output like:
PK  Column_Mismatch
3   Property2 (this must be the name of the column that does not match)
Appreciate the help.
Thank you
Andy
Hi, Andy.
Why don't you want any output for pk = 2? Property2 doesn't match for that pk either.
What happens if 2 (or more) columns don't match? The following query would produce a delimited list, such as 'PARENT; PROPERTY2'.
WITH got_mismatch AS
(
    SELECT t1.pk
         , CASE WHEN t1.parent    <> t2.parent    THEN '; PARENT'    END
        || CASE WHEN t1.child     <> t2.child     THEN '; CHILD'     END
        || CASE WHEN t1.property1 <> t2.property1 THEN '; PROPERTY1' END
        || CASE WHEN t1.property2 <> t2.property2 THEN '; PROPERTY2' END
           AS mismatch
    FROM   table_1 t1
    JOIN   table_2 t2 ON t2.pk = t1.pk
)
SELECT pk
     , SUBSTR (mismatch, 3) AS column_mismatch
FROM   got_mismatch
WHERE  mismatch IS NOT NULL
;
If you would care to post CREATE TABLE and INSERT statements for your sample data, then I could test this.
The query above does not count NULL values as mismatches. If you want that, the same basic approach will work, but you can use DECODE instead of <> to compare the columns.
What happens if a pk exists in one table but not the other? You may want an outer join where I used an inner join above.
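The same column-by-column comparison carried through with the two caveats above (NULL-safe comparison and pks present on one side only), as an added example that is not the reply's own query: it is ported from Oracle to SQLite so it runs stand-alone, with SQLite's IS NOT standing in for DECODE, and the sample rows are the two tables from the question, constructed here.

```python
import sqlite3

COLUMNS = ("parent", "child", "property1", "property2")

# Constructed sample rows: the two tables from the question
# (pk, parent, child, property1, property2)
TABLE_1 = [(1, "A", "A1", "P1", "PR1"), (2, "B", "B1", "P2", "oraPR2"), (3, "C", "C1", "P3", "PR3")]
TABLE_2 = [(1, "A", "A1", "P1", "PR1"), (2, "B", "B1", "P2", "PR2"), (3, "C", "C1", "P3", "PR4")]


def _load(conn, name, rows):
    conn.execute(f"CREATE TABLE {name} (pk INTEGER PRIMARY KEY, parent, child, property1, property2)")
    conn.executemany(f"INSERT INTO {name} VALUES (?, ?, ?, ?, ?)", rows)


def column_mismatches(rows1, rows2):
    """Return [(pk, 'COL1; COL2'), ...] for rows that differ, and
    (pk, 'MISSING IN TABLE_x') for a pk that exists on one side only."""
    # One CASE per column. 'IS NOT' is NULL-safe (NULL vs NULL matches, NULL vs a
    # value does not), which is the role DECODE plays in Oracle. ELSE '' is needed
    # because SQLite, unlike Oracle, turns NULL || 'x' into NULL.
    cases = " || ".join(
        f"CASE WHEN t1.{c} IS NOT t2.{c} THEN '; {c.upper()}' ELSE '' END" for c in COLUMNS)
    sql = f"""
        WITH got_mismatch AS (
            SELECT t1.pk AS pk, {cases} AS mismatch
            FROM   table_1 t1
            JOIN   table_2 t2 ON t2.pk = t1.pk
        )
        SELECT pk, SUBSTR(mismatch, 3) AS column_mismatch
        FROM   got_mismatch
        WHERE  mismatch <> ''
        UNION ALL
        SELECT t1.pk, 'MISSING IN TABLE_2' FROM table_1 t1
        WHERE  NOT EXISTS (SELECT 1 FROM table_2 t2 WHERE t2.pk = t1.pk)
        UNION ALL
        SELECT t2.pk, 'MISSING IN TABLE_1' FROM table_2 t2
        WHERE  NOT EXISTS (SELECT 1 FROM table_1 t1 WHERE t1.pk = t2.pk)
        ORDER BY pk"""
    conn = sqlite3.connect(":memory:")
    _load(conn, "table_1", rows1)
    _load(conn, "table_2", rows2)
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    for pk, cols in column_mismatches(TABLE_1, TABLE_2):
        print(pk, cols)
```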
-
While loop does not stop when the two values are equal using the 'equal to' comparator
Hello all
I have a really, really strange bug. I have a LabVIEW VI that steps the voltage on a power supply. I have a start and a stop voltage and use a while loop to increment the device. For example, if I want to scan from 1.2 V to 2.2 V in 0.2 V increments, the program ends when "current voltage" = "stop voltage". And it works very well!
However, when I start at -3 V and want to stop at, say, -0.8 V (again in 0.2 V increments) the program does not stop when "current voltage" = "stop voltage". I checked with a probe close to what should be the end of the sweep, and -0.8 V goes into both inputs of the 'equal to' comparison operator, but that can't trigger a true result.
It's very strange to me. Especially as, if I go from -0.8 V to -2 V but decrement by -0.2 V, the program stops correctly!
I am very confused!
See you soon!
Search on: comparison of floating-point numbers
The second thread is particularly relevant. That discussion was from 2009, but you can find the same "bug" being reported going back to the end of the 1980s.
Mike...
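The poster's -3 V to -0.8 V sweep reproduced with ordinary IEEE-754 doubles (the same arithmetic LabVIEW uses for DBL), as an added example that is not from the thread. It shows why repeated addition of 0.2 never lands exactly on -0.8, and two fixes: compare with a tolerance, or compute each setpoint as start + i*step so that nothing accumulates.

```python
import math


def accumulate(start: float, step: float, n: int) -> float:
    """Add `step` to `start` n times, the way a naive 'current += increment' loop does."""
    v = start
    for _ in range(n):
        v += step
    return v


def sweep_exact(start, stop, step, max_steps=1000):
    """The poster's stop condition: loop until current == stop.
    Guarded by max_steps so a value that is never hit exactly cannot spin forever."""
    points = [start]
    v = start
    while v != stop and len(points) < max_steps:
        v += step
        points.append(v)
    return points


def sweep_tolerant(start, stop, step):
    """Fix 1: treat 'equal' as 'within half a step', and also stop once past the end."""
    points = [start]
    v = start
    while not math.isclose(v, stop, abs_tol=abs(step) / 2) and (stop - v) * step > 0:
        v += step
        points.append(v)
    return points


def sweep_indexed(start, stop, step):
    """Fix 2 (preferred): fix the step count once and compute start + i*step,
    so the loop bound is an integer and rounding error does not accumulate."""
    n = round((stop - start) / step)
    return [start + i * step for i in range(n + 1)]


if __name__ == "__main__":
    # The failing case from the thread: eleven additions of 0.2 starting at -3.0
    print(repr(accumulate(-3.0, 0.2, 11)), "!= -0.8")
    print(len(sweep_tolerant(-3.0, -0.8, 0.2)), "points with a tolerance")
    print(len(sweep_indexed(-3.0, -0.8, 0.2)), "points with an indexed sweep")
```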
-
Creative Cloud does not remember login after the computer restarts
The Creative Cloud app does not remember my login after the computer restarts, or simply when it starts after being turned on. The app starts fine and appears in the notification area (Windows 10 64-bit), but I have to log in each time before I can get updates, etc. This problem started about 3 weeks ago and I have yet to find a solution. Does anyone know how to fix this?
In this case I advise you to contact customer services, as technical troubleshooting may be required.
-
Hi all
I did a demo of ACLs on ECM 11g according to
http://blogs.Oracle.com/Kyle/2011/02/new_security_configuration_flag_ucm_ps3.html
My config.cfg is:
UseEntitySecurity = true
SpecialAuthGroups = Marketing, Public
When I use WebLogic to check in a doc with the Marketing security group and assign User1 the read (R) right, then log in as User1, User1 can still update the doc; what could be wrong?
Best regards
Hello
I think that the problem is that "group1 is also defined as an admin role and has RWDA rights on the Public security group".
I remember having seen this. As group1 has RWDA on Public, the Admin-level privilege gives any member of group1 complete control, regardless of the ACL.
Try limiting the privileges of "group1" on "Public" and check the results. My recommendation would be to have two groups, "PUBLIC_ADMIN" and "group1", where "PUBLIC_ADMIN" should have RWDA on Public and "group1" should have RWD.
Now you can add all users in the organization to "group1". When they are added to ACLs (on a folder/content), they'll get at most RWD. However, since the number of admins is limited, if someone needs it later you can add them to the "PUBLIC_ADMIN" group too.
A caveat, however, is that PUBLIC_ADMIN will have full privileges on any folder/content in Public. Compare, for example, with the Projects feature in 10g: all members with RWDA on the "Projects" security group and RWDA on the "prj" account had access to all projects.
Another thing I've seen so far is that anyone with RW will not only be able to write but also update the ACL! Always check. I hope this helps.
Kind regards
Prateek
Published by: Prateek Mohan on April 27, 2011 10:34
-
Does not have Internet on two wireless laptops.
I recently reset my router, which is just crazy. I was finally able to reset the default settings and create a new network and everything. The main computer that is connected to the router has internet, but my two wireless laptops do not.
It says "Unidentified network", then my network name in parentheses
Access: Local only
It says it is connected and has green full bars but it won't let me connect to the internet.
Help, please. Thank you.
Also, I made sure to go into my network properties and check that everything matches what is on the router setup page. I really don't know what's wrong, but any help would be appreciated.
Make sure that you don't have a static IP address on the computer... Click the Start button > Control Panel > Network and Sharing Center > Manage Network Connections. Right-click the wireless network connection icon and go to Properties; on the "General" tab, select "Internet Protocol TCP/IP IPv4" and click the Properties button; select "Obtain an IP address automatically" and, below it, "Obtain DNS server address automatically".
-
Outside ACL does not increment for traffic allowed through a site-to-site VPN
Hi all, we have many site-to-site IPsec VPNs that are sending traffic to us successfully; the largest part of this traffic is FTP or SFTP.
There is no sysopt configuration on the ASA firewall. Access lists have been configured on the outside interface of the ASA to allow FTP & SFTP connections for these VPNs; however, all counters are 0 when I do a "show access-list internet-in" for FTP or SFTP.
There are general IP entries in the access list for FTP & SFTP connections from the Internet to the NATed addresses of these FTP servers, and these do increment, but then there are certain customers who use the internet to transfer files.
I guess what I am asking is: do the ASA outside access lists increment for traffic allowed through the VPN? The access list entries are for THEIRINTERNALIP to OURINTERNALIP (according to the crypto map).
Just to add that these ACLs are configured through object groups, in case that matters; and once again they are correctly transferring files to us, only I don't see where they are being allowed.
Thanks in advance
Mark
VPN traffic is flowing properly and there is no ACL allowing UDP 500 or ESP?
Can you post the output of "sh run all sysopt"?
Federico.
-
RVS4000 V02 IP-based ACL does not work
Hello
I have an RVS4000 v02 and created 3 VLANs: 192.168.70.0/24, 192.168.80.0/24 and 192.168.90.0/24. I tried to create IP-based access lists to deny 192.168.80.0/24 and 192.168.90.0/24 access to 192.168.70.0/24, and to deny 192.168.90.0/24 access to 192.168.80.0/24. Can you help me check my IP-based access list?
MY RVS4000 ACCESS LIST
Deny  any protocol  LAN  192.168.80.0/255.255.255.0  192.168.70.0/255.255.255.0  at all times, every day
Deny  any protocol  LAN  192.168.90.0/255.255.255.0  192.168.70.0/255.255.255.0  at all times, every day
Deny  any protocol  LAN  192.168.90.0/255.255.255.0  192.168.80.0/255.255.255.0  at all times, every day
Allow  all services  LAN  ANY  ANY  anywhere, anytime, daily
Allow  all services  WAN  ALL  ALL  at all times, every day
* all access list entries are enabled.
The 192.168.80.0 and 192.168.90.0 networks can still reach the 192.168.70.0 network.
Hope you can help me understand this.
Hello.
These products are handled by the Cisco Small Business Support Community.
* If my post answered your question, please mark it as "acceptable Solution".
* Do not forget to give a 'congratulations '. Thank you!
-
Why does the screen saver not work on both screens?
I have a monitor connected to my laptop using the VGA connector.
The laptop LCD is set as the primary display and the additional monitor is set as the extended desktop. When the screen saver appears, it shows on the main screen. How can I make it work on both? (without setting the external display as a clone of the main one).
The OS is Vista Home Premium. Thanks for any help!
El
In dual-screen extended mode, the Win7 screen saver stops working after unplugging the external monitor
I have problems of this kind.
I have listed what I've done to illustrate how to reproduce this.
My OS is win7 32 bit.
The steps to reproduce are:
1. Boot the OS with the integrated display (it is a notebook system).
2. Attach the HDMI (external) monitor.
3. Turn on extended mode with the HDMI monitor as the primary device.
4. Set the 3D screen saver as active and preview it.
The 3D screen saver drawing now works on the main screen;
the secondary monitor (built-in) shows a black screen.
5. Hot-unplug the HDMI monitor.
6. The 3D screen saver display switches back to the built-in screen.
7. BUT the 3D drawing of the screen saver on the built-in screen is STOPPED (= not updated).
8. Moving the mouse, the built-in monitor leaves the idle-screen state (the operating system is still alive).
Is this the expected OS behaviour?
-
LR3 is compatible with Elements 12. When I install LR3, E12 seizes up and won't work; if I uninstall E12, LR3 works perfectly.
Barry
Moving this discussion to the Photoshop Lightroom forum.
-
Hi all
I'm having problems setting up a simple site-to-site VPN between two new ASA 5505s. I tried several times with ASDM, by manual configuration or using the wizard, resetting to factory defaults each time, but the tunnel does not come up.
I tracked it down to the following lines on the receiving side:
May 11 16:42:53 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, PHASE 1 COMPLETED
May 11 16:42:53 [IKEv1]: IP = 1.1.1.2, Keep-alive type for this connection: DPD
May 11 16:42:53 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, Starting P1 rekey timer: 73440 seconds.
May 11 16:42:53 [IKEv1 DECODE]: IP = 1.1.1.2, IKE Responder starting QM: msg id = 693161c8
May 11 16:42:53 [IKEv1]: IP = 1.1.1.2, IKE_DECODE RECEIVED Message (msgid=693161c8) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 192
May 11 16:42:53 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing hash payload
May 11 16:42:53 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing SA payload
May 11 16:42:53 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing nonce payload
May 11 16:42:53 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing ID payload
May 11 16:42:53 [IKEv1 DECODE]: Group = 1.1.1.2, IP = 1.1.1.2, ID_IPV4_ADDR ID received
1.1.1.2
May 11 16:42:53 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Received remote Proxy Host data in ID Payload: Address 1.1.1.2, Protocol 0, Port 0
May 11 16:42:53 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing ID payload
May 11 16:42:53 [IKEv1 DECODE]: Group = 1.1.1.2, IP = 1.1.1.2, ID_IPV4_ADDR ID received
1.1.1.1
May 11 16:42:53 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Received local Proxy Host data in ID Payload: Address 1.1.1.1, Protocol 0, Port 0
May 11 16:42:53 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing notify payload
May 11 16:42:53 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, QM IsRekeyed old sa not found by addr
May 11 16:42:53 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, checking map = outside_map, seq = 1...
May 11 16:42:53 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, map = outside_map, seq = 1, ACL does not match proxy IDs src:1.1.1.2 dst:1.1.1.1
May 11 16:42:53 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 1.1.1.2/255.255.255.255/0/0 local proxy 1.1.1.1/255.255.255.255/0/0 on interface outside
It looks to me like the remote proxy host and local proxy host data are the outside IPs instead of the subnets (10.0.0.0/24 and 192.168.0.0/24)... How can I fix this?
Hello
The debugs show this ASA as the responder, so the other ASA is the initiator.
It seems that you have configured the initiator as originate-only.
Example:
crypto map OUTSIDE_map 20 set connection-type originate-only
If you have that, it attempts to establish phase 2 between the (public) IP addresses first, then between the configured ACL...
If you have originate-only, please remove it.
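A small checker for the two failure modes these threads describe: the "Rejecting IPSec tunnel ... ACL does not match proxy IDs" rejection above (the peer proposes proxy IDs that no crypto ACL entry covers) and, from the first thread, crypto ACLs on the two peers that are not mirror images of each other. This is an added example, not code from either thread; the ACL lines are constructed from the two subnets named above and the crypto map name outside_cryptomap is assumed.

```python
import ipaddress
import re
from typing import NamedTuple

Net = ipaddress.IPv4Network


class CryptoAce(NamedTuple):
    local: Net   # source side of the crypto ACL: our protected network
    remote: Net  # destination side: the peer's protected network


def _read_net(parts, i):
    """Read one operand ('any' | 'host A' | 'A MASK') starting at parts[i]."""
    if parts[i] == "any":
        return Net("0.0.0.0/0"), i + 1
    if parts[i] == "host":
        return Net(parts[i + 1] + "/32"), i + 2
    return Net(f"{parts[i]}/{parts[i + 1]}", strict=False), i + 2


def parse_crypto_acl(text):
    """Parse ASA 'access-list NAME extended permit ip <src> <dst>' lines."""
    aces = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "access-list" or "permit" not in parts:
            continue
        i = parts.index("permit") + 2        # skip the protocol keyword (ip)
        local, i = _read_net(parts, i)
        remote, _ = _read_net(parts, i)
        aces.append(CryptoAce(local, remote))
    return aces


REJECT_RE = re.compile(r"remote proxy (\S+?)/(\S+?)/\d+/\d+ local proxy (\S+?)/(\S+?)/\d+/\d+")


def parse_rejection(line):
    """(local, remote) proxy networks from an ASA 'Rejecting IPSec tunnel' line, or None."""
    m = REJECT_RE.search(line)
    if m is None:
        return None
    raddr, rmask, laddr, lmask = m.groups()
    return Net(f"{laddr}/{lmask}", strict=False), Net(f"{raddr}/{rmask}", strict=False)


def matching_ace(aces, local, remote):
    """A static crypto map accepts the proposal only if one ACE covers both proxies."""
    for ace in aces:
        if local.subnet_of(ace.local) and remote.subnet_of(ace.remote):
            return ace
    return None


def diagnose(acl_text, log_line):
    """Explain a rejection line against our crypto ACL."""
    proxies = parse_rejection(log_line)
    if proxies is None:
        return "not a proxy-ID rejection"
    ace = matching_ace(parse_crypto_acl(acl_text), *proxies)
    if ace is not None:
        return f"covered by {ace.local} -> {ace.remote}"
    return f"no ACE covers local {proxies[0]} remote {proxies[1]}: compare both peers' crypto ACLs"


def mirror_mismatches(ours, theirs):
    """Our ACEs with no mirror image (source and destination swapped) in the peer's ACL."""
    peer = {(a.remote, a.local) for a in theirs}
    return [a for a in ours if (a.local, a.remote) not in peer]


# Constructed sample data (not the poster's config): the two subnets named in the thread.
OUR_ACL = "access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0"
PEER_ACL = "access-list outside_cryptomap extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0"
REJECT_LINE = ("Rejecting IPSec tunnel: no matching crypto map entry for remote proxy "
               "1.1.1.2/255.255.255.255/0/0 local proxy 1.1.1.1/255.255.255.255/0/0 on interface outside")
```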
-
VPN connects but smb://server does not exist
Hello guys,
I'm having a problem with my Mac.
I have configured a VPN to the server (work) and connected normally.
However, when I look at the server list in Finder, the server does not appear:
And when I try to connect using the Finder (Go > Connect to Server) I get the following message
Could you help me?
BdW
TKS
Bonjour does not work through a VPN tunnel. You identify the server by its numeric IP address or a FQDN.
-
At present 2 sites won't open. When I try to open these sites I get "Problem loading page" or "The website you are looking for does not appear". These two messages are displayed.
Try clearing your browser's cache.
Tools > Clear Recent History... - Details, make sure only Cache is selected, then choose Everything and click the Clear Now button.