ACL does not match proxy IDs in two tunnels

Hi all

I get the error "ACL does not match proxy IDs" that I am not able to solve; Google gives lots of results, I tried some, but nothing applies.

I have 2 tunnels in the installation:
1/ one from a PIX 515E (office) to an ASA 5505 (hosted server) so that my guys can access the hosted server
2/ one from the ASA 5505 to my client's firewall so that its equipment can reach the hosted server and the hosted server can reach its equipment.

The two tunnels are working well; my problem comes when I try to reach my customer's equipment from my office, i.e. cascading the tunnels.
Setup was done (part of it) with the help of external professional services, and when we did a test, it seemed to work... "Seemed" because we only did one test, and now I wonder whether it ever actually worked!

It is the first time I'm trying cascaded tunnels; I had no problems with the other VPNs I built.

I'm attaching the configuration of the PIX and ASA and an excerpt from the syslogs showing the error, hoping someone can point out an obvious mistake that I have not seen!

Do not hesitate to ask for any missing information that could be useful, and thanks a lot in advance for your help!

Rgds

JD,

NAT is done before the crypto, for many reasons, flexibility more than anything.

I checked the ACLs and still see a mismatch: I mean the number of ACEs and their content MUST match; the only difference is that source and destination must be swapped between the two.

Until you correct this it's always going to fail.

Once you do it, you may try to check where it fails by referring to a reference I posted some time ago.

Can you gather debugs as described here:

https://supportforums.Cisco.com/docs/doc-14044#31_Debugs_used

Marcin

Tags: Cisco Security

Similar Questions

  • PowerConnect 6200 ACL does not seem to work

    Hello

    I have a total of four 6248s in two groups at different locations, configured with VRRP + OSPF.  I tried to set up a simple ACL on one VLAN to allow a portion of the traffic and block everything else, but I can't make it work.  I have tried many combinations to get this working, but so far without success.  It's just a simple ACL, which should allow web/http traffic to the 10.1.30.100 server and block everything else.

    The only type of ACE that seems to work is either "deny ip any any" or "permit ip any any".  If you try an ACE with a destination host and subnet mask 0.0.0.0 it just blocks everything.  Has anyone else had problems with ACLs, or is it just my incompetence preventing me from getting the 6200 ACL to work properly?  I didn't have this problem getting an ACL to work on our Cisco 2811 routers, only when I tried on the PC6248s.

    config
    int vlan 720
    no ip access-group vlan720-in in
    exit
    no access-list vlan720-in
    access-list vlan720-in permit tcp any 10.1.30.100 0.0.0.0 eq 80
    int vlan 720
    ip access-group vlan720-in in
    exit
    exit
    copy running-config startup-config
    y

    Just an update on this issue.  I worked with Dell to determine why the ACL does not seem to work.  We discovered that the 6200 applies the ACL to traffic like a Cisco VLAN ACL (VLAN map) rather than as a router ACL entry.  This causes the ACL to apply not only to routed or forwarded traffic but also to traffic switched within the same VLAN.

    This has been the source of my problems, as my traffic was not limited to a single 6200.  I built a simple lab to verify that the 6200 applies the ACL to traffic switched within the same VLAN.

    First, the 6200 has one ACL applied to VLAN 5; both PC1 and PC2 are in VLAN 5.  They are both on the same subnet, 192.168.5.0/24.  The ACL has a "permit icmp any any" statement but nothing else.  PC1 and PC2 are running Windows XP Pro with IIS installed for the test.  The firewall on both is disabled.

    PC #1 IP: 192.168.5.2/24
    PC #2 IP: 192.168.5.3/24

    [6200]
    |    |
    |    |
    |   [2950T #2] <-->[PC #2]
    |
    |
    [2950T #1] <-->[PC #1]

    In this scenario PC1 and PC2 can ping each other without problem because of the "permit icmp any any" statement, but neither can access the IIS site on the other computer.

    Dell said that this is normal and if you want intra-VLAN communication you need a "permit ip" statement to make it work properly.  I also found that return traffic from other VLANs was also denied because the ACL is applied to all incoming traffic.  As a solution, a permit statement should be included for ALL traffic back from other subnets to the restricted subnet.  So in this case "permit ip any …".

    I find it a bit annoying that the ACL is applied as a VLAN map rather than as a real inbound router ACL, as on similar Cisco devices such as the 3750.  So there is a workaround.  I hope they can solve the problem in a future update, because I really think that the 6200 is a great device.

    Here you can see the difference between VLAN map ACLs and router ACLs in how they apply to traffic local to the VLAN.
    http://www.Cisco.com/en/us/docs/switches/LAN/catalyst3750/software/release/12.2_25_see/configuration/guide/swacl.html#wp1572522
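The difference the poster found, modelled as an added example (not Dell or Cisco code, and not the poster's switch configuration): a small first-match ACL evaluator with two wrappers that decide which flows are even subjected to the ACL. A VLAN map filters every frame in the VLAN, bridged or routed, in both directions; an inbound router ACL on the SVI only sees traffic leaving the VLAN through the router. The lab setup (VLAN 5, PC1/PC2, "permit icmp any any") follows the post; the other-VLAN host 192.168.10.5 and the "permit ip any 192.168.5.0 0.0.0.255" return-traffic ACE are constructed.

```python
"""VLAN-map versus inbound router ACL semantics, modelled in Python."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    action: str              # "permit" or "deny"
    proto: str               # "ip" (any), "tcp", "udp" or "icmp"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]     # destination port from "eq N", else None


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _wildcard(addr: str, wildcard: str) -> IPv4Network:
    """Cisco/Dell 'A.B.C.D WILDCARD' -> network; wildcard 0.0.0.0 means one host."""
    bits = int(ip_address(wildcard))
    if bits & (bits + 1):                      # wildcard must be 0b0...01...1
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ip_network(f"{addr}/{32 - bits.bit_length()}", strict=False)


def _addr(tokens: List[str], i: int) -> Tuple[IPv4Network, int]:
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    return _wildcard(tokens[i], tokens[i + 1]), i + 2


def parse_ace(line: str) -> Ace:
    """Parse e.g. 'permit tcp any 10.1.30.100 0.0.0.0 eq 80' (the poster's ACE)."""
    t = line.split()
    src, i = _addr(t, 2)
    dst, i = _addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Ace(t[0], t[1], src, dst, dport)


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ace.src or ip_address(pkt.dst) not in ace.dst:
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl: List[Ace], pkt: Packet) -> bool:
    """First matching ACE wins; implicit deny at the end."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action == "permit"
    return False


VLAN5 = ip_network("192.168.5.0/24")


def vlan_map_permits(acl: List[Ace], pkt: Packet) -> bool:
    """VLAN map (what the post found the 6200 does): every frame in the VLAN is filtered."""
    return evaluate(acl, pkt)


def router_acl_in_permits(acl: List[Ace], pkt: Packet, vlan: IPv4Network = VLAN5) -> bool:
    """'ip access-group X in' on the SVI (what the poster expected): only traffic that
    leaves the VLAN via the router is filtered. Frames switched inside the VLAN never
    reach the SVI, and traffic arriving from the router would need an 'out' ACL."""
    src_in, dst_in = ip_address(pkt.src) in vlan, ip_address(pkt.dst) in vlan
    if (src_in and dst_in) or not src_in:
        return True
    return evaluate(acl, pkt)


POSTED_ACL = [parse_ace("permit icmp any any")]                             # the lab ACL from the post
FIXED_ACL = POSTED_ACL + [parse_ace("permit ip any 192.168.5.0 0.0.0.255")]  # constructed fix

PING = Packet("icmp", "192.168.5.2", "192.168.5.3")             # PC1 -> PC2, same VLAN
HTTP = Packet("tcp", "192.168.5.2", "192.168.5.3", 80)          # PC1 -> PC2 IIS
RETURN = Packet("tcp", "192.168.10.5", "192.168.5.2", 52000)    # reply from another VLAN (constructed)


def compare(acl: List[Ace]) -> dict:
    """{flow: (router-ACL verdict, VLAN-map verdict)} for the three test flows."""
    return {name: (router_acl_in_permits(acl, p), vlan_map_permits(acl, p))
            for name, p in (("ping", PING), ("http", HTTP), ("return", RETURN))}


if __name__ == "__main__":
    for label, acl in (("posted ACL", POSTED_ACL), ("with return-traffic permit", FIXED_ACL)):
        print(label, compare(acl))
```

With the posted ACL the router-ACL column permits all three flows (none of them is routed out of the VLAN), while the VLAN-map column only permits the ping, which is exactly what the lab showed.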

  • Card player AutoPlay does not work. My two computers are networked. How can I fix it for automatic playback works?

    Hello

    I suggest you try the steps in the following Microsoft Help article and check if it works.

    Troubleshoot AutoPlay:

    http://Windows.Microsoft.com/en-us/Windows7/Troubleshoot-AutoPlay-problems

    For more information, see the following link:

    http://Windows.Microsoft.com/en-us/Windows7/AutoPlay-frequently-asked-questions

    Hope the information is useful.

  • The column that does not match when comparing two records

    Hi all

    We are trying to compare two tables and find the differences. So if two records (one from each table) have the same PK but do not match because of some columns, we would like to display that column name. For example:

    Table 1

    PK Parent Child Property1 Property2
    1 A A1 P1 PR1
    2 B B1 P2 oraPR2
    3 C C1 P3 PR3

    Table 2

    PK Parent Child Property1 Property2
    1 A A1 P1 PR1
    2 B B1 P2 PR2
    3 C C1 P3 PR4

    In the above example, when I compare the 2 tables everything matches except Property2 on line no. 3. Thus, we would like to get an output like:

    PK Column_Mismatch
    3 Property2 (this must be the name of the column that does not match)

    Appreciate the help.

    Thank you

    Andy

    Hi, Andy.

    Andy1484 wrote:

    Hi all

    We are trying to compare two tables and find the differences. So if two records (one from each table) have the same PK but do not match because of some columns, we would like to display that column name. For example:

    Table 1

    PK Parent Child Property1 Property2
    1 A A1 P1 PR1
    2 B B1 P2 oraPR2
    3 C C1 P3 PR3

    Table 2

    PK Parent Child Property1 Property2
    1 A A1 P1 PR1
    2 B B1 P2 PR2
    3 C C1 P3 PR4

    In the above example, when I compare the 2 tables everything matches except Property2 on line no. 3. Thus, we would like to get an output like:

    PK Column_Mismatch
    3 Property2 (this must be the name of the column that does not match)

    Appreciate the help.

    Thank you

    Andy

    Why don't you want any output for pk = 2?  Property2 does not match for that pk either.

    What happens if 2 (or more) columns do not match?  The following query would produce a delimited list, such as 'PARENT; PROPERTY2'.

    WITH got_mismatch AS
    (
        SELECT t1.pk
             , CASE WHEN t1.parent    <> t2.parent    THEN '; PARENT'    END
            || CASE WHEN t1.child     <> t2.child     THEN '; CHILD'     END
            || CASE WHEN t1.property1 <> t2.property1 THEN '; PROPERTY1' END
            || CASE WHEN t1.property2 <> t2.property2 THEN '; PROPERTY2' END
               AS mismatch        -- in Oracle, NULL || 'x' is 'x', so matching columns add nothing
        FROM   table_1 t1
        JOIN   table_2 t2 ON t2.pk = t1.pk
    )
    SELECT pk
    ,      SUBSTR (mismatch, 3) AS column_mismatch   -- drop the leading '; '
    FROM   got_mismatch
    WHERE  mismatch IS NOT NULL
    ;

    If you would care to post CREATE TABLE and INSERT statements for your sample data, then I could test this.

    The query above does not count NULL values as mismatches.  If you want that, the same basic approach will work, but you can use DECODE instead of <> to compare columns.

    What happens if a pk exists in one table but not the other?  You want an outer join, where I used an inner join above.
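The same CASE-per-column approach run end to end, as an added example that is neither Frank's Oracle query nor Andy's real tables. It uses Python's sqlite3 so it runs offline; SQLite differs from Oracle in that NULL || 'x' is NULL (so each CASE is wrapped in IFNULL) and it has no DECODE, so the NULL-safe "IS NOT" comparison is used instead. Two anti-joins cover the "pk exists in only one table" case that Frank says needs an outer join. Rows with pk 1 to 3 are the post's data; pk 4 to 7 are constructed to exercise NULLs, a missing pk on either side, and two columns differing at once.

```python
"""Column-mismatch report for two tables keyed by PK, run on SQLite."""
import sqlite3
from typing import List, Sequence, Tuple

COLUMNS = ("parent", "child", "property1", "property2")

# Constructed sample data (pk 1-3 from the post; 4-7 added for the edge cases).
TABLE_1 = [
    (1, "A", "A1", "P1", "PR1"),
    (2, "B", "B1", "P2", "oraPR2"),
    (3, "C", "C1", "P3", "PR3"),
    (4, "D", "D1", None, "PR4"),     # NULL on both sides: not a mismatch
    (5, "E", "E1", "P5", "PR5"),     # present only in table_1
    (7, "G", "G1", "P7", "PR7"),
]
TABLE_2 = [
    (1, "A", "A1", "P1", "PR1"),
    (2, "B", "B1", "P2", "PR2"),
    (3, "C", "C1", "P3", "PR4"),
    (4, "D", "D1", None, "PR4"),
    (6, "F", "F1", "P6", "PR6"),     # present only in table_2
    (7, "X", "G1", "P7", "PR9"),     # two columns differ at once
]


def build_query(columns: Sequence[str] = COLUMNS) -> str:
    """Generate the query so adding a column to compare is a one-line change."""
    terms = " || ".join(
        f"IFNULL(CASE WHEN t1.{c} IS NOT t2.{c} THEN '; {c.upper()}' END, '')"
        for c in columns)
    return f"""
WITH got_mismatch AS (
    SELECT t1.pk AS pk, {terms} AS mismatch
    FROM   table_1 t1
    JOIN   table_2 t2 ON t2.pk = t1.pk
)
SELECT pk, SUBSTR(mismatch, 3) AS column_mismatch   -- drop the leading '; '
FROM   got_mismatch
WHERE  mismatch <> ''
UNION ALL
SELECT t1.pk, 'MISSING_IN_TABLE_2'
FROM   table_1 t1 LEFT JOIN table_2 t2 ON t2.pk = t1.pk
WHERE  t2.pk IS NULL
UNION ALL
SELECT t2.pk, 'MISSING_IN_TABLE_1'
FROM   table_2 t2 LEFT JOIN table_1 t1 ON t1.pk = t2.pk
WHERE  t1.pk IS NULL
ORDER BY pk
"""


def find_mismatches(rows1: Sequence[tuple], rows2: Sequence[tuple]) -> List[Tuple[int, str]]:
    """Load both row sets into an in-memory database and return (pk, column_mismatch) rows."""
    con = sqlite3.connect(":memory:")
    ddl = "(pk INTEGER PRIMARY KEY, parent TEXT, child TEXT, property1 TEXT, property2 TEXT)"
    con.execute("CREATE TABLE table_1 " + ddl)
    con.execute("CREATE TABLE table_2 " + ddl)
    con.executemany("INSERT INTO table_1 VALUES (?, ?, ?, ?, ?)", rows1)
    con.executemany("INSERT INTO table_2 VALUES (?, ?, ?, ?, ?)", rows2)
    try:
        return con.execute(build_query()).fetchall()
    finally:
        con.close()


if __name__ == "__main__":
    for pk, cols in find_mismatches(TABLE_1, TABLE_2):
        print(pk, cols)
```

Note that pk 2 is reported here, as Frank points out it should be; pk 4 is not, because both sides hold NULL in Property1 and "IS NOT" treats two NULLs as equal.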

  • While loop does not stop when the two values are equal using the "equal to" comparator

    Hello world

    I have a really, really strange bug. I have a LabVIEW VI that ramps a voltage on a power supply. I have a start and a stop voltage and use a while loop to increment the device. For example, if I want to scan from 1.2 V to 2.2 V in 0.2 V increments, the program ends when "current voltage" = "stop voltage". And it works very well!

    However, when I start at -3 V and want to stop at, say, -0.8 V (again in 0.2 V increments) the program does not stop when "current voltage" = "stop voltage". I checked with a probe near what should be the end of the sweep and -0.8 V goes into both inputs of the "equal to" comparison operator, but that can't trigger a true result.

    It's very strange to me. Especially as if I go from -0.8 V to -2 V with a decrement of -0.2 V, the program stops correctly!

    I am very confused!

    See you soon!

    Search on: comparison of floating-point numbers

    The second thread is particularly relevant. That discussion was from 2009, but you can find the same "bug" being reported going back to the end of the 1980s.

    Mike...
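The floating-point comparison problem Mike points to, as an added example (not Mike's reply and not the original poster's LabVIEW VI): the same while loop in Python with three stop conditions, exact equality, a tolerance of half a step, and an integer step index that never depends on accumulated additions. The demo values are the poster's (-3 V to -0.8 V by 0.2 V); the 0.0 to 0.3 by 0.1 case is added because its failure can be checked by hand (0.1 + 0.1 + 0.1 is 0.30000000000000004, not 0.3), and 0 to 1 by 0.25 because quarters are exact in binary, so equality does work there.

```python
"""Why "stop when current == stop" can run past the end with 0.2 V steps."""
import math


def sweep_equality(start, stop, step, max_steps=10_000):
    """Mimic the VI: keep adding `step` until current == stop (exact compare).
    Returns (setpoints, stopped_by_equality); the step cap is the only other exit."""
    current, values = start, [start]
    for _ in range(max_steps):
        if current == stop:
            return values, True
        current += step                 # rounding error accumulates here
        values.append(current)
    return values, False


def sweep_tolerance(start, stop, step, max_steps=10_000):
    """Same loop, but 'equal' means within half a step of the stop value."""
    tol = abs(step) / 2
    current, values = start, [start]
    for _ in range(max_steps):
        if math.isclose(current, stop, abs_tol=tol):
            return values, True
        current += step
        values.append(current)
    return values, False


def sweep_indexed(start, stop, step):
    """Decide the number of steps once, then compute each setpoint from the index.
    Nothing accumulates, so the loop always ends after exactly n steps."""
    n = round((stop - start) / step)
    if n < 0:
        raise ValueError("step points away from stop")
    return [start + i * step for i in range(n + 1)]


if __name__ == "__main__":
    for start, stop, step in ((1.2, 2.2, 0.2), (-3.0, -0.8, 0.2), (-0.8, -2.0, -0.2)):
        _, ok = sweep_equality(start, stop, step, max_steps=100)
        print(f"{start} -> {stop} by {step}: equality stop {'worked' if ok else 'FAILED'};"
              f" indexed sweep ends at {sweep_indexed(start, stop, step)[-1]!r}")
```

Either of the last two forms is the usual fix; the indexed one is preferable for instrument control because the number of setpoints is known before the loop starts, so a runaway sweep is impossible.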

  • Creative cloud does not remember IDs after the computer restarts

    The Creative Cloud app does not remember my login after a restart of the computer, or simply when it starts after I turn the computer on. The app starts up fine and appears in the notification area (Windows 10 64-bit), but I have to log in each time before I can get updates, etc. This problem started about 3 weeks ago and I have yet to find a solution. Does anyone know how to fix this?

    In this case I advise you to contact customer services, as technical troubleshooting may be required.

  • ACL does not work in ECM11G

    Hi all

    I did a demo of the ACL on ECM11G according to
    http://blogs.Oracle.com/Kyle/2011/02/new_security_configuration_flag_ucm_ps3.html

    my config.cfg is:

    UseEntitySecurity = true
    SpecialAuthGroups = Marketing, Public

    When I use WebLogic to check in a doc with the Marketing security group and assign User1 the Read (R) right, then log in as User1, User1 can still update the doc. What could be wrong?

    Best regards

    Hello

    I think that the problem is "group1 is also defined as the admin role and has RWDA rights on the Public security group".

    I remember having seen this. As "group1" has RWD"A" on Public, the Admin-level privilege gives any member of "group1" complete control, regardless of the ACL.
    Try limiting the privileges of "group1" on "Public" and check the results.

    My recommendation would be to have two groups, "PUBLIC_ADMIN" and "group1", where "PUBLIC_ADMIN" should have RWDA on Public and "group1" should have RWD.
    Now you can add all users in the organization to "group1". When they are added to the ACLs (on a folder/content), they will get at most RWD.

    However, given that the number of ADMINs is limited, if someone needs it later, you can add them to the "PUBLIC_ADMIN" group too.

    A caveat, however, is that PUBLIC_ADMIN will have full privilege on any folder/content in Public. Compare, for example, with the 10g Projects feature: all members with RWDA on the "Projects" security group and RWDA on the "prj" account get access to all projects.
    Another thing I've seen so far is that anyone with RW will be able not only to write but also to update the ACL! Always check.

    I hope this helps.

    Kind regards
    Prateek

    Published by: Prateek Mohan on April 27, 2011 10:34
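A small model of the rule Prateek describes, as an added example (not Oracle UCM/ECM code and not the poster's configuration): a user's effective rights on an item are the intersection of what their groups' roles grant on the item's security group and what the item's ACL grants, except that Admin ("A") on the security group bypasses the ACL entirely. The group names follow the thread; the document, the role tables (group1 is given RWDA on Marketing as well as Public in the "before" state so the Marketing doc is affected) and the extra user are constructed.

```python
"""Effective rights under "security-group role ∩ ACL, unless the role carries Admin"."""
from typing import FrozenSet, Iterable, Mapping

ALL_RIGHTS = frozenset("RWDA")


def role_rights(user: str, memberships: Mapping[str, Iterable[str]],
                roles: Mapping[str, Mapping[str, str]], security_group: str) -> FrozenSet[str]:
    """Union of the rights each of the user's groups holds on `security_group`."""
    rights = set()
    for group in memberships.get(user, ()):
        rights.update(roles.get(group, {}).get(security_group, ""))
    return frozenset(rights)


def acl_rights(user: str, memberships: Mapping[str, Iterable[str]],
               acl: Mapping[str, str]) -> FrozenSet[str]:
    """Rights the item's ACL grants to the user directly or through a group entry."""
    rights = set(acl.get(user, ""))
    for group in memberships.get(user, ()):
        rights.update(acl.get(group, ""))
    return frozenset(rights)


def effective_rights(user: str, doc: Mapping, memberships: Mapping, roles: Mapping) -> FrozenSet[str]:
    granted = role_rights(user, memberships, roles, doc["security_group"])
    if "A" in granted:
        return ALL_RIGHTS        # Admin on the security group: the ACL is not consulted (the post's observation)
    return granted & acl_rights(user, memberships, doc["acl"])


def can_rewrite_acl(user: str, doc: Mapping, memberships: Mapping, roles: Mapping) -> bool:
    """Caveat from the post: RW on the item is enough to update its ACL."""
    return {"R", "W"} <= effective_rights(user, doc, memberships, roles)


# Constructed scenario: the doc is in Marketing and its ACL gives User1 Read only.
DOC = {"security_group": "Marketing", "acl": {"User1": "R"}}

# Before: group1 carries Admin on the security groups, so the ACL is irrelevant.
MEMBERS_BEFORE = {"User1": ["group1"]}
ROLES_BEFORE = {"group1": {"Public": "RWDA", "Marketing": "RWDA"}}

# After Prateek's split: group1 capped at RWD, Admin moved to a separate PUBLIC_ADMIN group.
MEMBERS_AFTER = {"User1": ["group1"], "Admin1": ["PUBLIC_ADMIN", "group1"]}
ROLES_AFTER = {
    "group1": {"Public": "RWD", "Marketing": "RWD"},
    "PUBLIC_ADMIN": {"Public": "RWDA", "Marketing": "RWDA"},
}

if __name__ == "__main__":
    for label, members, roles in (("before", MEMBERS_BEFORE, ROLES_BEFORE),
                                  ("after", MEMBERS_AFTER, ROLES_AFTER)):
        eff = "".join(sorted(effective_rights("User1", DOC, members, roles)))
        print(f"{label}: User1 has {eff or 'no rights'}; can rewrite ACL: "
              f"{can_rewrite_acl('User1', DOC, members, roles)}")
```

The "before" state reproduces the poster's symptom (User1 has R in the ACL yet can update the doc); after the split the ACL is what actually limits User1, and only the deliberately small PUBLIC_ADMIN group bypasses it.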

  • No Internet on two wireless laptops.

    I recently reset my router, which is just crazy. I was finally able to reset the default settings and create a new network and everything. The main computer that is connected to the router has internet, but my two wireless laptops do not.

    It says "Unidentified network" and then my network name in parentheses

    Access: Local only

    It says it is connected and has full green bars, but it won't let me connect to the internet.

    Help, please. Thank you.

    Also, I made sure to go into my network properties and check that everything matches what is on the router setup page. I really don't know what is wrong, but any help would be appreciated.

    Make sure that you don't have a static IP address on the computer... Click the Start button > Control Panel > Network and Sharing Center > Manage Network Connections. Right-click on the wireless network connection icon and go to Properties - on the "General" tab, select "Internet Protocol Version 4 (TCP/IPv4)" and click the Properties button - select "Obtain an IP address automatically" and below it "Obtain DNS server address automatically".

  • External ACL does not increment for traffic allowed through the site to site VPN

    Hi all, we have many site-to-site IPsec VPNs that are sending traffic to us successfully - the largest part of this traffic is FTP or SFTP.

    There is no sysopt configuration on the ASA firewall. Access lists have been configured on the outside interface of the ASA to allow these VPN FTP & SFTP connections - however, all counters are 0 when I do a "show access-list internet-in" for FTP or SFTP.

    There are general IP entries in the access list for FTP & SFTP connections NATted to the Internet addresses of these FTP servers and these do increment, but then there are certain customers who use the internet to transfer files.

    I guess what I am asking is: does the ASA outside access list increment for traffic allowed by VPN? The access list entries are for THEIRINTERNALIP to OURINTERNALIP (as per the crypto map).

    Just to add that these ACLs are configured through object groups, in case that matters - also, once again, they are correctly transferring files to us - I just don't see where they are being allowed.

    Thanks in advance

    Mark

    VPN traffic is flowing properly and there is no ACL allowing UDP 500 or ESP?

    Can you post the output of "sh run all sysopt"?

    Federico.

  • RVS4000 V02 IP based ACL does not

    Hello

    I have an RVS4000 v02 and created 3 VLANs - 192.168.70.0/24, 192.168.80.0/24 and 192.168.90.0/24.  I tried to create an IP-based access list to deny networks 192.168.80.0/24 and 192.168.90.0/24 access to 192.168.70.0/24, and to deny 192.168.90.0/24 access to 192.168.80.0/24.  Can you help me check my IP-based access list?

    MY RVS4000 access LIST

    Deny   Any protocol   LAN   192.168.80.0/255.255.255.0   192.168.70.0/255.255.255.0   All the time   Every day

    Deny   Any protocol   LAN   192.168.90.0/255.255.255.0   192.168.70.0/255.255.255.0   All the time   Every day

    Deny   Any protocol   LAN   192.168.90.0/255.255.255.0   192.168.80.0/255.255.255.0   All the time   Every day

    Allow  All services   LAN   ANY   ANY   All the time   Every day

    Allow  All services   WAN   ALL   ALL   All the time   Every day

    * all access list is enabled.

    Networks 192.168.80.0 and 192.168.90.0 can still reach the 192.168.70.0 network.

    Hope you can help me understand this.


    Hello.

    These products are handled by the Cisco Small Business Support Community.

    * If my post answered your question, please mark it as "Accepted Solution".

    * Do not forget to give "kudos". Thank you!

  • Why does the screen saver not work on both screens?

    I have a monitor connected to my laptop using the VGA connector.
    The laptop LCD is set as the primary display and the additional monitor is set as the extended desktop. When the screen saver appears, it shows on the main screen. How can I make it work on both? (without setting the external display as a clone of the main one).
    The OS is Vista Home Premium

    Thanks for any help!
    El

    In dual-screen extended mode, the Win7 screen saver stops working after unplugging the external monitor

    I have problems of this kind.

    I have listed what I've done to illustrate how to reproduce this.

    My OS is Win7 32-bit.

    The replication steps are:

    1. Boot the OS with the integrated display (it is a notebook system).

    2. Attach the HDMI (external) monitor.

    3. Turn on extended mode with the HDMI monitor as the primary device.

    4. Set the 3D screen saver to be active and preview it.

    The 3D screen saver drawing now works on the main screen;

    the secondary monitor (built-in monitor) shows a black screen.

    5. Hot-unplug the HDMI monitor.

    6. The display of the 3D screen saver changes back to the built-in screen.

    7. BUT the drawing of the 3D screen saver on the built-in screen is STOPPED (= NOT updated).

    8. Move the mouse; the built-in monitor leaves the idle screen state (the operating system is still alive).

    Is this the expected OS behaviour?

  • Hi, I am trying to install Elements 12; when I install it, LR3 does not work. Are the two compatible?

    LR3 is compatible with Elements 12. When I installed LR3, E12 seizes up and won't work; if I uninstall E12, LR3 works perfectly.

    Barry

    Moving this discussion to the Photoshop Lightroom forum.

  • ASA 5505 site-site does not

    Hi all

    I'm having problems setting up a simple site-to-site VPN between two new ASA 5505s. I tried several times with the ASDM manual configuration tool or by using the wizard, resetting to factory defaults each time, but the tunnel does not come up.

    I traced it down to the following lines on the receiving side:

    May 11 16:42:53 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, PHASE 1 COMPLETED
    May 11 16:42:53 [IKEv1]: IP = 1.1.1.2, Keep-alive type for this connection: DPD
    May 11 16:42:53 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, Starting P1 rekey timer: 73440 seconds.
    May 11 16:42:53 [IKEv1 DECODE]: IP = 1.1.1.2, IKE Responder starting QM: msg id = 693161c8
    May 11 16:42:53 [IKEv1]: IP = 1.1.1.2, IKE_DECODE RECEIVED Message (msgid=693161c8) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 192
    May 11 16:42:53 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing hash payload
    May 11 16:42:53 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing SA payload
    May 11 16:42:53 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing nonce payload
    May 11 16:42:53 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing ID payload
    May 11 16:42:53 [IKEv1 DECODE]: Group = 1.1.1.2, IP = 1.1.1.2, ID_IPV4_ADDR ID received
    1.1.1.2
    May 11 16:42:53 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Received remote Proxy Host data in ID Payload:  Address 1.1.1.2, Protocol 0, Port 0
    May 11 16:42:53 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing ID payload
    May 11 16:42:53 [IKEv1 DECODE]: Group = 1.1.1.2, IP = 1.1.1.2, ID_IPV4_ADDR ID received
    1.1.1.1
    May 11 16:42:53 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Received local Proxy Host data in ID Payload:  Address 1.1.1.1, Protocol 0, Port 0
    May 11 16:42:53 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing notify payload
    May 11 16:42:53 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, QM IsRekeyed old sa not found by addr
    May 11 16:42:53 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, checking map = outside_map, seq = 1...
    May 11 16:42:53 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, map = outside_map, seq = 1, ACL does not match proxy IDs src:1.1.1.2 dst:1.1.1.1
    May 11 16:42:53 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 1.1.1.2/255.255.255.255/0/0 local proxy 1.1.1.1/255.255.255.255/0/0 on interface outside


    It looks to me like the remote proxy host and local proxy host data are the outside IPs instead of the subnets (10.0.0.0/24 and 192.168.0.0/24)... How can I fix this?

    Hello

    The debugs show this ASA as the responder, so the other ASA is the initiator.

    It seems that you have configured the initiator with the originate-only connection type.

    Example:

    crypto map OUTSIDE_map 20 set connection-type originate-only

    If you have that, it attempts to establish the phase 2 SAs between the (public) IP addresses first, then between the configured ACLs...

    If you have originate-only, please remove it.
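Both the mirrored-ACL requirement from Marcin's reply in the main thread and the proxy-ID rejection in this thread's debug output come down to the same check: does the local crypto ACL contain an entry whose local/remote networks are exactly what the peer proposes? The following added example (not Cisco code and not either poster's configuration) parses ASA/PIX-style "access-list ... permit ip SRC DST" lines into (local, remote) network pairs, reports every entry whose mirror image is missing on the peer, and reads the proxy IDs out of the "Rejecting IPSec tunnel" line quoted above to show that no ACE covers them. The ACL names, addresses and the deliberately non-mirrored second entries are constructed; only the log line is from the page.

```python
"""Crypto ACL mirroring check plus decoding of an ASA 'no matching crypto map entry' line."""
import re
from ipaddress import IPv4Network, ip_network
from typing import List, Optional, Tuple

Pair = Tuple[IPv4Network, IPv4Network]

# Constructed crypto ACLs: hosted ASA (local 192.168.0.0/24) and office PIX (local 10.0.0.0/24).
# The first entries mirror each other; the second entries deliberately do not.
HOSTED_ASA_ACL = """
access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list outside_cryptomap extended permit ip host 192.168.0.10 10.0.1.0 255.255.255.0
"""
OFFICE_PIX_ACL = """
access-list office_cryptomap permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list office_cryptomap permit ip 10.0.1.0 255.255.255.0 192.168.0.0 255.255.255.0
"""
# Log line quoted from the ASA 5505 thread.
REJECT_LINE = ("May 11 16:42:53 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Rejecting IPSec tunnel: "
               "no matching crypto map entry for remote proxy 1.1.1.2/255.255.255.255/0/0 "
               "local proxy 1.1.1.1/255.255.255.255/0/0 on interface outside")


def _take_addr(t: List[str], i: int) -> Tuple[IPv4Network, int]:
    """Consume one address spec at t[i]: 'any', 'host A.B.C.D', or 'A.B.C.D NETMASK'."""
    if t[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ip_network(t[i + 1] + "/32"), i + 2
    return ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_crypto_acl(text: str) -> List[Pair]:
    """(local, remote) pairs from 'access-list NAME [extended] permit ip SRC DST' lines."""
    pairs = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        if t[2] == "extended":          # ASA syntax; PIX 6.x lines have no keyword
            del t[2]
        if t[2] != "permit" or t[3] != "ip":
            continue                    # only 'permit ip' lines define proxy IDs in this model
        src, i = _take_addr(t, 4)
        dst, _ = _take_addr(t, i)
        pairs.append((src, dst))
    return pairs


def mirror_discrepancies(local: List[Pair], remote: List[Pair]) -> List[str]:
    """Every local (src, dst) must appear on the peer as (dst, src), and vice versa."""
    lset, rset = set(local), set(remote)
    problems = [f"peer lacks the mirror of local ACE {s} -> {d}" for s, d in local if (d, s) not in rset]
    problems += [f"local lacks the mirror of peer ACE {s} -> {d}" for s, d in remote if (d, s) not in lset]
    return problems


_REJECT_RE = re.compile(r"remote proxy (\S+?)/(\S+?)/\d+/\d+ local proxy (\S+?)/(\S+?)/\d+/\d+")


def proxy_ids(line: str) -> Optional[Pair]:
    """(local, remote) networks named in an ASA 'Rejecting IPSec tunnel' line, or None."""
    m = _REJECT_RE.search(line)
    if not m:
        return None
    remote = ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    local = ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
    return local, remote


def explain_rejection(line: str, local_acl: List[Pair]) -> str:
    """Say whether the proxy IDs the peer offered are covered by an ACE in the local crypto ACL."""
    ids = proxy_ids(line)
    if ids is None:
        return "no proxy IDs found in line"
    local, remote = ids
    if ids in set(local_acl):
        return f"crypto ACL has {local} -> {remote}; the proxy IDs themselves match"
    return f"no ACE {local} -> {remote}: peer offered proxy IDs the crypto ACL does not define"


if __name__ == "__main__":
    hosted, office = parse_crypto_acl(HOSTED_ASA_ACL), parse_crypto_acl(OFFICE_PIX_ACL)
    for problem in mirror_discrepancies(hosted, office):
        print(problem)
    print(explain_rejection(REJECT_LINE, hosted))
```

For the quoted log line the result is "no ACE 1.1.1.1/32 -> 1.1.1.2/32", which is the host-to-host proxy that Federico attributes to originate-only on the initiator; the mirror check reports both second entries of the constructed ACLs, the situation Marcin describes.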

  • VPN connection but smb://server does not exist

    Hello guys,

    I'm having a problem with my Mac.

    I have configured a VPN server (work) and connected normally.

    However, when I look at the list of servers in the Finder, the server does not appear:

    And when I try to connect using the Finder (Go > Connect to Server) I get the following message:

    Could you help me?

    BdW

    TKS

    Bonjour does not work through a VPN tunnel. Identify the server by its numeric IP address or by an FQDN.

  • I think someone is hacking my visited Web sites and IP address. Some sites do not open. When I try to open Mozilla a message is displayed saying that Firefox is already open; close it first and reboot the system.

    At present 2 sites do not open. When I try to open these sites I get "Problem loading page" or "The Web site you are looking for does not appear". These two messages are displayed.

    Try clearing your browser's cache.

    Tools > Clear Recent History... - Details: make sure only Cache is selected, then select Everything and click the Clear Now button.
