Cannot find the next jump - ASA 5505 VPN routing l2l
We have a 5505 firewall (soon to be replaced by two 5515-X) with two L2L VPNs.
We're trying to allow traffic from one remote site to flow through to the other remote site, but the syslog shows:
10.5.25.4 | 1 | 172.16.10.10 | 0 | Could not locate the next hop for ICMP outside:10.5.25.4/1 to inside:172.16.10.10/0 routing
The config is below:
ASA Version 8.4(3)
names
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 10
!
interface Vlan1
 nameif inside
 security-level 100
 allow-ssc-mgmt
 ip address 10.5.19.254 255.255.255.0
!
interface Vlan2
 description WIMAX Interface
 nameif outside
 security-level 0
 ip address x.247.x.18 255.255.255.248
!
ftp mode passive
clock timezone GMT 1
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network guestwifi
 subnet 10.1.110.0 255.255.255.0
object network NETWORK_OBJ_10.5.19.0_24
 subnet 10.5.19.0 255.255.255.0
object network NETWORK_OBJ_10.5.31.0_24
 subnet 10.5.31.0 255.255.255.0
object network NETWORK_OBJ_172.16.0.0_16
 subnet 172.16.0.0 255.255.0.0
object network DS365-Cloud
 subnet 172.16.10.0 255.255.255.0
 description DS365-Cloud
object network inside-network-16
 subnet 10.5.0.0 255.255.0.0
object network atanta
 subnet 10.5.16.0 255.255.255.0
 description Atanta
object network guest_dyn_nat
 subnet 10.5.29.0 255.255.255.0
object network NETWORK_OBJ_172.16.254.0_25
 subnet 172.16.254.0 255.255.255.128
object network NETWORK_OBJ_10.5.16.0_20
 subnet 10.5.16.0 255.255.240.0
object network NETWORK_OBJ_10.5.16.0_26
 subnet 10.5.16.0 255.255.255.192
object network LDAP_DC7
 host 10.5.21.1
 description LDAP
object network c2si
 range 10.5.21.180 10.5.21.200
object network NETWORK_OBJ_10.5.25.0_24
 subnet 10.5.25.0 255.255.255.0
object-group network rfc1918
 network-object 192.168.0.0 255.255.0.0
 network-object 172.16.0.0 255.255.240.0
 network-object 10.0.0.0 255.0.0.0
object-group network DM_INLINE_NETWORK_1
 network-object 10.5.19.0 255.255.255.0
 network-object 10.5.20.0 255.255.254.0
 network-object 10.5.22.0 255.255.255.0
 network-object 10.5.30.0 255.255.255.0
 network-object 192.168.100.0 255.255.255.0
object-group network Sure_Signal
 network-object x.183.x.128 255.255.255.192
 network-object host x.183.133.177
 network-object host x.183.133.178
 network-object host x.183.133.179
 network-object host x.183.133.181
 network-object host x.183.133.182
object-group network LDAP_source_networks
 network-object 135.196.24.192 255.255.255.240
 network-object 195.130.x.0 255.255.255.0
 network-object x.2.3.128 255.255.255.192
 network-object 213.235.63.64 255.255.255.192
 network-object 91.220.42.0 255.255.255.0
 network-object 94.x.240.0 255.255.255.0
 network-object 94.x.x.0 255.255.255.0
object-group network c2si_Allow
 network-object host 10.5.16.1
 network-object host 10.5.21.1
 network-object object c2si
object-group network DM_INLINE_NETWORK_2
 network-object 10.5.20.0 255.255.254.0
 network-object 10.5.21.0 255.255.255.0
 network-object 10.5.22.0 255.255.255.0
 network-object 10.5.29.0 255.255.255.0
 network-object object NETWORK_OBJ_10.5.19.0_24
object-group network DM_INLINE_NETWORK_3
 network-object 10.5.19.0 255.255.255.0
 network-object 10.5.20.0 255.255.254.0
 network-object 10.5.21.0 255.255.255.0
 network-object 10.5.22.0 255.255.255.0
 network-object object atanta
object-group network DM_INLINE_NETWORK_4
 network-object 10.5.20.0 255.255.254.0
 network-object 10.5.21.0 255.255.255.0
 network-object 10.5.22.0 255.255.255.0
 network-object 10.5.23.0 255.255.255.0
 network-object 10.5.30.0 255.255.255.0
 network-object object NETWORK_OBJ_10.5.19.0_24
 network-object object atanta
 network-object object DS365-Cloud
access-list inside_access_in extended permit tcp any object-group Sure_Signal eq 50
access-list inside_access_in extended permit tcp any object-group Sure_Signal eq pptp
access-list inside_access_in extended permit gre any object-group Sure_Signal
access-list inside_access_in extended permit udp any object-group Sure_Signal eq ntp
access-list inside_access_in extended permit icmp any object-group Sure_Signal echo
access-list inside_access_in extended permit udp any object-group Sure_Signal eq 50
access-list inside_access_in extended permit udp any object-group Sure_Signal eq 4500
access-list inside_access_in extended permit udp any object-group Sure_Signal eq isakmp
access-list inside_access_in extended permit ip any any
access-list clientvpn extended permit ip 10.5.0.0 255.255.0.0 10.5.30.0 255.255.255.0
access-list BerkeleyAdmin-clientvpn extended permit ip 10.5.0.0 255.255.0.0 10.5.30.0 255.255.255.0
access-list BerkeleyUser-clientvpn extended permit ip 10.5.21.0 255.255.255.0 10.5.30.0 255.255.255.0
access-list outside_cryptomap extended permit ip object inside-network-16 10.5.25.0 255.255.255.0
access-list guest_access_in extended permit ip 10.5.29.0 255.255.255.0 any
access-list state_bypass extended permit tcp 192.168.100.0 255.255.255.0 10.5.30.0 255.255.255.0 log
access-list state_bypass extended permit tcp 10.5.30.0 255.255.255.0 192.168.100.0 255.255.255.0 log
access-list state_bypass extended permit tcp 10.5.29.0 255.255.255.0 10.5.30.0 255.255.255.0 log
access-list state_bypass extended permit tcp 10.5.30.0 255.255.255.0 10.5.29.0 255.255.255.0 log
access-list outside_access_in extended permit icmp any any
access-list outside_cryptomap_1 extended permit ip 10.5.16.0 255.255.240.0 10.5.16.0 255.255.255.192
access-list global_access extended permit tcp object-group LDAP_source_networks host 10.5.21.1 eq ldap
access-list outside_cryptomap_2 extended permit ip 10.5.0.0 255.255.0.0 object DS365-Cloud
access-list outside_cryptomap_3 extended permit ip object-group DM_INLINE_NETWORK_4 10.5.25.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 100000
logging console debugging
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool clientvpn 10.5.30.1-10.5.30.100
ip local pool VPN_IP_Pool 172.16.254.1-172.16.254.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat (inside,outside) source static rfc1918 rfc1918 destination static rfc1918 rfc1918
nat (inside,outside) source static NETWORK_OBJ_10.5.19.0_24 NETWORK_OBJ_10.5.19.0_24 destination static NETWORK_OBJ_10.5.31.0_24 NETWORK_OBJ_10.5.31.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.5.19.0_24 NETWORK_OBJ_10.5.19.0_24 destination static NETWORK_OBJ_10.5.19.0_24 NETWORK_OBJ_10.5.19.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static inside-network-16 inside-network-16 destination static DS365-Cloud DS365-Cloud no-proxy-arp route-lookup
nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_172.16.254.0_25 NETWORK_OBJ_172.16.254.0_25 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.5.16.0_20 NETWORK_OBJ_10.5.16.0_20 destination static NETWORK_OBJ_10.5.16.0_26 NETWORK_OBJ_10.5.16.0_26 no-proxy-arp route-lookup
nat (inside,outside) source static c2si_Allow c2si_Allow destination static NETWORK_OBJ_172.16.254.0_25 NETWORK_OBJ_172.16.254.0_25 no-proxy-arp route-lookup
nat (inside,outside) source static atanta atanta destination static NETWORK_OBJ_10.5.25.0_24 NETWORK_OBJ_10.5.25.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static DS365-Cloud DS365-Cloud destination static NETWORK_OBJ_10.5.25.0_24 NETWORK_OBJ_10.5.25.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static NETWORK_OBJ_10.5.25.0_24 NETWORK_OBJ_10.5.25.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.5.25.0_24 NETWORK_OBJ_10.5.25.0_24 destination static DS365-Cloud DS365-Cloud no-proxy-arp route-lookup
nat (inside,outside) source static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 destination static DS365-Cloud DS365-Cloud no-proxy-arp route-lookup
nat (inside,outside) source static inside-network-16 inside-network-16 destination static NETWORK_OBJ_10.5.25.0_24 NETWORK_OBJ_10.5.25.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 destination static NETWORK_OBJ_10.5.25.0_24 NETWORK_OBJ_10.5.25.0_24 no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
object network LDAP_DC7
 nat (inside,outside) static 194.247.x.19 service tcp ldap ldap
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group global_access global
!
router eigrp 143
 no auto-summary
 network 10.5.19.0 255.255.255.0
 network 10.5.29.0 255.255.255.0
 network 10.5.30.0 255.255.255.0
 redistribute static
!
route outside 0.0.0.0 0.0.0.0 194.247.x.17 1 track 1
route inside 10.5.16.0 255.255.255.0 10.5.19.252 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
RADIUS protocol for AAA-server group
AAA (inside) 10.5.21.1 host server group
key *.
AAA (inside) 10.5.16.1 host server group
key *.
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.5.16.0 255.255.240.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt connection tcpmss 1350
sla monitor 1
 type echo protocol ipIcmpEcho 8.8.4.4 interface outside
sla monitor schedule 1 life forever start-time now
crypto ipsec ikev1 transform-set strong-comp esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set strong esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal strong
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto dynamic-map dyn1 1 set ikev1 transform-set strong
crypto map outside 1 match address outside_cryptomap_1
crypto map outside 1 set pfs
crypto map outside 1 set peer 83.x.172.68
crypto map outside 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside 1 set ikev2 ipsec-proposal AES256
crypto map outside 2 match address outside_cryptomap_3
crypto map outside 2 set peer 23.100.x.177
crypto map outside 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5
crypto map outside 2 set ikev2 ipsec-proposal AES256 AES192 AES strong
crypto map outside 2 set security-association lifetime kilobytes 102400000
crypto map outside 3 match address outside_cryptomap_2
crypto map outside 3 set pfs
crypto map outside 3 set peer 91.x.3.39
crypto map outside 3 set ikev1 transform-set ESP-3DES-SHA
crypto map outside 3 set ikev2 ipsec-proposal 3DES
crypto map outside 100 ipsec-isakmp dynamic dyn1
crypto map outside interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
crypto ikev1 policy 2
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
track 1 rtr 1 reachability
telnet 10.5.16.0 255.255.240.0 inside
telnet timeout 5
ssh 83.x.x.90 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcprelay server 10.5.21.1 inside
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.5.19.253 prefer
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 2
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy_c2si internal
group-policy GroupPolicy_c2si attributes
 wins-server none
 dns-server value 10.5.16.1 10.5.21.1
 vpn-tunnel-protocol ssl-client
 default-domain none
group-policy GroupPolicy_91.x.3.39 internal
group-policy GroupPolicy_91.x.3.39 attributes
 vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_83.x.172.68 internal
group-policy GroupPolicy_83.x.172.68 attributes
 vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_23.100.x.177 internal
group-policy GroupPolicy_23.100.x.177 attributes
 vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_user internal
group-policy GroupPolicy_user attributes
 wins-server none
 dns-server value 10.5.21.1 10.5.16.1
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value BerkeleyAdmin-clientvpn
 default-domain value myberkeley.local
group-policy GroupPolicy_23.101.x.122 internal
group-policy GroupPolicy_23.101.x.122 attributes
 vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol ikev1 ikev2
group-policy BerkeleyUser internal
group-policy BerkeleyUser attributes
 dns-server value 10.5.21.1 10.5.16.1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value BerkeleyUser-clientvpn
 default-domain value myberkeley.local
group-policy DS365 internal
group-policy DS365 attributes
 vpn-idle-timeout none
 vpn-filter none
 ipv6-vpn-filter none
 vpn-tunnel-protocol ikev1 ikev2
group-policy BerkeleyAdmin internal
group-policy BerkeleyAdmin attributes
 dns-server value 10.5.21.1 10.5.16.1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value BerkeleyAdmin-clientvpn
 default-domain value myberkeley.local
username acsadmin password V6hUzNl366K37eiV encrypted privilege 15
username atlanta password uxelpvEvM3I7tw.Z encrypted privilege 15
username berkeley password Kj.RBvUp5dtyLw5T encrypted
tunnel-group BerkeleyUser type remote-access
tunnel-group BerkeleyUser general-attributes
 address-pool clientvpn
 authentication-server-group
 default-group-policy BerkeleyUser
tunnel-group BerkeleyUser ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group BerkeleyAdmin type remote-access
tunnel-group BerkeleyAdmin general-attributes
 address-pool clientvpn
 authentication-server-group
 default-group-policy BerkeleyAdmin
tunnel-group BerkeleyAdmin ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group user type remote-access
tunnel-group user general-attributes
 address-pool VPN_IP_Pool
 authentication-server-group
 default-group-policy GroupPolicy_user
tunnel-group user webvpn-attributes
 group-alias user enable
tunnel-group c2si type remote-access
tunnel-group c2si general-attributes
 address-pool VPN_IP_Pool
 authentication-server-group
 default-group-policy GroupPolicy_c2si
tunnel-group c2si webvpn-attributes
 group-alias c2si enable
tunnel-group 83.x.172.68 type ipsec-l2l
tunnel-group 83.x.172.68 general-attributes
 default-group-policy GroupPolicy_83.x.172.68
tunnel-group 83.x.172.68 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group 23.101.x.122 type ipsec-l2l
tunnel-group 23.101.x.122 general-attributes
 default-group-policy GroupPolicy_23.101.x.122
tunnel-group 23.101.x.122 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group 91.x.3.39 type ipsec-l2l
tunnel-group 91.x.3.39 general-attributes
 default-group-policy GroupPolicy_91.x.3.39
tunnel-group 91.x.3.39 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group 23.100.x.177 type ipsec-l2l
tunnel-group 23.100.x.177 general-attributes
 default-group-policy GroupPolicy_23.100.63.177
tunnel-group 23.100.x.177 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
class-map state_bypass
 match access-list state_bypass
policy-map state_bypass_policy
 class state_bypass
  set connection advanced-options tcp-state-bypass
!
service-policy state_bypass_policy interface inside
prompt hostname context
call-home reporting anonymous
Cryptochecksum:bbc6f2ec2db9b09a1b6eb90270ddfeea
: end
PTB-ch-asa5505#
Ah OK, I see now.
Your cryptomap for the DS365 cloud is:
access-list outside_cryptomap_2 extended permit ip 10.5.0.0 255.255.0.0 object DS365-Cloud
so that covers the interesting traffic.
However, your NAT statement is:
nat (inside,outside) source static NETWORK_OBJ_10.5.25.0_24 NETWORK_OBJ_10.5.25.0_24 destination static DS365-Cloud DS365-Cloud no-proxy-arp route-lookup
Network 10.5.25.0 is remote, so it will actually appear to be an "outside" network, so I think you need this statement to begin "nat (outside,outside)".
Tags: Cisco Security
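The mismatch the answer points out can be checked mechanically. The Python sketch below is an added example, not code from the thread: it flags twice-NAT rules whose source network is the remote side of a crypto ACL while the rule's real interface is not the interface the crypto map is bound to. The sample config is a constructed excerpt in native ASA syntax based on the objects posted above; the crypto map name outside_map and all function names are assumptions.

```python
import ipaddress
import re

# Constructed excerpt in native ASA 8.4 syntax, modelled on the objects, ACLs
# and NAT rules posted in the thread. The crypto map name "outside_map" is an
# assumption; peers and unrelated lines are omitted.
SAMPLE_CONFIG = """\
object network NETWORK_OBJ_10.5.25.0_24
 subnet 10.5.25.0 255.255.255.0
object network DS365-Cloud
 subnet 172.16.10.0 255.255.255.0
object network inside-network-16
 subnet 10.5.0.0 255.255.0.0
access-list outside_cryptomap_2 extended permit ip 10.5.0.0 255.255.0.0 object DS365-Cloud
access-list outside_cryptomap_3 extended permit ip object-group DM_INLINE_NETWORK_4 10.5.25.0 255.255.255.0
nat (inside,outside) source static inside-network-16 inside-network-16 destination static DS365-Cloud DS365-Cloud no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.5.25.0_24 NETWORK_OBJ_10.5.25.0_24 destination static DS365-Cloud DS365-Cloud no-proxy-arp route-lookup
crypto map outside_map 2 match address outside_cryptomap_3
crypto map outside_map 3 match address outside_cryptomap_2
crypto map outside_map interface outside
"""

NAT_RE = re.compile(
    r"nat \(([^,()\s]+),([^,()\s]+)\) source static (\S+) \S+ destination static (\S+)"
)


def mask_net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_objects(lines):
    """Return {object name: network} for 'object network' blocks with a subnet."""
    objects, current = {}, None
    for line in lines:
        m = re.match(r"object network (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s+subnet (\S+) (\S+)", line)
        if m and current:
            objects[current] = mask_net(m.group(1), m.group(2))
        elif not line.startswith(" "):
            current = None
    return objects


def take_net(tok, i, objects):
    """Read one ACL address spec at tok[i]; return (network or None, next index)."""
    if tok[i] == "object":
        return objects.get(tok[i + 1]), i + 2
    if tok[i] == "object-group":
        return None, i + 2  # groups are not expanded in this sketch
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    if tok[i] in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return mask_net(tok[i], tok[i + 1]), i + 2


def crypto_remote_nets(lines, objects):
    """Map interface name -> remote (destination) networks of its crypto ACLs."""
    acl_dst, acls_of_map, iface_of_map = {}, {}, {}
    for line in lines:
        tok = line.split()
        if tok[:1] == ["access-list"] and tok[2:5] == ["extended", "permit", "ip"]:
            _, i = take_net(tok, 5, objects)      # local side, skipped
            dst, _ = take_net(tok, i, objects)    # remote side
            if dst is not None:
                acl_dst.setdefault(tok[1], []).append(dst)
        elif tok[:2] == ["crypto", "map"] and tok[4:6] == ["match", "address"]:
            acls_of_map.setdefault(tok[2], []).append(tok[6])
        elif tok[:2] == ["crypto", "map"] and tok[3:4] == ["interface"]:
            iface_of_map[tok[2]] = tok[4]
    remotes = {}
    for cmap, acls in acls_of_map.items():
        for acl in acls:
            remotes.setdefault(iface_of_map.get(cmap), []).extend(acl_dst.get(acl, []))
    return remotes


def audit(config):
    """Flag twice-NAT rules whose source lives behind a tunnel on another interface."""
    lines = config.splitlines()
    objects = parse_objects(lines)
    remotes = crypto_remote_nets(lines, objects)
    findings = []
    for line in lines:
        m = NAT_RE.match(line)
        if not m:
            continue
        real_if, mapped_if, src, _dst = m.groups()
        src_net = objects.get(src)
        if src_net is None:
            continue
        for iface, nets in remotes.items():
            if iface != real_if and any(src_net.subnet_of(r) for r in nets):
                findings.append({"source": src,
                                 "declared": f"({real_if},{mapped_if})",
                                 "suggested": f"({iface},{mapped_if})"})
                break
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

The check only reads `permit ip` crypto ACL entries and `object network` subnets, so rules built on object-groups are skipped rather than guessed at.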
Similar Questions
-
Cannot establish the Tunnel on ASA 5505 Vlan please help!
I cannot get a tunnel to establish (see config). I don't think I'm getting phase 1. Am I missing something simple? Help, please.
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface Ethernet0/0
 description Inet
!
interface Ethernet0/1
 shutdown
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 switchport access vlan 8
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 switchport access vlan 155
!
interface Vlan1
 description Inet
 nameif outside
 security-level 0
 ip address xxx
!
interface Vlan8
 no forward interface Vlan155
 nameif [email protected]
 security-level 100
 ip address 10.8.18.6 255.255.255.248
!
interface Vlan155
 description Private
 nameif inside
 security-level 50
 ip address 192.168.200.254 255.255.255.0
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object network Interior-net
 subnet 192.168.200.0 255.255.255.0
object network LocalLAN
 subnet 10.8.18.0 255.255.255.248
object-group network RemoteVPNObjects
 network-object 10.0.0.0 255.0.0.0
 network-object host xxxxxxxxx
access-list acl_iwdn extended permit ip 10.8.18.0 255.255.255.248 10.0.0.0 255.0.0.0
access-list acl_iwdn extended permit ip 10.8.18.0 255.255.255.248 host xxxxxxxx
access-list acl_outside extended permit icmp any any echo-reply
access-list acl_outside extended permit icmp any any time-exceeded
access-list acl_inside extended permit ip 10.8.18.0 255.255.255.248 10.0.0.0 255.0.0.0
access-list acl_inside extended permit ip 10.8.18.0 255.255.255.248 host xxxxxxxx
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu [email protected] 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic Interior-net interface
nat ([email protected],any) source static LocalLAN LocalLAN destination static RemoteVPNObjects RemoteVPNObjects
nat ([email protected],outside) source dynamic any interface
!
object network Interior-net
 nat (inside,outside) dynamic interface
access-group acl_inside in interface [email protected]
route outside 0.0.0.0 0.0.0.0 public
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set P2PVPNSet esp-3des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map DynamicMap 10 match address acl_iwdn
crypto map DynamicMap 10 set peer xxxxxxxxxx
crypto map DynamicMap 10 set ikev1 transform-set P2PVPNSet
crypto map DynamicMap interface outside
crypto ca trustpool policy
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 132.163.4.103 source outside prefer
ntp server 192.43.244.18 source outside prefer
tunnel-group XXX type ipsec-l2l
tunnel-group xxxxxxxxx ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
Delete this:
no nat (inside,outside) source dynamic Interior-net interface
Add this:
object network OBJ-NAT-ALL
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
Try again, after the results of
show cry isa
Pete
-
Cannot resolve the problem between ASA - CheckPoint (VPN)
Hi team,
I have a strange problem with an L2L VPN between an ASA on my side and a Check Point as the peer.
The IPsec tunnel works very well, but from time to time, traffic stops passing through the tunnel.
Scenario:
172.31.250.0/28--ASA---Internet---Check Point---200.122.x.y/32
I've done many tunnels between ASAs and Check Points, but this time we found this:
access-list outside_1_cryptomap extended permit ip 172.31.250.0 255.255.255.240 host 200.122.164.165
local ident (addr/mask/prot/port): (172.31.250.0/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (200.122.164.165/255.255.255.255/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 1148, #pkts decrypt: 1148, #pkts verify: 1148
local ident (addr/mask/prot/port): (172.31.250.8/255.255.255.248/0/0)
remote ident (addr/mask/prot/port): (200.122.164.0/255.255.255.0/0/0)
#pkts encaps: 27682, #pkts encrypt: 27683, #pkts digest: 27683
#pkts decaps: 27683, #pkts decrypt: 27683, #pkts verify: 27683
local ident (addr/mask/prot/port): (172.31.250.8/255.255.255.248/0/0)
remote ident (addr/mask/prot/port): (200.122.164.165/255.255.255.255/0/0)
#pkts encaps: 3579, #pkts encrypt: 3579, #pkts digest: 3579
#pkts decaps: 10443, #pkts decrypt: 10443, #pkts verify: 10443
Traffic is defined between 172.31.250.0/28 and a single host, but I see three SAs:
1 172.31.250.0/28 - 200.122.164.165/32
2 172.31.250.8/32 - 200.122.164.0/24
3 172.31.250.8/32 - 200.122.164.165/32
What is the reason for this?
The reason I pasted the above is that the Check Point defines the "interesting" traffic as two rules (one in each direction).
Check Point:
Rule 1: Traffic from 200.122.164.165/32 to 172.31.250.0/28
Rule 2: Traffic from 172.31.250.0/28 to 200.122.164.165/32
So I think the problem occurs because we define the phase 2 SAs with bidirectional rules (crypto ACL), and the Check Point sets the phase 2 SAs as one-way rules. Even though the traffic matches, I see the output above.
I think this means that the ASA receives a portion of the traffic in one SA and sends it via another, and I don't know if that is causing the problem and, if so, how to fix it.
The problem is totally random. We have reduced the rekey time to 2 minutes on phase 2 and 5 on phase 1, and there is no problem during the rekey.
We have not been able to capture the log at the exact moment of the problem. Then the tunnel suddenly comes up again and starts working.
ASA 5510 version 8.2 (5)
Any help is appreciated!
Federico.
Federico,
New installation SAs is not so to generate a new key, it coincides with a homologous assuming it matches traffic again and must so initial has ITS new.
Now when we have a static, selector of this SA traffic encryption card new must match what we defined in the ACL.
Generally, you will get an error if there is absolutely no match and tunnel would fail to phase 2.
I want to just make sure we're on the same page. When it ends on a dynamic encryption card, we know (or rarely know) what will look like the SA distance so we accept everything.
I do not say that this checkpoint of the half was here half it matched. I say it's more likely (for some reason I couldn't be aware, or a bug) implemented match the ACL under static crypto map.
Marcin
-
System error 51 with net view
I have two Windows XP boxes that I log in to with an administrator account. I was able to synchronize files, map network drives and do a tracert to reach one of them. However, when I run net view, I get the following error:
System error 51 has occurred.
Windows cannot find the network path. Verify that the network path is correct and the destination computer is not busy or turned off. If Windows still cannot find the network path, contact your network administrator.
How do I make this command work?
Hello
· Is your computer on a domain network?
Follow the steps in troubleshooting this article and check if that helps:
You cannot access shared files and folders or browse computers in the workgroup with Windows XP
http://support.Microsoft.com/kb/318030
See also this article that resembles the same error.
Error when you try to access shared resources on a computer that is running Windows 2000 or Windows Server 2003: "System error 53 has occurred" or "System error 51 has occurred."
-
ASA 5505 VPN sessions maximum 25?
Hello friends,
The company I work for acquired several ASA 5505s, so now we will be able to connect several branches to headquarters. But now I know that the ASA 5505 only scales to 25 VPN sessions, and I think that won't be enough to support the operations of an office. I have a lot of questions about this:
Does the number 25 mean supporting up to 25 L2L tunnels? Or does it mean 25 sessions, regardless of the number of L2L tunnels?
Does the number 25 mean supporting up to 25 users in the branch office? Or does it mean that a user can use several sessions?
I'm at the testing stage in a lab where one PC connects to many applications. Does anyone know if there is a command on the ASA to check how many VPN sessions are in use?
Please do not hesitate to ask for any information needed. Any comments or documents will be appreciated.
Kind regards!
Hi Alex,
The ASA 5505 supports a maximum of 25 VPN sessions for IKEv1 or IPsec tunnels/clients: it could be up to 25 L2L tunnels or 25 users using IKEv1 (legacy IPsec client), and another 25 sessions for AnyConnect or WebVPN, in this case depending on what is used.
To check how many VPN sessions are currently running, run the commands 'show vpn-sessiondb' and 'show vpn-sessiondb summary'.
Find the official documentation for the ASA5505 on the following link:
Rate if helps.
-Randy-
-
Please give a hint on configuring site-to-site VPN from a Cisco 881 router to an ASA 5505
Earlier my boss asked me to prepare to implement a site-to-site VPN from a Cisco 881 Integrated Services Router to the ASA 5505, which is now running on the HQ side. Someone please give me a hint. I am now studying the PDF from Cisco that describes how to configure a site-to-site VPN between a Cisco 1812 IOS router and an ASA 5505 using ASDM V6.1 and SDM V2.5. I cannot find the guide for the Cisco 881 device.
Someone please suggest something as soon as possible.
Thank you
CLI version:
ASDM and SDM Version:
-
Satellite T110-11U - cannot find the router WLAN
Hello
I have a Toshiba Satellite T110-11U. Have had since February and loved it-fortunately it wireless used throughout the House. Then one day on a month, unless I was in the same room that the wireless router, Wireless does not work. I have 2 other laptops (and iPhone) which still connect wirelessly throughout the House and the garden without problem.
As you can imagine, it was very strange. When I take them into the garden, my other laptops see all the wireless networks in the area, but my Toshiba can't find any. Suspecting it was a driver problem, I made sure that the wireless drivers are up to date. With no joy, I reset the system to how it was at the time of purchase (a complete restore by interrupting startup and letting the hard drive be erased and reinstalled, etc.). Still the same problem. I even changed the room the router is in, and the same problem: the Toshiba cannot find the router unless the router is located a few meters from the laptop.
Until I lose the will to live, can anyone suggest the cause of my problems, or is it time I admitted defeat and brought back to the Comet under warranty (where likely test next to a wireless router and tell me everything is fine!).
Thank you very much
Steve.
Hey Buddy,
Did you check if the wireless network card is recognized correctly in the Device Manager? There may be a yellow exclamation mark or an unknown device. Also try updating the WLAN driver from the Toshiba website:
http://APS2.toshiba-tro.de/WLAN/
See all other WLAN routers?
The wireless network card can be activated using the key combination FN + F8 and in the BIOS. In the BIOS, you should also load the default settings and test again.
-
Photosmart C4780 installation fails at the "system cannot find the file specified."
My problem began simply with your printer, a HP Photosmart C4780, who has always had a wireless connection and would not print. Initially, the checked network connection fine control panel of the printer. I ran a Microsoft printer troubleshooting, which found a block in line print and authorized. The first test page print, but did print the "internal test page. I did not understand what it meant, so I looked for help on the HP site.
I ran the HP Print and Scan Doctor and it suggested I reinstall the driver. I downloaded and saved the current HP driver (PS_AIO_06_C4700_USW_Full_Win_enu_140_175.exe) and then uninstalled the existing driver. When I tried to install the new one, a window popped up saying "the system cannot find the file specified," with only a single button to click that simply says "OK". The installation went through 'examining installation options', then "check updates, download updates, install updates", and then it was in "audit system" when the "file not found" window popped up, and when I clicked 'OK', the installation window as well as the error message box simply disappeared. I suppose the path to the file is shown in the window, but it didn't fit, so the end was not shown. What I read was "C:\Users\... \Local\Temp\7zS588E\Setup\.\Setup\hpzpnp40..."
I found a topic on the same printer model for the same problem in the forum, which offered this hotfix:
You must first complete a level 3 of the software uninstallation. I've included the steps below to do this.
1. press the Windows key and the letter R
2. type %temp%, and then click OK
3. open the 7z folder (a more recent if there are multiples)
4. open the util folder
5. open the ccc folder
6. double-click on the Uninstall_L3
Once you have completed the Uninstall_L3, delete all of the items listed in the temp folder. Note, you will not be able to remove all the elements, please ignore those that do not. Then please empty the trash and perform a clean boot. I've included the document «How to perform a boot in Windows» If your computer does not request it, restart your computer.
Once your computer is back, you must reinstall the printer software. You can do this either by using the Setup CD, or by downloading the software.
I did what was suggested, until it got to the point where it said it recommended not removing any more items if I intended to use the HP Officejet printer (yes, I have a second HP printer connected to the network) anytime in the future. Not really understanding how it all works, I decided to stop what I was doing, so unfortunately it has not solved my problem.
Do I need to uninstall both HP printers before I can reinstall one? And if I do that, is there a reason that I wouldn't be able to reinstall the two printers? Looks like I'm asking for trouble. Bottom line... I cannot install the driver.
I tried to install the full versions and the driver base and still get the same result.
I have a HP Pavilion dv6 - 3100t for computer laptop, running Windows 7 Edition Premium, version 6.1.7601 family service pack 1 64-bit. I have not installed new hardware or software. This printer has always had a wireless connection. The router I'm using is a Netgear 54Mbps WGR614 v6 (provided by my cable company) and the network includes not only my laptop and the Photosmart printer, but also desktop ASUS, HP printer, an Officejet 6300 series (used only for printing graphics and photos via a wired to the router) and a chip on Vizio TV. I use Norton 360 first Edition and disabled the antivirus auto-protect when I downloaded and tried to install the driver.
Help, please! And thanks in advance for your time and your attention.
Oh, Jamieson, it worked! I can print again! A massive amount of thanks and congratulations to you.
I couldn't believe it when it actually passed the point where the installation would normally stop, but then almost at the end, up jumped "Fatal error during installation". My excitement sank into depression. It said the installation was not successful and it needed to collect information in order to diagnose the fault. I looked at what had been collected, and it was more or less gobblety-* beep * to me. There was an error condition code of 19714722, if that means anything.
Then it placed the "Error of Installation HP - Windows 7.hta" file on my desktop and instructed me to close the current window, restart, and then open the file and proceed with its instructions. I did, and it basically had me restart the computer once again, then turn the printer off, unplug the printer, unplug the router, wait 30 seconds and then plug them back in, and TAA-DAA, I'm back in the business of printing.
Thank you very much for your time and patience.
All the best to you and yours!
-
Hello
I recently haven't been able to burn a CD with Windows Media Player (it worked last week, but not now). I get an error message: "Windows Media Player cannot find the file. The link between the library item and its associated digital media file may be broken. Try to fix the link or delete the item." There is a web help option which says that to fix a link, you click on the blue icon next to the item, then click "Browse this article". But the only icon I see is a little blue triangle next to individual songs in the library pane or list; there is no icon next to the name of the playlist. Although right-clicking the blue triangle gives me a few options, "Browse this point" is not one of them. Does anyone have any ideas what is wrong and how I can sort it, please?
Rick
original title: burning a CD problems
Hello
(1) what version of Windows Media Player do you use?
(2) what is the model of your CD burner?
(3) Do you have the latest drivers for the CD burner?
(4) What type of file are you trying to burn?
(5) Do you receive any error codes?
(6) What version of the operating system is installed on the computer?
(7) Do you get this with a particular file?
Method 1: You can try to update the drivers of your CD burner from the manufacturer's website.
Method 2: You can try to remove the CD, and then insert another CD and try to burn another file and check if the problem persists.
Method 3: You can also check out the link below:
Windows Help and procedures: burn a CD or DVD in Windows Media Player: frequently asked questions
I hope this information helps!
-
original title: Chess Titans
I have a brand new HP PC and played Chess Titans. Now all of a sudden it says it cannot find the texture, then it said the reference count was not zero, and then that it could not find a 3D device. What happened and how do I fix this? Thank you.
These error messages can occur if you (or some software) disabled Aero. Aero must be on (and supported by the video card) to play Chess Titans.
"192GO should be enough for everyone." (of the miniseries "Next generation jokes")
-
Came across an interesting problem this morning. After starting my PC and various applications (Outlook 2002, SQL Server 2008 Management Studio, etc.), I was able to connect to a server by using Remote Desktop (alias RDP). On trying to connect to a second system, I started getting the following error message:
The system cannot find the specified file. C:\WINDOWS\system32\
\mstsc.exe.MUI
While still connected to the server, I tried to launch a second instance of RDP, but received the same error message.
I googled the error and found different solutions (the best solution to examine is http://social.technet.microsoft.com/Forums/en-US/itproxpsp/thread/164d1e0b-51e6-4201-9dc2-3f4a0ccb14e5); however, none of the solutions seemed to work.
I tried checking for viruses/malware, etc., but nothing was found. I tried to reload the DLL and the EXE(s), but still not received the error message.
The next step was to try to see what had changed on my system (new programs, etc.). I noticed there was an update downloaded to my system (C:\Windows\WindowsUpdate.log): AutomaticUpdates content success install successful and Restart required for the following update: update for Windows XP (KB969084)... the update is related to Remote Desktop.
I rebooted the system, still not received the RDP error messages. I did a complete 'install updates and shut down', and then restarted my system, which started working again.
For the record, here is some information on my system:
XP Professional: Version 5.1 (Build 2600.xpsp_sp3_gdr.091208 - 2036: Service Pack 3)
c:\windows\system32\mstsc.exe: 6.1.7600.16385
I wanted to just post this in case someone else runs into a similar problem...
Thank you!
Argue for your limitations and of course they will belong. -Richard Bach, Illusions
I have a machine with the same problem
XP Professional: Version 5.1 (Build 2600
I installed the update for Windows XP (KB969084).
It does not, but a reboot is required because the system is running on the old dll
MSTSC.exe works now
Thanks for the info!
-
When Windows XP Update installs SP3, the sequence is aborted partway through the process. After SP3 downloads, the install progresses through the normal sequence of initialization, inspection, creating the list of 3rd-party drivers, backing up files, etc., and begins to install the files, but when it reaches the "UNIDRV.DLL" file the installation stops and I get the message "the system cannot find the file specified". Closing the message cancels the whole installation, with a possible automatic restart. I did not locate a UNIDRV.DLL file and copy it to my C:\ root directory but have tried almost everything in the 22/01/12 'terribrownQF' post and the "Tommy Stanley" response of 22/01/12, with no change in where the installation of SP3 crashes. Should I try to put the UNIDRV.DLL file on my computer? Any other ideas?
Please respond to each of the following diagnostic questions in a numbered list type in your very next answer (no need to quote this post):
1. What is the full name of your installed antivirus application or security suite and when (approximate date) does your current subscription expire? What anti-spyware applications (other than Defender) are installed? What third-party firewall (if applicable)?
2. A Norton or McAfee application ALREADY installed on the computer?
3. Did a free trial of Norton or a free trial of McAfee [CHOOSE ONE ANSWER] come preinstalled on the computer when you bought it? (No matter if you never used or activated it.)
4. Why has SP3 not been installed for years? [1]
5. Is Firefox, Chrome or any other alternative browser installed?
6. Are you familiar with "Registry cleaners" (e.g., Registry Mechanic; System Mechanic; RegCure; RegClean Pro; Advanced SystemCare; Registry Booster; McAfee QuickClean; AVG PC TuneUp; Norton Registry Cleaner; PCTools optimizer; SpeedUpMyPC; PC Doctor; TuneUp Utilities; WinMaximizer; WinSweeper; Comodo System Cleaner; Advanced System Optimizer; CCleaner)?
7. Have you ever had occasion to do a repair install or clean install of Windows XP for any reason?
=====================================================================
[1] Note: support for WinXP SP2 ended on July 13, 2010! Computers running WinXP SP2 "will no longer receive software updates from Windows Update" [i.e., updates released on and after August 2, 2010, so by now you're missing more than two years' worth of critical security updates!] until SP3 has been installed.
-
Windows media player cannot find the file...
After I burn a cd, and then try to play it on the same pc that was used to burn it, I get this message.
"windows media player cannot find the file. If you try to read, burn or sync an item that is in your library, the element can point to a file that has been moved, renamed, or deleted."
In Media Player, the cd track pops up as a reading list, but there is an error next to the track and it reads as stated above.
A similar message is displayed when you try to play with other software media, such as Real Player or media player.
The cd will not play in the CD-ROM drive or the reader of Scripture.
However, the cd will play in my dvd player, truck and laptop.
I tried to run hard, and got this report, you have encountered the error C00D1197 and also reported Original error Code 80070003
You can try to remove the drive in Device Manager (Control Panel - System - hardware - Device Manager). Then restart the PC to let it reinstall. If this does not help, a firmware update may be necessary.
-
Try to delete a file from the Program Neighborhood Agent, so I can load a different version. When I try to remove the program through the Control Panel, it says "an installation support file could not be installed, the system cannot find the file specified."
Hello rarif, welcome.
I recommend that you try and that you use the Windows Installer Cleanup Utility (WICU).
1. Go to:
http://download.Microsoft.com/download/e/9/d/e9d80355-7ab4-45b8-80e8-983a48d5e1bd/msicuu2.exe
2. Download the utility and install it
3. Run the utility from START > All Programs > Windows Installer Cleanup...
4. Find the program you want to uninstall, then remove it
5. Next, restart your computer
Let us know if this helps,
Thank you! Ryan Thieman
Microsoft Answers Support Engineer
Visit our Microsoft answers feedback Forum and let us know what you think.
-
Remote Desktop error
I use Vista Home Premium. I used to be able to use the remote desktop connection application, but all of a sudden, it stopped working. When I try to run it I get this message:
_________________
The system cannot find the specified file.
C:\Windows\System32\
\mstsc.exe.MUI
_________________
Does anyone have a solution to this problem? I do not have this file in C:\Windows\System32\en-US\... but perhaps it was corrupted somehow?
Please help me. Thanks in advance.
Hello
It seems that there are a few system files that have trouble, one of them being mstsc.exe. I would like you to check for spyware or virus infection first, before you try the next step. Please see the sticky thread in the security forum. The MVPs offer some good advice on how to remove these problems.
If everything is clean, we will try a repair installation to replace the problem files and also to ensure that other system files are good.
The 'repair' installation (upgrade on-site) will not affect your installed programs or data. Just make sure that you are already connected to your computer when you start the installation. Do not boot from the DVD.
If the installation does not start automatically when you insert the DVD, run setup.exe from your DVD player.
- When the Setup program starts and the Install now screen appears, click Install now.
- When you receive the important "Get updates for installation" message, click Go online.
- Click Upgrade when the "Which type of installation do you want?" screen appears.
Please let us know if this solves the problem for you.
Brent
Microsoft Answers Support Engineer
Visit our Microsoft answers feedback Forum and let us know what you think.