Cannot ping sub-interface gateways from my remote site VPN
I can't ping my sub-interface gateways from my remote VPN connection.
I can ping the 192.6.1.0 network, but I can't ping the 192.6.2.0 or 192.6.3.0 networks.
When I remote desktop into 192.6.1.20 I can ping all the networks, including the sub-interface gateways.
I think something in my ASA is misconfigured or missing.
ASA NAT rules:
Exempt NAT, interface: inside
Source: 192.6.0.0/16
Destination: 192.6.10.96/27
Static NAT, interface: inside (this is for the local NAT of E0/0 out)
Source: 192.6.1.1/16
Translated: interface outside; destination: 172.35.221.200
Dynamic NAT, interface: inside
Source: no
Destination: outside
ASA access rules:
Permit, outside
Source: no
Destination: out
Services: udp, tcp, tcp/http
Static routes:
Interface: outside > network: all (outside DSL; the diagram shows no DSL)
Some of the configuration is incorrect:
On the ASA:
(1) The routes are incorrect. The default route should point to the next hop, that is, the Internet router 172.35.221.x, as follows:
route outside 0.0.0.0 0.0.0.0 172.35.221.x
---> where x is the Internet router's IP address.
The existing routes need to be removed:
no route outside 0.0.0.0 0.0.0.0 192.298.47.182 255
no route outside 0.0.0.0 0.0.0.0 172.35.209.81 tunneled
(2) The following static NAT statement is also incorrect and should be removed:
static (inside,outside) USSLTA01_External USSLTA01 netmask 255.255.255.255
--> You cannot NAT the interface of the ASA itself.
(3) The inside interface subnet mask on the ASA should be 255.255.255.0, not 255.255.0.0. It should be the same as the router interface subnet mask:
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.6.1.254 255.255.255.0
(4) Add routes to the sub-interface subnets on the ASA as follows:
route inside 192.6.2.0 255.255.255.0 192.6.1.235
route inside 192.6.3.0 255.255.255.0 192.6.1.235
route inside 192.6.4.0 255.255.255.0 192.6.1.235
On the router, configure the default route as follows:
ip route 0.0.0.0 0.0.0.0 192.6.1.254
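As an added illustration of steps (1), (3) and (4) above (example code written for this page, not from the original post or from Cisco): a longest-prefix-match model of the ASA's routing decision, showing why a /16 mask on the inside interface makes the ASA treat 192.6.2.x as directly connected (it ARPs on the inside segment instead of forwarding to the router at 192.6.1.235), and how the /24 mask plus the static routes change that. The outside subnet 172.35.221.0/24 and the Internet router address 172.35.221.1 are placeholders for the page's "172.35.221.x".

```python
import ipaddress
from typing import List, Optional, Tuple

# A route is (network, egress interface, next hop). A next hop of None means
# the destination is directly connected: the ASA ARPs for it on that
# interface instead of forwarding the packet to a router.
Route = Tuple[ipaddress.IPv4Network, str, Optional[str]]


def connected(iface: str, addr_and_mask: str) -> Route:
    """Connected route implied by 'ip address <addr> <mask>' on an interface."""
    return (ipaddress.ip_interface(addr_and_mask).network, iface, None)


def static(iface: str, network: str, next_hop: str) -> Route:
    """Equivalent of 'route <iface> <network> <mask> <next hop>'."""
    return (ipaddress.ip_network(network), iface, next_hop)


def lookup(table: List[Route], dst: str) -> Optional[Tuple[str, str]]:
    """Longest-prefix match; returns (interface, next hop or 'connected')."""
    d = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, iface, nh in table:
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nh)
    if best is None:
        return None
    return (best[1], best[2] if best[2] is not None else "connected")


# Constructed: the ASA as posted, inside mask 255.255.0.0 and no routes to
# the router's sub-interface subnets. 172.35.221.0/24 and 172.35.221.1 are
# placeholders for the outside segment and the Internet router.
TABLE_BEFORE: List[Route] = [
    connected("inside", "192.6.1.254/255.255.0.0"),
    connected("outside", "172.35.221.200/255.255.255.0"),
    static("outside", "0.0.0.0/0", "172.35.221.1"),
]

# Constructed: after the fix, /24 on inside plus the three static routes.
# The /24 statics are also more specific than any connected route, so they
# win the lookup even before the mask is corrected.
TABLE_AFTER: List[Route] = [
    connected("inside", "192.6.1.254/255.255.255.0"),
    connected("outside", "172.35.221.200/255.255.255.0"),
    static("outside", "0.0.0.0/0", "172.35.221.1"),
    static("inside", "192.6.2.0/24", "192.6.1.235"),
    static("inside", "192.6.3.0/24", "192.6.1.235"),
    static("inside", "192.6.4.0/24", "192.6.1.235"),
]


def compare(dst: str):
    """How the same destination is forwarded before and after the fix."""
    return lookup(TABLE_BEFORE, dst), lookup(TABLE_AFTER, dst)


if __name__ == "__main__":
    for host in ("192.6.1.20", "192.6.2.10", "192.6.3.1", "8.8.8.8"):
        before, after = compare(host)
        print(f"{host:12} before={before}  after={after}")
```

With the /16 mask, 192.6.2.10 resolves to "connected" on inside, which is exactly the ARP-and-silence failure the poster sees from the VPN while a host on 192.6.1.0 (which uses the router as its gateway) reaches everything.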
Tags: Cisco Security
Similar Questions
-
Cannot ping computers on the remote subnet while setting up a site-to-site VPN
Hi all,
I ran into a problem with a site-to-site VPN: pings to machines on the remote subnet get no answer.
The IPsec tunnel is OK, and I can ping the remote ASA's inside interface IP.
Here is my scenario:
LAN1 - ASA5510 - ASA5505 - LAN2 - ordinateur_distant
LAN1: 192.168.x.0/24
LAN2: 172.25.88.0/24
remote_machine_ip: 172.25.87.30
LAN1 can ping the ASA5505 inside interface (172.25.88.1)
but cannot ping ordinateur_distant (172.25.87.30).
From the ASA5505 inside interface I can ping ordinateur_distant.
LAN2 can ping the ASA5510 inside interface and the machines on LAN1.
Is there something I missed?
Thanks a lot for any reply.
I don't think it's something you really want to do.
If you PAT the whole LAN1 subnet (192.168.1.0/24) to 172.25.249.1, then LAN2 will not be able to reach a specific host on LAN1, because now you represent the LAN1 network with a single IP address.
So traffic becomes one-way: LAN1 can reach LAN2 and get the response from LAN2 through the PAT on 172.25.249.1,
but LAN2 can no longer send traffic to specific LAN1 host IPs, since you only have 172.25.249.1 to represent the LAN1 subnet.
If you still want to PAT the whole LAN1 subnet (192.168.1.0/24) to 172.25.249.1, then you have to configure outside NAT.
http://www.Cisco.com/en/us/customer/docs/security/ASA/asa80/command/reference/no.html#wp1737858
Kind regards
-
Redirecting Internet traffic from the remote site to the main site through the IPsec VPN tunnel
Hi all,
I have a problem redirecting Internet traffic from my remote site to the main site through the IPsec VPN tunnel. The remote site is a Cisco 2801 router with IOS c2800nm-advipservicesk9-mz.124-22.T, and the remote site has IOS C870-ADVSECURITYK9-M, Version 12.4(15)T12, RELEASE SOFTWARE (fc3). This redirection does not work, and the last hop in an extended traceroute from the remote site is the main site's WAN IP.
Is there someone who can help me with the right settings for this redirection via VPN?
The remote site config file:
crypto isakmp policy 8
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key dgsn2010 address 41.223.X.X
!
!
crypto ipsec transform-set vpn esp-3des
!
crypto map vpndgsn 10 ipsec-isakmp
 description TO HQ
 set peer 41.223.X.X
 set transform-set vpn
 match address VPNHQ
!
interface FastEthernet0
 ip address 41.223.X.X 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 ip tcp adjust-mss 1300
 duplex auto
 speed auto
 crypto map vpndgsn
!
interface FastEthernet4
 ip address 192.168.11.1 255.255.255.0
 ip nat inside
 no ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 41.223.X.X
ip access-list extended VPNHQ
 permit ip 192.168.11.0 0.0.0.255 any
!
the main site config file:
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key dgsn2010 address 41.223.X.X
!
!
crypto ipsec transform-set vpn esp-3des
!
crypto map vpncreo 10 ipsec-isakmp
 description FOR bastos
 set peer 41.205.X.X
 set transform-set vpn
 match address 110
!
interface FastEthernet0/0
 description WAN
 ip address 41.223.X.X 255.255.255.240
 ip nat outside
 ip tcp adjust-mss 1492
 crypto map vpncreo
!
interface FastEthernet0/1
 description LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
ip nat inside source list NAT interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 41.223.31.241
access-list 110 permit ip any 192.168.11.0 0.0.0.255
ip access-list extended NAT
 deny   ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
 permit ip 192.168.11.0 0.0.0.255 any
!
You must configure policy-based routing so that NAT can be invoked on the main site.
Here is an example configuration for your reference:
Additionally, make sure that you don't do any NATing at your remote end, i.e. you must configure NAT exemption for all traffic from 192.168.11.0/24 to any (Internet).
Hope that helps.
-
How to copy to a TFTP server at a remote site over VPN
I know that by defining the ASA management interface I can ping or telnet/SSH to the inside interface of the remote VPN ASA. But it does not work for TFTP. Is it possible to copy the config to a TFTP server at a remote site via VPN, using the local inside interface as the source?
Please remember to rate useful posts.
Regards
-
Hello
I'm trying to solve a problem with the VPN, and I hope someone can give me a hand.
We have 3 offices, each with an ASA 5505 as the router/firewall, connected to a cable modem:
(NC Office) <----IPSEC----->(PA Office) <----IPSEC----->(CT Office)
Internally we have a full mesh VPN, so all offices can talk to each other directly.
I have people at home using remote access VPN into the PA office, and I need them to be able to connect to the two other offices from there.
I was able to get it working for the CT office, but I can't seem to get it working for the NC office (what I mean is, users can remote-access VPN into the PA office and reach resources in the PA and CT offices, but they can't reach the NC office).
Could someone take a look at these two configs and let me know if I'm missing something? I am new to this, so some of these configs don't have the best naming conventions, but I'm getting there.
PA OFFICE
Output of the command: "show run"
: Saved
:
ASA Version 8.2(5)
!
hostname WayneASA
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 70.91.18.205 255.255.255.252
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 75.75.75.75
 name-server 75.75.76.76
 domain-name 3gtms.com
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list inside_access_in extended permit ip any any
access-list IPSec_Access extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list IPSec_Access extended permit ip 192.168.10.0 255.255.255.224 192.168.2.0 255.255.255.0
access-list IPSec_Access extended permit ip 192.168.10.0 255.255.255.224 192.168.5.0 255.255.255.0
access-list inside_nat0 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.224
access-list inside_nat0 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0 extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list TunnelSplit1 standard permit 192.168.10.0 255.255.255.224
access-list TunnelSplit1 standard permit 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list RemoteTunnel_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list RemoteTunnel_splitTunnelAcl_1 standard permit 192.168.1.0 255.255.255.0
access-list RemoteTunnel_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0
access-list RemoteTunnel_splitTunnelAcl_1 standard permit 192.168.5.0 255.255.255.0
access-list out_access_in extended permit udp any host 70.91.18.205 eq sip
access-list out_access_in extended permit tcp any host 70.91.18.205 eq 5000
access-list out_access_in extended permit udp any host 70.91.18.205 range 9000 9049
access-list out_access_in extended permit tcp any host 70.91.18.205 eq sip
access-list out_access_in extended permit object-group TCPUDP any host 70.91.18.205 eq 5090
access-list out_access_in extended permit udp any host 70.91.18.205 eq 5000
access-list outside-nat0 remark NAT0 for VPNPool to Remote Sites
access-list outside-nat0 extended permit ip 192.168.10.0 255.255.255.224 192.168.2.0 255.255.255.0
access-list outside-nat0 extended permit ip 192.168.10.0 255.255.255.224 192.168.5.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNPool 192.168.10.1-192.168.10.30 mask 255.255.255.224
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list outside-nat0
access-group inside_access_in in interface inside
access-group out_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 70.91.18.206 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set VPNTransformSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map IPSec_map 1 match address IPSec_Access
crypto map IPSec_map 1 set peer 50.199.234.229
crypto map IPSec_map 1 set transform-set VPNTransformSet
crypto map IPSec_map 2 match address outside_2_cryptomap
crypto map IPSec_map 2 set pfs group1
crypto map IPSec_map 2 set peer 98.101.139.210
crypto map IPSec_map 2 set transform-set VPNTransformSet
crypto map IPSec_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map IPSec_map interface outside
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 50.199.234.229
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.199 inside
dhcpd dns 75.75.75.75 75.75.76.76 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy RemoteTunnel internal
group-policy RemoteTunnel attributes
 dns-server value 75.75.75.75 75.75.76.76
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemoteTunnel_splitTunnelAcl_1
username dfavier password vUA99P1dT3fvnDZy encrypted
username dfavier attributes
 service-type remote-access
username rduske password vu0Zdx0n3oZWFSaX encrypted
username rduske attributes
 service-type remote-access
username eric password 0vcSd5J/TLsFy7nU encrypted privilege 15
username lestofts password URsSXKLozQMSeCBk encrypted
username lestofts attributes
 service-type remote-access
username jpwiggins password 3WyoRxmI6LZjGHZE encrypted
username jpwiggins attributes
 service-type remote-access
username tomleonard password cQXk0RJCBtxyzZ4K encrypted
username tomleonard attributes
 service-type remote-access
username algobel password 4AjIefFXCbu7.T9v encrypted
username algobel attributes
 service-type remote-access
tunnel-group RemoteTunnel type remote-access
tunnel-group RemoteTunnel general-attributes
 address-pool VPNPool
 default-group-policy RemoteTunnel
tunnel-group RemoteTunnel ipsec-attributes
 pre-shared-key *
tunnel-group 50.199.234.229 type ipsec-l2l
tunnel-group 50.199.234.229 ipsec-attributes
 pre-shared-key *
tunnel-group 98.101.139.210 type ipsec-l2l
tunnel-group 98.101.139.210 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:6d1ffe8d570d467e1ea6fd60e9457ba1
: end
CT OFFICE
Output of the command: "show run"
: Saved
:
ASA Version 8.2(5)
!
hostname RaleighASA
enable password Ml95GJgphVRqpdJ7 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 98.101.139.210 255.0.0.0
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 24.25.5.60
 name-server 24.25.5.61
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list Wayne_Access extended permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Wayne_Access extended permit ip 192.168.5.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list Shelton_Access extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list out_access_in extended permit tcp any host 98.101.139.210 eq www
access-list out_access_in extended permit tcp any host 98.101.139.210 eq ftp
access-list out_access_in extended permit udp any host 98.101.139.210 eq tftp
access-list out_access_in extended permit udp any host 98.101.139.210 eq sip
access-list out_access_in extended permit tcp any host 98.101.139.210 eq 5090
access-list out_access_in extended permit tcp any host 98.101.139.210 eq 2001
access-list out_access_in extended permit tcp any host 98.101.139.210 eq 5080
access-list out_access_in extended permit tcp any host 98.101.139.210 eq ssh
access-list out_access_in extended permit tcp any host 98.101.139.210 eq 81
access-list out_access_in extended permit tcp any host 98.101.139.210 eq 56774
access-list out_access_in extended permit tcp any host 98.101.139.210 eq 5000
access-list out_access_in extended permit tcp any host 98.101.139.210 eq 902
access-list out_access_in extended permit tcp any host 98.101.139.210 eq netbios-ssn
access-list out_access_in extended permit tcp any host 98.101.139.210 eq 445
access-list out_access_in extended permit tcp any host 98.101.139.210 eq https
access-list out_access_in extended permit object-group TCPUDP any host 98.101.139.210 eq 3389
access-list out_access_in extended permit object-group TCPUDP any host 98.101.139.210 range 5480 5487
access-list out_access_in extended permit udp any host 98.101.139.210 range 9000 9050
access-list inside_nat0 extended permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0 extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0 extended permit ip 192.168.5.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group out_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 98.101.139.209 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set WayneTransform esp-3des esp-md5-hmac
crypto ipsec transform-set SheltonTransform esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map IPSec_map 1 match address Wayne_Access
crypto map IPSec_map 1 set pfs group1
crypto map IPSec_map 1 set peer 70.91.18.205
crypto map IPSec_map 1 set transform-set WayneTransform
crypto map IPSec_map 2 match address Shelton_Access
crypto map IPSec_map 2 set pfs group1
crypto map IPSec_map 2 set peer 50.199.234.229
crypto map IPSec_map 2 set transform-set SheltonTransform
crypto map IPSec_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.5.100-192.168.5.199 inside
dhcpd dns 24.25.5.60 24.25.5.61 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username eric password 0vcSd5J/TLsFy7nU encrypted privilege 15
tunnel-group 50.199.234.229 type ipsec-l2l
tunnel-group 50.199.234.229 ipsec-attributes
 pre-shared-key *
tunnel-group 70.91.18.205 type ipsec-l2l
tunnel-group 70.91.18.205 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:3d770ba9647ffdc22b3637e1e5b9a955
: end
Hello
I might have found the problem.
To be honest, I'm a little tired and concentration is difficult, especially when going through multiple device configurations. So a second pair of eyes is perhaps in order.
At the moment it seems to me that this configuration on the PA site is the problem:
access-list IPSec_Access extended permit ip 192.168.10.0 255.255.255.224 192.168.5.0 255.255.255.0
This is an ACL that defines the local and remote networks for an L2L VPN connection.
Now, when we look at which L2L VPN connection this belongs to, we see the following:
crypto map IPSec_map 1 match address IPSec_Access
crypto map IPSec_map 1 set peer 50.199.234.229
crypto map IPSec_map 1 set transform-set VPNTransformSet
Now, we see that the peer IP address is 50.199.234.229. Which site is this? The IP address of the CT site that works correctly?
Now, what the ACL line I mentioned earlier basically says is that when the 192.168.10.0 255.255.255.224 network wants to connect to the 192.168.5.0/24 network, the traffic should be sent to the CT site. And of course this should not be the case, as we want the traffic to go to the NC site.
Also worth noting is that on the PA site the above connection is configured with priority '1', so it gets compared first for a connection. If the L2L VPN configurations were in a different order, the VPN Client connection might actually work. But that is just something I wanted to point out. The actual resolution of the problem, of course, is to remove the configuration that causes the real problem, in which the ASA attempts to route traffic to a completely wrong place.
So can you remove this ACL line from the PA ASA:
no access-list IPSec_Access extended permit ip 192.168.10.0 255.255.255.224 192.168.5.0 255.255.255.0
Then test the VPN Client connection to the NC site again.
Hope this will finally be the solution.
-Jouni
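As an added illustration of the first-match crypto map walk Jouni describes (example code written for this page, not from the original thread or from Cisco), this models the PA office's two static crypto map entries as posted and shows which peer a VPN-pool flow to 192.168.5.0/24 is sent to before and after the flagged ACE is removed. The sequence numbers, ACL contents and peer addresses are taken from the posted PA config; the flow addresses are constructed.

```python
import ipaddress
from typing import List, Optional, Tuple

# One crypto map entry: (sequence, crypto ACL name, ACEs as (src, dst) networks, peer).
Ace = Tuple[str, str]
Entry = Tuple[int, str, List[Ace], str]


def ace_matches(ace: Ace, src: str, dst: str) -> bool:
    """Does this 'permit ip <src net> <dst net>' ACE cover the flow?"""
    src_net, dst_net = ace
    return (ipaddress.ip_address(src) in ipaddress.ip_network(src_net)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(dst_net))


def select_entry(crypto_map: List[Entry], src: str, dst: str) -> Optional[Tuple[int, str, Ace]]:
    """First-match walk of the crypto map in sequence order.

    Returns (sequence, peer, matching ACE) for the first entry whose crypto
    ACL permits the flow, or None when no entry matches, in which case the
    flow is not sent into any tunnel at all.
    """
    for seq, _acl, aces, peer in sorted(crypto_map, key=lambda e: e[0]):
        for ace in aces:
            if ace_matches(ace, src, dst):
                return (seq, peer, ace)
    return None


# The PA office crypto map as posted (static entries only; the dynamic
# entry 65535 serves remote-access clients and has no crypto ACL).
PA_CRYPTO_MAP: List[Entry] = [
    (1, "IPSec_Access", [
        ("192.168.1.0/24", "192.168.2.0/24"),
        ("192.168.10.0/27", "192.168.2.0/24"),
        ("192.168.10.0/27", "192.168.5.0/24"),   # the ACE Jouni flags
    ], "50.199.234.229"),
    (2, "outside_2_cryptomap", [
        ("192.168.1.0/24", "192.168.5.0/24"),
    ], "98.101.139.210"),
]


def without_ace(crypto_map: List[Entry], acl_name: str, ace: Ace) -> List[Entry]:
    """Model 'no access-list <acl_name> extended permit ip <src> <dst>'."""
    return [(seq, acl, [a for a in aces if not (acl == acl_name and a == ace)], peer)
            for seq, acl, aces, peer in crypto_map]


PA_CRYPTO_MAP_FIXED = without_ace(
    PA_CRYPTO_MAP, "IPSec_Access", ("192.168.10.0/27", "192.168.5.0/24"))

if __name__ == "__main__":
    # Constructed flow: a VPN-pool client talking to a host on 192.168.5.0/24.
    flow = ("192.168.10.5", "192.168.5.20")
    print("as posted:  ", select_entry(PA_CRYPTO_MAP, *flow))
    print("ACE removed:", select_entry(PA_CRYPTO_MAP_FIXED, *flow))
```

Note what the second result shows: once the ACE is gone, the VPN-pool flow to 192.168.5.0/24 matches no entry, because outside_2_cryptomap as posted only covers 192.168.1.0/24 (and the far side's Wayne_Access lists 192.168.10.0 as a /24), so the remaining checks after Jouni's step are whether that pool is covered by the crypto ACLs on both ends of the 98.101.139.210 tunnel.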
-
Cannot ping local interface after the latest critical Microsoft update
I just bought a Satellite Pro A200.
When I upgraded to the latest critical updates from Microsoft Update, I found that I could no longer ping my local IP address. This happened on both the RJ45 LAN network card and the wireless network card.
I reinstalled the operating system using the recovery CD, and I could ping the IP address of the local interfaces.
But when I once again downloaded and installed the latest critical updates from Microsoft, I can't ping the local IP address.
Does anyone have any idea why?
Thank you
Hey Buddy,
Where's the problem? I know that the updates destroy the system when they are buggy, but that's normal with Microsoft. I have almost the same problems too! Through WGAnotify.exe, I was a software pirate and my access was restricted to 'zero' access.
"Yes, Sir, I bought a Windows and it's stolen... well... OK... :(."
Yes, no one except Microsoft (which would be the point where I could say "you are in the wrong forum" ;)) knows why it's happening.
These days, you should do the following: find the update that is causing this error. You can do this by going to "Add / Remove Programs" in your "Control Panel" and clicking the "Show updates" button at the top of the window.
Then begin by uninstalling the last installed update and check if your ping works. Otherwise, proceed to the next update and uninstall it, and so on...
I know it's a long and boring process, but since this is NOT a Toshiba problem, you must accept it and try my method of removing the update that is causing your error.
Greetings
-
Cannot copy and paste from a remote desktop
I am running Vista Home Basic, 32-bit, and trying to copy and paste back and forth over my remote desktop connection to my computer at home. When I connect, I check the Local Resources tab and make sure the printer and clipboard options are selected. I even unchecked and rechecked them once to try to trick the system, but that has not worked. Any suggestions? It is getting quite complicated to just double tap! It worked in the past, but it just decided to stop working for some reason. Thank you!
Hi given dog,
Thanks for posting to answers.microsoft.com.
Essentially, the Local Resources tab should have Clipboard selected. Since you already have this setting enabled, let me ask you a few questions:
1. Are you remoting from this system from Vista to an XP system? Or vice versa? Or Vista to Vista? If so, what is the Service Pack level for the two Windows versions on the computers involved? And do these systems all have the latest Windows Updates installed?
2. Do you remember loading any software, or maybe an IntelliPoint mouse, before this problem? Are you using a wireless keyboard and mouse?
3. Do the copy and paste functions work normally on both systems when Remote Desktop is not involved?
Please let us know any information that may be necessary to help solve this problem.
Thank you
Debbie
Microsoft Answers Support Engineer
Visit our Microsoft Answers Feedback Forum and let us know what you think.
-
Subnet A (192.168.137.0/24) has computers P and Q.
Subnet B (192.168.7.0/24) has computers Q and R.
P is my Windows 7 computer, connected to the Internet via interface 10 and to Q via interface 25.
Q (Linux) has been set up to route packets between A and B. Its default gateway is P.
R (Linux) has its default gateway set to Q.
I was able to deliver packets to subnet B using, on P:
route add 192.168.7.0 mask 255.255.255.0 192.168.137.2 metric 1 if 25
(192.168.7.0 is subnet B and 192.168.137.2 is Q.) Now I could ping R (192.168.7.2) from P (my Win7 computer), but I couldn't ping P from R! I could ping www.google.com from R!
C:\Windows\System32>route print
===========================================================================
Interface List
 11...00 1c 23 29 25 7e ......Broadcom NetXtreme 57xx Gigabit Controller
 10...00 1c 9 91 38 d bf ......Intel(R) PRO/Wireless 3945ABG Network Connect
 25...00 50 56 00 01 c0 ......VMware Virtual Ethernet Adapter for VMnet1
 26...00 50 56 00 08 c0 ......VMware Virtual Ethernet Adapter for VMnet8
  1...........................Software Loopback Interface 1
 21...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 17...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 23...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
 18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 22...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
 24...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
 20...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #5
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    124.123.192.1   124.123.199.79     20
    124.123.192.0    255.255.192.0         On-link    124.123.199.79    276
   124.123.199.79  255.255.255.255         On-link    124.123.199.79    276
  124.123.255.255  255.255.255.255         On-link    124.123.199.79    276
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.7.0    255.255.255.0    192.168.137.2     192.168.137.1     21
     192.168.18.0    255.255.255.0         On-link      192.168.18.1    276
     192.168.18.1  255.255.255.255         On-link      192.168.18.1    276
   192.168.18.255  255.255.255.255         On-link      192.168.18.1    276
    192.168.137.0    255.255.255.0         On-link     192.168.137.1    276
    192.168.137.1  255.255.255.255         On-link     192.168.137.1    276
  192.168.137.255  255.255.255.255         On-link     192.168.137.1    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link    124.123.199.79    276
        224.0.0.0        240.0.0.0         On-link     192.168.137.1    276
        224.0.0.0        240.0.0.0         On-link      192.168.18.1    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link    124.123.199.79    276
  255.255.255.255  255.255.255.255         On-link     192.168.137.1    276
  255.255.255.255  255.255.255.255         On-link      192.168.18.1    276
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
      192.168.7.0    255.255.255.0    192.168.137.2       1
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 23   1275 ::/0                     2002:c058:6301::c058:6301
 23   1274 ::/0                     2002:c058:6301::1
  1    306 ::1/128                  On-link
 23   1025 2002::/16                On-link
 23    281 2002:7c7b:c74f::7c7b:c74f/128
                                    On-link
 11    276 fe80::/64                On-link
 25    276 fe80::/64                On-link
 26    276 fe80::/64                On-link
 11    276 fe80::7456:ab7f:70fa:3029/128
                                    On-link
 25    276 fe80::7c8a:b566:2a17:RDFN/128
                                    On-link
 26    276 fe80::e12e:9f18:a010:b07b/128
                                    On-link
  1    306 ff00::/8                 On-link
 11    276 ff00::/8                 On-link
 25    276 ff00::/8                 On-link
 26    276 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
Hello Satya,
Thanks for posting your question on the forum of the Microsoft community.
The question will be better suited to the audience of professionals on the TechNet forums.
I would recommend posting your query in the TechNet forums.
TechNet Forum
http://social.technet.Microsoft.com/forums/en-us/home?category=w7itpro
Thank you
-
Cannot ping the ASA inside interface IP from the remote site of an L2L VPN
The L2L VPN between ASA-1/ASA-2 is established OK:
ASA-2# show crypto isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 207.140.28.102
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
QUESTION: From 3750-2, we can ping 3750-1 (10.10.2.253) OK, but not the ASA-1 inside interface (10.10.2.254).
Debug icmp data on ASA-1:
ASA-1# debug icmp trace
debug icmp trace enabled at level 1
ICMP echo request from Internet:10.100.2.252 to server:10.10.2.253 ID=400 seq=0 len=72
ICMP echo reply from server:10.10.2.253 to Internet:10.100.2.252 ID=400 seq=0 len=72
ICMP echo request from Internet:10.100.2.252 to server:10.10.2.253 ID=400 seq=1 len=72
ICMP echo reply from server:10.10.2.253 to Internet:10.100.2.252 ID=400 seq=1 len=72
ICMP echo request from 10.100.2.252 to 10.10.2.254 ID=401 seq=0 len=72
ICMP echo request from 10.100.2.252 to 10.10.2.254 ID=401 seq=1 len=72
ICMP echo request from 10.100.2.252 to 10.10.2.254 ID=401 seq=2 len=72
Make sure you have "management-access inside" configured.
Let me know if this helps.
-
Dynamically loading the interface from a remote source implementation class
Hello guys,
I'm kind of new to AS3, please bear with me.
I'm working on a project where I want to implement some sort of MVC. The idea is this: have a Viewer application that connects to a database and reads the object to display (based on some ID); have a Setter app that connects to the database and sets the object to display for a particular ID.
What I'm trying to do is to have an interface that declares the common methods for the object class (like draw, etc.) and have implementations of this interface be dynamically loaded from the database in the Viewer.
Is this possible? Am I thinking about it in the right way?
I'd appreciate any suggestions really.
Thank you
If you check the book by peldi et al., you would have found what you're talking about. The principle you want to use is easy to do. This might get you started (it is FMS but the idea is the same): http://help.adobe.com/en_US/FlashMediaServer/3.5_SS_ASD/flashmediaserver_3.5_sslr.pdf - p.28 - application.registerClass() method.
-
Routing of multiple site-to-site VPN gateways
I have a strange configuration and need help.
We have an ISP with a /29 network. We have connected the Ethernet handoff to a layer-2 device and connected one port to a Calyptix firewall and the other to our Cisco 2811.
The router has a default route that points to the Calyptix firewall.
Currently, the router also has a P2P T1 line to the corp office.
We would like to set up a site-to-site VPN from this router to the corp office and use the P2P as the backup for local traffic, but everything else goes out the ASA.
I feel like I should be able to configure a tunnel between the two (branch and corp) public IP addresses, but I can't ping the Corp public IP address from the branch because it goes to the firewall (default route).
What am I missing?
I have attached a PDF file of the network configuration.
I tried to configure static routes
ip route 50.199.17.17 255.255.255.255 72.34.95.209
&
ip route 72.34.95.210 255.255.255.255 50.199.17.22
But this does not work, any ideas or suggestions?
Hi James,
1. Please check where the traffic from 50.199.17.17 to 72.34.95.210 is going. Do a traceroute to 72.34.95.210 and check whether it goes to .210 OR to .211 (capture on the firewall) and then to .210.
Note: the return traffic flow may be 50.199.17.16 --> Firewall (72.34.95.211) --> router based on your current configuration (maybe the ISP forces it to go in this direction).
2. Please check that you do not somehow receive this route (50.199.17.16/29) over the P2P T1, with a traceroute from 72.34.95.210 to 50.199.17.17.
3. Check that you don't have any inbound ACL on either router.
Please mark this message as correct if it works.
-
ASA Site-to-Site: Remote Site cannot access DMZ at the Hub site
So I've been scratching my head and I just can't visualize what I want and how I want to do it.
Here is the overview of my network:
Headquarters: ASA 5505
Site1: ASA 5505
Site2: ASA 5505
Training3: ASA 5505
All sites are connected L2L to the Headquarters location with a site-to-site VPN.
From the HQ site I can ping each satellite location, and from each satellite location I can ping the HQ site. I will also mention that all other traffic also works correctly.
Here's my issue: at the HQ site, I have a DMZ set up with a web/mail server. This mail/web server is accessible from my HQ LAN, but not from the satellite locations. I need to allow that.
What should I do?
My second question is that I want the satellite sites to see each other's networks. Should I create a VPN between the sites, or can this be solved in the same way as the DMZ question?
I enclose the show run from my HQ ASA (attachment: HQ ASA show run).
For the mail/web server that requires access over the remote-site VPN tunnels, you must add the servers to the crypto ACL, similar to the way you have it for LAN access. Make sure that both sides have mirrored ACLs. If you're NATing from the DMZ to the outside, make sure you create a NAT exemption from the DMZ to the outside for the VPN traffic.
For the second question, because you have only three sites, I would recommend creating a site-to-site tunnel between the two satellite sites.
HTH
PS. If you found this post useful, please rate it.
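One way to check the mirrored-ACL condition from that answer offline, as an added example rather than the poster's or Cisco's own code: it parses ASA "access-list ... extended permit ip" lines from both sides, reports any entry the peer does not mirror, and emits the 8.3+ twice-NAT exemption line; the ACL names, object names and addresses are constructed.

```python
"""Mirror check for two ASAs' crypto ACLs plus the DMZ NAT exemption.
Added example, not the poster's config; all names/addresses are constructed."""
import ipaddress
import re

# Matches 'access-list NAME extended permit ip SRC MASK DST MASK' lines.
ACL_RE = re.compile(r"access-list\s+\S+\s+extended\s+permit\s+ip\s+"
                    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")

def parse_crypto_acl(config):
    """Return the set of (src, dst) networks the crypto ACL permits."""
    pairs = set()
    for line in config.splitlines():
        m = ACL_RE.search(line)
        if m:
            src = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            dst = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}")
            pairs.add((src, dst))
    return pairs

def missing_mirror_entries(local_acl, remote_acl):
    """Local (src, dst) pairs the peer does not permit as (dst, src).
    A one-sided entry is how a DMZ host ends up reachable from the HQ
    LAN but not from a satellite site."""
    local = parse_crypto_acl(local_acl)
    remote = parse_crypto_acl(remote_acl)
    return sorted((str(s), str(d)) for s, d in local if (d, s) not in remote)

def nat_exemption(iface, local_obj, remote_obj):
    """ASA 8.3+ identity (twice) NAT so VPN-bound traffic is not translated."""
    return (f"nat ({iface},outside) source static {local_obj} {local_obj} "
            f"destination static {remote_obj} {remote_obj}")

# Constructed sample: HQ permits LAN and DMZ to Site1; Site1 only mirrors the LAN.
HQ_ACL = """
access-list HQ-TO-SITE1 extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list HQ-TO-SITE1 extended permit ip 192.168.100.0 255.255.255.0 192.168.20.0 255.255.255.0
"""
SITE1_ACL = """
access-list SITE1-TO-HQ extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
"""

if __name__ == "__main__":
    for src, dst in missing_mirror_entries(HQ_ACL, SITE1_ACL):
        print(f"Site1 is missing the mirror of {src} -> {dst}")
    print(nat_exemption("dmz", "DMZ-NET", "SITE1-NET"))
```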
-
Can an interface used for the remote-site VPN also be used for another purpose?
Hi all
Can an interface used for the remote-site VPN on a PIX be used for another function, for example for an SMTP server and web publishing?
Thank you!
Best regards
Teru Lei
Yes! of course you can. Just try it.
--
Alexis Fidalgo
Systems engineer
AT & T Argentina
-
PIX515E: Cannot ping interfaces
Hi all
I've just got a new PIX 515E, 6 interfaces, version 6.3(5).
I can't focus on any task with my PIX because the simplest operation is impossible: I cannot ping the PIX inside interface from any host belonging to the same subnet. The interface is up and running, connected directly to a switch, icmp is permitted on the inside...
Please, could one of you give me some help?
Regards
Alberto Brivio
Make sure the PIX does not have a "failover" license. You will not be able to ping this type of box until you activate failover.
-
Hello
PIX version 7.0(1)
ASDM version 5.0(1)
I have a situation where traffic needs to pass through the VPN feature on our PIX 515E. I tried to set this up on the pix using the Site-to-Site VPN Wizard,
which is enabled. I was unable to connect to the pix from the remote site. The log says the pix negotiation is OK and successful.
The problem is when I try to bring up the tunnel from the remote site. It fails without any error.
Where can I see the pix VPN error log?
Is there a manual for site-to-site VPN setup using the wizard?
Help, please.
Thanks in advance
The 'Using ASDM' section (step 14) gives an example of how to set up a LAN-to-LAN VPN via ASDM.
For the log, go to the 'Verify' section.