Cisco ezvpn ASAs cannot ping each other inside interfaces

I have an ezvpn set up with a 5506 (location B) on the client side and a 5520 (location A) on the server side. The VPN connects successfully and traffic flows. My problem is that I can't SSH into the location B ASA. Investigating this further, I cannot ping the inside interface of the opposite ASA, either from the other ASA or from the machines inside each ASA.

I found the following links that describe a scenario similar to mine, but nothing in any of them helped me.
http://www.experts-exchange.com/questions/28388142/cannot-ping-ASA-5505-inside-interface-across-VPN.html
https://www.fir3net.com/firewalls/Cisco/Cisco-ASA-proxy-ARP-gotcha.html
https://supportforums.Cisco.com/discussion/11755586/Cisco-ASA-VPN-established-cant-ping

I have attached sanitized versions of the two configs. Any help is appreciated.

Hi Adam,

In the site B config I'm not able to see "management-access inside". Please try setting up the same. It could solve the problem.

Also, in the NAT statement on the ASA, can you please try adding the keywords 'no-proxy-arp route-lookup'.

Something like:

nat (inside,outside) source static (Location A)_Networks (Location A)_Networks destination static (location B)-remote_network (location B)-remote_network no-proxy-arp route-lookup
as I have noted problems with access to the inside interface via the VPN when those keywords are not applied. If I remember correctly, ASA version 8.6.x had a bug regarding the same. Regards, Véronique
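An added example, not code from the thread: a small Python lint that checks an ASA running-config for the two settings the reply above calls out, using constructed object names (LocA_Networks, LocB_Remote) and constructed sample configs.

```python
"""Lint an ASA running-config for the two settings the reply above calls out.

Added example, not from the original thread: it checks (1) that
``management-access inside`` is present and (2) that every twice-NAT
identity rule of the form ``nat (X,Y) source static A A destination
static B B`` carries ``no-proxy-arp`` and ``route-lookup``.
"""
import re

# One twice-NAT identity line; object names are captured for the finding text.
NAT_IDENTITY_RE = re.compile(
    r"^\s*nat\s+\((?P<real>[\w-]+),(?P<mapped>[\w-]+)\)\s+source\s+static\s+"
    r"(?P<src>\S+)\s+(?P=src)\s+destination\s+static\s+(?P<dst>\S+)\s+(?P=dst)"
    r"(?P<opts>.*)$"
)
MGMT_ACCESS_RE = re.compile(r"^\s*management-access\s+(?P<ifc>[\w-]+)\s*$")


def audit_vpn_nat(config_text: str, inside_ifc: str = "inside") -> list:
    """Return human-readable findings; an empty list means both checks passed."""
    findings = []
    mgmt_ifcs = set()
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = MGMT_ACCESS_RE.match(line)
        if m:
            mgmt_ifcs.add(m.group("ifc"))
            continue
        m = NAT_IDENTITY_RE.match(line)
        if not m:
            continue
        opts = m.group("opts").split()
        missing = [kw for kw in ("no-proxy-arp", "route-lookup") if kw not in opts]
        if missing:
            findings.append(
                f"line {lineno}: identity NAT {m.group('src')} -> {m.group('dst')} "
                f"on ({m.group('real')},{m.group('mapped')}) lacks {' '.join(missing)}"
            )
    if inside_ifc not in mgmt_ifcs:
        findings.append(f"management-access {inside_ifc} is not configured")
    return findings


# Constructed sample: a site-A config in the shape the thread describes, with
# made-up object names. WEAK lacks both settings; HARDENED adds them.
WEAK_CONFIG = """\
object network LocA_Networks
 subnet 10.1.0.0 255.255.0.0
object network LocB_Remote
 subnet 10.2.0.0 255.255.0.0
nat (inside,outside) source static LocA_Networks LocA_Networks destination static LocB_Remote LocB_Remote
"""
HARDENED_CONFIG = """\
object network LocA_Networks
 subnet 10.1.0.0 255.255.0.0
object network LocB_Remote
 subnet 10.2.0.0 255.255.0.0
nat (inside,outside) source static LocA_Networks LocA_Networks destination static LocB_Remote LocB_Remote no-proxy-arp route-lookup
management-access inside
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_vpn_nat(cfg) or ["ok"])
```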

Tags: Cisco Security

Similar Questions

  • DLR uplink and ESG internal interface on the same transit VXLAN cannot ping each other.

    To start with, I run NSX 6.2.2 with firewall rules set to 'allow' from 'all' to 'all' for 'all protocols', in other words disabled...

    I have a transit VXLAN 5000 with a DLR uplink interface attached to it and an ESG internal interface attached to it, and neither of them can ping the other. So for troubleshooting I added 2 Windows VMs attached to the same transit VXLAN 5000, one VM on ESXi host 1 and the other on ESXi host 4. They can ping each other fine, and both VMs can ping both the DLR uplink and the ESG internal interfaces.

    This has puzzled me because it makes no sense: why can the DLR and the ESG not ping each other when 2 VMs on that VXLAN can ping all adjacent devices? I can even give those VMs a gateway with a NAT rule on the ESG and they can get to the internet through the ESG, but no matter what I try, the DLR cannot ping the ESG and the ESG cannot ping the DLR...

    I need to define a static route between the DLR and the ESG, but if I can't even get the interfaces to answer ping I'm dead in the water.

    If I put VMs in a DLR LAN interface network such as WebApp or Database and test, I can ping through the DLR all the way to the DLR uplink IP, but it cannot ping the ESG internal.

    Does anyone have troubleshooting suggestions? Test commands I can run? I have tried many things and gone through lots of websites with troubleshooting steps. Everything seems fine, all green checks in the installation steps... All routes, MACs and ARP tables appear as expected when I run test commands on the hosts and controllers. I don't know what the cause could be other than a bug in the code...

    All ideas are welcome... Thank you

    UPDATE:

    Yes, so it needed a static NAT rule on the ESG...

    In my environment, I added an SNAT rule on the ESG_Uplink adapter with src 0.0.0.0/24 and translation dst: 1.1.1.101 (my lab ESG uplink IP).

    It works now... A tenant VM connected to the WebApp portgroup (192.168.13.115) can now ping the DLR gateway, through OSPF routing to the ESG, and ping the physical bridge...

    I learned a lot on this one... I'm not going to worry about why the static route I tried in the first post didn't work, since I have OSPF running instead (which is more appropriate for a realistic scenario in my lab anyway), and the foundation now suffices to build the rest of this vRA / vRO POC lab...

    Thanks in any case; sometimes it's just nice to have someone to listen.

  • 2 vSpheres built on vSphere cannot ping each other.

    On host A, which is vSphere 4.0, I built two hosts that are vSphere 4.0 with a vSwitch. Each can ping itself, but they cannot ping each other, nor can they ping host A. After the two hosts were moved to a dvSwitch, the result was the same. But another VM on the dvSwitch is fine.

    Moreover, I need to practice vHA and vMotion, so I need two hosts with some configuration for their guests. As a result, I built two hosts on host A.

    How can I solve this problem?

    Thank you!

    George

    George,

    You must set Promiscuous Mode to Accept on the vSwitch of the guests (--> security properties).

    André

  • Cluster nodes cannot ping each other

    Hello

    I recently put one of our old clusters back online; it's a PowerEdge 1855 server. I'm working with 5 nodes, and there is a PowerConnect 5316M switch on the back. The 5316M has only 1 cable connecting the switch to the uplink.

    Each blade has 2 NICs; one of them is a NIC with a normal IP in our normal production range. All blades can ping each other on this address, and they all have internet.

    The other network adapter is what I use for live migration, or cluster heartbeat or whatever... Whatever it is, it has a different range with no gateway (172.50.1.x).

    Now 3 of the blades can all ping each other, but not the other 2. And the 2 that cannot ping them can ping each other. It seems that the 2 are on one VLAN and the other 3 are on another VLAN.

    The problem I have is that the switch shows them all on the default VLAN... and one thing I can't work out... if the servers all have 2 network cards, but there are only 10 ports on the internal switch?... so how can I set one or the other network card to a different VLAN?

    The configuration of the switch is here:

    console# show run
    spanning-tree mode mstp
    spanning-tree mst configuration
    instance 1 add vlan 1,15,900
    instance 2 add vlan 2-3
    name PDSNetherlands1
    revision 900
    exit
    spanning-tree mst 1 priority 57344
    spanning-tree mst 2 priority 57344
    interface port-channel 1
    description 'LACPGROUP-M5316M-SW2'
    exit
    interface port-channel 1
    switchport mode general
    exit
    vlan database
    vlan 2-3,15,238,328-329,501,638,900
    exit
    interface port-channel 1
    switchport general allowed vlan add 15
    exit
    interface port-channel 1
    switchport general allowed vlan add 900
    exit
    interface vlan 2
    name "PDS Internet"
    exit
    interface vlan 3
    name "PDS Wireless"
    exit
    interface vlan 15
    name "PDS ServerInfrastructure"
    exit
    interface vlan 238
    name "SHELL GI-Desktops"
    exit
    interface vlan 328
    name "SHELL Unix-Desktops"
    exit
    interface vlan 329
    name "SHELL Windows-Servers"
    exit
    interface vlan 501
    name "SHELL Linux-Desktops"
    exit
    interface vlan 638
    name "SHELL IP-Telephony"
    exit
    interface vlan 900
    name "PDS Workstations"
    exit
    interface range ethernet g(11-16)
    channel-group 1 mode auto
    exit
    interface vlan 1
    ip address 10.254.254.253 255.0.0.0
    exit
    ip default-gateway 10.0.0.1
    logging 10.0.1.56 severity debugging facility local0
    username admin password 5ebe2294ecd0e0f08eab7690d2a6ee69 level 15 encrypted
    username admin_jon password ea4462b55746d29a4a0fc44c3db06b95 level 15 encrypted
    username administrator password 22d4734b069e91ceebdf297701005b28 level 15 encrypted
    snmp-server community private rw
    sntp client poll timer 60
    sntp unicast client enable
    sntp anycast client enable
    sntp broadcast client enable
    sntp server 64.90.182.55 poll
    console#
    
    Any help would be appreciated; I cannot complete the cluster validation wizard until I can crack this..
    
    Kind Regards,
    
    Jon
    

    This document does a good job of showing the interconnections.

    www.Dell.com/.../ps3q05-20050163-Brundridge-OE.pdf

    I/O module 1 goes to port 1 and I/O module 2 goes to port 2 of the standard LOM.

    It is therefore useful to check which ports are used by the servers. If the 3 are on port 1 and the other 2 are on port 2, try to get all the 172.50.1.x addresses assigned to port 2, for example.

  • Router and Switch cannot ping each other

    Hello

    I just built a lab at home.

    In my current lab, I have 2 switches and 3 routers.

    I have a problem; I don't know what I'm missing in my config. My router cannot ping my switch.

    I also want to change my LAN interface connection from VLAN 1 to VLAN 30... but when I configure VLAN 30 it shows me line is UP but protocol is DOWN.

    Another question, if I want to create a VLAN with a different address, what should I do?

    for example

    VLAN 10 > 10.10.10.1

    VLAN 20 > 20.20.20.1
    etc...

    interface Vlan1
     description LAN
     ip address 10.10.10.1 255.255.255.0 secondary
     ip address 30.30.30.1 255.255.255.0 secondary
     ip address 40.40.40.1 255.255.255.0 secondary
     ip address 20.20.20.1 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     ip virtual-reassembly
     dot1q tunneling ethertype 0x9100
     hold-queue 100 out
    !

    Here's the conf for my router. ROUTER > 877, SW > 2950 24 WS
    CISCO_877#sh run
    Building configuration...

    Current configuration : 3468 bytes
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname CISCO_877
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 $1$.ISW$71jzJ0Or0nenXZd/8D8.x/
    !
    no aaa new-model
    !
    !
    dot11 syslog
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 20.20.20.0 20.20.20.30
    !
    ip dhcp pool LAN
     network 20.20.20.0 255.255.255.0
     domain-name SYS.local
     default-router 20.20.20.1
     dns-server 202.123.2.6 202.123.2.11
     lease 0 4
    !
    username admin privilege 15 secret 5 $1$A1V4$GR9sPtPVXDRoOiDKRtC1M1
    !
    archive
     log config
      hidekeys
    !
    interface ATM0
     description (OUTSIDE)ADSL_WAN
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     no atm ilmi-keepalive
     pvc 8/35
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
     !
     dsl operating-mode auto
    !
    interface FastEthernet0
    !
    interface FastEthernet1
     dot1q tunneling ethertype 0x9100
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface Vlan1
     description LAN
     ip address 20.20.20.1 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     ip virtual-reassembly
     dot1q tunneling ethertype 0x9100
     hold-queue 100 out
    !
    interface Vlan30
     description LAN
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     shutdown
     hold-queue 100 out
    !
    interface Dialer0
     description WAN_OUTSIDE
     ip address negotiated
     ip mtu 1498
     ip nat outside
     ip virtual-reassembly max-reassemblies 1024
     encapsulation ppp
     ip tcp adjust-mss 1400
     dialer pool 1
     dialer-group 1
     no cdp enable
     ppp authentication chap callin
     ppp chap hostname [email protected]
     ppp chap password 7 071C385F5C001D0403
     ppp pap sent-username [email protected] password 7 120A1C04000208053E
     ppp ipcp mask request
     ppp ipcp route default
     ppp ipcp address accept
    !
    ip default-gateway 20.20.20.1
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip route 10.10.10.0 255.255.255.0 Vlan1
    !
    no ip http server
    no ip http secure-server
    ip nat inside source list 110 interface Dialer0 overload
    !
    access-list 110 permit ip 20.20.20.0 0.0.0.255 any
    access-list 110 permit ip 10.10.10.0 0.0.0.255 any
    access-list 110 permit ip 30.30.30.0 0.0.0.255 any
    access-list 110 permit ip 40.40.40.0 0.0.0.255 any
    access-list 110 permit ip 50.50.50.0 0.0.0.255 any
    access-list 110 permit ip 60.60.60.0 0.0.0.255 any
    !
    !
    !
    control-plane
    !
    banner motd ^C
    (ASCII-art banner)
    ^C
    !
    line con 0
     no modem enable
    line aux 0
    line vty 0 4
     password 7 xxxx
     login
    !
    scheduler max-task-time 5000
    end

    CISCO_877#
    And this is for my switch:
    CATALYST_2960_01#sh run
    Building configuration...

    Current configuration : 5166 bytes
    !
    version 12.1
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname CATALYST_2960_01
    !
    enable secret 5 $1$MGrN$PtHgL3KfH0vy7Mr1Fo0hF.
    !
    ip subnet-zero
    !
    ip ssh time-out 120
    ip ssh authentication-retries 3
    vtp mode transparent
    !
    !
    spanning-tree mode rapid-pvst
    no spanning-tree optimize bpdu transmission
    spanning-tree extend system-id
    spanning-tree vlan 1-4093 priority 16384
    !
    !
    !
    !
    vlan 10
     name ADSL
    !
    vlan 20
     name GUEST
    !
    vlan 30
     name MANAGEMENT
    !
    interface Port-channel1
     switchport trunk allowed vlan 1,10,20,30
     switchport mode trunk
     switchport nonegotiate
     spanning-tree cost 1
    !
    interface FastEthernet0/1
     description SPARE
     switchport mode access
     switchport nonegotiate
     spanning-tree portfast
     spanning-tree bpduguard enable
     spanning-tree cost 1000
    !
    interface FastEthernet0/2
     description SPARE
     switchport mode access
     switchport nonegotiate
     spanning-tree portfast
     spanning-tree bpduguard enable
     spanning-tree cost 1000
    !
    interface FastEthernet0/3
     description SPARE
     switchport mode access
     switchport nonegotiate
     spanning-tree portfast
     spanning-tree bpduguard enable
     spanning-tree cost 1000
    !
    interface FastEthernet0/4
     description SPARE
     switchport mode access
     switchport nonegotiate
     spanning-tree portfast
     spanning-tree bpduguard enable
     spanning-tree cost 1000
    !
    interface FastEthernet0/5
     description SPARE
     switchport mode access
     switchport nonegotiate
     spanning-tree portfast
     spanning-tree bpduguard enable
     spanning-tree cost 1000
    !
    interface FastEthernet0/6
     description SPARE
     switchport mode access
     switchport nonegotiate
     spanning-tree portfast
     spanning-tree bpduguard enable
     spanning-tree cost 1000
    !
    interface FastEthernet0/7
     description SPARE
     switchport mode access
     switchport nonegotiate
     spanning-tree portfast
     spanning-tree bpduguard enable
     spanning-tree cost 1000
    !
    interface FastEthernet0/8
     description SPARE
     switchport mode access
     switchport nonegotiate
     spanning-tree portfast
     spanning-tree bpduguard enable
     spanning-tree cost 1000
    !
    interface FastEthernet0/9
     description SPARE
     switchport mode access
     switchport nonegotiate
     spanning-tree portfast
     spanning-tree bpduguard enable
     spanning-tree cost 1000
    !
    interface FastEthernet0/10
     description SPARE
     switchport mode access
     switchport nonegotiate
     spanning-tree portfast
     spanning-tree bpduguard enable
     spanning-tree cost 1000
    !
    interface FastEthernet0/11
     description SPARE
     switchport mode access
     switchport nonegotiate
     spanning-tree portfast
     spanning-tree bpduguard enable
     spanning-tree cost 1000
    !
    interface FastEthernet0/12
     description SPARE
     switchport mode access
     switchport nonegotiate
     spanning-tree portfast
     spanning-tree bpduguard enable
     spanning-tree cost 1000
    !
    interface FastEthernet0/13
     description SPARE
     switchport mode access
     switchport nonegotiate
     spanning-tree portfast
     spanning-tree bpduguard enable
     spanning-tree cost 1000
    !
    interface FastEthernet0/14
     description SPARE
     switchport mode access
     switchport nonegotiate
     spanning-tree portfast
     spanning-tree bpduguard enable
     spanning-tree cost 1000
    !
    interface FastEthernet0/15
     description SPARE
     switchport mode access
     switchport nonegotiate
     spanning-tree portfast
     spanning-tree bpduguard enable
     spanning-tree cost 1000
    !
    interface FastEthernet0/16
     description SPARE
     switchport mode access
     switchport nonegotiate
     spanning-tree portfast
     spanning-tree bpduguard enable
     spanning-tree cost 1000
    !
    interface FastEthernet0/17
     description SPARE
     switchport mode access
     switchport nonegotiate
     spanning-tree portfast
     spanning-tree bpduguard enable
     spanning-tree cost 1000
    !
    interface FastEthernet0/18
     description SPARE
     switchport mode access
     switchport nonegotiate
     spanning-tree portfast
     spanning-tree bpduguard enable
     spanning-tree cost 1000
    !
    interface FastEthernet0/19
     description SPARE
     switchport mode access
     switchport nonegotiate
     spanning-tree portfast
     spanning-tree bpduguard enable
     spanning-tree cost 1000
    !
    interface FastEthernet0/20
     description SPARE
     switchport mode access
     switchport nonegotiate
     spanning-tree portfast
     spanning-tree bpduguard enable
     spanning-tree cost 1000
    !
    interface FastEthernet0/21
     description SPARE
     switchport mode access
     switchport nonegotiate
     spanning-tree portfast
     spanning-tree bpduguard enable
     spanning-tree cost 1000
    !
    interface FastEthernet0/22
     description SPARE
     switchport mode access
     switchport nonegotiate
     spanning-tree portfast
     spanning-tree bpduguard enable
     spanning-tree cost 1000
    !
    interface FastEthernet0/23
     switchport trunk allowed vlan 1,10,20,30
     switchport mode trunk
     switchport nonegotiate
     channel-group 1 mode active
    !
    interface FastEthernet0/24
     switchport trunk allowed vlan 1,10,20,30
     switchport mode trunk
     switchport nonegotiate
     channel-group 1 mode active
    !
    interface Vlan1
     ip address 20.20.20.2 255.255.255.0
     no ip route-cache
    !
    interface Vlan10
     no ip address
     no ip route-cache
     shutdown
    !
    interface Vlan30
     no ip address
     no ip route-cache
     shutdown
    !
    ip default-gateway 20.20.20.1
    ip http server
    !
    line con 0
    line vty 0 4
     password 7 xxxx
     login
    line vty 5 15
     login
    !
    !
    end

    Thanks in advance.

    Eliane,

    Please remove the etherchannel from port f0/24 in the switch configuration and keep it as a trunk.

    interface FastEthernet0/24
     switchport trunk allowed vlan 1,10,20,30
     switchport mode trunk
     switchport nonegotiate
     channel-group 1 mode active  <<< Remove this

    Configure f0 on the router as a trunk; I think the 877 has a switchport which the fe interfaces are a part of. To bring up the corresponding VLAN interfaces on the router, you need to configure the corresponding VLANs on the router; only then will they be in an up/up state, otherwise they will stay in a down state. See if that helps. Thank you, hyacinth
  • Hosts on a distributed virtual switch cannot ping each other

    On a vSphere 4.0 host A, I introduced 2 vSphere hosts B and C and put them all in a distributed switch for the VMkernel network. Only host A can vmkping a virtual machine that was put into the same switch, and the VM can also ping host A. But the 3 hosts cannot vmkping each other, and B and C cannot vmkping the virtual machine.

    What is the problem and how can I solve this problem?

    Thank you.

    George

    No, this is not typical of a vDS. Try starting here:

    http://www.VMware.com/files/PDF/vSphere-vNetwork-DS-migration-configuration-WP.PDF

    http://www.VMware.com/files/PDF/vSphere-vNetwork-deployment-WP.PDF

    If you have found this at all helpful, please award points using the Correct or Helpful buttons! Thank you!

  • Cannot ping PIX 525 inside interface

    Hi, I cannot ping the e1 interface of a new PIX 525 running V6.35. I configured the e1 address and tried, but I can't ping the laptop connected directly to it, or vice versa... I added an ACL permitting icmp any any and ip any any and applied it to the e1 interface. Still cannot ping... any idea why this is happening?... I suspect a hardware or cable problem; should the cable be crossover or straight through... I tried connecting through a switch also but got the same result... interface e1 is up and up and shows no problem... nor does the log show any info as to why this happens... any suggestion is appreciated.

    Thank you

    GT

    Hello

    A single failover-licensed PIX does not work like a normal PIX, so you cannot 'test' with it before connecting it. Once you connect it to your primary PIX, it will automatically update the IOS on the failover unit and replicate the config, so none of this is required of you beforehand. I found this process much easier by using the serial failover cable first; once the setup is finished, in my case I migrated to LAN-based failover later. Here are a couple of useful documents you can review. Your software version may require updated documentation.

    http://www.Cisco.com/en/us/customer/products/HW/vpndevc/ps2030/products_tech_note09186a0080094ea7.shtml

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_sw/v_63/config/failover.htm#1076500

  • Two VMs on different networks that ping each other

    Hello

    I'm using VMware Workstation for the first time. I have two VMs and I want them to be on two different networks. I want the networks to be able to ping each other. I have been researching this since yesterday and nothing seems to work. Perhaps I am confused by the bridged, NAT and host-only adapters. What I have is:

    VM1-> has two network adapters: VMNET1-Host-Only (192.168.247.128) and VMNET8-NAT (192.168.42.130)

    I'm not able to have an internet connection on the host-only adapter.

    VM2-> has a network card: VMNET8-NAT (192.168.42.129)

    From each virtual machine I can ping everything on the other virtual machine, but it seems a little odd.

    Is there another way to do this?

    Thank you very much

    Geneviève Nantel

    Although you can create several networks in VMware Workstation, there is no built-in possibility of doing the routing.

    André

  • My ASA cannot ping the LAN address

    I use an ASA to build an ezvpn. I can access the ASA and ping the inside interface address successfully. But my Windows 7 client cannot ping the interconnection address 10.100.255.2. I don't know how to solve the problem. If all goes well, someone can help me. Thank you...

    Setup:

    ASA5520# sh run
    : Saved
    :
    ASA Version 7.2(3)
    !
    hostname asa5520
    domain-name sxng
    enable password DOAXe2w/ilkXwCIz encrypted
    names
    dns-guard
    !
    interface GigabitEthernet0/0
     nameif outside
     security-level 0
     ip address x.x.x.x 255.255.255.248
    !
    interface GigabitEthernet0/1
     nameif inside
     security-level 100
     ip address 10.100.255.254 255.255.255.0
    !
    interface GigabitEthernet0/2
     nameif dmz
     security-level 50
     ip address x.x.x.x 255.255.255.0
    !
    interface GigabitEthernet0/3
     nameif wireless
     security-level 10
     ip address x.x.x.x 255.255.255.0
    !
    interface Management0/0
     shutdown
     nameif management
     security-level 100
     ip address 192.168.1.1 255.255.255.0
     management-only
    !
    passwd 2KFQnbNIdI.2KYOU encrypted
    boot system disk0:/pix723.bin
    ftp mode passive
    dns server-group DefaultDNS
     domain-name sxng
    access-list dmz_access_in extended permit ip any any
    access-list dmz_access_in extended permit icmp any any
    access-list split-tunnel standard permit 10.0.0.0 255.0.0.0
    access-list inside_nat0_outbound extended permit ip any 10.100.254.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.100.254.0 255.255.255.0
    access-list outside_cryptomap_dyn_20 extended permit ip any 10.100.254.0 255.255.255.0
    access-list acl_out extended permit icmp any any
    access-list acl_out extended permit tcp any host x.x.x.x eq www
    access-list acl_out extended permit tcp any host x.x.x.x eq 9000
    access-list acl_out extended permit udp any host x.x.x.x eq 9000
    ........
    ......
    access-list acl_out extended permit ip any 10.1.1.0 255.255.255.0
    access-list inside_access_in extended permit tcp 10.1.10.0 255.255.255.0 any eq 5000
    access-list acl_inside extended permit ip any any
    access-list acl_inside extended permit icmp any any
    access-list wireless_access_in extended permit ip any any
    access-list wireless_access_in extended permit icmp any any
    pager lines 24
    logging enable
    logging timestamp
    logging list vpn-event level emergencies
    logging list vpn-event message 109001-109028
    logging list vpn-event message 113001-113019
    logging buffer-size 5000
    logging console informational
    logging buffered debugging
    logging trap debugging
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    mtu wireless 1500
    mtu management 1500
    ip local pool vpnpool 10.100.254.1-10.100.254.250 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    icmp permit any inside
    asdm image disk0:/asdm-507.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 x.x.x.x
    global (dmz) 1 10.100.253.101-10.100.253.200 netmask 255.255.255.0
    global (wireless) 1 172.16.255.101-172.16.255.200 netmask 255.255.255.0
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 10.1.1.14 255.255.255.255
    nat (inside) 1 10.1.13.100 255.255.255.255
    nat (wireless) 1 172.16.0.0 255.255.0.0
    static (dmz,outside) tcp x.x.x.x www 10.100.253.1 www netmask 255.255.255.255
    .......
    .........
    static (inside,dmz) 10.1.1.11 10.1.1.11 netmask 255.255.255.255
    static (inside,dmz) 10.1.1.16 10.1.1.16 netmask 255.255.255.255
    static (dmz,outside) x.x.x.x 10.100.253.20 netmask 255.255.255.255
    static (dmz,outside) x.x.x.x 10.100.253.32 netmask 255.255.255.255
    access-group acl_out in interface outside
    access-group acl_inside in interface inside
    access-group acl_inside in interface inside
    access-group dmz_access_in in interface dmz
    route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
    route inside 10.0.0.0 255.0.0.0 10.100.255.1 1
    route inside 10.0.0.0 255.0.0.0 10.100.255.2 1
    route wireless 172.16.0.0 255.255.0.0 172.16.255.1 1
    !
    router ospf 1
     network 10.67.180.0 255.255.255.255 area 0
     network 0.0.0.0 0.0.0.0 area 1
     log-adj-changes
    !
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 10.0.0.0 255.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 20 set reverse-route
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 1
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp nat-traversal 20
    telnet 0.0.0.0 0.0.0.0 outside
    telnet 10.0.0.0 255.0.0.0 inside
    telnet 10.100.0.0 255.255.0.0 inside
    telnet 10.100.255.0 255.255.255.0 inside
    telnet 0.0.0.0 0.0.0.0 wireless
    telnet timeout 10
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 30
    console timeout 0
    dhcpd dns x.x.x.x
    !
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    !
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map global_policy
     class inspection_default
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect icmp
    !
    service-policy global_policy global
    group-policy sxnggroup internal
    group-policy sxnggroup attributes
     dns-server value 202.99.192.68
     ip-comp enable
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value split-tunnel
    username sxtrq password Y6cwK1wOhbhJ6YI/ encrypted
    username maboai password R6eu6P1iKIwFIFjS encrypted
    username winet password FwZ0ghxvIpXOepvf encrypted
    tunnel-group sxnggroup type ipsec-ra
    tunnel-group sxnggroup general-attributes
     address-pool vpnpool
     default-group-policy sxnggroup
    tunnel-group sxnggroup ipsec-attributes
     pre-shared-key *
    prompt hostname context
    Cryptochecksum:119ae137eef5ed97d38b4e2f90ed46d7
    : end

    ASA5520# sh route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default, U - per-user static route, o - ODR
           P - periodic downloaded static route

    Gateway of last resort is 202.97.158.177 to network 0.0.0.0

    C    x.x.x.x 255.255.255.248 is directly connected, outside
    C    172.16.255.0 255.255.255.0 is directly connected, wireless
    S    172.16.0.0 255.255.0.0 [1/0] via 172.16.255.1, wireless
    S    10.0.0.0 255.0.0.0 [1/0] via 10.100.255.1, inside
                            [1/0] via 10.100.255.2, inside
    C    10.100.255.0 255.255.255.0 is directly connected, inside
    S    10.100.254.2 255.255.255.255 [1/0] via x.x.x.x, outside
    C    10.100.253.0 255.255.255.0 is directly connected, dmz
    S*   0.0.0.0 0.0.0.0 [1/0] via x.x.x.x, outside

    ASA5520# sh arp
            outside x.x.x.x 00d0.d0c6.9181
            outside x.x.x.x 00d0.d0c6.9181
            outside 224.0.0.5 0100.5e00.0005
            inside 224.0.0.5 0100.5e00.0005
            inside 10.100.255.1 0000.0c07.acff
            inside 10.100.255.2 001c.b0cb.5ec0
            dmz 10.100.253.20 60a4.4c23.3032
            dmz 224.0.0.5 0100.5e00.0005
            dmz 10.100.253.1 001a.6436.6df6
            wireless 224.0.0.5 0100.5e00.0005
            wireless 172.16.255.1 0026.98c6.41c8

    Try using the "show crypto ipsec sa" command to watch the encaps and decaps packets; I hope they aren't incrementing too fast. You should be able to see both increase when it succeeds and only one side increase when it fails. Check both sides of the VPN, and this should give you an idea where the problem is. If the encaps packets are increasing on the ASA local to your Win7 PC and the decaps are increasing on the remote ASA but the encaps there are not, then the issue is with packets from the remote side. I hope this helps you determine the location of the problem so you can focus your search there.
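    An added example, not code from the thread: a Python helper that reads the #pkts encaps / #pkts decaps counters from two snapshots of "show crypto ipsec sa" on each ASA and applies the reply's logic to name the leg where packets stop. The counter values and the snapshot text are constructed for illustration.

```python
"""Locate on which leg of an IPsec tunnel packets stop, from counter snapshots.

Added example, not from the original thread. It applies the logic of the
reply above: take 'show crypto ipsec sa' on both ASAs before and after a
test ping, and compare how #pkts encaps / #pkts decaps moved on each side.
"""
import re

COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_ipsec_counters(show_output: str) -> dict:
    """Sum encaps/decaps over every SA printed by 'show crypto ipsec sa'."""
    totals = {"encaps": 0, "decaps": 0}
    for name, value in COUNTER_RE.findall(show_output):
        totals[name] += int(value)
    return totals


def counter_delta(before: dict, after: dict) -> dict:
    return {k: after[k] - before[k] for k in ("encaps", "decaps")}


def locate_loss(local_before, local_after, remote_before, remote_after) -> str:
    """Classify where packets stop. 'local' is the ASA next to the pinging host.

    Returns one of:
      local-not-encrypting    -> local ASA never put the packet into the tunnel
                                 (crypto ACL / NAT exemption / routing on the local side)
      lost-before-remote      -> encrypted locally but never decapsulated remotely
                                 (transport path, NAT-T, or SA mismatch)
      remote-not-replying     -> remote decapsulated but sent nothing back through
                                 the tunnel (remote-side routing, NAT or ACL)
      reply-lost-before-local -> remote replied but local never decapsulated it
      bidirectional           -> both directions moved; the tunnel itself is fine
    """
    l = counter_delta(local_before, local_after)
    r = counter_delta(remote_before, remote_after)
    if l["encaps"] <= 0:
        return "local-not-encrypting"
    if r["decaps"] <= 0:
        return "lost-before-remote"
    if r["encaps"] <= 0:
        return "remote-not-replying"
    if l["decaps"] <= 0:
        return "reply-lost-before-local"
    return "bidirectional"


# Constructed snapshots (counter values invented for illustration), in the
# line format 'show crypto ipsec sa' uses for these counters.
LOCAL_BEFORE = """\
    #pkts encaps: 100, #pkts encrypt: 100, #pkts digest: 100
    #pkts decaps: 40, #pkts decrypt: 40, #pkts verify: 40
"""
LOCAL_AFTER = """\
    #pkts encaps: 110, #pkts encrypt: 110, #pkts digest: 110
    #pkts decaps: 40, #pkts decrypt: 40, #pkts verify: 40
"""
REMOTE_BEFORE = """\
    #pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40
    #pkts decaps: 100, #pkts decrypt: 100, #pkts verify: 100
"""
REMOTE_AFTER = """\
    #pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40
    #pkts decaps: 110, #pkts decrypt: 110, #pkts verify: 110
"""


def demo() -> str:
    """Constructed scenario: ten pings left the local ASA and were decapsulated
    remotely, but the remote ASA never sent replies back into the tunnel."""
    return locate_loss(
        parse_ipsec_counters(LOCAL_BEFORE), parse_ipsec_counters(LOCAL_AFTER),
        parse_ipsec_counters(REMOTE_BEFORE), parse_ipsec_counters(REMOTE_AFTER),
    )


if __name__ == "__main__":
    print(demo())
```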

  • Windows 7 PC and Vista Home Premium computer on the same network cannot access each other

    I have a Vista Home Premium computer with a USB printer on a network with a Windows 7 Ultimate computer. Both recognize each other (both are visible in the network on both computers) but I cannot access one from the other. The message on Windows 7 says "your computer seems to be correctly configured but the resource does not." Any suggestions? I need to print and share printers.

    Here are the general network troubleshooting steps. Not all of them may apply to your situation, so just take the bits that do. It may seem daunting, but if you follow the steps in the links and suggestions below calmly and consistently, you will have no difficulty implementing your sharing.

    Problems sharing files between computers on a network are usually caused by 1) a misconfigured or overlooked firewall (including a dynamic firewall in a virtual private network); and/or 2) inadvertently running two firewalls, such as the Windows Firewall and a third-party firewall; and/or 3) not having the same user accounts and passwords on all computers in the workgroup; 4) trying to create shares where the operating system does not allow it.

    Excellent, comprehensive but easy to understand article on file/printer sharing under Vista. Contains information about sharing printers, files and folders:

    http://TechNet.Microsoft.com/en-us/library/bb727037.aspx

    In Vista, turn on password protected sharing. In Windows 7, go to Control Panel > All Control Panel Items > Network and Sharing Center. Click on "Change advanced sharing settings". You don't want to use HomeGroup unless you have all Windows 7 machines. If you do and you want to use the HomeGroup, see Windows 7 Help & Support. Otherwise, in advanced sharing:

    Turn on network discovery
    Turn on file and printer sharing
    Turn on sharing in the Public folder sharing section
    Turn on password protected sharing

    A. Configure the firewall on all machines to treat traffic from the local area network (LAN) as trusted. With the Windows Firewall, turning on File and Printer Sharing as above will take care of that for you. If you are not running a third-party firewall, or an antivirus/security program with its own firewall component, then you're fine. With a third-party firewall, I usually set up the LAN allowance with an IP address range, e.g. 192.168.1.0 - 192.168.1.254. Obviously you would substitute your correct subnet. Refer to the third-party security program or its user forums for how to correctly configure its firewall. Do not run more than one firewall. DON'T TURN OFF FIREWALLS; CONFIGURE THEM CORRECTLY.

    B. To facilitate organization, put all computers in the same workgroup. This is done from the System applet in Control Panel, Computer Name tab.

    C. Create matching user accounts and passwords on all machines. You do not need to be logged into the same account on all machines, and the passwords assigned to each user account can be different; the accounts/passwords just need to exist and match on all machines. DO NOT NEGLECT TO CREATE PASSWORDS, EVEN IF ONLY SIMPLE ONES. If you want a machine to boot directly to the desktop (a particular user account) for convenience, you can do this:

    Start > Search box > type: netplwiz [Enter]
    Click Continue (or provide an administrator password) when prompted by UAC

    Uncheck "Users must enter a user name and password to use this computer". Select a user account to log on automatically by clicking on the account you want to highlight, then press OK. Enter the password for this user account (if it has one) when prompted. Leave it blank if there is no password (null).

    D. Create shares as desired. In Windows 7/Vista I usually share the desktop and the Public directory.

    E. After you have file sharing working (and have tested it by exchanging a file between machines), if you want to share a printer connected locally to one of your computers, share it from that machine. Then go to the printer manufacturer's website and download the latest drivers for the correct operating system. Install them on the target machines. The printer should be picked up during the installation procedure. If it isn't, install the drivers and then use the Add Printer Wizard. In some cases, printers must be installed as local printers, but that is beyond the scope of this answer. MS-MVP - Elephant Boy Computers - Don't Panic!

  • I tried to set up a homegroup, but the systems cannot see each other.

    I tried to set up a homegroup

    I tried to set up a homegroup with my netbook (Windows 7 Starter edition) and a PC (Windows 7 Home Premium) with a printer. The PC and printer were already in this homegroup.

    Neither computer found the other. I ran the homegroup troubleshooter several times without success. I have Norton antivirus installed on both computers. Would Norton prevent the computers from finding each other?

    Thank you

    Thank you for your response. In the end, I didn't turn off Norton. I tried again and it worked.

    Regards

  • Guest and host OS can ping each other, but all the other hosts on the same subnet cannot ping the guest OS

    I use bridged networking. I tried to delete and recreate the NIC (did not help). I've upgraded to the latest version of VMware Server (20.0.0 build 122589) with the same result. Stuck here. Anyone have any ideas? Thank you.

    What are your host and guest operating systems? Are the NICs configured correctly (IP, DNS, gateway, etc.)?

    Are all necessary ports open (firewall, antivirus)?

    J.

  • Cisco VPN Client cannot ping internal LAN IP

    Hello

    I apologize in advance for my lack of knowledge about this, but I have an ASA 5510 running software version 7.2(2) and was asked to set up a site-to-site VPN with a client; I managed to get this configured and everything works fine. In addition, I created an ipsec-ra tunnel group for remote users to connect to a particular server, 192.168.10.100/24. Even though the connection is made successfully, I cannot ping any IP on the 192.168.10.0/24 LAN behind the ASA, and when I ping the inside interface of the ASA it returns the public IP address of the outside interface.

    If someone out there could give me a little push in the right direction, it would be much appreciated! This is the current configuration of the device.

    Thanks in advance.

    : Saved
    :
    ASA Version 7.2(2)
    !
    hostname ciscoasa5510
    domain-name domain.local
    enable password 123456789 encrypted
    names
    !
    interface Ethernet0/0
     nameif outside
     security-level 0
     pppoe client vpdn group ISP
     ip address 12.34.56.789 255.255.255.255 pppoe setroute
    !
    interface Ethernet0/1
     nameif inside
     security-level 100
     ip address 192.168.10.1 255.255.255.0
    !
    interface Ethernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Ethernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     nameif management
     security-level 100
     ip address 192.168.1.1 255.255.255.0
     management-only
    !
    passwd 123456789 encrypted
    ftp mode passive
    clock timezone GMT/UTC 0
    clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
    dns server-group DefaultDNS
     domain-name domain.local
    access-list outside_20_cryptomap extended permit ip 192.168.10.0 255.255.255.0 host 10.16.2.124
    access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 host 10.16.2.124
    access-list Split_Tunnel_List remark the company network behind the ASA
    access-list Split_Tunnel_List standard permit 192.168.10.0 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    ip local pool domain_vpn_pool 192.168.11.1-192.168.11.254 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-522.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 12.34.56.789 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    group-policy domain_vpn internal
    group-policy domain_vpn attributes
     dns-server value 212.23.3.100 212.23.6.100
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value Split_Tunnel_List
    username domain_ra_vpn password 123456789 encrypted
    username domain_ra_vpn attributes
     vpn-group-policy domain_vpn
    username user password 123456789 encrypted
    username user password 123456789 encrypted
    username user password 123456789 encrypted privilege 15
    username user password 123456789 encrypted
    aaa authentication ssh console LOCAL
    aaa authentication enable console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 192.168.10.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 20 match address outside_20_cryptomap
    crypto map outside_map 20 set peer 987.65.43.21
    crypto map outside_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 20 set security-association lifetime seconds 3600
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption aes-256
     hash sha
     group 5
     lifetime 86400
    crypto isakmp policy 30
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    tunnel-group 987.65.43.21 type ipsec-l2l
    tunnel-group 987.65.43.21 ipsec-attributes
     pre-shared-key *
    tunnel-group domain_vpn type ipsec-ra
    tunnel-group domain_vpn general-attributes
     address-pool domain_vpn_pool
     default-group-policy domain_vpn
    tunnel-group domain_vpn ipsec-attributes
     pre-shared-key *
    telnet 192.168.10.0 255.255.255.0 inside
    telnet timeout 5
    console timeout 0
    vpdn group ISP request dialout pppoe
    vpdn group ISP localname [email protected]
    vpdn group ISP ppp authentication chap
    vpdn username [email protected] password *
    dhcpd dns 212.23.3.100 212.23.6.100
    dhcpd lease 691200
    dhcpd ping_timeout 500
    dhcpd domain domain.local
    !
    dhcpd address 192.168.10.10-192.168.10.200 inside
    dhcpd enable inside
    !
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    !
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:1234567890987654321
    : end

    Hello

    It seems to me that you are at least missing the NAT0 configuration for your VPN Client connection.

    This configuration is meant to allow the VPN Clients to communicate with the local network using their original IP addresses. The main reason it is necessary is to keep this traffic away from the normal dynamic PAT rule, which would otherwise translate it and drop it for the corresponding timeout period.

    You can add an ACL rule to the existing NAT0 ACL you have above, and the NAT configuration should then work.

    Add this

    access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0

    Hope this helps

    Let me know how it goes

    -Jouni
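    As an added example (not code from the thread), a Python check of the point this answer makes: whether the NAT-exemption ACL referenced by "nat (inside) 0" covers traffic from the inside LAN to the VPN client pool. It parses the ACE from the posted config, then the same list with the suggested line appended; only "extended permit ip SRC DST" entries are handled, and a single ACE must cover the whole address pair.

    ```python
    import ipaddress

    # NAT-exemption ACL exactly as posted in the question (ASA 7.2 syntax) ...
    NAT0_ACL_BEFORE = [
        "access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 host 10.16.2.124",
    ]
    # ... and with the line the answer says to add.
    NAT0_ACL_AFTER = NAT0_ACL_BEFORE + [
        "access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0",
    ]
    LAN = ipaddress.ip_network("192.168.10.0/24")       # inside network
    VPN_POOL = ipaddress.ip_network("192.168.11.0/24")  # domain_vpn_pool, as a /24

    def _take_network(tokens):
        """Consume one ASA address spec ('host A', 'any' or 'A MASK'); return (network, rest)."""
        if tokens[0] == "host":
            return ipaddress.ip_network(tokens[1]), tokens[2:]
        if tokens[0] == "any":
            return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
        # ipaddress accepts the dotted netmask form directly
        return ipaddress.ip_network("%s/%s" % (tokens[0], tokens[1])), tokens[2:]

    def parse_ace(line):
        """Return (src_net, dst_net) from an 'access-list NAME extended permit ip SRC DST' line."""
        tokens = line.split()
        if tokens[:1] != ["access-list"] or tokens[2:5] != ["extended", "permit", "ip"]:
            raise ValueError("unsupported ACE: %s" % line)
        src, rest = _take_network(tokens[5:])
        dst, _ = _take_network(rest)
        return src, dst

    def exempt_from_nat(acl_lines, src_net, dst_net):
        """True if one ACE covers every src->dst flow, so nat (inside) 0 skips the PAT rule.

        Conservative: coverage split across several ACEs is reported as False.
        """
        for line in acl_lines:
            ace_src, ace_dst = parse_ace(line)
            if src_net.subnet_of(ace_src) and dst_net.subnet_of(ace_dst):
                return True
        return False

    if __name__ == "__main__":
        print("before:", exempt_from_nat(NAT0_ACL_BEFORE, LAN, VPN_POOL))  # False
        print("after: ", exempt_from_nat(NAT0_ACL_AFTER, LAN, VPN_POOL))   # True
    ```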

  • Cannot ping machines, but can RDP

    Hi all

    I have 3 virtual machines:

    DC 10.0.0.1

    SQL 10.0.0.2

    Members 10.0.0.3

    I've set up a VMnet2 host-only network, so there is no outside world.

    Everything works, but they cannot ping each other.

    I can't ping DC-> SQL

    DC-> members

    Members-> SQL

    SQL-> members

    I can ping SQL-> DC

    Members-> DC

    I can RDP from all machines to all machines, so the network is working.

    Why can't I ping?

    Thank you

    You must disable the Windows firewall or allow ping through the firewall.

  • VMware instances somehow cannot ping each other...

    This is the environment for my experiment:

    Host: Windows XP SP3

    VMware product: VMware Workstation 6.0.3

    VMware instances: one has Win2k3 with SP2 installed with the domain controller/DNS/Exchange server roles, the other has Win XP SP3 installed and acts as the client...

    IP configuration of the domain controller:

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : dc
       Primary Dns Suffix  . . . . . . . : ge.com
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : ge.com

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
       Physical Address. . . . . . . . . : 00-0C-29-56-FD-24
       DHCP Enabled. . . . . . . . . . . : No
       IP Address. . . . . . . . . . . . : 192.168.238.3
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . :
       DNS Servers . . . . . . . . . . . : 192.168.238.3

    Client IP configuration as below:

    *********************************************************

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : client1
       Primary Dns Suffix  . . . . . . . : ge.com
       Node Type . . . . . . . . . . . . : Unknown
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : ge.com

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
       Physical Address. . . . . . . . . : 00-0C-29-54-9D-B4
       DHCP Enabled. . . . . . . . . . . : No
       IP Address. . . . . . . . . . . . : 192.168.238.4
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . :
       DNS Servers . . . . . . . . . . . : 192.168.238.3

    And here are the DC's settings in VMware:

    And here are the VMware client's settings:

    And the virtual network settings as below:

    My problem is:

    Today, the two VMs suddenly cannot ping each other at ALL, even though they worked very well before without any problems.

    I tried changing the IPs, removing and re-adding the network cards and restarting both instances, but still no luck.

    Please kindly help me friends :)

    Hmm, so there is no problem with the NAT adapter; the problem looks to be with Bridge mode... Check whether the protocol in the host's Network Connections control panel is enabled for all the VMware adapters... try disabling and re-enabling them.

    If it's possible to restart the virtual machine... try this:

    - Remove the network card

    - Power on the virtual machine.

    - Power off the virtual machine.

    - Add the network adapter

    - Start the virtual machine. See if that helps.

    Regards

    Anil

    Save the planet, go green

    If you have found my reply useful, feel free to mark it as Helpful or Correct.
