Cisco VPN router to Juniper - need phase 1 Main Mode

Similar Questions

• Cisco VPN router VPN client commercial provider

  Hello

  IM new Cisco VPN technology so please forgive my ignorance.

  I am trying to connect my router to a comercial that support IPSec VPN provider gave me only that here the server ip, user name and password Secret.

  With this information, that I can, for example, to connect with an iPhone using the monofamille in Cisco's VPN IPSec.

  My question is how I put this up directly on a cisco router, or using CCP or config?

  Thanks in advance for all the help/pointers

  with the info given, there are the following config:

  Crypto ipsec VPN ezvpn client
  connect auto
  Astrill key way2stars group
  client mode
  Peer 1.2.3.4
  Astrill-email Astrill-password username password

  Sent by Cisco Support technique iPad App

• Cisco VPN Client and Windows XP VPN Client IPSec to ASA

  I configured ASA for IPSec VPN via Cisco VPN Client and XP VPN client communications. I can connect successfully with Cisco VPN Client, but I get an error when connecting with the XP client. Debugging said "misconfigured groups and transport/tunneling mode" I know, they use different methods of transport and tunneling, and I think that I have configured both. Take a look at the config.

  PS a funny thing - when I connect with client VPN in Windows Server 2003, I have no error. The only difference is that client XP is behind an ADSL router and client server is directly connected to the Internet on one of its public IP of interfaces. NAT in the case of XP can cause problems?

  Config is:

  !

  interface GigabitEthernet0/2.30

  Description remote access

  VLAN 30

  nameif remote access

  security-level 0

  IP 85.*. *. 1 255.255.255.0

  !

  access-list 110 scope ip allow a whole

  NAT list extended access permit tcp any host 10.254.17.10 eq ssh

  NAT list extended access permit tcp any host 10.254.17.26 eq ssh

  access-list extended ip allowed any one sheep

  access list nat-ganja extended permit tcp any host 10.254.17.18 eq ssh

  sheep-vpn access-list extended permits all ip 192.168.121.0 255.255.255.0

  tunnel of splitting allowed access list standard 192.168.121.0 255.255.255.0

  flow-export destination inside-Bct 192.168.1.27 9996

  IP local pool raccess 192.168.121.60 - 192.168.121.120 mask 255.255.255.0

  ARP timeout 14400

  global (outside-Baku) 1 interface

  global (outside-Ganja) interface 2

  NAT (inside-Bct) 0 access-list sheep-vpn

  NAT (inside-Bct) 1 access list nat

  NAT (inside-Bct) 2-nat-ganja access list

  Access-group rdp on interface outside-Ganja

  !

  Access remote 0.0.0.0 0.0.0.0 85.*. *. 1 2

  Route outside Baku 10.254.17.24 255.255.255.248 10.254.17.10 1

  Route outside Baku 192.1.1.0 255.255.255.0 10.254.17.10 1

  Outside-Baku route 192.168.39.0 255.255.255.0 10.254.17.10 1

  Route outside-Ganja 192.168.45.0 255.255.255.0 10.254.17.18 1

  Route outside-Ganja 192.168.69.0 255.255.255.0 10.254.17.18 1

  Route outside-Ganja 192.168.184.0 255.255.255.0 10.254.17.18 1

  Route outside Baku 192.168.208.16 255.255.255.240 10.254.17.10 1

  Route outside-Ganja 192.168.208.112 255.255.255.240 10.254.17.18 1

  dynamic-access-policy-registration DfltAccessPolicy

  Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT

  Crypto ipsec transform-set newset aes - esp esp-md5-hmac

  Crypto ipsec transform-set esp-3des esp-md5-hmac vpnclienttrans

  Crypto ipsec transform-set vpnclienttrans transport mode

  Crypto ipsec transform-set esp-3des esp-md5-hmac raccess

  life crypto ipsec security association seconds 214748364

  Crypto ipsec kilobytes of life security-association 214748364

  raccess 1 set transform-set vpnclienttrans crypto dyn1 dynamic-map

  vpnclientmap 30 card crypto ipsec-isakmp dynamic dyn1

  card crypto interface for remote access vpnclientmap

  crypto isakmp identity address

  ISAKMP crypto enable vpntest

  ISAKMP crypto enable outside-Baku

  ISAKMP crypto enable outside-Ganja

  crypto ISAKMP enable remote access

  ISAKMP crypto enable Interior-Bct

  crypto ISAKMP policy 30

  preshared authentication

  3des encryption

  md5 hash

  Group 2

  life 86400

  No encryption isakmp nat-traversal

  No vpn-addr-assign aaa

  Telnet timeout 5

  SSH 192.168.1.0 255.255.255.192 outside Baku

  SSH 10.254.17.26 255.255.255.255 outside Baku

  SSH 10.254.17.18 255.255.255.255 outside Baku

  SSH 10.254.17.10 255.255.255.255 outside Baku

  SSH 10.254.17.26 255.255.255.255 outside-Ganja

  SSH 10.254.17.18 255.255.255.255 outside-Ganja

  SSH 10.254.17.10 255.255.255.255 outside-Ganja

  SSH 192.168.1.0 255.255.255.192 Interior-Bct

  internal vpn group policy

  attributes of vpn group policy

  value of DNS-server 192.168.1.3

  Protocol-tunnel-VPN IPSec l2tp ipsec

  Split-tunnel-policy tunnelspecified

  Split-tunnel-network-list value split tunnel

  BCT.AZ value by default-field

  attributes global-tunnel-group DefaultRAGroup

  raccess address pool

  Group-RADIUS authentication server

  Group Policy - by default-vpn

  IPSec-attributes tunnel-group DefaultRAGroup

  pre-shared-key *.

  Hello

  For the Cisco VPN client, you would need a tunnel-group name configured on the ASA with a pre-shared key.

  Please see configuration below:

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805734ae.shtml

  or

  http://tinyurl.com/5t67hd

  Please see the section of tunnel-group config of the SAA.

  There is a tunnel-group called "rtptacvpn" and a pre-shared key associated with it. This group name is used by the VPN Client Group name.

  So, you would need a specific tunnel-group name configured with a pre-shared key and use it on the Cisco VPN Client.

  Secondly, because you are behind a router ADSL, I'm sure that's configured for NAT. can you please activate NAT - T on your ASA.

  "crypto isakmp nat-traversal.

  Thirdly, change the transformation of the value

  raccess 1 set transform-set vpnclienttrans crypto dyn1 dynamic-map

  Let me know the result.

  Thank you

  Gilbert

• Problems to connect via the Cisco VPN client IPSec of for RV180W small business router

  Hello

  I tried to configure my router Cisco of RV180W as a customer VPN IPSec, but have encountered a problem that I hope someone can help me with. "" I managed to do the work of configuration so that the Cisco's VPN IPSec client authenticates successfully with the XAUTH user, I put on the router, but during the negotiation, the client ends with the following, which appears several times on the router error message: ' Mar 20 Oct 19:41:53 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [34360] has no config mode.

  I've read around the internet and a number of people seem to say that the Cisco VPN Client is not compatible with the router, but the same thing happens to my iPhone VPN client.

  Is it possible that this can be implemented? Below, I have attached the full configuration files and the log files. Thank you much in advance.

  Router log file (I changed the IP addresses > respectively as well as references to MAC addresses)

  Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: floating ports NAT - T with counterpart > [44074]
  Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] WARNING: notification to ignore INITIAL-CONTACT > [44074] because it is admitted only after the phase 1.
  Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: NAT - D payload does not match for > [4500]
  Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: NAT - D payload does not match for > [44074]
  Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: received unknown Vendor ID
  Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: received Vendor ID: CISCO-UNITY
  Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: NAT detected: is located behind a device. NAT and alsoPeer is behind a NAT device
  Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: request sending Xauth for > [44074]
  Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: ISAKMP Security Association established for > [4500] -> [44074] with spi =>.
  Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] INFO: receives the type of the attribute 'ISAKMP_CFG_REPLY' of > [44074]
  Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] INFO: login successful for the user "myusername".
  Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] INFO: myusername XAuthUser connected from the IP >
  Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] INFO: sending of information Exchange: Notify payload [10381]
  Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] INFO: receives the type of the attribute 'ISAKMP_CFG_REQUEST' of > [44074]
  Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no config mode
  Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no config mode
  Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no config mode
  Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no config mode
  Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] WARNING: ignored attribute 5
  Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no config mode
  Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no config mode
  Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no config mode
  Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no config mode
  Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no config mode
  Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no config mode
  Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] WARNING: attribute ignored 28683
  Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no mode config
  Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] WARNING: attribute ignored 28684
  Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no config mode
  Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no mode config
  Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: remove the invalid payload with doi:0.
  Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] INFO: purged-Association of ISAKMP security with proto_id = ISAKMP and spi =>.
  Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] INFO: myusername XAuthUser Logged Out of the IP >
  Mar 20 Oct 20:03:16 2015 (GMT + 0000): [r1] [IKE] INFO: ISAKMP Security Association deleted for > [4500] -> [44074] with spi =>

  The router configuration

  screen_shot_10-20 - 15_at_09.00_pm.png

  

  IKE policy

  screen_shot_10-20 - 15_at_09.00_pm_001.png

  

  screen_shot_10-20 - 15_at_09.01_pm.png

  

  VPN strategy

  screen_shot_10-20 - 15_at_09.02_pm.png

  

  screen_shot_10-20 - 15_at_09.02_pm_001.png

  

  Client configuration

  Hôte : < router="" ip=""> >

  Authentication group name: remote.com

  Password authentication of the Group: mysecretpassword

  Transport: Enable Transparent Tunneling; IPSec over UDP (NAT/PAT)

  Username: myusername

  Password: mypassword

  Please contact Cisco.

  Correct, the RV180 is not compatible with the Cisco VPN Client.  The Iphone uses the Cisco VPN Client.

  You can use the PPTP on the RV180 server to connect a PPTP Client.

  In addition, it RV180 will allow an IPsec connection to third-party customers 3.  Greenbow and Shrew Soft are 2 commonly used clients.

• Cisco IOS - access remote VPN - route unwanted problem

  Hello

  I recently ran into a problematic scenario: I am trying to connect to a remote LAN (using a Cisco VPN client on my windows xp machine) my office LAN and access a server there. The problem is that I need a remote local network access at the same time.

  Remote LAN: 172.16.0.0/16

  LAN office: 172.16.45.0/24

  Topology:

  (ME: 172.16.10.138/25) - (several subnets form 172.16.0.0/16) - (Internet cloud) - (VPN-Gateway) - (172.16.45.0/24) - (TARGET: 172.16.45.100)

  To provide access, I configured a VPN to access simple distance on a 1700 series router. It's the relevant part:

  (...)

  crypto ISAKMP client config group group-remote access

  my-key group

  VPN-address-pool

  ACL 100

  IP local pool pool of addresses-vpn - 172.16.55.1 172.16.55.30

  access-list 100 permit ip 172.16.45.100 host 172.16.55.0 0.0.0.31

  (...)

  The configuration works fine, I can access the 172.16.45.100 server every time I need to. However, the problem is that when the VPN connection is connected, Windows wants to somehow rout the packets intended for 172.16.0.0/16 through the VPN tunnel. This is apparently due to a static route that added by the Cisco VPN Client and all other specific VPN routes.

  I suspect that the culprit is the IP LOCAL POOL, since when the VPN is connected, debugging of Client VPN log shows something like "adapter connected, address 172.16.55.1/16. Focus on the part "/ 16". I checked the VPN status page and the only road indicated there was "172.16.45.100 255.255.255.255" under remote routes. Local routes was empty.

  Is this a known problem I missed the obvious solution for? Is there no workaround apart from the pool local vpn penetrating high-end 10.x.x.x or 192.168.x.x? Thank you in advance for advice or tips!

  Hello

  The best way is to avoid any overlap between the local network and VPN pool.

  Try 172.17.0.0/16, is also private IP address space:

  http://en.Wikipedia.org/wiki/Private_network

  Please rate if this helped.

  Kind regards

  Daniel

• IPSec site to site VPN cisco VPN client routing problem and

  Hello

  I'm really stuck with the configuration of ipsec site to site vpn (hub to spoke, multiple rays) with cisco vpn remote client access to this vpn.

  The problem is with remote access - cisco vpn client access - I can communicate with hub lan - but I need also communication of all lans speaks of the cisco vpn client.

  There are on the shelves, there is no material used cisco - routers DLINK.

  Someone told me that it is possible to use NAT to translate remote access IP-lan-HUB customers and thus allow communication - but I'm unable to set up and operate.

  Can someone help me please?

  Thank you

  Peter

  RAYS - not cisco devices / another provider

  Cisco 1841 HSEC HUB:

  crypto ISAKMP policy 1

  BA 3des

  preshared authentication

  Group 2

  ISAKMP crypto key x xx address no.-xauth

  !

  the group x crypto isakmp client configuration

  x key

  pool vpnclientpool

  ACL 190

  include-local-lan

  !

  86400 seconds, duration of life crypto ipsec security association

  Crypto ipsec transform-set esp-3des esp-sha-hmac 1cisco

  !

  Crypto-map dynamic dynmap 10

  Set transform-set 1cisco

  !

  card crypto ETH0 client authentication list userauthen

  card crypto isakmp authorization list groupauthor ETH0

  client configuration address card crypto ETH0 answer

  ETH0 1 ipsec-isakmp crypto map

  set peer x

  Set transform-set 1cisco

  PFS group2 Set

  match address 180

  card ETH0 10-isakmp ipsec crypto dynamic dynmap

  !

  !

  interface FastEthernet0/1

  Description $ES_WAN$

  card crypto ETH0

  !

  IP local pool vpnclientpool 192.168.200.100 192.168.200.150

  !

  !

  overload of IP nat inside source list LOCAL interface FastEthernet0/1

  !

  IP access-list extended LOCAL

  deny ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255

  deny ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255

  IP 192.168.7.0 allow 0.0.0.255 any

  !

  access-list 180 allow ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255

  access-list 190 allow ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255

  !

  How the DLINK has been configured for traffic between the site to site VPN subnets? You are able to add multiple remote subnets on DLINK? If you can, then you must add the pool of Client VPN subnet.

  Alternatively, if you cannot add multiple subnet on DLINK router, you can change the pool of Client VPN 192.168.6.0/24, and on the crypto ACL between the site to site VPN, you must edit the 180 existing ACL

  DE:

  access-list 180 allow ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255

  access-list 180 allow ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255

  TO:

  access-list 180 allow ip 192.168.6.0 0.0.1.255 192.168.1.0 0.0.0.255

  Also change the ACL 190 split tunnel:

  DE:

  access-list 190 allow ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255

  access-list 190 allow ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255

  TO:

  access-list 190 allow ip 192.168.7.0 0.0.0.255 192.168.6.0 0.0.0.255

  access-list 190 allow ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255

  Finally, replace the remote subnet 192.168.7.0/255.255.255.0 192.168.6.0/255.255.254.0 DLINK.

  Hope that helps.

• VPN router Cisco 2611XM VPN client

  I have 2611XM router on a Central site with two FastEthernet interfaces? XA; (FastEthernet0/0 and FastEtherne0/1). FE0/0 has private ip address?xa;192.168.1.1/24 and it connects on LAN 192.168.1.0/24. FE0/1A public? XA; address x.x.x.x/30 and his connects to Internet. There on this NAT router? XA; with overload. ? XA; This router is to give customers remote access with Cisco VPN client on? XA; Internet to the LAN and at the same time, the users local access to the Internet. ? XA; I did a config that establish the tunnel between the clients and the router but? XA; I can't ping all devices on the local network. ? XA; The router must also give remote access and LAN in the scenarios from site to site? XA;

  I can establish the tunnel between my PC and the router via a dial-up Internet connection. But when the tunnel is established that except my public IP address of the router, I can't ping any public IP address. I can ping all other customers who owns the ip address of the pool for customers.

  Addition of the sheep route map should not make you lose the connection to the router.

  Are the commands that you will need to put in

  access-list 101 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255

  access-list 101 permit ip 192.168.1.0 0.0.0.255 any

  sheep allowed 10 route map

  corresponds to the IP 101

  You need to delete translations of nat or remove commands 'ip nat outside' and 'ip nat inside' temporarily while you are taking the following off the coast

  no nat ip inside the source list 7 pool internet overload

  and add the command

  IP nat inside source map route sheep pool internet overload

  Make sure that you reapply the "nat inside ip' and ' ip nat outside of ' orders return of your internal users will not be able to go to the internet.

  You can search this config in the link that sent Glenn-

  http://www.Cisco.com/warp/public/707/ios_D.html

  I pasted the lines that you should look into setting up the example below

  ! - Except the private network and the VPN Client from the NAT process traffic.

  access-list 110 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255

  access-list 110 deny ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255

  access-list 110 permit ip 192.168.100.0 0.0.0.255 any

  ! - Except the private network and the VPN Client from the NAT process traffic.

  sheep allowed 10 route map

  corresponds to the IP 110

  -Except the private network and the VPN Client from the NAT process traffic.

  IP nat inside source map route sheep interface FastEthernet0/0 overload

  Thank you

  Ranjana

• PPTP VPN Cisco IOS router through

  Hi all

  I was wondering if there is a trick to get PPTP to work through a Cisco router.  He was in fact at some point, but I don't remember what has been changed over time... However, it no longer works.

  Current configuration includes:

  * CBAC applied inbound and outbound on the Internet interface (I needed to add incoming to fix a problem with the mode passive FTP doesn't work is not on a FTP server hosted behind this router)

  * CBAC inspects, among other things, PPTP

  * ACL applied inbound on interface Internet, GRE and TCP 1723 admitted any intellectual property

  * No other ACL on the router

  * IOS 15.0 (1)

  * Inbound configuration NAT for TCP 1723 (currently using the WAN IP address)

  One thing I saw was so Troubleshooting "IKE Dispatcher: IKEv2 version detected 2, Dropping package! - but I think that it is a wrong journal (router as the Cisco VPN configuration example).

  The server is definitely okay - we are able to connect over PPTP VPN from the local network to the server.  So I think it's a sort of NAT problem, because I don't see anything dropped by the firewall.

  Anyone able to point me in the right direction?

  Thank you

  Hello

  Thanks for fix the "sh run". Could you change the following:

  IP nat inside source static tcp 10.77.99.11 1723 1723 road-map repeating sheep ccc.ccc.ccc.ccc

  to do this:

  IP nat inside source static tcp 10.77.99.11 1723 1723 extensible ccc.ccc.ccc.ccc

  It would be prudent to proceed with this change in the removal of the map of the route if no one connects to the server via the PPTP VPN.

  Let me know.

  Kind regards

  ANU

  P.S. Please mark this question as answered if it was resolved. Note the useful messages. Thank you!

• Need help with native VPN client for Mac to the Configuration of the VPN router RV082

  Guys,

  I am trying to set up router RV082 VPN Client with native Mac for my remote access. However, no matter what I did, I'm not able to make works. Can any give me an example of how to set my router RV082 and Mac Book Pro (Mountain Lion)?

  Thank you

  Hi Jixian, the native client MAC does not work. The IPSEC VPN client is the same as the 5.x Cisco VPN client is not supported on this device.

  Your alternatives are to use PPTP or a 3rd party IPsec client such as ipsecuritas.

  -Tom
  Please evaluate the useful messages

• Client VPN Cisco ASA 5505 Cisco 1841 router

  Hello. I'm doing a connection during a cisco vpn client and a vpn on one server asa 5505 behind a 1841 router (internet adsl2 + and NAT router).

  My topology is almost as follows

  customer - tunnel - 1841 - ASA - PC

  ASA is the endpoint vpn (outside interface) device. I forward udp port 500 and 4500 on my router to the ASA and the tunnel rises. I exempt nat'ting on the asa and the router to the IP in dhcp vpn pool. I can connect to my tunnel but I can't "see" anything in the internal network. I allowed all traffic from the outside inwards buy from the ip vpn pool and I still send packets through the tunnel and I get nothing. I take a look at the statistics on the vpn client and I 2597 bytes (ping traffic) and there are no bytes. Any idea?

  Where you you logged in when you took the "crypto ipsec to show his"? If this isn't the case then try again, also this option allows IPSEC over UDP 4500 and it is disabled, enable it.

  ISAKMP nat-traversal crypto

  Just enter the command as it is, then try to connect again after activation of this option and get the same result to see the.

• PIX: Cisco VPN Client connects but no routing

  Hello

  We have a Cisco PIX 515 with software 7.1 (2). He accepts Cisco VPN Client connections with no problems, but no routing does to internal networks directly connected to the PIX. For example, my PC is affected by the IP 172.16.2.57 and then ping does not respond to internal Windows server 172.16.0.12 or trying to RDP. The most irritating thing is that these attempts are recorded in the system log, but always ended with "SYN timeout", as follows:

  2009-01-06 23:23:01 Local4.Info 217.15.42.214% 302013-6-PIX: built 3315917 for incoming TCP connections (172.16.2.57/1283) outside:172.16.2.57/1283 inside: ALAI2 / 3389 (ALAI2/3389)

  2009-01-06 23:23:31 Local4.Info 217.15.42.214% 302014-6-PIX: TCP connection disassembly 3315917 for outside:172.16.2.57/1283 inside: ALAI2 / 3389 duration 0:00:30 bytes 0 SYN Timeout

  2009-01-06 23:23:31 Local4.Debug 217.15.42.214% 7-PIX-609002: duration of disassembly-outside local host: 172.16.2.57 0:00:30

  We tried to activate and deactivate "nat-control", "permit same-security-traffic inter-interface" and "permit same-security-traffic intra-interface", but the results are the same: the VPN connection is successfully established, but remote clients cannot reach the internal servers.

  I enclose the training concerned in order to understand the problem:

  interface Ethernet0

  Speed 100

  full duplex

  nameif outside

  security-level 0

  IP address xx.yy.zz.tt 255.255.255.240

  !

  interface Ethernet1

  nameif inside

  security-level 100

  172.16.0.1 IP address 255.255.255.0

  !

  access extensive list ip 172.16.0.0 inside_nat0_outbound allow 255.255.255.0 172.16.2.56 255.255.255.248

  !

  access extensive list ip 172.16.0.0 outside_cryptomap_dyn_20 allow 255.255.255.0 172.16.2.56 255.255.255.248

  !

  VPN_client_group_splitTunnelAcl list standard access allowed 172.16.0.0 255.255.255.0

  !

  IP local pool pool_vpn_clientes 172.16.2.57 - 172.16.2.62 mask 255.255.255.248

  !

  NAT-control

  Global xx.yy.zz.tt 12 (outside)

  NAT (inside) 0-list of access inside_nat0_outbound

  NAT (inside) 12 172.16.0.12 255.255.255.255

  !

  internal VPN_clientes group strategy

  attributes of Group Policy VPN_clientes

  xxyyzz.NET value by default-field

  internal VPN_client_group group strategy

  attributes of Group Policy VPN_client_group

  Split-tunnel-policy tunnelspecified

  value of Split-tunnel-network-list VPN_client_group_splitTunnelAcl

  xxyyzz.local value by default-field

  !

  I join all the details of the cryptographic algorithms because the VPN is successfully completed, as I said at the beginning. In addition, routing tables are irrelevant in my opinion, because the inaccessible hosts are directly connected to the internal LAN of the PIX 515.

  Thank you very much.

  can you confirm asa have NAT traversal allow otherwise, activate it in asa and vpn clients try again.

  PIX / ASA 7.1 and earlier versions

  PIX (config) #isakmp nat-traversal 20

  PIX / ASA 7.2 (1) and later versions

  PIX (config) #crypto isakmp nat-traversal 20

• Cisco VPN Client - what are the ports I need to open the 1841?

  Hello. As it says on the Tin really, what are the ports I need to allow my access on our 1841 list to allow the Cisco VPN client on through it?

  Ta

  UDP 500 (isakmp)

  UDP 4500 (nat - t)

  Protocol ESP 50

• PIX 501 for Cisco 3640 VPN router

  -Start ciscomoderator note - the following message has been changed to remove potentially sensitive information. Please refrain from publishing confidential information about the site to reduce the risk to the security of your network. -end of the note ciscomoderator-

  Have a 501 PIX and Cisco 3640 router. The 3640 is configured for dynamic map for VPN. The PIX 501 is set to pointing to the 3640 router static map. I can establish a tunnel linking the PIX to the router and telnet to a machine AIX on the inside network to the router. When I try to print on the network of the PIX 501 inside it fails.

  What Miss me? I added the configuration for the PIX and the router.

  Here are the PIX config:

  PIX Version 6.1 (1)

  ethernet0 nameif outside security0

  nameif ethernet1 inside the security100

  enable encrypted password xxxxxxxxxxxxxxxx

  xxxxxxxxxxxxx encrypted passwd

  pixfirewall hostname

  fixup protocol ftp 21

  fixup protocol http 80

  fixup protocol h323 1720

  fixup protocol rsh 514

  fixup protocol rtsp 554

  fixup protocol smtp 25

  fixup protocol sqlnet 1521

  fixup protocol sip 5060

  fixup protocol 2000 skinny

  names of

  pager lines 24

  interface ethernet0 10baset

  interface ethernet1 10full

  Outside 1500 MTU

  Within 1500 MTU

  IP address outside dhcp setroute

  IP address inside 192.168.1.1 255.255.255.0

  alarm action IP verification of information

  alarm action attack IP audit

  PDM logging 100 information

  history of PDM activate

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

  Timeout xlate 0:05:00

  Timeout conn 01:00 half-closed 0: 10:00 udp 0:02:00 CPP 0: h323 from 10:00 0:05:00 sip 0:30:00 sip_media 0:02:00

  Timeout, uauth 0:05:00 absolute

  GANYMEDE + Protocol Ganymede + AAA-server

  RADIUS Protocol RADIUS AAA server

  Enable http server

  http 192.168.1.0 255.255.255.0 inside

  No snmp server location

  No snmp Server contact

  SNMP-Server Community public

  No trap to activate snmp Server

  enable floodguard

  No sysopt route dnat

  Telnet timeout 5

  SSH timeout 5

  dhcpd address 192.168.1.2 - 192.168.1.33 inside

  dhcpd lease 3600

  dhcpd ping_timeout 750

  dhcpd outside auto_config

  dhcpd allow inside

  Terminal width 80

  Cryptochecksum:XXXXXXXXXXXXXXXXXXX

  : end

  Here is the router config

  Router #sh runn

  Building configuration...

  Current configuration: 6500 bytes

  !

  version 12.2

  no service button

  tcp KeepAlive-component snap-in service

  a tcp-KeepAlive-quick service

  horodateurs service debug datetime localtime

  Log service timestamps datetime localtime

  no password encryption service

  !

  router host name

  !

  start the flash slot1:c3640 - ik9o3s - mz.122 - 16.bin system

  queue logging limit 100

  activate the password xxxxxxxxxxxxxxxxx

  !

  clock TimeZone Central - 6

  clock summer-time recurring CENTRAL

  IP subnet zero

  no ip source route

  !

  !

  no ip domain-lookup

  !

  no ip bootp Server

  inspect the name smtp Internet IP

  inspect the name Internet ftp IP

  inspect the name Internet tftp IP

  inspect the IP udp Internet name

  inspect the tcp IP Internet name

  inspect the name DMZ smtp IP

  inspect the name ftp DMZ IP

  inspect the name DMZ tftp IP

  inspect the name DMZ udp IP

  inspect the name DMZ tcp IP

  audit of IP notify Journal

  Max-events of po verification IP 100

  !

  crypto ISAKMP policy 1

  BA 3des

  preshared authentication

  Group 2

  !

  crypto ISAKMP policy 20

  BA 3des

  preshared authentication

  Group 2

  ISAKMP crypto key address x.x.180.133 xxxxxxxxxxx

  ISAKMP crypto keys xxxxxxxxxxx address 0.0.0.0 0.0.0.0

  !

  !

  Crypto ipsec transform-set esp-3des esp-sha-hmac vpn test

  Crypto ipsec transform-set esp-3des esp-sha-hmac PIXRMT

  !

  dynamic-map crypto dny - Sai 25

  game of transformation-PIXRMT

  match static address PIX1

  !

  !

  static-card 10 map ipsec-isakmp crypto

  the value of x.x.180.133 peer

  the transform-set vpn-test value

  match static address of Hunt

  !

  map ISCMAP 15-isakmp ipsec crypto dynamic dny - isc

  !

  call the rsvp-sync

  !

  !

  !

  controller T1 0/0

  framing ESF

  linecode b8zs

  Slots 1-12 channels-group 0 64 speed

  Description controller to the remote frame relay

  !

  controller T1 0/1

  framing ESF

  linecode b8zs

  Timeslots 1-24 of channel-group 0 64 speed

  Description controller for internet link SBIS

  !

  interface Serial0/0:0

  Description CKT ID 14.HXGK.785129 Frame Relay to Remote Sites

  bandwidth 768

  no ip address

  no ip redirection

  no ip unreachable

  no ip proxy-arp

  encapsulation frame-relay

  frame-relay lmi-type ansi

  !

  interface Serial0 / point to point 0:0.17

  Description Frame Relay to xxxxxxxxxxx location

  IP unnumbered Ethernet1/0

  no ip redirection

  no ip unreachable

  no ip proxy-arp

  IP nat inside

  No arp frame relay

  dlci 17 frame relay interface

  !

  interface Serial0 / point to point 0:0.18

  Description Frame Relay to xxxxxxxxxxx location

  IP unnumbered Ethernet1/0

  no ip redirection

  no ip unreachable

  no ip proxy-arp

  IP nat inside

  No arp frame relay

  dlci 18 frame relay interface

  !

  interface Serial0 / point to point 0:0.19

  Description Frame Relay to xxxxxxxxxxx location

  IP unnumbered Ethernet1/0

  no ip redirection

  no ip unreachable

  no ip proxy-arp

  IP nat inside

  No arp frame relay

  dlci 19 frame relay interface

  !

  interface Serial0 / point to point 0:0.20

  Description Frame Relay to xxxxxxxxxxxxx location

  IP unnumbered Ethernet1/0

  no ip redirection

  no ip unreachable

  no ip proxy-arp

  IP nat inside

  No arp frame relay

  dlci 20 frame relay interface

  !

  interface Serial0 / point to point 0:0.21

  Description Frame Relay to xxxxxxxxxxxx

  IP unnumbered Ethernet1/0

  no ip redirection

  no ip unreachable

  no ip proxy-arp

  IP nat inside

  No arp frame relay

  dlci 21 frame relay interface

  !

  interface Serial0 / point to point 0:0.101

  Description Frame Relay to xxxxxxxxxxx

  IP unnumbered Ethernet1/0

  no ip redirection

  no ip unreachable

  no ip proxy-arp

  IP nat inside

  No arp frame relay

  dlci 101 frame relay interface

  !

  interface Serial0/1:0

  CKT ID 14.HCGS.785383 T1 to ITT description

  bandwidth 1536

  IP address x.x.76.14 255.255.255.252

  no ip redirection

  no ip unreachable

  no ip proxy-arp

  NAT outside IP

  inspect the Internet IP on

  no ip route cache

  card crypto ISCMAP

  !

  interface Ethernet1/0

  IP 10.1.1.1 255.255.0.0

  no ip redirection

  no ip unreachable

  no ip proxy-arp

  IP nat inside

  no ip route cache

  no ip mroute-cache

  Half duplex

  !

  interface Ethernet2/0

  IP 10.100.1.1 255.255.0.0

  no ip redirection

  no ip unreachable

  no ip proxy-arp

  IP nat inside

  no ip route cache

  no ip mroute-cache

  Half duplex

  !

  router RIP

  10.0.0.0 network

  network 192.168.1.0

  !

  IP nat inside source list 112 interface Serial0/1: 0 overload

  IP nat inside source static tcp 10.1.3.4 443 209.184.71.138 443 extensible

  IP nat inside source static tcp 10.1.3.4 9869 209.184.71.138 9869 extensible

  IP nat inside source 10.1.3.2 static 209.184.71.140

  IP nat inside source static 10.1.3.6 209.184.71.139

  IP nat inside source static 10.1.3.8 209.184.71.136

  IP nat inside source static tcp 10.1.3.10 80 209.184.71.137 80 extensible

  IP classless

  IP route 0.0.0.0 0.0.0.0 x.x.76.13

  IP route 10.2.0.0 255.255.0.0 Serial0 / 0:0.19

  IP route 10.3.0.0 255.255.0.0 Serial0 / 0:0.18

  IP route 10.4.0.0 255.255.0.0 Serial0 / 0:0.17

  IP route 10.5.0.0 255.255.0.0 Serial0 / 0:0.20

  IP route 10.6.0.0 255.255.0.0 Serial0 / 0:0.21

  IP route 10.7.0.0 255.255.0.0 Serial0 / 0:0.101

  no ip address of the http server

  !

  !

  PIX1 static extended IP access list

  IP 10.1.0.0 allow 0.0.255.255 192.168.1.0 0.0.0.255

  IP access-list extended hunting-static

  IP 10.1.0.0 allow 0.0.255.255 192.168.1.0 0.0.0.255

  extended IP access vpn-static list

  ip permit 192.168.1.0 0.0.0.255 10.1.0.0 0.0.255.255

  IP 192.0.0.0 allow 0.255.255.255 10.1.0.0 0.0.255.255

  access-list 1 refuse 10.0.0.0 0.255.255.255

  access-list 1 permit one

  access-list 12 refuse 10.1.3.2

  access-list 12 allow 10.1.0.0 0.0.255.255

  access-list 12 allow 10.2.0.0 0.0.255.255

  access-list 12 allow 10.3.0.0 0.0.255.255

  access-list 12 allow 10.4.0.0 0.0.255.255

  access-list 12 allow 10.5.0.0 0.0.255.255

  access-list 12 allow 10.6.0.0 0.0.255.255

  access-list 12 allow 10.7.0.0 0.0.255.255

  access-list 112 deny ip host 10.1.3.2 everything

  access-list 112 refuse ip 10.1.0.0 0.0.255.255 192.168.1.0 0.0.0.255

  access-list 112 allow ip 10.1.0.0 0.0.255.255 everything

  access-list 112 allow ip 10.2.0.0 0.0.255.255 everything

  access-list 112 allow ip 10.3.0.0 0.0.255.255 everything

  access-list 112 allow ip 10.4.0.0 0.0.255.255 everything

  access-list 112 allow ip 10.5.0.0 0.0.255.255 everything

  access-list 112 allow ip 10.6.0.0 0.0.255.255 everything

  access-list 112 allow ip 10.7.0.0 0.0.255.255 everything

  access-list 120 allow ip host 10.100.1.10 10.1.3.7

  not run cdp

  !

  Dial-peer cor custom

  !

  !

  !

  !

  connection of the banner ^ CCC

  ******************************************************************

  WARNING - Unauthorized USE strictly PROHIBITED!

  ******************************************************************

  ^ C

  !

  Line con 0

  line to 0

  password xxxxxxxxxxxx

  local connection

  Modem InOut

  StopBits 1

  FlowControl hardware

  line vty 0 4

  exec-timeout 15 0

  password xxxxxxxxxxxxxx

  opening of session

  !

  end

  Router #.

  Add the following to the PIX:

  > permitted connection ipsec sysopt

  This indicates the PIX around all ACLs for IPsec traffic. Now that your IPSec traffic is still subject to the standard rules of PIX, so launched inside the traffic is allowed to go in, but off-initiated traffic is not.

• Cisco VPN Client 2801 router

  Hello

  I installed a router cisco 2801 to accept vpn connections, I use the cisco vpn client and the tunnel is created and is being created of the its.

  However, I cannot ping my vlan (only those who have a nat inside the ACL, those who have not said I can ping), so I have a NAT problem, just don't know where.

  Heres part of my setup on the ACL,

  IP local pool ippool 192.168.100.10 192.168.100.100

  by default-gateway IP X.X.X.X (ISP GATEWAY)

  IP forward-Protocol ND

  IP http server

  no ip http secure server

  IP http flash path:

  !

  !

  IP nat inside source list 1 interface FastEthernet0/1 overload

  IP nat inside source list 2 interface FastEthernet0/1 overload

  IP nat inside source list 3 interface FastEthernet0/1 overload

  IP nat inside source list 6 interface FastEthernet0/1 overload

  overload of IP nat inside source list 20 interface FastEthernet0/1

  IP nat inside source map route SHEEP interface FastEthernet0/1 overload

  IP route 0.0.0.0 0.0.0.0 X.X.X.X (external IP)

  Route IP 192.168.10.0 255.255.255.0 192.168.90.2

  IP route 192.168.20.0 255.255.255.0 192.168.90.2

  IP route 192.168.30.0 255.255.255.0 192.168.90.2

  IP route 192.168.40.0 255.255.255.0 192.168.90.2

  IP route 192.168.50.0 255.255.255.0 192.168.90.2

  IP route 192.168.60.0 255.255.255.0 192.168.90.2

  IP route 192.168.200.0 255.255.255.0 192.168.90.2

  !

  NAT extended IP access list

  deny ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255

  deny ip 192.168.20.0 0.0.0.255 192.168.100.0 0.0.0.255

  deny ip 192.168.30.0 0.0.0.255 192.168.100.0 0.0.0.255

  deny ip 192.168.60.0 0.0.0.255 192.168.100.0 0.0.0.255

  deny ip 192.168.90.0 0.0.0.255 192.168.100.0 0.0.0.255

  permit ip 192.168.10.0 0.0.0.255 any

  ip licensing 192.168.20.0 0.0.0.255 any

  IP 192.168.30.0 allow 0.0.0.255 any

  IP 192.168.60.0 allow 0.0.0.255 any

  IP 192.168.90.0 allow 0.0.0.255 any

  !

  access-list 1 permit 192.168.90.0 0.0.0.255

  access-list 2 allow to 192.168.10.0 0.0.0.255

  access-list 3 allow 192.168.30.0 0.0.0.255

  access-list 6 permit 192.168.60.0 0.0.0.255

  access-list 20 allow 192.168.200.0 0.0.0.255

  !

  SHEEP allowed 10 route map

  corresponds to the IP NAT

  !

  The 192.168.90.2 address is my switch L3 (Cisco 3750)

  Any pointer is more than welcome,

  Concerning

  Miranda,

  Have you tried to remove the following lines:

  IP nat inside source list 1 interface FastEthernet0/1 overload

  IP nat inside source list 2 interface FastEthernet0/1 overload

  IP nat inside source list 3 interface FastEthernet0/1 overload

  IP nat inside source list 6 interface FastEthernet0/1 overload

  overload of IP nat inside source list 20 interface FastEthernet0/1

  And simply let this one:

  IP nat inside source map route SHEEP interface FastEthernet0/1 overload

  ?

  I have all the neceary allowed in the ACL of NAT, so you do not have individual lines for each network.

  Also, I noticed that your ACL 20 reads

  access-list 20 allow 192.168.200.0 0.0.0.255

  But your NAT ACL bed

  ip licensing 192.168.20.0 0.0.0.255 any

  I think you have a typo in there, you have a 200 on 20 and on the other.

  Check it out and let me know how it goes. Don't forget to clear the NAT table after deleting these lines:

  clear the ip nat trans *.

  I hope this helps!

  Raga

• Problem starting the Cisco 2821 router

  Hello world

  I have cisco 2821 router. I am facing problem starting.

  someone suggest me what is the problem.

  Thanks in advance...

  VERSION of the SOFTWARE system Bootstrap, Version 12.4 (13r) T, (fc1)
  Technical support: http://www.cisco.com/techsupport
  Copyright (c) 2006 by cisco Systems, Inc.

  The ECC memory initialization
  .
  C2821 platform of 262144 KB of main memory
  Main memory is configured for 64-bit with ECC active

  ReadOnly initialized ROMMON
  load complete, point of entry to the program: 0x8000f000, size: 0xcb80
  load complete, point of entry to the program: 0x8000f000, size: 0xcb80

  load complete, point of entry to the program: 0x8000f000, size: 0x26bc2cc
  Decompression of self-image: #.
  ################################################################################
  ################################################################################
  ################################################################################
  ################################################################################
  ################################################################# [OK]

  Smart init is enabled
  Smart init is sizing iomem
  MEMORY_REQ TYPE ID
  0003E8 0X003DA000 C2821 Mainboard
  1A 0X0025178C E3 0001AB
  0X00263F50 VPN on board
  0X000021B8 embedded USB
  Swimming pools public buffer 0X002C29F0
  Swimming pools public particle 0 X 00211000
  TOTAL: 0X00D65284

  If all memory conditions above are
  "UNKNOWN", you could use a non supported
  configuration or there is a software problem and
  the system may be compromised.
  Rounded IOMEM to: 14 MB.
  Using iomem of 5 percent. [14 mb / 256Mb]

  Legend restricted rights

  Use, duplication, or disclosure by the Government is
  subject to such restrictions as set out in paragraph
  (c) Commercial - limited computer software
  The rights to FAR clause 52.227 - 19 and subparagraph s
  (c) (1) (ii) rights to technical and computer data
  Clause of DFARS 252.227 - 7013 section software.

  Cisco Systems, Inc.
  170 West Tasman Drive
  San Jose, California 95134-1706

  Cisco IOS software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4 T7 (9)
  Version of the SOFTWARE (fc3)
  Technical support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2008 by Cisco Systems, Inc.
  Last updated Friday, January 10 08 16:35 by prod_rel_team
  Image text-base: 0x400B1E74 database: 0x434A9AC0

  ERROR detected on Bus PCI1
  Try REINSTALLING all the modules in the system
  pci1_int_cause 0 x 00000240,
  pci1_err_addr 0 x 00091009, pci0_err_cmd 0x0000000A
  PCI Master Read parity error
  Abort target PCI

  R0 = r1 = r2 FFFFFFFF FFFFFFFF = 0 r3 = 45 80000 r4 = 0
  R5 = 303 r6 = 0 A7 = 1 = 0 = 100000 r9 r8
  R10 = 0 r11 = 465E4369 r12 = 0 r13 = 465E436A r14 = 0
  R15 = r16 r17 8 = 0 = C100 r18 = 0 r19 3400 101 =
  R20 = r21 0 = 40096828 r22 = FFFFFFFF r23 = r24 FFFF00FF = 0
  R25 = 469AAC64 r26 = 0 = 469AAC60 r28 = 0 = 469AAC5C r29, r27
  R30 = 0 r31 = 469AAC58 r32 = r33 FFFFFFFF = r34 = FFFFFFFF FFFFFFFF
  R35 = r36 = r37 = r38 = r39 FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF = FFFFFFFF
  R40 = FFFFFFFF = FFFFFFFF = FFFFFFFF = FFFFFFFF r44 r43 r42 r41 = FFFFFFFF
  R45 = r46 = r47 = r48 FFFFFFFF FFFFFFFF FFFFFFFF = r49 0 = 469AACD0
  R50 = 0 0 = 0 r53 r51 = r52 = 3040A 801 r54 = FFFFFFFF
  R55, r56 = FFFFFFFF = FFFFFFFF r58 r57 A000F000 = = 0 = 465E4358 r59
  R60 = r61 = r62 FFFFFFFF FFFFFFFF = r63 = 0 402E4B10
  GENS = 3400 103 mdlo_hi = my 0 = 251 00
  mdhi_hi = 0 = 0 badvaddr_hi = FFFFFFFF mdhi
  BadVAddr = cause = epc_hi 0 = FFFFFFFF FFFFFFFF
  EPC = 402E4B08 err_epc_hi = err_epc FFFFFFFF = FFFFFFFF

  ERR-1-FATAL %: interruption of the fatal error, reload
  err_stat = 0 x 0

  = Posts from Flushing (02: 37:51 UTC Wednesday, may 18, 2016) =.

  Messages in queue:

  02:37:51 UTC Wednesday, may 18, 2016: interrupt exception, signal CPU 22, PC = 0 x 0

  --------------------------------------------------------------------
  Software fault possible. On reccurence, you perceive
  crashinfo, 'show tech' and contact Cisco Technical Support.
  --------------------------------------------------------------------

  -Trace =
  $0: 00000000, AT: 00000000, v0: 00000000, v1: 00000000
  A0: 00000000, a1: 00000000, a2: 00000000, a3: 00000000
  T0: 00000000, t1: 00000000, t2: 00000000, t3: 00000000
  T4: 00000000, t5: 00000000, t6: 00000000, t7: 00000000
  s0: 00000000, s1: 00000000, s2: 00000000, s3: 00000000
  S4: 00000000, s5: 00000000, s6: 00000000, s7: 00000000
  T8: 00000000, t9: 00000000, k0: 00000000, k1: 00000000
  GP: 00000000, sp: 00000000, s8: 00000000, ra: 00000000
  EPC: 00000000, ErrorEPC: 00000000, GENS: 00000000
  MY: 00000000, MDHI: 00000000, BadVaddr: 00000000
  CacheErr: 00000000, DErrAddr0: 00000000, DErrAddr1: 00000000
  DATA_START: 0X434A9AC0
  Cause 00000000 (Code 0 x 0): Exception of interruption

  Writing crashinfo in flash: crashinfo_20160518-023752
  No reboot to warm storage
  System received a system error *.
  signal = 0 x 16, code = 0x0, context = 0 x 46905718
  PC = 0x40096d7c, Cause = 0 x 20, State Reg = 0 x 34008002

  Software Cisco IOS, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4 (9)T7
  Version of the SOFTWARE (fc3)

  OK, the router is running on a train of "T".

  ERROR detected on Bus PCI1
  Try REINSTALLING all the modules in the system
  pci1_int_cause 0 x 00000240,
  pci1_err_addr 0 x 00091009, pci0_err_cmd 0x0000000A
  PCI Master Read parity error
  Abort target PCI

  Remove any all NM/NME or WIC/HWIC cards and restart again.  If the router is able to start properly, upgrade the router to a higher version.  DO NOT use another "T" train if it is needed.  Use instead a train of "M".