Client VPN crashes to secure the communication channel
I created 2 pix to pix vpn connection on my pix506. Since my vpn clients cannot connect. We use Cisco client ver3.5.2
Journal watch customer severity invalid protocol id 3 MSG (0)
Thank you
* PIX CONFIGURATION *.
Ver6.2 (2) PIX
access-list 110 permit ip 172.20.0.0 255.255.0.0 172.16.1.0 255.255.255.0
access-list host ip 172.20.100.214 allowed NAT0 192.168.20.0 255.255.255.0
access-list host ip 172.20.100.215 allowed NAT0 192.168.20.0 255.255.255.0
access-list host ip 172.20.100.0 allowed NAT0 192.168.1.0 255.255.255.0
NAT0 172.20.0.0 ip access list allow 255.255.0.0 172.16.1.0 255.255.255.0
access-list host ip 172.20.100.0 allowed NAT0 192.168.6.0 255.255.255.0
GVW_VPN list of allowed access host ip 172.20.100.214 192.168.20.0 255.255.255.0
GVW_VPN list of allowed access host ip 172.20.100.215 192.168.20.0 255.255.255.0
GLDR_VPN ip 172.20.100.0 access list allow 255.255.255.0 192.168.1.0 255.255.255.0
CLIENT ip access list allow any 172.16.1.0 255.255.255.0
PELHM_VPN ip 172.20.100.0 access list allow 255.255.255.0 192.168.6.0 255.255.255.0
IP 172.16.1.1 - dealer 172.16.1.254 pool room
Global (outside) 1 x
NAT (inside) 0 access-list NAT0
NAT (inside) 1 172.20.0.0 255.255.0.0 0 0
outdoor circuit 0 0 0.0.0.1 1
Permitted connection ipsec sysopt
Sysopt pl compatible ipsec
No sysopt route dnat
Crypto ipsec transform-set esp - esp-md5-hmac VPN3000
Crypto ipsec transform-set esp - esp-md5-hmac GVW_VPN
Crypto ipsec transform-set esp - esp-md5-hmac GLDR_VPN
Crypto ipsec transform-set esp - esp-md5-hmac PELHM_VPN
Crypto address 50 CLIENT dynamic-map CLIENT
set of 50 CLIENT dynamic-map crypto transform-set VPN3000
PEER_VPN_MAP 20 ipsec-isakmp crypto map
card crypto PEER_VPN_MAP 20 corresponds to the address GVW_VPN
card crypto PEER_VPN_MAP 20 peers the value x
crypto PEER_VPN_MAP 20 the transform-set GVW_VPN value card
PEER_VPN_MAP 22 ipsec-isakmp crypto map
card crypto PEER_VPN_MAP 22 corresponds to the address GLDR_VPN
card crypto PEER_VPN_MAP 22 peer set x
crypto PEER_VPN_MAP 22 the transform-set GLDR_VPN value card
PEER_VPN_MAP 26 ipsec-isakmp crypto map
PEER_VPN_MAP 26 crypto card matches the address PELHM_VPN
card crypto PEER_VPN_MAP 26 peers set x
crypto PEER_VPN_MAP 26 the transform-set PELHM_VPN value card
PEER_VPN_MAP interface card crypto outside
50 CLIENT ipsec-isakmp crypto map
ISAKMP allows outside
ISAKMP key * address x netmask 255.255.255.255
ISAKMP key * address x netmask 255.255.255.255
ISAKMP key * address x netmask 255.255.255.255
ISAKMP key * address 0.0.0.0 netmask 0.0.0.0
ISAKMP client configuration address dealer outside pool
part of pre authentication ISAKMP policy 20
encryption of ISAKMP policy 20
ISAKMP policy 20 md5 hash
20 2 ISAKMP policy group
ISAKMP duration strategy of life 20 86400
dealer address vpngroup WCRSA pool
vpngroup dns 172.20.100.4 Server WCRSA
vpngroup WCRSA wins server - 172.20.100.4
vpngroup split tunnel 110 WCRSA
vpngroup idle time 1800 WCRSA
WCRSA vpngroup password *.
* DEBUG *.
ISAKMP (0): treatment ITS payload. Message ID = 0
ISAKMP (0): audit ISAKMP transform 8 against priority policy 20
ISAKMP: DES-CBC encryption
ISAKMP: MD5 hash
ISAKMP: default group 2
ISAKMP: preshared auth
ISAKMP: type of life in seconds
ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing KE payload. Message ID = 0
ISAKMP: Created a peer node for 165.247.183.138
ISAKMP (0): ID payload
next payload: 10
type: 2
Protocol: 17
Port: 500
Length: 19
ISAKMP (0): the total payload length: 23
to return to the State is IKMP_NO_ERROR
crypto_isakmp_process_block: 165.247.183.138 src, dest
Exchange OAK_AG
ISAKMP (0): HASH payload processing. Message ID = 0
ISAKMP (0): processing NOTIFY payload Protocol 24578 1
SPI 0, message ID = 0
ISAKMP (0): treatment notify INITIAL_CONTACTIPSEC (key_engine): had an event of the queue...
IPSec (key_engine_delete_sas): rec would remove the ISAKMP notify
IPSec (key_engine_delete_sas): remove all SAs shared with 165.247.183.138
ISAKMP (0): SA has been authenticated.
to return to the State is IKMP_NO_ERROR
ISAKMP (0): shipment of the phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending message 24576 NOTIFY 1 protocol
crypto_isakmp_process_block: 165.247.183.138 src, dest
Exchange ISAKMP_TRANSACTION
ISAKMP (0:0): responsible for operation of 165.247.183.138 of treatment. Message ID = 2166937244
ISAKMP: Config CFG_REQUEST payload
ISAKMP (0:0): verification of claim:
ISAKMP: attribute IP4_ADDRESS (1)
ISAKMP: attribute IP4_NETMASK (2)
ISAKMP: attribute IP4_DNS (3)
ISAKMP: attribute IP4_NBNS (4)
ISAKMP: attribute ADDRESS_EXPIRY (5)
Unsupported Attr: 5
ISAKMP: attribute APPLICATION_VERSION (7)
Unsupported Attr: 7
ISAKMP: attribute UNKNOWN (28672)
Unsupported Attr: 28672
ISAKMP: attribute UNKNOWN (28673)
Unsupported Attr: 28673
ISAKMP: attribute ALT_DEF_DOMAIN (28674)
ISAKMP: attribute ALT_SPLIT_INCLUDE (28676)
ISAKMP: attribute ALT_PFS (28679)
ISAKMP: attribute UNKNOWN (28680)
Unsupported Attr: 28680
ISAKMP: attribute UNKNOWN (28677)
Unsupported Attr: 28677
ISAKMP (0:0): response to peer 165.247.183.138 config. ID = 840554125
to return to the State is IKMP_NO_ERROR
crypto_isakmp_process_block: CBC 165.247.183.138, dest x.x.x.x
Exchange ISAKMP_TRANSACTION
ISAKMP (0:0): responsible for operation of 165.247.183.138 of treatment. Message ID = 2166937244
ISAKMP: Config CFG_REQUEST payload
ISAKMP (0:0): verification of claim:
ISAKMP: attribute IP4_ADDRESS (1)
ISAKMP: attribute IP4_NETMASK (2)
ISAKMP: attribute IP4_DNS (3)
ISAKMP: attribute IP4_NBNS (4)
ISAKMP: attribute ADDRESS_EXPIRY (5)
Unsupported Attr: 5
ISAKMP: attribute APPLICATION_VERSION (7)
Unsupported Attr: 7
ISAKMP: attribute UNKNOWN (28672)
Unsupported Attr: 28672
ISAKMP: attribute UNKNOWN (28673)
Unsupported Attr: 28673
ISAKMP: attribute ALT_DEF_DOMAIN (28674)
ISAKMP: attribute ALT_SPLIT_INCLUDE (28676)
ISAKMP: attribute ALT_PFS (28679)
ISAKMP: attribute UNKNOWN (28680)
Unsupported Attr: 28680
ISAKMP: attribute UNKNOWN (28677)
Unsupported Attr: 28677
ISAKMP (0:0): response to peer 165.247.183.138 config. ID = 2883274625
to return to the State is IKMP_NO_ERROR
crypto_isakmp_process_block: CBC 165.247.183.138, dest x.x.x.x
Exchange OAK_QM
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): treatment ITS payload. Message ID = 2877072397
ISAKMP: Check IPSec proposal 1
ISAKMP: turn 1, ESP_3DES
ISAKMP: attributes of transformation:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: program is 1
ISAKMP: Life Type SA in seconds
ISAKMP: Service life of SA (IPV) 0x0 0 x 20 0xc4 0x9b IPSEC (validate_proposal): peer address not found 165.247.183.138
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Skip next ANDed proposal (1)
ISAKMP: Check IPSec proposal 2
ISAKMP: turn 1, ESP_3DES
ISAKMP: attributes of transformation:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: program is 1
ISAKMP: Life Type SA in seconds
ISAKMP: Service life of SA (IPV) 0x0 0 x 20 0xc4 0x9b IPSEC (validate_proposal): peer address not found 165.247.183.138
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Skip next ANDed proposal (2)
ISAKMP: Check IPSec proposal 3
ISAKMP: turn 1, ESP_3DES
ISAKMP: attributes of transformation:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: program is 1
ISAKMP: Life Type SA in seconds
ISAKMP: Service life of SA (IPV) 0x0 0 x 20 0xc4 0x9b IPSEC (validate_proposal): peer address not found 165.247.183.138
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP: IPSec proposal 4 audit
ISAKMP: turn 1, ESP_3DES
ISAKMP: attributes of transformation:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: program is 1
ISAKMP: Life Type SA in seconds
ISAKMP: Service life of SA (IPV) 0x0 0 x 20 0xc4 0x9b IPSEC (validate_proposal): peer address not found 165.247.183.138
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP: Check IPSec proposal 5
ISAKMP: transform 1 ESP_DES
ISAKMP: attributes of transformation:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: program is 1
ISAKMP: Life Type SA in seconds
ISAKMP: Service life of SA (IPV) 0x0 0 x 20 0xc4 0x9b IPSEC (validate_proposal): peer address not found 165.247.183.138
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Skip next ANDed proposal (5)
ISAKMP: Check IPSec proposal 6
ISAKMP: transform 1 ESP_DES
ISAKMP: attributes of transformation:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: program is 1
ISAKMP: Life Type SA in seconds
ISAKMP: Service life of SA (IPV) 0x0 0 x 20 0xc4 0x9b IPSEC (validate_proposal): peer address not found 165.247.183.138
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Skip next ANDed proposal (6)
ISAKMP: Check IPSec proposal 7
ISAKMP: transform 1 ESP_DES
ISAKMP: attributes of transformation:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: program is 1
ISAKMP: Life Type SA in seconds
ISAKMP: Service life of SA (IPV) 0x0 0 x 20 0xc4 0x9b IPSEC (validate_proposal): peer address not found 165.247.183.138
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP: Check IPSec proposal 8
ISAKMP: transform 1 ESP_DES
ISAKMP: attributes of transformation:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: program is 1
ISAKMP: Life Type SA in seconds
ISAKMP: Service life of SA (IPV) 0x0 0 x 20 0xc4 0x9b IPSEC (validate_proposal): peer address not found 165.247.183.138
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP: Check IPSec proposal 9
ISAKMP: turn 1, ESP_NULL
ISAKMP: attributes of transformation:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: program is 1
ISAKMP: Life ITS type in debugging secondssh
Add the following:
> card crypto PEER_VPN_MAP 100-isakmp ipsec dynamic CUSTOMER
Who should you get.
Tags: Cisco Security
Similar Questions
-
PowerShell - ORA-03111: break received on the communication channel
Hi all
I am trying to connect to an oracle database (version Oracle9i Enterprise Edition Release 9.2.0.7.0 - Production). in PowerShell and run a query on the matter.
I added all of the necessary assemblies as far as I know.
When I try to create a new object as follows
Con = New - Object Oracle.ManagedDataAccess.Client.OracleConnection)
I have the following error
Exception calling "Open" with "0" or the arguments: "ORA-03111: Break received on the communication channel.
Please could you tell.
Managed ODP.NET take supported Oracle DB server version10.2 or later.
-
Client VPN is suspended in the secure communication channel
Group,
I'm having a problem with VPN Client (Version 3.5.1) on a laptop computer from W2K connecting to a VPN 3005 dial hub. We have other laptops, connection successfully, however, I'm having one problem with the other two. The journal of VPN client has messages similar to the following:
35 13:35:02.549 17/08/01 Sev = WARNING/3 IKE/0xE300006D
May not match policy entry:
local host = IP ADDR = 0.0.0.0, lcl_port = 0
remote host = IP ADDR = 0.0.0.0, dst_port = 0
36 13:35:02.549 17/08/01 Sev = WARNING/3 IKE/0xA3000001
Cannot open the negotiation.
37 13:35:02.549 17/08/01 Sev = WARNING/3 IKE/0xE3000002
Function initialize_qm failed with the error code of 0x00000000 (INSIDER: 825)
I have tried to delete the internal NIC on the portable, manually remove and reinstall the VPN client several times, remove and add TCP.
I think that my problem to be on the laptop itself, due to the fact that I have other laptops connect via VPN with similar software and the installation program.
Does anyone have any suggestions?
Thank you in advance, Greg
Yes, it is a problem on the client itself. It is one of the most frequent bugs around, and unfortuantely a fix is not too easy. We used to have to think about re - install Windows as the only solution, that most of the customers were not too happy to hear. We have since found a better procedure, although it is manual.
Read the notes for this bug CSCdv23894bug. Notes can be found at http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl
-
Use the client VPN tunnel to cross the LAN-to-LAN tunnel
I have been troubleshooting an issue and cannot cross an obstacle. The ASA is running ASA running 1,0000 code 24. I am using a client VPN tunnel to connect to the ASA. The ASA has already a LAN-to-LAN tunnel, set up and operating and I need the VPN client to access the remote site over the LAN-to-LAN tunnel.
The internal IP address of the local part is 192.168.0.0/24 and the IP address of the Remote LAN-to-LAN tunnel is 172.20.1.0/24. The clients are distributed 192.168.200.0/24 IPs. I have attached the relevant configuration for the SAA.
When the VPN client on the network, I can access resources on the ASA network internal. On the internal network of the SAA, users can access resources through the LAN-to-LAN tunnel. Client VPN cannot access resources on the LAN-to-LAN tunnel. For the latter, there are no hits on the C-TEST access list.
Thank you for your help.
try adding...
permit same-security-traffic intra-interface
-
Client VPN access router to the Internet through the same router! How?
Hi all
I already setup VPN users connect to our router 1841 and corporate network. Use Cisco VPN Client and connection ends on the interface Dialer1 in 1841. This interface is also our ADSL Internet connection.
I need the VPN users out to the Internet via this VPN connection (it is through this Dialer1), rather than use the split tunneling and Internet browsing from their Local Internet service providers.
Of course, this Dialer1 is also 'nat outside' and FastEthernet is LAN and "nat inside '.
So I'll need NAT these VPN-pool addresses to address IP Dialer1. But what would be 'nat inside' in this case...
Can anyone help?
a loopback interface must be configured to "nat inside '.
for example
Loopback int 1
IP 1.1.1.1 255.255.255.0
No tap
IP nat inside
access-list 199 refuse ip<1841 private="" net=""><1841 private="" net="" mask="">
access-list 199 ip allow a
allowed policy-road route map 10
corresponds to the IP 199
set ip next-hop 1.1.1.2
interface Dialer0
political map of IP policy-road route
-
Help with the exception of Pl/SQL 'ora-3150 end of file on the communication channel.
Hello.
The code attached to this post opens a slider that load of 99 dblinks from different remote databases of different version.
He captures the information from these databases and stores them locally on a central database (11.2.0.4.0 version) on different tables.
The problem I have is that when a database is deleted, the dblink to this database show me the error 'ora-3150 end of file on communication channel' and that's right.
But he's not going trough the exception that I created, the cursor is closed and does not continue with the cycle.
The exception I created insert data on DBMONITOR error. DBMONITOR_LOG_ERROR_TABLE in order to catch the error (you'll be able to see all the code on the attachment)
It's the exception:
exception
while others then
INSERT IN DBMONITOR. DBMONITOR_LOG_ERROR_TABLE (NOMBRE_DBLINK, message, info, FECHA_ERROR, TIPO_PROCEDURE) VALUES (var, SUBSTR (DBMS_UTILITY. (FORMAT_ERROR_STACK, 1, 200), "CONNECTION ERROR", SYSDATE, 'CAPACITY');
commit;
end;
Could help me please on how could intercept this exception?
Thank you.
Juan.
You might have a problem with your connection or mishandling. The end of the file ora-3150, on channel of communication error means that there is a connection, but this link was broken somehow.
If a database is not reachable, you should get other types of errors.
For example judgment of the Kingdom or tns - memory could not resolve alias or simliar things.
Here is a list of typical mistakes I have check and manage when accessing remote databases.
e_db_link_broken EXCEPTION; --ORA-02019 connection description for remote database not found PRAGMA EXCEPTION_INIT (e_db_link_broken, -02019); e_oracle_not_available EXCEPTION; --ORA-01034 ORACLE not available PRAGMA EXCEPTION_INIT (e_oracle_not_available, -01034); e_oracle_down EXCEPTION; --ORA-27101: shared memory realm does not exist PRAGMA EXCEPTION_INIT (e_oracle_down, -27101); e_no_listener EXCEPTION; --ORA-12541: TNS:no listener PRAGMA EXCEPTION_INIT (e_no_listener, -12541); e_no_service EXCEPTION; --ORA-12514: TNS:listener does not currently know of service requested in connect descriptor PRAGMA EXCEPTION_INIT (e_no_service, -12514); e_timeout EXCEPTION; --ORA-12170: TNS:Connect timeout occurred PRAGMA EXCEPTION_INIT (e_timeout, -12170);
If you have a long open session and fail to close the db links after recovered information from the remote site?
In addition, I propose to change your dynamic insertion in a normal insert.
First extract the data of the DB link dynamically, but just with a select statement. Then do the insertion with the result data.
Improve your logging table to store messages up to 4000 char CHARACTER. 200 is really small for error messages.
In addition to the DBMS_UTILITY. FORMAT_ERROR_STACK you must also connect DBMS_UTILITY. FORMAT_ERROR_BACKTRACE. Just to see if you get a better message there.
WHEN e_db_link_broken or e_oracle_not_available or e_oracle_down or e_no_listener or e_no_service or e_timeout THEN INSERT INTO DBMONITOR.DBMONITOR_LOG_ERROR_TABLE (NOMBRE_DBLINK, message, info,FECHA_ERROR,TIPO_PROCEDURE) VALUES(var, 'Remote DB not accessible','ERROR DE CONEXION',SYSDATE,'CAPACITY'); -- commit; WHEN OTHERS THEN INSERT INTO DBMONITOR.DBMONITOR_LOG_ERROR_TABLE (NOMBRE_DBLINK, message, info,FECHA_ERROR,TIPO_PROCEDURE) VALUES(var, SUBSTR(DBMS_UTILITY.FORMAT_ERROR_STACK||DBMS_UTILITY.FORMAT_ERROR_BACKTRACE, 1, 4000),'ERROR DE CONEXION',SYSDATE,'CAPACITY'); --commit; end; -
HTTPS protocol between the client vpn and host of the internet through tunnel ipsec-parody
Hello
We have a cisco ASA 5505 and try to get the next job:
ip (192.168.75.5) - connected to the Cisco ASA 5505 VPN client
the customer gets a specific route for an internet address (79.143.218.35 255.255.255.255 192.168.75.1 192.168.75.5 100)
When I try to access the url of the client, I get a syn sent with netstat
When I try trace ASA package, I see the following:
1 FLOW-SEARCH ALLOW Not found no corresponding stream, creating a new stream
2 ROUTE SEARCH entry ALLOW in 0.0.0.0 0.0.0.0 outdoors
3 ACCESS-LIST Journal ALLOW Access-group outside_access_in in interface outside
outside_access_in list extended access permitted tcp everything any https eq
access-list outside_access_in note hyperion outside inside
4 IP-OPTIONS ALLOW 5 CP-PUNT ALLOW 6 VPN IPSec-tunnel-flow ALLOW 7 IP-OPTIONS ALLOW 8 VPN encrypt ALLOW outdoors upward upward outdoors upward upward drop (ipsec-parody) Parody of detected IPSEC When I try the reverse (i.e. from the internet host to vpn client), it seems to work:
1 FLOW-SEARCH ALLOW Not found no corresponding stream, creating a new stream
2 ROUTE SEARCH entry ALLOW in 192.168.75.5 255.255.255.255 outside
3 ACCESS-LIST Journal ALLOW Access-group outside_access_in in interface outside
outside_access_in of access allowed any ip an extended list
4 IP-OPTIONS ALLOW 5 VPN IPSec-tunnel-flow ALLOW 6 VPN encrypt ALLOW My question is why this phenomenon happens and how solve us this problem?
Thanks in advance, Sipke
our running-config:
: Saved
:
ASA Version 8.0 (4)
!
ciscoasa hostname
domain somedomain
activate the password - encrypted
passwd - encrypted
names of
name 10.10.1.0 Hyperion
name 164.140.159.x xxxx
name 192.168.72.25 xxxx
name 192.168.72.24 xxxx
name 192.168.72.196 xxxx
name 192.168.75.0 vpn clients
name 213.206.236.0 xxxx
name 143.47.160.0 xxxx
name 141.143.32.0 xxxx
name 141.143.0.0 xxxx
name 192.168.72.27 xxxx
name 10.1.11.0 xxxx
name 10.1.2.240 xxxx
name 10.1.1.0 xxxx
name 10.75.2.1 xxxx
name 10.75.2.23 xxxx
name 192.168.72.150 xxxx
name 192.168.33.0 xxxx
name 192.168.72.26 xxxx
name 192.168.72.5 xxxx
name 192.168.23.0 xxxx
name 192.168.34.0 xxxx
name 79.143.218.35 inethost
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.72.254 255.255.255.0
OSPF cost 10
!
interface Vlan2
nameif outside
security-level 0
IP address 193.173.x.x 255.255.255.240
OSPF cost 10
!
interface Vlan3
Shutdown
nameif dmz
security-level 50
192.168.50.1 IP address 255.255.255.0
OSPF cost 10
!
interface Vlan23
nameif wireless
security-level 80
192.168.40.1 IP address 255.255.255.0
OSPF cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
switchport access vlan 23
!
interface Ethernet0/7
!
passive FTP mode
clock timezone THATS 1
clock to summer time CEDT recurring last Sun Mar 02:00 last Sun Oct 03:00
DNS lookup field inside
DNS server-group DefaultDNS
domain pearle.local
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
object-group Protocol TCPUDP
object-protocol udp
object-tcp protocol
object-group service RDP - tcp
Remote Desktop Protocol Description
EQ port 3389 object
object-group service UDP - udp VC
range of object-port 60000 60039
object-group VC - TCP tcp service
60000 60009 object-port Beach
object-group service tcp Fortis
1501 1501 object-port Beach
Beach of port-object 1502-1502
Beach of port-object sqlnet sqlnet
1584 1584 object-port Beach
1592 1592 object-port Beach
object-group service tcp fortis
1592 1592 object-port Beach
Beach of port-object 1502-1502
1584 1584 object-port Beach
Beach of port-object sqlnet sqlnet
1501 1501 object-port Beach
1500 1500 object-port Beach
the DM_INLINE_NETWORK_1 object-group network
object-network 192.168.50.0 255.255.255.0
object-network 192.168.72.0 255.255.255.0
object-network 192.168.40.0 255.255.255.0
object-network VPN_Pool_2 255.255.255.0
the DM_INLINE_NETWORK_2 object-group network
object-network 192.168.50.0 255.255.255.0
object-network 192.168.72.0 255.255.255.0
object-group network inside-networks
object-network 192.168.72.0 255.255.255.0
WingFTP_TCP tcp service object-group
Secure FTP description
port-object eq 989
port-object eq 990
DM_INLINE_TCP_1 tcp service object-group
port-object eq ftp
port-object eq ftp - data
Group object WingFTP_TCP
DM_INLINE_TCP_2 tcp service object-group
port-object eq ftp
port-object eq ftp - data
Group object WingFTP_TCP
the DM_INLINE_NETWORK_3 object-group network
object-network 192.168.72.0 255.255.255.0
object-network VPN_Pool_2 255.255.255.0
the DM_INLINE_NETWORK_4 object-group network
object-network 192.168.72.0 255.255.255.0
object-network VPN_Pool_2 255.255.255.0
object-group network Oracle
network-object OracleTwo 255.255.224.0
network-object OracleOne 255.255.240.0
network-object OracleThree 255.255.224.0
the DM_INLINE_NETWORK_5 object-group network
network-object Grandvision 255.255.255.0
network-object Grandvision2 255.255.255.240
object-network Grandvision3 255.255.255.0
host of the object-Network Grandvision4
host of the object-Network GrandVision_PC
the DM_INLINE_NETWORK_6 object-group network
network-object Grandvision 255.255.255.0
network-object Grandvision2 255.255.255.240
object-network Grandvision3 255.255.255.0
host of the object-Network Grandvision4
host of the object-Network GrandVision_PC
the DM_INLINE_NETWORK_7 object-group network
network-object Grandvision 255.255.255.0
network-object Grandvision2 255.255.255.240
object-network Grandvision3 255.255.255.0
host of the object-Network GrandVision_PC
the DM_INLINE_NETWORK_8 object-group network
network-object Grandvision 255.255.255.0
network-object Grandvision2 255.255.255.240
object-network Grandvision3 255.255.255.0
host of the object-Network GrandVision_PC
object-group service DM_INLINE_SERVICE_2
the purpose of the ip service
EQ-3389 tcp service object
the DM_INLINE_NETWORK_9 object-group network
network-object OracleThree 255.255.0.0
network-object OracleTwo 255.255.224.0
network-object OracleOne 255.255.240.0
object-group service DM_INLINE_SERVICE_3
the purpose of the ip service
EQ-3389 tcp service object
Atera tcp service object-group
Atera Webbased monitoring description
8001 8001 object-port Beach
8002 8002 object-port Beach
8003 8003 object-port Beach
WingFTP_UDP udp service object-group
port-object eq 989
port-object eq 990
WingFTP tcp service object-group
Description range of ports for the transmission of data
object-port range 1024-1054
HTTPS_redirected tcp service object-group
Description redirect WingFTP Server
port-object eq 40200
Note to inside_access_in to access list ICMP test protocol inside outside
inside_access_in list extended access allow icmp 192.168.72.0 255.255.255.0 any
Note to inside_access_in to access list ICMP test protocol inside outside
access-list inside_access_in note HTTP inside outside
inside_access_in list extended access allowed object-group TCPUDP 192.168.72.0 255.255.255.0 any eq www
access-list inside_access_in note queries DNS inside to outside
inside_access_in list extended access allowed object-group TCPUDP 192.168.72.0 255.255.255.0 no matter what eq field
access-list inside_access_in note the HTTPS protocol inside and outside
inside_access_in list extended access permitted tcp 192.168.72.0 255.255.255.0 any https eq
Note to inside_access_in to access list ICMP test protocol inside outside
access-list inside_access_in note 7472 Epo-items inside outside
inside_access_in list extended access permitted tcp 192.168.72.0 255.255.255.0 any eq 7472
access-list inside_access_in note POP3 inside outside
inside_access_in list extended access permitted tcp 192.168.72.0 255.255.255.0 any eq pop3
inside_access_in list extended access permit udp host LifeSize-PE-HQ any object-group UDP - VC
inside_access_in list extended access permit tcp host LifeSize-PE-HQ all eq h323
access-list inside_access_in note video conference services
inside_access_in list extended access permit tcp host LifeSize-PE-HQ any object-group VC - TCP
inside_access_in list extended access permitted tcp 192.168.72.0 255.255.255.0 any
Note to inside_access_in to access list Fortis
inside_access_in list extended access permitted tcp 192.168.72.0 255.255.255.0 any object-group Fortis
access extensive list ip 192.168.40.0 inside_access_in allow 255.255.255.0 any
inside_access_in list extended access permitted tcp 192.168.40.0 255.255.255.0 any
inside_access_in list extended access permitted tcp 192.168.40.0 255.255.255.0 any eq www
inside_access_in list extended access permitted tcp 192.168.40.0 255.255.255.0 any https eq
inside_access_in allowed all Hyperion 255.255.255.0 ip extended access list
inside_access_in list extended access udp allowed any any eq isakmp
inside_access_in list extended access udp allowed any any eq ntp
inside_access_in list extended access udp allowed any any eq 4500
inside_access_in list of allowed ip extended access any Oracle object-group
inside_access_in list extended access udp allowed any any eq 10000
access-list inside_access_in note PPTP inside outside
inside_access_in list extended access permit tcp any any eq pptp
access-list inside_access_in note WILL inside outside
inside_access_in list extended access will permit a full
Note to inside_access_in to access the Infrastructure of the RIM BES server list
inside_access_in list extended access permit tcp host BESServer any eq 3101
inside_access_in list extended access permit tcp any any DM_INLINE_TCP_2 object-group
inside_access_in list extended access permit tcp any any HTTPS_redirected object-group
access extensive list ip Hyperion 255.255.255.0 inside_access_in 255.255.255.0 allow VPN_Pool_2
inside_access_in list extended access permit udp any host 86.109.255.177 eq 1194
access extensive list ip 192.168.72.0 inside_access_in allow 255.255.255.0 DM_INLINE_NETWORK_7 object-group
access extensive list ip VPN_Pool_2 inside_access_in allow 255.255.255.0 any
inside_access_in list extended access deny ip any any inactive debug log
Note to outside_access_in to access list ICMP test protocol outside inside
outside_access_in list extended access permit icmp any one
access-list outside_access_in Note SMTP outside inside
outside_access_in list extended access permit tcp any any eq smtp
outside_access_in list extended access udp allowed any any eq ntp disable journal
access-list outside_access_in note 7472 EPO-items outside inside
outside_access_in list extended access permit tcp any any eq 7472
outside_access_in list extended access permit tcp any any object-group inactive RDP
outside_access_in list extended access permit tcp any any eq www
outside_access_in list extended access permit tcp any any HTTPS_redirected object-group
outside_access_in list extended access permitted tcp everything any https eq
access-list outside_access_in note hyperion outside inside
outside_access_in list extended access permitted tcp Hyperion 255.255.255.0 DM_INLINE_NETWORK_4 object-group
outside_access_in to access Hyperion 255.255.255.0 ip extended list object-group DM_INLINE_NETWORK_3 allow
outside_access_in list extended access permit tcp any host LifeSize-PE-HQ eq h323
outside_access_in list extended access permit tcp any host LifeSize-PE-HQ object-group VC - TCP
outside_access_in list extended access permit udp any host group-object-LifeSize-PE-HQ UDP - VC
outside_access_in of access allowed any ip an extended list
outside_access_in list extended access udp allowed any any eq 4500
outside_access_in list extended access udp allowed any any eq isakmp
outside_access_in list extended access udp allowed any any eq 10000
outside_access_in list extended access will permit a full
outside_access_in list extended access permit tcp any any eq pptp
outside_access_in list extended access permit tcp any any DM_INLINE_TCP_1 object-group
outside_access_in list extended access allowed object-group ip DM_INLINE_NETWORK_8 192.168.72.0 255.255.255.0 inactive
outside_access_in list extended access permit tcp any any Atera object-group
outside_access_in list extended access deny ip any any inactive debug log
outside_1_cryptomap list extended access allowed object-group Hyperion DM_INLINE_NETWORK_2 255.255.255.0 ip
outside_1_cryptomap to access extended list ip 192.168.50.0 allow Hyperion 255.255.255.0 255.255.255.0
access extensive list ip 192.168.72.0 inside_nat0_outbound allow Hyperion 255.255.255.0 255.255.255.0
inside_nat0_outbound list of allowed ip extended access all 193.172.182.64 255.255.255.240
inside_nat0_outbound list of allowed ip extended access all 192.168.72.192 255.255.255.192
inside_nat0_outbound list of allowed ip extended access all 192.168.72.0 255.255.255.0
access extensive list ip 192.168.72.0 inside_nat0_outbound allow 255.255.255.0 VPN_Pool_2 255.255.255.0
access extensive list ip 192.168.72.0 inside_nat0_outbound allow 255.255.255.0 DM_INLINE_NETWORK_5 object-group
inside_nat0_outbound list of allowed ip extended access all GrandVisionSoesterberg 255.255.255.0
inside_nat0_outbound list of allowed ip extended access any Swabach 255.255.255.0
access-list 200 scope allow tcp all fortis of fortis host object-group
access extensive list ip VPN_Pool_2 outside_nat0_outbound allow 255.255.255.0 DM_INLINE_NETWORK_9 object-group
outside_cryptomap_2 list extended access allowed object-group Hyperion DM_INLINE_NETWORK_1 255.255.255.0 ip
outside_cryptomap_2 to access extended list ip 192.168.50.0 allow Hyperion 255.255.255.0 255.255.255.0
Note Wireless_access_in of access list, select Hyperion / wifi access NAT rule.
Access extensive list ip 192.168.40.0 Wireless_access_in allow Hyperion inactive 255.255.255.0 255.255.255.0
Wireless_access_in list extended access deny ip 192.168.40.0 255.255.255.0 192.168.72.0 255.255.255.0
Comment by Wireless_access_in-list of the traffic Internet access
Access extensive list ip 192.168.40.0 Wireless_access_in allow 255.255.255.0 any
standard access list splittunnelclientvpn allow 192.168.72.0 255.255.255.0
splittunnelclientvpn list standard access allowed Hyperion 255.255.255.0
standard access list splittunnelclientvpn allow Pearleshare 255.255.255.0
splittunnelclientvpn list standard access allowed host 85.17.235.22
splittunnelclientvpn list standard access allowed OracleThree 255.255.224.0
standard access list splittunnelclientvpn allow 143.47.128.0 255.255.240.0
splittunnelclientvpn list standard access allowed host inethost
Standard access list SplittnlHyperion allow OracleThree 255.255.0.0
Standard access list SplittnlOOD allow OracleThree 255.255.0.0
Standard access list SplittnlOOD allow 143.47.128.0 255.255.240.0
access extensive list ip 192.168.72.0 outside_cryptomap allow 255.255.255.0 DM_INLINE_NETWORK_6 object-group
outside_cryptomap_1 list of allowed ip extended access all GrandVisionSoesterberg 255.255.255.0
outside_cryptomap_3 list of allowed ip extended access any Swabach 255.255.255.0
192.168.72.0 IP Access-list extended sheep 255.255.255.0 GrandVisionSoesterberg 255.255.255.0 allow
192.168.72.0 IP Access-list extended sheep 255.255.255.0 VPN_Pool_2 255.255.255.0 allow
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
MTU 1500 dmz
MTU 1500 wireless
local pool VPN_DHCP 192.168.72.220 - 192.168.72.235 255.255.255.0 IP mask
mask 192.168.75.1 - 192.168.75.50 255.255.255.0 IP local pool VPN_Range_2
no failover
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow any inside
ICMP allow all outside
ASDM image disk0: / asdm - 613.bin
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0 access-list sheep
NAT (inside) 1 0.0.0.0 0.0.0.0
NAT (wireless) 1 192.168.40.0 255.255.255.0
public static tcp (indoor, outdoor) interface smtp smtp Mailsrv_Pearle_Europe netmask 255.255.255.255
public static tcp (indoor, outdoor) interface ftp ftp netmask 255.255.255.255 Pearle-DC02
public static 990 Pearle-DC02 990 netmask 255.255.255.255 interface tcp (indoor, outdoor)
static (inside, outside) tcp 3389 3389 Mailsrv_Pearle_Europe netmask 255.255.255.255 interface
public static tcp (indoor, outdoor) interface www Pearle-DC02 www netmask 255.255.255.255
public static 40200 Pearle-DC02 40200 netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static tcp (indoor, outdoor) interface https Exchange2010 https netmask 255.255.255.255
public static tcp (indoor, outdoor) interface h323 h323 LifeSize-PE-HQ netmask 255.255.255.255
public static 60000 60000 LifeSize-PE-HQ netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static 60001 LifeSize-PE-HQ 60001 netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static 60002 LifeSize-PE-HQ 60002 netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static 60003 LifeSize-PE-HQ 60003 netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static 60004 LifeSize-PE-HQ 60004 netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static 60005 LifeSize-PE-HQ 60005 netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static 60006 LifeSize-PE-HQ 60006 netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static 60007 LifeSize-PE-HQ 60007 netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static 60008 LifeSize-PE-HQ 60008 netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static 60009 LifeSize-PE-HQ 60009 netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static (inside, outside) udp interface 60001 LifeSize-PE-HQ 60001 netmask 255.255.255.255
public static (inside, outside) udp interface 60002 LifeSize-PE-HQ 60002 netmask 255.255.255.255
public static (inside, outside) udp interface 60003 LifeSize-PE-HQ 60003 netmask 255.255.255.255
public static (inside, outside) udp interface 60004 LifeSize-PE-HQ 60004 netmask 255.255.255.255
public static (inside, outside) udp interface 60005 LifeSize-PE-HQ 60005 netmask 255.255.255.255
public static (inside, outside) udp interface 60006 LifeSize-PE-HQ 60006 netmask 255.255.255.255
public static (inside, outside) udp interface 60007 LifeSize-PE-HQ 60007 netmask 255.255.255.255
public static (inside, outside) udp interface 60008 LifeSize-PE-HQ 60008 netmask 255.255.255.255
public static (inside, outside) udp interface 60009 LifeSize-PE-HQ 60009 netmask 255.255.255.255
public static (inside, outside) udp interface 60010 LifeSize-PE-HQ 60010 netmask 255.255.255.255
public static (inside, outside) udp interface 60011 LifeSize-PE-HQ 60011 netmask 255.255.255.255
public static (inside, outside) udp interface 60012 LifeSize-PE-HQ 60012 netmask 255.255.255.255
public static (inside, outside) udp interface 60013 LifeSize-PE-HQ 60013 netmask 255.255.255.255
public static (inside, outside) udp interface 60014 LifeSize-PE-HQ 60014 netmask 255.255.255.255
public static (inside, outside) udp interface 60015 LifeSize-PE-HQ 60015 netmask 255.255.255.255
public static (inside, outside) udp interface 60016 LifeSize-PE-HQ 60016 netmask 255.255.255.255
public static (inside, outside) udp interface 60017 LifeSize-PE-HQ 60017 netmask 255.255.255.255
public static (inside, outside) udp interface 60018 LifeSize-PE-HQ 60018 netmask 255.255.255.255
public static (inside, outside) udp interface 60019 LifeSize-PE-HQ 60019 netmask 255.255.255.255
public static (inside, outside) udp interface 60020 LifeSize-PE-HQ 60020 netmask 255.255.255.255
public static (inside, outside) udp interface 60021 60021 LifeSize-PE-HQ netmask 255.255.255.255
public static (inside, outside) udp interface 60022 LifeSize-PE-HQ 60022 netmask 255.255.255.255
public static (inside, outside) udp interface 60023 LifeSize-PE-HQ 60023 netmask 255.255.255.255
public static (inside, outside) udp interface 60024 LifeSize-PE-HQ 60024 netmask 255.255.255.255
public static (inside, outside) udp interface 60025 LifeSize-PE-HQ 60025 netmask 255.255.255.255
public static (inside, outside) udp interface 60026 LifeSize-PE-HQ 60026 netmask 255.255.255.255
public static (inside, outside) udp interface 60027 LifeSize-PE-HQ 60027 netmask 255.255.255.255
public static (inside, outside) udp interface 60028 LifeSize-PE-HQ 60028 netmask 255.255.255.255
public static (inside, outside) udp interface 60029 LifeSize-PE-HQ 60029 netmask 255.255.255.255
public static (inside, outside) udp interface 60030 LifeSize-PE-HQ 60030 netmask 255.255.255.255
public static (inside, outside) udp interface 60031 LifeSize-PE-HQ 60031 netmask 255.255.255.255
public static (inside, outside) udp interface 60032 LifeSize-PE-HQ 60032 netmask 255.255.255.255
public static (inside, outside) udp interface 60033 LifeSize-PE-HQ 60033 netmask 255.255.255.255
public static (inside, outside) udp interface 60034 LifeSize-PE-HQ 60034 netmask 255.255.255.255
public static (inside, outside) udp interface 60035 LifeSize-PE-HQ 60035 netmask 255.255.255.255
public static (inside, outside) udp interface 60036 LifeSize-PE-HQ 60036 netmask 255.255.255.255
public static (inside, outside) udp interface 60037 LifeSize-PE-HQ 60037 netmask 255.255.255.255
public static (inside, outside) udp interface 60038 LifeSize-PE-HQ 60038 netmask 255.255.255.255
public static (inside, outside) udp interface 60039 LifeSize-PE-HQ 60039 netmask 255.255.255.255
public static (inside, outside) udp interface 60040 60040 LifeSize-PE-HQ netmask 255.255.255.255
public static Mailsrv_Pearle_Europe 7472 netmask 255.255.255.255 7472 interface tcp (indoor, outdoor)
public static LanSweep-XP netmask 255.255.255.255 8001 8001 interface tcp (indoor, outdoor)
public static 8002 8002 LanSweep-XP netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static LanSweep-XP netmask 255.255.255.255 8003 8003 interface tcp (indoor, outdoor)
static (inside, outside) 193.173.12.194 tcp https Pearle-DC02 https netmask 255.255.255.255
inside_access_in access to the interface inside group
Access-group outside_access_in in interface outside
Access-group Wireless_access_in in wireless interface
Route outside 0.0.0.0 0.0.0.0 193.173.12.206 1
Route outside OracleThree 255.255.224.0 193.173.12.198 1
Route outside 143.47.128.0 255.255.240.0 193.173.12.198 1
Route inside 172.27.0.0 255.255.255.0 Pearle-DC02 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-registration DfltAccessPolicy
AAA authentication LOCAL telnet console
the ssh LOCAL console AAA authentication
Enable http server
http 192.168.40.0 255.255.255.0 Wireless
http 192.168.1.0 255.255.255.0 inside
http 192.168.72.0 255.255.255.0 inside
http GrandVisionSoesterberg 255.255.255.0 inside
SNMP-server host inside 192.168.33.29 survey community public version 2 c
location of Server SNMP Schiphol
contact Server SNMP SSmeekes
SNMP-Server Public community
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set esp-aes-256 GRANDVISION esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define security association lifetime 28800 seconds
cryptographic kilobytes 4608000 life of the set - the association of security of the 65535 SYSTEM_DEFAULT_CRYPTO_MAP of the dynamic-map
card crypto outside_map0 1 match address outside_cryptomap_1
outside_map0 card crypto 1jeu pfs
outside_map0 card crypto 1jeu peer 212.78.223.182
outside_map0 card crypto 1jeu transform-set ESP ESP-3DES-SHA-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-ESP ESP-3DES-MD5 MD5-DES-SHA ESP-DES-MD5
outside_map0 map 1 lifetime of security association set seconds 28800 crypto
card crypto outside_map0 1 set security-association life kilobytes 4608000
card crypto game 2 outside_map0 address outside_cryptomap_2
outside_map0 crypto map peer set 2 193.173.12.193
card crypto outside_map0 2 game of transformation-ESP ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5-DES-SHA ESP-DES-MD5
life card crypto outside_map0 2 set security-association seconds 28800
card crypto outside_map0 2 set security-association life kilobytes 4608000
card crypto outside_map0 3 match address outside_1_cryptomap
outside_map0 card crypto 3 set pfs
outside_map0 card crypto 3 peers set 193.172.182.66
outside_map0 crypto map 3 the value transform-set ESP-3DES-SHA
life card crypto outside_map0 3 set security-association seconds 28800
card crypto outside_map0 3 set security-association life kilobytes 4608000
card crypto outside_map0 game 4 address outside_cryptomap
outside_map0 card crypto 4 peers set 213.56.81.58
outside_map0 4 set transform-set GRANDVISION crypto card
life card crypto outside_map0 4 set security-association seconds 28800
card crypto outside_map0 4 set security-association life kilobytes 4608000
card crypto outside_map0 5 match address outside_cryptomap_3
outside_map0 card crypto 5 set pfs
outside_map0 crypto card 5 peers set 86.109.255.177
outside_map0 card crypto 5 game of transformation-ESP ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5-DES-SHA ESP-DES-MD5
life card crypto outside_map0 5 set security-association seconds 28800
card crypto outside_map0 5 set security-association life kilobytes 4608000
Crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
outside_map0 interface card crypto outside
crypto ISAKMP allow inside
crypto ISAKMP allow outside
crypto ISAKMP enable dmz
crypto ISAKMP enable wireless
crypto ISAKMP policy 5
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet 192.168.72.0 255.255.255.0 inside
Telnet timeout 5
SSH 192.168.72.0 255.255.255.0 inside
SSH GrandVisionSoesterberg 255.255.255.0 inside
SSH 213.144.239.0 255.255.255.192 outside
SSH timeout 5
Console timeout 0
management-access inside
dhcpd dns 194.151.228.18 is 10.10.1.100
dhcpd outside auto_config
!
dhcpd address 192.168.72.253 - 192.168.72.253 inside
!
dhcpd address dmz 192.168.50.10 - 192.168.50.50
dhcpd enable dmz
!
dhcpd address wireless 192.168.40.10 - 192.168.40.99
dhcpd dns 194.151.228.18 wireless interface
dhcpd activate wireless
!
a basic threat threat detection
host of statistical threat detection
statistical threat detection port
Statistical threat detection Protocol
Statistics-list of access threat detection
no statistical threat detection tcp-interception
Group Policy "pearle_vpn_Hyp only" internal
attributes of Group Policy "pearle_vpn_Hyp only".
value of server WINS 192.168.72.25
value of server DNS 192.168.72.25
Protocol-tunnel-VPN IPSec l2tp ipsec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list SplittnlHyperion
Split-dns value pearle.local
internal pearle_vpn_OOD_only group policy
attributes of the strategy of group pearle_vpn_OOD_only
value of Split-tunnel-network-list SplittnlOOD
internal pearle_vpn group policy
attributes of the strategy of group pearle_vpn
value of server WINS 192.168.72.25
value of server DNS 192.168.72.25
Protocol-tunnel-VPN IPSec l2tp ipsec svc
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list splittunnelclientvpn
Pearle.local value by default-field
Split-dns value pearle.local
username anyone password encrypted password
username something conferred
VPN-group-policy pearle_vpn_OOD_only
type of remote access service
tunnel-group 193 type ipsec-l2l
tunnel-group 193 ipsec-attributes
pre-shared-key *.
tunnel-group 193.173.12.193 type ipsec-l2l
IPSec-attributes tunnel-group 193.173.12.193
pre-shared-key *.
NOCHECK Peer-id-validate
type tunnel-group pearle_vpn remote access
tunnel-group pearle_vpn General-attributes
address pool VPN_Range_2
Group Policy - by default-pearle_vpn
pearle_vpn group of tunnel ipsec-attributes
pre-shared-key *.
type tunnel-group Pearle_VPN_2 remote access
attributes global-tunnel-group Pearle_VPN_2
address pool VPN_Range_2
strategy-group-by default "pearle_vpn_Hyp only".
IPSec-attributes tunnel-group Pearle_VPN_2
pre-shared-key *.
tunnel-group 213.56.81.58 type ipsec-l2l
IPSec-attributes tunnel-group 213.56.81.58
pre-shared-key *.
tunnel-group 212.78.223.182 type ipsec-l2l
IPSec-attributes tunnel-group 212.78.223.182
pre-shared-key *.
tunnel-group 86.109.255.177 type ipsec-l2l
IPSec-attributes tunnel-group 86.109.255.177
pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
inspect the pptp
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum:7d4d9c7ca7c865d9e40f5d77ed1238eb
: end
ASDM image disk0: / asdm - 613.bin
ASDM BESServer 255.255.255.255 inside location
ASDM VPN_Pool_2 255.255.255.0 inside location
ASDM OracleTwo 255.255.224.0 inside location
ASDM OracleOne 255.255.240.0 inside location
ASDM OracleThree 255.255.224.0 inside location
ASDM location Exchange2010 255.255.255.255 inside
ASDM location Grandvision 255.255.255.0 inside
ASDM Grandvision2 255.255.255.240 inside location
ASDM Grandvision3 255.255.255.0 inside location
ASDM Grandvision4 255.255.255.255 inside location
ASDM GrandVision_PC 255.255.255.255 inside location
ASDM location LanSweep-XP 255.255.255.255 inside
ASDM GrandVisionSoesterberg 255.255.255.0 inside location
ASDM location Pearle-DC02 255.255.255.255 inside
ASDM location Pearle-WDS 255.255.255.255 inside
ASDM location Swabach 255.255.255.0 inside
ASDM GrandVisionSoesterberg2 255.255.255.0 inside location
don't allow no asdm history
Where is that host (inethost)? Inside of the ASA, or on the internet (on the outside)?
If it is outside, you must configure the NAT for the pool of vpn as you turn on the SAA.
NAT (outside) 1 192.168.75.0 255.255.255.0
-
Client VPN cannot get inside the network
The VPN client connects to the 2600 on the serial interface, should be able to get to the 10.10.0.0 network beyond 192.168.1.14. The customer ping responds failure of external serial interface address.
If you still have problems... can you check that there is a static route BOF 192.168.100.0/24 on router 192.168.1.14 and initiate a tracert to a host on the network of 10.10.x.x at 192.168.100.7 and see where it goes... your tests show that the VPN client knows how to get to this subnet, but it seems that there is a problem of routing between 10.X.X.X going 192.168.100.0
I hope that helps!
-
How to put all through traffic the easy vpn client VPN server
Hi people
I want to ask you, how to put all of the server the easy vpn client VPN traffic through.
I mean, I have a server vpn at home, and if I connect to the vpn from outside server, to be with an IP address of my home.
There is the configuration up to now. Where is the problem?
ROUTER1 #sh running-config
Building configuration...
Current configuration: 5744 bytes
!
! Last configuration change at 19:51:18 UTC Wed Sep 4 2013 by cska
!
version 15.1
horodateurs service debug datetime msec
Log service timestamps datetime msec
no password encryption service
!
ROUTER1 hostname
!
boot-start-marker
usbflash0:CVO boot-BOOT Setup. CFG
boot-end-marker
!
!
!
AAA new-model
!
!
AAA authentication login ciscocp_vpn_xauth_ml_1 local
AAA authorization ciscocp_vpn_group_ml_1 LAN
!
!
!
!
!
AAA - the id of the joint session
!
Service-module wlan-ap 0 autonomous bootimage
Crypto pki token removal timeout default 0
!
Crypto pki trustpoint TP-self-signed-1604488384
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 1604488384
revocation checking no
!
!
TP-self-signed-1604488384 crypto pki certificate chain
certificate self-signed 01
3082022B 30820194 02020101 300 D 0609 2A 864886 F70D0101 04050030 A0030201
2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30
69666963 31363034 34383833 6174652D 3834301E 170 3133 30383239 31313539
32395A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D
4F532D53 5369676E 656C662D 43 65727469 66696361 74652 31 36303434 65642D
38383338 3430819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101
8100CD 57 F1436ED2 8D9E8B99 B6A76D45 FE56716D D99765A9 1722937C F5603F9F
528E27AF 87A24C3D 276FBA1C A5E7C580 CE99748E 39458C 74 862C 2870 16E29F75
7A7930E1 15FA5644 D7ECF257 BF46C470 A3A17AEB 7AB56194 68BFB803 144B7B10
D3722BDD D1FD5E99 8068B77D A1703059 9F0578C7 F7473811 0421490D 627F25C5
4 HAS 250203 010001A 3 53305130 1 130101 FF040530 030101FF 301F0603 0F060355
551 2304 18301680 141B 1326 C111DF7F 9F4ED888 EFE2999A 4C50CDD8 06 12301
03551D0E 04160414 1B1326C1 11DF7F9F 4ED888EF E2999A4C 50CDD812 300 D 0609
2A 864886 04050003 81810096 BD0C2B16 799DB6EE E2C9B7C4 72FEAAAE F70D0101
FF87465C FB7C5248 CFA08E68 522EA08A 4B18BF15 488D D53D9A43 CB400B54 8006
CB21BDFB AA27DA9C C79310B6 BC594A7E D6EDF81D 0DB7D2C1 9EF7251B 19A 75403
211B1E6B 840FE226 48656E9F 67DB4A93 CE75045B A986F0AD 691EE188 7FB86D3F
E43934FA 3D62EC90 8F37590B 618B0C
quit smoking
IP source-route
!
!
!
!
CISCO dhcp IP pool
import all
network 192.168.1.0 255.255.255.0
DNS-server 195.34.133.21 212.186.211.21
default router 192.168.1.1
!
!
IP cef
No ipv6 cef
!
Authenticated MultiLink bundle-name Panel
license udi pid CISCO892W-AGN-E-K9 sn FCZ1530C209
!
!
username privilege 15 secret 5 cska $1$ $8j6G 2sMHqIxJX8MQU6vpr75gp1
!
!
!
!
!
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
!
Configuration group customer isakmp crypto VPNGR
vpngroup key
DNS 212.186.211.21 195.34.133.21
WINS 8.8.8.8
domain chello.at
pool SDM_POOL_1
ACL 120
netmask 255.255.255.0
ISAKMP crypto ciscocp-ike-profile-1 profile
match of group identity VPNGR
client authentication list ciscocp_vpn_xauth_ml_1
ISAKMP authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-model 1
!
!
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
!
Profile of crypto ipsec CiscoCP_Profile1
security association idle time 86400 value
game of transformation-ESP-3DES-SHA
set of isakmp - profile ciscocp-ike-profile-1
!
!
Bridge IRB
!
!
!
!
interface Loopback0
192.168.4.1 IP address 255.255.255.0
IP nat inside
IP virtual-reassembly in
!
interface BRI0
no ip address
encapsulation hdlc
Shutdown
Multidrop ISDN endpoint
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
FastEthernet6 interface
!
interface FastEthernet7
!
interface FastEthernet8
no ip address
Shutdown
automatic duplex
automatic speed
!
type of interface virtual-Template1 tunnel
IP unnumbered Loopback0
ipv4 ipsec tunnel mode
Tunnel CiscoCP_Profile1 ipsec protection profile
!
interface GigabitEthernet0
Description Internet
0023.5a03.b6a5 Mac address
customer_id GigabitEthernet0 dhcp IP address
NAT outside IP
IP virtual-reassembly in
automatic duplex
automatic speed
!
wlan-ap0 interface
description of the Service interface module to manage the embedded AP
192.168.9.2 IP address 255.255.255.0
ARP timeout 0
!
interface GigabitEthernet0 Wlan
Description interface connecting to the AP the switch embedded internal
!
interface Vlan1
no ip address
Bridge-Group 1
Bridge-Group 1 covering-disabled people
!
interface BVI1
IP 192.168.1.1 255.255.255.0
IP nat inside
IP virtual-reassembly in
!
local IP SDM_POOL_1 192.168.4.3 pool 192.168.4.245
IP forward-Protocol ND
!
!
IP http server
local IP http authentication
IP http secure server
overload of IP nat inside source list 110 interface GigabitEthernet0
IP nat inside source static tcp 192.168.1.5 3389 interface GigabitEthernet0 3389
IP nat inside source static udp 192.168.1.5 3389 interface GigabitEthernet0 3389
IP nat inside source static tcp 192.168.1.5 21 interface GigabitEthernet0 21
IP nat inside source static udp 192.168.1.5 21 interface GigabitEthernet0 21
IP nat inside source static tcp 192.168.1.4 3389 interface GigabitEthernet0 3390
IP nat inside source static udp 192.168.1.4 3389 interface GigabitEthernet0 3390
overload of IP nat inside source list 120 interface GigabitEthernet0
IP route 0.0.0.0 0.0.0.0 dhcp
!
exploitation forest esm config
access list 101 ip allow a whole
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access list 111 permit tcp any any eq 3389
access-list 120 allow ip 192.168.4.0 0.0.0.255 any
!
!
!
!
!
!
!
control plan
!
Bridge Protocol ieee 1
1 channel ip bridge
!
Line con 0
line 2
no activation-character
No exec
preferred no transport
transport of entry all
transport output pad rlogin udptn ssh telnet
line to 0
line vty 0 4
privilege level 15
preferred transport ssh
entry ssh transport
transportation out all
!
Thanks in advance
To do this you must make the following changes:
(1) disable split Tunneling by deleting the ACL of your configuration of the client group.
(2) enable NAT for VPN traffic by adding 'ip nat inside' to your virtual model of the client network to the ACL that controls your PAT.Edit: Theses are the changes to your config (also with a little cleaning):
Configuration group customer isakmp crypto VPNGR
No 120 LCD
!
type of interface virtual-Template1 tunnel
IP nat inside
!
no nat ip inside the source list 120 interface GigabitEthernet0 overload
!
access-list 110 permit ip 192.168.4.0 0.0.0.255 any
no access-list 120 allow ip 192.168.4.0 0.0.0.255 any
Sent by Cisco Support technique iPad App
-
Connection with the client VPN for RV110W problem
Hi guys: I just installed a RV110W router to my small business and I try to connect via VPN from home client. I was unable to do so, no matter what I try. Relevant information:
1. I can connect to the router via remote very well management, so I know that the router is accessible from the Net.
2. internal address of the router: 10.81.208.1
3. active PPTP. PPTP server IP address: 10.0.0.1
4 IP addresses for PPTP clients: 10.0.0.10 - 14
5. two VPN clients added - one with PPTP, with the QuickVPN Protocol Protocol. Both are enabled (and Yes, I triple checked passwords)
6 encryption MPPE and Netbios active.
7 IPSec, PPTP and L2TP all active gateways.
8 VPN client: 1.4.1.2
9. computer: laptop running Windows 7 family (64-bit), with the firewall Windows is activated.
10 home network: 192.168.2.196
It is causing to tear my hair out. What Miss me?
Shannon
Hi Shannon,
I am pleased to see that you're progress.
Shannon Rotz wrote:
I changed the RM port to 443. Unfortunately, now I can't connect to the router via browser, either by remote management or from the local network - I get the usual "page cannot be displayed". How do I get back into the router configuration GUI?
You should be able to reach the GUI by typing https://192.168.1.1(assuming that you have not changed the default IP address) normally once you replace http (port 80) with https (port 443) the internal router web server automatically will redirect you to the https page if you type http. Open your command prompt and try to do a ping of the IP address of the router to ensure that it still meets this address
With regards to the VPN client: Up until I changed the port, the same error message kept coming up, i.e. "Unable to establish connection" (or something like that), with a list of possible reasons why it couldn't connect. Now the message has changed - I'm getting "Server's certificate doesn't exist on your local computer". If I continue trying to connect, then it says "Activating Policy", followed by "Verifying Network", then "The remote gateway is not responding. Do you want to wait?" This is definitely progress, since I never got this far before.
You are a quarter inch offline. If you look at the log.txt in C:\Program Cisco Small Business\QuickVPN Client, in my view, you will see "Failed to ping router remote VPN! This means that your PC is blocking the ping to the router response. Usually, if you look at this point the status of Client VPN in the router (first of all need to remote management) you will see that your user status is "connected." If the router thinks that the connection is established, but the PC does not work. You might want to try another PC at this stage to verify that it is indeed a problem with your PC. This problem is usually caused by the 3rd party software antivirus/firewall blocking the ping response. Microsoft Security Essentials can do this as well, so if you turn it off. If you do not have another PC to test from, call Cisco Small Business Support and ask a technician, try to connect to the lab. You can find the number to call here
On an impulse, I tried setting up a Windows VPN connection, i.e. created a new VPN connection in Network and Sharing Center, using a PPTP client ID that I had created. That connection actually worked, except for one problem: I can't see the remote network. If I could solve that problem, I'll just tell the other clients to use a Windows connection rather than QuickVPN.
Good thought. If you do not see the remote devices, make sure that they do not block VPN connections. (Windows or third-party firewall, antivirus, antispyware) With a connection, PPTP or QuickVPN, you should be able to go to run, type the IP address of the device that you want to connect to (i.e. \\192.168.1.101 ) and see the list of shared folders. After the PPTP connection is established, try to ping the address LAN IP of the router. If it is successful, try to ping a LAN device such as a network printer or a PC. Again, PCs may block ping requests if they have a firewall running watch so for this.
Answer please if you have any questions.
-
Client VPN Cisco and Cisco Secure
Cisco VPN client and the VPN from Cisco Secure client free to use with pix firewall software?
Thank you.
Hello
If you have a valid contract to Cisco and you can get the following link:
http://www.Cisco.com/Kobayashi/SW-Center/SW-VPN.shtml
with your CCO login, then you should be able to use these customers at no cost because they are already covered by the contract.
Thank you and best regards,
Abdelouahed
-=-=-
-
With the help of Client VPN dial-up networking on L2l
I m tring to configure ASA 5505 with Cleint of VPN to access a remote network on a L2L with an another ASA 5505, but without success. There is a special function for this work?
Follow the topology
TKS
Hello
You must ensure that you have configured following
- permit same-security-traffic intra-interface
- This will allow VPN Client traffic to enter the ASA and leave the same interface
- If you use Split Tunnel ACL with the VPN Client, make sure that the ACL has included Remote Site network
- If you use complete Tunnel this wont be a problem
- Make sure that the ACL of VPN L2L that defines "interesting traffic" includes the pool of Client VPN on both sides of the VPN L2L
- Configure a NAT0 on the ASA of Client VPN 'outside' interface that makes NAT0 for pool of Client VPN Remote Site network
If you have a real-world setting to share I can try to help with those. Otherwise I can only give general things like the above to check.
-Jouni
- permit same-security-traffic intra-interface
-
% 7-ASA-710005: request TCP thrown error in the Client VPN Site to CISCO ASA 5510
Hi friends,
I am trying to built customer to site VPN CISCO ASA 5510 8.4 (4) and get error below when connecting to a cisco VPN client software. Also, I'm below ASA, log. Please help me to reslove.
Error in CISCO VPN Client software:
Secure VPN connection terminated locally by the client.
Reason: 414: unable to establish a TCP connection.
Error in CISCO ASA 5510
7-ASA-710005%: TCP request and eliminated from
49276 outward: 10000 The ASA configuration:
XYZ # sh run
: Saved
:
ASA Version 8.4 (4)
!
hostname XYZ
domain XYZ
activate the password encrypted 3uLkVc9JwRA1/OXb N3
activate the encrypted password of R/x90UjisGVJVlh2
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Ethernet0/0
nameif outside_rim
security-level 0
IP 1.1.1.1 255.255.255.252
!
interface Ethernet0/1
full duplex
nameif XYZ_DMZ
security-level 50
IP 172.1.1.1 255.255.255.248
!
interface Ethernet0/2
Speed 100
full duplex
nameif outside
security-level 0
IP address 2.2.2.2 255.255.255.252
!
interface Ethernet0/3
Speed 100
full duplex
nameif inside
security-level 100
IP 3.3.3.3 255.255.255.224
!
interface Management0/0
Shutdown
No nameif
no level of security
no ip address
!
boot system Disk0: / asa844 - k8.bin
passive FTP mode
DNS domain-lookup outside
DNS server-group DefaultDNS
Server name xx.xx.xx.xx
Server name xx.xx.xx.xx
Server name xx.xx.xx.xx
Server name xx.xx.xx.xx
domain XYZ
network object obj - 172.17.10.3
Home 172.17.10.3
network object obj - 10.1.134.0
10.1.134.0 subnet 255.255.255.0
network object obj - 208.75.237.0
208.75.237.0 subnet 255.255.255.0
network object obj - 10.7.0.0
10.7.0.0 subnet 255.255.0.0
network object obj - 172.17.2.0
172.17.2.0 subnet 255.255.255.0
network object obj - 172.17.3.0
172.17.3.0 subnet 255.255.255.0
network object obj - 172.19.2.0
172.19.2.0 subnet 255.255.255.0
network object obj - 172.19.3.0
172.19.3.0 subnet 255.255.255.0
network object obj - 172.19.7.0
172.19.7.0 subnet 255.255.255.0
network object obj - 10.1.0.0
10.1.0.0 subnet 255.255.0.0
network object obj - 10.2.0.0
10.2.0.0 subnet 255.255.0.0
network object obj - 10.3.0.0
10.3.0.0 subnet 255.255.0.0
network object obj - 10.4.0.0
10.4.0.0 subnet 255.255.0.0
network object obj - 10.6.0.0
10.6.0.0 subnet 255.255.0.0
network object obj - 10.9.0.0
10.9.0.0 subnet 255.255.0.0
network object obj - 10.11.0.0
10.11.0.0 subnet 255.255.0.0
network object obj - 10.12.0.0
10.12.0.0 subnet 255.255.0.0
network object obj - 172.19.1.0
172.19.1.0 subnet 255.255.255.0
network object obj - 172.21.2.0
172.21.2.0 subnet 255.255.255.0
network object obj - 172.16.2.0
172.16.2.0 subnet 255.255.255.0
network object obj - 10.19.130.201
Home 10.19.130.201
network object obj - 172.30.2.0
172.30.2.0 subnet 255.255.255.0
network object obj - 172.30.3.0
172.30.3.0 subnet 255.255.255.0
network object obj - 172.30.7.0
172.30.7.0 subnet 255.255.255.0
network object obj - 10.10.1.0
10.10.1.0 subnet 255.255.255.0
network object obj - 10.19.130.0
10.19.130.0 subnet 255.255.255.0
network of object obj-XXXXXXXX
host XXXXXXXX
network object obj - 145.248.194.0
145.248.194.0 subnet 255.255.255.0
network object obj - 10.1.134.100
Home 10.1.134.100
network object obj - 10.9.124.100
Home 10.9.124.100
network object obj - 10.1.134.101
Home 10.1.134.101
network object obj - 10.9.124.101
Home 10.9.124.101
network object obj - 10.1.134.102
Home 10.1.134.102
network object obj - 10.9.124.102
Home 10.9.124.102
network object obj - 115.111.99.133
Home 115.111.99.133
network object obj - 10.8.108.0
10.8.108.0 subnet 255.255.255.0
network object obj - 115.111.99.129
Home 115.111.99.129
network object obj - 195.254.159.133
Home 195.254.159.133
network object obj - 195.254.158.136
Home 195.254.158.136
network object obj - 209.164.192.0
subnet 209.164.192.0 255.255.224.0
network object obj - 209.164.208.19
Home 209.164.208.19
network object obj - 209.164.192.126
Home 209.164.192.126
network object obj - 10.8.100.128
subnet 10.8.100.128 255.255.255.128
network object obj - 115.111.99.130
Home 115.111.99.130
network object obj - 10.10.0.0
subnet 10.10.0.0 255.255.0.0
network object obj - 115.111.99.132
Home 115.111.99.132
network object obj - 10.10.1.45
Home 10.10.1.45
network object obj - 10.99.132.0
10.99.132.0 subnet 255.255.255.0
the Serversubnet object-group network
object-network 10.10.1.0 255.255.255.0
network-object 10.10.5.0 255.255.255.192
the XYZ_destinations object-group network
object-network 10.1.0.0 255.255.0.0
object-network 10.2.0.0 255.255.0.0
network-object 10.3.0.0 255.255.0.0
network-object 10.4.0.0 255.255.0.0
network-object 10.6.0.0 255.255.0.0
network-object 10.7.0.0 255.255.0.0
network-object 10.11.0.0 255.255.0.0
object-network 10.12.0.0 255.255.0.0
object-network 172.19.1.0 255.255.255.0
object-network 172.19.2.0 255.255.255.0
object-network 172.19.3.0 255.255.255.0
object-network 172.19.7.0 255.255.255.0
object-network 172.17.2.0 255.255.255.0
object-network 172.17.3.0 255.255.255.0
object-network 172.16.2.0 255.255.255.0
object-network 172.16.3.0 255.255.255.0
host of the object-Network 10.50.2.206
the XYZ_us_admin object-group network
network-object 10.3.1.245 255.255.255.255
network-object 10.5.33.7 255.255.255.255
network-object 10.211.5.7 255.255.255.255
network-object 10.3.33.7 255.255.255.255
network-object 10.211.3.7 255.255.255.255
the XYZ_blr_networkdevices object-group network
object-network 10.200.10.0 255.255.255.0
access list XYZ extended ip 10.19.130.0 allow 255.255.255.0 145.248.194.0 255.255.255.0
access list XYZ extended ip 10.19.130.0 allow 255.255.255.0 host 172.16.2.21
access list XYZ extended ip 10.19.130.0 allow 255.255.255.0 host 172.16.2.22
access list XYZ extended ip 10.19.130.0 allow 255.255.255.0 host XXXXXXXX
Access extensive list ip 10.19.130.0 XYZ_PAT allow 255.255.255.0 any
Access extensive list ip 10.1.134.0 XYZ_PAT allow 255.255.255.0 host 195.254.159.133
Access extensive list ip 10.1.134.0 XYZ_PAT allow 255.255.255.0 host 195.254.158.136
Access extensive list ip 10.1.134.0 XYZ_PAT allow 255.255.255.0 any
Access extensive list ip 10.1.134.0 XYZ_PAT allow 255.255.255.0 209.164.192.0 255.255.224.0
Access extensive list ip 10.1.134.0 XYZ_PAT allow 255.255.255.0 host 209.164.208.19
Access extensive list ip 10.1.134.0 XYZ_PAT allow 255.255.255.0 host 209.164.192.126
IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 208.75.237.0 255.255.255.0
Allow Access-list extended sheep 255.255.255.0 10.1.134.0 IP 10.7.0.0 255.255.0.0
IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.17.2.0 255.255.255.0
IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.17.3.0 255.255.255.0
IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.19.2.0 255.255.255.0
IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.19.3.0 255.255.255.0
IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.19.7.0 255.255.255.0
10.1.134.0 IP Access-list extended sheep 255.255.255.0 allow 10.1.0.0 255.255.0.0
10.1.134.0 IP Access-list extended sheep 255.255.255.0 allow 10.2.0.0 255.255.0.0
Allow Access-list extended sheep 255.255.255.0 10.1.134.0 IP 10.3.0.0 255.255.0.0
10.1.134.0 IP Access-list extended sheep 255.255.255.0 allow 10.4.0.0 255.255.0.0
10.1.134.0 IP Access-list extended sheep 255.255.255.0 allow 10.6.0.0 255.255.0.0
Allow Access-list extended sheep 255.255.255.0 10.1.134.0 IP 10.9.0.0 255.255.0.0
Allow Access-list extended sheep 255.255.255.0 10.1.134.0 IP 10.11.0.0 255.255.0.0
10.1.134.0 IP Access-list extended sheep 255.255.255.0 allow 10.12.0.0 255.255.0.0
IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.19.1.0 255.255.255.0
IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.21.2.0 255.255.255.0
10.1.134.0 IP Access-list extended sheep 255.255.255.0 allow 172.16.2.0 255.255.255.0
access-list extended sheep allowed host ip 10.19.130.201 172.30.2.0 255.255.255.0
access-list extended sheep allowed host ip 10.19.130.201 172.30.3.0 255.255.255.0
access-list extended sheep allowed host ip 10.19.130.201 172.30.7.0 255.255.255.0
access-list extended sheep allowed ip object-group Serversubnet-group of objects XYZ_destinations
10.10.1.0 IP Access-list extended sheep 255.255.255.0 allow 10.2.0.0 255.255.0.0
10.19.130.0 IP Access-list extended sheep 255.255.255.0 allow host XXXXXXXX
IP 10.19.130.0 allow Access-list extended sheep 255.255.255.0 145.248.194.0 255.255.255.0
Access extensive list ip 10.8.108.0 Guest_PAT allow 255.255.255.0 any
CACIB list extended access permitted ip 10.8.100.128 255.255.255.128 145.248.194.0 255.255.255.0
Access extensive list ip 10.8.100.128 Cacib_PAT allow 255.255.255.128 all
Access extensive list ip 10.1.134.0 New_Edge allow 255.255.255.0 208.75.237.0 255.255.255.0
Allow XYZ_global to access extended list ip 10.7.0.0 255.255.0.0 10.1.134.0 255.255.255.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.7.0.0 255.255.0.0
Access extensive list ip 172.17.2.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
Access extensive list ip 172.17.3.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
Access extensive list ip 172.19.2.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
Access extensive list ip 172.19.3.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
Access extensive list ip 172.19.7.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
Access extensive list ip 10.1.0.0 XYZ_global allow 255.255.0.0 10.1.134.0 255.255.255.0
Access extensive list 10.2.0.0 ip XYZ_global 255.255.0.0 allow 10.1.134.0 255.255.255.0
Allow XYZ_global to access extended list ip 10.3.0.0 255.255.0.0 10.1.134.0 255.255.255.0
Access extensive list 10.4.0.0 ip XYZ_global 255.255.0.0 allow 10.1.134.0 255.255.255.0
Access extensive list 10.6.0.0 ip XYZ_global 255.255.0.0 allow 10.1.134.0 255.255.255.0
Access extensive list ip 10.9.0.0 XYZ_global allow 255.255.0.0 10.1.134.0 255.255.255.0
Allow XYZ_global to access extended list ip 10.11.0.0 255.255.0.0 10.1.134.0 255.255.255.0
Access extensive list 10.12.0.0 ip XYZ_global 255.255.0.0 allow 10.1.134.0 255.255.255.0
Access extensive list ip 172.19.1.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
Access extensive list ip 172.21.2.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.17.2.0 255.255.255.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.17.3.0 255.255.255.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.19.2.0 255.255.255.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.19.3.0 255.255.255.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.19.7.0 255.255.255.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.1.0.0 255.255.0.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.2.0.0 255.255.0.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.3.0.0 255.255.0.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.4.0.0 255.255.0.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.6.0.0 255.255.0.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.9.0.0 255.255.0.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.11.0.0 255.255.0.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.12.0.0 255.255.0.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.19.1.0 255.255.255.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.21.2.0 255.255.255.0
XYZ_global to access extended list ip 172.16.2.0 allow 255.255.255.0 10.1.134.0 255.255.255.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.16.2.0 255.255.255.0
Access extensive list ip 172.30.2.0 XYZ_global allow 255.255.255.0 host 10.19.130.201
XYZ_global list extended access allowed host ip 10.19.130.201 172.30.2.0 255.255.255.0
Access extensive list ip 172.30.3.0 XYZ_global allow 255.255.255.0 host 10.19.130.201
XYZ_global list extended access allowed host ip 10.19.130.201 172.30.3.0 255.255.255.0
Access extensive list ip 172.30.7.0 XYZ_global allow 255.255.255.0 host 10.19.130.201
XYZ_global list extended access allowed host ip 10.19.130.201 172.30.7.0 255.255.255.0
XYZ_global list extended access permitted ip object-group Serversubnet-group of objects XYZ_destinations
XYZ_global list extended access permitted ip object-group XYZ_destinations-group of objects Serversubnet
ML_VPN list extended access allowed host ip 115.111.99.129 209.164.192.0 255.255.224.0
permit access list extended ip host 115.111.99.129 ML_VPN 209.164.208.19
permit access list extended ip host 115.111.99.129 ML_VPN 209.164.192.126
permit access list extended ip host 10.9.124.100 Da_VPN 10.125.81.88
permit access list extended ip host 10.9.124.101 Da_VPN 10.125.81.88
permit access list extended ip host 10.9.124.102 Da_VPN 10.125.81.88
Da_VPN list extended access allowed host ip 10.9.124.100 10.125.81.0 255.255.255.0
Da_VPN list extended access allowed host ip 10.9.124.101 10.125.81.0 255.255.255.0
Da_VPN list extended access allowed host ip 10.9.124.102 10.125.81.0 255.255.255.0
Sr_PAT to access extended list ip 10.10.0.0 allow 255.255.0.0 any
Da_Pd_VPN list extended access allowed host ip 10.9.124.100 10.125.80.64 255.255.255.192
Da_Pd_VPN list extended access allowed host ip 10.9.124.100 10.125.64.0 255.255.240.0
permit access list extended ip host 10.9.124.100 Da_Pd_VPN 10.125.85.46
permit access list extended ip host 10.9.124.100 Da_Pd_VPN 10.125.86.46
Da_Pd_VPN list extended access allowed host ip 10.9.124.101 10.125.80.64 255.255.255.192
Da_Pd_VPN list extended access allowed host ip 10.9.124.101 10.125.64.0 255.255.240.0
permit access list extended ip host 10.9.124.101 Da_Pd_VPN 10.125.85.46
permit access list extended ip host 10.9.124.101 Da_Pd_VPN 10.125.86.46
Da_Pd_VPN list extended access allowed host ip 10.9.124.102 10.125.80.64 255.255.255.192
Da_Pd_VPN list extended access allowed host ip 10.9.124.102 10.125.64.0 255.255.240.0
permit access list extended ip host 10.9.124.102 Da_Pd_VPN 10.125.85.46
permit access list extended ip host 10.9.124.102 Da_Pd_VPN 10.125.86.46
Access extensive list ip 10.19.130.0 XYZ_reliance allow 255.255.255.0 145.248.194.0 255.255.255.0
access-list coextended permit ip host 2.2.2.2 XXXXXXXX
access-list coextended allow the host ip XXXXXXXXhost 2.2.2.2
permitted this access list extended ip 10.1.134.0 255.255.255.0 208.75.237.0 255.255.255.0
permitted this access list extended ip 208.75.237.0 255.255.255.0 10.1.134.0 255.255.255.0
access list acl-outside extended permit ip host 57.66.81.159 172.17.10.3
access list acl-outside extended permit ip host 80.169.223.179 172.17.10.3
access list acl-outside scope permit ip any host 172.17.10.3
access list acl-outside extended permitted tcp any host 10.10.1.45 eq https
access list acl-outside extended permit tcp any any eq 10000
access list acl-outside extended deny ip any any newspaper
pager lines 10
Enable logging
debug logging in buffered memory
outside_rim MTU 1500
MTU 1500 XYZ_DMZ
Outside 1500 MTU
Within 1500 MTU
IP pool local XYZ_c2s_vpn_pool 172.30.10.51 - 172.30.10.254
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow all outside
ICMP allow any inside
don't allow no asdm history
ARP timeout 14400
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 208.75.237.0 obj - 208.75.237.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.7.0.0 obj - 10.7.0.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.17.2.0 obj - 172.17.2.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.17.3.0 obj - 172.17.3.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.19.2.0 obj - 172.19.2.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.19.3.0 obj - 172.19.3.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.19.7.0 obj - 172.19.7.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.1.0.0 obj - 10.1.0.0 non-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.2.0.0 obj - 10.2.0.0 non-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.3.0.0 obj - 10.3.0.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.4.0.0 obj - 10.4.0.0 non-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.6.0.0 obj - 10.6.0.0 non-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.9.0.0 obj - 10.9.0.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.11.0.0 obj - 10.11.0.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.12.0.0 obj - 10.12.0.0 non-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.19.1.0 obj - 172.19.1.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.21.2.0 obj - 172.21.2.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.16.2.0 obj - 172.16.2.0 non-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.19.130.201 obj - 10.19.130.201 destination static obj - 172.30.2.0 obj - 172.30.2.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.19.130.201 obj - 10.19.130.201 destination static obj - 172.30.3.0 obj - 172.30.3.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.19.130.201 obj - 10.19.130.201 destination static obj - 172.30.7.0 obj - 172.30.7.0 no-proxy-arp-search to itinerary
NAT (inside, all) static source Serversubnet Serversubnet XYZ_destinations XYZ_destinations non-proxy-arp-search of route static destination
NAT (inside, all) source static obj - 10.10.1.0 obj - 10.10.1.0 destination static obj - 10.2.0.0 obj - 10.2.0.0 non-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.19.130.0 obj - 10.19.130.0 destination static obj-XXXXXXXX XXXXXXXX - obj non-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.19.130.0 obj - 10.19.130.0 destination static obj - 145.248.194.0 obj - 145.248.194.0 no-proxy-arp-search to itinerary
NAT source (indoor, outdoor), obj static obj - 10.1.134.100 - 10.9.124.100
NAT source (indoor, outdoor), obj static obj - 10.1.134.101 - 10.9.124.101
NAT source (indoor, outdoor), obj static obj - 10.1.134.102 - 10.9.124.102
NAT interface dynamic obj - 10.8.108.0 source (indoor, outdoor)
NAT (inside, outside) source dynamic obj - 10.19.130.0 obj - 115.111.99.129
NAT (inside, outside) source dynamic obj - 10.1.134.0 obj - 115.111.99.129 destination static obj - 195.254.159.133 obj - 195.254.159.133
NAT (inside, outside) source dynamic obj - 10.1.134.0 obj - 115.111.99.129 destination static obj - 195.254.158.136 obj - 195.254.158.136
NAT (inside, outside) source dynamic obj - 10.1.134.0 obj - 115.111.99.129
NAT (inside, outside) source dynamic obj - 10.1.134.0 obj - 115.111.99.129 destination static obj - 209.164.192.0 obj - 209.164.192.0
NAT (inside, outside) source dynamic obj - 10.1.134.0 obj - 115.111.99.129 destination static obj - 209.164.208.19 obj - 209.164.208.19
NAT (inside, outside) source dynamic obj - 10.1.134.0 obj - 115.111.99.129 destination static obj - 209.164.192.126 obj - 209.164.192.126
NAT (inside, outside) source dynamic obj - 10.8.100.128 obj - 115.111.99.130
NAT (inside, outside) source dynamic obj - 10.10.0.0 obj - 115.111.99.132
NAT source (indoor, outdoor), obj static obj - 10.10.1.45 - 115.111.99.133
NAT (inside, outside) source dynamic obj - 10.99.132.0 obj - 115.111.99.129
!
network object obj - 172.17.10.3
NAT (XYZ_DMZ, outside) static 115.111.99.134
Access-group acl-outside in external interface
Route outside 0.0.0.0 0.0.0.0 115.111.23.129 1
Route outside 0.0.0.0 0.0.0.0 115.254.127.130 10
Route inside 10.10.0.0 255.255.0.0 10.8.100.1 1
Route inside 10.10.1.0 255.255.255.0 10.8.100.1 1
Route inside 10.10.5.0 255.255.255.192 10.8.100.1 1
Route inside 10.8.100.128 255.255.255.128 10.8.100.1 1
Route inside 10.8.108.0 255.255.255.0 10.8.100.1 1
Route inside 10.19.130.0 255.255.255.0 10.8.100.1 1
Route inside 10.99.4.0 255.255.255.0 10.99.130.254 1
Route inside 10.99.132.0 255.255.255.0 10.8.100.1 1
Route inside 10.1.134.0 255.255.255.0 10.8.100.1 1
Route outside 208.75.237.0 255.255.255.0 115.111.23.129 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
AAA authentication LOCAL telnet console
LOCAL AAA authorization command
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-aes-256 ikev1, esp-sha-hmac vpn2
Crypto ipsec transform-set esp-aes-256 ikev1, esp-md5-hmac vpn6
Crypto ipsec transform-set esp-aes-256 ikev1, esp-sha-hmac vpn5
Crypto ipsec transform-set esp-aes-256 ikev1, esp-md5-hmac vpn7
Crypto ipsec transform-set esp-aes-256 ikev1, esp-sha-hmac vpn4
Crypto ipsec transform-set esp-aes-256 ikev1, esp-sha-hmac vpn1
Crypto ipsec transform-set esp-aes-256 ikev1, esp-sha-hmac vpn_reliance
Crypto ipsec transform-set esp-3des esp-md5-hmac ikev1 c2s_vpn
86400 seconds, duration of life crypto ipsec security association
Crypto-map dynamic dyn1 ikev1 transform-set c2s_vpn 1 set
Crypto-map dynamic dyn1 1jeu reverse-road
card crypto vpn 1 corresponds to the address XYZ
card 1 set of peer XYZ Peer IP vpn crypto
1 set transform-set vpn1 ikev1 vpn crypto card
card crypto vpn 1 lifetime of security set association, 3600 seconds
card crypto vpn 1 set security-association life kilobytes 4608000
correspondence vpn crypto card address 2 DON'T
2 peer NE_Peer IP vpn crypto card game
2 set transform-set vpn2 ikev1 vpn crypto card
3600 seconds, duration of life card crypto vpn 2 set security-association
card crypto vpn 2 set security-association life kilobytes 4608000
card crypto vpn 4 corresponds to the address ML_VPN
card crypto vpn 4 set pfs
vpn crypto card game 4 peers ML_Peer IP
4 set transform-set vpn4 ikev1 vpn crypto card
3600 seconds, duration of life card crypto vpn 4 set - the security association
card crypto vpn 4 set security-association life kilobytes 4608000
vpn crypto card 5 corresponds to the address XYZ_global
vpn crypto card game 5 peers XYZ_globa_Peer IP
5 set transform-set vpn5 ikev1 vpn crypto card
3600 seconds, duration of life card crypto vpn 5 set - the security association
card 5 security-association life set vpn crypto kilobytes 4608000
vpn crypto card 6 corresponds to the address Da_VPN
vpn crypto card game 6 peers Da_VPN_Peer IP
6 set transform-set vpn6 ikev1 vpn crypto card
3600 seconds, duration of life card crypto vpn 6 set - the security association
card crypto vpn 6 set security-association life kilobytes 4608000
vpn crypto card 7 corresponds to the address Da_Pd_VPN
7 peer Da_Pd_VPN_Peer IP vpn crypto card game
7 set transform-set vpn6 ikev1 vpn crypto card
3600 seconds, duration of life card crypto vpn 7 set - the security association
card crypto vpn 7 set security-association life kilobytes 4608000
vpn outside crypto map interface
crypto map vpn_reliance 1 corresponds to the address XYZ_rim
card crypto vpn_reliance 1 set of peer XYZ_rim_Peer IP
card crypto 1 ikev1 transform-set vpn_reliance set vpn_reliance
vpn_reliance card crypto 1 lifetime of security set association, 3600 seconds
card crypto vpn_reliance 1 set security-association life kilobytes 4608000
card crypto vpn_reliance interface outside_rim
dynamic mymap 1 dyn1 ipsec-isakmp crypto map
crypto isakmp identity address
No encryption isakmp nat-traversal
Crypto ikev1 enable outside_rim
Crypto ikev1 allow outside
IKEv1 crypto policy 1
preshared authentication
aes-256 encryption
sha hash
Group 5
lifetime 28800
IKEv1 crypto policy 2
preshared authentication
aes-256 encryption
sha hash
Group 5
life 86400
IKEv1 crypto policy 4
preshared authentication
aes-256 encryption
sha hash
Group 5
life 28000
IKEv1 crypto policy 5
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
preshared authentication
3des encryption
sha hash
Group 2
life 43200
IKEv1 crypto policy 65535
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet 10.8.100.0 255.255.255.224 inside
Telnet timeout 5
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0
no basic threat threat detection
no statistical access list - a threat detection
no statistical threat detection tcp-interception
internal XYZ_c2s_vpn group strategy
username testadmin encrypted password oFJjANE3QKoA206w
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group ipsec-attributes XXXXXXXX
IKEv1 pre-shared-key *.
tunnel-group XXXXXXXXtype ipsec-l2l
tunnel-group XXXXXXXXipsec-attributes
IKEv1 pre-shared-key *.
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group ipsec-attributes XXXXXXXX
IKEv1 pre-shared-key *.
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group ipsec-attributes XXXXXXXX
IKEv1 pre-shared-key *.
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group ipsec-attributes XXXXXXXX
IKEv1 pre-shared-key *.
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group ipsec-attributes XXXXXXXX
IKEv1 pre-shared-key *.
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group ipsec-attributes XXXXXXXX
IKEv1 pre-shared-key *.
type tunnel-group XYZ_c2s_vpn remote access
attributes global-tunnel-group XYZ_c2s_vpn
address pool XYZ_c2s_vpn_pool
IPSec-attributes tunnel-group XYZ_c2s_vpn
IKEv1 pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
inspect the icmp
Review the ip options
!
global service-policy global_policy
level 3 privilege see the running-config command exec mode
logging of orders privilege see the level 3 exec mode
privilege see the level 3 exec mode command crypto
context of prompt hostname
no remote anonymous reporting call
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:caa7476cd348ed89b95d37d4e3c9e1d8
: endXYZ #.
Good news
Follow these steps:
network object obj - 172.30.10.0_24
172.30.10.0 subnet 255.255.255.0
!
the LOCAL_NETWORKS_VPN object-group network
object-network 1.1.1.0 255.255.255.0
!
NAT (inside, outside) 1 static source LOCAL_NETWORKS_VPN destination LOCAL_NETWORKS_VPN static obj - 172.30.10.0_24 obj - 172.30.10.0_24 - route search
* Where 1.1.1.0/24 is the internal network that you want to reach through the tunnel.
Keep me posted.
Thank you.
Please note all messages that will be useful.
-
The VPN client VPN connection behind other PIX PIX
I have the following problem:
I wanted to establish the VPN connection the client VPN to PIX on GPRS / 3G, but I didn t have a bit of luck with PIX IOS version 6.2 (2).
So I upgraded PIX to 6.3 (4) to use NAT - T and VPN client to version 4.0.5
I have configured PIX with NAT-T(isakmp nat-traversal 20), but I still had a chance, he would not go through the 1st phase. As soon as I took nat-traversal isakmp off he started working, and we can connect to our servers.
Now, I want to connect to the VPN client behind PIX to our customer PIX network. VPN connection implements without problem, but we can not access the servers. If I configure NAT - T on the two PIX, or only on the customer PIX or only on our PIX, no VPN connection at all.
If I have to connect VPN client behind PIX to the customer's network and you try to PING DNS server for example, on our PIX, I have following error:
305006: failed to create of portmap for domestic 50 CBC protocol translation: dst outside:194.x.x.x 10.10.1.x
194.x.x.x is our customer s address IP PIX
I understand that somewhere access list is missing, but I can not understand.
Of course, I can configure VPN site to site, but we have few customers and take us over their servers, so it'd just connect behind PIX VPN and client connection s server, instead of the first dial-in and then establish a VPN connection.
Can you please help me?
Thank you in advan
The following is extracted from ASK THE DISCUSSION FORUM of EXPERTS with Glenn Fullage of Cisco.
I've cut and pasted here for you to read, I think that the problem mentioned below:
Question:
Hi Glenn,.
Following is possible?
I have the vpn client on my PC, my LAN is protected by a pix. I can launch the vpn client to connect to remote pix. Authenticates the vpn client and the remote pix makes my PC with the assigned ip appropriate to its pool of ip address.
The problem that I am facing is that I can not anything across the pix remote ping from my PC which is behind my pix. Can you please guide me what I have to do to make this work, if it is possible?
My PC has a static ip address assigned with the default gateway appropriate pointing to my s pix inside interface.
Thank you very much for any help provided in advance.
Response from Glenn:
First of all, make sure that the VPN connection works correctly when the remote PC is NOT behind a PIX. If that works fine, but then breaks when put behind a PIX, it is probably that the PIX is PAT, which usually breaks IPSec. Add the following command on your PIX VPN client is behind:
fixup protocol esp-ike
See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/df.htm#wp1067379 for more details.
If it still has issues, you can turn on NAT - T on the remote PIX that ends the VPN, the client and the remote PIX must encapsulate then all IPSec in UDP packets that your PIX will be able to PA correctly. Add the following command on the remote PIX:
ISAKMP nat-traversal
See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1027312 for more details.
NAT - T is a standard for the encapsulation of the UDP packets inot IETF IPSec packets.
ESP IPSec (Protocol that use your encrypted data packets) is an IP Protocol, it is located just above IP, rather than being a TCP or UDP protocol. For this reason, it has no TCP/UDP port number.
A lot of features that make the translation of address of Port (PAT) rely on a single to PAT TCP/UDP source port number ' ing. Because all traffic is PAT would be at the same source address, must be certain uniqueness to each of its sessions, and most devices use the port number TCP/UDP source for this. Because IPSec doesn't have one, many features PAT fail to PAT it properly or at all, and the data transfer fails.
NAT - T is enabled on both devices of the range, they will determine during the construction of the tunnel there is a PAT/NAT device between them, and if they detect that there is, they automatically encapsulate every IPSec packets in UDP packets with a port number of 4500. Because there is now a port number, PAT devices are able to PAT it correctly and the traffic goes normally.
Hope that helps.
-
How to create a VPN file .pcf for the CISCO VPN CLIENT software profile
Dear all
How to create a VPN file .pcf for the CISCO VPN CLIENT software profile
Concerning
Hi Imran,
Can't do much about that because it depends on what authenticate you the VPN server and how the settings. But let me introduce you to the memory layout. Once you install and open a VPN client. Press it again and it opens up a new page for the VPN config.
Example of configuration as it is attached. But it differs depending on the configuration of your vpn server.
Once you create and save this profile. Your FCP file is stored.
Please assess whether the information provided is useful.
By
Knockaert
Maybe you are looking for
-
iBook in the iPhone more stuck 6s. Help me fix it please!
Hello! I have the new iPhone 6 s more than 64 GB and I have a problem with the iBooks app. It is stuck and I can't open anything. I have tried rebooting my phone, is turned off but nothing help me! Please help me. I 9.2.1 iOS.
-
someone hacked my Firefox (site who came said that I was hacked by). Should I be worried?
Someone hacked my Firefox. When I tried to open it this am, it became very small and floating on the start screen. I clicked it and it opened a site that said 'hacked by TiGER-M@TE. After the closure of this site, Firefox seems to work very well. Sho
-
I have a puzzle game, installed Windows 8 two days ago runs great. Tried yesterday to Skype with a friend he could hear me fine I could hear everything except him. When I run a test dial the same problem. I tried Google den got the same problem - to
-
Why I can't reduce sync center offline use cursor file. It uses my disk space but I can't reduce it. Help here. See in the picture right slider side file does not move for me. I want to reduce the 105 GB limit, but it is not allowing me. Please help
-
When the computer is suspended can continue with downloads?
Dear Microsoft Community: is anyway to continues with download for example huge downloads to feel if the computer is put to sleep? Or all programs can do that? Just afraid my computer overheats with normal the day before or the off the computer scree