Have a vpn site to site of work, added second who has problems

Similar Questions

• I have an iPhone 5 that was my mother in laws who has left us, is it possible that I can erase the phone without a password iTunes as a person doesn't know

  The ITI is a 5 16 GB iPhone and we do not have a computer

  You will need to bring the product to a physical Apple store, with a copy of the death certificate, if possible a copy of the original invoice or something showing that you are the owner legitimate unit. Only Apple can decide what to do with it. No purchase else an Apple would be able to unlock it.

• Routing issue to site VPN site

  Hello

  I have a VPN site-to site of SR520 at SFsence VPN, the tunnel is up, but I can't ping internal addresses of these two paths of layout of the site terminate my default gateway. Help, please

  Access list configuration:

  access-list 100 permit ip 10.0.43.0 0.0.0.255 10.10.10.0 0.0.0.255

  access-list 100 permit ip 10.10.10.0 0.0.0.255 10.0.43.0 0.0.0.255

  IP nat inside source map route SHEEP interface Dialer 0 overload

  access-list 110 deny ip 10.10.10.0 0.0.0.255 10.0.43.0 0.0.0.255

  access-list 110 permit ip 10.10.10.0 0.0.0.255 any

  SHEEP allowed 10 route map

  corresponds to the IP 110

  Note: remote site (SFsence) of 10.0.43.0/24

  local site router Cisco SR520 10.10.10.0/29

  Glad to know everything works now,

  Please check the question as answered so future users can learn on this basis.

  Kind regards

• Configure VPN site to site with CCP

  Hello

  I have several VPN site to site of small offices, at Headquarters.

  Is possible to make a single configuration for all virtual private networks on the "vpn server"(ISR 1801) or I still need to add an entry for each VPN subnet? ". If Yes, is possible with the CCP?

  Kind regards

  Nuno

  You can then configure the VPN using CCP.

  I prefer the command line, and if there are many VPN from Site to Site, you can have a model, and what's happening to one VPN to another is interesting traffic, the INVESTIGATION period by peers and the pre-shared key.

  It depends on the policy.

  Federico.

• Site of the error of phase 2 for the VPN site

  Dear all,

  We have a VPN site to site with a partner, we need to access three different hosts on the network of partners. Phase 1 came but there is problem with the guests of the three phase 2 we can only connected with a host of others are not connected, and they all share the same settings.

  Below is show access ip list matching packages shown but connection to host failed

  With the crypto ipsec to see his I saw send error and I don't know what could be responsible.

  Any body who could be wrong please help me to am exhausted.

  access-list

  10 permit ip host 4.2.3.1 4.2.6.22 (647594 matches)
  20 permit ip host 4.2.3.14 4.2.6.64 (47794 matches)
  30 permit ip host 41.2.3.37 41.2.6.76 (581720 matches)

  Crypto ipsec to show his

  local ident (addr, mask, prot, port): (41.2.3.37/255.255.255.255/0/0)
  Remote ident (addr, mask, prot, port): (4.2.6.76/255.255.255.255/0/0)
  current_peer 4.2.6.24 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
   Errors #send 198, #recv errors 0

  local crypto endpt. : 4.2.3.16, remote Start crypto. : 4.2.6.24
  clearly, mtu 1500, path mtu 1500, mtu 1500 ip mtu IDB FastEthernet4 ip
  current outbound SPI: 0x0 (0)
  PFS (Y/N): N, Diffie-Hellman group: no

  SAS of the esp on arrival:

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:

  outgoing ah sas:

  outgoing CFP sas:

  local ident (addr, mask, prot, port): (4.2.3.14/255.255.255.255/0/0)
  Remote ident (addr, mask, prot, port): (4.2.6.64/255.255.255.255/0/0)
  current_peer 4.2.6.24 port 500
  PERMITS, flags = {origin_is_acl, ipsec_sa_request_sent}
  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
      Errors #send 508, #recv errors 0

  local crypto endpt. : 4.2.3.16, remote Start crypto. : 4.2.6.24
  clearly, mtu 1500, path mtu 1500, mtu 1500 ip mtu IDB FastEthernet4 ip
  current outbound SPI: 0x0 (0)
  PFS (Y/N): N, Diffie-Hellman group: no

  SAS of the esp on arrival:

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:

  outgoing ah sas:

  outgoing CFP sas:

  Edit: can you put the configuration on both sides of the tunnel? Otherwise re - check once more the configs on both sides

• Next hop for the static route on the VPN site to site ASA?

  Hi all

  I would be grateful if someone could help me with my problem ASA/misunderstanding. I have a VPN site-to site on a SAA. I want to add a floating static route to point to the VPN on the ASA. Note that the traffic in this way is not with in subnets cryptographic ACL that is used to bring up the VPN. This VPN is used only as a backup.

  The static route with the next hop add local public address or the remote public address of the VPN? The next break maybe local ASA isp internet facing interface? I intend to do on the ASDM. I'm sorry if it's a simple question but I found no material that explains this?

  Concerning

  Ahh, ok, makes sense.

  The next hop should be the next jump to the interface that ends the VPN connection, essentially the same as your Internet connection / outside the next hop interface.

  Example of topology:

  Site B (outside interface - 1.1.1.1) - (next hop: 1.1.1.2) Internet

  The static route must tell:

  outdoor 10.2.2.2 255.255.255.255 1.1.1.2 200

  I hope this helps.

• VPN site to site of simple laboratory works no - pix to pix

  Hi all I have a lab at home configuring vpn site to site between 2 cisco pix 501 devices, but it does not work. Can anyone help, I have attached the followign run configs. Thank you

  PIX Version 6.2 (1)

  ethernet0 nameif outside security0

  nameif ethernet1 inside the security100

  activate the encrypted password of NuLKvvWGg.x9HEKO

  2KFQnbNIdI.2KYOU encrypted passwd

  hostname CiscoPix2

  domain ciscopix.com

  fixup protocol ftp 21

  fixup protocol http 80

  fixup protocol h323 h225 1720

  fixup protocol h323 ras 1718-1719

  fixup protocol they 389

  fixup protocol rsh 514

  fixup protocol rtsp 554

  fixup protocol smtp 25

  fixup protocol sqlnet 1521

  fixup protocol sip 5060

  fixup protocol 2000 skinny

  names of

  access-list ping_acl allow icmp a whole

  access-list 90 allow ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0

  access-list 100 permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0

  pager lines 24

  interface ethernet0 10baset

  interface ethernet1 10full

  Outside 1500 MTU

  Within 1500 MTU

  IP 10.0.0.2 255.255.255.0 outside

  IP address 192.168.1.100 within 255.255.255.0

  alarm action IP verification of information

  alarm action attack IP audit

  history of PDM activate

  ARP timeout 14400

  NAT (inside) - 0-90 access list

  Access-group ping_acl in interface outside

  ping_acl access to the interface inside group

  Route outside 0.0.0.0 0.0.0.0 10.0.0.1 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0: 10:00 udp 0:02:00 CPP 0: h323 from 10:00 0:05:00 sip 0:30:00 sip_media 0:02:00

  Timeout, uauth 0:05:00 absolute

  GANYMEDE + Protocol Ganymede + AAA-server

  RADIUS Protocol RADIUS AAA server

  AAA-server local LOCAL Protocol

  Enable http server

  http 0.0.0.0 0.0.0.0 inside

  No snmp server location

  No snmp Server contact

  SNMP-Server Community public

  No trap to activate snmp Server

  enable floodguard

  Permitted connection ipsec sysopt

  No sysopt route dnat

  Crypto ipsec transform-set strong esp-3des esp-sha-hmac

  20 topix1 of ipsec-isakmp crypto map

  correspondence address 20 card crypto topix1 100

  crypto topix1 20 card set peer 10.0.0.1

  20 strong crypto topix1 transform-set card game

  topix1 interface card crypto outside

  ISAKMP allows outside

  ISAKMP key * address 10.0.0.1 netmask 255.255.255.255

  part of pre authentication ISAKMP policy 8

  encryption of ISAKMP strategy 8

  ISAKMP strategy 8 sha hash

  8 1 ISAKMP policy group

  ISAKMP life duration strategy 8 the 86400

  Telnet timeout 5

  SSH timeout 5

  Terminal width 80

  Cryptochecksum:81f37c16401555abe7299b5a95e69d3d

  : end

  //////////////////////////////////////////////////////////////

  6.3 (3) version PIX

  interface ethernet0 car

  interface ethernet1 100full

  ethernet0 nameif outside security0

  nameif ethernet1 inside the security100

  activate the encrypted password of NuLKvvWGg.x9HEKO

  NuLKvvWGg.x9HEKO encrypted passwd

  pixfirewall hostname

  domain ciscopix.com

  fixup protocol dns-length maximum 512

  fixup protocol ftp 21

  fixup protocol h323 h225 1720

  fixup protocol h323 ras 1718-1719

  fixup protocol http 80

  fixup protocol rsh 514

  fixup protocol rtsp 554

  fixup protocol sip 5060

  fixup protocol sip udp 5060

  fixup protocol 2000 skinny

  fixup protocol smtp 25

  fixup protocol sqlnet 1521

  fixup protocol tftp 69

  names of

  access-list ping_acl allow icmp a whole

  access-list 90 allow ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0

  access-list 100 permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0

  pager lines 24

  Outside 1500 MTU

  Within 1500 MTU

  IP 10.0.0.1 255.255.255.0 outside

  IP address inside 192.168.0.100 255.255.255.0

  alarm action IP verification of information

  alarm action attack IP audit

  history of PDM activate

  ARP timeout 14400

  NAT (inside) - 0-90 access list

  Access-group ping_acl in interface outside

  ping_acl access to the interface inside group

  Route outside 0.0.0.0 0.0.0.0 10.0.0.2 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

  H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

  Timeout, uauth 0:05:00 absolute

  GANYMEDE + Protocol Ganymede + AAA-server

  RADIUS Protocol RADIUS AAA server

  AAA-server local LOCAL Protocol

  Enable http server

  http 0.0.0.0 0.0.0.0 outdoors

  http 0.0.0.0 0.0.0.0 inside

  No snmp server location

  No snmp Server contact

  SNMP-Server Community public

  No trap to activate snmp Server

  enable floodguard

  Permitted connection ipsec sysopt

  Crypto ipsec transform-set strong esp-3des esp-sha-hmac

  20 topix2 of ipsec-isakmp crypto map

  correspondence address 20 card crypto topix2 100

  crypto topix2 20 card set peer 10.0.0.2

  20 strong crypto topix2 transform-set card game

  topix2 interface card crypto outside

  ISAKMP allows outside

  ISAKMP key * address 10.0.0.2 netmask 255.255.255.255

  part of pre authentication ISAKMP policy 8

  encryption of ISAKMP strategy 8

  ISAKMP strategy 8 sha hash

  8 1 ISAKMP policy group

  ISAKMP life duration strategy 8 the 86400

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  Terminal width 80

  Cryptochecksum:4558d14bca52c36021eeab79729ee63b

  : end

  The first problem I see is that the access list that is used to identify the VPN traffic allows traffic from your home subnet for the external subnet of the peer but not inside the subnet of the peer.

  HTH

  Rick

• VPN site to Site, as a part of the work of the ACL, why?

  I built a VPN site-to site IPsec from A to B, I have about 10 different subnets in the traffice interesting ACL, now, I can get some subnets don't talk to each other, no problem, but some may not.  For example, A to site B 10.1.0.1 subnet was not working, but 10.100.0.1 has functioned and 10.1.0.1 and 10.100.0.1 is actually two interfaces VLAN on a same router.

  Debugging of the ICMP has shown, when A ping to 10.1 and 10.100, the firewall at site B receives pings of echo from site A and also the echo of ping time reply 10.1 recevived and 10,100, but only the firewall received echo response from the 10,100.  looked like Firewall VPN B has no echo response 10.1 the site in some way

  Config enabled on both sites several times, is unable to identify the problems and the incompatibility. 10.1.0.0/24 and 10.100.0.0/24 are two network objects in the same ACL.

  The Super Cisco can provide some advice, what could go wrong, what I could use to troubleshoot...

  Thank you very much.

  PS everthing worked perfectly for a few days, then I had the problem of loss of package on the Web link, now the VPN tunnel is up, no config has been changed, but some just subnets not achieved through the VPN.

  W.

  Hello Yue,

  WOW, that's weard.

  Good thing is that now everything works now and believe me, it won't happen to you once again, you and I will know what to do next time... lol

  If possible please brand of answering the question as to future users with the same problem will know what to do based on your experience.

  Kind regards

  Julio

• VPN site to Site btw Pix535 and 2811 router, can't get to work

  Hi, everyone, I spent a few days doing a VPN site-to site between PIX535 and 2811 router but returned empty-handed, I followed the instructions here:

  http://www.Cisco.com/en/us/products/ps9422/products_configuration_example09186a0080b4ae61.shtml

  #1: config PIX:

  : Saved

  : Written by enable_15 to the 18:05:33.678 EDT Saturday, October 20, 2012

  !

  8.0 (4) version PIX

  !

  hostname pix535

  !

  interface GigabitEthernet0

  Description to cable-modem

  nameif outside

  security-level 0

  address IP X.X.138.132 255.255.255.0

  OSPF cost 10

  !

  interface GigabitEthernet1

  Description inside 10/16

  nameif inside

  security-level 100

  IP 10.1.1.254 255.255.0.0

  OSPF cost 10

  !

  outside_access_in of access allowed any ip an extended list

  access extensive list ip 10.1.0.0 inside_nat0_outbound allow 255.255.0.0 10.20.0.0 255.255.0.0

  inside_nat0_outbound list of allowed ip extended access all 10.1.1.192 255.255.255.248

  outside_cryptomap_dyn_60 list of allowed ip extended access all 10.1.1.192 255.255.255.248

  access extensive list ip 10.1.0.0 outside_1_cryptomap allow 255.255.0.0 10.20.0.0 255.255.0.0

  pager lines 24

  cnf-8-ip 10.1.1.192 mask - 10.1.1.199 IP local pool 255.255.0.0

  Global interface 10 (external)

  15 1.2.4.5 (outside) global

  NAT (inside) 0-list of access inside_nat0_outbound

  NAT (inside) 15 10.1.0.0 255.255.0.0

  Access-group outside_access_in in interface outside

  Route outside 0.0.0.0 0.0.0.0 X.X.138.1 1

  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA MD5-ESP-3DES ESP-DES-MD5

  life together - the association of security crypto dynamic-map outside_dyn_map 20 28800 seconds

  Crypto-map dynamic outside_dyn_map 20 kilobytes of life together - the association of safety 4608000

  Crypto-map dynamic outside_dyn_map 40 value transform-set ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA

  life together - the association of security crypto dynamic-map outside_dyn_map 40 28800 seconds

  Crypto-map dynamic outside_dyn_map 40 kilobytes of life together - the association of safety 4608000

  Dynamic crypto map outside_dyn_map 60 match address outside_cryptomap_dyn_60

  Crypto-map dynamic outside_dyn_map 60 value transform-set ESP-3DES-MD5 ESP-3DES-SHA ESP-DES-MD5 ESP-DES-SHA

  life together - the association of security crypto dynamic-map outside_dyn_map 60 28800 seconds

  Crypto-map dynamic outside_dyn_map 60 kilobytes of life together - the association of safety 4608000

  Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

  Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-SHA-3DES ESP-MD5-3DES ESP-DES-SHA ESP-DES-MD5

  Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define security association lifetime 28800 seconds

  cryptographic kilobytes 4608000 life of the set - the association of security of the 65535 SYSTEM_DEFAULT_CRYPTO_MAP of the dynamic-map

  card crypto outside_map 1 match address outside_1_cryptomap

  outside_map game 1 card crypto peer X.X.21.29

  card crypto outside_map 1 set of transformation-ESP-DES-SHA

  outside_map map 1 lifetime of security association set seconds 28800 crypto

  card crypto outside_map 1 set security-association life kilobytes 4608000

  outside_map card crypto 65534 isakmp ipsec dynamic SYSTEM_DEFAULT_CRYPTO_MAP

  map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

  outside_map interface card crypto outside

  ISAKMP crypto identity hostname

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  the Encryption

  sha hash

  Group 1

  life 86400

  crypto ISAKMP policy 20

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  crypto ISAKMP policy 65535

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  Crypto isakmp nat-traversal 3600

  internal GroupPolicy1 group strategy

  cnf-vpn-cls group policy internal

  attributes of cnf-vpn-cls-group policy

  value of 10.1.1.7 WINS server

  value of 10.1.1.7 DNS server 10.1.1.205

  Protocol-tunnel-VPN IPSec l2tp ipsec

  field default value x.com

  sean U/h5bFVjXlIDx8BtqPFrQw password user name is nt encrypted

  IPSec-attributes tunnel-group DefaultRAGroup

  pre-shared-key secret1

  RADIUS-sdi-xauth

  tunnel-group DefaultRAGroup ppp-attributes

  ms-chap-v2 authentication

  tunnel-group cnf-vpn-cls type remote access

  tunnel-group global cnf-vpn-cls-attributes

  cnf-8-ip address pool

  Group Policy - by default-cnf-vpn-cls

  tunnel-group cnf-CC-vpn-ipsec-attributes

  pre-shared-key secret2

  ISAKMP ikev1-user authentication no

  tunnel-group cnf-vpn-cls ppp-attributes

  ms-chap-v2 authentication

  tunnel-group X.X.21.29 type ipsec-l2l

  IPSec-attributes tunnel-Group X.X.21.29

  Pre-shared key SECRET

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  !

  global service-policy global_policy

  context of prompt hostname

  Cryptochecksum:9780edb09bc7debe147db1e7d52ec39c

  : end

  #2: 2811 router config:

  !

  ! Last configuration change to 09:15:32 PST Friday, October 19, 2012 by cnfla

  ! NVRAM config update at 13:45:03 PST Tuesday, October 16, 2012

  !

  version 12.4

  horodateurs service debug datetime msec

  Log service timestamps datetime msec

  no password encryption service

  !

  hostname THE-2800

  !

  !

  Crypto pki trustpoint TP-self-signed-1411740556

  enrollment selfsigned

  name of the object cn = IOS - Self - signed - certificate - 1411740556

  revocation checking no

  rsakeypair TP-self-signed-1411740556

  !

  !

  TP-self-signed-1411740556 crypto pki certificate chain

  certificate self-signed 01

  308201A 8 A0030201 02020101 3082023F 300 D 0609 2A 864886 F70D0101 04050030

  2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30

  69666963 31343131 37343035 6174652D 3536301E 170 3132 31303136 32303435

  30335A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D

  4F532D53 5369676E 656C662D 43 65727469 66696361 74652 31 34313137 65642D

  34303535 3630819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101

  8100F75F F1BDAD9B DE9381FD 7EAF9685 CF15A317 165B 5188 1 B 424825 9C66AA28

  C990B2D3 D69A2F0F D745DB0E 2BB4995D 73415AC4 F01B2019 C4BCF9E0 84373199

  E599B86C 17DBDCE6 47EBE0E3 8DBC90B2 9B4E217A 87F04BF7 A182501E 24381019

  A61D2C05 5404DE88 DA2A1ADC A81B7F65 C318B697 7ED69DF1 2769E4C8 F3449B33

  010001A 3 67306530 1 130101 FF040530 030101FF 30120603 0F060355 35AF0203

  1104 B 0 300982 074C412D 32383030 551D 551 2304 18301680 14B56EEB 301F0603

  88054CCA BB8CF8E8 F44BFE2C B77954E1 52301 D 06 04160414 B56EEB88 03551D0E

  054CCABB 8CF8E8F4 4BFE2CB7 7954E152 300 D 0609 2A 864886 F70D0101 04050003

  81810056 58755 56 331294F8 BEC4FEBC 54879FF5 0FCC73D4 B964BA7A 07D 20452

  E7F40F42 8B 355015 77156C9F AAA45F9F 59CDD27F 89FE7560 F08D953B FC19FD2D

  310DA96E A5F3E83B 52D515F8 7B4C99CF 4CECC3F7 1A0D4909 BD08C373 50BB53CC

  659 4246 2CB7B79F 43D94D96 586F9103 9B4659B6 5C8DDE4F 7CC5FC68 C4AD197A 4EC322 C

  quit smoking

  !

  !

  !

  crypto ISAKMP policy 1

  preshared authentication

  ISAKMP crypto key address SECRET X.X.138.132 No.-xauth

  !

  !

  Crypto ipsec transform-set the-2800-trans-set esp - esp-sha-hmac

  !

  map 1 la-2800-ipsec policy ipsec-isakmp crypto

  ipsec vpn Description policy

  defined by peer X.X.138.132

  the transform-set the-2800-trans-set value

  match address 101

  !

  !

  !

  !

  !

  !

  interface FastEthernet0/0

  Description WAN side

  address IP X.X.216.29 255.255.255.248

  NAT outside IP

  IP virtual-reassembly

  automatic duplex

  automatic speed

  No cdp enable

  No mop enabled

  card crypto 2800-ipsec-policy

  !

  interface FastEthernet0/1

  Description side LAN

  IP 10.20.1.1 255.255.255.0

  IP nat inside

  IP virtual-reassembly

  full duplex

  automatic speed

  No mop enabled

  !

  IP nat inside source map route sheep interface FastEthernet0/0 overload

  access-list 10 permit X.X.138.132

  access-list 99 allow 64.236.96.53

  access-list 99 allow 98.82.1.202

  access list 101 remark vpn tunnerl acl

  Note access-list 101 category SDM_ACL = 4

  policy of access list 101 remark tunnel

  access-list 101 permit ip 10.20.0.0 0.0.0.255 10.1.0.0 0.0.255.255

  access-list 110 deny ip 10.20.0.0 0.0.0.255 10.1.0.0 0.0.255.255

  access-list 110 permit ip 10.20.0.0 0.0.0.255 any

  public RO SNMP-server community

  !

  !

  !

  sheep allowed 10 route map

  corresponds to the IP 110

  !

  !

  !

  !

  WebVPN gateway gateway_1

  IP address X.X.216.29 port 443

  SSL trustpoint TP-self-signed-1411740556

  development

  !

  WebVPN install svc flash:/webvpn/svc.pkg

  !

  WebVPN gateway-1 context

  title 'b '.

  secondary-color white

  color of the title #CCCC66

  text-color black

  SSL authentication check all

  !

  !

  policy_1 political group

  functions compatible svc

  SVC-pool of addresses "WebVPN-Pool."

  SVC Dungeon-client-installed

  SVC split include 10.20.0.0 255.255.0.0

  Group Policy - by default-policy_1

  Gateway gateway_1

  development

  !

  !

  end

  #3: test Pix to the router:

  
  

  ITS enabled: 1

  Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)

  Total SA IKE: 1

  1 peer IKE: X.X.21.29

  Type: user role: initiator

  Generate a new key: no State: MM_WAIT_MSG2

  > DEBUG:

  12:07:14 pix535:Oct 22 Oct 22 12:20:28 EDT: % PIX-vpn-3-713902: IP = X.X.21.29, Removing peer to peer table has not, no match
  !
  22 Oct 12:07:14 pix535: 22 Oct 12:20:28 EDT: % PIX-vpn-4-713903: IP = X.X.21.29, error: cannot delete PeerTblEntry
  #4: test the router to pix:
  LA - 2800 #sh crypto isakmp his
  IPv4 Crypto ISAKMP Security Association
  status of DST CBC State conn-id slot
  X.X.138.132 X.X.216.29 MM_KEY_EXCH 1017 ASSETS 0
  > debug
  LA - 2800 #ping 10.1.1.7 source 10.20.1.1

  Type to abort escape sequence.

  Send 5, echoes ICMP 100 bytes to 10.1.1.7, time-out is 2 seconds:

  Packet sent with a source address of 10.20.1.1

  Oct 22 16:24:33.945: ISAKMP: (0): profile of THE request is (NULL)

  22 Oct 16:24:33.945: ISAKMP: created a struct peer X.X.138.132, peer port 500

  22 Oct 16:24:33.945: ISAKMP: new created position = 0x488B25C8 peer_handle = 0 x 80000013

  22 Oct 16:24:33.945: ISAKMP: lock struct 0x488B25C8, refcount 1 to peer isakmp_initiator

  22 Oct 16:24:33.945: ISAKMP: 500 local port, remote port 500

  22 Oct 16:24:33.945: ISAKMP: set new node 0 to QM_IDLE

  22 Oct 16:24:33.945: ISAKMP: find a dup her to the tree during the isadb_insert his 487720 A 0 = call BVA

  22 Oct 16:24:33.945: ISAKMP: (0): cannot start aggressive mode, try the main mode.

  22 Oct 16:24:33.945: ISAKMP: (0): pair found pre-shared key matching 70.169.138.132

  Oct 22 16:24:33.945: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID

  Oct 22 16:24:33.945: ISAKMP: (0): built the seller-07 ID NAT - t

  Oct 22 16:24:33.945: ISAKMP: (0): built of NAT - T of the seller-03 ID

  Oct 22 16:24:33.945: ISAKMP: (0): built the seller-02 ID NAT - t

  22 Oct 16:24:33.945: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

  22 Oct 16:24:33.945: ISAKMP: (0): former State = new State IKE_READY = IKE_I_MM1

  Oct 22 16:24:33.945: ISAKMP: (0): Beginner Main Mode Exchange

  Oct 22 16:24:33.945: ISAKMP: (0): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_NO_STATE

  22 Oct 16:24:33.945: ISAKMP: (0): sending a packet IPv4 IKE.

  22 Oct 16:24:34.049: ISAKMP (0:0): packet received dport 500 sport Global 500 (I) MM_NO_STATE X.X.138.132

  22 Oct 16:24:34.049: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH

  22 Oct 16:24:34.049: ISAKMP: (0): former State = new State IKE_I_MM1 = IKE_I_MM2

  Oct 22 16:24:34.049: ISAKMP: (0): treatment ITS payload. Message ID = 0

  Oct 22 16:24:34.049: ISAKMP: (0): load useful vendor id of treatment

  Oct 22 16:24:34.049: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123

  Oct 22 16:24:34.049: ISAKMP: (0): provider ID is NAT - T v2

  Oct 22 16:24:34.049: ISAKMP: (0): load useful vendor id of treatment

  Oct 22 16:24:34.049: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 194

  22 Oct 16:24:34.053: ISAKMP: (0): pair found pre-shared key matching 70.169.138.132

  Oct 22 16:24:34.053: ISAKMP: (0): pre-shared key local found

  22 Oct 16:24:34.053: ISAKMP: analysis of the profiles for xauth...

  22 Oct 16:24:34.053: ISAKMP: (0): audit ISAKMP transform 1 against the policy of priority 1

  22 Oct 16:24:34.053: ISAKMP: DES-CBC encryption

  22 Oct 16:24:34.053: ISAKMP: SHA hash

  22 Oct 16:24:34.053: ISAKMP: default group 1

  22 Oct 16:24:34.053: ISAKMP: pre-shared key auth

  22 Oct 16:24:34.053: ISAKMP: type of life in seconds

  22 Oct 16:24:34.053: ISAKMP: life (IPV) 0 x 0 0 x 1 0 x 51 0x80

  22 Oct 16:24:34.053: ISAKMP: (0): atts are acceptable
  . Next payload is 0
  22 Oct 16:24:34.053: ISAKMP: (0): Acceptable atts: real life: 0
  22 Oct 16:24:34.053: ISAKMP: (0): Acceptable atts:life: 0
  22 Oct 16:24:34.053: ISAKMP: (0): fill atts in his vpi_length:4
  22 Oct 16:24:34.053: ISAKMP: (0): fill atts in his life_in_seconds:86400
  22 Oct 16:24:34.053: ISAKMP: (0): return real life: 86400
  22 Oct 16:24:34.053: ISAKMP: (0): timer life Started: 86400.
  Oct 22 16:24:34.053: ISAKMP: (0): load useful vendor id of treatment
  Oct 22 16:24:34.053: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
  Oct 22 16:24:34.053: ISAKMP: (0): provider ID is NAT - T v2
  Oct 22 16:24:34.053: ISAKMP: (0): load useful vendor id of treatment
  Oct 22 16:24:34.053: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 194
  22 Oct 16:24:34.053: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  22 Oct 16:24:34.053: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM2
  Oct 22 16:24:34.057: ISAKMP: (0): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_SA_SETUP
  22 Oct 16:24:34.057: ISAKMP: (0): sending a packet IPv4 IKE.
  22 Oct 16:24:34.057: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  22 Oct 16:24:34.057: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM3
  22 Oct 16:24:34.181: ISAKMP (0:0): packet received dport 500 sport Global 500 (I) MM_SA_SETUP X.X.138.132
  22 Oct 16:24:34.181: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  22 Oct 16:24:34.181: ISAKMP: (0): former State = new State IKE_I_MM3 = IKE_I_MM4
  Oct 22 16:24:34.181: ISAKMP: (0): processing KE payload. Message ID = 0
  Oct 22 16:24:34.217: ISAKMP: (0): processing NONCE payload. Message ID = 0
  22 Oct 16:24:34.217: ISAKMP: (0): pre-shared key found peer corresponding to X.X.138.132
  Oct 22 16:24:34.217: ISAKMP: (1018): load useful vendor id of treatment
  Oct 22 16:24:34.217: ISAKMP: (1018): provider ID is the unit
  Oct 22 16:24:34.217: ISAKMP: (1018): load useful vendor id of treatment
  Oct 22 16:24:34.217: ISAKMP: (1018): provider ID seems the unit/DPD but major incompatibility of 55
  Oct 22 16:24:34.217: ISAKMP: (1018): provider ID is XAUTH
  Oct 22 16:24:34.217: ISAKMP: (1018): load useful vendor id of treatment
  Oct 22 16:24:34.217: ISAKMP: (1018): addressing another box of IOS
  !
  Oct 22 16:24:34.221: ISAKMP: (1018): load useful vendor id of treatment
  22 Oct 16:24:34.221: ISAKMP: (1018): vendor ID seems the unit/DPD but hash mismatch
  22 Oct 16:24:34.221: ISAKMP: receives the payload type 20
  22 Oct 16:24:34.221: ISAKMP: receives the payload type 20
  22 Oct 16:24:34.221: ISAKMP: (1018): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  22 Oct 16:24:34.221: ISAKMP: (1018): former State = new State IKE_I_MM4 = IKE_I_MM4
  22 Oct 16:24:34.221: ISAKMP: (1018): send initial contact
  22 Oct 16:24:34.221: ISAKMP: (1018): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication
  22 Oct 16:24:34.221: ISAKMP (0:1018): payload ID
  next payload: 8
  type: 1
  address: X.X.216.29
  Protocol: 17
  Port: 500
  Length: 12
  22 Oct 16:24:34.221: ISAKMP: (1018): the total payload length: 12
  Oct 22 16:24:34.221: ISAKMP: (1018): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_KEY_EXCH
  22 Oct 16:24:34.221: ISAKMP: (1018): sending a packet IPv4 IKE.
  22 Oct 16:24:34.225: ISAKMP: (1018): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  22 Oct 16:24:34.225: ISAKMP: (1018): former State = new State IKE_I_MM4 = IKE_I_MM5
  ...
  22 Oct 16:24:38.849: ISAKMP: (1017): purge the node 198554740
  22 Oct 16:24:38.849: ISAKMP: (1017): purge the node 812380002
  22 Oct 16:24:38.849: ISAKMP: (1017): purge node 773209335...
  Success rate is 0% (0/5)
  # THE-2800
  Oct 22 16:24:44.221: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH...
  22 Oct 16:24:44.221: ISAKMP (0:1018): increment the count of errors on his, try 1 5: retransmit the phase 1
  Oct 22 16:24:44.221: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH
  Oct 22 16:24:44.221: ISAKMP: (1018): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_KEY_EXCH
  22 Oct 16:24:44.221: ISAKMP: (1018): sending a packet IPv4 IKE.
  22 Oct 16:24:44.317: ISAKMP (0:1018): packet received dport 500 sport Global 500 (I) MM_KEY_EXCH X.X.138.132
  Oct 22 16:24:44.317: ISAKMP: (1018): package of phase 1 is a duplicate of a previous package.
  Oct 22 16:24:44.321: ISAKMP: (1018): retransmission jumped to the stage 1 (time elapsed since the last transmission 96)
  22 Oct 16:24:48.849: ISAKMP: (1017): serving SA., his is 469BAD60, delme is 469BAD60
  22 Oct 16:24:52.313: ISAKMP (0:1018): packet received dport 500 sport Global 500 (I) MM_KEY_EXCH X.X.138.132
  Oct 22 16:24:52.313: ISAKMP: (1018): package of phase 1 is a duplicate of a previous package.
  Oct 22 16:24:52.313: ISAKMP: (1018): retransmission due to phase 1 of retransmission
  Oct 22 16:24:52.813: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH...
  22 Oct 16:24:52.813: ISAKMP (0:1018): increment the count of errors on his, try 2 of 5: retransmit the phase 1
  Oct 22 16:24:52.813: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH
  Oct 22 16:24:52.813: ISAKMP: (1018): package X.X138.132 my_port 500 peer_port 500 (I) sending MM_KEY_EXCH
  22 Oct 16:24:52.813: ISAKMP: (1018): sending a packet IPv4 IKE.
  Oct 22 16:24:52.913: ISAKMP: (1018): package of phase 1 is a duplicate of a previous package.
  Oct 22 16:24:52.913: ISAKMP: (1018): retransmission jumped to the stage 1 (time elapsed since the last transmission of 100)
  22 Oct 16:25:00.905: ISAKMP (0:1018): packet received dport 500 sport Global 500 (I) MM_KEY_EXCH X.X.138.132
  22 Oct 16:25:00.905: ISAKMP: node set 422447177 to QM_IDLE
  ....
  22 Oct 16:25:03.941: ISAKMP: (1018): SA is still budding. New application of ipsec in the annex
  . (local 1 X. X.216.29, remote X.X.138.132)
  22 Oct 16:25:03.941: ISAKMP: error during the processing of HIS application: failed to initialize SA
  22 Oct 16:25:03.941: ISAKMP: error while processing message KMI 0, error 2.
  Oct 22 16:25:12.814: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH...
  22 Oct 16:25:12.814: ISAKMP (0:1018): increment the count of errors on his, try 4 out 5: retransmit the phase 1
  Oct 22 16:25:12.814: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH
  Oct 22 16:25:12.814: ISAKMP: (1018): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_KEY_EXCH
  22 Oct 16:25:12.814: ISAKMP: (1018): sending a packet IPv4 IKE.
  Oct 22 16:25:22.814: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH...
  22 Oct 16:25:22.814: ISAKMP (0:1018): increment the count of errors on his, try 5 of 5: retransmit the phase 1
  Oct 22 16:25:22.814: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH
  Oct 22 16:25:22.814: ISAKMP: (1018): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_KEY_EXCH
  22 Oct 16:25:22.814: ISAKMP: (1018): sending a packet IPv4 IKE.
  Oct 22 16:25:32.814: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH...
  22 Oct 16:25:32.814: ISAKMP: (1018): peer does not paranoid KeepAlive.
  ......

  22 Oct 16:25:32.814: ISAKMP: (1018): removal of reason ITS status of 'Death by retransmission P1' (I) MM_KEY_EXCH (post 70.169.138.132)

  22 Oct 16:25:32.814: ISAKMP: (1018): removal of reason ITS status of 'Death by retransmission P1' (I) MM_KEY_EXCH (post 70.169.138.132)

  22 Oct 16:25:32.814: ISAKMP: Unlocking counterpart struct 0x488B25C8 for isadb_mark_sa_deleted(), count 0

  22 Oct 16:25:32.814: ISAKMP: delete peer node by peer_reap for X.X.138.132: 488B25C8

  22 Oct 16:25:32.814: ISAKMP: (1018): error suppression node 1112432180 FALSE reason 'IKE deleted.

  22 Oct 16:25:32.814: ISAKMP: (1018): error suppression node 422447177 FALSE reason 'IKE deleted.

  22 Oct 16:25:32.814: ISAKMP: (1018): node-278980615 error suppression FALSE reason 'IKE deleted.

  22 Oct 16:25:32.814: ISAKMP: (1018): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

  22 Oct 16:25:32.814: ISAKMP: (1018): former State = new State IKE_I_MM5 = IKE_DEST_SA

  22 Oct 16:26:22.816: ISAKMP: (1018): purge the node 1112432180

  22 Oct 16:26:22.816: ISAKMP: (1018): purge the node 422447177

  22 Oct 16:26:22.816: ISAKMP: (1018): purge the node-278980615

  22 Oct 16:26:32.816: ISAKMP: (1018): serving SA., its A 487720, 0 =, delme = A 487720, 0

  The PIX is also used VPN client, such as the VPN Cicso 5.0 client access, works very well. Router is used as a server SSL VPN, too much work

  I know there are a lot of data here, I hope that these data may be useful for diagnostic purposes.

  All suggestions and tips are greatly appreciated.

  Sean

  Recommended action:

  On the PIX:

  no card crypto outside_map 1

  !

  crypto ISAKMP policy 5

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  !

  card crypto outside_map 10 correspondence address outside_1_cryptomap

  crypto outside_map 10 peer X.X.216.29 card game

  outside_map crypto 10 card value transform-set ESP-3DES-SHA

  life safety association set card crypto outside_map 10 28800 seconds

  card crypto outside_map 10 set security-association life kilobytes 4608000

  !

  tunnel-group X.X.216.29 type ipsec-l2l

  IPSec-attributes tunnel-Group X.X.216.29

  Pre-shared key SECRET

  !

  On the router:

  crypto ISAKMP policy 10

  preshared authentication

  Group 2

  3des encryption

  !

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  output

  !

  card 10 la-2800-ipsec policy ipsec-isakmp crypto

  ipsec vpn Description policy

  defined by peer X.X.138.132

  game of transformation-ESP-3DES-SHA

  match address 101

  !

  No crypto card-2800-ipsec-policy 1

  Let me know how it goes.

  Portu.

  Please note all useful posts

  Post edited by: Javier Portuguez

• VPN site to Site, LRT214, Windows network active directory DNS, WINS, and DHCP

  Hi guys

  New to the forum. I'm trying to set up a network between 2 sites (one site to another). Each location has a DC with its own protocol, dhcp, dns and wins on the same domain service. I bought 2 LRT214 to establish the connection between the 2 sites.

  I tried searching, but all results are pretty generic (IE assuming you will use the LRT214 as DNS DHCP etc.).

  I went through the pages of the router configuration, and there are so many options. For my particular configuration objectives, which will be the best way to do this? Open vpn? EasyLink vpn? I think I'd rather do a standard vpn configuration, but then for that I have a lot of questions such as: security methods to use (FROM THE, 3DES, SHA1, MD5, etc.). can I export a cert of AD and import to the router, or export from the router and import to AD?

  I know the questions are in all directions and there is much more that I don't specifically know until I get by configuring this router at both ends. Just trying to come up with an initial plan. I guess someone must have made a similar setup and would like to know what is a good start (maybe less safe to operate), and while I get more familiar and it all worked, start to down to safety.

  Is there maybe a guide who walks through this installation with explanations of each parameter type?

  Sorry for the long post and thanks for any direction.

  I suggest you use the gateway to gateway installation and use all default settings it for this time. To start, you can try this link: http://kb.linksys.com/Linksys/ukp.aspx?vw=1&docid=240cfc1d772642dfad1deb7500a2fa6c_Creating_an_IPSec...

• Cisco ASA 5505 VPN Site to Site

  Hi all

  First post on the forums. I have worked with Cisco ASA 5505 for a few months and I recently bought a 2nd ASA to implement tunnel VPN Site to Site. It seems so simple in the number of videos watched on the internet. But when I did he surprise it did work for me... I've removed the tunnels, a number of times and tried to recreate. I use the VPN Wizard in the SMA to create the tunnel. Both the asa 5505 of are and have the same firmware even etc..

  I'd appreciate any help that can be directed to this problem please.  Slowly losing my mind

  Please see details below:

  Two ADMS are 7.1

  IOS

  ASA 1

  Nadia

  :

  ASA Version 9.0 (1)

  !

  hostname PAYBACK

  activate the encrypted password of HSMurh79NVmatjY0

  volatile xlate deny tcp any4 any4

  volatile xlate deny tcp any4 any6

  volatile xlate deny tcp any6 any4

  volatile xlate deny tcp any6 any6

  volatile xlate deny udp any4 any4 eq field

  volatile xlate deny udp any4 any6 eq field

  volatile xlate deny udp any6 any4 eq field

  volatile xlate deny udp any6 any6 eq field

  2KFQnbNIdI.2KYOU encrypted passwd

  names of

  local pool VPN1 192.168.50.1 - 192.168.50.254 255.255.255.0 IP mask

  !

  interface Ethernet0/0

  switchport access vlan 2

  Speed 100

  full duplex

  !

  interface Ethernet0/1

  link Trunk Description of SW1

  switchport trunk allowed vlan 1,10,20,30,40

  switchport trunk vlan 1 native

  switchport mode trunk

  !

  interface Ethernet0/2

  !

  interface Ethernet0/3

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  !

  interface Vlan1

  No nameif

  no level of security

  no ip address

  !

  interface Vlan2

  nameif outside

  security-level 0

  IP 92.51.193.158 255.255.255.252

  !

  interface Vlan10

  nameif inside

  security-level 100

  IP 192.168.10.1 255.255.255.0

  !

  interface Vlan20

  nameif servers

  security-level 100

  address 192.168.20.1 255.255.255.0

  !

  Vlan30 interface

  nameif printers

  security-level 100

  192.168.30.1 IP address 255.255.255.0

  !

  interface Vlan40

  nameif wireless

  security-level 100

  192.168.40.1 IP address 255.255.255.0

  !

  connection line banner welcome to the Payback loyalty systems

  boot system Disk0: / asa901 - k8.bin

  passive FTP mode

  summer time clock GMT/IDT recurring last Sun Mar 01:00 last Sun Oct 02:00

  DNS domain-lookup outside

  DNS lookup field inside

  domain-lookup DNS servers

  DNS lookup domain printers

  DNS domain-lookup wireless

  DNS server-group DefaultDNS

  Server name 83.147.160.2

  Server name 83.147.160.130

  permit same-security-traffic inter-interface

  network obj_any object

  subnet 0.0.0.0 0.0.0.0

  ftp_server network object

  network of the Internal_Report_Server object

  Home 192.168.20.21

  Description address internal automated report server

  network of the Report_Server object

  Home 89.234.126.9

  Description of server automated reports

  service object RDP

  service destination tcp 3389 eq

  Description RDP to the server

  network of the Host_QA_Server object

  Home 89.234.126.10

  Description QA host external address

  network of the Internal_Host_QA object

  Home 192.168.20.22

  host of computer virtual Description for QA

  network of the Internal_QA_Web_Server object

  Home 192.168.20.23

  Description Web Server in the QA environment

  network of the Web_Server_QA_VM object

  Home 89.234.126.11

  Server Web Description in the QA environment

  service object SQL_Server

  destination eq 1433 tcp service

  network of the Demo_Server object

  Home 89.234.126.12

  Description server set up for the product demo

  network of the Internal_Demo_Server object

  Home 192.168.20.24

  Internal description of the demo server IP address

  network of the NETWORK_OBJ_192.168.20.0_24 object

  subnet 192.168.20.0 255.255.255.0

  network of the NETWORK_OBJ_192.168.50.0_26 object

  255.255.255.192 subnet 192.168.50.0

  network of the NETWORK_OBJ_192.168.0.0_16 object

  Subnet 192.168.0.0 255.255.0.0

  service object MSSQL

  destination eq 1434 tcp service

  MSSQL port description

  VPN network object

  192.168.50.0 subnet 255.255.255.0

  network of the NETWORK_OBJ_192.168.50.0_24 object

  192.168.50.0 subnet 255.255.255.0

  service object TS

  tcp destination eq 4400 service

  service of the TS_Return object

  tcp source eq 4400 service

  network of the External_QA_3 object

  Home 89.234.126.13

  network of the Internal_QA_3 object

  Home 192.168.20.25

  network of the Dev_WebServer object

  Home 192.168.20.27

  network of the External_Dev_Web object

  Home 89.234.126.14

  network of the CIX_Subnet object

  255.255.255.0 subnet 192.168.100.0

  network of the NETWORK_OBJ_192.168.10.0_24 object

  192.168.10.0 subnet 255.255.255.0

  network of the NETWORK_OBJ_84.39.233.50 object

  Home 84.39.233.50

  network of the NETWORK_OBJ_92.51.193.158 object

  Home 92.51.193.158

  network of the NETWORK_OBJ_192.168.100.0_24 object

  255.255.255.0 subnet 192.168.100.0

  network of the NETWORK_OBJ_192.168.1.0_24 object

  subnet 192.168.1.0 255.255.255.0

  object-group service DM_INLINE_SERVICE_1

  the tcp destination eq ftp service object

  the purpose of the tcp destination eq netbios-ssn service

  the purpose of the tcp destination eq smtp service

  service-object TS

  the Payback_Internal object-group network

  object-network 192.168.10.0 255.255.255.0

  object-network 192.168.20.0 255.255.255.0

  object-network 192.168.40.0 255.255.255.0

  object-group service DM_INLINE_SERVICE_3

  the purpose of the service tcp destination eq www

  the purpose of the tcp destination eq https service

  service-object TS

  service-object, object TS_Return

  object-group service DM_INLINE_SERVICE_4

  service-object RDP

  the purpose of the service tcp destination eq www

  the purpose of the tcp destination eq https service

  object-group service DM_INLINE_SERVICE_5

  purpose purpose of the MSSQL service

  service-object RDP

  service-object TS

  object-group Protocol TCPUDP

  object-protocol udp

  object-tcp protocol

  object-group service DM_INLINE_SERVICE_6

  service-object TS

  service-object, object TS_Return

  the purpose of the service tcp destination eq www

  the purpose of the tcp destination eq https service

  Note to outside_access_in to access list that this rule allows Internet the interal server.

  Notice on the outside_access_in of the access-list allowed:

  Comment from outside_access_in-list of FTP access

  Comment from outside_access_in-RDP access list

  Comment from outside_access_in-list of SMTP access

  Note to outside_access_in to access list Net Bios

  Comment from outside_access_in-SQL access list

  Comment from outside_access_in-list to access TS - 4400

  outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_1 any4 Internal_Report_Server

  access host access-list outside_access_in note rule internal QA

  Notice on the outside_access_in of the access-list allowed:

  Comment from outside_access_in-HTTP access list

  Comment from outside_access_in-RDP access list

  outside_access_in list extended access permitted tcp any4 object Internal_Host_QA eq www

  Notice on the outside_access_in of the access-list access to the internal Web server:

  Notice on the outside_access_in of the access-list allowed:

  Comment from outside_access_in-HTTP access list

  Comment from outside_access_in-RDP access list

  outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_3 any4 Internal_QA_Web_Server

  Note to outside_access_in to access list rule allowing access to the demo server

  Notice on the outside_access_in of the access-list allowed:

  Comment from outside_access_in-RDP access list

  Comment from outside_access_in-list to access MSSQL

  outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_4 any4 Internal_Demo_Server

  outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_5 any object Internal_QA_3

  Note to outside_access_in access to the development Web server access list

  outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_6 any object Dev_WebServer

  AnyConnect_Client_Local_Print deny any4 any4 ip extended access list

  AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq lpd

  Note AnyConnect_Client_Local_Print of access list IPP: Internet Printing Protocol

  AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq 631

  print the access-list AnyConnect_Client_Local_Print Note Windows port

  AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq 9100

  access-list AnyConnect_Client_Local_Print mDNS Note: multicast DNS protocol

  AnyConnect_Client_Local_Print list extended access permit udp host 224.0.0.251 any4 eq 5353

  AnyConnect_Client_Local_Print of access list LLMNR Note: link Local Multicast Name Resolution protocol

  AnyConnect_Client_Local_Print list extended access permit udp host 224.0.0.252 any4 eq 5355

  Note access list TCP/NetBIOS protocol AnyConnect_Client_Local_Print

  AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 EQ. 137

  AnyConnect_Client_Local_Print list extended access permitted udp any4 any4 eq netbios-ns

  Payback_VPN_splitTunnelAcl list standard access allowed 192.168.20.0 255.255.255.0

  permit outside_cryptomap to access extended list ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0

  pager lines 24

  Enable logging

  information recording console

  asdm of logging of information

  address record

  [email protected] / * /.

  the journaling recipient

  [email protected] / * /.

  level alerts

  Outside 1500 MTU

  Within 1500 MTU

  MTU 1500 servers

  MTU 1500 printers

  MTU 1500 wireless

  no failover

  ICMP unreachable rate-limit 1 burst-size 1

  ASDM image disk0: / asdm-711 - 52.bin

  don't allow no asdm history

  ARP timeout 14400

  no permit-nonconnected arp

  NAT (inside, outside) source Dynamics one interface

  NAT (wireless, outdoors) source Dynamics one interface

  NAT (servers, outside) no matter what source dynamic interface

  NAT (servers, external) static source Internal_Report_Server Report_Server

  NAT (servers, external) static source Internal_Host_QA Host_QA_Server

  NAT (servers, external) static source Internal_QA_Web_Server Web_Server_QA_VM

  NAT (servers, external) static source Internal_Demo_Server Demo_Server

  NAT (servers, external) static source NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 non-proxy-arp-search of route static destination

  NAT (servers, external) static source Internal_QA_3 External_QA_3

  NAT (servers, external) static source Dev_WebServer External_Dev_Web

  NAT (inside, outside) static source NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination

  NAT (inside, outside) static source NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 non-proxy-arp-search of route static destination

  Access-group outside_access_in in interface outside

  Route outside 0.0.0.0 0.0.0.0 92.51.193.157 1

  Timeout xlate 03:00

  Pat-xlate timeout 0:00:30

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  Floating conn timeout 0:00:00

  dynamic-access-policy-registration DfltAccessPolicy

  identity of the user by default-domain LOCAL
  the ssh LOCAL console AAA authentication
  Enable http server
  http 192.168.10.0 255.255.255.0 inside
  http 192.168.40.0 255.255.255.0 wireless
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
  Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
  Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
  Crypto ipsec ikev2 AES256 ipsec-proposal
  Protocol esp encryption aes-256
  Esp integrity sha - 1, md5 Protocol
  Crypto ipsec ikev2 ipsec-proposal AES192
  Protocol esp encryption aes-192
  Esp integrity sha - 1, md5 Protocol
  Crypto ipsec ikev2 ipsec-proposal AES
  Esp aes encryption protocol
  Esp integrity sha - 1, md5 Protocol
  Crypto ipsec ikev2 proposal ipsec 3DES
  Esp 3des encryption protocol
  Esp integrity sha - 1, md5 Protocol
  Crypto ipsec ikev2 ipsec-proposal OF
  encryption protocol esp
  Esp integrity sha - 1, md5 Protocol
  Crypto ipsec pmtu aging infinite - the security association
  card crypto outside_map 1 match address outside_cryptomap
  card crypto outside_map 1 set pfs
  peer set card crypto outside_map 1 84.39.233.50
  card crypto outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
  outside_map card crypto 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
  outside_map interface card crypto outside
  trustpool crypto ca policy
  IKEv2 crypto policy 1
  aes-256 encryption
  integrity sha
  Group 5
  FRP sha
  second life 86400
  IKEv2 crypto policy 10
  aes-192 encryption
  integrity sha
  Group 5
  FRP sha
  second life 86400
  IKEv2 crypto policy 20
  aes encryption
  integrity sha
  Group 5
  FRP sha
  second life 86400
  IKEv2 crypto policy 30
  3des encryption
  integrity sha
  Group 5
  FRP sha
  second life 86400
  IKEv2 crypto policy 40
  the Encryption
  integrity sha
  Group 5
  FRP sha
  second life 86400
  Crypto ikev2 activate out of service the customer port 443
  Crypto ikev1 allow outside
  IKEv1 crypto policy 10
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  Telnet timeout 5
  SSH 77.75.100.208 255.255.255.240 outside
  SSH 192.168.10.0 255.255.255.0 inside
  SSH 192.168.40.0 255.255.255.0 wireless
  SSH timeout 5
  Console timeout 0

  dhcpd 192.168.0.1 dns
  dhcpd outside auto_config
  !
  dhcpd address 192.168.10.21 - 192.168.10.240 inside
  dhcpd dns 192.168.20.21 83.147.160.2 interface inside
  paybackloyalty.com dhcpd option 15 inside ascii interface
  dhcpd allow inside
  !
  dhcpd address 192.168.40.21 - 192.168.40.240 Wireless
  dhcpd dns 192.168.20.21 83.147.160.2 wireless interface
  dhcpd update dns of the wireless interface
  dhcpd option 15 ascii paybackloyalty.com wireless interface
  dhcpd activate wireless
  !
  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  internal Payback_VPN group strategy
  attributes of Group Policy Payback_VPN
  VPN - 10 concurrent connections
  Ikev1 VPN-tunnel-Protocol
  Split-tunnel-policy tunnelspecified
  value of Split-tunnel-network-list Payback_VPN_splitTunnelAcl
  attributes of Group Policy DfltGrpPolicy
  value of 83.147.160.2 DNS server 83.147.160.130
  VPN-tunnel-Protocol ikev1, ikev2 clientless ssl
  internal GroupPolicy_84.39.233.50 group strategy
  attributes of Group Policy GroupPolicy_84.39.233.50
  VPN-tunnel-Protocol ikev1, ikev2
  Noelle XB/IpvYaATP.2QYm username encrypted password
  Noelle username attributes
  VPN-group-policy Payback_VPN
  type of remote access service
  username Éanna encrypted password privilege 0 vXILR9ZZQIsd1Naw
  Éanna attributes username
  VPN-group-policy Payback_VPN
  type of remote access service
  Michael qpbleUqUEchRrgQX of encrypted password username
  user name Michael attributes
  VPN-group-policy Payback_VPN
  type of remote access service
  username, password from Danny .7fEXdzESUk6S/cC encrypted privilege 0
  user name Danny attributes
  VPN-group-policy Payback_VPN
  type of remote access service
  Aileen tytrelqvV5VRX2pz encrypted password privilege 0 username
  user name Aileen attributes
  VPN-group-policy Payback_VPN
  type of remote access service
  Aidan aDu6YH0V5XaxpEPg encrypted password privilege 0 username
  Aidan username attributes
  VPN-group-policy Payback_VPN
  type of remote access service
  username password 6e6Djaz3W/XH59zX gordon encrypted privilege 15
  shane.c iqGMoWOnfO6YKXbw encrypted password username
  username shane.c attributes
  VPN-group-policy Payback_VPN
  type of remote access service
  Shane uYePLcrFadO9pBZx of encrypted password username
  user name Shane attributes
  VPN-group-policy Payback_VPN
  type of remote access service
  username, encrypted James TdYPv1pvld/hPM0d password
  user name James attributes
  VPN-group-policy Payback_VPN
  type of remote access service
  Mark yruxpddqfyNb.qFn of encrypted password username
  user name brand attributes
  type of service admin
  username password of Mary XND5FTEiyu1L1zFD encrypted
  user name Mary attributes
  VPN-group-policy Payback_VPN
  type of remote access service
  Massimo vs65MMo4rM0l4rVu encrypted password privilege 0 username
  Massimo username attributes
  VPN-group-policy Payback_VPN
  type of remote access service
  type tunnel-group Payback_VPN remote access
  attributes global-tunnel-group Payback_VPN
  VPN1 address pool
  Group Policy - by default-Payback_VPN
  IPSec-attributes tunnel-group Payback_VPN
  IKEv1 pre-shared-key *.
  tunnel-group 84.39.233.50 type ipsec-l2l
  tunnel-group 84.39.233.50 General-attributes
  Group - default policy - GroupPolicy_84.39.233.50
  IPSec-attributes tunnel-group 84.39.233.50
  IKEv1 pre-shared-key *.
  remote control-IKEv2 pre-shared-key authentication *.
  pre-shared-key authentication local IKEv2 *.
  !
  Global class-card class
  match default-inspection-traffic
  !
  !
  World-Policy policy-map
  Global category
  inspect the dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  Review the ip options
  inspect the netbios
  inspect the pptp
  inspect the rsh
  inspect the rtsp
  inspect the sip
  inspect the snmp
  inspect sqlnet
  inspect sunrpc
  inspect the tftp
  inspect xdmcp
  inspect the icmp error
  inspect the icmp
  !
  service-policy-international policy global
  192.168.20.21 SMTP server
  context of prompt hostname
  no remote anonymous reporting call
  call-home
  Profile of CiscoTAC-1
  no active account
  http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
  email address of destination [email protected] / * /
  destination-mode http transport
  Subscribe to alert-group diagnosis
  Subscribe to alert-group environment
  Subscribe to alert-group monthly periodic inventory
  monthly periodicals to subscribe to alert-group configuration
  daily periodic subscribe to alert-group telemetry
  Cryptochecksum:d06974501eb0327a5ed229c8445f4fe1

  ASA 2

  ASA Version 9.0 (1)

  !

  Payback-CIX hostname

  activate the encrypted password of HSMurh79NVmatjY0

  2KFQnbNIdI.2KYOU encrypted passwd

  names of

  !

  interface Ethernet0/0

  switchport access vlan 2

  Speed 100

  full duplex

  !

  interface Ethernet0/1

  Description this port connects to the local network VIRTUAL 100

  switchport access vlan 100

  !

  interface Ethernet0/2

  !

  interface Ethernet0/3

  switchport access vlan 100

  !

  interface Ethernet0/4

  switchport access vlan 100

  !

  interface Ethernet0/5

  switchport access vlan 100

  !

  interface Ethernet0/6

  switchport access vlan 100

  !

  interface Ethernet0/7

  switchport access vlan 100

  !

  interface Vlan2

  nameif outside

  security-level 0

  IP 84.39.233.50 255.255.255.240

  !

  interface Vlan100

  nameif inside

  security-level 100

  IP 192.168.100.1 address 255.255.255.0

  !

  banner welcome to Payback loyalty - CIX connection line

  passive FTP mode

  summer time clock gmt/idt recurring last Sun Mar 01:00 last Sun Oct 02:00

  DNS domain-lookup outside

  DNS lookup field inside

  DNS server-group defaultDNS

  Name-Server 8.8.8.8

  Server name 8.8.4.4

  permit same-security-traffic inter-interface

  network obj_any object

  subnet 0.0.0.0 0.0.0.0

  network of the host-CIX-1 object

  host 192.168.100.2

  Description This is the VM server host machine

  network object host-External_CIX-1

  Home 84.39.233.51

  Description This is the external IP address of the server the server VM host

  service object RDP

  source between 1-65535 destination eq 3389 tcp service

  network of the Payback_Office object

  Home 92.51.193.158

  service object MSQL

  destination eq 1433 tcp service

  network of the Development_OLTP object

  Home 192.168.100.10

  Description for Eiresoft VM

  network of the External_Development_OLTP object

  Home 84.39.233.52

  Description This is the external IP address for the virtual machine for Eiresoft

  network of the Eiresoft object

  Home 146.66.160.70

  Contractor s/n description

  network of the External_TMC_Web object

  Home 84.39.233.53

  Description Public address to the TMC Web server

  network of the TMC_Webserver object

  Home 192.168.100.19

  Internal description address TMC Webserver

  network of the External_TMC_OLTP object

  Home 84.39.233.54

  External targets OLTP IP description

  network of the TMC_OLTP object

  Home 192.168.100.18

  description of the interal target IP address

  network of the External_OLTP_Failover object

  Home 84.39.233.55

  IP failover of the OLTP Public description

  network of the OLTP_Failover object

  Home 192.168.100.60

  Server failover OLTP description

  network of the servers object

  subnet 192.168.20.0 255.255.255.0

  being Wired network

  192.168.10.0 subnet 255.255.255.0

  the subject wireless network

  192.168.40.0 subnet 255.255.255.0

  network of the NETWORK_OBJ_192.168.100.0_24 object

  255.255.255.0 subnet 192.168.100.0

  network of the NETWORK_OBJ_192.168.10.0_24 object

  192.168.10.0 subnet 255.255.255.0

  network of the Eiresoft_2nd object

  Home 137.117.217.29

  Description 2nd Eiresoft IP

  network of the Dev_Test_Webserver object

  Home 192.168.100.12

  Description address internal to the Test Server Web Dev

  network of the External_Dev_Test_Webserver object

  Home 84.39.233.56

  Description This is the PB Dev Test Webserver

  network of the NETWORK_OBJ_192.168.1.0_24 object

  subnet 192.168.1.0 255.255.255.0

  object-group service DM_INLINE_SERVICE_1

  service-object MSQL

  service-object RDP

  object-group service DM_INLINE_SERVICE_2

  service-object MSQL

  service-object RDP

  object-group service DM_INLINE_SERVICE_3

  service-object MSQL

  service-object RDP

  object-group service DM_INLINE_SERVICE_4

  service-object MSQL

  service-object RDP

  the tcp destination eq ftp service object

  object-group service DM_INLINE_SERVICE_5

  service-object MSQL

  service-object RDP

  the tcp destination eq ftp service object

  object-group service DM_INLINE_SERVICE_6

  service-object MSQL

  service-object RDP

  the Payback_Intrernal object-group network

  object-network servers

  Wired network-object

  wireless network object

  object-group service DM_INLINE_SERVICE_7

  service-object MSQL

  service-object RDP

  object-group service DM_INLINE_SERVICE_8

  service-object MSQL

  service-object RDP

  object-group service DM_INLINE_SERVICE_9

  service-object MSQL

  service-object RDP

  object-group service DM_INLINE_SERVICE_10

  service-object MSQL

  service-object RDP

  the tcp destination eq ftp service object

  object-group service DM_INLINE_SERVICE_11

  service-object RDP

  the tcp destination eq ftp service object

  outside_access_in list extended access allow object-group DM_INLINE_SERVICE_1 object Payback_Office object CIX-host-1

  Note to access list OLTP Development Office of recovery outside_access_in

  outside_access_in list extended access allow DM_INLINE_SERVICE_2 object Payback_Office object Development_OLTP object-group

  Comment from outside_access_in-access Eiresoft access list

  outside_access_in list extended access allow DM_INLINE_SERVICE_3 object Eiresoft object Development_OLTP object-group

  outside_access_in list extended access allow DM_INLINE_SERVICE_4 object Payback_Office object TMC_Webserver object-group

  Note to outside_access_in access to OLTP for target recovery Office Access list

  outside_access_in list extended access allow DM_INLINE_SERVICE_5 object Payback_Office object TMC_OLTP object-group

  outside_access_in list extended access allow DM_INLINE_SERVICE_6 object Payback_Office object OLTP_Failover object-group

  Note to outside_access_in access-list that's allowing access of the Eiresoft on the failover OLTP server

  outside_access_in list extended access allow DM_INLINE_SERVICE_7 object Eiresoft object OLTP_Failover object-group

  Comment from outside_access_in-access list access for the 2nd period of INVESTIGATION of Eiresoft

  outside_access_in list extended access allow DM_INLINE_SERVICE_8 object Eiresoft_2nd object Development_OLTP object-group

  Note to outside_access_in access from the 2nd IP Eiresoft access list

  outside_access_in list extended access allow DM_INLINE_SERVICE_9 object Eiresoft_2nd object OLTP_Failover object-group

  outside_access_in list extended access allow DM_INLINE_SERVICE_10 object Payback_Office object Dev_Test_Webserver object-group

  outside_access_in list extended access allow DM_INLINE_SERVICE_11 object Payback_Office object External_TMC_OLTP object-group

  outside_cryptomap to access extended list ip 192.168.100.0 allow 255.255.255.0 192.168.10.0 255.255.255.0

  pager lines 24

  Enable logging

  asdm of logging of information

  Outside 1500 MTU

  Within 1500 MTU

  ICMP unreachable rate-limit 1 burst-size 1

  don't allow no asdm history

  ARP timeout 14400

  no permit-nonconnected arp

  NAT (inside, outside) source Dynamics one interface

  NAT (inside, outside) static source CIX-host-1 External_CIX-host-1

  NAT (inside, outside) static source Development_OLTP External_Development_OLTP

  NAT (inside, outside) static source TMC_Webserver External_TMC_Web

  NAT (inside, outside) static source TMC_OLTP External_TMC_OLTP

  NAT (inside, outside) static source OLTP_Failover External_OLTP_Failover

  NAT (inside, outside) static source Dev_Test_Webserver External_Dev_Test_Webserver

  NAT (inside, outside) static source NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 non-proxy-arp-search of route static destination

  NAT (inside, outside) static source NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination

  Access-group outside_access_in in interface outside

  Route outside 0.0.0.0 0.0.0.0 84.39.233.49 1

  Timeout xlate 03:00

  Pat-xlate timeout 0:00:30

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  Floating conn timeout 0:00:00

  dynamic-access-policy-registration DfltAccessPolicy

  identity of the user by default-domain LOCAL

  the ssh LOCAL console AAA authentication

  Enable http server

  http 92.51.193.156 255.255.255.252 outside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac

  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac

  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac

  Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit

  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac

  Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit

  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac

  Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit

  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac

  Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit

  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac

  Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit

  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac

  Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit

  Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac

  Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac

  Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit

  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac

  Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit

  Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac

  Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac

  Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac

  Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit

  Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac

  Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit

  Crypto ipsec ikev2 ipsec-proposal OF

  encryption protocol esp
  Esp integrity sha - 1, md5 Protocol
  Crypto ipsec ikev2 proposal ipsec 3DES
  Esp 3des encryption protocol
  Esp integrity sha - 1, md5 Protocol
  Crypto ipsec ikev2 ipsec-proposal AES
  Esp aes encryption protocol
  Esp integrity sha - 1, md5 Protocol
  Crypto ipsec ikev2 ipsec-proposal AES192
  Protocol esp encryption aes-192
  Esp integrity sha - 1, md5 Protocol
  Crypto ipsec ikev2 AES256 ipsec-proposal
  Protocol esp encryption aes-256
  Esp integrity sha - 1, md5 Protocol
  Crypto ipsec pmtu aging infinite - the security association
  card crypto outside_map 1 match address outside_cryptomap
  card crypto outside_map 1 set pfs
  peer set card crypto outside_map 1 92.51.193.158
  card crypto outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
  outside_map card crypto 1jeu ikev2 AES AES192 AES256 3DES ipsec-proposal
  outside_map interface card crypto outside
  trustpool crypto ca policy
  IKEv2 crypto policy 1
  aes-256 encryption
  integrity sha
  Group 2 of 5
  FRP sha
  second life 86400
  IKEv2 crypto policy 10
  aes-192 encryption
  integrity sha
  Group 2 of 5
  FRP sha
  second life 86400
  IKEv2 crypto policy 20
  aes encryption
  integrity sha
  Group 2 of 5
  FRP sha
  second life 86400
  IKEv2 crypto policy 30
  3des encryption
  integrity sha
  Group 2 of 5
  FRP sha
  second life 86400
  IKEv2 crypto policy 40
  the Encryption
  integrity sha
  Group 2 of 5
  FRP sha
  second life 86400
  Crypto ikev2 allow outside
  Crypto ikev1 allow outside
  IKEv1 crypto policy 10
  authentication crack
  aes-256 encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 20
  authentication rsa - sig
  aes-256 encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 30
  preshared authentication
  aes-256 encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 40
  authentication crack
  aes-192 encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 50
  authentication rsa - sig
  aes-192 encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 60
  preshared authentication
  aes-192 encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 70
  authentication crack
  aes encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 80
  authentication rsa - sig
  aes encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 90
  preshared authentication
  aes encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 100
  authentication crack
  3des encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 110
  authentication rsa - sig
  3des encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 120
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 130
  authentication crack
  the Encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 140
  authentication rsa - sig
  the Encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 150
  preshared authentication
  the Encryption
  sha hash
  Group 2
  life 86400
  Telnet timeout 5
  SSH 77.75.100.208 255.255.255.240 outside
  SSH 92.51.193.156 255.255.255.252 outside
  SSH timeout 5
  Console timeout 0

  dhcpd outside auto_config
  !
  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  internal GroupPolicy_92.51.193.158 group strategy
  attributes of Group Policy GroupPolicy_92.51.193.158
  VPN-tunnel-Protocol ikev1, ikev2
  username password 6e6Djaz3W/XH59zX gordon encrypted privilege 15
  tunnel-group 92.51.193.158 type ipsec-l2l
  tunnel-group 92.51.193.158 General-attributes
  Group - default policy - GroupPolicy_92.51.193.158
  IPSec-attributes tunnel-group 92.51.193.158
  IKEv1 pre-shared-key *.
  remote control-IKEv2 pre-shared-key authentication *.
  pre-shared-key authentication local IKEv2 *.
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  maximum message length automatic of customer
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the rsh
  inspect the rtsp
  inspect esmtp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  inspect xdmcp
  inspect the sip
  inspect the netbios
  inspect the tftp
  Review the ip options
  inspect the icmp
  !
  global service-policy global_policy
  context of prompt hostname
  no remote anonymous reporting call
  Cryptochecksum:83b2069fa311e6037163ae74f9b2bec2
  : end

  Hello

  There are some clear problems I see on a quick glance. These are not related to the actual VPN configuration but rather the NAT configurations.

  All your configuration of NAT CLI format above are configured as manual NAT / double NAT in Section 1. This means that the appliance NAT configurations have been added to the same section of the NAT configurations and scheduling of the NAT inside this Section rules is the cause of the problem for the L2L VPN connection for some.

  Here are a few suggestions on what to change

  ASA1

  Minimal changes

  the object of the LAN network

  192.168.10.0 subnet 255.255.255.0

  being REMOTE-LAN network

  255.255.255.0 subnet 192.168.100.0

  NAT (inside, outside) 1 static source LAN LAN to static destination REMOTE - LAN LAN

  no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 non-proxy-arp-search of route static destination

  That means foregoing is first of all create 'object' that contain the local LAN and remote LANs. Then, it creates a NAT0 rule and adds to the top rules NAT. (number 1). It is essentially of at least one of the problems preventing the VPN operation or traffic that cross.

  Finally, we remove the old rule that generated the ASDM. It would do the same thing if it has been moved to the top, but I generally find the creation of the 'object' with descriptive names easier on the eyes in the long term.

  Other suggestions

  These changes are not necessary with regard to the VPN L2L. Here are some suggestions how to clean a part of NAT configurations.

  PAT-SOURCE network object-group

  source networks internal PAT Description

  object-network 192.168.10.0 255.255.255.0

  object-network 192.168.20.0 255.255.255.0

  object-network 192.168.40.0 255.255.255.0

  NAT interface (it is, outside) the after-service automatic PAT-SOURCE dynamic source

  No source (indoor, outdoor) nat Dynamics one interface

  no nat (wireless, outdoors) source Dynamics one interface

  no nat (servers, outside) no matter what source dynamic interface

  The above configuration creates a "object-group" that lists all internal networks that you have dynamic PAT configured so far. It then uses the ' object-group ' in a command unique 'nat' to manage the dynamic PAT for all internal networks (with the exception of printers who had nothing at first). Then we remove the old PAT dynamic configurations.

  Contains the command "nat" "car after" because it moving this "nat" configuration to the bottom of the NAT rules. For this reason its less likely to cause problems in the future.

  network of the SERVERS object

  subnet 192.168.20.0 255.255.255.0

  network of the VPN-POOL object

  192.168.50.0 subnet 255.255.255.0

  NAT (servers, external) 2 static static source of destination of SERVERS SERVERS VPN-VPN-POOL

  no nat (servers, external) static source NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 non-proxy-arp-search of route static destination

  The above configuration is supposed to create a NAT0 configuration for traffic between the network and the pool of Client VPN server. To my knowledge the old configuration that remove us is not used because the traffic would have matched PAT rule dynamic server yet rather than this rule which is later in the NAT configurations and would not be addressed.

  no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination

  It seems to me that network 192.168.1.0/24 is not configured from anywhere in your network. Therefore, the above 'nat' configuration seems useless, can be deleted. If I missed something and its use in then of course do not remove it.

  ASA2

  Minimal changes

  the object of the LAN network

  255.255.255.0 subnet 192.168.100.0

  being REMOTE-LAN network

  192.168.10.0 subnet 255.255.255.0

  NAT (inside, outside) 1 static source LAN LAN to static destination REMOTE - LAN LAN

  no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 non-proxy-arp-search of route static destination

  That means foregoing is first of all create 'object' that contain the local LAN and remote LANs. Then, it creates a NAT0 rule and adds to the top rules NAT. (number 1). It is essentially of at least one of the problems preventing the VPN operation or traffic that cross.

  Finally, we remove the old rule that generated the ASDM.

  Other suggestions

  PAT-SOURCE network object-group

  object-network 192.168.100.0 255.255.255.0

  NAT interface (it is, outside) the after-service automatic PAT-SOURCE dynamic source

  No source (indoor, outdoor) nat Dynamics one interface

  The above configuration is supposed to do the same thing with the other ASA. Although given that this network contains only a single subnet it cleans the "nat" configurations exist that much. But the order of the "nat" configurations is changed to avoid further problems with the NAT order.

  no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination

  It seems to me that network 192.168.1.0/24 is not configured from anywhere in your network. Therefore, the above 'nat' configuration seems useless, can be deleted. If I missed something and its use in then of course do not remove it.

  I suggest trying the changes related to VPN L2L first NAT0 configurations and test traffic. So who gets the work of connectivity, then you could consider changing other NAT configurations. There are other things that could be changed also in what concerns THAT static NAT servers but that probably better left for another time.

  Hope this makes any sense and has helped

  Remember to mark a reply as the answer if it answered your question.

  Feel free to ask more if necessary

  -Jouni

• Issue of ASA vpn site to site isakmp

  Hello

  He has been asked to configure on ASA a new vpn site-to-site. For that vpn should I put:

  crypto isakmp identity address
  crypto ISAKMP allow outside

  .. the configuration of my identity crypto isakmp is automatic and isakmp crypto is not enabled on any interface. I love vpn with ike enabled on the external interface. My question is: why should I enable isakmp on the external interface and especially can create disturbances to ike vpn that are already in place?

  By elsewhere-group or tunnel-group strategy, it was me asked to set up, the two do not have indication of ike. Never seen this kind of configuration before vpn, something new.

  Thank you

  Hi, Giuseppe.

  The crypto isakmp command activate outside changed ikev1 crypto Enable outside in the new ASA versions you need not enable this.

  There is also no need configure isakmp crypto identity address such that it is set to auto.

  This command indicates that the tunnel would be negotiated on the basis of the IP address but since it is set to auto it on it own will therefore not need to specify this command.

  Yes, you can create a new group policy group for this new tunnel and tunnel and there should be no impact on other tunnels of work.

  Kind regards

  Aditya

  Please evaluate the useful messages and mark the correct answers.

• Problem with VPN Site-to-Site between RV215W and ASA5510

  The RV215W is intended to connect a new branch via 3G, but fail.

  But when connected to the internet via a cable modem VPN works.

  I have set up with the FULL domain name and remote ip address.

  Please help me soon as soon as you can.

  Thaks a lot.

  Henriux2412.

  Dear Henry;

  Thank you to the small community of Support Business.

  I doubt that this VPN site-to-site is compatible with the USB modem broadband Mobile 3 G, but I have when even suggest to verify that the Status field of the map will show your mobile card is connected (status > Mobile network). I've seen a similar problem with a Verizon USB modem where the solution was to change a few settings in their access Manager software ("NDIS Mode - connect manually" has been selected and change this option to "Modem Mode - connect manually fixed), but if this is not your case then I suggest you to check with your service provider about supported VPN site to site on the WAN configuration.

  Except that I advise you to contact the Small Business Support Center for more information on this subject, although I don't think they will support

  https://supportforums.Cisco.com/community/NetPro/small-business/sbcountrysupport

  https://www.Cisco.com/en/us/support/tsd_cisco_small_business_support_center_contacts.html

  Do not hesitate to contact me if there is anything I can help you with in the meantime.

  Kind regards

  Jeffrey Rodriguez S... : | :. : | :.
  Support Engineer Cisco client

  * Please rate the Post so other will know when an answer has been found.

• IPSec VPN Site-to-Site router Cisco 837 to Firewall FortiGate 200 has

  I had a challege for a site to site vpn scenario that may need some brainstorming you guys.

  So far, I have had a prior configuration planned for this scenario, but I'm not very sure if the tunnel I created will work because I did not test it before with this scenario. I'll go next week on this project and hopefully get a solution of brainstorming you guys. Thanks in advance!

  Network diagram:

  http://cjunhan.multiply.com/photos/hi-res/5/3?xurl=%2Fphotos%2Fphoto%2F5%2F3

  Challenge:

  (1) configure CISCO R3 IPSec Site to Site VPN between 172.20.10.0 and 10.20.20.0 using cryptographic cards

  (2) IKE Phase I MainMode, lifetime 28000, md5, DH-Group1

  IKE Phase II: des-esp, hmac-md5, tunnel mode

  PSK: sitetositevpn

  Here is my setup for review:

  crypto ISAKMP policy 10

  the BA

  preshared authentication

  Group 1

  md5 hash

  ISAKMP crypto key sitetositevpn address 210.x.x.66

  !

  Crypto ipsec transform-set esp - esp-md5-hmac ciscoset

  !

  infotelmap 10 ipsec-isakmp crypto map

  the value of 210.x.x.66 peer

  Set transform-set ciscoset

  match address 111

  !

  !

  interface Ethernet0

  3 LAN description

  IP 10.20.20.1 255.255.255.0

  IP nat inside

  servers-exit of service-policy policy

  Hold-queue 100 on

  !

  ATM0 interface

  no ip address

  ATM vc-per-vp 64

  No atm ilmi-keepalive

  DSL-automatic operation mode

  !

  point-to-point interface ATM0.1

  IP address 210.x.20.x.255.255.252

  no ip redirection<-- disable="">

  no ip unreachable<-- disable="" icmp="" host="" unreachable="">

  no ip proxy-arp<-- disables="" ip="" directed="">

  NAT outside IP

  PVC 8/35

  aal5snap encapsulation

  !

  !

  IP nat inside source list 102 interface ATM0.1 overload

  IP classless

  IP route 0.0.0.0 0.0.0.0 ATM0.1

  IP route 0.0.0.0 0.x.0.x.190.60.66

  no ip http secure server

  !

  Note access-list 102 NAT traffic

  access-list 102 permit ip 10.20.20.0 0.0.0.255 any

  !

  access-list 111 note VPN Site-to-Site 3 LAN to LAN 2 network

  access-list 111 allow 0.0.0.x.x.10.0 ip 10.20.20.0 0.0.0.255

  Kind regards

  Junhan

  Hello

  Three changes required in this configuration.

  (1) change the NAT-list access 102 as below:

  access-list 102 deny ip 10.20.20.0 0.0.0.255 172.20.10.0 0.0.0.255

  access-list 102 permit ip 10.20.20.0 0.0.0.255 any

  (2) place the card encryption on interface point-to-point ATM.

  (3) remote all of a default route.

  Thank you

  Mustafa

• RV042 VPN site to Site

  Hello please could someone help me regarding my PROBLEM with VPN site-to-site.

  I have installation of gateway to gateway unfortunetly I don't have any static IP address, so I have 2 accounts of DynDNS.org on two installation Sites. The two RV042 connect to another router/Modem.

  I put the two as router in router Mode and not as a gateway.  The VPN status remains tab just to "waiting for connection" I can see the dynamic IP address to connect remotely on the main site and distance from each other.  I can ping so two dyndns names.  But unable to connect...

  The VPN log shows the following.

  ERROR: error report asynchronous network on eth1 to message to the port of 105.237.1.xx 500, complainant 192.168.137.153: no route to the host [errno 148, original ICMP type 3 code 1 (unauthenticated)]

  What is the main site and 192.168.138.0 the remote site, the main site has a subnet of 192.168.137.0

  Please could someone help me or point me in the right direction? Thanks in advance.

  Hi Stephen, it may be a few problems. The first is maybe that you said that you have a modem/router device, this means that it is for the RV042 nating.  If that's the case then the modems/routers upstream need port forwarding to go to the RV042. ICMP type 3 is a destination unreachable error. That means subnet remote th could not be reached by the applicant rv042. This can withdraw your NAT problem with modems/routers.

  So, first thing I would do is port before all the RV042 services to make sure that the firewall on the modems/routers aren't pipe upward works.

  -Tom
  Please mark replied messages useful