Help! My 2691xm router is deaf to ISAKMP

Hello.

I'm trying to implement a DMVPN.

The configuration is the following:

1751-V is a spoke - c1700-advsecurityk9-mz.124-15.T14.bin

2691xm is the hub - c2691-advsecurityk9-mz.124-15.T14.bin

As I said in the title, my client's 2691xm router is deaf to ISAKMP. It is configured as the DMVPN hub and shows no sign of receiving any of the VPN traffic. The 1751-V, however, is very noisy and sends many IKE requests to the 2691xm.

I ran the 1751-V against my home 1751-V, using a slightly modified version of the 2691xm's config, without any problems. I don't have access through that VPN quite yet, but at least they got past ISAKMP.

I turned on 'debug dmvpn all' and 'term mon', but I get NO output from the 2691xm.

I also get nothing from 'show crypto isakmp sa'.

I thought the traffic might be blocked by the ISP. I called and asked, and it isn't.

I thought the traffic might be stopped at the firewall, so I set the entries for the ports concerned to log, which shows the traffic arriving, as evidenced by the following:

Router-1#show access-list INTERNET_IN
Extended IP access list INTERNET_IN
...
    70 permit udp any any eq isakmp log (2576 matches)
    80 permit ahp any any log
    90 permit esp any any log
...

So I'm getting the traffic through to the router, but my router is not reacting?

Below are excerpts from relevant configs.

HUB:

Internet: int fa0/1 - T1 w/ static IP via ethernet

LAN: int fa0/0 - LAN 192.168.20.1

ip multicast-routing
!
crypto isakmp policy 100
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp key ABCD address 0.0.0.0 no-xauth
!
crypto ipsec transform-set TRANSFORM_1 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile PROFILE_1
 set security-association lifetime seconds 600
 set transform-set TRANSFORM_1
 set pfs group2
!
interface Tunnel0
 ip pim sparse-mode
 bandwidth 1536
 ip address 10.0.20.20 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source fa0/1
 tunnel mode gre multipoint
 tunnel protection ipsec profile PROFILE_1
 ip nhrp map multicast dynamic
 ip nhrp network-id 20
 ip nhrp holdtime 600
 ip nhrp authentication ABCD
 ip hold-time eigrp 1 35
 no ip next-hop-self eigrp 1
 no ip split-horizon eigrp 1
!
router eigrp 1
 network 10.0.20.0 0.0.0.255
 network 192.168.20.0 0.0.0.255
 no auto-summary
!
ip access-list extended NAT_TRAFFIC
 deny ip 192.168.20.0 0.0.0.255 192.168.22.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 any
route-map SHEEP permit 10
 match ip address NAT_TRAFFIC
ip nat inside source route-map SHEEP interface fa0/1 overload

SPOKE:

Internet: int dialer0 - DSL, PPPoE, DHCP

LAN: int vlan0 - 192.168.22.1

ip multicast-routing
!
crypto isakmp policy 100
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key ABCD address 0.0.0.0 no-xauth
!
crypto ipsec transform-set TRANSFORM_1 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile PROFILE_1
 set security-association lifetime seconds 600
 set transform-set TRANSFORM_1
 set pfs group2
!
interface Tunnel0
 ip pim sparse-mode
 bandwidth 1536
 ip address 10.0.20.22 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source d0
 tunnel mode gre multipoint
 tunnel protection ipsec profile PROFILE_1
 ip nhrp map 10.0.20.20 2691_WAN_IP
 ip nhrp map multicast 2691_WAN_IP
 ip nhrp network-id 20
 ip nhrp holdtime 600
 ip nhrp nhs 10.0.20.20
 ip nhrp authentication ABCD
 ip hold-time eigrp 1 35
 no ip next-hop-self eigrp 1
 no ip split-horizon eigrp 1
!
router eigrp 1
 network 10.0.20.0 0.0.0.255
 network 192.168.22.0 0.0.0.255
 no auto-summary
 eigrp stub connected
!
ip access-list extended NAT_TRAFFIC
 deny ip 192.168.22.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.22.0 0.0.0.255 any
route-map SHEEP permit 10
 match ip address NAT_TRAFFIC
!
ip nat inside source route-map SHEEP interface Dialer0 overload
!

As I said earlier, the 2691xm DOES NOT REACT. The only thing I've been able to determine is that the router IS NOT blocking traffic on UDP port 500.

Here's some output from the 1751-V (spoke router).

ISAKMP: set new node 0 to QM_IDLE
ISAKMP:(0): SA is still budding. Attached new ipsec request to it. (local 1751_WAN_IP, remote 2691_WAN_IP)
ISAKMP: Error while processing SA request: Failed to initialize SA
ISAKMP: Error while processing KMI message 0, error 2.
ISAKMP:(0):transmit phase 1 MM_NO_STATE...
ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

Router-1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
2691_WAN_IP     1751_WAN_IP     MM_NO_STATE          0    0 ACTIVE
2691_WAN_IP     1751_WAN_IP     MM_NO_STATE          0    0 ACTIVE (deleted)

The 1751-V works with another 1751-V (to some extent), but not with the 2691xm I need it to work with.

Please help, because it's driving me CRAZY!

I would appreciate ANY suggestions/comments/criticisms/assumptions/ANYTHING!

-Vittorio

No crypto map means there's some sort of problem with the config on the hub - try the following:

term mon
debug crypto socket
debug tunnel protection
conf t
logging on
logging monitor debugging
int tunnel0
 shut
 no tunnel protection ipsec profile PROFILE_1
 tunnel protection ipsec profile PROFILE_1
 no shut

See if that gives us any debugs.
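The pattern in this thread (the hub's ACL counter climbing on UDP/500 while the spoke's SA never leaves MM_NO_STATE and keeps retransmitting) can be checked mechanically rather than by eyeballing three outputs. The script below is an added example written for this page, not code from the thread or from Cisco; it parses constructed copies of the spoke's `show crypto isakmp sa`, the retransmit debug line and the hub's `show access-list`, with RFC 5737 documentation addresses standing in for 2691_WAN_IP and 1751_WAN_IP, and turns them into a verdict.

```python
"""Triage a one-sided IKE phase 1 from show/debug output (added example).

Verdict for this thread's case: the responder's ACL counts ISAKMP packets,
but the initiator's SA never leaves MM_NO_STATE and keeps retransmitting,
so the responder is receiving IKE and not answering.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample outputs modelled on the thread. 203.0.113.20 stands in
# for 2691_WAN_IP (hub) and 198.51.100.51 for 1751_WAN_IP (spoke).
SPOKE_SHOW_SA = """\
Spoke#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
203.0.113.20    198.51.100.51   MM_NO_STATE          0    0 ACTIVE
203.0.113.20    198.51.100.51   MM_NO_STATE          0    0 ACTIVE (deleted)
"""
SPOKE_DEBUG = """\
ISAKMP:(0):transmit phase 1 MM_NO_STATE...
ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
"""
HUB_SHOW_ACL = """\
Hub#show access-list INTERNET_IN
Extended IP access list INTERNET_IN
    70 permit udp any any eq isakmp log (2576 matches)
    80 permit ahp any any log
    90 permit esp any any log
"""


@dataclass
class IsakmpSa:
    dst: str
    src: str
    state: str
    conn_id: int
    status: str
    deleted: bool


# Data row of `show crypto isakmp sa` (IOS 12.4 layout). The header row has
# lowercase words and no numeric conn-id, so it never matches.
SA_ROW = re.compile(
    r"^(?P<dst>\S+)\s+(?P<src>\S+)\s+(?P<state>[A-Z][A-Z_]+)\s+(?P<conn>\d+)\s+\d+\s+"
    r"(?P<status>[A-Z]+)(?P<deleted>\s*\(deleted\s*\))?\s*$"
)
# Numbered ACE with its optional hit counter.
ACL_ROW = re.compile(
    r"^(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<rest>.*?)"
    r"(?:\s+\((?P<hits>\d+)\s+match(?:es)?\))?\s*$"
)
RETRANSMIT = re.compile(r"attempt\s+(\d+)\s+of\s+(\d+):\s+retransmit phase 1")


def parse_isakmp_sa(text: str) -> List[IsakmpSa]:
    """Return one IsakmpSa per data row, flagging rows marked (deleted)."""
    rows = []
    for line in text.splitlines():
        m = SA_ROW.match(line.strip())
        if m:
            rows.append(IsakmpSa(m["dst"], m["src"], m["state"], int(m["conn"]),
                                 m["status"], m["deleted"] is not None))
    return rows


def isakmp_acl_hits(text: str) -> int:
    """Sum the hit counts of permit entries matching UDP/500 (isakmp)."""
    total = 0
    for line in text.splitlines():
        m = ACL_ROW.match(line.strip())
        if m and m["action"] == "permit" and m["proto"] == "udp" \
                and re.search(r"\beq (?:isakmp|500)\b", m["rest"]):
            total += int(m["hits"] or 0)
    return total


def phase1_retransmits(text: str) -> Tuple[int, int]:
    """Highest (attempt, limit) seen in phase 1 retransmit debug lines; (0, 0) if none."""
    best = (0, 0)
    for m in RETRANSMIT.finditer(text):
        best = max(best, (int(m.group(1)), int(m.group(2))))
    return best


def diagnose(sas: List[IsakmpSa], hits: int, retransmits: Tuple[int, int]) -> Tuple[str, str]:
    """Map the three observations to a verdict code and a one-line explanation."""
    live = [sa for sa in sas if not sa.deleted]
    if not live:
        return ("NO_SA", "initiator holds no ISAKMP SA: IKE is not even being attempted")
    if all(sa.state == "MM_NO_STATE" for sa in live):
        attempt, limit = retransmits
        if hits > 0:
            return ("RESPONDER_SILENT",
                    f"{hits} UDP/500 packets counted on the responder's ACL, yet the initiator "
                    f"is stuck in MM_NO_STATE (retransmit {attempt} of {limit}): the responder "
                    "receives IKE and does not answer, so look at its crypto/tunnel config")
        return ("NO_PATH", "initiator stuck in MM_NO_STATE and nothing counted on the "
                           "responder: packets are not arriving (filtering or routing)")
    if any(sa.state == "QM_IDLE" for sa in live):
        return ("PHASE1_UP", "a QM_IDLE SA exists: phase 1 completed")
    return ("PHASE1_IN_PROGRESS", "SA past MM_NO_STATE but not QM_IDLE: still negotiating")


if __name__ == "__main__":
    sas = parse_isakmp_sa(SPOKE_SHOW_SA)
    code, why = diagnose(sas, isakmp_acl_hits(HUB_SHOW_ACL), phase1_retransmits(SPOKE_DEBUG))
    print(code, "-", why)
```

Run on the thread's numbers it reports RESPONDER_SILENT, which is exactly the situation the reply above addresses: the packets are arriving, so the next place to look is the hub's own crypto configuration, not the path.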

Tags: Cisco Security

Similar Questions

  • Need help installing BEFSR41 router

    Hello

    I need some help configuring a BEFSR41 router that I bought recently. A year ago, I got a WRT54GS router and was able to set it up with my Siemens 4100b DSL modem without any problem. (Maybe I was just lucky before, when I set up the wireless router.) Now I'm having trouble getting the BEFSR41 to work. I tried putting the BEFSR41 in the same position as my WRT54GS, using the same configuration. I'm reproducing the WRT54GS settings on the BEFSR41 for the wired connection. I had "Automatic Configuration - DHCP" on my WRT54GS, so on the BEFSR41 I chose "Obtain an IP address automatically". I also enabled the local DHCP server starting at 192.168.1.100. This should configure the BEFSR41 like the WRT54GS, right? But I couldn't get on the internet using the BEFSR41 with this configuration.

    I checked the routing tables of the two routers to see if there is a difference and noticed that the only thing different is that in the BEFSR41's routing table the gateway fields are 0.0.0.0, while they have correct values on my WRT54GS.

    Another difference between the two routers is that on my WRT54GS status screen it showed 192.168.0.1 for the DNS1 entry, and the DNS2 and DNS3 entries were empty. On the BEFSR41 status screen it showed DNS1 as 192.168.0.1, then repeated DNS1 as 192.168.0.1, and finally another DNS1 entry that is empty. How significant is it that the BEFSR41 status display shows the DNS1 field 3 times (instead of DNS1, DNS2, DNS3)?

    Thanks in advance for any help.

    I suspect that the reason the 4100 and the BEFSR41 do not play well together is that both of them use proxy DNS servers. The DNS proxy server on the BEFSR41 runs at 192.168.1.1 and the DNS proxy server on the 4100 runs at 192.168.0.1. My bet is that the "double proxy servers" are simply not passing addresses correctly.

    As to why the 4100b works with your old router but not with your newer router, I'm not sure. Is your 4100 several years old? Often old modems work with older routers but not with newer routers.

    I think it is best to put your 4100b in bridge mode. That converts it into a plain modem. It would then not have an IP address, nor make your PPPoE connection. This would be "PPPoE not used" (on the modem).

    Your BEFSR41 would then have to be configured to make your PPPoE connection.

  • Need help with wifi router & iPod touch 5

    Hi, pretty new to this. I bought an iPod touch 5 and was told I need wifi, so I bought a Mofinetwork 3G router. When I try to connect my iPod to the iTunes store it keeps saying that I am not connected, but my computer shows me that I am. I also keep getting a message to troubleshoot, as follows: "Windows could not automatically detect this network's proxy settings" (with a yellow triangle icon with a slash in the center). Also, when I go to Control Panel > Devices and systems, my computer constantly shows the warning triangle symbol, and when I connect to the Mofinetwork symbol the same symbol is there. Please help, it's driving me crazy.

    Hello

    "I want to connect my iPod to the iTunes store."

    The iPod is Apple hardware and iTunes is software from Apple.

    Contact Apple support for help with this issue.

    Regards.

  • Need help configuring a Netgear router so I can connect to PlayStation Network.

    My PlayStation 3 says "NAT Type Failed" and will not sign in to the PlayStation Network. I have a Netgear router that connects the PS3 to the Internet, but it times out when trying to connect to the PS network. How can I configure the router? I use a wired connection.

    Hello

    I suggest you contact the manufacturer of the PlayStation for assistance with this issue.

    Thanks and greetings
    Umesh P - Microsoft technical support.

    Visit our Microsoft Answers Feedback Forum and let us know what you think.
    [If this post helps solve your problem, please click 'Mark as Answer' or 'Helpful' at the top of this message.] [Marking a post as Answer, or Helpful, helps others find the answer more quickly.]

  • Help! Static route between two WRT160NL routers

    Hi all

    I have my internet connection connected to my main Linksys WRT160NL router (192.168.1.1) with a 192.168.1.x subnet.

    My 2nd Linksys router connects to the first one as its gateway as well.
    The 2nd router has WAN IP 192.168.1.100 and its local subnet is 192.168.2.x.

    My 192.168.2.x machines can access the internet and connect to all the machines on the 192.168.1.x network.

    However, the 1.x network cannot access the machines on the 2.x network. Because of that, I can't share files or print between the two networks.

    I tried adding a static route on my main router (192.168.1.1) with: destination 192.168.2.0, mask 255.255.255.0, default gateway 192.168.1.100.

    However, the route still does not work.

    Is there any way to make the 1.x network able to access the 2.x network, and 2.x able to access 1.x, for file and print sharing?

    Thanks for your help!

    The router's gateway does NAT, which makes the LAN side inaccessible from the WAN side unless you configure port forwarding or similar. If it didn't, your 192.168.1 LAN would be accessible from the internet. Static routing will not change that.

    You will need to disable NAT (i.e. switch to router mode) on the second router. You must then configure a static route on the main router. However, most likely your 192.168.2.* network will then no longer have Internet access, because the main router will only NAT for 192.168.1.* and not for 192.168.2.*.

    If possible, set up the second router as an access point only and run a single LAN.

  • Cisco 1941 router - crypto isakmp policy command missing - IPsec VPN

    Hi all

    I was looking around and I can't find the 'crypto isakmp policy' command on this Cisco 1941 router. I just wanted a regular LAN-to-LAN IPsec tunnel setup, and to my surprise the command isn't there. Do I have the wrong IOS? I thought a K9 image would do the trick.

    Any suggestions are appreciated

    This is what I get:

    Router(config)#crypto ?
      ca   Certification authority
      key  Long term key operations
      pki  Public Key components

    show ver

    Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.0(1)M2, RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2010 by Cisco Systems, Inc.
    Compiled Thu 10-Mar-10 22:27 by prod_rel_team

    ROM: System Bootstrap, Version 15.0(1r)M6, RELEASE SOFTWARE (fc1)

    Router uptime is 52 minutes
    System returned to ROM by reload at 02:43:40 UTC Thu Apr 21 2011
    System image file is "flash0:c1900-universalk9-mz.SPA.150-1.M2.bin"
    Last reload type: Normal Reload
    Last reload reason: Reload Command

    This product contains cryptographic features...

    Cisco CISCO1941/K9 (revision 1.0) with 487424K/36864K bytes of memory.
    Processor board ID FTX142281F4
    2 Gigabit Ethernet interfaces
    2 Serial(sync/async) interfaces
    DRAM configuration is 64 bits wide with parity disabled.
    255K bytes of non-volatile configuration memory.
    254464K bytes of ATA System CompactFlash 0 (Read/Write)

    License Info:

    License UDI:

    -------------------------------------------------
    Device#   PID            SN
    -------------------------------------------------
    *0        CISCO1941/K9   FTX142281F4

    Technology Package License Information for Module:'c1900'

    ----------------------------------------------------------------
    Technology    Technology-package           Technology-package
                  Current       Type           Next reboot
    -----------------------------------------------------------------
    ipbase        ipbasek9      Permanent      ipbasek9
    security      None          None           None
    data          None          None           None

    Configuration register is 0x2102

    You need to get the security feature license to configure IPsec VPN.

    Currently, you have 'None' for the security feature:

    ----------------------------------------------------------------
    Technology    Technology-package           Technology-package
                  Current       Type           Next reboot
    -----------------------------------------------------------------
    ipbase        ipbasek9      Permanent      ipbasek9
    security      None          None           None
    data          None          None           None

    Here is the information about licenses on the 1900 series routers:

    http://www.Cisco.com/en/us/partner/docs/routers/access/1900/hardware/installation/guide/Software_Licenses.html

  • Hi, need some help on this Cisco 1921 router: full, auto & half duplex

    We have this old 1841 series router and we changed to a 1921. I put in the same settings, but this duplex thing is having a problem (I think).

    We are supposed to have 20 Mbps upload & download speed using this 1841, and if we use the 1921 we get 20 down / 10 upload.

    When I set gi0/1 to full-duplex it goes down. But if I set auto duplex, it registers as 100 Mb/s and half-duplex and the internet works, but only 10 Mbps upload. See below

    GigabitEthernet0/1 is up, line protocol is up
      Hardware is CN Gigabit Ethernet, address is 0000000
      Description: "connected to this."
      Internet address is 000000
      MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
         reliability 255/255, txload 1/255, rxload 13/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      Half-duplex, 100Mbps, media type is RJ45
      output flow-control is unsupported, input flow-control is unsupported
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:00:00, output 00:00:00, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/14/10242 (size/max/drops/flushes); Total output drops: 79729
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      5 minute input rate 5400000 bits/sec, 546 packets/sec
      5 minute output rate 719000 bits/sec, 390 packets/sec
         170608043 packets input, 1963069286 bytes, 79501 no buffer
         Received 477 broadcasts (0 IP multicasts)
         0 runts, 0 giants, 4 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog, 0 multicast, 0 pause input
         160510262 packets output, 1965851816 bytes, 0 underruns
         0 output errors, 4095435 collisions, 0 interface resets
         0 unknown protocol drops
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier, 0 pause output
         0 output buffer failures, 0 output buffers swapped out

    I really appreciate your comments and thank you

    It is very likely that the provider has configured its device for 100 Mbps, which was compatible with the FE interface of your 1841. If you configure the 1921 at a fixed speed of 100 Mbps and full duplex, it should probably work.

  • Need help with NATed routing networks

    Hello

    1. VMware Workstation on the 192.168.1.0 network

    2. Virtual machines on NATed 10.0.0.0 255.255.0.0, gateway 10.0.0.1

    I have a 2003 domain on this network. I have a DC, Exchange and a workstation.

    I have no problem with access from the 10.0.0.0 network to 192...

    But I can't ping 10.0.0.0... from the 192... machines, apart from the host 192.168.1.130.

    Yes, I can ping the virtual host.

    I added a route to 10.0.0.0 on one of the 192... machines; it still can't reach the 10.0.0.0 machine.

    What does it take to ping the 10... network?

    THX.

    Michael.

    If 10.0.0.0 is your NAT virtual network (VMnet8) you cannot ping it because it is hidden from the outside (because it's NAT). You can only reach this network through specific port forwarding, but packets must go to the IP address of the host (and are then redirected to the appropriate virtual machine depending on the port forwarding configuration).

    AWo
    VCP / VMware vEXPERT 2009

    = Due to a lack of employees, human beings are working here. - Treat them with care, they are rare. =

  • DMVPN router behind ASA - need help please.

    Hello

    After reading many other discussions on this topic, it appears that with the correct IOS and NAT-T enabled, you can bring up DMVPN on a router behind a NAT device.

    I tried to do this, but I can't even get phase 1 going for the DMVPN. Routing was checked and I can ping the DMVPN routers' public IPs. I'm sure the router configurations are good, but I'm asking whether any additional NAT is required on the ASA.

    Here is the topology:

    DMVPN Hub > ASA > Internet > ASA > DMVPN Branch

    The ASA on the hub side is in our data center and in production with several site-to-site tunnels and DMZ traffic. The DMVPN devices are a Cisco 2921 and a 1921. When I run "debug crypto isakmp" on both routers, I see ISAKMP messages being sent on the branch DMVPN router. Nothing on the hub and no hits on the ASA ACL. I tried both the public IP address and the private IP address in the ACL on the ASA.

    I have attached the relevant configs and can post more if necessary.

    Thank you

    Brandon

    Hello

    I finally had time to lab it.

    I used this topology:

    I have:

    ASA(config)# sh run nat
    nat (INSIDE,OUTSIDE) source static HUB-ROUTER-REAL-IP interface service udp-eq-4500 udp-eq-4500
    nat (INSIDE,OUTSIDE) source static HUB-ROUTER-REAL-IP interface service udp-eq-500 udp-eq-500
    !
    object network HUB
     nat (INSIDE,OUTSIDE) dynamic interface

    ASA(config)# sh run access-list
    access-list OUTSIDE extended permit udp any object HUB-ROUTER-REAL-IP eq isakmp
    access-list OUTSIDE extended permit udp any object HUB-ROUTER-REAL-IP eq 4500

    R2#sh run inter t0

    interface Tunnel0
     ip address 172.16.0.1 255.255.255.0
     no ip redirects
     no ip next-hop-self eigrp 1
     no ip split-horizon eigrp 1
     ip nhrp map multicast dynamic
     ip nhrp network-id 99
     tunnel source FastEthernet0/0
     tunnel mode gre multipoint
     tunnel key 100000
     tunnel protection ipsec profile DMVPN-IPSEC-PROFILE

    So it should be the same configuration that you use.

    The only thing is that I had to 'shut/no shut' the tunnel interface and, after removing some config, I also needed to clear the connection on the ASA using "clear conn".

    R2#sh dmvpn
    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
            N - NATed, L - Local, X - No Socket
            # Ent --> Number of NHRP entries with same NBMA peer
            NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
            UpDn Time --> Up or Down Time for a Tunnel
    ==========================================================================

    Interface: Tunnel0, IPv4 NHRP Details
    Type:Hub, NHRP Peers:2,

     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
     ----- --------------- --------------- ----- -------- -----
         1 200.20.0.10         172.16.0.2    UP 00:11:28
         1 200.30.0.10         172.16.0.3    UP 00:11:22

    R2#

  • How to disable the default ISAKMP policy on a Cisco 2800 router

    I have a checkpoint asking me to disable or delete the default ISAKMP policy on my router. I tried to do it, but I got an error that the command is not supported, as below:

    If this is not possible on my router, which has IOS version:

    So, is it possible to upgrade my router's IOS to the latest version to solve this problem, which is:

    c2800nm-advsecurityk9-mz.151-4.M6

    If that does not solve my problem, I have an official document from Cisco which says that "Disabling the default ISAKMP policy" is not supported on my router.

    I would really appreciate your reply guys.

    Thanks in advance,

    Hi Ebrahim,

    Version 15.1(4)M6 supports the command "no crypto isakmp default policy".

    Before running 'no crypto isakmp default policy':

    Router#sh crypto isakmp default policy

    IKE default policy

    Default protection suite of priority 65507
            encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
            hash algorithm:         Secure Hash Standard
            authentication method:  Rivest-Shamir-Adleman Signature
            Diffie-Hellman group:   #5 (1536 bit)
            lifetime:               86400 seconds, no volume limit
    Default protection suite of priority 65508
            encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
            hash algorithm:         Secure Hash Standard
            authentication method:  Pre-Shared Key
            Diffie-Hellman group:   #5 (1536 bit)
            lifetime:               86400 seconds, no volume limit
    .
    .
    . output skipped

    After:

    Router(config)#no crypto isakmp default policy

    Router#sh crypto isakmp default policy

    Router#sh crypto isakmp policy

    Global IKE policy

    *****

    If you upgrade, you should be able to delete the default isakmp policy.

    Thank you

    Shakur

  • ISAKMP error - 2811 router

    Hi guys,

    I would like to create a site-to-site VPN between my ASA and a remote router in China.

    On the router, when I type the "crypto isakmp enable" command, I see that isakmp is not present.

    What can I do, where is the problem? License, IOS image, ...?!

    Error type:

    Router(config)#crypto isakmp enable
                          ^
    % Invalid input detected at '^' marker.

    Router(config)#crypto ?
      ca            Certification authority
      key           Long term key operations
      pki           Public Key components
      provisioning  Secure Device Provisioning
      wui           Crypto HTTP configuration interfaces

    Router info:

    Cisco CISCO2811C/K9

    Version 12.4(13r)T13, RELEASE SOFTWARE (fc1)

    c2800nmc-spservicesk9-mz.150-1.M7.bin

    Thank you very much.

    Luca

    To configure a site-to-site VPN, or any other VPN, you need an Advanced Enterprise, Advanced Security or Advanced IP Services image.

  • ISAKMP nat-t

    For the statement: isakmp nat-t

    What is it, and in what circumstances should it be used?

    Thank you for helping.

    Scott

    The command "isakmp nat-traversal" should be applied on the VPN server when the VPN client is behind a NAT/PAT device.

    The reason being that NAT/PAT on the client side will translate the original source IP to the NAT/PAT device's own (public) IP. When the VPN server receives, decrypts and analyzes the packet, it's going to come back with an error as the original source IP does not correspond to the

    For example:

    A remote VPN client connects to a remote VPN router, and the remote VPN client is behind a NAT/PAT device, such as a router or PIX.

  • IPsec VPN with private WAN address... Help!

    I am trying to establish an IPsec site-to-site VPN to my company network. I use a Cisco 2811. If I plug in a WAN connection with a public IP, my tunnel passes traffic without problem, but if I put a router in the middle so that the 2811 pulls a private IP address from the home router, I no longer get a successful tunnel. Any suggestions?

    I have the following config:

    interface FastEthernet0/0
     ip address dhcp
     crypto map AESMAP

    interface Vlan1
     ip address XX.XX.XX.XX 255.255.255.240 (public IP)

    ip route 0.0.0.0 0.0.0.0 FastEthernet0/0

    If this helps clarify: the "router" is a CradlePoint (CRT500) that takes mobile 3G and sends it out an ethernet port to the WAN port on my router. The installation stays mobile and I rarely get the chance to have a public IP address for my WAN. Currently I use a SonicWall TX 100 router that allows me to VPN to my company network. We hope to move all of our mobile kits to the Cisco product, but need to find a solution before the change can happen.

    If I do 'show crypto isakmp sa' it shows: XX.XX.XX.XX (PUBLIC) <> 192.168.0.1 Active.

    My thought is that my TCP 500 traffic gets to the VPN router, and when the VPN router sends traffic back to the address it has the SA with, it fails because that is a private IP address. My knowledge of how VPN works is limited; I think that in Phase 1 the two addresses must "bind" and NAT cannot be used with VPN? But I keep hoping that this might be a somewhat common question and there is a procedure to get around it, or maybe I just have a bad configuration or IP route...

    When I disable the crypto map on FA 0/0, add NAT to FA 0/0 and VLAN 1, and change my IP route to "0.0.0.0 0.0.0.0 192.168.0.1", I get non-VPN connectivity. Also, I put the address that my FA 0/0 gets in the DMZ of the CradlePoint.

    Thanks for any help anyone can provide!

    Brandon,

    NAT-T is designed to overcome the problems of NAT/PAT known in the IPv4 world.

    The big problem is that if you have a public IPv4 address, you will need to run PAT. ESP/AH packets do not have a port number, so they cannot be PATed. To get around this, we encapsulate the IPsec payload inside UDP/4500 packets.

    That being said, some vendors overcome this problem differently, but it's not THE standard way.

    Your headend should see you as the public IP of the internet-facing device.

    I agree that both SonicWall and IOS should work with other IOS. At the same time, it is difficult to say what is happening in the middle.

    I would say that if possible, open a TAC case; the guys will be able to look at your configs and solve the problem where it is. These types of forum discussions can go on for a very long time ;-)

    Marcin
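To make the point in the two replies above concrete (ESP and AH carry no transport port, so a port-based translator has nothing to map, while wrapping ESP in UDP/4500 gives it one), here is a toy port-address translator. It is an added example written for this page, not code from either poster, and it models a strict per-port PAT rather than any vendor's IPsec passthrough; the hosts, addresses and ports are constructed placeholders.

```python
"""Why raw ESP fails behind PAT while NAT-T (UDP/4500) works (added example).

Models a strict port-based PAT: every inside (protocol, address, port) gets
its own public port, and inbound packets are demultiplexed by that port.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                      # "esp" or "udp"
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None  # None: protocol carries no transport port (ESP/AH)
    dst_port: Optional[int] = None


class PortAddressTranslator:
    def __init__(self, public_ip: str, first_port: int = 1024) -> None:
        self.public_ip = public_ip
        self._next_port = first_port
        # (proto, inside_ip, inside_port) -> public_port
        self._out: Dict[Tuple[str, str, int], int] = {}
        # (proto, public_port) -> (inside_ip, inside_port)
        self._in: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the source to the public address; None if there is no port to map."""
        if pkt.src_port is None:
            return None  # nothing to rewrite, so no reversible mapping can be created
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self._out:
            port = self._next_port
            self._next_port += 1
            self._out[key] = port
            self._in[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=self._out[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Deliver a reply to the inside host owning the public port; None if unknown."""
        if pkt.dst_port is None:
            return None
        target = self._in.get((pkt.proto, pkt.dst_port))
        if target is None:
            return None
        return replace(pkt, dst_ip=target[0], dst_port=target[1])


# Constructed placeholders: two IPsec clients behind one PAT gateway, one headend.
HEADEND = "203.0.113.20"
CLIENT_A, CLIENT_B = "192.168.22.10", "192.168.22.11"


def run_scenario() -> Dict[str, Optional[Packet]]:
    pat = PortAddressTranslator(public_ip="198.51.100.51")

    # Raw ESP: no port, so the translator cannot build a reversible mapping.
    esp_a = pat.outbound(Packet("esp", CLIENT_A, HEADEND))
    esp_b = pat.outbound(Packet("esp", CLIENT_B, HEADEND))

    # NAT-T: ESP wrapped in UDP/4500 gets a distinct public port per client.
    natt_a = pat.outbound(Packet("udp", CLIENT_A, HEADEND, 4500, 4500))
    natt_b = pat.outbound(Packet("udp", CLIENT_B, HEADEND, 4500, 4500))

    # The headend replies to what it saw: the public address and the mapped port,
    # which the translator can hand back to the right inside host.
    reply_to_b = pat.inbound(Packet("udp", HEADEND, natt_b.src_ip, 4500, natt_b.src_port))
    return {"esp_a": esp_a, "esp_b": esp_b, "natt_a": natt_a,
            "natt_b": natt_b, "reply_to_b": reply_to_b}


if __name__ == "__main__":
    for name, pkt in run_scenario().items():
        print(f"{name}: {pkt}")
```

The headend only ever sees 198.51.100.51 with two different source ports, which is the "your headend should see you as the public IP of the internet-facing device" point above; the inside addresses survive only in the translator's table.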

  • Site-to-site VPN router - ASA5505

    Hello

    I have a problem with the VPN between an ASA5505 and a 3825 router.

    Behind the ASA we have a server that serves a specific port. If for any reason the link is disconnected, the VPN will not become active if we do not generate traffic to this server. After generating even a ping, the VPN immediately becomes active and communication starts. Another case is when you reboot the ASA: the VPN is not created without a ping to the server behind this ASA.

    How could we solve this problem without sending traffic to that server?

    As for remote access to this ASA, can I access the internal interface? If I open access on port 443 on the external interface of the ASA, could I access it? Or must I also exclude this traffic from the VPN?

    I used the VPN Wizard to configure the ASA, and the CLI on the router.

    Some troubleshooting and configuration commands follow; if this is not enough please let me know what else you need.

    Thanks in advance for your help

    ciscoasa# sh crypto isakmp sa

       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1

    1   IKE Peer: 10.10.10.1
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : AM_ACTIVE

    ASA configuration:

    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer 10.10.10.1
    crypto map outside_map 1 set transform-set ESP-DES-MD5
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 30
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400

    The main router configuration:

    crypto isakmp policy 1
     authentication pre-share
    !
    crypto isakmp policy 5
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp policy 10
     authentication pre-share
     group 2
    crypto isakmp key 6 _JQfe[BeRGNBCGfbGxxxxxxxxx address 10.10.10.10

    crypto ipsec transform-set xxxxx esp-des esp-md5-hmac

    crypto map ETH0 2696 ipsec-isakmp
     set peer 10.10.10.10
     set transform-set xxxxx
     match address 2001

    access-list 2001 permit ip any 192.168.26.96 0.0.0.7

    Post edited by: adriatikb
    I just read somewhere that changing the VPN type from 'bi-directional' to 'initiator' or 'answer-only' might help me, but I tested it with no results.

    I had the same problem last week, and the TAC engineer on our service ticket told me to downgrade from IOS 8.2(3) to 8.2(1). Since then, it works fine.

  • Site-to-site VPN routing via ASA

    I need help setting up routing through the tunnel. We have a bunch of remote sites in 192.168.0.0/16 passing through a central site, 192.168.137.0.

    How can I get all traffic going to 192.168.0.0 to cross the tunnel? I have the tunnel up, but no traffic passes through it. Here is the config.

    XXXX# show run
    : Saved
    :
    ASA Version 8.2(1)
    !
    hostname xxxxx
    domain-name xxxx.xxx
    enable password xxxxxxxx
    passwd xxxxxxxxxxxxx
    names
    !
    interface Vlan1
     description =-=-= INSIDE INTERFACE =-=-=
     nameif inside
     security-level 100
     ip address 192.168.33.1 255.255.255.0
    !
    interface Vlan2
     description =-=-= OUTSIDE CABLE INTERFACE =-=-=
     nameif outside
     security-level 0
     ip address aaa.bbb.ccc.202 255.255.255.252
    !
    interface Ethernet0/0
     description =-=-= OUTSIDE CABLE INTERFACE =-=-=
     switchport access vlan 2
    !
    interface Ethernet0/1
     description =-=-= INSIDE INTERFACE =-=-=
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    boot system disk0:/asa821-k8.bin
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns domain-lookup outside
    dns server-group DefaultDNS
     name-server 24.92.226.12
     name-server 24.92.226.11
     domain-name xxxxxx.xxx
    object-group network OUR-NETWORK
     network-object 10.254.1.0 255.255.255.0
     network-object 172.22.0.0 255.255.0.0
     network-object 192.168.0.0 255.255.0.0
    access-list SHEEP remark =-=-=-=-=-=-=-=
    access-list SHEEP remark =-=-= ACCESS LIST FOR NAT EXEMPTION =-=-=
    access-list SHEEP remark =-=-=-=-=-=-=-=
    access-list SHEEP extended permit ip 192.168.33.0 255.255.255.0 object-group OUR-NETWORK
    access-list INTERESTING remark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    access-list INTERESTING remark =-=-= ACCESS LIST FOR INTERESTING TRAFFIC =-=-=
    access-list INTERESTING remark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    access-list INTERESTING extended permit ip 192.168.33.0 255.255.255.0 object-group OUR-NETWORK
    access-list ICMP remark =-=-=-=-=-=-=-=
    access-list ICMP remark =-=-= ALLOW ICMP TO OUTSIDE INTERFACE =-=-=
    access-list ICMP remark =-=-=-=-=-=-=-=
    access-list ICMP extended permit icmp any host aaa.bbb.ccc.201 echo
    no pager
    logging enable
    logging timestamp
    logging buffer-size 38400
    logging buffered alerts
    logging asdm debugging
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-621.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list SHEEP
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group ICMP in interface outside
    route outside 0.0.0.0 0.0.0.0 aaa.bbb.ccc.201 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication http console LOCAL
    http server enable
    http xx.xx.xx.xx 255.255.255.0 outside
    http xxx.xxx.xxx.xxx 255.255.192.0 outside
    http xxx.xxx.0.0 255.255.0.0 inside
    http xxx.xxx.xxx.xxx 255.255.255.255 outside
    snmp-server location xxxxxx
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA-HMAC esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
    86400 seconds, duration of life crypto ipsec security association
    Crypto ipsec kilobytes of life - safety 4608000 association
    Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
    card crypto L2LMAP 10 INTERESTING address correspondence
    card crypto L2LMAP 10 set pfs
    card crypto L2LMAP 10 set peer ddd.eee.fff.32
    10 L2LMAP transform-set ESP-3DES-MD5 crypto card game
    card crypto L2LMAP set 10 security-association life seconds 86400
    card crypto L2LMAP 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
    L2LMAP interface card crypto outside
    crypto isakmp identity address
    crypto ISAKMP allow outside
    crypto ISAKMP policy 1
    preshared authentication
    3des encryption
    md5 hash
    Group 2
    life 86400
    Telnet timeout 5
    SSH enable ibou
    SSH xxx.xxx.0.0 255.255.0.0 inside
    SSH xxx.xxx.0.0 255.255.0.0 outside
    SSH xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx outside
    SSH timeout 60
    Console timeout 0
    management-access inside
    dhcpd dns 192.168.137.225 24.92.226.12
    dhcpd field arc.com
    dhcpd outside auto_config
    dhcpd option 150 ip 172.22.137.5
    !
    dhcpd address 192.168.33.2 - 192.168.33.33 inside
    dhcpd allow inside
    !

    a basic threat threat detection
    statistical threat detection port
    Statistical threat detection Protocol
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    NTP server 206.246.122.250 source outdoors
    NTP server 96.47.67.105 prefer external source
    WebVPN
    xxxx xxxx password username
    IPSec-attributes tunnel-group DefaultL2LGroup
    pre-shared-key *.
    tunnel-group ddd.eee.fff.32 type ipsec-l2l
    ddd.EEE.fff.32 group of tunnel ipsec-attributes
    pre-shared-key *.
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    !
    global service-policy global_policy
    context of prompt hostname

    Thank you

    Mike

    As I suspected, mismatched.

    Remote side is set to 3des/sha. You are set to 3des/md5.

    change the following:

    crypto map L2LMAP 10 set transform-set ESP-3DES-MD5

    TO

    crypto map L2LMAP 10 set transform-set ESP-3DES-SHA

    Assuming the ACLs match, things should be fine.

    Let me know.

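The mismatch the reply points at can be checked mechanically before touching a live box. The following is an added example, not code from the original post or the reply: a small Python checker that parses the crypto lines of the ASA 8.2 config above and compares the crypto-map entry for peer ddd.eee.fff.32 against the proposal the reply attributes to the remote side (3DES/SHA for the IPsec SA). The config excerpt is constructed from the posted config; the peer's phase-1 values and its PFS setting are assumptions for the example, set equal to the posted ISAKMP policy because the thread never shows the remote side's configuration.

```python
import re

# Constructed excerpt of the ASA 8.2 config posted above: only the crypto
# lines that decide the tunnel; the placeholder peer address is kept as posted.
ASA_CONFIG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map L2LMAP 10 match address INTERESTING
crypto map L2LMAP 10 set pfs
crypto map L2LMAP 10 set peer ddd.eee.fff.32
crypto map L2LMAP 10 set transform-set ESP-3DES-MD5
crypto map L2LMAP 10 set security-association lifetime seconds 86400
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
"""

# The reply says the remote side uses 3DES/SHA for the IPsec SA (phase 2).
# The phase-1 values and the PFS flag are assumptions for this example, set
# equal to the posted policy because the thread never shows the peer's side.
PEER_PROPOSAL = {
    "phase1": {"authentication": "pre-share", "encryption": "3des", "hash": "md5", "group": "2"},
    "phase2": {"encryption": "esp-3des", "integrity": "esp-sha-hmac", "pfs": True},
}


def parse_asa_crypto(config):
    """Return (transform_sets, crypto_map_entries, isakmp_policies)."""
    transform_sets, entries, policies = {}, {}, {}
    policy = None
    for line in config.splitlines():
        if not line.strip():
            continue
        if line.startswith(" ") and policy is not None:   # isakmp policy body
            key, _, value = line.strip().partition(" ")
            policy[key] = value
            continue
        policy = None
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            transform_sets[m.group(1)] = m.group(2).split()
            continue
        m = re.match(r"crypto map (\S+) (\d+) (match address|set) (.+)$", line)
        if m:
            entry = entries.setdefault((m.group(1), int(m.group(2))), {})
            if m.group(3) == "match address":
                entry["acl"] = m.group(4)
            else:
                key, _, value = m.group(4).partition(" ")
                entry[key] = value or True      # "set pfs" carries no value
            continue
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            policy = policies.setdefault(int(m.group(1)), {})
    return transform_sets, entries, policies


def split_transform(tokens):
    """Separate the ESP cipher transform from the ESP integrity transform."""
    integrity = next((t for t in tokens if t.endswith("-hmac")), None)
    cipher = next((t for t in tokens if t != integrity), None)
    return cipher, integrity


def check_peer(config, peer_ip, peer):
    """Return mismatch descriptions for the entry that targets peer_ip.

    An empty list means the phase-1 and phase-2 proposals both agree.
    """
    transform_sets, entries, policies = parse_asa_crypto(config)
    findings = []
    want1 = peer["phase1"]
    if not any(all(p.get(k) == v for k, v in want1.items()) for p in policies.values()):
        findings.append(f"phase 1: no isakmp policy matches {want1}")
    want2 = peer["phase2"]
    matched = [(k, e) for k, e in entries.items() if e.get("peer") == peer_ip]
    if not matched:
        findings.append(f"phase 2: no crypto map entry sets peer {peer_ip}")
    for (name, seq), entry in matched:
        offered = str(entry.get("transform-set", "")).split()
        agreed = False
        for ts in offered:
            if ts not in transform_sets:
                findings.append(f"{name} {seq}: transform-set {ts} is not defined")
                continue
            if split_transform(transform_sets[ts]) == (want2["encryption"], want2["integrity"]):
                agreed = True
        if not agreed:
            detail = ", ".join(f"{ts}={'/'.join(transform_sets.get(ts, ['?']))}" for ts in offered)
            findings.append(f"{name} {seq}: no transform-set offers "
                            f"{want2['encryption']}/{want2['integrity']} (offered: {detail})")
        if bool(entry.get("pfs")) != want2["pfs"]:
            findings.append(f"{name} {seq}: PFS setting differs from peer")
    return findings


# The one-line change the reply recommends, applied to the posted excerpt.
CORRECTED_CONFIG = ASA_CONFIG.replace("set transform-set ESP-3DES-MD5",
                                      "set transform-set ESP-3DES-SHA")
```

Running `check_peer(ASA_CONFIG, "ddd.eee.fff.32", PEER_PROPOSAL)` reports that L2LMAP 10 offers only esp-3des/esp-md5-hmac while the peer wants esp-3des/esp-sha-hmac; the same call on `CORRECTED_CONFIG` returns an empty list. The checker also flags an undefined transform-set name, a missing crypto-map entry for the peer, and a PFS disagreement, which are the other three causes of a phase-2 failure that a `show crypto ipsec sa` will not explain on its own.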