ICMP Port Unreachable
Can someone clarify what the exception java.net.PortUnreachableException: ICMP Port Unreachable means (beyond the obvious)? Here's the scenario: using UDP I have a client application, a gateway application and a server application. The client sends to the server through the gateway and vice versa. I created 2 sockets, one between the client and the gateway and the other between the gateway and the server. When I try to send from the gateway to the client, the packet never makes it to the client (the server side is fine). When I call sock.getLocalSocketAddress and sock.getRemoteSocketAddress, both are 0.0.0.0 (the latter at least has the right port number). The gateway acts as a server for the client and as a client to the server. I tried to solve this problem using sock.connect on the gateway side for the client-facing socket, but that ultimately generates the ICMP port unreachable exception on the gateway side upon receive from the client. Thank you in advance.
This means that there is no UDP connectivity between whichever host gets the exception and whichever host the socket is connected to. Usually a firewall issue.
The address 0.0.0.0 only means that the socket is bound to all interfaces; this isn't a problem.
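As an added example (not code from the question or the answer), the behaviour the answer describes, reproduced in Python on Linux: only a connected UDP socket has the ICMP port unreachable reported back to it (as ConnectionRefusedError, the counterpart of Java's PortUnreachableException), while an unconnected socket never sees it and simply times out. The helper names and the loopback target are assumptions.

```python
"""Added example: how ICMP type 3 / code 3 (port unreachable) surfaces on a UDP
socket. Assumes Linux semantics: a connected UDP socket gets ECONNREFUSED
(ConnectionRefusedError) when the ICMP error arrives; an unconnected socket
drops the ICMP silently, so the receiver only ever times out.
"""
import socket


def free_udp_port() -> int:
    """Ask the kernel for a free UDP port, then release it so nothing listens there."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def probe(port: int, connected: bool, timeout: float = 1.0) -> str:
    """Send one datagram to 127.0.0.1:port and classify what the socket reports.

    Returns "refused" if the kernel surfaced ICMP port unreachable,
    "timeout" if nothing came back, or "data" if something answered.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            if connected:
                # connect() fixes the peer; the kernel then delivers ICMP errors
                # for that peer to this socket instead of discarding them.
                s.connect(("127.0.0.1", port))
                s.send(b"ping")
                s.recv(1024)
            else:
                # No connect(): the ICMP reply is not attributed to this socket.
                s.sendto(b"ping", ("127.0.0.1", port))
                s.recvfrom(1024)
            return "data"
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "timeout"


if __name__ == "__main__":
    port = free_udp_port()  # closed port: guarantees an ICMP port unreachable
    print("connected socket  :", probe(port, connected=True))
    print("unconnected socket:", probe(port, connected=False))
```

Seeing "refused" tells you the ICMP reached the sender, so the peer host is up and the port is closed; a "timeout" on the same path usually means a filter dropped either the datagram or the ICMP reply.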
Tags: Java
Similar Questions
-
Disabling ICMP between port groups on the same vSwitch
Hello
I'm new to vShield. I added a vShield App rule to disable ICMP between two port groups on the same vSwitch, but it does not work. Is that possible, or do I have to try another way to do the same thing?
Kind regards
KC
Hello
You can use an ICMP policy with these two port groups. Can you share the logs?
-
Inaccurate NSDB description for sig 2001 ICMP Host Unreachable
Sig 2001 fires when there are ICMP type 3 packets. This type of message is more correctly described as Destination Unreachable (refer to IANA).
The signature triggers on all type 3 messages, but to be accurate with respect to the NSDB description, it should trigger only on Type 3 Code 1 (refer to IANA).
Can Cisco please correct the NSDB for S94, or correct the signature to only fire on ICMP Type 3 Code 1. I can adjust the code setting through IDM, but it gets reset after a config deployment from IDS MC. Very annoying (see my previous post) to correctly set up sigs via IDM and have to do it again after every IDS MC push.
http://www.IANA.org/assignments/ICMP-parameters
A fix has been implemented in S94. CSCee64472 tracks the issue. The NSDB has been updated to reflect the addition of ICMP code 1.
-
Sony Clie error message port unreachable
Cannot HotSync with Palm Desktop to handheld ver. 4
Hello
1. Were any changes made on the computer before the issue appeared?
2. How have you connected the Palm device to the computer?
3. What is the full and exact error message?
Check the link and see if it helps:
Handheld connection issues that affect the HotSync process
http://KB.hpwebos.com/wps/portal/KB/common/article/1409_en.html
Let us know if it helps.
-
SPA 962 - intermittently without audio (RTP port closed/unreachable)
Hi all!
We recently bought 21 Linksys SPA-962 phones for our office. We connect them directly from our PoE (Cisco 300) switch to our sipx box, which is on the same subnet and switch (sipx does not run iptables). Most of our phone calls work fine, but we find that periodically (for example 1 in 10 calls) we have no audio. There are no NAT settings, so it should be relatively simple.
The most interesting part of the problem is that it seems to be the phone itself. The reason I believe it is the phone is the attached pcap trace. You can see that the first call in this trace is bad and the second actually completes correctly.
In the SIP negotiation everything seems to work properly and the phone says which RTP port will be used, but when sipx tries to talk to that RTP port the phone returns an ICMP port unreachable! With a syslog server set up as the phone's debug server, it appears the phone believes it opened the receive port, but further down it attempts to send RTP to sipxecs and can't send RTP back, which I believe is because the port could not be allocated/opened in the first place.
I tried all four available Cisco firmwares that I could find, and they all have the same issue. I also tried placing the phone on its own VLAN, I tried SRTP, tried symmetric RTP, I tried Sticky 183, and nothing seems to resolve the behavior.
Do we have bad phones?
We also have a Grandstream ATA gateway with Polycoms attached, and all of those phone calls work 100% of the time.
Thanks in advance!
I got it. Disable CDP on the System page. That's all.
-
PXE error, PXE-E32 TFTP Open Timeout through vmnet
Hi all
I'm completely stuck, because my setup has worked for the past few weeks and just stopped working today.
I'm running VMware Fusion 6.02 on Mac OS X. I have two guest machines: the first is an Ubuntu 10.04 installation running a DHCP and TFTP server to PXE boot kernel images. The second is just a generic Ubuntu 64-bit virtual machine that PXE boots the image provided by the Ubuntu 10.04 VM. I've set up a custom vmnet for the two virtual machines using the following commands:
sudo /Applications/VMware\ Fusion.app/Contents/Library/vmnet-cfgcli vnetcfgadd VNET_6_DHCP no
sudo /Applications/VMware\ Fusion.app/Contents/Library/vmnet-cfgcli vnetcfgadd VNET_6_HOSTONLY_SUBNET 192.168.0.0
sudo /Applications/VMware\ Fusion.app/Contents/Library/vmnet-cfgcli vnetcfgadd VNET_6_HOSTONLY_NETMASK 255.255.255.0
sudo /Applications/VMware\ Fusion.app/Contents/Library/vmnet-cfgcli vnetcfgadd VNET_6_VIRTUAL_ADAPTER yes
With the help of vmnet-sniffer on my Mac and Wireshark in my Ubuntu 10.04 VM, I see that packets make it from the PXE-booting VM to the Ubuntu 10.04 VM. The PXE boot VM correctly receives a DHCP address and then fails with PXE-E32 TFTP open timeout.
The packets in the trace are the following:
Len 590 src 00:0c:29:d0:4e:26 dst ff:ff:ff:ff:ff:ff IP src 0.0.0.0 dst 255.255.255.255 UDP src port 68 dst port 67
Len 342 src 00:0c:29:f8:7c:77 dst ff:ff:ff:ff:ff:ff IP src 192.168.0.1 dst 255.255.255.255 UDP src port 67 dst port 68
Len 590 src 00:0c:29:d0:4e:26 dst ff:ff:ff:ff:ff:ff IP src 0.0.0.0 dst 255.255.255.255 UDP src port 68 dst port 67
Len 342 src 00:0c:29:f8:7c:77 dst ff:ff:ff:ff:ff:ff IP src 192.168.0.1 dst 255.255.255.255 UDP src port 67 dst port 68
Len 42 src 00:0c:29:d0:4e:26 dst ff:ff:ff:ff:ff:ff ARP sender 00:0c:29:d0:4e:26 192.168.0.101 target 00:00:00:00:00:00 192.168.0.1 ARP request
Len 42 src 00:50:56:c0:00:06 dst 00:0c:29:d0:4e:26 ARP sender 00:50:56:c0:00:06 192.168.0.1 target 00:0c:29:d0:4e:26 192.168.0.101 ARP reply
Len 42 src 00:0c:29:f8:7c:77 dst 00:0c:29:d0:4e:26 ARP sender 00:0c:29:f8:7c:77 192.168.0.1 target 00:0c:29:d0:4e:26 192.168.0.101 ARP reply
Len 69 src 00:0c:29:d0:4e:26 dst 00:50:56:c0:00:06 IP src 192.168.0.101 dst 192.168.0.1 UDP src port 2070 dst port 69
Len 70 src 00:50:56:c0:00:06 dst 00:0c:29:d0:4e:26 IP src 192.168.0.1 dst 192.168.0.101 unknown ICMP type 3
Len 69 src 00:0c:29:d0:4e:26 dst 00:50:56:c0:00:06 IP src 192.168.0.101 dst 192.168.0.1 UDP src port 2071 dst port 69
Len 70 src 00:50:56:c0:00:06 dst 00:0c:29:d0:4e:26 IP src 192.168.0.1 dst 192.168.0.101 unknown ICMP type 3
So, I investigated the unknown ICMP type 3, which is Destination Unreachable (Port Unreachable).
An nmap scan of localhost produced the following:
PORT STATE SERVICE
67/udp open|filtered dhcps
69/udp open|filtered tftp
111/udp open|filtered rpcbind
2049/udp open|filtered nfs
5353/udp open|filtered zeroconf
In addition, a netstat -nulp | grep '69' also confirms the tftp daemon is running:
udp 0 0 0.0.0.0:69 0.0.0.0:* 4159/in.tftpd
The only major change to the system has been an installation of the VMware tools on the Ubuntu 10.04 VM last week.
I know that the server configuration on the Ubuntu 10.04 VM is correct, because when I set its network adapter to the Thunderbolt Ethernet it is able to hand out DHCP addresses and the PXE image to a physical machine connected to the Mac via a switch. PXE boot fails only when going through the custom vmnet to the other virtual machine.
Any help or suggestion would be greatly appreciated.
If you create a virtual adapter on that network, it will default to 192.168.0.1. It seems that your DHCP/TFTP server is also at 192.168.0.1.
Move your DHCP/TFTP server to 192.168.0.2 and it should work.
(Note: 00:50:56:c0:00:06 is the MAC address assigned to the host's vmnet6 virtual adapter... so the ICMP Port Unreachable message comes from the host, not from the DHCP/TFTP server VM.)
See you soon,
--
Darius
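As an added example (not code from the thread), the triage Darius did by hand, automated over a sniffer trace: find IPs that more than one MAC answers ARP for, and attribute each ICMP type 3 to the MAC that sent it so the two findings can be correlated. The sample lines are constructed to mirror the trace in the post, and the line format the parser expects is an assumption based on that trace.

```python
"""Added example: spot a duplicate-IP condition and the resulting ICMP port
unreachable in a vmnet-sniffer style trace. Line format is assumed from the
post; the sample trace below is constructed, not captured.
"""
import re
from collections import defaultdict

# Constructed sample trace modelled on the post: two different MACs reply to ARP
# for 192.168.0.1, and the TFTP request goes to the one that is not the server.
SAMPLE_TRACE = """\
Len 42 src 00:0c:29:d0:4e:26 dst ff:ff:ff:ff:ff:ff ARP sender 00:0c:29:d0:4e:26 192.168.0.101 target 00:00:00:00:00:00 192.168.0.1 ARP request
Len 42 src 00:50:56:c0:00:06 dst 00:0c:29:d0:4e:26 ARP sender 00:50:56:c0:00:06 192.168.0.1 target 00:0c:29:d0:4e:26 192.168.0.101 ARP reply
Len 42 src 00:0c:29:f8:7c:77 dst 00:0c:29:d0:4e:26 ARP sender 00:0c:29:f8:7c:77 192.168.0.1 target 00:0c:29:d0:4e:26 192.168.0.101 ARP reply
Len 69 src 00:0c:29:d0:4e:26 dst 00:50:56:c0:00:06 IP src 192.168.0.101 dst 192.168.0.1 UDP src port 2070 dst port 69
Len 70 src 00:50:56:c0:00:06 dst 00:0c:29:d0:4e:26 IP src 192.168.0.1 dst 192.168.0.101 unknown ICMP type 3
"""

MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ARP_REPLY = re.compile(
    rf"src (?P<mac>{MAC}) .*ARP sender (?P<smac>{MAC}) (?P<sip>{IP}) .*ARP reply$", re.I)
ICMP3 = re.compile(
    rf"src (?P<mac>{MAC}) .*IP src (?P<sip>{IP}) dst (?P<dip>{IP}) .*ICMP type 3", re.I)
UDP = re.compile(
    rf"src (?P<mac>{MAC}) dst (?P<dmac>{MAC}) IP src (?P<sip>{IP}) dst (?P<dip>{IP}) "
    rf"UDP src port (?P<sport>\d+) dst port (?P<dport>\d+)", re.I)


def arp_claims(trace: str) -> dict:
    """Map each IP seen in an ARP reply to the set of MACs that claimed it."""
    claims = defaultdict(set)
    for line in trace.splitlines():
        m = ARP_REPLY.search(line)
        if m:
            claims[m["sip"]].add(m["smac"].lower())
    return dict(claims)


def ip_conflicts(trace: str) -> dict:
    """IPs claimed by more than one MAC: a duplicate-address condition."""
    return {ip: macs for ip, macs in arp_claims(trace).items() if len(macs) > 1}


def icmp_unreachable_senders(trace: str) -> list:
    """(sender MAC, sender IP, destination IP) for every ICMP type 3 in the trace."""
    out = []
    for line in trace.splitlines():
        m = ICMP3.search(line)
        if m:
            out.append((m["mac"].lower(), m["sip"], m["dip"]))
    return out


def udp_to_icmp_senders(trace: str) -> list:
    """(dst IP, dst port) of UDP datagrams addressed to a MAC that answered with
    ICMP type 3, i.e. the service the client never actually reached."""
    senders = {mac for mac, _, _ in icmp_unreachable_senders(trace)}
    hits = []
    for line in trace.splitlines():
        m = UDP.search(line)
        if m and m["dmac"].lower() in senders:
            hits.append((m["dip"], int(m["dport"])))
    return hits


def diagnose(trace: str) -> list:
    """Human-readable findings: conflicts, and whether a conflicting claimant
    is the one that answered with ICMP type 3."""
    findings = []
    conflicts = ip_conflicts(trace)
    for ip, macs in sorted(conflicts.items()):
        findings.append(f"IP {ip} claimed by {len(macs)} MACs: {', '.join(sorted(macs))}")
    for mac, sip, dip in icmp_unreachable_senders(trace):
        note = f"ICMP type 3 from {mac} ({sip}) to {dip}"
        if sip in conflicts:
            note += ("; sender is one of the conflicting claimants, so the UDP "
                     "request was answered by the wrong host")
        findings.append(note)
    for dip, dport in udp_to_icmp_senders(trace):
        findings.append(f"UDP to {dip}:{dport} was refused by the ICMP sender")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_TRACE):
        print(finding)
```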
-
Global NAT with FVRF questions - for experts
Hi Expert,
I have a client with a DMVPN network. Here is a simple drawing of installation:
First I set the BRANCH1 router config: BRANCH1-Config.txt
What the client wants is simple:
Host 200.200.200.200 reaches host 192.168.100.2 on port 3389.
So I thought to do the static NAT like this:
ip nat inside source static tcp 192.168.100.2 3389 100.10.10.2 3389
but it does not work, because the BRANCH1 router is configured with FVRF, which means the outside interface is in a VRF and the inside LAN interface is in the global table. I couldn't see any traffic reaching the server (192.168.100.2), but I could see the translation in the NAT process.
So I tried configuring the NAT virtual interface (NVI); I read that NVI works best in a VRF environment. This time with these lines:
interface FastEthernet0/0
 description * WAN connection *
 bandwidth 20000
 ip vrf forwarding DMVPN-VRF
 ip address 100.10.10.2 255.255.255.0
 ip access-group OUTSIDEACL in
 ip nat enable
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description * to connect to the computer 3 *
 ip address 192.168.100.1 255.255.255.0
 ip nbar protocol-discovery
 ip nat enable
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
 no cdp enable
ip nat source static tcp 192.168.100.2 3389 100.10.10.2 3389 extendable
Then I finally got some traffic reaching the server 192.168.100.2. See the Wireshark log:
200.200.200.200 192.168.100.2 TCP stgxfws > ms-wbt-Server [SYN] Seq = 0 Win = 64240 Len = 0 MSS = 1260
192.168.100.2 200.200.200.200 ms-wbt-Server TCP > stgxfws [SYN, ACK] Seq = 0 Ack = 1 win = 64240 Len = 0 MSS = 1460
So far so good, but... the router sends an ICMP destination unreachable code 13 to the server:
10.1.0.1 192.168.100.2 ICMP Destination unreachable (Communication administratively filtered)
I guess that is because the router performs the lookup in the global routing table instead of the FVRF.
Anyone know how I can fix this problem?
Maybe a solution at HUB1 for this, so everything is managed centrally; what do you think?
Best regards
Laurent Rlap
I can't see the spoke1 config. But first the routing needs to work, and I would like to try leaking the route from the VRF into the global table.
ip route 200.200.200.200 255.255.255.255 FastEthernet0/0
When this is fixed we can look at NAT.
/ Ralph
-
Cannot Ping Through Site-to-Site host
The two ends are ASA 5510. The IPsec tunnel is running.
show crypto isakmp
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 50.240.120.233
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
show crypto ipsec
#pkts encaps: 46, #pkts encrypt: 46, #pkts digest: 46
#pkts decaps: 45, #pkts decrypt: 45, #pkts verify: 45
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 46, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
From my side (10.1.20.0/24) I can only ping the "inside" interface of the remote ASA (10.2.20.1). I can't ping other computers on the remote subnet. The remote subnet is not able to ping anything on my side.
Here is the config on my side
: Saved
:
ASA Version 8.2(1)
!
hostname asa
names
name 72.xxx.xxx.xxx Telepacific_Gateway
name 184.188.50.225 Cox_Gateway
name 10.1.20.32 VPN
name 10.2.20.0 Jacksonville-Subnet
!
interface Ethernet0/0
description Telepacific 4Mb Internet
nameif WAN_TelePacific
security-level 0
ip address 72.xxx.xxx.xxx 255.255.255.248
!
interface Ethernet0/1
description Cox 10Mb Fiber Internet
speed 100
duplex full
nameif WAN_Cox
security-level 0
ip address 184.xxx.xxx.xxx 255.255.255.248
!
interface Ethernet0/2
nameif VOIP
security-level 49
ip address 10.1.10.1 255.255.255.0
!
interface Ethernet0/3
nameif inside
security-level 50
ip address 10.1.20.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup WAN_TelePacific
dns domain-lookup WAN_Cox
dns server-group DefaultDNS
name-server 209.242.128.100
name-server 209.242.128.101
name-server 8.8.8.8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type ICMP
icmp-object alternate-address
icmp-object conversion-error
icmp-object echo
icmp-object echo-reply
icmp-object information-reply
icmp-object information-request
icmp-object mask-reply
icmp-object mask-request
icmp-object mobile-redirect
icmp-object parameter-problem
icmp-object redirect
icmp-object router-advertisement
icmp-object router-solicitation
icmp-object source-quench
icmp-object time-exceeded
icmp-object timestamp-reply
icmp-object timestamp-request
icmp-object traceroute
icmp-object unreachable
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.1.20.0 255.255.255.0
access-list ragroup_splitTunnelAcl standard permit 10.1.20.0 255.255.255.0
access-list WAN_Cox_1_cryptomap extended permit ip 10.1.20.0 255.255.255.0 Jacksonville-Subnet 255.255.255.0
access-list WAN_access_in extended permit icmp any any
access-list WAN_Cox_access_in extended permit icmp any any
access-list WAN_Cox_access_in extended permit udp VPN 255.255.255.224 10.1.20.0 255.255.255.0
access-list WAN_Cox_access_in extended permit tcp VPN 255.255.255.224 10.1.20.0 255.255.255.0
access-list inside_nat_outbound_1 extended permit ip any any
access-list inside_nat_outbound extended permit ip any any
access-list inside_nat0_outbound extended permit ip 10.1.20.0 255.255.255.0 Jacksonville-Subnet 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.20.0 255.255.255.0 VPN 255.255.255.224
pager lines 24
logging enable
logging asdm informational
logging mail critical
mtu WAN_TelePacific 1500
mtu WAN_Cox 1500
mtu VOIP 1500
mtu inside 1500
mtu management 1500
ip local pool RA VPN-10.1.20.49 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp deny any WAN_TelePacific
asdm history enable
arp timeout 14400
global (WAN_TelePacific) 101 interface
global (WAN_Cox) 102 interface
global (inside) 103 interface
nat (WAN_Cox) 103 VPN 255.255.255.224 outside
nat (VOIP) 102 0.0.0.0 0.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 102 access-list inside_nat_outbound
nat (inside) 101 access-list inside_nat_outbound_1
nat (management) 102 0.0.0.0 0.0.0.0
access-group WAN_access_in in interface WAN_TelePacific
access-group WAN_Cox_access_in in interface WAN_Cox
route WAN_Cox 0.0.0.0 0.0.0.0 Cox_Gateway 1 track 3
route WAN_TelePacific 0.0.0.0 0.0.0.0 Telepacific_Gateway 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
ldap attribute-map CISCOMAP
map-name msNPAllowDialin IETF-Radius-Class
map-value msNPAllowDialin FALSE NOACCESS
map-value msNPAllowDialin TRUE ALLOWACCESS
dynamic-access-policy-record DfltAccessPolicy
aaa-server AD_Group_author protocol ldap
aaa-server AD_Group_author (inside) host 10.1.20.10
server-port 389
ldap-base-dn DC=,DC=LOCAL
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn CN=VPN,CN=Users,DC=,DC=local
server-type microsoft
ldap-attribute-map CISCOMAP
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.1.20.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 WAN_TelePacific
http 0.0.0.0 0.0.0.0 WAN_Cox
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
sla monitor 100
type echo protocol ipIcmpEcho Telepacific_Gateway interface WAN_Cox
num-packets 20
sla monitor schedule 100 life forever start-time now
sla monitor 101
type echo protocol ipIcmpEcho Cox_Gateway interface WAN_Cox
sla monitor schedule 101 life forever start-time now
sla monitor 102
type echo protocol ipIcmpEcho Cox_Gateway interface WAN_Cox
sla monitor schedule 102 life forever start-time now
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map WAN_map interface WAN_TelePacific
crypto map management_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map management_map interface management
crypto map WAN_Cox_map 1 match address WAN_Cox_1_cryptomap
crypto map WAN_Cox_map 1 set pfs
crypto map WAN_Cox_map 1 set peer 50.240.120.233
crypto map WAN_Cox_map 1 set transform-set ESP-3DES-SHA
crypto map WAN_Cox_map 1 set nat-t-disable
crypto map WAN_Cox_map interface WAN_Cox
crypto ca trustpoint vpn_ssl_cert
fqdn asa
subject-name CN=asa
no client-types
crl configure
crypto isakmp enable WAN_Cox
crypto isakmp enable inside
crypto isakmp enable management
crypto isakmp policy 10
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
track 1 rtr 100 reachability
!
track 2 rtr 101 reachability
!
track 3 rtr 102 reachability
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh 10.1.20.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 5
management-access inside
dhcpd address 10.1.10.51-10.1.10.254 VOIP
dhcpd dns 216.70.224.17 8.8.8.8 interface VOIP
dhcpd enable VOIP
!
dhcpd address 10.1.20.100-10.1.20.254 inside
dhcpd dns 216.70.224.17 8.8.8.8 interface inside
dhcpd wins 10.1.20.10 1.1.20.11 interface inside
dhcpd domain local interface inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 10.1.20.0 255.255.255.0
threat-detection scanning-threat shun except ip-address 10.1.20.10 255.255.255.255
threat-detection scanning-threat shun except ip-address 10.1.20.12 255.255.255.255
threat-detection scanning-threat shun duration 3600
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.1.20.10 source inside prefer
webvpn
enable WAN_Cox
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2
svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3
svc enable
group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol IPSec svc
webvpn
svc ask none default svc
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 10.1.20.10
dns-server value 10.1.20.10
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value local
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
address-pools value RA
group-policy ragroup internal
group-policy ragroup attributes
wins-server value 10.1.20.1
dns-server value 10.1.20.1
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ragroup_splitTunnelAcl
default-domain value
group-policy ALLOWACCESS internal
group-policy ALLOWACCESS attributes
banner none
wins-server value 10.1.20.10
dns-server value 10.1.20.10
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ragroup_splitTunnelAcl
default-domain value local
webvpn
svc ask none default svc
tunnel-group DefaultRAGroup general-attributes
address-pool RA
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool RA
authentication-server-group AD_Group_author LOCAL
authorization-server-group AD_Group_author
authorization-required
username-from-certificate use-entire-name
tunnel-group DefaultWEBVPNGroup ppp-attributes
authentication ms-chap-v2
tunnel-group ZRemote type remote-access
tunnel-group ZRemote general-attributes
address-pool RA
authentication-server-group AD_Group_author LOCAL
tunnel-group TunnelGroup1 type remote-access
tunnel-group TunnelGroup1 general-attributes
address-pool RA
authentication-server-group AD_Group_author LOCAL
default-group-policy ALLOWACCESS
tunnel-group 50.240.xxx.xxx type ipsec-l2l
tunnel-group 50.240.xxx.xxx ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
smtp-server 10.1.20.14
prompt hostname context
Cryptochecksum:053e7f169dcfa526b030f5d647cd78e8
: end
This ASA configuration seems correct to me.
Please check the NAT exempt configuration on the remote end.
If possible, post the config of the remote end as well.
Kind regards
NGO
-
Hello everyone,
I have problems making IPsec VPN remote access work.
The goal is to be able to connect to our internal network from home or elsewhere.
When I try to connect to my home VPN, I get no further than Phase 1.
My architecture is a Cisco ASA5505 behind a modem-router from the ISP. The IP address of the modem is 192.168.1.1 for outside.
The IP address of the ASA is 192.168.1.254 for outside and 10.0.0.1 for inside. I put the ASA in the DMZ of the ISP modem to be able to reach it through the Internet (I wanted to use the ISP modem-router in bridge mode just as a simple gateway and handle everything else with the ASA).
So my problem is that I can't seem to connect to the VPN through the public IP address.
Here is my config:
: Saved
:
ASA Version 8.2(5)
!
hostname Cisco-ASA-5505
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.254 255.255.255.0
!
ftp mode passive
clock timezone GMT 1
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNpool 10.0.1.1-10.0.1.50
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route inside 192.168.2.0 255.255.255.0 10.0.0.42 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RA-TS esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN-MAP 10 set transform-set RA-TS
crypto map VPN-MAP 30 ipsec-isakmp dynamic DYN-MAP
crypto map VPN-MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 3600
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.10-10.0.0.40 inside
dhcpd dns 81.253.149.9 80.10.246.1 interface inside
dhcpd update dns both override interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside 10.0.0.42 /srv/tftp/cisco-rtr-01-config
webvpn
username admin password 4RdDnLO1w2ilihWc encrypted
username test password zGOnThs6HPdiZhqs encrypted
tunnel-group testvpn type remote-access
tunnel-group testvpn general-attributes
address-pool VPNpool
tunnel-group testvpn ipsec-attributes
pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c3d233f44e742110aa0ce1f81173d47c
: end
My config to the client is attached.
When I look at what happened during the connection with Wireshark, I see 'Port Unreachable'. Do I have to do something on my ISP router? Because I read that it is not necessary to use NAT if the device is in the DMZ.
Can you help me please?
Because you have that address on your external interface, you will need to tell your router to forward traffic to the ASA. So you can do NAT or port forwarding to the ASA.
I guess you don't have a single public IP address assigned by your ISP.
Kind regards
Jan
-
RVS4000, NAT translation timeout?
My RVS4000 is rejecting DNS _answers_ with "destination unreachable (port unreachable)". I finally managed to sniff packets on the WAN side, and the response packets look OK. They come from the same IP address and port number that the RVS put in the outgoing request packet.
This only happens when it is connected to a satellite internet connection. It works fine with my old cable connection. My only theory now is that the RVS4000 expires the NAT rule before the answer comes back. Total response time is running around 1.3 seconds, due, without a doubt, to the high latency of the satellite link.
I tried changing Setup -> WAN -> MTU, and manually setting the up and down speeds under QoS -> Bandwidth Management; nothing helps. Those have been the only parameters I could find which seemed to have anything remotely to do with this problem. I've updated the firmware to 1.3.0.3, but the problem is the same before and after.
Any help on how to keep NAT rules alive longer, or other explanations, would be greatly appreciated.
I had already tried that, without success. I ended up buying a different router (Netgear RP614v4, it's what they had in the retail store), which fixes the problem. Surely this must be a known problem with satellite internet.
-
IOS ACL interaction w/ inspect CBAC
Sorry to bother you guys, but I'm banging my head against the wall with this one
[ACL vs CBAC ip inspect]
Specifically, SDM created the following configuration:
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
!
interface FastEthernet4
 ip address 100.100.100.1 255.255.255.0
 ip access-group 101 in
 ip inspect SDM_LOW out
access-list 101 deny ip 10.10.10.0 0.0.0.255 any
access-list 101 permit icmp any host 100.100.100.1 echo-reply
access-list 101 permit icmp any host 100.100.100.1 time-exceeded
access-list 101 permit icmp any host 100.100.100.1 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
So as you can see, the DENY ANY ANY of the ACL would block return traffic, wouldn't it? I thought that the ACL is applied FIRST? So, looking at this config, I guess that when CBAC examines traffic going OUT on the external interface, it can then create holes in the ACL to allow the return traffic. Is this correct?
And if so, why not simply rely on the implicit DENY ALL; why does deny ip any any appear explicitly in the ACL?
I read through the 12.4 security configuration guide on Cisco's site and it does not answer this question.
Thanks in advance
:-(
Your assumption is quite right: CBAC opens a hole in the ACL to allow the return traffic.
Regarding the deny ip any any at the end of the access list, it's a best-practice line added to the access list. If you look at the line, you will notice that there is a log keyword at the end, so it is there to log the denied traffic to a syslog server, for example, so you can review and analyze the traffic later, in case you get attacked or something like that.
You can remove this line if you think it's unnecessary, but as I said, it is good practice when it comes to access lists.
Regards,
Shadi
-
IPSec VPN Site-to-Site Cisco 837 router to FortiGate 200A firewall
I have a challenge for a site-to-site VPN scenario that may need some brainstorming from you guys.
So far, I have a configuration planned for this scenario, but I'm not very sure the tunnel I created will work, because I have not tested it before in this scenario. I'll be on this project next week and hopefully get a solution from brainstorming with you guys. Thanks in advance!
Network diagram:
http://cjunhan.multiply.com/photos/hi-res/5/3?xurl=%2Fphotos%2Fphoto%2F5%2F3
Challenge:
(1) configure Cisco R3 IPSec Site-to-Site VPN between 172.20.10.0 and 10.20.20.0 using crypto maps
(2) IKE Phase I MainMode, lifetime 28000, md5, DH-Group1
IKE Phase II: des-esp, hmac-md5, tunnel mode
PSK: sitetositevpn
Here is my setup for review:
crypto isakmp policy 10
 encr des
 authentication pre-share
 group 1
 hash md5
crypto isakmp key sitetositevpn address 210.x.x.66
!
crypto ipsec transform-set ciscoset esp-des esp-md5-hmac
!
crypto map infotelmap 10 ipsec-isakmp
 set peer 210.x.x.66
 set transform-set ciscoset
 match address 111
!
!
interface Ethernet0
 description LAN 3
 ip address 10.20.20.1 255.255.255.0
 ip nat inside
 servers-exit of service-policy policy
 hold-queue 100 out
!
interface ATM0
 no ip address
 atm vc-per-vp 64
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 ip address 210.x.20.x.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 pvc 8/35
  encapsulation aal5snap
!
!
ip nat inside source list 102 interface ATM0.1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 0.0.0.0 0.x.0.x.190.60.66
no ip http secure-server
!
access-list 102 remark NAT traffic
access-list 102 permit ip 10.20.20.0 0.0.0.255 any
!
access-list 111 remark VPN Site-to-Site LAN 3 to LAN 2 network
access-list 111 permit ip 0.0.0.x.x.10.0 10.20.20.0 0.0.0.255
Kind regards
Junhan
Hello
Three changes are required in this configuration.
(1) change the NAT access-list 102 as below:
access-list 102 deny ip 10.20.20.0 0.0.0.255 172.20.10.0 0.0.0.255
access-list 102 permit ip 10.20.20.0 0.0.0.255 any
(2) apply the crypto map to the point-to-point ATM interface.
(3) remove one of the default routes.
Thank you
Mustafa
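The NAT change in Mustafa's reply is the one that most often trips people up, so here is an added example (my own code, not from the thread or from Cisco) that models it: a first-match evaluator for IOS extended ACLs with wildcard masks, and an outbound pipeline in which NAT is applied before the crypto map is consulted, which is the IOS inside-to-outside order of operations. The 172.20.10.0/24 remote LAN comes from the challenge text; the PAT address 203.0.113.66 and the hosts 10.20.20.5, 172.20.10.7 and 198.51.100.9 are constructed stand-ins for the redacted addresses.

```python
import ipaddress

# Constructed example (not the poster's or Cisco's code): a first-match evaluator
# for IOS numbered extended ACLs, used to show why the VPN-bound subnet must be
# denied in the NAT ACL.  Addresses not taken from the thread are documentation ranges.

def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def _wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)

def _parse_addr_spec(tokens, i):
    """Consume one address spec at tokens[i]: 'any', 'host X', or 'BASE WILDCARD'."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2

def parse_numbered_acl(text, number):
    """Ordered (action, src, dst) entries of 'access-list <number> {permit|deny} ip SRC DST'."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[1] != str(number) or t[2] == "remark":
            continue
        action, proto = t[2], t[3]
        if proto != "ip":
            raise ValueError("only 'ip' entries are modelled: " + line)
        src, i = _parse_addr_spec(t, 4)
        dst, _ = _parse_addr_spec(t, i)
        entries.append((action, src, dst))
    return entries

def first_match(entries, src, dst):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, (sb, sw), (db, dw) in entries:
        if _wildcard_match(src, sb, sw) and _wildcard_match(dst, db, dw):
            return action
    return "deny"

def simulate_outbound(nat_entries, crypto_entries, src, dst, pat_address):
    """IOS inside-to-outside order: NAT runs before the crypto map is consulted, so a
    packet translated by 'ip nat inside source list' is checked against the crypto
    ACL with its translated source address.  Returns (nat state, tunnelled?)."""
    if first_match(nat_entries, src, dst) == "permit":
        nat_state, src_seen_by_crypto = "translated", pat_address
    else:
        nat_state, src_seen_by_crypto = "exempt", src
    tunnelled = first_match(crypto_entries, src_seen_by_crypto, dst) == "permit"
    return nat_state, tunnelled

# NAT ACL as posted (everything from LAN 3 is PATed) and as corrected in the reply.
NAT_ACL_AS_POSTED = """\
access-list 102 remark NAT traffic
access-list 102 permit ip 10.20.20.0 0.0.0.255 any
"""
NAT_ACL_FIXED = """\
access-list 102 deny ip 10.20.20.0 0.0.0.255 172.20.10.0 0.0.0.255
access-list 102 permit ip 10.20.20.0 0.0.0.255 any
"""
# Crypto ACL for LAN 3 -> LAN 2; 172.20.10.0/24 is the remote LAN from the challenge text.
CRYPTO_ACL_111 = "access-list 111 permit ip 10.20.20.0 0.0.0.255 172.20.10.0 0.0.0.255\n"
PAT_ADDRESS = "203.0.113.66"  # constructed stand-in for the router's redacted ATM0.1 address

def demo():
    crypto = parse_numbered_acl(CRYPTO_ACL_111, 111)
    results = {}
    for label, acl_text in (("as_posted", NAT_ACL_AS_POSTED), ("fixed", NAT_ACL_FIXED)):
        nat = parse_numbered_acl(acl_text, 102)
        results[label] = {
            "to_remote_lan": simulate_outbound(nat, crypto, "10.20.20.5", "172.20.10.7", PAT_ADDRESS),
            "to_internet": simulate_outbound(nat, crypto, "10.20.20.5", "198.51.100.9", PAT_ADDRESS),
        }
    return results

if __name__ == "__main__":
    for label, r in demo().items():
        print(label, r)
```

With the ACL as posted, the packet for the remote LAN is PATed first, the crypto ACL no longer matches its translated source, and the packet leaves towards the Internet in clear text instead of through the tunnel. With the deny line in place it stays untranslated and is selected for encryption, while Internet-bound traffic is still PATed in both cases.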
-
Hello
We have some difficulty moving traffic in and out of a Cisco PIX 515 firewall. We use it with two DMZs. The first DMZ has a mail server in it (front-end mail server) that communicates with a different mail server (back-end mail server) inside; it is called DMZ1. The second DMZ (DMZ2) has some users who are expected to pass through the firewall to the outside and use the Internet, and who must have access to the e-mail server in DMZ1. Inside users must be able to use the Internet and can access DMZ1. Here's the important part of our setup.
What we have working: we can correctly access from inside; inside users can access the Internet, are permitted to reach the DMZ1 e-mail server, and the mail server in DMZ1 can reach the inside. Our problem is that we are unable to browse the Internet from the DMZ1 mail server if we put the DMZ1 ip address as the gateway on that server, and the ISP's DNS ip address is properly configured on the same machine. Also, we could not get DMZ2 users to browse the Internet, although we allowed the www protocol in the fromOut access list. One last question: can we make DMZ2 a DHCP server on that interface of the PIX and distribute ip addresses to users on that subnet only? Thanks for any help in advance.
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
!
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
nameif ethernet3 dmz2 security40
!
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
!
names
!
ip address outside X.Y.Z.163 255.255.255.248
ip address inside 192.168.0.9 255.255.255.0
ip address dmz1 192.168.10.1 255.255.255.0
ip address dmz2 192.168.20.1 255.255.255.0
!
access-list fromOut permit icmp any host X.Y.Z.162 source-quench
access-list fromOut permit icmp any host X.Y.Z.162 echo-reply
access-list fromOut permit icmp any host X.Y.Z.162 unreachable
access-list fromOut permit icmp any host X.Y.Z.162 time-exceeded
access-list fromOut permit tcp any host X.Y.Z.162 eq domain
access-list fromOut permit tcp any host X.Y.Z.162 eq telnet
access-list fromOut permit tcp any host X.Y.Z.162 eq smtp
access-list fromOut permit tcp any host X.Y.Z.162 eq www
!
access-list fromDMZ1 permit tcp host 192.168.10.2 192.168.0.0 255.255.255.0
access-list fromDMZ1 permit ip host 192.168.10.2 192.168.0.0 255.255.255.0
!
access-list fromDMZ2 permit tcp 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
!
pager lines 24
!
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu dmz2 1500
!
global (outside) 1 X.Y.Z.164 netmask 255.255.255.248
global (outside) 2 X.Y.Z.165 netmask 255.255.255.248
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
nat (dmz1) 1 192.168.10.2 255.255.255.255 0 0
nat (dmz2) 2 192.168.20.0 255.255.255.0 0 0
static (inside,dmz1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0
static (dmz2,dmz1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0
static (dmz1,outside) X.Y.Z.162 192.168.10.2 netmask 255.255.255.255 0 0
!
access-group fromOut in interface outside
access-group fromDMZ1 in interface dmz1
access-group fromDMZ2 in interface dmz2
route outside 0.0.0.0 0.0.0.0 X.Y.Z.161 1
Hi Jamil,
There is a sentence in the URL I sent you: you can now activate the dhcp option on the inside interface. Just check this...
REDA
-
Hello
I am setting up and reconfiguring a PIX 515 firewall with PIX OS 6.3(4) software.
I cannot ping devices on the Internet from the inside interface. There are a few addresses that I can ping if I am outside of the firewall.
Looks like the firewall is not translating correctly on the return packet. I can browse and do other things but not ping.
Here are my nat and global statements:
Pix1# sh nat
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
nat (dmz) 1 172.xx.xx.0 255.255.255.0 0 0
Pix1# sh global
global (outside) 1 6x.xxx.xxx.6x-6x.xxx.xxx.7x
global (outside) 1 6x.xxx.xxx.6x
global (dmz) 1 interface
Here's an abbreviated ICMP trace:
Pix1# debug icmp trace
ICMP trace on
Warning: this may cause problems on busy networks
Pix1# 1: ICMP echo request from inside:10.xx.xx.x5 to 6x.xxx.xxx.1 ID=512 seq=89 length=40
2: ICMP echo request: translating inside:10.xx.xx.x5 to outside:6x.xxx.xxx.6
3: ICMP echo request from inside:10.xx.xx.x5 to 6x.xxx.xxx.1 ID=512 seq=9219 length=40
4: ICMP echo request: translating inside:10.xx.xx.x5 to outside:6x.xxx.xxx.6
5: ICMP echo request from inside:10.xx.xx.x5 to 6x.xxx.xxx.1 ID=512 seq=9475 length=40
6: ICMP echo request: translating inside:10.xx.xx.x5 to outside:6x.xxx.xxx.6
7: ICMP echo-reply from outside:6x.xxx.xxx.1 to 6x.xxx.xxx.6 ID=512 seq=9475 length=40
8: ICMP echo request from inside:10.xx.xx.x5 to 6x.xxx.xxx.1 ID=512 seq=9731 length=40
9: ICMP echo request: translating inside:10.xx.xx.x5 to outside:6x.xxx.xxx.6
Thanks in advance for your help.
Doug.
ICMP is not a stateful protocol; to allow ping through the PIX, you must add extra lines to your access list on the outside!
See: Handling ICMP Pings with the PIX Firewall
http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
The PIX and the traceroute command
http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_tech_note09186a00800e9312.shtml
Examples:
Traceroute
Microsoft:
access-group 101 in interface outside
access-list 101 permit icmp any host YourPublicIP unreachable
access-list 101 permit icmp any host YourPublicIP time-exceeded
access-list 101 permit icmp any host YourPublicIP echo-reply
UNIX:
access-group 101 in interface outside
access-list 101 permit icmp any host YourPublicIP unreachable
access-list 101 permit icmp any host YourPublicIP time-exceeded
icmp command example:
icmp deny any outside
icmp permit any echo-reply outside
icmp permit any echo-reply inside
icmp permit host 192.168.1.30 echo inside
icmp permit host 192.168.1.31 echo inside
icmp permit host 192.168.1.20 echo inside
icmp permit host 192.168.1.40 echo inside
icmp permit host 192.168.1.100 echo inside
sincerely
Patrick
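A minimal stateful tracker for a trace like the one above, added here as an example (my own code, not Cisco's and not the poster's output): it pairs each outbound echo request with a reply by peer address, ID and sequence number, which is the logic inspect icmp on the ASA (and fixup protocol icmp on PIX 6.3) applies, as opposed to the echo-reply ACL entries above, which admit a reply from any source whether or not a request went out. Run over the trace in the question it would report every request except seq 9475 as unanswered. The trace lines and addresses below are constructed.

```python
import re

# Constructed 'debug icmp trace' style lines (not the poster's real output): the
# addresses are documentation ranges and the layout follows the shape of the
# trace in the question (request, translation, reply).
TRACE = """\
1: ICMP echo request from inside:10.0.0.5 to 198.51.100.1 ID=512 seq=89 length=40
2: ICMP echo request: translating inside:10.0.0.5 to outside:203.0.113.6
3: ICMP echo request from inside:10.0.0.5 to 198.51.100.1 ID=512 seq=90 length=40
4: ICMP echo request: translating inside:10.0.0.5 to outside:203.0.113.6
5: ICMP echo reply from outside:198.51.100.1 to 203.0.113.6 ID=512 seq=90 length=40
6: ICMP echo reply from outside:192.0.2.77 to 203.0.113.6 ID=777 seq=1 length=40
"""

ECHO_RE = re.compile(
    r"^(?P<n>\d+): ICMP echo (?P<kind>request|reply) from (?P<ifc>\w+):(?P<src>[\d.]+) "
    r"to (?P<dst>[\d.]+) ID=(?P<id>\d+) seq=(?P<seq>\d+) length=\d+$"
)
XLATE_RE = re.compile(
    r"^(?P<n>\d+): ICMP echo request: translating inside:(?P<src>[\d.]+) to outside:(?P<xlate>[\d.]+)$"
)

def inspect_icmp_trace(text):
    """Minimal stateful ICMP echo tracking: a reply is admitted only if an outbound
    request with the same (peer, ID, seq) is pending; anything else is dropped.
    Returns what was admitted, what was dropped, which requests were never
    answered, and the inside->outside translations seen."""
    pending = {}            # (peer, id, seq) -> (trace line number, inside host)
    translations = {}       # inside host -> translated outside address
    admitted, dropped = [], []
    for line in text.splitlines():
        x = XLATE_RE.match(line)
        if x:
            translations[x["src"]] = x["xlate"]
            continue
        m = ECHO_RE.match(line)
        if not m:
            continue
        peer = m["dst"] if m["kind"] == "request" else m["src"]
        key = (peer, int(m["id"]), int(m["seq"]))
        if m["kind"] == "request":
            pending[key] = (int(m["n"]), m["src"])
        elif key in pending:
            _, inside_host = pending.pop(key)
            admitted.append((int(m["n"]), inside_host))
        else:
            dropped.append(int(m["n"]))   # unsolicited reply: no matching request
    unanswered = sorted(n for n, _ in pending.values())
    return {"admitted": admitted, "dropped": dropped,
            "unanswered": unanswered, "translations": translations}

if __name__ == "__main__":
    for k, v in inspect_icmp_trace(TRACE).items():
        print(f"{k:12} {v}")
```

Line 6 is the case the ACL approach cannot distinguish: an echo-reply nobody asked for still matches permit icmp any host YourPublicIP echo-reply, while the stateful tracker drops it because no request with that peer, ID and sequence is pending.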
-
I have my ASA 5505 VPN access set up... I am finally able to connect and receive an IP address from it. But now I'm stumped on why I can't access my network. My network is as follows: Cable Modem ---> ASA 5505 ---> Cisco 3660 router ---> Cisco 2900XL switch ---> Windows 2008 Server ---> client PC. Can someone help me understand where I'm going wrong?
ASA 5505 Running Config:
ASA Version 8.2(3)
!
hostname ciscoasa
enable password DQucN59Njn0OjpJL encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp
!
ftp mode passive
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.240
pager lines 24
logging enable
logging asdm warnings
mtu inside 1500
mtu outside 1500
ip local pool HomeVPN 192.168.3.0-192.168.3.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
!
router rip
 network 192.168.1.0
 network 192.168.2.0
 network 192.168.3.0
 default-information originate
 version 2
!
route outside 0.0.0.0 0.0.0.0 174.56.139.1 1
route inside 192.168.1.0 255.255.255.0 192.168.2.2 1
route inside 192.168.3.0 255.255.255.0 192.168.2.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
client-update enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy VPNHome internal
group-policy VPNHome attributes
 dns-server value 192.168.1.14 8.8.8.8
 vpn-tunnel-protocol IPSec
 default-domain value wood.homeserv.com
username Jonathan password WsMCHUiqvEuA9Gmb encrypted privilege 0
username Jonathan attributes
 vpn-group-policy VPNHome
tunnel-group VPNHome type remote-access
tunnel-group VPNHome general-attributes
 address-pool HomeVPN
 default-group-policy VPNHome
tunnel-group VPNHome ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:214676358ccd68b2acb313ffcd92c6fa
: end
Cisco 3660 router configuration:
Building configuration...
Current configuration : 5921 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$.7Q9$mJ4Y0sVUoAw8QZ/33g1JD/
enable password henry999
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.7
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.11 192.168.1.19
ip dhcp excluded-address 192.168.1.1 192.168.1.19
!
ip dhcp pool 192.168.1.0/24
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool 192.168.1.2/24
!
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip admission name NAC eapoudp inactivity-time 60 list NAC1
ip ips sdf location flash://SDF autosave
ip ips notify SDEE
ip ips name sdm_ips_rule
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username woodjl privilege 15 secret 5 $1$w.xT$cFJweRcOx29N9hKafqu4h1
username wooldjl privilege 15 secret 5 $1$4o6/$IO13XCGj9XXjIAGTsN3Yj0
!
!
!
class-map match-all SDM-transactional-1
 match dscp af21
 match dscp af22
 match dscp af23
class-map match-all SDM-signaling-1
 match dscp cs3
 match dscp af31
class-map match-all SDM-routing-1
 match dscp cs6
class-map match-all SDM-voice-1
 match dscp ef
class-map match-all SDM-management-1
 match dscp cs2
!
!
policy-map SDM-QoS-policy-1
 class SDM-voice-1
  priority percent 33
  police cir 33000000
   conform-action transmit
   exceed-action drop
 class SDM-signaling-1
  bandwidth percent 5
  police cir 5000000
   conform-action transmit
   exceed-action drop
 class SDM-routing-1
  bandwidth percent 5
  police cir 5000000
   conform-action transmit
   exceed-action drop
 class SDM-management-1
  bandwidth percent 5
  police cir 5000000
   conform-action transmit
   exceed-action drop
 class SDM-transactional-1
  bandwidth percent 5
  police cir 5000000
   conform-action transmit
   exceed-action drop
 class class-default
  fair-queue
  random-detect
  police cir 22000000
   conform-action transmit
   exceed-action drop
!
!
!
crypto isakmp client configuration group HomeUsers
 key henrydixie7153
 dns 192.168.1.14 8.8.8.8
 domain wood.homeserv.com
 pool SDM_POOL_1
 include-local-lan
 max-users 5
 netmask 255.255.255.0
!
!
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-sha-hmac
!
crypto ipsec profile HomeVPN
 set transform-set SDM_TRANSFORMSET_1
!
!
crypto map HomeVPN 1 ipsec-isakmp
 set peer 192.168.3.1
 set security-association idle-time 7200
 set transform-set SDM_TRANSFORMSET_1
 set pfs group1
 match address VPN1
!
!
!
!
interface FastEthernet0/0
 description $FW_OUTSIDE$
 ip address 192.168.2.2 255.255.255.0
 ip access-group 101 in
 ip verify unicast reverse-path
 ip nat outside
 ip inspect SDM_LOW out
 ip admission NAC
 ip ips sdm_ips_rule in
 ip ips sdm_ips_rule out
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description $FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 in
 ip verify unicast reverse-path
 ip nat inside
 ip ips sdm_ips_rule in
 ip ips sdm_ips_rule out
 ip virtual-reassembly
 duplex auto
 speed auto
 service-policy output SDM-QoS-policy-1
!
router rip
 version 2
 passive-interface FastEthernet0/0
 passive-interface FastEthernet0/1
 network 192.168.1.0
 no auto-summary
!
ip local pool SDM_POOL_1 192.168.3.1 192.168.3.10
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.2.1
!
!
ip nat pool house 192.168.1.1 192.168.1.24 netmask 255.255.255.0
!
!
ip access-list extended NAC1
 remark NAC
 remark SDM_ACL Category=64
 remark NAC rule
 permit ip 192.0.0.0 0.255.255.255 any
ip access-list extended VPN
 remark VPN access
 remark SDM_ACL Category=4
 remark VPN
 permit ip any any
ip access-list extended VPN1
 remark VPN access
 remark SDM_ACL Category=4
 permit ip any host 192.168.3.1
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 192.168.2.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any host 192.168.2.2 echo-reply
access-list 101 permit icmp any host 192.168.2.2 time-exceeded
access-list 101 permit icmp any host 192.168.2.2 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
snmp-server community 192.168.1.1 RO
snmp-server enable traps tty
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
 transport output all
line aux 0
 transport output all
line vty 0 4
 password henry
 transport input telnet
 transport output all
!
!
end
Since you already have a default route to the ASA, you don't need a more specific one.
But in the most recent ASA config that you posted, I think there is some confusion about the split-tunnel config.
You have
access-list VPNWoodHome_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list WoodVPN_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.1.0 255.255.255.0
But only one of these is actually used in the group-policy.
group-policy WoodVPN attributes
 split-tunnel-network-list value WoodVPN_splitTunnelAcl
So my suggestion is to add:
access-list WoodVPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
(and remove the other 2 access-lists unless they're used for something else)
hth
Herbert
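The mismatch Herbert spotted (three split-tunnel ACLs defined, one referenced, and the referenced one missing the LAN behind the router) is easy to check mechanically. Here is an added example (my own code, not from the thread or from Cisco) that parses the standard ACLs and the split-tunnel-network-list references out of an ASA config and reports unreferenced ACLs and required networks the referenced ACL does not cover. The sample config is constructed from the lines quoted in the reply; the split-tunnel-policy tunnelspecified line is an assumption added so the reference has a policy to belong to. A network missing from the referenced ACL is one the VPN client routes out its local default gateway instead of into the tunnel.

```python
import ipaddress

# Constructed sample (not the poster's full config): the three standard ACLs and the
# group-policy reference quoted in the reply, plus a split-tunnel-policy line that
# is assumed here.
SAMPLE_ASA_CONFIG = """\
access-list VPNWoodHome_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list WoodVPN_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.1.0 255.255.255.0
group-policy WoodVPN internal
group-policy WoodVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value WoodVPN_splitTunnelAcl
"""

def parse_standard_acls(cfg):
    """Map ACL name -> [(action, network)] from 'access-list NAME standard ...' lines."""
    acls = {}
    for line in cfg.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] != "standard":
            continue
        name, action = t[1], t[3]
        if t[4] == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif t[4] == "host":
            net = ipaddress.ip_network(t[5] + "/32")
        else:
            net = ipaddress.ip_network(t[4] + "/" + t[5], strict=False)  # address/netmask
        acls.setdefault(name, []).append((action, net))
    return acls

def parse_split_tunnel_refs(cfg):
    """Map group-policy name -> ACL named in 'split-tunnel-network-list value'."""
    refs, current = {}, None
    for line in cfg.splitlines():
        t = line.split()
        if len(t) >= 3 and t[0] == "group-policy" and t[2] == "attributes":
            current = t[1]
        elif current and len(t) == 3 and t[0] == "split-tunnel-network-list" and t[1] == "value":
            refs[current] = t[2]
    return refs

def audit_split_tunnel(cfg, required_networks):
    """Report ACLs nobody references and, per group-policy, which of the required
    networks are not covered by a permit entry of the ACL it actually uses."""
    acls = parse_standard_acls(cfg)
    refs = parse_split_tunnel_refs(cfg)
    required = [ipaddress.ip_network(n) for n in required_networks]
    report = {"unreferenced_acls": sorted(set(acls) - set(refs.values())), "policies": {}}
    for policy, acl_name in refs.items():
        permitted = [net for action, net in acls.get(acl_name, []) if action == "permit"]
        missing = [str(n) for n in required if not any(n.subnet_of(p) for p in permitted)]
        report["policies"][policy] = {"acl": acl_name, "defined": acl_name in acls, "missing": missing}
    return report

if __name__ == "__main__":
    wanted = ["192.168.1.0/24", "192.168.2.0/24"]
    print("before:", audit_split_tunnel(SAMPLE_ASA_CONFIG, wanted))
    fixed = SAMPLE_ASA_CONFIG + "access-list WoodVPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0\n"
    print("after: ", audit_split_tunnel(fixed, wanted))
```

The "defined" flag covers the other common slip, a group-policy pointing at an ACL name that was renamed or deleted, which the ASA accepts silently.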