ICMP Port Unreachable

Can someone clarify what the exception java.net.PortUnreachableException: ICMP Port Unreachable means (beyond the obvious)? Here's the scenario: using UDP, I have a client application, a gateway application and a server application. The client sends to the server through the gateway and vice versa. I created two sockets, one between the client and the gateway and the other between the gateway and the server. When I try to send from the gateway to the client, the packet never makes it to the client (the server side is fine). When I call sock.getLocalSocketAddress and sock.getRemoteSocketAddress, both return 0.0.0.0 (the latter at least has the right port number). The gateway acts as a server for the client and as a client to the server. I tried to solve this using sock.connect on the gateway side for the client-facing socket, but that ultimately generates an ICMP Port Unreachable exception on the gateway side when receiving from the client.

Thank you in advance.

This means that there is no UDP connectivity between whichever host gets the exception and whichever host this socket is connected to. Usually a firewall issue.

The address 0.0.0.0 only means that the socket is bound to all interfaces; this isn't a problem.
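As an added illustration of the answer above (example code written for this page, not from the original poster, the Java runtime or any library): an ICMP Destination Unreachable message quotes the IP header and the first eight bytes of the datagram that provoked it, and the receiving stack uses that quoted source port and destination to decide which socket owns the error. In the simplified delivery model below, a connected UDP socket matches and gets the error (which Java surfaces as PortUnreachableException after DatagramSocket.connect), while an unconnected socket is skipped. The addresses, ports and packet bytes are constructed for the example; the parser also names codes 1 (host unreachable) and 3 (port unreachable) so the two can be told apart.

```python
import ipaddress
import struct

ICMP_DEST_UNREACH = 3
IPPROTO_UDP = 17
# Type 3 code names from the IANA ICMP parameters registry.
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable",
                 2: "protocol unreachable", 3: "port unreachable"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, used by both IPv4 and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_dest_unreachable(code: int, orig_ip_header: bytes, orig_l4_first8: bytes) -> bytes:
    """ICMP type 3: 8-byte header, then the offending IP header and the first
    8 bytes of its transport header (for UDP that is the whole UDP header)."""
    body = orig_ip_header + orig_l4_first8
    csum = inet_checksum(struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + body)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, csum, 0) + body


def parse_dest_unreachable(icmp: bytes) -> dict:
    """Validate an ICMP type 3 message and return the quoted datagram's 4-tuple.
    Raises ValueError for anything a stack would have to discard."""
    if len(icmp) < 8 + 20 + 8:
        raise ValueError("too short to quote an IP header plus 8 bytes of payload")
    icmp_type, code, _csum, _unused = struct.unpack("!BBHI", icmp[:8])
    if icmp_type != ICMP_DEST_UNREACH:
        raise ValueError(f"not destination unreachable (type {icmp_type})")
    if inet_checksum(icmp) != 0:  # summing over the whole message must give zero
        raise ValueError("bad ICMP checksum")
    quoted = icmp[8:]
    ihl = (quoted[0] & 0x0F) * 4
    if quoted[0] >> 4 != 4 or ihl < 20 or len(quoted) < ihl + 8:
        raise ValueError("quoted IP header malformed or truncated")
    sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
    return {"code": code, "reason": UNREACH_CODES.get(code, f"code {code}"),
            "proto": quoted[9],
            "src": str(ipaddress.IPv4Address(quoted[12:16])), "sport": sport,
            "dst": str(ipaddress.IPv4Address(quoted[16:20])), "dport": dport}


def socket_gets_error(sock: dict, err: dict) -> bool:
    """Simplified model of error delivery to a UDP socket: the quoted datagram must
    have left this socket's local port, and only a connected socket (peer set, as
    after DatagramSocket.connect) accepts it, and only for its own peer. An
    unconnected socket is skipped, which is why it never sees the exception."""
    if err["proto"] != IPPROTO_UDP or err["sport"] != sock["local_port"]:
        return False
    peer = sock.get("peer")
    return peer is not None and peer == (err["dst"], err["dport"])


def demo() -> dict:
    """Constructed scenario: gateway 192.0.2.1:5000 sends 12 bytes to client
    198.51.100.7:6000, nothing listens there, the client's stack answers type 3 code 3."""
    udp_len = 8 + 12
    orig_ip = build_ipv4_header("192.0.2.1", "198.51.100.7", IPPROTO_UDP, udp_len)
    orig_udp = struct.pack("!HHHH", 5000, 6000, udp_len, 0)  # sport, dport, length, checksum
    err = parse_dest_unreachable(build_dest_unreachable(3, orig_ip, orig_udp))
    connected = {"local_port": 5000, "peer": ("198.51.100.7", 6000)}
    unconnected = {"local_port": 5000, "peer": None}
    other_peer = {"local_port": 5000, "peer": ("198.51.100.7", 6001)}
    return {"error": err,
            "connected": socket_gets_error(connected, err),
            "unconnected": socket_gets_error(unconnected, err),
            "other_peer": socket_gets_error(other_peer, err)}


if __name__ == "__main__":
    print(demo())
```

Running the block prints the parsed error and three verdicts: the connected socket whose peer is 198.51.100.7:6000 gets the error, the unconnected socket and a socket connected to a different port do not. That is the behaviour the answer describes: sock.connect turns a silently dropped datagram into a visible PortUnreachableException, and the quoted 4-tuple is what ties the ICMP reply to the socket.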

Tags: Java

Similar Questions

  • Disabling ICMP between port groups on the same vSwitch

    Hello

    I'm new to vShield. I added a vShield App rule to disable ICMP between two port groups on the same vSwitch, but it does not work. Is it possible, or do I have to try another way to do the same?

    Kind regards

    KC

    Hello

    You can use an ICMP policy with these two port groups, so can you share the logs?

  • inaccurate NSDB description for SIG #2001 ICMP Host Unreachable

    SIG #2001 fires when there are ICMP type 3 packets. This message type is more correctly described as Destination Unreachable (refer to IANA).

    The signature triggers on all type 3 messages, but to match the NSDB description it should trigger only on Type 3 Code 1 (refer to IANA).

    Can Cisco please correct the NSDB for S94, or correct the signature to fire only on ICMP Type 3 Code 1. I can adjust the code setting through IDM, but it gets reset after the IDS MC config deployment. It is very annoying (see my previous post) to correctly set up sigs through IDM and have to do it again after every IDS MC push.

    http://www.IANA.org/assignments/ICMP-parameters

    A fix has been implemented with S94. CSCee64472 tracks the issue. The NSDB has been updated to reflect the addition of ICMP code 1.

  • Sony Clie error message port unreachable

    cannot HotSync from Palm Desktop to the handheld, ver. 4

    Hello

    1. Were any changes made on the computer before the problem appeared?

    2. How have you plugged the Palm device to the computer?

    3. What is the full and exact error message?

    Check the link and see if it helps:

    Handheld connection issues that affect the HotSync process

    http://KB.hpwebos.com/wps/portal/KB/common/article/1409_en.html

    Let us know if it helps.

  • SPA 962 - intermittently no audio (RTP port closed/unreachable)

    Hi all!

    We recently bought 21 Linksys SPA-962 phones for our office. We run them directly off our PoE (Cisco 300) switch to our sipx box, which is on the same subnet and switch (sipx does not run iptables). Most of our phone calls work fine, but we find that periodically (for example 1 in 10 calls) we have no audio. There are no NAT settings, so it should be relatively simple.

    The most interesting part of the problem is that it seems to be the phone itself. The reason I believe it is the phone is the attached pcap trace. You can see the first call in this trace is bad and the second actually completes correctly.

    The SIP negotiation seems to work properly and the phone says which RTP port to use, but when sipx tries to talk to that RTP port the phone returns an ICMP port unreachable! With syslog on the phone pointed at a debug server, it appears the phone believes it opened the receive port, but further down it attempts to send RTP to sipxecs and cannot send RTP back; I believe this is because the port could not be allocated/opened in the first place.

    I tried all four available Cisco firmwares I could find, and they all have the same issue. I also tried placing the phone on its own VLAN, tried SRTP, tried symmetric RTP, tried Sticky 183, and nothing seems to resolve the behavior.

    Do we have bad phones?

    We also have a Grandstream ATA gateway with Polycoms attached, and all those phone calls work 100% of the time.

    Thanks in advance!

    I got it. Disable CDP on the System page. That's all.

  • PXE error, PXE-E32 TFTP Open Timeout through vmnet

    Hi all

    I'm completely stuck because my setup has worked for the last few weeks and just stopped working today.


    I'm running VMware Fusion 6.02 on Mac OS X and I have two guest machines. The first is an Ubuntu 10.04 installation running a DHCP and TFTP server to PXE boot kernel images. The second is just a generic Ubuntu 64-bit virtual machine that PXE boots the image provided by the Ubuntu 10.04 VM.

    I've set up a custom vmnet for the two virtual machines using the following commands:

    sudo /Applications/VMware\ Fusion.app/Contents/Library/vmnet-cfgcli vnetcfgadd VNET_6_DHCP no
    sudo /Applications/VMware\ Fusion.app/Contents/Library/vmnet-cfgcli vnetcfgadd VNET_6_HOSTONLY_SUBNET 192.168.0.0
    sudo /Applications/VMware\ Fusion.app/Contents/Library/vmnet-cfgcli vnetcfgadd VNET_6_HOSTONLY_NETMASK 255.255.255.0
    sudo /Applications/VMware\ Fusion.app/Contents/Library/vmnet-cfgcli vnetcfgadd VNET_6_VIRTUAL_ADAPTER yes

    With the help of vmnet-sniffer on my Mac and Wireshark in my Ubuntu 10.04 VM, I can see that packets from the PXE-booting VM make it to the Ubuntu 10.04 VM. The PXE boot VM correctly receives a DHCP address but then fails with PXE-E32 TFTP open timeout.

    The packets from the capture are the following:

    Len 590 src 00:0c:29:d0:4e:26 dst ff:ff:ff:ff:ff:ff IP src 0.0.0.0 dst 255.255.255.255 UDP src port 68 dst port 67
    Len 342 src 00:0c:29:f8:7c:77 dst ff:ff:ff:ff:ff:ff IP src 192.168.0.1 dst 255.255.255.255 UDP src port 67 dst port 68
    Len 590 src 00:0c:29:d0:4e:26 dst ff:ff:ff:ff:ff:ff IP src 0.0.0.0 dst 255.255.255.255 UDP src port 68 dst port 67
    Len 342 src 00:0c:29:f8:7c:77 dst ff:ff:ff:ff:ff:ff IP src 192.168.0.1 dst 255.255.255.255 UDP src port 67 dst port 68
    Len 42 src 00:0c:29:d0:4e:26 dst ff:ff:ff:ff:ff:ff ARP sender 00:0c:29:d0:4e:26 192.168.0.101 target 00:00:00:00:00:00 192.168.0.1 ARP request
    Len 42 src 00:50:56:c0:00:06 dst 00:0c:29:d0:4e:26 ARP sender 00:50:56:c0:00:06 192.168.0.1 target 00:0c:29:d0:4e:26 192.168.0.101 ARP reply
    Len 42 src 00:0c:29:f8:7c:77 dst 00:0c:29:d0:4e:26 ARP sender 00:0c:29:f8:7c:77 192.168.0.1 target 00:0c:29:d0:4e:26 192.168.0.101 ARP reply
    Len 69 src 00:0c:29:d0:4e:26 dst 00:50:56:c0:00:06 IP src 192.168.0.101 dst 192.168.0.1 UDP src port 2070 dst port 69
    Len 70 src 00:50:56:c0:00:06 dst 00:0c:29:d0:4e:26 IP src 192.168.0.1 dst 192.168.0.101 ICMP unknown type 3
    Len 69 src 00:0c:29:d0:4e:26 dst 00:50:56:c0:00:06 IP src 192.168.0.101 dst 192.168.0.1 UDP src port 2071 dst port 69
    Len 70 src 00:50:56:c0:00:06 dst 00:0c:29:d0:4e:26 IP src 192.168.0.1 dst 192.168.0.101 ICMP unknown type 3

    So I investigated the unknown ICMP type 3, which is Destination Unreachable (Port Unreachable).

    an nmap scan of localhost produced the following

    PORT     STATE         SERVICE
    67/udp   open|filtered dhcps
    69/udp   open|filtered tftp
    111/udp  open|filtered rpcbind
    2049/udp open|filtered nfs
    5353/udp open|filtered zeroconf

    In addition, netstat -nulp | grep '69' also confirms the tftp daemon is running:
    udp        0      0 0.0.0.0:69              0.0.0.0:*                           4159/in.tftpd

    The only major change to the system has been an installation of the VMware tools on the Ubuntu 10.04 VM last week.

    I know the server configuration on the Ubuntu 10.04 VM is correct, because when I set its network card to bridge to Thunderbolt Ethernet it is able to hand out DHCP addresses and the PXE image to a physical machine connected to the Mac via a switch. PXE boot fails only when going through the custom vmnet to the other virtual machine.

    Any help or suggestion would be greatly appreciated.

    If you create a virtual adapter on that network, it will default to 192.168.0.1. It seems that your DHCP/TFTP server is also at 192.168.0.1.

    Move your DHCP/TFTP server to 192.168.0.2 and it should work.

    (Note: 00:50:56:c0:00:06 is the MAC address assigned to the host's vmnet6 virtual adapter... so the ICMP Port Unreachable message comes from the host, not from the DHCP/TFTP server VM.)

    Cheers,

    --

    Darius
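The diagnosis Darius describes can be mechanised. The following is an added example written for this page (not code from the original poster or from VMware): it parses capture lines in the shape shown in the post, flags any IP address that two different MACs answer ARP for, and for every ICMP type 3 finds the UDP datagram it answers and checks whether the ICMP sender's MAC is the same MAC that served DHCP for that IP. The sample capture below is constructed to mirror the posted one (same MACs, IPs and ports); the line format is an assumption of this parser, not VMware's documented sniffer format.

```python
import re

# Constructed sample capture, modelled on the lines posted in the thread.
CAPTURE = """\
Len 590 src 00:0c:29:d0:4e:26 dst ff:ff:ff:ff:ff:ff IP src 0.0.0.0 dst 255.255.255.255 UDP src port 68 dst port 67
Len 342 src 00:0c:29:f8:7c:77 dst ff:ff:ff:ff:ff:ff IP src 192.168.0.1 dst 255.255.255.255 UDP src port 67 dst port 68
Len 42 src 00:0c:29:d0:4e:26 dst ff:ff:ff:ff:ff:ff ARP sender 00:0c:29:d0:4e:26 192.168.0.101 target 00:00:00:00:00:00 192.168.0.1 ARP request
Len 42 src 00:50:56:c0:00:06 dst 00:0c:29:d0:4e:26 ARP sender 00:50:56:c0:00:06 192.168.0.1 target 00:0c:29:d0:4e:26 192.168.0.101 ARP reply
Len 42 src 00:0c:29:f8:7c:77 dst 00:0c:29:d0:4e:26 ARP sender 00:0c:29:f8:7c:77 192.168.0.1 target 00:0c:29:d0:4e:26 192.168.0.101 ARP reply
Len 69 src 00:0c:29:d0:4e:26 dst 00:50:56:c0:00:06 IP src 192.168.0.101 dst 192.168.0.1 UDP src port 2070 dst port 69
Len 70 src 00:50:56:c0:00:06 dst 00:0c:29:d0:4e:26 IP src 192.168.0.1 dst 192.168.0.101 ICMP unknown type 3
"""

MAC = r"[0-9a-f:]{17}"
LINE_RE = re.compile(rf"^Len (?P<len>\d+) src (?P<smac>{MAC}) dst (?P<dmac>{MAC}) (?P<rest>.*)$")
ARP_RE = re.compile(rf"^ARP sender (?P<smac>{MAC}) (?P<sip>[\d.]+) target {MAC} (?P<tip>[\d.]+) ARP (?P<op>request|reply)$")
IP_RE = re.compile(r"^IP src (?P<sip>[\d.]+) dst (?P<dip>[\d.]+) "
                   r"(?:UDP src port (?P<sport>\d+) dst port (?P<dport>\d+)|ICMP unknown type (?P<itype>\d+))$")


def parse_capture(text):
    """Turn each capture line into a dict; unparseable lines raise so garbled input is noticed."""
    frames = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"line {n}: unrecognised frame: {line!r}")
        frame = {"n": n, "smac": m["smac"], "dmac": m["dmac"]}
        rest = m["rest"]
        if (a := ARP_RE.match(rest)):
            frame.update(kind="arp", op=a["op"], sip=a["sip"], tip=a["tip"])
        elif (i := IP_RE.match(rest)):
            if i["itype"] is not None:
                frame.update(kind="icmp", sip=i["sip"], dip=i["dip"], itype=int(i["itype"]))
            else:
                frame.update(kind="udp", sip=i["sip"], dip=i["dip"],
                             sport=int(i["sport"]), dport=int(i["dport"]))
        else:
            raise ValueError(f"line {n}: unrecognised payload: {rest!r}")
        frames.append(frame)
    return frames


def arp_ip_claims(frames):
    """IP -> sorted MACs that answered ARP for it. Two MACs for one IP is an address conflict."""
    claims = {}
    for f in frames:
        if f["kind"] == "arp" and f["op"] == "reply":
            claims.setdefault(f["sip"], set()).add(f["smac"])
    return {ip: sorted(macs) for ip, macs in claims.items()}


def dhcp_server_mac(frames):
    """MAC that sourced DHCP server traffic (UDP source port 67), or None if absent."""
    for f in frames:
        if f["kind"] == "udp" and f["sport"] == 67:
            return f["smac"]
    return None


def attribute_unreachables(frames):
    """For each ICMP type 3, find the UDP datagram it answers (most recent earlier frame
    in the reverse direction) and compare the ICMP sender's MAC with the DHCP server's."""
    server_mac = dhcp_server_mac(frames)
    findings = []
    for idx, f in enumerate(frames):
        if f["kind"] != "icmp" or f["itype"] != 3:
            continue
        probe = next((p for p in reversed(frames[:idx])
                      if p["kind"] == "udp" and p["sip"] == f["dip"] and p["dip"] == f["sip"]), None)
        findings.append({"line": f["n"], "icmp_from_mac": f["smac"], "claimed_ip": f["sip"],
                         "answers_udp_port": probe["dport"] if probe else None,
                         "dhcp_server_mac": server_mac,
                         "from_dhcp_server": f["smac"] == server_mac})
    return findings


if __name__ == "__main__":
    fr = parse_capture(CAPTURE)
    print("ARP claims:", arp_ip_claims(fr))
    for finding in attribute_unreachables(fr):
        print(finding)
```

On the sample, arp_ip_claims reports 192.168.0.1 claimed by both 00:0c:29:f8:7c:77 (the VM that answered DHCP) and 00:50:56:c0:00:06, and the one ICMP type 3 is attributed to 00:50:56:c0:00:06 answering the TFTP request to port 69, with from_dhcp_server False. That is exactly the mismatch in the answer above: the port-unreachable is generated by the second owner of the address, not by the server that holds the TFTP daemon.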

  • Global NAT / FVRF questions - for the experts

    Hi Expert,

    I have a client with a DMVPN network. Here is a simple drawing of the setup:

    First, the BRANCH1 router config: BRANCH1 - Config.txt

    What the client wants is simple:

    Host 200.200.200.200 should reach host 192.168.100.2 on port 3389.

    So I thought to do the static NAT like this:

    ip nat inside source static tcp 192.168.100.2 3389 100.10.10.2 3389

    but it does not work, because the BRANCH1 router is configured with FVRF, which means the outside interface is in a VRF while the LAN inside interface is in the global table. I couldn't see any traffic reaching the server (192.168.100.2), but I could see the translation in the NAT process.

    So I tried to configure a NAT Virtual Interface (NVI); I read that NVI works best in a VRF environment. This time with these lines:

    interface FastEthernet0/0
    description * WAN connection *
    bandwidth 20000
    ip vrf forwarding DMVPN-VRF
    ip address 100.10.10.2 255.255.255.0
    ip access-group OUTSIDEACL in
    ip nat enable
    ip virtual-reassembly
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    description * to connect to the computer 3 *
    ip address 192.168.100.1 255.255.255.0
    ip nbar protocol-discovery
    ip nat enable
    ip virtual-reassembly
    load-interval 30
    duplex auto
    speed auto
    no cdp enable

    ip nat source static tcp 192.168.100.2 3389 100.10.10.2 3389 extendable

    Then I finally got some traffic entries on the server 192.168.100.2. See the Wireshark log:

    200.200.200.200 192.168.100.2 TCP stgxfws > ms-wbt-Server [SYN] Seq = 0 Win = 64240 Len = 0 MSS = 1260


    192.168.100.2 200.200.200.200 ms-wbt-Server TCP > stgxfws [SYN, ACK] Seq = 0 Ack = 1 win = 64240 Len = 0 MSS = 1460

    So far so good, but... the router sends an ICMP destination unreachable code 13 to the server:

    10.1.0.1 192.168.100.2 ICMP Destination unreachable (Communication administratively filtered)

    I guess that is because the router performs the lookup in the global routing table instead of the FVRF.

    Anyone know how I can fix this problem?

    Maybe a solution on HUB1 for this, so everything is managed centrally; what do you think?

    Best regards

    Laurent Rlap

    I can't see the spoke1 config. But first the routing needs to work, and I would like to try leaking the route from the VRF into the global table.

    ip route 200.200.200.200 255.255.255.255 FastEthernet0/0

    When this is fixed we can look at NAT.

    / Ralph

  • Cannot Ping Through Site-to-Site host

    The two ends are ASA 5510. The IPsec tunnel is up.

    Show crypto isakmp

    Active SA: 1

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

    Total IKE SA: 1

    1   IKE Peer: 50.240.120.233

    Type    : L2L             Role    : initiator

    Rekey   : no              State   : MM_ACTIVE

    Show crypto ipsec

    #pkts encaps: 46, #pkts encrypt: 46, #pkts digest: 46

    #pkts decaps: 45, #pkts decrypt: 45, #pkts verify: 45

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 46, #pkts comp failed: 0, #pkts decomp failed: 0

    #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

    #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

    #send errors: 0, #recv errors: 0

    From my side (10.1.20.0/24) I can only ping the "inside" interface of the remote ASA (10.2.20.1). I can't ping other computers on the remote subnet. The remote subnet is not able to ping anything on my side.

    Here is the config on my side

    : Saved

    :

    ASA Version 8.2(1)

    !

    hostname asa

    names

    name 72.xxx.xxx.xxx Telepacific_Gateway

    name 184.188.50.225 Cox_Gateway

    name 10.1.20.32 VPN

    name 10.2.20.0 Jacksonville-Subnet

    !

    interface Ethernet0/0

    description Telepacific 4Mb Internet

    nameif WAN_TelePacific

    security-level 0

    ip address 72.xxx.xxx.xxx 255.255.255.248

    !

    interface Ethernet0/1

    description Cox 10Mb Fiber Internet

    speed 100

    duplex full

    nameif WAN_Cox

    security-level 0

    ip address 184.xxx.xxx.xxx 255.255.255.248

    !

    interface Ethernet0/2

    nameif VOIP

    security-level 49

    ip address 10.1.10.1 255.255.255.0

    !

    interface Ethernet0/3

    nameif inside

    security-level 50

    ip address 10.1.20.1 255.255.255.0

    !

    interface Management0/0

    nameif management

    security-level 100

    ip address 192.168.1.1 255.255.255.0

    management-only

    !

    ftp mode passive

    clock timezone PST -8

    clock summer-time PDT recurring

    dns domain-lookup WAN_TelePacific

    dns domain-lookup WAN_Cox

    dns server-group DefaultDNS

    name-server 209.242.128.100

    name-server 209.242.128.101

    name-server 8.8.8.8

    same-security-traffic permit inter-interface

    same-security-traffic permit intra-interface

    object-group icmp-type ICMP

    icmp-object alternate-address

    icmp-object conversion-error

    icmp-object echo

    icmp-object echo-reply

    icmp-object information-reply

    icmp-object information-request

    icmp-object mask-reply

    icmp-object mask-request

    icmp-object mobile-redirect

    icmp-object parameter-problem

    icmp-object redirect

    icmp-object router-advertisement

    icmp-object router-solicitation

    icmp-object source-quench

    icmp-object time-exceeded

    icmp-object timestamp-reply

    icmp-object timestamp-request

    icmp-object traceroute

    icmp-object unreachable

    object-group protocol TCPUDP

    protocol-object udp

    protocol-object tcp

    access-list DefaultRAGroup_splitTunnelAcl standard permit 10.1.20.0 255.255.255.0

    access-list ragroup_splitTunnelAcl standard permit 10.1.20.0 255.255.255.0

    access-list WAN_Cox_1_cryptomap extended permit ip 10.1.20.0 255.255.255.0 Jacksonville-Subnet 255.255.255.0

    access-list WAN_access_in extended permit icmp any any

    access-list WAN_Cox_access_in extended permit icmp any any

    access-list WAN_Cox_access_in extended permit udp VPN 255.255.255.224 10.1.20.0 255.255.255.0

    access-list WAN_Cox_access_in extended permit tcp VPN 255.255.255.224 10.1.20.0 255.255.255.0

    access-list inside_nat_outbound_1 extended permit ip any any

    access-list inside_nat_outbound extended permit ip any any

    access-list inside_nat0_outbound extended permit ip 10.1.20.0 255.255.255.0 Jacksonville-Subnet 255.255.255.0

    access-list inside_nat0_outbound extended permit ip 10.1.20.0 255.255.255.0 VPN 255.255.255.224

    pager lines 24

    logging enable

    logging asdm informational

    logging mail critical

    mtu WAN_TelePacific 1500

    mtu WAN_Cox 1500

    mtu VOIP 1500

    mtu inside 1500

    mtu management 1500

    ip local pool RA VPN-10.1.20.49 mask 255.255.255.0

    icmp unreachable rate-limit 1 burst-size 1

    icmp deny any WAN_TelePacific

    asdm history enable

    arp timeout 14400

    global (WAN_TelePacific) 101 interface

    global (WAN_Cox) 102 interface

    global (inside) 103 interface

    nat (WAN_Cox) 103 VPN 255.255.255.224 outside

    nat (VOIP) 102 0.0.0.0 0.0.0.0

    nat (inside) 0 access-list inside_nat0_outbound

    nat (inside) 102 access-list inside_nat_outbound

    nat (inside) 101 access-list inside_nat_outbound_1

    nat (management) 102 0.0.0.0 0.0.0.0

    access-group WAN_access_in in interface WAN_TelePacific

    access-group WAN_Cox_access_in in interface WAN_Cox

    route WAN_Cox 0.0.0.0 0.0.0.0 Cox_Gateway 1 track 3

    route WAN_TelePacific 0.0.0.0 0.0.0.0 Telepacific_Gateway 254

    timeout xlate 3:00:00

    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    ldap attribute-map CISCOMAP

    map-name  msNPAllowDialin IETF-Radius-Class

    map-value msNPAllowDialin FALSE NOACCESS

    map-value msNPAllowDialin TRUE ALLOWACCESS

    dynamic-access-policy-record DfltAccessPolicy

    aaa-server AD_Group_author protocol ldap

    aaa-server AD_Group_author (inside) host 10.1.20.10

    server-port 389

    ldap-base-dn DC=,DC=LOCAL

    ldap-scope subtree

    ldap-naming-attribute sAMAccountName

    ldap-login-password *

    ldap-login-dn CN=VPN,CN=Users,DC=,DC=local

    server-type microsoft

    ldap-attribute-map CISCOMAP

    aaa authentication ssh console LOCAL

    http server enable

    http 192.168.1.0 255.255.255.0 management

    http 10.1.20.0 255.255.255.0 inside

    http 0.0.0.0 0.0.0.0 WAN_TelePacific

    http 0.0.0.0 0.0.0.0 WAN_Cox

    no snmp-server location

    no snmp-server contact

    snmp-server enable traps snmp authentication linkup linkdown coldstart

    sysopt noproxyarp inside

    sla monitor 100

    type echo protocol ipIcmpEcho Telepacific_Gateway interface WAN_Cox

    num-packets 20

    sla monitor schedule 100 life forever start-time now

    sla monitor 101

    type echo protocol ipIcmpEcho Cox_Gateway interface WAN_Cox

    sla monitor schedule 101 life forever start-time now

    sla monitor 102

    type echo protocol ipIcmpEcho Cox_Gateway interface WAN_Cox

    sla monitor schedule 102 life forever start-time now

    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

    crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac

    crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

    crypto ipsec security-association lifetime seconds 28800

    crypto ipsec security-association lifetime kilobytes 4608000

    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

    crypto map WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

    crypto map WAN_map interface WAN_TelePacific

    crypto map management_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

    crypto map management_map interface management

    crypto map WAN_Cox_map 1 match address WAN_Cox_1_cryptomap

    crypto map WAN_Cox_map 1 set pfs

    crypto map WAN_Cox_map 1 set peer 50.240.120.233

    crypto map WAN_Cox_map 1 set transform-set ESP-3DES-SHA

    crypto map WAN_Cox_map 1 set nat-t-disable

    crypto map WAN_Cox_map interface WAN_Cox

    crypto ca trustpoint vpn_ssl_cert

    fqdn asa

    subject-name CN=asa

    no client-types

    crl configure

    crypto isakmp enable WAN_Cox

    crypto isakmp enable inside

    crypto isakmp enable management

    crypto isakmp policy 10

    authentication crack

    encryption 3des

    hash sha

    group 2

    lifetime 86400

    crypto isakmp policy 30

    authentication pre-share

    encryption 3des

    hash sha

    group 2

    lifetime 86400

    !

    track 1 rtr 100 reachability

    !

    track 2 rtr 101 reachability

    !

    track 3 rtr 102 reachability

    no vpn-addr-assign aaa

    no vpn-addr-assign dhcp

    telnet timeout 5

    ssh 10.1.20.0 255.255.255.0 inside

    ssh timeout 5

    ssh version 2

    console timeout 5

    management-access inside

    dhcpd address 10.1.10.51-10.1.10.254 VOIP

    dhcpd dns 216.70.224.17 8.8.8.8 interface VOIP

    dhcpd enable VOIP

    !

    dhcpd address 10.1.20.100-10.1.20.254 inside

    dhcpd dns 216.70.224.17 8.8.8.8 interface inside

    dhcpd wins 10.1.20.10 1.1.20.11 interface inside

    dhcpd domain local interface inside

    !

    dhcpd address 192.168.1.2-192.168.1.254 management

    dhcpd enable management

    !

    threat-detection basic-threat

    threat-detection scanning-threat shun except ip-address 10.1.20.0 255.255.255.0

    threat-detection scanning-threat shun except ip-address 10.1.20.10 255.255.255.255

    threat-detection scanning-threat shun except ip-address 10.1.20.12 255.255.255.255

    threat-detection scanning-threat shun duration 3600

    threat-detection statistics

    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

    ntp server 10.1.20.10 source inside prefer

    webvpn

    enable WAN_Cox

    svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1

    svc image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2

    svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3

    svc enable

    group-policy NOACCESS internal

    group-policy NOACCESS attributes

    vpn-simultaneous-logins 0

    vpn-tunnel-protocol IPSec svc

    webvpn

    svc ask none default svc

    group-policy DefaultRAGroup internal

    group-policy DefaultRAGroup attributes

    wins-server value 10.1.20.10

    dns-server value 10.1.20.10

    vpn-tunnel-protocol l2tp-ipsec

    split-tunnel-policy tunnelspecified

    split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl

    default-domain value local

    group-policy DfltGrpPolicy attributes

    vpn-tunnel-protocol IPSec l2tp-ipsec

    address-pools value RA

    group-policy ragroup internal

    group-policy ragroup attributes

    wins-server value 10.1.20.1

    dns-server value 10.1.20.1

    vpn-tunnel-protocol l2tp-ipsec

    split-tunnel-policy tunnelspecified

    split-tunnel-network-list value ragroup_splitTunnelAcl

    default-domain value

    group-policy ALLOWACCESS internal

    group-policy ALLOWACCESS attributes

    banner none

    wins-server value 10.1.20.10

    dns-server value 10.1.20.10

    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

    split-tunnel-policy tunnelspecified

    split-tunnel-network-list value ragroup_splitTunnelAcl

    default-domain value local

    webvpn

    svc ask none default svc

    tunnel-group DefaultRAGroup general-attributes

    address-pool RA

    default-group-policy DefaultRAGroup

    tunnel-group DefaultRAGroup ipsec-attributes

    pre-shared-key *

    tunnel-group DefaultRAGroup ppp-attributes

    authentication ms-chap-v2

    tunnel-group DefaultWEBVPNGroup general-attributes

    address-pool RA

    authentication-server-group AD_Group_author LOCAL

    authorization-server-group AD_Group_author

    authorization-required

    username-from-certificate use-entire-name

    tunnel-group DefaultWEBVPNGroup ppp-attributes

    authentication ms-chap-v2

    tunnel-group ZRemote type remote-access

    tunnel-group ZRemote general-attributes

    address-pool RA

    authentication-server-group AD_Group_author LOCAL

    tunnel-group TunnelGroup1 type remote-access

    tunnel-group TunnelGroup1 general-attributes

    address-pool RA

    authentication-server-group AD_Group_author LOCAL

    default-group-policy ALLOWACCESS

    tunnel-group 50.240.xxx.xxx type ipsec-l2l

    tunnel-group 50.240.xxx.xxx ipsec-attributes

    pre-shared-key *

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    policy-map type inspect dns preset_dns_map

    parameters

    message-length maximum 512

    policy-map global_policy

    class inspection_default

    inspect dns preset_dns_map

    inspect ftp

    inspect h323 h225

    inspect h323 ras

    inspect rsh

    inspect rtsp

    inspect esmtp

    inspect sqlnet

    inspect skinny

    inspect sunrpc

    inspect xdmcp

    inspect sip

    inspect netbios

    inspect tftp

    !

    service-policy global_policy global

    smtp-server 10.1.20.14

    prompt hostname context

    Cryptochecksum:053e7f169dcfa526b030f5d647cd78e8

    : end

    This ASA configuration looks correct to me.

    Please check the NAT exempt configuration on the remote end.

    If possible, post the config of the remote end as well.

    Kind regards

    NGO

  • ASA5505 - VPN does not

    Hello everyone,

    I have problems making IPsec VPN remote access work.

    The goal is to be able to connect to our internal network from home or elsewhere.

    When I try to connect from home to the VPN, I get no further than Phase 1.

    My setup is a Cisco ASA5505 behind a modem-router from the ISP. The IP address of the modem, on the outside side, is 192.168.1.1.

    The ASA's IP address is 192.168.1.254 on the outside and 10.0.0.1 on the inside. I put the ASA in the ISP modem's DMZ to be able to reach it through the Internet (I wanted to use the ISP modem-router just as a simple gateway and handle everything else with the ASA).

    So my problem is that I can't seem to connect to the VPN through the public IP address.

    Here is my config:

    : Saved

    :

    ASA Version 8.2(5)

    !

    hostname Cisco-ASA-5505

    enable password 8Ry2YjIyt7RRXU24 encrypted

    passwd 2KFQnbNIdI.2KYOU encrypted

    names

    !

    interface Ethernet0/0

    switchport access vlan 2

    !

    interface Ethernet0/1

    !

    interface Ethernet0/2

    !

    interface Ethernet0/3

    !

    interface Ethernet0/4

    !

    interface Ethernet0/5

    !

    interface Ethernet0/6

    !

    interface Ethernet0/7

    !

    interface Vlan1

    nameif inside

    security-level 100

    ip address 10.0.0.1 255.255.255.0

    !

    interface Vlan2

    nameif outside

    security-level 0

    ip address 192.168.1.254 255.255.255.0

    !

    ftp mode passive

    clock timezone GMT 1

    access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0

    pager lines 24

    logging asdm informational

    mtu inside 1500

    mtu outside 1500

    ip local pool VPNpool 10.0.1.1-10.0.1.50

    icmp unreachable rate-limit 1 burst-size 1

    no asdm history enable

    arp timeout 14400

    global (outside) 1 interface

    nat (inside) 0 access-list NONAT

    nat (inside) 1 0.0.0.0 0.0.0.0

    route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

    route inside 192.168.2.0 255.255.255.0 10.0.0.42 1

    timeout xlate 3:00:00

    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    timeout floating-conn 0:00:00

    dynamic-access-policy-record DfltAccessPolicy

    aaa authentication ssh console LOCAL

    http server enable

    http 192.168.1.0 255.255.255.0 inside

    no snmp-server location

    no snmp-server contact

    snmp-server enable traps snmp authentication linkup linkdown coldstart

    crypto ipsec transform-set RA-TS esp-aes-256 esp-sha-hmac

    crypto ipsec security-association lifetime seconds 28800

    crypto ipsec security-association lifetime kilobytes 4608000

    crypto dynamic-map DYN-MAP 10 set transform-set RA-TS

    crypto map VPN-MAP 30 ipsec-isakmp dynamic DYN-MAP

    crypto map VPN-MAP interface outside

    crypto isakmp enable outside

    crypto isakmp policy 20

    authentication pre-share

    encryption aes-256

    hash sha

    group 2

    lifetime 3600

    telnet timeout 5

    ssh 192.168.1.0 255.255.255.0 inside

    ssh 10.0.0.0 255.255.255.0 inside

    ssh timeout 5

    console timeout 0

    dhcpd address 10.0.0.10-10.0.0.40 inside

    dhcpd dns 81.253.149.9 80.10.246.1 interface inside

    dhcpd update dns both override interface inside

    dhcpd enable inside

    !

    threat-detection basic-threat

    threat-detection statistics access-list

    no threat-detection statistics tcp-intercept

    tftp-server inside 10.0.0.42 /srv/tftp/cisco-rtr-01-config

    webvpn

    username admin password 4RdDnLO1w2ilihWc encrypted

    username test password zGOnThs6HPdiZhqs encrypted

    tunnel-group testvpn type remote-access

    tunnel-group testvpn general-attributes

    address-pool VPNpool

    tunnel-group testvpn ipsec-attributes

    pre-shared-key *****

    !

    !

    prompt hostname context

    no call-home reporting anonymous

    Cryptochecksum:c3d233f44e742110aa0ce1f81173d47c

    : end

    My client config is attached.

    When I look with Wireshark at what happened during the connection, I see 'Port Unreachable'. Do I have to do something on my ISP router? Because I read that it is not necessary to use NAT if the device is in the DMZ.

    Can you help me please?

    Because of the address you have on your outside interface, you will need to tell your router to forward traffic to the ASA. So you can do NAT or port forwarding to the ASA.

    I guess you don't have a single public IP address assigned by your ISP.

    Kind regards

    Jan

  • RVS400, translation NAT period?

    My RVS4000 is rejecting DNS _answers_ with "destination unreachable (port unreachable)".

    I finally managed to sniff packets on the WAN side, and the response packets look OK. They come from the same IP address and port number that the RVS put in the outgoing request packet.

    This only happens when it is connected to a satellite internet connection. It works fine with my old cable connection. My only theory now is that the RVS4000 expires the NAT rule before the answer comes back. Total response time is running around 1.3 seconds, due, without a doubt, to the high latency of the satellite link.

    I tried changing Setup -> WAN -> MTU and manually setting the up and down speeds under QoS -> Bandwidth Management; nothing helps. Those were the only parameters I could find that seemed to have anything remotely to do with this problem. I've updated the firmware to 1.3.0.3, but the problem is the same before and after.

    Any help on how to keep NAT rules alive longer, or other explanations, would be greatly appreciated.

    I had already tried that, without success. I ended up buying a different router (Netgear RP614v4, which is what they had in the retail store), which fixes the problem. Surely this must be a known problem with satellite internet.

  • IOS ACL interaction w/ CBAC ip inspect

    Sorry to bother you guys, but I'm banging my head against the wall with this one.

    [ACL vs CBAC ip inspect]

    Specifically, SDM created the following configuration:

    ip inspect name SDM_LOW cuseeme
    ip inspect name SDM_LOW dns
    ip inspect name SDM_LOW ftp
    ip inspect name SDM_LOW h323
    ip inspect name SDM_LOW https
    ip inspect name SDM_LOW icmp
    ip inspect name SDM_LOW imap
    ip inspect name SDM_LOW pop3
    ip inspect name SDM_LOW netshow
    ip inspect name SDM_LOW rcmd
    ip inspect name SDM_LOW realaudio
    ip inspect name SDM_LOW rtsp
    ip inspect name SDM_LOW esmtp
    ip inspect name SDM_LOW sqlnet
    ip inspect name SDM_LOW streamworks
    ip inspect name SDM_LOW tftp
    ip inspect name SDM_LOW tcp
    ip inspect name SDM_LOW udp
    ip inspect name SDM_LOW vdolive
    !
    !
    interface FastEthernet4
     ip address 100.100.100.1 255.255.255.0
     ip access-group 101 in
     ip inspect SDM_LOW out
    !
    access-list 101 deny ip 10.10.10.0 0.0.0.255 any
    access-list 101 permit icmp any host 100.100.100.1 echo-reply
    access-list 101 permit icmp any host 100.100.100.1 time-exceeded
    access-list 101 permit icmp any host 100.100.100.1 unreachable
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 deny ip host 0.0.0.0 any
    access-list 101 deny ip any any log

    So as you can see, the DENY ANY ANY in the ACL would block return traffic, wouldn't it? I thought the ACL is applied FIRST? So I guess, looking at this config, that when CBAC inspects traffic OUT on the external interface it can then create holes in the ACL to allow return traffic. Is this correct?

    And if so, why not simply rely on the implicit DENY ALL? Why does deny ip any any appear explicitly in the ACL?

    I read through the 12.4 security configuration guide on the Cisco site and it does not answer this question.

    Thanks in advance

    :-(

    Your assumption is quite right: CBAC opens a hole in the ACL to allow the return traffic.

    Regarding the deny ip any any at the end of the access list, it's a best-practice line added to the access list. If you look at the line, you will notice that there is a log keyword at the end, so this logs denied traffic to a syslog server, for example, for you to review and analyze the traffic later in case you get attacked or something like that.

    You can remove this line if you think it's unnecessary, but as I said, it is good practice when it comes to access lists.

    Regards,

    Shadi

  • IPSec Site-to-Site VPN, Cisco 837 router to FortiGate 200A firewall

    I have a challenge for a site-to-site VPN scenario that may need some brainstorming from you guys.

    So far I have a preliminary configuration planned for this scenario, but I'm not very sure the tunnel I created will work because I have not tested it before with this scenario. I'll be on this project next week and hopefully get a solution from brainstorming with you guys. Thanks in advance!

    Network diagram:

    http://cjunhan.multiply.com/photos/hi-res/5/3?xurl=%2Fphotos%2Fphoto%2F5%2F3

    Challenge:

    (1) configure CISCO R3 IPSec Site-to-Site VPN between 172.20.10.0 and 10.20.20.0 using crypto maps

    (2) IKE Phase I: Main Mode, lifetime 28000, md5, DH Group 1

    IKE Phase II: des-esp, hmac-md5, tunnel mode

    PSK: sitetositevpn

    Here is my setup for review:

    crypto isakmp policy 10
     the BA
     authentication pre-share
     group 1
     hash md5
    crypto isakmp key sitetositevpn address 210.x.x.66
    !
    crypto ipsec transform-set ciscoset esp-des esp-md5-hmac
    !
    crypto map infotelmap 10 ipsec-isakmp
     set peer 210.x.x.66
     set transform-set ciscoset
     match address 111
    !
    !
    interface Ethernet0
     description LAN 3
     ip address 10.20.20.1 255.255.255.0
     ip nat inside
     servers-exit of service-policy policy
     hold-queue 100 out
    !
    interface ATM0
     no ip address
     atm vc-per-vp 64
     no atm ilmi-keepalive
     dsl operating-mode auto
    !
    interface ATM0.1 point-to-point
     ip address 210.x.20.x.255.255.252
     no ip redirects        <-- disable
     no ip unreachables     <-- disable icmp host unreachable
     no ip proxy-arp        <-- disables ip directed
     ip nat outside
     pvc 8/35
      encapsulation aal5snap
    !
    !
    ip nat inside source list 102 interface ATM0.1 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 ATM0.1
    ip route 0.0.0.0 0.x.0.x.190.60.66
    no ip http secure-server
    !
    access-list 102 remark NAT traffic
    access-list 102 permit ip 10.20.20.0 0.0.0.255 any
    !
    access-list 111 remark VPN Site-to-Site LAN 3 to LAN 2 network
    access-list 111 permit ip 10.20.20.0 0.0.0.255 0.0.0.x.x.10.0

    Kind regards

    Junhan

    Hello

    Three changes are required in this configuration.

    (1) change the NAT access-list 102 as below:

    access-list 102 deny ip 10.20.20.0 0.0.0.255 172.20.10.0 0.0.0.255
    access-list 102 permit ip 10.20.20.0 0.0.0.255 any

    (2) apply the crypto map on the point-to-point ATM interface.

    (3) remove one of the default routes.

    Thank you

    Mustafa

  • PIX 515 DMZ problem

    Hello

    We are having some difficulty moving traffic in and out of a Cisco PIX 515 firewall. We use it with two DMZs. The first DMZ has a mail server in it (front-end mail server) that communicates with a different mail server (back-end mail server) on the inside; it is called DMZ1. The second DMZ (DMZ2) has some users who are expected to pass through the firewall to the outside and use the internet, and who must have access to the DMZ1 e-mail server. Inside users must be able to use the Internet and access DMZ1. Here's the important part of our setup.

    What we have working: inside users can access the internet, inside users can reach the DMZ1 e-mail server, and the DMZ1 mail server can reach the inside. Our problem is that we are unable to browse the internet from the DMZ1 mail server, even though we set the DMZ1 interface IP address as the gateway on that server and the ISP's DNS IP address is properly configured on the same machine. Also, we could not get DMZ2 users to browse the internet, although we allowed the www protocol in the fromOut access list. One last question: can we make DMZ2 a DHCP server on the PIX interface and have it distribute IP addresses to users on that subnet only? Thanks for any help in advance.

    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    interface ethernet3 auto
    !
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz1 security50
    nameif ethernet3 dmz2 security40
    !
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    !
    names
    !
    ip address outside X.Y.Z.163 255.255.255.248
    ip address inside 192.168.0.9 255.255.255.0
    ip address dmz1 192.168.10.1 255.255.255.0
    ip address dmz2 192.168.20.1 255.255.255.0
    !
    access-list fromOut permit icmp any host X.Y.Z.162 source-quench
    access-list fromOut permit icmp any host X.Y.Z.162 echo-reply
    access-list fromOut permit icmp any host X.Y.Z.162 unreachable
    access-list fromOut permit icmp any host X.Y.Z.162 time-exceeded
    access-list fromOut permit tcp any host X.Y.Z.162 eq domain
    access-list fromOut permit tcp any host X.Y.Z.162 eq telnet
    access-list fromOut permit tcp any host X.Y.Z.162 eq smtp
    access-list fromOut permit tcp any host X.Y.Z.162 eq www
    !
    access-list fromDMZ1 permit tcp host 192.168.10.2 192.168.0.0 255.255.255.0
    access-list fromDMZ1 permit ip host 192.168.10.2 192.168.0.0 255.255.255.0
    !
    access-list fromDMZ2 permit tcp 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
    !
    pager lines 24
    !
    mtu outside 1500
    mtu inside 1500
    mtu dmz1 1500
    mtu dmz2 1500
    !
    global (outside) 1 X.Y.Z.164 netmask 255.255.255.248
    global (outside) 2 X.Y.Z.165 netmask 255.255.255.248
    nat (inside) 1 192.168.0.0 255.255.255.0 0 0
    nat (dmz1) 1 192.168.10.2 255.255.255.255 0 0
    nat (dmz2) 2 192.168.20.0 255.255.255.0 0 0
    static (inside,dmz1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0
    static (dmz2,dmz1) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0
    static (dmz1,outside) X.Y.Z.162 192.168.10.2 netmask 255.255.255.255 0 0
    !
    access-group fromOut in interface outside
    access-group fromDMZ1 in interface dmz1
    access-group fromDMZ2 in interface dmz2
    route outside 0.0.0.0 0.0.0.0 X.Y.Z.161 1

    Hi Jamil,

    There is a sentence at the URL I sent you: you can now enable the dhcp option on the inside interface. Just check this...

    REDA

  • Cannot ping to Internet

    Hello

    I am setting up and reconfiguring a PIX 515 firewall with PIX OS software 6.3(4).

    I cannot ping devices on the Internet from the inside interface. There are a few addresses that I can ping if I am outside of the firewall.

    It looks like the firewall is not translating correctly on the return packet. I can browse and do other things, but not ping.

    Here are my nat and global statements:

    Pix1# sh nat
    nat (inside) 1 10.0.0.0 255.0.0.0 0 0
    nat (dmz) 1 172.xx.xx.0 255.255.255.0 0 0
    Pix1# sh global
    global (outside) 1 6x.xxx.xxx.6x-6x.xxx.xxx.7x
    global (outside) 1 6x.xxx.xxx.6x
    global (dmz) 1 interface

    Here's an abbreviated ICMP trace:

    Pix1# debug icmp trace
    ICMP trace on
    Warning: this may cause problems on busy networks
    Pix1# 1: ICMP echo-request from inside:10.xx.xx.x5 to 6x.xxx.xxx.1 ID=512 seq=89 length=40
    2: ICMP echo-request: translating inside:10.xx.xx.x5 to outside:6x.xxx.xxx.6x
    3: ICMP echo-request from inside:10.xx.xx.x5 to 6x.xxx.xxx.1 ID=512 seq=9219 length=40
    4: ICMP echo-request: translating inside:10.xx.xx.x5 to outside:6x.xxx.xxx.6x
    5: ICMP echo-request from inside:10.xx.xx.x5 to 6x.xxx.xxx.1 ID=512 seq=9475 length=40
    6: ICMP echo-request: translating inside:10.xx.xx.x5 to outside:6x.xxx.xxx.6x
    7: ICMP echo-reply from outside:6x.xxx.xxx.1 to 6x.xxx.xxx.6x ID=512 seq=9475 length=40
    8: ICMP echo-request from inside:10.xx.xx.x5 to 6x.xxx.xxx.1 ID=512 seq=9731 length=40
    9: ICMP echo-request: translating inside:10.xx.xx.x5 to outside:6x.xxx.xxx.6x

    Thanks in advance for your help.

    Doug.

    ICMP is not a stateful protocol; to allow ping through the PIX, you must add extra lines to your access list on the outside!

    See: Handling ICMP Pings with the PIX Firewall

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

    The PIX and the traceroute command

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_tech_note09186a00800e9312.shtml

    Examples:

    Traceroute

    Microsoft:

    access-group 101 in interface outside
    access-list 101 permit icmp any host YourPublicIP unreachable
    access-list 101 permit icmp any host YourPublicIP time-exceeded
    access-list 101 permit icmp any host YourPublicIP echo-reply

    UNIX:

    access-group 101 in interface outside
    access-list 101 permit icmp any host YourPublicIP unreachable
    access-list 101 permit icmp any host YourPublicIP time-exceeded

    icmp command example:

    icmp deny any outside
    icmp permit any echo-reply outside
    icmp permit any echo-reply inside
    icmp permit host 192.168.1.30 echo inside
    icmp permit host 192.168.1.31 echo inside
    icmp permit host 192.168.1.20 echo inside
    icmp permit host 192.168.1.40 echo inside
    icmp permit host 192.168.1.100 echo inside

    sincerely

    Patrick
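    Added example, not from the thread: a small Python audit that parses a 'debug icmp trace' capture in the format posted above and reports which echo-requests never came back, then checks an outside access-list for the ICMP permits the answer lists. The trace and ACL below are constructed with documentation addresses; the "untranslating" line format is an assumption about PIX 6.x output, not something quoted in the thread.

```python
"""Audit a PIX 6.x 'debug icmp trace' capture and the outside access-list.

Added example, not from the thread above. Two checks:
  1. which outbound echo-requests never produced an echo-reply that was
     un-translated back to the inside host;
  2. which ICMP return types the outside access-list fails to permit for
     the global (translated) address, using the access-list syntax quoted
     in the answer.
The sample trace and ACL are constructed; addresses are documentation ranges.
"""
import re

# Constructed to mirror the posted trace: four echo-requests, one reply.
# Assumption: when the PIX passes a reply back, the trace shows an
# "ICMP echo-reply: untranslating outside:G to inside:H" line (PIX 6.x
# format as remembered, not quoted from the thread).
SAMPLE_TRACE = """\
1: ICMP echo-request from inside:10.1.1.5 to 203.0.113.1 ID=512 seq=89 length=40
2: ICMP echo-request: translating inside:10.1.1.5 to outside:198.51.100.6
3: ICMP echo-request from inside:10.1.1.5 to 203.0.113.1 ID=512 seq=9219 length=40
4: ICMP echo-request: translating inside:10.1.1.5 to outside:198.51.100.6
5: ICMP echo-request from inside:10.1.1.5 to 203.0.113.1 ID=512 seq=9475 length=40
6: ICMP echo-request: translating inside:10.1.1.5 to outside:198.51.100.6
7: ICMP echo-reply from outside:203.0.113.1 to 198.51.100.6 ID=512 seq=9475 length=40
8: ICMP echo-request from inside:10.1.1.5 to 203.0.113.1 ID=512 seq=9731 length=40
9: ICMP echo-request: translating inside:10.1.1.5 to outside:198.51.100.6
"""

# Constructed outside ACL, deliberately missing the echo-reply permit.
SAMPLE_ACL = """\
access-list 101 permit icmp any host 198.51.100.6 unreachable
access-list 101 permit icmp any host 198.51.100.6 time-exceeded
access-list 101 permit tcp any host 198.51.100.6 eq www
"""

PKT_RE = re.compile(
    r"^\d+: ICMP (?P<kind>echo-request|echo-reply) from \w+:(?P<src>[\d.]+) "
    r"to (?P<dst>[\d.]+) ID=(?P<id>\d+) seq=(?P<seq>\d+)"
)
UNXLATE_RE = re.compile(
    r"^\d+: ICMP echo-reply: untranslating \w+:(?P<glob>[\d.]+) to \w+:(?P<inside>[\d.]+)"
)

# ICMP types a ping/traceroute client on the inside needs back, per the answer.
RETURN_TYPES = ("echo-reply", "time-exceeded", "unreachable")


def audit_trace(trace):
    """Return (unanswered, not_untranslated): (ID, seq) keys of echo-requests
    that saw no reply, and of replies that arrived but were never un-NATed."""
    requests, replies, untranslated = {}, {}, set()
    pending_reply = None          # reply waiting for its untranslating line
    for line in trace.splitlines():
        m = PKT_RE.match(line)
        if m:
            key = (int(m["id"]), int(m["seq"]))
            if m["kind"] == "echo-request":
                requests[key] = m["dst"]
                pending_reply = None
            else:
                replies[key] = m["src"]
                pending_reply = key
            continue
        if UNXLATE_RE.match(line) and pending_reply is not None:
            untranslated.add(pending_reply)
            pending_reply = None
    unanswered = sorted(k for k in requests if k not in replies)
    not_untranslated = sorted(k for k in replies if k not in untranslated)
    return unanswered, not_untranslated


def missing_icmp_permits(acl, global_ip):
    """Return the ICMP return types the outside ACL does not permit to global_ip."""
    permitted = set()
    for line in acl.splitlines():
        parts = line.split()
        # access-list NAME permit icmp any host IP [TYPE]
        if (len(parts) >= 7 and parts[2] == "permit" and parts[3] == "icmp"
                and parts[5] == "host" and parts[6] == global_ip):
            permitted.add(parts[7] if len(parts) > 7 else "any")
    if "any" in permitted:
        return []
    return [t for t in RETURN_TYPES if t not in permitted]


if __name__ == "__main__":
    unanswered, dropped = audit_trace(SAMPLE_TRACE)
    print("echo-requests with no reply seen:", unanswered)
    print("replies seen but never un-translated:", dropped)
    print("ICMP types still to permit on the outside ACL:",
          missing_icmp_permits(SAMPLE_ACL, "198.51.100.6"))
```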

  • VPN access HELP

    I have my ASA 5505 VPN access set up... I am finally able to connect and receive an IP address from it.  But now I'm stumped on why I can't access my network.  My network is as follows: Cable Modem ---> ASA 5505 ---> Cisco 3660 router ---> Cisco 2900XL switch ---> Windows 2008 Server ---> client PC.  Can someone help me understand where I'm going wrong?

    ASA 5505 Running Config:

    ASA Version 8.2(3)
    !
    hostname ciscoasa
    enable password DQucN59Njn0OjpJL encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.2.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address dhcp
    !
    ftp mode passive
    access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.240
    pager lines 24
    logging enable
    logging asdm warnings
    mtu inside 1500
    mtu outside 1500
    ip local pool HomeVPN 192.168.3.0-192.168.3.10 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    !
    router rip
     network 192.168.1.0
     network 192.168.2.0
     network 192.168.3.0
     default-information originate
     version 2
    !
    route outside 0.0.0.0 0.0.0.0 174.56.139.1 1
    route inside 192.168.1.0 255.255.255.0 192.168.2.2 1
    route inside 192.168.3.0 255.255.255.0 192.168.2.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    client-update enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd dns 8.8.8.8 8.8.4.4 interface inside
    !

    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy VPNHome internal
    group-policy VPNHome attributes
     dns-server value 192.168.1.14 8.8.8.8
     vpn-tunnel-protocol IPSec
     default-domain value wood.homeserv.com
    username Jonathan password WsMCHUiqvEuA9Gmb encrypted privilege 0
    username Jonathan attributes
     vpn-group-policy VPNHome
    tunnel-group VPNHome type remote-access
    tunnel-group VPNHome general-attributes
     address-pool HomeVPN
     default-group-policy VPNHome
    tunnel-group VPNHome ipsec-attributes
     pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:214676358ccd68b2acb313ffcd92c6fa
    : end

    Cisco 3660 router configuration:

    Building configuration...

    Current configuration : 5921 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname router
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 $1$.7Q9$mJ4Y0sVUoAw8QZ/33g1JD/
    enable password henry999
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authorization exec default local
    !
    aaa session-id common
    !
    !
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.1.1 192.168.1.7
    ip dhcp excluded-address 192.168.1.1 192.168.1.10
    ip dhcp excluded-address 192.168.1.11 192.168.1.19
    ip dhcp excluded-address 192.168.1.1 192.168.1.19
    !
    ip dhcp pool 192.168.1.0/24
     network 192.168.1.0 255.255.255.0
     default-router 192.168.1.1
     dns-server 8.8.8.8 8.8.4.4
    !
    ip dhcp pool 192.168.1.2/24
    !
    !
    ip inspect name SDM_LOW cuseeme
    ip inspect name SDM_LOW dns
    ip inspect name SDM_LOW ftp
    ip inspect name SDM_LOW h323
    ip inspect name SDM_LOW https
    ip inspect name SDM_LOW icmp
    ip inspect name SDM_LOW imap
    ip inspect name SDM_LOW pop3
    ip inspect name SDM_LOW netshow
    ip inspect name SDM_LOW rcmd
    ip inspect name SDM_LOW realaudio
    ip inspect name SDM_LOW rtsp
    ip inspect name SDM_LOW esmtp
    ip inspect name SDM_LOW sqlnet
    ip inspect name SDM_LOW streamworks
    ip inspect name SDM_LOW tftp
    ip inspect name SDM_LOW tcp
    ip inspect name SDM_LOW udp
    ip inspect name SDM_LOW vdolive
    ip admission name NAC1 eapoudp inactivity-time 60 list NAC
    ip ips sdf location flash://SDF autosave
    ip ips notify SDEE
    ip ips name sdm_ips_rule
    !
    !
    !
    username woodjl privilege 15 secret 5 $1$w.xT$cFJweRcOx29N9hKafqu4h1
    username wooldjl privilege 15 secret 5 $1$4o6/$IO13XCGj9XXjIAGTsN3Yj0
    !
    !
    !
    class-map match-all SDM-Transactional-1
     match dscp af21
     match dscp af22
     match dscp af23
    class-map match-all SDM-Signaling-1
     match dscp cs3
     match dscp af31
    class-map match-all SDM-Routing-1
     match dscp cs6
    class-map match-all SDM-Voice-1
     match dscp ef
    class-map match-all SDM-Management-1
     match dscp cs2
    !
    !
    policy-map SDM-QoS-Policy-1
     class SDM-Voice-1
      priority percent 33
      police cir 33000000
       conform-action transmit
       exceed-action drop
     class SDM-Signaling-1
      bandwidth percent 5
      police cir 5000000
       conform-action transmit
       exceed-action drop
     class SDM-Routing-1
      bandwidth percent 5
      police cir 5000000
       conform-action transmit
       exceed-action drop
     class SDM-Management-1
      bandwidth percent 5
      police cir 5000000
       conform-action transmit
       exceed-action drop
     class SDM-Transactional-1
      bandwidth percent 5
      police cir 5000000
       conform-action transmit
       exceed-action drop
     class class-default
      fair-queue
      random-detect
      police cir 22000000
       conform-action transmit
       exceed-action drop
    !
    !
    !
    crypto isakmp client configuration group HomeUsers
     key henrydixie7153
     dns 192.168.1.14 8.8.8.8
     domain wood.homeserv.com
     pool SDM_POOL_1
     include-local-lan
     max-users 5
     netmask 255.255.255.0
    !
    !
    crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-sha-hmac
    !
    crypto ipsec profile HomeVPN
     set transform-set SDM_TRANSFORMSET_1
    !
    !
    crypto map HomeVPN 1 ipsec-isakmp
     set peer 192.168.3.1
     set security-association idle-time 7200
     set transform-set SDM_TRANSFORMSET_1
     set pfs group1
     match address VPN1
    !
    !
    !
    !
    interface FastEthernet0/0
     description $FW_OUTSIDE$
     ip address 192.168.2.2 255.255.255.0
     ip access-group 101 in
     ip verify unicast reverse-path
     ip nat outside
     ip inspect SDM_LOW out
     ip admission NAC
     ip ips sdm_ips_rule in
     ip ips sdm_ips_rule out
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     description $FW_INSIDE$
     ip address 192.168.1.1 255.255.255.0
     ip access-group 100 in
     ip verify unicast reverse-path
     ip nat inside
     ip ips sdm_ips_rule in
     ip ips sdm_ips_rule out
     ip virtual-reassembly
     duplex auto
     speed auto
     service-policy output SDM-QoS-Policy-1
    !
    router rip
     version 2
     passive-interface FastEthernet0/0
     passive-interface FastEthernet0/1
     network 192.168.1.0
     no auto-summary
    !
    ip local pool SDM_POOL_1 192.168.3.1 192.168.3.10
    ip http server
    ip http authentication local
    no ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 192.168.2.1
    !
    !
    ip nat pool home 192.168.1.1 192.168.1.24 netmask 255.255.255.0
    !
    !
    ip access-list extended NAC1
     remark NAC
     remark SDM_ACL Category=64
     remark NAC rule
     permit ip 192.0.0.0 0.255.255.255 any
    ip access-list extended VPN
     remark VPN access
     remark SDM_ACL Category=4
     remark VPN
     permit ip any any
    ip access-list extended VPN1
     remark VPN access
     remark SDM_ACL Category=4
     permit ip any host 192.168.3.1
    access-list 100 remark auto generated by SDM firewall configuration
    access-list 100 remark SDM_ACL Category=1
    access-list 100 deny ip 192.168.2.0 0.0.0.255 any
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip any any
    access-list 101 remark auto generated by SDM firewall configuration
    access-list 101 remark SDM_ACL Category=1
    access-list 101 deny ip 192.168.1.0 0.0.0.255 any
    access-list 101 permit icmp any host 192.168.2.2 echo-reply
    access-list 101 permit icmp any host 192.168.2.2 time-exceeded
    access-list 101 permit icmp any host 192.168.2.2 unreachable
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 deny ip host 0.0.0.0 any
    access-list 101 deny ip any any log
    snmp-server community 192.168.1.1 RO
    snmp-server enable traps tty
    !
    !
    !
    control-plane
    !
    !
    !
    line con 0
     transport output all
    line aux 0
     transport output all
    line vty 0 4
     password Henry
     transport input telnet
     transport output all
    !
    !
    end

    Since you already have a default route to the ASA, you don't need a more specific one.

    But in the most recent ASA config that you posted, I think there is some confusion about the split-tunnel config.

    You have

    access-list VPNWoodHome_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
    access-list WoodVPN_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
    access-list Split_Tunnel_List standard permit 192.168.1.0 255.255.255.0

    But only one of these is actually used in the group-policy.

    group-policy WoodVPN attributes
     split-tunnel-network-list value WoodVPN_splitTunnelAcl

    So my suggestion is to add:

    access-list WoodVPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

    (and remove the other 2 access-lists unless they're used for something else)

    hth
    Herbert
