Interesting CRYPTO ipsec traffic - need some understanding

Hi friends,

I need your help to understand how traffic passes through a crypto IPsec tunnel. It is always said that the interesting traffic at both ends needs to be a mirror configuration. Now my doubt is: if I add a host entry 10.10.10.10/32 at one end and add an entry for the network 10.10.10.0/24 at the other end, will it work? And if not, why? By that logic this host 10.10.10.10 should work, am I right? Some time back I met a scenario where part of the IPs worked and the others did not. After checking the config we found that one side had been added as a /24 and the other as a /25.

Do the IPsec tunnel endpoints exchange their interesting-traffic ACLs with each other when Phase 2 comes up? What happens if I add the above 10.10.10.10 entry to a tunnel that is already working? Will it cause any problem?

Awaiting your response

Thanks & best regards,

Kamal

The simple answer to your question is yes, a /32 entry on one side of the tunnel should work if the network is defined as a /24 on the other side. This isn't like a prefix list or a dynamic routing protocol where subnet masks must match. The network statements in Phase 2 of the IPsec tunnel (which define which traffic goes through the tunnel) are defined through an ACL, so as long as the traffic meets the criteria of the ACL, it goes over the tunnel. That being said, your Phase 2 tunnel should never have come up in your /24 and /25 example because the network statements did not match; that's weird. Maybe your tunnels did match, but you excluded some of the traffic from being NAT'ed?

As you said, however, portions of the Phase 2 of the tunnel (aka the security association) must be mirror images. If you use two ASAs then you can simply reverse the ACL source and destination. If you connect the ASA to, say, a Netscreen, it may be a little more complex depending on whether you're doing route-based or policy-based IPsec on that side. If you can't get the /32 device to work for some reason, you can also create another security association specific to this traffic.
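As an added illustration (not code from this thread, from Cisco, or from any of the posters), here is a small Python model of why a /32 on one side can work against a /24 on the other while a /24 against a /25 only half works, which is the "some IPs work, others don't" symptom from the question. It assumes one illustrative responder rule, stated as an assumption and not as a vendor statement: a Phase 2 proposal is accepted when both proposed networks fall inside one of the responder's own ACL entries. All addresses are constructed.

```python
import ipaddress
from typing import List, Optional, Tuple

# One Phase 2 "interesting traffic" entry as a peer sees it:
# (local network, remote network). All values below are constructed.
Entry = Tuple[str, str]


def _net(prefix: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(prefix, strict=False)


def mirror(entries: List[Entry]) -> List[Entry]:
    """The exact mirror image the other peer would have to configure."""
    return [(remote, local) for local, remote in entries]


def responder_accepts(proposal: Entry, acl: List[Entry]) -> bool:
    """Illustrative responder rule (an assumption, not a vendor statement):
    the proposal is accepted when both proposed networks fall inside one of
    the responder's own entries. `proposal` is written from the responder's
    point of view, i.e. (responder local, responder remote)."""
    p_local, p_remote = _net(proposal[0]), _net(proposal[1])
    return any(p_local.subnet_of(_net(l)) and p_remote.subnet_of(_net(r))
               for l, r in acl)


def established_sas(initiator: List[Entry], responder: List[Entry]) -> List[Entry]:
    """SAs that come up when `initiator` proposes each of its entries,
    returned from the initiator's point of view. A proposal is flipped
    before matching because the initiator's local is the responder's remote."""
    return [(l, r) for l, r in initiator if responder_accepts((r, l), responder)]


def sas_for(side: List[Entry], peer: List[Entry]) -> List[Entry]:
    """Every SA that can exist from `side`'s point of view, whichever peer
    initiates: its own accepted proposals plus the peer's, flipped back."""
    own = established_sas(side, peer)
    theirs = [(r, l) for l, r in established_sas(peer, side)]
    return sorted(set(own + theirs))


def host_has_sa(host: str, sas: List[Entry]) -> Optional[Entry]:
    """Return the SA whose local selector covers `host`, or None: a host with
    no covering SA is one of the 'IPs that do not work' from the question."""
    addr = ipaddress.ip_address(host)
    for local, remote in sas:
        if addr in _net(local):
            return (local, remote)
    return None


if __name__ == "__main__":
    # The /24 vs /25 mismatch from the question (constructed addresses)
    side_a = [("10.10.10.0/24", "192.0.2.0/24")]
    side_b = [("192.0.2.0/24", "10.10.10.0/25")]
    print("B should mirror A as:", mirror(side_a))
    print("A initiates:", established_sas(side_a, side_b))  # rejected: /24 not inside /25
    print("B initiates:", established_sas(side_b, side_a))  # accepted: /25 inside /24
    sas = sas_for(side_a, side_b)
    for host in ("10.10.10.5", "10.10.10.200"):
        print(host, "covered by", host_has_sa(host, sas))  # .200 has no SA

    # The /32-against-/24 case: comes up only when the /32 side initiates
    host_side = [("10.10.10.10/32", "192.0.2.0/24")]
    net_side = [("192.0.2.0/24", "10.10.10.0/24")]
    print("host side initiates:", established_sas(host_side, net_side))
    print("network side initiates:", established_sas(net_side, host_side))
```

Under this rule only the narrower side can bring the SA up, so a mismatch shows itself as a tunnel that works for some hosts and only when one particular side initiates; comparing `mirror()` of one side with the other side's entries is the quick check.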

Tags: Cisco Network

Similar Questions

  • Cisco ASA 9.1 crypto ipsec stats: system capacity failures

    Hello

    I'm trying to track down some performance issues on one centralized ASA and some site-to-site VPN settings.  I already addressed bits of fragmentation and flow control, which went some way to solving the performance problems, but I came across something that I can't identify or understand.

    I can't seem to find any documentation that explains what triggers the counter for "System capacity failures" in the show crypto ipsec stats command:

    # sho crypto ipsec stats

    IPsec Global Statistics
    -----------------------
    Active tunnels: 41
    Previous tunnels: 8999
    Inbound
        Bytes: 8292491846127
        Decompressed bytes: 8292491846127
        Packets: 25115896849
        Dropped packets: 1291637
        Replay failures: 220
        Authentications: 25114592561
        Authentication failures: 0
        Decryptions: 25114592564
        Decryption failures: 0
        TFC Packets: 12836
        Decapsulated fragments needing reassembly: 17418535
        Valid ICMP Errors rcvd: 0
        Invalid ICMP Errors rcvd: 0
    Outbound
        Bytes: 37818073925334
        Uncompressed bytes: 37818837785556
        Packets: 38014583887
        Dropped packets: 2413164
        Authentications: 38020189281
        Authentication failures: 0
        Encryptions: 38020191839
        Encryption failures: 0
        TFC Packets: 0
        Fragmentation successes: 7763651
            Pre-fragmentation successes: 7763651
            Post-fragmentation successes: 0
        Fragmentation failures: 267158
            Pre-fragmentation failures: 267158
            Post-fragmentation failures: 0
        Fragments created: 15527302
        PMTUs sent: 267158
        PMTUs rcvd: 185
    Protocol failures: 0
    Missing SA failures: 255102
    System capacity failures: 3167258

    Does anyone have knowledge of what this is referring to specifically?

    Cheers, Dale

    Hello

    What is the model of the ASA you have and how many VPN sessions do you get on average during peak hours?

    System capacity failures occur when the hardware runs short of capacity or the usage...

    Regards

    Knockaert

  • ASA site-to-site tunnel not passing traffic for some subnets after a while

    Hello

    We have a really strange site-to-site tunnel issue on several ASAs.

    We run VPN tunnels between a small site and three larger ones.

    The small site has an ASA 5505, the other three main sites have ASA 5510s.

    One of the tunnels has been working for months without problems.

    Each tunnel has several class C networks.

    Example Site A:

    -192.168.50.0/24 (named A1)

    -192.168.51.0/24 (called A2)

    Site b:

    -192.168.60.0/24 (named B1)

    -192.168.61.0/24 (called B2)

    On the two faulty tunnels, all is well at the beginning. After a few days (1-14) some networks cease to work. So I can ping the B1 network from both A1 and A2, but the B2 network only from A2. Pings from A1 to B2 time out. The site A ASA showed tx = 0 traffic for A1<=>B2, but a progressing rx count. ASA B shows rx = 0 for B2<=>A1 and a tx count going upward.

    This happens unexpectedly after different periods. Sometimes it hits the ASA on site B, where tx = 0, sometimes the ASA on site A.

    I tried to fix it with the following commands:

    clear crypto isakmp sa
    clear crypto ipsec sa
    clear xlate

    but nothing worked. The only solution for now is to restart the ASA where the tx count indicates 0. After restarting, everything goes well for a while.

    On one of the affected sites we have a failover ASA configuration. A failover to the standby device also solves the problem. But if you fail back to the old primary without restarting it, the issue returns immediately.

    I think it is not a configuration issue because:

    -All tunnels are configured the same way, and one of them has been running for months without any problem

    -Tunnels work for all combinations of subnets after a reboot

    -The problem occurs after different and long periods of time, so I think the period between failures is too long to be caused by tunnel timeouts and so on.

    All ASAs are running 9.1(5)21.

    I updated the firmware through several releases these past few months and had the same problem with every version I tested.

    So I hope that someone else has also had this problem and found a solution.

    Hey Christian!

    Did you hopefully solve it or find the root cause?

    Thank you

  • Output of sh crypto ipsec sa

    Hello world

    When we do sh crypto ipsec sa it shows a lot of info.

    Need to know what local ident and remote ident mean?

    local ident (addr, mask, prot, port): (10.0.x.x/255.255.255.255/0/0)

    remote ident (addr, mask, prot, port): (10.0.x.x/255.255.255.255/0/0)

    What do conn id: and flow_id mean?

    What is the packet digest?

    Thank you

    Mahesh

    Hello Manu,

    Basically every SA will show you the traffic that is sent over the VPN (which side is initiating the traffic); in this case, we can see that we send traffic over the VPN tunnel from the 10.10.x.x subnet to the other 10.

    Kind regards

    Julio

  • I need some information on the new iMessage on iOS 10

    I need some information about the new Messages features after I update to iOS 10

    Howdy iotti!

    I understand you want to learn more about iMessage on iOS 10. There are a few new features!

    See these pages for a quick look on the update options:

    Use effects of message with iMessage on your iPhone, iPad and iPod touch
    Use iMessage apps on your iPhone, iPad and iPod touch
    Use #images with Messages in iOS 10

    If you have a question about a specific feature, you are in the right place to help! Don't forget to reply to this topic with specific questions.

    Take care!

  • Need to understand the basics of Oracle RAC and grid technology, for training

    I need to understand the Oracle RAC and Grid infrastructure, from a manager / training perspective.

    I see links here and here, so a few questions:

    -What is the fundamental difference from a layman's point of view (for example, a manager)?

    -What training options are available for a generic 11g DBA to learn this new technology? I've seen this course from an Oracle partner ("Oracle 11g: RAC and Grid Infrastructure Administration Accelerated Release 2") for a boatload of money, over 5 days I think. So we are looking for something a bit more reasonable (and accessible), for example books, online, etc.

    WM Peck 1958 wrote:

    I need to understand the Oracle RAC and Grid infrastructure, from a manager / training perspective.

    I see the links here and here, so a few questions:

    -What is the fundamental difference from a layman's point of view (for example, a manager)?

    -What training options are available for a generic 11g DBA to learn this new technology? I've seen this course from an Oracle partner ("Oracle 11g: RAC and Grid Infrastructure Administration Accelerated Release 2") for a boatload of money, over 5 days I think. So we are looking for something a bit more reasonable (and accessible), for example books, online, etc.

    For a very basic definition, RAC is the technology used by the database and GI is the infrastructure that makes RAC work. In a forum response, this is probably all that can be said about the two. For a very long answer, you should read the links you cited.

    #2, the course you are looking at is called accelerated because it combines two courses into one week of training: RAC (4 days) and GI (3 days). So it's a 7-day curriculum done in a 5-day course, which must justify its cost. But let me say, it's really very good. On the other side, it can be pretty intimidating to someone who does not already know these technologies. So I suggest that you send your team to each course individually and, without doubt, after doing some research. They can start by reading the following books:

    Pro Oracle Database 11g RAC on Linux

    https://www.mheducation.co.in/HTML/9781259004063.html

    And this link to doc,

    Online Oracle Database Documentation 11g Release 2 (11.2)

    Aman...

  • Flash newbie needs some advice on a project

    Hey guys,

    Thought I'd ask you guys for a general approach on a project I'm starting.  I have a background in computer science, so I lose patience with some of the beginner step-by-step tutorials that are out there online / in books.  What I'd like is for you guys to let me know what will be important for me to learn for what I want to do, and what aspects of Flash I can go without.

    I'm a grad student in clinical psych and I want to build an interactive treatment application.  What that basically translates to is that it will have a series of screens with text, sound, and clickable video icons that will show small films I developed that demonstrate the principles of different treatments.  Anyway, I just wanted to know if you guys could give me advice on the best way to do it.  I can animate text and it's kind of basic, but I feel like I'm kind of feeling in the dark right now and don't want to waste too much time on dead ends.  If you guys can give me an idea about the basic components of Flash I'm going to need a solid understanding of to create a project like this, I would really appreciate it.  I'm sorry if it is vague; I'm just trying to reduce the amount of time I spend on experimentation, and if you guys could tell me precisely which modules/tools in the application I have to use to do this, I can take it from there.

    Thank you!

    -Ricky

    If you are looking for shortcuts, you're not likely to find them.  The essential elements you need to know: start with the basics and expand from there.

    One essential thing you should learn is how to find and solve things by yourself using the Flash help documentation and a good search engine like Google.  Almost all the objects/classes have 3 basic elements (properties, methods, events) you need to understand how to use/manipulate, and they are all identified in the help documentation.

    If you want to work with videos, start digging to learn the different ways that you can integrate it... using a FLVPlayback component or the NetStream class.  If you want to learn how to work with audio, then dig in to learn how to use the Sound class.

  • Satellite C660 - need some diagnostic utilities for my MK3275GSX hard disk

    Hello

    I need some diagnostic utilities for the *MK3275GSX* HDD.

    For example the *mhdd tool* (http://www.hddguru.com/software/2005.10.02-MHDD/) would be enough for me, but I cannot use it because for some reason the Intel motherboard blocks the hard drive and I get an error: _Drive not ready_.

    I found this: http://storage.toshiba.com/storage-services-support/warranty-support/software-utilities, but I don't know what exactly I can use with my hard drive.

    Can I use this utility (http://storage.toshiba.com/storage-services-support/warranty-support/software-utilities#erase) for my drive?

    Any suggestions?


    Hello

    What do you think about the *Drive Fitness Test* utility?
    It's freeware software, meaning you can use it for free, and it helps you scan the hard drive for problems.

    Google for Drive Fitness Test, you can download this tool from different pages.

  • Need some tips to merge two table-manipulation functions

    Hi guys!

    Thanks to Johnsold, Helmut O'Brian and Jcarmody, who helped me through a complicated string function (for me, the LV noob), I got on with my project and I'm very close to its end.

    As I described there, I wanted to expand an array of words combined with '-', i.e. C1-C10. With the help I got, I was able to do it. I also learned a few things and was able to do the following:

    Original array:    New array:

    R1                 R1
    R2                 R2
    C1-C3              C1
    K1                 C2
                       C3
                       K1

    I have this:

    Original array:    New array:

    R1                 R1
    R2,R4,R7           R2
    C1                 R4
    K1                 R7
                       C1
                       K1

    I was also able to combine these two functions.

    Now, back to my problem.

    Until now, it was just a 1D array that I worked with. In fact, it's a 2D array I read from a .CSV file:

    As you can see there are a few places where things are combined with either '-' or commas. I need to expand the first column as described above and as resolved in the thread I mentioned. Done! No problem. I extracted the first column into a 1D array, then expanded it. Now I need to put it back in the original array and also expand everything.

    It should then look like this:

    Then I only need to copy the R6 line position and paste it in the empty fields:

    I attach below two VIs. Start by opening main.vi, then copy.vi. I tried to describe the problem there too. You can see what I've accomplished and what is missing.

    Tasks:

    1. Replace the expanded column in the original array and expand everything.

    2. Copy the needed lines.

    In main.vi I do the 1D expansion, but I have the problem with the expansion of the 2D array. In copy.vi I managed to copy the lines, so this part is done.

    Basically, I need some advice on the expansion I do and how I get the 2D array expanded as well. Because I have not much experience, I feel more comfortable working with 1D arrays. But I can't seem to get any further with this 1D -> 2D expansion.

    I also really can't seem to find a smart way to implement my copy-line function in main.vi.

    P.S. The attached VIs are made in LV2010.

    Fortunately, I can attend some basic courses at NI here in Norway, but so far I'm still learning and I think that sometimes I try to do things that are way out of my league.

    I don't know what I did but it works now.

    Thanks for the help all the same!

    You are very welcome!

    I have attached the file if anyone wants to see what I did.

  • HP 15-r045sr: need some drivers for HP 15-r045sr

    Hello.

    Please, help me, I need some drivers.

    Network controller

    PCI\VEN_1814 & DEV_3290 & SUBSYS_18EC103C & REV_00
    PCI\VEN_1814 & DEV_3290 & SUBSYS_18EC103C
    PCI\VEN_1814 & DEV_3290 & CC_028000
    PCI\VEN_1814 & DEV_3290 & CC_0280

    SM Bus controller

    PCI\VEN_8086 & DEV_0F12 & SUBSYS_2213103C & REV_0E
    PCI\VEN_8086 & DEV_0F12 & SUBSYS_2213103C
    PCI\VEN_8086 & DEV_0F12 & CC_0C0500
    PCI\VEN_8086 & DEV_0F12 & CC_0C05

    PCI device

    PCI\VEN_10EC & DEV_5229 & SUBSYS_2213103C & REV_01
    PCI\VEN_10EC & DEV_5229 & SUBSYS_2213103C
    PCI\VEN_10EC & DEV_5229 & CC_FF0000
    PCI\VEN_10EC & DEV_5229 & CC_FF00

    PCI encryption/decryption controller

    PCI\VEN_8086 & DEV_0F18 & SUBSYS_2213103C & REV_0E
    PCI\VEN_8086 & DEV_0F18 & SUBSYS_2213103C
    PCI\VEN_8086 & DEV_0F18 & CC_108000
    PCI\VEN_8086 & DEV_0F18 & CC_1080

    HP Truevision HD

    USB\VID_04F2 & PID_B40E & REV_6934 & MI_00
    USB\VID_04F2 & PID_B40E & MI_00

    AND (looks like it's my mouse)

    USB\VID_13EE & PID_0001 & REV_0010
    USB\VID_13EE & PID_0001

    You are very welcome.

    So, I just owe you the universal camera driver... back to the site, here it is...

    http://h20564.www2.HP.com/hpsc/SWD/public/detail?sp4ts.Oid=6943827&swItemId=ob_141708_1&swEnvOid=4058

    You will also need the CyberLink YouCam software...

    http://h20564.www2.HP.com/hpsc/SWD/public/detail?sp4ts.Oid=6943827&swItemId=ob_133024_1&swEnvOid=4058

    You can try to uninstall the device mouse, reboot and see if it is properly installed.

  • Need to understand what this command is

    I need to understand what this command does; it was on a router that I just picked up and I am not familiar with this part of the command.

    ip nat inside source static tcp 192.168.5.201 25 203.161.81.22 25 route-map mail_192.168.7 extendable

    The reason I ask is because the customer has a scanner that sends scanned documents via SMTP to an off-site mail server which, in turn, sends the mail to the user.  Before that, they used an internal e-mail server (.201). Mail from users can go out and reach its destination.  However, any scanned mail does not work and I'm trying to understand why.  The scanner has an internal IP address, which is 192.168.5.25; 192.168.5.201 is a mail server that was running, and this command seems to allow e-mail from the mail server (.201) to be sent to another location through the VPN tunnel to our other offices. What I'm trying to understand is whether the command indicates that mail from .201 can go to the 192.168.7 network via 203.161.81.22 on port 25.  If this is true, who will stop mail from other devices going out via 203.161.81.22 on port 25?

    Hello jonl711

    As you know, to NAT ports on a Cisco router you add a line for each of them, such as:

    ip nat inside source static tcp 192.168.5.201 25 X.X.X.X 25 route-map extendable

    Here we are "natting" port 25 to the machine 192.168.5.201 in our network, where X.X.X.X is our public IP address.

    That said, here I explain each command:

    access-list 112 deny ip host 192.168.5.201 192.168.1.0 0.0.0.255

    access-list 112 deny ip host 192.168.5.201 192.168.7.0 0.0.0.255

    access-list 112 permit ip any any

    --> Here you create an access list that denies IP from 192.168.5.201 going to 192.168.1.0 and 192.168.7.0

    route-map mail_192.168.7 permit 10

    match ip address 112

    --> Here you create a "rule" to match the access list you created.

    ip nat inside source static tcp 192.168.5.201 25 203.161.81.22 25 route-map mail_192.168.7 extendable

    --> and here you are mapping the IP 192.168.5.201 with port 25 (SMTP) going outside with the IP 203.161.81.22 on port 25 (SMTP), matched against the route map

    Best regards and have a nice day

    Johnnatan Rodriguez Miranda

    If this answer is satisfactory to you, please mark it as response.

    Thank you

  • Output of "show crypto ipsec sa"

    Hello

    In a baseline L2L VPN using EzVPN, with the server behind NAT and the client device using 3G, what would be the reason for the output of show crypto ipsec sa to have a current peer that differs from the crypto remote endpoint on the server?

    Thanks for your help.

    David

    Given that it is behind a NAT, and the NAT device works only at layer 3 while the contents of the IPsec VPN negotiation are encrypted, you might see the current peer differ from the crypto remote endpoint on the server.

  • Need some clarification on the operation of H323 with VCS-C/E

    We have our endpoints registered to the VCS-C with a VCS-E. When an endpoint calls another unit via H323 over IP, does the VCS-C do anything with the video/audio? Does it act as the intermediary? Or does the VCS-C just let both units communicate DIRECTLY with each other (even when I see the call in the calls in progress on the VCS-C)?

    I'm trying to debug call problems and need some explanation of how it works.

    Thank you

    RB

    By default, call Routed mode should be on.  This means that call setup & signalling go through the VCS, but all media streams are direct between endpoints.

    Cheers,

    Paul R

  • Need some clarification for upgrade

    Good morning experts,

    I need some references for the process to upgrade between 10g and 11g.

    I always use DBUA to upgrade our database.


    Most administrators recommend (or recommend NOT doing) the following options. I am confused.

    Experts, please guide me in the right direction.

    > > Is this really necessary before the upgrade process, and what is the real benefit?

    SQL> exec DBMS_STATS.GATHER_DICTIONARY_STATS;


    > > Putting my database in NOARCHIVELOG MODE, does it make a massive difference during the upgrade process?

    SQL> alter database noarchivelog;


    > > TRUNCATE the audit table SYS.AUD$

    SQL> truncate table SYS.AUD$ drop storage;


    > > The length of the process depends on:

    Size of the database

    Number of synonyms

    Number of data files

    Size of the redo logs

    Number of installed components

    For the data types and XDB, not the user objects.

    > > Deleting the NETWORK FILES completely from the 10g $ORACLE_HOME, creating new files in the 11g $ORACLE_HOME


    $ rm -rf tnsnames.ora

    $ rm -rf listener.ora


    Thanks in advance.

    Hello

    > Is this really necessary before the upgrade process, and what is the real benefit?

    SQL> exec DBMS_STATS.GATHER_DICTIONARY_STATS;

    1. Prior to the advantage: was it causing a problem, degrading the performance of your database? Why would it not be beneficial?

    Logically, if you look at it, the dictionary is the information about your database: the defaults provided with the products and the items of custom applications. Now during the upgrade, new things, or new table segments, get added to your existing dictionary. Now, if I don't keep the stats up to date on my dictionary, the upgrade itself becomes a process that takes time. It will hit the performance of the upgrade's own SQLs.

    Thus, in order to reduce this impact, prior to your downtime, as a pre-upgrade task you can collect stats on your dictionary. Then during the upgrade, if it runs stats gathering, it would take very little time to collect the minor statistics and it will not affect the execution of the DDL or DML SQL that focuses on changes in your dictionary.

    > Putting my database in NOARCHIVELOG MODE, does it make a massive difference during the upgrade process?

    SQL> alter database noarchivelog;

    2. I don't know who suggested performing the above step. Not good; I would have fired that DBA immediately. Whether I perform the upgrade or not, keep the database in archive log mode.

    For the upgrade, it gives no performance improvement for your upgrade process. What is your intention with the upgrade?

    You want to run through the upgrade in 15 minutes? Listen, your dictionary database or application objects directly increase the upgrade time. Not all synonyms, maybe a few times, depending on which table in the data dictionary is updated in the upgrade; for example in 12c the bitand function on the synonyms table is changed, so it hits performance. It is not a must, and the cause depends on the environment, database by database. The reason for this is how you keep your environment, which will reduce the burden of upgrading.

    > TRUNCATE the audit table SYS.AUD$

    3. I hope I answered this question in another thread.

    > The length of the upgrade depends on:

    Size of the database

    Number of synonyms

    Number of data files

    Size of the redo logs

    Number of installed components

    For the data types and XDB, not the user objects.

    It is partially dependent on the data dictionary and how clean it is, whatever. Clean meaning the number of invalids and the statistics.

    Number of installed components is a concern; it might be a minimum until we reach and deliver the bad SQL with performance.

    Size of database, data files and redo logs is out of scope... If my database has 10k datafiles, will my upgrade script go and touch all the data file headers, as indicated in MOS links or docs? No, it will not; at its level the upgrade works on the dictionary and Oracle database metadata.

    > Deleting the NETWORK FILES completely from the 10g $ORACLE_HOME, creating new files in the 11g $ORACLE_HOME

    You have a 2-minute load to copy the files during the upgrade. In fact, the DBA is so busy that he can afford 2-minute tasks.

    It is out of scope; you have to manage it.

    -Pavan Kumar N

  • I bought CS6 Design Web Premium, I need some software to open the file "7z".

    I bought CS6 Design Web Premium, I need some software to open the file "7z".

    You can view the Creative Suite 6 application downloads to download the software. To open the 7z file, you can download WinRAR from WinRAR download and support: download

    Hope this will help you.

    Regards

    Hervé Khare
