L2L VPN using Dynamic IP - question

Dear all,

I have several sites with dynamic IP address.

At HO I have a Cisco router with a dynamic IP, with port forwarding configured, and the internet VPN is terminated on the ASA.

I have 40 branches which will all be on dynamic IPs. All L2L tunnels are running.

My problem is that branch to HO communication is perfect, but from HO I'm not able to access the branch resources.

Could someone help me solve this problem? Config is attached.

AHA!

I understand the setup a little better.

It seems that your routers are doing destination NAT, so all the tunnels seem to come from the subnet 172.16.40.0/23.

And indeed your hypothesis is correct: the problem seems to be related to the lack of correct routes pointing outward (at least it seems so for now).

However, reverse route injection should take care of it.

Speaking of which, I noticed your tunnels land on crypto dynamic-map alfa and not the system default.

Please add "crypto dynamic-map alfa 1 set reverse-route" and restart one of the tunnels (don't shut it, simply clear isakmp and ipsec for this session).

We'll see from there.

Marcin

Tags: Cisco Security

Similar Questions

  • Using L2L VPN with static and dynamic peer tunnels

    We have an ASA 5510 running 8.0 at our company headquarters. We have remote sites that need to create L2L VPN tunnels to the HQ ASA. Some remote sites have static IP addresses and others have dynamic IP addresses.

    I found Cisco documentation for static IP L2L VPN tunnels and made them work. I found other Cisco documentation for static-to-dynamic IP L2L VPN tunnels using the tunnel-group "DefaultL2LGroup".

    My question is, can you have both types of L2L tunnels on the same ASA? If so, does it work simply by using the "DefaultL2LGroup" tunnel-group definition together with the per-peer tunnel-group definitions? Is there a reason not to do it? Is there better technology available (ASA at HQ and a combination of ASA 5505 and 1861 at remote sites)?

    Yes, you can have both types of L2L tunnels. If you use a PSK - remember that the IP address of the remote site is used to 'validate' the connection to Headquarters. As long as you use a secure PSK = 64 characters, all mixed upper/lower case alphanumeric - you should be OK.

    A better way to do it - is to get static IP addresses for the sites that currently have DHCP from the ISP.

    HTH

  • VPN with dynamic IP. How to use DNS?

    Hello

    I installed a site-to-site IPSec VPN between two Cisco routers with static public IPs. I notice that I can use dynamic IPs for the point-to-multipoint case, or host names instead of IPs. In this case, I can use these commands to configure the VPN:

    (config)# crypto isakmp identity hostname
    (config)# crypto isakmp key XXXXX hostname Remote_name
    (config-crypto-map)# set peer Remote_name

    I also noticed that I can use a Cisco router as a DNS server, and I can add host records with:

    ip host Remote_Name <IP address>

    In fact, I want only one router to work with a static public IP (Router_A) and the other with a dynamic public IP (Router_B) from the ISP. Then maybe I can set the router with the static IP address to work as the DNS server. I know how DynDNS works with an account and update client software on a PC/server, but I've never used the hardware DNS update clients, and I don't know what steps I must follow to implement this.

    Hi John,

    The section in the link below should help you configure DDNS on your router:

    (See the HTTP update example)

    http://www.Cisco.com/en/us/docs/iOS/12_3/12_3y/12_3ya8/gt_ddns.html#wp1203580

    This link shows a config summary:

    http://www.no-IP.com/support/guides/routers/using_cisco_routers_with_no-IP.html

    For static-to-dynamic VPN refer to this link (this requires no DDNS):

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080093f86.shtml

    HTH

    Kind regards

    Praveen

  • Mixing L2L VPN, IPSEC and L2TP connections on a PIX

    Hi all

    I'm trying to implement a solution on my PIX FW (pix804-24.bin) to be able to support an L2L VPN session together with dynamic VPN user sessions, where clients will use a mix of IPSEC (NAT detection) and L2TP. We have always supported IPSEC and that has worked great for many years. I'm now trying to add L2TP support so that I can support Android phones/iPads, etc. as well as Windows clients with the built-in L2TP VPN client. Everything works well except for the new L2TP functionality. It is able to complete phase one but then tries to use the crypto map that is used for the L2L VPN. It seems to fail because the IP addresses are not in the ACL configured on the L2L crypto map. Does anyone know if there are any issues with these configurations supporting both? And if not, can you see what I have wrong here that would make it not work? Here are the relevant configs:

    C515-A# sh run crypto
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set company-ras esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set company-l2tp esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map company-ras 1 match address company-dynamic
    crypto dynamic-map company-ras 1 set pfs
    crypto dynamic-map company-ras 1 set transform-set ESP-3DES-SHA ESP-3DES-MD5 company-ras
    crypto dynamic-map company-ras 1 set security-association lifetime seconds 28800
    crypto dynamic-map company-ras 1 set security-association lifetime kilobytes 4608000
    crypto dynamic-map company-ras 2 match address company-dynamic
    crypto dynamic-map company-ras 2 set transform-set company-l2tp
    crypto dynamic-map company-ras 2 set security-association lifetime seconds 28800
    crypto dynamic-map company-ras 2 set security-association lifetime kilobytes 4608000
    crypto map company-map 1 match address company-colo
    crypto map company-map 1 set pfs
    crypto map company-map 1 set peer colo-pix-ext
    crypto map company-map 1 set transform-set ESP-3DES-MD5 ESP-3DES-SHA
    crypto map company-map 1 set security-association lifetime seconds 28800
    crypto map company-map 1 set security-association lifetime kilobytes 4608000
    crypto map company-map 1 set nat-t-disable
    crypto map company-map 2 ipsec-isakmp dynamic company-ras
    crypto map company-map interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp nat-traversal 3600
    crypto isakmp policy 1
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 2
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    C515-A# sh run tunnel-group
    tunnel-group DefaultRAGroup general-attributes
     address-pool company-ras
     authentication-server-group radius LOCAL
     default-group-policy l2tp
    tunnel-group DefaultRAGroup ipsec-attributes
     pre-shared-key *
    tunnel-group DefaultRAGroup ppp-attributes
     authentication pap
     no authentication chap
     authentication ms-chap-v2
     authentication eap-proxy
    tunnel-group company-ras type remote-access
    tunnel-group company-ras general-attributes
     address-pool company-ras
     authentication-server-group radius LOCAL
    tunnel-group company-ras ipsec-attributes
     pre-shared-key *
    tunnel-group company-admin type remote-access
    tunnel-group company-admin general-attributes
     address-pool company-admin
     authentication-server-group radius LOCAL
     default-group-policy company-admin
    tunnel-group company-admin ipsec-attributes
     pre-shared-key *
    tunnel-group company-admin ppp-attributes
     no authentication chap
     authentication ms-chap-v2
    tunnel-group x.x.x.x type ipsec-l2l
    tunnel-group x.x.x.x ipsec-attributes
     pre-shared-key *
     isakmp keepalive threshold 15 retry 10
    C515-A# sh run group-policy
    group-policy DfltGrpPolicy attributes
     dns-server value 10.10.10.20 10.10.10.21
     vpn-tunnel-protocol IPSec
     pfs enable
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value company-SPLIT-TUNNEL-ACL
     default-domain value company.int
     nac-settings value DfltGrpPolicy-nac-framework-create
    group-policy company-admin internal
    group-policy company-admin attributes
     wins-server none
     dhcp-network-scope none
     vpn-access-hours none
     vpn-simultaneous-logins 20
     vpn-idle-timeout 30
     vpn-session-timeout none
     vpn-tunnel-protocol IPSec l2tp-ipsec
     ip-comp disable
     re-xauth disable
     group-lock none
     pfs enable
     split-tunnel-network-list value company-ADMIN-SPLIT-TUNNEL-ACL
    group-policy l2tp internal
    group-policy l2tp attributes
     dns-server value 10.10.10.20 10.10.10.21
     vpn-tunnel-protocol l2tp-ipsec
     pfs disable
     split-tunnel-policy tunnelall
     default-domain value company.int
     nac-settings value DfltGrpPolicy-nac-framework-create

    Relevant debug output

    C515-A# Sep 03 02:09:33 [IKEv1 DEBUG]: IP = 66.25.14.195, Oakley proposal is acceptable
    Sep 03 02:09:33 [IKEv1 DEBUG]: IP = 66.25.14.195, IKE Peer included IKE fragmentation capability flags:  Main Mode: True  Aggressive Mode: False
    Sep 03 02:09:33 [IKEv1 DEBUG]: IP = 66.25.14.195, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 3
    Sep 03 02:09:33 [IKEv1]: IP = 66.25.14.195, Connection landed on tunnel_group DefaultRAGroup
    Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, Automatic NAT Detection Status:  Remote end IS behind a NAT device  This end is NOT behind a NAT device
    Sep 03 02:09:33 [IKEv1]: IP = 66.25.14.195, Connection landed on tunnel_group DefaultRAGroup
    Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, Freeing previously allocated memory for authorization-dn-attributes
    Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, PHASE 1 COMPLETED
    Sep 03 02:09:33 [IKEv1]: IP = 66.25.14.195, Keep-alive type for this connection: None
    Sep 03 02:09:33 [IKEv1]: IP = 66.25.14.195, Keep-alives configured on but peer does not support keep-alives (type = None)
    Sep 03 02:09:33 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 66.25.14.195, Starting P1 rekey timer: 21600 seconds.
    Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, Received remote Proxy Host data in ID Payload:  Address 172.16.0.104, Protocol 17, Port 0
    Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, Received local Proxy Host data in ID Payload:  Address x.x.x.x, Protocol 17, Port 1701
    Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, L2TP/IPSec session detected.
    Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, QM IsRekeyed old sa not found by addr
    Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, Static Crypto Map check, checking map = company-map, seq = 1...
    Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, Static Crypto Map check, map = company-map, seq = 1, ACL does not match proxy IDs src:66.25.14.195 dst:x.x.x.x
    Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 66.25.14.195/255.255.255.255/17/0 local proxy x.x.x.x/255.255.255.255/17/1701 on interface outside
    Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, QM FSM error (P2 struct &0x501c1f0, mess id 0xa181b866)!
    Sep 03 02:09:33 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 66.25.14.195, IKE QM Responder FSM error history (struct &0x501c1f0)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
    Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, Removing peer from correlator table failed, no match!
    Sep 03 02:09:33 [IKEv1]: Ignoring msg to mark SA with dsID 204910592 dead because SA deleted
    Sep 03 02:10:05 [IKEv1 DEBUG]: IP = 66.25.14.195, Oakley proposal is acceptable
    Sep 03 02:10:05 [IKEv1 DEBUG]: IP = 66.25.14.195, IKE Peer included IKE fragmentation capability flags:  Main Mode: True  Aggressive Mode: False
    Sep 03 02:10:05 [IKEv1 DEBUG]: IP = 66.25.14.195, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 3
    Sep 03 02:10:05 [IKEv1]: IP = 66.25.14.195, Connection landed on tunnel_group DefaultRAGroup
    Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, Automatic NAT Detection Status:  Remote end IS behind a NAT device  This end is NOT behind a NAT device
    Sep 03 02:10:05 [IKEv1]: IP = 66.25.14.195, Connection landed on tunnel_group DefaultRAGroup
    Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, Freeing previously allocated memory for authorization-dn-attributes
    Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, PHASE 1 COMPLETED
    Sep 03 02:10:05 [IKEv1]: IP = 66.25.14.195, Keep-alive type for this connection: None
    Sep 03 02:10:05 [IKEv1]: IP = 66.25.14.195, Keep-alives configured on but peer does not support keep-alives (type = None)
    Sep 03 02:10:05 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 66.25.14.195, Starting P1 rekey timer: 21600 seconds.
    Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, Received remote Proxy Host data in ID Payload:  Address 172.16.0.104, Protocol 17, Port 0
    Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, Received local Proxy Host data in ID Payload:  Address x.x.x.x, Protocol 17, Port 1701
    Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, L2TP/IPSec session detected.
    Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, QM IsRekeyed old sa not found by addr
    Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, Static Crypto Map check, checking map = company-map, seq = 1...
    Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, Static Crypto Map check, map = company-map, seq = 1, ACL does not match proxy IDs src:66.25.14.195 dst:x.x.x.x
    Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 66.25.14.195/255.255.255.255/17/0 local proxy x.x.x.x/255.255.255.255/17/1701 on interface outside
    Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, QM FSM error (P2 struct &0x501c1f0, mess id 0xa5db9562)!
    Sep 03 02:10:05 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 66.25.14.195, IKE QM Responder FSM error history (struct &0x501c1f0)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
    Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, Removing peer from correlator table failed, no match!
    Sep 03 02:10:05 [IKEv1]: Ignoring msg to mark SA with dsID 204914688 dead because SA deleted

    The two debug outputs that worry me are the following:

    Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, Received remote Proxy Host data in ID Payload:  Address 172.16.0.104, Protocol 17, Port 0
    Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, Received local Proxy Host data in ID Payload:  Address x.x.x.x, Protocol 17, Port 1701

    Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, Static Crypto Map check, checking map = company-map, seq = 1...
    Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, Static Crypto Map check, map = company-map, seq = 1, ACL does not match proxy IDs src:66.25.14.195 dst:x.x.x.x
    Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 66.25.14.195/255.255.255.255/17/0 local proxy x.x.x.x/255.255.255.255/17/1701 on interface outside
    Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, QM FSM error (P2 struct &0x501c1f0, mess id 0xa5db9562)!

    This seems to indicate that it detects the NAT but then does not assign the session to the dynamic crypto map entry, because the networks being encrypted are not in the configured ACL, which is true. It needs to use the dynamic entry and it doesn't seem to be.

    Do I need to create another dynamic map entry to make it work, instead of adding lines to the same dynamic map entry with a lower (higher) priority?

    Thanks in advance for any help here.

    Hello

    That won't do the trick; l2tp clients are kinda picky, so if they do not hit the correct policy first they just stop trying. Follow these steps:

    crypto dynamic-map company-ras 1 match address company-dynamic
    no crypto dynamic-map company-ras 1 set pfs
    no crypto dynamic-map company-ras 1 set transform-set ESP-3DES-SHA ESP-3DES-MD5 company-ras
    crypto dynamic-map company-ras 1 set transform-set company-l2tp ESP-3DES-SHA ESP-3DES-MD5 company-ras

    The foregoing will not affect existing IPsec clients at all; these clients will not use the pfs statement and will connect even if the match address is not configured (it is optional). Besides, Cisco IPsec clients will hit the transport mode policy first and fail, however they will continue to try and hit another PH2 policy.

    Regarding your last question, I was referring specifically to l2tp support for Android, and yes, you will need to run one of these versions.

    http://www.Cisco.com/en/us/docs/security/ASA/asa82/release/notes/asarn82.html#wp431562

    Tavo-

  • L2L VPN between an ASA with a public IP address and a CISCO2911 behind an ISP router with port forwarding

    Hi all

    My apologies if this is a trivial question, but I spent considerable time trying to search and had no luck.

    I encountered a problem trying to set up a temporary L2L VPN from an ASA to a subscriber with a CISCO2911 sitting behind the ISP's router. The ISP has informed me that I can't bypass their device and terminate the Internet circuit on the Cisco, for some reason, so I'm stuck with it. The setup is:

    corporate LAN 10.x.x.x - ASA - y.y.y.y - Internet - z.z.z.z - ISP router - 10.1.17.1 - 10.1.17.2 - CISCO2911 - 10.1.15.1 - LAN

    where 10.x.x.x is the corporate LAN private range, y.y.y.y is the public IP address assigned to the outside interface of the ASA and z.z.z.z is the public IP address of the ISP router.

    I have forwarded ports 500, 4500 and ESP on the ISP router to 10.1.17.2. The 2911 config is attached below; what I can't understand is what peer IP address to configure on the ASA, because if I use z.z.z.z it will cause an identity mismatch, as the 2911 identifies itself as 10.1.17.2...

    ! ^^^ ISAKMP (Phase 1) ^^^ !
    crypto isakmp policy 5
     encr 3des
     hash md5
     authentication pre-share
     group 2
     lifetime 28800
    crypto isakmp key ****** address y.y.y.y no-xauth

    ! ^^^ IPSEC (Phase 2) ^^^ !
    ip access-list extended crymap
     permit ip 10.1.15.0 0.0.0.255 10.0.0.0 0.255.255.255
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map VPN_TUNNEL 1 ipsec-isakmp
     set peer y.y.y.y
     set transform-set ESP-3DES-SHA
     match address crymap

    interface Gi0/2
     crypto map VPN_TUNNEL

    Hello

    From the debug output, it seems it goes through the IPSEC states and the tunnel ends up in QM_IDLE.

    What I noticed in your ASA configuration is that you're using PFS, but not on the 2911 router.

    So I suggest:

    no crypto map OUTSIDE_map 4 set pfs   <-- this will disable PFS on the ASA

    Then try to initiate the tunnel.

    Kind regards

    Jan

  • ASA with several L2L VPN Dynamics

    I have an ASA 5510 used as a VPN concentrator for about 30 L2L VPNs.

    I also need some L2L VPNs with dynamic remote peers.

    While the configuration for a single dyn-VPN is quite simple (as described in several examples), how can I configure the ASA in the case of many dyn-VPNs?

    Basically, all the dyn-VPNs must use the same PSK (the DefaultL2LGroup).

    But using "aggressive" mode on the remote peer, I could use a different PSK for every dyn-VPN:

    tunnel-group ABCD ipsec-attributes
     pre-shared-key *

    Is this configuration correct?

    Best regards

    Claudio

    Hello

    Maybe the solutions provided in the following document may also be an option to configure multiple dynamic L2L VPN connections on the ASA:

    http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a0080bc7d13.shtml

    Hope this helps

    -Jouni

  • Cisco ASA L2L VPN trouble

    Hello Cisco Experts,

    I've run into trouble with one of my L2L IPsec VPNs between a Cisco ASA 5510 and a 5520 running version 8.2.2.

    Our existing L2L VPNs are connected fine and work very well. Currently SITE A (10.10.0.0/16) connects to SITE B (10.20.0.0/16). SITE A connects to SITE C (10.100.8.0/21). These are OK.

    What is failing is when I try to connect SITE B to SITE C. The tunnel comes up and phase 1 and 2 complete successfully. However, when running 'packet-tracer input inside icmp 10.20.8.2 8 0 10.100.8.1 detailed' I get the following:

    Phase: 10
    Type: VPN
    Subtype: encrypt
    Result: DROP
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
     in  id=0xad1c4500, priority=70, domain=encrypt, deny=false
            hits=609, user_data=0x0, cs_id=0xad1c2e10, reverse, flags=0x0, protocol=0
            src ip=10.20.0.0, mask=255.255.0.0, port=0
            dst ip=10.100.8.0, mask=255.255.248.0, port=0, dscp=0x0

    I noticed that when the tunnel came up, the route to 10.100.8.0/21 was added to the routing table, and the crypto ACL was not applied on the remote ASA. I added the route manually but cannot get the crypto ACL to apply.

    Useful info:

    SITE C

    object-group network NoNatDMZ-objgrp
     network-object 10.10.0.0 255.255.0.0
     network-object 10.10.12.0 255.255.255.0
     network-object 10.20.0.0 255.255.0.0
    access-list outside_30_cryptomap extended permit ip 10.100.8.0 255.255.248.0 10.20.0.0 255.255.0.0
    access-list sheep extended permit ip 10.100.8.0 255.255.248.0 object-group sheep-objgrp
    crypto map outside_map 30 match address outside_30_cryptomap
    crypto map outside_map 30 set peer x.x.x.x
    crypto map outside_map 30 set transform-set ESP-AES256-SHA
    crypto map outside_map 30 set reverse-route
    crypto map outside_map interface outside

    SITE B

    object-group network sheep-objgrp
     network-object 10.10.0.0 255.255.0.0
     network-object 10.21.0.0 255.255.0.0
     network-object 10.10.12.0 255.255.255.0
     network-object 10.100.8.0 255.255.248.0
    access-list sheep extended permit ip 10.20.0.0 255.255.0.0 object-group sheep-objgrp
    access-list outside_50_cryptomap extended permit ip 10.20.0.0 255.255.0.0 10.100.8.0 255.255.248.0
    crypto map outside_map 50 match address outside_50_cryptomap
    crypto map outside_map 50 set peer XX.XX.XX.XX
    crypto map outside_map 50 set transform-set ESP-AES256-SHA
    crypto map outside_map 50 set reverse-route
    crypto map outside_map interface outside

    I've been struggling with this for days. Any help is very much appreciated!

    Thank you!!

    Follow these steps:

    no crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    clear crypto ipsec sa peer SITE_B_Public

    Try again and attach the same outputs.

    Let me know.

    Thank you.
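    The fix above moves the dynamic crypto map entry from sequence 10 to 65535 so that static L2L peers are matched by their own entries first; the L2TP thread earlier on this page shows the same evaluation-order problem from the debug side. The following audit script is an added example (not code from the thread or from Cisco): it parses a constructed "show run crypto" fragment in the thread's syntax (map and ACL names taken from the thread, peer addresses 198.51.100.x constructed), reports dynamic entries that sit below a static entry of the same map, and emits the CLI the thread uses to correct it.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in ASA "show run crypto" syntax, modelled on the SITE B/SITE C
# thread above: the dynamic entry sits at seq 10, below the static L2L entries at 30 and 50.
SAMPLE_CONFIG = """\
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 30 match address outside_30_cryptomap
crypto map outside_map 30 set peer 198.51.100.30
crypto map outside_map 30 set transform-set ESP-AES256-SHA
crypto map outside_map 30 set reverse-route
crypto map outside_map 50 match address outside_50_cryptomap
crypto map outside_map 50 set peer 198.51.100.50
crypto map outside_map 50 set transform-set ESP-AES256-SHA
crypto map outside_map interface outside
"""

DYNAMIC_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)$")
STATIC_RE = re.compile(r"^crypto map (\S+) (\d+) (set|match) (\S+)\s*(.*)$")


@dataclass
class MapEntry:
    name: str
    seq: int
    dynamic: Optional[str] = None      # name of the referenced dynamic map, if any
    acl: Optional[str] = None          # "match address" ACL of a static entry
    peers: List[str] = field(default_factory=list)


def parse_crypto_maps(text: str) -> List[MapEntry]:
    """Collect crypto map entries keyed by (map name, sequence number)."""
    entries: Dict[Tuple[str, int], MapEntry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = DYNAMIC_RE.match(line)
        if m:
            key = (m[1], int(m[2]))
            entries.setdefault(key, MapEntry(*key)).dynamic = m[3]
            continue
        m = STATIC_RE.match(line)
        if not m:
            continue  # interface binding, comments, unrelated lines
        key = (m[1], int(m[2]))
        entry = entries.setdefault(key, MapEntry(*key))
        if m[3] == "match" and m[4] == "address":
            entry.acl = m[5]
        elif m[3] == "set" and m[4] == "peer":
            entry.peers.extend(m[5].split())
    return sorted(entries.values(), key=lambda e: (e.name, e.seq))


def find_misordered_dynamic_entries(entries: List[MapEntry]) -> List[Tuple[str, int, int]]:
    """Return (map, dynamic_seq, static_seq) for every dynamic entry whose sequence
    number is lower than a static entry of the same map, i.e. evaluated before it."""
    by_map: Dict[str, List[MapEntry]] = {}
    for e in entries:
        by_map.setdefault(e.name, []).append(e)
    findings = []
    for name, ents in by_map.items():
        for d in (e for e in ents if e.dynamic):
            for s in (e for e in ents if not e.dynamic):
                if d.seq < s.seq:
                    findings.append((name, d.seq, s.seq))
    return findings


def remediation_commands(entries: List[MapEntry], top_seq: int = 65535) -> List[str]:
    """CLI to move each misordered dynamic entry to the highest sequence number,
    the same change the thread's answer applies (seq 10 -> 65535)."""
    cmds, seen = [], set()
    for name, dyn_seq, _ in find_misordered_dynamic_entries(entries):
        if (name, dyn_seq) in seen:
            continue
        seen.add((name, dyn_seq))
        dyn_name = next(e.dynamic for e in entries if e.name == name and e.seq == dyn_seq)
        cmds.append(f"no crypto map {name} {dyn_seq} ipsec-isakmp dynamic {dyn_name}")
        cmds.append(f"crypto map {name} {top_seq} ipsec-isakmp dynamic {dyn_name}")
    return cmds


if __name__ == "__main__":
    parsed = parse_crypto_maps(SAMPLE_CONFIG)
    for finding in find_misordered_dynamic_entries(parsed):
        print("dynamic entry evaluated before static entry:", finding)
    print("\n".join(remediation_commands(parsed)))
```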

  • L2l VPN with IPSEC NAT

    Hi all!

    I have a question about L2L VPN and NAT.

    Can I set up a VPN tunnel between two ASAs or routers using NAT translation of the inside private IP addresses to a single public IP address on the outside interface, and then define the interesting crypto traffic with the public IP address as source and the remote private network on the other end (also an ASA) as destination? For example, I want to translate a private network to the public IP address at one end and use the VPN tunnel with the public IP address as the source. Policy-NAT is not an option, because we really do not want to provide any IP addresses to the remote end, and the IP addresses of the remote end can overlap with our end.

    Thank you!

    Hello

    You can definitely set up an IPSec tunnel between two devices while translating your subnet to a single public IP address. You just create the translation and, as you mentioned, define the interesting traffic using the public IP address.

    This is exactly what we call policy NAT; I don't understand why you say that policy NAT is not an option. Perhaps you misunderstood the policy NAT concept or I misunderstood your question.

    For example, assuming that the private LAN at your side is 172.16.1.0/24, the remote subnet is 192.168.150.0/24, and the public IP address that you want to use is 200.200.200.200, your NAT config should look like this:

    access-list 199 permit ip 172.16.1.0 255.255.255.0 192.168.150.0 255.255.255.0
    global (outside) 6 200.200.200.200
    nat (inside) 6 access-list 199

    This would NAT the traffic to the public IP address only when the traffic matches the ACL.

    Your crypto ACL should then be something like:

    access-list cryptomap permit ip host 200.200.200.200 192.168.150.0 255.255.255.0

    That would hide your real addresses and all they see is the public IP address you give them. Note that since the NAT takes place on your side, your side will be able to bring up the tunnel.

    I hope this helps.

    Raga

  • Get 810 error message when you try to connect to the VPN using L2TP protocol

    Original title: L2TP will not let me connect.

    I am in Workstation 9 and in each virtual machine I have an AD DC (2K8R2 Enterprise), a CA and RRAS (2K8R2 Enterprise), and my last VM is a Win7 (they are all tests). None are updated, but PPTP and IKEv2 work without problem. The second server, which has the CA and RRAS, is a member of the AD DC's domain. The Win7 is not on the domain and I have a Win7 client certificate. I have ensured that the trusted root CA is in the user and computer Trusted Root CA stores. I have also ensured that the Win7 client certificate is in the user and computer personal stores. I get an 810 error message when I try to connect to the VPN using the L2TP protocol. I have exhaustively studied this problem and I can't find a solution to it. I also raised the functional level of the domain to 2K8R2.

    I think this should be a simple and easy solution, but where can I find the answer?
    Please help me.
    Thank you for your time.
    Allan.

    Hi Allan,

    The question you posted would be better suited to the TechNet Forums. I would recommend posting your query on the TechNet Forum site:

    http://social.technet.Microsoft.com/forums/en/category/w7itpro

    If you need any other assistance, let us know and we would be happy to help you.

  • VPN on PIX Newbie question

    Hello

    I need to create a site-to-site VPN; I have in mind a PIX 515e. Behind it is a Win2k network with a domain controller for authentication. Users at the remote site must be able to authenticate to this DC via the VPN.

    The two sites connect to the internet by cable modem and the remote site will have up to 10 users behind the PIX/VPN.

    Here are my questions:

    What kind of PIX hardware does the remote site need? A 501/506, or something else?

    Do I need a VPN concentrator, etc. at the head end?

    How the hell do I make it work?

    Sounds simple, right? I would appreciate a lot of help because I am a little confused. Thanks in advance.

    Marc

    Hello Mark,

    Here is an example of PIX to PIX VPN using IPSec:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml

    In addition, many more examples here to get you going, all authored by TAC:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/prod_configuration_examples_list.html

    Hope this helps - Jay

  • L2L VPN tunnel is reset during IPSec rekey

    I have an L2L VPN tunnel that resets completely, starting with Phase 1, at the expiration of the IPSec Security Association timer. Although there are several SAs, it always resets the whole tunnel.

    I see the following errors in the log when this happens:

    03/06/2013 12:54:41 Local7.Notice ipRemoved Jun 03 2013 12:54:41 LKM-NVP-L2L-01: %ASA-5-713050: Group = ipRemoved, IP = ipRemoved, Connection terminated for peer ipRemoved.  Reason: Peer Terminate  Remote Proxy N/A, Local Proxy N/A

    03/06/2013 12:54:41 Local7.Notice ipRemoved Jun 03 2013 12:54:41 LKM-NVP-L2L-01: %ASA-5-713259: Group = ipRemoved, IP = ipRemoved, Session is being torn down. Reason: User Requested

    03/06/2013 12:54:41 Local7.Warning ipRemoved Jun 03 2013 12:54:41 LKM-NVP-L2L-01: %ASA-4-113019: Group = ipRemoved, Username = ipRemoved, IP = ipRemoved, Session disconnected. Session Type: IKE, Duration: 4h:00m:06s, Bytes xmt: 260129, Bytes rcv: 223018, Reason: User Requested

    03/06/2013 12:55:33 Local7.Notice ipRemoved Jun 03 2013 12:55:33 LKM-NVP-L2L-01: %ASA-5-713041: IP = ipRemoved, IKE Initiator: New Phase 1, Intf inside, IKE Peer ipRemoved  local Proxy Address 204.139.127.24, remote Proxy Address 156.30.21.200,  Crypto map (L2LVPN)

    03/06/2013 12:55:33 Local7.Notice ipRemoved Jun 03 2013 12:55:33 LKM-NVP-L2L-01: %ASA-5-713119: Group = ipRemoved, IP = ipRemoved, PHASE 1 COMPLETED

    03/06/2013 12:55:33 Local7.Notice ipRemoved Jun 03 2013 12:55:33 LKM-NVP-L2L-01: %ASA-5-713049: Group = ipRemoved, IP = ipRemoved, Security negotiation complete for LAN-to-LAN Group (ipRemoved)  Initiator, Inbound SPI = 0x9213bdc9, Outbound SPI = 0x1799a099

    03/06/2013 12:55:33 Local7.Notice ipRemoved Jun 03 2013 12:55:33 LKM-NVP-L2L-01: %ASA-5-713120: Group = ipRemoved, IP = ipRemoved, PHASE 2 COMPLETED (msgid=b8a47603)

    03/06/2013 13:02:11 Local7.Notice ipRemoved Jun 03 2013 13:02:11 LKM-NVP-L2L-01: %ASA-5-713041: Group = ipRemoved, IP = ipRemoved, IKE Initiator: New Phase 2, Intf inside, IKE Peer ipRemoved  local Proxy Address 204.139.127.71, remote Proxy Address 156.30.21.200,  Crypto map (L2LVPN)

    03/06/2013 13:02:11 Local7.Notice ipRemoved Jun 03 2013 13:02:11 LKM-NVP-L2L-01: %ASA-5-713049: Group = ipRemoved, IP = ipRemoved, Security negotiation complete for LAN-to-LAN Group (ipRemoved)  Initiator, Inbound SPI = 0x93f9be6c, Outbound SPI = 0x1799a16d

    03/06/2013 13:02:11 Local7.Notice ipRemoved Jun 03 2013 13:02:11 LKM-NVP-L2L-01: %ASA-5-713120: Group = ipRemoved, IP = ipRemoved, PHASE 2 COMPLETED (msgid=1f6c9acd)

    Any thoughts on why it would do that?

    Thank you.

    Jason

    Hello

    Both the log messages seems to suggest that the remote end is closed/compensation connection.

    Is this a new connection that suffer from this problem or has it started on an existing connection?

    The Cisco documentation associated with the Syslog messages does really not all useful information about these log messages.

    I guess that your problem is that TCP by L2L VPN connections suffer from the complete renegotiations of the L2L VPN.

    I wonder if the following configuration could help, even if this situation persists:

    sysopt connection preserve-vpn-flows

    Here is a link to the ASA command reference (8.4 - 8.6 software) with a better explanation of this configuration.

    http://www.Cisco.com/en/us/docs/security/ASA/asa84/command/reference/S8.html#wp1538395

    It is not enabled by default on the ASA.

    Hope this helps

    -Jouni
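    To tell a tunnel that is being torn down and rebuilt apart from a new SA coming up for a different crypto-map entry, it helps to group the 713041 "New Phase" messages by peer and proxy (selector) pair and measure the time between repeats. The following script is an added example, not the poster's log or Cisco's tooling; the syslog lines are constructed in the standard %ASA-5-713041 format (the peer IP is a documentation address standing in for the redacted "ipRemoved", and the third Phase 2 line is added so a repeated selector pair is present).

```python
import re
from datetime import datetime

# Constructed ASA syslog sample (not the poster's raw log). Proxy addresses are the
# ones quoted in the thread; the peer IP 203.0.113.10 is a documentation placeholder.
SAMPLE_LOG = """\
Jun 03 2013 12:55:33 LKM-NVP-L2L-01 %ASA-5-713041: IP = 203.0.113.10, IKE Initiator: New Phase 1, Intf inside, IKE Peer 203.0.113.10  local Proxy Address 204.139.127.24, remote Proxy Address 156.30.21.200,  Crypto map (L2LVPN)
Jun 03 2013 12:55:33 LKM-NVP-L2L-01 %ASA-5-713119: Group = 203.0.113.10, IP = 203.0.113.10, PHASE 1 COMPLETED
Jun 03 2013 12:55:33 LKM-NVP-L2L-01 %ASA-5-713120: Group = 203.0.113.10, IP = 203.0.113.10, PHASE 2 COMPLETED (msgid=b8a47603)
Jun 03 2013 13:02:11 LKM-NVP-L2L-01 %ASA-5-713041: Group = 203.0.113.10, IP = 203.0.113.10, IKE Initiator: New Phase 2, Intf inside, IKE Peer 203.0.113.10  local Proxy Address 204.139.127.71, remote Proxy Address 156.30.21.200,  Crypto map (L2LVPN)
Jun 03 2013 13:02:11 LKM-NVP-L2L-01 %ASA-5-713120: Group = 203.0.113.10, IP = 203.0.113.10, PHASE 2 COMPLETED (msgid=1f6c9acd)
Jun 03 2013 13:09:00 LKM-NVP-L2L-01 %ASA-5-713041: Group = 203.0.113.10, IP = 203.0.113.10, IKE Initiator: New Phase 2, Intf inside, IKE Peer 203.0.113.10  local Proxy Address 204.139.127.24, remote Proxy Address 156.30.21.200,  Crypto map (L2LVPN)
"""

# Fields we need from a 713041 line: timestamp, IKE peer, local and remote proxy.
NEG_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d{4} \d\d:\d\d:\d\d) \S+ %ASA-\d-713041: .*?"
    r"IKE Peer (?P<peer>[\d.]+).*?local Proxy Address (?P<local>[\d.]+), "
    r"remote Proxy Address (?P<remote>[\d.]+)")


def parse_negotiations(text):
    """Return (time, peer, local proxy, remote proxy) for every %ASA-5-713041 line."""
    out = []
    for line in text.splitlines():
        m = NEG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
            out.append((ts, m["peer"], m["local"], m["remote"]))
    return out


def repeated_selectors(negs):
    """Map each (peer, local, remote) selector pair to the seconds between successive
    negotiations. A pair that reappears is being rebuilt; a pair seen once is simply
    a new SA for another crypto-map entry (as with .24 vs .71 in the sample)."""
    seen, gaps = {}, {}
    for ts, peer, local, remote in negs:
        key = (peer, local, remote)
        if key in seen:
            gaps.setdefault(key, []).append(int((ts - seen[key]).total_seconds()))
        seen[key] = ts
    return gaps


def flag_short_lived(gaps, lifetime_seconds=28800):
    """Selector pairs rebuilt in well under the IPsec SA lifetime (ASA default
    28800 s) are the ones worth checking against the remote peer's logs."""
    return sorted(k for k, g in gaps.items() if min(g) < lifetime_seconds / 2)
```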

  • Transaction management in the ADF Application using Dynamic Shell

    Hi all

    I use JDev 12.1.2. We have an application built using the Dynamic UI Shell design pattern, where each task flow in the application opens in a separate tab. So my question here is about using transaction management in the task flow.

    I have read in many places that we are advised to avoid "Always Begin New Transaction" as it would open multiple connections. But I also vaguely remember reading that the best practice in an application built using the Dynamic UI Shell is to have an isolated data control with "Always Begin New Transaction".

    So could you indicate the recommended approach for the Dynamic UI Shell and the performance impact of that approach?

    Note: we have just one data control in our application.

    Thanks in advance.

    Hello

    The transaction is not defined by the dynamic tab shell but by the task flow. The dynamic tab shell only displays the task flow in a tab. If you plan to display a single task flow several times as tabs in a dynamic tab shell, each showing a different set of data, then you use the "isolated" data control scope or "adaptive databinding" (https://blogs.oracle.com/groundside/entry/towards_ultra_reusability_for_adf). If you are using isolated data controls then, if you use ADF BC, each instance of the task flow (in a dynamic tab shell tab) creates its own connection to the database and its own transaction. The task flow transaction parameters are passed to it.

    So the use case matters: if you only display a single instance of a task flow at a time in a tab of the dynamic tab shell, then you can use the shared data control scope (default) without doing anything. If however you must show the same task flow multiple times, then either isolated data control or adaptive binding is the implementation you should go for. The first option, isolated data control, is expensive because it creates additional database connections. So it depends on the use case.

    Frank

  • Is it possible to change the definition of LOV uses dynamic action?

    Hello

    I have a multi-select LOV page item, P27_MULTI_CLASS_CODE, defined as below. On page load, this list contains only values based on what was passed to P27_OLO_CODE or P27_OLO_CODE_SW.

    SELECT DISTINCT c.class_code d, c.class_code r
      FROM ORGANIZATION o,
           POSITION p,
           CLASS c
     WHERE o.org_wk = p.org_wk
       AND p.class_wk = c.class_wk
       AND o.org_active_flag = 'Y'
       AND p.pos_active_flag = 'Y'
       AND c.class_active_flag = 'Y'
       AND (o.olo_code = :P27_OLO_CODE
            OR o.olo_code = :P27_OLO_CODE_SW)
     ORDER BY c.class_code ASC

    Before submitting the page, I want the LOV definition of P27_MULTI_CLASS_CODE to change to the following (a similar query without reference to P27_OLO_CODE or P27_OLO_CODE_SW), based on whether the user selects a checkbox, P27_ALLOW_SW. In doing so, P27_MULTI_CLASS_CODE would contain a wider range of values rather than the limited values.

    SELECT DISTINCT c.class_code d, c.class_code r
      FROM ORGANIZATION o,
           POSITION p,
           CLASS c
     WHERE o.org_wk = p.org_wk
       AND p.class_wk = c.class_wk
       AND o.org_active_flag = 'Y'
       AND p.pos_active_flag = 'Y'
       AND c.class_active_flag = 'Y'
     ORDER BY c.class_code ASC

    I wanted to avoid writing JavaScript. Is this possible using dynamic actions... or at least somehow updating P27_MULTI_CLASS_CODE so that it ignores P27_OLO_CODE and P27_OLO_CODE_SW?

    I tried creating a dynamic action to clear the value of P27_OLO_CODE or P27_OLO_CODE_SW, in the hope this would trigger P27_MULTI_CLASS_CODE to display all the values, but it failed. Any ideas?

    APEX 4.2

    You can do this by editing the LOV query a little:

    SELECT DISTINCT c.class_code d, c.class_code r
      FROM ORGANIZATION o,
           POSITION p,
           CLASS c
    WHERE o.org_wk = p.org_wk
       AND p.class_wk = c.class_wk
       AND o.org_active_flag = 'Y'
       AND p.pos_active_flag = 'Y'
       AND c.class_active_flag = 'Y'
       AND ((:P27_ALLOW_SW = 'Y' AND (o.olo_code = :P27_OLO_CODE OR o.olo_code = :P27_OLO_CODE_SW))
            OR :P27_ALLOW_SW = 'N')
    ORDER BY c.class_code ASC
    

    (of course, use the correct value for P27_ALLOW_SW)

    Set the "Cascading LOV Parent Item(s)" value to P27_ALLOW_SW and also add it to "Page Items to Submit" (note: this field appears only when you have entered a value in the cascading LOV parent items field).

    Now, after changing P27_ALLOW_SW, the LOV of P27_MULTI_CLASS_CODE will update.

  • WRV200/Quick VPN and dynamic DNS

    Linksys support states that I need to contact Verizon DSL to get a public IP address and set up a "bridged connection" in the DSL modem. I would like to try it anyway using dynamic DNS. If someone has succeeded with this change, I would appreciate some tips.

    To use dynamic DNS on the WRV you need a public IP address on the WRV, and for that the modem needs to be bridged. This brings you straight back to where you already are.

  • Can I use dynamic subject line in email?

    Hello

    Can I use dynamic subject line in email?

    Hi Sanjiv Yadav, yes, we can. For this we need to put dynamic content on that particular line or section. Thanks, Eloqua Expert
