LAN-to-LAN 837 to 3000 series one-way traffic

Hello

Not even sure that there is even one-way traffic. The 837 is encrypting and the 3000 series Rx counter increments, but nothing shows on decrypt and Tx respectively.

Following the Cisco IOS and concentrator configuration guides religiously.

The 837 ipsec crypto debugs seem to show that SAs are created - when they actually decide to show themselves on the console.

Routing is not a problem - unless you consider static routes on the 3000. Am I supposed to create a static route to send traffic to the remote LAN (837) out the public interface? Or is it not necessary to have a route, as the SA definition will determine the tunnel to go down?

Unfortunately there are no other LAN-to-LAN tunnels on the 3000 to compare against for these questions, and I have no lab.

Any help would be welcome. Of course, I can provide more information, whatever is necessary. I am at my wits' end with this one. So simple and yet not working - I must be doing something stupid.

Thank you

If the tunnel is up and you're getting traffic in one direction and not the other, it is usually routing.

The 831 sends traffic to the 3000 and the 3000 receives it, judging from your counters. The problem is probably that the hosts behind the 3000 do not know how to get back to the LAN behind the 831. Your internal network behind the 3000 will need a route to the 831 LAN that points to the inside interface of the 3000. The 3000 just needs a default gateway pointing out the public interface.

On the 3000's local network, if you have no internal router at all and your inside hosts are directly connected to the same hub/switch as the 3000's private interface, then each host will need a static route to the 831 LAN that points to the 3000's private interface (this is assuming of course that the 3000 is not the default gateway for the hosts, which it usually is not).

Keep in mind that if you see no TX packets at all on the 3000, then the 3000 is not even seeing the packets from its inside hosts that are destined for the 831 LAN; check the local routing behind the 3000 to see what is happening.
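The answer above comes down to a longest-prefix-match question: which route wins for the remote LAN on each box along the return path? The following is an added example (not code from the original thread or from Cisco) that models that lookup for two cases: an inside host whose default gateway is an internal router rather than the VPN device, and a VPN device whose broad inside summary route swallows the remote subnet, the overlapping-route problem a later thread on this page runs into. All addresses, interface names and hostnames are constructed for the example.

```python
"""Longest-prefix-match lookups that reproduce the one-way VPN routing
failures discussed in this thread. Every address and interface name here is
constructed for the example; none is taken from a poster's network."""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    interface: str
    next_hop: Optional[str]  # None means "directly connected"


def make_table(entries) -> List[Route]:
    """Build a routing table from (prefix, interface, next_hop) tuples."""
    return [Route(ipaddress.ip_network(p), i, nh) for p, i, nh in entries]


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route covering dst wins.
    Returns None when nothing (not even a default route) covers dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for route in table:
        if addr in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def vpn_return_path_problems(table: List[Route], remote_lan: str, expected_iface: str,
                             expected_next_hop: Optional[str] = None) -> List[str]:
    """Explain why traffic for the remote VPN LAN would miss the tunnel.
    The route covering the remote LAN must leave through expected_iface and,
    on a host, point at the VPN device as its next hop; a more specific route
    hidden inside the remote LAN that points elsewhere is reported too."""
    remote = ipaddress.ip_network(remote_lan)
    problems: List[str] = []
    chosen = lookup(table, str(remote.network_address))
    if chosen is None:
        return [f"no route covers {remote}"]
    if chosen.interface != expected_iface:
        problems.append(f"{remote} follows {chosen.prefix} out {chosen.interface}, expected {expected_iface}")
    elif expected_next_hop and chosen.next_hop != expected_next_hop:
        problems.append(f"{remote} follows {chosen.prefix} to next hop {chosen.next_hop}, expected {expected_next_hop}")
    for route in table:
        if route.prefix != remote and route.prefix.subnet_of(remote) and route.interface != expected_iface:
            problems.append(f"more specific {route.prefix} via {route.interface} overrides part of {remote}")
    return problems


# Constructed topology: hosts on 10.10.0.0/24 sit behind the VPN device, whose
# private interface is 10.10.0.254; their default gateway is an internal router
# at 10.10.0.1. The LAN behind the remote peer is 10.20.0.0/24.
REMOTE_LAN = "10.20.0.0/24"
VPN_DEVICE_INSIDE = "10.10.0.254"
INSIDE_ROUTER = "10.10.0.1"

# Case 1: the host has never heard of the remote LAN, so replies go to the
# internal router and the VPN device never sees them (TX stays at zero).
HOST_MISSING_ROUTE = make_table([
    ("10.10.0.0/24", "eth0", None),
    ("0.0.0.0/0", "eth0", INSIDE_ROUTER),
])
# Case 1 fixed: the static route the answer recommends, pointing at the VPN device.
HOST_FIXED = make_table([
    ("10.10.0.0/24", "eth0", None),
    (REMOTE_LAN, "eth0", VPN_DEVICE_INSIDE),
    ("0.0.0.0/0", "eth0", INSIDE_ROUTER),
])
# Case 2: the VPN device carries a broad summary route for "inside" that also
# covers the remote LAN, so the lookup beats the default route and the packet
# is sent back inside instead of out the public interface to the tunnel.
DEVICE_OVERLAP = make_table([
    ("0.0.0.0/0", "outside", "203.0.113.1"),
    ("10.0.0.0/8", "inside", INSIDE_ROUTER),
])
# Case 2 fixed: a more specific route for the remote LAN out the public interface.
DEVICE_FIXED = DEVICE_OVERLAP + make_table([(REMOTE_LAN, "outside", "203.0.113.1")])


if __name__ == "__main__":
    for name, table, iface, nh in [
        ("host, missing route", HOST_MISSING_ROUTE, "eth0", VPN_DEVICE_INSIDE),
        ("host, fixed", HOST_FIXED, "eth0", VPN_DEVICE_INSIDE),
        ("vpn device, overlapping summary", DEVICE_OVERLAP, "outside", None),
        ("vpn device, fixed", DEVICE_FIXED, "outside", None),
    ]:
        chosen = lookup(table, "10.20.0.5")
        print(f"{name}: 10.20.0.5 -> {chosen.prefix} via {chosen.interface} {chosen.next_hop}")
        for problem in vpn_return_path_problems(table, REMOTE_LAN, iface, nh):
            print("   ", problem)
```

Running it shows the two failure shapes side by side: in case 1 the host's default route carries the reply to the internal router, and in case 2 the /8 summary beats the default route on the VPN device, so in both the packet never reaches the crypto map. Each fix is a single more-specific route, which is exactly what the reply recommends.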

Tags: Cisco Security

Similar Questions

  • VPN Cisco ASA 5540 L2L - one-way traffic only for the pair to a network

    Hello

    I'm a little confused as to what the problem is. This is the premise for the problem I am facing.

    One of our big clients has a Cisco ASA5540 (8.2(2)) failover pair (active/standby). Early last year we configured a LAN-to-LAN VPN to a 3rd party site (a Checkpoint device on their end). It worked until early this week, when suddenly the connection had problems.

    Only 1 of the 3 networks/hosts can access the remote network on the other side. The 2 others have suddenly stopped working. We do not know of any change on our side and the remote end also insists that their end configurations are correct (and what information they sent me seems to be correct).

    So essentially the crypto ACL is configured as follows:

    access-list line 1 extended permit ip host 10.238.57.21 host 10.82.0.202 (hitcnt=2)
    access-list line 2 extended permit ip 10.207.0.0 255.255.0.0 10.82.0.200 255.255.255.252 (hitcnt=198)
    access-list line 3 extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252 (hitcnt=173)

    NAT exemption has been configured as follows (interface names modified):

    nat (interface1) 0 access-list INSIDE-VPN-SHEEP

    access-list INSIDE-VPN-SHEEP line 1 extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
    access-list INSIDE-VPN-SHEEP line 2 extended permit ip host 10.238.57.21 host 10.82.0.202

    nat (interface2) 0 access-list VPN-SHEEP

    access-list VPN-SHEEP line 1 extended permit ip 10.207.0.0 255.255.0.0 10.82.0.200 255.255.255.252

    After the problem started, only connections from the 10.207.0.0/16 network worked to the remote site 10.82.0.200/30. All other connections do not work.

    There has been no change made on our side, and the remote side also insists there has been no change. I also checked how long the ASAs have been up and how long the same device has been active in the failover. Both have been the same amount of time (about a year).

    The main problem is that users of the 10.231.191.0/24 network can't access the remote network. However, the remote users can initiate and bring up the VPN on their side but never get any return traffic. I've also checked that the routes are configured correctly in the core routers so that the return traffic for their connections should go back to the firewall.

    I also used "packet-tracer" to try to bring up the VPN tunnel (and it passes the VPN phases). To my understanding "packet-tracer" alone, with the source and destination IP addresses, should activate the VPN connection (even if it generates no actual traffic through the tunnel).

    This is the output of the following command: "packet-tracer input interface1 tcp 10.231.191.100 1025 10.82.0.203 80"

    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list

    Phase: 2
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow

    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in 10.82.0.200 255.255.255.252 outside

    Phase: 4
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group interface1 in interface interface1
    access-list extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
    Additional Information:

    Phase: 5
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 6
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    class-map inspection_default
     match default-inspection-traffic
    policy-map global_policy
     class inspection_default
      inspect http
    service-policy global_policy global
    Additional Information:

    Phase: 7
    Type: FOVER
    Subtype: standby-update
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 8
    Type: NAT-EXEMPT
    Subtype:
    Result: ALLOW
    Config:
    nat-control
      match ip inside 10.231.191.0 255.255.255.0 outside 10.82.0.200 255.255.255.252
        NAT exempt
        translate_hits = 32, untranslate_hits = 35251
    Additional Information:

    - Phase 9 is a static NAT to another interface, unrelated to the problem. Don't know why it shows up in the output.

    Phase: 9
    Type: NAT
    Subtype: host-limits
    Result: ALLOW
    Config:
    static (interface1,interface3) 10.231.0.0 10.231.0.0 netmask 255.255.0.0
    nat-control
      match ip inside 10.231.0.0 255.255.0.0 interface3 any
        static translation to 10.231.0.0
        translate_hits = 153954, untranslate_hits = 88
    Additional Information:

    - Phase 10 seems to be the default NAT for the local network when traffic goes to the Internet.

    Phase: 10
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (interface1) 5 10.231.191.0 255.255.255.0
    nat-control
      match ip inside 10.231.191.0 255.255.255.0 outside any
        dynamic translation to pool 5 (y.y.y.y)
        translate_hits = 3048900, untranslate_hits = 77195
    Additional Information:

    Phase: 11
    Type: VPN
    Subtype: encrypt
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 12
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 13
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 14
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 1047981896, packet dispatched to next module

    Result:
    input-interface: interface1
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow

    So, basically, the connection should properly go to the L2L VPN, but yet it does not. I tried to generate traffic from a client (with the source IP address in the client network) and I see the connection on the firewall, but yet there are absolutely no encapsulated packets when I check "show crypto ipsec sa" for this L2L VPN connection. It's almost as if the firewall only forwards the packets out the external interface instead of encapsulating them for the VPN?

    And as I said, at the same time the remote end can activate the connection between these 2 networks just fine, but just won't get any traffic back for their ICMP echo messages.

    access-list extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
    local ident (addr/mask/prot/port): (10.231.191.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (10.82.0.200/255.255.255.252/0/0)
    current_peer: y.y.y.y

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 131, #pkts decrypt: 131, #pkts verify: 131
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
    #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
    #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
    #send errors: 0, #recv errors: 0

    If it was just a routing problem it would be a simple thing to fix, but it is not, because I can see the connection on the firewall (I have confirmed it through the core router), but the packets just don't get passed on to the VPN connection.

    Could this happen due to a bug in the ASA software? Would this be something with the Checkpoint VPN device? (I have absolutely no experience with Checkpoint devices.)

    If there is any essential information that I can give, please ask.

    -Jouni

    Jouni,

    8.2.4.1 is the minimum - 8.2.4 had some issues (including TCP proxy).

    If this does not resolve the problem - I suggest opening a TAC case to get to the bottom of this ;-)

    Marcin

  • VPN site to Site one-way traffic

    Hi all

    I set up a site-to-site VPN and everything works well from the remote site to the corporate site, but from the corporate site ASA 5510 I can't access the remote site ASA 5505.  I checked the logging on the ASA and I can see the packets being dropped, but I can't find what I need to do to allow this traffic through.  Here is most of my 5510 config; I'm sure it's something simple I'm missing, but I can't work it out, please help.

    REMOTE network is 192.168.72.0

    : Saved
    : Written by enable_15 at 10:29:17.163 GMT/BDT Thu Jun 10 2010
    !
    ASA Version 8.0(5)
    !
    hostname Casa
    domain-name uk
    enable password VgZT0UwPdkSV9l7N encrypted
    passwd zlo5ImUVRkHl4lcl encrypted
    names
    name 192.168.103.14 CITRIX-device description CITRIX Appliance
    name 192.168.3.12 villages description villages
    dns-guard
    !
    interface Ethernet0/0
     nameif outside
     security-level 0
     ip address x.x.x.123 255.255.255.224
    !
    interface Ethernet0/1
     nameif inside
     security-level 100
     ip address 192.168.3.254 255.255.255.0
    !
    interface Ethernet0/2
     nameif dmz
     security-level 50
     ip address 192.168.103.254 255.255.255.0
    !
    interface Ethernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     nameif management
     security-level 100
     ip address 192.168.1.1 255.255.255.0
     management-only
    !
    boot system disk0:/asa805-k8.bin
    boot system disk0:/asa707-k8.bin
    ftp mode passive
    clock timezone GMT/UTC 0
    clock summer-time GMT/BDT recurring last Sun Mar 01:00 last Sun Oct 02:00
    dns server-group DefaultDNS
     domain-name uk
    object-group network ExternalAccess
     description hosts allowed direct web access
     network-object SVR-01 255.255.255.255
     network-object SVR-GIS 255.255.255.255
     network-object host cient
     network-object host villages
    object-group network ExternalAccessFromDMZ
     description hosts allowed direct web access from DMZ
     network-object CITRIX-device 255.255.255.255
     network-object IRONPORT1 255.255.255.255
     network-object worker 255.255.255.255
    object-group service MitelUDPinternet udp
     description Mitel UDP services on the internet
     port-object range 20000 27000
     port-object eq sip
     port-object eq 5064
    object-group service MitelTCPinternet tcp
     description Mitel TCP services on the internet
     port-object eq 2114
     port-object eq 2116
     port-object eq 35000
     port-object eq 37000
     port-object eq 3998
     port-object range 6801 6802
     port-object eq 6880
     port-object eq www
     port-object eq https
     port-object eq 6800
     port-object eq 3478
     port-object eq sip
     port-object eq ssh
    object-group service MitelTCPinternetOpt tcp
     description Mitel TCP optional services on the internet
     port-object eq 3300
     port-object range 6806 6807
     port-object range 36005 36005
     port-object range 36005 36006
     port-object eq 3478
     port-object eq sip
    object-group service MitelUDP2LAN udp
     description Mitel UDP services to the LAN
     port-object range 1024 65535
     port-object eq sip
    object-group service MitelTCP2LAN tcp
     description Mitel TCP services to the LAN
     port-object eq 2114
     port-object eq 2116
     port-object eq 35000
     port-object eq 37000
     port-object eq 1606
     port-object eq 4443
     port-object eq 3998
     port-object eq 3999
     port-object range 6801 6802
     port-object eq 6880
     port-object eq www
     port-object eq https
     port-object eq 3478
     port-object eq sip
    access-list acl_outside extended permit icmp any any echo-reply
    access-list acl_outside extended permit icmp any any unreachable
    access-list acl_outside extended permit icmp any any source-quench
    access-list acl_outside extended permit tcp any host Mail_Outside_AGH eq smtp
    access-list acl_outside extended permit tcp any host Mail_Outside_AGH eq https
    access-list acl_outside extended permit tcp any host x.x.x.123 eq ssh
    access-list acl_outside extended permit tcp host x.x.x.x host Icritical_Outside eq ssh
    access-list acl_outside extended permit tcp any host Citrix_Portal_outside eq 8088
    access-list acl_outside extended permit tcp any host Citrix_Portal_outside eq https
    access-list acl_outside extended permit tcp any host Citrix_Portal_outside eq 8081
    access-list acl_outside extended permit tcp any host Mail_Outside_AVON eq smtp
    access-list acl_outside extended permit tcp any host Mail_Outside_AVON eq https
    access-list acl_outside extended permit udp host x.x.x.x host Icritical_Outside eq snmp
    access-list acl_outside extended permit udp host x.x.x.x host Icritical_Outside eq snmp
    access-list acl_outside extended permit tcp any host teleworker_outside object-group MitelTCPinternet
    access-list acl_outside extended permit udp any host teleworker_outside object-group MitelUDPinternet
    access-list acl_outside extended permit tcp any host teleworker_outside object-group MitelTCPinternetOpt
    access-list acl_outside extended permit tcp host x.x.x.x host Icritical_Outside eq ssh
    access-list acl_outside extended permit udp any host ESX-PAL-01 eq ntp
    access-list acl_outside extended permit udp any host ESX-PAL-02 eq ntp
    access-list acl_outside extended permit udp any host ESX-PAL-03 eq ntp
    access-list inside_outbound_nat0_acl extended permit ip 192.168.1.0 255.255.255.0 172.30.100.0 255.255.255.224 inactive
    access-list inside_outbound_nat0_acl extended permit ip any 172.31.1.0 255.255.255.0
    access-list inside_outbound_nat0_acl extended permit ip 192.168.3.0 255.255.255.0 192.168.103.0 255.255.255.0
    access-list inside_outbound_nat0_acl extended permit ip 192.168.3.0 255.255.255.0 192.168.72.0 255.255.255.0
    access-list inside_pnat_outbound extended permit ip object-group ExternalAccess any
    access-list acl_dmz extended permit ip host IRONPORT1 host Mail_Inside_AGH
    access-list acl_dmz extended permit udp host IRONPORT1 host pal-svr-22 eq domain
    access-list acl_dmz extended permit tcp host IRONPORT1 host pal-svr-22 eq 3268
    access-list acl_dmz extended permit udp host IRONPORT1 host ARM-SVR-01 eq domain
    access-list acl_dmz extended permit tcp host IRONPORT1 host ARM-SVR-01 eq 3268
    access-list acl_dmz extended permit udp host IRONPORT1 host Pal-Svr-17 eq domain
    access-list acl_dmz extended permit icmp host IRONPORT1 host Mail_Inside_AGH
    access-list acl_dmz extended permit ip 192.168.103.0 255.255.255.0 any
    access-list acl_dmz extended permit tcp host CITRIX-device host CITRIXCSG-lan eq https inactive
    access-list acl_dmz extended permit ip any host CITRIXCSG-lan inactive
    access-list acl_dmz extended permit tcp host IRONPORT1 host Mail_Outside_AGH eq smtp
    access-list acl_dmz extended permit tcp host teleworker host 192.168.20.1 object-group MitelTCP2LAN
    access-list acl_dmz extended permit udp host teleworker host 192.168.20.1 object-group MitelUDP2LAN
    access-list dmz_pnat_outbound extended permit ip object-group ExternalAccessFromDMZ any
    access-list dmz_nat0_inbound extended permit ip 192.168.103.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list dmz_nat0_inbound extended permit ip host teleworker host 192.168.20.1
    access-list inside_pnat_outbound_AVON extended permit ip 192.168.21.0 255.255.255.0 any
    access-list inside_pnat_outbound_AVON extended permit ip 192.168.22.0 255.255.255.0 any
    access-list inside_pnat_outbound_AVON extended permit ip 192.168.23.0 255.255.255.0 any
    access-list inside_pnat_outbound_AVON extended permit ip 192.168.24.0 255.255.248.0 any
    access-list inside_pnat_outbound_AVON extended permit ip 192.168.32.0 255.255.240.0 any
    access-list inside_pnat_outbound_AVON extended permit ip 192.168.48.0 255.255.248.0 any
    access-list inside_pnat_outbound_AVON extended permit ip 192.168.56.0 255.255.252.0 any
    access-list inside_pnat_outbound_AVON extended permit ip 192.168.60.0 255.255.255.0 any
    access-list extended permit ip any any
    access-list inside_nat_AVON_Marshall extended permit ip host Mail_Inside_AVON any
    access-list dmz_pnat1_outbound extended permit ip host teleworker any
    access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.72.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    logging mail notifications
    logging from-address uk
    logging recipient-address [email protected] level critical
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    mtu management 1500
    ip local pool vpnpool 172.31.1.1-172.31.1.254 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp deny any echo dmz
    icmp permit any dmz
    asdm image disk0:/asdm-625-53.bin
    asdm location SVR-01 255.255.255.255 inside
    asdm location svr-02 255.255.255.255 inside
    asdm location IRONPORT1 255.255.255.255 dmz
    asdm location 194.81.55.226 255.255.255.255 dmz
    asdm location server 255.255.255.255 inside
    asdm location CITRIX-device 255.255.255.255 dmz
    asdm group ExternalAccess inside
    asdm group ExternalAccessFromDMZ dmz
    no asdm history enable
    arp timeout 14400
    global (outside) 2 x.x.x.121
    global (outside) 1 x.x.x.125
    global (outside) 3 Mail_Outside_AVON
    global (outside) 4 Mail_Outside_AGH
    global (outside) 5 teleworker_outside
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 2 access-list inside_pnat_outbound_AVON
    nat (inside) 3 access-list inside_nat_AVON_Marshall
    nat (inside) 1 access-list inside_pnat_outbound
    nat (dmz) 0 access-list dmz_nat0_inbound outside
    nat (dmz) 4 access-list dmz_pnat_outbound
    nat (dmz) 5 access-list dmz_pnat1_outbound
    static (inside,outside) tcp Icritical_Outside ssh Icritical ssh netmask 255.255.255.255
    static (inside,outside) tcp Mail_Outside_AGH https Mail_Inside_AGH https netmask 255.255.255.255
    static (dmz,outside) tcp Mail_Outside_AGH smtp IRONPORT1 smtp netmask 255.255.255.255
    static (inside,outside) tcp Mail_Outside_AVON https Exchange_Inside_AVON https netmask 255.255.255.255
    static (inside,outside) tcp Mail_Outside_AVON smtp Mail_Inside_AVON smtp netmask 255.255.255.255
    static (inside,outside) udp Icritical_Outside snmp Icritical snmp netmask 255.255.255.255
    static (dmz,outside) Citrix_Portal_outside CITRIX-device netmask 255.255.255.255
    static (inside,outside) Mail_Outside_AVON Mail_Inside_AVON netmask 255.255.255.255
    static (dmz,outside) teleworker_outside teleworker netmask 255.255.255.255
    access-group acl_outside in interface outside
    access-group acl_dmz in interface dmz
    route outside 0.0.0.0 0.0.0.0 X.X.X.254 1
    route inside 192.168.0.0 255.255.0.0 192.168.3.3 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http oner 255.255.255.255 inside
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer r.r.r.244
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    no crypto isakmp nat-traversal
    telnet timeout 5
    ssh x.x.x.x 255.255.255.255 outside
    ssh Mail_Inside_AGH 255.255.255.255 inside
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    !
    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server SVR-DC1 source inside prefer
    group-policy VPN internal
    group-policy VPN attributes
     wins-server value 192.168.x.x 192.168.x.x
     dns-server value 192.168.x.x 192.168.x.x
     ipsec-udp enable
     default-domain value ACE
    username VPN password pmmPwcDD/inpnNfB encrypted privilege 0
    username VPN attributes
     vpn-group-policy VPN
    tunnel-group VPN type remote-access
    tunnel-group VPN general-attributes
     address-pool vpnpool
     default-group-policy VPN
    tunnel-group VPN ipsec-attributes
     pre-shared-key *
    tunnel-group r.r.r.244 type ipsec-l2l
    tunnel-group r.r.r.244 ipsec-attributes
     pre-shared-key *
    tunnel-group-map default-group r.r.r.244
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns migrated_dns_map_1
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns migrated_dns_map_1
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect netbios
      inspect tftp
      inspect sip
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:8360816431357f109b3c4b950d545c86
    : end

    This route overlaps with the remote network:

    route inside 192.168.0.0 255.255.0.0 192.168.3.3 1

    I suggest making this a more specific subnet, or adding something like

    route outside 192.168.72.0 255.255.255.0 outside_default_gateway_ip

    If the above does not help, run packet-tracer to simulate the traffic that fails on the 5510.

    http://www.Cisco.com/en/us/docs/security/ASA/asa80/command/reference/p.html#wp1878788

    Kind regards

  • debugging/troubleshooting IPSec one-way traffic tunnel

    I'm putting up a corporate IPSec network consisting of a UC520 at the head end (headquarters) and several Linksys WRV routers as remote nodes/networks.  I see the ISAKMP and IPSec SAs on both ends and I can ping the UC520's internal IP from the remote networks.  However, I cannot ping any other IP on the corporate network.

    In "show cry ips sa" I see packets are decapsulated (remote to corporate) but none are encapsulated (corporate to remote).  I can also see (from a traceroute) that corporate-to-remote packets are sent to the UC520's default gateway toward the Internet instead of being placed in the tunnel.  This jives with what I see with "sho cry ips sa".

    I made sure to create an ACL for NAT so that the corporate-to-remote subnets are not translated, but I don't know what else to check.  I tried to do a "debug ip packet detail xxx" with an ACL matching corporate-to-remote traffic, but the debug and the ACL get no hits.

    Any other ideas?

    Thank you
    Diego

    Well, it looks like your NAT exemption does not work. Check "show ip nat trans" to confirm this while sending traffic.

    Can you maybe post your NAT config (all of it)?

  • One-way traffic DMVPN

    Setting up the first spoke in a mesh network. The VPN connects fine and there is some traffic over it, however it looks like nothing gets encrypted. I see EIGRP and NHRP trying to go back and forth, but neither with great success. Any ideas where to look?

    E-townInternet#show cry ipsec sa

    interface: Tunnel0
        Crypto map tag: Tunnel0-head-0, local addr 67.235.62.74

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (xx/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (xx/255.255.255.255/47/0)
       current_peer xx port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 1646, #pkts decrypt: 1646, #pkts verify: 1646
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

         local crypto endpt.: xx, remote crypto endpt.: xx
         path mtu 1500, ip mtu 1500
         current outbound spi: 0x1DAF1EB4(498015924)

         inbound esp sas:
          spi: 0x3E489DA4(1044946340)
            transform: esp-3des esp-md5-hmac ,
            in use settings ={Tunnel, }
            conn id: 3003, flow_id: FPGA:3, crypto map: Tunnel0-head-0
            sa timing: remaining key lifetime (k/sec): (4585669/53)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0x1DAF1EB4(498015924)
            transform: esp-3des esp-md5-hmac ,
            in use settings ={Tunnel, }
            conn id: 3005, flow_id: FPGA:5, crypto map: Tunnel0-head-0
            sa timing: remaining key lifetime (k/sec): (4585672/53)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         outbound ah sas:

         outbound pcp sas:
    E-townInternet#

    Neil,

    The EIGRP retry limit is hit when no complete NHRP mapping has been built.

    You mean the tunnel interface itself flaps (going up/down)?

    Marcin

  • Traffic permitted only one-way for VPN-connected computers

    Hello

    I currently have an ASA 5505.  I set it up as a remote access SSL VPN. My computers can connect to the VPN fine.  They just cannot access the internal network (192.168.250.0).  They cannot ping the inside interface of the ASA, nor any of the machines.  It seems that all traffic is blocked for them.  The strange thing is that when someone is connected to the VPN, I can ping this VPN-connected machine from the ASA and from other machines inside the LAN.  It seems that traffic is allowed only one way.  I messed around with ACLs with nothing working.  Any suggestions please?

    DHCP pool: 192.168.250.20 - 50 --> for the LAN

    VPN pool: 192.168.250.100 and 192.168.250.101

    Outside interface gets DHCP from the modem

    The inside interface: 192.168.1.1

    Current running config:

    : Saved
    :
    ASA Version 8.2(5)
    !
    hostname HardmanASA
    enable password # encrypted
    passwd # encrypted
    names
    !
    interface Ethernet0/0
     switchport access vlan 20
    !
    interface Ethernet0/1
     switchport access vlan 10
    !
    interface Ethernet0/2
     switchport access vlan 10
    !
    interface Ethernet0/3
     shutdown
    !
    interface Ethernet0/4
     shutdown
    !
    interface Ethernet0/5
     shutdown
    !
    interface Ethernet0/6
     shutdown
    !
    interface Ethernet0/7
     switchport access vlan 10
    !
    interface Vlan1
     no nameif
     no security-level
     no ip address
    !
    interface Vlan10
     nameif inside
     security-level 100
     ip address 192.168.250.1 255.255.255.0
    !
    interface Vlan20
     nameif outside
     security-level 0
     ip address dhcp setroute
    !
    ftp mode passive
    dns domain-lookup inside
    dns domain-lookup outside
    pager lines 24
    mtu inside 1500
    mtu outside 1500
    ip local pool VPN_Pool 192.168.250.100-192.168.250.101 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 10 192.168.250.0 255.255.255.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.250.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh 192.168.250.0 255.255.255.0 inside
    ssh timeout 5
    ssh version 2
    console timeout 0
    dhcpd dns 8.8.8.8
    !
    dhcpd address 192.168.250.20-192.168.250.50 inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     enable outside
     svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
     svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
     svc image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3
     svc enable
     tunnel-group-list enable
    group-policy DfltGrpPolicy attributes
     dns-server value 8.8.8.8
     vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    tunnel-group AnyConnect type remote-access
    tunnel-group AnyConnect general-attributes
     address-pool VPN_Pool
    tunnel-group AnyConnect webvpn-attributes
     group-alias AnyConnect enable
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios

    inspect the rsh

    inspect the rtsp

    inspect the skinny

    inspect esmtp

    inspect sqlnet

    inspect sunrpc

    inspect the tftp

    inspect the sip

    inspect xdmcp

    !

    global service-policy global_policy

    context of prompt hostname

    no remote anonymous reporting call

    call-home

    Profile of CiscoTAC-1

    no active account

    http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address

    email address of destination [email protected] / * /

    destination-mode http transport

    Subscribe to alert-group diagnosis

    Subscribe to alert-group environment

    Subscribe to alert-group monthly periodic inventory

    monthly periodicals to subscribe to alert-group configuration

    daily periodic subscribe to alert-group telemetry

    Cryptochecksum:30fadff4b400e42e73e17167828e046f

    : end

    Hello

    No worries.

    I would make the following changes to the config.

    First, it is strongly recommended to use a different IP address range for the VPN clients than for the internal network:

    no ip local pool VPN_Pool 192.168.250.100-192.168.250.101 mask 255.255.255.0
    ip local pool VPN_Pool 192.168.251.100-192.168.251.101 mask 255.255.255.0
    access-list NAT_0 permit ip 192.168.250.0 255.255.255.0 192.168.251.0 255.255.255.0
    nat (inside) 0 access-list NAT_0

    Then give it a try, and if it works, rate this post hehe
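    The two problems the answer above fixes (a VPN pool carved out of the inside LAN, and no NAT exemption for traffic from the LAN to the VPN clients) are easy to check mechanically before a config is pushed. The following lint is an added example, not code from the poster or from Cisco; it parses only the ASA 8.2 syntax that appears in this thread (`interface`/`nameif`/`ip address`, `ip local pool`, `access-list ... permit ip`, `nat (inside) 0 access-list`) and runs over two constructed excerpts: the posted config and the same excerpt with the answer's changes applied. The function `nat_exempt_lines` generates the exemption pair for any inside subnet and pool.

```python
"""Lint an ASA 8.2 remote-access VPN config for an overlapping pool and a
missing NAT exemption.  Added example; config excerpts are constructed
from the thread above, not a complete running config."""
import ipaddress
import re
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address

# Constructed excerpt of the posted config: pool inside the LAN, no nat 0.
ORIGINAL = """\
interface Vlan10
 nameif inside
 security-level 100
 ip address 192.168.250.1 255.255.255.0
interface Vlan20
 nameif outside
 security-level 0
 ip address dhcp setroute
ip local pool VPN_Pool 192.168.250.100-192.168.250.101 mask 255.255.255.0
global (outside) 10 interface
nat (inside) 10 192.168.250.0 255.255.255.0
"""

# Same excerpt with the answer's changes: separate pool range plus NAT exemption.
FIXED = """\
interface Vlan10
 nameif inside
 security-level 100
 ip address 192.168.250.1 255.255.255.0
ip local pool VPN_Pool 192.168.251.100-192.168.251.101 mask 255.255.255.0
access-list NAT_0 extended permit ip 192.168.250.0 255.255.255.0 192.168.251.0 255.255.255.0
global (outside) 10 interface
nat (inside) 0 access-list NAT_0
nat (inside) 10 192.168.250.0 255.255.255.0
"""


def inside_network(config: str) -> Net:
    """Subnet of the interface whose nameif is 'inside'."""
    block: List[str] = []  # lines of the interface block being read
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            block = []
        block.append(line)
        m = re.fullmatch(r"ip address (\d[\d.]+) (\d[\d.]+)", line)
        if m and "nameif inside" in block:
            return Net((m.group(1), m.group(2)), strict=False)
    raise ValueError("no addressed 'inside' interface found")


def local_pools(config: str) -> Dict[str, Tuple[Addr, Addr, Net]]:
    """name -> (first address, last address, subnet implied by the pool mask)."""
    pools = {}
    pat = r"^ip local pool (\S+) (\d[\d.]+)-(\d[\d.]+)(?: mask (\d[\d.]+))?"
    for m in re.finditer(pat, config, re.M):
        subnet = Net((m.group(2), m.group(4) or "255.255.255.255"), strict=False)
        pools[m.group(1)] = (Addr(m.group(2)), Addr(m.group(3)), subnet)
    return pools


def nat_exempt_rules(config: str) -> List[Tuple[Net, Net]]:
    """(source, destination) pairs of every ACL bound by 'nat (<ifc>) 0 access-list <name>'."""
    bound = set(re.findall(r"^nat \(\S+\) 0 access-list (\S+)", config, re.M))
    pat = (r"^access-list (\S+) (?:extended )?permit ip "
           r"(\d[\d.]+) (\d[\d.]+) (\d[\d.]+) (\d[\d.]+)")
    return [(Net((m.group(2), m.group(3)), strict=False),
             Net((m.group(4), m.group(5)), strict=False))
            for m in re.finditer(pat, config, re.M) if m.group(1) in bound]


def lint(config: str) -> List[str]:
    """Findings for one config; an empty list means both checks pass."""
    findings = []
    inside = inside_network(config)
    rules = nat_exempt_rules(config)
    for name, (first, last, _) in local_pools(config).items():
        # interval overlap between the pool range and the inside subnet
        if first <= inside.broadcast_address and last >= inside.network_address:
            findings.append(f"pool {name} ({first}-{last}) overlaps the inside LAN "
                            f"{inside}; use a separate range")
        exempt = any(inside.subnet_of(src) and first in dst and last in dst
                     for src, dst in rules)
        if not exempt:
            findings.append(f"no 'nat (inside) 0 access-list' exemption covers "
                            f"{inside} -> {name}; inside-to-client traffic will be NATed")
    return findings


def nat_exempt_lines(inside: Net, pool_subnet: Net, acl: str = "NAT_0") -> List[str]:
    """The two ASA 8.2 lines that exempt inside -> VPN-pool traffic from NAT."""
    return [f"access-list {acl} extended permit ip {inside.network_address} {inside.netmask} "
            f"{pool_subnet.network_address} {pool_subnet.netmask}",
            f"nat (inside) 0 access-list {acl}"]


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, lint(cfg) or ["ok"])
    _, _, pool_net = local_pools(FIXED)["VPN_Pool"]
    print("\n".join(nat_exempt_lines(inside_network(ORIGINAL), pool_net)))
```

    The parser is deliberately narrow: it understands the pre-8.3 `nat (inside) 0 access-list` form used in this thread, not the object-based NAT introduced in ASA 8.3, and it reads only the first addressed interface named `inside`.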

  • Somehow the print size of my email has decreased to the point I can hardly read it.

    Somehow the print size of my email has decreased to the point I can hardly read it.  Can any of you please tell me what keys to hold and scroll to get the largest print size? Thank you very much.

    original title: Email printing size

    Sorry, but since it is Yahoo Webmail, I don't have a clue. Maybe the Internet Explorer forum or Yahoo support might be more useful.

    Internet Explorer forums
    http://answers.Microsoft.com/en-us/IE

    Yahoo help
    http://help.Yahoo.com/l/us/Yahoo/helpcentral/

  • How to set up a one-way IPSec-L2L tunnel

    This may be a silly question, since a VPN is for communication between trusted parties, and most people would try to fix a unidirectional tunnel rather than create one.

    But I'm interested in turning a regular tunnel into a one-way-only tunnel, so that only my side can initiate the tunnel.

    Recently we built this tunnel between our ASA5510 and our biz partner's ASA5510 to run critical applications on their web servers, which are not connected to the Internet. I want to tie it down so that they cannot bring up the VPN. I have the crypto ACL set to limit it to one port and address, so they can only come from that port once the tunnel is established. We also have a personal firewall installed on each host.

    Any idea on how to make the tunnel one-way and also protect us better once the tunnel is up?

    Hello

    You can use the following command:

    crypto map map-name seq-num set connection-type {answer-only | originate-only | bidirectional}

    This command defines whether the tunnel is originate-only or answer-only. If you set the tunnel on your side to originate-only, the ASA will never accept tunnel setup from your business partner. However, you can still initiate the VPN tunnel yourself.

    Check:

    http://www.Cisco.com/en/us/partner/docs/security/ASA/asa80/command/reference/C5.html#wp2152576

    Even though the reference is for ASA 8.0, I know it works on 7.2.x too.

    Hope this helps

    Kind regards

    Pieter-Jan

  • One-way video problem

    Hello

    We have two Expressways, and we received a report from a company that called one of our sites and had issues with one-way video. The caller could not see the person they had dialed, but that person could see the caller. Audio was OK. They were told to place a new call through our other Expressway, and all audio and video worked just fine. So I'm trying to understand whether there is a difference between the Expressways and why this happens. They both run X8.1.1. The strange thing is that we have only received a report from one enterprise having this problem through this "faulty" Expressway, so is it us or them? Apparently they have no problems with anyone else they call...

    Looks like maybe it's time to collect logs... but has anyone else encountered this? Now I have confused everyone :)

    Thank you!

    In general I really wouldn't expect things to need a few reboots to register.

    Sure, the typical TAC response will be "upgrade to the latest", which I also recommend,

    but your symptoms are still a bit sketchy.

    It's a good start to check whether your firewall/network/DNS/... are OK as well. A lot of questions

    are hidden there. It is difficult to see the full extent from here.

    Please get some internal resources, or a good Cisco partner or network resources.

    And yes, look into the upgrade to CUCM!

    But the network/environment should still be OK for that as well :-)

    Please rate the posts with the stars below and mark the thread as answered if a post is a solution.

  • Is there one way other than to_char to get the month of the date field

    Is there one way other than to_char to get the month of the date field

    Hello

    raj4tech wrote:

    Is there one way other than to_char to get the month of the date field

    EXTRACT is one:

    SELECT EXTRACT(MONTH FROM SYSDATE) AS curr_month
    FROM DUAL;

  • Is it only a one-way sync?

    It does not appear that the changes I make in either Illustrator or InDesign get returned to the application?  That would be really great.  Maybe I'm not saving correctly?  In any case, it looks very promising!

    J.

    It is one-way. The purpose of the app is to make a model, a "global" sketch of a layout.

    The file is then sent to InDesign/Illustrator/Photoshop to realize the project.

    It is actually quite brilliantly designed and implemented, especially for a 1.0 release.

  • In the bpel process one-way transaction management

    Hello

    I created a one-way BPEL process with the oneWayDeliveryPolicy property set to sync and the transaction property set to required. When I exposed this service as a SOAP service, I saw the Transaction Participation setting in the web service adapter on the exposed services side configured as NEVER. Does this mean that the BPEL callee would not participate in the same transaction as the BPEL caller?

    Aditya

    Hello

    The properties refer to support for different transaction "contexts", as you can see in the documents below. bpel.config.transaction refers to the transaction semantics of the BPEL Process Manager, while "transaction participation" refers to WS-AT, which provides transaction interoperability between Oracle WebLogic Server and other providers' transaction services... I've never tested it myself, but I guess that if you are using BPEL transactions, bpel.config.transaction will prevail...

    http://docs.Oracle.com/CD/E23943_01/dev.1111/e10224/soa_transactions.htm#CHDEHCFE
    http://docs.Oracle.com/CD/E23943_01/dev.1111/e10224/sca_bindingcomps.htm#SOASE86071

    Cheers,
    Vlad

  • Very basic one-way Golden Gate configuration

    DB version: Oracle 11.2.0.3
    Golden Gate version: 11.2 (the latest one, dated September 22, 2012)
    Platform: Solaris x86 64-bit

    I am currently learning Golden Gate by googling and will be installing Golden Gate for the first time.
    This is what I'm planning.
    Source DB : fncdev
    Target DB : sgntgt
    What needs to be replicated : the SCOTT and HR schemas from the source have to be replicated to the target (unidirectional)
    I intend to set up a very basic one-way GG, where the SCOTT and HR schemas in the source DB are replicated to the target DB.

    I would like to know 2 things.

    1. what should be the content of the parameter file?

    2. after I have properly configured GG, what would be the output of the INFO ALL command on the source and target side?
    -- Source database
    GGSCI > info all
    
    -- Target database
    GGSCI > info all

    Basic extract and replicat parameter file contents.

    EXTRACT E_TEST1
    SETENV (ORACLE_SID = OGGTEST)

    USERID GGADMIN, PASSWORD *
    EXTTRAIL /goldengate/gg_trail/trail/test/et

    -- Add the lines below only if DDL replication is configured.
    -- DDL INCLUDE MAPPED
    -- DDLOPTIONS ADDTRANDATA, REPORT

    TABLE HR.*;
    TABLE SCOTT.*;
    -------------------------------------------------------------------------------------------------

    REPLICAT R_TEST1
    SETENV (ORACLE_SID = OGGTEST)

    USERID GGADMIN, PASSWORD *
    ASSUMETARGETDEFS

    DISCARDFILE oragg/11.1/dirrpt/R_TEST1.dsc, APPEND, MEGABYTES 1024

    MAP HR.*, TARGET HR.*;
    MAP SCOTT.*, TARGET SCOTT.*;

    I hope that these samples help!

    Kind regards
    RB

  • VPN site to Site from one-way data (need help)

    Hello

    Scenario:

    VPN site to Site with Cisco 837 routers:

    Site A: clients and printers

    Site B: print server and queues

    Site A can communicate with Site B via the VPN using RDP, very well.

    Question:

    Site B cannot send print jobs to printers at Site A. It is also unable to telnet to and access other devices at Site A from Site B. Pings, however, work correctly to all devices.

    Debugging access-list 110 at Site A showed no return traffic to Site B via the VPN?

    I tried changing ip tcp adjust-mss to 1452, but no good...

    Attached configs.

    Site A IOS - c837-k9o3y6-mz.123-4.T3.bin

    Site B IOS - c837-k9o3sy6-mz.123-2.XC2.bin

    Any help would be appreciated.

    Thank you very much...

    Thank you for including the configs and IOS versions. Looks like you hit a known IOS FW bug (http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCec78231&Submit=Search); you can run the debugging described in the bug details to confirm. It is difficult to tell which router would be the culprit in a scenario where both run CBAC on an L2L tunnel, but probably RouterA is dropping the packets. This would also explain why pings work but TCP connections do not.

    I would upgrade BOTH routers to the same version anyway; you run into far fewer problems that way, but make sure you upgrade to a fixed-in version (or later) to work around the problem.

  • BlackBerry Smartphones help BB Storm will synchronize only one way

    When I enter an appointment in my calendar from the device and then try to sync with the Outlook 2003 calendar, it will not be synchronized (the appointments do not show up in my Outlook calendar).  If I enter the appointment in my Outlook calendar, it will synchronize the appointment to my device.  I have gone into the Desktop Manager configuration and set two-way synchronization. Still no luck.

    I found the problem.  When you create a new appointment, there is a field that says "send using:"; this is a list of all email addresses you receive emails from on your BlackBerry.  Somehow, the email address had been changed to another one.  This caused the synchronization problem.  Once I changed it back to the one that was already there, the two-way sync worked.

    I still don't know where you configure which email address it uses.  If someone knows, let me know.  Or are the three email addresses the ones I synchronize in Outlook?
