SEC license and Cisco 2901

Hi guys,

Can the CISCO2901-V/K9 support an IPSec VPN tunnel, or should I order SL-29-SEC-K9 in order to create IPSec tunnels?

Guys do you know where I can find the support of the Cisco router boot feature?

Thank you for helping me!

Hello Harry,

You can check this:

Software licenses available on the ISR G2

The C2900 router is a powerful platform, but it requires the security license for VPN support.

The SSEC-K9 license removes the curtailment enforced by US government export restrictions on the encrypted tunnel count and encrypted throughput. SSEC-K9 is available only on the Cisco 2921, Cisco 2951, Cisco 3925, Cisco 3945, Cisco 3925E and Cisco 3945E. With the SSEC-K9 license, the ISR G2 router can go above the curtailment limit of a maximum of 225 tunnels for IP Security (IPsec) and an encrypted throughput of 85 Mbps of unidirectional traffic in or out of the ISR G2 router, with a bidirectional total of 170 Mbps.

The Cisco 1941, 2901 and 2911 already have maximum encryption capabilities within the export limits. The HSEC license requires the universalk9 image and the SEC license to be pre-installed.

FL-29-HSEC-K9 | US Export Restriction Compliance license for 2921/2951 | 2921 ISR and 2951 ISR | SEC-K9 license | Ordered with system license

FL-29-HSEC-K9= | US Export Restriction Compliance license for 2921/2951 | 2921 ISR and 2951 ISR | SEC-K9 license | Paper PAK spare

L-FL-29-HSEC-K9= | US Export Restriction Compliance license for 2921/2951 | 2921 ISR and 2951 ISR | SEC-K9 license | Electronic PAK spare

HTH.

Update: the previous post included the wrong table.

Tags: Cisco Security

Similar Questions

  • Cisco 2901 IP SLA and Policy Based Routing with dual LAN gateways

    Hello

    I am configuring a failover solution combined with PBR using two gateways that are already configured. See the attached diagram.

    I currently have two ASA 5505 and a 2901.

    According to the example: http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/861-c... I've set up the following in the 2901:

    interface Port-channel1.1
     encapsulation dot1Q 1 native
     ip address 192.168.200.100 255.255.255.0
     ip policy route-map RM-Comcast-traffic

    ip route 0.0.0.0 0.0.0.0 192.168.200.200 track 1
    ip route 0.0.0.0 0.0.0.0 192.168.200.150 track 2
    ip route 10.10.10.1 255.255.255.252 192.168.200.150

    ip access-list extended ACL-Comcast-traffic
     permit object-group COMCAST_Routed 192.168.200.0 0.0.0.255 any

    route-map RM-Comcast-traffic permit 1
     match ip address ACL-Comcast-traffic
     set ip next-hop verify-availability 10.10.10.2 1 track 2

    object-group service COMCAST_Routed
     tcp eq ftp
     tcp eq www
     tcp eq ftp-data

    ip sla 1
     icmp-echo 192.168.200.200
     threshold 2
     timeout 1000
     frequency 30
    ip sla schedule 1 life forever start-time now

    ip sla 2
     icmp-echo 10.10.10.2
     threshold 2
     timeout 1000
     frequency 30
    ip sla schedule 2 life forever start-time now

    track 1 ip sla 1 reachability
    track 2 ip sla 2 reachability

    I did some tests and the failover part seems to work, but the PBR configuration does not work as expected. Only thing missing track 1 each time delivering properly and track 2 is declining.

    Any help clarifying the feasibility and practicality of this configuration is greatly appreciated.

    Dan

    Adding an AD value won't fix PBR (sorry if I gave that impression).

    On the client that you are testing with, can you look at its routing table, for example 'netstat -nr', and see what it shows in terms of gateways?

    You may want to debug your policy routing to see what is happening on the router.

    Jon

  • Copy the configuration of Cisco 881 to Cisco 2901

    We replace our router Cisco 881 with a Cisco 2901 router.  If I backup the configuration of the 881 and restore it on the 2901, will there be problems? We just want our 2901 to work the same. Thank you.

    Routers, switches etc. can come with a base image which may allow only certain features; the devices come with these out of the box so that they work.

    You can buy advanced IP services images or advanced security images that will allow all the features to work. For example, you cannot use BGP or PBR unless you have an advanced image, but you may be allowed to use RIP and EIGRP stub.

    You can check what is running on your 881 with show license; it will tell you what is on.

  • Will video conferencing work without a license for TP Server and Conductor?

    Hi all

    We need a POC for video conferencing with Cisco Jabber on desktop. The scenario is that we have CUCM 10.5 running on the trial license, and TP Server and TP Conductor running on virtual machines without a license.

    Can we achieve video conferencing without a license for TP Server and Conductor?

    Thank you & best regards

    Louis Nithin.

    Conductor Essentials can run without licenses; it offers all the functions of Conductor but is limited to 1 conference bridge and no grouping. Refer to Table 1 in the Conductor datasheet for more information.

    TelePresence Server requires licenses to operate; you will need to purchase a license for the software so it can be activated, as well as screen licenses or multiparty licenses.  Screen licenses are per participant and installed on the TelePresence Server itself, while the multiparty licenses are either user or conference based and are installed on the Conductor.  Refer to the product overview just above Figure 1 in the TelePresence Server data sheet about the screen and multiparty licensing options.

  • LACP hash between N3048 and CISCO SG300/SG200 + question Twinax attach direct cable

    Hello

    In my network I have deployed two new N3048s, with 2 SFP+ transceivers and the rear SFP+ module, as core switches. They are connected to 3 other N2048 edge switches using optical fiber, and I reused my previous Cisco SG300 and SG200 to serve the other two boxes of my campus via the copper backbone.

    I have 4 copper cable which starts from the hub of the SG300 network and 2 the SG200 brass. I set up to have a redundant connection using 2 + 2 with SG300 and 1 + 1 with SG200 RSTP.

    So for the SG300 I set up LAG + LACP to have two channels to the N3048s' ports, but for now only a single cable is connected because I don't know what kind of LACP hash mode I should put on the N3048 to have a compatible hash between the Dell and Cisco switches.

    My N3048s have mode 7 (Enhanced hash) as default but I guess that the Cisco models do not understand it... so, what mode is the best for LACP to work perfectly with Cisco small business switches?

    I also received my twinax cables to connect my two N3048s via the rear SFP+ modules... can I hot-plug the cables into the SFP+ slots (already mounted) without turning off my core switches?

    Thank you!

    See you soon

    Cables can be connected/disconnected, but I don't know if the actual SFP+ module for the rear of the N3000 is hot-pluggable.

  • Unable to connect to network WPA2 with Windows 7 64-bit (Intel 4965 and Cisco WUSB600N)

    Connecting to a WPA2 network seems to be a fairly common problem.  Still, I have not been able to find a solution.

    OS: Windows 7 Ultimate 64-bit

    Wireless adapter (s): Intel 4965AGN (integrated into Dell XPSM1330) and Cisco/Linksys WUSB600N

    Drivers: latest windows 7 64 bit drivers from the two websites of companies.  Intel (v12.4.1.4), Linksys (3.0.10.0)

    Network properties: WPA2-Enterprise, AES encryption, PEAP authentication, several types of routers around the world

    History: has been able to use the same laptop with Vista32 on this network without any problem

    I can not connect to networks non - WPA WPA networks simply not.

    When trying to connect to my company's WPA2 network (at any of our locations around the world):

    Method #1:

    1. Select "Other network" in the list of networks
    2. Enter the SSID of the network
    3. Windows could not connect to the SSID

    Method #2:

    1. Open Network and Sharing Center
    2. Select Set up a new connection or network
    3. Select Manually connect to a wireless network
    4. Select one of my adapters
    5. Enter the SSID, WPA2-Enterprise as security type and AES as encryption type, check the boxes to connect automatically and to connect even if the network is not broadcasting
    6. An unexpected error has occurred

    Method #3: Try to trick Windows

    1. Open Network and Sharing Center
    2. Select Set up a new connection or network
    3. Select Manually connect to a wireless network
    4. Select one of my adapters
    5. Enter the SSID but select an open network
    6. Windows adds the network
    7. Then try to change its properties
    8. Set the security type to WPA2-Enterprise
    9. Set the encryption type to AES
    10. The "Choose a network authentication method:" drop-down menu is empty!
    11. Windows has encountered an error saving the wireless profile.  Specific error: the profile has an invalid length field.

    I'm pretty desperate for a solution.

    Kind regards

    John

    There are a few people with Win7 x 64 that cannot connect to WPA2 P/EAP Corporate/business networks and no solution?

    Come on, guys, it's the microsoft answers site! someone give me something! I have two asus laptops, both with network cards Intel having this problem on two networks separate enterprise (school).

    Edit:

    RESOLVED:

    Here's the thread of the resolution:

    http://answers.Microsoft.com/en-us/Windows/Forum/Windows_7-networking/unable-to-connect-to-company-wireless-network/3bcd12b1-A0D8-4357-bded-07da96259920?page=3

    The problem occurs when you perform a Windows Easy Transfer from a computer that had Symantec Endpoint Protection installed to one without it.

    Answer, copy-pasted:

    Inspect the key mentioned above, that is, HKLM\System\CurrentControlSet\services\RasMan\PPP\EAP.

    In each of the numbered keys, look for something like ConfigPathBackup and its corresponding ConfigPath; there are a number of them.

    For each, I deleted the original key (e.g., ConfigPath) and restored the original by renaming ConfigPathBackup to ConfigPath.

    For each of them, the state is now restored to its pre-Symantec state. Each key pointed to a Symantec location that is no longer present, and after restoring the backed-up path keys everything was fine.

  • This version of Cisco Adaptive Security Appliance Software Version 9.6(1)5 is affected by Cisco Adaptive Security Appliance SNMP Remote Code Execution vulnerability and Cisco Adaptive Security Appliance CLI Remote Code Execution vulnerability

    Hi vrian_colaba,

    You can take a look at Cisco's advisory here:

    https://Tools.Cisco.com/Security/Center/content/CiscoSecurityAdvisory/CI...

    Fixed versions

    Cisco ASA Major Release    First fixed version
    7.2                        Affected; migrate to 9.1.7(9) or later
    8.0                        Affected; migrate to 9.1.7(9) or later
    8.1                        Affected; migrate to 9.1.7(9) or later
    8.2                        Affected; migrate to 9.1.7(9) or later
    8.3                        Affected; migrate to 9.1.7(9) or later
    8.4                        Affected; migrate to 9.1.7(9) or later
    8.5                        Affected; migrate to 9.1.7(9) or later
    8.6                        Affected; migrate to 9.1.7(9) or later
    8.7                        Affected; migrate to 9.1.7(9) or later
    9.0                        9.0.4(40)
    9.1                        9.1.7(9)
    9.2                        9.2.4(14)
    9.3                        9.3.3(10)
    9.4                        9.4.3(8) ETA 26/08/2016
    9.5                        9.5(3) ETA 30/08/2016
    9.6 (FTD)                  9.6.1(11) / FTD 6.0.1(2)
    9.6 (ASA)                  9.6.2

    9.6(1)5 is not one of the fixed versions, which means it is affected by the SNMP Remote Code Execution vulnerability.

    For the Cisco Adaptive Security Appliance CLI Remote Code Execution vulnerability, you can also take a look at Cisco's advisory here:

    https://Tools.Cisco.com/Security/Center/content/CiscoSecurityAdvisory/CI...

    Fixed versions

    The following table shows the first software versions that include fixes for this vulnerability (9.6 is not affected)

    Cisco ASA Major Release    First fixed version
    7.2                        Affected; migrate to 8.4(3) or later
    8.0                        Affected; migrate to 8.4(3) or later
    8.1                        Affected; migrate to 8.4(3) or later
    8.2                        Affected; migrate to 8.4(3) or later
    8.3                        Affected; migrate to 8.4(3) or later
    8.4                        8.4(3)
    8.5                        Affected; migrate to 9.0(1) or later
    8.6                        Affected; migrate to 9.0(1) or later
    8.7                        Affected; migrate to 9.0(1) or later
    9.0                        9.0(1)
    9.1                        Not affected
    9.2                        Not affected
    9.3                        Not affected
    9.4                        Not affected
    9.5                        Not affected
    9.6                        Not affected

    Hope this info helps!

    Rate if it helps!

    -JP-
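
    The by-eye comparison in the answer above, written out as an added example (not part of the original post or of Cisco's advisories). It assumes that the `9.6(1)5` form printed by the device and the dotted `9.1.7(9)` form used in the tables both mean major.minor.maintenance plus interim build; the table and function names are made up for the example.

```python
import re

# Advisory tables transcribed from the answer above, keyed by release train.
# ("fixed", v): first fixed release in that train; ("migrate", v): no fix in
# that train, move to v or later; ("clean", None): train is not affected.
SNMP_RCE = {
    **{t: ("migrate", "9.1.7(9)") for t in
       ("7.2", "8.0", "8.1", "8.2", "8.3", "8.4", "8.5", "8.6", "8.7")},
    "9.0": ("fixed", "9.0.4(40)"), "9.1": ("fixed", "9.1.7(9)"),
    "9.2": ("fixed", "9.2.4(14)"), "9.3": ("fixed", "9.3.3(10)"),
    # 9.4 and 9.5 still carried an ETA in the table when the answer was posted.
    "9.4": ("fixed", "9.4.3(8)"), "9.5": ("fixed", "9.5(3)"),
    "9.6": ("fixed", "9.6.2"),  # ASA row only; the FTD row is not modelled
}
CLI_RCE = {
    **{t: ("migrate", "8.4(3)") for t in ("7.2", "8.0", "8.1", "8.2", "8.3")},
    "8.4": ("fixed", "8.4(3)"),
    **{t: ("migrate", "9.0(1)") for t in ("8.5", "8.6", "8.7")},
    "9.0": ("fixed", "9.0(1)"),
    **{t: ("clean", None) for t in ("9.1", "9.2", "9.3", "9.4", "9.5", "9.6")},
}

_VERSION = re.compile(r"\d+\.\d+[\d.()]*")


def parse_asa_version(text):
    """Turn '9.6(1)5', '9.6 (1) 5' or '9.1.7(9)' into a comparable 4-tuple."""
    compact = re.sub(r"\s+", "", text)
    if not _VERSION.fullmatch(compact):
        raise ValueError("not an ASA version string: %r" % text)
    parts = [int(n) for n in re.findall(r"\d+", compact)]
    if len(parts) > 4:
        raise ValueError("too many version fields: %r" % text)
    # Missing maintenance/interim fields compare as 0, so 9.6.2 > 9.6(1)5.
    return tuple(parts + [0] * (4 - len(parts)))


def assess(running, table):
    """Return (status, target); target is the release to move to, if any."""
    version = parse_asa_version(running)
    train = "%d.%d" % version[:2]
    if train not in table:
        return ("unknown", None)
    kind, target = table[train]
    if kind == "clean":
        return ("not affected", None)
    if kind == "fixed" and version >= parse_asa_version(target):
        return ("fixed", target)
    return ("affected", target)


if __name__ == "__main__":
    # The release asked about in the question.
    for name, table in (("SNMP RCE", SNMP_RCE), ("CLI RCE", CLI_RCE)):
        print(name, assess("9.6(1)5", table))
```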

  • HP J4853A and Cisco SFP Module 100BASE-FX

    Hi all!

    Are the HP J4853A and the Cisco 100BASE-FX SFP module not compatible?

    Thank you!

    Both are 100BASE-FX, so at layer 1 they are interoperable.

    Higher tier features will not be handled on one platform or another.

  • LAN-to-LAN tunnel between VPN 3000 and Cisco 1721

    Hello

    I currently have a LAN-to-LAN tunnel configured between a VPN 3000 (3.6) and a Cisco 1721 (12.2(11)T).

    When I use Encryption = DES-56 and Authentication = ESP/MD5/HMAC-128 for the IPSec Security Association, everything works fine.

    However, I would like to turn off encryption for some time to get speed improvements, so I changed

    Encryption = esp-null (on the 1721) and to "Null" on the VPN 3000.

    Now the tunnel is set up but I can pass only ICMP traffic. When I pass UDP\TCP traffic, the message below appears on the Cisco 1721

    %C1700_EM-1-ERROR: error in packet-rx: pad size error, id 75, hen offset 0

    Has anyone seen this behavior?

    Has anyone set up an IPSec tunnel with only ESP authentication and NO encryption between a VPN 3000 and a Cisco 1721?

    Thanx------Naman

    Naman,

    Did you disable the VPN accelerator? "no crypto engine accel". Pretty sure that you can't do null with a VPN module.

    Kurtis Durrett

  • Cisco ACE IPS and Cisco ASA AIP-SSM (IPS)

    Is there a difference between the features offered by the Cisco ACE IPS and Cisco ASA AIP-SSM (IPS) devices?

    Can we do without the Cisco ASA AIP-SSM (IPS) by configuring/implementing 'only' the Cisco ACE IPS?

    Cisco AVS/ACE puts the emphasis on commissioning and securing web-based applications. IPSs do not focus on just web applications and try to cover multiple layers of the OSI stack. Consider the IPS as a general practitioner and the ACE/AVS as an eye surgeon, or something :)

    Here is the response from Cisco itself:

    http://www.Cisco.com/en/us/prod/collateral/modules/ps2706/ps6906/prod_qas0900aecd8045867c_ps6492_Products_Q_and_A_Item.html

    Q: How does the Cisco AVS application firewall differ from an intrusion prevention system (IPS)?

    A. IPSs are solid solutions for protection against targeted attacks on known vulnerabilities in major platforms such as Windows, Solaris, Apache or Microsoft Internet Information Services (IIS). Cisco AVS excels at protecting against attacks targeted at websites or enterprise applications. These applications can be custom-built internal applications or vendor software. Signatures and security patches are generally not available for these types of applications, and building these security levels into each application would be almost impossible.

    Q: How does the Cisco AVS application firewall differ from a network firewall?

    A. The Cisco AVS 3120 and network firewalls such as the Cisco PIX® Firewall and Cisco ASA 5500 Series Adaptive Security Appliances are complementary products. The Cisco AVS application firewall secures Web applications; network firewalls excel at network security; and the Cisco AVS provides defense in depth for Web applications.

    Network firewalls apply policy to networks, IP addresses and ports; they have a wide range of application-layer features for many different protocols. The firewall can and will be deployed in many locations, including the enterprise network edge, branch, etc. Cisco AVS enforces policy on HTTP data such as URLs, headers and parameters. Cisco AVS is deployed in the data center in front of Web applications.

    Regards

    Farrukh

  • Difference between Cisco Unity and Cisco Unity Connection

    What are the main differences between Cisco Unity and Cisco Unity Connection (version 7)?

    Such as: 1. In Cisco Unity the servers are in active-failover mode, and in Unity Connection the servers are in active-active mode

    2 Cisco Unity, knows about unity and unified messaging, integrated messaging

    What is the major difference between Unified Messaging and integrated messaging?

    Please provide some points of difference between the two...

    This may well be true today, but the gap could soon close... if not disappear.  Cisco is currently in EFT (Early Field Trial) or "beta" testing for Unity Connection 8.5(1), which aims to add Unified Messaging features to Unity Connection using WebDAV for Exchange 2003 and Exchange Web Services (EWS) for Exchange 2007/2010.  Just a nugget to think about when you consider your client's installation timing and which platform would be best suited to their environment.  Take a look at this blog for more information/thoughts:

    http://www.netcraftsmen.NET/resources/blogs/unity-connection-with-Unified-Messaging-where-will-unity-fit-in.html?blogger=David+Hailey

    Hailey

    Please rate helpful posts!

  • difference between cisco NAC agent and cisco Clean Access Agent

    Hi all

    If anyone has an idea of the difference between the Cisco NAC Agent and the Cisco Clean Access Agent, please let us know.

    Thank you

    In 4.6, the agent was revised and is now called the NAC Agent.  Previous versions were called the Clean Access Agent.  So roughly, the 4.5 and 4.1.3.2 agents are Clean Access Agents, and the 4.6.x and 4.7.x agents are called NAC Agents.

    Some of the changes are moving a lot of the agent configuration into an XML file, a redesign of the GUI, adding a service portion (so that the stub agent is no longer necessary) and better agent logging.

  • NCS and Cisco Security Manager 4.2 servers

    Hi all

    I am spec'ing two new servers; one is for a Prime NCS box and the other for a Cisco Security Manager 4.2 box. I have decided to go with the Cisco UCS server range, but am a little unsure of something recommended in the datasheet for the AC.

    The NCS data sheet

    http://www.Cisco.com/en/us/prod/collateral/wireless/ps5755/ps11682/ps11686/ps11688/data_sheet_c78-650051.PDF

    ... reads as follows:

    ******************************

    If deploying Cisco Prime NCS as a virtual appliance on a customer-supplied server, one of the following versions of VMware ESX or ESXi can be used:

    VMware ESX or VMware ESXi version 4.1

    ******************************

    Does this mean that the NCS software MUST be virtualized, or can it be installed and simply run on something like Windows Server 2008? If yes, through a serious disk image?

    Secondly,

    both servers are running RAID arrays and I was wondering what your views are on running everything (OS, Cisco software, records and other data) together on the RAID array, versus the OS and Cisco software on a separate boot disk with only the data stored on the RAID?

    I see no reason why it would not run together on the RAID, but I'm curious to know what you think about it.

    In addition, we are upgrading our WCS courses and I was wondering if some kind of migration is necessary or can we just install fresh NCS on the server and configure it accordingly.

    See you soon,

    -Dave

    Dave,

    For the first part, the NCS works only as a virtual machine.  You can buy the device hardened to it, but it's still a virtual machine, NCS is presented as a .ova.

    Regarding separate them, with NCS I don't think you'll be able to.

    Steve

  • AnyConnect and Cisco VPN clients using the same certificate

    Can the same certificate be used on the ASA for AnyConnect clients and Cisco VPN clients (IKEv1/IKEv2)?

    John.

    The certificate is there to identify a user/machine rather than the protocol, so generally yes, you can use the same certificate for SSL/IKEv1/IKEv2 connections.

    What you need to take care of is that said certificate fulfils the requirements of the protocol; for example, IKEv2 implementations 'require' that particular KUs are defined and that the client-auth/server-auth EKUs are defined on the certificates.

    M.

  • VPN between ASA and cisco router [phase2 question]

    Hi all

    I have a problem with an IPSEC VPN between an ASA and a Cisco router.

    I think that there is a problem in phase 2.

    Can you please guide me as to where the problem could be?
    I suspect ACL issues on the router, but I cannot fix them. The ACL on the router is specified below.

    Looking forward to your help

    Phase 1 looks like this

    Cisco_router#sh crypto isakmp sa

    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id slot status
    78.x.x.41       87.x.x.4        QM_IDLE           2006    0 ACTIVE

    and ASA

    ASA# sh crypto isakmp sa

    Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1

    1 IKE Peer: 78.x.x.41
    Type: L2L Role: initiator
    Rekey: no State: MM_ACTIVE

    Phase 2 on ASA

    ASA# sh crypto ipsec sa
    interface: Outside
    Crypto map tag: Outside_map, seq num: 20, local addr: 87.x.x.4

    access-list Outside_cryptomap_20 permit ip 172.19.209.0 255.255.255.0 172.19.194.0 255.255.255.0
    local ident (addr/mask/prot/port): (172.19.209.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
    current_peer: 78.x.x.41

    #pkts encaps: 8813, #pkts encrypt: 8813, #pkts digest: 8813
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 8813, #pkts comp failed: 0, #pkts decomp failed: 0
    #send errors: 0, #recv errors: 0

    local crypto endpt.: 87.x.x.4, remote crypto endpt.: 78.x.x.41

    path mtu 1500, ipsec overhead 58, media mtu 1500
    current outbound spi: C96393AB

    inbound esp sas:
    spi: 0x3E9D820B (1050509835)
    transform: esp-3des esp-md5-hmac no
    in use settings ={L2L, Tunnel, }
    slot: 0, conn_id: 7, crypto-map: Outside_map
    sa timing: remaining key lifetime (kB/sec): (4275000/3025)
    IV size: 8 bytes
    replay detection support: Y
    outbound esp sas:
    spi: 0xC96393AB (3378746283)
    transform: esp-3des esp-md5-hmac no
    in use settings ={L2L, Tunnel, }
    slot: 0, conn_id: 7, crypto-map: Outside_map
    sa timing: remaining key lifetime (kB/sec): (4274994/3023)
    IV size: 8 bytes
    replay detection support: Y

    Phase 2 on cisco router

    protected vrf: (none)
    local ident (addr/mask/prot/port): (172.19.209.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
    current_peer 87.x.x.4 port 500
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

    local crypto endpt.: 78.x.x.41, remote crypto endpt.: 87.x.x.4
    path mtu 1452, ip mtu 1452, ip mtu idb Dialer0
    current outbound spi: 0x0(0)

    inbound esp sas:

    inbound ah sas:

    inbound pcp sas:

    outbound esp sas:

    outbound ah sas:

    outbound pcp sas:

    protected vrf: (none)
    local ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (172.19.209.0/255.255.255.0/0/0)
    current_peer 87.x.x.4 port 500
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 8947, #pkts decrypt: 8947, #pkts verify: 8947

    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

    local crypto endpt.: 78.x.x.41, remote crypto endpt.: 87.x.x.4
    path mtu 1452, ip mtu 1452, ip mtu idb Dialer0
    current outbound spi: 0x3E9D820B(1050509835)

    inbound esp sas:
    spi: 0xC96393AB(3378746283)
    transform: esp-3des esp-md5-hmac ,
    in use settings ={Tunnel, }
    conn id: 29, flow_id: Motorola SEC 1.0:29, crypto map: mycryptomap
    sa timing: remaining key lifetime (k/sec): (4393981/1196)
    IV size: 8 bytes
    replay detection support: Y
    Status: ACTIVE

    inbound ah sas:

    inbound pcp sas:

    outbound esp sas:
    spi: 0x3E9D820B(1050509835)
    transform: esp-3des esp-md5-hmac ,
    in use settings ={Tunnel, }
    conn id: 30, flow_id: Motorola SEC 1.0:30, crypto map: mycryptomap
    sa timing: remaining key lifetime (k/sec): (4394007/1196)
    IV size: 8 bytes
    replay detection support: Y
    Status: ACTIVE

    outbound ah sas:

    outbound pcp sas:

    The VPN configuration on the Cisco router is below

    access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
    access-list 101 permit ip 172.19.206.0 0.0.0.255 172.19.194.0 0.0.0.255 log
    access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
    access-list 101 permit ip 172.19.203.0 0.0.0.255 172.19.194.0 0.0.0.255 log
    access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log
    access-list 101 permit ip 172.19.209.0 0.0.0.255 172.19.194.0 0.0.0.255 log

    access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
    access-list 105 deny ip 172.19.206.0 0.0.0.255 172.19.194.0 0.0.0.255 log
    access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
    access-list 105 deny ip 172.19.203.0 0.0.0.255 172.19.194.0 0.0.0.255 log
    access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log
    access-list 105 deny ip 172.19.209.0 0.0.0.255 172.19.194.0 0.0.0.255 log

    route-map sheep permit 10
     match ip address 105

    crypto ipsec transform-set mytransformset esp-3des esp-md5-hmac

    crypto map mycryptomap 100 ipsec-isakmp
     set peer 87.x.x.4
     set transform-set mytransformset
     match address 101

    crypto isakmp policy 100
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key xxx2011 address 87.x.x.4

    The permit statement in your ACL 105 should be moved down to the bottom, because it is the most general entry in the ACL.

    You currently have:

    Extended IP access list 105
    5 permit ip 172.19.194.0 0.0.0.255 (18585 matches)
    10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
    30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
    50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log

    It should be:

    Extended IP access list 105
    10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
    30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
    50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log
    60 permit ip 172.19.194.0 0.0.0.255 (18585 matches)

    To remove it and add it at the bottom:

    ip access-list extended 105
     no 5
     60 permit ip 172.19.194.0 0.0.0.255 any

    Then 'clear ip nat trans *'

    and it should work now.
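
    Why the position of the permit line matters, as an added example that is not part of the original thread: a first-match evaluation of ACL 105 in both orders, plus a check for entries that can never be reached. It assumes the truncated sequence-5 entry ends in `any` (as the corrected line 60 does) and that the route-map matching ACL 105 selects traffic for NAT, so a permit means "translated" and a deny means "left untranslated for the crypto map"; all Python names are made up for the example.

```python
import ipaddress


def _ip(text):
    return int(ipaddress.IPv4Address(text))


# (base address, wildcard mask) pairs, as written in IOS extended ACLs.
ANY = ("0.0.0.0", "255.255.255.255")
LAN = ("172.19.194.0", "0.0.0.255")


def remote(base):
    return (base, "0.0.0.255")


# Entries are (sequence, action, source, destination).
DENIES = [
    (10, "deny", LAN, remote("172.19.206.0")),
    (30, "deny", LAN, remote("172.19.203.0")),
    (50, "deny", LAN, remote("172.19.209.0")),
]
ACL_105_AS_POSTED = [(5, "permit", LAN, ANY)] + DENIES   # dst "any" assumed
ACL_105_REORDERED = DENIES + [(60, "permit", LAN, ANY)]


def matches(addr, spec):
    """Wildcard-mask match: bits set in the wildcard are 'don't care'."""
    base, wildcard = spec
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


def covers(outer, inner):
    """True if every address matched by `inner` is also matched by `outer`."""
    care = ~_ip(outer[1]) & 0xFFFFFFFF
    return (_ip(inner[1]) & care) == 0 and \
        (_ip(outer[0]) & care) == (_ip(inner[0]) & care)


def first_match(acl, src, dst):
    """Return (sequence, action) of the first matching entry."""
    for seq, action, s, d in sorted(acl, key=lambda e: e[0]):
        if matches(src, s) and matches(dst, d):
            return seq, action
    return None, "deny"  # implicit deny at the end of every ACL


def shadowed(acl):
    """List (sequence, shadowing sequence) for entries that can never match."""
    ordered = sorted(acl, key=lambda e: e[0])
    found = []
    for i, (seq, _, s, d) in enumerate(ordered):
        for pseq, _, ps, pd in ordered[:i]:
            if covers(ps, s) and covers(pd, d):
                found.append((seq, pseq))
                break
    return found


if __name__ == "__main__":
    # Constructed sample flow: a LAN host talking to the remote VPN subnet.
    flow = ("172.19.194.10", "172.19.209.20")
    for name, acl in (("as posted", ACL_105_AS_POSTED),
                      ("reordered", ACL_105_REORDERED)):
        print(name, first_match(acl, *flow), "shadowed:", shadowed(acl))
```

    With the permit at sequence 5 the VPN-bound flow is translated before the crypto map sees it, which is consistent with the router showing decaps but zero encaps in the output above.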
