Limited Cisco ASA 5510 IPSEC

Hi guys

There are IPsec deadline for ASA 5510?

There are users complain on connected, they cannot access any server on the local network. but now it works fine

Hello

What do you mean by limit? The number of IPSEC sessions is limited to 250, if I remember correctly.

To limit access to internal resources, there is not.

These users complain using the same IPSEC vpn as others? Is that your exemption of crypto and nat that allows all internal resources?

Thank you

PS: Please do not forget to rate and score as correct answer if this answered your question

Tags: Cisco Support

Similar Questions

  • Cisco ASA 5510, ipsec vpn. What address to connect the client to

    Hello

    It's maybe a stupid question, but I can't find the answer anywhere.

    I used the ipsec vpn configuration wizard, I activated the external interface to access ipsec and went through SCW pools of addresses etc. When I try to connect with the cisco vpn client to my address of the external interface (of a remote host) I'm unable to connect. I scanned the interface for open ports, but there is not, I have to allow traffic to ipsec at this interface?

    Best regards

    Andreas

    No, once you have configured the access remote vpn ipsec, it will be automatically activated, and you should be able to connect to the ASA outside the ip address of the interface.

    Can you please share the configuration? and also which group name you are trying to access the vpn client?

  • % 7-ASA-710005: request TCP thrown error in the Client VPN Site to CISCO ASA 5510

    Hi friends,

    I am trying to built customer to site VPN CISCO ASA 5510 8.4 (4) and get error below when connecting to a cisco VPN client software. Also, I'm below ASA, log. Please help me to reslove.

    Error in CISCO VPN Client software:

    Secure VPN connection terminated locally by the client.

    Reason: 414: unable to establish a TCP connection.

    Error in CISCO ASA 5510

    7-ASA-710005%: TCP request and eliminated from 49276 outward: 10000

    The ASA configuration:

    XYZ # sh run
    : Saved
    :
    ASA Version 8.4 (4)
    !
    hostname XYZ
    domain XYZ
    activate the password encrypted 3uLkVc9JwRA1/OXb N3
    activate the encrypted password of R/x90UjisGVJVlh2
    2KFQnbNIdI.2KYOU encrypted passwd
    names of
    !
    interface Ethernet0/0
    nameif outside_rim
    security-level 0
    IP 1.1.1.1 255.255.255.252
    !
    interface Ethernet0/1
    full duplex
    nameif XYZ_DMZ
    security-level 50
    IP 172.1.1.1 255.255.255.248
    !
    interface Ethernet0/2
    Speed 100
    full duplex
    nameif outside
    security-level 0
    IP address 2.2.2.2 255.255.255.252
    !
    interface Ethernet0/3
    Speed 100
    full duplex
    nameif inside
    security-level 100
    IP 3.3.3.3 255.255.255.224
    !
    interface Management0/0
    Shutdown
    No nameif
    no level of security
    no ip address
    !
    boot system Disk0: / asa844 - k8.bin
    passive FTP mode
    DNS domain-lookup outside
    DNS server-group DefaultDNS
    Server name xx.xx.xx.xx
    Server name xx.xx.xx.xx
    Server name xx.xx.xx.xx
    Server name xx.xx.xx.xx
    domain XYZ
    network object obj - 172.17.10.3
    Home 172.17.10.3
    network object obj - 10.1.134.0
    10.1.134.0 subnet 255.255.255.0
    network object obj - 208.75.237.0
    208.75.237.0 subnet 255.255.255.0
    network object obj - 10.7.0.0
    10.7.0.0 subnet 255.255.0.0
    network object obj - 172.17.2.0
    172.17.2.0 subnet 255.255.255.0
    network object obj - 172.17.3.0
    172.17.3.0 subnet 255.255.255.0
    network object obj - 172.19.2.0
    172.19.2.0 subnet 255.255.255.0
    network object obj - 172.19.3.0
    172.19.3.0 subnet 255.255.255.0
    network object obj - 172.19.7.0
    172.19.7.0 subnet 255.255.255.0
    network object obj - 10.1.0.0
    10.1.0.0 subnet 255.255.0.0
    network object obj - 10.2.0.0
    10.2.0.0 subnet 255.255.0.0
    network object obj - 10.3.0.0
    10.3.0.0 subnet 255.255.0.0
    network object obj - 10.4.0.0
    10.4.0.0 subnet 255.255.0.0
    network object obj - 10.6.0.0
    10.6.0.0 subnet 255.255.0.0
    network object obj - 10.9.0.0
    10.9.0.0 subnet 255.255.0.0
    network object obj - 10.11.0.0
    10.11.0.0 subnet 255.255.0.0
    network object obj - 10.12.0.0
    10.12.0.0 subnet 255.255.0.0
    network object obj - 172.19.1.0
    172.19.1.0 subnet 255.255.255.0
    network object obj - 172.21.2.0
    172.21.2.0 subnet 255.255.255.0
    network object obj - 172.16.2.0
    172.16.2.0 subnet 255.255.255.0
    network object obj - 10.19.130.201
    Home 10.19.130.201
    network object obj - 172.30.2.0
    172.30.2.0 subnet 255.255.255.0
    network object obj - 172.30.3.0
    172.30.3.0 subnet 255.255.255.0
    network object obj - 172.30.7.0
    172.30.7.0 subnet 255.255.255.0
    network object obj - 10.10.1.0
    10.10.1.0 subnet 255.255.255.0
    network object obj - 10.19.130.0
    10.19.130.0 subnet 255.255.255.0
    network of object obj-XXXXXXXX
    host XXXXXXXX
    network object obj - 145.248.194.0
    145.248.194.0 subnet 255.255.255.0
    network object obj - 10.1.134.100
    Home 10.1.134.100
    network object obj - 10.9.124.100
    Home 10.9.124.100
    network object obj - 10.1.134.101
    Home 10.1.134.101
    network object obj - 10.9.124.101
    Home 10.9.124.101
    network object obj - 10.1.134.102
    Home 10.1.134.102
    network object obj - 10.9.124.102
    Home 10.9.124.102
    network object obj - 115.111.99.133
    Home 115.111.99.133
    network object obj - 10.8.108.0
    10.8.108.0 subnet 255.255.255.0
    network object obj - 115.111.99.129
    Home 115.111.99.129
    network object obj - 195.254.159.133
    Home 195.254.159.133
    network object obj - 195.254.158.136
    Home 195.254.158.136
    network object obj - 209.164.192.0
    subnet 209.164.192.0 255.255.224.0
    network object obj - 209.164.208.19
    Home 209.164.208.19
    network object obj - 209.164.192.126
    Home 209.164.192.126
    network object obj - 10.8.100.128
    subnet 10.8.100.128 255.255.255.128
    network object obj - 115.111.99.130
    Home 115.111.99.130
    network object obj - 10.10.0.0
    subnet 10.10.0.0 255.255.0.0
    network object obj - 115.111.99.132
    Home 115.111.99.132
    network object obj - 10.10.1.45
    Home 10.10.1.45
    network object obj - 10.99.132.0
    10.99.132.0 subnet 255.255.255.0
    the Serversubnet object-group network
    object-network 10.10.1.0 255.255.255.0
    network-object 10.10.5.0 255.255.255.192
    the XYZ_destinations object-group network
    object-network 10.1.0.0 255.255.0.0
    object-network 10.2.0.0 255.255.0.0
    network-object 10.3.0.0 255.255.0.0
    network-object 10.4.0.0 255.255.0.0
    network-object 10.6.0.0 255.255.0.0
    network-object 10.7.0.0 255.255.0.0
    network-object 10.11.0.0 255.255.0.0
    object-network 10.12.0.0 255.255.0.0
    object-network 172.19.1.0 255.255.255.0
    object-network 172.19.2.0 255.255.255.0
    object-network 172.19.3.0 255.255.255.0
    object-network 172.19.7.0 255.255.255.0
    object-network 172.17.2.0 255.255.255.0
    object-network 172.17.3.0 255.255.255.0
    object-network 172.16.2.0 255.255.255.0
    object-network 172.16.3.0 255.255.255.0
    host of the object-Network 10.50.2.206
    the XYZ_us_admin object-group network
    network-object 10.3.1.245 255.255.255.255
    network-object 10.5.33.7 255.255.255.255
    network-object 10.211.5.7 255.255.255.255
    network-object 10.3.33.7 255.255.255.255
    network-object 10.211.3.7 255.255.255.255
    the XYZ_blr_networkdevices object-group network
    object-network 10.200.10.0 255.255.255.0
    access list XYZ extended ip 10.19.130.0 allow 255.255.255.0 145.248.194.0 255.255.255.0
    access list XYZ extended ip 10.19.130.0 allow 255.255.255.0 host 172.16.2.21
    access list XYZ extended ip 10.19.130.0 allow 255.255.255.0 host 172.16.2.22
    access list XYZ extended ip 10.19.130.0 allow 255.255.255.0 host XXXXXXXX
    Access extensive list ip 10.19.130.0 XYZ_PAT allow 255.255.255.0 any
    Access extensive list ip 10.1.134.0 XYZ_PAT allow 255.255.255.0 host 195.254.159.133
    Access extensive list ip 10.1.134.0 XYZ_PAT allow 255.255.255.0 host 195.254.158.136
    Access extensive list ip 10.1.134.0 XYZ_PAT allow 255.255.255.0 any
    Access extensive list ip 10.1.134.0 XYZ_PAT allow 255.255.255.0 209.164.192.0 255.255.224.0
    Access extensive list ip 10.1.134.0 XYZ_PAT allow 255.255.255.0 host 209.164.208.19
    Access extensive list ip 10.1.134.0 XYZ_PAT allow 255.255.255.0 host 209.164.192.126
    IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 208.75.237.0 255.255.255.0
    Allow Access-list extended sheep 255.255.255.0 10.1.134.0 IP 10.7.0.0 255.255.0.0
    IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.17.2.0 255.255.255.0
    IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.17.3.0 255.255.255.0
    IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.19.2.0 255.255.255.0
    IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.19.3.0 255.255.255.0
    IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.19.7.0 255.255.255.0
    10.1.134.0 IP Access-list extended sheep 255.255.255.0 allow 10.1.0.0 255.255.0.0
    10.1.134.0 IP Access-list extended sheep 255.255.255.0 allow 10.2.0.0 255.255.0.0
    Allow Access-list extended sheep 255.255.255.0 10.1.134.0 IP 10.3.0.0 255.255.0.0
    10.1.134.0 IP Access-list extended sheep 255.255.255.0 allow 10.4.0.0 255.255.0.0
    10.1.134.0 IP Access-list extended sheep 255.255.255.0 allow 10.6.0.0 255.255.0.0
    Allow Access-list extended sheep 255.255.255.0 10.1.134.0 IP 10.9.0.0 255.255.0.0
    Allow Access-list extended sheep 255.255.255.0 10.1.134.0 IP 10.11.0.0 255.255.0.0
    10.1.134.0 IP Access-list extended sheep 255.255.255.0 allow 10.12.0.0 255.255.0.0
    IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.19.1.0 255.255.255.0
    IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.21.2.0 255.255.255.0
    10.1.134.0 IP Access-list extended sheep 255.255.255.0 allow 172.16.2.0 255.255.255.0
    access-list extended sheep allowed host ip 10.19.130.201 172.30.2.0 255.255.255.0
    access-list extended sheep allowed host ip 10.19.130.201 172.30.3.0 255.255.255.0
    access-list extended sheep allowed host ip 10.19.130.201 172.30.7.0 255.255.255.0
    access-list extended sheep allowed ip object-group Serversubnet-group of objects XYZ_destinations
    10.10.1.0 IP Access-list extended sheep 255.255.255.0 allow 10.2.0.0 255.255.0.0
    10.19.130.0 IP Access-list extended sheep 255.255.255.0 allow host XXXXXXXX
    IP 10.19.130.0 allow Access-list extended sheep 255.255.255.0 145.248.194.0 255.255.255.0
    Access extensive list ip 10.8.108.0 Guest_PAT allow 255.255.255.0 any
    CACIB list extended access permitted ip 10.8.100.128 255.255.255.128 145.248.194.0 255.255.255.0
    Access extensive list ip 10.8.100.128 Cacib_PAT allow 255.255.255.128 all
    Access extensive list ip 10.1.134.0 New_Edge allow 255.255.255.0 208.75.237.0 255.255.255.0
    Allow XYZ_global to access extended list ip 10.7.0.0 255.255.0.0 10.1.134.0 255.255.255.0
    Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.7.0.0 255.255.0.0
    Access extensive list ip 172.17.2.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
    Access extensive list ip 172.17.3.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
    Access extensive list ip 172.19.2.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
    Access extensive list ip 172.19.3.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
    Access extensive list ip 172.19.7.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
    Access extensive list ip 10.1.0.0 XYZ_global allow 255.255.0.0 10.1.134.0 255.255.255.0
    Access extensive list 10.2.0.0 ip XYZ_global 255.255.0.0 allow 10.1.134.0 255.255.255.0
    Allow XYZ_global to access extended list ip 10.3.0.0 255.255.0.0 10.1.134.0 255.255.255.0
    Access extensive list 10.4.0.0 ip XYZ_global 255.255.0.0 allow 10.1.134.0 255.255.255.0
    Access extensive list 10.6.0.0 ip XYZ_global 255.255.0.0 allow 10.1.134.0 255.255.255.0
    Access extensive list ip 10.9.0.0 XYZ_global allow 255.255.0.0 10.1.134.0 255.255.255.0
    Allow XYZ_global to access extended list ip 10.11.0.0 255.255.0.0 10.1.134.0 255.255.255.0
    Access extensive list 10.12.0.0 ip XYZ_global 255.255.0.0 allow 10.1.134.0 255.255.255.0
    Access extensive list ip 172.19.1.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
    Access extensive list ip 172.21.2.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
    Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.17.2.0 255.255.255.0
    Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.17.3.0 255.255.255.0
    Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.19.2.0 255.255.255.0
    Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.19.3.0 255.255.255.0
    Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.19.7.0 255.255.255.0
    Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.1.0.0 255.255.0.0
    Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.2.0.0 255.255.0.0
    Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.3.0.0 255.255.0.0
    Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.4.0.0 255.255.0.0
    Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.6.0.0 255.255.0.0
    Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.9.0.0 255.255.0.0
    Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.11.0.0 255.255.0.0
    Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.12.0.0 255.255.0.0
    Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.19.1.0 255.255.255.0
    Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.21.2.0 255.255.255.0
    XYZ_global to access extended list ip 172.16.2.0 allow 255.255.255.0 10.1.134.0 255.255.255.0
    Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.16.2.0 255.255.255.0
    Access extensive list ip 172.30.2.0 XYZ_global allow 255.255.255.0 host 10.19.130.201
    XYZ_global list extended access allowed host ip 10.19.130.201 172.30.2.0 255.255.255.0
    Access extensive list ip 172.30.3.0 XYZ_global allow 255.255.255.0 host 10.19.130.201
    XYZ_global list extended access allowed host ip 10.19.130.201 172.30.3.0 255.255.255.0
    Access extensive list ip 172.30.7.0 XYZ_global allow 255.255.255.0 host 10.19.130.201
    XYZ_global list extended access allowed host ip 10.19.130.201 172.30.7.0 255.255.255.0
    XYZ_global list extended access permitted ip object-group Serversubnet-group of objects XYZ_destinations
    XYZ_global list extended access permitted ip object-group XYZ_destinations-group of objects Serversubnet
    ML_VPN list extended access allowed host ip 115.111.99.129 209.164.192.0 255.255.224.0
    permit access list extended ip host 115.111.99.129 ML_VPN 209.164.208.19
    permit access list extended ip host 115.111.99.129 ML_VPN 209.164.192.126
    permit access list extended ip host 10.9.124.100 Da_VPN 10.125.81.88
    permit access list extended ip host 10.9.124.101 Da_VPN 10.125.81.88
    permit access list extended ip host 10.9.124.102 Da_VPN 10.125.81.88
    Da_VPN list extended access allowed host ip 10.9.124.100 10.125.81.0 255.255.255.0
    Da_VPN list extended access allowed host ip 10.9.124.101 10.125.81.0 255.255.255.0
    Da_VPN list extended access allowed host ip 10.9.124.102 10.125.81.0 255.255.255.0
    Sr_PAT to access extended list ip 10.10.0.0 allow 255.255.0.0 any
    Da_Pd_VPN list extended access allowed host ip 10.9.124.100 10.125.80.64 255.255.255.192
    Da_Pd_VPN list extended access allowed host ip 10.9.124.100 10.125.64.0 255.255.240.0
    permit access list extended ip host 10.9.124.100 Da_Pd_VPN 10.125.85.46
    permit access list extended ip host 10.9.124.100 Da_Pd_VPN 10.125.86.46
    Da_Pd_VPN list extended access allowed host ip 10.9.124.101 10.125.80.64 255.255.255.192
    Da_Pd_VPN list extended access allowed host ip 10.9.124.101 10.125.64.0 255.255.240.0
    permit access list extended ip host 10.9.124.101 Da_Pd_VPN 10.125.85.46
    permit access list extended ip host 10.9.124.101 Da_Pd_VPN 10.125.86.46
    Da_Pd_VPN list extended access allowed host ip 10.9.124.102 10.125.80.64 255.255.255.192
    Da_Pd_VPN list extended access allowed host ip 10.9.124.102 10.125.64.0 255.255.240.0
    permit access list extended ip host 10.9.124.102 Da_Pd_VPN 10.125.85.46
    permit access list extended ip host 10.9.124.102 Da_Pd_VPN 10.125.86.46
    Access extensive list ip 10.19.130.0 XYZ_reliance allow 255.255.255.0 145.248.194.0 255.255.255.0
    access-list coextended permit ip host 2.2.2.2 XXXXXXXX
    access-list coextended allow the host ip XXXXXXXXhost 2.2.2.2
    permitted this access list extended ip 10.1.134.0 255.255.255.0 208.75.237.0 255.255.255.0
    permitted this access list extended ip 208.75.237.0 255.255.255.0 10.1.134.0 255.255.255.0
    access list acl-outside extended permit ip host 57.66.81.159 172.17.10.3
    access list acl-outside extended permit ip host 80.169.223.179 172.17.10.3
    access list acl-outside scope permit ip any host 172.17.10.3
    access list acl-outside extended permitted tcp any host 10.10.1.45 eq https
    access list acl-outside extended permit tcp any any eq 10000
    access list acl-outside extended deny ip any any newspaper
    pager lines 10
    Enable logging
    debug logging in buffered memory
    outside_rim MTU 1500
    MTU 1500 XYZ_DMZ
    Outside 1500 MTU
    Within 1500 MTU
    IP pool local XYZ_c2s_vpn_pool 172.30.10.51 - 172.30.10.254
    ICMP unreachable rate-limit 1 burst-size 1
    ICMP allow all outside
    ICMP allow any inside
    don't allow no asdm history
    ARP timeout 14400
    NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 208.75.237.0 obj - 208.75.237.0 no-proxy-arp-search to itinerary
    NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.7.0.0 obj - 10.7.0.0 no-proxy-arp-search to itinerary
    NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.17.2.0 obj - 172.17.2.0 no-proxy-arp-search to itinerary
    NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.17.3.0 obj - 172.17.3.0 no-proxy-arp-search to itinerary
    NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.19.2.0 obj - 172.19.2.0 no-proxy-arp-search to itinerary
    NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.19.3.0 obj - 172.19.3.0 no-proxy-arp-search to itinerary
    NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.19.7.0 obj - 172.19.7.0 no-proxy-arp-search to itinerary
    NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.1.0.0 obj - 10.1.0.0 non-proxy-arp-search to itinerary
    NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.2.0.0 obj - 10.2.0.0 non-proxy-arp-search to itinerary
    NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.3.0.0 obj - 10.3.0.0 no-proxy-arp-search to itinerary
    NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.4.0.0 obj - 10.4.0.0 non-proxy-arp-search to itinerary
    NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.6.0.0 obj - 10.6.0.0 non-proxy-arp-search to itinerary
    NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.9.0.0 obj - 10.9.0.0 no-proxy-arp-search to itinerary
    NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.11.0.0 obj - 10.11.0.0 no-proxy-arp-search to itinerary
    NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.12.0.0 obj - 10.12.0.0 non-proxy-arp-search to itinerary
    NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.19.1.0 obj - 172.19.1.0 no-proxy-arp-search to itinerary
    NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.21.2.0 obj - 172.21.2.0 no-proxy-arp-search to itinerary
    NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.16.2.0 obj - 172.16.2.0 non-proxy-arp-search to itinerary
    NAT (inside, all) source static obj - 10.19.130.201 obj - 10.19.130.201 destination static obj - 172.30.2.0 obj - 172.30.2.0 no-proxy-arp-search to itinerary
    NAT (inside, all) source static obj - 10.19.130.201 obj - 10.19.130.201 destination static obj - 172.30.3.0 obj - 172.30.3.0 no-proxy-arp-search to itinerary
    NAT (inside, all) source static obj - 10.19.130.201 obj - 10.19.130.201 destination static obj - 172.30.7.0 obj - 172.30.7.0 no-proxy-arp-search to itinerary
    NAT (inside, all) static source Serversubnet Serversubnet XYZ_destinations XYZ_destinations non-proxy-arp-search of route static destination
    NAT (inside, all) source static obj - 10.10.1.0 obj - 10.10.1.0 destination static obj - 10.2.0.0 obj - 10.2.0.0 non-proxy-arp-search to itinerary
    NAT (inside, all) source static obj - 10.19.130.0 obj - 10.19.130.0 destination static obj-XXXXXXXX XXXXXXXX - obj non-proxy-arp-search to itinerary
    NAT (inside, all) source static obj - 10.19.130.0 obj - 10.19.130.0 destination static obj - 145.248.194.0 obj - 145.248.194.0 no-proxy-arp-search to itinerary
    NAT source (indoor, outdoor), obj static obj - 10.1.134.100 - 10.9.124.100
    NAT source (indoor, outdoor), obj static obj - 10.1.134.101 - 10.9.124.101
    NAT source (indoor, outdoor), obj static obj - 10.1.134.102 - 10.9.124.102
    NAT interface dynamic obj - 10.8.108.0 source (indoor, outdoor)
    NAT (inside, outside) source dynamic obj - 10.19.130.0 obj - 115.111.99.129
    NAT (inside, outside) source dynamic obj - 10.1.134.0 obj - 115.111.99.129 destination static obj - 195.254.159.133 obj - 195.254.159.133
    NAT (inside, outside) source dynamic obj - 10.1.134.0 obj - 115.111.99.129 destination static obj - 195.254.158.136 obj - 195.254.158.136
    NAT (inside, outside) source dynamic obj - 10.1.134.0 obj - 115.111.99.129
    NAT (inside, outside) source dynamic obj - 10.1.134.0 obj - 115.111.99.129 destination static obj - 209.164.192.0 obj - 209.164.192.0
    NAT (inside, outside) source dynamic obj - 10.1.134.0 obj - 115.111.99.129 destination static obj - 209.164.208.19 obj - 209.164.208.19
    NAT (inside, outside) source dynamic obj - 10.1.134.0 obj - 115.111.99.129 destination static obj - 209.164.192.126 obj - 209.164.192.126
    NAT (inside, outside) source dynamic obj - 10.8.100.128 obj - 115.111.99.130
    NAT (inside, outside) source dynamic obj - 10.10.0.0 obj - 115.111.99.132
    NAT source (indoor, outdoor), obj static obj - 10.10.1.45 - 115.111.99.133
    NAT (inside, outside) source dynamic obj - 10.99.132.0 obj - 115.111.99.129
    !
    network object obj - 172.17.10.3
    NAT (XYZ_DMZ, outside) static 115.111.99.134
    Access-group acl-outside in external interface
    Route outside 0.0.0.0 0.0.0.0 115.111.23.129 1
    Route outside 0.0.0.0 0.0.0.0 115.254.127.130 10
    Route inside 10.10.0.0 255.255.0.0 10.8.100.1 1
    Route inside 10.10.1.0 255.255.255.0 10.8.100.1 1
    Route inside 10.10.5.0 255.255.255.192 10.8.100.1 1
    Route inside 10.8.100.128 255.255.255.128 10.8.100.1 1
    Route inside 10.8.108.0 255.255.255.0 10.8.100.1 1
    Route inside 10.19.130.0 255.255.255.0 10.8.100.1 1
    Route inside 10.99.4.0 255.255.255.0 10.99.130.254 1
    Route inside 10.99.132.0 255.255.255.0 10.8.100.1 1
    Route inside 10.1.134.0 255.255.255.0 10.8.100.1 1
    Route outside 208.75.237.0 255.255.255.0 115.111.23.129 1
    Timeout xlate 03:00
    Pat-xlate timeout 0:00:30
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    Floating conn timeout 0:00:00
    dynamic-access-policy-registration DfltAccessPolicy
    identity of the user by default-domain LOCAL
    AAA authentication LOCAL telnet console
    LOCAL AAA authorization command
    No snmp server location
    No snmp Server contact
    Server enable SNMP traps snmp authentication linkup, linkdown cold start
    Crypto ipsec transform-set esp-aes-256 ikev1, esp-sha-hmac vpn2
    Crypto ipsec transform-set esp-aes-256 ikev1, esp-md5-hmac vpn6
    Crypto ipsec transform-set esp-aes-256 ikev1, esp-sha-hmac vpn5
    Crypto ipsec transform-set esp-aes-256 ikev1, esp-md5-hmac vpn7
    Crypto ipsec transform-set esp-aes-256 ikev1, esp-sha-hmac vpn4
    Crypto ipsec transform-set esp-aes-256 ikev1, esp-sha-hmac vpn1
    Crypto ipsec transform-set esp-aes-256 ikev1, esp-sha-hmac vpn_reliance
    Crypto ipsec transform-set esp-3des esp-md5-hmac ikev1 c2s_vpn
    86400 seconds, duration of life crypto ipsec security association
    Crypto-map dynamic dyn1 ikev1 transform-set c2s_vpn 1 set
    Crypto-map dynamic dyn1 1jeu reverse-road
    card crypto vpn 1 corresponds to the address XYZ
    card 1 set of peer XYZ Peer IP vpn crypto
    1 set transform-set vpn1 ikev1 vpn crypto card
    card crypto vpn 1 lifetime of security set association, 3600 seconds
    card crypto vpn 1 set security-association life kilobytes 4608000
    correspondence vpn crypto card address 2 DON'T
    2 peer NE_Peer IP vpn crypto card game
    2 set transform-set vpn2 ikev1 vpn crypto card
    3600 seconds, duration of life card crypto vpn 2 set security-association
    card crypto vpn 2 set security-association life kilobytes 4608000
    card crypto vpn 4 corresponds to the address ML_VPN
    card crypto vpn 4 set pfs
    vpn crypto card game 4 peers ML_Peer IP
    4 set transform-set vpn4 ikev1 vpn crypto card
    3600 seconds, duration of life card crypto vpn 4 set - the security association
    card crypto vpn 4 set security-association life kilobytes 4608000
    vpn crypto card 5 corresponds to the address XYZ_global
    vpn crypto card game 5 peers XYZ_globa_Peer IP
    5 set transform-set vpn5 ikev1 vpn crypto card
    3600 seconds, duration of life card crypto vpn 5 set - the security association
    card 5 security-association life set vpn crypto kilobytes 4608000
    vpn crypto card 6 corresponds to the address Da_VPN
    vpn crypto card game 6 peers Da_VPN_Peer IP
    6 set transform-set vpn6 ikev1 vpn crypto card
    3600 seconds, duration of life card crypto vpn 6 set - the security association
    card crypto vpn 6 set security-association life kilobytes 4608000
    vpn crypto card 7 corresponds to the address Da_Pd_VPN
    7 peer Da_Pd_VPN_Peer IP vpn crypto card game
    7 set transform-set vpn6 ikev1 vpn crypto card
    3600 seconds, duration of life card crypto vpn 7 set - the security association
    card crypto vpn 7 set security-association life kilobytes 4608000
    vpn outside crypto map interface
    crypto map vpn_reliance 1 corresponds to the address XYZ_rim
    card crypto vpn_reliance 1 set of peer XYZ_rim_Peer IP
    card crypto 1 ikev1 transform-set vpn_reliance set vpn_reliance
    vpn_reliance card crypto 1 lifetime of security set association, 3600 seconds
    card crypto vpn_reliance 1 set security-association life kilobytes 4608000
    card crypto vpn_reliance interface outside_rim
    dynamic mymap 1 dyn1 ipsec-isakmp crypto map
    crypto isakmp identity address
    No encryption isakmp nat-traversal
    Crypto ikev1 enable outside_rim
    Crypto ikev1 allow outside
    IKEv1 crypto policy 1
    preshared authentication
    aes-256 encryption
    sha hash
    Group 5
    lifetime 28800
    IKEv1 crypto policy 2
    preshared authentication
    aes-256 encryption
    sha hash
    Group 5
    life 86400
    IKEv1 crypto policy 4
    preshared authentication
    aes-256 encryption
    sha hash
    Group 5
    life 28000
    IKEv1 crypto policy 5
    preshared authentication
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 100
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 43200
    IKEv1 crypto policy 65535
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    Telnet 10.8.100.0 255.255.255.224 inside
    Telnet timeout 5
    SSH timeout 5
    SSH group dh-Group1-sha1 key exchange
    Console timeout 0
    no basic threat threat detection
    no statistical access list - a threat detection
    no statistical threat detection tcp-interception
    internal XYZ_c2s_vpn group strategy
    username testadmin encrypted password oFJjANE3QKoA206w
    tunnel-group XXXXXXXX type ipsec-l2l
    tunnel-group ipsec-attributes XXXXXXXX
    IKEv1 pre-shared-key *.
    tunnel-group XXXXXXXXtype ipsec-l2l
    tunnel-group XXXXXXXXipsec-attributes
    IKEv1 pre-shared-key *.
    tunnel-group XXXXXXXX type ipsec-l2l
    tunnel-group ipsec-attributes XXXXXXXX
    IKEv1 pre-shared-key *.
    tunnel-group XXXXXXXX type ipsec-l2l
    tunnel-group ipsec-attributes XXXXXXXX
    IKEv1 pre-shared-key *.
    tunnel-group XXXXXXXX type ipsec-l2l
    tunnel-group ipsec-attributes XXXXXXXX
    IKEv1 pre-shared-key *.
    tunnel-group XXXXXXXX type ipsec-l2l
    tunnel-group ipsec-attributes XXXXXXXX
    IKEv1 pre-shared-key *.
    tunnel-group XXXXXXXX type ipsec-l2l
    tunnel-group ipsec-attributes XXXXXXXX
    IKEv1 pre-shared-key *.
    type tunnel-group XYZ_c2s_vpn remote access
    attributes global-tunnel-group XYZ_c2s_vpn
    address pool XYZ_c2s_vpn_pool
    IPSec-attributes tunnel-group XYZ_c2s_vpn
    IKEv1 pre-shared-key *.
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the netbios
    inspect the rsh
    inspect the rtsp
    inspect the skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect the tftp
    inspect the sip
    inspect xdmcp
    inspect the icmp
    Review the ip options
    !
    global service-policy global_policy
    level 3 privilege see the running-config command exec mode
    logging of orders privilege see the level 3 exec mode
    privilege see the level 3 exec mode command crypto
    context of prompt hostname
    no remote anonymous reporting call
    call-home
    Profile of CiscoTAC-1
    no active account
    http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
    email address of destination [email protected] / * /
    destination-mode http transport
    Subscribe to alert-group diagnosis
    Subscribe to alert-group environment
    Subscribe to alert-group monthly periodic inventory
    monthly periodicals to subscribe to alert-group configuration
    daily periodic subscribe to alert-group telemetry
    Cryptochecksum:caa7476cd348ed89b95d37d4e3c9e1d8
    : end

    XYZ #.

    Good news

    Follow these steps:

    network object obj - 172.30.10.0_24

    172.30.10.0 subnet 255.255.255.0

    !

    the LOCAL_NETWORKS_VPN object-group network

    object-network 1.1.1.0 255.255.255.0

    !

    NAT (inside, outside) 1 static source LOCAL_NETWORKS_VPN destination LOCAL_NETWORKS_VPN static obj - 172.30.10.0_24 obj - 172.30.10.0_24 - route search

    * Where 1.1.1.0/24 is the internal network that you want to reach through the tunnel.

    Keep me posted.

    Thank you.

    Please note all messages that will be useful.

  • Cisco ASA 5510 VPN Site to Site with Sonicwall

    I am trying to configure a tunnel between a Cisco ASA 5510 VPN (Version 8.2 (2)) and TZ200 Sonicwall. I rose tunnel and go and I am able to ping the internal IP address of Cisco ASA of the Sonicwall LAN but nothing work. When I try to ping a host behind the Cisco ASA of the Sonicwall LAN I get the following message "rules asymmetrical NAT matched for flows forward and backward; Connection for tcp src outside:10.20.10.x/xxxx dst inside:10.20.2.x/xxxx refused due to failure of reverse path of NAT"on the SAA

    Googling the error above shows the problems with version 8.3 or later that resembled the nat commands have been changed SAA, train is still on 8.2 but I another common question does not add an exemption of NAT I have double-triple checked that I did add an exception rule of NAT of the hosts on the network from cisco for the guests of the Sonicwall network. Looks like I hit a road block so any help would be appreciated. Thank you

    Here are a few excertps of the config file (10.20.2.0 behind the cisco) and 10.20.10.0 behind the sonicwall

    NAT (inside) 0 access-list sheep

    ..

    IP 10.20.2.0 allow Access-list extended sheep 255.255.255.0 10.20.10.0 255.255.255.0

    access extensive list ip 10.20.2.0 outside_1_cryptomap allow 255.255.255.0 10.20.10.0 255.255.255.0

    ..

    card crypto outside_map 1 match address outside_1_cryptomap

    card crypto outside_map 1 set counterpart x.x.x.x

    card crypto outside_map 1 set of transformation-ESP-3DES-SHA

    outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

    outside_map interface card crypto outside

    ..

    crypto ISAKMP allow outside

    crypto ISAKMP policy 5

    preshared authentication

    3des encryption

    sha hash

    Group 2

    lifetime 28800

    ..

    internal SiteToSitePolicy group strategy

    attributes of Group Policy SiteToSitePolicy

    VPN-idle-timeout no

    Protocol-tunnel-VPN IPSec

    Split-tunnel-network-list no

    ..

    tunnel-group x.x.x.x type ipsec-l2l

    tunnel-group x.x.x.x General attributes

    Group Policy - by default-SiteToSitePolicy

    tunnel-group ipsec-attributes x.x.x.x

    pre-shared key *.

    ..

    Added some excerpts from the configuration file

    Hello Manjitriat,

    Okay, detected IPSEC parody is normal, that means you are trying to send unencrypted on a line of encrypted packets.

    Now, if you see on the plotter of package that traffic will hollow the VPN channel all its fine in your site.

    Now the packet tracer must be something like this:

    entrance to Packet-trace inside private_ip_lan destination_private_ip_lan 1025 tcp 80

    Please provide us with the result of the following instructions after you run the packet tracer.

    See the crypto Isakamp SA

    See the crypto Ipsec SA

    Kind regards

    Julio

  • False claims RADIUS of customer VPN Cisco ASA 5510

    Hello world

    I use the Cisco VPN client 5.0.7 and Cisco ASA 5510 (7.4 and 8.4.2) VPN RAS solution. Clients are authenticated using certificates and RADIUS AAA (ACS 3.3) and AD.

    Each time, when the client connects, ASA 2 RADIUS requests questions, correct first - which is successfully authenticated by FAC and immediately - second that always fails. I couldn't find information related to this strange behaivor. Function "Double Authentication" (more sympathetic to his name) is only accessible to Anyconnect customers who we do not. When I'm authenicated by using password group, there is only one query RADIUS.

    What is the source of such behavior?

    The negative impact is that my logs are filled with the failed authentication attempts fallacious and users are incrementig attempts failed in the AD meter.

    Debugging of ASA:

    -First application-

    RDS 2011-10-24 16:16:01 0232 14884 request code 172.16.8.1:1645 host = 1 id = 22, length = 145 on port 1025

    RDS 2011-10-24 16:16:01 I 2519 14884 [001] value of username: User1

    RDS 2011-10-24 16:16:01 I 2519 14884 [002] value username-password: 2D A9 B2 D0 15 5F 1E B8 BB DB 3A 38 F5 24 72 B5

    RDS 2011-10-24 16:16:01 I 2538 14884 [005] NAS-Port value:-1072693248

    RDS 2011-10-24 16:16:01 I 2538 14884 [006] Type of Service value: 2

    RDS 2011-10-24 16:16:01 I 2538 14884 [007] value Framed-Protocol: 1

    RDS 2011-10-24 16:16:01 I 2519 14884 [030] value Called-Station-Id: 172.16.8.1

    RDS 2011-10-24 16:16:01 I 2519 14884 [031] value of Calling-Station-Id: 10.4.14.14

    RDS 2011-10-24 16:16:01 I 2538 14884 [061] NAS-Port-Type value: 5

    RDS 2011-10-24 16:16:01 I 2533 14884 [066] Tunnel-Client-Endpoint value: [T1] 10.4.14.14

    RDS 2011-10-24 16:16:01 I 14884 2556 [004] value of NAS-IP-Address: 172.16.8.1

    RDS 2011-10-24 16:16:01 I 2561 14884 [026] Vendor-Specific vsa id: 9

    RDS 2011-10-24 16:16:01 I 2596 14884 [001] cisco-av-pair value: ip:source - ip = 10.4.14.14

    RDS 2011-10-24 16:16:01 I 0282 14884 ExtensionPoint: run the configured scan extension points...

    RDS 2011-10-24 16:16:01 I 0314 14884 ExtensionPoint: advertising [AuthenticationExtension] provider [Cisco EAP generic]

    RDS 2011-10-24 16:16:01 I 0763 14884 ExtensionPoint: Message-[generic EAP] lack of EAP, ignorant...

    RDS 2011-10-24 16:16:01 I 0319 14884 ExtensionPoint: [GenericEAP.dll-> AuthenticationExtension] returned [1 - ignored]

    RDS 2011-10-24 16:16:01 I 0314 14884 ExtensionPoint: asking provider [Download Cisco ACL] [AuthenticationExtension]

    RDS 2011-10-24 16:16:01 I 0763 14884 ExtensionPoint: [DnldACLs] asking not a download of ACL, ignorant...

    RDS 2011-10-24 16:16:01 I 0319 14884 ExtensionPoint: [DnldACLs.dll-> AuthenticationExtension] returned [1 - ignored]

    RDS 2011-10-24 16:16:02 I 14884 0475 AuthorExtensionPoint: run the configured scan extension points...

    RDS 2011-10-24 16:16:02 I 14884 0507 AuthorExtensionPoint: requesting provider [Download Cisco ACL] [AuthorisationExtension]

    RDS 2011-10-24 16:16:02 I 0763 14884 ExtensionPoint: looking for ACL from [DnldACLs] to [user1]

    RDS 2011-10-24 16:16:02 I 0512 14884 AuthorExtensionPoint: [DnldACLs.dll-> AuthorisationExtension] returned [1 - ignored]

    RDS 2011-10-24 16:16:02 3360 14884 sent response code 2, id 22 to 172.16.8.1 on port 1025

    RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9

    RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: ip:addr - pool = vpnpool

    RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9

    RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: ip:wins - servers = 10.2.9.12 10.3.9.10 10.4.2.202

    RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9

    RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: IP: DNS-servers = 10.2.9.12 10.3.9.10 10.4.2.202

    RDS 2011-10-24 16:16:02 I 2538 14884 [006] Type of Service value: 2

    RDS 2011-10-24 16:16:02 I 2538 14884 [007] value Framed-Protocol: 1

    RDS 2011-10-24 16:16:02 I 2538 14884 [013] box-Compression value: 1

    RDS 2011-10-24 16:16:02 I 14884 2556 [008] value box-IP-Address: 255.255.255.254

    RDS 2011-10-24 16:16:02 I 2519 14884 [025] value class: CISCOACS:002cb2a9/ac100801/3222274048

    -The second request-

    RDS 2011-10-24 16:16:02 0232 14884 request code 172.16.8.1:1645 host = 1 id = 23, length = 145 on port 1025

    RDS 2011-10-24 16:16:02 I 2519 14884 [001] value of username: User1

    RDS 2011-10-24 16:16:02 I 2519 14884 [002] value username-password: 06 EA 08 AB C7 8F 75 D0 A5 E5 AE B7 A8 1 48 96 b

    RDS 2011-10-24 16:16:02 I 2538 14884 [005] NAS-Port value:-1072693248

    RDS 2011-10-24 16:16:02 I 2538 14884 [006] Type of Service value: 2

    RDS 2011-10-24 16:16:02 I 2538 14884 [007] value Framed-Protocol: 1

    RDS 2011-10-24 16:16:02 I 2519 14884 [030] value Called-Station-Id: 172.16.8.1

    RDS 2011-10-24 16:16:02 I 2519 14884 [031] value of Calling-Station-Id: 10.4.14.14

    RDS 2011-10-24 16:16:02 I 2538 14884 [061] NAS-Port-Type value: 5

    RDS 2011-10-24 16:16:02 I 2533 14884 [066] Tunnel-Client-Endpoint value: [T1] 10.4.14.14

    RDS 2011-10-24 16:16:02 I 14884 2556 [004] value of NAS-IP-Address: 172.16.8.1

    RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9

    RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: ip:source - ip = 10.4.14.14

    RDS 2011-10-24 16:16:02 I 0282 14884 ExtensionPoint: run the configured scan extension points...

    RDS 2011-10-24 16:16:02 I 0314 14884 ExtensionPoint: advertising [AuthenticationExtension] provider [Cisco EAP generic]

    RDS 2011-10-24 16:16:02 I 0763 14884 ExtensionPoint: Message-[generic EAP] lack of EAP, ignorant...

    RDS 2011-10-24 16:16:02 I 0319 14884 ExtensionPoint: [GenericEAP.dll-> AuthenticationExtension] returned [1 - ignored]

    RDS 2011-10-24 16:16:02 I 0314 14884 ExtensionPoint: asking provider [Download Cisco ACL] [AuthenticationExtension]

    RDS 2011-10-24 16:16:02 I 0763 14884 ExtensionPoint: [DnldACLs] asking not a download of ACL, ignorant...

    RDS 2011-10-24 16:16:02 I 0319 14884 ExtensionPoint: [DnldACLs.dll-> AuthenticationExtension] returned [1 - ignored]

    RDS 2011-10-24 16:16:02 P 2237 14884 user: User1 - Windows user unknown or invalid password

    RDS 2011-10-24 16:16:02 3360 14884 sent response code 3, id 23 to 172.16.8.1 on port 1025

    RDS 2011-10-24 16:16:02 I 2519 14884 [018] value Reply-Message: rejected...

    RDS 2011-10-24 16:16:03 0232 14884 request code 10.2.47.200:1812 host = 1 id = 254, length = 227 on port 32769

    RDS 2011-10-24 16:16:03 2788 14884 (VSA unknown Vendor ID 14179)

    GBA debug:

    -First application-

    AUTH 24/10/2011 16:16:01 I 0365 13060 external DB [NTAuthenDLL.dll]: from [user01] user authentication
    AUTH 24/10/2011 16:16:01 I 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication attempt for the user1 user

    AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: authentication Windows successfully (by DCCORPMSK04)
    AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: information get RAS to the user user1 DCCORPMSK04

    -The second request-
    AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: from [user1] user authentication
    AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication attempt for the user1 user
    AUTH 24/10/2011 16:16:02 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication FAILED (Error 1326 L)
    AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: retry authentication to the CORP domain
    AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication attempt for the user1 user
    AUTH 24/10/2011 16:16:02 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication FAILED (Error 1326 L)

    The ASA config:

    Crypto ikev1 allow outside
    Crypto ikev1 allow inside
    IKEv1 crypto ipsec-over-tcp port 10000
    life 86400
    IKEv1 crypto policy 65535
    authentication rsa - sig
    3des encryption
    md5 hash
    Group 2
    life 86400

    !

    internal Cert_auth group strategy
    attributes of Group Policy Cert_auth
    client ssl-VPN-tunnel-Protocol ikev1 l2tp ipsec
    Split-tunnel-policy tunnelspecified
    value of Split-tunnel-network-list aclVPN2
    the address value vpnpool pools
    rule of access-client-none

    !

    attributes global-tunnel-group DefaultRAGroup
    address (inside) vpnpool pool
    address vpnpool pool
    authentication-server-group RADIUS01
    authorization-server-group RADIUS01
    authorization-server-group (inside) RADIUS01
    Group Policy - by default-Cert_auth

    !

    RADIUS protocol AAA-server RADIUS01
    AAA-server host 10.2.9.224 RADIUS01 (inside)
    key *.
    RADIUS-common-pw *.
    AAA-server host 10.4.2.223 RADIUS01 (inside)
    key *.

    Hello

    It is a 'classic' error and has nothing to do with dual authentication, but rather with the fact that you do both radius and authorization of RADIUS authentication.

    If you remove this line:

    authorization-server-group RADIUS01

    you will see that it starts to work properly

    In short: when ASA no authorization of RADIUS, it sends a request to access radius with the username as a password, that's why you see the second application fails all the time.

    This is because the RADIUS authorization is intended to be used when authentication happens using certificates (only) so there is no password.

    Also note that within the RADIUS protocol, authentication and authorization are not separate things, both occur in a single step. So if the ASA makes the radius authentication, he already gets the user attributes in the authentication step and it makes no sense to also make a separate authorization stage (except in a few very rare scenario where you have 2 radius servers, one for authentication and another for permission).

    HTH

    Herbert

  • Cisco ASA 5510 + license + AIP - SSM

    Hello.

    I have this box.

    I have a few questions about it.

    (1) I'll be able to update the firmware (from 8.2 to 8.3 or greater for example) without smarnet for ASA 5510? And what can not do without smartnet?

    (2) I have only AIP-SSM-10 module this ASA 5510. is there a smartnet, too? And when I buy only one module is it build in a subscription for 1 year for the signatures of the IPS?

    (3) if I have the Cisco ASA 5510 base license, my IPS on AIP-SSM-10 will work?

    (4) as I foresee in a purchase of the year a 5510 more with the same module and mount ther of failover. I really need license Security more than failover (active / standby)? For active/active, I know I need one, Yes?

    Please help me.

    (1) you must Smartnet in order to download the software from the download from cisco.com site.

    (2) Yes, there is also a smartnet for the AIP module. Module AIP does not come with one year subscription, but you can ask for a demo license.

    (3) Yes, the basic license is OK for the AIP module.

    (4) Yes, you would need license security more on the two ASA to be able to run any type of failover on ASA5510.

    Hope that answers your questions.

  • How to activate IP accounting or capture packets in Cisco ASA 5510 (8.2)

    Hi all

    Please help me for activation

    IP accounting packets or capture in Cisco ASA 5510 (8.2).

    Thank you

    Solene

    Hi Eric,.

    Create a list of access with the source destination ip address and/or tcp/udp ports

    can use it

    CAP_NAME access-list ACL_NAME buffer 12345bytes INT_NAME capture interface

    You can check capture

    See the capture?

    Name Capture PASSWORD

    |     Output modifiers

    Take care

    PaulC

  • in my cisco asa 5510 heartbeat interface

    Cisco asa 5510 heartbeat interface

    Of course, we will need to more information than what you have given to us. Next time, don't even bother if you want to help us...

  • Cisco ASA 5510 - IOS upgrade 7.0 failing. Not found Flash BIOS

    Hello everyone

    I have a Cisco ASA 5510 in a lab with none of the configurations environment what so ever.

    Objective: upgrade the IOS current version 7.0 (8) to 7.1.1 (possibly go to 8.2 until memory upgrade on the SAA: 256 MB to 1 GB and then move to the latest version of 8.2 IOS).

    Output to see the attached Version.

    Output Flash attached show.

    asa711 - k8.bin is the file that has been copied from a TFTP server to flash.

    The following commands have been executed in order to update the IOS

    ciscoasa (config) # boot flash system: / asa711 - k8.bin
    INFO: Conversion of flash: / asa711 - k8.bin to disk0: / asa711 - k8.bin
    ciscoasa (config) #.
    ciscoasa (config) # end
    ciscoasa # write memory
    Cryptochecksum: aaaa08ce ccde38f2 19c42e08 dea24cbd
    2713 bytes copied in 1,450 dry (2713 bytes/s)
    [OK]
    ciscoasa # reload

    PROBLEM: the device ASA goes in an infinite loop (guard restart). This is the message on the console:

    The system boot, please wait...

    CISCO SYSTEMS
    Embedded BIOS Version 1.0 (11) 15:11:51.82 5 08/28/08
    Memory: 631ko
    Memory: 256 MB
    PCI device table.
    Bus Dev Func VendID DevID class Irq
    00 00 00 8086 2578 host Bridge
    00 01 00 8086 2579 PCI to PCI bridge
    00 03 00 8086 PCI bridge to PCI 257 b
    00 1 00 8086 PCI bridge to PCI 25AE
    1 d 00 00 8086 25A 9 Serial Bus 11
    1 00 01 8086 25AA Bus series 10 d
    1 d 00 04 8086 25AB system
    1 d 00 05 8086 25AC IRQ controller
    1 d 00 07 8086 25AD Bus series 9
    1E 00 00 8086 PCI bridge to 244th PCI
    1F 00 00 8086 25A 1 ISA Bridge
    1F 00 02 8086 25 IDE controller has 3 11
    1F 00 03 8086 25A 4 Bus series 5
    1F 00 05 8086 25A 6 Audio 5
    02 01 00 8086 1075 Ethernet 11
    03 01 00 177 D 0003 encrypt/decrypt 9
    03 02 00 8086 1079 Ethernet 9
    03 02 01 8086 1079 Ethernet 9
    03 03 00 8086 1079 Ethernet 9
    03 03 01 8086 1079 Ethernet 9
    04 02 00 8086 1209 Ethernet 11
    04 03 00 8086 1209 Ethernet 5
    Evaluate the BIOS Options...
    Launch of the BIOS Extension installation ROMMON
    Cisco Systems ROMMON Version (1.0 (11) 5) #0: Thu Aug 28 15:23:50 CDT 2008
    Platform ASA5510
    Use BREAK or ESC to interrupt the boot.
    Use the SPACE to start boot immediately.
    Start the program boot...
    Startup configuration file contains 1 entry.

    Load disk0: / asa711 - k8.bin... The starting...

    256 MB OF RAM
    Total of SSMs found: 0
    Total cards network found: 7
    mcwa i82557 Ethernet to irq 11 MAC: 0024.974a.65af
    mcwa i82557 Ethernet to the irq 5 MAC: 0000.0001.0001
    Not found BIOS flash.
    Reset...

    The only way for me to do things to normal is if I BREAK the sequence starting with ESC and go into ROMMON mode. I then issue a start command for the SAA to start with 7.0 (8) default IOS Image.

    Please can someone explain what is the problem here?

    Apologies if I'm missing something obvious that I'm not an expert of the SAA.

    Looks like that the ASA is hitting a field notice: fn62378. The FN, it's because of the incompatible version of hardware and software. Please upgrade to version 7.1.2 instead of 7.1.1. If you plan to spend in 8.2. So instead of going 7.1.2 you could go to 7.2.5 (recommanded), then 8.2.5

    http://www.Cisco.com/c/en/us/support/docs/field-notices/620/fn62378.html

    It will be useful.

    Kind regards

    Akshay Rouanet

    Remember messages useful rate.

  • Cisco ASA 5510 multiple dynamic config VPN L2L necessary

    Hello

    We have a Cisco asa 5510 with static IP address. Also, we have a remote office with a dynamic IP address. We now have a dynamic to static VPN configured L2L. And now, we must add new tunnel to another site with a dynamic IP address. Is this possible? Does anyone have an example of woking, or manual?

    Oleg Kobelev

    The config only you need in the ASA is: -.

    (1) set of crypto processing

    (2) political ISAKMP

    (3) dynamic Crypto map

    (4) default group L2L & PSK

    (5) Config RRI (reverse Route Injection)

    HTH >

  • Cisco ASA 5510 - Cisco Client can connect to the VPN but cannot Ping!

    Hello

    I have an ASA 5510 with the configuration below. I have configure the ASA as vpn server for remote access with cisco vpn client, now my problem is that I can connect but I can not ping.

    Config

    ciscoasa # sh run

    : Saved

    :

    ASA Version 8.0 (3)

    !

    ciscoasa hostname

    activate the 5QB4svsHoIHxXpF password / encrypted

    names of

    xxx.xxx.xxx.xxx SAP_router_IP_on_SAP name

    xxx.xxx.xxx.xxx ISA_Server_second_external_IP name

    xxx.xxx.xxx.xxx name Mail_Server

    xxx.xxx.xxx.xxx IncomingIP name

    xxx.xxx.xxx.xxx SAP name

    xxx.xxx.xxx.xxx Web server name

    xxx.xxx.xxx.xxx cms_eservices_projects_sharepointold name

    isa_server_outside name 192.168.2.2

    !

    interface Ethernet0/0

    nameif outside

    security-level 0

    address IP IncomingIP 255.255.255.248

    !

    interface Ethernet0/1

    nameif inside

    security-level 100

    IP 192.168.2.1 255.255.255.0

    !

    interface Ethernet0/2

    Shutdown

    No nameif

    no level of security

    no ip address

    !

    interface Ethernet0/3

    Shutdown

    No nameif

    no level of security

    no ip address

    !

    interface Management0/0

    nameif management

    security-level 100

    IP 192.168.1.253 255.255.255.0

    management only

    !

    passwd 123

    passive FTP mode

    clock timezone IS 2

    clock summer-time EEDT recurring last Sun Mar 03:00 last Sun Oct 04:00

    TCP_8081 tcp service object-group

    EQ port 8081 object

    DM_INLINE_TCP_1 tcp service object-group

    EQ port 3389 object

    port-object eq ftp

    port-object eq www

    EQ object of the https port

    EQ smtp port object

    EQ Port pop3 object

    port-object eq 3200

    port-object eq 3300

    port-object eq 3600

    port-object eq 3299

    port-object eq 3390

    EQ port 50000 object

    port-object eq 3396

    port-object eq 3397

    port-object eq 3398

    port-object eq imap4

    EQ port 587 object

    port-object eq 993

    port-object eq 8000

    EQ port 8443 object

    port-object eq telnet

    port-object eq 3901

    purpose of group TCP_8081

    EQ port 1433 object

    port-object eq 3391

    port-object eq 3399

    EQ object of port 8080

    EQ port 3128 object

    port-object eq 3900

    port-object eq 3902

    port-object eq 7777

    port-object eq 3392

    port-object eq 3393

    port-object eq 3394

    Equalizer object port 3395

    port-object eq 92

    port-object eq 91

    port-object eq 3206

    port-object eq 8001

    EQ port 8181 object

    object-port 7778 eq

    port-object eq 8180

    port-object 22222 eq

    port-object eq 11001

    port-object eq 11002

    port-object eq 1555

    port-object eq 2223

    port-object eq 2224

    object-group service RDP - tcp

    EQ port 3389 object

    3901 tcp service object-group

    3901 description

    port-object eq 3901

    object-group service tcp 50000

    50000 description

    EQ port 50000 object

    Enable_Transparent_Tunneling_UDP udp service object-group

    port-object eq 4500

    access-list connection to SAP Note inside_access_in

    inside_access_in to access extended list ip 192.168.2.0 allow 255.255.255.0 host SAP_router_IP_on_SAP

    access-list inside_access_in note outgoing VPN - PPTP

    inside_access_in list extended access permitted tcp 192.168.2.0 255.255.255.0 any eq pptp

    access-list inside_access_in note outgoing VPN - GRE

    inside_access_in list extended access allow accord 192.168.2.0 255.255.255.0 any

    Comment from inside_access_in-list of access VPN - GRE

    inside_access_in list extended access will permit a full

    access-list inside_access_in note outgoing VPN - Client IKE

    inside_access_in list extended access permitted udp 192.168.2.0 255.255.255.0 any isakmp eq

    Comment of access outgoing VPN - IPSecNAT - inside_access_in-list T

    inside_access_in list extended access permitted udp 192.168.2.0 255.255.255.0 any eq 4500

    Note to inside_access_in of outgoing DNS list access

    inside_access_in list extended access udp allowed any any eq field

    Note to inside_access_in of outgoing DNS list access

    inside_access_in list extended access permit tcp any any eq field

    Note to inside_access_in to access list carried forward Ports

    inside_access_in list extended access permitted tcp 192.168.2.0 255.255.255.0 any DM_INLINE_TCP_1 object-group

    access extensive list ip 172.16.1.0 inside_access_in allow 255.255.255.0 any

    outside_access_in of access allowed any ip an extended list

    outside_access_in list extended access permit tcp any any eq pptp

    outside_access_in list extended access will permit a full

    outside_access_in list extended access allowed grateful if any host Mail_Server

    outside_access_in list extended access permit tcp any host Mail_Server eq pptp

    outside_access_in list extended access allow esp a whole

    outside_access_in ah allowed extended access list a whole

    outside_access_in list extended access udp allowed any any eq isakmp

    outside_access_in list of permitted udp access all all Enable_Transparent_Tunneling_UDP object-group

    list of access allowed standard VPN 192.168.2.0 255.255.255.0

    corp_vpn to access extended list ip 192.168.2.0 allow 255.255.255.0 172.16.1.0 255.255.255.0

    pager lines 24

    Enable logging

    asdm of logging of information

    Outside 1500 MTU

    Within 1500 MTU

    management of MTU 1500

    pool POOL 172.16.1.10 - 172.16.1.20 255.255.255.0 IP mask

    no failover

    ICMP unreachable rate-limit 1 burst-size 1

    ASDM image disk0: / asdm - 603.bin

    don't allow no asdm history

    ARP timeout 14400

    NAT-control

    Global (outside) 2 Mail_Server netmask 255.0.0.0

    Global 1 interface (outside)

    Global interface (2 inside)

    NAT (inside) 0-list of access corp_vpn

    NAT (inside) 1 0.0.0.0 0.0.0.0

    static (inside, outside) tcp Mail_Server 8001 8001 ISA_Server_second_external_IP netmask 255.255.255.255

    static (inside, outside) tcp Mail_Server 8000 ISA_Server_second_external_IP 8000 netmask 255.255.255.255

    static (inside, outside) tcp Mail_Server pptp pptp netmask 255.255.255.255 isa_server_outside

    public static tcp (indoor, outdoor) Mail_Server smtp smtp isa_server_outside mask 255.255.255.255 subnet

    static (inside, outside) tcp 587 Mail_Server isa_server_outside 587 netmask 255.255.255.255

    static (inside, outside) tcp Mail_Server 9444 isa_server_outside 9444 netmask 255.255.255.255

    static (inside, outside) tcp 9443 Mail_Server 9443 netmask 255.255.255.255 isa_server_outside

    static (inside, outside) tcp 3389 3389 netmask 255.255.255.255 isa_server_outside Mail_Server

    static (inside, outside) tcp 3390 Mail_Server 3390 netmask 255.255.255.255 isa_server_outside

    static (inside, outside) tcp Mail_Server 3901 isa_server_outside 3901 netmask 255.255.255.255

    static (inside, outside) tcp SAP 50000 50000 netmask 255.255.255.255 isa_server_outside

    static (inside, outside) tcp SAP 3200 3200 netmask 255.255.255.255 isa_server_outside

    static (inside, outside) SAP 3299 isa_server_outside 3299 netmask 255.255.255.255 tcp

    static (inside, outside) tcp Mail_Server www isa_server_outside www netmask 255.255.255.255

    static (inside, outside) tcp Mail_Server https isa_server_outside https netmask 255.255.255.255

    static (inside, outside) tcp Mail_Server pop3 pop3 netmask 255.255.255.255 isa_server_outside

    static (inside, outside) tcp imap4 Mail_Server imap4 netmask 255.255.255.255 isa_server_outside

    static (inside, outside) tcp cms_eservices_projects_sharepointold 9999 9999 netmask 255.255.255.255 isa_server_outside

    public static 192.168.2.0 (inside, outside) - corp_vpn access list

    Access-group outside_access_in in interface outside

    inside_access_in access to the interface inside group

    Route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout, uauth 0:05:00 absolute

    dynamic-access-policy-registration DfltAccessPolicy

    Enable http server

    http 192.168.2.0 255.255.255.0 inside

    http 192.168.1.0 255.255.255.0 management

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown cold start

    Crypto ipsec transform-set esp - esp-md5-hmac transet

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

    Crypto-map dynamic dynmap 10 set pfs

    Crypto-map dynamic dynmap 10 transform-set ESP-3DES-SHA transet

    cryptomap 10 card crypto ipsec-isakmp dynamic dynmap

    cryptomap interface card crypto outside

    crypto isakmp identity address

    crypto ISAKMP allow outside

    crypto ISAKMP policy 10

    preshared authentication

    3des encryption

    md5 hash

    Group 2

    life 86400

    crypto ISAKMP policy 30

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    No encryption isakmp nat-traversal

    Telnet 192.168.2.0 255.255.255.0 inside

    Telnet 192.168.1.0 255.255.255.0 management

    Telnet timeout 5

    SSH timeout 5

    Console timeout 0

    dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx interface inside

    dhcpd domain.local domain inside interface

    !

    a basic threat threat detection

    host of statistical threat detection

    Statistics-list of access threat detection

    Management Server TFTP 192.168.1.123.

    internal group mypolicy strategy

    mypolicy group policy attributes

    Split-tunnel-policy tunnelspecified

    Split-tunnel-network-list value VPN

    Pseudo vpdn password 123

    vpdn username attributes

    VPN-group-policy mypolicy

    type of remote access service

    type mypolicy tunnel-group remote access

    tunnel-group mypolicy General attributes

    address-pool

    strategy-group-by default mypolicy

    tunnel-group mypolicy ipsec-attributes

    pre-shared-key *.

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    type of policy-card inspect dns preset_dns_map

    parameters

    message-length maximum 512

    Policy-map global_policy

    class inspection_default

    inspect the preset_dns_map dns

    inspect the ftp

    inspect h323 h225

    inspect the h323 ras

    inspect the rsh

    inspect the rtsp

    inspect esmtp

    inspect sqlnet

    inspect the skinny

    inspect sunrpc

    inspect xdmcp

    inspect the sip

    inspect the netbios

    inspect the tftp

    inspect the pptp

    !

    global service-policy global_policy

    context of prompt hostname

    Cryptochecksum:b8bb19b6cb05cfa9ee125ad7bc5444ac

    : end

    Thank you very much.

    Hello

    You probably need

    Policy-map global_policy

    class inspection_default

    inspect the icmp

    inspect the icmp error

    Your Tunnel of Split and NAT0 configurations seem to.

    -Jouni

  • Cisco ASA 5510 - restrictions of VPN (AnyConnect) based on the AD user or IP address

    Hello

    I want to test how to restrict access user on an ASA 5510 AnyConnect. In politics, I can define what networks will go through the VPN tunnel and which not (split tunneling). The ASA has a LDAP connection and only AD users with a special security group can connect over AnyConnect.
    On the other hand I would like to restrict access for special users within a VPN policy.

    So my question:
    What are your recommendations to implement this szenario?

    My two ideas would be:
    1. the access rules based on the user of the AD.
    2. special reserve IP addresses in the pool of addresses AnyConnect for some users, so I can limit access to the normal firewall rules base based on the source IP address.

    What are your recommendations and is it possible to realize my ideas (and how)?

    Thanks in advance

    Best regards

    Hello

    I will suggest that you configure a second ad group in the server and another group strategy in the ASA, you can configure certain access on each group policy "the installer of the filters, assign different split political tunnel, different ACL' and in the ad server, you can assign users for example to the AD Group A and AD Group B based on the access you want to give them now , you must configure LDAP mapping to assign the user specific group policy that you want based on the AD group that they belong.

    You can follow this documentation that will help you configure the LDAP Mapping:

    http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

    Best regards, please rate.

  • VPN Cisco ASA 5510 - 250 licenses?

    I can't find a clear answer on this.  I see that only 2 SSL VPN clients are included, but if I buy an ASA 5510 (ASA5510-BUN-K9), am I allowed to use as a VPN endpoint for up to 250 customers?  If so, is it a total of VPN 'site-to-site' and 'customer '?

    For IPSec VPN (IPSec VPN site-to-site and remote client access), there is no additional license required as it is included in the device.

    For SSL VPN, there is failure to license 2, and if you need more than 2 connections SSL VPN Client, then Yes, you must purchase an additional license (the AnyConnect Essentials or the AnyConnect license Premium depending on what you need).

  • Licenses, IPS on pair of Cisco ASA 5510 active / standby

    I have two ASA 5510 devices in Active mode / standby.  I think of buying both used IPS modules and their installation.  My question is, me 1 or 2 licenses IPS that requires?  We are on 8.4 right now, and I see 8.3 Cisco changed license to c/o to where you need only one license, not two.  This is true for any way VPN licenses, so I was wondering if the same applies to licenses IPS.

    In addition, the unique licensing model will as much as only requiring a base for the pair a/s license too?  Or is the base license, something that you must have two pair a/s?

    Failover doesn't f, you have only one module in the ASA elementary school. You must have two modules. But it is fine if you do not have a subscription license for your secondary IPS (at least for the system).

    --
    Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
    http://www.Kiva.org/invitedBy/karsteni

  • Cisco ASA - l2l IPSEC tunnel two dynamic hosts

    Hello

    I have two firewall Cisco ASA an i want to made a l2l between two ipsec tunnel, the problem is that both parties have a dynamic IP, on both sides I have configured dyndns, can I did an ipsec tunnel using dyndns name such as address peer?

    Hello

    ASA supports only the RFC compliant method for updates used with dynamic DNS, not updates HTTP, such as dyndns.org and others use.
    i.e. https://tools.cisco.com/bugsearch/bug/CSCsk25102/?reffering_site=dumpcr

    On ASA, it is not possible to configure the tunnel between two dynamic peers.
    You will need to have a static end to configure static to dynamic IP.

    For routers, you can follow this link.
    I hope this helps.

    Kind regards
    Dinesh Moudgil

    PS Please rate helpful messages.

Maybe you are looking for