Multiple TCP*Extend Proxies

Hello

I'm developing a C++ client for Coherence and using the TCP*Extend protocol to connect to the cache.

I am able to run multiple nodes on the same machine.

My goal is to add more machines to this configuration (is another machine called a cluster or a node?).


I would like to have a configuration as explained below:

NamedCache: AQRCache
Cache Type: Near cache (local and distributed/remote)

HOST_A:
TCP*Extend_A
Node 1
Node 2

C++ client A running on Host_A talks to TCP*Extend_A.


HOST_B:
TCP*Extend_B
Node 3
Node 4

C++ client B running on Host_B talks to TCP*Extend_B.


Host_C:
TCP*Extend_C
Node 5
Node 6

C++ client C running on Host_C talks to TCP*Extend_C.


Other clients in C++:

C++ client D running on Host_D talks to TCP*Extend_A.
C++ client E running on Host_E talks to TCP*Extend_A.
C++ client F running on Host_F talks to TCP*Extend_A.


Questions related to this:

1. To add more machines, if I run an instance on another machine with the same configuration file, will it work?

2. Is it possible to run a separate TCP*Extend proxy on each host and have it be part of the same cluster?

3. Or should all C++ clients talk to only one TCP*Extend proxy?


Thank you
NS

1. To add more machines, if I run an instance on another machine with the same configuration file, will it work?

Yes, you can add other machines/nodes using the same configuration file.

2. Is it possible to run a separate TCP*Extend proxy on each host and have it be part of the same cluster?

Yes, you can run several proxy nodes in a single cluster. Just about every production cluster has several proxy nodes.

3. Or should all C++ clients talk to only one TCP*Extend proxy?

No, there is no reason to force all C++ clients to connect to a single proxy. In fact, you might consider configuring each client with the complete list of proxy servers. Each client will randomly select a server to connect to, ensuring that a single proxy is not overloaded.

Also take a look at this document: http://coherence.oracle.com/display/COH35UG/Best+Practices+for+Coherence+Extend

Thank you
Patrick
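Added example, not part of the original thread: a client-side coherence-cache-config.xml for the layout NS describes (a near cache inside the C++ client, backed by the remote cache over TCP*Extend) with all three proxies listed, which is what Patrick's answer recommends. The TCP initiator picks one address from the list at random when it connects and moves on to the next if that one is unreachable. Host names, the port and the front-cache size are placeholders.

```xml
<?xml version="1.0"?>
<!DOCTYPE cache-config SYSTEM "cache-config.dtd">
<cache-config>
  <caching-scheme-mapping>
    <cache-mapping>
      <cache-name>AQRCache</cache-name>
      <scheme-name>near-remote</scheme-name>
    </cache-mapping>
  </caching-scheme-mapping>

  <caching-schemes>
    <!-- Near cache held in the client process; the back scheme is the
         remote (Extend) cache, so reads hit the cluster only on a miss. -->
    <near-scheme>
      <scheme-name>near-remote</scheme-name>
      <front-scheme>
        <local-scheme>
          <high-units>1000</high-units> <!-- placeholder size -->
        </local-scheme>
      </front-scheme>
      <back-scheme>
        <remote-cache-scheme>
          <scheme-ref>extend-remote</scheme-ref>
        </remote-cache-scheme>
      </back-scheme>
      <invalidation-strategy>present</invalidation-strategy>
    </near-scheme>

    <!-- One Extend service, every proxy in the cluster listed. The same file
         can be shipped to Host_D, Host_E and Host_F unchanged. -->
    <remote-cache-scheme>
      <scheme-name>extend-remote</scheme-name>
      <service-name>ExtendTcpCacheService</service-name>
      <initiator-config>
        <tcp-initiator>
          <remote-addresses>
            <socket-address>
              <address>host-a.example</address> <!-- TCP*Extend_A, placeholder -->
              <port>9099</port>
            </socket-address>
            <socket-address>
              <address>host-b.example</address> <!-- TCP*Extend_B, placeholder -->
              <port>9099</port>
            </socket-address>
            <socket-address>
              <address>host-c.example</address> <!-- TCP*Extend_C, placeholder -->
              <port>9099</port>
            </socket-address>
          </remote-addresses>
          <connect-timeout>10s</connect-timeout>
        </tcp-initiator>
        <outgoing-message-handler>
          <request-timeout>5s</request-timeout>
        </outgoing-message-handler>
      </initiator-config>
    </remote-cache-scheme>
  </caching-schemes>
</cache-config>
```

With this file, losing one proxy costs a client only a reconnect to one of the others, and no single proxy carries all of the Host_D/E/F traffic. Putting all three proxies behind one address would turn the list back into a single point of failure, so list the hosts individually.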


Similar Questions

  • Extend Proxy hangs after restart of the Cluster

    One of our application groups faced an interesting problem:

    - We had a network problem that caused the cluster to restart (not good, but it should be recoverable).
    - The Extend proxy restarted.
    - Because Unix keeps the server socket's port held for 1 minute, the proxy fails and crashes.

    Given that the process blocks (in fact all proxies do), the cluster becomes unusable.

    We use 3.5.2.p8.

    Any thoughts? Should we raise an SR?

    Best, Andrew.

    Total time for which application threads were stopped: 0,0050880 seconds
    2009-12-03 06:05:50.185/46226.639 Oracle Coherence GE 3.4.2/411p8 <Info> (thread=main, member=59): Restarting Service: ExendTcpProxyService
    2009-12-03 06:05:50.235/46226.689 Oracle Coherence GE 3.4.2/411p8 <D6> (thread=Proxy:ExendTcpProxyService:TcpAcceptor:TcpProcessor, member=59): Binding ServerSocket to 11.160.32.243:17061
    2009-12-03 06:05:50.236/46226.690 Oracle Coherence GE 3.4.2/411p8 <Error> (thread=Proxy:ExendTcpProxyService:TcpAcceptor:TcpProcessor, member=59): TcpAcceptor exited due to unhandled exception: com.tangosol.util.WrapperException
    Application time: 0,0009600 seconds
    Total time for which application threads were stopped: 0,0039030 seconds
    2009-12-03 06:05:50.236/46226.690 Oracle Coherence GE 3.4.2/411p8 <Error> (thread=Proxy:ExendTcpProxyService:TcpAcceptor:TcpProcessor, member=59):
    (Wrapped: error binding ServerSocket to 11.160.32.243:17061) java.net.BindException: Address already in use
        at sun.nio.ch.Net.bind(Native Method)
        at sun.nio.ch.ServerSocketChannelImpl.bind(Unknown Source)
        at sun.nio.ch.ServerSocketAdaptor.bind(Unknown Source)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.peer.acceptor.TcpAcceptor.configureSocket(TcpAcceptor.CDB:25)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.peer.acceptor.TcpAcceptor$TcpProcessor.onEnter(TcpAcceptor.CDB:25)
        at com.tangosol.coherence.component.util.Daemon.run(Daemon.CDB:14)
        at java.lang.Thread.run(Unknown Source)
    ... process hangs after that...

    Hello Andrew,

    Please take a look at the page. If you set this, the problem should go away.

    Best regards
    -Dave

  • TCP*Extend client starts a new cluster

    Hello

    I'm trying to start a Java TCP*Extend client with a very simple configuration: two caches and a remote cache scheme. The client starts and establishes the connection to the proxy. However, I see that the client starts its own cluster with a Management service.

    It must be something very simple, but I'm out of ideas :(

    coherence version: 3.3.2 p1

    No Coherence-specific JVM parameters (initially I blamed the JMX settings and turned everything off).

    coherence-cache-config.xml:
    <?xml version="1.0"?>
    <!DOCTYPE cache-config SYSTEM "cache-config.dtd">
    <cache-config>
      <caching-scheme-mapping>
        <cache-mapping>
          <cache-name>Cache1</cache-name>
          <scheme-name>RemoteScheme</scheme-name>
        </cache-mapping>
        <cache-mapping>
          <cache-name>Cache2</cache-name>
          <scheme-name>RemoteScheme</scheme-name>
        </cache-mapping>
      </caching-scheme-mapping>
      <caching-schemes>
        <remote-cache-scheme>
          <scheme-name>RemoteScheme</scheme-name>
          <service-name>ExtendTcpCacheService</service-name>
          <initiator-config>
            <tcp-initiator>
              <remote-addresses>
                <socket-address>
                  <address>hostname1</address>
                  <port>1234</port>
                </socket-address>
                <socket-address>
                  <address>hostname2</address>
                  <port>1234</port>
                </socket-address>
              </remote-addresses>
              <connect-timeout>10s</connect-timeout>
            </tcp-initiator>
            <outgoing-message-handler>
              <request-timeout>5s</request-timeout>
            </outgoing-message-handler>
          </initiator-config>
        </remote-cache-scheme>

        <remote-invocation-scheme>
          <scheme-name>extend-invocation</scheme-name>
          <service-name>ExtendTcpInvocationService</service-name>
          <initiator-config>
            <tcp-initiator>
              <remote-addresses>
                <socket-address>
                  <address>hostname1</address>
                  <port>1234</port>
                </socket-address>
                <socket-address>
                  <address>hostname2</address>
                  <port>1234</port>
                </socket-address>
              </remote-addresses>
              <connect-timeout>10s</connect-timeout>
            </tcp-initiator>
            <outgoing-message-handler>
              <request-timeout>5s</request-timeout>
            </outgoing-message-handler>
          </initiator-config>
        </remote-invocation-scheme>
      </caching-schemes>
    </cache-config>

    tangosol-coherence-override.xml:
    <?xml version="1.0"?>
    <coherence>
      <logging-config>
        <destination>log4j</destination>
        <severity-level>3</severity-level>
        <message-format>{date} Member={member} {text}</message-format>
        <character-limit>4096</character-limit>
      </logging-config>
      <license-config>
        <!-- show "Application Edition (AE)" -->
        <edition-name>AE</edition-name>
      </license-config>
    </coherence>

    I think that if your client application tries to call a cluster-specific API, for example CacheFactory.ensureCluster(), it will start its own cluster.

    However, if your client application only gets a remote cache reference, it shouldn't start its own cluster.

    Published by: user639604 on June 1st, 2009 11:34

  • Coherence*Extend proxy service with no storage.

    Hello
    I am implementing Coherence and have a requirement as follows.
    1. Create two Coherence servers in the WebLogic console. These store the replicated cache scheme caches.
    2. Create two Coherence servers which act as a proxy. They must not contain any cache.
    Can somebody tell me how to create the cache configuration for the proxy servers in step 2? When I created the proxy without giving the cache names I get a cache not found error.

    Hi Sri,

    Please find my responses inline:

    1. How can I use backup storage for my partitioned caches? I want to have one backup of each cache.
    By default, the distributed cache scheme has backup-count=1, so you do not need to do anything, but if you want to have more than 1 backup of your cached data, then change your cache scheme as below:

    <distributed-scheme>
      <scheme-name>dist-default</scheme-name>
      <backup-count>2</backup-count>
      :
      <autostart>true</autostart>
    </distributed-scheme>

    Don't forget that the position of the backup-count tag in the scheme is important and must conform to the schema definition.

    2. I want to use JMX. How can I use it without running coherence.sh?
    When you start the Coherence servers, add the following parameters:

    -Dcom.sun.management.jmxremote
    -Dtangosol.coherence.management=all (only required on one of the Coherence servers, which will collect JMX metrics for the cluster)
    -Dtangosol.coherence.management.remote=true

    From $JAVA_HOME/bin, run jconsole on the local machine (where the Coherence node with management=all is running) and you should be able to view the metrics. If you want to view the metrics by running jconsole on a different machine from where the Coherence node with management=all is running, you must add the following properties to the server startup script:

    -Dcom.sun.management.jmxremote.hostname=10.255.109.109
    -Dcom.sun.management.jmxremote.port=10008 (the port must be open between this machine and the remote machine where you will run jconsole)
    -Dcom.sun.management.jmxremote.authenticate=false
    -Dcom.sun.management.jmxremote.ssl=false

    On your local machine, run jconsole as "jconsole 10.255.109.109:10008".

    PS: If you find the responses helpful, please mark them as helpful or correct as appropriate on each post; that earns me some forum points and guides others.

    I hope this helps!

    Cheers,
    NJ

  • TCP*Extend server - Failed to start Service - Oracle Coherence GE 3.5.2/463

    Hello
    We are about to go into production and I see that the TCP*Extend server (storage-disabled node) fails to start the service.

    Regards
    DOCUMENTATION

    My configuration looks as follows
    <?xml version="1.0" encoding="windows-1252"?>
    <!DOCTYPE cache-config SYSTEM "cache-config.dtd">
    <cache-config>
      <caching-scheme-mapping>
      </caching-scheme-mapping>
      <caching-schemes>
        <distributed-scheme>
          <scheme-name>distributedCache</scheme-name>
          <service-name>distributedCache</service-name>
          <backing-map-scheme>
            <local-scheme>
              <eviction-policy>HYBRID</eviction-policy>
              <high-units>500</high-units>
              <low-units>375</low-units>
              <unit-calculator>BINARY</unit-calculator>
              <unit-factor>1048576</unit-factor>
            </local-scheme>
          </backing-map-scheme>
        </distributed-scheme>
        <proxy-scheme>
          <service-name>ExtendTcpProxyService</service-name>
          <thread-count>15</thread-count>
          <acceptor-config>
            <tcp-acceptor>
              <local-address>
                <address system-property="proxy.listen.address">...</address>
                <port system-property="proxy.listen.port">...</port>
              </local-address>
            </tcp-acceptor>
          </acceptor-config>
          <autostart>true</autostart>
        </proxy-scheme>
      </caching-schemes>
    </cache-config>

    - And the log looks like this -

    2009-12-04 16:21:54.056/25821.278 Oracle Coherence GE 3.5.2/463 <D6> (thread=Proxy:ExtendTcpProxyService:TcpAcceptor, member=12): Closed: Channel(Id=1931590686, Open=false)
    2009-12-04 16:21:54.058/25821.280 Oracle Coherence GE 3.5.2/463 <D5> (thread=Proxy:ExtendTcpProxyService:TcpAcceptorWorker:4, member=12): Repeating SizeRequest due to the re-distribution of PartitionSet{220, 221, 222, 223, 224, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255, 256}
    2009-12-04 16:21:54.058/25821.280 Oracle Coherence GE 3.5.2/463 <D5> (thread=Proxy:ExtendTcpProxyService:TcpAcceptorWorker:12, member=12): Repeating SizeRequest due to the re-distribution of PartitionSet{220, 221, 222, 223, 224, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255, 256}
    2009-12-04 16:21:54.058/25821.280 Oracle Coherence GE 3.5.2/463 <D5> (thread=Proxy:ExtendTcpProxyService:TcpAcceptorWorker:11, member=12): Repeating SizeRequest due to the re-distribution of PartitionSet{220, 221, 222, 223, 224, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255, 256}
    2009-12-04 16:21:54.058/25821.280 Oracle Coherence GE 3.5.2/463 <D5> (thread=Proxy:ExtendTcpProxyService:TcpAcceptorWorker:7, member=12): Repeating SizeRequest due to the re-distribution of PartitionSet{220, 221, 222, 223, 224, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255, 256}
    2009-12-04 16:21:54.175/25821.397 Oracle Coherence GE 3.5.2/463 <D5> (thread=Proxy:ExtendTcpProxyService:TcpAcceptorWorker:10, member=12): An exception occurred while processing a SizeRequest for Service=Proxy:ExtendTcpProxyService:TcpAcceptor: (Wrapped) java.lang.InterruptedException
        at com.tangosol.util.Base.ensureRuntimeException(Base.java:293)
        at com.tangosol.util.Base.ensureRuntimeException(Base.java:269)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.grid.DistributedCache$BinaryMap.waitForPartitionRedistribution(DistributedCache.CDB:107)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.grid.DistributedCache$BinaryMap.waitForRedistribution(DistributedCache.CDB:34)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.grid.DistributedCache$BinaryMap.ensureRequestTarget(DistributedCache.CDB:15)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.grid.DistributedCache$BinaryMap.sendPartitionedRequest(DistributedCache.CDB:31)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.grid.DistributedCache$BinaryMap.size(DistributedCache.CDB:13)
        at com.tangosol.util.ConverterCollections$ConverterMap.size(ConverterCollections.java:1470)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.grid.DistributedCache$ViewMap.size(DistributedCache.CDB:1)
        at com.tangosol.coherence.component.util.SafeNamedCache.size(SafeNamedCache.CDB:1)
        at com.tangosol.coherence.component.util.collections.WrapperMap.size(WrapperMap.CDB:1)
        at com.tangosol.coherence.component.net.extend.messageFactory.NamedCacheFactory$SizeRequest.onRun(NamedCacheFactory.CDB:7)
        at com.tangosol.coherence.component.net.extend.message.Request.run(Request.CDB:4)
        at com.tangosol.coherence.component.net.extend.proxy.NamedCacheProxy.onMessage(NamedCacheProxy.CDB:11)
        at com.tangosol.coherence.component.net.extend.Channel.execute(Channel.CDB:28)
        at com.tangosol.coherence.component.net.extend.Channel.receive(Channel.CDB:26)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.Peer$DaemonPool$WrapperTask.run(Peer.CDB:9)
        at com.tangosol.coherence.component.util.DaemonPool$WrapperTask.run(DaemonPool.CDB:32)
        at com.tangosol.coherence.component.util.DaemonPool$Daemon.onNotify(DaemonPool.CDB:63)
        at com.tangosol.coherence.component.util.Daemon.run(Daemon.CDB:42)
        at java.lang.Thread.run(Thread.java:619)
    Caused by: java.lang.InterruptedException
        at java.lang.Object.wait(Native Method)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.grid.DistributedCache$BinaryMap.waitForPartitionRedistribution(DistributedCache.CDB:96)
        ... 18 more

    2009-12-04 16:21:54.175/25821.397 Oracle Coherence GE 3.5.2/463 <D5> (thread=Proxy:ExtendTcpProxyService:TcpAcceptorWorker:9, member=12): An exception occurred while processing a SizeRequest for Service=Proxy:ExtendTcpProxyService:TcpAcceptor: (Wrapped) java.lang.InterruptedException
        at com.tangosol.util.Base.ensureRuntimeException(Base.java:293)
        at com.tangosol.util.Base.ensureRuntimeException(Base.java:269)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.grid.DistributedCache$BinaryMap.waitForPartitionRedistribution(DistributedCache.CDB:107)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.grid.DistributedCache$BinaryMap.waitForRedistribution(DistributedCache.CDB:34)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.grid.DistributedCache$BinaryMap.ensureRequestTarget(DistributedCache.CDB:15)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.grid.DistributedCache$BinaryMap.sendPartitionedRequest(DistributedCache.CDB:31)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.grid.DistributedCache$BinaryMap.size(DistributedCache.CDB:13)
        at com.tangosol.util.ConverterCollections$ConverterMap.size(ConverterCollections.java:1470)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.grid.DistributedCache$ViewMap.size(DistributedCache.CDB:1)
        at com.tangosol.coherence.component.util.SafeNamedCache.size(SafeNamedCache.CDB:1)
        at com.tangosol.coherence.component.util.collections.WrapperMap.size(WrapperMap.CDB:1)
        at com.tangosol.coherence.component.net.extend.messageFactory.NamedCacheFactory$SizeRequest.onRun(NamedCacheFactory.CDB:7)
        at com.tangosol.coherence.component.net.extend.message.Request.run(Request.CDB:4)
        at com.tangosol.coherence.component.net.extend.proxy.NamedCacheProxy.onMessage(NamedCacheProxy.CDB:11)
        at com.tangosol.coherence.component.net.extend.Channel.execute(Channel.CDB:28)
        at com.tangosol.coherence.component.net.extend.Channel.receive(Channel.CDB:26)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.Peer$DaemonPool$WrapperTask.run(Peer.CDB:9)
        at com.tangosol.coherence.component.util.DaemonPool$WrapperTask.run(DaemonPool.CDB:32)
        at com.tangosol.coherence.component.util.DaemonPool$Daemon.onNotify(DaemonPool.CDB:63)
        at com.tangosol.coherence.component.util.Daemon.run(Daemon.CDB:42)
        at java.lang.Thread.run(Thread.java:619)
    Caused by: java.lang.InterruptedException
        at java.lang.Object.wait(Native Method)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.grid.DistributedCache$BinaryMap.waitForPartitionRedistribution(DistributedCache.CDB:96)
        ... 18 more

    2009-12-04 16:21:54.175/25821.397 Oracle Coherence GE 3.5.2/463 <D5> (thread=Proxy:ExtendTcpProxyService:TcpAcceptorWorker:13, member=12): An exception occurred while processing a SizeRequest for Service=Proxy:ExtendTcpProxyService:TcpAcceptor: (Wrapped) java.lang.InterruptedException
        at com.tangosol.util.Base.ensureRuntimeException(Base.java:293)
        at com.tangosol.util.Base.ensureRuntimeException(Base.java:269)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.grid.DistributedCache$BinaryMap.waitForPartitionRedistribution(DistributedCache.CDB:107)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.grid.DistributedCache$BinaryMap.waitForRedistribution(DistributedCache.CDB:34)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.grid.DistributedCache$BinaryMap.ensureRequestTarget(DistributedCache.CDB:15)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.grid.DistributedCache$BinaryMap.sendPartitionedRequest(DistributedCache.CDB:31)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.grid.DistributedCache$BinaryMap.size(DistributedCache.CDB:13)
        at com.tangosol.util.ConverterCollections$ConverterMap.size(ConverterCollections.java:1470)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.grid.DistributedCache$ViewMap.size(DistributedCache.CDB:1)
        at com.tangosol.coherence.component.util.SafeNamedCache.size(SafeNamedCache.CDB:1)
        at com.tangosol.coherence.component.util.collections.WrapperMap.size(WrapperMap.CDB:1)
        at com.tangosol.coherence.component.net.extend.messageFactory.NamedCacheFactory$SizeRequest.onRun(NamedCacheFactory.CDB:7)
        at com.tangosol.coherence.component.net.extend.message.Request.run(Request.CDB:4)
        at com.tangosol.coherence.component.net.extend.proxy.NamedCacheProxy.onMessage(NamedCacheProxy.CDB:11)
        at com.tangosol.coherence.component.net.extend.Channel.execute(Channel.CDB:28)
        at com.tangosol.coherence.component.net.extend.Channel.receive(Channel.CDB:26)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.Peer$DaemonPool$WrapperTask.run(Peer.CDB:9)
        at com.tangosol.coherence.component.util.DaemonPool$WrapperTask.run(DaemonPool.CDB:32)
        at com.tangosol.coherence.component.util.DaemonPool$Daemon.onNotify(DaemonPool.CDB:63)
        at com.tangosol.coherence.component.util.Daemon.run(Daemon.CDB:42)
        at java.lang.Thread.run(Thread.java:619)
    Caused by: java.lang.InterruptedException
        at java.lang.Object.wait(Native Method)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.grid.DistributedCache$BinaryMap.waitForPartitionRedistribution(DistributedCache.CDB:96)
        ... 18 more

    2009-12-04 16:21:54.175/25821.397 Oracle Coherence GE 3.5.2/463 <D5> (thread=Proxy:ExtendTcpProxyService:TcpAcceptorWorker:11, member=12): An exception occurred while processing a SizeRequest for Service=Proxy:ExtendTcpProxyService:TcpAcceptor: (Wrapped) java.lang.InterruptedException
        at com.tangosol.util.Base.ensureRuntimeException(Base.java:293)
        at com.tangosol.util.Base.ensureRuntimeException(Base.java:269)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.grid.DistributedCache$BinaryMap.waitForPartitionRedistribution(DistributedCache.CDB:107)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.grid.DistributedCache$BinaryMap.waitForRedistribution(DistributedCache.CDB:34)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.grid.DistributedCache$BinaryMap.ensureRequestTarget(DistributedCache.CDB:15)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.grid.DistributedCache$BinaryMap.sendPartitionedRequest(DistributedCache.CDB:31)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.grid.DistributedCache$BinaryMap.size(DistributedCache.CDB:13)
        at com.tangosol.util.ConverterCollections$ConverterMap.size(ConverterCollections.java:1470)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.grid.DistributedCache$ViewMap.size(DistributedCache.CDB:1)
        at com.tangosol.coherence.component.util.SafeNamedCache.size(SafeNamedCache.CDB:1)
        at com.tangosol.coherence.component.util.collections.WrapperMap.size(WrapperMap.CDB:1)
        at com.tangosol.coherence.component.net.extend.messageFactory.NamedCacheFactory$SizeRequest.onRun(NamedCacheFactory.CDB:7)
        at com.tangosol.coherence.component.net.extend.message.Request.run(Request.CDB:4)
        at com.tangosol.coherence.component.net.extend.proxy.NamedCacheProxy.onMessage(NamedCacheProxy.CDB:11)
        at com.tangosol.coherence.component.net.extend.Channel.execute(Channel.CDB:28)
        at com.tangosol.coherence.component.net.extend.Channel.receive(Channel.CDB:26)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.Peer$DaemonPool$WrapperTask.run(Peer.CDB:9)
        at com.tangosol.coherence.component.util.DaemonPool$WrapperTask.run(DaemonPool.CDB:32)
        at com.tangosol.coherence.component.util.DaemonPool$Daemon.onNotify(DaemonPool.CDB:63)
        at com.tangosol.coherence.component.util.Daemon.run(Daemon.CDB:42)
        at java.lang.Thread.run(Thread.java:619)
    Caused by: java.lang.InterruptedException
        at java.lang.Object.wait(Native Method)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.grid.DistributedCache$BinaryMap.waitForPartitionRedistribution(DistributedCache.CDB:96)
        ... 18 more

    2009-12-04 16:21:54.175/25821.397 Oracle Coherence GE 3.5.2/463 <D5> (thread=Proxy:ExtendTcpProxyService:TcpAcceptorWorker:2, member=12): An exception occurred while processing a SizeRequest for Service=Proxy:ExtendTcpProxyService:TcpAcceptor: (Wrapped) java.lang.InterruptedException
        at com.tangosol.util.Base.ensureRuntimeException(Base.java:293)
        at com.tangosol.util.Base.ensureRuntimeException(Base.java:269)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.grid.DistributedCache$BinaryMap.waitForPartitionRedistribution(DistributedCache.CDB:107)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.grid.DistributedCache$BinaryMap.waitForRedistribution(DistributedCache.CDB:34)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.grid.DistributedCache$BinaryMap.ensureRequestTarget(DistributedCache.CDB:15)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.grid.DistributedCache$BinaryMap.sendPartitionedRequest(DistributedCache.CDB:31)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.grid.DistributedCache$BinaryMap.size(DistributedCache.CDB:13)
        at com.tangosol.util.ConverterCollections$ConverterMap.size(ConverterCollections.java:1470)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.grid.DistributedCache$ViewMap.size(DistributedCache.CDB:1)
        at com.tangosol.coherence.component.util.SafeNamedCache.size(SafeNamedCache.CDB:1)
        at com.tangosol.coherence.component.util.collections.WrapperMap.size(WrapperMap.CDB:1)
        at com.tangosol.coherence.component.net.extend.messageFactory.NamedCacheFactory$SizeRequest.onRun(NamedCacheFactory.CDB:7)
        at com.tangosol.coherence.component.net.extend.message.Request.run(Request.CDB:4)
        at com.tangosol.coherence.component.net.extend.proxy.NamedCacheProxy.onMessage(NamedCacheProxy.CDB:11)
        at com.tangosol.coherence.component.net.extend.Channel.execute(Channel.CDB:28)
        at com.tangosol.coherence.component.net.extend.Channel.receive(Channel.CDB:26)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.Peer$DaemonPool$WrapperTask.run(Peer.CDB:9)
        at com.tangosol.coherence.component.util.DaemonPool$WrapperTask.run(DaemonPool.CDB:32)
        at com.tangosol.coherence.component.util.DaemonPool$Daemon.onNotify(DaemonPool.CDB:63)
        at com.tangosol.coherence.component.util.Daemon.run(Daemon.CDB:42)
        at java.lang.Thread.run(Thread.java:619)
    Caused by: java.lang.InterruptedException
        at java.lang.Object.wait(Native Method)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.grid.DistributedCache$BinaryMap.waitForPartitionRedistribution(DistributedCache.CDB:96)
        ... 18 more

    2009-12-04 16:21:54.176/25821.398 Oracle Coherence GE 3.5.2/463 <D5> (thread=Proxy:ExtendTcpProxyService:TcpAcceptorWorker:6, member=12): An exception occurred while processing a SizeRequest for Service=Proxy:ExtendTcpProxyService:TcpAcceptor: (Wrapped) java.lang.InterruptedException
        at com.tangosol.util.Base.ensureRuntimeException(Base.java:293)
        at com.tangosol.util.Base.ensureRuntimeException(Base.java:269)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.grid.DistributedCache$BinaryMap.waitForPartitionRedistribution(DistributedCache.CDB:107)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.grid.DistributedCache$BinaryMap.waitForRedistribution(DistributedCache.CDB:34)
    2009-12-04 16:21:54.259/25821.481 Oracle Coherence GE 3.5.2/463 <D4> (thread=Proxy:ExtendTcpProxyService:TcpAcceptorWorker:8, member=12): Daemon caught an unhandled exception (com.tangosol.net.messaging.ConnectionException: channel is closed) while exiting.
    2009-12-04 16:21:54.264/25821.486 Oracle Coherence GE 3.5.2/463 <D4> (thread=Proxy:ExtendTcpProxyService:TcpAcceptorWorker:3, member=12): Daemon caught an unhandled exception (com.tangosol.net.messaging.ConnectionException: channel is closed) while exiting.
    2009-12-04 16:21:54.330/25821.552 Oracle Coherence GE 3.5.2/463 <D5> (thread=Proxy:ExtendTcpProxyService:TcpAcceptor, member=12): Stopped: TcpAcceptor{Name=Proxy:ExtendTcpProxyService:TcpAcceptor, State=(SERVICE_STOPPED), ThreadCount=0, Codec=Codec(Format=POF), PingInterval=0, PingTimeout=0, RequestTimeout=0, LocalAddress=[nybc94lxb01/10.12.101.81:21005], LocalAddressReusable=false, KeepAliveEnabled=true, TcpDelayEnabled=false, ReceiveBufferSize=0, SendBufferSize=0, ListenBacklog=0, LingerTimeout=1, BufferPoolIn=BufferPool(BufferSize=2KB, BufferType=DIRECT, Capacity=Unlimited), BufferPoolOut=BufferPool(BufferSize=2KB, BufferType=DIRECT, Capacity=Unlimited)}
    Exception in thread "Thread-2" java.lang.RuntimeException: Failed to start Service "Proxy:ExtendTcpProxyService:TcpAcceptor" (ServiceState=SERVICE_STOPPED)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.Service.waitAcceptingClients(Service.CDB:12)
        at com.tangosol.coherence.component.net.extend.Channel.request(Channel.CDB:10)
        at com.tangosol.coherence.component.net.extend.Channel.request(Channel.CDB:1)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.Peer.closeChannel(Peer.CDB:18)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.Peer.closeChannel(Peer.CDB:1)
        at com.tangosol.coherence.component.net.extend.Channel.close(Channel.CDB:20)
        at com.tangosol.coherence.component.net.extend.Channel.close(Channel.CDB:1)
        at com.tangosol.coherence.component.net.extend.proxy.NamedCacheProxy.run(NamedCacheProxy.CDB:30)
        at java.lang.Thread.run(Thread.java:619)
    Exception in thread "Thread-3" java.lang.RuntimeException: Failed to start Service "Proxy:ExtendTcpProxyService:TcpAcceptor" (ServiceState=SERVICE_STOPPED)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.Service.waitAcceptingClients(Service.CDB:12)
        at com.tangosol.coherence.component.net.extend.Channel.request(Channel.CDB:10)
        at com.tangosol.coherence.component.net.extend.Channel.request(Channel.CDB:1)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.Peer.closeChannel(Peer.CDB:18)
        at com.tangosol.coherence.component.util.daemon.queueProcessor.service.Peer.closeChannel(Peer.CDB:1)
        at com.tangosol.coherence.component.net.extend.Channel.close(Channel.CDB:20)
        at com.tangosol.coherence.component.net.extend.Channel.close(Channel.CDB:1)
        at com.tangosol.coherence.component.net.extend.proxy.NamedCacheProxy.run(NamedCacheProxy.CDB:30)
        at java.lang.Thread.run(Thread.java:619)

    Published by: Anand Gupta on December 4, 2009 17:10

    There is also a proxy-specific system property for the guardian timeout, -Dtangosol.coherence.proxy.guard.timeout, or you can change it in the configuration of the proxy service.

    Kind regards

    David

  • InvocationService, run a query with a LimitFilter and a comparator, Extend

    I have a lot of difficulties running an InvocationService. I'm relatively new to Coherence, please excuse my ignorance.

    Basically, I'm trying to get a web client to access a Coherence cluster (which uses *Extend) and run a query with a LimitFilter and a comparator.
    It looks like I have implemented the PortableObject interface on the comparator. To be honest I don't know, and I'm getting an exception:
    java.io.NotSerializableException: com.tangosol.util.internal.ConcurrentCounter

    Do I need to implement PortableObject on the comparator? Do I have to add the comparator class to the POF config XML? Do I have configuration errors?

    Java code:
    InvocationService service = (InvocationService) CacheFactory.getConfigurableCacheFactory().ensureService("ExtendTcpInvocationService");
    Map map = service.query(new LatestContentAgent(), null);
    Set result = (Set) map.get(service.getCluster().getLocalMember());

    public class LatestContentAgent extends AbstractInvocable {

        private static final long serialVersionUID = 5121824227545845101L;

        @Override
        public void run() {
            final Filter filter = new EqualsFilter("getStatusId", Status.LIVE);
            final LimitFilter limitFilter = new LimitFilter(filter, 200);
            NamedCache cacheInstance = CacheFactory.getCache("dist-extend-cache");
            setResult(cacheInstance.entrySet(limitFilter, new ActivityContentVOComparator()));
        }
    }

    public class ActivityContentVO extends AbstractEvolvable implements Serializable, Cacheable {

        private static final long serialVersionUID = 1282169603551341131L;

        private static final int VERSION = 2;

        private static final int WHEN_IDX = 2;
        private Date when;

        public ActivityContentVO() {     // hibernate needs this constructor
        }

        public Date getWhen() {
            return when;
        }

        public void setWhen(Date when) {
            this.when = when;
        }

        public void readExternal(PofReader reader) throws IOException {
            setWhen((Date) reader.readObject(WHEN_IDX));
        }

        public void writeExternal(PofWriter writer) throws IOException {
            writer.writeObject(WHEN_IDX, getWhen());
        }

        @Override
        public int getImplVersion() {
            return VERSION;
        }
    }

    public class ActivityContentVOComparator implements Comparator<ActivityContentVO>, Serializable, PortableObject {

        private static final long serialVersionUID = -8536328258251728594L;

        @Override
        public int compare(ActivityContentVO a1, ActivityContentVO a2) {
            if (a1 == null) {
                return a2 == null ? 0 : 1;
            }
            if (a2 == null) {
                return -1;
            }

            final Date d1 = a1.getWhen();
            final Date d2 = a2.getWhen();
            if (d1 == null) {
                return d2 == null ? 0 : 1;
            } else if (d2 == null) {
                return -1;
            }

            // newest first
            return d2.compareTo(d1);
        }

        @Override
        public void readExternal(PofReader arg0) throws IOException {
            // stateless comparator: no POF properties to read
        }

        @Override
        public void writeExternal(PofWriter arg0) throws IOException {
            // stateless comparator: no POF properties to write
        }
    }
    POF configuration file
    <pof-config>
      <user-type-list>
        <!-- coherence POF user types -->
        <include>coherence-pof-config.xml</include>
        <user-type> 
          <type-id>1004</type-id> 
          <class-name>net.tm.ActivityContentVO</class-name> 
        </user-type>
        ....
        <user-type>
          <type-id>1009</type-id> 
          <class-name>net.tm.ActivityContentVOComparator</class-name> 
        </user-type>
      </user-type-list>
      <allow-interfaces>true</allow-interfaces>
      <allow-subclasses>true</allow-subclasses>
    </pof-config>
    Coherence client-side configuration:
    <remote-invocation-scheme>
      <scheme-name>extend-invocation</scheme-name>
      <service-name>ExtendTcpInvocationService</service-name>
      <initiator-config>
        <tcp-initiator>
          <remote-addresses>
            <socket-address>
              <address system-property="tangosol.coherence.extend.remote.node1"></address>
              <port system-property="tangosol.coherence.extend.invocation.remote.port1">9094</port>
            </socket-address>
            <socket-address>
              <address system-property="tangosol.coherence.extend.remote.node2"></address>
              <port system-property="tangosol.coherence.extend.invocation.remote.port1">9094</port>
            </socket-address>
          </remote-addresses>
          <connect-timeout>10s</connect-timeout>
        </tcp-initiator>
        <outgoing-message-handler>
          <request-timeout>5s</request-timeout>
        </outgoing-message-handler>
      </initiator-config>
      <serializer>
        <class-name>com.tangosol.io.pof.ConfigurablePofContext</class-name>
        <init-params>
          <init-param>
            <param-type>String</param-type>
            <param-value system-property="tangosol.pof.config">app-pof-config.xml</param-value>
          </init-param>
        </init-params>
      </serializer>
    </remote-invocation-scheme>
    Coherence server configuration:
            <proxy-scheme>
                <scheme-name>extend-proxy</scheme-name>
                <service-name>ExtendTcpProxyService</service-name>
                <thread-count>5</thread-count>
                <acceptor-config>
                    <tcp-acceptor>
                        <local-address>
                            <address>localhost</address>
                            <port system-property="tangosol.coherence.extend.port">9094</port>
                        </local-address>
                    </tcp-acceptor>
                </acceptor-config>
                <proxy-config>
                    <cache-service-proxy>
                        <lock-enabled>true</lock-enabled>
                    </cache-service-proxy>
                </proxy-config>
                <autostart 
                     system-property="tangosol.coherence.extend.enabled">
                     false
                </autostart>
            </proxy-scheme>
    Full stack trace:
    TcpConnection(Id=0x000001297F449E980A640BB49B3E90457BFBA97FDB268F4DCF95962206C4C35D, Open=true, LocalAddress=10.100.11.180:9094, RemoteAddress=10.100.130.22:4989)
    2010-06-28 16:54:50.398/277.593 Oracle Coherence GE 3.5.3/465 <D6> (thread=Proxy:ExtendTcpProxyService:TcpAcceptor, member=3): Opened: Channel(Id=1588644627, Open=true, Connection=0x000001297F449E980A640BB49B3E90457BFBA97FDB268F4DCF95962206C4C35D)
    2010-06-28 16:54:50.528/277.723 Oracle Coherence GE 3.5.3/465 <Error> (thread=Proxy:ExtendTcpProxyService:TcpAcceptorWorker:3, member=3): An exception occurred while encoding a Response for Service=Proxy:ExtendTcpProxyService:TcpAcceptor: java.io.NotSerializableException: com.tangosol.util.internal.ConcurrentCounter
            at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1156)
    ....
            at com.tangosol.io.pof.PofBufferWriter$UserTypeWriter.writeObject(PofBufferWriter.java:2092)
            at com.tangosol.coherence.component.net.extend.message.Response.writeExternal(Response.CDB:15)
            at com.tangosol.coherence.component.net.extend.Codec.encode(Codec.CDB:23)
            at com.tangosol.coherence.component.util.daemon.queueProcessor.service.Peer.encodeMessage(Peer.CDB:23)
            at com.tangosol.coherence.component.util.daemon.queueProcessor.service.peer.acceptor.TcpAcceptor.encodeMessage(TcpAcceptor.CDB:8)
            at com.tangosol.coherence.component.util.daemon.queueProcessor.service.Peer.send(Peer.CDB:16)
            at com.tangosol.coherence.component.util.daemon.queueProcessor.service.Peer.post(Peer.CDB:23)
            at com.tangosol.coherence.component.net.extend.Channel.post(Channel.CDB:25)
            at com.tangosol.coherence.component.net.extend.Channel.send(Channel.CDB:6)
            at com.tangosol.coherence.component.net.extend.Channel.receive(Channel.CDB:55)
            at com.tangosol.coherence.component.util.daemon.queueProcessor.service.Peer$DaemonPool$WrapperTask.run(Peer.CDB:9)
            at com.tangosol.coherence.component.util.DaemonPool$WrapperTask.run(DaemonPool.CDB:32)
            at com.tangosol.coherence.component.util.DaemonPool$Daemon.onNotify(DaemonPool.CDB:63)
            at com.tangosol.coherence.component.util.Daemon.run(Daemon.CDB:42)
            at java.lang.Thread.run(Thread.java:619)
    Published by: user6122052 on June 28, 2010 09:46

    Hi user6122052,

    The problem is that you try to return the result of a query:

    setResult(cacheInstance.entrySet(limitFilter,  new ActivityContentVOComparator()));
    

    and this set is an instance of com.tangosol.util.ConverterCollections$ConverterEntrySet, which is not serializable. So you can either convert it, for example:

    Set setResults = cacheInstance.entrySet(limitFilter,  new ActivityContentVOComparator());
    Set setConverted = new HashSet(setResults.size());
    for (Iterator iter = setResults.iterator(); iter.hasNext(); )
        {
        Map.Entry entry = (Map.Entry) iter.next();
        setConverted.add(entry.getValue());
        }
    setResult(setConverted);
    

    or better yet, query the cache directly from your Extend client.

    Kind regards
    Dimitri

  • sharing data via TCP/IP

    I finished writing a LabVIEW program that I run in S.C. It would be nice to watch some variables from my office here in OH. Although we are several states apart, we are on the same network domain. I suspect that there is an easy way to do it. Could someone point me in the right direction for the right VI or information?

    There is a 'multiple clients' example that comes with LabVIEW. Just look for TCP/IP in the Example Finder. If you set up your code to handle multiple TCP/IP connections, you can have it send data to multiple clients (your computer being one of them).

  • Extend security FAQ broken example?

    I tried the Extend example J.4 in the Coherence FAQ here: http://coherence.oracle.com/pages/viewpage.action?pageId=1343626

    Basically the way it works is that the Extend proxy uses a class model in which a subclass of com.tangosol.net.cache.WrapperNamedCache wraps the 'real' cache. This subclass can then override the methods you want to secure in order to perform access control before passing the method call on to the wrapped cache.

    Now, it all seemed to work fine until I tried to run queries on the cache. Queries are run against the 'wrapped' cache that resides on the storage-enabled cluster nodes, as Extend proxies are storage-disabled. I started to get errors that the methods I was querying on did not exist in the objects I had put in the cache.

    For example: Missing or inaccessible method: [com.tangosol.util.Binary#getIntValue]

    The reason for this, it turns out, is that the 'put' method of the WrapperNamedCache in the Extend proxy receives instances of com.tangosol.util.Binary for the key and value parameters, since the Extend client POF-serializes the values to send them over the network. When WrapperNamedCache calls 'put' on the real cache it presumably passes on these com.tangosol.util.Binary values. It appears that these are serialized again to go over the wire to the real cache, so the underlying real cache ends up containing a serialized value of an already serialized value, and therefore my queries fail.

    Is this 'double' serialization because I have configured the caches wrongly, or am I stuck with it?

    Obviously, it is quite impractical to deserialize the objects in the methods of the WrapperNamedCache subclass.

    Probably making the Extend proxies storage-enabled cluster nodes wouldn't make any difference either.

    I'm starting to give up on ever having a secure Coherence cluster, as so many things related to security in Coherence seem broken.

    Banging my head in frustration...
    JK.

    Jonathan,

    After spending a bit of time, I could reproduce the behavior described. It turns out that our security example was not updated to support POF transmission. I've updated the security example and put it on our wiki here: http://wiki.tangosol.com/pages/viewpage.action?pageId=1343626

    Please download the updated example; it should solve your problems.

    Thank you

    -Noah

  • Query several caches in parallel

    Hi experts,

    I have several caches defined in the client's cache configuration, and I want to query the different caches at the same time. If I use threads to do the work, there will be a network call for each cache (I use TCP Extend). Instead, I want it to be handled within the grid. Any suggestions on this?

    I appreciate your valuable contributions.

    Kind regards
    knockaert

    Hi Karthik,

    Yes, you need to configure an invocation service on the server and a remote-invocation-scheme on the client, there is no way around that, but it is not really difficult. The client will always connect to the server through the same proxy service.

    EntryProcessors are not really good for what you need, as they normally run against a cache or an entry in a cache. While it is possible to code an entry processor to query multiple caches and return a result, you would be in danger of blocking the service unless you are careful about the way you did it.

    If you want to pass parameters to the invocable, then they are in fact the parameters to your invocable class.

    For example:
    If I wanted some parameters in the example above, I could change the invocable like this. In this case I added two String parameters, but you can add whatever you like the same way. In the run() method you can now use the parameters. You must make sure you add the parameters to the POF writeExternal and readExternal methods.

    public class CacheQuery extends AbstractInvocable implements PortableObject {
    
        private String parameter1;
        private String parameter2;
    
        // Need a no-arg constructor for POF
        public CacheQuery()
        {
        }
    
        public CacheQuery(String parameter1, String parameter2)
        {
            this.parameter1 = parameter1;
            this.parameter2 = parameter2;
        }
    
        public void run()
        {
            Object result = ... // Perform your cache queries 
    
            // set the results to pass back to the client
            setResult(result);
        }
    
        public void readExternal(PofReader pofReader) throws IOException {
            parameter1 = pofReader.readString(100);
            parameter2 = pofReader.readString(101);
        }
    
        public void writeExternal(PofWriter pofWriter) throws IOException {
            pofWriter.writeString(100, parameter1);
            pofWriter.writeString(101, parameter2);
        }
    }
    

    Now you can set the parameters in the client code using the appropriate constructor. For example, the following code sets the two parameters 'value-1' and 'value-2'.

    InvocationService service = (InvocationService) CacheFactory.getService("EXAMPLE-INVOCATION-SERVICE");
    CacheQuery invocable = new CacheQuery("value-1", "value-2");
    Object result = service.query(invocable, null);
    

    JK

    Published by: Jonathan.Knight on April 25, 2010 16:48
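
    Putting Dimitri's fix (return a plain Set instead of the ConverterEntrySet view) and Jonathan's parameterised invocable together, here is an added example that is not code from either poster: an Invocable that runs a LimitFilter query on a named cache inside the grid and hands back a HashSet of matching values, which is what avoids the NotSerializableException above. The class name PagedStatusQuery, the type-id 1010, the extractor method "getStatusId" and an int status value are assumptions; like the page's own classes it must be registered in pof-config.xml on both client and proxy and needs coherence.jar on the classpath.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import com.tangosol.io.pof.PofReader;
import com.tangosol.io.pof.PofWriter;
import com.tangosol.io.pof.PortableObject;
import com.tangosol.net.AbstractInvocable;
import com.tangosol.net.CacheFactory;
import com.tangosol.net.InvocationService;
import com.tangosol.net.NamedCache;
import com.tangosol.util.Filter;
import com.tangosol.util.filter.EqualsFilter;
import com.tangosol.util.filter.LimitFilter;

/**
 * Hypothetical example class (not from the forum posts): runs a paged
 * EqualsFilter query against a cache from inside the grid and returns only the
 * matching values, copied into a plain HashSet so the result can be POF-encoded
 * and sent back through the Extend proxy.
 *
 * Register it in pof-config.xml on the client and the proxy with the same
 * type-id (1010 is a placeholder used here).
 */
public class PagedStatusQuery extends AbstractInvocable implements PortableObject {

    // POF property indexes: readExternal and writeExternal must agree on these
    private static final int CACHE_NAME_IDX = 0;
    private static final int METHOD_IDX     = 1;
    private static final int STATUS_IDX     = 2;
    private static final int PAGE_SIZE_IDX  = 3;

    private String cacheName;   // e.g. "dist-extend-cache"
    private String methodName;  // extractor method on the cached value, e.g. "getStatusId"
    private int    statusId;    // value the extractor must equal (assumed to be an int)
    private int    pageSize;    // LimitFilter page size

    // POF deserialization requires a public no-arg constructor
    public PagedStatusQuery() {
    }

    public PagedStatusQuery(String cacheName, String methodName, int statusId, int pageSize) {
        this.cacheName  = cacheName;
        this.methodName = methodName;
        this.statusId   = statusId;
        this.pageSize   = pageSize;
    }

    // Executed on the proxy node that received the invocation
    public void run() {
        NamedCache cache = CacheFactory.getCache(cacheName);
        Filter filter = new LimitFilter(
                new EqualsFilter(methodName, Integer.valueOf(statusId)), pageSize);

        // entrySet(Filter) returns a ConverterCollections view backed by the
        // cache; that view is not serializable, so it cannot leave the grid.
        // Without a Comparator the page order is not guaranteed.
        Set entries = cache.entrySet(filter);

        // Copy only the values into a plain HashSet. The values themselves
        // must be POF types known to both proxy and client.
        Set values = new HashSet(entries.size());
        for (Object o : entries) {
            values.add(((Map.Entry) o).getValue());
        }
        setResult(values);
    }

    public void readExternal(PofReader in) throws IOException {
        cacheName  = in.readString(CACHE_NAME_IDX);
        methodName = in.readString(METHOD_IDX);
        statusId   = in.readInt(STATUS_IDX);
        pageSize   = in.readInt(PAGE_SIZE_IDX);
    }

    public void writeExternal(PofWriter out) throws IOException {
        out.writeString(CACHE_NAME_IDX, cacheName);
        out.writeString(METHOD_IDX, methodName);
        out.writeInt(STATUS_IDX, statusId);
        out.writeInt(PAGE_SIZE_IDX, pageSize);
    }

    /** Client side: run the query through the Extend remote invocation service. */
    public static Set fetch(String serviceName, String cacheName, int statusId, int pageSize) {
        InvocationService service = (InvocationService) CacheFactory.getService(serviceName);
        PagedStatusQuery query = new PagedStatusQuery(cacheName, "getStatusId", statusId, pageSize);

        // Over Extend the result map holds one entry for the proxy that ran the
        // invocable, so take the only value instead of looking up a Member key.
        Map results = service.query(query, null);
        return results.isEmpty() ? new HashSet() : (Set) results.values().iterator().next();
    }
}
```

    With the page's configuration this would be called as PagedStatusQuery.fetch("ExtendTcpInvocationService", "dist-extend-cache", statusId, 200).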

  • ASA Version 9.0 (1) - Ping works both inside and outside, WWW does not work for remote VPN

    I am at a loss. I can connect via VPN and ping inside IPs (192.168.1.2) and outside IPs (4.2.2.2) from the remote VPN client, but can't surf the WWW. Inside the network, all users have WWW access and the network is fine. I'm new to the changes in ver 8.3 and don't see what I'm missing?

    Info:

    ASA-A# sh xl
    4 in use, 12 most used
    Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
    s - static, T - twice, N - net-to-net
    NAT from inside:192.168.1.0/24 to outside:24.180.x.x/24
    flags s idle 0:10:46 timeout 0:00:00
    NAT from outside:192.168.2.0/24 to outside:24.180.x./24
    flags s idle 0:00:59 timeout 0:00:00
    NAT from inside:192.168.1.0/24 to any:192.168.1.0/24
    flags s idle 0:11:51 timeout 0:00:00
    NAT from any:192.168.2.0/24 to inside:192.168.2.0/24
    flags s idle 0:11:51 timeout 0:00:00
    ASA-A#

    ASA-A# sh nat
    Manual NAT Policies (Section 1)
    1 (inside) to (any) source static Inside_Net Inside_Net   destination static VPN-NET VPN
    translate_hits = 3, untranslate_hits = 3

    Auto NAT Policies (Section 2)
    1 (inside) to (outside) source static Inside_Net 24.180.x.x
    translate_hits = 3, untranslate_hits = 184
    2 (outside) to (outside) source static VPN-net 24.180.x.x
    translate_hits = 97, untranslate_hits = 91
    ASA-A#

    sh log:

    %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:192.168.2.10/137(LOCAL\User) dst outside:192.168.2.255/137 denied due to NAT reverse path failure
    %ASA-7-609002: Teardown local-host outside:192.168.2.255 duration 0:00:00
    %ASA-7-609001: Built local-host outside:192.168.2.255

    %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:192.168.2.10/137(LOCAL\User) dst outside:192.168.2.255/137 denied due to NAT reverse path failure
    %ASA-7-609002: Teardown local-host outside:192.168.2.255 duration 0:00:00

    Current config:

    ASA Version 9.0(1)
    !
    hostname ASA-A
    domain-name a.local
    enable password xxxxx encrypted
    passwd XXXXX encrypted
    names
    ip local pool vpnpool 192.168.2.10-192.168.2.20
    !
    interface Ethernet0/0
     description Inet connection
     switchport access vlan 2
    !
    interface Ethernet0/1
     description LAN connection
     switchport access vlan 3
    !
    interface Ethernet0/2
     switchport access vlan 3
    !
    interface Ethernet0/3
     switchport access vlan 3
    !
    interface Ethernet0/4
     switchport access vlan 3
    !
    interface Ethernet0/5
     switchport access vlan 3
    !
    interface Ethernet0/6
     switchport access vlan 3
    !
    interface Ethernet0/7
     switchport access vlan 3
    !
    interface Vlan1
     no nameif
     no security-level
     no ip address
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 24.180.x.x 255.255.255.248
    !
    interface Vlan3
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    banner exec ********************************************
    banner exec *                                          *
    banner exec *                  ASA-A                   *
    banner exec *                                          *
    banner exec *              CISCO ASA5505               *
    banner exec *                                          *
    banner exec *             A Services Inc.              *
    banner exec *          xxx in car Street N.            *
    banner exec *              city, ST #                  *
    banner exec *                                          *
    banner exec ********************************************
    banner exec ^
    ftp mode passive
    dns server-group DefaultDNS
     domain-name a.local
    same-security-traffic permit intra-interface
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object network Inside_Net
     subnet 192.168.1.0 255.255.255.0
    object network VPN-net
     subnet 192.168.2.0 255.255.255.0
    access-list sheep extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list inbound extended permit gre any any
    access-list inbound extended permit udp any host 24.180.x.x eq 1723
    access-list inbound extended permit tcp any host 24.180.x.x eq pptp
    access-list inbound extended permit tcp any host 24.180.x.x eq smtp
    access-list inbound extended permit tcp any host 24.180.x.x eq www
    access-list inbound extended permit tcp any host 24.180.x.x eq https
    access-list inbound extended permit tcp any host 24.180.x.x eq 987
    access-list inbound extended permit udp any host 24.180.x.x eq 25
    access-list inbound extended permit udp any host 24.180.x.x eq 443
    access-list inbound extended permit udp any host 24.180.x.x eq www
    access-list inbound extended permit udp any host 24.180.x.x eq 987
    pager lines 24
    logging enable
    logging buffered debugging
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    icmp permit any inside
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,any) source static Inside_Net Inside_Net destination static VPN-NET VPN
    !
    object network Inside_Net
     nat (inside,outside) static 24.180.x.x
    object network VPN-net
     nat (outside,outside) static 24.180.x.x
    access-group inbound in interface outside
    route outside 0.0.0.0 0.0.0.0 24.180.x.x 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set VPN-remote esp-3des esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal VPN-remotetest
     protocol esp encryption aes-256 aes-192 aes 3des
     protocol esp integrity sha-1
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map dyn1 1 set ikev1 transform-set VPN-remote
    crypto dynamic-map dyn1 1 set reverse-route
    crypto map VPN-map 1 ipsec-isakmp dynamic dyn1
    crypto map VPN-map interface outside
    crypto ca trustpoint _SmartCallHome_ServerCA
     crl configure
    crypto ca trustpool policy
    crypto ca certificate chain _SmartCallHome_ServerCA
     certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
     quit
    crypto ikev1 enable outside
    crypto ikev1 policy 1
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 43200
    telnet timeout 5
    ssh timeout 5
    console timeout 0

    dhcpd auto_config outside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    username UName password xxxxxxxxx encrypted privilege 15
    tunnel-group VPN-remote type remote-access
    tunnel-group VPN-remote general-attributes
     address-pool vpnpool
    tunnel-group VPN-remote ipsec-attributes
     ikev1 pre-shared-key *****
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    !
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous
    Cryptochecksum:43db9ab2d3427289fb9a0fdb22b551fa
    : end

    Hello

    It's probably because you do not have a DNS server configured for VPN users. Try these commands:

     group-policy DfltGrpPolicy attributes
      dns-server value 8.8.8.8

  • If I configure the ISAKMP (phase 1) lifetime shorter than the IPsec (phase 2) lifetime, what's going to happen?

    I couldn't find any document from Cisco about this (Cisco only says that the longer the ISAKMP lifetime, the safer) as a guideline.

    I was wondering: if I configure the ISAKMP (phase 1) lifetime shorter than the IPsec (phase 2) lifetime, what happens when I still have traffic going through the VPN and the ISAKMP tunnel reaches its timeout? Would phase 2 also get torn down, and would the whole VPN negotiation start again from phase 1?

    Any help will be appreciated.

    -Angela

    Angela:

    We probably need to consider the context of your use of the term "session".

    If you had defined a crypto ACL that consisted of a single access control entry (example: permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255), that would generally* lead to the creation of a single ISAKMP security association and two IPSec security associations. Let's call it a "crypto session".

    As you said, the establishment of the "crypto session" was triggered by a "session" (for example TCP) between two hosts (each behind their respective end of the tunnel). Additional sessions (for example TCP) between different hosts at the two sites do not need other IPSec security associations. The previously established IPSec security associations carry all traffic defined by the ACE in the crypto ACL.

    For each extra ACE in your crypto ACL, you would see the creation of an extra pair of IPSec security associations (assuming traffic defined by the ACE triggers it).

    If you were to define layer 4 criteria (e.g. TCP port 80) in a crypto ACL, that would be horrible. IPSec security associations would be negotiated for each combination of source/destination port used by a host. For example: a single host visiting a single web site (through the crypto tunnel) would in general open multiple TCP sessions (each with a different source port), and IPSec security associations would be negotiated for each TCP session. This would quickly deplete resources on the crypto endpoints.

    We generally use P2P GRE or similar with IPSec to exchange dynamic routing info between sites. Because the traffic between sites is encapsulated in GRE, only a single proxy is needed.

    edg01#show crypto ipsec sa

    interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr

    protected vrf: (none)
    local ident (addr/mask/prot/port): (/255.255.255.255/47/0)
    remote ident (addr/mask/prot/port): (/255.255.255.255/47/0)

    In this case, a single proxy is used. The IP addresses are the external physical IP addresses of the crypto tunnel endpoints. Transport mode (hence the 255.255.255.255 masks). The '47' is the GRE protocol.

    * Note: Sometimes each crypto peer begins negotiations with the other, causing two redundant bidirectional ISAKMP SAs.

    Best regards

    Mike

  • VPN clients hairpinning through a site-to-site tunnel

    I have a 8.2 (5) ASA 5510 in Site1 and a 8.2 (1) ASA 5505 Site2 they are configured with a tunnel from site to site.

    Each site has VPN clients that connect and I would like to allow customers to access on both sides across the site-to-site tunnel servers.

    I enabled same-security-traffic permit intra-interface I also added the remote networks to access list who made the split tunneling.

    I think I'm doing something wrong with nat, but I don't know, any help would be greatly appreciated.

    Site1 (172.17.2.0/24), Clients1 (10.0.254.0/24)

    ASA Version 8.2(5)
    !
    hostname site1
    names
    dns-guard
    !
    interface Ethernet0/0
     nameif outside
     security-level 0
     ip address site1 255.255.255.240
    !
    interface Ethernet0/1
     nameif inside
     security-level 100
     ip address 172.17.2.1 255.255.255.0
    !
    interface Ethernet0/2
     shutdown
     nameif DMZ
     security-level 0
     ip address 10.10.10.1 255.255.255.0
    !
    interface Ethernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     nameif management
     security-level 0
     ip address 192.168.1.1 255.255.255.0
     management-only
    !
    ftp mode passive
    same-security-traffic permit intra-interface
    access-list VPN-UK extended permit ip 172.17.2.0 255.255.255.0 172.18.2.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 172.17.2.0 255.255.255.0 192.168.123.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 172.17.2.0 255.255.255.0 172.18.2.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 172.17.2.0 255.255.255.0 10.0.254.0 255.255.255.0
    access-list inside_nat0_outbound remark us Client Server UK
    access-list inside_nat0_outbound extended permit ip 10.0.254.0 255.255.255.0 172.18.2.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.123.0 255.255.255.0 10.0.254.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 172.18.2.0 255.255.255.0 10.0.254.0 255.255.255.0
    access-list Split_Tunnel_List standard permit 172.17.2.0 255.255.255.0
    access-list Split_Tunnel_List standard permit 172.18.2.0 255.255.255.0
    access-list Split_Tunnel_List standard permit 192.168.123.0 255.255.255.0
    access-list Split_Tunnel_List remark UK VPN Client pool
    access-list Split_Tunnel_List standard permit 172.255.2.0 255.255.255.0
    access-list outside-2 extended permit tcp any any eq smtp
    access-list outside-2 extended permit tcp any any eq 82
    access-list outside-2 extended permit tcp any any eq 81
    access-list outside-2 extended permit tcp any any eq https
    access-list outside-2 extended permit tcp any any eq imap4
    access-list outside-2 extended permit tcp any any eq ldaps
    access-list outside-2 extended permit tcp any any eq pop3
    access-list outside-2 extended permit tcp any any eq www
    access-list outside-2 extended permit tcp any any eq 5963
    access-list outside-2 extended permit tcp any any eq ftp
    access-list outside-2 extended permit tcp any any eq ftp-data
    access-list outside-2 extended permit tcp any any eq 3389
    access-list outside-2 extended deny tcp any any log
    access-list outside-2 extended deny ip any any log
    access-list outside-2 extended deny udp any any log
    access-list VPNCLIENTS extended permit ip 172.17.2.0 255.255.255.0 10.0.254.0 255.255.255.0
    access-list VPNCLIENTS extended permit ip 172.18.2.0 255.255.255.0 10.0.254.0 255.255.255.0
    access-list VPNCLIENTS extended permit ip 192.168.123.0 255.255.255.0 10.0.254.0 255.255.255.0
    access-list VPNClient_splittunnel standard permit 172.17.2.0 255.255.255.0
    access-list VPNClient_splittunnel standard permit 172.18.2.0 255.255.255.0
    access-list VPNClient_splittunnel standard permit 192.168.123.0 255.255.255.0
    access-list VPNClient_splittunnel remark UK VPN Client pool
    access-list VPNClient_splittunnel standard permit 172.255.2.0 255.255.255.0
    access-list VPN-Northwoods extended permit ip 172.17.2.0 255.255.255.0 192.168.123.0 255.255.255.0
    access-list outside_nat0_outbound remark AD 01/05/13
    access-list outside_nat0_outbound extended permit ip 10.0.254.0 255.255.255.0 172.18.2.0 255.255.255.0
    pager lines 24
    logging enable
    logging buffered debugging
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    mtu management 1500
    ip local pool VPNUserPool 10.0.254.25-10.0.254.45 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    nat (outside) 0 access-list outside_nat0_outbound
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 172.17.2.0 255.255.255.0
    static (inside,outside) tcp interface smtp 172.17.2.200 smtp netmask 255.255.255.255
    static (inside,outside) tcp interface 82 172.17.2.253 82 netmask 255.255.255.255
    static (inside,outside) tcp interface 81 192.168.123.253 81 netmask 255.255.255.255
    static (inside,outside) tcp interface https 172.17.2.10 https netmask 255.255.255.255
    static (inside,outside) tcp interface imap4 172.17.2.10 imap4 netmask 255.255.255.255
    static (inside,outside) tcp interface ldaps 172.17.2.10 ldaps netmask 255.255.255.255
    static (inside,outside) tcp interface pop3 172.17.2.10 pop3 netmask 255.255.255.255
    static (inside,outside) tcp interface www 172.17.2.19 www netmask 255.255.255.255
    static (inside,outside) tcp interface 5963 172.17.2.108 5963 netmask 255.255.255.255
    static (inside,outside) tcp interface ftp 172.17.2.7 ftp netmask 255.255.255.255
    static (inside,outside) tcp interface ftp-data 172.17.2.7 ftp-data netmask 255.255.255.255
    static (inside,outside) tcp interface 3389 172.17.2.29 3389 netmask 255.255.255.255
    access-group outside-2 in interface outside
    route outside 0.0.0.0 0.0.0.0 74.213.51.129 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server DCSI_Auth protocol radius
    aaa-server DCSI_Auth (inside) host 172.17.2.29
     key *****
    aaa-server AD protocol nt
    aaa-server AD (inside) host 172.16.1.211
    aaa-server AD (inside) host 172.17.2.29
    aaa authentication ssh console LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set trans_set esp-des esp-sha-hmac
    crypto ipsec transform-set VPN-Client esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map DYN_MAP 20 set reverse-route
    crypto dynamic-map outside_dyn_map 20 set transform-set VPN-Client
    crypto map outside_map 20 match address VPN-UK
    crypto map outside_map 20 set peer site2
    crypto map outside_map 20 set transform-set trans_set
    crypto map outside_map 30 match address VPN-Northwoods
    crypto map outside_map 30 set peer othersite
    crypto map outside_map 30 set transform-set trans_set
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto ca trustpoint _SmartCallHome_ServerCA
     crl configure
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 28800
    crypto isakmp policy 20
     authentication pre-share
     encryption des
     hash md5
     group 2
     lifetime 28800
    telnet timeout 5
    ssh timeout 60
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy Clients_vpn internal
    group-policy Clients_vpn attributes
     dns-server value 10.0.1.30
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value VPNClient_splittunnel
     default-domain value domain.local
     user-authentication enable
    tunnel-group VPNclient type remote-access
    tunnel-group VPNclient general-attributes
     address-pool VPNUserPool
     authentication-server-group DCSI_Auth
     default-group-policy Clients_vpn
    tunnel-group VPNclient ipsec-attributes
     pre-shared-key *****
    tunnel-group othersite type ipsec-l2l
    tunnel-group othersite ipsec-attributes
     pre-shared-key *****
    tunnel-group site2 type ipsec-l2l
    tunnel-group site2 ipsec-attributes
     pre-shared-key *****
    !
    class-map inspection_default
     match default-inspection-traffic
    class-map imblock
     match any
    class-map p2p
     match port tcp eq www
    class-map P2P
     match port tcp eq www
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map type inspect im bine
     parameters
     match protocol msn-im yahoo-im
      drop-connection
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect pptp
    policy-map type inspect http P2P_HTTP
     parameters
     match request uri regex _default_gator
      drop-connection log
     match request uri regex _default_x-kazaa-network
      drop-connection log
    policy-map IM_P2P
     class imblock
      inspect im bine
     class P2P
      inspect http P2P_HTTP
    !
    service-policy global_policy global
    service-policy IM_P2P interface inside
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:7717a11f5f2dce11af0f35cee7b4c893
    : end

    Site2 (172.18.2.0/24), Clients1 (172.255.2.0/24)

    ASA Version 8.2(1)
    !
    names
    name 172.18.2.2 UKserver
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 172.18.2.1 255.255.255.0
    !
    interface Vlan2
     nameif GuestWiFi
     security-level 0
     ip address 192.168.2.1 255.255.255.0
    !
    interface Vlan3
     nameif outside
     security-level 0
     ip address site2 255.255.255.252
    !
    interface Ethernet0/0
     switchport access vlan 3
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
     switchport trunk allowed vlan 1-2
     switchport trunk native vlan 2
     switchport mode trunk
     speed 100
     duplex full
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    same-security-traffic permit intra-interface
    access-list USER_VPN extended permit ip 172.18.2.0 255.255.255.0 172.255.2.0 255.255.255.0
    access-list USER_VPN extended permit ip 172.17.2.0 255.255.255.0 172.255.2.0 255.255.255.0
    access-list VPNClient_splittunnel standard permit 172.18.2.0 255.255.255.0
    access-list VPNClient_splittunnel standard permit 172.17.2.0 255.255.255.0
    access-list VPNClient_splittunnel standard permit 172.255.2.0 255.255.255.0
    access-list Outside_2_Inside extended permit tcp any host otherhost eq smtp
    access-list Outside_2_Inside extended permit tcp any host otherhost eq pop3
    access-list Outside_2_Inside extended permit tcp any host otherhost eq imap4
    access-list Outside_2_Inside extended permit tcp any host otherhost eq www
    access-list Outside_2_Inside extended permit tcp any host otherhost eq https
    access-list Outside_2_Inside extended permit tcp any host otherhost eq ldap
    access-list Outside_2_Inside extended permit tcp any host otherhost eq ldaps
    access-list Outside_2_Inside extended permit tcp any host otherhost eq nntp
    access-list Outside_2_Inside extended permit tcp any host otherhost eq 135
    access-list Outside_2_Inside extended permit tcp any host otherhost eq 102
    access-list Outside_2_Inside extended permit tcp any host otherhost eq 390
    access-list Outside_2_Inside extended permit tcp any host otherhost eq 3268
    access-list Outside_2_Inside extended permit tcp any host otherhost eq 3269
    access-list Outside_2_Inside extended permit tcp any host otherhost eq 993
    access-list Outside_2_Inside extended permit tcp any host otherhost eq 995
    access-list Outside_2_Inside extended permit tcp any host otherhost eq 563
    access-list Outside_2_Inside extended permit tcp any host otherhost eq 465
    access-list Outside_2_Inside extended permit tcp any host otherhost eq 691
    access-list Outside_2_Inside extended permit tcp any host otherhost eq 6667
    access-list Outside_2_Inside extended permit tcp any host otherhost eq 994
    access-list Outside_2_Inside extended permit icmp any any echo
    access-list Outside_2_Inside extended permit icmp any any echo-reply
    access-list Outside_2_Inside extended permit tcp any host site2 eq smtp
    access-list Outside_2_Inside extended permit tcp any host site2 eq pop3
    access-list Outside_2_Inside extended permit tcp any host site2 eq imap4
    access-list Outside_2_Inside extended permit tcp any host site2 eq www
    access-list Outside_2_Inside extended permit tcp any host site2 eq https
    access-list Outside_2_Inside extended permit tcp any host site2 eq ldap
    access-list Outside_2_Inside extended permit tcp any host site2 eq ldaps
    access-list Outside_2_Inside extended permit tcp any host site2 eq nntp
    access-list Outside_2_Inside extended permit tcp any host site2 eq 135
    access-list Outside_2_Inside extended permit tcp any host site2 eq 102
    access-list Outside_2_Inside extended permit tcp any host site2 eq 390
    access-list Outside_2_Inside extended permit tcp any host site2 eq 3268
    access-list Outside_2_Inside extended permit tcp any host site2 eq 3269
    access-list Outside_2_Inside extended permit tcp any host site2 eq 993
    access-list Outside_2_Inside extended permit tcp any host site2 eq 995
    access-list Outside_2_Inside extended permit tcp any host site2 eq 563
    access-list Outside_2_Inside extended permit tcp any host site2 eq 465
    access-list Outside_2_Inside extended permit tcp any host site2 eq 691
    access-list Outside_2_Inside extended permit tcp any host site2 eq 6667
    access-list Outside_2_Inside extended permit tcp any host site2 eq 994
    access-list Outside_2_Inside extended permit tcp any host site2 eq sip
    access-list Outside_2_Inside extended permit tcp any host site2 range 8000 8005
    access-list Outside_2_Inside extended permit udp any host site2 range 8000 8005
    access-list Outside_2_Inside extended permit udp any host site2 eq sip
    access-list Outside_2_Inside extended deny tcp any any log
    access-list Outside_2_Inside extended deny udp any any log
    access-list VPN-USA extended permit ip 172.255.2.0 255.255.255.0 172.17.2.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 172.18.2.0 255.255.255.0 172.17.2.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 172.18.2.0 255.255.255.0 172.255.2.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 172.255.2.0 255.255.255.0 172.17.2.0 255.255.255.0
    access-list Split_Tunnel_List remark Networks to allow via VPN
    access-list Split_Tunnel_List standard permit 172.18.2.0 255.255.255.0
    access-list Split_Tunnel_List standard permit 172.17.2.0 255.255.255.0
    access-list Split_Tunnel_List standard permit 172.255.2.0 255.255.255.0
    access-list Split_Tunnel_List standard permit 10.0.254.0 255.255.255.0
    pager lines 20
    logging enable
    logging monitor debugging
    logging buffered debugging
    logging asdm informational
    logging debug-trace
    mtu inside 1500
    mtu GuestWiFi 1500
    mtu outside 1500
    ip local pool ClientVPN 172.255.2.100-172.255.2.124
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-621.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 172.18.2.0 255.255.255.0
    nat (GuestWiFi) 2 192.168.2.0 255.255.255.0
    static (inside,outside) tcp interface smtp UKserver smtp netmask 255.255.255.255
    static (inside,outside) tcp interface pop3 UKserver pop3 netmask 255.255.255.255
    static (inside,outside) tcp interface imap4 UKserver imap4 netmask 255.255.255.255
    static (inside,outside) tcp interface www UKserver www netmask 255.255.255.255
    static (inside,outside) tcp interface https UKserver https netmask 255.255.255.255
    static (inside,outside) tcp interface ldap UKserver ldap netmask 255.255.255.255
    static (inside,outside) tcp interface ldaps UKserver ldaps netmask 255.255.255.255
    static (inside,outside) tcp interface nntp UKserver nntp netmask 255.255.255.255
    static (inside,outside) tcp interface 135 UKserver 135 netmask 255.255.255.255
    static (inside,outside) tcp interface 102 UKserver 102 netmask 255.255.255.255
    static (inside,outside) tcp interface 390 UKserver 390 netmask 255.255.255.255
    static (inside,outside) tcp interface 3268 UKserver 3268 netmask 255.255.255.255
    static (inside,outside) tcp interface 3269 UKserver 3269 netmask 255.255.255.255
    static (inside,outside) tcp interface 993 UKserver 993 netmask 255.255.255.255
    static (inside,outside) tcp interface 995 UKserver 995 netmask 255.255.255.255
    static (inside,outside) tcp interface 563 UKserver 563 netmask 255.255.255.255
    static (inside,outside) tcp interface 465 UKserver 465 netmask 255.255.255.255
    static (inside,outside) tcp interface 691 UKserver 691 netmask 255.255.255.255
    static (inside,outside) tcp interface 6667 UKserver 6667 netmask 255.255.255.255
    static (inside,outside) tcp interface 994 UKserver 994 netmask 255.255.255.255
    access-group Outside_2_Inside in interface outside
    route outside 0.0.0.0 0.0.0.0 87.224.93.53 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server vpn protocol radius
    aaa-server vpn (inside) host UKserver
     key DCSI_vpn_Key07
    aaa authentication ssh console LOCAL
    http server enable
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set trans_set esp-des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map outside_dyn_map 20 set transform-set trans_set
    crypto dynamic-map DYN_MAP 20 set reverse-route
    crypto map outside_map 20 match address VPN-USA
    crypto map outside_map 20 set peer othersite2 site1
    crypto map outside_map 20 set transform-set trans_set
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 28800
    crypto isakmp policy 20
     authentication pre-share
     encryption des
     hash md5
     group 2
     lifetime 28800
    telnet timeout 5
    ssh timeout 25
    console timeout 0
    dhcpd dns 8.8.8.8 UKserver
    !
    dhcpd address 172.18.2.100-172.18.2.149 inside
    dhcpd enable inside
    !
    dhcpd address 192.168.2.50-192.168.2.74 GuestWiFi
    dhcpd enable GuestWiFi
    !
    no threat-detection basic-threat
    no threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy USER_VPN internal
    group-policy USER_VPN attributes
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value Split_Tunnel_List
     user-authentication enable
    tunnel-group othersite2 type ipsec-l2l
    tunnel-group othersite2 ipsec-attributes
     pre-shared-key *****
    tunnel-group USER_VPN type remote-access
    tunnel-group USER_VPN general-attributes
     address-pool ClientVPN
     authentication-server-group (outside) vpn
     default-group-policy USER_VPN
    tunnel-group USER_VPN ipsec-attributes
     pre-shared-key *****
    tunnel-group site1 type ipsec-l2l
    tunnel-group site1 ipsec-attributes
     pre-shared-key *****
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:d000c75c8864547dfabaf3652d81be71
    : end
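    A check a practitioner would run against the two configurations above, as an added example that is not part of this post and not a Cisco tool: a short Python script that parses the "permit ip" ACEs out of each ASA's crypto-map match ACL and NAT 0 exemption ACLs and reports, for every subnet pair that has to cross the tunnel, which ACL on which side is missing it. The sample ACE lines are constructed to follow the shape of the Site1/Site2 configs (ACL names VPN-UK, VPN-USA, inside_nat0_outbound and outside_nat0_outbound are reused from the post; the lines themselves are not the post's configs); the rule it encodes is the usual 8.2 hairpinning requirement: the client pool must be in the local nat (outside) 0 exemption and the local crypto ACL, and, mirrored, in the far side's crypto ACL and nat 0 exemption.

```python
"""Consistency check for hairpinned VPN-client traffic over an ASA 8.2 L2L tunnel.

Added example (not from the thread).  For every subnet pair that must cross the
tunnel it verifies, on each peer, that the crypto-map match ACL selects the pair
(as a mirror image on the far side) and that the relevant NAT 0 exemption ACL
covers it: a pair missing from the crypto ACL is never encrypted, and a pair
missing from the nat0 ACL is PATed to the outside address before encryption, so
it no longer matches the far side's proxy identity.
"""
import ipaddress
import re

# 'access-list NAME extended permit ip SRC SMASK DST DMASK'  (ASA 8.2 syntax)
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<smask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<dmask>\d+\.\d+\.\d+\.\d+)\s*$"
)


def parse_ip_acls(config_text):
    """Return {acl_name: [(src_network, dst_network), ...]} for 'permit ip' ACEs.
    Remarks, standard ACLs and port-based ACEs are ignored."""
    acls = {}
    for raw in config_text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue
        src = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False)
        dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
        acls.setdefault(m["name"], []).append((src, dst))
    return acls


def covered(aces, src, dst):
    """True if some ACE's source/destination networks contain src/dst."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in aces)


def check_tunnel(local_cfg, local_crypto_acl, remote_cfg, remote_crypto_acl, pairs):
    """pairs: (local_net, local_nat0_acl, remote_net, remote_nat0_acl) tuples.

    The nat0 ACL is given per pair because on 8.2 the exemption is bound to the
    interface the traffic enters on: LAN traffic uses nat (inside) 0, while
    hairpinned VPN-client traffic enters on outside and uses nat (outside) 0.
    Returns a list of human-readable gaps; an empty list means consistent."""
    local = parse_ip_acls(local_cfg)
    remote = parse_ip_acls(remote_cfg)
    gaps = []
    for lnet, lnat0, rnet, rnat0 in pairs:
        l_net = ipaddress.ip_network(lnet)
        r_net = ipaddress.ip_network(rnet)
        checks = [
            (local, local_crypto_acl, l_net, r_net, "local crypto ACL"),
            (local, lnat0, l_net, r_net, "local nat0 ACL"),
            (remote, remote_crypto_acl, r_net, l_net, "remote crypto ACL"),
            (remote, rnat0, r_net, l_net, "remote nat0 ACL"),
        ]
        for acls, name, s, d, label in checks:
            if not covered(acls.get(name, []), s, d):
                gaps.append(f"{label} {name} lacks {s} -> {d}")
    return gaps


# Constructed sample (not the post's configs): the L2L LAN pair is present on
# both sides, but the Site1 VPN-client pool is only NAT-exempted on Site1 and
# is absent from both crypto ACLs.
SITE1_BEFORE = """
access-list VPN-UK extended permit ip 172.17.2.0 255.255.255.0 172.18.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.17.2.0 255.255.255.0 172.18.2.0 255.255.255.0
access-list outside_nat0_outbound remark AD 01/05/13
access-list outside_nat0_outbound extended permit ip 10.0.254.0 255.255.255.0 172.18.2.0 255.255.255.0
"""
SITE2_BEFORE = """
access-list VPN-USA extended permit ip 172.18.2.0 255.255.255.0 172.17.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.18.2.0 255.255.255.0 172.17.2.0 255.255.255.0
"""
# The same configs with the pool added where it was missing.
SITE1_AFTER = SITE1_BEFORE + (
    "access-list VPN-UK extended permit ip 10.0.254.0 255.255.255.0 172.18.2.0 255.255.255.0\n"
)
SITE2_AFTER = SITE2_BEFORE + (
    "access-list VPN-USA extended permit ip 172.18.2.0 255.255.255.0 10.0.254.0 255.255.255.0\n"
    "access-list inside_nat0_outbound extended permit ip 172.18.2.0 255.255.255.0 10.0.254.0 255.255.255.0\n"
)
PAIRS = [
    # Site1 LAN <-> Site2 LAN: ordinary L2L traffic, exempted on the inside interface.
    ("172.17.2.0/24", "inside_nat0_outbound", "172.18.2.0/24", "inside_nat0_outbound"),
    # Site1 VPN-client pool <-> Site2 LAN: hairpins in and out of Site1's outside interface.
    ("10.0.254.0/24", "outside_nat0_outbound", "172.18.2.0/24", "inside_nat0_outbound"),
]


def gaps_before():
    return check_tunnel(SITE1_BEFORE, "VPN-UK", SITE2_BEFORE, "VPN-USA", PAIRS)


def gaps_after():
    return check_tunnel(SITE1_AFTER, "VPN-UK", SITE2_AFTER, "VPN-USA", PAIRS)


if __name__ == "__main__":
    for gap in gaps_before():
        print("BEFORE:", gap)
    print("AFTER:", gaps_after() or "consistent")
```

    On the constructed input the script reports three gaps for the pool pair (the local crypto ACL, the remote crypto ACL and the remote nat 0 ACL) and none for the LAN pair; after the three missing ACEs are added it reports nothing. The split-tunnel list on the client side is a separate condition that this check does not cover: the far-side subnet also has to be in the client's split-tunnel-network-list, or the client never sends that traffic into the tunnel.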





    Hello

    The output seems to indicate that traffic is indeed being sent through the L2L VPN connection.

    Can you ping from hosts on the 172.18.2.0/24 network to hosts on the 172.17.2.0/24 network?

    Have you tried several different target hosts on the network you are trying to ping, so that we can rule out the actual devices simply not answering these pings?

    -Jouni

  • Help! Several problems setting up site-to-site VPN connections

    Recently I set up an ASA 5505 at each of 3 sites, communicating over site-to-site VPN. I am able to connect HQ to the two offices without any problem, and each office connects as well. However, I can't make a remote desktop connection to the camp. Please see each office's configuration below, and thanks for sharing any of your experience.

    (Pri: 172.29.88.254 remote desktop; Pub: 173.190.234.138; Subnet: 172.29.88.0/24)
    |
    |     (VPN)
    |
    HQ office (Pri: 172.29.8.254; Pub: 173.111.222.140; Subnet: 172.29.8.0/24)
    |
    |      (VPN)
    |
    Colo (Pri: 172.29.168.254; Pub: 111.167.239.218; Subnet: 172.29.168.0/24)

    HQ ASA5505 configuration:

    ASA 4,0000 Version 1
    !
    hostname jtfw-AC
    domain-name jollytech.com
    enable password Yr4Jr0JzJxYTTQQu encrypted
    passwd GCdiui.2NH7n52DU encrypted
    names
    !
    interface Ethernet0/0
     switchport access vlan 2
     speed 100
    !
    interface Ethernet0/1
     switchport access vlan 2
     speed 100
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 172.29.8.254 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 173.111.222.140 255.255.255.248
    !
    ftp mode passive
    clock timezone GMT 0
    dns server-group DefaultDNS
     domain-name jollytech.com
    same-security-traffic permit inter-interface
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object service RDP
     service tcp source eq 3389
    object network orange
     host 172.29.8.151
    object network WAN_173_111_222_138
     host 173.111.222.138
    object service SMTP
     service tcp source eq smtp
    object service PPTP
     service tcp source eq pptp
    object service JT_WWW
     service tcp source eq www
    object service JT_HTTPS
     service tcp source eq https
    object network obj_lex
     subnet 172.29.88.0 255.255.255.0
     description Lexington office network
    object network obj_HQ
     subnet 172.29.8.0 255.255.255.0
    object network guava
     host 172.29.8.3
    object network obj_HQVPN
     subnet 192.168.8.0 255.255.255.0
    object network jt-fn68zv1
     host 172.29.8.71
    object service JT_FTP
     service tcp source eq ftp
    object network obj_colo
     subnet 172.29.168.0 255.255.255.0
    access-list VPN_Tunnel_User standard permit 172.29.8.0 255.255.255.0
    access-list VPN_Tunnel_User standard permit 192.168.8.0 255.255.255.0
    access-list inside_access_in extended permit icmp any any
    access-list inside_access_in extended deny tcp any any eq 135 inactive
    access-list inside_access_in extended deny tcp any eq 135 any inactive
    access-list inside_access_in extended deny udp any eq 135 any inactive
    access-list inside_access_in extended deny udp any any eq 135 inactive
    access-list inside_access_in extended deny tcp any any eq 1591
    access-list inside_access_in extended deny tcp any eq 1591 any
    access-list inside_access_in extended deny udp any eq 1591 any
    access-list inside_access_in extended deny udp any any eq 1591
    access-list inside_access_in extended deny tcp any any eq 1214
    access-list inside_access_in extended deny tcp any eq 1214 any
    access-list inside_access_in extended deny udp any any eq 1214
    access-list inside_access_in extended deny udp any eq 1214 any
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in extended permit tcp any any eq www
    access-list inside_access_in extended permit tcp any eq www any
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in extended permit tcp any host 173.111.222.138 eq 3389
    access-list outside_access_in extended permit tcp any host 173.111.222.138 eq smtp
    access-list outside_access_in extended permit tcp any host 173.111.222.138 eq pptp
    access-list outside_access_in extended permit tcp any host 173.111.222.138 eq www
    access-list outside_access_in extended permit tcp any host 173.111.222.138 eq https
    access-list outside_access_in extended permit ip any any
    access-list inside_access_out extended permit icmp any any
    access-list inside_access_out extended permit ip any any
    access-list outside_cryptomap extended permit ip 172.29.8.0 255.255.255.0 172.29.88.0 255.255.255.0
    access-list outside_cryptomap extended permit ip object obj_colo object obj_lex
    access-list inside_in extended permit icmp any any
    access-list inside_in extended permit ip any any
    access-list inside_in extended permit udp any any eq isakmp
    access-list inside_in extended permit udp any eq isakmp any
    access-list inside_in extended permit udp any any
    access-list inside_in extended permit tcp any any
    access-list outside_cryptomap_1 extended permit ip object obj_HQ object obj_colo
    access-list outside_cryptomap_1 extended permit ip object obj_lex object obj_colo
    pager lines 24
    logging enable
    logging timestamp
    logging trap informational
    logging asdm informational
    logging from-address [email protected]
    logging host inside 172.29.8.89
    mtu inside 1500
    mtu outside 1500
    ip local pool Jolly_HQVPN_DHCP 192.168.8.100-192.168.8.150 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm history enable
    arp timeout 14400
    nat (inside,outside) source static orange interface service RDP RDP
    nat (inside,outside) source static obj_HQ obj_HQ destination static obj_lex obj_lex route-lookup
    nat (inside,outside) source static obj_HQ obj_HQ destination static obj_colo obj_colo route-lookup
    nat (inside,outside) source static obj_colo obj_colo destination static obj_lex obj_lex route-lookup
    nat (inside,outside) source static obj_lex obj_lex destination static obj_colo obj_colo route-lookup
    nat (inside,outside) source static guava WAN_173_164_222_138 service JT_WWW JT_WWW
    nat (inside,outside) source static guava WAN_173_164_222_138 service JT_HTTPS JT_HTTPS
    nat (inside,outside) source static guava WAN_173_164_222_138 service RDP RDP
    nat (inside,outside) source static guava WAN_173_164_222_138 service SMTP SMTP
    nat (inside,outside) source static guava WAN_173_164_222_138 service PPTP PPTP
    nat (inside,outside) source static jt-fn68zv1 interface service JT_FTP JT_FTP
    nat (inside,outside) source static obj_HQ obj_HQ destination static obj_HQVPN obj_HQVPN
    !
    object network obj_any
     nat (inside,outside) dynamic interface
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 173.111.222.142 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server guava protocol nt
    aaa-server guava (inside) host 172.29.8.3
     timeout 15
     nt-auth-domain-controller guava
    user-identity default-domain LOCAL
    user-identity inactive-user-timer minutes 360
    http server enable
    http 172.29.8.0 255.255.255.0 inside
    snmp-server host inside 172.29.8.89 community ***** version 2c
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set Remote_VPN_Set esp-3des esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set Remote_VPN_Set
    crypto dynamic-map outside_dyn_map 20 set reverse-route
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 173.190.234.138
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 set ikev2 ipsec-proposal AES AES192 AES256 3DES DES
    crypto map outside_map 2 match address outside_cryptomap_1
    crypto map outside_map 2 set pfs
    crypto map outside_map 2 set peer 111.167.239.218
    crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 2 set ikev2 ipsec-proposal AES AES192 AES256 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto ikev2 policy 1

    aes-256 encryption

    integrity sha

    Group 2 of 5

    FRP sha

    second life 86400

    IKEv2 crypto policy 10

    aes-192 encryption

    integrity sha

    Group 2 of 5

    FRP sha

    second life 86400

    IKEv2 crypto policy 20

    aes encryption

    integrity sha

    Group 2 of 5

    FRP sha

    second life 86400

    IKEv2 crypto policy 30

    3des encryption

    integrity sha

    Group 2 of 5

    FRP sha

    second life 86400

    IKEv2 crypto policy 40

    the Encryption

    integrity sha

    Group 2 of 5

    FRP sha

    second life 86400

    Crypto ikev2 allow outside

    Crypto ikev1 allow outside

    IKEv1 crypto policy 10

    authentication crack

    aes-256 encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 20

    authentication rsa - sig

    aes-256 encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 30

    preshared authentication

    aes-256 encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 40

    authentication crack

    aes-192 encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 50

    authentication rsa - sig

    aes-192 encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 60

    preshared authentication

    aes-192 encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 70

    authentication crack

    aes encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 80

    authentication rsa - sig

    aes encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 90

    preshared authentication

    aes encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 100

    authentication crack

    3des encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 110

    authentication rsa - sig

    3des encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 120

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 130

    authentication crack

    the Encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 140

    authentication rsa - sig

    the Encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 150

    preshared authentication

    the Encryption

    sha hash

    Group 2

    life 86400

    Telnet 172.29.8.0 255.255.255.0 inside

    Telnet timeout 5

    SSH timeout 5

    SSH group dh-Group1-sha1 key exchange

    Console timeout 0

    dhcpd auto_config off vpnclient-wins-override

    !

    dhcprelay Server 172.29.8.3 on the inside

    a basic threat threat detection

    Statistics-list of access threat detection

    no statistical threat detection tcp-interception

    WebVPN

    allow outside

    internal Jolleytech_VPN group strategy

    attributes of Group Policy Jolleytech_VPN

    value of server DNS 172.29.8.3

    Ikev1 VPN-tunnel-Protocol

    Split-tunnel-policy tunnelspecified

    value of Split-tunnel-network-list VPN_Tunnel_User

    jollytech.local value by default-field

    internal GroupPolicy_10.8.8.1 group strategy

    attributes of Group Policy GroupPolicy_10.8.8.1

    L2TP ipsec VPN-tunnel-Protocol ikev1, ikev2

    name of user who encrypted password eicyrfJBrqOaxQvS

    type tunnel-group jollytech remote access

    tunnel-group jollytech General-attributes

    address pool Jolly_HQVPN_DHCP

    authentication-server-group guava

    Group Policy - by default-Jolleytech_VPN

    jollytech group of tunnel ipsec-attributes

    IKEv1 pre-shared-key *.

    tunnel-group 111.167.239.218 type ipsec-l2l

    tunnel-group 111.167.239.218 General-attributes

    Group - default policy - GroupPolicy_10.8.8.1

    IPSec-attributes tunnel-group 111.167.239.218

    IKEv1 pre-shared-key *.

    remote control-IKEv2 pre-shared-key authentication *.

    remotely IKEv2 authentication certificate

    pre-shared-key authentication local IKEv2 *.

    tunnel-group 173.190.234.138 type ipsec-l2l

    tunnel-group 173.190.234.138 General-attributes

    Group - default policy - GroupPolicy_10.8.8.1

    IPSec-attributes tunnel-group 173.190.234.138

    IKEv1 pre-shared-key *.

    remote control-IKEv2 pre-shared-key authentication *.

    remotely IKEv2 authentication certificate

    pre-shared-key authentication local IKEv2 *.

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    Policy-map global_policy

    class inspection_default

    inspect the pptp

    inspect the ftp

    inspect the netbios

    inspect the http

    !

    global service-policy global_policy

    172.29.8.3 SMTP server

    context of prompt hostname

    no remote anonymous reporting call

    Cryptochecksum:2da829cf9fd3d4901e8131c2ae32b679

    : end

    Remote office configuration -

    ASA Version 8.4(3)
    !
    hostname jtfw-lex
    enable password Yr4Jr0JzJxYTTQQu encrypted
    passwd GCdiui.2NH7n52DU encrypted
    names
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
     switchport access vlan 2
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 172.29.88.254 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 173.190.234.138 255.255.255.248
    !
    ftp mode passive
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object service RDP
     service tcp source eq 3389
    object service SMTP
     service tcp source eq smtp
    object service PPTP
     service tcp source eq pptp
    object service JT_WWW
     service tcp source eq www
    object service JT_HTTPS
     service tcp source eq https
    object network jt-dc01
     host 172.29.88.151
    object network WAN_jt-dc01
     host 10.8.8.3
    object network obj_lex
     subnet 172.29.88.0 255.255.255.0
     description Lexinton office network
    object network obj_HQ
     subnet 172.29.8.0 255.255.255.0
     description Jollytech HQ network
    object network obj_colo
     subnet 172.29.168.0 255.255.255.0
     description Jollytech colo network
    access-list inside_access_in extended permit icmp any any
    access-list inside_access_in extended deny tcp any any eq netbios-ssn inactive
    access-list inside_access_in extended deny tcp any eq netbios-ssn any inactive
    access-list inside_access_in extended deny udp any eq 139 any
    access-list inside_access_in extended deny udp any any eq 139
    access-list inside_access_in extended deny tcp any any eq 135
    access-list inside_access_in extended deny tcp any eq 135 any
    access-list inside_access_in extended deny udp any eq 135 any
    access-list inside_access_in extended deny udp any any eq 135
    access-list inside_access_in extended deny tcp any any eq 1591
    access-list inside_access_in extended deny tcp any eq 1591 any
    access-list inside_access_in extended deny udp any eq 1591 any
    access-list inside_access_in extended deny udp any any eq 1591
    access-list inside_access_in extended deny tcp any any eq 1214
    access-list inside_access_in extended deny tcp any eq 1214 any
    access-list inside_access_in extended deny udp any eq 1214 any
    access-list inside_access_in extended deny udp any any eq 1214
    access-list inside_access_in extended permit ip any any
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in extended permit tcp any host 10.8.8.3 eq smtp
    access-list outside_access_in extended permit tcp any host 10.8.8.3 eq pptp
    access-list outside_access_in extended permit tcp any host 10.8.8.3 eq www
    access-list outside_access_in extended permit tcp any host 10.8.8.3 eq https
    access-list outside_access_in extended permit tcp any host 10.8.8.3 eq 3389
    access-list outside_access_in extended permit ip any any
    access-list inside_access_out extended permit icmp any any
    access-list outside_cryptomap extended permit ip 172.29.88.0 255.255.255.0 object obj_HQ
    access-list outside_cryptomap extended permit ip object obj_lex object obj_colo
    access-list VPN_Tunnel_user standard permit 172.29.88.0 255.255.255.0
    access-list VPN_Tunnel_user standard permit 172.29.8.0 255.255.255.0
    access-list VPN_Tunnel_user standard permit 172.29.168.0 255.255.255.0
    access-list VPN_Tunnel_user standard permit 192.168.88.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool jolly_lex_DHCP 192.168.88.100-192.168.88.120 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static jt-dc01 WAN_jt-dc01 service RDP RDP
    nat (inside,outside) source static jt-dc01 WAN_jt-dc01 service JT_WWW JT_WWW
    nat (inside,outside) source static obj_lex obj_lex destination static obj_HQ obj_HQ route-lookup
    nat (inside,outside) source static obj_lex obj_lex destination static obj_colo obj_colo route-lookup
    !
    object network obj_any
     nat (inside,outside) dynamic interface
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 173.190.234.137 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 172.29.88.0 255.255.255.0 inside
    snmp-server host inside 172.29.88.30 community ***** version 2c
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set Remote_VPN_set esp-3des esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 173.111.222.140
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 set ikev2 ipsec-proposal AES AES192 AES256 3DES
    crypto map outside_map interface outside
    crypto ikev2 policy 1
     encryption aes-256
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 10
     encryption aes-192
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 20
     encryption aes
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 30
     encryption 3des
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 40
     encryption des
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 policy 10
     authentication crack
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 20
     authentication rsa-sig
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 30
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 40
     authentication crack
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 50
     authentication rsa-sig
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 60
     authentication pre-share
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 70
     authentication crack
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 80
     authentication rsa-sig
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 90
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 100
     authentication crack
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 110
     authentication rsa-sig
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 120
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 130
     authentication crack
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 140
     authentication rsa-sig
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 150
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    telnet 172.29.88.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 172.29.88.50-172.29.88.100 inside
    dhcpd dns 172.29.8.3 166.102.165.11 interface inside
    dhcpd domain jollytech.local interface inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy GroupPolicy_173.164.222.140 internal
    group-policy GroupPolicy_173.164.222.140 attributes
     vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
    username ... password JOYSoaqW4x32VHKB encrypted
    tunnel-group 173.111.222.140 type ipsec-l2l
    tunnel-group 173.111.222.140 general-attributes
     default-group-policy GroupPolicy_173.164.222.140
    tunnel-group 173.111.222.140 ipsec-attributes
     ikev1 pre-shared-key *****
     ikev2 remote-authentication pre-shared-key *****
     ikev2 remote-authentication certificate
     ikev2 local-authentication pre-shared-key *****
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map global_policy
     class inspection_default
      inspect pptp
      inspect ftp
      inspect netbios
    !
    service-policy global_policy global
    smtp-server 172.29.8.3
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:0a0cf040a1f0f979ff55f0ef7e15c452
    : end

    Colo configuration -

    ASA Version 8.4(3)
    !
    hostname jtfw-colo
    domain-name jollytech.com
    enable password Yr4Jr0JzJxYTTQQu encrypted
    passwd GCdiui.2NH7n52DU encrypted
    names
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
     switchport access vlan 2
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 172.29.168.254 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 111.167.239.218 255.255.255.248
    !
    ftp mode passive
    clock timezone GMT 0
    dns server-group DefaultDNS
     domain-name jollytech.com
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object service RDP
     service tcp source eq 3389
    object service SMTP
     service tcp source eq smtp
    object service PPTP
     service tcp source eq pptp
    object service JT_WWW
     service tcp source eq www
    object service JT_HTTPS
     service tcp source eq https
    object network obj_lex
     subnet 172.29.88.0 255.255.255.0
     description Lexington office network
    object network obj_HQ
     subnet 172.29.8.0 255.255.255.0
     description Jollytech HQ network
    object network guava
     host 172.29.8.3
    object network obj_HQVPN
     subnet 192.168.8.0 255.255.255.0
     description Jollytech HQ VPN network
    object network WAN_111_167_239_220
     host 111.167.239.220
    object network jt-dc01
     host 172.29.168.3
    object network jt-exch2010
     host 172.29.168.25
    object network obj_colo
     subnet 172.29.168.0 255.255.255.0
     description Jollytech colo network
    object network RC_jt-r610
     host 172.29.168.8
    object network WAN_111_167_239_221
     host 111.167.239.221
    access-list inside_access_in extended permit icmp any any
    access-list inside_access_in extended deny tcp any any eq 135 inactive
    access-list inside_access_in extended deny tcp any eq 135 any inactive
    access-list inside_access_in extended deny udp any eq 135 any
    access-list inside_access_in extended deny udp any any eq 135
    access-list inside_access_in extended deny tcp any any eq 1591
    access-list inside_access_in extended deny tcp any eq 1591 any
    access-list inside_access_in extended deny udp any eq 1591 any
    access-list inside_access_in extended deny udp any any eq 1591
    access-list inside_access_in extended deny tcp any any eq 1214
    access-list inside_access_in extended deny tcp any eq 1214 any
    access-list inside_access_in extended deny udp any any eq 1214
    access-list inside_access_in extended deny udp any eq 1214 any
    access-list inside_access_in extended permit tcp any any eq www
    access-list inside_access_in extended permit tcp any eq www any
    access-list inside_access_in extended permit ip any any
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in extended permit tcp any object WAN_198_167_239_220 eq 3389
    access-list outside_access_in extended permit tcp any object WAN_198_167_239_220 eq www
    access-list outside_access_in extended permit tcp any object WAN_198_167_239_220 eq https
    access-list outside_access_in extended permit tcp any object WAN_198_167_239_221 eq www
    access-list outside_access_in extended permit tcp any object WAN_198_167_239_221 eq https
    access-list outside_access_in extended permit tcp any object WAN_198_167_239_221 eq 3389
    access-list outside_access_in extended permit ip any any
    access-list inside_access_out extended permit icmp any any
    access-list inside_access_out extended permit ip any any
    access-list outside_cryptomap extended permit ip object obj_colo object obj_HQ
    access-list outside_cryptomap extended permit ip object obj_colo object obj_lex
    pager lines 24
    logging enable
    logging asdm informational
    logging from-address [email protected]
    logging recipient-address [email protected] level errors
    logging host inside 172.29.168.89
    mtu inside 1500
    mtu outside 1500
    ip local pool Jolly_coloVPN_DHCP 192.168.168.100-192.168.168.110 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm history enable
    arp timeout 14400
    nat (inside,outside) source static RC_jt-r610 interface service JT_WWW JT_WWW
    nat (inside,outside) source static RC_jt-r610 interface service JT_HTTPS JT_HTTPS
    nat (inside,outside) source static jt-dc01 WAN_111_167_239_220 service JT_HTTPS JT_HTTPS
    nat (inside,outside) source static jt-dc01 WAN_111_167_239_220 service JT_WWW JT_WWW
    nat (inside,outside) source static jt-dc01 WAN_111_167_239_220 service RDP RDP
    nat (inside,outside) source static jt-exch2010 WAN_111_167_239_221 service RDP RDP
    nat (inside,outside) source static jt-exch2010 WAN_111_167_239_221 service JT_WWW JT_WWW
    nat (inside,outside) source static jt-exch2010 WAN_111_167_239_221 service JT_HTTPS JT_HTTPS
    nat (inside,outside) source static obj_colo obj_colo destination static obj_HQ obj_HQ route-lookup
    nat (inside,outside) source static obj_colo obj_colo destination static obj_lex obj_lex route-lookup
    !
    object network obj_any
     nat (inside,outside) dynamic interface
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 111.167.239.217 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 172.29.168.0 255.255.255.0 inside
    http 172.29.8.0 255.255.255.0 inside
    snmp-server host inside 172.29.168.89 community ***** version 2c
    snmp-server location Fremont Colo
    snmp-server contact [email protected]
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set Remote_VPN_Set esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set Remote_vpn_set esp-3des esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set Remote_VPN_Set
    crypto dynamic-map outside_dyn_map 20 set reverse-route
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 173.111.222.140
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto ikev2 policy 1
     encryption aes-256
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 10
     encryption aes-192
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 20
     encryption aes
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 30
     encryption 3des
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 40
     encryption des
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 policy 1
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 43200
    crypto ikev1 policy 10
     authentication crack
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 20
     authentication rsa-sig
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 30
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 40
     authentication crack
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 50
     authentication rsa-sig
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 60
     authentication pre-share
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 70
     authentication crack
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 80
     authentication rsa-sig
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 90
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 100
     authentication crack
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 110
     authentication rsa-sig
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 120
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 130
     authentication crack
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 140
     authentication rsa-sig
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 150
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    telnet 172.29.8.0 255.255.255.0 inside
    telnet 172.29.168.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside vpnclient-wins-override
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     enable outside
    group-policy GroupPolicy_173.111.222.140 internal
    group-policy GroupPolicy_173.111.222.140 attributes
     vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
    username ... password eicyrfJBrqOaxQvS encrypted
    tunnel-group 173.111.222.140 type ipsec-l2l
    tunnel-group 173.111.222.140 general-attributes
     default-group-policy GroupPolicy_173.111.222.140
    tunnel-group 173.111.222.140 ipsec-attributes
     ikev1 pre-shared-key *****
     ikev2 remote-authentication pre-shared-key *****
     ikev2 remote-authentication certificate
     ikev2 local-authentication pre-shared-key *****
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map global_policy
     class inspection_default
      inspect pptp
      inspect ftp
      inspect netbios
    !
    service-policy global_policy global
    smtp-server 172.29.8.3
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:a45d9f3e7b23713c34d13d5a8ac5ece5
    : end

    Hello

    I think these NAT configurations must change on the HQ ASA:

    nat (inside,outside) source static obj_colo obj_colo destination static obj_lex obj_lex route-lookup
    nat (inside,outside) source static obj_lex obj_lex destination static obj_colo obj_colo route-lookup

    Note that you have configured them to use the "inside" and "outside" interfaces.

    However, if the two remote sites both terminate on the HQ ASA's "outside" interface, then the traffic between those remote sites (which passes through this HQ ASA) actually needs a NAT between "outside" and "outside".

    You will need to use (outside,outside) in the NAT configurations:

    nat (outside,outside) source static obj_colo obj_colo destination static obj_lex obj_lex route-lookup
    nat (outside,outside) source static obj_lex obj_lex destination static obj_colo obj_colo route-lookup

    You could actually be fine with only one of the two NAT configurations, as it should be bidirectional.

    - Jouni

  • Need help! ASA 5505 not passing PPTP through to internal server

    Hello:

    Recently I added a new Cisco ASA 5505 as the firewall for the company network. I found that PPTP authentication does not get through to the internal Microsoft server. Any help and answers are appreciated.

    Please see my setup below. Thank you!

    ASA Version 8.4(3)
    !
    names
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    switchport access vlan 2
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 172.29.8.254 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address 177.164.222.140 255.255.255.248
    !
    ftp mode passive
    clock timezone GMT 0
    dns server-group DefaultDNS
    domain-name ABCtech.com
    same-security-traffic permit inter-interface
    object network obj_any
    subnet 172.29.8.0 255.255.255.0
    object service RDP
    service tcp source eq 3389
    object network Orange
    host 172.29.8.151
    object network WAN_173_164_222_138
    host 177.164.222.138
    object service SMTP
    service tcp source eq smtp
    object service PPTP
    service tcp source eq pptp
    object service JT_WWW
    service tcp source eq www
    object service JT_HTTPS
    service tcp source eq https
    object network obj_lex
    subnet 172.29.88.0 255.255.255.0
    description Lexington office network
    object network obj_HQ
    subnet 172.29.8.0 255.255.255.0
    object network guava
    host 172.29.8.3
    object service L2TP
    service udp source eq 1701
    access-list VPN_Tunnel_User standard permit 172.29.8.0 255.255.255.0
    access-list VPN_Tunnel_User standard permit 172.29.88.0 255.255.255.0
    access-list inside_access_in extended permit icmp any any
    access-list inside_access_in extended deny tcp any any eq 135
    access-list inside_access_in extended deny tcp any eq 135 any
    access-list inside_access_in extended deny udp any eq 135 any
    access-list inside_access_in extended deny udp any any eq 135
    access-list inside_access_in extended deny tcp any any eq 1591
    access-list inside_access_in extended deny tcp any eq 1591 any
    access-list inside_access_in extended deny udp any eq 1591 any
    access-list inside_access_in extended deny udp any any eq 1591
    access-list inside_access_in extended deny tcp any any eq 1214
    access-list inside_access_in extended deny tcp any eq 1214 any
    access-list inside_access_in extended deny udp any any eq 1214
    access-list inside_access_in extended deny udp any eq 1214 any
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in extended permit tcp any any eq www
    access-list inside_access_in extended permit tcp any eq www any
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in extended permit tcp any host 177.164.222.138 eq 3389
    access-list outside_access_in extended permit tcp any host 177.164.222.138 eq smtp
    access-list outside_access_in extended permit tcp any host 177.164.222.138 eq pptp
    access-list outside_access_in extended permit tcp any host 177.164.222.138 eq www
    access-list outside_access_in extended permit tcp any host 177.164.222.138 eq https
    access-list outside_access_in extended permit gre any host 177.164.222.138
    access-list outside_access_in extended permit udp any host 177.164.222.138 eq 1701
    access-list outside_access_in extended permit ip any any
    access-list inside_access_out extended permit icmp any any
    access-list inside_access_out extended permit ip any any
    access-list outside_cryptomap extended permit ip 172.29.8.0 255.255.255.0 172.29.88.0 255.255.255.0
    access-list inside_in extended permit icmp any any
    access-list inside_in extended permit ip any any
    access-list inside_in extended permit udp any any eq isakmp
    access-list inside_in extended permit udp any eq isakmp any
    access-list inside_in extended permit udp any any
    access-list inside_in extended permit tcp any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool ABC_HQVPN_DHCP 172.29.8.210-172.29.8.230 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm history enable
    arp timeout 14400
    nat (inside,outside) source static Orange interface service RDP RDP
    nat (inside,outside) source static obj_HQ obj_HQ destination static obj_lex obj_lex route-lookup
    nat (inside,outside) source static guava WAN_173_164_222_138 service JT_WWW JT_WWW
    nat (inside,outside) source static guava WAN_173_164_222_138 service JT_HTTPS JT_HTTPS
    nat (inside,outside) source static guava WAN_173_164_222_138 service RDP RDP
    nat (inside,outside) source static guava WAN_173_164_222_138 service SMTP SMTP
    nat (inside,outside) source static guava WAN_173_164_222_138 service PPTP PPTP
    nat (inside,outside) source static guava WAN_173_164_222_138 service L2TP L2TP
    !
    object network obj_any
    nat (inside,outside) dynamic interface
    access-group inside_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 177.164.222.142 1
    route inside 172.29.168.0 255.255.255.0 172.29.8.253 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server guava protocol nt
    aaa-server guava (inside) host 172.29.8.3
    timeout 15
    nt-auth-domain-controller guava
    user-identity default-domain LOCAL
    http server enable
    http 172.29.8.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set Remote_VPN_Set esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set Remote_vpn_set esp-3des esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set Remote_VPN_Set
    crypto dynamic-map outside_dyn_map 20 set reverse-route
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set peer 173.190.123.138
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 2 5
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 2 5
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 2 5
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 2 5
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 2 5
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 policy 1
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 43200
    crypto ikev1 policy 10
    authentication crack
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 50
    authentication rsa-sig
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 70
    authentication crack
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 110
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 120
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    telnet 192.168.1.0 255.255.255.0 inside
    telnet 172.29.8.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside vpnclient-wins-override
    !
    dhcprelay server 172.29.8.3 inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    enable outside
    group-policy ABCtech_VPN internal
    group-policy ABCtech_VPN attributes
    dns-server value 172.29.8.3
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value VPN_Tunnel_User
    default-domain value ABCtech.local
    group-policy GroupPolicy_10.8.8.1 internal
    group-policy GroupPolicy_10.8.8.1 attributes
    vpn-tunnel-protocol ikev1 ikev2
    username <username> password eicyrfJBrqOaxQvS encrypted
    tunnel-group 10.8.8.1 type ipsec-l2l
    tunnel-group 10.8.8.1 general-attributes
    default-group-policy GroupPolicy_10.8.8.1
    tunnel-group 10.8.8.1 ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 remote-authentication certificate
    ikev2 local-authentication pre-shared-key *****
    tunnel-group ABCtech type remote-access
    tunnel-group ABCtech general-attributes
    address-pool ABC_HQVPN_DHCP
    authentication-server-group guava
    default-group-policy ABCtech_VPN
    tunnel-group ABCtech ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group 173.190.123.138 type ipsec-l2l
    tunnel-group 173.190.123.138 general-attributes
    default-group-policy GroupPolicy_10.8.8.1
    tunnel-group 173.190.123.138 ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 remote-authentication certificate
    ikev2 local-authentication pre-shared-key *****
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map global_policy
    class inspection_default
    inspect pptp
    inspect ftp
    inspect netbios
    !
    smtp-server 172.29.8.3
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:6a26676668b742900360f924b4bc80de
    : end

    Hello Wayne,

    The first thing I noticed:

    In the ACL you are pointing to the public address while it should be the private one (you have a PERMIT IP ANY ANY at the end, so it is not that bad; FYI, if you decide to take out that permit ip any any, then you should point to the private IP addresses of the servers).

    Now, the policy-map where the PPTP inspection etc. will be used is not applied to any service-policy, so add:

    service-policy global_policy global

    Don't forget that for a PPTP connection to get established we should see 2 things:

    - Negotiation is done on TCP port 1723, and then the data is exchanged over GRE packets.

    Follow my blog for more information on this topic:

    http://laguiadelnetworking.com/2012/12/22/what-is-new-on-the-PPTP-inspection-on-the-ASA/

    Try it and let me know.

    Julio
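    Julio's two findings (the policy-map that carries `inspect pptp` is never bound with a `service-policy`, and PPTP needs both TCP/1723 and GRE allowed in on the outside ACL) can be checked mechanically against a saved `show running-config`. The Python script below is an added example, not Julio's or Wayne's code. It runs over a constructed excerpt modelled on the configuration posted above (same ACL, policy-map and object names); the parser assumes flat `show run` text and takes the first `eq` on an ACE as the destination port, which is a simplification of the example, not ASA semantics.

```python
import re
from typing import Dict, List, Optional

# Constructed excerpt modelled on the ASA 8.4 configuration in the post above.
# The names are the post's own; the excerpt itself is assembled for this example.
SAMPLE_CONFIG = """
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq pptp
access-list outside_access_in extended permit gre any host 177.164.222.138
access-list outside_access_in extended permit ip any any
access-group outside_access_in in interface outside
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
inspect pptp
inspect ftp
inspect netbios
!
smtp-server 172.29.8.3
"""

PPTP_PORTS = {"pptp", "1723"}


def policy_maps_with_inspect(config: str, proto: str) -> List[str]:
    """Names of Layer 3/4 policy-maps that contain `inspect <proto>`.
    A block runs from its `policy-map` line to the next `!`, `policy-map` or `service-policy`."""
    found, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("policy-map "):
            parts = line.split()
            # `policy-map type inspect dns X` is a per-protocol map, not something service-policy binds
            current = None if parts[1] == "type" else parts[1]
        elif line.startswith("!") or line.startswith("service-policy "):
            current = None
        elif current and line.split()[:2] == ["inspect", proto] and current not in found:
            found.append(current)
    return found


def applied_policy_maps(config: str) -> Dict[str, str]:
    """policy-map name -> where it is bound ('global' or 'interface <name>')."""
    applied = {}
    for raw in config.splitlines():
        parts = raw.strip().split()
        if len(parts) >= 3 and parts[0] == "service-policy":
            applied[parts[1]] = " ".join(parts[2:])
    return applied


def interface_acl(config: str, ifname: str, direction: str = "in") -> Optional[str]:
    """Name of the ACL bound to an interface by access-group, if any."""
    pattern = re.compile(rf"^access-group (\S+) {direction} interface {re.escape(ifname)}$")
    for raw in config.splitlines():
        m = pattern.match(raw.strip())
        if m:
            return m.group(1)
    return None


def aces(config: str, acl: str) -> List[List[str]]:
    """Tokenised entries of one extended ACL, in configuration order."""
    prefix = f"access-list {acl} extended "
    return [raw.strip()[len(prefix):].split()
            for raw in config.splitlines() if raw.strip().startswith(prefix)]


def permits(entries: List[List[str]], proto: str, ports=None) -> bool:
    """True if some ACE permits the protocol; for tcp/udp the first `eq` is taken as the port."""
    for ace in entries:
        if ace[0] != "permit":
            continue
        if ace[1] == "ip":  # `permit ip ...` covers gre, tcp and everything else
            return True
        if ace[1] != proto:
            continue
        if ports is None or ("eq" in ace and ace[ace.index("eq") + 1] in ports):
            return True
    return False


def check_pptp_passthrough(config: str, outside_if: str = "outside") -> Dict[str, object]:
    """Collect the conditions the reply names: TCP/1723 and GRE permitted inbound,
    and PPTP inspection both defined and actually applied via service-policy."""
    inspecting = policy_maps_with_inspect(config, "pptp")
    applied = applied_policy_maps(config)
    acl = interface_acl(config, outside_if)
    entries = aces(config, acl) if acl else []
    return {
        "inspect_pptp_in": inspecting,
        "unapplied_policy_maps": [p for p in inspecting if p not in applied],
        "inspection_active": any(p in applied for p in inspecting),
        "tcp_1723_permitted": permits(entries, "tcp", PPTP_PORTS),
        "gre_permitted": permits(entries, "gre"),
        # over-permissive ACE worth flagging even though it makes the checks above pass
        "permit_ip_any_any": any(e[:4] == ["permit", "ip", "any", "any"] for e in entries),
    }


if __name__ == "__main__":
    findings = check_pptp_passthrough(SAMPLE_CONFIG)
    for key, value in findings.items():
        print(f"{key}: {value}")
    for name in findings["unapplied_policy_maps"]:
        print(f"fix: service-policy {name} global")
```

    On the sample the script reports `global_policy` as defined but unapplied, which is exactly the `service-policy global_policy global` Julio asks for; appending that line to the config clears the finding. The `permit ip any any` flag is the other point of the reply: with it in place the GRE and TCP/1723 checks pass trivially, so removing it later means the specific entries must name the private server address.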

  • VPN pool traffic SYN timeout

    Hello, I know there are a lot of topics on this subject, but I've been reading for the past 2 weeks and I cannot find my solution.

    My Cisco VPN client connects to the ASA 5510 and everything looks good, but when I try to send traffic (RDP) it never connects and the logs show a SYN timeout. Here is my setup; I really appreciate all the help.

    ASA Version 8.2(1)
    !
    hostname xxx
    domain-name xxxx
    enable password g.wfzl577L4IVnRL encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 201.199.135.x 255.255.255.248
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 10.1.1.x 255.255.255.0
    !
    interface Ethernet0/2
    no nameif
    security-level 100
    ip address 192.168.30.x 255.255.255.0
    !
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    !
    boot system disk0:/asa821-k8.bin
    ftp mode passive
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server xx
    name-server xx
    domain-name xxxxx
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list inbound extended deny ip object-group DENY_ACCESS any any
    access-list inbound extended permit tcp any object-group web-servers object-group web-ports
    access-list inbound extended permit tcp 209.200.128.0 255.255.192.0 host 201.199.135.x object-group web-ports
    access-list outbound extended permit ip object-group trust any
    access-list outbound extended permit tcp object-group web-servers any object-group web-ports
    access-list outbound extended permit tcp 10.1.1.0 255.255.255.0 any object-group general-access
    access-list outbound extended permit tcp host 201.199.135.xx any object-group web-ports
    access-list inside_access_in extended permit ip object-group trust any log disable
    access-list inside_access_in extended permit ip object-group DNS-servers any log disable
    access-list inside_access_in extended permit udp host WEB3 any eq ntp inactive
    access-list inside_access_in extended permit ip 192.168.3.0 255.255.255.0 10.1.1.0 255.255.255.0
    access-list ISA_access_in extended permit object-group Ports host 192.168.30.7 any
    access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list Split_Tunnel_List standard permit 10.1.1.0 255.255.255.0
    pager lines 24
    logging enable
    logging list configLog level debugging class auth
    logging list configLog level debugging class config
    logging list system-IDSLog level informational class ids
    logging list system-IDSLog level informational class sys
    logging buffer-size 10000
    logging asdm informational
    logging from-address xxxx
    logging recipient-address xxxxx level notifications
    no logging message 111008
    no logging message 111007
    mtu outside 1500
    mtu inside 1500
    mtu ISA 1500
    mtu management 1500
    ip local pool VPN-POOL 192.168.3.2-192.168.3.254 mask 255.255.255.0
    ip audit name attackPolicy attack action alarm drop
    ip audit name antiSnifferPolicy info action drop
    ip audit interface outside attackPolicy
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-641.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (ISA) 1 201.199.135.xx netmask 255.255.255.248
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 10.1.1.0 255.255.255.0
    nat (ISA) 1 192.168.30.0 255.255.255.0
    static (inside,outside) 201.199.xxx.xx WEB3 netmask 255.255.255.255
    access-group inside_access_in in interface inside
    access-group ISA_access_in in interface ISA
    route outside 0.0.0.0 0.0.0.0 201.199.135.113 1
    route inside 0.0.0.0 0.0.0.0 10.1.1.3 tunneled
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication serial console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 10.1.1.0 255.255.255.0 inside
    snmp-server host inside 10.1.1.56 community *****
    snmp-server host inside 10.1.1.18 community *****
    no snmp-server location
    no snmp-server contact
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    snmp-server enable traps syslog
    service resetinbound interface ISA
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    subject-name CN=xxx.xxxxxx
    keypair sslvpnkeypair
    crl configure
    crypto ca certificate chain ASDM_TrustPoint0
    certificate 6ef8fc4f
    308201f3 3082015c a0030201 0202046e f8fc4f30 0d06092a 864886f7 0d010105
    0500303e 311a3018 06035504 03131149 4345332e 646f746e 65742e63 6f2e6372
    3120301e 06092a86 4886f70d 01090216 11494345 332e646f 746e6574 2e636f2e
    6372301e 170d3132 30393035 31333435 35345a17 0d323230 39303331 33343535
    345a303e 311a3018 06035504 03131149 4345332e 646f746e 65742e63 6f2e6372
    3120301e 06092a86 4886f70d 01090216 11494345 332e646f 746e6574 2e636f2e
    63723081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100e4
    52687fe4 bc46d95c bb14cb51 c9ba2757 692683e2 315fb2cb 585c9785 295e9090
    88dea89d 5a1497f5 49107a1f ea35d71b fd05d9ff 652f1ff9 68766519 d19dc584
    310312b2 b369673f 70db355a 8d1e0a5e 4c825c27 7ad5e4f6 d36cbda7 b4ad77a5
    f490d942 2ef2488a bcb97b3f 5795bbcd 5f5b5c5a ff965272 2c8deaa5 2aa78902
    03010001 300d0609 2a864886 f70d0101 05050003 818100aa c1a3301a ec3898ac
    9aa26005 18699233 ad6c326f 51228c6b ba6a91e8 2ac79a0c 2af687c1 17bce83f
    bbf94b0e e6f09977 fad72c47 96d206ed c1157e67 79862e20 9f28cfa1 739c0fa2
    81272d5d a7124fc0 f95904db 72eacc9a 772208e2 1edba72b 618ed8dc d3c1b8f7
    5047604e f767eaf1 7ee5ed95 79ef9184 db62bcfb b71e6f
    quit
    no vpn-addr-assign aaa
    no vpn-addr-assign dhcp
    telnet timeout 5
    ssh 10.1.1.0 255.255.255.0 inside
    ssh timeout 5
    ssh version 2
    console timeout 0
    dhcpd address 192.168.30.5-192.168.30.20 ISA
    dhcpd dns 4.2.2.2 200.91.75.5 interface ISA
    dhcpd enable ISA
    !
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
    enable outside
    enable inside
    svc image disk0:/anyconnect-win-2.5.2019-k9.pkg 1
    svc enable
    tunnel-group-list enable
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol IPSec l2tp-ipsec
    group-policy VPNGP internal
    group-policy VPNGP attributes
    wins-server none
    dns-server value 10.1.1.11 10.1.1.16
    vpn-tunnel-protocol svc webvpn
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Split_Tunnel_List
    default-domain value dotnet.co.CR
    address-pools value VPN-POOL
    username xxxx password gsUajqpee0ffkhsw encrypted
    username xx password Wl5xhq9rOjTEyzHN encrypted privilege 15
    username xxvpn password 9tblNqPJ2.cWaLSD encrypted
    username xxvpn attributes
    service-type remote-access
    tunnel-group AnyConnect type remote-access
    tunnel-group AnyConnect general-attributes
    default-group-policy VPNGP
    tunnel-group AnyConnect webvpn-attributes
    group-alias VPN enable
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    policy-map type inspect dns migrated_dns_map_1
    parameters
    message-length maximum 512
    !
    service-policy global_policy global
    smtp-server 10.1.1.20
    prompt hostname context
    Cryptochecksum:9720306792f52eac533976d69f0f3daa
    : end

    Thank you

    Hi Oscar,

    The configuration seems to be fine.

    At this point we need to troubleshoot the VPN communication.

    A SYN timeout means that the server did not respond, or that the SYN/ACK never reached the ASA.

    We need to take a capture of the packets on the inside interface as follows:

    capture capin interface inside match ip 10.1.1.0 255.255.255.0 192.168.3.0 255.255.255.0

    Then try to access the server via RDP and run the command 'show capture capin'.

    Another good test would be the following:

    packet-tracer input inside icmp 10.1.1.250 8 0 192.168.3.1 detailed ---> where 192.168.3.1 must be the IP address of the VPN client

    Post the output of 'show capture capin' and the output of 'packet-tracer'.

    Let me know.

    Portu.

    Please rate any post you find useful.
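    Reading the capture Portu asks for comes down to finding the flows that sent a SYN on the inside interface and never got a SYN/ACK back, which is what the ASA's SYN timeout teardown reason records. The Python script below is an added example, not Portu's or Oscar's code: it parses tcpdump-style `show capture` lines and reports such flows with the number of SYN retries seen. The capture text is constructed for this example (addresses follow the post above, the packets are made up), and the line layout assumed is the tcpdump-like format the ASA prints for `show capture`.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample of 'show capture capin' output. The VPN client 192.168.3.1
# retries RDP to 10.1.1.250 without an answer, while an SMB flow to 10.1.1.20 completes.
SAMPLE_CAPTURE = """\
   1: 14:02:11.412563 192.168.3.1.52314 > 10.1.1.250.3389: S 1812345678:1812345678(0) win 8192 <mss 1260,nop,wscale 8,nop,nop,sackOK>
   2: 14:02:14.409871 192.168.3.1.52314 > 10.1.1.250.3389: S 1812345678:1812345678(0) win 8192 <mss 1260,nop,nop,sackOK>
   3: 14:02:20.101112 192.168.3.1.52400 > 10.1.1.20.445: S 4711:4711(0) win 8192 <mss 1260,nop,nop,sackOK>
   4: 14:02:20.101455 10.1.1.20.445 > 192.168.3.1.52400: S 9000:9000(0) ack 4712 win 65535 <mss 1460,nop,nop,sackOK>
   5: 14:02:20.101900 192.168.3.1.52400 > 10.1.1.20.445: . ack 9001 win 8192
5 packets shown
"""

# "<n>: <time> [802.1Q ...] <src>.<sport> > <dst>.<dport>: <flags> <rest>"
LINE_RE = re.compile(
    r"^\s*(?P<idx>\d+): (?P<ts>\d\d:\d\d:\d\d\.\d+) .*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>\S+)(?P<rest>.*)$"
)


@dataclass(frozen=True)
class Packet:
    index: int
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool


def parse_capture(text: str) -> List[Packet]:
    """Parse tcpdump-style capture lines; trailer lines such as '5 packets shown' are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        packets.append(Packet(
            index=int(m["idx"]),
            src=m["src"], sport=int(m["sport"]),
            dst=m["dst"], dport=int(m["dport"]),
            syn="S" in m["flags"],          # tcpdump flag letter for SYN
            ack=" ack " in m["rest"],        # 'ack N' follows the seq range on SYN/ACK and data
        ))
    return packets


Flow = Tuple[str, int, str, int]  # client, client port, server, server port


def unanswered_syns(packets: List[Packet]) -> Dict[Flow, int]:
    """Flows that sent SYNs but never saw a SYN/ACK in the reverse direction -> SYN count.
    Seen on the inside interface this means the server (or the path back) is not answering."""
    syns: Dict[Flow, int] = {}
    answered = set()
    for p in packets:
        if p.syn and not p.ack:
            flow = (p.src, p.sport, p.dst, p.dport)
            syns[flow] = syns.get(flow, 0) + 1
        elif p.syn and p.ack:
            # the SYN/ACK travels server -> client, so key it by the client side
            answered.add((p.dst, p.dport, p.src, p.sport))
    return {flow: n for flow, n in syns.items() if flow not in answered}


def diagnose(text: str) -> List[Tuple[Flow, int]]:
    return sorted(unanswered_syns(parse_capture(text)).items())


if __name__ == "__main__":
    for (client, cport, server, sport), n in diagnose(SAMPLE_CAPTURE):
        print(f"{client}:{cport} -> {server}:{sport}: {n} SYN(s), no SYN/ACK seen on this interface")
```

    If the SYNs appear in the inside capture but no SYN/ACK does, the ASA forwarded the request and the problem is on the server side (host firewall, or a route back to 192.168.3.0/24 that does not point at the ASA); if the SYNs are absent from the capture altogether, the packet-tracer output Portu asks for shows which ASA stage dropped them.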
