NAT error ASA 5505 to 5510

Connection refused because of the failure of path opposite of that of NAT

I put a second location of ASA and not can communicate through the VPN is implemented. The error I get is (rules asymmetrical NAT matched for flows forward and backward; Connection for icmp outside CBC: 192.168.72.14 internal dst: 192.168.73.103 (type 0, code 0) rejected due to the failure of reverse NAT) when trying to ping a host on the network iinsde the 73 to a host within the network of 72.

I mirrored the statements of nat VPN work. I see an ACL to a group of objects but don't see where this is important. Am I missing something obvious?

HOST:
ASA Version 8.3 (1)
!
host name 5510
!
interface Ethernet0/0
Outside of the interface description
nameif OUTSIDE
security-level 0
IP 72.54.197.28 255.255.255.248
!
interface Ethernet0/1
Interior of a description of the network interface internal
nameif inside
security-level 100
IP 192.168.72.2 255.255.255.0
!
boot system Disk0: / asa831 - k8.bin
permit same-security-traffic intra-interface
network object obj - 192.168.72.0
192.168.72.0 subnet 255.255.255.0
network object obj - 192.168.74.0
192.168.74.0 subnet 255.255.255.0
network object obj - 192.168.72.100
Home 192.168.72.100
network obj_any object
subnet 0.0.0.0 0.0.0.0
network obj_any-01 object
subnet 0.0.0.0 0.0.0.0
network object obj - 0.0.0.0
host 0.0.0.0
object network obj_any-02
subnet 0.0.0.0 0.0.0.0
network object obj - 192.168.73.0
192.168.73.0 subnet 255.255.255.0
Rye description
Citrix1494 tcp service object-group
port-object eq citrix-ica
port-object eq www
EQ object of the https port
Beach of port-object 445 447
the ValleywoodInternalNetwork object-group network
object-network 192.168.72.0 255.255.255.0
permit access list extended ip object obj - object obj 192.168.72.0 - OUTSIDE_1_cryptomap 192.168.74.0
Access extensive list ip 192.168.72.0 INSIDE_nat0_inbound allow 255.255.255.0 192.168.74.0 255.255.255.0
access extensive list ip 192.168.74.0 outside_1_cryptomap allow 255.255.255.0 ValleywoodInternalNetwork object-group
extended permitted outside-ACL access list tcp any host 192.168.72.100 object - group Citrix1494
permit access list extended ip object obj - object obj 192.168.72.0 - OUTSIDE_2_cryptomap 192.168.73.0

NAT (inside, inside) source static obj - 192.168.72.0 obj - 192.168.72.0 destination static obj - 192.168.74.0 obj - 192.168.74.0
NAT (INSIDE, OUTSIDE) source static obj - 192.168.72.0 obj - 192.168.72.0 destination static obj - 192.168.74.0 obj - 192.168.74.0
NAT (INSIDE, OUTSIDE) source static obj - 192.168.72.0 obj - 192.168.72.0 destination static obj - 192.168.73.0 obj - 192.168.73.0
NAT (inside, inside) source static obj - 192.168.72.0 obj - 192.168.72.0 destination static obj - 192.168.73.0 obj - 192.168.73.0
!
network object obj - 192.168.72.100
NAT (INSIDE, OUTSIDE) static 72.54.197.26
network obj_any object
dynamic NAT interface (INSIDE, OUTSIDE)
network obj_any-01 object
NAT (INSIDE, OUTSIDE) dynamic obj - 0.0.0.0
object network obj_any-02
NAT (management, outside) dynamic obj - 0.0.0.0
Access-group outside-ACL in interface OUTSIDE
Route outside 0.0.0.0 0.0.0.0 72.54.197.25 100

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
card crypto outside_map 1 match address outside_1_cryptomap
outside_map map 1 lifetime of security association set seconds 28800 crypto
card crypto outside_map 1 set security-association life kilobytes 4608000
card crypto OUTSIDE_map 1 corresponds to the address OUTSIDE_1_cryptomap
card crypto OUTSIDE_map 1 set pfs Group1


card crypto OUTSIDE_map 1 set peer 72.54.178.126
OUTSIDE_map 1 transform-set ESP-3DES-SHA crypto card game
card crypto OUTSIDE_map 2 corresponds to the address OUTSIDE_2_cryptomap
card crypto OUTSIDE_map 2 set pfs Group1
card crypto OUTSIDE_map 2 set peer 69.15.200.138
card crypto OUTSIDE_map 2 game of transformation-ESP-3DES-SHA
OUTSIDE_map interface card crypto OUTSIDE
ISAKMP crypto identity hostname
crypto ISAKMP allow outside
crypto ISAKMP allow inside
activate the crypto isakmp management
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400

tunnel-group 72.54.178.126 type ipsec-l2l
IPSec-attributes tunnel-group 72.54.178.126
pre-shared key *.
tunnel-group 69.15.200.138 type ipsec-l2l
IPSec-attributes tunnel-group 69.15.200.138
pre-shared key *.
!

DISTANCE:
: Saved
:
ASA Version 8.3 (1)
!
host name 5505

interface Vlan1
nameif inside
security-level 100
IP 192.168.73.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP 69.15.200.138 255.255.255.252
!

boot system Disk0: / asa831 - k8.bin

network obj_any object
subnet 0.0.0.0 0.0.0.0
network of the 192.168.72.0 object
192.168.72.0 subnet 255.255.255.0
Description Sixpines
network of the NETWORK_OBJ_192.168.73.0_24 object
192.168.73.0 subnet 255.255.255.0
network object obj - 192.168.73.0
192.168.73.0 subnet 255.255.255.0
network of the Sixpines object
192.168.72.0 subnet 255.255.255.0
the SixpinesInternalNetwork object-group network
object-network Sixpines 255.255.255.0
outside_1_cryptomap extended access list permit ip object obj - 192.168.73.0 object Sixpines

NAT (dmz, external) NETWORK_OBJ_192.168.73.0_24 NETWORK_OBJ_192.168.73.0_24 Shared static source 192.168.72.0 destination 192.168.72.0
NAT (inside, all) source static obj - 192.168.73.0 obj - 192.168.73.0 static destination Sixpines Sixpines
NAT (inside, outside) source static obj - 192.168.73.0 obj - 192.168.73.0 static destination Sixpines Sixpines
!
network obj_any object
NAT dynamic interface (indoor, outdoor)
Route outside 0.0.0.0 0.0.0.0 69.15.200.137 1

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 set pfs Group1
peer set card crypto outside_map 1 72.54.197.28
card crypto outside_map 1 set of transformation-ESP-3DES-SHA
card crypto outside_map 1 the value reverse-road
outside_map interface card crypto outside
crypto ISAKMP allow inside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400

tunnel-group 72.54.197.28 type ipsec-l2l
IPSec-attributes tunnel-group 72.54.197.28
pre-shared key *.
!
!

Any suggestion would be greatly apperciated

You may need to remove the following ASA remote. I don't know what it is for

NAT (dmz, external) NETWORK_OBJ_192.168.73.0_24 NETWORK_OBJ_192.168.73.0_24 Shared static source 192.168.72.0 destination 192.168.72.0

Tags: Cisco Security

Similar Questions

  • HOW connection NAT on ASA 5505

    Hello guys

    first of all, thank fully any community of cisco, they helped me a lot withouth expert and University...

    Today, I have some question on NAT

    We HAVE site-to-site VPN, his job very well.  our company demand of patern to use the public Ip address instead of the ip address private field of encryption. and they said, you have to NAT for you the private to the PUblic ip address. really, we don't know how NAT for cisco ASA 5505.

    THIS IS THE CASE

    OUR COMPANY = USES CISCO ASA 5505

    OUR PUBLIC IP ADDRESS: 155.155.1555.20

    PRIVATE IP: 192.168.7.2 SOUND LINUX SERVER, THEN HOW WE CAN NAT THIS IP PRIVATE AND CHANGE IN PUBLIC

    Thank you very much

    If you have 1 public IP address and it is assigned to your ASA outside interface, then you need to configure static PAT (you will need to know what exactly they want to access and configure the specific port they need).

    However, if you have a free public IP address, then you need not to know exactly what they need to get to and you can configure the linux server using the public IP to spare.

    Also, they need access to the linux server using public IP via the VPN tunnel (encrypted)? or they are happy to access only via the internet (clear text)?

  • VPN SITE-TO-SITE BETWEEN ASA 5505 ASN 5510 DISORDERS

    Hello everyone, I have a problem with my vpn between two ASAs, I will review the configuration of the two devices running, but I couldn't see anything out of the normal.

    As you can see in the image, that the VPN is upward, but in the ASA 5510 I bytes of Rx (ZERO), I tried to config ASAs yet but I have the same problem, I don't know what I can do, please help me...

    Hello

    You should make sure that

    • Remote ends of NAT configurations are correct

      • NAT0 or another type of translation is not configured
      • A NAT rule is the substitution of the rule that you have configured for the VPN L2L?
    • Make sure that you have allowed the circulation/connection you are trying
      • VPN traffic is allowed to bypass the 'external' ACL interface on the remote end or the traffic should be allowed in the 'outer' interface ACL?
    • Make sure that the remote host responds to the same type of its local network connection attempt before trying the same thing from a remote location through VPN L2L
      • If a tested service does not work, try another. For example ICMP is not always the best thing to test connections.

    Can you also give us additional context information.

    • This VPN L2L worked, or did it stop working at some point?
    • I assume that you have administrator access to two ASA? Can you perhaps share some configurations
    • What kind of connections you attempt by the L2L VPN?
      • TCP/UDP/ICMP?
      • IP source and destination?
    • You monitor the newspapers of the SAA through the ASDM on the other end? The device at the remote end which does not send anything back on the L2L VPN connection.

    And as a last post a very common configuration that is absent of configurations of ASA during the test with ICMP

    Make sure you two ASAs have below "icmp inspect" configured

    Policy-map global_policy

    class inspection_default

    inspect the icmp

    -Jouni

  • ASA 5505 Anyconnect traversal nat error

    Good afternoon gents,

    I installed an ASA 5505 and can connect with anyconnect, but when I do, I can't access my LAN, then my LAN can access my laptop.  In the newspapers, I see the following error message:

    Asymmetrical NAT rules matched for flows forward and backward; Connection for udp src outside;10.139.50.1/64506 dst inside 10.201.180.5/53 refused because of the failure of path opposite of that of NAT.

    I can't seem to figure this point and nothing I read to try worked. Here's the relevant config, any help would be GREATLY appreciated.

    interface Vlan1
    nameif inside
    security-level 100
    IP 10.201.180.10 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    IP 67.200.133.107 255.255.255.248
    !

    access extensive list ip 10.139.50.0 inside_nat0_outbound allow 255.255.255.0 10.201.180.0 255.255.255.0
    access extensive list ip 10.201.180.0 inside_nat0_outbound allow 255.255.255.0 10.139.50.0 255.255.255.0

    mask 10.139.50.1 - 10.139.50.50 255.255.255.0 IP local pool SSLClientPool

    Global 1 interface (outside)
    NAT (inside) 0 inside_nat0_outbound list of outdoor access
    NAT (inside) 1 0.0.0.0 0.0.0.0

    Timeout xlate 03:00
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-registration DfltAccessPolicy
    AAA authentication enable LOCAL console
    the ssh LOCAL console AAA authentication

    Try the nat statement 0 without the keyword on the outside.

    NAT (inside) 0-list of access inside_nat0_outbound

    In addition,

    sh run sysopt and stick out.

    Manish

  • Ikev1 ASA 5505 VPN connection error

    Hello

    I had previously defined our VPN using IPsec on our ASA 5505 via the ASDM.   It was workign fine until an outtage power loses my settings on the device.  (possibly a recording of order is not pressed)

    Now when I try and put in place, once again I am recieveing an error to port binding.  I have configured as normal using the wizard and activate split defintion and exempt the network inside.

    The isssue when you apply the settings that I get is:

    "[ERROR] crypto ikev 1 activate outdoors.

    IkevReceiverInit, cannot bind the port. "

    When I try to connect to the VPN I then get an error "the server cannot be reached" or something similar to that...

    Could someone please shed some light on what can cause this problem?

    Best regards, the Paris

    William.

    Hello

    Thanks for the information!

    We will need to know why this host using UDP 4500 and if this host really needs to use this port.

    What type of application is running on this host?

    What is a host internal or external?

    You may also block the host on the SAA on the incoming interface to avoid the use of the UDP 4500 port using a group of access (outside or inside). Don't forget that you will need a ip to allow a at the end of the ACL to avoid any problems. Another option would be to use IKEv1/IPsec over TCP

    IKEv1/IPsec over TCP allows a Cisco VPN client operate in an environment in which IKEv1 or standard ESP may not work or may work only with the change of the existing firewall rules. IPsec over TCP encapsulates IPsec protocols both IKEv1 in a TCP packet as and allows a tunnel secure two firewalls and NAT and PAT devices. This feature is disabled by default.

    The default port is 10000.

    HostName (config) # ikev1 crypto ipsec-over-tcp

    You also need to activate on the VPN client under the profile.

    Change > Transport > IPSec over TCP.

    I hope this helps.

    Luis.

  • ASA 5505 and ASA 5510 Site to Site VPN Tunnel cannot be established

    Hi all experts

    We are now plan to form an IPSec VPN tunnel from site to site between ASA 5505 (ASA Version 8.4) and ASA 5510 (ASA Version 8.0) but failed, would you please show me how to establish? A reference guide?

    I got error syslog 713902 and 713903, how to fix?

    I got the following, when I type "sh crypto isakmp his."

    Type: user role: initiator

    Generate a new key: no State: MM_WAIT_MSG2

    Hugo

    Hello

    This State is reached when the policies of the phase 1 do not correspond to the two ends.

    Please confirm that you have the same settings of phase 1 on both sides with the following commands:

    See the isakmp crypto race

    See the race ikev1 crypto

    Also make sure that port UDP 500 and 4500 are open for communication between your device and the remote peer.

    Finally, make sure you have a route suitable for the remote VPN endpoint device.

    Hope that helps.

    Kind regards

    Dinesh Moudgil

  • Impossible to establish vpn site to site between asa 5505 5510 year

    Hi all experts

    We are now plan to form an IPSec VPN tunnel from site to site between ASA 5505 (ASA Version 8.4) and ASA 5510 (ASA Version 8.0) but failed, would you please show me how to establish? A reference guide?

    Hugo

    Here are the links to the guides-cisco config:

    http://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/site2sit.html

    http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/vpn_site2site.html

    In addition to VPN, you need to consider in NAT exemption:

    http://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/cfgnat.html#wp1043541

    http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/nat_overview.html#wpxref25608

    http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/nat_rules.html#wp1232160

    And many examples:

    http://www.Cisco.com/en/us/products/ps6120/prod_configuration_examples_list.html

    --
    Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
    http://www.Kiva.org/invitedBy/karsteni

  • Strange behavior of NAT ASA 5505

    Hello

    We have an ASA 5505 version 9.1 (5) and we need to open port TCP 55055 firewall that redirect to TCP port 80 on ip QNAP Viostor 192.168.11.254

    I added a network object in this way:

    The Viostor object network

    Home 192.168.11.54

    Description QNAP_Viostor

    NAT rule:

    NAT (inside, outside) interface static service tcp 80 55055

    Firewall rule:

    access-list outside_access_in line 8 Note Viostor

    allowed to Access-list outside_access_in line 9 extended tcp any Viostor eq 55055 object

    When I try to connect with the application Android Vmobile I see that notify the journal of the ASA:

    Request TCP and eliminated from MY_EXTERNAL_IP to outside:X.Y:Z.W/55055

    The ASA has no server UDP which serves the UDP request

    I don't understand why UDP instead of TCP.

    Please help me!

    Thank you

    Ahmed, thanks for your replies... However're missing you something important (sw ASA version). Tracer package shows THAT NAT is not affected; and on this sw version ACL does not use external_IP or mapped IP, but the real_IP instead.

    s.be00001, follow these steps:

    object service 55055 service tcp source eq 55055object service www service tcp source www!nat (inside,outside) 1 source static Viostor interface service www 55055!access-list outside_access_in line 9 extended permit tcp any object Viostor eq www
    Run the packet - trace and send us the results:
    packet-tracer input outside tcp 8.8.8.8 1025 [outside interface IP] 55055 detailed
  • ASA 5505 as internet gateway (must reverse NAT)

    Hi all the Cisco guru

    I have this diet:

    Office-> Cisco 877-> Internet-> ASA 5505-> remote network

    Office network: 192.168.10.0/24

    Cisco 877 IP internal: 192.168.10.200

    Cisco 877 external IP: a.a.a.a

    ASA 5505 external IP: b.b.b.b

    ASA 5505 internal IP: 192.168.1.3 and 192.168.17.3

    Remote network: 192.168.17.0/24 and 192.168.1.0/24

    VPN tunnel is OK and more. I have the Office Access to the remote network and the remote network access to the bureau by the tunnel.

    But when I try to access the network remotely (there are 2 VLANS: management and OLD-private) to the internet, ASA answer me:

    305013 *. * NAT rules asymetrique.64.9 matched 53 for flows forward and backward; Connection for udp src OLD-Private:192.168.17.138/59949 dst WAN:*.*.64.9/53 refused due to path failure reverse that of NAT

    Ping of OLD-private interface to google result:

    110003 192.168.17.2 0 66.102.7.104 0 routing cannot locate the next hop for icmp NP identity Ifc:192.168.17.2/0 to OLD-Private:66.102.7.104/0

    Result of traceroute

    How can I fix reverse NAT and make ASA as internet gateway?

    There is my full config

    !
    ASA Version 8.2 (2)
    !
    hostname ASA2
    domain default.domain.invalid
    activate the encrypted password password
    encrypted passwd password
    names of
    !
    interface Vlan1
    Description INTERNET
    1234.5678.0002 Mac address
    nameif WAN
    security-level 100
    IP address b.b.b.b 255.255.248.0
    OSPF cost 10
    !
    interface Vlan2
    OLD-PRIVATE description
    1234.5678.0202 Mac address
    nameif OLD-private
    security-level 0
    IP 192.168.17.3 255.255.255.0
    OSPF cost 10
    !
    interface Vlan6
    Description MANAGEMENT
    1234.5678.0206 Mac address
    nameif management
    security-level 0
    192.168.1.3 IP address 255.255.255.0
    OSPF cost 10
    !
    interface Ethernet0/0
    !
    interface Ethernet0/1
    Shutdown
    !
    interface Ethernet0/2
    Shutdown
    !
    interface Ethernet0/3
    Shutdown
    !
    interface Ethernet0/4
    Shutdown
    !
    interface Ethernet0/5
    Shutdown
    !
    interface Ethernet0/6
    switchport trunk allowed vlan 2.6
    switchport mode trunk
    !
    interface Ethernet0/7
    Shutdown
    !
    connection of the banner * W A R N I N G *.
    banner connect unauthorized access prohibited. All access is
    connection banner monitored, and intruders will be prosecuted
    connection banner to the extent of the law.
    Banner motd * W A R N I N G *.
    Banner motd unauthorised access prohibited. All access is
    Banner motd monitored and trespassers will be prosecuted
    Banner motd to the extent of the law.
    boot system Disk0: / asa822 - k8.bin
    passive FTP mode
    DNS domain-lookup WAN
    DNS server-group DefaultDNS
    Server name dns.dns.dns.dns
    domain default.domain.invalid
    permit same-security-traffic intra-interface
    object-group Protocol TCPUDP
    object-protocol udp
    object-tcp protocol
    object-group service RDP - tcp
    RDP description
    EQ port 3389 object
    Access extensive list ip 192.168.17.0 LAN_nat0_outbound allow 255.255.255.0 192.168.10.0 255.255.255.0
    Standard access list LAN_IP allow 192.168.17.0 255.255.255.0
    WAN_access_in list of allowed ip extended access all any debug log
    WAN_access_in list extended access permitted ip OLD-private interface WAN newspaper inactive debugging interface
    WAN_access_in list extended access permit tcp any object-group RDP any RDP log debugging object-group
    MANAGEMENT_access_in list of allowed ip extended access all any debug log
    access-list extended OLD-PRIVATE_access_in any allowed ip no matter what debug log
    access-list OLD-PRIVATE_access_in extended permit ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0 inactive debug log
    OLD-PRIVATE_access_in allowed extended object-group TCPUDP host 192.168.10.7 access-list no matter how inactive debug log
    access-list OLD-PRIVATE_access_in allowed extended icmp host 192.168.10.254 interface private OLD newspaper inactive debugging
    access-list OLD-PRIVATE_access_in allowed extended icmp host 192.168.17.155 interface private OLD newspaper debugging
    access-list 101 extended allow host tcp 192.168.10.7 any eq 3389 debug log
    Access extensive list ip 192.168.17.0 WAN_1_cryptomap allow 255.255.255.0 192.168.10.0 255.255.255.0
    WAN_1_cryptomap to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.10.0 255.255.255.0
    WAN_cryptomap_2 to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.10.0 255.255.255.0
    Capin list extended access permit ip host 192.18.17.155 192.168.10.7
    Capin list extended access permit ip host 192.168.10.7 192.168.17.155
    LAN_access_in list of allowed ip extended access all any debug log
    Access extensive list ip 192.168.17.0 WAN_nat0_outbound allow 255.255.255.0 192.168.10.0 255.255.255.0
    Access extensive list ip 192.168.17.0 WAN_2_cryptomap allow 255.255.255.0 192.168.10.0 255.255.255.0

    permit inside_nat0_outbound to access extended list ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0
    pager lines 24
    Enable logging
    recording of debug trap
    logging of debug asdm
    Debugging trace record
    Debug class auth record trap
    MTU 1500 WAN
    MTU 1500 OLD-private
    MTU 1500 management
    mask 192.168.1.150 - 192.168.1.199 255.255.255.0 IP local pool VPN_Admin_IP
    no failover
    ICMP unreachable rate-limit 1 burst-size 1
    ICMP permitted host a.a.a.a WAN
    ICMP deny any WAN
    ICMP permitted host 192.168.10.7 WAN
    ICMP permitted host b.b.b.b WAN
    ASDM image disk0: / asdm - 631.bin
    don't allow no asdm history
    ARP timeout 14400
    Global (OLD-private) 1 interface
    Global interface (management) 1
    NAT (WAN) 1 0.0.0.0 0.0.0.0

    inside_nat0_outbound (WAN) NAT 0 access list
    WAN_access_in access to the WAN interface group
    Access-group interface private-OLD OLD-PRIVATE_access_in
    Access-group MANAGEMENT_access_in in the management interface
    Route WAN 0.0.0.0 0.0.0.0 b.b.b.185 1
    Timeout xlate 03:00
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-registration DfltAccessPolicy
    the ssh LOCAL console AAA authentication
    local AAA authentication attempts 10 max in case of failure
    Enable http server
    http 192.168.1.0 255.255.255.0 WAN
    http 0.0.0.0 0.0.0.0 WAN
    http b.b.b.b 255.255.255.255 WAN
    No snmp server location
    No snmp Server contact
    Server enable SNMP traps snmp authentication linkup, linkdown cold start
    Service resetoutside
    Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
    life crypto ipsec security association seconds 28800
    Crypto ipsec kilobytes of life - safety 4608000 association
    card crypto WAN_map 1 corresponds to the address WAN_1_cryptomap
    card crypto WAN_map 1 set peer a.a.a.a
    WAN_map 1 transform-set ESP-DES-SHA crypto card game
    card crypto WAN_map WAN interface
    ISAKMP crypto enable WAN
    crypto ISAKMP policy 10
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    crypto ISAKMP policy 30
    preshared authentication
    the Encryption
    sha hash
    Group 1
    life 86400
    Telnet timeout 5
    SSH a.a.a.a 255.255.255.255 WAN
    SSH timeout 30
    SSH version 2
    Console timeout 0
    dhcpd auto_config management
    !

    a basic threat threat detection
    host of statistical threat detection
    Statistics-list of access threat detection
    a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200
    NTP server 129.6.15.28 source WAN prefer
    WebVPN
    attributes of Group Policy DfltGrpPolicy
    Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
    internal admin group strategy
    group admin policy attributes
    DNS.DNS.DNS.DNS value of DNS server
    Protocol-tunnel-VPN IPSec
    Split-tunnel-policy tunnelspecified
    value of Split-tunnel-network-list LAN_IP
    privilege of encrypted password password username administrator 15
    type tunnel-group admin remote access
    tunnel-group admin general attributes
    address pool VPN_Admin_IP
    strategy-group-by default admin
    tunnel-group a.a.a.a type ipsec-l2l
    tunnel-group a.a.a.a general-attributes
    strategy-group-by default admin
    a.a.a.a group of tunnel ipsec-attributes
    pre-shared-key *.
    NOCHECK Peer-id-validate
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    maximum message length automatic of customer
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    Review the ip options
    !

    Thank you for your time and help

    Why you use this NAT type?

    Access extensive list ip 192.168.17.0 WAN_nat0_outbound allow 255.255.255.0 any
    NAT (OLD-private) 0-list of access WAN_nat0_outbound

    You are basically saying the ASA not NAT traffic. This private IP address range is not routed on the Internet. This traffic is destined to be sent over the Internet? If so, that LAC should then not be there.

    If you want NAT traffic to one IP public outside the ASA, you must remove this line and let the NAT and GLOBAL work:

    NAT (OLD-private) 1 0.0.0.0 0.0.0.0

    Global (WAN) 1 interface

  • ASA 5505 <>ASA 5510 VPN Site to Site

    Try to configure a vpn site-to site beetween an ASA 5505 and a 5510. I can't get anything thrown, there are now debugging messages or the other. I must have done something wrong, I followed this paper: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml but I can't make it work. Anyone can have a peek at my configs, maybe I forgot something.

    OK, if you go ahead and add this command to all two firewalls 'inside access management' and try to one side inside the 10.21.32.10 ping always nothing passing by?

  • ASA 5510 &amp; ASA 5505 VPN

    I have an ASA 5510 in HQ (Version 8.0 (3)) and an ASA 5505 (8.3 (1)) Version at remote end.  I am using easy vpn.  The vpn works fine, but when the VPN is connected the 5510 shows 17 IPSEC connections to this one device.  I watch the 5505 and it says 1.

    Thank you!

    Yes, it will create SAs for each subnet you have an ITS twinning with the remote subnet ASA 5505 and one ITS twinning with the ip of the remote ASA 5505 peer.

    He created the pair of HIS extra with the IP peer of the ASA remote for easy vpn (it is normal in easy vpn). If you configure LAN-to-LAN between the ASAs 2, it will be just half of the SAs because there won't be ITS created for peers like in the easy vpn tunnel ip address.

    Here are the SAs created matching:

    local ident (addr, mask, prot, port): (64.196.6.165/255.255.255.255/0/0)
    Remote ident (addr, mask, prot, port): (64.196.6.180/255.255.255.255/0/0)

    local ident (addr, mask, prot, port): (172.30.20.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (64.196.6.180/255.255.255.255/0/0)

    local ident (addr, mask, prot, port): (172.30.20.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (192.168.101.0/255.255.255.0/0/0)

    local ident (addr, mask, prot, port): (172.30.30.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (192.168.101.0/255.255.255.0/0/0)

    local ident (addr, mask, prot, port): (172.30.30.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (64.196.6.180/255.255.255.255/0/0)

    local ident (addr, mask, prot, port): (172.30.70.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (192.168.101.0/255.255.255.0/0/0)

    local ident (addr, mask, prot, port): (172.30.70.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (64.196.6.180/255.255.255.255/0/0)

    local ident (addr, mask, prot, port): (172.30.71.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (64.196.6.180/255.255.255.255/0/0)

    local ident (addr, mask, prot, port): (172.30.71.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (192.168.101.0/255.255.255.0/0/0)

    local ident (addr, mask, prot, port): (172.30.80.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (64.196.6.180/255.255.255.255/0/0)

    local ident (addr, mask, prot, port): (172.30.80.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (192.168.101.0/255.255.255.0/0/0)

    local ident (addr, mask, prot, port): (172.30.81.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (192.168.101.0/255.255.255.0/0/0)

    local ident (addr, mask, prot, port): (172.30.81.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (64.196.6.180/255.255.255.255/0/0)

    local ident (addr, mask, prot, port): (172.30.88.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (64.196.6.180/255.255.255.255/0/0)

    local ident (addr, mask, prot, port): (172.30.88.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (192.168.101.0/255.255.255.0/0/0)

    local ident (addr, mask, prot, port): (192.168.1.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (192.168.101.0/255.255.255.0/0/0)

    local ident (addr, mask, prot, port): (192.168.1.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (64.196.6.180/255.255.255.255/0/0)

  • Error of customer Cisco VPN connection ASA 5505

    I am unable to connect to the vpn I created on my ASA 5505 using the Cisco VPN Client on a Windows machine. The log of the vpn client and the config of the ASA 5505 is lower. Any help to solve this is appreciated.

    CISCO VPN CLIENT LOG

    Cisco Systems VPN Client Version 5.0.06.0160

    Copyright (C) 1998-2009 Cisco Systems, Inc.. All rights reserved.

    Customer type: Windows, Windows NT

    Running: 6.1.7600

    Config files directory: C:\Program Cisco Systems Client\

    1 09:34:23.030 13/04/11 Sev = Info/4 CM / 0 x 63100002

    Start the login process

    2 09:34:23.061 13/04/11 Sev = Info/4 CM / 0 x 63100004

    Establish a secure connection

    3 09:34:23.061 13/04/11 Sev = Info/4 CM / 0 x 63100024

    Attempt to connect with the server "71.xx.xx.253".

    4 09:34:23.061 13/04/11 Sev = Info/6 IKE/0x6300003B

    Attempts to establish a connection with 71.xx.xx.253.

    5 09:34:23.061 13/04/11 Sev = Info/4 IKE / 0 x 63000001

    From IKE Phase 1 negotiation

    6 09:34:23.077 13/04/11 Sev = Info/4 IKE / 0 x 63000013

    SEND to > ISAKMP OAK AG (SA, KE, NO, ID, VID (Xauth), VID (dpd), VID (Frag), VID(Nat-T), VID (Unity)) at 71.xx.xx.253

    7 09:34:23.170 13/04/11 Sev = Info/5 IKE/0x6300002F

    Received packet of ISAKMP: peer = 71.xx.xx.253

    8 09:34:23.170 13/04/11 Sev = Info/4 IKE / 0 x 63000014

    RECEIVING< isakmp="" oak="" ag="" (sa,="" ke,="" non,="" id,="" hash,="" vid(unity),="" vid(xauth),="" vid(dpd),="" vid(nat-t),="" nat-d,="" nat-d,="" vid(frag),="" vid(?))="" from="">

    9 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000001

    Peer is a compatible peer Cisco-Unity

    10 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000001

    Peer supports XAUTH

    11 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000001

    Peer supports the DPD

    12 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000001

    Peer supports NAT - T

    13 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000001

    Peer supports fragmentation IKE payloads

    14 09:34:23.170 13/04/11 Sev = Info/6 IKE / 0 x 63000001

    IOS Vendor ID successful construction

    15 09:34:23.170 13/04/11 Sev = Info/4 IKE / 0 x 63000013

    SENDING > ISAKMP OAK AG * (HASH, NOTIFY: NAT - D, NAT - D, VID (?), STATUS_INITIAL_CONTACT, VID (Unity)) at 71.xx.xx.253

    16 09:34:23.170 13/04/11 Sev = Info/6 IKE / 0 x 63000055

    Sent a keepalive on the IPSec Security Association

    17 09:34:23.170 13/04/11 Sev = Info/4 IKE / 0 x 63000083

    IKE port in use - Local Port = 0xEB07, Remote Port = 0 x 1194

    18 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000072

    Automatic NAT detection status:

    Remote endpoint is NOT behind a NAT device

    This effect is behind a NAT device

    19 09:34:23.170 13/04/11 Sev = Info/4 CM/0x6310000E

    ITS established Phase 1.  1 crypto IKE Active SA, 0 IKE SA authenticated user in the system

    20 09:34:23.170 13/04/11 Sev = Info/4 CM/0x6310000E

    ITS established Phase 1.  1 crypto IKE Active SA, 1 IKE SA authenticated user in the system

    21 09:34:23.186 13/04/11 Sev = Info/5 IKE/0x6300005E

    Customer address a request from firewall to hub

    22 09:34:23.186 13/04/11 Sev = Info/4 IKE / 0 x 63000013

    SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to 71.xx.xx.253

    23 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300002F

    Received packet of ISAKMP: peer = 71.xx.xx.253

    24 09:34:23.248 13/04/11 Sev = Info/4 IKE / 0 x 63000014

    RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">

    25 09:34:23.248 13/04/11 Sev = Info/5 IKE / 0 x 63000010

    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS:, value = 172.26.6.1

    26 09:34:23.248 13/04/11 Sev = Info/5 IKE / 0 x 63000010

    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK:, value = 255.255.0.0

    27 09:34:23.248 13/04/11 Sev = Info/5 IKE / 0 x 63000010

    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (1):, value = 172.26.0.250

    28 09:34:23.248 13/04/11 Sev = Info/5 IKE / 0 x 63000010

    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (2):, value = 172.26.0.251

    29 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000D

    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD:, value = 0x00000000

    30 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000E

    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN:, value = TLCUSA

    31 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000D

    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS:, value = 0x00000000

    32 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000E

    MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc. ASA5505 Version 8.2 (1) built by manufacturers on Wednesday 5 May 09 22:45

    33 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000D

    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT:, value = 0x00000001

    34 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000D

    MODE_CFG_REPLY: Attribute = received and by using the NAT - T port number, value = 0 x 00001194

    35 09:34:23.248 13/04/11 Sev = Info/4 CM / 0 x 63100019

    Data in mode Config received

    36 09:34:23.264 13/04/11 Sev = Info/4 IKE / 0 x 63000056

    Received a request from key driver: local IP = 172.26.6.1, GW IP = 71.xx.xx.253, Remote IP = 0.0.0.0

    37 09:34:23.264 13/04/11 Sev = Info/4 IKE / 0 x 63000013

    SEND to > QM ISAKMP OAK * (HASH, SA, NO, ID, ID) to 71.xx.xx.253

    38 09:34:23.326 13/04/11 Sev = Info/5 IKE/0x6300002F

    Received packet of ISAKMP: peer = 71.xx.xx.253

    39 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000014

    RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:status_resp_lifetime)="" from="">

    40 09:34:23.326 13/04/11 Sev = Info/5 IKE / 0 x 63000045

    Answering MACHINE-LIFE notify has value of 86400 seconds

    41 09:34:23.326 13/04/11 Sev = Info/5 IKE / 0 x 63000047

    This AA is already living from 0 seconds, setting the expiration to 86400 seconds right now

    42 09:34:23.326 13/04/11 Sev = Info/5 IKE/0x6300002F

    Received packet of ISAKMP: peer = 71.xx.xx.253

    43 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000014

    RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:no_proposal_chosen)="" from="">

    44 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000013

    SEND to > ISAKMP OAK INFO *(HASH, DEL) to 71.xx.xx.253

    45 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000049

    IPsec security association negotiation made scrapped, MsgID = 89EE7032

    46 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000017

    Marking of IKE SA delete (I_Cookie = 2617522400DC1763 R_Cookie = 029325381036CCD8) reason = DEL_REASON_IKE_NEG_FAILED

    47 09:34:23.326 13/04/11 Sev = Info/5 IKE/0x6300002F

    Received packet of ISAKMP: peer = 71.xx.xx.253

    48 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000058

    Received an ISAKMP for a SA message no assets, I_Cookie = 2617522400DC1763 R_Cookie = 029325381036CCD8

    49 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000014

    RECEIVING< isakmp="" oak="" info="" *(dropped)="" from="">

    50 09:34:26.696 13/04/11 Sev = Info/4 IKE/0x6300004B

    IKE negotiation to throw HIS (I_Cookie = 2617522400DC1763 R_Cookie = 029325381036CCD8) reason = DEL_REASON_IKE_NEG_FAILED

    51 09:34:26.696 13/04/11 Sev = Info/4 CM / 0 x 63100012

    ITS phase 1 deleted before first Phase 2 SA is caused by "DEL_REASON_IKE_NEG_FAILED".  Crypto 0 Active IKE SA, 0 IKE SA authenticated user in the system

    52 09:34:26.696 13/04/11 Sev = Info/5 CM / 0 x 63100025

    Initializing CVPNDrv

    53 09:34:26.696 13/04/11 Sev = Info/6 CM / 0 x 63100046

    Set indicator established tunnel to register to 0.

    54 09:34:26.696 13/04/11 Sev = Info/4 IKE / 0 x 63000001

    Signal received IKE to complete the VPN connection

    ----------------------------------------------------------------------------------------

    ASA 5505 CONFIG

    : Saved

    :

    ASA Version 8.2 (1)

    !

    ciscoasa hostname

    domain masociete.com

    activate tdkuTUSh53d2MT6B encrypted password

    2KFQnbNIdI.2KYOU encrypted passwd

    names of

    !

    interface Vlan1

    nameif inside

    security-level 100

    IP 172.26.0.252 255.255.0.0

    !

    interface Vlan2

    nameif outside

    security-level 0

    IP address 71.xx.xx.253 255.255.255.240

    !

    interface Ethernet0/0

    switchport access vlan 2

    Speed 100

    full duplex

    !

    interface Ethernet0/1

    !

    interface Ethernet0/2

    !

    interface Ethernet0/3

    !

    interface Ethernet0/4

    !

    interface Ethernet0/5

    !

    interface Ethernet0/6

    !

    interface Ethernet0/7

    !

    passive FTP mode

    clock timezone IS - 5

    clock to summer time EDT recurring

    DNS server-group DefaultDNS

    domain masociete.com

    access-list LIMU_Split_Tunnel_List note the network of the company behind the ASA

    Standard access list LIMU_Split_Tunnel_List allow 172.26.0.0 255.255.0.0

    outside_access_in list extended access permit icmp any one

    outside_access_in list extended access udp allowed any any eq 4500

    outside_access_in list extended access udp allowed any any eq isakmp

    outside_access_in list extended access permit tcp any host 71.xx.xxx.251 eq ftp

    outside_access_in list extended access permit tcp any host 71.xx.xxx.244 eq 3389

    inside_outbound_nat0_acl list of allowed ip extended access all 172.26.5.192 255.255.255.240

    inside_outbound_nat0_acl list of allowed ip extended access all 172.26.6.0 255.255.255.128

    pager lines 24

    Enable logging

    asdm of logging of information

    Outside 1500 MTU

    Within 1500 MTU

    local pool VPN_POOL 172.26.6.1 - 172.26.6.100 255.255.0.0 IP mask

    ICMP unreachable rate-limit 1 burst-size 1

    enable ASDM history

    ARP timeout 14400

    Global 1 interface (outside)

    NAT (inside) 0-list of access inside_outbound_nat0_acl

    NAT (inside) 1 0.0.0.0 0.0.0.0

    static (inside, outside) 71.xx.xxx.251 172.26.5.9 netmask 255.255.255.255

    static (inside, outside) 71.xx.xxx.244 172.26.0.136 netmask 255.255.255.255

    Access-group outside_access_in in interface outside

    Route outside 0.0.0.0 0.0.0.0 71.xx.xxx.241 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    dynamic-access-policy-registration DfltAccessPolicy

    GANYMEDE + Protocol Ganymede + AAA-server

    RADIUS Protocol RADIUS AAA server

    Enable http server

    http 172.26.0.0 255.255.0.0 inside

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown cold start

    Crypto ipsec transform-set esp-3des esp-md5-hmac TRANS_ESP_3DES_MD5

    Crypto ipsec transform-set transit mode TRANS_ESP_3DES_MD5

    Crypto ipsec transform-set esp-3des esp-sha-hmac TRANS_ESP_3DES_SHA

    Crypto ipsec transform-set transit mode TRANS_ESP_3DES_SHA

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

    life crypto ipsec security association seconds 28800

    Crypto ipsec kilobytes of life - safety 4608000 association

    Crypto-map dynamic outside_dyn_map 20 game of transformation-TRANS_ESP_3DES_MD5

    map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

    outside_map interface card crypto outside

    crypto ISAKMP allow outside

    crypto ISAKMP policy 10

    preshared authentication

    3des encryption

    md5 hash

    Group 2

    life 86400

    crypto ISAKMP policy 30

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    Telnet timeout 5

    SSH timeout 5

    Console timeout 0

    dhcpd outside auto_config

    !

    no basic threat threat detection

    no statistical access list - a threat detection

    no statistical threat detection tcp-interception

    WebVPN

    internal DefaultRAGroup group strategy

    attributes of Group Policy DefaultRAGroup

    value of server WINS 172.26.0.250 172.26.0.251

    value of 172.26.0.250 DNS server 172.26.0.251

    Protocol-tunnel-VPN IPSec l2tp ipsec svc

    value by default-field TLCUSA

    internal LIMUVPNPOL1 group policy

    LIMUVPNPOL1 group policy attributes

    value of 172.26.0.250 DNS server 172.26.0.251

    VPN-idle-timeout 30

    Protocol-tunnel-VPN IPSec l2tp ipsec

    Split-tunnel-policy tunnelspecified

    value of Split-tunnel-network-list LIMU_Split_Tunnel_List

    the address value VPN_POOL pools

    internal TLCVPNGROUP group policy

    TLCVPNGROUP group policy attributes

    value of 172.26.0.250 DNS server 172.26.0.251

    Protocol-tunnel-VPN IPSec l2tp ipsec svc

    Re-xauth disable

    enable IPSec-udp

    value by default-field TLCUSA

    barry.julien YCkQv7rLwCSNRqra06 + QXg password user name is nt encrypted privilege 0

    username barry.julien attributes

    VPN-group-policy TLCVPNGROUP

    Protocol-tunnel-VPN IPSec l2tp ipsec

    bjulien bhKBinDUWhYqGbP4 encrypted password username

    username bjulien attributes

    VPN-group-policy TLCVPNGROUP

    attributes global-tunnel-group DefaultRAGroup

    address VPN_POOL pool

    Group Policy - by default-DefaultRAGroup

    IPSec-attributes tunnel-group DefaultRAGroup

    pre-shared-key *.

    tunnel-group DefaultRAGroup ppp-attributes

    no authentication ms-chap-v1

    ms-chap-v2 authentication

    type tunnel-group TLCVPNGROUP remote access

    attributes global-tunnel-group TLCVPNGROUP

    address VPN_POOL pool

    Group Policy - by default-TLCVPNGROUP

    IPSec-attributes tunnel-group TLCVPNGROUP

    pre-shared-key *.

    ISAKMP ikev1-user authentication no

    tunnel-group TLCVPNGROUP ppp-attributes

    PAP Authentication

    ms-chap-v2 authentication

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    type of policy-card inspect dns preset_dns_map

    parameters

    message-length maximum 512

    Policy-map global_policy

    class inspection_default

    inspect the preset_dns_map dns

    inspect the ftp

    inspect h323 h225

    inspect the h323 ras

    inspect the rsh

    inspect the rtsp

    inspect esmtp

    inspect sqlnet

    inspect the skinny

    inspect sunrpc

    inspect xdmcp

    inspect the sip

    inspect the netbios

    inspect the tftp

    !

    global service-policy global_policy

    context of prompt hostname

    Cryptochecksum:b94898c163c59cee6c143943ba87e8a4

    : end

    enable ASDM history

    can you try to change the transformation of dynamic value ESP-3DES-SHA map.

    for example

    remove the encryption scheme dynamic-map outside_dyn_map 20 transform-set TRANS_ESP_3DES_MD5

    and replace with

    Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA

  • Cisco ASA 5505 VPN Site to Site

    Hi all

    First post on the forums. I have worked with Cisco ASA 5505 for a few months and I recently bought a 2nd ASA to implement tunnel VPN Site to Site. It seems so simple in the number of videos watched on the internet. But when I did he surprise it did work for me... I've removed the tunnels, a number of times and tried to recreate. I use the VPN Wizard in the SMA to create the tunnel. Both the asa 5505 of are and have the same firmware even etc..

    I'd appreciate any help that can be directed to this problem please.  Slowly losing my mind

    Please see details below:

    Two ADMS are 7.1

    IOS

    ASA 1

    Nadia

    :

    ASA Version 9.0 (1)

    !

    hostname PAYBACK

    activate the encrypted password of HSMurh79NVmatjY0

    volatile xlate deny tcp any4 any4

    volatile xlate deny tcp any4 any6

    volatile xlate deny tcp any6 any4

    volatile xlate deny tcp any6 any6

    volatile xlate deny udp any4 any4 eq field

    volatile xlate deny udp any4 any6 eq field

    volatile xlate deny udp any6 any4 eq field

    volatile xlate deny udp any6 any6 eq field

    2KFQnbNIdI.2KYOU encrypted passwd

    names of

    local pool VPN1 192.168.50.1 - 192.168.50.254 255.255.255.0 IP mask

    !

    interface Ethernet0/0

    switchport access vlan 2

    Speed 100

    full duplex

    !

    interface Ethernet0/1

    link Trunk Description of SW1

    switchport trunk allowed vlan 1,10,20,30,40

    switchport trunk vlan 1 native

    switchport mode trunk

    !

    interface Ethernet0/2

    !

    interface Ethernet0/3

    !

    interface Ethernet0/4

    !

    interface Ethernet0/5

    !

    interface Ethernet0/6

    !

    interface Ethernet0/7

    !

    interface Vlan1

    No nameif

    no level of security

    no ip address

    !

    interface Vlan2

    nameif outside

    security-level 0

    IP 92.51.193.158 255.255.255.252

    !

    interface Vlan10

    nameif inside

    security-level 100

    IP 192.168.10.1 255.255.255.0

    !

    interface Vlan20

    nameif servers

    security-level 100

    address 192.168.20.1 255.255.255.0

    !

    Vlan30 interface

    nameif printers

    security-level 100

    192.168.30.1 IP address 255.255.255.0

    !

    interface Vlan40

    nameif wireless

    security-level 100

    192.168.40.1 IP address 255.255.255.0

    !

    connection line banner welcome to the Payback loyalty systems

    boot system Disk0: / asa901 - k8.bin

    passive FTP mode

    summer time clock GMT/IDT recurring last Sun Mar 01:00 last Sun Oct 02:00

    DNS domain-lookup outside

    DNS lookup field inside

    domain-lookup DNS servers

    DNS lookup domain printers

    DNS domain-lookup wireless

    DNS server-group DefaultDNS

    Server name 83.147.160.2

    Server name 83.147.160.130

    permit same-security-traffic inter-interface

    network obj_any object

    subnet 0.0.0.0 0.0.0.0

    ftp_server network object

    network of the Internal_Report_Server object

    Home 192.168.20.21

    Description address internal automated report server

    network of the Report_Server object

    Home 89.234.126.9

    Description of server automated reports

    service object RDP

    service destination tcp 3389 eq

    Description RDP to the server

    network of the Host_QA_Server object

    Home 89.234.126.10

    Description QA host external address

    network of the Internal_Host_QA object

    Home 192.168.20.22

    host of computer virtual Description for QA

    network of the Internal_QA_Web_Server object

    Home 192.168.20.23

    Description Web Server in the QA environment

    network of the Web_Server_QA_VM object

    Home 89.234.126.11

    Server Web Description in the QA environment

    service object SQL_Server

    destination eq 1433 tcp service

    network of the Demo_Server object

    Home 89.234.126.12

    Description server set up for the product demo

    network of the Internal_Demo_Server object

    Home 192.168.20.24

    Internal description of the demo server IP address

    network of the NETWORK_OBJ_192.168.20.0_24 object

    subnet 192.168.20.0 255.255.255.0

    network of the NETWORK_OBJ_192.168.50.0_26 object

    255.255.255.192 subnet 192.168.50.0

    network of the NETWORK_OBJ_192.168.0.0_16 object

    Subnet 192.168.0.0 255.255.0.0

    service object MSSQL

    destination eq 1434 tcp service

    MSSQL port description

    VPN network object

    192.168.50.0 subnet 255.255.255.0

    network of the NETWORK_OBJ_192.168.50.0_24 object

    192.168.50.0 subnet 255.255.255.0

    service object TS

    tcp destination eq 4400 service

    service of the TS_Return object

    tcp source eq 4400 service

    network of the External_QA_3 object

    Home 89.234.126.13

    network of the Internal_QA_3 object

    Home 192.168.20.25

    network of the Dev_WebServer object

    Home 192.168.20.27

    network of the External_Dev_Web object

    Home 89.234.126.14

    network of the CIX_Subnet object

    255.255.255.0 subnet 192.168.100.0

    network of the NETWORK_OBJ_192.168.10.0_24 object

    192.168.10.0 subnet 255.255.255.0

    network of the NETWORK_OBJ_84.39.233.50 object

    Home 84.39.233.50

    network of the NETWORK_OBJ_92.51.193.158 object

    Home 92.51.193.158

    network of the NETWORK_OBJ_192.168.100.0_24 object

    255.255.255.0 subnet 192.168.100.0

    network of the NETWORK_OBJ_192.168.1.0_24 object

    subnet 192.168.1.0 255.255.255.0

    object-group service DM_INLINE_SERVICE_1

    the tcp destination eq ftp service object

    the purpose of the tcp destination eq netbios-ssn service

    the purpose of the tcp destination eq smtp service

    service-object TS

    the Payback_Internal object-group network

    object-network 192.168.10.0 255.255.255.0

    object-network 192.168.20.0 255.255.255.0

    object-network 192.168.40.0 255.255.255.0

    object-group service DM_INLINE_SERVICE_3

    the purpose of the service tcp destination eq www

    the purpose of the tcp destination eq https service

    service-object TS

    service-object, object TS_Return

    object-group service DM_INLINE_SERVICE_4

    service-object RDP

    the purpose of the service tcp destination eq www

    the purpose of the tcp destination eq https service

    object-group service DM_INLINE_SERVICE_5

    purpose purpose of the MSSQL service

    service-object RDP

    service-object TS

    object-group Protocol TCPUDP

    object-protocol udp

    object-tcp protocol

    object-group service DM_INLINE_SERVICE_6

    service-object TS

    service-object, object TS_Return

    the purpose of the service tcp destination eq www

    the purpose of the tcp destination eq https service

    Note to outside_access_in to access list that this rule allows Internet the interal server.

    Notice on the outside_access_in of the access-list allowed:

    Comment from outside_access_in-list of FTP access

    Comment from outside_access_in-RDP access list

    Comment from outside_access_in-list of SMTP access

    Note to outside_access_in to access list Net Bios

    Comment from outside_access_in-SQL access list

    Comment from outside_access_in-list to access TS - 4400

    outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_1 any4 Internal_Report_Server

    access host access-list outside_access_in note rule internal QA

    Notice on the outside_access_in of the access-list allowed:

    Comment from outside_access_in-HTTP access list

    Comment from outside_access_in-RDP access list

    outside_access_in list extended access permitted tcp any4 object Internal_Host_QA eq www

    Notice on the outside_access_in of the access-list access to the internal Web server:

    Notice on the outside_access_in of the access-list allowed:

    Comment from outside_access_in-HTTP access list

    Comment from outside_access_in-RDP access list

    outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_3 any4 Internal_QA_Web_Server

    Note to outside_access_in to access list rule allowing access to the demo server

    Notice on the outside_access_in of the access-list allowed:

    Comment from outside_access_in-RDP access list

    Comment from outside_access_in-list to access MSSQL

    outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_4 any4 Internal_Demo_Server

    outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_5 any object Internal_QA_3

    Note to outside_access_in access to the development Web server access list

    outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_6 any object Dev_WebServer

    AnyConnect_Client_Local_Print deny any4 any4 ip extended access list

    AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq lpd

    Note AnyConnect_Client_Local_Print of access list IPP: Internet Printing Protocol

    AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq 631

    print the access-list AnyConnect_Client_Local_Print Note Windows port

    AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq 9100

    access-list AnyConnect_Client_Local_Print mDNS Note: multicast DNS protocol

    AnyConnect_Client_Local_Print list extended access permit udp host 224.0.0.251 any4 eq 5353

    AnyConnect_Client_Local_Print of access list LLMNR Note: link Local Multicast Name Resolution protocol

    AnyConnect_Client_Local_Print list extended access permit udp host 224.0.0.252 any4 eq 5355

    Note access list TCP/NetBIOS protocol AnyConnect_Client_Local_Print

    AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 EQ. 137

    AnyConnect_Client_Local_Print list extended access permitted udp any4 any4 eq netbios-ns

    Payback_VPN_splitTunnelAcl list standard access allowed 192.168.20.0 255.255.255.0

    permit outside_cryptomap to access extended list ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0

    pager lines 24

    Enable logging

    information recording console

    asdm of logging of information

    address record

    [email protected] / * /.

    the journaling recipient

    [email protected] / * /.

    level alerts

    Outside 1500 MTU

    Within 1500 MTU

    MTU 1500 servers

    MTU 1500 printers

    MTU 1500 wireless

    no failover

    ICMP unreachable rate-limit 1 burst-size 1

    ASDM image disk0: / asdm-711 - 52.bin

    don't allow no asdm history

    ARP timeout 14400

    no permit-nonconnected arp

    NAT (inside, outside) source Dynamics one interface

    NAT (wireless, outdoors) source Dynamics one interface

    NAT (servers, outside) no matter what source dynamic interface

    NAT (servers, external) static source Internal_Report_Server Report_Server

    NAT (servers, external) static source Internal_Host_QA Host_QA_Server

    NAT (servers, external) static source Internal_QA_Web_Server Web_Server_QA_VM

    NAT (servers, external) static source Internal_Demo_Server Demo_Server

    NAT (servers, external) static source NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 non-proxy-arp-search of route static destination

    NAT (servers, external) static source Internal_QA_3 External_QA_3

    NAT (servers, external) static source Dev_WebServer External_Dev_Web

    NAT (inside, outside) static source NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination

    NAT (inside, outside) static source NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 non-proxy-arp-search of route static destination

    Access-group outside_access_in in interface outside

    Route outside 0.0.0.0 0.0.0.0 92.51.193.157 1

    Timeout xlate 03:00

    Pat-xlate timeout 0:00:30

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    Floating conn timeout 0:00:00

    dynamic-access-policy-registration DfltAccessPolicy

    identity of the user by default-domain LOCAL
    the ssh LOCAL console AAA authentication
    Enable http server
    http 192.168.10.0 255.255.255.0 inside
    http 192.168.40.0 255.255.255.0 wireless
    No snmp server location
    No snmp Server contact
    Server enable SNMP traps snmp authentication linkup, linkdown cold start
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
    Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
    Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
    Crypto ipsec ikev2 AES256 ipsec-proposal
    Protocol esp encryption aes-256
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 ipsec-proposal AES192
    Protocol esp encryption aes-192
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 ipsec-proposal AES
    Esp aes encryption protocol
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 proposal ipsec 3DES
    Esp 3des encryption protocol
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 ipsec-proposal OF
    encryption protocol esp
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec pmtu aging infinite - the security association
    card crypto outside_map 1 match address outside_cryptomap
    card crypto outside_map 1 set pfs
    peer set card crypto outside_map 1 84.39.233.50
    card crypto outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
    outside_map card crypto 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
    outside_map interface card crypto outside
    trustpool crypto ca policy
    IKEv2 crypto policy 1
    aes-256 encryption
    integrity sha
    Group 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 10
    aes-192 encryption
    integrity sha
    Group 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 20
    aes encryption
    integrity sha
    Group 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 30
    3des encryption
    integrity sha
    Group 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 40
    the Encryption
    integrity sha
    Group 5
    FRP sha
    second life 86400
    Crypto ikev2 activate out of service the customer port 443
    Crypto ikev1 allow outside
    IKEv1 crypto policy 10
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    Telnet timeout 5
    SSH 77.75.100.208 255.255.255.240 outside
    SSH 192.168.10.0 255.255.255.0 inside
    SSH 192.168.40.0 255.255.255.0 wireless
    SSH timeout 5
    Console timeout 0

    dhcpd 192.168.0.1 dns
    dhcpd outside auto_config
    !
    dhcpd address 192.168.10.21 - 192.168.10.240 inside
    dhcpd dns 192.168.20.21 83.147.160.2 interface inside
    paybackloyalty.com dhcpd option 15 inside ascii interface
    dhcpd allow inside
    !
    dhcpd address 192.168.40.21 - 192.168.40.240 Wireless
    dhcpd dns 192.168.20.21 83.147.160.2 wireless interface
    dhcpd update dns of the wireless interface
    dhcpd option 15 ascii paybackloyalty.com wireless interface
    dhcpd activate wireless
    !
    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    internal Payback_VPN group strategy
    attributes of Group Policy Payback_VPN
    VPN - 10 concurrent connections
    Ikev1 VPN-tunnel-Protocol
    Split-tunnel-policy tunnelspecified
    value of Split-tunnel-network-list Payback_VPN_splitTunnelAcl
    attributes of Group Policy DfltGrpPolicy
    value of 83.147.160.2 DNS server 83.147.160.130
    VPN-tunnel-Protocol ikev1, ikev2 clientless ssl
    internal GroupPolicy_84.39.233.50 group strategy
    attributes of Group Policy GroupPolicy_84.39.233.50
    VPN-tunnel-Protocol ikev1, ikev2
    Noelle XB/IpvYaATP.2QYm username encrypted password
    Noelle username attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    username Éanna encrypted password privilege 0 vXILR9ZZQIsd1Naw
    Éanna attributes username
    VPN-group-policy Payback_VPN
    type of remote access service
    Michael qpbleUqUEchRrgQX of encrypted password username
    user name Michael attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    username, password from Danny .7fEXdzESUk6S/cC encrypted privilege 0
    user name Danny attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    Aileen tytrelqvV5VRX2pz encrypted password privilege 0 username
    user name Aileen attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    Aidan aDu6YH0V5XaxpEPg encrypted password privilege 0 username
    Aidan username attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    username password 6e6Djaz3W/XH59zX gordon encrypted privilege 15
    shane.c iqGMoWOnfO6YKXbw encrypted password username
    username shane.c attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    Shane uYePLcrFadO9pBZx of encrypted password username
    user name Shane attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    username, encrypted James TdYPv1pvld/hPM0d password
    user name James attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    Mark yruxpddqfyNb.qFn of encrypted password username
    user name brand attributes
    type of service admin
    username password of Mary XND5FTEiyu1L1zFD encrypted
    user name Mary attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    Massimo vs65MMo4rM0l4rVu encrypted password privilege 0 username
    Massimo username attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    type tunnel-group Payback_VPN remote access
    attributes global-tunnel-group Payback_VPN
    VPN1 address pool
    Group Policy - by default-Payback_VPN
    IPSec-attributes tunnel-group Payback_VPN
    IKEv1 pre-shared-key *.
    tunnel-group 84.39.233.50 type ipsec-l2l
    tunnel-group 84.39.233.50 General-attributes
    Group - default policy - GroupPolicy_84.39.233.50
    IPSec-attributes tunnel-group 84.39.233.50
    IKEv1 pre-shared-key *.
    remote control-IKEv2 pre-shared-key authentication *.
    pre-shared-key authentication local IKEv2 *.
    !
    Global class-card class
    match default-inspection-traffic
    !
    !
    World-Policy policy-map
    Global category
    inspect the dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    Review the ip options
    inspect the netbios
    inspect the pptp
    inspect the rsh
    inspect the rtsp
    inspect the sip
    inspect the snmp
    inspect sqlnet
    inspect sunrpc
    inspect the tftp
    inspect xdmcp
    inspect the icmp error
    inspect the icmp
    !
    service-policy-international policy global
    192.168.20.21 SMTP server
    context of prompt hostname
    no remote anonymous reporting call
    call-home
    Profile of CiscoTAC-1
    no active account
    http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
    email address of destination [email protected] / * /
    destination-mode http transport
    Subscribe to alert-group diagnosis
    Subscribe to alert-group environment
    Subscribe to alert-group monthly periodic inventory
    monthly periodicals to subscribe to alert-group configuration
    daily periodic subscribe to alert-group telemetry
    Cryptochecksum:d06974501eb0327a5ed229c8445f4fe1

    ASA 2

    ASA Version 9.0 (1)

    !

    Payback-CIX hostname

    activate the encrypted password of HSMurh79NVmatjY0

    2KFQnbNIdI.2KYOU encrypted passwd

    names of

    !

    interface Ethernet0/0

    switchport access vlan 2

    Speed 100

    full duplex

    !

    interface Ethernet0/1

    Description this port connects to the local network VIRTUAL 100

    switchport access vlan 100

    !

    interface Ethernet0/2

    !

    interface Ethernet0/3

    switchport access vlan 100

    !

    interface Ethernet0/4

    switchport access vlan 100

    !

    interface Ethernet0/5

    switchport access vlan 100

    !

    interface Ethernet0/6

    switchport access vlan 100

    !

    interface Ethernet0/7

    switchport access vlan 100

    !

    interface Vlan2

    nameif outside

    security-level 0

    IP 84.39.233.50 255.255.255.240

    !

    interface Vlan100

    nameif inside

    security-level 100

    IP 192.168.100.1 address 255.255.255.0

    !

    banner welcome to Payback loyalty - CIX connection line

    passive FTP mode

    summer time clock gmt/idt recurring last Sun Mar 01:00 last Sun Oct 02:00

    DNS domain-lookup outside

    DNS lookup field inside

    DNS server-group defaultDNS

    Name-Server 8.8.8.8

    Server name 8.8.4.4

    permit same-security-traffic inter-interface

    network obj_any object

    subnet 0.0.0.0 0.0.0.0

    network of the host-CIX-1 object

    host 192.168.100.2

    Description This is the VM server host machine

    network object host-External_CIX-1

    Home 84.39.233.51

    Description This is the external IP address of the server the server VM host

    service object RDP

    source between 1-65535 destination eq 3389 tcp service

    network of the Payback_Office object

    Home 92.51.193.158

    service object MSQL

    destination eq 1433 tcp service

    network of the Development_OLTP object

    Home 192.168.100.10

    Description for Eiresoft VM

    network of the External_Development_OLTP object

    Home 84.39.233.52

    Description This is the external IP address for the virtual machine for Eiresoft

    network of the Eiresoft object

    Home 146.66.160.70

    Contractor s/n description

    network of the External_TMC_Web object

    Home 84.39.233.53

    Description Public address to the TMC Web server

    network of the TMC_Webserver object

    Home 192.168.100.19

    Internal description address TMC Webserver

    network of the External_TMC_OLTP object

    Home 84.39.233.54

    External targets OLTP IP description

    network of the TMC_OLTP object

    Home 192.168.100.18

    description of the interal target IP address

    network of the External_OLTP_Failover object

    Home 84.39.233.55

    IP failover of the OLTP Public description

    network of the OLTP_Failover object

    Home 192.168.100.60

    Server failover OLTP description

    network of the servers object

    subnet 192.168.20.0 255.255.255.0

    being Wired network

    192.168.10.0 subnet 255.255.255.0

    the subject wireless network

    192.168.40.0 subnet 255.255.255.0

    network of the NETWORK_OBJ_192.168.100.0_24 object

    255.255.255.0 subnet 192.168.100.0

    network of the NETWORK_OBJ_192.168.10.0_24 object

    192.168.10.0 subnet 255.255.255.0

    network of the Eiresoft_2nd object

    Home 137.117.217.29

    Description 2nd Eiresoft IP

    network of the Dev_Test_Webserver object

    Home 192.168.100.12

    Description address internal to the Test Server Web Dev

    network of the External_Dev_Test_Webserver object

    Home 84.39.233.56

    Description This is the PB Dev Test Webserver

    network of the NETWORK_OBJ_192.168.1.0_24 object

    subnet 192.168.1.0 255.255.255.0

    object-group service DM_INLINE_SERVICE_1

    service-object MSQL

    service-object RDP

    object-group service DM_INLINE_SERVICE_2

    service-object MSQL

    service-object RDP

    object-group service DM_INLINE_SERVICE_3

    service-object MSQL

    service-object RDP

    object-group service DM_INLINE_SERVICE_4

    service-object MSQL

    service-object RDP

    the tcp destination eq ftp service object

    object-group service DM_INLINE_SERVICE_5

    service-object MSQL

    service-object RDP

    the tcp destination eq ftp service object

    object-group service DM_INLINE_SERVICE_6

    service-object MSQL

    service-object RDP

    the Payback_Intrernal object-group network

    object-network servers

    Wired network-object

    wireless network object

    object-group service DM_INLINE_SERVICE_7

    service-object MSQL

    service-object RDP

    object-group service DM_INLINE_SERVICE_8

    service-object MSQL

    service-object RDP

    object-group service DM_INLINE_SERVICE_9

    service-object MSQL

    service-object RDP

    object-group service DM_INLINE_SERVICE_10

    service-object MSQL

    service-object RDP

    the tcp destination eq ftp service object

    object-group service DM_INLINE_SERVICE_11

    service-object RDP

    the tcp destination eq ftp service object

    outside_access_in list extended access allow object-group DM_INLINE_SERVICE_1 object Payback_Office object CIX-host-1

    Note to access list OLTP Development Office of recovery outside_access_in

    outside_access_in list extended access allow DM_INLINE_SERVICE_2 object Payback_Office object Development_OLTP object-group

    Comment from outside_access_in-access Eiresoft access list

    outside_access_in list extended access allow DM_INLINE_SERVICE_3 object Eiresoft object Development_OLTP object-group

    outside_access_in list extended access allow DM_INLINE_SERVICE_4 object Payback_Office object TMC_Webserver object-group

    Note to outside_access_in access to OLTP for target recovery Office Access list

    outside_access_in list extended access allow DM_INLINE_SERVICE_5 object Payback_Office object TMC_OLTP object-group

    outside_access_in list extended access allow DM_INLINE_SERVICE_6 object Payback_Office object OLTP_Failover object-group

    Note to outside_access_in access-list that's allowing access of the Eiresoft on the failover OLTP server

    outside_access_in list extended access allow DM_INLINE_SERVICE_7 object Eiresoft object OLTP_Failover object-group

    Comment from outside_access_in-access list access for the 2nd period of INVESTIGATION of Eiresoft

    outside_access_in list extended access allow DM_INLINE_SERVICE_8 object Eiresoft_2nd object Development_OLTP object-group

    Note to outside_access_in access from the 2nd IP Eiresoft access list

    outside_access_in list extended access allow DM_INLINE_SERVICE_9 object Eiresoft_2nd object OLTP_Failover object-group

    outside_access_in list extended access allow DM_INLINE_SERVICE_10 object Payback_Office object Dev_Test_Webserver object-group

    outside_access_in list extended access allow DM_INLINE_SERVICE_11 object Payback_Office object External_TMC_OLTP object-group

    outside_cryptomap to access extended list ip 192.168.100.0 allow 255.255.255.0 192.168.10.0 255.255.255.0

    pager lines 24

    Enable logging

    asdm of logging of information

    Outside 1500 MTU

    Within 1500 MTU

    ICMP unreachable rate-limit 1 burst-size 1

    don't allow no asdm history

    ARP timeout 14400

    no permit-nonconnected arp

    NAT (inside, outside) source Dynamics one interface

    NAT (inside, outside) static source CIX-host-1 External_CIX-host-1

    NAT (inside, outside) static source Development_OLTP External_Development_OLTP

    NAT (inside, outside) static source TMC_Webserver External_TMC_Web

    NAT (inside, outside) static source TMC_OLTP External_TMC_OLTP

    NAT (inside, outside) static source OLTP_Failover External_OLTP_Failover

    NAT (inside, outside) static source Dev_Test_Webserver External_Dev_Test_Webserver

    NAT (inside, outside) static source NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 non-proxy-arp-search of route static destination

    NAT (inside, outside) static source NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination

    Access-group outside_access_in in interface outside

    Route outside 0.0.0.0 0.0.0.0 84.39.233.49 1

    Timeout xlate 03:00

    Pat-xlate timeout 0:00:30

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    Floating conn timeout 0:00:00

    dynamic-access-policy-registration DfltAccessPolicy

    identity of the user by default-domain LOCAL

    the ssh LOCAL console AAA authentication

    Enable http server

    http 92.51.193.156 255.255.255.252 outside

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac

    Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit

    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac

    Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit

    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac

    Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit

    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac

    Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit

    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac

    Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit

    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac

    Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit

    Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac

    Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit

    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac

    Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit

    Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac

    Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac

    Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit

    Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac

    Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit

    Crypto ipsec ikev2 ipsec-proposal OF

    encryption protocol esp
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 proposal ipsec 3DES
    Esp 3des encryption protocol
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 ipsec-proposal AES
    Esp aes encryption protocol
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 ipsec-proposal AES192
    Protocol esp encryption aes-192
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 AES256 ipsec-proposal
    Protocol esp encryption aes-256
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec pmtu aging infinite - the security association
    card crypto outside_map 1 match address outside_cryptomap
    card crypto outside_map 1 set pfs
    peer set card crypto outside_map 1 92.51.193.158
    card crypto outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
    outside_map card crypto 1jeu ikev2 AES AES192 AES256 3DES ipsec-proposal
    outside_map interface card crypto outside
    trustpool crypto ca policy
    IKEv2 crypto policy 1
    aes-256 encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 10
    aes-192 encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 20
    aes encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 30
    3des encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 40
    the Encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    Crypto ikev2 allow outside
    Crypto ikev1 allow outside
    IKEv1 crypto policy 10
    authentication crack
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 20
    authentication rsa - sig
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 30
    preshared authentication
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 40
    authentication crack
    aes-192 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 50
    authentication rsa - sig
    aes-192 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 60
    preshared authentication
    aes-192 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 70
    authentication crack
    aes encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 80
    authentication rsa - sig
    aes encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 90
    preshared authentication
    aes encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 100
    authentication crack
    3des encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 110
    authentication rsa - sig
    3des encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 120
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 130
    authentication crack
    the Encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 140
    authentication rsa - sig
    the Encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 150
    preshared authentication
    the Encryption
    sha hash
    Group 2
    life 86400
    Telnet timeout 5
    SSH 77.75.100.208 255.255.255.240 outside
    SSH 92.51.193.156 255.255.255.252 outside
    SSH timeout 5
    Console timeout 0

    dhcpd outside auto_config
    !
    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    internal GroupPolicy_92.51.193.158 group strategy
    attributes of Group Policy GroupPolicy_92.51.193.158
    VPN-tunnel-Protocol ikev1, ikev2
    username password 6e6Djaz3W/XH59zX gordon encrypted privilege 15
    tunnel-group 92.51.193.158 type ipsec-l2l
    tunnel-group 92.51.193.158 General-attributes
    Group - default policy - GroupPolicy_92.51.193.158
    IPSec-attributes tunnel-group 92.51.193.158
    IKEv1 pre-shared-key *.
    remote control-IKEv2 pre-shared-key authentication *.
    pre-shared-key authentication local IKEv2 *.
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    maximum message length automatic of customer
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    Review the ip options
    inspect the icmp
    !
    global service-policy global_policy
    context of prompt hostname
    no remote anonymous reporting call
    Cryptochecksum:83b2069fa311e6037163ae74f9b2bec2
    : end

    Hello

    There are some clear problems I see on a quick glance. These are not related to the actual VPN configuration but rather the NAT configurations.

    All your configuration of NAT CLI format above are configured as manual NAT / double NAT in Section 1. This means that the appliance NAT configurations have been added to the same section of the NAT configurations and scheduling of the NAT inside this Section rules is the cause of the problem for the L2L VPN connection for some.

    Here are a few suggestions on what to change

    ASA1

    Minimal changes

    the object of the LAN network

    192.168.10.0 subnet 255.255.255.0

    being REMOTE-LAN network

    255.255.255.0 subnet 192.168.100.0

    NAT (inside, outside) 1 static source LAN LAN to static destination REMOTE - LAN LAN

    no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 non-proxy-arp-search of route static destination

    That means foregoing is first of all create 'object' that contain the local LAN and remote LANs. Then, it creates a NAT0 rule and adds to the top rules NAT. (number 1). It is essentially of at least one of the problems preventing the VPN operation or traffic that cross.

    Finally, we remove the old rule that generated the ASDM. It would do the same thing if it has been moved to the top, but I generally find the creation of the 'object' with descriptive names easier on the eyes in the long term.

    Other suggestions

    These changes are not necessary with regard to the VPN L2L. Here are some suggestions how to clean a part of NAT configurations.

    PAT-SOURCE network object-group

    source networks internal PAT Description

    object-network 192.168.10.0 255.255.255.0

    object-network 192.168.20.0 255.255.255.0

    object-network 192.168.40.0 255.255.255.0

    NAT interface (it is, outside) the after-service automatic PAT-SOURCE dynamic source

    No source (indoor, outdoor) nat Dynamics one interface

    no nat (wireless, outdoors) source Dynamics one interface

    no nat (servers, outside) no matter what source dynamic interface

    The above configuration creates a "object-group" that lists all internal networks that you have dynamic PAT configured so far. It then uses the ' object-group ' in a command unique 'nat' to manage the dynamic PAT for all internal networks (with the exception of printers who had nothing at first). Then we remove the old PAT dynamic configurations.

    Contains the command "nat" "car after" because it moving this "nat" configuration to the bottom of the NAT rules. For this reason its less likely to cause problems in the future.

    network of the SERVERS object

    subnet 192.168.20.0 255.255.255.0

    network of the VPN-POOL object

    192.168.50.0 subnet 255.255.255.0

    NAT (servers, external) 2 static static source of destination of SERVERS SERVERS VPN-VPN-POOL

    no nat (servers, external) static source NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 non-proxy-arp-search of route static destination

    The above configuration is supposed to create a NAT0 configuration for traffic between the network and the pool of Client VPN server. To my knowledge the old configuration that remove us is not used because the traffic would have matched PAT rule dynamic server yet rather than this rule which is later in the NAT configurations and would not be addressed.

    no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination

    It seems to me that network 192.168.1.0/24 is not configured from anywhere in your network. Therefore, the above 'nat' configuration seems useless, can be deleted. If I missed something and its use in then of course do not remove it.

    ASA2

    Minimal changes

    the object of the LAN network

    255.255.255.0 subnet 192.168.100.0

    being REMOTE-LAN network

    192.168.10.0 subnet 255.255.255.0

    NAT (inside, outside) 1 static source LAN LAN to static destination REMOTE - LAN LAN

    no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 non-proxy-arp-search of route static destination

    That means foregoing is first of all create 'object' that contain the local LAN and remote LANs. Then, it creates a NAT0 rule and adds to the top rules NAT. (number 1). It is essentially of at least one of the problems preventing the VPN operation or traffic that cross.

    Finally, we remove the old rule that generated the ASDM.

    Other suggestions

    PAT-SOURCE network object-group

    object-network 192.168.100.0 255.255.255.0

    NAT interface (it is, outside) the after-service automatic PAT-SOURCE dynamic source

    No source (indoor, outdoor) nat Dynamics one interface

    The above configuration is supposed to do the same thing with the other ASA. Although given that this network contains only a single subnet it cleans the "nat" configurations exist that much. But the order of the "nat" configurations is changed to avoid further problems with the NAT order.

    no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination

    It seems to me that network 192.168.1.0/24 is not configured from anywhere in your network. Therefore, the above 'nat' configuration seems useless, can be deleted. If I missed something and its use in then of course do not remove it.

    I suggest trying the changes related to VPN L2L first NAT0 configurations and test traffic. So who gets the work of connectivity, then you could consider changing other NAT configurations. There are other things that could be changed also in what concerns THAT static NAT servers but that probably better left for another time.

    Hope this makes any sense and has helped

    Remember to mark a reply as the answer if it answered your question.

    Feel free to ask more if necessary

    -Jouni

  • ASA 5505 VPN established, cannot access inside the network

    Hi, I recently got an ASA 5505, and I spent weeks to find a way to set up a VPN on it.

    After a few days, I finally found the solution to connect to my ASA with a VPN client yet and cannot access devices that are connected to the ASA.

    Here is my config:

    ASA Version 8.2 (5)
    !
    hostname asa01
    domain kevinasa01.net
    activate 8Ry2YjIyt7RRXU24 encrypted password
    2KFQnbNIdI.2KYOU encrypted passwd
    names of
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    switchport access vlan 5
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
    nameif inside
    security-level 100
    IP 192.168.1.1 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    IP address dhcp setroute
    !
    interface Vlan5
    No nameif
    security-level 50
    IP 172.16.1.1 255.255.255.0
    !
    passive FTP mode
    DNS server-group DefaultDNS
    domain kevinasa01.net
    permit same-security-traffic intra-interface
    Remote_Kevin_splitTunnelAcl list standard access allowed 192.168.1.0 255.255.255.0
    inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.254.0 255.255.255.240
    inside_nat0_outbound list of allowed ip extended access all 192.168.254.0 255.255.255.0
    inside_nat0_outbound list of allowed ip extended access entire 192.168.1.0 255.255.255.0
    sheep - in extended Access-list allow IP 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
    access extensive list ip 192.168.254.0 outside_access_in allow 255.255.255.0 any
    access extensive list ip 192.168.254.0 inside_access_in allow 255.255.255.0 any
    pager lines 24
    asdm of logging of information
    Outside 1500 MTU
    Within 1500 MTU
    pool pool 192.168.254.1 - 192.168.254.10 255.255.255.0 IP mask
    ICMP unreachable rate-limit 1 burst-size 1
    don't allow no asdm history
    ARP timeout 14400
    Global 1 interface (outside)
    NAT (outside) 1 192.168.254.0 255.255.255.0
    NAT (inside) 0 access-list sheep - in
    NAT (inside) 1 192.168.1.0 255.255.255.0
    NAT (inside) 1 0.0.0.0 0.0.0.0
    Access-group outside_access_in in interface outside
    Timeout xlate 03:00
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    Floating conn timeout 0:00:00
    dynamic-access-policy-registration DfltAccessPolicy
    Enable http server
    http 192.168.1.0 255.255.255.0 inside
    No snmp server location
    No snmp Server contact
    Server enable SNMP traps snmp authentication linkup, linkdown cold start
    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
    Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
    Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
    Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
    Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
    life crypto ipsec security association seconds 28800
    Crypto ipsec kilobytes of life - safety 4608000 association
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
    Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
    outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
    outside_map interface card crypto outside
    crypto ISAKMP allow outside
    crypto ISAKMP policy 10
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    Telnet timeout 5
    SSH timeout 5
    Console timeout 0
    management-access inside
    dhcpd outside auto_config
    !
    dhcpd address 192.168.1.5 - 192.168.1.36 inside
    dhcpd allow inside
    !

    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    WebVPN
    internal Remote_Kevin group strategy
    attributes of Group Policy Remote_Kevin
    value of server DNS 192.168.1.12 192.168.1.13
    VPN - connections 3
    Protocol-tunnel-VPN IPSec
    Split-tunnel-policy tunnelspecified
    value of Split-tunnel-network-list Remote_Kevin_splitTunnelAcl
    kevinasa01.NET value by default-field
    username kevin mz6JxJib/sQqvsw9 password encrypted privilege 0
    username kevin attributes
    VPN-group-policy Remote_Kevin
    type tunnel-group Remote_Kevin remote access
    attributes global-tunnel-group Remote_Kevin
    address-pool
    Group Policy - by default-Remote_Kevin
    IPSec-attributes tunnel-group Remote_Kevin
    pre-shared key *.
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    maximum message length automatic of customer
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    Review the ip options
    inspect the icmp
    inspect the icmp error
    !
    global service-policy global_policy
    context of prompt hostname
    no remote anonymous reporting call
    Cryptochecksum:2bb1da52d1993eb9b13c2f6dc97c16cd
    : end

    Thank you

    Hello

    I read your message quickly through my cell phone. I don't know why you have spent your config twice. Maybe a typo issue.

    I see the acl sheep in the wrong way. I mean 192.168.254 are your pool VPN and 192.168.1.0 your local LAN.

    The acl must be:

    sheep - in extended access-list permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0

    For nat (inside), you have 2 lines:

    NAT (inside) 1 192.168.1.0 255.255.255.0 ==> it is redundant as the 1 below does the same thing with more networks if there is inside side. You can delete it.
    NAT (inside) 1 0.0.0.0 0.0.0.0

    Why are you doing this nat (outside)?

    NAT (outside) 1 192.168.254.0 255.255.255.0

    Here are the first questions that I have seen by reading through my mobile. Let's change this and let me know. I'll take a look later with a computer (tonight or tomorrow)

    Thank you.

    PS: Please do not forget to rate and score as good response if this solves your problem.

  • ASA 5505 possibly interfere/blocking calls Incound UC560

    ASA 5505 interfering with incoming calls - Cisco - Spiceworks #entry - 5716462 #entry - 5716462

    All,

    We had this problem the phone when we lose connectivity for some reason any.  Here is an example:

    We have an ASA 5505 before our UC560.  Power lost to ASA (power connector from main Board loose) primary did identical backup with config.  The layout-design is the following:

    UC560<--->ASA 5505 Cisco IAD24523<--->(provider)<---WAN(3 bonded="">

    After the passage of the ASAs, incoming calls have been piecemeal.  I can see the traffic on the firewall when the calls log, nothing otherwise.   OS on the device are:

    UC560 - 15.0 XA (1r).

    ASA 5505-4, 0000 38

    Contacted the provider and after calls debugging support have been expire with the 408 SIP error.

    Release with support from Cisco and after debugging UC is to launch the SIP 487 disconnect error.

    So based on the above and the only variable being the ASA, I'm fairly certain that it is indeed the ASA.  Here is the config ASA (it's pretty long, sorry):

    Output of the command: "show run".

    : Saved
    :
    : Serial number:
    : Material: ASA5505, 512 MB RAM, 500 MHz Geode Processor
    :
    ASA 4,0000 Version 38
    !
    XXXXX-CA hostname
    activate the encrypted password of WUGxGkjzJJSPhT9N
    volatile xlate deny tcp any4 any4
    volatile xlate deny tcp any4 any6
    volatile xlate deny tcp any6 any4
    volatile xlate deny tcp any6 any6
    volatile xlate deny udp any4 any4 eq field
    volatile xlate deny udp any4 any6 eq field
    volatile xlate deny udp any6 any4 eq field
    volatile xlate deny udp any6 any6 eq field
    WUGxGkjzJJSPhT9N encrypted passwd
    names of
    DNS-guard
    192.168.254.1 mask - local 192.168.254.25 pool XXXXX-Remote IP 255.255.255.0
    !
    interface Ethernet0/0
    Description-> Internet
    switchport access vlan 2
    !
    interface Ethernet0/1
    Description-> inside
    switchport access vlan 10
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
    Shutdown
    No nameif
    no level of security
    no ip address
    !
    interface Vlan2
    Description-> Internet<>
    nameif outside
    security-level 0
    address IP XXX.XXX. XXX.242 255.255.255.240
    !
    interface Vlan10
    nameif inside
    security-level 100
    IP 10.0.1.1 255.255.255.0
    !
    exec banner * W A R N I N G *.
    banner exec unauthorised access prohibited. All access is
    banner exec monitored and the intruder may be continued
    exec banner to the extent of the law.
    connection of the banner * W A R N I N G *.
    banner connect unauthorized access prohibited. All access is
    connection banner monitored, and intruders will be prosecuted
    connection banner to the extent of the law.
    Banner motd! ACCESS IS RESTRICTED TO AUTHORIZED PERSONNEL ONLY!
    Banner motd this is a private computer system.
    Banner motd, access is allowed only by authorized employees or agents of the
    company banner motd.
    Banner motd system can be used only for the authorized company.
    Banner motd business management approval is required for all access privileges.
    Banner motd, as this system is equipped with a safety system designed to prevent
    Banner motd and attempts of unauthorized access record.
    Banner motd
    Banner motd unauthorized access or use is a crime under the law.
    banner asdm XXXXX Enterprises Inc. $(hostname)
    boot system Disk0: / asa904-38 - k8.bin
    boot system Disk0: / asa904-29 - k8.bin
    passive FTP mode
    clock timezone PST - 8
    clock summer-time recurring PDT
    DNS domain-lookup outside
    permit same-security-traffic intra-interface
    object obj voip network
    10.1.1.0 subnet 255.255.255.0
    network object obj - 192.168.254.0


    192.168.254.0 subnet 255.255.255.0
    pool of local addresses of description
    object obj cue-network
    10.1.10.0 subnet 255.255.255.0
    object obj priv-network
    192.168.10.0 subnet 255.255.255.0
    object obj data network
    subnet 10.0.1.0 255.255.255.0
    network object obj - 192.168.0.0
    192.168.0.0 subnet 255.255.255.0
    Description not used
    network object obj - 192.168.1.0
    subnet 192.168.1.0 255.255.255.0
    Description not used
    object obj nj-asa-private-network
    Subnet 192.168.2.0 255.255.255.0
    network obj object -? asa-private-network
    192.168.5.0 subnet 255.255.255.0
    network obj object -? asa-private-network
    192.168.6.0 subnet 255.255.255.0
    network obj object -? -asa - private-network
    subnet 192.168.3.0 255.255.255.0
    network obj object -? asa-priv-networl
    subnet 192.168.4.0 255.255.255.0
    network obj object -? asa-private-network
    192.168.7.0 subnet 255.255.255.0
    object obj-asa-Interior-voip-nic network
    host 10.1.1.1
    network obj_any object
    subnet 0.0.0.0 0.0.0.0
    network obj_any-01 object
    subnet 0.0.0.0 0.0.0.0
    network object obj - 0.0.0.0
    host 0.0.0.0
    object obj-vpn-nic network
    Home 192.168.10.20
    object obj XXXX-asa-private-network
    192.168.8.0 subnet 255.255.255.0
    House of XXXX description
    network obj object -? asa-private-network
    192.168.9.0 subnet 255.255.255.0
    object asa inside-network data
    subnet 10.0.1.0 255.255.255.0
    asa data-outside-network object
    subnet XXX.XXX. XXX.240 255.255.255.240
    network of china-education-and-research-network-center object
    Home 202.194.158.191
    Acl explicitly blocked description
    China unicom shandong network item
    60.214.232.0 subnet 255.255.255.0
    Acl explicitly blocked description
    pbx-cue-Interior-nic network object
    Home 10.1.10.2
    pbx-cue-outside-nic network object
    host 10.1.10.1
    telepacific-voip-trunk network object
    Home 64.60.66.250
    Description is no longer used
    us-la-mianbaodianying network object
    Home 68.64.168.46
    Acl explicitly blocked description
    object network cue
    10.1.10.0 subnet 255.255.255.0
    private-network data object
    192.168.10.0 subnet 255.255.255.0
    pbx-outside-data-nic network object
    host 10.0.1.2
    pbx-voip-Interior-nic network object
    host 10.1.1.1
    voip network object
    10.1.1.0 subnet 255.255.255.0
    vpn-server-nic network object
    Home 192.168.10.20
    asa-data-outside-nic network object
    host XXX.XXX. XXX.242
    asa-voip-ctl-outside-nic network object
    host XXX.XXX. XXX.244
    the object 192.168.0.0 network
    192.168.0.0 subnet 255.255.255.0
    Description not used
    the object 192.168.1.0 network
    subnet 192.168.1.0 255.255.255.0
    Description not used
    nj-asa-priv-netowrk network object
    Subnet 192.168.2.0 255.255.255.0
    network of the 192.168.254.0 object
    192.168.254.0 subnet 255.255.255.0
    pool of local addresses of description
    network of the object? -asa - private-network
    subnet 192.168.3.0 255.255.255.0
    network of the object? asa-private-network
    subnet 192.168.4.0 255.255.255.0
    network of the object? asa-private-network
    192.168.5.0 subnet 255.255.255.0
    network of the object? asa-private-network
    192.168.6.0 subnet 255.255.255.0
    network of the object? asa-private-network
    192.168.7.0 subnet 255.255.255.0
    network of the object? asa-private-network
    192.168.9.0 subnet 255.255.255.0
    the XXXX-asa-private-network object network
    192.168.8.0 subnet 255.255.255.0
    network object XXX.XXX. XXX.242
    host XXX.XXX. XXX.242
    service object 47
    tcp source eq eq 47 47 destination service
    object network dvr
    Home 192.168.10.16
    network dvr-nat-tcp8888 object
    Home 192.168.10.16
    network dvr-nat-tcp6036 object
    Home 192.168.10.16
    network dvr-nat-udp6036 object
    Home 192.168.10.16
    dvr-8888 service object
    destination eq 8888 tcp service
    object-group Protocol TCPUDP
    object-protocol udp
    object-tcp protocol
    object-group service dvr-6036-tcp - udp
    port-object eq 6036
    détermine access-list extended allow object to ip pbx-outside-data-nic any4 inactive
    détermine access-list extended allow ip pbx-outside-data-nic inactive object any4
    access-list extended testout allowed ip object asa-voip-ctl-outside-nic any4 inactive
    access-list extended testout allowed ip any4 object asa-voip-ctl-outside-nic inactive
    XXXXX-Remote_splitTunnelAcl-list of allowed access standard 10.0.1.0 255.255.255.0
    XXXXX-Remote_splitTunnelAcl-list of allowed access standard 10.1.1.0 255.255.255.0
    XXXXX-Remote_splitTunnelAcl-list of allowed access standard 10.1.10.0 255.255.255.0
    XXXXX-Remote_splitTunnelAcl-list of allowed access standard 192.168.10.0 255.255.255.0
    inside_nat0_outbound list extended access permitted ip network voip 192.168.254.0 object
    inside_nat0_outbound list extended access permitted ip object cue-network 192.168.254.0
    inside_nat0_outbound list extended access permits data-private-network ip object 192.168.254.0 object
    inside_nat0_outbound list extended access permitted ip object asa-data-inside-network 192.168.254.0
    inside_nat0_outbound list extended access permitted ip voip-network 192.168.0.0 idle object
    inside_nat0_outbound list extended access permitted ip inactive cue-network 192.168.0.0 object
    inside_nat0_outbound list extended access allowed object data-private-network 192.168.0.0 inactive ip
    inside_nat0_outbound list extended access allowed object asa-data-inside-network 192.168.0.0 inactive ip
    inside_nat0_outbound list extended access permitted ip voip-network 192.168.1.0 idle object
    inside_nat0_outbound list extended access permitted ip inactive cue-network 192.168.1.0 object
    inside_nat0_outbound list extended access allowed object data-private-network 192.168.1.0 inactive ip
    inside_nat0_outbound list extended access allowed object asa-data-inside-network 192.168.1.0 inactive ip
    inside_nat0_outbound list extended access allowed object ip voip-network object nj-asa-priv-netowrk
    inside_nat0_outbound list extended access permitted ip cue-network object nj-asa-priv-netowrk object
    inside_nat0_outbound list extended access permitted ip object data-private-network nj-asa-priv-netowrk
    inside_nat0_outbound list extended access permitted ip object asa data-inside-network-nj-asa-priv-netowrk
    inside_nat0_outbound list extended access permitted ip cue-XXXX-asa-private-network network object
    inside_nat0_outbound extended access list permit ip object asa - Interior-data object XXXX-asa-private-network network
    inside_nat0_outbound list extended access permitted ip voip XXXX-asa-private-network network object
    inside_nat0_outbound list extended access allowed object of data-private-network ip XXXX-asa-private-network object
    ezvpn1 list standard access allowed 192.168.10.0 255.255.255.0
    ezvpn1 list standard access allowed 10.1.10.0 255.255.255.0
    ezvpn1 list standard access allowed 10.0.1.0 255.255.255.0
    ezvpn1 list standard access allowed 10.1.1.0 255.255.255.0
    ezvpn1 list standard access allowed 192.168.0.0 255.255.255.0
    ezvpn1 list standard access allowed 192.168.1.0 255.255.255.0
    ezvpn1 list standard access allowed 192.168.2.0 255.255.255.0
    ezvpn1 list standard access allowed 192.168.3.0 255.255.255.0
    ezvpn1 list standard access allowed 192.168.4.0 255.255.255.0
    ezvpn1 list standard access allowed 192.168.5.0 255.255.255.0
    ezvpn1 standard access list allow the 192.168.6.0 255.255.255.0
    ezvpn1 standard access list allow 192.168.7.0 255.255.255.0
    ezvpn1 standard access list allow 192.168.8.0 255.255.255.0
    ezvpn1 list standard access allowed 192.168.9.0 255.255.255.0
    access-list capout extended permitted udp object asa-data-outside-nic telepacific-voip-trunk inactive
    access-list capout extended permitted udp object telepacific-voip-trunk asa-data-outside-nic inactive
    allowed to capture access extended list ip pbx-cue-outside-nic object nj-asa-priv-netowrk
    allowed to capture access extended list ip pbx-cue-Interior-nic object nj-asa-priv-netowrk
    object capture allowed extended ip access list? object - asa-private-network pbx-cue-outside-nic
    object capture allowed extended ip access list? object - asa-private-network pbx-cue-Interior-nic
    capture extensive list ip pbx object nj-asa-priv-netowrk-cue-exterieur-nic object access permits
    capture extensive list ip pbx object nj-asa-priv-netowrk-cue-interieur-nic object access permits
    object capture allowed extended ip access list? object - asa-private-network pbx-cue-outside-nic
    object capture allowed extended ip access list? object - asa-private-network pbx-cue-Interior-nic
    ciscotest list extended access allowed host ip network voip 192.168.5.41 idle object
    access-list extended ciscotest allowed host 192.168.5.41 voip inactive ip network object
    ciscotest list extended access allowed host ip network voip 192.168.5.43 idle object
    access-list extended ciscotest allowed host 192.168.5.43 voip inactive ip network object
    access-list out_in note remote access attempted
    out_in list extended access deny ip object China unicom shandong network any4
    access-list out_in note remote access attempted
    out_in list extended access deny ip object we-the-mianbaodianying any4
    out_in list extended access deny SIP pbx-voip-Interior-nic EQ udp object china-education-and-research-network-center object
    out_in list extended access allow icmp any4 object vpn-server-nic
    out_in list extended access permitted tcp any4 pptp vpn-server-nic eq of object
    out_in list extended access permitted tcp any4 object vpn-server-nic eq 47
    out_in list extended access allow accord any4 object vpn-server-nic
    out_in list extended access allow icmp any4 object pbx-voip-Interior-nic
    out_in list extended access permitted udp any4 object pbx-voip-Interior-nic eq tftp
    out_in list extended access permitted tcp any4 object pbx-voip-Interior-nic eq h323
    out_in list extended access permitted udp any4 sip pbx-voip-Interior-nic eq of object
    Comment from out_in-HTTPS access outside the access list
    out_in list extended access permitted tcp any4 object data-private-network eq https
    outside_access_in list extended access allow icmp host 192.168.10.20 any4
    access-list extended outside_access_in permit tcp host 192.168.10.20 any4 eq pptp
    outside_access_in list extended access allowed host any4 object 47 192.168.10.20
    outside_access_in list extended access allow accord any4 host 192.168.10.20
    outside_access_in list extended access permit tcp any object dvr dvr-6036 object-group
    outside_access_in list extended access permit udp any object dvr dvr-6036 object-group
    outside_access_in list extended access allowed object dvr-8888 any object dvr
    outside_access_in list extended access allow icmp any4 host 10.1.1.1
    access-list extended outside_access_in permit udp host 10.1.1.1 any4 eq tftp
    access-list extended outside_access_in permit tcp host 10.1.1.1 any4 eq h323
    access-list allowed outside_access_in extended udp any4 host 10.1.1.1 eq sip
    go to list of access outside_access_in note incoming https.
    outside_access_in list extended access permitted tcp any4 192.168.10.0 255.255.255.0 eq https
    pager lines 24
    Enable logging
    exploitation forest-size of the buffer 1048576
    monitor debug logging
    debug logging in buffered memory
    asdm of logging of information
    address record [email protected] / * /
    exploitation forest-address recipient [email protected] / * / level of errors
    exploitation forest flash-bufferwrap
    No registration message 106015
    No message logging 313001
    No registration message 313008
    no logging message 106023
    No message logging 710003
    no logging message 106100
    No message logging 302015
    No message recording 302014
    No message logging 302013
    No message logging 302018
    No message logging 302017
    No message logging 302016
    No message logging 302021
    No message logging 302020
    destination of exports flow inside 192.168.10.20 4432
    Outside 1500 MTU
    Within 1500 MTU
    ICMP unreachable rate-limit 3 burst-size 1
    ICMP allow any response of echo outdoors
    ICMP allow any echo outdoors
    ICMP allow any inaccessible outside
    ICMP permitted host 75.140.0.86 outside
    ICMP allow any inside
    ASDM image disk0: / asdm-715 - 100.bin
    don't allow no asdm history
    ARP timeout 14400
    no permit-nonconnected arp
    NAT (inside, all) static source network-voip-obj obj-voip-network destination static obj - 192.168.254.0 obj - 192.168.254.0 no-proxy-arp-search to itinerary
    NAT (inside, all) static source network-cue-obj obj-cue-network destination static obj - 192.168.254.0 obj - 192.168.254.0 no-proxy-arp-search to itinerary
    NAT (inside, all) static source network-priv-obj obj-private-network destination static obj - 192.168.254.0 obj - 192.168.254.0 no-proxy-arp-search to itinerary
    NAT (inside, all) static obj-data-network-obj-network destination static obj - 192.168.254.0 obj - 192.168.254.0 no-proxy-arp-search to itinerary
    NAT (inside, all) static source network-voip-obj obj-voip-network destination static obj - 192.168.0.0 obj - 192.168.0.0 to route non-proxy-arp-search inactive
    NAT (inside, all) static source network-cue-obj obj-cue-network destination static obj - 192.168.0.0 obj - 192.168.0.0 to route non-proxy-arp-search inactive
    NAT (inside, all) static source network-priv-obj obj-private-network destination static obj - 192.168.0.0 obj - 192.168.0.0 to route non-proxy-arp-search inactive
    NAT (inside, all) static obj-data-network-obj-network source destination static obj - 192.168.0.0 obj - 192.168.0.0 to route non-proxy-arp-search inactive
    NAT (inside, all) static source network-voip-obj obj-voip-network destination static obj - 192.168.1.0 obj - 192.168.1.0 to route non-proxy-arp-search inactive
    NAT (inside, all) static source network-cue-obj obj-cue-network destination static obj - 192.168.1.0 obj - 192.168.1.0 to route non-proxy-arp-search inactive
    NAT (inside, all) static source network-priv-obj obj-private-network destination static obj - 192.168.1.0 obj - 192.168.1.0 to route non-proxy-arp-search inactive
    NAT (inside, all) static obj-data-network-obj-network source destination static obj - 192.168.1.0 obj - 192.168.1.0 to route non-proxy-arp-search inactive
    NAT (inside, all) static source network-voip-obj obj-voip-network destination static obj-nj-asa-private-network obj-nj-asa-private-network non-proxy-arp-search directions
    NAT (inside, all) static source network-cue-obj obj-cue-network destination static obj-nj-asa-private-network obj-nj-asa-private-network non-proxy-arp-search directions
    NAT (inside, all) static source network-priv-obj obj-private-network destination static obj-nj-asa-private-network obj-nj-asa-private-network non-proxy-arp-search directions
    NAT (inside, all) static obj-data-network-obj-network source destination static obj-nj-asa-private-network obj-nj-asa-private-network non-proxy-arp-search directions
    NAT (inside, all) static obj-data-network-obj-network destination static obj -? -asa - private - network obj -? -asa - private-network non-proxy-arp-route search
    NAT (inside, all) static source network-voip-obj obj-voip-network destination static obj -? -asa - private - network obj -? -asa - private-network non-proxy-arp-route search
    NAT (inside, all) static source network-cue-obj obj-cue-network destination static obj -? -asa - private - network obj -? -asa - private-network non-proxy-arp-route search
    NAT (inside, all) static source network-priv-obj obj-private-network destination static obj -? -asa - private - network obj -? -asa - private-network non-proxy-arp-route search
    static static obj obj-data-network-obj-network destination NAT (inside, all) source -? -asa-priv-networl obj -? -asa-priv-networl non-proxy-arp-route search
    static static obj obj-voip-network obj-voip-network destination NAT (inside, all) source -? -asa-priv-networl obj -? -asa-priv-networl non-proxy-arp-route search
    static static obj obj-cue-network obj-cue-network destination NAT (inside, all) source -? -asa-priv-networl obj -? -asa-priv-networl non-proxy-arp-route search
    static static obj obj-private-network obj-private-network destination NAT (inside, all) source -? -asa-priv-networl obj -? -asa-priv-networl non-proxy-arp-route search
    static static obj obj-cue-network obj-cue-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
    static static obj obj-data-network-obj-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
    static static obj obj-voip-network obj-voip-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
    static static obj obj-private-network obj-private-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
    static static obj obj-data-network-obj-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
    static static obj obj-voip-network obj-voip-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
    static static obj obj-cue-network obj-cue-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
    static static obj obj-private-network obj-private-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
    static static obj obj-data-network-obj-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
    static static obj obj-voip-network obj-voip-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
    static static obj obj-cue-network obj-cue-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
    static static obj obj-private-network obj-private-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
    NAT (inside, all) static obj-data-network-obj-network source destination static obj-XXXX-asa-private-network obj-XXXX-asa-private-network non-proxy-arp-search directions
    NAT (inside, all) static source network-voip-obj obj-voip-network destination static obj-XXXX-asa-private-network obj-XXXX-asa-private-network non-proxy-arp-search directions
    NAT (inside, all) static source network-cue-obj obj-cue-network destination static obj-XXXX-asa-private-network obj-XXXX-asa-private-network non-proxy-arp-search directions
    NAT (inside, all) static source network-priv-obj obj-private-network destination static obj-XXXX-asa-private-network obj-XXXX-asa-private-network non-proxy-arp-search directions
    static static obj obj-data-network-obj-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
    static static obj obj-voip-network obj-voip-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
    static static obj obj-cue-network obj-cue-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
    static static obj obj-private-network obj-private-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
    !
    object obj-asa-Interior-voip-nic network
    NAT XXX.XXX static (inside, outside). XXX.244
    network obj_any object
    NAT dynamic interface (indoor, outdoor)
    network obj_any-01 object
    NAT (inside, outside) dynamic obj - 0.0.0.0
    object obj-vpn-nic network
    NAT XXX.XXX static (inside, outside). XXX.254
    network dvr-nat-tcp8888 object
    NAT (inside, outside) interface static 8888 8888 tcp service
    network dvr-nat-tcp6036 object
    NAT (inside, outside) interface static 6036 6036 tcp service
    network dvr-nat-udp6036 object
    NAT (inside, outside) interface static service udp 6036 6036
    Access-group outside_access_in in interface outside
    Route outside 0.0.0.0 0.0.0.0 XXX.XXX. XXX.241 1
    Route inside 10.1.1.0 255.255.255.0 10.0.1.2 1
    Route inside 10.1.10.0 255.255.255.252 10.0.1.2 1
    Route inside 192.168.10.0 255.255.255.0 10.0.1.2 1
    Timeout xlate 03:00
    Pat-xlate timeout 0:00:30
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    Floating conn timeout 0:00:00
    dynamic-access-policy-registration DfltAccessPolicy
    identity of the user by default-domain LOCAL
    the ssh LOCAL console AAA authentication
    AAA authentication http LOCAL console
    AAA authentication enable LOCAL console
    LOCAL AAA authentication serial console
    AAA authentication LOCAL telnet console
    Enable http server
    http 192.168.10.0 255.255.255.0 inside
    http 10.0.1.0 255.255.255.0 inside
    http 192.168.254.0 255.255.255.0 inside
    http 0.0.0.0 0.0.0.0 outdoors
    authentication & encryption v3 private Server SNMP group
    SNMP server group No_Authentication_No_Encryption v3 /noauth
    SNMP-server host inside the 192.168.10.20 community *.
    Server SNMP Ontario, CA location
    SNMP Server contact [email protected] / * /
    Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
    Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
    Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
    Crypto ipsec pmtu aging infinite - the security association
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
    Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256

    -MD5-ESP-3DES-MD5 ESP-3DES-SHA SHA-DES-ESP ESP - THE - MD5
    Crypto dynamic-map myDYN-card 5 set transform-set ESP-DES-MD5 ikev1
    outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
    outside_map interface card crypto outside
    dynamic crypto isakmp 65535 ipsec myDYN-map myMAP map
    Crypto ca trustpoint CAP-RTP-001_trustpoint
    Terminal registration
    Configure CRL
    Crypto ca trustpoint CAP-RTP-002_trustpoint
    Terminal registration
    Configure CRL
    Crypto ca trustpoint _internal_ctl_phoneproxy_file_SAST_0
    registration auto
    full domain name no
    name of the object cn = "_internal_ctl_phoneproxy_file_SAST_0"; UO = "STG"; o = "Cisco Inc."
    _internal_ctl_phoneproxy_file_SAST_0 key pair
    Configure CRL
    Crypto ca trustpoint _internal_ctl_phoneproxy_file_SAST_1
    registration auto
    full domain name no
    name of the object cn = "_internal_ctl_phoneproxy_file_SAST_1"; UO = "STG"; o = "Cisco Inc."
    _internal_ctl_phoneproxy_file_SAST_1 key pair
    Configure CRL
    Crypto ca trustpoint _internal_PP_ctl_phoneproxy_file
    registration auto
    full domain name no
    name of the object cn = "_internal_PP_ctl_phoneproxy_file"; UO = "STG"; o = "Cisco Inc."
    _internal_PP_ctl_phoneproxy_file key pair
    Configure CRL
    Crypto ca trustpoint Cisco-Mfg-CA
    Terminal registration
    Configure CRL
    Crypto ca trustpoint phoneproxy_trustpoint
    registration auto
    full domain name XXXXXXXXXX.com
    name of the object CN = XXXXXX - ASA
    phoneproxy_trustpoint key pair
    Configure CRL
    trustpool crypto ca policy
    string encryption CAP-RTP-001_trustpoint ca certificates
    certificate ca 7612f960153d6f9f4e42202032b72356
    quit smoking
    string encryption CAP-RTP-002_trustpoint ca certificates
    certificate ca 353fb24bd70f14a346c1f3a9ac725675
    quit smoking
    Crypto ca certificate chain _internal_ctl_phoneproxy_file_SAST_0
    certificate e1aee24c
    CA
    quit smoking
    Crypto ca certificate chain _internal_ctl_phoneproxy_file_SAST_1
    certificate e4aee24c
    quit smoking
    Crypto ca certificate chain _internal_PP_ctl_phoneproxy_file
    certificate e8aee24c
    quit smoking
    a string of ca crypto Cisco-Mfg-CA certificates
    certificate ca 6a6967b3000000000003
    quit smoking
    Crypto ca certificate chain phoneproxy_trustpoint
    certificate 83cbe64c
    quit smoking
    Crypto ikev1 allow outside
    IKEv1 crypto policy 5
    preshared authentication
    the Encryption
    md5 hash
    Group 2
    life 86400
    IKEv1 crypto policy 10
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    Telnet timeout 5
    SSH 10.0.1.0 255.255.255.0 inside
    SSH 0.0.0.0 0.0.0.0 inside
    SSH timeout 60
    Console timeout 0
    management-access inside

    priority-queue outdoors
    TX-ring-limit of 256
    !
    maximum-session TLS-proxy 24
    !
    !
    TLS-proxy tls_proxy
    _internal_PP_ctl_phoneproxy_file point server trust
    CTL-file ctl_phoneproxy_file
    file-entry cucm-tftp trustpoint phoneproxy_trustpoint address 73.200.75.244
    !
    Media-termination asdm_media_termination
    address XXX.XXX. XXX.245 outside interface
    address interface inside 10.0.1.245

    !
    Phone-proxy asdm_phone_proxy
    Media-termination asdm_media_termination
    interface address 10.1.1.1 TFTP server on the inside
    TLS-proxy tls_proxy
    no settings disable service
    XXX.XXX proxy server address. Outside the xxx.242 80 interface
    a basic threat threat detection
    threat detection statistics
    a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200
    NTP server 192.168.10.60 source inside
    internal group myGROUP strategy
    Group myGROUP policy attributes
    VPN-idle-timeout no
    VPN-session-timeout no
    Split-tunnel-policy tunnelspecified
    value of Split-tunnel-network-list ezvpn1
    allow to NEM
    XXXXX group policy / internal remote
    attributes of group XXXXX policy / remote
    Ikev1 VPN-tunnel-Protocol
    Split-tunnel-policy tunnelspecified
    Split-tunnel-network-list value XXXXX-Remote_splitTunnelAcl
    fstorm encrypted EICAA5sjaiU.vh05 privilege 15 password username
    username fstorm attributes
    type of remote access service
    username password encrypted PPfytzRN94JBZlXh privilege 0 ciscotac
    username cisco password encrypted privilege 15 omWHH15zt6aLxWSr
    attributes username cisco
    type of remote access service
    username XXXXXu8 encrypted password rmZe1Ee0HeReQn6N
    username XXXXXu8 attributes
    type of remote access service
    username password uniadmin G72KWXo/GsACJLJ7 encrypted privilege 15
    username XXXXXU1 encrypted password privilege 0 rmZe1Ee0HeReQn6N
    username XXXXXU1 attributes
    Strategy Group-VPN-XXXXX / remote
    type of remote access service
    username XXXXXu3 encrypted password rmZe1Ee0HeReQn6N
    username XXXXXu3 attributes
    type of remote access service
    username XXXXXu2 encrypted password rmZe1Ee0HeReQn6N
    username XXXXXu2 attributes
    type of remote access service
    username XXXXXu5 encrypted password rmZe1Ee0HeReQn6N
    username XXXXXu5 attributes
    type of remote access service
    username XXXXXu4 encrypted password rmZe1Ee0HeReQn6N
    username XXXXXu4 attributes
    type of remote access service
    username XXXXXu7 encrypted password rmZe1Ee0HeReQn6N
    username XXXXXu7 attributes
    type of remote access service
    username XXXXXu6 encrypted password rmZe1Ee0HeReQn6N
    username XXXXXu6 attributes
    type of remote access service
    tunnel-group XXXXX type remote access / remote
    attributes global-tunnel-group XXXXX / remote
    XXXXX address pool / remote
    Group Policy - by default-XXXXX / remote
    IPSec-attributes tunnel-group XXXXX / remote
    IKEv1 pre-shared-key *.
    type tunnel-group mytunnel remote access
    tunnel-group mytunnel General-attributes
    strategy - by default-group myGROUP
    mytunnel group of tunnel ipsec-attributes
    IKEv1 pre-shared-key *.
    !
    class-card CM-VOICE-SIGNAL
    match dscp af31
    class-map-outside-phoneproxy
    match eq 2443 tcp port
    class-map inspection_default
    match default-inspection-traffic
    Class-map data
    match flow ip destination-address
    match tunnel-group mytunnel
    class-card CM-VOICE
    match dscp ef
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    maximum message length automatic of customer
    message-length maximum 1024
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    Review the ip options
    inspect the pptp
    inspect the icmp
    class class by default
    Statistical accounting of user
    flow-export-type of event all 192.168.10.20 destination
    outside-policy policy-map
    class outside-phoneproxy
    inspect the thin phone-proxy asdm_phone_proxy
    CM-VOICE class
    priority
    CM-VOICE-SIGNAL class
    priority
    World-Policy policy-map
    !
    global service-policy global_policy
    207.46.163.138 SMTP server
    context of prompt hostname
    no remote anonymous reporting call
    call-home
    Profile of CiscoTAC-1
    no active account
    http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
    email address of destination [email protected] / * /
    destination-mode http transport
    Subscribe to alert-group diagnosis
    Subscribe to alert-group environment
    Subscribe to alert-group monthly periodic inventory
    monthly periodicals to subscribe to alert-group configuration
    daily periodic subscribe to alert-group telemetry
    HPM topN enable
    Cryptochecksum:8bb3014c2a6deba7c80e5f897b3d34cb
    : end

    If someone could give a clue as to what could be the problem, I would appreciate it.

    / / / / o ? 0:o); ++ rc; c ++) a [c] .apply (i, r); var s = f [g [n]]; {return s & s.push ([m, n, r, i]), I} function p (e, t) {[e] w = l (e) .concat (t)} function l (e) {return [e] w |} []} function d (e) {return s [e] [e] s =: o (n)} function v (e, t) {c (e, function (e, n) {t = t |})} "" featured ", g [n] = t, f t | (f[t]=[])})} var w = {,} g = {}, m = {on: p, emit: n, get: d, listeners: l, context: t, buffer: v}; "return m} function i() {return new r} var a ='[email protected] / * /', u = e ("GDS"), (2) c = e, f is {}, s = {}, p is t.exports = o (); [p.backlog = f}, {}], gos: [function (e, t, n) {function r (e, t, n) {if (o.call (e, t)) e [t] return; var r = n (); if (Object.defineProperty & Object.keys) try {return Object.defineProperty (e t, {value: r, available in writing:! 0, countable:! 1}), r} catch (i) {return [t] = r, r e} var o = Object.prototype.hasOwnProperty; t.exports = r}, {}], handle: [function (e, t, n) {function r (e, t, n [{(, r) {o.buffer([e],r), o.emit(e,t,n)} var o = e("ee").get ("handle"); t.exports = r, r.ee = o}, {}], id: [function (e, t, n) {function r (e) {var t = typeof e; return! e |}}] "(» Object"!==t&&"function"!==t?-1:e===Window?0:a(e,i,Function() {return o ++})} var o = 1, I = "[email protected] / * /', a = e ("gos"); [t.exports = r}, {}], charger: [function (e, t, n) {function r() {if(!w++) {var e = v.info = NREUM.info, t = s.getElementsByTagName ("script") [0]; if(e&&e.licenseKey&&e.applicationID&&t) {c (l, function (t, n) {[t] e |})}}}}] (e [t] = n)}) ; var n = "https" = p.split (":") [0] | e.sslForHttp; v.proto = n? ([' https://":"http://",u("Mark",["OnLoad",a ()], null,"api"); var r = s.createElement ("script");r.src=v.proto+e.agent,t.parentNode.insertBefore(r,t)}}} function o() {"complete" = s.readyState & i ()} function i() {u ("mark", ["domContent", a ()], null, "api")} function a() {return (new Date) .getTime ()} var u = e ('handful'), c = e (2), f = window, s = f.document; NREUM.o = {ST:setTimeout, CT:clearTimeout, XHR:f.XMLHttpRequest, REQ:f.Request, EV:f.Event, PR:f.Promise, MO:f.MutationObserver}, e (1); var p=""+location,l={beacon:"bam.nr-data.net",errorBeacon:"bam.nr-data.net",agent:"js-agent.newrelic.com/nr-918.min.js"},d=window. XMLHttpRequest&&XMLHttpRequest.prototype&&XMLHttpRequest.prototype.addEventListener&&!/CriOS/.test (navigator.userAgent), v = t.exports = {offset: a (), original: p, features: {}, xhrWrappable:d}; s.addEventListener? (s.addEventListener("DOMContentLoaded",i,!1),f.addEventListener("load",r,!1)):(s.attachEvent("onreadystatechange",o),f.attachEvent("onload",r)),u("mark",["firstbyte",a ()], null, "api"); ({[var w = 0}, {}]}, {}, ["loader"]); // ]]> // // //

    Glad you were able to solve the problem! Also, thank you for taking the time to come back and post the solution here (+ 5 from me)!

    Now, given that your issue is resolved, you must mark the thread as "answered" :)

    Thank you for evaluating useful messages!

Maybe you are looking for

  • iPod shuffle repeating same song

    iPod shuffle suddenly continues to repeat same song - can manually switch to the next track in a playlist, but cannot see how to activate this repetition off the shuffle?  I have a lot of songs in all the selections, I do not see a feature "a song" o

  • browser access to HTTPS, but not HTTP sites

    I had recently several pop ups on a site I visited. I ran malware bytes and cleaned the system. Right after it happened, I was not able to visit HTTP sites. My browsers (Safari and Firefox) will be connect to secure sites (HTTPS), but I get the error

  • BOOTMGR not found - cannot start Windows

    I have a similar problem... Start the computer and I get:-BOOTMGR not found... Press Ctrl + Alt + Del I put the Toshiba recovery disc in and it registered no operating system... I finally gave up and removed the completely hardrive and tried to insta

  • Is possible to go wireless with a PS181C-00CET?

    I have a Toshiba Satellite, model PS181C-00CET. It has an Ethernet LAN card that works very well. Is there something I can do to run wireless on my G network or is it a question of setting up properly. Note that I use XP. Thank you Ford

  • SW5-271 switch 12 - functions of a mouse sometimes do not work.

    Hello Sometimes when I turn on the keyboard, the mouse functions do not work. I can't left or do a right-click and node pointer does not respond. Any ideas? Thank you!