Netmask 255.255.0.0 leading to strange IP addresses
Hello
My modem is an EPC3925 and my router is an E4200. All my PCs, printers, etc. are connected to the E4200 router.
Because one of my network storage devices had a static IP address outside the subnet, I decided to change the subnet mask of the E4200 and of one of my PCs to 255.255.0.0. After that, I was able to connect to the web interface of the network storage unit.
However, I could no longer connect to the E4200, so I decided to restart my PC. After that, it had a completely strange IP address that did not begin with 192.168...
I immediately reset the E4200 to factory settings to avoid further damage. I changed the subnet mask of the PC back to normal and was able to connect to the E4200 again.
Question: why did my PC receive a strange IP address? Was I connected to one of my neighbors' DHCP servers? Or would the modem/router EPC3925 prevent that?
Thanks in advance,
SJW
Was it a 169. IP? That indicates that it was not able to talk to a DHCP server, so your PC had a self-assigned IP address.
Similar Questions
-
Getting a strange IPv4 address from the DHCP server
Hi all
As the title says, I got a strange IP from the DHCP server: 169.254.XXX.XXX.
I used Wireshark and tried to capture the bootp packets. I found that my laptop used 169.254.xxx.xxx as the source address to send the DHCP Discover.
In addition, there is an option called Requested IP Address whose content is 169.254.xxx.xxx, the same as my source address.
I couldn't access the Internet with this IP address.
I was wondering, is it normal behavior for Windows 7 to use 169.254.xxx.xxx to send the DHCP Discover?
A DHCP request is sent to the universal broadcast address 255.255.255.255, which is one of the addresses a server listens on. The request includes the MAC address of the requesting device because at this point it does not have an IP address. The DHCP server responds to the MAC address in order to assign the address.
In your case, the 169.254 range is called an APIPA address, and the PC actually assigns it to itself because it did not see a response from the DHCP server. Since you mentioned Wireshark, here is some reading on it:
http://wiki.Wireshark.org/APIPA
The client may not send the request from this address and get a response, because the DHCP server is not listening on that address or range. The response has to be done via the MAC.
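As an added example (not code from the original thread), the following Python decoder shows what the poster saw in Wireshark: it parses the BOOTP header and option list of a DHCP Discover and flags a source address or Requested IP Address (option 50) in the APIPA range 169.254.0.0/16. The messages it examines are constructed in the script, not taken from a capture.

```python
"""Decode a DHCP message and flag the APIPA symptoms seen in the capture above.

Constructed test messages stand in for the Wireshark capture; nothing here
talks to a real network.
"""
import ipaddress
import struct
from typing import Optional

APIPA_NET = ipaddress.ip_network("169.254.0.0/16")  # RFC 3927 link-local range
MAGIC_COOKIE = b"\x63\x82\x53\x63"                  # marks the start of DHCP options
UNSPECIFIED = ipaddress.ip_address("0.0.0.0")
DHCP_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
SAMPLE_MAC = bytes.fromhex("001122334455")          # constructed client MAC


def parse_dhcp(payload: bytes) -> dict:
    """Decode the fixed BOOTP header (RFC 2131) and the TLV option list (RFC 2132)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    ciaddr, yiaddr, siaddr, giaddr = (
        ipaddress.ip_address(payload[o:o + 4]) for o in (12, 16, 20, 24)
    )
    chaddr = payload[28:28 + hlen]
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                # END option
            break
        if code == 0:                  # PAD option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = options.get(53, b"\x00")[0]
    return {
        "op": op,
        "xid": xid,
        "type": DHCP_TYPES.get(msg_type, f"type-{msg_type}"),
        "client_mac": chaddr.hex(":"),
        "ciaddr": ciaddr,
        "yiaddr": yiaddr,
        "options": options,
    }


def diagnose(src_ip: str, payload: bytes) -> dict:
    """Explain what a client's DHCP message says about its DHCP state."""
    msg = parse_dhcp(payload)
    src = ipaddress.ip_address(src_ip)
    requested = msg["options"].get(50)
    requested = ipaddress.ip_address(requested) if requested else None
    findings = []
    if src in APIPA_NET:
        findings.append("IP source is an APIPA address: the host self-assigned after no DHCP reply")
    if msg["type"] == "DISCOVER" and src != UNSPECIFIED:
        findings.append("DISCOVER sent from a non-zero source; a fresh client uses 0.0.0.0")
    if requested is not None and requested in APIPA_NET:
        findings.append("option 50 asks the server to confirm the self-assigned 169.254 address")
    verdict = "APIPA fallback: no DHCP server answered" if findings else "normal"
    return {
        "type": msg["type"],
        "client_mac": msg["client_mac"],
        "requested": str(requested) if requested else None,
        "findings": findings,
        "verdict": verdict,
    }


def build_discover(mac: bytes, requested: Optional[str] = None) -> bytes:
    """Construct a minimal DHCPDISCOVER (test input, not a captured frame)."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x3903F326, 0, 0x8000)  # op=BOOTREQUEST
    hdr += b"\x00" * 16                        # ciaddr, yiaddr, siaddr, giaddr
    hdr += mac + b"\x00" * (16 - len(mac))     # chaddr (16 bytes)
    hdr += b"\x00" * 192                       # sname + file
    opts = MAGIC_COOKIE + bytes([53, 1, 1])    # option 53: DHCP message type DISCOVER
    if requested:
        opts += bytes([50, 4]) + ipaddress.ip_address(requested).packed  # option 50
    return hdr + opts + b"\xff"


if __name__ == "__main__":
    # Reproduction of the capture: source and option 50 both in 169.254.0.0/16.
    bad = diagnose("169.254.12.34", build_discover(SAMPLE_MAC, "169.254.12.34"))
    good = diagnose("0.0.0.0", build_discover(SAMPLE_MAC))
    for result in (bad, good):
        print(result["verdict"], result["findings"])
```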
-
Need help, there is a strange thing with the PIX!
For the diagram please see www.ciscofan.com/smbc.jpg
The EBS router has an NM-1CE1U and an NM-30DM, so remote clients can dial in to the network. The PBOC router has a WIC-2T module and connects to the remote site via EBS DDN. The IP address of the PIX ebs interface is x.x.45.2, the IP address of the EBS router's Ethernet is x.x.45.1, and the pool of IP addresses the remote clients can get is x.x.45.110-x.x.45.140. The inside interface of the PIX 515E is x.x.44.1. I am using nat 0 0 0 to avoid any NAT (imagine the PIX as a router).
Then the strange thing happens: after configuration, the EBS router cannot ping any address like x.x.44.x. After x.x.45.1 pings server1, both the dialer clients and the EBS router can ping server1, but they cannot ping server2; after x.x.45.1 (the EBS router) pings server2, the two dialer clients and the EBS router can ping server2, etc. That is, computers inside must ping computers outside first, and then the external computers can access (including ping) the inside servers.
And the even stranger thing: if there is no traffic between EBS and the remote client (or the EBS router) for some time (maybe a few hours, but I'm not sure), the remote dialer clients or the EBS router cannot ping (access) the inside servers. For instance, after one night, in the morning, the remote dialer clients or the EBS router cannot ping x.x.44.x. It seems there is some timeout configuration, but how can I set it up?
What follows is the pix (515e) configuration:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security15
nameif ethernet4 ebs security20
nameif ethernet5 pboc security25
enable password n5vL encrypted
passwd 2KFQn encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 auto shutdown
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto
interface ethernet5 auto
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu ebs 1500
mtu pboc 1500
ip address outside 127.0.0.1 255.0.0.0
ip address inside x.x.44.1 255.255.255.0
ip address intf2 129.0.0.1 255.255.255.0
ip address intf3 127.0.0.1 255.255.255.255
ip address ebs x.x.45.2 255.255.255.0
ip address pboc x.x.46.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address ebs 0.0.0.0
failover ip address pboc 0.0.0.0
pdm history enable
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
conduit permit ip any any
route pboc 10.24.15.0 255.255.255.0 x.x.46.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
You have no static command to create the static translation slots. Thus you rely on outbound connections to create temporary translation slots, but since these are not permanent, you will have problems.
static (inside,outside) x.x.44.0 x.x.44.0 netmask 255.255.255.0
Good luck.
-
Strange behaviour of PIX - cannot access all protocols from high to low security
I have a 515 with four active interfaces (three physical and one VLAN). I have a DMZ interface with security level 6. From the inside network (security 100) I can only access hosts on the DMZ using HTTP. Ping and telnet do not work, while they do work when I am connected directly to the DMZ network. The DMZ network is flat and all hosts have the PIX as their default gateway. Here is a copy of the current configuration. Am I missing something? This shouldn't be so hard!
Thank you
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
interface ethernet1 vlan11 logical
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 grandhome security6
nameif vlan11 guest security99
hostname DBADAPIX
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name xx.xx.167.101 QualityAirPC_OUTSIDE
name 192.168.100.90 QualityAirPC
access-list rdvvpn permit ip 172.18.34.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list sheep permit ip 172.18.34.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_access_in permit tcp any host QualityAirPC_OUTSIDE eq https
pager lines 24
logging on
logging timestamp
logging buffered debugging
logging trap errors
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu grandhome 1500
ip address outside xx.xx.167.97 255.255.255.248
ip address inside 172.18.34.1 255.255.255.0
ip address grandhome 192.168.100.1 255.255.255.0
ip address guest 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 interface
global (grandhome) 1 interface
nat (inside) 0 access-list sheep
nat (inside) 1 172.18.34.0 255.255.255.0 0 0
nat (grandhome) 1 192.168.100.0 255.255.255.0 0 0
nat (guest) 1 192.168.10.0 255.255.255.0 0 0
static (grandhome,outside) QualityAirPC_OUTSIDE QualityAirPC netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.167.102 1
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set rdvvpnset esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map rdvvpnmap 10 ipsec-isakmp
crypto map rdvvpnmap 10 match address rdvvpn
crypto map rdvvpnmap 10 set peer xx.xx.71.66
crypto map rdvvpnmap 10 set transform-set ESP-DES-SHA
crypto map rdvvpnmap 10 set security-association lifetime seconds 43200 kilobytes 4608000
crypto map rdvvpnmap interface outside
isakmp enable outside
isakmp key ******** address xx.xx.71.66 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
dhcpd address 172.18.34.100-172.18.34.199 inside
dhcpd address 192.168.100.100-192.168.100.109 grandhome
dhcpd address 192.168.10.100-192.168.10.199 guest
dhcpd dns 64.x.37.x.39.140.42
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
dhcpd enable grandhome
dhcpd enable guest
To allow pings to return, you must permit the traffic; it is not allowed by default.
Apply the ACL inbound on the DMZ interface:
access-list dmz-in permit icmp any any echo-reply
access-list dmz-in permit icmp any any time-exceeded
access-list dmz-in permit icmp any any unreachable
If you try to ping the DMZ interface itself from the inside, you can't. Telnet to this interface is not allowed either, unless through an IPsec tunnel. You should be able to telnet to a server in the DMZ without problem.
-
Strange ASA 5505 behavior: SAs don't exist?
Hello
I just bought a new ASA 5505 to implement two LAN-to-LAN VPNs.
It seems to me that it is configured correctly, but the tunnels won't come up.
asaccb2# show crypto ipsec sa
There are no ipsec sas
I don't see any SAs configured even though I HAVE configured them.
I get nothing with "debug crypto ipsec".
I don't know what's going wrong here and I am puzzled.
A similar setup has always worked on many other ASAs I have set up.
I also have the same problem with
show xlate detail
0 in use, 0 most used
It seems that NAT and VPN are not turned on, but I have entered the nat-control command and I have assigned the crypto map to the outside interface,
so I do not understand.
The VPN configuration is correct in my opinion.
my local network is 192.168.203.0/24
my outside public address is 89.e.r.h
my address is 192.168.203.1
the default router for the ASA is 89.e.r.f
First L2L:
VPN peer 80.x.y.z
destination networks
80.93.77.0
80.93.78.0
10.174.0.0
172.19.0.0
my local network must be translated to 10.178.54.224/27 towards the other side of the tunnel
Second L2L:
VPN peer 91.a.b.c.d
destination network 192.168.200.0/24, no translation of my clients towards the other side
Here is my ASA config:
: Written by enable_15 at 13:11:43.279 CET Monday, February 21, 2011
!
ASA Version 8.2(1)
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.203.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 89.e.r.h 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CET 1
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list SEAT extended permit ip 192.168.203.0 255.255.255.0 80.93.77.0 255.255.255.0
access-list SEAT extended permit ip 192.168.203.0 255.255.255.0 80.93.78.0 255.255.255.0
access-list SEAT extended permit ip 192.168.203.0 255.255.255.0 10.174.0.0 255.255.0.0
access-list SEAT extended permit ip 192.168.203.0 255.255.255.0 172.19.0.0 255.255.0.0
access-list SEATvpn extended permit ip 10.178.54.224 255.255.255.224 80.93.77.0 255.255.255.0
access-list SEATvpn extended permit ip 10.178.54.224 255.255.255.224 80.93.78.0 255.255.255.0
access-list SEATvpn extended permit ip 10.178.54.224 255.255.255.224 10.174.0.0 255.255.0.0
access-list SEATvpn extended permit ip 10.178.54.224 255.255.255.224 172.19.0.0 255.255.0.0
access-list DVRvpn extended permit ip 192.168.203.0 255.255.255.0 192.168.200.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 10.178.54.224-10.178.54.254 netmask 255.255.255.224
nat (inside) 1 access-list SEAT
route outside 10.174.0.0 255.255.0.0 89.e.r.f 1
route outside 80.93.77.0 255.255.255.0 89.e.r.f 1
route outside 80.93.78.0 255.255.255.0 89.e.r.f 1
route outside 80.93.79.168 255.255.255.255 89.e.r.f 1
route outside 172.19.0.0 255.255.0.0 89.e.r.f 1
route outside 192.168.200.0 255.255.255.0 89.e.r.f 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set SEATset esp-3des esp-md5-hmac
crypto ipsec transform-set DVRset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 4608000
crypto map SEATmap 10 match address SEATvpn
crypto map SEATmap 10 set peer 80.93.79.168
crypto map SEATmap 10 set transform-set SEATset
crypto map SEATmap 20 match address DVRvpn
crypto map SEATmap 20 set peer 91.213.197.63
crypto map SEATmap 20 set transform-set DVRset
crypto map SEATmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh 192.168.203.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password riAch9TfWXn0ZOOQ encrypted privilege 15
tunnel-group 80.x.y.z type ipsec-l2l
tunnel-group 80.x.y.z ipsec-attributes
 pre-shared-key *
tunnel-group 91.a.b.c type ipsec-l2l
tunnel-group 91.a.b.c ipsec-attributes
 pre-shared-key *
!
!
Where is my mistake?
Thank you
Collect some captures, logs and packet-tracer output to get a better idea of what is happening to the traffic:
1. Traffic capture on the inside to confirm (replace the <...> placeholders with your inside host and the remote host):
access-list cap permit ip host <inside-host> host <remote-host>
access-list cap permit ip host <remote-host> host <inside-host>
capture cap access-list cap interface inside
(open the traffic in the tunnel)
show cap cap
2. Capture to see if the ASA is dropping the packets:
capture asp type asp-drop all
(open the traffic in the tunnel)
show cap asp | i <inside-host>
show cap asp | i <remote-host>
3. Syslogs to see what happens to the traffic:
logging buffered debugging
logging buffer-size 1000000
(open the traffic in the tunnel)
show log | i <inside-host>
show log | i <remote-host>
4. Packet-tracer to see how the ASA will hypothetically handle the traffic:
packet-tracer input inside icmp <inside-host> 8 0 <remote-host> detail
-heather
-
Hi all
I have a strange problem trying to establish a VPN between my device (1941) and a remote ASA.
The issue, as far as I can tell, is that the IKE phase fails after MM6. I'm not an expert in this, but I'll try to explain to the best of my knowledge.
Here is the full debug crypto isakmp output:
*Jun 10 05:12:05.187: ISAKMP:(1001):purging SA., sa=3AD3BE6C, delme=3AD3BE6C
*Jun 10 05:12:05.259: ISAKMP:(0): SA request profile is (NULL)
*Jun 10 05:12:05.259: ISAKMP: Created a peer struct for 41.223.4.83, peer port 500
*Jun 10 05:12:05.259: ISAKMP: New peer created peer = 0x4B475724 peer_handle = 0x80000004
*Jun 10 05:12:05.259: ISAKMP: Locking peer struct 0x4B475724, refcount 1 for isakmp_initiator
*Jun 10 05:12:05.259: ISAKMP: local port 500, remote port 500
*Jun 10 05:12:05.263: ISAKMP: set new node 0 to QM_IDLE
*Jun 10 05:12:05.263: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 3AD3BE6C
*Jun 10 05:12:05.263: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Jun 10 05:12:05.263: ISAKMP:(0):found peer pre-shared key matching 41.223.4.83
*Jun 10 05:12:05.263: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Jun 10 05:12:05.263: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Jun 10 05:12:05.263: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Jun 10 05:12:05.263: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Jun 10 05:12:05.263: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jun 10 05:12:05.263: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Jun 10 05:12:05.263: ISAKMP:(0): beginning Main Mode exchange
*Jun 10 05:12:05.263: ISAKMP:(0): sending packet to 41.223.4.83 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 10 05:12:05.263: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 10 05:12:05.475: ISAKMP (0): received packet from 41.223.4.83 dport 500 sport 500 Global (I) MM_NO_STATE
*Jun 10 05:12:05.475: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 10 05:12:05.475: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
*Jun 10 05:12:05.475: ISAKMP:(0): processing SA payload. message ID = 0
*Jun 10 05:12:05.475: ISAKMP:(0): processing vendor id payload
*Jun 10 05:12:05.475: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jun 10 05:12:05.475: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jun 10 05:12:05.475: ISAKMP:(0): processing vendor id payload
*Jun 10 05:12:05.475: ISAKMP:(0): processing IKE frag vendor id payload
*Jun 10 05:12:05.475: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Jun 10 05:12:05.475: ISAKMP:(0):found peer pre-shared key matching 41.223.4.83
*Jun 10 05:12:05.475: ISAKMP:(0): local preshared key found
*Jun 10 05:12:05.475: ISAKMP : Scanning profiles for xauth ...
*Jun 10 05:12:05.475: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Jun 10 05:12:05.475: ISAKMP:      encryption AES-CBC
*Jun 10 05:12:05.475: ISAKMP:      keylength of 256
*Jun 10 05:12:05.475: ISAKMP:      hash SHA
*Jun 10 05:12:05.475: ISAKMP:      default group 2
*Jun 10 05:12:05.475: ISAKMP:      auth pre-share
*Jun 10 05:12:05.475: ISAKMP:      life type in seconds
*Jun 10 05:12:05.475: ISAKMP:      life duration (basic) of 28800
*Jun 10 05:12:05.475: ISAKMP:(0):atts are acceptable.
*Jun 10 05:12:05.475: ISAKMP:(0):Acceptable atts:actual life: 0
*Jun 10 05:12:05.475: ISAKMP:(0):Acceptable atts:life: 0
*Jun 10 05:12:05.475: ISAKMP:(0):Basic life_in_seconds:28800
*Jun 10 05:12:05.475: ISAKMP:(0):Returning Actual lifetime: 28800
*Jun 10 05:12:05.475: ISAKMP:(0)::Started lifetime timer: 28800.
*Jun 10 05:12:05.511: ISAKMP:(0): processing vendor id payload
*Jun 10 05:12:05.511: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jun 10 05:12:05.511: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jun 10 05:12:05.511: ISAKMP:(0): processing vendor id payload
*Jun 10 05:12:05.511: ISAKMP:(0): processing IKE frag vendor id payload
*Jun 10 05:12:05.511: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Jun 10 05:12:05.511: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 10 05:12:05.511: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
*Jun 10 05:12:05.511: ISAKMP:(0): sending packet to 41.223.4.83 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Jun 10 05:12:05.511: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 10 05:12:05.511: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun 10 05:12:05.511: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
*Jun 10 05:12:05.727: ISAKMP (0): received packet from 41.223.4.83 dport 500 sport 500 Global (I) MM_SA_SETUP
*Jun 10 05:12:05.727: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 10 05:12:05.727: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
*Jun 10 05:12:05.727: ISAKMP:(0): processing KE payload. message ID = 0
*Jun 10 05:12:05.759: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jun 10 05:12:05.759: ISAKMP:(0):found peer pre-shared key matching 41.223.4.83
*Jun 10 05:12:05.759: ISAKMP:(1003): processing vendor id payload
*Jun 10 05:12:05.759: ISAKMP:(1003): vendor ID is Unity
*Jun 10 05:12:05.759: ISAKMP:(1003): processing vendor id payload
*Jun 10 05:12:05.759: ISAKMP:(1003): vendor ID seems Unity/DPD but major 104 mismatch
*Jun 10 05:12:05.759: ISAKMP:(1003): vendor ID is XAUTH
*Jun 10 05:12:05.759: ISAKMP:(1003): processing vendor id payload
*Jun 10 05:12:05.763: ISAKMP:(1003): speaking to another IOS box!
*Jun 10 05:12:05.763: ISAKMP:(1003): processing vendor id payload
*Jun 10 05:12:05.763: ISAKMP:(1003): vendor ID seems Unity/DPD but hash mismatch
*Jun 10 05:12:05.763: ISAKMP:received payload type 20
*Jun 10 05:12:05.763: ISAKMP (1003): His hash no match - this node outside NAT
*Jun 10 05:12:05.763: ISAKMP:received payload type 20
*Jun 10 05:12:05.763: ISAKMP (1003): No NAT Found for self or peer
*Jun 10 05:12:05.763: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 10 05:12:05.763: ISAKMP:(1003):Old State = IKE_I_MM4  New State = IKE_I_MM4
*Jun 10 05:12:05.763: ISAKMP:(1003):Send initial contact
*Jun 10 05:12:05.763: ISAKMP:(1003):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Jun 10 05:12:05.763: ISAKMP (1003): ID payload
        next-payload : 8
        type         : 1
        address      : 82.117.193.82
        protocol     : 17
        port         : 500
        length       : 12
*Jun 10 05:12:05.763: ISAKMP:(1003):Total payload length: 12
*Jun 10 05:12:05.763: ISAKMP:(1003): sending packet to 41.223.4.83 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Jun 10 05:12:05.763: ISAKMP:(1003):Sending an IKE IPv4 Packet.
*Jun 10 05:12:05.763: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun 10 05:12:05.763: ISAKMP:(1003):Old State = IKE_I_MM4  New State = IKE_I_MM5
*Jun 10 05:12:05.975: ISAKMP (1003): received packet from 41.223.4.83 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Jun 10 05:12:05.975: ISAKMP:(1003): processing ID payload. message ID = 0
*Jun 10 05:12:05.975: ISAKMP (1003): ID payload
        next-payload : 8
        type         : 1
        address      : 41.223.4.83
        protocol     : 17
        port         : 0
        length       : 12
*Jun 10 05:12:05.975: ISAKMP:(0):: peer matches *none* of the profiles
*Jun 10 05:12:05.975: ISAKMP:(1003): processing HASH payload. message ID = 0
*Jun 10 05:12:05.975: ISAKMP:received payload type 17
*Jun 10 05:12:05.979: ISAKMP:(1003):SA authentication status: authenticated
*Jun 10 05:12:05.979: ISAKMP:(1003):SA has been authenticated with 41.223.4.83
*Jun 10 05:12:05.979: ISAKMP: Trying to insert a peer 82.117.193.82/41.223.4.83/500/, and inserted successfully 4B475724.
*Jun 10 05:12:05.979: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 10 05:12:05.979: ISAKMP:(1003):Old State = IKE_I_MM5  New State = IKE_I_MM6
*Jun 10 05:12:05.979: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jun 10 05:12:05.979: ISAKMP:(1003):Old State = IKE_I_MM6  New State = IKE_I_MM6
*Jun 10 05:12:05.979: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jun 10 05:12:05.979: ISAKMP:(1003):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Jun 10 05:12:05.979: ISAKMP:(1003):beginning Quick Mode exchange, M-ID of 2434392874
*Jun 10 05:12:05.979: ISAKMP:(1003):QM Initiator gets spi
*Jun 10 05:12:05.979: ISAKMP:(1003): sending packet to 41.223.4.83 my_port 500 peer_port 500 (I) QM_IDLE
*Jun 10 05:12:05.979: ISAKMP:(1003):Sending an IKE IPv4 Packet.
*Jun 10 05:12:05.979: ISAKMP:(1003):Node 2434392874, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Jun 10 05:12:05.979: ISAKMP:(1003):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Jun 10 05:12:05.979: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jun 10 05:12:05.979: ISAKMP:(1003):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*Jun 10 05:12:06.195: ISAKMP (1003): received packet from 41.223.4.83 dport 500 sport 500 Global (I) QM_IDLE
*Jun 10 05:12:06.195: ISAKMP: set new node 169965215 to QM_IDLE
*Jun 10 05:12:06.195: ISAKMP:(1003): processing HASH payload. message ID = 169965215
*Jun 10 05:12:06.195: ISAKMP:(1003): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 0, message ID = 169965215, sa = 0x3AD3BE6C
*Jun 10 05:12:06.199: ISAKMP:(1003):deleting node 169965215 error FALSE reason "Informational (in) state 1"
*Jun 10 05:12:06.199: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jun 10 05:12:06.199: ISAKMP:(1003):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*Jun 10 05:12:06.199: ISAKMP (1003): received packet from 41.223.4.83 dport 500 sport 500 Global (I) QM_IDLE
*Jun 10 05:12:06.199: ISAKMP: set new node 1149953416 to QM_IDLE
*Jun 10 05:12:06.199: ISAKMP:(1003): processing HASH payload. message ID = 1149953416
*Jun 10 05:12:06.199: ISAKMP:(1003): processing DELETE payload. message ID = 1149953416
*Jun 10 05:12:06.199: ISAKMP:(1003):peer does not do paranoid keepalives.
*Jun 10 05:12:06.199: ISAKMP:(1003):deleting SA reason "No reason" state (I) QM_IDLE (peer 41.223.4.83)
*Jun 10 05:12:06.199: ISAKMP:(1003):deleting node 1149953416 error FALSE reason "Informational (in) state 1"
*Jun 10 05:12:06.199: ISAKMP: set new node 613686650 to QM_IDLE
*Jun 10 05:12:06.199: ISAKMP:(1003): sending packet to 41.223.4.83 my_port 500 peer_port 500 (I) QM_IDLE
*Jun 10 05:12:06.199: ISAKMP:(1003):Sending an IKE IPv4 Packet.
*Jun 10 05:12:06.199: ISAKMP:(1003):purging node 613686650
*Jun 10 05:12:06.199: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Jun 10 05:12:06.199: ISAKMP:(1003):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
*Jun 10 05:12:06.199: ISAKMP:(1003):deleting SA reason "No reason" state (I) QM_IDLE (peer 41.223.4.83)
*Jun 10 05:12:06.199: ISAKMP: Unlocking peer struct 0x4B475724 for isadb_mark_sa_deleted(), count 0
*Jun 10 05:12:06.199: ISAKMP: Deleting peer node by peer_reap for 41.223.4.83: 4B475724
*Jun 10 05:12:06.203: ISAKMP:(1003):deleting node -1860574422 error FALSE reason "IKE deleted"
*Jun 10 05:12:06.203: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 10 05:12:06.203: ISAKMP:(1003):Old State = IKE_DEST_SA  New State = IKE_DEST_SA
*Jun 10 05:12:25.187: ISAKMP:(1002):purging node 1140237073
Installed IOS is c1900-universalk9-mz.SPA.154-3.M5.bin
Before that, I had 15.3, same thing.
BGPR1# sho run
Building configuration...
Current configuration : 5339 bytes
!
! Last configuration change at 05:19:14 UTC Friday, June 10, 2016 by boris
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname BGPR1
!
boot-start-marker
boot system flash0:c1900-universalk9-mz.SPA.154-3.M5.bin
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
!
ip flow-cache timeout active 1
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
crypto pki trustpoint TP-self-signed-3992366821
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3992366821
 revocation-check none
 rsakeypair TP-self-signed-3992366821
!
!
crypto pki certificate chain TP-self-signed-3992366821
 certificate self-signed 01
 quit
license udi pid CISCO1941/K9 sn CF
!
!
username
username
!
redundancy
!
!
!
no crypto ikev2 diagnose error
!
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key * address 41.223.4.83
!
!
crypto ipsec transform-set Meridian ah-sha-hmac esp-aes 256
 mode tunnel
!
!
!
crypto map Meridian 10 ipsec-isakmp
 description VODACOM VPN
 set peer 41.223.4.83
 set security-association lifetime seconds 86400
 set transform-set Meridian
 match address 100
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description peer na Telekom
 ip address 79.101.96.6 255.255.255.252
 ip flow ingress
 ip flow egress
 duplex auto
 speed auto
 no cdp enable
!
interface GigabitEthernet0/1
 description peer na SBB
 ip address 82.117.193.82 255.255.255.252
 ip flow ingress
 ip flow egress
 duplex auto
 speed auto
 no cdp enable
 crypto map Meridian
!
interface FastEthernet0/0/0
 no ip address
!
interface FastEthernet0/0/1
 no ip address
!
interface FastEthernet0/0/2
 no ip address
!
interface FastEthernet0/0/3
 switchport access vlan 103
 no ip address
!
interface Vlan1
 ip address 37.18.184.1 255.255.255.0
 ip flow ingress
 ip flow egress
!
interface Vlan103
 ip address 10.10.10.1 255.255.255.0
!
router bgp 198370
 bgp log-neighbor-changes
 network 37.18.184.0 mask 255.255.255.0
 neighbor 10.10.10.2 remote-as 201047
 neighbor 10.10.10.2 route-map T-OUT out
 neighbor 79.101.96.5 remote-as 8400
 neighbor 79.101.96.5 fall-over
 neighbor 79.101.96.5 route-map LOCALPREF in
 neighbor 79.101.96.5 route-map T-OUT out
 neighbor 82.117.193.81 remote-as 31042
 neighbor 82.117.193.81 fall-over
 neighbor 82.117.193.81 route-map LocalOnly out
!
ip forward-protocol nd
!
ip as-path access-list 10 permit ^$
ip as-path access-list 20 permit ^$ 31042
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-export source Vlan1
ip flow-export version 5 peer-as
ip flow-export destination 37.18.184.8 2055
!
ip route 37.18.184.0 255.255.255.0 Null0
ip route 104.28.15.63 255.255.255.255 79.101.96.5
ip route 217.26.67.79 255.255.255.255 79.101.96.5
!
!
ip prefix-list Filter_IN_Telekom seq 10 permit 0.0.0.0/0
!
route-map T-OUT permit 10
 match as-path 10
!
route-map LOCALPREF permit 10
 set local-preference 90
!
route-map SBBOnly permit 10
 match as-path 20
!
route-map LocalOnly permit 10
 match as-path 10
!
!
snmp-server community m3r1d1an RO
snmp-server ifindex persist
access-list 100 permit ip host 37.18.184.4 host 41.217.203.234
access-list 100 permit ip host 37.18.184.169 host 41.217.203.234
!
control-plane
!
!
!
line con 0
 logging synchronous
 login local
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad rlogin lapb-ta mop v120 udptn ssh telnet
 stopbits 1
line vty 0 4
 privilege level 15
 login local
 transport input ssh
line vty 5 15
 privilege level 15
 login local
 transport input ssh
!
scheduler allocate 20000 1000
!
end
BGPR1#
BGPR1# sho cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
41.223.4.83     82.117.193.82   MM_NO_STATE       1106 ACTIVE (deleted)
41.223.4.83     82.117.193.82   MM_NO_STATE       1105 ACTIVE (deleted)
For "sho cry ipsec sa" I only get a lot of send errors.
As for the other end, I got all the settings from them; I have no access to that device, and they insist that this is a simple setup and that any problem is on my side.
I tried juggling the order of the access list, the crypto map security-association lifetime and all the "googlable" solutions I could find.
Any input appreciated.
Double-check that phase 2 matches on the ASA, including PFS.
crypto ipsec transform-set meridian ah-sha-hmac esp-aes 256
 mode tunnel
-
I have the following scenario:
Internet - FW (non-cisco, to be replaced) - FW (525) - Campus.
The legacy firewall will be replaced over a period of more than 3 months. I will keep it online and move the new 525 behind it, "permitting" all traffic. Then I'll gradually move most of my ACLs from the old FW to the new one.
My question concerns the static command. Even with a conduit permitting any to any, or object groups with permit all, I still have to create
static (inside,outside) ip ip
entries for each server that will be seen from outside my network. Otherwise there is no xlate translation (unless I send packets from inside to outside, which creates it automatically).
Since I have a lot of campus-wide servers, doing statics manually is really painful. Is there another way to allow the translation to occur? Or is there another way to allow outsiders access to my servers?
e.g. a static for the whole subnet?
That said, I also have 2 functional questions about the PIX. I've read conflicting reports about some Cisco commands and I don't know which ones are valid.
Does nat 0 disable the Cisco Adaptive Security Algorithm for the specified entries?
Does the static command disable the Cisco Adaptive Security Algorithm for the specified entries?
Urgent help is appreciated because I need to install the new firewall this weekend (2-4 hours on Sunday morning).
Thanks in advance.
SP
static (inside,outside) 1.2.3.0 1.2.3.0 netmask 255.255.255.0
would be a static for the whole subnet 1.2.3.0/24, telling the outside interface that all of it resides inside.
-
PIX SMTP NAT or Port based NAT?
I have what may seem like a strange question...
I have a client with a PIX and an SMTP server inside their network. They were using port-based NAT via the following command (all IP addresses are changed to protect the innocent):
static (inside,outside) tcp 1.1.1.1 smtp 192.168.0.1 smtp netmask 255.255.255.255
It worked well for incoming and outgoing email except to particular mail servers. What was happening was that they were receiving bounce messages as below:
Where IP address 1.1.1.2 matched the client's global command.
Once I changed the NAT to use a normal NAT rather than a port-based one, everything worked well. Using
static (inside,outside) 1.1.1.1 192.168.0.1 netmask 255.255.255.255
My question is, can I make port-based NAT work for IP addressing in both directions, or am I stuck with using a single-IP NAT?
I guess what is happening is that the port-based NAT looks only at conversations from the incoming direction (i.e. the conversation is with port 25 on 192.168.0.1), not conversations from the outgoing direction (i.e. the conversation is with port 25 on an external IP address).
Rgds,
Peter
Excellent analysis, and you are right on. Just a simple bit of config that most people miss. Try the following:
static (inside,outside) tcp 1.1.1.1 smtp 192.168.0.1 smtp netmask 255.255.255.255
global (outside) 2 1.1.1.1
nat (inside) 2 192.168.0.1 255.255.255.255
The static will match traffic from port 25 on the mail server. So when your mail server sends outgoing traffic on a port other than 25, it uses the nat/global configuration you have defined for the other hosts on the inside interface. Which the other e-mail server obviously doesn't like.
Hope that's clear, but if not, let me know.
Scott
-
static PAT statements, need help...
Hi all
I am trying to set up a mail server; for the time being, for reasons I won't go into, I can't put it on the DMZ. So it is sitting on the inside interface of the 515E firewall.
I have the internal IP address of the server as 192.168.50.13, and inside the network I can send, receive email etc. on this server. This is a new server, so I recently set up my A and MX records. When pinging the domain, the correct IP address is now returned for the domain name. However, I can't see my e-mail server from the outside world. When running a DNS query on the MX record, I get no response.
The problem is at the PIX level. My static statements don't seem to work.
One of my 4 static statements works (for our Terminal Services server), but the other 3 entries do not.
They are as follows:
static (inside,outside) tcp MainOffice 3389 192.168.50.75 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice smtp 192.168.50.13 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice pop3 192.168.50.13 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice telnet 192.168.50.201 telnet netmask 255.255.255.255 0 0
(The last entry is just a test to see if I could even host a standard telnet server from my local Win2K box and see it through the firewall; the test failed. I can telnet in via the local IP, .201, but not through the external IP, MainOffice.)
As other parts of the PIX config often seem to affect issues like this :), I've included a complete running-config listing below for those who would like to reference it. Thank you for your time.
Another strange thing of note: with this current config I can't ping my external interface IP from an external or internal IP. I have my ICMP entries set and thought I should be able to, but can't. It is not as important as the question above.
Dave
::
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
hostname YRPCI
domain-name yrpci.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol http 8080
fixup protocol ftp 22
names
name x.x.71.8 ConstOffice
name x.x.81.11 BftOffice
name x.x.71.7 MainOffice
access-list acl_outbound permit ip host 192.168.50.10 any
access-list acl_outbound permit ip host 192.168.50.75 any
access-list acl_outbound permit ip host 192.168.50.201 any
access-list acl_outbound permit ip host 192.168.50.202 any
access-list acl_outbound permit tcp host 192.168.50.203 any
access-list acl_outbound permit tcp host 192.168.50.204 any
access-list acl_outbound permit tcp host 192.168.50.205 any
access-list acl_outbound permit tcp host 192.168.50.206 any
access-list acl_outbound permit tcp host 192.168.50.207 any
access-list acl_outbound permit tcp host 192.168.50.208 any
access-list acl_outbound permit tcp host 192.168.50.209 any
access-list acl_outbound permit tcp host 192.168.50.210 any
access-list acl_outbound permit tcp host 192.168.50.211 any
access-list acl_outbound permit tcp host 192.168.50.212 any
access-list acl_outbound permit tcp host 192.168.50.213 any
access-list acl_outbound permit tcp host 192.168.50.214 any
access-list acl_outbound permit tcp host 192.168.50.215 any
access-list acl_outbound permit tcp host 192.168.50.216 any
access-list acl_outbound permit tcp host 192.168.50.217 any
access-list acl_outbound permit tcp host 192.168.50.218 any
access-list acl_outbound permit tcp host 192.168.50.219 any
access-list acl_outbound permit tcp host 192.168.50.220 any
access-list acl_outbound permit tcp host 192.168.50.221 any
access-list acl_outbound permit tcp host 192.168.50.222 any
access-list acl_outbound permit tcp host 192.168.50.223 any
access-list acl_outbound permit tcp host 192.168.50.224 any
access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq smtp
access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq pop3
access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 host 192.168.51.0
access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 host 192.168.52.0
access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 host 192.168.53.0
access-list acl_outbound permit ip host 192.168.50.51 any
access-list acl_outbound permit tcp host 192.168.50.11 any
access-list acl_outbound permit ip host 192.168.50.13 any
access-list acl_outbound permit tcp host 192.168.50.225 any
access-list acl_inbound permit tcp any host MainOffice eq 3389
access-list acl_inbound permit icmp any any echo-reply
access-list acl_inbound permit icmp any any time-exceeded
access-list acl_inbound permit icmp any any unreachable
access-list acl_inbound permit ip host MainOffice any
access-list acl_inbound permit tcp any any eq ssh
access-list 101 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
access-list 102 permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list 100 permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list 100 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
access-list 100 permit ip 192.168.50.0 255.255.255.0 192.168.53.0 255.255.255.0
access-list 103 permit ip 192.168.50.0 255.255.255.0 192.168.53.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging console debugging
logging buffered warnings
logging trap warnings
logging history warnings
logging host inside 192.168.50.201
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
icmp permit host MainOffice outside
icmp permit host ConstOffice outside
icmp permit any unreachable outside
icmp permit any echo-reply outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside pppoe setroute
ip address inside 192.168.50.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no pdm history enable
arp timeout 14400
global (outside) 2 interface
nat (inside) 0 access-list 100
nat (inside) 2 192.168.50.0 255.255.255.0 0 0
static (inside,outside) tcp MainOffice 3389 192.168.50.75 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice smtp 192.168.50.13 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice pop3 192.168.50.13 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice telnet 192.168.50.201 telnet netmask 255.255.255.255 0 0
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
timeout xlate 08:00
timeout conn 06:00 half-closed 07:00 udp 07:00 rpc 07:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 07:30 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set RIGHT esp-des esp-sha-hmac
crypto map vpn1 10 ipsec-isakmp
crypto map vpn1 10 match address 102
crypto map vpn1 10 set pfs group2
crypto map vpn1 10 set peer ConstOffice
crypto map vpn1 10 set transform-set RIGHT
crypto map vpn1 20 ipsec-isakmp
crypto map vpn1 20 match address 101
crypto map vpn1 20 set pfs group2
crypto map vpn1 20 set peer BftOffice
crypto map vpn1 20 set transform-set RIGHT
crypto map vpn1 interface outside
isakmp enable outside
isakmp key * address ConstOffice netmask 255.255.255.255
isakmp key * address BftOffice netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet ConstOffice 255.255.255.255 outside
telnet 192.168.51.0 255.255.255.0 outside
telnet 192.168.52.0 255.255.255.0 outside
telnet BftOffice 255.255.255.255 outside
telnet 192.168.50.0 255.255.255.0 inside
telnet timeout 10
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.50.0 255.255.255.0 inside
ssh timeout 20
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname xxxxxxxxx
vpdn group pppoex ppp authentication pap
vpdn username xxxxxxxxxx password *
terminal width 80
: end
Well, I'll be a son-of-a-b!*$@!!! I don't know what I'm talking about then! Ha ha.
I'm just glad you've got it working, and maybe someone else watching can help us understand.
Cheers.
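One thing a reviewer can check mechanically in the running-config above: on a PIX, an outside-to-inside connection needs both a translation (the static) and a permit in the access-list applied inbound on the outside interface for the global address and port. The script below is an added example, not part of Dave's post or any Cisco tool; CONFIG is constructed from the static and acl_inbound lines of the posted config, and port_num, parse_acl and unpermitted_statics are names I chose. It pairs each TCP port static with the acl_inbound entries and reports the statics that nothing permits.

```python
import re

# Added example, not from the thread: pair each TCP port static with the lines of
# the access-list applied inbound on the outside interface, and report the statics
# nothing permits. On a PIX an outside-to-inside connection needs both a
# translation (the static) and an access-list permit for the global address and
# port, so a static without a permit silently does nothing.
# CONFIG is constructed from the relevant lines of the running-config posted above.

SERVICES = {"smtp": 25, "pop3": 110, "telnet": 23, "ssh": 22, "www": 80, "http": 80}

CONFIG = """
access-list acl_inbound permit tcp any host MainOffice eq 3389
access-list acl_inbound permit icmp any any echo-reply
access-list acl_inbound permit icmp any any time-exceeded
access-list acl_inbound permit icmp any any unreachable
access-list acl_inbound permit ip host MainOffice any
access-list acl_inbound permit tcp any any eq ssh
static (inside,outside) tcp MainOffice 3389 192.168.50.75 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice smtp 192.168.50.13 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice pop3 192.168.50.13 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice telnet 192.168.50.201 telnet netmask 255.255.255.255 0 0
access-group acl_inbound in interface outside
""".strip().splitlines()

STATIC_RE = re.compile(r"^static \(\w+,\w+\) tcp (\S+) (\S+) (\S+) (\S+) netmask")


def port_num(tok: str) -> int:
    """Map a PIX service keyword or a numeric port to a port number."""
    return SERVICES[tok.lower()] if tok.lower() in SERVICES else int(tok)


def _take_addr(tokens: list, i: int):
    """Consume one address spec (any | host X | net mask) starting at tokens[i]."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return tokens[i] + "/" + tokens[i + 1], i + 2


def parse_acl(line: str):
    """Parse 'access-list NAME permit PROTO SRC DST [eq PORT]' into a dict, else None."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] != "permit":
        return None
    src, i = _take_addr(t, 4)
    dst, i = _take_addr(t, i)
    port = port_num(t[i + 1]) if i + 1 < len(t) and t[i] == "eq" else None
    return {"name": t[1], "proto": t[3], "src": src, "dst": dst, "port": port}


def unpermitted_statics(config_lines: list, acl_name: str) -> list:
    """Return (global_ip, global_port, local_ip, local_port) for every port static
    that no 'permit tcp|ip any ...' entry of acl_name covers."""
    statics, permits = [], []
    for raw in config_lines:
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            g_ip, g_port, l_ip, l_port = m.groups()
            statics.append((g_ip, port_num(g_port), l_ip, port_num(l_port)))
            continue
        acl = parse_acl(line)
        if acl and acl["name"] == acl_name:
            permits.append(acl)
    missing = []
    for g_ip, g_port, l_ip, l_port in statics:
        # Internet-originated traffic has an arbitrary source, so only entries with
        # source 'any' count; 'permit ip host MainOffice any' does not open anything.
        covered = any(
            p["proto"] in ("tcp", "ip") and p["src"] == "any"
            and p["dst"] in ("any", g_ip) and p["port"] in (None, g_port)
            for p in permits
        )
        if not covered:
            missing.append((g_ip, g_port, l_ip, l_port))
    return missing


if __name__ == "__main__":
    for g_ip, g_port, l_ip, l_port in unpermitted_statics(CONFIG, "acl_inbound"):
        print(f"static {g_ip}:{g_port} -> {l_ip}:{l_port} has no matching permit in acl_inbound")
```

Run against the posted lines, only the 3389 static has a matching permit; the smtp, pop3 and telnet statics are reported, which is the same split as "one of my 4 statics works, the other 3 don't". The check deliberately ignores the `permit ip host MainOffice any` entry, since its source is the firewall's own address rather than the Internet.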
-
Policy static NAT conflicting with VPN NAT
I have a situation where I need to create a site-to-site VPN between an ASA 5505 running 7.2 and a SonicWall NSA4500. The problem arises because the LAN behind the Cisco ASA has the same subnet as an existing VPN already created on the SonicWall. Since the SonicWall cannot have two VPNs running on the same subnet, the solution is to use policy NAT on the ASA so that, to the SonicWall, the new VPN appears to have a different subnet.
The current subnet behind the ASA is 192.168.10.0/24 (the SonicWall already has a VPN created for another customer with the same subnet). I am trying to translate it to 192.168.24.0/24. The peer LAN (behind the SonicWall) is 10.159.0.0/24. The relevant ASA configuration is:
interface Vlan1
 ip address 192.168.10.1 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.24.0 255.255.255.0 10.159.0.0 255.255.255.0
access-list VPN extended permit ip 192.168.10.0 255.255.255.0 10.159.0.0 255.255.255.0
static (inside,outside) 192.168.24.0 access-list VPN
crypto map outside_map 1 match address outside_1_cryptomap
In addition, there are other static NAT statements and their associated ACLs that allow certain traffic through the firewall to the server, for example:
static (inside,outside) tcp interface smtp SERVER smtp netmask 255.255.255.255
The problem is this: when I enter the policy static NAT statement, I get the message "WARNING: real-address conflict with existing static" and it then refers to each of the static NAT statements mapping the external address to the server. I've thought about it, and it seemed to me that the problem was that the policy NAT statement must be the first NAT statement (it is the last one) so that it is evaluated first and all traffic destined for the VPN tunnel to the SonicWall (destination 10.159.0.0/24) is handled properly. If I left it as the last statement, then the other static NAT statements would prevent some of the traffic bound for 10.159.0.0/24 from being correctly routed through the VPN.
So, I first tried to move my policy NAT statement up in the ASDM GUI. However, moving the statement was not allowed. Then I tried deleting the five static NAT statements that point to the server (an example is above) and recreating them, hoping that would move the policy NAT statement up. This also failed.
What am I missing?
Hello
I assumed that we could have changed the order of the original "static" commands, but as that did not work for some reason, it seems to me that what you suggested, or the change I proposed, should work.
I guess your purpose was to set up static policy PAT for the VPN for some of these services, then static PAT for public network access, then static policy NAT for the rest of the internal network.
I guess you could choose whichever way seems best to you.
Let me know if you get it working. I still find it strange that the original configuration did not work.
Remember to mark a reply as the answer if it answered your question.
Feel free to ask more if necessary
-Jouni
-
PIX stops passing all traffic on entering a crypto command
I have a strange problem with a PIX 515 6.1(2).
I have 3 VPN tunnels already implemented. While trying to set up a 4th, the PIX stops passing all traffic. It happens precisely when I enter ANY "crypto map" command.
Cancelling the command using "no crypto map ..." or "clear xlate" is no help either. The PIX must be restarted before traffic flows again. CPU usage drops to zero and my telnet session to the PIX remains connected.
Anyone have any ideas?
I have put the relevant configuration below:
access-list sheep permit ip 172.50.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list sheep permit ip 172.50.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list acl_vpn1 permit ip 172.50.0.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list acl_vpn2 permit ip 172.50.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list acl_vpn3 permit ip 172.50.0.0 255.255.255.0 10.50.0.0 255.255.255.0
nat (inside) 0 access-list sheep
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set support esp-des esp-md5-hmac
crypto map toVPNs 10 ipsec-isakmp
crypto map toVPNs 10 match address acl_vpn1
crypto map toVPNs 10 set peer 1xx.xxx.xxx.xxx
crypto map toVPNs 10 set transform-set support
crypto map toVPNs 12 ipsec-isakmp
crypto map toVPNs 12 match address acl_vpn2
crypto map toVPNs 12 set peer 2xx.xxx.xxx.xxx
crypto map toVPNs 12 set transform-set support
crypto map toVPNs 14 ipsec-isakmp
crypto map toVPNs 14 match address acl_vpn3
crypto map toVPNs 14 set peer 3xx.xxx.xxx.xxx
crypto map toVPNs 14 set transform-set support
crypto map toVPNs interface outside
isakmp enable outside
isakmp key * address 1xx.xxx.xxx.xxx netmask 255.255.255.255
isakmp key * address 2xx.xxx.xxx.xxx netmask 255.255.255.255
isakmp key * address 3xx.xxx.xxx.xxx netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 43200
Hi Ishaq,
Please make sure you remove the crypto map from the interface with "no crypto map toVPNs interface outside", then add the necessary commands before re-applying the crypto map. Usually, when we add a new "crypto map toVPNs xx ipsec-isakmp" command without removing the crypto map, it starts encrypting all traffic passing through the PIX. After you make the required changes, reapply the crypto map.
Hope this helps,
Kind regards,
Abdelouahed
-=-=-
-
PIX 515: no traffic on the new IP address block
We have received a new range of IPs, 213.x.x.x/28, from our ISP. They are routed via our existing gateway 92.x.x.146.
The problem:
We cannot get any traffic to the PIX on the new 213.x.x.x/28 range.
- If we try to ping 213.x.x.61, we get TTL exceeded.
- The ISP gets the same thing from their router.
- The ISP tries ssh and gets "no route to host". The ISP has then double-checked the routing and the MAC address of our external interface. They are correct.
The strange thing is that we cannot see ANY log messages about incoming connection attempts to the new range. The PIX is running at logging level 7.
Does anyone have an idea what the problem could be, or suggestions for debugging the issue?
Excerpt from the config:
Pix 515 running 7.0(7), standalone
outside 92.x.x.146 255.255.255.240
inside 192.168.101.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 92.x.x.145 1
access-group acl_out in interface outside
access-list acl_out extended permit tcp any host 213.x.x.x eq www
access-list acl_out extended permit tcp any host 213.x.x.x eq ssh
static (inside,outside) 213.x.x.61 192.168.101.99 netmask 255.255.255.255
icmp permit any unreachable outside
192.168.101.99 is a Linux test server with http and ssh.
Any help much appreciated.
PM
dsc_tech_1 wrote:
I have spoken to the ISP and confirmed the MAC address of the outside interface Ethernet0.
The ISP says:
...we are sending this correctly to your pix, you should see any traffic destined for a 213.x.x.0/28 address hit your interface at 92.x.x.146/32
Yes, 217.x.x.81 and 217.x.x.82 are routers owned by our ISP.
Is there anything else I can ask the ISP in terms of testing/debugging? I've run out of ideas.
If the routers are owned by your ISP, then the fault lies with them. They have a routing loop in their network, and that's why packets are not reaching your firewall. Have you shown them the traceroute?
They need to focus on the .81 and .82 routers to establish why the packets are looping between these 2 routers. Until they fix this, packets will never reach your firewall.
Jon
-
Limited access from a lower to a higher security level
Dear all,
I have something I need your help clarifying. For the purpose of testing outside NAT on the PIX, I placed a host on the outside interface of my PIX FW and another on the inside interface. We'll call the inside one Host A (172.16.1.178) and the outside one Host B (192.168.1.96).
I then applied the
nat (inside) 0 0 0 and
nat (outside) 0 0 0 outside
commands so that the two subnets appear to each other with their original IP addresses. When pinging from Host B to Host A, no response is received and a 305005 syslog message appears (No translation group found for ICMP src outside:192.168.1.96 dst inside:172.16.1.178)... However, when pinging from Host A to Host B with Host B's original IP, a response is received successfully. After this, to add to the confusion, if I try again to ping from Host B to Host A, things work this time without errors. (Note: ICMP is permitted both ways.)
After applying clear xlate, the same again! It looks like the PIX doesn't pass the request from Host B to Host A unless there is a previous, established session from Host A through the PIX.
Does anyone have an explanation for what's going on? Has anyone experienced something like this before?
Let me know your opinion.
Thank you
Haitham
You are using nat 0 (identity NAT), which does not allow two-way communication UNLESS the host located on the higher-security interface initiates the connection.
You can try the following:
static (inside,outside) 172.16.1.178 172.16.1.178 netmask 255.255.255.255
This allows the inside host to be "translated" to the outside and allows the host located on the untrusted side to start the communication itself (it will be seen with the same IP address).
more information:
http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_sw/v_63/cmdref/s.htm#wp1026694
Franco Zamora
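Scott's explanation in the SMTP thread (a port static only covers port 25, so other outbound connections from the mail server fall back to the nat/global pool) and Franco's here (identity nat 0 only creates an xlate when the inside host initiates) are two faces of the same PIX 6.x lookup. The block below is an added example in my own words, not Cisco code and not from either post: a deliberately reduced model of that lookup, with Static, NatPool and Pix as names I chose and the two scenarios reconstructed from the addresses in the posts. The simplifications are labelled in the comments; it keeps only the rules these threads rely on.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Added example (illustrative code, not Cisco's): a minimal model of how a PIX 6.x
# picks a translation for a packet, reduced to the rules these two threads rely on:
# statics are consulted before nat/global, the most specific nat statement wins,
# a port static only covers its one port, and 'nat 0' identity NAT creates an
# xlate only when the inside host starts the conversation. Policy NAT
# (nat 0 access-list) and PAT port allocation are left out on purpose.


@dataclass
class Static:
    local_ip: str
    global_ip: str
    port: Optional[int] = None       # None: one-to-one NAT; int: TCP port-PAT for that port


@dataclass
class NatPool:
    nat_id: int                      # 0 is identity NAT ('nat (inside) 0 ...')
    local_net: str                   # the 'nat (inside) <id> <net> <mask>' network
    global_ip: Optional[str] = None  # matching 'global (outside) <id> <ip>'; None for nat 0


@dataclass
class Pix:
    statics: list
    pools: list
    xlates: dict = field(default_factory=dict)  # global_ip -> local_ip, built by outbound traffic

    def outbound(self, src_ip: str, src_port: int) -> Optional[str]:
        """Global address the outside sees for an inside-originated packet (None: dropped)."""
        for s in self.statics:
            if s.local_ip == src_ip and (s.port is None or s.port == src_port):
                self.xlates[s.global_ip] = s.local_ip
                return s.global_ip
        matching = [p for p in self.pools if ip_address(src_ip) in ip_network(p.local_net)]
        if not matching:
            return None
        pool = max(matching, key=lambda p: ip_network(p.local_net).prefixlen)  # most specific nat wins
        global_ip = src_ip if pool.nat_id == 0 else pool.global_ip
        self.xlates[global_ip] = src_ip
        return global_ip

    def inbound(self, dst_ip: str, dst_port: int) -> Optional[str]:
        """Inside address an outside-originated packet reaches, or None (the 305005 case)."""
        for s in self.statics:
            if s.global_ip == dst_ip and (s.port is None or s.port == dst_port):
                return s.local_ip
        # Identity nat 0 without an access-list opens nothing by itself; an xlate
        # left behind by earlier outbound traffic is the only other way in.
        return self.xlates.get(dst_ip)


def smtp_source_seen_by_remote_mta(with_host_pool: bool) -> Optional[str]:
    """Scott's case: 192.168.0.1 opens an outbound SMTP session from an ephemeral port."""
    pools = [NatPool(1, "192.168.0.0/24", "1.1.1.2")]           # the client's existing nat/global 1
    if with_host_pool:                                            # Scott's fix:
        pools.append(NatPool(2, "192.168.0.1/32", "1.1.1.1"))    # nat (inside) 2 / global (outside) 2 1.1.1.1
    pix = Pix(statics=[Static("192.168.0.1", "1.1.1.1", port=25)], pools=pools)
    return pix.outbound("192.168.0.1", 40213)                     # source port is not 25


def identity_nat_sequence(with_static: bool) -> list:
    """Haitham's case: B pings A, then A pings B, then B pings A again (ICMP, port irrelevant)."""
    statics = [Static("172.16.1.178", "172.16.1.178")] if with_static else []  # Franco's fix
    pix = Pix(statics=statics, pools=[NatPool(0, "0.0.0.0/0")])   # 'nat (inside) 0 0 0'
    first = pix.inbound("172.16.1.178", 0)
    pix.outbound("172.16.1.178", 0)
    second = pix.inbound("172.16.1.178", 0)
    return [first, second]


if __name__ == "__main__":
    print("remote MTA sees", smtp_source_seen_by_remote_mta(False), "without nat/global 2")
    print("remote MTA sees", smtp_source_seen_by_remote_mta(True), "with nat/global 2")
    print("nat 0 only:", identity_nat_sequence(False))
    print("with static:", identity_nat_sequence(True))
```

Without the host-specific nat/global 2, the mail server's outbound sessions leave as 1.1.1.2 while its MX record points at 1.1.1.1, which is exactly what the remote servers were bouncing; with it, the /32 nat statement wins and outbound mail leaves as 1.1.1.1 on every port. For the identity-NAT case the first outside-initiated ping finds neither a static nor an xlate, the inside host's own ping creates the xlate, and the second ping gets through; Franco's static makes the first ping succeed as well.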
-
PIX 501 problem: I cannot receive SMTP messages
Currently I can send messages but cannot receive mail from the Internet. If I remove the PIX and connect directly to the modem/router, then I can do SMTP on port 25 and SMTP mail works fine both in and out.
All we want this PIX to allow at present is:
(a) Internet access for all clients on the internal network
(b) allow the clients to POP mail from web e-mail accounts
(c) we want to use Exchange & Outlook and host our own email via the SMTP protocol
Please find attached two documents:
1. a current, edited running config of my PIX 501
2. a PowerPoint of my network diagram.
I would appreciate any help.
Vinny.
I finally found the problem.
On the ADSL router you have configured the same 192.168.0.0/24 network you use behind the mail server. This configuration will not work because it leads to a duplicate IP address range and you get routing problems.
Change the configuration to another IP range between the ADSL router and the PIX firewall and everything will work.
Note that the single public IP address that is configured/received is on the Netgear ADSL router; all the other interfaces use private IP addresses.
Overview of the networks and IPs:
80.x.y.z/255.255.255.x = Netgear outside IP
192.168.2.0/255.255.255.0 = network between the Netgear inside interface and the PIX outside interface
192.168.1.0/255.255.255.0 = network between the PIX inside interface and the mail server's external interface
192.168.0.0/255.255.255.0 = network between the mail server's internal interface and the mail clients.
Use 192.168.2.0 255.255.255.0 for this network, then set 192.168.2.1 on your ADSL router's inside interface and use a static IP 192.168.2.2 255.255.255.0 on the PIX firewall's outside interface.
ADSL setup:
On the Netgear you can choose between forwarding all traffic for the public IP 80.x.y.z to 192.168.2.2, which is NAT, or forwarding only http, pop3 and smtp; it doesn't really matter, it's just important that you NAT or PAT it to the PIX firewall.
PIX setup example:
All traffic received on the PIX outside interface 192.168.2.2 for http, pop3 and smtp is then forwarded to the mail server's external IP address 192.168.1.2.
ip address outside 192.168.2.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
access-list acl_out permit tcp any host 192.168.2.2 eq http
access-list acl_out permit tcp any host 192.168.2.2 eq pop3
access-list acl_out permit tcp any host 192.168.2.2 eq smtp
access-group acl_out in interface outside
static (inside,outside) tcp 192.168.2.2 80 192.168.1.2 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.2.2 110 192.168.1.2 110 netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.2.2 25 192.168.1.2 25 netmask 255.255.255.255 0 0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.2.1
Mail server setup:
The mail server has a default route to the PIX firewall.
Default gateway on the mail server = 192.168.1.1
Do you NAT or PAT the mail server's internal clients towards the PIX on their way to the Internet? If not, you need to add another route on the PIX so that the PIX knows the 192.168.0.0/24 network is behind the e-mail server, as that unit does the routing for this network.
Add a route on the PIX inside interface:
route inside 192.168.0.0 255.255.255.0 192.168.1.2
E-mail clients:
All mail clients have the mail server's internal IP address as their default gateway.
Default gateway = 192.168.0.3
This configuration will work 100%.
Sorry if I confused you.
sincerely
Patrick
-
Client certificate and router WebVPN
Hello!
In my test setup I cannot get my webvpn configuration to work.
I have several components: MS AD, MS CS (but without NDES), a 2911 router and a client computer. Client and router have a certificate from MS CS. In my setup I use certificate or aaa (LDAP) authentication, and aaa authentication works well. But client certificate authentication does not work. And my internal https services do not work either ("no certificate or invalid"), which is strange because I imported the CA certificate for that.
Can you help me get it working?
My 2911 version:
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.1(3)T, RELEASE SOFTWARE (fc1)
My config:
aaa authentication login webvpn group ldap local
ip local pool webvpn 192.168.200.1 192.168.200.254
 bind authenticate root-dn cn=webvpn,OU=team,dc=domain,dc=com password [email protected]
webvpn gateway vpn
 ip address (omitted) port 4443
 ssl trustpoint root-ca
 inservice
!
webvpn install svc flash0:/webvpn/anyconnect-dart-win-2.5.3055-k9.pkg sequence 1
!
webvpn context employee
 ssl authenticate verify all
 !
 login-message "VPN Portal"
 !
 policy group peche1
   url-list "inside"
   functions svc-enabled
   filter tunnel VPN-SPLIT
   svc address-pool "webvpn" netmask 255.255.255.0
   svc default-domain "domain.com"
   svc keep-client-installed
   svc split dns "domain.com"
   svc split include 192.168.0.0 255.255.0.0
   svc dns-server primary 192.168.1.1
   svc dns-server secondary 192.168.1.2
   citrix enabled
 virtual-template 1
 default-group-policy peche1
 aaa authentication list webvpn
 gateway vpn
 authentication certificate
 username-prefill
 ca trustpoint root-ca
 user-profile location flash0:/userprof
 inservice
!
crypto pki trustpoint root-ca
 enrollment terminal
 revocation-check none
 rsakeypair root-ca
!
I imported the CA certificate with pkcs12.
My debug (this happened when I was trying to access my webvpn portal and chose my MS CS certificate for access):
Jun 5 11:22:39: WV: validated_tp: cert_username: matched_ctx:
Jun 5 11:22:39: WV: could not get opssl appinfo sslvpn
Jun 5 11:22:39: WV: could not get opssl appinfo sslvpn
Jun 5 11:22:39: WV: error: no certificate validated for the client
Can someone explain to me why it does not work?
Resolved by updating IOS to version 15.2(4)M2.
Regards