Netmask 255.255.0.0 leading to strange IP addresses

Hello

My modem is an EPC3925 and my router is an E4200. All my PCs, printers, etc. are connected to the E4200 router.

Because one of my network storage devices had a static IP address outside the subnet, I decided to change the subnet mask on the E4200 and on one of my PCs to 255.255.0.0. After that, I was able to connect to the web interface of the network storage unit.

However, I could no longer connect to the E4200, so I decided to restart my PC. After that, it had a completely strange IP address that did not begin with 192.168...

I immediately reset the E4200 to factory settings to avoid further damage. I changed the subnet mask of the PC back to normal and was able to connect to the E4200 again.

Question: why did my PC receive a strange IP address? Was I connected to one of my neighbors'... DHCP servers? Or would the EPC3925 modem/router prevent that?

Thanks in advance,

SJW

Was it a 169.x IP address? That indicates it was not able to talk to a DHCP server, so your PC self-assigned an IP address.

Tags: Linksys Routers

Similar Questions

  • Getting a strange IPv4 address from the DHCP server

    Hi all

    As the title says, I got a strange IP from the DHCP server: 169.254.XXX.XXX.

    I used Wireshark and captured the bootp packets. I found that my laptop used 169.254.xxx.xxx as the source address to send the DHCP Discover.

    In addition, there is an option called Requested IP Address whose content is 169.254.xxx.xxx, the same as my source address.

    I couldn't access the Internet with this IP address.

    I was wondering, is it normal behavior for Windows 7 to use 169.254.xxx.xxx to send a DHCP Discover?

    A DHCP request is sent to the universal broadcast address 255.255.255.255, which is one of the addresses a server listens on. The request includes the MAC address of the requesting device because, at this point, it doesn't have an IP address. The DHCP server responds to the MAC address in order to assign the address.

    In your case, the 169.254 range is called an APIPA address, and the PC actually assigns it to itself because it did not see a response from the DHCP server, as the Wireshark capture you have shows.

    http://wiki.Wireshark.org/APIPA

    The client cannot send the request via this address and get a response, because the DHCP server is not listening on that address or using that range. The answer must be made via the MAC.
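    The two situations in this thread, the mismatched-mask case from the opening question and the APIPA fallback from the post above, both come down to what a host believes is on-link. The following is an added example (not from any of the posters) using only the Python standard library; every address in it is a constructed sample value.

```python
"""Added example: on-link decisions with mismatched masks, and APIPA detection.
Constructed sample addresses; not taken from the thread."""
import ipaddress

# RFC 3927 link-local range that Windows self-assigns when no DHCP server answers.
APIPA = ipaddress.ip_network("169.254.0.0/16")


def iface(addr: str, mask: str) -> ipaddress.IPv4Interface:
    """Build an interface object from a dotted address and a dotted netmask."""
    return ipaddress.IPv4Interface(f"{addr}/{mask}")


def is_apipa(addr: str) -> bool:
    """True when the host fell back to a self-assigned link-local address."""
    return ipaddress.ip_address(addr) in APIPA


def on_link(src: ipaddress.IPv4Interface, dst: str) -> bool:
    """Does `src` believe `dst` is in its own subnet (ARP directly, no gateway)?"""
    return ipaddress.ip_address(dst) in src.network


def mutual_reachability(a: ipaddress.IPv4Interface, b: ipaddress.IPv4Interface) -> dict:
    """Each host decides from its OWN mask; different masks make this asymmetric.
    This is the situation in the opening question: a /16 on the PC lets it reach
    the storage box directly, while the /24 side still routes via its gateway."""
    return {
        "a_sees_b_on_link": on_link(a, str(b.ip)),
        "b_sees_a_on_link": on_link(b, str(a.ip)),
    }


def lease_status(addr: str, mask: str, gateway: str) -> str:
    """Summarise what a host's current address says about its DHCP lease."""
    if is_apipa(addr):
        return "apipa: no DHCP lease obtained"
    if not on_link(iface(addr, mask), gateway):
        return "leased but gateway off-link"
    return "ok"


if __name__ == "__main__":
    pc = iface("192.168.1.10", "255.255.0.0")     # PC after the /16 change
    nas = iface("192.168.2.50", "255.255.255.0")  # storage box still on a /24
    print(mutual_reachability(pc, nas))
    print(lease_status("169.254.37.12", "255.255.0.0", "192.168.1.1"))
```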

  • Need help, there is a strange thing with the PIX!

    For the diagram please see www.ciscofan.com/smbc.jpg

    Now the ebs router has an NM-1CE1U and an NM-30DM, so remote clients can dial in to the network; the pboc router has a WIC-2T module and connects to the remote site via DDN. The IP address of the PIX ebs interface is x.x.45.2, the IP address of the ebs router's Ethernet is x.x.45.1, and the IP addresses the remote clients can get (the pool of IP addresses) are x.x.45.110-x.x.45.140. The PIX 515E inside interface is x.x.44.1. I am using nat 0 0 0 to avoid any NAT (think of the PIX as a router). Then the strange thing happens: after configuration, the ebs router cannot ping any address like x.x.44.x; after x.x.45.1 pings server1, both the dialer clients and the ebs router can ping server1, but cannot ping server2; after x.x.45.1 (the ebs router) pings server2, the two dialer clients and the ebs router can ping server2, and so on. That is, computers inside must ping the computers outside first, and only then can the external computers access (including ping) the inside servers. And the even stranger thing: if there isn't any traffic between ebs and the remote client (or the ebs router) for some time (maybe a few hours, but I'm not sure), the remote dialer clients or the ebs router cannot ping (access) the inside servers. For instance, after one night, in the morning, the remote dialer clients or the ebs router cannot ping x.x.44.x. It seems there is a timeout configured somewhere, but how can I set it?

    What follows is the pix (515e) configuration:

    PIX Version 6.1(4)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 intf2 security10
    nameif ethernet3 intf3 security15
    nameif ethernet4 ebs security20
    nameif ethernet5 pboc security25
    enable password n5vL encrypted
    passwd 2KFQn encrypted
    hostname pixfirewall
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 1720
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    names
    pager lines 24
    interface ethernet0 auto shutdown
    interface ethernet1 auto
    interface ethernet2 auto shutdown
    interface ethernet3 auto shutdown
    interface ethernet4 auto
    interface ethernet5 auto
    mtu outside 1500
    mtu inside 1500
    mtu intf2 1500
    mtu intf3 1500
    mtu ebs 1500
    mtu pboc 1500
    ip address outside 127.0.0.1 255.0.0.0
    ip address inside x.x.44.1 255.255.255.0
    ip address intf2 129.0.0.1 255.255.255.0
    ip address intf3 127.0.0.1 255.255.255.255
    ip address ebs x.x.45.2 255.255.255.0
    ip address pboc x.x.46.2 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    no failover
    failover timeout 0:00:00
    failover poll 15
    failover ip address outside 0.0.0.0
    failover ip address inside 0.0.0.0
    failover ip address intf3 0.0.0.0
    failover ip address ebs 0.0.0.0
    failover ip address pboc 0.0.0.0
    pdm history enable
    arp timeout 14400
    nat (inside) 0 0.0.0.0 0.0.0.0 0 0
    conduit permit icmp any any
    conduit permit ip any any
    route pboc 10.24.15.0 255.255.255.0 x.x.46.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    no sysopt route dnat

    You have no static command to create static translation slots, so you depend on outbound connections to create temporary translation slots; because these are not permanent, you will have problems.

    static (inside,outside) x.x.44.0 x.x.44.0 netmask 255.255.255.0

    Good luck.

  • Strange behaviour of PIX - cannot access all protocols from high to low security

    I have a 515 with four active interfaces (three physical and one VLAN). I have a DMZ interface with security level 6. From the inside network (security 100) I can only access hosts on the DMZ using HTTP. Ping and telnet do not work, whereas they do work when I am connected directly to the DMZ network. The DMZ network is flat and all the hosts have the PIX as their default gateway. Here is a copy of the current configuration. Am I missing something? This shouldn't be so hard!

    Thank you

    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    interface ethernet1 vlan11 logical
    interface ethernet2 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 grandhome security6
    nameif vlan11 guest security99
    hostname DBADAPIX
    clock timezone EST -5
    clock summer-time EDT recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name xx.xx.167.101 QualityAirPC_OUTSIDE
    name 192.168.100.90 QualityAirPC
    access-list rdvvpn permit ip 172.18.34.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list sheep permit ip 172.18.34.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list outside_access_in permit tcp any host QualityAirPC_OUTSIDE eq https
    pager lines 24
    logging on
    logging timestamp
    logging buffered debugging
    logging trap errors
    icmp permit any outside
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    mtu grandhome 1500
    ip address outside xx.xx.167.97 255.255.255.248
    ip address inside 172.18.34.1 255.255.255.0
    ip address grandhome 192.168.100.1 255.255.255.0
    ip address guest 192.168.10.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    arp timeout 14400
    global (outside) 1 interface
    global (grandhome) 1 interface
    nat (inside) 0 access-list sheep
    nat (inside) 1 172.18.34.0 255.255.255.0 0 0
    nat (grandhome) 1 192.168.100.0 255.255.255.0 0 0
    nat (guest) 1 192.168.10.0 255.255.255.0 0 0
    static (grandhome,outside) QualityAirPC_OUTSIDE QualityAirPC netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 xx.xx.167.102 1
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set rdvvpnset esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto map rdvvpnmap 10 ipsec-isakmp
    crypto map rdvvpnmap 10 match address rdvvpn
    crypto map rdvvpnmap 10 set peer xx.xx.71.66
    crypto map rdvvpnmap 10 set transform-set ESP-DES-SHA
    crypto map rdvvpnmap 10 set security-association lifetime seconds 43200 kilobytes 4608000
    crypto map rdvvpnmap interface outside
    isakmp enable outside
    isakmp key * address xx.xx.71.66 netmask 255.255.255.255
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 86400
    dhcpd address 172.18.34.100-172.18.34.199 inside
    dhcpd address 192.168.100.100-192.168.100.109 grandhome
    dhcpd address 192.168.10.100-192.168.10.199 guest
    dhcpd dns 64.x.37.x.39.140.42
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    dhcpd enable grandhome
    dhcpd enable guest

    To allow pings to return, you must permit the traffic; it is not allowed by default.

    Apply the ACL to the DMZ interface inbound:

    access-list dmz-in permit icmp any any echo-reply
    access-list dmz-in permit icmp any any time-exceeded
    access-list dmz-in permit icmp any any unreachable

    If you try to ping the DMZ interface itself from the inside, you can't. Telnet to that interface is not allowed either, except through an IPsec tunnel. You should be able to telnet to a server in the DMZ without problem.

  • Strange ASA 5505 behavior: SAs don't exist?

    Hello

    I just bought a new ASA 5505 to implement 2 LAN-to-LAN VPNs.

    It seems to me that it is configured correctly, but the tunnels won't come up.

    asaccb2# show crypto ipsec sa

    There are no ipsec sas

    I don't see any SAs configured even though I HAVE configured them.

    I get nothing with "debug crypto ipsec".

    I don't know what's going wrong here and I am stumped.

    This same setup has always worked on many other ASAs I have put in place.

    I also have the same problem with

    show xlate detail
    0 in use, 0 most used

    It seems that NAT and VPN are not turned on, but I have issued the nat-control command and I have assigned the crypto map to the outside interface,

    so I do not understand.

    The VPN configuration is correct in my opinion.

    my local network is 192.168.203.0/24

    my outside public address is 89.e.r.h

    my address is 192.168.203.1

    the default router for the ASA is 89.e.r.f

    First L2L:

    VPN peer 80.x.y.z

    destination networks

    80.93.77.0

    80.93.78.0

    10.174.0.0

    172.19.0.0

    my local network must be translated to 10.178.54.224/27 toward the other side of the tunnel

    Second L2L:

    VPN peer 91.a.b.c.d

    destination network 192.168.200.0/24, no individual translation of my clients toward the other side

    Here is my ASA config:

    : Saved by enable_15 at 13:11:43.279 CET Mon Feb 21 2011
    !
    ASA Version 8.2(1)
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.203.2 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 89.e.r.h 255.255.255.248
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    clock timezone CET 1
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list SEAT extended permit ip 192.168.203.0 255.255.255.0 80.93.77.0 255.255.255.0
    access-list SEAT extended permit ip 192.168.203.0 255.255.255.0 80.93.78.0 255.255.255.0
    access-list SEAT extended permit ip 192.168.203.0 255.255.255.0 10.174.0.0 255.255.0.0
    access-list SEAT extended permit ip 192.168.203.0 255.255.255.0 172.19.0.0 255.255.0.0
    access-list SEATvpn extended permit ip 10.178.54.224 255.255.255.224 80.93.77.0 255.255.255.0
    access-list SEATvpn extended permit ip 10.178.54.224 255.255.255.224 80.93.78.0 255.255.255.0
    access-list SEATvpn extended permit ip 10.178.54.224 255.255.255.224 10.174.0.0 255.255.0.0
    access-list SEATvpn extended permit ip 10.178.54.224 255.255.255.224 172.19.0.0 255.255.0.0
    access-list DVRvpn extended permit ip 192.168.203.0 255.255.255.0 192.168.200.0 255.255.255.0
    pager lines 24
    logging enable
    logging buffered debugging
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 10.178.54.224-10.178.54.254 netmask 255.255.255.224
    nat (inside) 1 access-list SEAT
    route outside 10.174.0.0 255.255.0.0 89.e.r.f 1
    route outside 80.93.77.0 255.255.255.0 89.e.r.f 1
    route outside 80.93.78.0 255.255.255.0 89.e.r.f 1
    route outside 80.93.79.168 255.255.255.255 89.e.r.f 1
    route outside 172.19.0.0 255.255.0.0 89.e.r.f 1
    route outside 192.168.200.0 255.255.255.0 89.e.r.f 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication serial console LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set SEATset esp-3des esp-md5-hmac
    crypto ipsec transform-set DVRset esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 86400
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map SEATmap 10 match address SEATvpn
    crypto map SEATmap 10 set peer 80.93.79.168
    crypto map SEATmap 10 set transform-set SEATset
    crypto map SEATmap 20 match address DVRvpn
    crypto map SEATmap 20 set peer 91.213.197.63
    crypto map SEATmap 20 set transform-set DVRset
    crypto map SEATmap interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    telnet timeout 5
    ssh 192.168.203.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0

    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    username admin password riAch9TfWXn0ZOOQ encrypted privilege 15
    tunnel-group 80.x.y.z type ipsec-l2l
    tunnel-group 80.x.y.z ipsec-attributes
     pre-shared-key *
    tunnel-group 91.a.b.c type ipsec-l2l
    tunnel-group 91.a.b.c ipsec-attributes
     pre-shared-key *
    !
    !

    Where is my mistake?

    Thank you

    Collect some captures, logs and packet-tracer output to get a better idea of what is happening to the traffic:

    1. Traffic capture on the inside, to confirm the traffic is arriving:

    access-list cap permit ip host <inside-host> host <remote-host>
    access-list cap permit ip host <remote-host> host <inside-host>
    capture cap access-list cap interface inside

    (send traffic through the tunnel)

    show cap cap

    2. Capture to see whether the ASA is dropping the packets:

    capture asp type asp-drop all

    (send traffic through the tunnel)

    show cap asp | i <inside-host>
    show cap asp | i <remote-host>

    3. Syslogs to see what happens to the traffic:

    logging buffered debugging
    logging buffer-size 1000000

    (send traffic through the tunnel)

    show log | i <inside-host>
    show log | i <remote-host>

    4. Packet-tracer to see how the ASA would hypothetically handle the traffic:

    packet-tracer input inside icmp <inside-host> 8 0 <remote-host> detail

    -heather

  • L2L VPN from 1941 to ASA

    Hi all

    I have a strange problem trying to establish a VPN between my device (1941) and a remote ASA.

    The issue, as far as I can tell, is that the IKE phase fails right after MM6. I'm not an expert in this, but I'll try to explain to the best of my knowledge.

    Here's the full debug crypto isakmp output:
    *Jun 10 05:12:05.187: ISAKMP:(1001):purging SA., sa=3AD3BE6C, delme=3AD3BE6C
    *Jun 10 05:12:05.259: ISAKMP:(0): SA request profile is (NULL)
    *Jun 10 05:12:05.259: ISAKMP: Created a peer struct for 41.223.4.83, peer port 500
    *Jun 10 05:12:05.259: ISAKMP: New peer created peer = 0x4B475724 peer_handle = 0x80000004
    *Jun 10 05:12:05.259: ISAKMP: Locking peer struct 0x4B475724, refcount 1 for isakmp_initiator
    *Jun 10 05:12:05.259: ISAKMP: local port 500, remote port 500
    *Jun 10 05:12:05.263: ISAKMP: set new node 0 to QM_IDLE
    *Jun 10 05:12:05.263: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 3AD3BE6C
    *Jun 10 05:12:05.263: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
    *Jun 10 05:12:05.263: ISAKMP:(0):found peer pre-shared key matching 41.223.4.83
    *Jun 10 05:12:05.263: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    *Jun 10 05:12:05.263: ISAKMP:(0): constructed NAT-T vendor-07 ID
    *Jun 10 05:12:05.263: ISAKMP:(0): constructed NAT-T vendor-03 ID
    *Jun 10 05:12:05.263: ISAKMP:(0): constructed NAT-T vendor-02 ID
    *Jun 10 05:12:05.263: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    *Jun 10 05:12:05.263: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

    *Jun 10 05:12:05.263: ISAKMP:(0): beginning Main Mode exchange
    *Jun 10 05:12:05.263: ISAKMP:(0): sending packet to 41.223.4.83 my_port 500 peer_port 500 (I) MM_NO_STATE
    *Jun 10 05:12:05.263: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Jun 10 05:12:05.475: ISAKMP (0): received packet from 41.223.4.83 dport 500 sport 500 Global (I) MM_NO_STATE
    *Jun 10 05:12:05.475: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Jun 10 05:12:05.475: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

    *Jun 10 05:12:05.475: ISAKMP:(0): processing SA payload. message ID = 0
    *Jun 10 05:12:05.475: ISAKMP:(0): processing vendor id payload
    *Jun 10 05:12:05.475: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    *Jun 10 05:12:05.475: ISAKMP (0): vendor ID is NAT-T RFC 3947
    *Jun 10 05:12:05.475: ISAKMP:(0): processing vendor id payload
    *Jun 10 05:12:05.475: ISAKMP:(0): processing IKE frag vendor id payload
    *Jun 10 05:12:05.475: ISAKMP:(0):Support for IKE Fragmentation not enabled
    *Jun 10 05:12:05.475: ISAKMP:(0):found peer pre-shared key matching 41.223.4.83
    *Jun 10 05:12:05.475: ISAKMP:(0): local preshared key found
    *Jun 10 05:12:05.475: ISAKMP : Scanning profiles for xauth ...
    *Jun 10 05:12:05.475: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
    *Jun 10 05:12:05.475: ISAKMP:      encryption AES-CBC
    *Jun 10 05:12:05.475: ISAKMP:      keylength of 256
    *Jun 10 05:12:05.475: ISAKMP:      hash SHA
    *Jun 10 05:12:05.475: ISAKMP:      default group 2
    *Jun 10 05:12:05.475: ISAKMP:      auth pre-share
    *Jun 10 05:12:05.475: ISAKMP:      life type in seconds
    *Jun 10 05:12:05.475: ISAKMP:      life duration (basic) of 28800
    *Jun 10 05:12:05.475: ISAKMP:(0):atts are acceptable. Next payload is 0
    *Jun 10 05:12:05.475: ISAKMP:(0):Acceptable atts:actual life: 0
    *Jun 10 05:12:05.475: ISAKMP:(0):Acceptable atts:life: 0
    *Jun 10 05:12:05.475: ISAKMP:(0):Basic life_in_seconds:28800
    *Jun 10 05:12:05.475: ISAKMP:(0):Returning Actual lifetime: 28800
    *Jun 10 05:12:05.475: ISAKMP:(0)::Started lifetime timer: 28800.

    *Jun 10 05:12:05.511: ISAKMP:(0): processing vendor id payload
    *Jun 10 05:12:05.511: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    *Jun 10 05:12:05.511: ISAKMP (0): vendor ID is NAT-T RFC 3947
    *Jun 10 05:12:05.511: ISAKMP:(0): processing vendor id payload
    *Jun 10 05:12:05.511: ISAKMP:(0): processing IKE frag vendor id payload
    *Jun 10 05:12:05.511: ISAKMP:(0):Support for IKE Fragmentation not enabled
    *Jun 10 05:12:05.511: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Jun 10 05:12:05.511: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

    *Jun 10 05:12:05.511: ISAKMP:(0): sending packet to 41.223.4.83 my_port 500 peer_port 500 (I) MM_SA_SETUP
    *Jun 10 05:12:05.511: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Jun 10 05:12:05.511: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Jun 10 05:12:05.511: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

    *Jun 10 05:12:05.727: ISAKMP (0): received packet from 41.223.4.83 dport 500 sport 500 Global (I) MM_SA_SETUP
    *Jun 10 05:12:05.727: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Jun 10 05:12:05.727: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

    *Jun 10 05:12:05.727: ISAKMP:(0): processing KE payload. message ID = 0
    *Jun 10 05:12:05.759: ISAKMP:(0): processing NONCE payload. message ID = 0
    *Jun 10 05:12:05.759: ISAKMP:(0):found peer pre-shared key matching 41.223.4.83
    *Jun 10 05:12:05.759: ISAKMP:(1003): processing vendor id payload
    *Jun 10 05:12:05.759: ISAKMP:(1003): vendor ID is Unity
    *Jun 10 05:12:05.759: ISAKMP:(1003): processing vendor id payload
    *Jun 10 05:12:05.759: ISAKMP:(1003): vendor ID seems Unity/DPD but major 104 mismatch
    *Jun 10 05:12:05.759: ISAKMP:(1003): vendor ID is XAUTH
    *Jun 10 05:12:05.759: ISAKMP:(1003): processing vendor id payload
    *Jun 10 05:12:05.763: ISAKMP:(1003): speaking to another IOS box!
    *Jun 10 05:12:05.763: ISAKMP:(1003): processing vendor id payload
    *Jun 10 05:12:05.763: ISAKMP:(1003): vendor ID seems Unity/DPD but hash mismatch
    *Jun 10 05:12:05.763: ISAKMP:received payload type 20
    *Jun 10 05:12:05.763: ISAKMP (1003): His hash no match - this node outside NAT
    *Jun 10 05:12:05.763: ISAKMP:received payload type 20
    *Jun 10 05:12:05.763: ISAKMP (1003): No NAT Found for self or peer
    *Jun 10 05:12:05.763: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Jun 10 05:12:05.763: ISAKMP:(1003):Old State = IKE_I_MM4  New State = IKE_I_MM4

    *Jun 10 05:12:05.763: ISAKMP:(1003):Send initial contact
    *Jun 10 05:12:05.763: ISAKMP:(1003):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    *Jun 10 05:12:05.763: ISAKMP (1003): ID payload
            next-payload : 8
            type         : 1
            address      : 82.117.193.82
            protocol     : 17
            port         : 500
            length       : 12
    *Jun 10 05:12:05.763: ISAKMP:(1003):Total payload length: 12
    *Jun 10 05:12:05.763: ISAKMP:(1003): sending packet to 41.223.4.83 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    *Jun 10 05:12:05.763: ISAKMP:(1003):Sending an IKE IPv4 Packet.
    *Jun 10 05:12:05.763: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Jun 10 05:12:05.763: ISAKMP:(1003):Old State = IKE_I_MM4  New State = IKE_I_MM5

    *Jun 10 05:12:05.975: ISAKMP (1003): received packet from 41.223.4.83 dport 500 sport 500 Global (I) MM_KEY_EXCH
    *Jun 10 05:12:05.975: ISAKMP:(1003): processing ID payload. message ID = 0
    *Jun 10 05:12:05.975: ISAKMP (1003): ID payload
            next-payload : 8
            type         : 1
            address      : 41.223.4.83
            protocol     : 17
            port         : 0
            length       : 12
    *Jun 10 05:12:05.975: ISAKMP:(0):: peer matches *none* of the profiles
    *Jun 10 05:12:05.975: ISAKMP:(1003): processing HASH payload. message ID = 0
    *Jun 10 05:12:05.975: ISAKMP:received payload type 17
    *Jun 10 05:12:05.979: ISAKMP:(1003):SA authentication status:
            authenticated
    *Jun 10 05:12:05.979: ISAKMP:(1003):SA has been authenticated with 41.223.4.83
    *Jun 10 05:12:05.979: ISAKMP: Trying to insert a peer 82.117.193.82/41.223.4.83/500/,  and inserted successfully 4B475724.
    *Jun 10 05:12:05.979: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Jun 10 05:12:05.979: ISAKMP:(1003):Old State = IKE_I_MM5  New State = IKE_I_MM6

    *Jun 10 05:12:05.979: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Jun 10 05:12:05.979: ISAKMP:(1003):Old State = IKE_I_MM6  New State = IKE_I_MM6

    *Jun 10 05:12:05.979: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Jun 10 05:12:05.979: ISAKMP:(1003):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

    *Jun 10 05:12:05.979: ISAKMP:(1003):beginning Quick Mode exchange, M-ID of 2434392874
    *Jun 10 05:12:05.979: ISAKMP:(1003):QM Initiator gets spi
    *Jun 10 05:12:05.979: ISAKMP:(1003): sending packet to 41.223.4.83 my_port 500 peer_port 500 (I) QM_IDLE
    *Jun 10 05:12:05.979: ISAKMP:(1003):Sending an IKE IPv4 Packet.
    *Jun 10 05:12:05.979: ISAKMP:(1003):Node 2434392874, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
    *Jun 10 05:12:05.979: ISAKMP:(1003):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
    *Jun 10 05:12:05.979: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    *Jun 10 05:12:05.979: ISAKMP:(1003):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

    *Jun 10 05:12:06.195: ISAKMP (1003): received packet from 41.223.4.83 dport 500 sport 500 Global (I) QM_IDLE
    *Jun 10 05:12:06.195: ISAKMP: set new node 169965215 to QM_IDLE
    *Jun 10 05:12:06.195: ISAKMP:(1003): processing HASH payload. message ID = 169965215
    *Jun 10 05:12:06.195: ISAKMP:(1003): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
            spi 0, message ID = 169965215, sa = 0x3AD3BE6C
    *Jun 10 05:12:06.199: ISAKMP:(1003):deleting node 169965215 error FALSE reason "Informational (in) state 1"
    *Jun 10 05:12:06.199: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    *Jun 10 05:12:06.199: ISAKMP:(1003):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

    *Jun 10 05:12:06.199: ISAKMP (1003): received packet from 41.223.4.83 dport 500 sport 500 Global (I) QM_IDLE
    *Jun 10 05:12:06.199: ISAKMP: set new node 1149953416 to QM_IDLE
    *Jun 10 05:12:06.199: ISAKMP:(1003): processing HASH payload. message ID = 1149953416
    *Jun 10 05:12:06.199: ISAKMP:(1003): processing DELETE payload. message ID = 1149953416
    *Jun 10 05:12:06.199: ISAKMP:(1003):peer does not do paranoid keepalives.

    *Jun 10 05:12:06.199: ISAKMP:(1003):deleting SA reason "No reason" state (I) QM_IDLE       (peer 41.223.4.83)
    *Jun 10 05:12:06.199: ISAKMP:(1003):deleting node 1149953416 error FALSE reason "Informational (in) state 1"
    *Jun 10 05:12:06.199: ISAKMP: set new node 613686650 to QM_IDLE
    *Jun 10 05:12:06.199: ISAKMP:(1003): sending packet to 41.223.4.83 my_port 500 peer_port 500 (I) QM_IDLE
    *Jun 10 05:12:06.199: ISAKMP:(1003):Sending an IKE IPv4 Packet.
    *Jun 10 05:12:06.199: ISAKMP:(1003):purging node 613686650
    *Jun 10 05:12:06.199: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    *Jun 10 05:12:06.199: ISAKMP:(1003):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

    *Jun 10 05:12:06.199: ISAKMP:(1003):deleting SA reason "No reason" state (I) QM_IDLE       (peer 41.223.4.83)
    *Jun 10 05:12:06.199: ISAKMP: Unlocking peer struct 0x4B475724 for isadb_mark_sa_deleted(), count 0
    *Jun 10 05:12:06.199: ISAKMP: Deleting peer node by peer_reap for 41.223.4.83: 4B475724
    *Jun 10 05:12:06.203: ISAKMP:(1003):deleting node -1860574422 error FALSE reason "IKE deleted"
    *Jun 10 05:12:06.203: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Jun 10 05:12:06.203: ISAKMP:(1003):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

    *Jun 10 05:12:25.187: ISAKMP:(1002):purging node 1140237073

    Installed IOS is c1900-universalk9-mz.SPA.154-3.M5.bin

    Before that, I had 15.3; same thing.

    BGPR1#sho run
    Building configuration...

    Current configuration : 5339 bytes
    !
    ! Last configuration change at 05:19:14 UTC Fri Jun 10 2016 by boris
    !
    version 15.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname BGPR1
    !
    boot-start-marker
    boot system flash0:c1900-universalk9-mz.SPA.154-3.M5.bin
    boot-end-marker
    !
    !
    logging buffered 51200 warnings
    !
    no aaa new-model
    !
    !
    ip flow-cache timeout active 1
    ip cef
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    cts logging verbose
    !
    crypto pki trustpoint TP-self-signed-
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-
     revocation-check none
     rsakeypair TP-self-signed-3992366821
    !
    !
    crypto pki certificate chain TP-self-signed-
     certificate self-signed 01
      quit
    license udi pid CISCO1941/K9 sn CF
    !
    !
    username
    username
    !
    redundancy
    !
    !
    no crypto ikev2 diagnose error
    !
    !
    crypto isakmp policy 1
     encr aes 256
     authentication pre-share
     group 2
     lifetime 28800
    crypto isakmp key * address 41.223.4.83
    !
    !
    crypto ipsec transform-set Meridian ah-sha-hmac esp-aes 256
     mode tunnel
    !
    !
    crypto map Meridian 10 ipsec-isakmp
     description VODACOM VPN
     set peer 41.223.4.83
     set security-association lifetime seconds 86400
     set transform-set Meridian
     match address 100
    !
    !
    interface Embedded-Service-Engine0/0
     no ip address
     shutdown
    !
    interface GigabitEthernet0/0
     description peer na Telekom
     ip address 79.101.96.6 255.255.255.252
     ip flow ingress
     ip flow egress
     duplex auto
     speed auto
     no cdp enable
    !
    interface GigabitEthernet0/1
     description peer na SBB
     ip address 82.117.193.82 255.255.255.252
     ip flow ingress
     ip flow egress
     duplex auto
     speed auto
     no cdp enable
     crypto map Meridian
    !
    interface FastEthernet0/0/0
     no ip address
    !
    interface FastEthernet0/0/1
     no ip address
    !
    interface FastEthernet0/0/2
     no ip address
    !
    interface FastEthernet0/0/3
     switchport access vlan 103
     no ip address
    !
    interface Vlan1
     ip address 37.18.184.1 255.255.255.0
     ip flow ingress
     ip flow egress
    !
    interface Vlan103
     ip address 10.10.10.1 255.255.255.0
    !
    router bgp 198370
     bgp log-neighbor-changes
     network 37.18.184.0 mask 255.255.255.0
     neighbor 10.10.10.2 remote-as 201047
     neighbor 10.10.10.2 route-map T-OUT out
     neighbor 79.101.96.5 remote-as 8400
     neighbor 79.101.96.5 fall-over
     neighbor 79.101.96.5 route-map LOCALPREF in
     neighbor 79.101.96.5 route-map T-OUT out
     neighbor 82.117.193.81 remote-as 31042
     neighbor 82.117.193.81 fall-over
     neighbor 82.117.193.81 route-map LocalOnly out
    !
    ip forward-protocol nd
    !
    ip as-path access-list 10 permit ^$
    ip as-path access-list 20 permit ^31042$
    no ip http server
    ip http authentication local
    no ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip flow-export source Vlan1
    ip flow-export version 5 peer-as
    ip flow-export destination 37.18.184.8 2055
    !
    ip route 37.18.184.0 255.255.255.0 Null0
    ip route 104.28.15.63 255.255.255.255 79.101.96.5
    ip route 217.26.67.79 255.255.255.255 79.101.96.5
    !
    !
    ip prefix-list Filter_IN_Telekom seq 10 permit 0.0.0.0/0
    !
    route-map T-OUT permit 10
     match as-path 10
    !
    route-map LOCALPREF permit 10
     set local-preference 90
    !
    route-map SBBOnly permit 10
     match as-path 20
    !
    route-map LocalOnly permit 10
     match as-path 10
    !
    !
    snmp-server community m3r1d1an RO
    snmp-server ifindex persist
    access-list 100 permit ip host 37.18.184.4 41.217.203.234
    access-list 100 permit ip host 37.18.184.169 41.217.203.234
    !
    control-plane
    !
    !
    line con 0
     logging synchronous
     login local
    line aux 0
    line 2
     no activation-character
     no exec
     transport preferred none
     transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
     stopbits 1
    line vty 0 4
     privilege level 15
     login local
     transport input ssh
    line vty 5 15
     privilege level 15
     login local
     transport input ssh
    !
    scheduler allocate 20000 1000
    !
    end

    BGPR1#

    BGPR1#sho cry isa sa

    IPv4 Crypto ISAKMP SA

    dst             src             state          conn-id status

    41.223.4.83     82.117.193.82   MM_NO_STATE       1106 ACTIVE (deleted)

    41.223.4.83     82.117.193.82   MM_NO_STATE       1105 ACTIVE (deleted)

    For "sho cry ipsec sa" I only get a lot of send errors.

    For the other end, I was given all the settings; I have no access to that device, and they insist that this is a simple setup and that any problem is on my side.

    I tried juggling the order of the access list, the crypto map security association lifetime and all the "googlable" solutions that I could find.

    Any input appreciated.

    Double-check that phase 2 matches on the ASA, including PFS.

    crypto ipsec transform-set meridian ah-sha-hmac esp-aes 256
     mode tunnel
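The reply above points at phase 2, so here is a checker for the phase-2 settings that must agree on both peers; it is an added example for this thread, not the poster's or Cisco's code. IOS_SIDE reuses the Meridian transform set, crypto map and ACL 100 addresses from the post (with `host` on both ACL endpoints); PEER_SIDE is a constructed ASA-style excerpt standing in for the remote end the poster cannot see, and the script reports mismatches in transform set, PFS, SA lifetime and mirrored proxy identities.

```python
"""Compare IPsec phase-2 parameters of two peers from their config excerpts.

Added example for this thread, not the poster's or Cisco's code.
IOS_SIDE reuses the Meridian transform set, crypto map and ACL 100 from the
post (with 'host' on both ACL endpoints); PEER_SIDE is a constructed
ASA-style excerpt standing in for the remote end the poster cannot see.
"""
import re
from ipaddress import ip_network


def _endpoint(tok, i, wildcard):
    """Consume one ACL endpoint ('any', 'host A', or 'A MASK') at tok[i]."""
    if tok[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ip_network(tok[i + 1] + "/32"), i + 2
    mask = tok[i + 1]
    if wildcard:  # IOS numbered ACLs use wildcard bits; invert them into a netmask
        mask = ".".join(str(255 - int(o)) for o in mask.split("."))
    return ip_network(f"{tok[i]}/{mask}", strict=False), i + 2


def parse_phase2(config):
    """Return the negotiable phase-2 settings found in an IOS or ASA excerpt."""
    p = {"transform": set(), "pfs": "none", "lifetime": 3600, "acl": None, "proxy": set()}
    acl_lines = []
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto ipsec transform-set \S+ (.+)", line)
        if m:
            # IOS prints "esp-aes 256", ASA "esp-aes-256": normalise to one spelling
            p["transform"] = set(re.sub(r"(esp-\w+) (\d+)", r"\1-\2", m.group(1)).split())
        elif "set pfs" in line:
            p["pfs"] = line.split()[-1]
        elif "lifetime seconds" in line:
            p["lifetime"] = int(line.split()[-1])
        elif "match address" in line:
            p["acl"] = line.split()[-1]
        elif line.startswith("access-list"):
            acl_lines.append(line.split())
    for tok in acl_lines:  # proxy identities come from the ACL the crypto map references
        if tok[1] != p["acl"] or "permit" not in tok:
            continue
        wildcard = "extended" not in tok  # numbered IOS ACL vs ASA extended ACL
        i = tok.index("permit") + 2       # skip "permit ip"
        src, i = _endpoint(tok, i, wildcard)
        dst, _ = _endpoint(tok, i, wildcard)
        p["proxy"].add((src, dst))
    return p


def compare(local, peer):
    """List what stops quick mode from agreeing; an empty list means the settings line up."""
    issues = []
    if local["transform"] != peer["transform"]:
        issues.append(f"transform set: local {sorted(local['transform'])} "
                      f"vs peer {sorted(peer['transform'])}")
    if local["pfs"] != peer["pfs"]:
        issues.append(f"PFS: local {local['pfs']} vs peer {peer['pfs']}")
    if local["lifetime"] != peer["lifetime"]:
        issues.append(f"SA lifetime: {local['lifetime']} vs {peer['lifetime']} "
                      "(negotiated down to the lower value, not fatal)")
    mirrored = {(d, s) for s, d in peer["proxy"]}  # peer's src/dst must be our dst/src
    if local["proxy"] != mirrored:
        issues.append("proxy identities are not mirror images of each other")
    return issues


IOS_SIDE = """
crypto ipsec transform-set Meridian ah-sha-hmac esp-aes 256
 mode tunnel
crypto map Meridian 10 ipsec-isakmp
 set peer 41.223.4.83
 set security-association lifetime seconds 86400
 set transform-set Meridian
 match address 100
access-list 100 permit ip host 37.18.184.4 host 41.217.203.234
access-list 100 permit ip host 37.18.184.169 host 41.217.203.234
"""

PEER_SIDE = """
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
access-list VPN extended permit ip host 41.217.203.234 host 37.18.184.4
access-list VPN extended permit ip host 41.217.203.234 host 37.18.184.169
crypto map outside_map 10 match address VPN
crypto map outside_map 10 set pfs group2
crypto map outside_map 10 set peer 82.117.193.82
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto map outside_map 10 set security-association lifetime seconds 28800
"""

if __name__ == "__main__":
    for issue in compare(parse_phase2(IOS_SIDE), parse_phase2(PEER_SIDE)):
        print("-", issue)
```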
  • Static command

    I have the following scenario:

    Internet - FW (non-cisco, to be replaced) - FW (525) - Campus.

    The legacy firewall will be replaced over a period of more than 3 months. I will keep it online and move the new 525 behind it, 'allowing' all traffic. Then I'll gradually move most of my ACLs from the old FW to the new one.

    My question concerns the static command. Even with conduit permit any any, or object groups that pass everything, I still have to create

    static (inside,outside) ip ip

    entries for each server that will be seen from outside my network. Otherwise, there is no xlate translation (unless I send packets from inside to outside, which creates it automatically).

    Since I have a lot of campus-wide servers, creating statics manually is really painful. Is there another way to allow the translation to occur? Or is there another way to allow outsiders access to my servers?

    e.g. a static for the whole subnet?

    That said, I also have 2 functional PIX questions. I've read conflicting reports about some Cisco commands and I don't know which ones are valid.

    Does nat 0 disable the Cisco Adaptive Security Algorithm for the specified entries?

    Does the static command disable the Cisco Adaptive Security Algorithm for the specified entries?

    Urgent help is appreciated because I need to install the new firewall this weekend (2-4 hours on Sunday morning).

    Thanks in advance.

    SP

    static (inside,outside) 1.2.3.0 1.2.3.0 netmask 255.255.255.0

    would be a static to the outside interface, indicating that the whole 1.2.3.0/24 subnet resides on the inside interface

  • PIX SMTP NAT or port-based NAT?

    I have what may seem like a strange question...

    I have a client with a PIX and an SMTP server inside their network. They were using port-based NAT via the following command (all IP addresses are changed to protect the innocent):

    static (inside,outside) tcp 1.1.1.1 smtp 192.168.0.1 smtp netmask 255.255.255.255

    It worked well for incoming and outgoing email except when going to particular mail servers. What was happening was that they were receiving bounce messages as below:

    Where IP address 1.1.1.2 matched the client's global command.

    Once I changed the nat to use a normal NAT rather than a port-based one, everything worked well. i.e.

    static (inside,outside) 1.1.1.1 192.168.0.1 netmask 255.255.255.255

    My question is: can I make port-based NAT work for IP addressing in both directions, or am I stuck with using a single-IP NAT?

    I guess what is happening is that the port-based NAT only looks at conversations from the incoming direction (i.e. the conversation is with port 25 on 192.168.0.1), not conversations from the outgoing direction (i.e. the conversation is with port 25 on an external IP address).

    Rgds,

    Peter

    Excellent analysis, and you are right on. Just a simple config setting that most people miss. Try the following:

    static (inside,outside) tcp 1.1.1.1 smtp 192.168.0.1 smtp netmask 255.255.255.255

    global (outside) 2 1.1.1.1

    nat (inside) 2 192.168.0.1 255.255.255.255

    The static will match traffic from port 25 on the mail server. So when your mail server sends outgoing traffic on a port other than 25, it uses the nat/global configuration you have defined for the other hosts on the inside interface, which the other e-mail server obviously doesn't like.

    Hope that's clear, but if not, let me know.

    Scott

  • static PAT statements, need help...

    Hi all

    I am trying to set up a mail server; for the time being, for reasons I won't go into, I can't put it on the DMZ. So it is sitting on the inside interface of the 515e firewall.

    I have the internal IP address of the server as 192.168.50.13, and inside the network I can send, receive email etc. on this server. This is a new server, so I recently set up my A and MX records. When querying the domain name from outside, the correct IP address is now returned for the domain name. However, I can't see my e-mail server from the outside world. When running a DNS query on the MX record, I get no response.

    The problem is at the PIX level. My static statements do not seem to work.

    One of my 4 static statements works (for our Terminal Services server), but the other 3 entries do not.

    They are as follows:

    static (inside,outside) tcp MainOffice 3389 192.168.50.75 3389 netmask 255.255.255.255 0 0

    static (inside,outside) tcp MainOffice smtp 192.168.50.13 smtp netmask 255.255.255.255 0 0

    static (inside,outside) tcp MainOffice pop3 192.168.50.13 pop3 netmask 255.255.255.255 0 0

    static (inside,outside) tcp MainOffice telnet 192.168.50.201 telnet netmask 255.255.255.255 0 0

    (the last entry is just to test and see if I could even host a standard telnet server from my local win2k box and see it through the firewall; the test failed. I can telnet in via the local IP address, .201, but not through the external IP, MainOffice.)

    As other things elsewhere in the PIX config often seem to affect the issues I have :), I have included a complete running-config listing below for those who would like to reference it. Thank you for your time.

    Another strange thing of note: with this current config I can't ping my external interface IP from either an external or an internal IP. I have my ICMP entries set and thought I should be able to, but can't. It is not as important a question as the one above.

    Dave

    :

    PIX Version 6.2(2)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 intf2 security10
    hostname YRPCI
    domain-name yrpci.com
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    fixup protocol http 8080
    fixup protocol ftp 22
    names
    name x.x.71.8 ConstOffice
    name x.x.81.11 BftOffice
    name x.x.71.7 MainOffice
    access-list acl_outbound permit ip host 192.168.50.10 any
    access-list acl_outbound permit ip host 192.168.50.75 any
    access-list acl_outbound permit ip host 192.168.50.201 any
    access-list acl_outbound permit ip host 192.168.50.202 any
    access-list acl_outbound permit tcp host 192.168.50.203 any
    access-list acl_outbound permit tcp host 192.168.50.204 any
    access-list acl_outbound permit tcp host 192.168.50.205 any
    access-list acl_outbound permit tcp host 192.168.50.206 any
    access-list acl_outbound permit tcp host 192.168.50.207 any
    access-list acl_outbound permit tcp host 192.168.50.208 any
    access-list acl_outbound permit tcp host 192.168.50.209 any
    access-list acl_outbound permit tcp host 192.168.50.210 any
    access-list acl_outbound permit tcp host 192.168.50.211 any
    access-list acl_outbound permit tcp host 192.168.50.212 any
    access-list acl_outbound permit tcp host 192.168.50.213 any
    access-list acl_outbound permit tcp host 192.168.50.214 any
    access-list acl_outbound permit tcp host 192.168.50.215 any
    access-list acl_outbound permit tcp host 192.168.50.216 any
    access-list acl_outbound permit tcp host 192.168.50.217 any
    access-list acl_outbound permit tcp host 192.168.50.218 any
    access-list acl_outbound permit tcp host 192.168.50.219 any
    access-list acl_outbound permit tcp host 192.168.50.220 any
    access-list acl_outbound permit tcp host 192.168.50.221 any
    access-list acl_outbound permit tcp host 192.168.50.222 any
    access-list acl_outbound permit tcp host 192.168.50.223 any
    access-list acl_outbound permit tcp host 192.168.50.224 any
    access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq smtp
    access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq pop3
    access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 host 192.168.51.0
    access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 host 192.168.52.0
    access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 host 192.168.53.0
    access-list acl_outbound permit ip host 192.168.50.51 any
    access-list acl_outbound permit tcp host 192.168.50.11 any
    access-list acl_outbound permit ip host 192.168.50.13 any
    access-list acl_outbound permit tcp host 192.168.50.225 any
    access-list acl_inbound permit tcp any host MainOffice eq 3389
    access-list acl_inbound permit icmp any any echo-reply
    access-list acl_inbound permit icmp any any time-exceeded
    access-list acl_inbound permit icmp any any unreachable
    access-list acl_inbound permit ip host MainOffice any
    access-list acl_inbound permit tcp any any eq ssh
    access-list 101 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
    access-list 102 permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
    access-list 100 permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
    access-list 100 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
    access-list 100 permit ip 192.168.50.0 255.255.255.0 192.168.53.0 255.255.255.0
    access-list 103 permit ip 192.168.50.0 255.255.255.0 192.168.53.0 255.255.255.0
    pager lines 24
    logging on
    logging timestamp
    logging console debugging
    logging buffered warnings
    logging trap warnings
    logging history warnings
    logging host inside 192.168.50.201
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto shutdown
    icmp permit host MainOffice outside
    icmp permit host ConstOffice outside
    icmp permit any unreachable outside
    icmp permit any echo-reply outside
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    mtu intf2 1500
    ip address outside pppoe setroute
    ip address inside 192.168.50.1 255.255.255.0
    ip address intf2 127.0.0.1 255.255.255.255
    ip audit info action alarm
    ip audit attack action alarm
    no pdm history enable
    arp timeout 14400
    global (outside) 2 interface
    nat (inside) 0 access-list 100
    nat (inside) 2 192.168.50.0 255.255.255.0 0 0
    static (inside,outside) tcp MainOffice 3389 192.168.50.75 3389 netmask 255.255.255.255 0 0
    static (inside,outside) tcp MainOffice smtp 192.168.50.13 smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp MainOffice pop3 192.168.50.13 pop3 netmask 255.255.255.255 0 0
    static (inside,outside) tcp MainOffice telnet 192.168.50.201 telnet netmask 255.255.255.255 0 0
    access-group acl_inbound in interface outside
    access-group acl_outbound in interface inside
    timeout xlate 08:00
    timeout conn 06:00 half-closed 07:00 udp 07:00 rpc 07:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 07:30 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.50.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    no sysopt route dnat
    crypto ipsec transform-set RIGHT esp-des esp-sha-hmac
    crypto map vpn1 10 ipsec-isakmp
    crypto map vpn1 10 match address 102
    crypto map vpn1 10 set pfs group2
    crypto map vpn1 10 set peer ConstOffice
    crypto map vpn1 10 set transform-set RIGHT
    crypto map vpn1 20 ipsec-isakmp
    crypto map vpn1 20 match address 101
    crypto map vpn1 20 set pfs group2
    crypto map vpn1 20 set peer BftOffice
    crypto map vpn1 20 set transform-set RIGHT
    crypto map vpn1 interface outside
    isakmp enable outside
    isakmp key * address ConstOffice netmask 255.255.255.255
    isakmp key * address BftOffice netmask 255.255.255.255
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash sha
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 86400
    telnet ConstOffice 255.255.255.255 outside
    telnet 192.168.51.0 255.255.255.0 outside
    telnet 192.168.52.0 255.255.255.0 outside
    telnet BftOffice 255.255.255.255 outside
    telnet 192.168.50.0 255.255.255.0 inside
    telnet timeout 10
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 192.168.50.0 255.255.255.0 inside
    ssh timeout 20
    vpdn group pppoex request dialout pppoe
    vpdn group pppoex localname xxxxxxxxx
    vpdn group pppoex ppp authentication pap
    vpdn username xxxxxxxxxx password *
    terminal width 80
    : end

    Well, I'll be a son-of-a-b!*$@!!! I don't know what I'm talking about then! Ha ha.

    I'm just glad that it works for you, and maybe someone else watching can help us understand it.

    Later.

  • Policy static NAT in conflict with VPN NAT

    I have a situation where I need to create a site-to-site VPN between an ASA 5505 running 7.2 and a Sonicwall NSA4500. The problem arises because the LAN behind the Cisco ASA has the same subnet as an existing VPN already created on the Sonicwall. Since the Sonicwall cannot have two VPNs running on the same subnet, the solution is to use policy NAT on the ASA so that, to the Sonicwall, the new VPN appears to have a different subnet.

    The current subnet behind the ASA is 192.168.10.0/24 (the Sonicwall already has a VPN created for another customer with the same subnet). I am trying to translate it to 192.168.24.0/24. The peer LAN (behind the Sonicwall) is 10.159.0.0/24. The relevant ASA configuration is:

    interface Vlan1
     ip address 192.168.10.1 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 192.168.24.0 255.255.255.0 10.159.0.0 255.255.255.0
    access-list VPN extended permit ip 192.168.10.0 255.255.255.0 10.159.0.0 255.255.255.0
    static (inside,outside) 192.168.24.0 access-list VPN
    crypto map outside_map 1 match address outside_1_cryptomap

    In addition, there are other static NAT statements and their associated ACLs that allow certain traffic through the firewall to the server, for example:

    static (inside,outside) tcp interface smtp SERVER smtp netmask 255.255.255.255

    The problem is this: when I enter the policy static NAT statement, I get the message "WARNING: real-address conflict with existing static" and then it refers to each of the static NAT statements mapping the external address to the server. I've thought about it, and it seemed to me that the problem was that the policy NAT statement must be the first NAT statement (it is the last one) so that it is evaluated first and all traffic destined for the VPN tunnel to the Sonicwall (destination 10.159.0.0/24) would be handled properly. If I left it as the last statement, then the other static NAT statements would prevent part of the traffic bound for the 10.159.0.0/24 network from being correctly routed through the VPN.

    So, I first tried to move my policy NAT statement up in the ASDM GUI. However, moving the statement was not allowed. Then I tried deleting the five static NAT statements that point to the server (an example is above) and then recreating them, hoping that would move the policy NAT statement up. This also failed.

    What am I missing?

    Hello

    I assumed that we could have changed the order of the original 'static' commands, but as it did not work for some reason, it seems to me that the change you suggested or that I proposed should work.

    I guess your purpose was to set up policy static PAT for the VPN for some of these services, then static PAT for public network access, then policy static NAT for the rest of the internal network.

    I guess you could choose whichever way seems best for you.

    Let me know if you get it working. I still find it strange that the original configuration did not work.

    Remember to mark a reply as the answer if it answered your question.

    Feel free to ask more if necessary

    -Jouni
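The xlate selection that Scott describes for the port-based static in the PIX SMTP thread, and the static ordering this thread runs into, modelled in Python as an added example (not Cisco's code or either poster's configuration); the rule order it assumes is stated in the docstring, and the 203.0.113.1 and 198.51.100.25 addresses are constructed.

```python
"""Which translation a classic PIX/ASA (pre-8.3 syntax) picks for an outbound
connection. Added example for the two threads, not the firewall's code.
Assumed rule order, simplified from Cisco's documented NAT order: nat 0 with
an ACL (exemption) first; then static NAT/PAT entries in configuration order,
where a static PAT matches only when the real port matches and a policy
static only when its ACL matches; then nat/global, where the most specific
nat statement wins. 203.0.113.1 and 198.51.100.25 are constructed addresses.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Static:
    mapped: str                          # mapped (outside) address or network
    real: str                            # real (inside) host or network
    real_mask: str = "255.255.255.255"
    real_port: Optional[int] = None      # set -> static PAT
    mapped_port: Optional[int] = None
    policy_dst: Optional[str] = None     # set -> policy static (its ACL destination)


@dataclass
class Dynamic:
    nat_id: int
    real_net: str                        # "0.0.0.0/0" for 'nat (inside) 1 0 0'
    global_addr: str                     # address given by the matching 'global'


Result = Tuple[str, Optional[int], str]  # mapped source, mapped port (None: PAT picks one), rule


def translate_outbound(flow: Flow, exempt: List[Tuple[str, str]],
                       statics: List[Static], dynamics: List[Dynamic]) -> Optional[Result]:
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    for real_net, dst_net in exempt:                            # 1. nat 0 access-list
        if src in ip_network(real_net) and dst in ip_network(dst_net):
            return flow.src, flow.sport, "nat 0 access-list: untranslated"
    for s in statics:                                           # 2. statics, config order
        real_net = ip_network(f"{s.real}/{s.real_mask}", strict=False)
        if src not in real_net or (s.policy_dst and dst not in ip_network(s.policy_dst)):
            continue
        if s.real_port is not None:                             # static PAT: real port must match
            if flow.sport != s.real_port:
                continue
            return s.mapped, s.mapped_port, f"static PAT {s.real}:{s.real_port}"
        offset = int(src) - int(real_net.network_address)       # network static keeps host bits
        mapped = str(ip_address(int(ip_address(s.mapped)) + offset))
        return mapped, flow.sport, ("policy " if s.policy_dst else "") + f"static {s.real}"
    best = None                                                 # 3. nat/global, most specific wins
    for d in dynamics:
        net = ip_network(d.real_net, strict=False)
        if src in net and (best is None or net.prefixlen > ip_network(best.real_net, strict=False).prefixlen):
            best = d
    if best is None:
        return None                                             # no xlate: the packet is dropped
    return best.global_addr, None, f"nat (inside) {best.nat_id} / global (outside) {best.nat_id}"


# Peter's mail server: static PAT for port 25, everything else on the shared nat 1/global.
SMTP_PAT = Static("1.1.1.1", "192.168.0.1", real_port=25, mapped_port=25)
SHARED = Dynamic(1, "0.0.0.0/0", "1.1.1.2")
OUTBOUND_MAIL = Flow("192.168.0.1", 40000, "198.51.100.25", 25)   # constructed

def mail_before_fix() -> Result:
    """Outbound SMTP leaves from an ephemeral port, so the PAT is skipped: 1.1.1.2 is used."""
    return translate_outbound(OUTBOUND_MAIL, [], [SMTP_PAT], [SHARED])

def mail_after_fix() -> Result:
    """Scott's host-specific nat 2 / global 2 pair is more specific than nat 1."""
    dedicated = Dynamic(2, "192.168.0.1/32", "1.1.1.1")
    return translate_outbound(OUTBOUND_MAIL, [], [SMTP_PAT], [SHARED, dedicated])

# Policy NAT thread: server static PAT plus a policy static for the VPN subnet.
SERVER_PAT = Static("203.0.113.1", "192.168.10.5", real_port=25, mapped_port=25)
VPN_POLICY = Static("192.168.24.0", "192.168.10.0", "255.255.255.0", policy_dst="10.159.0.0/24")
TO_VPN = Flow("192.168.10.5", 25, "10.159.0.10", 25)             # constructed

def policy_static_last() -> Result:
    """PAT configured first: server traffic into the tunnel is mapped to 203.0.113.1."""
    return translate_outbound(TO_VPN, [], [SERVER_PAT, VPN_POLICY], [])

def policy_static_first() -> Result:
    """Policy static first: the same traffic becomes 192.168.24.5 as intended."""
    return translate_outbound(TO_VPN, [], [VPN_POLICY, SERVER_PAT], [])

if __name__ == "__main__":
    for case in (mail_before_fix, mail_after_fix, policy_static_last, policy_static_first):
        print(f"{case.__name__:20s} -> {case()}")
```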

  • PIX stops passing all traffic on entering a crypto command

    I have a strange problem with a PIX 515 6.1(2).

    I have 3 VPN tunnels already implemented. While trying to set up a 4th, the PIX stops passing all traffic. It happens precisely when I enter ANY "crypto map" command.

    Cancelling the command using "no crypto map ..." or "clear xlate" is no help either. The PIX must be restarted before traffic flows again. The CPU usage drops to zero and my telnet session to the PIX remains connected.

    Anyone have any ideas?

    I put the relevant configuration below:

    access-list sheep permit ip 172.50.0.0 255.255.0.0 192.168.0.0 255.255.0.0
    access-list sheep permit ip 172.50.0.0 255.255.0.0 10.0.0.0 255.0.0.0
    access-list acl_vpn1 permit ip 172.50.0.0 255.255.255.0 192.168.0.0 255.255.0.0
    access-list acl_vpn2 permit ip 172.50.0.0 255.255.255.0 10.0.0.0 255.255.255.0
    access-list acl_vpn3 permit ip 172.50.0.0 255.255.255.0 10.50.0.0 255.255.255.0
    nat (inside) 0 access-list sheep
    sysopt connection permit-ipsec
    no sysopt route dnat
    crypto ipsec transform-set support esp-des esp-md5-hmac
    crypto map toVPNs 10 ipsec-isakmp
    crypto map toVPNs 10 match address acl_vpn1
    crypto map toVPNs 10 set peer 1xx.xxx.xxx.xxx
    crypto map toVPNs 10 set transform-set support
    crypto map toVPNs 12 ipsec-isakmp
    crypto map toVPNs 12 match address acl_vpn2
    crypto map toVPNs 12 set peer 2xx.xxx.xxx.xxx
    crypto map toVPNs 12 set transform-set support
    crypto map toVPNs 14 ipsec-isakmp
    crypto map toVPNs 14 match address acl_vpn3
    crypto map toVPNs 14 set peer 3xx.xxx.xxx.xxx
    crypto map toVPNs 14 set transform-set support
    crypto map toVPNs interface outside
    isakmp enable outside
    isakmp key * address 1xx.xxx.xxx.xxx netmask 255.255.255.255
    isakmp key * address 2xx.xxx.xxx.xxx netmask 255.255.255.255
    isakmp key * address 3xx.xxx.xxx.xxx netmask 255.255.255.255
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption des
    isakmp policy 1 hash md5
    isakmp policy 1 group 1
    isakmp policy 1 lifetime 43200

    Hi Ishaq,

    Please make sure you remove the crypto map from the interface by doing a "no crypto map toVPNs interface outside" and then add the necessary commands before reattaching the crypto map. Usually, when we add a new "crypto map toVPNs xx ipsec-isakmp" command without removing the crypto map, it starts to encrypt all traffic passing through the PIX. After you make the required changes, reapply the crypto map.

    Hope this helps,

    Kind regards

    Abdelouahed

    -=-=-

  • PIX 515 not passing traffic on the new IP addresses

    We have received a new range of IPs, 213.x.x.x/28, from our ISP. They are routed through our existing gateway 92.x.x.146.

    The problem:
    We cannot get any traffic to the pix on the new 213.x.x.x/28 range.
    - If we try to ping 213.x.x.61, we get time-to-live exceeded.
    - The ISP gets the same thing from their router.
    - The ISP tries ssh and gets no route to host.

    The ISP has since double-checked the routing and the MAC address of our external interface. They are correct.

    The strange thing is that we cannot see ANY log messages about incoming connection attempts to the new range. The Pix is running at log level 7.

    Does anyone have an idea what the problem could be? Or suggestions for debugging the issue?

    Excerpt from config:
    Pix 515 running 7.0(7) standalone
    outside 92.x.x.146 255.255.255.240
    inside 192.168.101.1 255.255.255.0
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 92.x.x.145 1
    access-group acl_out in interface outside
    access-list acl_out extended permit tcp any host 213.x.x.x eq www
    access-list acl_out extended permit tcp any host 213.x.x.x eq ssh
    static (inside,outside) 213.x.x.61 192.168.101.99 netmask 255.255.255.255
    icmp permit any unreachable outside

    192.168.101.99 is a test linux server with http and ssh

    Any help much appreciated.

    PM

    dsc_tech_1 wrote:

    I have spoken to the ISP and confirmed the MAC address of the outside interface Ethernet0

    ISP says
    ...we are sending this correctly to your pix, you should see any traffic destined for a 213.x.x.0/28 address hit your interface at 92.x.x.146/32

    Yes 217.x.x.81 and 217.x.x.82 are routers owned by our ISP.

    Is there anything else I can ask the ISP in terms of testing/debugging? I've run out of ideas.

    If the routers are owned by your ISP, then the fault lies with them. They have a routing loop in their network and that's why packets are not reaching your firewall. Have you shown them the traceroute?

    They must focus on the .81 and .82 routers to establish why the packets are looping between these 2 routers. Until they fix this, packets will never reach your firewall.

    Jon

  • Low security level access to high security

    Dear all,

    I have something I need your help clarifying; for outside NAT testing on the PIX, I placed a host on the outside interface of my PIX FW and another on the inside interface. We'll call them the inside host (Host A: 172.16.1.178) and the outside host (Host B: 192.168.1.96).

    I then applied the

    nat (inside) 0 0 0 and

    nat (outside) 0 0 0 outside

    commands to have the two subnets appear to each other with their original IP addresses. When pinging from host B to host A, no response is received and a 305005 syslog message is logged (No translation group found for ICMP src outside:192.168.1.96 dst inside:172.16.1.178)... However, when pinging from host A to host B with host B's original IP, a response is received successfully. After this, adding to the confusion, if I try again to ping from host B to host A, things work this time without errors. (Note: ICMP is permitted both ways.)

    After applying clear xlate, the same again! It looks like the PIX doesn't send the request from host B to host A unless there is a previous, established session from host A through the PIX.

    Does anyone have an explanation for what's going on? Has anyone experienced something like this before?

    Let me know your opinion.

    Thank you

    Haitham

    You are using nat 0 (identity nat), which does not allow two-way communication UNLESS the host located on the higher security interface initiates the connection.

    You can try the following:

    static (inside,outside) 172.16.1.178 172.16.1.178 netmask 255.255.255.255

    This allows the inside host to be 'translated' to the outside and allows the host located on the untrusted side to start the communication itself (it will be seen with the same IP address).

    more information:

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_sw/v_63/cmdref/s.htm#wp1026694

    Franco Zamora

  • Pix 501 problem, I cannot receive smtp messages

    Currently I can send messages but cannot receive mail from the Internet. If I remove the Pix and connect directly to the modem/router, then I can SMTP on port 25 and SMTP mail works fine both in & out.

    All we want this Pix to allow at present is:

    (a) Internet access for all clients on the internal network

    (b) allow the clients to pop mail from web e-mail accounts

    (c) we want to use Exchange & Outlook and host our own email via the SMTP protocol

    Please find attached two documents:

    1. a current, edited running config of my Pix 501

    2. a PowerPoint of my network diagram.

    Any help is much appreciated.

    Vinny.

    I finally found the problem.

    On the ADSL router you have configured the same 192.168.0.0/24 network that you use behind the mail server. This configuration will not work because it leads to a duplicate IP address range and you will have routing problems.

    Change the configuration to another IP range between the ADSL router and the PIX firewall and everything will work.

    Note that the only public IP address configured/received is on the Netgear ADSL router; all other interfaces use private IP addresses.

    Overview of the networks and IPs:

    80.x.y.z/255.255.255.x = Netgear outside IP

    192.168.2.0/255.255.255.0 = network between the Netgear inside and the PIX outside interface

    192.168.1.0/255.255.255.0 = network between the PIX inside and the mail server external interface

    192.168.0.0/255.255.255.0 = network between the mail server internal interface and the mail clients.

    Use 192.168.2.0 255.255.255.0 for this network, then set 192.168.2.1 on your ADSL router inside interface and use a static IP 192.168.2.2 255.255.255.0 on the PIX firewall outside interface.

    ADSL setup:

    On the Netgear you can choose between forwarding all traffic from the public IP 80.x.y.z to 192.168.2.2, which is NAT, or forwarding only http, pop3 and smtp; it doesn't really matter, it's just important that you NAT or PAT it to the PIX firewall.

    PIX setup example:

    All traffic received on the PIX outside interface 192.168.2.2 for http, pop3 and smtp is then forwarded to the mail server external IP address 192.168.1.2.

    ip address outside 192.168.2.2 255.255.255.0
    ip address inside 192.168.1.1 255.255.255.0
    access-list acl_out permit tcp any host 192.168.2.2 eq http
    access-list acl_out permit tcp any host 192.168.2.2 eq pop3
    access-list acl_out permit tcp any host 192.168.2.2 eq smtp
    access-group acl_out in interface outside
    static (inside,outside) tcp 192.168.2.2 80 192.168.1.2 80 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 192.168.2.2 110 192.168.1.2 110 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 192.168.2.2 25 192.168.1.2 25 netmask 255.255.255.255 0 0
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 192.168.2.1

    Mail server setup:

    The mail server has a default route to the PIX firewall.

    Default gateway on the mail server = 192.168.1.1

    Do you NAT or PAT the mail server's internal clients towards the PIX on the way to the Internet? If not, you need to add another route on the PIX, so the PIX knows the 192.168.0.0/24 network is behind the e-mail server, as that unit does the routing for this network.

    Add a route on the PIX inside interface:

    route inside 192.168.0.0 255.255.255.0 192.168.1.2

    Mail clients:

    All mail clients have the mail server's internal IP address as their default gateway.

    Default gateway = 192.168.0.3

    This configuration will work 100%

    Sorry if I confused you.

    Sincerely

    Patrick

  • Client certificate and router WebVPN

    Hello!

    In my test setup I cannot get my webvpn configuration to run =(

    I have several components: MS AD, MS CS (but without NDES), a 2911 router and a client computer. Client and router have a certificate from MS CS. In my setup I use certificate or aaa (LDAP) authentication, and aaa authentication works well. But client certificate authentication does not work. And my internal https services do not work either ("no certificate or invalid"), which is strange because I imported the CA certificate for that.

    Can you help me get it working?

    My 2911 version:

    Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.1(3)T, RELEASE SOFTWARE (fc1)

    My config:

    aaa authentication login webvpn group ldap local
    ip local pool webvpn 192.168.200.1 192.168.200.254
    bind authenticate root-dn cn=webvpn,OU=team,dc=domain,dc=com password [email protected]
    webvpn gateway vpn
     ip address port 4443
     ssl trustpoint root-ca
     inservice
    !
    webvpn install svc flash0:/webvpn/anyconnect-dart-win-2.5.3055-k9.pkg sequence 1
    !
    webvpn context employee
     ssl authenticate verify all
     !
     login-message "Portal VPN"
     !
     policy group peche1
      url-list "inside"
      functions svc-enabled
      filter tunnel VPN SPLIT
      svc address-pool "webvpn" netmask 255.255.255.0
      svc default-domain "domain.com"
      svc keep-client-installed
      svc split dns "domain.com"
      svc split include 192.168.0.0 255.255.0.0
      svc dns-server primary 192.168.1.1
      svc dns-server secondary 192.168.1.2
      citrix enabled
     virtual-template 1
     default-group-policy peche1
     aaa authentication list webvpn
     gateway vpn
     authentication certificate
     username-prefill
     ca trustpoint root-ca
     user-profile location flash0:/userprof
     inservice
    !
    crypto pki trustpoint root-ca
     enrollment terminal
     revocation-check none
     rsakeypair root-ca
    !

    I imported the CA certificate with pkcs12.

    My debug (this happened when I tried to access my webvpn portal and chose my MS CS certificate for access):

    Jun  5 11:22:39: WV: validated_tp: cert_username: matched_ctx:

    Jun  5 11:22:39: WV: could not get opssl appinfo sslvpn

    Jun  5 11:22:39: WV: could not get opssl appinfo sslvpn

    Jun  5 11:22:39: WV: error: no certificate validated for the client

    Can someone explain to me why it does not work?

    Resolved by updating IOS to version 15.2(4)M2.

    Concerning

Maybe you are looking for