Next hop for the static route on the VPN site to site ASA?

Hi all

I would be grateful if someone could help me with my problem ASA/misunderstanding. I have a VPN site-to site on a SAA. I want to add a floating static route to point to the VPN on the ASA. Note that the traffic in this way is not with in subnets cryptographic ACL that is used to bring up the VPN. This VPN is used only as a backup.

The static route with the next hop add local public address or the remote public address of the VPN? The next break maybe local ASA isp internet facing interface? I intend to do on the ASDM. I'm sorry if it's a simple question but I found no material that explains this?

Concerning

Ahh, ok, makes sense.

The next hop should be the next jump to the interface that ends the VPN connection, essentially the same as your Internet connection / outside the next hop interface.

Example of topology:

Site B (outside interface - 1.1.1.1) - (next hop: 1.1.1.2) Internet

The static route must tell:

outdoor 10.2.2.2 255.255.255.255 1.1.1.2 200

I hope this helps.

Tags: Cisco Security

Similar Questions

Site of the error of phase 2 for the VPN site

Dear all,

We have a VPN site to site with a partner, we need to access three different hosts on the network of partners. Phase 1 came but there is problem with the guests of the three phase 2 we can only connected with a host of others are not connected, and they all share the same settings.

Below is show access ip list matching packages shown but connection to host failed

With the crypto ipsec to see his I saw send error and I don't know what could be responsible.

Any body who could be wrong please help me to am exhausted.

access-list

10 permit ip host 4.2.3.1 4.2.6.22 (647594 matches)
20 permit ip host 4.2.3.14 4.2.6.64 (47794 matches)
30 permit ip host 41.2.3.37 41.2.6.76 (581720 matches)

Crypto ipsec to show his

local ident (addr, mask, prot, port): (41.2.3.37/255.255.255.255/0/0)
Remote ident (addr, mask, prot, port): (4.2.6.76/255.255.255.255/0/0)
current_peer 4.2.6.24 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 198, #recv errors 0

local crypto endpt. : 4.2.3.16, remote Start crypto. : 4.2.6.24
clearly, mtu 1500, path mtu 1500, mtu 1500 ip mtu IDB FastEthernet4 ip
current outbound SPI: 0x0 (0)
PFS (Y/N): N, Diffie-Hellman group: no

SAS of the esp on arrival:

the arrival ah sas:

SAS of the CFP on arrival:

outgoing esp sas:

outgoing ah sas:

outgoing CFP sas:

local ident (addr, mask, prot, port): (4.2.3.14/255.255.255.255/0/0)
Remote ident (addr, mask, prot, port): (4.2.6.64/255.255.255.255/0/0)
current_peer 4.2.6.24 port 500
PERMITS, flags = {origin_is_acl, ipsec_sa_request_sent}
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 508, #recv errors 0

local crypto endpt. : 4.2.3.16, remote Start crypto. : 4.2.6.24
clearly, mtu 1500, path mtu 1500, mtu 1500 ip mtu IDB FastEthernet4 ip
current outbound SPI: 0x0 (0)
PFS (Y/N): N, Diffie-Hellman group: no

SAS of the esp on arrival:

the arrival ah sas:

SAS of the CFP on arrival:

outgoing esp sas:

outgoing ah sas:

outgoing CFP sas:

Edit: can you put the configuration on both sides of the tunnel? Otherwise re - check once more the configs on both sides

Could not locate the next hop for ICMP outside:10.60.30.111/1 to inside:10.89.30.41/0 routing

ASA 5505 Split tunneling stopped working when upgraded to 8.3 (1) 8.4 (3).

A user has to connect to the old device of 8.3 (1) that they could access all of our subnets: 10.1.0.0/16, 10.33.0.0/16, 10.89.0.0/16, 10.60.0.0/16

but now, they can't and in the newspapers, I see just

6 October 31, 2012 08:17:59 110003 10.60.30.111 1 10.89.30.41 0 routing cannot locate the next hop for ICMP to outside:10.60.30.111/1 to inside:10.89.30.41/0

any tips? I almost tried everything. the running configuration is:

: Saved

:

ASA Version 8.4 (3)

!

host name asa

names of

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

IP 10.60.70.1 255.255.0.0

!

interface Vlan2

nameif outside

security-level 0

IP 80.90.98.217 255.255.255.248

!

passive FTP mode

clock timezone GMT 0

DNS lookup field inside

DNS domain-lookup outside

permit same-security-traffic intra-interface

network obj_any object

subnet 0.0.0.0 0.0.0.0

network of the NETWORK_OBJ_10.33.0.0_16 object

10.33.0.0 subnet 255.255.0.0

network of the NETWORK_OBJ_10.60.0.0_16 object

10.60.0.0 subnet 255.255.0.0

network of the NETWORK_OBJ_10.89.0.0_16 object

10.89.0.0 subnet 255.255.0.0

network of the NETWORK_OBJ_10.1.0.0_16 object

10.1.0.0 subnet 255.255.0.0

network tetPC object

Home 10.60.10.1

test description

network of the NETWORK_OBJ_10.60.30.0_24 object

10.60.30.0 subnet 255.255.255.0

network of the NETWORK_OBJ_10.60.30.64_26 object

255.255.255.192 subnet 10.60.30.64

the SSH server object network

Home 10.60.20.6

network of the SSH_public object

network ftp_public object

Home 80.90.98.218

rdp network object

Home 10.60.10.4

ftp_server network object

Home 10.60.20.2

network ssh_public object

Home 80.90.98.218

Service FTP object

tcp destination eq 12 service

network of the NETWORK_OBJ_10.60.20.3 object

Home 10.60.20.3

network of the NETWORK_OBJ_10.60.40.192_26 object

255.255.255.192 subnet 10.60.40.192

network of the NETWORK_OBJ_10.60.10.10 object

Home 10.60.10.10

network of the NETWORK_OBJ_10.60.20.2 object

Home 10.60.20.2

network of the NETWORK_OBJ_10.60.20.21 object

Home 10.60.20.21

network of the NETWORK_OBJ_10.60.20.4 object

Home 10.60.20.4

network of the NETWORK_OBJ_10.60.20.5 object

Home 10.60.20.5

network of the NETWORK_OBJ_10.60.20.6 object

Home 10.60.20.6

network of the NETWORK_OBJ_10.60.20.7 object

Home 10.60.20.7

network of the NETWORK_OBJ_10.60.20.29 object

Home 10.60.20.29

service port_tomcat object

Beach service tcp 8080 8082 source

network of the TBSF object

172.16.252.0 subnet 255.255.255.0

the e-mail server object network

Home 10.33.10.2

Mail server description

service object HTTPS

tcp source eq https service

test network object

network access_web_mail object

Home 10.60.50.251

network downtown_Interface_host object

Home 10.60.50.1

Downtown host Interface description

service of the Oracle_port object

tcp source eq sqlnet service

network of the NETWORK_OBJ_10.60.50.248_29 object

subnet 10.60.50.248 255.255.255.248

network of the NETWORK_OBJ_10.60.50.1 object

Home 10.60.50.1

network of the NETWORK_OBJ_10.60.50.0_28 object

subnet 10.60.50.0 255.255.255.240

brisel network object

10.191.191.0 subnet 255.255.255.0

network of the NETWORK_OBJ_10.191.191.0_24 object

10.191.191.0 subnet 255.255.255.0

network of the NETWORK_OBJ_10.60.60.0_24 object

10.60.60.0 subnet 255.255.255.0

object-group service TCS_Service_Group

Description this group of Services offered is for the CLD's Clients

port_tomcat service-object

HTTPS_ACCESS tcp service object-group

EQ object of the https port

the DM_INLINE_NETWORK_1 object-group network

object-network 10.1.0.0 255.255.0.0

network-object 10.33.0.0 255.255.0.0

network-object 10.60.0.0 255.255.0.0

network-object 10.89.0.0 255.255.0.0

allow outside_1_cryptomap to access extended list ip 10.60.0.0 255.255.0.0 10.33.0.0 255.255.0.0

allow outside_2_cryptomap to access extended list ip 10.60.0.0 255.255.0.0 10.89.0.0 255.255.0.0

outside_3_cryptomap to access extended list ip 10.60.0.0 255.255.0.0 allow 10.1.0.0 255.255.0.0

OUTSIDE_IN list extended access permit icmp any one time exceed

OUTSIDE_IN list extended access allow all unreachable icmp

OUTSIDE_IN list extended access permit icmp any any echo response

OUTSIDE_IN list extended access permit icmp any any source-quench

OUTSIDE_IN list extended access permitted tcp 194.2.20.0 255.255.255.0 host 80.90.98.220 eq smtp

OUTSIDE_IN list extended access permit tcp host 194.25.12.0 host 80.90.98.220 eq smtp

OUTSIDE_IN list extended access allow icmp 80.90.98.222 host 80.90.98.217

OUTSIDE_IN list extended access permit tcp host 162.162.4.1 host 80.90.98.220 eq smtp

OUTSIDE_IN list extended access permit tcp host 98.85.125.2 host 80.90.98.221 eq ssh

Standard access list OAKDCAcl allow 10.60.0.0 255.255.0.0

Standard access list OAKDCAcl allow 10.33.0.0 255.255.0.0

access-list OAKDCAcl note backoffice

Standard access list OAKDCAcl allow 10.89.0.0 255.255.0.0

access-list OAKDCAcl note maint

OAKDCAcl list standard access allowed 10.1.0.0 255.255.0.0

access-list allowed standard osgd host 10.60.20.4

access-list allowed standard osgd host 10.60.20.5

access-list allowed standard osgd host 10.60.20.7

standard access list testOAK_splitTunnelAcl allow 10.60.0.0 255.255.0.0

list access allowed extended snmp udp any eq snmptrap everything

list of access allowed extended snmp udp any any eq snmp

downtown_splitTunnelAcl list standard access allowed host 10.60.20.29

webMailACL list standard access allowed host 10.33.10.2

access-list standard HBSC allowed host 10.60.30.107

access-list standard HBSC deny 10.33.0.0 255.255.0.0

access-list standard HBSC deny 10.89.0.0 255.255.0.0

allow outside_4_cryptomap to access extended list ip 10.60.0.0 255.255.0.0 10.191.191.0 255.255.255.0

OAK-remote_splitTunnelAcl-list of allowed access standard 10.1.0.0 255.255.0.0

OAK-remote_splitTunnelAcl-list of allowed access standard 10.33.0.0 255.255.0.0

OAK-remote_splitTunnelAcl-list of allowed access standard 10.60.0.0 255.255.0.0

OAK-remote_splitTunnelAcl-list of allowed access standard 10.89.0.0 255.255.0.0

pager lines 24

Enable logging

asdm of logging of information

Within 1500 MTU

Outside 1500 MTU

mask 10.60.30.110 - 10.60.30.150 255.255.0.0 IP local pool OAKPRD_pool

IP local pool mail_sddress_pool 10.60.50.251 - 10.60.50.255 mask 255.255.0.0

test 10.60.50.1 mask 255.255.255.255 IP local pool

IP local pool ipad 10.60.30.90 - 10.60.30.99 mask 255.255.0.0

mask 10.60.40.200 - 10.60.40.250 255.255.255.0 IP local pool TCS_pool

local pool OSGD_POOL 10.60.50.2 - 10.60.50.10 255.255.0.0 IP mask

mask 10.60.60.0 - 10.60.60.255 255.255.0.0 IP local pool OAK_pool

IP verify reverse path inside interface

IP verify reverse path to the outside interface

IP audit alarm action name ThreatDetection attack

verification of IP within the ThreatDetection interface

interface IP outside the ThreatDetection check

no failover

ICMP unreachable rate-limit 1 burst-size 1

ICMP allow any inside

ICMP allow any echo inside

ICMP allow any echo outdoors

enable ASDM history

ARP timeout 14400

NAT (inside, outside) static static source NETWORK_OBJ_10.33.0.0_16 destination NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.33.0.0_16

NAT (inside, outside) static static source NETWORK_OBJ_10.89.0.0_16 destination NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.89.0.0_16

NAT (inside, outside) static static source NETWORK_OBJ_10.1.0.0_16 destination NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.1.0.0_16

NAT (inside, outside) static source all all NETWORK_OBJ_10.60.30.0_24 of NETWORK_OBJ_10.60.30.0_24 static destination

NAT (inside, outside) static source all all NETWORK_OBJ_10.60.30.64_26 of NETWORK_OBJ_10.60.30.64_26 static destination

NAT (inside, outside) static static source NETWORK_OBJ_10.60.40.192_26 destination NETWORK_OBJ_10.60.20.29 NETWORK_OBJ_10.60.20.29 NETWORK_OBJ_10.60.40.192_26 any port_tomcat service

NAT (inside, outside) static source any destination of all public static NETWORK_OBJ_10.60.50.1 NETWORK_OBJ_10.60.50.1

NAT (inside, outside) static static source NETWORK_OBJ_10.60.50.248_29 destination MailServer MailServer NETWORK_OBJ_10.60.50.248_29

NAT (inside, outside) static source all all NETWORK_OBJ_10.60.50.0_28 of NETWORK_OBJ_10.60.50.0_28 static destination

NAT (inside, outside) static static source NETWORK_OBJ_10.191.191.0_24 destination NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.191.191.0_24

NAT (inside, outside) static source DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 NETWORK_OBJ_10.60.60.0_24 NETWORK_OBJ_10.60.60.0_24 non-proxy-arp-search of route static destination

!

network obj_any object

NAT dynamic interface (indoor, outdoor)

Route outside 0.0.0.0 0.0.0.0 80.90.98.222 1

Timeout xlate 03:00

Pat-xlate timeout 0:00:30

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

identity of the user by default-domain LOCAL

Enable http server

http 192.168.1.0 255.255.255.0 inside

http 10.60.10.10 255.255.255.255 inside

http 10.33.30.33 255.255.255.255 inside

http 10.60.30.33 255.255.255.255 inside

SNMP-server host within the 10.33.30.108 community * version 2 c

SNMP-server host within the 10.89.70.30 community *.

No snmp server location

No snmp Server contact

Community SNMP-server

Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac

Crypto ipsec transform-set esp-3des esp-sha-hmac TRANS_ESP_3DES_SHA ikev1

transport mode encryption ipsec transform-set TRANS_ESP_3DES_SHA ikev1

Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set lux_trans_set ikev1 aes - esp esp-sha-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

card crypto outside_map 1 match address outside_1_cryptomap

peer set card crypto outside_map 1 84.51.31.173

card crypto outside_map 1 set transform-set ESP-3DES-SHA ikev1

card crypto outside_map 2 match address outside_2_cryptomap

peer set card crypto outside_map 2 98.85.125.2

card crypto outside_map 2 set transform-set ESP-3DES-SHA ikev1

card crypto outside_map 3 match address outside_3_cryptomap

peer set card crypto outside_map 3 220.79.236.146

card crypto outside_map 3 set transform-set ESP-3DES-SHA ikev1

card crypto 4 correspondence address outside_4_cryptomap outside_map

card crypto outside_map 4 set pfs

peer set card crypto outside_map 4 159.146.232.122

card crypto 4 ikev1 transform-set lux_trans_set set outside_map

outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

outside_map interface card crypto outside

Crypto ikev1 allow outside

IKEv1 crypto policy 5

preshared authentication

3des encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 20

preshared authentication

aes-256 encryption

sha hash

Group 5

life 86400

IKEv1 crypto policy 30

preshared authentication

3des encryption

sha hash

Group 2

lifetime 28800

IKEv1 crypto policy 50

preshared authentication

aes encryption

sha hash

Group 1

life 86400

IKEv1 crypto policy 70

preshared authentication

aes encryption

sha hash

Group 5

life 86400

Telnet 10.60.10.10 255.255.255.255 inside

Telnet 10.60.10.1 255.255.255.255 inside

Telnet 10.60.10.5 255.255.255.255 inside

Telnet 10.60.30.33 255.255.255.255 inside

Telnet 10.33.30.33 255.255.255.255 inside

Telnet timeout 30

SSH 10.60.10.5 255.255.255.255 inside

SSH 10.60.10.10 255.255.255.255 inside

SSH 10.60.10.3 255.255.255.255 inside

SSH timeout 5

Console timeout 0

dhcpd outside auto_config

!

dhcpd dns 155.2.10.20 155.2.10.50 interface inside

dhcpd auto_config outside interface inside

!

a basic threat threat detection

length 3600 scanning-threat shun threat detection

threat detection statistics

a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200

TFTP server inside 10.60.10.10 configs/config1

WebVPN

internal testTG group policy

attributes of the strategy of group testTG

value of 155.2.10.20 DNS server 155.2.10.50

Ikev1 VPN-tunnel-Protocol

internal DefaultRAGroup_1 group strategy

attributes of Group Policy DefaultRAGroup_1

value of 155.2.10.20 DNS server 155.2.10.50

Protocol-tunnel-VPN l2tp ipsec

internal TcsTG group strategy

attributes of Group Policy TcsTG

VPN-idle-timeout 20

VPN-session-timeout 120

Ikev1 VPN-tunnel-Protocol

IPSec-udp disable

IPSec-udp-port 10000

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list testOAK_splitTunnelAcl

the address value TCS_pool pools

internal downtown_interfaceTG group policy

attributes of the strategy of group downtown_interfaceTG

value of 155.2.10.20 DNS server 155.2.10.50

Ikev1 VPN-tunnel-Protocol

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list downtown_splitTunnelAcl

internal HBSCTG group policy

HBSCTG group policy attributes

value of 155.2.10.20 DNS server 155.2.10.50

Ikev1 VPN-tunnel-Protocol

Split-tunnel-policy tunnelspecified

Split-tunnel-network-list value HBSC

internal OSGD group policy

OSGD group policy attributes

value of 155.2.10.20 DNS server 155.2.10.50

VPN-session-timeout no

Ikev1 VPN-tunnel-Protocol

group-lock value OSGD

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list testOAK_splitTunnelAcl

internal OAKDC group policy

OAKDC group policy attributes

Ikev1 VPN-tunnel-Protocol

value of group-lock OAKDC

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list OAKDCAcl

Disable dhcp Intercept 255.255.0.0

the address value OAKPRD_pool pools

internal mailTG group policy

attributes of the strategy of group mailTG

value of 155.2.10.20 DNS server 155.2.10.50

Ikev1 VPN-tunnel-Protocol

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list webMailACL

internal OAK-distance group strategy

attributes of OAK Group Policy / remote

value of 155.2.10.20 DNS server 155.2.10.50

Ikev1 VPN-tunnel-Protocol

Split-tunnel-policy tunnelspecified

Split-tunnel-network-list value OAK-remote_splitTunnelAcl

VPN-group-policy OAKDC

type of nas-prompt service

attributes global-tunnel-group DefaultRAGroup

address pool OAKPRD_pool

ipad address pool

Group Policy - by default-DefaultRAGroup_1

IPSec-attributes tunnel-group DefaultRAGroup

IKEv1 pre-shared-key *.

tunnel-group 84.51.31.173 type ipsec-l2l

IPSec-attributes tunnel-group 84.51.31.173

IKEv1 pre-shared-key *.

tunnel-group 98.85.125.2 type ipsec-l2l

IPSec-attributes tunnel-group 98.85.125.2

IKEv1 pre-shared-key *.

tunnel-group 220.79.236.146 type ipsec-l2l

IPSec-attributes tunnel-group 220.79.236.146

IKEv1 pre-shared-key *.

type tunnel-group OAKDC remote access

attributes global-tunnel-group OAKDC

address pool OAKPRD_pool

Group Policy - by default-OAKDC

IPSec-attributes tunnel-group OAKDC

IKEv1 pre-shared-key *.

type tunnel-group TcsTG remote access

attributes global-tunnel-group TcsTG

address pool TCS_pool

Group Policy - by default-TcsTG

IPSec-attributes tunnel-group TcsTG

IKEv1 pre-shared-key *.

type tunnel-group downtown_interfaceTG remote access

tunnel-group downtown_interfaceTG General-attributes

test of the address pool

Group Policy - by default-downtown_interfaceTG

downtown_interfaceTG group of tunnel ipsec-attributes

IKEv1 pre-shared-key *.

type tunnel-group TunnelGroup1 remote access

type tunnel-group mailTG remote access

tunnel-group mailTG General-attributes

address mail_sddress_pool pool

Group Policy - by default-mailTG

mailTG group of tunnel ipsec-attributes

IKEv1 pre-shared-key *.

type tunnel-group testTG remote access

tunnel-group testTG General-attributes

address mail_sddress_pool pool

Group Policy - by default-testTG

testTG group of tunnel ipsec-attributes

IKEv1 pre-shared-key *.

type tunnel-group OSGD remote access

tunnel-group OSGD General-attributes

address OSGD_POOL pool

strategy-group-by default OSGD

tunnel-group OSGD ipsec-attributes

IKEv1 pre-shared-key *.

type tunnel-group HBSCTG remote access

attributes global-tunnel-group HBSCTG

address OSGD_POOL pool

Group Policy - by default-HBSCTG

IPSec-attributes tunnel-group HBSCTG

IKEv1 pre-shared-key *.

tunnel-group 159.146.232.122 type ipsec-l2l

IPSec-attributes tunnel-group 159.146.232.122

IKEv1 pre-shared-key *.

tunnel-group OAK type remote access / remote

attributes global-tunnel-group OAK / remote

address pool OAK_pool

Group Policy - by default-OAK-remote control

IPSec-attributes tunnel-group OAK / remote

IKEv1 pre-shared-key *.

!

!

!

Policy-map global_policy

!

context of prompt hostname

no remote anonymous reporting call

HPM topN enable

: end

enable ASDM history

Hi David,

I see that you have:

allow outside_2_cryptomap to access extended list ip 10.60.0.0 255.255.0.0 10.89.0.0 255.255.0.0

So, please make the following changes:

network object obj - 10.60.30.0

10.60.30.0 subnet 255.255.255.0

!

Route outside 10.60.30.0 255.255.255.0 80.90.98.222

Route outside 10.89.0.0 255.255.0.0 80.90.98.222

NAT (outside, outside) 1 source static obj - 10.60.30.0 obj - 10.60.30.0 static destination NETWORK_OBJ_10.89.0.0_16 NETWORK_OBJ_10.89.0.0_16 non-proxy-arp-search to itinerary

HTH

Portu.

Please note all useful posts

Post edited by: Javier Portuguez

Could someone tell me that I have a laptop that is compatible with the adapter wireless Athreos in it and it catches an unsecured, network shown as next (automatic) for the SSID (network name). Please tell me how to connect...

Could someone tell me that I have a laptop that is compatible with the adapter wireless Athreos in it and it catches an unsecured, network shown as next (automatic) for the SSID (network name). I tried parameter as point of access, AD-hoc, Connect automatticaly etc but will not connect... Please tell me how to connect...

Hi Sumit and thanks for posting.

Your Athreos has never connected? If it has connected then it not only connects it to insecure networks? Also after can trying to connect you do the following?

Start, run, CMD, OK to open a command prompt:

Type the following command:

IPCONFIG/ALL

[Note that there is no space between the oblique and ALL bar].

Right click in the command window and choose Select all, and then press ENTER.
Paste the results in a message here.

I hope this helps. After the back if you have any questions.

Shawn - Support Engineer - MCP, MCDST
Microsoft Answers Support Engineer
Visit our Microsoft answers feedback Forum and let us know what you think

When comes out the next firmware for the "rocket"?

When comes out the next firmware for the "rocket"?

Sometimes in the coming months

Problem with the VPN site to site for the two cisco asa 5505

Starting with cisco asa. I wanted to do a vpn site-to site of cisco. I need help. I can't ping from site A to site B and vice versa.

Cisco Config asa1

interface Ethernet0/0
switchport access vlan 1
!
interface Ethernet0/1
switchport access vlan 2
!
interface Vlan1
nameif outside
security-level 0
IP address 172.xxx.xx.4 255.255.240.0
!
interface Vlan2
nameif inside
security-level 100
IP 192.168.60.2 255.255.255.0
!
passive FTP mode
network of the Lan_Outside object
192.168.60.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
network of the NETWORK_OBJ_192.168.60.0_24 object
192.168.60.0 subnet 255.255.255.0
object-group Protocol DM_INLINE_PROTOCOL_1
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_2
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_3
ip protocol object
icmp protocol object
Access extensive list ip 192.168.60.0 Outside_cryptomap allow 255.255.255.0 192.168.1.0 255.255.255.0
Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_3 of object-group a
Outside_access_in list extended access allow DM_INLINE_PROTOCOL_1 of object-group a
Inside_access_in list extended access allow DM_INLINE_PROTOCOL_2 of object-group a
network of the Lan_Outside object
NAT (inside, outside) interface dynamic dns
Access-group Outside_access_in in interface outside
Inside_access_in access to the interface inside group
Route outside 0.0.0.0 0.0.0.0 172.110.xx.1 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
AAA authentication http LOCAL console
Enable http server
http 192.168.60.0 255.255.255.0 inside
http 96.xx.xx.222 255.255.255.255 outside
No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto Outside_map 1 corresponds to the address Outside_cryptomap
card crypto Outside_map 1 set peer 96.88.75.222
card crypto Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto Outside_map 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
Outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH stricthostkeycheck
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0
inside access management

dhcpd address 192.168.60.50 - 192.168.60.100 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
AnyConnect essentials
internal GroupPolicy_96.xx.xx.222 group strategy
attributes of Group Policy GroupPolicy_96.xx.xx.222
VPN-tunnel-Protocol ikev1, ikev2
username admin privilege 15 encrypted password f3UhLvUj1QsXsuK7
tunnel-group 96.xx.xx.222 type ipsec-l2l
tunnel-group 96.xx.xx.222 General-attributes
Group - default policy - GroupPolicy_96.xx.xx.222
96.XX.XX.222 group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
inspect the icmp error

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Cisco ASA 2 config

interface Ethernet0/0
switchport access vlan 1
!
interface Ethernet0/1
switchport access vlan 2
!
interface Vlan1
nameif outside
security-level 0
IP address 96.xx.xx.222 255.255.255.248
!
interface Vlan2
nameif inside
security-level 100
IP 192.168.1.254 255.255.255.0
!
passive FTP mode
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
network of the Lan_Outside object
subnet 192.168.1.0 255.255.255.0
network of the NETWORK_OBJ_192.168.60.0_24 object
192.168.60.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
object-group Protocol DM_INLINE_PROTOCOL_1
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_2
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_3
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_4
ip protocol object
icmp protocol object
Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_2 of object-group 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0
Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_3 of object-group a
Outside_access_in list extended access allow DM_INLINE_PROTOCOL_1 of object-group a
Inside_access_in list extended access allow DM_INLINE_PROTOCOL_4 of object-group a
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) static source NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.60.0_24 NETWORK_OBJ_192.168.60.0_24 non-proxy-arp-search of route static destination
!
network of the Lan_Outside object
dynamic NAT (all, outside) interface
Access-group Outside_access_in in interface outside
Inside_access_in access to the interface inside group
Route outside 0.0.0.0 0.0.0.0 96.xx.xx.217 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
AAA authentication http LOCAL console
Enable http server
http 192.168.1.0 255.255.255.0 inside
http 172.xxx.xx.4 255.255.255.255 outside
No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto Outside_map 1 corresponds to the address Outside_cryptomap
card crypto Outside_map 1 set peer 172.110.74.4
card crypto Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto Outside_map 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
Outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH stricthostkeycheck
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0

dhcpd address 192.168.1.50 - 192.168.1.100 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
AnyConnect essentials
internal GroupPolicy_172.xxx.xx.4 group strategy
attributes of Group Policy GroupPolicy_172.xxx.xx.4
L2TP ipsec VPN-tunnel-Protocol ikev1, ikev2
username admin privilege 15 encrypted password f3UhLvUj1QsXsuK7
tunnel-group 172.xxx.xx.4 type ipsec-l2l
tunnel-group 172.xxx.xx.4 General-attributes
Group - default policy - GroupPolicy_172.xxx.xx.4
172.xxx.XX.4 group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
inspect the icmp error
inspect the http

For IKEv2 configuration: (example config, you can change to encryption, group,...)

-You must add the declaration of exemption nat (see previous answer).

-set your encryption domain ACLs:

access-list-TRAFFIC IPSEC allowed extended LOCAL REMOTE - LAN LAN ip

-Set the Phase 1:

Crypto ikev2 allow outside
IKEv2 crypto policy 10
3des encryption
the sha md5 integrity
Group 5
FRP sha
second life 86400

-Set the Phase 2:

Crypto ipsec ikev2 ipsec IKEV2-PROPOSAL
Esp aes encryption protocol
Esp integrity sha-1 protocol

-set the Group of tunnel

tunnel-group REMOTE-PUBLIC-IP type ipsec-l2l
REMOTE-PUBLIC-IP tunnel-group ipsec-attributes
IKEv2 authentication remote pre-shared-key cisco123

IKEv2 authentication local pre-shared-key cisco123

-Define the encryption card

address for correspondence CRYPTOMAP 10 - TRAFFIC IPSEC crypto map
card crypto CRYPTOMAP 10 peer set REMOTE-PUBLIC-IP
card crypto CRYPTOMAP 10 set ipsec ikev2-IKEV2-PROPOSAL
CRYPTOMAP interface card crypto outside
crypto isakmp identity address

On your config, you have all these commands but on your VPN config, you mix ikev1 and ikev2. You have also defined political different ikev2. Just do a bit of cleaning and reached agreement on a 1 strategy for the two site (encryption, hash,...)

Thank you

Table for the code for method of payment for the suppliers site

Hi all, does anyone knows how to get the value for the code for method of payment for the suppliers site in R12.1.3? I don't speak from that in the following path: 1 Paybles responsibility 2. Suppliers 3. Request for a 4 suppliers. Click on details of payment 5. Scroll to supplier Sites and press the update button 6. Note that, for example among the payment methods is checked as default thanks in advance, A.Stoynaov

Hello

Please check this note that contains the query:

Default values for method of payment for providers at the level of the Table (Doc ID 737128.1)

You can use this query to view the lines for a given provider site:

SELECT *.

Of iby_ext_party_pmt_mthds IEPPM

WHERE IEPPM.ext_pmt_party_id IN

(SELECT IEP.ext_payee_id

Of iby_external_payees_all IEP

WHERE IEP.supplier_site_id IN

(SELECT APSS.vendor_site_id

Of ap_supplier_sites_all of the PSA, ap_suppliers APS

WHERE APS.vendor_id = APSS.vendor_id

AND APS.vendor_name = '. '

AND APSS.vendor_site_code = ''));

Concerning

Joel Purswani

Support of Oracle

I created a website with Muse using a slide show widget a little over a year. I gave up Muse bur have recently re-enroll as a single Train to examine the use of Muse. The file for the my site is no longer on my computer or lea

I created a website with Muse using a slide show widget a little over a year. I gave up Muse bur have recently re-enroll as a single Train to examine the use of Muse. The file for the my site is no longer on my computer or at least I find and I want to make changes. Is there a way to download the Internet Web site and bring Muse to make changes or I have to start all over again.

Hello

to copy entire websites is an arduous task in my eyes. Your sounds to me that you have access to your old site. If you could perhaps talk to your supplier at the time, to get it back.

Hans-Günter

How do you add a google calendar for the web site of muse, the updates are synchronized

How do you add a google calendar for the web site of muse, the updates are synchronized?

You can add Google Calendar using iframe which Google provides if you go to calendar settings.

Once you insert this code into the page of Muse by object > insert HTML, the calendar will be displayed on the page.

https://support.Google.com/calendar/answer/41207?hl=en

Thank you

Sanjit

'Go to the State' vs 'Go to the next State' for the selected button state

I have a series of image galleries in my publication that uses MSOs and buttons to "Go to another" - the thumbnails then have a small edge to have indicated that they are 'selected' - it works very well. The border is added to the click for each thumbnail button state.
I have a similar scenario is a YouTube embed of the video and an article as a MSO with two States: a State is the vid to youtube and the other State is the article of the text. I have a set place button to switch between these two States. This button is set to "Go to the next State" so he'll just between the two States MSO. Is there any way to have a selected State for this button so that the words under the button change to 'play' video in 'see article' while keeping this button set to "Go to the next State" - the only way I can think to do is with two buttons.
I realize, this is a very specific use case and I do not expect the features, but if there is a solution I am curious to know if anyone else has come across this.
Thanks in advance for your help.

Implement for the buttons in the different States. Then add an invisible button on it to the next State meetings.

Bob

A hope for the e-mail in El Capitan issues?

Hi - I've upgraded to El Capitan of Mavericks (big BONE btw and wish I could still use it) and nothing went right ever since, especially with mail.

At least 98% of the time I can't answer emails (using the Gmail server) in the mail. I hit 'reply' and get a new window and a frozen program. I went to mail to force to quit and restart, after what I see pieces box of each thread. After reboot, I can not always respond well, the situation becomes an exercise of "Groundhog Day" - not pleasant and professional.

This has been an ongoing problem for me since January 7, and no discussion with several Apple Care helped senior advisers. I keep saying they "work on it" and, as I found out, I'm not the only person to have that kind of question.

While I realize that problems with the utility software is not sexy - as if we were trying to defeat the FBI stupid in a discussion of national security - I think that Apple has forgotten its roots, its core fan base.

We buy phones, tablets, and Apple computers because the material is magnificent and we have always wanted that software is easy to use - and rarely failed. This has changed in recent years, and not for the better. Yes, the material is always beautiful and functional, but the supplied software is anything but. If there is a better platform to use on these elegant machines I would, thanks to inefficiency cited here and the inability - reluctance? d ' Apple to make it right.

Where do we go from here? Anyone got any kind of a solution so that I can work on that machine again?

If you have any problems then detail as much as you can. See writing an effective communities of Apple support question. This isn't a complaint forum, so ignore the parts of the rant.

local host to access the vpn site to site with nat static configured

I have two 881 routers with vpn site to site between them. I have a static nat on the router for a Web server that is accessible from the internet. I can't access the Web server through the vpn. All other traffic is fine its VPN. I think that there is a problem with the NAT. Here are the relevant configuration lines.

IP nat inside source overload map route SDM_RMAP_1 interface FastEthernet4
IP nat inside source static 192.168.150.2 bonnefin map route SDM_RMAP_1

allowed SDM_RMAP_1 1 route map
corresponds to the IP 100

access-list 100 deny ip 192.168.150.0 0.0.0.255 192.168.123.0 0.0.0.255
access-list 100 permit ip 192.168.150.0 0.0.0.255 any

You should be able to access the web server with its IP private (192.168.150.2) through the VPN connection.

If you just add the VPN and the road map, try to clear the existing translation and see if you can access it via its private of the Remote LAN VPN ip address.

Routing between two remote sites connected over the VPN site to site

I have a problem ping between remote sites. Now the Cryptography and no nat ACL's for different sites just to affect traffic between the remote site and main site. I tried to add roads, adding other subnets to the crypto and no. ACL Nat at the remote sites... nothing worked. Any ideas?

Main site:

192.168.100.0 - call manager / phone VLAN

192.168.1.0/24 - data VLAN

Site 1:

192.168.70.0/24 - phone VLAN

192.168.4.0/24 - data VLAN

Site 2:

192.168.80.0/24 - phone VLAN

192.168.3.0/24 - data VLAN

Main router

Expand the IP ACL5 access list
10 permit ip 192.168.1.0 0.0.0.255 192.168.70.0 0.0.0.255
20 ip 192.168.1.0 allow 0.0.0.255 192.168.4.0 0.0.0.255
30 permits ip 192.168.100.0 0.0.0.255 192.168.4.0 0.0.0.255
IP 192.168.100.0 allow 40 0.0.0.255 192.168.70.0 0.0.0.255)
50 permit ip 10.255.255.0 0.0.0.255 192.168.70.0 0.0.0.255
Expand the IP ACL6 access list
10 permit ip 192.168.1.0 0.0.0.255 192.168.80.0 0.0.0.255
20 ip 192.168.1.0 allow 0.0.0.255 192.168.3.0 0.0.0.255
30 permits ip 192.168.100.0 0.0.0.255 192.168.3.0 0.0.0.255
IP 192.168.100.0 allow 40 0.0.0.255 192.168.80.0 0.0.0.255

Expand the No. - NAT IP access list
10 deny ip 192.168.2.0 0.0.0.255 192.168.70.0 0.0.0.255
20 deny ip 192.168.200.0 0.0.0.255 192.168.4.0 0.0.0.255
30 deny ip 192.168.2.0 0.0.0.255 192.168.80.0 0.0.0.255
40 deny ip 192.168.200.0 0.0.0.255 192.168.3.0 0.0.0.255
320 ip 192.168.1.0 allow 0.0.0.255 any
IP 192.168.100.0 allow 330 0.0.0.255 any

Site 1:

ACL5 extended IP access list

IP 192.168.70.0 allow 0.0.0.255 192.168.1.0 0.0.0.255

ip licensing 192.168.4.0 0.0.0.255 192.168.100.0 0.0.0.255

IP 192.168.70.0 allow 0.0.0.255 192.168.100.0 0.0.0.255

ip licensing 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255

IP 192.168.70.0 allow 0.0.0.255 10.255.255.0 0.0.0.255

No. - NAT extended IP access list

deny ip 192.168.70.0 0.0.0.255 192.168.1.0 0.0.0.255

refuse the 192.168.4.0 ip 0.0.0.255 192.168.100.0 0.0.0.255

deny ip 192.168.70.0 0.0.0.255 192.168.100.0 0.0.0.255

refuse the 192.168.4.0 ip 0.0.0.255 192.168.1.0 0.0.0.255

deny ip 192.168.70.0 0.0.0.255 10.255.255.0 0.0.0.255

IP 192.168.70.0 allow 0.0.0.255 any

ip licensing 192.168.4.0 0.0.0.255 any

Site 2:

ACL6 extended IP access list
IP 192.168.80.0 allow 0.0.0.255 192.168.1.0 0.0.0.255
ip licensing 192.168.3.0 0.0.0.255 192.168.100.0 0.0.0.255
IP 192.168.80.0 allow 0.0.0.255 192.168.100.0 0.0.0.255
ip licensing 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
IP 192.168.80.0 allow 0.0.0.255 10.255.255.0 0.0.0.255
No. - NAT extended IP access list
deny ip 192.168.80.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 192.168.3.0 0.0.0.255 192.168.100.0 0.0.0.255
deny ip 192.168.80.0 0.0.0.255 192.168.100.0 0.0.0.255
deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 192.168.80.0 0.0.0.255 10.255.255.0 0.0.0.255
IP 192.168.80.0 allow 0.0.0.255 any
ip licensing 192.168.3.0 0.0.0.255 any

What should I do for these two sites can ping each other? I looked through the forums but can't seem to find someone with a similar problem, which has received a definitive answer.

Thanks in advance!

Hi, I assume that you need site 1 and 2 to communicate with each other via the main site right? If this is the case, then you need to set add the following lines to your ACL crypto:

Main router

Expand the IP ACL5 access list

IP 192.168.80.0 allow 0.0.0.255 192.168.70.0 0.0.0.255

IP 192.168.80.0 allow 0.0.0.255 192.168.4.0 0.0.0.255

ip licensing 192.168.3.0 0.0.0.255 192.168.70.0 0.0.0.255

ip licensing 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255

Expand the IP ACL6 access list

IP 192.168.70.0 allow 0.0.0.255 192.168.80.0 0.0.0.255

IP 192.168.70.0 allow 0.0.0.255 192.168.3.0 0.0.0.255

ip licensing 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255

ip licensing 192.168.4.0 0.0.0.255 192.168.80.0 0.0.0.255

Make sure you add these lines before the last permit

Expand the No. - NAT IP access list

deny ip 192.168.80.0 0.0.0.255 192.168.70.0 0.0.0.255

deny ip 192.168.80.0 0.0.0.255 192.168.4.0 0.0.0.255

deny ip 192.168.3.0 0.0.0.255 192.168.70.0 0.0.0.255

deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255

deny ip 192.168.70.0 0.0.0.255 192.168.80.0 0.0.0.255

refuse the 192.168.4.0 ip 0.0.0.255 192.168.80.0 0.0.0.255

deny ip 192.168.70.0 0.0.0.255 192.168.3.0 0.0.0.255

refuse the 192.168.4.0 ip 0.0.0.255 192.168.3.0 0.0.0.255

Site 1:

ACL5 extended IP access list

IP 192.168.70.0 allow 0.0.0.255 192.168.80.0 0.0.0.255

ip licensing 192.168.4.0 0.0.0.255 192.168.80.0 0.0.0.255

IP 192.168.70.0 allow 0.0.0.255 192.168.3.0 0.0.0.255

ip licensing 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255

Make sure that these lines are added before the last permit

No. - NAT extended IP access list

deny ip 192.168.70.0 0.0.0.255 192.168.80.0 0.0.0.255

refuse the 192.168.4.0 ip 0.0.0.255 192.168.80.0 0.0.0.255

deny ip 192.168.70.0 0.0.0.255 192.168.3.0 0.0.0.255

refuse the 192.168.4.0 ip 0.0.0.255 192.168.3.0 0.0.0.255

Site 2:

ACL6 extended IP access list

IP 192.168.80.0 allow 0.0.0.255 192.168.70.0 0.0.0.255

ip licensing 192.168.3.0 0.0.0.255 192.168.70.0 0.0.0.255

IP 192.168.80.0 allow 0.0.0.255 192.168.4.0 0.0.0.255

ip licensing 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255

So make sure that these lines are added before the last permit

No. - NAT extended IP access list

deny ip 192.168.80.0 0.0.0.255 192.168.70.0 0.0.0.255

deny ip 192.168.3.0 0.0.0.255 192.168.70.0 0.0.0.255

deny ip 192.168.80.0 0.0.0.255 192.168.4.0 0.0.0.255

deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255

So you're saying good enough your routers with these definitions which will be reached via one main remote sites (sites 1 and 2).

I would like to know if this is what you need.

need help for the VPN connection

Hi guys

can you help with that?

I installed a VPN connection, but the tunnel shows that status: upward and the protocol description: down.

debugging is turned on and displays following-

ITS has applications pending (xx.xx.xx.xx local port 500, xx.xx.xx.xx remote port 500)

DEC 20 02:39:26.762: ISAKMP: (2142): sitting IDLE. From QM immediately (QM_IDLE)

02:39:26.762 20 Dec: ISAKMP: (2142): start Quick Mode Exchange, M - ID 3357871564

02:39:26.762 20 Dec: ISAKMP: (2142): initiator QM gets spi

DEC 20 02:39:26.762: ISAKMP: (2142): Pack xx.xx.xx.xx my_port 500 peer_port 500 (I) sending QM_IDLE

02:39:26.762 20 Dec: ISAKMP: (2142): sending a packet IPv4 IKE.

02:39:26.762 20 Dec: ISAKMP: (2142): entrance, node 3357871564 = IKE_MESG_INTERNAL, IKE_INIT_QM

02:39:26.762 20 Dec: ISAKMP: (2142): former State = new State IKE_QM_READY = IKE_QM_I_QM1

02:39:26.794 20 Dec: ISAKMP (2142): packet received from xx.xx.xx.xx dport 500 sport Global 500 (I) QM_IDLE

02:39:26.794 20 Dec: ISAKMP: node set-419503660 to QM_IDLE

DEC 20 02:39:26.794: ISAKMP: (2142): HASH payload processing. Message ID = 3875463636

DEC 20 02:39:26.794: ISAKMP: (2142): treatment protocol NOTIFIER PROPOSAL_NOT_CHOSEN 3

SPI 2561284360, message ID = 3875463636, a = 0x87D0CFC8

DEC 20 02:39:26.794: ISAKMP: (2142): removal of spi 2561284360 message ID = 3357871564

02:39:26.794 20 Dec: ISAKMP: (2142): node-937095732 error suppression REAL reason "remove larval.

02:39:26.794 20 Dec: ISAKMP: (2142): node-419503660 error suppression FALSE reason 'informational (en) State 1.

02:39:26.794 20 Dec: ISAKMP: (2142): entry = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

02:39:26.794 20 Dec: ISAKMP: (2142): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

02:39:46.798 20 Dec: ISAKMP: (2142): purge the node-1177810765

02:39:46.798 20 Dec: ISAKMP: (2142): purge the node-138734109

02:39:56.763 20 Dec: % s-6-IPACCESSLOGRL: the rate limited or missed 2 sachets of access list record

DEC 20 02:39:56.763: IPSEC (key_engine): request timer shot: count = 2,.

local (identity) = xx.xx.xx.xx:0, distance = xx.xx.xx.xx:0,

local_proxy = 0.0.0.0/0.0.0.0/0/0 (type = 4),

remote_proxy = 0.0.0.0/0.0.0.0/0/0 (type = 4)

the config is following.

crypto ISAKMP policy 10

BA 3des

preshared authentication

Group 2

ISAKMP crypto key xxxxxx address xx.xx.xx.xx

!

!

Crypto ipsec transform-set esp-3des esp-sha-hmac vpnset

transport mode

!

Crypto ipsec tech profile

Set transform-set vpnset

!

!

my-map 20 ipsec-isakmp crypto map

defined peer xx.xx.xx.xx

Set transform-set vpnset

match address 155

Hello

As for your question, you can have more than 1 card crypto on the interface.

However, you can use the same card encryption for several strategies. You can change the ma-card to vpnmap.
In this way the two are enabled on the same interface, with one having a higher priority than the other.

So if a package came from inside, the first crypto ACL interface is checked and then the next and so on. The first match found is chosen for the IPsec negotioation.

Œuvres ping for the VPN ASA5505 RDP does not work?

I have an ASA5505 VPN remote access facility

I have a server connected directly behind the ASA and I can ping the server without problem.

The reports being encrypted and decrypted packets VPN client

However when I try to RDP to the server packages encyrpted keep incrementing but the decrypted packets are not.

I also do not see all RDP traffic hit the server (checked by ethereal)

I did a packet trace and it succeeds, but ends with a parody of IP which I believe is correct as is the vpn traffic and not actually be encrypted.

This is the correction of the RDP session, I'm confused by one ICMP denied on line 2 that I am able to ping the server?

% ASA-6-302013: built of TCP connections incoming 88193 for external:172.16.24.4/50984 (172.16.24.4/50984) at internal:192.168.100.146/3389 (192.168.100.146/3389) (roger_ssl)

% ASA-4-313004: Denied ICMP type = 0, of laddr 172.16.24.4 on the external interface to 192.168.100.146: no matching session

% ASA-609001 7: built internal local-host: 192.168.100.37

% ASA-6-302015: built connection UDP incoming 88194 for external:172.16.24.4/50620 (172.16.24.4/50620) at internal:192.168.100.37/53 (192.168.100.37/53) (roger_ssl)

% ASA-4-313004: Denied ICMP type = 0, of laddr 172.16.24.4 on the external interface to 192.168.100.37: no matching session

% ASA-6-302015: built connection UDP incoming 88195 for external:172.16.24.4/64598 (172.16.24.4/64598) at internal:192.168.100.37/53 (192.168.100.37/53) (roger_ssl)

% ASA-4-313004: Denied ICMP type = 0, of laddr 172.16.24.4 on the external interface to 192.168.100.37: no matching session

% ASA-4-313004: Denied ICMP type = 0, of laddr 172.16.24.4 on the external interface to 192.168.100.37: no matching session

% 302014-6-ASA: disassembly of the TCP connection 88193 for external:172.16.24.4/50984 to internal:192.168.100.146/3389 duration 0: bytes of 00:00 0 flow closed by inspection (roger_ssl)

I have that configured NAT

NAT (internal, external) static source 192.168.100.0 192.168.100.0 static destination VPN_172 VPN_172

The only logical bit that is closed by the inspection flow? Is this to say that the server has not responded?

And decrypt packets increase not when trying to RDP

Does this mean anyting to anyone that I have arrived at the end of my knowledge of the SAA on this one!

Thank you

Roger

Answer is based on your other thread:

https://supportforums.Cisco.com/thread/2207372

Next hop for the static route on the VPN site to site ASA?

Similar Questions

Maybe you are looking for