Next hop for the static route on the VPN site to site ASA?
Hi all
I would be grateful if someone could help me with my problem ASA/misunderstanding. I have a VPN site-to site on a SAA. I want to add a floating static route to point to the VPN on the ASA. Note that the traffic in this way is not with in subnets cryptographic ACL that is used to bring up the VPN. This VPN is used only as a backup.
The static route with the next hop add local public address or the remote public address of the VPN? The next break maybe local ASA isp internet facing interface? I intend to do on the ASDM. I'm sorry if it's a simple question but I found no material that explains this?
Concerning
Ahh, ok, makes sense.
The next hop should be the next jump to the interface that ends the VPN connection, essentially the same as your Internet connection / outside the next hop interface.
Example of topology:
Site B (outside interface - 1.1.1.1) - (next hop: 1.1.1.2) Internet
The static route must tell:
outdoor 10.2.2.2 255.255.255.255 1.1.1.2 200
I hope this helps.
Tags: Cisco Security
Similar Questions
-
Site of the error of phase 2 for the VPN site
Dear all,
We have a VPN site to site with a partner, we need to access three different hosts on the network of partners. Phase 1 came but there is problem with the guests of the three phase 2 we can only connected with a host of others are not connected, and they all share the same settings.
Below is show access ip list matching packages shown but connection to host failed
With the crypto ipsec to see his I saw send error and I don't know what could be responsible.
Any body who could be wrong please help me to am exhausted.
access-list
10 permit ip host 4.2.3.1 4.2.6.22 (647594 matches)
20 permit ip host 4.2.3.14 4.2.6.64 (47794 matches)
30 permit ip host 41.2.3.37 41.2.6.76 (581720 matches)Crypto ipsec to show his
local ident (addr, mask, prot, port): (41.2.3.37/255.255.255.255/0/0)
Remote ident (addr, mask, prot, port): (4.2.6.76/255.255.255.255/0/0)
current_peer 4.2.6.24 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 198, #recv errors 0local crypto endpt. : 4.2.3.16, remote Start crypto. : 4.2.6.24
clearly, mtu 1500, path mtu 1500, mtu 1500 ip mtu IDB FastEthernet4 ip
current outbound SPI: 0x0 (0)
PFS (Y/N): N, Diffie-Hellman group: noSAS of the esp on arrival:
the arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
outgoing ah sas:
outgoing CFP sas:
local ident (addr, mask, prot, port): (4.2.3.14/255.255.255.255/0/0)
Remote ident (addr, mask, prot, port): (4.2.6.64/255.255.255.255/0/0)
current_peer 4.2.6.24 port 500
PERMITS, flags = {origin_is_acl, ipsec_sa_request_sent}
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 508, #recv errors 0local crypto endpt. : 4.2.3.16, remote Start crypto. : 4.2.6.24
clearly, mtu 1500, path mtu 1500, mtu 1500 ip mtu IDB FastEthernet4 ip
current outbound SPI: 0x0 (0)
PFS (Y/N): N, Diffie-Hellman group: noSAS of the esp on arrival:
the arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
outgoing ah sas:
outgoing CFP sas:
Edit: can you put the configuration on both sides of the tunnel? Otherwise re - check once more the configs on both sides
-
ASA 5505 Split tunneling stopped working when upgraded to 8.3 (1) 8.4 (3).
A user has to connect to the old device of 8.3 (1) that they could access all of our subnets: 10.1.0.0/16, 10.33.0.0/16, 10.89.0.0/16, 10.60.0.0/16
but now, they can't and in the newspapers, I see just
6 October 31, 2012 08:17:59 110003 10.60.30.111 1 10.89.30.41 0 routing cannot locate the next hop for ICMP to outside:10.60.30.111/1 to inside:10.89.30.41/0
any tips? I almost tried everything. the running configuration is:
: Saved
:
ASA Version 8.4 (3)
!
host name asa
names of
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP 10.60.70.1 255.255.0.0
!
interface Vlan2
nameif outside
security-level 0
IP 80.90.98.217 255.255.255.248
!
passive FTP mode
clock timezone GMT 0
DNS lookup field inside
DNS domain-lookup outside
permit same-security-traffic intra-interface
network obj_any object
subnet 0.0.0.0 0.0.0.0
network of the NETWORK_OBJ_10.33.0.0_16 object
10.33.0.0 subnet 255.255.0.0
network of the NETWORK_OBJ_10.60.0.0_16 object
10.60.0.0 subnet 255.255.0.0
network of the NETWORK_OBJ_10.89.0.0_16 object
10.89.0.0 subnet 255.255.0.0
network of the NETWORK_OBJ_10.1.0.0_16 object
10.1.0.0 subnet 255.255.0.0
network tetPC object
Home 10.60.10.1
test description
network of the NETWORK_OBJ_10.60.30.0_24 object
10.60.30.0 subnet 255.255.255.0
network of the NETWORK_OBJ_10.60.30.64_26 object
255.255.255.192 subnet 10.60.30.64
the SSH server object network
Home 10.60.20.6
network of the SSH_public object
network ftp_public object
Home 80.90.98.218
rdp network object
Home 10.60.10.4
ftp_server network object
Home 10.60.20.2
network ssh_public object
Home 80.90.98.218
Service FTP object
tcp destination eq 12 service
network of the NETWORK_OBJ_10.60.20.3 object
Home 10.60.20.3
network of the NETWORK_OBJ_10.60.40.192_26 object
255.255.255.192 subnet 10.60.40.192
network of the NETWORK_OBJ_10.60.10.10 object
Home 10.60.10.10
network of the NETWORK_OBJ_10.60.20.2 object
Home 10.60.20.2
network of the NETWORK_OBJ_10.60.20.21 object
Home 10.60.20.21
network of the NETWORK_OBJ_10.60.20.4 object
Home 10.60.20.4
network of the NETWORK_OBJ_10.60.20.5 object
Home 10.60.20.5
network of the NETWORK_OBJ_10.60.20.6 object
Home 10.60.20.6
network of the NETWORK_OBJ_10.60.20.7 object
Home 10.60.20.7
network of the NETWORK_OBJ_10.60.20.29 object
Home 10.60.20.29
service port_tomcat object
Beach service tcp 8080 8082 source
network of the TBSF object
172.16.252.0 subnet 255.255.255.0
the e-mail server object network
Home 10.33.10.2
Mail server description
service object HTTPS
tcp source eq https service
test network object
network access_web_mail object
Home 10.60.50.251
network downtown_Interface_host object
Home 10.60.50.1
Downtown host Interface description
service of the Oracle_port object
tcp source eq sqlnet service
network of the NETWORK_OBJ_10.60.50.248_29 object
subnet 10.60.50.248 255.255.255.248
network of the NETWORK_OBJ_10.60.50.1 object
Home 10.60.50.1
network of the NETWORK_OBJ_10.60.50.0_28 object
subnet 10.60.50.0 255.255.255.240
brisel network object
10.191.191.0 subnet 255.255.255.0
network of the NETWORK_OBJ_10.191.191.0_24 object
10.191.191.0 subnet 255.255.255.0
network of the NETWORK_OBJ_10.60.60.0_24 object
10.60.60.0 subnet 255.255.255.0
object-group service TCS_Service_Group
Description this group of Services offered is for the CLD's Clients
port_tomcat service-object
HTTPS_ACCESS tcp service object-group
EQ object of the https port
the DM_INLINE_NETWORK_1 object-group network
object-network 10.1.0.0 255.255.0.0
network-object 10.33.0.0 255.255.0.0
network-object 10.60.0.0 255.255.0.0
network-object 10.89.0.0 255.255.0.0
allow outside_1_cryptomap to access extended list ip 10.60.0.0 255.255.0.0 10.33.0.0 255.255.0.0
allow outside_2_cryptomap to access extended list ip 10.60.0.0 255.255.0.0 10.89.0.0 255.255.0.0
outside_3_cryptomap to access extended list ip 10.60.0.0 255.255.0.0 allow 10.1.0.0 255.255.0.0
OUTSIDE_IN list extended access permit icmp any one time exceed
OUTSIDE_IN list extended access allow all unreachable icmp
OUTSIDE_IN list extended access permit icmp any any echo response
OUTSIDE_IN list extended access permit icmp any any source-quench
OUTSIDE_IN list extended access permitted tcp 194.2.20.0 255.255.255.0 host 80.90.98.220 eq smtp
OUTSIDE_IN list extended access permit tcp host 194.25.12.0 host 80.90.98.220 eq smtp
OUTSIDE_IN list extended access allow icmp 80.90.98.222 host 80.90.98.217
OUTSIDE_IN list extended access permit tcp host 162.162.4.1 host 80.90.98.220 eq smtp
OUTSIDE_IN list extended access permit tcp host 98.85.125.2 host 80.90.98.221 eq ssh
Standard access list OAKDCAcl allow 10.60.0.0 255.255.0.0
Standard access list OAKDCAcl allow 10.33.0.0 255.255.0.0
access-list OAKDCAcl note backoffice
Standard access list OAKDCAcl allow 10.89.0.0 255.255.0.0
access-list OAKDCAcl note maint
OAKDCAcl list standard access allowed 10.1.0.0 255.255.0.0
access-list allowed standard osgd host 10.60.20.4
access-list allowed standard osgd host 10.60.20.5
access-list allowed standard osgd host 10.60.20.7
standard access list testOAK_splitTunnelAcl allow 10.60.0.0 255.255.0.0
list access allowed extended snmp udp any eq snmptrap everything
list of access allowed extended snmp udp any any eq snmp
downtown_splitTunnelAcl list standard access allowed host 10.60.20.29
webMailACL list standard access allowed host 10.33.10.2
access-list standard HBSC allowed host 10.60.30.107
access-list standard HBSC deny 10.33.0.0 255.255.0.0
access-list standard HBSC deny 10.89.0.0 255.255.0.0
allow outside_4_cryptomap to access extended list ip 10.60.0.0 255.255.0.0 10.191.191.0 255.255.255.0
OAK-remote_splitTunnelAcl-list of allowed access standard 10.1.0.0 255.255.0.0
OAK-remote_splitTunnelAcl-list of allowed access standard 10.33.0.0 255.255.0.0
OAK-remote_splitTunnelAcl-list of allowed access standard 10.60.0.0 255.255.0.0
OAK-remote_splitTunnelAcl-list of allowed access standard 10.89.0.0 255.255.0.0
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
mask 10.60.30.110 - 10.60.30.150 255.255.0.0 IP local pool OAKPRD_pool
IP local pool mail_sddress_pool 10.60.50.251 - 10.60.50.255 mask 255.255.0.0
test 10.60.50.1 mask 255.255.255.255 IP local pool
IP local pool ipad 10.60.30.90 - 10.60.30.99 mask 255.255.0.0
mask 10.60.40.200 - 10.60.40.250 255.255.255.0 IP local pool TCS_pool
local pool OSGD_POOL 10.60.50.2 - 10.60.50.10 255.255.0.0 IP mask
mask 10.60.60.0 - 10.60.60.255 255.255.0.0 IP local pool OAK_pool
IP verify reverse path inside interface
IP verify reverse path to the outside interface
IP audit alarm action name ThreatDetection attack
verification of IP within the ThreatDetection interface
interface IP outside the ThreatDetection check
no failover
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow any inside
ICMP allow any echo inside
ICMP allow any echo outdoors
enable ASDM history
ARP timeout 14400
NAT (inside, outside) static static source NETWORK_OBJ_10.33.0.0_16 destination NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.33.0.0_16
NAT (inside, outside) static static source NETWORK_OBJ_10.89.0.0_16 destination NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.89.0.0_16
NAT (inside, outside) static static source NETWORK_OBJ_10.1.0.0_16 destination NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.1.0.0_16
NAT (inside, outside) static source all all NETWORK_OBJ_10.60.30.0_24 of NETWORK_OBJ_10.60.30.0_24 static destination
NAT (inside, outside) static source all all NETWORK_OBJ_10.60.30.64_26 of NETWORK_OBJ_10.60.30.64_26 static destination
NAT (inside, outside) static static source NETWORK_OBJ_10.60.40.192_26 destination NETWORK_OBJ_10.60.20.29 NETWORK_OBJ_10.60.20.29 NETWORK_OBJ_10.60.40.192_26 any port_tomcat service
NAT (inside, outside) static source any destination of all public static NETWORK_OBJ_10.60.50.1 NETWORK_OBJ_10.60.50.1
NAT (inside, outside) static static source NETWORK_OBJ_10.60.50.248_29 destination MailServer MailServer NETWORK_OBJ_10.60.50.248_29
NAT (inside, outside) static source all all NETWORK_OBJ_10.60.50.0_28 of NETWORK_OBJ_10.60.50.0_28 static destination
NAT (inside, outside) static static source NETWORK_OBJ_10.191.191.0_24 destination NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.191.191.0_24
NAT (inside, outside) static source DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 NETWORK_OBJ_10.60.60.0_24 NETWORK_OBJ_10.60.60.0_24 non-proxy-arp-search of route static destination
!
network obj_any object
NAT dynamic interface (indoor, outdoor)
Route outside 0.0.0.0 0.0.0.0 80.90.98.222 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
Enable http server
http 192.168.1.0 255.255.255.0 inside
http 10.60.10.10 255.255.255.255 inside
http 10.33.30.33 255.255.255.255 inside
http 10.60.30.33 255.255.255.255 inside
SNMP-server host within the 10.33.30.108 community * version 2 c
SNMP-server host within the 10.89.70.30 community *.
No snmp server location
No snmp Server contact
Community SNMP-server
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set esp-3des esp-sha-hmac TRANS_ESP_3DES_SHA ikev1
transport mode encryption ipsec transform-set TRANS_ESP_3DES_SHA ikev1
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set lux_trans_set ikev1 aes - esp esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto outside_map 1 match address outside_1_cryptomap
peer set card crypto outside_map 1 84.51.31.173
card crypto outside_map 1 set transform-set ESP-3DES-SHA ikev1
card crypto outside_map 2 match address outside_2_cryptomap
peer set card crypto outside_map 2 98.85.125.2
card crypto outside_map 2 set transform-set ESP-3DES-SHA ikev1
card crypto outside_map 3 match address outside_3_cryptomap
peer set card crypto outside_map 3 220.79.236.146
card crypto outside_map 3 set transform-set ESP-3DES-SHA ikev1
card crypto 4 correspondence address outside_4_cryptomap outside_map
card crypto outside_map 4 set pfs
peer set card crypto outside_map 4 159.146.232.122
card crypto 4 ikev1 transform-set lux_trans_set set outside_map
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
Crypto ikev1 allow outside
IKEv1 crypto policy 5
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
preshared authentication
aes-256 encryption
sha hash
Group 5
life 86400
IKEv1 crypto policy 30
preshared authentication
3des encryption
sha hash
Group 2
lifetime 28800
IKEv1 crypto policy 50
preshared authentication
aes encryption
sha hash
Group 1
life 86400
IKEv1 crypto policy 70
preshared authentication
aes encryption
sha hash
Group 5
life 86400
Telnet 10.60.10.10 255.255.255.255 inside
Telnet 10.60.10.1 255.255.255.255 inside
Telnet 10.60.10.5 255.255.255.255 inside
Telnet 10.60.30.33 255.255.255.255 inside
Telnet 10.33.30.33 255.255.255.255 inside
Telnet timeout 30
SSH 10.60.10.5 255.255.255.255 inside
SSH 10.60.10.10 255.255.255.255 inside
SSH 10.60.10.3 255.255.255.255 inside
SSH timeout 5
Console timeout 0
dhcpd outside auto_config
!
dhcpd dns 155.2.10.20 155.2.10.50 interface inside
dhcpd auto_config outside interface inside
!
a basic threat threat detection
length 3600 scanning-threat shun threat detection
threat detection statistics
a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200
TFTP server inside 10.60.10.10 configs/config1
WebVPN
internal testTG group policy
attributes of the strategy of group testTG
value of 155.2.10.20 DNS server 155.2.10.50
Ikev1 VPN-tunnel-Protocol
internal DefaultRAGroup_1 group strategy
attributes of Group Policy DefaultRAGroup_1
value of 155.2.10.20 DNS server 155.2.10.50
Protocol-tunnel-VPN l2tp ipsec
internal TcsTG group strategy
attributes of Group Policy TcsTG
VPN-idle-timeout 20
VPN-session-timeout 120
Ikev1 VPN-tunnel-Protocol
IPSec-udp disable
IPSec-udp-port 10000
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list testOAK_splitTunnelAcl
the address value TCS_pool pools
internal downtown_interfaceTG group policy
attributes of the strategy of group downtown_interfaceTG
value of 155.2.10.20 DNS server 155.2.10.50
Ikev1 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list downtown_splitTunnelAcl
internal HBSCTG group policy
HBSCTG group policy attributes
value of 155.2.10.20 DNS server 155.2.10.50
Ikev1 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value HBSC
internal OSGD group policy
OSGD group policy attributes
value of 155.2.10.20 DNS server 155.2.10.50
VPN-session-timeout no
Ikev1 VPN-tunnel-Protocol
group-lock value OSGD
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list testOAK_splitTunnelAcl
internal OAKDC group policy
OAKDC group policy attributes
Ikev1 VPN-tunnel-Protocol
value of group-lock OAKDC
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list OAKDCAcl
Disable dhcp Intercept 255.255.0.0
the address value OAKPRD_pool pools
internal mailTG group policy
attributes of the strategy of group mailTG
value of 155.2.10.20 DNS server 155.2.10.50
Ikev1 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list webMailACL
internal OAK-distance group strategy
attributes of OAK Group Policy / remote
value of 155.2.10.20 DNS server 155.2.10.50
Ikev1 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value OAK-remote_splitTunnelAcl
VPN-group-policy OAKDC
type of nas-prompt service
attributes global-tunnel-group DefaultRAGroup
address pool OAKPRD_pool
ipad address pool
Group Policy - by default-DefaultRAGroup_1
IPSec-attributes tunnel-group DefaultRAGroup
IKEv1 pre-shared-key *.
tunnel-group 84.51.31.173 type ipsec-l2l
IPSec-attributes tunnel-group 84.51.31.173
IKEv1 pre-shared-key *.
tunnel-group 98.85.125.2 type ipsec-l2l
IPSec-attributes tunnel-group 98.85.125.2
IKEv1 pre-shared-key *.
tunnel-group 220.79.236.146 type ipsec-l2l
IPSec-attributes tunnel-group 220.79.236.146
IKEv1 pre-shared-key *.
type tunnel-group OAKDC remote access
attributes global-tunnel-group OAKDC
address pool OAKPRD_pool
Group Policy - by default-OAKDC
IPSec-attributes tunnel-group OAKDC
IKEv1 pre-shared-key *.
type tunnel-group TcsTG remote access
attributes global-tunnel-group TcsTG
address pool TCS_pool
Group Policy - by default-TcsTG
IPSec-attributes tunnel-group TcsTG
IKEv1 pre-shared-key *.
type tunnel-group downtown_interfaceTG remote access
tunnel-group downtown_interfaceTG General-attributes
test of the address pool
Group Policy - by default-downtown_interfaceTG
downtown_interfaceTG group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
type tunnel-group TunnelGroup1 remote access
type tunnel-group mailTG remote access
tunnel-group mailTG General-attributes
address mail_sddress_pool pool
Group Policy - by default-mailTG
mailTG group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
type tunnel-group testTG remote access
tunnel-group testTG General-attributes
address mail_sddress_pool pool
Group Policy - by default-testTG
testTG group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
type tunnel-group OSGD remote access
tunnel-group OSGD General-attributes
address OSGD_POOL pool
strategy-group-by default OSGD
tunnel-group OSGD ipsec-attributes
IKEv1 pre-shared-key *.
type tunnel-group HBSCTG remote access
attributes global-tunnel-group HBSCTG
address OSGD_POOL pool
Group Policy - by default-HBSCTG
IPSec-attributes tunnel-group HBSCTG
IKEv1 pre-shared-key *.
tunnel-group 159.146.232.122 type ipsec-l2l
IPSec-attributes tunnel-group 159.146.232.122
IKEv1 pre-shared-key *.
tunnel-group OAK type remote access / remote
attributes global-tunnel-group OAK / remote
address pool OAK_pool
Group Policy - by default-OAK-remote control
IPSec-attributes tunnel-group OAK / remote
IKEv1 pre-shared-key *.
!
!
!
Policy-map global_policy
!
context of prompt hostname
no remote anonymous reporting call
HPM topN enable
: end
enable ASDM history
Hi David,
I see that you have:
allow outside_2_cryptomap to access extended list ip 10.60.0.0 255.255.0.0 10.89.0.0 255.255.0.0
So, please make the following changes:
network object obj - 10.60.30.0
10.60.30.0 subnet 255.255.255.0
!
Route outside 10.60.30.0 255.255.255.0 80.90.98.222
Route outside 10.89.0.0 255.255.0.0 80.90.98.222
NAT (outside, outside) 1 source static obj - 10.60.30.0 obj - 10.60.30.0 static destination NETWORK_OBJ_10.89.0.0_16 NETWORK_OBJ_10.89.0.0_16 non-proxy-arp-search to itinerary
HTH
Portu.
Please note all useful posts
Post edited by: Javier Portuguez
-
Could someone tell me that I have a laptop that is compatible with the adapter wireless Athreos in it and it catches an unsecured, network shown as next (automatic) for the SSID (network name). I tried parameter as point of access, AD-hoc, Connect automatticaly etc but will not connect... Please tell me how to connect...
Hi Sumit and thanks for posting.
Your Athreos has never connected? If it has connected then it not only connects it to insecure networks? Also after can trying to connect you do the following?
Start, run, CMD, OK to open a command prompt:
Type the following command:
IPCONFIG/ALL
[Note that there is no space between the oblique and ALL bar].
Right click in the command window and choose Select all, and then press ENTER.
Paste the results in a message here.I hope this helps. After the back if you have any questions.
Shawn - Support Engineer - MCP, MCDST
Microsoft Answers Support Engineer
Visit our Microsoft answers feedback Forum and let us know what you think -
When comes out the next firmware for the "rocket"?
When comes out the next firmware for the "rocket"?
Sometimes in the coming months
-
Problem with the VPN site to site for the two cisco asa 5505
Starting with cisco asa. I wanted to do a vpn site-to site of cisco. I need help. I can't ping from site A to site B and vice versa.
Cisco Config asa1
interface Ethernet0/0
switchport access vlan 1
!
interface Ethernet0/1
switchport access vlan 2
!
interface Vlan1
nameif outside
security-level 0
IP address 172.xxx.xx.4 255.255.240.0
!
interface Vlan2
nameif inside
security-level 100
IP 192.168.60.2 255.255.255.0
!
passive FTP mode
network of the Lan_Outside object
192.168.60.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
network of the NETWORK_OBJ_192.168.60.0_24 object
192.168.60.0 subnet 255.255.255.0
object-group Protocol DM_INLINE_PROTOCOL_1
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_2
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_3
ip protocol object
icmp protocol object
Access extensive list ip 192.168.60.0 Outside_cryptomap allow 255.255.255.0 192.168.1.0 255.255.255.0
Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_3 of object-group a
Outside_access_in list extended access allow DM_INLINE_PROTOCOL_1 of object-group a
Inside_access_in list extended access allow DM_INLINE_PROTOCOL_2 of object-group a
network of the Lan_Outside object
NAT (inside, outside) interface dynamic dns
Access-group Outside_access_in in interface outside
Inside_access_in access to the interface inside group
Route outside 0.0.0.0 0.0.0.0 172.110.xx.1 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
AAA authentication http LOCAL console
Enable http server
http 192.168.60.0 255.255.255.0 inside
http 96.xx.xx.222 255.255.255.255 outside
No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto Outside_map 1 corresponds to the address Outside_cryptomap
card crypto Outside_map 1 set peer 96.88.75.222
card crypto Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto Outside_map 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
Outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH stricthostkeycheck
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0
inside access managementdhcpd address 192.168.60.50 - 192.168.60.100 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
AnyConnect essentials
internal GroupPolicy_96.xx.xx.222 group strategy
attributes of Group Policy GroupPolicy_96.xx.xx.222
VPN-tunnel-Protocol ikev1, ikev2
username admin privilege 15 encrypted password f3UhLvUj1QsXsuK7
tunnel-group 96.xx.xx.222 type ipsec-l2l
tunnel-group 96.xx.xx.222 General-attributes
Group - default policy - GroupPolicy_96.xx.xx.222
96.XX.XX.222 group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
inspect the icmp error---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Cisco ASA 2 config
interface Ethernet0/0
switchport access vlan 1
!
interface Ethernet0/1
switchport access vlan 2
!
interface Vlan1
nameif outside
security-level 0
IP address 96.xx.xx.222 255.255.255.248
!
interface Vlan2
nameif inside
security-level 100
IP 192.168.1.254 255.255.255.0
!
passive FTP mode
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
network of the Lan_Outside object
subnet 192.168.1.0 255.255.255.0
network of the NETWORK_OBJ_192.168.60.0_24 object
192.168.60.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
object-group Protocol DM_INLINE_PROTOCOL_1
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_2
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_3
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_4
ip protocol object
icmp protocol object
Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_2 of object-group 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0
Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_3 of object-group a
Outside_access_in list extended access allow DM_INLINE_PROTOCOL_1 of object-group a
Inside_access_in list extended access allow DM_INLINE_PROTOCOL_4 of object-group a
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) static source NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.60.0_24 NETWORK_OBJ_192.168.60.0_24 non-proxy-arp-search of route static destination
!
network of the Lan_Outside object
dynamic NAT (all, outside) interface
Access-group Outside_access_in in interface outside
Inside_access_in access to the interface inside group
Route outside 0.0.0.0 0.0.0.0 96.xx.xx.217 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
AAA authentication http LOCAL console
Enable http server
http 192.168.1.0 255.255.255.0 inside
http 172.xxx.xx.4 255.255.255.255 outside
No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto Outside_map 1 corresponds to the address Outside_cryptomap
card crypto Outside_map 1 set peer 172.110.74.4
card crypto Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto Outside_map 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
Outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH stricthostkeycheck
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0dhcpd address 192.168.1.50 - 192.168.1.100 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
AnyConnect essentials
internal GroupPolicy_172.xxx.xx.4 group strategy
attributes of Group Policy GroupPolicy_172.xxx.xx.4
L2TP ipsec VPN-tunnel-Protocol ikev1, ikev2
username admin privilege 15 encrypted password f3UhLvUj1QsXsuK7
tunnel-group 172.xxx.xx.4 type ipsec-l2l
tunnel-group 172.xxx.xx.4 General-attributes
Group - default policy - GroupPolicy_172.xxx.xx.4
172.xxx.XX.4 group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
inspect the icmp error
inspect the httpFor IKEv2 configuration: (example config, you can change to encryption, group,...)
-You must add the declaration of exemption nat (see previous answer).
-set your encryption domain ACLs:
access-list-TRAFFIC IPSEC allowed extended LOCAL REMOTE - LAN LAN ip
-Set the Phase 1:
Crypto ikev2 allow outside
IKEv2 crypto policy 10
3des encryption
the sha md5 integrity
Group 5
FRP sha
second life 86400-Set the Phase 2:
Crypto ipsec ikev2 ipsec IKEV2-PROPOSAL
Esp aes encryption protocol
Esp integrity sha-1 protocol-set the Group of tunnel
tunnel-group REMOTE-PUBLIC-IP type ipsec-l2l
REMOTE-PUBLIC-IP tunnel-group ipsec-attributes
IKEv2 authentication remote pre-shared-key cisco123
IKEv2 authentication local pre-shared-key cisco123-Define the encryption card
address for correspondence CRYPTOMAP 10 - TRAFFIC IPSEC crypto map
card crypto CRYPTOMAP 10 peer set REMOTE-PUBLIC-IP
card crypto CRYPTOMAP 10 set ipsec ikev2-IKEV2-PROPOSAL
CRYPTOMAP interface card crypto outside
crypto isakmp identity addressOn your config, you have all these commands but on your VPN config, you mix ikev1 and ikev2. You have also defined political different ikev2. Just do a bit of cleaning and reached agreement on a 1 strategy for the two site (encryption, hash,...)
Thank you
-
Table for the code for method of payment for the suppliers site
Hi all, does anyone knows how to get the value for the code for method of payment for the suppliers site in R12.1.3? I don't speak from that in the following path: 1 Paybles responsibility 2. Suppliers 3. Request for a 4 suppliers. Click on details of payment 5. Scroll to supplier Sites and press the update button 6. Note that, for example among the payment methods is checked as default thanks in advance, A.Stoynaov
Hello
Please check this note that contains the query:
Default values for method of payment for providers at the level of the Table (Doc ID 737128.1)
You can use this query to view the lines for a given provider site:
SELECT *.
Of iby_ext_party_pmt_mthds IEPPM
WHERE IEPPM.ext_pmt_party_id IN
(SELECT IEP.ext_payee_id
Of iby_external_payees_all IEP
WHERE IEP.supplier_site_id IN
(SELECT APSS.vendor_site_id
Of ap_supplier_sites_all of the PSA, ap_suppliers APS
WHERE APS.vendor_id = APSS.vendor_id
AND APS.vendor_name = '
. ' AND APSS.vendor_site_code = '
')); Concerning
Joel Purswani
Support of Oracle
-
I created a website with Muse using a slide show widget a little over a year. I gave up Muse bur have recently re-enroll as a single Train to examine the use of Muse. The file for the my site is no longer on my computer or at least I find and I want to make changes. Is there a way to download the Internet Web site and bring Muse to make changes or I have to start all over again.
Hello
to copy entire websites is an arduous task in my eyes. Your sounds to me that you have access to your old site. If you could perhaps talk to your supplier at the time, to get it back.
Hans-Günter
-
How do you add a google calendar for the web site of muse, the updates are synchronized
How do you add a google calendar for the web site of muse, the updates are synchronized?
You can add Google Calendar using iframe which Google provides if you go to calendar settings.
Once you insert this code into the page of Muse by object > insert HTML, the calendar will be displayed on the page.
https://support.Google.com/calendar/answer/41207?hl=en
Thank you
Sanjit
-
'Go to the State' vs 'Go to the next State' for the selected button state
I have a series of image galleries in my publication that uses MSOs and buttons to "Go to another" - the thumbnails then have a small edge to have indicated that they are 'selected' - it works very well. The border is added to the click for each thumbnail button state.
I have a similar scenario is a YouTube embed of the video and an article as a MSO with two States: a State is the vid to youtube and the other State is the article of the text. I have a set place button to switch between these two States. This button is set to "Go to the next State" so he'll just between the two States MSO. Is there any way to have a selected State for this button so that the words under the button change to 'play' video in 'see article' while keeping this button set to "Go to the next State" - the only way I can think to do is with two buttons.
I realize, this is a very specific use case and I do not expect the features, but if there is a solution I am curious to know if anyone else has come across this.
Thanks in advance for your help.
Implement for the buttons in the different States. Then add an invisible button on it to the next State meetings.
Bob
-
A hope for the e-mail in El Capitan issues?
Hi - I've upgraded to El Capitan of Mavericks (big BONE btw and wish I could still use it) and nothing went right ever since, especially with mail.
At least 98% of the time I can't answer emails (using the Gmail server) in the mail. I hit 'reply' and get a new window and a frozen program. I went to mail to force to quit and restart, after what I see pieces box of each thread. After reboot, I can not always respond well, the situation becomes an exercise of "Groundhog Day" - not pleasant and professional.
This has been an ongoing problem for me since January 7, and no discussion with several Apple Care helped senior advisers. I keep saying they "work on it" and, as I found out, I'm not the only person to have that kind of question.
While I realize that problems with the utility software is not sexy - as if we were trying to defeat the FBI stupid in a discussion of national security - I think that Apple has forgotten its roots, its core fan base.
We buy phones, tablets, and Apple computers because the material is magnificent and we have always wanted that software is easy to use - and rarely failed. This has changed in recent years, and not for the better. Yes, the material is always beautiful and functional, but the supplied software is anything but. If there is a better platform to use on these elegant machines I would, thanks to inefficiency cited here and the inability - reluctance? d ' Apple to make it right.
Where do we go from here? Anyone got any kind of a solution so that I can work on that machine again?
If you have any problems then detail as much as you can. See writing an effective communities of Apple support question. This isn't a complaint forum, so ignore the parts of the rant.
-
local host to access the vpn site to site with nat static configured
I have two 881 routers with vpn site to site between them. I have a static nat on the router for a Web server that is accessible from the internet. I can't access the Web server through the vpn. All other traffic is fine its VPN. I think that there is a problem with the NAT. Here are the relevant configuration lines.
IP nat inside source overload map route SDM_RMAP_1 interface FastEthernet4
IP nat inside source static 192.168.150.2 bonnefin map route SDM_RMAP_1allowed SDM_RMAP_1 1 route map
corresponds to the IP 100access-list 100 deny ip 192.168.150.0 0.0.0.255 192.168.123.0 0.0.0.255
access-list 100 permit ip 192.168.150.0 0.0.0.255 anyYou should be able to access the web server with its IP private (192.168.150.2) through the VPN connection.
If you just add the VPN and the road map, try to clear the existing translation and see if you can access it via its private of the Remote LAN VPN ip address.
-
Routing between two remote sites connected over the VPN site to site
I have a problem ping between remote sites. Now the Cryptography and no nat ACL's for different sites just to affect traffic between the remote site and main site. I tried to add roads, adding other subnets to the crypto and no. ACL Nat at the remote sites... nothing worked. Any ideas?
Main site:
192.168.100.0 - call manager / phone VLAN
192.168.1.0/24 - data VLAN
Site 1:
192.168.70.0/24 - phone VLAN
192.168.4.0/24 - data VLAN
Site 2:
192.168.80.0/24 - phone VLAN
192.168.3.0/24 - data VLAN
Main router
Expand the IP ACL5 access list
10 permit ip 192.168.1.0 0.0.0.255 192.168.70.0 0.0.0.255
20 ip 192.168.1.0 allow 0.0.0.255 192.168.4.0 0.0.0.255
30 permits ip 192.168.100.0 0.0.0.255 192.168.4.0 0.0.0.255
IP 192.168.100.0 allow 40 0.0.0.255 192.168.70.0 0.0.0.255)
50 permit ip 10.255.255.0 0.0.0.255 192.168.70.0 0.0.0.255
Expand the IP ACL6 access list
10 permit ip 192.168.1.0 0.0.0.255 192.168.80.0 0.0.0.255
20 ip 192.168.1.0 allow 0.0.0.255 192.168.3.0 0.0.0.255
30 permits ip 192.168.100.0 0.0.0.255 192.168.3.0 0.0.0.255
IP 192.168.100.0 allow 40 0.0.0.255 192.168.80.0 0.0.0.255Expand the No. - NAT IP access list
10 deny ip 192.168.2.0 0.0.0.255 192.168.70.0 0.0.0.255
20 deny ip 192.168.200.0 0.0.0.255 192.168.4.0 0.0.0.255
30 deny ip 192.168.2.0 0.0.0.255 192.168.80.0 0.0.0.255
40 deny ip 192.168.200.0 0.0.0.255 192.168.3.0 0.0.0.255
320 ip 192.168.1.0 allow 0.0.0.255 any
IP 192.168.100.0 allow 330 0.0.0.255 anySite 1:
ACL5 extended IP access list
IP 192.168.70.0 allow 0.0.0.255 192.168.1.0 0.0.0.255
ip licensing 192.168.4.0 0.0.0.255 192.168.100.0 0.0.0.255
IP 192.168.70.0 allow 0.0.0.255 192.168.100.0 0.0.0.255
ip licensing 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
IP 192.168.70.0 allow 0.0.0.255 10.255.255.0 0.0.0.255
No. - NAT extended IP access list
deny ip 192.168.70.0 0.0.0.255 192.168.1.0 0.0.0.255
refuse the 192.168.4.0 ip 0.0.0.255 192.168.100.0 0.0.0.255
deny ip 192.168.70.0 0.0.0.255 192.168.100.0 0.0.0.255
refuse the 192.168.4.0 ip 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 192.168.70.0 0.0.0.255 10.255.255.0 0.0.0.255
IP 192.168.70.0 allow 0.0.0.255 any
ip licensing 192.168.4.0 0.0.0.255 any
Site 2:
ACL6 extended IP access list
IP 192.168.80.0 allow 0.0.0.255 192.168.1.0 0.0.0.255
ip licensing 192.168.3.0 0.0.0.255 192.168.100.0 0.0.0.255
IP 192.168.80.0 allow 0.0.0.255 192.168.100.0 0.0.0.255
ip licensing 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
IP 192.168.80.0 allow 0.0.0.255 10.255.255.0 0.0.0.255
No. - NAT extended IP access list
deny ip 192.168.80.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 192.168.3.0 0.0.0.255 192.168.100.0 0.0.0.255
deny ip 192.168.80.0 0.0.0.255 192.168.100.0 0.0.0.255
deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 192.168.80.0 0.0.0.255 10.255.255.0 0.0.0.255
IP 192.168.80.0 allow 0.0.0.255 any
ip licensing 192.168.3.0 0.0.0.255 anyWhat should I do for these two sites can ping each other? I looked through the forums but can't seem to find someone with a similar problem, which has received a definitive answer.
Thanks in advance!
Hi, I assume that you need site 1 and 2 to communicate with each other via the main site right? If this is the case, then you need to set add the following lines to your ACL crypto:
Main router
Expand the IP ACL5 access list
IP 192.168.80.0 allow 0.0.0.255 192.168.70.0 0.0.0.255
IP 192.168.80.0 allow 0.0.0.255 192.168.4.0 0.0.0.255
ip licensing 192.168.3.0 0.0.0.255 192.168.70.0 0.0.0.255
ip licensing 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
Expand the IP ACL6 access list
IP 192.168.70.0 allow 0.0.0.255 192.168.80.0 0.0.0.255
IP 192.168.70.0 allow 0.0.0.255 192.168.3.0 0.0.0.255
ip licensing 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
ip licensing 192.168.4.0 0.0.0.255 192.168.80.0 0.0.0.255
Make sure you add these lines before the last permit
Expand the No. - NAT IP access list
deny ip 192.168.80.0 0.0.0.255 192.168.70.0 0.0.0.255
deny ip 192.168.80.0 0.0.0.255 192.168.4.0 0.0.0.255
deny ip 192.168.3.0 0.0.0.255 192.168.70.0 0.0.0.255
deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
deny ip 192.168.70.0 0.0.0.255 192.168.80.0 0.0.0.255
refuse the 192.168.4.0 ip 0.0.0.255 192.168.80.0 0.0.0.255
deny ip 192.168.70.0 0.0.0.255 192.168.3.0 0.0.0.255
refuse the 192.168.4.0 ip 0.0.0.255 192.168.3.0 0.0.0.255
Site 1:
ACL5 extended IP access list
IP 192.168.70.0 allow 0.0.0.255 192.168.80.0 0.0.0.255
ip licensing 192.168.4.0 0.0.0.255 192.168.80.0 0.0.0.255
IP 192.168.70.0 allow 0.0.0.255 192.168.3.0 0.0.0.255
ip licensing 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
Make sure that these lines are added before the last permit
No. - NAT extended IP access list
deny ip 192.168.70.0 0.0.0.255 192.168.80.0 0.0.0.255
refuse the 192.168.4.0 ip 0.0.0.255 192.168.80.0 0.0.0.255
deny ip 192.168.70.0 0.0.0.255 192.168.3.0 0.0.0.255
refuse the 192.168.4.0 ip 0.0.0.255 192.168.3.0 0.0.0.255
Site 2:
ACL6 extended IP access list
IP 192.168.80.0 allow 0.0.0.255 192.168.70.0 0.0.0.255
ip licensing 192.168.3.0 0.0.0.255 192.168.70.0 0.0.0.255
IP 192.168.80.0 allow 0.0.0.255 192.168.4.0 0.0.0.255
ip licensing 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
So make sure that these lines are added before the last permit
No. - NAT extended IP access list
deny ip 192.168.80.0 0.0.0.255 192.168.70.0 0.0.0.255
deny ip 192.168.3.0 0.0.0.255 192.168.70.0 0.0.0.255
deny ip 192.168.80.0 0.0.0.255 192.168.4.0 0.0.0.255
deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
So you're saying good enough your routers with these definitions which will be reached via one main remote sites (sites 1 and 2).
I would like to know if this is what you need.
-
need help for the VPN connection
Hi guys
can you help with that?
I installed a VPN connection, but the tunnel shows that status: upward and the protocol description: down.
debugging is turned on and displays following-
ITS has applications pending (xx.xx.xx.xx local port 500, xx.xx.xx.xx remote port 500)
DEC 20 02:39:26.762: ISAKMP: (2142): sitting IDLE. From QM immediately (QM_IDLE)
02:39:26.762 20 Dec: ISAKMP: (2142): start Quick Mode Exchange, M - ID 3357871564
02:39:26.762 20 Dec: ISAKMP: (2142): initiator QM gets spi
DEC 20 02:39:26.762: ISAKMP: (2142): Pack xx.xx.xx.xx my_port 500 peer_port 500 (I) sending QM_IDLE
02:39:26.762 20 Dec: ISAKMP: (2142): sending a packet IPv4 IKE.
02:39:26.762 20 Dec: ISAKMP: (2142): entrance, node 3357871564 = IKE_MESG_INTERNAL, IKE_INIT_QM
02:39:26.762 20 Dec: ISAKMP: (2142): former State = new State IKE_QM_READY = IKE_QM_I_QM1
02:39:26.794 20 Dec: ISAKMP (2142): packet received from xx.xx.xx.xx dport 500 sport Global 500 (I) QM_IDLE
02:39:26.794 20 Dec: ISAKMP: node set-419503660 to QM_IDLE
DEC 20 02:39:26.794: ISAKMP: (2142): HASH payload processing. Message ID = 3875463636
DEC 20 02:39:26.794: ISAKMP: (2142): treatment protocol NOTIFIER PROPOSAL_NOT_CHOSEN 3
SPI 2561284360, message ID = 3875463636, a = 0x87D0CFC8
DEC 20 02:39:26.794: ISAKMP: (2142): removal of spi 2561284360 message ID = 3357871564
02:39:26.794 20 Dec: ISAKMP: (2142): node-937095732 error suppression REAL reason "remove larval.
02:39:26.794 20 Dec: ISAKMP: (2142): node-419503660 error suppression FALSE reason 'informational (en) State 1.
02:39:26.794 20 Dec: ISAKMP: (2142): entry = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
02:39:26.794 20 Dec: ISAKMP: (2142): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE
02:39:46.798 20 Dec: ISAKMP: (2142): purge the node-1177810765
02:39:46.798 20 Dec: ISAKMP: (2142): purge the node-138734109
02:39:56.763 20 Dec: % s-6-IPACCESSLOGRL: the rate limited or missed 2 sachets of access list record
DEC 20 02:39:56.763: IPSEC (key_engine): request timer shot: count = 2,.
local (identity) = xx.xx.xx.xx:0, distance = xx.xx.xx.xx:0,
local_proxy = 0.0.0.0/0.0.0.0/0/0 (type = 4),
remote_proxy = 0.0.0.0/0.0.0.0/0/0 (type = 4)
the config is following.
crypto ISAKMP policy 10
BA 3des
preshared authentication
Group 2
ISAKMP crypto key xxxxxx address xx.xx.xx.xx
!
!
Crypto ipsec transform-set esp-3des esp-sha-hmac vpnset
transport mode
!
Crypto ipsec tech profile
Set transform-set vpnset
!
!
my-map 20 ipsec-isakmp crypto map
defined peer xx.xx.xx.xx
Set transform-set vpnset
match address 155
Hello
As for your question, you can have more than 1 card crypto on the interface.
However, you can use the same card encryption for several strategies. You can change the ma-card to vpnmap.
In this way the two are enabled on the same interface, with one having a higher priority than the other.So if a package came from inside, the first crypto ACL interface is checked and then the next and so on. The first match found is chosen for the IPsec negotioation.
-
Œuvres ping for the VPN ASA5505 RDP does not work?
I have an ASA5505 VPN remote access facility
I have a server connected directly behind the ASA and I can ping the server without problem.
The reports being encrypted and decrypted packets VPN client
However when I try to RDP to the server packages encyrpted keep incrementing but the decrypted packets are not.
I also do not see all RDP traffic hit the server (checked by ethereal)
I did a packet trace and it succeeds, but ends with a parody of IP which I believe is correct as is the vpn traffic and not actually be encrypted.
This is the correction of the RDP session, I'm confused by one ICMP denied on line 2 that I am able to ping the server?
% ASA-6-302013: built of TCP connections incoming 88193 for external:172.16.24.4/50984 (172.16.24.4/50984) at internal:192.168.100.146/3389 (192.168.100.146/3389) (roger_ssl)
% ASA-4-313004: Denied ICMP type = 0, of laddr 172.16.24.4 on the external interface to 192.168.100.146: no matching session
% ASA-609001 7: built internal local-host: 192.168.100.37
% ASA-6-302015: built connection UDP incoming 88194 for external:172.16.24.4/50620 (172.16.24.4/50620) at internal:192.168.100.37/53 (192.168.100.37/53) (roger_ssl)
% ASA-4-313004: Denied ICMP type = 0, of laddr 172.16.24.4 on the external interface to 192.168.100.37: no matching session
% ASA-6-302015: built connection UDP incoming 88195 for external:172.16.24.4/64598 (172.16.24.4/64598) at internal:192.168.100.37/53 (192.168.100.37/53) (roger_ssl)
% ASA-4-313004: Denied ICMP type = 0, of laddr 172.16.24.4 on the external interface to 192.168.100.37: no matching session
% ASA-4-313004: Denied ICMP type = 0, of laddr 172.16.24.4 on the external interface to 192.168.100.37: no matching session
% 302014-6-ASA: disassembly of the TCP connection 88193 for external:172.16.24.4/50984 to internal:192.168.100.146/3389 duration 0: bytes of 00:00 0 flow closed by inspection (roger_ssl)
I have that configured NAT
NAT (internal, external) static source 192.168.100.0 192.168.100.0 static destination VPN_172 VPN_172
The only logical bit that is closed by the inspection flow? Is this to say that the server has not responded?
And decrypt packets increase not when trying to RDP
Does this mean anyting to anyone that I have arrived at the end of my knowledge of the SAA on this one!
Thank you
Roger
Answer is based on your other thread:
Maybe you are looking for
-
Options will not keep the update page to display my chosen homepage
Why browser keeps showing 2 tabs? One is the update page and the other is my chosen homepage. I tried the options but it doesn't work.
-
Errors of HP Photosmart Premium 309 a envelope
I am trying to print on envelopes and I have both microsoft word envelopes the value #10 and the printer, the #10 value envelopes. I have even the printer in landscape mode (since it seems properly) Nevertheless, the printer will feed the envelope t
-
Corrupted recovery disk &; battery bad health
Laptop model: HP Pavilion 15 (ENERGY STAR) ab288sa OS: Running Windows 10 Home (x 64-bit) RAM: 8 GB HARD DRIVE: 2 TB [personal information] Product no.: P5P67EA #ABU Bought: UK Currently using: Sri Lanka My laptop is slow although it has 8 GB of ram.
-
How can I upgrade XP to W7?
Hellocan I switch to W7 from XP? What is the best way to install W7 on an area of Vista, upgrade, or reimige?
-
transfer data to the external hard drive to the new computer laptop
How can I recover the external hard drive LaCie saved information from old computer XP & download on new viao Windows 7? my old computer crashed so I have no way to run the the windows on my old computer program transfer.