One-way traffic DMVPN
setting up the first star in a mesh network. VPN connects very well and there is a part of the traffic above him, however it looks like anything to get wrapped. I see eigrp and PNDH, try to go forward and backward, but neither made with great success. Any ideas where to look?
E - townInternet #show cry ipsec his
Interface: Tunnel0
Tag crypto map: addr Tunnel0-head-0, local 67.235.62.74
protégé of the vrf: (none)
local ident (addr, mask, prot, port): (xx/255.255.255.255/47/0)
Remote ident (addr, mask, prot, port): (xx/255.255.255.255/47/0)
current_peer xx port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 1646, #pkts decrypt: 1646, #pkts check: 1646
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errors
endpt local crypto. : xx, remote Start crypto. : xx
Path mtu 1500, ip mtu 1500
current outbound SPI: 0x1DAF1EB4 (498015924)
SAS of the esp on arrival:
SPI: 0x3E489DA4 (1044946340)
transform: esp-3des esp-md5-hmac.
running parameters = {Tunnel}
Conn ID: 3003, flow_id: FPGA:3, crypto card: head-Tunnel0-0
calendar of his: service life remaining (k/s) key: (4585669/53)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE
the arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
SPI: 0x1DAF1EB4 (498015924)
transform: esp-3des esp-md5-hmac.
running parameters = {Tunnel}
Conn ID: 3005, flow_id: FPGA:5, crypto card: head-Tunnel0-0
calendar of his: service life remaining (k/s) key: (4585672/53)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE
outgoing ah sas:
outgoing CFP sas:
E - townInternet #.
Neil,
EIGRP retry limit is used when no complete PNDH was built.
You mean interface tunnel itself beat (going up/down)?
Marcin
Tags: Cisco Security
Similar Questions
-
LAN - to - LAN 837 to 3000series one-way traffic
Hello
Not even sure that there is even a way traffic. The 837 is encryting and the 3000series is done by increments Rx but nowhere on decrypt it and Tx respectively.
Tracking guides and hub configuration cisco IOS religiously.
The 837 ipsec cypto debugs seems to show that SAS created - when they actually decide to show them selves on the console.
Routing is not a problem - unless you consider static routes on the 3000. Am I supposed to create a static route to send traffic to the LAN remote (837) on the public interface? Or is it not necessary to have an itinerary as SA definition will determine the tunnel to go down?
Unfortunately no other LAN-to-LAN tnnnels on 3000 to compare these questions and I have no laboratory.
Any help would be welcome. Of course, I can provide more information, all that is necessary. Am at my wits end with this one. So simple and yet not working - have to do something stupid.
Thank you
If the tunnel is under construction and your getting the traffic in one direction and not the other, it is usually the routing.
The 831 sends traffic to the 3000 and 3000 is received, ranging from your counters. The problem is probably that the hosts behind the 3000 do not know how to return to the LAN behind the 831. Your internal network behind the 3000 will need a route to the LAN 831 that points to the interface of the 3000. The 3000 justs needs a default gateway pointing out the public interface.
On the local network of 3000, if you have not all router internal and your interior hosts are directly connected to the same hub/switch interface private 3000, then each host will need a static route to the LAN 831 that points to the private interface 3000 (this is assuming of course that the 3000 is not the default gateway for hosts (, which is usually not).
Keep in mind that if you see not all TX packets on the 3000, then the 3000 is not even see packets of it is inside the hosts which are intended for the 831 LAN, check the local routing behind the 3000 to see what is happening.
-
VPN Cisco ASA 5540 L2L - one-way traffic only for the pair to a network
Hello
I'm a little confused as to which is the problem. This is the premise for the problem I have face.
One of our big clients has a Cisco ASA5540 (8.2 (2)) failover (active / standby). Early last year, we have configured a VPN from Lan to Lan to a 3rd party site (a device of control point on their end). He worked until early this week when suddenly the connection problems.
Only 1 of the 3 networks the / guests can access a remote network on the other side. 2 others have suddenly stopped working. We do not know of any change on our side and the remote end also insists that their end configurations are correct (and what information they sent me it seems to be correct)
So essentially the encryption field is configured as follows:
access-list
line 1 permit extended ip 10.238.57.21 host 10.82.0.202 (hitcnt = 2)
access-listline 2 extended permit ip 10.207.0.0 255.255.0.0 10.82.0.200 255.255.255.252 (hitcnt = 198)
access-listline 3 extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252 (hitcnt = 173) Free NAT has been configured as follows (names modified interfaces):
NAT (interface1) 0-list of access to the INTERIOR-VPN-SHEEP
the INTERIOR-VPN-SHEEP line 1 permit access list extended ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
permit for Access-list SHEEP-VPN-INSIDE line lengthened 2 ip host 10.238.57.21 10.82.0.202NAT (interface2) 0-list of access VPN-SHEEP
VPN-SHEEP line 1 permit access list extended ip 10.207.0.0 255.255.0.0 10.82.0.200 255.255.255.252
After the problem started only 10.207.0.0/16 network connections worked for the site remote 10.82.0.200/30. All other connections do not work.
There has been no change made on our side and on the side remote also insists there has been no change. I also checked how long the ASAs have been upward and how long the same device has been active in the failover. Both have been at the same time (about a year)
The main problem is that users of the 10.231.191.0/24 cant access remote network network. However, the remote user can initiate and implement the VPN on their side but usually get any return traffic. Ive also checked that the routes are configured correctly in the routers in core for the return of their connections traffic should go back to the firewall.
Also used of "packet - trace" event raising the VPN tunnel (even if it passes the phases VPN). For my understanding "packet - trace" alone with the IP source and destination addresses must activate the VPN connection (even if it generates no traffic to the current tunnel).
This is printing to the following command: "packet - trace entry interface1 tcp 10.231.191.100 1025 10.82.0.203 80.
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit rule
Additional information:
MAC access listPhase: 2
Type: FLOW-SEARCH
Subtype:
Result: ALLOW
Config:
Additional information:
Not found no corresponding stream, creating a new streamPhase: 3
Type:-ROUTE SEARCH
Subtype: entry
Result: ALLOW
Config:
Additional information:
in 10.82.0.200 255.255.255.252 outsidePhase: 4
Type: ACCESS-LIST
Subtype: Journal
Result: ALLOW
Config:Access-group interface interface1
access-list extendedallow ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
Additional information:Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:Phase: 6
Type: INSPECT
Subtype: np - inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
Policy-map global_policy
class inspection_default
inspect the http
global service-policy global_policy
Additional information:Phase: 7
Type: FOVER
Subtype: Eve-updated
Result: ALLOW
Config:
Additional information:Phase: 8
Type: NAT-FREE
Subtype:
Result: ALLOW
Config:
NAT-control
is the intellectual property inside 10.231.191.0 255.255.255.0 outside 10.82.0.200 255.255.255.252
Exempt from NAT
translate_hits = 32, untranslate_hits = 35251
Additional information:-Phase 9 is a static nat of the problem to another network interface. Don't know why his watch to print.
Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (interface1, interface3) 10.231.0.0 10.231.0.0 255.255.0.0 subnet mask
NAT-control
is the intellectual property inside 10.231.0.0 255.255.0.0 interface3 all
static translation at 10.231.0.0
translate_hits = 153954, untranslate_hits = 88
Additional information:-Phase 10 seems to be the default NAT for the local network configuration when traffic is to the Internet
Phase: 10
Type: NAT
Subtype:
Result: ALLOW
Config:
NAT (interface1) 5 10.231.191.0 255.255.255.0
NAT-control
is the intellectual property inside 10.231.191.0 255.255.255.0 outside of any
dynamic translation of hen 5 (y.y.y.y)
translate_hits = 3048900, untranslate_hits = 77195
Additional information:Phase: 11
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional information:Phase: 12
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional information:Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:Phase: 14
Type: CREATING STREAMS
Subtype:
Result: ALLOW
Config:
Additional information:
New workflow created with the 1047981896 id, package sent to the next moduleResult:
input interface: interface1
entry status: to the top
entry-line-status: to the top
output interface: outside
the status of the output: to the top
output-line-status: to the top
Action: allowSo, basically, the connection should properly go to connect VPN L2L but yet is not. I tried to generate customer traffic of base (with the source IP address of the client network and I see the connection on the firewall, but yet there is absolutely no encapsulated packets when I check "crypto ipsec to show his" regarding this connection VPN L2L.) Its almost as if the firewall only transfers the packets on the external interface instead of encapsulating for VPN?
And as I said, at the same time the remote end can activate the connection between these 2 networks very well, but just won't get any traffic back to their echo ICMP messages.
access-list extended
allow ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
local ident (addr, mask, prot, port): (10.231.191.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (10.82.0.200/255.255.255.252/0/0)
current_peer: y.y.y.y#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 131, #pkts decrypt: 131, #pkts check: 131
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0If it was just a routing problem it would be a simple thing to fix, but it is not because I can see the connection I have to confirm it by the router base on the firewall, but they don't just get passed on to the VPN connection.
Could this happen due to a bug in the Software ASA? Would this be something with Checkpoint VPN device? (I have absolutely no experience with devices of control point)
If there is any essential information that I can give, please ask.
-Jouni
Jouni,
8.2.4.1 is the minimum - 8.2.4 had some issues (including TCP proxy).
If this does not resolve the problem - I suggest open TAC box to get to the bottom of this ;-)
Marcin
-
debugging/troubleshooting IPSec one-way traffic tunnel
I'll put up a business network IPSec consists of a UC520 at the head end (Headquarters) and several routers Linksys WRV remotes nodes/network. I see that ISAKMP and IPSec SA on both ends and I ping the IP of the remote networks UC520 internal. However, I can not ping any other IP on the network of the company.
I see of "cry ips to show his" packages are décapsulés (remote business) but none are encapsulated (remote business). I can also see (from a traceroute) how remote business packages are sent to the default gateway of the UC520 to the Internet instead of being placed in the tunnel. This jives with what I see with ' sho ips cry her. "
I made sure to create an ACL for the NAT for corporate remote subnets are not translated, but I don't know what else to check. I tried to do a "debug IP packet detail xxx' with a corresponding company in remote traffic but the debug and ACL get no success.
Any other ideas?
Thank you
DiegoWell, looks like that your exemption of Nat does not work. Check 'show ip nat trans' confirm this when sending traffic.
Can you maybe post your config NAT (together)?
-
VPN site to Site one-way traffic
Hi all
I set up a Vpn site-to site and everything works well in the remote site to the corporate site, but since the site of the company asa 5510, I can't access to the remote site asa 5505. I checked the logging on the SAA and I can see the packets being fallen but I can't find what I need to do to allow this traffic through. Here are most of my 5510 config, I'm sure it's something simple I'm missing, but I can't run it please help.
REMOTE network is 192.168.72.0
: Saved
: Written by enable_15 at 10:29:17.163 GMT/BDT Thu Jun 10 2010
!
ASA Version 8.0 (5)
!
host name Casa
uk domain name
activate the encrypted password of VgZT0UwPdkSV9l7N
zlo5ImUVRkHl4lcl encrypted passwd
names of
name 192.168.103.14 description of Appliance CITRIX CITRIX Appliance
name 192.168.3.12 description villages villages
DNS-guard
!
interface Ethernet0/0
nameif outside
security-level 0
IP address x.x.x.123 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
192.168.3.254 IP address 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
IP 192.168.103.254 255.255.255.0
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
nameif management
security-level 100
IP 192.168.1.1 255.255.255.0
management only
!
boot system Disk0: / asa805 - k8.bin
boot system Disk0: / asa707 - k8.bin
passive FTP mode
clock timezone GMT/UTC 0
summer time clock GMT/BDT recurring last Sun Mar 01:00 last Sun Oct 02:00
DNS server-group DefaultDNS
uk domain name
object-group network ExternalAccess
Description hosts allowed direct web access
network object-SVR-01 255.255.255.255
SVR GIS 255.255.255.255 network-object
host of network-object cient
host villages network-object
the ExternalAccessFromDMZ object-group network
Description hosts allowed direct web access to DMZ
CITRIX-device 255.255.255.255 network-object
network-object IRONPORT1 255.255.255.255
worker of the object-network 255.255.255.255
MitelUDPinternet udp service object-group
Description Mitel UDP services on the internet
20000-27000 object-port Beach
port-object eq sip
port-object eq 5064
MitelTCPinternet tcp service object-group
Description Mitel TCP services on the internet
port-object eq 2114
port-object eq 2116
port-object eq 35000
port-object eq 37000
port-object eq 3998
6801-6802 object-port Beach
port-object eq 6880
port-object eq www
EQ object of the https port
port-object eq 6800
EQ object Port 3478
port-object eq sip
EQ port ssh object
MitelTCPinternetOpt tcp service object-group
Description Mitel TCP optional services on the internet
port-object eq 3300
6806-6807 object-port Beach
36005 36005 object-port Beach
36005 36006 object-port Beach
EQ object Port 3478
port-object eq sip
MitelUDP2LAN udp service object-group
Description Mitel UDP for the local network of services
object-port range 1024-65535
port-object eq sip
MitelTCP2LAN tcp service object-group
Description Mitel TCP for the local network of services
port-object eq 2114
port-object eq 2116
port-object eq 35000
port-object eq 37000
port-object eq 1606
object-port 4443 eq
port-object eq 3998
port-object eq 3999
6801-6802 object-port Beach
port-object eq 6880
port-object eq www
EQ object of the https port
EQ object Port 3478
port-object eq sip
acl_outside list extended access permit icmp any any echo response
acl_outside list extended access allow all unreachable icmp
acl_outside list extended access permit icmp any any source-quench
acl_outside list extended access permit tcp any host Mail_Outside_AGH eq smtp
acl_outside list extended access permit tcp any host Mail_Outside_AGH eq https
acl_outside list extended access permit tcp any host x.x.x.123 eq ssh
acl_outside list extended access permit tcp host x.x.x.x host Icritical_Outside eq ssh
acl_outside list extended access permit tcp any host Citrix_Portal_outside eq 8088
acl_outside list extended access permit tcp any host Citrix_Portal_outside eq https
acl_outside list extended access permit tcp any host Citrix_Portal_outside eq 8081
acl_outside list extended access permit tcp any host Mail_Outside_AVON eq smtp
acl_outside list extended access permit tcp any host Mail_Outside_AVON eq https
acl_outside list extended access permit udp host x.x.x.x host Icritical_Outside eq snmp
acl_outside list extended access permit udp host x.x.x.x host Icritical_Outside eq snmp
acl_outside list extended access permit tcp any host teleworker_outside MitelTCPinternet object-group
acl_outside list extended access permit udp any host teleworker_outside MitelUDPinternet object-group
acl_outside list extended access permit tcp any host teleworker_outside MitelTCPinternetOpt object-group
acl_outside list extended access permit tcp host x.x.x.x host Icritical_Outside eq ssh
acl_outside list extended access permit udp any host ESX-PAL-01 eq ntp
acl_outside list extended access permit udp any host ESX-PAL-02 eq ntp
acl_outside list extended access permit udp any host ESX-PAL-03 eq ntp
inside_outbound_nat0_acl to access ip 192.168.1.0 scope list allow 255.255.255.0 172.30.100.0 inactive 255.255.255.224
inside_outbound_nat0_acl list of allowed ip extended access all 172.31.1.0 255.255.255.0
inside_outbound_nat0_acl to access extended list ip 192.168.3.0 allow 255.255.255.0 192.168.103.0 255.255.255.0
inside_outbound_nat0_acl to access extended list ip 192.168.3.0 allow 255.255.255.0 192.168.72.0 255.255.255.0
inside_pnat_outbound list extended access allowed object-group ip ExternalAccess everything
acl_dmz list extended access permit ip host host IRONPORT1 Mail_Inside_AGH
acl_dmz list extended access permit udp host field of pal-svr-22 eq IRONPORT1 host
acl_dmz list extended access permit tcp host IRONPORT1 host pal-svr-22 eq 3268
acl_dmz list extended access permit udp host host IRONPORT1 ARM-SVR-01 eq field
acl_dmz list extended access permit tcp host IRONPORT1 host ARM-SVR-01 eq 3268
acl_dmz list extended access permit udp host host IRONPORT1 Pal-Svr-17 eq field
acl_dmz list extended access allowed icmp host host IRONPORT1 Mail_Inside_AGH
access extensive list ip 192.168.103.0 acl_dmz allow 255.255.255.0 any
acl_dmz list extended access permit tcp host host CITRIX-device-CITRIXCSG-lan eq https inactive
acl_dmz list extended access permit ip any host CITRIXCSG-lan idle
acl_dmz list extended access permit tcp host IRONPORT1 eq Mail_Outside_AGH smtp
acl_dmz list extended access permit tcp host teleworker host 192.168.20.1 object-group MitelTCP2LAN
acl_dmz list extended access permit udp host teleworker host 192.168.20.1 object-group MitelUDP2LAN
dmz_pnat_outbound list extended access allowed object-group ip ExternalAccessFromDMZ all
access extensive list ip 192.168.103.0 dmz_nat0_inbound allow 255.255.255.0 192.168.3.0 255.255.255.0
dmz_nat0_inbound list of ip host 192.168.20.1 telecommuter host allowed extended access
access extensive list ip 192.168.21.0 inside_pnat_outbound_AVON allow 255.255.255.0 any
access extensive list ip 192.168.22.0 inside_pnat_outbound_AVON allow 255.255.255.0 any
access extensive list ip 192.168.23.0 inside_pnat_outbound_AVON allow 255.255.255.0 any
access extensive list ip 192.168.24.0 inside_pnat_outbound_AVON allow 255.255.248.0 all
inside_pnat_outbound_AVON to access extended list ip 192.168.32.0 allow 255.255.240.0 everything
access extensive list ip 192.168.48.0 inside_pnat_outbound_AVON allow 255.255.248.0 all
access extensive list ip 192.168.56.0 inside_pnat_outbound_AVON allow 255.255.252.0 all
access extensive list ip 192.168.60.0 inside_pnat_outbound_AVON allow 255.255.255.0 any
allow any scope to an entire ip access list
inside_nat_AVON_Marshall list extended access permit ip host Mail_Inside_AVON all
dmz_pnat1_outbound list of ip telecommuter host allowed extended access any
outside_1_cryptomap to access extended list ip 192.168.3.0 allow 255.255.255.0 192.168.72.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
logging e-mail notifications
uk address record
exploitation forest-address recipient [email protected] / * / critical level
Outside 1500 MTU
Within 1500 MTU
MTU 1500 dmz
management of MTU 1500
IP local pool vpnpool 172.31.1.1 - 172.31.1.254 mask 255.255.255.0
no failover
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow any inside
ICMP allow no dmz echo
ICMP allow all dmz
ASDM image disk0: / asdm-625 - 53.bin
ASDM location SVR-01 255.255.255.255 inside
ASDM location svr-02 255.255.255.255 inside
ASDM location IRONPORT1 255.255.255.255 dmz
ASDM location 194.81.55.226 255.255.255.255 dmz
ASDM 255.255.255.255 inside server location
ASDM location CITRIX-device 255.255.255.255 dmz
ASDM group ExternalAccess inside
ASDM group dmz ExternalAccessFromDMZ
don't allow no asdm history
ARP timeout 14400
Global x.x.x.121 2 (outdoor)
Global 1 x.x.x.125 (outside)
Global Mail_Outside_AVON 3 (outside)
Global Mail_Outside_AGH 4 (outside)
Global teleworker_outside 5 (outside)
NAT (inside) 0-list of access inside_outbound_nat0_acl
NAT (inside) 2-list of access inside_pnat_outbound_AVON
NAT (inside) 3 access-list inside_nat_AVON_Marshall
NAT (inside) 1 access-list inside_pnat_outbound
NAT (dmz) 0-list of access dmz_nat0_inbound outside
NAT (dmz) 4 access-list dmz_pnat_outbound
NAT (dmz) 5 access-list dmz_pnat1_outbound
static (inside, outside) tcp ssh Icritical ssh netmask 255.255.255.255 Icritical_Outside
static (inside, outside) tcp https Mail_Outside_AGH Mail_Inside_AGH https netmask 255.255.255.255
static (dmz, outside) tcp smtp smtp IRONPORT1 netmask 255.255.255.255 Mail_Outside_AGH
static (inside, outside) tcp https Mail_Outside_AVON Exchange_Inside_AVON https netmask 255.255.255.255
static (inside, outside) tcp smtp smtp Mail_Inside_AVON netmask 255.255.255.255 Mail_Outside_AVON
static (inside, outside) udp snmp Icritical snmp netmask 255.255.255.255 Icritical_Outside
static (dmz, outside) device-CITRIX-Citrix_Portal_outside netmask 255.255.255.255
static (inside, outside) Mail_Outside_AVON Mail_Inside_AVON netmask 255.255.255.255
static (dmz, external) teleworker_outside netmask 255.255.255.255 teleworker
Access-group acl_outside in interface outside
Access-group acl_dmz in dmz interface
Route outside 0.0.0.0 0.0.0.0 X.X.X.254 1
Route inside 192.168.0.0 255.255.0.0 192.168.3.3 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
oner http 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 set pfs Group1
card crypto outside_map 1 set r.r.r.244 counterpart
card crypto outside_map 1 set of transformation-ESP-3DES-SHA
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
No encryption isakmp nat-traversal
Telnet timeout 5
SSH x.x.x.x 255.255.255.255 outside
SSH Mail_Inside_AGH 255.255.255.255 inside
SSH timeout 5
Console timeout 0
management of 192.168.1.2 - dhcpd address 192.168.1.254
enable dhcpd management
!
a basic threat threat detection
statistical threat detection port
Statistical threat detection Protocol
Statistics-list of access threat detection
a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200
prefer NTP server SVR - DC1 source inside
internal VPN group policy
attributes of VPN group policy
value 192.168.x.x 192.168.x.x WINS server
Server DNS value 192.168.x.x 192.168.x.x
enable IPSec-udp
value by default domain-ACE
username, password pmmPwcDD/inpnNfB VPN encrypted privilege 0
attributes of VPN username
Strategy-Group-VPN VPN
VPN Tunnel-group type remote access
General-attributes of VPN Tunnel-group
address vpnpool pool
Group Policy - by default-VPN
Group-tunnel VPN ipsec-attributes
pre-shared key *.
tunnel-group r.r.r.244 type ipsec-l2l
r.r.r.244 tunnel ipsec-attributes group
pre-shared key *.
by default-group r.r.r.244 tunnel-Group-map
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns migrated_dns_map_1
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the migrated_dns_map_1 dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the netbios
inspect the tftp
inspect the sip
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum:8360816431357f109b3c4b950d545c86
: end
This route is duplicated with the remote network
Route inside 192.168.0.0 255.255.0.0 192.168.3.3 1
I suggest to make this more specific subnet or add something like
Route outside 192.168.72.0 255.255.255.0 outside_default_gateway_ip
Internal, if above not in fact help, put a trace packet to simulate traffic even that fails on the 5510.
http://www.Cisco.com/en/us/docs/security/ASA/asa80/command/reference/p.html#wp1878788
Kind regards
-
Traffic permitted only one-way for VPN-connected computers
Hello
I currently have an ASA 5505. I put up as a remote SSL VPN access. My computers can connect to the VPN very well. They just cannot access the internal network (192.168.250.0). They cannot ping the inside interface of the ASA, nor any of the machines. It seems that all traffic is blocked for them. The strange thing is that when someone is connected to the VPN, I can ping this ASA VPN connection machine and other machines inside the LAN. It seems that the traffic allows only one way. I messed up with ACL with nothing doesn't. Any suggestions please?
Pool DHCP-192.168.250.20 - 50--> for LAN
Pool VPN: 192.168.250.100 and 192.168.250.101
Outside interface to get the modem DHCP
The inside interface: 192.168.1.1
Courses Running Config:
: Saved
:
ASA Version 8.2 (5)
!
hostname HardmanASA
activate the password # encrypted
passwd # encrypted
names of
!
interface Ethernet0/0
switchport access vlan 20
!
interface Ethernet0/1
switchport access vlan 10
!
interface Ethernet0/2
switchport access vlan 10
!
interface Ethernet0/3
Shutdown
!
interface Ethernet0/4
Shutdown
!
interface Ethernet0/5
Shutdown
!
interface Ethernet0/6
Shutdown
!
interface Ethernet0/7
switchport access vlan 10
!
interface Vlan1
No nameif
no level of security
no ip address
!
interface Vlan10
nameif inside
security-level 100
IP 192.168.250.1 255.255.255.0
!
interface Vlan20
nameif outside
security-level 0
IP address dhcp setroute
!
passive FTP mode
DNS lookup field inside
DNS domain-lookup outside
pager lines 24
Within 1500 MTU
Outside 1500 MTU
mask 192.168.250.100 - 192.168.250.101 255.255.255.0 IP local pool VPN_Pool
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
Global interface 10 (external)
NAT (inside) 10 192.168.250.0 255.255.255.0
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
the ssh LOCAL console AAA authentication
Enable http server
http 192.168.250.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Telnet timeout 5
SSH 192.168.250.0 255.255.255.0 inside
SSH timeout 5
SSH version 2
Console timeout 0
dhcpd dns 8.8.8.8
!
dhcpd address 192.168.250.20 - 192.168.250.50 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
allow outside
SVC disk0:/anyconnect-win-2.5.2014-k9.pkg 1 image
SVC disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2 image
Picture disk0:/anyconnect-linux-2.5.2014-k9.pkg 3 SVC
enable SVC
tunnel-group-list activate
attributes of Group Policy DfltGrpPolicy
value of server DNS 8.8.8.8
Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
tunnel-group AnyConnect type remote access
tunnel-group AnyConnect General attributes
address pool VPN_Pool
tunnel-group AnyConnect webvpn-attributes
enable AnyConnect group-alias
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
Review the ip options
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:30fadff4b400e42e73e17167828e046f
: end
Hello
No worries
As we change the config I would do as well as possible.
First, it is strongly recommended to use a different range of IP addresses for VPN clients and the internal network
No VPN_Pool 192.168.250.100 - 192.168.250.101 255.255.255.0 ip local pool mask
mask 192.168.251.100 - 192.168.251.101 255.255.255.0 IP local pool VPN_Pool
NAT_0 ip 192.168.250.0 access list allow 255.255.255.0 192.168.251.0 255.255.255.0
NAT (inside) 0-list of access NAT_0
Then give it a try and it work note this post hehe
-
How to set up a one-way IPSec-L2L tunnel
This may be a silly question, since VPN for communications between the parties of confidence and that most people would try to correct a unidirectional tunnel.
But I'm interested to transform a regular one-way only, tunnel that traffic to my side can initiate the tunnel.
Recently, we built this tunnel between our ASA5510 and ASA5510 of our biz partner to run critical applications on their web servers not connected to the Internet. I want to tie down so that they cannot launch the VPN. I have the crypto ACL set to limit to a port address, so they can only come from this port once the tunnel is established. We also have a personal firewall installed on each host.
Any idea on how to make the one-way tunnel and protect also us better once the tunnel is mounted?
Hello
You can use the following command:
defined card crypto seq - num connection-type name {only answer | only | two-way}
This command defines whether the tunnel is come only or single answer. If you set the tunnel on your side to come alone, the asa will never accept the installation of tunnel from your business partner. However, you can still start the configuration of the vpn tunnel.
Check:
http://www.Cisco.com/en/us/partner/docs/security/ASA/asa80/command/reference/C5.html#wp2152576
Even if the reference is to ASA8.0 I know it works for 7.2.x so
Hope this helps
Kind regards
Pieter-Jan
-
One way or another on my email print size has decreased to the point I can hardly read it.
One way or another on my email print size has decreased to the point I can hardly read it. Can any of you tell me please what keys hold and scroll to get the largest print size. Thank you very much.
original title: Email printing sizeSorry, but being the Webmail of Yahoo leaves me without a clue. Maybe Internet Explorer forum or Yahoo support might be more useful.
Internet Explorer forums
http://answers.Microsoft.com/en-us/IE -
Hello
We have two expressways and we have received a report of a company, call one of our sites had issues with one-way video. The appellant could not see the person they had composed, but they could see the appellant. Audio was OK. They were ordered to place a new call through our other expressway and all audio and video works just fine. So, I'm trying to understand if there is a difference between highways and why this happens. They run every two X8.1.1. The strange thing is that we only received from an enterprise report then having this problem through this "faulty" highway is us or them? Apparently, they do not have problems with one another that they make calls...
Looks like maybe it's time to collect newspapers... but everyone else encountered this? No I well confused everyone :)
Thank you!
In general I really wouldn't expect things to need to a few reboots to register.
Well sure a typical tech & response of the TAC will be "upgrading to the last" which I also recommended,.
but your symptoms still its a bit sketchy.
Its a good start to check if your firewall/network/dns /... are ok as well. A lot of questions
are hidden there. It is difficult to see the full extend of here.
Please get some internal or as a good Cisco partner or network resources.
And Yes, look in the upgrade to CUCM!
But the network / the environment should still be ok for that as well :-)
Please note the messages with the stars below and define the thread if it is a response.
-
Is there one way other than to_char to get the month of the date field
Is there one way other than to_char to get the month of the date field
Hello
raj4tech wrote:
Is there one way other than to_char to get the month of the date field
EXTRACT is one:
SELECT INTERESTED (SYSDATE MONTHS) AS curr_month
DOUBLE;
-
Is it only a one-way sync?
It does not appear the changes I do either Illustrator or Indesign gets returned to the application? It would be really great. Maybe I'm not saving correctly? In any case, looks very promising!
J.
It is one-way. The application of the model is to make a model, a "global," sketching a layout.
The file is sent to InDesign/Illustrator/Photoshop for the realization of the project.
He actually quite brilliantly designed and implemented, especially for a 1.0 release.
-
In the bpel process one-way transaction management
Hello
I created a one-way bpel process with oneWayDeliveryPolicy property - property Sync and transaction - required. When I exposed this service as a SOAP service, I see well The Participation of Transaction in the Web Service adapter in the way of exposed Services configured as EVER. Is this to say that BPELCallee would not participate in the same transaction as the appellant BPEL?
AdityaHello
Properties refer to the support of different transactions "contexts", as you can see in the documents below. The bpel.config.transaction refers to the semantics of Transaction BPEL Process Manager, while the 'Participation of the operation' refers to WS-AT , which provides interoperability of transaction between Oracle WebLogic Server and transaction of other providers services... I've never tested it myself, but I guess that if you process BPEL transactions, the bpel.config.transaction will prevail...
http://docs.Oracle.com/CD/E23943_01/dev.1111/e10224/soa_transactions.htm#CHDEHCFE
http://docs.Oracle.com/CD/E23943_01/dev.1111/e10224/sca_bindingcomps.htm#SOASE86071See you soon,.
Vlad -
Configuration very base one-way Golden Gate
Version of DB: Oracle 11.2.0.3
Golden Gate version: 11.2 (last one dated September 22, 2012)
Platform: Solaris x 86 64-bit
Currently learning Golden Gate by googling and I'll install Golden Gate for the first time.
That's what I'm planning.
I intend to set up a very basic one-way GG, where in SCOTT and HR in source DB schemas is replicated in the target DB.Source DB : fncdev Target DB : sgntgt What needs to be replicated : SCOTT and HR schemas from source has to be replicated to Target ( Unidirectional )
I would like to know 2 things.
1. what should be the content of the parameter file?
2. after have I properly configure GG, what would be the output of command all THE INFO in the source and target database-- Source database GGSCI > info all -- Target database GGSCI > info all
Basic extract and replicat content parameter of the file.
Extract E_TEST1
SETENV (ORACLE_SID = OGGTEST)GGADMIN username password *.
Exttrail/goldengate/gg_trail/trail/test/and-Add below lines only if DDL replication is configured.
-The DOF ARE MAPPED
DDLOPTIONS - ADDTRANDATA, REPORTTABLE HR.*;
TABLE SCOTT.*;
-------------------------------------------------------------------------------------------------REPLICAT R_TEST1
SETENV (ORACLE_SID = OGGTEST)GGADMIN username password *.
ASSUMETARGETDEFSDISCARDFILE oragg/11.1/dirrpt/R_TEST1.dsc, APPEND, 1024 MEGABYTES
MAP HR.*, TARGET HR.*;
MAP SCOTT.*, TARGET SCOTT.*;I hope that these samples help!
Kind regards
RB -
L2L ASA tunnel upward, no traffic (or one way...)
I have two ASA 5505, 8.2 (1), call the HQ and BRANCH. HQ is a L2L towards a third point, and that one works fine.
Now I'm setting up a VPN L2L between HQ and BRANCH. The tunnel rises (passes, phases 1 and 2), but I can't ping from both ends.
HS cry isa his looks like 100% ok
Cree SH ips its shows that HQ has only decaps, while the branch has only the program. If HQ looks like the main suspect for me (even with his other L2L works very well).
Here are the configs, great if someone could help me to identify problems of config...
-----------------------------------------------------------------
HQ:
ASA Version 8.2 (1)
!
hostname HQ
domain blah.com/results.htm
enable password blah
encrypted passwd bla
names of
!
interface Vlan1
nameif inside
security-level 100
IP 172.16.106.1 255.255.255.128
!
interface Vlan2
nameif outside
security-level 0
IP address 191.xx.xx.xx 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system Disk0: / asa821 - k8.bin
DNS server-group DefaultDNS
domain blah.com/results.htm
access extensive list ip 172.16.106.0 inside_outbound_nat0_acl allow 255.255.255.128 all
access extensive list ip 172.16.106.0 outside_cryptomap_20 allow 255.255.255.0 any
access extensive list ip 172.16.106.0 inside_nat0_outbound allow 255.255.255.0 any
access extensive list ip 172.16.106.0 inside_nat0_outbound allow 255.255.255.128 172.16.106.160 255.255.255.224
access extensive list ip 172.16.106.0 outside_1_cryptomap allow 255.255.255.0 any
access extensive list ip 172.16.106.0 outside_1_cryptomap_1 allow 255.255.255.0 any
IP 172.16.106.0 allow to Access-list HQ-BRANCH extended 255.255.255.128 172.16.106.160 255.255.255.248
!
Global 1 interface (outside)
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 1 0.0.0.0 0.0.0.0
Route outside 0.0.0.0 0.0.0.0 191.xx.xx.xx 1
!
Sysopt noproxyarp inside
!
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto ipsec security association replay disable
card crypto outside_map 1 match address outside_1_cryptomap_1
card crypto outside_map 1 set 191.xx.xx.xx counterpart
map outside_map 1 set of transformation-ESP-3DES-MD5 crypto
address for correspondence card crypto outside_map 10 HQ-GENERAL management
card crypto outside_map 10 peers set 82.xx.xx.xx
outside_map card crypto 10 the transform-set ESP-3DES-MD5 value
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
crypto ISAKMP policy 30
preshared authentication
3des encryption
sha hash
Group 2
life 86400
No encryption isakmp nat-traversal
!
WebVPN
tunnel-group 191.xx.xx.xx type ipsec-l2l
191.XX.XX.XX group of tunnel ipsec-attributes
pre-shared-key *.
tunnel-group 82.xx.xx.xx type ipsec-l2l
82.XX.XX.XX group of tunnel ipsec-attributes
pre-shared-key *.
by default-group 191.xx.xx.xx tunnel-Group-map
!
class-map inspection_default
match default-inspection-traffic
!
!
global service-policy global_policy
context of prompt hostname
: end
-----------------------------------------------------------------
GENERAL management:
ASA Version 8.2 (1)
!
hostname BRANCH
activate djfldksjafl encrypted password
djfldksjafl encrypted passwd
names of
!
interface Vlan1
No nameif
no level of security
no ip address
!
interface Vlan2
nameif outside
security-level 0
IP address dhcp setroute
!
interface Vlan3
nameif inside
security-level 100
IP 172.16.106.161 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 3
!
interface Ethernet0/2
Shutdown
!
interface Ethernet0/3
Shutdown
!
interface Ethernet0/4
switchport access vlan 3
!
interface Ethernet0/5
Shutdown
!
interface Ethernet0/6
Shutdown
!
interface Ethernet0/7
Shutdown
!
boot system Disk0: / asa821 - k8.bin
the obj_any object-group network
IP 172.16.106.160 allow to Access-list BRANCH-HQ extended 255.255.255.248 172.16.106.0 255.255.255.128
IP 172.16.106.160 allow Access - list extended SHEEP 255.255.255.248 172.16.106.0 255.255.255.128
Enable logging
ICMP unreachable rate-limit 1 burst-size 1
!
NAT-control
Global 1 interface (outside)
NAT (inside) 0 access-list SHEEP
NAT (inside) 1 0.0.0.0 0.0.0.0
Route outside 0.0.0.0 0.0.0.0 82.xx.xx.xx
!
Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
address for correspondence card crypto 10 BRANCH-HQ outside_map
card crypto outside_map 10 peers set 191.xx.xx.xx
card crypto outside_map 10 transform-set RIGHT
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
dhcpd dns xx.xx.xx.xx
dhcpd outside auto_config
!
dhcpd address 172.16.106.162 - 172.16.106.166 inside
dhcpd allow inside
!
WebVPN
tunnel-group 191.xx.xx.xx type ipsec-l2l
191.XX.XX.XX group of tunnel ipsec-attributes
pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
!
global service-policy global_policy
context of prompt hostname
: end
-----------------------------------------------------------------
Best,
Johnny
Hello Johnny,.
Great to hear that, there, you have some points for you
Please check the question as answered so future users can draw from what you did
-
VPN site to Site from one-way data (need help)
Hello
Scenario:
VPN site to Site with Cisco 837 routers:
Place: Clients and printers
Site B: server queues and Print
Site A can communicate via VPN using RDP to site B, very well.
Question:
Site B cannot send print jobs to printers on the Site A. also unable to telnet and other access devices on the Site A of the Site (B) Pings work correctly but to all devices.
Debugging on site an access-list 110 showed no response traffic to the Site B via the VPN?
I tried change ip tcp adjust 1452 but not good...
Attached configs.
An IOS - c837-k9o3y6 - mz.123 - 4.T3.bin site
SITE B IOS - c837-k9o3sy6 - mz.123 - 2.XC2.bin
Any help would be appreciated.
Thank you very much...
Thank you for including the configs and IOS versions. Looks like you hit a bug known to FW IOS (http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCec78231&Submit=Search), you can perform debugging as described in details to see for sure. It is difficult to understand what router would be the culprit in a scenario when both run on a tunnel L2L CBAC, but probably RouterA is dropping packets. This would also explain why pings work but TCP connections are not.
I would upgrade TWO routers to be the same version anyway, you encounter far fewer problems in this way, but make sure that you upgrade to one fixed-In version (or later version), has to work around the problem.
Maybe you are looking for
-
HP Pavillion DV7: HP Pavillion DV7 Bios paswword lost
HelloToday, I turned on my computer and it asks me to enter a password to access the bios.I noticed you were able to help me if I gave you a code.My code is: 59050448.Thanks in advance!
-
Realtek RTL8188EE 802.11 b/g/n (code 10)
HI everyone, after HP support assistant had updated me the LAN driver (s), my 15-g029 wm hp laptop using Windows 8.1 gives me an error message that the device cannot start (code 10) in Device Manager. It worked without any problems before. Thanks for
-
Windows XP does not correctly initialize after virus removal
I am running Windows XP Home SP3 with FF 5.0. I had a virus (Backdoor.RBot) the Avast program not found. Nor have programmed the MRT of Microsoft, or the online scanner. Used Malwarebytes and the virus has been removed. Installed Microsoft Security
-
Original title: I JUST DELETED 255 CONTACT AND I AM BACK to, at LEAST, THEN 10 MINUTES AND there is 167 NEW CONTACTS IN MY CONTACT LIST. WHAT can I DO about IT... I GET CONTACTS FROM MY CONTACT LIST THAT I KNOW EVEN OR HAS GIVEN PERMISSION TO BE THE
-
Windows 8 update does not restore backed up files
Yesterday I when I joined PC it was just a white screen. I opted to update my windows 8 and had to back up my profile and files on an external hard drive (which took 2-3 hours) a then update the operating system. In the end, he informed me that he wa