PIX 501 establish IPSEC connection, but no data transmission

Similar Questions

• PIX: Cisco VPN Client connects but no routing

  Hello

  We have a Cisco PIX 515 with software 7.1 (2). He accepts Cisco VPN Client connections with no problems, but no routing does to internal networks directly connected to the PIX. For example, my PC is affected by the IP 172.16.2.57 and then ping does not respond to internal Windows server 172.16.0.12 or trying to RDP. The most irritating thing is that these attempts are recorded in the system log, but always ended with "SYN timeout", as follows:

  2009-01-06 23:23:01 Local4.Info 217.15.42.214% 302013-6-PIX: built 3315917 for incoming TCP connections (172.16.2.57/1283) outside:172.16.2.57/1283 inside: ALAI2 / 3389 (ALAI2/3389)

  2009-01-06 23:23:31 Local4.Info 217.15.42.214% 302014-6-PIX: TCP connection disassembly 3315917 for outside:172.16.2.57/1283 inside: ALAI2 / 3389 duration 0:00:30 bytes 0 SYN Timeout

  2009-01-06 23:23:31 Local4.Debug 217.15.42.214% 7-PIX-609002: duration of disassembly-outside local host: 172.16.2.57 0:00:30

  We tried to activate and deactivate "nat-control", "permit same-security-traffic inter-interface" and "permit same-security-traffic intra-interface", but the results are the same: the VPN connection is successfully established, but remote clients cannot reach the internal servers.

  I enclose the training concerned in order to understand the problem:

  interface Ethernet0

  Speed 100

  full duplex

  nameif outside

  security-level 0

  IP address xx.yy.zz.tt 255.255.255.240

  !

  interface Ethernet1

  nameif inside

  security-level 100

  172.16.0.1 IP address 255.255.255.0

  !

  access extensive list ip 172.16.0.0 inside_nat0_outbound allow 255.255.255.0 172.16.2.56 255.255.255.248

  !

  access extensive list ip 172.16.0.0 outside_cryptomap_dyn_20 allow 255.255.255.0 172.16.2.56 255.255.255.248

  !

  VPN_client_group_splitTunnelAcl list standard access allowed 172.16.0.0 255.255.255.0

  !

  IP local pool pool_vpn_clientes 172.16.2.57 - 172.16.2.62 mask 255.255.255.248

  !

  NAT-control

  Global xx.yy.zz.tt 12 (outside)

  NAT (inside) 0-list of access inside_nat0_outbound

  NAT (inside) 12 172.16.0.12 255.255.255.255

  !

  internal VPN_clientes group strategy

  attributes of Group Policy VPN_clientes

  xxyyzz.NET value by default-field

  internal VPN_client_group group strategy

  attributes of Group Policy VPN_client_group

  Split-tunnel-policy tunnelspecified

  value of Split-tunnel-network-list VPN_client_group_splitTunnelAcl

  xxyyzz.local value by default-field

  !

  I join all the details of the cryptographic algorithms because the VPN is successfully completed, as I said at the beginning. In addition, routing tables are irrelevant in my opinion, because the inaccessible hosts are directly connected to the internal LAN of the PIX 515.

  Thank you very much.

  can you confirm asa have NAT traversal allow otherwise, activate it in asa and vpn clients try again.

  PIX / ASA 7.1 and earlier versions

  PIX (config) #isakmp nat-traversal 20

  PIX / ASA 7.2 (1) and later versions

  PIX (config) #crypto isakmp nat-traversal 20

• Essbase Studio Error (1021001): could not establish a connection with SQL data

  Hello.
  
  I try to deploy a cube Essbase Studio but I get the error: "* Error (1021001): could not establish connection to the SQL database server."
  
  My environment is Linux 5, Oracle 11 g and EMP 11.1.1.2. Database Oracle and Essbase has been installed with different users. The .bash_profile to hypadmin user (i.e. install Essbase) I put the following variables
  
  ORACLE_BASE=/U01/app/OracleDB/product/11.1.0
  ORACLE_HOME = $ORACLE_BASE/db_1
  LD_LIBRARY_PATH = / usr/X11R6/lib: $ORACLE_HOME/lib: $LD_LIBRARY_PATH
  ORACLE_HOSTNAME = DevBi.sigfe2
  PATH = $ORACLE_HOME/bin: $ORACLE_HOME/jdk/bin: $ORACLE_HOME/bin: / sbin: $ORACLE_HOME/opmn/bin: $PATH
  ORACLE_SID = orcl
  JAVA_HOME=/U01/app/InstallFiles/JDK1.5.0_19
  
  
  In my pc (windows xp), I can open the Essbase Studio console, the connection to the Oracle server, get the tables and create a minischema of measures and hierarchies (I can see the preview of hierarchies). I also can create cubes with EAS and can connect with MAXSHELL to essbase.
  
  When I try to deploy the cube of Essbaes Studio there get the error ' Error (1021001): failed to establish connection to SQL Database Server.
  
  The Essbase Studio log file says:
  
  + 12: 40:16 24/07/09 (admin-1) NEWS beginning hierarchical creation in the database "5.4.0.41:1423.POC_ESS. POC_ESS1 '... +»
  + 12: 40:16 24/07/09 (admin-1) FINA signed on Essbase by CSS token "5.4.0.41:1423" successfully... +.
  + 12: 40:16 24/07/09 (admin-1) building INFO Start dimension 'DM_CIUDADES'... +.
  + 12: 40:16 24/07/09 (admin-1) MAS FINA start creating rule file... +.
  + 12: 40:16 24/07/09 (admin-1) INFO SQL statement was created and implemented rule /home/hypadmin/hyperion/products/Essbase/EssbaseStudio/Server/./ess_japihome/data/DM_CIU.rul"+ file «»
  + 12: 40:16 24/07/09 INFO (admin-1) the query is "SELECT (CONCAT ("reg_", CAST (cp_105." ((ID_REGIONPADRE' AS VARCHAR2 (1000))) as 'REGION_PADRE', (CONCAT ("reg_", CAST (cp_105. (("' Be ' AS VARCHAR2 (1000))) as 'REGION_HIJO', cp_105. "' DE_REGION ' as 'REGION_HIJO. Defaults to"GO"POC ". "" Cp_105 ORDER BY DM_REGIONES_ESS3 cp_105. "" CSA DE_NIVEL ', cp_105. "" CSA ID_REGIONPADRE ', cp_105. "' BE ' ASC ' + '.
  + 12: INFO file 40:16 24/07/09 (admin-1) rule has been created and saved as "/home/hypadmin/hyperion/products/Essbase/EssbaseStudio/Server/./ess_japihome/data/DM_CIU.rul"+ ".
  + 12: 40:16 24/07/09 (admin-1) FINA Essbase starts to add members to DM_CIUDADES dimensioin based on the rules file. +
  + 12: 40:16 24/07/09 (admin-1) ADVERTENCIA (1021001): error al set conexion con el servidor SQL databases. Check out el registro for more information. +
  + 12: 40:16 24/07/09 (admin-1) ADVERTENCIA essbaseDriver.FailedToBuildDimensionException +.
  + 12: unexpected exception SERIOUS cubes from 24/07/09 (admin-1) 40:16 + EssbaseExport to be deployed
  -Exception-
  com.hyperion.cp.datasources.export.essbase.EssbaseDriverException: could not deploy Essbase cube
  ....
  
  
  Thank you for everyone who has an idea to help me solve this problem.
  
  A.S.

  Hello

  If you type database SID lowercase, try entering ITO uppercase. Strange, but my colleagues and I encounter this behavior several times.

• established - VPN connection, but cannot connect to the server?

  vpn connection AnyConnect is implemented - but cannot connect to the server? The server IP is 192.168.0.4

  Thank you

  ASA Version 8.2 (1)

  !

  hostname ciscoasa5505

  names of

  !

  interface Vlan1

  nameif inside

  security-level 100

  IP 192.168.0.3 255.255.255.0

  !

  interface Vlan2

  nameif outside

  security-level 0

  IP 208.0.0.162 255.255.255.248

  !

  interface Vlan5

  Shutdown

  prior to interface Vlan1

  nameif dmz

  security-level 50

  IP address dhcp setroute

  !

  interface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  !

  interface Ethernet0/3

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  !

  passive FTP mode

  clock timezone PST - 8

  clock summer-time recurring PDT

  DNS lookup field inside

  DNS server-group DefaultDNS

  192.168.0.4 server name

  Server name 208.0.0.11

  permit same-security-traffic intra-interface

  object-group Protocol TCPUDP

  object-protocol udp

  object-tcp protocol

  object-group service TS-780-tcp - udp

  port-object eq 780

  object-group service Graphon tcp - udp

  port-object eq 491

  Allworx-2088 udp service object-group

  port-object eq 2088

  object-group service allworx-15000 udp

  15000 15511 object-port Beach

  object-group service udp allworx-2088

  port-object eq 2088

  object-group service allworx-5060 udp

  port-object eq sip

  object-group service allworx-8081 tcp

  EQ port 8081 object

  object-group service web-allworx tcp

  EQ object of port 8080

  allworx udp service object-group

  16001 16010 object-port Beach

  object-group service allworx-udp

  object-port range 16384-16393

  object-group service remote tcp - udp

  port-object eq 779

  object-group service billing1 tcp - udp

  EQ object of port 8080

  object-group service billing-1521 tcp - udp

  port-object eq 1521

  object-group service billing-6233 tcp - udp

  6233 6234 object-port Beach

  object-group service billing2-3389 tcp - udp

  EQ port 3389 object

  object-group service olivia-3389 tcp - udp

  EQ port 3389 object

  object-group service olivia-777-tcp - udp

  port-object eq 777

  netgroup group of objects

  network-object host 192.168.0.15

  network-object host 192.168.0.4

  object-group service allworx1 tcp - udp

  8080 description

  EQ object of port 8080

  allworx_15000 udp service object-group

  15000 15511 object-port Beach

  allworx_16384 udp service object-group

  object-port range 16384-16393

  DM_INLINE_UDP_1 udp service object-group

  purpose of group allworx_16384

  object-port range 16384 16403

  object-group service allworx-5061 udp

  range of object-port 5061 5062

  object-group service ananit tcp - udp

  port-object eq 880

  outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.164 object-group billing-6233

  outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.164 object-group billing-1521

  outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.164 object-group billing2-3389

  outside_access_in list extended access permit tcp any host 208.0.0.164 eq https

  outside_access_in list extended access permit tcp any host 208.0.0.164 eq www

  outside_access_in list extended access permit tcp any host 208.0.0.164 eq ftp

  outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.164 object-group billing1

  outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.162 EQ field

  outside_access_in list extended access permit tcp any host 208.0.0.162 eq www

  outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.162 remote object-group

  outside_access_in list extended access permit tcp any host 208.0.0.162 eq smtp

  outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.162 object-group olivia-777

  outside_access_in list extended access permit udp any host 208.0.0.162 - group Allworx-2088 idle object

  outside_access_in list extended access permit udp any host 208.0.0.162 object-group inactive allworx-5060

  outside_access_in list extended access permit tcp any host 208.0.0.162 object-group web-allworx inactive

  outside_access_in list extended access permit tcp any host 208.0.0.162 object-group inactive allworx-8081

  outside_access_in list extended access permit udp any host 208.0.0.162 object-group inactive allworx-15000

  outside_access_in list extended access permit udp any host 208.0.0.162 DM_INLINE_UDP_1 idle object-group

  outside_access_in list extended access permit udp any host 208.0.0.162 object-group inactive allworx-5061

  outside_access_in list extended access allowed object-group TCPUDP any host 208.0.0.162 inactive ananit object-group

  outside_access_in list extended access deny ip host 151.1.68.194 208.0.0.164

  permit access ip 192.168.0.0 scope list inside_nat0_outbound 255.255.255.0 172.16.0.0 255.255.0.0

  permit access ip 192.168.0.0 scope list inside_nat0_outbound 255.255.255.0 192.168.1.0 255.255.255.0

  permit access ip 192.168.0.0 scope list outside_20_cryptomap 255.255.255.0 172.16.0.0 255.255.0.0

  Ping list extended access permit icmp any any echo response

  inside_access_in of access allowed any ip an extended list

  permit access ip 192.168.0.0 scope list outside_cryptomap 255.255.255.0 192.168.1.0 255.255.255.0

  access-list 1 standard allow 192.168.0.0 255.255.255.0

  pager lines 24

  Enable logging

  logging buffered stored notifications

  asdm of logging of information

  Within 1500 MTU

  Outside 1500 MTU

  MTU 1500 dmz

  IP local pool 192.168.100.30 - 192.168.100.60 mask 255.255.255.0 remote_pool

  192.168.0.20 mask - distance local pool 255.255.255.0 IP 192.168.0.50

  ICMP unreachable rate-limit 1 burst-size 1

  don't allow no asdm history

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) 0-list of access inside_nat0_outbound

  NAT (inside) 1 0.0.0.0 0.0.0.0

  NAT (outside) 1 192.168.0.0 255.255.255.0

  alias (inside) 192.168.0.4 99.63.129.65 255.255.255.255

  public static tcp (indoor, outdoor) interface 192.168.0.4 smtp smtp netmask 255.255.255.255

  public static tcp (indoor, outdoor) interface field 192.168.0.4 netmask 255.255.255.255 area

  public static tcp (indoor, outdoor) interface 192.168.0.4 www www netmask 255.255.255.255

  public static tcp (indoor, outdoor) interface 777 192.168.0.15 777 netmask 255.255.255.255

  public static tcp (indoor, outdoor) interface 779 192.168.0.4 779 netmask 255.255.255.255

  public static (inside, outside) udp interface field 192.168.0.4 netmask 255.255.255.255 area

  public static tcp (indoor, outdoor) interface 880 192.168.0.16 880 netmask 255.255.255.255

  static (inside, outside) 208.0.0.164 tcp 3389 192.168.0.185 3389 netmask 255.255.255.255

  inside_access_in access to the interface inside group

  Access-group outside_access_in in interface outside

  Route outside 0.0.0.0 0.0.0.0 208.0.0.161 1

  Route inside 192.168.50.0 255.255.255.0 192.168.0.1 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  dynamic-access-policy-registration DfltAccessPolicy

  Enable http server

  http 192.168.0.0 255.255.255.0 inside

  http 192.168.0.3 255.255.255.255 inside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Sysopt noproxyarp inside

  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  card crypto outside_map 1 match address outside_cryptomap

  card crypto outside_map 1 set pfs

  peer set card crypto outside_map 1 108.0.0.97

  card crypto outside_map 1 set of transformation-ESP-3DES-SHA

  card crypto outside_map 20 match address outside_20_cryptomap

  card crypto outside_map 20 set pfs

  peer set card crypto outside_map 20 69.0.0.54

  outside_map crypto 20 card value transform-set ESP-3DES-SHA

  outside_map interface card crypto outside

  crypto ISAKMP allow outside

  crypto ISAKMP policy 5

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life no

  crypto ISAKMP policy 30

  preshared authentication

  3des encryption

  sha hash

  Group 1

  life no

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  identifying client DHCP-client interface dmz

  dhcpd outside auto_config

  !

  dhcpd address 192.168.0.20 - 192.168.0.50 inside

  dhcpd dns 192.168.0.4 208.0.0.11 interface inside

  dhcpd allow inside

  !

  a basic threat threat detection

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  WebVPN

  allow outside

  SVC disk0:/anyconnect-win-2.5.2014-k9.pkg 1 image

  enable SVC

  tunnel-group-list activate

  attributes of Group Policy DfltGrpPolicy

  internal group anyconnect strategy

  attributes of the strategy group anyconnect

  VPN-tunnel-Protocol svc webvpn

  WebVPN

  list of URLS no

  SVC request enable

  encrypted olivia Zta1M8bCsJst9NAs password username

  username of graciela CdnZ0hm9o72q6Ddj encrypted password

  tunnel-group 69.0.0.54 type ipsec-l2l

  IPSec-attributes tunnel-group 69.0.0.54

  pre-shared-key *.

  tunnel-group 108.0.0.97 type ipsec-l2l

  IPSec-attributes tunnel-group 108.0.0.97

  pre-shared-key *.

  tunnel-group anyconnect type remote access

  tunnel-group anyconnect General attributes

  remote address pool

  strategy-group-by default anyconnect

  tunnel-group anyconnect webvpn-attributes

  Group-alias anyconnect enable

  !

  Global class-card class

  match default-inspection-traffic

  !

  !

  World-Policy policy-map

  Global category

  inspect the icmp

  !

  service-policy-international policy global

  : end

  ASDM location 208.0.0.164 255.255.255.255 inside

  ASDM location 192.168.0.15 255.255.255.255 inside

  ASDM location 192.168.50.0 255.255.255.0 inside

  ASDM location 192.168.1.0 255.255.255.0 inside

  don't allow no asdm history

  Right now your nat 0 (NAT exemption) follows the access list:

  permit access ip 192.168.0.0 scope list inside_nat0_outbound 255.255.255.0 172.16.0.0 255.255.0.0

  permit access ip 192.168.0.0 scope list inside_nat0_outbound 255.255.255.0 192.168.1.0 255.255.255.0

  Traffic back from your server to 192.168.0.4 in the pool of VPN (192.168.0.20 - 50) not correspond to this access list and thus be NATted. The TCP connection will not develop due to the failure of the Reverse Path Forwarding (RPF) - traffic is asymmetric NATted.

  Then try to add an entry to the list of access as:

  permit access ip 192.168.0.0 scope list inside_nat0_outbound 255.255.255.0 192.168.0.0 255.255.255.0

  It's a bit paradoxical but necessary that your VPN pool is cut out in your interior space network. You could also do like André offers below and use a separate network, but you would still have to add an access list entry to exempt outgoing NAT traffic.

• WebWorks connected BBM application - data transmission

  Hello

  Where can I find a sample application that communicates with the instance on the other device using the bbm Protocol? Like the Tic-Tac-Toe for two users, bbm etc.

  It is available at all?

  Are there differences in the Protocol between OS and BB10?

  Kind regards

  Unfortunately, these APIs is not supported on BlackBerry 10.  Sorry I can't be more helpful.

• IPSec VPN pix 501 no LAN access

  I'm trying to set up an IPSec VPN in a basic small business scenario. I am able to connect to my pix 501 via IPSec VPN and browse the internet, but I am unable to ping or you connect to all devices in the Remote LAN. Here is my config:

  : Saved

  :

  6.3 (3) version PIX

  interface ethernet0 car

  interface ethernet1 100full

  nameif ethernet0 WAN security0

  nameif ethernet1 LAN security99

  enable encrypted password xxxxxxxxxxxxx

  xxxxxxxxxxxxxxxxx encrypted passwd

  host name snowball

  domain xxxxxxxxxxxx.local

  clock timezone PST - 8

  fixup protocol dns-length maximum 512

  fixup protocol ftp 21

  fixup protocol h323 h225 1720

  fixup protocol h323 ras 1718-1719

  fixup protocol http 80

  fixup protocol pptp 1723

  fixup protocol rsh 514

  fixup protocol rtsp 554

  fixup protocol sip 5060

  fixup protocol sip udp 5060

  fixup protocol 2000 skinny

  No fixup not protocol smtp 25

  fixup protocol sqlnet 1521

  fixup protocol tftp 69

  names of

  acl_in list of access permit udp any any eq field

  acl_in list of access permit udp any eq field all

  acl_in list access permit tcp any any eq field

  acl_in tcp allowed access list any domain eq everything

  acl_in list access permit icmp any any echo response

  access-list acl_in allow icmp all once exceed

  acl_in list all permitted access all unreachable icmp

  acl_in list access permit tcp any any eq ssh

  acl_in list access permit tcp any any eq www

  acl_in tcp allowed access list everything all https eq

  acl_in list access permit tcp any host 192.168.5.30 eq 81

  acl_in list access permit tcp any host 192.168.5.30 eq 8081

  acl_in list access permit tcp any host 192.168.5.22 eq 8081

  acl_in list access permit icmp any any echo

  access-list acl_in permit tcp host 76.248.x.x a

  access-list acl_in permit tcp host 76.248.x.x a

  allow udp host 76.248.x.x one Access-list acl_in

  access-list acl_out permit icmp any one

  ip access list acl_out permit a whole

  acl_out list access permit icmp any any echo response

  acl_out list access permit icmp any any source-quench

  allowed any access list acl_out all unreachable icmp

  access-list acl_out permit icmp any once exceed

  acl_out list access permit icmp any any echo

  Allow Access-list no. - nat icmp a whole

  access-list no. - nat ip 192.168.5.0 allow 255.255.255.0 172.16.0.0 255.255.0.0

  access-list no. - nat ip 172.16.0.0 allow 255.255.0.0 any

  access-list no. - nat permit icmp any any echo response

  access-list no. - nat permit icmp any any source-quench

  access-list no. - nat icmp permitted all all inaccessible

  access-list no. - nat allow icmp all once exceed

  access-list no. - nat permit icmp any any echo

  pager lines 24

  MTU 1500 WAN

  MTU 1500 LAN

  IP address WAN 65.74.x.x 255.255.255.240

  address 192.168.5.1 LAN IP 255.255.255.0

  alarm action IP verification of information

  alarm action attack IP audit

  IP local pool pptppool 172.16.0.2 - 172.16.0.13

  PDM logging 100 information

  history of PDM activate

  ARP timeout 14400

  Global (WAN) 1 interface

  NAT (LAN) - access list 0 no - nat

  NAT (LAN) 1 0.0.0.0 0.0.0.0 0 0

  static (LAN, WAN) 65.x.x.37 192.168.5.10 netmask 255.255.255.255 0 0

  static (LAN, WAN) 65.x.x.36 192.168.5.20 netmask 255.255.255.255 0 0

  static (LAN, WAN) 65.x.x.38 192.168.5.30 netmask 255.255.255.255 0 0

  static (LAN, WAN) 65.x.x.39 192.168.5.40 netmask 255.255.255.255 0 0

  static (LAN, WAN) 65.x.x.42 192.168.5.22 netmask 255.255.255.255 0 0

  static (LAN, WAN) 65.x.x.43 192.168.5.45 netmask 255.255.255.255 0 0

  static (LAN, WAN) 65.x.x.44 192.168.5.41 netmask 255.255.255.255 0 0

  static (LAN, WAN) 65.x.x.45 192.168.5.42 netmask 255.255.255.255 0 0

  static (LAN, WAN) 65.x.x.46 192.168.5.44 netmask 255.255.255.255 0 0

  static (LAN, WAN) 65.x.x.41 192.168.5.21 netmask 255.255.255.255 0 0

  acl_in access to the WAN interface group

  access to the LAN interface group acl_out

  Route WAN 0.0.0.0 0.0.0.0 65.x.x.34 1

  Timeout xlate 0:05:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

  H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

  Timeout, uauth 0:05:00 absolute

  GANYMEDE + Protocol Ganymede + AAA-server

  RADIUS Protocol RADIUS AAA server

  AAA-server local LOCAL Protocol

  NTP server 72.14.188.195 source WAN

  survey of 76.248.x.x WAN host SNMP Server

  location of Server SNMP Sacramento

  SNMP Server contact [email protected] / * /

  SNMP-Server Community xxxxxxxxxxxxx

  SNMP-Server enable traps

  enable floodguard

  the string 1 WAN fragment

  Permitted connection ipsec sysopt

  Sysopt connection permit-pptp

  Crypto ipsec transform-set esp - esp-md5-hmac RIGHT

  Crypto-map dynamic dynmap 10 transform-set RIGHT

  map mymap 10-isakmp ipsec crypto dynamic dynmap

  client configuration address map mymap crypto initiate

  client configuration address map mymap crypto answer

  card crypto mymap WAN interface

  ISAKMP enable WAN

  ISAKMP nat-traversal 20

  part of pre authentication ISAKMP policy 10

  encryption of ISAKMP policy 10

  ISAKMP policy 10 md5 hash

  10 2 ISAKMP policy group

  ISAKMP life duration strategy 10 86400

  vpngroup myvpn address pptppool pool

  vpngroup myvpn Server dns 192.168.5.44

  vpngroup myvpn by default-field xxxxxxxxx.local

  vpngroup split myvpn No. - nat tunnel

  vpngroup idle 1800 myvpn-time

  vpngroup myvpn password *.

  Telnet 192.168.5.0 255.255.255.0 LAN

  Telnet timeout 5

  SSH 192.168.5.0 255.255.255.0 LAN

  SSH timeout 30

  Console timeout 0

  VPDN group pptpusers accept dialin pptp

  VPDN group ppp authentication pap pptpusers

  VPDN group ppp authentication chap pptpusers

  VPDN group ppp mschap authentication pptpusers

  VPDN group ppp encryption mppe 128 pptpusers

  VPDN group pptpusers client configuration address local pptppool

  VPDN group pptpusers customer 192.168.5.44 dns configuration

  VPDN group pptpusers pptp echo 60

  VPDN group customer pptpusers of local authentication

  VPDN username password xxx *.

  VPDN username password xxx *.

  VPDN enable WAN

  dhcpd address 192.168.5.200 - 192.168.5.220 LAN

  dhcpd 192.168.5.44 dns 8.8.8.8

  dhcpd lease 3600

  dhcpd ping_timeout 750

  dhcpd enable LAN

  username privilege 0 encrypted password xxxxxxxxxx xxxxxxxxxxx

  username privilege 0 encrypted password xxxxxxxxxx xxxxxxxxxxx

  Terminal width 80

  Cryptochecksum:xxxxxxxxxxxxxxxxxx

  : end

  I'm sure it has something to do with NAT or an access list, but I can't understand it at all. I know it's a basic question, but I would really appreaciate help!
  Thank you very much
  Trevor

  "No. - nat' ACL doesn't seem correct, please make sure you want to remove the following text:

  do not allow any No. - nat icmp access list a whole

  No No. - nat ip 172.16.0.0 access list allow 255.255.0.0 any

  No No. - nat access list permit icmp any any echo response

  No No. - nat access list permit icmp any any source-quench

  No No. - nat access list permit all all unreachable icmp

  No No. - nat access list do not allow icmp all once exceed

  No No. - nat access list only allowed icmp no echo

  You must have 1 line as follows:

  access-list no. - nat ip 192.168.5.0 allow 255.255.255.0 172.16.0.0 255.255.0.0

  Please 'clear xlate' after the changes described above.

  In addition, if you have a personal firewall enabled on the host you are trying to connect from the Client VPN, please turn it off and try again. Personal firewall of Windows normally blocks the traffic of different subnets.

  Hope that helps.

• PPTP VPN pix 501 question

  I'm relatively new to the security stuff.  I'm a guy of the voice.  I created a Pix 501 for IPSEC VPN and works very well.  Then I tried it setting up PPTP VPN.  I use Windows XP to connect.  It connects fine, but I can't ping to the inside interface on the PIX.  I can do this by using IPSEC.  Any ideas?   Here is my config:

  :

  6.3 (3) version PIX

  interface ethernet0 car

  interface ethernet1 100full

  ethernet0 nameif outside security0

  nameif ethernet1 inside the security100

  activate the password * encrypted

  passwd * encrypted

  host name *.

  domain name *.

  fixup protocol dns-length maximum 512

  fixup protocol ftp 21

  fixup protocol h323 h225 1720

  fixup protocol h323 ras 1718-1719

  fixup protocol http 80

  fixup protocol pptp 1723

  fixup protocol rsh 514

  fixup protocol rtsp 554

  fixup protocol sip 5060

  fixup protocol sip udp 5060

  fixup protocol 2000 skinny

  fixup protocol smtp 25

  fixup protocol sqlnet 1521

  fixup protocol tftp 69

  names of

  access-list 101 permit icmp any any echo response

  access-list 80 allow ip 10.0.0.0 255.255.255.0 192.168.5.0 255.255.255.0

  access-list ip 10.0.0.0 sheep allow 255.255.255.0 192.168.5.0 255.255.255.0

  access-list ip 10.0.0.0 sheep allow 255.255.255.0 192.168.6.0 255.255.255.0

  pager lines 24

  opening of session

  emergency logging console

  Outside 1500 MTU

  Within 1500 MTU

  IP address outside of *. *. *. * 255.255.255.0

  IP address inside 10.0.0.1 255.255.255.0

  alarm action IP verification of information

  alarm action attack IP audit

  IP local pool pool1 192.168.5.100 - 192.168.5.200

  IP local pool pool2 192.168.6.100 - 192.168.6.200

  history of PDM activate

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) 0 access-list sheep

  NAT (inside) 1 10.0.0.0 255.0.0.0 0 0

  Access-group 101 in external interface

  Route outside 0.0.0.0 0.0.0.0 *. *. *. * 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

  H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

  Timeout, uauth 0:05:00 absolute

  GANYMEDE + Protocol Ganymede + AAA-server

  RADIUS Protocol RADIUS AAA server

  AAA-server local LOCAL Protocol

  the ssh LOCAL console AAA authentication

  No snmp server location

  No snmp Server contact

  SNMP-Server Community public

  No trap to activate snmp Server

  enable floodguard

  Permitted connection ipsec sysopt

  Sysopt connection permit-pptp

  Sysopt connection permit-l2tp

  Crypto ipsec transform-set high - esp-3des esp-sha-hmac

  Crypto ipsec transform-set esp - esp-md5-hmac RIGHT

  Crypto dynamic-map cisco 4 strong transform-set - a

  Crypto-map dynamic dynmap 10 transform-set RIGHT

  Cisco dynamic of the partners-card 20 crypto ipsec isakmp

  partner-map interface card crypto outside

  card crypto 10 PPTP ipsec-isakmp dynamic dynmap

  ISAKMP allows outside

  ISAKMP key * address 0.0.0.0 netmask 0.0.0.0

  ISAKMP nat-traversal 20

  part of pre authentication ISAKMP policy 8

  ISAKMP strategy 8 3des encryption

  ISAKMP strategy 8 md5 hash

  8 2 ISAKMP policy group

  ISAKMP life duration strategy 8 the 86400

  vpngroup address pool1 pool test

  vpngroup default-field lab118 test

  vpngroup split tunnel 80 test

  vpngroup test 1800 idle time

  Telnet timeout 5

  SSH 10.0.0.0 255.0.0.0 inside

  SSH 192.168.5.0 255.255.255.0 inside

  SSH 192.168.6.0 255.255.255.0 inside

  SSH timeout 5

  management-access inside

  Console timeout 0

  VPDN PPTP-VPDN-group accept dialin pptp

  VPDN group PPTP-VPDN-GROUP ppp authentication chap

  VPDN group PPTP-VPDN-GROUP ppp mschap authentication

  VPDN group PPTP-VPDN-GROUP ppp encryption mppe auto

  VPDN group VPDN GROUP-PPTP client configuration address local pool2

  VPDN group VPDN GROUP-PPTP client configuration dns 8.8.8.8

  VPDN group VPDN GROUP-PPTP pptp echo 60

  VPDN group VPDN GROUP-PPTP client for local authentication

  VPDN username bmeade password *.

  VPDN allow outside

  You will have to connect to an internal system inside and out run the PIX using pptp.

  For ssh access the PIX, you will also need additional configuration, see the section on code PIX pre 7.x, section access ssh to the security apparatus .

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a008069bf1b.shtml#C4

  Concerning

• PIX 501 Logging

  I would like to open a session of hacking and intrusion of the attacks through a PIX 501 with a connection to broadband in a Home Office Setup. I have the camera upwards and the race and I am currently Setup with the Kiwi Syslog Dameon. What would be my best approach Logging all relevant information with the load to the bottom of the unit? Any suggestions / tips would be appreciated.

  Thank you

  It is a common logging configuration that I use:

  opening of session

  timestamp of the record

  logging trap information

  host of logging inside x.x.x.x

  No registration message 106015

  No message logging 106007

  No message logging 105003

  No registration message 105004

  No message recording 309002

  No message logging 305012

  No registration message 305011

  No message logging 303002

  No message logging 111008

  No message logging 302015

  No message recording 302014

  No message logging 302013

  No registration message 304001

  No message logging 111005

  No message logging 609002

  No message recording 609001

  No message logging 302016

  I usually do not enable the logging buffer (never use connection console it will affect performance) because it's not the messages timestamp (it only timestamps in the syslog). But the PIX loaded down with the load, you and Kiwi you before the PIX don't.

  Also turn on the IDs on the PIX.

  It will be useful.

  Steve

• QoS is supported on the Cisco PIX 501 or 506th?

  Hello

  There is no mention of QoS in technical for the PIX 501 and 506 records but nothing for the 515. PIX OS 7.x configuration guides do not mention specific material support.

  Does anyone know if QoS is taken care of in the 501 or 506th - I need support lines expectations for VoIP over IPSec.

  Thank you

  Chris

  QoS is supported in 7.x code, you would have to level 501/506 to 7.x code, but this is not supported on these two models, the next logical solution would be to upgrade your PIX 501/506 to asa5505s.

  Rgds

  Jorge

• Simple question PIX 501

  Hey guys,.

  The switch integrated on a PIX 501 will freely forward traffic between devices plugged into it, as long as they are on the same subnet? I assume that the answer is Yes. If so, is it possible to isolate one device other network traffic using the PIX only? I can t think in a certain way, but I'm not a guru PIX, so I figured that I d ask Mr. thanks a lot for any information that you may be able to provide.

  Do you hear them VLAN private?

  If so, then 'NO', it is not possible.

  There is no options at all to things like private VLAN on a PIX 501.

  Connect a Switch which suports as suppoorts this kind of features and a port of the switch to the pix.

  sincerely

  Patrick

• Customer Cisco PIX 501 VPN connects but no connection to the local network

  Hi all:

  I am able to make a VPN connection to a PIX 501. The remote client is assigned an IP (192.168.2.1) also, but not able to access all the machines in the local network connected to the PIX.

  I have attached the PIX configuration.

  Advice will be greatly appreciated.

  ********************

  6.3 (5) PIX version

  interface ethernet0 car

  interface ethernet1 100full

  ethernet0 nameif outside security0

  nameif ethernet1 inside the security100

  enable password xxxx

  passwd xxxxx

  pixfirewall hostname

  domain ciscopix.com

  fixup protocol dns-length maximum 512

  fixup protocol ftp 21

  fixup protocol h323 h225 1720

  fixup protocol h323 ras 1718-1719

  fixup protocol http 80

  fixup protocol rsh 514

  fixup protocol rtsp 554

  fixup protocol sip 5060

  fixup protocol sip udp 5060

  fixup protocol 2000 skinny

  fixup protocol smtp 25

  fixup protocol sqlnet 1521

  fixup protocol tftp 69

  names of

  access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

  access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

  pager lines 24

  Outside 1500 MTU

  Within 1500 MTU

  IP address outside dhcp setroute

  IP address inside 192.168.1.1 255.255.255.0

  alarm action IP verification of information

  alarm action attack IP audit

  IP local pool ippool 192.168.2.1 - 192.168.2.5

  location of PDM 192.168.2.0 255.255.255.0 outside

  PDM logging 100 information

  history of PDM activate

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) - 0 102 access list

  NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

  Timeout xlate 0:05:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

  H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

  Sip timeout - disconnect 0:02:00 prompt Protocol sip-0: 03:00

  Timeout, uauth 0:05:00 absolute

  GANYMEDE + Protocol Ganymede + AAA-server

  AAA-server GANYMEDE + 3 max-failed-attempts

  AAA-server GANYMEDE + deadtime 10

  RADIUS Protocol RADIUS AAA server

  AAA-server RADIUS 3 max-failed-attempts

  AAA-RADIUS deadtime 10 Server

  AAA-server local LOCAL Protocol

  Enable http server

  http 192.168.1.0 255.255.255.0 inside

  No snmp server location

  No snmp Server contact

  SNMP-Server Community public

  No trap to activate snmp Server

  enable floodguard

  Permitted connection ipsec sysopt

  Crypto ipsec transform-set esp - esp-md5-hmac RIGHT

  Crypto-map dynamic dynmap 10 transform-set RIGHT

  map mymap 10-isakmp ipsec crypto dynamic dynmap

  mymap outside crypto map interface

  ISAKMP allows outside

  ISAKMP identity address

  part of pre authentication ISAKMP policy 10

  encryption of ISAKMP policy 10

  ISAKMP policy 10 md5 hash

  10 2 ISAKMP policy group

  ISAKMP life duration strategy 10 86400

  vpngroup vpn3000 ippool address pool

  vpngroup vpn3000 Server dns 68.87.72.130

  vpngroup vpn3000-wins 192.168.1.100 Server

  vpngroup vpn3000 split tunnel 101

  vpngroup vpn3000 downtime 1800

  password vpngroup vpn3000 *.

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  dhcpd address 192.168.1.2 - 192.168.1.33 inside

  dhcpd lease 3600

  dhcpd ping_timeout 750

  dhcpd outside auto_config

  dhcpd allow inside

  Terminal width 80

  Cryptochecksum:xxxx

  ****************

  The DNS server is the one assigned to me by my ISP.

  My internal network connected to the PIX is 192.168.1.1 - 192.168.1.33 and the VPN ip pool is 192.168.2.1 - 192.168.2.5

  "isakmp nat-traversal 20" can do the trick.

• Connectivity random Cisco Pix 501

  Hello. I'm having some trouble with my CISCO PIX 501 Setup.

  A few months I started having random disconnects on my network (from inside to outside). The machines can ping the DC or the Pix, but impossible to surf the internet. The only way to make them go outside is a reboot of Pix.

  My configuration is:

  -----------

  See the ACE - pix config (config) #.
  : Saved
  : Written by enable_15 at 09:23:07.033 UTC Tuesday, June 3, 2014
  6.3 (3) version PIX
  interface ethernet0 car
  interface ethernet1 100full
  ethernet0 nameif outside security0
  nameif ethernet1 inside the security100
  activate 8Ry34retyt7RR564 encrypted password
  2fvbbfgdI.2KUOU encrypted passwd
  hostname as pix
  domain as.local
  fixup protocol dns-length maximum 512
  fixup protocol esp-ike
  fixup protocol ftp 21
  fixup protocol h323 h225 1720
  fixup protocol h323 ras 1718-1719
  fixup protocol http 80
  fixup protocol pptp 1723
  fixup protocol rsh 514
  fixup protocol rtsp 554
  fixup protocol sip 5060
  fixup protocol sip udp 5060
  fixup protocol 2000 skinny
  fixup protocol smtp 25
  fixup protocol sqlnet 1521
  fixup protocol tftp 69
  names of
  access-list acl_out permit icmp any one
  ip access list acl_out permit a whole
  access-list acl_out permit tcp any one
  Allow Access-list outside_access_in esp a whole
  outside_access_in list access permit udp any eq isakmp everything
  outside_access_in list of access permit udp any eq 1701 all
  outside_access_in list of access permit udp any eq 4500 all
  outside_access_in ip access list allow a whole
  pager lines 24
  Outside 1500 MTU
  Within 1500 MTU
  outside 10.10.10.2 IP address 255.255.255.0
  IP address inside 192.168.100.1 255.255.255.0
  alarm action IP verification of information
  alarm action attack IP audit
  history of PDM activate
  ARP timeout 14400
  Global 1 10.10.10.8 - 10.10.10.254 (outside)
  NAT (inside) 1 0.0.0.0 0.0.0.0 0 0
  Access-group outside_access_in in interface outside
  access to the interface inside group acl_out
  Route outside 0.0.0.0 0.0.0.0 10.10.10.1 0
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225
  H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00
  Timeout, uauth 0:05:00 absolute
  GANYMEDE + Protocol Ganymede + AAA-server
  RADIUS Protocol RADIUS AAA server
  AAA-server local LOCAL Protocol
  Enable http server
  http 192.168.10.2 255.255.255.255 inside
  http 192.168.10.101 255.255.255.255 inside
  http 192.168.100.2 255.255.255.255 inside
  No snmp server location
  No snmp Server contact
  SNMP-Server Community public
  No trap to activate snmp Server
  enable floodguard
  Permitted connection ipsec sysopt
  ISAKMP nat-traversal 20
  Telnet timeout 5
  SSH 192.168.10.101 255.255.255.255 inside
  SSH timeout 60
  Console timeout 0
  dhcpd dns 8.8.8.8 8.8.4.4
  dhcpd lease 3600
  dhcpd ping_timeout 750
  dhcpd outside auto_config
  Terminal width 80
  Cryptochecksum:7f9bda5e534eaeb1328ab08a3c4d28a
  ------------

  Do you have any advice? I don't get what's wrong with my setup.

  My DC is 192.168.100.2 and the network mask is 255.255.255.0

  The network configuration is configured to set the IP of the gateway to 192.168.100.1 (i.e. the PIX 501).

  I have about 50 + peers on the internal network.

  Any help is apprecciate.

  Hello

  You have a license for 50 users +?

  After the release of - Show version

  RES

  Paul

• PIX 501, allows external clients only before the next hop to connect.

  Here's the problem:

  I have configured the Pix501 to accept PPTP connections and it works. I tried using a laptop with win98 on the same network segment (of the external interface). However, whenever my customers who are on a different ISP try to connect they may not. I tried with my laptop even home and another location, and all fail.

  I read recently that a router/firewall may block certain types of packets that do not establish PPTP connections. I think this is my problem, but I am unable to find information to pass on to my ISPS support staff.

  This is the router that provides the pix with the external connection is the problem in my view.

  Any thoughts?

  PPTP uses GRE packets. Ask them if they are blocking GRE, also ask if they block ESP and AH (types of IPSec packets, you can switch to IPSec if you determine that ISPS for your end-users block GRE to try to shake down to rates for dsl/cable "class business".)

• PAT on IPSEC VPN (Pix 501)

  Hello

  I work to connect a PIX 501 VPN for a 3rd party hub 3015. The hub requires all traffic to come from a single source IP address. This IP address is assigned to me as z.z.z.z. I have successfully built the VPN and tested by mapping staticly internal IP with the IP address assigned, but cannot get the orders right to do with PAT in order to have more than one computer on the subnet 10.x.x.0. This Pix is also a backup for internet routing and NAT work currently as well for this.

  I can redirect traffic to my subnet to the remote subnet via the VPN, but I can't seem to get the right stuff PAT to the VPN using the assigned IP address. If anyone can give me some advice that would be great.

  lines of current config interesting configuration with static mapping:

  --------------------------------------------------------------------------

  access-list 101 permit ip 10.0.0.0 255.255.255.0 y.y.y.0 255.255.255.0

  access-list 102 permit ip y.y.y.0 255.255.255.0 z.z.z.z host

  access-list 103 allow host ip y.y.y.0 255.255.255.0 z.z.z.z

  IP address outside w.w.w.1 255.255.255.248

  IP address inside 10.0.0.1 255.255.255.0

  Global 1 interface (outside)

  NAT (inside) - 0 102 access list

  NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

  public static z.z.z.z (Interior, exterior) 10.x.x.50 netmask 255.255.255.255 0 0

  Route outside 0.0.0.0 0.0.0.0 w.w.w.2 1

  correspondence address card crypto mymap 10 103

  mymap outside crypto map interface

  ISAKMP allows outside

  Thank you!

  Dave

  Dave,

  (1) get rid of static electricity. Use more Global/NAT. The static method will create a permanent

  translation for your guests inside and they will always be this way natted. Use

  NAT of politics, on the contrary, as shown here:

  not static (inside, outside) z.z.z.z 10.x.x.50 netmask 255.255.255.255 0 0

  Global (outside) 2 z.z.z.z netmask 255.255.255.255

  (Inside) NAT 2-list of access 101

  (2) the statement, "nat (inside) access 0 2' list will prevent nat of your valuable traffic."

  Delete this because you need to nat 2 nat/global card. (as a general rule, simply you

  If you terminate VPN clients on your device and do not want inside the traffic which

  is intended for the vpn clients to be natted on the external interface).

  (3) with the instructions of Global/nat 2, all traffic destined for the remote network will be first

  translated into z.z.z.z. Then your card crypto using the ACL 103 will encrypt all traffic which

  sources of z.z.z.z for y.y.y.0 24. This translation wil happen only when traffic is destined for the vpn.

  I hope this helps. I have this work on many tunnels as you describe.

  Jamison

• Unable to connect to PDM on PIX 501

  just cannot understand this. I have a PIX 501 I used to connect very well. Now I can't get the PDM to come up inside, outside, nothing.  I use the same (old) of JAVA 1.4 version I always used. I can Telnet etc... Very well. The HTTP server is enabled and have granted access from my IP address. Any help would be greatly appreciated. See my config below.

  See the pixfirewall # running
  : Saved
  :
  6.3 (5) PIX version
  interface ethernet0 car
  interface ethernet1 100full
  ethernet0 nameif outside security0
  nameif ethernet1 inside the security100
  activate 8Ry2YjIyt7RRXU24 encrypted password
  passwd encrypted XXXXXXXX
  pixfirewall hostname
  domain ciscopix.com
  clock timezone IS - 5
  clock to summer time EDT recurring
  fixup protocol dns-length maximum 512
  fixup protocol ftp 21
  fixup protocol h323 h225 X 0
  fixup protocol h323 ras X 18 - X 19
  fixup protocol http 80
  fixup protocol rsh 514
  fixup protocol rtsp 554
  fixup protocol sip 5060
  fixup protocol sip udp 5060
  fixup protocol 2000 skinny
  fixup protocol smtp 25
  fixup protocol sqlnet 1521
  fixup protocol tftp 69
  names of
  name admin_subnet X.X.X.X
  inside_outbound_nat0_acl X.X.X.X 255.255.255.0 ip access list allow admin_
  subnet 255.255.0.0
  inside_outbound_nat0_acl X.X.X.X 255.255.255.0 ip access list allow X.X
  . X.X 255.255.255.0
  outside_cryptomap_20 X.X.X.X 255.255.255.0 ip access list permit admin_subn
  and 255.255.0.0
  outside_cryptomap_20 X.X.X.X 255.255.255.0 ip access list allow X.X.X
  . X 255.255.255.0
  pager lines 24
  Outside 1500 MTU
  Within 1500 MTU
  IP outside X.X.X.X 255.255.255.128
  inside X.X.X.X 255.255.255.0 IP address
  alarm action IP verification of information
  alarm action attack IP audit
  PDM location admin_subnet 255.255.0.0 outside
  location of PDM X.X.X.X 255.255.255.0 inside
  PDM location x.x.x.x 255.255.255.255 outside
  location of PDM X.X.X.X 255.255.255.0 outside
  location of PDM X.X.X.X 255.255.255.255 outside
  PDM logging 100 information
  history of PDM activate
  ARP timeout 14400
  Global 1 interface (outside)
  NAT (inside) 0-list of access inside_outbound_nat0_acl
  NAT (inside) 1 0.0.0.0 0.0.0.0 0 0
  Route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
  Timeout xlate 0:05:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225
  H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00
  Sip timeout - disconnect 0:02:00 prompt Protocol sip-0: 03:00
  Timeout, uauth 0:05:00 absolute
  GANYMEDE + Protocol Ganymede + AAA-server
  AAA-server GANYMEDE + 3 max-failed-attempts
  AAA-server GANYMEDE + deadtime 10
  RADIUS Protocol RADIUS AAA server
  AAA-server RADIUS 3 max-failed-attempts
  AAA-RADIUS deadtime 10 Server
  AAA-server local LOCAL Protocol
  AAA authentication enable LOCAL console
  AAA authentication http LOCAL console
  LOCAL AAA authentication serial console
  the ssh LOCAL console AAA authentication
  AAA authentication LOCAL telnet console
  Enable http server
  http X.X.X.X 255.255.255.0 inside
  http admin_subnet 255.255.0.0 inside
  No snmp server location
  No snmp Server contact
  SNMP-Server Community public
  No trap to activate snmp Server
  enable floodguard
  Permitted connection ipsec sysopt
  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
  outside_map 20 ipsec-isakmp crypto map
  card crypto outside_map 20 match address outside_cryptomap_20
  card crypto outside_map pfs set 20 group2
  card crypto outside_map 20 game peers X.X.X.X
  outside_map crypto 20 card value transform-set ESP-AES-256-SHA
  outside_map interface card crypto outside
  ISAKMP allows outside
  ISAKMP key * address X.X.X.X 255.255.255.255 netmask No.-xauth non - co
  Nfig-mode
  part of pre authentication ISAKMP policy 20
  ISAKMP policy 20 aes-256 encryption
  ISAKMP policy 20 chopping sha
  20 2 ISAKMP policy group
  ISAKMP duration strategy of life 20 8 X 00
  Telnet X.X.X.X 255.255.255.0 outside
  Telnet X.X.X.X 255.255.255.0 inside
  Telnet admin_subnet 255.255.0.0 inside
  Telnet timeout 30
  ssh X.X.X.X 255.255.255.255 outside
  X.X.X.X 255.255.255.0 inside SSH
  SSH timeout 30
  management-access inside
  Console timeout 30
  dhcpd dns 8.8.8.8 8.8.4.4
  dhcpd lease 3600
  dhcpd ping_timeout 750
  username password XXXXXX XXXXXXXXXXX encrypted privilege 15
  Terminal width 80
  Cryptochecksum:
  : end

  Hello Mark,

  lol Nice to know that everything works fine now

  Don't forget to mark it as answered and to classify the useful messages (if you don't know how to evaluate a message just to get to the bottom of each answer and mark 1 being a wrong answer, being a great answer 5 stars)

  Kind regards

  Julio

  PD: Some kudos for you (because of the answer)