PIX 515E-> URL filtering: enabled

Similar Questions

• Question of PIX 515E

  Hi all

  We just bought a PIX 515E and try to use it, but got a number of questions. Here's the NVA of show:

  PIX-151st #show version

  Cisco PIX Firewall Version 6.3 (1)

  Cisco PIX Device Manager Version 3.0 (1)

  Updated Thursday 19 March 03 11:49 by Manu

  PIX-515E up to 5 hours and 15 minutes

  Material: PIX-515E, 64 MB RAM, Pentium II 433 MHz processor

  Flash E28F128J3 @ 0 x 300, 16 MB

  BIOS Flash AM29F400B @ 0xfffd8000, 32 KB

  0: ethernet0: the address is 000f.2457.4b12, irq 10

  1: ethernet1: the address is 000f.2457.4b13, irq 11

  Features licensed:

  Failover: enabled

  VPN - A: enabled

  VPN-3DES-AES: enabled

  Maximum Interfaces: 6

  Cut - through Proxy: enabled

  Guardians: enabled

  URL filtering: enabled

  Internal hosts: unlimited

  Flow: IKE peers unlimited: unlimited

  This PIX has a failover license only (FO).

  Problem is that we cannot ping inner harbor, if we do not switch light, but this is a unique machine. Here's another message once we turn on the switch:

  PIX-515E # config t

  WARNING *.

  Configuration of replication is NOT performed the unit from standby to Active unit.

  Configurations are no longer synchronized.

  PIX-515e (config) #.

  Please help solve this problem. I wonder if we buy the wrong license? Thank you very much.

  you have in your possession a PIX failover. That's why says in the "sh run".

  This device is intended to be used only as a failover for a live device. It will work as a live PIX, but behave badly. It is cheaper than a PIX with an unrestricted license, as it is not intended to be used as a standalone device. Check with the one that you bought to get the situation sorted.

  Good luck

  Steve

• License - PIX 515E, restricted or unrestricted?

  How can I know what license I have on a PIX515E? I need to know if it is limited or unlimited. Here is the output of sh worm but nothing jumps on me and said: that which.

  Cisco PIX Firewall Version 6.2 (2)

  Cisco PIX Device Manager Version 1.1 (2)

  Updated Saturday, June 7 02 17:49 by Manu

  ABC-FW01 up to 3 hours and 24 minutes

  Material: PIX-515E, 32 MB RAM, Pentium II 433 MHz processor

  Flash E28F128J3 @ 0 x 300, 16 MB

  BIOS Flash AM29F400B @ 0xfffd8000, 32 KB

  0: ethernet0: the address is 000a.b7bc.4b30, irq 10

  1: ethernet1: the address is 000a.b7bc.4b31, irq 11

  2: ethernet2: the address is 0002.b3ad.8176, irq 11

  Features licensed:

  Failover: enabled

  VPN - A: enabled

  VPN-3DES: disabled

  Maximum Interfaces: 6

  Cut - through Proxy: enabled

  Guardians: enabled

  URL filtering: enabled

  Internal hosts: unlimited

  Throughput: unlimited

  Peer IKE: unlimited

  Serial number: 806343913 (0x300fd4e9)

  Activation key running: xxxx

  Modified configuration of enable_15 to 10:26:27.064 UTC Tuesday, February 7, 2006

  It is an unrestricted license. The number of maximum interfaces is a way of saying. Restricted is only 3 where UR is 6. You can use this page to see other differences.

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_data_sheet09186a00800b0d85.html

  You could also paste your show in output interpreter tool version, if you are a registered user.

  Steve

• Question of BandNew PIX 515E

  I got some new PIX 515E security infra-red and I had sex 2 questions about everything I tried. I installed a 5 port switch inside and cannot ping anything from the console. I have a computer on the switch, and he is able to ping other devices on the switch, but not the PIX.

  What I find strange is that when I try to ping from the inside interface on the PIX of one inside computers, PIX displays the MAC address of the computer inside in the arp table.

  My goal is to upgrade the PIX to ver7.0 but I can't do so until I can solve this problem.

  Here are some information among the PIX.

  #sh worm

  Cisco PIX Firewall Version 6.3 (4)

  Cisco PIX Device Manager Version 3.0 (2)

  Updated Saturday 2 July 04 00:07 by Manu

  pixfirewall up to 29 minutes 33 seconds

  Material: PIX-515E, 128 MB RAM, Pentium II 433 MHz processor

  Flash E28F128J3 @ 0 x 300, 16 MB

  BIOS Flash AM29F400B @ 0xfffd8000, 32 KB

  Hardware encryption device: VAC + (Crypto5823 revision 0 x 1)

  0: ethernet0: the address is 0015.625a.f7da, irq 10

  1: ethernet1: the address is 0015.625a.f7db, irq 11

  2: ethernet2: the address is 000d.8810.902c, irq 11

  3: ethernet3: the address is 000d.8810.902d, irq 10

  4: ethernet4: the address is 000d.8810.902e, irq 9

  5: ethernet5: the address is 000d.8810.902f, irq 5

  Features licensed:

  Failover: enabled

  VPN - A: enabled

  VPN-3DES-AES: disabled

  The maximum physical Interfaces: 6

  Maximum Interfaces: 10

  Cut - through Proxy: enabled

  Guardians: enabled

  URL filtering: enabled

  Internal hosts: unlimited

  Throughput: unlimited

  Peer IKE: unlimited

  This PIX has a failover license only (FO).

  #sh run

  interface ethernet1 100full

  nameif ethernet1 inside the security100

  pixfirewall hostname

  domain testlan

  access-list acl_out permit icmp any one

  No external ip address

  IP address inside 192.168.1.222 255.255.255.0

  No IP failover outdoors

  No IP failover inside

  #sh int e1

  interface ethernet1 'inside' is up, line protocol is up

  The material is i82559 ethernet, the address is 0015.625a.f7db

  IP 192.168.1.222, subnet mask 255.255.255.0

  MTU 1500 bytes, BW 100000 Kbit full duplex

  Hi M8,

  Your firewall has a license of FO, you must enable this device to be able to see it.

  Run the command:

  active failover

  With this command, the device turns into the 'Active' from a perspective of failover state. It will work after that.

  See you soon.

  Salem.

• 4240 IPS blocking queries with Pix 515E

  I have activated the lock on the 4240 and put locking as our Pix 515E. When I look at the Configurations of Signature quite a few Signature Actions are set to alert only produce. If blocking is enabled you also go and the Actions of signing the Deny value or TCP Reset? So far my attackers show dosen't IPS refused and he detected the high level of traffic which I assume must now be blocked. Thanks John

  Yes, go under the signatures that you want and enable blocking for them as an action. Globally blocking configuration (setting the blocking device, the interface, the connection of the device information, etc.), does not actually blocked on the sensor itself, we must still go and activate the blocking of this particular signature. When this particular GIS fires in the future, the sensor it will block on the device that you configured.

  Be very careful with blocking, the reason that we're not blocking simply all the signatures, it is that it would be very dangerous to blindly add access lists to a device that will stop traffic. You must first make sure that you don't get any number of false positives on the signatures and end up blocking valid traffic. In addition, on a busy sensor you could easily overrun detector and locking to writing and deleting 1000's of top access lists. And finally, although probably not, blocking can even be used as an attack denial of service, where an attacker, if they know what signatures you block, can usurp packages past your sensor so that it denies traffic to our legitimate guests.

  You have to look at what signatures you really want to block, and then enable blocking on them individually.

• Cisco VPN Client Authentication - PIX 515E-UR

  Hi all

  I need your expert help on the following issues I have:

  1. I would like to create more than 1 client VPN on my PIX-515E groups. This is so that I can give a different part of the internal network access to different type of VPN connection. For example, I want a group to have no XAUTH, while the other group must use RADIUS XAUTH. Is it possible for me to do this? I see the PIX automatically enable RADIUS on both groups of VPN clients.

  2. the RADIUS server is a Microsoft ISA with IAS server and it is located on the PIX inside interface. The VPN endpoint is external interface of the PIX. Is there a problem with this Setup? Do I need to have the RADIUS server that is located on the external interface?

  3 can. what command I use to debug RADIUS authentication?

  Thanks in advance for your help.

  Hi vincent,.

  (1) you can use the vpngroup *-authentication server ipaddress to specify the IP address of the Radius Server on a particular group... If you do not specify this, the authentication of the user is made locally... also check for vpngroup * order of user authentication

  (2) there should be no problem with the installation of your... should work fine... If the RADIUS is outdoors, it is subject to many attacks... so have it inside...

  (3) use the "RADIUS session debug" or "debug aaa authentication..."

  I hope this helps... all the best... the rate of responses if found useful

  REDA

• PIX 515E for VPN remote site

  Hello

  7.0 (1) version pix

  ASDM version 5.0 (1)

  I have a situation where you go paas-thanks to the VPN feature goes on our PIX 515E. I tried to put this on the pix using a VPN Wizard Site to site

  who is enabled. I was unable to connect to the pix from the remote site. Witch's journal replied negotiate the pix is OK and the success

  The problem is when I try to set up the tunnel to the top of the remote site. I fall without failure.

  where can I see the vpn pix for error log?

  is there a manual for the solution of site to site VPN using the wizard

  Help, please.

  Thanks in advance

  http://www.Cisco.com/en/us/partner/products/HW/vpndevc/ps2030/products_configuration_example09186a00804acfea.shtml#ASDM

  the section 'use adsm' (step 14) gives an example on how to set up vpn lan - lan via adsm

  Newspaper to go to the section "check".

• Cannot select on FireSight URL filtering with license activated

  Hi community

  I have a FireSight 6.0 VM with 4 modules of firepower enabled from four 5506-X ASA devices.

  They are all updated to 6.0 the power of fire and FireSight, I have an activated license:

  

  Under management of devices for fire power I can't even select URL filtering:

  

  What should do?

  The permanent control (CTRL) license free of charge is a sine qua non for all licenses of the term-based subscription. The PAK, it should have been included with the ASA.

  If this is not your partner (or TAC) can call the sales order and you can then redeem it for a license.

• Configuration of RADIUS and accounting AAA + PIX-515E

  Dear All;

  I want to put the accounting of PIX.

  Here is the composition of the equipment.

  ACS SE: 4.1.1.23.5

  PIX 515E: 7.0 (6)

  PIX of setting is as follows.

  GANYMEDE + Protocol Ganymede + AAA-server

  AAA-server GANYMEDE + host xx.xx.xx.xx

  key xxxxx

  order of accounting AAA GANYMEDE +.

  Console telnet accounting AAA GANYMEDE +.

  Thus, the configuration setting was written in ACS.

  But the user name is enable_15. (attached 1.jpg)

  Is it a restriction?

  Kind regards

  Reiji

  Hi Marilou,

  Looks like we have the authority to command configured on the pix. You must enable authentication configured on the RADIUS server then only we would get username is accounting, unlike pix Device IOS doesn't send user name to the RADIUS server, he would send enable_15 as username for all users.

  Configure the following command to make it work.

  AAA authentication enable console LOCAL + Ganymede

  HTH

  -Philou

• Several outbound VPN connections behind PIX-515E

  I will take a PIX-515E off-site for a provision of access internet location. I have several people behind this PIX, who will have to return to the same Office VPN. One person can VPN through the PIX very well, but if someone else tries to VPN they cannot. Once the first person has disconnected for 10 minutes, then the next person can connect. I activated the NAT - T and added fixup protocol esp-ike. What can I do it wrong? Thank you.

  fixup protocol esp-ike - allows PAT to (ESP), one tunnel.

  Please remove this correction.

  If the remote site has NAT - T enabled, then you should be able to use NAT - T and more than 1 user should be able to use behind the PIX VPN client.

  See you soon

  Gilbert

• Cisco VPN Client behind PIX 515E,-> VPN concentrator

  I'm trying to configure a client as follows:

  The user is running Cisco VPN Client 4.0. They are behind a 6.1 PIX 515E (4), and I need to connect to a VPN concentrator located outside of our network. We use PAT for address translation. As far as I know, to allow ipsec through Firewall 1 tunnel, I need to upgrade the pix to 6.3 and activate "fixup protocol esp-ike.

  Is there another way to do this? I am also curious to know how much more easy/better this will work if we were dealing with pptp.

  You don't necessarily need to fixup protocol esp-ike active. The remote Hub there encapsulation NAT - T enabled so that clients behind the NAT can run?

• PIX 515E - VPN connections

  Hello

  I have pix 515E and I configured a VPN on it. My users connect to my network from the internet via the Cisco VPN client.

  I have problem, only their LAN machine can do VPN from Cisco VPN client to my network at once.

  Users are connected to the internet via an ADSL router and the LAN switch.

  --------------------------------------------------

  PIX Config:

  6.3 (4) version PIX

  interface ethernet0 car

  Auto interface ethernet1

  ethernet0 nameif outside security0

  nameif ethernet1 inside the security100

  enable encrypted password xxxxxxxxxxxxxxx

  xxxxxxxxxxxxxxxx encrypted passwd

  hostname ABCDEFGH

  ABCD.com domain name

  clock timezone IS - 5

  clock to summer time EDT recurring

  fixup protocol dns-length maximum 512

  fixup protocol ftp 21

  fixup protocol h323 h225 1720

  fixup protocol h323 ras 1718-1719

  fixup protocol http 80

  fixup protocol rsh 514

  fixup protocol rtsp 554

  fixup protocol sip 5060

  fixup protocol sip udp 5060

  fixup protocol 2000 skinny

  fixup protocol smtp 25

  fixup protocol sqlnet 1521

  fixup protocol tftp 69

  inside_out to the list of allowed access nat0_acl ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

  list of allowed shared access ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0

  pager lines 24

  Outside 1500 MTU

  Within 1500 MTU

  IP address outside xxx.xxx.xxx.xxx 255.255.255.0

  IP address inside 192.168.1.1 255.255.255.0

  alarm action IP verification of information

  alarm action attack IP audit

  IP local pool vpnpool 192.168.2.1 - 192.168.2.254

  PDM logging 100 information

  history of PDM activate

  ARP timeout 14400

  Global interface 10 (external)

  NAT (inside) 0-list of access inside_out-nat0_acl

  NAT (inside) 10 0.0.0.0 0.0.0.0 0 0

  Route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

  H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

  Timeout, uauth 0:05:00 absolute

  GANYMEDE + Protocol Ganymede + AAA-server

  AAA-server GANYMEDE + 3 max-failed-attempts

  AAA-server GANYMEDE + deadtime 10

  RADIUS Protocol RADIUS AAA server

  AAA-server RADIUS 3 max-failed-attempts

  AAA-RADIUS deadtime 10 Server

  AAA-server RADIUS (inside) host ABCDE timeout 10

  AAA-server local LOCAL Protocol

  RADIUS protocol radius AAA-server

  Radius max-failed-attempts 3 AAA-server

  AAA-radius deadtime 10 Server

  RADIUS protocol AAA-server partnerauth

  AAA-server partnerauth max-failed-attempts 3

  AAA-server deadtime 10 partnerauth

  partnerauth AAA-server (host ABCDEFG myvpn1 timeout 10 Interior)

  Enable http server

  http 192.168.1.0 255.255.255.0 inside

  No snmp server location

  No snmp Server contact

  SNMP-Server Community public

  No trap to activate snmp Server

  enable floodguard

  Permitted connection ipsec sysopt

  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

  Crypto-map dynamic outside_dyn_map 20 the transform-set ESP-3DES-MD5 value

  map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

  card crypto client outside_map of authentication partnerauth

  outside_map interface card crypto outside

  ISAKMP allows outside

  ISAKMP key * address 0.0.0.0 netmask 0.0.0.0

  ISAKMP identity address

  part of pre authentication ISAKMP policy 8

  ISAKMP strategy 8 3des encryption

  ISAKMP strategy 8 md5 hash

  8 2 ISAKMP policy group

  ISAKMP life duration strategy 8 the 86400

  part of pre authentication ISAKMP policy 10

  ISAKMP policy 10 3des encryption

  ISAKMP policy 10 sha hash

  10 2 ISAKMP policy group

  ISAKMP life duration strategy 10 86400

  vpngroup myvpn address vpnpool pool

  vpngroup myvpn ABCDE dns server

  vpngroup myvpn by default-field ABCD.com

  splitting myvpn vpngroup split tunnel

  vpngroup idle 1800 myvpn-time

  vpngroup myvpn password *.

  Telnet 192.168.1.0 255.255.255.0 inside

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  dhcpd address 192.168.1.200 - 192.168.1.254 inside

  dhcpd dns ABCDE

  dhcpd lease 3600

  dhcpd ping_timeout 750

  field of dhcpd ABCD.com

  dhcpd outside auto_config

  dhcpd allow inside

  Terminal width 80

  --------------------------------------------------

  Thanks in advance.

  -Amit

  Try to add the "isakmp nat-traversal" command to your PIX. I suspect what happens is that Remote LAN users is translated to a single IP address as they pass through the DSL connection. I also assume that the machine doing the translation has a capacity of IPSec passthrough. Linksys routers would be a good example of this type of NAT device that allows IPSec pull-out.

  If that's the case, that a single VPN connection will be able to operate both. The above command will turn PIX detect clients that are located behind a NAT device, and then try to configure the VPN sessions in UDP packets and so to work around the limitation of NAT and IPSec passthrough device.

• ASDM 5.02 on PIX-515E

  When I use ASDM to administer my PIX-515E (v7.0), I get messages from 2 following error if I update the screen after being inactive in the session for about 2-3 minutes about:

  Error message 1

  ASDM is temporarily unable to communicate with the firewall.

  Error message 2

  ASDM is unable to reach the PIX. Please check the configuration and your connection and try again by clicking the Refresh button.

  These messages were recently and I don't know why. Is there an ASDM idle session time-out setting? I could not found.

  Thank you

  Bill Fanning

  Hello

  What version of Java are you using. If you have Java 1.6, can you go back to 1.5 and see if the problem goes away.

  Also, here is the URL indicating the operating system for client PC and browser requirements

  http://www.Cisco.com/en/us/partner/docs/security/ASA/asa70/asdm50/release/notes/RN505.html#wp231810

  I hope it helps.

  Kind regards

  Arul

  * Please note all useful messages *.

• PIX 515E config help

  I am a new user and I'm trying to configure a PIX 515e Ver 6.3 (3). How can I give my users inside access to my webfarm located on dmz1. I am able to access the test sites inside and outside dzm1. I can't access the Web inside dmz1 sites. Here is my current config:

  6.3 (3) version PIX

  interface ethernet0 100full

  interface ethernet1 100full

  interface ethernet2 100full

  Automatic stop of interface ethernet3

  Automatic stop of interface ethernet4

  Automatic stop of interface ethernet5

  ethernet0 nameif outside security0

  nameif ethernet1 inside the security100

  nameif ethernet2 dmz1 security50

  nameif ethernet3 intf3 securite6

  nameif ethernet4 intf4 security8

  ethernet5 intf5 security10 nameif

  enable password xxxx

  passwd xxxx

  hostname pix1

  apprendrefacile.com domain name

  fixup protocol dns-length maximum 512

  fixup protocol ftp 21

  fixup protocol h323 h225 1720

  fixup protocol h323 ras 1718-1719

  fixup protocol http 80

  fixup protocol rsh 514

  fixup protocol rtsp 554

  fixup protocol sip 5060

  fixup protocol sip udp 5060

  fixup protocol 2000 skinny

  fixup protocol smtp 25

  fixup protocol sqlnet 1521

  fixup protocol tftp 69

  names of

  aetest name 10.10.10.1

  name 10.10.10.2 aetest1

  name 13.13.13.3 aetestdmz

  name 13.13.13.4 aetestdmz1

  access-list from-out-to allow tcp any any eq www

  pager lines 24

  opening of session

  debug logging in buffered memory

  Outside 1500 MTU

  Within 1500 MTU

  dmz1 MTU 1500

  intf3 MTU 1500

  intf4 MTU 1500

  intf5 MTU 1500

  IP address outside the 12.x.x.x.255.255.0

  IP address inside 10.10.10.2 255.255.255.0

  IP address dmz1 13.x.x.x.255.255.0

  No intf3 ip address

  No intf4 ip address

  No intf5 ip address

  alarm action IP verification of information

  alarm action attack IP audit

  no failover

  failover timeout 0:00:00

  failover poll 15

  No IP failover outdoors

  No IP failover inside

  no failover ip address dmz1

  no failover ip address intf3

  no failover ip address intf4

  no failover ip address intf5

  history of PDM activate

  ARP timeout 14400

  public static 12.12.12.15 (inside, outside) aetest netmask 255.255.255.255 0 0

  public static 12.12.12.16 (inside, outside) aetest1 netmask 255.255.255.255 0 0

  (dmz1, external) 12.12.12.17 static aetestdmz netmask 255.255.255.255 0 0

  (dmz1, external) 12.12.12.18 static aetestdmz1 netmask 255.255.255.255 0 0

  Access-group from-out-to external interface

  Route outside 0.0.0.0 0.0.0.0 12.12.12.1 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

  H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

  Timeout, uauth 0:05:00 absolute

  GANYMEDE + Protocol Ganymede + AAA-server

  RADIUS Protocol RADIUS AAA server

  AAA-server local LOCAL Protocol

  Enable http server

  http 10.10.10.207 255.255.255.255 inside

  No snmp server location

  No snmp Server contact

  SNMP-Server Community public

  No trap to activate snmp Server

  enable floodguard

  Telnet 10.10.10.0 255.255.255.0 inside

  Telnet timeout 20

  SSH timeout 5

  Console timeout 0

  Terminal width 80

  Cryptochecksum:XXXXX

  : end

  Thank you... Jay

  with pix v6.x, nat/global or static is a must do before the pix will start to transfer packets between two interfaces.

  the current static instructions do not cover the translation between the inside and the dmz. as the traffic between pix inside the net and dmz is private, I suggest you to set up no. - nat between the two.

  for example

  static (inside, dmz1) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

  clear xlate

  in the above example, pix inside the host must be able to access the dmz Server pointing to the private ip address of dmz Web server.

  If you prefer the pix inside the host to access the dmz by name server, then "alias" command should be applied.

  for example

  alias (inside) 13.13.13.3 12.12.12.17 255.255.255.255

  the need for the command "alias" is due to the fact that when pix inside the host tries to access the server dmz by name, the public dns will point to the public IP address of the dmz Web server. now, as the static electricity created for the dmz Web server is directional i.e. public ip will be accessible from the outside, not the pix inside the net. so the 'alias' command will allow the PIX to manipulate the dns response and point the name to the private ip of Web server dmz for the pix inside the host.

• VPN - Pix 515e for Cisco router

  I have the following Setup and I can't seem to get the next tunnel. My end is a PIX 515e race 7.2 (4). The other end is a Cisco router-not sure of the model or version of the IOS.

  PIX:

  90 extended access-list allow ip host a.a.a.a host b.b.b.b

  NAT (inside) - 0-90 access list

  correspondence address card crypto mymap 20 90
  card crypto mymap 20 peers set x.x.x.x
  map mymap 20 set transformation-strong crypto
  mymap outside crypto map interface
  ISAKMP crypto identity hostname
  crypto ISAKMP allow outside
  crypto ISAKMP policy 8
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400

  tunnel-group x.x.x.x type ipsec-l2l
  tunnel-group ipsec-attributes x.x.x.x
  pre-shared key 12345

  Router:

  / * Style definitions * / table. MsoNormalTable {mso-style-name : « Table Normal » ; mso-tstyle-rowband-taille : 0 ; mso-tstyle-colband-taille : 0 ; mso-style-noshow:yes ; mso-style-priorité : 99 ; mso-style-qformat:yes ; mso-style-parent : » « ;" mso-rembourrage-alt : 0 à 5.4pt 0 à 5.4pt ; mso-para-margin : 0 ; mso-para-marge-bottom : .0001pt ; mso-pagination : widow-orphelin ; police-taille : 11.0pt ; famille de police : « Calibri », « sans-serif » ; mso-ascii-font-family : Calibri ; mso-ascii-theme-font : minor-latin ; mso-fareast-font-family : « Times New Roman » ; mso-fareast-theme-font : minor-fareast ; mso-hansi-font-family : Calibri ; mso-hansi-theme-font : minor-latin ; mso-bidi-font-family : « Times New Roman » ; mso-bidi-theme-font : minor-bidi ;} / * Définitions de style * / table. MsoNormalTable {mso-style-name : « Table Normal » ; mso-tstyle-rowband-taille : 0 ; mso-tstyle-colband-taille : 0 ; mso-style-noshow:yes ; mso-style-priorité : 99 ; mso-style-qformat:yes ; mso-style-parent : » « ;" mso-rembourrage-alt : 0 à 5.4pt 0 à 5.4pt ; mso-para-margin : 0 ; mso-para-marge-bottom : .0001pt ; mso-pagination : widow-orphelin ; police-taille : 11.0pt ; famille de police : « Calibri », « sans-serif » ; mso-ascii-font-family : Calibri ; mso-ascii-theme-font : minor-latin ; mso-fareast-font-family : « Times New Roman » ; mso-fareast-theme-font : minor-fareast ; mso-hansi-font-family : Calibri ; mso-hansi-theme-font : minor-latin ; mso-bidi-font-family : « Times New Roman » ; mso-bidi-theme-font : minor-bidi ;}

  SDM_5 extended IP access list

  permit ip host b.b.b.b host a.a.a.a

  ISAKMP crypto key 12345 address y.y.y.y no.-xauth

  map SDM_CMAP_1 5 ipsec-isakmp crypto

  Description vpn for laboratory

  defined peer y.y.y.y

  game of transformation-ESP-3DES-SHA

  match address SDM_5

  I'm running him debugs following:

  Debug crypto ipsec enabled at level 1
  ISAKMP crypto debugging enabled at level 1

  I get the following debug output:

  August 16-04:16:10 [IKEv1]: IP = x.x.x.x, counterpart of drop table counterpart, didn't match!
  August 16-04:16:10 [IKEv1]: IP = x.x.x.x, error: cannot delete PeerTblEntry

  Isa HS her

  IKE Peer: x.x.x.x
  Type: user role: initiator
  Generate a new key: no State: MM_WAIT_MSG2

  Any ideas?

  Thank you

  Dave

  If you see the MM_WAIT_MSG2, which means that her counterpart (the other side) does not answer and this side where you can see the status MM_WAIT_MSG2 sent the first message IKE, however, did not hear of the peer.

  You can check if UDP/500 is stuck on the way between the 2 sites.

  Try running traffic on the other side and see if you also get the same status of MM_WAIT_MSG2. If you do, that confirms 100% 500/UDP is blocked on the way between the 2 sites.