Planning VPN question...

Similar Questions

• Cisco AnyConnect VPN question

  I am ASA 5505 that I am of is running correctly by using the AnyConnect client. The question is, can I connect to the fine external interface, but cannot ping or attach them to any host on the inside. When I connect, it accepts the user name and password, and I can run the ASDM or SSH to the firewall very well, but not further. In the control, after I log in, I get an IP address inside, of the order of 10.7.30.x as expected.

  Following configuration:

  : Saved
  :
  ASA Version 8.2 (5)
  !
  asa5505 hostname
  domain BLA
  activate the password * encrypted
  passwd * encrypted
  no names

  !
  interface Ethernet0/0
  switchport access vlan 2
  !
  interface Ethernet0/1
  !
  interface Ethernet0/2
  !
  interface Ethernet0/3
  switchport access vlan 150
  !
  interface Ethernet0/4
  !
  interface Ethernet0/5
  !
  interface Ethernet0/6
  !
  interface Ethernet0/7
  !
  interface Vlan1
  nameif inside
  security-level 100
  IP 10.7.30.1 255.255.255.0
  !
  interface Vlan2
  nameif outside
  security-level 0
  IP EXTERNAL IP 255.255.255.128
  !
  interface Vlan150
  nameif WLAN_GUESTS
  security-level 50
  IP 10.7.150.1 255.255.255.0
  !
  boot system Disk0: / asa825 - k8.bin
  config to boot Disk0: / running-config
  passive FTP mode
  clock timezone STD - 7
  DNS server-group DefaultDNS
  domain BLA
  permit same-security-traffic intra-interface
  object-group service tcp Webaccess
  port-object eq www
  EQ object of the https port
  object-group network McAfee
  network-object 208.65.144.0 255.255.248.0
  network-object 208.81.64.0 255.255.248.0
  access extensive list ip 10.7.30.0 outside_1_cryptomap allow 255.255.255.0 192.168.24.0 255.255.252.0
  access extensive list ip 10.7.30.0 inside_nat0_outbound allow 255.255.255.0 192.168.24.0 255.255.252.0
  access extensive list ip 10.7.30.0 inside_nat0_outbound allow 255.255.255.0 172.16.10.0 255.255.255.0
  outside_access_in list extended access permit tcp any host 159.87.30.252 eq smtp
  outside_access_in list extended access permit tcp any host 159.87.30.136 Webaccess object-group
  outside_access_in list extended access permit tcp any host 159.87.30.243 Webaccess object-group
  access-list extended outside_access_in permit tcp host 159.87.70.66 host 159.87.30.251 eq lpd
  outside_access_in list extended access permit tcp any host 159.87.30.252 Webaccess object-group
  outside_access_in list extended access permit tcp any host 159.87.30.245 Webaccess object-group
  outside_access_in list extended access permitted tcp object-group McAfee any eq smtp
  permit access list extended ip 172.16.10.0 outside_access_in 255.255.255.0 10.7.30.0 255.255.255.0
  outside_access_in list extended access permit ip host 159.87.64.30 all
  standard access list vpn_users_splitTunnelAcl allow 10.7.30.0 255.255.255.0
  IPS_TRAFFIC of access allowed any ip an extended list
  access extensive list ip 10.7.30.0 outside_nat0_outbound allow 255.255.255.0 any
  inside_access_in list extended access permit udp 10.7.30.0 255.255.255.0 any eq snmp
  access extensive list ip 10.7.30.0 outside_cryptomap allow 255.255.255.0 172.16.10.0 255.255.255.0
  pager lines 24
  Enable logging
  asdm of logging of information
  host of logging inside the 10.7.30.37
  Debugging trace record
  Within 1500 MTU
  Outside 1500 MTU
  MTU 1500 WLAN_GUESTS
  local pool VPN_POOL 10.7.30.190 - 10.7.30.200 255.255.255.0 IP mask
  no failover
  ICMP unreachable rate-limit 1 burst-size 1
  ASDM image disk0: / asdm-645 - 206.bin
  don't allow no asdm history
  ARP timeout 14400
  Global 1 interface (outside)
  NAT (inside) 0-list of access inside_nat0_outbound
  NAT (inside) 1 0.0.0.0 0.0.0.0
  NAT (outside) 0-list of access outside_nat0_outbound
  NAT (WLAN_GUESTS) 1 0.0.0.0 0.0.0.0
  public static 159.87.30.251 (Interior, exterior) 10.7.30.50 netmask 255.255.255.255
  public static 159.87.30.245 (Interior, exterior) 10.7.30.53 netmask 255.255.255.255
  public static 159.87.30.252 (Interior, exterior) 10.7.30.30 netmask 255.255.255.255
  public static 159.87.30.243 (Interior, exterior) 10.7.30.19 netmask 255.255.255.255
  public static 159.87.30.136 (Interior, exterior) 10.7.30.43 netmask 255.255.255.255
  Access-group inside_access_in in interface inside the control plan
  Access-group outside_access_in in interface outside
  Route outside 0.0.0.0 0.0.0.0 159.87.30.254 1
  Route inside 172.16.1.0 255.255.255.0 10.7.30.1 1
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  Floating conn timeout 0:00:00
  dynamic-access-policy-registration DfltAccessPolicy
  AAA-server ADWM-FPS-02 nt Protocol
  AAA-server ADWM-FPS-02 (inside) host 10.7.30.32
  Timeout 5
  auth-domain NT ADWM-FPS-02 controller
  AAA-server ADWM-FPS-02 (inside) host 10.7.30.49
  auth-DC NT ADWM-DC02
  AAA authentication http LOCAL console
  AAA authentication LOCAL telnet console
  the ssh LOCAL console AAA authentication
  Enable http server
  http 206.169.55.66 255.255.255.255 outside
  http 206.169.50.171 255.255.255.255 outside
  http 10.7.30.0 255.255.255.0 inside
  http 206.169.51.32 255.255.255.240 outside
  http 159.87.35.84 255.255.255.255 outside
  SNMP-server host within the 10.7.30.37 community * version 2 c
  location of the SNMP server *.
  contact SNMP Server
  Community SNMP-server
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
  life crypto ipsec security association seconds 28800
  Crypto ipsec kilobytes of life - safety 4608000 association
  Crypto-map dynamic outside_dyn_map pfs set 20 Group1
  card crypto outside_map 1 match address outside_1_cryptomap
  peer set card crypto outside_map 1 206.169.55.66
  map outside_map 1 set of transformation-ESP-3DES-MD5 crypto
  card crypto outside_map 2 match address outside_cryptomap
  peer set card crypto outside_map 2 159.87.64.30
  card crypto outside_map 2 game of transformation-ESP-AES-192-SHA
  map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map
  outside_map interface card crypto outside
  Crypto ca trustpoint *.
  Terminal registration
  full domain name *.
  name of the object *.
  MYKEY keypairs
  Configure CRL
  Crypto ca trustpoint A1
  Terminal registration
  fqdn ***************
  name of the object *.
  MYKEY keypairs
  Configure CRL
  Crypto ca trustpoint INTERMEDIARY
  Terminal registration
  no client-type
  Configure CRL
  Crypto ca trustpoint _SmartCallHome_ServerCA
  Configure CRL
  Crypto ca trustpoint ASDM_TrustPoint0
  Configure CRL
  Crypto ca trustpoint ASDM_TrustPoint1
  Configure CRL
  ca encryption certificate chain *.
  certificate ca 0301
  BUNCH OF STUFF
  quit smoking
  A1 crypto ca certificate chain
  OTHER LOTS of certificate
  quit smoking
  encryption ca INTERMEDIATE certificate chain
  YET ANOTHER certificate
  quit smoking
  Crypto ca certificate chain _SmartCallHome_ServerCA
  certificate ca LAST BOUQUET
  quit smoking
  crypto ISAKMP allow outside
  crypto ISAKMP policy 10
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  No encryption isakmp nat-traversal
  Telnet 10.7.30.0 255.255.255.0 inside
  Telnet timeout 30
  SSH 206.169.55.66 255.255.255.255 outside

  SSH timeout 5
  Console timeout 0
  management-access inside
  dhcpd 4.2.2.2 dns 8.8.8.8
  !
  dhcpd address 10.7.150.10 - 10.7.150.30 WLAN_GUESTS
  enable WLAN_GUESTS dhcpd
  !

  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  SSL encryption rc4 - md5 of sha1
  SSL-trust A1 out point
  WebVPN
  allow outside
  AnyConnect essentials
  SVC disk0:/anyconnect-dart-win-2.5.2019-k9.pkg 1 image
  enable SVC
  attributes of Group Policy DfltGrpPolicy
  Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
  internal VPNUsers group strategy
  Group Policy VPNUsers attributes
  value of server DNS 10.7.30.20
  Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
  Split-tunnel-policy tunnelspecified
  value of Split-tunnel-network-list vpn_users_splitTunnelAcl
  dwm2000.WM.State.AZ.us value by default-field
  Split-dns value dwm2000.wm.state.az.us
  username HCadmin password * encrypted privilege 15
  attributes global-tunnel-group DefaultWEBVPNGroup
  address VPN_POOL pool
  authentication-server-group ADWM-FPS-02
  strategy - by default-VPNUsers group
  tunnel-group 206.169.55.66 type ipsec-l2l
  IPSec-attributes tunnel-group 206.169.55.66
  pre-shared key *.
  tunnel-group 159.87.64.30 type ipsec-l2l
  IPSec-attributes tunnel-group 159.87.64.30
  pre-shared key *.
  !
  class-map IPS_TRAFFIC
  corresponds to the IPS_TRAFFIC access list
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the rsh
  inspect the rtsp
  inspect esmtp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  inspect xdmcp
  inspect the sip
  inspect the netbios
  inspect the tftp
  inspect the icmp
  Review the ip options
  class IPS_TRAFFIC
  IPS inline help
  !
  global service-policy global_policy
  field of context fast hostname
  anonymous reporting remote call
  call-home
  Profile of CiscoTAC-1
  no active account
  http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
  email address of destination [email protected] / * /
  destination-mode http transport
  Subscribe to alert-group diagnosis
  Subscribe to alert-group environment
  Subscribe to alert-group monthly periodic inventory
  monthly periodicals to subscribe to alert-group configuration
  daily periodic subscribe to alert-group telemetry
  Cryptochecksum:e70de424cf976e0a62b5668dc2284587
  : end
  ASDM image disk0: / asdm-645 - 206.bin
  ASDM location 159.87.70.66 255.255.255.255 inside
  ASDM location 208.65.144.0 255.255.248.0 inside
  ASDM location 208.81.64.0 255.255.248.0 inside
  ASDM location 172.16.10.0 255.255.255.0 inside
  ASDM location 159.87.64.30 255.255.255.255 inside
  don't allow no asdm history

  Anyone have any ideas?

  Hello

  Please, add this line in your configuration and let me know if it works:

  access extensive list ip 10.7.30.0 inside_nat0_outbound allow 255.255.255.0 10.7.30.0 255.255.255.0

  I ask you to add that it is because you have not specified any exceptions for the return shipping. Once you add to it, will allow you to go through the tunnel VPN, packets back. When this command is not there, you will be able to access everything on the SAA but nothing behind it.

  Let me know if it helps.

  Thank you

  Vishnu

• VPN question

  Hi, I use the windows Server 2003 and. When I access my server at home I connect the VPN but I not have access to the shared private folder when I try to open the system crashes but the other file I can open without blocking. Please help me solve this problem...

  Hi Patchamuthu,

  Your question of Windows is more complex than what is generally answered in the Microsoft Answers forums. It is better suited for support on Windows server. Please post your question in the below link:http://social.technet.microsoft.com/Forums/en/itproxpsp/threads

  With regard to:

  Samhrutha G S - Microsoft technical support.

  Visit our Microsoft answers feedback Forum and let us know what you think.

• ACL VPN question

  I have two questions that regarding ACL is used in the instructions on the Card Crypto:

  1. the two devices VPN should have the same ACE in the ACL? I know that without the second ACE site B below will not see as interesting udp traffic, but the will of the vpn tunnel fails because the ACL is not the same ACE?

  That is to say...

  Site has

  Access-list 110 permit tcp 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0

  Access-list 110 permit udp 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0

  Site B

  Access-list 110 permit tcp 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0

  2. once a tunnel is established it will send ANY/ALL traffic destined to the remote network through this tunnel. If the first ACE in the ACL 110 to Site A list is used to bring up the tunnel, only tcp from to 10.0.2.0/24 10.0.1.0/24 traffic will use the tunnel or all traffic from 10.0.1.0/24 intended for the remote network to cross the tunnel?

  I guess my thought is this. The ACL is only used to determine valuable traffic and once the tunnel is up it is a free for all. Or the ACL only allows traffic that meets the criteria specified in the ACL list to flow once the tunnel is established?

  Thank you

  Brian

  Brian,

  Your statement

  'Or the ACL allows only traffic that meets the criteria specified in the ACL list to flow after the tunnel is established'

  Is correct, only the traffic that meets the ACL crypto will go through the vpn tunnel and all other traffic will be denied. If you need UDP traffic to travel through the tunnel, you need crypto ACL on both sides and not only on one side, that is, SITE A.

  Hope this helps,

  Jay

• VPN question: ISP assigned a private ip address

  Hi all

  Internet-online-online headquarters VPN 3015 concentrator

  Users remote VPN Client connected to the internet using a private ip address provided by the ISP (cable) is to establish a VPN tunnel, but they can not ping our private network.

  The only way to get the VPN works is when remote users use a public ip.

  It is a question of Cisco VPN Client? Or it has a solution...

  Thanks in advance,

  Kind regards

  Carlos Welhous

  Network engineer

  Hi Carlos,

  If your ISP gave you a private address, they must use NAT - in which case you will have to enable NAT - T on the VPN concentrator.

  To configure the NAT - T in the world, go to Configuration | System | Tunnelling protocols. IPSec | Screen of transparent NAT and check on NAT - T IPSec case.

• VPN - question of General design for a ut of a router tunnel more

  Hello

  We have a router that has VPN connections with different partners of our company. VPN remote access were used on computers that are connecting to the different partners of our company.

  There has been problems of this kind, that is to say put on both a watchdog and a customer vpn cisco router led to blue-screens on the PC.

  The current idea is to put different tunnels from site to site on the router (default gateway of PC clients that connect to the partners). My question is... How our PC to get DHCP addresses on networks of visitors, once the tunnels are up? I guess I'm alittle confused about the address for the PC on our side how will work.

  Thanks for your help.

  Divide the pool of ip from the internal network, you're going to visit. for example the document below will be exaplain the same configuration in user mode.

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00806ab788.shtml

• nat VPN question.

  Try to find what happened.  I had the remote end raise the tunnel, as they can ping resources on my side.  I am unable to ping 10.90.238.148 through this tunnel.  I used to be able to until the interface of K_Inc has been added.  The network behind this interface is 10/8.

  I asked a question earlier in another post and advises him to play opposite road of Cryptography.  And who did it.  I was able to ping 10.90.238.148 of 192.168.141.10, with the config below.

  I am at a loss to why I can't all of a sudden.  A bit of history, given routes have not changed.  By adding the command set opposite road to cryptography, I find myself with a static entry for the 10.90.238.0 network is what fixed it initially so I don't think it's a problem of route.  The remote end had an overlap with the 192.168.141.0/24 that is why my side is natted on the 10.40.27.0.  None of the nats have changed so if adding the reverse route worked for a day, it should still work.  Any thoughts?

  interface GigabitEthernet0/3.10

  VLAN 10

  nameif K_Inc

  security-level 100

  IP address 192.168.10.254 255.255.255.0

  interface GigabitEthernet0/3.141

  VLAN 141

  cold nameif

  security-level 100

  IP 192.168.141.254 255.255.255.0

  (Cold) NAT 0 access-list sheep

  NAT (cold) 1 192.168.141.0 255.255.255.0

  Access extensive list ip 192.168.141.0 CSVPNOFFSITE allow 255.255.255.0 10.90.238.0 255.255.255.0

  Access extensive list ip 10.40.27.0 CSVPNOFFSITE allow 255.255.255.0 10.90.238.0 255.255.255.0

  Access extensive list ip 192.168.141.0 CSVPNNAT allow 255.255.255.0 10.90.238.0 255.255.255.0

  IP 10.40.27.0 allow Access-list extended sheep 255.255.255.0 10.90.238.0 255.255.255.0

  static 10.40.27.0 (cold, outside) - CSVPNNAT access list

  card crypto Outside_map 5 corresponds to the address CSVPNOFFSITE

  card crypto Outside_map 5 the value reverse-road

  card crypto Outside_map 5 set pfs

  card crypto Outside_map 5 set peer 20.x.x.3

  Outside_map 5 transform-set ESP-3DES-MD5 crypto card game

  card crypto Outside_map 5 defined security-association life seconds 28800

  card crypto Outside_map 5 set security-association kilobytes of life 4608000

  tunnel-group 20.x.x.3 type ipsec-l2l

  20.x.x.3 Group of tunnel ipsec-attributes

  pre-shared-key *.

  Route outside 0.0.0.0 0.0.0.0 7.x.x.1 1

  Route 10.0.0.0 K_Inc 255.192.0.0 192.168.10.252 1

  Route K_Inc 10.64.0.0 255.224.0.0 192.168.10.252 1

  Route K_Inc 10.100.100.0 255.255.255.0 192.168.10.252 1

  Route K_Inc 10.128.0.0 255.128.0.0 192.168.10.252 1

  Tunnel is up:

  14 peer IKE: 20.x.x.243

  Type: L2L role: answering machine

  Generate a new key: no State: MM_ACTIVE

  EDIT:

  I just noticed when tracer packet i run I don't get a phase VPN or encrypt:

  Packet-trace entry cold tcp 192.168.141.10 80 80 10.90.238.148 det

  Phase: 1

  Type: FLOW-SEARCH

  Subtype:

  Result: ALLOW

  Config:

  Additional information:

  Not found no corresponding stream, creating a new stream

  Phase: 2

  Type:-ROUTE SEARCH

  Subtype: entry

  Result: ALLOW

  Config:

  Additional information:

  in 10.90.238.0 255.255.255.0 outside

  Phase: 3

  Type: IP-OPTIONS

  Subtype:

  Result: ALLOW

  Config:

  Additional information:

  Direct flow from returns search rule:

  ID = 0xad048d08, priority = 0, sector = option-ip-enabled, deny = true

  hits = 2954624, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

  SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

  DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

  Phase: 4

  Type: QOS

  Subtype:

  Result: ALLOW

  Config:

  Additional information:

  Direct flow from returns search rule:

  ID = 0xb2ed4b80, priority = 72, domain = qos by class, deny = false

  hits = 2954687, user_data = 0xb2ed49d8, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

  SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

  DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

  Phase: 5

  Type: FOVER

  Subtype: Eve-updated

  Result: ALLOW

  Config:

  Additional information:

  Direct flow from returns search rule:

  ID = 0xad090180, priority = 20, area = read, deny = false

  hits = 618776, user_data = 0 x 0, cs_id = 0 x 0, flags = 0 x 0, Protocol = 6

  SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

  DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

  Phase: 6

  Type: NAT

  Subtype:

  Result: ALLOW

  Config:

  static (ColdSpring, external) 74.x.x.50 192.168.141.10 netmask 255.255.255.255

  match ip host 192.168.141.10 ColdSpring outside of any

  static translation at 74.x.x.50

  translate_hits = 610710, untranslate_hits = 188039

  Additional information:

  Definition of static 192.168.141.10/0 to 74.112.122.50/0 using subnet mask 255.255.255.255

  Direct flow from returns search rule:

  ID = 0xac541e50, priority = 5, area = nat, deny = false

  hits = 610742, user_data = 0xac541c08, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol

  SRC ip = 192.168.141.10, mask is 255.255.255.255, port = 0

  DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

  Phase: 7

  Type: NAT

  Subtype: host-limits

  Result: ALLOW

  Config:

  static (ColdSpring, dmz) 192.168.141.0 192.168.141.0 netmask 255.255.255.0

  match ip ColdSpring 192.168.141.0 255.255.255.0 dmz all

  static translation at 192.168.141.0

  translate_hits = 4194, untranslate_hits = 20032

  Additional information:

  Direct flow from returns search rule:

  ID = 0xace2c1a0, priority = 5, area = host, deny = false

  hits = 2954683, user_data = 0xace2ce68, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

  SRC ip = 192.168.141.0, mask is 255.255.255.0, port = 0

  DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

  Phase: 8

  Type: IP-OPTIONS

  Subtype:

  Result: ALLOW

  Config:

  Additional information:

  Reverse flow from returns search rule:

  ID = 0xaacbcb90, priority = 0, sector = option-ip-enabled, deny = true

  hits = 282827537, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

  SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

  DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

  Phase: 9

  Type: QOS

  Subtype:

  Result: ALLOW

  Config:

  Additional information:

  Reverse flow from returns search rule:

  ID = 0xb2ed5c78, priority = 72, domain = qos by class, deny = false

  hits = 4749562, user_data = 0xb2ed5ad0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

  SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

  DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

  Phase: 10

  Type: CREATING STREAMS

  Subtype:

  Result: ALLOW

  Config:

  Additional information:

  New workflow created with the 339487904 id, package sent to the next module

  Information module for forward flow...

  snp_fp_inspect_ip_options

  snp_fp_tcp_normalizer

  snp_fp_translate

  snp_fp_adjacency

  snp_fp_fragment

  snp_fp_tracer_drop

  snp_ifc_stat

  Information for reverse flow...

  snp_fp_inspect_ip_options

  snp_fp_translate

  snp_fp_tcp_normalizer

  snp_fp_adjacency

  snp_fp_fragment

  snp_fp_tracer_drop

  snp_ifc_stat

  Phase: 11

  Type:-ROUTE SEARCH

  Subtype: output and contiguity

  Result: ALLOW

  Config:

  Additional information:

  found 7.x.x.1 of next hop using ifc of evacuation outside

  contiguity Active

  0007.B400.1402 address of stretch following mac typo 51982146

  Result:

  input interface: cold

  entry status: to the top

  entry-line-status: to the top

  output interface: outside

  the status of the output: to the top

  output-line-status: to the top

  Action: allow

  What version are you running to ASA?

  My guess is that your two static NAT is configured above policy nat you have configured for the VPN?  If this is the case, move your above these static NAT NAT policy and you should see the traffic start to flow properly.

  --

  Please note all useful posts

• IPhone and cisco vpn question

  All, I have an IPhone and I'm VPN'ing in a SAA with IOS 8.2.2.  I do not have vpn'ing of issues, but I have a question that is causing quite a stir here.  When I try to use names rather than IP addresses (trying to access a server or an internal Web site), the client does not receive DNS answers.  I can get to the servers via IP, but not by the name of the server.  I can use the same PCF file for my laptop, and it works fine.  Someone at - it a resolution to this scenario?  Any help appreciated.

  Add the domain name in the attributes of Group Policy: -.

  value by default-domain MYDOMAIN.COM

  Manish

• VPN question on encryption

  Hi all

  I am currently studying my CCNA to the University and we are doing a group project and must implement a vpn encrypted tunnel. It's a lab environment that is the reason why ports fast ethernet are used for the wan between sites link. Our tunnel works as we only eigrp ajacency when the tunnel is enabled, but is not encrypt the traffic. I pasted the config for both routers below in the hope that someone will spot the problem etc. of the missing parameter. Thanks in advance:

  Melbourne router

  Ballarat router

  SH run Building configuration... Current configuration: 2701 bytes ! version 12.4 horodateurs service debug datetime msec Log service timestamps datetime msec no password encryption service ! Melbourne host name ! boot-start-marker boot-end-marker ! enable secret 5 $1$ a6cF$ hku9VwfFY2t91gYi56.f00 enable password cisco ! No aaa new-model ! ! IP cef ! ! no ip domain search property intellectual auth-proxy max-nodata-& 3 property intellectual admission max-nodata-& 3 ! Authenticated MultiLink bundle-name Panel ! ! voice-card 0 No dspfarm ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! Archives The config log hidekeys ! ! crypto ISAKMP policy 1 BA aes preshared authentication Group 2 ISAKMP crypto key 0zMult1 address 192.168.200.30 ! ! Crypto ipsec transform-set VPN - SET esp - aes esp-sha-hmac ! map VPN-map 10 ipsec-isakmp crypto defined by peer 192.168.200.30 Set security-association second life 28800 transform-Set VPN - SET matches the address VPN - ACL ! ! ! ! ! ! ! interface Tunnel0 IP 10.31.31.1 255.255.255.252 source of tunnel FastEthernet0/1 tunnel destination 192.168.200.30 ! interface FastEthernet0/0 no ip address automatic duplex automatic speed ! interface FastEthernet0/0.2 encapsulation dot1Q 2 IP 172.17.0.254 255.255.255.0 IP helper 172.17.5.1 ! interface FastEthernet0/0.3 encapsulation dot1Q 3 IP 172.17.1.254 255.255.255.0 IP helper 172.17.5.1 ! interface FastEthernet0/0.4 encapsulation dot1Q 4 IP 172.17.2.254 255.255.255.0 IP helper 172.17.5.1 ! interface FastEthernet0/0.5 encapsulation dot1Q 5 IP 172.17.3.254 255.255.255.0 IP helper 172.17.5.1 ! interface FastEthernet0/0.6 encapsulation dot1Q 6 IP 172.17.4.254 255.255.255.0 IP helper 172.17.5.1 ! interface FastEthernet0/0.10 encapsulation dot1Q 10 IP 172.17.5.22 255.255.255.248 interface FastEthernet0/0.20 encapsulation dot1Q 20 IP 172.17.5.14 255.255.255.240 ! interface FastEthernet0/0.99 99 native encapsulation dot1Q IP 172.17.99.254 255.255.255.0 ! interface FastEthernet0/1 IP 192.168.100.29 255.255.255.0 automatic duplex automatic speed card crypto VPN-map ! Router eigrp 32 Network 10.31.31.0 0.0.0.3 network 172.17.0.0 0.0.0.255 network 172.17.1.0 0.0.0.255 network 172.17.2.0 0.0.0.255 network 172.17.3.0 0.0.0.255 network 172.17.4.0 0.0.0.255 network 172.17.5.0 0.0.0.15 network 172.17.5.16 0.0.0.7 No Auto-resume ! IP forward-Protocol ND IP route 0.0.0.0 0.0.0.0 192.168.100.1 ! ! IP http server no ip http secure server ! scope of access to IP-VPN-ACL list allow gre 10.31.31.1 host 10.31.31.2 ! ! ! ! ! ! ! control plan ! ! ! ! ! ! ! ! ! Line con 0 Synchronous recording line to 0 line vty 0 4 password ciscoccna opening of session !

  Scheduler allocate 20000 1000

  !

  end

  Melbourne

  SH run

  Building configuration...

  Current configuration: 2371 bytes

  !

  version 12.4

  horodateurs service debug datetime msec

  Log service timestamps datetime msec

  no password encryption service

  !

  Ballarat hostname

  !

  boot-start-marker

  boot-end-marker

  !

  enable secret 5 $1$ jo2Y$ N/21BdfKAKs5A.N6xuMBd0

  enable password cisco

  !

  No aaa new-model

  !

  !

  IP cef

  !

  !

  no ip domain search

  property intellectual auth-proxy max-nodata-& 3

  property intellectual admission max-nodata-& 3

  !

  Authenticated MultiLink bundle-name Panel

  !

  !

  voice-card 0

  No dspfarm

  !

  !

  !

  !

  !

  !

  !

  !

  !

  !

  !

  !

  !

  !

  !

  !

  !

  !

  !

  Archives

  The config log

  hidekeys

  !

  !

  crypto ISAKMP policy 1

  BA aes

  preshared authentication

  Group 2

  ISAKMP crypto key 0zMult1 address 192.168.100.29

  !

  !

  Crypto ipsec transform-set VPN - SET esp - aes esp-sha-hmac

  !

  map VPN-map 10 ipsec-isakmp crypto

  defined by peer 192.168.100.29

  Set security-association second life 28880

  transform-Set VPN - SET matches the address VPN - ACL

  !

  !

  !

  !

  !

  !

  !

  interface Tunnel0

  IP 10.31.31.2 255.255.255.252

  source of tunnel FastEthernet0/1

  tunnel destination 192.168.100.29

  !

  interface FastEthernet0/0

  no ip address

  automatic duplex

  automatic speed

  !

  interface FastEthernet0/0.7

  encapsulation dot1Q 7

  IP 172.17.32.254 255.255.255.0

  IP helper 172.17.35.1

  !

  interface FastEthernet0/0.8

  encapsulation dot1Q 8

  IP 172.17.33.254 255.255.255.0

  IP helper 172.17.35.1

  !

  interface FastEthernet0/0.9

  encapsulation dot1Q 9

  IP 172.17.34.254 255.255.255.0

  IP helper 172.17.35.1

  !

  interface FastEthernet0/0.30

  encapsulation dot1Q 30

  IP 172.17.35.14 255.255.255.240

  !

  interface FastEthernet0/0.99

  99 native encapsulation dot1Q

  IP 172.17.99.254 255.255.255.0

  !

  interface FastEthernet0/1

  IP 192.168.200.30 255.255.255.0

  automatic duplex

  automatic speed

  !

  Router eigrp 32

  Network 10.31.31.0 0.0.0.3

  network 172.17.32.0 0.0.0.255

  network 172.17.33.0 0.0.0.255

  network 172.17.34.0 0.0.0.255

  network 172.17.35.0 0.0.0.15

  No Auto-resume

  !

  IP forward-Protocol ND

  IP route 0.0.0.0 0.0.0.0 192.168.200.1

  !

  !

  IP http server

  no ip http secure server

  !

  scope of access to IP-VPN-ACL list

  allow gre 10.31.31.2 host 10.31.31.1

  IP 172.17.0.0 allow 0.0.255.255 172.17.0.0 0.0.255.255

  permit ip host 192.168.200.30 192.168.100.29

  !

  !

  !

  !

  !

  !

  control plan

  !

  !

  !

  !

  !

  !

  !

  !

  !

  !

  Line con 0

  Synchronous recording

  line to 0

  line vty 0 4

  password ciscoccna

  opening of session

  !

  Scheduler allocate 20000 1000

  !

  end

  Ballarat #.

  Hello

  1. cryptographic maps on tunnel interfaces are not supported. You can remove that?

  2. your crypto ACL should be allowed free will host 192.168.100.29 host 192.168.200.30 [since you want to protect free WILL - so select you the points end tunnel source and destination]

  See you soon,.

• Access remote VPN question - hairpin

  Hello, I did a search before posting this question but I have not found anything specific to my situation.

  We have our ASA5520 configured in our main office to allow remote access Cisco VPN client users to access our network.  We have a (network 192.168.1.0/24) remote desktop we have a configured on the same ASA5520 VPN IPSec tunnel that allows the use of internal users (in the main office) to access resources on the network remote (192.168.1.0) and vice versa.  The problem is that when users connect to the remote VPN access, they are not able to access the resources of the remote office network.  We created the nat0 ACL and labour, and split tunnel routing is implemented for users VPN remote network access (if I make a copy of the route on my laptop after connecting to the VPN, I see the road to 192.168.0.0/24 in my routing table).  Routing everything is in place to do this, since the IPSec VPN tunnel is up and working.  My suspicion is that the question has something to do with the consolidation of these VPN clients.

  What else needs to be configured to work?  Thank you.

  Hi Scott,.

  I have a client with a PIX 515E which allows connections to remote VPN and VPN LAN2LAN multiple connections.

  We had this problem too... so what I made in my pix was:

  TEST (config) # same-security-traffic intra-interface permits (its off by default)

  If you use ASDM go to:

  Configuration > Interfaces >

  at the bottom of this page, there is an option that says: 'enable traffic between two or more host computers connected to the same interface '.

  Check and it should work... I hope

  I await your comments...

  Kind regards.

  Joao Tendeiro

• ASA (Active standby) site-to-Site VPN Question

  Hello

  I had the question as below

  Site A - 1 unit of VPN Netscreen firewall

  Site B - 2 units of ASA VPN firewall

  

  I'm trying to set up a VPN from Site to Site, but a problem with the configuration of the active standby.

  Initially, I tried Site A 1 unit Netscreen and Site B 1 unit ASA vpn site-to-site. There's no problem.

  but joins another ASA at site B and configure it as active / standby then I saw a few questions that I need help from here

  Things that confuse me.

  (1) do I need to use 2 public IP address on the SAA? (public IP for assets and the other a public IP ensures IP. it seems like a waste of the public IP address.)

  (2) link failover and dynamic failover can be configured on the same interface?

  Please help in this case, configuring VPN from Site to Site with active configuration / standby.

  just to add to this,

  just be careful when you dedicate an interface for dynamic failover, make sure that it is the highest capacity, or at least the same ability as an interface offers th

  so if you use concert for passing traffic interface uses a concert for dynamic failover port, several times we saw people using the management for steful interface when they ports of concert and they run into issues where the dynamic function does not work as expected

  You can read more here

  https://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/failover.html#wp1051759

• Question 1: The button "Buy now" does not work when you select a plan. Question 2: Can not select "Monthly Plan" for a "unique App."

  Question 1: The button "Buy now" does not work when you select a plan.

  How to reproduce the problem:

  1. go in terms of pricing and membership creative cloud | Adobe Creative Cloud

  2. choose a plan, then click on 'buy now '.

  3. you go to a blank page instead of the next steps in the payment.

  Question 2: Can not select "Monthly Plan" for a "unique App."

  How to reproduce the problem:

  1. go into "https://creative.adobe.com/plans".

  2. under "Unique App", select a product and then try to select the "monthly Plan" in the second menu drop-down.

  3. for some reason, it isn't get selected and the price is replaced with the ellipsis (...). I expect the monthly price to appear.

  Please notify.

  Thank you.

  Contact adobe during the time pst support by clicking here and, when available, click on "still need help," http://helpx.adobe.com/x-productkb/global/service-ccm.html

• Install the Version 11.1.1.3 Plan & sequence: Questions

  I have to install Essbase, Planning & Financial Reporting Version 11.1.1.3. For now, it's a development server with 3 client machines (all developers who will need administrator rights). My plan is this, please check, I have a few questions on the way:
  
  Check the compatibility of platform: Will probably use Windows Server 2003 and by default built in Server tomcat web. Intend using EPMA for IIS 6.0 must be installed first (correct?)
  
  Download files:
  E.M.P. Installer
  Parts of the foundations Services 1-4
  Essbase Client
  Essbase Server
  Planning
  
  Unzip all the files in a folder on the development server. Also unzip the installer of EPM and the Foundation Services on all client machines 3.
  
  For the Configuration and installation of the server:
  Run the installation program of EPM on the development server.
  Configure the SSP on the development server. Then connect on shared services and see if it works and is running. If so, then go ahead. If this isn't the case, then back to the forums and SOS to the rescue!
  Configure Essbase and planning on the development server, with a separate Oracle (or SQL) database for each. (* For all that I have to do is to create a database in Oracle or SQL Server for each component is accurate *?) Stupid question, but how do guys usually appoint those?)
  
  For the configuration and installation of the client
  Unzip EMP Installer, Foundation Services, Essbase and planning
  Run Setup EMP and less 'install by Tier' box ONLY correct CUSTOMER for Essbase and planning products?
  When configuring shared services, use 'a previously configured shared services' (the one on the development server)
  How to configure the database for the client components? If I point to on the development server? Pls clarify this part for me.
  
  I think that the above is all the steps in order. Pls correct me if I'm wrong. Answers to my questions, more additional tips, experts and experienced users appreciated.

  I think that the autonomous addin is available from My Oracle Support.
  Classic vs EPMA has been raised several times on the essbase forum or forum of planning so just give a bit of research.
  It may depend on how you want to maintain your hierarchies and what is your data source and the fact must be processed that will take you in what direction to take.

  See you soon

  John
  http://John-Goodwin.blogspot.com/

• Gateway RV320 ping RV320 VPN question

  Hi all

  I have 3 x RV320 with the latest firmware to all configure to use VPN from gateway to gateway in a configuration of spokes and hub.

  On all RV320, I can see the connected state of the VPN tunnels. However, I can't do a ping to gateway to gateway or computer connected to each RV320. Firewall has been disabled on all RV320.

  Any help will be appreciated.

  concerning

  J

  Try the ping of the diagnosis of each rv320 page.  Recreational vehicles cannot ping between them?  If so, your tunnel is up, but something wrong with the subnet configs.

• A connection VPN Question

  Dear,

  I have configured anyconnect on my asa and it works fine, but I can't manage the ASA it free VPN, all ideas session

  BR

  Hazem

  It is possible with the help of the command "access management". Please refer to the following documentation: -.

  http://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa82/configuration/guide/config/access_management.html#wp1064497

  Make sure you have good split tunnel and free of nat-access list for traffic destined for the interface of the ASA.

  Kind regards
  Dinesh Moudgil

  PS Please rate helpful messages.