Problem with IPsec VPN between ASA and router Cisco - ping is not response

Similar Questions

• LAN to lan vpn between ASA and router 7200

  Hi friends,

  I need to configure the lan to lan between ASA vpn (remote location) and router 7200 (on our network).

  <7200 router="" (ip="" add:="" 10.10.5.2)="">-(Internet) -<(IP add:="" 192.168.12.2)="" asa(5510)="">---192.135.5.0/24 network

  I will have the following configuration:

  7200 router:

  crypto ISAKMP policy 80

  the enc

  AUTH pre-shared

  Group 1

  life 3600

  ISAKMP crypto key cisco123 address 192.168.12.2

  Cryto ipsec transform-set esp - esp-md5-hmac VPNtrans

  map VPNTunnel 80 ipsec-isakmp crypto

  defined by peer 192.168.12.2

  game of transformation-VPNtrans

  match address 110

  int fa0/0

  IP add 10.10.5.2 255.255.255.192

  IP virtual-reassembly

  no ip route cache

  Speed 100

  full duplex

  card crypto VPNTunnel

  access-list 110 permit ip any 192.135.5.0 0.0.0.255

  ASA:

  int e0/0

  nameif inside

  security-level 100

  192.135.5.254 Add IP 255.255.255.0

  int e0/1

  nameif outside

  security-level 0

  IP add 192.168.12.2 255.255.255.240

  access-list ACL extended ip 192.135.5.0 allow 255.255.255.0 any

  Route outside 0.0.0.0 0.0.0.0.0 192.168.12.3 1

  "pre-shared key auth" ISAKMP policy 10

  ISAKMP policy 10-enc

  ISAKMP policy 10 md5 hash

  10 1 ISAKMP policy group

  ISAKMP duration strategy of life 10-3600

  Crypto ipsec transform-set esp - esp-md5-hmac VPNtran

  card crypto VPN 10 matches the ACL address

  card crypto VPN 10 set peer 10.10.5.2

  card crypto VPN 10 the transform-set VPNtran value

  tunnel-group 10.10.5.2 type ipsec-l2l

  IPSec-attributes of type tunnel-group 10.10.5.2

  cisco123 pre-shared key

  card crypto VPN outside interface

  ISAKMP allows outside

  dhcpd address 192.135.5.1 - 192.135.5.250 inside

  dhcpd dns 172.15.4.5 172.15.4.6

  dhcpd wins 172.15.76.5 172.15.74.5

  dhcpd lease 14400

  dhcpd ping_timeout 500

  dhcpd allow inside

  Please check the configuration, please correct me if I missed something. I'm in a critical situation at the moment...

  Please advise...

  Thank you very much...

  Where it fails at the present time?

  Can you share out of after trying to establish the VPN tunnel:

  See the isa scream his

  See the ipsec scream his

  Please also run the following debug to see where it is a failure:

  debugging cry isa

  debugging ipsec cry

• VPN between ASA and router

  Hi all

  First of all, I would like to say I'm trying to implement this on Packet trace. I would like to set up a VPN using an ASA 5505 and a Cisco router 1841 (both available on Packet trace).

  The devices can ping external IP address on the other.

  The problem is that the VPN is not established. If I run sh crypto control its isakmp on the SAA, he said: there are no SAs IKEv1

  Configurations for both devices are attached.

  No idea why it doesn't work? Sorry if it is not the right forum for this, is the first time I post. I've searched the forums and I checked some of the proposed solutions, but I have not found the answer to my problem :-(

  Thanks in advance,

  Patty

  1. On the router, there is no crypto card. Need in a manner consistent with the SAA.
  2. Your policy of phase 1 is not compatible. They settings must match on both sides (router: 3des, ASA: aes)
  3. You can adjust your NAT on both devices that tunnel traffic does not get teeth. Remember that NAT is made prior to IPsec. If you do not exempt NAT traffic, then it will not match the ACL crypto more after NAT.
  4. Yes, the forum is perfectly fine! ;-)

• VPN between ASA and cisco router [phase2 question]

  Hi all

  I have a problem with IPSEC VPN between ASA and cisco router

  I think that there is a problem in the phase 2

  Can you please guide me where could be the problem.
  I suspect questions ACL on the router, but I cannot fix. ACL on the router is specified below

  Looking forward for your help

  Phase 1 is like that

  Cisco_router #sh crypto isakmp his

  IPv4 Crypto ISAKMP Security Association
  status of DST CBC State conn-id slot
  78.x.x.41 87.x.x.4 QM_IDLE 2006 0 ACTIVE

  and ASA

  ASA # sh crypto isakmp his

  ITS enabled: 1
  Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
  Total SA IKE: 1

  1 peer IKE: 78.x.x.41
  Type: L2L role: initiator
  Generate a new key: no State: MM_ACTIVE

  Phase 2 on SAA

  ASA # sh crypto ipsec his
  Interface: Outside
  Tag crypto map: Outside_map, seq num: 20, local addr: 87.x.x.4

  Outside_cryptomap_20 ip 172.19.209.0 access list allow 255.255.255.0 172.
  19.194.0 255.255.255.0
  local ident (addr, mask, prot, port): (172.19.209.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (172.19.194.0/255.255.255.0/0/0)
  current_peer: 78.x.x.41

  #pkts program: 8813, #pkts encrypt: 8813, #pkts digest: 8813
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 8813, model of #pkts failed: 0, #pkts Dang failed: 0
  #send errors: 0, #recv errors: 0

  local crypto endpt. : 87.x.x.4, remote Start crypto. : 78.x.x.41

  Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
  current outbound SPI: C96393AB

  SAS of the esp on arrival:
  SPI: 0x3E9D820B (1050509835)
  transform: esp-3des esp-md5-hmac no
  running parameters = {L2L, Tunnel}
  slot: 0, id_conn: 7, crypto-card: Outside_map
  calendar of his: service life remaining (KB/s) key: (4275000/3025)
  Size IV: 8 bytes
  support for replay detection: Y
  outgoing esp sas:
  SPI: 0xC96393AB (3378746283)
  transform: esp-3des esp-md5-hmac no
  running parameters = {L2L, Tunnel}
  slot: 0, id_conn: 7, crypto-card: Outside_map
  calendar of his: service life remaining (KB/s) key: (4274994/3023)
  Size IV: 8 bytes
  support for replay detection: Y

  Phase 2 on cisco router

  protégé of the vrf: (none)
  local ident (addr, mask, prot, port): (172.19.209.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (172.19.194.0/255.255.255.0/0/0)
  current_peer 87.x.x.4 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  Errors #send 0, #recv 0 errors

  local crypto endpt. : 78.x.x.41, remote Start crypto. : 87.x.x.4
  Path mtu 1452, ip mtu 1452, ip mtu BID Dialer0
  current outbound SPI: 0x0 (0)

  SAS of the esp on arrival:

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:

  outgoing ah sas:

  outgoing CFP sas:

  protégé of the vrf: (none)
  local ident (addr, mask, prot, port): (172.19.194.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (172.19.209.0/255.255.255.0/0/0)
  current_peer 87.x.x.4 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 8947, #pkts decrypt: 8947, #pkts check: 8947
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  Errors #send 0, #recv 0 errors

  local crypto endpt. : 78.x.x.41, remote Start crypto. : 87.x.x.4
  Path mtu 1452, ip mtu 1452, ip mtu BID Dialer0
  current outbound SPI: 0x3E9D820B (1050509835)

  SAS of the esp on arrival:
  SPI: 0xC96393AB (3378746283)
  transform: esp-3des esp-md5-hmac.
  running parameters = {Tunnel}
  Conn ID: 29, flow_id: Motorola SEC 1.0:29, card crypto: mycryptomap
  calendar of his: service life remaining (k/s) key: (4393981/1196)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0x3E9D820B (1050509835)
  transform: esp-3des esp-md5-hmac.
  running parameters = {Tunnel}
  Conn ID: 30, flow_id: Motorola SEC 1.0:30, card crypto: mycryptomap
  calendar of his: service life remaining (k/s) key: (4394007/1196)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:

  VPN configuration is less in cisco router

  access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
  access-list 101 permit ip 172.19.206.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
  access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
  access-list 101 permit ip 172.19.203.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
  access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connect
  access-list 101 permit ip 172.19.209.0 0.0.0.255 172.19.194.0 0.0.0.255 connect

  access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
  access-list 105 deny ip 172.19.206.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
  access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
  access-list 105 deny ip 172.19.203.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
  access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connect
  access-list 105 deny ip 172.19.209.0 0.0.0.255 172.19.194.0 0.0.0.255 connect

  sheep allowed 10 route map
  corresponds to the IP 105

  Crypto ipsec transform-set esp-3des esp-md5-hmac mytransformset

  mycryptomap 100 ipsec-isakmp crypto map
  the value of 87.x.x.4 peer
  Set transform-set mytransformset
  match address 101

  crypto ISAKMP policy 100
  BA 3des
  md5 hash
  preshared authentication
  Group 2
  ISAKMP crypto key xxx2011 address 87.x.x.4

  Your permit for 105 ACL statement should be down is changed to match because it is the most general ACL.

  You currently have:

  Extend the 105 IP access list
  5 permit ip 172.19.194.0 0.0.0.255 (18585 matches)
  10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
  30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
  50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connect

  It should be:

  Extend the 105 IP access list
  10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
  30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
  50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connect

  IP 172.19.194.0 allow 60 0.0.0.255 (18585 matches)

  To remove it and add it to the bottom:

  105 extended IP access list

  not 5

  IP 172.19.194.0 allow 60 0.0.0.255 any

  Then ' delete ip nat trans. "

  and it should work now.

• Private of IPSec VPN-private network between ASA and router

  Hello community,

  This is first time for me to configure IPSec VPN between ASA and router. I have an ASA 5540 at Headquarters and 877 router to EH Branch

  Headquarters ASA summary.

  Peer IP: 111.111.111.111

  Local network: 10.0.0.0

  Branch

  Peer IP: 123.123.123.123

  LAN: 192.168.1.0/24

  Please can someone help me set up the vpn.

  Hello

  This guide covers exactly what you need:

  Establishment of ASDM and SDM - http://www.netcraftsmen.net/resources/archived-articles/273.html

  Tunnel VPN - ASA to the router configuration:

  http://www.Cisco.com/en/us/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml#ASDM

  Kind regards

  Jimmy

• Troubleshooting IPSec Site to Site VPN between ASA and 1841

  Hi all

  in the past I've implemented several VPN connections between the devices of the SAA. So I thought a site link between an ASA site and 1841 would be easier... But it seems I was mistaken.

  I configured a VPN Site to Site, as it has been described in the Document ID: SDM 110198: IPsec Site to Site VPN between ASA/PIX and an example of IOS Router Configuration (I have not used SDM but CCP).

  I have run the wizards on the ASA with ASDM and the current IOS version 15.1 1841, with CCP.

  It seems to Phase 1 and 2 are coming although my ASA in ADSM reports (monitoring > VPN > VPN statistics > Sessions) a tunnel established with some of the Tx traffic but 0 Rx traffic),

  On the ASA:

  Output of the command: "sh crypto ipsec its peer 217.xx.yy.zz.

  address of the peers: 217.86.154.120
  Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.cc

  access extensive list ip 192.168.37.0 outside_2_cryptomap_1 allow 255.255.255.0 172.20.2.0 255.255.255.0
  local ident (addr, mask, prot, port): (LAN-A/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (LAN-G/255.255.255.0/0/0)
  current_peer: 217.xx.yy.zz

  #pkts program: 400, #pkts encrypt: 400, #pkts digest: 400
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 400, comp #pkts failed: 0, #pkts Dang failed: 0
  success #frag before: 0, failures before #frag: 0, #fragments created: 0
  Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
  #send errors: 0, #recv errors: 0

  local crypto endpt. : 62.aa.bb.cc, remote Start crypto. : 217.xx.yy.zz

  Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
  current outbound SPI: 39135054
  current inbound SPI: B2E9E500

  SAS of the esp on arrival:
  SPI: 0xB2E9E500 (3001672960)
  transform: esp-3des esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, PFS 2 group}
  slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
  calendar of his: service life remaining (KB/s) key: (4374000/1598)
  Size IV: 8 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0x00000000 0x00000001
  outgoing esp sas:
  SPI: 0 x 39135054 (957567060)
  transform: esp-3des esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, PFS 2 group}
  slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
  calendar of his: service life remaining (KB/s) key: (4373976/1598)
  Size IV: 8 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0x00000000 0x00000001

  Output of the command: "sh crypto isakmp his."

  HIS active: 4
  Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
  Total SA IKE: 4

  IKE Peer: 217.xx.yy.zz
  Type: L2L role: initiator
  Generate a new key: no State: MM_ACTIVE

  On the 1841

  1841 crypto isakmp #sh its
  IPv4 Crypto ISAKMP Security Association
  DST CBC conn-State id
  217.86.154.120 62.153.156.163 QM_IDLE 1002 ACTIVE

  1841 crypto ipsec #sh its

  Interface: Dialer1
  Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

  protégé of the vrf: (none)
  local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
  current_peer 62.153.156.163 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  Errors #send 0, #recv 0 errors

  local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
  Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
  current outbound SPI: 0xB2E9E500 (3001672960)
  PFS (Y/N): Y, Diffie-Hellman group: group2

  SAS of the esp on arrival:
  SPI: 0 x 39135054 (957567060)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505068/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0xB2E9E500 (3001672960)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505118/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:

  Interface: virtual Network1
  Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

  protégé of the vrf: (none)
  local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
  current_peer 62.153.156.163 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  Errors #send 0, #recv 0 errors

  local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
  Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
  current outbound SPI: 0xB2E9E500 (3001672960)
  PFS (Y/N): Y, Diffie-Hellman group: group2

  SAS of the esp on arrival:
  SPI: 0 x 39135054 (957567060)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505068/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0xB2E9E500 (3001672960)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505118/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:

  It seems that the routing on the 1841 is working properly as I can tear down the tunnel and relaunch in scathing a host on the network of 1841, but not vice versa.

  Trounleshoot VPN of the 1841 report shows a message like "the following sources are forwarded through the interface card crypto.      (172.20.2.0 1) go to "Configure-> routing" and correct the routing table.

  I have not found an error on the 1841 config so if one of the guys reading this thread has an idea I appreciate highly suspicion!

  It's the running of the 1841 configuration

  !
  version 15.1
  horodateurs service debug datetime msec
  Log service timestamps datetime msec
  encryption password service
  !
  host name 1841
  !
  boot-start-marker
  start the system flash c1841-adventerprisek9 - mz.151 - 1.T.bin
  boot-end-marker
  !
  logging buffered 51200 notifications
  !
  AAA new-model
  !
  !
  AAA authentication login default local
  !
  AAA - the id of the joint session
  !
  iomem 20 memory size
  clock timezone PCTime 1
  PCTime of summer time clock day March 30, 2003 02:00 October 26, 2003 03:00
  dot11 syslog
  IP source-route
  !
  No dhcp use connected vrf ip
  !
  IP cef
  no ip bootp Server
  IP domain name test
  name of the IP-server 194.25.2.129
  name of the IP-server 194.25.2.130
  name of the IP-server 194.25.2.131
  name of the IP-server 194.25.2.132
  name of the IP-server 194.25.2.133
  No ipv6 cef
  !
  Authenticated MultiLink bundle-name Panel
  !
  !
  object-group network phone
  VoIP phone description
  Home 172.20.2.50
  Home 172.20.2.51
  !
  redundancy
  !
  !
  controller LAN 0/0/0
  atm mode
  Annex symmetrical shdsl DSL-mode B
  !
  !
  crypto ISAKMP policy 1
  BA 3des
  preshared authentication
  Group 2
  isakmp encryption key * address 62.aa.bb.cc
  !
  !
  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  !
  map SDM_CMAP_1 1 ipsec-isakmp crypto
  Description Tunnel to62.aa.bb.cc
  the value of 62.aa.bb.cc peer
  game of transformation-ESP-3DES-SHA
  PFS group2 Set
  match address 100
  !
  !
  !
  interface FastEthernet0/0
  DMZ description $ FW_OUTSIDE$
  10.10.10.254 IP address 255.255.255.0
  IP nat inside
  IP virtual-reassembly
  automatic duplex
  automatic speed
  !
  interface FastEthernet0/1
  Description $ETH - LAN$ $FW_INSIDE$
  IP 172.20.2.254 255.255.255.0
  IP access-group 100 to
  IP nat inside
  IP virtual-reassembly
  IP tcp adjust-mss 1412
  automatic duplex
  automatic speed
  !
  ATM0/0/0 interface
  no ip address
  No atm ilmi-keepalive
  !
  point-to-point interface ATM0/0/0.1
  PVC 1/32
  PPPoE-client dial-pool-number 1
  !
  !
  interface Dialer1
  Description $FW_OUTSIDE$
  the negotiated IP address
  IP mtu 1452
  NAT outside IP
  IP virtual-reassembly
  encapsulation ppp
  Dialer pool 1
  Dialer-Group 2
  PPP authentication chap callin pap
  PPP chap hostname xxxxxxx
  PPP chap password 7 xxxxxxx8
  PPP pap sent-name of user password xxxxxxx xxxxxxx 7
  map SDM_CMAP_1 crypto
  !
  IP forward-Protocol ND
  IP http server
  local IP http authentication
  IP http secure server
  !
  !
  The dns server IP
  IP nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
  IP nat inside source static tcp 10.10.10.1 25 25 Dialer1 interface
  IP nat inside source overload map route SDM_RMAP_1 interface Dialer1
  IP nat inside source overload map route SDM_RMAP_2 interface Dialer1
  IP route 0.0.0.0 0.0.0.0 Dialer1 permanent
  !
  logging trap notifications
  Note category of access list 1 = 2 CCP_ACL
  access-list 1 permit 172.20.2.0 0.0.0.255
  Note access-list category 2 CCP_ACL = 2
  access-list 2 allow 10.10.10.0 0.0.0.255
  Note access-list 100 category CCP_ACL = 4
  Note access-list 100 IPSec rule
  access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
  Note CCP_ACL the access list 101 = 2 category
  Note access-list 101 IPSec rule
  access-list 101 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
  access-list 101 permit ip 172.20.2.0 0.0.0.255 any
  Note access-list 102 CCP_ACL category = 2
  Note access-list 102 IPSec rule
  access-list 102 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
  access-list 102 permit ip 10.10.10.0 0.0.0.255 any
  !

  !
  allowed SDM_RMAP_1 1 route map
  corresponds to the IP 101
  !
  allowed SDM_RMAP_2 1 route map
  corresponds to the IP 102
  !
  !
  control plan
  !
  !
  Line con 0
  line to 0
  line vty 0 4
  length 0
  transport input telnet ssh
  !
  Scheduler allocate 20000 1000
  NTP-Calendar Update
  NTP 172.20.2.250 Server prefer
  end

  As I mentioned previously: suspicion is much appreciated!

  Best regards

  Joerg

  Joerg,

  ASA receives not all VPN packages because IOS does not send anything.

  Try to send packets to the 1841 LAN to LAN of the ASA and see is the "sh cry ips its" on the 1841 increments the encrypted packets (there not)

  The problem seems so on the side of the router.

  I think that is a routing problem, but you only have one default gateway (no other channels on the router).

  The ACL 100 is set to encrypt the traffic between the two subnets.

  It seems that the ACL 101 is also bypassing NAT for VPN traffic.

  Follow these steps:

  Try running traffic of LAN router inside IP (source of ping 192.168.37.x 172.20.2.254) and see if the packages are not through the translation and obtaining encrypted.

  I would also like to delete 100 ACL from the inside interface on the router because it is used for the VPN. You can create an another ACL to apply to the interface.

  Federico.

• Problem with IPSec VPN ISA500 &amp; login questions (multiple devices)

  I have a Cisco ISA500, we use for connection with IPSEC VPN of some products apple (MacBook Pro and iPad). We can operate randomly once in a while, but it fails most of the time of negotiation. Someone at - it suggestions on what I can do to make this work?

  I did test it on my Linux machine and it does not when I had configured default settings. I had to change the NAT Traversal for UDP CISCO on the Linux machine for the connection to work.

  14/04/03 20:54:13 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: quick mode attempt fails, please check if IKE/transformation/PFS local are the same as remote site; (pluto)
  2014-04-03 20:54:13 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: max number of retransmissions (2) reached STATE_AGGR_R1. (pluto)
  2014-04-03 20:53:30 - warning - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: quick mode attempt fails, please check if IKE/transformation/PFS local are the same as remote site; (pluto)
  2014-04-03 20:53:30 - warning - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: max number of retransmissions (2) reached STATE_AGGR_R1. (pluto)
  2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: STATE_AGGR_R1: sent AR1, expected AI2.; (pluto)
  2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = 'groupname' [48] XXX.XXX.XXX.XXX #59: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received vendor ID payload [Dead Peer Detection]; (pluto)
  2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]; (pluto)
  2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: regardless of the payload of unknown Vendor ID [16f6ca16e4a4066d83821a0f0aeaa862]; (pluto)
  2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received meth payload [draft-ietf-ipsec-nat-t-ike-02] Vendor ID = 107, but already using method 109; (pluto)
  2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received meth payload [draft-ietf-ipsec-nat-t-ike-02_n] Vendor ID = 106, but already using method 109; (pluto)
  2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received meth payload [draft-ietf-ipsec-nat-t-ike-03] Vendor ID = 108, but already using method 109; (pluto)
  2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received Vendor ID value = 109 payload [RFC 3947] method; (pluto)
  2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received vendor ID payload [Cisco-Unity]; (pluto)
  2014-04-03 20:53:03 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:43810 package: received vendor ID payload [XAUTH]; (pluto)
  2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: STATE_AGGR_R1: sent AR1, expected AI2.; (pluto)
  2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = 'groupname' [47] XXX.XXX.XXX.XXX #58: attribute OAKLEY_KEY_LENGTH not preceded by the OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute OAKLEY_KEY_LENGTH. (pluto)
  2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received vendor ID payload [Dead Peer Detection]; (pluto)
  2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]; (pluto)
  2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: regardless of the payload of unknown Vendor ID [16f6ca16e4a4066d83821a0f0aeaa862]; (pluto)
  2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received meth payload [draft-ietf-ipsec-nat-t-ike-02] Vendor ID = 107, but already using method 109; (pluto)
  2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received meth payload [draft-ietf-ipsec-nat-t-ike-02_n] Vendor ID = 106, but already using method 109; (pluto)
  2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received meth payload [draft-ietf-ipsec-nat-t-ike-03] Vendor ID = 108, but already using method 109; (pluto)
  2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received Vendor ID value = 109 payload [RFC 3947] method; (pluto)
  2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received vendor ID payload [Cisco-Unity]; (pluto)
  2014-04-03 20:52:20 - WARNING - IPsec VPN: msg = XXX.XXX.XXX.XXX:58320 package: received vendor ID payload [XAUTH]; (pluto)

  Hi rich,

  What version of firmware you used before upgrade?  You upgrade to 1.2.19 and now this works?

  Thank you

  Brandon

• Problem with IPSEC tunnel between Cisco PIX and Cisco ASA

  Hi all!

  Have a strange problem with one of our tunnel ipsec for one of our customers, we can open the tunnel of the customers of the site, but not from our site, don't understand what's wrong, if it would be a configuration problem should can we not all up the tunnel.

  On our side as initiator:

  Jan 14 13:53:26 172.27.1.254% PIX-7-702208: ISAKMP Phase 1 Exchange started (local 1.1.1.1 (initiator), remote 2.2.2.2)

  Jan 14 13:53:26 172.27.1.254% PIX-7-702210: Exchange of ISAKMP Phase 1 is complete (local 1.1.1.1 (initiator), remote 2.2.2.2)

  Jan 14 13:53:26 172.27.1.254% 6-PIX-602202: ISAKMP connected session (local 1.1.1.1 (initiator), remote 2.2.2.2)

  Jan 14 13:53:26 172.27.1.254% PIX-6-602201: Phase 1 ISAKMP Security Association created (local 1.1.1.1/500 (initiator), 2.2.2.2/500 remotely, authentication = pre-action, encryption = 3DES-CBC, hash = SHA, group = 2, life = 86400 s)

  Jan 14 13:53:26 172.27.1.254% PIX-7-702209: ISAKMP Phase 2 Exchange started (local 1.1.1.1 (initiator), remote 2.2.2.2)

  Jan 14 13:53:26 172.27.1.254% PIX-7-702201: ISAKMP Phase 1 delete received (local 1.1.1.1 (initiator), remote 2.2.2.2)

  Jan 14 13:53:26 172.27.1.254% PIX-6-602203: ISAKMP disconnected session (local 1.1.1.1 (initiator), remote 2.2.2.2)

  Jan 14 13:53:56 172.27.1.254% PIX-7-702303: sa_request, CBC (MSG key in English) = 1.1.1.1, dest = 2.2.2.2, src_proxy = 172.27.1.10/255.255.255.255/0/0 (type = 1), dest_proxy = 192.168.100.18/255.255.255.255/0/0 (type = 1), Protocol is ESP transform = lifedur hmac-sha-esp, esp-3des 28800 = s and 4608000 Ko, spi = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 4004

  The site of the customer like an answering machine:

  14 jan 11:58:23 172.27.1.254% PIX-7-702208: ISAKMP Phase 1 Exchange started (local 1.1.1.1 (answering machine), 2.2.2.2 remote)

  14 jan 11:58:23 172.27.1.254% PIX-7-702210: Exchange of ISAKMP Phase 1 is complete (local 1.1.1.1 (answering machine), 2.2.2.2 remote)

  14 jan 11:58:23 172.27.1.254% 6-PIX-602202: ISAKMP connected session (local 1.1.1.1 (answering machine), 2.2.2.2 remote)

  14 jan 11:58:23 172.27.1.254% PIX-6-602201: Phase 1 ISAKMP Security Association created (local 1.1.1.1/500 (answering machine), distance 2.2.2.2/500, authentication = pre-action, encryption = 3DES-CBC, hash = MD5, group = 1, life = 86400 s)

  14 jan 11:58:23 172.27.1.254% PIX-7-702209: ISAKMP Phase 2 Exchange started (local 1.1.1.1 (answering machine), 2.2.2.2 remote)

  14 jan 11:58:23 172.27.1.254% PIX-6-602301: its created, (his) sa_dest = 2.2.2.2, sa_prot = 50, sa_spi = 0x9de820bd (2649235645) sa_trans = sa_conn_id of hmac-sha-esp, esp-3des = 116

  14 jan 11:58:23 172.27.1.254% PIX-7-702211: Exchange of ISAKMP Phase 2 is complete (local 1.1.1.1 (answering machine), 2.2.2.2 remote)

  Jan 14 12:28:54 172.27.1.254% PIX-6-602302: SA deletion, (his) sa_dest = 2.2.2.2, sa_prot = 50, sa_spi = 0x9de820bd (2649235645), sa_trans = esp-3desesp-sha-hmac, sa_conn_id = 116

  Kind regards

  Johan

  From my experience when a tunnel is launched on one side, but it is not on the other hand, that the problem is with an inconsistency of the isakmp and ipsec policies, mainly as ipsec policies change sets and corresponding address with ASA platform when a tunnel is not a statically defined encryption card he sometimes use the dynamic tag to allocate this vpn connection. To check if this is the case go ahead and make a "crypto ipsec to show his" when the tunnel is active on both sides, see on the SAA if the corresponding tunnel is the static encryption card set or if it presents the dynamic encryption card.

  I advise you to go to the settings on both sides and ensure that they are both in the opposite direction.

• IPSec VPN between ASAs with same subnet for disaster recovery

  Hello

  I need some clarification from you guys.

  To do disaster EasyVPN tunnels for the Cisco ASA 5505 firewall recovery site. Now, there is only one main site and 3 remote sites.

  Dr., must use the same subnet that it is on the main site because virtual machines Vmware will be replicated to DR.

  For the DR we use Double-Take software.

  What is the best solution for this? I think we could use NAT of Destination on ASAs. Other sites (HQ and remote control) will be directed to only address NAT of the

  DR and not real which is the same as on the main site.

  So guys, will this work? We are using IPSec VPN? In packet - trace on ASA, I see that the package is the first using a NAT, and then encrypted, so it should work, Yes?

  I hope someone can confirm this.

  I can confirm that this will work certainly,

  for prior type natting see 8.3:

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080b37d0b.shtml#diag

  for 8.3 and later it is also achievable.

• VPN between ASA and 871

  Hello

  I'm setting up a VPN router between 871 and ASA 5505 for the first time and having a problem. I have attached my network diagram as well as the configuration of 871 and ASA. Although the VPN tunnel is coming for example sh crypto isakmp his watch QM_IDLE and Exchange ipsec SA is successuful as well, but none of the machine can access each other. Please help as I am in desperate need to operate.

  Thank you all,.

  Jérôme

  Hello

  It seems that you are missing some required configuration. See the link below...

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805e8c80.shtml

  HTH

  MS

  * Rate of useful messages *.

• S - S VPN between ASA and ASR1001

  Hello

  We have 2 routers ASR to connected to ISP headquarters and there are new remote sites that must be connected to the AC over the site to site VPN. Each remote branch will be ASA, IPs outside of these two recommendations are in the same subnet.

  1. is it possible to reach redudancy beside HQ in this design?

  2. can I create L2L tunnels to two ASR? If yes how can I do 1 active tunnel and other secondary?

  | ASR1

  Users---L3SW---ASA---ISP---CPE---|

  | ASR2

  Any suggestions are welcome

  Thank you

  There are two ways:

  1. IPSec stateful failover
     http://www.Cisco.com/c/en/us/TD/docs/iOS-XML/iOS/sec_conn_vpnav/configuration/15-Mt/sec-VPN-availability-15-Mt-book/Sec-State-fail-IPSec.html
     http://packetlife.net/blog/2009/Aug/17/fun-IPSec-stateful-failover/
  2. VPN config with two counterparts one ASA.
     Here you have two individual bridges on the HQ and the ASA has two tunnel-groups en the two bridges but only a single sequence in the crypto plan. Peer education has two HQ - IPs configured.

• Font problem with the publication between Animate and HTML?

  Hello!

  I have a problem with the publication of my animated movie in CC to animate. Some computers don't recognize the font on Google Chrome that I chose in my animation. Firefox never recognize.

  I don't know how to fix.

  Some pictures of the problem:

  -This is the image of Google Chrome with melting Source without Pro. It works normally (on some computers).

  

  -This is on Firefox. The police has not been integrated.

  

  What is going on?

  Thank you!!

  Hello

  You can try to use the type of static text in HTML5 Canvas document for WYSIWYG experience and see if that helps?

  PS: The static text in the document of the canvas is converted to outlines when publishing to preserve the WYSIWYG experience. If you have a requirement that you need to preserve the text in the js to output file, then use a dynamic text with Typekit web font for experience of consistency.

  Thank you!

  Mohan

• IPSec VPN Site-to-Site router Cisco 837 to Firewall FortiGate 200 has

  I had a challege for a site to site vpn scenario that may need some brainstorming you guys.

  So far, I have had a prior configuration planned for this scenario, but I'm not very sure if the tunnel I created will work because I did not test it before with this scenario. I'll go next week on this project and hopefully get a solution of brainstorming you guys. Thanks in advance!

  Network diagram:

  http://cjunhan.multiply.com/photos/hi-res/5/3?xurl=%2Fphotos%2Fphoto%2F5%2F3

  Challenge:

  (1) configure CISCO R3 IPSec Site to Site VPN between 172.20.10.0 and 10.20.20.0 using cryptographic cards

  (2) IKE Phase I MainMode, lifetime 28000, md5, DH-Group1

  IKE Phase II: des-esp, hmac-md5, tunnel mode

  PSK: sitetositevpn

  Here is my setup for review:

  crypto ISAKMP policy 10

  the BA

  preshared authentication

  Group 1

  md5 hash

  ISAKMP crypto key sitetositevpn address 210.x.x.66

  !

  Crypto ipsec transform-set esp - esp-md5-hmac ciscoset

  !

  infotelmap 10 ipsec-isakmp crypto map

  the value of 210.x.x.66 peer

  Set transform-set ciscoset

  match address 111

  !

  !

  interface Ethernet0

  3 LAN description

  IP 10.20.20.1 255.255.255.0

  IP nat inside

  servers-exit of service-policy policy

  Hold-queue 100 on

  !

  ATM0 interface

  no ip address

  ATM vc-per-vp 64

  No atm ilmi-keepalive

  DSL-automatic operation mode

  !

  point-to-point interface ATM0.1

  IP address 210.x.20.x.255.255.252

  no ip redirection<-- disable="">

  no ip unreachable<-- disable="" icmp="" host="" unreachable="">

  no ip proxy-arp<-- disables="" ip="" directed="">

  NAT outside IP

  PVC 8/35

  aal5snap encapsulation

  !

  !

  IP nat inside source list 102 interface ATM0.1 overload

  IP classless

  IP route 0.0.0.0 0.0.0.0 ATM0.1

  IP route 0.0.0.0 0.x.0.x.190.60.66

  no ip http secure server

  !

  Note access-list 102 NAT traffic

  access-list 102 permit ip 10.20.20.0 0.0.0.255 any

  !

  access-list 111 note VPN Site-to-Site 3 LAN to LAN 2 network

  access-list 111 allow 0.0.0.x.x.10.0 ip 10.20.20.0 0.0.0.255

  Kind regards

  Junhan

  Hello

  Three changes required in this configuration.

  (1) change the NAT-list access 102 as below:

  access-list 102 deny ip 10.20.20.0 0.0.0.255 172.20.10.0 0.0.0.255

  access-list 102 permit ip 10.20.20.0 0.0.0.255 any

  (2) place the card encryption on interface point-to-point ATM.

  (3) remote all of a default route.

  Thank you

  Mustafa

• Problem with the creation of New and subfolders only appear is not in the list

  Thunderbird is allowing the creation of some New & subfolders, but they aren't always in the list each time.

  Photo shows the current list, but they tried to get money records IMarEST & Bank. (My apologies for Hypersnap stamps)
  Sorry, but the photo is not download!

  I use the Windows x 86 Version 8.1 - Thunderbird 31.6.0

  How to subscribe to see the imap folders:

  • Right click on your email account name, and then select 'subscribe '.
  • IMAP folders available on the server will be listed.
  • Select the ones you want to add to your e-mail client
  • Click the button to subscribe.
  • Press the OK button

• Routing over VPN between ISA550W and RV215W

  Hello all I have a problem with the VPN between my two office

  I have an ISA550W at the head office (chcnorth)

  I have a RV215W to the remote desktop (chcsouth)

  the VPN is up and running, I can connect from Headquarters to remote control (chcsouth-RV215W)

  and vice versa however when client computers on the remote end are trying to connect to the

  Main office to access the database, they can't.

  the problem started last week I received a call from the remote desktop that they can connect to our database

  on the main office, I tried to connect remotely to see what was going on, it turns out that the router has completely put back

  at the plant, including the firmware

  I reinstalled the latest firmware for the RV215W of installation all connections as they were, I could

  get VPN to connect, I can ping to the interface of the RV215W from my seat and I ping the ISA550W

  the remote desktop, however my remote clients still cannot access my server at the main office

  I realized after I have everything set up, I had a backup of my original installation and thinking I had

  just missed something I restored it to the firmware to factory upgraded to power and restored the backup of the

  RV215W I've had. still no dice

  So I am now at a loss, there were no other changes to the network on both ends, I've been on this som my eyes several times

  are blurred,

  any ideas, workarounds for solutions would be greatly appreciated

  Thanks in advance

  John G

  John,

  It doesn't look like your question is more DNS related, as you can access the server by its IP address if the "connection" allows you to set up this way. It is quite common, that you cannot resolve names through the tunnel because netbios broadcasts will not pass. The RV215W have shared DNS within the parameters of the tunnel, so this isn't an option more.

  If the "connection" is a PC, you can work around this by editing the LMHOSTS file. Please see the following instructions:

  http://www.JakeLudington.com/Windows_7/20100924_how_to_edit_windows_7_lmhosts_file.html

  In your case, it might look more at:

  192.168.1.200 sqlsvr

  Now if you ping or try to access sqlsvr from the computer, it will automatically know that it should go to 192.168.1.200 without having to find the IP address.

  Answer please if you have any questions.

  -Marty