Problem with PIX 501-> L2L 1721 VPN

I am setting up a site to site vpn according to the http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008051a69a.shtml.

I want to connect 192.168.105.0/24 and 192.168.106.0/24.

PIX01 is 192.168.106.1, with dynamic external IP (B.B.B.B)

RTR01 is 192.168.105.1, with dynamic external IP address (I'm just using DHCP current address of the ISP as A.A.A.A in the config of PIX01 - this is a temporary application, not critical where I can update the address if necessary)

It seems that the VPN tunnel is established but traffic does not return the router to the pix. I temporarily hosted all of the traffic on indoor/outdoor PIX interfaces (and icmp).

If I enable icmp debug I see ping requests from the client to 192.168.106.100 internal interface of the router (192.168.105.1), but no return icmp:

On PIX01:

180:-Interior ICMP echo request: 192.168.105.1 ID = 1 length = 40 seq = 298 192.168.106.100
181:-Interior ICMP echo request: 192.168.105.1 ID = 1 length = 40 seq = 299 192.168.106.100
182:-Interior ICMP echo request: 192.168.105.1 ID = 1 length = 40 seq = 300 192.168.106.100
183:-Interior ICMP echo request: 192.168.105.1 ID = 1 seq = length 301 = 40 192.168.106.100

On RTR01:
* 03:40:46.885 22 dec: ICMP: echo responded, 192.168.105.1 src, dst 192.168.106.100
* 03:40:51.713 22 dec: ICMP: echo responded, 192.168.105.1 src, dst 192.168.106.100
* 03:40:56.713 22 dec: ICMP: echo responded, 192.168.105.1 src, dst 192.168.106.100
* 03:41:01.709 22 dec: ICMP: echo responded, 192.168.105.1 src, dst 192.168.106.100

Output of running sh crypto isakmp his:

PIX01 (config) # sh crypto isakmp his
Total: 1
Embryonic: 0
Src DST in the meantime created State
A.A.A.A B.B.B.B 0 1 QM_IDLE

RTR01 #sh crypto isakmp his
status of DST CBC State conn-id slot
A.A.A.A B.B.B.B QM_IDLE 1 0 ACTIVE

Out of HS crypto ipsec his:

PIX01 (config) # sh crypto ipsec his

Interface: outside
Crypto map tag: IPSEC, local addr. B.B.B.B

local ident (addr, mask, prot, port): (192.168.106.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.105.0/255.255.255.0/0/0)
current_peer: A.A.A.A:500
LICENCE, flags is {origin_is_acl},
#pkts program: 103, #pkts encrypt: collection of #pkts 103, 103
#pkts decaps: 0, #pkts decrypt: 0, #pkts check 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0, #pkts decompress failed: 0
#send 12, #recv errors 0

local crypto endpt. : B.B.B.B, remote Start crypto. : A.A.A.A
Path mtu 1500, overload ipsec 56, media, mtu 1500
current outbound SPI: 7cb75998

SAS of the esp on arrival:
SPI: 0xb896f6c6 (3096901318)
transform: esp - esp-md5-hmac.
running parameters = {Tunnel}
slot: 0, conn id: 1, crypto card: IPSEC
calendar of his: service life remaining (k/s) key: (4608000/3151)
Size IV: 8 bytes
support for replay detection: Y

the arrival ah sas:

SAS of the CFP on arrival:

outgoing esp sas:
SPI: 0x7cb75998 (2092390808)
transform: esp - esp-md5-hmac.
running parameters = {Tunnel}
slot: 0, conn id: 2, crypto card: IPSEC
calendar of his: service life remaining (k/s) key: (4607999/3151)
Size IV: 8 bytes
support for replay detection: Y

outgoing ah sas:

outgoing CFP sas:

RTR01 #sh crypto ipsec his

Interface: Vlan600
Crypto map tag: IPSEC, local addr A.A.A.A

protégé of the vrf: (none)
local ident (addr, mask, prot, port): (192.168.105.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.106.0/255.255.255.0/0/0)
current_peer B.B.B.B port 500
LICENCE, flags is {}
program #pkts: 10, #pkts encrypt: 10, #pkts digest: 10
decaps #pkts: 10, #pkts decrypt: 10, #pkts check: 10
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errors

local crypto endpt. : A.A.A.A, remote Start crypto. : B.B.B.B
Path mtu 1500, mtu 1500 ip, ip mtu BID Vlan600
current outbound SPI: 0xB896F6C6 (3096901318)

SAS of the esp on arrival:
SPI: 0x7CB75998 (2092390808)
transform: esp - esp-md5-hmac.
running parameters = {Tunnel}
Conn ID: 2002, flow_id: SW:2, crypto card: IPSEC
calendar of his: service life remaining (k/s) key: (4556997/3076)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE

the arrival ah sas:

SAS of the CFP on arrival:

outgoing esp sas:
SPI: 0xB896F6C6 (3096901318)
transform: esp - esp-md5-hmac.
running parameters = {Tunnel}
Conn ID: 2001, flow_id: SW:1, crypto card: IPSEC
calendar of his: service life remaining (k/s) key: (4556997/3076)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVE

outgoing ah sas:

outgoing CFP sas:

I can provide more information if necessary.

Thanks in advance for any help,

ISAKMP uses UDP/500 and it is true he helped through phase 1 being upwards (QM_IDLE).

IPSec uses ESP or UDP/4500, and this is what must be authorized by the FW.

Tags: Cisco Security

Similar Questions

Problems with PIX 501 and Server MS Cert

Hi all

I have two problems with my PIX 501:

1. registration works well. The pix has a certificate and use it with SSL and VPN connections. But after a refill, the pix certificate is lost and it has regenerated again self-signed certificate!

Yes, I wrote mem and ca records all!

2. at the request of ca CRL , I get the following debugging:

Crypto CA thread wakes!

CRYPTO_PKI: Cannot be named County ava

CRYPTO_PKI: transaction GetCRL completed

Crypto CA thread sleeps!

CI thread wakes!

And the CRL is empty.

Does anyone have any idea?

Bert Koelewijn

Not sure about 1, but 2 is usually caused by the COP (Point of Distribution of CRL, basically the situation where the PIX can download the Revocation list from) listed in cert CA is in a format the PIX does not, generally an LDAP URL.

Check the following prayer:

Open the administration tool of CA (Certification Authority) then

(1) right click on the name of CA and choose 'properties '.

2) click on the tab "Policy Module".

3) click on the button "configure."

4) click on the tab "X.509 extensions".

> From there, it can display the list of the "CRL Distribution Points".

Turn off everything that isn't HTTP.

You need to reinstall the CERT in the PIX, I think, but then it should be able to download the CRL through HTTP instead of LDAP.

VPN with PIX 501

Help!

I'm trying to set up VPN on my PIX 501. I have no experience of the PIX and have no idea where to start!

Any help will be greatly appreciated.

Thank you

Bennie

access list allow accord a

where is the name of the access list that you applied the entrants to your external interface. You may also allow accord coming out, if you have a list of incoming configured access to your inside interface.

Port forwarding with PIX 501

I try to get my PIX 501 to forward traffic on port 1412 with TCP and UDP to use Direct Connect, and the problem I have is I can connect to a DC hub, but cannot establish connections with users.

I added the following to the default configuration from the factory with a partial success:

outside access list permit tcp any host 192.168.100.20 eq 1412

access-list outside permit udp any host 192.168.100.20 eq 1412

public static tcp (indoor, outdoor) interface 1412 192.168.100.20 1412 netmask 255.255.255.255 0 0

public static tcp (indoor, outdoor) interface 1412 192.168.100.20 1412 netmask 255.255.255.255 0 0

In the debug log set to the access list I rule this type of errors:

Deny tcp src outside other.users.ip.addr/3099 dst within the my.public.ip.addr/1412 by access-group "access_outside_in".

TCP request discarded outside my.public.ip.addr/45961 other.users.ip.addr/2362

I'm quite lost as to why it does not work when I think it should. I tried several ways, opening of port ranges and no chance for a transfer of the port sucsessful.

You can change you, outside the ACL to the following:

outside access list permit tcp any host eq 1412

access-list outside permit udp any host eq 1412

outside access-group in external interface

Save again with: write mem and also issue: clear xlate

I would like to know if it works.

Jay

Problem of recovery of password with pix 501

Hello

my organization uses a firewall 501 pix with version 6.2 of the software. After I lost the password I tried earasing using the faq provided on this site (using the file np62.bin through a TFTP server).

Unfortunately, I can not connect using the password default "cisco."

Thank you

Raphaël Cohen, University of Tel Aviv

Hello Raphael,.

You need to connect to the PIX via the port on the PIX console. If you deleted the passwords, then (as mentioned before), there is NO password to access privileged EXEC access just don't hit back, now, you will need to configure a password to "enable" with command > pix # enable password - the password is case-sensitive and can be a combination of characters and numbers the length of the password is limited to 16 characters.

You can now set access telnet as well i.e. config mode > pix (config) # telnet [masque_sous] [interface_name]

example: (in config mode) telnet 192.168.10.10 255.255.255.0 inside

Good idea to use the static IP address for the above, makesure to save your config with cmd: write memory

Hope this helps - Jay

PS. Thanks to vote this post if it helped you so that other members can use it if they have the same problem you have - that helps! Thank you.

Problems with FVS336GV2 and AVAYA 9620L VPN

Hello

I have Avaya 9620 L is currently working and all the settings successfully with netgear FVS336gv3. My problem is, when the phone is turned off at the remote site in the afternoon and return the morning that he fails to connect via VPN. Just told IKE Phase 1 error. In my VPN log it says "cannot find the file configuration xx.xx.xx.xx. Now this configuration worked the previous day.

When I go to the netgear and change "encryption algorithm" or 'Authentication algorithm' (no matter what) that the newspaper says that it does not. I have change it back to what it was before and how you know he is running like a charm. In the course of the day, no matter how many times the phone or the netgear feeding cycle, it always connects. Only when he is off all nite, the next day, the netgear let the phone not connect unless I have change a setting and than back to his original one. If I change a setting on the Avaya netgear and it works.

Does anyone have any ideas as to why the netgear blocks VPN until I have change the setting?

Hi Moussa,.

The firmware 3.1.1 - 08 seems to be more stable than version 4.3.3 - 6 at least for my setup here. Last week I had no problems and it works every morning when powered. For now I'll stick to firmware V3.1.1-08.

Another problem with the configuration of Cisco VPN Client access VPN Site2site

We have a Cisco ASA 5505 at our CORP. branch I configured the VPN Site2Site to our COLO with a Juniper SRX220h, to another site works well, but when users access the home Cisco VPN client, they cannot ping or SSH through the Site2Site. JTACS contacted and they said it is not on their end, so I tried to contact Cisco TAC, no support. So here I am today, after for the 3 days (including Friday of last week) of searching the Internet for more than 6 hours per day and try different examples of other users. NO LUCK. The VPN client shows the route secure 10.1.0.0

Sorry to post this, but I'm frustrated and boss breathing down my neck to complete it.

CORP netowrk 192.168.1.0

IP VPN 192.168.12.0 pool

Colo 10.1.0.0 internal ip address

Also, here's an example of my config ASA

: Saved

:

ASA Version 8.2 (1)

!

hostname lwchsasa

names of

name 10.1.0.1 colo

!

interface Vlan1

nameif inside

security-level 100

IP 192.168.1.1 255.255.255.0

!

interface Vlan2

backup interface Vlan12

nameif outside_pri

security-level 0

IP 64.20.30.170 255.255.255.248

!

interface Vlan12

nameif backup

security-level 0

IP 173.165.159.241 255.255.255.248

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

switchport access vlan 12

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passive FTP mode

permit same-security-traffic inter-interface

permit same-security-traffic intra-interface

object-group network NY

object-network 192.168.100.0 255.255.255.0

BSRO-3387 tcp service object-group

port-object eq 3387

BSRO-3388 tcp service object-group

port-object eq 3388

BSRO-3389 tcp service object-group

EQ port 3389 object

object-group service tcp OpenAtrium

port-object eq 8100

object-group service Proxy tcp

port-object eq 982

VOIP10K - 20K udp service object-group

10000 20000 object-port Beach

the clientvpn object-group network

object-network 192.168.12.0 255.255.255.0

APEX-SSL tcp service object-group

Description of Apex Dashboard Service

port-object eq 8586

object-group network CHS-Colo

object-network 10.1.0.0 255.255.255.0

the DM_INLINE_NETWORK_1 object-group network

object-network 192.168.1.0 255.255.255.0

host of the object-Network 64.20.30.170

object-group service DM_INLINE_SERVICE_1

the purpose of the ip service

ICMP service object

service-object icmp traceroute

the purpose of the service tcp - udp eq www

the tcp eq ftp service object

the purpose of the tcp eq ftp service - data

the eq sqlnet tcp service object

EQ-ssh tcp service object

the purpose of the service udp eq www

the eq tftp udp service object

object-group service DM_INLINE_SERVICE_2

the purpose of the ip service

ICMP service object

EQ-ssh tcp service object

inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 clientvpn object-group

inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 object-group NY

inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 object-group CHS-Colo

inside_nat0_outbound list of allowed ip extended access any 192.168.12.0 255.255.255.0

outside_pri_1_cryptomap to access ip 192.168.1.0 scope list allow 255.255.255.0 object-group NY

outside_pri_access_in list extended access permit tcp any interface outside_pri eq www

outside_pri_access_in list extended access permit tcp any outside_pri eq https interface

outside_pri_access_in list extended access permit tcp any interface outside_pri eq 8100

outside_pri_access_in list extended access permit tcp any outside_pri eq idle ssh interface

outside_pri_access_in list extended access permit icmp any any echo response

outside_pri_access_in list extended access permit icmp any any source-quench

outside_pri_access_in list extended access allow all unreachable icmp

outside_pri_access_in list extended access permit icmp any one time exceed

outside_pri_access_in list extended access permit tcp any 64.20.30.168 255.255.255.248 eq 8586

levelwingVPN_splitTunnelAcl list standard access allowed 192.168.1.0 255.255.255.0

levelwingVPN_splitTunnelAcl list standard access allowed 10.1.0.0 255.255.255.0

outside_pri_cryptomap to access ip 192.168.1.0 scope list allow 255.255.255.0 object-group CHS-Colo

backup_nat0_outbound list extended access allowed object-group DM_INLINE_NETWORK_1 192.168.12.0 ip 255.255.255.0

outside_pri_cryptomap_1 list extended access allow DM_INLINE_SERVICE_2 of object-group 192.168.1.0 255.255.255.0 10.1.0.0 255.255.255.0

outside_19_cryptomap to access extended list ip 192.168.12.0 allow 255.255.255.0 10.1.0.0 255.255.255.0

inside_nat0_outbound_1 to access ip 192.168.1.0 scope list allow 255.255.255.0 object-group CHS-Colo

VPN-Corp-Colo extended access list permits object-group DM_INLINE_SERVICE_1 192.168.12.0 255.255.255.0 10.1.0.0 255.255.255.0

Note to OUTSIDE-NAT0 NAT0 customer VPN remote site access-list

OUTSIDE-NAT0 192.168.12.0 ip extended access list allow 255.255.255.0 10.1.0.0 255.255.255.0

L2LVPN to access extended list ip 192.168.12.0 allow 255.255.255.0 10.1.0.0 255.255.255.0

pager lines 24

Enable logging

debug logging in buffered memory

exploitation forest asdm warnings

record of the rate-limit unlimited level 4

destination of exports flow inside 192.168.1.1 2055

timeout-rate flow-export model 1

Within 1500 MTU

outside_pri MTU 1500

backup of MTU 1500

local pool LVCHSVPN 192.168.12.100 - 192.168.12.254 255.255.255.0 IP mask

no failover

ICMP unreachable rate-limit 100 burst-size 5

ICMP allow any inside

ICMP allow any outside_pri

don't allow no asdm history

ARP timeout 14400

NAT-control

interface of global (outside_pri) 1

Global 1 interface (backup)

NAT (inside) 0-list of access inside_nat0_outbound

NAT (inside) 0 inside_nat0_outbound_1 list of outdoor access

NAT (inside) 1 0.0.0.0 0.0.0.0

NAT (outside_pri) 0-list of access OUTSIDE-NAT0

backup_nat0_outbound (backup) NAT 0 access list

static TCP (inside outside_pri) interface https 192.168.1.45 https netmask 255.255.255.255 dns

static TCP (inside outside_pri) interface 192.168.1.45 www www netmask 255.255.255.255 dns

static TCP (inside outside_pri) interface 8586 192.168.1.45 8586 netmask 255.255.255.255 dns

static (inside, inside) tcp interface 8100 192.168.1.45 8100 netmask 255.255.255.255 dns

Access-group outside_pri_access_in in the outside_pri interface

Route 0.0.0.0 outside_pri 0.0.0.0 64.20.30.169 1 track 1

Backup route 0.0.0.0 0.0.0.0 173.165.159.246 254

Timeout xlate 03:00

Conn Timeout 0:00:00 half-closed 0:30:00 udp icmp from 01:00 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 01:00 uauth uauth absolute inactivity from 01:00

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-registration DfltAccessPolicy

AAA authentication enable LOCAL console

AAA authentication http LOCAL console

the ssh LOCAL console AAA authentication

http server enable 981

http 192.168.1.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 outside_pri

http 0.0.0.0 0.0.0.0 backup

SNMP server group Authentication_Only v3 auth

SNMP-server host inside 192.168.1.47 survey community lwmedia version 2 c

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Sysopt connection tcpmss 1200

monitor SLA 123

type echo protocol ipIcmpEcho 216.59.44.220 interface outside_pri

Annex ALS life monitor 123 to always start-time now

Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set esp-3des-sha1 esp-3des esp-sha-hmac

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

Crypto ipsec df - bit clear-df outside_pri

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

card crypto outside_pri_map 1 match address outside_pri_1_cryptomap

card crypto outside_pri_map 1 set pfs

peer set card crypto outside_pri_map 1 50.75.217.246

card crypto outside_pri_map 1 set of transformation-ESP-AES-256-MD5

card crypto outside_pri_map 2 match address outside_pri_cryptomap

peer set card crypto outside_pri_map 2 216.59.44.220

card crypto outside_pri_map 2 the value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

86400 seconds, duration of life card crypto outside_pri_map 2 set security-association

card crypto outside_pri_map 3 match address outside_pri_cryptomap_1

peer set card crypto outside_pri_map 3 216.59.44.220

outside_pri_map crypto map 3 the value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

outside_pri_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

card crypto outside_pri_map interface outside_pri

crypto isakmp identity address

ISAKMP crypto enable outside_pri

crypto ISAKMP policy 5

preshared authentication

3des encryption

sha hash

Group 2

life 86400

crypto ISAKMP policy 10

preshared authentication

the Encryption

sha hash

Group 2

life 86400

crypto ISAKMP policy 30

preshared authentication

aes-256 encryption

md5 hash

Group 2

life 86400

crypto ISAKMP policy 50

preshared authentication

aes encryption

md5 hash

Group 2

life 86400

!

track 1 rtr 123 accessibility

Telnet timeout 5

SSH 192.168.1.0 255.255.255.0 inside

SSH timeout 5

Console timeout 0

management-access inside

dhcpd auto_config outside_pri

!

dhcpd address 192.168.1.51 - 192.168.1.245 inside

dhcpd dns 8.8.8.8 8.8.4.4 interface inside

rental contract interface 86400 dhcpd inside

dhcpd field LM inside interface

dhcpd allow inside

!

a basic threat threat detection

statistical threat detection port

Statistical threat detection Protocol

Statistics-list of access threat detection

a statistical threat detection host number rate 2

no statistical threat detection tcp-interception

WebVPN

port 980

allow inside

Select outside_pri

enable SVC

attributes of Group Policy DfltGrpPolicy

VPN-idle-timeout no

Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn

internal GroupPolicy2 group strategy

attributes of Group Policy GroupPolicy2

Protocol-tunnel-VPN IPSec svc

internal levelwingVPN group policy

attributes of the strategy of group levelwingVPN

Protocol-tunnel-VPN IPSec svc webvpn

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list levelwingVPN_splitTunnelAcl

username password encrypted Z74.JN3DGMNlP0H2 privilege 0 aard

aard attribute username

VPN-group-policy levelwingVPN

type of remote access service

rcossentino 4UpCXRA6T2ysRRdE encrypted password username

username rcossentino attributes

VPN-group-policy levelwingVPN

type of remote access service

bcherok evwBWqKKwrlABAUp encrypted password username

username bcherok attributes

VPN-group-policy levelwingVPN

type of remote access service

rscott nIOnWcZCACUWjgaP encrypted password privilege 0 username

rscott username attributes

VPN-group-policy levelwingVPN

sryan 47u/nJvfm6kprQDs password encrypted username

sryan username attributes

VPN-group-policy levelwingVPN

type of nas-prompt service

username, password cbruch a8R5NwL5Cz/LFzRm encrypted privilege 0

username cbruch attributes

VPN-group-policy levelwingVPN

type of remote access service

apellegrino yy2aM21dV/11h7fR password encrypted username

username apellegrino attributes

VPN-group-policy levelwingVPN

type of remote access service

username rtuttle encrypted password privilege 0 79ROD7fRw5C4.l5

username rtuttle attributes

VPN-group-policy levelwingVPN

username privilege 15 encrypted password vJFHerTwBy8dRiyW levelwingadmin

username password nbrothers Amjc/rm5PYhoysB5 encrypted privilege 0

username nbrothers attributes

VPN-group-policy levelwingVPN

clong z.yb0Oc09oP3/mXV encrypted password username

clong attributes username

VPN-group-policy levelwingVPN

type of remote access service

username, password finance 9TxE6jWN/Di4eZ8w encrypted privilege 0

username attributes finance

VPN-group-policy levelwingVPN

Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn

type of remote access service

IPSec-attributes tunnel-group DefaultL2LGroup

Disable ISAKMP keepalive

tunnel-group 50.75.217.246 type ipsec-l2l

IPSec-attributes tunnel-group 50.75.217.246

pre-shared-key *.

Disable ISAKMP keepalive

type tunnel-group levelwingVPN remote access

tunnel-group levelwingVPN General-attributes

address LVCHSVPN pool

Group Policy - by default-levelwingVPN

levelwingVPN group of tunnel ipsec-attributes

pre-shared-key *.

tunnel-group 216.59.44.221 type ipsec-l2l

IPSec-attributes tunnel-group 216.59.44.221

pre-shared-key *.

tunnel-group 216.59.44.220 type ipsec-l2l

IPSec-attributes tunnel-group 216.59.44.220

pre-shared-key *.

Disable ISAKMP keepalive

!

!

!

Policy-map global_policy

!

context of prompt hostname

Cryptochecksum:ed7f4451c98151b759d24a7d4387935b

: end

Hello

It seems to me that you've covered most of the things.

You however not "said" Configuring VPN L2L that traffic between the pool of VPN and network camp should be in tunnel

outside_pri_cryptomap to access extended list ip 192.168.12.0 allow 255.255.255.0 object-group CHS-Colo

Although naturally the remote end must also the corresponding configurations for users of VPN clients be able to pass traffic to the site of the camp.

-Jouni

problem with users to access remote vpn site to site vpn network

I did the Setup: asa 5510 configured remote access vpn. My vpn users receive asa 5510 range 192.168.50.0/24 addresses and users access my local lan 192.168.0.0/24. the second side of the local lan 192.168.0.0/24 on asa 5505, I did a vpn site-to-site with network 192.168.5.0/24.on that both sides of a site are asa 5505. inside the interface asa 5510 Elise 192.168.0.10 and inside the interface asa 5505 have address 192.168.0.17.third asa 5505 networked 192.168.5.0/24 address 192.168.5.1. I want my remote access vpn users can access resources on network 192.168.5.0/24. I create the static route on inside the asa 5510 static route 192.168.5.0 interface 255.255.255.0 192.168.0.17 and a static route on inside the asa 5505 static route 192.168.50.0 interface 255.255.255.0 192.168.0.10, but it's not working. What do I do?

execution of the configuration of my asa 5510 is

Result of the command: "show run"

: Saved
:
ASA Version 8.4(2)
!
hostname asa5510
domain-name dri.local
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.178 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.0.10 255.255.255.0
!
interface Ethernet0/2
description Mreza za virtualne masine- mail server, wsus....
nameif DMZ
security-level 50
ip address 172.16.20.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name dri.local
object network VPN-POOL
subnet 192.168.50.0 255.255.255.0
description VPN Client pool
object network LAN-NETWORK
subnet 192.168.0.0 255.255.255.0
description LAN Network
object network NETWORK_OBJ_192.168.0.0_24
subnet 192.168.0.0 255.255.255.0
object network 192.168.0.10
host 192.168.0.10
object service ssl
service tcp destination eq 465
object service tls
service tcp destination eq 995
object network mail_server
host 172.16.20.201
object service StartTLS
service tcp destination eq 587
object service admin_port
service tcp destination eq 444
object service ODMR
service tcp destination eq 366
object service SSL-IMAP
service tcp destination eq 993
object network remote
host 172.16.20.200
object network test
host 192.168.0.22
object network mail
host 172.16.20.200
object network DMZ
host 172.16.20.200
object network Inside_DMZ
host 192.168.0.20
object service rdp
service tcp destination eq 3389
object network DRI_PS99
host 192.168.0.54
object service microsoft_dc
service tcp destination eq 445
object service https448
service tcp destination eq 448
object network mail_server_internal
host 172.16.20.201
object service Acronis_remote
service tcp destination eq 9876
object service Acronis_25001
service tcp destination eq 25001
object service HTTP3000
service tcp destination eq 3000
object network VPNPOOL
subnet 192.168.50.0 255.255.255.0
object-group network PAT-SOURCE-NETWORKS
description Source networks for PAT
network-object 192.168.0.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object object admin_port
service-object object ssl
service-object object tls
service-object object https448
object-group service DM_INLINE_SERVICE_2
service-object object admin_port
service-object object https448
service-object object ssl
service-object object tls
service-object tcp destination eq pop3
service-object tcp destination eq smtp
object-group service DM_INLINE_SERVICE_3
service-object object admin_port
service-object object https448
service-object object ssl
service-object tcp destination eq smtp
service-object object tls
service-object object Acronis_remote
service-object tcp destination eq www
service-object object Acronis_25001
service-object object microsoft_dc
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object tcp
object-group service DM_INLINE_SERVICE_4
service-object object Acronis_25001
service-object object Acronis_remote
service-object object microsoft_dc
service-object tcp destination eq www
service-object tcp
service-object ip
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any object mail_server
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object mail
access-list Split_Tunnel_List extended permit ip 192.168.0.0 255.255.255.0 any
access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list DMZ extended permit object-group DM_INLINE_SERVICE_4 172.16.20.0 255.255.255.0 any
access-list DMZ extended permit object-group DM_INLINE_SERVICE_3 host 172.16.20.201 any
access-list DMZ extended permit object-group DM_INLINE_PROTOCOL_1 172.16.20.0 255.255.255.0 any inactive
access-list DMZ extended deny tcp any any eq smtp
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
ip local pool vpnadrese 192.168.50.1-192.168.50.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static LAN-NETWORK LAN-NETWORK destination static VPN-POOL VPN-POOL
!
object network mail_server
nat (DMZ,outside) static x.x.x.179
object network mail
nat (DMZ,outside) static x.x.x.180
access-group outside_access_in in interface outside
access-group DMZ in interface DMZ
route outside 0.0.0.0 0.0.0.0 178.254.133.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
action terminate
dynamic-access-policy-record dripolisa
aaa-server DRI protocol ldap
aaa-server DRI (inside) host 192.168.0.20
ldap-base-dn DC=dri,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=dragan urukalo,OU=novisad,OU=sektor2,OU=REVIZIJA,DC=dri,DC=local
server-type microsoft
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
virtual telnet 192.168.1.12
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 195.222.96.223
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.0.14-192.168.0.45 inside
!
dhcpd address 172.16.20.2-172.16.20.150 DMZ
dhcpd dns x.x.x.177 interface DMZ
dhcpd auto_config outside interface DMZ
dhcpd option 6 ip x.x.x.177 interface DMZ
dhcpd enable DMZ
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GroupPolicy_x.x.x.223 internal
group-policy GroupPolicy_x.x.x.223 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy drivpn internal
group-policy drivpn attributes
dns-server value 192.168.0.20 192.168.0.254
vpn-simultaneous-logins 10
vpn-idle-timeout 30
vpn-tunnel-protocol ikev1 l2tp-ipsec
split-tunnel-network-list value Split_Tunnel_List
default-domain value dri.local
username driadmin password AojCAMO/soZo8W.W encrypted privilege 15
tunnel-group drivpn type remote-access
tunnel-group drivpn general-attributes
address-pool vpnadrese
authentication-server-group DRI
default-group-policy drivpn
tunnel-group drivpn ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group x.x.x.223 type ipsec-l2l
tunnel-group x.x.x.223 general-attributes
default-group-policy GroupPolicy_x.x.x.223
tunnel-group x.x.x.223 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect tftp
inspect ip-options
inspect netbios
inspect icmp
inspect http
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:69c651e94663fc570b67e0c4c0dcbae1
: end

running config asa 5505

Result of the command: "show run"

: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password csq7sfr0bQJqMGET encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.5.0 PALATA
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.17 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.13.74.33 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp
service-object icmp echo
service-object icmp echo-reply
service-object tcp eq domain
service-object tcp eq ldap
service-object tcp eq smtp
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object tcp eq domain
service-object tcp eq www
service-object tcp eq https
service-object tcp eq smtp
object-group service Sharepoint8080 tcp
port-object eq 8080
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 192.168.0.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 PALATA 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.0.0 255.255.255.0 PALATA 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 192.168.0.0 255.255.255.0 PALATA 255.255.255.0
pager lines 24
logging enable
logging asdm informational
logging mail errors
logging from-address
logging recipient-address level debugging
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 192.168.0.0 255.255.255.0
static (inside,outside) 10.13.74.35 192.168.0.22 netmask 255.255.255.255
static (inside,outside) 10.13.74.34 192.168.0.20 netmask 255.255.255.255 dns
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.13.74.1 1
route inside 0.0.0.0 0.0.0.0 192.168.0.17 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
http server enable
http 10.13.74.0 255.255.255.0 outside
http 192.168.0.0 255.255.255.0 inside
http 10.15.100.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
virtual telnet 192.168.0.53
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_2_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 10.15.100.15
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username driadmin password AojCAMO/soZo8W.W encrypted privilege 15
tunnel-group 10.15.100.15 type ipsec-l2l
tunnel-group 10.15.100.15 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
smtp-server 173.194.79.109
prompt hostname context
Cryptochecksum:4767b6764cb597f0a7b8b138587d4192
: end

Thank you

Hello

I have previously edited the my initial response was in fact not necessary since you were actually using full Tunnel

EDIT: Actually just noticed the the VPN client isnt using Split Tunnel. Its Full Tunnel at the moment since it doesnt have the "split-tunnel-policy tunnelspecified"

So you don't really have any of those.

Please mark the question answers and/or assess response

Ask more if necessary

-Jouni

Logging strange problem with PIX

Since I upgraded to v7.0 on my PIX525 I noticed a weird problem that I have been unable to resolve in what concerns my PIX syslogging. A handful of times a week, I get messages stating that my email gateway trying to send about 4.2 GB e-mail messages to mail servers different.

Problem is I don't see any indication of this in my mail server logs, my SMTP gateway logs, and my bandwidth monitor is not reported this. We move usually about 1.5 GB per day through our internet pipe so if there was a 4.2 GB extra traffic, I know. I tried to sniff the traffic of the mail server and I do not take into account everything that matches the entry in syslog. I can't find any info regarding no matter where this and I was wondering if anyone has seen this issue.

Thank you.

Trac bug Cisco messages the following warning, corrected in version 7.02:

CSCeh96708 Yes Syslog reports erroneous transfer size in syslog TCP disassembly 302014

Please upgrade to version 7.02 and these messages will be fixed.

Please rate this post if this has been helpful.

Cisco router 1921 internet problem with a site-to-site vpn connection

I have TE-data Modem 3com dsl connection in 2 sites. and I have 2 routers cisco 1921 and there is a vpn site-to-site between them and

the VPN connection works well. and I configured the PAT on one of them to allow users access to the internet but tere is a problem:

all users can ping a public ip address

all users can ping any URL

but there is no navigation of the internet

and it's configuration

NOZHA #sh run
Building configuration...

Current configuration: 2425 bytes
!
! Last configuration change at 11:24:08 UTC Thu Sep 20 2012
!
version 15.0
horodateurs service debug datetime msec
Log service timestamps datetime msec
no password encryption service
!
hostname NOZHA
!
boot-start-marker
boot-end-marker
!
enable secret 5
!
No aaa new-model
!
!
!
!
No ipv6 cef
IP source-route
IP cef
!
!
!
IP dhcp pool 1
network 192.168.40.0 255.255.255.0
router by default - 192.168.40.1
4.2.2.2 DNS Server 8.8.8.8
Infinite rental
!
!
IP domain name shady2012
!
Authenticated MultiLink bundle-name Panel
!
!
!
license udi pid CISCO1921/K9 sn FCZ1432C5KM
licence start-up module c1900 technology-package securityk9
!
!
!
redundancy
!
!
!
!
crypto ISAKMP policy 10
BA aes
preshared authentication
Group 2
ISAKMP crypto key shady2012 address 81.10.xxx.yy
!
!
Crypto ipsec transform-set shady2012 aes - esp esp-sha-hmac
!
card crypto 150 s2s - VPN ipsec-isakmp
the value of 81.10.xxx.yy peer
PFS group2 Set
match address s2s-vpn-Oly
!
!
!
!
!
interface GigabitEthernet0/0
MTU 1000
IP address 41.41.xx.yy 255.255.255.252
NAT outside IP
activate nat IP
IP virtual-reassembly
automatic duplex
automatic speed
s2s - VPN crypto card
!
!
interface GigabitEthernet0/1
192.168.40.1 IP address 255.255.255.0
IP nat inside
activate nat IP
IP virtual-reassembly
automatic duplex
automatic speed
!
!
default IP gateway (hop 41.41.xx.yy) next
IP forward-Protocol ND
!
no ip address of the http server
no ip http secure server
!
The dns server IP
overload of the IP nat source list mypool GigabitEthernet0/0 interface
IP route 0.0.0.0 0.0.0.0 41.41.xx.yy
IP route 192.168.20.0 255.255.255.0 (41.41.xx.yy) next hop
IP route 192.168.30.0 255.255.255.0 (41.41.xx.yy) next hop
!
mypool extended IP access list
deny ip 192.168.21.0 0.0.0.255 192.168.20.0 0.0.0.255
deny ip 192.168.21.0 0.0.0.255 192.168.30.0 0.0.0.255
deny ip 192.168.40.0 0.0.0.255 192.168.20.0 0.0.0.255
deny ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255
allow an ip
s2s-vpn-Oly extended IP access list
ip permit 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255
IP 192.168.21.0 allow 0.0.0.255 192.168.20.0 0.0.0.255
IP 192.168.30.0 allow 0.0.0.255 192.168.40.0 0.0.0.255
ip licensing 192.168.20.0 0.0.0.255 192.168.21.0 0.0.0.255
ip permit 192.168.40.0 0.0.0.255 192.168.20.0 0.0.0.255
IP 192.168.21.0 allow 0.0.0.255 192.168.30.0 0.0.0.255
!
!
!
!
!
!
!
control plan
!
!
!
Line con 0
line to 0
line vty 0 4
password
opening of session
!
Scheduler allocate 20000 1000
end

If anyone has the answer please answer ASAP

When you say can ping any URL, I am assuming that you are pinging of the FULL domain name, IE: it is resolved to an ip address, right?

If you disable the VPN, can you access the internet?

You have a proxy server or anything that could block navigation?

This error message you get on your web browser?

Also try another web browser, and none works?

I have a problem with the security of the VPN.

Oriiginal title: security of the VPN

Windows XP and Windows 7.

We have some external users that connect to our network via a VPN PPTP tunnel. They use the standard VPN Wizard in Windows to set up the connection. Once they are connected, their traffic is encrypted and secure, I am led to understand. HOWEVER, before they connect and are put on and transmitting their VPN user name and password, what protection is in place? Can people catch their powers say if they use a public wireless connection? Or more succinctly, are transmitted in clear text or encrypted letters from original claim VPN?

Hi Dr. Doug Pruiett,

I suggest you to report the issue in the following link for assistance.

http://social.technet.Microsoft.com/forums/Hu/w7itpronetworking/thread/41632887-9234-46f7-8B76-6538e061d47a

I hope that helps!

Problems with site-to-site vpn

Hello world

I recently received the mission assigned to the site to site vpn configuration and this is my first time. I'm trying to set up a vpn with pix 501 but short questions site. I managed to get that below, but I'm stuck now and do not know what could be the problem. Here's the debug output.

Any help is greatly appreciated on what could be the potential problem.

-AK

ISAKMP (0:0): sending of NAT - T vendor ID - rev 2 & 3
ISAKMP (0): early changes of Main Mode
crypto_isakmp_process_block:src:208.249.117.203, dest:70.91.20.245 spt:500 dpt:500
Exchange OAK_MM
ISAKMP (0): treatment ITS payload. Message ID = 0

ISAKMP (0): audit ISAKMP transform 1 against 20 priority policy
ISAKMP: 3DES-CBC encryption
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: preshared auth
ISAKMP: type of life in seconds
ISAKMP: duration of life (basic) of 28800
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): load useful treatment vendor id

ISAKMP (0): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication

to return to the State is IKMP_NO_ERROR
crypto_isakmp_process_block:src:208.249.117.203, dest:70.91.20.245 spt:500 dpt:5
00
Exchange OAK_MM
ISAKMP (0): processing KE payload. Message ID = 0

ISAKMP (0): processing NONCE payload. Message ID = 0

ISAKMP (0): load useful treatment vendor id

ISAKMP (0): load useful treatment vendor id

ISAKMP (0): provider v6 code received xauth

ISAKMP (0): load useful treatment vendor id

ISAKMP (0): addressing another box of IOS!

ISAKMP (0): load useful treatment vendor id

ISAKMP (0): addressing a VPN3000 concentrator

ISAKMP (0): ID payload
next payload: 8
type: 1
Protocol: 17
Port: 0
Length: 8
ISAKMP (0): the total payload length: 12
to return to the State is IKMP_NO_ERROR
crypto_isakmp_process_block:src:208.249.117.203, dest:70.91.20.245 spt:500 dpt:5
00
Exchange OAK_MM
ISAKMP (0): processing ID payload. Message ID = 0
ISAKMP (0): HASH payload processing. Message ID = 0
ISAKMP (0): keep treatment alive: proposal = 32767/32767 sec., real = 3276/2 sec.

ISAKMP (0): load useful treatment vendor id

ISAKMP (0): Peer Remote supports dead peer detection

ISAKMP (0): SA has been authenticated.

ISAKMP (0): start Quick Mode changes, 413131006:189fe0feIPSEC (key_e M - ID
(Display): had an event of the queue...
IPSec (spi_response): spi 0x3e9451fa graduation (1049907706) for SA
from 208.249.117.203 to 70.91.20.245 for prot 3

to return to the State is IKMP_NO_ERROR
ISAKMP (0): send to notify INITIAL_CONTACT
ISAKMP (0): sending message 24578 NOTIFY 1 protocol
Peer VPN: ISAKMP: approved new addition: ip:208.249.117.203/500 Total VPN peer: 1
Peer VPN: ISAKMP: ip:208.249.117.203/500 Ref cnt is incremented to peers: 1 Total VPN
Peers: 1
crypto_isakmp_process_block:src:208.249.117.203, dest:70.91.20.245 spt:500 dpt:5
00
ISAKMP (0): processing DELETE payload. Message ID = 3425658127, spi size = 16
ISAKMP (0): delete SA: src 70.91.20.245 dst 208.249.117.203
to return to the State is IKMP_NO_ERR_NO_TRANS
ISADB: Reaper checking HIS 0xac149c, id_conn = 0 DELETE IT!

Peer VPN: ISAKMP: ip:208.249.117.203/500 Ref cnt decremented to peers: 0 Total VPN
Peers: 1
Peer VPN: ISAKMP: deleted peer: ip:208.249.117.203/500 VPN peer Total: 0IPSEC (ke
y_engine): got an event from the queue.
IPSec (key_engine_delete_sas): rec would remove the ISAKMP notify
IPSec (key_engine_delete_sas): remove all SAs shared with 208.249.117.203
IPSec (key_engine): request timer shot: count = 2,.
local (identity) = 70.91.20.245, distance = 208.249.117.203.
local_proxy = 0.0.0.0/0.0.0.0/0/0 (type = 4),
remote_proxy = 206.200.22.0/255.255.255.0/0/0 (type = 4)

Hello

Newspapers, I see you are using a VPN 3000 Concentrator as the remote vpn end point. Now, also of the debugs next section is interesting:

local (identity) = 70.91.20.245, distance = 208.249.117.203.
local_proxy = 0.0.0.0/0.0.0.0/0/0 (type = 4),
remote_proxy = 206.200.22.0/255.255.255.0/0/0 (type = 4)

-Looks like our traffic interesting PIX and the hub are not mirrors of each other, and does not. Can you please paste the PIX here cryptographic access lists, so that I can analyze the entries.

-Also, please make sure that you have followed all the steps during the vpn configuration according to the following links:

If your PIX is running at version 7.x and more: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008064a06f.shtml

If your PIX is running version 6.3.x: http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800949d2.shtml

Once you check the config on PIX and concentrator, please provide me with the output of "sh cry isa his" and "sh cry ipsec his ' of the PIX. With this release, we can continue to troubleshoot if there is more questions.

Let me know if this can help,

See you soon,.

Christian V

IPSec VPN pix 501 no LAN access

I'm trying to set up an IPSec VPN in a basic small business scenario. I am able to connect to my pix 501 via IPSec VPN and browse the internet, but I am unable to ping or you connect to all devices in the Remote LAN. Here is my config:

: Saved

:

6.3 (3) version PIX

interface ethernet0 car

interface ethernet1 100full

nameif ethernet0 WAN security0

nameif ethernet1 LAN security99

enable encrypted password xxxxxxxxxxxxx

xxxxxxxxxxxxxxxxx encrypted passwd

host name snowball

domain xxxxxxxxxxxx.local

clock timezone PST - 8

fixup protocol dns-length maximum 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol pptp 1723

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol 2000 skinny

No fixup not protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names of

acl_in list of access permit udp any any eq field

acl_in list of access permit udp any eq field all

acl_in list access permit tcp any any eq field

acl_in tcp allowed access list any domain eq everything

acl_in list access permit icmp any any echo response

access-list acl_in allow icmp all once exceed

acl_in list all permitted access all unreachable icmp

acl_in list access permit tcp any any eq ssh

acl_in list access permit tcp any any eq www

acl_in tcp allowed access list everything all https eq

acl_in list access permit tcp any host 192.168.5.30 eq 81

acl_in list access permit tcp any host 192.168.5.30 eq 8081

acl_in list access permit tcp any host 192.168.5.22 eq 8081

acl_in list access permit icmp any any echo

access-list acl_in permit tcp host 76.248.x.x a

access-list acl_in permit tcp host 76.248.x.x a

allow udp host 76.248.x.x one Access-list acl_in

access-list acl_out permit icmp any one

ip access list acl_out permit a whole

acl_out list access permit icmp any any echo response

acl_out list access permit icmp any any source-quench

allowed any access list acl_out all unreachable icmp

access-list acl_out permit icmp any once exceed

acl_out list access permit icmp any any echo

Allow Access-list no. - nat icmp a whole

access-list no. - nat ip 192.168.5.0 allow 255.255.255.0 172.16.0.0 255.255.0.0

access-list no. - nat ip 172.16.0.0 allow 255.255.0.0 any

access-list no. - nat permit icmp any any echo response

access-list no. - nat permit icmp any any source-quench

access-list no. - nat icmp permitted all all inaccessible

access-list no. - nat allow icmp all once exceed

access-list no. - nat permit icmp any any echo

pager lines 24

MTU 1500 WAN

MTU 1500 LAN

IP address WAN 65.74.x.x 255.255.255.240

address 192.168.5.1 LAN IP 255.255.255.0

alarm action IP verification of information

alarm action attack IP audit

IP local pool pptppool 172.16.0.2 - 172.16.0.13

PDM logging 100 information

history of PDM activate

ARP timeout 14400

Global (WAN) 1 interface

NAT (LAN) - access list 0 no - nat

NAT (LAN) 1 0.0.0.0 0.0.0.0 0 0

static (LAN, WAN) 65.x.x.37 192.168.5.10 netmask 255.255.255.255 0 0

static (LAN, WAN) 65.x.x.36 192.168.5.20 netmask 255.255.255.255 0 0

static (LAN, WAN) 65.x.x.38 192.168.5.30 netmask 255.255.255.255 0 0

static (LAN, WAN) 65.x.x.39 192.168.5.40 netmask 255.255.255.255 0 0

static (LAN, WAN) 65.x.x.42 192.168.5.22 netmask 255.255.255.255 0 0

static (LAN, WAN) 65.x.x.43 192.168.5.45 netmask 255.255.255.255 0 0

static (LAN, WAN) 65.x.x.44 192.168.5.41 netmask 255.255.255.255 0 0

static (LAN, WAN) 65.x.x.45 192.168.5.42 netmask 255.255.255.255 0 0

static (LAN, WAN) 65.x.x.46 192.168.5.44 netmask 255.255.255.255 0 0

static (LAN, WAN) 65.x.x.41 192.168.5.21 netmask 255.255.255.255 0 0

acl_in access to the WAN interface group

access to the LAN interface group acl_out

Route WAN 0.0.0.0 0.0.0.0 65.x.x.34 1

Timeout xlate 0:05:00

Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

Timeout, uauth 0:05:00 absolute

GANYMEDE + Protocol Ganymede + AAA-server

RADIUS Protocol RADIUS AAA server

AAA-server local LOCAL Protocol

NTP server 72.14.188.195 source WAN

survey of 76.248.x.x WAN host SNMP Server

location of Server SNMP Sacramento

SNMP Server contact [email protected] / * /

SNMP-Server Community xxxxxxxxxxxxx

SNMP-Server enable traps

enable floodguard

the string 1 WAN fragment

Permitted connection ipsec sysopt

Sysopt connection permit-pptp

Crypto ipsec transform-set esp - esp-md5-hmac RIGHT

Crypto-map dynamic dynmap 10 transform-set RIGHT

map mymap 10-isakmp ipsec crypto dynamic dynmap

client configuration address map mymap crypto initiate

client configuration address map mymap crypto answer

card crypto mymap WAN interface

ISAKMP enable WAN

ISAKMP nat-traversal 20

part of pre authentication ISAKMP policy 10

encryption of ISAKMP policy 10

ISAKMP policy 10 md5 hash

10 2 ISAKMP policy group

ISAKMP life duration strategy 10 86400

vpngroup myvpn address pptppool pool

vpngroup myvpn Server dns 192.168.5.44

vpngroup myvpn by default-field xxxxxxxxx.local

vpngroup split myvpn No. - nat tunnel

vpngroup idle 1800 myvpn-time

vpngroup myvpn password *.

Telnet 192.168.5.0 255.255.255.0 LAN

Telnet timeout 5

SSH 192.168.5.0 255.255.255.0 LAN

SSH timeout 30

Console timeout 0

VPDN group pptpusers accept dialin pptp

VPDN group ppp authentication pap pptpusers

VPDN group ppp authentication chap pptpusers

VPDN group ppp mschap authentication pptpusers

VPDN group ppp encryption mppe 128 pptpusers

VPDN group pptpusers client configuration address local pptppool

VPDN group pptpusers customer 192.168.5.44 dns configuration

VPDN group pptpusers pptp echo 60

VPDN group customer pptpusers of local authentication

VPDN username password xxx *.

VPDN username password xxx *.

VPDN enable WAN

dhcpd address 192.168.5.200 - 192.168.5.220 LAN

dhcpd 192.168.5.44 dns 8.8.8.8

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd enable LAN

username privilege 0 encrypted password xxxxxxxxxx xxxxxxxxxxx

username privilege 0 encrypted password xxxxxxxxxx xxxxxxxxxxx

Terminal width 80

Cryptochecksum:xxxxxxxxxxxxxxxxxx

: end

I'm sure it has something to do with NAT or an access list, but I can't understand it at all. I know it's a basic question, but I would really appreaciate help!

Thank you very much

Trevor

"No. - nat' ACL doesn't seem correct, please make sure you want to remove the following text:

do not allow any No. - nat icmp access list a whole

No No. - nat ip 172.16.0.0 access list allow 255.255.0.0 any

No No. - nat access list permit icmp any any echo response

No No. - nat access list permit icmp any any source-quench

No No. - nat access list permit all all unreachable icmp

No No. - nat access list do not allow icmp all once exceed

No No. - nat access list only allowed icmp no echo

You must have 1 line as follows:

access-list no. - nat ip 192.168.5.0 allow 255.255.255.0 172.16.0.0 255.255.0.0

Please 'clear xlate' after the changes described above.

In addition, if you have a personal firewall enabled on the host you are trying to connect from the Client VPN, please turn it off and try again. Personal firewall of Windows normally blocks the traffic of different subnets.

Hope that helps.

Problem with VPN compatibility between 2811 and 2911

Hello

I would ask anyone had problems with the implementation of a VPN tunnel between 2811 and 2911?

The IPSec VPN is established, but for some reason, I cannot ping the side LAN across LAN to the other end of the VPN router?

All experience would be highly appreciated

Thank you

IPSec VPN can be smoothly between routers cisco (and not nesesserely cisco) set up, so there should be no problem in your case.

If you say that this tunnel is established successfully, then the problem most likely related to routing problems between sites or incorrect configured crypto-acl. Check if the hosts located on both sites have correct routing information on how to get to subnets on the other site.

Make more accurate assumptions, it would be helpful that you provide config on both sites and describe your topology.

PPTP VPN pix 501 question

I'm relatively new to the security stuff. I'm a guy of the voice. I created a Pix 501 for IPSEC VPN and works very well. Then I tried it setting up PPTP VPN. I use Windows XP to connect. It connects fine, but I can't ping to the inside interface on the PIX. I can do this by using IPSEC. Any ideas? Here is my config:

:

6.3 (3) version PIX

interface ethernet0 car

interface ethernet1 100full

ethernet0 nameif outside security0

nameif ethernet1 inside the security100

activate the password * encrypted

passwd * encrypted

host name *.

domain name *.

fixup protocol dns-length maximum 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol pptp 1723

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol 2000 skinny

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names of

access-list 101 permit icmp any any echo response

access-list 80 allow ip 10.0.0.0 255.255.255.0 192.168.5.0 255.255.255.0

access-list ip 10.0.0.0 sheep allow 255.255.255.0 192.168.5.0 255.255.255.0

access-list ip 10.0.0.0 sheep allow 255.255.255.0 192.168.6.0 255.255.255.0

pager lines 24

opening of session

emergency logging console

Outside 1500 MTU

Within 1500 MTU

IP address outside of *. *. *. * 255.255.255.0

IP address inside 10.0.0.1 255.255.255.0

alarm action IP verification of information

alarm action attack IP audit

IP local pool pool1 192.168.5.100 - 192.168.5.200

IP local pool pool2 192.168.6.100 - 192.168.6.200

history of PDM activate

ARP timeout 14400

Global 1 interface (outside)

NAT (inside) 0 access-list sheep

NAT (inside) 1 10.0.0.0 255.0.0.0 0 0

Access-group 101 in external interface

Route outside 0.0.0.0 0.0.0.0 *. *. *. * 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

Timeout, uauth 0:05:00 absolute

GANYMEDE + Protocol Ganymede + AAA-server

RADIUS Protocol RADIUS AAA server

AAA-server local LOCAL Protocol

the ssh LOCAL console AAA authentication

No snmp server location

No snmp Server contact

SNMP-Server Community public

No trap to activate snmp Server

enable floodguard

Permitted connection ipsec sysopt

Sysopt connection permit-pptp

Sysopt connection permit-l2tp

Crypto ipsec transform-set high - esp-3des esp-sha-hmac

Crypto ipsec transform-set esp - esp-md5-hmac RIGHT

Crypto dynamic-map cisco 4 strong transform-set - a

Crypto-map dynamic dynmap 10 transform-set RIGHT

Cisco dynamic of the partners-card 20 crypto ipsec isakmp

partner-map interface card crypto outside

card crypto 10 PPTP ipsec-isakmp dynamic dynmap

ISAKMP allows outside

ISAKMP key * address 0.0.0.0 netmask 0.0.0.0

ISAKMP nat-traversal 20

part of pre authentication ISAKMP policy 8

ISAKMP strategy 8 3des encryption

ISAKMP strategy 8 md5 hash

8 2 ISAKMP policy group

ISAKMP life duration strategy 8 the 86400

vpngroup address pool1 pool test

vpngroup default-field lab118 test

vpngroup split tunnel 80 test

vpngroup test 1800 idle time

Telnet timeout 5

SSH 10.0.0.0 255.0.0.0 inside

SSH 192.168.5.0 255.255.255.0 inside

SSH 192.168.6.0 255.255.255.0 inside

SSH timeout 5

management-access inside

Console timeout 0

VPDN PPTP-VPDN-group accept dialin pptp

VPDN group PPTP-VPDN-GROUP ppp authentication chap

VPDN group PPTP-VPDN-GROUP ppp mschap authentication

VPDN group PPTP-VPDN-GROUP ppp encryption mppe auto

VPDN group VPDN GROUP-PPTP client configuration address local pool2

VPDN group VPDN GROUP-PPTP client configuration dns 8.8.8.8

VPDN group VPDN GROUP-PPTP pptp echo 60

VPDN group VPDN GROUP-PPTP client for local authentication

VPDN username bmeade password *.

VPDN allow outside

You will have to connect to an internal system inside and out run the PIX using pptp.

For ssh access the PIX, you will also need additional configuration, see the section on code PIX pre 7.x, section access ssh to the security apparatus .

http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a008069bf1b.shtml#C4

Concerning

Problem with PIX 501-&gt; L2L 1721 VPN

Similar Questions

Maybe you are looking for

Problem with PIX 501-> L2L 1721 VPN