Question on ISAKMP POLICY < priority > GROUP?

Good evening everyone,

I have a few questions about assigning an ISAKMP group to a 4th connection. I read that I'm only allowed to use groups 1, 2 and 5 (on PIX-to-PIX firewalls), but I've exhausted all 3 groups with my existing connections, and I'm currently adding another off-site office to the network but can't understand how; it needs to be in 3DES as well.

These are my configs for the 3 existing sites; how could I add the 4th site with 3DES encryption?

crypto ipsec transform-set AAA esp-3des esp-md5-hmac
crypto ipsec transform-set BBB esp-3des esp-md5-hmac
crypto ipsec transform-set CCC esp-3des esp-md5-hmac

crypto map vpn_remote 10 ipsec-isakmp
crypto map vpn_remote 10 match address AAA
crypto map vpn_remote 10 set peer www.xxx.yyy.zzz
crypto map vpn_remote 10 set transform-set AAA

crypto map vpn_remote 20 match address BBB
crypto map vpn_remote 20 set peer www.xxx.yyy.zzz
crypto map vpn_remote 20 set transform-set BBB

crypto map vpn_remote 30 ipsec-isakmp
crypto map vpn_remote 30 match address CCC
crypto map vpn_remote 30 set peer www.xxx.yyy.zzz
crypto map vpn_remote 30 set transform-set CCC

crypto map vpn_remote interface outside

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400

isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 5
isakmp policy 30 lifetime 86400

Thank you in advance, I hope someone can give me some input on this.

CYM

You do not need N ISAKMP policies to support N IKE associations. You can use one for all remote locations. You could live with isakmp policy 10 and use Diffie-Hellman group 1, 2 or 5 (you do not need all three). Just make sure that there are individual crypto map entries for each site (unless you're doing dynamic VPN).

Also, you do not need separate transform-sets, because you use the same encryption methods in all three transform sets that you have defined.

If you do not want to change the configs above, all you have to do is create an isakmp key, as well as a new crypto map instance 40 for the 4th remote site.
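How phase 1 policy matching makes the answer above work, as an added Python example (not from the thread or from Cisco): ISAKMP policies are global to the device, and a responder checks its own policies in priority order against whatever the peer offers, so several sites can share one policy. The function names, site names and the retyped sample config are assumptions for illustration; lifetime comparison is not modelled.

```python
import re

# Constructed sample: the question's three phase 1 policies in PIX
# "isakmp policy <priority> <attribute> <value>" form.
PIX_CONFIG = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 5
isakmp policy 30 lifetime 86400
"""

# Attributes that must be identical on both peers for a policy to match.
# Lifetime is left out: this sketch does not model lifetime comparison.
MATCH_KEYS = ("authentication", "encryption", "hash", "group")
POLICY_LINE = re.compile(r"^\s*isakmp policy (\d+) (\S+) (\S+)\s*$", re.I)


def parse_policies(config):
    """Return {priority: {attribute: value}} from 'isakmp policy' lines."""
    policies = {}
    for line in config.splitlines():
        m = POLICY_LINE.match(line)
        if m:
            attrs = policies.setdefault(int(m.group(1)), {})
            attrs[m.group(2).lower()] = m.group(3).lower()
    return policies


def proposal(group, encryption="3des", hash_="md5", authentication="pre-share"):
    """Build one phase 1 proposal as a peer would offer it (hypothetical helper)."""
    return {"authentication": authentication, "encryption": encryption,
            "hash": hash_, "group": str(group)}


def select_policy(local, offered):
    """Responder view: check local policies from the lowest priority number
    up and return the first one equal to any offered proposal, else None."""
    for priority in sorted(local):
        mine = tuple(local[priority].get(k) for k in MATCH_KEYS)
        if None in mine:
            continue  # incomplete policy: device defaults are not modelled here
        if any(mine == tuple(p.get(k) for k in MATCH_KEYS) for p in offered):
            return priority
    return None


def policies_per_site(local, sites):
    """Map each site name to the local policy its proposals would select."""
    return {name: select_policy(local, offered) for name, offered in sites.items()}


if __name__ == "__main__":
    local = parse_policies(PIX_CONFIG)
    # Four sites (placeholder names) that all offer the same group 2 proposal.
    sites = {name: [proposal(2)] for name in ("site1", "site2", "site3", "site4")}
    print(policies_per_site(local, sites))
    # A peer offering group 5 and group 1 is matched on policy 10 (group 1),
    # because the weakest policy carries the lowest priority number.
    print(select_policy(local, [proposal(5), proposal(1)]))
    # With a single local policy, any other offer finds no match.
    print(select_policy({30: local[30]}, [proposal(1)]))
```

Numbering the strongest policy lowest, or keeping only one policy, removes the case where a peer that offers group 1 is accepted on it.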

Tags: Cisco Security

Similar Questions

  • Disable the default ISAKMP policy?

    Is there no way to disable or change the default ISAKMP policy?  I created policy number 20, which is used in a site-to-site VPN, but in vain: for a quarterly PCI scan the results come back failed due to successful phase 1 authentication with DES/DH768 encryption.  I reproduced these results with the help of ike-scan with explicit DES/DH768 parameters.

    This is a 2600 router and I just upgraded to IOS 12.4(23) because I came across Cisco documentation (http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_c4.html) which says that 12.4(20) introduced the "no crypto isakmp default policy" command - but I still do not see this command available to me.  Here are the results of sh crypto isakmp policy:

    Protection suite of priority 20
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bits)
        lifetime:               86400 seconds, no volume limit
    Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56-bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bits)
        lifetime:               86400 seconds, no volume limit

    Any help would be greatly appreciated!

    Hello Anthony,

    I saw the link you provided.  It seems that this command was introduced in 12.4(20)T... note the T.  This indicates that it is only in the T-train, or technology train, and only seen in other 12.4T code or the newer 15.x train.

    You say that your router is running 12.4(23), implicitly Mainline (M) code.

    The last T code for the 2600 seems to be 12.4(15)T, so it does seem that you can enable this feature in order to disable the default policies.  It also seems that the 2600 series is retired, as no new code is released March 27, 2010.

    http://www.Cisco.com/en/us/products/HW/routers/ps259/prod_eol_notices_list.html

    Looks like you may be out of luck and may need to look into buying a newer model router to get the newest software support and the ability to disable the default isakmp suite.

    Of course, it should be noted that while they can establish an ISAKMP session, they will really be authenticated by the router in MM message 5, as most people use internal CAs for certificates on the VPN.

    I hope this helps.

    Kind regards

    Craig

  • How does the crypto map know what ISAKMP policy to use?

    ip access-list extended ACL_SITE1_TO_SITE2
     permit ip 10.0.12.0 0.0.0.255 10.0.22.0 0.0.0.255
    !
    crypto isakmp policy 10
     encr aes
     hash sha256
     authentication pre-share
     group 14
    crypto isakmp policy 20
     encr aes 256
     hash sha512
     authentication pre-share
     group 16
    crypto isakmp key cisco123 address 200.0.2.2
    !
    crypto ipsec transform-set [TRANS_SET]PHASE_2 esp-aes esp-sha256-hmac
     mode tunnel
    !
    crypto map [CRYPT_MAP]VPN_SITE1_TO_SITE2 11 ipsec-isakmp
     set peer 200.0.2.2
     set transform-set [TRANS_SET]PHASE_2
     match address ACL_SITE1_TO_SITE2
    !
    interface FastEthernet0/0
     ip address 200.0.1.1 255.255.255.0
     crypto map [CRYPT_MAP]VPN_SITE1_TO_SITE2

    How does the crypto map know which ISAKMP policy to use, or to use an ISAKMP policy at all?

    Does it come from "ipsec-isakmp"?

    I mean... I do not see any "set isakmp policy 10" in the crypto map.

    Does it just choose with a top-down approach?

    It is part of the phase 1 negotiation, and it is a top-down proposal based on the sequence number.  You can get the details for the tunnel using:

    debug crypto isakmp

    Cisco IOS has built-in default ISAKMP policies, but the pre-15.x defaults were terrible.  The new default values are strong, although I still like to configure them myself.

  • What are the differences between the services and site domain group policy and group policy?

    What are the differences between the services and site domain group policy and group policy?

    Server questions should be asked on the TechNet site.  http://social.technet.Microsoft.com/forums/en-us/home

  • Router Cisco 1941 - crypto isakmp policy command missing - IPSEC VPN

    Hi all

    I was looking around and I can't find the command 'crypto isakmp policy' on this Cisco 1941 router.  I just wanted to set up a regular LAN-to-LAN IPsec tunnel, and to my surprise the command isn't here.  Do I have the wrong IOS? I thought that a K9 image would do the trick.

    Any suggestions are appreciated

    That's what I get:

    Router(config)#crypto ?
      ca   Certification authority
      key  Long term key operations
      pki  Public Key components

    SHOW VER

    Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.0(1)M2, RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2010 by Cisco Systems, Inc.
    Compiled Thursday, March 10, 10 22:27 by prod_rel_team

    ROM: System Bootstrap, Version 15.0(1r)M6, RELEASE SOFTWARE (fc1)

    Router uptime is 52 minutes
    System returned to ROM by reload at 02:43:40 UTC Thursday, April 21, 2011
    System image file is "flash0:c1900-universalk9-mz.SPA.150-1.M2.bin"
    Last reload type: Normal Reload
    Last reload reason: Reload Command

    This product contains cryptographic features...

    Cisco CISCO1941/K9 (revision 1.0) with 487424K/36864K bytes of memory.
    Processor board ID FTX142281F4
    2 Gigabit Ethernet interfaces
    2 Serial(sync/async) interfaces
    DRAM configuration is 64 bits wide with parity disabled.
    255K bytes of non-volatile configuration memory.
    254464K bytes of ATA System CompactFlash 0 (Read/Write)

    License Info:

    License UDI:

    -------------------------------------------------
    Device#   PID                   SN
    -------------------------------------------------
    *0        CISCO1941/K9          FTX142281F4

    Technology Package License Information for Module:'c1900'

    ----------------------------------------------------------------
    Technology    Technology-package          Technology-package
                  Current       Type          Next reboot
    -----------------------------------------------------------------
    ipbase        ipbasek9      Permanent     ipbasek9
    security      None          None          None
    data          None          None          None

    Configuration register is 0x2102

    You need to get the security feature license to configure IPsec VPN.

    Currently, you have 'None' for the security feature:

    ----------------------------------------------------------------
    Technology    Technology-package          Technology-package
                  Current       Type          Next reboot
    -----------------------------------------------------------------
    ipbase        ipbasek9      Permanent     ipbasek9
    security      None          None          None
    data          None          None          None

    Here is the information about the licenses on router 1900 series:

    http://www.Cisco.com/en/us/partner/docs/routers/access/1900/hardware/installation/guide/Software_Licenses.html

  • How do I know what isakmp policy is in use?

    If you have a fully established (phase 1 and 2) VPN, is there a show command that allows you to see which ISAKMP policy was selected for this tunnel?

    Perhaps you would like to try to use "debug crypto isakmp" to see the negotiation of phase 1, if you have the option to disconnect and reestablish the tunnel.

    hope this helps

    http://www.Cisco.com/en/us/docs/iOS/12_3t/debug/command/reference/dbg_c3gt.html#wp1114438

  • Windows 2008: I can't open Group Policy Management: "To manage Group Policy, you must log on to the computer with a domain user account."

    Hi, please advise, I can't open Group Policy Management on Win Server 2008; it says
    "To manage Group Policy, you must log on to the computer with a domain user account."

    Hi Cucu KurniaPutra,

    Thanks for asking this question to Microsoft Community!

    The problem occurs in Windows Server 2008 Network, please post your request on the Microsoft TechNet forums to get help.

    Here is the link:

    http://social.technet.Microsoft.com/forums/en-us/category/WindowsServer

    It will be useful. For any other corresponding Windows help, do not hesitate to contact us and we will be happy to help you.

    Kind regards!

  • Provisioning of users of automated Seggregate using Access Policy-Diff groups/Org

    Hello

    By default, users created in IOM - via GTC / via self-registration / via administrator - they all are assigned to the "All Users" group Can we assign these users to another group, defined by the user, for example "trialgroup", default and Unassign the group "All Users". If so, how can we do?

    This issue is related to another question of mine:

    I want to avoid all the users that are created in the IOM system - to be all together put in service to a single IT resource in my case OID directly via the access policy that can be applied to each group. I want to keep the system extensible for future purposes. And the only way is to the provision of resources direct seggregate via access through different 'groups' strategy. So the solution I could think about was to assign all users who are currently created (via GTC and via the load mass in IOM) to a separate group and assign a policy of access to the group so that in the future if another resource comes into picture then the system can be extended by creating more groups and design of individual to separate for the same access policies.

    Does it make sense?

    Please provide your inputs! Advice/suggestions/ideas are welcome.

    TIA,
    -oidm.

    I'm actually not sure what you want to achieve from the content of this post. If you mean that you don't want each user in IOM to be provisioned in OID automatically via the access policy, then I suppose that in this case you apply the access policy to the ALL_USERS group.

    Well I miss the flow of your question, but here's what you can based on my understanding:

    (1) forget the ALL_USERS group. We cannot do anything about it. Any created user will be a part of this group, and you cannot delete a user in this group.
    (2) instead of what you can do is create another group, such as trialgroup and all users a member of this group as well. It would be simple to do. See the next step. Use the addMemberUser() of addMemberUser interface API.
    (3) create an adapter of the entity with an added javatask, which takes a username entry and assigns this user to this group (trialgroup) in the use of the IOM above API. Mount this adaptation for the trigger for insertion after the Manager of data objects "users." (He also has an other entity ootb adapter that adds all users to the Group of ALL_USERS).

    (4) attach your strategy of access to this group.
    (5) now you are also free to expand your system by creating more groups and access policies. It shouldn't be a problem.

    Thank you

    Sunny

  • ISE / Active Directory: question to get the users group

    Hello

    There is a strange problem:

    -Patch 1.2 ISE 8

    -No WLC, autonomous AP

    In authentication, we check wireless IEEE 802.11 (RADIUS) and cisco-av-pair (ssid), then we use AD.

    We have 3 SSID, so 3 rules, a GIVEN, one INVITED, one for the INTERNET.

    In a settlement more than grant permission of APs to save to WDS authentication: user in the local database.

    In the authorization, we check cisco-av-pair (ssid) and the Group of users AD, then we allow access.

    (so 3 rules) and a more to allow the basic internal for WDS.

    We have something strange:

    -Sometimes users can connect, but later they can't: the authorization log rejects the user because the AD group is not seen.

    Example:

    1 OK:

    Details of authentication

    Timestamp of source 2014-05-15 11:43:19.064
    Receipt of timestamp 2014-05-15 11:43:19.065
    Policy Server RADIUS
    Event 5200 successful authentication

    All user GROUPS are observed:

      fake
    AD ExternalGroups XX/users/admexch
    AD ExternalGroups XX/users/glkdp
    AD ExternalGroups x/users/gl journal writing
    AD ExternalGroups XX/users/pcanywhere
    AD ExternalGroups XX/users/wifidata
    AD ExternalGroups XX/computer/campus/recipients/aa computer
    AD ExternalGroups XX/computer/campus/recipients/aa business and cited
    AD ExternalGroups campus of XX/computer/campus/recipients/aa
    AD ExternalGroups XX/users/aiga_creches
    AD ExternalGroups XX/users/domain admins
    AD ExternalGroups XX/users/used. the domain
    AD ExternalGroups XX/users/replication group does the rodc password is denied
    AD ExternalGroups XX/microsoft exchange security groups/exchange view only administrators
    AD ExternalGroups Directors of XX/microsoft exchange security groups Exchange public folders
    AD ExternalGroups XX/users/certsvc_dcom_access
    AD ExternalGroups XX/builtin/Administrators
    AD ExternalGroups XX/builtin/users
    AD ExternalGroups XX/builtin/account operators
    AD ExternalGroups XX/builtin/server operators
    AD ExternalGroups distance of XX/builtin/users of the office to
    AD ExternalGroups XX/builtin/access dcom certificate service
    RADIUS user name xx\cennelin
    IP address of the device 172.25.2.87
    Called-Station-ID 00: 3A: 98:A5:3E:20
    CiscoAVPair SSID = CAMPUS
    SSID campus of

    2 NO OK no later than:

    Details of authentication

    Timestamp of source 2014-05-15 16:17:35.69
    Receipt of timestamp 2014-05-15 16:17:35.69
    Policy Server RADIUS
    Event Endpoint 5434 conducted several failed authentications of the same scenario
    Reason for failure 15039 rejected by authorization profile
    Resolution Authorization with the attribute ACCESS_REJECT profile was chosen due to the corresponding authorization rule. Check the appropriate rule political authorization results.
    First cause

    Selected authorization profile contains ACCESS_REJECT attribute

    .../...

    Only 3 user groups are observed:

    Other attributes

    ConfigVersionId 5
    Port of the device 1645
    DestinationPort 1812
    RadiusPacketType AccessRequest
    Username host/xxxxxxxxxxxx
    Protocol RADIUS
    NAS-IP-Address 172.25.2.80
    NAS-Port 51517
    Framed-MTU 1400
    State 37CPMSessionID = b0140a6f0000C2E15374CC7F; 32SessionID = RADIUS/189518899/49890;
    Cisco-nas-port 51517
    IsEndpointInRejectMode fake
    AcsSessionID RADIUS/189518899/49890
    DetailedInfo Successful authentication
    SelectedAuthenticationIdentityStores CDs
    DomaineAD XXXXXXXXXXX
    AuthorizationPolicyMatchedRule By default
    CPMSessionID b0140a6f0000C2E15374CC7F
    EndPointMACAddress 00-xxxxxxxxxxxx
    ISEPolicySetName By default
    AllowedProtocolMatchedRule CDM-PC-PEAP
    IdentitySelectionMatchedRule By default
    HostIdentityGroup Endpoint identity groups: profile: workstation
    Model name Cisco
    Location Location #All locations #Site - CDM
    Type of device Device Type #All type #Cisco - terminals
    IdentityAccessRestricted fake
    AD ExternalGroups XX/users/computers in the domain
    AD ExternalGroups XX/users/certsvc_dcom_access
    AD ExternalGroups XX/builtin/access dcom certificate service
    Called-Station-ID 54:75:D0:DC:5 B: 7 C
    CiscoAVPair SSID = CAMPUS

    If you have an idea, thank you very much,

    Kind regards

    Eventually, the AD loses connectivity with ISE

  • Question of 2012 of R2 group key Distribution Server configuration.

    Hi all

    I searched online for more information on the problems of kdssvc. and addition of KDSRoot keys that have been problematic.

    In looking Site and Services snap-in and display of the Service node information I see the Server Configuration file, but no input config key Distribution of Service Group.

    I don't see anything online that would allow me to recreate the Configuration of the server. Is there a way to re - generate the Cryptography keys properly here and allow me to move forward with additions of Cle_principale. I have a 2003 with a r2 dc 2012 functional area in the field of parent and child.

    In the test of items off I see kds configs are always available and kdsrootkey can be created after the deletion of the entry of the Server Configuration. I'm looking for documents of deep dive on the subject.

    Any help is greatly appreciated.

    David.

    This issue is beyond the scope of this site and must be placed on Technet or MSDN

    http://social.technet.Microsoft.com/forums/en-us/home

    http://social.msdn.Microsoft.com/forums/en-us/home

  • Questions through the residential, computer group, not to run.

    original title: homegroup

    Hello
    On my Samsung 150N laptop, I have Windows 7 Starter. On my main computer I have Windows 7 Ultimate, on which I set up a homegroup (home, non-commercial).
    I connected the notebook to this group; it then asked me for the password and set up the "homegroup". But the computer does not appear in the group! (On the main computer, the notebook appears!) I used the Windows program to resolve the problem, to no avail. I uninstalled and reinstalled the homegroup; same problem.

    If I change the password for access to the group, the laptop immediately warned me the password changed while the laptop is plugged into the group, but cannot see.
    He can advise me?

    In fact, this problem exists since I change the printer before the market.
    Thanks in advance
    Pluni

    Hi Pluni Almoni,

    Follow these methods in the order and see if the problem is resolved.

    Method 1: Temporarily disable the antivirus software and disable firewall also if all installed and check if the problem persists on the computer on which you are facing this problem with.

    Disable the anti-virus software

    http://Windows.Microsoft.com/en-us/Windows7/disable-antivirus-software

    If the problem is resolved, you may need to contact the manufacturer of the program for the settings that can be changed or if there are other updates for this program.

    Note: Antivirus software can help protect your computer against viruses and other security threats. Have a computer without any security software can cause a potential danger to your computer. Therefore, make sure to activate the firewall and security software once you are finished with the test.

    Method 2: Network discovery may be blocking you to see other computers and devices on the network. Check if so on network discovery. If the discovery network on your computer setting is set to off, you won't see other computers and devices on the network.

    To change your network discovery setting, follow these steps:

    a. Open advanced by clicking the Start button, then on sharing settings Control Panel. In the search box, type network, click network and sharing Center, and then in the left pane, click on change advanced sharing settings.

    b. click the chevron to expand the current network profile.

    c. click turn on network discovery, and then click save changes. If you are prompted for an administrator password or a confirmation, type the password or provide confirmation.

    For more information, visit the below mentioned link:

     

    Why can I not see other computers on my network?

    http://Windows.Microsoft.com/en-us/Windows7/why-can-t-I-see-other-computers-on-my-network

    You can also check the below links:

    Why I can't join a homegroup?

    http://Windows.Microsoft.com/en-us/Windows7/why-can-t-I-join-a-HomeGroup

    Homegroup: recommended links

    http://Windows.Microsoft.com/en-us/Windows7/HomeGroup-recommended-links

    Homegroup from start to finish

    http://Windows.Microsoft.com/en-us/Windows7/help/HomeGroup-from-start-to-finish?T1=tab02

    Hope this information helped!

  • Question of ISAKMP

    I'm pretty new to VPN stuff and I'm not exactly an expert in cisco IOS, however, I have a version of cisco IOS on a 2800 series router 12.3 (could not give you the exact model atm because I'm not at work)

    Anyway, if I understand the documentation, when I run a command encryption, I should get an option for isakmp (which I do not). I was able to generate a RSA key for ssh access. If I do not have ISAKMP support, can someone point me to a guide of VPN configuration that does not use ISAKMP?

    Hi Todd,

    Some info.

    Rgds,

    AK

  • Question rtf - summary of each group to the list of folders

    Hello

    I got a list of records and he SUM and group these elements have shown as output.  Need help.

    XML

    Agenda  Value
    one     1
    one     2
    one     2
    b       3
    b       3

    Output

    RTF

    Agenda  Value
    one     1
    one     2
    one     2
    Total   5
    b       3
    b       7
    Total   10

    Thank you

    Here's how I implemented the data

    1   one   1
    2   one   2
    3   one   2
    4   one   1
    5   b     2
    6   b     3
    7   b     1

    Here is a screenshot of the rtf mentioned above using as Mathieu Sundarasamy-Oracle

    Here is the result

  • Simple question, physical Mac associated with groups of ports to get hidden on switches?

    It's kind of hard to explain, but I'll try my best.  I just solved a problem related to the connectivity of the virtual machine with the network boys.  I provided them with the physical Mac associated VMNIC1 "00:18:FE:33:A4:47" I told them it was corrected in eight port.  When they logged on their switch they could not see at all, finally however when they tag with 208 port VLAN which is be one VM port groups configured with a virtual machine on that they were suddenly able to see the Mac of the VM that routes via VMNIC1 '00:18:FE:33:A4:47 '.

    For any reference later in order to learn and better understand things in the future can someone clarify how this works.  ESX hide/mask the physical Mac for Mac in the VM in this case, it was a former host ESX3.5 but I guess 5.5 would have done the same thing?

    Hello

    Welcome to the communities.

    I think that not only ESX but Hyper-V too hides the physical MAC, and all vNICs have a unique MAC ID,

    which plays a cluster type of role, as in a NETWORK load balancing configuration.

    It's my practical experience.

    ______________________________________________________________________

  • AS the question of the clause with Group By

    Hello everyone. I have a simple query that calculates the counts of 3 expressions. It is supposed to group by region and province as well, but it instead gives the TOTAL count for each expression in the region and province fields. What am I doing wrong? This is my query:

    SELECT TABLE1."Province",
           TABLE1."Region",
           (SELECT (COUNT(TABLE1."Nationality"))
            FROM TABLE1
            WHERE (TABLE1."Nationality" <> 'United States'
                   AND TABLE1."Nationality" <> 'Nat1')
               OR (TABLE1."Medical" <> 'ON MEDICAL'
                   AND TABLE1."Region" <> 'CONUS')
           ) "TCN COUNT",
           (SELECT (COUNT(TABLE1."Nationality"))
            FROM TABLE1
            WHERE (TABLE1."Nationality" = 'United States')
               OR (TABLE1."Medical" <> 'ON MEDICAL'
                   AND TABLE1."Region" <> 'CONUS')
           ) "US COUNT",
           (SELECT (COUNT(TABLE1."Nationality"))
            FROM TABLE1
            WHERE (TABLE1."Nationality" = 'Nat1')
               OR (TABLE1."Medical" <> 'ON MEDICAL'
                   AND TABLE1."Region" <> 'CONUS')
           ) "HCN COUNT"
    FROM TABLE1
    GROUP BY TABLE1."Province",
             TABLE1."Region";

    Any help would be appreciated. Thank you.

    Aqua

    Because you are not passing the values of the inner query to the outer one...

    Are you looking for this?

    SELECT      TABLE1."Province",
         TABLE1."Region",
         sum (
           case when (
                 TABLE1."Nationality" != 'United States'
                 AND TABLE1."Nationality" !=  'Nat1'
                  )
                OR (
                TABLE1."Medical" != 'ON MEDICAL'
                AND TABLE1."Region" != 'CONUS'
                 ) then 1 else 0 end
             ) "TCN COUNT",
         sum (
           case when (
                TABLE1."Nationality" = 'United States'
                  )
                OR (
                TABLE1."Medical" != 'ON MEDICAL'
                AND TABLE1."Region" != 'CONUS'
                    ) then 1 else 0 end
             ) "US COUNT",
         sum (
           case when (
                TABLE1."Nationality" = 'Nat1'
                   )
                  OR (
                   TABLE1."Medical" != 'ON MEDICAL'
                   AND TABLE1."Region" != 'CONUS'
                     ) then 1 else 0 end
             ) "HCN COUNT"
    FROM TABLE1
    GROUP BY TABLE1."Province",TABLE1."Region";
    
