Question regarding full mesh with ASA5505 vpn tunnels.

Similar Questions

• ASA5505 with 2 VPN tunnels failing to implement the 2nd tunnel

  Hello

  I have an ASA5505 that currently connects a desktop remotely for voip and data.  I added a 2nd site VPN tunnel to a vendor site.  It's this 2nd VPN tunnel that I have problems with.  It seems that the PHASE 1 negotiates well.  However, I'm not a VPN expert!  So, any help would be greatly appreciated.  I have attached the running_config on my box, debug (ipsec & isakmp) information and information about the provider they gave me today.  They use an ASA5510.

  My existing VPN tunnel (which works) is marked 'outside_1_cryptomap '.  It has the following as interesting traffic:

  192.168.1.0/24-> 192.168.3.0/24

  192.168.2.0/24-> 192.168.3.0/24

  10.1.1.0/24-> 192.168.3.0/24

  -> 192.168.3.0/24 10.1.2.0/24

  10.1.10.0/24-> 192.168.3.0/24

  10.2.10.0/24-> 192.168.3.0/24

  The new VPN tunnel (does not work) is labeled "eInfomatics_1_cryptomap".  It has the following as interesting traffic:

  192.168.1.25/32-> 10.10.10.83/32

  192.168.1.25/32-> 10.10.10.47/32

  192.168.1.26/32-> 10.10.10.83/32

  192.168.1.26/32-> 10.10.10.47/32

  Here's the info to other VPN (copy & pasted from the config)

  permit access list extended ip 192.168.1.26 eInfomatics_1_cryptomap host 10.10.10.83

  permit access ip host 192.168.1.25 extended list eInfomatics_1_cryptomap 10.10.10.83

  permit access ip host 192.168.1.25 extended list eInfomatics_1_cryptomap 10.10.10.47

  permit access list extended ip 192.168.1.26 eInfomatics_1_cryptomap host 10.10.10.47

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  card crypto outside_map 1 match address outside_1_cryptomap

  peer set card crypto outside_map 1 24.180.14.50

  card crypto outside_map 1 set of transformation-ESP-3DES-SHA

  card crypto outside_map 2 match address eInfomatics_1_cryptomap

  peer set card crypto outside_map 2 66.193.183.170

  card crypto outside_map 2 game of transformation-ESP-3DES-SHA

  outside_map interface card crypto outside

  crypto isakmp identity address

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  tunnel-group 24.180.14.50 type ipsec-l2l

  IPSec-attributes tunnel-group 24.180.14.50

  pre-shared key *.

  tunnel-group 66.193.183.170 type ipsec-l2l

  IPSec-attributes tunnel-group 66.193.183.170

  pre-shared key *.

  Thanks in advance

  -Matt

  Hello

  The seller put a parameter group2 PFS (Perfect Forward Secrecy) of Phase 2, so that you don't have it.

  So you can probalby try adding the following

  card crypto outside_map 2 pfs group2 set

  I think he'll simply enter as

  card crypto outside_map 2 set pfs

  Given that the 'group 2' is the default

  -Jouni

• ASA5505 vpn tunnel

  I have 2 asa5505. I created a site to site vpn tunnel using two LANs. (example 192.168.1.0 & 192.1689.2.0).

  I then tried to do another series of local ip (e.g. 192.168.3.0 & 192.168.4.0) uses the same group of tunnel, the same external termination points. A set of ip addresses is for data and one for ip phones. VLAN 1 is not used, vlan 2 is inside the interface vlan 3 is apart from the interface, and vlan 4 is the 2nd interface named phones. First data networks are working properly, but data from ip phones does not circulate. I can't ping on the other side. I put vlan 4 will not provide to interface vlan 2 and set security on 100 at both ends. Here are two independent networks that do not need to talk to each other. Is there a reason that someone can think why it wouldn't work?

  Depending on how the phone subnet is connected on the SAA.

  If your subnet phone is connected to a separate interface on the ASA (for example: an interface that you named "phones"), you must create a new access list and assign it to the "phones" interface

  Example:

  access list phones-sheep ip 192.168.3.0 allow 255.255.255.0 192.168.4.0 255.255.255.0

  NAT (phones) - access list 0 phones-sheep

  On the other hand, if the subnet of the phone is connected to the ASA via the inside of the interface, IE: phone subnet is routed through the inside interface of the ASA, just add the line in the existing ACL inside interface.

  Example:

  Currently inside NAT statement says "nat (inside) 0 access-list 101", and all you need to add is another line to ACL 101 as follows:

  access-list 101 permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0

  Here is an example of configuration with 2 internal interfaces (inside and dmz) for the tunnel vpn site-to-site for your reference:

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00806a5cea.shtml

  In the example configuration, it uses the same sheep ACL for the interfaces inside and the demilitarized zone. I would recommend that you create a different ACL for the NAT statement for each interface instead of use the same ACL on both interfaces.

  Hope that helps.

• Help with a VPN tunnel between ASA 5510 and Juniper SSG20

  Hello

  We have a customer wanting to configure a VPN Site to Site tunnel between a new purchased 5510 of ASA located in his direction with its Juniper SSG20 Office, located in the main office. We contacted HP and they send us a Cisco professional to do the job.

  After 2 days from 16:00 to 22:00 and error and countless hours of research online and nunerous calls, we are still unable to get traffic from the network of agencies to enter the tunnel.

  Main branch
  1.1.1.2                                 1.1.1.1
  -----                                               -----------
  192.168.8.0/24 | ASA|-----------------------------------| Juniper |    192.168.1.0/24
  -----                                               -----------
  192.168.8.254 192.168.1.254

  According to Cisco professionals, the tunnel is now in place but no traffic through. We are unable to ping anything on the network on the other side (192.168.1.0/24). We receive timeout ping all the time. The Cisco professional told us it's a routing or NAT problem and he's working on a solution!

  Through research, I came across a post on Experts-Exchange (here) [the 1st comment on the original post] which States "...". that both sides of the VPN must have a different class of LAN for the VPN to work... " Would that be our problem?

  It has become a critical issue to the point that he had to replace the Cisco ASA with a temporary Juniper SSG5 on another subnet (192.168.7.0/24) to get the tunnel upward and through traffic until the ASA VPN issue is resolved and I didn't need to say that the client is killing us!

  Help is very appreciated.

  Thank you

  1. Yes, ping package from the interface of the ASA is considered valuable traffic to the LAN of Juniper.

  SAA, need you traffic from the interface source ASA's private, because interesting to determine by crypto ACL MYLIST traffic between 192.168.8.0/24 and 192.168.1.0/24.

  You will also need to add the following configuration to be able to get the ping of the interface of the ASA:

  management-private access

  To initiate the ping of the private interface ASA:

  ping 192.168.1.254 private

  2. the default time before the next generation of new key is normally 28800 seconds, and if there is no interesting traffic flowing between 2 subnets, he'll tear the VPN tunnel down. As soon as there is interesting traffic, the VPN tunnel will be built automatically into the next generation of new key. However, if there is traffic before generating a new key, the new tunnel will be established, and VPN tunnel will remain standing and continue encrypt and decrypt traffic.

  Currently, your configuration has been defined with ITS lifetime of 3600 seconds GOLD / 4608000 kilobytes of traffic before the next generate a new key (it will be either 3600 seconds, or 4608000 kilobytes period expires first). You can certainly change it by default to 28800 seconds without configuring kilobytes. SA life is negotiated between the ASA and Juniper, and whatever is the lowest value will be used.

  Hope that helps.

• With NAT VPN tunnels

  I have read on several posts on the topic and still think I'm missing something, I'm looking for help.

  Basically, I'm now implementing multiple VPN tunnels for external connections. We strive to keep the external "private addresses" our basic using NAT network.

  I can get the Tunnel to work without problems using the ACL SHEEP; However, this technique requires that our internal network is aware of their external addresses "private." Our goal is to enter an address on the inside that is NAT to the external address 'private' and then shipped via the VPN tunnel. Basically to hide the external address 'private' of our internal systems that they would appear as thought the connection was one of our own networks.

  The reverse is true coming from their external 'private' network. Any information of "their" private network external origin would result in our 'private' on arrival address space.

  Is this possible? I am attaching a schema, which could help.

  Hello

  Yes, this should be possible. Lets say you allocate 10.112.2.250 as the address that you use to present the external server 192.168.10.10.

  On your ASA device

  public static 10.112.2.250 (exterior, Interior) 192.168.10.10 netmask 255.255.255.255

  You will need to make sure that when the system tries to connect to 10.112.2.250 it is routed to the device of the SAA.

  HTH

  Jon

• question links to site 2 site VPN with authentication cert

  Currently we are accumulate tunnel site-2-site VPN with our client. Usually we use pre-shared key as authentication with other customers without any problems, but it must use authentication cert with her this time. But the question is that our CA is different from theirs. I tried a few times, but he failed. Is it someone please let me know that he must have the certificate issued by the same certification authority to create the VPN tunnel?

  Thank you very much!

  Hello

  You can read this document to get a simple example of setting up a VPN S2S using certificates on an ASA:

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080aa5be1.shtml

  Basically the sides must have the same certification authority and If there is an intermediate certificate that must be installed also. The ASA 2 will generate a CSR (certificate access code request), now then PKI will create a certificate for both parties, commonly called "certificate of identity".

  Please pass a note and mark as he corrected the post helpful!

  David Castro,

  Kind regards

• Questions of VPN tunnel

  People,

  You can help me understand how I can fix the following issues I have with a 1721 router (Version 12.3 (8) T5) and client VPN 4.6.01.x please.

  BTW, the server at 192.168.3.2 is a file, DNS, WINS server and proxy for the LAN environment. All the staff of the PC is required to use the proxy but visitors on the 192.168.2.0 network can access the internet directly.

  Back to my questions. I have the obligation to set up a VPN tunnel to connect to a PC that is running Terminal Server services / remote desktop on a PC to 192.168.1.9. When running the VPN software on the laptop I get a login prompt and everything seems fine. I ping the addresses of router and that works.

  But the three things I don't understand:

  1. I can't telnet with great success to the loopback address of the router, as well as other addresses 192.168.x.x. very well, but why is it possible that I can telnet to the 192.168.4.1 loopback address?

  2. I can't DRC to the server on 192.168.3.2. The server can (and) accepts connections on a subnet, I created the network of 192.168.6.x I put up as VLAN6 on SEA4 (the port of spare on the map of ether 4 ports). The only thing I did not in the configuration of the interface was the nat ip within the statement.

  3. I can't do a nslookup through the tunnel VPN (delays all the time) and neither can I http to the IIS server on the same 192.168.3.2 box. What I mean here is that other applications seem to work except telnet!)

  Then...:

  Why the telnet is so special? I thought that if I could telnet to the router, then I should be able to access the server. And before ask you, there is no firewall or whatever it is executed on the server by stopping this stupid connections. Hey, I'm the guy from router, not the jockey of server!

  I've managed to misinterpret the statement "corresponds to the address 105" in the cryptomap? The ACL would reflect the traffic flow both ways?

  I should have a statement of hash in the section of "crypto isakmp policy 5. The client indicates that the connection is OK then why should I need it?

  I appreciate your time to help. I was scratching my head a lot in the last two days.

  Timothy

  Your NAT config, it is what kills you here. You can telnet to the router interface, because then the NAT configuration does not take effect (because NAT doesn't happen for passing traffic THROUGH the router, FOR her). You must refuse the IPSec traffic to be NAT would have, otherwise, it does not match the encryption access list and is not encrypted on the way back.

  Your 100 access list is incorrect, remove it and add in the following:

  access-list 100 deny ip 192.168.0.0 0.0.255.255 192.168.5.0 0.0.0.255

  access-list 100 permit ip 192.168.0.0 0.0.255.255 everything

  That said NAT VPN traffic does 192.168.5.0, but NAT do it if he goes anywhere else (Internet).

  Also, you seem to have defined a map static encryption for your customer traffic, it is not used and may cause you problems with the list of access-105. Follow these steps to get rid of it and just use the dynamic encryption card:

  no card crypto clientmap 1

  You just need to have dynamic instance map (number 20) crypto left in your config file.

• Between Cisco ASA VPN tunnels with VLAN + hairpin.

  I have two Cisco ASA (5520 and 5505) both with version 9.1 (7) with Over VPN and Security Plus licenses. I try to understand all the internet a traffic tunnel strategy VLAN especially on the 5520 above the 5505 for further routing to the internet (such as a hair/u-turn hairpin). A few warnings:

  1. The 5505 has a dynamically assigned internet address.
  2. The 5505 has sometimes no device turned on behind her, bringing interfaces down to the inside (which can cause problems from site to site).
  3. The 5520 cannot be a client of ezvpn due to its current role as a server of webvpn (anyconnect).

  Let me know if I need to post my current config. Basically, I'm starting from scratch after several attempts.

  Thank you!

  1. The 5505 has a dynamically assigned internet address.

  You can use the following doc to set up the VPN and then this document to configure Hairping/U tuning

  2. the 5505 has sometimes no device turned on behind her, bringing interfaces down to the inside (which can cause problems from site to site).

  Make sure that the interface is connected to a switch so that it remains all the TIME.

  3. 5520 the may not be a ezvpn customer due to she has current as one role anyconnect webvpn ()) server.

  You can use dynamic VPN with normal static rather EZVPN tunnel.

  Kind regards
  Dinesh Moudgil

  PS Please rate helpful messages.

• VPN tunnel with U-turn

  Hello

  I am trying to understand the functioning of DNS with u-turn. I'm looking for in the configuration of VPN tunnel between ASA 5510 (main office) and PIX 506 (remote).

  Currently all the jobs in the remote offices are connected through VPN tunnel between PIX506 and VPN 3000 to a hub, so that they use the internal DNS server at the main office. I need to use u-Turn on ASA to allow remote surfing the net users. With u-Turn config, remote workstation still will use DNS server in the main office to resolve the IP addresses?

  Thank you

  LF

  Hey Forman.

  SplitDNS and Splittunneling are both used with remote access clients. In your case, that you try to configure a site to site VPN tunnel, so to 'divide' traffic you will use the crypto acl to set valuable traffic to the VPN. However, this ACL uses IP addresses in order to determine whether the traffic must be encrypted or not, this is why your DNS lookup would have to occur before the traffic is encrypted. Then, you can set the DNS server for the remote network to be the DNS through the VPN tunnel and ensure that the DNS server's IP address is part of the interesting traffic or you must ensure that the local DNS server is able to resolve names.

  In the previous case where you use u-turn, all gets automatically tunnele so you don't have to worry about your DNS queries in the tunnel.

  I hope that this explains the behavior.

  Kind regards

  ATRI.

• Question of access list for Cisco 1710 performing the 3DES VPN tunnel

  I have a question about the use of access lists in the configuration of a router Cisco 1710 that uses access lists to control traffic through the VPN tunnel.

  For example the following lines in a configuration on the remote router. My question is whether or not the traffic that matches the definition of list access-130 (something other than 192.168.100.0/24), cross the VPN tunnel or go directly to the Ethernet0 interface.

  My understanding is that traffic that matches the access list 120 would be encrypted and sent through the IPSec tunnel. If there was "ban" set out in the statements of 120 access-list, the traffic for those would be sent through the IPSec tunnel but not encrypted (if possible). And finally, given that the definition of crypto card reference only "adapt to 120", any traffic that matches 130 access list would be sent Ethernet0 but not associated with the card encryption and thus not sent through the IPSec tunnel. "

  Any input or assistance would be greatly appreciated.

  Map Test 11 ipsec-isakmp crypto

  ..

  match address 120

  Interface Ethernet0

  ..

  card crypto Test

  IP nat inside source overload map route sheep interface Ethernet0

  access-list 120 allow ip 192.168.100.0 0.0.0.255 10.10.0.0 0.0.255.255

  access-list 130 refuse ip 192.168.100.0 0.0.0.255 10.10.0.0 0.0.255.255

  access-list 130 allow ip 192.168.100.0 0.0.0.255 any

  sheep allowed 10 route map

  corresponds to the IP 130

  He would go through the interface e0 to the Internet in clear text without going above the tunnel

  Jean Marc

• Need help with Config VPN on ASA5505

  Our client has a seller who needs to establish a VPN tunnel to their own router that sits behind our firewall.

  Concentrator VPN (seller) ASA5505 customer (7.2) <------> <------->3750 Switch <------->VPN router (Vendor)

  Here is the implementation of information:

  ASA outside Interface - 208.64.1x.x4 DG - 208.64.1x.x3

  ASA inside the Interface - 172.20.58.13/30

  3750 switch Interface connected to ASA - DG - 172.20.58.13 and 172.20.58.14/30

  3750 switch Interface connected to router VPN - 172.20.58.21

  The Interface of the VPN router connected to the 3750 - 172.20.58.22/30 DG - 172.20.58.21

  I have also attached a Visio for that and the current configuration of execution of ASA and 3750. We have no access to the router VPN TNS.

  Our responsibility is to everything just to make sure that the tunnel rises.

  You kindly help me with this?

  Here is what I intend to do:

  (1) create a static NAT on the ASA Public Private IP Address of the VPN router

  Public - 208.64.1x.x5 / 28

  Private - 172.20.58.21 / 30

  Will be the ASA automatically ARP for this address or do we I have to configure another interface on the ASA with this public IP address?

  (2) what would the access on the ASA list?

  (3) the customer gave us some config to copy the stuff on the SAA so that they can create the tunnel but I couldn't put these commands in the SAA. How this would apply and which interface?

  Access to firewall: the information below is about access between the VPN router and the

  VPN concentrator. If a firewall/router is present in front of the VPN services must be

  permit:

  allow a host 208.224.x.x esp

  allow a host 208.224.x.x gre

  permit any isakmp udp host 208.224.x.x eq

  permit any eq non500-isakmp udp host 208.224.x.x

  allow a host 204.8.x.x esp

  allow a host 204.8.x.x gre

  permit any isakmp udp host 204.8.x.x eq

  permit any eq non500-isakmp udp host 204.8.x.x

  permit tcp 206.x.x.0 0.0.0.255 any eq 22

  permit tcp 206.x.x.0 0.0.0.255 any eq telnet

  allow a udp host 208.224.x.x

  allow a udp host 208.224.x.x

  Can someone help me with the commands I need to run it on the ASA? The 5505 running 7.2 code (4).

  Thanks in advance.

  HS

  Your steps are correct, you need to configure static NAT and the list of access to allow access.

  Static NAT would be as follows:

  static (inside, outside) 208.64.1x.x5 172.20.58.21 netmask 255.255.255.255

  You also need a road inside interface-oriented join 172.20.58.21:

  Route inside 172.20.58.21 255.255.255.255 172.20.58.14

  You have already access list on the external interface? If you have, then just add in the existing access list, if you don't have it, and then add the following:

  access list outside-acl permit udp any host 208.64.1x.x5 eq 500

  access list outside-acl permit udp any host 208.64.1x.x5 eq 4500

  access list outside-acl allow esp any host 208.64.1x.x5

  Access-group acl outside in external interface

  If you also have an inside interface access list, you must also allow passing traffic by as follows:

  access-list allow host 172.20.58.21 udp any eq 500

  access-list allow host 172.20.58.21 udp any eq 4500

  access-list allow host esp 172.20.58.21 all

  If you have not had any access inside the interface list, then you don't need to configure it.

  Hope that helps.

• LRT224 impossible to deal simultaneously with more than one VPN tunnel?

  We have configured a client to gateway VPN tunnel group and six in the tunnels of single user gateway on a LRT224. Each unique connection works perfectly using Shrew soft client. But when we try to connect with a second tunnel, the first tunnel disconnects. It seems that the LRT224 cannot process more than one VPN tunnel at the same time? Is there any configuration, that we would have missed?

  TLR log seem to indicate that the Shrew Soft customers use all 192.168.30.0 that their IP address instead of a random IP address in this range.

  Try to set each Shrew Soft client with a specific IP address in the 192.168.30.1 - 50 rank instead of ' use virtual adapter and address randomly.

• I have a question regarding windows mail. I was send and receive mail with no problems until last Thursday. I can still receive mail, but I can not send.

  / * moved from answers Feedback * /.
   
  I have a question regarding windows mail. I was send and receive mail with no problems until last Thursday. I can still receive mail, but I can not send. My email is with bellsouth.net and comes in my computer through windows Messaging.  I spent an hour and a half on the phone with bellsouth, and they say that the problem is with my windows mail.  I tried to use a restore date, and that did not help either. I will post a copy of this message, as I keep getting.  Your server suddenly put an end to the connection. The possible causes for this include server problems, network problems, or a long period of inactivity. Object 't', counts: 'mail.bellsouth.net', server: 'mail.bellsouth.net', Protocol: SMTP, Port: 25, secure (SSL): no, error number: 0x800CCC0F thanks for any help.

  Sometimes, WinMail settings get screwed up and you must remove the account and then add it back back.  Make sure first that the antivirus software not interfere (see www.oehelp.com/OETips.aspx#3).   Delete your account completely, then close WinMail.  Then compact and repair the database of WinMail (see www.oehelp.com/WMUtil/).  Add your account to mail back once again, and then make sure you have the correct settings under Tools | Accounts | Mail | Properties | Servers and | Advanced to what AT & T Specifies to WinMail (or OE).  Then see if it works.

  Steve

• RV042 VPN tunnel with Samsung Ubigate ibg2600 need help

  Hi all, ok before I completely remove all of my hair, I thought stop by here and ask the volume for you all with the hope that someone can track down the problem.

  In short I am configuring a 'Gateway to gateway' vpn tunnel between two sites, I don't have access to the config of the router from Samsung, but the ISPS making sure that they followed my setup - watching newspapers RV042, I don't however see the reason for the failure - im no expert vpn...

  Sorry if the log file turns on a bit, I didn't know where the beginning and the end was stupid I know... any advice would be greatly welcomed lol.

  System log
  Current time: Fri Sep 2 03:37:52 2009 all THE Log Log Log Log VPN Firewall Access system
   
  Time
  Type of event Message
  2 sep 03:36:01 2009 value of VPN Log [Tunnel negotiation Info] Inbound SPI = c3bdba08
  2 sep 03:36:01 2009 value of outbound SPI VPN Log [Tunnel negotiation Info] = c664c1ca
  2 sep 03:36:02 2009 VPN Log [Tunnel negotiation Info] > initiator send fast Mode 3rd package
  2 sep 03:36:02 2009 VPN Log [Tunnel negotiation Info] Quick Mode Phase 2 SA established, IPSec Tunnel connected
  2 sep 03:36:02 2009 VPN journal Dead Peer Detection start, DPD delay = timeout = 10 sec 10 sec timer
  2 sep 03:36:02 2009 VPN received log delete SA payload: ISAKMP State #627 removal
  2 sep 03:36:02 2009 VPN Log Main Mode initiator
  2 sep 03:36:02 2009 VPN Log [Tunnel negotiation Info] > Send main initiator Mode 1 package
  2 sep 03:36:02 2009 charge of VPN journal received Vendor ID Type = [Dead Peer Detection]
  2 sep 03:36:02 2009 VPN Log [Tunnel negotiation of Info]< initiator="" received="" main="" mode="" 2nd="" packet="">
  2 sep 03:36:02 2009 VPN Log [Tunnel negotiation Info] > initiator send Mode main 3rd package
  2 sep 03:36:03 2009 VPN Log [Tunnel negotiation of Info]< initiator="" received="" main="" mode="" 4th="" packet="">
  2 sep 03:36:03 2009 Log [Tunnel negotiation Info] VPN > main initiator Mode to send 5 packs
  2 sep 03:36:03 2009 Log [Tunnel negotiation Info] VPN > initiator receive hand Mode 6 Pack
  2 sep 03:36:03 2009 log VPN main mode peer ID is ID_IPV4_ADDR: '87.85.xxx.xxx '.
  2 sep 03:36:03 2009 Log [Tunnel negotiation Info] VPN Mode main Phase 1 SA established
  2 sep 03:36:03 2009 log VPN [Tunnel negotiation Info] initiator Cookies = c527 d584 595 c 2c3b
  2 sep 03:36:03 2009 log VPN [Tunnel negotiation Info] responder Cookies = b62c ca31 1a5f 673f
  2 sep 03:36:03 2009 log quick launch Mode PSK VPN + TUNNEL + PFS
  2 sep 03:36:03 2009 Log [Tunnel negotiation Info] VPN > initiator send fast Mode 1 package
  2 sep 03:36:04 2009 VPN Log [Tunnel negotiation of Info]< initiator="" received="" quick="" mode="" 2nd="" packet="">
  2 sep 03:36:04 2009 value of VPN Log [Tunnel negotiation Info] Inbound SPI = c3bdba09
  2 sep 03:36:04 2009 value of outbound SPI VPN Log [Tunnel negotiation Info] = e3da1469
  2 sep 03:36:04 2009 VPN Log [Tunnel negotiation Info] > initiator send fast Mode 3rd package
  2 sep 03:36:04 2009 VPN Log [Tunnel negotiation Info] Quick Mode Phase 2 SA established, IPSec Tunnel connected
  2 sep 03:36:04 2009 VPN journal Dead Peer Detection start, DPD delay = timeout = 10 sec 10 sec timer
  2 sep 03:36:05 2009 VPN received log delete SA payload: ISAKMP State #629 removal

  PFS - off on tada and linksys router does not support the samsung lol! connected!

• Allowing ports through a VPN tunnel question

  I have a VPN tunnel established and I can ping above but my application fails and I think its because I encouraged not 2 ports (ports TCP 19813 and 19814) through. I'm not clear how should I do for allowing these ports through. I need to add a statement to permit to access my list 'sheep' or what I need to add a statement of license to my list of access interface "external"?

  Remote users have an IP address of 172.16.5.x 24 and they're trying to connect to users on the 192.168.200.x 24 192.168.201.x 24. I can't do a ping of the 24 192.168.200.x to the 172.16.5.0/24.

  The commands below are what I currently have in my PIX.

  My current sheep-access list:

  IP 192.168.201.0 allow Access-list sheep 255.255.255.0 172.16.5.0 255.255.255.0

  IP 192.168.200.0 allow Access-list sheep 255.255.255.0 172.16.5.0 255.255.255.0

  My current outside of the access-list interface:

  acl_inbound list access permit tcp any host xx.xx.xx.xx eq smtp

  acl_inbound list access permit tcp any host xx.xx.xx.xx eq - ica citrix

  acl_inbound list access permit tcp any host xx.xx.xx.xx eq www

  acl_inbound list access permit tcp any host xx.xx.xx.xx eq www

  acl_inbound list access permit tcp any host xx.xx.xx.xx eq www

  acl_inbound list access permit tcp any host xx.xx.xx.xx eq 500

  acl_inbound esp allowed access list any host xx.xx.xx.xx

  acl_inbound list access permit icmp any any echo response

  access-list acl_inbound allow icmp all once exceed

  acl_inbound list all permitted access all unreachable icmp

  acl_inbound list access permit tcp any host xx.xx.xx.xx eq www

  acl_inbound list access permit tcp any host xx.xx.xx.xx eq https

  first of all, you disable the commnad "sysopt connection permit-ipsec" on the pix? with this enabled command, which is enabled by default, the pix will ignore any ACLs for encrypted traffic. so if you have Hell no this command, then the acl that you applied on the outside int won't make a difference.

  However, if "sysopt connection permit-ipsec" is always on, and then all the port/protocol should be allowed.

  you said you could do a ping of 192.168.200.0 to 172.16.5.0. How about you 172.16.5.0 to 192.168.200.0 and 192.168.201.0?

  also, just wondering if the vpn lan-to-lan or access remote vpn (i.e. using the cisco vpn client).