Return VPN traffic flows do not on the tunnel

Similar Questions

• isShowing() returns true when I do not see the image

  Hello friends,
  Why isShowing() returns true when I do not see the image?
  
  See you soon,.
  André Uhres
  

  import java.awt.*;
  import java.awt.event.*;
  import java.awt.image.*;
  import java.util.logging.*;
  import javax.swing.*;
  
  public class IsShowingDemo extends JFrame {
  
      private JTextArea jTextArea1;
  
      public IsShowingDemo() {
          jTextArea1 = new JTextArea();
  
          setDefaultCloseOperation(WindowConstants.EXIT_ON_CLOSE);
          setTitle("IsShowingDemo");
  
          jTextArea1.setBackground(new java.awt.Color(255, 255, 204));
          jTextArea1.setEditable(false);
          jTextArea1.setLineWrap(true);
          jTextArea1.setText("Please iconify this window or take some other window "
                  + "to front so that this one is hidden. "
                  + "Then double click the white tray icon.");
          jTextArea1.setWrapStyleWord(true);
          getContentPane().add(jTextArea1, BorderLayout.CENTER);
  
          setSize(400, 300);
          setLocationRelativeTo(null);
  
          BufferedImage image = new BufferedImage(16, 16, BufferedImage.TYPE_INT_ARGB);
          Graphics2D graphics = image.createGraphics();
          graphics.fillOval(2, 2, 12, 12);
          setIconImage(image);
          installTrayicon(image);
      }
  
      private void installTrayicon(final Image image) {
          TrayIcon icon = new TrayIcon(image, "IsShowingDemo", null);
          icon.addActionListener(new ActionListener() {
  
              @Override
              public void actionPerformed(final ActionEvent e) {
                  boolean showing = IsShowingDemo.this.isShowing();
                  JOptionPane.showMessageDialog(null, "frame is showing = " + showing
                          + ", \ndo you see the frame?");
              }
          });
          try {
              SystemTray.getSystemTray().add(icon);
          } catch (AWTException ex) {
              Logger.getLogger(IsShowingDemo.class.getName()).log(Level.SEVERE, null, ex);
          }
      }
  
      public static void main(final String args[]) {
          EventQueue.invokeLater(new Runnable() {
  
              public void run() {
                  new IsShowingDemo().setVisible(true);
              }
          });
      }
  }

  Because the image shows according to Java. They could be overlapped by other windows or is reduced to a minimum is not something that Java checks in this method.

  If you want to make visible by the user you will need to use something like:

  if(TestShowing.this.getExtendedState() == Frame.ICONIFIED) {
    TestShowing.this.setExtendedState(JFrame.NORMAL);
  }
  TestShowing.this.toFront();
  

  But make sure it is visible to the user would require native lib I think (or take a screenshot and are looking for your setting here).

• Portable flow does not fill the TV screen.

  When I connect my laptop Lenovo to my Sansung HDTV with a HDMI cable to watch football, image does not fill the full screen. ANC, someone tell me how to solve this - in terms laymans!

  Hi Stevie H,

  This would happen if the screen resolution is not set correctly on the computer.

  I suggest that you set the resolution of the screen on the computer and check if it helps.

  (a) open settings display by clicking the Start button, clicking Control Panel, appearance and personalization, customization, and then clicking display settings.

  (b) pursuant to the resolution, move the slider to the desired resolution, then click apply.

  HDTV: Frequently asked questions

  http://Windows.Microsoft.com/en-us/Windows-Vista/HDTV-frequently-asked-questions

  Connect your computer to a TV

  http://Windows.Microsoft.com/en-us/Windows-Vista/connect-your-computer-to-a-TV

  I hope this helps!

  Halima S - Microsoft technical support.

  Visit our Microsoft answers feedback Forum and let us know what you think.

• Tunnel of Split VPN Setup ASA to force inside the tunnel for single address

  Hi all

  We have an ASA with IPSec VPN facility to addresses Internet of Tunnel from Split.  We have an Internet address that must come from the external interface of the ASA.  I have added this address to the list of split tunnel and confirmed on the client that is the road to the tunnel, but I'm not able to get to this address via the VPN.

  How the ASA to allow this unique Internet address to come via the VPN and route back on the same interface to the Internet and the return traffic to back up in the client VPN tunnel.

  I need to get to the address is 213.92.42.118. Here's the config relavent (let me know if I left anything):

  interface GigabitEthernet0/0
  nameif outside
  IP 1.1.1.1 255.255.255.0
  permit same-security-traffic inter-interface
  permit same-security-traffic intra-interface
  name 10.80.177.0 VPN_Pool
  Outbound_Ports tcp service object-group
  port-object eq www
  access-list extended sheep allowed any ip VPN_Pool 255.255.255.0
  access-list extended users allow icmp a whole
  access-list extended users enable a tcp
  access-list extended users allow udp a whole
  users_splitTunnelAcl list standard access allowed 10.0.0.0 255.0.0.0
  standard access list users_splitTunnelAcl allow 192.168.43.0 255.255.255.0
  users_splitTunnelAcl list standard access allowed 192.168.40.0 255.255.255.0
  users_splitTunnelAcl list standard access allowed host 213.92.42.118

  FWOB list extended access permit tcp any any Outbound_Ports object-group

  Global (LUXCVGASA01e) 2 1.1.1.1

  NAT (LUXCVGASA01i) 2 10.0.0.0 255.0.0.0
  NAT 0 access-list sheep (LUXCVGASA01i)

  Any help is appreciated.

  -Jeff

  Hi Jeff,

  Just had a chance to look through the Setup and I guess that configured nat is incorrect.

  access-list extended sheep allowed any ip VPN_Pool 255.255.255.0
  NAT 0 access-list sheep (LUXCVGASA01i)
  NAT (LUXCVGASA01i) 2 10.0.0.0 255.0.0.0

  Global (LUXCVGASA01e) 2 1.1.1.1

  The access-list says sheep that ALL traffic goes to the pool of the VPN to go UN-natted. So, when you try to access the public ip address via the tunnel VPN, the traffic the ASA, ASA then performs a search destination NAT and matches the nat command "nat (LUXCVGASA01i) 0 access-list sheep." If the ASA detects a destination NAT translation, it will bypass route search and uses the destination NAT translation to determine the output interface (in this scenario, the output interface is LUXCVGASA01i.

  So, to resolve this problem, change the acl sheep from "any to VPN_Pool 255.255.255.0" inside"to the network VPN_Pool 255.255.255.0.

  clear xlate and re-initialization of the tunnel, and this should solve the problem.

  Let me know if that answers your query.

  Kind regards

  Manisha masseur

• Cannot ping vpn client of 1721 cli on the tunnel endpoint

  I have a 1721 fortunately supporting ipsec vpn client connections. With one small exception, everything works perfectly fine.

  The VPN pool is 10.10.10.1 - 10.10.10.254

  The interface internal f0 is attributed to 192.168.1.254/24.

  In my example:

  Ip address of the VPN client is 10.10.10.5

  The host address of an arbitrary machine on the internal lan is 192.168.1.151

  I am able to ping 192.168.1.151 10.10.10.5

  I'm * not * able to ping 10.10.10.5 192.168.1.254 using the cli on the 1721.

  There is a very good reason to want to solve this problem. I would like to be able to access a tftp server on the client vpn directly from the router in order to download the new startup-config files. Is it possible to get the traffic of vpn-/ tunnel-point endpoint client tftp to travel through the tunnel?

  When you ping from the CLI on the router, the packet will be from the external interface, not the IP address fa0 interface. The VPN client and the router only built a tunnel from the 10.10.10.5 address the 192.168.1.0 network, then the router not cryptera a package that her origin is outside the IP address.

  Try to ping extended to 10.10.10.5 and source of 192.168.1.254 package and see if it works. If it does, you will have also to the source of your TFTP packets from inside interface, you can do with:

  IP tftp source interface fa0

• Site VPN to IPsec with PAT through the tunnel configuration example

  Hello

  as I read a lot about vpn connections site-2-site
  and pass by PAT through it I still haven't found an example configuration for it on e ASA 55xx.

  now, I got suite facility with two locations A and B.

  192.168.0.0/24 Site has - ipsec - Site B 192.168.200.0/24
  172.16.16.0/24 Site has

  ---------------------------------------------------------------------------

  Host--> participated in IP 192.168.0.4: 192.168.0.3-> to 192.168.200.20
  Host 192.168.0.127--> participated in IP: 192.168.0.3-> to 192.168.200.20
  Host 192.168.0.129--> participated in IP: 192.168.0.3-> to 192.168.200.20
  Host 192.168.0.253--> participated in IP: 192.168.0.3-> to 192.168.200.20

  Host 172.16.16.127--> participated in IP: 192.168.0.3-> to 192.168.200.20
  Host 172.16.16.253--> participated in IP: 192.168.0.3-> to 192.168.200.20

  ---------------------------------------------------------------------------

  Now that I have guests autour within networks 172.16.16.0 like 192.168.0.0,
  witch need to access a server terminal server on the SITE b.

  As I have no influence on where and when guests pop up in my Site.
  I would like to hide them behind a single ip address to SITE B.

  If in the event that a new hosts need access, or old hosts can be deleted,
  its as simple as the ACL or conviniently inlet remove the object from the network.

  so I guess that the acl looks like this:

  ---------------------------------------------------------------------------

  access VPN-PARTICIPATED-HOSTS list allow ip 192.168.0.4 host 192.168.200.20
  VPN-PARTICIPATED-HOSTS access list permit ip host 192.168.0.127 192.168.200.20
  VPN-PARTICIPATED-HOSTS access list permit ip host 192.168.0.129 192.168.200.20
  access VPN-PARTICIPATED-HOSTS list allow ip 192.168.0.253 host 192.168.200.20
  VPN-PARTICIPATED-HOSTS access list permit ip host 172.16.16.127 192.168.200.20
  VPN-PARTICIPATED-HOSTS access list permit ip host 172.16.16.253 192.168.200.20

  ---------------------------------------------------------------------------

  But, now, my big question is, how do I said the asa to use: 192.168.0.3 as the
  address for the translation of PAT?

  something like this he will say, it must be treated according to the policy:

  NAT (1-access VPN INVOLVED-HOST internal list)

  Now how do I do that?
  The rest of the config, I guess that will be quite normal as follows:

  card crypto outside_map 1 match address outside_1_cryptomap
  card crypto outside_map 1 set of AA peers. ABM CC. DD
  card crypto outside_map 1 set of transformation-ESP-AES-256-SHA
  outside_map card crypto 1 lifetime of security set association, 3600 seconds

  permit access list extended ip 192.168.0.3 outside_1_cryptomap host 192.168.200.20

  ---------------------------------------------------------------------------

  On SITE B

  the config is pretty simple:

  card crypto outside_map 1 match address outside_1_cryptomap
  card crypto outside_map 1 set of peer SITE has IP
  card crypto outside_map 1 set of transformation-ESP-AES-256-SHA
  outside_map card crypto 1 lifetime of security set association, 3600 seconds

  outside_1_cryptomap list extended access allowed host host 192.168.200.20 IP 192.168.0.3

  inside_nat0_outbound list extended access allowed host host 192.168.200.20 IP 192.168.0.3

  ---------------------------------------------------------------------------

  Thank you for you're extra eyes and precious time!

  Colin

  You want to PAT the traffic that goes through the tunnel?

  list of access allowed PAT ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.0

  PAT 172.16.16.0 permit ip access list 255.255.255.0 192.168.200.0 255.255.255.0

  NAT (inside) 1 access list PAT

  Global (outside) 1 192.168.0.3 255.255.255.255

  Then, the VPN ACL applied to the card encryption:

  list of access allowed vpn host ip 192.168.0.3 192.168.200.0 255.255.255.0

  Thus, all traffic from Site A will be PATed when you remotely 192.168.200.0/24

  The interesting thing is that traffic can only be activated from your end.

  The remote end cannot initialize traffic to 192.168.0.3 if there is not a version of dynamic translation on your side.

  Is that what you are looking for?

  Federico.

• Database will return no error, but does not delete the table

  Hello

  I'm developing an application that uses a database (SQLite). I would like to delete and re-create a table in the database (this table is the kind of a cache).

  When I run the following code, I get no error but chrome / ripple-> resources-> "Web SQL", I still see the old structure of the table.

  Do you have any idea what the problem might be or how I can solve it?

         db.transaction(
              function (tx) {
                  tx.executeSql('DROP TABLE IF EXISTS users',[],function (tx, res) {}, function (tx, err) {alert(err.message)});
                  tx.executeSql('CREATE TABLE users (firstname, lastname, phonenumber, emailadd, company)',[],function (tx, res) {}, function (tx, err) {alert(err.message)});
                  for (var i = 0; i < oPerson.length; i++) {
                      tx.executeSql('INSERT INTO users (firstname, lastname, phonenumber, emailadd, company) VALUES ("' + oPerson[i].Firstname + '", "' + oPerson[i].Lastname + '", "' + oPerson[i].Phonenumber + '", "' + '", "' + oPerson[i].Emailadd + '", "' + oPerson[i].Company + '")');
                      iUsers = iUsers + 1;
                  }
              }
  
          );
  

  Thank you very much

  Roberto.

  Hello Roberto,

  There was a problem with your INSERT INTO string where you have provided additional value which did not exist as a database column. Change

   oPerson[i].Phonenumber + '", "' + '", "' + oPerson[i].Emailadd
  

  TO

   oPerson[i].Phonenumber + '", "' +  oPerson[i].Emailadd
  

  Here's a complete code that must run:

  var db = openDatabase('mydb', '2.0', 'Test DB', 4 * 1024 * 1024);
  var iUsers = 0;
  var oPerson = [{Firstname: 'Joe',
      Lastname: 'Smith',
      Phonenumber: '1800CALLJOE',
      emailadd: '[email protected]',
      Company: 'Photojam'},
      {Firstname: 'Jack',
      Lastname: 'Smith',
      Phonenumber: '1800JACK999',
      emailadd: '[email protected]',
      Company: 'Photojam'}
      ];
  db.transaction(
              function (tx) {
                  tx.executeSql('DROP TABLE IF EXISTS users',[],function (tx, res) {}, function (tx, err) {alert(err.message)});
                  tx.executeSql('CREATE TABLE users (firstname, lastname, phonenumber, emailadd, company)',[],function (tx, res) {}, function (tx, err) {alert(err.message)});
                  for (var i = 0; i < oPerson.length; i++) {
                      tx.executeSql('INSERT INTO users (firstname, lastname, phonenumber, emailadd, company) VALUES ("' + oPerson[i].Firstname + '", "' + oPerson[i].Lastname + '", "' + oPerson[i].Phonenumber + '", "' + oPerson[i].Emailadd + '", "' + oPerson[i].Company + '")');
                      iUsers = iUsers + 1;
                  }
              }
  
          );
  

  Let me know if there are problems!

  See you soon,.

  James

• ASA in ASA VPN-encrypted packets "get lost" in the tunnel

  Hello

  We have a VPN site-to site between ASAs. Both on the v9.1.6 code. On distance ASA, it also has to do NAT source and destination. We see the traffic 'interesting' made from the results of the remote side in ipsec SA. Late has ITS correspondent. Corresponding spinnakers. However, the remote end HIS watch packets encrypted, decrypted none. Late ASA shows no packets encrypted/decrypted. So, how can I "lose" packages in my VPN tunnel if both ends have matching SAs/SPIs?

  Best regards

  Richard

  Hello

  Could be incorrect rules NAT or an access list refusing ESP packets somewhere in the path between the two ASAs.

• AnyConnect VPN full tunnel could not access the site to site VPN

  I have a set of AnyConnect VPN upward with no split tunneling (U-turning/crossed traffic), running 8.2.5 code.

  It works fine, but I want to allow customers to AnyConnect VPN site to site, which I was unable to access.

  I checked the IP addresses of network anyconnect are part of the tunnel on both sides.

  My logic tells me that I must not turn back traffic from the network anyconnect for the site to site VPN, but I don't know how to do this.

  Any help would be appreciated.

  Here are the relevant parts of my config:

  (Domestic network is 192.168.0.0/24,

  the AnyConnect network is 192.168.10.0/24,

  site to site VPN network is 192.168.2.0/24)

  --------------------------------------------------------------------------------------

  permit same-security-traffic inter-interface
  permit same-security-traffic intra-interface

  the DM_INLINE_NETWORK_1 object-group network
  object-network 192.168.0.0 255.255.255.0
  object-network 192.168.10.0 255.255.255.0
  inside_nat0_outbound list extended access allowed object-group ip DM_INLINE_NETWORK_1 192.168.2.0 255.255.255.0
  permit access ip 192.168.0.0 scope list inside_nat0_outbound 255.255.255.0 192.168.10.0 255.255.255.0

  outside_1_cryptomap list extended access allowed object-group ip DM_INLINE_NETWORK_1 192.168.2.0 255.255.255.0

  mask 192.168.10.2 - 192.168.10.254 255.255.255.0 IP local pool AnyConnectPool
  Global 1 interface (outside)
  NAT (inside) 0-list of access inside_nat0_outbound
  NAT (inside) 1 0.0.0.0 0.0.0.0
  NAT (outside) 1 192.168.10.0 255.255.255.0
  access-outside group access component software snap-in interface outside
  Route outside 0.0.0.0 0.0.0.0 (the gateway IP) 1
  WebVPN
  allow outside
  AnyConnect essentials
  SVC disk0:/anyconnect-win-3.1.05152-k9.pkg 1 image
  SVC profiles AnyConnectProfile disk0: / anyconnect_client.xml
  enable SVC
  tunnel-group-list activate
  internal AnyConnectGrpPolicy group strategy
  attributes of Group Policy AnyConnectGrpPolicy
  WINS server no
  value of 192.168.0.33 DNS server 192.168.2.33
  VPN-session-timeout no
  Protocol-tunnel-VPN l2tp ipsec svc
  Split-tunnel-policy tunnelall
  the address value AnyConnectPool pools
  type tunnel-group AnyConnectGroup remote access
  attributes global-tunnel-group AnyConnectGroup
  address pool AnyConnectPool
  authentication-server-group SERVER1_AD
  Group Policy - by default-AnyConnectGrpPolicy
  tunnel-group AnyConnectGroup webvpn-attributes
  the aaa authentication certificate
  activation of the Group _AnyConnect alias

  Your dial-up VPN traffic as originating apears on the external interface, so I think you need to exonerate NAT pool PN traffic directed to the site to site VPN. Something like this:

   global (outside) 1 interface nat (inside) 0 access-list inside_nat0_outbound nat (inside) 1 0.0.0.0 0.0.0.0 nat (outside) 0 access-list outside_nat0 nat (outside) 1 192.168.10.0 255.255.255.0 access-list outside_nat0 extended permit ip any 192.168.10.0 255.255.255.0 access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0

• Dynamic L2L Tunnel - the Tunnel is up, will not pass the LAN traffic

  Hello everyone. I am repurposing an ASA for my business at a remote site and must use a dynamic Configuration of L2L with Split tunneling active. We used these in the past and they work a lot, and I've referenced Cisco official documentation for the implementation. Currently, I am having a problem where I am unable to pass traffic on the local remote network over the VPN tunnel (it does even not raise the tunnel of form). However, if I run the following command in the ASA remote:

  Ping inside the 192.168.9.1

  I receive the ICMP responses. In addition, this traffic causes the VPN Tunnel to be created as indicated by show ISA SA:

  1 peer IKE: xx.xx.xx.xx

  Type: L2L role: initiator

  Generate a new key: no State: MM_ACTIVE

  Here is the IP addressing scheme:

  Network remotely (with the ASA problem): 192.168.12.0/24

  Basic network (Hub): 192.168.9.0/24

  Other rays: 192.168.0.0/16

  Config:

  ASA Version 8.2 (1)
  !
  hostname xxxxxxxxx
  domain xxxxxxxxxxx.local
  activate the xxxxxxxx password
  passwd xxxxxxxxx
  names of
  !
  interface Vlan1
  nameif inside
  security-level 100
  192.168.12.1 IP address 255.255.255.0
  !
  interface Vlan2
  nameif outside
  security-level 0
  IP address dhcp setroute
  !
  interface Ethernet0/0
  switchport access vlan 2
  !
  interface Ethernet0/1
  !
  interface Ethernet0/2
  !
  interface Ethernet0/3
  !
  interface Ethernet0/4
  !
  interface Ethernet0/5
  !
  interface Ethernet0/6
  !
  interface Ethernet0/7
  !
  passive FTP mode
  clock timezone CST - 6
  clock to summer time recurring CDT
  DNS server-group DefaultDNS
  domain xxxxxxxx.local
  permit same-security-traffic intra-interface
  to_hq to access extended list ip 192.168.12.0 allow 255.255.255.0 192.168.0.0 255.255.0.0
  inside_nat0_outbound to access extended list ip 192.168.12.0 allow 255.255.255.0 192.168.0.0 255.255.0.0
  pager lines 24
  Within 1500 MTU
  Outside 1500 MTU
  ICMP unreachable rate-limit 1 burst-size 1
  don't allow no asdm history
  ARP timeout 14400
  Global 1 interface (outside)
  NAT (inside) 1 0.0.0.0 0.0.0.0
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-registration DfltAccessPolicy
  Enable http server
  http 192.168.0.0 255.255.0.0 inside
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  life crypto ipsec security association seconds 28800
  Crypto ipsec kilobytes of life - safety 4608000 association
  card crypto outside_map 10 correspondence address to_hq
  crypto outside_map 10 card game CORE peers. ASA. WAN. INTELLECTUAL PROPERTY
  outside_map crypto 10 card value transform-set ESP-3DES-SHA
  outside_map interface card crypto outside
  crypto ISAKMP allow outside
  crypto ISAKMP policy 10
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  crypto ISAKMP policy 65535
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  Telnet 192.168.0.0 255.255.0.0 inside
  Telnet timeout 5
  SSH timeout 5
  Console timeout 0
  management-access inside
  dhcpd 192.168.9.2 dns 208.67.222.222
  !
  dhcpd address 192.168.12.101 - 192.168.12.131 inside
  rental contract interface 86400 dhcpd inside
  dhcpd xxxxxxxxx.local area inside interface
  dhcpd ip interface 192.168.9.50 option 66 inside
  dhcpd allow inside
  !

  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  WebVPN
  tunnel-group basis. ASA. WAN. Type of IP ipsec-l2l
  tunnel-group basis. ASA. WAN. IPSec-attributes of intellectual property
  pre-shared key xxxxxxxxxxxx
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the netbios
  inspect the rsh
  inspect the rtsp
  inspect the skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect the tftp
  inspect the sip
  inspect xdmcp
  inspect the icmp
  !
  global service-policy global_policy
  context of prompt hostname

  Once the tunnel is in place, LAN to the Remote Site traffic won't pass through the VPN Tunnel any upward. On the side of ASA Core, I was able to Telnet in the ASA distance very well, but could not ping the Remote Access Point.

  Someone at - it a glimpse of my problem?

  Hello

  Add:

  NAT (inside) 0-list of access inside_nat0_outbound

• Capture packets for VPN traffic

  Hi team,

  Please help me to set the ACL and capture for remote access VPN traffic.

  To see the amount of traffic flows from this IP Source address.

  Source: Remote VPN IP (syringe) 10.10.10.10 access

  Destination: any

  That's what I've done does not

  extended VPN permit tcp host 10.10.10.10 access list all

  interface captures CAP_VPN VPN access to OUTSIDE gross-list data type

  Hello

  If you have configured capture with this access list, you filter all TCP traffic, so you will not be able to see the UDP or ICMP traffic too, I would recommend using the ACL, although only with intellectual property:

  list of allowed extended VPN ip host 10.10.10.10 access everything

  Capture interface outside access, VPN CAP_VPN-list

  Then with:

  See the capture of CAP_VPN

  You will be able to see the packet capture on the SAA, you can export the capture of a sniffer of packages as follows:

    https:// /capture//pcap capname--> CAP

  For more details of capture you can find it on this link

  Let me know if you could get the information that you were trying to achieve.

  Please Don t forget to rate and score as correct the helpful post!

  David Castro,

  Kind regards

• Force traffic into the tunnel?

  No IPSEC applied anywhere yet.

  If you have 2 routers configured back to back with the physical interfaces tunnel interfaces - which way will be the traffic travels above?

  Answer - It will follow the path of the routing table that I guess. OSPF or static or other routes.

  Series enough.

  Now add one IPSEC.

  OSPF fails as IPSEC does not support multicast.

  Series enough.

  Now, add IPSEC and GRE to the mix. Apply card crypto both physical and tunnel interfaces.

  Included here is the common ACL associated with free WILL. That is: -.

  access-list 100 permit will host [address physical source] [address physical destination]

  It's the ACL that is supposed to define what traffic is 'interesting' and which must be encrypted.

  We will repeat the question: what should be the traffic?

  I guess it's the same answer. Refer to the routing table.

  But that traffic is encrypted? Answer - ONLY traffic destined to the IP tunnel interface.

  If you ping from physics to physics, it will be clear.

  Question - do you need to force ALL traffic to the bottom of the tunnel interface in the order so he could match the ACL and therefore get encrypted?

  How do accomplish us this?

  Discussion and debate would be greatly appreciated.

  He

  Only traffic with the source/destination of the tunnel interfaces - you just encapsulate & encrypt what happens / leaves the tunnel. If you have two sites connected through a VPN IPSEC, 'interesting' traffic for VPN is the source/destination on tunnel interfaces you need to LAN traffic in the tunnel interfaces. If you have either the static routes, or run you a dynamic routing such as OSPF or EIGRP Protocol.

  You may have a default route pointing to the firewall, a routing protocol dynamic running - so that all "internal" traffic will take place on the tunnel = encrypted vpn to a remote site, while all the 'internet' traffic routes to the firewall and leaves normally.

  HTH

• How to install the VPN Client and the tunnel from site to site on Cisco 831

  How can I configure a Cisco 831 router (Branch Office) so that it will accept incoming VPN Client connections and initiate tunneling IPSec site to site on our hub site that uses a VPN 3005 concentrator?  I could get the tunnel to work by configuring it in a dynamic encryption card, but interesting traffic side Cisco 831 would not bring the tunnel upward.  I could only put on the side of the hub.  If I use a static encryption card and apply it to the external interface of the 831 I can get this working but then I couldn't get the VPN Client to work.

  Thank you.

  The dynamic map is called clientmap
  The static map is called mymap

  You should have:

  no card crypto not outmap 10-isakmp ipsec dynamic dynmap
  map mymap 10-isakmp ipsec crypto dynamic clientmap

  interface Ethernet1
  crypto mymap map

  Federico.

• my world event working on the Simulator, but not on the device

  Hi guys,.

  I'm using BB bold 9000. I have attached directly to the device and debugging. I'm getting "background switch detected for myapp (261) that does NOT have the tunnels open - defocus is NOT called" on the device debugging. but it works fine on the Simulator (my ultimate task is slaughtering an application from another application) any idea?

  Thank you

  Thank you guys, it's worked.

• Keep up the tunnel

  I have a router with a static IP address 881, acting as a router at Headquarters.  I have then several remote site (also 881 s) routers that have dynamic IP addresses.  I configured IPsec tunnels, which are made from the dynamic IP sites to the HQ router successfully.  I'm trying to find a way to keep the tunnel going down due to inactivity.  It does not always have to be a lot of back and forth, traffic, so left to itself, the tunnel finally breaks down.  The problem with this is that only the side dynamic IP can connect again.  I need to prevent that from happening, so that the router HQ can send traffic in the tunnel, even if no traffic not elapsed during a prolonged period of time.

  I tried "crypto isakmp keepalive 30 10 periodicals", but it doesn't seem to do anything.

  Any help would be appreciated.

  Thank you.

  DPD go on IKE ITS not IPsec Security Association.

  You can install a simple SLA probes on distance 880 s to ping tunnel from the local LAN (s) of remote addresses behind HQ 881 interfaces. This should maintain the tunnels. An ICMP packet every 5 minutes should cuause not extra pressure on the boxes.