reverse path

I have the command "ip verify reverse-path interface outside" configured on my PIX. According to the documentation, this protects the outside interface by checking the source address and preventing spoofing attacks. Does this essentially mean that packets entering my network are checked to see whether the dest. network is in the routing table? Also, if I apply this to my inside interface, will it check that the source IP address is valid for the inside interface?

Just want to double check.

Hello!

Yes.

The ip verify reverse-path interface outside command protects the outside interface from spoofing attacks from the Internet, while the ip verify reverse-path interface inside command protects the inside interface from attacks by users on the internal network.

HTH.

Rgds

Vimal

Tags: Cisco Security

Similar Questions

  • What is the difference between Unicast RPF and Reverse Path Forwarding?

    I am confused about the difference between Unicast RPF and Reverse Path Forwarding.

    What is the difference between Unicast RPF and Reverse Path Forwarding?

    Do they both check the source address of each packet before forwarding it to the destination?

    Is Reverse Path Forwarding used only when the network wants to build a shared multicast tree, and must we then use Unicast RPF after the shared tree has been created?

    The RPF mechanism is mainly used to ensure loop-free routing of traffic.

    As you have probably already read, it does this by ensuring that the route to the source address of a received packet points back out the same interface the packet came in on. Think of the notion of the "root port" in STP: all root ports point toward the root, the way sunflowers follow the sun. It is therefore naturally a loop-prevention mechanism.

    With multicast traffic it is quite likely that routing loops get created, given the "many destinations" nature of the traffic. For that reason a mechanism like RPF is used to ensure you are on the "road to the root" (so to speak), i.e. toward the source originating the multicast traffic. If you are not, you will either receive this traffic in a routing loop or over a suboptimal path.

    uRPF works essentially the same way, except that it is done for unicast traffic instead. With unicast traffic your flow is from one source to a single destination. Given that, and the fact that you are using a dynamic routing algorithm (which selects the path to a destination), you can have routing loops in your network for unicast traffic; of course there may be exceptions due to pitfalls in route redistribution configuration.

    However, when RPF is applied to unicast traffic it can add another advantage, namely IP source verification. That is why we can use it as a security mechanism to ensure that data comes from where it is supposed to come from.

    At the L2 boundary you then have mechanisms such as IP Source Guard to ensure that hosts are not spoofing their IP addresses.

    By analogy, RPF can be used for source checking of multicast traffic, and it does that intrinsically; however, its most important role is to guarantee loop-free routing of multicast traffic.

    I hope that helped clear things up and did not confuse you any further.

  • ASA5505 SSL AnyConnect VPN and NAT Reverse Path failure

    I worked on it for a while and just have not found a solution yet.

    I have a Cisco ASA5505 set up at home and I am trying to use the AnyConnect VPN client with it.  I followed the ASA 8.x split-tunnel example but I am still missing something.

    My home network is 10.170.x.x and I set up the VPN address pool as 10.170.13.x. I have a Windows workstation running at 10.170.0.6, printers at 10.170.0.20 and 21, and the inside of the router itself is 10.170.0.1.

    I can connect from the outside and am assigned the IP address 10.170.13.10, but when I try to access network resources via ICMP or open a web page, the ASDM log shows a bunch of this:

    5 | January 27, 2010 | 10:33:37 | 305013 | 10.170.255.255 | 137 | Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
    5 | January 27, 2010 | 10:33:36 | 305013 | 10.170.255.255 | 137 | Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
    5 | January 27, 2010 | 10:33:35 | 305013 | 10.170.255.255 | 137 | Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
    5 | January 27, 2010 | 10:33:34 | 305013 | 10.170.0.6 | | Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
    5 | January 27, 2010 | 10:33:30 | 305013 | 10.170.255.255 | 137 | Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
    5 | January 27, 2010 | 10:33:29 | 305013 | 10.170.255.255 | 137 | Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
    5 | January 27, 2010 | 10:33:28 | 305013 | 10.170.255.255 | 137 | Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
    5 | January 27, 2010 | 10:33:28 | 305013 | 10.170.0.6 | | Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
    5 | January 27, 2010 | 10:33:23 | 305013 | 10.170.0.6 | | Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
    5 | January 27, 2010 | 10:33:17 | 305013 | 10.170.0.6 | | Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
    5 | January 27, 2010 | 10:33:13 | 305013 | 10.170.0.6 | | Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
    5 | January 27, 2010 | 10:33:07 | 305013 | 10.170.0.6 | | Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure

    I tried several things with NAT but was not able to get past this.  Would anyone mind looking at my running config and helping me with this?  Thanks a bunch!

    -Tim

    A couple of points to check.

    name 10.17.13.0 UFP-VPN-pool looks like it should be name 10.170.13.0 UFP-VPN-pool

    inside_nat0_outbound to access extended list ip allow list zero 255.255.0.0 255.255.255.0 UFP-VPN-pool

    That one looks like it should be

    inside_nat0_outbound to list extended ip access list zero UFP-VPN-pool 255.255.255.0 255.255.255.0 allow

  • ip verify unicast reverse-path does not work

    I configured ip verify unicast reverse-path on a Cisco 2611 running 12.3(26). IP CEF is enabled globally but disabled with the no ip route-cache cef command on all interfaces except the WAN-facing interface (Serial0/0).

    !
    interface Serial0/0
     description connected to the internet
     bandwidth 768
     ip address 100.100.20.10 255.255.255.252
     ip verify unicast reverse-path
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip accounting access-violations
     ip nat outside
     ip route-cache flow
     no ip mroute-cache
     no fair-queue
     no cdp enable
    !

    Whenever I reboot the router, it works for a while, then stops working. The unicast RPF drop counter in show ip traffic unexpectedly stops climbing after a few minutes and stays where it stopped.

    IP statistics:
      Rcvd:  35015 total, 346 local destination
             0 format errors, 0 checksum errors, 0 bad hop count
             0 unknown protocol, 17 not a gateway
             0 security failures, 0 bad options, 0 with options
      Opts:  0 end, 0 nop, 0 basic security, 0 loose source route
             0 timestamp, 0 extended security, 0 record route
             0 stream ID, 0 strict source route, 0 alert, 0 cipso, 0 ump
             0 other
      Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
             0 fragmented, 0 fragments, 0 couldn't fragment
      Bcast: 6 received, 0 sent
      Mcast: 0 received, 0 sent
      Sent:  265 generated, 23074 forwarded
      Drop:  1 encapsulation failed, 0 unresolved, 0 no adjacency
             120 no route, 467 unicast RPF, 0 forced drop
             0 options denied
      Drop:  0 packets with source IP address zero
      Drop:  0 packets with internal loop back IP address

    Can anyone think of a reason it works for a few seconds after startup and then stops?

    [edit]

    I took out the ip route-cache flow statement, thinking that was the problem, but still no change in the counter.

    There are several methods you can use for the same purpose; here are some examples:

    > ACL

    > Policy Based Routing + ACL (two interfaces, marking on one, dropping via ACL)

    > MPF 'drop' keyword

    > Black hole routing (routes to Null0)

    > uRPF

    Each method has its advantages and disadvantages. ACLs and static routes are difficult to maintain and operate. An ACL with the "log" keyword is process switched, making it slower.

    Black hole routing works by sending spoofed traffic (hitting the bogon list) to Null0. Null0 being a direct adjacency (sort of an interface) on all CEF routers, it is relatively faster.

    uRPF is commonly used with Remotely Triggered Black Hole routing (RTBH). For example, say we manage a large organization with several entry points into the network. Now you learn that your network is under attack from source 1.2.3.0/24. With RTBH, all border routers have uRPF active and there is an internal router known as the 'trigger router'. You could inject a route into your IGP domain, something like:

    ip route 1.2.3.0 255.255.255.0 Null0 tag 255

    All the edge routers would then receive this route and, with the help of uRPF, drop all packets 'sourced' from the attacker's network. The process is a little more complicated than that, but I hope you get the idea.

    Regards

    Farrukh
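    The behaviour discussed in the original question (the PIX reverse-path check), in the uRPF versus RPF answer above, and in Farrukh's RTBH example all come down to one lookup: find the best route back to the packet's source address and compare it with the interface the packet arrived on. The following simulation is an added example written for this page, not Cisco code; the routing table, interface names (inside, dmz, outside) and packets are constructed, and it models both strict mode (what `ip verify reverse-path interface X` or `reachable-via rx` does) and loose mode (`reachable-via any`), plus the Null0 trigger route that makes RTBH work.

```python
"""Simulated unicast RPF check (strict and loose mode) over a small routing table,
plus a Remotely Triggered Black Hole (RTBH) route. Added example, not Cisco code:
the routing table, interface names and packets below are constructed."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]   # (prefix, egress interface); "Null0" = black hole


def lookup(rib: List[Route], addr: str) -> Optional[Route]:
    """Longest-prefix match for addr; None when no route (not even a default) exists."""
    ip = ipaddress.IPv4Address(addr)
    best: Optional[Route] = None
    for prefix, iface in rib:
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def urpf_check(rib: List[Route], ingress: str, src: str,
               mode: str = "strict", allow_default: bool = True) -> Tuple[bool, str]:
    """Return (passed, reason) for a packet with source `src` arriving on `ingress`.

    strict: the best route back to the source must point out the ingress interface.
    loose:  any route to the source that is not a Null0 route is enough.
    allow_default: whether a match on the default route counts (IOS strict mode needs
            the allow-default keyword; a firewall's outside interface effectively relies
            on the default route to accept arbitrary Internet sources).
    """
    route = lookup(rib, src)
    if route is None:
        return False, "no route to source"
    prefix, via = route
    if via == "Null0":
        return False, "source is black-holed (Null0)"
    if prefix.prefixlen == 0 and not allow_default:
        return False, "only the default route matches the source"
    if mode == "strict" and via != ingress:
        return False, f"return path is via {via}, packet arrived on {ingress}"
    return True, "ok"


def demo_rib() -> List[Route]:
    """Constructed routing table for a firewall with inside, dmz and outside interfaces."""
    return [
        (ipaddress.IPv4Network("0.0.0.0/0"), "outside"),
        (ipaddress.IPv4Network("10.170.0.0/16"), "inside"),
        (ipaddress.IPv4Network("192.0.2.0/24"), "dmz"),
    ]


def apply_rtbh(rib: List[Route], prefix: str) -> List[Route]:
    """Trigger-router action from the thread: inject a Null0 route for the attacker's prefix.
    With uRPF active on the edges, packets *sourced* from that prefix are then dropped."""
    return rib + [(ipaddress.IPv4Network(prefix), "Null0")]


if __name__ == "__main__":
    rib = demo_rib()
    # Constructed packets: (ingress interface, source address)
    packets = [("outside", "10.170.0.5"),    # inside address arriving from the Internet: spoofed
               ("outside", "198.51.100.7"),  # ordinary Internet source
               ("inside", "10.170.0.5"),     # legitimate inside host
               ("inside", "192.0.2.8")]      # dmz address arriving on inside: spoofed
    for ingress, src in packets:
        for mode in ("strict", "loose"):
            print(f"{ingress:8} {src:15} {mode:6} -> {urpf_check(rib, ingress, src, mode)}")
    rib = apply_rtbh(rib, "1.2.3.0/24")
    print("after RTBH:", urpf_check(rib, "outside", "1.2.3.9", "loose"))
```

    Note the difference the mode makes for the spoofed inside address arriving on outside: strict mode drops it because the return path is inside, loose mode passes it because some route exists. Loose mode is what makes the RTBH Null0 route effective on an edge with asymmetric routing, since it only requires the source not to be black-holed.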

  • denied due to NAT reverse path failure

    I have an ASA5505 (ASDM 7.1(3), ASA 9(2), Base license) and I am confused about "denied due to NAT reverse path failure".

    My IP scheme is as follows:

    INSIDE = 10.0.1.0/24

    DMZ = 172.16.0.0/24

    VPN_Pool = 172.16.20.0/24

    PROBLEM: VPN users can connect to the ASA but can't reach anything on the LAN or DMZ.

    TRIAGE: I ran packet-tracer with the following result:

    ALB-ASA# packet-tracer input inside tcp 172.16.20.2 1234 172.16.0.2 80

    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   172.16.0.0      255.255.255.0   DMZ

    Phase: 2
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 3
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 4
    Type: HOST-LIMIT
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 5
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 6
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 7
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 6415, packet dispatched to next module

    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: DMZ
    output-status: up
    output-line-status: up
    Action: allow

    QUESTION:

    The error received is "Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:172.16.20.1/52036(LOCAL\user) dst DMZ:172.16.0.2/3389 denied due to NAT reverse path failure."

    What NAT rules do I have to apply to allow users access to the LAN/DMZ resources?

    Current NAT is the following:

    1 (DMZ) to (outside) source dynamic DMZ_NET interface
        translate_hits = 1623, untranslate_hits = 34
        Source - Origin: 172.16.0.0/27, Translated: (MY-real-IP-DELETED)/21
    2 (inside) to (outside) source dynamic obj_any interface
        translate_hits = 2851, untranslate_hits = 121
        Source - Origin: 0.0.0.0/0, Translated: (MY-real-IP-DELETED)/21

    THANKS IN ADVANCE FOR HELP!

    The address pool for VPN users must have a NAT exemption for all DMZ or inside networks they will use. They appear as outside addresses (even though they receive a local private IP address) based on their ingress interface.

    Therefore, without a NAT exemption, traffic back to them is NATted by one of your two NAT rules above (while the incoming traffic was not NATted). Hence the "asymmetric NAT rules matched for forward and reverse flows" message.

    Your packet-tracer specified them as inside, and so you were given a false positive indication for the traffic.

  • Stuck on reverse path

    Does anyone know how to fix this? I can't rebuild the paths (there are too many) and I tried to cut and paste the inside to a new path, and that has not worked. I think the person who built the original path built it large and reversed, and then cropped the document flush outside the path. Please see the attached jpg for more details. I played a bit with the Refine Edge tool, but this isn't really what I'm looking for. Thanks in advance.

    Select this path with the Path Selection tool (the black arrow) and in the Options bar change the button from Subtract from shape area to Add to shape area.

  • NAT reverse path failure question

    Hello

    Using an ASA 5512-X running 9.3(3). I have AnyConnect VPN configured to PAT the remote-access subnet to one of the inside interfaces (because of internal routing restrictions).

    For example...

    Remote subnet: 192.168.10.0/24

    Internal subnet: 192.168.1.0/24

    Internal interface: 192.168.1.254

    All remote-access clients are behind 192.168.1.254 and it works correctly until I add a dynamic NAT rule for outbound traffic; then I start to see the "NAT reverse path failure" errors when VPN clients try to access internal resources.

    object network LAN1
     subnet 192.168.1.0 255.255.255.0
     nat (inside,outside) dynamic interface

    Is there a way to work around this problem, given that all the remote-access clients are hidden behind the interface address?

    Thanks for any help.

    Hello

    Instead of doing the NAT under the group, have you tried doing it globally, like:

    nat (inside_101_infrastructure,outside) source dynamic LAN-GROUP interface destination static ANYCONNECT_VPN_SUBNET ANYCONNECT_VPN_SUBNET

    Thank you

    PS: Please don't forget to rate and mark as correct answer if this solves your problem

  • NAT reverse path failure

    Hello guys,

    We are having a problem with a Web VPN between two ASAs. These are two test environments, but we need connectivity between the two to move large amounts of data back and forth. The ASA at Site 1 (ASA 1) runs 8.3 code and the ASA at Site 2 runs 8.2 code. The VPN is up, but traffic will not get through. Site 2 can send but not receive and Site 1 can receive but not send. The only errors I get are at Site 1 and they are below

    Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.255.1.100 dst inside:172.16.1.20 (type 8, code 0) denied due to NAT reverse path failure

    Site 1 is a flat network. There is an ASA used as the gateway, but the local network is simply a flat class B subnet. No VLANs, no additional routing, only switches connected back to each other on the same subnet. The trusted network is 172.16.0.0/16

    Site 2 is a little more complex. It has an ASA connected to a Cisco 6500 that hosts an FWSM. The network that needs to talk over the VPN is behind the FWSM and is 10.255.1.0/24. I have attached a diagram. The ASA at Site 2 doesn't have a link on 10.255.1.0, but it has a route to reach that network via 10.255.255.x. Currently the Site 2 ASA can see the 10.255.1.0 network with no problems. We need this 10.255.1.0 network to reach the 172.16.0.0 network via the VPN at Site 1.

    When traffic comes from Site 2 the VPN comes up successfully, but the traffic does not get through. I see logs on the FWSM and ASA showing traffic hitting both, so I'm confident the traffic successfully left Site 2. Site 1 is where I get the above error. When I source traffic from Site 1, I don't see anything on the Site 2 ASA or FWSM. This seems to be a problem with the Site A ASA's NAT configuration; if you want me to post it, just let me know.

    Thanks in advance to all those who help!

    Hello

    Do you have the crypto ACL at both ends? I mean it takes a mirrored ACL at both ends, and do you have the no-nat rule configured for this?

    Say your site 1: ASA 8.3

    access-list extended permit ip 172.16.0.0 255.255.0.0 10.255.1.0 255.255.255.0

    object network locallan
     subnet 172.16.0.0 255.255.0.0

    object network remotelan
     subnet 10.255.1.0 255.255.255.0

    nat (inside,outside) source static locallan locallan destination static remotelan remotelan

    Say your site 2: ASA 8.2

    access-list extended permit ip 10.255.1.0 255.255.255.0 172.16.0.0 255.255.0.0

    access-list no-nat extended permit ip 10.255.1.0 255.255.255.0 172.16.0.0 255.255.0.0

    nat (inside) 0 access-list no-nat

    Regards

    Knockaert
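    The "Asymmetric NAT rules matched for forward and reverse flows ... NAT reverse path failure" message that runs through these threads (the AnyConnect pool, the DMZ case, and the site-to-site case Knockaert answers with an identity twice-NAT rule) has one cause: the ASA translates the forward packet with one rule, then checks that the reply packet would translate back with the same result, and drops the connection when a different rule would PAT the reply. The following simulation is an added example written for this page, not Cisco code; it reduces NAT to the two rule kinds the threads exercise (interface PAT and identity twice NAT), uses the DMZ and VPN-pool addresses from the thread above, and assumes a constructed outside interface address of 203.0.113.1. The 305013 message text is reproduced as quoted on this page.

```python
"""Simplified model of the ASA 'NAT reverse path' check behind %ASA-305013.
Added example, not Cisco code: rule semantics are reduced to interface PAT and
identity twice-NAT; the outside interface address is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address
IF_ADDR = {"outside": Addr("203.0.113.1")}   # constructed outside interface address


@dataclass
class NatRule:
    name: str
    real_if: str
    mapped_if: str
    real_src: Net
    mapped_src: Optional[Net] = None   # None = dynamic PAT to the mapped interface address
    real_dst: Optional[Net] = None     # twice NAT: only packets to this destination match


def translate_src(rules: List[NatRule], ingress: str, egress: str, src: Addr, dst: Addr) -> Addr:
    """Source address after NAT for a packet entering `ingress` and leaving `egress`.
    Rules are evaluated in order; static (twice NAT) rules apply in both directions,
    dynamic PAT only translates in the real -> mapped direction."""
    for r in rules:
        if (r.real_if == ingress and r.mapped_if == egress and src in r.real_src
                and (r.real_dst is None or dst in r.real_dst)):
            if r.mapped_src is None:
                return IF_ADDR[egress]                        # dynamic interface PAT
            offset = int(src) - int(r.real_src.network_address)
            return r.mapped_src.network_address + offset      # static; identity when nets are equal
        if (r.mapped_src is not None and r.mapped_if == ingress and r.real_if == egress
                and dst in r.mapped_src and (r.real_dst is None or src in r.real_dst)):
            return src   # mapped -> real direction of a static rule: source is untouched
    return src           # no matching rule: no translation


def reverse_path_ok(rules: List[NatRule], ingress: str, egress: str, src: str, dst: str) -> bool:
    """The ASA builds the forward flow, then verifies that the reply flow translates back to
    the same addresses; a mismatch is what 305013 calls 'NAT reverse path failure'."""
    s, d = Addr(src), Addr(dst)
    fwd_src = translate_src(rules, ingress, egress, s, d)
    reply_src = translate_src(rules, egress, ingress, d, fwd_src)   # reply: dst -> translated src
    return reply_src == d


def msg_305013(proto: str, ingress: str, src: str, egress: str, dst: str) -> str:
    """The syslog text quoted in the threads, for the flow that failed the check."""
    return (f"Asymmetric NAT rules matched for forward and reverse flows; Connection for {proto} "
            f"src {ingress}:{src} dst {egress}:{dst} denied due to NAT reverse path failure")


# Addresses from the DMZ thread above; the object NAT rules mirror its 'show nat' output.
DMZ_NET = Net("172.16.0.0/24")
VPN_POOL = Net("172.16.20.0/24")
OBJECT_NAT = [
    NatRule("DMZ_NET interface PAT", "DMZ", "outside", DMZ_NET),
    NatRule("obj_any interface PAT", "inside", "outside", Net("0.0.0.0/0")),
]
# nat (DMZ,outside) source static DMZ_NET DMZ_NET destination static VPN_POOL VPN_POOL
EXEMPT = [NatRule("VPN exemption (identity)", "DMZ", "outside", DMZ_NET, DMZ_NET, VPN_POOL)]


def without_exemption() -> bool:
    """VPN client (outside) to DMZ host: reply gets PATed, forward packet was not -> denied."""
    return reverse_path_ok(OBJECT_NAT, "outside", "DMZ", "172.16.20.2", "172.16.0.2")


def with_exemption() -> bool:
    """Identity rule ahead of the PAT rule (section 1 twice NAT): both directions agree."""
    return reverse_path_ok(EXEMPT + OBJECT_NAT, "outside", "DMZ", "172.16.20.2", "172.16.0.2")


def exemption_after_pat() -> bool:
    """Order matters: the same identity rule placed after the PAT rule (as an after-auto,
    section 3 rule would be) never gets a chance on the reply, and the check still fails."""
    return reverse_path_ok(OBJECT_NAT + EXEMPT, "outside", "DMZ", "172.16.20.2", "172.16.0.2")


if __name__ == "__main__":
    for label, fn in (("no exemption", without_exemption), ("exemption first", with_exemption),
                      ("exemption after PAT", exemption_after_pat)):
        print(f"{label:20}: {'allowed' if fn() else 'DENIED'}")
    print(msg_305013("tcp", "outside", "172.16.20.1/52036", "DMZ", "172.16.0.2/3389"))
```

    The third scenario is the check most worth keeping in mind when the exemption "is there but does not help": on a real ASA the manual rule lands in section 1 by default and so precedes object NAT, but an after-auto rule lands in section 3 and loses to the interface PAT exactly as modelled here.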

  • Reverse the direction of the pasted path?

    I have a path on a shape layer and I copy this path into the Position of another layer (so I can animate this layer along the path).

    But I need to reverse the direction of the pasted position movement.

    So instead of the object moving right to left, I need left to right.

    I tried changing the 'Reverse Path Direction' setting on the path before copy/paste, but that doesn't seem to do anything.

    CC 2015

    Select all keys > right click > Keyframe Assistant > Time-Reverse Keyframes

  • Severity 1 traps, 'Deny ICMP reverse path check'

    Hello

    I have 1.2.0.0/19, but 1.2.24/whatever is not in use (I only use the first /24 of the /19 network).

    I do not have 172.16.0/whatever on any interface.

    My WAN interface is simply called wan.

    These are the severity 1 messages I get:

    <161>%ASA-1-106021: Deny ICMP reverse path check from 172.16.0.3 to 1.2.24.168 on interface wan

    The router (2821) in front of my ASA drops all packets coming from the 10/8, 172.16/16 and 192.168/16 networks on its WAN, so I don't know how this can be.

    How serious is this? What exactly does it mean? How can I find out who is doing this so I can keep it out of my log?

    Hello 3moloz123,

    How often do you get this? If it happens often enough, you can take a packet capture on the outside of your ASA and match all traffic from 172.16.0.3.

    If you are certain that no traffic with source address 172.16.0.3 destined for your ASA leaves your router having originally entered on a different router interface, it may be traffic that reaches your ASA with source address 172.16.0.3, destined for 1.2.24.168, with the MAC of your router, hairpinning out of your router and heading to your ASA. The ASA then drops the packet because of the RPF check.

    If your router supports outbound ACLs, you can apply one to the interface facing the ASA. However, it should only be applied temporarily until you can find the real source of the traffic. Have you done a packet capture on (or inside) your ASA for 172.16.0.3 to see if 172.16.0.3 is sending traffic to 1.2.24.168?

    Thank you

    Blayne Dreier

    Cisco TAC Escalation Team

    * Please see our Podcasts *.

    TAC security show: http://www.cisco.com/go/tacsecuritypodcast

    TAC IPS Media Series: https://supportforums.cisco.com/docs/DOC-12758
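    The poster's two questions, how serious the 106021 denies are and who is sending them, are answered by counting the denies per source and interface and then capturing that source, which is what Blayne suggests above. The script below is an added example written for this page, not Cisco code; the syslog lines are constructed around the single message the poster quoted (plus one unrelated 302013 line to show it is ignored), and the capture command it emits uses the ASA `capture ... match ip host` syntax.

```python
"""Triage of %ASA-1-106021 'reverse path check' denies. Added example, not Cisco code;
the syslog lines are constructed around the one message quoted in the thread."""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Tuple

# Message layout as quoted on this page: Deny <proto> reverse path check from <src> to <dst> on interface <if>
RPF_DENY = re.compile(
    r"%ASA-1-106021: Deny (?P<proto>\S+) reverse path check from (?P<src>\S+) "
    r"to (?P<dst>\S+) on interface (?P<iface>\S+)"
)

# Constructed sample log: three repeats of the quoted message, one other private source, one unrelated line.
SAMPLE_LOG = """\
<161>%ASA-1-106021: Deny ICMP reverse path check from 172.16.0.3 to 1.2.24.168 on interface wan
<166>%ASA-6-302013: Built inbound TCP connection 1001 for wan:198.51.100.5/4444 (198.51.100.5/4444) to inside:1.2.24.10/443 (1.2.24.10/443)
<161>%ASA-1-106021: Deny ICMP reverse path check from 172.16.0.3 to 1.2.24.168 on interface wan
<161>%ASA-1-106021: Deny tcp reverse path check from 10.9.9.9 to 1.2.24.10 on interface wan
<161>%ASA-1-106021: Deny ICMP reverse path check from 172.16.0.3 to 1.2.24.168 on interface wan
"""


def parse_rpf_denies(log: str) -> List[Dict[str, str]]:
    """Extract protocol, source, destination and interface from every 106021 line."""
    return [m.groupdict() for line in log.splitlines() if (m := RPF_DENY.search(line))]


def top_sources(events: List[Dict[str, str]], n: int = 5) -> List[Tuple[Tuple[str, str], int]]:
    """Rank (source, interface) pairs by number of denies; the first is the one to chase."""
    return Counter((e["src"], e["iface"]) for e in events).most_common(n)


def is_bogon_for_wan(src: str) -> bool:
    """RFC 1918, loopback and link-local sources should never arrive on the WAN side; seeing
    one means the upstream router filter the poster relies on is not catching everything."""
    ip = ipaddress.ip_address(src)
    return ip.is_private or ip.is_loopback or ip.is_link_local


def capture_command(src: str, iface: str, name: str = "rpf") -> str:
    """ASA packet capture matching the offending source, as suggested in the answer above."""
    return f"capture {name} interface {iface} match ip host {src} any"


def triage(log: str) -> Dict[str, object]:
    """Summarise the denies and propose the next diagnostic step for the top source."""
    events = parse_rpf_denies(log)
    ranked = top_sources(events)
    (src, iface), count = ranked[0] if ranked else (("", ""), 0)
    return {
        "denies": len(events),
        "top_source": src,
        "top_count": count,
        "upstream_filter_bypassed": bool(src) and is_bogon_for_wan(src),
        "next_step": capture_command(src, iface) if src else "no 106021 events",
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

    Because the check only drops packets the routing table says cannot legitimately have that source, the denies themselves are the ASA working as intended; the triage output tells you whether the noise is a single misrouted host (one source, one interface, a private address) worth a capture, or something broader.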

  • Morphing path problem

    Hello

    I'm running into a problem trying to morph two shapes (created in Illustrator).

    Here are the steps I took (the problem is in bold):

    1. Imported two Illustrator files into AE and put them on the timeline as two distinct layers.
    2. Converted the two vector layers to shapes.
    3. Set path keyframes on the two shape layers.
    4. Copy/pasted the path of Shape1 onto the timeline of Shape2.
    5. Changed the 'First Vertex Point' for the two paths so that they are in corresponding positions.
    6. After step #5, the morph between the two paths retained a 'twisty' effect during interpolation.

      I did some research and discovered that the other vertices were probably not numbered the same, due to my having made them in Illustrator.
    7. To address the vertex problem, I copied the path of Shape2 and pasted it in Illustrator, where I used the "Reverse Path Direction" tool in the Attributes panel. (To do this, I pasted the path, pressed Command-8, then reversed the path direction.)
    8. Once the path direction had been reversed, I pasted the path for Shape2 into the timeline for Shape1 and got the morph I wanted (much more natural, non-twisty).
    9. However, now the path for Shape2 moves to the upper-left corner of the composition during interpolation and I don't know why.  I checked and there are no position keyframes enabled for movement.  (The anchor point for the path crosses to the top left of the comp.)

      When I try to drag the path back to its normal position, the entire layer moves.

      The problem seems to be solved when I paste the path into a different group in the same layer; however, I still have to set the position manually.  This workaround is problematic for the project I am working on because the shapes I work with have several paths, and dragging each one back into position manually is neither accurate nor time-saving.  (Note: I have not been able to enter position values numerically to solve this problem.  It has all been physical dragging.)

    What is causing the path to move during interpolation and how can I prevent it?

    I hope I was able to articulate the problems I'm encountering.  Any ideas would be greatly appreciated.

    Thanks in advance!

    Also, some other info:

    Computer: MacBook Pro 13" Retina (late 2012)
    Processor: 2.9 GHz Intel Core i7

    Memory: 8 GB 1600 MHz DDR3 (6.5 GB dedicated to active Adobe products)

    Graphics card: Intel HD Graphics 4000 1536 MB
    Using After Effects CC (13.5.0.347)

    Thank you, once again!

    On morphing paths:

    To create smoother shape-to-shape transitions, you can use mask interpolation; it creates intermediate keyframes between two path keyframes. Read about it here: Managing and animating shape paths and masks in After Effects. Unfortunately, this is for mask paths and not shape paths, but you're smart: you can copy the path to a mask, do your thing and then paste it back. Or maybe you don't need the shape anyway. See if it works.

    On the path offset:

    I was able to reproduce the problem. Here's how I see it: when you convert AI layers to shapes, they get some position attributes so that they are placed in the same position. Note that if you press UU you get the changed properties:

    When you paste the path from Illustrator, you paste onto a layer that has a transform offset, and that is why your layer is up there.

    This I do not understand:

    "To address the vertex problem, I copied the Shape2 path and pasted it in Illustrator, where I used the "Reverse Path Direction" tool in the Attributes panel. (To do this, I pasted the path, pressed Command-8, then reversed the path direction.)"

    You don't need to copy/paste AE to AI and back when you can copy/paste the original AI layer to AE. To do this, copy/paste only once. You can copy/paste paths from AE to AI too.

    Here are my suggested solutions (choose one! not all of them):

    1. Reverse the path in AI, save the file and convert the layer to a shape again. This way you don't copy/paste the path from AI, only from AE.

    2. Reset the transform and position properties for the shape group. Then the copy/paste will be exactly where your path is.

    3. If you don't really need shapes, you can work with layer masks and copy/paste like crazy to AI without the offset.

  • Make a linear path into a circular path

    I'm relatively new to Illustrator and trying to figure out how to change a linear object into a circular object. Below you will see that I have a "River Road" (really just evenly spaced "waves" on a straight line) in blue and a circular ring in yellow (crossed out in red). river_circle.png

    I want to wrap the "River Road" to replace the inner red stroke path of the donut/circle. [I would also like to make a second version with the 'waves' on the outside of the ring/circle, so help with both would be great.] Basically, I want to take an anchor at the end of the 'River' path and wrap it around a circular path until it meets the other end anchor.

    I tried using Effect > Warp > Arc, and then copying the path and reflecting it; however, that does not produce a true semicircular arc (see below). river_circle(arc).png

    I read another thread here about doing it with an 'Art Brush', but I don't know how to do this without more details than that post outlines. If anyone knows how to do this with the art brush, I would be grateful for guidance.

    Or any idea for my goal: a doughnut with the waves on the inside edge (and then again on the outer edge).

    CommCo,

    An Art Brush like a wave will keep the number of crests and be stretched to fit the path it is applied to.

    You can:

    (1) create the wave as a continuous path with the correct number of crests;

    (2) drag it to the Brushes palette/panel and drop it on the New Brush button; just use the default values and a name;

    (3) select the path (inside/outside), and then click the wave brush.

    If you want crests on the opposite side of a path, you can either create another Art Brush ticking Flip Across, or reverse the paths (one way is to use the free reverse script here: http://park12.wakwak.com/~shp/lc/et/en_aics_script.html).

    And you can adjust the wave height/thickness by changing the stroke weight in the Stroke palette/panel.

  • Cisco 877W DHCP does not automatically populate Windows/Mac clients with DNS server entries

    I have an 877W that has been operational on Verizon for about 5 years. It has never automatically handed out DNS server info to clients that get a DHCP-issued IP address. I have to manually enter the DNS entries on each client.  This has happened at other sites where I've installed 877s on AT&T as well, along with Unified Communications.

    Here is the config. Thanks in advance for the help.

    Building configuration...

    Current configuration: 7987 bytes
    !
    version 12.4
    no service button
    tcp KeepAlive-component snap-in service
    a tcp-KeepAlive-quick service
    horodateurs service debug datetime localtime show-timezone msec
    Log service timestamps datetime localtime show-timezone msec
    encryption password service
    sequence numbers service
    !
    Cod of hostname
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered debugging 51200
    recording console critical
    enable secret 5 jSwA $1$ $ 3B5lJNqm0ewh
    !
    AAA new-model
    !
    !
    AAA authentication local-to-remote login
    local remote of the AAA authorization network
    !
    AAA - the id of the joint session
    !
    resources policy
    !
    PCTime-6 timezone clock
    PCTime of summer time clock day April 6, 2003 02:00 October 26, 2003 02:00
    IP subnet zero
    IP cef
    No dhcp use connected vrf ip
    DHCP excluded-address IP 192.168.7.1 192.168.7.19
    DHCP excluded-address IP 192.168.7.70 192.168.7.254
    !
    IP dhcp pool sdm-pool1
    import all
    network 192.168.7.0 255.255.255.0
    router by default - 192.168.7.1
    DNS-server 68.238.96.12 68.238.112.12
    !
    !
    inspect the IP name DEFAULT100 cuseeme
    inspect the IP name DEFAULT100 ftp
    inspect the IP h323 DEFAULT100 name
    inspect the IP icmp DEFAULT100 name
    inspect the IP name DEFAULT100 netshow
    inspect the IP rcmd DEFAULT100 name
    inspect the IP name DEFAULT100 realaudio
    inspect the name DEFAULT100 rtsp IP
    inspect the IP name DEFAULT100 esmtp
    inspect the IP name DEFAULT100 sqlnet
    inspect the name DEFAULT100 streamworks IP
    inspect the name DEFAULT100 tftp IP
    inspect the tcp IP DEFAULT100 name
    inspect the IP udp DEFAULT100 name
    inspect the name DEFAULT100 vdolive IP
    synwait-time of tcp IP 10
    IP domain name cods.com
    name of the IP-server 68.238.96.12
    name of the IP-server 68.238.112.12
    property intellectual ssh time 60
    property intellectual ssh authentication-2 retries
    !
    !
    Crypto pki trustpoint TP-self-signed-437228204
    enrollment selfsigned
    name of the object cn = IOS - Self - signed - certificate - 437228204
    revocation checking no
    rsakeypair TP-self-signed-437228204
    !
    !
    TP-self-signed-437228204 crypto pki certificate chain
    certificate self-signed 01
    30820254 308201BD A0030201 02992101 300 D 0609 2A 864886 F70D0101 04050030
    2 060355 04031325 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 30312E30
    69666963 34333732 32383230 34301E17 303731 30313632 33333131 0D 6174652D
    395A170D 2E302C06 1325494F 03550403 32303031 30313030 30303030 5A 303031
    532D 5365 6C662D53 69676E65 4365 72746966 69636174 652 3433 37323238 642D
    06092A 86 4886F70D 01010105 32303430 819F300D 00308189 02818100 0003818D
    BF73E16C 24A3FB0B A44C83C8 45ACEC75 163C2F0A 87836F7F A43FEB72 0EF26AFA
    C7F35ED6 CBCC6853 5E82B0A6 1FD8020B F3630023 AB30B870 B3155EE6 86988910
    4ACF5121 1CBFF4DC B705DF1E 5D0D698F 06493 D 3DD8D036 42 FE450D21 E26A4DAF
    CE6BA806 81A9F451 0246698E DA7B49E3 160F115C E1104FA9 31FA3C15 CD 782 279
    02030100 01A37E30 7C300F06 03551 D 13 0101FF04 05300301 01FF3029 0603551D
    20821E63 11042230 6F64732E 6F666472 63697479 6E677370 69707069 72696E67
    732E636F 6D301F06 23 04183016 24 D 77493 80142FA3 03551D 52CF7094 B847B6EB
    1385E2E5 0F3A301D 0603551D 0E041604 142FA324 D7749352 CF7094B8 47B6EB13
    85E2E50F 3A300D06 092 HAS 8648 01040500 03818100 076EE499 12F46D79 86F70D01
    375B7EA6 C9279DA4 B32723B5 908C9FB8 D42CB978 BB24A8FE 73579A3D CA 5130, 87
    B7716644 7E13710D C6E6360C D0A36F7B F62540E2 0C33523B E50396B9 2EF66FA7
    56519E62 E55EAF3C E1D9BEC9 3AE67B59 75E61F06 B649E90A 2798F755 7A020F0A
    F8BDABFA 1EE37B6A A918560D DA45AD70 801BC66E 94D1468E
      quit
    username steal551 privilege 15 secret 5 $1$jgO$sGD@#l4yTtLtYoEZbh/Wl
    !
    !
    crypto keyring vpn_ddaus
      pre-shared-key address 0.0.0.0 0.0.0.0 key stealthfortyfor5
    crypto keyring vpn_rmlfk
      pre-shared-key address 205.30.134.22 key stealthfortyfor5
    !
    crypto isakmp policy 10
     hash md5
     authentication pre-share
     group 2
    !
    crypto isakmp policy 30
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp invalid-spi-recovery
    crypto isakmp keepalive 20
    !
    crypto isakmp client configuration group VPNRemote
     key ConnectNow45
     pool ippool
    crypto isakmp profile vpnclient
       match identity group VPNRemote
       client authentication list Remote
       isakmp authorization list Remote
       client configuration address respond
    crypto isakmp profile CODS_DDAUS
       keyring vpn_ddaus
       match identity address 0.0.0.0
    crypto isakmp profile CODS_RMLFK
       keyring vpn_rmlfk
       match identity address 205.30.134.22 255.255.255.255
    !
    !
    crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
    !
    crypto dynamic-map dynmap 10
     set transform-set RIGHT
     set isakmp-profile vpnclient
    crypto dynamic-map dynmap 12
     set transform-set RIGHT
     set isakmp-profile CODS_DDAUS
    !
    !
    crypto map mymap 1 ipsec-isakmp
     set peer 205.30.134.22
     set transform-set RIGHT
     set isakmp-profile CODS_RMLFK
     match address CODS_to_RMFLK
    crypto map mymap 65535 ipsec-isakmp dynamic dynmap
    !
    bridge irb
    !
    !
    interface Loopback10
     ip address 1.1.1.1 255.255.255.0
    !
    interface ATM0
     no ip address
     ip route-cache flow
     no atm ilmi-keepalive
     dsl operating-mode auto
    !
    interface ATM0.1 point-to-point
     description $FW_OUTSIDE$$ES_WAN$
     ip verify unicast reverse-path
     ip inspect DEFAULT100 out
     ip nat outside
     ip virtual-reassembly
     pvc 0/35
      encapsulation aal5snap
     !
     bridge-group 2
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface Dot11Radio0
     no ip address
     no ip route-cache cef
     no ip route-cache
     !
     encryption vlan 1 mode ciphers tkip
     !
     ssid tsunami
        vlan 1
        authentication open
        authentication key-management wpa
        guest-mode
        wpa-psk ascii 7 14231A0E01053324363F363B36150E050B08585E
     !
     speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
     station-role root
    !
    interface Dot11Radio0.1
     encapsulation dot1Q 1 native
     no ip route-cache
     no snmp trap link-status
     no cdp enable
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    !
    interface Vlan1
     description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
     no ip address
     ip tcp adjust-mss 1452
     bridge-group 1
    !
    interface BVI1
     description $ES_LAN$$FW_INSIDE$
     ip address 192.168.7.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     ip route-cache flow
     ip tcp adjust-mss 1412
    !
    interface control2
     ip address 70.14.49.134 255.255.255.0
     ip nat outside
     ip virtual-reassembly
     crypto map mymap
    !
    ip local pool ippool 10.10.10.1 10.10.10.254
    ip classless
    ip route 0.0.0.0 0.0.0.0 70.14.49.1
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 133 interface control2 overload
    !
    ip access-list extended CODS_to_RMFLK
     permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
    !
    logging trap debugging
    access-list 1 permit 192.168.7.0 0.0.0.255
    access-list 100 remark auto generated by Cisco SDM Express firewall configuration
    access-list 100 remark SDM_ACL Category=1
    access-list 100 deny   ip 70.14.49.0 0.0.0.255 any
    access-list 100 deny   ip host 255.255.255.255 any
    access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip any any
    access-list 101 permit ip 192.168.7.0 0.0.0.255 192.168.3.0 0.0.0.255
    access-list 133 deny   ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 133 deny   ip 192.168.7.0 0.0.0.255 10.10.10.0 0.0.0.255
    access-list 133 deny   ip 192.168.7.0 0.0.0.255 192.168.10.0 0.0.0.255
    access-list 133 deny   ip 192.168.7.0 0.0.0.255 192.168.3.0 0.0.0.255
    access-list 133 permit ip 192.168.7.0 0.0.0.255 any
    no cdp run
    route-map mymap permit 10
     match ip address 111
     set ip next-hop 1.1.1.2
    !
    !
    control-plane
    !
    bridge 1 protocol ieee
     bridge 1 route ip
    bridge 2 protocol ieee
     bridge 2 route ip
    banner login ^CAuthorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user.^C
    !
    line con 0
     no modem enable
     transport output telnet
    line aux 0
     transport output telnet
    line vty 0 4
     privilege level 15
     transport input telnet ssh
    !
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    end

    Hello

    Can you try removing the IMPORT ALL from the dhcp pool?

    Regards
    Paul

    Sent from Cisco Technical Support iPad App

  • TCP Window Scaling issues

    We have Cisco 2800s at each of our four locations, managed by our ISP. We have had problems with them; I got the ISP to send me the configuration file of one of them, but nothing jumps out at me.

    We have to disable TCP Window Scaling/autotuning on all our Windows 7 / Server 2012 machines (by running netsh interface tcp set global autotuning = disabled at the command line).

    If we don't, it is very slow to load even a web page, and downloading a file (even something as small as 2 MB) is impossible. Mobile devices have no hope of working on our network now because of this. This isn't an issue on our remaining XP machines, but I think that is because XP did not use Window Scaling.

    Any ideas what could be causing this? I intend to replace them soon with our own routers, because the ISP does not want to configure the secondary interfaces for our VLANs, but in the meantime I need this to work.

    Thanks in advance for any help.

    Here is the config with sensitive information removed.

    version 12.3
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname REMOVED
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 8192 debugging
    no logging console
    enable secret REMOVED
    !
    no aaa new-model
    !
    resource policy
    !
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    ip subnet-zero
    ip cef
    !
    !
    no ip dhcp use vrf connected
    !
    ip inspect name DEFAULT100 cuseeme
    ip inspect name DEFAULT100 ftp
    ip inspect name DEFAULT100 h323
    ip inspect name DEFAULT100 icmp
    ip inspect name DEFAULT100 netshow
    ip inspect name DEFAULT100 rcmd
    ip inspect name DEFAULT100 realaudio
    ip inspect name DEFAULT100 rtsp
    ip inspect name DEFAULT100 esmtp
    ip inspect name DEFAULT100 sqlnet
    ip inspect name DEFAULT100 streamworks
    ip inspect name DEFAULT100 tftp
    ip inspect name DEFAULT100 tcp
    ip inspect name DEFAULT100 udp
    ip inspect name DEFAULT100 vdolive
    no ip ips deny-action ips-interface
    !
    no ftp-server write-enable
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    crypto pki trustpoint TP-self-signed-REMOVED
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-REMOVED
     revocation-check none
     rsakeypair TP-self-signed-REMOVED
    !
    !
    crypto pki certificate chain TP-self-signed-REMOVED
     certificate self-signed 01
      REMOVED
      quit
    !
    class-map match-all VOIP
     match access-group 120
    !
    !
    policy-map VOIP
     class VOIP
      priority 1000
     class class-default
    !
    !
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key REMOVED address 0.0.0.0 0.0.0.0
    no crypto isakmp ccm
    !
    !
    crypto ipsec transform-set VPN esp-aes 256 esp-sha-hmac
    !
    crypto ipsec profile SDM_Profile1
     set transform-set VPN
    !
    crypto ipsec profile SDM_Profile2
     set transform-set VPN
    !
    !
    !
    !
    !
    interface Tunnel0
     description $FW_INSIDE$
     bandwidth 3000
     ip address 10.10.200.1 255.255.255.0
     ip access-group 101 in
     no ip redirects
     ip mtu 1400
     ip nhrp authentication VPN
     ip nhrp map multicast dynamic
     ip nhrp network-id 100000
     ip nhrp holdtime 360
     ip virtual-reassembly
     ip route-cache flow
     ip tcp adjust-mss 1360
     ip ospf network broadcast
     ip ospf priority 20
     delay 10
     tunnel source FastEthernet0/1
     tunnel mode gre multipoint
     tunnel key 100000
     tunnel protection ipsec profile SDM_Profile1
    !
    interface Null0
     no ip unreachables
    !
    interface Loopback0
     ip address 192.168.210.1 255.255.255.255
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip route-cache flow
    !
    interface FastEthernet0/0
     description $FW_INSIDE$
     ip address 10.10.100.1 255.255.255.0
     ip access-group 100 in
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     ip virtual-reassembly
     ip route-cache flow
     ip policy route-map server-nat
     duplex auto
     speed auto
     no mop enabled
     service-policy output VOIP
    !
    interface FastEthernet0/1
     description $FW_OUTSIDE$
     ip address IP REMOVED NETMASK REMOVED
     ip access-group 102 in
     ip verify unicast reverse-path
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat outside
     ip inspect DEFAULT100 out
     ip virtual-reassembly
     ip route-cache flow
     load-interval 30
     duplex auto
     speed auto
     no mop enabled
    !
    interface FastEthernet0/1/0
     load-interval 30
    !
    interface FastEthernet0/1/1
    !
    interface FastEthernet0/1/2
    !
    interface FastEthernet0/1/3
    !
    router ospf 100
     log-adjacency-changes
     passive-interface FastEthernet0/0
     passive-interface FastEthernet0/1
     passive-interface FastEthernet0/1/0
     network 10.10.100.0 0.0.0.255 area 0
     network 10.10.200.0 0.0.0.255 area 0
     network 10.10.201.0 0.0.0.255 area 0
     network 192.168.210.1 0.0.0.0 area 0
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 REMOVED
    ip route REMOVED NETMASK REMOVED
    ip route REMOVED NETMASK REMOVED
    ip route REMOVED NETMASK REMOVED
    !
    ip flow-capture ip-id
    ip flow-capture mac-addresses
    ip flow-top-talkers
     top 10
     sort-by bytes
     cache-timeout 30000
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip nat pool nat REMOVED netmask REMOVED
    ip nat inside source list 150 interface FastEthernet0/1 overload
    !
    access-list 100 deny   ip 10.10.200.0 0.0.0.255 any
    access-list 100 deny   ip host 255.255.255.255 any
    access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip any any
    access-list 100 deny   ip 10.10.201.0 0.0.0.255 any
    access-list 101 remark Tunnel ACL
    access-list 101 deny   ip REMOVED 0.0.0.7 any log
    access-list 101 deny   ip host 255.255.255.255 any log
    access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log
    access-list 101 permit ip 10.10.100.0 0.0.0.255 10.10.110.0 0.0.0.255 log
    access-list 101 permit ip 10.10.100.0 0.0.0.255 10.10.120.0 0.0.0.255 log
    access-list 101 permit ip 10.10.100.0 0.0.0.255 10.10.130.0 0.0.0.255 log
    access-list 101 permit ip host 10.10.100.10 any log
    access-list 101 permit ip host 10.10.100.12 any log
    access-list 101 permit ip host 10.10.100.20 any log
    access-list 101 permit ip host 10.10.100.21 any log
    access-list 101 permit ip host 10.10.100.45 any log
    access-list 101 permit ip any host 10.10.100.10 log
    access-list 101 permit ip any host 10.10.100.12 log
    access-list 101 permit ip any host 10.10.100.20 log
    access-list 101 permit ip any host 10.10.100.21 log
    access-list 101 permit ip any host 10.10.100.45 log
    access-list 101 permit ospf any any
    access-list 101 permit icmp any any
    access-list 101 deny   ip 10.10.100.0 0.0.0.255 any log
    access-list 101 permit ip 10.10.110.0 0.0.0.255 10.10.100.0 0.0.0.255
    access-list 101 permit ip 10.10.120.0 0.0.0.255 10.10.100.0 0.0.0.255
    access-list 101 permit ip 10.10.130.0 0.0.0.255 10.10.100.0 0.0.0.255
    access-list 102 remark Outside ACL
    access-list 102 permit tcp host REMOVED host REMOVED eq 22
    access-list 102 permit tcp REMOVED 0.0.0.15 host REMOVED eq 22
    access-list 102 permit udp any host REMOVED eq non500-isakmp
    access-list 102 permit udp any host REMOVED eq isakmp
    access-list 102 permit esp any host REMOVED
    access-list 102 permit ahp any host REMOVED
    access-list 102 permit gre any host REMOVED
    access-list 102 permit icmp any host REMOVED echo-reply
    access-list 102 permit icmp any host REMOVED time-exceeded
    access-list 102 permit icmp any host REMOVED unreachable
    access-list 102 permit ip any host 10.10.100.10
    access-list 102 permit ip any host 10.10.100.12
    access-list 102 permit ip any host 10.10.100.20
    access-list 102 permit ip any host 10.10.100.21
    access-list 102 permit ip any host 10.10.100.45
    access-list 102 deny   ip 10.10.100.0 0.0.0.255 any
    access-list 102 deny   ip 10.10.200.0 0.0.0.255 any
    access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
    access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
    access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
    access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
    access-list 102 deny   ip host 255.255.255.255 any
    access-list 102 deny   ip host 0.0.0.0 any
    access-list 103 permit ip REMOVED 0.0.0.15 any
    access-list 103 permit ip 10.10.200.0 0.0.0.255 any
    access-list 103 permit ip 10.10.100.0 0.0.0.255 any
    access-list 103 permit ip 10.10.110.0 0.0.0.255 any
    access-list 103 permit ip 10.10.120.0 0.0.0.255 any
    access-list 103 permit ip 10.10.130.0 0.0.0.255 any
    access-list 110 deny   ip host 10.10.100.12 10.10.110.0 0.0.0.255
    access-list 110 deny   ip host 10.10.100.12 10.10.130.0 0.0.0.255
    access-list 110 deny   ip host 10.10.100.10 10.10.110.0 0.0.0.255
    access-list 110 deny   ip host 10.10.100.10 10.10.130.0 0.0.0.255
    access-list 110 deny   ip host 10.10.100.20 10.10.110.0 0.0.0.255
    access-list 110 deny   ip host 10.10.100.20 10.10.130.0 0.0.0.255
    access-list 110 deny   ip host 10.10.100.21 10.10.110.0 0.0.0.255
    access-list 110 deny   ip host 10.10.100.21 10.10.130.0 0.0.0.255
    access-list 110 deny   ip host 10.10.100.45 10.10.110.0 0.0.0.255
    access-list 110 deny   ip host 10.10.100.45 10.10.130.0 0.0.0.255
    access-list 110 permit ip host 10.10.100.12 any
    access-list 110 permit ip host 10.10.100.10 any
    access-list 110 permit ip host 10.10.100.20 any
    access-list 110 permit ip host 10.10.100.21 any
    access-list 110 permit ip host 10.10.100.45 any
    access-list 120 permit udp any any eq 5060
    access-list 150 deny   ip host 10.10.100.10 any
    access-list 150 deny   ip host 10.10.100.12 any
    access-list 150 deny   tcp host 10.10.100.20 any eq 3389
    access-list 150 deny   ip host 10.10.100.21 any
    access-list 150 deny   tcp host 10.10.100.45 any eq 22
    access-list 150 deny   tcp host 10.10.100.45 any eq 443
    access-list 150 deny   udp host 10.10.100.45 any eq 5060
    access-list 150 deny   udp host 10.10.100.45 any range 10000 10500
    access-list 150 deny   ip 10.10.110.0 0.0.0.255 any
    access-list 150 deny   ip 10.10.120.0 0.0.0.255 any
    access-list 150 deny   ip 10.10.130.0 0.0.0.255 any
    access-list 150 permit ip 10.10.100.0 0.0.0.255 any
    !
    route-map server-nat permit 10
     match ip address 110
     set ip next-hop 10.10.200.3
    !
    !
    !
    !
    control-plane
    !
    !
    !
    !
    !
    !
    !
    !
    banner motd ^CC
    <@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>
    Authorized access only
    <@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>
    Disconnect IMEDIATELY if you are not an authorized user !
    ^C
    !
    line con 0
     login local
     transport output telnet
    line aux 0
     login local
     transport output telnet
    line vty 0 4
     access-class 103 in
     privilege level 15
     login local
     transport input ssh
    line vty 5 15
     access-class 103 in
     privilege level 15
     login local
     transport input ssh
    !
    end

    Hello Jason,

    You will find articles from May saying that the MS AutoFix feature does not work well with some stateful inspection firewalls and/or VPNs.

    On CSC, I found another interesting one:

    https://supportforums.Cisco.com/thread/2169557

    Maybe Joseph joins this discussion later with some new or additional information.

    Best regards

    Rolf

  • Cisco VPN two LANs inside

    Hi all,

    Hope you are doing very well. I checked the other questions, but unfortunately I found nothing related to my request. I'm just a newbie here, so I would really appreciate it if the pros could help me out. Thank you!

    This is the problem. I've implemented a VPN on an ASA 5505. I've set up two local networks behind this firewall (one directly connected to where I'm sitting, and the other connected to my local network by adding a static route). Now I want to access both local networks from the 'Outside' interface of the ASA 5505.

    I can easily access the local network at my location, but I can't access it when I come in through the VPN, whereas I can ping the other network from the ASA 5505 with no problem. As far as I have troubleshot it, I found that 'NAT reverse path failure' is the error when I try to reach the network after connecting via VPN.

    Now, if you understand the scenario, I just need to know what I am missing.
    Your help will be very much appreciated.

    Thank you!

    Kind regards
    Ali

    I apologize if I wasn't clear enough. To access resources across the VPN, we must ensure that the traffic is exempt from NAT.

    1 - Assign any user who connects via VPN an address from the VPN pool 10.10.10.0_24.
    Yes, assign a VPN pool on a subnet different from 192.168.x.x or 10.10.x.x so that it doesn't interfere with your current IP addressing.

    2 - Add a NAT which will translate the 10.10.10.0_24 addresses to 192.168.11.0_24.

    There is no need to translate the IP addresses. We just need to identity-translate them, i.e. NAT-exempt them, as follows:

    nat (inside,outside) source static obj_internal obj_internal destination static obj_remote obj_remote no-proxy-arp route-lookup

    This command states that obj_internal is translated to obj_internal when it needs to reach obj_remote. It is, in essence, an identity translation, or NAT exemption.

    3. I should add another NAT which will translate the 11.0 addresses to 192.168.10.0.

    You don't need any other nat command.

    I hope this helps.

    Kind regards
    Dinesh Moudgil

    PS Please rate helpful messages.
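    The exemption described in this answer can be seen in a small model of the ASA's first-match NAT table and of the reverse-path consistency check behind the 'NAT reverse path failure' drop from the question. This is an added Python example, not configuration from the thread; the inside LAN, VPN pool, outside interface address and the contents of obj_internal/obj_remote are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses for the thread's scenario: the VPN pool from the answer,
# one inside LAN, and a documentation address standing in for the outside IP.
VPN_POOL = "10.10.10.0/24"
INSIDE_LAN = "192.168.11.0/24"
OUTSIDE_IF_IP = "203.0.113.1"


@dataclass
class NatRule:
    """Simplified ASA 'nat (real_ifc,mapped_ifc)' rule, enough to model the case."""
    real_ifc: str
    mapped_ifc: str
    src_real: str                 # real source addresses the rule applies to
    src_mapped: str               # mapped source; "identity" = leave unchanged
    dst_match: str = "0.0.0.0/0"  # destination constraint (twice NAT); any by default
    name: str = ""


def mapped_source(rules, real_ifc, src, dst):
    """Source address a packet entering on real_ifc carries after NAT.

    The ASA walks its NAT table top-down and takes the first match, so list
    order matters: manual twice-NAT rules (section 1) come before auto NAT.
    """
    for r in rules:
        if (r.real_ifc == real_ifc
                and ip_address(src) in ip_network(r.src_real)
                and ip_address(dst) in ip_network(r.dst_match)):
            return src if r.src_mapped == "identity" else r.src_mapped
    return src  # nothing matched: untranslated


def reverse_path_ok(rules, vpn_client, inside_host):
    """Model of the check behind the 'NAT reverse path failure' drop.

    For the VPN client's first packet to inside_host, the ASA verifies that the
    host's reply would leave with the same source the client addressed. If a
    NAT rule would rewrite that reply, the flow is asymmetric and is dropped.
    """
    reply_src = mapped_source(rules, "inside", inside_host, vpn_client)
    return reply_src == inside_host


# Outbound PAT only: every inside host is hidden behind the outside interface.
PAT_ONLY = [
    NatRule("inside", "outside", INSIDE_LAN, OUTSIDE_IF_IP, name="dynamic PAT"),
]

# The identity rule from the answer placed ahead of the PAT rule, assuming
# obj_internal = INSIDE_LAN and obj_remote = VPN_POOL:
#   nat (inside,outside) source static obj_internal obj_internal
#       destination static obj_remote obj_remote no-proxy-arp route-lookup
WITH_EXEMPTION = [
    NatRule("inside", "outside", INSIDE_LAN, "identity", dst_match=VPN_POOL,
            name="obj_internal -> obj_remote identity (NAT exempt)"),
] + PAT_ONLY


def main():
    client, host = "10.10.10.5", "192.168.11.10"   # constructed sample flow
    for label, rules in (("PAT only", PAT_ONLY), ("with exemption", WITH_EXEMPTION)):
        verdict = "allowed" if reverse_path_ok(rules, client, host) else "NAT reverse path failure"
        print(f"{label:15s}: reply source {mapped_source(rules, 'inside', host, client)} -> {verdict}")


if __name__ == "__main__":
    main()
```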
