Site to site VPN upward but not pass traffic (ASA 5505 8.3.1 and 9.2.3 version)

Similar Questions

• Can not pass traffic from the VPN client to remote VPN site to site

  Hello

  I can't get the traffic flowing between my VPN clients and my remote site-to-site VPN, I did step by step in this link:

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

  my firewall says that the package is abandoned by statefull inspection.

  But this should be the command "same-security-traffic..." "this problem must be resolved

  % ASA-6-302020: built ICMP incoming connections for faddr gaddr laddr (nworks) 10.48.100.2/0 10.48.100.2/0 10.45.231.163/1

  % ASA-6-302020: built outgoing ICMP connection for faddr gaddr laddr 10.45.231.163/1 10.45.231.163/1 10.48.100.2/0

  % ASA-6-302021: disassembly ICMP connection for faddr gaddr laddr (nworks) 10.48.100.2/0 10.48.100.2/0 10.45.231.163/1

  % ASA-6-302021: disassembly ICMP connection for faddr gaddr laddr 10.45.231.163/1 10.45.231.163/1 10.48.100.2/0

  Is it all what you might think that I'm missing?

  Best regards

  Erik

  Erik,

  Please check it out because no decaps means the ASA does not what it is the other side of the tunnel.

  If you send traffic and you will see the crypt increment... but nothing in return... 99% sure that the problem is at the other end.

  Federico.

• VPN site to site thanks to a pair of asa 5505 does not pass traffic

  the configurations are fairly simple. Ping between the two lan pc fails. "show isakmp crypto his" and "crypto ipsec to show his" got out, if.

  Please refer to the attached text and diagram files.

  I'm pre-configures the ASA, for external interfaces have ip addresses private for the moment.

  all entries are welcome.

  Thank you!

  Your look simple configurations.

  As the Phase 1 and Phase 2 SAs are coming, the VPN seems correct.

  We see program leaving ASA1 and decaps ASA2, but no return traffic seems to come in.

  I suspect a problem with the host 192.168.102.5. Can you capture the top packages and check that it receives traffic initiated from the host 192.168.101.5 (side ASA1) and he answers with the ASA2 as its default gateway?

• Site-to-Site VPN Ping does not

  I configured a vpn site-to site between two firewalls ASA 5505. Establishes the tunnel, but the icmp traffic does not pass. In fact, ping worked twice, but only at random. I need to work on a regular basis. I have attached the configurations as well as an output of the packet - trace both of the ASA and the IPSec and its ISAKMP. Thanks for any help you can provide.

  ASA Configuration 1:

  ASA Version 8.0 (3)

  !

  hostname asa1

  activate the encrypted password of A.zMQonBIU0NmOC0

  names of

  !

  interface Vlan1

  nameif inside

  security-level 100

  IP 10.1.50.253 255.255.255.0

  !

  interface Vlan2

  nameif outside

  security-level 0

  IP 1.1.1.1 255.255.255.240

  !

  interface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  !

  interface Ethernet0/3

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  !

  OMV1AjIsWknnKr9H encrypted passwd

  boot system Disk0: / asa803 - k8.bin

  passive FTP mode

  acl_out list extended access permit tcp any host 63.76.12.195 eq smtp

  acl_out list extended access permit tcp any host 63.76.12.195 eq www

  acl_out list extended access permit tcp any host 63.76.12.195 eq 3389

  acl_out list extended access permit tcp any host 63.76.12.195 eq ftp

  acl_out list extended access permit tcp any host 63.76.12.195 eq ftp - data

  acl_out list extended access permit tcp any host 63.76.12.195 eq telnet

  acl_out list extended access permit tcp any host 63.76.12.195 eq 5800

  acl_out list extended access permit tcp any host 63.76.12.195 eq 5900

  acl_out list extended access permit tcp any host 63.76.12.195 eq https

  acl_out list extended access permit tcp any host 63.76.12.196 eq www

  acl_out list extended access permit tcp any host 63.76.12.196 eq https

  acl_out list extended access permit tcp any host 63.76.12.196 eq smtp

  acl_out list extended access permit tcp any host 63.76.12.196 eq 3389

  acl_out list extended access permit icmp any one

  access-list 101 extended allow ip 10.1.50.0 255.255.255.0 10.1.40.0 255.255.255.0

  access-list 101 extended allow ip 10.1.50.0 255.255.255.0 10.1.51.0 255.255.255.0

  vpn-fargo extended ip 10.1.50.0 access list allow 255.255.255.0 10.1.51.0 255.255.255.0

  pager lines 24

  Enable logging

  debug logging in buffered memory

  asdm of logging of information

  Within 1500 MTU

  Outside 1500 MTU

  IP local pool ippool 10.1.40.1 - 10.1.40.254

  ICMP unreachable rate-limit 1 burst-size 1

  ICMP allow any inside

  ICMP allow all outside

  ASDM image disk0: / asdm - 523.bin

  don't allow no asdm history

  ARP timeout 14400

  Global 1 interface (outside)

  (Inside) NAT 0-list of access 101

  NAT (inside) 1 0.0.0.0 0.0.0.0

  static (inside, outside) 1.1.1.2 tcp ftp 10.1.50.3 ftp netmask 255.255.255.255

  static (inside, outside) 1.1.1.2 tcp ftp - data 10.1.50.3 ftp - data netmask 255.255.255.255

  static (inside, outside) 1.1.1.2 tcp telnet 10.1.50.3 telnet netmask 255.255.255.255

  static (inside, outside) tcp 1.1.1.2 5800 10.1.50.102 5800 netmask 255.255.255.255

  static (inside, outside) 1.1.1.2 tcp 5900 10.1.50.102 5900 netmask 255.255.255.255

  static (inside, outside) 1.1.1.2 tcp 3389 10.1.50.5 3389 netmask 255.255.255.255

  static (inside, outside) 1.1.1.3 10.1.50.6 netmask 255.255.255.255

  Access-group acl_out in interface outside

  Route outside 0.0.0.0 0.0.0.0 1.1.1.0 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout, uauth 0:05:00 absolute

  dynamic-access-policy-registration DfltAccessPolicy

  Enable http server

  http 192.168.1.0 255.255.255.0 inside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT

  Crypto-map dynamic dynmap 10 transform-set RIGHT

  map mymap 10-isakmp ipsec crypto dynamic dynmap

  card crypto mymap 20 match address vpn-fargo

  card crypto mymap 20 peers set 2.2.2.2

  card crypto mymap 20 transform-set RIGHT

  crypto mymap 20 card value reverse-road

  mymap outside crypto map interface

  crypto isakmp identity address

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  md5 hash

  Group 2

  life 86400

  crypto ISAKMP policy 20

  preshared authentication

  aes-256 encryption

  sha hash

  Group 5

  life 86400

  crypto ISAKMP ipsec-over-tcp port 10000

  Telnet timeout 5

  SSH 0.0.0.0 0.0.0.0 inside

  SSH timeout 5

  Console timeout 0

  management-access inside

  dhcpd outside auto_config

  !

  a basic threat threat detection

  Statistics-list of access threat detection

  internal group vpn3000 strategy

  attributes of the strategy group vpn3000

  value of server WINS 10.1.50.5

  value of 10.1.50.5 DNS server 10.1.50.6

  Split-tunnel-policy tunnelspecified

  Split-tunnel-network-list value 101

  asa1.com value by default-field

  disable authentication of the user

  the address value ippool pools

  encrypted vpn Tw.atDK7GScnXkMJ password username

  vpn tunnel-group type remote access

  VPN tunnel-group general attributes

  Group Policy - by default-vpn3000

  jtvpn group of tunnel ipsec-attributes

  pre-shared-key *.

  tunnel-group 2.2.2.2 type ipsec-l2l

  2.2.2.2 tunnel-group ipsec-attributes

  pre-shared-key *.

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  inspect the icmp

  inspect the icmp error

  !

  global service-policy global_policy

  context of prompt hostname

  : end

  ASA 2 configuration:

  ASA Version 8.2 (1)

  !

  hostname asa2

  activate the encrypted password of A.zMQonBIU0NmOC0

  1vU9VISnc.IQ6OSN encrypted passwd

  names of

  !

  interface Vlan1

  nameif inside

  security-level 100

  IP 10.1.51.253 255.255.255.0

  !

  interface Vlan2

  nameif outside

  security-level 0

  IP address 2.2.2.2 255.255.255.240

  !

  interface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  !

  interface Ethernet0/3

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  !

  passive FTP mode

  vpn - dsm extended ip 10.1.51.0 access list allow 255.255.255.0 10.1.50.0 255.255.255.0

  IP 10.1.51.0 allow Access-list extended sheep 255.255.255.0 10.1.50.0 255.255.255.0

  access outside-access list extended icmp permitted an echo

  outside-access extended access list permit icmp any any echo response

  outside-access extended access list permit all all unreachable icmp

  access outside-access allowed list icmp exceed all once

  pager lines 24

  asdm of logging of information

  Within 1500 MTU

  Outside 1500 MTU

  ICMP unreachable rate-limit 1 burst-size 1

  ICMP allow any inside

  ICMP allow all outside

  don't allow no asdm history

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) 0 access-list sheep

  NAT (inside) 1 0.0.0.0 0.0.0.0

  access-outside group access component software snap-in interface outside

  Route outside 0.0.0.0 0.0.0.0 2.2.2.0 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  dynamic-access-policy-registration DfltAccessPolicy

  the ssh LOCAL console AAA authentication

  Enable http server

  http 192.168.1.0 255.255.255.0 inside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set ESP-3DES esp-3des esp-md5-hmac

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  card crypto mymap 10 correspondence address vpn - dsm

  card crypto mymap 10 set peer 1.1.1.1

  card crypto mymap 10 game of transformation-ESP-3DES

  crypto mymap 10 card value reverse-road

  mymap outside crypto map interface

  crypto isakmp identity address

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  md5 hash

  Group 2

  life 86400

  crypto ISAKMP policy 20

  preshared authentication

  aes-256 encryption

  sha hash

  Group 5

  life 86400

  Telnet 0.0.0.0 0.0.0.0 inside

  Telnet timeout 5

  SSH 0.0.0.0 0.0.0.0 inside

  SSH timeout 5

  Console timeout 0

  management-access inside

  dhcpd outside auto_config

  !

  a basic threat threat detection

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  WebVPN

  tunnel-group 1.1.1.1 type ipsec-l2l

  tunnel-group 1.1.1.1 ipsec-attributes

  pre-shared-key *.

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  inspect the icmp

  inspect the icmp error

  !

  global service-policy global_policy

  context of prompt hostname

  : end

  Packet trace of ASA1:

  asa1 (config) # entry packet - trace within the icmp 10.1.50.253 1 1 detailed 10.1.51.253

  Phase: 1

  Type: FLOW-SEARCH

  Subtype:

  Result: ALLOW

  Config:

  Additional information:

  Not found no corresponding stream, creating a new stream

  Phase: 2

  Type:-ROUTE SEARCH

  Subtype: entry

  Result: ALLOW

  Config:

  Additional information:

  in 0.0.0.0 0.0.0.0 outdoors

  Phase: 3

  Type: ACCESS-LIST

  Subtype:

  Result: DECLINE

  Config:

  Implicit rule

  Additional information:

  Direct flow from returns search rule:

  ID = 0xd49dcce0, priority = 500, area = allowed, deny = true

  Hits = 5, user_data = 0 x 6, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

  SRC ip = 10.1.50.253, mask is 255.255.255.255, port = 0

  DST ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

  Result:

  input interface: inside

  entry status: to the top

  entry-line-status: to the top

  output interface: outside

  the status of the output: to the top

  output-line-status: to the top

  Action: drop

  Drop-reason: flow (acl-drop) is denied by the configured rule

  Packet trace of ASA2:

  asa2 (config) # entry packet - trace within the icmp 10.1.51.253 1 1 detailed 10.1.50.253

  Phase: 1

  Type: FLOW-SEARCH

  Subtype:

  Result: ALLOW

  Config:

  Additional information:

  Not found no corresponding stream, creating a new stream

  Phase: 2

  Type:-ROUTE SEARCH

  Subtype: entry

  Result: ALLOW

  Config:

  Additional information:

  in 10.1.50.0 255.255.255.0 outside

  Phase: 3

  Type: ACCESS-LIST

  Subtype:

  Result: DECLINE

  Config:

  Implicit rule

  Additional information:

  Direct flow from returns search rule:

  ID = 0xc9583648, priority = 500, area = allowed, deny = true

  hits = 9, user_data = 0 x 6, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

  SRC ip = 10.1.51.253, mask is 255.255.255.255, port = 0

  DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

  Result:

  input interface: inside

  entry status: to the top

  entry-line-status: to the top

  output interface: outside

  the status of the output: to the top

  output-line-status: to the top

  Action: drop

  Drop-reason: flow (acl-drop) is denied by the configured rule

  ASA 1 IPSec security association:

  peer address: 2.2.2.2

  Tag crypto map: dynmap, seq num: 10, local addr: 1.1.1.1

  local ident (addr, mask, prot, port): (10.1.50.0/255.255.255.0/0/0)

  Remote ident (addr, mask, prot, port): (10.1.51.0/255.255.255.0/0/0)

  current_peer: 2.2.2.2

  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0

  decaps #pkts: 5, #pkts decrypt: 5, #pkts check: 5

  compressed #pkts: 0, unzipped #pkts: 0

  #pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0

  success #frag before: 0, failures before #frag: 0, #fragments created: 0

  Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0

  #send errors: 0, #recv errors: 0

  endpt local crypto. : 1.1.1.1, remote Start crypto. : 2.2.2.2

  Path mtu 1500, fresh ipsec generals 58, media, mtu 1500

  current outbound SPI: 1F3E7E3A

  SAS of the esp on arrival:

  SPI: 0x1DFAE5E0 (502982112)

  transform: esp-3des esp-md5-hmac no

  running parameters = {L2L, Tunnel}

  slot: 0, id_conn: 77824, crypto-card: dynmap

  calendar of his: service life remaining (KB/s) key: (3824999/28036)

  Size IV: 8 bytes

  support for replay detection: Y

  outgoing esp sas:

  SPI: 0x1F3E7E3A (524189242)

  transform: esp-3des esp-md5-hmac no

  running parameters = {L2L, Tunnel}

  slot: 0, id_conn: 77824, crypto-card: dynmap

  calendar of his: service life remaining (KB/s) key: (3825000/28034)

  Size IV: 8 bytes

  support for replay detection: Y

  ASA 1 ISAKMP Security Association:

  1 peer IKE: 2.2.2.2

  Type: L2L role: answering machine

  Generate a new key: no State: MM_ACTIVE

  ASA 2 IPSec security association:

  peer address: 1.1.1.1

  Tag crypto map: mymap, seq num: 10, local addr: 2.2.2.2

  list of access vpn - dsm allowed ip 10.1.51.0 255.255.255.0 10.1.50.0 255.255.255.0

  local ident (addr, mask, prot, port): (10.1.51.0/255.255.255.0/0/0)

  Remote ident (addr, mask, prot, port): (10.1.50.0/255.255.255.0/0/0)

  current_peer: 63.76.12.194

  #pkts program: 5, #pkts encrypt: 5, #pkts digest: 5

  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0

  compressed #pkts: 0, unzipped #pkts: 0

  #pkts uncompressed: 5, comp #pkts failed: 0, #pkts Dang failed: 0

  success #frag before: 0, failures before #frag: 0, #fragments created: 0

  Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0

  #send errors: 0, #recv errors: 0

  endpt local crypto. : 2.2.2.2, remote Start crypto. : 1.1.1.1

  Path mtu 1500, fresh ipsec generals 58, media, mtu 1500

  current outbound SPI: 1DFAE5E0

  SAS of the esp on arrival:

  SPI: 0x1F3E7E3A (524189242)

  transform: esp-3des esp-md5-hmac no compression

  running parameters = {L2L, Tunnel}

  slot: 0, id_conn: 81920, crypto-map: mymap

  calendar of his: service life remaining (KB/s) key: (4374000/27900)

  Size IV: 8 bytes

  support for replay detection: Y

  Anti-replay bitmap:

  0x00000000 0x00000001

  outgoing esp sas:

  SPI: 0x1DFAE5E0 (502982112)

  transform: esp-3des esp-md5-hmac no compression

  running parameters = {L2L, Tunnel}

  slot: 0, id_conn: 81920, crypto-map: mymap

  calendar of his: service life remaining (KB/s) key: (4373999/27900)

  Size IV: 8 bytes

  support for replay detection: Y

  Anti-replay bitmap:

  0x00000000 0x00000001

  ASA 2 ISAKMP Security Association:

  1 peer IKE: 1.1.1.1

  Type: L2L role: initiator

  Generate a new key: no State: MM_ACTIVE

  Hi Mike,.

  I see the following in your configuration:

  map mymap 10-isakmp ipsec crypto dynamic dynmap

  Sequence number of Th for the peer 2.2.2.2 is 20 so we first hit the dynamic map that could cause this problem.

  To avoid this, I suggest you do the following:

  No map mymap 10-isakmp ipsec crypto dynamic dynmap

  map mymap 65535-isakmp ipsec crypto dynamic dynmap

  To validate this fact, if you look at the SA on ASA1 ipsec, you will find that it was negotiated with dymap (card crypto seq 10) and not 20!

  ASA 1 IPSec security association:

  peer address: 2.2.2.2

  Tag crypto map: dynmap, seq num: 10, local addr: 1.1.1.1

  local ident (addr, mask, prot, port): (10.1.50.0/255.255.255.0/0/0)

  Remote ident (addr, mask, prot, port): (10.1.51.0/255.255.255.0/0/0)

  current_peer: 2.2.2.2

  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0

  decaps #pkts: 5, #pkts decrypt: 5, #pkts check: 5

  compressed #pkts: 0, unzipped #pkts: 0

  #pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0

  success #frag before: 0, failures before #frag: 0, #fragments created: 0

  Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0

  #send errors: 0, #recv errors: 0

  Hope this helps!

  See you soon,.

  Manasi!

• Site to Site VPN tunnel is not come between 2 routers

  Dear all,

  I have 2 routers for branch which is configured for VPN site-to-site, but the tunnel does not come!

  I ran debug and I enclose herwith output for your kind review and recommendation. I also enclose here the 2 routers configs branch.

  Any idea on why the Site to site VPN is not coming?

  Kind regards

  Haitham

  You guessed it!

  Just because you have re-used the same card encryption for LAN to LAN and vpn-client traffic.

  This from the DOC CD

  No.-xauth

  (Optional) Use this keyword if the router to router IP Security (IPSec) is on the same card encryption as a virtual private network (VPN) - client - to-Cisco-IOS IPSec. This keyword prevents the router causing the peer for the information of extended authentication (Xauth) (username and password).

• Site to Site VPN configuration does not

  Hello

  I just tried to set up a test site to site VPN. Diagram of arrangement is attached. Router R2 is supposed to act as the 'Internet' to allow connectivity between the two networks.

  My VPN on ASA1 and ASA2 configs are below:

  ASA1

  Note to outside_cryptomap_1 to access list VPN traffic to encrypt
  outside_cryptomap_1 to access extended list ip 10.10.10.0 allow 255.255.255.0 172.16.10.0 255.225.255.0

  Crypto ikev1 allow outside
  IKEv1 crypto policy 1
  preshared authentication
  aes-256 encryption
  sha hash
  Group 5
  life 86400

  tunnel-group 11.11.11.2 type ipsec-l2l
  IPSec-attributes tunnel-Group 11.11.11.2
  Cisco pre-shared key IKEv1

  Crypto ipsec transform-set ikev1 AES - SHA esp-aes-256 esp-sha-hmac
  card crypto outside_map 1 match address outside_cryptomap_1
  peer set card crypto outside_map 1 11.11.11.2
  card crypto outside_map 1 set of transformation-AES-SHA
  outside_map interface card crypto outside

  ASA2

  Note to outside_cryptomap_1 to access list VPN traffic to encrypt
  permit access list extended ip 172.16.10.0 outside_cryptomap_1 255.255.255.0 10.10.10.0 255.225.255.0

  Crypto ikev1 allow outside
  IKEv1 crypto policy 1
  preshared authentication
  aes-256 encryption
  sha hash
  Group 5
  life 86400

  tunnel-group 12.12.12.2 type ipsec-l2l
  IPSec-attributes tunnel-group 12.12.12.2
  Cisco pre-shared key IKEv1

  Crypto ipsec transform-set ikev1 AES - SHA esp-aes-256 esp-sha-hmac
  card crypto outside_map 1 match address outside_cryptomap_1
  peer set card crypto outside_map 1 12.12.12.2
  card crypto outside_map 1 set of transformation-AES-SHA
  outside_map interface card crypto outside

  I can ping with the ASA2 ASA1, but when I try to test the VPN trying from one PC to another, I get nothing.

  I tried a few commands show and they came out absolutely empty... as I have not configured:

  SH in detail its crypto isakmp

  There are no SAs IKEv1

  There are no SAs IKEv2

  SH crypto ipsec his

  There is no ipsec security associations

  Anyone have any ideas?

  Hi martin,

  Your configs are quite right. I tried your script, its works really well. Here's the configs & outputs.
  What I mentioned in the previous note follow this.

  --------------------

  ASA1

  ASA1 (config) # sh run
  : Saved
  :
  ASA Version 8.0 (2)
  !
  hostname ASA1
  activate 8Ry2YjIyt7RRXU24 encrypted password
  names of
  !
  interface Ethernet0/0
  nameif outside
  security-level 0
  IP 12.12.12.2 255.255.255.0
  !
  interface Ethernet0/1
  nameif inside
  security-level 100
  10.10.10.2 IP address 255.255.255.0
  !
  interface Ethernet0/2
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface Ethernet0/3
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface Ethernet0/4
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface Ethernet0/4
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface Ethernet0/5
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  2KFQnbNIdI.2KYOU encrypted passwd
  passive FTP mode
  extended vpn 10.10.10.0 ip access list allow 255.255.255.0 172.16.10.0 255.255.255.0
  pager lines 24
  Within 1500 MTU
  Outside 1500 MTU
  no failover
  ICMP unreachable rate-limit 1 burst-size 1
  don't allow no asdm history
  ARP timeout 14400
  Route outside 0.0.0.0 0.0.0.0 12.12.12.1 1
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout, uauth 0:05:00 absolute
  dynamic-access-policy-registration DfltAccessPolicy
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Crypto ipsec transform-set esp-3des esp-sha-hmac tset
  card crypto cmap 1 match for vpn
  card crypto cmap 1 set peer 11.11.11.2
  card crypto cmap 1 transform-set tset
  cmap outside crypto map interface
  crypto ISAKMP allow outside
  crypto ISAKMP policy 1
  preshared authentication
  3des encryption
  md5 hash
  Group 5
  life 86400
  crypto ISAKMP policy 65535
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  Telnet timeout 5
  SSH timeout 5
  Console timeout 0
  a basic threat threat detection
  Statistics-list of access threat detection
  !
  !
  tunnel-group 11.11.11.2 type ipsec-l2l
  IPSec-attributes tunnel-Group 11.11.11.2
  pre-shared-key *.
  context of prompt hostname
  Cryptochecksum:00000000000000000000000000000000
  : end
  ASA1 (config) #.
  ---------------------

  ASA2 (config) # sh run
  : Saved
  :
  ASA Version 8.0 (2)
  !
  hostname ASA2
  activate 8Ry2YjIyt7RRXU24 encrypted password
  names of
  !
  interface Ethernet0/0
  nameif outside
  security-level 0
  IP 11.11.11.2 255.255.255.0
  !
  interface Ethernet0/1
  nameif inside
  security-level 100
  IP 172.16.10.2 255.255.255.0
  !
  interface Ethernet0/2
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface Ethernet0/3
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface Ethernet0/4
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface Ethernet0/5
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  2KFQnbNIdI.2KYOU encrypted passwd
  passive FTP mode
  extended vpn 172.16.10.0 ip access list allow 255.255.255.0 10.10.10.0 255.255.255.0
  pager lines 24
  Outside 1500 MTU
  Within 1500 MTU
  no failover
  ICMP unreachable rate-limit 1 burst-size 1
  don't allow no asdm history
  ARP timeout 14400
  Route outside 0.0.0.0 0.0.0.0 11.11.11.1 1
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout, uauth 0:05:00 absolute
  dynamic-access-policy-registration DfltAccessPolicy
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Crypto ipsec transform-set esp-3des esp-sha-hmac tset
  card crypto cmap 1 match for vpn
  card crypto cmap 1 set peer 12.12.12.2
  card crypto cmap 1 transform-set tset
  cmap outside crypto map interface
  crypto ISAKMP allow outside
  crypto ISAKMP policy 1
  preshared authentication
  3des encryption
  md5 hash
  Group 5
  life 86400
  crypto ISAKMP policy 65535
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  Telnet timeout 5
  SSH timeout 5
  Console timeout 0
  a basic threat threat detection
  Statistics-list of access threat detection
  !
  !
  !
  tunnel-group 12.12.12.2 type ipsec-l2l
  IPSec-attributes tunnel-group 12.12.12.2
  pre-shared-key *.
  context of prompt hostname
  Cryptochecksum:00000000000000000000000000000000
  : end
  ASA2 (config) #.

  -------------------------
  OUTPUTS:

  *********************

  ASA1 (config) # sh crypto isakmp his

  ITS enabled: 1
  Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
  Total SA IKE: 1

  1 peer IKE: 11.11.11.2
  Type: L2L role: initiator
  Generate a new key: no State: MM_ACTIVE

  ---------------------

  ASA1 (config) # sh crypto ipsec his
  Interface: outside
  Tag crypto map: cmap, seq num: 1, local addr: 12.12.12.2

  access vpn ip 10.10.10.0 list allow 255.255.255.0 172.16.10.0 255.255.255.0
  local ident (addr, mask, prot, port): (10.10.10.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (172.16.10.0/255.255.255.0/0/0)
  current_peer: 11.11.11.2

  #pkts program: 50, #pkts encrypt: 50, #pkts digest: 50
  #pkts decaps: 49, #pkts decrypt: 49, #pkts check: 49
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 50, comp #pkts failed: 0, #pkts Dang failed: 0
  success #frag before: 0, failures before #frag: 0, #fragments created: 0
  Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
  #send errors: 0, #recv errors: 0

  local crypto endpt. : 12.12.12.2, remote Start crypto. : 11.11.11.2

  ------------------------
  ASA2 (config) # sh crypto isakmp his

  ITS enabled: 1
  Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
  Total SA IKE: 1

  1 peer IKE: 12.12.12.2
  Type: L2L role: answering machine
  Generate a new key: no State: MM_ACTIVE

  ------------------------

  ASA2 (config) # sh crypto ipsec his
  Interface: outside
  Tag crypto map: cmap, seq num: 1, local addr: 11.11.11.2

  access vpn ip 172.16.10.0 list allow 255.255.255.0 10.10.10.0 255.255.255.0
  local ident (addr, mask, prot, port): (172.16.10.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (10.10.10.0/255.255.255.0/0/0)
  current_peer: 12.12.12.2

  #pkts program: 49, #pkts encrypt: 49, #pkts digest: 49
  #pkts decaps: 50, #pkts decrypt: 50, #pkts check: 50
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 49, #pkts comp failed: 0, #pkts Dang failed: 0
  success #frag before: 0, failures before #frag: 0, #fragments created: 0
  Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
  #send errors: 0, #recv errors: 0

  local crypto endpt. : 11.11.11.2, remote Start crypto. : 12.12.12.2
  -------------------------

• a Web site is moved to google for me and for others, other sites, safari works, but not firefox

  This also happens to other users of this Web site.
  This has happened with ff 15 which kept freezing up and with ff 16 Beta that does not freeze.
  I rebooted everything without success.
  Webmaster said other similar complaints

  You are welcome

• Site to site VPN, I need all internet traffic to exit the site.

  I have 2 sites connected via a pair of SRX5308

  A = 192.168.1.0/24

  IP WAN = 1.1.1.1

  B = 192.168.2.0/24

  IP WAN = 2.2.2.2

  Now what I need to do, is to have all traffic from B to go to the site one even traffic destined to the internet. That is, I need internet traffic out of our network with the IP 1.1.1.1, even if it is from the network B.

  On my I have set up a route 1.1.1.1 of the ISP, then a value by default 0/0 to 192.168.1.1 it ASA knows how to get to the peer VPN is a more specific route, but sends everything above the tunnel, at the remote end which then hairpin of ASA routes internet outside its own WAN port traffic.

  I can understand though not how to so the same thing on the pair of SRX5308 they either don't raise the tunnel or internet route to the local site address B.

  Anyone have any ideas?

  I need to do this because we are logging and monitoring of internet traffic to A site via tapping from upstream to various IDS solutions and will not (cannot) reproduce this to all our remote sites.

  Thank you

  Dave.

  After some more thought and testing I came up with a workable solution to my own problem. I'll share it here in case it can help others.

  (1) use the wizard at both ends to implement a normal VPN that connects the two segments of network 192.168.1.0 and 192.168.2.0

  (2) go to site VPN - VPN policy remote router192.168.2.1 and click Edit

  (a) disable Netbios

  (b) select "None" from the drop-down list the remote IP address.

  (c) to apply the change

  3) go to the VPN-> VPN policy on the head end site (192.168.1.1) and click Edit

  (a) disable Netbios

  (b) select "None" from the drop-down list the local IP address

  (c) to apply the change

  Now all the traffic wil go down the VPN tunnel and exit to the internet on the site of head end. Hope this helps others with the same question.

• Call the Web browser program compiles in 4.2 and upward but not 4.1

  I wrote a very simple application that when launched, opens the browser and takes you to a predefined binding. The following code compiles and works very well on the 4.2 and upward, but I can't seem to compile in the jde 4.1:

  package vwr;
  
  import net.rim.blackberry.api.browser.Browser;
  import net.rim.blackberry.api.browser.BrowserSession;
  import net.rim.device.api.ui.UiApplication;
  
  public class vwr extends UiApplication {
  public static void main(String[] args){
  vwr instance = new vwr();
  instance.enterEventDispatcher();
  }
  
  public vwr() {
  BrowserSession site = Browser.getDefaultSession();
  site.displayPage("http://www.google.com");
  site.showBrowser();
  System.exit(0);
  }
  }
  

  When I compile 4.1, I get an error related to the site.showBrowser (); command. But as I mentioned, the above code compiles and works fine on OS 4.2 and above. Is there a simple solution for this?

  Thank you in advance.

  Nevermind, I found a solution that works. Here's the code. I hope that someone else will find useful.

  import net.rim.blackberry.api.browser.Browser;
  import net.rim.blackberry.api.browser.BrowserSession;
  import net.rim.device.api.ui.UiApplication;
  
  public class vwr extends UiApplication {
  public static void main(String[] args) {
       vwr instance = new vwr();
       instance.enterEventDispatcher();
    }
  
  public vwr() {
      BrowserSession site = Browser.getDefaultSession();
      site.displayPage("www.google.com");
      System.exit(0);
    }
  }
  

• Ipad Cisco ipsec VPN connects but not access to the local network

  Hi guys,.

  I am trying to connect our ipads to vpn to access network resources. IPSec cisco ipad connects but not lan access and cannot ping anything not even not the interfaces of the router.

  If I configure the vpn from cisco on a laptop, it works perfectly, I can ping all and can access resources on the local network if my guess is that the traffic is not going in the tunnel vpn between ipad and desktop.

  Cisco 877.

  My config is attached.

  Any ideas?

  Thank you

  Build-in iPad-client is not useful to your configuration.

  You have three options:

  (1) remove the ACL of your vpn group. Without split tunneling client will work.

  2) migrate legacy config crypto-map style. Here, you can use split tunneling

  3) migrate AnyConnect.

  The root of the problem is that the iPad Gets the split tunneling-information. But instead of control with routing traffic should pass through the window / the tunnel and which traffic is allowed without the VPN of the iPad tries to build a set of SAs for each line in your split-tunnel-ACL. But with the model-virtual, SA only is allowed.

• VPN does not pass traffic

  I've set up a remote access VPN between a Cisco ASA 5510 and a remote access client. VPN connects successfully, but no network traffic is able to be passed. I have attached my setup. Any help would be greatly appreciated.

  Mike,

  Glad to know that your problem is solved.

  If you don't mind, could, you update the Forum saying that the responses solved your problem, while others may benefit by looking at the answers.

  Thank you

  Arul

• AnyConnect VPN connected but not in LAN access

  Hello

  I just connfigured an ASA to remote VPN. I think everything works but I do not have access

  for customers in the Local LAN behind the ASA.

  PC <==internet==>outside of the SAA inside<=LAN=> PC

  After AnyConnect has established the connection I can ping inside the Interface of the ASA

  but I can't Ping the PC behind the inside Interface.

  Here is the config of the ASA5505:

  : Saved

  :

  ASA Version 8.2 (1)

  !

  asa5505 hostname

  activate 8Ry2YjIyt7RRXU24 encrypted password

  2KFQnbNIdI.2KYOU encrypted passwd

  names of

  !

  interface Vlan1

  nameif inside

  security-level 100

  IP 192.168.1.1 255.255.255.0

  !

  interface Vlan2

  nameif outside

  security-level 0

  IP 192.168.178.254 255.255.255.0

  !

  interface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  Shutdown

  !

  interface Ethernet0/3

  Shutdown

  !

  interface Ethernet0/4

  Shutdown

  !

  interface Ethernet0/5

  Shutdown

  !

  interface Ethernet0/6

  Shutdown

  !

  interface Ethernet0/7

  Shutdown

  !

  passive FTP mode

  Inside_ICMP list extended access permit icmp any any echo response

  Inside_ICMP list extended access permit icmp any any source-quench

  Inside_ICMP list extended access allow all unreachable icmp

  Inside_ICMP list extended access permit icmp any one time exceed

  access-list outside_cryptomap_2 note ACL traffic von ASA5505 zur ASA5510

  outside_cryptomap_2 to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.10.0 255.255.255.0

  no_NAT to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.10.0 255.255.255.0

  no_NAT to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.178.0 255.255.255.0

  tunnel of splitting allowed access list standard 192.168.1.0 255.255.255.0

  pager lines 24

  Within 1500 MTU

  Outside 1500 MTU

  mask 192.168.1.10 - 192.168.1.15 255.255.255.0 IP local pool SSLClientPool

  ICMP unreachable rate-limit 1 burst-size 1

  don't allow no asdm history

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) 0-list of access no_NAT

  NAT (inside) 1 192.168.1.0 255.255.255.0

  Access-group Inside_ICMP in interface outside

  Route outside 0.0.0.0 0.0.0.0 192.168.178.1 1

  Route outside 192.168.10.0 255.255.255.0 192.168.178.230 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  dynamic-access-policy-registration DfltAccessPolicy

  AAA authentication http LOCAL console

  Enable http server

  http 192.168.1.0 255.255.255.0 inside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set-3DESSHA FRA esp-3des esp-sha-hmac

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  card crypto outside_map 2 match address outside_cryptomap_2

  peer set card crypto outside_map 2 192.168.178.230

  card crypto outside_map 2 game of transformation-FRA-3DESSHA

  outside_map interface card crypto outside

  Crypto ca trustpoint localtrust

  registration auto

  domain name full cisco - asa5505.fritz.box

  name of the object CN = cisco - asa5505.fritz.box

  sslvpnkeypair key pair

  Configure CRL

  Crypto ca certificate chain localtrust

  certificate fa647850

  3082020b a0030201 30820174 020204fa 0d06092a 64785030 864886f7 0d 010104

  0500304 06035504 03131763 6973636f 617361 35353035 2e667269 2d 3120301e a

  747a2e62 6f783126 30240609 2a 864886 f70d0109 02161763 6973636f 2d 617361

  2e667269 35353035 747a2e62 6f78301e 170d 3132 31303132 31383434 31305a 17

  323231 30313031 38343431 06035504 03131763 6973636f 3120301e 305a304a 0d

  617361 35353035 2e667269 747a2e62 6f783126 2a 864886 30240609 f70d0109 2D

  6973636f 02161763 2d 617361 35353035 2e667269 747a2e62 6f783081 9f300d06

  d6279e1c 8181009f 092a 8648 86f70d01 01010500 03818d 30818902 00 38454fc 9

  705e1e58 762edc35 e64262fb ee55f47b 8d62dda2 102c8a22 c97e395f 2a9c0ebb

  f2881528 beb6e9c3 89d91dda f7fe77a4 2a1fda55 f8d930b8 3310a05f 622dfc8f

  d48ea749 7bbc4520 68 has 06392 d65d3b87 0270e41b 512a4e89 94e60167 e2fa854a

  87ec04fa e95df04f 3ff3336e c7437e30 ffbd90b5 47308502 03010001 300 d 0609

  2a 864886 04050003 81810065 cc9e6414 3c322d1d b191983c 97b474a8 f70d0101

  2e5c7774 9d54d3ec fc4ee92d c72eef27 a79ce95a da83424f b05721c0 9119e7ea

  c5431998 e6cd8272 de17b5ff 5b1839b5 795fb2a0 2d10b479 056478fa 041555dd

  bfe3960a 4fe596ec de54d58b a5fa187e 5967789a a26872ef a33b73ec 7d7673b9

  c8af6eb0 46425cd 2 765f667d 4022c 6

  quit smoking

  crypto ISAKMP allow outside

  crypto ISAKMP policy 1

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  crypto ISAKMP policy 65535

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  management-access inside

  a basic threat threat detection

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  localtrust point of trust SSL outdoors

  WebVPN

  allow outside

  SVC disk0:/anyconnect-win-2.3.0254-k9.pkg 1 image

  SVC disk0:/anyconnect-wince-ARMv4I-2.3.0254-k9.pkg 2 image

  enable SVC

  tunnel-group-list activate

  internal SSLClientPolicy group strategy

  attributes of Group Policy SSLClientPolicy

  VPN-tunnel-Protocol svc

  Split-tunnel-policy tunnelspecified

  Split-tunnel-network-list value split tunnel

  the address value SSLClientPool pools

  WebVPN

  SVC Dungeon-Installer installed

  time to generate a new key of SVC 30

  SVC generate a new method ssl key

  SVC request no svc default

  username password asdm privilege Yvx83jxa2WCRAZ/m number 15

  hajo 2w8CnP1hHKVozsC1 encrypted password username

  hajo attributes username

  type of remote access service

  tunnel-group 192.168.178.230 type ipsec-l2l

  IPSec-attributes tunnel-group 192.168.178.230

  pre-shared-key *.

  type tunnel-group SSLClientProfile remote access

  attributes global-tunnel-group SSLClientProfile

  Group Policy - by default-SSLClientPolicy

  tunnel-group SSLClientProfile webvpn-attributes

  enable SSLVPNClient group-alias

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the netbios

  inspect the rsh

  inspect the rtsp

  inspect the skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect the tftp

  inspect the sip

  inspect xdmcp

  !

  global service-policy global_policy

  context of prompt hostname

  Cryptochecksum:0008564b545500650840cf27eb06b957

  : end

  What wrong with my setup.

  Concerning

  Hans-Jürgen Guenter

  Hello Hans,.

  You should change your VPN pool to be a different subnet within the network, for example: 192.168.5.0/24

  Then configure NAT exemption for traffic between the Interior and the pool of vpn.

  Based on your current configuration, the following changes:

  mask 192.168.5.10 - 192.168.5.15 255.255.255.0 IP local pool SSLClientPool

  no_NAT to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.5.0 255.255.255.0

  And then also to enable icmp inspection:

  Policy-map global_policy

  class inspection_default

  inspect the icmp

• Client VPN connects but no IP traffic is passed...

  I have a user in a hotel, his laptop was works well on remote connections previously, he gets the lock when it connects, but no IP traffic is passed. Is it pings it gets "host unreachable". I think he's behind a firewall of hotel, but nothing else that I can check to confirm? I was going to put the new client available for download (internet access works very well), he performs a version 4.7. I also tested his connection on a profile box test and it worked fine.

  UM... so it is able to authenticate so I don't think that he coulkd be blocked... double check you are using have traversed nat enabled on your PIX...

  ISAKMP nat-traversal 20

  I hope that helps... Rate if he does!

• Client VPN connects but not internal LAN access or Ping

  Hi all.

  I'm new on this forum and kindly asking for your help because I'm stuck.

  I have an ADSL router cisco 877 which I configured easy VPN server.
  Now the Cisco VPN client ver 5.0 to connect successfully to the VPN server, but when you try to access/ping computers on the internal network, there is no response.

  The configuration is below. Please let know us where I was going or what I missed.
  [code]

  Building configuration...

  Current configuration: 4574 bytes
  !
  version 12.4
  no service button
  horodateurs service debug datetime msec
  Log service timestamps datetime msec
  encryption password service
  !
  boot-start-marker
  boot-end-marker
  !
  enable secret 5 $1$ $86dn J8HrK9kCQ8G9aPAm6xe4o1
  enable password 7 13151601181B54382F
  !
  AAA new-model
  !
  !
  AAA authentication login default local
  AAA authentication login internal_affairs_vpn_1 local
  AAA authorization exec default local
  AAA authorization internal_affairs_vpn_group_1 LAN
  !
  !
  AAA - the id of the joint session
  !
  Crypto pki trustpoint TP-self-signed-2122144568
  enrollment selfsigned
  name of the object cn = IOS - Self - signed - certificate - 2122144568
  revocation checking no
  rsakeypair TP-self-signed-2122144568
  !
  !
  TP-self-signed-2122144568 crypto pki certificate chain
  self-signed certificate 03
  30820248 308201B 1 A0030201 02020103 300 D 0609 2A 864886 F70D0101 04050030
  2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30
  69666963 32313232 31343435 6174652D 3638301E 170 3032 30333032 32303537
  31375A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D
  4F532D53 5369676E 656C662D 43 65727469 66696361 74652 32 31323231 65642D
  34343536 3830819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101
  8100D3EA 07EC5D66 F4DD8ACC 5540BDBE 009B3C26 598EC99C D99D935A 51292F96
  F495E5A9 8D012B0E 73EA7639 3B 586799 187993F5 ED9CA31C 788756DD 6BDB1B2B
  4D7AA7F0 B07CF82F F2A29E86 E18B442C 550E22D2 E92D9914 105B7D59 253BBEA1
  D84636B4 A4B4B300 7946CE84 E9A63D2E 7789B03A 6ADDB04E B21EC207 CCFEAE0B
  30 HAS A 50203 010001, 3 1 130101 301B 0603 030101FF FF040530 0F060355 70306E30
  551 1104 14301282 10494E54 45524E41 4C5F4146 46414952 53301F06 03551D 23
  04183016 8014FA0F B3C9C651 7FD91EFA 3F63EAE8 6C83C80D 8AE2301D 0603551D
  0E041604 14FA0FB3 C9C6517F D91EFA3F 63EAE86C 83C80D8A E2300D06 092A 8648
  86F70D01 01040500 03818100 A1026DDC C91CAEB2 3C62AF92 D6B25EB2 CA 950, 920
  313BCF26 4A35B039 A4F806A0 8CB54D11 6AF1ABAA A770604B 4403F345 0351361B
  E2CF2950 26974F4A 95951862 401A4F76 C816590C 2FFCB115 9A8B3E96 4373FFE1
  33D744F7 E0FDDE61 B5B48497 9516C3C6 A3157957 C621668E A83B5E33 2420F962
  9142DD9E B6E9D74A 899A 9653
  quit smoking
  dot11 syslog
  IP cef
  No dhcp use connected vrf ip
  DHCP excluded-address IP 10.10.10.1
  !
  IP dhcp pool dhcplan
  Network 10.0.0.0 255.0.0.0
  DNS-server 196.0.50.50 81.199.21.94
  default router 10.10.10.1
  Rental 7
  !
  !
  property intellectual auth-proxy max-nodata-& 3
  property intellectual admission max-nodata-& 3
  name of the IP-server 81.199.21.94
  !
  !
  !
  VPN username password 7 095A5E07
  username fred privilege 15 password 7 1411000E08
  username ciscovpn password 7 01100F175804101F2F
  !
  !
  crypto ISAKMP policy 1
  BA 3des
  preshared authentication
  Group 2
  !
  ISAKMP crypto client configuration group internal_affairs_vpn
  key *.
  DNS 196.0.50.50 81.199.21.94
  pool ippool
  ACL 108
  !
  !
  Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT
  !
  Crypto-map dynamic internal_affairs_DYNMAP_1 10
  Set transform-set RIGHT
  market arriere-route
  !
  !
  card crypto client internal_affairs_CMAP_1 of authentication list internal_affairs_vpn
  card crypto isakmp authorization list internal_affairs_vpn_group_1 internal_affairs_CMAP_1
  client configuration address card crypto internal_affairs_CMAP_1 answer
  ipsec 10-isakmp crypto map internal_affairs_CMAP_1 Dynamics internal_affairs_DYNMAP_1
  !
  Archives
  The config log
  hidekeys
  !
  !
  !
  Bridge IRB
  !
  !
  interface Loopback0
  2.2.2.2 the IP 255.255.255.255
  !
  ATM0 interface
  no ip address
  ATM vc-per-vp 512
  No atm ilmi-keepalive
  PVC 0/32
  aal5snap encapsulation
  Protocol ip inarp
  !
  DSL-automatic operation mode
  Bridge-Group 1
  !
  interface FastEthernet0
  !
  interface FastEthernet1
  !
  interface FastEthernet2
  !
  interface FastEthernet3
  !
  interface Vlan1
  description of the local lan interface
  IP 10.10.10.1 255.0.0.0
  IP nat inside
  IP virtual-reassembly
  !
  interface BVI1
  internet interface Description
  IP 197.0.4.174 255.255.255.252
  NAT outside IP
  IP virtual-reassembly
  internal_affairs_CMAP_1 card crypto
  !
  IP local pool ippool 192.168.192.1 192.168.192.200
  IP forward-Protocol ND
  IP route 0.0.0.0 0.0.0.0 196.0.4.173
  !
  IP http server
  local IP http authentication
  IP http secure server
  IP nat inside source list interface BVI1 NAT overload
  IP nat inside source static tcp 2.2.2.2 23 23 BVI1 interface
  !
  NAT extended IP access list
  allow an ip
  !
  access-list 108 allow ip 10.0.0.0 0.255.255.255 192.168.192.0 0.0.0.255
  !
  !
  !
  control plan
  !
  Bridge Protocol ieee 1
  1 channel ip bridge
  !
  Line con 0
  password 7 0216054818115F3348
  no activation of the modem
  line to 0
  line vty 0 4
  password 7 06160E325F59590B01
  !
  max-task-time 5000 Planner
  end

  Since this is a named ACL, you need to change ACL configuration mode:

  NAT extended IP access list

  Then, make the changes.

  Federico.

• Embedded YouTube videos work locally, but not after the FTP publishing. Works locally and on the web in all other browsers. Using FF 17.0.1 and Adobe Flash 11.5.502

  Found a Tube-video, which I embarked on one of the pages of my site. Using FF 17.0.1 and Adobe Flash 11.5.502, YouTube-videos work locally, but not after the FTP publishing.

  I work reasonable locally and on the web in all other browsers.

  Stupid FF?

  The HTML code is as follows:

  <table WIDTH="770" CELLPADDING="0" CELLSPACING="0">
    <tr VALIGN="TOP">
      <td VALIGN="top" ALIGN="left" width="463">
  <object WIDTH="340" HEIGHT="193">
        <param name="movie" value="http://www.youtube.com/v/N6GvuO_9tLY?fs=1?amp;hl=de_DE">
        <param name="allowFullScreen" value="true">
        <param name="allowscriptaccess" value="always"><embed SRC="http://www.youtube.com/v/N6GvuO_9tLY?fs=1?amp;hl=de_DE" TYPE="application/x-shockwave-flash" WIDTH="340" HEIGHT="193">
      </object>
  </td>
      <td VALIGN="top" ALIGN="left" width="403"></td>
      </tr>
  </table>

  I've experimented on the use of < iframe > instead of < object >. No change. Cache cleared on each attempt.

  Any thoughts?

  If it works in Firefox Safe mode and then disable all extensions (Tools > Modules > Extensions) and then try to find out who is causing by allowing an extension at a time until the problem reappears.

  Close and restart Firefox after each change through "file > exit ' (Mac: ' Firefox > leave";) Linux: "file > exit ')

  Alternatively, you can try to disable hardware acceleration in Firefox.

  • Tools > Options > advanced > General > Browsing: "use hardware acceleration when available.
  • https://support.Mozilla.org/KB/troubleshooting+extensions+and+themes