Telemetry MP problem
Hi all
I hope someone can help with this problem. My laptop keeps freezing. In my view, it is a problem with the Defender, but I'm no expert (actually, far from it)
Problem event name: MpTelemetry
Signature of the 01:2152759308 problem
Signature of the problem 02: not specified
Signature of the problem 03: ScanFile
Signature of the problem 04: 2.1.6805.0
Signature of the problem 05: Microsoft Antimalware (BCF43643-A118-4432-AEDE-D861FCBCFCDE)
Signature of the 06 problem: not specified
Signature of the problem 07: unspecified
The system version: 6.0.6002.2.2.0.768.3
Locale ID: 2057
I don't understand any of this, but I hope it helps
Thank you
Gorset
Hi Gorsey,
(1) since when are you facing this problem?
(2) remember to make changes to the computer?
Method 1: run the fixit available in the link below and check if that makes a difference
Difficulty of Windows system performance slow computer problems
Method 2: Clean boot the computer, and check to see if the problem persists
Follow step 1 in the link below,
How to troubleshoot a problem by performing a clean boot in Windows Vista or in Windows 7
http://support.Microsoft.com/kb/929135
If everything works well after a clean boot, you can deduce that some third-party services are at the origin of the problem.
Continue with the remaining steps to pin-point on the third party service.
After find you the program that is causing the problem, you will have to perhaps to update or install a newer version of the program, if you rarely use that you should consider uninstalling the software.
Important: n ' forget not the computer to start normal follow step 7 in the link.
Method 3: Download and install all the available Windows updates
Thank you, and in what concerns:
Ajay K
Microsoft Answers Support Engineer
---------------------------------------------------------------------------------------------------------
Visit our Microsoft answers feedback Forum and let us know what you think.
Tags: Windows
Similar Questions
-
Executable Antimalware MP telemetry indicates a problem in Vista
Antimalware Service executable. Telemetry of MP.
Vista Ultimate 64 bit OS.
Microsoft Security Essentials.
All Windows updates and Essentials updates are automatically checked manually and installed every day! The entire system and printer drivers are the most recent available.
Previous questions and answers to this problem and in this forum seem to be addressed to this problem of Malware defender and has happened to users for a long time.
On July 12 I started to receive 2 reports in "Problems Windows has indicated".
1 Antimalware Service executable. Telemetry of MP.
Whenever I turn on my PC, this problem is listed in the issues page. I can't report to windows and it remains on the page in bold.
I ran a full Scan in Essentials and no malware, viruses or spyware are.
2 spooler subsystem App. printer to print not the causes.
Many users seem to be encoutering this problem. There seems to be several answers on how to fix the problem, but nothing of what Microsoft can do to fix it. The answer to my question in this forum about this problem is so long and so detailed and so complicated and with the language I do not understand that it will take me months looking for every possible way to fix the print spooler.
Is it just a coincidence that these two problems arose on the same date? Or is the malware that I can't remove causeing the problem of print spooler?
The MpTelemetry is part of the Microsoft Security Essentials.
I suggest that you double-click the entries in reports on the problems and Solutions for details. View MpTelemetry information in the Microsoft Security Essentials forum so that their experts can check something abnormal.
Display information of a coil problem in the hardware forum and drivers. A person should be able to guide through a solution.
-
turn off the prompt of telemetry
Windows XP, Firefox 17.
I can't turn off the prompt of telemetry. If I change '2' to '0' to the subject: config, it jumps right back to 2 and does not leave my changes or permanent. Clicking 'No' to the command prompt only works for the session. Help!
You are welcome.
There's only one file prefs.js with valid content.
If other software (security) maintains a lock on files or protect it from the changes to the files then Firefox is not able to update content and you have problems. -
telemetry MP Microsoft Antimalware (BCF43643-A118-4432-AEDE-D861FCBCFCDE)
OK I have my computer blue screen failure and this is what I find the error.
telemetry MP Microsoft Antimalware (BCF43643-A118-4432-AEDE-D861FCBCFCDE)
Restore point:
Try typing F8 at startup and in the list of Boot selections, select Mode safe using ARROW top to go there > and then press ENTER.
Try a restore of the system once, to choose a Restore Point prior to your problem...
Click Start > programs > Accessories > system tools > system restore > choose another time > next > etc.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If restore work not and you do not have a Vista DVD from Microsoft, do a repair disc to do a Startup Repair:
Download the ISO on the link provided and make a record of repair time it starts.
Go to your Bios/Setup, or the Boot Menu at startup and change the Boot order to make the DVD/CD drive 1st in the boot order, then reboot with the disk in the drive.
At the startup/power on you should see at the bottom of the screen either F2 or DELETE, go to Setup/Bios or F12 for the Boot Menu.
When you have changed that, insert the Bootable disk you did in the drive and reboot.
http://www.bleepingcomputer.com/tutorials/tutorial148.html
Link above shows what the process looks like and a manual, it load the repair options.
NeoSmart containing the content of the Windows Vista DVD 'Recovery Centre', as we refer to him. It cannot be used to install or reinstall Windows Vista, and is just a Windows PE interface to recovering your PC. Technically, we could re-create this installation with downloadable media media freely from Microsoft (namely the Microsoft WAIK, several gigabyte download); but it is pretty darn decent of Microsoft to present Windows users who might not be able to create such a thing on their own.
Read all the info on the website on how to create and use:
http://NeoSmart.net/blog/2008/Windows-Vista-recovery-disc-download/
ISO Burner: http://www.snapfiles.com/get/active-isoburner.html
It's a very good Vista startup repair disk.
You can do a system restart tool, system, etc it restore.
It is NOT a disc of resettlement.
And the 32-bit is what normally comes on a computer, unless 64-bit.
See you soon.
Mick Murphy - Microsoft partner
-
Report problems & Solution
Hello:
I have a laptop - Vista-32 operating system. Can someone help me with these items. I keep getting the following errors - ' hpsudelpacks.exe. Windows Defender Command Line Utility (telemetry Mp) & hpqddsvc. I dial the number 800 several times but failed to get any help. I did a system restore, but the problem is not going away. I really need someone to help me here.
Hello
1.hpsudelpacks.exe
This file is in relation to HP Total Care Advisor. This software has a lot of bugs. Just uninstall it and your problem will be solved.
2hpqddsvc
See this topic. In the second message written by Dexter you will find solution about this problem too.
-
Problem with editing KB2538242 update for visual c ++ 2005
Hello
I have a problem when I try to install the KB2538242 update. I tried many solutions on the internet and nothing worked. I really need to make it work without having to reinstall the system. This is the error that is displayed.
Back up the data and do a clean install is what I think :/
Do not charge anything until all the important updates are installed
Except for the kb3112343 if you want telemetry 10 installed windows upgrade.
I would also like to as soon as you arrive at the change of office that your windows update set for this to keep all sorted properly updates
-
sfc / scannow found problems and do not understand how to fix
I had this problem for a while and it s driving me crazy. Everyone told me to reinstall Windows, and I... twice!
These items in the folder of papers of sfc are:
2015-08-02 07:16:44, info CSI 00000246 [SR] cannot repair the military record [l:18 {9}] "MSDTC. JOURNAL"of the Microsoft-Windows-COM-DTC-Runtime, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, type neutral, TypeName neutral, neutral public key in the store, file is missing
2015-08-02 07:16:45, info CSI 00000248 [SR] cannot repair the military record [l:24 {12}] "utc.app.json" Microsoft-Windows-Unified-telemetry-Client, Version = 6.1.7601.18869, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, type neutral, TypeName neutral, neutral to the public key in the store, hash mismatch "
2015-08-02 07:16:45, CSI Info 0000024a [SR] cannot repair the military record [l:66 {33}] 'telemetry. "ASM - WindowsDefault.json" Microsoft-Windows-Unified-telemetry-client, Version = 6.1.7601.18869, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, type neutral, TypeName neutral, neutral to the public key in the store, hash mismatch
2015-08-02 07:16:45, CSI Info 0000024b [SR] cannot repair the military record [l:18 {9}] "MSDTC. JOURNAL"of the Microsoft-Windows-COM-DTC-Runtime, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, type neutral, TypeName neutral, neutral public key in the store, file is missing
2015-08-02 07:16:45, CSI Info 0000024 c [SR] this element is referenced by [l:198 {99}] "Microsoft-Windows-Foundation-Package ~ 31bf3856ad364e35 ~ x 86 ~ ~ 6.1.7601.17514.WindowsFoundationDelivery '.
2015-08-02 07:16:45, CSI Info 0000024e [SR] cannot repair the military record [l:24 {12}] "utc.app.json" Microsoft-Windows-Unified-telemetry-Client, Version = 6.1.7601.18869, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, type neutral, TypeName neutral, neutral to the public key in the store, hash mismatch "
2015-08-02 07:16:45, CSI 0000024f [SR] Info this item is referenced by [l:158 {79}] "' Package_168_for_KB3068708 ~ 31bf3856ad364e35 ~ x 86 ~ ~ 6.1.1.0.3068708 - 604_neutral_GDR" "
2015-08-02 07:16:45, Info CSI 00000251 [SR] cannot repair the military record [l:66 {33}] 'telemetry. "ASM - WindowsDefault.json" Microsoft-Windows-Unified-telemetry-client, Version = 6.1.7601.18869, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, type neutral, TypeName neutral, neutral to the public key in the store, hash mismatch
2015-08-02 07:16:45, Info CSI 00000252 [SR] this element is referenced by [l:158 {79}] "' Package_168_for_KB3068708 ~ 31bf3856ad364e35 ~ x 86 ~ ~ 6.1.1.0.3068708 - 604_neutral_GDR" "
2015-08-02 07:16:45, info CSI 00000254 [SR] full repair
------------------------------------------------------------------------------------------------------------------------------------------------
Please don't tell me to reinstall. I would just like some who knows something about computers and Windows 7, what for and how to solve it individually if need be.
Thank you
Richard
Please don't tell me to reinstall. I would just like some who knows something about computers and Windows 7, what for and how to solve it individually if need be.
Richard,
Additional information: does not hurt to try first to Canadian techrecommendation.
See if there is a clue in this https://technet.microsoft.com/en-us/library/ee619779 (WS.10) .aspx>
`~`
-
ASA 5515 - Anyconnect - inside the subnet connection problem
Hi all
I have a problem with the connection to the Interior/subnet using Anyconnect SSL VPN.
ASA worm. 5515
Please find below of configuration:
User access audit
ASA1 # show running-config
: Saved
:
ASA 9.1 Version 2
!
hostname ASA1
activate 8Ry2YjIyt7RRXU24 encrypted password
volatile xlate deny tcp any4 any4
volatile xlate deny tcp any4 any6
volatile xlate deny tcp any6 any4
volatile xlate deny tcp any6 any6
volatile xlate deny udp any4 any4 eq field
volatile xlate deny udp any4 any6 eq field
volatile xlate deny udp any6 any4 eq field
volatile xlate deny udp any6 any6 eq field
2KFQnbNIdI.2KYOU encrypted passwd
names of
mask of local pool swimming POOLS-for-AnyConnect 10.0.70.1 - 10.0.70.50 IP 255.255.255.0
!
interface GigabitEthernet0/0
nameif outside
security-level 0
address IP A.A.A.A 255.255.255.240
!
interface GigabitEthernet0/1
nameif inside
security-level 100
192.168.64.1 IP address 255.255.255.0
!
interface GigabitEthernet0/2
nameif dmz
security-level 20
address IP B.B.B.B 255.255.255.0
!
interface GigabitEthernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/5
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
management only
Shutdown
No nameif
no level of security
no ip address
!
passive FTP mode
network of the OBJ_GENERIC_ALL object
subnet 0.0.0.0 0.0.0.0
network outside_to_inside_FR-Appsrv01 object
Home 192.168.64.232
network outside_to_dmz_fr-websvr-uat object
Home 10.20.20.14
network inside_to_dmz object
192.168.64.0 subnet 255.255.255.0
gtc-tomcat network object
Home 192.168.64.228
network of the USA-Appsrv01-UAT object
Home 192.168.64.223
network of the USA-Websvr-UAT object
Home 10.20.20.13
network vpn_to_inside object
10.0.70.0 subnet 255.255.255.0
extended access list acl_out permit everything all unreachable icmp
acl_out list extended access permit icmp any any echo response
acl_out list extended access permit icmp any one time exceed
acl_out list extended access permit tcp any object outside_to_inside_FR-Appsrv01 eq 3389
acl_out list extended access permit tcp any object outside_to_inside_FR-Appsrv01 eq 28080
acl_out list extended access permit tcp any object outside_to_inside_FR-Appsrv01 eq 9876
acl_out list extended access permit udp any object outside_to_inside_FR-Appsrv01 eq 1720
acl_out list extended access permit tcp any object outside_to_dmz_fr-websvr-uat eq www
acl_out list extended access permit tcp any object outside_to_dmz_fr-websvr-uat eq https
acl_out list extended access permit tcp any object outside_to_dmz_fr-websvr-uat eq 3389
acl_out list extended access permit tcp any object USA-Appsrv01-UAT eq 9876
acl_out list extended access permit udp any eq USA-Appsrv01-UAT object 1720
acl_out list extended access permit tcp any object USA-Websvr-UAT eq www
acl_out list extended access permit tcp any USA-Websvr-UAT eq https object
acl_out list extended access permit tcp any object USA-Websvr-UAT eq 3389
acl_out list extended access permit tcp any object USA-Appsrv01-UAT eq 3389
acl_dmz list extended access permit icmp any any echo response
acl_dmz of access allowed any ip an extended list
acl_dmz list extended access permitted tcp object object to outside_to_dmz_fr-websvr-uat gtc-tomcat eq 8080
acl_dmz list extended access permitted tcp object object to outside_to_dmz_fr-websvr-uat gtc-tomcat eq 8081
acl_dmz list extended access permitted tcp object object to outside_to_dmz_fr-websvr-uat gtc-tomcat eq 3389
acl_dmz list extended access permitted tcp object USA-Websvr-UAT object USA-Appsrv01-UAT eq 8080
acl_dmz list extended access permitted tcp object USA-Websvr-UAT object USA-Appsrv01-UAT eq 8081
access extensive list ip 192.168.64.0 gtcvpn2 allow 255.255.255.0 10.0.70.0 255.255.255.0
pager lines 24
Outside 1500 MTU
Within 1500 MTU
MTU 1500 dmz
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT dynamic interface of OBJ_GENERIC_ALL source (indoor, outdoor)
NAT (inside, outside) static source all all static destination vpn_to_inside vpn_to_inside
!
network outside_to_inside_FR-Appsrv01 object
NAT static x.x.x.x (indoor, outdoor)
network outside_to_dmz_fr-websvr-uat object
NAT (dmz, outside) static x.x.x.x
network of the USA-Appsrv01-UAT object
NAT static x.x.x.x (indoor, outdoor)
network of the USA-Websvr-UAT object
NAT (dmz, outside) static x.x.x.x
Access-group acl_out in interface outside
Access-group acl_dmz in dmz interface
Route outside 0.0.0.0 0.0.0.0 B.B.B.B 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
Enable http server
http 192.168.64.204 255.255.255.255 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
Crypto ipsec pmtu aging infinite - the security association
Crypto ca trustpoint ASDM_TrustPoint0
registration auto
name of the object CN = ASA1
GTCVPN2 key pair
Configure CRL
trustpool crypto ca policy
string encryption ca ASDM_TrustPoint0 certificates
certificate of 19897d 54
308201cf 30820138 a0030201 02020419 897d 864886f7 0d 010105 5430 0d06092a
0500302c 3111300f 06035504 03130851 57455354 32343031 17301506 092a 8648
09021608 51574553 54323430 31343132 30333034 30333237 301e170d 86f70d01
5a170d32 34313133 30303430 3332375a 302 c 3111 55040313 08515745 300f0603
53543234 30311730 1506092a 864886f7 010902 16085157 45535432 34303081 0d
9f300d06 092 has 8648 86f70d01 01010500 03818d 00 30818902 818100a 2 5e873d21
dfa7cc00 ee438d1d bc400dc5 220f2dc4 aa896be4 39843044 d0521010 88 has 24454
b4b1f345 84ec0ad3 cac13d47 a71f367a 2e71f5fc 0a9bd55f 05d 75648 72bfb9e9
c5379753 26ec523d f2cbc438 d234616f a71e4f4f 42f39dde e4b99020 cfcd00ad
73162ab8 1af6b6f5 fa1b47c6 d261db8b 4a75b249 60556102 03010001 fa3fbe7c
300 d 0609 2a 864886 f70d0101 8181007a 05050003 be791b64 a9f0df8f 982d162d
b7c884c1 eb183711 05d676d7 2585486e 5cdd23b9 af774a8f 9623e91a b3d85f10
af85c009 9590c0b3 401cec03 4dccf99a f1ee8c01 1e6f0f3a 6516579c 12d9cbab
59fcead4 63baf64b 7adece49 7799f94c 1865ce1d 2c0f3ced e65fefdc a784dc50
350e8ba2 998f3820 e6370ae5 7e6c543b 6c1ced
quit smoking
Telnet 192.168.64.200 255.255.255.255 inside
Telnet 192.168.64.169 255.255.255.255 inside
Telnet 192.168.64.190 255.255.255.255 inside
Telnet 192.168.64.199 255.255.255.255 inside
Telnet timeout 5
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
SSL-trust ASDM_TrustPoint0 inside point
SSL-trust outside ASDM_TrustPoint0 point
WebVPN
allow outside
AnyConnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
AnyConnect enable
tunnel-group-list activate
internal GroupPolicy_GTCVPN2 group strategy
attributes of Group Policy GroupPolicy_GTCVPN2
WINS server no
value of 192.168.64.202 DNS server 192.168.64.201
client ssl-VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list gtcvpn2
field default value mondomaine.fr
username cHoYQ5ZzE4HJyyq password of duncan / encrypted
username Aosl50Zig4zLZm4 admin password / encrypted
password encrypted sebol U7rG3kt653p8ctAz user name
type tunnel-group GTCVPN2 remote access
attributes global-tunnel-group GTCVPN2
Swimming POOLS-for-AnyConnect address pool
Group Policy - by default-GroupPolicy_GTCVPN2
tunnel-group GTCVPN2 webvpn-attributes
enable GTCVPN2 group-alias
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
Review the ip options
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory 19
Subscribe to alert-group configuration periodic monthly 19
daily periodic subscribe to alert-group telemetry
Cryptochecksum:0b972b3b751b59085bc2bbbb6b0c2281
: end
ASA1 #.I can connect to the ASA from outside with the Anyconnect client, split tunneling works well unfortunately I can't ping anything inside the network, VPN subnet: 255.255.255.0, inside the 192.168.64.x 255.255.255.0 subnet 10.0.70.x
When connecting from the outside, cisco anyconnect is showing 192.168.64.0/24 in the tab "details of the trip.
Do you know if I'm missing something? (internal subnet to subnet route vpn?)
Thank you
Use your internal subnet ASA as its default gateway? If this isn't the case, it will take a route pointing to the ASA inside the interface.
You can perform a packet - trace as:
Packet-trace entry inside tcp 192.168.64.2 80 10.0.70.1 1025
(simulation of traffic back from a web server inside a VPN client)
-
Problem with ASA 5505 VPN remote access
After about 1 year to have the VPN Client from Cisco connection to an ASA 5505 with no problems, all of a sudden one day it stops working. The customer is able to get a connection to the ASA and browse the local network for only about 30 seconds after the connection. After that, no access is available to the network behind the ASA. I have tried everything I can think of to try to solve the problem, but at this point, I'm just banging my head against a wall. Anyone know what could cause this?
Here is the cfg running of the ASA
----------------------------------------------------------------------------------------
: Saved
:
ASA Version 8.4 (1)
!
hostname NCHCO
enable encrypted password xxxxxxxxxxxxxxx
xxxxxxxxxxx encrypted passwd
names of
description of NCHCO name 192.168.2.0 City offices
name 192.168.2.80 VPN_End
name 192.168.2.70 VPN_Start
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP address **. ***. 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
Speed 100
full duplex
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system Disk0: / asa841 - k8.bin
passive FTP mode
network of the NCHCO object
Subnet 192.168.2.0 255.255.255.0
network object obj - 192.168.1.0
subnet 192.168.1.0 255.255.255.0
network object obj - 192.168.2.64
subnet 192.168.2.64 255.255.255.224
network object obj - 0.0.0.0
subnet 0.0.0.0 255.255.255.0
network obj_any object
subnet 0.0.0.0 0.0.0.0
the Web server object network
the FINX object network
Home 192.168.2.11
rdp service object
source between 1-65535 destination eq 3389 tcp service
Rdp description
outside_nat0_outbound extended access list permit ip object NCHCO 192.168.1.0 255.255.255.0
outside_nat0_outbound extended access list permit ip object NCHCO 192.168.2.0 255.255.255.0
inside_nat0_outbound extended access list permit ip object NCHCO 192.168.1.0 255.255.255.0
inside_nat0_outbound list of allowed ip extended access all 192.168.2.64 255.255.255.224
permit access list extended ip 0.0.0.0 inside_nat0_outbound 255.255.255.0 192.168.2.64 255.255.255.224
outside_1_cryptomap extended access list permit ip object NCHCO 192.168.1.0 255.255.255.0
outside_1_cryptomap_1 extended access list permit ip object NCHCO 192.168.1.0 255.255.255.0
LAN_Access list standard access allowed 192.168.2.0 255.255.255.0
LAN_Access list standard access allowed 0.0.0.0 255.255.255.0
NCHCO_splitTunnelAcl_1 list standard access allowed 192.168.2.0 255.255.255.0
AnyConnect_Client_Local_Print deny ip extended access list a whole
AnyConnect_Client_Local_Print list extended access permit tcp any any eq lpd
Note AnyConnect_Client_Local_Print of access list IPP: Internet Printing Protocol
AnyConnect_Client_Local_Print list extended access permit tcp any any eq 631
print the access-list AnyConnect_Client_Local_Print Note Windows port
AnyConnect_Client_Local_Print list extended access permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print mDNS Note: multicast DNS protocol
AnyConnect_Client_Local_Print list extended access permit udp any host 224.0.0.251 eq 5353
AnyConnect_Client_Local_Print of access list LLMNR Note: link Local Multicast Name Resolution protocol
AnyConnect_Client_Local_Print list extended access permit udp any host 224.0.0.252 eq 5355
Note access list TCP/NetBIOS protocol AnyConnect_Client_Local_Print
AnyConnect_Client_Local_Print list extended access permit tcp any any eq 137
AnyConnect_Client_Local_Print list extended access udp allowed any any eq netbios-ns
outside_access_in list extended access permit tcp any object FINX eq 3389
outside_access_in_1 list extended access allowed object rdp any object FINX
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
mask of VPN_Pool VPN_Start VPN_End of local pool IP 255.255.255.0
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 649.bin
don't allow no asdm history
ARP timeout 14400
NAT (inside, all) static source NCHCO destination NCHCO static obj - 192.168.1.0 obj - 192.168.1.0
NAT (inside, all) static source any any destination static obj - 192.168.2.64 obj - 192.168.2.64
NAT (inside, all) source static obj - 0.0.0.0 0.0.0.0 - obj destination static obj - 192.168.2.64 obj - 192.168.2.64
!
network obj_any object
NAT dynamic interface (indoor, outdoor)
the FINX object network
NAT (inside, outside) interface static service tcp 3389 3389
Access-group outside_access_in_1 in interface outside
Route outside 0.0.0.0 0.0.0.0 69.61.228.177 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
network-acl outside_nat0_outbound
WebVPN
SVC request to enable default svc
Enable http server
http 192.168.1.0 255.255.255.0 inside
http *. **. ***. 255.255.255.255 outside
http *. **. ***. 255.255.255.255 outside
http NCHCO 255.255.255.0 inside
http 96.11.251.186 255.255.255.255 outside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set esp-3des esp-sha-hmac ikev1 l2tp-transform
IKEv1 crypto ipsec transform-set l2tp-transformation mode transit
Crypto ipsec transform-set vpn-transform ikev1 esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set esp-3des esp-sha-hmac TRANS_ESP_3DES_SHA ikev1
transport mode encryption ipsec transform-set TRANS_ESP_3DES_SHA ikev1
Crypto ipsec transform-set esp-3des esp-md5-hmac TRANS_ESP_3DES_MD5 ikev1
transport mode encryption ipsec transform-set TRANS_ESP_3DES_MD5 ikev1
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyn-map 10 set pfs Group1
crypto dynamic-map dyn-map 10 set transform-set l2tp vpn-transform processing ikev1
dynamic-map encryption dyn-map 10 value reverse-road
Crypto-map dynamic outside_dyn_map 20 set transform-set ESP-3DES-SHA ikev1
Crypto-map dynamic outside_dyn_map 20 the value reverse-road
card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 set pfs Group1
peer set card crypto outside_map 1 74.219.208.50
card crypto outside_map 1 set transform-set ESP-3DES-SHA ikev1
map outside_map 20-isakmp ipsec crypto dynamic outside_dyn_map
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
inside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
inside crypto map inside_map interface
card crypto vpn-map 1 match address outside_1_cryptomap_1
card crypto vpn-card 1 set pfs Group1
set vpn-card crypto map peer 1 74.219.208.50
card crypto 1 set transform-set ESP-3DES-SHA ikev1 vpn-map
dynamic vpn-map 10 dyn-map ipsec isakmp crypto map
crypto isakmp identity address
Crypto ikev1 allow inside
Crypto ikev1 allow outside
IKEv1 crypto ipsec-over-tcp port 10000
IKEv1 crypto policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
IKEv1 crypto policy 15
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 35
preshared authentication
3des encryption
sha hash
Group 2
life 86400
enable client-implementation to date
Telnet 192.168.1.0 255.255.255.0 inside
Telnet NCHCO 255.255.255.0 inside
Telnet timeout 5
SSH 192.168.1.0 255.255.255.0 inside
SSH NCHCO 255.255.255.0 inside
SSH timeout 5
Console timeout 0
dhcpd address 192.168.2.150 - 192.168.2.225 inside
dhcpd dns 216.68.4.10 216.68.5.10 interface inside
lease interface 64000 dhcpd inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
internal DefaultRAGroup group strategy
attributes of Group Policy DefaultRAGroup
value of server DNS 192.168.2.1
L2TP ipsec VPN-tunnel-Protocol ikev1
nchco.local value by default-field
attributes of Group Policy DfltGrpPolicy
value of server DNS 192.168.2.1
L2TP ipsec VPN-tunnel-Protocol ikev1 ssl-clientless ssl-client
allow password-storage
enable IPSec-udp
enable dhcp Intercept 255.255.255.0
the address value VPN_Pool pools
internal NCHCO group policy
NCHCO group policy attributes
value of 192.168.2.1 DNS Server 8.8.8.8
Ikev1 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list NCHCO_splitTunnelAcl_1
value by default-field NCHCO.local
admin LbMiJuAJjDaFb2uw encrypted privilege 15 password username
username privilege 15 encrypted password yB1lHEVmHZGj5C2Z 8njferg
username NCHvpn99 password dhn. JzttvRmMbHsP encrypted
attributes global-tunnel-group DefaultRAGroup
address (inside) VPN_Pool pool
address pool VPN_Pool
authentication-server-group (inside) LOCAL
authentication-server-group (outside LOCAL)
LOCAL authority-server-group
authorization-server-group (inside) LOCAL
authorization-server-group (outside LOCAL)
Group Policy - by default-DefaultRAGroup
band-Kingdom
band-band
IPSec-attributes tunnel-group DefaultRAGroup
IKEv1 pre-shared-key *.
NOCHECK Peer-id-validate
tunnel-group DefaultRAGroup ppp-attributes
No chap authentication
no authentication ms-chap-v1
ms-chap-v2 authentication
tunnel-group DefaultWEBVPNGroup ppp-attributes
PAP Authentication
ms-chap-v2 authentication
tunnel-group 74.219.208.50 type ipsec-l2l
IPSec-attributes tunnel-group 74.219.208.50
IKEv1 pre-shared-key *.
type tunnel-group NCHCO remote access
attributes global-tunnel-group NCHCO
address pool VPN_Pool
Group Policy - by default-NCHCO
IPSec-attributes tunnel-group NCHCO
IKEv1 pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:a2110206e1af06974c858fb40c6de2fc
: end
ASDM image disk0: / asdm - 649.bin
ASDM VPN_Start 255.255.255.255 inside location
ASDM VPN_End 255.255.255.255 inside location
don't allow no asdm history
---------------------------------------------------------------------------------------------------------------
And here are the logs of the Cisco VPN Client when sailing, then is unable to browse the network behind the ASA:
---------------------------------------------------------------------------------------------------------------
Cisco Systems VPN Client Version 5.0.07.0440
Copyright (C) 1998-2010 Cisco Systems, Inc.. All rights reserved.
Customer type: Windows, Windows NT
Running: 6.1.7601 Service Pack 1
Config files directory: C:\Program Files (x 86) \Cisco Systems\VPN Client\
1 09:44:55.677 01/10/13 Sev = Info/6 CERT / 0 x 63600026
Try to find a certificate using hash Serial.
2 09:44:55.677 01/10/13 Sev = Info/6 CERT / 0 x 63600027
Found a certificate using hash Serial.
3 09:44:55.693 01/10/13 Sev = Info/6 GUI/0x63B00011
RELOADED successfully certificates in all certificate stores.
4 09:45:02.802 10/01/13 Sev = Info/4 CM / 0 x 63100002
Start the login process
5 09:45:02.802 01/10/13 Sev = Info/4 CM / 0 x 63100004
Establish a secure connection
6 09:45:02.802 01/10/13 Sev = Info/4 CM / 0 x 63100024
Attempt to connect with the server "*." **. ***. *** »
7 09:45:02.802 10/01/13 Sev = Info/6 IKE/0x6300003B
Try to establish a connection with *. **. ***. ***.
8 09:45:02.818 10/01/13 Sev = Info/4 IKE / 0 x 63000001
From IKE Phase 1 negotiation
9 09:45:02.865 10/01/13 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK AG (SA, KE, NO, ID, VID (Xauth), VID (dpd), VID (Frag), VID(Nat-T), VID (Unity)) to *. **. ***. ***
10 09:45:02.896 10/01/13 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
11 09:45:02.896 10/01/13 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" ag="" (sa,="" ke,="" non,="" id,="" hash,="" vid(unity),="" vid(xauth),="" vid(dpd),="" vid(nat-t),="" nat-d,="" nat-d,="" vid(frag),="" vid(?))="" from="">
12 09:45:02.896 10/01/13 Sev = Info/5 IKE / 0 x 63000001
Peer is a compatible peer Cisco-Unity
13 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001
Peer supports XAUTH
14 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001
Peer supports the DPD
15 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001
Peer supports NAT - T
16 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001
Peer supports fragmentation IKE payloads
17 09:45:02.927 01/10/13 Sev = Info/6 IKE / 0 x 63000001
IOS Vendor ID successful construction
18 09:45:02.927 01/10/13 Sev = Info/4 IKE / 0 x 63000013
SENDING > ISAKMP OAK AG * (HASH, NOTIFY: NAT - D, NAT - D, VID (?), STATUS_INITIAL_CONTACT, VID (Unity)) to *. **. ***. ***
19 09:45:02.927 01/10/13 Sev = Info/4 IKE / 0 x 63000083
IKE port in use - Local Port = 0xDD3B, Remote Port = 0x01F4
20 09:45:02.927 01/10/13 Sev = Info/5 IKE / 0 x 63000072
Automatic NAT detection status:
Remote endpoint is NOT behind a NAT device
This effect is NOT behind a NAT device
21 09:45:02.927 01/10/13 Sev = Info/4 CM/0x6310000E
ITS established Phase 1. 1 crypto IKE Active SA, 0 IKE SA authenticated user in the system
22 09:45:02.943 10/01/13 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
23 09:45:02.943 01/10/13 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">
24 09:45:02.943 01/10/13 Sev = Info/4 CM / 0 x 63100015
Launch application xAuth
25 09:45:03.037 01/10/13 Sev = Info/6 GUI/0x63B00012
Attributes of the authentication request is 6: 00.
26 09:45:03.037 01/10/13 Sev = Info/4 CM / 0 x 63100017
xAuth application returned
27 09:45:03.037 10/01/13 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***
28 09:45:03.037 10/01/13 Sev = Info/4 IPSEC / 0 x 63700008
IPSec driver started successfully
29 09:45:03.037 01/10/13 Sev = Info/4 IPSEC / 0 x 63700014
Remove all keys
30 09:45:03.083 01/10/13 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
31 09:45:03.083 01/10/13 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">
32 09:45:03.083 01/10/13 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***
33 09:45:03.083 01/10/13 Sev = Info/4 CM/0x6310000E
ITS established Phase 1. 1 crypto IKE Active SA, 1 IKE SA authenticated user in the system
34 09:45:03.083 01/10/13 Sev = Info/5 IKE/0x6300005E
Customer address a request from firewall to hub
35 09:45:03.083 01/10/13 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***
36 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
37 09:45:03.146 01/10/13 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="" **.**.***.***="" isakmp="" oak="" trans="" *(hash,="" attr)="" from="">
38 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS:, value = 192.168.2.70
39 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK:, value = 255.255.255.0
40 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (1):, value = 192.168.2.1
41 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (2):, value = 8.8.8.8
42 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD:, value = 0x00000001
43 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001
44 09:45:03.146 10/01/13 Sev = Info/5 IKE/0x6300000F
SPLIT_NET #1
= 192.168.2.0 subnet
mask = 255.255.255.0
Protocol = 0
SRC port = 0
port dest = 0
45 09:45:03.146 10/01/13 Sev = Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN:, value = NCHCO.local
46 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_UDP_NAT_PORT, value = 0 x 00002710
47 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS:, value = 0x00000000
48 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = 8.4 (1) Cisco systems, Inc. ASA5505 Version built by manufacturers on Tuesday, January 31, 11 02:11
49 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT:, value = 0x00000001
50 09:45:03.146 01/10/13 Sev = Info/4 CM / 0 x 63100019
Data in mode Config received
51 09:45:03.146 01/10/13 Sev = Info/4 IKE / 0 x 63000056
Received a request from key driver: local IP = 192.168.2.70, GW IP = *. **. ***. remote IP address = 0.0.0.0
52 09:45:03.146 01/10/13 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK QM * (HASH, SA, NO, ID, ID) to *. **. ***. ***
53 09:45:03.177 01/10/13 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
54 09:45:03.177 01/10/13 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:status_resp_lifetime)="" from="">
55 09:45:03.177 01/10/13 Sev = Info/5 IKE / 0 x 63000045
Answering MACHINE-LIFE notify has value of 86400 seconds
56 09:45:03.177 01/10/13 Sev = Info/5 IKE / 0 x 63000047
This SA was already alive for 1 second, expiration of adjustment to 86399 seconds now
57 09:45:03.193 01/10/13 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
58 09:45:03.193 01/10/13 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" qm="" *(hash,="" sa,="" non,="" id,="" id,="" notify:status_resp_lifetime)="" from="">
59 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000045
Answering MACHINE-LIFE notify is set to 28800 seconds
60 09:45:03.193 01/10/13 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK QM * (HASH) to *. **. ***. ***
61 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000059
IPsec Security Association of loading (MsgID = SPI OUTBOUND SPI INCOMING = 0x3EBEBFC5 0xAAAF4C1C = 967A3C93)
62 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000025
OUTGOING ESP SPI support: 0xAAAF4C1C
63 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000026
Charges INBOUND ESP SPI: 0x3EBEBFC5
64 09:45:03.193 01/10/13 Sev = Info/5 CVPND / 0 x 63400013
Destination mask subnet Gateway Interface metric
0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261
96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261
96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261
96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306
127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306
127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261
192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261
192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261
224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306
224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261
224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261
255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261
255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261
65 09:45:03.521 01/10/13 Sev = Info/6 CVPND / 0 x 63400001
Launch VAInst64 for controlling IPSec virtual card
66 09:45:03.896 01/10/13 Sev = Info/4 CM / 0 x 63100034
The virtual card has been activated:
IP=192.168.2.70/255.255.255.0
DNS = 192.168.2.1, 8.8.8.8
WINS = 0.0.0.0 0.0.0.0
Domain = NCHCO.local
Split = DNS names
67 09:45:03.912 01/10/13 Sev = Info/5 CVPND / 0 x 63400013
Destination mask subnet Gateway Interface metric
0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261
96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261
96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261
96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306
127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306
127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261
192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261
192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261
224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306
224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261
224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261
224.0.0.0 240.0.0.0 0.0.0.0 0.0.0.0 261
255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261
255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261
255.255.255.255 255.255.255.255 0.0.0.0 0.0.0.0 261
68 09:45:07.912 01/10/13 Sev = Info/4 CM / 0 x 63100038
Were saved successfully road to file changes.
69 09:45:07.912 01/10/13 Sev = Info/5 CVPND / 0 x 63400013
Destination mask subnet Gateway Interface metric
0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261
**. **. ***. 255.255.255.255 96.11.251.1 96.11.251.149 100
96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261
96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261
96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306
127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306
127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261
192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261
192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261
192.168.2.0 255.255.255.0 192.168.2.70 192.168.2.70 261
192.168.2.0 255.255.255.0 192.168.2.1 192.168.2.70 100
192.168.2.70 255.255.255.255 192.168.2.70 192.168.2.70 261
192.168.2.255 255.255.255.255 192.168.2.70 192.168.2.70 261
224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306
224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261
224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261
224.0.0.0 240.0.0.0 192.168.2.70 192.168.2.70 261
255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261
255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261
255.255.255.255 255.255.255.255 192.168.2.70 192.168.2.70 261
70 09:45:07.912 01/10/13 Sev = Info/6 CM / 0 x 63100036
The routing table has been updated for the virtual card
71 09:45:07.912 01/10/13 Sev = Info/4 CM/0x6310001A
A secure connection established
72 09:45:07.943 01/10/13 Sev = Info/4 CM/0x6310003B
Look at address added to 96.11.251.149. Current host name: psaserver, current address (s): 192.168.2.70, 96.11.251.149, 192.168.1.3.
73 09:45:07.943 01/10/13 Sev = Info/4 CM/0x6310003B
Look at address added to 192.168.2.70. Current host name: psaserver, current address (s): 192.168.2.70, 96.11.251.149, 192.168.1.3.
74 09:45:07.943 01/10/13 Sev = Info/5 CM / 0 x 63100001
Did not find the smart card to watch for removal
75 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700014
Remove all keys
76 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700010
Creates a new key structure
77 09:45:07.943 01/10/13 Sev = Info/4 IPSEC/0x6370000F
Adding key with SPI = 0x1c4cafaa in the list of keys
78 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700010
Creates a new key structure
79 09:45:07.943 01/10/13 Sev = Info/4 IPSEC/0x6370000F
Adding key with SPI = 0xc5bfbe3e in the list of keys
80 09:45:07.943 01/10/13 Sev = Info/4 IPSEC/0x6370002F
Assigned WILL interface private addr 192.168.2.70
81 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700037
Configure the public interface: 96.11.251.149. SG: **.**.***.***
82 09:45:07.943 10/01/13 Sev = Info/6 CM / 0 x 63100046
Define indicator tunnel set up in the registry to 1.
83 09:45:13.459 01/10/13 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK INFO * (HASH, NOTIFY: DPD_REQUEST) to *. **. ***. ***
84 09:45:13.459 01/10/13 Sev = Info/6 IKE/0x6300003D
Upon request of the DPD to *. **. ***. , our seq # = 107205276
85 09:45:13.474 01/10/13 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
86 09:45:13.474 01/10/13 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:dpd_ack)="" from="">
87 09:45:13.474 01/10/13 Sev = Info/5 IKE / 0 x 63000040
Receipt of DPO ACK to *. **. ***. seq # receipt = 107205276, seq # expected is 107205276
88 09:45:15.959 01/10/13 Sev = Info/4 IPSEC / 0 x 63700019
Activate key dating SPI = 0x1c4cafaa key with SPI = 0xc5bfbe3e
89 09:46:00.947 10/01/13 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK INFO * (HASH, NOTIFY: DPD_REQUEST) to *. **. ***. ***
90 09:46:00.947 01/10/13 Sev = Info/6 IKE/0x6300003D
Upon request of the DPD to *. **. ***. , our seq # = 107205277
91 09:46:01.529 01/10/13 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
92 09:46:01.529 01/10/13 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:dpd_ack)="" from="">
93 09:46:01.529 01/10/13 Sev = Info/5 IKE / 0 x 63000040
Receipt of DPO ACK to *. **. ***. seq # receipt = 107205277, seq # expected is 107205277
94 09:46:11.952 01/10/13 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK INFO * (HASH, NOTIFY: DPD_REQUEST) to *. **. ***. ***
95 09:46:11.952 01/10/13 Sev = Info/6 IKE/0x6300003D
Upon request of the DPD to *. **. ***. , our seq # = 107205278
96 09:46:11.979 01/10/13 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
97 09:46:11.979 01/10/13 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:dpd_ack)="" from="">
98 09:46:11.979 01/10/13 Sev = Info/5 IKE / 0 x 63000040
Receipt of DPO ACK to *. **. ***. seq # receipt = 107205278, seq # expected is 107205278
---------------------------------------------------------------------------------------------------------------
Any help would be appreciated, thanks!
try to refuse the ACL (access-list AnyConnect_Client_Local_Print extended deny ip any one) at the end of the ACL.
-
I have two problems with IPSEC VPN, using the cisco client, and a third, which I think could answer here if this isn't strictly associated with VPN.
1. cannot access the internet, while VPN is in place. This can be a problem of client as I * think * I've split tunneling to install correctly.
2. cannot access other networks except the network associated with the inside interface natively.
3. I can not ping to the internet from inside, be it on the VPN or not.
I tend to use the SMDA; Please, if possible, keep the answer to this kindof of entry.
Here is the config:
Output of the command: "sh run".
: Saved
:
ASA Version 8.4 (1)
!
hostname BVGW
domain blueVector.com
activate qWxO.XjLGf3hYkQ1 encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Ethernet0/0
nameif outside
security-level 10
IP 5.29.79.10 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
IP 172.17.1.2 255.255.255.0
!
interface Ethernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
nameif management
security-level 100
IP 172.19.1.1 255.255.255.0
management only
!
passive FTP mode
DNS server-group DefaultDNS
domain blueVector.com
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
the subject of WiFi network
172.17.100.0 subnet 255.255.255.0
WiFi description
the object to the Interior-net network
172.17.1.0 subnet 255.255.255.0
network of the NOSPAM object
Home 172.17.1.60
network of the BH2 object
Home 172.17.1.60
the EX2 object network
Home 172.17.1.61
Description internal Exchange / SMTP outgoing
the Mail2 object network
Home 5.29.79.11
Description Ext EX2
network of the NETWORK_OBJ_172.17.1.240_28 object
subnet 172.17.1.240 255.255.255.240
network of the NETWORK_OBJ_172.17.200.0_24 object
172.17.200.0 subnet 255.255.255.0
DM_INLINE_TCP_1 tcp service object-group
port-object eq www
EQ object of the https port
the DM_INLINE_NETWORK_1 object-group network
network-object BH2
network-object NOSPAM
Outside_access_in list extended access permit tcp any eq smtp DM_INLINE_NETWORK_1 object-group
Outside_access_in list extended access permit tcp any object object-group DM_INLINE_TCP_1 BH2
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
management of MTU 1500
mask pool local 172.17.1.240 - 172.17.1.250 VPN IP 255.255.255.0
mask pool local 172.17.200.100 - 172.17.200.200 VPN2 IP 255.255.255.0
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
NAT (inside, outside) static source EX2 Mail2
NAT (inside, outside) static source all all NETWORK_OBJ_172.17.1.240_28 of NETWORK_OBJ_172.17.1.240_28 static destination
NAT (inside, outside) static source all all NETWORK_OBJ_172.17.200.0_24 of NETWORK_OBJ_172.17.200.0_24 static destination
NAT (inside, outside) static source to the Interior-NET Interior-net destination static NETWORK_OBJ_172.17.1.240_28 NETWORK_OBJ_172.17.1.240_28
!
the object to the Interior-net network
NAT (inside, outside) dynamic interface
network of the NOSPAM object
NAT (inside, outside) static 5.29.79.12
Access-group Outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 5.29.79.9 1
Route inside 10.2.0.0 255.255.255.0 172.17.1.1 1
Route inside 10.3.0.0 255.255.255.128 172.17.1.1 1
Route inside 10.10.10.0 255.255.255.0 172.17.1.1 1
Route inside 172.17.100.0 255.255.255.0 172.17.1.3 1
Route inside 172.18.1.0 255.255.255.0 172.17.1.1 1
Route inside 192.168.1.0 255.255.255.0 172.17.1.1 1
Route inside 192.168.11.0 255.255.255.0 172.17.1.1 1
Route inside 192.168.30.0 255.255.255.0 172.17.1.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
AAA-server blueVec protocol ldap
blueVec AAA-server (inside) host 172.17.1.41
LDAP-base-dn DC = adrs1, DC = net
LDAP-group-base-dn DC = EIM, DC = net
LDAP-scope subtree
LDAP-naming-attribute sAMAccountName
LDAP-login-password *.
LDAP-connection-dn CN = Hanna\, Roger, OU = human, or = WPLAdministrator, DC = adrs1, DC = net
microsoft server type
Enable http server
http 192.168.1.0 255.255.255.0 management
http 172.17.1.0 255.255.255.0 inside
http 24.32.208.223 255.255.255.255 outside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto Outside_map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
Outside_map interface card crypto outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
authentication crack
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH 172.17.1.0 255.255.255.0 inside
SSH timeout 5
Console timeout 0
dhcpd address 172.17.1.100 - 172.17.1.200 inside
dhcpd 4.2.2.2 dns 8.8.8.8 interface inside
dhcpd lease interface 100000 inside
dhcpd adrs1.net area inside interface
!
a basic threat threat detection
threat detection statistics
a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200
WebVPN
internal blueV group policy
attributes of the strategy of group blueV
value of server WINS 172.17.1.41
value of 172.17.1.41 DNS server 172.17.1.42
Ikev1 VPN-tunnel-Protocol
value by default-field ADRS1.NET
internal blueV_1 group policy
attributes of the strategy of group blueV_1
value of server WINS 172.17.1.41
value of 172.17.1.41 DNS server 172.17.1.42
Ikev1 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
adrs1.NET value by default-field
username gwhitten encrypted password privilege 0 8fLfC1TTV35zytjA
username gwhitten attributes
VPN-group-policy blueV
rparker encrypted FnbvAdOZxk4r40E5 privilege 15 password username
attributes of username rparker
VPN-group-policy blueV
username mhale encrypted password privilege 0 2reWKpsLC5em3o1P
username mhale attributes
VPN-group-policy blueV
VpnUser2 SlHbkDWqPQLgylxJ encrypted privilege 0 username password
username VpnUser2 attributes
VPN-group-policy blueV
Vpnuser3 R6zHxBM9chjqBPHl encrypted privilege 0 username password
username Vpnuser3 attributes
VPN-group-policy blueV
username VpnUser1 encrypted password privilege 0 mLHXwxsjJEIziFgb
username VpnUser1 attributes
VPN-group-policy blueV
username dcoletto encrypted password privilege 0 g53yRiEqpcYkSyYS
username dcoletto attributes
VPN-group-policy blueV
username, password jmcleod aSV6RHsq7Wn/YJ7X encrypted privilege 0
username jmcleod attributes
VPN-group-policy blueV
rhanna encrypted Pd3E3vqnGmV84Ds2 privilege 15 password username
rhanna attributes username
VPN-group-policy blueV
username rheimann encrypted password privilege 0 tHH5ZYDXJ0qKyxnk
username rheimann attributes
VPN-group-policy blueV
username jwoosley encrypted password privilege 0 yBOc8ubzzbeBXmuo
username jwoosley attributes
VPN-group-policy blueV
2DBQVSUbfTBuxC8u encrypted password privilege 0 kdavis username
kdavis username attributes
VPN-group-policy blueV
username mbell encrypted password privilege 0 adskOOsnVPnw6eJD
username mbell attributes
VPN-group-policy blueV
bmiller dpqK9cKk50J7TuPN encrypted password privilege 0 username
bmiller username attributes
VPN-group-policy blueV
type tunnel-group blueV remote access
tunnel-group blueV General-attributes
address VPN2 pool
authentication-server-group blueVec
Group Policy - by default-blueV_1
blueV group of tunnel ipsec-attributes
IKEv1 pre-shablue-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
HPM topN enable
Cryptochecksum:2491a825fb8a81439a6c80288f33818e
: end
Any help is appreciated!
-Roger
Hey,.
Unfortunately, I do not use ASDM myself but will always mention things that could be done.
You do not split tunneling. All traffic either tunnel to the ASA, while VPN is active
You have the following line under the "group policy"
Split-tunnel-policy tunnelspecified
You will also need this line
Split-tunnel-network-list value
Defines the destination for the VPN Client networks. If you go in on the side of the ASDM group policy settings, you should see that no ACL is selected. You don't really seem to have an ACL in the configuration above, for the split tunneling?
To activate access Internet via the VPN Client now in the current configuration, I would say the following configuration of NAT
VPN-CLIENT-PAT-SOURCE network object-group
object-network 172.17.200.0 255.255.255.0
NAT (outside, outdoor) automatic interface after dynamic source VPN-CLIENT-PAT-SOURCE
In regards to the traffic does not for other networks, I'm not really sure. I guess they aren't hitting the rule NAT that are configured. I think they should, but I guess they aren't because its does not work
I could myself try the following configuration of NAT
object-group, network LAN-NETWORKS
object-network 10.2.0.0 255.255.255.0
object-network 10.3.0.0 255.255.255.128
object-network 10.10.10.0 255.255.255.0
object-network 172.17.100.0 255.255.255.0
object-network 172.18.1.0 255.255.255.0
object-network 192.168.1.0 255.255.255.0
object-network 192.168.11.0 255.255.255.0
object-network 192.168.30.0 255.255.255.0
object-group, network VPN-POOL
object-network 172.17.200.0 255.255.255.0
NAT (inside, outside) static static source of destination LAN-LAN-NETWORK VPN-VPN-POOL
Add ICMP ICMP Inspection
Policy-map global_policy
class inspection_default
inspect the icmp
or alternatively
fixup protocol icmp
This will allow automatically response to ICMP echo messages pass through the firewall. I assume that they are is blocked by the firewall now since you did not previously enable ICMP Inspection.
-Jouni
-
ASA IPSEC site-to-site with NAT problem
Hello
I have what I thought was a simple configuration, but I saw the questions and could use a second set of eyes.
I have a site-to-site between two locations:
Site A is 192.168.0.0/24
Site B is 192.168.4.0/24
I was requested to NAT all communications between these sites for 10.57.4.0/24 and for a single static 192.168.0.112 NAT host at 10.57.4.50.
Tunnel is running, and I can ping through the link at the end to 192.168.4.20 host; no problems. But I'm having a problem application where it will be established communications. I suspect it's the reverse NAT, but I went through the configuration several times. All NAT connections would be 10.57.4.50 address should given to 192.168.0.112, no restrictions. All connections to 192.168.4.20, should be NAT should 10.57.4.50 to transverse tunnel.
The system of site B can also ping 10.57.4.50.
Here's the running configuration:
ASA 8.3 Version (2)
!
hostname fw1
domain name
activate the
password encrypted passwd
encrypted names of
!
interface Vlan1
Description city network internal
nameif inside
security-level 100
IP 192.168.9.1 255.255.255.0
!
interface Vlan2
Description Internet Public
nameif outside
security-level 0
IP 173.166.117.186 255.255.255.248
!
interface Vlan3
DMZ (CaTV) description
nameif dmz
security-level 50
IP 192.168.2.1 255.255.255.0
!
interface Vlan5
PD Network description
nameif PDNet
security level 95
the IP 192.168.0.1 255.255.255.0
!
interface Vlan10
Description Network Infrastructure
nameif InfraNet
security-level 100
IP 192.168.10.1 255.255.255.0
!
interface Vlan13
Description wireless comments
nameif Wireless-comments
security-level 25
IP 192.168.1.1 255.255.255.0
!
interface Vlan23
nameif StateNet
security-level 75
IP 10.63.198.2 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport trunk allowed vlan 1,5,10,13
switchport trunk vlan 1 native
switchport mode trunk
Speed 100
full duplex
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
switchport trunk allowed vlan 1,10,13
switchport trunk vlan 1 native
switchport mode trunk
!
interface Ethernet0/5
switchport access vlan 23
!
interface Ethernet0/6
Shutdown
!
interface Ethernet0/7
switchport trunk allowed vlan 1
switchport trunk vlan 1 native
switchport mode trunk
Shutdown
!
exec banner restricted access
banner restricted access connection
passive FTP mode
clock timezone IS - 5
clock to summer time EDT recurring
DNS server-group DefaultDNS
domain name
permit same-security-traffic inter-interface
network obj_any object
subnet 0.0.0.0 0.0.0.0
service of the IMAPoverSSL object
destination eq 993 tcp service
IMAP over SSL description
service of the POPoverSSL object
tcp destination eq 995 service
POP3 over SSL description
service of the SMTPwTLS object
tcp destination eq 465 service
SMTP with TLS description
network object obj - 192.168.9.20
Home 192.168.9.20
object obj-claggett-https network
Home 192.168.9.20
network of object obj-claggett-imap4
Home 192.168.9.20
network of object obj-claggett-pop3
Home 192.168.9.20
network of object obj-claggett-smtp
Home 192.168.9.20
object obj-claggett-imapoverssl network
Home 192.168.9.20
object obj-claggett-popoverssl network
Home 192.168.9.20
object obj-claggett-smtpwTLS network
Home 192.168.9.20
network object obj - 192.168.9.120
Home 192.168.9.120
network object obj - 192.168.9.119
Home 192.168.9.119
network object obj - 192.168.9.121
Home 192.168.9.121
object obj-wirelessnet network
subnet 192.168.1.0 255.255.255.0
network of the Clients_sans_fil object
subnet 192.168.1.0 255.255.255.0
object obj-dmznetwork network
Subnet 192.168.2.0 255.255.255.0
network of the FD_Firewall object
Home 74.94.142.229
network of the FD_Net object
192.168.6.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.10.0_24 object
192.168.10.0 subnet 255.255.255.0
object obj-TownHallNet network
192.168.9.0 subnet 255.255.255.0
network obj_InfraNet object
192.168.10.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.0.0_24 object
192.168.0.0 subnet 255.255.255.0
network of the NHDOS_Firewall object
Home 72.95.124.69
network of the NHDOS_SpotsHub object
Home 192.168.4.20
network of the IMCMOBILE object
Home 192.168.0.112
network of the NHDOS_Net object
subnet 192.168.4.0 255.255.255.0
network of the NHSPOTS_Net object
10.57.4.0 subnet 255.255.255.0
network of the IMCMobile_NAT_IP object
Home 10.57.4.50
service EmailServices object-group
Description of e-mail Exchange Services / Normal
service-object, object IMAPoverSSL
service-object, object POPoverSSL
service-object, object SMTPwTLS
the purpose of the tcp destination eq https service
the purpose of the tcp destination eq imap4 service
the purpose of the tcp destination eq pop3 service
the purpose of the tcp destination eq smtp service
object-group service DM_INLINE_SERVICE_1
service-object, object IMAPoverSSL
service-object, object POPoverSSL
service-object, object SMTPwTLS
the purpose of the tcp destination eq pop3 service
the purpose of the tcp destination eq https service
the purpose of the tcp destination eq smtp service
object-group service DM_INLINE_SERVICE_2
service-object, object IMAPoverSSL
service-object, object POPoverSSL
service-object, object SMTPwTLS
the purpose of the tcp destination eq https service
the purpose of the tcp destination eq pop3 service
the purpose of the tcp destination eq smtp service
the obj_clerkpc object-group network
PCs of the clerk Description
network-object object obj - 192.168.9.119
network-object object obj - 192.168.9.120
network-object object obj - 192.168.9.121
the TownHall_Nets object-group network
object-network 192.168.10.0 255.255.255.0
network-object object obj-TownHallNet
the DM_INLINE_NETWORK_1 object-group network
object-network 192.168.10.0 255.255.255.0
object-network 192.168.9.0 255.255.255.0
the DOS_Networks object-group network
network-object 10.56.0.0 255.255.0.0
network-object, object NHDOS_Net
outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_2 any external interface
outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_1 any host 192.168.9.20
StateNet_access_in list extended access permitted ip object-group obj_clerkpc one
permit access ip 192.168.0.0 scope list PDNet_access_in 255.255.255.0 192.168.10.0 255.255.255.0
PDNet_access_in list extended access allowed object IMCMobile_NAT_IP object-group DOS_Networks debug log ip
PDNet_access_in list extended access permitted ip object IMCMOBILE object-group DOS_Networks
outside_2_cryptomap extended access list permit ip DM_INLINE_NETWORK_1 object FD_Net object-group
outside_1_cryptomap extended access list permit ip object NHSPOTS_Net object-group DOS_Networks
pager lines 24
Enable logging
Test1 logging level list class debug vpn
logging of debug asdm
E-mail logging errors
address record
logging level
-l errors ' address of the recipient Within 1500 MTU
Outside 1500 MTU
MTU 1500 dmz
MTU 1500 Wireless-comments
MTU 1500 StateNet
MTU 1500 InfraNet
MTU 1500 PDNet
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 635.bin
don't allow no asdm history
ARP timeout 14400
NAT (InfraNet, outside) static static source to destination TownHall_Nets TownHall_Nets FD_Net FD_Net
NAT static TownHall_Nets TownHall_Nets destination (indoor, outdoor) static source FD_Net FD_Net
public static IMCMOBILE IMCMobile_NAT_IP destination NAT (all, outside) static source DOS_Networks DOS_Networks
!
network obj_any object
NAT static interface (indoor, outdoor)
object obj-claggett-https network
NAT (inside, outside) interface static tcp https https service
network of object obj-claggett-imap4
NAT (inside, outside) interface static tcp imap4 imap4 service
network of object obj-claggett-pop3
NAT (inside, outside) interface static tcp pop3 pop3 service
network of object obj-claggett-smtp
NAT (inside, outside) interface static tcp smtp smtp service
object obj-claggett-imapoverssl network
NAT (inside, outside) interface static tcp 993 993 service
object obj-claggett-popoverssl network
NAT (inside, outside) interface static tcp 995 995 service
object obj-claggett-smtpwTLS network
NAT (inside, outside) interface static tcp 465 465 service
network object obj - 192.168.9.120
NAT (inside, StateNet) 10.63.198.12 static
network object obj - 192.168.9.119
NAT (all, StateNet) 10.63.198.10 static
network object obj - 192.168.9.121
NAT (all, StateNet) 10.63.198.11 static
object obj-wirelessnet network
NAT (Wireless-Guest, outside) static interface
object obj-dmznetwork network
interface static NAT (all, outside)
network obj_InfraNet object
NAT (InfraNet, outside) static interface
Access-group outside_access_in in interface outside
Access-group StateNet_access_in in the StateNet interface
Access-group PDNet_access_in in interface PDNet
Route outside 0.0.0.0 0.0.0.0 173.x.x.x 1
Route StateNet 10.x.x.x 255.255.0.0 10.63.198.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
http server enable 5443
http 192.x.x.x 255.255.255.0 inside
http 7.x.x.x 255.255.255.255 outside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 set 72.x.x.x counterpart
map outside_map 1 set of transformation-ESP-3DES-MD5 crypto
card crypto outside_map 2 match address outside_2_cryptomap
card crypto outside_map 2 set pfs
card crypto outside_map 2 peers set 173.x.x.x
card crypto outside_map 2 game of transformation-ESP-3DES-SHA
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 30
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
Telnet 192.168.9.0 255.255.255.0 inside
Telnet timeout 5
SSH 192.168.9.0 255.255.255.0 inside
SSH timeout 5
Console timeout 0
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd lease 10800
dhcpd outside auto_config
!
dhcpd address dmz 192.168.2.100 - 192.168.2.254
dhcpd dns 8.8.8.8 8.8.4.4 dmz interface
dhcpd enable dmz
!
dhcpd address 192.168.1.100 - 192.168.1.254 Wireless-comments
dhcpd enable Wireless-comments
!
a basic threat threat detection
a statistical threat detection host number rate 2
statistical threat detection port
Statistical threat detection Protocol
Statistics-list of access threat detection
no statistical threat detection tcp-interception
NTP server 63.240.161.99 prefer external source
NTP server 207.171.30.106 prefer external source
NTP server 70.86.250.6 prefer external source
WebVPN
attributes of Group Policy DfltGrpPolicy
internal FDIPSECTunnel group strategy
attributes of Group Policy FDIPSECTunnel
VPN-idle-timeout no
Protocol-tunnel-VPN IPSec l2tp ipsec
support for username
password encrypted privilege 15 tunnel-group 72.x.x.x type ipsec-l2l
72.x.x.x group of tunnel ipsec-attributes
pre-shared key *.
tunnel-group 173.x.x.x type ipsec-l2l
tunnel-group 173.x.x.x General-attributes
Group Policy - by default-FDIPSECTunnel
173.x.x.x group of tunnel ipsec-attributes
pre-shared key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns migrated_dns_map_1
parameters
message-length maximum 1024
Policy-map global_policy
class inspection_default
inspect the migrated_dns_map_1 dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
inspect the icmp
!
global service-policy global_policy
192.168.9.20 SMTP server
context of prompt hostname
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:ad0f9ad192c3ee212172f5b00b12ce76
: end
If you do not have access to the remote site, you participate themselves to network and compare each other configurations. You will need to make sure that they see as 10.57.4.50 192.168.0.112 and their server responds to that and NOT the 192.168.0.112.
-
Problem VPN ASA 5505 8.3 (1) a site
Hello
My problem is with VPN site-to-site. It's between ASA5505 8.3 (1) and Pix 501 6.3 (5). The tunnel is created between them and it's good, here you have the results to see the crypto ipsec's and isakmp his
ciscoasa # sh crypto isakmp his
ITS enabled: 1
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 1
1 peer IKE: 91.X.X.57
Type: L2L role: initiator
Generate a new key: no State: MM_ACTIVE
ciscoasa # sh crypto ipsec his
Interface: outside
Tag crypto map: outside_map, seq num: 1, local addr: 79.X.X.2
list of access vpn extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0
local ident (addr, mask, prot, port): (192.168.10.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.11.0/255.255.255.0/0/0)
current_peer: 91.X.X.57
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 3757, #pkts decrypt: 3757, #pkts check: 3757
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0
local crypto endpt. : 79.X.X.2/0, remote Start crypto. : 91.X.X.57/0
Path mtu 1500, fresh ipsec generals 74, media, mtu 1500
current outbound SPI: F1C2FD46
current inbound SPI: 1BCF8C49
SAS of the esp on arrival:
SPI: 0x1BCF8C49 (466586697)
transform: aes-256-esp esp-md5-hmac no compression
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 376832, crypto-card: outside_map
calendar of his: service life remaining (KB/s) key: (4373665/20348)
Size IV: 16 bytes
support for replay detection: Y
Anti-replay bitmap:
0xFFFFFFFF to 0xFFFFFFFF
outgoing esp sas:
SPI: 0xF1C2FD46 (4056087878)
transform: aes-256-esp esp-md5-hmac no compression
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 376832, crypto-card: outside_map
calendar of his: service life remaining (KB/s) key: (4374000/20348)
Size IV: 16 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001
But the problem is, as you can see in a show crypto ipsec sa, there is now traffic to a remote network of ASA
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
I have a single device on the remote network sends data to a sysloger on the local network and it works fine, all received messages but not other way to traffic.
To make sure that I go see the Nat and packet - trace entry inside tcp 192.168.10.7 1024 192.168.11.250 80 and looks like SHEEP works very well and traffic is allowed, but still once anything gets into the tunnel of local network
Results
ciscoasa # sh nat
Manual NAT policies (Section 1)
1 (one) to (all) source static sheep sheep sheep destination static sheep
translate_hits = 0, untranslate_hits = 38770
2 (inside) for the service public static obj - the source (on the outside) TCP1433 TCP1433 79.X.X.5 192.168.10.7
translate_hits = 0, untranslate_hits = 95
3 (inside) to the source (external) static obj - 192.168.10.7 interface service zzz zzz
translate_hits = 0, untranslate_hits = 19
4 (inside) of the (whole) source static obj - 10.0.0.0 obj - 10.0.0.0 destination static obj - 192.168.2.0 obj - 192.168.2.0
translate_hits = 17, untranslate_hits = 0
5 (inside) of the (whole) source static obj - obj - static 192.168.10.0 192.168.10.0 obj - obj-destination 10.1.1.1 10.1.1.1
translate_hits = 134, untranslate_hits = 0
6 (inside) to the (whole) source static obj - 10.1.1.1 obj - 10.1.1.1 destination static obj - 192.168.10.0 obj - 192.168.10.0
translate_hits = 0, untranslate_hits = 0
7 (inside) of the (whole) source static obj - 192.168.0.0 obj - 192.168.0.0 destination static obj - 192.168.2.0 obj - 192.168.2.0
translate_hits = 172, untranslate_hits = 53
Auto NAT policies (Section 2)
1 (inside) (outside) source static obj - 192.168.10.3 service TCP 3389 3389 79.X.X.5
translate_hits = 12, untranslate_hits = 4823
2 (inside) (outside) source static obj - 192.168.10.5 79.X.X.3 DNS
translate_hits = 341869, untranslate_hits = 41531
3 (inside) (outside) source static obj - 192.168.10.3 - 01 79.X.X.5 service TCP 444 444
translate_hits = 0, untranslate_hits = 0
4 (inside) to the source (external) static obj - 192.168.10.7 tcp 3389 3389 service interface
translate_hits = 21, untranslate_hits = 751
5 (inside) (outside) source static obj - 192.168.10.7 - 02 interface tcp 8080 https service
translate_hits = 0, untranslate_hits = 100
6 (inside) (outside) source static obj - 192.168.10.11 79.X.X.5 TCP smtp smtp service
translate_hits = 2, untranslate_hits = 18838
7 (inside) (outside) source static obj - 192.168.10.11 - 01 udp 443 443 service 79.X.X.5
translate_hits = 0, untranslate_hits = 0
8 (inside) (outside) source static obj - 192.168.10.11 - 02 79.X.X.5 tcp https https service
translate_hits = 221, untranslate_hits = 9770
9 (inside) (outside) source static obj - 192.168.10.11 - 03 79.X.X.5 tcp https https service
translate_hits = 0, untranslate_hits = 0
10 (inside) (outside) source static obj - 192.168.10.15 79.X.X.5 service tcp www 81
translate_hits = 0, untranslate_hits = 34
11 (inside) (outside) source static obj - 192.168.10.26 79.X.X.5 service TCP 8080 8080
translate_hits = 9, untranslate_hits = 4407
12 (inside) (outside) source static obj - 192.168.10.26 - 01 79.X.X.5 tcp 8080 www service
translate_hits = 0, untranslate_hits = 578
13 (inside) (outside) source static obj - 192.168.10.220 79.X.X.6 service TCP 3389 3389
translate_hits = 0, untranslate_hits = 41
14 (inside) (outside) source static obj - 192.168.10.220 - 1 79.X.X.6 tcp https https service
translate_hits = 0, untranslate_hits = 3
15 (inside) to the obj_any interface dynamic source (external)
translate_hits = 410005, untranslate_hits = 144489
16 (invited) to dynamic interface of the source (outside) obj_any-01
translate_hits = 19712, untranslate_hits = 4490
ciscoasa # packet - trace entry inside tcp 192.168.10.7 1024 192.168.11.250 80
Phase: 1
Type: UN - NAT
Subtype: static
Result: ALLOW
Config:
NAT (any, any) source static sheep sheep sheep destination static sheep
Additional information:
NAT divert on exit to the outside interface
Untranslate 192.168.11.250/80 to 192.168.11.250/80
Phase: 2
Type: ACCESS-LIST
Subtype: Journal
Result: ALLOW
Config:
Access-group inside_out in interface inside
access-list extended inside_out permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0
Additional information:
Direct flow from returns search rule:
ID = 0xd9886ae8, priority = 13, area = allowed, deny = false
hits = 18503, user_data = 0xd6581290, cs_id = 0 x 0, use_real_addr, flags = 0 x 0 = 0 protocol
IP/ID=192.168.10.0 SRC, mask is 255.255.255.0, port = 0
IP/ID=192.168.11.0 DST, mask is 255.255.255.0, port = 0, dscp = 0 x 0
input_ifc = output_ifc = any to inside,
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0xd80c87c8, priority = 0, sector = inspect-ip-options, deny = true
hits = 1047092, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask is 0.0.0.0, port = 0
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, dscp = 0 x 0
input_ifc = output_ifc = any to inside,
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
NAT (any, any) source static sheep sheep sheep destination static sheep
Additional information:
Direct flow from returns search rule:
ID = 0xd9859830, priority = 6, area = nat, deny = false
hits = 2107, user_data = 0xd83a9b48, cs_id = 0 x 0, use_real_addr, flags = 0 x 0 = 0 protocol
IP/ID=192.168.10.0 SRC, mask is 255.255.255.0, port = 0
IP/ID=192.168.11.0 DST, mask is 255.255.255.0, port = 0, dscp = 0 x 0
input_ifc = none, output_ifc = any
Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0xd8114d98, priority = 0, domain = host-limit, deny = false
hits = 674350, user_data = 0 x 0, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask is 0.0.0.0, port = 0
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, dscp = 0 x 0
input_ifc = output_ifc = any to inside,
Phase: 6
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0xd83a9960, priority = 70, domain = encrypt, deny = false
hits = 26732, user_data = 0xce165c, cs_id = 0xd83ad0e8, reverse, flags = 0 x 0 = 0 protocol
IP/ID=192.168.10.0 SRC, mask is 255.255.255.0, port = 0
IP/ID=192.168.11.0 DST, mask is 255.255.255.0, port = 0, dscp = 0 x 0
input_ifc = none, output_ifc = external
Phase: 7
Type: NAT
Subtype: rpf check
Result: ALLOW
Config:
NAT (any, any) source static sheep sheep sheep destination static sheep
Additional information:
Direct flow from returns search rule:
ID = 0xd98d1d70, priority = 6, area = nat-reversed, deny = false
hits = 1419, user_data = 0xd83a9b48, cs_id = 0 x 0, use_real_addr, flags = 0 x 0 = 0 protocol
IP/ID=192.168.10.0 SRC, mask is 255.255.255.0, port = 0
IP/ID=192.168.11.0 DST, mask is 255.255.255.0, port = 0, dscp = 0 x 0
input_ifc = none, output_ifc = any
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional information:
Reverse flow from returns search rule:
ID = 0xd9bda388, priority = 69 = ipsec-tunnel-flow area, deny = false
hits = 486, user_data is 0x13492cc, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
IP/ID=192.168.11.0 SRC, mask is 255.255.255.0, port = 0
IP/ID=192.168.10.0 DST, mask is 255.255.255.0, port = 0, dscp = 0 x 0
input_ifc = out, output_ifc = any
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:
Reverse flow from returns search rule:
ID = 0xd8192ab0, priority = 0, sector = inspect-ip-options, deny = true
hits = 1169899, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask is 0.0.0.0, port = 0
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, dscp = 0 x 0
input_ifc = out, output_ifc = any
Phase: 10
Type: CREATING STREAMS
Subtype:
Result: ALLOW
Config:
Additional information:
New workflow created with the 1293619 id, package sent to the next module
Information module for forward flow...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat
Information for reverse flow...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input interface: inside
entry status: to the top
entry-line-status: to the top
output interface: outside
the status of the output: to the top
output-line-status: to the top
Action: allow
It is a complete config for ASA
VPN
Network local 192.168.10.0/24
remote network 192.168.11.0/24
Config
:
ASA Version 8.3 (1)
!
ciscoasa hostname
domain.com domain name
activate the password * encrypted
passwd * encrypted
names of
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP 79.X.X.2 255.255.255.248
!
interface Vlan12
prior to interface Vlan1
nameif comments
security-level 80
192.168.4.1 IP address 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 2
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 12
!
boot system Disk0: / asa831 - k8.bin
passive FTP mode
clock timezone GMT/UTC 0
summer time clock GMT/BDT recurring last Sun Mar 01:00 last Sun Oct 02:00
DNS domain-lookup outside
DNS server-group DefaultDNS
Server name 192.168.10.11
domain.com domain name
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
network object obj - 192.168.0.0
Subnet 192.168.0.0 255.255.0.0
network object obj - 192.168.2.0
Subnet 192.168.2.0 255.255.255.128
network object obj - 10.0.0.0
subnet 10.0.0.0 255.0.0.0
network object obj - 192.168.10.2
host 192.168.10.2
network object obj - 192.168.10.2 - 01
host 192.168.10.2
network object obj - 192.168.10.3
host 192.168.10.3
network object obj - 192.168.10.2 - 02
host 192.168.10.2
network object obj - 192.168.10.2 - 03
host 192.168.10.2
network object obj - 192.168.10.3 - 01
Home 192.168.10.7
network object obj - 192.168.10.5
host 192.168.10.5
newserver network object
Home 192.168.10.7
New SQL Server description
network object obj - 192.168.10.7
Home 192.168.10.7
network of the A_79.X.X.6 object
Home 79.X.X.6
network of the PublicServer_NAT1 object
Home 192.168.10.7
zzz service object
service source eq 1 65535 udp syslog destination range
Syslog description
purpose of the 79.X.X.5 network
Home 79.X.X.5
service of the TCP1433 object
destination service tcp source eq 1433 1 65535 range
Description TCP1433
network object obj - 192.168.10.220
Home 192.168.10.220
network object obj - 192.168.10.220 - 1
Home 192.168.10.220
network object obj - 192.168.10.222
Home 192.168.10.222
network object obj - 192.168.10.2 - 04
host 192.168.10.2
network object obj - 192.168.10.7 - 02
Home 192.168.10.7
network object obj - 192.168.10.11
Home 192.168.10.11
network object obj - 192.168.10.11 - 01
Home 192.168.10.11
network object obj - 192.168.10.11 - 02
Home 192.168.10.11
network object obj - 192.168.10.11 - 03
Home 192.168.10.11
network object obj - 192.168.10.26
Home 192.168.10.26
network object obj - 192.168.10.26 - 01
Home 192.168.10.26
network object obj - 192.168.10.15
Home 192.168.10.15
network object obj - 192.168.10.11 - 04
Home 192.168.10.11
network object obj - 10.1.1.1
host 10.1.1.1
network object obj - 192.168.10.0
192.168.10.0 subnet 255.255.255.0
network object obj - 192.168.10.220 - 2
Home 192.168.10.220
network vpn-local object
192.168.10.0 subnet 255.255.255.0
object network vpn - ru
subnet 192.168.11.0 255.255.255.0
network obj_any object
subnet 0.0.0.0 0.0.0.0
network obj_any-01 object
subnet 0.0.0.0 0.0.0.0
object-group service syslog udp
Service Description syslog group
port-object eq syslog
object-group service udp zzzz
port-object eq syslog
object-group service sss udp
port-object eq syslog
object-group network sheep
object-network 192.168.10.0 255.255.255.0
object-network 192.168.11.0 255.255.255.0
object-network 192.168.3.0 255.255.255.0
outside_all of access allowed any ip an extended list
VPN_splitTunnelAcl list standard access allowed 192.168.0.0 255.255.0.0
VPN_splitTunnelAcl list standard access allowed 10.0.0.0 255.0.0.0
permit inside_nat0_outbound to access extended list ip 192.168.0.0 255.255.0.0 192.168.2.0 255.255.255.128
inside_nat0_outbound to access ip 10.0.0.0 scope list allow 255.0.0.0 192.168.2.0 255.255.255.128
access-list extended inside_out allow ip 192.168.11.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list extended inside_out permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0
scope of the inside_out to the list of permitted any one ip access
inside_out to the access list extended 192.168.11.0 allowed any ip 255.255.255.0
inside_out to the list of access permit tcp host 192.168.10.2 any eq smtp
inside_out to the list of access permit tcp any any eq smtp
access-list extended inside_out allow udp 192.168.10.0 255.255.255.0 host 10.1.1.1
access-list extended inside_out permit udp host 10.1.1.1 192.168.10.0 255.255.255.0
inside_out to the list of allowed extensive access icmp host 192.168.10.7 all
inside_out to the list of allowed extensive access a whole icmp
outside_zzz list of allowed ip extended access any external interface
outside_zzz list extended access permit tcp host 87.X.X.73 host 79.X.X.5 eq 1433
outside_zzz tcp extended access list refuse any host 79.X.X.5 eq 1433
outside_zzz list extended access permitted tcp 207.126.144.0 255.255.240.0 eq 79.X.X.5 the smtp host
outside_zzz tcp extended access list refuse any host 79.X.X.5 eq smtp
outside_zzz access-list extended permit ip any host 79.X.X.5
outside_zzz of access allowed any ip an extended list
permit access list extended ip 192.168.10.0 outside_in 255.255.255.0 192.168.11.0 255.255.255.0
access extensive list ip 192.168.11.0 outside_in allow 255.255.255.0 192.168.10.0 255.255.255.0
access extensive list ip 192.168.11.0 outside_in allow 255.255.255.0 any
outside_in list extended access permit tcp any host 192.168.10.15 eq 81
outside_in list extended access permit ip any host 192.168.10.5
access-list outside_in extended permit ip any host 79.X.X.4
outside_in list extended access permit tcp host 82.X.X.166 host 192.168.10.7 eq 1433
outside_in list extended access permit tcp host 84.X.X.30 host 192.168.10.7 eq 1433
outside_in list extended access tcp refuse any host 192.168.10.7 eq 1433
outside_in list extended access permit tcp any host 192.168.10.3 eq 444
outside_in list extended access permitted tcp 207.126.144.0 255.255.240.0 host 192.168.10.11 eq 444
outside_in list extended access permitted tcp 207.126.144.0 255.255.240.0 eq smtp host 192.168.10.11
outside_in list extended access permitted tcp 207.126.144.0 255.255.240.0 host 192.168.10.2 eq smtp
outside_in list extended access tcp refuse any host 192.168.10.11 eq smtp
outside_in list extended access tcp refuse any host 192.168.10.2 eq smtp
outside_in list extended access permit tcp any host 192.168.10.2 eq smtp
outside_in list extended access permit udp any host 192.168.10.2 eq 443
outside_in list extended access permit tcp any host 192.168.10.3 eq 3389
outside_in list extended access permit tcp any host 192.168.10.2 eq 4125
outside_in list extended access permit tcp any host 192.168.10.11 eq https
outside_in list extended access permit tcp any host 192.168.10.2 eq https
outside_in list extended access allowed esp all the host 91.X.X.57
outside_in list extended access permit tcp any host 192.168.10.3 eq 1433
access-list extended outside_in permit ip host 91.X.X.57 all
access-list outside_in extended permit ip any host 79.X.X.5
access-list outside_in extended permit ip any host 79.X.X.2
outside_in list extended access permit tcp any host 79.X.X.6 eq 3389
outside_in list extended access permit tcp any host 192.168.10.220 eq 3389
outside_in list extended access permit tcp any host 79.X.X.5 eq 81
access extensive list permits all ip a outside_in
outside_in list extended access permit tcp host 91.X.X.178 host 192.168.10.7 eq 1433
outside_in list extended access permit tcp host 87.X.X.73 host 192.168.10.7 eq 1433
access-list extended qnap permit ip host 192.168.10.26 all
access-list extended qnap permit ip any host 192.168.10.26
phone_bypass list extended access allowed host 10.1.1.1 ip 192.168.10.0 255.255.255.0
permit phone_bypass to access extended list ip 192.168.10.0 255.255.255.0 host 10.1.1.1
phone_bypass list extended access allowed host 10.1.1.1 ip 192.168.2.0 255.255.255.0
phone_bypass to access extended list ip 192.168.2.0 allow 255.255.255.0 host 10.1.1.1
list of access vpn extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0
extended vpn 192.168.11.0 ip access list allow 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
Enable logging
exploitation forest-size of the buffer 1024000
logging asdm-buffer-size 512
logging buffered information
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
Comments of MTU 1500
mask of local pool RemoteVPN 192.168.2.20 - 192.168.2.100 IP 255.255.255.0
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow any inside
ICMP allow all outside
ASDM image disk0: / asdm - 631.bin
enable ASDM history
ARP timeout 14400
NAT (any, any) source static sheep sheep sheep destination static sheep
NAT source service (Interior, exterior) static obj - 192.168.10.7 79.X.X.5 TCP1433 TCP1433
NAT (inside, outside) source static obj - 192.168.10.7 interface service zzz zzz
NAT (inside, all) source static obj - 10.0.0.0 obj - 10.0.0.0 destination static obj - 192.168.2.0 obj - 192.168.2.0
NAT (inside, all) source static obj - 192.168.10.0 obj - 192.168.10.0 destination static obj - 10.1.1.1 obj - 10.1.1.1
NAT (inside, all) source static obj - 10.1.1.1 obj - 10.1.1.1 destination static obj - 192.168.10.0 obj - 192.168.10.0
NAT (inside, all) source static obj - 192.168.0.0 obj - 192.168.0.0 destination static obj - 192.168.2.0 obj - 192.168.2.0
!
network object obj - 192.168.10.3
NAT (inside, outside) static service tcp 3389 3389 79.X.X.5
network object obj - 192.168.10.3 - 01
NAT (inside, outside) static 79.X.X.5 tcp 444 444 service
network object obj - 192.168.10.5
NAT (inside, outside) public static dns 79.X.X.3
network object obj - 192.168.10.7
NAT (inside, outside) interface static service tcp 3389 3389
network object obj - 192.168.10.220
NAT (inside, outside) static service tcp 3389 3389 79.X.X.6
network object obj - 192.168.10.220 - 1
NAT (inside, outside) static 79.X.X.6 tcp https https service
network object obj - 192.168.10.7 - 02
NAT (inside, outside) interface static tcp 8080 https service
network object obj - 192.168.10.11
NAT (inside, outside) static 79.X.X.5 tcp smtp smtp service
network object obj - 192.168.10.11 - 01
NAT (inside, outside) udp 443 443 service 79.X.X.5 static
network object obj - 192.168.10.11 - 02
NAT (inside, outside) static 79.X.X.5 tcp https https service
network object obj - 192.168.10.11 - 03
NAT (inside, outside) static 79.X.X.5 tcp https https service
network object obj - 192.168.10.26
NAT (inside, outside) static 79.X.X.5 8080 8080 tcp service
network object obj - 192.168.10.26 - 01
NAT (inside, outside) static 79.X.X.5 tcp 8080 www service
network object obj - 192.168.10.15
NAT (inside, outside) static 79.X.X.5 tcp 81 www service
network obj_any object
NAT dynamic interface (indoor, outdoor)
network obj_any-01 object
NAT dynamic interface (guest, outdoor)
Access-group inside_out in interface inside
Access-group outside_in in external interface
Route outside 0.0.0.0 0.0.0.0 79.X.X.1 1
Route inside 10.0.0.0 255.0.0.0 192.168.10.4 1
Route outside 10.1.1.1 255.255.255.255 192.168.10.4 1
Route outside 192.168.11.0 255.255.255.0 79.X.X.2 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
RADIUS Protocol RADIUS AAA server
reactivation impoverishment deadtime mode 1
AAA-server RADIUS (inside) host 192.168.10.7
key *.
AAA authentication http LOCAL console
the ssh LOCAL console AAA authentication
LOCAL AAA authorization command
http server enable 444
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outdoors
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
No vpn sysopt connection permit
Service resetoutside
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-AES-SHA 256 - aes - esp esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto-map dynamic outside_dyn_map pfs set 20 Group1
Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA
card crypto outside_map 1 match for vpn
outside_map game 1 card crypto peer 91.X.X.57
card crypto outside_map 1 set of transformation-ESP-AES-SHA
outside_map map 1 lifetime of security association set seconds 28800 crypto
card crypto outside_map 1 set security-association life kilobytes 4608000
map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map
outside_map interface card crypto outside
crypto isakmp identity address
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
lifetime 28800
Crypto isakmp nat-traversal 3600
Telnet timeout 5
SSH 0.0.0.0 0.0.0.0 inside
SSH 0.0.0.0 0.0.0.0 outdoors
SSH timeout 30
Console timeout 0
dhcpd dns 83.X.X.8 83.X.X.10
dhcpd outside auto_config
!
dhcpd address 192.168.10.50 - 192.168.10.100 inside
dhcpd dns 83.X.X.8 83.X.X.10 interface inside
dhcpd lease interface 600 inside
dhcpd interface to domain.com domain inside
!
Reviews of dhcpd address 192.168.4.50 - 192.168.4.100
Dhcpd lease 600 interface comments
Comments enable dhcpd
!
priority queue inside
priority-queue outdoors
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
NTP 93.170.32.1 Server
NTP 93.170.32.2 Server
NTP 89.145.68.17 Server prefer
WebVPN
allow outside
SVC image disk0:/anyconnect-win-2.4.1012-k9.pkg 1 regex 'Windows NT'
SVC image disk0:/anyconnect-wince-ARMv4I-2.4.1012-k9.pkg 2 regex "Windows CE"
enable SVC
Auto-signon allow ip 192.168.0.0 255.255.0.0 basic auth-type
internal l2l group policy
attributes of the l2l group policy
VPN-idle-timeout no
Protocol-tunnel-VPN IPSec
attributes of Group Policy DfltGrpPolicy
value of server DNS 192.168.10.11
Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list VPN_splitTunnelAcl
value by default-field DOMAINl.local
internal VPNv group strategy
attributes of Group Policy VPNv
value of server DNS 192.168.10.11
Protocol-tunnel-VPN IPSec webvpn
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list VPN_splitTunnelAcl
field default value domain.com
password username test * encrypted privilege 0
username test attributes
VPN-group-policy VPNv
ID password cisco * encrypted
roger password username * encrypted privilege 15
attributes global-tunnel-group DefaultRAGroup
address pool RemoteVPN
attributes global-tunnel-group DefaultWEBVPNGroup
address pool RemoteVPN
Group-LOCAL RADIUS authentication server
type tunnel-group VPNv remote access
attributes global-tunnel-group VPNv
address pool RemoteVPN
Group-LOCAL RADIUS authentication server
Group Policy - by default-VPNv
IPSec-attributes tunnel-group VPNv
pre-shared key *.
tunnel-group testgroup type remote access
tunnel-group testgroup General attributes
management of the password password-expire-to-days 90
tunnel-group 91.X.X.57 type ipsec-l2l
IPSec-attributes tunnel-group 91.X.X.57
pre-shared key *.
!
Global class-card class
match default-inspection-traffic
class-map qnap_band
corresponds to the list of access qnap
The class-card phone
corresponds to the phone_bypass access list
!
!
Policy-map global_policy
Global category
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Policy-map qnap_access
class qnap_band
512000 64000 police entry
512000 64000 release of police
phone class
set the advanced options of the tcp-State-bypass connection
World-Policy policy-map
Global category
inspect the dns
inspect the ftp
inspect the pptp
inspect the rtsp
inspect the sip
inspect the skinny
Policy-map phone_bypass_policy
phone class
set the advanced options of the tcp-State-bypass connection
!
service-policy-international policy global
service-policy qnap_access to the inside interface
privilege level 3 mode exec cmd command perfmon
privilege level 3 mode exec cmd ping command
mode privileged exec command cmd level 3
logging of the privilege level 3 mode exec cmd commands
privilege level 3 exec command failover mode cmd
privilege level 3 mode exec command packet cmd - draw
privilege level 5 see fashion exec running-config command
order of privilege show level 3 exec mode reload
privilege level 3 exec mode control fashion show
privilege see the level 3 exec firewall command mode
privilege see the level 3 exec mode command ASP.
processor mode privileged exec command to see the level 3
privilege command shell see the level 3 exec mode
privilege show level 3 exec command clock mode
privilege exec mode level 3 dns-hosts command show
privilege see the level 3 exec command access-list mode
logging of orders privilege see the level 3 exec mode
privilege, level 3 see the exec command mode vlan
privilege show level 3 exec command ip mode
privilege, level 3 see fashion exec command ipv6
privilege, level 3 see the exec command failover mode
privilege, level 3 see fashion exec command asdm
exec mode privilege see the level 3 command arp
command routing privilege see the level 3 exec mode
privilege, level 3 see fashion exec command ospf
privilege, level 3 see the exec command in aaa-server mode
AAA mode privileged exec command to see the level 3
privilege see the level 3 exec mode command crypto
privilege, level 3 see fashion exec command vpn-sessiondb
privilege level 3 exec mode command ssh show
privilege, level 3 see fashion exec command dhcpd
privilege, level 3 see the vpnclient command exec mode
privilege, level 3 see fashion exec command vpn
privilege level see the 3 blocks from exec mode command
privilege, level 3 see fashion exec command wccp
privilege, level 3 see the exec command in webvpn mode
privilege control module see the level 3 exec mode
privilege, level 3 see fashion exec command uauth
privilege see the level 3 exec command compression mode
level 3 for the show privilege mode configure the command interface
level 3 for the show privilege mode set clock command
level 3 for the show privilege mode configure the access-list command
level 3 for the show privilege mode set up the registration of the order
level 3 for the show privilege mode configure ip command
level 3 for the show privilege mode configure command failover
level 5 mode see the privilege set up command asdm
level 3 for the show privilege mode configure arp command
level 3 for the show privilege mode configure the command routing
level 3 for the show privilege mode configure aaa-order server
level mode 3 privilege see the command configure aaa
level 3 for the show privilege mode configure command crypto
level 3 for the show privilege mode configure ssh command
level 3 for the show privilege mode configure command dhcpd
level 5 mode see the privilege set privilege to command
privilege level clear 3 mode exec command dns host
logging of the privilege clear level 3 exec mode commands
clear level 3 arp command mode privileged exec
AAA-server of privilege clear level 3 exec mode command
privilege clear level 3 exec mode command crypto
level 3 for the privilege cmd mode configure command failover
clear level 3 privilege mode set the logging of command
privilege mode clear level 3 Configure arp command
clear level 3 privilege mode configure command crypto
clear level 3 privilege mode configure aaa-order server
context of prompt hostname
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Thanks in advance for any help.
Wojciech salvation,
Based on this info, I think that you can run in CSCtb53186, this bug has affected many versions before 8.3 and when fixed DEVs they were always be some details in waiting, and they created CSCtd36473 to these outstanding issues. CSCtd36473 is fixed on 8.3.1.1 intermediate version however is not fixed on 8.3.1 so I suggest you spend at least 8.3.2
Read this:
Interface: outside
Tag crypto map: outside_map, seq num: 1, local addr: 79.X.X.2list of access vpn extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0
local ident (addr, mask, prot, port): (192.168.10.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.11.0/255.255.255.0/0/0)
current_peer: 91.Y.Y.57#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 502, #pkts decrypt: 502, #pkts check: 502
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0outgoing esp sas:
SPI: 0xDE50E6EA (3729843946)
transform: aes-256-esp esp-md5-hmac no compression
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 425984, crypto-card: outside_map
calendar of his: service life remaining (KB/s) key: (4374000/28234)
Size IV: 16 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001
VPN CTX = 0x015F913C
By peer IP = 192.168.11.0
Pointer = 0xD98CACD0
State = upwards
Flags = BA + ESP
ITS = 0X019235E7
SPI = 0xDE50E6EA
Group = 0
Pkts = 0
Pkts bad = 0
Incorrect SPI = 0
Parody = 0
Bad crypto = 0
Redial Pkt = 0
Call redial = 0
VPN = filterhits = 0, user_data is0x15f913c, cs_id = 0xd83ad0e8, reverse, flags = 0 x 0 = 0 protocol
IP/ID=192.168.10.0 SRC, mask is 255.255.255.0, port = 0
IP/ID=192.168.11.0 DST, mask is 255.255.255.0, port = 0, dscp = 0 x 0hits = 44437, user_data is0xce165c, cs_id = 0xd83ad0e8, reverse, flags = 0 x 0 = 0 protocol
IP/ID=192.168.10.0 SRC, mask is 255.255.255.0, port = 0
IP/ID=192.168.11.0 DST, mask is 255.255.255.0, port = 0, dscp = 0 x 0As you can see above we are a different context to encrypt the traffic (not used with the spi of the sh cry ipsec his)
If you do the same packet tracer, but this time with the details of the key words at the end probs you will get to see that we use 0xce165c.
Just looked at your configuration again and before you do the upgrade please correct this:
list of access vpn extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0
extended vpn 192.168.11.0 ip access list allow 255.255.255.0 192.168.10.0 255.255.255.0
Just remove the second line:
no -access extended vpn ip 192.168.11.0 list allow 255.255.255.0 192.168.10.0 255.255.255.0
Also:
No outside_map interface card crypto outside
and then:
outside_map interface card crypto outside
See if that helps before perforrming upgrade,
Kind regards.
-
Problems connecting to help connect any and the Ipsec VPN Client
I have problems connecting with the VPN client connect no matter what. I can connect with the Ipsec VPN client in Windows 7 32 bit.
Here is my latest config running.
Thank you for taking the time to read this.
passwd encrypted W/KqlBn3sSTvaD0T
no names
name 192.168.1.117 kylewooddesk kyle description
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system Disk0: / asa822 - k8.bin
passive FTP mode
DNS lookup field inside
DNS domain-lookup outside
DNS server-group DefaultDNS
domain wood.local
permit same-security-traffic intra-interface
object-group service rdp tcp
access rdp Description
EQ port 3389 object
outside_access_in list extended access permit tcp any interface outside eq 3389
outside_access_in list extended access permit tcp any interface outside eq 8080
outside_access_in list extended access permit tcp any interface outside eq 3334
outside_access_in to access extended list ip 192.168.5.0 allow 255.255.255.240 192.168.1.0 255.255.255.0
woodgroup_splitTunnelAcl list standard access allowed host 192.168.1.117
inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.5.0 255.255.255.240
outside_access_in_1 list extended access permit tcp any host 192.168.1.117 eq 3389
woodgroup_splitTunnelAcl_1 list standard access allowed 192.168.1.0 255.255.255.0
inside_nat0_outbound_1 to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.5.0 255.255.255.240
inside_nat0_outbound_1 to access extended list ip 192.168.5.0 allow 255.255.255.240 all
inside_test list extended access permit icmp any host 192.168.1.117
no pager
Enable logging
timestamp of the record
asdm of logging of information
Debugging trace record
Within 1500 MTU
Outside 1500 MTU
mask pool local Kyle 192.168.5.1 - 192.168.5.10 IP 255.255.255.0
IP local pool vpnpool 192.168.1.220 - 192.168.1.230
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 631.bin
don't allow no asdm history
ARP timeout 14400
Global (inside) 1 interface
Global 1 interface (outside)
NAT (inside) 0-list of access inside_nat0_outbound_1
NAT (inside) 1 0.0.0.0 0.0.0.0
public static interface 3389 (indoor, outdoor) 192.168.1.117 tcp 3389 netmask 255.255.255.255 dns
public static tcp (indoor, outdoor) interface 8080 192.168.1.117 8080 netmask 255.255.255.255
public static tcp (indoor, outdoor) interface 3334 192.168.1.86 3334 netmask 255.255.255.255
static (inside, upside down) 75.65.238.40 192.168.1.117 netmask 255.255.255.255
Access-group outside_access_in in interface outside
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
WebVPN
the files enable exploration
activate the entry in the file
enable http proxy
Enable URL-entry
SVC request no svc default
AAA authentication http LOCAL console
Enable http server
http 192.168.1.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
crypto isakmp identity address
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet 192.168.1.0 255.255.255.0 inside
Telnet timeout 5
SSH timeout 5
Console timeout 0
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd lease 3000
!
dhcpd address 192.168.1.100 - 192.168.1.130 inside
dhcpd allow inside
!
a basic threat threat detection
host of statistical threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
allow outside
SVC disk0:/anyconnect-win-2.4.1012-k9.pkg 1 image
enable SVC
internal sslwood group policy
attributes of the strategy of group sslwood
VPN-tunnel-Protocol svc webvpn
WebVPN
list of URLS no
internal group woodgroup strategy
woodgroup group policy attributes
value of server DNS 8.8.8.8 8.8.4.4
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list woodgroup_splitTunnelAcl_1
mrkylewood encrypted Q4339wmn1ourxj9X privilege 15 password username
username mrkylewood attributes
VPN-group-policy sslwood
VPN - connections 3
VPN-tunnel-Protocol svc webvpn
value of group-lock sslwood
WebVPN
SVC request no webvpn default
tunnel-group woodgroup type remote access
tunnel-group woodgroup General attributes
address pool Kyle
Group Policy - by default-woodgroup
tunnel-group woodgroup ipsec-attributes
pre-shared key *.
type tunnel-group sslwood remote access
tunnel-group sslwood General-attributes
address pool Kyle
authentication-server-group (inside) LOCAL
authentication-server-group (outside LOCAL)
Group Policy - by default-sslwood
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
Review the ip options
type of policy-card inspect dns MY_DNS_INSPECT_MAP
parameters
!
global service-policy global_policy
context of prompt hostname
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
http https://tools.cisco.com/its/service/...es/DDCEService destination address
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:6fa8db79bcf695080cbdc1159b409360
: end
asawood (config) #.
You also need to add the following:
WebVPN
tunnel-group-list activate
output
tunnel-group sslwood webvpn-attributes
activation of the Group sslwood alias
Let us know if it works.
-
Problem with updates on Windows 8 - Configuration has failed & returning Exchange
First of all
I want to apologize for asking questions about the problem which has been solved so many times...
... and yet it seems that no solution applies to / solved my problem.
Let me describe my situation and context "briefly":
I have install Windows 8 Pro, I have installed in September 2012. I had been provided with Win 7 and Win 8 activation as a computer SCIENCE student keys during my studies. I have not used 8 win a lot since I preferred Win 7 and I only wanted to test the 'product '.
Judging by the time when previous updates have been installed, the system was launched several times in March 2013, December 2013 and January 2014. After that, the system "folded" so far. When I launched the system on 26.07.2015 there was like 50 updates that have been prepared (or wanted to be installed... Let's say "pending"). About 30 of them installed successfully. Then I double-checked. I used to double check the availability of updates when some fail to install (mainly from my previous experience that sometimes an update is no longer necessary when another installs).
Now, to the point...
I have 133 major and 3 optional updates that want to be installed. Everything that I select (few of them), or all of them fail to install. Installation begins normally, then needs to restart (all) and during the nex to the top starting, the updates can "Configuring updates... 98% ' and then fail and are starting to go back.
The system is more or less vanilla installation with some basic drivers and the 3DMarks so I doubt that I've caused this problem.
I've been googling and try to solve this problem for 5 days now, here's what I found:
1. first of all, I tried sfc / scannow to see if there is any corruption. I received the message that some files were corrupted and could not be repaired. The launch of 6 and 7 of this order, I finally got the "Windows Resource Protection has not found any breach of integrity." (it is true however that I tried a lot of solutions in the meantime). However before that, the CBS.log newspaper included information that:
Cannot repair Member "utc.app.json" file
(also of telemetry ".") "ASM - WindowsDefault.json" and I think that 'Amd64\CNBJ2530. PBO' have been mentioned... several times)
But as I said, from this moment I do not have this problem.
2. because I had problem with CFS, I tried DISM.
ScanHealth gave:
The component store is repairable.
The operation completed successfully.However, RestoreHealth was not optimistic:
The restore operation failed. Be the source of repair was not found or the comp
onent store is not repairable.The journal includes:
Preparation of control system was updated.
Summary:
Operation: Detect and repair
Result of the operation: 0x0
Last successful step: any operation is complete.
Total of Corruption detected: 0
CBS manifest Corruption: 0
CBS damaged metadata: 0
Corruption shows CSI: 0
Corruption of the CSI metadata: 0
The Corruption of the CSI Payload: 0
Total fixed Corruption: 0
Repaired CBS manifest: 0
Manifesto of CSI repaired: 0
Repaired CSI payload: 0
CSI store metadata refreshed: true3. the 'solution' next I'm focused on a system reserved partition. I came to the information Windows 7 uses 100 MB Sys. Reserved partition while Windows 8 uses 350 MB. I think I stumbled on information that it can be connected to the problems so modified the partition of provision (safely, in regards to the system reserved partitions and Windows 8) and increased the extra partition of 250 MB. This however proves to not be connected.
4. some sources claimed that C:\Windows\SoftwareDistribution/download content may be the case. So after the Windows Update service has stopped I deleted the download content (I think on 1 try I deleted event pending.xml from WinSxS. Of course then I restarted the redownloaded updates of service, etc...
5. I tried the update servers MS Windows Diagnostic.cab (just for the record, this tool renames pending.xml among others). This diagnosis is always problems no matter how many times I launch. It shows sometimes 2, sometimes 3 questions for example:
Here are the main 'solutions' that I tried, but as you can guess, none of them worked. Just for the Windows registry has reported these problems viac Action Center:
And I also found some information in WindowsUpdate.log:
2015-08-02 01:27:28, error CSI 00000004@2015/8/1:23:27:28.681 (F) CMIADAPTER: failed. HRESULT = c004f01f [error facility = FACILITY_ITF, Code = 61471 (0xf01f)]
Element:
[163]""
[gle = 0 x 80004005]
2015-08-02 01:27:28, error CSI 00000005@2015/8/1:23:27:28.681 (F) CMIADAPTER: out with HRESULT = c004f01f code [error, facility = FACILITY_ITF, Code = 61471 (0xf01f)].
[gle = 0 x 80004005]2015-08-02 01:27:28, error [0x01803c] CSI 000000db Failed (F) execution of the installation queue item: SppInstaller ({1b265fd2-721c-4e59-ad55-9d102a5d1d7f}) with HRESULT c004f01f [error facility = FACILITY_ITF, Code = 61471 (0xf01f)]. Failure will not be ignored: a restoration will begin after all operations in the queue of the installer; Setup is reliable (2) [gle = 0 x 80004005]
Here, the infamous rollback is mentioned. I was not able to identify the exact update (or updated) what causes these cancellations so I hope it's something I could be helped with at least. The internet is full of KBs that this cause so I can't count on that, at least for now. I also want to note that I tried everything under boot. And also can not clean installation since I have no more join the MSDNAA where I had as a student activation key. I hope that I could upgrade to Windows 10 without him in the coming months, so that's why I concentrate on getting this environment to work and migrate to it in time.
I'll be very grateful to anyone who can help me with this problem.
In & out.
John
Given that no one could help you, I myself helped ^^.
First of all, to all those who have problems with the fact that their updates install suddenly, you must change the settings for Windows Update. Change the option other than an automaticall installation (I used the automatic download, manual installation). In this way, you can install the updates in smaller batches. Personally, I installed updates to 5 or 10 (or almost). The updates that have been tens of MB, I installed only. What struck me most surprised, I could (at the time) to install all updates. In the case where you wouldn't you know at least certainly update you need to solve the problems.
After all updates have been installed, I turned on the automatic download and installation.
Concerning
John
-
The question when opening PDFs with Adobe Acrobat Reader XI. "Msg: AcroRd32.exe - error system, the program cannot start because Telemetry.dll is missing from your computer." Try reinstalling the program to fix this problem. "It's Windows 7 Pro 64 bit. Ran A search of C: telemetry.dll and have not found on the computer. I have another computer running the same operating system and it does not get an error opening pdf file. I searched this computer and did not find this .dll either. 3 as soon as I hit him cancel a .dll error appears. The Tools menu appears to load after the mistake 3rd cancel and then file is opened in the reader. I ran the repair of the Adobe Reader XI on the computer that has the problem. There are other computers that get the same error. How to solve the problem of error message appear 3 x when opening file?
Hi Ron,
Try the steps below: -.
- Uninstall Adobe Reader, run this tool cleaning, Download Adobe Reader and Acrobat tool - Adobe Labs.
- Restart your computer.
- Re-install adobe Reader using this link Adobe - Adobe Acrobat Reader DC Distribution.
Let me know if the problem persists.
Kind regards
Nicos
Maybe you are looking for
-
AE last gen and stereo receiver: coupling with amplified speakers
Hello I have a TEAC A - H01 receiver I have also a speaker: WIFI Libratone Zipp powered only no Bluetooth. Finally, I have a last gen Airport Express. Here's what I can do: I can use my Libratone with my iPad air2 and Airplay for dissemination and to
-
Ultrabook 4-1112sa: Re: resetting the BIOS password
After three attempts of the bios password, it gives me the code (52386381) can anyone help?
-
Extend a control of the ring or enum
I have rings and enumerations on my front which is disabled and grayed out. When I click on one of them I turn it on. However, because it has been disabled in the first drop-down list does not open upward. I want the box to open on click, rather t
-
Could not find the word on my computer
Microsoft Word has disappeared from my compupter. I can't open documents, and I don't know what happened. Any suggestions?
-
Comments for network printer is no longer available in Windows 7
Windows 7 print, add comments/location section when adding printers & printing. In windows XP when you add a new network printer, it displays the name & comments, but in Windows 7, it displays only the name, use us common generic names for all printe