Traffic UDP 8905 to default GW
Hello
I NAC deployment mode L2 OOB VGW and everything works fine. We see the FWSM, that has the L3 interface for VIRTUAL, bombarded by UDP port 8905 traffic local network access. I think that it is the case even after the PC have changed for access to the VLANS (as I see them in the list of online users and their switchport is in VIRTUAL local network access. Is this normal and how can we stop it from happening? I'm the host of the default discovery that is the IP of the CAM which of course is on a separate subnet. Please let me know
Thank you
Shaffeel
Shaffeel,
You are right on both counts.
HTH,
Faisal
Tags: Cisco Security
Similar Questions
-
ASA - that allows HTTP return traffic?
Hello
I'm just playing with a few ASA and ask yourself which allows return HTTP traffic in the firewall? Also, what other traffic is allowed by default as HTTP?
Traffic is from a security interface upper (inside, 100) to a lower (outside, 0) security interface. There is no ACLs not applied on all interfaces.
I ask because ICMP does not work unless inspection is on (global service-policy global_policy).
Thanks for any help.
Firewalls like ASA is with State so for TCP and UDP (albeit with UDP State is handled a little differently) if traffic is allowed a way it automatically allows him back.
So, when a connection is initiated, if it is permitted through the firewall that is recorded in the table of the State and when the return package arrives at the firewall level, if there is a matching entry, the traffic is allowed and there is no verification of the acl.
Registration is made on the IP source and destination port numbers, and for TCP it has also used the connection indicators.
ICMP uses ports so initially, that she could not be redirected and you had to allow him to return with an acl (if the traffic was less than the increase security level).
But then stateful inspection has been added for ICMP, as well, but you still must activate it Unlike TCP and UDP.
Jon
-
Could someone tell me what the command
The link below is very explicit.
http://www.Cisco.com/en/us/Tech/tk365/technologies_tech_note09186a008009437d.shtml
I used the controls only in laboratories.
Balanced traffic share is the default setting. So this means, that with a touch of "variance" command that you will have a share of traffic.
Share of traffic min is a configurable parameter and is useful in situations where you have a DS3 and a T1 connecting two routers (for example). You want the links to use for load balancing, but the preferred path is the DS3.
I think that "balanced traffic sharing" has been designed as an equivalent command to disable 'sharing of traffic minutes.
shares of balanced traffic = no traffic-share min
-
ASA 8.4. (1) VPN L2L can only be established through default gateway
Hi all!
We have an ASA 5510, with two internet connections. A destined for VPN l2l and the other to access inet users in general.
On asa 8.04, I configured the encryption on inteface "VPNAccess" card and a static route on the remote peer L2L with access internet VPN, the default rotue pointed the router General inet.
We bought a new firewall with 8.4.1 and now asa only tries to open the remote if peer traffic is on the default gateway.
It does not take into account routes more specific (I mean longer masks) and always tries to use the gateway by default, but only for VPN, if I do a trace to that peer route, it uses the routing table correctly.
Any advice?
Thank you!
Well well, (any, any) certainly does not help.
You need to be more specific, otherwise, even once, as suggested earlier, he does not know which interface to use because you don't have specify it.
In addition, you must also be precise with the source network and destination. Otherwise, the firewall will not know which interface the subnet should be connected to.
More precise best for NAT statement.
NAT (, PublicTESAVPNBackup) source static static destination
-
Client VPN access to VLAN native only
I have a router 2811 (config below) with VPN set up. I can connect through the VPN devices and access on the VLAN native but I can't access the 10.77.5.0 (VLAN 5) network (I do not access the 10.77.10.0 - network VLAN 10). This question has been plagueing me for quite a while. I think it's a NAT device or ACL problem, but if someone could help me I would be grateful. Client VPN IP pool is 192.168.77.1 - 192.168.77.10. Thanks for the research!
Current configuration: 5490 bytes
!
version 12.4
horodateurs service debug datetime msec
Log service timestamps datetime msec
encryption password service
!
2811-Edge host name
!
boot-start-marker
boot-end-marker
!
enable secret 5 XXXX
!
AAA new-model
!
AAA authentication login userauthen local
AAA authorization groupauthor LAN
!
AAA - the id of the joint session
!
IP cef
No dhcp use connected vrf ip
DHCP excluded-address IP 10.77.5.1 10.77.5.49
DHCP excluded-address IP 10.77.10.1 10.77.10.49
!
dhcp Lab-network IP pool
import all
Network 10.77.5.0 255.255.255.0
router by default - 10.77.5.1
!
pool IP dhcp comments
import all
Network 10.77.10.0 255.255.255.0
router by default - 10.77.10.1
!
domain IP HoogyNet.net
inspect the IP router-traffic tcp name FW
inspect the IP router traffic udp name FW
inspect the IP router traffic icmp name FW
inspect the IP dns name FW
inspect the name FW ftp IP
inspect the name FW tftp IP
!
Authenticated MultiLink bundle-name Panel
!
voice-card 0
No dspfarm
!
session of crypto consignment
!
crypto ISAKMP policy 1
BA aes 256
preshared authentication
Group 2
life 7200
!
Configuration group customer isakmp crypto HomeVPN
key XXXX
HoogyNet.net field
pool VPN_Pool
ACL vpn
Save-password
Max-users 2
Max-Connections 2
Crypto isakmp HomeVPN profile
match of group identity HomeVPN
client authentication list userauthen
ISAKMP authorization list groupauthor
client configuration address respond
!
Crypto ipsec transform-set esp - aes 256 esp-sha-hmac vpn
!
Crypto-map dynamic vpnclient 10
Set transform-set vpn
HomeVPN Set isakmp-profile
market arriere-route
!
dynamic vpn 65535 vpnclient ipsec-isakmp crypto map
!
username secret privilege 15 5 XXXX XXXX
username secret privilege 15 5 XXXX XXXX
Archives
The config log
hidekeys
!
IP port ssh XXXX 1 rotary
!
interface Loopback0
IP 172.17.1.10 255.255.255.248
!
interface FastEthernet0/0
DHCP IP address
IP access-group ENTERING
NAT outside IP
inspect the FW on IP
no ip virtual-reassembly
automatic duplex
automatic speed
No cdp enable
vpn crypto card
!
interface FastEthernet0/1
no ip address
automatic duplex
automatic speed
No cdp enable
!
interface FastEthernet0/1.1
encapsulation dot1Q 1 native
IP 10.77.1.1 255.255.255.0
IP nat inside
IP virtual-reassembly
!
interface FastEthernet0/1.5
encapsulation dot1Q 5
IP 10.77.5.1 255.255.255.0
IP nat inside
IP virtual-reassembly
!
interface FastEthernet0/1.10
encapsulation dot1Q 10
IP 10.77.10.1 255.255.255.0
IP access-group 100 to
IP nat inside
IP virtual-reassembly
!
interface FastEthernet0/0/0
no ip address
Shutdown
automatic duplex
automatic speed
!
interface FastEthernet0/1/0
no ip address
Shutdown
automatic duplex
automatic speed
!
router RIP
version 2
10.0.0.0 network
network 172.17.0.0
network 192.168.77.0
No Auto-resume
!
IP pool local VPN_Pool 192.168.77.1 192.168.77.10
no ip forward-Protocol nd
!
IP http server
no ip http secure server
overload of IP nat inside source list NAT interface FastEthernet0/0
!
IP extended INBOUND access list
permit tcp any any eq 2277 newspaper
permit any any icmp echo response
allow all all unreachable icmp
allow icmp all once exceed
allow tcp any a Workbench
allow udp any any eq isakmp
permit any any eq non500-isakmp udp
allow an esp
allowed UDP any eq field all
allow udp any eq bootps any eq bootpc
NAT extended IP access list
IP 10.77.5.0 allow 0.0.0.255 any
IP 10.77.10.0 allow 0.0.0.255 any
IP 192.168.77.0 allow 0.0.0.255 any
list of IP - vpn access scope
IP 10.77.1.0 allow 0.0.0.255 192.168.77.0 0.0.0.255
IP 10.77.5.0 allow 0.0.0.255 192.168.77.0 0.0.0.255
!
access-list 100 permit udp any eq bootpc host 255.255.255.255 eq bootps
access-list 100 permit udp host 0.0.0.0 eq bootpc host 10.77.5.1 eq bootps
access-list 100 permit udp 10.77.10.0 0.0.0.255 eq bootpc host 10.77.5.1 eq bootps
access-list 100 deny tcp 10.77.10.0 0.0.0.255 any eq telnet
access-list 100 deny ip 10.77.10.0 0.0.0.255 10.77.5.0 0.0.0.255
access-list 100 deny ip 10.77.10.0 0.0.0.255 10.77.1.0 0.0.0.255
access ip-list 100 permit a whole
!
control plan
!
Line con 0
session-timeout 30
password 7 XXXX
line to 0
line vty 0 4
Rotary 1
transport input telnet ssh
line vty 5 15
Rotary 1
transport input telnet ssh
!
Scheduler allocate 20000 1000
!
WebVPN cef
!
end
If you want to say, that after the way nat rules which I have proposed, you lost the connection to the VLAN native, so yes, it's because the subnet VLANs native has not been included in this acl with Deny statement. So that the ACL should look like this:
NAT extended IP access list
deny ip 10.77.5.0 0.0.0.255 192.168.77.0 0.0.0.255
deny ip 10.77.1.0 0.0.0.255 192.168.77.0 0.0.0.255 //This is not respected
allow an ip
In addition, if you want to go throug the other tunnel inside the subnet not listed above, then you should include that subnet to the NAT exemption rule with Deny statement.
-
Configuration of remote VPN on 2811 boredom
I try to configure VPN remote access for customers, but could not connect remotely using Cisco VPN client. This is the current configuration on the router. I think I'm almost there and may miss a few commands. Thank you very much for the research.
Current configuration: 4758 bytes
!
version 12.4
horodateurs service debug datetime msec
Log service timestamps datetime msec
encryption password service
!
FCC-1811-router host name
!
boot-start-marker
boot-end-marker
!
enable secret 5 XXXX
!
AAA new-model
!
AAA authentication login vpnauthen local
AAA authorization vpnauthor LAN
!
AAA - the id of the joint session
!
IP cef
No dhcp use connected vrf ip
DHCP excluded-address IP 10.35.5.1 10.35.5.49
DHCP excluded-address IP 10.35.5.100 10.35.5.254
DHCP excluded-address IP 10.35.10.1 10.35.10.9
!
FCC-Admin dhcp IP pool
import all
Network 10.35.5.0 255.255.255.0
router by default - 10.35.5.1
!
pool IP dhcp FCC comments
import all
Network 10.35.10.0 255.255.255.0
router by default - 10.35.10.1
!
IP domain name faithcountrychapel.net
inspect the IP router-traffic tcp name FW
inspect the IP router traffic udp name FW
inspect the IP router traffic icmp name FW
inspect the IP dns name FW
inspect the name FW ftp IP
inspect the name FW tftp IP
property intellectual auth-proxy max-nodata-& 3
property intellectual admission max-nodata-& 3
!
voice-card 0
No dspfarm
!
username secret privilege 15 5 XXXX XXXX
username secret privilege 15 5 XXXX XXXX
username secret privilege 15 5 XXXX XXXX
!
crypto ISAKMP policy 10
BA 3des
preshared authentication
Group 2
!
Configuration group customer isakmp crypto FCCVPN
key XXXX
pool vpnpool
!
Crypto ipsec transform-set esp-3des esp-md5-hmac vpnset
!
Crypto-map dynamic dynmap 10
Set transform-set vpnset
!
card crypto client vpnmap of authentication list vpnauthen
card crypto isakmp authorization list vpnauthor vpnmap
client configuration address card crypto vpnmap answer
vpnmap 10 card crypto ipsec-isakmp dynamic dynmap
!
interface Loopback0
IP 172.16.1.1 255.255.255.240
!
interface FastEthernet0/0
DHCP IP address
IP access-group ENTERING
NAT outside IP
inspect the FW on IP
no ip virtual-reassembly
automatic duplex
automatic speed
No cdp enable
vpnmap card crypto
!
interface FastEthernet0/1
no ip address
automatic duplex
automatic speed
No cdp enable
!
interface FastEthernet0/1.1
encapsulation dot1Q 1 native
IP 10.35.1.1 255.255.255.0
IP nat inside
IP virtual-reassembly
!
interface FastEthernet0/1.5
encapsulation dot1Q 5
IP 10.35.5.1 255.255.255.0
IP nat inside
IP virtual-reassembly
!
interface FastEthernet0/1.10
encapsulation dot1Q 10
IP 10.35.10.1 255.255.255.0
IP access-group 100 to
IP nat inside
IP virtual-reassembly
!
IP local pool vpnpool 10.35.5.200 10.35.5.254
no ip forward-Protocol nd
IP http server
no ip http secure server
overload of IP nat inside source list NAT interface FastEthernet0/0
!
IP extended INBOUND access list
permit any any icmp echo response
allow all all unreachable icmp
allow icmp all once exceed
permit tcp any any eq 22
allow tcp any a Workbench
allowed UDP any eq field all
allow udp any eq bootps any eq bootpc
NAT extended IP access list
IP 10.35.5.0 allow 0.0.0.255 any
IP 10.35.10.0 allow 0.0.0.255 any
!
access-list 100 permit udp any eq bootpc host 255.255.255.255 eq bootps
access-list 100 permit udp host 0.0.0.0 eq bootpc host 10.35.5.1 eq bootps
access-list 100 permit udp 10.35.10.0 0.0.0.255 eq bootpc host 10.35.5.1 eq bootps
access-list 100 deny tcp 10.35.10.0 0.0.0.255 any eq telnet
access-list 100 deny ip 10.35.10.0 0.0.0.255 10.35.5.0 0.0.0.255
access-list 100 deny ip 10.35.10.0 0.0.0.255 10.35.1.0 0.0.0.255
access ip-list 100 permit a whole
!
control plan
!
Line con 0
password 7 XXXX
line to 0
line vty 0 4
transport input telnet ssh
line vty 5 15
transport input telnet ssh
!
Scheduler allocate 20000 1000
!
end
It should probably add this to your INBOUND acl
allow udp any any eq isakmp
permit any any eq 4500 udp
allow an esp
-
Hello
I have created a new site to site vpn connection and can't know why it does not work.
All other VPN site-to-site work properly. The news, the problem is MATCHJLS. Could anyone recommend measures to correct?
!
vpn hostname
domain name
activate the encrypted password of Pp6RUfdBBUU
ucU7iJnNlZ passwd / encrypted
names of
DNS-guard
!
interface Ethernet0/0
nameif outside
security-level 0
IP address 87.117.xxx.xx 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
IP address 78.129.xxx.x 255.255.255.128
!
interface Ethernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
Shutdown
No nameif
no level of security
no ip address
!
boot system Disk0: / asa822 - k8.bin
passive FTP mode
DNS server-group DefaultDNS
domain msiuk.com
permit same-security-traffic inter-interface
DM_INLINE_TCP_1 tcp service object-group
EQ port 3389 object
EQ object of port 8080
port-object eq www
EQ object of the https port
Http81 tcp service object-group
port-object eq 81
DM_INLINE_TCP_3 tcp service object-group
port-object eq 81
port-object eq www
the DM_INLINE_NETWORK_1 object-group network
host of the object-Network 172.19.60.52
host of the object-Network 172.19.60.53
host of the object-Network 172.19.60.68
host of the object-Network 172.19.60.69
host of the object-Network 172.19.60.84
host of the object-Network 172.19.60.85
host of the object-Network 172.19.60.86
access-list extended basic permit icmp any any echo response
access-list extended basic permit icmp any one time exceed
access-list extended basic permit tcp any host 78.129.xxx.xx eq 8731
access-list extended basic permit tcp any host 78.129.xxx.xx eq www
access-list extended basic permit tcp any host 78.129.xxx.xx DM_INLINE_TCP_3 object-group
access-list extended basic permit tcp any host 78.129.xxx.xx eq www
access-list extended basic permit tcp any host 78.129.xxx.xx eq www
access-list extended basic permit tcp any host 78.129.xxx.xx eq www inactive
access-list extended basic permit tcp any host 78.129.xxx.xx eq www
access-list extended basic permit tcp any host 78.129.xxx.xx eq https
access-list extended basic permit tcp any host 78.129.xxx.xx eq https
access-list extended basic permit tcp any host 78.129.xxx.xx
permit access-list extended basic host tcp 94.128.xxx.xx 78.129.xxx.xx 255.255.255.128 DM_INLINE_TCP_1 object-group
access-list extended SHEEP allowed ip 10.1.1.0 255.255.255.0 10.255.255.0 255.255.255.0
Standard access list SPLITTUN allow 78.129.xxx.xx 255.255.255.128
SPLITTUN list standard access allowed 10.1.1.0 255.255.255.0
access list allow extended permit ip any one
MATCHVPN1 list extended access permit ip host host 78.129.xxx.xx 212.118.157.203
MATCHVPN2 list of allowed ip extended access all 212.118.xxx.xx 255.255.255.0
SMTP-NAT extended permit tcp host 78.129.xxx.xx access list any eq smtp
MATCHVPN3 list extended access permitted ip 78.129.xxx.xx 255.255.255.224 host 10.180.xxx.xx
MATCHVPN3 list extended access permitted ip 78.129.xxx.xx 255.255.255.224 host 10.180.xxx.xx
MATCHVPN3 list extended access permitted ip 78.129.xxx.xx 255.255.255.224 host 10.180.xxx.xx
MATCHVPN4 list extended access permit ip host 78.129.xxx.xx host 172.16.xxx.xx
MATCHVPN4 list extended access permitted ip 78.129.xxx.xx 255.255.255.248 host 172.16.xxx.xx
MATCHVPN4 list extended access permitted ip 78.129.xxx.xx 255.255.255.248 host 172.17.xxx.xx
MATCHVPN4 list extended access permitted ip 78.129.xxx.xx 255.255.255.248 host 172.16.xxx.xx
MATCHVPN4 list extended access permitted ip 78.129.xxx.xx 255.255.255.248 host 172.16.xxx.xx
Access list extended ip 78.129.151.0 MATCHJLS allow 255.255.255.128 DM_INLINE_NETWORK_1 object-group
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
local IP LOCPOOL 10.255.255.1 pool - 10.255.255.254
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm-625 - 53.bin
don't allow no asdm history
ARP timeout 14400
Global (1 interface external)
NAT (inside) 0 access-list SHEEP
Access SMTP-NAT NAT (inside) 1 list
NAT (inside) 1 10.1.1.0 255.255.255.0
NAT (inside) 1 10.2.2.0 255.255.255.0
Access-group basic in external interface
Access-group allow external interface
Access-group allow the interface inside
Access-group allow the interface inside
Route outside 0.0.0.0 0.0.0.0 87.117.213.65 1
Route inside 10.1.1.0 255.255.255.0 78.129.151.2 1
Route inside 10.2.2.0 255.255.255.0 78.129.151.2 1
Route inside 10.33.67.0 255.255.255.0 78.129.151.26 1
Route 172.20.xxx.xx 255.255.255.0 inside 78.129.xxx.xx 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
AAA authentication enable LOCAL console
the ssh LOCAL console AAA authentication
Enable http server
http 0.0.0.0 0.0.0.0 outdoors
No snmp server location
No snmp Server contact
Crypto ipsec transform-set esp-3des esp-md5-hmac VPN3DES
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set esp-3des esp-sha-hmac asa2transform
Crypto ipsec transform-set esp-3des esp-md5-hmac kwset
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set esp-3des esp-sha-hmac jlstransformset
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
set of 10 DYNOMAP crypto dynamic-map transform-set VPN3DES
card crypto VPNPEER 1 corresponds to the address MATCHJLS
card crypto VPNPEER 1 set peer 94.128.xxx.xx
card crypto VPNPEER 1 the value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto VPNPEER 10 corresponds to the address MATCHVPN3
card crypto VPNPEER 10 set peer 94.128.xxx.xx
crypto VPNPEER 10 the transform-set jlstransformset value card
card crypto VPNPEER 10 set nat-t-disable
card crypto VPNPEER 30 corresponds to the address MATCHVPN2
card crypto VPNPEER 30 212.118.xxx.xx peer value
card crypto VPNPEER 30 value transform-set ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto VPNPEER 30 the value reverse-road map
card crypto VPNPEER 40 corresponds to the address MATCHVPN4
VPNPEER 40 crypto map set peer 94.128.xxx.xx
crypto VPNPEER 40 the transform-set kwset value card
card crypto VPNPEER 50 corresponds to the address MATCHVPN3
card crypto VPNPEER 50 set pfs
card crypto VPNPEER 50 set peer 94.128.xxx.xx
card crypto VPNPEER 50 set ESP ESP-3DES-SHA transform-set kwset DES-ESP-MD5-DES-SHA
card crypto VPNPEER 50 set nat-t-disable
card crypto VPNPEER 100-isakmp dynamic ipsec DYNOMAP
VPNPEER interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 1
preshared authentication
3des encryption
sha hash
Group 2
life 3600
Crypto isakmp nat-traversal 3600
crypto ISAKMP disconnect - notify
Telnet timeout 5
SSH 0.0.0.0 0.0.0.0 outdoors
SSH 0.0.0.0 0.0.0.0 inside
SSH timeout 60
SSH version 2
Console timeout 0
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
internal GroupPolicy1 group strategy
attributes of Group Policy GroupPolicy1
value of VPN-filter MATCHKW
Protocol-tunnel-VPN IPSec l2tp ipsec
internal CLIENTGROUP group policy
CLIENTGROUP group policy attributes
value of server DNS 10.1.1.10 10.1.1.2
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list SPLITTUN
msiuk.local value by default-field
Username admin privilege 15 encrypted password 9RG9xAvynJRd.Q
tunnel-group msi type remote access
msi General attributes tunnel-group
address LOCPOOL pool
Group Policy - by default-CLIENTGROUP
MSI group tunnel ipsec-attributes
pre-shared key *.
tunnel-group msi ppp-attributes
ms-chap-v2 authentication
tunnel-group 212.118.xxx.xx type ipsec-l2l
212.118.xxx.XX group of tunnel ipsec-attributes
pre-shared key *.
tunnel-group 94.128.xxx.xx type ipsec-l2l
94.128.xxx.XX group of tunnel ipsec-attributes
pre-shared key *.
tunnel-group 94.128.xxx.xx type ipsec-l2l
94.128.xxx.XX group of tunnel ipsec-attributes
pre-shared key *.
tunnel-group 94.128.xxx.xx type ipsec-l2l
94.128.xxx.XX group of tunnel ipsec-attributes
pre-shared key *.
!
class-map ftpdefault
match default-inspection-traffic
class-map default inspection
!
!
Policy-map global_policy
!
global service-policy global_policy
context of prompt hostname
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:b251877ef24a1dc161b594dc052c44
: end
ASDM image disk0: / asdm-625 - 53.bin
don't allow no asdm history
Hello
OK, given the above information, I would say that the VPN L2L your part should probably be fine for traffic you are trying with the packet - trace.
It seems that you get no traffic back from the remote end
This could mean one of the following things
- Remote site may not login either in their VPN appliance, firewall or the firewall of the real server (which I doubt since were talking about web service)
- Remote site has not configured routing properly for your source IP address / network. For example, your connection attempt can reach the remote server, but the return traffic could get transferred to the wrong place on the remote site. It is more likely when the remote end manages Internet traffic and VPN traffic on separate devices
- Remote site has not activated the service on the real server (which is still little provided this isn't a service only serve on the server you through this VPN L2L)
- etc.
As I said look it seems so VPN L2L is fine. Its place and running, but you can't get traffic back on the L2L VPN that suggest that the problem is at the remote site.
If you go ask about this since the admins of the remote site, let us know how to do the thing.
If you found this information useful, please note the answer/answers and naturally ask more if necessary
-Jouni
-
Coming out of the IPSec VPN connection behind Pix535 problem: narrowed down for NAT-Associates
Hello world
Previously, I've seen a similar thread and posted my troubles with the outbound VPN connections inside that thread:
https://supportforums.Cisco.com/message/3688980#3688980
I had the great help but unfortunatedly my problem is a little different and connection problem. Here, I summarize once again our configurations:
hostname pix535 8.0 (4)
all PC here use IP private such as 10.1.0.0/16 by dynamic NAT, we cannot initiate an OUTBOUND IPSec VPN (for example QuickVPN) at our offices, but the reverse (inbound) is very well (we have IPsec working long server /PP2P). I did a few tests of new yesterday which showed that if the PC a static NAT (mapped to a real public IP), outgoing connection VPN is fine; If the same PC has no static NAT (he hides behind the dynamic NAT firewall), outgoing VPN is a no-go (same IP to the same PC), so roughly, I have narrowed down our connection problem VPN is related to NAT, here are a few commands for NAT of our PIX:
interface GigabitEthernet0
Description to cable-modem
nameif outside
security-level 0
IP 70.169.X.X 255.255.255.0
OSPF cost 10
!
interface GigabitEthernet1
Description inside 10/16
nameif inside
security-level 100
IP 10.1.1.254 255.255.0.0
OSPF cost 10
!
!
interface Ethernet2
Vlan30 description
nameif dmz2
security-level 50
IP 30.30.30.30 255.255.255.0
OSPF cost 10
!
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface......
Global interface 10 (external)
Global (dmz2) interface 10
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 10 inside8 255.255.255.0
NAT (inside) 10 Vlan10 255.255.255.0
NAT (inside) 10 vlan50 255.255.255.0
NAT (inside) 10 192.168.0.0 255.255.255.0
NAT (inside) 10 192.168.1.0 255.255.255.0
NAT (inside) 10 192.168.10.0 255.255.255.0
NAT (inside) 10 pix-inside 255.255.0.0Crypto isakmp nat-traversal 3600
-------
Results of packet capture are listed here for the same PC for the same traffic to Server VPN brach, the main difference is UDP 4500 (PC with static NAT has good traffic UDP 4500, does not have the same PC with dynamic NAT):
#1: when the PC uses static NAT, it is good of outgoing VPN:
54 packets captured
1: 15:43:51.112054 10.1.1.82.1608 > 76.196.10.57.443: S 1763806634:1763806634 (0) win 64240
2: 15:43:54.143028 10.1.1.82.1608 > 76.196.10.57.443: S 1763806634:1763806634 (0) win 64240
3: 15:44:00.217273 10.1.1.82.1608 > 76.196.10.57.443: S 1763806634:1763806634 (0) win 64240
4: 15:44:01.724938 10.1.1.82.1609 > 76.196.10.57.60443: S 2904546955:2904546955 (0) win 64240
5: 15:44:01.784642 76.196.10.57.60443 > 10.1.1.82.1609: S 2323205974:2323205974 (0) ack 2904546956 win 5808
6: 15:44:01.784886 10.1.1.82.1609 > 76.196.10.57.60443:. ACK 2323205975 win 64240
7: 15:44:01.785527 10.1.1.82.1609 > 76.196.10.57.60443: P 2904546956:2904547080 (124) ack 2323205975 win 64240
8: 15:44:01.856462 76.196.10.57.60443 > 10.1.1.82.1609:. ACK 2904547080 win 5808
9: 15:44:01.899596 76.196.10.57.60443 > 10.1.1.82.1609: P 2323205975:2323206638 (663) ack 2904547080 win 5808
10: 15:44:02.056897 10.1.1.82.1609 > 76.196.10.57.60443:. ACK 2323206638 win 63577
11: 15:44:03.495030 10.1.1.82.1609 > 76.196.10.57.60443: P 2904547080:2904547278 (198) ack 2323206638 win 63577
12: 15:44:03.667095 76.196.10.57.60443 > 10.1.1.82.1609:. ACK 2904547278 win 6432
13: 15:44:03.740592 76.196.10.57.60443 > 10.1.1.82.1609: P 2323206638:2323206697 (59) ack 2904547278 win 6432
14: 15:44:03.741264 10.1.1.82.1609 > 76.196.10.57.60443: P 2904547278:2904547576 (298) ack 2323206697 win 63518
15: 15:44:03.814029 76.196.10.57.60443 > 10.1.1.82.1609:. ACK 2904547576 win 7504
16: 15:44:06.989008 76.196.10.57.60443 > 10.1.1.82.1609: P 2323206697:2323207075 (378) ack 2904547576 win 7504
17: 15:44:06.990228 76.196.10.57.60443 > 10.1.1.82.1609: 2323207075:2323207075 F (0) ack 2904547576 win 7504
18: 15:44:06.990564 10.1.1.82.1609 > 76.196.10.57.60443:. ACK 2323207076 win 63140
19: 15:44:06.990656 10.1.1.82.1609 > 76.196.10.57.60443: P 2904547576:2904547613 (37) ack 2323207076 win 63140
20: 15:44:06.990854 10.1.1.82.1609 > 76.196.10.57.60443: 2904547613:2904547613 F (0) ack 2323207076 win 63140
21: 15:44:07.049359 76.196.10.57.60443 > 10.1.1.82.1609: R 2323207076:2323207076 (0) win 0
22: 15:44:17.055417 10.1.1.82.500 > 76.196.10.57.500: udp 276
23: 15:44:17.137657 76.196.10.57.500 > 10.1.1.82.500: udp 140
24: 15:44:17.161475 10.1.1.82.500 > 76.196.10.57.500: udp 224
25: 15:44:17.309066 76.196.10.57.500 > 10.1.1.82.500: udp 220
26: 15:44:17.478780 10.1.1.82.4500 > 76.196.10.57.4500: udp 80
27: 15:44:17.550356 76.196.10.57.4500 > 10.1.1.82.4500: 64 udp
28: 15:44:17.595214 10.1.1.82.4500 > 76.196.10.57.4500: udp 304
29: 15:44:17.753470 76.196.10.57.4500 > 10.1.1.82.4500: udp 304
30: 15:44:17.763037 10.1.1.82.4500 > 76.196.10.57.4500: udp 68
31: 15:44:17.763540 10.1.1.82.4500 > 76.196.10.57.4500: udp 56
32: 15:44:18.054516 10.1.1.82.4500 > 76.196.10.57.4500: udp 68
33: 15:44:18.124840 76.196.10.57.4500 > 10.1.1.82.4500: udp 68
34: 15:44:21.835390 10.1.1.82.4500 > 76.196.10.57.4500: udp 72
35: 15:44:21.850831 10.1.1.82.4500 > 76.196.10.57.4500: udp 80
36: 15:44:21.901183 76.196.10.57.4500 > 10.1.1.82.4500: udp 72
37: 15:44:22.063747 10.1.1.82.1610 > 76.196.10.57.60443: S 938188365:938188365 (0) win 64240
38: 15:44:22.104746 76.196.10.57.4500 > 10.1.1.82.4500: udp 80
39: 15:44:22.122277 76.196.10.57.60443 > 10.1.1.82.1610: S 1440820945:1440820945 (0) ack 938188366 win 5808
40: 15:44:22.122536 10.1.1.82.1610 > 76.196.10.57.60443:. ACK 1440820946 win 64240
41: 15:44:22.123269 10.1.1.82.1610 > 76.196.10.57.60443: P 938188366:938188490 (124) ack 1440820946 win 64240
42: 15:44:22.187108 76.196.10.57.60443 > 10.1.1.82.1610:. ACK 938188490 win 5808
43: 15:44:22.400675 76.196.10.57.60443 > 10.1.1.82.1610: P 1440820946:1440821609 (663) ack 938188490 win 5808
44: 15:44:22.474600 10.1.1.82.1610 > 76.196.10.57.60443: P 938188490:938188688 (198) ack 1440821609 win 63577
45: 15:44:22.533648 76.196.10.57.60443 > 10.1.1.82.1610:. ACK 938188688 win 6432
46: 15:44:22.742286 76.196.10.57.60443 > 10.1.1.82.1610: P 1440821609:1440821668 (59) ack 938188688 win 6432
47: 15:44:22.742927 10.1.1.82.1610 > 76.196.10.57.60443: P 938188688:938189002 (314) ack 1440821668 win 63518
48: 15:44:22.802570 76.196.10.57.60443 > 10.1.1.82.1610:. ACK 938189002 win 7504
49: 15:44:25.180486 76.196.10.57.60443 > 10.1.1.82.1610: P 1440821668:1440821934 (266) ack 938189002 win 7504
50: 15:44:25.181753 76.196.10.57.60443 > 10.1.1.82.1610: 1440821934:1440821934 F (0) ack 938189002 win 7504
51: 15:44:25.181997 10.1.1.82.1610 > 76.196.10.57.60443:. ACK 1440821935 win 63252
52: 15:44:25.182134 10.1.1.82.1610 > 76.196.10.57.60443: P 938189002:938189039 (37) ack 1440821935 win 63252
53: 15:44:25.182333 10.1.1.82.1610 > 76.196.10.57.60443: 938189039:938189039 F (0) ack 1440821935 win 63252
54: 15:44:25.241869 76.196.10.57.60443 > 10.1.1.82.1610: R 1440821935:1440821935 (0) win 0#2: same PC with Dynamic NAT, VPN connection fails:
70 packets captured
1: 14:08:31.758261 10.1.1.82.1073 > 76.196.10.57.443: S 820187495:820187495 (0) win 64240
2: 14:08:34.876907 10.1.1.82.1073 > 76.196.10.57.443: S 820187495:820187495 (0) win 64240
3: 14:08:40.746055 10.1.1.82.1073 > 76.196.10.57.443: S 820187495:820187495 (0) win 64240
4: 14:08:42.048627 10.1.1.82.1074 > 76.196.10.57.60443: S 3309127022:3309127022 (0) win 64240
5: 14:08:42.120248 76.196.10.57.60443 > 10.1.1.82.1074: S 1715577781:1715577781 (0) ack 3309127023 win 5808
6: 14:08:42.120568 10.1.1.82.1074 > 76.196.10.57.60443:. ACK 1715577782 win 64240
7: 14:08:42.121102 10.1.1.82.1074 > 76.196.10.57.60443: P 3309127023:3309127147 (124) ack 1715577782 win 64240
8: 14:08:42.183553 76.196.10.57.60443 > 10.1.1.82.1074:. ACK 3309127147 win 5808
9: 14:08:42.232867 76.196.10.57.60443 > 10.1.1.82.1074: P 1715577782:1715578445 (663) ack 3309127147 win 5808
10: 14:08:42.405145 10.1.1.82.1074 > 76.196.10.57.60443:. ACK 1715578445 win 63577
11: 14:08:43.791340 10.1.1.82.1074 > 76.196.10.57.60443: P 3309127147:3309127345 (198) ack 1715578445 win 63577
12: 14:08:43.850450 76.196.10.57.60443 > 10.1.1.82.1074:. ACK 3309127345 win 6432
13: 14:08:44.028196 76.196.10.57.60443 > 10.1.1.82.1074: P 1715578445:1715578504 (59) ack 3309127345 win 6432
14: 14:08:44.058544 10.1.1.82.1074 > 76.196.10.57.60443: P 3309127345:3309127643 (298) ack 1715578504 win 63518
15: 14:08:44.116403 76.196.10.57.60443 > 10.1.1.82.1074:. ACK 3309127643 win 7504
16: 14:08:47.384654 76.196.10.57.60443 > 10.1.1.82.1074: P 1715578504:1715578882 (378) ack 3309127643 win 7504
17: 14:08:47.385417 76.196.10.57.60443 > 10.1.1.82.1074: 1715578882:1715578882 F (0) ack 3309127643 win 7504
18: 14:08:47.394068 10.1.1.82.1074 > 76.196.10.57.60443:. ACK 1715578883 win 63140
19: 14:08:47.394922 10.1.1.82.1074 > 76.196.10.57.60443: P 3309127643:3309127680 (37) ack 1715578883 win 63140
20: 14:08:47.395151 10.1.1.82.1074 > 76.196.10.57.60443: 3309127680:3309127680 F (0) ack 1715578883 win 63140
21: 14:08:47.457633 76.196.10.57.60443 > 10.1.1.82.1074: R 1715578883:1715578883 (0) win 0
22: 14:08:57.258073 10.1.1.82.500 > 76.196.10.57.500: udp 276
23: 14:08:57.336255 76.196.10.57.500 > 10.1.1.82.500: udp 40
24: 14:08:58.334211 10.1.1.82.500 > 76.196.10.57.500: udp 276
25: 14:08:58.412850 76.196.10.57.500 > 10.1.1.82.500: udp 40
26: 14:09:00.333311 10.1.1.82.500 > 76.196.10.57.500: udp 276
27: 14:09:00.410730 76.196.10.57.500 > 10.1.1.82.500: udp 40
28: 14:09:02.412561 10.1.1.82.1075 > 76.196.10.57.443: S 968016865:968016865 (0) win 64240
29: 14:09:04.349164 10.1.1.82.500 > 76.196.10.57.500: udp 276
30: 14:09:04.431648 76.196.10.57.500 > 10.1.1.82.500: udp 40
31: 14:09:05.442710 10.1.1.82.1075 > 76.196.10.57.443: S 968016865:968016865 (0) win 64240
32: 14:09:11.380427 10.1.1.82.1075 > 76.196.10.57.443: S 968016865:968016865 (0) win 64240
33: 14:09:12.349926 10.1.1.82.500 > 76.196.10.57.500: udp 276
34: 14:09:12.421502 10.1.1.82.1076 > 76.196.10.57.60443: S 3856215672:3856215672 (0) win 64240
35: 14:09:12.430794 76.196.10.57.500 > 10.1.1.82.500: udp 40
36: 14:09:12.481832 76.196.10.57.60443 > 10.1.1.82.1076: S 248909856:248909856 (0) ack 3856215673 win 5808
37: 14:09:12.527972 10.1.1.82.1076 > 76.196.10.57.60443:. ACK 248909857 win 64240
38: 14:09:12.529238 10.1.1.82.1076 > 76.196.10.57.60443: P 3856215673:3856215797 (124) ack 248909857 win 64240
39: 14:09:12.608275 76.196.10.57.60443 > 10.1.1.82.1076:. ACK 3856215797 win 5808
40: 14:09:12.658581 76.196.10.57.60443 > 10.1.1.82.1076: P 248909857:248910520 (663) ack 3856215797 win 5808
41: 14:09:12.664531 10.1.1.82.1076 > 76.196.10.57.60443: P 3856215797:3856215995 (198) ack 248910520 win 63577
42: 14:09:12.725533 76.196.10.57.60443 > 10.1.1.82.1076:. ACK 3856215995 win 6432
43: 14:09:12.880813 76.196.10.57.60443 > 10.1.1.82.1076: P 248910520:248910579 (59) ack 3856215995 win 6432
44: 14:09:12.892272 10.1.1.82.1076 > 76.196.10.57.60443: P 3856215995:3856216293 (298) ack 248910579 win 63518
45: 14:09:12.953029 76.196.10.57.60443 > 10.1.1.82.1076:. ACK 3856216293 win 7504
46: 14:09:12.955043 76.196.10.57.60443 > 10.1.1.82.1076: 248910579:248910579 F (0) ack 3856216293 win 7504
47: 14:09:12.955242 10.1.1.82.1076 > 76.196.10.57.60443:. ACK 248910580 win 63518
48: 14:09:12.955516 10.1.1.82.1076 > 76.196.10.57.60443: P 3856216293:3856216330 (37) ack 248910580 win 63518
49: 14:09:12.955730 10.1.1.82.1076 > 76.196.10.57.60443: 3856216330:3856216330 F (0) ack 248910580 win 63518
50: 14:09:13.019743 76.196.10.57.60443 > 10.1.1.82.1076: R 248910580:248910580 (0) win 0
51: 14:09:16.068691 10.1.1.82.500 > 76.196.10.57.500: udp 56
52: 14:09:16.227588 10.1.1.82.1077 > 76.196.10.57.60443: S 3657181617:3657181617 (0) win 64240
53: 14:09:16.283783 76.196.10.57.60443 > 10.1.1.82.1077: S 908773751:908773751 (0) ack 3657181618 win 5808
54: 14:09:16.306823 10.1.1.82.1077 > 76.196.10.57.60443:. ACK 908773752 win 64240
55: 14:09:16.307692 10.1.1.82.1077 > 76.196.10.57.60443: P 3657181618:3657181742 (124) ack 908773752 win 64240
56: 14:09:16.370998 76.196.10.57.60443 > 10.1.1.82.1077:. ACK 3657181742 win 5808
57: 14:09:16.411935 76.196.10.57.60443 > 10.1.1.82.1077: P 908773752:908774415 (663) ack 3657181742 win 5808
58: 14:09:16.417870 10.1.1.82.1077 > 76.196.10.57.60443: P 3657181742:3657181940 (198) ack 908774415 win 63577
59: 14:09:16.509388 76.196.10.57.60443 > 10.1.1.82.1077:. ACK 3657181940 win 6432
60: 14:09:16.708413 76.196.10.57.60443 > 10.1.1.82.1077: P 908774415:908774474 (59) ack 3657181940 win 6432
61: 14:09:16.887100 10.1.1.82.1077 > 76.196.10.57.60443: P 3657181940:3657182254 (314) ack 908774474 win 63518
62: 14:09:16.948193 76.196.10.57.60443 > 10.1.1.82.1077:. ACK 3657182254 win 7504
63: 14:09:19.698465 76.196.10.57.60443 > 10.1.1.82.1077: P 908774474:908774740 (266) ack 3657182254 win 7504
64: 14:09:19.699426 76.196.10.57.60443 > 10.1.1.82.1077: 908774740:908774740 F (0) ack 3657182254 win 7504
65: 14:09:20.060162 10.1.1.82.1077 > 76.196.10.57.60443:. ACK 908774741 win 63252
66: 14:09:20.062191 76.196.10.57.60443 > 10.1.1.82.1077: P 908774474:908774740 (266) ack 3657182254 win 7504
67: 14:09:20.063732 10.1.1.82.1077 > 76.196.10.57.60443:. ACK 908774741 win 63252
68: 14:09:20.063900 10.1.1.82.1077 > 76.196.10.57.60443: P 3657182254:3657182291 (37) ack 908774741 win 63252
69: 14:09:20.064098 10.1.1.82.1077 > 76.196.10.57.60443: 3657182291:3657182291 F (0) ack 908774741 win 63252
70: 14:09:20.127694 76.196.10.57.60443 > 10.1.1.82.1077: R 908774741:908774741 (0) win 0
70 packages shownWe had this problem of connection VPN IPsec from the years (I first thought it is restriction access problem, but it does not work or if I disable all access lists, experience of yesterday for the same restriction of the access-list shows longer than PC is not the cause). All suggestions and tips are greatly appreciated.
Sean
Hi Sean, please remove th lines highlighted in your pix and try and let me know, that these lines are not the default configuration of the PIX.
VPN-udp-class of the class-map
corresponds to the list of access vpn-udp-acl
vpn-udp-policy policy-map
VPN-udp-class
inspect the amp-ipsec
type of policy-card inspect dns migrated_dns_map_1
parameters
message-length maximum 768
Policy-map global_policy
class inspection_default
inspect the migrated_dns_map_1 dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the http
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
inspect the pptp
inspect the amp-ipsec
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
IP verify reverse path to the outside interface
Thank you
Rizwan James
-
ASA 5505 ipsec vpn connection fails
Hello
I'm trying to configure a Cisco ASA 5505 for Remote Clients.
I use the ASDM interface and used assistants start and ipsec for my setup, but im hit a stumbling block.
To last make it work 2 days I have tried a number of configuration changes to try to make this work but didn't, so I did a factory reset and passed by the assistants, once again, I have a clean Setup that I hope someone can help me.
Currently I have an IP public static 81.137.x.x and I use a Netgear ADSL router, which transfers (UDP 500) VPN traffic to 192.168.171.35 (port wan on the ASA 5505).
The Cisco ASA has a default address of 192.168.1.1
I use the Cisco Client 5.0.06.0160.
I have configured the client to use authentication group with the same credentials as configuration through the wizard and im using Transparent Tunneling IPSec over UDP.
I have attached 2 documents
running_config.txt - what is shows the current configuration of ASA
Journal - View.txt - display of error messages displayed in the real-time log viewer when I try to connect from the remote client.
I'm not sure if I need to do on the other that additional configurations for my setup simply run the wizards.
Any help would be appreciated.
Thank you
Hello Philippe,
According to the lines in the journal, there is a problem of routing for ip vpn applicant address. ASA couldn't find the definition of route suitable for the return traffic. Add a default route to unknown destinations could solve this problem. As I see you are using modem netgear as a default gateway for your ASA. I write example of command line for this purpose.
Route outside 0.0.0.0 0.0.0.0 NetGear_LAN_IP_Address 1
Ufuk Güler
-
Cisco 877 VPN router LAN access
I have spent much time already trying to figure out why I can't reach the LAN behind the router connecting through VPN, I thought it would be easier to ask people with more experience than me.
So, here he goes, this is the configuration of a router 877 adsl with some ACL defined for security and NAT/PAT, the VPN connects to customer VPN CIco however I don't see anything on the LAN to the remote computer (for example: cannot ping the router or server on the local network)
Also, since the router I can not ping the remote VPN computer when connected... I already tried a lot of different things, but my knowledge of cisco is limited, so I hope someone in this forum can sort it with little effort or change in this config... I replaced the ip addresses and passwords for security reasons.
In a Word, what is false or absent in this config which is not let me reach the LAN when docked hollow VPN?
Appreciate the help:
version 12.4
no service button
horodateurs service debug datetime msec
Log service timestamps datetime msec localtime
encryption password service
!
hostname My877Router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 XXXXXXXXXX
!
AAA new-model
!
!
AAA authentication login default local
connection of local AAA VPN authentication.
AAA authorization exec default local
local authorization AAA VPN network
!
!
AAA - the id of the joint session
clock timezone CST 9 30
!
Crypto pki trustpoint TP-self-signed-901674690
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 901674690
revocation checking no
rsakeypair TP-self-signed-901674690
!
!
TP-self-signed-901674690 crypto pki certificate chain
certificate self-signed 01
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
quit smoking
dot11 syslog
IP cef
!
!
inspect the IP router-traffic tcp name _OUTBOUND_
inspect the IP router traffic udp name _OUTBOUND_
inspect the name _OUTBOUND_ http IP
inspect the IP name _OUTBOUND_ https
inspect the IP dns _OUTBOUND_ name
inspect the IP router traffic icmp name _OUTBOUND_
no ip domain search
IP domain name mydomain.com.au
Name A.B.C.D IP-server
IP-name x.y.z.w Server
!
aes encryption password
!
!
username admin privilege 15 secret 5 #$% ^ & *.
Admin2 username privilege 15 secret 5 #$% ^ & *.
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
life 3600
!
ISAKMP crypto group configuration of VPN client
key 6 #$%^&_)(*&^%$%^&*(&^$
DNS 192.168.100.5
domain mydomain.com.au
pool VPN
ACL 100
Max-users 5
Max-Connections 1
netmask 255.255.255.0
!
86400 seconds, duration of life crypto ipsec security association
!
Crypto ipsec transform-set esp-3des esp-sha-hmac vpn1
!
Crypto-map dynamic dynmap 11
Set transform-set vpn1
market arriere-route
!
!
list of card crypto dynmap customer VPN authentication
card crypto dynmap VPN isakmp authorization list
client configuration address card crypto dynmap initiate
client configuration address card crypto dynmap answer
dynmap 11 card crypto ipsec-isakmp dynamic dynmap
!
Archives
The config log
hidekeys
!
!
!
type of class-card inspect VPN-match-all traffic
game group-access 100
!
!
type of policy-card inspect PCB-pol-outToIn
class type inspect VPN traffic
inspect
!
!
!
!
ATM0 interface
no ip address
no ip redirection
no ip unreachable
no ip proxy-arp
route IP cache flow
No atm ilmi-keepalive
PVC 8/35
aal5mux encapsulation ppp Dialer
Dialer pool-member 1
!
DSL-automatic operation mode
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
Description LAN_INTERFACE
IP 192.168.100.1 address 255.255.255.0
no ip redirection
no ip proxy-arp
IP nat inside
IP virtual-reassembly
route IP cache flow
IP tcp adjust-mss 1452
!
interface Dialer0
ADSL description
the negotiated IP address
IP access-group 101 in
Check IP unicast reverse path
no ip redirection
no ip unreachable
no ip proxy-arp
inspect the _OUTBOUND_ over IP
NAT outside IP
IP virtual-reassembly
encapsulation ppp
route IP cache flow
Dialer pool 1
No cdp enable
Authentication callin PPP chap Protocol
PPP chap hostname [email protected] / * /
PPP chap 7 76478678786 password
card crypto dynmap
!
local pool IP VPN 192.168.200.1 192.168.200.10
IP forward-Protocol ND
IP route 0.0.0.0 0.0.0.0 Dialer0
!
no ip address of the http server
local IP http authentication
no ip http secure server
IP http timeout policy slowed down 60 life 86400 request 10000
IP nat inside source static tcp 192.168.100.9 443 interface Dialer0 443
IP nat inside source static tcp 192.168.100.9 25 interface Dialer0 25
IP nat inside source static tcp 192.168.100.9 1352 Dialer0 1352 interface
IP nat inside source static tcp 192.168.100.6 3389 3389 Dialer0 interface
IP nat inside source static tcp 192.168.100.7 3389 interface Dialer0 3391
IP nat inside source static tcp 192.168.100.3 8443 interface Dialer0 8443
the IP nat inside source 1 interface Dialer0 overload list
!
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.200.0 0.0.0.255 any
access-list 101 permit tcp any any eq 443 newspaper
access-list 101 permit tcp any any eq smtp newspaper
access-list 101 permit tcp any any eq 1352 newspaper
access-list 101 permit tcp A.B.C.D host any newspaper
access-list 101 permit tcp host x.y.z.w any log
access-list 101 permit tcp host r.t.g.u any log
access-list 101 permit udp any host x.x.x.x eq isakmp newspaper
access-list 101 permit udp any host y.y.y.y eq non500-isakmp log
access-list 101 deny ip any any newspaper
access-list 102 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255 connect
access-list 102 permit ip 192.168.100.0 0.0.0.255 any what newspaper
Dialer-list 1 ip protocol allow
not run cdp
!
!
route allowed sheep 11 map
corresponds to the IP 102
!
!
control plan
!
Banner motd ^ C
Unauthorized access prohibited! ^ C
!
Line con 0
exec-timeout 20 0
no activation of the modem
line to 0
line vty 0 4
privilege level 15
entry ssh transport
!
max-task-time 5000 Planner
x.x.x.x SNTP server
y.y.y.y SNTP server
endMy877Router #.
Doesn't look like anything sent through the VPN tunnel. Decrypt the counter does not increase.
Can you please try to connect by a different ISP and see if that makes a difference?
You can also try to connect from another PC and see if that makes a difference?
The configuration on the router seems correct to me.
-
How to block an IP address with a WRVS4400N router?
I have kept an eye on my label of report IPS lately and have observed a large number of attacks ICMP_SMURF and BACK from the Chinese ip address. I know that I can probably block the ip criminalized through the ip acl tab according to the firewall settings, but I'm kind of a newbie
Everyone keeps to view an example of how I can block certain ip addresses to my router?
Hmm. honestly: If you have difficulties of implementation through this before web interface very simple and right you should either not do it at all (or may cause more pose a problem and then nothing) or have someone else who knows these things for you to do...
You create a new rule:
Action: reject
Service: all THE
Journal: not verified
Connect the prefix: vacuum
Interface source: WAN
Source: Single - IP address internet address should be blocked
Destination: ANY
Scheduling: by default, i.e. at any time.That's all.
The default allow rule everything should appear as 2 rule in the ACL table then. If not, you will need to add a 2nd rule allowing all traffic, as does the default rule. Rules are evaluated in the order in order until a match is found.
-
Bug of Linksys WRT54GC Mode of operation of "router"?
I use a Linksys WRT54GC router and I experience a behavior that I don't expect.
You give me your opinion?
This is the case:My assumption of "Gateway" or "Router" operating Mode is:
Gateway mode means NAT that makes invisible LAN subnet side WAN addresses. NAT is disabled by activating the Mode of operation of 'Gateway' to 'router '.I have connected a PC (192.168.2.100) to port the router WAN and another (192.168.23.100) PC on a LAN (192.168.23.1) of the router (192.168.2.2) port.
When I switch my WRT54GC "Router" mode I can't always ping the PC on the site of the side router LAN WAN. SPI Firewall protection and block anonymous Internet requests are disabled. Firewalls on both computers is disabled.I saw a similar problem at the forum "Connecting two routers via WAN" 08/28/2008 Victor Tang.
Don't you think that it is a bug in the mode of operation of the WRT54GC software?
I reported the bug to Linksys.
My first experience with Linksys technical support is very good.
They take the serious problem, ask for the discharge of Wireshark and send me an update of the firmware of the router.
This fixes the bug with the mode of operation, now I can without NAT on and outside, very well!
I don't have firmware update earlier because the release notes did not mention my bug, I read in the forum a lot of users having problems after the update of the firmware, so I followed the policy do not update unless it can solve your problem.
There are some things perhaps worth mentioning:
You should be careful to use the right firmware for your router.
Not only the model of the router is too important, the hardware version and too country!
I've got a WRT54GC, hardware version 1, and it is the type of the EU.
Of this material, there's also a different US with versions of firmware version!
The latest version of the firmware to the US type is v1.60.1, the latest version of the EU type is 1.60.0 v.
Thus, you should take care of this website, you download the update to get the right version and read the release notes. These release notes, you can check if your current firmware version is part of the history of this firmware, so you know that you have the right one. I was so very accurate because many have reported problems in the forum with updates.
Now I'm able to Exchange traffic between computers and printers in different subnets and I can access the Internet from each subnet gateway I want.
It is important to think about the configuration of your PC and routing tables.
The firewall on the computers must be configured on the additional subnet.
A PC has a default gateway to reach a device on another subnet.
Most of the time these are devices on the Internet, so if you create additional internal subnets that your traffic will be by default will be send to the Internet and will be lost. To define additional gateways where your additional subnet can be found to avoid this.
This can be done on a PC with the command: route add
(IE 192.168.23.0 mask 255.255.255.0 192.168.2.2) or you define a static route to your router (the latter is preferable). The problems I've had, forced me to consider how does networking, with the help of the users on this forum, I would conclude that this is a bug, with the support of very good Linksys everything now works as expected.
Thank you.
-
Hello people,
I am trying to set up a 1200 - straight out of the box, so by default (no radio on, set to receive the IP from a DHCP server, etc..).
Our guy periphery who would normally install this kit has resigned with notice very short and took all the information with him... so I went trying to set up this device with no information another PDF I downloaded from Cisco.
My normal line of work is to install PC-based process control systems, so I'm used to dealing with networks, even though CAN-Bus, Profibus and these other flavors - however, I also installed "wired ethernet", so to understand the basics and I'm very practical.
I made my own console drive and can now sucessfully communicate with the 1200 via a Hyperterminal session. I've set up an IP address and some other basic elements, but I'm stuck now. I am trying to connect to the unit of 1200 via the ethernet port to use the graphical interface to continue setting up (because I guess that's the easiest way for someone like me). However, I can't connect to the 1200 that way - and Yes, I have updated my PC network card an IP in the same range etc. and uses a cable etc. I also installed an applet called "IPSU", and who cannot 'see' the 1200 either.
When I'm in a console session, if I use the 'Ping' command built into the 1200 software, I get a success report of 100% in the INVESTIGATION period, I have implemented in the 1200 (do not know if this prooves anything if...)
Is there a PDF primer that explains all the choices that are available in the CLI?
How to invoke the "express setup" option in the console?
Hope someone can help me with what must seem like basics to you guys...
PS - It could be useful that I describe my request... It's really basic, base if I could do it with one (I dare say) type, but for the beach consumer product I need (so 'good' antenna's agenda). I hang the 1200 to a switch that is part of a system of environmental control effect of greenhouse. The AP is to allow farmers freedom to walk around the greenhouse with HP IPAQ, so that they can be in contact with the PC, who oversees the various control systems, the host PC performs a very locked down NT4.5 platform with a WEB server set up. The IPAQ simply uses their internet Explorer integrated app to post a link to the host through the AP. We've done that before, but then our network guys left us, as I explained above... ho - hum!
Part of the problem may be where you applied your IP address.
You should put your IP address on the "BVI1" interface, not the ethernet or radios.
BVI stands for "Virtual Interface bridged" and is the logic element that identifies the management system.
IPSU is a simple utility to assign an address without having to the console in the AP. To use IPSU, you need either the MAC assress (to get or set an IP address) or IP address (for the MAC of the AP).
As you mentioned, once you have an IP address on the BVI UI:
Enable
config t
int BVI1
IP addr xx.xx.xx.xx mm.mm.mm.mm (k-x is address, me s are the mask)
No tap
^ Z (; Control Z - back mode)
You should be able to use a web browser to complete the configuration via the GUI (including an "Express Setup")
If you browse through your locked-down system, you may need to loosen to the top of your firewall software (if you have one) to allow traffic.
The default value is SSID for Cisco 'tsunami' - with the AP connected to the wired network and your clients configured for the SSID "tsunami", you should be able to pass traffic back and forth. The IP address of the access point is strictly for management.
From the console, you can check the status of the interfaces with a 'show ip interface brief' (abbreviated as sh ip int br) it will show you the address and the State of each interface he knows.
In regards to the primer, start with the "Configuration Guides" (do a search on the main site on 'AP1200 configuration Guide').
There is also a guide to the CLI commands, but I think you need a paid account of Cisco SmartNet for access. It used to be on the same pages with the software download pages.
I hope that you get, so we can get you the information that will allow to continue with the configuration of the system (encryption, authorization, etc.).
Good luck
Scott
-
LAN-to-LAN tunnel between VPN 3000 and Cisco 1721
Hello
I have a current LAN-to-LAN tunnel configuration between VPN 3000 (3.6) and Cisco 1721 (12.2 (11) T).
When I use the encryption = authentication and Des-56 = ESP\MD5\HMAC-128 for the IPSec Security Association, everything works fine.
However, I would like to Turn off encryption for some time getting the speed improvements, so I changed
Encryption = null esp (in 1721) and to "null" in VPN-3000.
Now the tunnel is setup but I can spend only ICMP traffic. When I pass the traffic UDP\TCP the message below appears the Cisco 1721
% C1700_EM-1-ERROR: error in packet-rx: pad size error, id 75, hen offset 0
Has anyone seen this behavior?
All those put in place an IPSec Tunnel with only the ESP authentication and NO encryption between VPN-3000 and Cisco 1721?
Thanx------Naman
Naman,
Disable you the vpn Accelerator? "no accel crypto engine. Sure that you can't do with a null module vpn.
Kurtis Durrett
-
Two interfaces WAN ISP in the same network
Hello world
I am faced with a really simple but delicate scenario. My ISP gives me IP addresses public 2, both in the same network. They also gave me the default gateway which is of course in the same network too.
I need two fully operational ip addresses, but I realized that I can't have two interfaces (routed interfaces) in the same network segment. I have just a single router (Cisco 2911). A friend told me that I might be able to set this up using VRF, but as far as I have read, there is no way to use VRF to achieve this.
Is it possible to use two (or more) ip addresses to redirect traffic to the same default gateway in the same router?
Thank you!
Miguel
Hi Miguel,.
If you want just your 2911 have set up two public IP addresses, you can set one of them as secondary IP address. Suppose that 192.0.2.1/29 is your default gateway, and 192.0.2.2/29 and 192.0.2.3/29 are your IP addresses. So to have both configured, you'd:
interface Gigabit0/0/0 ip address 192.0.2.2 255.255.255.248 ip address 192.0.2.3 255.255.255.248 secondary
And voila - that should do the trick :) Best regards, Peter
Maybe you are looking for
-
How to replace keyboard on Pavilion dv4-1548
I am trying to replace the keyboard on my laptop Pavilion DV4-1548. Any help would be appreciated. Thanx.
-
error message when you try to use outlook express 6
I tried for a less than 2 weeks. to send mails from craigslist & they are not sent. always an error message. Help
-
Windows Media Player 12 - How can you save a video?
Sounds stupid I know! but cannot find "" file, save as ". When I play music, I have the upper tool bar file, display, game tools, help. I opened a video and the best I can find is save as playlist. In WMP 11, I had the top toolbar and could use the f
-
False positive for test seek funnel with Dell PC Checkup?
I run PC Checkup of Dell occasionally and the other day I ran and got a failure for a WD 2 TB my Passport (external USB) drive. Specifically, according to Dell PC Checkup, he failed to test search funnel. I had no problem with the drive at all, so I
-
5.2 of the ACS and Cisco ACE RBAC does not...
Would be grateful for help here if it can be provided. I am configuring GANYMEDE auth for a Cisco ACE through our 5.2 ACS server. I think that I installed everything correctly but when I connect with my GANYMEDE account it gives me only monitor netwo