Traffic UDP 8905 to default GW

Hello

I NAC deployment mode L2 OOB VGW and everything works fine. We see the FWSM, that has the L3 interface for VIRTUAL, bombarded by UDP port 8905 traffic local network access. I think that it is the case even after the PC have changed for access to the VLANS (as I see them in the list of online users and their switchport is in VIRTUAL local network access. Is this normal and how can we stop it from happening? I'm the host of the default discovery that is the IP of the CAM which of course is on a separate subnet. Please let me know

Thank you

Shaffeel

Shaffeel,

You are right on both counts.

HTH,

Faisal

Tags: Cisco Security

Similar Questions

  • ASA - that allows HTTP return traffic?

    Hello

    I'm just playing with a few ASA and ask yourself which allows return HTTP traffic in the firewall? Also, what other traffic is allowed by default as HTTP?

    Traffic is from a security interface upper (inside, 100) to a lower (outside, 0) security interface. There is no ACLs not applied on all interfaces.

    I ask because ICMP does not work unless inspection is on (global service-policy global_policy).

    Thanks for any help.

    Firewalls like ASA is with State so for TCP and UDP (albeit with UDP State is handled a little differently) if traffic is allowed a way it automatically allows him back.

    So, when a connection is initiated, if it is permitted through the firewall that is recorded in the table of the State and when the return package arrives at the firewall level, if there is a matching entry, the traffic is allowed and there is no verification of the acl.

    Registration is made on the IP source and destination port numbers, and for TCP it has also used the connection indicators.

    ICMP uses ports so initially, that she could not be redirected and you had to allow him to return with an acl (if the traffic was less than the increase security level).

    But then stateful inspection has been added for ICMP, as well, but you still must activate it Unlike TCP and UDP.

    Jon

  • balanced traffic share

    Could someone tell me what the command

    The link below is very explicit.

    http://www.Cisco.com/en/us/Tech/tk365/technologies_tech_note09186a008009437d.shtml

    I used the controls only in laboratories.

    Balanced traffic share is the default setting. So this means, that with a touch of "variance" command that you will have a share of traffic.

    Share of traffic min is a configurable parameter and is useful in situations where you have a DS3 and a T1 connecting two routers (for example). You want the links to use for load balancing, but the preferred path is the DS3.

    I think that "balanced traffic sharing" has been designed as an equivalent command to disable 'sharing of traffic minutes.

    shares of balanced traffic = no traffic-share min

  • ASA 8.4. (1) VPN L2L can only be established through default gateway

    Hi all!

    We have an ASA 5510, with two internet connections. A destined for VPN l2l and the other to access inet users in general.

    On asa 8.04, I configured the encryption on inteface "VPNAccess" card and a static route on the remote peer L2L with access internet VPN, the default rotue pointed the router General inet.

    We bought a new firewall with 8.4.1 and now asa only tries to open the remote if peer traffic is on the default gateway.

    It does not take into account routes more specific (I mean longer masks) and always tries to use the gateway by default, but only for VPN, if I do a trace to that peer route, it uses the routing table correctly.

    Any advice?

    Thank you!

    Well well, (any, any) certainly does not help.

    You need to be more specific, otherwise, even once, as suggested earlier, he does not know which interface to use because you don't have specify it.

    In addition, you must also be precise with the source network and destination. Otherwise, the firewall will not know which interface the subnet should be connected to.

    More precise best for NAT statement.

    NAT (, PublicTESAVPNBackup) source static static destination

  • Client VPN access to VLAN native only

    I have a router 2811 (config below) with VPN set up.  I can connect through the VPN devices and access on the VLAN native but I can't access the 10.77.5.0 (VLAN 5) network (I do not access the 10.77.10.0 - network VLAN 10).  This question has been plagueing me for quite a while.  I think it's a NAT device or ACL problem, but if someone could help me I would be grateful.  Client VPN IP pool is 192.168.77.1 - 192.168.77.10.  Thanks for the research!

    Current configuration: 5490 bytes

    !

    version 12.4

    horodateurs service debug datetime msec

    Log service timestamps datetime msec

    encryption password service

    !

    2811-Edge host name

    !

    boot-start-marker

    boot-end-marker

    !

    enable secret 5 XXXX

    !

    AAA new-model

    !

    AAA authentication login userauthen local

    AAA authorization groupauthor LAN

    !

    AAA - the id of the joint session

    !

    IP cef

    No dhcp use connected vrf ip

    DHCP excluded-address IP 10.77.5.1 10.77.5.49

    DHCP excluded-address IP 10.77.10.1 10.77.10.49

    !

    dhcp Lab-network IP pool

    import all

    Network 10.77.5.0 255.255.255.0

    router by default - 10.77.5.1

    !

    pool IP dhcp comments

    import all

    Network 10.77.10.0 255.255.255.0

    router by default - 10.77.10.1

    !

    domain IP HoogyNet.net

    inspect the IP router-traffic tcp name FW

    inspect the IP router traffic udp name FW

    inspect the IP router traffic icmp name FW

    inspect the IP dns name FW

    inspect the name FW ftp IP

    inspect the name FW tftp IP

    !

    Authenticated MultiLink bundle-name Panel

    !

    voice-card 0

    No dspfarm

    !

    session of crypto consignment

    !

    crypto ISAKMP policy 1

    BA aes 256

    preshared authentication

    Group 2

    life 7200

    !

    Configuration group customer isakmp crypto HomeVPN

    key XXXX

    HoogyNet.net field

    pool VPN_Pool

    ACL vpn

    Save-password

    Max-users 2

    Max-Connections 2

    Crypto isakmp HomeVPN profile

    match of group identity HomeVPN

    client authentication list userauthen

    ISAKMP authorization list groupauthor

    client configuration address respond

    !

    Crypto ipsec transform-set esp - aes 256 esp-sha-hmac vpn

    !

    Crypto-map dynamic vpnclient 10

    Set transform-set vpn

    HomeVPN Set isakmp-profile

    market arriere-route

    !

    dynamic vpn 65535 vpnclient ipsec-isakmp crypto map

    !

    username secret privilege 15 5 XXXX XXXX

    username secret privilege 15 5 XXXX XXXX

    Archives

    The config log

    hidekeys

    !

    IP port ssh XXXX 1 rotary

    !

    interface Loopback0

    IP 172.17.1.10 255.255.255.248

    !

    interface FastEthernet0/0

    DHCP IP address

    IP access-group ENTERING

    NAT outside IP

    inspect the FW on IP

    no ip virtual-reassembly

    automatic duplex

    automatic speed

    No cdp enable

    vpn crypto card

    !

    interface FastEthernet0/1

    no ip address

    automatic duplex

    automatic speed

    No cdp enable

    !

    interface FastEthernet0/1.1

    encapsulation dot1Q 1 native

    IP 10.77.1.1 255.255.255.0

    IP nat inside

    IP virtual-reassembly

    !

    interface FastEthernet0/1.5

    encapsulation dot1Q 5

    IP 10.77.5.1 255.255.255.0

    IP nat inside

    IP virtual-reassembly

    !

    interface FastEthernet0/1.10

    encapsulation dot1Q 10

    IP 10.77.10.1 255.255.255.0

    IP access-group 100 to

    IP nat inside

    IP virtual-reassembly

    !

    interface FastEthernet0/0/0

    no ip address

    Shutdown

    automatic duplex

    automatic speed

    !

    interface FastEthernet0/1/0

    no ip address

    Shutdown

    automatic duplex

    automatic speed

    !

    router RIP

    version 2

    10.0.0.0 network

    network 172.17.0.0

    network 192.168.77.0

    No Auto-resume

    !

    IP pool local VPN_Pool 192.168.77.1 192.168.77.10

    no ip forward-Protocol nd

    !

    IP http server

    no ip http secure server

    overload of IP nat inside source list NAT interface FastEthernet0/0

    !

    IP extended INBOUND access list

    permit tcp any any eq 2277 newspaper

    permit any any icmp echo response

    allow all all unreachable icmp

    allow icmp all once exceed

    allow tcp any a Workbench

    allow udp any any eq isakmp

    permit any any eq non500-isakmp udp

    allow an esp

    allowed UDP any eq field all

    allow udp any eq bootps any eq bootpc

    NAT extended IP access list

    IP 10.77.5.0 allow 0.0.0.255 any

    IP 10.77.10.0 allow 0.0.0.255 any

    IP 192.168.77.0 allow 0.0.0.255 any

    list of IP - vpn access scope

    IP 10.77.1.0 allow 0.0.0.255 192.168.77.0 0.0.0.255

    IP 10.77.5.0 allow 0.0.0.255 192.168.77.0 0.0.0.255

    !

    access-list 100 permit udp any eq bootpc host 255.255.255.255 eq bootps

    access-list 100 permit udp host 0.0.0.0 eq bootpc host 10.77.5.1 eq bootps

    access-list 100 permit udp 10.77.10.0 0.0.0.255 eq bootpc host 10.77.5.1 eq bootps

    access-list 100 deny tcp 10.77.10.0 0.0.0.255 any eq telnet

    access-list 100 deny ip 10.77.10.0 0.0.0.255 10.77.5.0 0.0.0.255

    access-list 100 deny ip 10.77.10.0 0.0.0.255 10.77.1.0 0.0.0.255

    access ip-list 100 permit a whole

    !

    control plan

    !

    Line con 0

    session-timeout 30

    password 7 XXXX

    line to 0

    line vty 0 4

    Rotary 1

    transport input telnet ssh

    line vty 5 15

    Rotary 1

    transport input telnet ssh

    !

    Scheduler allocate 20000 1000

    !

    WebVPN cef

    !

    end

    If you want to say, that after the way nat rules which I have proposed, you lost the connection to the VLAN native, so yes, it's because the subnet VLANs native has not been included in this acl with Deny statement. So that the ACL should look like this:

    NAT extended IP access list

    deny ip 10.77.5.0 0.0.0.255 192.168.77.0 0.0.0.255

    deny ip 10.77.1.0 0.0.0.255 192.168.77.0 0.0.0.255 //This is not respected

    allow an ip

    In addition, if you want to go throug the other tunnel inside the subnet not listed above, then you should include that subnet to the NAT exemption rule with Deny statement.

  • Configuration of remote VPN on 2811 boredom

    I try to configure VPN remote access for customers, but could not connect remotely using Cisco VPN client.  This is the current configuration on the router.  I think I'm almost there and may miss a few commands.  Thank you very much for the research.

    Current configuration: 4758 bytes

    !

    version 12.4

    horodateurs service debug datetime msec

    Log service timestamps datetime msec

    encryption password service

    !

    FCC-1811-router host name

    !

    boot-start-marker

    boot-end-marker

    !

    enable secret 5 XXXX

    !

    AAA new-model

    !

    AAA authentication login vpnauthen local

    AAA authorization vpnauthor LAN

    !

    AAA - the id of the joint session

    !

    IP cef

    No dhcp use connected vrf ip

    DHCP excluded-address IP 10.35.5.1 10.35.5.49

    DHCP excluded-address IP 10.35.5.100 10.35.5.254

    DHCP excluded-address IP 10.35.10.1 10.35.10.9

    !

    FCC-Admin dhcp IP pool

    import all

    Network 10.35.5.0 255.255.255.0

    router by default - 10.35.5.1

    !

    pool IP dhcp FCC comments

    import all

    Network 10.35.10.0 255.255.255.0

    router by default - 10.35.10.1

    !

    IP domain name faithcountrychapel.net

    inspect the IP router-traffic tcp name FW

    inspect the IP router traffic udp name FW

    inspect the IP router traffic icmp name FW

    inspect the IP dns name FW

    inspect the name FW ftp IP

    inspect the name FW tftp IP

    property intellectual auth-proxy max-nodata-& 3

    property intellectual admission max-nodata-& 3

    !

    voice-card 0

    No dspfarm

    !

    username secret privilege 15 5 XXXX XXXX

    username secret privilege 15 5 XXXX XXXX

    username secret privilege 15 5 XXXX XXXX

    !

    crypto ISAKMP policy 10

    BA 3des

    preshared authentication

    Group 2

    !

    Configuration group customer isakmp crypto FCCVPN

    key XXXX

    pool vpnpool

    !

    Crypto ipsec transform-set esp-3des esp-md5-hmac vpnset

    !

    Crypto-map dynamic dynmap 10

    Set transform-set vpnset

    !

    card crypto client vpnmap of authentication list vpnauthen

    card crypto isakmp authorization list vpnauthor vpnmap

    client configuration address card crypto vpnmap answer

    vpnmap 10 card crypto ipsec-isakmp dynamic dynmap

    !

    interface Loopback0

    IP 172.16.1.1 255.255.255.240

    !

    interface FastEthernet0/0

    DHCP IP address

    IP access-group ENTERING

    NAT outside IP

    inspect the FW on IP

    no ip virtual-reassembly

    automatic duplex

    automatic speed

    No cdp enable

    vpnmap card crypto

    !

    interface FastEthernet0/1

    no ip address

    automatic duplex

    automatic speed

    No cdp enable

    !

    interface FastEthernet0/1.1

    encapsulation dot1Q 1 native

    IP 10.35.1.1 255.255.255.0

    IP nat inside

    IP virtual-reassembly

    !

    interface FastEthernet0/1.5

    encapsulation dot1Q 5

    IP 10.35.5.1 255.255.255.0

    IP nat inside

    IP virtual-reassembly

    !

    interface FastEthernet0/1.10

    encapsulation dot1Q 10

    IP 10.35.10.1 255.255.255.0

    IP access-group 100 to

    IP nat inside

    IP virtual-reassembly

    !

    IP local pool vpnpool 10.35.5.200 10.35.5.254

    no ip forward-Protocol nd

    IP http server

    no ip http secure server

    overload of IP nat inside source list NAT interface FastEthernet0/0

    !

    IP extended INBOUND access list

    permit any any icmp echo response

    allow all all unreachable icmp

    allow icmp all once exceed

    permit tcp any any eq 22

    allow tcp any a Workbench

    allowed UDP any eq field all

    allow udp any eq bootps any eq bootpc

    NAT extended IP access list

    IP 10.35.5.0 allow 0.0.0.255 any

    IP 10.35.10.0 allow 0.0.0.255 any

    !

    access-list 100 permit udp any eq bootpc host 255.255.255.255 eq bootps

    access-list 100 permit udp host 0.0.0.0 eq bootpc host 10.35.5.1 eq bootps

    access-list 100 permit udp 10.35.10.0 0.0.0.255 eq bootpc host 10.35.5.1 eq bootps

    access-list 100 deny tcp 10.35.10.0 0.0.0.255 any eq telnet

    access-list 100 deny ip 10.35.10.0 0.0.0.255 10.35.5.0 0.0.0.255

    access-list 100 deny ip 10.35.10.0 0.0.0.255 10.35.1.0 0.0.0.255

    access ip-list 100 permit a whole

    !

    control plan

    !

    Line con 0

    password 7 XXXX

    line to 0

    line vty 0 4

    transport input telnet ssh

    line vty 5 15

    transport input telnet ssh

    !

    Scheduler allocate 20000 1000

    !

    end

    It should probably add this to your INBOUND acl

    allow udp any any eq isakmp

    permit any any eq 4500 udp

    allow an esp

  • Site to Site VPN issues

    Hello

    I have created a new site to site vpn connection and can't know why it does not work.

    All other VPN site-to-site work properly. The news, the problem is MATCHJLS. Could anyone recommend measures to correct?

    !

    vpn hostname

    domain name

    activate the encrypted password of Pp6RUfdBBUU

    ucU7iJnNlZ passwd / encrypted

    names of

    DNS-guard

    !

    interface Ethernet0/0

    nameif outside

    security-level 0

    IP address 87.117.xxx.xx 255.255.255.252

    !

    interface Ethernet0/1

    nameif inside

    security-level 100

    IP address 78.129.xxx.x 255.255.255.128

    !

    interface Ethernet0/2

    Shutdown

    No nameif

    no level of security

    no ip address

    !

    interface Ethernet0/3

    Shutdown

    No nameif

    no level of security

    no ip address

    !

    interface Management0/0

    Shutdown

    No nameif

    no level of security

    no ip address

    !

    boot system Disk0: / asa822 - k8.bin

    passive FTP mode

    DNS server-group DefaultDNS

    domain msiuk.com

    permit same-security-traffic inter-interface

    DM_INLINE_TCP_1 tcp service object-group

    EQ port 3389 object

    EQ object of port 8080

    port-object eq www

    EQ object of the https port

    Http81 tcp service object-group

    port-object eq 81

    DM_INLINE_TCP_3 tcp service object-group

    port-object eq 81

    port-object eq www

    the DM_INLINE_NETWORK_1 object-group network

    host of the object-Network 172.19.60.52

    host of the object-Network 172.19.60.53

    host of the object-Network 172.19.60.68

    host of the object-Network 172.19.60.69

    host of the object-Network 172.19.60.84

    host of the object-Network 172.19.60.85

    host of the object-Network 172.19.60.86

    access-list extended basic permit icmp any any echo response

    access-list extended basic permit icmp any one time exceed

    access-list extended basic permit tcp any host 78.129.xxx.xx eq 8731

    access-list extended basic permit tcp any host 78.129.xxx.xx eq www

    access-list extended basic permit tcp any host 78.129.xxx.xx DM_INLINE_TCP_3 object-group

    access-list extended basic permit tcp any host 78.129.xxx.xx eq www

    access-list extended basic permit tcp any host 78.129.xxx.xx eq www

    access-list extended basic permit tcp any host 78.129.xxx.xx eq www inactive

    access-list extended basic permit tcp any host 78.129.xxx.xx eq www

    access-list extended basic permit tcp any host 78.129.xxx.xx eq https

    access-list extended basic permit tcp any host 78.129.xxx.xx eq https

    access-list extended basic permit tcp any host 78.129.xxx.xx

    permit access-list extended basic host tcp 94.128.xxx.xx 78.129.xxx.xx 255.255.255.128 DM_INLINE_TCP_1 object-group

    access-list extended SHEEP allowed ip 10.1.1.0 255.255.255.0 10.255.255.0 255.255.255.0

    Standard access list SPLITTUN allow 78.129.xxx.xx 255.255.255.128

    SPLITTUN list standard access allowed 10.1.1.0 255.255.255.0

    access list allow extended permit ip any one

    MATCHVPN1 list extended access permit ip host host 78.129.xxx.xx 212.118.157.203

    MATCHVPN2 list of allowed ip extended access all 212.118.xxx.xx 255.255.255.0

    SMTP-NAT extended permit tcp host 78.129.xxx.xx access list any eq smtp

    MATCHVPN3 list extended access permitted ip 78.129.xxx.xx 255.255.255.224 host 10.180.xxx.xx

    MATCHVPN3 list extended access permitted ip 78.129.xxx.xx 255.255.255.224 host 10.180.xxx.xx

    MATCHVPN3 list extended access permitted ip 78.129.xxx.xx 255.255.255.224 host 10.180.xxx.xx

    MATCHVPN4 list extended access permit ip host 78.129.xxx.xx host 172.16.xxx.xx

    MATCHVPN4 list extended access permitted ip 78.129.xxx.xx 255.255.255.248 host 172.16.xxx.xx

    MATCHVPN4 list extended access permitted ip 78.129.xxx.xx 255.255.255.248 host 172.17.xxx.xx

    MATCHVPN4 list extended access permitted ip 78.129.xxx.xx 255.255.255.248 host 172.16.xxx.xx

    MATCHVPN4 list extended access permitted ip 78.129.xxx.xx 255.255.255.248 host 172.16.xxx.xx

    Access list extended ip 78.129.151.0 MATCHJLS allow 255.255.255.128 DM_INLINE_NETWORK_1 object-group

    pager lines 24

    Enable logging

    asdm of logging of information

    Outside 1500 MTU

    Within 1500 MTU

    local IP LOCPOOL 10.255.255.1 pool - 10.255.255.254

    ICMP unreachable rate-limit 1 burst-size 1

    ASDM image disk0: / asdm-625 - 53.bin

    don't allow no asdm history

    ARP timeout 14400

    Global (1 interface external)

    NAT (inside) 0 access-list SHEEP

    Access SMTP-NAT NAT (inside) 1 list

    NAT (inside) 1 10.1.1.0 255.255.255.0

    NAT (inside) 1 10.2.2.0 255.255.255.0

    Access-group basic in external interface

    Access-group allow external interface

    Access-group allow the interface inside

    Access-group allow the interface inside

    Route outside 0.0.0.0 0.0.0.0 87.117.213.65 1

    Route inside 10.1.1.0 255.255.255.0 78.129.151.2 1

    Route inside 10.2.2.0 255.255.255.0 78.129.151.2 1

    Route inside 10.33.67.0 255.255.255.0 78.129.151.26 1

    Route 172.20.xxx.xx 255.255.255.0 inside 78.129.xxx.xx 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    dynamic-access-policy-registration DfltAccessPolicy

    AAA authentication enable LOCAL console

    the ssh LOCAL console AAA authentication

    Enable http server

    http 0.0.0.0 0.0.0.0 outdoors

    No snmp server location

    No snmp Server contact

    Crypto ipsec transform-set esp-3des esp-md5-hmac VPN3DES

    Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

    Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

    Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

    Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

    Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

    Crypto ipsec transform-set esp-3des esp-sha-hmac asa2transform

    Crypto ipsec transform-set esp-3des esp-md5-hmac kwset

    Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

    Crypto ipsec transform-set esp-3des esp-sha-hmac jlstransformset

    Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

    Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

    life crypto ipsec security association seconds 28800

    Crypto ipsec kilobytes of life - safety 4608000 association

    set of 10 DYNOMAP crypto dynamic-map transform-set VPN3DES

    card crypto VPNPEER 1 corresponds to the address MATCHJLS

    card crypto VPNPEER 1 set peer 94.128.xxx.xx

    card crypto VPNPEER 1 the value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

    card crypto VPNPEER 10 corresponds to the address MATCHVPN3

    card crypto VPNPEER 10 set peer 94.128.xxx.xx

    crypto VPNPEER 10 the transform-set jlstransformset value card

    card crypto VPNPEER 10 set nat-t-disable

    card crypto VPNPEER 30 corresponds to the address MATCHVPN2

    card crypto VPNPEER 30 212.118.xxx.xx peer value

    card crypto VPNPEER 30 value transform-set ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

    crypto VPNPEER 30 the value reverse-road map

    card crypto VPNPEER 40 corresponds to the address MATCHVPN4

    VPNPEER 40 crypto map set peer 94.128.xxx.xx

    crypto VPNPEER 40 the transform-set kwset value card

    card crypto VPNPEER 50 corresponds to the address MATCHVPN3

    card crypto VPNPEER 50 set pfs

    card crypto VPNPEER 50 set peer 94.128.xxx.xx

    card crypto VPNPEER 50 set ESP ESP-3DES-SHA transform-set kwset DES-ESP-MD5-DES-SHA

    card crypto VPNPEER 50 set nat-t-disable

    card crypto VPNPEER 100-isakmp dynamic ipsec DYNOMAP

    VPNPEER interface card crypto outside

    crypto ISAKMP allow outside

    crypto ISAKMP policy 1

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 3600

    Crypto isakmp nat-traversal 3600

    crypto ISAKMP disconnect - notify

    Telnet timeout 5

    SSH 0.0.0.0 0.0.0.0 outdoors

    SSH 0.0.0.0 0.0.0.0 inside

    SSH timeout 60

    SSH version 2

    Console timeout 0

    a basic threat threat detection

    Statistics-list of access threat detection

    no statistical threat detection tcp-interception

    WebVPN

    internal GroupPolicy1 group strategy

    attributes of Group Policy GroupPolicy1

    value of VPN-filter MATCHKW

    Protocol-tunnel-VPN IPSec l2tp ipsec

    internal CLIENTGROUP group policy

    CLIENTGROUP group policy attributes

    value of server DNS 10.1.1.10 10.1.1.2

    Split-tunnel-policy tunnelspecified

    value of Split-tunnel-network-list SPLITTUN

    msiuk.local value by default-field

    Username admin privilege 15 encrypted password 9RG9xAvynJRd.Q

    tunnel-group msi type remote access

    msi General attributes tunnel-group

    address LOCPOOL pool

    Group Policy - by default-CLIENTGROUP

    MSI group tunnel ipsec-attributes

    pre-shared key *.

    tunnel-group msi ppp-attributes

    ms-chap-v2 authentication

    tunnel-group 212.118.xxx.xx type ipsec-l2l

    212.118.xxx.XX group of tunnel ipsec-attributes

    pre-shared key *.

    tunnel-group 94.128.xxx.xx type ipsec-l2l

    94.128.xxx.XX group of tunnel ipsec-attributes

    pre-shared key *.

    tunnel-group 94.128.xxx.xx type ipsec-l2l

    94.128.xxx.XX group of tunnel ipsec-attributes

    pre-shared key *.

    tunnel-group 94.128.xxx.xx type ipsec-l2l

    94.128.xxx.XX group of tunnel ipsec-attributes

    pre-shared key *.

    !

    class-map ftpdefault

    match default-inspection-traffic

    class-map default inspection

    !

    !

    Policy-map global_policy

    !

    global service-policy global_policy

    context of prompt hostname

    call-home

    Profile of CiscoTAC-1

    no active account

    http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address

    email address of destination [email protected] / * /

    destination-mode http transport

    Subscribe to alert-group diagnosis

    Subscribe to alert-group environment

    Subscribe to alert-group monthly periodic inventory

    monthly periodicals to subscribe to alert-group configuration

    daily periodic subscribe to alert-group telemetry

    Cryptochecksum:b251877ef24a1dc161b594dc052c44

    : end

    ASDM image disk0: / asdm-625 - 53.bin

    don't allow no asdm history

    Hello

    OK, given the above information, I would say that the VPN L2L your part should probably be fine for traffic you are trying with the packet - trace.

    It seems that you get no traffic back from the remote end

    This could mean one of the following things

    • Remote site may not login either in their VPN appliance, firewall or the firewall of the real server (which I doubt since were talking about web service)
    • Remote site has not configured routing properly for your source IP address / network. For example, your connection attempt can reach the remote server, but the return traffic could get transferred to the wrong place on the remote site. It is more likely when the remote end manages Internet traffic and VPN traffic on separate devices
    • Remote site has not activated the service on the real server (which is still little provided this isn't a service only serve on the server you through this VPN L2L)
    • etc.

    As I said look it seems so VPN L2L is fine. Its place and running, but you can't get traffic back on the L2L VPN that suggest that the problem is at the remote site.

    If you go ask about this since the admins of the remote site, let us know how to do the thing.

    If you found this information useful, please note the answer/answers and naturally ask more if necessary

    -Jouni

  • Coming out of the IPSec VPN connection behind Pix535 problem: narrowed down for NAT-Associates

    Hello world

    Previously, I've seen a similar thread and posted my troubles with the outbound VPN connections inside that thread:

    https://supportforums.Cisco.com/message/3688980#3688980

    I had the great help but unfortunatedly my problem is a little different and connection problem.  Here, I summarize once again our configurations:

    hostname pix535 8.0 (4)

    all PC here use IP private such as 10.1.0.0/16 by dynamic NAT, we cannot initiate an OUTBOUND IPSec VPN (for example QuickVPN) at our offices, but the reverse (inbound) is very well (we have IPsec working long server /PP2P). I did a few tests of new yesterday which showed that if the PC a static NAT (mapped to a real public IP), outgoing connection VPN is fine; If the same PC has no static NAT (he hides behind the dynamic NAT firewall), outgoing VPN is a no-go (same IP to the same PC), so roughly, I have narrowed down our connection problem VPN is related to NAT, here are a few commands for NAT of our PIX:

    interface GigabitEthernet0
    Description to cable-modem
    nameif outside
    security-level 0
    IP 70.169.X.X 255.255.255.0
    OSPF cost 10
    !
    interface GigabitEthernet1
    Description inside 10/16
    nameif inside
    security-level 100
    IP 10.1.1.254 255.255.0.0
    OSPF cost 10
    !
    !
    interface Ethernet2
    Vlan30 description
    nameif dmz2
    security-level 50
    IP 30.30.30.30 255.255.255.0
    OSPF cost 10
    !
    permit same-security-traffic inter-interface
    permit same-security-traffic intra-interface

    ......

    Global interface 10 (external)
    Global (dmz2) interface 10
    NAT (inside) 0-list of access inside_nat0_outbound
    NAT (inside) 10 inside8 255.255.255.0
    NAT (inside) 10 Vlan10 255.255.255.0
    NAT (inside) 10 vlan50 255.255.255.0
    NAT (inside) 10 192.168.0.0 255.255.255.0
    NAT (inside) 10 192.168.1.0 255.255.255.0
    NAT (inside) 10 192.168.10.0 255.255.255.0
    NAT (inside) 10 pix-inside 255.255.0.0

    Crypto isakmp nat-traversal 3600

    -------

    Results of packet capture are listed here for the same PC for the same traffic to Server VPN brach, the main difference is UDP 4500 (PC with static NAT has good traffic UDP 4500, does not have the same PC with dynamic NAT):

    #1: when the PC uses static NAT, it is good of outgoing VPN:

    54 packets captured
    1: 15:43:51.112054 10.1.1.82.1608 > 76.196.10.57.443: S 1763806634:1763806634 (0) win 64240
    2: 15:43:54.143028 10.1.1.82.1608 > 76.196.10.57.443: S 1763806634:1763806634 (0) win 64240
    3: 15:44:00.217273 10.1.1.82.1608 > 76.196.10.57.443: S 1763806634:1763806634 (0) win 64240
    4: 15:44:01.724938 10.1.1.82.1609 > 76.196.10.57.60443: S 2904546955:2904546955 (0) win 64240
    5: 15:44:01.784642 76.196.10.57.60443 > 10.1.1.82.1609: S 2323205974:2323205974 (0) ack 2904546956 win 5808
    6: 15:44:01.784886 10.1.1.82.1609 > 76.196.10.57.60443:. ACK 2323205975 win 64240
    7: 15:44:01.785527 10.1.1.82.1609 > 76.196.10.57.60443: P 2904546956:2904547080 (124) ack 2323205975 win 64240
    8: 15:44:01.856462 76.196.10.57.60443 > 10.1.1.82.1609:. ACK 2904547080 win 5808
    9: 15:44:01.899596 76.196.10.57.60443 > 10.1.1.82.1609: P 2323205975:2323206638 (663) ack 2904547080 win 5808
    10: 15:44:02.056897 10.1.1.82.1609 > 76.196.10.57.60443:. ACK 2323206638 win 63577
    11: 15:44:03.495030 10.1.1.82.1609 > 76.196.10.57.60443: P 2904547080:2904547278 (198) ack 2323206638 win 63577
    12: 15:44:03.667095 76.196.10.57.60443 > 10.1.1.82.1609:. ACK 2904547278 win 6432
    13: 15:44:03.740592 76.196.10.57.60443 > 10.1.1.82.1609: P 2323206638:2323206697 (59) ack 2904547278 win 6432
    14: 15:44:03.741264 10.1.1.82.1609 > 76.196.10.57.60443: P 2904547278:2904547576 (298) ack 2323206697 win 63518
    15: 15:44:03.814029 76.196.10.57.60443 > 10.1.1.82.1609:. ACK 2904547576 win 7504
    16: 15:44:06.989008 76.196.10.57.60443 > 10.1.1.82.1609: P 2323206697:2323207075 (378) ack 2904547576 win 7504
    17: 15:44:06.990228 76.196.10.57.60443 > 10.1.1.82.1609: 2323207075:2323207075 F (0) ack 2904547576 win 7504
    18: 15:44:06.990564 10.1.1.82.1609 > 76.196.10.57.60443:. ACK 2323207076 win 63140
    19: 15:44:06.990656 10.1.1.82.1609 > 76.196.10.57.60443: P 2904547576:2904547613 (37) ack 2323207076 win 63140
    20: 15:44:06.990854 10.1.1.82.1609 > 76.196.10.57.60443: 2904547613:2904547613 F (0) ack 2323207076 win 63140
    21: 15:44:07.049359 76.196.10.57.60443 > 10.1.1.82.1609: R 2323207076:2323207076 (0) win 0
    22: 15:44:17.055417 10.1.1.82.500 > 76.196.10.57.500: udp 276
    23: 15:44:17.137657 76.196.10.57.500 > 10.1.1.82.500: udp 140
    24: 15:44:17.161475 10.1.1.82.500 > 76.196.10.57.500: udp 224
    25: 15:44:17.309066 76.196.10.57.500 > 10.1.1.82.500: udp 220
    26: 15:44:17.478780 10.1.1.82.4500 > 76.196.10.57.4500: udp 80
    27: 15:44:17.550356 76.196.10.57.4500 > 10.1.1.82.4500: 64 udp
    28: 15:44:17.595214 10.1.1.82.4500 > 76.196.10.57.4500: udp 304
    29: 15:44:17.753470 76.196.10.57.4500 > 10.1.1.82.4500: udp 304
    30: 15:44:17.763037 10.1.1.82.4500 > 76.196.10.57.4500: udp 68
    31: 15:44:17.763540 10.1.1.82.4500 > 76.196.10.57.4500: udp 56
    32: 15:44:18.054516 10.1.1.82.4500 > 76.196.10.57.4500: udp 68
    33: 15:44:18.124840 76.196.10.57.4500 > 10.1.1.82.4500: udp 68
    34: 15:44:21.835390 10.1.1.82.4500 > 76.196.10.57.4500: udp 72
    35: 15:44:21.850831 10.1.1.82.4500 > 76.196.10.57.4500: udp 80
    36: 15:44:21.901183 76.196.10.57.4500 > 10.1.1.82.4500: udp 72
    37: 15:44:22.063747 10.1.1.82.1610 > 76.196.10.57.60443: S 938188365:938188365 (0) win 64240
    38: 15:44:22.104746 76.196.10.57.4500 > 10.1.1.82.4500: udp 80
    39: 15:44:22.122277 76.196.10.57.60443 > 10.1.1.82.1610: S 1440820945:1440820945 (0) ack 938188366 win 5808
    40: 15:44:22.122536 10.1.1.82.1610 > 76.196.10.57.60443:. ACK 1440820946 win 64240
    41: 15:44:22.123269 10.1.1.82.1610 > 76.196.10.57.60443: P 938188366:938188490 (124) ack 1440820946 win 64240
    42: 15:44:22.187108 76.196.10.57.60443 > 10.1.1.82.1610:. ACK 938188490 win 5808
    43: 15:44:22.400675 76.196.10.57.60443 > 10.1.1.82.1610: P 1440820946:1440821609 (663) ack 938188490 win 5808
    44: 15:44:22.474600 10.1.1.82.1610 > 76.196.10.57.60443: P 938188490:938188688 (198) ack 1440821609 win 63577
    45: 15:44:22.533648 76.196.10.57.60443 > 10.1.1.82.1610:. ACK 938188688 win 6432
    46: 15:44:22.742286 76.196.10.57.60443 > 10.1.1.82.1610: P 1440821609:1440821668 (59) ack 938188688 win 6432
    47: 15:44:22.742927 10.1.1.82.1610 > 76.196.10.57.60443: P 938188688:938189002 (314) ack 1440821668 win 63518
    48: 15:44:22.802570 76.196.10.57.60443 > 10.1.1.82.1610:. ACK 938189002 win 7504
    49: 15:44:25.180486 76.196.10.57.60443 > 10.1.1.82.1610: P 1440821668:1440821934 (266) ack 938189002 win 7504
    50: 15:44:25.181753 76.196.10.57.60443 > 10.1.1.82.1610: 1440821934:1440821934 F (0) ack 938189002 win 7504
    51: 15:44:25.181997 10.1.1.82.1610 > 76.196.10.57.60443:. ACK 1440821935 win 63252
    52: 15:44:25.182134 10.1.1.82.1610 > 76.196.10.57.60443: P 938189002:938189039 (37) ack 1440821935 win 63252
    53: 15:44:25.182333 10.1.1.82.1610 > 76.196.10.57.60443: 938189039:938189039 F (0) ack 1440821935 win 63252
    54: 15:44:25.241869 76.196.10.57.60443 > 10.1.1.82.1610: R 1440821935:1440821935 (0) win 0

    #2: same PC with Dynamic NAT, VPN connection fails:

    70 packets captured
    1: 14:08:31.758261 10.1.1.82.1073 > 76.196.10.57.443: S 820187495:820187495 (0) win 64240
    2: 14:08:34.876907 10.1.1.82.1073 > 76.196.10.57.443: S 820187495:820187495 (0) win 64240
    3: 14:08:40.746055 10.1.1.82.1073 > 76.196.10.57.443: S 820187495:820187495 (0) win 64240
    4: 14:08:42.048627 10.1.1.82.1074 > 76.196.10.57.60443: S 3309127022:3309127022 (0) win 64240
    5: 14:08:42.120248 76.196.10.57.60443 > 10.1.1.82.1074: S 1715577781:1715577781 (0) ack 3309127023 win 5808
    6: 14:08:42.120568 10.1.1.82.1074 > 76.196.10.57.60443:. ACK 1715577782 win 64240
    7: 14:08:42.121102 10.1.1.82.1074 > 76.196.10.57.60443: P 3309127023:3309127147 (124) ack 1715577782 win 64240
    8: 14:08:42.183553 76.196.10.57.60443 > 10.1.1.82.1074:. ACK 3309127147 win 5808
    9: 14:08:42.232867 76.196.10.57.60443 > 10.1.1.82.1074: P 1715577782:1715578445 (663) ack 3309127147 win 5808
    10: 14:08:42.405145 10.1.1.82.1074 > 76.196.10.57.60443:. ACK 1715578445 win 63577
    11: 14:08:43.791340 10.1.1.82.1074 > 76.196.10.57.60443: P 3309127147:3309127345 (198) ack 1715578445 win 63577
    12: 14:08:43.850450 76.196.10.57.60443 > 10.1.1.82.1074:. ACK 3309127345 win 6432
    13: 14:08:44.028196 76.196.10.57.60443 > 10.1.1.82.1074: P 1715578445:1715578504 (59) ack 3309127345 win 6432
    14: 14:08:44.058544 10.1.1.82.1074 > 76.196.10.57.60443: P 3309127345:3309127643 (298) ack 1715578504 win 63518
    15: 14:08:44.116403 76.196.10.57.60443 > 10.1.1.82.1074:. ACK 3309127643 win 7504
    16: 14:08:47.384654 76.196.10.57.60443 > 10.1.1.82.1074: P 1715578504:1715578882 (378) ack 3309127643 win 7504
    17: 14:08:47.385417 76.196.10.57.60443 > 10.1.1.82.1074: 1715578882:1715578882 F (0) ack 3309127643 win 7504
    18: 14:08:47.394068 10.1.1.82.1074 > 76.196.10.57.60443:. ACK 1715578883 win 63140
    19: 14:08:47.394922 10.1.1.82.1074 > 76.196.10.57.60443: P 3309127643:3309127680 (37) ack 1715578883 win 63140
    20: 14:08:47.395151 10.1.1.82.1074 > 76.196.10.57.60443: 3309127680:3309127680 F (0) ack 1715578883 win 63140
    21: 14:08:47.457633 76.196.10.57.60443 > 10.1.1.82.1074: R 1715578883:1715578883 (0) win 0
    22: 14:08:57.258073 10.1.1.82.500 > 76.196.10.57.500: udp 276
    23: 14:08:57.336255 76.196.10.57.500 > 10.1.1.82.500: udp 40
    24: 14:08:58.334211 10.1.1.82.500 > 76.196.10.57.500: udp 276
    25: 14:08:58.412850 76.196.10.57.500 > 10.1.1.82.500: udp 40
    26: 14:09:00.333311 10.1.1.82.500 > 76.196.10.57.500: udp 276
    27: 14:09:00.410730 76.196.10.57.500 > 10.1.1.82.500: udp 40
    28: 14:09:02.412561 10.1.1.82.1075 > 76.196.10.57.443: S 968016865:968016865 (0) win 64240
    29: 14:09:04.349164 10.1.1.82.500 > 76.196.10.57.500: udp 276
    30: 14:09:04.431648 76.196.10.57.500 > 10.1.1.82.500: udp 40
    31: 14:09:05.442710 10.1.1.82.1075 > 76.196.10.57.443: S 968016865:968016865 (0) win 64240
    32: 14:09:11.380427 10.1.1.82.1075 > 76.196.10.57.443: S 968016865:968016865 (0) win 64240
    33: 14:09:12.349926 10.1.1.82.500 > 76.196.10.57.500: udp 276
    34: 14:09:12.421502 10.1.1.82.1076 > 76.196.10.57.60443: S 3856215672:3856215672 (0) win 64240
    35: 14:09:12.430794 76.196.10.57.500 > 10.1.1.82.500: udp 40
    36: 14:09:12.481832 76.196.10.57.60443 > 10.1.1.82.1076: S 248909856:248909856 (0) ack 3856215673 win 5808
    37: 14:09:12.527972 10.1.1.82.1076 > 76.196.10.57.60443:. ACK 248909857 win 64240
    38: 14:09:12.529238 10.1.1.82.1076 > 76.196.10.57.60443: P 3856215673:3856215797 (124) ack 248909857 win 64240
    39: 14:09:12.608275 76.196.10.57.60443 > 10.1.1.82.1076:. ACK 3856215797 win 5808
    40: 14:09:12.658581 76.196.10.57.60443 > 10.1.1.82.1076: P 248909857:248910520 (663) ack 3856215797 win 5808
    41: 14:09:12.664531 10.1.1.82.1076 > 76.196.10.57.60443: P 3856215797:3856215995 (198) ack 248910520 win 63577
    42: 14:09:12.725533 76.196.10.57.60443 > 10.1.1.82.1076:. ACK 3856215995 win 6432
    43: 14:09:12.880813 76.196.10.57.60443 > 10.1.1.82.1076: P 248910520:248910579 (59) ack 3856215995 win 6432
    44: 14:09:12.892272 10.1.1.82.1076 > 76.196.10.57.60443: P 3856215995:3856216293 (298) ack 248910579 win 63518
    45: 14:09:12.953029 76.196.10.57.60443 > 10.1.1.82.1076:. ACK 3856216293 win 7504
    46: 14:09:12.955043 76.196.10.57.60443 > 10.1.1.82.1076: 248910579:248910579 F (0) ack 3856216293 win 7504
    47: 14:09:12.955242 10.1.1.82.1076 > 76.196.10.57.60443:. ACK 248910580 win 63518
    48: 14:09:12.955516 10.1.1.82.1076 > 76.196.10.57.60443: P 3856216293:3856216330 (37) ack 248910580 win 63518
    49: 14:09:12.955730 10.1.1.82.1076 > 76.196.10.57.60443: 3856216330:3856216330 F (0) ack 248910580 win 63518
    50: 14:09:13.019743 76.196.10.57.60443 > 10.1.1.82.1076: R 248910580:248910580 (0) win 0
    51: 14:09:16.068691 10.1.1.82.500 > 76.196.10.57.500: udp 56
    52: 14:09:16.227588 10.1.1.82.1077 > 76.196.10.57.60443: S 3657181617:3657181617 (0) win 64240
    53: 14:09:16.283783 76.196.10.57.60443 > 10.1.1.82.1077: S 908773751:908773751 (0) ack 3657181618 win 5808
    54: 14:09:16.306823 10.1.1.82.1077 > 76.196.10.57.60443:. ACK 908773752 win 64240
    55: 14:09:16.307692 10.1.1.82.1077 > 76.196.10.57.60443: P 3657181618:3657181742 (124) ack 908773752 win 64240
    56: 14:09:16.370998 76.196.10.57.60443 > 10.1.1.82.1077:. ACK 3657181742 win 5808
    57: 14:09:16.411935 76.196.10.57.60443 > 10.1.1.82.1077: P 908773752:908774415 (663) ack 3657181742 win 5808
    58: 14:09:16.417870 10.1.1.82.1077 > 76.196.10.57.60443: P 3657181742:3657181940 (198) ack 908774415 win 63577
    59: 14:09:16.509388 76.196.10.57.60443 > 10.1.1.82.1077:. ACK 3657181940 win 6432
    60: 14:09:16.708413 76.196.10.57.60443 > 10.1.1.82.1077: P 908774415:908774474 (59) ack 3657181940 win 6432
    61: 14:09:16.887100 10.1.1.82.1077 > 76.196.10.57.60443: P 3657181940:3657182254 (314) ack 908774474 win 63518
    62: 14:09:16.948193 76.196.10.57.60443 > 10.1.1.82.1077:. ACK 3657182254 win 7504
    63: 14:09:19.698465 76.196.10.57.60443 > 10.1.1.82.1077: P 908774474:908774740 (266) ack 3657182254 win 7504
    64: 14:09:19.699426 76.196.10.57.60443 > 10.1.1.82.1077: 908774740:908774740 F (0) ack 3657182254 win 7504
    65: 14:09:20.060162 10.1.1.82.1077 > 76.196.10.57.60443:. ACK 908774741 win 63252
    66: 14:09:20.062191 76.196.10.57.60443 > 10.1.1.82.1077: P 908774474:908774740 (266) ack 3657182254 win 7504
    67: 14:09:20.063732 10.1.1.82.1077 > 76.196.10.57.60443:. ACK 908774741 win 63252
    68: 14:09:20.063900 10.1.1.82.1077 > 76.196.10.57.60443: P 3657182254:3657182291 (37) ack 908774741 win 63252
    69: 14:09:20.064098 10.1.1.82.1077 > 76.196.10.57.60443: 3657182291:3657182291 F (0) ack 908774741 win 63252
    70: 14:09:20.127694 76.196.10.57.60443 > 10.1.1.82.1077: R 908774741:908774741 (0) win 0
    70 packages shown

    We had this problem of connection VPN IPsec from the years (I first thought it is restriction access problem, but it does not work or if I disable all access lists, experience of yesterday for the same restriction of the access-list shows longer than PC is not the cause). All suggestions and tips are greatly appreciated.

    Sean

    Hi Sean, please remove th lines highlighted in your pix and try and let me know, that these lines are not the default configuration of the PIX.

    VPN-udp-class of the class-map

    corresponds to the list of access vpn-udp-acl

    vpn-udp-policy policy-map

    VPN-udp-class

    inspect the amp-ipsec

    type of policy-card inspect dns migrated_dns_map_1

    parameters

    message-length maximum 768

    Policy-map global_policy

    class inspection_default

    inspect the migrated_dns_map_1 dns

    inspect the ftp

    inspect h323 h225

    inspect the h323 ras

    inspect the http

    inspect the netbios

    inspect the rsh

    inspect the rtsp

    inspect the skinny

    inspect sqlnet

    inspect sunrpc

    inspect the tftp

    inspect the sip

    inspect xdmcp

    inspect the pptp

    inspect the amp-ipsec

    permit same-security-traffic inter-interface

    permit same-security-traffic intra-interface

    IP verify reverse path to the outside interface

    Thank you

    Rizwan James

  • ASA 5505 ipsec vpn connection fails

    Hello

    I'm trying to configure a Cisco ASA 5505 for Remote Clients.

    I use the ASDM interface and used assistants start and ipsec for my setup, but im hit a stumbling block.

    To last make it work 2 days I have tried a number of configuration changes to try to make this work but didn't, so I did a factory reset and passed by the assistants, once again, I have a clean Setup that I hope someone can help me.

    Currently I have an IP public static 81.137.x.x and I use a Netgear ADSL router, which transfers (UDP 500) VPN traffic to 192.168.171.35 (port wan on the ASA 5505).

    The Cisco ASA has a default address of 192.168.1.1

    I use the Cisco Client 5.0.06.0160.

    I have configured the client to use authentication group with the same credentials as configuration through the wizard and im using Transparent Tunneling IPSec over UDP.

    I have attached 2 documents

    running_config.txt - what is shows the current configuration of ASA

    Journal - View.txt - display of error messages displayed in the real-time log viewer when I try to connect from the remote client.

    I'm not sure if I need to do on the other that additional configurations for my setup simply run the wizards.

    Any help would be appreciated.

    Thank you

    Hello Philippe,

    According to the lines in the journal, there is a problem of routing for ip vpn applicant address. ASA couldn't find the definition of route suitable for the return traffic. Add a default route to unknown destinations could solve this problem. As I see you are using modem netgear as a default gateway for your ASA. I write example of command line for this purpose.

    Route outside 0.0.0.0 0.0.0.0 NetGear_LAN_IP_Address 1

    Ufuk Güler

  • Cisco 877 VPN router LAN access

    I have spent much time already trying to figure out why I can't reach the LAN behind the router connecting through VPN, I thought it would be easier to ask people with more experience than me.

    So, here he goes, this is the configuration of a router 877 adsl with some ACL defined for security and NAT/PAT, the VPN connects to customer VPN CIco however I don't see anything on the LAN to the remote computer (for example: cannot ping the router or server on the local network)

    Also, since the router I can not ping the remote VPN computer when connected... I already tried a lot of different things, but my knowledge of cisco is limited, so I hope someone in this forum can sort it with little effort or change in this config... I replaced the ip addresses and passwords for security reasons.

    In a Word, what is false or absent in this config which is not let me reach the LAN when docked hollow VPN?

    Appreciate the help:

    version 12.4
    no service button
    horodateurs service debug datetime msec
    Log service timestamps datetime msec localtime
    encryption password service
    !
    hostname My877Router
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200 warnings
    enable secret 5 XXXXXXXXXX
    !
    AAA new-model
    !
    !
    AAA authentication login default local
    connection of local AAA VPN authentication.
    AAA authorization exec default local
    local authorization AAA VPN network
    !
    !
    AAA - the id of the joint session
    clock timezone CST 9 30
    !
    Crypto pki trustpoint TP-self-signed-901674690
    enrollment selfsigned
    name of the object cn = IOS - Self - signed - certificate - 901674690
    revocation checking no
    rsakeypair TP-self-signed-901674690
    !
    !
    TP-self-signed-901674690 crypto pki certificate chain
    certificate self-signed 01
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    quit smoking
    dot11 syslog
    IP cef
    !
    !
    inspect the IP router-traffic tcp name _OUTBOUND_
    inspect the IP router traffic udp name _OUTBOUND_
    inspect the name _OUTBOUND_ http IP
    inspect the IP name _OUTBOUND_ https
    inspect the IP dns _OUTBOUND_ name
    inspect the IP router traffic icmp name _OUTBOUND_
    no ip domain search
    IP domain name mydomain.com.au
    Name A.B.C.D IP-server
    IP-name x.y.z.w Server
    !
    aes encryption password
    !
    !
    username admin privilege 15 secret 5 #$% ^ & *.
    Admin2 username privilege 15 secret 5 #$% ^ & *.
    !
    crypto ISAKMP policy 1
    BA 3des
    preshared authentication
    Group 2
    life 3600
    !
    ISAKMP crypto group configuration of VPN client
    key 6 #$%^&_)(*&^%$%^&*(&^$
    DNS 192.168.100.5
    domain mydomain.com.au
    pool VPN
    ACL 100
    Max-users 5
    Max-Connections 1
    netmask 255.255.255.0
    !
    86400 seconds, duration of life crypto ipsec security association
    !
    Crypto ipsec transform-set esp-3des esp-sha-hmac vpn1
    !
    Crypto-map dynamic dynmap 11
    Set transform-set vpn1
    market arriere-route
    !
    !
    list of card crypto dynmap customer VPN authentication
    card crypto dynmap VPN isakmp authorization list
    client configuration address card crypto dynmap initiate
    client configuration address card crypto dynmap answer
    dynmap 11 card crypto ipsec-isakmp dynamic dynmap
    !
    Archives
    The config log
    hidekeys
    !
    !
    !
    type of class-card inspect VPN-match-all traffic
    game group-access 100
    !
    !
    type of policy-card inspect PCB-pol-outToIn
    class type inspect VPN traffic
    inspect
    !
    !
    !
    !
    ATM0 interface
    no ip address
    no ip redirection
    no ip unreachable
    no ip proxy-arp
    route IP cache flow
    No atm ilmi-keepalive
    PVC 8/35
    aal5mux encapsulation ppp Dialer
    Dialer pool-member 1
    !
    DSL-automatic operation mode
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface Vlan1
    Description LAN_INTERFACE
    IP 192.168.100.1 address 255.255.255.0
    no ip redirection
    no ip proxy-arp
    IP nat inside
    IP virtual-reassembly
    route IP cache flow
    IP tcp adjust-mss 1452
    !
    interface Dialer0
    ADSL description
    the negotiated IP address
    IP access-group 101 in
    Check IP unicast reverse path
    no ip redirection
    no ip unreachable
    no ip proxy-arp
    inspect the _OUTBOUND_ over IP
    NAT outside IP
    IP virtual-reassembly
    encapsulation ppp
    route IP cache flow
    Dialer pool 1
    No cdp enable
    Authentication callin PPP chap Protocol
    PPP chap hostname [email protected] / * /
    PPP chap 7 76478678786 password
    card crypto dynmap
    !
    local pool IP VPN 192.168.200.1 192.168.200.10
    IP forward-Protocol ND
    IP route 0.0.0.0 0.0.0.0 Dialer0
    !
    no ip address of the http server
    local IP http authentication
    no ip http secure server
    IP http timeout policy slowed down 60 life 86400 request 10000
    IP nat inside source static tcp 192.168.100.9 443 interface Dialer0 443
    IP nat inside source static tcp 192.168.100.9 25 interface Dialer0 25
    IP nat inside source static tcp 192.168.100.9 1352 Dialer0 1352 interface
    IP nat inside source static tcp 192.168.100.6 3389 3389 Dialer0 interface
    IP nat inside source static tcp 192.168.100.7 3389 interface Dialer0 3391
    IP nat inside source static tcp 192.168.100.3 8443 interface Dialer0 8443
    the IP nat inside source 1 interface Dialer0 overload list
    !
    access-list 1 permit 192.168.100.0 0.0.0.255
    access-list 100 permit ip 192.168.200.0 0.0.0.255 any
    access-list 101 permit tcp any any eq 443 newspaper
    access-list 101 permit tcp any any eq smtp newspaper
    access-list 101 permit tcp any any eq 1352 newspaper
    access-list 101 permit tcp A.B.C.D host any newspaper
    access-list 101 permit tcp host x.y.z.w any log
    access-list 101 permit tcp host r.t.g.u any log
    access-list 101 permit udp any host x.x.x.x eq isakmp newspaper
    access-list 101 permit udp any host y.y.y.y eq non500-isakmp log
    access-list 101 deny ip any any newspaper
    access-list 102 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255 connect
    access-list 102 permit ip 192.168.100.0 0.0.0.255 any what newspaper
    Dialer-list 1 ip protocol allow
    not run cdp
    !
    !
    route allowed sheep 11 map
    corresponds to the IP 102
    !
    !
    control plan
    !
    Banner motd ^ C
    Unauthorized access prohibited! ^ C
    !
    Line con 0
    exec-timeout 20 0
    no activation of the modem
    line to 0
    line vty 0 4
    privilege level 15
    entry ssh transport
    !
    max-task-time 5000 Planner
    x.x.x.x SNTP server
    y.y.y.y SNTP server
    end

    My877Router #.

    Doesn't look like anything sent through the VPN tunnel. Decrypt the counter does not increase.

    Can you please try to connect by a different ISP and see if that makes a difference?

    You can also try to connect from another PC and see if that makes a difference?

    The configuration on the router seems correct to me.

  • How to block an IP address with a WRVS4400N router?

    I have kept an eye on my label of report IPS lately and have observed a large number of attacks ICMP_SMURF and BACK from the Chinese ip address.  I know that I can probably block the ip criminalized through the ip acl tab according to the firewall settings, but I'm kind of a newbie

    Everyone keeps to view an example of how I can block certain ip addresses to my router?

    Hmm. honestly: If you have difficulties of implementation through this before web interface very simple and right you should either not do it at all (or may cause more pose a problem and then nothing) or have someone else who knows these things for you to do...

    You create a new rule:

    Action: reject
    Service: all THE
    Journal: not verified
    Connect the prefix: vacuum
    Interface source: WAN
    Source: Single - IP address internet address should be blocked
    Destination: ANY
    Scheduling: by default, i.e. at any time.

    That's all.

    The default allow rule everything should appear as 2 rule in the ACL table then. If not, you will need to add a 2nd rule allowing all traffic, as does the default rule. Rules are evaluated in the order in order until a match is found.

  • Bug of Linksys WRT54GC Mode of operation of "router"?

    I use a Linksys WRT54GC router and I experience a behavior that I don't expect.
    You give me your opinion?
    This is the case:

    My assumption of "Gateway" or "Router" operating Mode is:
    Gateway mode means NAT that makes invisible LAN subnet side WAN addresses. NAT is disabled by activating the Mode of operation of 'Gateway' to 'router '.

    I have connected a PC (192.168.2.100) to port the router WAN and another (192.168.23.100) PC on a LAN (192.168.23.1) of the router (192.168.2.2) port.
    When I switch my WRT54GC "Router" mode I can't always ping the PC on the site of the side router LAN WAN. SPI Firewall protection and block anonymous Internet requests are disabled. Firewalls on both computers is disabled.

    I saw a similar problem at the forum "Connecting two routers via WAN" 08/28/2008 Victor Tang.

    Don't you think that it is a bug in the mode of operation of the WRT54GC software?

    I reported the bug to Linksys.

    My first experience with Linksys technical support is very good.

    They take the serious problem, ask for the discharge of Wireshark and send me an update of the firmware of the router.

    This fixes the bug with the mode of operation, now I can without NAT on and outside, very well!

    I don't have firmware update earlier because the release notes did not mention my bug, I read in the forum a lot of users having problems after the update of the firmware, so I followed the policy do not update unless it can solve your problem.

    There are some things perhaps worth mentioning:

    You should be careful to use the right firmware for your router.

    Not only the model of the router is too important, the hardware version and too country!

    I've got a WRT54GC, hardware version 1, and it is the type of the EU.

    Of this material, there's also a different US with versions of firmware version!

    The latest version of the firmware to the US type is v1.60.1, the latest version of the EU type is 1.60.0 v.

    Thus, you should take care of this website, you download the update to get the right version and read the release notes. These release notes, you can check if your current firmware version is part of the history of this firmware, so you know that you have the right one. I was so very accurate because many have reported problems in the forum with updates.

    Now I'm able to Exchange traffic between computers and printers in different subnets and I can access the Internet from each subnet gateway I want.

    It is important to think about the configuration of your PC and routing tables.

    The firewall on the computers must be configured on the additional subnet.

    A PC has a default gateway to reach a device on another subnet.

    Most of the time these are devices on the Internet, so if you create additional internal subnets that your traffic will be by default will be send to the Internet and will be lost. To define additional gateways where your additional subnet can be found to avoid this.

    This can be done on a PC with the command: route add (IE 192.168.23.0 mask 255.255.255.0 192.168.2.2) or you define a static route to your router (the latter is preferable).

    The problems I've had, forced me to consider how does networking, with the help of the users on this forum, I would conclude that this is a bug, with the support of very good Linksys everything now works as expected.

    Thank you.

  • Pls help a "Newbie"!

    Hello people,

    I am trying to set up a 1200 - straight out of the box, so by default (no radio on, set to receive the IP from a DHCP server, etc..).

    Our guy periphery who would normally install this kit has resigned with notice very short and took all the information with him... so I went trying to set up this device with no information another PDF I downloaded from Cisco.

    My normal line of work is to install PC-based process control systems, so I'm used to dealing with networks, even though CAN-Bus, Profibus and these other flavors - however, I also installed "wired ethernet", so to understand the basics and I'm very practical.

    I made my own console drive and can now sucessfully communicate with the 1200 via a Hyperterminal session. I've set up an IP address and some other basic elements, but I'm stuck now. I am trying to connect to the unit of 1200 via the ethernet port to use the graphical interface to continue setting up (because I guess that's the easiest way for someone like me). However, I can't connect to the 1200 that way - and Yes, I have updated my PC network card an IP in the same range etc. and uses a cable etc. I also installed an applet called "IPSU", and who cannot 'see' the 1200 either.

    When I'm in a console session, if I use the 'Ping' command built into the 1200 software, I get a success report of 100% in the INVESTIGATION period, I have implemented in the 1200 (do not know if this prooves anything if...)

    Is there a PDF primer that explains all the choices that are available in the CLI?

    How to invoke the "express setup" option in the console?

    Hope someone can help me with what must seem like basics to you guys...

    PS - It could be useful that I describe my request... It's really basic, base if I could do it with one (I dare say) type, but for the beach consumer product I need (so 'good' antenna's agenda). I hang the 1200 to a switch that is part of a system of environmental control effect of greenhouse. The AP is to allow farmers freedom to walk around the greenhouse with HP IPAQ, so that they can be in contact with the PC, who oversees the various control systems, the host PC performs a very locked down NT4.5 platform with a WEB server set up. The IPAQ simply uses their internet Explorer integrated app to post a link to the host through the AP. We've done that before, but then our network guys left us, as I explained above... ho - hum!

    Part of the problem may be where you applied your IP address.

    You should put your IP address on the "BVI1" interface, not the ethernet or radios.

    BVI stands for "Virtual Interface bridged" and is the logic element that identifies the management system.

    IPSU is a simple utility to assign an address without having to the console in the AP. To use IPSU, you need either the MAC assress (to get or set an IP address) or IP address (for the MAC of the AP).

    As you mentioned, once you have an IP address on the BVI UI:

    Enable

    config t

    int BVI1

    IP addr xx.xx.xx.xx mm.mm.mm.mm (k-x is address, me s are the mask)

    No tap

    ^ Z (; Control Z - back mode)

    You should be able to use a web browser to complete the configuration via the GUI (including an "Express Setup")

    If you browse through your locked-down system, you may need to loosen to the top of your firewall software (if you have one) to allow traffic.

    The default value is SSID for Cisco 'tsunami' - with the AP connected to the wired network and your clients configured for the SSID "tsunami", you should be able to pass traffic back and forth. The IP address of the access point is strictly for management.

    From the console, you can check the status of the interfaces with a 'show ip interface brief' (abbreviated as sh ip int br) it will show you the address and the State of each interface he knows.

    In regards to the primer, start with the "Configuration Guides" (do a search on the main site on 'AP1200 configuration Guide').

    There is also a guide to the CLI commands, but I think you need a paid account of Cisco SmartNet for access. It used to be on the same pages with the software download pages.

    I hope that you get, so we can get you the information that will allow to continue with the configuration of the system (encryption, authorization, etc.).

    Good luck

    Scott

  • LAN-to-LAN tunnel between VPN 3000 and Cisco 1721

    Hello

    I have a current LAN-to-LAN tunnel configuration between VPN 3000 (3.6) and Cisco 1721 (12.2 (11) T).

    When I use the encryption = authentication and Des-56 = ESP\MD5\HMAC-128 for the IPSec Security Association, everything works fine.

    However, I would like to Turn off encryption for some time getting the speed improvements, so I changed

    Encryption = null esp (in 1721) and to "null" in VPN-3000.

    Now the tunnel is setup but I can spend only ICMP traffic. When I pass the traffic UDP\TCP the message below appears the Cisco 1721

    % C1700_EM-1-ERROR: error in packet-rx: pad size error, id 75, hen offset 0

    Has anyone seen this behavior?

    All those put in place an IPSec Tunnel with only the ESP authentication and NO encryption between VPN-3000 and Cisco 1721?

    Thanx------Naman

    Naman,

    Disable you the vpn Accelerator? "no accel crypto engine. Sure that you can't do with a null module vpn.

    Kurtis Durrett

  • Two interfaces WAN ISP in the same network

    Hello world

    I am faced with a really simple but delicate scenario. My ISP gives me IP addresses public 2, both in the same network. They also gave me the default gateway which is of course in the same network too.

    I need two fully operational ip addresses, but I realized that I can't have two interfaces (routed interfaces) in the same network segment. I have just a single router (Cisco 2911). A friend told me that I might be able to set this up using VRF, but as far as I have read, there is no way to use VRF to achieve this.

    Is it possible to use two (or more) ip addresses to redirect traffic to the same default gateway in the same router?

    Thank you!

    Miguel

    Hi Miguel,.

    If you want just your 2911 have set up two public IP addresses, you can set one of them as secondary IP address. Suppose that 192.0.2.1/29 is your default gateway, and 192.0.2.2/29 and 192.0.2.3/29 are your IP addresses. So to have both configured, you'd:

    interface Gigabit0/0/0 ip address 192.0.2.2 255.255.255.248 ip address 192.0.2.3 255.255.255.248 secondary
    And voila - that should do the trick :) Best regards, Peter

Maybe you are looking for