traffic VPN to the ACL control? on 8.4 ASA

Similar Questions

• External ACL does not increment for traffic allowed through the site to site VPN

  Hi all, we have many site - to IPSEC VPNS that are sending traffic to us successfully - the largest part of this traffic is FTP or SFTP.

  There is not configuration of the firewall of the SAA sysopt. Access lists have been configured on the external interface of the ASA to allow these VPN for FTP SFTP connections & - however, all counters are 0 when I do a 'show access-list internet-in' for FTP or SFTP.

  There are general IP entries in list of FTP & SFTP natted access connected to the Internet addresses of these FTP servers and these are increment but then there are certain customers who use the internet to transfer files.

  I guess what I was asking is ASA outside increment for traffic access lists allowed by VPN? The access list entries are for THEIRINTERNALIP to OURINTERNALIP (according to crypto card)

  Just to add that these ACL is configured through groups of objects in the case that matters - also once again that they are correctly transfer files to us - only I don't get where they are allowed.

  Thanks in advance

  Mark

  VPN traffic is flowing properly and there is no ACL allowing UDP 500 or ESP?

  Can you post the output of "sh run all the sysopt"

  Federico.

• Need of the ACL kung fu for VPN from Site to Site ACL problem

  Group,

  Have a little problem I know is related to ACL. I wanted to have a few experts to take a look at my config please. Here's the question:

  Attempt to create a site between two offices, but for some reason any that they cannot ping each other. It is a strange thing.

  97.XX.231.22 <-->71.xx.160.123

  I can ping both firewalls from the outside using a computer to another, but from the internal firewall utilities, they cannot ping each other. At the same time I can ping to their respective gateways.

  Secondly, I did an interior outside translation as you can see here for 80 & 443 preventing me from browsing http and https via VPN for Remote LAN, can it be modified to allow access? I can access when I dial in via VPN client but not via permanent VPN tunnel. Here is the config.

  no ip nat service sip 5060 udp port

  IP nat inside source map route SDM_RMAP_1 interface GigabitEthernet0/0 overload

  IP nat inside source static tcp 10.41.14.103 80 71.xx.160.123 80 extensible

  IP nat inside source static tcp 10.41.14.103 71.xx.160.123 expandable 443 443

  IP route 0.0.0.0 0.0.0.0 71.xx.160.121

  IP route 10.67.188.32 255.255.255.224 10.41.14.99 6 permanent

  IP route 10.67.188.96 255.255.255.224 10.41.14.99 8 permanent

  IP route 10.200.107.0 255.255.255.0 10.41.14.99 9 permanent

  IP route 10.200.110.0 255.255.254.0 10.41.14.99 7 permanent

  IP route 74.200.107.0 255.255.255.0 10.41.14.99 5 permanent

  IP route 74.200.110.0 255.255.254.0 10.41.14.99 4 permanent

  IP route 208.67.188.32 255.255.255.224 10.41.14.99 2 Permanent

  IP route 208.67.188.96 255.255.255.224 10.41.14.99 3 permanent

  !

  auto discovering IP sla

  Logging trap errors

  host 192.168.10.29 record

  access-list 2 Note HTTP access class

  Note access-list category 2 CCP_ACL = 1

  Note access-list 2 Platinum LAN

  access-list 2 permit 10.41.14.0 0.0.0.255

  access-list 2 refuse any

  Access-list 101 remark rules Master

  Note access-list 101 category CCP_ACL = 1

  Note access-list 101 FaxFinder WWW traffic

  access-list 101 permit tcp any host 71.xx.160.123 eq www

  Note access-list 101 traffic HTTPS FaxFinder

  access-list 101 permit tcp any host 71.xx.160.123 eq 443

  Note access-list 101 NTP Time Protocol

  access-list 101 permit udp any host 71.xx.160.123 eq ntp

  Access-list 101 remark IPSEC protocols

  access-list 101 permit udp any host 71.xx.160.123 eq non500-isakmp

  Access-list 101 remark IPSEC protocols

  access-list 101 permit udp any host 71.xx.160.123 eq isakmp

  Note access-list 101 traffic ESP

  access-list 101 permit esp any host 71.xx.160.123

  Note the access list 101 General License

  access list 101 ip allow a whole

  Note access-list 102 CCP_ACL category = 2

  access-list 102 deny ip 10.41.14.0 0.0.0.255 192.168.76.0 0.0.0.255

  Note access-list 102 IPSec rule

  access-list 102 deny ip 10.41.14.0 0.0.0.255 10.0.2.0 0.0.0.255

  Note access-list 102 IPSec rule

  access-list 102 deny ip 10.41.14.0 0.0.0.255 192.168.10.0 0.0.0.31

  Access-list 102 remark Platinum LAN NAT rule

  access-list 102 permit ip 10.41.14.0 0.0.0.255 any

  Note category from the list of access-104 = 4 CCP_ACL

  Note access-list 104 IPSec rule

  access-list 104. allow ip 10.41.14.0 0.0.0.255 192.168.10.0 0.0.0.31

  Note access-list 108 CCP_ACL category = 4

  access-list 108 allow ip 10.41.14.0 0.0.0.255 any

  Note access-list 109 IPSec rule

  Note access-list 109 CCP_ACL category = 4

  access-list 109 allow ip 10.41.14.0 0.0.0.255 192.168.76.0 0.0.0.255

  Note access-list 110 CCP_ACL category = 4

  Note access-list 110 IPSec rule

  access-list 110 permit ip 10.41.14.0 0.0.0.255 10.0.2.0 0.0.0.255

  not run cdp

  !

  allowed SDM_RMAP_1 1 route map

  corresponds to the IP 102

  There is more then one way how you can achieve this goal.

  (1) the best way is possible if the two VPN counterparts are IOS routers. Then you can migrate to virtual VPN - tunnel interfaces (VTI). With this, the external interface doesn't mix - and non-VPN-traffic VPN.

  (2) if VTI is not possible, you can restrict the translation to only non - VPN traffic using a roadmap:

  object-group network RFC1918

  10.0.0.0 255.0.0.0

  172.16.0.0 255.240.0.0

  192.168.0.0 255.255.0.0

  NAT-SERVER - 10.41.14.103 allowed 10 route map

  corresponds to the TRAFFIC-NAT-SERVER IP - 10.41.14.103

  TRAFFIC-NAT-SERVER extended IP access list - 10.41.14.103

  deny ip host 10.41.14.103 object-group RFC1918

  permit tcp host 10.41.14.103 eq 80 a

  allow a host EQ 10.41.14.103 tcp 443

  IP nat inside source static 10.41.14.103 71.xx... map route NAT-SERVER - 10.41.14.103

  What makes that?

  When your server communicates with a system with an address in the range RFC1918, then the road map does not correspond and the translation is not used. It is you, the VPN scenario. But if the server communicates with a non-RFC1918 address, then the translation is used and the server can be reached.

  --
  Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
  http://www.Kiva.org/invitedBy/karsteni

• ASA 5520 8.0 (4) port depending on the ACLs vpn works not

  Hi all

  I have a problem with an ASA (5520 8.0 (4)) for lack of working with a port based acl for remote clients. I have a simple acl from a single line to split traffic, if I allowed the tunnel IP works fine, if I lock it up to TCP 3389 rdp will not work. I don't see anything in the logs and debug output, I did have a problem with a similar configuration (5510 8.0 (4) and I'm at a loss to explain it.)

  Everyone knows about this problem before? I have nat exclusions etc and as I said, the tunnel only works if the acl permits all IP traffic between client and server.

  THX in advance

  Split-tunnel list cannot IP, if you want to restrict which ports are are sent via the tunnel vpn for your clients vpn, you need to use VPN filters under Group Policy:

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

• VPN Cisco ASA 5540 L2L - one-way traffic only for the pair to a network

  Hello

  I'm a little confused as to which is the problem. This is the premise for the problem I have face.

  One of our big clients has a Cisco ASA5540 (8.2 (2)) failover (active / standby). Early last year, we have configured a VPN from Lan to Lan to a 3rd party site (a device of control point on their end). He worked until early this week when suddenly the connection problems.

  Only 1 of the 3 networks the / guests can access a remote network on the other side. 2 others have suddenly stopped working. We do not know of any change on our side and the remote end also insists that their end configurations are correct (and what information they sent me it seems to be correct)

  So essentially the encryption field is configured as follows:

  access-list line 1 permit extended ip 10.238.57.21 host 10.82.0.202 (hitcnt = 2)
  access-list line 2 extended permit ip 10.207.0.0 255.255.0.0 10.82.0.200 255.255.255.252 (hitcnt = 198)
  access-list line 3 extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252 (hitcnt = 173)

  Free NAT has been configured as follows (names modified interfaces):

  NAT (interface1) 0-list of access to the INTERIOR-VPN-SHEEP

  the INTERIOR-VPN-SHEEP line 1 permit access list extended ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
  permit for Access-list SHEEP-VPN-INSIDE line lengthened 2 ip host 10.238.57.21 10.82.0.202

  NAT (interface2) 0-list of access VPN-SHEEP

  VPN-SHEEP line 1 permit access list extended ip 10.207.0.0 255.255.0.0 10.82.0.200 255.255.255.252

  After the problem started only 10.207.0.0/16 network connections worked for the site remote 10.82.0.200/30. All other connections do not work.

  There has been no change made on our side and on the side remote also insists there has been no change. I also checked how long the ASAs have been upward and how long the same device has been active in the failover. Both have been at the same time (about a year)

  The main problem is that users of the 10.231.191.0/24 cant access remote network network. However, the remote user can initiate and implement the VPN on their side but usually get any return traffic. Ive also checked that the routes are configured correctly in the routers in core for the return of their connections traffic should go back to the firewall.

  Also used of "packet - trace" event raising the VPN tunnel (even if it passes the phases VPN). For my understanding "packet - trace" alone with the IP source and destination addresses must activate the VPN connection (even if it generates no traffic to the current tunnel).

  This is printing to the following command: "packet - trace entry interface1 tcp 10.231.191.100 1025 10.82.0.203 80.

  Phase: 1
  Type: ACCESS-LIST
  Subtype:
  Result: ALLOW
  Config:
  Implicit rule
  Additional information:
  MAC access list

  Phase: 2
  Type: FLOW-SEARCH
  Subtype:
  Result: ALLOW
  Config:
  Additional information:
  Not found no corresponding stream, creating a new stream

  Phase: 3
  Type:-ROUTE SEARCH
  Subtype: entry
  Result: ALLOW
  Config:
  Additional information:
  in 10.82.0.200 255.255.255.252 outside

  Phase: 4
  Type: ACCESS-LIST
  Subtype: Journal
  Result: ALLOW
  Config:
  Access-group interface interface1
  access-list extended allow ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
  Additional information:

  Phase: 5
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Config:
  Additional information:

  Phase: 6
  Type: INSPECT
  Subtype: np - inspect
  Result: ALLOW
  Config:
  class-map inspection_default
  match default-inspection-traffic
  Policy-map global_policy
  class inspection_default
  inspect the http
  global service-policy global_policy
  Additional information:

  Phase: 7
  Type: FOVER
  Subtype: Eve-updated
  Result: ALLOW
  Config:
  Additional information:

  Phase: 8
  Type: NAT-FREE
  Subtype:
  Result: ALLOW
  Config:
  NAT-control
  is the intellectual property inside 10.231.191.0 255.255.255.0 outside 10.82.0.200 255.255.255.252
  Exempt from NAT
  translate_hits = 32, untranslate_hits = 35251
  Additional information:

  -Phase 9 is a static nat of the problem to another network interface. Don't know why his watch to print.

  Phase: 9
  Type: NAT
  Subtype: host-limits
  Result: ALLOW
  Config:
  static (interface1, interface3) 10.231.0.0 10.231.0.0 255.255.0.0 subnet mask
  NAT-control
  is the intellectual property inside 10.231.0.0 255.255.0.0 interface3 all
  static translation at 10.231.0.0
  translate_hits = 153954, untranslate_hits = 88
  Additional information:

  -Phase 10 seems to be the default NAT for the local network configuration when traffic is to the Internet

  Phase: 10
  Type: NAT
  Subtype:
  Result: ALLOW
  Config:
  NAT (interface1) 5 10.231.191.0 255.255.255.0
  NAT-control
  is the intellectual property inside 10.231.191.0 255.255.255.0 outside of any
  dynamic translation of hen 5 (y.y.y.y)
  translate_hits = 3048900, untranslate_hits = 77195
  Additional information:

  Phase: 11
  Type: VPN
  Subtype: encrypt
  Result: ALLOW
  Config:
  Additional information:

  Phase: 12
  Type: VPN
  Subtype: ipsec-tunnel-flow
  Result: ALLOW
  Config:
  Additional information:

  Phase: 13
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Config:
  Additional information:

  Phase: 14
  Type: CREATING STREAMS
  Subtype:
  Result: ALLOW
  Config:
  Additional information:
  New workflow created with the 1047981896 id, package sent to the next module

  Result:
  input interface: interface1
  entry status: to the top
  entry-line-status: to the top
  output interface: outside
  the status of the output: to the top
  output-line-status: to the top
  Action: allow

  So, basically, the connection should properly go to connect VPN L2L but yet is not. I tried to generate customer traffic of base (with the source IP address of the client network and I see the connection on the firewall, but yet there is absolutely no encapsulated packets when I check "crypto ipsec to show his" regarding this connection VPN L2L.) Its almost as if the firewall only transfers the packets on the external interface instead of encapsulating for VPN?

  And as I said, at the same time the remote end can activate the connection between these 2 networks very well, but just won't get any traffic back to their echo ICMP messages.

  access-list extended allow ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
  local ident (addr, mask, prot, port): (10.231.191.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (10.82.0.200/255.255.255.252/0/0)
  current_peer: y.y.y.y

  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 131, #pkts decrypt: 131, #pkts check: 131
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0
  success #frag before: 0, failures before #frag: 0, #fragments created: 0
  Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
  #send errors: 0, #recv errors: 0

  If it was just a routing problem it would be a simple thing to fix, but it is not because I can see the connection I have to confirm it by the router base on the firewall, but they don't just get passed on to the VPN connection.

  Could this happen due to a bug in the Software ASA? Would this be something with Checkpoint VPN device? (I have absolutely no experience with devices of control point)

  If there is any essential information that I can give, please ask.

  -Jouni

  Jouni,

  8.2.4.1 is the minimum - 8.2.4 had some issues (including TCP proxy).

  If this does not resolve the problem - I suggest open TAC box to get to the bottom of this ;-)

  Marcin

• What do the acl when configuring a router as gateway VPN?

  Hi all

  my predecessor has set up our VPN gateway on our secondary router. Here's the relevant part of the config.

  ISAKMP crypto group customer VPN-CLIENT-HOST configuration

  key XXXX-XXXX

  192.168.177.7 DNS 192.168.100.1

  win 192.168.177.7

  XXXX.local field

  pool SDM_POOL_1

  ACL 104

  Im still trying to catch up in a few areas of programming and Im not sure this that set the ACL in this command is for or how it will affect users who connect to the gateway.

  Can someone point me in the direction of a useful Cisco document or explain it please? Ive been everywhere on Cisco's Web site and keep it going round in circles (its as if Cisco wants to sell me something; his tent like out of a Vegas casino without having spent the slots)

  Thanks in advance.

  Paul

  Hello Paul,

  Parminder response is correct, this ACL is used to match the interesting traffic (which will be sent via encrypted VPN tunnel).

  You will need to classify the traffic originating from your end because it's the traffic that will be encrypted, in your ACL it (coming from the other site or customers) it is already encrypted and you'll decripted as soon as he arrive at your end.

  I hope this has been informative.

  Kind regards

  Julio

• Site to site VPN, I need all internet traffic to exit the site.

  I have 2 sites connected via a pair of SRX5308

  A = 192.168.1.0/24

  IP WAN = 1.1.1.1

  B = 192.168.2.0/24

  IP WAN = 2.2.2.2

  Now what I need to do, is to have all traffic from B to go to the site one even traffic destined to the internet. That is, I need internet traffic out of our network with the IP 1.1.1.1, even if it is from the network B.

  On my I have set up a route 1.1.1.1 of the ISP, then a value by default 0/0 to 192.168.1.1 it ASA knows how to get to the peer VPN is a more specific route, but sends everything above the tunnel, at the remote end which then hairpin of ASA routes internet outside its own WAN port traffic.

  I can understand though not how to so the same thing on the pair of SRX5308 they either don't raise the tunnel or internet route to the local site address B.

  Anyone have any ideas?

  I need to do this because we are logging and monitoring of internet traffic to A site via tapping from upstream to various IDS solutions and will not (cannot) reproduce this to all our remote sites.

  Thank you

  Dave.

  After some more thought and testing I came up with a workable solution to my own problem. I'll share it here in case it can help others.

  (1) use the wizard at both ends to implement a normal VPN that connects the two segments of network 192.168.1.0 and 192.168.2.0

  (2) go to site VPN - VPN policy remote router192.168.2.1 and click Edit

  (a) disable Netbios

  (b) select "None" from the drop-down list the remote IP address.

  (c) to apply the change

  3) go to the VPN-> VPN policy on the head end site (192.168.1.1) and click Edit

  (a) disable Netbios

  (b) select "None" from the drop-down list the local IP address

  (c) to apply the change

  Now all the traffic wil go down the VPN tunnel and exit to the internet on the site of head end. Hope this helps others with the same question.

• Definition of VLAN ACL blocks all traffic inside of the vlan

  Hello

  I test a 7024 PowerConnect switch, do some VLAN and want to test the traffic between 2 PC connection to the vlan by default. So I put a PC on Port 1 and the other on Port 2.

  I am applying only a permit ICMP any any rule on this vlan. This implies a refusal rule everything.

  But now I can't ssh from one PC to another?

  the ACL is an ibound IP AC, but I thought that this does not affect traffic in the vlan? Or am I wrong thinking?

  We tested this installation type and got the same results as you. It seems to be normal behavior. If I get more specific information to this I will be sure to answer back with her.

• After disconnection of the ACL AnyConnect not honored on ISA550W

  Once I have disconnect a session SSL - VPN (AnyConnect), the firewall blocks WAN > LAN traffic. I navigate to the firewall > access control > rules ACL page and click on the Reset button for the ISA550W to honor the rules.

  Hi Eric,.

  Thanks for providing this information.  We have been able to reproduce it here.  You can open a case with HWC so we can work on that with you?

  Let me know if you have problems opening a case with HWC.

  Thank you

  Brandon

• Cisco ASA 5510 L2L VPN on the backup interface

  OK, here is what I have and I even if I knew how to do this, but it has not worked for me.  I hope someone out there can help you.

  I have an ASA 5510 running 8.4 with double configuration of ISPs on 2 different interfaces: outside (primary), backup (backup).  I also have a site to site VPN ASA another in another city.  The VPN is now configured on the external interface and works very well.  What I wanted to do, is to make the VPN running on backup interface only.

  So, I changed the card encryption on the remote side to use the backup interface IP and created a tunnel-group for her.  Then, I created a map encryption for backup interface and activated ikev1 on it.  The default route is configured to use the external interface, so I created a static route that routes traffic destined for the external interface of the remote side to the backup interface default gateway.  I can get to establish tunnels, but no traffic passes through them.  I have however while I need a NAT device for the tunnel traffic to I created a NAT so but still no transmitted traffic.  I tried the packet - trace and he said: the traffic was allowed and show its crypto ipsec command, I see the configuration of the tunnel, but no traffic will pass through it.  Can anyone help?

  Ben,

  you use a code to version 8.4, I recommend starting by removing the config NAT statements at both ends. This version does not have the NAT and control, and if you don't need... I've seen instances with 8.4 (3) where a NAT even though apparently correct was causing not to pass through the traffic.

  Site A:

  NAT (inside, backup) source static obj-SiteALAN obj-SiteALAN static obj-SiteBLAN obj-SiteBLAN

  Site b:

  NAT (inside, outside) source static obj - 192.168.5.0 obj - 192.168.5.0 destination static obj - 192.168.3.0 obj - 192.168.3.0

  If possible, you should increase your AES encryption, but this is a personal point of view and should not stop the traffic through the links. You should be able to see the counters for the data transmitted / received are these incrementing?

  Do you have the ACLs that are from the inside to the outside and internal interface to the Interface of backup (duplicated.

  In this model, the control is the routing.

  Best regards

  Ju

  http://helpamunky.WordPress.com/

• Pass Cisco 871 and VPN to the SBS 2008 Server

  to precede the questions below, I'm responsible for COMPUTING internal with several years of site / offsite support. I also have very limited knowledge of the inner workings of a Cisco device. That said, I've beaten my head against a wall, trying to configure my router Cisco 871 to allow access to our internal server of SBS 2008 VPN hosting services. I think I, and properly configured the SBS 2008 Server.

  I use advanced IP services, version 12.4 (4) T7

  Here is the \windows\system32\conifg\system running

  Building configuration...

  Current configuration: 9414 bytes
  !
  version 12.4
  no service button
  tcp KeepAlive-component snap-in service
  a tcp-KeepAlive-quick service
  horodateurs service debug datetime localtime show-timezone msec
  Log service timestamps datetime localtime show-timezone msec
  encryption password service
  sequence numbers service
  !
  hostname yourname
  !
  boot-start-marker
  boot-end-marker
  !
  Security of authentication failure rate 3 log
  Passwords security min-length 6
  logging buffered debugging 51200
  recording console critical
  enable secret 5 *.

  !
  No aaa new-model
  !
  resources policy
  !
  PCTime-5 timezone clock
  PCTime of summer time clock day April 6, 2003 02:00 October 26, 2003 02:00
  IP subnet zero
  no ip source route
  IP cef
  !
  !
  !
  !
  synwait-time of tcp IP 10
  no ip bootp Server
  "yourdomain.com" of the IP domain name
  name of the IP-server 65.24.0.168
  name of the IP-server 65.24.0.196
  property intellectual ssh time 60
  property intellectual ssh authentication-2 retries
  inspect the IP name DEFAULT100 appfw DEFAULT100
  inspect the IP name DEFAULT100 cuseeme
  inspect the IP name DEFAULT100 ftp
  inspect the IP h323 DEFAULT100 name
  inspect the IP icmp DEFAULT100 name
  inspect the IP name DEFAULT100 netshow
  inspect the IP rcmd DEFAULT100 name
  inspect the IP name DEFAULT100 realaudio
  inspect the name DEFAULT100 rtsp IP
  inspect the IP name DEFAULT100 sqlnet
  inspect the name DEFAULT100 streamworks IP
  inspect the name DEFAULT100 tftp IP
  inspect the IP udp DEFAULT100 name
  inspect the name DEFAULT100 vdolive IP
  inspect the name DEFAULT100 http urlfilter IP
  inspect the IP router-traffic tcp name DEFAULT100
  inspect the IP name DEFAULT100 https
  inspect the IP dns DEFAULT100 name
  urlfilter IP interface-source FastEthernet4
  property intellectual urlfilter allow mode on
  urlfilter exclusive-area IP Deny. Facebook.com
  refuse the urlfilter exclusive-domain IP. spicetv.com
  refuse the urlfilter exclusive-domain IP. AddictingGames.com
  urlfilter exclusive-area IP Deny. Disney.com
  urlfilter exclusive-area IP Deny. Fest
  refuse the urlfilter exclusive-domain IP. freeonlinegames.com
  refuse the urlfilter exclusive-domain IP. hallpass.com
  urlfilter exclusive-area IP Deny. CollegeHumor.com
  refuse the urlfilter exclusive-domain IP. benmaller.com
  refuse the urlfilter exclusive-domain IP. gamegecko.com
  refuse the urlfilter exclusive-domain IP. ArmorGames.com
  urlfilter exclusive-area IP Deny. MySpace.com
  refuse the urlfilter exclusive-domain IP. Webkinz.com
  refuse the urlfilter exclusive-domain IP. playnow3dgames.com
  refuse the urlfilter exclusive-domain IP. ringtonemecca.com
  refuse the urlfilter exclusive-domain IP. smashingames.com
  urlfilter exclusive-area IP Deny. Playboy.com
  refuse the urlfilter exclusive-domain IP. pokemoncrater.com
  refuse the urlfilter exclusive-domain IP. freshnewgames.com
  refuse the urlfilter exclusive-domain IP. Toontown.com
  urlfilter exclusive-area IP Deny .online-Funny - Games.com
  urlfilter exclusive-area IP Deny. ClubPenguin.com
  refuse the urlfilter exclusive-domain IP. hollywoodtuna.com
  refuse the urlfilter exclusive-domain IP. andkon.com
  urlfilter exclusive-area IP Deny. rivals.com
  refuse the urlfilter exclusive-domain IP. moregamers.com
  !
  policy-name appfw DEFAULT100
  http request
  port-bad use p2p action reset alarm
  port-abuse im action reset alarm
  Yahoo im application
  default action reset service
  service-chat action reset
  Server deny name scs.msg.yahoo.com
  Server deny name scsa.msg.yahoo.com
  Server deny name scsb.msg.yahoo.com
  Server deny name scsc.msg.yahoo.com
  Server deny name scsd.msg.yahoo.com
  Server deny name messenger.yahoo.com
  Server deny name cs16.msg.dcn.yahoo.com
  Server deny name cs19.msg.dcn.yahoo.com
  Server deny name cs42.msg.dcn.yahoo.com
  Server deny name cs53.msg.dcn.yahoo.com
  Server deny name cs54.msg.dcn.yahoo.com
  Server deny name ads1.vip.scd.yahoo.com
  Server deny name radio1.launch.vip.dal.yahoo.com
  Server deny name in1.msg.vip.re2.yahoo.com
  Server deny name data1.my.vip.sc5.yahoo.com
  Server deny name address1.pim.vip.mud.yahoo.com
  Server deny name edit.messenger.yahoo.com
  Server deny name http.pager.yahoo.com
  Server deny name privacy.yahoo.com
  Server deny name csa.yahoo.com
  Server deny name csb.yahoo.com
  Server deny name csc.yahoo.com
  audit stop trail
  aol im application
  default action reset service
  service-chat action reset
  Server deny name login.oscar.aol.com
  Server deny name toc.oscar.aol.com
  Server deny name oam - d09a.blue.aol.com
  audit stop trail
  !
  !
  Crypto pki trustpoint TP-self-signed-1955428496
  enrollment selfsigned
  name of the object cn = IOS - Self - signed - certificate - 1955428496
  revocation checking no
  rsakeypair TP-self-signed-1955428496
  !
  !
  TP-self-signed-1955428496 crypto pki certificate chain
  certificate self-signed 01
  308201B 8 A0030201 02020101 3082024F 300 D 0609 2A 864886 F70D0101 04050030
  2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30
  69666963 31393535 34323834 6174652D 3936301E 170 3032 30333031 30303035
  33315A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D
  4F532D53 5369676E 656C662D 43 65727469 66696361 74652 31 39353534 65642D
  32383439 3630819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101
  8100CB6B E980F044 5FFD1DAE CBD35DE8 E3BE2592 DF0B2882 2F522195 4583FA03
  40F4DAC6 CEAD479F A92607D4 1 B 033714 51C3A84D EA837959 F5FC6508 4D71F8E6
  5B124BB3 31F0499F B0E871DB AF354991 7D45F180 5D8EE435 77C8455D 2E46DE46
  67791F49 44407497 DD911CB7 593E121A 0892DF33 3234CF19 B2AE0FFD 36A640DC
  2 010001 HAS 3 990203 AND 77307530 1 130101 FF040530 030101FF 30220603 0F060355 D
  1104 1B 301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D 551D
  301F0603 C 551 2304 18301680 145566 4581F9CD 7 5F1A49FB 49AC9EC4 678908FF
  2A301D06 04160414 5566 745 81F9CD5F 1A49FB49 AC9EC467 8908FF2A 03551D0E
  300 D 0609 2A 864886 818100B 3 04050003 903F5FF8 A2199E9E EA8CDA5D F70D0101
  60B2E125 AA3E511A C312CC4F 0130563F 28D3C813 99022966 664D52FA AB1AA0EE
  9A5C4823 6B19EAB1 7ACDA55F 6CEC4F83 5292 HAS 867 BFC65DAD A2391400 DA12860B
  5A 523033 E6128892 B9BE68E9 73BF159A 28D47EA7 76E19CC9 59576CF0 AF3DDFD1
  3CCF96FF EB5EB4C9 08366F8F FEC944CA 248AC7
  quit smoking
  secret of username admin privilege 15 5 *.

  !
  !
  Policy-map sdmappfwp2p_DEFAULT100
  !
  !
  !
  !
  !
  !
  interface FastEthernet0
  !
  interface FastEthernet1
  !
  interface FastEthernet2
  !
  interface FastEthernet3
  !
  interface FastEthernet4
  Description $$$ FW_OUTSIDE$ $ES_WAN$ ETH - WAN
  address IP dhcp client id FastEthernet4
  IP access-group 101 in
  no ip redirection
  no ip unreachable
  no ip proxy-arp
  NAT outside IP
  inspect the DEFAULT100 over IP
  IP virtual-reassembly
  route IP cache flow
  automatic duplex
  automatic speed
  sdmappfwp2p_DEFAULT100 of service-policy input
  out of service-policy sdmappfwp2p_DEFAULT100
  !
  interface Vlan1
  Description $ETH - SW - LAUNCH$ $INTF - INFO - HWIC-$4ESW $ES_LAN$ $FW_INSIDE$
  the IP 192.168.0.1 255.255.255.0
  IP access-group 100 to
  no ip redirection
  no ip unreachable
  no ip proxy-arp
  IP nat inside
  IP virtual-reassembly
  route IP cache flow
  IP tcp adjust-mss 1452
  !
  IP classless
  !
  !
  IP http server
  local IP http authentication
  IP http secure server
  IP http timeout policy slowed down 60 life 86400 request 10000
  the IP nat inside source 1 list the interface FastEthernet4 overload
  IP nat inside source static tcp 192.168.0.100 1723 1723 interface FastEthernet4
  IP nat inside source static tcp 192.168.0.100 25 25 FastEthernet4 interface
  IP nat inside source static tcp interface 192.168.0.100 80 80 FastEthernet4
  IP nat inside source static tcp 192.168.0.100 interface FastEthernet4 443 443
  IP nat inside source static tcp 192.168.0.100 interface FastEthernet4 987 987
  !
  recording of debug trap
  Note access-list 1 INSIDE_IF = Vlan1
  Remark SDM_ACL category of access list 1 = 2
  access-list 1 permit 192.168.0.0 0.0.0.255
  access-list 100 remark self-generated by the configuration of the firewall Cisco SDM Express
  Access-list 100 = 1 SDM_ACL category note
  access-list 100 deny ip 255.255.255.255 host everything
  access-list 100 deny ip 127.0.0.0 0.255.255.255 everything
  access ip-list 100 permit a whole
  access list 101 remark self-generated by the configuration of the firewall Cisco SDM Express
  Note access-list 101 = 1 SDM_ACL category
  access-list 101 permit tcp any any eq 1723
  access-list 101 permit tcp any any eq 987
  access-list 101 permit tcp any any eq 443
  access-list 101 permit tcp any any eq www
  access-list 101 permit tcp any any eq smtp
  access-list 101 permit udp host 65.24.0.169 eq field all
  access-list 101 permit udp host 65.24.0.168 eq field all
  access-list 101 permit udp host 24.29.1.219 eq field all
  access-list 101 permit udp host 24.29.1.218 eq field all
  access-list 101 permit udp any eq bootps any eq bootpc
  access-list 101 deny ip 192.168.0.0 0.0.0.255 any
  access-list 101 permit icmp any any echo response
  access-list 101 permit icmp any one time exceed
  access-list 101 permit everything all unreachable icmp
  access-list 101 deny ip 10.0.0.0 0.255.255.255 everything
  access-list 101 deny ip 172.16.0.0 0.15.255.255 all
  access-list 101 deny ip 192.168.0.0 0.0.255.255 everything
  access-list 101 deny ip 127.0.0.0 0.255.255.255 everything
  access-list 101 deny ip 255.255.255.255 host everything
  access-list 101 deny ip any one
  not run cdp
  !
  !
  control plan
  !
  connection of the banner ^ CCCCCAuthorized access only!
  Unplug IMMEDIATELY if you are not an authorized user. ^ C
  !
  Line con 0
  local connection
  no activation of the modem
  telnet output transport
  line to 0
  local connection
  telnet output transport
  line vty 0 4
  privilege level 15
  local connection
  transport input telnet ssh
  !
  max-task-time 5000 Planner
  Scheduler allocate 4000 1000
  Scheduler interval 500
  end

  All that top has been configured with the SDM interface. I hope someone here can take a look at this and see what my question is, and why I can't connect through the router.

  All thanks in advance to help me with this.

  Jason

  Based on your description, I am assuming that you are trying the traffic PPTP passthrough via the router 871, and the PPTP Protocol ends on your SBS 2008 Server.

  If this is the correct assumption, PPTP uses 2 protocols: TCP/1723 and GRE. Your configuration only allow TCP/1723, but not the GRE protocol.

  On 101 ACL, you must add "allow accord any any" before the declarations of refusal:

  101 extended IP access list

  1 allow any one

  I guess that the PPTP control connection works fine? Are you able to telnet to the router outside the ip address of the interface on port 1723?

• You try to run a Site to site VPN and remote VPN from the same IP remotely

  We currently have a site to site VPN configuration between our offices call center and a 3rd party that allows them to access our training to their employees to use environment while being trained on our systems. This tunnel is running between our ASA and their ASA without problem; However, when we have managers come out to the call center, they are unable to use remote VPN to access our office.

  Apparently the same IP peer remote that we use for our site to the other tunnel is the same IP that our managers use to access the internet when they are on-site with the customer. When I look at the logs it shows the VPN attempt and then I get treatment Information Exchange has failed. So from what I can understand when our managers are trying to connect to our firewall from the same IP address as the counterpart of site to site it automatically tries to create a tunnel, according to the information of the site to the other tunnel. If our managers are anywhere else, they can connect through remote VPN with no problems.

  My question is if anyone knows of a way to make the firewall allow VPN site to site and remote connections with the same remote IP address.

  Hi John,.

  Basically, in older versions, when you hit a static encryption card and you does not match this static encryption completely map the connection continues until the dynamic encryption card. For this reason, you can connect your IPSec clients before. A bug has been opened on this vulnerability.

  CSCuc75090  Details of bug

  The crypto IPSec Security Association are created by dynamic crypto map to static peers

  Symptom:

  When a static VPN peer adds all traffic to the ACL crypto, a surveillance society is based even if the pair IP is not allowed in the acl to the main façade encryption. Are these SA finally put in correspondence and commissioning the dynamic crypto map instance.

  Conditions:

  It was a planned design since the first day that allowed customers to fall through in the case of static crypto map did not provide a necessary cryptographic services.

  The SA must be made from a peer configured statically and a dynamic crypto map instance must be configured on the receiving end.

  Workaround solution:

  N/A

  Some possible workarounds are:

  Configure a static nat device when you try to use the remote VPN if the firewall remotely will be hit with a different public IP address. It would be a good solution, but it will depend on how many ip addresses public you have available, if you really want one of these ip addresses for that access.

  Also, I thought you could use AnyConnect instead of the IPSec VPN client. I don't know how many users need to connect from your PC to the remote site, but the ASA has 2 licenses SSL available that you could use. Because Anyconnect uses the SSL protocol, it won't have a problem on your environment.

  Below some information:

  http://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa84/configuration/guide/asa_84_cli_config/vpn_anyconnect.html

  Hope this helps,

  Luis.

• A Site to remote access VPN behind the same public IP address

  Got a problem quite stupid.  We have a VPN from Site to Site configured for a new data center, which will be responsible for general traffic management.  In addition, some users need to use use a VPN client to access certain areas.  The firewall at the Office only has a public IP address, so the two will come to the Site to Site VPN for remote access from the same source.

  This seems a problem with legacy Cisco VPN clients because encryption card matches the entry VPN site-to-site, even if they use VPN clients.  A good/simple solution to solve this problem?

  Some newspapers (198.18.85.23) is the address public IP for the office and the tom.jones is the user.  192.168.1.0/24 is the pool of the VPN client.

  January 7, 2014 19:12:52 ASA5515: % 713130-5-ASA: Group = Corp-VPN, Username = tom.smith, IP = 198.18.85.23, transaction mode attribute unhandled received: 5

  January 7, 2014 19:12:52 ASA5515: % 737003-5-ASA: PISG: DHCP not configured, no viable servers found for tunnel-group "Corp-VPN.

  January 7, 2014 19:12:52 ASA5515: % 713119-5-ASA: Group = Corp-VPN, Username = tom.smith, IP = 198.18.85.23, PHASE 1 COMPLETED

  January 7, 2014 19:12:52 ASA5515: % ASA-3-713061: Group = Corp-VPN, Username = tom.smith, IP = 198.18.85.23, IPSec tunnel rejecting: no entry for crypto for proxy card remote proxy 192.168.1.4/255.255.255.255/0/0 local 0.0.0.0/0.0.0.0/0/0 on the interface outside

  January 7, 2014 19:12:52 ASA5515: % ASA-3-713902: Group = Corp-VPN, Username = tom.smith, IP = 198.18.85.23, error QM WSF (P2 struct & 0x00007fff28dab560, mess id 0x37575f3c).

  January 7, 2014 19:12:52 ASA5515: % ASA-3-713902: Group = Corp-VPN, Username = tom.smith, IP = 198.18.85.23, peer table correlator Removing failed, no match!

  January 7, 2014 19:12:52 ASA5515: % 713259-5-ASA: Group = Corp-VPN, Username = tom.smith, IP = 198.18.85.23, Session is be demolished. Reason: political crypto card not found

  January 7, 2014 19:12:52 ASA5515: % ASA-4-113019: Group = Corp-VPN, Username = tom.smith, IP = 198.18.85.23, disconnected Session. Session type: IKEv1, duration: 0 h: 00 m: 02s, xmt bytes: 0, RRs bytes: 0, right: not found card crypto policy

  January 7, 2014 19:12:53 ASA5515: % 713904-5-ASA: IP = 198.18.85.23, encrypted packet received with any HIS correspondent, drop

  Hello

  Don't know if this will work, but you can try the following configuration (with the rest of the VPN configuration)

  list-access CLIENT VPN ip enable any 192.168.1.0 255.255.255.0

  card crypto OUTSIDE_map 4 is the VPN CLIENT address

  card crypto OUTSIDE_map 4 set peer 198.18.85.23

  card crypto OUTSIDE_map 4 set ikev1 transform-set ESP-AES-128-SHA ESP-3DES-SHA

  The idea would be to have the ACL matches the VPN full Tunnel that the Client attempts to establish. (destination "any" from the point of view of the customer, the ASAs view source)

  I tested briefly on my own SAA by connecting from an IP address to which the ASA offers free VPN in L2L. But as I don't have the operational L2L VPN, I can't really verify the VPN L2L at the moment. Thus, certain risks may be involved if you can afford it.

  -Jouni

• WLAN Access Denied for active MAC address in the ACL

  I have a pretty great list ACL (Access Control) and I've never had a problem with it in the past, but I just got a new laptop and same computer when I save the MAC address and reboot the router I always get the "WLAN Access Denied" error for access from your laptop.

  I did all the "sanity checks" to ensure that the password is correct and that other devices still work.

  I had the MAC address of the laptop the same way, I always have, I see the MAC address in the Logs in the access denied message and copy it from there, in the access list. I did it with more than 20 other devices successfully, I'm not sure what is different about this one MAC address... I confirm through ipconfig on the laptop that the MAC address I use is correct.

  When I turn off ACL, I can connect without any problem of the laptop.

  Any thoughts? I am very familiar with computers and you can do an advanced troubleshooting, I do not know infrastructure and networks of the stuff so I don't know where to start here.

  Any ideas on how I can fix this would be appreciated!

  You may have hit a limit of the ACL. A test, remove a device from your list and see if your laptop will connect. This would confirm if you have contributed the most to list ACL on the router...

• Configuration of the ACL to restrict access via SSH/Telnet

  You want to shoot a SSH/Telnet access to ISP address/IP of my switch interface.  Since the Dells have no strict vty/con interface to apply an ACL I guess I just have to match on an interface instead.  Using the ACL below.  Problem is that applying it kills telnet/ssh sessions completely and does them in.  Replaced the iPs in the wrong example with IPs.  Confirm that my public IP address is 112.94.236.58.  You will see a 112.94.236.56/29 with a permit instruction.

  TEST from the list of access permitted tcp 111.126.50.0 255.255.255.0 111.126.50.16 255.255.255.0 eq 22

  TEST from the list of access permitted tcp 111.126.50.0 255.255.255.0 111.126.50.16 255.255.255.0 eq telnet

  TEST tcp allowed access list 112.94.236.56 255.255.255.248 111.126.50.16 255.255.255.0 eq 22

  TEST the access permitted tcp 112.94.236.56 list 255.255.255.248 111.126.50.16 255.255.255.0 eq telnet

  TEST from the list of access permitted tcp 112.94.254.0 255.255.255.128 111.126.50.16 255.255.255.0 eq 22

  TEST from the list of access permitted tcp 112.94.254.0 255.255.255.128 111.126.50.16 255.255.255.0 eq telnet

  TEST the access permitted tcp 112.94.248.176 list 255.255.255.248 111.126.50.16 255.255.255.0 eq 22

  TEST the access permitted tcp 112.94.248.176 list 255.255.255.248 111.126.50.16 255.255.255.0 eq telnet

  access list tcp TEST refuse any 111.126.50.16 255.255.255.0 eq 22

  access list tcp TEST refuse any 111.126.50.16 255.255.255.0 eq telnet

  TEST the ip access list allow a whole

  111.126.50.16 is the switch

  Maybe I should use a destination host in the ACL instead?  (edit, nope, tried with a subnet of 255 s all, same problem)

  The ACL is created using the command access-list config mode.  On the interface it won't let me use ip access-class.

  Figured it out.  Kept, see references to "MACL", think why I needed a MAC access control list.

  Nope.

  Dell world, this means access control list management.