Unable to establish phase 1 of site-to-site VPN
Hi Experts,
Site-B(router)---Modem---Internet---Site-A(router)
I am trying to create a site-to-site IPsec VPN between a Cisco 2900 and a Cisco 861, and here is the scenario. Please find the connectivity diagram in the attached file.
The issue is that there is a modem provided by the ISP on Site-B. The Cisco 861 router is connected to that modem, the connection is delivered over RJ11, and there is no ADSL port available on the Site-B router.
Based on the above scenario, here is the config:
Site B:
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key CITDENjan2014 address 80.227.xx.xx
crypto ipsec transform-set ETH-to-Dxb esp-3des esp-md5-hmac
 mode tunnel
crypto map VPN 1 ipsec-isakmp
 set peer 80.227.xx.xx
 set transform-set ETH-to-Dxb
 match address 110
interface Fa4
 ip address 192.168.1.254 255.255.255.0
 crypto map VPN
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip access-list extended 110
 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
Please find screenshots of the ADSL modem below for your information.
Double configuration on the LAN interface of the ADSL modem with ip address
I did port forwarding on the modem, although I have not done port forwarding before, so I'm not sure whether it is correct or not.
Site-A router config:
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key CITDENjan2014 address 197.156.xx.xx
crypto ipsec transform-set Dxb-to-ETH esp-3des esp-md5-hmac
 mode tunnel
crypto map Dxb-to-Nigeria 20 ipsec-isakmp
 set peer 197.156.xx.xx
 set transform-set Dxb-to-ETH
 match address 120
interface GigabitEthernet0/1
 ip address 80.227.xx.xx 255.255.255.252
 crypto map Dxb-to-Nigeria
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
route-map SDM_RMAP_1 permit 1
 match ip address 101
Logs on the Site-B router:
* 13:02:06.735 Apr 16: ISAKMP (0): packet received 80.227.xx.xx dport 500 sport 1 Global (N) SA NEWS
* 13:02:06.735 Apr 16: ISAKMP: created a struct peer 80.227.xx.xx, peer port 1
* 13:02:06.735 Apr 16: ISAKMP: new position created post = 0x886B0310 peer_handle = 0x8000001D
* 13:02:06.735 Apr 16: ISAKMP: lock struct 0x886B0310, refcount 1 to peer crypto_isakmp_process_block
* 13:02:06.735 Apr 16: ISAKMP: 500 local port, remote port 1
* 13:02:06.735 Apr 16: ISAKMP: find a dup her to the tree during the isadb_insert his 88776 A 88 = call BVA
* 13:02:06.735 Apr 16: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
* 13:02:06.735 Apr 16: ISAKMP: (0): former State = new State IKE_READY = IKE_R_MM1
* 16 Apr 13:02:06.735: ISAKMP: (0): treatment ITS payload. Message ID = 0
* 16 Apr 13:02:06.735: ISAKMP: (0): load useful vendor id of treatment
* 16 Apr 13:02:06.735: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
* 13:02:06.735 Apr 16: ISAKMP (0): provider ID is NAT - T RFC 3947
* Apr 16
ETH - CIT # 13:02:06.735: ISAKMP: (0): load useful vendor id of treatment
* 16 Apr 13:02:06.735: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 245
* 13:02:06.739 Apr 16: ISAKMP (0): provider ID is NAT - T v7
* 16 Apr 13:02:06.739: ISAKMP: (0): load useful vendor id of treatment
* 16 Apr 13:02:06.739: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 157
* 16 Apr 13:02:06.739: ISAKMP: (0): provider ID is NAT - T v3
* 16 Apr 13:02:06.739: ISAKMP: (0): load useful vendor id of treatment
* 16 Apr 13:02:06.739: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
* 16 Apr 13:02:06.739: ISAKMP: (0): provider ID is NAT - T v2
* 13:02:06.739 Apr 16: ISAKMP: (0): pair found pre-shared key matching 80.227.xx.xx
* 16 Apr 13:02:06.739: ISAKMP: (0): pre-shared key local found
* 13:02:06.739 Apr 16: ISAKMP: analysis of the profiles for xauth...
* 13:02:06.739 Apr 16: ISAKMP: (0): audit ISAKMP transform 1 against the policy of priority 1
* 13:02:06.739 Apr 16: ISAKMP: 3DES-CBC encryption
* 13:02:06.739 Apr 16: ISAKMP: MD5 hash
* 13:02:06.739 Apr 16: ISAKMP: group by default 2
* 13:02:06.739 Apr 16: ISAKMP: pre-shared key auth
* 13:02:06.739 Apr 16: ISAKMP: type of life in seconds
* 13:02:06.739 Apr 16: ISAKMP: life (IPV) 0 x 0 0 x 1 0 x 51 0x80
* 13:02:06.739 Apr 16: ISAKMP: (0): atts are acceptable. Next payload is 0
* 13:02:06.739 Apr 16: ISAKMP: (0): Acceptable atts: real life: 0
* 13:02:06.739 Apr 16: ISAKMP: (0): Acceptable atts:life: 0
* 13:02:06.739 Apr 16: ISAKMP: (0): fill atts in his vpi_length:4
* 13:02:06.739 Apr 16: ISAKMP: (0): fill atts in his life_in_seconds:86400
* 13:02:06.739 Apr 16: ISAKMP: (0): return real life: 86400
* 13:02:06.739 Apr 16: ISAKMP: (0): timer life Started: 86400.
* 16 Apr 13:02:06.739: ISAKMP: (0): load useful vendor id of treatment
* 16 Apr 13:02:06.739: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
* 13:02:06.739 Apr 16: ISAKMP (0): provider ID is NAT - T RFC 3947
* 16 Apr 13:02:06.739: ISAKMP: (0): load useful vendor id of treatment
* 16 Apr 13:02:06.739: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 245
* 13:02:06.739 Apr 16: ISAKMP (0): provider ID is NAT - T v7
* 16 Apr 13:02:06.739: ISAKMP: (0): load useful vendor id of treatment
* 16 Apr 13:02:06.739: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 157
* 16 Apr 13:02:06.739: ISAKMP: (0): provider ID is NAT - T v3
* 16 Apr 13:02:06.739: ISAKMP: (0): load useful vendor id of treatment
* 16 Apr 13:02:06.739: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
* 16 Apr 13:02:06.739: ISAKMP: (0): provider ID is NAT - T v2
* 13:02:06.739 Apr 16: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
* 13:02:06.739 Apr 16: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM1
* 16 Apr 13:02:06.739: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID
* 16 Apr 13:02:06.739: ISAKMP: (0): 80.227.xx.xx my_port 500 peer_port 1 (R) package is sent MM_SA_SETUP
* 13:02:06.739 Apr 16: ISAKMP: (0): sending a packet IPv4 IKE.
* 13:02:06.739 Apr 16: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
* 13:02:06.739 Apr 16: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM2
* 13:02:06.995 Apr 16: ISAKMP (0): packet received 80.227.xx.xx dport 500 sport 1 Global (R) MM_SA_SETUP
* 13:02:06.995 Apr 16: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
* 13:02:06.999 Apr 16: ISAKMP: (0): former State = new State IKE_R_MM2 = IKE_R_MM3
* 16 Apr 13:02:06.999: ISAKMP: (0): processing KE payload. Message ID = 0
* 16 Apr 13:02:07.027: ISAKMP: (0): processing NONCE payload. Message ID = 0
* 13:02:07.027 Apr 16: ISAKMP: (0): pair found pre-shared key matching 80.227.xx.xx
* 16 Apr 13:02:07.027: ISAKMP: (2028): load useful vendor id of treatment
* 16 Apr 13:02:07.027: ISAKMP: (2028): provider ID is DPD
* 16 Apr 13:02:07.027: ISAKMP: (2028): load useful vendor id of treatment
* 16 Apr 13:02:07.027: ISAKMP: (2028): addressing another box of IOS!
* 16 Apr 13:02:07.027: ISAKMP: (2028): load useful vendor id of treatment
* 16 Apr 13:02:07.027: ISAKMP: (2028): provider ID seems the unit/DPD but major incompatibility of 241
* 16 Apr 13:02:07.027: ISAKMP: (2028): provider ID is XAUTH
* 13:02:07.027 Apr 16: ISAKMP: receives the payload type 20
* 13:02:07.027 Apr 16: ISAKMP (2028): NAT found, both nodes inside the NAT
* 13:02:07.027 Apr 16: ISAKMP: receives the payload type 20
* 13:02:07.027 Apr 16: ISAKMP (2028): NAT found, both nodes inside the NAT
* 13:02:07.027 Apr 16: ISAKMP: (2028): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
* 13:02:07.027 Apr 16: ISAKMP: (2028): former State = new State IKE_R_MM3 = IKE_R_MM3
* 16 Apr 13:02:07.027: ISAKMP: (2028): 80.227.xx.xx my_port 500 peer_port 1 (R) package is sent MM_KEY_EXCH
* 13:02:07.027 Apr 16: ISAKMP: (2028): sending a packet IPv4 IKE.
* 13:02:07.027 Apr 16: ISAKMP: (2028): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
* 13:02:07.027 Apr 16: ISAKMP: (2028): former State = new State IKE_R_MM3 = IKE_R_MM4
ETH - CIT #.
ETH - CIT #.
* 16 Apr 13:02:17.027: ISAKMP: (2028): transmit phase 1 MM_KEY_EXCH...
* 13:02:17.027 Apr 16: ISAKMP (2028): increment the count of errors on his, try 1 5: retransmit the phase 1
* 16 Apr 13:02:17.027: ISAKMP: (2028): transmit phase 1 MM_KEY_EXCH
* 16 Apr 13:02:17.027: ISAKMP: (2028): 80.227.xx.xx my_port 500 peer_port 1 (R) package is sent MM_KEY_EXCH
* 13:02:17.027 Apr 16: ISAKMP: (2028): sending a packet IPv4 IKE.
Logs on the Site-A router:
* 13:15:28.109 Apr 16: ISAKMP (1263): packet received dport 500 sport Global 500 (I) MM_KEY_EXCH 197.156.xx.xx
* 16 Apr 13:15:28.109: ISAKMP: (1263): package of phase 1 is a duplicate of a previous package.
* 16 Apr 13:15:28.109: ISAKMP: (1263): retransmission due to phase 1 of retransmission
* 16 Apr 13:15:28.609: ISAKMP: (1263): transmit phase 1 MM_KEY_EXCH...
* 13:15:28.609 Apr 16: ISAKMP (1263): increment the count of errors on his, try 4 out 5: retransmit the phase 1
* 16 Apr 13:15:28.609: ISAKMP: (1263): transmit phase 1 MM_KEY_EXCH
* 16 Apr 13:15:28.609: ISAKMP: (1263): package 197.156.xx.xx my_port 4500 peer_port 4500 (I) sending MM_KEY_EXCH
* 13:15:28.609 Apr 16: ISAKMP: (1263): sending a packet IPv4 IKE.
DXB - CIT #.
* 13:15:38.109 Apr 16: ISAKMP (1263): packet received dport 500 sport Global 500 (I) MM_KEY_EXCH 197.156.xx.xx
* 16 Apr 13:15:38.109: ISAKMP: (1263): package of phase 1 is a duplicate of a previous package.
* 16 Apr 13:15:38.109: ISAKMP: (1263): retransmission due to phase 1 of retransmission
* 16 Apr 13:15:38.609: ISAKMP: (1263): transmit phase 1 MM_KEY_EXCH...
* 13:15:38.609 Apr 16: ISAKMP (1263): increment the count of errors on his, try 5 of 5: retransmit the phase 1
* 16 Apr 13:15:38.609: ISAKMP: (1263): transmit phase 1 MM_KEY_EXCH
* 16 Apr 13:15:38.609: ISAKMP: (1263): package 197.156.xx.xx my_port 4500 peer_port 4500 (I) sending MM_KEY_EXCH
* 13:15:38.609 Apr 16: ISAKMP: (1263): sending a packet IPv4 IKE.
DXB - CIT #.
* 13:15:47.593 Apr 16: ISAKMP: set new node 0 to QM_IDLE
* 13:15:47.593 Apr 16: ISAKMP: (1263): SA is still budding. Attached new request ipsec. (local 80.227.xx.xx, remote 197.156.xx.xx)
* 13:15:47.593 Apr 16: ISAKMP: error during the processing of HIS application: failed to initialize SA
* 13:15:47.593 Apr 16: ISAKMP: error while processing message KMI 0, error 2.
* 16 Apr 13:15:48.609: ISAKMP: (1263): transmit phase 1 MM_KEY_EXCH...
* 13:15:48.609 Apr 16: ISAKMP: (1263): peer does not paranoid KeepAlive.
* 13:15:48.609 Apr 16: ISAKMP: (1263): removal of reason ITS status of 'Death by retransmission P1' (I) MM_KEY_EXCH (197.156.xx.xx peer)
* 13:15:48.609 Apr 16: ISAKMP: (1263): removal of reason ITS status of 'Death by retransmission P1' (I) MM_KEY_EXCH (197.156.xx.xx peer)
* 13:15:48.609 Apr 16: ISAKMP: Unlocking counterpart struct 0x23193AD4 for isadb_mark_sa_deleted(), count 0
* 13:15:48.609 Apr 16: ISAKMP: delete peer node by peer_reap for 197.156.xx.xx: 23193AD4
DXB - CIT #.
DXB - CIT #.
* 13:15:48.609 Apr 16: ISAKMP: (1263): error suppression node 1134682361 FALSE reason 'IKE deleted.
* 13:15:48.609 Apr 16: ISAKMP: (1263): error suppression node 680913363 FALSE reason 'IKE deleted.
* 13:15:48.609 Apr 16: ISAKMP: (1263): error suppression node 1740991762 FALSE reason 'IKE deleted.
* 13:15:48.609 Apr 16: ISAKMP: (1263): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
* 13:15:48.609 Apr 16: ISAKMP: (1263): former State = new State IKE_I_MM5 = IKE_DEST_SA
DXB - CIT #.
DXB-CIT#sho cry
DXB-CIT#sho cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
197.156.xx.xx   80.227.xx.xx    MM_NO_STATE       1263 ACTIVE (deleted)
IPv6 Crypto ISAKMP SA
* 16 Apr 13:16:17.593: IPSEC (key_engine): request timer shot: count = 2,.
local (identity) = 80.227.xx.xx:0, distance = 197.156.xx.xx:0,
local_proxy = 192.168.10.0/255.255.255.0/256/0,
remote_proxy = 192.168.1.0/255.255.255.0/256/0
* 16 Apr 13:16:17.609: IPSEC (sa_request):,.
(Eng. msg key.) Local OUTGOING = 80.227.xx.xx:500, distance = 197.156.xx.xx:500,
local_proxy = 192.168.10.0/255.255.255.0/256/0,
remote_proxy = 192.168.1.0/255.255.255.0/256/0,
Protocol = ESP, transform = esp-3des esp-md5-hmac (Tunnel),
lifedur = 3600 s and KB 4608000,
SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 0
* 16 Apr 13:16:17.609: ISAKMP: (0): profile of THE request is (NULL)
* 13:16:17.609 Apr 16: ISAKMP: created a struct peer 197.156.xx.xx, peer port 500
* 13:16:17.609 Apr 16: ISAKMP: new created position = 0x23193AD4 peer_handle = 0 x 80001862
* 13:16:17.609 Apr 16: ISAKMP: lock struct 0x23193AD4, refcount 1 to peer isakmp_initiator
* 13:16:17.609 Apr 16: ISAKMP: 500 local port, remote port 500
* 13:16:17.609 Apr 16: ISAKMP: set new node 0 to QM_IDLE
* 13:16:17.609 Apr 16: ISAKMP: find a dup her to the tree during the isadb_insert his 270A2FD0 = call BVA
* 13:16:17.609 Apr 16: ISAKMP: (0): cannot start aggressive mode, try the main mode.
* 13:16:17.609 Apr 16: ISAKMP: (0): pair found pre-shared key matching 197.156.xx.xx
* 16 Apr 13:16:17.609: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID
* 16 Apr 13:16:17.609: ISAKMP: (0): built the seller-07 ID NAT - t
* 16 Apr 13:16:17.609: ISAKMP: (0): built of NAT - T of the seller-03 ID
* 16 Apr 13:16:17.609: ISAKMP: (0): built the seller-02 ID NAT - t
* 13:16:17.609 Apr 16: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
* 13:16:17.609 Apr 16: ISAKMP: (0): former State = new State IKE_READY = IKE_I_MM1
* 16 Apr 13:16:17.609: ISAKMP: (0): Beginner Main Mode Exchange
* 16 Apr 13:16:17.609: ISAKMP: (0): package 197.156.xx.xx my_port 500 peer_port 500 (I) sending MM_NO_STATE
* 13:16:17.609 Apr 16: ISAKMP: (0): sending a packet IPv4 IKE.
* 13:16:17.865 Apr 16: ISAKMP (0): packet received dport 500 sport Global 500 (I) MM_NO_STATE 197.156.xx.xx
* 13:16:17.865 Apr 16: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
* 13:16:17.865 Apr 16: ISAKMP: (0): former State = new State IKE_I_MM1 = IKE_I_MM2
* 16 Apr 13:16:17.865: ISAKMP: (0): treatment ITS payload. Message ID = 0
* 16 Apr 13:16:17.869: ISAKMP: (0): load useful vendor id of treatment
* 16 Apr 13:16:17.869: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
* 13:16:17.869 Apr 16: ISAKMP (0): provider ID is NAT - T RFC 3947
* 13:16:17.869 Apr 16: ISAKMP: (0): pair found pre-shared key matching 197.156.xx.xx
* 16 Apr 13:16:17.869: ISAKMP: (0): pre-shared key local found
* 13:16:17.869 Apr 16: ISAKMP: analysis of the profiles for xauth... ciscocp-ike-profile-1
* 16 Apr 13:16:17.869: ISAKMP: (0): pre-shared xauth authentication
* 13:16:17.869 Apr 16: ISAKMP: (0): audit ISAKMP transform 1 against the policy of priority 1
* 13:16:17.869 Apr 16: ISAKMP: 3DES-CBC encryption
* 13:16:17.869 Apr 16: ISAKMP: MD5 hash
* 13:16:17.869 Apr 16: ISAKMP: group by default 2
* 13:16:17.869 Apr 16: ISAKMP: pre-shared key auth
* 13:16:17.869 Apr 16: ISAKMP: type of life in seconds
* 13:16:17.869 Apr 16: ISAKMP: life (IPV) 0 x 0 0 x 1 0 x 51 0x80
* 13:16:17.869 Apr 16: ISAKMP: (0): atts are acceptable. Next payload is 0
* 13:16:17.869 Apr 16: ISAKMP: (0): Acceptable atts: real life: 0
* 13:16:17.869 Apr 16: ISAKMP: (0): Acceptable atts:life: 0
* 13:16:17.869 Apr 16: ISAKMP: (0): fill atts in his vpi_length:4
* 13:16:17.869 Apr 16: ISAKMP: (0): fill atts in his life_in_seconds:86400
* 13:16:17.869 Apr 16: ISAKMP: (0): return real life: 86400
* 13:16:17.869 Apr 16: ISAKMP: (0): timer life Started: 86400.
* 16 Apr 13:16:17.869: ISAKMP: (0): load useful vendor id of treatment
* 16 Apr 13:16:17.869: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
* 13:16:17.869 Apr 16: ISAKMP (0): provider ID is NAT - T RFC 3947
* 13:16:17.869 Apr 16: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
* 13:16:17.869 Apr 16: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM2
* 16 Apr 13:16:17.869: ISAKMP: (0): package 197.156.xx.xx my_port 500 peer_port 500 (I) sending MM_SA_SETUP
* 13:16:17.869 Apr 16: ISAKMP: (0): sending a packet IPv4 IKE.
* 13:16:17.869 Apr 16: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
* 13:16:17.869 Apr 16: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM3
* 13:16:18.157 Apr 16: ISAKMP (0): packet received dport 500 sport Global 500 (I) MM_SA_SETUP 197.156.xx.xx
* 13:16:18.157 Apr 16: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
* 13:16:18.157 Apr 16: ISAKMP: (0): former State = new State IKE_I_MM3 = IKE_I_MM4
* 16 Apr 13:16:18.157: ISAKMP: (0): processing KE payload. Message ID = 0
* 16 Apr 13:16:18.181: ISAKMP: (0): processing NONCE payload. Message ID = 0
* 13:16:18.181 Apr 16: ISAKMP: (0): pair found pre-shared key matching 197.156.xx.xx
* 16 Apr 13:16:18.181: ISAKMP: (1264): load useful vendor id of treatment
* 16 Apr 13:16:18.181: ISAKMP: (1264): provider ID is the unit
* 16 Apr 13:16:18.181: ISAKMP: (1264): load useful vendor id of treatment
* 16 Apr 13:16:18.181: ISAKMP: (1264): provider ID is DPD
* 16 Apr 13:16:18.181: ISAKMP: (1264): load useful vendor id of treatment
* 16 Apr 13:16:18.185: ISAKMP: (1264): addressing another box of IOS!
* 13:16:18.185 Apr 16: ISAKMP: receives the payload type 20
* 13:16:18.185 Apr 16: ISAKMP (1264): NAT found, both nodes inside the NAT
* 13:16:18.185 Apr 16: ISAKMP: receives the payload type 20
* 13:16:18.185 Apr 16: ISAKMP (1264): NAT found, both nodes inside the NAT
* 13:16:18.185 Apr 16: ISAKMP: (1264): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
* 13:16:18.185 Apr 16: ISAKMP: (1264): former State = new State IKE_I_MM4 = IKE_I_MM4
* 13:16:18.185 Apr 16: ISAKMP: (1264): send initial contact
* 13:16:18.185 Apr 16: ISAKMP: (1264): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication
* 13:16:18.185 Apr 16: ISAKMP (1264): payload ID
next payload: 8
type: 1
address: 80.227.xx.xx
Protocol: 17
Port: 0
Length: 12
* 13:16:18.185 Apr 16: ISAKMP: (1264): the total payload length: 12
* 16 Apr 13:16:18.185: ISAKMP: (1264): package 197.156.xx.xx my_port 4500 peer_port 4500 (I) sending MM_KEY_EXCH
* 13:16:18.185 Apr 16: ISAKMP: (1264): sending a packet IPv4 IKE.
* 13:16:18.185 Apr 16: ISAKMP: (1264): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
* 13:16:18.185 Apr 16: ISAKMP: (1264): former State = new State IKE_I_MM4 = IKE_I_MM5
DXB - CIT #.
* 13:16:28.157 Apr 16: ISAKMP (1264): packet received dport 500 sport Global 500 (I) MM_KEY_EXCH 197.156.xx.xx
* 16 Apr 13:16:28.157: ISAKMP: (1264): package of phase 1 is a duplicate of a previous package.
* 16 Apr 13:16:28.157: ISAKMP: (1264): retransmission due to phase 1 of retransmission
* 16 Apr 13:16:28.657: ISAKMP: (1264): transmit phase 1 MM_KEY_EXCH...
* 13:16:28.657 Apr 16: ISAKMP (1264): increment the count of errors on his, try 1 5: retransmit the phase 1
* 16 Apr 13:16:28.657: ISAKMP: (1264): transmit phase 1 MM_KEY_EXCH
* 16 Apr 13:16:28.657: ISAKMP: (1264): package 197.156.xx.xx my_port 4500 peer_port 4500 (I) sending MM_KEY_EXCH
DXB - CIT #.
* 13:16:28.657 Apr 16: ISAKMP: (1264): sending a packet IPv4 IKE.
DXB - CIT #.
DXB - CIT #.
DXB - CIT #.
DXB - CIT #.
DXB - CIT #.
DXB - CIT #.
DXB - CIT #u all
All possible debugging has been disabled
DXB - CIT #.
DXB - CIT #.
* 13:16:38.157 Apr 16: ISAKMP (1264): packet received dport 500 sport Global 500 (I) MM_KEY_EXCH 197.156.xx.xx
* 16 Apr 13:16:38.157: ISAKMP: (1264): package of phase 1 is a duplicate of a previous package.
* 16 Apr 13:16:38.157: ISAKMP: (1264): retransmission due to phase 1 of retransmission
* 13:16:38.609 Apr 16: ISAKMP: (1263): purge the node 1134682361
* 13:16:38.609 Apr 16: ISAKMP: (1263): purge the node 680913363
* 13:16:38.609 Apr 16: ISAKMP: (1263): purge the node 1740991762
* 16 Apr 13:16:38.657: ISAKMP: (1264): transmit phase 1 MM_KEY_EXCH...
* 13:16:38.657 Apr 16: ISAKMP (1264): increment the count of errors on his, try 2 of 5: retransmit the phase 1
DXB - CIT #.
DXB - CIT #.
DXB - CIT #.
DXB - CIT #.
* 16 Apr 13:16:38.657: ISAKMP: (1264): transmit phase 1 MM_KEY_EXCH
* 16 Apr 13:16:38.657: ISAKMP: (1264): package 197.156.xx.xx my_port 4500 peer_port 4500 (I) sending MM_KEY_EXCH
* 13:16:38.657 Apr 16: ISAKMP: (1264): sending a packet IPv4 IKE.
Hello
Your configuration looks correct. I was wondering whether NAT works properly, because I do not see ip nat inside and ip nat outside configured on the A router.
Please check whether ESP (50) is permitted (probably VPN passthrough) on the modem, and also try to allow UDP 4500 (IPsec NAT-T).
Best regards
Jan
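Added example (not part of the thread or of either poster's configuration): a Python check that reads `debug crypto isakmp` output and flags the pattern visible in both routers' logs above, where NAT is detected, the initiator moves to UDP 4500 for the next main-mode message and the peer keeps retransmitting on UDP 500. The log lines are constructed in the usual IOS layout using the SA ids, ports and masked addresses from the thread (SA 3001 is invented for the healthy case); the verdict names are this example's own.

```python
import re
from collections import defaultdict

# CONSTRUCTED samples in the usual IOS "debug crypto isakmp" layout.
INITIATOR_LOG = """\
*Apr 16 13:16:18.185: ISAKMP (1264): NAT found, both nodes inside NAT
*Apr 16 13:16:18.185: ISAKMP:(1264): sending packet to 197.156.xx.xx my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Apr 16 13:16:28.157: ISAKMP (1264): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_KEY_EXCH
*Apr 16 13:16:28.157: ISAKMP:(1264): phase 1 packet is a duplicate of a previous packet.
*Apr 16 13:16:28.657: ISAKMP:(1264): sending packet to 197.156.xx.xx my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
"""

RESPONDER_LOG = """\
*Apr 16 13:02:07.027: ISAKMP (2028): NAT found, both nodes inside NAT
*Apr 16 13:02:07.027: ISAKMP:(2028): sending packet to 80.227.xx.xx my_port 500 peer_port 1 (R) MM_KEY_EXCH
*Apr 16 13:02:17.027: ISAKMP:(2028): retransmitting phase 1 MM_KEY_EXCH...
*Apr 16 13:02:17.027: ISAKMP:(2028): sending packet to 80.227.xx.xx my_port 500 peer_port 1 (R) MM_KEY_EXCH
"""

HEALTHY_LOG = """\
*Apr 16 14:00:00.100: ISAKMP (3001): NAT found, both nodes inside NAT
*Apr 16 14:00:00.100: ISAKMP:(3001): sending packet to 197.156.xx.xx my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Apr 16 14:00:00.300: ISAKMP (3001): received packet from 197.156.xx.xx dport 4500 sport 4500 Global (I) MM_KEY_EXCH
"""

# IOS prints both "ISAKMP (1264):" and "ISAKMP:(1264):", so accept either.
PREFIX = r"ISAKMP:?\s*\((\d+)\):?\s*"
NAT = re.compile(PREFIX + r"NAT found")
SEND = re.compile(PREFIX + r"sending packet to \S+ my_port (\d+) peer_port (\d+) \(([IR])\)")
RECV = re.compile(PREFIX + r"received packet from \S+ dport (\d+) sport (\d+) \S+ \(([IR])\)")
DUP = re.compile(PREFIX + r"phase 1 packet is a duplicate")


def summarize(log):
    """Per ISAKMP SA id, record the local UDP ports used after NAT detection."""
    sas = defaultdict(lambda: {"nat": False, "role": None,
                               "sent": set(), "rcvd": set(), "dups": 0})
    for line in log.splitlines():
        if m := NAT.search(line):
            sas[m.group(1)]["nat"] = True
        elif m := SEND.search(line):
            sa = sas[m.group(1)]
            sa["role"] = m.group(4)
            if sa["nat"]:
                sa["sent"].add(int(m.group(2)))   # my_port
        elif m := RECV.search(line):
            sa = sas[m.group(1)]
            sa["role"] = m.group(4)
            if sa["nat"]:
                sa["rcvd"].add(int(m.group(2)))   # dport = our local port
        elif m := DUP.search(line):
            sas[m.group(1)]["dups"] += 1
    return dict(sas)


def diagnose(sa):
    """Classify one SA summary; the verdict strings are this example's own."""
    if not sa["nat"]:
        return "no-nat"
    if sa["role"] == "I" and 4500 in sa["sent"]:
        # We floated to 4500. A healthy peer answers on 4500; a peer that never
        # saw our packet keeps retransmitting its previous message on 500.
        return "ok" if 4500 in sa["rcvd"] else "float-unanswered"
    if sa["role"] == "R":
        # Responder behind NAT: the initiator's next packet must arrive on 4500.
        return "ok" if 4500 in sa["rcvd"] else "float-not-seen"
    return "undetermined"


def report(log):
    """Map each SA id found in the log to its verdict."""
    return {sa_id: diagnose(sa) for sa_id, sa in summarize(log).items()}


if __name__ == "__main__":
    for name, log in (("initiator", INITIATOR_LOG),
                      ("responder", RESPONDER_LOG),
                      ("healthy", HEALTHY_LOG)):
        print(name, report(log))
```

A `float-unanswered` verdict on the initiator together with `float-not-seen` on the responder means UDP 4500 is being dropped somewhere between the two, which is the forwarding rule the reply above asks to check on the modem.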
Similar Questions
-
remote VPN and vpn site to site vpn remote users unable to access the local network
As per the config below, with remote VPN and site-to-site VPN, remote VPN users are unable to access the local network. Please suggest the required config.
The local server IP 192.168.215.4 cannot be pinged. Remote VPN connectivity works fine, but VPN users are not able to ping the local network.
ASA Version 8.2 (2)
!
host name
domain kunchevrolet
activate r8xwsBuKsSP7kABz encrypted password
r8xwsBuKsSP7kABz encrypted passwd
names of
!
interface Ethernet0/0
nameif outside
security-level 0
PPPoE client vpdn group dataone
IP address pppoe
!
interface Ethernet0/1
nameif inside
security-level 50
IP 192.168.215.2 255.255.255.0
!
interface Ethernet0/2
nameif Internet
security-level 0
IP address dhcp setroute
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
Shutdown
No nameif
no level of security
no ip address
management only
!
passive FTP mode
clock timezone IST 5 30
DNS server-group DefaultDNS
domain kunchevrolet
permit same-security-traffic intra-interface
object-group network GM-DC-VPN-Gateway
object-group, net-LAN
access-list sptnl extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list sheep extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list split-tunnel standard permit 192.168.215.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
MTU 1500 Internet
IP local pool VPN_Users 192.168.2.1 - 192.168.2.250 mask 255.255.255.0
ICMP unreachable rate-limit 1 burst-size 1
enable ASDM history
ARP timeout 14400
NAT-control
Global 1 interface (outside)
NAT (inside) 1 0.0.0.0 0.0.0.0
Route outside 0.0.0.0 0.0.0.0 59.90.214.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
the ssh LOCAL console AAA authentication
AAA authentication LOCAL telnet console
AAA authentication http LOCAL console
AAA authentication enable LOCAL console
LOCAL AAA authentication serial console
Enable http server
x.x.x.x 255.255.255.252 out http
http 192.168.215.0 255.255.255.252 inside
http 192.168.215.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto-map dynamic dynmap 65500 transform-set RIGHT
card crypto 10 VPN ipsec-isakmp dynamic dynmap
card crypto VPN outside interface
card crypto 10 ASA-01 set peer 221.135.138.130
card crypto 10 ASA - 01 the transform-set RIGHT value
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 65535
preshared authentication
the Encryption
sha hash
Group 2
lifetime 28800
Telnet 192.168.215.0 255.255.255.0 inside
Telnet timeout 5
SSH 0.0.0.0 0.0.0.0 outdoors
SSH timeout 5
Console timeout 0
management-access inside
VPDN group dataone request dialout pppoe
VPDN group dataone localname bb4027654187_scdrid
VPDN group dataone ppp authentication chap
VPDN username bb4027654187_scdrid password * local store
interface for identifying DHCP-client Internet customer
dhcpd dns 218.248.255.141 218.248.245.1
!
dhcpd address 192.168.215.11 - 192.168.215.254 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
Des-sha1 encryption SSL
WebVPN
allow outside
tunnel-group-list activate
internal kun group policy
kun group policy attributes
VPN - connections 8
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value split tunnel
kunchevrolet value by default-field
test P4ttSyrm33SV8TYp encrypted password username
username kunauto password bSHrKTGl8PUbvus / encrypted privilege 15
username kunauto attributes
Strategy Group-VPN-kun
Protocol-tunnel-VPN IPSec
tunnel-group vpngroup type remote access
tunnel-group vpngroup General attributes
address pool VPN_Users
Group Policy - by default-kun
tunnel-group vpngroup webvpn-attributes
the vpngroup group alias activation
vpngroup group tunnel ipsec-attributes
pre-shared key *.
type tunnel-group test remote access
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group ipsec-attributes x.x.x.x
pre-shared key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
Review the ip options
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
inspect the icmp
!
global service-policy global_policy
context of prompt hostname
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected]
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:0d2497e1280e41ab3875e77c6b184cf8
: end
kunauto#
Hello
Looking at the configuration, there is an access list for NAT exemption:
access-list sheep extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0
But it is not applied in the nat statements.
Enter the following command to apply the NAT exemption:
nat (inside) 0 access-list sheep
Kind regards
Dinesh Moudgil
P.S. Please mark this message as 'Responded' if you find this information useful, so that it benefits other users of the community.
-
Unable to connect to a Web site? Used several times before. Says the DNS server is incorrect or does not exist? Help, someone?
If it is hosted by GoDaddy, it's maybe out of service. There is a DDoS (denial of service) attack on GoDaddy at the moment.
You could try again later and see if it returns.
-
Unable to pass traffic between ASA Site to Site VPN Tunnel
Hello
I have problems passing traffic between two ASA firewalls. The VPN tunnel is up between a dynamic IP address and a static IP address. I have attached a diagram of the VPN connection. I'm not sure where the problem lies and what to check next. I think I have all the routes and access lists that are needed.
I've also attached the ASA5505 config and the ASA5510 config.
This is the first time that I've set up a VPN connection, so any guidance would be greatly appreciated.
Thank you
Adam
Hello
Looking at your Remote Site ASA configuration, you have not added the internal networks of the Central Site to the L2L VPN configurations at all, so the traffic does not pass through the VPN.
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.*
access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.*
access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.0.0 255.255.*.*
access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.170.0 255.255.*.*
access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.172.0 255.255.*.*
access-list exempt extended permit ip 10.1.1.0 255.255.255.128 140.15.0.0 255.255.*.*
Take a look at the ACL configurations above. The 'exempt' ACL is used in the NAT0 configurations and tells the ASA which traffic to exempt from NAT. The "outside_1_cryptomap" ACL is used to tell which traffic between the subnets should be using the L2L VPN connection.
So in short, on the Remote Site ASA these ACLs should be identical. Make the additions to the L2L VPN ACL, then try again.
I would also like to point out that you should make sure the Central Site ASA's L2L VPN ACL contains the same networks. The ACL on the Central Site will, of course, have its internal subnets as the source and the remote site LAN as the destination.
The output of 'show crypto ipsec sa' shows you that only the SA between the Central Site link network and the Remote Site LAN was established. The others have not formed, as the configuration is lacking at LEAST on the Remote Site ASA. It may also be lacking on the Central Site.
-Jouni
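Added example (not from either thread and not Cisco tooling): a Python audit of an ASA 8.2-style configuration for the two mistakes described in the replies above, namely a NAT-exemption ACL that is defined but never applied with `nat (inside) 0 access-list ...`, and a NAT0 ACL that lists more networks than the crypto-map ACL. The configurations are constructed; the ACL names `sheep`, `exempt` and `outside_1_cryptomap` come from the page, while the crypto map name `outside_map`, the 172.16.x.0 destinations and the finding labels are assumptions of this example.

```python
import ipaddress
import re

# CONSTRUCTED configs. Only "permit ip <net> <mask> <net> <mask>" entries are
# parsed; "any", "host" and object-group forms are ignored by this example.
REMOTE_ACCESS_BEFORE = """\
access-list sheep extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
"""
REMOTE_ACCESS_AFTER = REMOTE_ACCESS_BEFORE + "nat (inside) 0 access-list sheep\n"

L2L_REMOTE_SITE = """\
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.128 172.16.10.0 255.255.255.0
access-list exempt extended permit ip 10.1.1.0 255.255.255.128 172.16.10.0 255.255.255.0
access-list exempt extended permit ip 10.1.1.0 255.255.255.128 172.16.20.0 255.255.255.0
nat (inside) 0 access-list exempt
crypto map outside_map 1 match address outside_1_cryptomap
"""

ACL = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0 = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
CMAP = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")


def parse(config):
    """Return (acl name -> [(src, dst)], NAT0 ACL names, crypto ACL names)."""
    acls, nat0, crypto = {}, set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL.match(line):
            name, src, smask, dst, dmask = m.groups()
            pair = (ipaddress.ip_network(f"{src}/{smask}"),
                    ipaddress.ip_network(f"{dst}/{dmask}"))
            acls.setdefault(name, []).append(pair)
        elif m := NAT0.match(line):
            nat0.add(m.group(1))
        elif m := CMAP.match(line):
            crypto.add(m.group(1))
    return acls, nat0, crypto


def covered(pair, pairs):
    """True if some entry in pairs contains both ends of pair."""
    src, dst = pair
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in pairs)


def fmt(pair):
    return f"{pair[0]} -> {pair[1]}"


def audit(config):
    """Return a sorted list of (finding, detail) tuples."""
    acls, nat0, crypto = parse(config)
    exempt = [p for n in nat0 for p in acls.get(n, [])]
    tunnel = [p for n in crypto for p in acls.get(n, [])]
    findings = []
    # An extended ACL that nothing references has no effect (first reply).
    for name in acls:
        if name not in nat0 and name not in crypto:
            findings.append(("acl-defined-but-not-applied", name))
    # Traffic selected for the tunnel must also bypass NAT.
    for pair in tunnel:
        if not covered(pair, exempt):
            findings.append(("tunnel-traffic-still-natted", fmt(pair)))
    # NAT0 entries with no matching crypto ACL entry never enter the tunnel
    # (second reply: the two ACLs should list the same networks).
    for pair in exempt:
        if tunnel and not covered(pair, tunnel):
            findings.append(("nat-exempt-but-not-in-crypto-acl", fmt(pair)))
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("remote access, before", REMOTE_ACCESS_BEFORE),
                       ("remote access, after", REMOTE_ACCESS_AFTER),
                       ("L2L remote site", L2L_REMOTE_SITE)):
        print(label, audit(cfg))
```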
-
Troubleshooting IPSec Site to Site VPN between ASA and 1841
Hi all
In the past I've implemented several VPN connections between ASA devices. So I thought a site-to-site link between an ASA and an 1841 would be easy... But it seems I was mistaken.
I configured a site-to-site VPN as described in Document ID: SDM 110198: IPsec Site to Site VPN between ASA/PIX and an example of IOS Router Configuration (I have not used SDM but CCP).
I have run the wizards on the ASA with ASDM, and on the 1841, with the current IOS version 15.1, with CCP.
It seems Phase 1 and 2 are coming up, although my ASA in ASDM reports (Monitoring > VPN > VPN Statistics > Sessions) an established tunnel with some Tx traffic but 0 Rx traffic.
On the ASA:
Output of the command: "sh crypto ipsec sa peer 217.xx.yy.zz"
peer address: 217.86.154.120
    Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.cc
      access-list outside_2_cryptomap_1 extended permit ip 192.168.37.0 255.255.255.0 172.20.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (LAN-A/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (LAN-G/255.255.255.0/0/0)
      current_peer: 217.xx.yy.zz
      #pkts encaps: 400, #pkts encrypt: 400, #pkts digest: 400
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 400, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 62.aa.bb.cc, remote crypto endpt.: 217.xx.yy.zz
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 39135054
      current inbound spi : B2E9E500
    inbound esp sas:
      spi: 0xB2E9E500 (3001672960)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 100327424, crypto-map: VPN-OUTSIDE
         sa timing: remaining key lifetime (kB/sec): (4374000/1598)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x39135054 (957567060)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 100327424, crypto-map: VPN-OUTSIDE
         sa timing: remaining key lifetime (kB/sec): (4373976/1598)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
Output of the command: "sh crypto isakmp sa"
   Active SA: 4
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 4
    IKE Peer: 217.xx.yy.zz
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
On the 1841:
1841#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
217.86.154.120  62.153.156.163  QM_IDLE           1002 ACTIVE
1841#sh crypto ipsec sa
interface: Dialer1
    Crypto map tag: SDM_CMAP_1, local addr 217.86.154.120
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.20.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.37.0/255.255.255.0/0/0)
   current_peer 62.153.156.163 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 585, #pkts decrypt: 585, #pkts verify: 585
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 217.86.154.120, remote crypto endpt.: 62.153.156.163
     path mtu 1452, ip mtu 1452, ip mtu idb Dialer1
     current outbound spi: 0xB2E9E500(3001672960)
     PFS (Y/N): Y, DH group: group2
     inbound esp sas:
      spi: 0x39135054(957567060)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: FPGA:3, sibling_flags 80000046, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4505068/1306)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xB2E9E500(3001672960)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: FPGA:4, sibling_flags 80000046, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4505118/1306)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
interface: Virtual-Access1
    Crypto map tag: SDM_CMAP_1, local addr 217.86.154.120
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.20.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.37.0/255.255.255.0/0/0)
   current_peer 62.153.156.163 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 585, #pkts decrypt: 585, #pkts verify: 585
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 217.86.154.120, remote crypto endpt.: 62.153.156.163
     path mtu 1452, ip mtu 1452, ip mtu idb Dialer1
     current outbound spi: 0xB2E9E500(3001672960)
     PFS (Y/N): Y, DH group: group2
     inbound esp sas:
      spi: 0x39135054(957567060)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: FPGA:3, sibling_flags 80000046, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4505068/1306)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xB2E9E500(3001672960)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: FPGA:4, sibling_flags 80000046, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4505118/1306)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
It seems that the routing on the 1841 is working properly, as I can tear down the tunnel and bring it up again by pinging a host on the network of the 1841, but not vice versa.
The Troubleshoot VPN report of the 1841 shows a message like "The following sources are forwarded through the crypto map interface. (172.20.2.0) 1) Go to 'Configure -> Routing' and correct the routing table."
I have not found an error in the 1841 config, so if one of the guys reading this thread has an idea, any hint is highly appreciated!
This is the running configuration of the 1841:
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1841
!
boot-start-marker
boot system flash c1841-adventerprisek9-mz.151-1.T.bin
boot-end-marker
!
logging buffered 51200 notifications
!
aaa new-model
!
!
aaa authentication login default local
!
aaa session-id common
!
memory-size iomem 20
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
dot11 syslog
ip source-route
!
no ip dhcp use vrf connected
!
ip cef
no ip bootp server
ip domain name test
ip name-server 194.25.2.129
ip name-server 194.25.2.130
ip name-server 194.25.2.131
ip name-server 194.25.2.132
ip name-server 194.25.2.133
no ipv6 cef
!
multilink bundle-name authenticated
!
!
object-group network phone
 description VoIP phone
 host 172.20.2.50
 host 172.20.2.51
!
redundancy
!
!
controller DSL 0/0/0
 mode atm
 dsl-mode shdsl symmetric annex B
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key * address 62.aa.bb.cc
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to62.aa.bb.cc
 set peer 62.aa.bb.cc
 set transform-set ESP-3DES-SHA
 set pfs group2
 match address 100
!
!
!
interface FastEthernet0/0
 description DMZ $FW_OUTSIDE$
 ip address 10.10.10.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description $ETH-LAN$ $FW_INSIDE$
 ip address 172.20.2.254 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
 duplex auto
 speed auto
!
interface ATM0/0/0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
 pvc 1/32
  pppoe-client dial-pool-number 1
 !
!
interface Dialer1
 description $FW_OUTSIDE$
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 2
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxx
 ppp chap password 7 xxxxxxx8
 ppp pap sent-username xxxxxxx password 7 xxxxxxx
 crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip dns server
ip nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
ip nat inside source static tcp 10.10.10.1 25 interface Dialer1 25
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
ip nat inside source route-map SDM_RMAP_2 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
!
logging trap notifications
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 172.20.2.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 10.10.10.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 101 permit ip 172.20.2.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=2
access-list 102 remark IPSec Rule
access-list 102 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
route-map SDM_RMAP_2 permit 1
 match ip address 102
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 length 0
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 172.20.2.250 prefer
end
As I mentioned previously: any hint is much appreciated!
Best regards
Joerg
Joerg,
The ASA does not receive any VPN packets because IOS does not send anything.
Try to send packets from the 1841 LAN to the LAN of the ASA and see if "sh cry ips sa" on the 1841 increments the encrypted packets (it does not).
So the problem seems to be on the router side.
I think that it is a routing problem, but you only have one default gateway (no other routes on the router).
ACL 100 is set to encrypt the traffic between the two subnets.
It seems that ACL 101 is also bypassing NAT for the VPN traffic.
Follow these steps:
Try sourcing traffic from the router's inside LAN IP (ping 192.168.37.x source 172.20.2.254) and see whether the packets bypass translation and get encrypted.
I would also remove ACL 100 from the inside interface on the router, because it is used for the VPN. You can create another ACL to apply to the interface.
Federico.
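The counter comparison used in this reply (encaps on one peer against decaps on the other) can be scripted. The following is an added example, not part of the original thread; the two text excerpts are constructed in the standard "show crypto ipsec sa" layout from the counter values quoted above, and the function names and status labels are assumptions.

```python
import re

# Constructed excerpts using the counters quoted in the thread
# (ASA: 400 encaps / 0 decaps, 1841: 0 encaps / 585 decaps).
ASA_OUTPUT = """\
      #pkts encaps: 400, #pkts encrypt: 400, #pkts digest: 400
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""
ROUTER_OUTPUT = """\
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 585, #pkts decrypt: 585, #pkts verify: 585
    #send errors 0, #recv errors 0
"""

# ASA prints "#send errors: 0", IOS prints "#send errors 0": the colon is optional.
COUNTER_RE = re.compile(
    r"#(?:pkts )?(encaps|decaps|send errors|recv errors):?\s+(\d+)"
)


def parse_counters(text):
    """Sum the counters over every SA block found in the pasted output.

    Paste each SA once: IOS lists the same SA under Dialer1 and under
    Virtual-Access1, which would double the totals.
    """
    totals = {"encaps": 0, "decaps": 0, "send errors": 0, "recv errors": 0}
    for name, value in COUNTER_RE.findall(text):
        totals[name] += int(value)
    return totals


def direction_status(sender, receiver):
    """Classify one direction of the tunnel from both ends' counters."""
    if sender["encaps"] == 0:
        # Nothing matches the sender's crypto ACL: look at its routing,
        # NAT exemption and interface ACLs, not at the peer.
        return "NOT_ENCRYPTING"
    if receiver["decaps"] == 0:
        if receiver["recv errors"] > 0:
            return "RECEIVE_ERRORS"   # ESP arrives but is rejected
        return "LOST_IN_TRANSIT"      # ESP is filtered or mangled on the path
    return "OK"


def diagnose(a_name, a, b_name, b):
    """Return the status of both directions, keyed by 'sender -> receiver'."""
    return {
        f"{a_name} -> {b_name}": direction_status(a, b),
        f"{b_name} -> {a_name}": direction_status(b, a),
    }


if __name__ == "__main__":
    asa = parse_counters(ASA_OUTPUT)
    router = parse_counters(ROUTER_OUTPUT)
    for direction, status in diagnose("ASA", asa, "1841", router).items():
        print(f"{direction}: {status}")
```

The counters are snapshots taken at different moments, so the absolute numbers on the two peers need not match; only zero versus non-zero is used.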
-
I have a couple of site-to-site VPNs working properly on an ASA 5515. I don't know what is on the other side, as I haven't seen them. I configured an SSL VPN for remote users who must be able to access resources on the remote sites. I got access to the site's network without any problems and have added the range of IP addresses for the remote users to the site-to-site links, but I am unable to connect. If anyone has this working, it would be greatly appreciated if you can help.
Hi mbluemel,
You need to configure the remote side to allow traffic from the remote side for SSL VPN users.
This document lists the steps taken to achieve this: http://www.petenetlive.com/kb/article/0000040.htm
For more information:
http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...
Kind regards
Dinesh Moudgil
PS Please rate helpful messages.
-
Greetings. We have a working site-to-site VPN based on two ASA 5510s. Hosts on the internal networks of the two sites can reach each other, but from our local ASA 5510 we are unable to access any services (such as TFTP or a CA) or even ping hosts at the remote site. It seems that the ASA attempts to send the packets directly through the default gateway, bypassing the VPN tunnel. Any help would be very much appreciated.
PS We checked the ACLs on both devices, so more than likely this is not the problem.
Hello
Since you did not include the public IP address of the outside interface in the crypto ACL, that is why it is not going into the tunnel.
Add a statement to the crypto ACL with the public IP address of the outside interface as the source, and its mirror image on the remote device.
HTH
Sangaré
Pls rate helpful messages
-
Site to Site VPN Cisco IOS 1941 15.0 (1) M1
Hello
I am currently setting up a site-to-site VPN between an ASA and a 1941 router. The VPN configuration on the ASA seems to be OK, because it works without problems with an 1841 router with IOS 12.4 at the other site. The same VPN configuration on the new 1941 router with IOS 15.0(1)M1 does not work. It seems that the crypto map access list is the problem. The router never initiates the VPN connection. When the ASA attempts to establish the VPN, the router's debug log shows:
...
*May  5 14:37:52.263: ISAKMP:(1007): Checking IPSec proposal 1
*May  5 14:37:52.263: ISAKMP: transform 1, ESP_3DES
*May  5 14:37:52.263: ISAKMP:   attributes in transform:
*May  5 14:37:52.263: ISAKMP:      SA life type in seconds
*May  5 14:37:52.263: ISAKMP:      SA life duration (basic) of 28800
*May  5 14:37:52.263: ISAKMP:      SA life type in kilobytes
*May  5 14:37:52.263: ISAKMP:      SA life duration (VPI) of 0x0 0x46 0x50 0x0
*May  5 14:37:52.263: ISAKMP:      encaps is 1 (Tunnel)
*May  5 14:37:52.263: ISAKMP:      authenticator is HMAC-SHA
*May  5 14:37:52.263: ISAKMP:      group is 2
*May  5 14:37:52.263: ISAKMP:(1007):atts are acceptable.
*May  5 14:37:52.263: ISAKMP:(1007): IPSec policy invalidated proposal with error 32
*May  5 14:37:52.263: ISAKMP:(1007): phase 2 SA policy not acceptable! (local ... remote ...)...
Any clue?
Regards
Claudia
The configuration of the router:
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco1941
!
no aaa new-model
!
no ipv6 cef
no ip source-route
ip cef
!
ip domain name xyz.de
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-...
!
crypto pki certificate chain TP-self-signed-...
 quit
license udi pid CISCO1941/K9 sn ...
!
username xyz privilege 15 secret 5 $1$...
!
redundancy
!
crypto logging session
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ... address 1.2.3.4
crypto isakmp invalid-spi-recovery
!
crypto ipsec transform-set tsAsa esp-3des esp-sha-hmac
!
crypto map asa 10 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set tsAsa
 set pfs group2
 match address 100
!
interface GigabitEthernet0/0
 description * inside *
 ip address 10.100.100.1 255.255.255.0
 duplex auto
 speed auto
!
!
interface GigabitEthernet0/1
 ip address 5.6.7.8 255.255.255.240
 ip access-group 111 in
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 crypto map asa
!
!
interface ATM0/0/0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
!
ip forward-protocol nd
!
ip route 0.0.0.0 0.0.0.0 1.2.3.5
!
access-list 100 permit ip 10.100.100.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 111 permit esp host 1.2.3.4 host 5.6.7.8
access-list 111 permit udp host 1.2.3.4 host 5.6.7.8 eq isakmp
access-list 111 permit ahp host 1.2.3.4 host 5.6.7.8
access-list 111 deny ip any any log
....
end
Try to do this:
ip route 10.10.10.0 255.255.255.0 interface Ge0/1
ip route 1.2.3.4 255.255.255.255 default-gateway-to-Ge0/1
The rest of your config looks very good.
-
Trying to run a site-to-site VPN and a remote-access VPN from the same remote IP
We currently have a site-to-site VPN configured between our office and a third-party call center that allows their employees to use our training environment while being trained on our systems. This tunnel is running between our ASA and their ASA without problems; however, when we have managers go out to the call center, they are unable to use the remote-access VPN to reach our office.
Apparently the remote peer IP that we use for our site-to-site tunnel is the same IP that our managers use to access the internet when they are on-site with the customer. When I look at the logs, they show the VPN attempt and then I get "Information Exchange processing failed". So from what I can understand, when our managers try to connect to our firewall from the same IP address as the site-to-site peer, it automatically tries to create a tunnel based on the site-to-site tunnel information. If our managers are anywhere else, they can connect through the remote-access VPN with no problems.
My question is whether anyone knows of a way to make the firewall allow site-to-site and remote-access VPN connections from the same remote IP address.
Hi John,
Basically, in older versions, when you hit a static crypto map and did not completely match it, the connection fell through to the dynamic crypto map. For this reason, you could connect your IPsec clients before. A bug has been opened on this vulnerability.
CSCuc75090 bug details
Crypto IPsec SAs are created by the dynamic crypto map for static peers
Symptom:
When a static VPN peer adds any traffic to the crypto ACL, an SA is built even though the IP pair is not allowed in the crypto ACL on the main side. These SAs are eventually matched and set up by the dynamic crypto map instance.
Conditions:
This was an intended design since day one that allowed customers to fall through in case the static crypto map did not provide the needed crypto services.
The SA must be initiated from a statically configured peer, and a dynamic crypto map instance must be configured on the receiving end.
Workaround:
N/A
Some possible workarounds are:
Configure a static NAT on the remote device for when you try to use the remote-access VPN, so that the remote firewall will hit yours with a different public IP address. It would be a good solution, but it will depend on how many public IP addresses you have available and on whether you really want to use one of these IP addresses for that access.
Also, I thought you could use AnyConnect instead of the IPsec VPN client. I don't know how many users need to connect from your PC to the remote site, but the ASA has 2 SSL licenses available that you could use. Because AnyConnect uses the SSL protocol, it won't have a problem in your environment.
Below some information:
Hope this helps,
Luis.
-
Hello
I am facing a problem with my site-to-site VPN configuration. The remote-site router gets its public IP address from a DHCP server, so I have built a dynamic crypto map on the HQ router.
ISAKMP phase one is up and running. I am trying to ping from the LAN 192.168.85.0 to the HQ LAN 172.16.12.0, but it won't go through. When I check the IPsec security associations, I can see that packets are encrypted on the branch side and decrypted on the HQ side, but the HQ router sends no ping response at all and shows no encrypted packets.
I have attached my configurations, I had to hide some information just for safety
Help, please!
Mostafa
Hello Mustafa,
Having a glance at your config, it seems you have not correctly configured the NAT exemption on your HQ.
ip access-list extended NAT
 deny ip 172.16.12.0 0.0.0.255 192.168.75.0 0.0.0.255
 deny ip 172.16.12.0 0.0.0.255 172.16.20.0 0.0.0.255
 permit ip 172.16.12.0 0.0.0.255 any
 deny ip 172.16.12.0 0.0.0.255 192.168.85.0 0.0.0.255
In this ACL the interesting traffic is denied last, so it is not exempted from NAT. As ACLs are processed top-down, your interesting traffic already matches the permit statement in the NAT ACL and is therefore subject to NAT on HQ. The deny statement that exempts the interesting traffic from NAT should precede the permit statement.
HTH
Please rate useful posts.
-
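The NAT-exemption ordering problem described in the reply above can be checked mechanically. This is an added example, not code from the thread: it evaluates an IOS extended ACL with first-match semantics and reports entries that an earlier entry with the opposite action makes unreachable. The reordered ACL, the function names and the test addresses are assumptions; only "permit/deny ip" entries are handled.

```python
import ipaddress

# ACL as posted in the reply above.
HQ_NAT_ACL = """
ip access-list extended NAT
 deny ip 172.16.12.0 0.0.0.255 192.168.75.0 0.0.0.255
 deny ip 172.16.12.0 0.0.0.255 172.16.20.0 0.0.0.255
 permit ip 172.16.12.0 0.0.0.255 any
 deny ip 172.16.12.0 0.0.0.255 192.168.85.0 0.0.0.255
"""

# Constructed reordering: every exemption (deny) precedes the permit.
FIXED_NAT_ACL = """
ip access-list extended NAT
 deny ip 172.16.12.0 0.0.0.255 192.168.75.0 0.0.0.255
 deny ip 172.16.12.0 0.0.0.255 172.16.20.0 0.0.0.255
 deny ip 172.16.12.0 0.0.0.255 192.168.85.0 0.0.0.255
 permit ip 172.16.12.0 0.0.0.255 any
"""

ALL_BITS = 0xFFFFFFFF


def ip_to_int(text):
    return int(ipaddress.IPv4Address(text))


def parse_operand(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' -> (base, wildcard)."""
    if tokens[0] == "any":
        return (0, ALL_BITS), tokens[1:]
    if tokens[0] == "host":
        return (ip_to_int(tokens[1]), 0), tokens[2:]
    return (ip_to_int(tokens[0]), ip_to_int(tokens[1])), tokens[2:]


def parse_acl(text):
    """Parse 'permit|deny ip SRC DST' entries; the header line is skipped."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        if tokens[1] != "ip":
            raise ValueError(f"only 'ip' entries are supported: {line.strip()}")
        src, rest = parse_operand(tokens[2:])
        dst, _ = parse_operand(rest)
        aces.append({"action": tokens[0], "src": src, "dst": dst})
    return aces


def matches(operand, addr):
    """Wildcard-mask match: bits set in the wildcard are 'don't care'."""
    base, wild = operand
    return ((base ^ addr) & ~wild & ALL_BITS) == 0


def covers(outer, inner):
    """True if every address matched by inner is also matched by outer."""
    obase, owild = outer
    ibase, iwild = inner
    return (iwild & ~owild & ALL_BITS) == 0 and ((obase ^ ibase) & ~owild & ALL_BITS) == 0


def first_match(aces, src, dst):
    """Action of the first matching entry; no match means the implicit deny."""
    s, d = ip_to_int(src), ip_to_int(dst)
    for ace in aces:
        if matches(ace["src"], s) and matches(ace["dst"], d):
            return ace["action"]
    return "implicit deny"


def shadowed(aces):
    """(later, earlier) index pairs where an earlier entry with the opposite
    action covers the later one completely, so the later one never matches."""
    found = []
    for j, later in enumerate(aces):
        for i in range(j):
            earlier = aces[i]
            if (covers(earlier["src"], later["src"])
                    and covers(earlier["dst"], later["dst"])):
                if earlier["action"] != later["action"]:
                    found.append((j, i))
                break
    return found


if __name__ == "__main__":
    for name, text in (("posted", HQ_NAT_ACL), ("reordered", FIXED_NAT_ACL)):
        acl = parse_acl(text)
        verdict = first_match(acl, "172.16.12.10", "192.168.85.20")
        print(f"{name}: HQ -> branch is '{verdict}' in the NAT ACL; "
              f"shadowed entries: {shadowed(acl)}")
```

In a NAT ACL, "permit" means the packet is translated and "deny" means it is exempt, so the posted ACL translates HQ-to-branch traffic before the crypto ACL can match it.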
Hi all
After following the guides on site-to-site VPN and NAT, I am very close with this, but suspect a minor error here. It was difficult to apply some of the Cisco worked examples given the additional complexity here (VLANs, routing to a static IP address), as well as due to inexperience with some routing commands.
Requirements:
-Provide internet access for three local networks (10.10.10.0/29 for the management of the router, 192.168.1.0/24 for most of the PCs, 172.22.81.160/28 for a PC for VPN and wireless)
-Set up a site-to-site VPN between 172.22.81.160 and a remote VPN router at 194.73.***.***
-Forward all 172.22.81.160 traffic destined for the IP 195.218.***.*** only (quoted to me as 195.218.***.***/32) over the site-to-site VPN
It may be confusing that 195.218.***.*** is a public IP address, where I would normally expect a private IP address. This has been checked and confirmed. It is certainly accessible only via the VPN tunnel. So far, everything works as expected, except for the VPN. Cisco diagnostics report that everything is going well, except that the tunnel is down and no traffic is coming back from 195.218.***.***
I have not spotted the error, help appreciated!
My next step would be to simplify the config by removing unnecessary commands one by one and then check again against the examples and the manual. Config attached.
Kind regards
John
References:
http://www.Cisco.com/c/en/us/support/docs/security-VPN/IPSec-negotiation...
http://www.Cisco.com/c/en/us/support/docs/security-VPN/IPSec-negotiation...
Requirements of VPN:
IKE Phase 1
Diffie-Hellman group: 2
Version of IKE: IKEv1
IKE Lifetime: 86400
Aggressive mode: No.
Encryption: AES 256
Integrity: SHA2-256
Authentication method: pre-shared
IKE Phase 2
PFS: Yes
PFS DH group: 2
Life: 3600
Encryption: AES 256
Integrity: SHA2-256
Good stuff! Glad that you got it sorted.
-
AnyConnect VPN full tunnel could not access the site to site VPN
I have an AnyConnect VPN set up with no split tunneling (U-turn/hairpinned traffic), running 8.2.5 code.
It works fine, but I want to allow AnyConnect clients to reach the site-to-site VPN, which I have been unable to do.
I checked that the IP addresses of the AnyConnect network are part of the tunnel on both sides.
My logic tells me that I must not turn back traffic from the network anyconnect for the site to site VPN, but I don't know how to do this.
Any help would be appreciated.
Here are the relevant parts of my config:
(Inside network is 192.168.0.0/24,
the AnyConnect network is 192.168.10.0/24,
site-to-site VPN network is 192.168.2.0/24)
--------------------------------------------------------------------------------------
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.0.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 192.168.2.0 255.255.255.0
ip local pool AnyConnectPool 192.168.10.2-192.168.10.254 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 192.168.10.0 255.255.255.0
access-outside group access component software snap-in interface outside
Route outside 0.0.0.0 0.0.0.0 (the gateway IP) 1
WebVPN
allow outside
AnyConnect essentials
SVC disk0:/anyconnect-win-3.1.05152-k9.pkg 1 image
SVC profiles AnyConnectProfile disk0: / anyconnect_client.xml
enable SVC
tunnel-group-list activate
internal AnyConnectGrpPolicy group strategy
attributes of Group Policy AnyConnectGrpPolicy
WINS server no
value of 192.168.0.33 DNS server 192.168.2.33
VPN-session-timeout no
Protocol-tunnel-VPN l2tp ipsec svc
Split-tunnel-policy tunnelall
the address value AnyConnectPool pools
type tunnel-group AnyConnectGroup remote access
attributes global-tunnel-group AnyConnectGroup
address pool AnyConnectPool
authentication-server-group SERVER1_AD
Group Policy - by default-AnyConnectGrpPolicy
tunnel-group AnyConnectGroup webvpn-attributes
the aaa authentication certificate
activation of the Group _AnyConnect alias
Your remote-access VPN traffic appears as originating on the outside interface, so I think you need to exempt the VPN pool traffic directed to the site-to-site VPN from NAT. Something like this:
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list outside_nat0
nat (outside) 1 192.168.10.0 255.255.255.0
access-list outside_nat0 extended permit ip any 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
-
Several subnets in the site to Site VPN
Hi guys,.
I would like to set up a site-to-site VPN tunnel with several subnets. I could not find a configuration that matches my problem. I hope you can help me with the solution.
You can find my network design attached to this topic.
This is my setup on the ASA:
(1) NAT exemption for network traffic going to the site-to-site VPN
nat (MGMTLAN,INT-STSVPN) source static 192.168.10.0 192.168.10.0 destination static 192.168.31.0 192.168.31.0
nat (inside,INT-STSVPN) source static 192.168.15.0 192.168.15.0 destination static 192.168.38.0 192.168.38.0
(2) The access list with the traffic to encrypt
object-group network 192.168.10.0
 network-object 192.168.10.0 255.255.255.0
object-group network 192.168.15.0
 network-object 192.168.15.0 255.255.255.0
object-group network 192.168.38.0
 network-object 192.168.38.0 255.255.255.0
object-group network 192.168.31.0
 network-object 192.168.31.0 255.255.255.0
object-group network STSVPN-LOCAL
 group-object 192.168.10.0
 group-object 192.168.15.0
object-group network STSVPN-US
 group-object 192.168.38.0
 group-object 192.168.31.0
access-list ACL_STSVPN-US extended permit ip object-group STSVPN-LOCAL object-group STSVPN-US
(3) Phase 1 proposal
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
(4) Phase 2 proposal
crypto ipsec ikev2 ipsec-proposal IKEV2-IPSEC-ESP-AES-SHA
 protocol esp encryption aes-256
 protocol esp integrity sha-256
(5) Tunnel group
tunnel-group 4.4.4.4 type ipsec-l2l
tunnel-group 4.4.4.4 general-attributes
 default-group-policy GrpPolicy-STSVPN-US
tunnel-group 14.4.4.4 ipsec-attributes
 ikev2 remote-authentication pre-shared-key abcd
 ikev2 local-authentication pre-shared-key abcd
Group policy
group-policy GrpPolicy-STSVPN-US internal
group-policy GrpPolicy-STSVPN-US attributes
 vpn-filter value STSVPN-US
 vpn-tunnel-protocol ikev2
(5) Crypto map
crypto map CM-STSVPN 10 match address STSVPN-US
crypto map CM-STSVPN 10 set peer 4.4.4.4
crypto map CM-STSVPN 10 set ikev2 ipsec-proposal IKEV2-IPSEC-ESP-AES-SHA
crypto map CM-STSVPN interface INT-STSVPN
crypto ikev2 enable INT-STSVPN
/////////////////////////////////////////////////////////////////////
The router configuration:
(1) SA part
crypto ikev2 proposal ki2.PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy ki2.POL
 proposal ki2.PROP
crypto ikev2 keyring KR1
 peer ASALAB
  address 2.2.2.2
  pre-shared-key local abcd
  pre-shared-key remote abcd
crypto ikev2 profile ki2.PROF
 match identity remote address 2.2.2.2 255.255.255.255
 identity local address 4.4.4.4
 authentication remote pre-share
 authentication local pre-share
 keyring local KR1
(2) Transform set
crypto ipsec transform-set TS.VPN2 esp-aes 256 esp-sha256-hmac
 mode tunnel
(3) Access list
ip access-list extended ACL.VPNIKE2
 permit ip 192.168.31.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.38.0 0.0.0.255 192.168.15.0 0.0.0.255
(5) Crypto map
crypto map CM.VPN 30 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set TS.VPN2
 set pfs group14
 set ikev2-profile ki2.PROF
 match address ACL.VPNIKE2
//////////////////////////////////////////////////////////////////////
This configuration is correct to allow both subnets on each side of the VPN tunnel to communicate with each other.
192.168.31.0 subnet cannot communicate with 192.168.10.0
192.168.38.0 subnet cannot communicate with 192.168.15.0
Hello Jay,
I went through the configuration of the two devices and noticed a few errors in the configuration of the ASA. Details here:
(1) The access list configured for VPN traffic is named ACL_STSVPN-US; however, the match address configured on the crypto map uses an object-group name instead:
crypto map CM-STSVPN 10 match address STSVPN-US
You must change this setting to avoid any problems with the traffic negotiation:
no crypto map CM-STSVPN 10 match address STSVPN-US
crypto map CM-STSVPN 10 match address ACL_STSVPN-US
(2) You also have the same error on the configured VPN filter. However, you could not use the access list ACL_STSVPN-US for the VPN filter, since the ASA will filter incoming packets only. In this case the appropriate ACL is configured from the remote networks (ROUTER) to the local networks (ASA). It will look something like this:
access-list VPN_filter extended permit ip object-group STSVPN-US object-group STSVPN-LOCAL
access-list VPN_filter extended permit ip object-group STSVPN-US object-group STSVPN-LOCAL
group-policy GrpPolicy-STSVPN-US attributes
 vpn-filter value VPN_filter
Keep in mind that the VPN filter holds the rules that determine whether to allow or deny tunneled data packets coming through the security appliance, based on criteria such as source address, destination address, and protocol. If you want to use the IP protocol, the filter will not make a difference.
(3) PFS group 14 is configured on the router crypto map, but not on the ASA. You need to either add it to the ASA crypto map or remove it from the router.
ASA:
crypto map CM-STSVPN 10 set pfs group14
Router:
crypto map CM.VPN 30 ipsec-isakmp
 no set pfs group14
Hope this help you to raise the tunnel,
Luis.
-
IPSec site to site VPN cisco VPN client routing problem and
Hello
I'm really stuck with the configuration of an IPsec site-to-site VPN (hub and spoke, multiple spokes) with Cisco VPN client remote access to this VPN.
The problem is with remote access: with the Cisco VPN client I can communicate with the hub LAN, but I also need communication from the Cisco VPN client to all the spoke LANs.
On the spokes no Cisco hardware is used; they are DLINK routers.
Someone told me that it is possible to use NAT to translate the remote-access clients to the hub LAN IP and thus allow communication, but I'm unable to set it up and get it working.
Can someone help me please?
Thank you
Peter
SPOKES - non-Cisco devices / another vendor
Cisco 1841 HSEC HUB:
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key x address xx no-xauth
!
crypto isakmp client configuration group x
 key x
 pool vpnclientpool
 acl 190
 include-local-lan
!
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set 1cisco esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set 1cisco
!
crypto map ETH0 client authentication list userauthen
crypto map ETH0 isakmp authorization list groupauthor
crypto map ETH0 client configuration address respond
crypto map ETH0 1 ipsec-isakmp
 set peer x
 set transform-set 1cisco
 set pfs group2
 match address 180
crypto map ETH0 10 ipsec-isakmp dynamic dynmap
!
!
interface FastEthernet0/1
 description $ES_WAN$
 crypto map ETH0
!
ip local pool vpnclientpool 192.168.200.100 192.168.200.150
!
!
ip nat inside source list LOCAL interface FastEthernet0/1 overload
!
ip access-list extended LOCAL
 deny ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
 permit ip 192.168.7.0 0.0.0.255 any
!
access-list 180 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 190 permit ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
!
How has the DLINK been configured for traffic between the site-to-site VPN subnets? Are you able to add multiple remote subnets on the DLINK? If you can, then you must add the VPN client pool subnet.
Alternatively, if you cannot add multiple subnets on the DLINK router, you can change the VPN client pool to 192.168.6.0/24, and in the crypto ACL for the site-to-site VPN you must edit the existing ACL 180
FROM:
access-list 180 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 180 permit ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255
TO:
access-list 180 permit ip 192.168.6.0 0.0.1.255 192.168.1.0 0.0.0.255
Also change the split-tunnel ACL 190:
FROM:
access-list 190 permit ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 190 permit ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255
TO:
access-list 190 permit ip 192.168.7.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 190 permit ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
Finally, on the DLINK, change the remote subnet from 192.168.7.0/255.255.255.0 to 192.168.6.0/255.255.254.0.
Hope that helps.
-
Question creating a site to site vpn
I am trying to configure a site-to-site VPN for testing and, after going through http://www.ciscosecrets.info/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml, I am still unable to establish a connection. I have attached the config for both of the 5520s that I use. What am I missing?
Try this if you are pinging from the ASA
management-access inside