VPN server under static NAT. Any advice?
Hello
Is it possible to configure a VPN server in the DMZ behind a static NAT translation? I have a 2911 as the border router and a 2951 as the firewall with four zones: inside1, inside2, outside and DMZ. All IP addressing between the edge router and the firewall is private. Web and mail servers in the DMZ already work behind the static NAT. So, can I also configure a VPN server in the DMZ behind the static NAT? Clients that establish VPN tunnels will only work with the (other) DMZ servers. Thank you!
Yes, this can be done. For the IPSec VPN, just make sure that NAT-Traversal is not disabled.
Sent from Cisco Technical Support iPad App
Tags: Cisco Security
Similar Questions
-
How to put all Easy VPN client traffic through the VPN server
Hi people
I want to ask you how to put all of the Easy VPN client traffic through the VPN server.
I mean, I have a VPN server at home, and when I connect to the VPN server from outside, I want to appear with the IP address of my home.
Here is the configuration so far. Where is the problem?
ROUTER1#sh running-config
Building configuration...
Current configuration : 5744 bytes
!
! Last configuration change at 19:51:18 UTC Wed Sep 4 2013 by cska
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER1
!
boot-start-marker
boot config usbflash0:CVO-BOOT.CFG
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
service-module wlan-ap 0 bootimage autonomous
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1604488384
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1604488384
 revocation-check none
!
!
crypto pki certificate chain TP-self-signed-1604488384
 certificate self-signed 01
  quit
ip source-route
!
!
!
!
ip dhcp pool CISCO
 import all
 network 192.168.1.0 255.255.255.0
 dns-server 195.34.133.21 212.186.211.21
 default-router 192.168.1.1
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
license udi pid CISCO892W-AGN-E-K9 sn FCZ1530C209
!
!
username cska privilege 15 secret 5 $1$8j6G$2sMHqIxJX8MQU6vpr75gp1
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPNGR
 key vpngroup
 dns 212.186.211.21 195.34.133.21
 wins 8.8.8.8
 domain chello.at
 pool SDM_POOL_1
 acl 120
 netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group VPNGR
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
 set security-association idle-time 86400
 set transform-set ESP-3DES-SHA
 set isakmp-profile ciscocp-ike-profile-1
!
!
bridge irb
!
!
!
!
interface Loopback0
 ip address 192.168.4.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface GigabitEthernet0
 description Internet
 mac-address 0023.5a03.b6a5
 ip address dhcp client-id GigabitEthernet0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip address 192.168.9.2 255.255.255.0
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
!
interface Vlan1
 no ip address
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip local pool SDM_POOL_1 192.168.4.3 192.168.4.245
ip forward-protocol nd
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 110 interface GigabitEthernet0 overload
ip nat inside source static tcp 192.168.1.5 3389 interface GigabitEthernet0 3389
ip nat inside source static udp 192.168.1.5 3389 interface GigabitEthernet0 3389
ip nat inside source static tcp 192.168.1.5 21 interface GigabitEthernet0 21
ip nat inside source static udp 192.168.1.5 21 interface GigabitEthernet0 21
ip nat inside source static tcp 192.168.1.4 3389 interface GigabitEthernet0 3390
ip nat inside source static udp 192.168.1.4 3389 interface GigabitEthernet0 3390
ip nat inside source list 120 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 dhcp
!
logging esm config
access-list 101 permit ip any any
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 111 permit tcp any any eq 3389
access-list 120 permit ip 192.168.4.0 0.0.0.255 any
!
!
!
!
!
!
!
control-plane
!
bridge 1 protocol ieee
 bridge 1 route ip
!
line con 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin udptn ssh
line aux 0
line vty 0 4
 privilege level 15
 transport preferred ssh
 transport input ssh
 transport output all
!
Thanks in advance
To do this you must make the following changes:
(1) Disable split tunneling by removing the ACL from your client group configuration.
(2) Enable NAT for the VPN traffic by adding 'ip nat inside' to your client virtual-template and adding the client network to the ACL that controls your PAT.
Edit: These are the changes to your config (also with a little cleanup):
crypto isakmp client configuration group VPNGR
 no acl 120
!
interface Virtual-Template1 type tunnel
 ip nat inside
!
no ip nat inside source list 120 interface GigabitEthernet0 overload
!
access-list 110 permit ip 192.168.4.0 0.0.0.255 any
no access-list 120 permit ip 192.168.4.0 0.0.0.255 any
Sent from Cisco Technical Support iPad App
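To check those three changes against a config file before and after, here is an added audit script (my own, not from the thread or from Cisco): it parses IOS config text and reports a split-tunnel ACL on the Easy VPN client group, a virtual-template without 'ip nat inside', and a client pool that no overload NAT ACL covers. The BEFORE and AFTER strings are trimmed copies of the thread's configs; a third finding is worded by me.

```python
import ipaddress
import re

# Trimmed copies of the "before" and "after" configs from this thread
# (only the lines the check needs are kept).
BEFORE = """\
crypto isakmp client configuration group VPNGR
 pool SDM_POOL_1
 acl 120
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
interface GigabitEthernet0
 ip nat outside
ip local pool SDM_POOL_1 192.168.4.3 192.168.4.245
ip nat inside source list 110 interface GigabitEthernet0 overload
ip nat inside source list 120 interface GigabitEthernet0 overload
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 120 permit ip 192.168.4.0 0.0.0.255 any
"""

AFTER = """\
crypto isakmp client configuration group VPNGR
 pool SDM_POOL_1
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip nat inside
interface GigabitEthernet0
 ip nat outside
ip local pool SDM_POOL_1 192.168.4.3 192.168.4.245
ip nat inside source list 110 interface GigabitEthernet0 overload
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 192.168.4.0 0.0.0.255 any
"""


def parse_blocks(config):
    """Map each top-level IOS command to the list of its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            current = line.strip()
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks


def pool_range(blocks, name):
    """First and last address of 'ip local pool <name> <first> <last>', or None."""
    for cmd in blocks:
        m = re.match(rf"ip local pool {re.escape(name)} (\S+) (\S+)$", cmd)
        if m:
            return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
    return None


def acl_covers(blocks, acl, first, last):
    """True if a 'permit ip <net> <wildcard> any' entry of the numbered ACL contains the pool."""
    for cmd in blocks:
        m = re.match(rf"access-list {re.escape(acl)} permit ip (\S+) (\S+) any$", cmd)
        if m:
            # ipaddress accepts the wildcard (host mask) notation that IOS ACLs use
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            if first in net and last in net:
                return True
    return False


def audit(config):
    """Return the findings that stop Easy VPN clients from using the server's NAT."""
    blocks = parse_blocks(config)
    findings = []
    group = next((c for c in blocks if c.startswith("crypto isakmp client configuration group ")), None)
    if group is None:
        return ["no Easy VPN client configuration group found"]
    body = blocks[group]
    if any(sub.startswith("acl ") for sub in body):
        findings.append(f"{group}: split tunneling enabled by 'acl', client Internet traffic bypasses the tunnel")
    for cmd, sub in blocks.items():
        if cmd.startswith("interface Virtual-Template") and "ip nat inside" not in sub:
            findings.append(f"{cmd}: missing 'ip nat inside', tunnel traffic is never translated")
    pool_line = next((sub for sub in body if sub.startswith("pool ")), None)
    pool = pool_range(blocks, pool_line.split()[1]) if pool_line else None
    pat_acls = []
    for cmd in blocks:
        m = re.match(r"ip nat inside source list (\S+) interface \S+ overload$", cmd)
        if m:
            pat_acls.append(m.group(1))
    if pool is None:
        findings.append(f"{group}: no usable 'pool' / 'ip local pool'")
    elif not any(acl_covers(blocks, acl, *pool) for acl in pat_acls):
        findings.append(f"client pool {pool[0]}-{pool[1]} is not covered by any overload NAT ACL")
    return findings


if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(cfg) or ["OK"])
```

In the original config the pool is already in PAT list 120, so the script reports only the split-tunnel ACL and the missing 'ip nat inside'; the fix above also merges list 120 into list 110, which the script accepts.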
-
How can I get all the connections on a windows 2008 r2 through a VPN server?
How can I route all Internet connections on a Windows Server 2008 R2 Standard machine through a VPN server?
When I try to run it only under an administrator account over regular networking, the VPN goes into offline mode when someone other than the administrator tries to remote in.
I have to use a VPN because I'm on a school network and have permission to use the server, but I have to provide my own static IP address. My solution for the static IP address was to run it through a VPN with unlimited data that came with a dedicated static IP address.
Everything on the server works when the administrator connects: website, game, file services, etc.
Post in the Windows Server Forums:
http://social.technet.Microsoft.com/forums/en-us/category/WindowsServer/ -
NAT VPN tunnel and still access Internet traffic
Hello
Thank you in advance for any help you can provide.
I have a server with the IP 192.168.1.9 that needs to access a remote subnet, 192.168.50.0/24, over the Internet. However, before the server can access the remote subnet, its IP must be NAT'ed to 10.1.0.1, because the remote VPN gateway (which is not under my control) also serves other customers who use the same subnet address that we use on our local network.
We have a Cisco 2801 (running c2801-advsecurityk9-mz.124-15.T9.bin) set up to do the NAT. It is the only gateway on our network.
I have configured the Cisco 2801 with the following statements of NAT and the relevant access lists:
access-list 106 permit ip host 192.168.1.9 192.168.50.0 0.0.0.255
ip access-list extended NAT
 deny ip host 192.168.1.9 192.168.50.0 0.0.0.255
 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
route-map ISP permit 10
 match ip address NAT
ip nat pool EMDVPN 10.1.0.1 10.1.0.1 netmask 255.255.255.0
ip nat inside source list 106 pool EMDVPN
ip nat inside source route-map ISP interface FastEthernet0/1 overload
When the server (192.168.1.9) pings devices on the 192.168.50.0/24 subnet, the VPN tunnel is established successfully. However, after that the server is no longer able to access the Internet, because the NAT translation for 192.168.1.9 has changed from the router's external IP address (FastEthernet0/1) to 10.1.0.1.
The documentation I've seen on Cisco's site says that this type of setup allows only host-to-subnet communication; Internet access is not possible. However, maybe I missed something, or one of you experts can help me. Is it possible to configure the router to NAT traffic destined for the VPN tunnel and still have Internet access through the dynamic NAT on FastEthernet0/1?
Once again, thank you for any help you can give.
Alex
Hello
Rather than using a pool for the NAT:
192.168.1.9 -> 10.1.0.1 -> 192.168.50.x
access-list 102 permit ip host 192.168.1.9 192.168.50.0 0.0.0.255
route-map RM-STATIC-NAT permit 10
 match ip address 102
ip nat inside source static 192.168.1.9 10.1.0.1 route-map RM-STATIC-NAT extendable
access-list 101 deny ip host 192.168.1.9 192.168.50.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 101 interface FastEthernet0/1 overload
The VPN access list will then use 10.1.0.1 as the source.
Let me know if it works.
Regards
M
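The difference between the two designs in this exchange is what kind of translation entry the router creates, so here is an added model of that (my own illustration, not Cisco code or anything posted in the thread). A pool translation is a simple entry keyed on the inside-local address alone, so once the server's first VPN packet creates 192.168.1.9 -> 10.1.0.1 every later destination uses it; the static route-map translation with 'extendable' and the list-101 PAT create extended, destination-aware entries. The outside interface address and the two sample destinations are constructed placeholders.

```python
import ipaddress

# Addresses from the thread; the outside address is a constructed placeholder
# because the post does not give FastEthernet0/1's real address.
SERVER = "192.168.1.9"
LAN = ipaddress.ip_network("192.168.1.0/24")
REMOTE_VPN_SUBNET = ipaddress.ip_network("192.168.50.0/24")
POLICY_ADDRESS = "10.1.0.1"        # what the remote VPN gateway must see
OUTSIDE_ADDRESS = "198.51.100.1"   # placeholder for FastEthernet0/1


def is_vpn_flow(src, dst):
    """access-list 106 (pool design) / 102 (route-map design): server -> remote subnet."""
    return src == SERVER and ipaddress.ip_address(dst) in REMOTE_VPN_SUBNET


def pool_design(table, src, dst):
    """Original config: 'ip nat inside source list 106 pool EMDVPN' plus route-map PAT.
    The pool creates a simple entry keyed on the inside-local address only, so once
    it exists it is used for every destination. PAT (overload) entries are per-flow
    and do not capture other flows, so they are not stored here."""
    if src in table:                        # an existing simple entry wins
        return table[src]
    if is_vpn_flow(src, dst):
        table[src] = POLICY_ADDRESS         # entry 192.168.1.9 -> 10.1.0.1 is created
        return POLICY_ADDRESS
    if ipaddress.ip_address(src) in LAN:    # route-map ISP (list NAT) -> PAT to outside
        return OUTSIDE_ADDRESS
    return None


def route_map_design(table, src, dst):
    """Suggested config: 'ip nat inside source static ... route-map RM-STATIC-NAT
    extendable' plus 'list 101' PAT. Both create extended entries, keyed on the
    destination as well, so 10.1.0.1 is only used toward 192.168.50.0/24."""
    key = (src, dst)
    if key in table:
        return table[key]
    if is_vpn_flow(src, dst):               # access-list 102 via the route map
        table[key] = POLICY_ADDRESS
    elif ipaddress.ip_address(src) in LAN:  # list 101 denies the VPN flow, permits the LAN
        table[key] = OUTSIDE_ADDRESS
    else:
        return None
    return table[key]


def server_sources(design):
    """Translated source of the server: first toward the VPN subnet, then the Internet
    (both destinations are constructed sample addresses)."""
    table = {}
    return [design(table, SERVER, dst) for dst in ("192.168.50.10", "203.0.113.5")]


if __name__ == "__main__":
    print("pool design     :", server_sources(pool_design))       # 10.1.0.1 for both
    print("route-map design:", server_sources(route_map_design))  # 10.1.0.1, then outside
```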
-
Hello
I configured Easy VPN server on a Cisco 1841 and I get an IP address from the VPN pool, but unfortunately I am not able to access servers or private addresses on the local network, maybe because of NATing.
Please advise?
I have attached the router configuration file.
Kind regards
Alain R.Aljabi
Hello
You need to bypass NAT for the VPN IP address pool. Please follow the URL below, which explains how to work around (static) NAT with a route map. This configuration should get your VPN working.
http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080094634.shtml
Kind regards
Arul
* Please rate helpful posts *
-
asa5512 V8.6 nat web server cannot access
Hi all
asa5512 V8.6 nat web server cannot access.
My home PC can access www.cisco.com, but an external client cannot access my web server inside...
Here is all of my config; I do not know what is wrong.
Thank you for your help.
ciscoasa# show running-config
: Saved
:
ASA Version 8.6(1)2
!
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address XXX1 255.255.255.240
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 description link to 3560 G0/1
 speed 1000
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.1.13 255.255.255.0
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
!
time-range k3used
 absolute start 08:00 01 January 2008
 periodic daily 0:00 to 23:59
 periodic daily 09:00 to 18:00
!
ftp mode passive
clock timezone BeiJing 8
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network obj-192.168.200.0
 subnet 192.168.200.0 255.255.255.0
object network obj-192.168.1.2
 host 192.168.1.2
object network obj-192.168.1.2-01
 host 192.168.1.2
object network obj-192.168.1.19
 host 192.168.1.19
object network obj-192.168.1.20
 host 192.168.1.20
object network obj-192.168.1.88
 host 192.168.1.88
object network obj-192.168.1.1
 host 192.168.1.1
object network obj-192.168.1.2-02
 host 192.168.1.2
object network obj-192.168.1.6
 host 192.168.1.6
object network obj-X.X.X.3
 host X.X.X.3
object service obj-tcp-source-eq-25
 service tcp source eq smtp
object service obj-tcp-source-eq-110
 service tcp source eq pop3
object network obj-X.X.X.10
 host X.X.X.10
object service obj-tcp-source-eq-8086
 service tcp source eq 8086
object service obj-tcp-source-eq-80
 service tcp source eq www
object network obj-192.168.1.1-01
 host 192.168.1.1
object service obj-tcp-source-eq-3389
 service tcp source eq 3389
object service obj-tcp-source-eq-9877
 service tcp source eq 9877
object service obj-tcp-source-eq-21
 service tcp source eq ftp
object service obj-tcp-source-eq-20
 service tcp source eq ftp-data
object network obj-192.168.2.88
 host 192.168.2.88
object network obj-192.168.2.88-01
 host 192.168.2.88
object network obj-192.168.2.88-02
 host 192.168.2.88
object network obj-192.168.1.19-01
 host 192.168.1.19
object network obj-192.168.2.2
 host 192.168.2.2
object network obj-192.168.2.2-01
 host 192.168.2.2
object network obj-192.168.2.2-02
 host 192.168.2.2
object network obj-192.168.3.2
 host 192.168.3.2
object network obj-192.168.3.2-01
 host 192.168.3.2
object network obj-192.168.3.2-02
 host 192.168.3.2
object network obj-X.X.X.9
 host X.X.X.9
object service obj-tcp-source-eq-8087
 service tcp source eq 8087
object network obj-192.168.1.200
 host 192.168.1.200
object network obj-192.168.1.200-01
 host 192.168.1.200
object network obj-192.168.1.30
 host 192.168.1.30
object network obj-192.168.1.30-01
 host 192.168.1.30
object network obj-192.168.1.1-02
 host 192.168.1.1
object network obj-X.X.X.6
 host X.X.X.6
object service obj-tcp-source-eq-8088
 service tcp source eq 8088
object network obj-192.168.3.5
 host 192.168.3.5
object network obj-192.168.3.5-01
 host 192.168.3.5
object network obj-192.168.3.5-02
 host 192.168.3.5
object network obj-192.168.3.5-03
 host 192.168.3.5
object network obj-192.168.3.5-04
 host 192.168.3.5
object network obj-192.168.2.0
 subnet 192.168.2.0 255.255.255.0
object network obj-192.168.3.0
 subnet 192.168.3.0 255.255.255.0
object network obj-192.168.4.0
 subnet 192.168.4.0 255.255.255.0
object network obj-192.168.5.0
 subnet 192.168.5.0 255.255.255.0
object network obj-192.168.6.0
 subnet 192.168.6.0 255.255.255.0
object network obj-192.168.7.0
 subnet 192.168.7.0 255.255.255.0
object network obj-192.168.8.0
 subnet 192.168.8.0 255.255.255.0
access-list vpn_list extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list vpn_list extended permit ip 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 extended deny ip any host 58.215.78.113
access-list 101 extended deny ip any host 61.139.126.81
access-list 101 extended deny ip any host 61.152.94.154
access-list 101 extended permit ip host 192.168.4.2 any
access-list 101 extended permit ip host 192.168.4.3 any
access-list 101 extended permit ip host 192.168.4.4 any
access-list 101 extended permit ip host 192.168.4.5 any
access-list 101 extended permit ip host 192.168.4.7 any
access-list 101 extended permit ip host 192.168.4.8 any
access-list 101 extended permit ip host 192.168.4.9 any
access-list 101 extended permit ip host 192.168.4.10 any
access-list 101 extended permit ip host 192.168.4.11 any
access-list 101 extended permit ip host 192.168.4.12 any
access-list 101 extended permit ip host 192.168.4.13 any
access-list 101 extended permit ip host 192.168.4.14 any
access-list 101 extended permit ip host 192.168.4.15 any
access-list 101 extended permit ip host 192.168.4.16 any
access-list 101 extended permit ip host 192.168.4.18 any
access-list 101 extended permit ip host 192.168.4.19 any
access-list 101 extended permit ip host 192.168.4.20 any
access-list 101 extended permit ip host 192.168.4.180 any
access-list 101 extended deny ip 192.168.4.0 255.255.255.0 any
access-list 101 extended permit ip host 192.168.2.176 any
access-list 101 extended permit icmp any any
access-list 101 extended permit ip host 192.168.2.3 any
access-list 101 extended permit ip host 192.168.2.164 any
access-list 101 extended permit ip host 192.168.2.171 any
access-list 101 extended permit ip host 192.168.2.142 any
access-list 101 extended permit ip host 192.168.2.180 any
access-list 101 extended permit ip host 192.168.2.149 any
access-list 101 extended permit ip host 192.168.2.201 any
access-list 101 extended permit ip host 192.168.2.170 any
access-list 101 extended permit ip host 192.168.2.168 any
access-list 101 extended permit ip host 192.168.2.103 any
access-list 101 extended permit ip host 192.168.2.34 any
access-list 101 extended permit ip host 192.168.2.174 any
access-list 101 extended permit ip host 192.168.2.199 any
access-list 101 extended permit ip host 192.168.2.253 any
access-list 101 extended permit ip host 192.168.2.236 any
access-list 101 extended permit ip host 192.168.2.214 any
access-list 101 extended permit ip host 192.168.2.110 any
access-list 101 extended permit ip host 192.168.2.127 any
access-list 101 extended permit ip host 192.168.2.178 any
access-list 101 extended permit ip host 192.168.2.21 any
access-list 101 extended permit ip host 192.168.2.24 any
access-list 101 extended permit ip host 192.168.2.251 any
access-list 101 extended permit ip host 192.168.2.33 any
access-list 101 extended permit ip host 192.168.2.120 any
access-list 101 extended permit ip host 192.168.2.85 any
access-list 101 extended permit ip host 192.168.2.137 any
access-list 101 extended permit ip host 192.168.2.113 any
access-list 101 extended permit ip host 192.168.2.20 any
access-list 101 extended permit ip host 192.168.2.101 any
access-list 101 extended permit ip host 192.168.2.106 any
access-list 101 extended permit ip host 192.168.2.140 any
access-list 101 extended permit ip host 192.168.2.215 any
access-list 101 extended permit ip host 192.168.2.107 any
access-list 101 extended permit ip host 192.168.2.234 any
access-list 101 extended permit ip host 192.168.2.15 any
access-list 101 extended permit ip host 192.168.2.55 any
access-list 101 extended permit ip host 192.168.2.41 any
access-list 101 extended permit ip host 192.168.2.13 any
access-list 101 extended permit ip host 192.168.2.133 any
access-list 101 extended permit ip host 192.168.2.73 any
access-list 101 extended permit ip host 192.168.2.172 any
access-list 101 extended permit ip host 192.168.2.175 any
access-list 101 extended permit ip host 192.168.2.88 any
access-list 101 extended permit ip host 192.168.2.188 any
access-list 101 extended permit ip host 192.168.2.136 any
access-list 101 extended permit ip host 192.168.2.74 any
access-list 101 extended permit ip host 192.168.2.12 any
access-list 101 extended permit ip host 192.168.2.100 any
access-list 101 extended permit ip host 192.168.2.102 any
access-list 101 extended permit ip host 192.168.2.152 any
access-list 101 extended permit ip host 192.168.2.4 any
access-list 101 extended permit ip host 192.168.2.5 any
access-list 101 extended permit ip host 192.168.2.6 any
access-list 101 extended permit ip host 192.168.2.14 any
access-list 101 extended permit ip host 192.168.2.19 any
access-list 101 extended permit ip host 192.168.2.16 any
access-list 101 extended permit ip host 192.168.2.17 any
access-list 101 extended permit ip host 192.168.2.18 any
access-list 101 extended permit ip host 192.168.2.22 any
access-list 101 extended permit ip host 192.168.2.23 any
access-list 101 extended permit ip host 192.168.2.115 any
access-list 101 extended permit ip host 192.168.2.116 any
access-list 101 extended permit ip host 192.168.2.117 any
access-list 101 extended permit ip host 192.168.2.118 any
access-list 101 extended permit ip host 192.168.2.119 any
access-list 101 extended permit ip host 192.168.2.150 any
access-list 101 extended permit ip host 192.168.2.128 any
access-list 101 extended deny ip 192.168.2.0 255.255.255.0 any
access-list 101 extended permit ip host 192.168.3.2 any
access-list 101 extended permit ip host 192.168.3.3 any
access-list 101 extended permit ip host 192.168.3.4 any
access-list 101 extended permit ip host 192.168.3.5 any
access-list 101 extended permit ip host 192.168.3.6 any
access-list 101 extended permit ip host 192.168.3.7 any
access-list 101 extended permit ip host 192.168.3.8 any
access-list 101 extended permit ip host 192.168.3.9 any
access-list 101 extended permit ip host 192.168.3.10 any
access-list 101 extended permit ip host 192.168.3.11 any
access-list 101 extended permit ip host 192.168.3.12 any
access-list 101 extended permit ip host 192.168.3.13 any
access-list 101 extended permit ip host 192.168.3.14 any
access-list 101 extended permit ip host 192.168.3.15 any
access-list 101 extended permit ip host 192.168.3.16 any
access-list 101 extended permit ip host 192.168.3.17 any
access-list 101 extended permit ip host 192.168.3.18 any
access-list 101 extended permit ip host 192.168.3.19 any
access-list 101 extended permit ip host 192.168.3.20 any
access-list 101 extended permit ip host 192.168.3.21 any
access-list 101 extended permit ip host 192.168.3.22 any
access-list 101 extended permit ip host 192.168.3.23 any
access-list 101 extended permit ip host 192.168.3.24 any
access-list 101 extended permit ip host 192.168.3.25 any
access-list 101 extended permit ip host 192.168.3.26 any
access-list 101 extended permit ip host 192.168.3.27 any
access-list 101 extended permit ip host 192.168.3.28 any
access-list 101 extended permit ip host 192.168.3.29 any
access-list 101 extended permit ip host 192.168.3.30 any
access-list 101 extended permit ip host 192.168.3.31 any
access-list 101 extended permit ip host 192.168.3.32 any
access-list 101 extended permit ip host 192.168.3.33 any
access-list 101 extended permit ip host 192.168.3.34 any
access-list 101 extended permit ip host 192.168.3.35 any
access-list 101 extended permit ip host 192.168.3.36 any
access-list 101 extended permit ip host 192.168.3.37 any
access-list 101 extended permit ip host 192.168.3.38 any
access-list 101 extended permit ip host 192.168.3.39 any
access-list 101 extended permit ip host 192.168.3.40 any
access-list 101 extended permit ip host 192.168.3.41 any
access-list 101 extended permit ip host 192.168.3.42 any
access-list 101 extended permit ip host 192.168.3.43 any
access-list 101 extended permit ip host 192.168.3.86 any
access-list 101 extended permit ip host 192.168.3.88 any
access-list 101 extended permit ip host 192.168.3.89 any
access-list 101 extended permit ip host 192.168.3.56 any
access-list 101 extended permit ip host 192.168.3.55 any
access-list 101 extended permit ip host 192.168.3.96 any
access-list 101 extended permit ip host 192.168.3.97 any
access-list 101 extended permit ip host 192.168.3.98 any
access-list 101 extended permit ip host 192.168.3.116 any
access-list 101 extended permit ip host 192.168.3.111 any
access-list 101 extended permit ip host 192.168.3.175 any
access-list 101 extended permit ip host 192.168.3.176 any
access-list 101 extended permit ip host 192.168.3.201 any
access-list 101 extended permit ip host 192.168.3.202 any
access-list 101 extended permit ip host 192.168.3.203 any
access-list 101 extended permit ip host 192.168.3.204 any
access-list 101 extended permit ip host 192.168.3.205 any
access-list 101 extended permit ip host 192.168.3.206 any
access-list 101 extended permit ip host 192.168.3.207 any
access-list 101 extended permit ip host 192.168.3.208 any
access-list 101 extended permit ip host 192.168.3.209 any
access-list 101 extended permit ip host 192.168.3.210 any
access-list 101 extended permit ip host 192.168.3.213 any
access-list 101 extended permit ip host 192.168.3.214 any
access-list 101 extended permit ip host 192.168.3.215 any
access-list 101 extended permit ip host 192.168.3.101 any
access-list 101 extended permit ip host 192.168.3.102 any
access-list 101 extended permit ip host 192.168.3.103 any
access-list 101 extended permit ip host 192.168.3.106 any
access-list 101 extended permit ip host 192.168.3.107 any
access-list 101 extended permit ip host 192.168.3.152 any
access-list 101 extended permit ip host 192.168.3.151 any
access-list 101 extended permit ip host 192.168.3.153 any
access-list 101 extended permit ip host 192.168.3.195 any
access-list 101 extended permit ip host 192.168.3.45 any
access-list 101 extended permit ip host 192.168.3.46 any
access-list 101 extended permit ip host 192.168.3.199 any
access-list 101 extended permit ip host 192.168.3.157 any
access-list 101 extended deny ip 192.168.3.0 255.255.255.0 any
access-list 101 extended permit tcp any any
access-list 101 extended permit ip any any
access-list vpnclient_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list 2 extended permit ip 192.168.2.0 255.255.255.0 any
access-list 3 extended permit ip 192.168.3.0 255.255.255.0 any
access-list 4 extended permit ip 192.168.4.0 255.255.255.0 any
access-list 500k extended permit ip host XXX1 any
access-list 500k extended permit icmp host XXX1 any
access-list 102 extended permit ip host 192.168.1.6 any
access-list 100 extended permit tcp any host 192.168.1.1 eq www
access-list 100 extended permit tcp any host 192.168.1.1 eq 8080
access-list 100 extended permit tcp any host X.X.X.4
access-list 100 extended permit ip any host X.X.X.4
access-list 100 extended permit icmp any host X.X.X.4
access-list 100 extended permit tcp any host 192.168.1.6 eq smtp
access-list 100 extended permit tcp any host 192.168.1.6 eq pop3
access-list 100 extended permit tcp any host 192.168.1.6 eq www
access-list 100 extended permit tcp any host 192.168.1.6
access-list 100 extended permit ip any host 192.168.1.6
access-list 100 extended permit icmp any host 192.168.1.6
access-list 100 extended permit tcp any host 192.168.1.19 eq 3389
access-list 100 extended permit tcp any host 192.168.1.20 eq 3389
access-list 100 extended permit tcp any host 192.168.1.88 eq 3389
access-list 100 extended permit tcp any host X.X.X.12
access-list 100 extended permit ip any host X.X.X.12
access-list 100 extended permit icmp any host X.X.X.12
access-list 100 extended permit tcp any host 192.168.1.6 eq 8086
access-list 100 extended permit tcp any host 192.168.1.1 eq 3389
access-list 100 extended permit tcp any host 192.168.1.6 eq 3389
access-list 100 extended permit tcp any host 192.168.1.6 eq ftp
access-list 100 extended permit tcp any host 192.168.1.6 eq ftp-data
access-list 100 extended permit tcp any host 192.168.2.88 eq 3389
access-list 100 extended permit tcp any host 192.168.2.88 eq 12172
access-list 100 extended permit tcp any host 192.168.2.2 eq 3389
access-list 100 extended permit tcp any host 192.168.2.2 eq 9116
access-list 100 extended permit tcp any host 192.168.3.2 eq 25243
access-list 100 extended permit tcp any host 192.168.3.2 eq 3389
access-list 100 extended permit tcp any host 192.168.1.200 eq www
access-list 100 extended permit tcp any host 192.168.1.200 eq 12001
access-list 100 extended permit tcp any host 192.168.1.30 eq 3389
access-list 100 extended permit tcp any host 192.168.3.5 eq 4160
access-list 100 extended permit tcp any host 192.168.3.5 eq 11111
access-list 100 extended permit tcp any host 192.168.3.5 eq 3389
access-list 100 extended permit tcp any host X.X.X.10
access-list 100 extended permit udp any host 192.168.2.88 eq 12172
access-list 100 extended permit udp any host 192.168.2.2 eq 9116
access-list 100 extended permit udp any host 192.168.3.2 eq 25243
access-list 100 extended permit udp any host 192.168.3.5 eq 4170
access-list 100 extended permit udp any host 192.168.3.5 eq 11111
access-list 100 extended permit ip any host X.X.X.10
access-list 100 extended permit tcp any host 192.168.1.6 eq 8087
access-list 100 extended permit tcp any host X.X.X.9
access-list 100 extended permit ip any host X.X.X.9
access-list 100 extended permit tcp any host 192.168.1.30 eq www
access-list 100 extended permit tcp any host X.X.X.5
access-list 100 extended permit ip any host X.X.X.5
access-list 100 extended permit icmp any any
access-list 100 extended permit tcp any host 192.168.1.6 eq 8088
access-list 100 extended permit ip any host X.X.X.6
access-list 100 extended permit tcp any host X.X.X.6
access-list 100 extended permit tcp host 61.186.169.129 host 192.168.1.2 eq 5872 time-range k3used
access-list 100 extended permit tcp host 61.186.169.129 host 192.168.1.2 eq 8088 time-range k3used
access-list 100 extended permit tcp host 61.186.169.129 host 192.168.1.2 eq 3389 time-range k3used
access-list 100 extended permit tcp host 61.186.169.129 host 192.168.1.19 eq www time-range k3used
access-list 100 extended permit tcp host 61.186.169.129 host X.X.X.2 time-range k3used
access-list 100 extended permit tcp host 61.186.169.130 host 192.168.1.2 eq 5872 time-range k3used
access-list 100 extended permit tcp host 61.186.169.130 host 192.168.1.2 eq 8088 time-range k3used
access-list 100 extended permit tcp host 61.186.169.130 host 192.168.1.2 eq 3389 time-range k3used
access-list 100 extended permit tcp host 61.186.169.130 host 192.168.1.19 eq www time-range k3used
access-list 100 extended permit tcp host 61.186.169.130 host X.X.X.2 time-range k3used
access-list 100 extended permit tcp host 61.186.169.131 host 192.168.1.2 eq 5872 time-range k3used
access-list 100 extended permit tcp host 61.186.169.131 host 192.168.1.2 eq 8088 time-range k3used
access-list 100 extended permit tcp host 61.186.169.131 host 192.168.1.2 eq 3389 time-range k3used
access-list 100 extended permit tcp host 61.186.169.131 host 192.168.1.19 eq www time-range k3used
access-list 100 extended permit tcp host 61.186.169.131 host X.X.X.2 time-range k3used
access-list 100 extended permit tcp host 61.186.169.132 host 192.168.1.2 eq 5872 time-range k3used
access-list 100 extended permit tcp host 61.186.169.132 host 192.168.1.2 eq 8088 time-range k3used
access-list 100 extended permit tcp host 61.186.169.132 host 192.168.1.2 eq 3389 time-range k3used
access-list 100 extended permit tcp host 61.186.169.132 host 192.168.1.19 eq www time-range k3used
access-list 100 extended permit tcp host 61.186.169.132 host X.X.X.2 time-range k3used
access-list 100 extended permit tcp host 61.186.169.133 host 192.168.1.2 eq 5872 time-range k3used
access-list 100 extended permit tcp host 61.186.169.133 host 192.168.1.2 eq 8088 time-range k3used
access-list 100 extended permit tcp host 61.186.169.133 host 192.168.1.2 eq 3389 time-range k3used
access-list 100 extended permit tcp host 61.186.169.133 host 192.168.1.19 eq www time-range k3used
access-list 100 extended permit tcp host 61.186.169.133 host X.X.X.2 time-range k3used
access-list 100 extended permit ip host 61.186.169.129 host X.X.X.2 time-range k3used
access-list 100 extended permit ip host 61.186.169.130 host X.X.X.2 time-range k3used
access-list 100 extended permit ip host 61.186.169.131 host X.X.X.2 time-range k3used
access-list 100 extended permit ip host 61.186.169.132 host X.X.X.2 time-range k3used
access-list 100 extended permit ip host 61.186.169.133 host X.X.X.2 time-range k3used
access-list 100 extended permit icmp host 61.186.169.129 host X.X.X.2 time-range k3used
access-list 100 extended permit icmp host 61.186.169.130 host X.X.X.2 time-range k3used
access-list 100 extended permit icmp host 61.186.169.131 host X.X.X.2 time-range k3used
access-list 100 extended permit icmp host 61.186.169.132 host X.X.X.2 time-range k3used
access-list 100 extended permit icmp host 61.186.169.133 host X.X.X.2 time-range k3used
access-list 100 extended permit tcp host 183.64.106.194 host 192.168.1.2 eq 5872 time-range k3used
access-list 100 extended permit tcp host 183.64.106.194 host 192.168.1.2 eq 8088 time-range k3used
access-list 100 extended permit tcp host 183.64.106.194 host 192.168.1.2 eq 3389 time-range k3used
access-list 100 extended permit tcp host 183.64.106.194 host 192.168.1.19 eq www time-range k3used
access-list 100 extended permit tcp host 183.64.106.194 host X.X.X.2 time-range k3used
access-list 100 extended permit ip host 183.64.106.194 host X.X.X.2 time-range k3used
access-list 100 extended permit icmp host 183.64.106.194 host X.X.X.2 time-range k3used
access-list 100 extended permit tcp host 183.64.106.195 host 192.168.1.2 eq 5872 time-range k3used
access-list 100 extended permit tcp host 183.64.106.195 host 192.168.1.2 eq 8088 time-range k3used
access-list 100 extended permit tcp host 183.64.106.195 host 192.168.1.2 eq 3389 time-range k3used
access-list 100 extended permit tcp host 183.64.106.195 host 192.168.1.19 eq www time-range k3used
access-list 100 extended permit tcp host 183.64.106.195 host X.X.X.2 time-range k3used
access-list 100 extended permit ip host 183.64.106.195 host X.X.X.2 time-range k3used
access-list 100 extended permit icmp host 183.64.106.195 host X.X.X.2 time-range k3used
access list extended 100 permit tcp host 14.107.162.32 host 192.168.1.2 eq 5872 times-range k3used
access list extended 100 permit tcp host 14.107.162.32 host 192.168.1.2 eq 8088 times-range k3used
access list extended 100 permit tcp host 14.107.162.32 host 192.168.1.2 eq 3389 times-range k3used
allowed extended access list 100 tcp host 14.107.162.32 host 192.168.1.19 eq www time-range k3used
access-list extended 100 permit tcp host 14.107.162.32 X.X.X.2 time-range k3used
access-list extended 100 permit ip host 14.107.162.32 X.X.X.2 time-range k3used
access-list extended 100 permit icmp host 14.107.162.32 X.X.X.2 time-range k3used
access list extended 100 permit tcp host 14.107.247.121 host 192.168.1.2 eq 5872 times-range k3used
access list extended 100 permit tcp host 14.107.247.121 host 192.168.1.2 eq 8088 times-range k3used
access list extended 100 permit tcp host 14.107.247.121 host 192.168.1.2 eq 3389 times-range k3used
allowed extended access list 100 tcp host 14.107.247.121 host 192.168.1.19 eq www time-range k3used
access-list extended 100 permit tcp host 14.107.247.121 X.X.X.2 time-range k3used
access-list extended 100 permit ip host 14.107.247.121 X.X.X.2 time-range k3used
access-list extended 100 permit icmp host 14.107.247.121 X.X.X.2 time-range k3used
access list extended 100 permit tcp host 61.128.208.106 host 192.168.1.2 eq 5872 times-range k3used
access list extended 100 permit tcp host 61.128.208.106 host 192.168.1.2 eq 8088 times-range k3used
access list extended 100 permit tcp host 61.128.208.106 host 192.168.1.2 eq 3389 times-range k3used
allowed extended access list 100 tcp host 61.128.208.106 host 192.168.1.19 eq www time-range k3used
access-list extended 100 permit tcp host 61.128.208.106 X.X.X.2 time-range k3used
access-list extended 100 permit ip host 61.128.208.106 X.X.X.2 time-range k3used
access-list extended 100 permit icmp host 61.128.208.106 X.X.X.2 time-range k3used
access-list 100 extended tcp refuse any host 192.168.1.2 eq 5872
access-list 100 extended tcp refuse any host 192.168.1.2 eq 8088
access-list 100 extended tcp refuse any host 192.168.1.2 eq 3389
access-list 100 extended tcp refuse any host 192.168.1.19 eq www
access-list 100 extended tcp refuse any host X.X.X.2
access-list extended 100 deny ip any host X.X.X.2
access-list extended 100 refuse icmp any host X.X.X.2
pager lines 24
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpn_pool 192.168.200.1-192.168.200.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.200.0 obj-192.168.200.0 no-proxy-arp
nat (inside,any) source static obj-192.168.200.0 obj-192.168.200.0 destination static obj-192.168.1.0 obj-192.168.1.0 no-proxy-arp
nat (inside,outside) source static obj-192.168.1.6 obj-X.X.X.3 service obj-tcp-source-eq-25 obj-tcp-source-eq-25
nat (inside,outside) source static obj-192.168.1.6 obj-X.X.X.3 service obj-tcp-source-eq-110 obj-tcp-source-eq-110
nat (inside,outside) source static obj-192.168.1.6 obj-X.X.X.10 service obj-tcp-source-eq-8086 obj-tcp-source-eq-80
nat (inside,outside) source static obj-192.168.1.6 obj-X.X.X.10 service obj-tcp-source-eq-3389 obj-tcp-source-eq-9877
nat (inside,outside) source static obj-192.168.1.6 obj-X.X.X.10 service obj-tcp-source-eq-21 obj-tcp-source-eq-21
nat (inside,outside) source static obj-192.168.1.6 obj-X.X.X.10 service obj-tcp-source-eq-20 obj-tcp-source-eq-20
nat (inside,outside) source static obj-192.168.1.6 obj-X.X.X.9 service obj-tcp-source-eq-8087 obj-tcp-source-eq-80
nat (inside,outside) source static obj-192.168.1.6 obj-X.X.X.6 service obj-tcp-source-eq-8088 obj-tcp-source-eq-80
nat (inside,outside) source static obj-192.168.1.6 obj-X.X.X.3 service obj-tcp-source-eq-80 obj-tcp-source-eq-80
nat (inside,outside) source dynamic obj-192.168.1.6 obj-X.X.X.3
!
object network obj-192.168.1.0
 nat (inside,outside) dynamic interface
object network obj-192.168.200.0
 nat (inside,outside) dynamic interface
object network obj-192.168.1.2
 nat (inside,outside) static X.X.X.2 service tcp 5872 5872
object network obj-192.168.1.2-01
 nat (inside,outside) static X.X.X.2 service tcp 8088 8088
object network obj-192.168.1.19
 nat (inside,outside) static X.X.X.12 service tcp 3389 8001
object network obj-192.168.1.20
 nat (inside,outside) static X.X.X.12 service tcp 3389 8002
object network obj-192.168.1.88
 nat (inside,outside) static X.X.X.12 service tcp 3389 12345
object network obj-192.168.1.1
 nat (inside,outside) static X.X.X.4 service tcp www www
object network obj-192.168.1.2-02
 nat (inside,outside) static X.X.X.2 service tcp 3389 8005
object network obj-192.168.1.1-01
 nat (inside,outside) static X.X.X.10 service tcp 3389 9876
object network obj-192.168.2.88
 nat (inside,outside) static X.X.X.10 service tcp 3389 3129
object network obj-192.168.2.88-01
 nat (inside,outside) static X.X.X.10 service tcp 12172 12172
object network obj-192.168.2.88-02
 nat (inside,outside) static X.X.X.10 service udp 12172 12172
object network obj-192.168.1.19-01
 nat (inside,outside) static X.X.X.2 service tcp www 8056
object network obj-192.168.2.2
 nat (inside,outside) static X.X.X.10 service tcp 3389 3128
object network obj-192.168.2.2-01
 nat (inside,outside) static X.X.X.10 service tcp 9116 9116
object network obj-192.168.2.2-02
 nat (inside,outside) static X.X.X.10 service udp 9116 9116
object network obj-192.168.3.2
 nat (inside,outside) static X.X.X.10 service tcp 25243 25243
object network obj-192.168.3.2-01
 nat (inside,outside) static X.X.X.10 service udp 25243 25243
object network obj-192.168.3.2-02
 nat (inside,outside) static X.X.X.10 service tcp 3389 3130
object network obj-192.168.1.200
 nat (inside,outside) static X.X.X.10 service tcp www 1114
object network obj-192.168.1.200-01
 nat (inside,outside) static X.X.X.10 service tcp 12001 12001
object network obj-192.168.1.30
 nat (inside,outside) static X.X.X.5 service tcp www www
object network obj-192.168.1.30-01
 nat (inside,outside) static X.X.X.10 service tcp 3389 9878
object network obj-192.168.1.1-02
 nat (inside,outside) static X.X.X.4 service tcp 8080 8080
object network obj-192.168.3.5
 nat (inside,outside) static X.X.X.10 service tcp 4160 4160
object network obj-192.168.3.5-01
 nat (inside,outside) static X.X.X.10 service udp 4170 4170
object network obj-192.168.3.5-02
 nat (inside,outside) static X.X.X.10 service tcp 11111 11111
object network obj-192.168.3.5-03
 nat (inside,outside) static X.X.X.10 service tcp 3389 3127
object network obj-192.168.3.5-04
 nat (inside,outside) static X.X.X.10 service udp 11111 11111
object network obj-192.168.2.0
 nat (inside,outside) dynamic interface
object network obj-192.168.3.0
 nat (inside,outside) dynamic interface
object network obj-192.168.4.0
 nat (inside,outside) dynamic interface
object network obj-192.168.5.0
 nat (inside,outside) dynamic interface
object network obj-192.168.6.0
 nat (inside,outside) dynamic interface
object network obj-192.168.7.0
 nat (inside,outside) dynamic interface
object network obj-192.168.8.0
 nat (inside,outside) dynamic interface
access-group 100 in interface outside
access-group 101 in interface inside
route outside 0.0.0.0 0.0.0.0 X.X.X.14 1
route inside 192.168.2.0 255.255.255.0 192.168.1.12 1
route inside 192.168.3.0 255.255.255.0 192.168.1.12 1
route inside 192.168.4.0 255.255.255.0 192.168.1.12 1
route inside 192.168.5.0 255.255.255.0 192.168.1.12 1
route inside 192.168.6.0 255.255.255.0 192.168.1.12 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set vpn_set esp-des esp-md5-hmac
crypto dynamic-map vpn_map 10 set ikev1 transform-set vpn_set
crypto dynamic-map vpn_map 10 set reverse-route
crypto map vpnmap 10 ipsec-isakmp dynamic vpn_map
crypto map vpnmap interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
ssh version 1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.43.244.18
group-policy vpnclient internal
group-policy vpnclient attributes
 dns-server value 61.128.128.68
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnclient_splitTunnelAcl
username cisco password 3USUcOPFUiMCO4Jk encrypted
tunnel-group vpn_group type remote-access
tunnel-group vpn_group general-attributes
 address-pool vpn_pool
 default-group-policy vpnclient
tunnel-group vpn_group ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map 500k
 match access-list 500k
class-map inspection_default
 match default-inspection-traffic
class-map 2
 match access-list 2
class-map 3
 match access-list 3
class-map 4
 match access-list 4
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
policy-map 500k
 class 500k
policy-map 2
 class 2
 class 3
 class 4
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 13
  subscribe-to-alert-group configuration periodic monthly 13
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ecead54d7c85807eb47c7cdaf7d7e82a
: end
Hello
Did you change the source IP address in the command I suggested?
There is no reason to use the 192.168.1.1 IP address as the source of this "packet-tracer" command, as the source will NEVER be this IP address, because it is a private IP that is not routable on the public Internet.
So you could try with the command I suggested:
packet-tracer input outside tcp 1.1.1.1 12345 61.186.236.4 80
I guess the above command / test failed because you were using the real server IP address as the source IP for the test.
- Jouni
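A few things in the configuration posted above would be flagged in any review: SSH is accepted from 0.0.0.0/0 on the outside interface while `ssh version 1` is still enabled, telnet is permitted from any inside address, IKEv1 policy 1 and the vpn_set transform set use DES with MD5, and ACL 100 repeats the same five permits for every remote host. The script below is an added example (not the poster's configuration and not Cisco code): it audits a config excerpt for those patterns and collapses the per-host permits into an object-group. The excerpt is a constructed subset of the posted config, and the object-group naming scheme (`acl100_src_1`) and finding texts are assumptions of the example.

```python
"""Audit a Cisco ASA running-config excerpt for weak remote-management and IKEv1
settings, and collapse per-host ACEs into object-groups.

Added example for this thread; not the poster's or Cisco's code.
"""
import re
from collections import defaultdict

# Constructed excerpt modelled on the config posted above (not the full config).
SAMPLE_CONFIG = """\
access-list 100 extended permit tcp host 61.186.169.130 host 192.168.1.2 eq 3389 time-range k3used
access-list 100 extended permit tcp host 61.186.169.131 host 192.168.1.2 eq 3389 time-range k3used
access-list 100 extended permit tcp host 183.64.106.194 host 192.168.1.2 eq 3389 time-range k3used
access-list 100 extended permit tcp host 61.186.169.130 host 192.168.1.19 eq www time-range k3used
access-list 100 extended deny tcp any host 192.168.1.2 eq 3389
crypto ipsec ikev1 transform-set vpn_set esp-des esp-md5-hmac
crypto ikev1 policy 1
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
ssh version 1
"""

WEAK_ENC = {"des": "56-bit key", "3des": "64-bit block, Sweet32"}
WEAK_HASH = {"md5": "MD5"}
MGMT_RE = re.compile(r"(ssh|telnet) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
ACE_RE = re.compile(
    r"access-list (\S+) extended permit (\S+) host (\S+) host (\S+) eq (\S+)"
    r"(?: time-range (\S+))?$")


def audit_management(lines):
    """Flag management access from any source, cleartext telnet and SSHv1."""
    findings = []
    for line in lines:
        m = MGMT_RE.match(line)
        if m:
            proto, addr, mask, iface = m.groups()
            if addr == "0.0.0.0" and mask == "0.0.0.0":
                findings.append(f"{proto} accepted from any source on '{iface}'")
            elif proto == "telnet":
                findings.append(f"cleartext telnet from {addr} {mask} on '{iface}'")
        elif line == "ssh version 1":
            findings.append("ssh version 1 enabled; use 'ssh version 2'")
    return findings


def audit_ikev1(lines):
    """Walk 'crypto ikev1 policy N' blocks and ikev1 transform-sets for DES/3DES/MD5."""
    findings = []
    policy = None
    for line in lines:
        m = re.match(r"crypto ikev1 policy (\d+)$", line)
        if m:
            policy = m.group(1)
            continue
        if policy is not None and line.startswith(" "):
            key, _, val = line.strip().partition(" ")
            if key == "encryption" and val in WEAK_ENC:
                findings.append(f"ikev1 policy {policy}: encryption {val} ({WEAK_ENC[val]})")
            elif key == "hash" and val in WEAK_HASH:
                findings.append(f"ikev1 policy {policy}: hash {val}")
            continue
        policy = None  # any non-indented line ends the policy block
        m = re.match(r"crypto ipsec ikev1 transform-set (\S+) (.+)$", line)
        if m:
            name, algs = m.group(1), m.group(2).split()
            for alg in algs:
                if alg in ("esp-des", "esp-3des", "esp-md5-hmac"):
                    findings.append(f"transform-set {name}: {alg}")
    return findings


def collapse_host_aces(lines):
    """Group 'permit <proto> host A host B eq P' ACEs that differ only in the source host.

    Returns {(acl, proto, dst, port, time_range): [sources]} for groups with more than one member.
    """
    groups = defaultdict(list)
    for line in lines:
        m = ACE_RE.match(line)
        if m:
            acl, proto, src, dst, port, time_range = m.groups()
            groups[(acl, proto, dst, port, time_range)].append(src)
    return {k: v for k, v in groups.items() if len(v) > 1}


def render_object_groups(groups):
    """Emit one object-group per collapsed group plus the single ACE that replaces them."""
    out = []
    ordered = sorted(groups.items(), key=lambda kv: tuple(x or "" for x in kv[0]))
    for i, ((acl, proto, dst, port, time_range), srcs) in enumerate(ordered, 1):
        name = f"acl{acl}_src_{i}"  # naming scheme assumed for the example
        out.append(f"object-group network {name}")
        out.extend(f" network-object host {s}" for s in srcs)
        ace = f"access-list {acl} extended permit {proto} object-group {name} host {dst} eq {port}"
        out.append(ace + (f" time-range {time_range}" if time_range else ""))
    return out


if __name__ == "__main__":
    cfg = SAMPLE_CONFIG.splitlines()
    for f in audit_management(cfg) + audit_ikev1(cfg):
        print("FINDING:", f)
    print("\n".join(render_object_groups(collapse_host_aces(cfg))))
```

Run against the excerpt it reports the open SSH/telnet sources, SSHv1, DES/MD5 in policy 1 and the transform set, and 3DES in policy 65535, then prints one object-group that replaces the three identical 3389 permits. The ACL's trailing explicit denies are left alone: on the ASA the implicit deny already covers them, so they only matter if the admin wants hit counters for them.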
-
PlayBook & Cisco Easy VPN Server 831
I don't seem to be able to connect to my Cisco 831 router, configured as an Easy VPN server, using my BlackBerry PlayBook. Looking at the router console I can see the debugging but don't know what it means. I have attached the debugging as well as pasted my setup; if someone is able to help me at all it would be much appreciated. Thank you very much.
Current configuration : 2574 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
enable secret 5 $1$FM71$y4ejS2icnqX79b9gD92E81
enable password xxxx
!
username CRWS_Ritesh privilege 15 password 0 $1$W1fA$o1oSEpa163775446
username shamilton privilege 15 secret 5 $1$wFLF$8eRxnrrgVHMXXC0bXdEGi1
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa session-id common
ip subnet-zero
no ip routing
!
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp xauth timeout 15
!
crypto isakmp client configuration group ciscogroup
 key 0 (deleted)
 dns 172.16.60.246 172.16.60.237
 pool SDM_POOL_3
 acl 100
 save-password
 include-local-lan
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list ciscocp_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list ciscocp_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
!
interface Ethernet0
 ip address 172.16.60.241 255.255.255.0
 ip nat inside
 no ip route-cache
!
interface Ethernet1
 ip address dhcp
 ip nat outside
 no ip route-cache
 duplex auto
 crypto map SDM_CMAP_1
!
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
ip local pool SDM_POOL_1 172.16.60.190 172.16.60.199
ip local pool SDM_POOL_2 192.168.1.1 192.168.1.100
ip local pool SDM_POOL_3 172.16.61.100 172.16.61.150
ip nat inside source route-map SDM_RMAP_1 interface Ethernet1 overload
ip classless
!
ip http server
no ip http secure-server
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 172.16.60.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 172.16.60.0 0.0.0.255 any
snmp-server community public RO
snmp-server enable traps tty
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 120 0
 password xxxxx
 length 0
!
scheduler max-task-time 5000
!
end
Stace,
*Mar 1 06:40:15.258: ISAKMP: transform 1, ESP_AES
*Mar 1 06:40:15.258: ISAKMP: attributes in transform:
*Mar 1 06:40:15.262: ISAKMP: SA life type in seconds
*Mar 1 06:40:15.262: ISAKMP: SA life duration (basic) of 10800
*Mar 1 06:40:15.262: ISAKMP: encaps is 61443
*Mar 1 06:40:15.262: ISAKMP: key length is 256
*Mar 1 06:40:15.262: ISAKMP: authenticator is HMAC-SHA
*Mar 1 06:40:15.262: ISAKMP (0:14): atts are acceptable.
*Mar 1 06:40:15.262: ISAKMP (0:14): IPSec policy invalidated proposal
*Mar 1 06:40:15.262: ISAKMP (0:14): phase 2 SA policy not acceptable! (local 14
The other end offers an AES-256 / SHA IPsec transform set.
While you have configured:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
Suggestion:
Add a new transform set and apply it under the crypto map.
HTH,
Marcin
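The mismatch Marcin identifies can be checked mechanically from the debug output alone. The script below is an added example, not code from the poster or from Cisco: it pulls the peer's phase-2 proposal out of `debug crypto isakmp` lines (a constructed excerpt of the lines quoted above), maps the ISAKMP attribute names to IOS transform-set keywords (the mapping table is an assumption that covers only DES/3DES/AES with HMAC-SHA/HMAC-MD5), compares with the transform-sets in the config and prints the `crypto ipsec transform-set` and `set transform-set` lines that would accept the proposal. The name ESP-PEER-1 and the default dynamic-map arguments are made up for the example.

```python
"""Compare the IPsec phase-2 transform a peer proposed (from 'debug crypto isakmp')
with the transform-sets in an IOS config, and print the lines needed to accept it.

Added example for this thread; not the poster's or Cisco's code.
"""
import re

# Constructed excerpt modelled on the debug lines posted above.
DEBUG = """\
*Mar  1 06:40:15.258: ISAKMP: transform 1, ESP_AES
*Mar  1 06:40:15.258: ISAKMP:   attributes in transform:
*Mar  1 06:40:15.262: ISAKMP:      SA life type in seconds
*Mar  1 06:40:15.262: ISAKMP:      SA life duration (basic) of 10800
*Mar  1 06:40:15.262: ISAKMP:      encaps is 61443
*Mar  1 06:40:15.262: ISAKMP:      key length is 256
*Mar  1 06:40:15.262: ISAKMP:      authenticator is HMAC-SHA
*Mar  1 06:40:15.262: ISAKMP (0:14): atts are acceptable.
*Mar  1 06:40:15.262: ISAKMP (0:14): IPSec policy invalidated proposal
*Mar  1 06:40:15.262: ISAKMP (0:14): phase 2 SA policy not acceptable!
"""

CONFIG = "crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac\n"

# ISAKMP transform name + key length -> IOS transform-set keyword. Assumed table: it covers
# only the ciphers and authenticators relevant to this thread.
ESP_NAMES = {
    ("ESP_DES", None): "esp-des",
    ("ESP_3DES", None): "esp-3des",
    ("ESP_AES", 128): "esp-aes",
    ("ESP_AES", 192): "esp-aes 192",
    ("ESP_AES", 256): "esp-aes 256",
}
AUTH_NAMES = {"HMAC-SHA": "esp-sha-hmac", "HMAC-MD5": "esp-md5-hmac"}


def parse_proposals(debug):
    """One dict per 'ISAKMP: transform N, <name>' block with its key length and authenticator."""
    proposals = []
    for line in debug.splitlines():
        m = re.search(r"ISAKMP: transform \d+, (\S+)", line)
        if m:
            proposals.append({"transform": m.group(1), "keylen": None, "auth": None, "nat_t": False})
            continue
        if not proposals:
            continue
        m = re.search(r"key length is (\d+)", line)
        if m:
            proposals[-1]["keylen"] = int(m.group(1))
            continue
        m = re.search(r"authenticator is (\S+)", line)
        if m:
            proposals[-1]["auth"] = m.group(1)
        elif "encaps is 61443" in line:
            # 61443 is the draft NAT-T "UDP-encapsulated tunnel" mode: the peer sits behind NAT.
            proposals[-1]["nat_t"] = True
    return proposals


def proposal_to_ios(p):
    """Map a parsed proposal to (encryption, authenticator) in IOS transform-set syntax."""
    enc = ESP_NAMES.get((p["transform"], p["keylen"]))
    auth = AUTH_NAMES.get(p["auth"])
    return (enc, auth) if enc and auth else None


def configured_transform_sets(config):
    """{name: (encryption, authenticator)} for every 'crypto ipsec transform-set' line."""
    sets = {}
    for line in config.splitlines():
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line.strip())
        if m:
            enc, auth = [], None
            for tok in m.group(2).split():
                if tok.endswith("-hmac"):
                    auth = tok
                else:
                    enc.append(tok)  # keeps 'esp-aes' and '256' together
            sets[m.group(1)] = (" ".join(enc), auth)
    return sets


def find_mismatch(debug, config):
    """Return (offered, missing): proposals in IOS terms, and those no transform-set covers."""
    offered = [t for t in (proposal_to_ios(p) for p in parse_proposals(debug)) if t]
    have = set(configured_transform_sets(config).values())
    return offered, [t for t in offered if t not in have]


def suggest_fix(missing, dynmap="SDM_DYNMAP_1", seq=1, keep=("ESP-3DES-SHA",)):
    """New transform-set lines plus the dynamic-map entry listing them next to the existing ones."""
    names = [f"ESP-PEER-{i}" for i, _ in enumerate(missing, 1)]  # names made up for the example
    lines = [f"crypto ipsec transform-set {n} {enc} {auth}" for n, (enc, auth) in zip(names, missing)]
    if names:
        lines += [f"crypto dynamic-map {dynmap} {seq}",
                  " set transform-set " + " ".join(list(keep) + names)]
    return lines


if __name__ == "__main__":
    offered, missing = find_mismatch(DEBUG, CONFIG)
    print("peer offered:", offered)
    print("not configured:", missing)
    print("\n".join(suggest_fix(missing)))
```

The "atts are acceptable" line followed by "IPSec policy invalidated proposal" is the signature of this failure class: the attributes parse fine, but no transform-set on the router matches the cipher and key length, so phase 2 is rejected. Listing several transform-sets on one `set transform-set` line lets the router accept whichever the client proposes.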
-
WRT320N and internal VPN server
I just bought a Linksys 320N router to replace another competing router.
I am trying to connect to my VPN server from outside my network. I have the external IP of my network. I set up the new 320N router like the old router:
set the DMZ IP to the VPN server's internal IP address
set port forwarding for 1723, both, to the internal IP address of the VPN server
I have a way to test the VPN when I'm inside my network. So I can watch the VPN server to connect and see the request come in; with the Linksys 320N connected, the request to the server times out.
If I have the old router plugged in, the VPN connects.
The above settings are the same settings I have on both routers.
Help, please.
I don't think the problem is CHAP. I think the problem is the GRE tunnel. Checking with a network sniffer on the server and the client can help to see if the GRE is sent at one end but never received at the other end.
1. Make sure the passthrough options under the Security tab are all turned on.
2. Try different forwarding configurations, for example only the DMZ host configuration but no port forwards. Configure only the TCP 1723 port forward and no DMZ host. See if it makes a difference.
-
I have a NAT problem that is confounding me.
Today, in our lab, I have a video server that is on the subnet 10.16.42.91/26.
This subnet is managed by an L3 switch with L3 routing to the rest of the network.
I need this test server on an emulated WAN access to validate the performance for the executive office.
The WAN emulator is all set up and works fine.
Now I would like to extend this slow access outside the laboratory, so that everyone can test the slow lane from their office.
To do this, I added a 2nd router between the video server's subnet and the rest of the network.
I want to NAT the 10.16.42.91 address to 10.16.44.91,
such that anyone referencing 10.16.44.91 goes through the slow lane, and anyone using 10.16.42.91 goes through the GigE.
The NATing router is an 881 running 15.3.
It should be a hide NAT so that return traffic is routed through the NAT router.
I tried several NAT configs, but remain confused.
Diagram below... Would appreciate any suggestions.
Thanks in advance
Wes
You need two things -
(1) For the return traffic to get back to the 881, you need to NAT overload all the user IPs to the 881's interface IP on the 10.16.42.x side. You have the inside facing the users, which makes it a lot easier, i.e. -
access-list 101 permit ip 10.0.0.0 0.0.0.255 host 10.16.44.91
ip nat inside source list 101 interface <interface> overload   <- where <interface> is the one facing the ...
Note that I'm not entirely sure of the exact order of processing regarding the two NAT statements, so in the ACL above where you have the 10.16.44.91 host, you might need to change it to the real server IP. Try the above first.
(2) A NAT for the server -
ip nat outside source static 10.16.42.91 10.16.44.91 netmask 255.255.255.255
Edit - I'm assuming you have already assigned 'ip nat inside' to the interface on the 881 facing the users and 'ip nat outside' to the interface facing the server.
Jon
-
ASA VPN server and 871 router VPN client
Hi all
I have an ASA 5510 as Easy VPN server and an 871 router as Easy VPN client. I want to have the user ID and password permanent on the 871 and not re-enter the username and password, since the 871 uses a dynamic IP address and every time I have to run "crypto ipsec client ezvpn xauth" and type the user name and password.
Any suggestions would be much appreciated.
Thank you
Alex
Do "show crypto ipsec client ezvpn" on the 871; does it say:
...
Save Password: Disallowed
...
The ezVPN server dictates to the client whether it can automatically connect with a saved password.
Set "password-storage enable" under the group policy on the ASA.
Kind regards,
Roman
-
Access to internal mail (Exchange) via remote access VPN server
Hi all
I have a problem configuring an ASA 5510 to access my internal mail (Exchange) through a remote access VPN server
a. I have set up my D-Link ADSL router to port-forward SMTP (25) & POP3 (110) to the external interface of the ASA 5510 (192.168.5.101 255.255.255.0)
b. How can I configure the ASA 5510 (using ASDM) to port-forward (SMTP 25, POP3 110) to my internal mail server with IP 192.168.50.2 255.255.255.0
c. my internal LAN network (192.168.50.0 255.255.255.0) is NATed to 10.1.1.0 255.255.255.224 for vpn clients
d. my mail server IP (192.168.50.2 255.255.255.0) will also be translated while clients are accessing it through remote access VPN
e. What IP (the Exchange server IP 192.168.50.2?) do I have to set up in Microsoft Outlook (incoming & outgoing mail server), as vpn clients receive a NATed IP 10.1.1.10
Here are my remote access vpn configuration details
: Saved
: Written by enable_15 at 13:42:51.243 UTC Thu Nov 27 2008
!
ASA Version 7.0(6)
!
hostname xxxx
domain-name xxxx
enable password xxxxx encrypted
passwd xxxxx encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.5.101 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.50.101 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
!
interface Management0/0
 nameif management
 security-level 100
 management-only
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 10.1.1.0 255.255.255.224
access-list vpn standard permit any
access-list outside_cryptomap_dyn_20 extended permit ip any 10.1.1.0 255.255.255.224
ip local pool vpn-ip-pool 10.1.1.10-10.1.1.25 mask 255.255.255.0
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.5.1 1   (192.168.5.1 = D-Link ADSL router LAN IP)
group-policy vpn internal
group-policy vpn attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value vpn
 webvpn
username xxxxx password xxxx encrypted privilege 0
username xxxxx attributes
 vpn-group-policy vpn
 webvpn
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group vpn type ipsec-ra
tunnel-group vpn general-attributes
 address-pool vpn-ip-pool
 default-group-policy vpn
tunnel-group vpn ipsec-attributes
 pre-shared-key *****
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
: end
So can someone help me with how I can configure these tasks?
You can without problem
-
Easy VPN server configuration on 1811
I'm trying to configure an Easy VPN server on my 1811 router to allow remote users to access resources on our corporate network. I used the wizard to perform the configuration for Easy VPN, but when I test the VPN it fails the check of dependent components. It tells me that AAA authentication, authorization and Global Address Pool are all "not configured." I have configured AAA in SDM under Additional Tasks, so I don't know where I am going wrong. Any help is greatly appreciated.
Brandon,
the URL below provides almost all the configuration examples for the 18xx series.
http://conft.com/en/us/products/ps5853/prod_configuration_examples_list.html
HTH.
-
SDM & Easy VPN server problem
I'm having a problem setting up an Easy VPN server using Cisco Security
Device Manager Version 2.0a on a 1711 router with IOS 12.3(7)XR3.
I reset the router to the factory defaults from the opening screen of SDM.
Connect to 10.10.10.1
User: cisco
Password: cisco
Start SDM for the initial router configuration dialog box.
Don't use CNS
On the basic configuration screen:
Hostname set to router
Domain: test.com
Synchronize time with local PC
Change the user name
New user name: root
Password: xyzzy123
Password: xyzzy1234
The LAN Interface Setup screen
IP address set to 10.1.1.1
Subnet: 255.255.255.0
Enable DHCP server
Start IP: 10.1.1.50
End IP: 10.1.1.70
DNS Configuration screen
Primary: 45.45.45.45
Secondary: 45.45.45.46
Use for DHCP clients
WAN Configuration screen
Ethernet selected without PPPoE encapsulation
Dynamic (DHCP client), no host name
Advanced options screen
Selected port address translation for VLAN1
After reading the summary, I chose FINISH. When the dialog box asked if I
wanted to set up a basic firewall, I selected YES. I left all the
default secure items selected. I clicked FINISH. SDM detected the
DHCP client on the untrusted external interface and asked if I wanted to
allow DHCP traffic through the firewall. I selected YES. The configuration
was delivered.
Saved the running-config to startup-config and reloaded the router.
Released and renewed my IP address and then reconnected to the 1711 with the new
user name and password. SDM restarted.
Started the configuration task and chose to set up an Easy VPN server.
The opening screen had a prompt to enable AAA. I launched the selected task,
after which the AAA commands were delivered to the router.
I chose the FastEthernet0 interface from the drop-down menu
IKE proposals - selected all the defaults
Transform set - selected all the defaults
Group authorization / policy lookup - selected Local only
Add the user name: User1
Password: local1
Encrypt with MD5
Privilege: 2
Group authorization / user group policies
Add group policy: tunnel
Preshared key: sharedkey
Selected new address pool: 10.1.1.80 to 10.1.1.90
Selected the "Test after configure" button.
On exiting this screen, there was an SDM warning about NAT rules with ACLs
having to be converted into NAT rules with route maps. I clicked YES to let
SDM convert the rules.
The Easy VPN server test succeeded and the client screen displays a warning
about "crypto ipsec df-bit clear" needing to be defined. There was no
way to set it in SDM and the search function had no success.
I copied the running-config to the startup-config and tested the router from a
remote connection using a different ISP.
The results:
The SDM monitor shows the client connection, but the client cannot ping
any host on the router's LAN. No one on the LAN can ping the Easy VPN client's
assigned VPN IP, but they can ping the client using the ISP-assigned IP
address.
It seems that SDM does not correctly configure the 1711 to route from the
VPN interface to the local network.
I enclose my 1711 running configuration generated by SDM.
Hello
I think the reason the ping is not successful is that your LAN IP address (configured on the VLAN interface) and the pool of IP addresses assigned to the client are in the same network.
Can you try assigning a pool of IP addresses for VPN clients that is in another subnet (say 10.1.2.80 to 10.1.2.90) and then try to ping?
You can change the pool by means of Configure -> Additional Tasks -> Local Pools.
You can then disconnect the client on the Monitoring page and connect again.
Kind regards
Ravikumar
-
VPN needs access to all external and internal traffic, all VPN traffic in tunnel
Hello
Could someone help me find the problem?
I am configuring an ASA as firewall + VPN server. Basically the device's outside has T1 access (there are two VLANs inside via an iptables box; the outside of iptables is on the same VLAN as the inside of the ASA (192.168.5.1 and 192.168.5.2)). VPN users are authenticated via 2-factor authentication (SDI, IP is 192.168.5.5) and get the ACL from the local database. The VPN pool is 192.168.6.1 - 192.168.6.15. The VPN pool is NATed to the external IP address.
Trying to access a remote host A from the VPN; host A is open for the IP and one specific protocol. All VPN traffic is in the tunnel. The VPN user can connect, but the ACL vpnuser1_ONLY does not work as expected.
Here is the relevant part of the configuration:
ASA Version 8.2(2)
...........
route outside 0.0.0.0 0.0.0.0 xx.10.194.193 1
route inside companynet1 255.255.255.0 192.168.5.2 1
route inside companynet2 255.255.255.0 192.168.5.2 1
route inside companynet3 255.255.255.0 192.168.5.2 1
route inside companynet4 255.255.255.0 192.168.5.2 1
...............
route inside companynetn 255.255.255.0 192.168.5.2 1
nat (inside) 4 vpnpool 255.255.255.0 outside   <--------- is this ... --------->
global (outside) 4 xx.10.194.238 netmask 255.255.255.255
split-tunnel-policy tunnelall
.....................
access-list vpnuser1_ONLY extended permit tcp vpnpool 255.255.255.0 host 192.168.1.28 eq ssh log
access-list vpnuser1_ONLY extended permit tcp vpnpool 255.255.255.0 host 74.2.23.195 eq ssh log
............
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 8
 vpn-idle-timeout 10
 vpn-session-timeout 60
 vpn-tunnel-protocol l2tp-ipsec
 webvpn
  svc keep-installer installed
  svc rekey time 8
  svc rekey method ssl
  svc ask none default svc
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-simultaneous-logins 1
 vpn-idle-timeout 9
 vpn-session-timeout 45
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelall
 webvpn
  svc keep-installer installed
  svc rekey time 15
  svc rekey method ssl
  svc dpd-interval client 30
  svc dpd-interval gateway 30
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc routing-filtering-ignore disable
username vpnuser1 password xxxxxxx encrypted
username vpnuser1 attributes
 vpn-group-policy GroupPolicy1
 vpn-idle-timeout 6
 vpn-session-timeout 20
 vpn-filter value vpnuser1_ONLY
 vpn-tunnel-protocol svc
 group-lock value COMAVPN
 service-type remote-access
tunnel-group DefaultRAGroup webvpn-attributes
 group-alias companyvpn disable
tunnel-group COMAVPN type remote-access
tunnel-group COMAVPN general-attributes
 address-pool (inside) vpnpool
 address-pool vpnpool
 authentication-server-group SDI
 authentication-server-group (inside) SDI
 authorization-server-group LOCAL
 default-group-policy GroupPolicy1
tunnel-group COMAVPN webvpn-attributes
 group-alias companyremote enable
Did I do anything wrong, or miss something?
Thank you
Yijun
First of all, you can set "no nat-control", because once you have NAT exemption, "no nat-control" becomes disabled anyway. "no nat-control" is useful if you have no NAT statement at all on the interface.
Second, if you can't access the inside from the outside, that is because you must configure NAT exemption. Not sure if you have configured it.
Here is the command:
access-list sheep permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
nat (inside) 0 access-list sheep
You can then add all the other internal subnets to the sheep ACL if they need VPN access.
Finally, for the deny error message on access-group "OUTSIDE", you would need to check whether you have configured "sysopt connection permit-vpn". If it is disabled, it will also check the "OUTSIDE" interface ACL for VPN traffic.
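As an added illustration, not part of this thread, the following Python model walks a VPN client's connection through the two checks the answer describes: the NAT-exemption ACL behind "nat (inside) 0 access-list sheep", and the vpn-filter ACL vpnuser1_ONLY. It parses ASA-style access-list lines, uses first-match evaluation with the implicit deny at the end, treats protocol "ip" as matching anything, tests the exemption ACL in the inside-to-client direction (that is the direction "nat (inside) 0" is evaluated on), and tests the vpn-filter with the client as the source, which is how ASA vpn-filter ACLs are written. The "vpnpool" object is assumed to be 192.168.6.0/24 (the subnet the answer pairs with 192.168.1.0/24), and 192.168.2.0/24 stands in for one of the companynet subnets that is not yet in the sheep ACL; both are assumptions, as are the sample flows.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the NAT-exemption ACL from the answer and the vpn-filter ACL
# from the question.  "vpnpool" is assumed to be 192.168.6.0/24 (assumption).
ASA_ACLS = """
access-list sheep permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list vpnuser1_ONLY extended permit tcp 192.168.6.0 255.255.255.0 host 192.168.1.28 eq ssh log
access-list vpnuser1_ONLY extended permit tcp 192.168.6.0 255.255.255.0 host 74.2.23.195 eq ssh log
"""

# Assumed inside networks, standing in for companynet1..n from the question's routes.
INSIDE_NETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "192.168.2.0/24")]

# Port keywords ASA prints in place of numbers (subset).
PORT_NAMES = {"ssh": 22, "www": 80, "https": 443, "smtp": 25, "domain": 53}


@dataclass
class Ace:
    acl: str
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None when the ACE has no "eq PORT" clause


def _parse_addr(tokens, i):
    """Consume one ASA address spec at tokens[i]: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(text):
    """Parse ASA 8.2-style 'access-list' lines into Ace objects, keeping their order."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        i = 2
        if t[i] == "extended":
            i += 1
        action, proto = t[i], t[i + 1]
        src, i = _parse_addr(t, i + 2)
        dst, i = _parse_addr(t, i)
        dport = None
        if i + 1 < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        aces.append(Ace(t[1], action, proto, src, dst, dport))
    return aces


def acl_action(aces, acl, proto, src_ip, dst_ip, dport=None):
    """First-match evaluation of ACL `acl`; ASA ACLs end with an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for a in aces:
        if a.acl != acl:
            continue
        if a.proto != "ip" and a.proto != proto:
            continue
        if s not in a.src or d not in a.dst:
            continue
        if a.dport is not None and a.dport != dport:
            continue
        return a.action
    return "deny"


def check_vpn_client_flow(aces, client_ip, dst_ip, proto, dport,
                          nat0_acl="sheep", vpn_filter="vpnuser1_ONLY", inside_nets=INSIDE_NETS):
    """Return (nat_exempt, filter_permits) for a connection the VPN client opens.

    nat_exempt: the reverse flow (inside host -> client) hits a permit in the
    'nat (inside) 0' ACL, so the inside host is not translated towards the client.
    It is None when the destination is not an inside network (exemption not involved).
    filter_permits: the client-sourced flow is permitted by the vpn-filter ACL.
    """
    dst = ipaddress.ip_address(dst_ip)
    nat_exempt = None
    if any(dst in n for n in inside_nets):
        nat_exempt = acl_action(aces, nat0_acl, proto, dst_ip, client_ip) == "permit"
    filter_permits = acl_action(aces, vpn_filter, proto, client_ip, dst_ip, dport) == "permit"
    return nat_exempt, filter_permits


def audit(aces=None):
    """Run a few constructed client flows through both checks; keyed by the flow tuple."""
    aces = parse_acls(ASA_ACLS) if aces is None else aces
    flows = [
        ("192.168.6.10", "192.168.1.28", "tcp", 22),   # SSH to the permitted host
        ("192.168.6.10", "192.168.1.28", "tcp", 80),   # HTTP to the same host: filter denies
        ("192.168.6.10", "192.168.2.5", "tcp", 22),    # subnet missing from the sheep ACL
        ("192.168.6.10", "74.2.23.195", "tcp", 22),    # external host, exemption not involved
    ]
    return {f: check_vpn_client_flow(aces, *f) for f in flows}


if __name__ == "__main__":
    for flow, (nat_exempt, permitted) in audit().items():
        print(f"{flow[0]} -> {flow[1]} {flow[2]}/{flow[3]}: nat_exempt={nat_exempt} vpn_filter={permitted}")
```

The third flow is the case the answer's last sentence about the sheep ACL is aimed at: a host on a second inside subnet gets (False, False), showing that both the exemption ACL and the vpn-filter ACL need an entry before the client can reach it.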
-
Unable to connect to the VPN server
Hello
I'm on macOS Sierra, iOS 10 and Mac OS Server 5.2 (on a Mac mini). (All dated September 21, 2016.)
Because PPTP is no longer supported, I am trying to set up L2TP. Unfortunately, when I try to connect to the server, I get the error "The VPN server has failed. Please check the server address and try to reconnect."
I do not think it is a networking problem: Back to My Mac is not enabled, the appropriate ports are forwarded (UDP 500, 1701, 4500) and the server says that the service is reachable.
When I check the logs from the server after a connection attempt, I find:
21/09/16 21:08:09.994 racoon[75993]: can't find configuration.
21/09/16 21:08:13.285 racoon[75993]: can't find configuration.
21/09/16 21:08:16.578 racoon[75993]: can't find configuration.
21/09/16 21:08:19.884 racoon[75993]: can't find configuration.
Any suggestions?
Does anyone know where the configuration file is supposed to be on the server, so I can look at it?
Thanks for your help!
Hi Rick,
- Check that the folder /etc/racoon exists and that it contains psk.txt and racoon.conf.
- It is installed with the operating system.
Cheers, dwbrecovery
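As an added check, not part of this thread, the Python below automates what the answer suggests: it confirms that the racoon directory (defaulting to /etc/racoon, as named above) exists and contains racoon.conf and psk.txt, and additionally flags a psk.txt that is readable by group or others, since that file holds the L2TP/IPsec pre-shared keys. It also counts the "can't find configuration" events in a log excerpt. The helper make_layout builds a throwaway directory for the demonstration; that directory, the placeholder file contents and the log lines are all constructed.

```python
import os
import stat
import tempfile

# Files the answer says the macOS Server racoon directory must contain.
REQUIRED_FILES = ("racoon.conf", "psk.txt")

# Constructed log excerpt in the same shape as the question's server log.
SAMPLE_LOG = [
    "21/09/16 21:08:09.994 racoon[75993]: can't find configuration.",
    "21/09/16 21:08:13.285 racoon[75993]: can't find configuration.",
    "21/09/16 21:08:20.000 racoon[75993]: (constructed) unrelated message",
]


def check_racoon_layout(racoon_dir="/etc/racoon"):
    """Return a list of findings for the layout the answer describes; empty means OK.

    Checks that the directory exists, that racoon.conf and psk.txt are present,
    and that psk.txt (pre-shared keys) is not accessible to group or others.
    """
    if not os.path.isdir(racoon_dir):
        return [f"missing directory: {racoon_dir}"]
    findings = []
    for name in REQUIRED_FILES:
        path = os.path.join(racoon_dir, name)
        if not os.path.isfile(path):
            findings.append(f"missing file: {path}")
    psk = os.path.join(racoon_dir, "psk.txt")
    if os.path.isfile(psk):
        mode = stat.S_IMODE(os.stat(psk).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"psk.txt is accessible to group/others (mode {mode:04o})")
    return findings


def count_config_errors(log_lines):
    """Count racoon's "can't find configuration" events, one per failed attempt."""
    return sum(1 for line in log_lines if "can't find configuration" in line)


def make_layout(base, files=REQUIRED_FILES, psk_mode=0o600):
    """Create a constructed racoon-style directory under `base` (test helper); returns its path."""
    d = os.path.join(base, "racoon")
    os.makedirs(d, exist_ok=True)
    for name in files:
        with open(os.path.join(d, name), "w") as fh:
            fh.write("# constructed placeholder, not a real racoon file\n")
    if "psk.txt" in files:
        os.chmod(os.path.join(d, "psk.txt"), psk_mode)
    return d


def demo():
    """Check one complete layout and one broken layout; returns (ok_findings, broken_findings)."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        ok = check_racoon_layout(make_layout(a))
        broken = check_racoon_layout(make_layout(b, files=("psk.txt",), psk_mode=0o644))
    return ok, broken


if __name__ == "__main__":
    ok, broken = demo()
    print("complete layout:", ok or "OK")
    print("broken layout:", broken)
    print("failed attempts in log:", count_config_errors(SAMPLE_LOG))
```

Run it against the real directory with check_racoon_layout() and no argument; an empty result means the files the answer asks for are in place, and the "can't find configuration" count tells you how many connection attempts racoon rejected.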