VPN on ASA 5506 without internet access, help with NAT?
Hello
I have upgraded from a Cisco ASA 5505 to a 5506-X and as such have moved up to ASA 9.5.
For this reason I'm a bit stuck on how to implement the VPN. I followed the wizard and can now establish inbound connections, but when connected (tunnel-all) there is no internet connectivity.
Our offices internal (inside) network is 192.168.2.0/24
Our VPN pool is 192.168.4.0/24
I guess I'm missing a NAT rule, but in all honesty I'm an ASDM user, and as everything has changed I am struggling to recreate it.
Here is my config:
Result of the command: "sh run"

: Saved
:
: Serial Number: JAD194306H5
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.5(1)
!
hostname ciscoasanew
domain-name work.internal
enable password ... encrypted
names
ip local pool RemoteVPNPool 192.168.4.1-192.168.4.254 mask 255.255.255.0
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 192.168.3.4 255.255.255.0
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.2.197 255.255.255.0
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
clock timezone GMT 0
dns domain-lookup inside
dns domain-lookup management
dns server-group DefaultDNS
 name-server 192.168.2.199
 domain-name work.internal
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network 173.0.82.0
 host 173.0.82.0
object network 173.0.82.1
 subnet 66.211.0.0 255.255.255.0
object network 216.113.0.0
 subnet 216.113.0.0 255.255.255.0
object network 64.4.0.0
 subnet 64.4.0.0 255.255.255.0
object network 66.135.0.0
 subnet 66.135.0.0 255.255.255.0
object network a
 host 192.168.7.7
object network devweb
 host 192.168.2.205
object network DevwebSSH
 host 192.168.2.205
object network DEV-WEB-SSH
 host 192.168.2.205
object network DEVWEB-SSH
 host 192.168.2.205
object network vpn-network
 subnet 192.168.4.0 255.255.255.0
object network NETWORK_OBJ_192.168.4.0_24
 subnet 192.168.4.0 255.255.255.0
object network NETWORK_OBJ_192.168.2.0_24
 subnet 192.168.2.0 255.255.255.0
object-group network EC2ExternalIPs
 network-object host 52.18.73.220
 network-object host 54.154.134.173
 network-object host 54.194.224.47
 network-object host 54.194.224.48
 network-object host 54.76.189.66
 network-object host 54.76.5.79
object-group network PayPal
 network-object object 173.0.82.0
 network-object object 173.0.82.1
 network-object object 216.113.0.0
 network-object object 64.4.0.0
 network-object object 66.135.0.0
object-group service DM_INLINE_SERVICE_1
 service-object icmp
 service-object icmp6
 service-object icmp alternate-address
 service-object icmp conversion-error
 service-object icmp echo
 service-object icmp information-reply
 service-object icmp information-request
access-list outside_access_in extended permit tcp object-group EC2ExternalIPs object DEVWEB-SSH eq ssh
access-list outside_access_in remark AWS Servers
access-list outside_access_in extended permit tcp object-group EC2ExternalIPs object devweb eq ssh log debugging inactive
access-list outside_access_in extended permit ip any any inactive
access-list outside_access_in remark Ping reply
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any interface outside
access-list outside_access_in remark Alarm
access-list outside_access_in extended permit tcp any interface outside eq 10001
access-list outside_access_in remark CCTV
access-list outside_access_in extended permit tcp any interface outside eq 7443
access-list outside_access_in extended deny ip any any
access-list workvpn_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0
access-list workvpn_splitTunnelAcl_1 standard permit 162.13.130.12 255.255.255.252
access-list workvpn_splitTunnelAcl_1 standard permit 162.13.133.72 255.255.255.252
access-list workvpn_splitTunnelAcl_1 standard permit 164.177.128.200 255.255.255.252
access-list workvpn_splitTunnelAcl_1 standard permit 164.177.132.16 255.255.255.252
access-list workvpn_splitTunnelAcl_1 standard permit 164.177.132.72 255.255.255.252
access-list workvpn_splitTunnelAcl_1 standard permit 212.64.147.184 255.255.255.248
access-list workvpn_splitTunnelAcl_1 standard permit 95.138.147.116 255.255.255.254
access-list workvpn_splitTunnelAcl_1 standard permit 95.138.147.118 255.255.255.254
access-list workvpn_splitTunnelAcl_1 standard permit host 95.138.147.118
access-list workvpn_splitTunnelAcl_1 standard permit 95.138.147.120 255.255.255.254
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list workvpn2_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list workVPN2016_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 16000
logging asdm-buffer-size 512
logging asdm warnings
logging flash-bufferwrap
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 7200
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.4.0_24 NETWORK_OBJ_192.168.4.0_24 no-proxy-arp route-lookup
!
object network obj_any
 nat (any,outside) dynamic interface
object network DEVWEB-SSH
 nat (inside,outside) static interface service tcp ssh ssh
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.3.3 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 fqdn none
 subject-name CN=192.168.2.197,CN=ciscoasanew
 keypair ASDM_LAUNCHER
 crl configure
snip
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
no threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ssl-client
group-policy workVPN2016 internal
group-policy workVPN2016 attributes
 dns-server value 192.168.2.199
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelall
 ipv6-split-tunnel-policy tunnelall
 default-domain value work.internal
 split-dns value work.internal
 split-tunnel-all-dns enable
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
hpm topN enable
Cryptochecksum:
: end
Hi Ben-
What you are trying to accomplish is called VPN hairpinning. Based on your current configuration, you have two NAT problems. The first has to do with NAT ordering. In post-8.3 code we are dealing with two kinds of NAT on the ASA, twice NAT and object NAT, and the twice NAT rules are ranked in two sections, one before and one after the object NAT.
My general rule for NAT ordering is like this:
- Twice NAT (before-auto): use this section for NAT exemptions or unusual configurations that have to match first
- Object NAT: use this section for the static NAT statements for servers
- Twice NAT (after-auto): use this section for your global NAT statements, basically a catch-all
Second, never use 'any' as an interface in any of your NAT statements. It may seem like a good idea, but it will bite you. Remember, NAT is about control, and the 'any' interface bites in VPN and similar DMZ configurations. Always be specific about your interface pairs for NAT.
To that end, here is what I suggest your NAT configuration should look like:
nat (inside,outside) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.4.0_24 NETWORK_OBJ_192.168.4.0_24 no-proxy-arp route-lookup
!
object network DEVWEB-SSH
 nat (inside,outside) static interface service tcp ssh ssh
!
nat (inside,outside) after-auto source dynamic any interface
nat (outside,outside) after-auto source dynamic any interface
The key is that you need a NAT statement that explicitly reflects the VPN traffic.
PSC
Tags: Cisco Security
Similar Questions
-
I have a stand-alone computer (no internet access) running Firefox that needs Java. I have internet access on another computer to download files and carry them over to the stand-alone computer to install. What do I download, where from, and how do I install it on the stand-alone computer?
Thank you
Leroy
Hi, to get the offline installer that you can use on the computer without internet access, please visit https://java.com/en/download/help/windows_offline_download.xml
-
How to disconnect from an unidentified network without internet access?
My laptop running Windows 7 says I'm connected to an unidentified network without internet access. It lets me connect to my home wireless, but there is no internet connection. The only way I can use the internet on my PC is to connect my phone and use tethering from there (which sometimes is not recognized).
Please help on how to disconnect from an unidentified network!
Hello
You can't disconnect from it.
It is there because of the computer's inability to connect to your network.
It detects that there is something there, but it can't connect to it.
Assuming that it is wireless, that the wireless router's signal is strong, and that it broadcasts its SSID (wireless network name),
-------------------------
follow these steps and tell us where the breaking point is.
Check Device Manager for a valid entry for the wireless card.
http://www.ezlan.NET/Win7/net_dm.jpg
If there is no valid entry, remove any bogus entry and reinstall the drivers for the wireless card.
Check Network Connections to make sure that you have a wireless network connection icon/entry, and that the properties of the icon (right-click the icon) are correctly configured with the TCP/IPv4 protocol.
http://www.ezlan.NET/Win7/net_connection_tcp.jpg
------------------
The wireless card drivers may also install the vendor's wireless utility.
Make sure that, if there is a vendor wireless utility, it does not conflict with the native Windows wireless utility (WLAN service).
----------------
Make sure your firewall is not preventing/blocking the wireless components from joining the network.
Some 3rd party software firewalls continue to block aspects of local traffic even when they are turned off (disabled). If possible configure the firewall correctly; otherwise uninstall it completely and get rid of its remaining processes, so that local network traffic can flow.
If the 3rd party software is uninstalled or disabled, make sure the native Windows firewall is active.
3rd party network managers like Hello and NetMagic can block local traffic too.
---------------------------
The TCP/IP stack should look like this.
Right-click the wireless network connection, select Status, then Details, and see if it got an IP address and the rest of the settings.
http://www.ezlan.NET/Win7/status-NIC.jpg
Description is the make of the card.
The physical address is the card's MAC number.
xx must be a number between 0 and 255 (all xx the same number).
yy should be between 0 and 255.
zz should be between 0 and 255 (all zz the same number).
The lease dates must be valid at the present time.
* Note 1. An IP that starts with 169.xxx.xxx.xxx isn't a valid functional IP.
* Note 2. There could be IPv6 entries too. However, they are not functional for Internet or LAN traffic. They are necessary for the Win 7 HomeGroup special configuration.
---------------------------------------------------
A message in the small window that says wireless is connected doesn't mean that you really have a valid functional connection.
If all of the above is OK, you must be able to connect to the router.
Connecting to the router means that you can enter the router's base IP in an address bar, connect, and see the router's configuration menus.
If it doesn't connect to the router, log into the router from any computer that can connect to it with a wire, disable wireless security, make sure that wireless SSID broadcast is enabled, and try to connect with no wireless security.
Enable wireless security after you manage to make a functional connection.
Jack - Microsoft MVP, Windows networking. WWW.EZLAN.NET
-
Licensing without Internet access?
How can I get ESXi licensed without internet access? When I try to apply my license in the client, it tries to connect. These servers are in a manufacturing environment and do not have access to the internet. Thanks again for the help. This community is very valuable.
In the vSphere Client, do you go to Configuration and then click Licensing?
-
How to create a network without internet access
I have three devices: a MacBook Air, an iPad mini and an iPhone, but I can't access the internet.
How can I create a network without internet access?
Maybe I just need another router, but sometimes I just take my Mac and iPhone. It is impossible to bring the router with me everywhere.
-
Using Creative Cloud on a desktop computer in a rural area without Internet access
I have a Creative Cloud subscription for my home office. I will soon participate in a photography workshop in a rural area with NO INTERNET ACCESS. I don't own a laptop, so I will carry my desktop to where we are staying instead. I know that the software is installed on the machine and I should be fine using it without online access, correct? Am I also right in thinking it will "not be considered" as being used on a second computer, because while I use it on this trip I won't have access to the Internet and so no IP address?
Hello
The only thing that could cause a problem is if your workshop is more than a month long. When using applications downloaded from Creative Cloud, internet access is necessary once a month for a routine license check. Here is some of the Creative Cloud FAQ:
http://www.Adobe.com/products/creativecloud/FAQ.html
Do I need a continuous Internet access to use my Creative Suite apps?
Because your Creative Suite applications are installed directly on your computer, you will not need a continuous Internet connection to use them on a daily basis. However, you need to be online when you install and license your software and at least once every 30 days thereafter. The software warns you when you need to connect to the Internet for a license status check.
Note: If the product cannot check your license at the 30-day mark, there is a 7-day grace period. However, if you are not able to access the internet within those 7 days, your applications will be blocked (Source: http://forums.adobe.com/message/4513667#4513667)
As for your second question: as long as you use the same device on which you already have your applications installed, you still have only a single device registered to your account.
If you have any other questions, feel free to post here again.
Cheers!
-
PSE10 - how to get help online on PC without Internet access?
Hello
Our company bought several licenses of Photoshop Elements 10 and I would like to package the installation so that it can be deployed to PCs with SCCM (formerly named SMS).
The problem we have is that the PCs in our company do not have Internet access, so after the installation users cannot download the online help... and since there is currently no help included out of the box, it means that they have no help at all.
Can you let us know where the help in question is copied when it is downloaded, so that our packaging team can download these files from a PC with Internet access and add them to the package, so that our users will be able to read the help (F1) even without Internet access?
Thanks a lot for your answer
Yes, you can do so by changing the settings in the Adobe Help Manager.
Open Adobe Help.exe, location: c:\program files (x86)\Adobe\Adobe Help
Then in the Preferences download section, you can select the products you want offline help for.
In the Update section select Manually.
In the "Local Content" section, select the product, and then click UPDATE.
Once the offline help is downloaded, go to the General section and select Yes (this makes local help the default).
Now if you switch to offline mode and press F1 in the program, it will open the local help.
Hope it helps!
-
Unable to reconnect the VPN to the ASA over the internet
Hello
I have an ASA5540 running IOS 8.04-K8. Users are able to connect to the VPN over the internet, but cannot reconnect when they were disconnected abnormally (abnormally meaning they did not disconnect manually; when the VPN is disconnected manually, no problem occurs). The ASA shows an active session for the disconnected user, and the user gets reason 433 when logging back into the VPN.
Any suggestion or recommendation for this case?
Awaiting your replies.
Thank you very much.
Kind regards
Arsalan
Hello
Under the tunnel-group, try reducing the keepalive interval... it can help detect that the peer is down faster...
Best wishes
McLaughlin
-
How to fix "no internet access"?
I'm trying to access the internet. When I get it, it's with just one bar, and the area I live in has few connections available. This one connection has four bars and I can't access the net. Now it's crazy: there are four bars, it says no internet access; how can I get rid of this and have access?
How does this relate to Windows Update?
Help us help you: start by reading this 'sticky' post...
What information to post in the Windows Update forum
http://answers.Microsoft.com/thread/1467f44b-ee27-4F7D-98d7-f1c4b35b3395
-
Hi, I would like to be offline / without internet for a while. I downloaded the mbox files of several of my different email accounts and deleted the accounts. I would like to view the emails in offline mode. Can I do this with Thunderbird? Thanks for your time, Jen.
Under 'Tools' > 'Account Settings'.
On the left are the Server Settings; choose them.
Uncheck "Check for new messages at startup".
Uncheck "Automatically check for new messages every _ minutes".
Uncheck "Automatically download new messages".
-
How to install a PPPoE WAN miniport network driver without internet access?
I have a yellow exclamation point on the network driver and currently do not have internet access. I tried to reinstall the driver, but it says it was blocked because it does not work with Windows. If I could download the driver to a flash drive on my father's computer and reinstall it, hopefully that will solve my problem.
Hello
What is the make and model of the computer?
Yes, you can download the appropriate drivers for the device on another computer and transfer them to the problem computer. Install the drivers and let us know the results.
-
Creative Cloud subscription without internet access
Is there a way to get a Creative Cloud subscription for my work without monthly internet use, by paying for the year in full? My workstation isn't online and cannot be; it is part of an internal network.
Hi there - the Creative Cloud FAQ states that you must have an internet connection at least once per month:
http://www.Adobe.com/products/creativecloud/FAQ.html
Do I need continuous Internet access to use my Creative Suite apps?
Because your Creative Suite applications are installed directly on your computer, you will not need a continuous Internet connection to use them on a daily basis. However, you need to be online when you install and license your software and at least once every 30 days thereafter. The software warns you when you need to connect to the Internet for a license status check.
... However, you may be able to call customer service to update your license status in person. I would try contacting customer service:
- 800-833-6687 (M-F, 05:00 - 19:00)
- or live chat.
An alternative solution is to install one or more applications on a secondary computer that you use outside the internal network, say a personal laptop. As the Creative Cloud license allows use on two devices, you could fulfil the monthly license check through the applications on your secondary computer. This would validate your subscription as a whole, and all linked devices and applications.
Whatever you do, I would contact customer service just to be safe.
Cheers! Good luck
-
Will Flex web apps run on a computer without internet access?
We have developed a Flex web application that uses resources on the intranet (back-end servers inside our company). The PC on which we run the Flex application has access to the intranet, but has NO access to the internet.
The Flex application fails with error 2032.
My Question:
Does a Flex app need to access the internet? Can a Flex application not run on a PC that has no internet access,
as long as the back-end server is available on the INTRANET (within the company)?
Hello
Your application may be trying to access the internet to download the RSL files (the default location is an Adobe URL). Try copying the RSL (.swz) files into the bin-debug/release folder, in the same intranet folder as your swf, and see if that fixes it.
-
Cisco ASA and Cisco 831 static routing. Help with an ACL, maybe?
Hi all
What should be a simple task is turning out to be difficult and I really need help.
The Cisco ASA obviously isn't a strong point of mine and I could do with a pointer in the right direction. I hope this will allow me to learn more about the ASA 5505.
OK, so I have an ASA 5505. VLAN 1 is 192.168.254.1 and VLAN 2 gets DHCP from my cable modem.
I have a Cisco 831 Ethernet router that will sit between my main LAN and the test LAN I want to set up for multicasting. The Cisco 831 has Ethernet 1 as 192.168.254.254 and Ethernet 0 as 10.1.1.1.
On the ASA I have an inside route 10.0.0.0 255.0.0.0 192.168.254.254.
On the Cisco 831 there is a route 0.0.0.0 0.0.0.0 192.168.254.1. I can pass traffic via the Cisco 831 to the ASA 5505 and the internet, for example I can ping 8.8.8.8 and access everything on my main local network, but the other way round, no host inside the ASA 5505 is able to ping anything on 10.1.1.x.
Where am I going wrong? I have opened up all my access on the ASA entirely, but it is still unable to do anything.
I will attach my configs with the passwords removed and would like a good kick in the right direction. Without a doubt it's something simple I'm missing, and I'm sure it's the ACL on the ASA 5505, as packet tracer says the packet is dropped due to the ACL.
Thank you. :)
So all traffic between these two LANs travels through the ASA on the same interface.
Please add this command in the global configuration of the ASA:
same-security-traffic permit intra-interface
-
IPsec VPN Phase 2 does not come up. Need help with the debug output
Can someone please tell me why I can't establish IPsec Phase 2 negotiations? I'm trying to connect a 2651XM to a PIX 501.
Here are the ISAKMP and IPsec debug output and the configs. I checked that the keys are the same, and the transform sets look ok. No idea why it's not working?
What is the output below telling me?
===========================================================
01:32:37: IPSEC (validate_transform_proposal): invalid local address 1.1.1.2
01:32:37: ISAKMP:(0:2:SW:1): IPSec policy invalidated proposal
01:32:37: ISAKMP:(0:2:SW:1): politics of ITS phase 2 is not acceptable! (local 1.1.1.2 re)
Mote 1.1.1.3)
01:32:37: IPSEC (validate_transform_proposal): invalid local address 1.1.1.2
01:32:37: ISAKMP:(0:2:SW:1): IPSec policy invalidated proposal
01:32:37: ISAKMP:(0:2:SW:1): politics of ITS phase 2 is not acceptable! (local 1.1.1.2 re)
Mote 1.1.1.3)
===============================================================================
ISAKMP (0): start Quick Mode Exchange, M - ID - 1154286426:bb32fca6
crypto_isakmp_process_block: CBC 1.1.1.2 1.1.1.3 dest
ISAKMP (0): processing NOTIFY payload Protocol 14 2
SPI 2224366689, message ID = 1503891776
ISAKMP (0): removal of spi 1629787524 message ID = 3140680870
to return to the State is IKMP_NO_ERR_NO_TRANS
pixfirewall #.
pixfirewall # sh crypto is
ISAKMP (0): start Quick Mode Exchange, M - ID 400184159:17da535f
crypto_isakmp_process_block: CBC 1.1.1.2 1.1.1.3 dest
ISAKMP (0): processing NOTIFY payload Protocol 14 2
SPI 2649583861, message ID = 1778335964 a.
ISAKMP (0): removal of spi 4117818781 message ID = 400184159
status code returned is IKMP_NO_ERR_NO_TRANSkmp its
Total: 1
Embryonic: 0
Src DST in the meantime created State
1.1.1.2 1.1.1.3 QM_IDLE 0 0
pixfirewall #.
ISAKMP (0): start Quick Mode Exchange, M - ID 923039456:370476e0
crypto_isakmp_process_block: CBC 1.1.1.2 1.1.1.3 dest
ISAKMP (0): processing NOTIFY payload Protocol 14 2
SPI 2163779852, message ID = 2746774364
ISAKMP (0): removal of spi 212465792 message ID = 923039456
to return to the State is IKMP_NO_ERR_NO_TRANSexiClosure of session
CCC cryp #sh
CCC #sh crypto isakmp his
status of DST CBC State conn-id slot
1.1.1.2 1.1.1.3 QM_IDLE 1 0 ACTIVECCC #ping 192.168.1.1
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 192.168.1.1, time-out is 2 seconds:
.....
Success rate is 0% (0/5)CCC #ping 192.168.1.5
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 192.168.1.5, time-out is 2 seconds:
.....
Success rate is 0% (0/5)
CCC #debug isakmp crypto
Crypto ISAKMP debug is on
CCC #debug crypto ipsec
Crypto IPSEC debugging is on
Crypto CCC talkative #debug
detailed debug output debug is on
CCC #ping 192.168.1.5Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 192.168.1.5, time-out is 2 seconds:
.....
Success rate is 0% (0/5)
CCC #.
00:51:24: ISAKMP (0:134217729): received packet of 1.1.1.3 dport 500 sport 500
Global (R) QM_IDLE
00:51:24: ISAKMP: node set 1268073006 to QM_IDLE
00:51:24: ISAKMP:(0:1:SW:1): HASH payload processing. Message ID = 1268073006
00:51:24: ISAKMP:(0:1:SW:1): treatment ITS payload. Message ID = 1268073006
00:51:24: ISAKMP: (0:1:SW:1): proposal of IPSec checking 1
00:51:24: ISAKMP: turn 1, AH_SHA
00:51:24: ISAKMP: attributes of transformation:
00:51:24: ISAKMP: program is 1 (Tunnel)
00:51:24: ISAKMP: type of life in seconds
00:51:24: ISAKMP: life of HIS (basic) of 28800
00:51:24: ISAKMP: type of life in kilobytes
00:51:24: ISAKMP: service life of SA (IPV) 0x0 0 x 46 0 50 x 0 x 0
00:51:24: ISAKMP: authenticator is HMAC-SHA
00:51:24: ISAKMP: (0:1:SW:1): atts are acceptable.
00:51:24: ISAKMP: (0:1:SW:1): proposal of IPSec checking 1
00:51:24: ISAKMP: turn 1, ESP_3DES
00:51:24: ISAKMP: attributes of transformation:
00:51:24: ISAKMP: program is 1 (Tunnel)
00:51:24: ISAKMP: type of life in seconds
00:51:24: ISAKMP: life of HIS (basic) of 28800
00:51:24: ISAKMP: type of life in kilobytes
00:51:24: ISAKMP: service life of SA (IPV) 0x0 0 x 46 0 50 x 0 x 0
00:51:24: ISAKMP: (0:1:SW:1): atts are acceptable.
00:51:24: IPSEC (validate_proposal_request): part #1 of the proposal
(Eng. msg key.) Local INCOMING = 1.1.1.2, distance = 1.1.1.3.
local_proxy = 10.10.10.0/255.255.255.0/0/0 (type = 4),
remote_proxy = 192.168.1.0/255.255.255.0/0/0 (type = 4),
Protocol = AH, transform = ah-sha-hmac (Tunnel),
lifedur = 0 and 0kb in
SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 2
00:51:24: IPSEC (validate_proposal_request): part #2 of the proposal
(Eng. msg key.) Local INCOMING = 1.1.1.2, distance = 1.1.1.3.
local_proxy = 10.10.10.0/255.255.255.0/0/0 (type = 4),
remote_proxy = 192.168.1.0/255.255.255.0/0/0 (type = 4),
Protocol = ESP, transform = esp-3des (Tunnel),
lifedur = 0 and 0kb in
SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 2
00:51:24: IPSEC (validate_transform_proposal): invalid local address 1.1.1.2
00:51:24: ISAKMP:(0:1:SW:1): IPSec policy invalidated proposal
00:51:24: ISAKMP:(0:1:SW:1): politics of ITS phase 2 is not acceptable! (local 1.1.1.2 re)
Mote 1.1.1.3)
00:51:24: ISAKMP: node set-429221146 to QM_IDLE
00:51:24: ISAKMP: (0:1:SW:1): Protocol to send NOTIFIER PROPOSAL_NOT_CHOSEN 2
SPI 2237255312, message ID =-429221146
00:51:24: ISAKMP:(0:1:SW:1): sending package to 1.1.1.3 my_port 500 peer_port 500
(R) QM_IDLE
00:51:24: ISAKMP: (0:1:SW:1): purge the node-429221146
00:51:24: ISAKMP: (0:1:SW:1): node 1268073006 REAL reason «QM rejec» error suppression
Ted. "
00:51:24: ISAKMP (0:134217729): unknown IKE_MESG_FROM_PEER, IKE_QM_EXCH entry:
node 1268073006: status = IKE_QM_READY
00:51:24: ISAKMP: (0:1:SW:1): entrance, node 1268073006 = IKE_MESG_FROM_PEER, IKE_QM_
EXCH
00:51:24: ISAKMP: (0:1:SW:1): former State = new State IKE_QM_READY = IKE_QM_READY
00:51:24: % CRYPTO-6-IKMP_MODE_FAILURE: fast processing mode has failed with the counterpart
with 1.1.1.3
00:51:54: ISAKMP (0:134217729): received packet from 1.1.1.3 dport 500 sport 500 Global (R) QM_IDLE
00:51:54: ISAKMP: set new node -500877443 to QM_IDLE
00:51:54: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = -500877443
00:51:54: ISAKMP:(0:1:SW:1): processing SA payload. message ID = -500877443
00:51:54: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
00:51:54: ISAKMP: transform 1, AH_SHA
00:51:54: ISAKMP:   attributes in transform:
00:51:54: ISAKMP:      encaps is 1 (Tunnel)
00:51:54: ISAKMP:      SA life type in seconds
00:51:54: ISAKMP:      SA life duration (basic) of 28800
00:51:54: ISAKMP:      SA life type in kilobytes
00:51:54: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
00:51:54: ISAKMP:      authenticator is HMAC-SHA
00:51:54: ISAKMP:(0:1:SW:1):atts are acceptable.
00:51:54: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
00:51:54: ISAKMP: transform 1, ESP_3DES
00:51:54: ISAKMP:   attributes in transform:
00:51:54: ISAKMP:      encaps is 1 (Tunnel)
00:51:54: ISAKMP:      SA life type in seconds
00:51:54: ISAKMP:      SA life duration (basic) of 28800
00:51:54: ISAKMP:      SA life type in kilobytes
00:51:54: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
00:51:54: ISAKMP:(0:1:SW:1):atts are acceptable.
00:51:54: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 1.1.1.2, remote= 1.1.1.3,
    local_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    protocol= AH, transform= ah-sha-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
00:51:54: IPSEC(validate_proposal_request): proposal part #2,
  (key eng. msg.) INBOUND local= 1.1.1.2, remote= 1.1.1.3,
    local_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
00:51:54: IPSEC(validate_transform_proposal): invalid local address 1.1.1.2
00:51:54: ISAKMP:(0:1:SW:1): IPSec policy invalidated proposal
00:51:54: ISAKMP:(0:1:SW:1): phase 2 SA policy not acceptable! (local 1.1.1.2 remote 1.1.1.3)
00:51:54: ISAKMP: set new node -701693099 to QM_IDLE
00:51:54: ISAKMP:(0:1:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 2
        spi 2237255312, message ID = -701693099
00:51:54: ISAKMP:(0:1:SW:1): sending packet to 1.1.1.3 my_port 500 peer_port 500 (R) QM_IDLE
00:51:54: ISAKMP:(0:1:SW:1):purging node -701693099
00:51:54: ISAKMP:(0:1:SW:1):deleting node -500877443 error TRUE reason "QM rejected"
00:51:54: ISAKMP (0:134217729): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH:  state = IKE_QM_READY
00:51:54: ISAKMP:(0:1:SW:1):Node -500877443, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
00:51:54: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_READY
00:52:14: ISAKMP:(0:1:SW:1):purging node 1268073006
CCC#sh crypto isakmp sa
dst             src             state          conn-id slot status
1.1.1.2         1.1.1.3         QM_IDLE              1    0 ACTIVE
CCC#ping 192.168.1.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
00:52:44: ISAKMP:(0:1:SW:1):purging node -500877443...
00:52:50: ISAKMP (0:134217729): received packet from 1.1.1.3 dport 500 sport 500 Global (R) QM_IDLE
00:52:50: ISAKMP: set new node 1186613650 to QM_IDLE
00:52:50: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 1186613650
00:52:50: ISAKMP:(0:1:SW:1): processing SA payload. message ID = 1186613650
00:52:50: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
00:52:50: ISAKMP: transform 1, AH_SHA
00:52:50: ISAKMP:   attributes in transform:
00:52:50: ISAKMP:      encaps is 1 (Tunnel)
00:52:50: ISAKMP:      SA life type in seconds
00:52:50: ISAKMP:      SA life duration (basic) of 28800
00:52:50: ISAKMP:      SA life type in kilobytes
00:52:50: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
00:52:50: ISAKMP:      authenticator is HMAC-SHA
00:52:50: ISAKMP:(0:1:SW:1):atts are acceptable.
00:52:50: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
00:52:50: ISAKMP: transform 1, ESP_3DES
00:52:50: ISAKMP:   attributes in transform:
00:52:50: ISAKMP:      encaps is 1 (Tunnel)
00:52:50: ISAKMP:      SA life type in seconds
00:52:50: ISAKMP:      SA life duration (basic) of 28800
00:52:50: ISAKMP:      SA life type in kilobytes
00:52:50: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
00:52:50: ISAKMP:(0:1:SW:1):atts are acceptable.
00:52:50: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 1.1.1.2, remote= 1.1.1.3,
    local_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    protocol= AH, transform= ah-sha-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
00:52:50: IPSEC(validate_proposal_request): proposal part #2,
  (key eng. msg.) INBOUND local= 1.1.1.2, remote= 1.1.1.3,
    local_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
00:52:50: IPSEC(validate_transform_proposal): invalid local address 1.1.1.2
00:52:50: ISAKMP:(0:1:SW:1): IPSec policy invalidated proposal
00:52:50: ISAKMP:(0:1:SW:1): phase 2 SA policy not acceptable! (local 1.1.1.2 remote 1.1.1.3)
00:52:50: ISAKMP: set new node -1113601414 to QM_IDLE
00:52:50: ISAKMP:(0:1:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 2
        spi 2237255312, message ID = -1113601414
00:52:50: ISAKMP:(0:1:SW:1): sending packet to 1.1.1.3 my_port 500 peer_port 500 (R) QM_IDLE
00:52:50: ISAKMP:(0:1:SW:1):purging node -1113601414
00:52:50: ISAKMP:(0:1:SW:1):deleting node 1186613650 error TRUE reason "QM rejected"
00:52:50: ISAKMP (0:134217729): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH:  state = IKE_QM_READY
00:52:50: ISAKMP:(0:1:SW:1):Node 1186613650, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
00:52:50: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_READY
00:52:50: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 1.1.1.3
Success rate is 0 percent (0/5)
CCC#
00:53:20: ISAKMP (0:134217729): received packet from 1.1.1.3 dport 500 sport 500 Global (R) QM_IDLE
00:53:20: ISAKMP: set new node 459446741 to QM_IDLE
00:53:20: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 459446741
00:53:20: ISAKMP:(0:1:SW:1): processing SA payload. message ID = 459446741
00:53:20: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
00:53:20: ISAKMP: transform 1, AH_SHA
00:53:20: ISAKMP:   attributes in transform:
00:53:20: ISAKMP:      encaps is 1 (Tunnel)
00:53:20: ISAKMP:      SA life type in seconds
00:53:20: ISAKMP:      SA life duration (basic) of 28800
00:53:20: ISAKMP:      SA life type in kilobytes
00:53:20: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
00:53:20: ISAKMP:      authenticator is HMAC-SHA
00:53:20: ISAKMP:(0:1:SW:1):atts are acceptable.
00:53:20: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
00:53:20: ISAKMP: transform 1, ESP_3DES
00:53:20: ISAKMP:   attributes in transform:
00:53:20: ISAKMP:      encaps is 1 (Tunnel)
00:53:20: ISAKMP:      SA life type in seconds
00:53:20: ISAKMP:      SA life duration (basic) of 28800
00:53:20: ISAKMP:      SA life type in kilobytes
00:53:20: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
00:53:20: ISAKMP:(0:1:SW:1):atts are acceptable.
00:53:20: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 1.1.1.2, remote= 1.1.1.3,
    local_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    protocol= AH, transform= ah-sha-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
00:53:20: IPSEC(validate_proposal_request): proposal part #2,
  (key eng. msg.) INBOUND local= 1.1.1.2, remote= 1.1.1.3,
    local_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
00:53:20: IPSEC(validate_transform_proposal): invalid local address 1.1.1.2
00:53:20: ISAKMP:(0:1:SW:1): IPSec policy invalidated proposal
00:53:20: ISAKMP:(0:1:SW:1): phase 2 SA policy not acceptable! (local 1.1.1.2 remote 1.1.1.3)
00:53:20: ISAKMP: set new node -1692074376 to QM_IDLE
00:53:20: ISAKMP:(0:1:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 2
        spi 2237255312, message ID = -1692074376
00:53:20: ISAKMP:(0:1:SW:1): sending packet to 1.1.1.3 my_port 500 peer_port 500 (R) QM_IDLE
00:53:20: ISAKMP:(0:1:SW:1):purging node -1692074376
00:53:20: ISAKMP:(0:1:SW:1):deleting node 459446741 error TRUE reason "QM rejected"
00:53:20: ISAKMP (0:134217729): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH:  state = IKE_QM_READY
00:53:20: ISAKMP:(0:1:SW:1):Node 459446741, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
00:53:20: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_READY
00:53:40: ISAKMP:(0:1:SW:1):purging node 1186613650
00:53:42: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
00:54:10: ISAKMP:(0:1:SW:1):purging node 459446741
===============================================================================
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 1.1.1.3 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.10.10.0 255.255.255.0 inside
pdm location 10.10.10.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set Petaluma_VPN ah-sha-hmac esp-3des
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 1.1.1.2
crypto map outside_map 20 set transform-set Petaluma_VPN
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 1.1.1.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.5-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:8c0d4948407071d3515f1546cf8bc147
: end
pixfirewall#
=========================================================================
CCC#sh run
Building configuration...

Current configuration : 1328 bytes
!
version 12.4
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname CCC
!
boot-start-marker
boot system flash c2600-adventerprisek9-mz.124-25d.bin
boot-end-marker
!
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 1.1.1.3
!
!
crypto ipsec transform-set Petaluma_VPN ah-sha-hmac esp-3des
!
crypto map Petaluma_1 1 ipsec-isakmp
 set peer 1.1.1.3
 set transform-set Petaluma_VPN
 match address 100
!
!
interface FastEthernet0/0
 ip address 1.1.1.2 255.255.255.0
 speed auto
 half-duplex
!
interface Serial0/0
 no ip address
 shutdown
 clock rate 56000
!
interface FastEthernet0/1
 ip address 10.10.10.2 255.255.255.0
 duplex auto
 speed auto
 crypto map Petaluma_1
!
ip forward-protocol nd
ip route 192.168.1.0 255.255.255.0 1.1.1.3
!
!
no ip http server
no ip http secure-server
!
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end
CCC#
Hi David,
Looking at the router configuration, it seems you have applied the crypto map to the wrong interface:

interface FastEthernet0/0
 ip address 1.1.1.2 255.255.255.0
 speed auto
 half-duplex
!
interface FastEthernet0/1
 ip address 10.10.10.2 255.255.255.0
 duplex auto
 speed auto
 crypto map Petaluma_1

Since the PIX will try to build the VPN tunnel to 1.1.1.2, crypto map Petaluma_1 must be applied to FastEthernet0/0, not FastEthernet0/1.

Let me know if it helps.

Thank you
Loren
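The mismatch Loren points out is visible in the debug itself: the IPsec engine rejects the proposal with "invalid local address 1.1.1.2" because the IKE packets arrive on FastEthernet0/0 (1.1.1.2) while the only crypto map is bound to FastEthernet0/1. The Python below is an added example, not code from this thread or from Cisco; it reconstructs the posted router interface blocks and a few of the posted debug lines as constructed sample input, and the function names (`parse_interfaces`, `rejected_local_addresses`, `diagnose`) are this example's own. It works for any IOS config in this shape: for each rejected local address it finds the interface that owns it, checks whether that interface carries a crypto map, and if not names the interface that does and the commands that move the map.

```python
"""Correlate 'invalid local address' IPsec debug lines with crypto map placement.

Added illustration for the thread above; not Cisco code. The config and debug
text are constructed from the snippets posted in the thread.
"""
import re
from typing import Dict, List, Optional

# Constructed from the router config posted above (hostname CCC, IOS 12.4).
ROUTER_CONFIG = """interface FastEthernet0/0
 ip address 1.1.1.2 255.255.255.0
 speed auto
 half-duplex
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 10.10.10.2 255.255.255.0
 duplex auto
 speed auto
 crypto map Petaluma_1
!
"""

# Constructed from the 'debug crypto ipsec' output posted above.
DEBUG_OUTPUT = """00:52:50: IPSEC(validate_proposal_request): proposal part #2,
  (key eng. msg.) INBOUND local= 1.1.1.2, remote= 1.1.1.3,
00:52:50: IPSEC(validate_transform_proposal): invalid local address 1.1.1.2
00:52:50: ISAKMP:(0:1:SW:1): IPSec policy invalidated proposal
"""

INTF_RE = re.compile(r"^interface\s+(\S+)")
ADDR_RE = re.compile(r"^\s+ip address\s+(\d+\.\d+\.\d+\.\d+)\s+\d+\.\d+\.\d+\.\d+")
CMAP_RE = re.compile(r"^\s+crypto map\s+(\S+)")
INVALID_RE = re.compile(r"invalid local address\s+(\d+\.\d+\.\d+\.\d+)")


def parse_interfaces(config: str) -> Dict[str, dict]:
    """Return {ifname: {"ip": address or None, "crypto_map": name or None}}.

    Only indented lines belong to the current interface block; an unindented
    line ('!' or the next top-level command) closes it.
    """
    interfaces: Dict[str, dict] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        m = INTF_RE.match(line)
        if m:
            current = m.group(1)
            interfaces[current] = {"ip": None, "crypto_map": None}
            continue
        if current is None or not line.startswith(" "):
            current = None
            continue
        m = ADDR_RE.match(line)
        if m:
            interfaces[current]["ip"] = m.group(1)
        m = CMAP_RE.match(line)
        if m:
            interfaces[current]["crypto_map"] = m.group(1)
    return interfaces


def rejected_local_addresses(debug: str) -> List[str]:
    """Distinct local addresses the IPsec engine refused, from the debug text."""
    return sorted(set(INVALID_RE.findall(debug)))


def diagnose(config: str, debug: str) -> List[str]:
    """One finding per rejected address whose interface carries no crypto map."""
    interfaces = parse_interfaces(config)
    owner_of = {v["ip"]: name for name, v in interfaces.items() if v["ip"]}
    mapped = {name: v["crypto_map"] for name, v in interfaces.items() if v["crypto_map"]}
    findings: List[str] = []
    for addr in rejected_local_addresses(debug):
        owner = owner_of.get(addr)
        if owner is None:
            findings.append(f"{addr}: rejected, and no interface owns this address")
            continue
        if owner in mapped:
            continue  # map is on the right interface; the fault is elsewhere
        for intf, cmap in mapped.items():
            findings.append(
                f"{addr} is on {owner}, but crypto map {cmap} is applied to {intf}; "
                f"fix: 'interface {intf}' / 'no crypto map {cmap}', then "
                f"'interface {owner}' / 'crypto map {cmap}'"
            )
    return findings


if __name__ == "__main__":
    for finding in diagnose(ROUTER_CONFIG, DEBUG_OUTPUT):
        print(finding)
```

Run it against a real `show running-config` and the captured debug, and an empty result means the map is on the interface that owns the rejected address, so the cause has to be sought in the proxy identities or transform sets instead.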