VPN tunnel look up but no ping
Hello
I got a pix that had two tunnels of work will a 5510 and a single 5520. Today the tunnel VPN to our 5520 has stopped working but if I sh shout to isa its two tunnels were QM_IDLE for the State. (both ends) I tried to debug crypto isakmp 255 but all I get is PEER_REAPER_TIMER and no other output on the side of pix.
I'm looking for commands or something to try that might help...
This ACL line overlaps Cryptography real ACL 'Outside_cryptomap_20 '.
Outside_cryptomap_10 list extended access permits ip data center-Interior - 255.255.254.0 AC office network 255.255.255.0
Please please delete above the line, then disable all tunnels so he renegotiates the SA correct.
Tags: Cisco Security
Similar Questions
-
Problem with Site-to-Site VPN. VPN tunnel is broken but can ping
OK, so I am trying to understand why I can't not only appears when I sh crypto isakmp his or sh crypto ipsec his. I did the basic to site vpn settings to another and I can't ping on both networks fine no problem. So, when I ping from one pc to the address 172.16.0.0 192.168.0.0 network network there is no problem at all because the pings are very well received. But when I go to sh crypto isakmp sa, there's simply nothing and I can't for the life of understand me why. I watched my sh run for both routers and all seems well, but I guess I could be overlooking something. I would really appreciate if someone could help me to diagnose this problem.
I've attached my plotter file of package and two routers use the binary password. I also have the sh run two routers also attached.
I'm not on any of the router 172.16.0.0/24 only 172.16.0.0/16 and I think that is the question.
In Crypto ACL you have on the router of branch:
!
S2S-VPN-TRAFFIC extended IP access list
Licensing ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
If it should not be:
!
S2S-VPN-TRAFFIC extended IP access list
Licensing ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.255.255
and coursed mirrored on the main router.
If this isn't the case, you are saying that some ping between 192.168.0.x and 172.16.0.x is going ok. Can you please indicate exactly that one? I could see that you have attached a package tracer, but I couldn't open it.
-
VPN tunnel is up but cannot ping LAN stations
Hello
I'm trying to set up easy vpn server on cisco 881/k9 router.
Using the version of cisco vpn client 5.0, I can connect to the vpn server.
Can get the IP address of the LAN subnet on the vpn client.
On the side of vpn, I can see the vpn session using isakmp crypto #show her
But I can't ping from client vpn to any LAN station.
Someone please check my setup and find out.
This is my first time setting on the router cisco VPN.
Building configuration...
Current configuration: 5938 bytes
!
! Last configuration change at 01:38:31 UTC Thursday, April 21, 2011 by evantage
!
version 15.0
no service button
tcp KeepAlive-component snap-in service
a tcp-KeepAlive-quick service
horodateurs service debug datetime localtime show-timezone msec
Log service timestamps datetime localtime show-timezone msec
encryption password service
sequence numbers service
!
hostname FarEastP
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
recording console critical
!
AAA new-model
!
!
AAA authentication login default local
AAA authentication login ciscocp_vpn_xauth_ml_1 local
AAA authorization exec default local
AAA authorization ciscocp_vpn_group_ml_1 LAN
!
!
!
!
!
AAA - the id of the joint session
iomem 10 memory size
!
Crypto pki trustpoint TP-self-signed-3333835941
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 3333835941
revocation checking no
rsakeypair TP-self-signed-3333835941
!
!
TP-self-signed-3333835941 crypto pki certificate chain
certificate self-signed 01
30820240 308201A 9 A0030201 02020101 300 D 0609 2A 864886 F70D0101 04050030
2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30
69666963 33333333 38333539 6174652D 3431301E 170 3131 30343230 31363434
30355A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D
4F532D53 5369676E 656C662D 43 65727469 66696361 74652 33 33333338 65642D
33353934 3130819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101
810094A 1 7C2D79CE A6BEE368 3EB0B5B7 9A2CFE42 6A 145915 E67EF01D 350558E3
040B 6379 E6360CB3 4 D 0360DA61 184225 AAB44CA5 6BE23D05 55DAA45A 4647 5 FEB
6F143346 6BF18824 EFC3A31F 2A48AD8D 524F2324 EB331E50 8407577F E751DFF2
DD926D88 25 23143 11 C 66750 68267 C 61 C38B62C4 3B16E5AE AC91B2F8 ABA3546D
02 30203 010001A 3 68306630 1 130101 FF040530 030101FF 30130603 0F060355 D
551D 1104 08466172 45617374 50301F06 23 04183016 8014E95E 03551D 0C300A82
66B6A8C2 CF1BD38F 684FD4DF C3854AEB ACA7301D 0603551D 0E041604 14E95E66
B6A8C2CF 1BD38F68 4FD4DFC3 854AEBAC A7300D06 092 HAS 8648 86F70D01 01040500
03818100 05803840 EFBF9A3B F4D64899 8E03C836 34861307 57193CC5 DA510446
E4081D1A 2CF243BF 41AC9F36 83DAE9DB 9480F154 7CF792A5 76C1452C EEFD8661
8443DC4C 8E507A8F B2ECCAEB CDE26E41 E477E290 79AE5D72 FD81057C B5DCE1C2
36E0F740 65108014 A8992360 92F0423D E14F9240 1D162BC3 EFBB75A2 9E64ABC6 D76BE894
quit smoking
no ip source route
!
!
DHCP excluded-address 192.168.1.1 IP 192.168.1.100
DHCP excluded-address IP 192.168.1.201 192.168.1.254
!
dhcp pool IP CCP-pool1
network 192.168.1.0 255.255.255.0
domain FarEastP
default router 192.168.1.1
DNS-server 192.168.1.2 165.21.83.88
!
!
no ip cef
no ip domain search
name-server IP 192.168.1.2
name of the IP-server 165.21.83.88
No ipv6 cef
!
!
license udi pid CISCO881-K9 sn FHK142971LH
!
!
username admin privilege 15 secret 5 $1$ W2eu$ lr. TpEfJuOE1iKQjFPHIT /.
username privilege 15 secret 5 evantage P602 $1$$ 8TeJh5.SCHsY2TGd0.TnD1
username privilege 5 secret 5 sshukla $1$ oflM$ cHZdlpLdWr.nn1UwiCEs7.
username privilege 5 secret 5 rtandon $1$ yGAU$ BxJ6eQqG32WeI2gI4BDWh1
sagrawal privilege 5 secret 5 username $1$ $1Kkz E6NOTt9LCXiGTarAxrc/i1
username secret privilege 5 asarie $5 1. CVw $0ohz3WtLqU8USiMBqxIjA.
username secret privilege 5 rbiyani 5 $1$ KkY / $02lEPCahuIpzoQcXln2yD.
username privilege 5 secret 5 clovejoy $1$ WMbu$ t.er4RPRTnYNNwwkVGMuX.
username privilege 5 secret 5 Lakshmi $1$ ZMC4$ Sjlcmcw2uvhzU9bwEw1Us.
username privilege 5 secret 5 benmansour yPMa $1$$ I.q.7NW2uQo0s5FTHkxZM1
username secret privilege 5 usha 5 $1$ bX1I$ X6X4eSSeq48k0Kq8Qt7Rn.
username privilege 5 secret 5 aditya $1$ w2Vt$ HOz81M2UfLeni.PNUX2aJ.
!
!
synwait-time of tcp IP 10
!
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
!
crypto ISAKMP policy 10
!
ISAKMP crypto group configuration of VPN client
TP!zlflN\2\4go,xtP+xFapuWlKDvr#dVrS6L4TF5NJl2GXugUgv%LfQ+!drgUK key
DNS 192.168.1.2 165.21.83.88
fareastp field
pool SDM_POOL_1
ACL 101
max - 20 users
netmask 255.255.255.0
!
!
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
!
crypto dynamic-map DYNVPN 1
game of transformation-ESP-3DES-SHA
!
!
map clientmap client to authenticate crypto list ciscocp_vpn_xauth_ml_1
card crypto clientmap isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address map clientmap crypto answer
clientmap card crypto 65535-isakmp dynamic ipsec DYNVPN
!
!
!
!
!
interface Loopback0
no ip address
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
WAN description $ ES_WAN$
IP 119.75.60.170 255.255.255.252
penetration of the IP stream
NAT outside IP
IP virtual-reassembly
automatic duplex
automatic speed
clientmap card crypto
!
interface Vlan1
LAN description
IP 116.12.248.81 255.255.255.240 secondary
IP 192.168.1.1 255.255.255.0
penetration of the IP stream
IP nat inside
IP virtual-reassembly
!
local IP SDM_POOL_1 192.168.1.201 pool 192.168.1.254
local IP POOL_2 10.10.1.2 pool 10.10.1.200
IP forward-Protocol ND
IP http server
local IP http authentication
IP http secure server
IP http timeout policy slowed down 60 life 86400 request 10000
!
IP nat inside source static tcp 192.168.1.2 1723 1723 interface FastEthernet4
IP nat inside source static tcp 192.168.1.4 5003 interface FastEthernet4 5003
IP nat inside source static tcp 192.168.1.4 16000 16000 FastEthernet4 interface
IP nat inside source static tcp 192.168.1.4 16001 interface FastEthernet4 16001
overload of IP nat inside source list 111 interface FastEthernet4
IP nat inside source overload map route SDM_RMAP_1 interface FastEthernet4
IP route 0.0.0.0 0.0.0.0 119.75.60.169
!
recording of debug trap
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
!
!
!
allowed SDM_RMAP_1 1 route map
corresponds to the IP 101
!
!
control plan
!
!
Line con 0
no activation of the modem
line to 0
line vty 0 4
transport input telnet ssh
!
max-task-time 5000 Planner
Scheduler allocate 4000 1000
Scheduler interval 500
endThe VPN pool assigned to the VPN client must be in another unique subnet as internal networks.
Please also post all your ACL to see if NAT and crypto ACL has been set up correctly.
Your NAT ACL must include "deny ip" above all permit declarations.
-
Hello
I don't know what could be held, vpn users can ping to the outside and inside of the Cisco ASA interface but can not connect to servers or servers within the LAN ping.
is hell config please kindly and I would like to know what might happen.
hostname horse
domain evergreen.com
activate 2KFQnbNIdI.2KYOU encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
ins-guard
!
interface GigabitEthernet0/0
LAN description
nameif inside
security-level 100
192.168.200.1 IP address 255.255.255.0
!
interface GigabitEthernet0/1
Description CONNECTION_TO_FREEMAN
nameif outside
security-level 0
IP 196.1.1.1 255.255.255.248
!
interface GigabitEthernet0/2
Description CONNECTION_TO_TIGHTMAN
nameif backup
security-level 0
IP 197.1.1.1 255.255.255.248
!
interface GigabitEthernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
Shutdown
No nameif
no level of security
no ip address
management only
!
boot system Disk0: / asa844-1 - k8.bin
boot system Disk0: / asa707 - k8.bin
passive FTP mode
clock timezone WAT 1
DNS server-group DefaultDNS
domain green.com
network of the NETWORK_OBJ_192.168.2.0_25 object
Subnet 192.168.2.0 255.255.255.128
network of the NETWORK_OBJ_192.168.202.0_24 object
192.168.202.0 subnet 255.255.255.0
network obj_any object
subnet 0.0.0.0 0.0.0.0
the DM_INLINE_NETWORK_1 object-group network
object-network 192.168.200.0 255.255.255.0
object-network 192.168.202.0 255.255.255.0
the DM_INLINE_NETWORK_2 object-group network
object-network 192.168.200.0 255.255.255.0
object-network 192.168.202.0 255.255.255.0
access-list extended INSIDE_OUT allow ip 192.168.202.0 255.255.255.0 any
access-list extended INSIDE_OUT allow ip 192.168.200.0 255.255.255.0 any
Access extensive list permits all ip a OUTSIDE_IN
gbnlvpntunnel_splitTunnelAcl standard access list allow 192.168.200.0 255.255.255.0
standard access list gbnlvpntunnel_splitTunnelAcl allow 192.168.202.0 255.255.255.0
gbnlvpntunnell_splitTunnelAcl standard access list allow 192.168.200.0 255.255.255.0
standard access list gbnlvpntunnell_splitTunnelAcl allow 192.168.202.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
backup of MTU 1500
mask of local pool VPNPOOL 192.168.2.0 - 192.168.2.100 IP 255.255.255.0
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm-645 - 206.bin
don't allow no asdm history
ARP timeout 14400
NAT (inside, outside) static source NETWORK_OBJ_192.168.202.0_24 NETWORK_OBJ_192.168.202.0_24 NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 non-proxy-arp-search of route static destination
NAT (inside, backup) static source NETWORK_OBJ_192.168.202.0_24 NETWORK_OBJ_192.168.202.0_24 NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 non-proxy-arp-search of route static destination
NAT (inside, outside) static source DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 non-proxy-arp-search of route static destination
NAT (inside, backup) static source DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 non-proxy-arp-search of route static destination
!
network obj_any object
dynamic NAT interface (inside, backup)
Access-group interface inside INSIDE_OUT
Access-group OUTSIDE_IN in interface outside
Route outside 0.0.0.0 0.0.0.0 196.1.1.2 1 track 10
Route outside 0.0.0.0 0.0.0.0 197.1.1.2 254
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
Enable http server
http 192.168.200.0 255.255.255.0 inside
http 192.168.202.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
monitor SLA 100
type echo protocol ipIcmpEcho 212.58.244.71 interface outside
Timeout 3000
frequency 5
monitor als 100 calendar life never start-time now
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
backup_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
backup of crypto backup_map interface card
Crypto ikev1 allow outside
Crypto ikev1 enable backup
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
!
track 10 rtr 100 accessibility
Telnet 192.168.200.0 255.255.255.0 inside
Telnet 192.168.202.0 255.255.255.0 inside
Telnet timeout 5
SSH 192.168.202.0 255.255.255.0 inside
SSH 192.168.200.0 255.255.255.0 inside
SSH 0.0.0.0 0.0.0.0 outdoors
SSH timeout 15
SSH group dh-Group1-sha1 key exchange
Console timeout 0
management-access inside
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
internal group vpntunnel strategy
Group vpntunnel policy attributes
Ikev1 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list vpntunnel_splitTunnelAcl
field default value green.com
internal vpntunnell group policy
attributes of the strategy of group vpntunnell
Ikev1 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list gbnlvpntunnell_splitTunnelAcl
field default value green.com
Green user name encrypted BoEFKkDtbnX5Uy1Q privilege 15 password
attributes of user name THE
VPN-group-policy gbnlvpn
tunnel-group vpntunnel type remote access
tunnel-group vpntunnel General attributes
address VPNPOOL pool
strategy-group-by default vpntunnel
tunnel-group vpntunnel ipsec-attributes
IKEv1 pre-shared-key *.
type tunnel-group vpntunnell remote access
tunnel-group vpntunnell General-attributes
address VPNPOOL2 pool
Group Policy - by default-vpntunnell
vpntunnell group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns migrated_dns_map_1
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the migrated_dns_map_1 dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:7c1b1373bf2e2c56289b51b8dccaa565
Hello
1 - Please run these commands:
"crypto isakmp nat-traversal 30.
"crypto than dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 Road opposite value.
The main issue here is that you have two roads floating and outside it has a better than backup metric, that's why I added the command 'reverse-road '.
Please let me know.
Thank you.
-
VPN tunnel is up, but traffic will not travel
Does not include why it does not work. I perform extended ping but no ping at all when before he did. I made a few changes since a new T1 has been installed. Any who take a quick look at this config...
------------------------------
crypto ISAKMP policy 1
BA 3des
md5 hash
preshared authentication
Group 2
ISAKMP crypto key MYKEY address YYY. YYY. YYY. YYY
!
Crypto ipsec transform-set esp-3des esp-md5-hmac TUNNELSET
!
crypto map ipsec-isakmp TUNNEL 1
defined peer YYY. YYY. YYY. YYY
game of transformation-TUNNELSET
match address BIZ - hq
!
interface Loopback1
address IP XXX.XXX. XXX.9 255.255.255.248
NAT outside IP
IP virtual-reassembly
card crypto TUNNEL
Crypto ipsec df - bit clear
!
interface FastEthernet0/0/3
Description LOCAL_LAN_INTERFACE
!
interface Serial0/1/0
address IP XXX.XXX. XXX.2 255.255.255.252
NAT outside IP
IP virtual-reassembly
encapsulation ppp
!
interface Vlan1
IP 192.168.150.1 255.255.255.0
IP nat inside
IP virtual-reassembly
!
IP route 0.0.0.0 0.0.0.0 XXX.XXX. XXX.1
!
nat T1 XXX.XXX IP pool. XXX.9 XXX.XXX. XXX.9 netmask 255.255.255.248
IP nat inside source overload map route sheep pool T1
!
DONOTNAT extended IP access list
deny ip 192.168.150.0 0.0.0.255 192.100.100.0 0.0.0.255
deny ip 192.168.150.0 0.0.0.255 192.168.1.0 0.0.0.255
IP 192.168.150.0 allow 0.0.0.255 any
BIZ - hq extended IP access list
IP 192.168.150.0 allow 0.0.0.255 192.100.100.0 0.0.0.255
IP 192.168.150.0 allow 0.0.0.255 192.168.1.0 0.0.0.255
!
access-list 20 allow NN. NN.162.160 0.0.0.31
access-list 20 allow NN. NN.197.192 0.0.0.31
access-list 20 permit 192.168.150.0 0.0.0.255
access-list 20 allow 192.168.9.0 0.0.0.255
!
sheep allowed 10 route map
corresponds to the IP DONOTNAT
You must ensure that the peer set x.x.x.x and isakmp crypto key xxxx address x.x.x.x on the other router point effectively to the new ip address of your router...
Yes, you can finish on the loopback interface is the command to do this:
crypto map-name-address-id of interface card
When you the interface id is your loopback interface...
For more information on this command, please see the following link:
Please rate this message if it helps!
Kind regards
-
VPN connection is established but cannot ping subnet
Hello, I have a 851 router that I'm trying to learn with, I have a config of work that makes me online and has a basic firewall and dhcp for clients. Then, I wanted to add a VPN using the 851 and the Cisco VPN client.
Using this tutorial "http://www.cisco.com/en/US/customer/products/sw/secursw/ps5318/products_configuration_example09186a00806ad10e.shtml."
I was able to get partially to my goal as I can establish a vpn and it shows me 192.168.1.0 as the route secure, but I don't ping or communicate with anything with in the 192.168.1.1 network.
Try this one too.
Instead of using access-list in declaration of NAT, use the route map and see if it solves the problem.
1 deny traffic Ipsec in NAT access list.
access-list 120 refuse 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 allow 192.168.1.0 0.0.0 all
2. create a roadmap
sheep allowed 10 route map
corresponds to the IP 120
3. no nat ip within the source list 1 interface FastEthernet4 overload
4 ip nat inside source map route sheep interface FastEthernet4 overload
5 disable the ip nat translation *.
Then check.
HTH
Sangaré
-
Allowing ports through a VPN tunnel question
I have a VPN tunnel established and I can ping above but my application fails and I think its because I encouraged not 2 ports (ports TCP 19813 and 19814) through. I'm not clear how should I do for allowing these ports through. I need to add a statement to permit to access my list 'sheep' or what I need to add a statement of license to my list of access interface "external"?
Remote users have an IP address of 172.16.5.x 24 and they're trying to connect to users on the 192.168.200.x 24 192.168.201.x 24. I can't do a ping of the 24 192.168.200.x to the 172.16.5.0/24.
The commands below are what I currently have in my PIX.
My current sheep-access list:
IP 192.168.201.0 allow Access-list sheep 255.255.255.0 172.16.5.0 255.255.255.0
IP 192.168.200.0 allow Access-list sheep 255.255.255.0 172.16.5.0 255.255.255.0
My current outside of the access-list interface:
acl_inbound list access permit tcp any host xx.xx.xx.xx eq smtp
acl_inbound list access permit tcp any host xx.xx.xx.xx eq - ica citrix
acl_inbound list access permit tcp any host xx.xx.xx.xx eq www
acl_inbound list access permit tcp any host xx.xx.xx.xx eq www
acl_inbound list access permit tcp any host xx.xx.xx.xx eq www
acl_inbound list access permit tcp any host xx.xx.xx.xx eq 500
acl_inbound esp allowed access list any host xx.xx.xx.xx
acl_inbound list access permit icmp any any echo response
access-list acl_inbound allow icmp all once exceed
acl_inbound list all permitted access all unreachable icmp
acl_inbound list access permit tcp any host xx.xx.xx.xx eq www
acl_inbound list access permit tcp any host xx.xx.xx.xx eq https
first of all, you disable the commnad "sysopt connection permit-ipsec" on the pix? with this enabled command, which is enabled by default, the pix will ignore any ACLs for encrypted traffic. so if you have Hell no this command, then the acl that you applied on the outside int won't make a difference.
However, if "sysopt connection permit-ipsec" is always on, and then all the port/protocol should be allowed.
you said you could do a ping of 192.168.200.0 to 172.16.5.0. How about you 172.16.5.0 to 192.168.200.0 and 192.168.201.0?
also, just wondering if the vpn lan-to-lan or access remote vpn (i.e. using the cisco vpn client).
-
How to change an existing in ASDM VPN tunnel?
I currently have a VPN tunnel together upwards, but to change some of the configurations as making ikev2, replacing the SHA512 hash and change it in the DH group 14. I intend to do this in ASDM. I already created a group of tunnel ikev2 that I put the tunnel and created a Card Crypto that is configured with the right proposal ikev2 IPSec and Diffie-Hellman group. All other configurations such as the IP of Peer address and subnets configured and I'll work with the engineers at the other end of the tunnel to ensure that configurations are, I want to just make sure I'm not missing anything. Someone at - he never comes to change the configuration of an existing ASDM so tunnel, and it worked correctly? Here are the steps that I have will be taken as well as those I've already mentioned:
-Edit the connection profile so that the name of group policy use the correct tunnel that was created for ikev2
-Enter the pre-shared key local and remote pre-shared key ikev2 tab
-Change the IKE Policy so that it uses the ikev2 policy that was created to use SHA512
-Modify the IPSEC proposal so that it uses AES256-SHA512
-THE CRYPTO MAP IS ALREADY CREATED
-Change the secret of transfer perfect in group 14
Hello
Let me go through your questions to clarify this double:
1. If I have a Crypto map applied to my external interface with a proposal of IPSec of ikev1 can I just add a proposal ikev2 in this Crypto map as well?
If you have a card encryption applied to different peers outside and 3 with different order number, you will need to replace the proposal for the peer using IKEv2: IKEv2 IKEv1, the others must continue to use their IKEv1 IPSec proposal.
2. so can I add an ikev2 with AES256 SHA512 hash proposal to my 123.123.123.456 tunnel group and continue to have all three tunnel groups always pass traffic? What happens if I add the proposal ikev2, but REMOVE the ikev1 this group of tunnel proposal because I don't want this group of tunnel use one other than AES256-SHA512 hash?
123.123.123.456 - ikev2 - AES256-SHA512
I would like to expand this a little more, if her counterpart 123.123.123.456, must use IKEv2, you need to declare the IKEv2 in the tunnel group and add the relevant "Local and remote PSK"--> is for phase 1, and this means that it will use the IKEv2 defined policy before, and IPSec IKEv2 proposal is on phase 2, where the encryption card is you will need to replace the IKEv1 and use IPSec IKEv2 proposal. That way it will use for the phase 1 of the policy of IKEv2, that you set and defined transformation IKEv2, by making this change make sure that both sides are mirrored with IKEv2 and IPSec policy projects, as well as the tunnel will remain and will come with the new proposals.
This custom affect no matter what another tunnel, as long as you change the settings to the correct tunnel group and do not delete all the proposals, simply remove the profile connection, those employees.
3. you know what I mean? All groups of three tunnels on that off interface use different cryptographic cards, with only two of the three using ikev1 as a proposal of IPSec. Which will work?
You can only have one card encryption applied by interface, and 3 tunnels using different sequence number with the same crypto map name, you cannot 2 tunnels on the same card encryption using IKEV1, and always in the same encryption card have the third tunnel using IKEv2 (different transformation defined using IKEv2). This custom cause no problem.
4. what Group Policy DfltGrpPolicy? Currently use all my groups of tunnel, but it is configured for ikev1. I'm not really sure what role is in everything it can so I simply add ikev2?
Default group policy is added by default to all your groups of tunnel (connection profile), whenever create you one default group policy is inherited him by default, you can change to group policy that you can create, group policy is a set of attributes that will be used to define something or limit , for example, for a site, you can configure a VPN filter (filters the traffic that goes through the tunnel), now back to your topic, you define the protocols that will be negotiated as for an L2L IKEv1 or IKEv2, Anyconnect SSL or IKEv2, on default group policy, and so on, it is therefore important that you add the IKEv2 , so trading will be permitted, or both to create a new group policy and add the IKEv2 Protocol; and in the tunnel group, add the group policy relevant, that you just created.
I hope that this is precisely, keep me posted!
Please go to the note, and mark it as correct this post and the previous that it helped you!
David Castro,
-
Connected to the ASA via the "VPN Client" software, but cannot ping devices.
I have a network that looks like this:
I successfully connected inside the ASA via a software "Client VPN" tunnel network and got an IP address of 10.45.99.100/16.
I am trying to ping the 10.45.99.100 outside 10.45.7.2, but the ping fails (request timed out).
On the SAA, including the "logging console notifications" value, I notice the following message is displayed:
"% 305013-5-ASA: rules asymmetrical NAT matched for flows forward and backward; "Connection for icmp src, dst outside: 10.45.99.100 inside: 10.45.7.2 (type 8, code 0) rejected due to the failure of reverse path of NAT.
I have a vague feeling that I'm missing a NAT rule of course, but not all. What did I miss?
Here is my configuration of ASA: http://pastebin.com/raw.php?i=ad6p1Zac
Hello
You seem to have a configured ACL NAT0 but is not actually in use with a command "nat"
You would probably need
NAT (inside) 0-list of access inside_nat0_outside
He must manage the NAT0
Personally, I would avoid using large subnets/networks. You probably won't ever have host behind ASA who would fill / 16 subnet mask.
I would also keep the pool VPN as a separate network from LANs behind ASA. The LAN 10.45.0.0/16 and 10.45.99.100 - 200 are on the same network.
-Jouni
-
Cisco ASA 5520 cannot ping between VPN Tunnels
I have the main site and sites A and B. A to connect to the hand and B connects to the main. I can ping from A hand and has for main. I can ping from main to B and B to main. However, I can not ping from A to B. A and B are sonicwall 2040 and main is a 5520. The question should not be with the 5520 none allowing traffic between the two VPN Tunnels, but I can't understand why it does not work. Can someone give an idea on that? Thanks in advance.
Hello
I see that you use ASDM. Always makes my eyes bleed when I need to look at the DM_INLINE of named objects and try to make sense the CLI format
Seems to me that there are problems with the NAT.
If you don't mind a small break between the main Site and remote locations, I'd say changing some follows the NAT configuration
Remove old
no nat source (indoor, outdoor) public static DM_INLINE_NETWORK_9 DM_INLINE_NETWORK_9 DM_INLINE_NETWORK_10 DM_INLINE_NETWORK_10 non-proxy-arp-search of route static destination
no nat source (indoor, outdoor) public static DM_INLINE_NETWORK_11 DM_INLINE_NETWORK_11 DM_INLINE_NETWORK_12 DM_INLINE_NETWORK_12 non-proxy-arp-search of route static destination
Add a new
object-group network NETWORK-2790
object-network 10.217.0.0 255.255.255.0
object-network 10.217.1.0 255.255.255.0
object-group network NETWORK-3820
object-network 10.216.0.0 255.255.255.0
object-network 10.216.1.0 255.255.255.0
object-group network NETWORK-COLO
object-net 10.8.0.0 255.255.255.0
destination of NETWORK of NETWORK-2790-2790 static NAT (outside, outside) static source NETWORK - 3820 - 3820
NAT static destination of NETWORK of NETWORK-COLO-COLO (indoor, outdoor) static source NETWORK - 2790 - 2790
NAT static destination of NETWORK of NETWORK-COLO-COLO (indoor, outdoor) static source NETWORK - 3820 - 3820
The first new line of configuring NAT manages the NAT0 configuration for traffic between SiteA and SiteB. The following configurations of NAT 2 manage the NAT0 for traffic between the main Site - hand Site SiteA - SiteB
-Jouni
-
VPN connects but cannot ping or access resources
I hope this is an easy fix and it's something that I am missing. I've been looking at this for several hours.
Scenario:
I Anyconnect Essentials so I use the SSL connection
I changed my domain name and external IP in my setup, I write.
My VPN connection seems to work very well. In fact, I was able to connect to 3 locations with 3 different external IP address.
1 location, I get IP address 192.168.30.10, as it should. I can ping 192.168.1.1, but not the 192.168.1.6 which is my temporary resource, the firewall is disabled on 192.168.1.6.
2 location, I get an IP of 192.168.30.11, as it should. I was able to ping 192.168.30.10, could not sue 192.168.1.1 as the place closed.
Any help would be appreciated, it's getting late so I hope I gave enough details. I feel so close but yet so far.
See the ciscoasa # running
: Saved
:
ASA Version 8.2 (1)
!
ciscoasa hostname
names of
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP 22.22.22.246 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passive FTP mode
clock timezone CST - 6
clock to summer time recurring CDT
DNS lookup field inside
DNS domain-lookup outside
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
ICMP-type of object-group ALLOWPING
echo ICMP-object
ICMP-object has exceeded the time
response to echo ICMP-object
Object-ICMP traceroute
Object-ICMP source-quench
ICMP-unreachable object
access-list 10 scope ip allow a whole
10 extended access-list allow icmp a whole
pager lines 24
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
mask 192.168.30.10 - 192.168.30.25 255.255.255.0 IP local pool SSLClientPoolNew
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 1 192.168.1.0 255.255.255.0
Route outside 0.0.0.0 0.0.0.0 22.22.22.245 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
network-acl 10
WebVPN
SVC request no svc default
AAA authentication LOCAL telnet console
Enable http server
http 192.168.1.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Telnet 0.0.0.0 0.0.0.0 inside
Telnet timeout 5
SSH timeout 5
Console timeout 0
management-access inside
dhcpd dns 8.8.8.8
dhcpd outside auto_config
!
dhcpd address 192.168.1.5 - 192.168.1.36 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
allow inside
allow outside
AnyConnect essentials
SVC disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 1 image
SVC disk0:/anyconnect-win-2.5.2014-k9.pkg 2 image
enable SVC
tunnel-group-list activate
internal SSLClientPolicy group strategy
attributes of Group Policy SSLClientPolicy
Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
field default value mondomaine.fr
the address value SSLClientPoolNew pools
WebVPN
SVC Dungeon-Installer installed
time to generate a new key of SVC 180
SVC generate a new method ssl key
SVC value vpngina modules
attributes of Group Policy DfltGrpPolicy
VPN-tunnel-Protocol webvpn
username test encrypted password privilege 15 xxxxxxxxxxxxxx
username ljb1 password encrypted xxxxxxxxxxxxxx
type tunnel-group SSLClientProfile remote access
attributes global-tunnel-group SSLClientProfile
Group Policy - by default-SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
enable SSLVPNClient group-alias
!
class-map inspection_default
match default-inspection-traffic
!
!
Policy-map global_policy
class inspection_default
inspect the icmp
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum:ed683c7f1b86066d1d8c4fff6b08c592
: end
Patrick,
'Re missing you the excemption NAT. Please add the following and try again:
access-list allowed sheep ip 192.168.1.0 255.255.255.0 192.168.30.0 255.255.255.0
NAT (inside) 0 access-list sheep
Let us know if you still have problems after that.
Raga
-
Site to site VPN tunnel - cannot ping the second interface of the firewall peer inside2
I have two ASA 5505 firewall each with a basic license: FWa and FWb. currently there is a VPN tunnel between them work. I added a second (inside2) interface to the firewall, FWb, but I can't ping firewall FWa, so that I can ping the inside interface of FWa.
I can ping the FWb inside interface 192.168.20.1 from the FWa inside 172.16.1.1 interface, but I can not ping to the 10.52.100.10 of the FWa FWb inside2 interface. I can not ping the gateway host FWa 10.52.100.1.
I show the essential configuration of two firewalls as well as the debug icmp output on the two firewalls that I ping the internal interfaces and of FWa FWb inside2.
=========================================================Here is a skeleton of the FWa configuration:
name 172.16.1.0 network-inside
name 192.168.20.0 HprCnc Thesys
name 10.52.100.0 ring52-network
name 10.53.100.0 ring53-network
name S.S.S.S outside-interfaceinterface Vlan1
nameif inside
security-level 100
IP 172.16.1.1 255.255.255.0
!
interface Vlan2
Description Connection to 777 VLAN to work around static Comast external Modem and IP address.
nameif outside
security-level 0
outside interface IP address 255.255.255.240the DM_INLINE_NETWORK_5 object-group network
network-object HprCnc Thesys 255.255.255.0
ring52-network 255.255.255.0 network-object
ring53-network 255.255.255.0 network-objectthe DM_INLINE_NETWORK_3 object-group network
ring52-network 255.255.255.0 network-object
network-object HprCnc Thesys 255.255.255.0
ring53-network 255.255.255.0 network-objectoutside-interface of the access-list extended permitted Outside_5_cryptomap ip host object-group DM_INLINE_NETWORK_3
inside_nat_outbound list extended access allowed inside-network ip, 255.255.255.0 DM_INLINE_NETWORK_5 object-group
permit access list extended ip host 173.162.149.72 Outside_nat0_outbound aus_asx_uat 255.255.255.0NAT (inside) 0 access-list sheep
NAT (inside) 101-list of access inside_nat_outbound
NAT (inside) 101 0.0.0.0 0.0.0.0
NAT (outside) 0-list of access Outside_nat0_outboundcard crypto VPN 5 corresponds to the address Outside_5_cryptomap
card crypto VPN 5 set pfs Group1
VPN 5 set peer D.D.D.D crypto card
VPN 5 value transform-set VPN crypto card
tunnel-group D.D.D.D type ipsec-l2l
IPSec-attributes tunnel-Group D.D.D.D
pre-shared key *.=========================================================
FWb:
name 10.52.100.0 ring52-network
name 10.53.100.0 ring53-network
name 10.51.100.0 ring51-network
name 10.54.100.0 ring54-networkinterface Vlan1
nameif inside
security-level 100
address 192.168.20.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
address IP D.D.D.D 255.255.255.240
!
interface Vlan52
prior to interface Vlan1
nameif inside2
security-level 100
IP 10.52.100.10 255.255.255.0the DM_INLINE_NETWORK_3 object-group network
ring52-network 255.255.255.0 network-object
ring53-network 255.255.255.0 network-objectthe DM_INLINE_NETWORK_2 object-group network
ring52-network 255.255.255.0 network-object
object-network 192.168.20.0 255.255.255.0
ring53-network 255.255.255.0 network-objectinside_nat0_outbound to access extended list ip 192.168.20.0 allow 255.255.255.0 host S.S.S.S
inside2_nat0_outbound list extended access allowed object-group DM_INLINE_NETWORK_3 S.S.S.S ip hostoutside_1_cryptomap list extended access allowed object-group DM_INLINE_NETWORK_2 S.S.S.S ip host
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 1 0.0.0.0 0.0.0.0
inside2_nat0_outbound (inside2) NAT 0 access list
NAT (inside2) 1 0.0.0.0 0.0.0.0Route inside2 network ring51 255.255.255.0 10.52.100.1 1
Route inside2 network ring53 255.255.255.0 10.52.100.1 1
Route inside2 network ring54 255.255.255.0 10.52.100.1 1card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 set pfs Group1
outside_map game 1 card crypto peer S.S.S.S
card crypto outside_map 1 set of transformation-ESP-3DES-SHA
outside_map interface card crypto outsidetunnel-group S.S.S.S type ipsec-l2l
IPSec-attributes tunnel-group S.S.S.S
pre-shared key *.=========================================================================
I'm Tournai on icmp trace debugging on both firewalls and could see the traffic arriving at the inside2 interface, but never return to FWa.Ping Successul FWa inside the interface on FWb
FWa # ping 192.168.20.1
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 192.168.20.1, time-out is 2 seconds:
Echo request ICMP from outside-interface to 192.168.20.1 ID = 32068 seq = 23510 len = 72
! ICMP echo reply to 192.168.20.1 in outside-interface ID = 32068 seq = 23510 len = 72
....FWb #.
Echo ICMP of S.S.S.S to 192.168.20.1 ID request = 32068 seq = 23510 len = 72
ICMP echo reply 192.168.20.1 S.S.S.S ID = 32068 seq = 23510 len = 72
==============================================================================
Successful ping of Fwa on a host connected to the inside interface on FWbFWa # ping 192.168.20.15
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 192.168.20.15, wait time is 2 seconds:
Echo request ICMP from outside-interface to 192.168.20.15 ID = seq 50862 = 18608 len = 72
! ICMP echo reply to 192.168.20.15 in outside-interface ID = seq 50862 = 18608 len = 72
...FWb #.
Inside outside:S.S.S.S ICMP echo request: 192.168.20.15 ID = seq 50862 = 18608 len = 72
ICMP echo reply to Interior: 192.168.20.15 outside:S.S.S.S ID = seq 50862 = 18608 len = 72===========================
Unsuccessful ping of FWa to inside2 on FWb interfaceFWa # ping 10.52.100.10
Send 5, echoes ICMP 100 bytes to 10.52.100.10, wait time is 2 seconds:
Echo request ICMP from outside-interface to 10.52.100.10 ID = 19752 seq = 63173 len = 72
? Echo request ICMP from outside-interface to 10.52.100.10 ID = 19752 seq = 63173 len = 72
...FWb #.
10.52.100.10 ID of S.S.S.S ICMP echo request = 19752 seq = 63173 len = 72
10.52.100.10 ID of S.S.S.S ICMP echo request = 19752 seq = 63173 len = 72
....==================================================================================
Unsuccessful ping of Fwa to a host of related UI inside2 on FWb
FWa # ping 10.52.100.1
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 10.52.100.1, wait time is 2 seconds:
Echo request ICMP from outside-interface to 10.52.100.1 ID = 11842 seq = 15799 len = 72FWb #.
Echo request ICMP outside:S.S.S.S to inside2:10.52.100.1 ID = 11842 seq = 15799 len = 72
Echo request ICMP outside:S.S.S.S to inside2:10.52.100.1 ID = 11842 seq = 15799 len = 72=======================
Thank you
Hi odelaporte2,
Is very probably the "access management" command is not applied in the second inside, only inside primary (see the race management) which will confirm.
This command can be applied to an interface at a time, for example, if the law is now applied to the inside, it can not be applied to the inside2 at the same time.
It may be useful
-Randy-
-
VPN tunnel upward, but no traffic?
I decided to take a Cisco 1800 series router and try to put in place. Up to now I can get out, and everything seems fine. I then tried to configure a VPN tunnel between this router and a sonicwall router secure.
Now the problem is the GUI of SonicWall and Cisco say that this tunnel is mounted. But I can't access internal networks...
So my cisco LAN is 192.168.11.0 255.255.255.0
and the Sonic Wall is 192.168.1.0 255.255.255.0
They can talk even if the tunnel is up. I was hitting my head, and running through the tutorials and just can not understand.
Here's proof that we have achieved at least the first phase:
inbound esp sas:
spi: 0xD1BC1B8E(3518765966)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3003, flow_id: FPGA:3, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4541007/2298)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVEoutbound esp sas:
spi: 0xAE589C1E(2925042718)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3004, flow_id: FPGA:4, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4541027/2297)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
So here's my config: (what Miss me?)
Current configuration : 3972 bytes
!
version 12.4 no service pad
service tcp-keepalives-in service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CompsysRouter
!
boot-start-marker
boot-end-marker
!
enable secret *****************
enable password ***********
!
aaa new-model
!
!
!
aaa session-id common
ip cef
!
!
!
!
no ip domain lookup
ip domain name ********.local
ip inspect name myfw http timeout 3600 ip inspect name myfw tcp timeout 3600 ip inspect name myfw udp timeout 3600 ip inspect name myfw dns timeout 3600 ip auth-proxy max-nodata-conns 3 ip admission max-nodata-conns 3 !
!
crypto pki trustpoint TP-self-signed-1821875492 enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1821875492 revocation-check none
rsakeypair TP-self-signed-1821875492 !
!
crypto pki certificate chain TP-self-signed-1821875492 certificate self-signed 01 30820245 308201AE A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31383231 38373534 3932301E 170D3130 31323130 32333433
35325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 38323138
37353439 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100CC57 E44AB177 3594C4C7 E88B1A4F CE4FD392 87CDB75C 2A6A6B1A 87D10791
0134F1FC 54A84BB6 08A40213 35B9DD0A FD813D2F 1C778D01 3F8EBEB0 C4793850
F52F7906 FDBC56A5 A4829AC5 4180DDA7 F54E3AAD DD1D4537 F1F19F11 9AE8A8A0
91C98934 233CF608 1447DA83 41B09E55 4A0FF674 8D060945 07D3F3F9 8EA7B412
5FD30203 010001A3 6D306B30 0F060355 1D130101 FF040530 030101FF 30180603
551D1104 11300F82 0D436F6D 70737973 526F7574 6572301F 0603551D 23041830
168014DC A9938F71 7CCF0E6D 8BC5DFA5 033DD7E4 0F605130 1D060355 1D0E0416
0414DCA9 938F717C CF0E6D8B C5DFA503 3DD7E40F 6051300D 06092A86 4886F70D
01010405 00038181 00148C2F AA7CA155 463B56F2 324FE1ED 3682E618 75E3048F
93E1EA61 3305767A FA93567B AA93B107 83A2F3D6 8F773779 E6BF0204 DC71879A
5F7FC07F 627D8444 48781289 7F8DC06A BC9057B1 4C72AE1F B64284BE 94C6059C
7B6B8A5D 83375B86 3054C760 961E8763 91767604 5E0E0CE3 3736133A E51ACF26
14F3C7C5 60E08BE3 88 quit
username jdixon secret 5 $*****************
!
!
ip ssh time-out 60 ip ssh authentication-retries 2 !
!
crypto isakmp policy 1 encr aes 256 authentication pre-share
group 2 lifetime 28800 crypto isakmp key address !
!
crypto ipsec transform-set compsys esp-aes 256 esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
set peer set transform-set compsys
match address 101 !
!
!
interface FastEthernet0/0
ip address "LOCAL ROUTER OUTSIDE" 255.255.255.248 ip access-group Inbound in ip nat outside
ip inspect myfw out
ip virtual-reassembly
duplex auto
speed auto
no keepalive
crypto map vpn
!
interface FastEthernet0/1
ip address 192.168.11.1 255.255.255.0 ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 !
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.11.55 3389 interface FastEthernet0/0 9999 !
ip access-list extended Inbound
permit icmp any any
permit gre host "REMOTE ROUTER" host "LOCAL ROUTER" permit esp host "REMOTE ROUTER" host "LOCAL ROUTER" permit udp host "REMOTE ROUTER" host "LOCAL ROUTER" eq isakmp
permit ahp host "REMOTE ROUTER" host "LOCAL ROUTER" permit udp host "REMOTE ROUTER" host "LOCAL ROUTER" eq non500-isakmp
permit ip host "REMOTE ROUTER" any
permit tcp any host "LOCAL ROUTER" eq 22 !
access-list 1 permit 192.168.11.0 0.0.0.255 access-list 101 permit ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255 !
!
!
!
control-plane
!
!
!
line con 0 line aux 0 line vty 0 4 !
scheduler allocate 20000 1000 endNAT exemption is where it is a failure.
Please kindly change to as follows:
access-list 150 deny ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 permit ip 192.168.11.0 0.0.0.255 any
IP nat inside source list 150 interface fastethernet0/0 overload
no nat ip within the source list 1 interface fastethernet0/0 overload
Hope that helps.
-
IPSEC VPN tunnel on issue of Zonebased Firewall
Help, please!
I'm trying to configure a router lab ISR1921 to build the VPN tunnel with vmware vshield edge. The configuration of the 1921 is pasted below. There is not a lot of adjustment on the side of vshield really and I'm sure both sides are adapting to phase 1 & 2.
The question I have: the tunnel can be built correctly and I also see from show crypto ipsec release encap and decap counters. However the devices on each side can communicate. That said, I can ping from 1921 to the IP of the internal interface of the vshield with IP source specified. But just no communication part and other...
I did debugs and only "error" messages are:
01:58:03.193 20 February: ISAKMP: (1001): error suppression node 1656104565 FALSE reason 'informational (in) State d1.
...
01:58:03.193 20 February: ISAKMP: (1001): purge the node-1657220080
I hope that I did a stupid thing to configure error, but I spent too much time on it. It is supposed to be a really simple installation... Please help!
!
version 15.4
horodateurs service debug datetime msec
Log service timestamps datetime msec
no password encryption service
!
Lab-1900 host name
!
boot-start-marker
boot system flash: c1900-universalk9-mz. Spa. 154 - 1.T1.bin
boot system flash: c1900-universalk9-mz. Spa. 151 - 4.M7.bin
boot system flash: c1900-universalk9-mz. Spa. 150 - 1.M4.bin
boot-end-marker
!
AAA new-model
!
AAA authentication login default local
authorization AAA console
AAA authorization exec default local
!
AAA - the id of the joint session
clock timezone AST - 4 0
clock to summer time recurring ADT 3 Sun Mar 2 Sun Nov 02:00 02:00
!
DHCP excluded-address IP 192.168.100.1 192.168.100.40
!
dhcp DHCPPOOL IP pool
import all
network 192.168.100.0 255.255.255.0
LAB domain name
DNS 8.8.8.8 Server 4.2.2.2
default router 192.168.100.1
4 rental
!
Laboratory of IP domain name
8.8.8.8 IP name-server
IP-server names 4.2.2.2
inspect the IP log drop-pkt
IP cef
No ipv6 cef
!
type of parameter-card inspect global
Select a dropped packet newspapers
Max-incomplete 18000 low
20000 high Max-incomplete
Authenticated MultiLink bundle-name Panel
!
redundancy
!
property intellectual ssh version 2
!
type of class-card inspect entire game ESP_CMAP
match the name of group-access ESP_ACL
type of class-card inspect the correspondence SDM_GRE_CMAP
match the name of group-access GRE_ACL
type of class-card inspect entire game PAC-cls-icmp-access
match icmp Protocol
tcp protocol match
udp Protocol game
type of class-card inspect correspondence sdm-cls-VPNOutsideToInside-13
game group-access 154
class-card type check ALLOW-VPN-TRAFFIC-OUT match-all
match the ALLOW-VPN-TRAFFIC-OUT access group name
type of class-card inspect entire game PAC-cls-insp-traffic
match Protocol pptp
dns protocol game
ftp protocol game
https protocol game
match icmp Protocol
match the imap Protocol
pop3 Protocol game
netshow Protocol game
Protocol shell game
match Protocol realmedia
match rtsp Protocol
smtp Protocol game
sql-net Protocol game
streamworks Protocol game
tftp Protocol game
vdolive Protocol game
tcp protocol match
udp Protocol game
http protocol game
type of class-card inspect entire game AH_CMAP
match the name of group-access AH_ACL
inspect the class-map match ALLOW VPN TRAFFIC type
match the ALLOW-VPN-TRAFFIC-OUT access group name
type of class-card inspect correspondence ccp-invalid-src
game group-access 126
type of class-card inspect entire game PAC-insp-traffic
corresponds to the class-map PAC-cls-insp-traffic
type of class-card inspect entire game SDM_VPN_TRAFFIC
match Protocol isakmp
match Protocol ipsec-msft
corresponds to the AH_CMAP class-map
corresponds to the ESP_CMAP class-map
type of class-card inspect correspondence ccp-icmp-access
corresponds to the class-ccp-cls-icmp-access card
type of class-card inspect the correspondence SDM_VPN_PT
game group-access 137
corresponds to the SDM_VPN_TRAFFIC class-map
!
type of policy-card inspect self-out-pmap
class type inspect PCB-icmp-access
inspect
class class by default
Pass
policy-card type check out-self-pmap
class type inspect SDM_VPN_PT
Pass
class class by default
Drop newspaper
policy-card type check out-pmap
class type inspect PCB-invalid-src
Drop newspaper
class type inspect ALLOW VPN TRAFFIC OUT
inspect
class type inspect PCB-insp-traffic
inspect
class class by default
Drop newspaper
policy-card type check out in pmap
class type inspect sdm-cls-VPNOutsideToInside-13
inspect
class class by default
Drop newspaper
!
security of the area outside the area
safety zone-to-zone
safety zone-pair zp-self-out source destination outside zone auto
type of service-strategy inspect self-out-pmap
safety zone-pair zp-out-to source out-area destination in the area
type of service-strategy check out in pmap
safety zone-pair zp-in-out source in the area of destination outside the area
type of service-strategy inspect outside-pmap
source of zp-out-auto security area outside zone destination auto pair
type of service-strategy check out-self-pmap
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
ISAKMP crypto key iL9rY483fF address 172.24.92.103
!
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
tunnel mode
!
IPSEC_MAP 1 ipsec-isakmp crypto map
Tunnel Sandbox2 description
defined by peer 172.24.92.103
Set security-association second life 28800
game of transformation-ESP-3DES-SHA
PFS group2 Set
match address 150
!
the Embedded-Service-Engine0/0 interface
no ip address
Shutdown
!
interface GigabitEthernet0/0
WAN description
IP 172.24.92.18 255.255.255.0
NAT outside IP
No virtual-reassembly in ip
outside the area of security of Member's area
automatic duplex
automatic speed
No mop enabled
card crypto IPSEC_MAP
Crypto ipsec df - bit clear
!
interface GigabitEthernet0/1
LAN description
IP 192.168.100.1 address 255.255.255.0
IP nat inside
IP virtual-reassembly in
Security members in the box area
automatic duplex
automatic speed
!
IP forward-Protocol ND
!
IP http server
access-class 2 IP http
local IP http authentication
IP http secure server
!
IP nat inside source map route RMAP_4_PAT interface GigabitEthernet0/0 overload
IP route 0.0.0.0 0.0.0.0 172.24.92.254
!
AH_ACL extended IP access list
allow a whole ahp
ALLOW-VPN-TRAFFIC-OUT extended IP access list
IP 192.168.100.0 allow 0.0.0.255 192.168.1.0 0.0.0.255
ESP_ACL extended IP access list
allow an esp
TELNET_ACL extended IP access list
permit tcp any any eq telnet
!
allowed RMAP_4_PAT 1 route map
corresponds to the IP 108
!
1snmp2use RO SNMP-server community
access-list 108 deny ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 108 allow ip 192.168.100.0 0.0.0.255 any
access-list 126 allow the ip 255.255.255.255 host everything
access-list 126 allow ip 127.0.0.0 0.255.255.255 everything
access-list 137 allow ip 172.24.92.0 0.0.0.255 any
access-list 150 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 154 allow ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
!
control plan
!
Line con 0
exec-timeout 0 0
Synchronous recording
line to 0
line 2
no activation-character
No exec
preferred no transport
transport output pad rlogin lapb - your MOP v120 udptn ssh telnet
StopBits 1
line vty 0 4
access-class TELNET_ACL in
exec-timeout 0 0
Synchronous recording
transport of entry all
line vty 5 15
access-class TELNET_ACL in
exec-timeout 0 0
Synchronous recording
transport of entry all
!
Scheduler allocate 20000 1000
0.ca.pool.ntp.org server NTP prefer
1.ca.pool.ntp.org NTP server
!
end
NAT looks fine.
Please create an ACL with bidirecctional ACEs and add it as a group of access to the interface of penetration:
IP access-list extended 180
IP 192.168.100.0 allow 0.0.0.255 192.168.1.0 0.0.0.255 connect
ip permit 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255 connect
allow an ip
interface GigabitEthernet0/1
IP access-group 180 to
IP access-group out 180
Generer generate traffic, then run the command display 180 access lists .
Also, if possible activate debug ip icmp at the same time.
Share the results.
Thank you
-
ASA 8.6 - l2l IPsec tunnel established - not possible to ping
Hello world
I have a problem of configuration of the CISCO ASA 5512-x (IOS 8.6).
The IPsec tunnel is created between ASA and an another non-CISCO router (hereinafter "router"). I can send packets ping from router to ASA, but ASA is NOT able to meet these demands. Sending requests of ASA is also NOT possible.
I'm trying to interconnect with the network 192.168.2.0/24 (CISCO, interface DMZ) premises and 192.168.3.0/24 (router).
The CISCO ASA has a static public IP address. The router has a dynamic IP address, so I use the dynamic-map option...
Here is the output of "show run":
---------------------------------------------------------------------------------------------------------------------------------------------
ASA 1.0000 Version 2
!
ciscoasa hostname
activate oBGOJTSctBcCGoTh encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface GigabitEthernet0/0
nameif outside
security-level 0
address IP X.X.X.X 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
the IP 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif DMZ
security-level 50
IP 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/5
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
nameif management
security-level 100
IP 192.168.1.1 255.255.255.0
management only
!
passive FTP mode
internal subnet object-
192.168.0.0 subnet 255.255.255.0
object Web Server external network-ip
host Y.Y.Y.Y
Network Web server object
Home 192.168.2.100
network vpn-local object - 192.168.2.0
Subnet 192.168.2.0 255.255.255.0
network vpn-remote object - 192.168.3.0
subnet 192.168.3.0 255.255.255.0
outside_acl list extended access permit tcp any object Web server
outside_acl list extended access permit tcp any object webserver eq www
access-list l2l-extensive list allowed ip, vpn-local - 192.168.2.0 vpn-remote object - 192.168.3.0
dmz_acl access list extended icmp permitted an echo
pager lines 24
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
MTU 1500 DMZ
management of MTU 1500
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
NAT (DMZ, outside) static static vpn-local destination - 192.168.2.0 vpn-local - 192.168.2.0, 192.168.3.0 - remote control-vpn vpn-remote control - 192.168.3.0
!
internal subnet object-
NAT dynamic interface (indoor, outdoor)
Network Web server object
NAT (DMZ, outside) Web-external-ip static tcp www www Server service
Access-Group global dmz_acl
Route outside 0.0.0.0 0.0.0.0 Z.Z.Z.Z 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
Enable http server
http 192.168.1.0 255.255.255.0 management
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
IKEv1 crypto ipsec transform-set ikev1-trans-set esp-3des esp-md5-hmac
Crypto ipsec ikev2 proposal ipsec 3des-GNAT
Esp 3des encryption protocol
Esp integrity md5 Protocol
Crypto dynamic-map dynMidgeMap 1 match l2l-address list
Crypto dynamic-map dynMidgeMap 1 set pfs
Crypto dynamic-map dynMidgeMap 1 set ikev1 ikev1-trans-set transform-set
Crypto dynamic-map dynMidgeMap 1 set ikev2 ipsec-proposal 3des-GNAT
Crypto dynamic-map dynMidgeMap 1 life span of seconds set association security 28800
Crypto dynamic-map dynMidgeMap 1 the value reverse-road
midgeMap 1 card crypto ipsec-isakmp dynamic dynMidgeMap
midgeMap interface card crypto outside
ISAKMP crypto identity hostname
IKEv2 crypto policy 1
3des encryption
the md5 integrity
Group 2
FRP md5
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 1
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
management of 192.168.1.2 - dhcpd address 192.168.1.254
enable dhcpd management
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
internal midgeTrialPol group policy
attributes of the strategy of group midgeTrialPol
L2TP ipsec VPN-tunnel-Protocol ikev1, ikev2
enable IPSec-udp
tunnel-group midgeVpn type ipsec-l2l
tunnel-group midgeVpn General-attributes
Group Policy - by default-midgeTrialPol
midgeVpn group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:fa02572f9ff8add7bbfe622a4801e606
: end
------------------------------------------------------------------------------------------------------------------------------
X.X.X.X - ASA public IP
Y.Y.Y.Y - a web server
Z.Z.Z.Z - default gateway
-------------------------------------------------------------------------------------------------------------------------------
ASA PING:
ciscoasa # ping DMZ 192.168.3.1
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 192.168.3.1, time-out is 2 seconds:
?????
Success rate is 0% (0/5)
PING from router (debug on CISCO):
NAT ciscoasa #: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = 0 len = 40
Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = 1 len = 40
Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = 2 len = 40
Outside ICMP echo request: 192.168.3.1 DMZ:192.168.2.1 ID = 3859 seq = len 3 = 40
-------------------------------------------------------------------------------------------------------------------------------
ciscoasa # show the road outside
Code: C - connected, S - static, RIP, M - mobile - IGRP, R - I, B - BGP
D - EIGRP, OSPF, IA - external EIGRP, O - EX - OSPF inter zone
N1 - type external OSPF NSSA 1, N2 - type external OSPF NSSA 2
E1 - OSPF external type 1, E2 - external OSPF of type 2, E - EGP
i - IS - L1 - IS - IS level 1, L2 - IS - IS IS level 2, AI - IS inter zone
* - candidate by default, U - static route by user, o - ODR
P periodical downloaded static route
Gateway of last resort is Z.Z.Z.Z to network 0.0.0.0
C Z.Z.Z.0 255.255.255.0 is directly connected to the outside of the
S 192.168.3.0 255.255.255.0 [1/0] via Z.Z.Z.Z, outdoors
S * 0.0.0.0 0.0.0.0 [1/0] via Z.Z.Z.Z, outdoors
-------------------------------------------------------------------------------------------------------------------------------
Do you have an idea that I am wrong? Probably some bad NAT/ACL I suppose, but I could always find something only for 8.4 iOS and not 8.6... Perhaps and no doubt I already missed the configuration with the unwanted controls, but I've tried various things...
Please, if you have an idea, let me know! Thank you very much!
Hello
I've never used "global" option in ACL, but it looks to be the origin of the problem. Cisco doc.
"The global access rules are defined as a special ACL that is processed for each interface on the device for incoming traffic in the interface. Thus, although the ACL is configured once on the device, it acts as an ACL defined for Management In secondary interface-specific. (Global rules are always in the direction of In, never Out Management). "
You ACL: access-list extended dmz_acl to any any icmp echo
For example, when you launch the ASA, there is an echo response from the router on the external interface--> global can block.
Then to initiate router, the ASA Launches echo-reply being blocked again.
Try to add permit-response to echo as well.
In addition, you can use both "inspect icmp" in world politics than the ACL.
If none does not work, you can run another t-shoot with control packet - trace on SAA.
THX
MS
Maybe you are looking for
-
I use adobe flash player to watch videos. My flash player is up-to-date. However I have problems because my version of the flash shockwave in mozilla plugin is not updated. Some videos will display an error message saying "shockwave is obsolete. When
-
USB mouse loses power, freezes randomly, ceases to work, a solution
Running the SP3 XP, 32-bit home edition, P4 2.8 Dell 4600i. To run run a Dell USB keyboard and mouse USB ativa. These are the only two USB devices connected to my computer. All updates are underway. For a few months now, I got my mouse USB working
-
Remove Virus/worm Tux?
A free scan of Prevx shows a threat called Tux and source and WORK. Why Microsoft defender does not keep this kind of attack?
-
Backup and restore cannot start
Hi all, there I was wondering if someone could help or at least shed some light on this problem. I try to run "Backup and recovery of Dell" and it does not start with the message "Dell backup and restore has encountered a problem and needs to close.
-
* Original title: start Windows 7 I recently accidentally dropped my laptop and now whenever I try to turn it on, it gets frozen on the screen with the logo of "starting windows." When it disappears, the screen just goes black and nothing else happen