VPN tunnel is up but no traffic passing (PIX 515)
I'm setting up remote access for off-site engineers to my network (using the Cisco VPN client). I use a PIX 515E, software version 7.0(3)20, as the VPN server. I can establish a tunnel, but I can't access network resources. I can ping the outside interface of the PIX. This is my setup: internet - router - PIX - DMZ (server farm). Please find my setup attached. Thanks in advance.
After a glance at your policy, it seems that the pool of IPs assigned to the clients behind the outside interface lies within the DMZ. I don't think it will work.
In addition, the defined split-tunnel policy seems to be backward. I'm sure you intend to send traffic FROM the IP pool to 196.26.12.64/26; your split ACL is the opposite.
In addition, your routing table does not contain a route for the 196 network, so the firewall will use the default route to the outside. If this is intentional, the clients and the destination are both on the outside, which counts as hairpinning. This is allowed on the ASA only with the same-security setting configured.
Tags: Cisco Security
Similar Questions
-
877W client VPN is up, but no traffic
Hi Cisco gurus,
Please help me solve a VPN client traffic problem. I am able to connect to the Cisco, but I fail to reach the network; only the router itself is reachable.
I also want to block all P2P traffic except for one IP, 192.168.10.7.
Thank you
Here is the output of "show crypto ipsec sa":
interface: Virtual-Access4
    Crypto map tag: Virtual-Access4-head-0, local addr a.a.a.a

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.10.251/255.255.255.255/0/0)
   current_peer b.b.b.b port 56604
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 26, #pkts decrypt: 26, #pkts verify: 26
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: a.a.a.a, remote crypto endpt.: b.b.b.b
     path mtu 1500, ip mtu 1500, ip mtu idb Virtual-Access4
     current outbound spi: 0x66870874(1720125556)

     inbound esp sas:
      spi: 0xBDA0E6DE(3181438686)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 369, flow_id: Motorola SEC 1.0:369, crypto map: Virtual-Access4-head-0
        sa timing: remaining key lifetime (k/sec): (4543855/3494)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x66870874(1720125556)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 370, flow_id: Motorola SEC 1.0:370, crypto map: Virtual-Access4-head-0
        sa timing: remaining key lifetime (k/sec): (4543859/3494)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

And the config of the router:
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
no service dhcp
!
hostname router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
logging buffered 52000
logging console critical
enable secret 5
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network default if-authenticated
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network local_auth if-authenticated
aaa authorization network ciscocp_vpn_group_ml_2 local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-1933852417
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1933852417
 revocation-check none
 rsakeypair TP-self-signed-1933852417
!
!
crypto pki certificate chain TP-self-signed-1933852417
 certificate self-signed 01
  quit
dot11 syslog
!
dot11 ssid WIFI
 authentication open
 authentication key-management wpa
 guest-mode
 wpa-psk ascii 7 secret
!
no ip source-route
ip cef
!
!
!
!
no ip bootp server
no ip domain lookup
ip domain name domain
ip dhcp-server 192.168.10.10
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 l2tp tunnel receive-window 256
!
password encryption aes
!
!
username admin privilege 15 secret 5 secret
username n1ck privilege 15 password 7 password
!
!
crypto isakmp policy 1
 authentication pre-share
!
crypto isakmp policy 2
 authentication pre-share
!
crypto isakmp policy 3
 authentication pre-share
!
crypto isakmp policy 4
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key 6 key address c.c.c.c
crypto isakmp invalid-spi-recovery
crypto isakmp nat keepalive 10
!
crypto isakmp client configuration group EasyVPN
 key 6 key
 dns 192.168.10.10
 domain domain
 pool SDM_POOL_1
 acl 100
 save-password
 include-local-lan
 max-users 2
 netmask 255.255.255.0
!
crypto isakmp client configuration group ASA
 key 6 key
 pool SDM_POOL_1
 firewall are-u-there
 include-local-lan
 pfs
 max-users 2
 max-logins 1
 netmask 255.255.255.0
!
crypto isakmp client configuration group VPN
 key 6 key
 pool DIAL-IN
 acl 103
 include-local-lan
 max-users 2
 netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group EasyVPN
   match identity group ASA
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
crypto isakmp profile CiscoCP_Profile2-ike-profile-1
   match identity group VPN
   client authentication list ciscocp_vpn_xauth_ml_2
   isakmp authorization list ciscocp_vpn_group_ml_2
   client configuration address respond
   virtual-template 5
!
!
crypto ipsec transform-set ASA-IPSEC esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
 set security-association idle-time 900
 set transform-set ESP-3DES-SHA
 set isakmp-profile ciscocp-ike-profile-1
!
crypto ipsec profile CiscoCP_Profile2
 set security-association idle-time 1200
 set transform-set ESP-3DES-SHA1
 set isakmp-profile CiscoCP_Profile2-ike-profile-1
!
!
crypto map SDM_CMAP_1 2 ipsec-isakmp
 set peer c.c.c.c
 set transform-set ASA-IPSEC
 match address 160
!
crypto ctcp
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
!
class-map match-all P2P
 description speed limit P2P
 match protocol edonkey
 match protocol bittorrent
 match protocol fasttrack
 match protocol gnutella
 match protocol kazaa2
class-map match-any BLOCK
 match protocol kazaa2
 match protocol bittorrent
 match protocol edonkey
 match protocol gnutella
 match protocol fasttrack
!
!
policy-map BLOCK_INTERNET
 class BLOCK
  bandwidth 8
!
!
bridge irb
!
!
interface Loopback0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ES_WAN$
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 pvc 0/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
 switchport mode trunk
!
interface FastEthernet3
!
interface Virtual-Template1
 description $FW_INSIDE$
 ip unnumbered BVI1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 peer default ip address dhcp
 ppp encrypt mppe auto required
 ppp authentication ms-chap-v2 ms-chap pap
!
interface Virtual-Template2
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
!
interface Virtual-Template3 type tunnel
 description $FW_INSIDE$
 ip unnumbered Dialer0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Virtual-Template5 type tunnel
 description $FW_INSIDE$
 ip unnumbered BVI1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile2
!
interface Dot11Radio0
 no ip address
 ip flow ingress
 ip route-cache flow
 !
 encryption mode ciphers tkip
 !
 ssid WIFI
 !
 speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
 station-role root
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 bridge-group 1 unicast-flooding
!
interface Vlan1
 no ip address
 ip nat inside
 ip virtual-reassembly
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Vlan2
 description $FW_INSIDE$
 ip address 192.168.11.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
!
interface Dialer0
 description $OUTSIDE$ $FW_OUTSIDE$
 ip address negotiated
 ip access-group sdm_dialer0_in in
 ip access-group 101 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 ppp pap sent-username username password 7 password
 ppp ipcp dns request
 ppp ipcp route default
 crypto map SDM_CMAP_1
 service-policy output BLOCK_INTERNET
!
interface Dialer1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
!
interface BVI1
 description $FW_INSIDE$
 ip address 192.168.10.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
ip local pool DIAL-IN 192.168.10.251 192.168.10.253
ip local pool SDM_POOL_1 192.168.10.50 192.168.10.51
no ip classless
ip forward-protocol nd
!
ip flow-cache timeout active 1
ip flow-export source Dot11Radio0
ip flow-export version 9
ip flow-export destination 192.168.10.200 9996
!
ip http server
ip http authentication local
ip http secure-server
ip dns server
ip nat inside source static tcp 192.168.10.19 443 interface Dialer0 443
ip nat inside source static tcp 192.168.10.8 5900 interface Dialer0 5900
ip nat inside source static udp a.a.a.a 500 interface Dialer0 500
ip nat inside source static tcp 192.168.10.130 9090 interface Dialer0 9090
ip nat inside source list NAT_INTERNET interface Dialer0 overload
ip nat inside source static udp a.a.a.a 4500 interface Dialer0 4500
ip nat inside source static tcp 192.168.10.9 1723 interface Dialer0 1723
ip nat inside source static udp 192.168.10.150 514 interface Dialer0 514
ip nat inside source static tcp 192.168.10.150 1468 interface Dialer0 1468
!
ip access-list extended NAT_INTERNET
 deny   ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
 deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
ip access-list extended NAT_INTERNET_1
 deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
ip access-list extended sdm_dialer0_in
 remark CCP_ACL Category=1
 permit ahp host c.c.c.c any
 remark permit all
 permit ip any any
 permit esp host c.c.c.c any
 permit udp host c.c.c.c any eq isakmp
 permit udp host c.c.c.c any eq non500-isakmp
 permit ahp host c.c.c.c any
 permit esp host c.c.c.c any
 permit ip 192.168.17.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny   ip host 209.239.31.195 any log
 deny   ip host 98.108.59.171 any log
!
logging trap debugging
logging 192.168.10.150
access-list 1 remark #NAT INTERNET USERS
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 101 remark RULES for FW to the INTERNET
access-list 101 deny   ip any host 121.22.6.121 log
access-list 101 deny   ip any host 74.120.10.51 log
access-list 101 deny   ip any host 112.230.192.99 log
access-list 101 deny   ip any host 61.55.167.19 log
access-list 101 permit ip any any
access-list 101 deny   ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.17.0 0.0.0.255 any
access-list 101 remark Cisco_VPN_10000
access-list 101 permit tcp 119.224.0.0 0.0.255.255 any eq 10000 log
access-list 101 remark Cisco_VPN_500
access-list 101 permit udp any any eq non500-isakmp log
access-list 101 remark Cisco_VPN_4500
access-list 101 permit udp any any eq isakmp log
access-list 101 permit tcp any host a.a.a.a eq 81
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 169.254.0.0 0.0.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any
access-list 101 deny   ip 198.18.0.0 0.1.255.255 any
access-list 101 deny   ip 224.0.0.0 0.15.255.255 any
access-list 101 remark OWA
access-list 101 permit tcp any any eq 443 log
access-list 101 remark VNC port
access-list 101 permit tcp 119.224.0.0 0.0.255.255 any eq 5900 log
access-list 101 remark CRM service 8081
access-list 101 permit tcp any any eq 8081 log
access-list 101 remark Syslog to ASA1
access-list 101 permit udp host c.c.c.c eq syslog any eq syslog
access-list 101 remark Syslog for ASA2
access-list 101 permit udp any any eq syslog
access-list 102 deny   tcp any any eq 445 log
access-list 103 remark CCP_ACL Category=4
access-list 103 permit ip 192.168.10.0 0.0.0.255 any
access-list 115 remark CCP_ACL Category=16
access-list 115 permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 130 deny   ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 130 permit ip 129.168.10.0 0.0.0.255 any
access-list 130 permit ip 192.168.10.0 0.0.0.255 any
access-list 140 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 deny   ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 150 permit ip 192.168.10.0 0.0.0.255 any
access-list 160 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 160 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
snmp-server ifindex persist
no cdp run
!
!
!
route-map sheep permit 10
 match ip address 150
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 password 7 password
 login authentication local
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

1. Use a VPN client IP pool in a subnet that does not overlap with any of your internal networks.
Currently both IP pools overlap with the subnet of interface BVI1.
2. Ensure that VPN traffic is exempted from NAT.
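The three diagnoses made in this reply and in the first thread (pool overlapping a connected subnet, split-tunnel ACL written from the wrong side, inside-to-pool traffic not exempted from NAT) can be checked mechanically. The following is an added example, not code from the thread or from Cisco; the interface, pool and ACL values are taken from the 877W router config posted above, and the 192.168.20.0/24 replacement pool is a constructed value.

```python
"""Sanity checks for a remote-access VPN head-end (added example, not from the thread).

Encodes the diagnoses given in the replies: the client pool must not overlap a
connected subnet, the split-tunnel ACL must be written from the local network side,
and inside -> pool traffic must be exempted from NAT. Sample values are constructed
from the 877W router config posted in the thread.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, summarize_address_range
from typing import Dict, List

ANY = IPv4Network("0.0.0.0/0")


def wildcard_to_network(addr: str, wildcard: str) -> IPv4Network:
    """IOS ACL 'addr wildcard' -> network (assumes a contiguous wildcard mask)."""
    prefix = 32 - bin(int(IPv4Address(wildcard))).count("1")
    return IPv4Network(f"{addr}/{prefix}", strict=False)


def pool_from_range(first: str, last: str) -> List[IPv4Network]:
    """'ip local pool NAME first last' -> CIDR blocks covering the range."""
    return list(summarize_address_range(IPv4Address(first), IPv4Address(last)))


@dataclass
class AclEntry:
    action: str            # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network = ANY


@dataclass
class HeadEnd:
    connected: Dict[str, IPv4Network]   # interface -> directly connected subnet
    nat_inside: List[str]               # interfaces carrying "ip nat inside"
    pool: List[IPv4Network]             # client address pool
    split_acl: List[AclEntry]           # ACL named by "acl N" in the client group
    nat_acl: List[AclEntry]             # ACL driving "ip nat inside source list"


def check_pool_overlap(cfg: HeadEnd) -> List[str]:
    """Reply 1: a pool carved out of a connected subnet makes the connected route win."""
    return [f"pool {p} overlaps {name} subnet {net}"
            for p in cfg.pool for name, net in cfg.connected.items() if p.overlaps(net)]


def check_split_tunnel(cfg: HeadEnd) -> List[str]:
    """Reply 1: the split ACL source is the LOCAL protected network, not the pool."""
    findings = []
    for e in cfg.split_acl:
        if e.action != "permit":
            continue
        if any(e.src.subnet_of(n) for n in cfg.connected.values()):
            continue  # correct orientation: local network -> destination
        if any(e.src.overlaps(p) for p in cfg.pool):
            findings.append(f"split ACL entry {e.src} -> {e.dst} is written from the pool side; reverse it")
    return findings


def check_nat_exemption(cfg: HeadEnd) -> List[str]:
    """Reply 2: inside -> pool traffic must hit a deny in the NAT source list."""
    findings = []
    for name in cfg.nat_inside:
        net = cfg.connected[name]
        for p in cfg.pool:
            exempt = any(e.action == "deny" and net.subnet_of(e.src) and p.subnet_of(e.dst)
                         for e in cfg.nat_acl)
            if not exempt:
                findings.append(f"no NAT exemption for {net} ({name}) -> pool {p}")
    return findings


def audit(cfg: HeadEnd) -> List[str]:
    return check_pool_overlap(cfg) + check_split_tunnel(cfg) + check_nat_exemption(cfg)


def acl_entry(action, src, src_wc, dst=None, dst_wc=None) -> AclEntry:
    dst_net = ANY if dst is None else wildcard_to_network(dst, dst_wc)
    return AclEntry(action, wildcard_to_network(src, src_wc), dst_net)


# As posted: BVI1 is 192.168.10.254/24 and both pools are carved out of that subnet.
AS_POSTED = HeadEnd(
    connected={"BVI1": IPv4Network("192.168.10.0/24"), "Vlan2": IPv4Network("192.168.11.0/24")},
    nat_inside=["BVI1"],
    pool=pool_from_range("192.168.10.251", "192.168.10.253")
         + pool_from_range("192.168.10.50", "192.168.10.51"),
    split_acl=[acl_entry("permit", "192.168.10.0", "0.0.0.255")],
    nat_acl=[acl_entry("deny", "192.168.10.0", "0.0.0.255", "192.168.17.0", "0.0.0.255"),
             acl_entry("deny", "192.168.10.0", "0.0.0.255", "192.168.1.0", "0.0.0.255"),
             acl_entry("permit", "192.168.10.0", "0.0.0.255")],
)

# Following the reply: pool moved to an unused subnet (192.168.20.0/24 is a constructed
# value) and a deny for inside -> pool prepended to the NAT list.
FIXED = HeadEnd(
    connected=AS_POSTED.connected,
    nat_inside=["BVI1"],
    pool=[IPv4Network("192.168.20.0/24")],
    split_acl=AS_POSTED.split_acl,
    nat_acl=[acl_entry("deny", "192.168.10.0", "0.0.0.255", "192.168.20.0", "0.0.0.255")]
            + AS_POSTED.nat_acl,
)

if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("fixed", FIXED)):
        print(label, audit(cfg) or ["OK"])
```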
-
Tunnel established but no traffic passing on the site-to-site VPN
I have a Cisco 2900 series building a site-to-site VPN tunnel to an ASA 5510. The tunnel comes up fine, but I can't get traffic through the tunnel. I have read several other posts and tried a lot of suggestions (probably breaking things in the process). I don't know if my NAT is all messed up or if my access lists on the router are goofy. Any help is greatly appreciated.
THE ASA CONFIG:
ASA Version 8.4(4)1
!
hostname test-fw
domain-name ficticious.local
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address *.*.*.* 255.255.255.*
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.3.2 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ-TNS
 security-level 10
 ip address 192.168.31.1 255.255.255.0
interface Ethernet0/3
 nameif DMZ-SMTP
 security-level 9
 ip address 192.168.32.1 255.255.255.0
!
interface Management0/0
 nameif cradelpoint
 security-level 1
 ip address 192.168.254.1 255.255.255.0
!
boot system disk0:/asa844-1-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name ficticious.local
object network obj-172.16.3.2
 host 172.16.3.2
object network obj-172.16.7.2
 host 172.16.7.2
object network obj-172.16.10.2
 host 172.16.10.2
object network obj-172.16.13.2
 host 172.16.13.2
object network obj-192.168.3.0
 subnet 192.168.3.0 255.255.255.0
object network obj-192.168.4.0
 subnet 192.168.4.0 255.255.255.0
object network obj-192.168.5.0
 subnet 192.168.5.0 255.255.255.0
object network obj-192.168.6.0
 subnet 192.168.6.0 255.255.255.0
object network obj-192.168.7.0
 subnet 192.168.7.0 255.255.255.0
object network obj-192.168.8.0
 subnet 192.168.8.0 255.255.255.0
object network obj-192.168.9.0
 subnet 192.168.9.0 255.255.255.0
object network obj-192.168.10.0
 subnet 192.168.10.0 255.255.255.0
object network obj-192.168.12.0
 subnet 192.168.12.0 255.255.255.0
object network obj-192.168.13.0
 subnet 192.168.13.0 255.255.255.0
object network obj-192.168.15.0
 subnet 192.168.15.0 255.255.255.0
object network obj-192.168.16.0
 subnet 192.168.16.0 255.255.255.0
object network obj-10.1.0.0
 subnet 10.1.0.0 255.255.0.0
object network obj-192.168.32.10
 host 192.168.32.10
object network NETWORK_OBJ_192.168.20.0
 host 192.168.20.0
object network NETWORK_OBJ_192.168.20.0_24
 subnet 192.168.20.0 255.255.255.0
object network NETWORK_OBJ_192.168.3.0_24
 subnet 192.168.3.0 255.255.255.0
object network obj-192.168.0.0_16
 subnet 192.168.0.0 255.255.0.0
object network NETWORK_OBJ_192.168.0.0_24
 subnet 192.168.0.0 255.255.255.0
object network NETWORK_OBJ_192.168.3.0
 host 192.168.3.0
object network NETWORK_OBJ_192.168.3.144_28
 subnet 192.168.3.144 255.255.255.240
object network obj-192.168.50.11
object network obj-192.168.30.10
 host 192.168.30.10
object network obj-192.168.40.10
 host 192.168.40.10
object network obj-192.168.70.10
 host 192.168.70.10
object network obj-192.168.150.10
 host 192.168.150.10
object network obj-192.168.160.10
 host 192.168.160.10
object network obj-10.10.10.10
 host 10.10.10.10
object network obj-192.168.120.10
 host 192.168.120.10
access-list Out-In extended deny ip any any
access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging console informational
logging monitor informational
logging buffered debugging
logging trap debugging
logging history debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ-TNS 1500
mtu DMZ-SMTP 1500
mtu cradelpoint 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
icmp deny any inside
icmp deny any DMZ-TNS
arp timeout 14400
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.3.144_28 NETWORK_OBJ_192.168.3.144_28 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24
!
object network obj-172.16.3.2
 nat (inside,outside) dynamic interface
object network obj-172.16.7.2
 nat (inside,outside) dynamic interface
object network obj-172.16.10.2
 nat (inside,outside) dynamic interface
object network obj-172.16.13.2
 nat (inside,outside) dynamic interface
object network obj-192.168.3.0
 nat (inside,outside) dynamic interface
object network obj-192.168.4.0
 nat (inside,outside) dynamic interface
object network obj-192.168.5.0
 nat (inside,outside) dynamic interface
object network obj-192.168.6.0
 nat (inside,outside) dynamic interface
object network obj-192.168.7.0
 nat (inside,outside) dynamic interface
object network obj-192.168.8.0
 nat (inside,outside) dynamic interface
object network obj-192.168.9.0
 nat (inside,outside) dynamic interface
object network obj-192.168.10.0
 nat (inside,outside) dynamic interface
object network obj-192.168.12.0
 nat (inside,outside) dynamic interface
object network obj-192.168.13.0
 nat (inside,outside) dynamic interface
object network obj-192.168.15.0
 nat (inside,outside) dynamic interface
object network obj-192.168.16.0
 nat (inside,outside) dynamic interface
object network obj-10.1.0.0
 nat (inside,outside) dynamic interface
object network obj-192.168.32.10
 nat (DMZ-SMTP,outside) static 12.200.89.172
object network obj-192.168.50.11
route outside 0.0.0.0 0.0.0.0 *.*.*.* 1
route inside 10.1.0.0 255.255.0.0 192.168.3.1 1
route inside 10.10.0.0 255.255.0.0 192.168.3.1 1
route inside 10.200.0.0 255.255.0.0 192.168.3.1 1
route inside 172.16.3.2 255.255.255.255 192.168.3.1 1
route inside 172.16.7.2 255.255.255.255 192.168.3.1 1
route inside 172.16.10.2 255.255.255.255 192.168.3.1 1
route inside 172.16.13.2 255.255.255.255 192.168.3.1 1
route inside 192.168.4.0 255.255.255.0 192.168.3.1 1
route inside 192.168.5.0 255.255.255.0 192.168.3.1 1
route inside 192.168.6.0 255.255.255.0 192.168.3.1 1
route inside 192.168.7.0 255.255.255.0 192.168.3.1 1
route inside 192.168.8.0 255.255.255.0 192.168.3.1 1
route inside 192.168.9.0 255.255.255.0 192.168.3.1 1
route inside 192.168.10.0 255.255.255.0 192.168.3.1 1
route inside 192.168.12.0 255.255.255.0 192.168.3.1 1
route inside 192.168.13.0 255.255.255.0 192.168.3.1 1
route inside 192.168.15.0 255.255.255.0 192.168.3.1 1
route inside 192.168.16.0 255.255.255.0 192.168.3.1 1
route outside 192.168.20.0 255.255.255.0 *.*.*.* 1
route inside 192.168.30.0 255.255.255.0 192.168.3.1 1
route inside 192.168.40.0 255.255.255.0 192.168.3.1 1
route inside 192.168.50.0 255.255.255.0 192.168.3.1 1
route inside 192.168.70.0 255.255.255.0 192.168.3.1 1
route inside 192.168.100.0 255.255.255.0 192.168.3.1 1
route inside 192.168.120.0 255.255.255.0 192.168.3.1 1
route inside 192.168.150.0 255.255.255.0 192.168.3.1 1
route inside 192.168.160.0 255.255.255.0 192.168.3.1 1
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set ikev1 transform-set cradelpoint_vpn
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.1.2.13 prefer
ssl trust-point ASDM_TrustPoint0 outside
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key *
!
class-map IPSclass
 match any
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map IPSpolicy
 class IPSclass
  ips inline help
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
 class class-default
  user-statistics accounting
!

Router config:
Current configuration : 2605 bytes
!
! Last configuration change at 18:39:30 UTC Tue Aug 7 2012
! NVRAM config last updated at 19:50:03 UTC Mon Aug 6 2012
! NVRAM config last updated at 19:50:03 UTC Mon Aug 6 2012
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname router
!
boot-start-marker
boot-end-marker
!
!
enable password bonnefin
!
no aaa new-model
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
ip name-server 192.168.100.1
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
!
!
!
redundancy
crypto isakmp policy 2
 authentication pre-share
crypto isakmp key 6 IBETYOUCANTGUESS address *.*.*.*
!
!
crypto ipsec transform-set cradelpoint_vpn esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to *.*.*.*
 set peer *.*.*.*
 set transform-set cradelpoint_vpn
 match address 100
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 no ip address
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
!
interface GigabitEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 no cdp enable
!
interface GigabitEthernet0/0.2
 encapsulation dot1Q 2
 no cdp enable
!
interface GigabitEthernet0/0.3
 encapsulation dot1Q 3
 no cdp enable
!
interface GigabitEthernet0/1
 ip address dhcp
 duplex auto
 speed auto
 no cdp enable
 crypto map SDM_CMAP_1
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 110 interface GigabitEthernet0/1 overload
ip nat inside source list sheep interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 192.168.100.1 254
ip route 0.0.0.0 0.0.0.0 192.168.100.1 254
ip route 192.168.3.0 255.255.255.0 192.168.3.1
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 deny   ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
!
!
!
!
route-map sheep permit 10
 match ip address 110
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 login
 transport input all
!
scheduler allocate 20000 1000
end

Ahh, it looks like the CradlePoint router could be dropping the ESP packets: as we can see, the router is encrypting the packets, but the ASA receives/decrypts nothing, which means they do not even reach the ASA.
Enable NAT-T, so that ESP is encapsulated in UDP/4500.
On the ASA:
crypto isakmp nat-traversal 30
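The reasoning in this reply (one side encrypts, the other decrypts nothing) and the counters posted in the 877W thread above (decaps 26, encaps 0) are both readable straight off "show crypto ipsec sa". The following added example, not code from either thread or from Cisco, parses those counters and maps the pattern to the usual cause; the sample output is constructed from the 877W thread.

```python
"""Read the packet counters out of "show crypto ipsec sa" and classify the failure.

Added example (not from the forum threads). The single-side rules cover the 877W
thread (traffic arrives from the client but nothing is sent back); compare_peers()
encodes the site-to-site reply above (the router encrypts, the ASA decrypts nothing,
so ESP is lost in transit).
"""
import re
from dataclasses import dataclass

# Constructed sample modelled on the output posted in the 877W thread.
SAMPLE_SA = """\
interface: Virtual-Access4
    Crypto map tag: Virtual-Access4-head-0, local addr a.a.a.a
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.10.251/255.255.255.255/0/0)
   current_peer b.b.b.b port 56604
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 26, #pkts decrypt: 26, #pkts verify: 26
    #send errors 0, #recv errors 0
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt): (\d+)")
ERROR_RE = re.compile(r"#(send|recv) errors (\d+)")


@dataclass
class SaCounters:
    encaps: int = 0
    decaps: int = 0
    encrypt: int = 0
    decrypt: int = 0
    send_errors: int = 0
    recv_errors: int = 0


def parse_sa_counters(text: str) -> SaCounters:
    """Pull the per-SA counters out of one 'show crypto ipsec sa' block."""
    c = SaCounters()
    for name, value in COUNTER_RE.findall(text):
        setattr(c, name, int(value))
    for name, value in ERROR_RE.findall(text):
        setattr(c, f"{name}_errors", int(value))
    return c


def diagnose(c: SaCounters) -> str:
    """Single-side view: which direction is carrying traffic?"""
    if c.encaps == 0 and c.decaps == 0:
        return "no-traffic: nothing matching the crypto ACL reaches this SA in either direction"
    if c.encaps > 0 and c.decaps == 0:
        return ("one-way-outbound: we encrypt but never receive; check the peer side and "
                "whether ESP is dropped in the path (enable NAT-T)")
    if c.decaps > 0 and c.encaps == 0:
        return ("one-way-inbound: client traffic arrives but replies never enter the tunnel; "
                "check routing, NAT exemption and pool overlap")
    return "bidirectional: the tunnel is passing traffic"


def compare_peers(local: SaCounters, remote: SaCounters) -> str:
    """Two-side view: what one side encapsulates the other must decapsulate."""
    if local.encaps > 0 and remote.decaps == 0:
        return "lost-in-transit: local encrypts but remote decrypts nothing; ESP is dropped before the peer"
    if remote.encaps > 0 and local.decaps == 0:
        return "lost-in-transit: remote encrypts but local decrypts nothing; ESP is dropped before us"
    if local.encaps == 0 and remote.encaps == 0:
        return "no-traffic: neither side is encrypting anything"
    return "delivered: both sides see the packets the other encrypts"


if __name__ == "__main__":
    counters = parse_sa_counters(SAMPLE_SA)
    print(counters)
    print(diagnose(counters))
```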
-
VPN tunnel between a 3005 concentrator and a Cisco 827 router
I am trying to establish a VPN tunnel between the central office, which has a VPN 3005 concentrator, and a branch office Cisco 827 router.
There is a perimeter router with an access list set up in front of the 3005.
I added the following ACL statement on the central perimeter router to allow traffic to the 3005: access-list 101 permit ip any 193.188.X.X (address of the hub).
I get the following messages when I try to ping a local host at the central site.
Can anyone give me the correct steps for the 827 and the 3005?
Thank you
CCNP Ansar.
------------------------------------------------------------------------------------------------------
debug crypto isakmp
debug crypto engine
debug crypto sa
debug output
------------------
1d20h: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 172.22.113.41, remote= 193.188.108.165,
    local_proxy= 202.71.244.160/255.255.255.240/0/0 (type=4),
    remote_proxy= 128.128.1.78/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0x83B8AC1B(2209917979), conn_id= 0, keysize= 0, flags= 0x400D
1d20h: ISAKMP: received ke message (1/1)
1d20h: ISAKMP: local port 500, remote port 500
1d20h: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Old State = IKE_READY  New State = IKE_I_MM1
1d20h: ISAKMP (0:1): beginning Main Mode exchange
1d20h: ISAKMP (0:1): sending packet to 193.188.108.165 (I) MM_NO_STATE
1d20h: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
1d20h: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
1d20h: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
1d20h: ISAKMP (0:1): sending packet to 193.188.108.165 (I) MM_NO_STATE
1d20h: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
1d20h: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
1d20h: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
1d20h: ISAKMP (0:1): sending packet to 193.188.108.165 (I) MM_NO_STATE
1d20h: IPSEC(key_engine): request timer fired: count = 1,
You must also allow the ESP protocol in your ACL:
access-list 101 permit esp any host x.x.x.x (address of the hub)
Hope this helps,
-Nairi
-
Print jobs from the computer show up in the queue, but do not print
1400 series all-in-one: print jobs from the computer show up in the queue, but do not print. The scan and copy functions are fine. What is the problem?
chrismcgo wrote:
I upgraded to a new computer with Windows 7 a month ago. The printer worked fine until last week. I tried the remedy proposed to other HP users, but the computer will not accept the software provided with the printer, so the printer is always offline. Any other suggestions?
I suggest the following: disconnect the USB cable, then download the full recommended driver from HP here. Once the download is complete, run the setup program. Do not connect the USB cable until the installer prompts you to do so.
-
An easy one - how do I bounce a VPN tunnel from the command line?
I think I know the answer, but I need to make sure. What is the command to bounce a VPN?
clear crypto ipsec sa peer
Just to check - this command does not delete the config, but simply bounces the tunnel, right?
For IOS VPN clients...
your command only causes me to generate a new key when I send more traffic... just tried it...
For the ASA VPN clients we have:
ASA-fw# vpn-sessiondb logoff ?
  all           All sessions
  email-proxy   Email-Proxy sessions
  index         Index of a specific session
  ipaddress     IP address of specific sessions
  l2l           IPsec LAN-to-LAN sessions
  name          User name of specific sessions
  protocol      Protocol of specific sessions
  remote        Remote access IPsec sessions
  svc           SSL VPN Client sessions
  tunnel-group  Tunnel-group sessions
  vpn-lb        VPN Load Balancing Mgmt sessions
  webvpn        WebVPN sessions
-
Is it possible to build a vpn tunnel to the DMZ interface on a pix 515?
I would like to know if it is possible to have a vpn tunnel terminating on a DMZ interface rather than the inside interface of a 3-way pix. All the configuration examples I found route traffic from a VPN client somewhere on the internet to the inside interface of the pix. I tried a nat 0 (sheep) access list from the DMZ to the vpn client, but it does not work. In my opinion that is because the vpn traffic goes to the higher security interface by definition. Am I wrong?
Hello
You can do it using (nat (dmz) 0 x.x.x.x y.y.y.y)
-
Two VPN tunnels on the same device with the same protected networks
There is a remote site that wants me to put in place two separate VPN tunnels with the same internal IPs at each end. FOR EXAMPLE
LAN = 10.212.170.201/32, 10.212.170.202/32
Remote network = 192.168.0.0/24
I currently have a tunnel between the above:
Remote endpoint = 111.93.152.186
Local endpoint = 198.205.115.252
Now, they want to set up a VPN for the same networks between:
Remote endpoint = 115.115.130.34
Local endpoint = 198.205.115.252
It is my understanding that the Cisco ASA 5520 can do this. The only way I've seen this done with Cisco hardware is to use two ASAs, but there may be a way to use route costs or some other tricks to make it happen.
I'm open to suggestions.
Is it a backup?
If so, specify the second remote endpoint as a "backup" peer in the first VPN. Only one will be active at a time - but it will be switched over if the first VPN dies.
-
VPN - VPN easy hardware Client connects, but no traffic
Hello
I have a PIX 515E and a 501 acting as a hardware client. Several remote locations are connected as easy VPN clients; one location connects, but no traffic flows. I switched from network-extension mode to client mode and I can connect through other network hosts.
I don't know why this PIX 501 is different. There are no ACLs except the one that is pulled from the server.
Any ideas where I should look?
Thank you
Vince
A few quick comments:
1. I don't see 192.168.0.0 as part of the ACL inside_outbound_nat0_acl.
2. I see a crypto map instance 40 with an "incomplete" crypto map, which actually has no match address.
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 set peer 216.27.161.109
crypto map outside_map 40 set transform-set ESP-DES-MD5
! Incomplete
Not sure if this is the current configuration of the pix. If there is a crypto map instance with an incomplete match address, all traffic will be encrypted.
Kind regards
Arul
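An added example, not from the thread, that automates Arul's two checks on a constructed PIX 6.3-style config (all ACL names, addresses and the config text are made up for the example): it reports crypto map entries lacking a match address, peer or transform set, and crypto-ACL destinations that no nat 0 ACL exempts.

```python
import ipaddress
import re
from collections import defaultdict
# Constructed config (not the poster's): entry 20 is fine, entry 30's remote network is
# absent from the nat 0 ACL, entry 40 has no match address.
SAMPLE_CONFIG = """\
access-list inside_outbound_nat0_acl permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_30 permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 203.0.113.10
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 30 ipsec-isakmp
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set peer 198.51.100.7
crypto map outside_map 30 set transform-set ESP-DES-MD5
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 set peer 216.27.161.109
crypto map outside_map 40 set transform-set ESP-DES-MD5
"""
CRYPTO_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")

def parse(config):
    maps = defaultdict(dict)   # (map name, seq) -> statement -> argument
    acls = defaultdict(list)   # acl name -> [(src network, dst network)]
    nat0 = []                  # ACL names that drive NAT exemption
    for line in config.splitlines():
        if m := CRYPTO_RE.match(line):
            words = m.group(3).split()
            n = 2 if words[0] in ("match", "set") else 1   # 'set peer X' -> key 'set peer'
            maps[(m.group(1), int(m.group(2)))][" ".join(words[:n])] = " ".join(words[n:])
        elif m := ACL_RE.match(line):
            nets = [ipaddress.ip_network(f"{a}/{mk}", strict=False) for a, mk in (m.group(2, 3), m.group(4, 5))]
            acls[m.group(1)].append(tuple(nets))
        elif m := NAT0_RE.match(line):
            nat0.append(m.group(1))
    return maps, acls, nat0

def incomplete_crypto_maps(maps):
    """Entries missing match address / set peer / set transform-set (Arul's point 2)."""
    needed = ("match address", "set peer", "set transform-set")
    return sorted(k for k, v in maps.items() if any(s not in v for s in needed))

def networks_missing_from_nat0(maps, acls, nat0):
    """Crypto-ACL flows no nat 0 ACL exempts: NAT rewrites them before encryption (point 1)."""
    exempt = [pair for name in nat0 for pair in acls.get(name, [])]
    return [str(d) for e in maps.values() for s, d in acls.get(e.get("match address", ""), [])
            if not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt)]
```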
-
On Pix VPN tunnel to the same subnet
I have a customer who wants to set up a PIX-to-PIX VPN tunnel between PIXes located at each site. For some reason, each side has the same subnet number, e.g. 10.10.10.x/32. I'm sure we must run NAT, but is it possible?
This can help:
http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a00800949f1.shtml
-
How to get to the VPN tunnel to the subnet 2/3
I have not tried anything else yet; a few years back I got it into my head that with an ASA firewall you cannot route traffic to a second or third subnet (2 or 3 hops away) over the same VPN tunnel, even when you add routes to all LAN subnets in all the required firewalls and tunnels.
I know other manufacturers such as SonicWall can do it, so the question is: is it possible in the Cisco ASA firewall with versions 7.07 and 7.2.4? If not, is it possible in a future release? And if it is not possible, how can I make it work? Can't I make it work with 1 firewall/router and 3 LAN-to-LAN tunnels?
Attached is also a network map for visualizing all subnets.
Thanks in advance
Johan Mannerstrom
ICT technician
If the HQ firewall is already connected to LAN2 (directly, I mean), then you only have to connect an interface of the HQ firewall to it and give it an ip address that belongs to LAN2. Since the HQ firewall then has a route to 192.168.20.0/24 and 18.0/24 and vice versa, that's enough.
And you're right on the rest of the steps you provided regarding the config.
And of course, you must configure the matching crypto ACL and NAT exemption as a mirror image on the remote VPN endpoint too.
-
Site to Site VPN is in place, but no traffic passes through.
Hello. I'm sure this is a lot, but I'm tearing my hair out and don't have the cisco skills to solve this problem. I hope someone here can identify what's wrong in my setup.
Using the Cisco Configuration Professional software, I created a site-to-site VPN connection (between a cisco 1841 and an 1811).
The tunnel seems to be up, as far as the routers are concerned, but I can't ping anything on the remote networks. I thought the route maps had something to do with it, but I don't see what is wrong with them.
Just to let you know, the 1841 device already has a working VPN tunnel to another site, in case that confuses anyone. The peers I am concerned about are 141.0.59.x and 109.238.78.x.
Thank you very much.
Hi Haydin,
You have the following:
ip access-list extended (the port-redirect ACL)
 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
Not sure why you have the entire network here with the any keyword; it is better to create one-to-one static translations.
Could you please remove it and give it a try?
ip access-list extended (the port-redirect ACL)
 no permit ip 192.168.1.0 0.0.0.255 any
Thanks in advance.
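An added example (not from either thread) covering both the "permit esp" advice earlier on this page and the NAT route-map ACL in this thread: a small IOS ACL evaluator with wildcard masks and first-match semantics. It assumes the port-redirect ACL is referenced by a NAT route-map, as the reply implies; 203.0.113.1 (standing in for the hub x.x.x.x), 198.51.100.9 and the ACL texts are constructed.

```python
import ipaddress
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}   # IOS port keywords -> UDP port

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    keep = ~w & 0xFFFFFFFF
    return a & keep == b & keep

def parse_ace(line):
    """'permit udp any host 203.0.113.1 eq isakmp' -> (action, proto, src, dst, dport)."""
    words = line.split()
    action, proto, rest = words[0], words[1], words[2:]
    addrs, dport = [], None
    while rest:
        if rest[0] == "any":
            addrs.append(("0.0.0.0", "255.255.255.255"))
            rest = rest[1:]
        elif rest[0] == "host":
            addrs.append((rest[1], "0.0.0.0"))
            rest = rest[2:]
        elif rest[0] == "eq":                      # destination port (only after dst here)
            dport = int(PORT_NAMES.get(rest[1], rest[1]))
            rest = rest[2:]
        else:
            addrs.append((rest[0], rest[1]))       # network + wildcard
            rest = rest[2:]
    return action, proto, addrs[0], addrs[1], dport

def evaluate(acl, proto, src, dst, dport=None):
    """First match wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    for line in acl:
        action, p, (sb, sw), (db, dw), port = parse_ace(line)
        if p in ("ip", proto) and port in (None, dport) and wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"
# Constructed ACLs (not the posters' configs); 203.0.113.1 stands in for the hub x.x.x.x.
INBOUND_NO_ESP = ["permit udp any host 203.0.113.1 eq isakmp",
                  "permit udp any host 203.0.113.1 eq non500-isakmp"]
INBOUND_FIXED = INBOUND_NO_ESP + ["permit esp any host 203.0.113.1"]
NAT_ACL_POSTED = ["deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255",
                  "permit ip 192.168.1.0 0.0.0.255 any"]
NAT_ACL_NO_DENY = NAT_ACL_POSTED[1:]

def tunnel_traffic_passes(inbound_acl, peer, hub):
    """(IKE reachable, ESP reachable): IKE can complete while ESP is still dropped."""
    return (evaluate(inbound_acl, "udp", peer, hub, 500) == "permit",
            evaluate(inbound_acl, "esp", peer, hub) == "permit")

def is_translated(nat_acl, src, dst):
    """In a NAT route-map a permit means 'translate'; tunnel-bound traffic needs a deny."""
    return evaluate(nat_acl, "ip", src, dst) == "permit"
```

Without the deny line, traffic for 192.168.3.0/24 is translated before it reaches the crypto ACL, which is one way a tunnel can be up while nothing passes.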
-
I DON'T KNOW WHY BUT MY MESSAGES IN MY INBOX ARE ALL MUDDLED UP.
USED TO SEE THE MOST RECENT AT THE TOP; NOW I TUNE THROUGH ALL THE EMAILS TO FIND TODAY'S MAIL? Help, please.
Steve is of course correct. What mail client do you have?
-
I have Vista Home Premium 32-bit on my laptop and I use Windows Mail, and I'm having a problem. If a person in my company sends me mail, it comes in fine. When I reply, however, they receive a mess of data at the top of the reply message that seems to give them all sorts of information on my laptop and computer info. If I generate a new email to anyone in my company, they receive it fine. THUS, it seems that replying is the issue.
Any help out there? How can I remove this unwanted data from replies (and forwards as well, by the way)?
Thank you in advance for your help!
The problem was resolved by validating my account in Windows Mail. I have no idea why that was needed, as I had used it for 2 years; it only started happening recently, but since then no problems have been reported, so that seems to have solved the problem. I'm sorry that I can not credit anyone with the answer, because no one suggested this solution; I found it on Yahoo, tried it and it seems to have done the trick.
Thanks for trying to help. Still, I'll post here if I have any other questions or problems.
-
Problems with VPN tunnels after the upgrade to PIX 7.0
It seems that Cisco has revamped the VPN process on the new Version of PIX 7.0.
After I upgraded, I noticed that AH (i.e. ah-sha-hmac, ah-md5-hmac) was no longer supported and all my transform sets containing AH were not converted.
Another issue: if you had "names" enabled on version 6.3, when you upgrade, tunnel groups will be created (formerly "crypto isakmp identity", "crypto isakmp key ... peer") which include a hostname (identity hostname) instead of the IP as it was in 6.3. Guess what... Nothing works! Had to delete and recreate them using the IP address. See an example...
tunnel-group OTHER_END type ipsec-l2l
tunnel-group OTHER_END ipsec-attributes
 pre-shared-key *
The above does not work... Had to recreate it using the IP address mapped to OTHER_END...
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key *
Furthermore, I have problems with my racoon and freeswan extranets... Has someone recently upgraded successfully, and do other vendors' VPN gateways (i.e. checkpoint, Freeswan and Racoon) work?
We found the solution to this problem. It appeared that perfect forward secrecy is enabled on the other side, so a 'crypto map outside_map 10 set pfs' is necessary. With pix version 6.3 that appears not to make a difference; the vpn works even with pfs disabled on the pix side.