VPN tunnel via Cisco to SBS 2008 RRAS router

Similar Questions

• VPN tunnel via PPPoE connection

  The remote site uses a PPPoE DSL connection on a wic etihernet. We have the work of setting up PPPoE, but we are unable to establish the VPN tunnel. When the tunnel is activated, since the PIX debugging logs show the following:

  PEER_REAPER_TIMERIPSEC (ipsec_prepare_encap_request): fragmentation, IP packet<>

  0 > greater than the effective mtu 1444

  IPSec (ipsec_prepare_encap_request): fragmentation, IP <1500>packet greater than e

  effective MTU 1444

  IPSec (ipsec_prepare_encap_request): fragmentation, IP <1500>packet greater than e

  effective MTU 1444

  On the router when the encryption card is linked to the Dialer, debug information indicates the following:

  Sep 15 12:17:31.111: IPSEC (adjust_mtu): setting ip mtu of 1500 to 1444.

  local (identity) = *. *. *. *, distance = *. *. *. *,

  local_proxy = 192.168.50.0/255.255.255.0/0/0 (type = 4),

  remote_proxy = 0.0.0.0/0.0.0.0/0/0 (type = 4)

  Sep 15 12:17:31.115: IPSEC (adjust_mtu): setting mtu of 1500 path to 1444.

  local (identity) = *. *. *. *, distance = *. *. *. *,

  local_proxy = 192.168.50.0/255.255.255.0/0/0 (type = 4),

  remote_proxy = 0.0.0.0/0.0.0.0/0/0 (type = 4)

  Sep 15 12:17:31.115: IPSEC (adjust_mtu): setting ip mtu of 1500 to 1444.

  local (identity) = *. *. *. *, distance = *. *. *. *,

  local_proxy = 192.168.50.0/255.255.255.0/0/0 (type = 4),

  remote_proxy = 192.168.0.0/255.255.240.0/0/0 (type = 4)

  Sep 15 12:18:16.984: ISAKMP (0:0): no BID in demand

  Sep 15 12:18:16.988: ISAKMP (0:0): profile of THE request is (NULL)

  Sep 15 12:18:16.988: ISAKMP: 0 local port, remote port 0

  Sep 15 12:18:16.988: ISAKMP: set new node 0 to QM_IDLE

  If I run the following command on the router, test crypto isakmp. * *. *. * *. *. *. * ESP. I get the following information from the journal of debugging on the router. In the journal of Pix I start reporting the fragmentation, IP <1500>packet greater than the effective mtu 1444.

  Sep 15 12:18:16.988: ISAKMP: insert his with his 82121DD4 = success

  Sep 15 12:18:16.988: ISAKMP (0:1): cannot start aggressive mode, try main MB

  FEL

  Sep 15 12:18:16.988: ISAKMP: looking for a key for *. *. *. * in default: success

  Sep 15 12:18:16.988: ISAKMP (0:1): found peer pre-shared key matching *. *. *. *

  .62

  Sep 15 12:18:16.992: ISAKMP (0:1): built the seller-07 ID NAT - t

  Sep 15 12:18:16.992: ISAKMP (0:1): built of NAT - T of the seller-03 ID

  Sep 15 12:18:16.992: ISAKMP (0:1): built the seller-02 ID NAT - t

  Sep 15 12:18:16.992: ISAKMP (0:1): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

  Sep 15 12:18:16.992: ISAKMP (0:1): former State = new State IKE_READY = IKE_I_MM1

  Sep 15 12:18:16.992: ISAKMP (0:1): early changes of Main Mode

  Sep 15 12:18:16.992: ISAKMP (0:1): package is sent to *. *. *. * my_port 0 wee

  r_port 0 (I) MM_NO_STATE

  Sep 15 12:18:20.440: ISAKMP: ke received message (1/1)

  Sep 15 12:18:20.440: ISAKMP: set new node 0 to QM_IDLE

  Sep 15 12:18:20.444: ISAKMP (0:1): SA is still budding. Attached is the new ipsec applicant

  She St. (local *. *. *. * distance *. *. *. *)

  Sep 15 12:18:26.996: ISAKMP (0:1): retransmission phase 1 MM_NO_STATE...

  Sep 15 12:18:26.996: ISAKMP (0:1): will increment the error counter on his: broadcast

  Phase 1

  I tried setting the IP MTU size to 1492 and 1500 on the interface of the router Dialer but I still get the same case. You have any ideas or places to look. We are able to establish a VPN tunnel from this location with a Linksys VPN router or router Drakor. This same router also works when you are using a DSL connection, requiring no PPPoE.

  Thank you

  JUan

  Remove this line on the router:

  IP nat inside source list Dialer1 160 interface overload

  because this would cause the NAT router all encrypted packets which you don't want. On the PIX, you must change this:

  NAT (inside) 0-list of access splittunnel

  to reference the ACL sheep or add the 192.168.50.0 subnet in the ACL splittunnel.

  On the PIX, enter in the following (I know they are there already):

  Outside 1500 MTU

  Within 1500 MTU

  MTU 1500 dmz

  then save the config and rebooting, it must get rid of the MTU messages.

• 2 VPN tunnels on ASA common; A PRI a BKP at the same address-end peer

  Hi all

  I have an ASA 5505 branch that has 2 circuits ISP.  I have a data center ASA who has 1 ISP circuit. I have a VPN tunnel between the primary circuit ASA branch and the ASA circuit data center.  I would like to implement the ASA branch for the redundancy of the SLA so I can use primary and backup circuits, but two configs tunnel going to the same address-end peer, since the data center has only 1 ASA. I read that an ASA cannot have several tunnels to the same peer address because the ASA may have 1 SA by peer address.

  However, if I have my branch ASA configured for redundancy of the SLA, then only 1 tunnel would at once, which I think would affect the requirement of SA above.

  Can someone tell me if this is possible?

  Thank you.

  Hi Dean,

  You're right about things als because only link will be active at a time.

  On the ASA branch, you can apply the same encryption card to two primary and secondary circuit. You use just ALS to determine how this ASA branch will reach the address of peer card crypto (IP addr of ASA Data Center).

  I wrote an article about a similar scenario here: http://resources.intenseschool.com/using-vpn-tunnels-as-backup-links-primary-and-backup-vpn-tunnels-on-cisco-asa/

• FAILURE OF VPN TUNNEL

  Hello guys,.

  I have an ASA 5505 firewall tries to create a VPN tunnel from site to site with a router of 2621 running Advanced IP services. The tunnel keeps do not and I don't know why. Below is the config.

  !
  hostname SeCuReWaLL
  domain default.domain.invalid
  activate 2KFQnbNIdI.2KYOU encrypted password
  2KFQnbNIdI.2KYOU encrypted passwd
  names of
  name 192.168.2.0 outside
  name 192.168.3.0 inside
  !
  interface Vlan1
  Description of network links extended to outside of the
  nameif outside
  security-level 0
  192.168.2.101 IP address 255.255.255.0
  !
  interface Vlan2
  Description within a private network
  nameif inside
  security-level 100
  address 192.168.3.1 IP 255.255.255.0
  !
  interface Ethernet0/0
  !
  interface Ethernet0/1
  switchport access vlan 2
  !
  interface Ethernet0/2
  Shutdown
  !
  interface Ethernet0/3
  Shutdown
  !
  interface Ethernet0/4
  Shutdown
  !
  interface Ethernet0/5
  Shutdown
  !
  interface Ethernet0/6
  Shutdown
  !
  interface Ethernet0/7
  Shutdown
  !
  boot system Disk0: / asa822 - k8.bin
  passive FTP mode
  DNS server-group DefaultDNS
  domain default.domain.invalid
  allow inside_access_in to access extended list ip inside outside 255.255.255.0 255.255.255.0
  outside_access_in list extended access permit icmp any any echo response
  site_router to access extended list ip inside 255.255.255.0 allow 192.168.5.0 255.255.255.0
  pager lines 24
  Outside 1500 MTU
  Within 1500 MTU
  ICMP unreachable rate-limit 1 burst-size 1
  ASDM image disk0: / asdm - 625.bin
  don't allow no asdm history
  ARP timeout 14400
  Global 1 interface (outside)
  NAT (inside) 0-list of access site_router
  NAT (inside) 1 inside 255.255.255.0
  Access-group outside_access_in in interface outside
  Route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
  Outdoor 192.168.5.0 255.255.255.0 192.168.2.107 1
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-registration DfltAccessPolicy
  Enable http server
  HTTP inside 255.255.255.0 inside
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Crypto ipsec transform-set esp-3des esp-sha-hmac secure_set
  life crypto ipsec security association seconds 28800
  Crypto ipsec kilobytes of life - safety 4608000 association
  peer set card crypto ipsec_map 10 192.168.2.107
  card crypto ipsec_map 10 transform-set secure_set
  ipsec_map interface card crypto outside
  crypto ISAKMP allow outside
  crypto ISAKMP policy 10
  preshared authentication
  3des encryption
  md5 hash
  Group 5
  lifetime 28800
  Telnet timeout 5
  SSH timeout 5
  Console timeout 0
  dhcpd dns 192.168.2.1
  !
  dhcpd address 192.168.3.10 - 192.168.3.40 inside
  dhcpd allow inside
  !

  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  WebVPN
  username admin privilege 15 encrypted password f3UhLvUj1QsXsuK7
  tunnel-group 192.168.2.107 type ipsec-l2l
  IPSec-attributes tunnel-group 192.168.2.107
  pre-shared key *.
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  maximum message length automatic of customer
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the netbios
  inspect the rsh
  inspect the rtsp
  inspect the skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect the tftp
  inspect the sip
  inspect xdmcp
  Review the ip options
  !
  global service-policy global_policy
  context of prompt hostname
  call-home
  Profile of CiscoTAC-1
  no active account
  http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
  email address of destination [email protected] / * /
  destination-mode http transport
  Subscribe to alert-group diagnosis
  Subscribe to alert-group environment
  Subscribe to alert-group monthly periodic inventory
  monthly periodicals to subscribe to alert-group configuration
  daily periodic subscribe to alert-group telemetry
  Cryptochecksum:a6ffc4e9572dbee8e526c3013a96a510
  : end

  !
  InternetRouter hostname
  !
  boot-start-marker
  boot-end-marker
  !
  !
  No aaa new-model
  no location network-clock-participate 1
  No network-clock-participate wic 0
  IP cef
  !
  !
  !
  !
  no ip domain search
  !
  !
  !
  !
  !
  !
  !
  !
  !
  !
  !
  !
  !
  !
  !
  !
  !
  !
  crypto ISAKMP policy 10
  BA 3des
  md5 hash
  preshared authentication
  Group 5
  lifetime 28800
  key cisco address 192.168.2.101 crypto ISAKMP xauth No.
  !
  !
  Crypto ipsec transform-set esp-3des secure_set
  !
  ipsec_map 10 ipsec-isakmp crypto map
  defined peer 192.168.2.101
  Set transform-set secure_set
  match the address router_site
  !
  !
  !
  !
  interface Loopback0
  192.168.5.1 IP address 255.255.255.0
  !
  interface FastEthernet0/0
  IP 192.168.2.107 255.255.255.0
  automatic duplex
  automatic speed
  ipsec_map card crypto
  !
  interface Serial0/0
  no ip address
  Shutdown
  !
  interface FastEthernet0/1
  no ip address
  Shutdown
  automatic duplex
  automatic speed
  !
  interface Serial0/1
  no ip address
  Shutdown
  !
  IP route 192.168.3.0 255.255.255.0 192.168.2.101
  !
  !
  IP http server
  no ip http secure server
  !
  router_site extended IP access list
  ip licensing 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255
  !
  !
  !
  !
  control plan
  !
  !
  !
  Voice-port 1/0/0
  !
  Voice-port 1/0/1
  !
  Voice-port 1/1/0
  !
  Voice-port 1/1/1
  !
  !
  !
  !
  !
  !
  !
  !
  Line con 0
  exec-timeout 0 0
  Synchronous recording
  line to 0
  line vty 0 4
  opening of session
  !
  !
  end

  InternetRouter #debug isakmp crypto
  Crypto ISAKMP debug is on
  InternetRouter #ping
  Protocol [ip]:
  Target IP address: 192.168.3.10
  Number of repetitions [5]:
  Size of datagram [100]:
  Timeout in seconds [2]:
  Extended commands [n]: y
  Address source or interface: 192.168.5.1
  Type of service [0]:
  Set the DF bit in the IP header? [None]:
  Validate the response data? [None]:
  Data model [0xABCD]:
  In bulk, Strict, Record, Timestamp, Verbose [no]:
  Scan the range of sizes [n]:
  Type to abort escape sequence.
  Send 5, echoes ICMP 100 bytes to 192.168.3.10, time-out is 2 seconds:
  Packet sent with the address source 192.168.5.1

  * 01:49:47.699 Mar 1: ISAKMP: ke received message (1/1)
  * 01:49:47.699 Mar 1: ISAKMP: (0:0:N / A:0): THE application profile is (NULL)
  * 01:49:47.699 Mar 1: ISAKMP: created a struct peer 192.168.2.101, peer port 500
  * 01:49:47.699 Mar 1: ISAKMP: new created position = 0x8553C778 peer_handle = 0 x 80000013
  * 01:49:47.699 Mar 1: ISAKMP: lock struct 0x8553C778, refcount IKE peer 1 for isakmp_initiator
  * 01:49:47.699 Mar 1: ISAKMP: 500 local port, remote port 500
  * 01:49:47.699 Mar 1: ISAKMP: set new node 0 to QM_IDLE
  * 01:49:47.703 Mar 1: insert his with his 84074CC8 = success
  * 01:49:47.703 Mar 1: ISAKMP: (0:0:N / A:0): cannot start aggressive mode, try the main mode.
  * 01:49:47.703 Mar 1: ISAKMP: (0:0:N / A:0): found peer pre-shared key matching 192.168.2.101
  * 01:49:47.703 Mar 1: ISAKMP: (0:0:N / A:0): built the seller-07 ID NAT - t
  * 01:49:47.703 Mar 1: ISAKMP: (0:0:N / A:0): built of NAT - T of the seller-03 ID
  * 01:49:47.703 Mar 1: ISAKMP: (0:0:N / A:0): built the seller-02 ID NAT - t
  * 01:49:47.703 Mar 1: ISAKMP: (0:0:N / A:0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
  * 01:49:47.707 Mar 1: ISAKMP: (0:0:N / A:0): former State = new State IKE_READY = IKE_I_MM1

  * 01:49:47.707 Mar 1: ISAKMP: (0:0:N / A:0): early changes of Main Mode
  * 01:49:47.707 Mar 1: ISAKMP: (0:0:N / A:0): send package to 192.168.2.101 my_port 500 peer_port 500 (I) MM_NO_STATE
  * 01:49:47.711 Mar 1: ISAKMP (0:0): packet received 192.168.2.101 dport 500 sport Global 500 (I) MM_NO_STATE
  * 01:49:47.711 Mar 1: ISAKMP: (0:0:N / A:0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  * 01:49:47.711 Mar 1: ISAKMP: (0:0:N / A:0): former State = new State IKE_I_MM1 = IKE_I_MM2

  * 01:49:47.715 Mar 1: ISAKMP: (0:0:N / A:0): treatment ITS payload. Message ID = 0
  * 01:49:47.715 Mar 1: ISAKMP: (0:0:N / A:0): load useful vendor id of treatment
  * 01:49:47.715 Mar 1: ISAKMP: (0:0:N / A:0): supplier code seems the unit/DPD but major incompatibilite.123
  * 01:49:47.715 Mar 1: ISAKMP: (0:0:N / A:0): provider ID is NAT - T v2
  * 01:49:47.719 Mar 1: ISAKMP: (0:0:N / A:0): load useful vendor id of treatment
  * 01:49:47.719 Mar 1: ISAKMP: (0:0:N / A:0): supplier code seems the unit/DPD but major incompatibility of 194
  * 01:49:47.719 Mar 1: ISAKMP: (0:0:N / A:0): found peer pre-shared key matching 192.168.2.101
  * 01:49:47.719 Mar 1: ISAKMP: (0:0:N / A:0): pre-shared key local found
  * 01:49:47.719 Mar 1: ISAKMP: analysis of the profiles for xauth...
  * 01:49:47.719 Mar 1: ISAKMP: (0:0:N / A:0): audit ISAKMP transform 1 against the policy of priority 10
  * 01:49:47.719 Mar 1: ISAKMP: 3DES-CBC encryption
  * 01:49:47.719 Mar 1: ISAKMP: MD5 hash
  * 01:49:47.719 Mar 1: ISAKMP: group by default 5
  * 01:49:47.719 Mar 1: ISAKMP: pre-shared key auth
  * 01:49:47.723 Mar 1: ISAKMP: type of life in seconds
  * 01:49:47.723 Mar 1: ISAKMP: life (basic) of 28800
  * 01:49:47.723 Mar 1: ISAKMP: (0:0:N / A:0): atts are acceptable. Next payload is 0
  * 1 Mar 01:49:48.119: ISAKMP:(0:1:SW:1): load useful vendor id of treatment
  * 1 Mar 01:49:48.119: ISAKMP:(0:1:SW:1): vendor ID seems the unit/DPD but major incompatibility of 123
  * 1 Mar 01:49:48.123: ISAKMP:(0:1:SW:1): vendor ID is NAT - T v2
  * 1 Mar 01:49:48.123: ISAKMP:(0:1:SW:1): load useful vendor id of treatment
  * 1 Mar 01:49:48.123: ISAKMP:(0:1:SW:1): vendor ID seems the unit/DPD but major incompatibility of 194
  * 01:49:48.123 Mar 1: ISAKMP: (0:1:SW:1): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  * 01:49:48.123 Mar 1: ISAKMP: (0:1:SW:1): former State = new State IKE_I_MM2 = IKE_I_MM2

  * 1 Mar 01:49:48.127: ISAKMP:(0:1:SW:1): sending package to 192.168.2.101 my_port 500 peer_port 500 (I) MM_SA_SETUP
  * 01:49:48.127 Mar 1: ISAKMP: (0:1:SW:1): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  * 01:49:.48.131 Mar 1: ISAKMP: (0:1:SW:1): former State = new State IKE_I_MM2 = IKE_I_MM3

  * 01:49:48.383 Mar 1: ISAKMP (0:134217729): packet received 192.168.2.101 dport 500 sport Global 500 (I) MM_SA_SETUP
  * 01:49:48.383 Mar 1: ISAKMP: (0:1:SW:1): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  * 01:49:48.383 Mar 1: ISAKMP: (0:1:SW:1): former State = new State IKE_I_MM3 = IKE_I_MM4

  * 1 Mar 01:49:48.387: ISAKMP:(0:1:SW:1): processing KE payload. Message ID = 0
  * 1 Mar 01:49:48.887: ISAKMP:(0:1:SW:1): processing NONCE payload. Message ID = 0
  * 01:49:48.887 Mar 1: ISAKMP: (0:1:SW:1): found peer pre-shared key matching 192.168.2.101
  * 01:49:48.891 Mar 1: ISAKMP: (0:1:SW:1): SKEYID generated State
  * 1 Mar 01:49:48.891: ISAKMP:(0:1:SW:1): load useful vendor id of treatment
  * 1 Mar 01:49:48.891: ISAKMP:(0:1:SW:1): vendor ID is the unit
  * 1 Mar 01:49:48.891: ISAKMP:(0:1:SW:1): load useful vendor id of treatment
  * 1 Mar 01:49:48.891: ISAKMP:(0:1:SW:1): vendor ID seems the unit/DPD but major incompatibility of 145
  * 1 Mar 01:49:48.891: ISAKMP:(0:1:SW:1): vendor ID is XAUTH
  * 1 Mar 01:49:48.895: ISAKMP:(0:1:SW:1): load useful vendor id of treatment
  * 1 Mar 01:49:48.895: ISAKMP:(0:1:SW:1): speaking to another box of IOS!
  * 1 Mar 01:49:48.895: ISAKMP:(0:1:SW:1): load useful vendor id of treatment
  * 01:49:48.895 Mar 1: ISAKMP: (0:1:SW:1): supplier code seems the unit/DPD but hash mismatch
  * 01:49:48.895 Mar 1: ISAKMP: receives the payload type 20
  * 01:49:48.895 Mar 1: ISAKMP: receives the payload type 20
  * 01:49:48.895 Mar 1: ISAKMP: (0:1:SW:1): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  * 01:49:48.899 Mar 1: ISAKMP: (0:1:SW:1): former State = new State IKE_I_MM4 = IKE_I_MM4

  * 01:49:48.899 Mar 1: ISAKMP: (0:1:SW:1): send initial contact
  * 01:49:48.899 Mar 1: ISAKMP: (0:1:SW:1): ITS been pr.e using id ID_IPV4_ADDR type shared-key authentication
  * 01:49:48.899 Mar 1: ISAKMP (0:134217729): payload ID
  next payload: 8
  type: 1
  address: 192.168.2.107
  Protocol: 17
  Port: 500
  Length: 12
  * 01:49:48.903 Mar 1: ISAKMP: (0:1:SW:1): the total payload length: 12
  * 1 Mar 01:49:48.903: ISAKMP:(0:1:SW:1): sending package to 192.168.2.101 my_port 500 peer_port 500 (I) MM_KEY_EXCH
  * 01:49:48.907 Mar 1: ISAKMP: (0:1:SW:1): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  * 01:49:48.907 Mar 1: ISAKMP: (0:1:SW:1): former State = new State IKE_I_MM4 = IKE_I_MM5

  * 01:49:48.907 Mar 1: ISAKMP (0:134217729): packet received 192.168.2.101 dport 500 sport Global 500 (I) MM_KEY_EXCH
  * 1 Mar 01:49:48.911: ISAKMP:(0:1:SW:1): payload ID for treatment. Message ID = 0
  * 01:49:48.911 Mar 1: ISAKMP (0:134217729): payload ID
  next payload: 8
  type: 1
  address: 192.168.2.101
  Protocol: 17
  Port: 0
  Length: 12
  * 1 Mar 01:49:48.911: ISAKMP:(0:1:SW:1): peer games * no * profiles
  * 1 Mar 01:49:48.911: ISAKMP:(0:1:SW:1): HASH payload processing. Message ID = 0
  * 01:49:48.915 Mar 1: ISAKMP: received payload type 17
  * 1 Mar 01:49:48.915: ISAKMP:(0:1:SW:1): load useful vendor id of treatment
  * 1 Mar 01:49:48.915: ISAKMP:(0:1:SW:1): vendor ID is DPD
  * 01:49:48.915 Mar 1: ISAKMP: (0:1:SW:1): SA authentication status:
  authenticated
  * 01:49:48.915 Mar 1: ISAKMP: (0:1:SW:1): SA has been authenticated with 192.168.2.101
  * 01:49:48.915 Mar 1: ISAKMP: attempts to insert a 192.168.2.107/192.168.2.101/500/ peer and inserted 8553 778 successfully.
  * 01:49:48.919 Mar 1: ISAKMP: (0:1:SW:1): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  * 01:49:48.919 Mar 1: ISAKMP: (0:1:SW:1.): O State of LD = new State IKE_I_MM5 = IKE_I_MM6

  * 01:49:48.919 Mar 1: ISAKMP: (0:1:SW:1): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  * 01:49:48.919 Mar 1: ISAKMP: (0:1:SW:1): former State = new State IKE_I_MM6 = IKE_I_MM6

  * 01:49:48.923 Mar 1: ISAKMP: (0:1:SW:1): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  * 01:49:48.923 Mar 1: ISAKMP: (0:1:SW:1): former State = new State IKE_I_MM6 = IKE_P1_COMPLETE

  * 01:49:48.927 Mar 1: ISAKMP: (0:1:SW:1): start Quick Mode Exchange, M - ID of 590019425
  * 1 Mar 01:49:48.931: ISAKMP:(0:1:SW:1): sending package to 192.168.2.101 my_port 500 peer_port 500 (I) QM_IDLE
  * 01:49:48.931 Mar 1: ISAKMP: (0:1:SW:1): entrance, node-590019425 = IKE_MESG_INTERNAL, IKE_INIT_QM
  * 01:49:48.931 Mar 1: ISAKMP: (0:1:SW:1): former State = new State IKE_QM_READY = IKE_QM_I_QM1
  * 01:49:48.931 Mar 1: ISAKMP: (0:1:SW:1): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
  * 01:49:48.935 Mar 1: ISAKMP: (0:1:SW:1): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

  * 01:49:48.939 Mar 1: ISAKMP (0:134217729): packet received 192.168.2.101 dport 500 sport Global 500 (I) QM_IDLE
  * 01:49:48.939 Mar 1: ISAKMP: node set 330122531 to QM_IDLE
  * 1 Mar 01:49:48.943: ISAKMP:(0:1:SW:1): HASH payload processing. Message ID = 330122531
  * 1 Mar 01:49:48.943: ISAKMP:(0:1:SW:1): treatment protocol NOTIFIER INVALID_ID_INFO 1
  0, message ID SPI = 330122531, a = 84074CC8
  * 01:49:48.943 Mar 1: ISAKMP: (0:1:SW:1): the peer is not paranoid KeepAlive.

  * 01:49:48.943 Mar 1: ISAKMP: (0:1:SW:1): remove the reason for HIS "fatal Recevied of information' State (I) QM_IDLE (ext. 192.168.2.101)
  * 01:49:48.943 Mar 1: ISAKMP: (0:1:SW:1): remove error node 330122531 FALSE reason 'informational (en) st.
  Success rate is 0% (0/5)
  InternetRouter #ate 1 "
  * 01:49:48.943 Mar 1: ISAKMP: (0:1:SW:1): entry = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
  * 01:49:48.947 Mar 1: ISAKMP: (0:1:SW:1): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

  * 01:49:48.947 Mar 1: ISAKMP (0:134217729): packet received 192.168.2.101 dport 500 sport Global 500 (I) QM_IDLE
  * 01:49:48.951 Mar 1: ISAKMP: node set-412204705 to QM_IDLE
  * 1 Mar 01:49:48.951: ISAKMP:(0:1:SW:1): sending package to 192.168.2.101 my_port 500 peer_port 500 (I) QM_IDLE
  * 01:49:48.951 Mar 1: ISAKMP: (0:1:SW:1): purge the node-412204705
  * 01:49:48.955 Mar 1: ISAKMP: (0:1:SW:1): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
  * 01:49:48.955 Mar 1: ISAKMP: (0:1:SW:1): former State = new State IKE_P1_COMPLETE = IKE_DEST_SA

  * 01:49:48.955 Mar 1: ISAKMP: (0:1:SW:1): removal of HIS State "No reason" why (I) QM_IDLE (ext. 192.168.2.101)
  * 01:49:48.955 Mar 1: ISAKMP: Unlocking IKE struct 0x8553C778 for isadb_mark_sa_deleted(), count 0
  * 01:49:48.959 Mar 1: ISAKMP: delete peer node by peer_reap for 192.168.2.101: 8553 778
  * 01:49:48.959 Mar 1: ISAKMP: (0:1:SW:1): error in node-590019425 FALSE reason for deletion "deleted IKE."
  * 01:49:48.959 Mar 1: ISAKMP: (0:1:SW:1): node error 330122531 FALSE reason for deletion "removed IKE."
  * 01:49:48.959 Mar 1: ISAKMP: (0:1:SW:1): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  * 01:49:48.959 Mar 1: ISAKMP: (0:1:SW:1): former State = new State IKE_DEST_SA = IKE_DEST_SA

  Hello

  I gave a quick scan here for the configuration on both devices, found two or three commands are missing from the configuration of the ASA

  ASA
  ---

  card crypto ipsec_map 10 correspondence address site_router

  outside_access_in list extended access udp allowed any any eq 500
  outside_access_in list extended access udp allowed any any eq 4500
  outside_access_in list extended access allow esp a whole

  I'm assuming pre shared key defined on ASA cisco is the same on router

  On router
  ---------

  Try running the following commands: -.

  No crypto ipsec transform-set esp-3des secure_set
  Crypto ipsec transform-set esp-3des esp-sha-hmac secure_set

  At the time of the opening of the tunnel, please gather at the debug crypto isa 127 output and debug crypto ipsec 127 of ASA

  You can also check the configuration below document link

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805e8c80.shtml

  Ignore the map route on router configuration contained in the above document *.

  HTH...

  Kind regards
  Mohit

• Conflict of IPSec between IPSec and business VPN tunnels

  I crushed a 2821 current c2800nm-adventerprisek9 - mz.124 - 22.YB8 at home with 2 gre IPSec tunnels for personal use, and my office will be held that a customer based IPSec VPN to connect to the corporate VPN.  My problem is that when I want to connect to the corporate VPN, I see packages being encrypted and sent, but I would have never received the return packets.  It seems that the IPSec VPN tunnels with IPSec from my office and router packages conflict trying to decrypt and gives this error.  (I removed the public addresses for anonymity)

  CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec would be package IPSEC a bad spi to destaddr = "myaddress", prot = 50, spi = 0xDB32344E (3677500494), port = "corpvpn".

  When I remove the card encryption off-side WAN router, my Office VPN works immediately.  I can change the configuration, either on the side of the IPSec GRE tunnels, but has no way for me to change any configuration on the corporate VPN.  Does anyone know of a workaround on the cisco router?  I can provide the running configs or view orders.

  The 2821 also performs NAT overload for internet access.

  Hello, Reed.

  1. try to remove the interface crypto map and add "protection... profile ipsec tunnel." "to your VTI:

  Crypto ipsec IPSEC profile

  solid Set trans

  int g0/0

  No crypto map card

  int tu1

  Ipsec IPSEC protection tunnel profile

  int tu2

  Ipsec IPSEC protection tunnel profile

  2. try to force your corpVPN to use encapsulation UDP instead of ESP.

• Lost the VPN tunnel between 2 site when internal client using client vpn

  We currently have VPN tunnel connected to the remote desktop using router VPN Hotbrick 2.

  When 1 of the internal computer try to connect to another server VPN customer using Cisco VPN Client v4.8, she will appear in drop/disable/loss of the tunnel between us VPN and remote offices. The tunnel is still established but no traffice between site 2. (cannot all ping)

  What are the causes of the problem? Hotbrik problem? Customer Cisco VPN setting or something else?

  I don't know what causes the problem. Help, please. Thanks in advance.

  Hello

  The problem is that your NAT device will not translating properly, and when the 2nd customer triggers (ISAKMP packets-UDP 500) connections port isn't transalated, so for the SAA is as the first user tries to connect again, then it rejects the initial connection.

  The trick is, as you have discovered, use global UDP.

  The problem is that UDP 10000 is not a standard, so you need to check if multiple users can be connected at the same time behind the same NAT device.

  If this is not the case, use the NAT transparency standard industry (UDP 4500). This should be configured only on the SAA.

  Please rate if this helped.

  Kind regards

  Daniel

• NAT on IPSEC tunnel on cisco router

  Hello.

  I have a central router works as a Hup with two talks about routers, but rays routers has the same encryption domain network (the same local Network Segment), I need to do a nat on one of VPN tunnels to avoid conflicts in the concentrator, router. Can anyone help me?.

  Sent by Cisco Support technique iPad App

  NAT is performed before the encryption and decryption, so you should be able to configure your NAT as you please.

  Example:

  http://www.Cisco.com/en/us/products/ps5855/products_configuration_example09186a0080a0ece4.shtml

• SBS 2008 office1 Serv2008 Office 2 need to share assets between them via a site to site VPN tunnel

  Hi all.

  I really need help on this one.

  The office 1 installer running SBS2008 Office 2 running Server 2008.

  Each firm has its own FQDN Office 1 CompanyABC 2 A_B_C of the company office.

  Each firm has its own internal IP address pool Office 1 192.168.69.xxx and office 192.168.20.xxx 2.

  Site to site VPN tunnel between 2 office routers Netgear SRX5308 1 and 2 Netgear FVS318G Office established and working.

  Each firm has its own DNS server and acts as a domain controller

  How to configure the 2 networks to see each other and be able to use assets on every network (files, printers)?

  Is it so simple that the addition of another pool internal IP for each DNS server?

  Thanks in advance for your help.

  Hello

  Your Question is beyond the scope of this community.

  I suggest that repost you your question in the Forums of SBS.

  https://social.technet.Microsoft.com/forums/en-us/home?Forum=smallbusinessserver

  "Windows Small Business Server 2011 Essentials online help"

  https://msdn.Microsoft.com/en-us/library/home-client.aspx

  TechNet Server forums.

  http://social.technet.Microsoft.com/forums/WindowsServer/en-us/home?category=WindowsServer

  See you soon.

• Pass Cisco 871 and VPN to the SBS 2008 Server

  to precede the questions below, I'm responsible for COMPUTING internal with several years of site / offsite support. I also have very limited knowledge of the inner workings of a Cisco device. That said, I've beaten my head against a wall, trying to configure my router Cisco 871 to allow access to our internal server of SBS 2008 VPN hosting services. I think I, and properly configured the SBS 2008 Server.

  I use advanced IP services, version 12.4 (4) T7

  Here is the \windows\system32\conifg\system running

  Building configuration...

  Current configuration: 9414 bytes
  !
  version 12.4
  no service button
  tcp KeepAlive-component snap-in service
  a tcp-KeepAlive-quick service
  horodateurs service debug datetime localtime show-timezone msec
  Log service timestamps datetime localtime show-timezone msec
  encryption password service
  sequence numbers service
  !
  hostname yourname
  !
  boot-start-marker
  boot-end-marker
  !
  Security of authentication failure rate 3 log
  Passwords security min-length 6
  logging buffered debugging 51200
  recording console critical
  enable secret 5 *.

  !
  No aaa new-model
  !
  resources policy
  !
  PCTime-5 timezone clock
  PCTime of summer time clock day April 6, 2003 02:00 October 26, 2003 02:00
  IP subnet zero
  no ip source route
  IP cef
  !
  !
  !
  !
  synwait-time of tcp IP 10
  no ip bootp Server
  "yourdomain.com" of the IP domain name
  name of the IP-server 65.24.0.168
  name of the IP-server 65.24.0.196
  property intellectual ssh time 60
  property intellectual ssh authentication-2 retries
  inspect the IP name DEFAULT100 appfw DEFAULT100
  inspect the IP name DEFAULT100 cuseeme
  inspect the IP name DEFAULT100 ftp
  inspect the IP h323 DEFAULT100 name
  inspect the IP icmp DEFAULT100 name
  inspect the IP name DEFAULT100 netshow
  inspect the IP rcmd DEFAULT100 name
  inspect the IP name DEFAULT100 realaudio
  inspect the name DEFAULT100 rtsp IP
  inspect the IP name DEFAULT100 sqlnet
  inspect the name DEFAULT100 streamworks IP
  inspect the name DEFAULT100 tftp IP
  inspect the IP udp DEFAULT100 name
  inspect the name DEFAULT100 vdolive IP
  inspect the name DEFAULT100 http urlfilter IP
  inspect the IP router-traffic tcp name DEFAULT100
  inspect the IP name DEFAULT100 https
  inspect the IP dns DEFAULT100 name
  urlfilter IP interface-source FastEthernet4
  property intellectual urlfilter allow mode on
  urlfilter exclusive-area IP Deny. Facebook.com
  refuse the urlfilter exclusive-domain IP. spicetv.com
  refuse the urlfilter exclusive-domain IP. AddictingGames.com
  urlfilter exclusive-area IP Deny. Disney.com
  urlfilter exclusive-area IP Deny. Fest
  refuse the urlfilter exclusive-domain IP. freeonlinegames.com
  refuse the urlfilter exclusive-domain IP. hallpass.com
  urlfilter exclusive-area IP Deny. CollegeHumor.com
  refuse the urlfilter exclusive-domain IP. benmaller.com
  refuse the urlfilter exclusive-domain IP. gamegecko.com
  refuse the urlfilter exclusive-domain IP. ArmorGames.com
  urlfilter exclusive-area IP Deny. MySpace.com
  refuse the urlfilter exclusive-domain IP. Webkinz.com
  refuse the urlfilter exclusive-domain IP. playnow3dgames.com
  refuse the urlfilter exclusive-domain IP. ringtonemecca.com
  refuse the urlfilter exclusive-domain IP. smashingames.com
  urlfilter exclusive-area IP Deny. Playboy.com
  refuse the urlfilter exclusive-domain IP. pokemoncrater.com
  refuse the urlfilter exclusive-domain IP. freshnewgames.com
  refuse the urlfilter exclusive-domain IP. Toontown.com
  urlfilter exclusive-area IP Deny .online-Funny - Games.com
  urlfilter exclusive-area IP Deny. ClubPenguin.com
  refuse the urlfilter exclusive-domain IP. hollywoodtuna.com
  refuse the urlfilter exclusive-domain IP. andkon.com
  urlfilter exclusive-area IP Deny. rivals.com
  refuse the urlfilter exclusive-domain IP. moregamers.com
  !
  policy-name appfw DEFAULT100
  http request
  port-bad use p2p action reset alarm
  port-abuse im action reset alarm
  Yahoo im application
  default action reset service
  service-chat action reset
  Server deny name scs.msg.yahoo.com
  Server deny name scsa.msg.yahoo.com
  Server deny name scsb.msg.yahoo.com
  Server deny name scsc.msg.yahoo.com
  Server deny name scsd.msg.yahoo.com
  Server deny name messenger.yahoo.com
  Server deny name cs16.msg.dcn.yahoo.com
  Server deny name cs19.msg.dcn.yahoo.com
  Server deny name cs42.msg.dcn.yahoo.com
  Server deny name cs53.msg.dcn.yahoo.com
  Server deny name cs54.msg.dcn.yahoo.com
  Server deny name ads1.vip.scd.yahoo.com
  Server deny name radio1.launch.vip.dal.yahoo.com
  Server deny name in1.msg.vip.re2.yahoo.com
  Server deny name data1.my.vip.sc5.yahoo.com
  Server deny name address1.pim.vip.mud.yahoo.com
  Server deny name edit.messenger.yahoo.com
  Server deny name http.pager.yahoo.com
  Server deny name privacy.yahoo.com
  Server deny name csa.yahoo.com
  Server deny name csb.yahoo.com
  Server deny name csc.yahoo.com
  audit stop trail
  aol im application
  default action reset service
  service-chat action reset
  Server deny name login.oscar.aol.com
  Server deny name toc.oscar.aol.com
  Server deny name oam - d09a.blue.aol.com
  audit stop trail
  !
  !
  Crypto pki trustpoint TP-self-signed-1955428496
  enrollment selfsigned
  name of the object cn = IOS - Self - signed - certificate - 1955428496
  revocation checking no
  rsakeypair TP-self-signed-1955428496
  !
  !
  TP-self-signed-1955428496 crypto pki certificate chain
  certificate self-signed 01
  308201B 8 A0030201 02020101 3082024F 300 D 0609 2A 864886 F70D0101 04050030
  2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30
  69666963 31393535 34323834 6174652D 3936301E 170 3032 30333031 30303035
  33315A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D
  4F532D53 5369676E 656C662D 43 65727469 66696361 74652 31 39353534 65642D
  32383439 3630819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101
  8100CB6B E980F044 5FFD1DAE CBD35DE8 E3BE2592 DF0B2882 2F522195 4583FA03
  40F4DAC6 CEAD479F A92607D4 1 B 033714 51C3A84D EA837959 F5FC6508 4D71F8E6
  5B124BB3 31F0499F B0E871DB AF354991 7D45F180 5D8EE435 77C8455D 2E46DE46
  67791F49 44407497 DD911CB7 593E121A 0892DF33 3234CF19 B2AE0FFD 36A640DC
  2 010001 HAS 3 990203 AND 77307530 1 130101 FF040530 030101FF 30220603 0F060355 D
  1104 1B 301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D 551D
  301F0603 C 551 2304 18301680 145566 4581F9CD 7 5F1A49FB 49AC9EC4 678908FF
  2A301D06 04160414 5566 745 81F9CD5F 1A49FB49 AC9EC467 8908FF2A 03551D0E
  300 D 0609 2A 864886 818100B 3 04050003 903F5FF8 A2199E9E EA8CDA5D F70D0101
  60B2E125 AA3E511A C312CC4F 0130563F 28D3C813 99022966 664D52FA AB1AA0EE
  9A5C4823 6B19EAB1 7ACDA55F 6CEC4F83 5292 HAS 867 BFC65DAD A2391400 DA12860B
  5A 523033 E6128892 B9BE68E9 73BF159A 28D47EA7 76E19CC9 59576CF0 AF3DDFD1
  3CCF96FF EB5EB4C9 08366F8F FEC944CA 248AC7
  quit smoking
  secret of username admin privilege 15 5 *.

  !
  !
  Policy-map sdmappfwp2p_DEFAULT100
  !
  !
  !
  !
  !
  !
  interface FastEthernet0
  !
  interface FastEthernet1
  !
  interface FastEthernet2
  !
  interface FastEthernet3
  !
  interface FastEthernet4
  Description $$$ FW_OUTSIDE$ $ES_WAN$ ETH - WAN
  address IP dhcp client id FastEthernet4
  IP access-group 101 in
  no ip redirection
  no ip unreachable
  no ip proxy-arp
  NAT outside IP
  inspect the DEFAULT100 over IP
  IP virtual-reassembly
  route IP cache flow
  automatic duplex
  automatic speed
  sdmappfwp2p_DEFAULT100 of service-policy input
  out of service-policy sdmappfwp2p_DEFAULT100
  !
  interface Vlan1
  Description $ETH - SW - LAUNCH$ $INTF - INFO - HWIC-$4ESW $ES_LAN$ $FW_INSIDE$
  the IP 192.168.0.1 255.255.255.0
  IP access-group 100 to
  no ip redirection
  no ip unreachable
  no ip proxy-arp
  IP nat inside
  IP virtual-reassembly
  route IP cache flow
  IP tcp adjust-mss 1452
  !
  IP classless
  !
  !
  IP http server
  local IP http authentication
  IP http secure server
  IP http timeout policy slowed down 60 life 86400 request 10000
  the IP nat inside source 1 list the interface FastEthernet4 overload
  IP nat inside source static tcp 192.168.0.100 1723 1723 interface FastEthernet4
  IP nat inside source static tcp 192.168.0.100 25 25 FastEthernet4 interface
  IP nat inside source static tcp interface 192.168.0.100 80 80 FastEthernet4
  IP nat inside source static tcp 192.168.0.100 interface FastEthernet4 443 443
  IP nat inside source static tcp 192.168.0.100 interface FastEthernet4 987 987
  !
  recording of debug trap
  Note access-list 1 INSIDE_IF = Vlan1
  Remark SDM_ACL category of access list 1 = 2
  access-list 1 permit 192.168.0.0 0.0.0.255
  access-list 100 remark self-generated by the configuration of the firewall Cisco SDM Express
  Access-list 100 = 1 SDM_ACL category note
  access-list 100 deny ip 255.255.255.255 host everything
  access-list 100 deny ip 127.0.0.0 0.255.255.255 everything
  access ip-list 100 permit a whole
  access list 101 remark self-generated by the configuration of the firewall Cisco SDM Express
  Note access-list 101 = 1 SDM_ACL category
  access-list 101 permit tcp any any eq 1723
  access-list 101 permit tcp any any eq 987
  access-list 101 permit tcp any any eq 443
  access-list 101 permit tcp any any eq www
  access-list 101 permit tcp any any eq smtp
  access-list 101 permit udp host 65.24.0.169 eq field all
  access-list 101 permit udp host 65.24.0.168 eq field all
  access-list 101 permit udp host 24.29.1.219 eq field all
  access-list 101 permit udp host 24.29.1.218 eq field all
  access-list 101 permit udp any eq bootps any eq bootpc
  access-list 101 deny ip 192.168.0.0 0.0.0.255 any
  access-list 101 permit icmp any any echo response
  access-list 101 permit icmp any one time exceed
  access-list 101 permit everything all unreachable icmp
  access-list 101 deny ip 10.0.0.0 0.255.255.255 everything
  access-list 101 deny ip 172.16.0.0 0.15.255.255 all
  access-list 101 deny ip 192.168.0.0 0.0.255.255 everything
  access-list 101 deny ip 127.0.0.0 0.255.255.255 everything
  access-list 101 deny ip 255.255.255.255 host everything
  access-list 101 deny ip any one
  not run cdp
  !
  !
  control plan
  !
  connection of the banner ^ CCCCCAuthorized access only!
  Unplug IMMEDIATELY if you are not an authorized user. ^ C
  !
  Line con 0
  local connection
  no activation of the modem
  telnet output transport
  line to 0
  local connection
  telnet output transport
  line vty 0 4
  privilege level 15
  local connection
  transport input telnet ssh
  !
  max-task-time 5000 Planner
  Scheduler allocate 4000 1000
  Scheduler interval 500
  end

  All that top has been configured with the SDM interface. I hope someone here can take a look at this and see what my question is, and why I can't connect through the router.

  All thanks in advance to help me with this.

  Jason

  Based on your description, I am assuming that you are trying the traffic PPTP passthrough via the router 871, and the PPTP Protocol ends on your SBS 2008 Server.

  If this is the correct assumption, PPTP uses 2 protocols: TCP/1723 and GRE. Your configuration only allow TCP/1723, but not the GRE protocol.

  On 101 ACL, you must add "allow accord any any" before the declarations of refusal:

  101 extended IP access list

  1 allow any one

  I guess that the PPTP control connection works fine? Are you able to telnet to the router outside the ip address of the interface on port 1723?

• SBS 2008 - Server 2008 site to site vpn problem.

  Hi all

  I have a box of SBS 2008 I want to add another server to the remote site (standard 2008). Currently, VPN works great on SBS and I can compose anywhere via the pptp network and join.

  I added the RRAS branch again 2008 server role. Connection to the configured application, since VPN was already running on SBS, I just added to the request and the road. Both servers have user names Eric their numbering interfaces to, when I connect branch to SBS, he just connects in seconds, get IP address and routes are added, when I check the SBS it appears as inaccessible, when try to connect manually I either get error RRAS 0 or a pop up says the modem is already in use or not properly configured.

  Grateful if someone can the advice that I've spent 2 days on this.

  Thanx

  If you can repost this thread under http://blogs.technet.com/b/windowsserver/, you can get a lot of fruitful discussions, solutions...

• ASA Syslog via a VPN Tunnel

  Hi all

  I have a little problem concerning ASA and syslogs. I have a tunnel from site to site between a local ASA and ASA distance. Behind the ASA local, I have a central syslog server (which has no ASA as default gateway) which collects messages from all network devices and I want to get messages from the ASA remote as well.

  The tunnel protects traffic between local networks behind each ASA, which includes ASA inside remote interface as well. The problem is that if I specify on the SAA distance my syslog server it does not pass through the VPN tunnel. The ASA remote sees my server syslog as being 'outside' so he's using the external IP address as the source-interface for the syslog message. Which of course does not pass through the tunnel. As much as I know there is no way to configure the interface source for logging under the SAA, that you can do on a normal IOS router.

  I've found a few documents explaining this Setup on CCO, but they all imply I have extend the list for interesting traffic to access allow remote UDP/514 of the PIX traffic outside my local syslog server interface. This isn't something I want to do what I would get in routing complication in my LAN with a public IP address of the ASA remote.

  Any suggestions? I thought I could use some sort of NAT on the ASA remote so that all traffic for my local network a source the remote PIX is translated on the inside interface, which in theory should pass the package via the tunnel. I did not go so far.

  Any help is appreciated.

  Best regards

  Stefan

  You can define the interface that the ASA will use to send the newspapers "syslog_ip host record.

  Make sure you also do "access management".

  Then the SAA should source the syslogs from inside the interface, which is probably encrypted with the crypto ACL.

  I hope it helps.

  PK

• VPN tunnel between the concentrator 3005 and router Cisco 827

  I am trying to establish a VPN tunnel between the Central Office with VPN 3005 and controller branch Cisco 827 router.

  There is a router of perimeter with access set up in front of the 3005 list.

  I quote the ACLs on the Central perimeter router instructionsuivante to allow traffic to permit ip 3005 - acl 101 all 193.188.X.X (address of the hub)

  I get the following message appears when I try to ping a local host in the Central site.

  Can Anyoune give me the correct steps to 827 and 3005.

  Thank you

  CCNP Ansar.

  ------------------------------------------------------------------------------------------------------

  Debug crypto ISAKMP

  encryption of debugging engine

  Debug crypto his

  debug output

  ------------------

  1d20h: IPSEC (sa_request):,.

  (Eng. msg key.) Local OUTGOING = 172.22.113.41, distance = 193.188.108.165.

  local_proxy = 202.71.244.160/255.255.255.240/0/0 (type = 4),

  remote_proxy = 128.128.1.78/255.255.255.255/0/0 (type = 1),

  Protocol = ESP, transform = esp - esp-md5-hmac.

  lifedur = 3600 s and KB 4608000,

  SPI = 0x83B8AC1B (2209917979), id_conn = 0, keysize = 0, flags = 0x400D

  1d20h: ISAKMP: ke received message (1/1)

  1d20h: ISAKMP: 500 local port, remote port 500

  1d20h: ISAKMP (0:1): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

  Former State = new State IKE_READY = IKE_I_MM1

  1d20h: ISAKMP (0:1): early changes of Main Mode

  1d20h: ISAKMP (0:1): lot of 193.188.108.165 sending (I) MM_NO_STATE

  1d20h: ISAKMP (0:1): retransmission phase 1 MM_NO_STATE...

  1d20h: ISAKMP (0:1): will increment the error counter on his: retransmit the phase 1

  1d20h: ISAKMP (0:1): retransmission phase 1 MM_NO_STATE

  1d20h: ISAKMP (0:1): lot of 193.188.108.165 sending (I) MM_NO_STATE

  1d20h: ISAKMP (0:1): retransmission phase 1 MM_NO_STATE...

  1d20h: ISAKMP (0:1): will increment the error counter on his: retransmit the phase 1

  1d20h: ISAKMP (0:1): retransmission phase 1 MM_NO_STATE

  1d20h: ISAKMP (0:1): lot of 193.188.108.165 sending (I) MM_NO_STATE

  1d20h: IPSEC (key_engine): request timer shot: count = 1,.

  You must also allow the esp Protocol in your ACL.

  access-list 101 permit esp any host x.x.x.x (address of the hub)

  Hope this helps,

  -Nairi

• LAN-to-LAN tunnel between VPN 3000 and Cisco 1721

  Hello

  I have a current LAN-to-LAN tunnel configuration between VPN 3000 (3.6) and Cisco 1721 (12.2 (11) T).

  When I use the encryption = authentication and Des-56 = ESP\MD5\HMAC-128 for the IPSec Security Association, everything works fine.

  However, I would like to Turn off encryption for some time getting the speed improvements, so I changed

  Encryption = null esp (in 1721) and to "null" in VPN-3000.

  Now the tunnel is setup but I can spend only ICMP traffic. When I pass the traffic UDP\TCP the message below appears the Cisco 1721

  % C1700_EM-1-ERROR: error in packet-rx: pad size error, id 75, hen offset 0

  Has anyone seen this behavior?

  All those put in place an IPSec Tunnel with only the ESP authentication and NO encryption between VPN-3000 and Cisco 1721?

  Thanx------Naman

  Naman,

  Disable you the vpn Accelerator? "no accel crypto engine. Sure that you can't do with a null module vpn.

  Kurtis Durrett

• ASA Cisco IPSEC VPN tunnel has not managed the traffic

  Hi guys

  I am trying to set up a new connection IPSEC VPN between a Cisco ASA 5520 (verion 8.4 (4)) and Checkpoint Firewall. I managed to establish the phases IKE and IPSEC and I can see the tunnel is UP. But I can't see any traffic through the tunnel. I checked the cryptomap both ends and try to test with a contionuous ping from within the network of the SAA.

  I made a screenshot of ICMP packets but cannot see in ASA. I welcomed the icmp inside ASA interface.

  I did a package tracer and it ends with a fall of vpn - filter the packets. But can not see any configured filters...

  Your help is very appreciated...

  Thank you

  You probably need to add nat negate statements:-something like.

  object-group network OBJ-LOCAL
  Network 10.155.176.0 255.255.255.0
  object-group network OBJ / remote
  object-network 192.168.101.0 255.255.255.0
  NAT static OBJ-LOCALOBJ-LOCAL source destination (indoor, outdoor) static OBJ-REMOTE OBJ-REMOTE-no-proxy-arp

  You are running 8.4 nat 0 has been amortized

• Internet via the VPN tunnel

  Hi I have a question.

  I hope one of you can help me.

  My problem is that I want to the internet using VPN tunnenl.

  I have a VPN connection with my ASA 5505 at home.

  I am able to access the entire inside of the devices. But I'm unable to access the internet.

  is it possible the internet using the internet connection I have at home.

  i'f played a bit with the following commands:

  same-security-traffic permits intera-interface &

   same-security-traffic permit intera-interface & split-tunnel-policy tunnelall

  ASA version: 9.1 2

  ASDM version: 7.1 (3)

  Greetings

  Palermo

  the client that is connected via VPN you are able to ping 4.2.2.2?

  If Yes, if you issue a nslookup google.com is the resolved name?

  If this isn't the case, then I think that the following command highlighted is the problem:

  Group Policy home-attributes VPNSSL
  WINS server no
  DNS server no
  Ikev1 VPN-tunnel-Protocol, l2tp ipsec ikev2 ssl-client

  Try setting your DNS here server and test.

  --

  Please do not forget to select a correct answer and rate useful posts