Need help in configuring Client to Site IPSec VPN with Hairpinning on Cisco ASA5510 8.2(1)

Similar Messages

• DPD on client-2-site IPSEC VPN

  Hello
  I have configured the both client-2-site and site-2-site IPSEC tunnels on my ASR routers.
  Although I have the keepalive feature enabled on the router, the client-2-site tunnels are not disconnected in case of client to router connectivity breakdown.
  At the same time site-2-site tunnels are being disconnected by the DPD.
  The DPD is configured as follows
  "crypto isakmp keepalive 60 10 periodic"
  Does anybody can help me with this issue?
  Thank you in advance
  Regards
  Lukasz

  Czesc Lukasz,
  We had two common culprits recently:
  http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCto16377
  http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCty52047
  That COULD explain what you're seeing. Check them out, if you're running something newer - we might as well have a TAC case open so we can pull debugs and see.
  M.

• Cisco ASA 5505 site to site IPSec VPN with RV220W issue

  I have a ASA5505 connected to RV220W through IPSec VPN. When  using SMB to transfer large file, the ASA5505 will show error message:
  CTM ERROR: Invalid input parameters, ctm_get_scb_prot_stats:1561
  The error message from the debug crypto engine. When  the message show, the speed of the transfer will slow down quickly, and  even no data can be go through between ASA and the RV220W. But the IPSec  SA and the IKE SA is active, and can ping the inside network in both  site.
  Both ASA5505 and the RV220W has been updated the latest firmware. I have surf the Google but no such related issue found.
  Any suggestions on where to look would be much appreciated.
  Thanks in advance
  Terry

  Hi Ted thanks for your reply and information.
  The strange things happened in RV220W shows the IPSec sa is expired, but the ASA5505 IPSec and IKEv1 sa is active. Inside both site internal network can ping to other side, but cant transfer file through Windows SMB. It seems when I transfer over 4GBytes of file, it will start happening and required clear IPSec and IKEv1 sa so that the VPN tunnel will start up again.
  I am already surrander for this issue......

• Setting up site to site IPSec VPN with RV 120W

  Hi All,
  I am looking to set up a site to site VPN between a local and remote office, with a RV 120w as the gateway at either side. Aside from changing the remote site's IP and Subnet, what do I need to do to get this functional? to call myself a well tooled novice would be appropriate. Any help is appreciated.
  Thanks,
  Scott

  You will most likely need to call the Cisco Small Business Support Center at 1-866-606-1866 so that
  we can assist you in setting up the Gateway to Gateway VPN Tunnel.
  THANKS
  Rick Roe
  Cisco Small Business Support Center

• Cisco ASA Site to Site IPSEC VPN and NAT question

  Hi Folks,
  I have a question regarding both Site to Site IPSEC VPN and NAT. Basically what I want to achieve is to do the following:
  ASA2  is at HQ and ASA1 is a remote site. I have no problem setting up a  static static Site to Site IPSEC VPN between sites. Hosts residing at  10.1.0.0/16 are able to communicate with hosts at 192.168.1.0/24, but  what i want is to setup NAT with IPSEC VPN so that host at 10.1.0.0/16  will communicate with hosts at 192.168.1.0/24 with translated addresses
  Just an example:
  Host N2 (10.1.0.1/16) will communicate with host N1 192.168.1.5 with  destination lets say 10.23.1.5 not 192.168.1.5 (Notice the last octet  should be the same in this case .5)
  The same  translation for the rest of the communication (Host N2 pings host N3  destination ip 10.23.1.6 not 192.168.1.6. again last octet is the same)
  It sounds a bit confusing for me but i have seen this type of setup  before when I worked for managed service provider where we had  connection to our clients (Site to Site Ipsec VPN with NAT, not sure how  it was setup)
  Basically we were communicating  with client hosts over site to site VPN but their real addresses were  hidden and we were using translated address as mentioned above  10.23.1.0/24 instead of (real) 192.168.1.0/24, last octet should be the  same.
  Appreciate if someone can shed some light on it.

  Hi,
  Ok so were going with the older NAT configuration format
  To me it seems you could do the following:
  Configure the ASA1 with Static Policy NAT 
  access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
  static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
  Because the above is a Static Policy NAT it means that the translation will only be done when the destination network is 10.1.0.0/16
  If you for example have a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration wont interfere with eachother
  On ASA2 side you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network 
  access-list INSIDE-NONAT remark L2LVPN NONAT
  access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
  nat (inside) 0 access-list INSIDE-NONAT
  You will have to take into consideration that your access-list defining the L2L-VPN encrypted traffic must reflect the new NAT network 
  ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
  ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
  I could test this setup tomorrow at work but let me know if it works out.
  Please rate if it was helpful
  - Jouni

• Need Help on Configuring the Site to Site VPN from Cisco 2811 to Websense Cloud for web Traffic redirect

  Hi All,
  I need help on Configuring the Site to Site VPN from Cisco 2811 to Websense Cloud for web Traffic redirect
  2811 having C2800NM-ADVIPSERVICESK9-M
  2811 router connects to the Internet SW then connects to the Internet router.
  Note- For Authentication am using the Device ID & Pre share key. I am worried as all user traffic goes with PAT and not firing up my tunnel for port 80 traffic. Can you please suggest what can be the issue ?
  Below is router config for VPN & NAT
  crypto keyring ISR_Keyring
    pre-shared-key hostname vpn.websense.net key 2c22524d554556442d222d565f545246
  crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp keepalive 10
  crypto isakmp profile isa-profile
     keyring ISR_Keyring
     self-identity user-fqdn [email protected]
     match identity user vpn-proxy.websense.net
  crypto ipsec transform-set ESP-NULL-SHA esp-null esp-sha-hmac
  crypto map GUEST_WEB_FILTER 10 ipsec-isakmp
  set peer vpn.websense.net dynamic
  set transform-set ESP-NULL-SHA
  set isakmp-profile isa-profile
  match address 101
  interface FastEthernet0/1
  description connected to Internet
  ip address 216.222.208.101 255.255.255.128
  ip access-group HVAC_Public in
  ip nat outside
  ip virtual-reassembly
  duplex full
  speed 100
  no cdp enable
  crypto map GUEST_WEB_FILTER
  access-list 101 permit tcp 192.168.8.0 0.0.3.255 any eq www
  access-list 103 deny   ip 192.168.8.0 0.0.3.255 host 85.115.41.187 log
  access-list 103 deny   ip 192.168.8.0 0.0.3.255 host 85.115.41.181 log
  access-list 103 deny   ip 192.168.8.0 0.0.3.255 host 85.115.41.182 log
  access-list 103 deny   ip 192.168.8.0 0.0.3.255 86.111.216.0 0.0.1.255
  access-list 103 deny   ip 192.168.8.0 0.0.3.255 116.50.56.0 0.0.7.255
  access-list 103 deny   ip 192.168.8.0 0.0.3.255 86.111.220.0 0.0.3.255
  access-list 103 deny   ip 192.168.8.0 0.0.3.255 103.1.196.0 0.0.3.255
  access-list 103 deny   ip 192.168.8.0 0.0.3.255 177.39.96.0 0.0.3.255
  access-list 103 deny   ip 192.168.8.0 0.0.3.255 196.216.238.0 0.0.1.255
  access-list 103 permit ip 192.168.8.0 0.0.3.255 any
  ip nat pool mypool 216.222.208.101 216.222.208.101 netmask 255.255.255.128
  ip nat inside source list 103 interface FastEthernet0/1 overload
  ip nat inside source route-map nonat pool mypool overload

  How does Websense expect your source IPs in the tunnel? 192.168.8.0 0.0.3.255 or PAT'ed 216.222.208.101 ?
  Check
  show crypto isakmp sa
  show crypto ipsec sa
  show crypto session
  You'd better remove the preshared key from your post.

• I have a PC and a need help to configure my external hard disk on my network. Thanks

  I have a PC and a need help to configure my external hard disk on my network. Thanks

  If you mean you wish to plug a USB drive into the Airport Extreme router (or TC not express) that is easy..
  The disk must be formatted FAT32.. as if.. stay away from FAT .. or HFS+ ie Mac OS extended Journaled.
  Format the disk on a Mac is best.. and even use GUID partition scheme not MBR.
  The PC has no issue writing and reading files because this is a network drive.. The PC does not write to the drive.. it writes files to the Airport OS which writes and reads the disk and passes the info using standard windows SMB.. To the windows computer it will be a Windows NT server.. FAT32 setup.
  If your setup is different.. to my hugely guessed assumptions.. give details.. always helps to have.. make and model.
  Make and model of disk.. make and model of router.. how the setup will be done.. what windows OS you run.. etc etc.
  As it stands your question could have nothing to do with apple at all.. other than you posted in a forum so I guess there is something apple in there somewhere.

• How to handle multiple site to site IPsec vpn on ASA, any best practice to to manage multiple ipsec vpn configrations

  how to handle multiple site to site IPsec vpn on ASA, any best practice to to manage multiple ipsec vpn configurations
  before ver 8.3 and after version 8.3 ...8.4.. 9 versions..

  Hi,
  To my understanding you should be able to attach the same cryptomap to the other "outside" interface or perhaps alternatively create a new crypto map that you attach only to your new "outside" interface.
  Also I think you will probably need to route the remote peer ip of the VPN connection towards the gateway IP address of that new "outside" and also the remote network found behind the VPN connection.
  If you attempt to use VPN Client connection instead of L2L VPN connection with the new "outside" interface then you will run into routing problems as naturally you can have 2 default routes active at the sametime (default route would be required on the new "outside" interface if VPN Client was used since you DONT KNOW where the VPN Clients are connecting to your ASA)
  Hope this helps
  - Jouni

• HT2480 I need help syncing my computer outlook email (through Yahoo) with my Iphone. when I delete an email on my computer is it still in my inbox on my phone.  Any help is appreciated.

  I need help syncing my computer outlook email (through Yahoo) with my iphone.  When I delete an email on my computer it is still in my inbox on my phone. Please help.

  Your computer is probably set up to access your Yahoo mail using POP3. POP3 does not synchronize with the server. For full synchronization, you will need to use IMAP instead. See the Yahoo mail help pages for instructions on how to configure your mail client.

• Site-2-Site IPSEC VPN tunnel will not come up.

  Hello Experts,
  Just wondering if I can get some help on setting up a IPSEC VPN tunnel between a Cisco 2921 and ASA 550x. Below is the config
  show run | s crypto
  crypto pki token default removal timeout 0
  crypto isakmp policy 1
  encr aes
  authentication pre-share
  group 2
  lifetime 28800
  crypto isakmp key xxxxxxxxxxxxxxxxxxxxxx address A.A.A.A
  crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
  mode transport
  crypto map ICQ-2-ILAND 1 ipsec-isakmp
  set peer A.A.A.A
  set transform-set ESP-AES128-SHA
  match address iland_london_s2s_vpn
  crypto map ICQ-2-ILAND
  The config on the remote end has not been shared with me, so I don't know if I am doing something wrong locally or if the remote end is wrongly configured.
  The command Sh crypto isakmp sa displays the following
  show crypto isakmp sa
  IPv4 Crypto ISAKMP SA
  dst             src             state          conn-id status
  A.A.A.A    B.B.B.B   MM_NO_STATE       1231 ACTIVE (deleted)
  IPv6 Crypto ISAKMP SA
  show crypto session
  Crypto session current status
  Interface: GigabitEthernet0/0
  Session status: DOWN-NEGOTIATING
  Peer: A.A.A.A port 500
    IKEv1 SA: local B.B.B.B/500 remote A.A.A.A/500 Inactive
    IKEv1 SA: local B.B.B.B/500 remote A.A.A.A/500 Inactive
    IPSEC FLOW: permit ip 10.20.111.0/255.255.255.0 10.120.1.0/255.255.255.0
          Active SAs: 0, origin: crypto map
    IPSEC FLOW: permit ip 10.10.0.0/255.255.0.0 10.120.1.0/255.255.255.0
          Active SAs: 0, origin: crypto map
  The debug logs from the debug crypto isakmp command are listed below.
  ISAKMP:(0): local preshared key found
  Dec  6 08:51:52.019: ISAKMP : Scanning profiles for xauth ...
  Dec  6 08:51:52.019: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
  Dec  6 08:51:52.019: ISAKMP:      encryption AES-CBC
  Dec  6 08:51:52.019: ISAKMP:      keylength of 128
  Dec  6 08:51:52.019: ISAKMP:      hash SHA
  Dec  6 08:51:52.019: ISAKMP:      default group 2
  Dec  6 08:51:52.019: ISAKMP:      auth pre-share
  Dec  6 08:51:52.019: ISAKMP:      life type in seconds
  Dec  6 08:51:52.019: ISAKMP:      life duration (basic) of 28800
  Dec  6 08:51:52.019: ISAKMP:(0):atts are acceptable. Next payload is 0
  Dec  6 08:51:52.019: ISAKMP:(0):Acceptable atts:actual life: 0
  Dec  6 08:51:52.019: ISAKMP:(0):Acceptable atts:life: 0
  Dec  6 08:51:52.019: ISAKMP:(0):Basic life_in_seconds:28800
  Dec  6 08:51:52.019: ISAKMP:(0):Returning Actual lifetime: 28800
  Dec  6 08:51:52.019: ISAKMP:(0)::Started lifetime timer: 28800.
  Dec  6 08:51:52.019: ISAKMP:(0): processing vendor id payload
  Dec  6 08:51:52.019: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
  Dec  6 08:51:52.019: ISAKMP:(0): vendor ID is NAT-T v2
  Dec  6 08:51:52.019: ISAKMP:(0): processing vendor id payload
  Dec  6 08:51:52.019: ISAKMP:(0): processing IKE frag vendor id payload
  Dec  6 08:51:52.019: ISAKMP:(0):Support for IKE Fragmentation not enabled
  Dec  6 08:51:52.019: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  Dec  6 08:51:52.019: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
  Dec  6 08:51:52.019: ISAKMP:(0): sending packet to A.A.A.A my_port 500 peer_port 500 (I) MM_SA_SETUP
  Dec  6 08:51:52.019: ISAKMP:(0):Sending an IKE IPv4 Packet.
  Dec  6 08:51:52.019: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  Dec  6 08:51:52.019: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
  Dec  6 08:51:52.155: ISAKMP (0): received packet from A.A.A.A dport 500 sport 500 Global (I) MM_SA_SETUP
  Dec  6 08:51:52.155: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  Dec  6 08:51:52.155: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
  Dec  6 08:51:52.155: ISAKMP:(0): processing KE payload. message ID = 0
  Dec  6 08:51:52.175: ISAKMP:(0): processing NONCE payload. message ID = 0
  Dec  6 08:51:52.175: ISAKMP:(0):found peer pre-shared key matching A.A.A.A
  Dec  6 08:51:52.175: ISAKMP:(1227): processing vendor id payload
  Dec  6 08:51:52.175: ISAKMP:(1227): vendor ID is Unity
  Dec  6 08:51:52.175: ISAKMP:(1227): processing vendor id payload
  Dec  6 08:51:52.175: ISAKMP:(1227): vendor ID seems Unity/DPD but major 92 mismatch
  Dec  6 08:51:52.175: ISAKMP:(1227): vendor ID is XAUTH
  Dec  6 08:51:52.175: ISAKMP:(1227): processing vendor id payload
  Dec  6 08:51:52.175: ISAKMP:(1227): speaking to another IOS box!
  Dec  6 08:51:52.175: ISAKMP:(1227): processing vendor id payload
  Dec  6 08:51:52.175: ISAKMP:(1227):vendor ID seems Unity/DPD but hash mismatch
  Dec  6 08:51:52.175: ISAKMP:received payload type 20
  Dec  6 08:51:52.175: ISAKMP (1227): His hash no match - this node outside NAT
  Dec  6 08:51:52.175: ISAKMP:received payload type 20
  Dec  6 08:51:52.175: ISAKMP (1227): No NAT Found for self or peer
  Dec  6 08:51:52.175: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  Dec  6 08:51:52.179: ISAKMP:(1227):Old State = IKE_I_MM4  New State = IKE_I_MM4
  Dec  6 08:51:52.179: ISAKMP:(1227):Send initial contact
  Dec  6 08:51:52.179: ISAKMP:(1227):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
  Dec  6 08:51:52.179: ISAKMP (1227): ID payload
          next-payload : 8
          type         : 1
          address      : B.B.B.B
          protocol     : 17
          port         : 500
          length       : 12
  Dec  6 08:51:52.179: ISAKMP:(1227):Total payload length: 12
  Dec  6 08:51:52.179: ISAKMP:(1227): sending packet to A.A.A.A my_port 500 peer_port 500 (I) MM_KEY_EXCH
  Dec  6 08:51:52.179: ISAKMP:(1227):Sending an IKE IPv4 Packet.
  Dec  6 08:51:52.179: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  Dec  6 08:51:52.179: ISAKMP:(1227):Old State = IKE_I_MM4  New State = IKE_I_MM5
  Dec  6 08:51:52.315: ISAKMP (1227): received packet from A.A.A.A dport 500 sport 500 Global (I) MM_KEY_EXCH
  Dec  6 08:51:52.315: ISAKMP:(1227): processing ID payload. message ID = 0
  Dec  6 08:51:52.315: ISAKMP (1227): ID payload
          next-payload : 8
          type         : 1
          address      : A.A.A.A
          protocol     : 17
          port         : 0
          length       : 12
  Dec  6 08:51:52.315: ISAKMP:(0):: peer matches *none* of the profiles
  Dec  6 08:51:52.315: ISAKMP:(1227): processing HASH payload. message ID = 0
  Dec  6 08:51:52.315: ISAKMP:received payload type 17
  Dec  6 08:51:52.315: ISAKMP:(1227): processing vendor id payload
  Dec  6 08:51:52.315: ISAKMP:(1227): vendor ID is DPD
  Dec  6 08:51:52.315: ISAKMP:(1227):SA authentication status:
          authenticated
  Dec  6 08:51:52.315: ISAKMP:(1227):SA has been authenticated with A.A.A.A
  Dec  6 08:51:52.315: ISAKMP: Trying to insert a peer B.B.B.B/A.A.A.A/500/,  and inserted successfully 2B79E8BC.
  Dec  6 08:51:52.315: ISAKMP:(1227):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  Dec  6 08:51:52.315: ISAKMP:(1227):Old State = IKE_I_MM5  New State = IKE_I_MM6
  Dec  6 08:51:52.315: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  Dec  6 08:51:52.315: ISAKMP:(1227):Old State = IKE_I_MM6  New State = IKE_I_MM6
  Dec  6 08:51:52.315: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  Dec  6 08:51:52.315: ISAKMP:(1227):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
  Dec  6 08:51:52.315: ISAKMP:(1227):beginning Quick Mode exchange, M-ID of 1511581970
  Dec  6 08:51:52.315: ISAKMP:(1227):QM Initiator gets spi
  Dec  6 08:51:52.315: ISAKMP:(1227): sending packet to A.A.A.A my_port 500 peer_port 500 (I) QM_IDLE
  Dec  6 08:51:52.315: ISAKMP:(1227):Sending an IKE IPv4 Packet.
  Dec  6 08:51:52.315: ISAKMP:(1227):Node 1511581970, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
  Dec  6 08:51:52.315: ISAKMP:(1227):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
  Dec  6 08:51:52.315: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
  Dec  6 08:51:52.315: ISAKMP:(1227):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
  Dec  6 08:51:52.455: ISAKMP (1227): received packet from A.A.A.A dport 500 sport 500 Global (I) QM_IDLE
  Dec  6 08:51:52.455: ISAKMP: set new node -1740216573 to QM_IDLE
  Dec  6 08:51:52.455: ISAKMP:(1227): processing HASH payload. message ID = 2554750723
  Dec  6 08:51:52.455: ISAKMP:(1227): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
          spi 0, message ID = 2554750723, sa = 0x2B78D574
  Dec  6 08:51:52.455: ISAKMP:(1227):deleting node -1740216573 error FALSE reason "Informational (in) state 1"
  Dec  6 08:51:52.455: ISAKMP:(1227):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
  Dec  6 08:51:52.455: ISAKMP:(1227):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
  Dec  6 08:51:52.455: ISAKMP (1227): received packet from A.A.A.A dport 500 sport 500 Global (I) QM_IDLE
  Dec  6 08:51:52.455: ISAKMP: set new node 1297146574 to QM_IDLE
  Dec  6 08:51:52.455: ISAKMP:(1227): processing HASH payload. message ID = 1297146574
  Dec  6 08:51:52.455: ISAKMP:(1227): processing DELETE payload. message ID = 1297146574
  Dec  6 08:51:52.455: ISAKMP:(1227):peer does not do paranoid keepalives.
  Dec  6 08:51:52.455: ISAKMP:(1227):deleting SA reason "No reason" state (I) QM_IDLE       (peer A.A.A.A)
  Dec  6 08:51:52.455: ISAKMP:(1227):deleting node 1297146574 error FALSE reason "Informational (in) state 1"
  Dec  6 08:51:52.455: ISAKMP: set new node -1178304129 to QM_IDLE
  Dec  6 08:51:52.455: ISAKMP:(1227): sending packet to A.A.A.A my_port 500 peer_port 500 (I) QM_IDLE
  Dec  6 08:51:52.455: ISAKMP:(1227):Sending an IKE IPv4 Packet.
  Dec  6 08:51:52.455: ISAKMP:(1227):purging node -1178304129
  Dec  6 08:51:52.455: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
  Dec  6 08:51:52.455: ISAKMP:(1227):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
  Dec  6 08:51:52.455: ISAKMP:(1227):deleting SA reason "No reason" state (I) QM_IDLE       (peer A.A.A.A)
  Dec  6 08:51:52.455: ISAKMP: Unlocking peer struct 0x2B79E8BC for isadb_mark_sa_deleted(), count 0
  Dec  6 08:51:52.455: ISAKMP: Deleting peer node by peer_reap for A.A.A.A: 2B79E8BC
  Dec  6 08:51:52.455: ISAKMP:(1227):deleting node 1511581970 error FALSE reason "IKE deleted"
  Dec  6 08:51:52.455: ISAKMP:(1227):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  Dec  6 08:51:52.455: ISAKMP:(1227):Old State = IKE_DEST_SA  New State = IKE_DEST_SA
  would appreciate any help you can provide.
  Regards,
  Sidney Dsouza

  Hi Anuj,
  thanks for responding. Here are the logs from the debug crypto ipsec
  Dec 10 15:54:38.099 UTC: IPSEC(sa_request): ,
    (key eng. msg.) OUTBOUND local= B.B.B.B:500, remote= A.A.A.A:500,
      local_proxy= 10.20.0.0/255.255.0.0/0/0 (type=4),
      remote_proxy= 10.120.1.0/255.255.255.0/0/0 (type=4),
      protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),
      lifedur= 3600s and 4608000kb,
      spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
  Dec 10 15:54:38.671 UTC: IPSEC(key_engine): got a queue event with 1 KMI message(s)
  thats all that appeared after pinging the remote subnet.

• Needs help to know the different versions of forms with their compatibility

  Needs help to know the different versions of forms with their compatibility with different databases and operating systems.
  Kindly give the details or any suitable link for the same.
  please consider it as on urgent basis.
  regards,
  rajesh

  Rajesh,
  the certification matrix is available on metalink.oracle.com. You need a support contract to access this information.
  Frank

• Need help for XE client

  hi i´m a student particularly im new in databes so oracle and i thought that begin with Oracle Database XE Client is a good idea in order to learn and introduce oracle to my self.
  i have installed Oracle Database XE Client on WinXp home when installing it just showed me "transactoin server" port 2030 ; well my problem is next according to installation guide 2.4.1 Configuring for Microsoft Internet Explorer
  To configure Microsoft Internet Explorer to connect to the Oracle Database XE
  Database Home Page:
  1. From the Start menu, select Control Panel, then Internet Options.
  2. In the Internet Options dialog box, click the Security tab.
  3. Under Security, select Local Intranet and then select Sites.
  4. In the Local Intranet dialog box, select Advanced.
  5. Under Add this Web site to the zone, enter the following site:
  127.0.0.1 i did it.
  Now i have read about installation for XE client and i should see Database Home Page. but i can´t . some one to help?

  The client software is only used to connect to a database server installed on a remote machine. It sounds like you need to download and install the server software, which has the actual database. Note that if you install the database on a machine, you don't need the client software on that machine, so you may want to de-install the client software before you install the database server software.

• How to nat subnets before establishing site to site ipsec vpn tunnel?

  Hello,
  Coming across requirement which is new to me as I have not done this setup. Details as follows. Hope some1 can help.
  Requirement: nat existing subnets to 192.168.50.0/24 subnet which is allowed at another firewall.
  Existing device: Cisco 5510 where I need to do this NAT.
  Existing scenario in short: I have created vlans on asa by creating sub interfaces.
  Changes done: added new sub int for 192.168.50.0. Added new object as 192.168.50.0 . Now done with creation of acl where traffic from 192.168.50.0 to remote subnets allowed. In NAT object sections done nating 1 to 1 I.e. existing subnet to 192.168.50.0
  Done ipsec vpn setup inc phase 1 & 2.
  Now tried to ping remote hosts but not reachable.
  Pls advice how to make it work.
  I dont any router next to asa 5510. Asa is in routed mode. Next hop to asa is isp's mux.

  Hello. Pls find my answers inline
  I first got the picture that the NAT network is 192.168.50.0/24 and some other networks should be NATed to this.
  Answer: Thats correct.
  Later on it seems that you have configured this to some interface on the ASA?
  Answer: Yes as I have defined vlan's on ASA itself. i.e. other subnets too i.e. 10.x series & 192.168.222.x series. I used Ethernet 0/0 as main interface for all LAN networks and have created sub interfaces i.e. vlan's on it. Using 3COM switch down to ASA to terminate those vlan's & distribute to unmanaged switches. Due to port limitations on ASA I have configured vlans on ASA itself. Ethernet 0/2 is my WAN interfacei.e. ISP link terminates on Eth 0/2 port.
  So  are you attempting to NAT some other LAN networks to this single NAT  network before the traffic heads to the L2L VPN connection on your ASA?
  Answer: Yes thats right. Attempting to NAT multiple networks to single NAT before traffic head to L2L VPN connecting from my ASA 5510 to remote Citrix firewall.
  Can  you then mention what are the source networks and source interfaces for  these networks? What is the destination network at the remote end of  the L2L VPN connection?
  Answer:    Source networks =  10.100.x series & 192.168.222.x series / Destination networks are from 192.168.228.x , 192.168.229.x series.  Remote admin wants us to NAT our multiple subnets to single subnet i.e. 192.168.50.0 and then traffic from this subnet is allowed at remote end.
  Do  you want to just do a NAT Pool of the 192.168.50.0/24 network for all  your Internet users OR does the remote end also have to be able to  connect to some of your sites hosts/servers?
  Answer:  Yes just want to NAT LAN subnets to 192.168.50.0/24 for all LAN users. 1 way access. I am going to access remote servers.
  The new thing for me is how to NAT multiple subnets. I have existing ipsec vpn's where I have added multiple subnets which is traditional set up for me. This requirement is new to me.

• ASA 5505 Site to Site IPSec VPN WILL NOT CONNECT

  I've spent 2 days already trying to get 2 ASA 5505's to connect using an IPSec vpn tunnel. I cannot seem to figure out what im doing wrong, im using 192.168.97.0 and 192.168.100.0 as my internal networks that i'm trying to connect over a directly connected link on the outside interfaces with 50.1.1.1 and 50.1.1.2 as the addresses (all /24). I also tried with and currently without NAT enabled. Here are the configs for both ASA's, the vpn config was done by the ASDM, however i have also tried the command line apporach with no success. I have followed various guides to the letter online, starting from an empty config and from factory default. I have also tried the 8.4 IOS.
  ASA 1 Config
  ASA Version 8.3(2)
  hostname VIC
  enable password 8Ry2YjIyt7RRXU24 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.97.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 50.1.1.1 255.255.255.0
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  shutdown
  interface Ethernet0/3
  shutdown
  interface Ethernet0/4
  shutdown
  interface Ethernet0/5
  shutdown
  interface Ethernet0/6
  shutdown
  interface Ethernet0/7
  shutdown
  boot system disk0:/asa832-k8.bin
  ftp mode passive
  pager lines 24
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 192.168.97.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
  service-policy global_policy global
  prompt hostname context
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:4745f7cd76c82340ba1e7920dbfd2395
  ASA2 Config
  ASA Version 8.3(2)
  hostname QLD
  enable password 8Ry2YjIyt7RRXU24 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.100.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 50.1.1.2 255.255.255.0
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  shutdown
  interface Ethernet0/3
  shutdown
  interface Ethernet0/4
  shutdown
  interface Ethernet0/5
  shutdown
  interface Ethernet0/6
  shutdown
  interface Ethernet0/7
  shutdown
  ftp mode passive
  object network SITEA
  subnet 192.168.97.0 255.255.255.0
  object network NETWORK_OBJ_192.168.100.0_24
  subnet 192.168.100.0 255.255.255.0
  access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 object SITEA
  pager lines 24
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static SITEA SITEA
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 192.168.100.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set pfs group1
  crypto map outside_map 1 set peer 50.1.1.1
  crypto map outside_map 1 set transform-set ESP-3DES-SHA
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 65535
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  tunnel-group 50.1.1.1 type ipsec-l2l
  tunnel-group 50.1.1.1 ipsec-attributes
  pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
  service-policy global_policy global
  prompt hostname context
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:d987f3446fe780ab5fbb9d4213b3adff
  : end

  Hello Mitchell,
  Thank you for letting us know the resolution of this topic.
  Please answer the question as answered so future users can learn from this topic.
  Regards,
  Julio

• RV180W ipsec vpn with multiple networks

  Hello,
  I am setting up a customer site.  One side is RV180W and the other side is Checkpoint 500W.
  RV180W side
  LAN - 192.168.100.0/24
  Checkpoint side
  LAN - 172.26.1.0/24
  VOIP - 172.26.2.0/24
  Need to setup an ipsec tunnel between the site.  However, from the RV180W side, I can only ping the VOIP network, but not LAN.  Need help.  I have heard that RV180W only can talk to one remote network via ipsec, correct?  Any other way to workaround this other than changing out the RV180W?  Thanks.
  Ho

  Hi Tom,
  I have a similar situation, needing to setup 3 tunnels to the same endpoint.  Each tunnel has a different remote LAN setting, but I can only get one tunnel to work at a time.  I have to disable the other two.  For more details, see my posting: https://supportforums.cisco.com/message/3781143#3781143
  How can I setup 3 IPSEC tunnels to the same endpoint?
  Marshall