4215 EoS and cisco general EoS policy

Hello,
Can anybody help me on this matter:
I'm finding a discrepancy between Cisco general EoS policy and the 4215 EoS announcement.
As per Cisco general EoS policy:
http://www.cisco.com/en/US/products/products_end-of-life_policy.html
Software support will be as follows:
• For the first year following the end-of-sale date, we will provide bug fixes, maintenance releases, workarounds, or patches for critical bugs reported via the TAC or Cisco.com Web site.
• After the first year and for Operating System SW -where available- we will provide bug fixes, maintenance releases, workarounds or patches for a period of 4 years for operating system software. Bear in mind that it may be necessary to use software upgrade release to correct a reported problem.
• After the first year and for Application SW -where available - we will provide bug fixes, maintenance releases, workarounds or patches for a period of 2 years for application software. Bear in mind that it may be necessary to use software upgrade release to correct a reported problem.
So as a result, Cisco will provide bug fixes, maintenance releases, workarounds or patches for:
• A total period of 5 years (from EoS announcement) for Operating System SW
• A total period of 3 years (from EoS announcement) for Application SW.
Now, on the other hand, if we look specifically at the 4215 end-of-life announcement:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/ps5367/end_of_life_notice_for_cisco_ids_4215_sensor.html
It's clear that:
End of SW Maintenance Releases Date (HW): July 29, 2009. The last date that Cisco Engineering may release any final software maintenance releases or bug fixes. After this date, Cisco Engineering will no longer develop, repair, maintain, or test the product software.
This is only one year after the EoS announcement, and it is stated regardless of the support contract.
We can see that there is a discrepancy between the general EoS policy and the 4215 EoS announcement.
My questions are:
• Is the IPS4215 considered “Operating System SW” or “Application SW”?
• Can anybody please explain this discrepancy between the general EoS policy and the 4215 EoS announcement? It is not stated at all in the 4215 announcement that Cisco will provide bug fixes, maintenance releases, workarounds or patches for:
- A total period of 5 years (from EoS announcement) for Operating System SW
- A total period of 3 years (from EoS announcement) for Application SW.
Thank you

Similar Messages

  • Site-to-Site VPN between Cisco ASA 5505 (8.4) and Cisco Router (IOS 15.2)

    Hi, I'm trying to create a Site-to-Site VPN between a Cisco ASA 5505 and a Cisco 3945 router.
    I've tried creating the configuration with and without the ASA wizard, but either way it doesn't work.
    Please help me find where the issue is.
    I have two sites and would like to get access from 192.168.83.0 to 192.168.17.0
    192.168.17.0 --- S1.S1.S1.S1 (IOS Router) ==================== S2.S2.S2.S2 (ASA 5505) --- 192.168.83.0
    Here is my current configuration.
    Thanks for your help.
    IOS Configuration
    version 15.2
    crypto isakmp policy 1
    encr aes 256
    authentication pre-share
    group 2
    crypto isakmp key cisco address 198.0.183.225
    crypto isakmp invalid-spi-recovery
    crypto ipsec transform-set AES-SET esp-aes esp-sha-hmac
    mode transport
    crypto map static-map 1 ipsec-isakmp
    set peer S2.S2.S2.S2
    set transform-set AES-SET
    set pfs group2
    match address 100
    interface GigabitEthernet0/0
    ip address S1.S1.S1.S1 255.255.255.240
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map static-map
    interface GigabitEthernet0/1
    ip address 192.168.17.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    access-list 100 permit ip 192.168.17.0 0.0.0.255 192.168.83.0 0.0.0.255
    ASA Configuration
    ASA Version 8.4(3)
    interface Ethernet0/0
    switchport access vlan 2
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.83.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address S2.S2.S2.S2 255.255.255.248
    ftp mode passive
    same-security-traffic permit intra-interface
    object network inside-network
    subnet 192.168.83.0 255.255.255.0
    object network datacenter
    host S1.S1.S1.S1
    object network datacenter-network
    subnet 192.168.17.0 255.255.255.0
    object network NETWORK_OBJ_192.168.83.0_24
    subnet 192.168.83.0 255.255.255.0
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended deny ip any any log
    access-list outside_cryptomap extended permit ip 192.168.83.0 255.255.255.0 object datacenter-network
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool vpn_pool 192.168.83.200-192.168.83.254 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source dynamic inside-network interface
    nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup
    nat (inside,outside) source static inside-network inside-network destination static datacenter-network datacenter-network no-proxy-arp route-lookup
    nat (inside,outside) source static NETWORK_OBJ_192.168.83.0_24 NETWORK_OBJ_192.168.83.0_24 destination static datacenter-network pdatacenter-network no-proxy-arp route-lookup
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 DEFAULT_GATEWAY 1
    crypto ipsec ikev1 transform-set vpn-transform-set esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set vpn-transform-set mode transport
    crypto ipsec ikev1 transform-set L2L_SET esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set L2L_SET mode transport
    crypto dynamic-map dyno 10 set ikev1 transform-set vpn-transform-set
    crypto map vpn 1 match address outside_cryptomap
    crypto map vpn 1 set pfs
    crypto map vpn 1 set peer S1.S1.S1.S1
    crypto map vpn 1 set ikev1 transform-set L2L_SET
    crypto map vpn 20 ipsec-isakmp dynamic dyno
    crypto map vpn interface outside
    crypto isakmp nat-traversal 3600
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 20
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    group-policy GroupPolicy_S1.S1.S1.S1 internal
    group-policy GroupPolicy_S1.S1.S1.S1 attributes
    vpn-tunnel-protocol ikev1
    group-policy remote_vpn_policy internal
    group-policy remote_vpn_policy attributes
    vpn-tunnel-protocol ikev1 l2tp-ipsec
    username artem password 8xs7XK3To4s5WfTvtKAutA== nt-encrypted
    username admin password rqiFSVJFung3fvFZ encrypted privilege 15
    tunnel-group DefaultRAGroup general-attributes
    address-pool vpn_pool
    default-group-policy remote_vpn_policy
    tunnel-group DefaultRAGroup ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group DefaultRAGroup ppp-attributes
    authentication ms-chap-v2
    tunnel-group S1.S1.S1.S1 type ipsec-l2l
    tunnel-group S1.S1.S1.S1 general-attributes
    default-group-policy GroupPolicy_S1.S1.S1.S1
    tunnel-group S1.S1.S1.S1 ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:f55f10c19a0848edd2466d08744556eb
    : end

    Thanks for helping me again. I really appreciate.
    I don't have any NAT exemptions on the Cisco IOS router. I will change the transform-set soon, but I've tried tunnel mode and it didn't work.
    Maybe the NAT exemption is the issue. Can you advise me which exemptions should be on the Cisco IOS router?
    Because on the Cisco ASA I guess I have everything.
    Here is the output of show crypto session detail:
    router(config)#do show crypto session detail
    Crypto session current status
    Code: C - IKE Configuration mode, D - Dead Peer Detection
    K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
    X - IKE Extended Authentication, F - IKE Fragmentation
    Interface: GigabitEthernet0/0
    Session status: DOWN
    Peer: 198.0.183.225 port 500 fvrf: (none) ivrf: (none)
          Desc: (none)
          Phase1_id: (none)
      IPSEC FLOW: permit ip 192.168.17.0/255.255.255.0 192.168.83.0/255.255.255.0
            Active SAs: 0, origin: crypto map
            Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
            Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
    Should I see something in crypto isakmp sa?
    pp-border#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    IPv6 Crypto ISAKMP SA
    Thanks again for your help.

  • Juniper SSG and Cisco ACS v5.x Configuration

    I searched for a long time unsuccessfully trying to find a resolution to my SSG320M and Cisco ACS v5.x TACACS dilemma.  I finally got it working in my network, so I'm posting the resolution here in case anyone else is looking.
    Configure the Juniper (CLI)
      1. Add the Cisco ACS and TACACS+ configuration
         set auth-server CiscoACSv5 id 1
         set auth-server CiscoACSv5 server-name 192.168.1.100
         set auth-server CiscoACSv5 account-type admin
         set auth-server CiscoACSv5 type tacacs
         set auth-server CiscoACSv5 tacacs secret CiscoACSv5
         set auth-server CiscoACSv5 tacacs port 49
         set admin auth server CiscoACSv5
         set admin auth remote primary
         set admin auth remote root
         set admin privilege get-external
    Configure the Cisco ACS v5.x (GUI)
      1. Navigate to Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles
            Create the Juniper Shell Profile.
            Click the [Create] button at the bottom of the page
                    Select the General tab
                            Name:    Juniper
                            Description:  Custom Attributes for Juniper SSG320M
                    Select the Custom Attributes tab
                        Add the vsys attribute:
                            Attribute:                vsys
                            Requirement:       Mandatory
                            Value:                    root
                            Click the [Add^] button above the Attribute field
                        Add the privilege attribute:
                            Attribute:                privilege
                            Requirement:       Mandatory
                            Value:                    root
                                    Note: you can also use 'read-write' but then local admin doesn't work correctly
                            Click the [Add^] button above the Attribute field
                    Click the [Submit] button at the bottom of the page
    2. Navigate to Access Policies > Access Services > Default Device Admin > Authorization
            Create the Juniper Authorization Policy and filter by Device IP Address.
            Click the [Customize] button at the bottom Right of the page
                    Under Customize Conditions, select Device IP Address from the left window
                            Click the [>] button to add it
                    Click the [OK] button to close the window
                    Click the [Create] button at the bottom of the page to create a new rule
                            Under General, name the new rule Juniper, and ensure it is Enabled
                            Under Conditions, check the box next to Device IP Address
                                    Enter the ip address of the Juniper (192.168.1.100)
                            Under Results, click the [Select] button next to the Shell Profile field
                                    Select 'Juniper' and click the [OK] button
                            Under Results, click the [Select] button below the Command Sets (if used) field
                                    Select 'Permit All' and ensure all other boxes are UNCHECKED
                            Click the [OK] button to close the window
                    Click the [OK] button at the bottom of the page to close the window
                    Check the box next to the Juniper policy, then move the policy to the top of the list
                    Click the [Save Changes] button at the bottom of the page
    3. Log in to the Juniper CLI and GUI, and attempt to change something to verify the privilege level.

    Cisco Prime LMS is not designed to manage appliances like the ACS. ACS is not on the LMS supported device list and I would doubt that it would be as LMS's functions are mostly not applicable to the appliance or software running on it.
    You can use ACS as an authentication source for LMS, but authorization is still role-based according to the local accounts on the LMS server.

  • IPSEC between Fortinet and Cisco SA540

    Hi,
    We have set up a site-to-site VPN between a Fortinet and a Cisco SA540. Everything is configured at both ends but the tunnel is not established. Can you help me resolve the issue?
    Regards,
    Satish.

    Hello Venkatasatish,
    I am going to send you an example of a VPN between Cisco ASA version 8.2 and Fortigate mr4.
    In my example I am going to use the following environments:
    Cisco ASA "Zones"
    Inside: 192.168.1.0/24     "Asa inside interface Ip address 192.168.1.1"
    Outside: 200.200.200.0/29  "Asa outside interface Ip address 200.200.200.1"
    Fortigate "Zones"
    inside: 172.16.1.0/24     "Asa inside interface Ip address 172.16.1.1"
    outside: 201.201.201.0/29  "Asa outside interface Ip address 201.201.201.1"
    =================================> VPN Script of ASA <=================================
    access-list inside_access_in remark Firewall rule from ASA to Fortigate
    access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0 log notifications
    access-group inside_access_in in interface inside
    access-list VPN_NONAT remark Nonat to VPN traffic over VPN
    access-list VPN_NONAT extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
    access-list CryptoMap_ASA_to_Fortigate remark VPN Site-to-Site to Fortigate Site
    access-list CryptoMap_ASA_to_Fortigate extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
    nat (inside) 0 access-list VPN_NONAT
    crypto isakmp enable outside
    crypto isakmp policy 1
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map OUTSIDE_map 1 match address CryptoMap_ASA_to_Fortigate
    crypto map OUTSIDE_map 1 set peer 201.201.201.1
    crypto map OUTSIDE_map 1 set transform-set ESP-3DES-SHA
    crypto map OUTSIDE_map 1 set security-association lifetime seconds 3600
    crypto map OUTSIDE_map interface outside
    group-policy GP_TO_FORTIGATE internal
    group-policy GP_TO_FORTIGATE attributes
    vpn-idle-timeout none
    vpn-tunnel-protocol IPSec
    tunnel-group 201.201.201.1 type ipsec-l2l
    tunnel-group 201.201.201.1 general-attributes
    default-group-policy GP_TO_FORTIGATE
    tunnel-group 201.201.201.1 ipsec-attributes
    pre-shared-key cisco123
    =================================> VPN Script for Fortigate ==============================
    Phase 1:
    FORTIGATE# config vpn ipsec phase1-interface  "enter"
    FORTIGATE (phase1-interface) # edit 200.200.200.1 "enter"
            set interface "outside"
            set keylife 86400
            set mode main
            set dhgrp 2
            set proposal 3des-sha1
            set remote-gw 200.200.200.1
            set psksecret ENC cisco123
            next "to apply the configuration"
    Phase 2
    FORTIGATE# config vpn ipsec phase2-interface
        edit 200.200.200.1
            set keepalive enable
            set pfs disable
            set phase1name "200.200.200.1"
            set proposal 3des-sha1
            set dst-subnet 192.168.1.0 255.255.255.0
            set keylifeseconds 3600
            set src-subnet 172.16.1.0 255.255.255.0
            next "to apply the configuration"
    Configure the route to the VPN: I am using entry 100; you need to check your own firewall.
    FORTIGATE# config router static "enter"
    FORTIGATE (static) # edit 100 "enter"
    FORTIGATE (100) #  set device "200.200.200.1"
                       set distance 1
                       set dst 192.168.1.0 255.255.255.0
    Create a Rule: in my example I'm using any to any over the VPN, but you can filter based on your network environment.
    FORTIGATE # config firewall policy "enter"
    FORTIGATE (policy) # edit 100 "enter"
    config firewall policy
        edit 100
            set srcintf "200.200.200.1"
            set dstintf "inside"
                set srcaddr "all"            
                set dstaddr "all"            
            set action accept
            set schedule "always"
                set service "ANY"            
            set logtraffic enable
            set comments "Access from VPN ASA site"
    FORTIGATE (policy) # edit 101 "enter"
    config firewall policy
        edit 101
            set srcintf "inside"
            set dstintf "200.200.200.1"
                set srcaddr "all"            
                set dstaddr "all"            
            set action accept
            set schedule "always"
                set service "ANY"            
            set logtraffic enable
            set comments "Access to VPN ASA Site"
    After that, please start traffic between the private networks, 192.168.1.0 and 172.16.1.0/24.
    Please let me know how it goes!
    Good luck.
    Fabio Jorge Amorim

  • Communication problem between Cisco 3560 and Cisco SG300.

    Dear Support,
    I have a Cisco SG300 and a Cisco 3560 switch.
    The 3560 is my core switch and the SG300 is an access switch.
    VLAN information is not passed from the 3560 to the SG300.
    3560 Configuration:
    interface GigabitEthernet0/23
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 1,2,10,11
    switchport mode trunk
    SG300 Configuration:
    interface gigabitethernet49
    spanning-tree link-type point-to-point
    switchport mode general
    switchport general allowed vlan add 2,10-11 tagged
    macro description switch
    Please suggest how this issue can be resolved.
    Regards,
    Jitesh Mahajan.

    Dear Aleksandra,
    Is the configuration below right or wrong for the 3560 and SG300?
    3560 Configuration:
    interface GigabitEthernet0/23
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan remove VLAN 1
    switchport native vlan 1
    switchport trunk allowed vlan 1,2,10,11
    switchport mode trunk
    SG300 Configuration:
    interface gigabitethernet49
    spanning-tree link-type point-to-point
    switchport mode general
    switchport general allowed vlan add 2,10-11 tagged
    macro description switch
    Regards,
    Jitesh Mahajan.

  • What is the difference in the features between Cisco prime 1.2 and Cisco prime 1.4 ?

    Dears,
    Please, I need to know the difference in features between Cisco Prime Infrastructure 1.2 and Cisco Prime 1.4.
    I have already seen the release notes for each one, but they only list the new features of each release, so I need to know the difference between them, not the new features.
    Awaiting your kind feedback, please.
    Regards,

    Hi,
    New Features and Enhancements
    The following topics describe new features and enhancements in Cisco Prime Infrastructure 1.4.
    Management Support for WLC Release 7.5
    Support for 802.11ac Module
    Support for Cisco AP 700
    Policy Classification Engine
    FlexConnect Audit Support
    Autonomous AP Support
    Client Stateful Switchover
    Cable Modem Monitoring
    Support for Secure File Transfer Protocol
    Please go through the link and check the data sheet for further clarification.
    http://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/prime-infrastructure/datasheet-c78-729879.html

  • DAP using LDAP and Cisco Attributes

    I would like to be able to set up a Dynamic Access Policy with the criteria that if all of the following match:
    cisco.grouppolicy=Sales
    ldap.memberOf=Remote_Access
    the user can have a specific set of access. My connection profile is using a RADIUS server to authenticate and assign the Group Policy.
    Is it possible to accomplish this? It doesn't seem to work for me.

    Hi Luis,
    If you want to use LDAP attributes in your DAP policy, then you have to use LDAP for authentication or authorization in your tunnel-group.
    So you will either have to replace RADIUS with LDAP for authentication, or keep RADIUS for authentication and add LDAP for authorization on top.
    hth
    Herbert

  • FreeRadius and Cisco 2600 Terminal Server [IOS 12.1(3)T]

    Hi Cisco People
    I'm using FreeRadius 2 and a Cisco 2600 terminal server to coordinate access to Cisco routers based on time ranges.
    Basically we are an education/training environment where some students access the routers and switches for practice; terminal servers are used to consolidate the console access, and these terminal servers authenticate the users through a RADIUS server (as shown in the following figure). Additionally, the students are categorized into a few groups. We want to implement a policy on the RADIUS server so that only a certain group can access the resources in a given time window (the user should be dropped from the terminal when the subscribed time is reached and cannot access thereafter).
    +++++++++++++++      +++++++++++++++++++      +++++++++++++++++++
    +    User     ++++++++  Cisco 2600     ++++++++  Network        +
    +             +      +  Terminal Serv  +      +  Devices        +
    +++++++++++++++      +++++++++++++++++++      +++++++++++++++++++
                                (NAS)
                                  +
                                  +
                          +++++++++++++++++
                          +  FreeRadius   +
                          +++++++++++++++++
    Right now I'm able to do the "hello-world" setup with the following users and clients.conf. On the terminal server side, aaa new-model is enabled on the cisco terminal server to communicate with this radius server.
    users
    =============
    cisco Auth-Type := System
      Service-Type = NAS-Prompt-User,
      cisco-avpair = "shell:priv-lvl=15"
    clients.conf
    ==============
    client 192.168.1.1 {
      secret = SECRET_KEY
      shortname = termserver
      nastype = cisco
    }
    A typical transaction would be:
    Access-Request
    =======
            NAS-IP-Address = 192.168.1.1
            NAS-Port = 35
            NAS-Port-Type = Async
            User-Name = "cisco"
            Calling-Station-Id = "1.1.1.1"
            User-Password = "cisco"
    Access-Accept
    =======
            Service-Type = NAS-Prompt-User
            Cisco-AVPair = "shell:priv-lvl=15"
    This works fine but doesn't provide any time limitation. So I have modified the FreeRadius config to be:
    users
    =============
    cisco Auth-Type := System
      Service-Type = NAS-Prompt-User,
      cisco-avpair = "shell:priv-lvl=15",
      Session-Timeout = 20
    Cisco Terminal Server
    ==============
    aaa new-model
    aaa authentication login default group radius local none
    aaa authorization exec default group radius if-authenticated 
    aaa accounting exec default start-stop group radius
    aaa accounting network default start-stop group radius
    aaa accounting connection default start-stop group radius
    After this, I am able to see that the terminal server actually receives an Access-Accept including the Session-Timeout attribute, like the following:
            Service-Type = NAS-Prompt-User
            Cisco-AVPair = "shell:priv-lvl=15"
            Session-Timeout = 20
    But the problem is that it doesn't really terminate the session after the 20 seconds are reached. My questions are:
    1. Is the terminal server really able to enforce such a time limit after receiving the attribute?
    2. Is the 2600 terminal server with IOS 12.1(3)T compliant with RFC 2865?
    3. What can I do so that the terminal server forces the user to be logged out after the session time limit is reached?
    Thanks
    Frank

    Frank,
    I think you should use Login-Time as well:
    Login-Time
    Login-Time is a very powerful internal check AVP. It allows flexible authorization and its value is used by the logintime (rlm_logintime) module to determine if a person is allowed to authenticate to the FreeRADIUS server or not. This value is also used to calculate the Session-Timeout reply value. Session-Timeout is subsequently used by the NAS to limit access time.
    The following line will grant Alice access only between 08:00 and 18:00 each day.
    "alice" Cleartext-Password := "passme", Login-Time := 'Al0800-1800'
    The logintime module will calculate the reply value of Session-Timeout if Alice has logged in within the permitted timeslots to inform the NAS how long she is allowed to stay connected. If Alice tries to access the network when she is not permitted, the request will be rejected.
    http://www.packtpub.com/article/getting-started-with-freeradius
    http://wiki.freeradius.org/config/Users
    yes, the terminal server is RFC 2865 compliant.
    Rate if Useful :)
    Sharing knowledge makes you Immortal.
    Regards,
    Ed
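    Ed's answer describes how rlm_logintime turns a Login-Time check value into the Session-Timeout reply that the NAS enforces. The Python below is an added illustration written for this thread, not FreeRADIUS code: it expands Login-Time values such as 'Al0800-1800' and 'Wk0855-2305,Sa,Su2230-0230' into a weekly minute table and computes the remaining seconds; the table representation, the function names and the handling of concatenated day codes are this example's own assumptions about the syntax, not rlm_logintime internals.

```python
"""Added example (not FreeRADIUS code): how a Login-Time check value such
as 'Al0800-1800' or 'Wk0855-2305,Sa,Su2230-0230' turns into the
Session-Timeout reply that the NAS then enforces.

Assumptions: the Login-Time grammar handled here is day codes Mo Tu We
Th Fr Sa Su, Wk (Mon-Fri) and Al/Any (every day), optionally followed by
one or more HHMM-HHMM ranges; a range whose end is not after its start
wraps past midnight.  The minute table and function names are this
example's own, not rlm_logintime internals."""

import re
from datetime import datetime

MINUTES_PER_DAY = 24 * 60
DAY_CODES = {"Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5},
             "Su": {6}, "Wk": {0, 1, 2, 3, 4}, "Al": set(range(7)), "Any": set(range(7))}
DAY_RE = "Mo|Tu|We|Th|Fr|Sa|Su|Wk|Al|Any"
ENTRY_RE = re.compile(rf"^((?:{DAY_RE})+)((?:\d{{4}}-\d{{4}})*)$")


def parse_login_time(spec):
    """Expand a Login-Time value into allowed[weekday][minute_of_day] (Mon = 0)."""
    allowed = [[False] * MINUTES_PER_DAY for _ in range(7)]
    for entry in spec.split(","):
        entry = entry.strip()
        match = ENTRY_RE.match(entry)
        if not match:
            raise ValueError(f"unsupported Login-Time entry: {entry!r}")
        days = set()
        for code in re.findall(DAY_RE, match.group(1)):
            days |= DAY_CODES[code]
        # No time range means the whole day is permitted.
        ranges = (re.findall(r"(\d{2})(\d{2})-(\d{2})(\d{2})", match.group(2))
                  or [("00", "00", "24", "00")])
        for h1, m1, h2, m2 in ranges:
            start, end = int(h1) * 60 + int(m1), int(h2) * 60 + int(m2)
            for day in days:
                if end > start:
                    for minute in range(start, end):
                        allowed[day][minute] = True
                else:  # e.g. Su2230-0230: runs into the next day
                    for minute in range(start, MINUTES_PER_DAY):
                        allowed[day][minute] = True
                    for minute in range(0, end):
                        allowed[(day + 1) % 7][minute] = True
    return allowed


def session_timeout(allowed, now):
    """Seconds until the permitted window containing `now` closes.

    Returns 0 when the login should be rejected (outside every window) and
    None when access is permitted all week, so no Session-Timeout applies."""
    day, minute = now.weekday(), now.hour * 60 + now.minute
    if not allowed[day][minute]:
        return 0
    remaining = 0
    while allowed[day][minute]:
        remaining += 1
        if remaining >= 7 * MINUTES_PER_DAY:
            return None
        minute += 1
        if minute == MINUTES_PER_DAY:
            day, minute = (day + 1) % 7, 0
    return remaining * 60 - now.second


def reply_attributes(spec, now, priv_level=15):
    """Build the Access-Accept attributes shown in the thread, plus Session-Timeout."""
    timeout = session_timeout(parse_login_time(spec), now)
    if timeout == 0:
        return None  # Access-Reject: outside the permitted timeslots
    reply = {"Service-Type": "NAS-Prompt-User",
             "Cisco-AVPair": f"shell:priv-lvl={priv_level}"}
    if timeout is not None:
        reply["Session-Timeout"] = timeout
    return reply


if __name__ == "__main__":
    # Constructed sample: Alice's window from the reply, checked on a Monday at 17:30.
    print(reply_attributes("Al0800-1800", datetime(2011, 12, 19, 17, 30, 0)))
```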

  • IPSec ikev2 between ASA and Cisco Router

    Hi,
    I am trying to set up IPsec with IKEv2 (SHA2) between an ASA and a Cisco router, without success. Can anyone help me?
    - Remote site (Router) with dynamic public IP -> Dynamic crypto map on the ASA
    - Authentication with certificates
    - integrity sha2
    I have tried a lot of configurations without success.
    Thanks for your help.
    Mic

    The more secure IKE policy should have the higher priority, which is a smaller number. So I would configure them the following way (policy 30 only if really needed):
    crypto ikev1 policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 28800
    crypto ikev1 policy 20
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 28800
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 43200
    The Cisco VPN Client is EoL and no longer supported. And yes, by default DH group 2 is used, but that can be configured by a parameter in the PCF file.
    There are two (three) better options:
    Best option with very little configuration needed:
    Move to AnyConnect with TLS. AnyConnect is the current Cisco client, which is also supported on Windows 8.x. The legacy IPsec client isn't.
    Best option with slightly stronger crypto but more configuration:
    Move to AnyConnect with IPsec/IKEv2.
    Move to a third-party client like shrew.net. I haven't used that client for a couple of years now, but it's quite flexible and also has a setting for a better DH group.
    For options 1) and 2) an extra license is needed, but that's not very expensive.

  • VPN between RV042 and Cisco 2801

    HI
    Kindly help me out. I'm configuring a p2p VPN between a Cisco 2801 with IOS 12.3 and a Linksys RV042. I'm getting the following errors on the Linksys and the Cisco respectively.
    [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
    Dec 19 02:40:42 2011
         VPN Log
        Received informational payload, type NO_PROPOSAL_CHOSEN
    dst             src             state               conn-id     slot    status
    x.x.x.x       x.x.x.x   MM_NO_STATE          0        0       ACTIVE
    Below is my config:
    Linksys RV042:
    Keying Mode: IKE with Preshared Key
    Phase1 DH Group: Group2
    Phase1 Encryption: 3DES
    Phase1 Authentication: MD5
    Phase1 SA Life Time: 28800
    Perfect forward secrecy : enabled
    Phase2 DH Group: Group2
    Phase2 Encryption: 3DES
    Phase2 Authentication: MD5
    Phase2 SA Life Time: 28800
    Preshared Key: xxxxxx
    Cisco 2801:
    crypto isakmp policy 11
    encr 3des
    authentication pre-share
    group 2
    lifetime 28800
    crypto isakmp key xxxxxx address xxxxxx
    no crypto isakmp ccm
    crypto ipsec transform-set STRONGER esp-3des esp-md5-hmac
    crypto map myvpn 10 ipsec-isakmp
    set peer xxxxxx
    set transform-set STRONGER
    set pfs group2
    match address 103
    interface FastEthernet0/0
    ip address 10.0.0.56 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    no ip route-cache
    duplex auto
    speed auto
    no mop enabled
    interface FastEthernet0/1
    ip address xxxx xxxx
    ip nat outside
    ip virtual-reassembly
    no ip route-cache
    duplex auto
    speed auto
    crypto map myvpn
    ip nat pool branch xxxxxx xxxxx netmask 255.255.255.240
    ip nat inside source route-map nonat pool branch overload
    access-list 103 permit ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 110 deny   ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 110 permit ip 10.0.0.0 0.0.0.255 any
    snmp-server community public RO
    route-map nonat permit 10
    match ip address 110
    Regards
    SAM

    Hi,
    It looks like you are using the default hash for the crypto isakmp policy and that your connection is failing on the phase 1 negotiation.  The default hash on the crypto isakmp policy is sha.  On the 2801 try adding hash md5.
    crypto isakmp policy 11
    encr 3des
    hash md5
    authentication pre-share
    group 2
    lifetime 28800
    Let me know if that helps.
    Thank you,
    Jason Nickle
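    Both answers above turn on the same IKEv1 phase 1 rule: the responder walks its own crypto isakmp policy entries from the lowest priority number upward and takes the first one whose encryption, hash, authentication and DH group match a proposal from the peer (the initiator's lifetime may be shorter than the responder's but not longer); when nothing matches, the peer sees NO_PROPOSAL_CHOSEN, exactly as the RV042 logged. The Python below is an added example, not code from Cisco or from either poster. It parses the 2801 policy block quoted above and the policy 10/20 layout from the earlier answer, fills in the documented IOS defaults (encr des, hash sha, authentication rsa-sig, group 1, lifetime 86400) for any attribute a block omits, replays the RV042 negotiation before and after the hash md5 fix, and shows why a group 5 peer lands on policy 10 while a group 2 peer falls through to policy 20. The WEAK table and the two constructed peers (PEER_GROUP5, PEER_GROUP2) are assumptions for illustration.

```python
"""IKEv1 phase 1 proposal matching, modelled on the Cisco IOS matching rule.
Added example, not Cisco's code; IOS_DEFAULTS are the documented defaults of
'crypto isakmp policy' (ASA defaults differ, so the ASA snippet sets all)."""
import re

IOS_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                "group": "1", "lifetime": "86400"}
MATCH_KEYS = ("encr", "hash", "authentication", "group")
# Assumed review table: values a reviewer would flag as weak today.
WEAK = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}


def parse_policies(config):
    """Parse 'crypto isakmp|ikev1 policy N' blocks into dicts sorted by
    priority (lowest first: the order the responder evaluates them), with
    IOS defaults filled in for attributes a block omits."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto (?:isakmp|ikev1) policy (\d+)$", line)
        if m:
            current = int(m.group(1))
            policies[current] = dict(IOS_DEFAULTS)
            continue
        if current is None or not line:
            continue
        parts = line.split()
        if len(parts) == 2 and parts[0] in ("encr", "encryption"):
            policies[current]["encr"] = parts[1]
        elif len(parts) == 2 and parts[0] in ("hash", "authentication", "group", "lifetime"):
            policies[current][parts[0]] = parts[1]
        else:
            current = None  # any other command ends the policy block
    return [dict(priority=p, **a) for p, a in sorted(policies.items())]


def select_policy(responder_policies, initiator_proposals):
    """First (responder policy, proposal) pair that matches, else None.
    The responder walks its policies in priority order against every
    proposal offered: encryption, hash, authentication and DH group must be
    identical and the initiator lifetime may not exceed the responder's.
    None is the case in which the responder answers NO_PROPOSAL_CHOSEN."""
    for pol in responder_policies:
        for prop in initiator_proposals:
            if all(pol[k] == prop[k] for k in MATCH_KEYS) and \
                    int(prop["lifetime"]) <= int(pol["lifetime"]):
                return pol, prop
    return None


def weak_attributes(policy):
    """Attributes of a policy whose value is in a WEAK set (review aid)."""
    return sorted(k for k, bad in WEAK.items() if policy[k] in bad)


# Transcribed from the 2801 in the thread: no 'hash' line, so sha applies.
ORIGINAL_2801 = """
crypto isakmp policy 11
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key xxxxxx address xxxxxx
"""
FIXED_2801 = ORIGINAL_2801.replace(" encr 3des\n", " encr 3des\n hash md5\n")
# The RV042 phase 1 settings from the thread, in IOS vocabulary.
RV042_PHASE1 = [{"encr": "3des", "hash": "md5", "authentication": "pre-share",
                 "group": "2", "lifetime": "28800"}]

# Policies 10 and 20 from the earlier answer (stronger DH group first);
# lifetime omitted here, so the 86400 default applies.
ASA_POLICIES = """
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
"""
# Constructed peers (assumptions): one offers DH group 5, one only group 2.
PEER_GROUP5 = [dict(RV042_PHASE1[0], encr="aes-256", hash="sha", group="5")]
PEER_GROUP2 = [dict(RV042_PHASE1[0], encr="aes-256", hash="sha", group="2")]


def demo():
    """Chosen priority per scenario (None = NO_PROPOSAL_CHOSEN) and the
    attributes still flagged weak in the fixed 2801 policy."""
    before = select_policy(parse_policies(ORIGINAL_2801), RV042_PHASE1)
    after = select_policy(parse_policies(FIXED_2801), RV042_PHASE1)
    asa = parse_policies(ASA_POLICIES)
    return {
        "2801_before_fix": before and before[0]["priority"],
        "2801_after_fix": after and after[0]["priority"],
        "asa_group5_peer": select_policy(asa, PEER_GROUP5)[0]["priority"],
        "asa_group2_peer": select_policy(asa, PEER_GROUP2)[0]["priority"],
        "fixed_2801_weak": weak_attributes(parse_policies(FIXED_2801)[0]),
    }
```

    Calling demo() returns None for the 2801 as posted (SHA on one side, MD5 on the other), 11 once hash md5 is added, 10 for the group 5 peer and 20 for the group 2 peer. weak_attributes() on the fixed 2801 policy still reports encr, group and hash: adding hash md5 makes the tunnel come up, but 3DES, MD5 and DH group 2 remain on the list a reviewer would want replaced, which is the point of the earlier answer's preference for AES-256 and a larger DH group in the lowest-numbered policy.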

  • Routing issue between Cisco Nexus and Cisco 4510 R+E Chassis

    We have configured Cisco Nexus 7K9 as core and Cisco 4510 R+E as access switches for Server connectivity.
    We are experiencing problem in terms of ARP learning and Ping issues between Cisco Nexus and end hosts.

    Hi,
    So you have the N7k acting as L3 with servers connected to the 4510?
    Do you see the MAC associated with the failing ARP on the 4510? Is it happening with all or only a few servers? Just to verify whether it is a connectivity issue between the N7k and the 4510, you can configure an SVI on the 4510, assign it an address from the same range (server/core range) and perform a ping.
    This will help narrow down whether the issue is between server and 4510 or between 4510 and N7k.
    Thanks,
    Nagendra

  • Mavericks VPN dropouts with native VPN client and Cisco IPSec

    Since updating to Mavericks I am experiencing VPN dropouts with the native VPN client and Cisco IPSec.
    I am connecting via a WiFi router to a remote VPN server.
    The connection is good for a while but eventually it drops out.
    I had zero issues in Mountain Lion and only have issues since the update to 10.9.
    I had similar issues in the past with an unreliable WiFi router, but I am using a Verizon FiOS router and it has worked impeccably until Mavericks.
    My thoughts are:
    1 - issue with Mavericks (maybe the app sleep function affecting either the VPN or WiFi daemons)
    2 - issue with Cisco router compatibility or timing with Cisco IPSEC
    3 - issue with WiFi itself on Mavericks - some sort of WiFi software bug
    Any thoughts/suggestions?


  • Firefox opens with tabs from previous session, not home page. In Tools > Options, General tab, I have "start up with home page", but all tabs from the previous session open instead

    Firefox opens with tabs from the previous session, not the home page. In Tools > Options, on the General tab, I have "start up with home page", but all tabs from the previous session open instead.

    It is possible that there is a problem with the files [http://kb.mozillazine.org/sessionstore.js sessionstore.js] and sessionstore.bak in the [http://kb.mozillazine.org/Profile_folder_-_Firefox Profile Folder]
    Delete [http://kb.mozillazine.org/sessionstore.js sessionstore.js] and sessionstore.bak in the [http://kb.mozillazine.org/Profile_folder_-_Firefox Profile Folder]
    * Help > Troubleshooting Information > Profile Directory: Open Containing Folder
    If you see files sessionstore-##.js with a number in the left part of the name like sessionstore-1.js then delete those as well.
    Deleting sessionstore.js will cause App Tabs and Tab Groups to get lost, so you will have to create them again (make a note).
    See:
    * http://kb.mozillazine.org/Session_Restore

  • HT4623 I have a Gen 4 iPod Touch, it is still running iOS 4. When I go to my Settings and select General there is no Software Update button to choose from. How do I update my iPod to the new iOS version?

    I have a Gen 4 iPod Touch, it is still running iOS 4. When I go to my Settings and select <General> there is no <Software Update> button to choose from. How do I update my iPod to the new iOS version?

    You have to hook it up to a computer and update it to iOS 5, and then there will be a "Software Update" button.

  • Transfer VOIP Calls Between Cisco Desk Phone and Cisco Jabber For IPhone 9.5

    Does anyone know how to transfer an active VoIP call from a Cisco IP desk phone to Cisco Jabber for iPhone? I can transfer a call from Cisco Jabber for iPhone to my Cisco IP desk phone no problem: I put the call on hold and then click "Resume" on my Cisco IP desk phone. However, I cannot do the same the other way around. If I put the call on hold on my Cisco IP desk phone, I see "no active call" on my Jabber client. The only information I could find that was slightly relevant was using the Mobility Key/Remote Destination Profile feature; however, this defeats the object, as this will forward to an external number, e.g. a mobile, and I just want to transfer the call within the VoIP environment between the two devices that are using the same directory number.
    I am using Cisco Call Manager 9.1(2), Cisco Presence 9.1 and Cisco Jabber for IPhone 9.5.
    Any help would be greatly appreciated.
    Kind Regards,
    Paul Parker.

    Did you ever find an answer to this?
    I am seeing the same behavior and trying to see if I can put calls on hold and pick them up both ways also.
    The only answer I seem to have found is to use park instead.
    That would/should work, but I would just prefer to hold/unhold.
    Just not sure why we would not be able to hold/unhold on what is essentially a "shared" line.
    Does anyone have this working for them?
