AnyConnect Client/Remote Site-to-Site connect to Remote Site-To-Site via HQ Hairpin.

I'm trying to get my Remote Sites and my Remote AnyConnect Clients to be able to communicate with each other. 
Remote ASA5505 <--> ASA5510 HQ <--> Remote ASA5505
AnyConnect <--> ASA5510 HQ <--> Remote ASA5505
The ASAs are running 8.3(2)
I've googled many of the Hairpin configs, and have the 'same-security-traffic permit intra-interface' command in the Config, which it is and then having the proper NAT exclusion in there. Many of the config examples seem to reference the deprecated NAT commands that do not work on 8.3(2)
I have in the Config 
object network Network-HQ
subnet 10.0.0.0 255.255.0.0
object network Network-Site1
subnet 10.1.0.0 255.255.0.0
object network Network-Site2
subnet 10.2.0.0 255.255.0.0
object network Network-Site3
subnet 10.3.0.0 255.255.0.0
object network Network-AnyCon
subnet 10.100.0.0 255.255.0.0
object-group network REMOTE_NETWORK
network-object object Network-Site1
network-object object Network-Site2
network-object object Network-Site3
network-object object Network-AnyCon
object-group network LOCAL_NETWORK
network-object object NETWORK-HQ
nat (inside,outside) source static LOCAL_NETWORK LOCAL_NETWORK destination static REMOTE_NETWORK REMOTE_NETWORK
nat (outside,outside) source static REMOTE_NETWORK REMOTE_NETWORK destination static REMOTE_NETWORK REMOTE_NETWORK
same-security-traffic permit intra-interface
I also have an Access List on the Outside Interface
access-group outside_access_in in interface outside
So I toyed around with access-Lists too and Added the following:
access-list outside_access_in extended permit ip object-group LOCAL_NETWORK object-group REMOTE_NETWORK
access-list outside_access_in extended permit ip object-group REMOTE_NETWORK object-group REMOTE_NETWORK
access-list outside_access_in extended permit ip object-group REMOTE_NETWORK object-group LOCAL_NETWORK
Still No Love. 
In the Configs that used the deprecated NAT they also mentioned that the NAT statements needed to be first in the list. I'm not sure how to order them. 
Any Suggestions would be helpful.
Thanks!

Please remove this object from REMOTE_NETWORK
object-group network REMOTE_NETWORK
 no network-object object Network-AnyCon
Let's say this: 10.1.0.10 is permitted to access via the tunnels to all remote-LANs via site-to-site tunnels.
Let's create a dynamic-nat, so that your remote-in clients can access remote-lans as if they are coming from HQ directly.
object network HQ-UNUSED-IP
 description This is permitted to traverse to all remote sites
 host 10.1.0.10
nat (outside,outside) source dynamic Network-AnyCon HQ-UNUSED-IP destination static REMOTE_NETWORK REMOTE_NETWORK
Please remove these below lines, because tunnel bound traffic does not go via the acl filters put on outside interface.
no access-list outside_access_in extended permit ip object-group LOCAL_NETWORK object-group REMOTE_NETWORK 
no access-list outside_access_in extended permit ip object-group REMOTE_NETWORK object-group REMOTE_NETWORK 
no access-list outside_access_in extended permit ip object-group REMOTE_NETWORK object-group LOCAL_NETWORK 
Hope this helps.
Thanks
Rizwan Rafeek
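
The ordering question in the post and the first step of the reply (taking Network-AnyCon out of REMOTE_NETWORK) both come down to manual NAT rules being evaluated top-down with the first match winning. The Python sketch below is an added example, not code from the thread or from Cisco: it is a simplified model (forward direction only, rules in configured order) that uses the thread's object names, and the addresses 10.100.0.25, 10.1.0.20 and 10.2.0.10 are constructed sample hosts.

```python
"""Simplified model of ASA 8.3+ manual (twice) NAT: first matching rule wins."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Objects copied from the thread's configuration.
OBJECTS = {
    "Network-HQ": "10.0.0.0/16",
    "Network-Site1": "10.1.0.0/16",
    "Network-Site2": "10.2.0.0/16",
    "Network-Site3": "10.3.0.0/16",
    "Network-AnyCon": "10.100.0.0/16",
    "HQ-UNUSED-IP": "10.1.0.10/32",
}
SITES = ["Network-Site1", "Network-Site2", "Network-Site3"]
ANYCON = "Network-AnyCon"


@dataclass
class NatRule:
    in_if: str                 # real (ingress) interface
    out_if: str                # mapped (egress) interface
    kind: str                  # "static" (identity in this thread) or "dynamic"
    real_src: list             # object names that make up the real source
    mapped_src: Optional[str]  # object used as mapped source for dynamic rules
    dst: list                  # object names that make up the destination


def in_group(addr, names):
    """True if addr falls inside any of the named network objects."""
    return any(ip_address(addr) in ip_network(OBJECTS[n]) for n in names)


def translate(rules, in_if, out_if, src, dst):
    """Return (1-based index of the first matching rule, source after NAT)."""
    for index, rule in enumerate(rules, 1):
        if (rule.in_if, rule.out_if) != (in_if, out_if):
            continue
        if in_group(src, rule.real_src) and in_group(dst, rule.dst):
            if rule.kind == "dynamic":
                mapped = ip_network(OBJECTS[rule.mapped_src]).network_address
                return index, str(mapped)
            return index, src  # identity static NAT leaves the source as-is
    return None, src


def rules_for(remote_group, with_dynamic):
    """Rule list in the order the thread's nat lines would be entered."""
    rules = [
        # nat (inside,outside) source static LOCAL_NETWORK ... REMOTE_NETWORK
        NatRule("inside", "outside", "static", ["Network-HQ"], None, remote_group),
        # nat (outside,outside) source static REMOTE_NETWORK ... REMOTE_NETWORK
        NatRule("outside", "outside", "static", remote_group, None, remote_group),
    ]
    if with_dynamic:
        # nat (outside,outside) source dynamic Network-AnyCon HQ-UNUSED-IP ...
        rules.append(NatRule("outside", "outside", "dynamic",
                             [ANYCON], "HQ-UNUSED-IP", remote_group))
    return rules


# Configuration as posted in the question.
ORIGINAL = rules_for(SITES + [ANYCON], with_dynamic=False)
# Dynamic rule appended, but Network-AnyCon left in REMOTE_NETWORK.
SHADOWED = rules_for(SITES + [ANYCON], with_dynamic=True)
# Reply applied in full: Network-AnyCon removed from REMOTE_NETWORK.
FIXED = rules_for(SITES, with_dynamic=True)


def hairpin(rules, src="10.100.0.25", dst="10.2.0.10"):
    """AnyConnect client (constructed address) to a Site2 host via the outside hairpin."""
    return translate(rules, "outside", "outside", src, dst)


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("shadowed", SHADOWED), ("fixed", FIXED)):
        index, seen_as = hairpin(rules)
        print(f"{name:9s} AnyConnect -> Site2: rule {index}, source seen as {seen_as}")
    print("fixed     Site1 -> Site2:", hairpin(FIXED, src="10.1.0.20"))
```

In the model, leaving Network-AnyCon in REMOTE_NETWORK lets the identity rule match first, so the appended dynamic rule is never reached; once the object is removed, the client's source becomes 10.1.0.10 while site-to-site flows still hit the identity rule.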

Similar Messages

  • Error 751011 - Mac OSX anyconnect client

    Hi all,
    I'm running into the following error when I use a Mac OSX anyconnect client when I try to connect.  Our Windows 7 anyconnect clients login just fine.
    3
    Oct 25 2013
    16:19:54
    751011
    Local:x.x.x.x:4500 Remote:y.y.y.y:34573 Username:Unknown Failed user authentication. Error: General Failure
    %ASA-3-751011: Local: localIP:port Remote:remoteIP:port Username:
    username/group Failed user authentication. Error: error
    A failure occurred during user authentication within EAP for an IKE version 2 remote access connection.
    • localIP:port—The local IP address and port number
    • remoteIP:port—The remote IP address and port number
    • username/group—The username or group associated with this connection attempt
    • error—The error string that indicates the specific error
    Any ideas of what could be causing this?  We are using certificate and LDAP for AAA.
    Thanks in Advance.
    Bill

    Hi Harry,
    I have resolved the issue.  I didn't realize that I had to have the Mac Anyconnect pkg file copied to the flash of the ASA.  Once I did that the authentication issue went away.
    Bill

  • Microsoft Lync not working thru Anyconnect client

    We are trying to establish video connection thru Anyconnect client.  When made request from one user to another user on Anyconnect, one user does receive a request, but no connection get established.  Any suggestion would be helpful.

    Do you have "same-security-traffic permit intra-interface" configured on ASA?
    Yes
    Also, are you able to ping between the 2 AnyConnect clients when they are both connected?
    Yes
    Do you have any Windows personal firewall or any other personal firewall that might be blocking inbound connection towards the PC where you connect from?
    No
    One can initiate a session, but it just doesn't establish.

  • ITunes cannot connect to remote speakers / Airport Express

    Hi Guys
    This is a quick post with a problem & solution.
    I've been searching for ages tonight to find a solution to my problem:
    "iTunes suddenly cannot connect to my Airport Express Speakers" and could not find one answer on here, only a mixture of replies all over the net.
    So, just in case some people are still looking for an answer:
    What I did...
    1. Go to System Preferences, Network.
    2. Click Advanced, on the TCP/IP tab, set "Configure IPv6" to Off.
    Open up Airport Utility, go to the Music tab, set a password (I did this just for the sake of seeing whether iTunes noticed that the Airport was now password protected, then at least you know it's talking!)
    3. Open iTunes, go to preferences.
    4. Click on the devices tab, untick "Look for remote speakers connected with Airplay, Allow iTunes control from Remote Speakers, Forget All Remotes.
    5. Close iTunes
    6. Open iTunes, retick "Look for remote speakers connected with Airplay, Allow iTunes control from Remote Speakers, Forget All Remotes.
    7. Connect to remote speakers worked!

    thanks Simius,
    I just tried what you said to do, I had it in Automatic, but when I momentarily switched to manual the fields were all blank so I left them that way and turned on to automatic as you said and left it in auto, then tried to change iTunes speaker to remote AirPlay and it didn't work.
    So I don't know what else to do. I read a lot about this in the last few days; the bug seems to be related to the newest iTunes upgrade and with the presence of IPv6 not turned off completely.
    In the old system one could turn it off completely, now the off button is gone.
    There are workarounds using Terminal, I tried that but it doesn't recognize my commands, so it didn't work either.
    Anybody have any idea?
    Thanks a lot
    D.

  • Connecting Multiple Remote Sites with VPN Passthrough

    I have several Win2003SBS sites requiring VPN passthrough from remote clients some using the VPN Connectoid supplied with the SBS (on the RWW - "Download Connection Manager". The requirement is for an DSL modem router with at least 10 tunnels which also supports GRE. The device should support ADSL2 as a minimum and SDSL is preferred.
    A more detailed diagram is attached. Access to the Web Server will be required from both the LAN and WAN sides later.
    Any suggestions please?

    3700 Series multiservice access routers support GRE, SDSL, ADSL. Refer to the following URL for more information
    http://cisco.com/en/US/products/hw/routers/ps282/products_data_sheet09186a00800921f0.html

  • Connection from remote sites (Frame Relay WAN) to AS/400 disappears

    Hello,
    We have the following problem appearing in our environment:
    All connections from remote sites disappear unexpectedly from the AS/400. After 2-3 minutes remote users get normal connectivity again.
    The environment is the following:
    Frame Relay/ATM WAN (Frame Relay on remote sites and ATM in datacenter) comes to a Cisco 7204VXR router which is connected to a LAN switch with 10/100/1000 ports. An AS/400 with a Fast Ethernet interface is also connected to a similar LAN switch. CEF is enabled on the router, IOS version 12.4.3a. We have the ETHSTD *ALL parameter set on the AS/400. Remote users use TCP/IP and Telnet, but there are a number of 5494 controllers which use SNA.
    We got the problem for the first time after we enabled CEF on the router.
    I suspect that the cause of the problem is Ethernet frames of different standards due to ETHSTD *ALL, but I can neither reproduce the problem nor understand why it behaves so.
    Has anybody had a similar problem?
    I would be very thankful if somebody could help me solve it.
    Thank you in advance.
    //Mikhail Galiulin

    Hi Martin,
    Cisco 7200 itself can access AS/400 as well as all other hosts in the same LAN as the AS/400. There is no outage in communications which go to another LAN segment via the Netscreen firewall while the communication via Cisco is down. Only those hosts which are connected via Cisco are experiencing the problem. I cannot say where the traceroute from AS/400 gets stuck (there are other people who maintain the machine and they never could catch the exact moment of outage).
    Turning off CEF I treat as the last option actually, and unfortunately there is no guarantee that a software upgrade will help (we have 12.4.3a now).
    So first of all I'm trying to understand WHY it happens, because I cannot see any systematics in the problem's appearance. It can happen 3 times within 2 days and then disappear for 1-2 months...
    //Mikhail Galiulin

  • Deploying unity connection at remote site with CUCM at central site

    I am planning to deploy Unity Connection at a remote site while the CUCM is at the central site only. I would appreciate it if someone could shed some light on this. Has anyone already deployed the same scenario? Any specific requirements to take care of, please?
    Thanks in advance,
    AB

    AB,
    Yes, having your Unity Connection server at a different location than your CUCM is supported.  
    I cannot really help you with specific requirements as it largely depends on exactly how you intend to deploy it and what features you intend to enable.  Clustering, Digital Networking, Unified Inbox, etc. all have their own additional requirements, the whole of which would not fit into a message board post.
    However, specific bandwidth and latency requirements are listed in the "System Requirements for Cisco Unity Connection Release 8.X".   http://www.cisco.com/en/US/partner/docs/voice_ip_comm/connection/8x/requirements/8xcucsysreqs.html
    The SRND and the System Requirements should get you on the  right  track.  I would encourage you to read both documents fully and  then  come back with any specific design questions you may have.
    -Steven

  • Problem in connecting to remote site

    I have set up an FTP user in the remote server which works
    perfectly fine when I click test connection. Now when I click the
    remote view or upload a file or connect to remote server I get this
    message -"Waiting for server" then I get this error message
    "Connection to the remote host is lost.Click the Connect button to
    reconnect". I have disabled my firewall too. This has been driving
    me crazy for a long time. Any source of help would be of great
    help.
    Thanx in advance.

    What do you have in the Host directory field of your Remote site's definition? It sounds like you don't have the right information here....
    Murray --- ICQ 71997575
    Adobe Community Expert
    (If you *MUST* email me, don't LAUGH when you do so!)
    "surenr" <[email protected]> wrote in
    message news:e2b9k2$eab$[email protected]..
    > I tried using passive FTP in the remote site definition. It seems to be working
    > but I am not able to view any of the remote site folders or upload any files.
    > When I click the test button I get this message: Macromedia Dreamweaver MX
    > successfully connected to your web server.

  • Java.sql.SQLException: Connection to remote site no longer valid

    Hi
    Somebody can help me with this ?
    java.sql.SQLException: Connection to remote site no longer valid
    Sometimes this error message appears in the moment when the next code execute, the database is Informix 10
    public BeanOutParametersSMS siantelSMS(BeanArgumentsSMS bean)
            throws SQLException, NumberFormatException,
            NullPointerException, Exception {
        String sql = "execute procedure SP_SMS_MKT(?,?,?,?,?,?,?,?,?)";
        CallableStatement cs = null;
        ResultSet rs = null;
        BeanOutParametersSMS out = new BeanOutParametersSMS();
        String salesForce = "";
        try {
            cs = connection.prepareCall(sql);
            // Bind the procedure's input parameters (was "s.setString", an undefined variable)
            cs.setString(1, bean.getAction());
            cs.setString(2, "R0" + bean.getRegion());
            cs.setString(3, bean.getCveclientesms());
            cs.setString(4, bean.getPuerto());
            cs.setString(5, bean.getCveproducto());
            if (cs.execute()) {
                rs = cs.getResultSet();
                if (rs.next()) {
                    out.setActionInvoked(rs.getString(1));
                    out.setCode(rs.getString(2));
                    out.setPuerto(rs.getString(3));
                    out.setCveproducto(rs.getString(4)); etc ....
    note. The stored procedure connecting with two databases (informix 10 & informix 9)

    Where do you close the connection and statement/result set?

  • Remote SQL DB Instance Connection error while deploying the Standalone Primary Site

    Hi 
    I am getting error as The RPC server is unavailable .(Exception from HRESULT:0x8000706BA)
    while adding the Remote SQL DB named instance. I am also attaching the ConfigMgr Setup log, can you please advise.
    Windows Firewall is turned off on SCCM Primary Site server and SQL DB server.
    I am able to telnet over port 1433 of SQL DB server, Dynamic Port is not Configured  for SQL DB Named Instance its only on TCP 1433.
    Shailendra Dev

    Hi,
    Please confirm the ports below are allowed.
    Site Server --> SQL Server
    During the installation of a site that will use a remote SQL Server to host the site database, you must open the following ports between the site server and the SQL Server:
    Server Message Block (SMB) TCP 445
    RPC Endpoint Mapper UDP TCP 135
    RPC TCP DYNAMIC (See note 6, Dynamic ports)
    Reference: https://technet.microsoft.com/en-us/library/hh427328.aspx#BKMK_CommunicationPorts

  • ASA 5505. VPN Site-to-Site does not connect!

    Hello!
    Already more than a week ago, as we had a new channel of communication from MGTSa (ONT terminal Sercomm RV6688BCM, who just barely made in the "bridge" - was forced to make the provider in order to receive our white Cisco Ip-address), and now I'm trying too much more than a week to raise between our offices firm VPN IKEv1 IPsec Site-to-Site tunnel.
    Configurable and use the wizard in ASDM and handles in CLI, the result of one, the connection does not rise.
    Version Cisco 9.2 (2), the image of Cisco asa922-k8.bin, version license Security Plus, version ASDM 7.2 (2).
    What I'll never know ...
    Full configuration and debug enclose below.
    Help, what can follow any responses, please! I was quite exhausted!
    Config:
    Result of the command: "sh run"
    : Saved
    : Serial Number: XXXXXXXXXXXX
    : Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
    ASA Version 9.2(2)
    hostname gate-71
    enable password F6OJ0GOws7WHxeql encrypted
    names
    ip local pool vpnpool 10.1.72.100-10.1.72.120 mask 255.255.255.0
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
     nameif inside
     security-level 100
     ip address 10.1.72.254 255.255.255.0
    interface Vlan2
     nameif outside_mgts
     security-level 0
     ip address 62.112.100.R1 255.255.255.252
    ftp mode passive
    clock timezone MSK/MSD 3
    clock summer-time MSK/MDD recurring last Sun Mar 2:00 last Sun Oct 3:00
    dns domain-lookup inside
    dns server-group MGTS
     name-server 195.34.31.50
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object network NET72
     subnet 10.1.72.0 255.255.255.0
    object network obj-0.0.0.0
     host 0.0.0.0
    object network Nafanya
     host 10.1.72.5
    object network obj-10.1.72.0
     subnet 10.1.72.0 255.255.255.0
    object network NET61
     subnet 10.1.61.0 255.255.255.0
    object network NETWORK_OBJ_10.1.72.96_27
     subnet 10.1.72.96 255.255.255.224
    object network NETT72
     subnet 10.1.72.0 255.255.255.0
    object network NET30
     subnet 10.1.30.0 255.255.255.0
    object network NETWORK_OBJ_10.1.72.0_24
     subnet 10.1.72.0 255.255.255.0
    object-group service OG-FROM-INET
     service-object icmp echo
     service-object icmp echo-reply
     service-object icmp traceroute
     service-object icmp unreachable
     service-object tcp-udp destination eq echo
    object-group network DM_INLINE_NETWORK_1
     network-object object NET30
     network-object object NET72
    object-group service DM_INLINE_TCP_1 tcp
     port-object eq www
     port-object eq https
    access-list inside_access_in extended permit ip object NET72 object-group DM_INLINE_NETWORK_1
    access-list inside_access_in extended permit ip 10.1.72.0 255.255.255.0 any
    access-list inside_access_in extended permit ip object Nafanya any inactive
    access-list inside_access_in extended permit object-group OG-FROM-INET any any
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in extended deny ip any any log alerts
    access-list outside_mgts_access_in extended permit object-group OG-FROM-INET any any
    access-list outside_mgts_access_in extended permit tcp any any object-group DM_INLINE_TCP_1
    access-list outside_mgts_access_in extended deny ip any any log alerts
    access-list outside_mgts_cryptomap extended permit ip 10.1.72.0 255.255.255.0 object NET61
    access-list VPN-ST_splitTunnelAcl standard permit 10.1.72.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside_mgts 1500
    ip verify reverse-path interface outside_mgts
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside_mgts) source static NET72 NET72 destination static NETWORK_OBJ_10.1.72.96_27 NETWORK_OBJ_10.1.72.96_27 no-proxy-arp route-lookup
    nat (inside,outside_mgts) source static NETWORK_OBJ_10.1.72.0_24 NETWORK_OBJ_10.1.72.0_24 destination static NET61 NET61 no-proxy-arp route-lookup
    object network obj_any
     nat (inside,outside_mgts) dynamic obj-0.0.0.0
    object network NET72
     nat (inside,outside_mgts) dynamic interface dns
    access-group inside_access_in in interface inside
    access-group outside_mgts_access_in in interface outside_mgts
    route outside_mgts 0.0.0.0 0.0.0.0 62.112.100.R 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    no user-identity enable
    user-identity default-domain LOCAL
    aaa authentication http console LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 10.1.72.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_mgts_map 1 match address outside_mgts_cryptomap
    crypto map outside_mgts_map 1 set pfs group1
    crypto map outside_mgts_map 1 set peer 91.188.180.42
    crypto map outside_mgts_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_mgts_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_mgts_map interface outside_mgts
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto ca trustpoint ASDM_TrustPoint0
     enrollment self
     email [email protected]
     subject-name CN=gate-71
     serial-number
     ip-address 62.112.100.42
     proxy-ldc-issuer
     crl configure
    crypto ca trustpoint ASDM_TrustPoint1
     enrollment self
     keypair ASDM_TrustPoint1
     crl configure
    crypto ca trustpool policy
    crypto ca certificate chain ASDM_TrustPoint0
     certificate eff26954
      quit
    crypto ca certificate chain ASDM_TrustPoint1
     certificate a39a2b54
      quit
    crypto isakmp identity address
    crypto ikev2 policy 1
     encryption aes-256
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 10
     encryption aes-192
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 20
     encryption aes
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 30
     encryption 3des
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 40
     encryption des
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 enable outside_mgts client-services port 443
    crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
    crypto ikev1 enable inside
    crypto ikev1 enable outside_mgts
    crypto ikev1 policy 10
     authentication crack
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 20
     authentication rsa-sig
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 30
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 40
     authentication crack
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 50
     authentication rsa-sig
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 60
     authentication pre-share
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 70
     authentication crack
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 80
     authentication rsa-sig
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 90
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 100
     authentication crack
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 110
     authentication rsa-sig
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 120
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 130
     authentication crack
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 140
     authentication rsa-sig
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 150
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    no ssh stricthostkeycheck
    ssh 10.1.72.0 255.255.255.0 inside
    ssh timeout 60
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    vpnclient server 91.188.180.X
    vpnclient mode network-extension-mode
    vpnclient nem-st-autoconnect
    vpnclient vpngroup VPN-L2L password *****
    vpnclient username aradetskayaL password *****
    dhcpd auto_config outside_mgts
    dhcpd update dns both override interface inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl trust-point ASDM_TrustPoint0 inside
    ssl trust-point ASDM_TrustPoint0 outside_mgts
    webvpn
     enable outside_mgts
    group-policy GroupPolicy_91.188.180.X internal
    group-policy GroupPolicy_91.188.180.X attributes
     vpn-tunnel-protocol ikev1
    group-policy VPN-ST internal
    group-policy VPN-ST attributes
     dns-server value 195.34.31.50 8.8.8.8
     vpn-tunnel-protocol ikev1
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value VPN-ST_splitTunnelAcl
     default-domain none
    username aradetskayaL password HR3qeva85hzXT6KK encrypted privilege 15
    tunnel-group 91.188.180.X type ipsec-l2l
    tunnel-group 91.188.180.X general-attributes
     default-group-policy GroupPolicy_91.188.180.42
    tunnel-group 91.188.180.X ipsec-attributes
     ikev1 pre-shared-key *****
     ikev2 remote-authentication pre-shared-key *****
     ikev2 remote-authentication certificate
     ikev2 local-authentication pre-shared-key *****
    tunnel-group VPN-ST type remote-access
    tunnel-group VPN-ST general-attributes
     address-pool vpnpool
     default-group-policy VPN-ST
    tunnel-group VPN-ST ipsec-attributes
     ikev1 pre-shared-key *****
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
      inspect icmp error
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:212e4f5035793d1c219fed57751983d8
    : end
    gate-71# sh crypto ikev1 sa
    There are no IKEv1 SAs
    gate-71# sh crypto ikev2 sa
    There are no IKEv2 SAs
    gate-71# sh crypto ipsec sa
    There are no ipsec sas
    gate-71# sh crypto isakmp
    There are no IKEv1 SAs
    There are no IKEv2 SAs
    Global IKEv1 Statistics
      Active Tunnels:              0
      Previous Tunnels:            0
      In Octets:                   0
      In Packets:                  0
      In Drop Packets:             0
      In Notifys:                  0
      In P2 Exchanges:             0
      In P2 Exchange Invalids:     0
      In P2 Exchange Rejects:      0
      In P2 Sa Delete Requests:    0
      Out Octets:                  0
      Out Packets:                 0
      Out Drop Packets:            0
      Out Notifys:                 0
      Out P2 Exchanges:            0
      Out P2 Exchange Invalids:    0
      Out P2 Exchange Rejects:     0
      Out P2 Sa Delete Requests:   0
      Initiator Tunnels:           0
      Initiator Fails:             0
      Responder Fails:             0
      System Capacity Fails:       0
      Auth Fails:                  0
      Decrypt Fails:               0
      Hash Valid Fails:            0
      No Sa Fails:                 0
    IKEV1 Call Admission Statistics
      Max In-Negotiation SAs:                 25
      In-Negotiation SAs:                      0
      In-Negotiation SAs Highwater:            0
      In-Negotiation SAs Rejected:             0
    Global IKEv2 Statistics
      Active Tunnels:                          0
      Previous Tunnels:                        0
      In Octets:                               0
      In Packets:                              0
      In Drop Packets:                         0
      In Drop Fragments:                       0
      In Notifys:                              0
      In P2 Exchange:                          0
      In P2 Exchange Invalids:                 0
      In P2 Exchange Rejects:                  0
      In IPSEC Delete:                         0
      In IKE Delete:                           0
      Out Octets:                              0
      Out Packets:                             0
      Out Drop Packets:                        0
      Out Drop Fragments:                      0
      Out Notifys:                             0
      Out P2 Exchange:                         0
      Out P2 Exchange Invalids:                0
      Out P2 Exchange Rejects:                 0
      Out IPSEC Delete:                        0
      Out IKE Delete:                          0
      SAs Locally Initiated:                   0
      SAs Locally Initiated Failed:            0
      SAs Remotely Initiated:                  0
      SAs Remotely Initiated Failed:           0
      System Capacity Failures:                0
      Authentication Failures:                 0
      Decrypt Failures:                        0
      Hash Failures:                           0
      Invalid SPI:                             0
      In Configs:                              0
      Out Configs:                             0
      In Configs Rejects:                      0
      Out Configs Rejects:                     0
      Previous Tunnels:                        0
      Previous Tunnels Wraps:                  0
      In DPD Messages:                         0
      Out DPD Messages:                        0
      Out NAT Keepalives:                      0
      IKE Rekey Locally Initiated:             0
      IKE Rekey Remotely Initiated:            0
      CHILD Rekey Locally Initiated:           0
      CHILD Rekey Remotely Initiated:          0
    IKEV2 Call Admission Statistics
      Max Active SAs:                   No Limit
      Max In-Negotiation SAs:                 50
      Cookie Challenge Threshold:          Never
      Active SAs:                              0
      In-Negotiation SAs:                      0
      Incoming Requests:                       0
      Incoming Requests Accepted:              0
      Incoming Requests Rejected:              0
      Outgoing Requests:                       0
      Outgoing Requests Accepted:              0
      Outgoing Requests Rejected:              0
      Rejected Requests:                       0
      Rejected Over Max SA limit:              0
      Rejected Low Resources:                  0
      Rejected Reboot In Progress:             0
      Cookie Challenges:                       0
      Cookie Challenges Passed:                0
      Cookie Challenges Failed:                0
    Global IKEv1 IPSec over TCP Statistics
    Embryonic connections: 0
    Active connections: 0
    Previous connections: 0
    Inbound packets: 0
    Inbound dropped packets: 0
    Outbound packets: 0
    Outbound dropped packets: 0
    RST packets: 0
    Recevied ACK heart-beat packets: 0
    Bad headers: 0
    Bad trailers: 0
    Timer failures: 0
    Checksum errors: 0
    Internal errors: 0
    gate-71# sh crypto protocol statistics all
    [IKEv1 statistics]
       Encrypt packet requests: 0
       Encapsulate packet requests: 0
       Decrypt packet requests: 0
       Decapsulate packet requests: 0
       HMAC calculation requests: 0
       SA creation requests: 0
       SA rekey requests: 0
       SA deletion requests: 0
       Next phase key allocation requests: 0
       Random number generation requests: 0
       Failed requests: 0
    [IKEv2 statistics]
       Encrypt packet requests: 0
       Encapsulate packet requests: 0
       Decrypt packet requests: 0
       Decapsulate packet requests: 0
       HMAC calculation requests: 0
       SA creation requests: 0
       SA rekey requests: 0
       SA deletion requests: 0
       Next phase key allocation requests: 0
       Random number generation requests: 0
       Failed requests: 0
    [IPsec statistics]
       Encrypt packet requests: 0
       Encapsulate packet requests: 0
       Decrypt packet requests: 0
       Decapsulate packet requests: 0
       HMAC calculation requests: 0
       SA creation requests: 0
       SA rekey requests: 0
       SA deletion requests: 0
       Next phase key allocation requests: 0
       Random number generation requests: 0
       Failed requests: 0
    [SSL statistics]
       Encrypt packet requests: 19331
       Encapsulate packet requests: 19331
       Decrypt packet requests: 437
       Decapsulate packet requests: 437
       HMAC calculation requests: 19768
       SA creation requests: 178
       SA rekey requests: 0
       SA deletion requests: 176
       Next phase key allocation requests: 0
       Random number generation requests: 0
       Failed requests: 0
    [SSH statistics are not supported]
    [SRTP statistics]
       Encrypt packet requests: 0
       Encapsulate packet requests: 0
       Decrypt packet requests: 0
       Decapsulate packet requests: 0
       HMAC calculation requests: 0
       SA creation requests: 0
       SA rekey requests: 0
       SA deletion requests: 0
       Next phase key allocation requests: 0
       Random number generation requests: 0
       Failed requests: 0
    [Other statistics]
       Encrypt packet requests: 0
       Encapsulate packet requests: 0
       Decrypt packet requests: 0
       Decapsulate packet requests: 0
       HMAC calculation requests: 6238
       SA creation requests: 0
       SA rekey requests: 0
       SA deletion requests: 0
       Next phase key allocation requests: 0
       Random number generation requests: 76
       Failed requests: 9
    gate-71# sh crypto ca trustpoints
    Trustpoint ASDM_TrustPoint0:
        Configured for self-signed certificate generation.
    Trustpoint ASDM_TrustPoint1:
        Configured for self-signed certificate generation.
    If you need something more, then lay out!
    Please explain why it does not want to work?

    When I launched a packet tracer from the CLI, the connection went through! Hooray!
    I just do not understand why it had not launched with the same settings?
    As I understood MGTS finally required ports began to miss!

  • How to IPsec site to site vpn port forwarding to remote site?

    Hi All,
    The scenario is one where a site-to-site VPN tunnel has been established between Site A and Site B. The LAN on Site A can ping the LAN on Site B. My problem is that a printer behind Site B needs to be accessed by using the WAN IP address of Site A. Also, I could not ping the remote LAN or the printer from the router.
    Below is my configuration on the Cisco 877 at Site A. Would you please advise a solution for that?
    Building configuration...
    Current configuration : 5425 bytes
    ! Last configuration change at 15:09:21 PCTime Fri Jun 15 2012 by admin01
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Laverton
    boot-start-marker
    boot-end-marker
    logging message-counter syslog
    no logging buffered
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    aaa session-id common
    clock timezone PCTime 10
    crypto pki trustpoint TP-self-signed-1119949081
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1119949081
    revocation-check none
    rsakeypair TP-self-signed-1119949081
    crypto pki certificate chain TP-self-signed-1119949081
    certificate self-signed 01
      XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
      XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
      69666963 6174652D 31313139 39343930 3831301E 170D3132 30363135 30343032
      30385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31313939
                quit
    dot11 syslog
    ip source-route
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.1.1 192.168.1.50
    ip dhcp pool DHCP_LAN
       network 192.168.1.0 255.255.255.0
       default-router 192.168.1.1
       dns-server 61.9.134.49
       lease infinite
    ip cef
    no ipv6 cef
    multilink bundle-name authenticated
    object-group network VPN
    description ---Port Forward to vpn Turnnel---
    host 192.168.2.99
    username admin01 privilege 15 secret 5 $1$6pJE$ngWtGp051xpSXLAizsX6B.
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key mypasswordkey address 0.0.0.0 0.0.0.0
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map SDM_DYNMAP_1 1
    set transform-set ESP-3DES-SHA
    match address 100
    crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
    archive
    log config
      hidekeys
    no ip ftp passive
    interface ATM0
    description ---Telstra ADSL---
    no ip address
    no atm ilmi-keepalive
    pvc 8/35
      tx-ring-limit 3
      encapsulation aal5snap
      protocol ppp dialer
      dialer pool-member 1
    dsl operating-mode auto
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    switchport access vlan 10
    shutdown
    interface FastEthernet3
    interface Vlan1
    description ---Ethernet LAN---
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1420
    interface Vlan10
    ip dhcp relay information trusted
    ip dhcp relay information check-reply none
    no ip dhcp client request tftp-server-address
    no ip dhcp client request netbios-nameserver
    no ip dhcp client request vendor-specific
    no ip dhcp client request static-route
    ip address dhcp
    ip nat outside
    ip virtual-reassembly
    interface Dialer0
    description ---ADSL Detail---
    ip address negotiated
    ip mtu 1460
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    ip tcp adjust-mss 1420
    dialer pool 1
    dialer-group 1
    ppp chap hostname [email protected]
    ppp chap password 0 mypassword
    crypto map SDM_CMAP_1
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip dns server
    ip nat inside source static tcp 192.168.2.99 80 interface Dialer0 8000
    ip nat inside source static tcp 192.168.2.99 9100 interface Dialer0 9100
    ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
    ip nat inside source route-map SDM_RMAP_2 interface Dialer0 overload
    ip access-list extended NAT
    remark CCP_ACL Category=16
    remark IPSec Rule
    deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    permit ip 192.168.1.0 0.0.0.255 any
    access-list 1 permit 192.168.1.0 0.0.0.255
    access-list 100 remark CCP_ACL Category=4
    access-list 100 remark IPSec Rule
    access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 101 remark CCP_ACL Category=2
    access-list 101 remark IPSec Rule
    access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 101 permit ip 192.168.2.0 0.0.0.255 any
    route-map SDM_RMAP_1 permit 1
    match ip address NAT
    route-map SDM_RMAP_2 permit 1
    match ip address 101
    control-plane
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    transport input telnet ssh
    scheduler max-task-time 5000
    end
    Your help would be much appreciated!
    PS: I know it is easier if I configure Site A as the VPN server, but in our scenario we need to access the printer from the Internet over the static WAN IP of Site A.
    Thanks,
    Thai

    Is there anyone who can help, please?
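
The post's crypto map selects traffic with `match address 100`, while the static port-forward sends Internet clients to 192.168.2.99. As an added example (not part of the original post), this Python sketch applies IOS wildcard-mask, first-match evaluation to the post's numbered ACLs to show which flows ACL 100 selects for the tunnel. It assumes the forwarded packet keeps the Internet client's source address; 203.0.113.10 is a constructed documentation address and the function names are hypothetical.

```python
import ipaddress
import re

# Numbered ACL lines copied from the Site A configuration in the post.
SITE_A_ACLS = """\
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
"""

ALL_ONES = 0xFFFFFFFF


def _take_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A' or 'A WILDCARD'."""
    first = tokens.pop(0)
    if first == "any":
        return 0, ALL_ONES
    if first == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tokens.pop(0)))


def parse_acls(text):
    """Return {acl_number: [(action, src_spec, dst_spec), ...]} for 'ip' entries."""
    acls = {}
    for line in text.splitlines():
        m = re.match(r"access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(.*)", line.strip())
        if not m:
            continue  # remarks and non-IP entries are skipped
        tokens = m.group(3).split()
        src = _take_addr(tokens)
        dst = _take_addr(tokens)
        acls.setdefault(int(m.group(1)), []).append((m.group(2), src, dst))
    return acls


def _matches(addr, spec):
    base, wildcard = spec
    care = ~wildcard & ALL_ONES  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)


def acl_verdict(acls, number, src, dst):
    """First matching entry wins; no match falls to the implicit deny."""
    for action, src_spec, dst_spec in acls.get(number, []):
        if _matches(src, src_spec) and _matches(dst, dst_spec):
            return action
    return "deny"


def selected_for_tunnel(acls, src, dst, crypto_acl=100):
    """A crypto map only protects traffic its 'match address' ACL permits."""
    return acl_verdict(acls, crypto_acl, src, dst) == "permit"


if __name__ == "__main__":
    acls = parse_acls(SITE_A_ACLS)
    flows = [("192.168.1.20", "192.168.2.99"),   # Site A LAN host to the printer
             ("203.0.113.10", "192.168.2.99")]   # constructed Internet client
    for src, dst in flows:
        print(src, "->", dst, "selected by ACL 100:", selected_for_tunnel(acls, src, dst))
```

Only the LAN-to-LAN flow is permitted by ACL 100; the forwarded Internet flow falls to the implicit deny, which is a mismatch worth checking when port-forwarded traffic never reaches the printer.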

  • SFTP receiver error: putFile: Could not connect to remote host; Reason: Unable to open Sftp client. SshReasonCode: CHANNEL_FAILURE

    Hi,
    When we try to send a file over Seeburger SFTP (receiver), we get the error below.
    Message processing failed. Cause: javax.resource.ResourceException: Fatal exception: javax.resource.ResourceException: >> Description: SFTP transaction error occured.>> Details: putFile: Could not connect to remote host; Reason: Unable to open Sftp client. SshReasonCode: CHANNEL_FAILURE>>SendingStatus: NOT_TRANSMITTED>>FaultCategory: COMMUNICATION_ERROR>>Retryable: true>>Fatal: true, >> Description: SFTP transaction error occured.>> Details: putFile: Could not connect to remote host; Reason: Unable to open Sftp client. SshReasonCode: CHANNEL_FAILURE>>SendingStatus: NOT_TRANSMITTED>>FaultCategory: COMMUNICATION_ERROR>>Retryable: true>>Fatal: true
    But we are able to connect through FileZilla. We are able to create and delete files using the same username and password that is used in the SFTP adapter.
    We have imported both the DSA and RSA keys into the SFTP partner folder in NWA. Even so, we are getting the same error.
    Thanks,
    Vinayak

    Hi Ram,
    We checked with the network team; port 22 is open and they are able to ping the target system.
    We checked the Seeburger logs and we see an EOF received from remote site error:
    Caused by: com.maverick.ssh.SshException: EOF received from remote side [Unknown cause]
    #at com.maverick.ssh2.TransportProtocol.b(Unknown Source)
    #at com.maverick.ssh2.TransportProtocol.i(Unknown Source)
    #at com.maverick.ssh2.TransportProtocol.nextMessage(Unknown Source)
    #at com.maverick.ssh.message.SshMessageRouter.d(Unknown Source)
    #at com.maverick.ssh.message.SshMessageRouter.access$000(Unknown Source)
    #at com.maverick.ssh.message.SshMessageRouter$_b.run(Unknown Source) 
    Thanks,
    Vinayak.

  • AnyConnect client 3.1.04063 Windows 7 x64 users cannot make ssl connection

    Over the past week several of my users have suddenly found they cannot connect with a previously working client.  After the login banner is accepted they all get an error message "The certificate on the secure gateway is invalid.  A VPN connection will not be established."  Then another message "AnyConnect was not able to establish a connection to the specified secure gateway.  Please try connecting again."  On the ASA 5540 logs I see successful authentication and then the device is trying to establish an SSL session, which is denied, and then the connection is terminated.
    I have verified that the SSL certificates are valid and are installed in the trusted root certificates location.  I have checked that ICS is disabled.  I have checked that the VPN adapter display name is correct.
    Does anyone have any ideas?

    We are not using a self signed cert.  We have a cert issued by the DoD.  It seems like a user who had previously connected and is on Windows 7 x64 will not be able to connect.  Users who have never connected and browse to the site will be able to successfully connect.
    Additional information:  I have cleared all DoD related certs and the server cert from the certmgr.msc on an affected Windows box.  Uninstalled the AnyConnect application and all remnant files.  Cleared SSL cache on both IE and Firefox browsers.  I rebooted then tried connecting via the web address but am receiving the same issue.

  • OneDrive for Business (on Premise) "we can't connect to the specified sharepoint site..."

    Hello
    We have SharePoint 2013 SP1 and CU Sept. 2014.
    Problem:
    When a user tries to sync with a SharePoint subsite, he gets the message in the title above until we give him at least "read" permissions on the top-level site collection.
    https://sitecollection/subsite <-- sync not working until read on sitecollection
    The subsite has its own permissions; it doesn't inherit anything.
    I tried to recreate this issue in our lab. What I got was this:
    http://sitecollection/subsite <-- sync doesn't work without read permission on sitecollection
    http://sitecollection/sitecollection/subsite <-- sync works fine even without read permission on any sitecollection (just edit on subsite)
    The question is:
    Why does it behave like this?
    I don't want to give everyone "read" permission on the root site collection. There must be another way to sync on subsites!
    Thanks for any response! Any help appreciated!
    Regards
    SharePoint_Dude

    Hi,
    I tested the same scenario per your post in my environment; however, the libraries in subsites can be synced with OneDrive for Business.
    I recommend checking the permissions of the user in the subsite to see if the user has the Use Remote Interfaces permission.
    If not, please select this and then check the results.
    More reference:
    https://nheylen.wordpress.com/2014/05/15/sync-error-we-cant-connect-to-the-specified-sharepoint-site/
    Best regards,
    Victoria Xia
    TechNet Community Support
