ASA VPN issues
Hello all,
Recently I was given a task on trying to configure VPN on the ASA 5505, but so far I have been unsuccessful. When I try to use the Cisco VPN Client Version 4.x it gets to the authentication part asking for a username and password. When I use the username and password I set up on the ASA 5505 it tries to connect but ends up quitting.
This is the error that I receive when it fails to connect:
497 14:50:35.125 04/08/09 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=492CEC08824CD9A6 R_Cookie=CDF742B9C3431974) reason = DEL_REASON_IKE_NEG_FAILED
I have read every single walkthrough on the ASA 5505 on how to configure the device for VPN, and it just seems like I am missing something somewhere.
Thanks in advance!
Actually I got this to work.
If anyone else has these problems, here is what I went by
http://www.compedia4us.com/2008/08/configu...-using-asa.html
Thank you!
Similar Messages
-
Yet Another ASA VPN Licensing Question :)
I have a pretty good understanding of ASA VPN concepts, but not sure about this scenario. Two questions regarding 5525 VPN SSL Anyconnect Premium Licensing.
1. Assuming we already own an ASA 5525-X with 750 AnyConnect Essentials and Mobile (p/n ASA5525VPN-EM750K9) and want the ability for 200 Clientless (AnyConnect Premium) VPN connections, including mobile devices, what part number do I need?
2. Assuming we do not yet own an ASA5525, but want the same 200 clientless VPN connections plus mobile device connectivity, what part number do I need? I'm assuming this is correct >> ASA5525VPN-PM250K9
Thanks!
It's no problem - I sometimes look for an answer to a question myself and find my own 2-year-old post explaining the answer. As long as I don't find my 2-week-old answer, I'm OK with that. :)
Anyhow, no there's not a SKU to upgrade Essentials to Premium. All the Premium upgrade SKUs are between Premium licensed user tiers (10-25, 25-50, 50-100 etc.).
If you're a persuasive customer and make a strong case with your reseller they may be able to get a deal with Cisco outside the normal channels to get some relief as a customer satisfaction issue. That's very much a case by case thing though and not the normal fulfillment method. -
VPN issue please help???
Hi,
I am trying to connect the VPN client (Win XP) and it works just fine. It is also communicating with the RADIUS server and the internal network, no issues in that. However, when using the VPN client on Win 7 it does not connect. I can see from the debug in the firewall that phase 2 is complete, but the client does not connect and I can see error 809 on the Win 7 (32-bit and 64-bit) clients. I would really appreciate it if anyone can just guide me in the right direction. Please see below the config that is working fine for XP.
nat (inside,outside) source static obj-172.16.0.0-nonat obj-172.16.0.0-nonat destination static obj-192.168.0.0-nonat obj-192.168.0.0-nonat no-proxy-arp route-lookup
aaa-server int-radius-group protocol radius
aaa-server int-radius-group (inside) host 172.16.5.100
key ***
radius-common-pw ***
crypto ipsec ikev1 transform-set RA-VPN-Set-3desmd5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set RA-VPN-Set-3desmd5 mode transport
crypto ipsec ikev1 transform-set RA-VPN-Set-aes128sha esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set RA-VPN-Set-aes128sha mode transport
crypto ipsec ikev1 transform-set RA-VPN-Set-aes256sha esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set RA-VPN-Set-aes256sha mode transport
crypto ipsec ikev1 transform-set RA-VPN-Set-aes256md5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set RA-VPN-Set-aes256md5 mode transport
crypto ipsec ikev1 transform-set RA-VPN-Set-dessha esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set RA-VPN-Set-dessha mode transport
crypto ipsec ikev1 transform-set RA-VPN-Set-3dessha esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set RA-VPN-Set-3dessha mode transport
crypto ipsec ikev1 transform-set RA-VPN-Set-desmd5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set RA-VPN-Set-desmd5 mode transport
crypto ipsec ikev1 transform-set RA-VPN-Set-aes192md5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set RA-VPN-Set-aes192md5 mode transport
crypto ipsec ikev1 transform-set RA-VPN-Set-aes192sha esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set RA-VPN-Set-aes192sha mode transport
crypto ipsec ikev1 transform-set RA-VPN-Set-aesmd5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set RA-VPN-Set-aesmd5 mode transport
crypto dynamic-map dyn-ra-vpn 65000 set ikev1 transform-set RA-VPN-Set-3desmd5 RA-VPN-Set-aes128sha RA-VPN-Set-aes256s-dessha RA-VPN-Set-3dessha RA-VPN-Set-desmd5 RA-VPN-Set-aes192md5 RA-VPN-Set-aes192sha RA-VPN-Set-aesmd5
crypto dynamic-map dyn-ra-vpn 65000 set reverse-route
crypto map ASA-VPN-SITE 65000 ipsec-isakmp dynamic dyn-ra-vpn
crypto map ASA-VPN-SITE interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
group-policy RA-VPN-GP internal
group-policy RA-VPN-GP attributes
dns-server value 172.16.5.31 172.16.5.32
vpn-tunnel-protocol ikev1 l2tp-ipsec
default-domain value mydomain.com
intercept-dhcp enable
client-firewall none
tunnel-group DefaultRAGroup general-attributes
address-pool ra-vpn-ippool
authentication-server-group int-radius-group
default-group-policy RA-VPN-GP
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
Thanks & Regards
Rohit
We are using VPN client v5.0.05.0290 without a problem. Here is a link that I found initially when testing with Windows 7 and the VPN client...maybe it will help you resolve your issue.
http://weblogs.asp.net/bhouse/archive/2009/01/15/how-to-successfully-install-cisco-vpn-client-on-windows-7.aspx
I didn't have to use this procedure on windows 7 pro 32bit.
On a different note, can you pass traffic to hosts on your internal LAN by IP address or hostname? I found an issue using the AnyConnect client - I didn't configure the connection profile to tell the connecting client what our internal domain name was...so my clients weren't able to make connections inbound without manually appending the domain name to the end of the hostname...shot in the dark...
Good Luck!!
"please rate me if post helpful" -
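The first post on this page ends with an IKE SA being deleted for an IKE negotiation failure, and the thread above lists six `crypto ikev1 policy` blocks. A Phase 1 proposal mismatch is one of the ways a negotiation fails, so here is an added example (not from any poster on this page) that parses those policy blocks and emulates the responder's search: it walks the local policies in priority order and accepts the first peer transform whose encryption, hash, authentication and DH group match exactly; a lifetime difference only shortens the negotiated lifetime here, following Cisco's documented behaviour. The peer proposals are constructed, not captured from the thread; the parser accepts both the `crypto ikev1 policy` and the older `crypto isakmp policy` spelling seen elsewhere on this page.

```python
import re

# Constructed sample: the six 'crypto ikev1 policy' blocks are copied from the
# config posted in the thread above; the peer proposals further down are made up.
ASA_POLICIES = """
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
"""

# The four attributes a Phase 1 policy and a peer transform must agree on exactly.
ATTRS = ("encryption", "hash", "authentication", "group")

def parse_ikev1_policies(text):
    """Parse 'crypto ikev1 policy N' (or the older 'crypto isakmp policy N') blocks
    into dicts, sorted by priority number (the lower number is tried first)."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"crypto (?:ikev1|isakmp) policy (\d+)$", line)
        if m:
            cur = {"priority": int(m.group(1)), "lifetime": 86400}  # ASA default lifetime
            policies.append(cur)
            continue
        if cur is None:
            continue
        key, _, val = line.partition(" ")
        cur[key] = int(val) if key in ("group", "lifetime") else val
    return sorted(policies, key=lambda p: p["priority"])

def match_proposal(policies, transforms, peer_lifetime):
    """Emulate the responder's search: walk local policies in priority order and
    accept the first peer transform whose four attributes match. The shorter of
    the two lifetimes is negotiated; a lifetime difference alone is not a mismatch here."""
    for pol in policies:
        for idx, t in enumerate(transforms):
            if all(pol.get(a) == t.get(a) for a in ATTRS):
                return {"policy": pol["priority"], "transform": idx,
                        "lifetime": min(pol["lifetime"], peer_lifetime)}
    return None  # no acceptable proposal: Phase 1 negotiation fails

def closest_policy(policies, transform):
    """For a failed negotiation, report the policy with the fewest differing
    attributes and which attributes differ, which is what to fix on one side."""
    best = None
    for pol in policies:
        diff = [a for a in ATTRS if pol.get(a) != transform.get(a)]
        if best is None or len(diff) < len(best[1]):
            best = (pol["priority"], diff)
    return best

if __name__ == "__main__":
    policies = parse_ikev1_policies(ASA_POLICIES)
    # Constructed peer 1: offers AES with group 14 first, 3DES/SHA/group 2 last.
    peer_ok = [
        {"encryption": "aes-256", "hash": "sha", "authentication": "pre-share", "group": 14},
        {"encryption": "aes", "hash": "sha", "authentication": "pre-share", "group": 14},
        {"encryption": "3des", "hash": "sha", "authentication": "pre-share", "group": 2},
    ]
    print(match_proposal(policies, peer_ok, 28800))
    # Constructed peer 2: certificate authentication and group 14 only, so nothing matches.
    peer_bad = [{"encryption": "aes-256", "hash": "sha", "authentication": "rsa-sig", "group": 14}]
    print(match_proposal(policies, peer_bad, 28800), closest_policy(policies, peer_bad[0]))
```

With the posted policies the first constructed peer lands on policy 20 via its third transform (3DES/SHA/group 2) with the peer's shorter 28800-second lifetime; the second peer matches nothing, and `closest_policy` points at policy 30 differing only in authentication method and DH group, which is the kind of answer a `debug crypto ikev1` trace would otherwise have to be read for.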
Hi All
The question is pretty simple. I can successfully connect to my ASA 5505 firewall via the Cisco VPN client 64-bit, and I can ping any IP address on the LAN behind the ASA, but none of the LAN computers can see or ping the IP address which is assigned to my VPN client from the ASA VPN pool.
The LAN behind ASA is 192.168.0.0 and the VPN Pool for the cisco vpn client is 192.168.30.0
I would appreciate some help please.
Here is the config:
ASA Version 7.2(4)
hostname ciscoasa
domain-name default.domain.invalid
enable password J7NxNd4NtVydfOsB encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.0.11 EXCHANGE
name x.x.x.x WAN
name 192.168.30.0 VPN_POOL2
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address WAN 255.255.255.252
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list nk-acl extended permit tcp any interface outside eq smtp
access-list nk-acl extended permit tcp any interface outside eq https
access-list customerVPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 VPN_POOL2 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list VPN_NAT extended permit ip VPN_POOL2 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_POOL2 192.168.30.10-192.168.30.90 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (inside) 10 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 10 access-list VPN_NAT outside
static (inside,outside) tcp interface smtp EXCHANGE smtp netmask 255.255.255.255
static (inside,outside) tcp interface https EXCHANGE https netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group nk-acl in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
snmp-server host inside 192.168.0.16 community public
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd dns 217.27.32.196
dhcpd address 192.168.0.100-192.168.0.200 inside
dhcpd dns 192.168.0.10 interface inside
dhcpd enable inside
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
group-policy customerVPN internal
group-policy customerVPN attributes
dns-server value 192.168.0.10
vpn-tunnel-protocol IPSec
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value customerVPN_splitTunnelAcl
default-domain value customer.local
username xxx password 8SYsAcRU4s6DpQP1 encrypted privilege 0
username xxx attributes
vpn-group-policy TUNNEL1
username xxx password C6M4Xy7t0VOLU3bS encrypted privilege 0
username xxx attributes
vpn-group-policy PAPAGROUP
username xxx password RU2zcsRqQAwCkglQ encrypted privilege 0
username xxx attributes
vpn-group-policy customerVPN
username xxx password zfP8z5lE6WK/sSjY encrypted privilege 15
tunnel-group customerVPN type ipsec-ra
tunnel-group customerVPN general-attributes
address-pool VPN_POOL2
default-group-policy customerVPN
tunnel-group customerVPN ipsec-attributes
pre-shared-key *
tunnel-group-map default-group DefaultL2LGroup
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:a4dfbb82008f78756fe4c7d029871ec1
: end
ciscoasa#
Well lots of new features have been hinted at for ASA 9.2 but I've not seen anything as far as an Engineering Commit or Customer Commit for that feature.
Site-site VPN in multiple context mode was added in 9.0(1) and I have customers who have been asking for the remote access features as well.
I will remember to ask about that at Cisco Live next month. -
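The question in this thread (LAN hosts cannot reach the address a VPN client gets from the pool) comes with a full ASA 7.2(4) config, and three statements in it decide how client and LAN addresses appear to each other: the `nat (inside) 0 access-list` exemption, the split-tunnel ACL, and any other ACL-based NAT rule that matches pool-sourced traffic. The following is an added example, not code from any poster, that pulls those statements out of the posted config (trimmed to the lines it reads, with the `name` aliases resolved) and reports them in one place. It assumes the pre-8.3 NAT syntax the config uses, where `nat (ifc) N access-list` pairs with `global (ifc) N` and an `interface` global means PAT to that interface's address; the LAN prefix is passed in rather than parsed from the interface block.

```python
import ipaddress
import re

# Excerpt copied from the ASA 7.2(4) config posted in the thread above, trimmed to
# the statements this check reads (the 'name' aliases are kept because the ACLs use them).
CONFIG = """
name 192.168.0.11 EXCHANGE
name 192.168.30.0 VPN_POOL2
access-list customerVPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 VPN_POOL2 255.255.255.0
access-list VPN_NAT extended permit ip VPN_POOL2 255.255.255.0 192.168.0.0 255.255.255.0
ip local pool VPN_POOL2 192.168.30.10-192.168.30.90 mask 255.255.255.0
global (inside) 10 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 10 access-list VPN_NAT outside
group-policy customerVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value customerVPN_splitTunnelAcl
tunnel-group customerVPN general-attributes
 address-pool VPN_POOL2
"""

def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_names(lines):
    """'name <ip> <alias>': later statements may use the alias in place of the address."""
    names = {}
    for line in lines:
        m = re.match(r"name (\S+) (\S+)$", line)
        if m:
            names[m.group(2)] = m.group(1)
    return names

def _endpoint(tokens, names):
    """Consume one ACE address spec ('any', 'host X', or 'X MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return _net(names.get(tokens[1], tokens[1]), "255.255.255.255"), tokens[2:]
    return _net(names.get(tokens[0], tokens[0]), tokens[1]), tokens[2:]

def parse_acls(lines, names):
    """{acl: [(src_net, dst_net)]} for 'permit ip' ACEs; standard ACLs carry dst=None."""
    acls = {}
    for line in lines:
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        if t[2] == "standard" and t[3] == "permit":
            net, _ = _endpoint(t[4:], names)
            acls.setdefault(t[1], []).append((net, None))
        elif t[2] == "extended" and t[3:5] == ["permit", "ip"]:
            src, rest = _endpoint(t[5:], names)
            dst, _ = _endpoint(rest, names)
            acls.setdefault(t[1], []).append((src, dst))
    return acls

def parse_pools(lines):
    """'ip local pool NAME first-last mask M' -> {NAME: (first, last)}"""
    pools = {}
    for line in lines:
        m = re.match(r"ip local pool (\S+) (\S+)-(\S+) mask", line)
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
    return pools

def parse_nat(lines):
    """ACL-based 'nat (ifc) id access-list ACL' rules and the 'global (ifc) id ...' they pair with."""
    nats, globals_ = [], {}
    for line in lines:
        m = re.match(r"nat \((\S+)\) (\d+) access-list (\S+)", line)
        if m:
            nats.append({"ifc": m.group(1), "id": int(m.group(2)), "acl": m.group(3)})
        m = re.match(r"global \((\S+)\) (\d+) (\S+)", line)
        if m:
            globals_[int(m.group(2))] = (m.group(1), m.group(3))
    return nats, globals_

def check_vpn_reachability(config, lan):
    """Report the three settings that decide whether LAN hosts and pool clients see
    each other's real addresses: NAT exemption, split-tunnel list, other NAT on the pool."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    names = parse_names(lines)
    acls = parse_acls(lines, names)
    pools = parse_pools(lines)
    nats, globals_ = parse_nat(lines)
    lan_net = ipaddress.ip_network(lan)

    pool_name = next((ln.split()[1] for ln in lines if ln.startswith("address-pool ")), None)
    if pool_name not in pools:
        raise ValueError("tunnel-group address-pool not found among 'ip local pool' lines")
    first, last = pools[pool_name]
    covers = lambda net: first in net and last in net   # is the whole pool range inside net?

    # 1. 'nat (ifc) 0 access-list': an ACE LAN -> pool keeps LAN-to-client traffic untranslated.
    exempt = any(lan_net.subnet_of(src) and covers(dst)
                 for n in nats if n["id"] == 0
                 for src, dst in acls.get(n["acl"], []))
    # 2. With tunnelspecified, the split-tunnel ACL must list the LAN or clients never send to it.
    split_acl = next((ln.split()[-1] for ln in lines
                      if ln.startswith("split-tunnel-network-list value")), None)
    split_ok = None if split_acl is None else any(lan_net.subnet_of(src)
                                                  for src, _ in acls.get(split_acl, []))
    # 3. Any non-zero NAT rule whose ACL matches pool-sourced traffic rewrites the client
    #    address with the paired 'global'; 'interface' means PAT to that interface's address.
    translated = [(n["acl"],) + globals_.get(n["id"], (None, None))
                  for n in nats if n["id"] != 0
                  for src, _ in acls.get(n["acl"], []) if covers(src)]
    return {"pool": (str(first), str(last)), "nat_exempt_lan_to_pool": exempt,
            "split_tunnel_includes_lan": split_ok, "policy_nat_on_pool": translated}

if __name__ == "__main__":
    for key, value in check_vpn_reachability(CONFIG, "192.168.0.0/24").items():
        print(f"{key}: {value}")
```

On the posted config the exemption and the split-tunnel entry are both in place, and the check also surfaces one NAT pair that applies to pool-sourced traffic: `VPN_NAT` on the outside interface with `global (inside) 10 interface`. The thread does not settle what caused the poster's symptom, but a rule like that rewrites the client's source address to the inside interface address before packets reach the LAN, so it belongs on the list of things to verify whenever LAN hosts cannot reach pool addresses.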
Dear All,
I have configured remote access VPN without using split tunnel. Everything is working fine. I can access all of the inside network which is allowed in the ACL.
I am facing a strange issue now. I have created a pool for remote access VPN with a range of 192.168.5.8/29. I can access my internal subnets 10.10.0.0/16.
I have the below access-list for acl-in.
access-list acl-in extended permit ip object-group vpnclients 192.168.5.8 255.255.255.248
object-group network vpnclients
network-object host 10.110.100.26
network-object host 10.106.100.15
network-object host 10.10.10.6
network-object host 10.10.20.82
network-object host 10.110.100.48
network-object host 10.10.20.53
network-object host 10.10.20.54
network-object host 10.60.100.1
network-object host 10.10.10.75
network-object host 10.10.20.100
network-object host 10.10.130.136
network-object host 10.106.100.16
network-object host 10.106.100.9
network-object host 10.170.100.1
network-object host 10.170.100.2
network-object host 10.170.100.21
network-object host 10.101.100.20
network-object host 10.170.100.25
So whichever IPs I have called in the vpnclients group are able to be accessed via RA VPN. The issue is when I try to access the internal network of 192.168.198.0/24, I am able to access it without adding it to the vpnclients group. Even for 192.168.197.0/24, 192.168.197.0/24 the same. But for 10.10.0.0/16 we can access only after adding it to the vpnclients group. Has anyone faced this issue before? Is this because of the same network, I mean 192.168.0.0, something like that? There is no other statement in acl-in for 192.168.0.0.
Regards
-Danesh Ahammad
Hi,
If I read correctly you made the RA VPN "without" split tunnel, correct? If that is the case, all of the traffic will traverse the VPN connection (tunnel all); the access-list "acl-in" is of no use to it.
Try converting it to use split tunnel; I am sure that way you cannot access resources that are not mentioned in the list.
~Harry -
Any ideas how to better troubleshoot VPN issue?
Hi,
I've recently upgraded my WLAN router to a brand new AVM FRITZ!Box WLAN 7390, in part for its VPN capabilities.
So far, I've been unable to create a working connection.
AVM's VPN is based on Cisco IPSec, and they provide a step-by-step procedure on how to configure a Mac-based VPN connection (http://www.avm.de/de/Service/Service-Portale/Service-Portal/VPN_Interoperabilitaet/16206.php - unfortunately only available in German, sorry). Following it, I still can't get it to work. Contacting their support I got first the same procedure and, after pointing out I had already followed it, a "we don't support other vendors".
Funny enough, I got a second VPN connection to my work's VPN server just fine, though admittedly there we have a true Cisco box.
My initial setup was based on a 192.x.x.x net on my AVM; I could establish a VPN connection but couldn't ping/ssh/http/you-name-the-protocol in either direction. Our company's net is a 10.x.x.x net, and as I also have VMware Fusion running on my Mac with DHCP enabled on a different 192.x.x.x net plus a third 192.x.x.x net from my Wi-Fi access, I decided to reconfigure my AVM net to a 172.x.x.x net and stop the VMware services for the tests (i.e. simplify as much as I could to help troubleshoot).
Alas, instead of being able to establish a non-working VPN connection, now I ain't able to get the tunnel up. IKE Phase 1 completes but Phase 2 doesn't.
Here's the relevant section from kernel.log:
Dec 30 11:47:57 jupiter configd[16]: IPSec connecting to server <myservernameismybusiness>.dyndns.info
Dec 30 11:47:57 jupiter configd[16]: SCNC: start, triggered by SystemUIServer, type IPSec, status 0
Dec 30 11:47:57 jupiter configd[16]: IPSec Phase1 starting.
Dec 30 11:47:57 jupiter racoon[1910]: IPSec connecting to server 77.x.x.x
Dec 30 11:47:57 jupiter racoon[1910]: Connecting.
Dec 30 11:47:57 jupiter racoon[1910]: IPSec Phase1 started (Initiated by me).
Dec 30 11:47:57 jupiter racoon[1910]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
Dec 30 11:47:58 jupiter racoon[1910]: IKEv1 Phase1 AUTH: success. (Initiator, Aggressive-Mode Message 2).
Dec 30 11:47:58 jupiter racoon[1910]: IKE Packet: receive success. (Initiator, Aggressive-Mode message 2).
Dec 30 11:47:58 jupiter racoon[1910]: IKEv1 Phase1 Initiator: success. (Initiator, Aggressive-Mode).
Dec 30 11:47:58 jupiter racoon[1910]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 3).
Dec 30 11:47:58 jupiter racoon[1910]: IKE Packet: transmit success. (Information message).
Dec 30 11:47:58 jupiter racoon[1910]: IKEv1 Information-Notice: transmit success. (ISAKMP-SA).
Dec 30 11:47:58 jupiter racoon[1910]: IPSec Phase1 established (Initiated by me).
Dec 30 11:47:58 jupiter racoon[1910]: IPSec Extended Authentication requested.
Dec 30 11:47:58 jupiter configd[16]: IPSec requesting Extended Authentication.
Dec 30 11:48:01 jupiter configd[16]: IPSec sending Extended Authentication.
Dec 30 11:48:01 jupiter racoon[1910]: IKE Packet: transmit success. (Mode-Config message).
Dec 30 11:48:01 jupiter racoon[1910]: IPSec Extended Authentication sent.
Dec 30 11:48:02 jupiter racoon[1910]: IKEv1 XAUTH: success. (XAUTH Status is OK).
Dec 30 11:48:02 jupiter racoon[1910]: IPSec Extended Authentication Passed.
Dec 30 11:48:02 jupiter racoon[1910]: IKE Packet: transmit success. (Mode-Config message).
Dec 30 11:48:02 jupiter racoon[1910]: IKEv1 Config: retransmited. (Mode-Config retransmit).
Dec 30 11:48:02 jupiter racoon[1910]: IPSec Network Configuration requested.
Dec 30 11:48:03 jupiter racoon[1910]: IPSec Network Configuration established.
Dec 30 11:48:03 jupiter racoon[1910]: IKE Packet: receive success. (MODE-Config).
Dec 30 11:48:03 jupiter configd[16]: IPSec Network Configuration started.
Dec 30 11:48:03 jupiter configd[16]: IPSec Network Configuration: INTERNAL-IP4-ADDRESS = 172.77.7.14.
Dec 30 11:48:03 jupiter configd[16]: IPSec Network Configuration: SAVE-PASSWORD = 1.
Dec 30 11:48:03 jupiter configd[16]: IPSec Network Configuration: DEFAULT-ROUTE = local-address 172.77.7.14/32.
Dec 30 11:48:03 jupiter configd[16]: host_gateway: write routing socket failed, command 2, No such process
Dec 30 11:48:03 jupiter configd[16]: IPSec Phase2 starting.
Dec 30 11:48:03 jupiter configd[16]: IPSec Network Configuration established.
Dec 30 11:48:03 jupiter configd[16]: IPSec Phase1 established.
Dec 30 11:48:03 jupiter configd[16]: event_callback: Address added. previous interface setting (name: en1, address: 192.168.43.242), current interface setting (name: utun0, family: 1001, address: 172.77.7.14, subnet: 255.255.255.255, destination: 172.77.7.14).
Dec 30 11:48:03 jupiter racoon[1910]: IPSec Phase2 started (Initiated by me).
Dec 30 11:48:03 jupiter racoon[1910]: IKE Packet: transmit success. (Initiator, Quick-Mode message 1).
Dec 30 11:48:03 jupiter configd[16]: network configuration changed.
Dec 30 11:48:03 jupiter configd[16]: IPSec port-mapping update for en1 ignored: VPN is the Primary interface. Public Address: ac4d070e, Protocol: None, Private Port: 0, Public Port: 0
Dec 30 11:48:03 jupiter configd[16]:
Dec 30 11:48:03 jupiter configd[16]: setting hostname to "jupiter.local"
Dec 30 11:48:03 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
Dec 30 11:48:06 jupiter racoon[1910]: IKE Packet: transmit success. (Phase2 Retransmit).
Dec 30 11:48:07 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
Dec 30 11:48:09 jupiter racoon[1910]: IKE Packet: transmit success. (Phase2 Retransmit).
Dec 30 11:48:09 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
Dec 30 11:48:12 jupiter racoon[1910]: IKE Packet: transmit success. (Phase2 Retransmit).
Dec 30 11:48:13 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
Dec 30 11:48:15 jupiter racoon[1910]: IKE Packet: transmit success. (Phase2 Retransmit).
Dec 30 11:48:15 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
Dec 30 11:48:18 jupiter racoon[1910]: IKE Packet: transmit success. (Phase2 Retransmit).
Dec 30 11:48:18 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
Dec 30 11:48:21 jupiter racoon[1910]: IKE Packet: transmit success. (Phase2 Retransmit).
Dec 30 11:48:21 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
Dec 30 11:48:24 jupiter racoon[1910]: IKE Packet: transmit success. (Phase2 Retransmit).
Dec 30 11:48:25 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
Dec 30 11:48:27 jupiter racoon[1910]: IKE Packet: transmit success. (Phase2 Retransmit).
Dec 30 11:48:27 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
Dec 30 11:48:30 jupiter racoon[1910]: IKE Packet: transmit success. (Phase2 Retransmit).
Dec 30 11:48:30 jupiter racoon[1910]: IKE Packet: receive success. (Information message).
Dec 30 11:48:33 jupiter configd[16]: IPSec disconnecting from server 77.x.x.x
Dec 30 11:48:33 jupiter racoon[1910]: IPSec disconnecting from server 77.x.x.x
Dec 30 11:48:33 jupiter racoon[1910]: IKE Packet: transmit success. (Information message).
Dec 30 11:48:33 jupiter racoon[1910]: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).
Dec 30 11:48:33 jupiter configd[16]: SCNC Controller: service_ending_verify_primaryservice, waiting for PrimaryService. status = 1
Dec 30 11:48:33 jupiter configd[16]:
Dec 30 11:48:33 jupiter configd[16]: network configuration changed.
Dec 30 11:48:33 jupiter configd[16]: SCNC Controller: ipv4_state_changed, done waiting for ServiceID.
Dec 30 11:48:33 jupiter configd[16]:
Dec 30 11:48:33 jupiter configd[16]: setting hostname to "jupiter"
When connecting to my work-place it looks like:
Dec 30 12:33:14 jupiter configd[16]: IPSec connecting to server <mycompanyismybusiness>.ch
Dec 30 12:33:14 jupiter configd[16]: SCNC: start, triggered by SystemUIServer, type IPSec, status 0
Dec 30 12:33:14 jupiter configd[16]: IPSec Phase1 starting.
Dec 30 12:33:14 jupiter racoon[1976]: IPSec connecting to server 62.x.x.x
Dec 30 12:33:14 jupiter racoon[1976]: Connecting.
Dec 30 12:33:14 jupiter racoon[1976]: IPSec Phase1 started (Initiated by me).
Dec 30 12:33:14 jupiter racoon[1976]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
Dec 30 12:33:14 jupiter racoon[1976]: IKEv1 Phase1 AUTH: success. (Initiator, Aggressive-Mode Message 2).
Dec 30 12:33:14 jupiter racoon[1976]: IKE Packet: receive success. (Initiator, Aggressive-Mode message 2).
Dec 30 12:33:14 jupiter racoon[1976]: IKEv1 Phase1 Initiator: success. (Initiator, Aggressive-Mode).
Dec 30 12:33:14 jupiter racoon[1976]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 3).
Dec 30 12:33:14 jupiter racoon[1976]: IPSec Phase1 established (Initiated by me).
Dec 30 12:33:15 jupiter racoon[1976]: IPSec Extended Authentication requested.
Dec 30 12:33:15 jupiter configd[16]: IPSec requesting Extended Authentication.
Dec 30 12:33:21 jupiter configd[16]: IPSec sending Extended Authentication.
Dec 30 12:33:21 jupiter racoon[1976]: IKE Packet: transmit success. (Mode-Config message).
Dec 30 12:33:21 jupiter racoon[1976]: IPSec Extended Authentication sent.
Dec 30 12:33:21 jupiter racoon[1976]: IKEv1 XAUTH: success. (XAUTH Status is OK).
Dec 30 12:33:21 jupiter racoon[1976]: IPSec Extended Authentication Passed.
Dec 30 12:33:21 jupiter racoon[1976]: IKE Packet: transmit success. (Mode-Config message).
Dec 30 12:33:21 jupiter racoon[1976]: IKEv1 Config: retransmited. (Mode-Config retransmit).
Dec 30 12:33:21 jupiter racoon[1976]: IPSec Network Configuration requested.
Dec 30 12:33:21 jupiter racoon[1976]: IPSec Network Configuration established.
Dec 30 12:33:21 jupiter racoon[1976]: IKE Packet: receive success. (MODE-Config).
Dec 30 12:33:21 jupiter configd[16]: IPSec Network Configuration started.
Dec 30 12:33:21 jupiter configd[16]: IPSec Network Configuration: INTERNAL-IP4-ADDRESS = 10.100.1.18.
Dec 30 12:33:21 jupiter configd[16]: IPSec Network Configuration: INTERNAL-IP4-MASK = 255.255.255.0.
Dec 30 12:33:21 jupiter configd[16]: IPSec Network Configuration: SAVE-PASSWORD = 1.
Dec 30 12:33:21 jupiter configd[16]: IPSec Network Configuration: INTERNAL-IP4-DNS = 10.100.1.129.
Dec 30 12:33:21 jupiter configd[16]: IPSec Network Configuration: SPLIT-INCLUDE.
Dec 30 12:33:21 jupiter configd[16]: IPSec Network Configuration: DEF-DOMAIN = iw.local.
Dec 30 12:33:21 jupiter configd[16]: host_gateway: write routing socket failed, command 2, No such process
Dec 30 12:33:21 jupiter configd[16]: installed route: (address 10.100.1.0, gateway 10.100.1.18)
Dec 30 12:33:21 jupiter configd[16]: IPSec Phase2 starting.
Dec 30 12:33:21 jupiter racoon[1976]: IPSec Phase2 started (Initiated by me).
Dec 30 12:33:21 jupiter racoon[1976]: IKE Packet: transmit success. (Initiator, Quick-Mode message 1).
Dec 30 12:33:21 jupiter configd[16]: IPSec Network Configuration established.
Dec 30 12:33:21 jupiter configd[16]: IPSec Phase1 established.
Dec 30 12:33:21 jupiter configd[16]: event_callback: Address added. previous interface setting (name: en1, address: 192.168.43.242), current interface setting (name: utun0, family: 1001, address: 10.100.1.18, subnet: 255.255.255.0, destination: 10.100.1.18).
Dec 30 12:33:21 jupiter configd[16]: network configuration changed.
Dec 30 12:33:21 jupiter racoon[1976]: IKE Packet: receive success. (Initiator, Quick-Mode message 2).
Dec 30 12:33:21 jupiter racoon[1976]: IKE Packet: transmit success. (Initiator, Quick-Mode message 3).
Dec 30 12:33:21 jupiter racoon[1976]: IKEv1 Phase2 Initiator: success. (Initiator, Quick-Mode).
Dec 30 12:33:21 jupiter racoon[1976]: IPSec Phase2 established (Initiated by me).
Dec 30 12:33:21 jupiter configd[16]: IPSec Phase2 established.
An earlier test in a Starbucks around here had the same result; while looking at the netstat -nr output I found I got onto a 10.x.x.x net on the Wi-Fi and could still connect to the (different) 10.x.x.x net at work.
My TCP/IP Networking course was around 2000, but the default route seen in the non-working log section looks like bullsh*t to me anyhow: DEFAULT-ROUTE = local-address 172.77.7.14/32
On the other hand, the Phase 2 messages seem to indicate a different mode for Phase 2 between the working and the non-working one.
This is from the exported config of my AVM box:
**** CFGFILE:vpn.cfg
* /var/flash/vpn.cfg
* Wed Dec 28 16:01:09 2011
vpncfg {
connections {
enabled = yes;
conn_type = conntype_user;
name = "[email protected]";
always_renew = no;
reject_not_encrypted = no;
dont_filter_netbios = yes;
localip = 0.0.0.0;
local_virtualip = 0.0.0.0;
remoteip = 0.0.0.0;
remote_virtualip = 172.77.7.14;
remoteid {
key_id = "<mykeyismybusiness>";
mode = phase1_mode_aggressive;
phase1ss = "all/all/all";
keytype = connkeytype_pre_shared;
key = "<mykeyismybusiness>";
cert_do_server_auth = no;
use_nat_t = no;
use_xauth = yes;
xauth {
valid = yes;
username = "<myuserismybusiness>";
passwd = "<mypasswordismybusiness>";
use_cfgmode = no;
phase2localid {
ipnet {
ipaddr = 0.0.0.0;
mask = 0.0.0.0;
phase2remoteid {
ipaddr = 172.22.7.14;
phase2ss = "esp-all-all/ah-none/comp-all/no-pfs";
accesslist =
"permit ip 172.22.7.0 255.255.255.240 172.22.7.14 255.255.255.255";
ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
"udp 0.0.0.0:4500 0.0.0.0:4500";
// EOF
**** END OF FILE ****
I also noticed an extra "IPSec port-mapping update for en1 ignored" message in the non-working log section, but I'm not sure a) how significant that might be, and b) how to find out what the ignored update might have been to decide whether not ignoring it would help.
A quick test with the AnyConnect Client from Cisco didn't help either; apparently it establishes an https connection first, as I got a window with the certificate details from my QNAP behind the AVM box (I have a port forward for https to it).
So I'm looking for any ideas how to better troubleshoot this VPN issue...
Many thanks in advance!
BR,
Alex
Ok, found a small typo in my config (had at one point a 172.77.7.14 instead of the 172.22.7.14), now I can also connect from the 172.x.x.x net but still no ping etc. The relevant section of the log now looks like this:
Dec 30 16:44:27 jupiter configd[16]: IPSec connecting to server <myservernameismybusiness>.dyndns.info
Dec 30 16:44:27 jupiter configd[16]: SCNC: start, triggered by SystemUIServer, type IPSec, status 0
Dec 30 16:44:28 jupiter configd[16]: IPSec Phase1 starting.
Dec 30 16:44:28 jupiter racoon[2183]: IPSec connecting to server 77.x.x.x
Dec 30 16:44:28 jupiter racoon[2183]: Connecting.
Dec 30 16:44:28 jupiter racoon[2183]: IPSec Phase1 started (Initiated by me).
Dec 30 16:44:28 jupiter racoon[2183]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
Dec 30 16:44:28 jupiter racoon[2183]: IKEv1 Phase1 AUTH: success. (Initiator, Aggressive-Mode Message 2).
Dec 30 16:44:28 jupiter racoon[2183]: IKE Packet: receive success. (Initiator, Aggressive-Mode message 2).
Dec 30 16:44:28 jupiter racoon[2183]: IKEv1 Phase1 Initiator: success. (Initiator, Aggressive-Mode).
Dec 30 16:44:28 jupiter racoon[2183]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 3).
Dec 30 16:44:28 jupiter racoon[2183]: IKE Packet: transmit success. (Information message).
Dec 30 16:44:28 jupiter racoon[2183]: IKEv1 Information-Notice: transmit success. (ISAKMP-SA).
Dec 30 16:44:28 jupiter racoon[2183]: IPSec Phase1 established (Initiated by me).
Dec 30 16:44:28 jupiter racoon[2183]: IPSec Extended Authentication requested.
Dec 30 16:44:28 jupiter configd[16]: IPSec requesting Extended Authentication.
Dec 30 16:44:31 jupiter configd[16]: IPSec sending Extended Authentication.
Dec 30 16:44:31 jupiter racoon[2183]: IKE Packet: transmit success. (Mode-Config message).
Dec 30 16:44:31 jupiter racoon[2183]: IPSec Extended Authentication sent.
Dec 30 16:44:32 jupiter racoon[2183]: IKEv1 XAUTH: success. (XAUTH Status is OK).
Dec 30 16:44:32 jupiter racoon[2183]: IPSec Extended Authentication Passed.
Dec 30 16:44:32 jupiter racoon[2183]: IKE Packet: transmit success. (Mode-Config message).
Dec 30 16:44:32 jupiter racoon[2183]: IKEv1 Config: retransmited. (Mode-Config retransmit).
Dec 30 16:44:32 jupiter racoon[2183]: IPSec Network Configuration requested.
Dec 30 16:44:33 jupiter racoon[2183]: IPSec Network Configuration established.
Dec 30 16:44:33 jupiter racoon[2183]: IKE Packet: receive success. (MODE-Config).
Dec 30 16:44:33 jupiter configd[16]: IPSec Network Configuration started.
Dec 30 16:44:33 jupiter configd[16]: IPSec Network Configuration: INTERNAL-IP4-ADDRESS = 172.22.7.14.
Dec 30 16:44:33 jupiter configd[16]: IPSec Network Configuration: SAVE-PASSWORD = 1.
Dec 30 16:44:33 jupiter configd[16]: IPSec Network Configuration: INTERNAL-IP4-DNS = 172.22.7.1.
Dec 30 16:44:33 jupiter configd[16]: IPSec Network Configuration: DEFAULT-ROUTE = local-address 172.22.7.14/32.
Dec 30 16:44:33 jupiter configd[16]: host_gateway: write routing socket failed, command 2, No such process
Dec 30 16:44:33 jupiter configd[16]: IPSec Phase2 starting.
Dec 30 16:44:33 jupiter racoon[2183]: IPSec Phase2 started (Initiated by me).
Dec 30 16:44:33 jupiter racoon[2183]: IKE Packet: transmit success. (Initiator, Quick-Mode message 1).
Dec 30 16:44:33 jupiter configd[16]: IPSec Network Configuration established.
Dec 30 16:44:33 jupiter configd[16]: IPSec Phase1 established.
Dec 30 16:44:33 jupiter configd[16]: event_callback: Address added. previous interface setting (name: en1, address: 192.168.43.242), current interface setting (name: utun0, family: 1001, address: 172.22.7.14, subnet: 255.255.255.255, destination: 172.22.7.14).
Dec 30 16:44:33 jupiter configd[16]: network configuration changed.
Dec 30 16:44:33 jupiter racoon[2183]: IKE Packet: receive success. (Initiator, Quick-Mode message 2).
Dec 30 16:44:33 jupiter racoon[2183]: IKE Packet: transmit success. (Initiator, Quick-Mode message 3).
Dec 30 16:44:33 jupiter racoon[2183]: IKEv1 Phase2 Initiator: success. (Initiator, Quick-Mode).
Dec 30 16:44:33 jupiter racoon[2183]: IPSec Phase2 established (Initiated by me).
Dec 30 16:44:33 jupiter configd[16]: IPSec Phase2 established.
Dec 30 16:44:43 jupiter racoon[2183]: IKE Packet: receive failed. (MODE-Config).
Dec 30 16:44:48 jupiter racoon[2183]: IKE Packet: transmit success. (Information message).
Dec 30 16:44:48 jupiter racoon[2183]: IKEv1 Information-Notice: transmit success. (R-U-THERE?).
Dec 30 16:44:48 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: request transmitted. (Initiator DPD Request).
Dec 30 16:44:48 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: response received. (Initiator DPD Response).
Dec 30 16:44:48 jupiter racoon[2183]: IKE Packet: receive success. (Information message).
Dec 30 16:45:03 jupiter configd[16]: setting hostname to "jupiter.local"
followed by lots of:
Dec 30 16:45:03 jupiter racoon[2183]: IKE Packet: receive failed. (MODE-Config).
Dec 30 16:45:08 jupiter racoon[2183]: IKE Packet: transmit success. (Information message).
Dec 30 16:45:08 jupiter racoon[2183]: IKEv1 Information-Notice: transmit success. (R-U-THERE?).
Dec 30 16:45:08 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: request transmitted. (Initiator DPD Request).
Dec 30 16:45:08 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: response received. (Initiator DPD Response).
Dec 30 16:45:08 jupiter racoon[2183]: IKE Packet: receive success. (Information message).
Dec 30 16:45:28 jupiter racoon[2183]: IKE Packet: transmit success. (Information message).
Dec 30 16:45:28 jupiter racoon[2183]: IKEv1 Information-Notice: transmit success. (R-U-THERE?).
Dec 30 16:45:28 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: request transmitted. (Initiator DPD Request).
Dec 30 16:45:29 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: response received. (Initiator DPD Response).
Dec 30 16:45:29 jupiter racoon[2183]: IKE Packet: receive success. (Information message).
Dec 30 16:45:49 jupiter racoon[2183]: IKE Packet: transmit success. (Information message).
Dec 30 16:45:49 jupiter racoon[2183]: IKEv1 Information-Notice: transmit success. (R-U-THERE?).
Dec 30 16:45:49 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: request transmitted. (Initiator DPD Request).
Dec 30 16:45:50 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: response received. (Initiator DPD Response).
Dec 30 16:45:50 jupiter racoon[2183]: IKE Packet: receive success. (Information message).
Dec 30 16:46:10 jupiter racoon[2183]: IKE Packet: transmit success. (Information message).
Dec 30 16:46:10 jupiter racoon[2183]: IKEv1 Information-Notice: transmit success. (R-U-THERE?).
Dec 30 16:46:10 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: request transmitted. (Initiator DPD Request).
Dec 30 16:46:10 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: response received. (Initiator DPD Response).
Dec 30 16:46:10 jupiter racoon[2183]: IKE Packet: receive success. (Information message).
Dec 30 16:46:30 jupiter racoon[2183]: IKE Packet: transmit success. (Information message).
Dec 30 16:46:30 jupiter racoon[2183]: IKEv1 Information-Notice: transmit success. (R-U-THERE?).
Dec 30 16:46:30 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: request transmitted. (Initiator DPD Request).
Dec 30 16:46:30 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: response received. (Initiator DPD Response).
Dec 30 16:46:30 jupiter racoon[2183]: IKE Packet: receive success. (Information message). -
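The log above shows every IKE step succeeding while no traffic flows, which is easier to see once the phases are tracked mechanically. As an added example (not part of the thread), this Python script parses a constructed excerpt of that racoon/configd output, follows Phase1, XAUTH, Mode-Config and Phase2, counts DPD probes and post-Phase2 MODE-Config receive failures, and lists what can and cannot be blamed on IKE; the findings text is my interpretation of those events, not something the log itself states.

```python
import re
from datetime import datetime

# Constructed excerpt of the racoon/configd log quoted above (not the full log).
SAMPLE_LOG = """\
Dec 30 16:44:28 jupiter racoon[2183]: IPSec Phase1 started (Initiated by me).
Dec 30 16:44:28 jupiter racoon[2183]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
Dec 30 16:44:28 jupiter racoon[2183]: IPSec Phase1 established (Initiated by me).
Dec 30 16:44:32 jupiter racoon[2183]: IKEv1 XAUTH: success. (XAUTH Status is OK).
Dec 30 16:44:33 jupiter configd[16]: IPSec Network Configuration: INTERNAL-IP4-ADDRESS = 172.22.7.14.
Dec 30 16:44:33 jupiter configd[16]: IPSec Network Configuration: INTERNAL-IP4-DNS = 172.22.7.1.
Dec 30 16:44:33 jupiter configd[16]: IPSec Network Configuration: DEFAULT-ROUTE = local-address 172.22.7.14/32.
Dec 30 16:44:33 jupiter configd[16]: host_gateway: write routing socket failed, command 2, No such process
Dec 30 16:44:33 jupiter racoon[2183]: IPSec Phase2 established (Initiated by me).
Dec 30 16:44:43 jupiter racoon[2183]: IKE Packet: receive failed. (MODE-Config).
Dec 30 16:44:48 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: request transmitted. (Initiator DPD Request).
Dec 30 16:44:48 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: response received. (Initiator DPD Response).
Dec 30 16:45:03 jupiter racoon[2183]: IKE Packet: receive failed. (MODE-Config).
Dec 30 16:45:08 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: request transmitted. (Initiator DPD Request).
Dec 30 16:45:08 jupiter racoon[2183]: IKEv1 Dead-Peer-Detection: response received. (Initiator DPD Response).
"""

# Syslog-style prefix macOS uses: "Mon DD HH:MM:SS host proc[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Mode-Config attributes pushed by the gateway, in the form configd prints them.
ATTR_RE = re.compile(r"IPSec Network Configuration: (?P<key>[A-Z0-9-]+) = (?P<val>.+?)\.?$")


def parse(text):
    """Split the log into event dicts; lines without the syslog prefix are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["when"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")  # year-less; fine for deltas
            events.append(ev)
    return events


def diagnose(text):
    """Walk the IKEv1 events in order and return the session state plus findings."""
    st = {"phase1": False, "xauth": False, "phase2": False, "attrs": {},
          "dpd_requests": 0, "dpd_responses": 0, "modecfg_recv_failed_after_phase2": 0,
          "negotiation_seconds": None, "findings": []}
    started = None
    for ev in parse(text):
        msg = ev["msg"]
        if "Phase1 started" in msg:
            started = ev["when"]
        elif "Phase1 established" in msg:
            st["phase1"] = True
        elif "XAUTH: success" in msg:
            st["xauth"] = True
        elif "Phase2 established" in msg:
            st["phase2"] = True
            if started is not None:
                st["negotiation_seconds"] = (ev["when"] - started).total_seconds()
        elif "Dead-Peer-Detection: request transmitted" in msg:
            st["dpd_requests"] += 1
        elif "Dead-Peer-Detection: response received" in msg:
            st["dpd_responses"] += 1
        elif "receive failed. (MODE-Config)" in msg and st["phase2"]:
            st["modecfg_recv_failed_after_phase2"] += 1
        elif "write routing socket failed" in msg:
            st["findings"].append("routing socket write failed: the pushed default route may not have been installed")
        else:
            a = ATTR_RE.search(msg)
            if a:
                st["attrs"][a["key"]] = a["val"]

    # Interpretation (mine): everything IKE is responsible for succeeded, and DPD shows the peer answering,
    # so the missing traffic must be looked for in routing or the gateway's policy, not in the negotiation.
    if st["phase1"] and st["xauth"] and st["phase2"]:
        st["findings"].append("Phase1, XAUTH and Phase2 all established: the IKE negotiation is not the problem")
    if st["dpd_requests"] and st["dpd_responses"] == st["dpd_requests"]:
        st["findings"].append("peer answers every DPD probe: the ISAKMP SA is alive")
    if st["modecfg_recv_failed_after_phase2"]:
        n = st["modecfg_recv_failed_after_phase2"]
        st["findings"].append(f"{n} MODE-Config packet(s) could not be processed after Phase2")
    if "DEFAULT-ROUTE" in st["attrs"]:
        st["findings"].append(f"gateway pushed a full-tunnel route: {st['attrs']['DEFAULT-ROUTE']}")
    return st


if __name__ == "__main__":
    for line in diagnose(SAMPLE_LOG)["findings"]:
        print("-", line)
```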
SAPGUI Java 7.20 Rev 6 download and VPN issue
Dear SAP friends please help.
We are trying to connect to SAP via a Mac running Lion and a VPN with SAPGUI for Java Rev 5. We get the logon successfully but never get further than the licence message. We have updated to the latest Java and also tried it in 32-bit mode. We are unable to download the latest Rev 6 (due to my user authorisation) but we still think this is a VPN issue. Can you please help? I enclose the trace, which shows the point at which it stops.
Many thanks
Andrew
16.11. 17:36:05.118 CALL: <CONTROL SHELLID="101">
16.11. 17:36:05.118 CALL: <PROPERTY VALUE="0" NAME="120"/>
16.11. 17:36:05.118 CALL: <PROPERTY VALUE="0" NAME="300"/>
16.11. 17:36:05.118 CALL: </CONTROL>
16.11. 17:36:05.118 CALL: </CONTROLS>
16.11. 17:36:05.118 CALL: <COPY id="copy">
16.11. 17:36:05.118 CALL: <GUI id="gui">
16.11. 17:36:05.118 CALL: <METRICS id="metrics" X3="1440" X2="7" X1="7" X0="283" Y3="900" Y2="20" Y1="12" Y0="283"/>
16.11. 17:36:05.118 CALL: </GUI>
16.11. 17:36:05.118 CALL: </COPY>
16.11. 17:36:05.118 CALL: </DATAMANAGER>
16.11. 17:36:05.119 CALL: Call 1042: #3#.setMoreDataIndicator(true);
16.11. 17:36:05.122 CON: GuiNiNetConnection: sending DIAG data to writer thread for modus 0
ERROR #############################
16.11. 17:37:10.018 ERROR: GuiNiReaderThread: read failed: Error: connection to partner '172.23.200.109:3200' broken
16.11. 17:37:10.018 ERROR:
16.11. 17:37:10.018 ERROR: Wed Nov 16 17:37:10 2011
16.11. 17:37:10.018 ERROR: Release 720
16.11. 17:37:10.018 ERROR: Component NI (network interface), version 40
16.11. 17:37:10.018 ERROR: rc = -6, module nixxi.cpp, line 5087
16.11. 17:37:10.018 ERROR: Detail NiIRead: P=172.23.200.109:3200; L=10.64.10.112:53387
16.11. 17:37:10.018 ERROR: System Call recv
16.11. 17:37:10.018 ERROR: Error No 60
16.11. 17:37:10.018 ERROR: 'Operation timed out'
ERROR #############################
16.11. 17:37:10.018 CON: -
16.11. 17:37:10.018 CON: GuiNiNetConnection: sending DIAG data to connection for modus -1
ERROR #############################
16.11. 17:37:10.234 ERROR: GuiConnection: Connection closed
16.11. 17:37:10.234 ERROR: Error: connection to partner '172.23.200.109:3200' broken
16.11. 17:37:10.234 ERROR:
16.11. 17:37:10.234 ERROR: Wed Nov 16 17:37:10 2011
16.11. 17:37:10.234 ERROR: Release 720
16.11. 17:37:10.234 ERROR: Component NI (network interface), version 40
16.11. 17:37:10.234 ERROR: rc = -6, module nixxi.cpp, line 5087
16.11. 17:37:10.234 ERROR: Detail NiIRead: P=172.23.200.109:3200; L=10.64.10.112:53387
16.11. 17:37:10.234 ERROR: System Call recv
16.11. 17:37:10.234 ERROR: Error No 60
16.11. 17:37:10.234 ERROR: 'Operation timed out'
ERROR #############################
ERROR #############################
Hello Andrew,
Some version of the VPN client on Lion seems to have a known issue, according to SAP internal discussions.
I found someone saying that with F5 SSL VPN Plugin 7000.2011.0907.01 it is working again.
It seems to be available from https://connectfp.sap.com.
For uninstalling the old F5 version, see http://support.f5.com/kb/en-us/solutions/public/3000/800/sol3826.html
(many "seems" because I am still on Snow Leopard and cannot speak about this issue from my own experience)
Regarding user authorization for downloading software in Service MarketPlace, please refer to [note 1037574|https://service.sap.com/sap/support/notes/1037574].
Best regards
Rolf-Martin -
Airport Extreme 802.11n New Firmware Release (VPN ISSUE)
The info accompanying the release of today's firmware upgrade makes no mention of a fix to the VPN problems. Does anyone know if the new firmware had any effect on the problem?
Mac Pro Mac OS X (10.4.9) 4 GB RAM
Our VPN is now working (checkpoint)
For me the firmware update initially seemed to fix the VPN issue, but after closer inspection there still seems to be something wrong with it. (We are using CheckPoint.) My Wintel box that has been provided by my employee is still having issues with connecting to our Exchange server, and the network drives do not seem to be working all that reliably. Probably a configuration issue, but do you have any ideas on where to start looking for a solution?
br,
-Joose -
We have a Cisco 515 as a headend firewall with ~30 VPN connections to remote sites. The existing remote sites are using Cisco 506 firewalls and work fine. I am trying to set up an ASA 5505 as a remote firewall as a future replacement for the PIX 506's. I am able to get the site-to-site tunnels up just fine. The issue is that once the tunnels are up I am not able to ping the inside interface of the remote ASA from the headend LAN. I am able to telnet to the ASA and run the ASDM but no ping. I am also not able to ping from the ASA to the headend LAN, but I can ping from a device on the remote ASA LAN to the headend LAN. I have rebuilt the configs manually and with the ASDM with the same results. The remote IPsec rules protect the outside interface to headend LAN just like I do on the 506's. It is almost like the ASA will not build a tunnel from the outside interface to the remote LAN. Can anyone tell me what I am missing or what is different about the ASA over the PIX? Any help appreciated.
Thanks for your reply. This is already set along with the following.
icmp permit any inside
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
When looking at the logs it looks like it builds an inbound connection and tears it down. On the PIX's it builds the inbound and outbound connection and then tears them down.
When I do an inspect on the ping packets from the remote LAN I get an interesting result.
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (ipsec-spoof) IPSEC Spoof detected -
Confused with this ASA - VPN config issue
Hello. Can anyone help me here? I am new to the ASA config and commands. Everything works well enough on this ASA except the VPN. A client can connect but cannot access anything inside or outside. Here is the config. Can someone please take a look and tell me why VPN is not working? I don't want to set up split-tunneling; I would prefer everything to go through the firewall. Also, if you see something else wrong (or have a better implementation) then please let me know.
ASA Version 8.4(2)
hostname FIREWALL_NAME
enable password Some_X's_here encrypted
passwd Some_X's_here encrypted
names
interface Ethernet0/0
speed 100
duplex full
no nameif
no security-level
no ip address
interface Ethernet0/0.22
description Public Internet space via VLAN 22
vlan 22
nameif Public_Internet
security-level 0
ip address 1.3.3.7 255.255.255.248
interface Ethernet0/1
speed 100
duplex full
no nameif
no security-level
no ip address
interface Ethernet0/1.42
description Private LAN space via VLAN 42
shutdown
vlan 42
nameif Private_CDATA
security-level 100
ip address 10.30.136.1 255.255.255.0
interface Ethernet0/1.69
description Private LAN space via VLAN 69
vlan 69
nameif Private_ODATA
security-level 100
ip address 10.30.133.1 255.255.255.0
interface Ethernet0/1.95
description Private LAN space via VLAN 95
shutdown
vlan 95
nameif Private_OVOICE
security-level 100
ip address 192.168.102.254 255.255.255.0
interface Ethernet0/1.96
description Private LAN space via VLAN 96
shutdown
vlan 96
nameif Private_CVOICE
security-level 100
ip address 192.168.91.254 255.255.255.0
interface Ethernet0/1.3610
description Private LAN subnet via VLAN 3610
shutdown
vlan 3610
nameif Private_CeDATA
security-level 100
ip address 10.10.100.18 255.255.255.240
interface Ethernet0/1.3611
description Private LAN space via VLAN 3611
shutdown
vlan 3611
nameif Private_CeVOICE
security-level 100
ip address 10.10.100.66 255.255.255.252
interface Ethernet0/2
shutdown
no nameif
security-level 0
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.69.1 255.255.255.0
management-only
banner exec WARNING!! Access to this device is restricted to those individuals with specific permissions. If you are not an authorized user, disconnect now. Any attempts to gain unauthorized access will be prosecuted to the fullest
extent of the law.
banner exec
banner exec ,
banner exec .';
banner exec .-'` .'
banner exec ,`.-'-.`\
banner exec ; / '-'
banner exec | \ ,-,
banner exec \ '-.__ )_`'._ \|/
banner exec '. ``` ``'--._[]--------------*
banner exec .-' , `'-. /|\
banner exec '-'`-._ (( o )
banner exec `'--....(`- ,__..--'
banner exec '-'`
banner exec
banner exec frickin' sharks with frickin' laser beams attached to their frickin' heads
banner login WARNING!! Access to this device is restricted to those individuals with specific permissions. If you are not an authorized user, disconnect now. Any attempts to gain unauthorized access will be prosecuted to the fullest
extent of the law.
banner asdm WARNING!! Access to this device is restricted to those individuals with specific permissions. If you are not an authorized user, disconnect now. Any attempts to gain unauthorized access will be prosecuted to the fullest
extent of the law.
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network CD_3610-GW
host 10.10.100.17
description First hop to 3610
object network CV_3611-GW
host 10.10.100.65
description First hop to 3611
object network GW_22-EXT
host 1.3.3.6
description First hop to 22
object service MS-RDC
service tcp source range 1024 65535 destination eq 3389
description Microsoft Remote Desktop Connection
object network HDC-LAN
subnet 192.168.200.0 255.255.255.0
description DC LAN subnet
object network HAM-LAN
subnet 192.168.110.0 255.255.255.0
description HAM LAN subnet
object service MSN
service tcp source range 1 65535 destination eq 1863
description MSN Messenger
object network BCCs
host 2.1.8.1
description BCCs server access
object network ODLW-EXT
host 7.1.1.5
description OTTDl
object network SWINDS-INT
host 10.30.133.67
description SWINDS server
object network SWINDS(192.x.x.x)-INT
host 192.168.100.67
description SWINDS server
object service YMSG
service tcp source range 1 65535 destination eq 5050
description Yahoo Messenger
object service c.b.ca1
service tcp source range 1 65535 destination eq citrix-ica
description Connections to the bc portal.
object service c.b.ca2
service tcp source range 1 65535 destination eq 2598
description Connections to the bc portal.
object service HTTP-EXT(7001)
service tcp source range 1 65535 destination eq 7001
description HTTP Extended on port 7001.
object service HTTP-EXT(8000-8001)
service tcp source range 1 65535 destination range 8000 8001
description HTTP Extended on ports 8000-8001.
object service HTTP-EXT(8080-8081)
service tcp source range 1 65535 destination range 8080 8081
description HTTP Extended on ports 8080-8081.
object service HTTP-EXT(8100)
service tcp source range 1 65535 destination eq 8100
description HTTP Extended on port 8100.
object service HTTP-EXT(8200)
service tcp source range 1 65535 destination eq 8200
description HTTP Extended on port 8200.
object service HTTP-EXT(8888)
service tcp source range 1 65535 destination eq 8888
description HTTP Extended on port 8888.
object service HTTP-EXT(9080)
service tcp source range 1 65535 destination eq 9080
description HTTP Extended on port 9080.
object service ntp
service tcp source range 1 65535 destination eq 123
description TCP NTP on port 123.
object network Pl-EXT
host 7.1.1.2
description OPl box.
object service Pl-Admin
service tcp source range 1 65535 destination eq 8443
description Pl Admin portal
object network FW-EXT
host 1.3.3.7
description External/Public interface IP address of firewall.
object network Rs-EXT
host 7.1.1.8
description Rs web portal External/Public IP.
object network DWDM-EXT
host 2.1.2.1
description DWDM.
object network HM_VPN-EXT
host 6.2.9.7
description HAM Man.
object network SIM_MGMT
host 2.1.1.1
description SIM Man.
object network TS_MGMT
host 2.1.1.4
description TS Man.
object network TS_MGMT
host 2.1.2.2
description TS Man.
object service VPN-TCP(1723)
service tcp source range 1 65535 destination eq pptp
description For PPTP control path.
object service VPN-UDP(4500)
service udp source range 1 65535 destination eq 4500
description For L2TP(IKEv1) and IKEv2.
object service VPN-TCP(443)
service tcp source range 1 65535 destination eq https
description For SSTP control and data path.
object service VPN-UDP(500)
service udp source range 1 65535 destination eq isakmp
description For L2TP(IKEv1) and IKEv2.
object network RCM
host 6.1.8.2
description RCM
object network RCM_Y
host 6.1.8.9
description RCM Y
object network r.r.r.c163
host 2.1.2.63
description RCV IP.
object network r.r.r.c227
host 2.1.2.27
description RCV IP.
object network v.t.c-EXT
host 2.5.1.2
description RTICR
object service VPN-TCP(10000)
service tcp source range 1 65535 destination eq 10000
description For TCP VPN over port 1000.
object service BGP-JY
service tcp source range 1 65535 destination eq 21174
description BPG
object network KooL
host 192.168.100.100
description KooL
object network FW_Test
host 1.3.3.7
description Testing other External IP
object network AO_10-30-133-0-LAN
range 10.30.133.0 10.30.133.229
description OLS 10.30.133.0/24
object network AC_10-30-136-0-LAN
subnet 10.30.136.0 255.255.255.0
description CLS 10.30.136.0/24
object network NETWORK_OBJ_192.168.238.0_27
subnet 192.168.238.0 255.255.255.224
object-group network All_Private_Interfaces
description All private interfaces
network-object 10.30.133.0 255.255.255.0
network-object 10.30.136.0 255.255.255.0
network-object 10.10.100.16 255.255.255.240
network-object 10.10.100.64 255.255.255.252
network-object 192.168.102.0 255.255.255.0
network-object 192.168.91.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service cb.ca
description All ports required for cb.ca connections.
service-object object c.b.ca1
service-object object c.b.ca2
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq https
service-object udp destination eq snmp
object-group service FTP
description All FTP ports (20 + 21)
service-object tcp destination eq ftp
service-object tcp destination eq ftp-data
object-group service HTTP-EXT
description HTTP Extended port ranges.
service-object object HTTP-EXT(7001)
service-object object HTTP-EXT(8000-8001)
service-object object HTTP-EXT(8080-8081)
service-object object HTTP-EXT(8100)
service-object object HTTP-EXT(8200)
service-object object HTTP-EXT(8888)
service-object object HTTP-EXT(9080)
object-group service ICMP_Any
description ICMP: Any Type, Any Code
service-object icmp alternate-address
service-object icmp conversion-error
service-object icmp echo
service-object icmp echo-reply
service-object icmp information-reply
service-object icmp information-request
service-object icmp mask-reply
service-object icmp mask-request
service-object icmp mobile-redirect
service-object icmp parameter-problem
service-object icmp redirect
service-object icmp router-advertisement
service-object icmp router-solicitation
service-object icmp source-quench
service-object icmp time-exceeded
service-object icmp timestamp-reply
service-object icmp timestamp-request
service-object icmp traceroute
service-object icmp unreachable
service-object icmp6 echo
service-object icmp6 echo-reply
service-object icmp6 membership-query
service-object icmp6 membership-reduction
service-object icmp6 membership-report
service-object icmp6 neighbor-advertisement
service-object icmp6 neighbor-redirect
service-object icmp6 neighbor-solicitation
service-object icmp6 packet-too-big
service-object icmp6 parameter-problem
service-object icmp6 router-advertisement
service-object icmp6 router-renumbering
service-object icmp6 router-solicitation
service-object icmp6 time-exceeded
service-object icmp6 unreachable
service-object icmp
object-group service NTP
description TCP and UPD NTP protocol
service-object object ntp
service-object udp destination eq ntp
object-group service DM_INLINE_SERVICE_3
group-object FTP
group-object HTTP-EXT
group-object ICMP_Any
group-object NTP
service-object tcp-udp destination eq domain
service-object tcp-udp destination eq www
service-object tcp destination eq https
service-object tcp destination eq ssh
service-object ip
object-group service DM_INLINE_SERVICE_4
group-object NTP
service-object tcp destination eq daytime
object-group network SWINDS
description Both Internal IP addresses (192 + 10)
network-object object SWINDS-INT
network-object object SWINDS(192.x.x.x)-INT
object-group service IM_Types
description All messenger type applications
service-object object MSN
service-object object YMSG
service-object tcp-udp destination eq talk
service-object tcp destination eq aol
service-object tcp destination eq irc
object-group service SNMP
description Both poll and trap ports.
service-object udp destination eq snmp
service-object udp destination eq snmptrap
object-group service DM_INLINE_SERVICE_2
group-object FTP
service-object object MS-RDC
service-object object Pl-Admin
group-object SNMP
object-group network DM_INLINE_NETWORK_1
network-object object FW-EXT
network-object object Rs-EXT
object-group network AMV
description connections for legacy AM
network-object object DWDM-EXT
network-object object HAM_MGMT
network-object object SIM_MGMT
network-object object TS_MGMT
network-object object TS_MGMT
object-group service IKEv2_L2TP
description IKEv2 and L2TP VPN configurations
service-object esp
service-object object VPN-UDP(4500)
service-object object VPN-UDP(500)
object-group service PPTP
description PPTP VPN configuration
service-object gre
service-object object VPN-TCP(1723)
object-group service SSTP
description SSTP VPN configuration
service-object object VPN-TCP(443)
object-group network RvIPs
description Rv IP addresses
network-object object RCM
network-object object RCM_Y
network-object object r.r.r.c163
network-object object r.r.r.c227
network-object object v.t.c-EXT
object-group service Rvs
description Rv configuration.
service-object object VPN-TCP(10000)
service-object object VPN-UDP(500)
object-group service DM_INLINE_SERVICE_5
service-object object BGP-JY
service-object tcp destination eq bgp
object-group network Local_Private_Subnets
description OandCl DATA
network-object 10.30.133.0 255.255.255.0
network-object 10.30.136.0 255.255.255.0
access-list Public/Internet_access_out remark Block all IM traffic out.
access-list Public/Internet_access_out extended deny object-group IM_Types object-group Local_Private_Subnets any
access-list Public/Internet_access_out remark Access from SWINDS to DLM portal
access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_1 object-group SWINDS object ODLW-EXT
access-list Public/Internet_access_out remark Allow access to BMC portal
access-list Public/Internet_access_out extended permit object-group cb.ca object-group Local_Private_Subnets object BCCs
access-list Public/Internet_access_out remark Allow basic services out.
access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_3 object-group Local_Private_Subnets any
access-list Public/Internet_access_out remark Allow WhoIS traffic out.
access-list Public/Internet_access_out extended permit tcp object-group Local_Private_Subnets any eq whois
access-list Public/Internet_access_out remark Allow Network Time protocols out.
access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_4 object-group Local_Private_Subnets any
access-list Public/Internet_access_out remark Allow all IP based monitoring traffic to Pl.
access-list Public/Internet_access_out extended permit ip object-group SWINDS object Pl-EXT
access-list Public/Internet_access_out remark Allow Management traffic to Pl-JY.
access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_2 object-group Local_Private_Subnets object Pl-EXT
access-list Public/Internet_access_out remark Allow FTP traffic to Grimlock and RS FTP.
access-list Public/Internet_access_out extended permit object-group FTP object-group Local_Private_Subnets object-group DM_INLINE_NETWORK_1
access-list Public/Internet_access_out remark Allow VPN traffic to AM-JY.
access-list Public/Internet_access_out extended permit object-group IKEv2_L2TP object-group Local_Private_Subnets object-group AMV
access-list Public/Internet_access_out remark Allow VPN traffic to RCm devices.
access-list Public/Internet_access_out extended permit object-group Rvs object-group Local_Private_Subnets object-group RvIPs
access-list Public/Internet_access_out remark Allow BPG traffic out.
access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_5 object-group Local_Private_Subnets any
access-list Public/Internet_access_out remark Allow Kool server out.
access-list Public/Internet_access_out extended permit ip object KooL any
pager lines 24
logging enable
logging history informational
logging asdm informational
logging mail notifications
logging from-address [email protected]
logging recipient-address [email protected] level errors
mtu Public_Internet 1500
mtu Private_CDATA 1500
mtu Private_ODATA 1500
mtu Private_OVOICE 1500
mtu Private_CVOICE 1500
mtu Private_CeDATA 1500
mtu Private_CeVOICE 1500
mtu management 1500
ip local pool AO-VPN_Pool 192.168.238.2-192.168.238.30 mask 255.255.255.224
ip verify reverse-path interface Public_Internet
ip verify reverse-path interface Private_CDATA
ip verify reverse-path interface Private_ODATA
ip verify reverse-path interface Private_OVOICE
ip verify reverse-path interface Private_CVOICE
ip verify reverse-path interface Private_CeDATA
ip verify reverse-path interface Private_CeVOICE
ip verify reverse-path interface management
icmp unreachable rate-limit 1 burst-size 1
icmp deny any Public_Internet
no asdm history enable
arp timeout 14400
nat (Private_ODATA,Public_Internet) source dynamic AO_10-30-133-0-LAN interface
nat (Private_CDATA,Public_Internet) source dynamic AC_10-30-136-0-LAN interface
nat (Private_ODATA,Public_Internet) source static any any destination static NETWORK_OBJ_192.168.238.0_27 NETWORK_OBJ_192.168.238.0_27 no-proxy-arp route-lookup
access-group Public/Internet_access_out out interface Public_Internet
route Public_Internet 0.0.0.0 0.0.0.0 1.3.3.6 1
route Private_CeDATA 10.0.0.0 255.0.0.0 10.10.100.17 1
route Private_CeDATA 10.1.0.0 255.255.0.0 10.10.100.17 1
route Private_CeDATA 10.3.0.0 255.255.0.0 10.10.100.17 1
route Private_CeDATA 10.5.0.0 255.255.0.0 10.10.100.17 1
route Private_CeDATA 10.11.106.74 255.255.255.255 10.10.100.17 1
route Private_CeDATA 10.30.128.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.30.130.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.30.131.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.30.132.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.30.134.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.30.135.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.67.31.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.224.0.0 255.255.0.0 10.10.100.17 1
route Private_CeDATA 4.1.1.19 255.255.255.255 10.10.100.17 1
route Private_CeDATA 1.1.1.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 1.1.1.13 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.11.24 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.11.27 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.17.105 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.147.64 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.147.66 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.147.110 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.251.57 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.21.56.105 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.21.57.152 255.255.255.255 10.10.100.17 1
route Private_CeDATA 192.168.3.0 255.255.255.0 10.10.100.17 1
route Private_CeVOICE 192.168.9.0 255.255.255.0 10.10.100.65 1
route Private_CeDATA 192.168.20.0 255.255.255.0 10.10.100.17 1
route Private_CeVOICE 192.168.21.0 255.255.255.0 10.10.100.65 1
route Private_CeDATA 192.168.30.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 192.168.31.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 192.168.40.0 255.255.255.0 10.10.100.17 1
route Private_CeVOICE 192.168.41.0 255.255.255.0 10.10.100.65 1
route Private_CeVOICE 192.168.50.0 255.255.255.0 10.10.100.65 1
route Private_CeDATA 192.168.60.0 255.255.255.0 10.10.100.17 1
route Private_CeVOICE 192.168.61.0 255.255.255.0 10.10.100.65 1
route Private_CeVOICE 192.168.70.0 255.255.255.0 10.10.100.65 1
route Private_CeVOICE 192.168.101.0 255.255.255.0 10.10.100.65 1
route Private_CeDATA 192.168.110.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 192.168.200.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 192.251.177.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 2.1.2.7 255.255.255.255 10.10.100.17 1
route Private_CeDATA 2.1.2.74 255.255.255.255 10.10.100.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server AD protocol nt
aaa-server AD (Private_ODATA) host 10.30.133.21
timeout 5
nt-auth-domain-controller Cool_Transformer_Name
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
http server enable
http 192.168.69.0 255.255.255.0 management
snmp-server host Private_ODATA 10.30.133.67 poll community Some_*s_here version 2c
snmp-server location OT
snmp-server contact [email protected]
snmp-server community Some_*s_here
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps memory-threshold
snmp-server enable traps interface-threshold
snmp-server enable traps remote-access session-threshold-exceeded
snmp-server enable traps connection-limit-reached
snmp-server enable traps cpu threshold rising
snmp-server enable traps ikev2 start stop
snmp-server enable traps nat packet-discard
sysopt noproxyarp Public_Internet
sysopt noproxyarp Private_CDATA
sysopt noproxyarp Private_ODATA
sysopt noproxyarp Private_OVOICE
sysopt noproxyarp Private_CVOICE
sysopt noproxyarp Private_CeDATA
sysopt noproxyarp Private_CeVOICE
sysopt noproxyarp management
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Public_Internet_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Public_Internet_map interface Public_Internet
crypto ikev1 enable Public_Internet
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
client-update enable
telnet timeout 5
ssh 10.30.133.0 255.255.255.0 Private_ODATA
ssh 192.168.69.0 255.255.255.0 management
ssh timeout 2
ssh version 2
console timeout 5
dhcprelay server 10.30.133.13 Private_ODATA
dhcprelay enable Private_CDATA
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.30.133.13 prefer
ntp server 132.246.11.227
ntp server 10.30.133.21
webvpn
group-policy AO-VPN_Tunnel internal
group-policy AO-VPN_Tunnel attributes
dns-server value 10.30.133.21 10.30.133.13
vpn-tunnel-protocol ikev1
default-domain value ao.local
username helpme password Some_X's_here encrypted privilege 1
username helpme attributes
service-type nas-prompt
tunnel-group AO-VPN_Tunnel type remote-access
tunnel-group AO-VPN_Tunnel general-attributes
address-pool AO-VPN_Pool
authentication-server-group AD
default-group-policy AO-VPN_Tunnel
tunnel-group AO-VPN_Tunnel ipsec-attributes
ikev1 pre-shared-key Some_*s_here
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
user-statistics accounting
service-policy global_policy global
smtp-server 192.168.200.25
prompt hostname context
no call-home reporting anonymous
Thanks,
Jeff.
I tried those commands, but this started getting messy, so I looked at the current config and it was not the same as what I originally posted. Looks like some changes were implemented but not saved, so the config that I posted was slightly different. Thank you for all your suggestions. Here is the new config, confirmed as the current running and saved config. Same situation as before though: I can connect using the Cisco VPN client but can only ping myself and can't get out to the Internet or access anything internal. If someone can take a look it would be greatly appreciated. The main difference is the VPN pool has been set as a subset of the 10.30.133.0 network instead of using a separate subnet (VPN pool is 10.30.133.200 - 10.30.133.230).
ASA Version 8.4(2)
hostname FIREWALL_NAME
enable password Some_X's_here encrypted
passwd Some_X's_here encrypted
names
interface Ethernet0/0
speed 100
duplex full
no nameif
no security-level
no ip address
interface Ethernet0/0.22
description Public Internet space via VLAN 22
vlan 22
nameif Public_Internet
security-level 0
ip address 1.3.3.7 255.255.255.248
interface Ethernet0/1
speed 100
duplex full
no nameif
no security-level
no ip address
interface Ethernet0/1.42
description Private LAN space via VLAN 42
shutdown
vlan 42
nameif Private_CDATA
security-level 100
ip address 10.30.136.1 255.255.255.0
interface Ethernet0/1.69
description Private LAN space via VLAN 69
vlan 69
nameif Private_ODATA
security-level 100
ip address 10.30.133.1 255.255.255.0
interface Ethernet0/1.95
description Private LAN space via VLAN 95
shutdown
vlan 95
nameif Private_OVOICE
security-level 100
ip address 192.168.102.254 255.255.255.0
interface Ethernet0/1.96
description Private LAN space via VLAN 96
shutdown
vlan 96
nameif Private_CVOICE
security-level 100
ip address 192.168.91.254 255.255.255.0
interface Ethernet0/1.3610
description Private LAN subnet via VLAN 3610
shutdown
vlan 3610
nameif Private_CeDATA
security-level 100
ip address 10.10.100.18 255.255.255.240
interface Ethernet0/1.3611
description Private LAN space via VLAN 3611
shutdown
vlan 3611
nameif Private_CeVOICE
security-level 100
ip address 10.10.100.66 255.255.255.252
interface Ethernet0/2
shutdown
no nameif
security-level 0
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.69.1 255.255.255.0
management-only
banner exec WARNING!! Access to this device is restricted to those individuals with specific permissions. If you are not an authorized user, disconnect now. Any attempts to gain unauthorized access will be prosecuted to the fullest extent of the law.
banner exec
banner exec ,
banner exec .';
banner exec .-'` .'
banner exec ,`.-'-.`\
banner exec ; / '-'
banner exec | \ ,-,
banner exec \ '-.__ )_`'._ \|/
banner exec '. ``` ``'--._[]--------------*
banner exec .-' , `'-. /|\
banner exec '-'`-._ (( o )
banner exec `'--....(`- ,__..--'
banner exec '-'`
banner exec
banner exec frickin' sharks with frickin' laser beams attached to their frickin' heads
banner login WARNING!! Access to this device is restricted to those individuals with specific permissions. If you are not an authorized user, disconnect now. Any attempts to gain unauthorized access will be prosecuted to the fullest extent of the law.
banner asdm WARNING!! Access to this device is restricted to those individuals with specific permissions. If you are not an authorized user, disconnect now. Any attempts to gain unauthorized access will be prosecuted to the fullest extent of the law.
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network CD_3610-GW
host 10.10.100.17
description First hop to 3610
object network CV_3611-GW
host 10.10.100.65
description First hop to 3611
object network GW_22-EXT
host 1.3.3.6
description First hop to 22
object network Ts-LAN
host 192.168.100.4
description TS
object service MS-RDC
service tcp source range 1024 65535 destination eq 3389
description Microsoft Remote Desktop Connection
object network HDC-LAN
subnet 192.168.200.0 255.255.255.0
description DC LAN subnet
object network HAM-LAN
subnet 192.168.110.0 255.255.255.0
description HAM LAN subnet
object service MSN
service tcp source range 1 65535 destination eq 1863
description MSN Messenger
object network BCCs
host 2.1.8.1
description BCCs server access
object network ODLW-EXT
host 7.1.1.5
description OTTDl
object network SWINDS-INT
host 10.30.133.67
description SWINDS server
object network SWINDS(192.x.x.x)-INT
host 192.168.100.67
description SWINDS server
object service YMSG
service tcp source range 1 65535 destination eq 5050
description Yahoo Messenger
object service c.b.ca1
service tcp source range 1 65535 destination eq citrix-ica
description Connections to the bc portal.
object service c.b.ca2
service tcp source range 1 65535 destination eq 2598
description Connections to the bc portal.
object service HTTP-EXT(7001)
service tcp source range 1 65535 destination eq 7001
description HTTP Extended on port 7001.
object service HTTP-EXT(8000-8001)
service tcp source range 1 65535 destination range 8000 8001
description HTTP Extended on ports 8000-8001.
object service HTTP-EXT(8080-8081)
service tcp source range 1 65535 destination range 8080 8081
description HTTP Extended on ports 8080-8081.
object service HTTP-EXT(8100)
service tcp source range 1 65535 destination eq 8100
description HTTP Extended on port 8100.
object service HTTP-EXT(8200)
service tcp source range 1 65535 destination eq 8200
description HTTP Extended on port 8200.
object service HTTP-EXT(8888)
service tcp source range 1 65535 destination eq 8888
description HTTP Extended on port 8888.
object service HTTP-EXT(9080)
service tcp source range 1 65535 destination eq 9080
description HTTP Extended on port 9080.
object service ntp
service tcp source range 1 65535 destination eq 123
description TCP NTP on port 123.
object network Pl-EXT
host 7.1.1.2
description OPl box.
object service Pl-Admin
service tcp source range 1 65535 destination eq 8443
description Pl Admin portal
object network FW-EXT
host 1.3.3.7
description External/Public interface IP address of firewall.
object network Rs-EXT
host 7.1.1.8
description Rs web portal External/Public IP.
object network DWDM-EXT
host 2.1.2.1
description DWDM.
object network HM_VPN-EXT
host 6.2.9.7
description HAM Man.
object network SIM_MGMT
host 2.1.1.1
description SIM Man.
object network TS_MGMT
host 2.1.1.4
description TS Man.
object network TS_MGMT
host 2.1.2.2
description TS Man.
object service VPN-TCP(1723)
service tcp source range 1 65535 destination eq pptp
description For PPTP control path.
object service VPN-UDP(4500)
service udp source range 1 65535 destination eq 4500
description For L2TP(IKEv1) and IKEv2.
object service VPN-TCP(443)
service tcp source range 1 65535 destination eq https
description For SSTP control and data path.
object service VPN-UDP(500)
service udp source range 1 65535 destination eq isakmp
description For L2TP(IKEv1) and IKEv2.
object network RCM
host 6.1.8.2
description RCM
object network RCM_Y
host 6.1.8.9
description RCM Y
object network r.r.r.c163
host 2.1.2.63
description RCV IP.
object network r.r.r.c227
host 2.1.2.27
description RCV IP.
object network v.t.c-EXT
host 2.5.1.2
description RTICR
object service VPN-TCP(10000)
service tcp source range 1 65535 destination eq 10000
description For TCP VPN over port 1000.
object service BGP-JY
service tcp source range 1 65535 destination eq 21174
description BPG
object network KooL
host 192.168.100.100
description KooL
object network FW_Test
host 1.3.3.7
description Testing other External IP
object network AO_10-30-133-0-LAN
subnet 10.30.133.0 255.255.255.0
description OLS 10.30.133.0/24
object network AC_10-30-136-0-LAN
subnet 10.30.136.0 255.255.255.0
description CLS 10.30.136.0/24
object-group network All_Private_Interfaces
description All private interfaces
network-object 10.30.133.0 255.255.255.0
network-object 10.30.136.0 255.255.255.0
network-object 10.10.100.16 255.255.255.240
network-object 10.10.100.64 255.255.255.252
network-object 192.168.102.0 255.255.255.0
network-object 192.168.91.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service cb.ca
description All ports required for cb.ca connections.
service-object object c.b.ca1
service-object object c.b.ca2
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq https
service-object udp destination eq snmp
object-group service FTP
description All FTP ports (20 + 21)
service-object tcp destination eq ftp
service-object tcp destination eq ftp-data
object-group service HTTP-EXT
description HTTP Extended port ranges.
service-object object HTTP-EXT(7001)
service-object object HTTP-EXT(8000-8001)
service-object object HTTP-EXT(8080-8081)
service-object object HTTP-EXT(8100)
service-object object HTTP-EXT(8200)
service-object object HTTP-EXT(8888)
service-object object HTTP-EXT(9080)
object-group service ICMP_Any
description ICMP: Any Type, Any Code
service-object icmp alternate-address
service-object icmp conversion-error
service-object icmp echo
service-object icmp echo-reply
service-object icmp information-reply
service-object icmp information-request
service-object icmp mask-reply
service-object icmp mask-request
service-object icmp mobile-redirect
service-object icmp parameter-problem
service-object icmp redirect
service-object icmp router-advertisement
service-object icmp router-solicitation
service-object icmp source-quench
service-object icmp time-exceeded
service-object icmp timestamp-reply
service-object icmp timestamp-request
service-object icmp traceroute
service-object icmp unreachable
service-object icmp6 echo
service-object icmp6 echo-reply
service-object icmp6 membership-query
service-object icmp6 membership-reduction
service-object icmp6 membership-report
service-object icmp6 neighbor-advertisement
service-object icmp6 neighbor-redirect
service-object icmp6 neighbor-solicitation
service-object icmp6 packet-too-big
service-object icmp6 parameter-problem
service-object icmp6 router-advertisement
service-object icmp6 router-renumbering
service-object icmp6 router-solicitation
service-object icmp6 time-exceeded
service-object icmp6 unreachable
service-object icmp
object-group service NTP
description TCP and UPD NTP protocol
service-object object ntp
service-object udp destination eq ntp
object-group service DM_INLINE_SERVICE_3
group-object FTP
group-object HTTP-EXT
group-object ICMP_Any
group-object NTP
service-object tcp-udp destination eq domain
service-object tcp-udp destination eq www
service-object tcp destination eq https
service-object tcp destination eq ssh
service-object ip
object-group service DM_INLINE_SERVICE_4
group-object NTP
service-object tcp destination eq daytime
object-group network SWINDS
description Both Internal IP addresses (192 + 10)
network-object object SWINDS-INT
network-object object SWINDS(192.x.x.x)-INT
object-group service IM_Types
description All messenger type applications
service-object object MSN
service-object object YMSG
service-object tcp-udp destination eq talk
service-object tcp destination eq aol
service-object tcp destination eq irc
object-group service SNMP
description Both poll and trap ports.
service-object udp destination eq snmp
service-object udp destination eq snmptrap
object-group service DM_INLINE_SERVICE_2
group-object FTP
service-object object MS-RDC
service-object object Pl-Admin
group-object SNMP
object-group network DM_INLINE_NETWORK_1
network-object object FW-EXT
network-object object Rs-EXT
object-group network AMV
description connections for legacy AM
network-object object DWDM-EXT
network-object object HAM_MGMT
network-object object SIM_MGMT
network-object object TS_MGMT
network-object object TS_MGMT
object-group service IKEv2_L2TP
description IKEv2 and L2TP VPN configurations
service-object esp
service-object object VPN-UDP(4500)
service-object object VPN-UDP(500)
object-group service PPTP
description PPTP VPN configuration
service-object gre
service-object object VPN-TCP(1723)
object-group service SSTP
description SSTP VPN configuration
service-object object VPN-TCP(443)
object-group network RvIPs
description Rv IP addresses
network-object object RCM
network-object object RCM_Y
network-object object r.r.r.c163
network-object object r.r.r.c227
network-object object v.t.c-EXT
object-group service Rvs
description Rv configuration.
service-object object VPN-TCP(10000)
service-object object VPN-UDP(500)
object-group service DM_INLINE_SERVICE_5
service-object object BGP-JY
service-object tcp destination eq bgp
object-group network Local_Private_Subnets
description OandCl DATA
network-object 10.30.133.0 255.255.255.0
network-object 10.30.136.0 255.255.255.0
object-group service IPSec
description IPSec traffic
service-object object VPN-UDP(4500)
service-object object VPN-UDP(500)
access-list Public/Internet_access_out remark Block all IM traffic out.
access-list Public/Internet_access_out extended deny object-group IM_Types object-group Local_Private_Subnets any
access-list Public/Internet_access_out remark Access from SWINDS to DLM portal
access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_1 object-group SWINDS object ODLW-EXT
access-list Public/Internet_access_out remark Allow access to BMC portal
access-list Public/Internet_access_out extended permit object-group cb.ca object-group Local_Private_Subnets object BCCs
access-list Public/Internet_access_out remark Allow basic services out.
access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_3 object-group Local_Private_Subnets any
access-list Public/Internet_access_out remark Allow WhoIS traffic out.
access-list Public/Internet_access_out extended permit tcp object-group Local_Private_Subnets any eq whois
access-list Public/Internet_access_out remark Allow Network Time protocols out.
access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_4 object-group Local_Private_Subnets any
access-list Public/Internet_access_out remark Allow all IP based monitoring traffic to Pl.
access-list Public/Internet_access_out extended permit ip object-group SWINDS object Pl-EXT
access-list Public/Internet_access_out remark Allow Management traffic to Pl-JY.
access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_2 object-group Local_Private_Subnets object Pl-EXT
access-list Public/Internet_access_out remark Allow FTP traffic to Grimlock and RS FTP.
access-list Public/Internet_access_out extended permit object-group FTP object-group Local_Private_Subnets object-group DM_INLINE_NETWORK_1
access-list Public/Internet_access_out remark Allow VPN traffic to AM-JY.
access-list Public/Internet_access_out extended permit object-group IKEv2_L2TP object-group Local_Private_Subnets object-group AMV
access-list Public/Internet_access_out remark Allow VPN traffic to RCm devices.
access-list Public/Internet_access_out extended permit object-group Rvs object-group Local_Private_Subnets object-group RvIPs
access-list Public/Internet_access_out remark Allow BPG traffic out.
access-list Public/Internet_access_out extended permit object-group DM_INLINE_SERVICE_5 object-group Local_Private_Subnets any
access-list Public/Internet_access_out remark Allow Kool server out.
access-list Public/Internet_access_out extended permit ip object KooL any
pager lines 24
logging enable
logging history informational
logging asdm informational
logging mail notifications
logging from-address [email protected]
logging recipient-address [email protected] level errors
mtu Public_Internet 1500
mtu Private_CDATA 1500
mtu Private_ODATA 1500
mtu Private_OVOICE 1500
mtu Private_CVOICE 1500
mtu Private_CeDATA 1500
mtu Private_CeVOICE 1500
mtu management 1500
ip local pool AO-VPN_Pool 192.168.238.2-192.168.238.30 mask 255.255.255.224
ip verify reverse-path interface Public_Internet
ip verify reverse-path interface Private_CDATA
ip verify reverse-path interface Private_ODATA
ip verify reverse-path interface Private_OVOICE
ip verify reverse-path interface Private_CVOICE
ip verify reverse-path interface Private_CeDATA
ip verify reverse-path interface Private_CeVOICE
ip verify reverse-path interface management
icmp unreachable rate-limit 1 burst-size 1
icmp deny any Public_Internet
no asdm history enable
arp timeout 14400
nat (Private_ODATA,Public_Internet) source dynamic AO_10-30-133-0-LAN interface
nat (Private_CDATA,Public_Internet) source dynamic AC_10-30-136-0-LAN interface
nat (Private_ODATA,Public_Internet) source static any any destination static NETWORK_OBJ_192.168.238.0_27 NETWORK_OBJ_192.168.238.0_27 no-proxy-arp route-lookup
access-group Public/Internet_access_out out interface Public_Internet
route Public_Internet 0.0.0.0 0.0.0.0 1.3.3.6 1
route Private_CeDATA 10.0.0.0 255.0.0.0 10.10.100.17 1
route Private_CeDATA 10.1.0.0 255.255.0.0 10.10.100.17 1
route Private_CeDATA 10.3.0.0 255.255.0.0 10.10.100.17 1
route Private_CeDATA 10.5.0.0 255.255.0.0 10.10.100.17 1
route Private_CeDATA 10.11.106.74 255.255.255.255 10.10.100.17 1
route Private_CeDATA 10.30.128.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.30.130.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.30.131.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.30.132.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.30.134.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.30.135.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.67.31.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 10.224.0.0 255.255.0.0 10.10.100.17 1
route Private_CeDATA 4.1.1.19 255.255.255.255 10.10.100.17 1
route Private_CeDATA 1.1.1.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 1.1.1.13 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.11.24 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.11.27 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.11.29 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.17.105 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.147.64 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.147.66 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.147.110 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.19.251.57 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.21.56.105 255.255.255.255 10.10.100.17 1
route Private_CeDATA 172.21.57.152 255.255.255.255 10.10.100.17 1
route Private_CeDATA 192.168.3.0 255.255.255.0 10.10.100.17 1
route Private_CeVOICE 192.168.9.0 255.255.255.0 10.10.100.65 1
route Private_CeDATA 192.168.20.0 255.255.255.0 10.10.100.17 1
route Private_CeVOICE 192.168.21.0 255.255.255.0 10.10.100.65 1
route Private_CeDATA 192.168.30.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 192.168.31.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 192.168.40.0 255.255.255.0 10.10.100.17 1
route Private_CeVOICE 192.168.41.0 255.255.255.0 10.10.100.65 1
route Private_CeVOICE 192.168.50.0 255.255.255.0 10.10.100.65 1
route Private_CeDATA 192.168.60.0 255.255.255.0 10.10.100.17 1
route Private_CeVOICE 192.168.61.0 255.255.255.0 10.10.100.65 1
route Private_CeVOICE 192.168.70.0 255.255.255.0 10.10.100.65 1
route Private_CeVOICE 192.168.101.0 255.255.255.0 10.10.100.65 1
route Private_CeDATA 192.168.110.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 192.168.200.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 192.251.177.0 255.255.255.0 10.10.100.17 1
route Private_CeDATA 2.1.2.7 255.255.255.255 10.10.100.17 1
route Private_CeDATA 2.1.2.74 255.255.255.255 10.10.100.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server AD protocol nt
aaa-server AD (Private_ODATA) host 10.30.133.21
timeout 5
nt-auth-domain-controller Cool_Transformer_Name
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
http server enable
http 192.168.69.0 255.255.255.0 management
snmp-server host Private_ODATA 10.30.133.67 poll community Some_*s_here version 2c
snmp-server location OT
snmp-server contact [email protected]
snmp-server community Some_*s_here
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps memory-threshold
snmp-server enable traps interface-threshold
snmp-server enable traps remote-access session-threshold-exceeded
snmp-server enable traps connection-limit-reached
snmp-server enable traps cpu threshold rising
snmp-server enable traps ikev2 start stop
snmp-server enable traps nat packet-discard
sysopt noproxyarp Public_Internet
sysopt noproxyarp Private_CDATA
sysopt noproxyarp Private_ODATA
sysopt noproxyarp Private_OVOICE
sysopt noproxyarp Private_CVOICE
sysopt noproxyarp Private_CeDATA
sysopt noproxyarp Private_CeVOICE
sysopt noproxyarp management
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Public_Internet_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Public_Internet_map interface Public_Internet
crypto ikev1 enable Public_Internet
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
client-update enable
telnet timeout 5
ssh 10.30.133.0 255.255.255.0 Private_ODATA
ssh 192.168.69.0 255.255.255.0 management
ssh timeout 2
ssh version 2
console timeout 5
dhcprelay server 10.30.133.13 Private_ODATA
dhcprelay enable Private_CDATA
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.30.133.13 prefer
ntp server 132.246.11.227
ntp server 10.30.133.21
webvpn
group-policy AO-VPN_Tunnel internal
group-policy AO-VPN_Tunnel attributes
dns-server value 10.30.133.21 10.30.133.13
vpn-tunnel-protocol ikev1
default-domain value ao.local
username helpme password Some_X's_here encrypted privilege 1
username helpme attributes
service-type nas-prompt
tunnel-group AO-VPN_Tunnel type remote-access
tunnel-group AO-VPN_Tunnel general-attributes
address-pool AO-VPN_Pool
authentication-server-group AD
default-group-policy AO-VPN_Tunnel
tunnel-group AO-VPN_Tunnel ipsec-attributes
ikev1 pre-shared-key Some_*s_here
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
user-statistics accounting
service-policy global_policy global
smtp-server 192.168.200.25
prompt hostname context
no call-home reporting anonymous
Thanks in advance,
Jeff.
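A config audit for the symptom described in the post above (the client connects, can ping only itself, and reaches nothing internal or on the Internet). This is an added example, not part of the thread and not Cisco tooling. It parses a pasted ASA running-config and flags the faults visible in the posted 8.4(2) config: the NAT exemption references NETWORK_OBJ_192.168.238.0_27, which the posted config never defines, so the object is either missing or was dropped from the paste; there is no split-tunnel policy, so client Internet traffic has to hairpin back out of Public_Internet, yet there is no NAT rule from that interface to itself; and the IKEv1 transform sets and PFS setting still allow DES, MD5 and DH group 1. If the pool really is carved out of 10.30.133.0/24 as the post says, the audit also reports that `sysopt noproxyarp Private_ODATA` stops the ASA from answering ARP for the pool addresses on that interface, which LAN hosts rely on to reach VPN clients. The finding tags, the "weak" algorithm list and the hairpin heuristic (it only looks for a `nat (outside,outside)` line) are my choices; the sample config is constructed from a few lines of the posted one, and `subnet_of` needs Python 3.7 or later.

```python
"""Lint an ASA running-config for the remote-access VPN faults discussed above."""
import ipaddress
import re

WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

# Constructed sample: lines lifted from the posted 8.4(2) config. The NAT exemption
# names an object that the posted config never defines, exactly as in the post.
SAMPLE_CONFIG = """
interface Ethernet0/0.22
 nameif Public_Internet
 security-level 0
 ip address 1.3.3.7 255.255.255.248
interface Ethernet0/1.69
 nameif Private_ODATA
 security-level 100
 ip address 10.30.133.1 255.255.255.0
same-security-traffic permit intra-interface
object network AO_10-30-133-0-LAN
 subnet 10.30.133.0 255.255.255.0
ip local pool AO-VPN_Pool 192.168.238.2-192.168.238.30 mask 255.255.255.224
nat (Private_ODATA,Public_Internet) source dynamic AO_10-30-133-0-LAN interface
nat (Private_ODATA,Public_Internet) source static any any destination static NETWORK_OBJ_192.168.238.0_27 NETWORK_OBJ_192.168.238.0_27 no-proxy-arp route-lookup
sysopt noproxyarp Private_ODATA
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
"""


def parse_config(text):
    # Sub-commands are recognised by keyword, not indent: pasted configs lose the indent.
    cfg = {"ifaces": {}, "objects": {}, "pools": {}, "nat": [], "exempt": set(),
           "noproxyarp": set(), "tsets": {}, "pfs": [], "flags": set()}
    cur_if = cur_obj = None
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        k = w[0]
        if k == "interface":
            cur_if = {}
        elif cur_if is not None and k == "nameif":
            cfg["ifaces"][w[1]] = cur_if
        elif cur_if is not None and k == "security-level":
            cur_if["level"] = int(w[1])
        elif cur_if is not None and w[:2] == ["ip", "address"] and len(w) > 3 and w[2] != "dhcp":
            cur_if["net"] = ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False)
        elif w[:2] == ["object", "network"]:
            cur_obj = w[2]
        elif cur_obj and k in ("subnet", "host"):  # 'host A' becomes a /32
            cfg["objects"][cur_obj] = ipaddress.ip_network("/".join(w[1:3]), strict=False)
        elif w[:3] == ["ip", "local", "pool"]:
            lo, mask = w[4].split("-")[0], w[w.index("mask") + 1]
            cfg["pools"][w[3]] = ipaddress.ip_network(f"{lo}/{mask}", strict=False)
        elif k == "nat":
            cfg["nat"].append(" ".join(w))
            cfg["exempt"].update(re.findall(r"destination static (\S+)", raw))
        elif w[:2] == ["sysopt", "noproxyarp"]:
            cfg["noproxyarp"].add(w[2])
        elif w == ["same-security-traffic", "permit", "intra-interface"]:
            cfg["flags"].add("intra-interface")
        elif k == "split-tunnel-policy" and w[1] == "tunnelspecified":
            cfg["flags"].add("split-tunnel")
        elif w[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            cfg["tsets"][w[4]] = set(w[5:])
        elif k == "crypto" and "pfs" in w:  # a bare 'set pfs' is the ASA default, group2
            cfg["pfs"].append("group2" if w[-1] == "pfs" else w[w.index("pfs") + 1])
    return cfg


def audit(cfg):
    """Return finding tags; an empty list means none of the checked faults is present."""
    f = []
    outside = [n for n, i in cfg["ifaces"].items() if i.get("level") == 0]
    for name, pool in cfg["pools"].items():
        for ifname, i in cfg["ifaces"].items():
            # A pool carved out of a LAN needs the ASA to proxy-ARP for it there; 'sysopt noproxyarp' forbids that.
            if "net" in i and pool.overlaps(i["net"]):
                tag = "pool-in-lan-noproxyarp" if ifname in cfg["noproxyarp"] else "pool-in-lan"
                f.append(f"{tag}:{name}:{ifname}")
        covered = False
        for obj in sorted(cfg["exempt"]):
            if obj not in cfg["objects"]:
                f.append(f"undefined-nat-object:{obj}")
            elif pool.subnet_of(cfg["objects"][obj]):
                covered = True
        if not covered:  # replies from the LAN to the pool would hit the dynamic PAT instead
            f.append(f"no-nat-exemption:{name}")
        if "split-tunnel" not in cfg["flags"]:
            # Full tunnel: Internet traffic enters and leaves on the outside interface, so it needs intra-interface permit plus (outside,outside) NAT.
            if "intra-interface" not in cfg["flags"]:
                f.append("full-tunnel-no-intra-interface")
            f += [f"full-tunnel-no-hairpin-nat:{o}" for o in outside
                  if not any(n.startswith(f"nat ({o},{o})") for n in cfg["nat"])]
    f += [f"weak-transform-set:{n}" for n, a in cfg["tsets"].items() if a & WEAK_ESP]
    f += [f"weak-pfs:{g}" for g in cfg["pfs"] if g in ("group1", "group2")]
    return f


if __name__ == "__main__":
    print("\n".join(audit(parse_config(SAMPLE_CONFIG))))
```

Run against the sample it reports the undefined exemption object, the uncovered pool, the missing hairpin NAT for Public_Internet, the DES/MD5 transform set and PFS group 1; a config with the object defined, `split-tunnel-policy tunnelspecified`, an AES/SHA transform set and PFS group 14 comes back clean. The dynamic-map `set pfs` line without a group is treated as group 2 because that is the ASA default.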
-
I have a Cisco ASA 5505 that I am setting up VPN access to. I have multiple subnets all routed through a layer 3 switch connected to my ASA. My problem is I can ping everything on VLAN 1 (192.168.100.0/24) but no other VLANs (10.141.152.0/23 etc.).
Post the config of your ASA and someone will be able to assist.
-
ASA 5505 Site to Site VPN issue
I have been trying to configure a site-to-site VPN for a few days now, but am not able to get it to connect. The only difference between the two is that one has a dynamic IP. This VPN isn't a priority, so there isn't a need to have the dynamic IP moved to a static one at this time. Here are my configs on both ASAs. Any help would be greatly appreciated. I replaced the IPs with x.x.x.x.
ASA 1:
Result of the command: "SHOW RUN"
: Saved
ASA Version 9.0(1)
hostname ciscoasa
enable password Yn8Esq3NcXIHL35v encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool VPNDHCP 10.50.50.1-10.50.50.100 mask 255.0.0.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport trunk allowed vlan 1,3
switchport mode trunk
interface Ethernet0/2
interface Ethernet0/3
switchport trunk allowed vlan 1,3,13
interface Ethernet0/4
switchport access vlan 3
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 13
switchport trunk allowed vlan 1,3
switchport mode trunk
interface Vlan1
nameif Internal
security-level 100
ip address 10.0.0.1 255.0.0.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan3
no forward interface Vlan1
nameif Guest
security-level 50
ip address 192.168.1.1 255.255.255.0
interface Vlan23
nameif EP
security-level 100
ip address 192.168.20.254 255.255.255.0
boot system disk0:/asa901-k8.bin
boot system disk0:/asa844-1-k8.bin
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network GLE-A-Network
subnet 10.0.0.0 255.0.0.0
object network GLE-B-Network
subnet 192.168.2.0 255.255.255.0
object network Web-Server
host 10.0.61.230
object network obj-Guest
subnet 192.168.1.0 255.255.255.0
description Guest Wireless
object network Spiceworks
host 10.0.1.2
object network NETWORK_OBJ_10.50.50.0_25
subnet 10.50.50.0 255.255.255.128
object network Remote-Desktop-Services
host 10.0.1.2
object network Web-Server-SSL
host 10.0.23.1
object service RDP
service tcp source eq 3389 destination eq 3389
object network RemoteDesktop
host 10.0.61.240
object network obj-PerryCameras-1
host 10.0.36.1
object network obj-PerryCameras-2
host 10.0.36.1
object network obj-PerryCameras-3
host 10.0.36.1
object network DHCP-Server
host 10.0.1.1
object network GLE-B-Firewall
host X.X.X.X
object network EP-Network
subnet 192.168.26.0 255.255.255.0
object network EP-Firewall
host X.X.X.X
object network obj-BLDGa
subnet 192.168.33.0 255.255.255.0
object network FTP
host 10.0.61.230
object-group service SpiceworksPorts tcp
description https
port-object eq https
object-group service RemoteDesktopServices
service-object tcp-udp destination eq 3389
object-group service RDS tcp
description Remote Desktop Services
port-object eq 3389
port-object eq https
object-group service Phone1 tcp
port-object eq 5522
object-group service Phone udp
port-object range 10001 20000
port-object eq 5522
object-group service Phones tcp-udp
port-object range 10001 20000
port-object eq 5222
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service PerryCameras tcp-udp
port-object eq 180
port-object eq 181
port-object eq 9000
object-group service Camera1 tcp-udp
port-object eq 9000
object-group service Camera2 tcp-udp
port-object eq 881
object-group service Camera3 tcp-udp
port-object eq 1801
access-list outside_cryptomap extended permit ip object GLE-A-Network object GLE-B-Network
access-list outside_access_in extended permit tcp any4 object Web-Server eq www
access-list outside_access_in extended permit tcp any object Web-Server-SSL eq https
access-list outside_access_in extended permit tcp any object RemoteDesktop eq 3389
access-list outside_access_in extended permit object-group TCPUDP any object obj-PerryCameras-1 object-group Camera1
access-list outside_access_in extended permit object-group TCPUDP any object obj-PerryCameras-2 object-group Camera2
access-list outside_access_in extended permit object-group TCPUDP any object obj-PerryCameras-3 object-group Camera3
access-list outside_access_in extended permit tcp any4 object FTP eq ftp
access-list guest_in extended permit udp any4 host 208.67.222.222 eq domain
access-list guest_in extended permit udp any4 host 208.67.220.220 eq domain
access-list guest_in extended deny udp any4 any4 eq domain
access-list guest_in extended permit ip any4 any4
access-list EP_access_in extended permit object-group TCPUDP any4 any4 eq domain
access-list EP_access_in extended permit ip any4 any4
access-list outside_cryptomap_1 extended permit ip object GLE-A-Network object EP-Network
pager lines 24
logging enable
logging asdm informational
mtu Internal 1500
mtu outside 1500
mtu Guest 1500
mtu EP 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-702.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Internal,outside) source static any any destination static NETWORK_OBJ_10.50.50.0_25 NETWORK_OBJ_10.50.50.0_25 no-proxy-arp route-lookup
nat (Internal,outside) source static GLE-A-Network GLE-A-Network destination static GLE-B-Network GLE-B-Network no-proxy-arp route-lookup
nat (Internal,outside) source static GLE-A-Network GLE-A-Network destination static EP-Network EP-Network no-proxy-arp route-lookup
nat (EP,outside) source static GLE-A-Network GLE-A-Network destination static EP-Network EP-Network no-proxy-arp route-lookup
object network obj_any
nat (Internal,outside) dynamic interface
object network Web-Server
nat (Internal,outside) static interface service tcp www www
object network obj-Guest
nat (Guest,outside) dynamic interface
object network Spiceworks
nat (Internal,outside) static interface service tcp 8080 8080
object network Web-Server-SSL
nat (Internal,outside) static interface service tcp https https
object network RemoteDesktop
nat (Internal,outside) static interface service tcp 3389 3389
object network obj-PerryCameras-1
nat (Internal,outside) static interface service tcp 9000 9000
object network obj-PerryCameras-2
nat (any,outside) static interface service tcp 881 881
object network obj-PerryCameras-3
nat (Internal,outside) static interface service tcp 1801 1801
object network FTP
nat (Internal,outside) static interface service tcp ftp ftp
access-group outside_access_in in interface outside
access-group guest_in in interface Guest
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 1:00:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server PolicyServer protocol radius
aaa-server PolicyServer (Internal) host 10.0.1.1
timeout 5
key *****
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 Internal
http authentication-certificate Internal
snmp-server host Internal 10.200.200.11 community *****
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer X.X.X.X
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer X.X.X.X
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
crl configure
crypto ca trustpoint ASDM_TrustPoint1
crl configure
crypto ca trustpoint ASDM_TrustPoint2
crl configure
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable Internal
crypto ikev2 enable outside
crypto ikev1 enable Internal
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.1.5-192.168.1.229 Guest
dhcpd dns 208.67.222.222 208.67.220.220 interface Guest
dhcprelay server 10.0.1.1 Internal
dhcprelay enable Guest
dhcprelay setroute Guest
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable
dynamic-filter enable interface Internal
dynamic-filter enable interface outside
dynamic-filter enable interface Guest
dynamic-filter drop blacklist
ntp server 10.0.1.1 source Internal prefer
webvpn
anyconnect-essentials
group-policy GroupPolicy_X.X.X.X internal
group-policy GroupPolicy_X.X.X.X attributes
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
group-policy GroupPolicy_X.X.X.X internal
group-policy GroupPolicy_X.X.X.X attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy VPNUSER internal
group-policy VPNUSER attributes
dns-server value 10.0.1.1 192.168.2.230
vpn-tunnel-protocol ikev1
username admin password kSXIy6qd1ZTBFL9/ encrypted
username danpoynter password XEQ0M75K1B1E6VtM encrypted privilege 0
username danpoynter attributes
vpn-group-policy VPNUSER
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X general-attributes
default-group-policy GroupPolicy_X.X.X.X
tunnel-group X.X.X.X ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X general-attributes
default-group-policy GroupPolicy_X.X.X.X
tunnel-group X.X.X.X ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:b29f5ff3b9db58467b0eb509bc068c2f
: end
ASA 2:
Result of the command: "SHOW RUN"
: Saved
ASA Version 9.0(1)
hostname ciscoasa
enable password TYEBBb7SkpIC3BiW encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool remotevpnusers 192.168.12.25-192.168.12.55 mask 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 4
interface Ethernet0/2
switchport access vlan 3
switchport trunk allowed vlan 3-4
interface Ethernet0/3
switchport access vlan 20
interface Ethernet0/4
switchport access vlan 21
interface Ethernet0/5
switchport access vlan 22
interface Ethernet0/6
switchport access vlan 4
switchport trunk allowed vlan 3-4,20-22
switchport mode trunk
interface Ethernet0/7
interface Vlan1
nameif Management
security-level 100
ip address 192.168.31.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.240
interface Vlan3
description EP Guest Network
no forward interface Vlan4
nameif Guest
security-level 50
ip address 192.168.27.1 255.255.255.0
interface Vlan4
nameif Internal
security-level 100
ip address 192.168.26.254 255.255.255.0
interface Vlan20
description BLDG-A Subnet
nameif BLDG-A
security-level 100
ip address 192.168.20.254 255.255.255.0
interface Vlan21
nameif BLDG-B
security-level 100
ip address 192.168.21.254 255.255.255.0
interface Vlan22
nameif BLDG-C
security-level 100
ip address 192.168.22.254 255.255.255.0
boot system disk0:/asa901-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.12.0_26
subnet 192.168.12.0 255.255.255.192
object network NETWORK_OBJ_192.168.26.0_24
subnet 192.168.26.0 255.255.255.0
object network obj-KeoweeCameras
host 192.168.26.10
description Keowee Street Cameras
object network Inside
subnet 192.168.26.0 255.255.255.0
description Inside Network Route
object network Guest
subnet 192.168.27.0 255.255.255.0
description Guest Network Route
object network Internal
subnet 192.168.26.0 255.255.255.0
object network obj-HunterCameras
host 192.168.21.20
description Hunter Cameras
object network obj-Spiceworks
host 192.168.26.8
object network Electro-Polish-Network
subnet 192.168.26.0 255.255.255.0
object network GLE-Firewall
host x.x.x.x
object network GLE-Network
subnet 10.0.0.0 255.0.0.0
object network BLDG-A
subnet 192.168.20.0 255.255.255.0
object network BLDG-B
subnet 192.168.21.0 255.255.255.0
object network BLDG-C
subnet 192.168.22.0 255.255.255.0
object network DCG-Server01
host 192.168.26.9
object network NETWORK_OBJ_192.168.21.0_24
subnet 192.168.21.0 255.255.255.0
object network VPN-POOL
subnet 192.168.12.0 255.255.255.0
object network EP-VPN-Network
subnet 192.168.26.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service CameraSystem tcp-udp
port-object eq 18004
port-object eq 26635
port-object eq 76
access-list electroremote_splitTunnelAcl standard permit 192.168.26.0 255.255.255.0
access-list electroremote_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
access-list electroremote_splitTunnelAcl standard permit 192.168.21.0 255.255.255.0
access-list electroremote_splitTunnelAcl standard permit 192.168.22.0 255.255.255.0
access-list outside_access_in extended permit object-group TCPUDP any4 object obj-KeoweeCameras object-group CameraSystem
access-list outside_access_in extended permit object-group TCPUDP any4 object obj-HunterCameras object-group CameraSystem
access-list outside_access_in extended permit tcp any4 object obj-Spiceworks eq https
access-list outside_access_in extended permit tcp any4 object DCG-Server01 eq https
access-list outside_access_in extended permit tcp any4 object DCG-Server01 eq www
access-list Guest_access_in extended permit udp any4 host 208.67.222.222 eq domain
access-list Guest_access_in extended permit udp any4 host 208.67.220.220 eq domain
access-list Guest_access_in extended deny udp any4 any4 eq domain
access-list Guest_access_in extended permit ip any4 any4
access-list inside_access_in extended permit udp any4 host 208.67.222.222 eq domain
access-list inside_access_in extended permit udp any4 host 208.67.220.220 eq domain
access-list inside_access_in extended deny udp any4 any4 eq domain
access-list inside_access_in extended permit ip any4 any4
access-list Internal_access_in extended permit udp any4 host 208.67.222.222 eq domain
access-list Internal_access_in extended permit udp any4 host 208.67.220.220 eq domain
access-list Internal_access_in extended deny udp any4 any4 eq domain
access-list Internal_access_in extended permit ip any any4
access-list ip-qos extended permit ip 192.168.27.0 255.255.255.0 any
access-list ip-qos extended permit ip any 192.168.27.0 255.255.255.0
access-list electroremote_splittunnelacl standard permit 192.168.20.0 255.255.255.0
access-list electroremote_splittunnelacl standard permit 192.168.21.0 255.255.255.0
access-list electroremote_splittunnelacl standard permit 192.168.22.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.26.0 255.255.255.0 object GLE-Network
pager lines 24
logging enable
logging asdm informational
mtu Management 1500
mtu outside 1500
mtu Guest 1500
mtu Internal 1500
mtu BLDG-A 1500
mtu BLDG-B 1500
mtu BLDG-C 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-702.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (BLDG-A,outside) source static BLDG-A BLDG-A destination static VPN-POOL VPN-POOL
nat (BLDG-B,outside) source static BLDG-B BLDG-B destination static VPN-POOL VPN-POOL
nat (BLDG-C,outside) source static BLDG-C BLDG-C destination static VPN-POOL VPN-POOL
nat (Internal,outside) source static NETWORK_OBJ_192.168.26.0_24 NETWORK_OBJ_192.168.26.0_24 destination static NETWORK_OBJ_192.168.12.0_26 NETWORK_OBJ_192.168.12.0_26 no-proxy-arp route-lookup
nat (Internal,outside) source static Electro-Polish-Network Electro-Polish-Network destination static GLE-Network GLE-Network no-proxy-arp route-lookup
nat (Internal,outside) source static any any destination static NETWORK_OBJ_192.168.12.0_26 NETWORK_OBJ_192.168.12.0_26 no-proxy-arp route-lookup
nat (outside,outside) source static any any destination static NETWORK_OBJ_192.168.12.0_26 NETWORK_OBJ_192.168.12.0_26 no-proxy-arp route-lookup
nat (Internal,outside) source static EP-VPN-Network EP-VPN-Network destination static GLE-Network GLE-Network no-proxy-arp route-lookup
nat (Internal,outside) source static NETWORK_OBJ_192.168.26.0_24 NETWORK_OBJ_192.168.26.0_24 destination static GLE-Network GLE-Network no-proxy-arp route-lookup
object network obj_any
nat (Internal,outside) dynamic interface
object network obj-KeoweeCameras
nat (Internal,outside) static x.x.x.x
object network Inside
nat (Internal,outside) dynamic interface
object network Guest
nat (Guest,outside) dynamic x.x.x.x
object network Internal
nat (Internal,outside) dynamic interface
object network obj-HunterCameras
nat (BLDG-B,outside) static x.x.x.x
object network obj-Spiceworks
nat (Internal,outside) static x.x.x.x service tcp https https
object network BLDG-A
nat (BLDG-A,outside) dynamic interface
object network BLDG-B
nat (BLDG-B,outside) dynamic interface
object network BLDG-C
nat (BLDG-C,outside) dynamic interface
object network DCG-Server01
nat (any,any) static x.x.x.x
access-group inside_access_in in interface Management
access-group outside_access_in in interface outside
access-group Guest_access_in in interface Guest
access-group Internal_access_in in interface Internal
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server IAS protocol radius
aaa-server IAS (Internal) host 192.168.26.1
timeout 5
key *****
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.31.0 255.255.255.0 Management
http 192.168.26.0 255.255.255.0 Internal
http x.x.x.x 255.255.255.255 outside
http authentication-certificate Management
snmp-server host Internal 192.168.26.8 community ***** version 2c
snmp-server location Building A
snmp-server contact Dan Poynter
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map BLDG-B_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map BLDG-B_map interface BLDG-B
crypto map BLDG-A_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map BLDG-A_map interface BLDG-A
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 enable Internal
crypto ikev1 enable outside
crypto ikev1 enable Internal
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 192.168.26.0 255.255.255.0 Internal
telnet timeout 5
ssh timeout 5
console timeout 0
management-access Internal
dhcpd auto_config outside
dhcpd address 192.168.27.50-192.168.27.100 Guest
dhcpd dns 208.67.222.222 208.67.220.220 interface Guest
dhcprelay server 192.168.26.1 Internal
dhcprelay server 192.168.26.2 Internal
dhcprelay enable Guest
dhcprelay enable BLDG-A
dhcprelay enable BLDG-B
dhcprelay enable BLDG-C
dhcprelay setroute Guest
dhcprelay setroute BLDG-A
dhcprelay setroute BLDG-B
dhcprelay setroute BLDG-C
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_x.x.x.x internal
group-policy GroupPolicy_x.x.x.x attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy electroremote internal
group-policy electroremote attributes
dns-server value 192.168.26.1
vpn-tunnel-protocol ikev1 l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value electroremote_splitTunnelAcl
default-domain value electropolish.local
username epadmin password Iu2OqCfOGoYIZ5iC encrypted privilege 15
username epadmin attributes
service-type nas-prompt
tunnel-group electroremote type remote-access
tunnel-group electroremote general-attributes
address-pool remotevpnusers
authentication-server-group IAS
default-group-policy electroremote
tunnel-group electroremote ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
default-group-policy GroupPolicy_x.x.x.x
tunnel-group x.x.x.x ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
class-map icmp-class
match default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
class-map qos
description qos policy
match access-list ip-qos
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map icmp_policy
class icmp-class
inspect icmp
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
policy-map qos
class qos
police output 1048500 1048576
police input 256000 256000
service-policy global_policy global
service-policy icmp_policy interface outside
service-policy qos interface Guest
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:3f2034bf1ad61529c601c097d6f60bad
: end
Hi,
Are you saying that all traffic is working from central site to remote site when remote sites devices are in the "inside" Vlan? All but the phones even if they are in the "inside" Vlan?
Are you sure you have the NAT configurations correctly on the remote site for the other LAN interface?
Are you seeing any connections from the phones when they are in the original "inside" interface of the remote ASA? Don't they usually get the Call Manager IPs from the DHCP server and then connect with TFTP to the Call Manager, after which they form a TCP/2000 port connection to the Call Manager? I'm not really familiar with Cisco Phones other than what I see on the firewalls from time to time.
Are you sure your remote ASA and Switch are configured correctly when you add the second Vlan to the switch? Can you see the phones on the remote ASA with the "show arp" command when they are powered on?
There should not be identical security-levels on the interfaces of the remote ASA unless the phones need to connect to the other local "inside" network. Then it would be logical for the interfaces both to be security-level 100. Interface "outside" is usually set to 0.
Guess we would need to see the configurations for the ASAs to confirm that everything is in order.
- Jouni -
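The NAT question above is the check that decides whether a LAN subnet can use the tunnel at all: a subnet must be matched by the crypto-map ACL and have an identity NAT rule toward the remote network, or it gets PAT'd to the outside address and never enters the tunnel. As an added example (not code from the thread or from Cisco), this Python audit reads a pasted show run excerpt and reports every LAN interface missing either piece; the sample config is a constructed excerpt modelled on ASA 2 above, and the parser only understands extended "permit ip" ACL entries and "source static" NAT rules.

```python
"""Added audit (not from the thread or from Cisco): a LAN subnet only rides a
site-to-site tunnel if it is matched by the crypto-map ACL AND has an identity
("source static X X destination static Y Y") NAT rule toward the remote network."""
import ipaddress
from collections import defaultdict

# Constructed excerpt modelled on the remote-site "ASA 2" config in the thread;
# indentation is omitted on purpose, as it usually is in pasted "show run" output.
SAMPLE_CONFIG = """
interface Vlan4
nameif Internal
ip address 192.168.26.254 255.255.255.0
interface Vlan20
nameif BLDG-A
ip address 192.168.20.254 255.255.255.0
interface Vlan21
nameif BLDG-B
ip address 192.168.21.254 255.255.255.0
object network GLE-Network
subnet 10.0.0.0 255.0.0.0
object network Electro-Polish-Network
subnet 192.168.26.0 255.255.255.0
object network BLDG-A
subnet 192.168.20.0 255.255.255.0
object network VPN-POOL
subnet 192.168.12.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.26.0 255.255.255.0 object GLE-Network
nat (BLDG-A,outside) source static BLDG-A BLDG-A destination static VPN-POOL VPN-POOL
nat (Internal,outside) source static Electro-Polish-Network Electro-Polish-Network destination static GLE-Network GLE-Network no-proxy-arp route-lookup
crypto map outside_map 1 match address outside_cryptomap
"""
ANY = ipaddress.ip_network("0.0.0.0/0")


def operand(tok, i, objs):
    """Parse one ACL address operand at tok[i]; return (network or None, next index)."""
    t = tok[i]
    if t in ("any", "any4"):
        return ANY, i + 1
    if t == "object":
        return objs.get(tok[i + 1]), i + 2
    if t == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t}/{tok[i + 1]}"), i + 2


def parse_asa(text):
    """Extract interfaces, objects, ip ACLs, identity NAT rules and crypto-map ACL names."""
    cfg = {"objects": {}, "interfaces": {}, "acls": defaultdict(list),
           "nat_exempt": [], "crypto_acls": set()}
    objs, cur_obj, cur_if = cfg["objects"], None, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:2] == ["object", "network"]:
            cur_obj, cur_if = tok[2], None
        elif tok[0] == "interface":
            cur_if, cur_obj = tok[1], None
            cfg["interfaces"][cur_if] = {}
        elif tok[0] in ("subnet", "host") and cur_obj:
            objs[cur_obj] = ipaddress.ip_network(f"{tok[1]}/{tok[2] if tok[0] == 'subnet' else 32}")
        elif tok[0] == "nameif" and cur_if:
            cfg["interfaces"][cur_if]["nameif"] = tok[1]
        elif tok[:2] == ["ip", "address"] and cur_if:
            cfg["interfaces"][cur_if]["net"] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}").network
        elif tok[0] == "access-list" and tok[2:5] == ["extended", "permit", "ip"]:
            src, i = operand(tok, 5, objs)
            dst, _ = operand(tok, i, objs)
            if src is not None and dst is not None:
                cfg["acls"][tok[1]].append((src, dst))
        elif tok[0] == "nat" and "source" in tok and "destination" in tok:
            s, d = tok.index("source"), tok.index("destination")
            # identity (NAT-exempt) rule: real and mapped objects are the same on both sides
            if tok[s + 1] == tok[d + 1] == "static" and tok[s + 2] == tok[s + 3] and tok[d + 2] == tok[d + 3]:
                src = ANY if tok[s + 2] == "any" else objs.get(tok[s + 2])
                dst = ANY if tok[d + 2] == "any" else objs.get(tok[d + 2])
                if src is not None and dst is not None:
                    cfg["nat_exempt"].append((tok[1].strip("()").split(",")[0], src, dst))
        elif tok[:2] == ["crypto", "map"] and "match" in tok:
            cfg["crypto_acls"].add(tok[tok.index("address") + 1])
    return cfg


def audit_vpn_coverage(cfg):
    """Return (nameif, lan, remote, in_crypto_acl, nat_exempt) for LAN subnets not fully covered."""
    entries = [(s, d) for acl in cfg["crypto_acls"] for s, d in cfg["acls"].get(acl, [])]
    findings = []
    for iface in cfg["interfaces"].values():
        if "net" not in iface or iface.get("nameif", "outside") == "outside":
            continue
        lan = iface["net"]
        for remote in sorted({d for _, d in entries}):
            in_acl = any(lan.subnet_of(s) and remote.subnet_of(d) for s, d in entries)
            exempt = any(ifn == iface["nameif"] and lan.subnet_of(s) and remote.subnet_of(d)
                         for ifn, s, d in cfg["nat_exempt"])
            if not (in_acl and exempt):
                findings.append((iface["nameif"], str(lan), str(remote), in_acl, exempt))
    return findings


if __name__ == "__main__":
    for nameif, lan, remote, in_acl, exempt in audit_vpn_coverage(parse_asa(SAMPLE_CONFIG)):
        print(f"{nameif:<10} {lan:<18} -> {remote:<14} crypto-ACL={in_acl} NAT-exempt={exempt}")
```

On the sample, Internal passes while BLDG-A and BLDG-B are reported with neither a crypto-ACL match nor a NAT exemption toward 10.0.0.0/8, which is the situation a phone moved onto one of those VLANs would hit. Interfaces that are not meant to use the tunnel (a guest network, for example) are reported too and are expected findings.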
Configuring Cisco ASA for site to site VPN ( Issue with setting up local network)
OK, so our primary firewall is a Checkpoint gateway. Behind that we have a Cisco ASA for VPN users. I have a project at the moment where we need to connect to another company using site-to-site VPN through the Cisco ASA, as the Checkpoint gateway is unable to establish a permanent tunnel with the other company's Cisco ASA.
What would be the best practice for setting up the local network on my side? Create the network on the ASA and then use a L2 vlan to connect to the Core switch?
Setup a L3 interface on the core switch and point it towards the checkpoint gateway which would then point to the ASA?
When you have to select your local network through the site to site wizard do you have to put the inside network address of the ASA?
Our network is setup like this: Access layer switch > Core 6500 Switch > Checkpoint-Firewall > Internet
The ASA is connected to a checkpoint sub interface
Any help would be beneficial as im new to cisco ASAs
Thanks
MarkMark
If we understood more about your environment we might be able to give you better answers. My initial reaction was similar to the suggestion from Michael to use a L2 vlan. But as I think a bit more my attention is drawn to something that you mention in the original post. The ASA is there for VPN users. If the VPN users need to access your internal network then you probably already have something configured on the ASA that allows access to the internal network. Perhaps that same thing might provide access for your site to site VPN?
HTH
Rick -
Troubleshooting RPC issue over ASA VPN
Hello,
I have a IPSec VPN Tunnel between my corporate data center and a satellite service provider. I also have 2 trucks, A & B, with networks on them. These truck networks communicate via satellite to the provider base station, and then across the VPN tunnel to our corp. data center. The A & B truck networks each have a Windows Domain Controller that communicates to our DCs in the data center, for Active Directory replication. They are using RPC for this.
Both truck networks and servers were tested and worked perfectly when first tested and deployed.
ASA 5510 running IOS ver 8.2(1)
About a month ago, truck B lost its ability to communicate via RPC to the DCs in the data center. Nothing has changed on the network on my side or on the satellite provider's side. I've looked through my VPN logs and firewall logs, but don't see anything that indicates a probable cause. There is no evidence of requests being denied on my firewall or in the VPN ACLs.
The one strange thing I've noticed when doing some tests is that I don't see interesting traffic hitting the ACL on the ASA when trying to ping or traceroute from the truck B server, or when the RPC request is being run. BTW, the truck B server can ping and traceroute over the VPN tunnel to servers in the data center just fine, and the reverse is also true. Just the RPC doesn't work.
Here's the RPC error output:
NtFrsApi Version Information
NtFrsApi Major : 0
NtFrsApi Minor : 0
NtFrsApi Compiled on: Feb 16 2007 20:10:33
ERROR - Cannot RPC to computer, odyssey; 00000721 (1825)
Below is a traceroute from the truck B server to the data center server. Notice the multiple entries for server accord?
I seem to remember that this kind of behavior occurs when an IP address is being NATed. Is that correct?
Any suggestions are greatly appreciated.
Thanks Pranesh,
I haven't checked the IPsec tunnel, but I assumed that since I get a successful connection to the VPN tunnel, the tunnel is up. I have very limited knowledge about this; still learning the basics for CCNA certification. The weird thing is that when I swap out the ASA 5505 with a home Netgear router (at home), I don't have any problem accessing the inside network at the temple. Therefore, my assumption is that something is wrong in my ASA 5505 config at home (the config is pasted in the initial post). Please advise.
Again, thank you so much for your help. -
ASA VPN with LDAP authentication
We currently use a Cisco ASA (5510, 8.2) IPsec VPN client with RADIUS as a backend authentication service. We have configured IAS on one of our domain controllers to issue a RADIUS Accept/Deny based on the users' membership in a "VPN Users" group. The IAS policy rules make this very easy (IAS understands Windows group membership), and we like using groups because it is easy to send mail to all VPN users.
The things we don't like about using RADIUS are that IAS has to be configured as a middleman service, and that IAS does not always start successfully after a system reboot (we are not sure why).
We were wondering if it was possible to skip the middleman and use LDAP directly, pointing to our pool of domain controllers. There are many LDAP examples out on the net, but they consist of using an LDAP attribute map to either use the "Remote Access Permission" of the user's Dial-In profile, or to associate an AD group with a Cisco policy.
The former does not fit our model because it bypasses the group membership concept and requires VPN control via profile. The latter does not fit because, while we do have a "VPN Users" group to map in the affirmative, we do not have an inverse to map to a Deny policy. There is no "NOT" logical operator in the LDAP attribute mapping.
Does anyone know a way to accomplish what we are after, using LDAP rather than RADIUS, where a single group can determine Accept (and, more importantly, absence equals Deny)?
Hi,
I believe the second option you've mentioned will work for you. Why? Using that, if you map a single AD group to the right Cisco policy, then this will work the way you want, where absence means deny for other users.
Here is a config example you may try:
Configuration for restricting access to a particular Windows group on AD/LDAP (values in angle brackets are placeholders to fill in for your environment):
! Catch-all policy: users who match no map-value land here and cannot log in
group-policy noaccess internal
group-policy noaccess attributes
 vpn-simultaneous-logins 0
 address-pools none
! Map the DN of the AD group to the name of the group-policy it should receive
ldap attribute-map LDAP-MAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf <VPN-Users-group-DN> <vpn-group-policy-name>
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD host <domain-controller-ip>
 server-port 389
 ldap-base-dn <base-DN>
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn <bind-account-DN>
 ldap-login-password <bind-account-password>
 server-type microsoft
 ldap-attribute-map LDAP-MAP
! Policy granted only to members of the mapped group
group-policy <vpn-group-policy-name> internal
group-policy <vpn-group-policy-name> attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol IPSec l2tp-ipsec ...
 address-pools value <pool-name>
tunnel-group <tunnel-group-name> type remote-access
tunnel-group <tunnel-group-name> general-attributes
 authentication-server-group LDAP-AD
 default-group-policy noaccess
HTH
JK
-Plz rate helpful posts-
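The "absence equals Deny" behaviour in the reply above comes from two pieces working together: the attribute map turns a matching memberOf value into a group-policy name, and anyone with no match falls through to the tunnel-group's default-group-policy, whose vpn-simultaneous-logins 0 blocks the login. The following is an added example (not from the thread, JK's reply or Cisco) that applies that resolution rule to a constructed LDIF export so the result can be audited before cutting over from RADIUS. It also shows the caveat a practitioner should check for: AD's memberOf attribute lists direct memberships only, so a user who reaches "VPN Users" through a nested group lands in noaccess. The DNs, user names, the "VPN-POLICY" policy name and the LDIF content are assumptions for the example.

```python
# Constructed LDIF export of a few directory objects (not from the thread).
# Carol is in "Contractors", which is itself nested in "VPN Users": her own
# memberOf attribute never lists "VPN Users", because AD's memberOf holds
# direct memberships only.
SAMPLE_LDIF = """\
dn: CN=Alice,OU=Staff,DC=example,DC=test
objectClass: user
sAMAccountName: alice
memberOf: CN=Finance,OU=Groups,DC=example,DC=test
memberOf: CN=VPN Users,OU=Groups,DC=example,DC=test

dn: CN=Bob,OU=Staff,DC=example,DC=test
objectClass: user
sAMAccountName: bob
memberOf: CN=Finance,OU=Groups,DC=example,DC=test

dn: CN=Carol,OU=Staff,DC=example,DC=test
objectClass: user
sAMAccountName: carol
memberOf: CN=Contractors,OU=Groups,DC=example,DC=test

dn: CN=Contractors,OU=Groups,DC=example,DC=test
objectClass: group
sAMAccountName: Contractors
memberOf: CN=VPN Users,OU=Groups,DC=example,DC=test
"""

# The ldap attribute-map from the reply, as data: memberOf value -> group-policy
# name (what the ASA writes into IETF-Radius-Class). The DN and the policy name
# "VPN-POLICY" are assumptions for the example.
ATTRIBUTE_MAP = {
    "memberOf": {"CN=VPN Users,OU=Groups,DC=example,DC=test": "VPN-POLICY"},
}

# The group-policy setting that decides whether a login can actually succeed.
GROUP_POLICIES = {
    "noaccess": {"vpn-simultaneous-logins": 0},
    "VPN-POLICY": {"vpn-simultaneous-logins": 3},
}


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, multi-valued attributes."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(": ")
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def resolve_group_policy(entry, attribute_map, default_policy):
    """First memberOf value with a map-value match supplies the policy name;
    with no match the tunnel-group's default-group-policy applies."""
    for value in entry.get("memberOf", []):
        policy = attribute_map["memberOf"].get(value)
        if policy is not None:
            return policy
    return default_policy


def audit(ldif_text, attribute_map, default_policy="noaccess"):
    """Return {sAMAccountName: (group-policy, login_allowed)} for every user."""
    result = {}
    for entry in parse_ldif(ldif_text):
        if "user" not in entry.get("objectClass", []):
            continue
        policy = resolve_group_policy(entry, attribute_map, default_policy)
        allowed = GROUP_POLICIES[policy]["vpn-simultaneous-logins"] > 0
        result[entry["sAMAccountName"][0]] = (policy, allowed)
    return result


if __name__ == "__main__":
    for user, (policy, allowed) in sorted(audit(SAMPLE_LDIF, ATTRIBUTE_MAP).items()):
        print(f"{user:8} -> {policy:11} {'allowed' if allowed else 'denied'}")
```

Alice is the only user granted VPN-POLICY; Bob is denied because he is in no mapped group, and Carol is denied despite being a nested member of "VPN Users", so nested groups have to be flattened into direct membership before this design replaces the IAS group check.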