Cisco ASA5505 multiple public ip nat problem

Similar Messages

• How to Configure Cisco ASA 5512 for multiple public IP interfaces

  Hi
  I have a new ASA 5512 that I would like to configure for multiple public IP support.  My problem may be basic but I am an occasional router admin and don't touch this stuff enough to retain everything I have learned.
  Here is my concept.    We have a very basic network setup using three different ISPs that are currently running with cheap routers for internet access.  We use these networks to open up access for Sales to demo different products that use a lot of bandwidth (why we have three)
  I wanted to use the 5512 to consolidate the ISPs so we are using one router to manage the connections.  I have installed an add on license that allows multiple outside interfaces along with a number of other features.
  Outside Networks (I've changed the IPs for security purposes)
  Outside1 E 0/0 : 74.55.55.210  255.255.255.240 gateway 74.55.55.222
  Outside2 E 0/2: 50.241.134.220 255.255.248 gateway 50.241.134.222
  Inside1 : E 0/1 192.168.255.1 255.255.248.0
  Inside2 : E 0/3 172.16.255.1 255.255.248.0
  My goal is to have Inside 1 route all internet traffic using Outside1 and Inside 2 to use Outside2.    The problem is I can't seem to do this. I can get inside 1 to use outside 1 but Inside2 uses Outside 1 as well.
  I tried adding static routes on Outside2 to have all 172.16.248.0/21 traffic use gateway 50.241.134.222 but that doesn't seem to work.   
  I can post my config up as needed.  I am not well versed in Cisco CLI, I've been using the ASDM 7.1 app.  My ASA 5512 is at 9.1.   
  Thanks in advance for the suggestions/help

  I have been away for a while and am just getting caught up on some posts. so my apology for a delayed response.
  I find the response very puzzling. It begins by proclaiming that to achieve the objective we must use Policy Based Routing. But then in the suggested configuration there is no PBR. What it gives us is two OSPF processes using one process for each of the public address ranges and with some strange distribute list which uses a route map. I am not clear what exactly it is that this should accomplish and do not see how it contributes to having one group of users use one specific ISP and the other group of users use the other ISP>
  To the original poster
  It seems to me that you have chosen the wrong device to implement the edge function of your network. The ASA is a good firewall and it does some routing things. But fundamentally it is not a router. And to achieve what you want were a group of users will use a specified ISP and the other group of users will use the other ISP you really need a router. You want to control outbound traffic based on the source of the traffic, and that is a classic situation where PBR is the ideal solution. But the ASA does not do PBR.
  HTH
  Rick

• Problem with traffic over Remote Access VPN (Cisco ASA5505)

  Hi
  I've changed the VPN IP pool on a previously functioning VPN setup on a Cisco ASA5505, I've updated IP addresses everywhere it seemed appropriate, but now the VPN is no longer working. I am testing with a Cisco IPSec client, but the same happens with the AnyConnect client. Clients connect, but cannot access resources on the LAN. Split tunneling also doesn't work, internet is not accessible once VPN is connected.
  I found a NAT exempt rule to not be correctly specified, but after fixing this, the problem still persists.
  : Saved:ASA Version 8.2(1) !hostname ciscoasadomain-name our-domain.comenable password xxxxxxxx encryptedpasswd xxxxxxxx encryptednamesname 172.17.1.0 remote-vpn!interface Vlan1 nameif inside security-level 100 ip address 10.1.1.2 255.0.0.0 !interface Vlan2 nameif outside security-level 0 pppoe client vpdn group adslrealm ip address pppoe setroute !interface Ethernet0/0 switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!ftp mode passiveclock timezone SAST 2dns domain-lookup insidedns domain-lookup outsidedns server-group DefaultDNS name-server 10.1.1.138 name-server 10.1.1.54 domain-name our-domain.comsame-security-traffic permit inter-interfacesame-security-traffic permit intra-interfaceobject-group network utobject-group protocol TCPUDP protocol-object udp protocol-object tcpaccess-list no_nat extended permit ip 10.0.0.0 255.0.0.0 remote-vpn 255.255.255.0 access-list split-tunnel standard permit 10.0.0.0 255.0.0.0 access-list outside_access_in extended permit tcp any interface outside eq https access-list outside_access_in extended permit tcp any interface outside eq 5061 access-list outside_access_in extended permit tcp any interface outside eq 51413 access-list outside_access_in extended permit udp any interface outside eq 51413 access-list outside_access_in extended permit tcp any interface outside eq 2121 access-list outside_access_in extended permit udp any interface outside eq 2121 access-list inside_access_out extended deny ip any 64.34.106.0 255.255.255.0 access-list inside_access_out extended deny ip any 69.25.20.0 255.255.255.0 access-list inside_access_out extended deny ip any 69.25.21.0 255.255.255.0 access-list inside_access_out extended deny ip any 72.5.76.0 255.255.255.0 access-list inside_access_out extended deny ip any 72.5.77.0 255.255.255.0 access-list inside_access_out extended deny ip any 216.52.0.0 255.255.0.0 access-list inside_access_out extended deny ip any 74.201.0.0 255.255.0.0 access-list inside_access_out extended deny ip any 64.94.0.0 255.255.0.0 access-list inside_access_out extended deny ip any 69.25.0.0 255.255.0.0 access-list inside_access_out extended deny tcp any any eq 12975 access-list inside_access_out extended deny tcp any any eq 32976 access-list inside_access_out extended deny tcp any any eq 17771 access-list inside_access_out extended deny udp any any eq 17771 access-list inside_access_out extended permit ip any any pager lines 24logging enablelogging asdm informationalmtu inside 1500mtu outside 1500ip local pool VPNPool 172.17.1.1-172.17.1.254icmp unreachable rate-limit 1 burst-size 1no asdm history enablearp timeout 14400global (outside) 1 interfacenat (inside) 0 access-list no_natnat (inside) 1 10.0.0.0 255.0.0.0static (inside,outside) tcp interface 5061 10.1.1.157 5061 netmask 255.255.255.255 static (inside,outside) tcp interface https 10.1.1.157 4443 netmask 255.255.255.255 static (inside,outside) tcp interface 51413 10.1.1.25 51413 netmask 255.255.255.255 static (inside,outside) udp interface 51413 10.1.1.25 51413 netmask 255.255.255.255 static (inside,outside) tcp interface 2121 10.1.1.25 2121 netmask 255.255.255.255 static (inside,outside) udp interface 2121 10.1.1.25 2121 netmask 255.255.255.255 access-group outside_access_in in interface outsidetimeout xlate 3:00:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolutetimeout tcp-proxy-reassembly 0:01:00dynamic-access-policy-record DfltAccessPolicyaaa-server AD protocol ldapaaa-server AD (inside) host 10.1.1.138 ldap-base-dn dc=our-domain,dc=com ldap-scope subtree ldap-naming-attribute sAMAccountName ldap-login-password * ldap-login-dn cn=ciscoasa,cn=Users,dc=ourdomain,dc=com server-type auto-detectaaa authentication ssh console AD LOCALaaa authentication telnet console LOCAL http server enable 4343http 0.0.0.0 0.0.0.0 outsidehttp 10.0.0.0 255.0.0.0 insidehttp remote-vpn 255.255.255.0 insidesnmp-server host inside 10.1.1.190 community oursnmpsnmp-server host inside 10.1.1.44 community oursnmpno snmp-server locationno snmp-server contactsnmp-server community *****snmp-server enable traps snmp authentication linkup linkdown coldstartcrypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac crypto ipsec security-association lifetime seconds 28800crypto ipsec security-association lifetime kilobytes 4608000crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5crypto dynamic-map dyn1 1 set transform-set FirstSetcrypto dynamic-map dyn1 1 set reverse-routecrypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAPcrypto map mymap 1 ipsec-isakmp dynamic dyn1crypto map mymap interface outsidecrypto ca trustpoint ASDM_TrustPoint0 enrollment self subject-name CN=ciscoasa crl configurecrypto ca trustpoint CA1 revocation-check crl none enrollment retry period 5 enrollment terminal fqdn ciscoasa.our-domain.com subject-name CN=ciscoasa.our-domain.com, OU=Department, O=Company, C=US, St=New York, L=New York keypair ciscoasa.key crl configurecrypto ca certificate chain ASDM_TrustPoint0 certificate xxxxxxx    ...  quitcrypto ca certificate chain CA1 certificate xxxxxxxxxxxxxx    ...  quit certificate ca xxxxxxxxxxxxx    ...  quitcrypto isakmp enable outsidecrypto isakmp policy 1 authentication rsa-sig encryption 3des hash md5 group 2 lifetime 86400crypto isakmp policy 5 authentication pre-share encryption 3des hash sha group 2 lifetime 86400crypto isakmp policy 10 authentication pre-share encryption des hash sha group 2 lifetime 86400ssh 10.0.0.0 255.0.0.0 insidessh timeout 5console timeout 0vpdn group adslrealm request dialout pppoevpdn group adslrealm localname username6@adslrealmvpdn group adslrealm ppp authentication papvpdn username username6@adslrealm password ********* store-localvpdn username username@adsl-u password ********* store-localvpdn username username2@adslrealm password ********* dhcpd auto_config outside!threat-detection basic-threatthreat-detection scanning-threatthreat-detection statistics access-listno threat-detection statistics tcp-interceptntp server x.x.x.x source outsidessl trust-point ASDM_TrustPoint0 outsidewebvpn port 4343 enable outside svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1 svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2 svc image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3 svc enablegroup-policy defaultgroup internalgroup-policy defaultgroup attributes dns-server value 10.1.1.138 10.1.1.54 split-tunnel-policy tunnelspecified split-tunnel-network-list value split-tunnel default-domain value our-domain.comgroup-policy DfltGrpPolicy attributes dns-server value 10.1.1.138 10.1.1.54 vpn-tunnel-protocol IPSec l2tp-ipsec svc split-tunnel-policy tunnelspecified split-tunnel-network-list value split-tunnel address-pools value VPNPool webvpn  svc ask none default svcusername person1 password xxxxxxx encryptedusername admin password xxxxxxxx encrypted privilege 15username person2 password xxxxxxxxx encryptedusername person3 password xxxxxxxxxx encryptedtunnel-group DefaultRAGroup general-attributes address-pool VPNPool default-group-policy defaultgrouptunnel-group DefaultRAGroup ipsec-attributes trust-point CA1tunnel-group OurCompany type remote-accesstunnel-group OurCompany general-attributes address-pool VPNPooltunnel-group OurCompany webvpn-attributes group-alias OurCompany enable group-url https://x.x.x.x/OurCompany enabletunnel-group OurIPSEC type remote-accesstunnel-group OurIPSEC general-attributes address-pool VPNPool default-group-policy defaultgrouptunnel-group OurIPSEC ipsec-attributes pre-shared-key * trust-point CA1!class-map inspection_default match default-inspection-traffic!!policy-map type inspect dns preset_dns_map parameters  message-length maximum 512policy-map type inspect sip sip-map parameters  max-forwards-validation action drop log  state-checking action drop log  rtp-conformance policy-map global_policy class inspection_default  inspect dns preset_dns_map   inspect ftp   inspect h323 h225   inspect h323 ras   inspect rsh   inspect rtsp   inspect esmtp   inspect sqlnet   inspect skinny    inspect sunrpc   inspect xdmcp   inspect netbios   inspect tftp   inspect icmp   inspect pptp   inspect sip sip-map !             service-policy global_policy globalprompt hostname context Cryptochecksum:xxxxxxxxxxxxxxxxx: end
  I've checked all the debug logs I could think of and tried various troubleshooting steps. Any ideas?
  Regards
  Lionel

  Hi
  The bulk of the devices are not even routing through the ASA, internal devices such as IP phones, printers, etc. There is also large wastage of IP addresses which needs to be sorted out at some stage.
  Outside IP address is 196.215.40.160. The DSL modem is configured as an LLC bridge.
  Here are the debug logs when connecting if this helps at all. Nothing is logged when a connection is attempted though.
  Regards
  Lionel
  Oct 15 17:08:51 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 765Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing SA payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing ke payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing ISA_KE payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing nonce payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing ID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received Fragmentation VIDOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  FalseOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received NAT-Traversal RFC VIDOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received NAT-Traversal ver 03 VIDOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received NAT-Traversal ver 02 VIDOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received xauth V6 VIDOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received Cisco Unity client VIDOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received DPD VIDOct 15 17:08:51 [IKEv1]: IP = 197.79.9.227, Connection landed on tunnel_group OurIPSECOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, processing IKE SA payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, IKE SA Proposal # 1, Transform # 5 acceptable  Matches global IKE entry # 2Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing ISAKMP SA payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing ke payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing nonce payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, Generating keys for Responder...Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing ID payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing hash payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, Computing hash for ISAKMPOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing Cisco Unity VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing xauth V6 VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing dpd vid payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing NAT-Traversal VID ver 02 payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing NAT-Discovery payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, computing NAT Discovery hashOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing NAT-Discovery payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, computing NAT Discovery hashOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing Fragmentation VID + extended capabilities payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing VID payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, Send Altiga/Cisco VPN3000/Cisco ASA GW VIDOct 15 17:08:51 [IKEv1]: IP = 197.79.9.227, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 436Oct 15 17:08:51 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NAT-D (130) + NAT-D (130) + NOTIFY (11) + NONE (0) total length : 128Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, processing hash payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, Computing hash for ISAKMPOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, processing NAT-Discovery payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, computing NAT Discovery hashOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, processing NAT-Discovery payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, computing NAT Discovery hashOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, processing notify payloadOct 15 17:08:51 [IKEv1]: Group = OurIPSEC, IP = 197.79.9.227, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end   IS   behind a NAT deviceOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing blank hash payloadOct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing qm hash payloadOct 15 17:08:51 [IKEv1]: IP = 197.79.9.227, IKE_DECODE SENDING Message (msgid=b8b02705) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72Oct 15 17:09:02 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=b8b02705) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 88Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, process_attr(): Enter!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, Processing MODE_CFG Reply attributes.Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: primary DNS = 10.1.1.138Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: secondary DNS = 10.1.1.54Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: primary WINS = clearedOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: secondary WINS = clearedOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: split tunneling list = split-tunnelOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: default domain = our-domain.comOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: IP Compression = disabledOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: Split Tunneling Policy = Split NetworkOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: Browser Proxy Setting = no-modifyOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: Browser Proxy Bypass Local = disableOct 15 17:09:02 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, User (person2) authenticated.Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing blank hash payloadOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing qm hash payloadOct 15 17:09:02 [IKEv1]: IP = 197.79.9.227, IKE_DECODE SENDING Message (msgid=a2171c19) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64Oct 15 17:09:02 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=a2171c19) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, process_attr(): Enter!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Processing cfg ACK attributesOct 15 17:09:02 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=3257625f) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 164Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, process_attr(): Enter!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Processing cfg Request attributesOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for IPV4 address!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for IPV4 net mask!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for DNS server address!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for WINS server address!Oct 15 17:09:02 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Received unsupported transaction mode attribute: 5Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Application Version!Oct 15 17:09:02 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Client Type: iPhone OS  Client Application Version: 7.0.2Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Banner!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Default Domain Name!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Split DNS!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Split Tunnel List!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Local LAN Include!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for PFS setting!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Save PW setting!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for FWTYPE!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for backup ip-sec peer list!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Client Browser Proxy Setting!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Obtained IP addr (172.17.1.1) prior to initiating Mode Cfg (XAuth enabled)Oct 15 17:09:02 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Assigned private IP address 172.17.1.1 to remote userOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing blank hash payloadOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, construct_cfg_set: default domain = our-domain.comOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Send Client Browser Proxy Attributes!Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Browser Proxy set to No-Modify. Browser Proxy data will NOT be included in the mode-cfg replyOct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing qm hash payloadOct 15 17:09:02 [IKEv1]: IP = 197.79.9.227, IKE_DECODE SENDING Message (msgid=3257625f) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 210Oct 15 17:09:03 [IKEv1 DECODE]: IP = 197.79.9.227, IKE Responder starting QM: msg id = c9359d2eOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Delay Quick Mode processing, Cert/Trans Exch/RM DSID in progressOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Resume Quick Mode processing, Cert/Trans Exch/RM DSID completedOct 15 17:09:03 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, PHASE 1 COMPLETEDOct 15 17:09:03 [IKEv1]: IP = 197.79.9.227, Keep-alive type for this connection: DPDOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Starting P1 rekey timer: 3420 seconds.Oct 15 17:09:03 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=c9359d2e) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 284Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing hash payloadOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing SA payloadOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing nonce payloadOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing ID payloadOct 15 17:09:03 [IKEv1 DECODE]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, ID_IPV4_ADDR ID received172.17.1.1Oct 15 17:09:03 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Received remote Proxy Host data in ID Payload:  Address 172.17.1.1, Protocol 0, Port 0Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing ID payloadOct 15 17:09:03 [IKEv1 DECODE]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, ID_IPV4_ADDR_SUBNET ID received--10.0.0.0--255.0.0.0Oct 15 17:09:03 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Received local IP Proxy Subnet data in ID Payload:   Address 10.0.0.0, Mask 255.0.0.0, Protocol 0, Port 0Oct 15 17:09:03 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, QM IsRekeyed old sa not found by addrOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-TraversalOct 15 17:09:03 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKE Remote Peer configured for crypto map: dyn1Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing IPSec SA payloadOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IPSec SA Proposal # 1, Transform # 6 acceptable  Matches global IPSec SA entry # 1Oct 15 17:09:03 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKE: requesting SPI!IPSEC: New embryonic SA created @ 0xCB809F40,     SCB: 0xC9613DB0,     Direction: inbound    SPI      : 0x96A6C295    Session ID: 0x0001D000    VPIF num  : 0x00000002    Tunnel type: ra    Protocol   : esp    Lifetime   : 240 secondsOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKE got SPI from key engine: SPI = 0x96a6c295Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, oakley constucting quick modeOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing blank hash payloadOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing IPSec SA payloadOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing IPSec nonce payloadOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing proxy IDOct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Transmitting Proxy Id:  Remote host: 172.17.1.1  Protocol 0  Port 0  Local subnet:  10.0.0.0  mask 255.0.0.0 Protocol 0  Port 0Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing qm hash payloadOct 15 17:09:03 [IKEv1 DECODE]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKE Responder sending 2nd QM pkt: msg id = c9359d2eOct 15 17:09:03 [IKEv1]: IP = 197.79.9.227, IKE_DECODE SENDING Message (msgid=c9359d2e) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 152Oct 15 17:09:06 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=c9359d2e) with payloads : HDR + HASH (8) + NONE (0) total length : 52Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing hash payloadOct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, loading all IPSEC SAsOct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Generating Quick Mode Key!Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, NP encrypt rule look up for crypto map dyn1 1 matching ACL Unknown: returned cs_id=c9f22e78; rule=00000000Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Generating Quick Mode Key!Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, NP encrypt rule look up for crypto map dyn1 1 matching ACL Unknown: returned cs_id=c9f22e78; rule=00000000Oct 15 17:09:06 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Security negotiation complete for User (person2)  Responder, Inbound SPI = 0x96a6c295, Outbound SPI = 0x09e97594IPSEC: New embryonic SA created @ 0xCB8F7418,     SCB: 0xC9F6DD30,     Direction: outbound    SPI      : 0x09E97594    Session ID: 0x0001D000    VPIF num  : 0x00000002    Tunnel type: ra    Protocol   : esp    Lifetime   : 240 secondsIPSEC: Completed host OBSA update, SPI 0x09E97594IPSEC: Creating outbound VPN context, SPI 0x09E97594    Flags: 0x00000025    SA   : 0xCB8F7418    SPI  : 0x09E97594    MTU  : 1492 bytes    VCID : 0x00000000    Peer : 0x00000000    SCB  : 0x99890723    Channel: 0xC6691360IPSEC: Completed outbound VPN context, SPI 0x09E97594    VPN handle: 0x001E7FCCIPSEC: New outbound encrypt rule, SPI 0x09E97594    Src addr: 10.0.0.0    Src mask: 255.0.0.0    Dst addr: 172.17.1.1    Dst mask: 255.255.255.255    Src ports      Upper: 0      Lower: 0      Op   : ignore    Dst ports      Upper: 0      Lower: 0      Op   : ignore    Protocol: 0    Use protocol: false    SPI: 0x00000000    Use SPI: falseIPSEC: Completed outbound encrypt rule, SPI 0x09E97594    Rule ID: 0xCB5483E8IPSEC: New outbound permit rule, SPI 0x09E97594    Src addr: 196.215.40.160    Src mask: 255.255.255.255    Dst addr: 197.79.9.227    Dst mask: 255.255.255.255    Src ports      Upper: 4500      Lower: 4500      Op   : equal    Dst ports      Upper: 41593      Lower: 41593      Op   : equal    Protocol: 17    Use protocol: true    SPI: 0x00000000    Use SPI: falseIPSEC: Completed outbound permit rule, SPI 0x09E97594    Rule ID: 0xC9242228Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKE got a KEY_ADD msg for SA: SPI = 0x09e97594IPSEC: Completed host IBSA update, SPI 0x96A6C295IPSEC: Creating inbound VPN context, SPI 0x96A6C295    Flags: 0x00000026    SA   : 0xCB809F40    SPI  : 0x96A6C295    MTU  : 0 bytes    VCID : 0x00000000    Peer : 0x001E7FCC    SCB  : 0x985C5DA5    Channel: 0xC6691360IPSEC: Completed inbound VPN context, SPI 0x96A6C295    VPN handle: 0x0020190CIPSEC: Updating outbound VPN context 0x001E7FCC, SPI 0x09E97594    Flags: 0x00000025    SA   : 0xCB8F7418    SPI  : 0x09E97594    MTU  : 1492 bytes    VCID : 0x00000000    Peer : 0x0020190C    SCB  : 0x99890723    Channel: 0xC6691360IPSEC: Completed outbound VPN context, SPI 0x09E97594    VPN handle: 0x001E7FCCIPSEC: Completed outbound inner rule, SPI 0x09E97594    Rule ID: 0xCB5483E8IPSEC: Completed outbound outer SPD rule, SPI 0x09E97594    Rule ID: 0xC9242228IPSEC: New inbound tunnel flow rule, SPI 0x96A6C295    Src addr: 172.17.1.1    Src mask: 255.255.255.255    Dst addr: 10.0.0.0    Dst mask: 255.0.0.0    Src ports      Upper: 0      Lower: 0      Op   : ignore    Dst ports      Upper: 0      Lower: 0      Op   : ignore    Protocol: 0    Use protocol: false    SPI: 0x00000000    Use SPI: falseIPSEC: Completed inbound tunnel flow rule, SPI 0x96A6C295    Rule ID: 0xCB7CFCC8IPSEC: New inbound decrypt rule, SPI 0x96A6C295    Src addr: 197.79.9.227    Src mask: 255.255.255.255    Dst addr: 196.215.40.160    Dst mask: 255.255.255.255    Src ports      Upper: 41593      Lower: 41593      Op   : equal    Dst ports      Upper: 4500      Lower: 4500      Op   : equal    Protocol: 17    Use protocol: true    SPI: 0x00000000    Use SPI: falseIPSEC: Completed inbound decrypt rule, SPI 0x96A6C295    Rule ID: 0xCB9BF828IPSEC: New inbound permit rule, SPI 0x96A6C295    Src addr: 197.79.9.227    Src mask: 255.255.255.255    Dst addr: 196.215.40.160    Dst mask: 255.255.255.255    Src ports      Upper: 41593      Lower: 41593      Op   : equal    Dst ports      Upper: 4500      Lower: 4500      Op   : equal    Protocol: 17    Use protocol: true    SPI: 0x00000000    Use SPI: falseIPSEC: Completed inbound permit rule, SPI 0x96A6C295    Rule ID: 0xCBA7C740Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Pitcher: received KEY_UPDATE, spi 0x96a6c295Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Starting P2 rekey timer: 3417 seconds.Oct 15 17:09:06 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Adding static route for client address: 172.17.1.1 Oct 15 17:09:06 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, PHASE 2 COMPLETED (msgid=c9359d2e)

• Problem with VPN timeout on Cisco ASA5505

  Hi i'm sorry if it's vague, but i'm coming here without any  config simply because i don't have access.
  At work we have 1 Cisco ASA5505 which is used for IPSEC VPN only.
  We have 4-5 users that work 100% from the VPN (8h per day 40h per week)
  The problem we have will be the disconnection.
  We have 1 user that will never never never have the problem (he can stay log all 8h if he wants to)
  The 2nd user can get disconnected, but mostly if the VPN stays on for too long without any action.
  Me and the other user can get frequent Disconnection in a day, but  it's all random (1 days i can get disconnected 0 times and the next day 3 times)
  I am using Mac OS 10.7 (just like the one that never gets disconnected and the one that gets disconnected randomly)
  The other person who gets disconnected alot is on Windows 7 32 bits with Cisco Client.
  On my side when i get disconnected there is 2 problem i see (it will happen to the windows person too)
  1) When i'm working on servers sometimes i won't be able to click anywhere and i see that my connection is still on, so i need to close it manually wait 2 minutes then reconnect.
  2) When i check my VPN connection it simply disconnected alone.
  Thanks for possible solutions.   (also the windows client had another PC Before and she said it never disconnected, but it started on new PC)  (Before she was on WinXP)
  Thanks

  Hi i'm sorry if it's vague, but i'm coming here without any  config simply because i don't have access.
  At work we have 1 Cisco ASA5505 which is used for IPSEC VPN only.
  We have 4-5 users that work 100% from the VPN (8h per day 40h per week)
  The problem we have will be the disconnection.
  We have 1 user that will never never never have the problem (he can stay log all 8h if he wants to)
  The 2nd user can get disconnected, but mostly if the VPN stays on for too long without any action.
  Me and the other user can get frequent Disconnection in a day, but  it's all random (1 days i can get disconnected 0 times and the next day 3 times)
  I am using Mac OS 10.7 (just like the one that never gets disconnected and the one that gets disconnected randomly)
  The other person who gets disconnected alot is on Windows 7 32 bits with Cisco Client.
  On my side when i get disconnected there is 2 problem i see (it will happen to the windows person too)
  1) When i'm working on servers sometimes i won't be able to click anywhere and i see that my connection is still on, so i need to close it manually wait 2 minutes then reconnect.
  2) When i check my VPN connection it simply disconnected alone.
  Thanks for possible solutions.   (also the windows client had another PC Before and she said it never disconnected, but it started on new PC)  (Before she was on WinXP)
  Thanks

• HT5590 Use caching server with multiple public Addresses?

  According to the Apple documentation, to use the caching server, all clients need to share the same public address via nat. On my network with many macs, this would appear to make the caching service useless, as we have multiple public addresses to which our clients are nat'ed (a full class C, to be exact). Is there anyway around this restriction, or am I simply going to be unable to use what looks like it would be a highly usefull service?

  Yes, the multiple internal/private subnets mapping to a single public IP is very common in the education/enterprise arena. It is the basic hub-spoke topology:
  where all spokes connect to needed resources at the hub, and only the hub is connected to the Internet. In the case of K-12 education, we need to run a content filter (by Federal rules) on student Internet connectivity. The most efficient way to do that is to locate the filter (along with other servers and resources) at the hub and then route all Internet traffic through the hub. Each spoke (and the hub) is a different internal/private network subnet ... 10.65.x.x, 10.66.x.x, etc. In my case I have 3M from each spoke to the hub, and then 45M from the hub to the Internet.
  In the "old" days ... pre 10.8 ... we had (and still have for some of our oler 10.4 computers) a software update server at each spoke, and computers at each spoke were configured (with the Apple software update script) to get their updates from the update server at their spoke ... iApps as well as OS apps. This worked perfectly!
  Now that Apple, in their Orwellian attempt to monitor and control iApps, has introduced this "either-or" attitude about using a local update server OR caching server  (but not giving you the option to get iApps from the local update server) they have really hurt schools like mine. Without being able to serve all updates locally on each spoke, updating becomes impossible when you are tryiing to udpate a lab full of computers, and the iApp alone is 1.2G for EACH computer ...and now it must come from the Internet since the caching server is 'broken.'
  I currently have case open with Apple Enterprise Support, and will now also get my K-12 Apple Support Tech invloved. I will share this info with them. Perhaps there is some solution that I do not know about, or perhaps there will be a solution created by Apple for situations like mine. I can't see being the only one with this problem, I just think that I may be one of the first to notice it due to my limiited bandwith situation.
  Thanks for your insight. Your original post got me thinking and enabled me to identify what *I* feel is the problem. I will keep this thread updated.
  M:>

• Open NAT problems with Xbox One .

  When I first got my 1900ac I used Media Priortization to get an open NAT for Call of Duty Advanced Warfare on my Xbox One ; prioritizing the Xbox . It worked fine for about 6 months until I changed cable/net provider to Nextech in Ks. This company uses the 1900ac to hook up it's system for all it's customers ( since I already had one they're using mine ). Unfortunately I'm unable to get an open NAT in this game anymore ; I've tried just about everything , NAT forwarding , triggering , Media Prioritization . Nextech support & Xbox Live support , useless . Tried Portforward . com , nothing . Forwarding port 53 cuts off net connection & doing the static ip change for Xbox didn't help . Almost everything I've looked at seems out of date & I'm at my wits end . It would seem by now Linksys should have solutions available , any ideas ?

  Thank you chin_pamz13 for your response . I tried to check if my modem had a public or private ip address but I'm not sure how to do that ; I've read about double NAT's elsewhere . Regardless , I think I've finally found a solution that seems to be working so far . I went to the website " tech - recipes . com " & found an article , " Xbox One open NAT " by Aaron St. Clair . I tried his first suggestion about port triggering , with extra ports I had'nt seen before . That did not work for me so I followed his instructions for putting the Xbox in the DMZ & it's working ! I think my problems from before were the result of improperly setting up the static ip address for my router & Xbox . Previous instructions had me changing the ip in the console along with the router ; Aaron said not to do so in the Xbox , let the router do the work it's supposed to do & make sure the settings in the console are on automatic . In the router at the DMZ , I was'nt sure how to proceed , but at the bottom is a section labeled DHCP reservations list ; clicked on that , saw XboxOne , clicked on that & it filled out the MAC address above for me . Then I went to the Xbox network settings , advanced settings & clicked " automatic " at ip address , subnet & DNS . I checked mutiplayer connections & did the " hold bumper & trigger buttons " trick & finally got an open NAT ; fired up CoD Advanced Warfare & got the open NAT there also . I may have screwed up when I did the port triggering but since the DMZ fix seems to work I'm going to leave things alone . Hope this helps others with open NAT problems .

• Cisco Aironet 1300 Series wireless birdge problem

  Hi,
  first one, i'm sorry for my english.
  I have a very big problem with the bridge. I can't configure the nonRoot bridge. It's not possible for me to turn on the radio. The software and hardware are always disable...
  The SSID management is configured with the same SSID.
  For the test, there isn't encryption.
  thanks a lot for your help
  G.Vincent

  Hi,
  Thank you for your answer.
  The root birdge is a 1310G-E-K9-R
  Tne non root bridge is a 1310G-E-K9-R
  To configure the bridge, I have followed the cisco documentation.
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008058f53e.shtml
  The root configuration:
  version 12.4
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname ap
  aaa new-model
  aaa authentication login default local
  aaa authorization exec default local
  aaa session-id common
  dot11 activity-timeout bridge default 1
  dot11 ssid martinshotels
  guest-mode
  infrastructure-ssid
  username Cisco password xxx
  username administrator privilege 15 password xxx
  bridge irb
  interface Dot11Radio0
  no ip address
  no ip route-cache
  ssid martinshotels
  station-role root bridge
  distance 1
  bridge-group 1
  bridge-group 1 spanning-disabled
  interface FastEthernet0
  no ip address
  no ip route-cache
  bridge-group 1
  bridge-group 1 spanning-disabled
  interface BVI1
  ip address 192.168.0.250 255.255.255.0
  no ip route-cache
  ip http server
  ip http authentication aaa
  no ip http secure-server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
  bridge 1 route ip
  line con 0
  line vty 0 4
  end
  The non root configuration :
  version 12.4
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname apNonRoot
  aaa new-model
  aaa authentication login default local
  aaa authorization exec default local
  aaa session-id common
  dot11 activity-timeout bridge default 1
  dot11 ssid martinshotels
  guest-mode
  infrastructure-ssid
  username Cisco password xxx
  username administrator privilege 15 password xxx
  bridge irb
  interface Dot11Radio0
  no ip address
  no ip route-cache
  ssid martinshotels
  station-role non-root bridge
  mobile station scan 2417
  bridge-group 1
  bridge-group 1 spanning-disabled
  interface FastEthernet0
  no ip address
  no ip route-cache
  bridge-group 1
  bridge-group 1 spanning-disabled
  interface BVI1
  ip address 192.168.0.251 255.255.255.0
  no ip route-cache
  ip http server
  ip http authentication aaa
  no ip http secure-server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
  bridge 1 route ip
  line con 0
  line vty 0 4
  end
  Thanks a lot for your help

• Xbox360 WRT54GS ver. 6 NAT problems

  my xbox 360's NAT is set to strict and prevens me from connecting with a lot of otehr players and my wireless router is a WRT54GS ver. 6

  for xbox 360 having NAT problem... you need to call Xbox to ask for the port numbers to open...now if your isp is dsl then call them up and set the modem to bridge to set the rtr to pppoe...in this way we will be able eliminate the multiple NAT issues and for your xbox to work...
  CamZ

• VLAN on SRW2024 and Cisco ASA5505

  Hello All,
  Here is my current situtation:
  3 SRW2024s in one building and a Cisco ASA5505 to the Internet
  SRW2024 #1 and #2 are in the same room with one port each connected directly to the ASA. No VLANs setup at all.
  SRW2024 #3 is in another room with a direct connection to SRW2024 #1. Again no VLANs at all.
  So at this time all internal equipment has Internet access through the ASA. Nothing fancy there except NATing from external IPs to the internal IPs.
  This is what I am looking for:
  SRW2024 #3 is in a different room and will be what all the server equipment is connected to, so I would like a VLAN solely for that, so that the computer VLAN can talk back and forth to it. And also allow Internet access through the Internet VLAN
  SRW2024 #1 is almost completely full with Computers and VoIP phones
  SRW2024 #2 has plenty of free space, so what I wanted to create was a VLAN containing the first 4 ports that will be my Internet VLAN (this will be my connection to the Internet (port1), my VoIP PBX that needs direct Internet access (since I have failed multiple times to get it to work behind the ASA) (port2), and the outside interface of the ASA (port3). Then have the inside interface of the  ASA connected directly to the Computer VLAN so that all my computers (on the Computer VLAN)will be able to get Internet access and the ASA will do proper NATing to my e-mail server and a couple of other internal servers (on the Server VLAN).
  So how do I set this up properly in the SRW2024 and do I have to get the ASA involved in any capacity beyond the firewall/gateway functionality I am currently using now?

  1. Create you desired VLAN on the SRW2024. The default VLAN on the SRW2024 is VLAN 1, meaning this is the untagged VLAN. Configure a trunk port that connects SRW2024 #1 and SRW2024 #3, another trunk port that connects the ASA--- SRW2024 #1 and ASA --SRW2024#2. Make sure that all the trunk ports are member of all the VLANS that you have created on all the switch.
  2. Create VLANS on the Cisco ASA and create a trunk port that connects it to both the SRW2024#1 and SRW2024#2. You will also have to create a sub interface on the ASA that will router internet traffic between VLAN's.
  Note:if the ASA router has different default VLAN or native VLAN as the SRW2024 which is VLAN 1, you will have to set all the trunk ports on all the SRW2024 to general and indicate the VLAN ID that the ASA is using.

• ASA5512 iOS 9.3 inside nat problem

  Hi,
  I face some nat problem. i have ASA5512 iOS 9.3 its connect outside (ip: 37.10.1.2/29) for internet and inside (ip 10.78.61.1/24) for LAN and server.
  I configure dynamic nat for internet its work. In LAN switch has 4 VLAN one server VLAN ip add 10.88.61.0/24.
  Now i map a public ip 37.10.1.3 for server 10.88.61.10 from outside internet its work. But when i try to ping server public ip 37.10.1.3 from LAN its not ping but server local ip 10.88.61.10 ping from LAN.
  How can solve the issue i need to ping public ip from LAN. ALL LAN VLAN are nat on ASA outside interface (ip: 37.10.1.2/29).
  interface GigabitEthernet0/0
   description #### Connect TO Internet ####
   nameif outside
   security-level 0
   ip address 37.10.1.2 255.255.255.248 
  interface GigabitEthernet0/1
   description #### Connect TO Core Switch ####
   nameif inside
   security-level 100
   ip address 10.78.61.1 255.255.255.0
  access-list outside-in extended permit ip any any
  access-group outside-in in interface outside
  access-group outside-in in interface inside
  object network obj_any
   subnet 0.0.0.0 0.0.0.0
  object network obj_Ser
   host 10.88.61.10
  object network obj_Ser_WAN
   host 37.10.1.3
  nat (inside,outside) source static obj_Ser obj_Ser_WAN
  object network obj_any
   nat (inside,outside) dynamic 37.10.1.4 
  same-security-traffic permit intra-interface
  Thanks
  Afzal

  Hi,
  Try this NAT:-
  nat (inside,inside) source static obj_Ser obj_Ser_WAN
  Thanks and Regards,
  Vibhor Amrodia

• Windows 2008 Server contacting multiple public IP on port 80 and 443

  Windows 2008 Server contacting multiple public IP on port 80 and 443
  Source : Microsoft Lync 2010
  Port : 80
  Destination : unknown.prolexic.com
  Source : Internet Explorer
  Port : 80
  Destination :a-0001.a-msedge.net
  Source : Internet Explorer
  Port : 443
  Destination :204.79.197.200
  Is this virus? how to stop the same?

  Org name of the IP shows Microsoft Corporation
  Since its hits on firewall , i will have to stop the same 
  but not sure for what its being contacted to these Ips
  OrgName:        Microsoft Corporation

• Cisco agent desktop has encountered a problem and needs to close error

  A Remote Hotline user is experiencing crashes with her desktop agent.  After logging into the program it generated the error message "The Cisco Agent Desktop has encountered a problem and needs to close"
  I have removed the agent from add remove programs, re installed it and attempted to run it logged in as an admin and using both mine and the user's agent credentials and the program still crashes.
  Agent desktop ver 5.0 Build 6.4.2.12  Windows XP 
  Any ideas?
  Regardes, Chet

  Thanks for the reply, this is what I did to resolve it:
  Fix:
  Uninstalled Desktop agent from add remove programs
  Re installed program
  Do a complete restart or the prog will continue to crash
  Test program by logging in with user’s credentials

• Encrypt/Decrypt data, multiple public keys using Bouncy castle api?

  Hi all.
  I need to implement encrypt/decrypt functionality of some data with many public keys using bouncy castle api and EnvelopedData class in java 1.4 SE.
  Could someone give me examples how to do it. I searched whole the internet and i could not find simple example.

  Hi thanks very much.
  I had a quick look at the examples. I will see if they could help me.
  Here is more specific what i want:
  Encrypt data with multiple public keys that are kept in .pkcs12 file.
  And decrypt the data using coresponding private key after that.
  I must use bouncy castle api for java 1.4 se.
  Best regards
  Edited by: menchev on Nov 13, 2008 8:26 AM

• Will multiple Lan cards cause problems using rmi?

  Will multiple Lan cards cause problems using rmi? If a host has two or more network cards (only one of which is Internet-enabled), how does RMI know which IP address to use? There seems to be a problem when such a client registers with an RMI service, and has a client-side callback method invoked by the server.

  You can tell RMI the address you want by defining java.rmi.server.hostname at the JVM which exports the remote object.

• Azureus Nat problem

  Hey
  I am running a 17 inch imac and experiencing some trouble with my bittorrent client Azureus.
  I simply never get the green smiley face. I read the wipi-help from Azureus and confirmed by using their instructions that I do have a NAT problem. I have no firewall running. I did continue reading the explanation in the Wiki but it seems to be PC oriented. Can anybody give me some good info to fix this problem?
  By the way will my downloads be faster when I do use a correctly configured NAT?
  Samuel
  PS I am not using a router just a ADSL Modem

  I had the same problem but turned off my firewall, opened the port 59981, turned my firewall back on & it worked straightaway, my d/l speed shot up frpom 20kb to 280kb. My only problem now is that when I am running azereus my internet connection sometimes drops and the only way round it seems to be turning off my mac & cable modem and rebooting. I'm on Telewest Blueyonder cable with a webstar cable modem and it only happens when I'm using Azereus.
  Very frustrating!!