DNSSEC in combination with hostname-based site-to-site VPN

Hi Friends,
We are currently using a Cisco 887VA-K8-SEC to connect to a Cisco ASA 55XX.
This is based on resolving a hostname, for example: myvpnentry.mydomain.nl
It all works fine. But I want to add DNSSEC verification on the Cisco 887VA to
make sure the VPN hostname resolves to a valid IP.
I have looked through many CLI guides but couldn't find DNSSEC.
Can someone tell me if this is at all possible on a Cisco 887VA or any other
Cisco router?
Thanks.
Patrick.


Similar Messages

  • Issue with frames-based sites in Sf-3(L); Looking for confirmation

    Is anyone else having issues with Safari 3 (Leopard) and frames-based sites? Specifically, frame sizes not being obeyed?
    For example, phpMyAdmin's left Navi frame is, in most themes, supposed to be about 180px wide; if need be, the frame is coded to show scrollbars (again, in all the themes I've used so far anyway).
    However, Safari 3.0.4 on Leopard apparently ignores this and resizes the left Navi frame to an unusably narrow width (for reasons unknown - it's not that the right frame is especially full or anything), with no scroll bars either! However, the very same phpMyAdmin site works fine in Firefox 2, where frame widths show up exactly as they are supposed to.
    Is anyone else having or can duplicate this issue?

    I've been having this problem for months, Safari 3 beta and now Safari 3 on Tiger as well as Leopard.

  • Web host with Safari-based site builder?

    My current website host (XO) has "lost" my site and has decided to phase out its Site Builder, which I could use with Safari, in favor of its new Web Builder, which is only accessible with IE 6. As most of you know, there is no IE 6 available for Mac and MS has stopped supporting ANY IE for Mac. I don't know HTML and am not really interested in learning it. Does anyone know of a good, reliable web host with an easy site building program that is Safari-able?
    Thanks!
    Liz

    I found a great one after searching for months. It's called macwebsitebuilder.com and it has everything! Easy to use and tons of features.

  • Problem with script based site creation

    I created a simple bash script that would create the folder structures and, more importantly, the http-conf files for the given sites. However, while the script works... and all seems well... in a short time, the server will place all conf files into a "sites-previous-unusable" folder.
    Here is the other confusing part. Everything was working late last week, but when I got back to the servers from a long weekend... server.app could not tell that apache was running. After a few re-openings of server.app, eventually it started failing on being able to read the server config.
    If anyone could help... please... any input or suggestions would be greatly appreciated.
    Recap of issues we are seeing:
    Apache begins to ignore all virtuals, and routes all to the default directory (/var/empty)
    All conf files get moved to a "sites-previous-unusable" directory in /etc/apache2
    What we are trying to do...
    We are trying to automate the process of creating folder and domain/subdomain structures for the design and development of our client sites (see the script below). Given that we have hundreds of sites, an automated process is very much needed, as server.app is a horrible interface for anything more than 5.
    -Michael
    #!/bin/bash
    # =======================
    # Siteup Script 1.0
    # Released:
    # =======================
    # =======================
    # The script can only be run
    # under root level privileges
    # =======================
    ROOT_UID=0     # Only users with $UID 0 have root privileges.
    E_NOTROOT=67   # Non-root exit error.
    if [ "$UID" -ne "$ROOT_UID" ]
    then
      echo "Must be root to run this script."
      exit $E_NOTROOT
    fi
    # =======================
    #          set functions
    # =======================
    # =======================
    # function: make_index
    # Description: print a placeholder index.html for the current site
    # (uses DNAME, ROOTDIR and FPATH, which are set in the main loop below)
    # =======================
    function make_index {
    cat <<- _EOF_
    	<!doctype html>
    	<html>
    	    <head>
    	        <title>Placeholder For: $DNAME</title>
    	        <meta charset="utf-8" />
    	    </head>
    	    <body>
    	    <header>
    	        <h1>Placeholder</h1>
    	    </header>
    	    <content>
    	        <div>Client Domain: $DNAME</div>
    	        <div>File Location: $ROOTDIR/$FPATH</div>
    	    </content>
    	    <footer>
    	        <div>Copyleft 2010 - Our Company</div>
    	    </footer>
    	    </body>
    	</html>
    _EOF_
    }
    # =======================
    # function: make_vhost
    # Description: print the Apache virtual host config for the current site
    # (uses SITE, PNAME, FNAME, DNAME, FPATH and PLOGS from the main loop below)
    # =======================
    function make_vhost {
    cat <<- _EOF_
    <VirtualHost 192.168.23.13:80>
        ServerAdmin [email protected]
        ServerName $SITE
        Alias /apache-resources "/etc/apache2/resources"
        DirectoryIndex index.html index.htm index.php
        DocumentRoot $PNAME/$FNAME/$DNAME/$FPATH
        <Directory $PNAME/$FNAME/$DNAME/$FPATH>
            AllowOverride All
            Order allow,deny
            Allow from all
            # Tell Apache to add theme support to autoindex
            <IfModule mod_autoindex.c>
                Options Indexes FollowSymLinks MultiViews
                IndexOptions +FancyIndexing
                IndexOptions +VersionSort
                IndexOptions +HTMLTable
                IndexOptions +FoldersFirst
                IndexOptions +IconsAreLinks
                IndexOptions +IgnoreCase
                IndexOptions +SuppressRules
                IndexOptions +SuppressDescription
                IndexOptions +SuppressHTMLPreamble
                IndexOptions +XHTML
                IndexOptions +IconWidth=16
                IndexOptions +IconHeight=16
                IndexOptions +NameWidth=*
                IndexOrderDefault Descending Name
                IndexStyleSheet /apache-resources/css/autoindex.css
                HeaderName /apache-resources/include/header.html
                ReadmeName /apache-resources/include/footer.html
                IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
            </IfModule>
        </Directory>
        ErrorLog   $PLOGS/$FNAME/$DNAME/error_log
        CustomLog  $PLOGS/$FNAME/$DNAME/access_log combined
    </VirtualHost>
    _EOF_
    }
    # =======================
    #               header
    # =======================
    clear
    # =======================
    # set domain name variable
    # =======================
    # echo "==> Enter new domain name (domain.com): " ; read FQDN
    read -p "==> Enter new domain name (domain.com): " FQDN
    # =======================
    # set support variables
    # =======================
    HOSTNAME=$(echo "$FQDN" | awk -F. '{ print $1 }')
    DOMAIN=$(echo "$FQDN" | awk -F. '{$1="";OFS="." ; print $0}' | sed 's/^.//')
    DNAME=$FQDN
    # first letter of the domain with its case swapped; used as the bucket directory
    FNAME=$(echo "${FQDN:0:1}" | tr 'a-zA-Z' 'A-Za-z')
    PNAME="/Users/Shared/ClientDomains"
    PLOGS="/var/log/apache2"
    ROOTDIR="$PNAME/$FNAME/$DNAME"
    # =======================
    # create needed directories
    # =======================
    mkdir -vp "$ROOTDIR/archive" && chmod 0777 "$ROOTDIR/archive"
    mkdir -vp "$ROOTDIR/digital-assets"
    mkdir -vp "$ROOTDIR/digital-assets/design" && chmod 0777 "$ROOTDIR/digital-assets/design"
    mkdir -vp "$ROOTDIR/digital-assets/images" && chmod 0777 "$ROOTDIR/digital-assets/images"
    mkdir -vp "$ROOTDIR/instances"
    mkdir -vp "$ROOTDIR/staging"
    mkdir -vp "$ROOTDIR/production"
    mkdir -vp "$ROOTDIR/templates"
    mkdir -vp "$ROOTDIR/subdomains"
    mkdir -vp "$ROOTDIR/subdomains/emailers"
    mkdir -vp "$ROOTDIR/subdomains/landingpages"
    mkdir -vp "$ROOTDIR/subdomains/sweepstakes"
    mkdir -vp "$PLOGS/$FNAME/$DNAME"
    touch "$PLOGS/$FNAME/$DNAME/access_log"
    touch "$PLOGS/$FNAME/$DNAME/error_log"
    # subdomain label and the directory it is served from, index for index
    SDOMAIN=( "production" "staging" "templates" "emailers" "landing" "sweepstakes" )
    SPATHS=( "production" "staging" "templates" "subdomains/emailers" "subdomains/landingpages" "subdomains/sweepstakes" )
    ASIZE=${#SDOMAIN[@]}   # number of elements, not the length of the first one
    for ((i=0;i<ASIZE;i++)); do
        if [ -z "${SDOMAIN[$i]}" ]
        then
            continue
        else
            SITE="${SDOMAIN[$i]}.$HOSTNAME.ourcompany.com"
            FPATH=${SPATHS[$i]}
            # =======================
            # build index.html file
            # =======================
            # We actually only want this for the first 3
            if [ "$i" -lt 3 ]
            then
                make_index > "$ROOTDIR/$FPATH/index.html"
            fi
            # =======================
            # build vhost config file
            # =======================
            ACONF="0000_192.168.23.13_80_$SITE.conf"
            make_vhost > "/etc/apache2/sites/$ACONF"
        fi
    done
    # =======================
    #    exit
    # =======================
    apachectl restart
    exit

    I was just doing the same thing, although I realize this post is getting old.
    I did it by using:
    strRegEnv   = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\SAPLOGON_INI_FILE"
    NwEngine.Shell.SetRegValue strRegEnv, "REG_SZ", "(FILE LOCATION)"
    I placed that at the "On end Install" and "On end Update" level.
    If the reg value is not already present, it will be created.
    If the reg value does exist, it is replaced.
    Hope that helps.

  • Site-to-Site VPN with Sophos Software-Based UTM

    I'm looking to build out a cloud environment with a vendor, and need a site-to-site VPN to be established between the vendor's environment and my environment. Since I am using a Cisco ASA 5510, they have suggested the use of the software-based Sophos UTM firewall on their end to establish the tunnel.
    Has anyone had any experience with configuring VPN tunnels between Sophos and Cisco firewalls? If so, what are your experiences? Any drawbacks or shortcomings?

    Go over these links; the best way is to do it through the CLI, as it is easier to understand the implementation flow.
    PIX to PIX Static Dynamic (L2L VPN)
    http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml
    Router to Router IPsec Static and Dynamic
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093f86.shtml
    You may want to also hit this link for IPsec basics, to understand the standard and the syntax of an IPsec implementation and what each command does; it comes in handy when doing IPsec through the CLI.
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094203.shtml

  • How to combine with JSP??

    I am a newbie to Flex 2.
    I am confused about how I can combine it with JSP to send and
    retrieve data with MySQL.
    I have seen some examples that just make a link with JSP
    which is printed to XML format for data extraction.
    But how to insert and retrieve data dynamically?
    Some people say that it can directly be programmed as MXML in .jsp
    by importing the MXML tag library, and finally compiled on the web
    server. But then what is the reason I have to buy Flex Builder?
    Is there any way I can program with JSP in Flex 2?
    I am sorry for my poor English.
    Any help will be highly appreciated.

    Eran,
    Can you elaborate on what you're looking for?
    UCM comes with a number of sample custom element forms. These forms are leveraged within a pretty strict context of the site studio contributor. The primary api is javascript based.
    I don't believe you would be restricted on the types of custom element forms you can create if you're implementing into a jsp/x site. I believe the issue is mostly dependent on how you're calling the SS contributor.
    -ryan

  • Setting up site to site vpn with cisco asa 5505

    I have a Cisco ASA 5505 that needs to be set up for site-to-site VPN to a Cisco ASA 5500. The 5505 is the remote office and the 5500 is the main office.
    IP of the remote office router is 71.37.178.142
    IP of the main office firewall is 209.117.141.82
    Can someone tell me if my config is correct? This is the first time I am setting this up and it cannot be tested until I set it up at the remote office. I would rather know it's correct before I go.
    ciscoasa# show run
    : Saved
    ASA Version 7.2(4)
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password TMACBloMlcBsq1kp encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host 209.117.141.82
    access-list inside_nat0_outbound extended permit ip host 71.37.178.142 host 209.117.141.82
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group5
    crypto map outside_map 1 set peer 209.117.141.82
    crypto map outside_map 1 set transform-set ESP-AES-256-SHA
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn username [email protected] password ********* store-local
    dhcpd auto_config outside
    dhcpd address 192.168.1.2-192.168.1.129 inside
    dhcpd enable inside
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:7e338fb2bf32a9ceb89560b314a5ef6c
    : end
    ciscoasa#
    Thanks!

    Hi Mandy,
    By using the following access list you define the peer IPs as source and destination:
    access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
    You are not defining the interesting traffic / subnets from both ends.
    Make a numbered ACL 101 if you like, as then you do not have to write the extended keyword, or else a named ACL will also work:
    access-list outside_1_cryptomap extended permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
    access-list 101 remark CCP_ACL Category=4
    access-list 101 remark IPSEC Rule
    ! 1. Source subnet (called the local encryption domain) at your end: 192.168.200.0
    ! 2. Destination subnet (called the remote encryption domain) at the other end: 192.168.100.0
    ! 3. I mean you have to define which subnets behind these firewalls need to communicate with each other
    ! 4. Local subnets behind the main office firewall IP 209.117.141.82, say at your end 192.168.200.0
    ! 5. Remote subnets behind the remote office router IP 71.37.178.142, say at the other end 192.168.100.0
    Please use the basic steps as follows:
    A. Configuration in your MAIN office having IP = 209.117.141.82 (follow steps 1 to 6)
    Step 1.
    Define the crypto ACL / mirror ACL for the other end (change source to destination and destination to source in the other side router or VPN device; that's why they are called mirror ACLs, or also Proxy IDs or Proxy ACLs: your interesting traffic, that you want to encrypt / travel / enter the tunnel)
    access-list outside_1_cryptomap extended permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
    Step 2.
    Configure the ISAKMP policy; a minimum of 4 parameters are to be configured:
    crypto isakmp policy 10
    authentication pre-share  ---> 1st parameter, setting the authentication type of the ISAKMP policy, is OK
    encryption aes-256   ---> 2nd parameter of the ISAKMP policy is OK
    hash sha   ---> 3rd parameter of the ISAKMP policy is OK
    group 5  ---> 4th parameter of the ISAKMP policy is OK
    lifetime 86400  ------> this 5th parameter is optional; it will negotiate to the lesser value at either end, or by default it will be taken as 86400
    Step 3.
    Define the pre-shared key or PKI which you will use with the other side peer address 71.37.178.142; key type 0 is plain text (anyone can see it over the internet), or use key type 6 for an encrypted key. Say your password is CISCO123.
    Here in your case, in step 2 authentication is using PSK, but it looks like you have not defined the password.
    Use the following command:
    crypto isakmp key 0 CISCO123 address 71.37.178.142
    or, but not both:
    crypto isakmp key 6 CISCO123 address 71.37.178.142
    Step 4.
    Define the transform set, which will be used for the phase 2 tunnel parameters; if you use ESP it can have two sets, one for encryption and the other for authentication.
    Here is yours:
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    This is correct, but give it a name that is easier to remember / distinguish as a transform set, like TSET1 instead of ESP-AES-256-SHA; try the following (here you are using ESP, so for encryption we use the first set as esp-des and for authentication we use the second set esp-sha-hmac):
    crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
    or
    crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
    Suppose you are using only AH: then, as AH does not support encryption or confidentiality, it always uses only one set, not 2 sets like ESP (remember the difference), say for example only one set for auth but no set for encryption. Hence AH has no such sets as ah-des or ah-3des or ah-aes; it has only the second set for authentication, like
    ah-sha-hmac or ah-md5-hmac
    crypto ipsec transform-set TSET1 ah-sha-hmac
    or
    crypto ipsec transform-set TSET1 ah-md5-hmac
    Step 5.
    Now configure the crypto MAP as follows. Only one CMAP can be applied to the OUTSIDE interface, as the VPN tunnel is always applied for traffic from inside subnets to outside subnets, and only one crypto map can be applied to the OUTSIDE interface; hence for several VPN peers from different vendors we use seq no 10, 20, 30 for different tunnels in one single CMAP:
    crypto map ipsec-isakmp
    1. Define peer -- called WHO to set the tunnel with
    2. Define or call WHICH transform set
    3. Define WHAT to call interesting traffic, defined in your ACL or Proxy ID or Proxy ACL in step 1, using match address
    Like in your case it is, but the ipsec-isakmp keyword is missing at the last:
    crypto map outside_map 10 ipsec-isakmp
    1. set peer 209.117.141.82  -----> is correct, as this is your other side peer, called WHO in my step
    2. set transform-set TSET1  -----> is correct, as this is WHICH, and only one transform set can be called
    !..In your case it is correct
    !...set transform-set ESP-AES-256-SHA (also correct)
    3. match address outside_1_cryptomap  ----> name of the extended ACL, defined as WHAT to pass through this tunnel
    4. set pfs group5 (this is optional, but if configured at one end the same has to be configured at the other side peer as well)
    Step 6.
    Now apply this one crypto MAP to your OUTSIDE interface, always:
    interface outside
    crypto map outside_map
    Configure the same on the other end, but just change the ACL in step one by reversing source and destination,
    and also set the peer IP of this router on the other end.
    So the other side config should look as follows:
    B. Configuration in your Remote PEER having IP = 71.37.178.142 (follow steps 7 to 12)
    Step 7.
    Define the crypto ACL / mirror ACL for the other end (change source to destination and destination to source in the other side router or VPN device; that's why they are called mirror ACLs, or also Proxy IDs or Proxy ACLs: your interesting traffic, that you want to encrypt / travel / enter the tunnel)
    access-list outside_1_cryptomap extended permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
    Step 8.
    Configure the ISAKMP policy; a minimum of 4 parameters are to be configured:
    crypto isakmp policy 10
    authentication pre-share  ---> 1st parameter, setting the authentication type of the ISAKMP policy, is OK
    encryption aes-256   ---> 2nd parameter of the ISAKMP policy is OK
    hash sha   ---> 3rd parameter of the ISAKMP policy is OK
    group 5  ---> 4th parameter of the ISAKMP policy is OK
    lifetime 86400  ------> this 5th parameter is optional; it will negotiate to the lesser value at either end, or by default it will be taken as 86400
    Step 9.
    Define the pre-shared key or PKI which you will use with the other side peer address; key type 0 is plain text (anyone can see it over the internet), or use key type 6 for an encrypted key. Say your password is CISCO123.
    Here in your case, in step 8 authentication is using PSK, but it looks like you have not defined the password.
    Use the following command:
    crypto isakmp key 0 CISCO123 address 209.117.141.82
    or, but not both:
    crypto isakmp key 6 CISCO123 address 209.117.141.82
    Step 10.
    Define the transform set, which will be used for the phase 2 tunnel parameters; if you use ESP it can have two sets, one for encryption and the other for authentication.
    Here is yours:
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    This is correct, but give it a name that is easier to remember / distinguish as a transform set, like TSET1 instead of ESP-AES-256-SHA; try the following (here you are using ESP, so for encryption we use the first set as esp-des and for authentication we use the second set esp-sha-hmac):
    crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
    or
    crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
    Suppose you are using only AH: then, as AH does not support encryption or confidentiality, it always uses only one set, not 2 sets like ESP (remember the difference), say for example only one set for auth but no set for encryption. Hence AH has no such sets as ah-des or ah-3des or ah-aes; it has only the second set for authentication, like
    ah-sha-hmac or ah-md5-hmac
    crypto ipsec transform-set TSET1 ah-sha-hmac
    or
    crypto ipsec transform-set TSET1 ah-md5-hmac
    Step 11.
    Now configure the crypto MAP as follows. Only one CMAP can be applied to the OUTSIDE interface, as the VPN tunnel is always applied for traffic from inside subnets to outside subnets, and only one crypto map can be applied to the OUTSIDE interface; hence for several VPN peers from different vendors we use seq no 10, 20, 30 for different tunnels in one single CMAP:
    crypto map ipsec-isakmp
    1. Define peer -- called WHO to set the tunnel with
    2. Define or call WHICH transform set; only one is permissible
    3. Define WHAT to call interesting traffic, defined in your ACL or Proxy ID or Proxy ACL in step 1, using match address
    Like in your case it is, but the ipsec-isakmp keyword is missing at the last:
    crypto map outside_map 10 ipsec-isakmp
    1. set peer 209.117.141.82  -----> is correct, as this is your other side peer, called WHO in my step
    2. set transform-set TSET1  -----> is correct, as this is WHICH, and only one transform set can be called
    !..In your case it is correct
    !...set transform-set ESP-AES-256-SHA (also correct)
    3. match address outside_1_cryptomap  ----> name of the extended ACL, defined as WHAT to pass through this tunnel
    4. set pfs group5 (this is optional, but if configured at one end the same has to be configured at the other side peer as well)
    Step 12.
    Now apply this one crypto MAP to your OUTSIDE interface, always:
    interface outside
    crypto map outside_map
    Now initiate a ping.
    Here is a summary for you:
    IPsec: Site to Site - Routers
    Configuration Steps
    Phase 1
    Step 1: Configure Mirrored ACL/Crypto ACL for Interesting Traffic
    Step 2: Configure ISAKMP Policy
    Step 3: Configure ISAKMP Key
    Phase 2
    Step 4: Configure Transform Set
    Step 5: Configure Crypto Map
    Step 6: Apply Crypto Map to an Interface
    To debug Phase 1 and Phase 2, store it in the buffer without displaying logs on the terminal:
    Router#debug crypto isakmp
    Router#debug crypto ipsec
    Router(config)# logging buffer 7
    Router(config)# logging buffer 99999
    Router(config)# logging console 6
    Router# clear logging
    Configuration
    In R1:
    (config)# access-list 101 permit ip host 10.1.1.1 host 10.1.2.1
    (config)# crypto isakmp policy 10
    (config-policy)# encryption 3des
    (config-policy)# authentication pre-share
    (config-policy)# group 2
    (config-policy)# hash sha1
    (config)# crypto isakmp key 0 cisco address 2.2.2.1
    (config)# crypto ipsec transform-set TSET esp-3des esp-sha-hmac
    (config)# crypto map CMAP 10 ipsec-isakmp
    (config-crypto-map)# set peer 2.2.2.1
    (config-crypto-map)# match address 101
    (config-crypto-map)# set transform-set TSET
    (config)# int f0/0
    (config-if)# crypto map CMAP
    Similarly in R2.
    Verification Commands
    #show crypto isakmp SA
    #show crypto ipsec SA
    To change to transport mode, add the following command in Step 4:
    (config-transform-set)# mode transport
    Even after doing this change, the IPsec negotiation will still be done through tunnel mode if pinged from loopback to loopback. To overcome this we make changes to the ACL.
    To change to aggressive mode, replace the Step 3 command with these commands in R1:
    (config)# crypto isakmp peer address 2.2.2.1
    (config-peer)# set aggressive-mode password cisco
    (config-peer)# set aggressive-mode client-endpoint ipv4-address 2.2.2.1
    Similarly on R2.
    The process below is for the negotiation using RSA-SIG (PKI) as the authentication type.
    Debug Process:
    After we debug, we can see the negotiation between the two peers. The first packet of the interesting traffic triggers the ISAKMP (Phase 1) negotiation. Important messages are marked in BOLD and the explanation in RED.
    R2(config)#do ping 10.1.1.1 so lo0 // Interesting Traffic
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
    Packet sent with a source address of 2.2.2.2
    Mar  2 16:18:42.939: ISAKMP:(0): SA request profile is (NULL) //  Router tried to find any IPSec SA matching the outgoing connection but  no valid SA has been found in Security Association Database (SADB)
    Mar  2 16:18:42.939: ISAKMP: Created a peer struct for 20.1.1.10, peer port 500
    Mar  2 16:18:42.939: ISAKMP: New peer created peer = 0x46519678 peer_handle = 0x8000000D
    Mar  2 16:18:42.939: ISAKMP: Locking peer struct 0x46519678, refcount 1 for isakmp_initiator
    Mar  2 16:18:42.939: ISAKMP: local port 500, remote port 500
    Mar  2 16:18:42.939: ISAKMP: set new node 0 to QM_IDLE    
    Mar  2 16:18:42.939: ISAKMP:(0):insert sa successfully sa = 4542B818
    Mar  2 16:18:42.939: ISAKMP:(0):Can not start Aggressive mode, trying Main mode. // Not an error. By default it is configured for Main Mode
    Mar  2 16:18:42.939: ISAKMP:(0):No pre-shared key with 20.1.1.10! // Since we are using RSA Signature, this message. If we use pre-share, this is where it would indicate so!
    Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-07 ID
    Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-03 ID
    Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-02 ID
    Mar  2 16:18:42.939: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    Mar  2 16:18:42.939: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
    Mar  2 16:18:42.943: ISAKMP:(0): beginning Main Mode exchange
    Mar  2 16:18:42.943: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_NO_STATE // Sending ISAKMP Policy to peer
    Mar  2 16:18:42.943: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Mar  2 16:18:42.943: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_NO_STATE // Sending ISAKMP Policy to peer
    Mar  2 16:18:42.947: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Mar  2 16:18:42.947: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
    Mar  2 16:18:42.947: ISAKMP:(0): processing SA payload. message ID = 0
    Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
    Mar  2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch // Do not worry about this! Not an ERROR!
    Mar  2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
    Mar  2 16:18:42.947:.!!!!
    Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
    R2(config)# ISAKMP:(0): processing vendor id payload
    Mar  2 16:18:42.947: ISAKMP:(0): processing IKE frag vendor id payload
    Mar  2 16:18:42.947: ISAKMP:(0):Support for IKE Fragmentation not enabled
    Mar  2 16:18:42.947: ISAKMP : Scanning profiles for xauth ...
    Mar  2 16:18:42.947: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
    Mar  2 16:18:42.947: ISAKMP:      encryption 3DES-CBC
    Mar  2 16:18:42.947: ISAKMP:      hash SHA
    Mar  2 16:18:42.947: ISAKMP:      default group 2
    Mar  2 16:18:42.947: ISAKMP:      auth RSA sig
    Mar  2 16:18:42.947: ISAKMP:      life type in seconds
    Mar  2 16:18:42.947: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    Mar  2 16:18:42.947: ISAKMP:(0):atts are acceptable. Next payload is 0
    Mar  2 16:18:42.947: ISAKMP:(0):Acceptable atts:actual life: 0
    Mar  2 16:18:42.947: ISAKMP:(0):Acceptable atts:life: 0
    Mar  2 16:18:42.947: ISAKMP:(0):Fill atts in sa vpi_length:4
    Mar  2 16:18:42.947: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    Mar  2 16:18:42.947: ISAKMP:(0):Returning Actual lifetime: 86400
    Mar  2 16:18:42.947: ISAKMP:(0)::Started lifetime timer: 86400.
    Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
    Mar  2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    Mar  2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
    Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
    Mar  2 16:18:42.951: ISAKMP:(0): processing IKE frag vendor id payload
    Mar  2 16:18:42.951: ISAKMP:(0):Support for IKE Fragmentation not enabled
    Mar  2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Mar  2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
    Mar  2 16:18:42.951: ISAKMP (0): constructing CERT_REQ for issuer cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
    Mar  2 16:18:42.951: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_SA_SETUP // Sending Key Exchange Information to peer
    Mar  2 16:18:42.951: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Mar  2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Mar  2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
    Mar  2 16:18:42.955: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_SA_SETUP // Receive key exchange information from peer
    Mar  2 16:18:42.955: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Mar  2 16:18:42.955: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
    Mar  2 16:18:42.959: ISAKMP:(0): processing KE payload. message ID = 0
    Mar  2 16:18:43.003: ISAKMP:(0): processing NONCE payload. message ID = 0
    Mar  2 16:18:43.007: ISAKMP:(1008): processing CERT_REQ payload. message ID = 0
    Mar  2 16:18:43.007: ISAKMP:(1008): peer wants a CT_X509_SIGNATURE cert
    Mar  2 16:18:43.007: ISAKMP:(1008): peer wants cert issued by cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
    Mar  2 16:18:43.007:  Choosing trustpoint CA_Server as issuer
    Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID is Unity
    Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID seems Unity/DPD but major 180 mismatch
    Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID is XAUTH
    Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.007: ISAKMP:(1008): speaking to another IOS box!
    Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.007: ISAKMP:(1008):vendor ID seems Unity/DPD but hash mismatch
    Mar  2 16:18:43.007: ISAKMP:received payload type 20
    Mar  2 16:18:43.007: ISAKMP (1008): His hash no match - this node outside NAT
    Mar  2 16:18:43.007: ISAKMP:received payload type 20
    Mar  2 16:18:43.007: ISAKMP (1008): No NAT Found for self or peer
    Mar  2 16:18:43.007: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Mar  2 16:18:43.007: ISAKMP:(1008):Old State = IKE_I_MM4  New State = IKE_I_MM4
    Mar  2 16:18:43.011: ISAKMP:(1008):Send initial contact
    Mar  2 16:18:43.011: ISAKMP:(1008):My ID configured as IPv4 Addr, but Addr not in Cert!
    Mar  2 16:18:43.011: ISAKMP:(1008):Using FQDN as My ID
    Mar  2 16:18:43.011: ISAKMP:(1008):SA is doing RSA signature authentication using id type ID_FQDN
    Mar  2 16:18:43.011: ISAKMP (1008): ID payload
              next-payload : 6
              type         : 2
              FQDN name    : R2
              protocol     : 17
              port         : 500
              length       : 10
    Mar  2 16:18:43.011: ISAKMP:(1008):Total payload length: 10
    Mar  2 16:18:43.019: ISAKMP (1008): constructing CERT payload for hostname=R2+serialNumber=FHK1502F2H8
    Mar  2 16:18:43.019: ISAKMP:(1008): using the CA_Server trustpoint's keypair to sign
    Mar  2 16:18:43.035: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Mar  2 16:18:43.035: ISAKMP:(1008):Sending an IKE IPv4 Packet.
    Mar  2 16:18:43.035: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Mar  2 16:18:43.035: ISAKMP:(1008):Old State = IKE_I_MM4  New State = IKE_I_MM5
    Mar  2 16:18:43.047: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_KEY_EXCH
    // "MM_KEY_EXCH" indicates that the peers have exchanged DH Public keys and generated a shared secret!
    Mar  2 16:18:43.047: ISAKMP:(1008): processing ID payload. message ID = 0
    Mar  2 16:18:43.047: ISAKMP (1008): ID payload
              next-payload : 6
              type         : 2
              FQDN name    : ASA1
              protocol     : 0
              port         : 0
              length       : 12
    Mar  2 16:18:43.047: ISAKMP:(0):: peer matches *none* of the profiles // Normal Message! Not an error!
    Mar  2 16:18:43.047: ISAKMP:(1008): processing CERT payload. message ID = 0
    Mar  2 16:18:43.047: ISAKMP:(1008): processing a CT_X509_SIGNATURE cert
    Mar  2 16:18:43.051: ISAKMP:(1008): peer's pubkey isn't cached
    Mar  2 16:18:43.059: ISAKMP:(1008): Unable to get DN from certificate!
    Mar  2 16:18:43.059: ISAKMP:(1008): Cert presented by peer contains no OU field.
    Mar  2 16:18:43.059: ISAKMP:(0):: peer matches *none* of the profiles
    Mar  2 16:18:43.063: ISAKMP:(1008): processing SIG payload. message ID = 0
    Mar  2 16:18:43.067: ISAKMP:received payload type 17
    Mar  2 16:18:43.067: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.067: ISAKMP:(1008): vendor ID is DPD
    Mar  2 16:18:43.067: ISAKMP:(1008):SA authentication status:
              authenticated
    Mar  2 16:18:43.067: ISAKMP:(1008):SA has been authenticated with 20.1.1.10
    Mar  2 16:18:43.067: ISAKMP: Trying to insert a peer 40.1.1.1/20.1.1.10/500/,  and inserted successfully 46519678. // SA inserted into SADB
    Mar  2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Mar  2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM5  New State = IKE_I_MM6
    Mar  2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Mar  2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM6  New State = IKE_I_MM6
    Mar  2 16:18:43.071: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Mar  2 16:18:43.071: ISAKMP:(1008):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
    Mar  2 16:18:43.071: ISAKMP:(1008):beginning Quick Mode exchange, M-ID of -1523793378
    Mar  2 16:18:43.071: ISAKMP:(1008):QM Initiator gets spi
    Mar  2 16:18:43.075: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE    
    Mar  2 16:18:43.075: ISAKMP:(1008):Sending an IKE IPv4 Packet.
    Mar  2 16:18:43.075: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
    Mar  2 16:18:43.075: ISAKMP:(1008):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
    Mar  2 16:18:43.075: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    Mar  2 16:18:43.075: ISAKMP:(1008):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
    Mar  2 16:18:43.079: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) QM_IDLE // IPSec Policies
    Mar  2 16:18:43.079: ISAKMP:(1008): processing HASH payload. message ID = -1523793378
    Mar  2 16:18:43.079: ISAKMP:(1008): processing SA payload. message ID = -1523793378
    Mar  2 16:18:43.079: ISAKMP:(1008):Checking IPSec proposal 1
    Mar  2 16:18:43.079: ISAKMP: transform 1, ESP_3DES
    Mar  2 16:18:43.079: ISAKMP:   attributes in transform:
    Mar  2 16:18:43.079: ISAKMP:      SA life type in seconds
    Mar  2 16:18:43.079: ISAKMP:      SA life duration (basic) of 3600
    Mar  2 16:18:43.079: ISAKMP:      SA life type in kilobytes
    Mar  2 16:18:43.079: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
    Mar  2 16:18:43.079: ISAKMP:      encaps is 1 (Tunnel)
    Mar  2 16:18:43.079: ISAKMP:      authenticator is HMAC-SHA
    Mar  2 16:18:43.079: ISAKMP:(1008):atts are acceptable. // IPSec attributes are acceptable!
    Mar  2 16:18:43.079: ISAKMP:(1008): processing NONCE payload. message ID = -1523793378
    Mar  2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
    Mar  2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
    Mar  2 16:18:43.083: ISAKMP:(1008): Creating IPSec SAs
    Mar  2 16:18:43.083:         inbound SA from 20.1.1.10 to 40.1.1.1 (f/i)  0/ 0
              (proxy 1.1.1.1 to 2.2.2.2)
    Mar  2 16:18:43.083:         has spi 0xA9A66D46 and conn_id 0
    Mar  2 16:18:43.083:         lifetime of 3600 seconds
    Mar  2 16:18:43.083:         lifetime of 4608000 kilobytes
    Mar  2 16:18:43.083:         outbound SA from 40.1.1.1 to 20.1.1.10 (f/i) 0/0
              (proxy 2.2.2.2 to 1.1.1.1)
    Mar  2 16:18:43.083:         has spi  0x2B367FB4 and conn_id 0
    Mar  2 16:18:43.083:         lifetime of 3600 seconds
    Mar  2 16:18:43.083:         lifetime of 4608000 kilobytes
    Mar  2 16:18:43.083: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE    
    Mar  2 16:18:43.083: ISAKMP:(1008):Sending an IKE IPv4 Packet.
    Mar  2 16:18:43.083: ISAKMP:(1008):deleting node -1523793378 error FALSE reason "No Error"
    Mar  2 16:18:43.083: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    Mar  2 16:18:43.083: ISAKMP:(1008):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE // At this point tunnels are up and ready to pass traffic!
    Verification Commands
    #show crypto isakmp SA
    #show crypto ipsec SA
    Kindly rate if you find the explanation useful !!
    Best Regards
    Sachin Garg
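    Reading a debug of this length by eye works once; when the same tunnel has to be triaged repeatedly it is worth having a script walk the state machine. The block below is an added example and not code from Sachin's post, from Cisco or from any IOS tool: it parses `debug crypto isakmp` output against the message formats shown above (state transitions, the accepted Phase 1 policy, the ID payloads, the authenticated peer, and the ESP SAs with their SPIs and proxy identities), reports where a failed negotiation stalled, and flags legacy algorithms in what was actually negotiated. The embedded sample is a constructed abbreviation of the debug above; the weak-algorithm thresholds (DES/3DES, DH groups 1, 2 and 5) are this example's own judgment, not something the post states.

```python
"""Triage helper for Cisco IOS 'debug crypto isakmp' output (IKEv1 Main Mode + Quick Mode).
Added example, not code from the original post or from Cisco; regexes follow the formats seen above."""
import re

# Constructed sample: abbreviated copy of the line formats in the debug above (not the full log).
SAMPLE_DEBUG = """\
Mar  2 16:18:42.939: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
Mar  2 16:18:42.947: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
Mar  2 16:18:42.947: ISAKMP:      encryption 3DES-CBC
Mar  2 16:18:42.947: ISAKMP:      hash SHA
Mar  2 16:18:42.947: ISAKMP:      default group 2
Mar  2 16:18:42.947: ISAKMP:      auth RSA sig
Mar  2 16:18:43.011: ISAKMP (1008): ID payload
          FQDN name    : R2
Mar  2 16:18:43.047: ISAKMP (1008): ID payload
          FQDN name    : ASA1
Mar  2 16:18:43.067: ISAKMP:(1008):SA has been authenticated with 20.1.1.10
Mar  2 16:18:43.071: ISAKMP:(1008):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
Mar  2 16:18:43.079: ISAKMP: transform 1, ESP_3DES
Mar  2 16:18:43.079: ISAKMP:      authenticator is HMAC-SHA
Mar  2 16:18:43.083:         inbound SA from 20.1.1.10 to 40.1.1.1 (f/i)  0/ 0
          (proxy 1.1.1.1 to 2.2.2.2)
Mar  2 16:18:43.083:         has spi 0xA9A66D46 and conn_id 0
Mar  2 16:18:43.083:         outbound SA from 40.1.1.1 to 20.1.1.10 (f/i) 0/0
          (proxy 2.2.2.2 to 1.1.1.1)
Mar  2 16:18:43.083:         has spi  0x2B367FB4 and conn_id 0
Mar  2 16:18:43.083: ISAKMP:(1008):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
"""

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
P1_ATTR_RE = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth) (.+?)\s*$")
FQDN_RE = re.compile(r"FQDN name\s*:\s*(\S+)")
AUTH_RE = re.compile(r"SA has been authenticated with (\S+)")
ESP_RE = re.compile(r"transform \d+, (ESP_\S+)")
INTEG_RE = re.compile(r"authenticator is (\S+)")
SA_DIR_RE = re.compile(r"(inbound|outbound) SA from (\S+) to (\S+)")
PROXY_RE = re.compile(r"\(proxy (\S+) to (\S+)\)")
SPI_RE = re.compile(r"has spi\s+(0x[0-9A-Fa-f]+)")
# This example's own thresholds: DES/3DES and MODP groups 1, 2, 5 (768/1024/1536-bit) are legacy.
WEAK_CIPHERS = {"DES-CBC", "3DES-CBC", "ESP_DES", "ESP_3DES"}
WEAK_DH_GROUPS = {"1", "2", "5"}


def parse_isakmp_debug(text):
    """One pass over the debug text; collects state transitions, negotiated attributes and SAs."""
    result = {"transitions": [], "phase1": {}, "ids": [], "authenticated_peer": None,
              "phase2": {"esp": None, "integrity": None, "sas": []}}
    current_sa = None  # SA block whose following proxy/spi lines we are reading
    for line in text.splitlines():
        if m := STATE_RE.search(line):
            result["transitions"].append((m.group(1), m.group(2)))
        elif m := P1_ATTR_RE.search(line):
            result["phase1"][m.group(1)] = m.group(2)
        elif m := FQDN_RE.search(line):
            result["ids"].append(m.group(1))  # our own ID payload comes first, then the peer's
        elif m := AUTH_RE.search(line):
            result["authenticated_peer"] = m.group(1)
        elif m := ESP_RE.search(line):
            result["phase2"]["esp"] = m.group(1)
        elif m := INTEG_RE.search(line):
            result["phase2"]["integrity"] = m.group(1)
        elif m := SA_DIR_RE.search(line):
            current_sa = {"direction": m.group(1), "src": m.group(2), "dst": m.group(3)}
            result["phase2"]["sas"].append(current_sa)
        elif current_sa is not None and (m := PROXY_RE.search(line)):
            current_sa["proxy"] = (m.group(1), m.group(2))  # traffic selectors from the crypto ACL
        elif current_sa is not None and (m := SPI_RE.search(line)):
            current_sa["spi"] = m.group(1)
    return result


def phase2_complete(result):
    return any(new == "IKE_QM_PHASE2_COMPLETE" for _, new in result["transitions"])


def stalled_at(result):
    """Last state reached if the tunnel never came up, else None. MM1/MM2: no usable reply
    (filtering, wrong peer, policy mismatch); MM5/MM6: authentication; QM_I_QM1: Phase 2 proposal."""
    if phase2_complete(result):
        return None
    return result["transitions"][-1][1] if result["transitions"] else "IKE_READY"


def weak_crypto_warnings(result):
    """Flag legacy algorithms in what was actually negotiated, not merely what is configured."""
    warnings = []
    enc = result["phase1"].get("encryption")
    if enc in WEAK_CIPHERS:
        warnings.append(f"Phase 1 encryption {enc} is legacy; prefer AES")
    if result["phase1"].get("default group") in WEAK_DH_GROUPS:
        warnings.append("DH group below 2048-bit MODP; prefer group 14 or higher")
    if result["phase2"]["esp"] in WEAK_CIPHERS:
        warnings.append(f"Phase 2 transform {result['phase2']['esp']} is legacy; prefer ESP_AES")
    return warnings


if __name__ == "__main__":
    parsed = parse_isakmp_debug(SAMPLE_DEBUG)
    print(" -> ".join(new for _, new in parsed["transitions"]))
    print("stalled at:", stalled_at(parsed), "| warnings:", weak_crypto_warnings(parsed))
```

    Run it over a saved capture with `parse_isakmp_debug(open(path).read())`; a negotiation that dies in MM1/MM2 never even got a usable reply, which is a different problem from one that reaches MM5 and fails to authenticate. Note that the 3DES / SHA-1 / group 2 policy negotiated above is flagged: it works, but a new deployment should prefer AES, SHA-2 and group 14 or higher, confirmed on both peers with `show crypto isakmp policy`.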

  • How to pass credentials/saml token access sharepoint web service ex:lists.asmx when sharepoint has single sign on with claims based authentication

    How to pass credentials/saml token exchange to the sharepoint web service ex:lists.asmx when sharepoint has single sign on with claims based authentication 
    Identity provider here is Oracle identity provider 
    harika kakkireni

    Hi,
    The following materials for your reference:
    Consuming List.asmx on a claims based sharepoint site
    http://social.technet.microsoft.com/Forums/sharepoint/en-US/f965c1ee-4017-4066-ad0f-a4f56cd0e8da/consuming-listasmx-on-a-claims-based-sharepoint-site?forum=sharepointcustomizationprevious
    Sharepoint Claims based authentication and Single Sign on
    http://social.technet.microsoft.com/Forums/sharepoint/en-US/2dfc1fdc-abc0-4fad-a414-302f52c1178b/sharepoint-claims-based-authentication-and-single-sign-on?forum=sharepointadminprevious
    Sharepoint Claim Based Authentication Web Service issue
    http://social.msdn.microsoft.com/Forums/office/en-US/dd4cc581-863c-439f-938f-948809dd18db/sharepoint-claim-based-authentication-web-service-issue?forum=sharepointgeneralprevious
    Best Regards
    Dennis Guo
    TechNet Community Support

  • Satellite L650: Some combinations with the FN button do not work on W7x64

    Hello,
    System: Satellite L650-1KU
    Part number: PSK1LE-01700MRU
    I have installed Windows myself - this laptop didn't come with any OS from the factory.
    I installed Windows 7 x64 and all drivers and utilities from the Toshiba driver site for Windows 7 x64 available for my laptop model.
    I have no unknown devices in Windows Device Manager, all drivers are installed and all hardware components work fine, i.e. wifi, bluetooth and web camera.
    But I still can't use some of the keyboard combinations with the Fn button. Not all, just five combinations do not work: Fn+F2 power modes, Fn+F4 hibernate, Fn+1,2 zoom and Fn+F8 wireless devices.
    From searching I have found only mentions about Fn+1,2 zoom - this function is provided by some utility named Toshiba Zoom, but on the download page there is no Toshiba Zoom for my laptop model and W7.
    Looks like there must be some additional utilities from the vendor installed for handling these combinations, but I can't find any additional info or software on the driver download page.
    Maybe there are some utilities which should be located in the lists of drivers/software for 32 bit Windows and will be fine for the 64 bit one?
    All combinations which work fine, like volume +/- Fn+3 Fn+4 or mute Fn+ESC, do not show any popups at the moment of pressing; they just perform their function without any indication.
    Dear users and support, can you help me with what I should install from the additional utilities to provide support for the combinations Fn+F2 power modes, Fn+F4 hibernate, Fn+1,2 zoom and Fn+F8 wireless devices?

    Have you installed the Toshiba Value Added Package?
    Have a look on the Toshiba support/downloads website. Ensure you install the Win7 64bit version of TVAP designed for the L650 series.
    Updating the BIOS may also help.

  • Issue with Internet facing site and Intranet sites

    Hello All,
    I have migrated the SP2013 environment using the database attach method for our intranet site. We are also working on the SP2013 Internet facing site using the same content database as the Internet site.
    When I extended the web application for the Internet facing site to the Internet zone, these are the URLs: the Intranet website URL is https://intranet.contoso.com/SitePages/home.aspx (root site) and the SP2013 Internet facing site is http://contoso.com (not a root site, publishing site template).
    However, I found that on http://contoso.com users can still access http://contoso.com/SitePages/home with the same content as the Intranet.
    After doing some Google searching, bloggers mentioned moving https://intranet.contoso.com/SitePages/home.aspx to another site collection so that the Internet facing site can exist as the root site.
    Can we have two root sites in the same web application? I need the content database to be the same so that managers can check the Internet facing site and, after signing into SP2013, be redirected to the Internet site.
    Which is the best option to achieve this with the same content database?
    Please advise.
    Regards,
    Aroh
    Aroh Shukla

    Business Requirement:
    Content Managers want to control the internal Intranet site (https://intranet.contoso.com) (default zone, port 443, root site) and also want to have an SP2013 Internet site (Internet zone, http://www.contoso.com, not a root site, publishing site template) with Anonymous access at the Web Application level. I configured the site architecture to have the intranet zone as the default zone and extended the Web Application for the Internet facing site with an Anonymous site. This is the current site architecture.
    The reason is that content managers do not want to duplicate the public site (Internet facing site), which will share some lists that are stored in the intranet site.
    For example, a sub site named "News and Events" will be shared with the Public site as well as Internet users. Therefore, if a manager wants to update a list in the public site, it should be reflected in the intranet site as well. Thus, managers don't want to have a separate database but the same content database.
    Problem:
    I have extended the web application to have a different Internet zone; the site URL looks like this: http://www.contoso.com/sites/public with publishing template and Anonymous access. Managers want the public site URL to be just http://www.contoso.com and not http://www.contoso.com/SitePages/Home.aspx. As I am using a path based site collection for extending the site collection, I am getting this URL: http://www.contoso.com/SitePages/Home.aspx
    We also tried a host named site collection, but it does not provide anonymous access and keeps on asking for user credentials.
    Q1: We want to have the Intranet and Public site with the same content database as per business requirements. Shall I follow this link: http://sharepoint.stackexchange.com/questions/81172/moving-content-db-for-a-site-collection-to-another-db-server?
    Q2: Because I am constrained in that I don't want to have a separate web application (I know, it's not a regular requirement), how could I achieve these requirements?
    Q3: Do I have to completely re-design the web site architecture, with www.contoso.com as the main web application, then copy the Intranet site collection and move it to www.contoso.com/intranet using the Move-SPSite command?
    Any kind of pointer and help will be highly appreciated as I have been struggling for 2 weeks to solve this.
    Regards,
    Aroh
    Aroh Shukla

  • CISCO ASA 5505 Split Tunnel DNS with Site to Site VPN

    I have a working configuration for Site to Site VPN between our head office and a private AWS VPC instance.
    The tunnel is active and I can ping the IP address of the remote network and connect to the remote machines using the IP address, but we need to use the FQDN and not the IP.  We have a DNS server set up in AWS for any DNS queries for the remote domain name.
    My question is whether or not the ASA 5505 supports a DNS split tunnel for Site to Site VPN and how it can be configured.
    I cannot find where I can interrogate the DNS query to be redirected to the VPN tunnel when our domain name is used in a DNS query. Thus, any pings I try with the FQDN of our servers in AWS are failing as they are going to the default DNS, which is the internet.
    Can anyone point me in the right direction on how to configure this DNS rewrite so that we can access our AWS private cloud using FQDNs from our AWS domain rather than an IP address?

    Jose, your fix to problem 1 allows all access from the outside, assuming you applied the extended list to the outside interface.  Try to be more restrictive than an '...ip any any' rule for outside_in connections.  For instance, this is what I have for incoming VOIP (access list and nat rules):
    access list rule:
    access-list outside_access_in extended permit udp any object server range 9000 9049 log errors
    nat rule:
    nat (inside,outside) source static server interface service voip-range voip-range
    - 'server' is a network object *
    - 'voip-range' is a service group range
    I'd assume you can do something similar here in combination with my earlier comment:
    access-list incoming extended permit tcp any any eq 5900
    Can you explain your forwarding methodology a little more?  I'm by no means an expert on forwarding, but the way I read what you're trying to do is that you have an inbound VNC request coming in on 5900 and you want the firewall to figure out which host the request should go to.  Or is it vice-versa, the inbound VNC request can be on port 6001-6004 ?

  • Azure Site to Site VPN with Cisco ASA 5505

    I have got a Cisco ASA 5505 device (version 9.0(2)). And I cannot connect S2S with Azure (the Azure network is always in the "connecting" state). In my Cisco log:
    IP = 104.40.182.93, Keep-alives configured on but peer does not support keep-alives (type = None)
    Group = 104.40.182.93, IP = 104.40.182.93, QM FSM error (P2 struct &0xcaaa2a38, mess id 0x1)!
    Group = 104.40.182.93, IP = 104.40.182.93, Removing peer from correlator table failed, no match!
    Group = 104.40.182.93, IP = 104.40.182.93,Overriding Initiator's IPSec rekeying duration from 102400000 to 4608000 Kbs
    Group = 104.40.182.93, IP = 104.40.182.93, PHASE 1 COMPLETED
    I have done all the Cisco S2S configuration over the standard wizard because it seems your script is for the 8.x version of ASA only?
    (Does Azure support the 9.x version of ASA?)
    How can I fix it?

    Hi,
    As of now, we do not have any scripts for Cisco ASA 9x series.
    Thank you for your interest in Windows Azure. The Dynamic routing is not supported for the Cisco ASA family of devices.
    Unfortunately, a dynamic routing VPN gateway is required for Multi-Site VPN, VNet to VNet, and Point-to-Site.
    However, you should be able to setup a site-to-site VPN with Cisco ASA 5505 series security appliance as
    demonstrated in this blog:
    Step-By-Step: Create a Site-to-Site VPN between your network and Azure
    http://blogs.technet.com/b/canitpro/archive/2013/10/09/step-by-step-create-a-site-to-site-vpn-between-your-network-and-azure.aspx
    You can refer to this article for Cisco ASA templates for Static routing:
    http://msdn.microsoft.com/en-us/library/azure/dn133793.aspx
    Did you download the VPN configuration file from the dashboard and copy the content of the configuration file to the Command Line Interface of the Cisco ASDM application? It seems that there is no specified IP address in the access list part and maybe that is why the state message appeared.
    According to the Cisco ASA template, it should be similar to this:
    access-list <RP_AccessList> extended permit ip object-group <RP_OnPremiseNetwork> object-group <RP_AzureNetwork>
    nat (inside,outside) source static <RP_OnPremiseNetwork> <RP_OnPremiseNetwork> destination static <RP_AzureNetwork> <RP_AzureNetwork>
    Based on my experience, to establish an IPSEC tunnel you need to allow the ESP protocol and UDP Port 500. Please make sure that the VPN device is not located behind a NAT. Besides, since the Cisco ASA templates are not compatible with dynamic routing, please make sure that you chose static routing.
    Since you configure the VPN device yourself, it's important that you be familiar with the device and its configuration settings.
    Hope this helps you.
    Girish Prajwal

  • ASA 5505 Site-to-Site VPN with multiple networks

    Hi,
    I have 2 Cisco ASA 5505s in different places with a Site-to-Site VPN connection between them. It's working fine for the networks where they are (10.1.1.0/24 and 10.2.1.0/24 respectively).
    Additionally, two subnets are connected to ASA1: 10.1.2.0/24 and 10.1.3.0/24, and ASA2 is connected to one subnet: 10.2.2.0/24.
    The problem is when I'm trying to get to a host in the subnet behind ASA2 from the subnet behind ASA1, and vice versa.
    Any help would be greatly appreciated.

    It's all about the crypto ACL. You have to combine all networks behind ASA1 with all networks behind ASA2. You can use object-groups for that to handle it. What's the config of your crypto ACL?
    Sent from Cisco Technical Support iPad App

  • Bug? Mailto: in combination with Office 2013 Spell Checking.

    Dear community,
    For one of our solutions we use the mailto protocol to send a hyperlink which users can use to automatically open a predefined new-email window.
    This works fine with Office Professional Plus 2010 [EN-US] (32bit) in combination with Microsoft Office Language Pack 2010 - Dutch/Nederlands (32bit).
    However, Office Professional Plus 2013 [EN-US] (32bit), in combination with Microsoft Office Language Pack 2013 - Dutch/Nederlands (32bit), crashes whenever the spell check is started.
    The mailto command we use to reproduce this problem is (enter the command in Internet Explorer, open with Outlook):
    mailto:[email protected]?subject=%20Actie%20vereist&body=%5b2103162%2f335159076094968874376260057075247208793%5d
    During analysis we concluded:
    - Office Configuration Analyzer Tool 1.2 (Full Scan) did not find any related issues.
    - The spell checker crashes while checking the text within the body.
    - Uninstalling Microsoft Office Language Pack 2013 - Dutch/Nederlands solves the problem, but obviously we want to keep the Dutch spell check functionality.
    - Standard English (U.S.) spell checking functions without problems.
    - This problem is reproducible on any computer running Office Professional Plus 2013 [EN-US] in combination with the Dutch (Nederlands) spell check. Tried multiple hardware configurations (Intel based) and multiple OSs (Windows 7 Enterprise (64bit), Windows 8.1 Enterprise (64bit), Windows 8.1 Pro (64bit)). All with the same result.
    Is there a way to solve this issue without losing Outlook 2013 as client and Dutch Spell Check capabilities?
    Kind regards,
    Leon Kandelaars.

    Hi Steve,
    Thanks for your reaction.
    Q - Do you mean Outlook crashes when we click the Spelling & Grammar button under the Review tab?
    A - Yeah, if you try to edit the mail and have 'check spelling as you type' activated, it will crash as well.
    Q - If we copy the email body and paste it to a new email message, will this issue continue? Does this issue happen with other Office 2013 programs? Please try to use 'spell check' in Word and check if the same issue occurs.
    A - If you copy the generated body to a new email or Word 2013, the spell check will in both cases crash the application.
    Q - In addition, we can also have a look at the event log to see if we can find anything useful.
    A - The crash generates an "Application" "Hang error". I've generated 2 (1 with Outlook, 1 with Word):
    Generated mail, spellcheck crashes Outlook:
    Log Name:      Application
    Source:        Application Hang
    Date:          10-3-2015 9:52:31
    Event ID:      1002
    Task Category: (101)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      xxxx.xxxx.xxx.nl
    Description:
    The program OUTLOOK.EXE version 15.0.4693.1000 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
    Process ID: 87c
    Start Time: 01d05b0effb4e6f8
    Termination Time: 0
    Application Path: C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE
    Report Id: bf3cde85-c702-11e4-a8c6-485ab6f00dbb
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Application Hang" />
        <EventID Qualifiers="0">1002</EventID>
        <Level>2</Level>
        <Task>101</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2015-03-10T08:52:31.000000000Z" />
        <EventRecordID>14242</EventRecordID>
        <Channel>Application</Channel>
        <Computer>xxxx.xxxx.xxx.nl</Computer>
        <Security />
      </System>
      <EventData>
        <Data>OUTLOOK.EXE</Data>
        <Data>15.0.4693.1000</Data>
        <Data>87c</Data>
        <Data>01d05b0effb4e6f8</Data>
        <Data>0</Data>
        <Data>C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE</Data>
        <Data>bf3cde85-c702-11e4-a8c6-485ab6f00dbb</Data>
        <Binary>55006E006B006E006F0077006E0000000000</Binary>
      </EventData>
    </Event>
    Copied body to Word, spellcheck crashes Word:
    Log Name:      Application
    Source:        Application Hang
    Date:          10-3-2015 9:57:15
    Event ID:      1002
    Task Category: (101)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      xxxx.xxxx.xxx.nl
    Description:
    The program WINWORD.EXE version 15.0.4693.1000 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
    Process ID: 964
    Start Time: 01d05b0fe8e683af
    Termination Time: 0
    Application Path: C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE
    Report Id: 6a7dd15f-c703-11e4-a8c6-485ab6f00dbb
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Application Hang" />
        <EventID Qualifiers="0">1002</EventID>
        <Level>2</Level>
        <Task>101</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2015-03-10T08:57:15.000000000Z" />
        <EventRecordID>14247</EventRecordID>
        <Channel>Application</Channel>
        <Computer>xxxx.xxxx.xxx.nl</Computer>
        <Security />
      </System>
      <EventData>
        <Data>WINWORD.EXE</Data>
        <Data>15.0.4693.1000</Data>
        <Data>964</Data>
        <Data>01d05b0fe8e683af</Data>
        <Data>0</Data>
        <Data>C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE</Data>
        <Data>6a7dd15f-c703-11e4-a8c6-485ab6f00dbb</Data>
        <Binary>55006E006B006E006F0077006E0000000000</Binary>
      </EventData>
    </Event>

  • Maintenance view subset P = S in combination with a non-key.

    We are trying to create a maintenance view with subset selection based on a non-key field. However, no dialog screen is created in order to select the right data (subset) for list display. We found a note referencing this problem: SAP Note 624459 "subset field is not transferred", which is already available in the L7D system.
    -> Does the subset P = S only work in combination with a key field?

    Hi,
    I presume P = S works only for primary key combinations. For example, if you create a maintenance view on the MARD table and give the value P = S to only the MATNR and WERKS fields, then generate the table maintenance, you get the filter for Material and Plant, but there is a button F7 "new selection"; if you press that you can select the third key field, Storage Location, as well. Presumably it works for the key fields alone.
    Cordially,
    Shankar Narayanan.
