Dynamic routing alternative between ASA and edge routers?

This is the current setup between two edge routers and an ASA 5580.  The edge routers carry approximately 9200 BGP routes with ISP A also supplying the default route.  Is there a good, i.e. has been successfully implemented, dynamic routing situation between the edge routers and ASA such that the ASA can send traffic to the particular edge router that carries the best specific route?

Hello,
Let's remember that the ASA was built as a High-Level Next Generation Firewall.
That does not mean it is not useful for routing, but here we are talking about thousands of routes. I do not think there will be a performance issue on the FW because of that; I mean you have one of the greatest Cisco Firewalls (functionality and power speaking).
So if that's the case and you really want to do that, you will need to implement either RIP, EIGRP, or OSPF on the link and then do the redistribution on the routers.
Does that make sense?
Regards,
Jcarvaja
CCIE 42930
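As an added illustration of the approach jcarvaja describes (an IGP on the transit link, redistribution on the routers), here is an example configuration that is not from the original thread; the transit subnet 10.0.0.0/29, the local BGP AS 65000, the hostnames and the interface names are all assumed:

```cisco
! ===== Edge router A (hostname EDGE-A and local BGP AS 65000 are assumed) =====
! OSPF runs only on the transit link to the ASA. The eBGP-learned table is
! redistributed into it; ISP A supplies the default, so EDGE-A also
! originates the OSPF default route.
router ospf 1
 router-id 10.0.0.2
 passive-interface default
 ! assumed transit link to the ASA
 no passive-interface GigabitEthernet0/1
 network 10.0.0.0 0.0.0.7 area 0
 redistribute bgp 65000 subnets metric-type 1 route-map BGP-TO-OSPF
 default-information originate
!
! Only Internet prefixes (up to /24) are redistributed; connected and
! static routes on the edge router are not leaked into the ASA's table.
! iBGP-learned paths are not redistributed by default on IOS, so a prefix
! whose best path sits on the other edge router is advertised into OSPF
! only by that router, and the ASA forwards straight to it.
ip prefix-list INTERNET seq 10 permit 0.0.0.0/0 le 24
!
route-map BGP-TO-OSPF permit 10
 match ip address prefix-list INTERNET
 set metric 100
!
! ===== Edge router B (hostname EDGE-B assumed) =====
! Same redistribution, but no default-information originate because ISP B
! does not supply the default. The higher seed metric only matters when
! both routers hold an eBGP path for the same prefix: then EDGE-A wins
! instead of the ASA seeing two equal-cost paths.
router ospf 1
 router-id 10.0.0.3
 passive-interface default
 no passive-interface GigabitEthernet0/1
 network 10.0.0.0 0.0.0.7 area 0
 redistribute bgp 65000 subnets metric-type 1 route-map BGP-TO-OSPF
!
ip prefix-list INTERNET seq 10 permit 0.0.0.0/0 le 24
!
route-map BGP-TO-OSPF permit 10
 match ip address prefix-list INTERNET
 set metric 200
!
! ===== ASA 5580 (outside interface 10.0.0.1/29 assumed) =====
! The ASA only needs an adjacency on the transit subnet; it learns the
! ~9200 prefixes as OSPF external (E1) routes with the matching edge
! router as next hop, and the default via EDGE-A.
router ospf 1
 router-id 10.0.0.1
 network 10.0.0.0 255.255.255.248 area 0
 log-adj-changes
!
! Checks on the ASA after the change:
!   show ospf neighbor   -> 10.0.0.2 and 10.0.0.3 in FULL state
!   show route           -> "O E1" prefixes via 10.0.0.2 or 10.0.0.3,
!                           "O*E1 0.0.0.0 0.0.0.0" via 10.0.0.2
```

Without the prefix-list and seed metrics every BGP prefix is redistributed with the same default metric, so anything both routers learn via eBGP shows up on the ASA as an equal-cost pair rather than a preference; the redistribution point is also where to make sure the edge routers' own infrastructure prefixes stay out of the firewall's table.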

Similar Messages

  • IPSec ikev2 between ASA and Cisco Router

    Hi,
    I am trying to do IPSec with IKEv2 (SHA2) between an ASA and a Cisco Router, without success. Can anyone help me?
    - Remote site (Router) with dynamic public IP -> Dynamic crypto map on the ASA
    - Authentication with Certificates
    - Integrity SHA2
    I have tried a lot of configurations without success.
    Thanks for your help.
    Mic

    The more secure ike policy should have the higher priority which is a smaller number. So I would configure there the following way (policy 30 only if really needed):
    crypto ikev1 policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 28800
    crypto ikev1 policy 20
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 28800
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 43200
    The Cisco VPN Client is EOL and not supported any longer. And yes, by default DH group 2 is used. But that can be configured by a parameter in the PCF-file.
    There are two (three) better options:
    Best option with very little needed configuration:
    Move to AnyConnect with TLS. AnyConnect is the actual Cisco client that is also supported with Windows 8.x. The legacy IPsec client isn't.
    Best option with a little stronger crypto but more configuration:
    Move to AnyConnect with IPsec/IKEv2. 
    Move to a third-party client like shrew.net. I haven't used that client for a couple of years now, but it's quite flexible and also has a config option for a better DH group.
    For options 1) and 2) an extra license is needed, but that's not very expensive.

  • Font sizes between Photoshop and Edge - Any Accurate conversion table?

    I have been trying to make sense of the font sizes between Photoshop and Edge. It seems that the conversion tables I have found do not actually give the right numbers, and I am wondering if there is a table from Adobe that would make it easy to have the right size rather than an approximation.
    I prefer to use text in Edge rather than Photoshop for many different reasons one being dynamic text.
    For example a font in Photoshop in a 780 x 475 image is 8pt - In Edge, according to conversion tables it should be 11 px but it is totally wrong. It needs to be closer to 30 px to be about the same.
    So, Adobe Team, any documentation on that?

    By the way, I have to correct the numbers, but they still do not make too much sense. The artist gave me a 300 dpi file, so of course the px size was wrong. After converting the file to 72 dpi, the font size happens to be 33.33 pt or 40 px, which is now way too big in Edge. It looks like the size may just be the same: 33.33 pt would be 33.33 px. Is this correct?

  • Load balance between DLSw and CIP routers

    Take a look on this environment:
    - 4 routers receiving all DLSw peers and circuits
    - 4 routers with CIP boards connected to 2 mainframes
    All CIP routers are configured with the same MAC address. All routers (DLSw and CIP) are connected on an Ethernet LAN switch, so this traffic is pure LLC2.
    How can I balance the traffic between DLSw and CIP routers?
    Thanks in advance.

    I am not sure if I totally understand the topology. Let me rephrase it. Please correct me if I misunderstand the topology. In a data centre, there are 4 DLSw routers terminating DLSw peer connections from the remote sites. In the same data centre, there are 4 CIP routers which connect to 2 mainframes. CSNA is configured on all CIP routers, which use the same MAC. You configure transparent bridging on the DLSw routers, which connect to the same Ethernet switches as the CIP routers. You configure SR/TLB on the CIP routers, so that all LLC2 circuits coming from the DLSw routers connect through the Ethernet interfaces of the CIP routers.
    Do you want the LLC2 circuits from a DLSw router to load balance across 4 CIP routers? As duplicate MAC addresses are not allowed, there is no way to connect all 4 DLSw routers and 4 CIP routers on the same VLAN.
    I can think of a couple of workarounds.
    1. Enable SNASw on the 4 DLSw routers. Create a VDLC port on all 4 DLSw routers. The MAC address of the VDLC interface is the same. The VDLC MAC address is pointed to by the remote SNA stations. Each DLSw router uses one of the CIP routers as DLUS.
    2. If this is the case, create 4 VLANs on the ethernet switches. Connect a pair of DLSw router and CIP router to each VLAN.

  • Route Redistribution between RIP and OSPF

    Hi all,
    I'm building my home lab and having difficulty getting this part of route redistribution to work.
    I can't ping from PC, Server and SW1 to R2's int f0/0, f0/1 and SW2's G0/1.
    I can't ping from R1 to R2's f0/1, SW2.
    Vice versa, I can't ping from SW2 to R2's f0/0, R1's f0/0 & f0/1, SW1, PC and Server.
    Also, I can't ping from R2 to R1's f0/1, SW1, Server and PC.
    I think the reason these pings fail is that I didn't configure the Route Redistribution between RIP and OSPF (on R2) correctly. I struggled for hours changing commands around but still can't figure it out. I attached my topology and config file for you; please help!
    smartd1011

    Hi,
    On R1, you should not be advertising 10.0.0.0/24 via OSPF => redistribution will handle that
    On R1, you should not be advertising 20.0.0.0/24 via EIGRP => redistribution will handle that
    On R2, you should not be advertising 30.0.0.0/24 via OSPF => redistribution will handle that
    On R2, you should not be advertising 20.0.0.0/24 via RIP=> redistribution will handle that
    On R2, under your RIP process, you should put a metric on the redistribution; otherwise it would be redistributed with an infinite metric (i.e. 16). Btw, you did put a seed metric on your EIGRP redistribution, which is fine.
    Also, if you're talking RIP with switch2 and would like to send RIP updates to it, remove your passive-interface statement.
    Your RIP statement should be something like that:
    router rip
    version 2
    redistribute ospf 1 metric 5
    passive-interface FastEthernet0/0
    network 30.0.0.0
    no auto-summary
    HTH

  • Miix 2 10" LED diode on the switch filters between display and edge frame

    Hello,
    I have a Lenovo Miix 2 10" and I found out that the indicator LED diode on the switch filters through between the display and the edge frame of the tablet when it is dark.
    It is obvious at night when the tablet is moderately inclined...
    https://onedrive.live.com/redir?resid=2193765AA1BD42F1!7232&authkey=!AJ7TZCTfNtVztuI&v=3&ithint=phot...
    Is this a reason for a claim?
    Thanks
    sg

    Hi chuck72352,
    after you have sorted your data, you can use the InRange Function. Combined with a "search 1D Array" you'll get the range you really want.
    Mike

  • How to use the private subnet between ASA and Router

    Guys,
    Here is the context:
    I am connecting to 2 ISPs for load sharing traffic coming from my private network.
    The 2 links from the ISPs terminate in the router which connects to an ASA via a private subnet, back to my private network.
    I have configured PBR in the router to prefer ISP1 for traffic coming from my internal servers X, Y, Z (public addresses, no need for the ASA to translate). The router should send any other traffic coming from the rest of my private address space, servers W, V, U (after translation by ASA) to ISP2.
    So far so good. The default route defined on the ASA points to the internal LAN interface of the router (private IP address). How can I route this subnet used between the ASA and router? Being a private address I have to translate it to something (public) before the router can send it out. But translate to what?
    Alternatively I could use a public subnet. But I do not have any. How do I get around this?
    Regards
    Ndaungwe

    You have IP addresses on the direct interface links to the ISPs? You could use those IP addresses with NAT overload.

  • Connection dropped between ASA and router

    Hi,
    Last night Internet traffic was going from my 2811 router to the Internet via my ASA 5510 (as it should do and in accordance with my route-map policy) but, when I came in this morning, traffic wasn't going via my ASA as my route-map policy specified, it was going straight to the Internet via my Gateway of Last Resort (an SDSL router). When I did a ping between the ASA and the 2811 router, traffic started to be routed via the ASA again, as specified by the Route-Map policy. Does anyone know what caused this to happen?
    Thanks,
    Jaime

    Ensure your ACL is configured properly on your device, or maybe you made some changes recently.

  • Packet Loss between ASA and 871

    We are running a Cisco ASA 5505 and the remote clients are 871s. We currently use an EasyVPN configuration between the single ASA and our 13 871s.
    Today (1) out of the (13) tunnels is experiencing packet loss. I have power cycled the broadband router on the 871 end and the 871 itself, and the situation still exists.
    Does anyone know what would cause this and how to troubleshoot it?
    Thanks,
    Jason

    Have you contacted the broadband provider on the 871 side to rule out any issues on the link? What broadband is it (ADSL, DSLAM, PPPoA)? Start by first ruling out physical issues, WAN interface and LAN interface stats, and work your way up. Is this something that suddenly developed? From what you post it seems this tunnel has been fine; it could be broadband link issues, but first investigate with the provider to go to the next step.
    What do you see in the 871 router logs in terms of links? Turn on logging informational before starting debug procedures.
    HTH
    Jorge

  • Voice over ip configuration between 2600 and 1700 routers

    Hi,
    I have the following set up:
    2 offices with full T1 to the Internet; one using a Cisco 2600 router with FXS cards and the other using a 1700 router with FXS cards as well. I was asked to configure VoIP between the two sites, and the PBX tech gave me trunks at each office which I connected to the FXS interfaces. The goal is that the PBX guy will be able to program the PBX with extension numbers of his choice and get the calls between the offices using the Internet connection. I do not have a lot of experience setting up VoIP and I wonder if someone out there might have a similar environment.
    According to the PBX tech, these trunk lines are loop start.
    Thanks in advance for any ideas,
    Uriel Naranjo.

    It should be fairly straightforward. On the 2600 you will need to configure a VoIP dial-peer pointing to the remote site and a POTS dial-peer to terminate a call on the 2600, and you do the same on the 1700.
    Check out the sample configurations on the following URL:
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_configuration_guide_chapter09186a00800ca621.html#5593
    Disregard the RSVP portion and just simply configure your routers to pass VoIP traffic. You can do QoS later depending on the load and traffic.

  • Routing issue with ASA and UC540 phone system - at ASA???

    Having an issue with routing from the PC at .242 to the CUE server at 10.1.10.1. The CUE server is built into the UC540 phone system. It is an internal piece of software that is used for voicemail and management. The UC540 is not only a call router, it is also an IOS router. It has its own WAN connection, as does the ASA.
    Here are some facts:
    1. Can ping the UC540's internal CUE server from the PC ( ping to 10.1.10.1 )
    2. Can ping the UC540's VLAN 1 address from the PC ( ping to 10.1.10.1 )
    3. The ASA is the default gateway for the PC.
    4. I have a route inserted at the ASA that is:
                   route 10.1.10.1 255.255.255.0 10.19.250.254 1
    5. I have a NAT statement that prevents NAT from occurring, but I don't think this is necessary as the 10.1.10.0/24 network isn't otherwise defined on the ASA.
    6. I cannot pull up a web page when I point the browser on the PC to the 10.1.10.1 address.
    7. I CAN pull up a web page on the PC when I create a static route on the PC itself:
                   route add 10.1.10.1 mask 255.255.255.0 10.19.250.254
         It is only with this route that I am able to get to the web GUI on the phone system.
    8. The phone system has a loopback interface at 10.1.10.2 that serves as the gateway for the internal CUE server; the internal CUE server is at 10.1.10.1.
    9. The switch is a 2960 and has a trunk port to the phone system to allow for the voice VLAN, which is at 10.1.1.0/24. No issues with this VLAN, and phones are connecting to the system fine.
    Since I can get the GUI to come up when I set a static route on the PC, I would assume that the routing in the phone system with its internal server is fine, as it wouldn't work otherwise. Since I can successfully ping the CUE server from the PC, that would lead me to believe that the ASA's routing is set up correctly... TCP traffic doesn't seem to get to/from the CUE server.
    Here are the routing tables:
    ASA:
    Gateway of last resort is xxx.xxx.xxx.xxx to network 0.0.0.0
    C    xxx.xxx.xxx.xxx 255.255.255.252 is directly connected, outside
    S    172.16.100.100 255.255.255.255 [1/0] via 38.97.193.65, outside
    S    10.1.10.0 255.255.255.252 [1/0] via 10.19.250.254, inside
    C    10.19.250.0 255.255.254.0 is directly connected, inside
    S*   0.0.0.0 0.0.0.0 [1/0] via xx.xx.xx.xx, outside
    The UC540 phone system's router side:
    Gateway of last resort is xx.xx.xx.xx to network 0.0.0.0
    S*    0.0.0.0/0 [1/0] via xx.xx.xx.xx
          10.0.0.0/8 is variably subnetted, 7 subnets, 4 masks
    C        10.1.1.0/24 is directly connected, BVI100
    L        10.1.1.1/32 is directly connected, BVI100
    C        10.1.10.0/30 is directly connected, Loopback0
    S        10.1.10.1/32 is directly connected, Integrated-Service-Engine0/0
    L        10.1.10.2/32 is directly connected, Loopback0
    C        10.19.250.0/23 is directly connected, BVI1
    L        10.19.250.254/32 is directly connected, BVI1
          XX.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C       XX.XX.XX.XX/29 is directly connected, FastEthernet0/0
    L        XX.XX.XX.XX/32 is directly connected, FastEthernet0/0
          172.16.0.0/24 is subnetted, 1 subnets
    S        172.16.100.0 [1/0] via 10.19.250.1
    The UC540's internal CUE server:
    Main Routing Table:
               DEST            GATE               MASK     IFACE
          10.1.10.0         0.0.0.0    255.255.255.252     eth0
            0.0.0.0       10.1.10.2            0.0.0.0     eth0
    Any help appreciated!!!
    Thanks!

    Hello,
    Were you able to solve this problem? It does sound like an issue with TCP state checking on the ASA. The firewall needs to see both sides of the traffic, but the return traffic is going from your UC540 directly to the PC. The firewall essentially kills the traffic.
    I would recommend disabling TCP state checking on the ASA and seeing if it works. Otherwise, you will need to stub route the UC540 as a separate VLAN off the ASA, which needs to route through the ASA to reach the PC.
    Here is an info page on TCP State Bypass:
    http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/111986-asa-tcp-bypass-00.html
    Please let me know how it works out.
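As an added example of the TCP State Bypass the reply points to (not from the original thread; the object, class and policy names are assumed, the addresses come from the routing tables in the question), scoped to just the PC subnet to CUE flow:

```cisco
! ASA: exempt only the PC-subnet-to-CUE flow from TCP state checking so
! the ASA stops dropping the ACKs of a handshake whose SYN-ACK it never
! saw (the return path bypasses the firewall). Every other flow keeps
! full stateful inspection.
! Names TCP-BYPASS-* are assumed; 10.19.250.0/23 and 10.1.10.1 are the
! inside subnet and the CUE address from the poster's tables.
access-list TCP-BYPASS-ACL extended permit tcp 10.19.250.0 255.255.254.0 host 10.1.10.1
!
class-map TCP-BYPASS-CLASS
 match access-list TCP-BYPASS-ACL
!
! If a policy-map is already applied to "inside", add the class to that
! policy instead: an interface accepts a single service-policy.
policy-map TCP-BYPASS-POLICY
 class TCP-BYPASS-CLASS
  set connection advanced-options tcp-state-bypass
!
! Apply on the interface where the one-directional traffic enters.
service-policy TCP-BYPASS-POLICY interface inside
!
! Checks:
!   show service-policy interface inside   -> hit counters for the class
!   show conn address 10.1.10.1            -> the flow carries flag "b"
```

Bypassed connections lose TCP sequence-number checking and normalization, so keep the ACL to exactly this host pair; the reply's other option, putting the UC540 on a separate VLAN behind the ASA so both directions pass the firewall, keeps inspection intact and is the better long-term fix.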

  • Call alternating between earpiece and loudspeaker

    I have a Sony Z1. The last few days when I answer a call I will start the call using the ear speaker (phone held to ear); however, after a while the phone begins to alternate between the ear speaker and the loudspeaker, and eventually after about 15 seconds I just have to end the call. I don't know if it was an app update on the phone or my SW3 update that is causing the issue.
    I have tried clearing a few apps but that does not seem to have helped.
    Now, not sure if linked, but I have a new set of Sony Bluetooth earphones that also sometimes starts and stops when playing music. I thought it might have been the earphone battery going flat, but it was doing it also when fully charged.
    Anyone had similar? I have seen the post where calls go directly to loudspeaker, but I thought this was different.

    Started to happen again today; however, the cache was empty. This time the call alternated between all the options (earpiece, speaker and headphones). I conducted a factory reset and it still occurred. I am now stuck for answers.
    Another issue I am getting at the same time is my wifi disconnects and says 'temporarily avoiding poor signal' when the signal in the wifi section shows full wifi signal.
    UPDATE:
    I had been getting notifications in the notification bar that 'Smart Connect' had a headset connected when there was definitely no headset connected. During a call it was again alternating between the different options of earpiece, headset and Bluetooth. I subsequently uninstalled all updates for Smart Connect, but I still had call issues. I have now disabled Smart Connect and will wait to see if this solves the issue. I am now hopeful that this is the problem. Next would be to find out if it is a software or hardware issue.

  • Can't get L2L VPN up between ASA and Fortinet (IKEv2)

    Hi,
    I'm having issues getting a L2L tunnel up between a Cisco ASA and a Fortinet. This is the first tunnel being setup with IKEv2. The ASA is complaining that it can't find a matching policy.
    The Fortinet device is configured by another party, and I have confirmed that they are using the agreed settings.
    Configuration from the ASA:
    crypto ipsec ikev2 ipsec-proposal AES-3DES-SHA1
     protocol esp encryption 3des
     protocol esp integrity sha-1
    crypto map VPN 100 match address ABC
    crypto map VPN 100 set pfs group5
    crypto map VPN 100 set peer x.x.x.x
    crypto map VPN 100 set ikev2 ipsec-proposal AES-3DES-SHA1
    crypto map VPN 100 set security-association lifetime seconds 28800
    crypto map VPN interface outside
    crypto ikev2 policy 10
     encryption aes-256 3des
     integrity sha256 sha
     group 5
     prf sha256
     lifetime seconds 86400
    crypto ikev2 enable outside
    tunnel-group x.x.x.x type ipsec-l2l
    tunnel-group x.x.x.x ipsec-attributes
     ikev2 remote-authentication pre-shared-key blablabla
     ikev2 local-authentication pre-shared-key blablabla
    Debugs say that there is no matching policy:
    IKEv2-PROTO-3: (97): Get peer authentication method
    IKEv2-PROTO-3: (97): Get peer's preshared key for x.x.x.x
    IKEv2-PROTO-3: (97): Verify authentication data
    IKEv2-PROTO-3: (97): Use preshared key for id x.x.x.x, key len 15
    IKEv2-PROTO-2: (97): Processing auth message
    IKEv2-PROTO-1: (97): Failed to find a matching policy
    IKEv2-PROTO-1: (97): Received Policies:
    ESP: Proposal 1:  3DES SHA96
    IKEv2-PROTO-1: (97): Failed to find a matching policy
    IKEv2-PROTO-1: (97): Expected Policies:
    IKEv2-PROTO-5: (97): Failed to verify the proposed policies
    IKEv2-PROTO-1: (97): Failed to find a matching policy

    Dear Robert,
    The above error from the ASA indicates there may be a problem with your pre-shared key on both the local and remote sites, or an out-of-sync problem with the remote end/peer. Give more details about your Watchguard version and what application it is running. Send the complete log of:
    1. sh crypto ipsec sa
    2. sh crypto isakmp sa
    3. debug crypto isa 255
    4. debug crypto ipsec 255

  • Issue bringing up VPN between ASA and Checkpoint - HELP

    Hi all
    We are having major issues bringing up a VPN between our ASA and a third-party Checkpoint. It seems that if the Checkpoint initiates the connection it works, but if we initiate it from the ASA it doesn't come up.
    On the ASA I see the following.
    Any ideas what this is?
    7 | Jan 30 2014 | 11:52:03 | 715065 | IP = 159.50.93.1, IKE MM Initiator FSM error history (struct &0x79c4bb68) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY

    Phase 2 failures mean several things:
    Encryption domains (interesting traffic) fail to match. Checkpoint tends to supernet networks together, by design.
    Phase 2 parameters such as ESP, PFS and second timeouts do not match.
    Why don't you put in the relevant configuration on the ASA and, if possible, ask the Checkpoint firewall guy to do the following on the firewall:
    - output of "uname -a" and "fw ver"
    - is this Nokia, Windows or SecurePlatform Checkpoint?
    - run the following commands on the firewall: "debug ike off", "debug ike trunc" and send you the ike.elg file. That file can be decoded with IKEView.exe and it will tell you exactly where things are wrong.
    Disabling/turning off kilobyte timeouts is not the solution.

  • Transfer files between ASA and a host across a VPN

    Hello Guys,
    I have a Remote Access VPN between an ASA and a Windows PC. The issue I'm seeing is that I can't transfer files between the ASA and my PC across the VPN.
    At first I thought that the size of the file and some issue with my ADSL service bandwidth could be the problem. However, I tried to copy the running config of the ASA to my PC and that is also impossible. I received this error:
    ASA# copy running-config tftp:
    Source filename [running-config]?
    Address or name of remote host []? 10.10.10.2   ----> This is the address of my PC over the VPN tunnel
    Destination filename [running-config]? ASA-Config04032014
    Cryptochecksum: f5a9f8cb 9f63b2e5 e8c99e36 9498cb50
    %Error writing tftp://10.10.10.2/ASA-Config04032014 (Timed out attempting to connect)
    Has anybody had this kind of problem before?
    Thanks in advance,

    I was wondering if I transfer files between a PC and Mac via Ethernet cable can I reverse the transfer from a Mac to a Pc?
    Yes. Start Windows File Sharing on the Mac and then access it on the PC.
