EasyVPN: crypto ipsec client ezvpn xauth
Hi
Every time I reboot an EasyVPN client it prompts for a username and password, asking me to enter the following command: "crypto ipsec client ezvpn xauth".
How do I make the connection persistent, so that it won't ask for a username and password on the next reboot?
I am using a Cisco 877 router as the EasyVPN server and a Cisco 877 router as the EasyVPN client.
My Easy VPN server configuration (Cisco 877) is as follows:
sh run
Building configuration...
Current configuration : 2306 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
boot-start-marker
boot-end-marker
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
dot11 syslog
ip cef
ip name-server 139.130.4.4
ip name-server 203.50.2.71
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall rtsp
multilink bundle-name authenticated
username cisco password 5 121A0C0411045D5679
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group vpngrp
key cisco123
save-password
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
set transform-set myset
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
archive
log config
hidekeys
interface Loopback10
ip address 192.168.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
dsl operating-mode auto
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Vlan1
no ip address
ip nat inside
ip virtual-reassembly
shutdown
interface Dialer0
mtu 1460
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname [email protected]
ppp chap password
crypto map clientmap
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
ip dns server
control-plane
line con 0
no modem enable
line aux 0
line vty 0 4
scheduler max-task-time 5000
ntp clock-period 17182092
ntp server 202.83.64.3
end
My Cisco 877 router client configuration:
sh run
Building configuration...
Current configuration : 1919 bytes
! No configuration change since last restart
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname Goldcoast
boot-start-marker
boot-end-marker
no aaa new-model
dot11 syslog
ip cef
ip name-server 139.130.4.4
ip name-server 203.50.2.71
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall rtsp
multilink bundle-name authenticated
crypto ipsec client ezvpn ez
connect auto
group vpngrp key cisco123
mode network-extension
peer 165.228.130.43
xauth userid mode interactive
archive
log config
hidekeys
interface Loopback0
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
crypto ipsec client ezvpn ez inside
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
dsl operating-mode auto
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Vlan1
no ip address
ip nat inside
ip virtual-reassembly
shutdown
interface Dialer0
mtu 1460
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname [email protected]
ppp chap password
crypto ipsec client ezvpn ez
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
control-plane
line con 0
no modem enable
line aux 0
line vty 0 4
login
scheduler max-task-time 5000
ntp clock-period 17182119
ntp server 202.83.64.3
end
I am able to connect. But I want to make the connection dynamic rather than user-interactive. Please help me.
Siva.
Sorry for the late reply.
I am getting the following error after removing xauth. Here is the error:
May 14 12:43:47.020: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:47.020: EZVPN(ez): *** Logic Error ***
May 14 12:43:47.020: EZVPN(ez): Current State: READY
May 14 12:43:47.020: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:47.020: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:47.020: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=vpngrp Client_public_addr=Server_public_addr=
May 14 12:43:49.272: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:49.272: EZVPN(ez): *** Logic Error ***
May 14 12:43:49.272: EZVPN(ez): Current State: READY
May 14 12:43:49.272: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:49.272: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:49.272: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=vpngrp Client_public_addr=Server_public_addr=
May 14 12:43:51.620: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:51.620: EZVPN(ez): *** Logic Error ***
May 14 12:43:51.620: EZVPN(ez): Current State: READY
May 14 12:43:51.620: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:51.620: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:51.624: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=vpngrp Client_public_addr=Server_public_addr=
May 14 12:43:53.701: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:53.701: EZVPN(ez): *** Logic Error ***
May 14 12:43:53.701: EZVPN(ez): Current State: READY
May 14 12:43:53.701: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:53.701: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:53.701: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=vpngrp Client_public_addr= Server_public_addr=
May 14 12:43:55.989: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:55.989: EZVPN(ez): *** Logic Error ***
May 14 12:43:55.989: EZVPN(ez): Current State: READY
May 14 12:43:55.989: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:55.989: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:55.989: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=vpngrp Client_public_addr=Server_public_addr=
Goldcoast(config-crypto-ezvpn)#
May 14 12:43:58.009: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:58.009: EZVPN(ez): *** Logic Error ***
May 14 12:43:58.009: EZVPN(ez): Current State: READY
May 14 12:43:58.009: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:58.009: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:58.009: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=vpngrp Client_public_addr=Server_public_addr=
Thanks,
siva.
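Storing the xauth credentials on the client is what removes the prompt, at the cost of the VPN user's credentials living in the router configuration (anyone who can read that config holds them, so the account should carry no more rights on the server than the tunnel needs). The following is an added example, not from the original post or Siva's configs: it shows the client stanza with locally stored credentials next to the server group attribute it depends on, reusing the group, key, mode and peer from the Goldcoast config above; VPNUSER, VPNPASS and MASTERKEY-PLACEHOLDER are placeholders.

```cisco
! Added example (not from the original post). Client side first.
! Enable type 6 (AES) password storage so the stored xauth password is not
! kept in cleartext or type 7 form; the master key is a placeholder.
key config-key password-encrypt MASTERKEY-PLACEHOLDER
password encryption aes
!
crypto ipsec client ezvpn ez
 connect auto
 group vpngrp key cisco123
 mode network-extension
 peer 165.228.130.43
 ! "local" replaces "interactive": after a reload the xauth exchange is
 ! answered from the stored username/password, not from a console prompt.
 xauth userid mode local
 ! Entered as type 0; with password encryption aes enabled, IOS stores it
 ! as a type 6 secret in the running configuration.
 username VPNUSER password 0 VPNPASS
!
! Server side: the group must tell the client it may keep the password.
! The debug above ("Server does not allow save password option" right after
! MODE_CONFIG_REPLY) suggests the client did not see this attribute, so
! confirm it is present for the group the client actually joins.
crypto isakmp client configuration group vpngrp
 key cisco123
 save-password
```

After applying this on the client, `show crypto ipsec client ezvpn` should show the tunnel reaching IPSEC_ACTIVE on reload without a pending xauth request.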
Similar Messages
Policy-based L2L IPsec VPN - Need XAUTH problem
Hi,
I have a problem that I can see some solutions for, but they do not work.
I have a p2p IPsec VPN that worked before I added a remote access VPN configuration (which works perfectly).
As per the documentation, I employed isakmp policy to allow the mixed tunnels. Now, whenever I try to send traffic across the L2L link, I get the following debug results, which tell me the remote router is demanding XAUTH.
Sep 8 09:53:12: ISAKMP:(2015):Total payload length: 12
Sep 8 09:53:12: ISAKMP:(2015): sending packet to [source] my_port 500 peer_port 500 (R) MM_KEY_EXCH
Sep 8 09:53:12: ISAKMP:(2015):Sending an IKE IPv4 Packet.
Sep 8 09:53:12: ISAKMP:(2015):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Sep 8 09:53:12: ISAKMP:(2015):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
Sep 8 09:53:12: ISAKMP:(2015):Need XAUTH
Sep 8 09:53:12: ISAKMP: set new node 1635909437 to CONF_XAUTH
Sep 8 09:53:12: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
Sep 8 09:53:12: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
Sep 8 09:53:12: ISAKMP:(2015): initiating peer config to [source]. ID = 1635909437
Sep 8 09:53:12: ISAKMP:(2015): sending packet to [source] my_port 500 peer_port 500 (R) CONF_XAUTH
Sep 8 09:53:12: ISAKMP:(2015):Sending an IKE IPv4 Packet.
Sep 8 09:53:12: ISAKMP:(2015):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Sep 8 09:53:12: ISAKMP:(2015):Old State = IKE_P1_COMPLETE New State = IKE_XAUTH_REQ_SENT
Sep 8 09:53:12: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH
Sep 8 09:53:20: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH
Sep 8 09:53:27: ISAKMP:(2015): retransmitting phase 2 CONF_XAUTH 1635909437 ...
Sep 8 09:53:27: ISAKMP (2015): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
Sep 8 09:53:27: ISAKMP (2015): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
Sep 8 09:53:27: ISAKMP:(2015): retransmitting phase 2 1635909437 CONF_XAUTH
Sep 8 09:53:27: ISAKMP:(2015): sending packet to [source] my_port 500 peer_port 500 (R) CONF_XAUTH
Sep 8 09:53:27: ISAKMP:(2015):Sending an IKE IPv4 Packet.
Sep 8 09:53:28: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH
Sep 8 09:53:36: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH
Sep 8 09:53:42: ISAKMP:(2015): retransmitting phase 2 CONF_XAUTH 1635909437 ...
Sep 8 09:53:42: ISAKMP (2015): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
Sep 8 09:53:42: ISAKMP (2015): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
Sep 8 09:53:42: ISAKMP:(2015): retransmitting phase 2 1635909437 CONF_XAUTH
Sep 8 09:53:42: ISAKMP:(2015): sending packet to [source] my_port 500 peer_port 500 (R) CONF_XAUTH
Sep 8 09:53:42: ISAKMP:(2015):Sending an IKE IPv4 Packet.
Sep 8 09:53:44: ISAKMP (2015): received packet from [source] dport 500 sport 500 Global (R) CONF_XAUTH
Sep 8 09:53:44: ISAKMP: set new node 2054552354 to CONF_XAUTH
Sep 8 09:53:44: ISAKMP:(2015): processing HASH payload. message ID = 2054552354
Sep 8 09:53:44: ISAKMP:(2015): processing DELETE payload. message ID = 2054552354
Sep 8 09:53:44: ISAKMP:(2015):peer does not do paranoid keepalives.
So it looks like Phase 1 is completing sans XAUTH.
Here are my crypto configurations:
crypto keyring s2s
pre-shared-key address [source] key [key]
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp policy 5
encr 3des
authentication pre-share
lifetime 28800
crypto isakmp policy 10
authentication pre-share
lifetime 28800
crypto isakmp client configuration group [RA_GROUP]
key [key2]
dns 192.168.7.7
wins 192.168.7.222
domain ninterface.com
pool SDM_POOL_1
acl 100
max-users 6
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group [RA_GROUP]
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
crypto isakmp profile ISA_PROF
keyring s2s
match identity address [source] 255.255.255.255
crypto isakmp profile softclient
match identity group [RA_GROUP]
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_grop_ml_1
client configuration address respond
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set VPN_T_BW esp-3des esp-sha-hmac
crypto ipsec transform-set MY-SET esp-aes 256 esp-sha-hmac
crypto ipsec transform-set trans-rem esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec df-bit clear
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
crypto dynamic-map [RA_GROUP] 77
set transform-set trans-rem
set isakmp-profile softclient
reverse-route
crypto map clientmap client authentication list RAD_GRP
crypto map clientmap isakmp authorization list rtr-remote
crypto map clientmap client configuration address respond
crypto map clientmap 77 ipsec-isakmp dynamic [RA_GROUP]
crypto map [RA_GROUP] client configuration address respond
crypto map remote-map isakmp authorization list rtr-remote
crypto map rtp 10 ipsec-isakmp
set peer [source]
set transform-set MY-SET
set pfs group2
match address 111
It's a bit of a dog's breakfast, as I am just now implementing policy.
I was successful at blocking xauth before I was using policy by adding no_xauth to the end of my key statement, but I cannot work out how to add this while using policy.
I'm betting it's something simple I've missed.
Thanks for your help!
Ok, so on investigation I can see that my 3am hack job was worse than I thought :|
I can see that above I have 2 different crypto maps where I thought I had combined them into one. I have now changed
crypto map rtp 10 ipsec-isakmp
set peer [source]
set transform-set MY-SET
set pfs group2
match address 111
to
crypto map clientmap 10 ipsec-isakmp
set peer [source]
set transform-set MY-SET
set pfs group2
match address 111
Still getting the same problem, so I'll keep investigating, but if anything sticks out let me know.
b
Hello,
I am trying to use an Easy VPN connection on a Cisco 800 router from a remote Cisco VPN client on a laptop. I don't know if it's important, but I get some errors when debugging isakmp and ipsec, and I would like to know why they appear when connecting through EZVPN.
This router is configured with several site-to-site VPN connections and should use an isakmp profile to allow both types of VPN. The config I have finally used, from reading posts and docs, is:
aaa new-model
aaa authentication login RAVPNAUTH local
aaa authorization network RAVPNAUTH local
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp policy 20
encr aes
authentication pre-share
group 2
lifetime 3600
##### crypto isakmp keys of site-to-site VPNs #####
crypto isakmp key ********** address **********
crypto isakmp key ********** address **********
crypto isakmp client configuration group RAVPNGRPRD
key RAVPNkey
pool RAVPNPoolRD
acl RAVPNRDACL
crypto isakmp profile RAVPNRD
match identity group RAVPNGRPRD
client authentication list RAVPNAUTH
isakmp authorization list RAVPNAUTH
client configuration address respond
#### crypto ipsec transforms ####
crypto ipsec transform-set vpn000 esp-3des esp-md5-hmac
crypto ipsec transform-set vpn001 esp-3des esp-md5-hmac
crypto ipsec transform-set vpn002 esp-3des esp-md5-hmac
crypto ipsec transform-set RAVPNRD esp-aes esp-sha-hmac
crypto dynamic-map DYNRAVPNRD 10
set transform-set RAVPNRD
set isakmp-profile RAVPNRD
reverse-route
#### site-to-site crypto map tunnels ####
crypto map tunel 10 ipsec-isakmp
set peer peer-ip00
set transform-set vpn000
set pfs group2
match address 106
crypto map tunel 20 ipsec-isakmp
set peer peer-ip01
set transform-set vpn001
match address 161
crypto map tunel 1000 ipsec-isakmp dynamic DYNRAVPNRD
username USR password ....
interface ATM0.1 point-to-point
crypto map tunel
ip local pool RAVPNPoolRD 192.168.120.1 192.168.120.6
and the errors presented when debugging:
These occur when connecting from the Cisco VPN Client; it connects OK and asks for user and password.
.Mar 12 13:06:24: ISAKMP:(0):Encryption algorithm offered does not match policy!
.Mar 12 13:06:24: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Mar 12 13:06:24: ISAKMP:(0):Encryption algorithm offered does not match policy!
.Mar 12 13:06:24: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Mar 12 13:06:24: ISAKMP:(0):Encryption algorithm offered does not match policy!
.Mar 12 13:06:24: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Mar 12 13:06:24: ISAKMP:(0):Encryption algorithm offered does not match policy!
.Mar 12 13:06:24: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Mar 12 13:06:24: ISAKMP:(0):Encryption algorithm offered does not match policy!
.Mar 12 13:06:24: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Mar 12 13:06:24: ISAKMP:(0):Encryption algorithm offered does not match policy!
.Mar 12 13:06:24: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Mar 12 13:06:24: ISAKMP:(0):Encryption algorithm offered does not match policy!
.Mar 12 13:06:24: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Mar 12 13:06:24: ISAKMP:(0):Encryption algorithm offered does not match policy!
.Mar 12 13:06:24: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Mar 12 13:06:24: ISAKMP:(0):Hash algorithm offered does not match policy!
.Mar 12 13:06:24: ISAKMP:(0):atts are not acceptable. Next payload is 3 Unknown Attr: 0x700C Unknown Attr: 0x7005
.Mar 12 13:06:28: ISAKMP (0/2290): Unknown Attr: CONFIG_MODE_UNKNOWN (0x700C)
.Mar 12 13:06:28: ISAKMP (0/2290): Unknown Attr: MODECFG_HOSTNAME (0x700A)
.Mar 12 13:06:28: ISAKMP (0/2290): Unknown Attr: CONFIG_MODE_UNKNOWN (0x7005)
.Mar 12 13:06:29: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes 256 esp-md5-hmac comp-lzs }
.Mar 12 13:06:29: ISAKMP:(2290): IPSec policy invalidated proposal with error 256
.Mar 12 13:06:29: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes 256 esp-sha-hmac comp-lzs }
.Mar 12 13:06:29: ISAKMP:(2290): IPSec policy invalidated proposal with error 256
.Mar 12 13:06:29: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes esp-md5-hmac comp-lzs }
.Mar 12 13:06:29: ISAKMP:(2290): IPSec policy invalidated proposal with error 256
.Mar 12 13:06:29: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes esp-sha-hmac comp-lzs }
.Mar 12 13:06:29: ISAKMP:(2290): IPSec policy invalidated proposal with error 256
.Mar 12 13:06:29: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes 256 esp-md5-hmac }
.Mar 12 13:06:29: ISAKMP:(2290): IPSec policy invalidated proposal with error 256
.Mar 12 13:06:29: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes 256 esp-sha-hmac }
.Mar 12 13:06:29: ISAKMP:(2290): IPSec policy invalidated proposal with error 256
.Mar 12 13:06:29: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes esp-md5-hmac }
.Mar 12 13:06:29: ISAKMP:(2290): IPSec policy invalidated proposal with error 256
Is this a normal process of matching isakmp and ipsec policies or am I missing anything?
Regards
Hi there,
Your IPsec proposal is:
crypto ipsec transform-set RAVPNRD esp-aes esp-sha-hmac
You are not using AES-256; since the client tries all the options available, you will see these logs in the ASA.
Hope to help.
Portu.
Please rate any helpful posts.
Cisco ASA 5505 IPsec client VPN - Cannot connect to local hosts
I have created a Cisco IPsec vpn on my ASA using the VPN creation wizard. I am able to successfully connect to the vpn and seemingly join the network, but after I connect I am unable to connect to or ping any of the hosts on the network.
Checking the ASA I can see that a VPN session is open and my client reports that it is connected. If I attempt to ping the client from the ASA all packets are dropped.
I suspect it may be an issue with my firewall, but I am not really sure where to begin.
Here is a copy of my config; any pointers or tips are appreciated:
hostname mcfw
enable password Pt8fQ27yMZplioYq encrypted
passwd 2qaO2Gd6IBRkrRFm encrypted
names
interface Ethernet0/0
switchport access vlan 400
interface Ethernet0/1
switchport access vlan 400
interface Ethernet0/2
switchport access vlan 420
interface Ethernet0/3
switchport access vlan 420
interface Ethernet0/4
switchport access vlan 450
interface Ethernet0/5
switchport access vlan 450
interface Ethernet0/6
switchport access vlan 500
interface Ethernet0/7
switchport access vlan 500
interface Vlan400
nameif outside
security-level 0
ip address 58.13.254.10 255.255.255.248
interface Vlan420
nameif public
security-level 20
ip address 192.168.20.1 255.255.255.0
interface Vlan450
nameif dmz
security-level 50
ip address 192.168.10.1 255.255.255.0
interface Vlan500
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
ftp mode passive
clock timezone JST 9
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
network-object host 58.13.254.11
network-object host 58.13.254.13
object-group service ssh_2220 tcp
port-object eq 2220
object-group service ssh_2251 tcp
port-object eq 2251
object-group service ssh_2229 tcp
port-object eq 2229
object-group service ssh_2210 tcp
port-object eq 2210
object-group service DM_INLINE_TCP_1 tcp
group-object ssh_2210
group-object ssh_2220
object-group service zabbix tcp
port-object range 10050 10051
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
group-object zabbix
port-object eq 9000
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service http_8029 tcp
port-object eq 8029
object-group network DM_INLINE_NETWORK_2
network-object host 192.168.20.10
network-object host 192.168.20.30
network-object host 192.168.20.60
object-group service imaps_993 tcp
description Secure IMAP
port-object eq 993
object-group service public_wifi_group
description Service allowed on the Public Wifi Group. Allows Web and Email.
service-object tcp-udp eq domain
service-object tcp-udp eq www
service-object tcp eq https
service-object tcp-udp eq 993
service-object tcp eq imap4
service-object tcp eq 587
service-object tcp eq pop3
service-object tcp eq smtp
access-list outside_access_in remark http traffic from outside
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq www
access-list outside_access_in remark ssh from outside to web1
access-list outside_access_in extended permit tcp any host 58.13.254.11 object-group ssh_2251
access-list outside_access_in remark ssh from outside to penguin
access-list outside_access_in extended permit tcp any host 58.13.254.10 object-group ssh_2229
access-list outside_access_in remark http from outside to penguin
access-list outside_access_in extended permit tcp any host 58.13.254.10 object-group http_8029
access-list outside_access_in remark ssh from outside to hub & studio
access-list outside_access_in extended permit tcp any host 58.13.254.13 object-group DM_INLINE_TCP_1
access-list outside_access_in remark dns service to hub
access-list outside_access_in extended permit object-group TCPUDP any host 58.13.254.13 eq domain
access-list dmz_access_in extended permit ip 192.168.10.0 255.255.255.0 any
access-list dmz_access_in extended permit tcp any host 192.168.10.251 object-group DM_INLINE_TCP_2
access-list public_access_in remark Web access to DMZ websites (mediastudio/civicrm)
access-list public_access_in extended permit object-group TCPUDP any object-group DM_INLINE_NETWORK_2 eq www
access-list public_access_in remark General web access. (HTTP, DNS & ICMP and Email)
access-list public_access_in extended permit object-group public_wifi_group any any
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.0.80 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.0.64 255.255.255.192
pager lines 24
logging enable
logging timestamp
logging buffered notifications
logging trap notifications
logging asdm debugging
logging from-address [email protected]
logging recipient-address [email protected] level warnings
logging host dmz 192.168.10.90 format emblem
logging permit-hostdown
mtu outside 1500
mtu public 1500
mtu dmz 1500
mtu inside 1500
ip local pool OfficePool 192.168.0.80-192.168.0.90 mask 255.255.255.0
ip local pool VPN_Pool 192.168.0.91-192.168.0.99 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 60
global (outside) 1 interface
global (dmz) 2 interface
nat (public) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 2229 192.168.0.29 2229 netmask 255.255.255.255
static (inside,outside) tcp interface 8029 192.168.0.29 www netmask 255.255.255.255
static (dmz,outside) 58.13.254.13 192.168.10.10 netmask 255.255.255.255 dns
static (dmz,outside) 58.13.254.11 192.168.10.30 netmask 255.255.255.255 dns
static (inside,dmz) 192.168.10.0 192.168.0.0 netmask 255.255.255.0 dns
static (dmz,inside) 192.168.0.251 192.168.10.251 netmask 255.255.255.255
static (dmz,public) 192.168.20.30 192.168.10.30 netmask 255.255.255.255 dns
static (dmz,public) 192.168.20.10 192.168.10.10 netmask 255.255.255.255 dns
access-group outside_access_in in interface outside
access-group public_access_in in interface public
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 58.13.254.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.0 inside
http 59.159.40.188 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp dmz
sysopt noproxyarp inside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map public_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map public_map interface public
crypto isakmp enable outside
crypto isakmp enable public
crypto isakmp enable inside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 59.159.40.188 255.255.255.255 outside
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 20
console timeout 0
dhcpd dns 61.122.112.97 61.122.112.1
dhcpd auto_config outside
dhcpd address 192.168.20.200-192.168.20.254 public
dhcpd enable public
dhcpd address 192.168.10.190-192.168.10.195 dmz
dhcpd enable dmz
dhcpd address 192.168.0.200-192.168.0.254 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics host number-of-rate 2
no threat-detection statistics tcp-intercept
ntp server 130.54.208.201 source public
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 61.122.112.97 61.122.112.1
vpn-tunnel-protocol l2tp-ipsec
group-policy CiscoASA internal
group-policy CiscoASA attributes
dns-server value 61.122.112.97 61.122.112.1
vpn-tunnel-protocol IPSec
username mcit password 4alT9CZ8ayD8O8Xg encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
address-pool VPN_Pool
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group ocmc type remote-access
tunnel-group ocmc general-attributes
address-pool OfficePool
tunnel-group ocmc ipsec-attributes
pre-shared-key *****
tunnel-group CiscoASA type remote-access
tunnel-group CiscoASA general-attributes
address-pool VPN_Pool
default-group-policy CiscoASA
tunnel-group CiscoASA ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
smtp-server 192.168.10.10
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:222d6dcb583b5f5abc51a2251026f7f2
: end
asdm location 192.168.10.10 255.255.255.255 inside
asdm location 192.168.0.29 255.255.255.255 inside
asdm location 58.13.254.10 255.255.255.255 inside
no asdm history enable
Hi Conor,
What is your local net? I see only one default route for the outside network. Don't you need a route inside for your local network?
Regards,
Umair
PFS shown as disabled in 'show crypto ipsec sa' even though configured
Hi,
I have PFS configured (at least I think) but when I do a 'show crypto ipsec sa', it says 'PFS: N' ...
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 1.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/47/0)
current_peer 2.2.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 163, #pkts encrypt: 163, #pkts digest: 163
#pkts decaps: 340, #pkts decrypt: 340, #pkts verify: 340
#pkts compressed: 5, #pkts decompressed: 8
#pkts not compressed: 157, #pkts compr. failed: 1
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
path mtu 1500, ip mtu 1500, ip mtu idb Port-channel1.10
current outbound spi: 0x2093BFD5(546553813)
PFS (Y/N): N, DH group: none
Here's the relevant config:
crypto isakmp policy 10
encr aes 256
hash sha256
authentication pre-share
group 20
lifetime 3600
crypto ipsec transform-set vpn-s2s-ts esp-aes 256 esp-sha256-hmac comp-lzs
mode transport require
crypto ipsec profile vpn-s2s
set transform-set vpn-s2s-ts
set pfs group20
interface Tunnel0
tunnel protection ipsec profile vpn-s2s
A 'show crypto map' shows it enabled AFAICT:
Crypto Map IPv4 "Tunnel0-head-0" 65537 ipsec-isakmp
Map is a PROFILE INSTANCE.
Peer = 2.2.2.2
Extended IP access list
access-list permit gre host 1.1.1.1 host 2.2.2.2
Current peer: 2.2.2.2
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group20
Transform sets={
vpn-s2s-ts: { esp-256-aes esp-sha256-hmac } , { comp-lzs } ,
Interfaces using crypto map Tunnel0-head-0:
Tunnel0
Any idea ?
Cheers,
Sylvain
Hi,
I have the same problem with an ASR1001, running asr1001-universalk9.03.10.03.S.153-3.S3-ext.bin.
I am using IKEv2 and IPSec with PFS group20. Here's the relevant config (lab):
crypto ikev2 proposal ikev2-prop_1
encryption aes-cbc-256
integrity sha512
group 20
crypto ikev2 policy ikev2-pol_1
match address local 10.10.0.1
proposal ikev2-prop_1
crypto ikev2 profile ikev2-prof_1
match address local interface GigabitEthernet0/0/1
match identity remote address 10.10.0.2 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local keyring_1
dpd 10 3 on-demand
crypto ipsec profile ipsec-prof_1
set transform-set tset_1
set pfs group20
set ikev2-profile ikev2-prof_1
interface Tunnel1
ip address 10.20.0.1 255.255.255.252
tunnel source GigabitEthernet0/0/1
tunnel destination 10.10.0.2
tunnel protection ipsec profile ipsec-prof_1
As soon as the IPSec SA is established, the "show crypto ipsec sa" command shows:
PFS (Y/N): N, DH group: none
But after the first rekeying (after default time of 3600 secs) it shows:
PFS (Y/N): Y, DH group: group20
I consider this a cosmetic problem only, since PFS is doing its job. This can be seen from the debugs during the first rekeying:
000492: Jul 2 11:20:41.790 CEST: IKEv2:(SESSION ID = 210,SA ID = 2):Checking for PFS configuration
000493: Jul 2 11:20:41.790 CEST: IKEv2:(SESSION ID = 210,SA ID = 2):PFS configured, DH group 20
000494: Jul 2 11:20:41.790 CEST: IKEv2:(SESSION ID = 210,SA ID = 2):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 20
000495: Jul 2 11:20:41.798 CEST: IKEv2:(SA ID = 2):[Crypto Engine -> IKEv2] DH key Computation PASSED
000496: Jul 2 11:20:41.798 CEST: IKEv2:(SESSION ID = 210,SA ID = 2):Request queued for computation of DH secret
000497: Jul 2 11:20:41.798 CEST: IKEv2:(SESSION ID = 210,SA ID = 2):Checking if IKE SA rekey
000498: Jul 2 11:20:41.798 CEST: IKEv2:(SESSION ID = 210,SA ID = 2):Load IPSEC key material
000499: Jul 2 11:20:41.798 CEST: IKEv2:(SA ID = 2):[IKEv2 -> IPsec] Create IPsec SA into IPsec database -
Understanding output of sh crypto ipsec sa peer
Hi All,
I am a bit puzzled by why the remote ident and the remote crypto endpt. ID are different. I also noticed that the remote ident address matches the remote NBMA address, but not the remote crypto endpt. address. I really expected the remote crypto endpt. address to be the same as the remote ident address and the remote NBMA address (remote tunnel source address). Tunnel1 is an mGRE tunnel protected by IPSec.
Could anyone shed light on this?
Thanks,
David
Router#sh crypto ipsec sa peer 1.1.1.1
interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 2.2.2.2
protected vrf: (none)
local ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/47/0)
current_peer 1.1.1.1 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 7978837, #pkts encrypt: 7978837, #pkts digest: 7978837
#pkts decaps: 7286115, #pkts decrypt: 7286115, #pkts verify: 7286115
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 14644
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
path mtu 1514, ip mtu 1514, ip mtu idb Loopback2
current outbound spi: 0xB96E4FB1(3111014321)
inbound esp sas:
spi: 0xB1D02649(2983208521)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 3002, flow_id: Onboard VPN:2, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4501742/22874)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xB96E4FB1(3111014321)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 3001, flow_id: Onboard VPN:1, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4445656/22873)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
The output suggests you have NAT-T in the network and IPSec tunnel mode turned on. If the transform set is set to transport mode, clear the crypto sessions; then the remote ident and crypto endpoint will be the same address.
HTH,
Dan -
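Both of the questions above (the PFS flag in Sylvain's thread and David's remote ident versus remote crypto endpoint) come down to reading fields out of `show crypto ipsec sa` and comparing them with what the configuration promises. The following parser is an added example, not code from the thread or from Cisco: it splits the show output into per-interface SA blocks, pulls out the idents, the peer and port, the PFS line, the receive-error counter and the NAT-T indicators, and reports the discrepancies the thread discusses. The sample text is constructed from the outputs quoted above; the `audit` rules and the `expect_pfs_group` parameter are this example's own assumptions.

```python
"""Parse Cisco IOS 'show crypto ipsec sa' output and flag the surprises discussed above."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the two outputs quoted in the thread (not a live capture).
SAMPLE = """\
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 1.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/47/0)
   current_peer 2.2.2.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 163, #pkts encrypt: 163, #pkts digest: 163
    #send errors 0, #recv errors 0

     local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
     PFS (Y/N): N, DH group: none

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 2.2.2.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/47/0)
   current_peer 1.1.1.1 port 4500
     PERMIT, flags={origin_is_acl,}
    #send errors 0, #recv errors 14644

     local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1

     inbound esp sas:
      spi: 0xB1D02649(2983208521)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
"""


@dataclass
class IpsecSa:
    interface: str
    local_ident: Optional[str] = None
    remote_ident: Optional[str] = None
    peer: Optional[str] = None
    peer_port: Optional[int] = None
    remote_endpt: Optional[str] = None
    pfs: Optional[str] = None          # "Y" / "N" / None when the line is absent
    dh_group: Optional[str] = None
    recv_errors: int = 0
    nat_t: bool = False                # UDP port 4500 or UDP-Encaps in the SA settings


FIELD_PATTERNS = {
    "local_ident": re.compile(r"local\s+ident \(addr/mask/prot/port\): \((\S+?)/"),
    "remote_ident": re.compile(r"remote\s+ident \(addr/mask/prot/port\): \((\S+?)/"),
    "remote_endpt": re.compile(r"remote crypto endpt\.: (\S+)"),
}


def parse_show_crypto_ipsec_sa(text: str) -> List[IpsecSa]:
    """Return one IpsecSa per 'interface:' block in the show output."""
    sas = []
    for chunk in re.split(r"(?m)^\s*interface: ", text)[1:]:
        name, _, body = chunk.partition("\n")
        sa = IpsecSa(interface=name.strip())
        for attr, pattern in FIELD_PATTERNS.items():
            m = pattern.search(body)
            if m:
                setattr(sa, attr, m.group(1))
        m = re.search(r"current_peer (\S+) port (\d+)", body)
        if m:
            sa.peer, sa.peer_port = m.group(1), int(m.group(2))
        m = re.search(r"PFS \(Y/N\): ([YN]), DH group: (\S+)", body)
        if m:
            sa.pfs, sa.dh_group = m.group(1), m.group(2)
        m = re.search(r"#recv errors (\d+)", body)
        if m:
            sa.recv_errors = int(m.group(1))
        sa.nat_t = sa.peer_port == 4500 or "UDP-Encaps" in body
        sas.append(sa)
    return sas


def audit(sa: IpsecSa, expect_pfs_group: Optional[str] = None) -> List[str]:
    """Compare one SA with expectations; expect_pfs_group is the 'set pfs' value, if any."""
    findings = []
    if expect_pfs_group and sa.pfs != "Y":
        # The thread reports IOS showing N here until the first rekey even though PFS is negotiated.
        findings.append(f"{sa.interface}: profile sets pfs {expect_pfs_group} but SA shows "
                        f"PFS={sa.pfs}, DH group {sa.dh_group}")
    if sa.nat_t:
        findings.append(f"{sa.interface}: NAT-T in use (peer port {sa.peer_port})")
    if sa.remote_ident and sa.remote_endpt and sa.remote_ident != sa.remote_endpt:
        # In tunnel mode the crypto endpoint is the IKE peer address, which need not equal the ident.
        findings.append(f"{sa.interface}: remote ident {sa.remote_ident} differs from "
                        f"remote crypto endpoint {sa.remote_endpt}")
    if sa.recv_errors:
        findings.append(f"{sa.interface}: {sa.recv_errors} receive errors")
    return findings


if __name__ == "__main__":
    for sa in parse_show_crypto_ipsec_sa(SAMPLE):
        for line in audit(sa, expect_pfs_group="group20"):
            print(line)
```

Run against a real capture by pasting the output into `SAMPLE` or reading it from a file; the receive-error counter is worth tracking over time on its own, since a climbing count on an otherwise healthy SA usually points at replay-window drops or a peer that rekeyed without this side noticing.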
We're using Solaris 8, 9 & 10. (Mainly version 9)
We need to connect to our DMZ servers via an IPSEC tunnel, but the solution seems to be unstable and does not work properly from a UNIX Solaris workstation.
Is there an IPSEC client that will allow secure stable access to manage Web servers? We need to be able use X-base GUI over this tunnel.
Are you using a real IP-in-IP tunnel protected with IPsec? Or do you just want the IPsec protection? (Many vendors think all IPsec protection is a "tunnel", which is wrong.)
A few more details would be helpful here. And I'm sorry for not seeing this sooner.
Dan - Solaris IPsec developer -
I'm setting up DAP rules for AnyConnect clients. When I set the default policy to terminate, I get the right results from AnyConnect connections, but all IPSec clients cannot connect. I know I need to set up a DAP rule for IPSec clients to allow them through, but can't remember how to set that up.
Ok, that worked. Follow-up question though. So the only thing I'm looking at doing right now is setting up a policy to look at anti-virus and disallow if the signature is more than a week old. Works fine with the AnyConnect. But if I add that to the IPSec rule (app = ipsec and av exists (< 7 days)), it won't let the IPSec client connect at all. I seem to recall something about if we're doing posturing with the IPSec client, we have to use endpoint assessment or pre-login policy? Is that the case? It would be nice to do it all w/in one DAP rule.
Thanks
Brian -
Cisco IPSec Client - shared key size
Hello,
I have got a question concerning the Cisco IPSec Client.
Could you tell me, how large the key may be (max. 64 or 127 characters) ?
Thanks and regards
Patrick
Just to help somebody else facing an issue similar to this one.
Open the Advanced menu from the configured VPN in the Network Preferences and check 'Send all traffic over VPN connection'.
The problem is when you have a VPN that routes all the traffic: if you want specific routes they should be configured and passed on from the router.
I've configured and tested several VPN connections to a Cisco ASA without an issue when the routes are configured on it (vpn_net1, vpn_net2 and so on), but when the route isn't specified in the router it should be considered as a default route and this option needs to be checked. -
Crypto ipsec GRE tunnels dropped
Hi,
From time to time lots of tunnels drop down due to:
Feb 1 15:10:05 EET: CRYPTO_ENGINE: crypto_pak_coalesce: could not get buffer for new pak. requested size 24
Feb 1 15:10:05 EET: CRYPTO_ENGINE: crypto_pak_coalesce: could not get buffer for new pak. requested size 90
Can somebody help me ?
#sho crypto eli
Hardware Encryption : ACTIVE
Number of hardware crypto engines = 1
CryptoEngine VAM2+:1 details: state = Active
Capability : IPPCP, DES, 3DES, AES, RSA, IPv6
IKE-Session : 423 active, 5120 max, 0 failed
DH : 227 active, 5120 max, 0 failed
IPSec-Session : 746 active, 10230 max, 0 failed
Router:
Cisco 7206VXR (NPE-G1) processor (revision B) with 491520K/32768K bytes of memory.
To configure Generic Routing Encapsulation (GRE) over an IPSec tunnel between two routers, perform these steps:
Create a tunnel interface (the IP address of tunnel interface on both routers must be in the same subnet), and configure a tunnel source and tunnel destination under tunnel interface configuration, as shown:
interface Tunnel0
ip address 192.168.16.1 255.255.255.0
tunnel source
tunnel destination
Configure isakmp policies, as shown:
crypto isakmp policy 1
authentication pre-share
Configure pre share keys, as shown:
crypto isakmp key cisco123 address (Remote outside interface IP with 32 bit subnet mask)
Configure transform set, as shown:
crypto ipsec transform-set strong esp-3des esp-md5-hmac
Create a crypto ACL that permits GRE traffic from the outside interface of the local router to the outside interface of the remote router, as shown:
access-list 120 permit gre host (local outside interface ip) host (Remote outside interface IP)
Configure crypto map and bind transform set and crypto Access Control List (ACL) to crypto map. Define peer IP address under crypto map, as shown:
crypto map vpn 10 ipsec-isakmp
set peer
set transform-set strong
match address 120
Bind the crypto map to the physical (outside) interface if you are running Cisco IOS Software Release 12.2.15 or later. If not, then the crypto map must be applied to the tunnel interface as well as the physical interface, as shown:
interface Ethernet0/0
ip address
half-duplex
crypto map vpn
Configure Network Address Translation (NAT) bypass if needed, as shown:
access-list 175 deny ip (local private network) (subnet mask) (remote private network) (subnet mask)
access-list 175 permit ip (local private network) (subnet mask) any
route-map nonat permit 10
match ip address 175
exit
ip nat inside source route-map nonat interface (outside interface name) overload -
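The steps in the reply above leave the addresses as placeholders, and most failed first attempts at this setup come from the two ends not agreeing: tunnel addresses in different subnets, a mistyped pre-shared key, a crypto ACL that is not the mirror image of the peer's, or a NAT-bypass ACL written with a subnet mask where IOS expects a wildcard mask. The following is an added example (not from the reply, not Cisco tooling) that renders both ends of the configuration from one description of each site and checks those invariants before anything is pasted into a router. The site dictionaries and addresses are constructed (RFC 5737 documentation ranges); the transform set, ACL numbers and map names follow the reply.

```python
"""Render and sanity-check both ends of the GRE-over-IPsec setup described above."""
import ipaddress
from typing import Dict, List

# Constructed lab sites (documentation address ranges); replace with your own values.
SITE_A: Dict[str, str] = {"outside_if": "Ethernet0/0", "outside_ip": "203.0.113.1",
                          "tunnel_ip": "192.168.16.1", "tunnel_mask": "255.255.255.0",
                          "lan": "10.1.0.0/24", "psk": "EXAMPLE-PSK-CHANGE-ME"}
SITE_B: Dict[str, str] = {"outside_if": "Ethernet0/0", "outside_ip": "198.51.100.1",
                          "tunnel_ip": "192.168.16.2", "tunnel_mask": "255.255.255.0",
                          "lan": "10.2.0.0/24", "psk": "EXAMPLE-PSK-CHANGE-ME"}


def _wildcard(cidr: str) -> str:
    """IOS extended ACLs take 'network wildcard', not 'network subnet-mask'."""
    net = ipaddress.ip_network(cidr)
    return f"{net.network_address} {net.hostmask}"


def check_pair(a: Dict[str, str], b: Dict[str, str]) -> List[str]:
    """Return the consistency problems between the two ends (empty list when clean)."""
    problems = []
    ta = ipaddress.ip_interface(f"{a['tunnel_ip']}/{a['tunnel_mask']}")
    tb = ipaddress.ip_interface(f"{b['tunnel_ip']}/{b['tunnel_mask']}")
    if ta.network != tb.network:
        problems.append(f"tunnel addresses {ta} and {tb} are not in the same subnet")
    if ta.ip == tb.ip:
        problems.append("both tunnel interfaces use the same address")
    if a["outside_ip"] == b["outside_ip"]:
        problems.append("outside addresses are identical; tunnel source and destination collide")
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ; ISAKMP phase 1 will fail")
    if ipaddress.ip_network(a["lan"]).overlaps(ipaddress.ip_network(b["lan"])):
        problems.append(f"LAN prefixes {a['lan']} and {b['lan']} overlap")
    return problems


def render(site: Dict[str, str], peer: Dict[str, str]) -> str:
    """IOS configuration for one end; call with the arguments swapped for the other end."""
    return "\n".join([
        "crypto isakmp policy 1",
        " authentication pre-share",
        # The key is bound to the peer's outside address with a host (/32) mask.
        f"crypto isakmp key {site['psk']} address {peer['outside_ip']} 255.255.255.255",
        "crypto ipsec transform-set strong esp-3des esp-md5-hmac",
        # Crypto ACL: GRE between the two outside addresses, mirrored on the peer.
        f"access-list 120 permit gre host {site['outside_ip']} host {peer['outside_ip']}",
        "crypto map vpn 10 ipsec-isakmp",
        f" set peer {peer['outside_ip']}",
        " set transform-set strong",
        " match address 120",
        "interface Tunnel0",
        f" ip address {site['tunnel_ip']} {site['tunnel_mask']}",
        f" tunnel source {site['outside_ip']}",
        f" tunnel destination {peer['outside_ip']}",
        f"interface {site['outside_if']}",
        " crypto map vpn",
        # NAT bypass: deny site-to-site traffic first, then overload the rest.
        f"access-list 175 deny ip {_wildcard(site['lan'])} {_wildcard(peer['lan'])}",
        f"access-list 175 permit ip {_wildcard(site['lan'])} any",
        "route-map nonat permit 10",
        " match ip address 175",
        f"ip nat inside source route-map nonat interface {site['outside_if']} overload",
    ])


if __name__ == "__main__":
    for problem in check_pair(SITE_A, SITE_B):
        print("PROBLEM:", problem)
    print(render(SITE_A, SITE_B))
```

The transform set is kept as the reply gives it; on current IOS releases an AES/SHA-2 transform set is the one to use, and the ISAKMP policy should also state the encryption, hash and DH group explicitly rather than relying on the defaults.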
Windows 7 32 b ipsec client to RV220W error 789
Hello,
I try to connect to the RV220W with a Windows 7 client but I fail: error 789. I compare the pre-shared key again and again, but it doesn't change anything.
Has anybody connected to the RV220W with an IPsec client?
Thanks
GF, this is not an IPsec VPN and it is not as secure. The only built-in Windows support in regards to connecting to the router will be PPTP.
If you're looking for IPsec, you need to use quickvpn (free Cisco software) or a 3rd party software such as greenbow, shrewsoft, ipsecuritas, etc.
-Tom
Please rate helpful posts -
Wrv210 + ipsec client config
Has anyone managed to get the WRV210 to work with IPsec clients such as NCP or Greenbow?
If so, can you post the config of the client and the WRV IPsec VPN section?
Straight from Greenbow's website.
How to Configure WRV200/ WRV210 to work with the Greenbow client. -
Do I need 'crypto ipsec df-bit clear'?
I have a VPN tunnel between an 871 and 877, the tunnel seems to be fine, but checking the tunnel using SDM shows an error.
Checking the tunnel status... Up
Encapsulation :330231
Decapsulation :393226
Send Error :7939
Received Error :0
A ping with data size of this VPN interface MTU size and 'Do not Fragment' bit set to the other end VPN device is failing. This may happen if there is a lesser MTU network which drops the 'Do not Fragmet' packets.
1)Contact your ISP/Administrator to resolve this issue. 2)Issue the command 'crypto ipsec df-bit clear' under the VPN interface to avoid packets drop due to fragmentation.
Are the send errors anything to worry about?
Do I need to issue the 'crypto ipsec df-bit clear' on the routers?
Any info would be much appreciated.
Thanks
Gareth
Hi Rick
I've got a list of ICMP types from typing 'permit icmp any any ?' in IOS... there's quite a list, 57!!
How should I decide which ones to allow and which ones to block? I don't even know what they mean :-) Does Cisco publish any recommendations?
bim7dsl(config-ext-nacl)#permit icmp any any ?
<0-255> ICMP message type
administratively-prohibited Administratively prohibited
alternate-address Alternate address
conversion-error Datagram conversion
dod-host-prohibited Host prohibited
dod-net-prohibited Net prohibited
echo Echo (ping)
echo-reply Echo reply
fragments Check non-initial fragments
general-parameter-problem Parameter problem
host-isolated Host isolated
host-precedence-unreachable Host unreachable for precedence
host-redirect Host redirect
host-tos-redirect Host redirect for TOS
host-tos-unreachable Host unreachable for TOS
host-unknown Host unknown
host-unreachable Host unreachable
information-reply Information replies
information-request Information requests
log Log matches against this entry
log-input Log matches against this entry, including input interface
mask-reply Mask replies
mask-request Mask requests
mobile-redirect Mobile host redirect
net-redirect Network redirect
net-tos-redirect Net redirect for TOS
net-tos-unreachable Network unreachable for TOS
net-unreachable Net unreachable
network-unknown Network unknown
no-room-for-option Parameter required but no room
option Match packets with given IP Options value
option-missing Parameter required but not present
packet-too-big Fragmentation needed and DF set
parameter-problem All parameter problems
port-unreachable Port unreachable
precedence Match packets with given precedence value
precedence-unreachable Precedence cutoff
protocol-unreachable Protocol unreachable
reassembly-timeout Reassembly timeout
redirect All redirects
reflect Create reflexive access list entry
router-advertisement Router discovery advertisements
router-solicitation Router discovery solicitations
source-quench Source quenches
source-route-failed Source route failed
time-exceeded All time exceededs
time-range Specify a time-range
timestamp-reply Timestamp replies
timestamp-request Timestamp requests
tos Match packets with given TOS value
traceroute Traceroute
ttl-exceeded TTL exceeded
unreachable All unreachables
Would it be better to permit all icmp where the source is the other end of my VPN, a known fixed IP? And then deny icmp from elsewhere?
Thanks for all your help on this.
Gareth -
Edit Anyconnect IPSEC Client text
Hi
I am trying to edit the text in the AnyConnect client for new and existing users of the client who make IPSEC connections to my ASA.
I have followed the following cisco document:-
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac11customize.html
I want to edit the text in the box which prompts you for group, username and password having clicked connect following the applications launch. I want Password: to change to Token Number:
Following the above document I have edited the template in
Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Customization/Localization > GUI Text and Messages
I changed the following by adding an entry in the quotation marks for msgstr
#: 0300000000000000e4fe180003000000
#: 0300000000000000e4fe180003000000
msgid "Password:"
msgstr "Token Number:"
Following saving the changes on the ASA I have uninstalled the IPSEC Any Connect client on my client machine and reinstalled it. The change is not recognised in the reinstalled client and I presume this is because the information isn't pulled down from the ASA each time a new connection is established.
Any help would be great
thanks
Can anyone offer any advice as to how to change the text in the AnyConnect login box?
-
How to install IPSec Client Certificate for Apple products (iPad, iPhone and Mac)
We need IPsec VPN client authentication with a certificate (instead of a pre-shared key). We tested the same with a Windows client and it works fine. However, when we used the same certificates with Apple products (iPad, iPhone and Mac) it doesn't work.
We have two types of certificates installed on the client from the CA server.
One is the root certificate with the extension .cer
and the other one is the client certificate with the extension .pfx (personal information exchange)
We cannot find a proper document on installing certificates and client configuration for iPad, iPhone and Mac. We need to know what type of certificates are needed, what the certificate formats are, how to install them, etc.
Appreciate it if someone who has implemented this can share any documents.
thanks
This will be helpful for you:
http://images.apple.com/iphone/business/docs/iOS_Certificates_Mar12.pdf
Manish