Generic TCP proxy?
My ISP has a bad configured proxy under my connection, filtering HTTP (80).
This means that many sites report me as banned, even If I never visited them. I wanted to know if exists something like a generic tcp proxy, to send all my conections there.
I own a VPS server on lineo (london datacenter), and I have the idea of turning it in my personal proxy. Can I do it with iptables rules?
I know the existence of squid, but I've heard its only HTTP, and also a madness to configure.
suggestions?
A VPN set as the default route would probably work. I imagine there are instructions on the wiki for this.
You can also use tsocks + SSH. There is an option to force tsocks to load with every program.
Similar Messages
-
Best Performance: HTTP accelerator or generic tcp proxy
Hi,
We want to publish an application based on HTTPS. ( vmware view). Which would be a better choice, the HTTP accelerator, or the Generic TCP proxy, in terms of performance (lowest latency) ?
Kind regards,
HenHi,
I am unable to identify a bottleneck.
The proxy is generally performing fine, only the vmware view connection through generic TCP proxy shows a delay.
Kind regards,
Hen
Originally Posted by phxazcraig
In article <[email protected]>, Hennys wrote:
> I had not yet done the tuneup.ncf. Have done it now, see if it makes
> any difference. other things were already done according to tip 23.
>
The tuneup settings are from Novell, and they work together with proxy
settings to allow the proxy to work faster, and handle heavier loads.
Have a look at the proxy console statistics and see if you can get an
idea if there is a bottleneck somewhere. Perhaps disk I/O. Perhaps a
DNS server problem (check proxy console option 4).
Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to Craig Johnson Consulting - BorderManager, NetWare, and More *** -
Generic TCP proxy: how to create Access rule ?
Hi,
I have configured a Generic TCP proxy on the public address, port 6300 of our bordermanager server that points to an internal server 192.168.10.148 on port 80. I have configured the filter exceptions for port 6300.
I have also tried to create an ACL rule to give everyone on the internet access to the Generic TCP in different ways, but I'm unable to succeed. I can see in the proxy statistics, number of ACL denials increasing each time I try to connect so the problem is in the ACL rule.
The rule I think should be right but isn't working is the following:
Allow:
source: host Ip Addresses:
IP: equals any (the Internet)
Destination: Host IP addresses:
192.168.10.148 (the internal server)
Origin server port:
6300 (the port on the public interface on which the Generic TCP proxy is listening).
What am I doing wrong ?hennys,
It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.
Has your problem been resolved? If not, you might try one of the following options:
- Visit http://support.novell.com and search the knowledgebase and/or check all
the other self support options and support programs available.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.novell.com)
Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.novell.com/faq.php
If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.
Good luck!
Your Novell Product Support Forums Team
http://support.novell.com/forums/ -
Generic TPC proxy & terminal server
Hi :
I am using Generic TCP to forward a TS request that os a TS server that is behind a Bordermanager 3.8 SP1.
Is that correct to use ?
I have a slow response, like it buffers for a time and then releases everything.
Is there anything to do or to fine tune that or is a bug or ma misconfiguration ?
Regards
CalilIn article <[email protected]>, Calil wrote:
> I am using Generic TCP Proxy to forward TS requests to a TS server that
> is behind a Bordermanager 3.8 SP1.
> Is that correct to use ?
I do it a lot. I prefer NAT, but generic proxy works fine. (NAT works
even if proxy isn't loaded...)
> I have a slow response to the users that are in the Internet accessing
> that TS server, it seems that Border server is buffering data for a time
> and then releasing everything, so If open a notepad, I type a keystroke,
> I wait for a while and then I see the characters.
That is not normal in my experience, unless your internet bandwidth is all
used up and everything to the internet is slow. I do a LOT of work
remotely, through BMgr servers, and I have a very good feel for the speeds
of remote access. Remote access doesn't feel that slow unless something
is wrong, or you are down in the 56k or less available bandwidth left on
busy circuits.
> Is there anything to do
> or to fine tune
> or is a bug
> or a misconfiguration ?
You definitely want to tune the server, even if the generic proxy seemed
OK. See tip #23 at the URL below, and also tips 1 and 63.
Check for basic communications issue, like duplex mismatch on the server
NIC's, viruses eating bandwidth, etc.
I would put a PC on the public side of BMgr, and give it a public address.
(Disconnect the router and use its address for a test if you have to).
That way you can rule out internet bandwidth as a factor. If generic
proxy is fast then, you start looking at the ISP, router and WAN link. If
the generic proxy is slow, you start looking at the server, and traffic
to/from the server.
Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com *** -
How to determine if extend TCP proxy isn't running?
I've setup a Coherence cluster using nodes Coh-A and Coh-B. I have a TCP proxy running on both the nodes on port 9098.
My application is able to the talk (i.e., both get and set) to the cluster through the TCP proxies. All is fine when the coherence servers are up and running. I was curious to see the behavior of the system when coherence servers are down. My requirement is such that, it should have no impact on the system if coherence is down. The application should instead bypass Coherence and go the database. But this isn't happening (logs below). Is there any way to check if the coherence server is reachable (up and running) before trying to access the cache from the application code?
2013-11-13 16:30:12.060/1660.501 Oracle Coherence GE 3.7.1.0 <D5> (thread=[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)', member=n/a): Connecting Socket to 10.246.28.18:9098
2013-11-13 16:30:12.062/1660.502 Oracle Coherence GE 3.7.1.0 <Info> (thread=[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)', member=n/a): Error connecting Socket to 10.246.28.18:9098: java.net.ConnectException: Connection refused
2013-11-13 16:30:12.062/1660.502 Oracle Coherence GE 3.7.1.0 <D5> (thread=[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)', member=n/a): Connecting Socket to 10.246.28.3:9098
2013-11-13 16:30:12.063/1660.503 Oracle Coherence GE 3.7.1.0 <Info> (thread=[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)', member=n/a): Error connecting Socket to 10.246.28.3:9098: java.net.ConnectException: Connection refused
2013-11-13 16:30:12,117 [[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] ERROR errors.GrailsExceptionResolver - Exception occurred when processing request: [GET] /api/cafe/601272
Stacktrace follows:
com.tangosol.net.messaging.ConnectionException: could not establish a connection to one of the following addresses: [10.246.28.18:9098, 10.246.28.3:9098]; make sure the "remote-addresses" configuration element contains an address and port of a running TcpAcceptor
at com.tangosol.coherence.component.util.daemon.queueProcessor.service.peer.initiator.TcpInitiator.openConnection(TcpInitiator.CDB:120)
at com.tangosol.coherence.component.util.daemon.queueProcessor.service.peer.Initiator.ensureConnection(Initiator.CDB:11)
at com.tangosol.coherence.component.net.extend.remoteService.RemoteCacheService.openChannel(RemoteCacheService.CDB:5)
at com.tangosol.coherence.component.net.extend.RemoteService.ensureChannel(RemoteService.CDB:6)
at com.tangosol.coherence.component.net.extend.remoteService.RemoteCacheService.createRemoteNamedCache(RemoteCacheService.CDB:12)
at com.tangosol.coherence.component.net.extend.remoteService.RemoteCacheService.ensureCache(RemoteCacheService.CDB:27)
at com.tangosol.coherence.component.util.SafeNamedCache$CacheAction.run(SafeNamedCache.CDB:3)
at java.security.AccessController.doPrivileged(Native Method)
Thanks,
AnandCant we catch the mentioned exception and if that appears we can redirect the query to database
-
New parameter "timeout tcp-proxy-reassembly" in ASA 8.2
I couldn't find much in the config guide or web site for this. Can someone tell me which situations this would come into play? Here is the CLI help:
"Configure idle timeout after which buffered packets waiting for reassembly in tcp-proxy are dropped"Hi.
I've had a very interesting discussion with a TAC engineer about this command.
The engineer mentions that, with this command, ASA behaves in the following way:
When the ASA receive a fragmented data, it puts the fragments in the buffer to be able to reassemble it and then sent it. When the buffer exceed the limit, the ASA start dropping the reassemble packets so the reason for the packet drop is always the buffer limit exceed . by using the command “tcp-proxy-reassembly”, the ASA wait for an idle time which is determined by this command, the reason why we need this idle time is that the ASA after dropping the fragmented packet still keeps the connection in the conn table open waiting to reassemble the fragments and send it , but this will not happen as the fragment was dropped , so this will keep the connection in the conn table and exhaust the ASA memory by a lot of connections that are not really used. After dropping the fragment the ASA waits for the timeout specified by the tcp-proxy-reassembly to delete the connection from the connection table.
So in summary the ASA uses this command not to delete the fragment after the timeout , it uses this command to delete the connection after the drop of the fragment (which is caused by the buffer limit) with the time.
So keep in mind when you use it.
Best regards,
Ernesto. -
Has anyone used a transparent TCP Proxy solution as a performance enhancement tool (via caching or buffering)?
Does Cisco has anything? WAAS looks the closest but it more like a point to point solution (wan acceleration). I am looking after something like a PROXY (device in the middle).
ThanksHello Tivig,
look for WCCPv2 it allows one or more routers to redirect to a group of web caches
It is supported also on multilayer switches and it is not limited to WEB traffic
see
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/wccp.html
Hope to help
Giuseppe -
Extend TCP Proxy vs. Client load balancing
I am unclear how proxy and client load balancing interact with respect to custom address providers. If I define my own address provider, and I do NOT set the load-balancer parameter to client in the client configuration, will the proxy still do load balancing of connections as described in http://docs.oracle.com/cd/E24290_01/coh.371/e22839/gs_configextend.htm#BEBCICDA ?
Edited by: user5179040 on Mar 23, 2012 9:43 AMHi,
The <load-balancer> element is only configured in the <proxy-scheme> and not at the client side. This parameter "proxy" dictates the proxy to use the specified strategy for load balancing client connections across proxies. The parameter "client" offloads the responsibility of load balancing to client across proxies or randomly select proxies.
I am unclear how proxy and client load balancing interact with respect to custom address providers. If I define my own address provider, and I do NOT set the load-balancer parameter to client in the client configuration, will the proxy still do load balancing of connections as described in http://docs.oracle.com/cd/E24290_01/coh.371/e22839/gs_configextend.htm#BEBCICDA ?
Hope this helps!
Cheers,
NJ -
Hi,
We have around 10 file to file scenarios from SAP R/3 to external system.All the scenarios are 1 to 1 mapping, no complex mapping is involved.
For these interfaces i want to created one genric proxy, which will be used by all of them.
Please anybody can give me an idea, how can i make this work.
Thanks
SrinivasHi Srinivas,
I think its a good idea to do it as this will reduce the number of development and support time.
You can follow the following approach:
1. Make a master structure for the sender file structure. This master structure will include all the fields from sender 10 interfaces.
2. Similarly create a master structure for reciever interface. Make sure you set the occurence of all the target fields as 0..1 if you set the occurrence 1 then whenver that field is not populated in the target structure; PI mapping will give runtime error.
3. Do your message mapping as it is.
3. Create the ID objects including File sender and reciever as it is. (Configure FCC properly!!)
Let us know if you face any issue with this approach.. -
Border manager as reverse proxy with Sharepoint 2007
hello
need to implement an extranet based solution of Windows Sharepoint 2007, clients may need to traverse a BM reverse proxy server in order to hit the sharepoint environment. have a few questions
1. does it work well? or at all?
2. is the SSL session from the client terminated at the BM level
3. will be using SSL, can i install certs at the BM level for the site?
any other tips??Originally Posted by phxazcraig
In article <[email protected]>, Gwelsh123 wrote:
> 1. does it work well? or at all?
Should work.
> 2. is the SSL session from the client terminated at the BM level
Yes, if you use proxy, sessions are always between client and proxy,
and another session between proxy and origin server.
> 3. will be using SSL, can i install certs at the BM level for the
> site?
I'm not quite sure what you mean. If you want to encrypt the data, I
think you would be best off doing a generic tcp proxy for port 443, and
have the cert on the endpoint (sharepoint) server, but perhaps that
would give cert errors due to the addressing.
Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to Craig Johnson Consulting - BorderManager, NetWare, and More ***
Im sure when using ISA as the reverse proxy, you install the SSL certs on the ISA box, and then you can use an internally generated cert on the web servers.
I also read somewhere that BM dosent support webdav?
do novell provide any documentation on this sort of configuration
we have a BM server already, there is an external firewall which forwards traffic to various websites to a specific port on the BM server, which then proxies the requests internall. it dosent seem particularly smart, more like a glorified port forwarder? -
wondering if anyone could walk me through port forwarding on a westell e90 610015-06 router. I am trying to set up TCP and UDP for a P2P program(e-mule). After several attempts i can't seem to set it up. Thanks!
Here is what I have set up
Services:
1. imapssl_993t_in all 993
2. imapssl_993t_out 993 all
Exceptions
1. imapssl_993t_in Public Any Public PUBLIC_IP_OF_BM_SERVER (I only want it coming in on this address)
2. imapssl_993t_out Public PUBLIC_IP_OF_BM_SERVER Public Any
Proxy - Generic TCP
original (internal_ip_of_imap_server) port:993 Proxy address: PUBLIC_IP_OF_BM_SERVER port:993
Access rule
Very generic, just allow original port with value of 993.
>>> akeaveney<[email protected]> 1/9/2013 11:46 AM >>>
JackCunha;2122118 Wrote:
> BM 3.8, fully patched; NW 6.5.8. An internet backup service says I need
> to forward external port 443 to the internal backup server's port 4282.
> I have a stateful filter exception for port 443 on my BM server, with
> the destination being the public address of the BM public NIC. Can i
> accomplish what want to do. If so, how?
I am trying to setup this at the moment, yet for IMAP access from
outside to internally. I don't want to hijack the thread, yet someone
might be able to help us both.
I have setup the generic tcp proxy under the BM Server in Imanager and
setup the private address and public proxy address with the port numbers
I want. I also allowed a filter exception from all interfaces to public
and allow the destination as the BM public address, but this still won't
work for me,
Is there something I am missing? I have tried it with the filters down,
but it doesn't seem to be doing the mapping.
Many thanks,
Anthony
akeaveney
akeaveney's Profile: http://forums.novell.com/member.php?userid=6365
View this thread: http://forums.novell.com/showthread.php?t=442041 -
BM 3.8 Port Forwarding?
Hello,
Does Bordermanager port forward? I am using Groupwise 6.5 along with
bordermanager, web access, vpn and other things on the same box.I am
installing a Barracuda Spam Firewall hardware appliance that I need to
redirect all mail traffic to and then back into GW. The problem is my
public mail address is also used for web,vpn etc. so I can't simply NAT to
the barracuda. I would like to simply port forward port 25 of my public
address to the Barracuda private address and then on to the GWIA.
A collegue told me there is no port forwarding in BM and that I would have
to add a secondary public address, change my MX record, and static NAT to
the Barracuda with that. While that sounds like a reasonable approach I
would like to avoid changing my MX record and be able to easily go back and
forth while I test the barracuda appliance. This is a live corporate email
system and I need to cause as little disruption as possible.
If there is a way to port forward SMTP traffic to a private address please
let me know the best way to do it . THANKS!
-DaveThanks very much for your reply! I will defnitley give the generic proxy a
try. Thanks for the tip about changing the proxy.cfg file. Are there any
other potential gotchas on using this proxy? Any other BM configs that need
to be adjusted to make this proxy work? Also where exactly is proxy.cfg? I
have not been able to find it on my Bordermanager server.
-Dave
> BM doesn't have true port forwarding, but it has a similar function:
> Generic TCP proxy. With it, you configure BM to proxy (forward) TCP
> traffic on a specific pulbi IP/port to a specific server/port on the
> private LAN. However, by default BM won't let you create a generic TCP
> proxy on port 25, because it conflicts with the SMTP proxy (another
> feature of BM, which you don't want to use :-) To get around that you
> need to add this to the [Extra Configuration] section of the proxy.cfg
>
> AllowGTCPProxyToUsePort25=1
>
> Good luck with the Barracuda... we love ours :-)
>
> --
> Jim
> Support Sysop -
BM access rule and port for Web Manager
The Netware Webacess and the Netware Web Manager is working fine
internally. What are the ports to open and the rules to create on the
Border Manager so it can be access froum outside. How to configure the BM
OmarIn article <MLMqe.411$[email protected]>, wrote:
> The Netware Webacess and the Netware Web Manager is working fine
> internally. What are the ports to open and the rules to create on the
> Border Manager so it can be access froum outside. How to configure the BM
>
WebAccess just (normally) wants port 80. You can static NAT it, or reverse
proxy it through BMgr. Older versions of BMgr (3.6 or earlier) put in
default filter exceptions for reverse proxy (both port 80 and 443), but
later versions require you to add your own filter exceptions.
NetWare Web Manager - do you mean for Novonyz Web Server? If so, the port
used depends on what you configured for it. You could use static NAT, or
generic tcp proxy, or (I think) reverse proxy for whatever port Web Manager
is using. Newer web manager for Apache uses port 2200, I think.
Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com *** -
Mutiple servers using port 443
Hi,
I am looking to set up several websites that utilise port 443 for SSL
behind
my firewall.
I understand that the reverse proxy in BM will only forward from port
443 to
port 443.
As I only have one public IP address I was looking to use ports such
as
51443, 52443 and redirect to port 443 on the various internal servers.
Is this possible using the generic TCP proxy or is there another way
of
doing this I am using BM 3.6
All suggestions gratefully rec'd
Davidpresumably if that failed I could use a hardware firewall such as a
cisco
PIX to do the job.
set up some sort of DMZ and put the servers in there.
"Craig Johnson" <[email protected]> wrote in message
news:[email protected]..
> In article <skPnb.461$[email protected]>, David
> Quickfall wrote:
> > Is this possible using the generic TCP proxy or is there another
way of
> > doing this I am using BM 3.6
> >
> Generic proxy will work fine, (and in fact it probably works better
than
> using reverse proxy for 443). Set up one generic proxy for each
port.
>
> I don't know if you can successfully use the port translation
ability of
> generic proxy here. (Proxy port 444 to 443). I don't think that
works
> for SSL.
>
> Craig Johnson
> Novell Support Connection SysOp
> *** For a current patch list, tips, handy files and books on
> BorderManager, go to http://www.craigjconsulting.com ***
> -
%ASA-7-710005: TCP request discarded error in Client to Site VPN in CISCO ASA 5510
Hi Friends,
I'm trying to built client to site VPN in CISCO ASA 5510 8.4(4) and getting below error while connecting cisco VPN client software. Also, I'm getting below log in ASA. Please help me to reslove.
Error in CISCO VPN Client Software:
Secure VPN Connection Terminated locally by the client.
Reason : 414 : Failed to establish a TCP connection.
Error in CISCO ASA 5510
%ASA-7-710005: TCP request discarded from <Public IP> /49276 to outside:<Outside Interface IP of my ASA> /10000
ASA Configuration:
XYZ# sh run
: Saved
ASA Version 8.4(4)
hostname XYZ
domain-name XYZ
enable password 3uLkVc9JwRA1/OXb level 3 encrypted
enable password R/x90UjisGVJVlh2 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
nameif outside_rim
security-level 0
ip address 1.1.1.1 255.255.255.252
interface Ethernet0/1
duplex full
nameif XYZ_DMZ
security-level 50
ip address 172.1.1.1 255.255.255.248
interface Ethernet0/2
speed 100
duplex full
nameif outside
security-level 0
ip address 2.2.2.2 255.255.255.252
interface Ethernet0/3
speed 100
duplex full
nameif inside
security-level 100
ip address 3.3.3.3 255.255.255.224
interface Management0/0
shutdown
no nameif
no security-level
no ip address
boot system disk0:/asa844-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server xx.xx.xx.xx
name-server xx.xx.xx.xx
name-server xx.xx.xx.xx
name-server xx.xx.xx.xx
domain-name XYZ
object network obj-172.17.10.3
host 172.17.10.3
object network obj-10.1.134.0
subnet 10.1.134.0 255.255.255.0
object network obj-208.75.237.0
subnet 208.75.237.0 255.255.255.0
object network obj-10.7.0.0
subnet 10.7.0.0 255.255.0.0
object network obj-172.17.2.0
subnet 172.17.2.0 255.255.255.0
object network obj-172.17.3.0
subnet 172.17.3.0 255.255.255.0
object network obj-172.19.2.0
subnet 172.19.2.0 255.255.255.0
object network obj-172.19.3.0
subnet 172.19.3.0 255.255.255.0
object network obj-172.19.7.0
subnet 172.19.7.0 255.255.255.0
object network obj-10.1.0.0
subnet 10.1.0.0 255.255.0.0
object network obj-10.2.0.0
subnet 10.2.0.0 255.255.0.0
object network obj-10.3.0.0
subnet 10.3.0.0 255.255.0.0
object network obj-10.4.0.0
subnet 10.4.0.0 255.255.0.0
object network obj-10.6.0.0
subnet 10.6.0.0 255.255.0.0
object network obj-10.9.0.0
subnet 10.9.0.0 255.255.0.0
object network obj-10.11.0.0
subnet 10.11.0.0 255.255.0.0
object network obj-10.12.0.0
subnet 10.12.0.0 255.255.0.0
object network obj-172.19.1.0
subnet 172.19.1.0 255.255.255.0
object network obj-172.21.2.0
subnet 172.21.2.0 255.255.255.0
object network obj-172.16.2.0
subnet 172.16.2.0 255.255.255.0
object network obj-10.19.130.201
host 10.19.130.201
object network obj-172.30.2.0
subnet 172.30.2.0 255.255.255.0
object network obj-172.30.3.0
subnet 172.30.3.0 255.255.255.0
object network obj-172.30.7.0
subnet 172.30.7.0 255.255.255.0
object network obj-10.10.1.0
subnet 10.10.1.0 255.255.255.0
object network obj-10.19.130.0
subnet 10.19.130.0 255.255.255.0
object network obj-XXXXXXXX
host XXXXXXXX
object network obj-145.248.194.0
subnet 145.248.194.0 255.255.255.0
object network obj-10.1.134.100
host 10.1.134.100
object network obj-10.9.124.100
host 10.9.124.100
object network obj-10.1.134.101
host 10.1.134.101
object network obj-10.9.124.101
host 10.9.124.101
object network obj-10.1.134.102
host 10.1.134.102
object network obj-10.9.124.102
host 10.9.124.102
object network obj-115.111.99.133
host 115.111.99.133
object network obj-10.8.108.0
subnet 10.8.108.0 255.255.255.0
object network obj-115.111.99.129
host 115.111.99.129
object network obj-195.254.159.133
host 195.254.159.133
object network obj-195.254.158.136
host 195.254.158.136
object network obj-209.164.192.0
subnet 209.164.192.0 255.255.224.0
object network obj-209.164.208.19
host 209.164.208.19
object network obj-209.164.192.126
host 209.164.192.126
object network obj-10.8.100.128
subnet 10.8.100.128 255.255.255.128
object network obj-115.111.99.130
host 115.111.99.130
object network obj-10.10.0.0
subnet 10.10.0.0 255.255.0.0
object network obj-115.111.99.132
host 115.111.99.132
object network obj-10.10.1.45
host 10.10.1.45
object network obj-10.99.132.0
subnet 10.99.132.0 255.255.255.0
object-group network Serversubnet
network-object 10.10.1.0 255.255.255.0
network-object 10.10.5.0 255.255.255.192
object-group network XYZ_destinations
network-object 10.1.0.0 255.255.0.0
network-object 10.2.0.0 255.255.0.0
network-object 10.3.0.0 255.255.0.0
network-object 10.4.0.0 255.255.0.0
network-object 10.6.0.0 255.255.0.0
network-object 10.7.0.0 255.255.0.0
network-object 10.11.0.0 255.255.0.0
network-object 10.12.0.0 255.255.0.0
network-object 172.19.1.0 255.255.255.0
network-object 172.19.2.0 255.255.255.0
network-object 172.19.3.0 255.255.255.0
network-object 172.19.7.0 255.255.255.0
network-object 172.17.2.0 255.255.255.0
network-object 172.17.3.0 255.255.255.0
network-object 172.16.2.0 255.255.255.0
network-object 172.16.3.0 255.255.255.0
network-object host 10.50.2.206
object-group network XYZ_us_admin
network-object 10.3.1.245 255.255.255.255
network-object 10.5.33.7 255.255.255.255
network-object 10.211.5.7 255.255.255.255
network-object 10.3.33.7 255.255.255.255
network-object 10.211.3.7 255.255.255.255
object-group network XYZ_blr_networkdevices
network-object 10.200.10.0 255.255.255.0
access-list XYZ extended permit ip 10.19.130.0 255.255.255.0 145.248.194.0 255.255.255.0
access-list XYZ extended permit ip 10.19.130.0 255.255.255.0 host 172.16.2.21
access-list XYZ extended permit ip 10.19.130.0 255.255.255.0 host 172.16.2.22
access-list XYZ extended permit ip 10.19.130.0 255.255.255.0 host XXXXXXXX
access-list XYZ_PAT extended permit ip 10.19.130.0 255.255.255.0 any
access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 host 195.254.159.133
access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 host 195.254.158.136
access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 any
access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 209.164.192.0 255.255.224.0
access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 host 209.164.208.19
access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 host 209.164.192.126
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 208.75.237.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.7.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.17.2.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.17.3.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.19.2.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.19.3.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.19.7.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.3.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.4.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.6.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.9.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.11.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.12.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.19.1.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.21.2.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list nonat extended permit ip host 10.19.130.201 172.30.2.0 255.255.255.0
access-list nonat extended permit ip host 10.19.130.201 172.30.3.0 255.255.255.0
access-list nonat extended permit ip host 10.19.130.201 172.30.7.0 255.255.255.0
access-list nonat extended permit ip object-group Serversubnet object-group XYZ_destinations
access-list nonat extended permit ip 10.10.1.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list nonat extended permit ip 10.19.130.0 255.255.255.0 host XXXXXXXX
access-list nonat extended permit ip 10.19.130.0 255.255.255.0 145.248.194.0 255.255.255.0
access-list Guest_PAT extended permit ip 10.8.108.0 255.255.255.0 any
access-list Cacib extended permit ip 10.8.100.128 255.255.255.128 145.248.194.0 255.255.255.0
access-list Cacib_PAT extended permit ip 10.8.100.128 255.255.255.128 any
access-list New_Edge extended permit ip 10.1.134.0 255.255.255.0 208.75.237.0 255.255.255.0
access-list XYZ_global extended permit ip 10.7.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.7.0.0 255.255.0.0
access-list XYZ_global extended permit ip 172.17.2.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 172.17.3.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 172.19.2.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 172.19.3.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 172.19.7.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.2.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.3.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.4.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.6.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.9.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.11.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.12.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 172.19.1.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 172.21.2.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.17.2.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.17.3.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.19.2.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.19.3.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.19.7.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.3.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.4.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.6.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.9.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.11.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.12.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.19.1.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.21.2.0 255.255.255.0
access-list XYZ_global extended permit ip 172.16.2.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list XYZ_global extended permit ip 172.30.2.0 255.255.255.0 host 10.19.130.201
access-list XYZ_global extended permit ip host 10.19.130.201 172.30.2.0 255.255.255.0
access-list XYZ_global extended permit ip 172.30.3.0 255.255.255.0 host 10.19.130.201
access-list XYZ_global extended permit ip host 10.19.130.201 172.30.3.0 255.255.255.0
access-list XYZ_global extended permit ip 172.30.7.0 255.255.255.0 host 10.19.130.201
access-list XYZ_global extended permit ip host 10.19.130.201 172.30.7.0 255.255.255.0
access-list XYZ_global extended permit ip object-group Serversubnet object-group XYZ_destinations
access-list XYZ_global extended permit ip object-group XYZ_destinations object-group Serversubnet
access-list ML_VPN extended permit ip host 115.111.99.129 209.164.192.0 255.255.224.0
access-list ML_VPN extended permit ip host 115.111.99.129 host 209.164.208.19
access-list ML_VPN extended permit ip host 115.111.99.129 host 209.164.192.126
access-list Da_VPN extended permit ip host 10.9.124.100 host 10.125.81.88
access-list Da_VPN extended permit ip host 10.9.124.101 host 10.125.81.88
access-list Da_VPN extended permit ip host 10.9.124.102 host 10.125.81.88
access-list Da_VPN extended permit ip host 10.9.124.100 10.125.81.0 255.255.255.0
access-list Da_VPN extended permit ip host 10.9.124.101 10.125.81.0 255.255.255.0
access-list Da_VPN extended permit ip host 10.9.124.102 10.125.81.0 255.255.255.0
access-list Sr_PAT extended permit ip 10.10.0.0 255.255.0.0 any
access-list Da_Pd_VPN extended permit ip host 10.9.124.100 10.125.80.64 255.255.255.192
access-list Da_Pd_VPN extended permit ip host 10.9.124.100 10.125.64.0 255.255.240.0
access-list Da_Pd_VPN extended permit ip host 10.9.124.100 host 10.125.85.46
access-list Da_Pd_VPN extended permit ip host 10.9.124.100 host 10.125.86.46
access-list Da_Pd_VPN extended permit ip host 10.9.124.101 10.125.80.64 255.255.255.192
access-list Da_Pd_VPN extended permit ip host 10.9.124.101 10.125.64.0 255.255.240.0
access-list Da_Pd_VPN extended permit ip host 10.9.124.101 host 10.125.85.46
access-list Da_Pd_VPN extended permit ip host 10.9.124.101 host 10.125.86.46
access-list Da_Pd_VPN extended permit ip host 10.9.124.102 10.125.80.64 255.255.255.192
access-list Da_Pd_VPN extended permit ip host 10.9.124.102 10.125.64.0 255.255.240.0
access-list Da_Pd_VPN extended permit ip host 10.9.124.102 host 10.125.85.46
access-list Da_Pd_VPN extended permit ip host 10.9.124.102 host 10.125.86.46
access-list XYZ_reliance extended permit ip 10.19.130.0 255.255.255.0 145.248.194.0 255.255.255.0
access-list coextended permit ip host 2.2.2.2 host XXXXXXXX
access-list coextended permit ip host XXXXXXXXhost 2.2.2.2
access-list ci extended permit ip 10.1.134.0 255.255.255.0 208.75.237.0 255.255.255.0
access-list ci extended permit ip 208.75.237.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list acl-outside extended permit ip host 57.66.81.159 host 172.17.10.3
access-list acl-outside extended permit ip host 80.169.223.179 host 172.17.10.3
access-list acl-outside extended permit ip any host 172.17.10.3
access-list acl-outside extended permit tcp any host 10.10.1.45 eq https
access-list acl-outside extended permit tcp any any eq 10000
access-list acl-outside extended deny ip any any log
pager lines 10
logging enable
logging buffered debugging
mtu outside_rim 1500
mtu XYZ_DMZ 1500
mtu outside 1500
mtu inside 1500
ip local pool XYZ_c2s_vpn_pool 172.30.10.51-172.30.10.254
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-208.75.237.0 obj-208.75.237.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.7.0.0 obj-10.7.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.17.2.0 obj-172.17.2.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.17.3.0 obj-172.17.3.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.19.2.0 obj-172.19.2.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.19.3.0 obj-172.19.3.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.19.7.0 obj-172.19.7.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.1.0.0 obj-10.1.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.2.0.0 obj-10.2.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.3.0.0 obj-10.3.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.4.0.0 obj-10.4.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.6.0.0 obj-10.6.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.9.0.0 obj-10.9.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.11.0.0 obj-10.11.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.12.0.0 obj-10.12.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.19.1.0 obj-172.19.1.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.21.2.0 obj-172.21.2.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.16.2.0 obj-172.16.2.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.19.130.201 obj-10.19.130.201 destination static obj-172.30.2.0 obj-172.30.2.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.19.130.201 obj-10.19.130.201 destination static obj-172.30.3.0 obj-172.30.3.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.19.130.201 obj-10.19.130.201 destination static obj-172.30.7.0 obj-172.30.7.0 no-proxy-arp route-lookup
nat (inside,any) source static Serversubnet Serversubnet destination static XYZ_destinations XYZ_destinations no-proxy-arp route-lookup
nat (inside,any) source static obj-10.10.1.0 obj-10.10.1.0 destination static obj-10.2.0.0 obj-10.2.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.19.130.0 obj-10.19.130.0 destination static obj-XXXXXXXX obj-XXXXXXXX no-proxy-arp route-lookup
nat (inside,any) source static obj-10.19.130.0 obj-10.19.130.0 destination static obj-145.248.194.0 obj-145.248.194.0 no-proxy-arp route-lookup
nat (inside,outside) source static obj-10.1.134.100 obj-10.9.124.100
nat (inside,outside) source static obj-10.1.134.101 obj-10.9.124.101
nat (inside,outside) source static obj-10.1.134.102 obj-10.9.124.102
nat (inside,outside) source dynamic obj-10.8.108.0 interface
nat (inside,outside) source dynamic obj-10.19.130.0 obj-115.111.99.129
nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-195.254.159.133 obj-195.254.159.133
nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-195.254.158.136 obj-195.254.158.136
nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129
nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-209.164.192.0 obj-209.164.192.0
nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-209.164.208.19 obj-209.164.208.19
nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-209.164.192.126 obj-209.164.192.126
nat (inside,outside) source dynamic obj-10.8.100.128 obj-115.111.99.130
nat (inside,outside) source dynamic obj-10.10.0.0 obj-115.111.99.132
nat (inside,outside) source static obj-10.10.1.45 obj-115.111.99.133
nat (inside,outside) source dynamic obj-10.99.132.0 obj-115.111.99.129
object network obj-172.17.10.3
nat (XYZ_DMZ,outside) static 115.111.99.134
access-group acl-outside in interface outside
route outside 0.0.0.0 0.0.0.0 115.111.23.129 1
route outside 0.0.0.0 0.0.0.0 115.254.127.130 10
route inside 10.10.0.0 255.255.0.0 10.8.100.1 1
route inside 10.10.1.0 255.255.255.0 10.8.100.1 1
route inside 10.10.5.0 255.255.255.192 10.8.100.1 1
route inside 10.8.100.128 255.255.255.128 10.8.100.1 1
route inside 10.8.108.0 255.255.255.0 10.8.100.1 1
route inside 10.19.130.0 255.255.255.0 10.8.100.1 1
route inside 10.99.4.0 255.255.255.0 10.99.130.254 1
route inside 10.99.132.0 255.255.255.0 10.8.100.1 1
route inside 10.1.134.0 255.255.255.0 10.8.100.1 1
route outside 208.75.237.0 255.255.255.0 115.111.23.129 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set vpn2 esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set vpn6 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set vpn5 esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set vpn7 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set vpn4 esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set vpn1 esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set vpn_reliance esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set c2s_vpn esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto dynamic-map dyn1 1 set ikev1 transform-set c2s_vpn
crypto dynamic-map dyn1 1 set reverse-route
crypto map vpn 1 match address XYZ
crypto map vpn 1 set peer XYZ Peer IP
crypto map vpn 1 set ikev1 transform-set vpn1
crypto map vpn 1 set security-association lifetime seconds 3600
crypto map vpn 1 set security-association lifetime kilobytes 4608000
crypto map vpn 2 match address NE
crypto map vpn 2 set peer NE_Peer IP
crypto map vpn 2 set ikev1 transform-set vpn2
crypto map vpn 2 set security-association lifetime seconds 3600
crypto map vpn 2 set security-association lifetime kilobytes 4608000
crypto map vpn 4 match address ML_VPN
crypto map vpn 4 set pfs
crypto map vpn 4 set peer ML_Peer IP
crypto map vpn 4 set ikev1 transform-set vpn4
crypto map vpn 4 set security-association lifetime seconds 3600
crypto map vpn 4 set security-association lifetime kilobytes 4608000
crypto map vpn 5 match address XYZ_global
crypto map vpn 5 set peer XYZ_globa_Peer IP
crypto map vpn 5 set ikev1 transform-set vpn5
crypto map vpn 5 set security-association lifetime seconds 3600
crypto map vpn 5 set security-association lifetime kilobytes 4608000
crypto map vpn 6 match address Da_VPN
crypto map vpn 6 set peer Da_VPN_Peer IP
crypto map vpn 6 set ikev1 transform-set vpn6
crypto map vpn 6 set security-association lifetime seconds 3600
crypto map vpn 6 set security-association lifetime kilobytes 4608000
crypto map vpn 7 match address Da_Pd_VPN
crypto map vpn 7 set peer Da_Pd_VPN_Peer IP
crypto map vpn 7 set ikev1 transform-set vpn6
crypto map vpn 7 set security-association lifetime seconds 3600
crypto map vpn 7 set security-association lifetime kilobytes 4608000
crypto map vpn interface outside
crypto map vpn_reliance 1 match address XYZ_rim
crypto map vpn_reliance 1 set peer XYZ_rim_Peer IP
crypto map vpn_reliance 1 set ikev1 transform-set vpn_reliance
crypto map vpn_reliance 1 set security-association lifetime seconds 3600
crypto map vpn_reliance 1 set security-association lifetime kilobytes 4608000
crypto map vpn_reliance interface outside_rim
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto isakmp identity address
no crypto isakmp nat-traversal
crypto ikev1 enable outside_rim
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 28800
crypto ikev1 policy 2
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto ikev1 policy 4
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 28000
crypto ikev1 policy 5
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.8.100.0 255.255.255.224 inside
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy XYZ_c2s_vpn internal
username testadmin password oFJjANE3QKoA206w encrypted
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group XXXXXXXXtype ipsec-l2l
tunnel-group XXXXXXXXipsec-attributes
ikev1 pre-shared-key *****
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group XYZ_c2s_vpn type remote-access
tunnel-group XYZ_c2s_vpn general-attributes
address-pool XYZ_c2s_vpn_pool
tunnel-group XYZ_c2s_vpn ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect ip-options
service-policy global_policy global
privilege show level 3 mode exec command running-config
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command crypto
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:caa7476cd348ed89b95d37d4e3c9e1d8
: end
XYZ#Thanks Javier.
But i have revised the VPN confuration. Below are the latest configs. with this latest configs. I'm getting username & password screen while connecting cisco vpn client software. once we entered the login credential. it shows "security communication channel" then it goes to "not connected" state. Can you help me to fix this.
access-list ACL-RA-SPLIT standard permit host 10.10.1.3
access-list ACL-RA-SPLIT standard permit host 10.10.1.13
access-list ACL-RA-SPLIT standard permit host 10.91.130.201
access-list nonat line 1 extended permit ip host 10.10.1.3 172.30.10.0 255.255.255.0
access-list nonat line 2 extended permit ip host 10.10.1.13 172.30.10.0 255.255.255.0
access-list nonat line 3 extended permit ip host 10.91.130.201 172.30.10.0 255.255.255.0
ip local pool CO-C2S-VPOOL 172.30.10.51-172.30.10.254 mask 255.255.255.0
group-policy CO-C2S internal
group-policy CO-C2S attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list vlauel ACL-RA-SPLIT
dns-server value 10.10.1.3
tunnel-group TUN-RA-SPLIT type remote-access
tunnel-group TUN-RA-SPLIT general-attributes
default-group-policy CO-C2S
address-pool CO-C2S-VPOOL
tunnel-group TUN-RA-SPLIT ipsec-attributes
pre-shared-key sekretk3y
username ra-user1 password passw0rd1 priv 1
group-policy CO-C2S internal
group-policy CO-C2S attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list vlauel ACL-RA-SPLIT
dns-server value 10.10.1.3
tunnel-group TUN-RA-SPLIT type remote-access
tunnel-group TUN-RA-SPLIT general-attributes
default-group-policy CO-C2S
address-pool CO-C2S-VPOOL
tunnel-group TUN-RA-SPLIT ipsec-attributes
pre-shared-key *********
username ******* password ******** priv 1
crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set 3DES
crypto map Outside_Map 500 ipsec-isakmp dynamic dynmap
crypto isakmp identify address
crypto isakmp enable outside
crypto isakmp policy 100
authentication pre-share
encr 3des
hash sha
crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set 3DES
crypto map Outside_Map 500 ipsec-isakmp dynamic dynmap
crypto map vpn interface outside
crypto isakmp identify address
crypto isakmp enable outside
crypto isakmp policy 100
authentication pre-share
encr 3des
hash sha
group 1
lifetime 3600
Maybe you are looking for
-
How do I download a movie from my camcorder?
I have a JVC GZ-HD6U camcorder. How do I download the movies to my MacBook Air?
-
Retrieving lots of rows through XSQL servlet
Hi Steve! I am currently trying to break XSQL-servlet in order to have some proof of usability for our customers. During one of these 'sessions' I discovered that the XSQL servlet throws me out with an exception error (out of memory) when I try to re
-
Which report or module can I use to get all the exCess material and dead stock ? Thanks Polo Ramirez [email protected]
-
Using OMW I succesfully managed to capture my access database and migrate it to Oracle. When is time to load the "table data" I get multiple errors one of them being: Integrity constraint violated-parent key not found. What is the best way to go abou
-
Migration from Flex 4 to Ext JS
Hi All - Could anyone please let me know if there is a tool / way to convert my Flex 4 application into Ext JS/JQuery/HTML 5 ? Even 70% achievement would do. Thanks in advance.