How to IPsec site to site vpn port forwarding to remote site?

Similar Messages

• VPN: Port-forwarding OK but Nothing Talking

  I've set up several 10.3 & 10.4 VPN services but this one has me puzzled...
  10.4.2 Server (does it just need updated?)
  Internal ip only (no firewall on server) with router forwarding UDP 1701, 500 & 4500 (for L2TP).
  When attempting to form the VPN with remote (wan side) Internet Connect client, there is no connection showing in vpnd.log (set to verbose logging) and no connection showing on Internet Connect log. It's like the port forwarding is not taking place. However...
  If I run a port scan from remote machine, on UDP 1701, 500 & 4500, this traffic shows up on a TCPDump session running on the server.
  Attempting to form the VPN, however, shows NO traffic with TCPDump.
  The IP address of the server, in Internet Connect, is correct (same as the one used during port scanning). The VPN client is able to connect to several other servers OK.
  Any ideas?
  Ta.
  -david
      Server 10.4.8

  1. What kind of router are you using?
  Corega router at server side and Netgear DG834G on client side (with ethernet cable, not wireless).
  The Netgear works fine to other sites. The Corega is 'unproven' in that I do not have another site with same router. It can act as a VPN gateway (this does work elsewhere) but is not active in this role at this site (we want to use server vpn service).
  2. I have seen a few copies of 10.4.x Server just go
  L2TP/IPSec deaf. They all eventually sorted
  themselves out with software updates, but certain
  versions were just plain ol' deaf.
  I've now updated to 10.4.8. No difference.
  Just to reiterate...
  Port-forwarding of 500, 1701 and 4500 appears to be working, as a TCPDump on the server lists these packets when a remote machine is port scanning for them.
  However, the same TCPDump session does not list any UDP 500 packets when the VPN client (internet connect) is attempting to start. Logs show nothing beyond "listening for connections...". As I understand it, L2TP commences with an IKE communication on port 500 prior to the later 'real' stuff. Why is this not showing up in a TCPDump?
  Puzzled...
  -david
      Server 10.4.8

• RV042 vpn&port forwarding problems

  Hello,
  I spent a few days trying to configure  the RV042 router but I messed up. I need this router for VPN access on my  site and Port Forwarding to an internal web server. Apparently very  simple task, isn't it?
  So:
  1. PPTP is working fine but I need more than 5 concurrent accesses.
  2.  Quickvpn does not work when the DHCP server is checked  and I can't  access any computer from my lan. I have a DHCP server in my LAN but when  I'm conected through Quickvpn I never reach it. In the log file there  are messages like:
  Connection refused - Policy violation TCP 169.254.x.x->192.168.1.2 (DHCP server from my lan)
  3.  On Setup > Forwarding I added a Port Range Forwarding for HTTP port  80 to an internal IP address (192.168.1.x). I although added a firewall  access rule to allow traffic to Port 80 from any source interface and  any source IP to 192.168.1.x.
  From the internal LAN, using the WAN IP of the router,  the Port forwarding works but not form the outside, though in the log file of the router it appears to work:
  Connection Accepted TCP 208.64.252.230:33027->192.168.1.x:80 on ixp1
  What could I have done wrong?
  The  router is configured with a static address as a gateway and it has the  latest firmware 1.3.12.19-tm. The access rules are the default ones and  the one I added.
  Any help would be much apreciated.
  Thanks.

  Can't answer as to why QVPN fails when you enable DHCP on the router, but concidering your requirements it seems to be a moot point. So, you have a DHCP server on your network which I will guess is also running your Web service. If this is a Windows server does your current configuration allow you to enable PPTP on it? If so, that would solve the five user limit. You will need to turn off the PPTP server on the router and then forward port 1723 TCP to your server and you are done. As for your http access, remove any rule that you have in reference to "allow" port 80 connectivity to your web server. Not sure why but this tends to confuse the poor little things. Once you have verified that port 80 is active on the server via the LAN (which you already have) then you are done. If you are still not successful with the connection to the server from the WAN you may want to default the router and start over (lame I know).
  *** SORRY, just noticed that you stated that you added a "port range" forwarding rule. Remove that, and configure a UPnP rule for the same server instead. Do not know why they call it that, they just do. This is the same as configuring a single port forward they just call it something different. So just port forward 80 tcp to your server on 192.168.1.x and you are done.

• SRP547W, How to use multiple WAN IPs for port forwarding?

  Hi folks,
  We've run into some difficulty trying to take advantage of multiple WAN IPs in conjunction with the SRP547, and I'm hoping someone here can help out or at least tell us that we're going to need to buy a different router...
  What we're trying to acheive is the ability to port forward from our distinct public IPs to different internal servers. Looking at the options under Port Forwarding it looks like we can only configure forwards at the "WAN interface" level, but our problem is that we can't work out how to set up separate interfaces for each of our Public IPs...
  Our ISP provides us with a fully managed NTU/router with a single "Internet" ethernet port, which we can use by statically configuring IPs on our end. For this configuration this port has been directly patched to the WAN ethernet port on the SRP547W.
  We have been allocated a 255.255.255.248 (/29) subnet, giving us 5 usable IPs after the ISP's gateway address is taken into account, like so:
  a.b.c.208     Network Address (/29 subnet)
  a.b.c.209     ISP Gateway
  a.b.c.210     IP1
  a.b.c.211     IP2
  a.b.c.212     IP3
  a.b.c.213     IP4
  a.b.c.214     IP5
  a.b.c.215     Broadcast Address
  On the SRP we've set up the default "Ethernet WAN2" sub-interface with the following details for IP1
  VLAN ID:               4088 (Uneditable)
  Connection Type:       Static IP
  Internet IP Address:   a.b.c.210
  Subnet Mask:           255.255.255.248
  Default Gateway:       a.b.c.209
  The next step (I would have thought) would be to add a second sub-interface, using similar info for IP2
  VLAN ID:               4000 (Chosen arbitrarily)
  Connection Type:       Static IP
  Internet IP Address:   a.b.c.211
  Subnet Mask:           255.255.255.248
  Default Gateway:       a.b.c.209
  When we try to do so however we get:
  Fail!
  Conflict with Ether_WAN2 interface address type
  I should mention at this point that we're running on firmware version 1.02.01 (023).
  Any suggestions on how we can proceed?
  Is there a CLI or other method of configuration that might work if the web interface won't?
  Thanks,
  Tim.

  OK, I've seen reference to this solution before but not much in the way of details. Perhaps you can spell out how this ought to work, as the Software DMZ doesn't behave as I'd expected it to.
  As before, on the SRP we've set up the default "Ethernet WAN2" sub-interface with the details for IP1 with a /29 subnet.
  VLAN ID:               4088 (Uneditable)
  Connection Type:       Static IP
  Internet IP Address:   a.b.c.210
  Subnet Mask:           255.255.255.248
  Default Gateway:       a.b.c.209
  We'd now like to expose a server function on IP2, let's say LAN details for this server are:
  VLAN:                  3000
  VLAN IP Range:         192.168.1.1/24
  Server IP:             192.168.1.10
  Server Port:           80
  So first we turn on Software DMZ:
  Status:                Enabled
  Public IP:             a.b.c.211
  Private IP:            192.168.1.10
  WAN Interface:         Ether_WAN2
  My understanding, based on what you've said, is that this should expose the whole server to external access via IP2. Unfortunately, it doesn't seem to work this way - we don't seem to have any access at all. Perhaps there's a default deny rule on the firewall?
  Just to be sure, I tried creating a rule to allow HTTP traffic to the server in the Advanced Firewall page.
  In Interface (WAN):    All
  Out Interface (LAN):   VLAN.3000
  Source IP:             0.0.0.0
  Source Subnet:         0.0.0.0
  Destination IP:        192.168.1.10
  Destination Subnet:    255.255.255.255
  Protocol:              TCP
  Source Port:           Any
  Destination Port:      Single:80
  Action:                Permit
  Schedule:              Everyday
  Times:                 24 Hours
  Still no dice. What am I missing?
  Cheers,
  Tim.

• How do I configure for port forwarding?

  I just relpaced my CISCO E3000 wireless router with an Apple Airport Extreme and need to set up port forwarding.  I find the Airport Utility confusing and very limited in capabilities.  How do I configure the router for Port Forwarding?

  Here's a document that you can follow:  https://discussions.apple.com/docs/DOC-3415
  However, I ran into an issue with setting this up and had to do a work-around: Custom Port Forwarding Config Not Working

• E4200 port forwarding not working (v1 1.0.05)

  Hi there.
  I'll try not to rant too much, but I've had nothing but problems with this 'supposed' high end router... and when I tried calling Cisco I got the old yee-ha to cough up $30 for tech support on a $200 router I got 10 months ago (/rant).
  Anyway, following several speed drop issues with my router, I factory reset about 5 times. I later read in the internetz that QoS on these routers was causing the speed to fall to half no matter what settings are used, so I disabled QoS. This time I seem to have steady speeds, but no port forwarding method I use works! Used to work fine, but now Single PF, PF Range or anything else I can think of fails miserably. Even DMZ can't seem to open ports...
  I am extremely disappointed in this router and please, don't advise me to factory reset: I've tried, it doesn't work and quite frankly I have way too many devices to painfully reconnect to not send me over the edge.
  Please, if anyone has any idea what's going on, your help is more than welcome.
  Thanks
  -ts

  technosinner wrote:
  My setup is pretty simple: a Docsys3 modem through my ISP, piped to my Cisco E4200, and a few computers and devices connected to that, all on the same level (no switch or hub).
  To my knowledge the modem doesn't filter or route anything, and I don't need to login or connect to my ISP - cable internet with direct filtering on the modem. I might have missed something but here is a question: if I open a port, will it show open even if there is no application to "receive" the connection? I'm asking because I'm starting to wonder if my server might be a bit fussy...?
  To protect your router against possible DNS Rebinding Attacks, certain actions will not work from behind a router.  Typically, doing this is for testing purposes. What you can do to test if a certain application (port forward) works remotely, is to do it from outside your network.
  To test this functionality, this must be done from the outside of the router (remote area).  This includes even if the “Filter anonymous Internet requests” is unchecked.
  check the site below for reference:
  http://blog.trendmicro.com/trendlabs-security-intelligence/protecting-your-router-against-possibl-dn...

• Port Forwarding, MI424WR

  I'm not even sure I'll give enough information here, because I don't really know what I'm talking about.  However, I've been working with a couple of "technical" people from my office.
  Essentially, I'm trying to connect two devices (Yamaha Disklavier Pianos) over my FIOS connection (for a process called Remote Lesson) and need to utilize port forwarding.  I've tried the instructions on the www.actiontec.com website (Basic Port Forwarding on the MI424WR Verion Fios Router), but have been unable to connect successfully.
  Basically, here's the two things I need to do (cut and pasted from a technical document draft).  Can someone please advise what might be going wrong?   I could also forward the entire "connection" document to someone who might want to take a look at it and get a clearer picture.
  At any rate, here are steps 2 and 3 of the process we're trying to do:
  2. Port Forwarding for Remote Lesson (WAN to LAN)                                    
  - Port 58092 is used in both TCP and UDP by default.                                      
          - Note: You can choose any port unless it has already used.                            
  - Please configure a system to forward the access of this port to Disklavier.    
  3. Release of the port to the Internet (LAN to WAN)                                      
  - If the access of port 58092 is filtered, please release this port in both TCP and UDP.                    
           Note: If your partner has configured another port number, please release that port in both TCP and UDP.      
                                                                Port setting table
  PORT FORWARDING (WAN TO LAN):  IP Address (original LAN Address)
                                                                  Port Number (origin)
                                                                  Protocol:  Both TCP and UDP
  RELEASE OF THE PORT (LAN TO WAN): Port Number:  Destination or all
                                                                       Protocol:  Both TCP and UDP                  
  Thanks for being patient with a "newbie" - I hope someone can help.

  levesq56 wrote:
  Essentially, I'm trying to connect two devices (Yamaha Disklavier Pianos) over my FIOS connection (for a process called Remote Lesson) and need to utilize port forwarding.  I've tried the instructions on the www.actiontec.com website (Basic Port Forwarding on the MI424WR Verion Fios Router), but have been unable to connect successfully.
  Thanks for being patient with a "newbie" - I hope someone can help.
  If you're only trying to connect the 2 devices within your local lan you do not need to do anything with port forwarding.  You would only need to add port forwarding rules if you are going to access the devices from remote sites.
  The below addresses step 2 of your question.
  Step 3 of your question is not needed as the actiontec does not block any port access from the LAN to the WAN
  Step 2  allowing wan to lan access
  If you are doing the latter then you would want to give the device fixed ip addresses, make sure they are out of the dhcp range of the actiontec router.
  Then go to firewall setting
  Select Port Forwarding tab
  Select New Entry
  add the IP address of the device in the Local Host field
  Make sure Forward to Port is set as Same as incoming Port
  Make sure Schedule is set as Always
  Under protocols Select User defined
  Make the service name whatever you want - e.g Piano
  Select new server ports
  Under protocols Select TCP
  Under source port select single
  enter 58092
  Make sure destination port saya Any
  Hit OK
  Select New server ports again and repeat the last five steps for protocol UDP
  then say OK
  Say OK to the Edit port Forwarding rule
  Now you should be able to access the device from the outside WAN

• 2 WTR54GX2, trying to do port forwarding

  Hey all, So heres the thing, I have two WRT54GX2's in my network. One is the gateway router (192.168.1.1) and the other is quite a distance away and is the secondary (192.168.100.1). I want to set up a SlingBox on port 80 so basically a webserver. But due to restrictions of cabling and what not I have to attach it to 100.1 the secondary router. My question is how do I make this work with port forwarding? Because I can set the slingbox up with 192.168.110.12 and then port forward it on the secondary router and make it work, how do i do it on the gateway router, as I understand it, in order to port forward the device has to be on the same subnet as the router, but two routers on the same subnet is a PAIN. And the both routers have hardwired devices and wireless devices. Any help would be appreciated. Cheers! _KN

  brickmonkey, i really aprecieate the help. I have one more question tho (i know this whole thing must be getting annoyin, sorry :/), when i do the static IP i tried setting the "Internet IP" as 192.168.1.34 but it gave me an error along the lines of "Internet IP cannot be on the same subnet as the gateway", so what IP do i give the second router? As I understand it, in order for the 1st (gateway) router to portforward correctly, the port its forwarding has to be on the same subnet. Any advice?

• RV082 port forwarding limited to 30 entries ?

  Hello,
  we use RV082 as main gateway and need to open/forward around 50 ports to inside. But during setting of the rules I got an error message "The max of Port Range Forwarding is 30 entries. You can't add any more.".
  In the online help is explicitely said "4. Click the Add to List button, and configure as many entries as you would like."
  How can we setup more than 30 port forwarding rules ?
  If it is this a sotfware bug, can this be corrected ?
  Regards,
  Petr Svoboda

  Petr, I agree with tekliu.  I use the UPnP rules with UPnP disabled for all of my port forwarding, unless a range is needed.  They should not cause any more exposure than regular Forwarding rules, and if you use port translation they will reduce your exposure.
  The only differences:
  Forwarding allows port ranges
  Forwarding has a "Port Triggering" section
  UPnP allows port translation (because it's only single port at a time, not a range)
  UPnP has unlimited entries

• Phase 2 issue in IPSEC site-to-site

  Hi All,
  I have got an issue while creating an IPSEC site-to-site VPN between cisco2901-15.2(4)M3 ---> cisco861-12.4
  Phase#1 is successfully up but when i'm putting command #show crypto ipsec sa i can't see encry & decry packets.
  below is the running-conifgs and show crypto output for both side
  cisco2901:-
  Current configuration : 5668 bytes
  ! Last configuration change at 17:08:59 PCTime Mon Feb 3 2014 by ciscodxb
  version 15.2
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname DXB-CIT
  boot-start-marker
  boot-end-marker
  logging buffered 52000
  aaa new-model
  aaa authentication login default local
  aaa authentication login ciscocp_vpn_xauth_ml_1 local
  aaa authorization exec default local
  aaa authorization network ciscocp_vpn_group_ml_1 local
  aaa session-id common
  clock timezone PCTime 4 0
  ip cef
  ip dhcp excluded-address 10.10.10.1
  ip dhcp excluded-address 192.168.10.1 192.168.10.9
  ip dhcp excluded-address 192.168.10.101 192.168.10.254
  ip dhcp pool dxb-pool
  network 192.168.10.0 255.255.255.0
  default-router 192.168.10.1
  dns-server 80.xxx.xx.xx 213.xxx.xxx.xx
  ip domain name channelit
  ip name-server 80.xx.xx.xx
  ip name-server 213.xx.xx.xx
  no ipv6 cef
  multilink bundle-name authenticated
  crypto pki trustpoint TP-self-signed-1231038404
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-1231038404
  revocation-check none
  rsakeypair TP-self-signed-1231038404
  crypto pki certificate chain TP-self-signed-1231038404
  certificate self-signed 01
    3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
    31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
    69666963 6174652D 31323331 30333834 3034301E 170D3134 30313331 31333230
    30375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
    4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 32333130
    33383430 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
    8100ECF1 71B270A3 EFBC3609 C136BC9B 7D54A077 33286BF1 45558928 6DF96244
    2DAF0A50 E5DA03C6 E87AD7AE 4544C6B0 2649AE20 83C5F9F1 FA73B5BF 5CC421DE
    1FA66C70 FD39938F 8E46AA22 2996FBF9 6C739C35 13F1A287 651A1904 57898B3F
    F076A50E F4955677 6D0BD4B3 57FB590D 851500DC D789A175 FA0F18BD 1A982438
    63730203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
    551D2304 18301680 14546BDB F740F993 E0A596EF 93D4991E 751C4240 7F301D06
    03551D0E 04160414 546BDBF7 40F993E0 A596EF93 D4991E75 1C42407F 300D0609
    2A864886 F70D0101 05050003 8181000E 1FDDF0E2 8D04EFD3 850F2417 B49E1B6B
    04CFFED3 D89C032E FEB03641 B5BC830B D60E8F8A 8EB28EA4 1242ECB5 01E91511
    08A59585 27260A9F C8470C48 0E5797F8 3C04DE38 3213CF77 ADCACC53 D6771D55
    6E6C0027 F11BE11E 06F9BC8A 1C7C3874 9C4B937D 35D0DB0F 0328FC38 DE9916AC
    FE4AD16D 1EA2CF64 316146D5 A960DB
          quit
  voice-card 0
  license udi pid CISCO2901/K9 sn FCZ1716C4QT
  hw-module pvdm 0/0
  username cisco
  username ciscodxb privilege 15 password 0 cisco
  username compumate privilege 15 secret 4 YCR80zERMiSH2RJpMWWOYdaDiHRm0U6p9mGMCktErQ2
  redundancy
  crypto ctcp
  crypto isakmp policy 1
  encr 3des
  hash md5
  authentication pre-share
  group 2
  crypto isakmp key xxxxxxxxx address 41.xxx.xx.xx
  crypto isakmp client configuration group CITDXB
  key xxxxxx
  pool SDM_POOL_1
  crypto isakmp profile ciscocp-ike-profile-1
     match identity group xxxxx
     client authentication list ciscocp_vpn_xauth_ml_1
     isakmp authorization list ciscocp_vpn_group_ml_1
     client configuration address respond
     virtual-template 1
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  mode tunnel
  crypto ipsec transform-set Dxb-to-Nigeria esp-3des esp-md5-hmac
  mode tunnel
  crypto ipsec profile CiscoCP_Profile1
  set transform-set ESP-3DES-SHA
  set isakmp-profile ciscocp-ike-profile-1
  crypto dynamic-map hq-vpn 11
  set security-association lifetime seconds 86400
  set transform-set CHANNEL-DUBAI
  crypto map Dxb-to-Nigeria 1 ipsec-isakmp
  set peer 41.xxx.xxx.xxx
  set transform-set Dxb-to-Nigeria
  match address 110
  crypto map VPN 1 ipsec-isakmp dynamic hq-vpn
  interface Embedded-Service-Engine0/0
  no ip address
  shutdown
  interface GigabitEthernet0/0
  description $ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$$ETH-WAN$
  ip address 192.168.10.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
  duplex auto
  speed auto
  interface GigabitEthernet0/1
  description $ES_WAN$
  ip address 80.xxx.xxx.xxx 255.255.255.252
  ip flow ingress
  ip flow egress
  ip nat outside
  ip virtual-reassembly in
  duplex auto
  speed auto
  crypto map Dxb-to-Nigeria
  interface Virtual-Template1 type tunnel
  ip unnumbered GigabitEthernet0/1
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile CiscoCP_Profile1
  ip local pool SDM_POOL_1 192.168.20.20 192.168.20.50
  ip forward-protocol nd
  ip http server
  ip http authentication local
  ip http secure-server
  ip nat source list 100 interface GigabitEthernet0/1 overload
  ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
  ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
  ip sla auto discovery
  access-list 1 remark CCP_ACL Category=2
  access-list 1 permit 192.168.10.0 0.0.0.255
  access-list 101 deny   ip 192.168.10.0 0.0.0.255 41.206.13.192 0.0.0.7
  access-list 101 permit ip 192.168.10.0 0.0.0.255 any
  access-list 110 permit ip 192.168.10.0 0.0.0.255 41.206.13.192 0.0.0.7
  route-map SDM_RMAP_1 permit 1
  match ip address 101
  control-plane
  mgcp profile default
  gatekeeper
  shutdown
  line con 0
  logging synchronous
  line aux 0
  line 2
  no activation-character
  no exec
  transport preferred none
  transport input all
  transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
  stopbits 1
  line vty 0 4
  transport input telnet ssh
  line vty 5 15
  access-class 23 in
  transport input telnet ssh
  scheduler allocate 20000 1000
  end
  DXB-CIT#show cry
  DXB-CIT#show crypto isa
  DXB-CIT#show crypto isakmp sa
  IPv4 Crypto ISAKMP SA
  dst                         src             state          conn-id status
  41.xxx.xxx.xx    80.xxx.xx.xx   QM_IDLE           1011 ACTIVE
  IPv6 Crypto ISAKMP SA
  DXB-CIT#show cry
  DXB-CIT#show crypto ips
  DXB-CIT#show crypto ipsec sa
  interface: GigabitEthernet0/1
      Crypto map tag: Dxb-to-Nigeria, local addr 80.xxx.xx.xx
     protected vrf: (none)
     local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
     remote ident (addr/mask/prot/port): (41.xxx.xx.xx/255.255.255.248/0/0)
     current_peer 41.xxx.xx.xxx port 500
       PERMIT, flags={origin_is_acl,}
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts compr. failed: 0
      #pkts not decompressed: 0, #pkts decompress failed: 0
      #send errors 1467, #recv errors 0
       local crypto endpt.: 80.xxx.xxx.xx, remote crypto endpt.: 41.xxx.xx.xx
       path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
       current outbound spi: 0x0(0)
       PFS (Y/N): N, DH group: none
       inbound esp sas:
       inbound ah sas:
       inbound pcp sas:
       outbound esp sas:
       outbound ah sas:
       outbound pcp sas:
  cisco861:-
  crypto pki trustpoint TP-self-signed-2499926077
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-2499926077
  revocation-check none
  rsakeypair TP-self-signed-2499926077
  crypto pki trustpoint test_trustpoint_config_created_for_sdm
  subject-name [email protected]
  revocation-check crl
  crypto pki certificate chain TP-self-signed-2499926077
  certificate self-signed 01
    3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
    31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
    69666963 6174652D 32343939 39323630 3737301E 170D3032 30333031 30303036
    32315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
    4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 34393939
    32363037 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
    8100C1D0 0C45FD24 19ECECA0 9F7686A4 42B81E39 F6485ED8 66EBFBF3 4F3DCD64
    25D4C2C7 5B56E7EF 7BF1963F F0406CBB 9B782A92 7925BA63 C761D92A 9E97CA4A
    4D83CDD3 4B9811B9 734D84AB EFD85F9D 82541A09 4C2B580F E3302B67 97F93286
    6D908B49 D936A0D1 78AB3829 56896990 9008E8EC 0333B1F1 8AACD0B2 4BCE81E3
    A4A10203 010001A3 74307230 0F060355 1D130101 FF040530 030101FF 301F0603
    551D1104 18301682 14434954 5F322E79 6F757264 6F6D6169 6E2E636F 6D301F06
    03551D23 04183016 8014E7CE C4274196 09907466 DE068815 C9987EDF 4712301D
    0603551D 0E041604 14E7CEC4 27419609 907466DE 068815C9 987EDF47 12300D06
    092A8648 86F70D01 01040500 03818100 B546F76E B5A79129 95A37822 132F6685
    E5541CD5 0818A4FE 83AD17AC 9C18AAC2 C137AF00 43FB787C 30534B0C 7D494FA8
    ACC28C3E 7CBC3BB5 92FAFD2C 5D1766FF 2C8CACE0 E523C53E 7617A9AF 7AD8FDF3
    35CD6184 8BB076E4 FBDF86B3 92EA9488 B173ABBD F42B1CA1 ECCB586B 882CC097
    DEE688A7 E04797CB 7ED73ED3 E9FFC8D0
          quit
  crypto pki certificate chain test_trustpoint_config_created_for_sdm
  ip source-route
  ip dhcp excluded-address 10.10.10.1
  ip cef
  ip domain name yourdomain.com
  username emma privilege 15 password 0 PasemmaY
  username admin privilege 15 secret 5 $1$GHAV$CuyCKFpaEVCRcTX4jTNzp/
  crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp policy 3
  encr 3des
  hash md5
  authentication pre-share
  group 2
  crypto isakmp policy 5
  encr 3des
  hash md5
  authentication pre-share
  group 2
  lifetime 28800
  crypto isakmp policy 7
  encr 3des
  hash md5
  authentication pre-share
  group 2
  lifetime 28800
  crypto isakmp key &dtej4$ address 41.xxx.xx.xxx
  crypto isakmp key ch@nn#l!t address 41.xx.xx.xx
  crypto isakmp key t3l3comch@nn3l&mtn address 196.xx.xx.xx
  crypto isakmp key CITDENjan2014 address 80.xxx.xx.xx
  crypto ipsec transform-set MTN-TCWA esp-3des esp-sha-hmac
  crypto ipsec transform-set channelit esp-3des esp-md5-hmac
  crypto ipsec transform-set MTNG-TCWA esp-3des esp-md5-hmac
  crypto ipsec transform-set CHANNEL-DUBAI esp-3des esp-md5-hmac
  crypto map CHANNEL-DUBAI 14 ipsec-isakmp
  set peer 80.xxx.xx.xxx
  set transform-set CHANNEL-DUBAI
  match address 160
  crypto map MTNVPN local-address FastEthernet4
  crypto map MTNVPN 10 ipsec-isakmp
  set peer 41.xxx.xx.xx
  set transform-set MTN-TCWA
  match address 101
  crypto map MTNVPN 11 ipsec-isakmp
  set peer 41.xxx.xx.x
  set transform-set channelit
  match address 150
  crypto map MTNVPN 12 ipsec-isakmp
  set peer 196.xxx.xx.xx
  set transform-set MTNG-TCWA
  match address MTNG
  archive
  log config
    hidekeys
  ip tcp synwait-time 5
  interface FastEthernet0
  interface FastEthernet1
  interface FastEthernet2
  interface FastEthernet3
  interface FastEthernet4
  description This interface connect MTN Fibre
  ip address 41.206.xx.xxx 255.255.255.252
  duplex auto
  speed auto
  crypto map MTNVPN
  interface Vlan1
  description This interface connects to CIT LAN
  ip address 41.xxx.xx.xxx 255.255.255.248
  ip tcp adjust-mss 1452
  ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 41.xxx.xx.xx
  ip route 10.93.128.128 255.255.255.224 41.xxx.xx.x
  ip route 10.109.95.64 255.255.255.240 41.xxx.xx.xxx
  ip route 10.135.45.0 255.255.255.224 196.xxx.xx.xx
  ip route 10.199.174.225 255.255.255.255 41.xxx.xx.xxx
  ip route 192.168.10.0 255.255.255.0 80.xxx.xxx.xxx
  ip http server
  ip http access-class 23
  ip http authentication local
  ip http secure-server
  ip http timeout-policy idle 60 life 86400 requests 10000
  ip access-list extended MTNG
  permit ip 41.xxx.xx.xxx0.0.0.7 10.135.45.0 0.0.0.31
  access-list 23 permit 10.10.10.0 0.0.0.7
  access-list 23 permit any
  access-list 101 permit ip 41.206.13.192 0.0.0.7 host 41.206.4.75
  access-list 101 permit ip 41.206.13.192 0.0.0.7 10.109.95.64 0.0.0.15
  access-list 101 permit ip 41.206.13.192 0.0.0.7 10.109.95.120 0.0.0.7
  access-list 101 permit ip 41.206.13.192 0.0.0.7 host 10.199.174.225
  access-list 101 permit ip 41.206.13.192 0.0.0.7 10.197.197.64 0.0.0.31
  access-list 101 permit ip 41.206.13.192 0.0.0.7 10.197.197.96 0.0.0.31
  access-list 150 permit ip host 41.206.13.193 10.197.212.224 0.0.0.31
  access-list 150 permit ip host 41.206.13.194 10.197.212.224 0.0.0.31
  access-list 150 permit ip host 41.206.13.195 10.197.212.224 0.0.0.31
  access-list 150 permit ip host 41.206.13.196 10.197.212.224 0.0.0.31
  access-list 150 permit ip host 41.206.13.197 10.197.212.224 0.0.0.31
  access-list 150 permit ip host 41.206.13.198 10.197.212.224 0.0.0.31
  access-list 160 permit ip 41.206.xx.xxx 0.0.0.7 192.168.10.0 0.0.0.255
  no cdp run
  control-plane
  banner exec ^C
  % Password expiration warning.
  Cisco Configuration Professional (Cisco CP) is installed on this device
  and it provides the default username "cisco" for  one-time use. If you have
  already used the username "cisco" to login to the router and your IOS image
  supports the "one-time" user option, then this username has already expired.
  You will not be able to login to the router with this username after you exit
  this session.
  It is strongly suggested that you create a new username with a privilege level
  of 15 using the following command.
  username <myuser> privilege 15 secret 0 <mypassword>
  Replace <myuser> and <mypassword> with the username and password you
  want to use.
  ^C
  banner login ^C
  Cisco Configuration Professional (Cisco CP) is installed on this device.
  This feature requires the one-time use of the username "cisco" with the
  password "cisco". These default credentials have a privilege level of 15.
  YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE
  PUBLICLY-KNOWN CREDENTIALS
  Here are the Cisco IOS commands.
  username <myuser>  privilege 15 secret 0 <mypassword>
  no username cisco
  Replace <myuser> and <mypassword> with the username and password you want
  to use.
  IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL
  NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
  For more information about Cisco CP please follow the instructions in the
  QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
  ^C
  line con 0
  login local
  no modem enable
  line aux 0
  line vty 0 4
  access-class 23 in
  privilege level 15
  login local
  transport input telnet ssh
  scheduler max-task-time 5000
  end
  CIT_2#show cry
  CIT_2#show crypto isa
  CIT_2#show crypto isakmp sa
  IPv4 Crypto ISAKMP SA
  dst                       src             state          conn-id slot status
  41.xxx.xx.xxx    80.xxx.xx.xxx QM_IDLE           2003    0 ACTIVE
  IPv6 Crypto ISAKMP SA
  CIT_2#show cry
  CIT_2#show crypto ips
  CIT_2#show crypto ipsec sa
  interface: FastEthernet4
      Crypto map tag: MTNVPN, local addr 41.xxx.xx.xx
     protected vrf: (none)
     local  ident (addr/mask/prot/port): (41.xxx.xx.xxx/255.255.255.248/0/0)
     remote ident (addr/mask/prot/port): (41.xxx.x.xx/255.255.255.255/0/0)
     current_peer 41.xxx.xx.xxxport 500
       PERMIT, flags={origin_is_acl,}
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts compr. failed: 0
      #pkts not decompressed: 0, #pkts decompress failed: 0
      #send errors 0, #recv errors 0
       local crypto endpt.: 41.xxx.xx.xx, remote crypto endpt.: 41.xxx.xx.xxx
       path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
       current outbound spi: 0x0(0)
       inbound esp sas:
       inbound ah sas:
       inbound pcp sas:
       outbound esp sas:
       outbound ah sas:
       outbound pcp sas:
     protected vrf: (none)
     local  ident (addr/mask/prot/port): (41.xxx.xx.xxx/255.255.255.248/0/0)
     remote ident (addr/mask/prot/port): (10.109.95.120/255.255.255.248/0/0)
     current_peer 41.xxx.xx.xxx port 500
       PERMIT, flags={origin_is_acl,}
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts compr. failed: 0
      #pkts not decompressed: 0, #pkts decompress failed: 0
      #send errors 0, #recv errors 0
       local crypto endpt.: 41.xxx.xx.xx, remote crypto endpt.: 41.xxx.xx.xx
       path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
       current outbound spi: 0x0(0)
       inbound esp sas:
       inbound ah sas:
       inbound pcp sas:
       outbound esp sas:
       outbound ah sas:
       outbound pcp sas:

  @Marcin
  any suggestion to fix the issue????
  i mean if i'll put below commands will i be able to fix the issue???
  crypto map MTNVPN 12 ipsec-isakmp
  set peer 80.xxx.xx.xxx
  set transform-set CHANNEL-DUBAI
  match address 160

• How to make site root-relative links work in DW and Server both?

  See details on buggy DW image link behavior, below. My question is:
  1) how to make site root-relative links work in DW and Server both? Or…
  2) how to reliably automate the change of several hundred legacy root-relative links of the form
  /images/image.jpg  to document-relative?
  That is, to
  ../images/image.jpg or
  ../../images/image.jpg or
  ../../../images/image.jpg etc…depending on where the directory is.
  The old format (/images/image.jpg ) used to work fine in my previous DW 8 configuration but appear grey in DW after “upgrading” to DW cs5.5 mac. (they look fine on the server, but it’s hard to edit image-heavy pages locally when they are all grey).
  I tried changing the files to how DW creates root relative links now:
  /public_html/images/image.jpg, which is a very easy, attractive root flow since there’s a one-to-one mapping. These look great in DW but are broken on the server!
  I looked at the “advanced” site setup, and it looked like it might be possible to nuke the /public_html/ part of my server info…but it also looked like there was the potential for doing damage changing these settings, which are automatically generated from our server connection settings, which seem to work.
  The “links relative to document/ site root” toggle…does that change how DW interprets existing links, or just change the default when you are adding a link?  I have made 80% of the file links document relative…before wondering if root-relative isn’t better?
  It sure seems less ambiguous for all those images if theres a way to make root relative work for DW design view, DW link check, and server.
  Summary of buggy behavior: (see test with images here)
  "old style" site root link
        /images/img_book/WScover120x150_NEW.jpg
        Design veiw in DW: broken (grey w/ broken icon)
        Link check in DW: "external link" (i.e., uncheckable, + file could appear orphaned)
        Browser: good
        Ease of switching: n/a (existing format)
  "new style" site root relative link
        /public_html/images/img_book/WScover120x150_NEW.jpg
        Design veiw in DW: good
        Link check in DW: good
        Browser: broken
        Ease of switching: easy
  Document relative link
        ../../images/img_book/WScover120x150_NEW.jpg
        Design veiw in DW: good
        Link check in DW: good
        Browser: good
        Ease of switching: hard (how to automate?)
  Absolute link
        http://www.oasisdesign.net/images/img_book/WScover120x150_NEW.jpg
        Design veiw in DW: broken (grey w/ broken icon)
        Link check in DW: external (i.e., uncheckable, + file could appear orphaned)
        Browser: good
        Ease of switching: n/a...not a real option
  Thanks!
  Similar discussion on "/"

  Hello again Jon!
  Thanks for jumping on this.
  All clear and understood about where publc_html is etc.
  No contemplation of nuking the actual public_html directory on the server, just the "/public_html" text string at the start of the DW-generated links.
  "/public_html" is automatically added to the front of the link in DW if I create the link with any of the GUI tools, if I have "site root relative" selected. And ""/public_html" ends up in the code, and gets uploaded that way to the server, where it (obviously) doesn't work.
  Doesn't sound like it is supposed to work this way. Also, what seems to be the usual root relative format (/images/image.jpg) shows as a broken link in the GUI and an external link in the DW link check. All this togther makes me thinkI have some obscure setting incorrect?
  The setting that caught my eye is manage sites/ site setup/ advance settings/ local info/ web url,  which is automatically set to http://www.oasisdesign.net/public_html/
  it gives an option to change it but it makes every effort to make this NOT look like something users should mess with:
  Having gone through the more careful thought process during this post, I'm ready to do the experiment of changing the remote server web URL (why is it wrong by default?)...think I'll eat dinner first so there's 45 min to avert disaster if anyone knows this to be a bad idea!
  Art
  PS--don't  have a local testing server...don't think this will solve the GUI broken link/ link shows as external problems.
  Is there an easy, automated way to change links sitewide from document to root relative?

• Port Forwarding for L2TP/IPSec VPN Behind Verizon Actiontec MI424WR-GEN2 Rev. E v20.21.0.2

  I've got a NAS setup with various services running on custom ports to help minimize exposure (especially to script kiddies). I've tested everything both internally and externally to confirm they all work, and even had someone at a remote location confirm accessibility as well.  Port forward configurations performed on the Actiontec are working well. 
  I installed an L2TP/IPSec VPN server, tested internally and it connected successfully.  So for all intents & purposes, this validates that the VPN server is correctly configured to accept inbound connections and functioning correctly.
  I logged into the Verizon Actiontec MI424WR router, setup port forwarding for UDP ports 500, 1701 & 4500.
  Note: I added the AH & ESP protocols based on what I saw on the built-in L2TP/IPSec rules
  With the port forwarding in place, I tested VPN externally but it didn't connect.
  I've done the following so far to no avail:
  Double & triple checked the port forwards, deleted & recreated the rules a few times to be sure
  There are no other pre-existing L2RP/IPSec port forward rules or otherwise conflicting port forward rules (e.g.: another rule for ports 500, 1701 or 4500)
  There was an L2TP port triggering rule enabled, that I toggled on and off with no change
  Verified the firewall on VPN server had an exclusion for L2TP, or that the firewall is off. (Firewall is off to reduce a layer of complexity, but it worked internally to begin with so I doubt that's the issue.)
  Since it works internally, and there are no entries in the logs on the device indicating inbound connections, I'm convinced its an issue with the Verizon Actiontec router.  But unfortunately, I'm not sure what else to try or where else to look to troubleshoot this.  For instance, is there a log on the router that I can view in real time (e.g.: tail) that would show me whether or not the inbound connection attempt is reaching the device, and whether or not the device allowed or blocked it?
  My router details:
  Verizon Actiontec
  MI424WR-GEN2
  Revision E
  Firmware 20.21.0.2
  Verizon Actiontec built-in L2TP/IPSec rule templates.  They're not currently in use, but are baked into the firmware for easy configuration/selection from a drop down menu.
  Solved!
  Go to Solution.

  normally a vpn on that router, will have a GRE tunneling protocol as well.
  two ways to build the PF rules,
  Manually
  Preconfigured
  I know the preconfigured VPN rules will do the GRE protocol as well, but if you do it by hand you can't get it.

• Enterprise Mode for Internet Explorer 11. Difference in how adding a site works.

  I am noticing a difference in how adding a site to open in Enterprise Mode works.
  When I incorporate a XML file created by the List Manager, containing 'http://mysite/mypath'.   Enterprise mode functions for the entire site.  When I say entire site, I mean pages in virtual directories also open in Enterprise Mode.  
  This is good.   But I for the time being I would like to put it on my users to approve their sites.
  However, if I choose to not use a file and just allow the users to add sites, when they go to 'http://mysite/mypath' then go to Tools and Enterprise Mode to add the site.    We close Internet Explorer, reopen, enter the site 'http://mysite/mypath'
  opens in Enterprise Mode.   But when they navigate to pages located in virtual directories, they display in standards mode.   And would need to be added separately by going to Tools -> Enterprise Mode.
  I just want to know am I seeing this behavior correctly, or am I possibly missing a step.
  Thanks in advance for the response and feedback.

  Hi David,
  I am testing in my environment, and I will let you know if we have any result.
  Thanks for your patience.
  Best regards,
  Fangzhou CHEN
  Fangzhou CHEN
  TechNet Community Support

• How make dynamic site with MUSE

  Howdy, i want ask how make dynamic site with muse, can it intergated with CMS like wordpress, joomla, drupal etc?
  Thanks,
  best regard,
  harles

  Hello Harles,
  The CMS functionality till now is only supported with Muse while using Business Catalyst as host.
  Please refer to forum posts : http://forums.adobe.com/message/4418294?tstart=0 and http://forums.adobe.com/message/4776241#4776241 .
  Hope this helps.
  Regards,
  Sachin

• How to extract .sit files(in MAC)  using java program

  Hi,
  please help me , i want to simple program for
  " how to extract .sit files(in MAC) using java program"
  that sit files same as zip files in windows..[                                                                                                                                                                                                                                                                                                                                   

  Thanks for reply...
  but i search in the google about this topic...there is no results will appear..
  the problem is "i have to run program in the MacOS like extract all the
  .sit(StuffIt) extension files. These sit files same as zip files in the windows... we have one tool called StuffIt Expander but it is 3rd party tool. but here requirement is i have to write my own program to extract all the files same as zip file program...
  please do the needful..i am waiting for ur reply,,,