Ipad vpn to cisco firewall
I use Cisco Firewall (pix501) to Cisco Firewall (pix515) VPN to run off site offices. I am now attempting to connect to my network with an iPad air. What is needed to connect an iPad air to the Cisco Firewall (pix515)?
Jags@GSC wrote:
It appears that my pix515 running at ver 7 might be the issue.
You didn't bother to mention that you had an issue. You still haven't explained what you "issue" is. Maybe you should try contacting Cisco support.
Similar Messages
-
Webserver on DMZ cannot send email via php script using SMTP (cisco firewall pix 515e)
Hello,
I have two web servers that are sitting in a DMZ behind a Cisco Firewall PIX 515e. The webservers appear to be configured correctly as our website and FTP website are up. On two of our main website, we have two contact forms that use a simple html for to call a php script that uses smtp as its mailing protocol. Since, I am not the network administrator, I don't quite understand how to read the current configurations on the firewall, but I suspect that port 25 is blocked, which prevents the script from actually working or sending out emails. What I've done to narrow the problem done is the following: I used a wamp server to test our scripts with our smtp servers settings, was able to successfully send an email out to both my gmail and work place accounts. Currently, we have backupexec loaded on both of these servers, and when I try to send out an alert I never receive it. I think because port 25 is closed on both of those servers. I will be posting our configuration. if anyone can take a look and perhaps explain to me how I can change our webservers to communicate and successfully deliver mail via that script, I would gladly appreciate it. our IP range is 172.x.x.x, but it looks like our webservers are using 192.x.x.x with NAT in place. Please someone help.
Thanks,
Jeff Mateo
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
enable password GFO9OSBnaXE.n8af encrypted
passwd GFO9OSBnaXE.n8af encrypted
hostname morrow-pix-ct
domain-name morrowco.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 12.42.47.27 LI-PIX
name 172.20.0.0 CT-NET
name 172.23.0.0 LI-NET
name 172.22.0.0 TX-NET
name 172.25.0.0 NY-NET
name 192.168.10.0 CT-DMZ-NET
name 1.1.1.1 DHEC_339849.ATI__LEC_HCS722567SN
name 1.1.1.2 DHEC_339946.ATI__LEC_HCS722632SN
name 199.191.128.105 web-dns-1
name 12.127.16.69 web-dns-2
name 12.3.125.178 NY-PIX
name 64.208.123.130 TX-PIX
name 24.38.31.80 CT-PIX
object-group network morrow-net
network-object 12.42.47.24 255.255.255.248
network-object NY-PIX 255.255.255.255
network-object 64.208.123.128 255.255.255.224
network-object 24.38.31.64 255.255.255.224
network-object 24.38.35.192 255.255.255.248
object-group service morrow-mgmt tcp
port-object eq 3389
port-object eq telnet
port-object eq ssh
object-group network web-dns
network-object web-dns-1 255.255.255.255
network-object web-dns-2 255.255.255.255
access-list out1 permit icmp any any echo-reply
access-list out1 permit icmp object-group morrow-net any
access-list out1 permit tcp any host 12.193.192.132 eq ssh
access-list out1 permit tcp any host CT-PIX eq ssh
access-list out1 permit tcp any host 24.38.31.72 eq smtp
access-list out1 permit tcp any host 24.38.31.72 eq https
access-list out1 permit tcp any host 24.38.31.72 eq www
access-list out1 permit tcp any host 24.38.31.70 eq www
access-list out1 permit tcp any host 24.38.31.93 eq www
access-list out1 permit tcp any host 24.38.31.93 eq https
access-list out1 permit tcp any host 24.38.31.93 eq smtp
access-list out1 permit tcp any host 24.38.31.93 eq ftp
access-list out1 permit tcp any host 24.38.31.93 eq domain
access-list out1 permit tcp any host 24.38.31.94 eq www
access-list out1 permit tcp any host 24.38.31.94 eq https
access-list out1 permit tcp any host 24.38.31.71 eq www
access-list out1 permit tcp any host 24.38.31.71 eq 8080
access-list out1 permit tcp any host 24.38.31.71 eq 8081
access-list out1 permit tcp any host 24.38.31.71 eq 8090
access-list out1 permit tcp any host 24.38.31.69 eq ssh
access-list out1 permit tcp any host 24.38.31.94 eq ftp
access-list out1 permit tcp any host 24.38.31.92 eq 8080
access-list out1 permit tcp any host 24.38.31.92 eq www
access-list out1 permit tcp any host 24.38.31.92 eq 8081
access-list out1 permit tcp any host 24.38.31.92 eq 8090
access-list out1 permit tcp any host 24.38.31.93 eq 3389
access-list out1 permit tcp any host 24.38.31.92 eq https
access-list out1 permit tcp any host 24.38.31.70 eq https
access-list out1 permit tcp any host 24.38.31.74 eq www
access-list out1 permit tcp any host 24.38.31.74 eq https
access-list out1 permit tcp any host 24.38.31.74 eq smtp
access-list out1 permit tcp any host 24.38.31.75 eq https
access-list out1 permit tcp any host 24.38.31.75 eq www
access-list out1 permit tcp any host 24.38.31.75 eq smtp
access-list out1 permit tcp any host 24.38.31.70 eq smtp
access-list out1 permit tcp any host 24.38.31.94 eq smtp
access-list dmz1 permit icmp any any echo-reply
access-list dmz1 deny ip any 10.0.0.0 255.0.0.0
access-list dmz1 deny ip any 172.16.0.0 255.240.0.0
access-list dmz1 deny ip any 192.168.0.0 255.255.0.0
access-list dmz1 permit ip any any
access-list dmz1 deny ip any any
access-list nat0 permit ip CT-NET 255.255.0.0 192.168.220.0 255.255.255.0
access-list nat0 permit ip host 172.20.8.2 host 172.23.0.2
access-list nat0 permit ip CT-NET 255.255.0.0 LI-NET 255.255.0.0
access-list nat0 permit ip CT-NET 255.255.0.0 NY-NET 255.255.0.0
access-list nat0 permit ip CT-NET 255.255.0.0 TX-NET 255.255.0.0
access-list vpn-split-tun permit ip CT-NET 255.255.0.0 192.168.220.0 255.255.255
.0
access-list vpn-split-tun permit ip CT-DMZ-NET 255.255.255.0 192.168.220.0 255.2
55.255.0
access-list vpn-dyn-match permit ip any 192.168.220.0 255.255.255.0
access-list vpn-ct-li-gre permit gre host 172.20.8.2 host 172.23.0.2
access-list vpn-ct-ny permit ip CT-NET 255.255.0.0 NY-NET 255.255.0.0
access-list vpn-ct-ny permit ip CT-DMZ-NET 255.255.255.0 NY-NET 255.255.0.0
access-list vpn-ct-tx permit ip CT-NET 255.255.0.0 TX-NET 255.255.0.0
access-list vpn-ct-tx permit ip CT-DMZ-NET 255.255.255.0 TX-NET 255.255.0.0
access-list static-dmz-to-ct-2 permit ip host 192.168.10.141 CT-NET 255.255.248.
0
access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 192.168.220.0 255.255.25
5.0
access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 LI-NET 255.255.0.0
access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 NY-NET 255.255.0.0
access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 TX-NET 255.255.0.0
access-list static-dmz-to-ct-1 permit ip host 192.168.10.140 CT-NET 255.255.248.
0
access-list static-dmz-to-li-1 permit ip CT-DMZ-NET 255.255.255.0 CT-NET 255.255
.248.0
access-list vpn-ct-li permit ip CT-NET 255.255.0.0 LI-NET 255.255.0.0
access-list vpn-ct-li permit ip CT-DMZ-NET 255.255.255.0 LI-NET 255.255.0.0
access-list vpn-ct-li permit ip host 10.10.2.2 host 10.10.1.1
access-list in1 permit tcp host 172.20.1.21 any eq smtp
access-list in1 permit tcp host 172.20.1.20 any eq smtp
access-list in1 deny tcp any any eq smtp
access-list in1 permit ip any any
access-list in1 permit tcp any any eq smtp
access-list cap4 permit ip host 172.20.1.82 host 192.168.220.201
access-list cap2 permit ip host 172.20.1.82 192.168.220.0 255.255.255.0
access-list in2 deny ip host 172.20.1.82 any
access-list in2 deny ip host 172.20.1.83 any
access-list in2 permit ip any any
pager lines 43
logging on
logging timestamp
logging buffered notifications
logging trap notifications
logging device-id hostname
logging host inside 172.20.1.22
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside CT-PIX 255.255.255.224
ip address inside 172.20.8.1 255.255.255.0
ip address DMZ 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ctpool 192.168.220.100-192.168.220.200
ip local pool ct-thomson-pool-201 192.168.220.201 mask 255.255.255.255
pdm history enable
arp timeout 14400
global (outside) 1 24.38.31.81
nat (inside) 0 access-list nat0
nat (inside) 1 CT-NET 255.255.0.0 2000 10
nat (DMZ) 0 access-list nat0-dmz
static (inside,DMZ) CT-NET CT-NET netmask 255.255.0.0 0 0
static (inside,outside) 24.38.31.69 172.20.8.2 netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.94 192.168.10.141 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.71 172.20.1.11 dns netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.93 192.168.10.140 netmask 255.255.255.255 0 0
static (DMZ,inside) 24.38.31.93 access-list static-dmz-to-ct-1 0 0
static (DMZ,inside) 24.38.31.94 access-list static-dmz-to-ct-2 0 0
static (inside,outside) 24.38.31.92 172.20.1.56 netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.91 192.168.10.138 netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.90 192.168.10.139 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.72 172.20.1.20 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.73 172.20.1.21 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.70 172.20.1.91 netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.88 192.168.10.136 netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.89 192.168.10.137 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.74 172.20.1.18 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.75 172.20.1.92 netmask 255.255.255.255 0 0
access-group out1 in interface outside
access-group dmz1 in interface DMZ
route outside 0.0.0.0 0.0.0.0 24.38.31.65 1
route inside 10.10.2.2 255.255.255.255 172.20.8.2 1
route inside CT-NET 255.255.248.0 172.20.8.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server ct-rad protocol radius
aaa-server ct-rad max-failed-attempts 2
aaa-server ct-rad deadtime 10
aaa-server ct-rad (inside) host 172.20.1.22 morrow123 timeout 7
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 173.220.252.56 255.255.255.248 outside
http 65.51.181.80 255.255.255.248 outside
http 208.65.108.176 255.255.255.240 outside
http CT-NET 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community m0rroW(0
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
crypto dynamic-map dyn_map 20 match address vpn-dyn-match
crypto dynamic-map dyn_map 20 set transform-set 3des-sha
crypto map ct-crypto 10 ipsec-isakmp
crypto map ct-crypto 10 match address vpn-ct-li-gre
crypto map ct-crypto 10 set peer LI-PIX
crypto map ct-crypto 10 set transform-set 3des-sha
crypto map ct-crypto 15 ipsec-isakmp
crypto map ct-crypto 15 match address vpn-ct-li
crypto map ct-crypto 15 set peer LI-PIX
crypto map ct-crypto 15 set transform-set 3des-sha
crypto map ct-crypto 20 ipsec-isakmp
crypto map ct-crypto 20 match address vpn-ct-ny
crypto map ct-crypto 20 set peer NY-PIX
crypto map ct-crypto 20 set transform-set 3des-sha
crypto map ct-crypto 30 ipsec-isakmp
crypto map ct-crypto 30 match address vpn-ct-tx
crypto map ct-crypto 30 set peer TX-PIX
crypto map ct-crypto 30 set transform-set 3des-sha
crypto map ct-crypto 65535 ipsec-isakmp dynamic dyn_map
crypto map ct-crypto client authentication ct-rad
crypto map ct-crypto interface outside
isakmp enable outside
isakmp key ******** address LI-PIX netmask 255.255.255.255 no-xauth no-config-mo
de
isakmp key ******** address 216.138.83.138 netmask 255.255.255.255 no-xauth no-c
onfig-mode
isakmp key ******** address NY-PIX netmask 255.255.255.255 no-xauth no-config-mo
de
isakmp key ******** address TX-PIX netmask 255.255.255.255 no-xauth no-config-mo
de
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 86400
vpngroup remotectusers address-pool ctpool
vpngroup remotectusers dns-server 172.20.1.5
vpngroup remotectusers wins-server 172.20.1.5
vpngroup remotectusers default-domain morrowny.comAmit,
I applaud your creativity in seeking to solve your problem, however, this sounds like a real mess in the making. There are two things I don't like about your approach. One, cron -> calling Java -> calling PHP -> accessing database, it's just too many layers, in my opinion, where things can go wrong. Two it seems to me that you are exposing data one your website (with the PHP) that you may not want expose and this is an important consideration when you are dealing with emails and privacy and so on.
I think the path of least resistance would be to get a new user account added to the MySQL database that you can access remotely with your Java program. This account can be locked down for read only access and be locked down to the specific IP or IP range that your Java program will be connecting from.
Again I applaud your creativity but truly this seems like a hack because of the complexity and security concerns you are introducing and I think is a path to the land of trouble. Hopefully you will be able to get a remote account set up. -
Site to Site VPN between Cisco ASA 5520 and Avaya VPN Phone
Hi,
I am wondering if anyone can assist me on configuring Cisco ASA 5520 site to site vpn with Avaya VPN Phone? According to Avaya, the Avaya 9630 phone acts as a VPN client so a VPN router or firewall is not needed.
The scanario:
Avaya System ------ ASA 5520 ------ INTERNET ----- Avaya 9630 VPN Phone
Any help or advice is much appreciated.
Thanks.Hello Bernard,
What you are looking for is a Remote Ipsec VPN mode not a L2L.
Here is the link you should use to make this happen:)
https://devconnect.avaya.com/public/download/interop/vpnphon_asa.pdf
Regards,
Julio -
Connect iPad VPN to RV220W?
What is the best way to connect an iPad VPN client to access an RV220W?
Sent from Cisco Technical Support iPad AppJags@GSC wrote:
It appears that my pix515 running at ver 7 might be the issue.
You didn't bother to mention that you had an issue. You still haven't explained what you "issue" is. Maybe you should try contacting Cisco support. -
VPN between cisco WRVS4400N and EdgeMarc
Hi Experts
Please help me.
Is it possible to create VPN between cisco WRVS4400N and EdgeMarc appliance.
Regards,
EjazHi Ejaz
I don't expect any cisco folks that answer this community to be expert on EdgeMarc, but i may be wrong..
We employ a open standard IPSec implementation.
Here is the open source document that relates to the RV220W.
http://www.cisco.com/en/US/docs/routers/csbr/rv220w/open_source/OSD_RV220W_78-19892-02.pdf
The question could have been, have you asked EsgeMarc if they wiork with open standard based IPSec implemations on our routers.
I would prefer you look at the RV220W if possible, which is a relatively young product.
I am guessing since you can source a product from Disti, try one and see if it works.
The beauty of buying from a Cisco Disti Partner, is they they have a returns policy. Check out that policy, if you wish and keep the packaging and try out your application.
Answered a question with someone trying to form a IPSec link to a OEM firewall/ IPSec gateway ..it worked. so give your application a try
regards Dave. -
Azure Site to Site VPN with Cisco ASA 5505
I have got Cisco ASA 5505 device (version 9.0(2)). And i cannot connect S2S with azure (azure network alway in "connecting" state). In my cisco log:
IP = 104.40.182.93, Keep-alives configured on but peer does not support keep-alives (type = None)
Group = 104.40.182.93, IP = 104.40.182.93, QM FSM error (P2 struct &0xcaaa2a38, mess id 0x1)!
Group = 104.40.182.93, IP = 104.40.182.93, Removing peer from correlator table failed, no match!
Group = 104.40.182.93, IP = 104.40.182.93,Overriding Initiator's IPSec rekeying duration from 102400000 to 4608000 Kbs
Group = 104.40.182.93, IP = 104.40.182.93, PHASE 1 COMPLETED
I have done all cisco s2s congiguration over standard wizard cos seems your script for 8.x version of asa only?
(Does azure support 9.x version of asa?)
How can i fix it?Hi,
As of now, we do not have any scripts for Cisco ASA 9x series.
Thank you for your interest in Windows Azure. The Dynamic routing is not supported for the Cisco ASA family of devices.
Unfortunately, a dynamic routing VPN gateway is required for Multi-Site VPN, VNet to VNet, and Point-to-Site.
However, you should be able to setup a site-to-site VPN with Cisco ASA 5505 series security appliance as
demonstrated in this blog:
Step-By-Step: Create a Site-to-Site VPN between your network and Azure
http://blogs.technet.com/b/canitpro/archive/2013/10/09/step-by-step-create-a-site-to-site-vpn-between-your-network-and-azure.aspx
You can refer to this article for Cisco ASA templates for Static routing:
http://msdn.microsoft.com/en-us/library/azure/dn133793.aspx
Did you download the VPN configuration file from the dashboard and copy the content of the configuration
file to the Command Line Interface of the Cisco ASDM application? It seems that there is no specified IP address in the access list part and maybe that is why the states message appeared.
According to the
Cisco ASA template, it should be similar to this:
access-list <RP_AccessList>
extended permit ip object-group
<RP_OnPremiseNetwork> object-group <RP_AzureNetwork>
nat (inside,outside) source static <RP_OnPremiseNetwork>
<RP_OnPremiseNetwork> destination static <RP_AzureNetwork>
<RP_AzureNetwork>
Based on my experience, to establish
IPSEC tunnel, you need to allow the ESP protocol and UDP Port 500. Please make sure that the
VPN device cannot be located behind a NAT. Besides, since Cisco ASA templates are not
compatible for dynamic routing, please make sure that you chose the static routing.
Since you configure the VPN device yourself, it's important that you would be familiar with the device and its configuration settings.
Hope this helps you.
Girish Prajwal -
Hello, I have been trying to configure a VPN with Cisco Asa 5505 and Cisco VPN client 5.X for 3 weeks and I am not being able to accomplish it, so I decided to reset to factory defaults and start over again.
I used ASDM 6.4 VPN wizard to configure it (I selected exempt local network from NAT and enabled split tunneling, but I have tried other combinations as well).
Tunnel seems to be established properly since I do see an endpoint while using 'sh crypto isakmp sa' but 'sh crypto ipsec sa' shows no packets encrypted or decrypted, so VPN is not working as expected. I can't ping or rdp to internal LAN:
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
The running-config it created is:
ciscoasa# sh run
: Saved
ASA Version 8.4(2)
hostname ciscoasa
enable password XXXX encrypted
passwd XXXX encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 172.16.1.254 255.255.0.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group ADSL_Telefonica
ip address pppoe setroute
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.0.0.0_24
subnet 10.0.0.0 255.255.255.0
object network NETWORK_OBJ_172.16.0.0_16
subnet 172.16.0.0 255.255.0.0
access-list test_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool test 10.0.0.1-10.0.0.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_172.16.0.0_16 NETWORK_OBJ_172.16.0.0_16 destination static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 no-proxy-arp route-lookup
object network obj_any
nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 172.16.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 172.16.0.0 255.255.0.0 inside
telnet timeout 55
ssh 172.16.0.0 255.255.0.0 inside
ssh timeout 55
console timeout 0
vpdn group ADSL_Telefonica request dialout pppoe
vpdn group ADSL_Telefonica localname adslppp@telefonicanetpa
vpdn group ADSL_Telefonica ppp authentication pap
vpdn username adslppp@telefonicanetpa password *****
dhcpd auto_config outside
dhcpd address 172.16.2.2-172.16.2.129 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy test internal
group-policy test attributes
dns-server value 172.16.1.1
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value test_splitTunnelAcl
username test password XXXXXX encrypted privilege 0
username test attributes
vpn-group-policy test
username ignacio password XXXXXXX encrypted
tunnel-group test type remote-access
tunnel-group test general-attributes
address-pool test
default-group-policy test
tunnel-group test ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c8935bd572dfd37e81c6aa9f9dc8207c
: end
Thank you very much for your helpYes, it was a VPN client problem. I was doing test with a WWAN card and it seems it is not compatible with windows 7.
• The VPN Client on Windows 7 does not support WWAN devices (also called wireless data cards).
I should have read Release Notes before. Thank you very much for your help and effort. -
Remote Access VPN on Cisco ASA Problem
Hi, i configured Remote access VPN on Cisco ASA 8.x as per below configuration.
Problem is that my internet has stopped working, and default route is just showing stars.
i can ping internal server 10.110.10.150 fine , which i allowed on VPN ACL, but my other traffic not going to regular internet on my laptop,
what additional required to force my internet to go to regular internet instead of getting encrypted?
Also attaching output of route print at the point when VPN is connected.
ip local pool RA_VPN_POOL 10.1.200.100-10.1.200.150 mask 255.255.255.0
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map RA_VPN 65535 set transform-set ESP-AES-128-SHA
crypto dynamic-map RA_VPN 65535 set security-association lifetime seconds 28800
crypto dynamic-map RA_VPN 65535 set security-association lifetime kilobytes 4608000
crypto map VPN_MAP 65535 ipsec-isakmp dynamic RA_VPN
crypto map VPN_MAP interface outside
isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
tunnel-group ITT_RA type remote-access
tunnel-group ITT_RA general-attributes
address-pool RA_VPN_POOL
default-group-policy RA_VPN_GP
tunnel-group ITT_RA ipsec-attributes
pre-shared-key <group key>
group-policy RA_VPN_GP internal
group-policy RA_VPN_GP attributes
dns-server value 10.0.0.1 10.0.0.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain value mydomain.com
address-pools value RA_VPN_POOL
access-list Split_Tunnel_List extended permit ip host 10.110.10.150 10.1.200.0 255.255.255.0
access-list nonattest extended permit ip host 10.110.10.150 10.1.200.0 255.255.255.0
nat (inside) 0 access-list nonattest
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.111.36.1 10.111.36.9 276
0.0.0.0 0.0.0.0 On-link 10.1.200.100 20
10.1.200.0 255.255.255.0 On-link 10.1.200.100 276
10.1.200.100 255.255.255.255 On-link 10.1.200.100 276
10.1.200.255 255.255.255.255 On-link 10.1.200.100 276
10.110.10.150 255.255.255.255 10.1.200.1 10.1.200.100 100
10.111.36.0 255.255.255.0 On-link 10.111.36.9 276Hi, i configured Remote access VPN on Cisco ASA 8.x as per below configuration.
Problem is that my internet has stopped working, and default route is just showing stars.
i can ping internal server 10.110.10.150 fine , which i allowed on VPN ACL, but my other traffic not going to regular internet on my laptop,
what additional required to force my internet to go to regular internet instead of getting encrypted?
Also attaching output of route print at the point when VPN is connected.
ip local pool RA_VPN_POOL 10.1.200.100-10.1.200.150 mask 255.255.255.0
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map RA_VPN 65535 set transform-set ESP-AES-128-SHA
crypto dynamic-map RA_VPN 65535 set security-association lifetime seconds 28800
crypto dynamic-map RA_VPN 65535 set security-association lifetime kilobytes 4608000
crypto map VPN_MAP 65535 ipsec-isakmp dynamic RA_VPN
crypto map VPN_MAP interface outside
isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
tunnel-group ITT_RA type remote-access
tunnel-group ITT_RA general-attributes
address-pool RA_VPN_POOL
default-group-policy RA_VPN_GP
tunnel-group ITT_RA ipsec-attributes
pre-shared-key <group key>
group-policy RA_VPN_GP internal
group-policy RA_VPN_GP attributes
dns-server value 10.0.0.1 10.0.0.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain value mydomain.com
address-pools value RA_VPN_POOL
access-list Split_Tunnel_List extended permit ip host 10.110.10.150 10.1.200.0 255.255.255.0
access-list nonattest extended permit ip host 10.110.10.150 10.1.200.0 255.255.255.0
nat (inside) 0 access-list nonattest
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.111.36.1 10.111.36.9 276
0.0.0.0 0.0.0.0 On-link 10.1.200.100 20
10.1.200.0 255.255.255.0 On-link 10.1.200.100 276
10.1.200.100 255.255.255.255 On-link 10.1.200.100 276
10.1.200.255 255.255.255.255 On-link 10.1.200.100 276
10.110.10.150 255.255.255.255 10.1.200.1 10.1.200.100 100
10.111.36.0 255.255.255.0 On-link 10.111.36.9 276 -
Remote access VPN with Cisco Router - Can not get the Internal Lan .
Dear Sir ,
I am doing Remote Access VPN through Cisco Router. Before the real deployment, I want to simulate it with GNS3.Need you help to complete the job .Please see the attachment for Scenario, Configuration and Ping status.
I am getting IP address when i connect through VPN client .But I can not ping to the internal lan -192.168.1.0.Need your help to sole the issue.
Below is the IP address of the device.
Local PC connect with Router -2 (Through MS Loopback) Router -2 Router-1 PC -01
IP Address :10.10.10.2 Mask : 255.255.255.0 F0/01
IP address:10.10.10.1
Mask:255.255.255.0 F0/0
IP Address :20.20.20.1
Mask :255.255.255.0
F0/1
IP address :192.168.1.3
Mask:255.255.255.0
F0/0
IP address :20.20.20.2
Mask :255.255.255.0
F0/1
IP address :192.168.1.1
Mask:255.255.255.0
I can ping from local PC to the network 10.10.10.0 and 20.20.20.0 .Please find the attach file for ping status .So connectivity is ok from my local PC to Remote Router 1 and 2.
Through Cisco remote vpn client, I can get connected with the VPN Router R1 (Please see the VPN Client pic.)But cannot ping the network 192.168.1.0
Need your help to fix the problem.
Router R2 Configuration :!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R2
boot-start-marker
boot-end-marker
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip tcp synwait-time 5
interface FastEthernet0/0
ip address 20.20.20.2 255.255.255.0
duplex auto
speed auto
interface FastEthernet0/1
ip address 10.10.10.1 255.255.255.0
duplex auto
speed auto
ip forward-protocol nd
no ip http server
no ip http secure-server
control-plane
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
end
Router R1 Configuration :
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R1
boot-start-marker
boot-end-marker
aaa new-model
aaa authentication login USERAUTH local
aaa authorization network NETAUTHORIZE local
aaa session-id common
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
username vpnuser password 0 strongpassword
ip tcp synwait-time 5
crypto keyring vpnclientskey
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp client configuration group remotevpn
key cisco123
dns 192.168.1.2
wins 192.168.1.2
domain mycompany.com
pool vpnpool
acl VPN-ACL
crypto isakmp profile remoteclients
description remote access vpn clients
keyring vpnclientskey
match identity group remotevpn
client authentication list USERAUTH
isakmp authorization list NETAUTHORIZE
client configuration address respond
crypto ipsec transform-set TRSET esp-3des esp-md5-hmac
crypto dynamic-map DYNMAP 10
set transform-set TRSET
set isakmp-profile remoteclients
crypto map VPNMAP 10 ipsec-isakmp dynamic DYNMAP
interface FastEthernet0/0
ip address 20.20.20.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPNMAP
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ip local pool vpnpool 192.168.50.1 192.168.50.10
ip forward-protocol nd
ip route 10.10.10.0 255.255.255.0 FastEthernet0/0
no ip http server
no ip http secure-server
ip nat inside source list NAT-ACL interface FastEthernet0/0 overload
ip access-list extended NAT-ACL
deny ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended VPN-ACL
permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
control-plane
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
endDear All,
I am doing Remote Access VPN through Cisco Router. Before the real deployment, I want to simulate it with GNS3.Need you help to complete the job .
Please see the attachment for Scenario, Configuration and Ping status. I am getting IP address when i connect through VPN client .But I can not ping to the internal lan -192.168.1.0.Need your help to sole the issue.
Waiting for your responce .
--Milon -
Hi, I'm trying to create Site-to-Site VPN between Cisco ASA 5505 and Cisco Router 3945.
I've tried create configuration with and without ASA wizard, but anyway it doesn't work.
Please help me to find where is the issue.
I have two sites and would like to get access from 192.168.83.0 to 192.168.17.0
192.168.17.0 --- S1.S1.S1.S1 (IOS Router) ==================== S2.S2.S2.S2 (ASA 5505) --- 192.168.83.0
Here is my current configuration.
Thanks for your help.
IOS Configuration
version 15.2
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key cisco address 198.0.183.225
crypto isakmp invalid-spi-recovery
crypto ipsec transform-set AES-SET esp-aes esp-sha-hmac
mode transport
crypto map static-map 1 ipsec-isakmp
set peer S2.S2.S2.S2
set transform-set AES-SET
set pfs group2
match address 100
interface GigabitEthernet0/0
ip address S1.S1.S1.S1 255.255.255.240
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map static-map
interface GigabitEthernet0/1
ip address 192.168.17.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
access-list 100 permit ip 192.168.17.0 0.0.0.255 192.168.83.0 0.0.0.255
ASA Configuration
ASA Version 8.4(3)
interface Ethernet0/0
switchport access vlan 2
interface Vlan1
nameif inside
security-level 100
ip address 192.168.83.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address S2.S2.S2.S2 255.255.255.248
ftp mode passive
same-security-traffic permit intra-interface
object network inside-network
subnet 192.168.83.0 255.255.255.0
object network datacenter
host S1.S1.S1.S1
object network datacenter-network
subnet 192.168.17.0 255.255.255.0
object network NETWORK_OBJ_192.168.83.0_24
subnet 192.168.83.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended deny ip any any log
access-list outside_cryptomap extended permit ip 192.168.83.0 255.255.255.0 object datacenter-network
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpn_pool 192.168.83.200-192.168.83.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic inside-network interface
nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup
nat (inside,outside) source static inside-network inside-network destination static datacenter-network datacenter-network no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.83.0_24 NETWORK_OBJ_192.168.83.0_24 destination static datacenter-network pdatacenter-network no-proxy-arp route-lookup
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 DEFAULT_GATEWAY 1
crypto ipsec ikev1 transform-set vpn-transform-set esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set vpn-transform-set mode transport
crypto ipsec ikev1 transform-set L2L_SET esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set L2L_SET mode transport
crypto dynamic-map dyno 10 set ikev1 transform-set vpn-transform-set
crypto map vpn 1 match address outside_cryptomap
crypto map vpn 1 set pfs
crypto map vpn 1 set peer S1.S1.S1.S1
crypto map vpn 1 set ikev1 transform-set L2L_SET
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp nat-traversal 3600
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
group-policy GroupPolicy_S1.S1.S1.S1 internal
group-policy GroupPolicy_S1.S1.S1.S1 attributes
vpn-tunnel-protocol ikev1
group-policy remote_vpn_policy internal
group-policy remote_vpn_policy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
username artem password 8xs7XK3To4s5WfTvtKAutA== nt-encrypted
username admin password rqiFSVJFung3fvFZ encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
address-pool vpn_pool
default-group-policy remote_vpn_policy
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group S1.S1.S1.S1 type ipsec-l2l
tunnel-group S1.S1.S1.S1 general-attributes
default-group-policy GroupPolicy_S1.S1.S1.S1
tunnel-group S1.S1.S1.S1 ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f55f10c19a0848edd2466d08744556eb
: endThanks for helping me again. I really appreciate.
I don't hve any NAT-exemptions in Cisco IOS Router. Transform-set I will change soon, but I've tried with tunnel mode and it didn't work.
Maybe NAT-exemptions is the issue. Can you advice me which exemptions should be in Cisco IOS Router?
Because on Cisco ASA I guess I have everything.
Here is show crypto session detail
router(config)#do show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: GigabitEthernet0/0
Session status: DOWN
Peer: 198.0.183.225 port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit ip 192.168.17.0/255.255.255.0 192.168.83.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
Should I see something in crypto isakmp sa?
pp-border#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
Thanks again for your help. -
%ASA-7-710005: TCP request discarded error in Client to Site VPN in CISCO ASA 5510
Hi Friends,
I'm trying to built client to site VPN in CISCO ASA 5510 8.4(4) and getting below error while connecting cisco VPN client software. Also, I'm getting below log in ASA. Please help me to reslove.
Error in CISCO VPN Client Software:
Secure VPN Connection Terminated locally by the client.
Reason : 414 : Failed to establish a TCP connection.
Error in CISCO ASA 5510
%ASA-7-710005: TCP request discarded from <Public IP> /49276 to outside:<Outside Interface IP of my ASA> /10000
ASA Configuration:
XYZ# sh run
: Saved
ASA Version 8.4(4)
hostname XYZ
domain-name XYZ
enable password 3uLkVc9JwRA1/OXb level 3 encrypted
enable password R/x90UjisGVJVlh2 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
nameif outside_rim
security-level 0
ip address 1.1.1.1 255.255.255.252
interface Ethernet0/1
duplex full
nameif XYZ_DMZ
security-level 50
ip address 172.1.1.1 255.255.255.248
interface Ethernet0/2
speed 100
duplex full
nameif outside
security-level 0
ip address 2.2.2.2 255.255.255.252
interface Ethernet0/3
speed 100
duplex full
nameif inside
security-level 100
ip address 3.3.3.3 255.255.255.224
interface Management0/0
shutdown
no nameif
no security-level
no ip address
boot system disk0:/asa844-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server xx.xx.xx.xx
name-server xx.xx.xx.xx
name-server xx.xx.xx.xx
name-server xx.xx.xx.xx
domain-name XYZ
object network obj-172.17.10.3
host 172.17.10.3
object network obj-10.1.134.0
subnet 10.1.134.0 255.255.255.0
object network obj-208.75.237.0
subnet 208.75.237.0 255.255.255.0
object network obj-10.7.0.0
subnet 10.7.0.0 255.255.0.0
object network obj-172.17.2.0
subnet 172.17.2.0 255.255.255.0
object network obj-172.17.3.0
subnet 172.17.3.0 255.255.255.0
object network obj-172.19.2.0
subnet 172.19.2.0 255.255.255.0
object network obj-172.19.3.0
subnet 172.19.3.0 255.255.255.0
object network obj-172.19.7.0
subnet 172.19.7.0 255.255.255.0
object network obj-10.1.0.0
subnet 10.1.0.0 255.255.0.0
object network obj-10.2.0.0
subnet 10.2.0.0 255.255.0.0
object network obj-10.3.0.0
subnet 10.3.0.0 255.255.0.0
object network obj-10.4.0.0
subnet 10.4.0.0 255.255.0.0
object network obj-10.6.0.0
subnet 10.6.0.0 255.255.0.0
object network obj-10.9.0.0
subnet 10.9.0.0 255.255.0.0
object network obj-10.11.0.0
subnet 10.11.0.0 255.255.0.0
object network obj-10.12.0.0
subnet 10.12.0.0 255.255.0.0
object network obj-172.19.1.0
subnet 172.19.1.0 255.255.255.0
object network obj-172.21.2.0
subnet 172.21.2.0 255.255.255.0
object network obj-172.16.2.0
subnet 172.16.2.0 255.255.255.0
object network obj-10.19.130.201
host 10.19.130.201
object network obj-172.30.2.0
subnet 172.30.2.0 255.255.255.0
object network obj-172.30.3.0
subnet 172.30.3.0 255.255.255.0
object network obj-172.30.7.0
subnet 172.30.7.0 255.255.255.0
object network obj-10.10.1.0
subnet 10.10.1.0 255.255.255.0
object network obj-10.19.130.0
subnet 10.19.130.0 255.255.255.0
object network obj-XXXXXXXX
host XXXXXXXX
object network obj-145.248.194.0
subnet 145.248.194.0 255.255.255.0
object network obj-10.1.134.100
host 10.1.134.100
object network obj-10.9.124.100
host 10.9.124.100
object network obj-10.1.134.101
host 10.1.134.101
object network obj-10.9.124.101
host 10.9.124.101
object network obj-10.1.134.102
host 10.1.134.102
object network obj-10.9.124.102
host 10.9.124.102
object network obj-115.111.99.133
host 115.111.99.133
object network obj-10.8.108.0
subnet 10.8.108.0 255.255.255.0
object network obj-115.111.99.129
host 115.111.99.129
object network obj-195.254.159.133
host 195.254.159.133
object network obj-195.254.158.136
host 195.254.158.136
object network obj-209.164.192.0
subnet 209.164.192.0 255.255.224.0
object network obj-209.164.208.19
host 209.164.208.19
object network obj-209.164.192.126
host 209.164.192.126
object network obj-10.8.100.128
subnet 10.8.100.128 255.255.255.128
object network obj-115.111.99.130
host 115.111.99.130
object network obj-10.10.0.0
subnet 10.10.0.0 255.255.0.0
object network obj-115.111.99.132
host 115.111.99.132
object network obj-10.10.1.45
host 10.10.1.45
object network obj-10.99.132.0
subnet 10.99.132.0 255.255.255.0
object-group network Serversubnet
network-object 10.10.1.0 255.255.255.0
network-object 10.10.5.0 255.255.255.192
object-group network XYZ_destinations
network-object 10.1.0.0 255.255.0.0
network-object 10.2.0.0 255.255.0.0
network-object 10.3.0.0 255.255.0.0
network-object 10.4.0.0 255.255.0.0
network-object 10.6.0.0 255.255.0.0
network-object 10.7.0.0 255.255.0.0
network-object 10.11.0.0 255.255.0.0
network-object 10.12.0.0 255.255.0.0
network-object 172.19.1.0 255.255.255.0
network-object 172.19.2.0 255.255.255.0
network-object 172.19.3.0 255.255.255.0
network-object 172.19.7.0 255.255.255.0
network-object 172.17.2.0 255.255.255.0
network-object 172.17.3.0 255.255.255.0
network-object 172.16.2.0 255.255.255.0
network-object 172.16.3.0 255.255.255.0
network-object host 10.50.2.206
object-group network XYZ_us_admin
network-object 10.3.1.245 255.255.255.255
network-object 10.5.33.7 255.255.255.255
network-object 10.211.5.7 255.255.255.255
network-object 10.3.33.7 255.255.255.255
network-object 10.211.3.7 255.255.255.255
object-group network XYZ_blr_networkdevices
network-object 10.200.10.0 255.255.255.0
access-list XYZ extended permit ip 10.19.130.0 255.255.255.0 145.248.194.0 255.255.255.0
access-list XYZ extended permit ip 10.19.130.0 255.255.255.0 host 172.16.2.21
access-list XYZ extended permit ip 10.19.130.0 255.255.255.0 host 172.16.2.22
access-list XYZ extended permit ip 10.19.130.0 255.255.255.0 host XXXXXXXX
access-list XYZ_PAT extended permit ip 10.19.130.0 255.255.255.0 any
access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 host 195.254.159.133
access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 host 195.254.158.136
access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 any
access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 209.164.192.0 255.255.224.0
access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 host 209.164.208.19
access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 host 209.164.192.126
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 208.75.237.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.7.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.17.2.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.17.3.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.19.2.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.19.3.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.19.7.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.3.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.4.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.6.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.9.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.11.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.12.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.19.1.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.21.2.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list nonat extended permit ip host 10.19.130.201 172.30.2.0 255.255.255.0
access-list nonat extended permit ip host 10.19.130.201 172.30.3.0 255.255.255.0
access-list nonat extended permit ip host 10.19.130.201 172.30.7.0 255.255.255.0
access-list nonat extended permit ip object-group Serversubnet object-group XYZ_destinations
access-list nonat extended permit ip 10.10.1.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list nonat extended permit ip 10.19.130.0 255.255.255.0 host XXXXXXXX
access-list nonat extended permit ip 10.19.130.0 255.255.255.0 145.248.194.0 255.255.255.0
access-list Guest_PAT extended permit ip 10.8.108.0 255.255.255.0 any
access-list Cacib extended permit ip 10.8.100.128 255.255.255.128 145.248.194.0 255.255.255.0
access-list Cacib_PAT extended permit ip 10.8.100.128 255.255.255.128 any
access-list New_Edge extended permit ip 10.1.134.0 255.255.255.0 208.75.237.0 255.255.255.0
access-list XYZ_global extended permit ip 10.7.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.7.0.0 255.255.0.0
access-list XYZ_global extended permit ip 172.17.2.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 172.17.3.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 172.19.2.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 172.19.3.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 172.19.7.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.2.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.3.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.4.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.6.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.9.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.11.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.12.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 172.19.1.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 172.21.2.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.17.2.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.17.3.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.19.2.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.19.3.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.19.7.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.3.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.4.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.6.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.9.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.11.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.12.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.19.1.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.21.2.0 255.255.255.0
access-list XYZ_global extended permit ip 172.16.2.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list XYZ_global extended permit ip 172.30.2.0 255.255.255.0 host 10.19.130.201
access-list XYZ_global extended permit ip host 10.19.130.201 172.30.2.0 255.255.255.0
access-list XYZ_global extended permit ip 172.30.3.0 255.255.255.0 host 10.19.130.201
access-list XYZ_global extended permit ip host 10.19.130.201 172.30.3.0 255.255.255.0
access-list XYZ_global extended permit ip 172.30.7.0 255.255.255.0 host 10.19.130.201
access-list XYZ_global extended permit ip host 10.19.130.201 172.30.7.0 255.255.255.0
access-list XYZ_global extended permit ip object-group Serversubnet object-group XYZ_destinations
access-list XYZ_global extended permit ip object-group XYZ_destinations object-group Serversubnet
access-list ML_VPN extended permit ip host 115.111.99.129 209.164.192.0 255.255.224.0
access-list ML_VPN extended permit ip host 115.111.99.129 host 209.164.208.19
access-list ML_VPN extended permit ip host 115.111.99.129 host 209.164.192.126
access-list Da_VPN extended permit ip host 10.9.124.100 host 10.125.81.88
access-list Da_VPN extended permit ip host 10.9.124.101 host 10.125.81.88
access-list Da_VPN extended permit ip host 10.9.124.102 host 10.125.81.88
access-list Da_VPN extended permit ip host 10.9.124.100 10.125.81.0 255.255.255.0
access-list Da_VPN extended permit ip host 10.9.124.101 10.125.81.0 255.255.255.0
access-list Da_VPN extended permit ip host 10.9.124.102 10.125.81.0 255.255.255.0
access-list Sr_PAT extended permit ip 10.10.0.0 255.255.0.0 any
access-list Da_Pd_VPN extended permit ip host 10.9.124.100 10.125.80.64 255.255.255.192
access-list Da_Pd_VPN extended permit ip host 10.9.124.100 10.125.64.0 255.255.240.0
access-list Da_Pd_VPN extended permit ip host 10.9.124.100 host 10.125.85.46
access-list Da_Pd_VPN extended permit ip host 10.9.124.100 host 10.125.86.46
access-list Da_Pd_VPN extended permit ip host 10.9.124.101 10.125.80.64 255.255.255.192
access-list Da_Pd_VPN extended permit ip host 10.9.124.101 10.125.64.0 255.255.240.0
access-list Da_Pd_VPN extended permit ip host 10.9.124.101 host 10.125.85.46
access-list Da_Pd_VPN extended permit ip host 10.9.124.101 host 10.125.86.46
access-list Da_Pd_VPN extended permit ip host 10.9.124.102 10.125.80.64 255.255.255.192
access-list Da_Pd_VPN extended permit ip host 10.9.124.102 10.125.64.0 255.255.240.0
access-list Da_Pd_VPN extended permit ip host 10.9.124.102 host 10.125.85.46
access-list Da_Pd_VPN extended permit ip host 10.9.124.102 host 10.125.86.46
access-list XYZ_reliance extended permit ip 10.19.130.0 255.255.255.0 145.248.194.0 255.255.255.0
access-list coextended permit ip host 2.2.2.2 host XXXXXXXX
access-list coextended permit ip host XXXXXXXXhost 2.2.2.2
access-list ci extended permit ip 10.1.134.0 255.255.255.0 208.75.237.0 255.255.255.0
access-list ci extended permit ip 208.75.237.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list acl-outside extended permit ip host 57.66.81.159 host 172.17.10.3
access-list acl-outside extended permit ip host 80.169.223.179 host 172.17.10.3
access-list acl-outside extended permit ip any host 172.17.10.3
access-list acl-outside extended permit tcp any host 10.10.1.45 eq https
access-list acl-outside extended permit tcp any any eq 10000
access-list acl-outside extended deny ip any any log
pager lines 10
logging enable
logging buffered debugging
mtu outside_rim 1500
mtu XYZ_DMZ 1500
mtu outside 1500
mtu inside 1500
ip local pool XYZ_c2s_vpn_pool 172.30.10.51-172.30.10.254
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-208.75.237.0 obj-208.75.237.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.7.0.0 obj-10.7.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.17.2.0 obj-172.17.2.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.17.3.0 obj-172.17.3.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.19.2.0 obj-172.19.2.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.19.3.0 obj-172.19.3.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.19.7.0 obj-172.19.7.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.1.0.0 obj-10.1.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.2.0.0 obj-10.2.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.3.0.0 obj-10.3.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.4.0.0 obj-10.4.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.6.0.0 obj-10.6.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.9.0.0 obj-10.9.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.11.0.0 obj-10.11.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.12.0.0 obj-10.12.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.19.1.0 obj-172.19.1.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.21.2.0 obj-172.21.2.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.16.2.0 obj-172.16.2.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.19.130.201 obj-10.19.130.201 destination static obj-172.30.2.0 obj-172.30.2.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.19.130.201 obj-10.19.130.201 destination static obj-172.30.3.0 obj-172.30.3.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.19.130.201 obj-10.19.130.201 destination static obj-172.30.7.0 obj-172.30.7.0 no-proxy-arp route-lookup
nat (inside,any) source static Serversubnet Serversubnet destination static XYZ_destinations XYZ_destinations no-proxy-arp route-lookup
nat (inside,any) source static obj-10.10.1.0 obj-10.10.1.0 destination static obj-10.2.0.0 obj-10.2.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.19.130.0 obj-10.19.130.0 destination static obj-XXXXXXXX obj-XXXXXXXX no-proxy-arp route-lookup
nat (inside,any) source static obj-10.19.130.0 obj-10.19.130.0 destination static obj-145.248.194.0 obj-145.248.194.0 no-proxy-arp route-lookup
nat (inside,outside) source static obj-10.1.134.100 obj-10.9.124.100
nat (inside,outside) source static obj-10.1.134.101 obj-10.9.124.101
nat (inside,outside) source static obj-10.1.134.102 obj-10.9.124.102
nat (inside,outside) source dynamic obj-10.8.108.0 interface
nat (inside,outside) source dynamic obj-10.19.130.0 obj-115.111.99.129
nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-195.254.159.133 obj-195.254.159.133
nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-195.254.158.136 obj-195.254.158.136
nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129
nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-209.164.192.0 obj-209.164.192.0
nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-209.164.208.19 obj-209.164.208.19
nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-209.164.192.126 obj-209.164.192.126
nat (inside,outside) source dynamic obj-10.8.100.128 obj-115.111.99.130
nat (inside,outside) source dynamic obj-10.10.0.0 obj-115.111.99.132
nat (inside,outside) source static obj-10.10.1.45 obj-115.111.99.133
nat (inside,outside) source dynamic obj-10.99.132.0 obj-115.111.99.129
object network obj-172.17.10.3
nat (XYZ_DMZ,outside) static 115.111.99.134
access-group acl-outside in interface outside
route outside 0.0.0.0 0.0.0.0 115.111.23.129 1
route outside 0.0.0.0 0.0.0.0 115.254.127.130 10
route inside 10.10.0.0 255.255.0.0 10.8.100.1 1
route inside 10.10.1.0 255.255.255.0 10.8.100.1 1
route inside 10.10.5.0 255.255.255.192 10.8.100.1 1
route inside 10.8.100.128 255.255.255.128 10.8.100.1 1
route inside 10.8.108.0 255.255.255.0 10.8.100.1 1
route inside 10.19.130.0 255.255.255.0 10.8.100.1 1
route inside 10.99.4.0 255.255.255.0 10.99.130.254 1
route inside 10.99.132.0 255.255.255.0 10.8.100.1 1
route inside 10.1.134.0 255.255.255.0 10.8.100.1 1
route outside 208.75.237.0 255.255.255.0 115.111.23.129 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set vpn2 esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set vpn6 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set vpn5 esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set vpn7 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set vpn4 esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set vpn1 esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set vpn_reliance esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set c2s_vpn esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto dynamic-map dyn1 1 set ikev1 transform-set c2s_vpn
crypto dynamic-map dyn1 1 set reverse-route
crypto map vpn 1 match address XYZ
crypto map vpn 1 set peer XYZ Peer IP
crypto map vpn 1 set ikev1 transform-set vpn1
crypto map vpn 1 set security-association lifetime seconds 3600
crypto map vpn 1 set security-association lifetime kilobytes 4608000
crypto map vpn 2 match address NE
crypto map vpn 2 set peer NE_Peer IP
crypto map vpn 2 set ikev1 transform-set vpn2
crypto map vpn 2 set security-association lifetime seconds 3600
crypto map vpn 2 set security-association lifetime kilobytes 4608000
crypto map vpn 4 match address ML_VPN
crypto map vpn 4 set pfs
crypto map vpn 4 set peer ML_Peer IP
crypto map vpn 4 set ikev1 transform-set vpn4
crypto map vpn 4 set security-association lifetime seconds 3600
crypto map vpn 4 set security-association lifetime kilobytes 4608000
crypto map vpn 5 match address XYZ_global
crypto map vpn 5 set peer XYZ_globa_Peer IP
crypto map vpn 5 set ikev1 transform-set vpn5
crypto map vpn 5 set security-association lifetime seconds 3600
crypto map vpn 5 set security-association lifetime kilobytes 4608000
crypto map vpn 6 match address Da_VPN
crypto map vpn 6 set peer Da_VPN_Peer IP
crypto map vpn 6 set ikev1 transform-set vpn6
crypto map vpn 6 set security-association lifetime seconds 3600
crypto map vpn 6 set security-association lifetime kilobytes 4608000
crypto map vpn 7 match address Da_Pd_VPN
crypto map vpn 7 set peer Da_Pd_VPN_Peer IP
crypto map vpn 7 set ikev1 transform-set vpn6
crypto map vpn 7 set security-association lifetime seconds 3600
crypto map vpn 7 set security-association lifetime kilobytes 4608000
crypto map vpn interface outside
crypto map vpn_reliance 1 match address XYZ_rim
crypto map vpn_reliance 1 set peer XYZ_rim_Peer IP
crypto map vpn_reliance 1 set ikev1 transform-set vpn_reliance
crypto map vpn_reliance 1 set security-association lifetime seconds 3600
crypto map vpn_reliance 1 set security-association lifetime kilobytes 4608000
crypto map vpn_reliance interface outside_rim
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto isakmp identity address
no crypto isakmp nat-traversal
crypto ikev1 enable outside_rim
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 28800
crypto ikev1 policy 2
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto ikev1 policy 4
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 28000
crypto ikev1 policy 5
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.8.100.0 255.255.255.224 inside
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy XYZ_c2s_vpn internal
username testadmin password oFJjANE3QKoA206w encrypted
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group XXXXXXXXtype ipsec-l2l
tunnel-group XXXXXXXXipsec-attributes
ikev1 pre-shared-key *****
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group XYZ_c2s_vpn type remote-access
tunnel-group XYZ_c2s_vpn general-attributes
address-pool XYZ_c2s_vpn_pool
tunnel-group XYZ_c2s_vpn ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect ip-options
service-policy global_policy global
privilege show level 3 mode exec command running-config
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command crypto
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:caa7476cd348ed89b95d37d4e3c9e1d8
: end
XYZ#Thanks Javier.
But i have revised the VPN confuration. Below are the latest configs. with this latest configs. I'm getting username & password screen while connecting cisco vpn client software. once we entered the login credential. it shows "security communication channel" then it goes to "not connected" state. Can you help me to fix this.
access-list ACL-RA-SPLIT standard permit host 10.10.1.3
access-list ACL-RA-SPLIT standard permit host 10.10.1.13
access-list ACL-RA-SPLIT standard permit host 10.91.130.201
access-list nonat line 1 extended permit ip host 10.10.1.3 172.30.10.0 255.255.255.0
access-list nonat line 2 extended permit ip host 10.10.1.13 172.30.10.0 255.255.255.0
access-list nonat line 3 extended permit ip host 10.91.130.201 172.30.10.0 255.255.255.0
ip local pool CO-C2S-VPOOL 172.30.10.51-172.30.10.254 mask 255.255.255.0
group-policy CO-C2S internal
group-policy CO-C2S attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list vlauel ACL-RA-SPLIT
dns-server value 10.10.1.3
tunnel-group TUN-RA-SPLIT type remote-access
tunnel-group TUN-RA-SPLIT general-attributes
default-group-policy CO-C2S
address-pool CO-C2S-VPOOL
tunnel-group TUN-RA-SPLIT ipsec-attributes
pre-shared-key sekretk3y
username ra-user1 password passw0rd1 priv 1
group-policy CO-C2S internal
group-policy CO-C2S attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list vlauel ACL-RA-SPLIT
dns-server value 10.10.1.3
tunnel-group TUN-RA-SPLIT type remote-access
tunnel-group TUN-RA-SPLIT general-attributes
default-group-policy CO-C2S
address-pool CO-C2S-VPOOL
tunnel-group TUN-RA-SPLIT ipsec-attributes
pre-shared-key *********
username ******* password ******** priv 1
crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set 3DES
crypto map Outside_Map 500 ipsec-isakmp dynamic dynmap
crypto isakmp identify address
crypto isakmp enable outside
crypto isakmp policy 100
authentication pre-share
encr 3des
hash sha
crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set 3DES
crypto map Outside_Map 500 ipsec-isakmp dynamic dynmap
crypto map vpn interface outside
crypto isakmp identify address
crypto isakmp enable outside
crypto isakmp policy 100
authentication pre-share
encr 3des
hash sha
group 1
lifetime 3600 -
Hi there, i got an issue with vpn and cisco rv100w, router is configured well and computers and iphone can connect with PPTP. Problem became when we map NAS drive from computer or we move data (1-4 Mb). Seems connection go down, speed is so slowly and drop the connection.
Is it from router? or from Internet provider?
More data, If I connect to http of router/NAS .. all go fine, only when we need data from NAS (map drive by windows) copy, open files, ..., connection is so slowly and drop connection.
I saw in the logs of the router
1
2012-12-21 5:33:38 PM
err
pptpd[2280]: CTRL: CTRL read failed
2
2012-12-21 5:33:38 PM
err
pptpd[2280]: CTRL: couldn't read packet header (exit)
3
2012-12-21 5:33:38 PM
err
pptpd[2280]: CTRL: EOF or bad error reading ctrl packet length.
4
2012-12-21 5:29:07 PM
err
pptpd[2019]: CTRL: CTRL read failed
5
2012-12-21 5:29:07 PM
err
pptpd[2019]: CTRL: couldn't read packet header (exit)
6
2012-12-21 5:29:07 PM
err
pptpd[2019]: CTRL: EOF or bad error reading ctrl packet length.
7
2012-12-21 5:24:43 PM
err
pptpd[1643]: CTRL: CTRL read failed
8
2012-12-21 5:24:43 PM
err
pptpd[1643]: CTRL: couldn't read packet header (exit)
9
2012-12-21 5:24:43 PM
err
pptpd[1643]: CTRL: EOF or bad error reading ctrl packet length.
10
2012-12-21 5:24:22 PM
err
pptpd[1331]: CTRL: CTRL read failed
11
2012-12-21 5:24:22 PM
err
pptpd[1331]: CTRL: couldn't read packet header (exit)
12
2012-12-21 5:24:22 PM
err
pptpd[1331]: CTRL: EOF or bad error reading ctrl packet length.
13
2012-12-21 5:17:56 PM
err
pptpd[1031]: CTRL: CTRL read failed
14
2012-12-21 5:17:56 PM
err
pptpd[1031]: CTRL: couldn't read packet header (exit)
15
2012-12-21 5:17:56 PM
err
pptpd[1031]: CTRL: EOF or bad error reading ctrl packet length.
16
2012-12-21 12:49:51 AM
err
mDNSResponder: ERROR: getOptRdata - unknown opt 4
17
2012-12-21 12:49:35 AM
err
mDNSResponder: ERROR: getOptRdata - unknown opt 4
18
2012-12-21 12:49:27 AM
err
mDNSResponder: ERROR: getOptRdata - unknown opt 4
19
2012-12-21 12:49:23 AM
err
mDNSResponder: ERROR: getOptRdata - unknown opt 4
20
2012-12-21 12:49:21 AM
err
mDNSResponder: ERROR: getOptRdata - unknown opt 4
21
2012-12-21 12:49:20 AM
err
mDNSResponder: ERROR: getOptRdata - unknown opt 4
22
2012-12-21 12:44:50 AM
err
mDNSResponder: ERROR: getOptRdata - unknown opt 4Good morning
Thanks for using our forum
Hi Edu, make sure to be on the latest firmware, the latest release is 1.1.0.9, you can download it in cisco.com
http://software.cisco.com/download/release.html?mdfid=283879340&softwareid=282487380&release=1.1.0.9&relind=AVAILABLE&rellifecycle=&reltype=latest
Happy holidays !!!!
Johnnatan Rodriguez Miranda.
Cisco network support engineer. -
Port Forwarding Cisco firewall
Hi,
In Cisco Firewall 2900 seires
trying to use port forwarding
but not communication please help me.
Reg
Manoj.: Saved
: Written by enable_15 at 23:01:39.772 UTC Thu Jan 30 2014
name 10.10.70.X.40 FinalPdf
name 201.256.x.x Youfinalip
interface Ethernet0/0
nameif YOUB
security-level 0
ip address 201.256.x.x.254.82 255.255.255.248
interface Ethernet0/2
nameif inside
security-level 100
ip address 10.10.70.X.1 255.255.255.0
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service ftp tcp
port-object eq ftp
port-object eq ftp-data
port-object eq 14147
object-group service any tcp-udp
port-object range 1 65535
object-group service DM_INLINE_TCP_1 tcp
group-object ftp
port-object eq ftp-data
access-list EXEMPT extended permit ip 10.10.70.X.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list EXEMPT extended permit ip 10.10.70.X.0 255.255.255.0 10.70.0.0 255.255.0.0
access-list EXEMPT extended permit ip 10.10.70.X.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list inside_access_in extended deny object-group TCPUDP any any eq domain
access-list inside_access_in extended permit ip any any
access-list YOUB_mpc extended permit ip any any
access-list YOUB_access_in extended permit object-group TCPUDP any interface YOUB inactive
access-list YOUB_access_in extended permit tcp any host Youfinalip object-group ftp
pager lines 24
logging enable
logging emblem
logging asdm-buffer-size 512
logging buffered debugging
logging trap debugging
logging history debugging
logging asdm debugging
logging device-id hostname
logging debug-trace
logging ftp-bufferwrap
logging ftp-server 10.10.70.X.251 firwall/ firwall firwall
logging class auth trap emergencies asdm emergencies
mtu YOUB 1500
mtu SIFY 1500
mtu inside 1500
mtu WAN 1500
mtu management 1500
ip verify reverse-path interface YOUB
ip verify reverse-path interface inside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
asdm location Testpdf 255.255.255.255 inside
asdm history enable
arp timeout 14400
global (YOUB) 1 interface
global (SIFY) 1 interface
nat (inside) 0 access-list EXEMPT
nat (inside) 1 10.10.70.X.0 255.255.255.0 dns
static (inside,YOUB) tcp Youfinalip ftp Testpdf ftp netmask 255.255.255.255
access-group YOUB_access_in in interface YOUB
access-group inside_access_in in interface inside
route YOUB 0.0.0.0 0.0.0.0 201.256.x.x.254.81 1 track 1
route inside 0.0.0.0 0.0.0.0 10.10.70.X.1 10
route WAN 10.60.0.0 255.255.255.0 10.70.100.38 1
route WAN 192.168.8.0 255.255.255.0 10.70.100.38 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 100
type echo protocol ipIcmpEcho 4.2.2.2 interface YOUB
num-packets 3
frequency 10
sla monitor schedule 100 life forever start-time now
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
track 1 rtr 100 reachability
telnet timeout 5
ssh scopy enable
ssh 10.10.70.X.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted
class-map YOUB-class
match access-list YOUB_mpc
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
description ftp
class inspection_default
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect ftp
class class-default
ips inline fail-open
policy-map YOUB-policy
class YOUB-class
ips inline fail-open sensor vs0
service-policy global_policy global
service-policy YOUB-policy interface YOUB
smtp-server 10.10.70.X.18
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:aace81256bc60bc50469f80cb0c4641a
: end -
Hi All,
I need help on Configuring the Site to Site VPN from Cisco 2811 to Websense Cloud for web Traffic redirect
2811 having C2800NM-ADVIPSERVICESK9-M
2811 router connects to the Internet SW then connects to the Internet router.
Note- For Authentication am using the Device ID & Pre share key. I am worried as all user traffic goes with PAT and not firing up my tunnel for port 80 traffic. Can you please suggest what can be the issue ?
Below is router config for VPN & NAT
crypto keyring ISR_Keyring
pre-shared-key hostname vpn.websense.net key 2c22524d554556442d222d565f545246
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 10
crypto isakmp profile isa-profile
keyring ISR_Keyring
self-identity user-fqdn [email protected]
match identity user vpn-proxy.websense.net
crypto ipsec transform-set ESP-NULL-SHA esp-null esp-sha-hmac
crypto map GUEST_WEB_FILTER 10 ipsec-isakmp
set peer vpn.websense.net dynamic
set transform-set ESP-NULL-SHA
set isakmp-profile isa-profile
match address 101
interface FastEthernet0/1
description connected to Internet
ip address 216.222.208.101 255.255.255.128
ip access-group HVAC_Public in
ip nat outside
ip virtual-reassembly
duplex full
speed 100
no cdp enable
crypto map GUEST_WEB_FILTER
access-list 101 permit tcp 192.168.8.0 0.0.3.255 any eq www
access-list 103 deny ip 192.168.8.0 0.0.3.255 host 85.115.41.187 log
access-list 103 deny ip 192.168.8.0 0.0.3.255 host 85.115.41.181 log
access-list 103 deny ip 192.168.8.0 0.0.3.255 host 85.115.41.182 log
access-list 103 deny ip 192.168.8.0 0.0.3.255 86.111.216.0 0.0.1.255
access-list 103 deny ip 192.168.8.0 0.0.3.255 116.50.56.0 0.0.7.255
access-list 103 deny ip 192.168.8.0 0.0.3.255 86.111.220.0 0.0.3.255
access-list 103 deny ip 192.168.8.0 0.0.3.255 103.1.196.0 0.0.3.255
access-list 103 deny ip 192.168.8.0 0.0.3.255 177.39.96.0 0.0.3.255
access-list 103 deny ip 192.168.8.0 0.0.3.255 196.216.238.0 0.0.1.255
access-list 103 permit ip 192.168.8.0 0.0.3.255 any
ip nat pool mypool 216.222.208.101 216.222.208.101 netmask 255.255.255.128
ip nat inside source list 103 interface FastEthernet0/1 overload
ip nat inside source route-map nonat pool mypool overloadHow does Websense expect your source IPs in the tunnel? 192.168.8.0 0.0.3.255 or PAT'ed 216.222.208.101 ?
Check
show crypto isakmp sa
show crypto ipsec sa
show crypto session
You'd better remove the preshared key from your post. -
ion successfully installed. now unable to get on vpn using cisco, error 51 constantly appears. should have stayed on snow leopard!
Try opening a terminal window (Applications >> Utilities). At the prompt, enter:
>sudo SystemStarter restart CiscoVPN
This will ask you for the admin password and it will restart the Cisco client service. That should fix it. This seems to be a known issue that will eventually be solved with some updates.
DB
Maybe you are looking for
-
Hi All, Glad to post regarding Freezing panes in OBIEE 11g. Since this has got most hits in the search. I searched a quite few websites like replies from BI Joe and few others. But couldnt resolve this. Would be great help for all those who are looki
-
Problem in Save the Billing Document
Hi, We have a problem while saving the Billing Document i.e. Document 83034087 saved (error in account determination) Message no. VF051 when we saw it;s Revenue accounts, found there - Condition type............Message.................Description ZM0
-
Updated to 10.4.9 and now weather widget doesn't work-what to do?
Hello- Just updated to 10.4.9 tonight and for the first time since I bought this computer in August, the weather widget doesn't work. Would anyone happen to know what I could do to get this to work. I am connected to the internet, I can access the ac
-
Time Machine restore of File Vault encrypted user failed: Login failed due to an error.
Hello everyone, I did regular time machine backups of a File Vault (version one) encrypted user folder. Now I needed to restore a few files that have been deleted unintentionally. Since single files can't be restored from a File Vault encrypted backu
-
IOS7 bug: can't copy text when language isn't English
I can't copy copy text from SMS messages or from Chrome (+other apps). When I press and hold on the screen, the app crashes after 1-2 seconds. My iPhone language is Hebrew. When setting the language to English, it doesn't crash and works fine. I have