IPSec VPN with VTI behind DSL router
Hi All,
Is it possible to use a vti tunnel interface on a router when the outside interface has a private IP address connected to a DSL modem with a static public IP address, in other words the router sits behind the DSL modem?
Router gi0/1 --> DSL Modem --> Internet --> to HQ (Firewall with static IP)
Outside 192.168.1.2 WAN static public IP
LAN 192.168.1.1
Interface config:
interface GigabitEthernet0/1
ip vrf forwarding Internet-VRF
ip address 192.168.1.2 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
end
Tunnel config:
crypto isakmp policy 282
encr aes 256
authentication pre-share
group 2
lifetime 28800
hash sha
crypto isakmp key 0 PSK address xxx.xxx.xxx.xxx
crypto ipsec transform-set aes256-sha esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec profile VPN
set transform-set aes256-sha
set pfs group2
interface Tunnel1
ip vrf forwarding Internet-VRF
ip address 172.27.82.254 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
tunnel source Gi0/1
tunnel mode ipsec ipv4
tunnel destination xxx.xxx.xxx.xxx
tunnel protection ipsec profile VPN
I have been digging into Cisco documentation but have found no answer.
Thanks in advance.
Both the remote and hub router will detect the existence of a NAT device in between, which causes both routers to switch from UDP port 500 to UDP port 4500 to exchange IKE messages. I suspect there is no switchover taking place from your log (both using UDP 500), so I suggest you validate whether both routers support the NAT-T feature by checking if they are listening on UDP port 4500.
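The NAT detection described in the reply works through the IKEv1 NAT-D payloads of RFC 3947: each side hashes the IKE cookies together with the addresses and ports it believes it is sending to and from, and a receiver that cannot reproduce those hashes from what actually arrived knows a translator sits on the path. The following Python script is an added illustration, not code from the thread or from Cisco. It computes the NAT-D values for the topology in the question and shows why the hub concludes the spoke is behind a NAT and moves to UDP 4500. The public addresses 203.0.113.10 and 198.51.100.1 and the IKE cookies are constructed placeholders for the masked values; only 192.168.1.2 comes from the post, and SHA-1 is used because the posted policy negotiates "hash sha".

```python
"""IKEv1 NAT traversal discovery (RFC 3947 NAT-D payloads), added illustration.

Constructed example, not code from the original thread. Addresses and IKE
cookies are made up; only 192.168.1.2 (the router's Gi0/1) comes from the post.
"""
import hashlib
import ipaddress
import struct

# Constructed values standing in for the masked addresses in the thread.
SPOKE_PRIVATE = "192.168.1.2"   # router Gi0/1, from the post
DSL_PUBLIC = "203.0.113.10"     # placeholder: the modem's static public IP
HUB_PUBLIC = "198.51.100.1"     # placeholder: the hub's xxx.xxx.xxx.xxx
CKY_I = bytes.fromhex("0011223344556677")  # made-up initiator cookie
CKY_R = bytes.fromhex("8899aabbccddeeff")  # made-up responder cookie


def nat_d(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port), RFC 3947 section 3.2.
    SHA-1 is used here because the policy in the post negotiates 'hash sha'."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def build_nat_d_payloads(cky_i, cky_r, dst_ip, dst_port, local_ips, local_port):
    """Sender side: the first payload hashes the address being sent TO, the rest
    hash every address the sender believes it is sending FROM."""
    payloads = [nat_d(cky_i, cky_r, dst_ip, dst_port)]
    payloads += [nat_d(cky_i, cky_r, ip, local_port) for ip in local_ips]
    return payloads


def receiver_detect(cky_i, cky_r, my_ips, my_port, pkt_src_ip, pkt_src_port, payloads):
    """Receiver side. Returns (i_am_behind_nat, peer_is_behind_nat).

    If none of my own addresses reproduces the first hash, my address was
    rewritten on the way in. If the UDP source the packet actually arrived
    from reproduces none of the remaining hashes, the peer's was rewritten."""
    first, rest = payloads[0], payloads[1:]
    i_am_behind_nat = all(nat_d(cky_i, cky_r, ip, my_port) != first for ip in my_ips)
    peer_is_behind_nat = nat_d(cky_i, cky_r, pkt_src_ip, pkt_src_port) not in rest
    return i_am_behind_nat, peer_is_behind_nat


def ike_port_after_detection(i_am_behind_nat: bool, peer_is_behind_nat: bool) -> int:
    """Either side seeing a NAT moves IKE (and UDP-encapsulated ESP) to 4500."""
    return 4500 if (i_am_behind_nat or peer_is_behind_nat) else 500


def hub_view_spoke_behind_dsl():
    """The thread's topology: the spoke sends from 192.168.1.2 and the modem
    rewrites the source to its public address (port kept at 500 for simplicity)."""
    payloads = build_nat_d_payloads(CKY_I, CKY_R, HUB_PUBLIC, 500, [SPOKE_PRIVATE], 500)
    return receiver_detect(CKY_I, CKY_R, [HUB_PUBLIC], 500, DSL_PUBLIC, 500, payloads)


def hub_view_no_nat():
    """Control case: the spoke's outside interface holds the public address itself."""
    payloads = build_nat_d_payloads(CKY_I, CKY_R, HUB_PUBLIC, 500, [DSL_PUBLIC], 500)
    return receiver_detect(CKY_I, CKY_R, [HUB_PUBLIC], 500, DSL_PUBLIC, 500, payloads)


if __name__ == "__main__":
    for name, fn in (("spoke behind DSL modem", hub_view_spoke_behind_dsl),
                     ("no NAT on path", hub_view_no_nat)):
        me, peer = fn()
        print(f"{name}: hub behind NAT={me}, spoke behind NAT={peer}, "
              f"IKE on UDP {ike_port_after_detection(me, peer)}")
```

The computation is internal to the peers, so the observable sign on the router is simply which port the IKE exchange ends up on. A tunnel that stays on UDP 500 in this topology means either the NAT-D payloads are not being exchanged (NAT-T unsupported or disabled on one side, which is what the reply suggests checking) or the modem is not passing UDP 4500 back to the router.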
Similar Messages
-
QuickVPN - RV110W behind DSL Router
Hi all,
I have a Cisco RV110W behind an Actiontek V1000H DSL router supplied by my ISP.
I'd like to be able to make use of the Cisco QuickVPN client. According to my ISP placing the Actiontek into bridge mode cannot be done.
On the Actiontek I have forwarded the following ports to my RV110W's address:
60443/tcp
4500/udp
500/udp
On the RV110W I have ensured that remote management is enabled (on port 60443).
When attempting to connect with the client (using port 60443) - I get this far:
2012/01/30 11:16:21 [STATUS]OS Version: Windows 7
2012/01/30 11:16:21 [STATUS]Windows Firewall Domain Profile Settings: ON
2012/01/30 11:16:21 [STATUS]Windows Firewall Private Profile Settings: ON
2012/01/30 11:16:21 [STATUS]Windows Firewall Private Profile Settings: ON
2012/01/30 11:16:21 [STATUS]One network interface detected with IP address 192.168.245.164
2012/01/30 11:16:21 [STATUS]Connecting...
2012/01/30 11:16:22 [DEBUG]Input VPN Server Address = xx.xx.xx.xx
2012/01/30 11:16:22 [STATUS]Connecting to remote gateway with IP address: xx.xx.xx.xx
2012/01/30 11:16:22 [WARNING]Server's certificate doesn't exist on your local computer.
2012/01/30 11:16:23 [WARNING]Remote gateway wasn't reached...
2012/01/30 11:16:23 [WARNING]Failed to connect.
2012/01/30 11:16:23 [WARNING]Failed to connect!
Any suggestions? Is this configuration even possible?
Thanks!
Hi, Rudi & Craig
I just tested another different way, the way Craig's book did: I set
the Master's IP to the DSL router's inside IP, which is the same as the "PUBLIC" network card's
IP address (10.0.0.101), when setting the MASTER's configuration in
iManager, and it is still working fine. Then it would be best if the ISP
changed my static public IP.
BTW, Craig, when you have a chance, can you mention this on your web site or
in your book (when you have a new version of the book): BM38SP5 has a bug, the
vpn.jar cannot set up a Non-BM VPN Slave (I used a Linksys router for the Slave
server). I called a Novell support engineer; he said Novell knew about this error, and
I have to use the vpn.jar from BM38SP4_IR5 to set up the Non-BM VPN Slave.
But there is another problem: the vpn.jar from BM38SP4_IR5 cannot set up the
MASTER VPN server. The only way to do the job is to install BM38SP5, set up the
MASTER VPN server, set up the C2S VPN, then copy in the vpn.jar from
BM38SP4_IR5 to set up the Non-BM VPN Slave. I hope you can understand my
poor English.
James
> Rudolf Thilo wrote:
> Hello James.
>> In Craig's book, there is a sample
>> for VPN Slave Server behind DSL router.
>> But I don't know I can setup Master VPN
>> server behind DSL router or not.
> It works, starting with BM3.8. IIRC Craig has an example
> in his book? You will need to specify the DSL router's
> (static!!) public IP address as the MASTER's public IP
> when setting up the MASTER's configuration.
> Regards, Rudi. -
RA VPN into ASA5505 behind C871 Router with one public IP address
Hello,
I have a network like below for testing remote access VPN to ASA5505 behind C871 router with one public IP address.
PC1 (with VPN client)----Internet-----Modem----C871------ASA5505------PC2
The public IP address is assigned to the outside interface of the C871. The C871 forwards incoming UDP 500, UDP 4500 and ESP traffic to the outside interface of the ASA, which has a private IP address. PC1 can establish a secure tunnel to the ASA. However, it is not able to ping or access PC2. PC2 is also not able to ping PC1. PC1 encrypts packets to PC2, but the ASA does not encrypt packets to PC1. Maybe a NAT problem? I understand that removing the C871 and just using the ASA makes the VPN much simpler and easier, but I would like to understand why it is not working with the current setup and learn how to troubleshoot and fix it. Here's the running config for the C871 and ASA. Thanks in advance for your help!
C871:
version 15.0
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
hostname router
boot-start-marker
boot-end-marker
enable password 7 xxxx
aaa new-model
aaa session-id common
clock timezone UTC -8
clock summer-time PDT recurring
dot11 syslog
ip source-route
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.2.2
ip dhcp pool dhcp-vlan2
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
ip cef
ip domain name xxxx.local
no ipv6 cef
multilink bundle-name authenticated
password encryption aes
username xxxx password 7 xxxx
ip ssh version 2
interface FastEthernet0
switchport mode trunk
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
description WAN Interface
ip address 1.1.1.2 255.255.255.252
ip access-group wna-in in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
interface Vlan1
no ip address
interface Vlan2
description LAN-192.168.2
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
interface Vlan10
description router-asa
ip address 10.10.10.1 255.255.255.252
ip nat inside
ip virtual-reassembly
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat inside source list nat-pat interface FastEthernet4 overload
ip nat inside source static 10.10.10.1 interface FastEthernet4
ip nat inside source static udp 10.10.10.2 500 interface FastEthernet4 500
ip nat inside source static udp 10.10.10.2 4500 interface FastEthernet4 4500
ip nat inside source static esp 10.10.10.2 interface FastEthernet4
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 10.10.10.0 255.255.255.252 10.10.10.2
ip route 192.168.2.0 255.255.255.0 10.10.10.2
ip access-list standard ssh
permit 0.0.0.0 255.255.255.0 log
permit any log
ip access-list extended nat-pat
deny ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended wan-in
deny ip 192.168.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.255.0.0 0.0.255.255 any
deny ip 255.0.0.0 0.255.255.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip host 0.0.0.0 any
deny icmp any any fragments log
permit tcp any any established
permit icmp any any net-unreachable
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit esp any any
permit icmp any any host-unreachable
permit icmp any any port-unreachable
permit icmp any any packet-too-big
permit icmp any any administratively-prohibited
permit icmp any any source-quench
permit icmp any any ttl-exceeded
permit icmp any any echo-reply
deny ip any any log
control-plane
line con 0
exec-timeout 0 0
logging synchronous
no modem enable
line aux 0
line vty 0 4
access-class ssh in
exec-timeout 5 0
logging synchronous
transport input ssh
scheduler max-task-time 5000
end
ASA:
ASA Version 9.1(2)
hostname asa
domain-name xxxx.local
enable password xxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd xxxx encrypted
names
ip local pool vpn-pool 192.168.100.10-192.168.100.35 mask 255.255.255.0
interface Ethernet0/0
switchport trunk allowed vlan 2,10
switchport mode trunk
interface Ethernet0/1
switchport access vlan 2
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan2
nameif inside
security-level 100
ip address 192.168.2.2 255.255.255.0
interface Vlan10
nameif outside
security-level 0
ip address 10.10.10.2 255.255.255.252
ftp mode passive
clock timezone UTC -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name xxxx.local
object network vlan2-mapped
subnet 192.168.2.0 255.255.255.0
object network vlan2-real
subnet 192.168.2.0 255.255.255.0
object network vpn-192.168.100.0
subnet 192.168.100.0 255.255.255.224
object network lan-192.168.2.0
subnet 192.168.2.0 255.255.255.0
access-list no-nat-in extended permit ip 192.168.2.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list vpn-split extended permit ip 192.168.2.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static lan-192.168.2.0 lan-192.168.2.0 destination static vpn-192.168.100.0 vpn-192.168.100.0 no-proxy-arp route-lookup
object network vlan2-real
nat (inside,outside) static vlan2-mapped
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
http 10.10.10.1 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.2.0 255.255.255.0 inside
ssh 10.10.10.1 255.255.255.255 outside
ssh timeout 20
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy vpn internal
group-policy vpn attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn-split
default-domain value xxxx.local
username xxxx password xxxx encrypted privilege 15
tunnel-group vpn type remote-access
tunnel-group vpn general-attributes
address-pool vpn-pool
default-group-policy vpn
tunnel-group vpn ipsec-attributes
ikev1 pre-shared-key xxxx
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:40c05c90210242a42b7dbfe9bda79ce2
: end
Hi,
I think that you want to control all outbound traffic from the LAN to the outside through the ASA.
I suggest some modifications as shown below.
C871:
interface Vlan2
description LAN-192.168.2
ip address 192.168.2.2 255.255.255.0
no ip nat inside
no ip proxy-arp
ip virtual-reassembly
ip access-list extended nat-pat
no deny ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
no permit ip 192.168.2.0 0.0.0.255 any
deny ip 192.168.2.0 0.0.0.255 any
permit ip 10.10.10.0 0.0.0.255 any
ASA 5505:
interface Vlan2
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
Try them out and respond.
Best regards,
MB -
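The C871 post above depends on three forwards from the router's public interface to the ASA (UDP 500 for ISAKMP, UDP 4500 for NAT-T and protocol 50 for ESP), and the QuickVPN posts forward the same set on their DSL routers. The following Python script is an added example, not code from the thread: it parses IOS "ip nat inside source static" lines and reports which of those three services are not forwarded unchanged to a given inside host, treating a full one-to-one static as covering everything. The first sample config reuses the C871 NAT lines from the post; the second is constructed, with NAT-T remapped to a different port and ESP absent, which is the kind of gap that lets IKE phase 1 complete and then breaks traffic.

```python
"""Check that an IOS NAT router in front of a VPN endpoint forwards everything
IPsec needs: UDP/500 (ISAKMP), UDP/4500 (NAT-T) and protocol 50 (ESP).

Added illustration, not code from the thread. The first sample config reuses
the C871 lines from the post; the second is constructed with two forwards broken.
"""
import re

# IPsec needs these three reaching the VPN endpoint on their well-known ports.
REQUIRED = [("udp", 500), ("udp", 4500), ("esp", None)]

# ip nat inside source static udp 10.10.10.2 500 interface FastEthernet4 500
PORT_FWD = re.compile(
    r"^ip nat inside source static (tcp|udp) (\d+\.\d+\.\d+\.\d+) (\d+) interface (\S+) (\d+)$")
# ip nat inside source static esp 10.10.10.2 interface FastEthernet4
# ip nat inside source static 10.10.10.2 interface FastEthernet4   (all protocols)
PROTO_FWD = re.compile(
    r"^ip nat inside source static(?: (esp|ahp))? (\d+\.\d+\.\d+\.\d+) interface (\S+)$")


def forwarded_services(config: str, wan_if: str) -> dict:
    """Map inside host -> set of services the WAN interface forwards to it.
    A service is (proto, port); ("any", None) means a full one-to-one static."""
    result = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = PORT_FWD.match(line)
        if m:
            proto, host, in_port, iface, out_port = m.groups()
            # IKE peers talk to the well-known ports; a remapped port is no use here.
            if iface == wan_if and in_port == out_port:
                result.setdefault(host, set()).add((proto, int(in_port)))
            continue
        m = PROTO_FWD.match(line)
        if m:
            proto, host, iface = m.groups()
            if iface == wan_if:
                result.setdefault(host, set()).add((proto or "any", None))
    return result


def ipsec_passthrough_report(config: str, wan_if: str, vpn_host: str) -> list:
    """Return the required services NOT forwarded to vpn_host as 'proto/port' strings."""
    have = forwarded_services(config, wan_if).get(vpn_host, set())
    if ("any", None) in have:
        return []
    return [f"{p}/{port}" if port else p for p, port in REQUIRED if (p, port) not in have]


# NAT lines as posted for the C871 (10.10.10.2 is the ASA outside address).
C871_FROM_POST = """
ip nat inside source list nat-pat interface FastEthernet4 overload
ip nat inside source static 10.10.10.1 interface FastEthernet4
ip nat inside source static udp 10.10.10.2 500 interface FastEthernet4 500
ip nat inside source static udp 10.10.10.2 4500 interface FastEthernet4 4500
ip nat inside source static esp 10.10.10.2 interface FastEthernet4
"""

# Constructed: NAT-T remapped to 4501 and no ESP forward at all.
CONSTRUCTED_INCOMPLETE = """
ip nat inside source list nat-pat interface FastEthernet4 overload
ip nat inside source static udp 10.10.10.2 500 interface FastEthernet4 500
ip nat inside source static udp 10.10.10.2 4500 interface FastEthernet4 4501
"""

if __name__ == "__main__":
    for name, cfg in (("C871 from post", C871_FROM_POST),
                      ("constructed incomplete", CONSTRUCTED_INCOMPLETE)):
        missing = ipsec_passthrough_report(cfg, "FastEthernet4", "10.10.10.2")
        print(f"{name}: missing {missing or 'nothing'}")
```

Run against the posted C871 lines the report is empty, which is consistent with the poster's observation that phase 1 and phase 2 complete; the missing-ESP case in the constructed config is the one that would have produced a tunnel that comes up but carries no data in one direction.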
Need urgent help configuring Client to Site IPSec VPN with hairpinning on Cisco ASA5510 - 8.2(1).
The following is the layout:
There are two leased lines for Internet access, 1.1.1.1 & 2.2.2.2, the latter being the standard default route; the former is for backup.
I have been able to configure Client to Site IPSec VPN
1) With access from outside to only the internal network (172.16.0.0/24) behind the ASA
2) With split tunnel, with simultaneous access to the internal LAN and the outside Internet.
But I have not been able to make the traditional hairpinning model work in this scenario.
I followed every possible suggestion made in this regard in many discussion topics but still no luck. Can someone please help me out here???
Following is the running-config with normal Client to Site IPSec VPN configured with no Internet access:
LIMITATION: Can't boot into any other IOS image for some unavoidable reason; must use 8.2(1)
running-config --- working normal Client to Site VPN without Internet access/split tunnel
ASA Version 8.2(1)
hostname ciscoasa
domain-name cisco.campus.com
enable password xxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
names
interface GigabitEthernet0/0
nameif internet1-outside
security-level 0
ip address 1.1.1.1 255.255.255.240
interface GigabitEthernet0/1
nameif internet2-outside
security-level 0
ip address 2.2.2.2 255.255.255.224
interface GigabitEthernet0/2
nameif dmz-interface
security-level 0
ip address 10.0.1.1 255.255.255.0
interface GigabitEthernet0/3
nameif campus-lan
security-level 0
ip address 172.16.0.1 255.255.0.0
interface Management0/0
nameif CSC-MGMT
security-level 100
ip address 10.0.0.4 255.255.255.0
boot system disk0:/asa821-k8.bin
boot system disk0:/asa843-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name cisco.campus.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network cmps-lan
object-group network csc-ip
object-group network www-inside
object-group network www-outside
object-group service tcp-80
object-group service udp-53
object-group service https
object-group service pop3
object-group service smtp
object-group service tcp80
object-group service http-s
object-group service pop3-110
object-group service smtp25
object-group service udp53
object-group service ssh
object-group service tcp-port
object-group service udp-port
object-group service ftp
object-group service ftp-data
object-group network csc1-ip
object-group service all-tcp-udp
access-list INTERNET1-IN extended permit ip host 1.2.2.2 host 2.2.2.3
access-list CSC-OUT extended permit ip host 10.0.0.5 any
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq www
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq https
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ssh
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ftp
access-list CAMPUS-LAN extended permit udp 172.16.0.0 255.255.0.0 any eq domain
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq smtp
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq pop3
access-list CAMPUS-LAN extended permit ip any any
access-list csc-acl remark scan web and mail traffic
access-list csc-acl extended permit tcp any any eq smtp
access-list csc-acl extended permit tcp any any eq pop3
access-list csc-acl remark scan web and mail traffic
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 993
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq imap4
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 465
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq www
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq https
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq smtp
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq pop3
access-list INTERNET2-IN extended permit ip any host 1.1.1.2
access-list nonat extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list DNS-inspect extended permit tcp any any eq domain
access-list DNS-inspect extended permit udp any any eq domain
access-list capin extended permit ip host 172.16.1.234 any
access-list capin extended permit ip host 172.16.1.52 any
access-list capin extended permit ip any host 172.16.1.52
access-list capin extended permit ip host 172.16.0.82 host 172.16.0.61
access-list capin extended permit ip host 172.16.0.61 host 172.16.0.82
access-list capout extended permit ip host 2.2.2.2 any
access-list capout extended permit ip any host 2.2.2.2
access-list campus-lan_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.150.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu internet1-outside 1500
mtu internet2-outside 1500
mtu dmz-interface 1500
mtu campus-lan 1500
mtu CSC-MGMT 1500
ip local pool vpnpool1 192.168.150.2-192.168.150.250 mask 255.255.255.0
ip verify reverse-path interface internet2-outside
ip verify reverse-path interface dmz-interface
ip verify reverse-path interface campus-lan
ip verify reverse-path interface CSC-MGMT
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (internet1-outside) 1 interface
global (internet2-outside) 1 interface
nat (campus-lan) 0 access-list campus-lan_nat0_outbound
nat (campus-lan) 1 0.0.0.0 0.0.0.0
nat (CSC-MGMT) 1 10.0.0.5 255.255.255.255
static (CSC-MGMT,internet2-outside) 2.2.2.3 10.0.0.5 netmask 255.255.255.255
access-group INTERNET2-IN in interface internet1-outside
access-group INTERNET1-IN in interface internet2-outside
access-group CAMPUS-LAN in interface campus-lan
access-group CSC-OUT in interface CSC-MGMT
route internet2-outside 0.0.0.0 0.0.0.0 2.2.2.5 1
route internet1-outside 0.0.0.0 0.0.0.0 1.1.1.5 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.0.0.2 255.255.255.255 CSC-MGMT
http 10.0.0.8 255.255.255.255 CSC-MGMT
http 1.2.2.2 255.255.255.255 internet2-outside
http 1.2.2.2 255.255.255.255 internet1-outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map internet2-outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map internet2-outside_map interface internet2-outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca xyzxyzxyzyxzxyzxyzxyzxxyzyxzyxzy
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as
quit
crypto isakmp enable internet2-outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
telnet 10.0.0.2 255.255.255.255 CSC-MGMT
telnet 10.0.0.8 255.255.255.255 CSC-MGMT
telnet timeout 5
ssh 1.2.3.3 255.255.255.240 internet1-outside
ssh 1.2.2.2 255.255.255.255 internet1-outside
ssh 1.2.2.2 255.255.255.255 internet2-outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy VPN_TG_1 internal
group-policy VPN_TG_1 attributes
vpn-tunnel-protocol IPSec
username ssochelpdesk password xxxxxxxxxxxxxx encrypted privilege 15
username administrator password xxxxxxxxxxxxxx encrypted privilege 15
username vpnuser1 password xxxxxxxxxxxxxx encrypted privilege 0
username vpnuser1 attributes
vpn-group-policy VPN_TG_1
tunnel-group VPN_TG_1 type remote-access
tunnel-group VPN_TG_1 general-attributes
address-pool vpnpool1
default-group-policy VPN_TG_1
tunnel-group VPN_TG_1 ipsec-attributes
pre-shared-key *
class-map cmap-DNS
match access-list DNS-inspect
class-map csc-class
match access-list csc-acl
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class csc-class
csc fail-open
class cmap-DNS
inspect dns preset_dns_map
service-policy global_policy global
prompt hostname context
Cryptochecksum: y0y0y0y0y0y0y0y0y0y0y0y0y0y
: end
Neither adding dynamic NAT for 192.168.150.0/24 on the outside interface works, nor does sysopt connection permit-vpn work.
Please tell me what needs to be done here to hairpin all the traffic to the Internet coming from VPN clients.
That is, I need clients connected via the VPN tunnel, when connecting to the Internet, to have their IPs NAT'ted to the internet2-outside interface address 2.2.2.2, as happens for the campus clients (172.16.0.0/16).
I'm not very conversant with everything involved here, therefore please be elaborate in your replies. Please let me know if you need any more information regarding this setup to answer my query.
Thanks & Regards
maxs
Hi Jouni,
Thanks again for your help, got it working. Actually the problem was that the ASA needed some time after configuring to work properly ( ?????? ). I configured and tested several times within a short period during the day and it was not working initially; the GUI packet tracer was showing some problems (IPSEC Spoof detected) and there was also this left-out DNS. It's working fine now.
But my problem is not fully solved here.
Does the hairpinning model also allow access to the campus LAN behind the ASA? Because the setup is working now as I needed, and I can access the Internet with the NAT'ed IP address (outside interface). So far so good. But now I cannot access the campus LAN behind the ASA.
Here is the packet-tracer output for the traffic:
packet-tracer output
asa# packet-tracer input internet2-outside tcp 192.168.150.1 56482 172.16.1.249 22
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.0.0 255.255.0.0 campus-lan
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.150.1 255.255.255.255 internet2-outside
Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group internnet1-in in interface internet2-outside
access-list internnet1-in extended permit ip 192.168.150.0 255.255.255.0 any
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: NAT
Subtype:
Result: DROP
Config:
nat (internet2-outside) 1 192.168.150.0 255.255.255.0
match ip internet2-outside 192.168.150.0 255.255.255.0 campus-lan any
dynamic translation to pool 1 (No matching global)
translate_hits = 14, untranslate_hits = 0
Additional Information:
Result:
input-interface: internet2-outside
input-status: up
input-line-status: up
output-interface: internet2-outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
The problem here, as you can see, is the rule for dynamic NAT that I added to make hairpinning work in the first place:
dynamic nat
asa(config)#nat (internet2-outside) 1 192.168.150.0 255.255.255.0
Is it possible to access both
1) LAN behind ASA
2) INTERNET via HAIRPINNING
simultaneously via a single tunnel-group?
If it can be done, how do I do it? What changes do I need to make here to get simultaneous access to my LAN as well?
Thanks & Regards
Abhijit -
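The packet-tracer output above ends in phase 10 with a NAT drop because the "nat (internet2-outside) 1 192.168.150.0 255.255.255.0" rule matches the VPN pool on the ingress interface, while no "global" with id 1 exists on campus-lan, the egress interface the route lookup chose. The following Python model is an added illustration, not code from the thread or from a Cisco tool: it reproduces the ASA 8.2 translation lookup order for the three rule types in the posted config (nat 0 access-list exemption, dynamic nat id, global) and replays the three flows Abhijit describes. The with_pool_exemption function encodes an assumption the thread does not state, that a nat 0 access-list on internet2-outside for the pool to the campus LAN would exempt the traced flow; the model predicts that outcome, and the real device should be checked with packet-tracer before relying on it.

```python
"""Model of the ASA 8.2 NAT lookup order seen in the packet-tracer output above.

Added illustration, not code from the thread or from Cisco. It models only the
rule types present in the posted config: 'nat (if) 0 access-list' exemptions,
'nat (if) id net mask' dynamic rules and 'global (if) id interface'.
"""
import ipaddress


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


class Asa82Nat:
    def __init__(self):
        self.routes = []      # (network, egress interface); longest prefix wins
        self.exempt = []      # (ingress_if, src_net, dst_net)  nat (if) 0 access-list
        self.dynamic = []     # (ingress_if, nat_id, src_net)   nat (if) id net mask
        self.globals = set()  # (egress_if, nat_id)             global (if) id interface

    def egress_for(self, dst_ip: str) -> str:
        dst = ipaddress.ip_address(dst_ip)
        candidates = [(n, iface) for n, iface in self.routes if dst in n]
        return max(candidates, key=lambda r: r[0].prefixlen)[1]

    def lookup(self, ingress_if: str, src_ip: str, dst_ip: str) -> tuple:
        """Return (action, reason, egress_if) for one flow."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        egress_if = self.egress_for(dst_ip)
        # 1. A nat 0 exemption on the ingress interface bypasses translation entirely.
        for iface, s, d in self.exempt:
            if iface == ingress_if and src in s and dst in d:
                return ("ALLOW", "NAT-EXEMPT", egress_if)
        # 2. A dynamic nat id on the ingress interface needs a global with the
        #    same id on the egress interface; otherwise the tracer reports
        #    "No matching global" and drops the flow.
        for iface, nat_id, s in self.dynamic:
            if iface == ingress_if and src in s:
                if (egress_if, nat_id) in self.globals:
                    return ("ALLOW", f"dynamic translation to pool {nat_id}", egress_if)
                return ("DROP", "No matching global", egress_if)
        # 3. No rule matched: without nat-control the packet passes untranslated.
        return ("ALLOW", "untranslated", egress_if)


def asa_from_thread() -> Asa82Nat:
    """Rules taken from the posted running-config plus the hairpin nat added later."""
    asa = Asa82Nat()
    asa.routes = [(net("172.16.0.0/16"), "campus-lan"),
                  (net("0.0.0.0/0"), "internet2-outside")]
    asa.exempt.append(("campus-lan", net("172.16.0.0/16"), net("192.168.150.0/24")))
    asa.dynamic.append(("campus-lan", 1, net("0.0.0.0/0")))
    asa.dynamic.append(("internet2-outside", 1, net("192.168.150.0/24")))
    asa.globals.update({("internet1-outside", 1), ("internet2-outside", 1)})
    return asa


def vpn_client_to_campus():
    """The traced flow: pool client 192.168.150.1 to campus host 172.16.1.249."""
    return asa_from_thread().lookup("internet2-outside", "192.168.150.1", "172.16.1.249")


def vpn_client_to_internet():
    """Hairpin to the Internet; 198.51.100.7 is a constructed external host."""
    return asa_from_thread().lookup("internet2-outside", "192.168.150.1", "198.51.100.7")


def campus_to_vpn_client():
    """Campus host towards a pool client, covered by the existing nat 0 on campus-lan."""
    return asa_from_thread().lookup("campus-lan", "172.16.1.249", "192.168.150.1")


def with_pool_exemption():
    """Assumption, not stated in the thread: exempt pool -> campus on the
    outside interface as well. The model then passes the traced flow."""
    asa = asa_from_thread()
    asa.exempt.append(("internet2-outside", net("192.168.150.0/24"), net("172.16.0.0/16")))
    return asa.lookup("internet2-outside", "192.168.150.1", "172.16.1.249")


if __name__ == "__main__":
    for name, fn in (("VPN client -> campus LAN", vpn_client_to_campus),
                     ("VPN client -> Internet (hairpin)", vpn_client_to_internet),
                     ("campus LAN -> VPN client", campus_to_vpn_client),
                     ("VPN client -> campus LAN, added exemption", with_pool_exemption)):
        print(f"{name}: {fn()}")
```

The model agrees with the thread on the two flows it reports: the hairpin to the Internet is translated through the pool on internet2-outside, and the flow to the campus LAN is dropped for want of a global on campus-lan. It also shows why the existing "nat (campus-lan) 0 access-list campus-lan_nat0_outbound" does not help here: that exemption is evaluated only for traffic entering campus-lan, not for traffic entering internet2-outside.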
RV180 behind DSL-ROUTER can't connect with QuickVPN
Hello,
I want to ask if it is possible to configure the RV180 behind my DSL router to connect using QuickVPN. First I tried to connect to the PPTP server and it worked fine, but when I tried to connect using QuickVPN, it seems to connect, but when the client says "verifying network", after a while the message "network not responding..." appears.
In my DSL router I forwarded these ports: UDP: 500, 4500, 443, 60443 - TCP: 443, 60443 (I don't know if the TCP ports are needed but I opened them for testing) and allowed protocol ESP (it comes with the rule to allow IPSEC-L2TP).
Thanks!
Hello Siva,
From where do I have to test reachability? From the computer where I have installed the QuickVPN client I can reach the WAN interface of the DSL router, which is doing NAT and forwarding the ports I mentioned to the WAN interface of my RV180. The network between the DSL router and the RV180 uses private IPs.
The schema is:
Internet ---- (public ip) dsl router (192.168.1.1) ---- (192.168.1.50)RV180(10.0.0.1) ----- my network 10.0.0.0/24
In the document you posted it is explained:
"Your Cisco router must have a direct public IP address for QuickVPN to work, please check under the status tab and your internet connection type and make sure it has a public IP address and it is not behind another router. This issue is more common with DSL connections; if you are behind another router/modem you should request your ISP to turn it into bridge mode so our router can be the border router between your LAN and your ISP."
That's my configuration. I will look at how to turn my DSL router into a bridge. Thanks. -
Cisco ASA 5505 site to site IPSec VPN with RV220W issue
I have an ASA5505 connected to an RV220W through an IPSec VPN. When using SMB to transfer a large file, the ASA5505 shows the error message:
CTM ERROR: Invalid input parameters, ctm_get_scb_prot_stats:1561
The error message is from debug crypto engine. When the message shows, the transfer speed slows down quickly, and eventually no data can go through between the ASA and the RV220W. But the IPSec SA and the IKE SA are active, and I can ping the inside network on both sites.
Both the ASA5505 and the RV220W have been updated to the latest firmware. I have searched Google but found no related issue.
Any suggestions on where to look would be much appreciated.
Thanks in advance
Terry
Hi Ted, thanks for your reply and information.
The strange thing that happened is that the RV220W shows the IPSec SA is expired, but the ASA5505 IPSec and IKEv1 SAs are active. Both sites' internal networks can ping the other side, but can't transfer files through Windows SMB. It seems that when I transfer over 4 GBytes of files, it starts happening and requires clearing the IPSec and IKEv1 SAs so that the VPN tunnel starts up again.
I have already surrendered on this issue...... -
How to access Time Capsule drives behind DSL Router over WAN
Hello everyone,
I have an older Time Capsule (with USB drive) connected to my Hitron CGN3 DSL wireless router over Ethernet.
I have turned off the wireless functionality of the TC since the router seems to be much faster on Speedtest.net.
I have my TC and attached USB drive set up to share over WAN but am getting a Double NAT error.
It doesn't seem like I can turn off NAT on my Router.
I can't run the TC in bridge mode because it will remove the Share over WAN option for the TC and Drive.
Is it possible to set up the TC and attached USB drive on the router, without wireless on, so that I can access the TC and drive over the Internet?
Any help would be soooooo appreciated!!!
Thanks!
Ian
Does anyone know why my Time Capsule drive sharing needs to be set to disk password?
You can set the TC disks to user accounts.. at least you can on older TC with older airport utility.. but there are consequences which you discovered.
If you set accounts.. you will have major issue with the existing files.. they will all disappear.
The old v5 utility gives you this warning.. which somehow Apple forgot on new version.
It actually makes all the present files disappear for all users. The warning just doesn't go far enough. You do this on a blank TC.. and of course the USB drive is just the same.. you cannot use different settings on that to the TC internal drive. So offload all your files.. create accounts on a bare TC.. load the files back into the correct user profiles.
In the end you probably want more flexibility than a TC is designed for.. buy something designed for remote access.. WD MyCloud.. it is hugely superior.
Also. . . I am trying some file manager apps for my iPhone in hopes that I can connect to the same drive with it. So far no luck with the free versions of FileBrowser Lite or File Explorer Free.
Most are SMB based.. not AFP.. Apple offer only two protocols.. SMB and AFP. But no responsible ISP allows SMB over the internet. The flood of files from hacked windows machines would bring the internet to a grinding halt.
People do get around it.. you can use filebrowser for instance by opening SMB to the outside world on a non-standard port.
See http://www.stratospherix.com/support/gsw_timecapsule.php?page=6remote
But this is incredibly risky.. there is very poor security and it is not a great idea. The AFP security is much better than SMB.
If you want security use something other than TC.. any real NAS that offers VPN access for instance. The cost of a WD MyCloud is very reasonable when you look at the flexibility of the design. But any decent NAS will offer real remote access.. not Apple's limited pretend version. -
Using Airport Express with an ATT DSL router
July 10, 2012
Hi All! The following thoughts are for
1) those of you who use ATT DSL as your internet service-provider, and
2) who wish to stream iTunes songs from your computer to speakers in other rooms via AIRPORT EXPRESSes, and
3) are wondering whether you have to purchase a separate Apple Airport Extreme base-station, or can simply use your existing ATT router.
Having just spent several days and many hours on the phone before Apple's tech "Dan" was finally able to get my system up and running, I thought some of you might appreciate my sharing the following info while it's still fresh in my mind.
1. You may need to update your ATT router to the latest version, in order for it to properly communicate with your AIRPORT EXPRESS(es) (henceforth shortened to "AEs"). The AEs use 802.11n speed. My original ATT router (a 2Wire 2701HG-B) was no faster than "-h," and this might have been part of the problem as to why my system wouldn't work. I went to my local AT&T store, and got their latest router: as of this writing, a Netgear "Westell" Model B90-755025-15, which can run at both the slower speeds as well as the faster "-n." To find out some of the specs of my router, an Apple tech had me type in the 10 digits of my Gateway IP Address into the address-bar (no need for the "https://www") and "Presto!", up popped several pages of info on my router.
2. When first setting up your AE, it needs to be back in "default mode." If it's right out of the box, you don't need to do anything. But if, like me, you've already made several attempts to get it running, then you need to reset it to its pre-configured state. You do that by taking a bent paper-clip, and inserting one end into the little hole on the ports-side of your AE (near where the mini-plug of a speaker-cable is inserted). While the device is plugged in, gently press the paper-clip into the hole until the light on top blinks amber QUICKLY, the flashes coming in rapid succession. Then remove the paper-clip, and the AE will glow solid amber--meaning it's waiting to be re-programmed.
3. When first setting up your AE, do NOT attach an ETHERNET CABLE from the router. The only cable that needs to be attached is the mini-plug cable running to some sort of portable, powered speaker. For myself, to make things easier, I brought my AE and my new Sony RDP-M5iP speaker/dock into the same room as my Imac & router. That way, I'd know immediately if the AE was working correctly.
4. After you've clicked on your Airport Utility App (hard drive TO Applications TO Utilities folder), you'll soon come to a page that asks you to name your AE (this page calls it a "base station"). Before you do that, you should see a button in the lower left-hand corner that says, "Other Options." Click on it. You'll then be given a choice of "Creating a New Network" or "Choosing an Existing Network." You want this 2nd choice--because you indeed are planning to use your ATT router's existing wireless network.
5. Shortly, you'll come to the page asking you to name your AE. Call it, for instance, "Family Room Speaker." As for password, at first I--as well as virtually all of the techs with whom I spoke--thought I should type in the multi-digit ATT router-password (called a "Wireless Network Key"). But finally, "Dan" told me to simply type in, "express1" (or, for my 2nd AE, "express2"). That did the trick!
6. Your AE should now be glowing green on top. Plus, on the 10x6" dark-grey rectangular box displaying the globe (i.e., your main internet connection), the globe should have a now-green glowing circle to its left. And underneath, it should be displaying a rectangle named "Family Room Speaker" (or whatever name you've given your Airport Express).
7. When you now open iTunes, you should see a little blue rectangle (with a triangle in its middle) in the lower right-hand corner of your iTunes box. Click on it, and it should show listed both your computer-speaker as well as your AE speaker(s), plus a heading called "multiple speakers." Click on "multiple," and it will bring up a box displaying all your now-current speakers. Check the small square next to any speakers that are unchecked, and a volume-slider will appear. Bring them all up to a comfortable level. Then click on an iTunes track you'd like to play and, voilà!, you should hear music playing both from your computer and from the portable speaker to which your AE is attached.
8. Now close iTunes. Then unplug your Airport Express and--if you have a 2nd AE-- plug them both back into your power-strip. Go thru the set-up steps in your Airport Utility App for this 2nd AE. At the end of it, both AEs should be glowing green on top, and both should be displayed on your computer-screen.
Now re-open iTunes, and start a song playing. (Don't forget to click on the blue rectangle at the R-hand bottom, and activate the new AE speaker.) By inserting your speaker cable alternately into each of the AEs, you should be able to verify that, yes, both are now working.
9. Unplug both AEs, and bring them to whatever room you want to use them in. Plug them in to a wall outlet, and run your mini-cable from the AE to the speaker. Give the AEs a few minutes to pick up the signal once again from your ATT router; when they do, their lights will change from amber back to green. Tech Dan warned me to keep them away from too much metal, to avoid interference. As soon as they turn green, you should now be hearing your iTunes track playing throughout your house! (If not, you may have to first close iTunes on your computer, then re-open it, and start a new track playing.)
The BOTTOM LINE: no, you don't have to purchase a separate Apple Extreme to be your base-station. Your ATT router--if it's running at the 802.11n standard--should be able to work with your Airport Express(es)!
My thanks to Sean and Cameron and Chris and, most especially, Dan, the Apple techs who patiently worked with me to get this system online.
I am GREATLY appreciative of this overview. Even though I don't understand a lot of it. I will keep working through. I am-- have for 2 years-- had terrible connectivity with AT&T's service & 2Wire router. My MacBookPro keeps dropping the signal. I'm talking every few clicks at times. Husband's PC drops it, too, but not nearly as much as the Mac. I'm sure what you posted can help us get better connectivity.
-
VPN with Time Capsule, Linksys router
We are running SLS 10.6.4 on a Mac Mini over Cox business internet with a fixed IP, and we've been trying to get VPN service working on the Mini through our TC. After some finagling I came across this post which describes the lack of L2TP support in the TC, so we bought a Linksys/Cisco WRV210 VPN router. We do want to keep the TC on the network for file sharing.
When setting this up, it would seem to me that the WRV210 should be (or would have to be?) the gateway. However, it appears to be limited in the number of ports that can be forwarded (at least without manually editing its config file; the web interface doesn't show enough for our needs). Or maybe there is a way to use the WRV210 for handling VPN access, while mapping a range of other ports to the TC and then on to the server?
Alternatively, perhaps we can continue using the TC as the gateway, mapping VPN access through the TC to the WRV210?
If anyone else has any experience with this type of setup, feel free to chime in.
Having tried this in the past......the only way that I could ever get the WRT54G to connect correctly was by turning off the wireless security on both the Time Capsule and Linksys device.
Not sure if you want to run an open network.....or even if that will work with newer firmware on the Time Capsule. I believe that I was using 7.4.2 or possibly 7.5.2 at the time.
But, you never know. Maybe another user has a magic wand.
My opinion......life would be tons easier if you added an AirPort Express to the Time Capsule network, and added an Ethernet switch with as many ports as you need....and the connection will run 2-3 times faster or more than the WRT54G can provide. -
Setting up site to site IPSec VPN with RV 120W
Hi All,
I am looking to set up a site to site VPN between a local and remote office, with an RV 120W as the gateway at either side. Aside from changing the remote site's IP and subnet, what do I need to do to get this functional? To call myself a well tooled novice would be appropriate. Any help is appreciated.
Thanks,
Scott
You will most likely need to call the Cisco Small Business Support Center at 1-866-606-1866 so that
we can assist you in setting up the Gateway to Gateway VPN Tunnel.
THANKS
Rick Roe
Cisco Small Business Support Center -
RV180W ipsec vpn with multiple networks
Hello,
I am setting up a customer site. One side is RV180W and the other side is Checkpoint 500W.
RV180W side
LAN - 192.168.100.0/24
Checkpoint side
LAN - 172.26.1.0/24
VOIP - 172.26.2.0/24
I need to set up an IPsec tunnel between the sites. However, from the RV180W side, I can only ping the VOIP network, but not the LAN. Need help. I have heard that the RV180W can only talk to one remote network via IPsec, correct? Is there any other way to work around this other than changing out the RV180W? Thanks.
Ho
Hi Tom,
I have a similar situation, needing to set up 3 tunnels to the same endpoint. Each tunnel has a different remote LAN setting, but I can only get one tunnel to work at a time. I have to disable the other two. For more details, see my posting: https://supportforums.cisco.com/message/3781143#3781143
How can I set up 3 IPsec tunnels to the same endpoint?
Marshall -
How to setup an IPSec VPN Tunnel Cisco 2320 Vs RVS4000
Hello all.
This forum has always helped me in all my investigations about VPN and now I'm gonna help everyone with this post.
I have successfully configured an IPsec VPN tunnel by using a Scientific Atlanta Cisco 2320 router and an RVS4000 4-Port Gigabit Security Router with VPN.
On the site of Router Scientific Atlanta Cisco 2320 this is some info:
WAN IP: A.A.A.A
Router Local IP: 192.168.5.1
Subnet: 192.168.5.X
Subnet Mask: 255.255.255.0
On the site of RVS4000 4-Port Gigabit Security Router with VPN this is some info:
WAN IP: B.B.B.B
Router Local IP: 192.168.0.10
Subnet: 192.168.0.X
Subnet Mask: 255.255.255.0
Remember that you cannot be on the same IP range, I mean, you cannot have 192.168.0.X if the remote network is on 192.168.0.X; you have to change one of the routers.
I show the configuration on Router Scientific Atlanta Cisco 2320:
I show the configuration on RVS4000 4-Port Gigabit Security Router with VPN:
If all is correctly configured, you should see on Router Scientific Atlanta Cisco 2320 the Status Connected:
If all is correctly configured, you should see on RVS4000 4-Port Gigabit Security Router with VPN the Status Up:
As you can see, I'm connected to the remote router (RVS4000 4-Port Gigabit Security Router with VPN) from my own web browser, accessing it by the local IP 192.168.0.10.
I have used MD5 authentication; maybe it is not the best one, but I had no time to test SHA1. I will when I have time.
I hope this helps anyone who needs to do this.
Best regards!
Hey,
Thanks a ton for posting this out here. I am sure it will be helpful for people trying this out.
Regards,
Prapanch -
How to reduce the IPSec VPN connection establishment time
Hi,
I set up an IPsec VPN with NAT-T between two Cisco 871 routers. In particular, one router acts as a SERVER and the other one as a CLIENT. All the traffic coming from the hosts connected to the CLIENT router is sent over the VPN (no split tunnel). Everything works perfectly.
The only problem is the amount of time the VPN takes to establish the first connection between the two routers. In particular it takes about two minutes.
Could anybody tell me if this amount of time can be reduced (with a particular configuration instruction)?
Or is this the minimum amount of time required for the first connection establishment?
Thank you for your help.
Sara,
Two minutes sounds like a lot of time even with a super slow Internet connection. Could you share your configs to see if there is anything in the VPN config that is adding such a huge delay? The connection establishment shouldn't take more than a few seconds.
Thanks,
Raga -
How to check the port status in IPSec VPN
Hi Experts,
Is there any way by which we can find out whether UDP port 500 is blocked on the ISP side?
My IPsec VPN configured between two Cisco routers in a production network is not coming up, and experts are saying that the ISP has blocked port 500 somewhere in between; however, the ISP denies this and says they don't block any port.
Kindly suggest what would be the best way out?
Thanks
Thanks Marvin,
How could I capture the traffic from the initiating peer so that I can figure out whether UDP port 500 is blocked or not, with the help of Wireshark...
In my network an ONT/modem (having four Ethernet ports) is installed at both ends, and from one of its ports the router is connected at each side, and the IPsec VPN is configured between the routers. To check the UDP port status, my question is, should I connect my laptop (running Wireshark) to one of the ports of the ONT and capture the traffic, or is there any other way, and how will that traffic tell me whether port 500 is blocked or not? -
IPSec VPN to MPLS (PE)
Guys, is it possible to set up a site-to-site IPsec VPN to an MPLS enabled router using a Cisco ASA (ASA5520 --> MPLS)? Is there any configuration problem I need to be aware of?
Many thanks in advance.
Thank you all for all your input.
One thing to clear up: our ASA is sitting behind our ISP router, and the hosting provider is located somewhere on the internet (outside our ISP network).
Here is the config sent by the hosting provider, which I believe is an MPLS VPN configuration. The engineer is trying to terminate our ASA IPsec VPN into this config. Will it work?
ip vrf vs319776
 description vfi240 - CLIENT1 vs319776
 rd 7496:319776
 maximum routes 10 100
crypto keyring vs319776
 pre-shared-key address 203.x.x.7 key --omitted--
crypto isakmp profile vs319776
 vrf vs319776
 keyring vs319776
 match identity address 203.x.x.7 255.255.255.255
 keepalive 10 retry 2
crypto dynamic-map VPN 390
 set transform-set 3dessha 3desmd5
 set isakmp-profile vs319776
 match address vs319776
 reverse-route
interface FastEthernet2/0.673
 ip vrf forwarding vs319776
ip route vrf vs319776 210.x.x.192 255.255.255.255 202.x.x.206
ip route vrf vs319776 210.x.x.200 255.255.255.255 202.x.x.206
ip access-list extended vs319776
 permit ip 10.1.1.192 0.0.0.7 202.x.x.206 0.0.0.7
 permit ip 10.1.1.200 0.0.0.7 202.x.x5.206 0.0.0.7
 deny ip host 0.0.0.0 any
end
Our ASA configuration is the normal ASA IPsec L2L config.