Isakmp port
Do the ISAKMP source and destination ports both remain 500 in all types of VPN, or is only the destination port 500?
Only the destination is always the fixed port, so ISAKMP will always have port 500 as the destination and the source will be any logical port above 1024.
Similar Messages
-
Cisco ASA 5505 VPN Anyconnect no address assignment
I have a problem with IP assignment via AnyConnect. I always get the message "no assigned address" via AnyConnect. I assigned an address pool to my VPN profile, but it's still not working. Here is my config:
hostname firewall
domain-name ITTRIPP.local
enable password 8K8UeTZ9KV5Lvofo encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool 192.168.178.0 192.168.178.151-192.168.178.171 mask 255.255.255.255
ip local pool net-10 10.0.0.1-10.0.0.10 mask 255.255.255.0
ip local pool SSL-POOL 172.16.1.1-172.16.1.254 mask 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
description Private Interface
nameif inside
security-level 100
ip address 192.168.178.10 255.255.255.0
ospf cost 10
interface Vlan2
description Public Interface
nameif outside
security-level 0
ip address 192.168.177.2 255.255.255.0
ospf cost 10
interface Vlan3
description DMZ-Interface
nameif dmz
security-level 0
ip address 10.10.10.2 255.255.255.0
boot system disk0:/asa914-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup dmz
dns server-group DefaultDNS
name-server 192.168.178.3
name-server 192.168.177.1
domain-name ITTRIPP.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network 192.168.178.x
subnet 192.168.178.0 255.255.255.0
object network NETWORK_OBJ_192.168.178.0_26
subnet 192.168.178.0 255.255.255.192
object service teamviewer
service tcp source eq 5938
object service smtp_tls
service tcp source eq 587
object service all_tcp
service tcp source range 1 65535
object service udp_all
service udp source range 1 65535
object network NETWORK_OBJ_192.168.178.128_26
subnet 192.168.178.128 255.255.255.192
object network NETWORK_OBJ_10.0.0.0_28
subnet 10.0.0.0 255.255.255.240
object-group service Internet-udp udp
description UDP Standard Internet Services
port-object eq domain
port-object eq ntp
port-object eq isakmp
port-object eq 4500
object-group service Internet-tcp tcp
description TCP Standard Internet Services
port-object eq www
port-object eq https
port-object eq smtp
port-object eq 465
port-object eq pop3
port-object eq 995
port-object eq ftp
port-object eq ftp-data
port-object eq domain
port-object eq ssh
port-object eq telnet
object-group user DM_INLINE_USER_1
user LOCAL\admin
user LOCAL\lukas
user LOCAL\sarah
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq ssh
object-group service 192.168.178.network tcp
port-object eq 5000
port-object eq 5001
object-group service DM_INLINE_SERVICE_1
service-object object smtp_tls
service-object tcp destination eq imap4
service-object object teamviewer
object-group service DM_INLINE_SERVICE_2
service-object object all_tcp
service-object object udp_all
object-group service DM_INLINE_SERVICE_3
service-object object all_tcp
service-object object smtp_tls
service-object object teamviewer
service-object object udp_all
service-object tcp destination eq imap4
object-group service vpn udp
port-object eq 1701
port-object eq 4500
port-object eq isakmp
object-group service openvpn udp
port-object eq 1194
access-list NAT-ACLs extended permit ip 192.168.178.0 255.255.255.0 any
access-list inside-in remark -=[Access Lists For Outgoing Packets from Inside interface]=-
access-list inside-in extended permit udp 192.168.178.0 255.255.255.0 any object-group Internet-udp
access-list inside-in extended permit tcp 192.168.178.0 255.255.255.0 any object-group Internet-tcp
access-list inside-in extended permit icmp 192.168.178.0 255.255.255.0 any
access-list inside-in extended permit udp 192.168.178.0 255.255.255.0 any eq sip
access-list inside-in extended permit object-group DM_INLINE_SERVICE_1 192.168.178.0 255.255.255.0 any
access-list inside-in extended permit object-group DM_INLINE_SERVICE_2 192.168.178.0 255.255.255.0 any
access-list outside-in remark -=[Access Lists For Incoming Packets on OUTSIDE interface]=-
access-list outside-in extended permit icmp any 192.168.178.0 255.255.255.0 echo-reply
access-list outside-in extended permit tcp object-group-user DM_INLINE_USER_1 any host 192.168.178.95 object-group DM_INLINE_TCP_1
access-list outside-in extended permit tcp any host 192.168.178.95 object-group 192.168.178.network
access-list outside-in extended permit tcp any 192.168.178.0 255.255.255.0 eq sip
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list dmz_access_in remark -=[Access Lists For Outgoing Packets from DMZ interface]=-
access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_3 10.10.10.0 255.255.255.0 any
access-list dmz_access_in extended permit icmp 10.10.10.0 255.255.255.0 any
access-list dmz_access_in extended permit tcp 10.10.10.0 255.255.255.0 any object-group Internet-tcp
access-list dmz_access_in extended permit udp 10.10.10.0 255.255.255.0 any object-group Internet-udp
pager lines 24
logging enable
logging buffer-size 30000
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.178.0_26 NETWORK_OBJ_192.168.178.0_26 no-proxy-arp route-lookup
nat (dmz,outside) source static any any destination static NETWORK_OBJ_192.168.178.0_26 NETWORK_OBJ_192.168.178.0_26 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.178.128_26 NETWORK_OBJ_192.168.178.128_26 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.0.0.0_28 NETWORK_OBJ_10.0.0.0_28 no-proxy-arp route-lookup
object network 192.168.178.x
nat (inside,outside) dynamic interface
nat (dmz,outside) after-auto source dynamic 192.168.178.x interface
access-group inside-in in interface inside
access-group outside-in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 192.168.177.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ITTRIPP protocol ldap
aaa-server ITTRIPP (inside) host 192.168.178.3
ldap-base-dn CN=Users,DC=ITTRIPP,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=Administrator,DC=ITTRIPP,DC=local
server-type microsoft
user-identity default-domain LOCAL
eou allow none
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 5
http server enable
http 192.168.178.0 255.255.255.0 inside
http redirect outside 80
http redirect inside 80
http redirect dmz 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map dmz_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map dmz_map interface dmz
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=firewall
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
fqdn l1u.dyndns.org
email [email protected]
subject-name CN=l1u.dyndns.org,OU=VPN Services,O=ITTRIPP,C=DE,St=NRW,L=PLBG,EA=[email protected]
serial-number
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate 6a871953
308201cf 30820138 a0030201 0202046a 87195330 0d06092a 864886f7 0d010105
0500302c 3111300f 06035504 03130866 69726577 616c6c31 17301506 092a8648
86f70d01 09021608 66697265 77616c6c 301e170d 31343033 30373039 31303034
5a170d32 34303330 34303931 3030345a 302c3111 300f0603 55040313 08666972
6577616c 6c311730 1506092a 864886f7 0d010902 16086669 72657761 6c6c3081
9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100c0 8f17fa6c
2f227dd9 9d2856e1 b1f8193b 13c61cfe 2d6cbf94 62373535 71db9ac7 5f4ad79f
7594cfef 1360d88d ad3c69c1 6e617071 c6629bfa 3c77c2d2 a59b1ce1 39ae7a44
3f8c852d f51d03c1 d9924f7c 24747bbb bf79af9a 68365ed8 7f56e58c a37c7036
4db983e0 414d1b5e a8a2226f 7c76f50d d14ca714 252f7fbb d4a23d02 03010001
300d0609 2a864886 f70d0101 05050003 81810019 0d0bbce4 31d9342c 3965eb56
4dde42e0 5ea57cbb a79b3542 4897521a 8a6859c6 daf5e356 9526346d f13fb344
260f3fc8 fca6143e 25b08f3d d6780448 3e0fdf6a c1fe5379 1b9227b1 cee01a20
aa252698 6b29954e ea8bb250 4310ff96 f6c6f0dc 6c7c6021 3c72c756 f7b2e6a1
1416d222 0e11ca4a 0f0b840a 49489303 b76632
quit
crypto ca certificate chain ASDM_TrustPoint1
certificate 580c1e53
308202ff 30820268 a0030201 02020458 0c1e5330 0d06092a 864886f7 0d010105
05003081 c3312230 2006092a 864886f7 0d010901 16136d61 696c406c 31752e64
796e646e 732e6f72 67310d30 0b060355 04071304 504c4247 310c300a 06035504
0813034e 5257310b 30090603 55040613 02444531 10300e06 0355040a 13074954
54524950 50311530 13060355 040b130c 56504e20 53657276 69636573 31173015
06035504 03130e6c 31752e64 796e646e 732e6f72 67313130 12060355 0405130b
4a4d5831 3533345a 30575430 1b06092a 864886f7 0d010902 160e6c31 752e6479
6e646e73 2e6f7267 301e170d 31343033 31353036 35303535 5a170d32 34303331
32303635 3035355a 3081c331 22302006 092a8648 86f70d01 09011613 6d61696c
406c3175 2e64796e 646e732e 6f726731 0d300b06 03550407 1304504c 4247310c
300a0603 55040813 034e5257 310b3009 06035504 06130244 45311030 0e060355
040a1307 49545452 49505031 15301306 0355040b 130c5650 4e205365 72766963
65733117 30150603 55040313 0e6c3175 2e64796e 646e732e 6f726731 31301206
03550405 130b4a4d 58313533 345a3057 54301b06 092a8648 86f70d01 0902160e
6c31752e 64796e64 6e732e6f 72673081 9f300d06 092a8648 86f70d01 01010500
03818d00 30818902 818100c0 8f17fa6c 2f227dd9 9d2856e1 b1f8193b 13c61cfe
2d6cbf94 62373535 71db9ac7 5f4ad79f 7594cfef 1360d88d ad3c69c1 6e617071
c6629bfa 3c77c2d2 a59b1ce1 39ae7a44 3f8c852d f51d03c1 d9924f7c 24747bbb
bf79af9a 68365ed8 7f56e58c a37c7036 4db983e0 414d1b5e a8a2226f 7c76f50d
d14ca714 252f7fbb d4a23d02 03010001 300d0609 2a864886 f70d0101 05050003
81810087 8aca9c2b 40c9a326 4951c666 44c311b6 5f3914d5 69fcbe0a 13985b51
336e3c1b ae29c922 c6c1c29d 161fd855 984b6148 c6cbd50f ff3dde66 a71473c4
ea949f87 b4aca243 8151acd8 a4a426d1 7a434fbd 1a14bd90 0abe5736 4cd0f21b
d194b3d6 9ae45fab 2436ccbf d59d6ba9 509580a0 ad8f4131 39e6ccf1 1b7a125d
d50e4e
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable inside client-services port 443
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable dmz client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint1
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.178.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.178.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
no vpn-addr-assign aaa
no vpn-addr-assign local
no ipv6-vpn-addr-assign aaa
dhcp-client update dns server both
dhcpd update dns both
dhcpd address 192.168.178.100-192.168.178.150 inside
dhcpd dns 192.168.178.3 192.168.177.1 interface inside
dhcpd wins 192.168.178.3 interface inside
dhcpd domain ITTRIPP.local interface inside
dhcpd update dns both interface inside
dhcpd option 3 ip 192.168.178.10 interface inside
dhcpd option 4 ip 192.168.178.3 interface inside
dhcpd option 6 ip 192.168.178.3 192.168.177.1 interface inside
dhcpd option 66 ip 192.168.178.95 interface inside
dhcpd enable inside
dhcpd address 192.168.177.100-192.168.177.150 outside
dhcpd dns 192.168.178.3 192.168.177.1 interface outside
dhcpd wins 192.168.178.3 interface outside
dhcpd domain ITTRIPP.local interface outside
dhcpd update dns both interface outside
dhcpd option 3 ip 192.168.177.2 interface outside
dhcpd option 4 ip 192.168.178.3 interface outside
dhcpd option 6 ip 192.168.178.3 interface outside
dhcpd enable outside
dhcpd address 10.10.10.100-10.10.10.150 dmz
dhcpd dns 192.168.178.3 192.168.177.1 interface dmz
dhcpd wins 192.168.178.3 interface dmz
dhcpd domain ITTRIPP.local interface dmz
dhcpd update dns both interface dmz
dhcpd option 3 ip 10.10.10.2 interface dmz
dhcpd option 4 ip 192.168.178.3 interface dmz
dhcpd option 6 ip 192.168.178.3 interface dmz
dhcpd enable dmz
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
tftp-server inside 192.168.178.105 /volume1/data/tftp
ssl encryption 3des-sha1
ssl trust-point ASDM_TrustPoint0
ssl trust-point ASDM_TrustPoint1 outside
ssl trust-point ASDM_TrustPoint1 dmz
ssl trust-point ASDM_TrustPoint0 dmz vpnlb-ip
ssl trust-point ASDM_TrustPoint1 inside
ssl trust-point ASDM_TrustPoint0 inside vpnlb-ip
ssl trust-point ASDM_TrustPoint0 outside vpnlb-ip
webvpn
enable inside
enable outside
enable dmz
file-encoding 192.168.178.105 big5
csd image disk0:/csd_3.5.2008-k9.pkg
anyconnect image disk0:/anyconnect-linux-3.1.03103-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-3.1.03103-k9.pkg 2
anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 3
anyconnect profiles SSL-Profile_client_profile disk0:/SSL-Profile_client_profile.xml
anyconnect enable
tunnel-group-list enable
mus password *****
group-policy DfltGrpPolicy attributes
wins-server value 192.168.178.3
dns-server value 192.168.178.3 192.168.177.1
dhcp-network-scope 192.168.178.0
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
default-domain value ITTRIPP.local
split-dns value ITTRIPP.local
webvpn
anyconnect firewall-rule client-interface public value outside-in
anyconnect firewall-rule client-interface private value inside-in
group-policy GroupPolicy_SSL-Profile internal
group-policy GroupPolicy_SSL-Profile attributes
wins-server value 192.168.178.3
dns-server value 192.168.178.3 192.168.177.1
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
default-domain value ITTRIPP.local
webvpn
anyconnect profiles value SSL-Profile_client_profile type user
username sarah password PRgJuqNTubRwqXtd encrypted
username admin password QkbxX5Qv0P59Hhrx encrypted privilege 15
username lukas password KGLLoTxH9mCvWzVI encrypted
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool SSL-POOL
secondary-authentication-server-group LOCAL
authorization-server-group LOCAL
tunnel-group DefaultWEBVPNGroup ipsec-attributes
ikev1 trust-point ASDM_TrustPoint0
ikev1 radius-sdi-xauth
tunnel-group SSL-Profile type remote-access
tunnel-group SSL-Profile general-attributes
address-pool SSL-POOL
default-group-policy GroupPolicy_SSL-Profile
tunnel-group SSL-Profile webvpn-attributes
group-alias SSL-Profile enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
class class-default
user-statistics accounting
service-policy global_policy global
mount FTP type ftp
server 192.168.178.105
path /volume1/data/install/microsoft/Cisco
username lukas
password ********
mode passive
status enable
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:998674b777e5fd1d3a131d93704ea0e1
Any idea why it's not working?
You've got a lot going on there, but I'd focus on the line "no vpn-addr-assign local". Per the command reference, that tells the ASA NOT to use the local pool.
By the way, DHCP on the outside interface looks very counter-intuitive, as does enabling VPN on all interfaces over every protocol.
-
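The reply above points at three things in the posted config: `no vpn-addr-assign local` while a tunnel-group still names an address-pool, a DHCP server on the outside interface, and remote-access VPN listening on every interface. The following audit script is an added example of mine (not from the thread, the poster, or Cisco) that reads an ASA running-config and reports exactly those three conditions. The config it runs on is a constructed cut-down of the posted one, the `FIXED_CONFIG` text is a constructed "after" state, and the finding codes are names I chose.

```python
import re

# Constructed excerpt modelled on the configuration posted in the thread; only the
# lines the three checks below look at are kept.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
interface Vlan3
 nameif dmz
 security-level 0
crypto ikev2 enable inside client-services port 443
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable dmz client-services port 443
no vpn-addr-assign aaa
no vpn-addr-assign local
dhcpd enable inside
dhcpd enable outside
dhcpd enable dmz
webvpn
 enable inside
 enable outside
 enable dmz
tunnel-group SSL-Profile general-attributes
 address-pool SSL-POOL
"""

# Constructed "after" state: local pool assignment re-enabled, DHCP only on the
# inside interface, VPN terminated on the outside interface only.
FIXED_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
interface Vlan3
 nameif dmz
 security-level 0
crypto ikev2 enable outside client-services port 443
vpn-addr-assign local
dhcpd enable inside
webvpn
 enable outside
tunnel-group SSL-Profile general-attributes
 address-pool SSL-POOL
"""


def audit_vpn_config(config_text):
    """Return a list of (code, message) findings for the three checks."""
    levels = {}            # nameif -> security-level
    current = None         # nameif of the interface block being read
    vpn_ifaces = set()     # interfaces that terminate remote-access VPN (IKEv2 or SSL)
    dhcpd_ifaces = []
    pools = []
    local_assign_disabled = False

    for raw in config_text.splitlines():
        line = raw.strip()     # indentation is often lost when configs are pasted
        if line.startswith("interface "):
            current = None
        elif (m := re.match(r"nameif (\S+)$", line)):
            current = m.group(1)
        elif (m := re.match(r"security-level (\d+)$", line)) and current:
            levels[current] = int(m.group(1))
        elif (m := re.match(r"crypto ikev[12] enable (\S+)", line)) and m.group(1) in levels:
            vpn_ifaces.add(m.group(1))
        elif (m := re.match(r"enable (\S+)$", line)) and m.group(1) in levels:
            vpn_ifaces.add(m.group(1))          # 'enable <nameif>' under webvpn
        elif (m := re.match(r"dhcpd enable (\S+)$", line)):
            dhcpd_ifaces.append(m.group(1))
        elif (m := re.match(r"address-pool (\S+)", line)):
            pools.append(m.group(1))
        elif line == "no vpn-addr-assign local":
            local_assign_disabled = True

    findings = []
    if local_assign_disabled and pools:
        findings.append(("POOL_DISABLED",
                         "address-pool %s is referenced, but 'no vpn-addr-assign local' "
                         "stops the ASA from assigning from local pools" % ", ".join(pools)))
    for iface in dhcpd_ifaces:
        if levels.get(iface, 100) == 0:
            findings.append(("DHCPD_ON_UNTRUSTED",
                             f"dhcpd is enabled on {iface}, a security-level 0 interface"))
    if levels and vpn_ifaces >= set(levels):
        findings.append(("VPN_ALL_INTERFACES",
                         "remote-access VPN is enabled on every interface: "
                         + ", ".join(sorted(vpn_ifaces))))
    return findings


if __name__ == "__main__":
    for code, msg in audit_vpn_config(SAMPLE_CONFIG):
        print(f"{code}: {msg}")
```

Run against the constructed excerpt it reports all three conditions (two DHCP findings, one per security-level-0 interface); against the corrected excerpt it reports nothing. The checks key on `nameif` and `security-level` rather than on interface names, so they work on any ASA config where interfaces are defined before the `webvpn` and `crypto ikev2 enable` lines, which is the order the ASA writes them in.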
Isakmp peers using non-standard port 4500
Hello,
I have a remote site using the Internet to access corporate networks over IPSEC. Set-up is as below:
Remote Router uses public IP across internet --> hits corporate untrusted network FW --> NAT'ed to private 10.x.x.x IP --> reaches trusted network router.
The problem is that the peer keeps hanging and the only way to reset it is to issue 'clear crypto session' on the central trusted router. I have added isakmp keepalives with the aim of forcing some keepalive traffic:
crypto isakmp keepalive 90 30 periodic
...and this works to some degree (with DPD "are you there" keepalives). However, I have noticed that the far end router uses non-standard ports when trying to set up the phase-1 tunnel:
BEVRLY_D_CR184_01#sh crypto isa pee
Peer: 161.x.x.x Port: 4500 Local: 77.x.x.x
Phase1 id: 10.2.0.92
Peer: 161.x.x.x Port: 10456 Local: 77.x.x.x
Phase1 id: 10.2.0.92
Peer: 161.x.x.x Port: 10554 Local: 77.x.x.x
Phase1 id: 10.2.0.92
Peer: 161.x.x.x Port: 10557 Local: 77.x.x.x
Phase1 id: 10.2.0.92
Peer: 161.x.x.x Port: 10580 Local: 77.x.x.x
Phase1 id: 10.2.0.92
Peer: 161.x.x.x Port: 10589 Local: 77.x.x.x
Phase1 id: 10.2.0.92
Peer: 161.x.x.x Port: 10596 Local: 77.x.x.x
Phase1 id: 10.2.0.92
Peer: 161.x.x.x Port: 10600 Local: 77.x.x.x
Phase1 id: 10.2.0.92
These ports (non-4500) will be blocked by our firewalls. Why does it use these, and is there a way of stopping the router using anything other than port 4500?
Thanks
Phil
Hello,
Yes - there's NAT at the trusted central router end our side of the firewall... the config used is below:
Remote Router end:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 180
crypto isakmp key address
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 90 30 periodic
crypto ipsec security-association idle-time 300
crypto ipsec transform-set BEVERLEY_Transform esp-3des esp-md5-hmac
crypto ipsec profile VTI
set security-association lifetime seconds 1800
set transform-set BEVERLEY_Transform
interface Tunnel1
description BEVRLY_CC296_01 F0/8 (10.30.45.29)
ip address x.x.x.x 255.255.255.252
ip helper-address 10.91.6.30
ip helper-address 10.4.162.92
ip mtu 1400
ip ospf message-digest-key 1 md5
load-interval 30
tunnel source Dialer1
tunnel destination
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI
Central Router:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 180
crypto isakmp key address
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 90 30 periodic
crypto ipsec security-association idle-time 300
crypto ipsec transform-set BEVERLEY_Transform esp-3des esp-md5-hmac
crypto ipsec profile VTI
set security-association lifetime seconds 1800
set transform-set BEVERLEY_Transform
interface Tunnel1
description link to Beverley via internet (BEVERLY_CR184_01 Tun1)
ip address x.x.x.x 255.255.255.252
ip mtu 1400
ip ospf message-digest-key 1 md5
load-interval 30
tunnel source FastEthernet0/1
tunnel destination
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI
I believe the DPD keepalives ensure NAT is known and compatible (crypto isakmp keepalive 90 30 periodic) between the peers....
Any help gladly appreciated....
thanks
Phil
-
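The first question on this page (is the ISAKMP source port fixed?) and Phil's list of peers on ports such as 10456 come down to the same point: only the destination port identifies IKE traffic, and a NAT device doing port translation on the path rewrites the source port. The script below is an added example of mine (not from either thread or from Cisco). It decodes the 28-byte ISAKMP header, separates plain IKE on UDP 500 from IKE and ESP on UDP 4500 using the four-zero-byte non-ESP marker (RFC 3947/3948), recognises the one-byte NAT-T keepalive, and runs a toy PAT table to show how a peer that sends from port 4500 arrives with a translated source port while classification is unaffected. The header values, the 161.x/77.x-style addresses and the PAT port range are constructed; my reading of the thread is that the corporate NAT described by Phil is the usual cause of such ports, which the thread itself does not confirm.

```python
import struct
from dataclasses import dataclass
from typing import Optional

IKE_PORT = 500           # plain ISAKMP/IKE
NAT_T_PORT = 4500        # IKE and ESP encapsulated in UDP (NAT traversal)
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefixes IKE on UDP 4500; an ESP SPI is never zero
NAT_KEEPALIVE = b"\xff"                # one-octet NAT-T keepalive (RFC 3948)
# Initiator SPI, responder SPI, next payload, version, exchange type, flags, message id, length
ISAKMP_HDR = struct.Struct("!QQBBBBII")


def build_isakmp_header(initiator_spi, responder_spi=0, exchange_type=2, version=0x10,
                        next_payload=1, flags=0, message_id=0, body=b""):
    """Build a generic ISAKMP header (defaults: IKEv1 main mode, SA payload first) plus body."""
    return ISAKMP_HDR.pack(initiator_spi, responder_spi, next_payload, version, exchange_type,
                           flags, message_id, ISAKMP_HDR.size + len(body)) + body


def parse_isakmp_header(data):
    """Decode the header; None if the data is too short or the length field is inconsistent."""
    if len(data) < ISAKMP_HDR.size:
        return None
    ispi, rspi, npl, ver, exch, flags, msgid, length = ISAKMP_HDR.unpack_from(data)
    if length < ISAKMP_HDR.size or length > len(data):
        return None
    return {"initiator_spi": ispi, "responder_spi": rspi, "next_payload": npl,
            "version": ver >> 4, "exchange_type": exch, "flags": flags,
            "message_id": msgid, "length": length}


@dataclass
class Classification:
    kind: str               # ike, ike-nat-t, esp-udp, nat-keepalive, malformed or not-ike
    header: Optional[dict]
    note: str


def classify_udp(src_port, dst_port, payload):
    """Classify a UDP datagram by destination port and payload only, never by source port."""
    if dst_port == IKE_PORT:
        hdr = parse_isakmp_header(payload)
        if hdr is None:
            return Classification("malformed", None, "dst 500 without a valid ISAKMP header")
        return Classification("ike", hdr, f"IKEv{hdr['version']} from source port {src_port}")
    if dst_port == NAT_T_PORT:
        if payload == NAT_KEEPALIVE:
            return Classification("nat-keepalive", None, "NAT-T keepalive")
        if payload.startswith(NON_ESP_MARKER):
            hdr = parse_isakmp_header(payload[len(NON_ESP_MARKER):])
            if hdr is None:
                return Classification("malformed", None, "non-ESP marker without a valid header")
            return Classification("ike-nat-t", hdr,
                                  f"IKEv{hdr['version']} over NAT-T from source port {src_port}")
        return Classification("esp-udp", None, "UDP-encapsulated ESP, SPI " + payload[:4].hex())
    return Classification("not-ike", None, f"destination port {dst_port} is neither 500 nor 4500")


class PatTable:
    """Toy port address translation: outbound flows get the shared public address and a
    port allocated from a constructed range, which is what a PAT firewall does to the
    source port a peer chose."""

    def __init__(self, public_ip, first_port=10000):
        self.public_ip, self.next_port, self.table = public_ip, first_port, {}

    def translate(self, src_ip, src_port, dst_ip, dst_port):
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return self.public_ip, self.table[key], dst_ip, dst_port


if __name__ == "__main__":
    hdr = build_isakmp_header(0x1122334455667788)           # constructed SPI
    pat = PatTable("203.0.113.1")                            # constructed public address
    pub_ip, pub_port, dip, dport = pat.translate("10.2.0.92", 4500, "203.0.113.9", 4500)
    print(pub_ip, pub_port, classify_udp(pub_port, dport, NON_ESP_MARKER + hdr))
```

An ACL that has to pass NAT-T should therefore match on destination port 4500 and leave the source port unconstrained (the ASA config earlier on this page does that with `port-object eq 4500` and `port-object eq isakmp`); a rule pinned to source port 4500 or 500 drops exactly the translated peers shown in Phil's `sh crypto isa pee` output.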
Port Forwarding for RDP 3389 is not working
Hi,
I am having trouble getting RDP (port 3389) to forward to my server (10.20.30.20). I have made sure it is not an issue with the server's firewall; it's just the Cisco. I highlighted in red what I thought I needed in my config to get this to work. I have removed the last 2 octets of the public IP info for security. Here is the configuration below:
TAMSATR1#show run
Building configuration...
Current configuration : 11082 bytes
version 15.2
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
hostname TAMSATR1
boot-start-marker
boot system flash:/c880data-universalk9-mz.152-1.T.bin
boot-end-marker
logging count
logging buffered 16384
enable secret
aaa new-model
aaa authentication login default local
aaa authentication login ipsec-vpn local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization console
aaa authorization exec default local
aaa authorization network groupauthor local
aaa session-id common
memory-size iomem 10
clock timezone CST -6 0
clock summer-time CDT recurring
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-1879941380
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1879941380
revocation-check none
rsakeypair TP-self-signed-1879941380
crypto pki certificate chain TP-self-signed-1879941380
certificate self-signed 01
3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31383739 39343133 3830301E 170D3131 30393136 31393035
32305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 38373939
34313338 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100BD7E 754A0A89 33AFD729 7035E8E1 C29A6806 04A31923 5AE2D53E 9181F76C
ED17D130 FC9B5767 6FD1F58B 87B3A96D FA74E919 8A87376A FF38A712 BD88DB31
88042B9C CCA8F3A6 39DC2448 CD749FC7 08805AF6 D3CDFFCB 1FE8B9A5 5466B2A4
E5DFA69E 636B83E4 3A2C02F9 D806A277 E6379EB8 76186B69 EA94D657 70E25B03
542D0203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603
ip dhcp excluded-address 10.20.30.1 10.20.30.99
ip dhcp excluded-address 10.20.30.201 10.20.30.254
ip dhcp excluded-address 10.20.30.250
ip dhcp pool tamDHCPpool
import all
network 10.20.30.0 255.255.255.0
default-router 10.20.30.1
domain-name domain.com
dns-server 10.20.30.20 8.8.8.8
ip domain name domain.com
ip name-server 10.20.30.20
ip cef
no ipv6 cef
license udi pid CISCO881W-GN-A-K9 sn
crypto vpn anyconnect flash:/webvpn/anyconnect-dart-win-2.5.3054-k9.pkg sequence 1
ip tftp source-interface Vlan1
class-map type inspect match-all CCP_SSLVPN
match access-group name CCP_IP
policy-map type inspect ccp-sslvpn-pol
class type inspect CCP_SSLVPN
pass
zone security sslvpn-zone
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp policy 20
encr aes 192
authentication pre-share
group 2
crypto isakmp key password
crypto isakmp client configuration group ipsec-ra
key password
dns 10.20.30.20
domain tamgmt.com
pool sat-ipsec-vpn-pool
netmask 255.255.255.0
crypto ipsec transform-set ipsec-ra esp-aes esp-sha-hmac
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
crypto ipsec profile VTI
set security-association replay window-size 512
set transform-set TSET
crypto dynamic-map dynmap 10
set transform-set ipsec-ra
reverse-route
crypto map clientmap client authentication list ipsec-vpn
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface Loopback0
ip address 10.20.250.1 255.255.255.252
ip nat inside
ip virtual-reassembly in
interface Tunnel0
description To AUS
ip address 192.168.10.1 255.255.255.252
load-interval 30
tunnel source
tunnel mode ipsec ipv4
tunnel destination
tunnel protection ipsec profile VTI
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface FastEthernet4
ip address 1.2.3.4
ip access-group INTERNET_IN in
ip access-group INTERNET_OUT out
ip nat outside
ip virtual-reassembly in
no ip route-cache cef
ip route-cache policy
ip policy route-map IPSEC-RA-ROUTE-MAP
duplex auto
speed auto
crypto map clientmap
interface Virtual-Template1
ip unnumbered Vlan1
zone-member security sslvpn-zone
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.20.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
ip local pool sat-ipsec-vpn-pool 10.20.30.209 10.20.30.239
ip default-gateway 71.41.20.129
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source list ACL-POLICY-NAT interface FastEthernet4 overload
ip nat inside source static tcp 10.20.30.20 3389 interface FastEthernet4 3389
ip nat inside source static 10.20.30.20 (public ip)
ip route 0.0.0.0 0.0.0.0 public ip
ip route 10.20.40.0 255.255.255.0 192.168.10.2 name AUS_LAN
ip access-list extended ACL-POLICY-NAT
deny ip 10.0.0.0 0.255.255.255 10.20.30.208 0.0.0.15
deny ip 172.16.0.0 0.15.255.255 10.20.30.208 0.0.0.15
deny ip 192.168.0.0 0.0.255.255 10.20.30.208 0.0.0.15
permit ip 10.20.30.0 0.0.0.255 any
permit ip 10.20.31.208 0.0.0.15 any
ip access-list extended CCP_IP
remark CCP_ACL Category=128
permit ip any any
ip access-list extended INTERNET_IN
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any time-exceeded
permit esp host 24.153. host 66.196
permit udp host 24.153 host 71.41.eq isakmp
permit tcp host 70.123. host 71.41 eq 22
permit tcp host 72.177. host 71.41 eq 22
permit tcp host 70.123. host 71.41. eq 22
permit tcp any host 71..134 eq 443
permit tcp host 70.123. host 71.41 eq 443
permit tcp host 72.177. host 71.41. eq 443
permit udp host 198.82. host 71.41 eq ntp
permit udp any host 71.41. eq isakmp
permit udp any host 71.41eq non500-isakmp
permit tcp host 192.223. host 71.41. eq 4022
permit tcp host 155.199. host 71.41 eq 4022
permit tcp host 155.199. host 71.41. eq 4022
permit udp host 192.223. host 71.41. eq 4022
permit udp host 155.199. host 71.41. eq 4022
permit udp host 155.199. host 71.41. eq 4022
permit tcp any host 10.20.30.20 eq 3389
evaluate INTERNET_REFLECTED
deny ip any any
ip access-list extended INTERNET_OUT
permit ip any any reflect INTERNET_REFLECTED timeout 300
ip access-list extended IPSEC-RA-ROUTE-MAP
deny ip 10.20.30.208 0.0.0.15 10.0.0.0 0.255.255.255
deny ip 10.20.30.224 0.0.0.15 10.0.0.0 0.255.255.255
deny ip 10.20.30.208 0.0.0.15 172.16.0.0 0.15.255.255
deny ip 10.20.30.224 0.0.0.15 172.16.0.0 0.15.255.255
deny ip 10.20.30.208 0.0.0.15 192.168.0.0 0.0.255.255
deny ip 10.20.30.224 0.0.0.15 192.168.0.0 0.0.255.255
permit ip 10.20.30.208 0.0.0.15 any
deny ip any any
access-list 23 permit 70.123.
access-list 23 permit 10.20.30.0 0.0.0.255
access-list 24 permit 72.177.
no cdp run
route-map IPSEC-RA-ROUTE-MAP permit 10
match ip address IPSEC-RA-ROUTE-MAP
set ip next-hop 10.20.250.2
banner motd ^C
UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
You must have explicit permission to access or configure this device. All activities performed on this device are logged and violations of this policy may result in disciplinary and/or legal action.
^C
line con 0
logging synchronous
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0
access-class 23 in
privilege level 15
logging synchronous
transport input telnet ssh
line vty 1 4
access-class 23 in
exec-timeout 5 0
privilege level 15
logging synchronous
transport input telnet ssh
scheduler max-task-time 5000
ntp server 198.82.1.201
webvpn gateway gateway_1
ip address 71.41. port 443
http-redirect port 80
ssl encryption rc4-md5
ssl trustpoint TP-self-signed-1879941380
inservice
webvpn context TAM-SSL-VPN
title "title"
logo file titleist_logo.jpg
secondary-color white
title-color #CCCC66
text-color black
login-message "RESTRICTED ACCESS"
policy group policy_1
functions svc-enabled
svc address-pool "sat-ipsec-vpn-pool"
svc default-domain "domain.com"
svc keep-client-installed
svc split dns "domain.com"
svc split include 10.0.0.0 255.0.0.0
svc split include 192.168.0.0 255.255.0.0
svc split include 172.16.0.0 255.240.0.0
svc dns-server primary 10.20.30.20
svc dns-server secondary 66.196.216.10
default-group-policy policy_1
aaa authentication list ciscocp_vpn_xauth_ml_1
gateway gateway_1
ssl authenticate verify all
inservice
end
Hi,
I didn't see anything marked with red in the above? (At least when I was reading)
I have not really had to deal with routers at all since we do all access control and NAT with firewalls.
But to me it seems you have allowed the traffic to the actual IP address of the internal server rather than the public IP NAT IP address which in this case seems to be configured to use your FastEthernet4 interfaces public IP address.
There also seems to be a Static NAT configured for the same internal host so I am wondering why the Static PAT (Port Forward) is used?
- Jouni -
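The two things the reply above points at (an inbound ACL on the NAT-outside interface that permits traffic to the server's inside-local address, and one inside host covered by both a static PAT and a full static NAT) are easy to lint for. The following is an added example, not code from the thread: it parses an indented IOS running-config and reports both patterns. SAMPLE_CONFIG is constructed; the NAT and ACL lines for 10.20.30.20 are the ones quoted in the question, while the public address 203.0.113.5, the 203.0.113.6 static mapping and the trimmed ACL are placeholders. It assumes standard running-config indentation (one leading space for lines inside an interface or ACL block), which the extracted config above has lost.

```python
"""Lint an IOS config for inbound ACL entries that name inside-local (pre-NAT)
addresses, and for inside hosts with overlapping static translations.

Added example (not from the thread). SAMPLE_CONFIG is constructed: the
10.20.30.20 NAT/ACL lines come from the question, 203.0.113.x are placeholders.
"""
import re
from ipaddress import ip_address, ip_network

SAMPLE_CONFIG = """\
interface FastEthernet4
 ip address 203.0.113.5 255.255.255.248
 ip access-group INTERNET_IN in
 ip nat outside
interface Vlan1
 ip address 10.20.30.1 255.255.255.0
 ip nat inside
ip nat inside source list ACL-POLICY-NAT interface FastEthernet4 overload
ip nat inside source static tcp 10.20.30.20 3389 interface FastEthernet4 3389
ip nat inside source static 10.20.30.20 203.0.113.6
ip access-list extended INTERNET_IN
 permit udp any host 203.0.113.5 eq isakmp
 permit tcp any host 10.20.30.20 eq 3389
 deny ip any any
"""

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

IFACE_RE = re.compile(r"^interface (\S+)$")
ACL_NAME_RE = re.compile(r"^ip access-list extended (\S+)$")
STATIC_PAT_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (?:interface )?(\S+) (\d+)$")
STATIC_NAT_RE = re.compile(r"^ip nat inside source static (\S+) (\S+)$")
NAT_ROLE_RE = re.compile(r"^ ip nat (inside|outside)$")
ACL_GROUP_RE = re.compile(r"^ ip access-group (\S+) (in|out)$")
ACE_RE = re.compile(r"^ (permit|deny) (\S+) (any|host \S+|\S+ \S+) (any|host (\S+)|\S+ \S+)(?: eq (\S+))?")


def is_rfc1918(addr):
    try:
        ip = ip_address(addr)
    except ValueError:          # names or keywords are not addresses
        return False
    return any(ip in net for net in RFC1918)


def parse_config(config_text):
    """Return (interfaces, inside_locals, acls) from an indented IOS running-config."""
    interfaces, inside_locals, acls = {}, {}, {}
    cur_if = cur_acl = None
    for line in config_text.splitlines():
        line = line.rstrip()
        if not line.startswith(" "):                      # top-level: new block or global command
            cur_if = cur_acl = None
            if (m := IFACE_RE.match(line)):
                cur_if = interfaces.setdefault(m.group(1), {"nat": None, "acl_in": None})
            elif (m := ACL_NAME_RE.match(line)):
                cur_acl = acls.setdefault(m.group(1), [])
            elif (m := STATIC_PAT_RE.match(line)):
                inside_locals.setdefault(m.group(2), []).append(f"static PAT {m.group(1)}/{m.group(3)}")
            elif (m := STATIC_NAT_RE.match(line)):
                inside_locals.setdefault(m.group(1), []).append("static NAT")
            continue
        if cur_if is not None:
            if (m := NAT_ROLE_RE.match(line)):
                cur_if["nat"] = m.group(1)
            elif (m := ACL_GROUP_RE.match(line)) and m.group(2) == "in":
                cur_if["acl_in"] = m.group(1)
        elif cur_acl is not None and (m := ACE_RE.match(line)):
            # (action, protocol, destination host or None, port keyword or None)
            cur_acl.append((m.group(1), m.group(2), m.group(5), m.group(6)))
    return interfaces, inside_locals, acls


def lint_pre_nat_acl(config_text):
    """Return a list of finding strings; an empty list means nothing suspicious."""
    interfaces, inside_locals, acls = parse_config(config_text)
    findings = []
    for addr, kinds in inside_locals.items():
        if len(kinds) > 1:
            findings.append(f"{addr}: overlapping translations ({', '.join(kinds)})")
    for if_name, info in interfaces.items():
        if info["nat"] != "outside" or not info["acl_in"]:
            continue
        for action, proto, dst, port in acls.get(info["acl_in"], []):
            if action != "permit" or dst is None:
                continue
            if dst in inside_locals or is_rfc1918(dst):
                svc = f" eq {port}" if port else ""
                findings.append(
                    f"{info['acl_in']} on {if_name}: permit {proto} to {dst}{svc} names an inside-local "
                    f"address; the inbound ACL is evaluated before NAT rewrites the destination, "
                    f"so match the global (public) address instead")
    return findings


if __name__ == "__main__":
    for finding in lint_pre_nat_acl(SAMPLE_CONFIG):
        print(finding)
```

On the sample it reports the overlapping static PAT and static NAT for 10.20.30.20 and the INTERNET_IN entry that permits TCP/3389 to 10.20.30.20 instead of to the interface address the port-forward actually presents.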
DMVPN-Why received packet doesn't use UDP port 4500 but 500?
Hello everyone
I got a problem with my DMVPN. Spoke is behind a NAT device. x.x.x.x is a public IP address which hub uses. I don't know why it discovered that the hub is also inside a NAT device. And after it sends a packet using port 4500, the received packet from hub was not using port 4500 but 500. I'm confused now. Any advice would be much appreciated.
*Sep 10 08:56:02 UTC: ISAKMP:(0): beginning Main Mode exchange
*Sep 10 08:56:02 UTC: ISAKMP:(0): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 10 08:56:02 UTC: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 10 08:56:02 UTC: ISAKMP (0): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_NO_STATE
*Sep 10 08:56:02 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Sep 10 08:56:02 UTC: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Sep 10 08:56:02 UTC: ISAKMP:(0): processing SA payload. message ID = 0
*Sep 10 08:56:02 UTC: ISAKMP:(0): processing vendor id payload
*Sep 10 08:56:02 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Sep 10 08:56:02 UTC: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Sep 10 08:56:02 UTC: ISAKMP:(0):found peer pre-shared key matching
*Sep 10 08:56:02 UTC: ISAKMP:(0): local preshared key found
*Sep 10 08:56:02 UTC: ISAKMP : Scanning profiles for xauth ...
*Sep 10 08:56:02 UTC: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Sep 10 08:56:02 UTC: ISAKMP: encryption 3DES-CBC
*Sep 10 08:56:02 UTC: ISAKMP: hash MD5
*Sep 10 08:56:02 UTC: ISAKMP: default group 1
*Sep 10 08:56:02 UTC: ISAKMP: auth pre-share
*Sep 10 08:56:02 UTC: ISAKMP: life type in seconds
*Sep 10 08:56:02 UTC: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Sep 10 08:56:02 UTC: ISAKMP:(0):atts are acceptable. Next payload is 0
*Sep 10 08:56:02 UTC: ISAKMP:(0):Acceptable atts:actual life: 0
*Sep 10 08:56:02 UTC: ISAKMP:(0):Acceptable atts:life: 0
*Sep 10 08:56:02 UTC: ISAKMP:(0):Fill atts in sa vpi_length:4
*Sep 10 08:56:02 UTC: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Sep 10 08:56:02 UTC: ISAKMP:(0):Returning Actual lifetime: 86400
*Sep 10 08:56:02 UTC: ISAKMP:(0)::Started lifetime timer: 86400.
*Sep 10 08:56:02 UTC: ISAKMP:(0): processing vendor id payload
*Sep 10 08:56:02 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Sep 10 08:56:02 UTC: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Sep 10 08:56:02 UTC: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep 10 08:56:02 UTC: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Sep 10 08:56:02 UTC: ISAKMP:(0): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_SA_SETUP
*Sep 10 08:56:02 UTC: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 10 08:56:02 UTC: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Sep 10 08:56:02 UTC: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Sep 10 08:56:02 UTC: ISAKMP (0): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_SA_SETUP
*Sep 10 08:56:02 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Sep 10 08:56:02 UTC: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Sep 10 08:56:02 UTC: ISAKMP:(0): processing KE payload. message ID = 0
*Sep 10 08:56:02 UTC: ISAKMP:(0): processing NONCE payload. message ID = 0
*Sep 10 08:56:02 UTC: ISAKMP:(0):found peer pre-shared key matching x.x.x.x
*Sep 10 08:56:02 UTC: ISAKMP:(2746): processing vendor id payload
*Sep 10 08:56:02 UTC: ISAKMP:(2746): vendor ID is Unity
*Sep 10 08:56:02 UTC: ISAKMP:(2746): processing vendor id payload
*Sep 10 08:56:02 UTC: ISAKMP:(2746): vendor ID is DPD
*Sep 10 08:56:02 UTC: ISAKMP:(2746): processing vendor id payload
*Sep 10 08:56:02 UTC: ISAKMP:(2746): speaking to another IOS box!
*Sep 10 08:56:02 UTC: ISAKMP:received payload type 20
*Sep 10 08:56:02 UTC: ISAKMP (2746): NAT found, both nodes inside NAT
*Sep 10 08:56:02 UTC: ISAKMP:received payload type 20
*Sep 10 08:56:02 UTC: ISAKMP (2746): My hash no match - this node inside NAT
*Sep 10 08:56:02 UTC: ISAKMP:(2746):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep 10 08:56:02 UTC: ISAKMP:(2746):Old State = IKE_I_MM4 New State = IKE_I_MM4
*Sep 10 08:56:02 UTC: ISAKMP:(2746):Send initial contact
*Sep 10 08:56:02 UTC: ISAKMP:(2746):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Sep 10 08:56:02 UTC: ISAKMP (2746): ID payload
next-payload : 8
type : 1
address : 192.168.1.101
protocol : 17
port : 0
length : 12
*Sep 10 08:56:02 UTC: ISAKMP:(2746):Total payload length: 12
*Sep 10 08:56:02 UTC: ISAKMP:(2746): sending packet to x.x.x.x my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Sep 10 08:56:02 UTC: ISAKMP:(2746):Sending an IKE IPv4 Packet.
*Sep 10 08:56:02 UTC: ISAKMP:(2746):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Sep 10 08:56:02 UTC: ISAKMP:(2746):Old State = IKE_I_MM4 New State = IKE_I_MM5
*Sep 10 08:56:03 UTC: ISAKMP (2746): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_KEY_EXCH
*Sep 10 08:56:03 UTC: ISAKMP:(2746): phase 1 packet is a duplicate of a previous packet.
*Sep 10 08:56:03 UTC: ISAKMP:(2746): retransmitting due to retransmit phase 1
*Sep 10 08:56:04 UTC: ISAKMP:(2746): retransmitting phase 1 MM_KEY_EXCH...
*Sep 10 08:56:04 UTC: ISAKMP (2746): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Sep 10 08:56:04 UTC: ISAKMP:(2746): retransmitting phase 1 MM_KEY_EXCH
*Sep 10 08:56:04 UTC: ISAKMP:(2746): sending packet to x.x.x.x my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Sep 10 08:56:04 UTC: ISAKMP:(2746):Sending an IKE IPv4 Packet.
This could be because the port 4500 packet that is being sent is not being received by the peer side or it is ignoring that packet.
Since the port 500 packet that you are receiving is a duplicate of the previous packet it is definitely not a reply packet for the port 4500 packet.
If you can get the debugs from the other end, then you could see if the peer side is receiving the udp port 4500 packets.
If not that then this could be a UDP port 4500 block with the ISP. -
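The reasoning in the reply (the port 500 packet was a duplicate, so it cannot be the answer to the port 4500 packet) can be checked mechanically over a debug capture. The following is an added example, not code from the thread: it walks `debug crypto isakmp` output, notes when this side moved its IKE port to UDP/4500 after the NAT-D check, and then counts what arrived on 4500 versus on 500 afterwards. SAMPLE_STALLED is constructed to mirror the lines quoted in the question (x.x.x.x stands for the hub, as there); SAMPLE_HEALTHY is a constructed contrast in which the peer does answer on 4500.

```python
"""Summarise the UDP/500 -> UDP/4500 switch in Cisco IOS 'debug crypto isakmp'
output and say whether anything from the peer ever arrived on 4500.

Added example (not from the thread). Both samples below are constructed.
"""
import re

SEND_RE = re.compile(r"sending packet to (\S+) my_port (\d+) peer_port (\d+) \([IR]\) (\w+)")
RECV_RE = re.compile(r"received packet from (\S+) dport (\d+) sport (\d+) Global \([IR]\) (\w+)")
ATTEMPT_RE = re.compile(r"incrementing error counter on sa, attempt (\d+) of (\d+)")

SAMPLE_STALLED = """\
*Sep 10 08:56:02 UTC: ISAKMP:(0): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 10 08:56:02 UTC: ISAKMP (0): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_NO_STATE
*Sep 10 08:56:02 UTC: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Sep 10 08:56:02 UTC: ISAKMP:(0): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_SA_SETUP
*Sep 10 08:56:02 UTC: ISAKMP (0): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_SA_SETUP
*Sep 10 08:56:02 UTC: ISAKMP (2746): NAT found, both nodes inside NAT
*Sep 10 08:56:02 UTC: ISAKMP:(2746): sending packet to x.x.x.x my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Sep 10 08:56:03 UTC: ISAKMP (2746): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_KEY_EXCH
*Sep 10 08:56:03 UTC: ISAKMP:(2746): phase 1 packet is a duplicate of a previous packet.
*Sep 10 08:56:04 UTC: ISAKMP (2746): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Sep 10 08:56:04 UTC: ISAKMP:(2746): sending packet to x.x.x.x my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
"""

SAMPLE_HEALTHY = """\
*Sep 10 09:00:00 UTC: ISAKMP (2747): NAT found, both nodes inside NAT
*Sep 10 09:00:00 UTC: ISAKMP:(2747): sending packet to x.x.x.x my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Sep 10 09:00:00 UTC: ISAKMP (2747): received packet from x.x.x.x dport 4500 sport 4500 Global (I) MM_KEY_EXCH
*Sep 10 09:00:00 UTC: ISAKMP:(2747): sending packet to x.x.x.x my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
"""


def analyze_nat_t(debug_text):
    """Return a dict describing what happened around the switch to UDP/4500."""
    r = {"nat_detected": False, "switched_to_4500": False, "recv_on_4500_after_switch": 0,
         "recv_on_500_after_switch": 0, "duplicates": 0, "retransmit_attempts": 0,
         "last_state": None, "verdict": "NO_NAT"}
    switched = False
    for line in debug_text.splitlines():
        if "NAT found" in line or "inside NAT" in line:     # NAT-D payload result
            r["nat_detected"] = True
            continue
        m = SEND_RE.search(line)
        if m:
            if m.group(2) == "4500":        # my_port moved to 4500: NAT-T from here on
                switched = True
                r["switched_to_4500"] = True
            r["last_state"] = m.group(4)
            continue
        m = RECV_RE.search(line)
        if m:
            if switched:                    # dport is the local port the packet arrived on
                key = "recv_on_4500_after_switch" if m.group(2) == "4500" else "recv_on_500_after_switch"
                r[key] += 1
            continue
        if "is a duplicate of a previous packet" in line:
            r["duplicates"] += 1
            continue
        m = ATTEMPT_RE.search(line)
        if m:
            r["retransmit_attempts"] = int(m.group(1))
    if r["switched_to_4500"]:
        # Nothing received on 4500 after the switch means the peer's NAT-T packets
        # never reached us, or ours never reached the peer; 500 traffic is stale.
        r["verdict"] = "OK" if r["recv_on_4500_after_switch"] else "NO_REPLY_ON_4500"
    elif r["nat_detected"]:
        r["verdict"] = "NAT_BUT_NO_SWITCH"
    return r


if __name__ == "__main__":
    for name, sample in (("stalled", SAMPLE_STALLED), ("healthy", SAMPLE_HEALTHY)):
        print(name, analyze_nat_t(sample))
```

A NO_REPLY_ON_4500 verdict on both ends' debugs (each side sending on 4500, neither receiving on it) is the case where the reply suggests looking at the path for UDP/4500; a peer that does receive on 4500 but never answers points at the peer itself.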
Why won't my DMVPN get past ISAKMP phase 1?
I'm trying to set up a DMVPN solution with the hub behind a firewall using a static 1-to-1 NAT.
I can get the DMVPN to work fine, but once I add the IPsec policy it doesn't go past ISAKMP phase 1.
I have put rules in the firewall to allow NAT-T, GRE tunnels, ESP and AH; I have also put in an allow any any rule just in case I missed something! I was getting a NAT-T issue but then put in the command no crypto ipsec nat-transparency udp-encapsulation and this solved the issue and ISAKMP phase 1 completed. I have also tried changing the mode from tunnel to transport and back again.
I have tried crypto maps as I wasn't sure if it was a UDP header issue due to the NATing.
My setup is as follows:
Cisco 1941--------JUNIPER SXR-------CLOUD--------Cisco 382
(HUB) (FIREWALL) (SW 3750) (SPOKE)
(STATIC 1 2 1 NAT)
--------------HUB--------------------------
Cisco 1941 - HUB
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.2(4)M2, RELEASE SOFTWARE (fc2)
version 15.2
crypto isakmp policy 1
authentication pre-share
crypto isakmp key TTCP_KEY address 0.0.0.0
crypto isakmp keepalive 10 3
crypto isakmp nat keepalive 200
crypto ipsec transform-set TTCP_SET esp-aes esp-sha-hmac
mode transport
no crypto ipsec nat-transparency udp-encapsulation
crypto ipsec profile TTCP_PRO
set transform-set TTCP_SET
interface Tunnel12345
description DMVPN TUNNEL
ip address 10.10.10.1 255.255.255.0
no ip redirects
ip nhrp map multicast dynamic
ip nhrp network-id 12345
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel protection ipsec profile TTCP_PRO
interface GigabitEthernet0/0
description LINK TO FW ON VLAN 1960
ip address 192.168.10.1 255.255.255.0
duplex auto
speed auto
interface GigabitEthernet0/1
ip address 192.168.20.254 255.255.255.0
duplex auto
speed auto
router ospf 1
network 10.10.10.0 0.0.0.255 area 0
ip route 0.0.0.0 0.0.0.0 192.168.10.254
----------------------Spoke--------------------------
cisco 3825 - Spoke
Cisco IOS Software, 3800 Software (C3825-ADVENTERPRISEK9-M), Version 15.1(4)M5, RELEASE SOFTWARE (fc1)
version 15.1
crypto isakmp policy 1
authentication pre-share
crypto isakmp key TTCP_KEY address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 3
crypto isakmp nat keepalive 200
crypto ipsec transform-set TTCP_SET esp-aes esp-sha-hmac
mode transport
no crypto ipsec nat-transparency udp-encapsulation
crypto ipsec profile TTCP_PRO
set transform-set TTCP_SET
interface Tunnel12345
description DMVPN TUNNEL
ip address 10.10.10.2 255.255.255.0
no ip redirects
ip nhrp map 10.10.10.1 1.1.1.1
ip nhrp map multicast 1.1.1.1
ip nhrp network-id 12345
ip nhrp nhs 10.10.10.1
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel protection ipsec profile TTCP_PRO
interface GigabitEthernet0/0
description LINK TO INTERNET
ip address 2.2.2.2 255.255.255.0
duplex auto
speed auto
media-type rj45
interface GigabitEthernet0/1
ip address 192.168.30.1 255.255.255.0
duplex auto
speed auto
media-type rj45
router ospf 1
network 10.10.10.0 0.0.0.255 area 0
ip route 0.0.0.0 0.0.0.0 2.2.2.3
------------------------FIREWALL---------------------------
[edit]
Admin@UK_FIREWALL# show
## Last changed: 2014-07-23 19:54:53 UTC
version 10.4R6.5;
system {
host-name FIREWALL;
services {
ssh;
telnet;
xnm-clear-text;
web-management {
http {
interface vlan.0;
https {
system-generated-certificate;
interface vlan.0;
dhcp {
router {
192.168.20.254;
pool 192.168.20.0/24 {
address-range low 192.168.20.20 high 192.168.20.250;
default-lease-time 3600;
propagate-settings vlan.1960;
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 1.1.1.1/24;
ge-0/0/7 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan1960;
vlan {
unit 0 {
family inet {
address 192.168.1.1/24;
unit 1960 {
family inet {
address 192.168.10.254/24;
routing-options {
static {
route 0.0.0.0/0 next-hop 1.1.1.2;
protocols {
stp;
security {
nat {
static {
rule-set STATIC_NAT_RS1 {
from zone untrust;
rule NAT_RULE {
match {
destination-address 1.1.1.1/32;
then {
static-nat prefix 192.168.10.10/32;
screen {
ids-option untrust-screen {
icmp {
ping-death;
ip {
source-route-option;
tear-drop;
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
land;
zones {
security-zone trust {
address-book {
address SERVER-1 192.168.10.10/32;
host-inbound-traffic {
system-services {
all;
protocols {
all;
interfaces {
vlan.1960 {
host-inbound-traffic {
system-services {
dhcp;
all;
ike;
protocols {
all;
ge-0/0/7.0 {
host-inbound-traffic {
system-services {
all;
ike;
protocols {
all;
security-zone untrust {
screen untrust-screen;
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
all;
ike;
protocols {
all;
policies {
from-zone trust to-zone untrust {
policy PERMIT_ALL {
match {
source-address SERVER-1;
destination-address any;
application any;
then {
permit;
policy ALLOW_ESP {
match {
source-address any;
destination-address any;
application ESP;
then {
permit;
policy ALLOW_IKE_500 {
match {
source-address any;
destination-address any;
application junos-ike;
then {
permit;
policy ALLOW_PING {
match {
source-address any;
destination-address any;
application junos-icmp-ping;
then {
permit;
policy ALLOW_NAT-T {
match {
source-address any;
destination-address any;
application junos-ike-nat;
then {
permit;
policy ALLOW_GRE {
match {
source-address any;
destination-address any;
application junos-gre;
then {
permit;
policy AH_51 {
match {
source-address any;
destination-address any;
application AH_PO_51;
then {
permit;
policy ANY_ANY {
match {
source-address any;
destination-address any;
application any;
then {
permit;
from-zone untrust to-zone trust {
policy ACCESS {
match {
source-address any;
destination-address SERVER-1;
application any;
then {
permit;
policy ALLOW_ESP {
match {
source-address any;
destination-address any;
application any;
then {
permit;
policy ALLOW_IKE_500 {
match {
source-address any;
destination-address any;
application junos-ike;
then {
permit;
policy ALLOW_PING {
match {
source-address any;
destination-address any;
application any;
then {
permit;
policy ALLOW_GRE {
match {
source-address any;
destination-address any;
application junos-gre;
then {
permit;
policy ALLOW_NAT-T {
match {
source-address any;
destination-address any;
application junos-ike-nat;
then {
permit;
policy AH_51 {
match {
source-address any;
destination-address any;
application AH_PO_51;
then {
permit;
policy ANY_ANY {
match {
source-address any;
destination-address any;
application any;
then {
permit;
applications {
application ESP protocol esp;
application AH_PO_51 protocol ah;
vlans {
vlan-trust {
vlan-id 3;
vlan1960 {
vlan-id 1960;
interface {
ge-0/0/7.0;
l3-interface vlan.1960;
------------------------------DEBUG------------------------------
-----------Cisco 1941-----------------
HUB#sh cry is sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.168.10.1 2.2.2.2 QM_IDLE 1006 ACTIVE
IPv6 Crypto ISAKMP SA
UK_HUB#sh dm
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
UK_HUB# debug dm al al
*Jul 25 12:22:39.036: NHRP RIB_RWATCH: Debugging is OFF
*Jul 25 12:22:39.036: NHRP RIB_RWATCH: Debugging is ON
*Jul 25 12:22:58.976: ISAKMP:(1006):purging node 1130853900
*Jul 25 12:23:14.704: ISAKMP (1006): received packet from 2.2.2.2 dport 500 sport 500 Global (R) QM_IDLE
*Jul 25 12:23:14.708: ISAKMP: set new node 670880728 to QM_IDLE
*Jul 25 12:23:14.708: ISAKMP:(1006): processing HASH payload. message ID = 670880728
*Jul 25 12:23:14.708: ISAKMP:(1006): processing SA payload. message ID = 670880728
*Jul 25 12:23:14.708: ISAKMP:(1006):Checking IPSec proposal 1
*Jul 25 12:23:14.708: ISAKMP: transform 1, ESP_AES
*Jul 25 12:23:14.708: ISAKMP: attributes in transform:
*Jul 25 12:23:14.708: ISAKMP: encaps is 2 (Transport)
*Jul 25 12:23:14.708: ISAKMP: SA life type in seconds
*Jul 25 12:23:14.708: ISAKMP: SA life duration (basic) of 3600
*Jul 25 12:23:14.708: ISAKMP: SA life type in kilobytes
*Jul 25 12:23:14.708: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Jul 25 12:23:14.708: ISAKMP: authenticator is HMAC-SHA
*Jul 25 12:23:14.708: ISAKMP: key length is 128
*Jul 25 12:23:14.708: ISAKMP:(1006):atts are acceptable.
*Jul 25 12:23:14.708: IPSEC(validate_proposal_request): proposal part #1
*Jul 25 12:23:14.708: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.10.1:0, remote= 2.2.2.2:0,
local_proxy= 1.1.1.1/255.255.255.255/47/0,
remote_proxy= 2.2.2.2/255.255.255.255/47/0,
protocol= ESP, transform= NONE (Transport),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jul 25 12:23:14.708: map_db_find_best did not find matching map
*Jul 25 12:23:14.708: IPSEC(ipsec_process_proposal): proxy identities not supported
*Jul 25 12:23:14.708: ISAKMP:(1006): IPSec policy invalidated proposal with error 32
*Jul 25 12:23:14.708: ISAKMP:(1006): phase 2 SA policy not acceptable! (local 192.168.10.1 remote 2.2.2.2)
*Jul 25 12:23:14.708: ISAKMP: set new node 2125889339 to QM_IDLE
*Jul 25 12:23:14.708: ISAKMP:(1006):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 838208952, message ID = 2125889339
*Jul 25 12:23:14.708: ISAKMP:(1006): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) QM_IDLE
*Jul 25 12:23:14.708: ISAKMP:(1006):Sending an IKE IPv4 Packet.
*Jul 25 12:23:14.708: ISAKMP:(1006):purging node 2125889339
*Jul 25 12:23:14.708: ISAKMP:(1006):deleting node 670880728 error TRUE reason "QM rejected"
*Jul 25 12:23:14.708: ISAKMP:(1006):Node 670880728, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jul 25 12:23:14.708: ISAKMP:(1006):Old State = IKE_QM_READY New State = IKE_QM_READY
*Jul 25 12:23:28.976: ISAKMP:(1006):purging node 720369228
*Jul 25 12:23:44.704: ISAKMP (1006): received packet from 2.2.2.2 dport 500 sport 500 Global (R) QM_IDLE
*Jul 25 12:23:44.704: ISAKMP: set new node -1528560613 to QM_IDLE
*Jul 25 12:23:44.704: ISAKMP:(1006): processing HASH payload. message ID = 2766406683
*Jul 25 12:23:44.704: ISAKMP:(1006): processing SA payload. message ID = 2766406683
*Jul 25 12:23:44.704: ISAKMP:(1006):Checking IPSec proposal 1
*Jul 25 12:23:44.704: ISAKMP: transform 1, ESP_AES
*Jul 25 12:23:44.704: ISAKMP: attributes in transform:
*Jul 25 12:23:44.704: ISAKMP: encaps is 2 (Transport)
*Jul 25 12:23:44.704: ISAKMP: SA life type in seconds
*Jul 25 12:23:44.704: ISAKMP: SA life duration (basic) of 3600
*Jul 25 12:23:44.704: ISAKMP: SA life type in kilobytes
*Jul 25 12:23:44.704: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Jul 25 12:23:44.708: ISAKMP: authenticator is HMAC-SHA
*Jul 25 12:23:44.708: ISAKMP: key length is 128
*Jul 25 12:23:44.708: ISAKMP:(1006):atts are acceptable.
*Jul 25 12:23:44.708: IPSEC(validate_proposal_request): proposal part #1
*Jul 25 12:23:44.708: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.10.1:0, remote= 2.2.2.2:0,
local_proxy= 1.1.1.1/255.255.255.255/47/0,
remote_proxy= 2.2.2.2/255.255.255.255/47/0,
protocol= ESP, transform= NONE (Transport),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jul 25 12:23:44.708: map_db_find_best did not find matching map
*Jul 25 12:23:44.708: IPSEC(ipsec_process_proposal): proxy identities not supported
*Jul 25 12:23:44.708: ISAKMP:(1006): IPSec policy invalidated proposal with error 32
*Jul 25 12:23:44.708: ISAKMP:(1006): phase 2 SA policy not acceptable! (local 192.168.10.1 remote 2.2.2.2)
*Jul 25 12:23:44.708: ISAKMP: set new node 1569673109 to QM_IDLE
*Jul 25 12:23:44.708: ISAKMP:(1006):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 838208952, message ID = 1569673109
*Jul 25 12:23:44.708: ISAKMP:(1006): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) QM_IDLE
*Jul 25 12:23:44.708: ISAKMP:(1006):Sending an IKE IPv4 Packet.
*Jul 25 12:23:44.708: ISAKMP:(1006):purging node 1569673109
*Jul 25 12:23:44.708: ISAKMP:(1006):deleting node -1528560613 error TRUE reason "QM rejected"
*Jul 25 12:23:44.708: ISAKMP:(1006):Node 2766406683, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jul 25 12:23:44.708: ISAKMP:(1006):Old State = IKE_QM_READY New State = IKE_QM_READY
---------Cisco 3825------------------
SPOKE_1#sh dm
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel12345, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
1 1.1.1.1 10.10.10.1 IPSEC 1d22h S
SPOKE_1#sh cry is sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
1.1.1.1 2.2.2.2 QM_IDLE 1006 ACTIVE
IPv6 Crypto ISAKMP SA
SPOKE_1#debug dm all all
*Jul 25 12:50:23.520: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 2.2.2.2:500, remote= 1.1.1.1:500,
local_proxy= 2.2.2.2/255.255.255.255/47/0 (type=1),
remote_proxy= 1.1.1.1/255.255.255.255/47/0 (type=1),
protocol= ESP, transform= esp-aes esp-sha-hmac (Transport),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jul 25 12:50:23.520: ISAKMP: set new node 0 to QM_IDLE
*Jul 25 12:50:23.520: SA has outstanding requests (local 112.176.96.152 port 500, remote 112.176.96.124 port 500)
*Jul 25 12:50:23.520: ISAKMP:(1006): sitting IDLE. Starting QM immediately (QM_IDLE )
*Jul 25 12:50:23.520: ISAKMP:(1006):beginning Quick Mode exchange, M-ID of 1627587566
*Jul 25 12:50:23.520: ISAKMP:(1006):QM Initiator gets spi
*Jul 25 12:50:23.520: ISAKMP:(1006): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) QM_IDLE
*Jul 25 12:50:23.520: ISAKMP:(1006):Sending an IKE IPv4 Packet.
*Jul 25 12:50:23.520: ISAKMP:(1006):Node 1627587566, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Jul 25 12:50:23.520: ISAKMP:(1006):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Jul 25 12:50:23.524: ISAKMP (1006): received packet from 1.1.1.1 dport 500 sport 500 Global (I) QM_IDLE
*Jul 25 12:50:23.524: ISAKMP: set new node -1682318828 to QM_IDLE
*Jul 25 12:50:23.524: ISAKMP:(1006): processing HASH payload. message ID = 2612648468
*Jul 25 12:50:23.524: ISAKMP:(1006): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 484617190, message ID = 2612648468, sa = 0x70B05F14
*Jul 25 12:50:23.524: ISAKMP:(1006): deleting spi 484617190 message ID = 1627587566
*Jul 25 12:50:23.524: ISAKMP:(1006):deleting node 1627587566 error TRUE reason "Delete Larval"
*Jul 25 12:50:23.524: ISAKMP:(1006):deleting node -1682318828 error FALSE reason "Informational (in) state 1"
*Jul 25 12:50:23.524: ISAKMP:(1006):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jul 25 12:50:23.524: ISAKMP:(1006):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 25 12:50:34.972: NHRP: Setting retrans delay to 64 for nhs dst 10.10.10.1
*Jul 25 12:50:34.972: IPSEC-IFC MGRE/Tu12345(2.2.2.2/1.1.1.1): connection lookup returned 691EDEF4
*Jul 25 12:50:34.972: NHRP: Attempting to send packet via DEST 10.10.10.1
*Jul 25 12:50:34.972: NHRP: NHRP successfully resolved 10.10.10.1 to NBMA 1.1.1.1
*Jul 25 12:50:34.972: NHRP: Encapsulation succeeded. Tunnel IP addr 1.1.1.1
*Jul 25 12:50:34.972: NHRP: Send Registration Request via Tunnel12345 vrf 0, packet size: 92
*Jul 25 12:50:34.972: src: 10.12.34.1, dst: 10.10.10.1
*Jul 25 12:50:34.972: (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
*Jul 25 12:50:34.972: shtl: 4(NSAP), sstl: 0(NSAP)
*Jul 25 12:50:34.972: pktsz: 92 extoff: 52
*Jul 25 12:50:34.972: (M) flags: "unique nat ", reqid: 65537
*Jul 25 12:50:34.972: src NBMA: 2.2.2.2
*Jul 25 12:50:34.972: src protocol: 10.12.34.1, dst protocol: 10.10.10.1
*Jul 25 12:50:34.972: (C-1) code: no error(0)
*Jul 25 12:50:34.972: prefix: 32, mtu: 17916, hd_time: 7200
*Jul 25 12:50:34.972: addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
*Jul 25 12:50:34.972: Responder Address Extension(3):
*Jul 25 12:50:34.972: Forward Transit NHS Record Extension(4):
*Jul 25 12:50:34.972: Reverse Transit NHS Record Extension(5):
*Jul 25 12:50:34.972: NAT address Extension(9):
*Jul 25 12:50:34.972: (C-1) code: no error(0)
*Jul 25 12:50:34.972: prefix: 32, mtu: 17916, hd_time: 0
*Jul 25 12:50:34.972: addr_len: 4(NSAP), subaddr_len: 0(NSAP), proto_len: 4, pref: 0
*Jul 25 12:50:34.972: client NBMA: 1.1.1.1
*Jul 25 12:50:34.972: client protocol: 10.10.10.1
*Jul 25 12:50:34.972: NHRP: 116 bytes out Tunnel12345
*Jul 25 12:50:34.972: NHRP-RATE: Retransmitting Registration Request for 10.10.10.1, reqid 65537, (retrans ivl 64 sec)
*Jul 25 12:50:36.132: ISAKMP:(1006):purging node 1566291204
*Jul 25 12:50:36.132: ISAKMP:(1006):purging node 742410882
*Jul 25 12:50:53.520: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 2.2.2.2:0, remote= 1.1.1.1:0,
local_proxy= 2.2.2.2/255.255.255.255/47/0 (type=1),
remote_proxy= 1.1.1.1/255.255.255.255/47/0 (type=1)
*Jul 25 12:50:53.520: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 2.2.2.2:500, remote= 1.1.1.1:500,
local_proxy= 2.2.2.2/255.255.255.255/47/0 (type=1),
remote_proxy= 1.1.1.1/255.255.255.255/47/0 (type=1),
protocol= ESP, transform= esp-aes esp-sha-hmac (Transport),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jul 25 12:50:53.520: ISAKMP: set new node 0 to QM_IDLE
*Jul 25 12:50:53.520: SA has outstanding requests (local 112.176.96.152 port 500, remote 112.176.96.124 port 500)
*Jul 25 12:50:53.520: ISAKMP:(1006): sitting IDLE. Starting QM immediately (QM_IDLE )
*Jul 25 12:50:53.520: ISAKMP:(1006):beginning Quick Mode exchange, M-ID of 2055556995
*Jul 25 12:50:53.520: ISAKMP:(1006):QM Initiator gets spi
*Jul 25 12:50:53.520: ISAKMP:(1006): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) QM_IDLE
*Jul 25 12:50:53.520: ISAKMP:(1006):Sending an IKE IPv4 Packet.
*Jul 25 12:50:53.520: ISAKMP:(1006):Node 2055556995, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Jul 25 12:50:53.520: ISAKMP:(1006):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Jul 25 12:50:53.520: ISAKMP (1006): received packet from 1.1.1.1 dport 500 sport 500 Global (I) QM_IDLE
*Jul 25 12:50:53.520: ISAKMP: set new node -1428573279 to QM_IDLE
*Jul 25 12:50:53.524: ISAKMP:(1006): processing HASH payload. message ID = 2866394017
*Jul 25 12:50:53.524: ISAKMP:(1006): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 2888331328, message ID = 2866394017, sa = 0x70B05F14
*Jul 25 12:50:53.524: ISAKMP:(1006): deleting spi 2888331328 message ID = 2055556995
*Jul 25 12:50:53.524: ISAKMP:(1006):deleting node 2055556995 error TRUE reason "Delete Larval"
*Jul 25 12:50:53.524: ISAKMP:(1006):deleting node -1428573279 error FALSE reason "Informational (in) state 1"
*Jul 25 12:50:53.524: ISAKMP:(1006):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jul 25 12:50:53.524: ISAKMP:(1006):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Some time ago I was running a similar setup, but the firewall was an ASA, not a Juniper.
Some comments:
You shouldn't disable NAT transparency. It should work with the default setting, which is "enabled".
The firewall only has to allow UDP/500 and UDP/4500. It will never see any other traffic between the hub and spoke.
The firewall shouldn't do any inspections etc. on the traffic to the hub.
You shouldn't use wildcard PSKs. The better solution is to use digital certificates.
You probably need some MTU/MSS settings like "ip mtu 1400" and "ip tcp adjust-mss 1360".
For running OSPF through DMVPN make sure the hub is the DR and set the network type to broadcast. -
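The hub debug in the question shows what the rejection actually is: every inbound proposal is evaluated with `local= 192.168.10.1` (the hub's pre-NAT address) but `local_proxy= 1.1.1.1` (the firewall's static NAT address the spoke sees), and IOS answers "proxy identities not supported". The following is an added example, not code from the thread: it extracts each `(key eng. msg.)` block from `debug dmvpn all all` / `debug crypto ipsec` output and flags proposals whose local proxy host differs from the address the router negotiates from. HUB_DEBUG and SPOKE_DEBUG are constructed from the debug lines quoted above, with the same addresses (hub 192.168.10.1 behind 1.1.1.1, spoke 2.2.2.2).

```python
"""Flag IPsec proposals whose local proxy identity is not the router's own
local address, the condition the hub reports as "proxy identities not supported".

Added example (not from the thread). The two debug samples are constructed
from the lines quoted in the question.
"""
import re

BLOCK_START = "(key eng. msg.)"
ADDR_RE = re.compile(r"local= (\S+?):\d+, remote= (\S+?):\d+")
PROXY_RE = re.compile(r"(local|remote)_proxy= (\S+?)/(\S+?)/(\d+)/(\d+)")

HUB_DEBUG = """\
*Jul 25 12:23:14.708: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.10.1:0, remote= 2.2.2.2:0,
local_proxy= 1.1.1.1/255.255.255.255/47/0,
remote_proxy= 2.2.2.2/255.255.255.255/47/0,
protocol= ESP, transform= NONE (Transport),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jul 25 12:23:14.708: map_db_find_best did not find matching map
*Jul 25 12:23:14.708: IPSEC(ipsec_process_proposal): proxy identities not supported
*Jul 25 12:23:14.708: ISAKMP:(1006): phase 2 SA policy not acceptable! (local 192.168.10.1 remote 2.2.2.2)
"""

SPOKE_DEBUG = """\
*Jul 25 12:50:23.520: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 2.2.2.2:500, remote= 1.1.1.1:500,
local_proxy= 2.2.2.2/255.255.255.255/47/0 (type=1),
remote_proxy= 1.1.1.1/255.255.255.255/47/0 (type=1),
protocol= ESP, transform= esp-aes esp-sha-hmac (Transport),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
"""


def parse_proposals(debug_text):
    """Collect each '(key eng. msg.)' block with its addresses and proxy identities."""
    proposals, current = [], None
    for line in debug_text.splitlines():
        if BLOCK_START in line:
            m = ADDR_RE.search(line)
            if not m:
                continue
            current = {"direction": "INBOUND" if "INBOUND" in line else "OUTBOUND",
                       "local": m.group(1), "remote": m.group(2), "proxies": {}, "rejected": False}
            proposals.append(current)
            continue
        if "proxy identities not supported" in line and proposals:
            proposals[-1]["rejected"] = True          # IOS rejected the block just parsed
        if line.startswith("*"):                      # next timestamped line ends the block
            current = None
            continue
        if current is not None and (m := PROXY_RE.search(line)):
            current["proxies"][m.group(1)] = {"addr": m.group(2), "mask": m.group(3),
                                              "proto": int(m.group(4)), "port": int(m.group(5))}
    return proposals


def check_proxy_identities(debug_text):
    """Return proposals whose host-route local proxy is not this router's local address."""
    findings = []
    for p in parse_proposals(debug_text):
        lp = p["proxies"].get("local")
        if lp and lp["mask"] == "255.255.255.255" and lp["addr"] != p["local"]:
            findings.append({"local": p["local"], "local_proxy": lp["addr"], "remote": p["remote"],
                             "proto": lp["proto"], "rejected": p["rejected"]})
    return findings


if __name__ == "__main__":
    print("hub  :", check_proxy_identities(HUB_DEBUG))
    print("spoke:", check_proxy_identities(SPOKE_DEBUG))
```

On the hub sample the checker returns one entry (local 192.168.10.1, local proxy 1.1.1.1, protocol 47, rejected); on the spoke sample it returns nothing, since the spoke's proxy identity matches its own address. Seeing the mismatch spelled out makes it clear why the reply's first point (leave NAT transparency at its default) is the one to act on before touching firewall rules.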
Cisco ASA VPN question: %ASA-4-713903: IKE Receiver: Runt ISAKMP packet
Dear community,
quite frequently I am now receiving the following error message in my ASA 5502's log:
Oct 17 12:52:17 <myASA> %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from <some_ip>:<some_port>
Oct 17 12:52:22 <myASA> %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from <some_ip>:<some_port>
Oct 17 12:52:27 <myASA> %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from <some_ip>:<some_port>
The VPN Clients (in the last case: A linux vpnc) disconnect with message
vpnc[7736]: connection terminated by dead peer detection
The ASA reports for that <some_ip> at around the same time:
Oct 17 12:52:32 <myASA> %ASA-4-113019: Group = blah, Username = johndoe, IP = <some_ip>, Session disconnected. Session Type: IPSecOverNatT, Duration: 2h:40m:35s, Bytes xmt: 2410431, Bytes rcv: 23386708, Reason: User Requested
A Google search did not reveal any explanation of the "%ASA-4-713903: IKE Receiver: Runt ISAKMP packet..." message -- so my questions would be:
1) What does the message exactly mean -- I know runts as an L2 problem so I'd suppose it means the same: the ISAKMP packet is somehow crippled (I'd suppose this happens during rekeying)?
2) Any idea where to look for the cause of this?
WAN related (however I'd assume not -- why does this happen in these regular time frames as shown above)?
SW related (vpnc bug)?
Thanks in advance for any pointer...
Joachim
Yes. You need to eliminate the things I've said to eliminate with the other side. Ensure your configs are matching exactly. They probably are, whatever, just make sure of it because it's easy. You both need to run packet captures on your interfaces both in and out to even begin to have an idea of where to look.
The more info you can have just one person responsible for the better. What I mean by that is, it's typically a nice step for the 'bigger end' to have the 'smaller end's' config file to look at.
If you are seeing packets come in your inside, leave your outside, and never make it to his inside, then take it a step at a time.
If you're seeing them come in his interface and never come back out, you know where to look.
Set your caps to a single host to single host if need be, and generate traffic accordingly.
You need to narrow down where NOT to look so that you know where TO look. I would say then, and only then, do you get the ISP involved. Once you're sure the problem exists between his edge device and your edge device.
I do exactly this for a living on a daily basis...day after day after day. I'm responsible for over 200 IPSec s2s connections and thousands of SSL VPN sessions. I always start the exact same way...from the very bottom.
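Before an IKE receiver can do anything with a datagram on UDP/4500 it has to apply the NAT-T framing, and that is where a "runt" is caught: RFC 3948 puts four zero bytes (the non-ESP marker) in front of IKE on port 4500, ESP-in-UDP carries its non-zero SPI in the same position, and a single 0xFF byte is a NAT keepalive; the fixed ISAKMP header behind the marker is 28 bytes for IKEv1 and IKEv2 alike. The script below is an added example, not code from the thread or from Cisco. It demultiplexes constructed sample packets and flags an IKE-marked payload that is shorter than the fixed header; treating that as what the ASA's %ASA-4-713903 message means is this script's assumption, since the thread does not define the term.

```python
"""Demultiplex UDP/4500 (IPsec NAT-T) payloads the way an IKE receiver must,
and flag ISAKMP packets too short to carry a header.

Added example.  Framing per RFC 3948 (non-ESP marker, NAT keepalive), 28-byte
fixed ISAKMP header per RFC 2408 / RFC 7296.  Sample packets are constructed;
"runt" = shorter than the fixed header is an assumption about the ASA message.
"""
import struct

ISAKMP_HDR_LEN = 28                     # fixed header, IKEv1 and IKEv2 alike
NON_ESP_MARKER = b"\x00\x00\x00\x00"    # RFC 3948 s.2.2: precedes IKE on UDP/4500
NAT_KEEPALIVE = b"\xff"                 # RFC 3948 s.2.3: one byte, no IKE inside
HDR_FMT = "!QQBBBBII"                   # iSPI, rSPI, next payload, version, exchange, flags, msg id, length


def parse_isakmp_header(ike: bytes) -> dict:
    """Decode the fixed header; caller guarantees len(ike) >= ISAKMP_HDR_LEN."""
    ispi, rspi, nxt, ver, exch, flags, msg_id, length = struct.unpack(HDR_FMT, ike[:ISAKMP_HDR_LEN])
    return {
        "initiator_spi": ispi,
        "responder_spi": rspi,
        "next_payload": nxt,
        "version": f"{ver >> 4}.{ver & 0x0F}",   # IKEv1 = 1.0, IKEv2 = 2.0
        "exchange_type": exch,
        "flags": flags,
        "message_id": msg_id,
        "declared_length": length,
        # the header's own length field must cover the header and match the datagram
        "length_ok": length >= ISAKMP_HDR_LEN and length == len(ike),
    }


def classify_nat_t(payload: bytes) -> dict:
    """Say what a UDP/4500 payload is: keepalive, ESP, ISAKMP, or a runt."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if len(payload) < len(NON_ESP_MARKER):
        return {"kind": "runt", "reason": "shorter than the 4-byte SPI/marker field"}
    if payload[:4] != NON_ESP_MARKER:
        # ESP-in-UDP: the first four bytes are the SPI, which is never zero,
        # so the all-zero marker is an unambiguous signal for IKE.
        return {"kind": "esp", "spi": struct.unpack("!I", payload[:4])[0], "len": len(payload)}
    ike = payload[len(NON_ESP_MARKER):]
    if len(ike) < ISAKMP_HDR_LEN:
        # Marked as IKE but there is not even a full header to parse: discard.
        return {"kind": "runt-isakmp", "ike_len": len(ike)}
    return {"kind": "isakmp", **parse_isakmp_header(ike)}


def build_isakmp(ispi, rspi, nxt, major, minor, exch, flags, msg_id, body, declared_len=None):
    """Assemble header + body; declared_len lets a test forge an inconsistent length."""
    length = ISAKMP_HDR_LEN + len(body) if declared_len is None else declared_len
    return struct.pack(HDR_FMT, ispi, rspi, nxt, (major << 4) | minor, exch, flags, msg_id, length) + body


# Constructed sample datagrams (UDP payloads only, no IP/UDP headers):
SAMPLE_KEEPALIVE = NAT_KEEPALIVE
SAMPLE_ESP = struct.pack("!II", 0x12345678, 7) + bytes(24)      # SPI, sequence, ciphertext
SAMPLE_RUNT = NON_ESP_MARKER + bytes(12)                         # IKE-marked, only 12 bytes follow
SAMPLE_IKE = NON_ESP_MARKER + build_isakmp(0x0123456789ABCDEF, 0, 1, 1, 0, 2, 0, 0, bytes(8))
SAMPLE_BAD_LEN = NON_ESP_MARKER + build_isakmp(0x0123456789ABCDEF, 0, 1, 1, 0, 2, 0, 0, bytes(8),
                                               declared_len=200)

if __name__ == "__main__":
    for name, pkt in [("keepalive", SAMPLE_KEEPALIVE), ("esp", SAMPLE_ESP), ("runt", SAMPLE_RUNT),
                      ("ike", SAMPLE_IKE), ("bad-length", SAMPLE_BAD_LEN)]:
        print(f"{name:11s} {classify_nat_t(pkt)}")
```

The same logic applied to a capture taken on the outside interface (filtering UDP/4500 from the peer in question) would show whether the discarded datagrams are truncated on the wire or whether the header's length field disagrees with the datagram, which are two different faults pointing at the path and at the client respectively.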
Need help with ASA 5512 and SQL port between DMZ and inside
Hello everyone,
Inside is on gigabitEthernet0/1 ip 192.9.200.254
I have a dmz on gigabitEthernet2 ip 192.168.100.254
I need to pass port 443 from outside to dmz ip 192.168.100.80 and open port 1433 from 192.168.100.80 to the inside network.
I believe this will work for port 443:
object network dmz
subnet 192.168.100.0 255.255.255.0
object network webserver
host 192.168.100.80
object network webserver
nat (dmz,outside) static interface service tcp 443 443
access-list Outside_access_in extended permit tcp any object webserver eq 443
access-group Outside_access_in in interface Outside
However...How would I open only port 1433 from dmz to inside?
At the bottom of this message is my config if it helps.
Thanks,
John Clausen
Config:
: Saved
ASA Version 9.1(2)
hostname ciscoasa-gcs
domain-name router.local
enable password f4yhsdf.4sadf977 encrypted
passwd f4yhsdf.4sadf977 encrypted
names
ip local pool vpnpool 192.168.201.10-192.168.201.50
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 123.222.222.212 255.255.255.224
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.9.200.254 255.255.255.0
interface GigabitEthernet0/2
nameif dmz
security-level 100
ip address 192.168.100.254 255.255.255.0
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
ftp mode passive
dns server-group DefaultDNS
domain-name router.local
object network inside-subnet
subnet 192.9.200.0 255.255.255.0
object network netmotion
host 192.9.200.6
object network inside-network
subnet 192.9.200.0 255.255.255.0
object network vpnpool
subnet 192.168.201.0 255.255.255.192
object network NETWORK_OBJ_192.168.201.0_26
subnet 192.168.201.0 255.255.255.192
object network NETWORK_OBJ_192.9.200.0_24
subnet 192.9.200.0 255.255.255.0
access-list outside_access_in extended permit icmp any4 any4 log disable
access-list Outside_access_in extended permit udp any object netmotion eq 5020
access-list split standard permit 192.9.200.0 255.255.255.0
access-list VPNT_splitTunnelAcl standard permit 192.9.200.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static inside-network inside-network destination static vpnpool vpnpool
nat (inside,outside) source static NETWORK_OBJ_192.9.200.0_24 NETWORK_OBJ_192.9.200.0_24 destination static NETWORK_OBJ_192.168.201.0_26 NETWORK_OBJ_192.168.201.0_26 no-proxy-arp route-lookup
object network netmotion
nat (inside,outside) static interface service udp 5020 5020
nat (inside,outside) after-auto source dynamic any interface
access-group Outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 123.222.222.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.9.200.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 192.9.200.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption aes128-sha1 3des-sha1
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 2 regex "Windows NT"
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3 regex "Intel Mac OS X"
anyconnect enable
tunnel-group-list enable
group-policy SSLVPN internal
group-policy SSLVPN attributes
dns-server value 192.9.200.13
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain value router.local
group-policy VPNT internal
group-policy VPNT attributes
dns-server value 192.9.200.13
vpn-tunnel-protocol ikev1 l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNT_splitTunnelAcl
default-domain value router.local
username grimesvpn password 7.wersfhyt encrypted
username grimesvpn attributes
service-type remote-access
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
address-pool vpnpool
default-group-policy SSLVPN
tunnel-group SSLVPN webvpn-attributes
group-alias SSLVPN enable
tunnel-group VPNT type remote-access
tunnel-group VPNT general-attributes
address-pool vpnpool
default-group-policy VPNT
tunnel-group VPNT ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:36271b5a1b9382621e14c3aa635e2fbb
: end
Hi Vibor. Apologies if my comment was misunderstood. What I meant to say was that the security level of the dmz interface should probably be less than 100.
And therefore traffic could be controlled between the DMZ and inside networks.
As per the security level on the DMZ interface... that command is correct. :-)
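The reply turns on two ASA rules that the posted config runs into: interfaces at the same security level do not talk to each other at all unless same-security-traffic permit inter-interface is set, and once an inbound ACL is applied to an interface it replaces the level-based default (high to low permitted, low to high denied) with its own first-match logic and implicit deny. The model below is an added example, not Cisco code, and leaves out NAT, outbound ACLs and the global ACL. It encodes the posted interfaces (inside and dmz both at 100, no ACL on dmz) and a hypothetical fix (dmz lowered to 50, which is an assumed value, plus an inbound ACL that permits only TCP/1433 from 192.168.100.80 to 192.9.200.0/24), and checks which flows each one allows.

```python
"""Model of an ASA's decision for a new connection arriving on one interface and
leaving by another: the same-security gate, then the inbound ACL if one is
applied (implicit deny at its end), otherwise the security-level default.

Added example, not Cisco code.  The rules are the ASA's documented defaults;
NAT, outbound ACLs and the global ACL are left out.  The two configurations
below are constructed from the post (levels 100/100, no ACL on dmz) and a
hypothetical fix (dmz at level 50 with an ACL that permits only TCP/1433).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Ace:
    """One 'access-list ... extended' entry, reduced to what the model needs."""
    action: str                  # "permit" | "deny"
    proto: str                   # "tcp" | "udp" | "ip"
    src: str                     # CIDR, e.g. "192.168.100.80/32"
    dst: str
    dport: Optional[int] = None  # None = any destination port

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        return ((self.proto == "ip" or self.proto == proto)
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


@dataclass
class Interface:
    name: str
    security_level: int
    acl_in: Optional[List[Ace]] = None   # None = no 'access-group ... in interface' applied


class Asa:
    def __init__(self, interfaces: List[Interface], same_security_inter: bool = False):
        self.ifs = {i.name: i for i in interfaces}
        self.same_security_inter = same_security_inter   # 'same-security-traffic permit inter-interface'

    def allows(self, ingress, egress, proto, src, dst, dport) -> bool:
        inb, out = self.ifs[ingress], self.ifs[egress]
        if inb.security_level == out.security_level and not self.same_security_inter:
            return False                        # equal levels are blocked without the knob
        if inb.acl_in is not None:
            for ace in inb.acl_in:              # first matching ACE wins ...
                if ace.matches(proto, src, dst, dport):
                    return ace.action == "permit"
            return False                        # ... implicit deny at the end
        return inb.security_level > out.security_level   # default: high -> low only


def posted_config() -> Asa:
    """inside 100, dmz 100, no ACL on dmz: the situation in the thread."""
    return Asa([
        Interface("outside", 0, acl_in=[Ace("permit", "tcp", "0.0.0.0/0", "192.168.100.80/32", 443)]),
        Interface("inside", 100),
        Interface("dmz", 100),
    ])


def fixed_config() -> Asa:
    """Hypothetical fix: lower the dmz level and apply an inbound ACL that permits only
    the SQL port from the web server to the inside network (level 50 is an assumption)."""
    return Asa([
        Interface("outside", 0, acl_in=[Ace("permit", "tcp", "0.0.0.0/0", "192.168.100.80/32", 443)]),
        Interface("inside", 100),
        Interface("dmz", 50, acl_in=[Ace("permit", "tcp", "192.168.100.80/32", "192.9.200.0/24", 1433)]),
    ])


if __name__ == "__main__":
    flow = ("dmz", "inside", "tcp", "192.168.100.80", "192.9.200.6", 1433)
    print("posted:", posted_config().allows(*flow))   # False: equal security levels
    print("fixed: ", fixed_config().allows(*flow))    # True: the dmz ACL permits 1433 only
```

Note that with both interfaces at 100 the inside hosts cannot reach the DMZ either; lowering the DMZ level restores the implicit inside-to-dmz permit while the ACL on dmz keeps the return direction down to the one port.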
Please Help - Only Some Port Forwards Working
Hi all,
I have the most annoying issue with Cisco 887VA-K9 port forwarding. Some ports work while others don't and I just can't see why; however, I suspect it is a zone based firewall (ZBF) issue.
Port forwards on the follow ports all work fine:
External port 8021 to 192.168.4.253 on port 80 works
External port 8022 to 192.168.4.253 on port 8022 works
All the rest don't. I also have SIP phones sitting outside the LAN which are unable to register through the internet with the PBX unit, which is in the DMZ network 192.168.4.0.
Any help would be greatly appreciated as this is sending me mad. Full running config below.
Louise ;-)
Building configuration...
Current configuration : 36870 bytes
! Last configuration change at 12:49:03 Magadan Fri Nov 8 2013 by cpadmin
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname QQQ_ADSL_Gateway
boot-start-marker
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 64000
enable secret 4 gim.lMOdQK/21R4Wu.QJfOMAv3CIkRyN.hbSTG5xAxE
aaa new-model
aaa authentication login local_authen local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec local_author local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa session-id common
memory-size iomem 10
clock timezone Magadan 11 0
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-3471381936
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3471381936
revocation-check none
rsakeypair TP-self-signed-3471381936
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name [email protected]
revocation-check crl
crypto pki certificate chain TP-self-signed-3471381936
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33343731 33383139 3336301E 170D3132 30373132 31313332
34375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34373133
38313933 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100AB76 5F7EE03F 306F52A0 91E82E04 7A69528D 1839409C 55BCC55A 47F180A9
7B522E9B FBB96A32 715178FE B96B737E 788947A4 CF4791AA 15609E37 A3F66F07
AD1B8A34 A2877711 E33A613D 8E50AE40 A106DE9C B2B03B95 73392ADB 4BB51FAD
6F2D6F8D A90BA0B5 BD1A209C F54126A9 2E2FF5B7 85041B7E C72032C0 CECE7F79
51550203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 141713AB B7F927E5 50C242DF 9912C3B6 61D93313 80301D06
03551D0E 04160414 1713ABB7 F927E550 C242DF99 12C3B661 D9331380 300D0609
2A864886 F70D0101 05050003 81810099 8EBE5630 2E6734A8 4D2FD0A5 F09A98F8
9E49125F AECEF4BB E0DEBB3A 1A449E38 99B02114 7EC84845 B53C2F88 046B7290
AE44967A 8BE20F5E 9D4A1CFC E1F64FE8 59F51892 23B88B4E 3416808A 68E65660
644C7DA0 E3A7A525 14FE8E54 67C35F8E CF69EB40 34DFB13D EA302F66 102C822A
3D7107BA AA4E7273 1D43690E C4A5D4
quit
crypto pki certificate chain test_trustpoint_config_created_for_sdm
no ip source-route
ip dhcp excluded-address 192.168.0.230 192.168.0.255
ip dhcp excluded-address 192.168.0.1 192.168.0.200
ip dhcp pool QQQ_LAN
import all
network 192.168.0.0 255.255.255.0
default-router 192.168.0.254
dns-server 192.168.0.6 202.1.161.36
netbios-name-server 192.168.0.6
domain-name QQQ.Local
lease 3
ip cef
no ip bootp server
ip domain name QQQ.Local
ip name-server 192.168.0.6
ip name-server 202.1.161.37
ip name-server 202.1.161.36
ip inspect log drop-pkt
no ipv6 cef
parameter-map type inspect global
log dropped-packets enable
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
password encryption aes
license udi pid CISCO887VA-K9 sn FGL162321CT
object-group service MAIL-PORTS
description QQQ User Mail Restrictions
tcp eq smtp
tcp eq pop3
tcp eq 995
tcp eq 993
udp lt rip
udp lt domain
tcp eq telnet
udp lt ntp
udp lt tftp
tcp eq ftp
tcp eq domain
tcp eq 5900
tcp eq ftp-data
tcp eq 3389
tcp eq 20410
object-group network Network1
description QQQ Management Network
192.168.1.0 255.255.255.0
192.168.4.0 255.255.255.0
192.168.5.0 255.255.255.0
192.168.7.0 255.255.255.0
192.168.8.0 255.255.255.0
range 192.168.0.200 192.168.0.254
range 192.168.0.1 192.168.0.25
object-group network Network2
description QQQ User Network
192.168.2.0 255.255.255.0
192.168.3.0 255.255.255.0
192.168.6.0 255.255.255.0
range 192.168.0.26 192.168.0.199
object-group network QQQ.Local
description QQQ_Domain
192.168.0.0 255.255.255.0
192.168.1.0 255.255.255.0
192.168.2.0 255.255.255.0
192.168.3.0 255.255.255.0
192.168.4.0 255.255.255.0
192.168.5.0 255.255.255.0
192.168.6.0 255.255.255.0
192.168.8.0 255.255.255.0
192.168.7.0 255.255.255.0
192.168.10.0 255.255.255.0
10.1.0.0 255.255.0.0
object-group network QQQ_Management_Group
description QQQ I.T. Devices With UnRestricted Access
range 192.168.0.200 192.168.0.254
range 192.168.0.1 192.168.0.25
192.168.1.0 255.255.255.0
192.168.8.0 255.255.255.0
192.168.7.0 255.255.255.0
192.168.5.0 255.255.255.0
192.168.4.0 255.255.255.0
10.1.0.0 255.255.0.0
192.168.10.0 255.255.255.0
10.8.0.0 255.255.255.0
192.168.9.0 255.255.255.0
192.168.100.0 255.255.255.0
192.168.20.0 255.255.255.0
192.168.21.0 255.255.255.0
192.168.22.0 255.255.255.0
192.168.23.0 255.255.255.0
object-group network QQQ_User_Group
description QQQ I.T. Devices WIth Restricted Access
range 192.168.0.26 192.168.0.199
192.168.2.0 255.255.255.0
192.168.3.0 255.255.255.0
192.168.6.0 255.255.255.0
object-group service WEB
description QQQ User Web Restrictions
tcp eq www
tcp eq 443
tcp eq 8080
tcp eq 1863
tcp eq 5190
username cpadmin privilege 15 password 7 1406031A2C172527
username QQQVPN privilege 15 secret 4 Hk2tP2GgJ1xXtJUqIZr4gmNSgw6q1E.rvzWiYnDAZHU
controller VDSL 0
ip tcp synwait-time 10
no ip ftp passive
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 118
class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
match access-group 121
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
match access-group 120
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-all sdm-cls-VPNOutsideToInside-4
match access-group 122
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
match access-group 117
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect gnutella match-any ccp-app-gnutella
match file-transfer
class-map type inspect match-any SDM_HTTP
match access-group name SDM_HTTP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-all sdm-cls-http
match access-group name dmz-traffic
match protocol http
class-map type inspect match-any Telnet
match protocol telnet
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match service any
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
match service any
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
match service any
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any FIREWALL_EXCEPTIONS_CLASS
match access-group name FIREWALL_EXCEPTIONS_ACL
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any SDM_EASY_VPN_CTCP_SERVER_PT
match access-group 102
match access-group 103
match access-group 104
match access-group 105
match access-group 106
match access-group 107
match access-group 108
match access-group 109
match access-group 110
match access-group 111
match access-group 112
match access-group 113
match access-group 114
match access-group 115
class-map type inspect match-any SIP
match protocol sip
class-map type inspect pop3 match-any ccp-app-pop3
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect sip match-any ccp-cls-sip-pv-2
match protocol-violation
class-map type inspect kazaa2 match-any ccp-app-kazaa2
match file-transfer
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map type inspect match-all ccp-cls-ccp-permit-1
match access-group name ETS1
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect msnmsgr match-any ccp-app-msn
match service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
match service text-chat
class-map type inspect match-all ccp-cls-ccp-pol-outToIn-1
match access-group name ETS
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-cls-ccp-pol-outToIn-2
match class-map Telnet
match access-group name Telnet
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect match-any ccp-dmz-protocols
match user-group qqq
match protocol icmp
match protocol http
class-map type inspect edonkey match-any ccp-app-edonkey
match file-transfer
match text-chat
match search-file-name
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all sdm-cls-sip
match access-group name dmz-traffic
match protocol sip
class-map type inspect match-all ccp-dmz-traffic
match access-group name dmz-traffic
match class-map ccp-dmz-protocols
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
class-map type inspect edonkey match-any ccp-app-edonkeydownload
match file-transfer
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect aol match-any ccp-app-aol
match service text-chat
class-map type inspect edonkey match-any ccp-app-edonkeychat
match search-file-name
match text-chat
class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-1
match class-map SIP
match access-group name SIP
class-map type inspect fasttrack match-any ccp-app-fasttrack
match file-transfer
class-map type inspect http match-any ccp-http-allowparam
match request port-misuse tunneling
class-map type inspect match-all ccp-protocol-http
match protocol http
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect p2p ccp-action-app-p2p
class type inspect edonkey ccp-app-edonkeychat
log
allow
class type inspect edonkey ccp-app-edonkeydownload
log
allow
class type inspect fasttrack ccp-app-fasttrack
log
allow
class type inspect gnutella ccp-app-gnutella
log
allow
class type inspect kazaa2 ccp-app-kazaa2
log
allow
policy-map type inspect PF_OUT_TO_IN
class type inspect FIREWALL_EXCEPTIONS_CLASS
pass
policy-map type inspect PF_IN_TO_OUT
class type inspect FIREWALL_EXCEPTIONS_CLASS
pass
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
log
allow
class type inspect msnmsgr ccp-app-msn
log
allow
class type inspect ymsgr ccp-app-yahoo
log
allow
class type inspect aol ccp-app-aol-otherservices
log
reset
class type inspect msnmsgr ccp-app-msn-otherservices
log
reset
class type inspect ymsgr ccp-app-yahoo-otherservices
log
reset
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
log
reset
class type inspect http ccp-app-httpmethods
log
reset
class type inspect http ccp-http-allowparam
log
allow
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
policy-map type inspect ccp-inspect
class type inspect ccp-protocol-http
inspect
service-policy http ccp-action-app-http
class type inspect ccp-protocol-imap
inspect
service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
inspect
service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
inspect
service-policy p2p ccp-action-app-p2p
class type inspect ccp-protocol-im
inspect
service-policy im ccp-action-app-im
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class type inspect ccp-invalid-src
drop log
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_VPN_PT
pass
class type inspect ccp-cls-ccp-permit-1
pass
class type inspect SDM_EASY_VPN_SERVER_PT
pass
class type inspect SDM_EASY_VPN_CTCP_SERVER_PT
inspect
class class-default
drop
policy-map type inspect sip ccp-app-sip-2
class type inspect sip ccp-cls-sip-pv-2
allow
policy-map type inspect ccp-permit-dmzservice
class type inspect ccp-cls-ccp-permit-dmzservice-1
pass
class type inspect ccp-dmz-traffic
inspect
class type inspect sdm-cls-http
inspect
service-policy http ccp-action-app-http
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class type inspect sdm-cls-VPNOutsideToInside-2
inspect
class type inspect sdm-cls-VPNOutsideToInside-3
pass
class class-default
pass
policy-map type inspect ccp-pol-outToIn
class type inspect ccp-cls-ccp-pol-outToIn-1
pass
class type inspect ccp-cls-ccp-pol-outToIn-2
pass
class type inspect CCP_PPTP
pass
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class type inspect sdm-cls-VPNOutsideToInside-2
inspect
class type inspect sdm-cls-VPNOutsideToInside-3
pass
class type inspect sdm-cls-VPNOutsideToInside-4
inspect
class class-default
drop log
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
pass
class type inspect sdm-cls-VPNOutsideToInside-2
inspect
class type inspect sdm-cls-VPNOutsideToInside-3
pass
class type inspect sdm-cls-VPNOutsideToInside-4
inspect
class class-default
drop log
zone security dmz-zone
zone security in-zone
zone security out-zone
zone security ezvpn-zone
zone-pair security ccp-zp-out-dmz source out-zone destination dmz-zone
service-policy type inspect ccp-permit-dmzservice
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
service-policy type inspect ccp-pol-outToIn
zone-pair security ccp-zp-in-dmz source in-zone destination dmz-zone
service-policy type inspect ccp-permit-dmzservice
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security dmz-to-in source dmz-zone destination in-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-in-ezvpn2 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-in-ezvpn1 source dmz-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in2 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination dmz-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in3 source ezvpn-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
crypto ctcp port 10000 1723 6299
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 2
crypto isakmp key 6 PbKM_WfaCM[hYNXAFOUgCNgCB_ZdJEAAB address 220.245.109.219
crypto isakmp key 6 NddQRR[O^KY`GRDC[VZUEPE`CSJ^CDAAB address 0.0.0.0 0.0.0.0
crypto isakmp client configuration group QQQ
key 6 UWVBhb`Lgc_AZbDYWDFZiGZTTadNYTAAB
dns 192.168.0.6 202.1.161.36
wins 192.168.0.6
domain QQQ.Local
pool SDM_POOL_1
include-local-lan
max-users 20
max-logins 1
netmask 255.255.255.0
banner ^CCWelcome to QQQ VPN!!!!1 ^C
crypto isakmp profile ciscocp-ike-profile-1
match identity group QQQ
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address initiate
client configuration address respond
keepalive 10 retry 2
virtual-template 1
crypto ipsec transform-set ESP_AES_SHA esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 43200
set transform-set ESP_AES_SHA
set isakmp-profile ciscocp-ike-profile-1
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to220.245.109.219
set peer 220.245.109.219
set transform-set ESP-3DES-SHA
match address 119
interface Loopback0
description QQQ_VPN
ip address 192.168.9.254 255.255.255.0
interface Null0
no ip unreachables
interface Ethernet0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
no fair-queue
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
interface ATM0.1 point-to-point
description Telekom_ADSL
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
zone-member security out-zone
pvc 8/35
pppoe-client dial-pool-number 1
interface FastEthernet0
description QQQ_LAN-VLAN_1
switchport access vlan 1
no ip address
interface FastEthernet1
description QQQ_LAN-VLAN_1
no ip address
interface FastEthernet2
description QQQ_WAN-VLAN_2
switchport access vlan 2
no ip address
interface FastEthernet3
description QQQ_DMZ-IP_PBX-VLAN_3
switchport access vlan 3
no ip address
interface Virtual-Template1 type tunnel
description QQQ_Easy_VPN
ip unnumbered Loopback0
ip nat inside
ip virtual-reassembly in
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
interface Vlan1
description QQQ_LAN-VLAN1$FW_INSIDE$
ip address 192.168.0.254 255.255.255.0
ip access-group QQQ_ACL in
ip mask-reply
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
ip tcp adjust-mss 1412
interface Vlan2
description QQQ_WAN-VLAN2$FW_INSIDE$
ip address 192.168.5.254 255.255.255.0
ip access-group QQQ_ACL in
ip mask-reply
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
ip tcp adjust-mss 1412
interface Vlan3
description QQQ_IP-PBX_WAN-VLAN3
ip address 192.168.4.254 255.255.255.0
ip mask-reply
ip nat inside
ip virtual-reassembly in
zone-member security dmz-zone
interface Vlan4
description VLAN4 - 192.168.20.xxx (Spare)
ip address 192.168.20.253 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
interface Dialer0
description ATM Dialer
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
no cdp enable
interface Dialer2
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxxxxxxxxxxxxxxxxxx
ppp chap password 7 xxxxxxxxxxxxxxxxxxxxxxxxx
ppp pap sent-username xxxxxxxxxx0 password 7 xxxxxxxxxxxxxxxxxxxxx
no cdp enable
crypto map SDM_CMAP_1
router rip
version 2
redistribute static
passive-interface ATM0
passive-interface ATM0.1
passive-interface Dialer0
passive-interface Dialer2
passive-interface Ethernet0
passive-interface Loopback0
network 10.0.0.0
network 192.168.0.0
network 192.168.1.0
network 192.168.2.0
network 192.168.3.0
network 192.168.4.0
network 192.168.5.0
network 192.168.6.0
network 192.168.7.0
network 192.168.8.0
network 192.168.10.0
network 192.168.100.0
ip local pool SDM_POOL_1 192.168.5.100 192.168.5.200
ip forward-protocol nd
ip http server
ip http access-class 5
ip http authentication local
ip http secure-server
ip nat pool NAT_IP 192.168.0.210 192.168.0.235 netmask 255.255.255.0
ip nat inside source static tcp 192.168.4.253 5060 interface Dialer2 5060
ip nat inside source static tcp 192.168.0.240 20408 interface Dialer2 6208
ip nat inside source static tcp 192.168.0.240 20409 interface Dialer2 6209
ip nat inside source static tcp 192.168.0.240 20410 interface Dialer2 6200
ip nat inside source static tcp 192.168.1.240 20408 interface Dialer2 6218
ip nat inside source static tcp 192.168.1.240 20409 interface Dialer2 6219
ip nat inside source static tcp 192.168.1.240 20410 interface Dialer2 6210
ip nat inside source static tcp 192.168.7.240 20408 interface Dialer2 6278
ip nat inside source static tcp 192.168.7.240 20409 interface Dialer2 6279
ip nat inside source static tcp 192.168.7.240 20410 interface Dialer2 6270
ip nat inside source static tcp 192.168.8.240 20408 interface Dialer2 6288
ip nat inside source static tcp 192.168.8.240 20409 interface Dialer2 6289
ip nat inside source static tcp 192.168.8.240 20410 interface Dialer2 6280
ip nat inside source static tcp 192.168.0.6 1723 interface Dialer2 1723
ip nat inside source static tcp 192.168.0.6 3389 interface Dialer2 6389
ip nat inside source static tcp 192.168.0.24 3389 interface Dialer2 6390
ip nat inside source static tcp 192.168.4.253 8022 interface Dialer2 8022
ip nat inside source static tcp 192.168.4.253 80 interface Dialer2 8021
ip nat inside source static tcp 192.168.0.254 23 interface Dialer2 8023
ip nat inside source static tcp 192.168.0.6 443 interface Dialer2 443
ip nat inside source route-map SDM_RMAP_1 interface Dialer2 overload
ip default-network 192.168.0.0
ip default-network 192.168.4.0
ip route 0.0.0.0 0.0.0.0 Dialer2 permanent
ip route 10.1.0.0 255.255.0.0 Vlan2 permanent
ip route 10.8.0.0 255.255.255.0 Vlan2 permanent
ip route 192.168.0.0 255.255.255.0 Vlan1 permanent
ip route 192.168.4.0 255.255.255.0 Vlan3 permanent
ip route 192.168.5.0 255.255.255.0 Vlan2 permanent
ip route 192.168.100.0 255.255.255.0 Dialer2 permanent
ip access-list extended ACCESS_FROM_INSIDE
permit ip object-group QQQ_Management_Group any
permit tcp object-group QQQ_User_Group any eq smtp pop3
permit tcp object-group QQQ_User_Group any eq 993 995
permit tcp 192.168.0.0 0.0.0.255 any eq smtp pop3
permit tcp 192.168.0.0 0.0.0.255 any eq 993 995
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.4.0 0.0.0.255 any
permit ip 192.168.5.0 0.0.0.255 any
permit ip 192.168.7.0 0.0.0.255 any
permit ip 192.168.8.0 0.0.0.255 any
permit tcp 192.168.2.0 0.0.0.255 any eq www 443 8080 domain
permit tcp 192.168.2.0 0.0.0.255 any eq www 443 8080 domain time-range QQQ_Control
permit tcp 192.168.3.0 0.0.0.255 any eq www 443 8080 domain time-range QQQ_Control
permit tcp 192.168.4.0 0.0.0.255 any eq www 443 8080 domain time-range QQQ_Control
permit udp 192.168.2.0 0.0.0.255 any eq domain time-range QQQ_Control
permit udp 192.168.3.0 0.0.0.255 any eq domain time-range QQQ_Control
permit udp 192.168.4.0 0.0.0.255 any eq domain time-range QQQ_Control
ip access-list extended ETS
remark CCP_ACL Category=128
permit ip host 203.219.237.252 any
ip access-list extended ETS1
remark CCP_ACL Category=128
permit ip host 203.219.237.252 any
ip access-list extended FIREWALL_EXCEPTIONS_ACL
permit tcp any host 192.168.0.100 eq 25565
permit tcp any eq 25565 host 192.168.0.100
ip access-list extended QQQ_ACL
permit ip any host 192.168.4.253
permit udp any any eq bootps bootpc
permit ip any 192.168.4.0 0.0.0.255
permit ip host 203.219.237.252 any
remark QQQ Internet Control List
remark CCP_ACL Category=17
remark Auto generated by CCP for NTP (123) 203.12.160.2
permit udp host 203.12.160.2 eq ntp any eq ntp
remark AD Services
permit udp host 192.168.0.6 eq domain any
remark Unrestricted Access
permit ip object-group QQQ_Management_Group any
remark Restricted Users
permit object-group MAIL-PORTS object-group QQQ_User_Group any
permit ip 192.168.0.0 0.0.0.255 any time-range QQQ_Control
permit ip 192.168.2.0 0.0.0.255 any time-range QQQ_Control
permit ip 192.168.3.0 0.0.0.255 any time-range QQQ_Control
permit ip 192.168.6.0 0.0.0.255 any time-range QQQ_Control
remark ICMP Full Access
permit icmp object-group QQQ_User_Group any
permit tcp 192.168.2.0 0.0.0.255 eq www 443 8080 5190 1863 any time-range QQQ_Control
permit tcp 192.168.3.0 0.0.0.255 eq www 443 8080 5190 1863 any time-range QQQ_Control
permit tcp 192.168.6.0 0.0.0.255 eq www 443 8080 5190 1863 any time-range QQQ_Control
permit udp 192.168.6.0 0.0.0.255 eq 80 443 8080 5190 1863 any time-range QQQ_Control
permit tcp 192.168.0.0 0.0.0.255 eq www 443 8080 5190 1863 any time-range QQQ_Control
permit udp 192.168.0.0 0.0.0.255 eq 80 443 8080 5190 1863 any time-range QQQ_Control
permit udp 192.168.2.0 0.0.0.255 eq 80 443 8080 5190 1863 any time-range QQQ_Control
permit udp 192.168.3.0 0.0.0.255 eq 80 443 8080 5190 1863 any time-range QQQ_Control
ip access-list extended QQQ_NAT
remark CCP_ACL Category=18
remark IPSec Rule
deny ip 192.168.0.0 0.0.255.255 192.168.100.0 0.0.0.255
permit ip any any
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
ip access-list extended SDM_HTTP
remark CCP_ACL Category=0
permit tcp any any eq telnet
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=0
permit tcp any any eq 443
ip access-list extended SDM_IP
remark CCP_ACL Category=1
permit ip any any
ip access-list extended SIP
remark CCP_ACL Category=128
permit ip any 192.168.4.0 0.0.0.255
ip access-list extended Telnet
remark CCP_ACL Category=128
permit ip any any
ip access-list extended dmz-traffic
remark CCP_ACL Category=1
permit ip any 192.168.4.0 0.0.0.255
access-list 1 remark CCP_ACL Category=2
access-list 1 remark QQQ_DMZ
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 remark QQQ_LAN
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 3 remark QQQ Insid NAT
access-list 3 remark CCP_ACL Category=2
access-list 3 permit 192.168.0.0 0.0.0.255
access-list 3 permit 192.168.1.0 0.0.0.255
access-list 3 permit 192.168.2.0 0.0.0.255
access-list 3 permit 192.168.3.0 0.0.0.255
access-list 3 permit 192.168.4.0 0.0.0.255
access-list 3 permit 192.168.5.0 0.0.0.255
access-list 3 permit 192.168.6.0 0.0.0.255
access-list 3 permit 192.168.7.0 0.0.0.255
access-list 3 permit 192.168.8.0 0.0.0.255
access-list 3 permit 192.168.9.0 0.0.0.255
access-list 3 permit 192.168.10.0 0.0.0.255
access-list 4 remark QQQ_NAT
access-list 4 remark CCP_ACL Category=2
access-list 4 permit 10.1.0.0 0.0.255.255
access-list 4 permit 10.8.0.0 0.0.0.255
access-list 4 permit 192.168.0.0 0.0.0.255
access-list 4 permit 192.168.1.0 0.0.0.255
access-list 4 permit 192.168.2.0 0.0.0.255
access-list 4 permit 192.168.3.0 0.0.0.255
access-list 4 permit 192.168.4.0 0.0.0.255
access-list 4 permit 192.168.5.0 0.0.0.255
access-list 4 permit 192.168.6.0 0.0.0.255
access-list 4 permit 192.168.7.0 0.0.0.255
access-list 4 permit 192.168.8.0 0.0.0.255
access-list 4 permit 192.168.9.0 0.0.0.255
access-list 4 permit 192.168.10.0 0.0.0.255
access-list 5 remark HTTP Access-class list
access-list 5 remark CCP_ACL Category=1
access-list 5 permit 192.168.4.0 0.0.0.255
access-list 5 permit 192.168.0.0 0.0.0.255
access-list 5 deny any
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip 192.168.4.0 0.0.0.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip host 255.255.255.255 any
access-list 101 remark QQQ_Extended_ACL
access-list 101 remark CCP_ACL Category=1
access-list 101 permit tcp any host 192.168.0.254 eq 10000
access-list 101 permit udp any host 192.168.0.254 eq non500-isakmp
access-list 101 permit udp any host 192.168.0.254 eq isakmp
access-list 101 permit esp any host 192.168.0.254
access-list 101 permit ahp any host 192.168.0.254
access-list 101 remark Auto generated by CCP for NTP (123) 203.12.160.2
access-list 101 permit udp host 203.12.160.2 eq ntp host 192.168.4.254 eq ntp
access-list 101 permit udp host 192.168.0.6 eq domain any
access-list 101 remark NTP (123) 203.12.160.2
access-list 101 permit udp host 203.12.160.2 eq ntp any eq ntp
access-list 101 remark QQQ_ANY_Any
access-list 101 permit ip object-group QQQ.Local any
access-list 101 remark QQQ_DMZ
access-list 101 permit ip any 192.168.4.0 0.0.0.255
access-list 101 remark QQQ_GRE
access-list 101 permit gre any any
access-list 101 remark QQQ_Ping
access-list 101 permit icmp any any
access-list 102 remark CCP_ACL Category=1
access-list 102 permit tcp any any eq 10000
access-list 103 permit tcp any 192.168.0.0 0.0.0.255 eq 443
access-list 103 remark CCP_ACL Category=1
access-list 103 permit tcp any any eq 10000
access-list 103 permit tcp any 192.168.4.0 0.0.0.255 eq 8022
access-list 103 permit tcp any 192.168.4.0 0.0.0.255 eq telnet
access-list 103 permit tcp any 192.168.4.0 0.0.0.255 eq www
access-list 103 permit tcp any 192.168.4.0 0.0.0.255 eq 5060
access-list 103 permit tcp any eq telnet host 192.168.0.254
access-list 103 permit tcp any 192.168.0.0 0.0.0.255 eq telnet
access-list 103 permit udp any 192.168.4.0 0.0.0.255 eq 5060
access-list 103 permit udp any 192.168.4.0 0.0.0.255 range 10001 12000
access-list 104 remark CCP_ACL Category=1
access-list 104 permit tcp any any eq 10000
access-list 105 remark CCP_ACL Category=1
access-list 105 permit tcp any any eq 10000
access-list 106 remark CCP_ACL Category=1
access-list 106 permit tcp any any eq 10000
access-list 107 remark CCP_ACL Category=1
access-list 107 permit tcp any any eq 10000
access-list 108 remark CCP_ACL Category=1
access-list 108 permit tcp any any eq 10000
access-list 109 remark CCP_ACL Category=1
access-list 109 permit tcp any any eq 10000
access-list 110 remark CCP_ACL Category=1
access-list 110 permit tcp any any eq 10000
access-list 111 remark CCP_ACL Category=1
access-list 111 permit tcp any any eq 10000
access-list 112 remark CCP_ACL Category=1
access-list 112 permit tcp any any eq 10000
access-list 113 remark CCP_ACL Category=1
access-list 113 permit tcp any any eq 10000
access-list 114 remark CCP_ACL Category=1
access-list 114 permit tcp any any eq 10000
access-list 115 remark CCP_ACL Category=1
access-list 115 permit tcp any any eq 10000
access-list 116 remark CCP_ACL Category=4
access-list 116 remark IPSec Rule
access-list 116 permit ip 192.168.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 117 remark CCP_ACL Category=128
access-list 117 permit ip any any
access-list 117 permit ip host 220.245.109.219 any
access-list 118 remark CCP_ACL Category=0
access-list 118 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 119 remark CCP_ACL Category=4
access-list 119 remark IPSec Rule
access-list 119 permit ip 192.168.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 120 remark CCP_ACL Category=0
access-list 120 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 121 remark CCP_ACL Category=0
access-list 121 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 122 remark CCP_ACL Category=0
access-list 122 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.255.255
dialer-list 1 protocol ip permit
route-map SDM_RMAP_1 permit 1
match ip address QQQ_NAT
banner login ^CCWelcome to QQQ ADSL Gateway
It turns out the problem had nothing to do with wires or splitters. The Verizon tech was at my house yesterday and the ONT was failing. He replaced part of the ONT and it fixed the problem (finally!). At least I was able to watch the Celtics game last night.
I have a Tellabs ONT. Not sure of the model, but it's older, like the ones in this thread.
http://www.dslreports.com/forum/r19982000-Mounting-board-for-612-ONT
-
How to IPsec site to site vpn port forwarding to remote site?
Hi All,
The scenario: a site-to-site VPN tunnel has been established between Site A and Site B. The LAN on Site A can ping the LAN on Site B. My problem is that a printer behind Site B needs to be accessed by using the WAN IP address of Site A. Also, I could not ping the remote LAN or the printer from the router.
Below is my configuration on the Cisco 877 in Site A. Would you please advise a solution for that?
Building configuration...
Current configuration : 5425 bytes
! Last configuration change at 15:09:21 PCTime Fri Jun 15 2012 by admin01
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Laverton
boot-start-marker
boot-end-marker
logging message-counter syslog
no logging buffered
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
clock timezone PCTime 10
crypto pki trustpoint TP-self-signed-1119949081
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1119949081
revocation-check none
rsakeypair TP-self-signed-1119949081
crypto pki certificate chain TP-self-signed-1119949081
certificate self-signed 01
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
69666963 6174652D 31313139 39343930 3831301E 170D3132 30363135 30343032
30385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31313939
quit
dot11 syslog
ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.50
ip dhcp pool DHCP_LAN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 61.9.134.49
lease infinite
ip cef
no ipv6 cef
multilink bundle-name authenticated
object-group network VPN
description ---Port Forward to vpn Turnnel---
host 192.168.2.99
username admin01 privilege 15 secret 5 $1$6pJE$ngWtGp051xpSXLAizsX6B.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key mypasswordkey address 0.0.0.0 0.0.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
match address 100
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
archive
log config
hidekeys
no ip ftp passive
interface ATM0
description ---Telstra ADSL---
no ip address
no atm ilmi-keepalive
pvc 8/35
tx-ring-limit 3
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
dsl operating-mode auto
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
switchport access vlan 10
shutdown
interface FastEthernet3
interface Vlan1
description ---Ethernet LAN---
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1420
interface Vlan10
ip dhcp relay information trusted
ip dhcp relay information check-reply none
no ip dhcp client request tftp-server-address
no ip dhcp client request netbios-nameserver
no ip dhcp client request vendor-specific
no ip dhcp client request static-route
ip address dhcp
ip nat outside
ip virtual-reassembly
interface Dialer0
description ---ADSL Detail---
ip address negotiated
ip mtu 1460
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1420
dialer pool 1
dialer-group 1
ppp chap hostname [email protected]
ppp chap password 0 mypassword
crypto map SDM_CMAP_1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source static tcp 192.168.2.99 80 interface Dialer0 8000
ip nat inside source static tcp 192.168.2.99 9100 interface Dialer0 9100
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source route-map SDM_RMAP_2 interface Dialer0 overload
ip access-list extended NAT
remark CCP_ACL Category=16
remark IPSec Rule
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
match ip address NAT
route-map SDM_RMAP_2 permit 1
match ip address 101
control-plane
line con 0
no modem enable
line aux 0
line vty 0 4
transport input telnet ssh
scheduler max-task-time 5000
end
Your help would be much appreciated!
PS: I know it would be easier if I configured Site A as the VPN server, but in our scenario we need to access the printer from the internet over the static WAN IP of Site A.
Thanks,
Thai
Is there anyone who can help, please?
-
Port Forwarding for Cisco ASA 5505 VPN
This is the Network
Linksys E2500 ---> Cisco ASA 5505 ---> Server
I believe I need to forward some ports to the ASA to use the IPsec VPN I just set up. I had the SSL VPN working but only needed to forward 443 for that. I assume that the IPsec tunnel uses a specific port.
Thank you

For IPsec VPN, you need to port forward UDP/500 and UDP/4500, and remember to enable NAT-T on the ASA.
Command to enable NAT-T on ASA:
crypto isakmp nat-traversal 30
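The answer above says what to forward (UDP/500 and UDP/4500) and to enable NAT-T. As an added example, not code from this thread or from Cisco, the following Python shows what actually travels on those two ports and what a NAT-T capable peer checks: the non-ESP marker and keepalive that separate IKE from ESP on UDP/4500 (RFC 3948), the ISAKMP header and payload chain (RFC 2408, including the zero RESERVED byte check that the IOS debug further down reports as a malformed message), the vendor IDs that announce NAT-T and DPD (RFC 3947, RFC 3706, the same ones that debug names), and the NAT-D hash comparison that decides which side is behind NAT (RFC 3947). The cookies, the sample datagrams and the addresses (192.0.2.1, 198.51.100.7, 203.0.113.9, 10.0.0.5) are constructed for the demonstration, and the function names are my own.

```python
# Added example (not from the thread, not Cisco code): IKEv1/ISAKMP parsing for UDP/500
# and UDP/4500 per RFC 2408, RFC 3947 and RFC 3948; all cookies, addresses and datagrams
# below are constructed for the demonstration.
import hashlib
import socket
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # I-cookie, R-cookie, next, version, exchange, flags, msg id, length
PAYLOAD_HDR = struct.Struct("!BBH")         # next payload, RESERVED (must be 0), payload length
EXCHANGE = {2: "Identity Protection (main mode)", 4: "Aggressive", 5: "Informational", 32: "Quick Mode"}
SA, KE, VENDOR_ID, NAT_D = 1, 4, 13, 20     # payload types; 20 is NAT-D as assigned in RFC 3947
KNOWN_VIDS = {                              # vendor IDs seen in main-mode message 1
    hashlib.md5(b"RFC 3947").digest(): "NAT-T RFC 3947",                    # VID is MD5 of the RFC name
    hashlib.md5(b"draft-ietf-ipsec-nat-t-ike-03").digest(): "NAT-T draft-03",
    bytes.fromhex("afcad71368a1f1c96b8696fc77570100"): "DPD (RFC 3706)",  # fixed constant, version 1.0
}

def classify_udp4500(data):
    """Separate what shares UDP/4500 (RFC 3948): NAT keepalive, IKE behind a non-ESP marker, or ESP."""
    if data == b"\xff":
        return "keepalive", b""
    if data[:4] == b"\x00\x00\x00\x00":  # non-ESP marker: an ISAKMP message follows
        return "isakmp", data[4:]
    return "esp", data                   # a real ESP SPI is never zero, so this is UDP-encapsulated ESP

def parse_isakmp(data):
    """Return header fields and the (type, body) payload chain; reject malformed messages."""
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    i_spi, r_spi, nxt, ver, exch, flags, msgid, length = ISAKMP_HDR.unpack_from(data)
    if length != len(data):
        raise ValueError(f"header length {length} != datagram length {len(data)}")
    payloads, off = [], ISAKMP_HDR.size
    while nxt != 0:
        if off + PAYLOAD_HDR.size > len(data):
            raise ValueError("truncated payload header")
        p_next, reserved, p_len = PAYLOAD_HDR.unpack_from(data, off)
        if reserved != 0:  # RFC 2408 requires zero; IOS reports this as a malformed message
            raise ValueError(f"reserved byte not zero in payload type {nxt}")
        if p_len < PAYLOAD_HDR.size or off + p_len > len(data):
            raise ValueError("bad payload length")
        payloads.append((nxt, data[off + PAYLOAD_HDR.size:off + p_len]))
        nxt, off = p_next, off + p_len
    return {"i_spi": i_spi, "r_spi": r_spi, "version": (ver >> 4, ver & 0xF), "flags": flags,
            "exchange": EXCHANGE.get(exch, str(exch)), "message_id": msgid, "payloads": payloads}

def is_well_formed(data):
    try:
        parse_isakmp(data)
        return True
    except ValueError:
        return False

def vendor_ids(parsed):
    return [KNOWN_VIDS.get(b, "unknown:" + b.hex()) for t, b in parsed["payloads"] if t == VENDOR_ID]

def nat_d_hash(i_spi, r_spi, ip, port):
    """RFC 3947 section 3.2: HASH = SHA1(CKY-I | CKY-R | IP | Port)."""
    return hashlib.sha1(i_spi + r_spi + socket.inet_aton(ip) + struct.pack("!H", port)).digest()

def nat_check(parsed, seen_src_ip, seen_src_port, my_ip, my_port=500):
    """First NAT-D is the sender's view of our address, the rest are the sender's own addresses.
    Compare both against what the datagram really carried to learn which side sits behind NAT."""
    hashes = [b for t, b in parsed["payloads"] if t == NAT_D]
    if len(hashes) < 2:
        return None  # peer did not do NAT detection
    args = (parsed["i_spi"], parsed["r_spi"])
    return {"self_behind_nat": nat_d_hash(*args, my_ip, my_port) != hashes[0],
            "peer_behind_nat": nat_d_hash(*args, seen_src_ip, seen_src_port) not in hashes[1:]}

# --- constructed sample datagrams (documentation/private addresses, made-up cookies) ---
I_SPI, R_SPI = bytes.fromhex("0011223344556677"), bytes.fromhex("8899aabbccddeeff")

def build_isakmp(i_spi, r_spi, exch, payloads, msgid=0):
    """payloads: list of (type, body); each generic header names the type that follows it."""
    body = b""
    for idx, (_, pb) in enumerate(payloads):
        nxt = payloads[idx + 1][0] if idx + 1 < len(payloads) else 0
        body += PAYLOAD_HDR.pack(nxt, 0, PAYLOAD_HDR.size + len(pb)) + pb
    first = payloads[0][0] if payloads else 0
    return ISAKMP_HDR.pack(i_spi, r_spi, first, 0x10, exch, 0, msgid, ISAKMP_HDR.size + len(body)) + body

def sample_mm1():
    """Main-mode message 1: SA proposal plus vendor IDs; the responder cookie is still zero."""
    return build_isakmp(I_SPI, bytes(8), 2, [(SA, b"\x00\x00\x00\x01")] + [(VENDOR_ID, v) for v in KNOWN_VIDS])

def sample_mm3(peer_real_ip, our_ip="192.0.2.1"):
    """Main-mode message 3 from a peer whose real address is peer_real_ip, NAT-D payloads in RFC order."""
    nat_ds = [(NAT_D, nat_d_hash(I_SPI, R_SPI, our_ip, 500)), (NAT_D, nat_d_hash(I_SPI, R_SPI, peer_real_ip, 500))]
    return build_isakmp(I_SPI, R_SPI, 2, [(KE, b"\x00" * 8)] + nat_ds)

if __name__ == "__main__":
    kind, inner = classify_udp4500(b"\x00\x00\x00\x00" + sample_mm1())
    p = parse_isakmp(inner)
    print(kind, p["exchange"], vendor_ids(p))
    print(nat_check(parse_isakmp(sample_mm3("10.0.0.5")), "198.51.100.7", 500, "192.0.2.1"))
```

Run as a script it classifies a constructed main-mode message 1 and gives the NAT verdict for a peer whose real address is 10.0.0.5 but whose packets arrive from 198.51.100.7. The point that matters for the port-forwarding question is in classify_udp4500: once the NAT-D comparison detects a NAT, both the rest of the IKE exchange and the ESP data move to UDP/4500, so forwarding UDP/500 alone leaves the tunnel unable to complete.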
-
Isakmp error major 69,245,157,123 mismatch
Hello,
I am doing a test lab for DMVPN and I couldn't find the cause of one spoke's ISAKMP error. The interesting part is that I have done the same for another spoke, which has successfully created a VPN with the hub. There is no firewall or ACL between these two routers. I would appreciate any assistance. I have uploaded the hub and spoke configurations, and the error messages at the hub and spoke are given below:
Debug isakmp error at Hub Side:
*Jan 27 15:13:00.523: ISAKMP (0): received packet from 80.x.x.x dport 500 sport 500 Global (N) NEW SA
*Jan 27 15:13:00.523: ISAKMP: Created a peer struct for 80.x.x.x, peer port 500
*Jan 27 15:13:00.523: ISAKMP: New peer created peer = 0x2B96890 peer_handle = 0x80002A44
*Jan 27 15:13:00.523: ISAKMP: Locking peer struct 0x2B96890, refcount 1 for crypto_isakmp_process_block
*Jan 27 15:13:00.523: ISAKMP: local port 500, remote port 500
*Jan 27 15:13:00.523: ISAKMP:(0):insert sa successfully sa = 10BB3F84
*Jan 27 15:13:00.523: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jan 27 15:13:00.523: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Jan 27 15:13:00.523: ISAKMP:(0): processing SA payload. message ID = 0
*Jan 27 15:13:00.523: ISAKMP:(0): processing vendor id payload
*Jan 27 15:13:00.523: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jan 27 15:13:00.523: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jan 27 15:13:00.523: ISAKMP:(0): processing vendor id payload
*Jan 27 15:13:00.523: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Jan 27 15:13:00.523: ISAKMP (0): vendor ID is NAT-T v7
*Jan 27 15:13:00.523: ISAKMP:(0): processing vendor id payload
*Jan 27 15:13:00.523: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Jan 27 15:13:00.523: ISAKMP:(0): vendor ID is NAT-T v3
*Jan 27 15:13:00.523: ISAKMP:(0): processing vendor id payload
*Jan 27 15:13:00.523: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jan 27 15:13:00.523: ISAKMP:(0): vendor ID is NAT-T v2
*Jan 27 15:13:00.523: ISAKMP:(0):found peer pre-shared key matching 80.x.x.x
*Jan 27 15:13:00.523: ISAKMP:(0): local preshared key found
*Jan 27 15:13:00.523: ISAKMP : Scanning profiles for xauth ...
*Jan 27 15:13:00.523: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Jan 27 15:13:00.523: ISAKMP: encryption AES-CBC
*Jan 27 15:13:00.523: ISAKMP: keylength of 256
*Jan 27 15:13:00.523: ISAKMP: hash SHA
*Jan 27 15:13:00.523: ISAKMP: default group 5
*Jan 27 15:13:00.523: ISAKMP: auth pre-share
*Jan 27 15:13:00.523: ISAKMP: life type in seconds
*Jan 27 15:13:00.523: ISAKMP: life duration (basic) of 3600
*Jan 27 15:13:00.523: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jan 27 15:13:00.523: ISAKMP:(0):Acceptable atts:actual life: 0
*Jan 27 15:13:00.523: ISAKMP:(0):Acceptable atts:life: 0
*Jan 27 15:13:00.523: ISAKMP:(0):Basic life_in_seconds:3600
*Jan 27 15:13:00.523: ISAKMP:(0):Returning Actual lifetime: 3600
*Jan 27 15:13:00.523: ISAKMP:(0)::Started lifetime timer: 3600.
*Jan 27 15:13:00.523: ISAKMP:(0): processing vendor id payload
*Jan 27 15:13:00.523: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jan 27 15:13:00.523: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jan 27 15:13:00.523: ISAKMP:(0): processing vendor id payload
*Jan 27 15:13:00.527: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Jan 27 15:13:00.527: ISAKMP (0): vendor ID is NAT-T v7
*Jan 27 15:13:00.527: ISAKMP:(0): processing vendor id payload
*Jan 27 15:13:00.527: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Jan 27 15:13:00.527: ISAKMP:(0): vendor ID is NAT-T v3
*Jan 27 15:13:00.527: ISAKMP:(0): processing vendor id payload
*Jan 27 15:13:00.527: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jan 27 15:13:00.527: ISAKMP:(0): vendor ID is NAT-T v2
*Jan 27 15:13:00.527: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jan 27 15:13:00.527: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Jan 27 15:13:00.527: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Jan 27 15:13:00.527: ISAKMP:(0): sending packet to 80.x.x.x my_port 500 peer_port 500 (R) MM_SA_SETUP
*Jan 27 15:13:00.527: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan 27 15:13:00.527: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jan 27 15:13:00.527: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Jan 27 15:13:00.527: ISAKMP (0): received packet from 80.x.x.x dport 500 sport 500 Global (R) MM_SA_SETUP
*Jan 27 15:13:00.527: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jan 27 15:13:00.527: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
*Jan 27 15:13:00.527: ISAKMP:(0): processing KE payload. message ID = 0
*Jan 27 15:13:00.531: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jan 27 15:13:00.531: ISAKMP:(0):found peer pre-shared key matching 80.x.x.x
*Jan 27 15:13:00.531: ISAKMP:(14514): processing vendor id payload
*Jan 27 15:13:00.531: ISAKMP:(14514): vendor ID is DPD
*Jan 27 15:13:00.531: ISAKMP:(14514): processing vendor id payload
*Jan 27 15:13:00.531: ISAKMP:(14514): speaking to another IOS box!
*Jan 27 15:13:00.531: ISAKMP:(14514): processing vendor id payload
*Jan 27 15:13:00.531: ISAKMP:(14514): vendor ID seems Unity/DPD but major 196 mismatch
*Jan 27 15:13:00.531: ISAKMP:(14514): vendor ID is XAUTH
*Jan 27 15:13:00.531: ISAKMP:received payload type 20
*Jan 27 15:13:00.531: ISAKMP (14514): His hash no match - this node outside NAT
*Jan 27 15:13:00.531: ISAKMP:received payload type 20
*Jan 27 15:13:00.531: ISAKMP (14514): No NAT Found for self or peer
*Jan 27 15:13:00.531: ISAKMP:(14514):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jan 27 15:13:00.531: ISAKMP:(14514):Old State = IKE_R_MM3 New State = IKE_R_MM3
*Jan 27 15:13:00.531: ISAKMP:(14514): sending packet to 80.x.x.x my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jan 27 15:13:00.531: ISAKMP:(14514):Sending an IKE IPv4 Packet.
*Jan 27 15:13:00.531: ISAKMP:(14514):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jan 27 15:13:00.531: ISAKMP:(14514):Old State = IKE_R_MM3 New State = IKE_R_MM4
*Jan 27 15:13:00.607: ISAKMP (14514): received packet from 80.x.x.x dport 500 sport 500 Global (R) MM_KEY_EXCH
*Jan 27 15:13:00.607: ISAKMP: reserved not zero on ID payload!
*Jan 27 15:13:00.607: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 80.x.x.x failed its sanity check or is malformed
*Jan 27 15:13:00.607: ISAKMP (14514): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
*Jan 27 15:13:01.607: ISAKMP:(14514): retransmitting phase 1 MM_KEY_EXCH...
*Jan 27 15:13:01.607: ISAKMP (14514): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Jan 27 15:13:01.607: ISAKMP:(14514): retransmitting phase 1 MM_KEY_EXCH
*Jan 27 15:13:01.607: ISAKMP:(14514): sending packet to 80.x.x.x my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jan 27 15:13:01.607: ISAKMP:(14514):Sending an IKE IPv4 Packet.
*Jan 27 15:13:10.607: ISAKMP (14514): received packet from 80.x.x.x dport 500 sport 500 Global (R) MM_KEY_EXCH
*Jan 27 15:13:10.607: ISAKMP:(14514): phase 1 packet is a duplicate of a previous packet.
*Jan 27 15:13:10.607: ISAKMP:(14514): retransmitting due to retransmit phase 1
*Jan 27 15:13:11.107: ISAKMP:(14514): retransmitting phase 1 MM_KEY_EXCH...
*Jan 27 15:13:11.107: ISAKMP (14514): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Jan 27 15:13:11.107: ISAKMP:(14514): retransmitting phase 1 MM_KEY_EXCH
*Jan 27 15:13:11.107: ISAKMP:(14514): sending packet to 80.x.x.x my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jan 27 15:13:11.107: ISAKMP:(14514):Sending an IKE IPv4 Packet.
*Jan 27 15:13:20.607: ISAKMP (14514): received packet from 80.x.x.x dport 500 sport 500 Global (R) MM_KEY_EXCH
*Jan 27 15:13:20.607: ISAKMP:(14514): phase 1 packet is a duplicate of a previous packet.
*Jan 27 15:13:20.607: ISAKMP:(14514): retransmitting due to retransmit phase 1
*Jan 27 15:13:21.107: ISAKMP:(14514): retransmitting phase 1 MM_KEY_EXCH...
*Jan 27 15:13:21.107: ISAKMP (14514): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Jan 27 15:13:21.107: ISAKMP:(14514): retransmitting phase 1 MM_KEY_EXCH
*Jan 27 15:13:21.107: ISAKMP:(14514): sending packet to 80.x.x.x my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jan 27 15:13:21.107: ISAKMP:(14514):Sending an IKE IPv4 Packet.
*Jan 27 15:13:30.607: ISAKMP (14514): received packet from 80.x.x.x dport 500 sport 500 Global (R) MM_KEY_EXCH
*Jan 27 15:13:30.607: ISAKMP:(14514): phase 1 packet is a duplicate of a previous packet.
*Jan 27 15:13:30.607: ISAKMP:(14514): retransmitting due to retransmit phase 1
*Jan 27 15:13:31.107: ISAKMP:(14514): retransmitting phase 1 MM_KEY_EXCH...
*Jan 27 15:13:31.107: ISAKMP (14514): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Jan 27 15:13:31.107: ISAKMP:(14514): retransmitting phase 1 MM_KEY_EXCH
*Jan 27 15:13:31.107: ISAKMP:(14514): sending packet to 80.x.x.x my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jan 27 15:13:31.107: ISAKMP:(14514):Sending an IKE IPv4 Packet.
*Jan 27 15:13:40.607: ISAKMP (14514): received packet from 80.x.x.x dport 500 sport 500 Global (R) MM_KEY_EXCH
*Jan 27 15:13:40.607: ISAKMP:(14514): phase 1 packet is a duplicate of a previous packet.
*Jan 27 15:13:40.607: ISAKMP:(14514): retransmitting due to retransmit phase 1
*Jan 27 15:13:41.107: ISAKMP:(14514): retransmitting phase 1 MM_KEY_EXCH...
*Jan 27 15:13:41.107: ISAKMP:(14514):peer does not do paranoid keepalives.
*Jan 27 15:13:41.107: ISAKMP:(14514):deleting SA reason "Death by retransmission P1" state (R) MM_KEY_EXCH (peer 80.x.x.x)
*Jan 27 15:13:41.107: ISAKMP:(14514):deleting SA reason "Death by retransmission P1" state (R) MM_KEY_EXCH (peer 80.x.x.x)
*Jan 27 15:13:41.107: ISAKMP: Unlocking peer struct 0x2B96890 for isadb_mark_sa_deleted(), count 0
*Jan 27 15:13:41.107: ISAKMP: Deleting peer node by peer_reap for 80.x.x.x: 2B96890
*Jan 27 15:13:41.107: ISAKMP:(14514):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Jan 27 15:13:41.107: ISAKMP:(14514):Old State = IKE_R_MM4 New State = IKE_DEST_SA
*Jan 27 15:13:50.607: ISAKMP (14514): received packet from 80.x.x.x dport 500 sport 500 Global (R) MM_NO_STATE
*Jan 27 15:14:01.439: ISAKMP (0): received packet from 80.x.x.x dport 500 sport 500 Global (N) NEW SA
*Jan 27 15:14:01.439: ISAKMP: Created a peer struct for 80.x.x.x, peer port 500
*Jan 27 15:14:01.439: ISAKMP: New peer created peer = 0x14BDDFFC peer_handle = 0x80002A46
*Jan 27 15:14:01.439: ISAKMP: Locking peer struct 0x14BDDFFC, refcount 1 for crypto_isakmp_process_block
*Jan 27 15:14:01.439: ISAKMP: local port 500, remote port 500
*Jan 27 15:14:01.439: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 2B94390
*Jan 27 15:14:01.439: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jan 27 15:14:01.439: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Jan 27 15:14:01.439: ISAKMP:(0): processing SA payload. message ID = 0
*Jan 27 15:14:01.439: ISAKMP:(0): processing vendor id payload
*Jan 27 15:14:01.439: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jan 27 15:14:01.439: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jan 27 15:14:01.439: ISAKMP:(0): processing vendor id payload
*Jan 27 15:14:01.439: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Jan 27 15:14:01.439: ISAKMP (0): vendor ID is NAT-T v7
*Jan 27 15:14:01.439: ISAKMP:(0): processing vendor id payload
*Jan 27 15:14:01.439: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Jan 27 15:14:01.439: ISAKMP:(0): vendor ID is NAT-T v3
*Jan 27 15:14:01.439: ISAKMP:(0): processing vendor id payload
*Jan 27 15:14:01.439: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jan 27 15:14:01.439: ISAKMP:(0): vendor ID is NAT-T v2
*Jan 27 15:14:01.439: ISAKMP:(0):found peer pre-shared key matching 80.x.x.x
*Jan 27 15:14:01.439: ISAKMP:(0): local preshared key found
*Jan 27 15:14:01.439: ISAKMP : Scanning profiles for xauth ...
*Jan 27 15:14:01.439: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Jan 27 15:14:01.439: ISAKMP: encryption AES-CBC
*Jan 27 15:14:01.439: ISAKMP: keylength of 256
*Jan 27 15:14:01.439: ISAKMP: hash SHA
*Jan 27 15:14:01.439: ISAKMP: default group 5
*Jan 27 15:14:01.439: ISAKMP: auth pre-share
*Jan 27 15:14:01.439: ISAKMP: life type in seconds
*Jan 27 15:14:01.439: ISAKMP: life duration (basic) of 3600
*Jan 27 15:14:01.439: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jan 27 15:14:01.439: ISAKMP:(0):Acceptable atts:actual life: 0
*Jan 27 15:14:01.439: ISAKMP:(0):Acceptable atts:life: 0
*Jan 27 15:14:01.439: ISAKMP:(0):Basic life_in_seconds:3600
*Jan 27 15:14:01.439: ISAKMP:(0):Returning Actual lifetime: 3600
*Jan 27 15:14:01.439: ISAKMP:(0)::Started lifetime timer: 3600.
# sh crypto isakmp sa (at Hub)
IPv4 Crypto ISAKMP SA
dst src state conn-id status
83.X.X.X 62.Y.Y.Y QM_IDLE 14577 ACTIVE
62.Y.Y.Y 80.X.X.X MM_KEY_EXCH 14589 ACTIVE
62.Y.Y.Y 80.X.X.X MM_NO_STATE 14588 ACTIVE (deleted)
Debug isakmp error at Spoke side:
*Jan 27 14:43:50.595: ISAKMP: set new node 0 to QM_IDLE
*Jan 27 14:43:50.595: ISAKMP:(4178):SA is still budding. Attached new ipsec request to it. (local 80.X.X.X, remote 62.Y.Y.Y)
*Jan 27 14:43:50.595: ISAKMP: Error while processing SA request: Failed to initialize SA
*Jan 27 14:43:50.595: ISAKMP: Error while processing KMI message 0, error 2.
*Jan 27 14:43:50.602: ISAKMP:(4178): retransmitting phase 1 MM_KEY_EXCH...
*Jan 27 14:43:50.602: ISAKMP (4178): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Jan 27 14:43:50.602: ISAKMP:(4178): retransmitting phase 1 MM_KEY_EXCH
*Jan 27 14:43:50.602: ISAKMP:(4178): sending packet to 62.Y.Y.Y my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Jan 27 14:43:50.602: ISAKMP:(4178):Sending an IKE IPv4 Packet.
*Jan 27 14:43:51.617: ISAKMP (4178): received packet from 62.Y.Y.Y dport 500 sport 500 Global (I) MM_KEY_EXCH
*Jan 27 14:43:51.617: ISAKMP:(4178): phase 1 packet is a duplicate of a previous packet.
*Jan 27 14:43:51.617: ISAKMP:(4178): retransmission skipped for phase 1 (time since last transmission 500)
*Jan 27 14:43:52.063: ISAKMP:(4178): retransmitting phase 1 MM_KEY_EXCH...
*Jan 27 14:43:52.063: ISAKMP (4178): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Jan 27 14:43:52.157: ISAKMP:(4178): retransmitting phase 1 MM_KEY_EXCH
*Jan 27 14:43:52.157: ISAKMP:(4178): sending packet to 62.Y.Y.Y my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Jan 27 14:43:52.256: ISAKMP:(4178):Sending an IKE IPv4 Packet.
*Jan 27 14:43:58.259: ISAKMP:(4177):purging node -1724346266
*Jan 27 14:43:58.468: ISAKMP:(4177):purging node 1984618017
*Jan 27 14:44:00.567: ISAKMP:(4178): retransmitting phase 1 MM_KEY_EXCH...
*Jan 27 14:44:00.567: ISAKMP (4178): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Jan 27 14:44:00.567: ISAKMP:(4178): retransmitting phase 1 MM_KEY_EXCH
*Jan 27 14:44:00.567: ISAKMP:(4178): sending packet to 62.Y.Y.Y my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Jan 27 14:44:00.567: ISAKMP:(4178):Sending an IKE IPv4 Packet.
*Jan 27 14:44:08.839: ISAKMP:(4177):purging SA., sa=322035C8, delme=322035C8
*Jan 27 14:44:10.487: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 80.X.X.X:0, remote= 62.Y.Y.Y:0,
local_proxy= 80.X.X.X/255.255.255.255/47/0,
remote_proxy= 62.Y.Y.Y/255.255.255.255/47/0
*Jan 27 14:47:10.567: ISAKMP:(4178): retransmitting phase 1 MM_KEY_EXCH...
*Jan 27 14:47:10.567: ISAKMP:(4178):peer does not do paranoid keepalives.
*Jan 27 14:47:10.567: ISAKMP:(4178):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 62.Y.Y.Y)
*Jan 27 14:47:10.567: ISAKMP:(4178):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 62.Y.Y.Y)
*Jan 27 14:47:10.567: ISAKMP: Unlocking peer struct 0x2B1155EC for isadb_mark_sa_deleted(), count 0
*Jan 27 14:47:10.567: ISAKMP: Deleting peer node by peer_reap for 62.Y.Y.Y: 2B1155EC
*Jan 27 14:47:10.567: ISAKMP:(4178):deleting node 365907352 error FALSE reason "IKE deleted"
*Jan 27 14:47:10.567: ISAKMP:(4178):deleting node -49897289 error FALSE reason "IKE deleted"
*Jan 27 14:47:10.567: ISAKMP:(4178):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Jan 27 14:47:10.567: ISAKMP:(4178):Old State = IKE_I_MM5 New State = IKE_DEST_SA
*Jan 27 14:47:10.567: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jan 27 14:47:13.571: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 80.X.X.X:500, remote= 62.Y.Y.Y:500,
local_proxy= 80.X.X.X/255.255.255.255/47/0,
remote_proxy= 62.Y.Y.Y/255.255.255.255/47/0,
protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Transport),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Jan 27 14:47:13.571: ISAKMP:(0): SA request profile is (NULL)
*Jan 27 14:47:13.571: ISAKMP: Created a peer struct for 62.Y.Y.Y, peer port 500
*Jan 27 14:47:13.571: ISAKMP: New peer created peer = 0x2B1155EC peer_handle = 0x800199D6
*Jan 27 14:47:13.571: ISAKMP: Locking peer struct 0x2B1155EC, refcount 1 for isakmp_initiator
*Jan 27 14:47:13.571: ISAKMP: local port 500, remote port 500
*Jan 27 14:47:13.571: ISAKMP: set new node 0 to QM_IDLE
*Jan 27 14:47:13.571: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 322035C8
*Jan 27 14:47:13.571: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Jan 27 14:47:13.571: ISAKMP:(0):found peer pre-shared key matching 62.Y.Y.Y
*Jan 27 14:47:13.571: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Jan 27 14:47:13.571: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Jan 27 14:47:13.571: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Jan 27 14:47:13.571: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Jan 27 14:47:13.571: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jan 27 14:47:13.571: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Jan 27 14:47:13.571: ISAKMP:(0): beginning Main Mode exchange
*Jan 27 14:47:13.571: ISAKMP:(0): sending packet to 62.Y.Y.Y my_port 500 peer_port 500 (I) MM_NO_STATE
*Jan 27 14:47:13.571: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan 27 14:47:13.571: ISAKMP (0): received packet from 62.Y.Y.Y dport 500 sport 500 Global (I) MM_NO_STATE
*Jan 27 14:47:13.571: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jan 27 14:47:13.571: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Jan 27 14:47:13.571: ISAKMP:(0): processing SA payload. message ID = 0
*Jan 27 14:47:13.571: ISAKMP:(0): processing vendor id payload
*Jan 27 14:47:13.571: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jan 27 14:47:13.571: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jan 27 14:47:13.571: ISAKMP:(0):found peer pre-shared key matching 62.Y.Y.Y
*Jan 27 14:47:13.575: ISAKMP:(0): local preshared key found
*Jan 27 14:47:13.575: ISAKMP : Scanning profiles for xauth ...
*Jan 27 14:47:13.575: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Jan 27 14:47:13.575: ISAKMP: encryption AES-CBC
*Jan 27 14:47:13.575: ISAKMP: keylength of 256
*Jan 27 14:47:13.575: ISAKMP: hash SHA
*Jan 27 14:47:13.575: ISAKMP: default group 5
*Jan 27 14:47:13.575: ISAKMP: auth pre-share
*Jan 27 14:47:13.575: ISAKMP: life type in seconds
*Jan 27 14:47:13.575: ISAKMP: life duration (basic) of 3600
*Jan 27 14:47:13.575: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jan 27 14:47:13.575: ISAKMP:(0):Acceptable atts:actual life: 0
*Jan 27 14:47:13.575: ISAKMP:(0):Acceptable atts:life: 0
*Jan 27 14:47:13.575: ISAKMP:(0):Basic life_in_seconds:3600
*Jan 27 14:47:13.575: ISAKMP:(0):Returning Actual lifetime: 3600
*Jan 27 14:47:13.575: ISAKMP:(0)::Started lifetime timer: 3600.
*Jan 27 14:47:13.575: ISAKMP:(0): processing vendor id payload
*Jan 27 14:47:13.575: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jan 27 14:47:13.575: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jan 27 14:47:13.575: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jan 27 14:47:13.575: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Jan 27 14:47:13.575: ISAKMP:(0): sending packet to 62.Y.Y.Y my_port 500 peer_port 500 (I) MM_SA_SETUP
*Jan 27 14:47:13.575: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan 27 14:47:13.575: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jan 27 14:47:13.575: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Jan 27 14:47:13.579: ISAKMP (0): received packet from 62.Y.Y.Y dport 500 sport 500 Global (I) MM_SA_SETUP
*Jan 27 14:47:13.579: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jan 27 14:47:13.579: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Jan 27 14:47:13.579: ISAKMP:(0): processing KE payload. message ID = 0
*Jan 27 14:47:13.651: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jan 27 14:47:13.651: ISAKMP:(0):found peer pre-shared key matching 62.Y.Y.Y
*Jan 27 14:47:13.651: ISAKMP:(4179): processing vendor id payload
*Jan 27 14:47:13.655: ISAKMP:(4179): vendor ID is Unity
*Jan 27 14:47:13.655: ISAKMP:(4179): processing vendor id payload
*Jan 27 14:47:13.655: ISAKMP:(4179): vendor ID is DPD
*Jan 27 14:47:13.655: ISAKMP:(4179): processing vendor id payload
*Jan 27 14:47:13.655: ISAKMP:(4179): speaking to another IOS box!
*Jan 27 14:47:13.655: ISAKMP:received payload type 20
*Jan 27 14:47:13.655: ISAKMP (4179): His hash no match - this node outside NAT
*Jan 27 14:47:13.655: ISAKMP:received payload type 20
*Jan 27 14:47:13.655: ISAKMP (4179): No NAT Found for self or peer
*Jan 27 14:47:13.655: ISAKMP:(4179):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jan 27 14:47:13.655: ISAKMP:(4179):Old State = IKE_I_MM4 New State = IKE_I_MM4
*Jan 27 14:47:13.655: ISAKMP:(4179):Send initial contact
*Jan 27 14:47:13.655: ISAKMP:(4179):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Jan 27 14:47:13.655: ISAKMP (4179): ID payload
next-payload : 8
type : 1
address : 80.X.X.X
protocol : 17
port : 500
length : 12
*Jan 27 14:47:13.655: ISAKMP:(4179):Total payload length: 12
*Jan 27 14:47:13.655: ISAKMP:(4179): sending packet to 62.Y.Y.Y my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Jan 27 14:47:13.655: ISAKMP:(4179):Sending an IKE IPv4 Packet.
*Jan 27 14:47:13.655: ISAKMP:(4179):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jan 27 14:47:13.655: ISAKMP:(4179):Old State = IKE_I_MM4 New State = IKE_I_MM5
*Jan 27 14:47:14.651: ISAKMP (4179): received packet from 62.Y.Y.Y dport 500 sport 500 Global (I) MM_KEY_EXCH
*Jan 27 14:47:14.651: ISAKMP:(4179): phase 1 packet is a duplicate of a previous packet.
*Jan 27 14:47:14.651: ISAKMP:(4179): retransmission skipped for phase 1 (time since last transmission 996)
*Jan 27 14:47:23.655: ISAKMP:(4179): retransmitting phase 1 MM_KEY_EXCH...
*Jan 27 14:47:23.655: ISAKMP (4179): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Jan 27 14:47:23.655: ISAKMP:(4179): retransmitting phase 1 MM_KEY_EXCH
*Jan 27 14:47:23.655: ISAKMP:(4179): sending packet to 62.Y.Y.Y my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Jan 27 14:47:23.655: ISAKMP:(4179):Sending an IKE IPv4 Packet.
*Jan 27 14:47:24.151: ISAKMP (4179): received packet from 62.Y.Y.Y dport 500 sport 500 Global (I) MM_KEY_EXCH
*Jan 27 14:47:24.151: ISAKMP:(4179): phase 1 packet is a duplicate of a previous packet.
*Jan 27 14:47:24.151: ISAKMP:(4179): retransmission skipped for phase 1 (time since last transmission 496)
*Jan 27 14:47:33.655: ISAKMP:(4179): retransmitting phase 1 MM_KEY_EXCH...
*Jan 27 14:47:33.655: ISAKMP (4179): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Jan 27 14:47:33.655: ISAKMP:(4179): retransmitting phase 1 MM_KEY_EXCH
*Jan 27 14:47:33.655: ISAKMP:(4179): sending packet to 62.Y.Y.Y my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Jan 27 14:47:33.655: ISAKMP:(4179):Sending an IKE IPv4 Packet.
*Jan 27 14:47:34.151: ISAKMP (4179): received packet from 62.Y.Y.Y dport 500 sport 500 Global (I) MM_KEY_EXCH
*Jan 27 14:47:34.151: ISAKMP:(4179): phase 1 packet is a duplicate of a previous packet.
*Jan 27 14:47:34.151: ISAKMP:(4179): retransmission skipped for phase 1 (time since last transmission 496)
*Jan 27 14:47:43.571: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 80.X.X.X:0, remote= 62.Y.Y.Y:0,
local_proxy= 80.X.X.X/255.255.255.255/47/0,
remote_proxy= 62.Y.Y.Y/255.255.255.255/47/0
*Jan 27 14:47:43.571: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 80.X.X.X:500, remote= 62.Y.Y.Y:500,
local_proxy= 80.X.X.X/255.255.255.255/47/0,
remote_proxy= 62.Y.Y.Y/255.255.255.255/47/0,
protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Transport),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Jan 27 14:47:43.571: ISAKMP: set new node 0 to QM_IDLE
*Jan 27 14:47:43.571: ISAKMP:(4179):SA is still budding. Attached new ipsec request to it. (local 80.X.X.X, remote 62.Y.Y.Y)
*Jan 27 14:47:43.571: ISAKMP: Error while processing SA request: Failed to initialize SA
*Jan 27 14:47:43.571: ISAKMP: Error while processing KMI message 0, error 2.
*Jan 27 14:47:43.655: ISAKMP:(4179): retransmitting phase 1 MM_KEY_EXCH...
*Jan 27 14:47:43.655: ISAKMP (4179): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Jan 27 14:47:43.655: ISAKMP:(4179): retransmitting phase 1 MM_KEY_EXCH
*Jan 27 14:47:43.655: ISAKMP:(4179): sending packet to 62.Y.Y.Y my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Jan 27 14:47:43.655: ISAKMP:(4179):Sending an IKE IPv4 Packet.
*Jan 27 14:47:44.151: ISAKMP (4179): received packet from 62.Y.Y.Y dport 500 sport 500 Global (I) MM_KEY_EXCH
*Jan 27 14:47:44.151: ISAKMP:(4179): phase 1 packet is a duplicate of a previous packet.
*Jan 27 14:47:44.151: ISAKMP:(4179): retransmission skipped for phase 1 (time since last transmission 496)
*Jan 27 14:47:53.655: ISAKMP:(4179): retransmitting phase 1 MM_KEY_EXCH...
*Jan 27 14:47:53.655: ISAKMP (4179): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Jan 27 14:47:53.655: ISAKMP:(4179): retransmitting phase 1 MM_KEY_EXCH
*Jan 27 14:47:53.655: ISAKMP:(4179): sending packet to 62.Y.Y.Y my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Jan 27 14:47:53.655: ISAKMP:(4179):Sending an IKE IPv4 Packet.
*Jan 27 14:48:00.567: ISAKMP:(4178):purging node 365907352
*Jan 27 14:48:00.567: ISAKMP:(4178):purging node -49897289
xnwn252#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
62.Y.Y.Y 80.X.X.X MM_NO_STATE 4270 ACTIVE (deleted)Hello,
I am doing a test lab for DMVPN and I couldn't find out the cause of the ISAKMP error on one of the spokes. The interesting part is that I have done the same for another spoke, which has successfully created a VPN with the hub. There is no firewall between these two routers, nor any ACL. I would appreciate any assistance. I have uploaded the hub and spoke configurations; the error messages at hub and spoke are given below:
Debug isakmp error at Hub Side:
*Jan 27 15:13:00.523: ISAKMP (0): received packet from 80.x.x.x dport 500 sport 500 Global (N) NEW SA
*Jan 27 15:13:00.523: ISAKMP: Created a peer struct for 80.x.x.x, peer port 500
*Jan 27 15:13:00.523: ISAKMP: New peer created peer = 0x2B96890 peer_handle = 0x80002A44
*Jan 27 15:13:00.523: ISAKMP: Locking peer struct 0x2B96890, refcount 1 for crypto_isakmp_process_block
*Jan 27 15:13:00.523: ISAKMP: local port 500, remote port 500
*Jan 27 15:13:00.523: ISAKMP:(0):insert sa successfully sa = 10BB3F84
*Jan 27 15:13:00.523: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jan 27 15:13:00.523: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Jan 27 15:13:00.523: ISAKMP:(0): processing SA payload. message ID = 0
*Jan 27 15:13:00.523: ISAKMP:(0): processing vendor id payload
*Jan 27 15:13:00.523: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jan 27 15:13:00.523: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jan 27 15:13:00.523: ISAKMP:(0): processing vendor id payload
*Jan 27 15:13:00.523: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Jan 27 15:13:00.523: ISAKMP (0): vendor ID is NAT-T v7
*Jan 27 15:13:00.523: ISAKMP:(0): processing vendor id payload
*Jan 27 15:13:00.523: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Jan 27 15:13:00.523: ISAKMP:(0): vendor ID is NAT-T v3
*Jan 27 15:13:00.523: ISAKMP:(0): processing vendor id payload
*Jan 27 15:13:00.523: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jan 27 15:13:00.523: ISAKMP:(0): vendor ID is NAT-T v2
*Jan 27 15:13:00.523: ISAKMP:(0):found peer pre-shared key matching 80.x.x.x
*Jan 27 15:13:00.523: ISAKMP:(0): local preshared key found
*Jan 27 15:13:00.523: ISAKMP : Scanning profiles for xauth ...
*Jan 27 15:13:00.523: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Jan 27 15:13:00.523: ISAKMP: encryption AES-CBC
*Jan 27 15:13:00.523: ISAKMP: keylength of 256
*Jan 27 15:13:00.523: ISAKMP: hash SHA
*Jan 27 15:13:00.523: ISAKMP: default group 5
*Jan 27 15:13:00.523: ISAKMP: auth pre-share
*Jan 27 15:13:00.523: ISAKMP: life type in seconds
*Jan 27 15:13:00.523: ISAKMP: life duration (basic) of 3600
*Jan 27 15:13:00.523: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jan 27 15:13:00.523: ISAKMP:(0):Acceptable atts:actual life: 0
*Jan 27 15:13:00.523: ISAKMP:(0):Acceptable atts:life: 0
*Jan 27 15:13:00.523: ISAKMP:(0):Basic life_in_seconds:3600
*Jan 27 15:13:00.523: ISAKMP:(0):Returning Actual lifetime: 3600
*Jan 27 15:13:00.523: ISAKMP:(0)::Started lifetime timer: 3600.
*Jan 27 15:13:00.523: ISAKMP:(0): processing vendor id payload
*Jan 27 15:13:00.523: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jan 27 15:13:00.523: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jan 27 15:13:00.523: ISAKMP:(0): processing vendor id payload
*Jan 27 15:13:00.527: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Jan 27 15:13:00.527: ISAKMP (0): vendor ID is NAT-T v7
*Jan 27 15:13:00.527: ISAKMP:(0): processing vendor id payload
*Jan 27 15:13:00.527: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Jan 27 15:13:00.527: ISAKMP:(0): vendor ID is NAT-T v3
*Jan 27 15:13:00.527: ISAKMP:(0): processing vendor id payload
*Jan 27 15:13:00.527: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jan 27 15:13:00.527: ISAKMP:(0): vendor ID is NAT-T v2
*Jan 27 15:13:00.527: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jan 27 15:13:00.527: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Jan 27 15:13:00.527: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Jan 27 15:13:00.527: ISAKMP:(0): sending packet to 80.x.x.x my_port 500 peer_port 500 (R) MM_SA_SETUP
*Jan 27 15:13:00.527: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan 27 15:13:00.527: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jan 27 15:13:00.527: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Jan 27 15:13:00.527: ISAKMP (0): received packet from 80.x.x.x dport 500 sport 500 Global (R) MM_SA_SETUP
*Jan 27 15:13:00.527: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jan 27 15:13:00.527: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
*Jan 27 15:13:00.527: ISAKMP:(0): processing KE payload. message ID = 0
*Jan 27 15:13:00.531: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jan 27 15:13:00.531: ISAKMP:(0):found peer pre-shared key matching 80.x.x.x
*Jan 27 15:13:00.531: ISAKMP:(14514): processing vendor id payload
*Jan 27 15:13:00.531: ISAKMP:(14514): vendor ID is DPD
*Jan 27 15:13:00.531: ISAKMP:(14514): processing vendor id payload
*Jan 27 15:13:00.531: ISAKMP:(14514): speaking to another IOS box!
*Jan 27 15:13:00.531: ISAKMP:(14514): processing vendor id payload
*Jan 27 15:13:00.531: ISAKMP:(14514): vendor ID seems Unity/DPD but major 196 mismatch
*Jan 27 15:13:00.531: ISAKMP:(14514): vendor ID is XAUTH
*Jan 27 15:13:00.531: ISAKMP:received payload type 20
*Jan 27 15:13:00.531: ISAKMP (14514): His hash no match - this node outside NAT
*Jan 27 15:13:00.531: ISAKMP:received payload type 20
*Jan 27 15:13:00.531: ISAKMP (14514): No NAT Found for self or peer
*Jan 27 15:13:00.531: ISAKMP:(14514):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jan 27 15:13:00.531: ISAKMP:(14514):Old State = IKE_R_MM3 New State = IKE_R_MM3
*Jan 27 15:13:00.531: ISAKMP:(14514): sending packet to 80.x.x.x my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jan 27 15:13:00.531: ISAKMP:(14514):Sending an IKE IPv4 Packet.
*Jan 27 15:13:00.531: ISAKMP:(14514):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jan 27 15:13:00.531: ISAKMP:(14514):Old State = IKE_R_MM3 New State = IKE_R_MM4
*Jan 27 15:13:00.607: ISAKMP (14514): received packet from 80.x.x.x dport 500 sport 500 Global (R) MM_KEY_EXCH
*Jan 27 15:13:00.607: ISAKMP: reserved not zero on ID payload!
*Jan 27 15:13:00.607: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 80.x.x.x failed its sanity check or is malformed
*Jan 27 15:13:00.607: ISAKMP (14514): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
*Jan 27 15:13:01.607: ISAKMP:(14514): retransmitting phase 1 MM_KEY_EXCH...
*Jan 27 15:13:01.607: ISAKMP (14514): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Jan 27 15:13:01.607: ISAKMP:(14514): retransmitting phase 1 MM_KEY_EXCH
*Jan 27 15:13:01.607: ISAKMP:(14514): sending packet to 80.x.x.x my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jan 27 15:13:01.607: ISAKMP:(14514):Sending an IKE IPv4 Packet.
*Jan 27 15:13:10.607: ISAKMP (14514): received packet from 80.x.x.x dport 500 sport 500 Global (R) MM_KEY_EXCH
*Jan 27 15:13:10.607: ISAKMP:(14514): phase 1 packet is a duplicate of a previous packet.
*Jan 27 15:13:10.607: ISAKMP:(14514): retransmitting due to retransmit phase 1
*Jan 27 15:13:11.107: ISAKMP:(14514): retransmitting phase 1 MM_KEY_EXCH...
*Jan 27 15:13:11.107: ISAKMP (14514): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Jan 27 15:13:11.107: ISAKMP:(14514): retransmitting phase 1 MM_KEY_EXCH
*Jan 27 15:13:11.107: ISAKMP:(14514): sending packet to 80.x.x.x my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jan 27 15:13:11.107: ISAKMP:(14514):Sending an IKE IPv4 Packet.
*Jan 27 15:13:20.607: ISAKMP (14514): received packet from 80.x.x.x dport 500 sport 500 Global (R) MM_KEY_EXCH
*Jan 27 15:13:20.607: ISAKMP:(14514): phase 1 packet is a duplicate of a previous packet.
*Jan 27 15:13:20.607: ISAKMP:(14514): retransmitting due to retransmit phase 1
*Jan 27 15:13:21.107: ISAKMP:(14514): retransmitting phase 1 MM_KEY_EXCH...
*Jan 27 15:13:21.107: ISAKMP (14514): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Jan 27 15:13:21.107: ISAKMP:(14514): retransmitting phase 1 MM_KEY_EXCH
*Jan 27 15:13:21.107: ISAKMP:(14514): sending packet to 80.x.x.x my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jan 27 15:13:21.107: ISAKMP:(14514):Sending an IKE IPv4 Packet.
*Jan 27 15:13:30.607: ISAKMP (14514): received packet from 80.x.x.x dport 500 sport 500 Global (R) MM_KEY_EXCH
*Jan 27 15:13:30.607: ISAKMP:(14514): phase 1 packet is a duplicate of a previous packet.
*Jan 27 15:13:30.607: ISAKMP:(14514): retransmitting due to retransmit phase 1
*Jan 27 15:13:31.107: ISAKMP:(14514): retransmitting phase 1 MM_KEY_EXCH...
*Jan 27 15:13:31.107: ISAKMP (14514): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Jan 27 15:13:31.107: ISAKMP:(14514): retransmitting phase 1 MM_KEY_EXCH
*Jan 27 15:13:31.107: ISAKMP:(14514): sending packet to 80.x.x.x my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jan 27 15:13:31.107: ISAKMP:(14514):Sending an IKE IPv4 Packet.
*Jan 27 15:13:40.607: ISAKMP (14514): received packet from 80.x.x.x dport 500 sport 500 Global (R) MM_KEY_EXCH
*Jan 27 15:13:40.607: ISAKMP:(14514): phase 1 packet is a duplicate of a previous packet.
*Jan 27 15:13:40.607: ISAKMP:(14514): retransmitting due to retransmit phase 1
*Jan 27 15:13:41.107: ISAKMP:(14514): retransmitting phase 1 MM_KEY_EXCH...
*Jan 27 15:13:41.107: ISAKMP:(14514):peer does not do paranoid keepalives.
*Jan 27 15:13:41.107: ISAKMP:(14514):deleting SA reason "Death by retransmission P1" state (R) MM_KEY_EXCH (peer 80.x.x.x)
*Jan 27 15:13:41.107: ISAKMP:(14514):deleting SA reason "Death by retransmission P1" state (R) MM_KEY_EXCH (peer 80.x.x.x)
*Jan 27 15:13:41.107: ISAKMP: Unlocking peer struct 0x2B96890 for isadb_mark_sa_deleted(), count 0
*Jan 27 15:13:41.107: ISAKMP: Deleting peer node by peer_reap for 80.x.x.x: 2B96890
*Jan 27 15:13:41.107: ISAKMP:(14514):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Jan 27 15:13:41.107: ISAKMP:(14514):Old State = IKE_R_MM4 New State = IKE_DEST_SA
*Jan 27 15:13:50.607: ISAKMP (14514): received packet from 80.x.x.x dport 500 sport 500 Global (R) MM_NO_STATE
*Jan 27 15:14:01.439: ISAKMP (0): received packet from 80.x.x.x dport 500 sport 500 Global (N) NEW SA
*Jan 27 15:14:01.439: ISAKMP: Created a peer struct for 80.x.x.x, peer port 500
*Jan 27 15:14:01.439: ISAKMP: New peer created peer = 0x14BDDFFC peer_handle = 0x80002A46
*Jan 27 15:14:01.439: ISAKMP: Locking peer struct 0x14BDDFFC, refcount 1 for crypto_isakmp_process_block
*Jan 27 15:14:01.439: ISAKMP: local port 500, remote port 500
*Jan 27 15:14:01.439: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 2B94390
*Jan 27 15:14:01.439: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jan 27 15:14:01.439: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Jan 27 15:14:01.439: ISAKMP:(0): processing SA payload. message ID = 0
*Jan 27 15:14:01.439: ISAKMP:(0): processing vendor id payload
*Jan 27 15:14:01.439: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jan 27 15:14:01.439: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jan 27 15:14:01.439: ISAKMP:(0): processing vendor id payload
*Jan 27 15:14:01.439: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Jan 27 15:14:01.439: ISAKMP (0): vendor ID is NAT-T v7
*Jan 27 15:14:01.439: ISAKMP:(0): processing vendor id payload
*Jan 27 15:14:01.439: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Jan 27 15:14:01.439: ISAKMP:(0): vendor ID is NAT-T v3
*Jan 27 15:14:01.439: ISAKMP:(0): processing vendor id payload
*Jan 27 15:14:01.439: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jan 27 15:14:01.439: ISAKMP:(0): vendor ID is NAT-T v2
*Jan 27 15:14:01.439: ISAKMP:(0):found peer pre-shared key matching 80.x.x.x
*Jan 27 15:14:01.439: ISAKMP:(0): local preshared key found
*Jan 27 15:14:01.439: ISAKMP : Scanning profiles for xauth ...
*Jan 27 15:14:01.439: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Jan 27 15:14:01.439: ISAKMP: encryption AES-CBC
*Jan 27 15:14:01.439: ISAKMP: keylength of 256
*Jan 27 15:14:01.439: ISAKMP: hash SHA
*Jan 27 15:14:01.439: ISAKMP: default group 5
*Jan 27 15:14:01.439: ISAKMP: auth pre-share
*Jan 27 15:14:01.439: ISAKMP: life type in seconds
*Jan 27 15:14:01.439: ISAKMP: life duration (basic) of 3600
*Jan 27 15:14:01.439: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jan 27 15:14:01.439: ISAKMP:(0):Acceptable atts:actual life: 0
*Jan 27 15:14:01.439: ISAKMP:(0):Acceptable atts:life: 0
*Jan 27 15:14:01.439: ISAKMP:(0):Basic life_in_seconds:3600
*Jan 27 15:14:01.439: ISAKMP:(0):Returning Actual lifetime: 3600
*Jan 27 15:14:01.439: ISAKMP:(0)::Started lifetime timer: 3600.
# sh crypto isakmp sa (at Hub)
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
83.X.X.X        62.Y.Y.Y        QM_IDLE          14577 ACTIVE
62.Y.Y.Y        80.X.X.X        MM_KEY_EXCH      14589 ACTIVE
62.Y.Y.Y        80.X.X.X        MM_NO_STATE      14588 ACTIVE (deleted)
Debug isakmp error at Spoke side:
*Jan 27 14:43:50.595: ISAKMP: set new node 0 to QM_IDLE
*Jan 27 14:43:50.595: ISAKMP:(4178):SA is still budding. Attached new ipsec request to it. (local 80.X.X.X, remote 62.Y.Y.Y)
*Jan 27 14:43:50.595: ISAKMP: Error while processing SA request: Failed to initialize SA
*Jan 27 14:43:50.595: ISAKMP: Error while processing KMI message 0, error 2.
*Jan 27 14:43:50.602: ISAKMP:(4178): retransmitting phase 1 MM_KEY_EXCH...
*Jan 27 14:43:50.602: ISAKMP (4178): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Jan 27 14:43:50.602: ISAKMP:(4178): retransmitting phase 1 MM_KEY_EXCH
*Jan 27 14:43:50.602: ISAKMP:(4178): sending packet to 62.Y.Y.Y my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Jan 27 14:43:50.602: ISAKMP:(4178):Sending an IKE IPv4 Packet.
*Jan 27 14:43:51.617: ISAKMP (4178): received packet from 62.Y.Y.Y dport 500 sport 500 Global (I) MM_KEY_EXCH
*Jan 27 14:43:51.617: ISAKMP:(4178): phase 1 packet is a duplicate of a previous packet.
*Jan 27 14:43:51.617: ISAKMP:(4178): retransmission skipped for phase 1 (time since last transmission 500)
*Jan 27 14:43:52.063: ISAKMP:(4178): retransmitting phase 1 MM_KEY_EXCH...
*Jan 27 14:43:52.063: ISAKMP (4178): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Jan 27 14:43:52.157: ISAKMP:(4178): retransmitting phase 1 MM_KEY_EXCH
*Jan 27 14:43:52.157: ISAKMP:(4178): sending packet to 62.Y.Y.Y my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Jan 27 14:43:52.256: ISAKMP:(4178):Sending an IKE IPv4 Packet.
*Jan 27 14:43:58.259: ISAKMP:(4177):purging node -1724346266
*Jan 27 14:43:58.468: ISAKMP:(4177):purging node 1984618017
*Jan 27 14:44:00.567: ISAKMP:(4178): retransmitting phase 1 MM_KEY_EXCH...
*Jan 27 14:44:00.567: ISAKMP (4178): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Jan 27 14:44:00.567: ISAKMP:(4178): retransmitting phase 1 MM_KEY_EXCH
*Jan 27 14:44:00.567: ISAKMP:(4178): sending packet to 62.Y.Y.Y my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Jan 27 14:44:00.567: ISAKMP:(4178):Sending an IKE IPv4 Packet.
*Jan 27 14:44:08.839: ISAKMP:(4177):purging SA., sa=322035C8, delme=322035C8
*Jan 27 14:44:10.487: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 80.X.X.X:0, remote= 62.Y.Y.Y:0,
local_proxy= 80.X.X.X/255.255.255.255/47/0,
remote_proxy= 62.Y.Y.Y/255.255.255.255/47/0
*Jan 27 14:47:10.567: ISAKMP:(4178): retransmitting phase 1 MM_KEY_EXCH...
*Jan 27 14:47:10.567: ISAKMP:(4178):peer does not do paranoid keepalives.
*Jan 27 14:47:10.567: ISAKMP:(4178):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 62.Y.Y.Y)
*Jan 27 14:47:10.567: ISAKMP:(4178):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 62.Y.Y.Y)
*Jan 27 14:47:10.567: ISAKMP: Unlocking peer struct 0x2B1155EC for isadb_mark_sa_deleted(), count 0
*Jan 27 14:47:10.567: ISAKMP: Deleting peer node by peer_reap for 62.Y.Y.Y: 2B1155EC
*Jan 27 14:47:10.567: ISAKMP:(4178):deleting node 365907352 error FALSE reason "IKE deleted"
*Jan 27 14:47:10.567: ISAKMP:(4178):deleting node -49897289 error FALSE reason "IKE deleted"
*Jan 27 14:47:10.567: ISAKMP:(4178):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Jan 27 14:47:10.567: ISAKMP:(4178):Old State = IKE_I_MM5 New State = IKE_DEST_SA
*Jan 27 14:47:10.567: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jan 27 14:47:13.571: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 80.X.X.X:500, remote= 62.Y.Y.Y:500,
local_proxy= 80.X.X.X/255.255.255.255/47/0,
remote_proxy= 62.Y.Y.Y/255.255.255.255/47/0,
protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Transport),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Jan 27 14:47:13.571: ISAKMP:(0): SA request profile is (NULL)
*Jan 27 14:47:13.571: ISAKMP: Created a peer struct for 62.Y.Y.Y, peer port 500
*Jan 27 14:47:13.571: ISAKMP: New peer created peer = 0x2B1155EC peer_handle = 0x800199D6
*Jan 27 14:47:13.571: ISAKMP: Locking peer struct 0x2B1155EC, refcount 1 for isakmp_initiator
*Jan 27 14:47:13.571: ISAKMP: local port 500, remote port 500
*Jan 27 14:47:13.571: ISAKMP: set new node 0 to QM_IDLE
*Jan 27 14:47:13.571: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 322035C8
*Jan 27 14:47:13.571: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Jan 27 14:47:13.571: ISAKMP:(0):found peer pre-shared key matching 62.Y.Y.Y
*Jan 27 14:47:13.571: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Jan 27 14:47:13.571: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Jan 27 14:47:13.571: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Jan 27 14:47:13.571: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Jan 27 14:47:13.571: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jan 27 14:47:13.571: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Jan 27 14:47:13.571: ISAKMP:(0): beginning Main Mode exchange
*Jan 27 14:47:13.571: ISAKMP:(0): sending packet to 62.Y.Y.Y my_port 500 peer_port 500 (I) MM_NO_STATE
*Jan 27 14:47:13.571: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan 27 14:47:13.571: ISAKMP (0): received packet from 62.Y.Y.Y dport 500 sport 500 Global (I) MM_NO_STATE
*Jan 27 14:47:13.571: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jan 27 14:47:13.571: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Jan 27 14:47:13.571: ISAKMP:(0): processing SA payload. message ID = 0
*Jan 27 14:47:13.571: ISAKMP:(0): processing vendor id payload
*Jan 27 14:47:13.571: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jan 27 14:47:13.571: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jan 27 14:47:13.571: ISAKMP:(0):found peer pre-shared key matching 62.Y.Y.Y
*Jan 27 14:47:13.575: ISAKMP:(0): local preshared key found
*Jan 27 14:47:13.575: ISAKMP : Scanning profiles for xauth ...
*Jan 27 14:47:13.575: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Jan 27 14:47:13.575: ISAKMP: encryption AES-CBC
*Jan 27 14:47:13.575: ISAKMP: keylength of 256
*Jan 27 14:47:13.575: ISAKMP: hash SHA
*Jan 27 14:47:13.575: ISAKMP: default group 5
*Jan 27 14:47:13.575: ISAKMP: auth pre-share
*Jan 27 14:47:13.575: ISAKMP: life type in seconds
*Jan 27 14:47:13.575: ISAKMP: life duration (basic) of 3600
*Jan 27 14:47:13.575: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jan 27 14:47:13.575: ISAKMP:(0):Acceptable atts:actual life: 0
*Jan 27 14:47:13.575: ISAKMP:(0):Acceptable atts:life: 0
*Jan 27 14:47:13.575: ISAKMP:(0):Basic life_in_seconds:3600
*Jan 27 14:47:13.575: ISAKMP:(0):Returning Actual lifetime: 3600
*Jan 27 14:47:13.575: ISAKMP:(0)::Started lifetime timer: 3600.
*Jan 27 14:47:13.575: ISAKMP:(0): processing vendor id payload
*Jan 27 14:47:13.575: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jan 27 14:47:13.575: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jan 27 14:47:13.575: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jan 27 14:47:13.575: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Jan 27 14:47:13.575: ISAKMP:(0): sending packet to 62.Y.Y.Y my_port 500 peer_port 500 (I) MM_SA_SETUP
*Jan 27 14:47:13.575: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan 27 14:47:13.575: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jan 27 14:47:13.575: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Jan 27 14:47:13.579: ISAKMP (0): received packet from 62.Y.Y.Y dport 500 sport 500 Global (I) MM_SA_SETUP
*Jan 27 14:47:13.579: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jan 27 14:47:13.579: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Jan 27 14:47:13.579: ISAKMP:(0): processing KE payload. message ID = 0
*Jan 27 14:47:13.651: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jan 27 14:47:13.651: ISAKMP:(0):found peer pre-shared key matching 62.Y.Y.Y
*Jan 27 14:47:13.651: ISAKMP:(4179): processing vendor id payload
*Jan 27 14:47:13.655: ISAKMP:(4179): vendor ID is Unity
*Jan 27 14:47:13.655: ISAKMP:(4179): processing vendor id payload
*Jan 27 14:47:13.655: ISAKMP:(4179): vendor ID is DPD
*Jan 27 14:47:13.655: ISAKMP:(4179): processing vendor id payload
*Jan 27 14:47:13.655: ISAKMP:(4179): speaking to another IOS box!
*Jan 27 14:47:13.655: ISAKMP:received payload type 20
*Jan 27 14:47:13.655: ISAKMP (4179): His hash no match - this node outside NAT
*Jan 27 14:47:13.655: ISAKMP:received payload type 20
*Jan 27 14:47:13.655: ISAKMP (4179): No NAT Found for self or peer
*Jan 27 14:47:13.655: ISAKMP:(4179):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jan 27 14:47:13.655: ISAKMP:(4179):Old State = IKE_I_MM4 New State = IKE_I_MM4
*Jan 27 14:47:13.655: ISAKMP:(4179):Send initial contact
*Jan 27 14:47:13.655: ISAKMP:(4179):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Jan 27 14:47:13.655: ISAKMP (4179): ID payload
next-payload : 8
type : 1
address : 80.X.X.X
protocol : 17
port : 500
length : 12
*Jan 27 14:47:13.655: ISAKMP:(4179):Total payload length: 12
*Jan 27 14:47:13.655: ISAKMP:(4179): sending packet to 62.Y.Y.Y my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Jan 27 14:47:13.655: ISAKMP:(4179):Sending an IKE IPv4 Packet.
*Jan 27 14:47:13.655: ISAKMP:(4179):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jan 27 14:47:13.655: ISAKMP:(4179):Old State = IKE_I_MM4 New State = IKE_I_MM5
*Jan 27 14:47:14.651: ISAKMP (4179): received packet from 62.Y.Y.Y dport 500 sport 500 Global (I) MM_KEY_EXCH
*Jan 27 14:47:14.651: ISAKMP:(4179): phase 1 packet is a duplicate of a previous packet.
*Jan 27 14:47:14.651: ISAKMP:(4179): retransmission skipped for phase 1 (time since last transmission 996)
*Jan 27 14:47:23.655: ISAKMP:(4179): retransmitting phase 1 MM_KEY_EXCH...
*Jan 27 14:47:23.655: ISAKMP (4179): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Jan 27 14:47:23.655: ISAKMP:(4179): retransmitting phase 1 MM_KEY_EXCH
*Jan 27 14:47:23.655: ISAKMP:(4179): sending packet to 62.Y.Y.Y my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Jan 27 14:47:23.655: ISAKMP:(4179):Sending an IKE IPv4 Packet.
*Jan 27 14:47:24.151: ISAKMP (4179): received packet from 62.Y.Y.Y dport 500 sport 500 Global (I) MM_KEY_EXCH
*Jan 27 14:47:24.151: ISAKMP:(4179): phase 1 packet is a duplicate of a previous packet.
*Jan 27 14:47:24.151: ISAKMP:(4179): retransmission skipped for phase 1 (time since last transmission 496)
*Jan 27 14:47:33.655: ISAKMP:(4179): retransmitting phase 1 MM_KEY_EXCH...
*Jan 27 14:47:33.655: ISAKMP (4179): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Jan 27 14:47:33.655: ISAKMP:(4179): retransmitting phase 1 MM_KEY_EXCH
*Jan 27 14:47:33.655: ISAKMP:(4179): sending packet to 62.Y.Y.Y my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Jan 27 14:47:33.655: ISAKMP:(4179):Sending an IKE IPv4 Packet.
*Jan 27 14:47:34.151: ISAKMP (4179): received packet from 62.Y.Y.Y dport 500 sport 500 Global (I) MM_KEY_EXCH
*Jan 27 14:47:34.151: ISAKMP:(4179): phase 1 packet is a duplicate of a previous packet.
*Jan 27 14:47:34.151: ISAKMP:(4179): retransmission skipped for phase 1 (time since last transmission 496)
*Jan 27 14:47:43.571: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 80.X.X.X:0, remote= 62.Y.Y.Y:0,
local_proxy= 80.X.X.X/255.255.255.255/47/0,
remote_proxy= 62.Y.Y.Y/255.255.255.255/47/0
*Jan 27 14:47:43.571: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 80.X.X.X:500, remote= 62.Y.Y.Y:500,
local_proxy= 80.X.X.X/255.255.255.255/47/0,
remote_proxy= 62.Y.Y.Y/255.255.255.255/47/0,
protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Transport),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Jan 27 14:47:43.571: ISAKMP: set new node 0 to QM_IDLE
*Jan 27 14:47:43.571: ISAKMP:(4179):SA is still budding. Attached new ipsec request to it. (local 80.X.X.X, remote 62.Y.Y.Y)
*Jan 27 14:47:43.571: ISAKMP: Error while processing SA request: Failed to initialize SA
*Jan 27 14:47:43.571: ISAKMP: Error while processing KMI message 0, error 2.
*Jan 27 14:47:43.655: ISAKMP:(4179): retransmitting phase 1 MM_KEY_EXCH...
*Jan 27 14:47:43.655: ISAKMP (4179): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Jan 27 14:47:43.655: ISAKMP:(4179): retransmitting phase 1 MM_KEY_EXCH
*Jan 27 14:47:43.655: ISAKMP:(4179): sending packet to 62.Y.Y.Y my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Jan 27 14:47:43.655: ISAKMP:(4179):Sending an IKE IPv4 Packet.
*Jan 27 14:47:44.151: ISAKMP (4179): received packet from 62.Y.Y.Y dport 500 sport 500 Global (I) MM_KEY_EXCH
*Jan 27 14:47:44.151: ISAKMP:(4179): phase 1 packet is a duplicate of a previous packet.
*Jan 27 14:47:44.151: ISAKMP:(4179): retransmission skipped for phase 1 (time since last transmission 496)
*Jan 27 14:47:53.655: ISAKMP:(4179): retransmitting phase 1 MM_KEY_EXCH...
*Jan 27 14:47:53.655: ISAKMP (4179): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Jan 27 14:47:53.655: ISAKMP:(4179): retransmitting phase 1 MM_KEY_EXCH
*Jan 27 14:47:53.655: ISAKMP:(4179): sending packet to 62.Y.Y.Y my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Jan 27 14:47:53.655: ISAKMP:(4179):Sending an IKE IPv4 Packet.
*Jan 27 14:48:00.567: ISAKMP:(4178):purging node 365907352
*Jan 27 14:48:00.567: ISAKMP:(4178):purging node -49897289
xnwn252#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
62.Y.Y.Y 80.X.X.X MM_NO_STATE 4270 ACTIVE (deleted)
-
Unable to access certain ports over Site to Site VPN
We have a client that has a Cisco 1801W firewall that is set up as a site-to-site VPN terminating on a Cisco ASA 5505. The tunnel is up and established, and I can ping from both sides of the tunnel.
The problem is the clients behind the Cisco ASA (192.168.2.x) cannot reach certain ports behind the Router (192.168.1.x). The main thing we're trying to do is browse via UNC path (ex: \\192.168.1.120 from a 192.168.2.x machine).
I got 3389 working after I changed the -
ip nat inside source static tcp 192.168.1.120 3389 y.y.x.x 3389 route-map SDM_RMAP_1 extendable
Modified the command to include the public IP instead of interface FastEthernet0
I believe it has something to do with the way NAT and route-maps are set up currently, but I'm not familiar enough with them to make the changes. I worked with Cisco to ensure the VPN tunnel was fine, and it's something security related on the router.
Here is the configuration (I removed a few unnecessary lines; y.y.x.x = WAN IP of the router, x.x.y.y = WAN IP of the ASA).
Building configuration...
Current configuration : 23648 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname PrarieTow
boot-start-marker
boot-end-marker
logging buffered 52000
enable secret 5 $1$7Ab8$oFQY76OPhJm/UUkXfqCbl/
aaa new-model
aaa group server radius rad_eap
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods start-stop group rad_acct
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key Ch4C5eSP address x.x.y.y
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel tox.x.y.y
set peer x.x.y.y
set transform-set ESP-3DES-SHA
match address 118
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.19
ip dhcp excluded-address 192.168.1.101 192.168.1.254
ip dhcp excluded-address 192.168.1.60
ip dhcp excluded-address 192.168.1.120
ip dhcp excluded-address 192.168.1.125
ip dhcp excluded-address 192.168.1.126
ip dhcp pool sdm-pool1
network 192.168.1.0 255.255.255.0
domain-name pltowing.local
default-router 192.168.1.1
dns-server 192.168.1.120 68.238.0.12
no ip bootp server
ip domain name pltowing
ip name-server 184.16.4.22
ip name-server 184.16.33.54
ip port-map user-protocol--8 port udp 3389
ip port-map user-protocol--9 port udp 14147
ip port-map user-protocol--2 port tcp 3489
ip port-map user-protocol--3 port udp 3489
ip port-map user-protocol--1 port udp 3390
ip port-map user-protocol--6 port udp 4431
ip port-map user-protocol--7 port tcp 3389
ip port-map user-protocol--4 port tcp 3390
ip port-map user-protocol--5 port tcp 4431
ip port-map user-protocol--13 port tcp 3487
ip port-map user-protocol--12 port udp 3488
ip port-map user-protocol--11 port tcp 3488
ip port-map user-protocol--10 port tcp 14147
ip port-map user-protocol--16 port tcp 8099
ip port-map user-protocol--15 port udp 1194
ip port-map user-protocol--14 port udp 3487
ip inspect log drop-pkt
multilink bundle-name authenticated
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
username prairie privilege 15 password 0 towing
archive
log config
hidekeys
ip ssh version 2
class-map type inspect match-all sdm-nat-user-protocol--7-1
match access-group 108
match protocol user-protocol--7
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 120
class-map type inspect match-all sdm-nat-user-protocol--6-1
match access-group 107
match protocol user-protocol--6
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
class-map type inspect match-all sdm-nat-user-protocol--5-1
match access-group 106
match protocol user-protocol--5
class-map type inspect match-all sdm-nat-user-protocol--4-1
match access-group 105
match protocol user-protocol--4
class-map type inspect match-all sdm-nat-user-protocol--3-1
match access-group 104
match protocol user-protocol--3
class-map type inspect match-all sdm-nat-user-protocol--2-1
match access-group 103
match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 102
match protocol user-protocol--1
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect imap match-any sdm-app-imap
match invalid-command
class-map type inspect match-all sdm-nat-user-protocol--9-1
match access-group 110
match protocol user-protocol--9
class-map type inspect match-all sdm-nat-user-protocol--8-1
match access-group 109
match protocol user-protocol--8
class-map type inspect match-any sdm-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
match access-group 119
match class-map SDM_VPN_TRAFFIC
class-map type inspect gnutella match-any sdm-app-gnutella
match file-transfer
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect ymsgr match-any sdm-app-yahoo-otherservices
match service any
class-map type inspect msnmsgr match-any sdm-app-msn-otherservices
match service any
class-map type inspect match-all sdm-protocol-pop3
match protocol pop3
class-map type inspect match-all sdm-nat-user-protocol--16-1
match access-group 117
match protocol user-protocol--16
class-map type inspect match-all sdm-nat-user-protocol--14-1
match access-group 115
match protocol user-protocol--14
class-map type inspect match-all sdm-nat-user-protocol--15-1
match access-group 116
match protocol user-protocol--15
class-map type inspect match-all sdm-nat-user-protocol--12-1
match access-group 113
match protocol user-protocol--12
class-map type inspect match-all sdm-nat-user-protocol--13-1
match access-group 114
match protocol user-protocol--13
class-map type inspect match-all sdm-nat-user-protocol--10-1
match access-group 111
match protocol user-protocol--10
class-map type inspect match-all sdm-nat-user-protocol--11-1
match access-group 112
match protocol user-protocol--11
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any sdm-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any sdm-app-aol-otherservices
match service any
class-map type inspect pop3 match-any sdm-app-pop3
match invalid-command
class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 101
class-map type inspect kazaa2 match-any sdm-app-kazaa2
match file-transfer
class-map type inspect match-all sdm-protocol-p2p
match class-map sdm-cls-protocol-p2p
class-map type inspect http match-any sdm-http-blockparam
match request port-misuse im
match request port-misuse p2p
match req-resp protocol-violation
class-map type inspect match-all sdm-protocol-im
match class-map sdm-cls-protocol-im
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect ymsgr match-any sdm-app-yahoo
match service text-chat
class-map type inspect msnmsgr match-any sdm-app-msn
match service text-chat
class-map type inspect edonkey match-any sdm-app-edonkey
match file-transfer
match text-chat
match search-file-name
class-map type inspect http match-any sdm-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect edonkey match-any sdm-app-edonkeychat
match search-file-name
match text-chat
class-map type inspect http match-any sdm-http-allowparam
match request port-misuse tunneling
class-map type inspect fasttrack match-any sdm-app-fasttrack
match file-transfer
class-map type inspect match-all sdm-protocol-http
match protocol http
class-map type inspect edonkey match-any sdm-app-edonkeydownload
match file-transfer
class-map type inspect match-all sdm-protocol-imap
match protocol imap
class-map type inspect aol match-any sdm-app-aol
match service text-chat
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
inspect
class class-default
pass
policy-map type inspect p2p sdm-action-app-p2p
class type inspect edonkey sdm-app-edonkeychat
log
allow
class type inspect edonkey sdm-app-edonkeydownload
log
allow
class type inspect fasttrack sdm-app-fasttrack
log
allow
class type inspect gnutella sdm-app-gnutella
log
allow
class type inspect kazaa2 sdm-app-kazaa2
log
allow
class class-default
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-user-protocol--1-1
inspect
class type inspect sdm-nat-user-protocol--2-1
inspect
class type inspect sdm-nat-user-protocol--3-1
inspect
class type inspect sdm-nat-user-protocol--4-1
inspect
class type inspect sdm-nat-user-protocol--5-1
inspect
class type inspect sdm-nat-user-protocol--6-1
inspect
class type inspect sdm-nat-user-protocol--7-1
inspect
class type inspect sdm-nat-user-protocol--8-1
inspect
class type inspect sdm-nat-user-protocol--9-1
inspect
class type inspect sdm-nat-user-protocol--10-1
inspect
class type inspect sdm-nat-user-protocol--11-1
inspect
class type inspect sdm-nat-user-protocol--12-1
inspect
class type inspect sdm-nat-user-protocol--13-1
inspect
class type inspect sdm-nat-user-protocol--14-1
inspect
class type inspect sdm-nat-user-protocol--15-1
inspect
class type inspect sdm-nat-user-protocol--16-1
inspect
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class class-default
policy-map type inspect imap sdm-action-imap
class type inspect imap sdm-app-imap
log
class class-default
policy-map type inspect pop3 sdm-action-pop3
class type inspect pop3 sdm-app-pop3
log
class class-default
policy-map type inspect im sdm-action-app-im
class type inspect aol sdm-app-aol
log
allow
class type inspect msnmsgr sdm-app-msn
log
allow
class type inspect ymsgr sdm-app-yahoo
log
allow
class type inspect aol sdm-app-aol-otherservices
log
reset
class type inspect msnmsgr sdm-app-msn-otherservices
log
reset
class type inspect ymsgr sdm-app-yahoo-otherservices
log
reset
class class-default
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
inspect
class type inspect sdm-protocol-http
inspect
class type inspect sdm-protocol-imap
inspect
service-policy imap sdm-action-imap
class type inspect sdm-protocol-pop3
inspect
service-policy pop3 sdm-action-pop3
class type inspect sdm-protocol-p2p
inspect
service-policy p2p sdm-action-app-p2p
class type inspect sdm-protocol-im
inspect
service-policy im sdm-action-app-im
class type inspect sdm-insp-traffic
inspect
class type inspect SDM-Voice-permit
inspect
class class-default
pass
policy-map type inspect http sdm-action-app-http
class type inspect http sdm-http-blockparam
log
reset
class type inspect http sdm-app-httpmethods
log
reset
class type inspect http sdm-http-allowparam
log
allow
class class-default
policy-map type inspect sdm-permit
class type inspect SDM_VPN_PT
pass
class type inspect sdm-access
inspect
class class-default
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
bridge irb
interface FastEthernet0
description $ETH-LAN$$FW_OUTSIDE$
ip address y.y.x.x 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
crypto map SDM_CMAP_1
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation hdlc
shutdown
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
interface FastEthernet5
interface FastEthernet6
interface FastEthernet7
interface FastEthernet8
interface Vlan1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
bridge-group 1
interface BVI1
description $FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip default-gateway 50.50.20.105
ip route 0.0.0.0 0.0.0.0 50.50.20.105
ip route 10.8.0.0 255.255.255.0 192.168.1.251
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source static tcp 192.168.1.120 8099 interface FastEthernet0 8099
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
ip nat inside source static udp 192.168.1.251 1194 y.y.x.x 1194 route-map SDM_RMAP_1 extendable
ip nat inside source static tcp 192.168.1.120 3389 y.y.x.x 3389 route-map SDM_RMAP_1 extendable
ip nat inside source static udp 192.168.1.120 3389 y.y.x.x 3389 route-map SDM_RMAP_1 extendable
ip nat inside source static tcp 192.168.1.125 3489 y.y.x.x 3390 route-map SDM_RMAP_1 extendable
ip nat inside source static udp 192.168.1.120 3390 y.y.x.x 3390 route-map SDM_RMAP_1 extendable
ip nat inside source static tcp 192.168.1.126 3487 y.y.x.x 3487 route-map SDM_RMAP_1 extendable
ip nat inside source static udp 192.168.1.126 3487 y.y.x.x 3487 route-map SDM_RMAP_1 extendable
ip nat inside source static tcp 192.168.1.126 3488 y.y.x.x 3488 route-map SDM_RMAP_1 extendable
ip nat inside source static udp 192.168.1.126 3488 y.y.x.x 3488 route-map SDM_RMAP_1 extendable
ip nat inside source static udp 192.168.1.125 3489 y.y.x.x 3489 route-map SDM_RMAP_1 extendable
ip nat inside source static tcp 192.168.1.120 4431 y.y.x.x 4431 route-map SDM_RMAP_1 extendable
ip nat inside source static udp 192.168.1.120 4431 y.y.x.x 4431 route-map SDM_RMAP_1 extendable
ip nat inside source static tcp 192.168.1.120 14147 y.y.x.x 14147 route-map SDM_RMAP_1 extendable
ip nat inside source static udp 192.168.1.120 14147 y.y.x.x 14147 route-map SDM_RMAP_1 extendable
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
ip access-list extended SDM_HTTPS
remark SDM_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark SDM_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark SDM_ACL Category=1
permit tcp any any eq 22
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 50.50.20.104 0.0.0.3 any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip any any
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 192.168.1.120
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host 192.168.1.125
access-list 104 remark SDM_ACL Category=0
access-list 104 permit ip any host 192.168.1.125
access-list 105 remark SDM_ACL Category=0
access-list 105 permit ip any host 192.168.1.120
access-list 106 remark SDM_ACL Category=0
access-list 106 permit ip any host 192.168.1.120
access-list 107 remark SDM_ACL Category=0
access-list 107 permit ip any host 192.168.1.120
access-list 108 remark SDM_ACL Category=0
access-list 108 permit ip any host 192.168.1.120
access-list 109 remark SDM_ACL Category=0
access-list 109 permit ip any host 192.168.1.120
access-list 110 remark SDM_ACL Category=0
access-list 110 permit ip any host 192.168.1.120
access-list 111 remark SDM_ACL Category=0
access-list 111 permit ip any host 192.168.1.120
access-list 112 remark SDM_ACL Category=0
access-list 112 permit ip any host 192.168.1.126
access-list 113 remark SDM_ACL Category=0
access-list 113 permit ip any host 192.168.1.126
access-list 114 remark SDM_ACL Category=0
access-list 114 permit ip any host 192.168.1.126
access-list 115 remark SDM_ACL Category=0
access-list 115 permit ip any host 192.168.1.126
access-list 116 remark SDM_ACL Category=0
access-list 116 permit ip any host 192.168.1.251
access-list 117 remark SDM_ACL Category=0
access-list 117 permit ip any host 192.168.1.120
access-list 118 remark SDM_ACL Category=4
access-list 118 remark IPSec Rule
access-list 118 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 119 remark SDM_ACL Category=128
access-list 119 permit ip host x.x.y.y any
access-list 120 remark SDM_ACL Category=0
access-list 120 remark IPSec Rule
access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 121 remark SDM_ACL Category=2
access-list 121 remark IPSec Rule
access-list 121 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 121 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 121
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
control-plane
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 route ip
line con 0
line aux 0
line vty 0 4
privilege level 15
transport input ssh
webvpn cef
end
Hello Frank,
Just to clarify, you have changed the rule so that y.y.x.x is the router WAN link:
ip nat inside source static tcp 192.168.1.120 3389 y.y.x.x 3389 route-map SDM_RMAP_1 extendable
and after that you could access 192.168.1.120:3389 from the 192.168.2.0 network?
The above rule does a static translation of 192.168.1.120 3389 to your WAN link for all traffic EXCEPT VPN.
So maybe you were trying to access y.y.x.x (not 192.168.1.120) port 3389 from the 192.168.2.0 network?
(and that traffic is not being sent via VPN but just normally routed through the internet)
Michal -
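To make Michal's point concrete, here is an added Python example (not code from the thread) that evaluates the router's crypto ACL 118 and the NAT route-map's ACL 121 with IOS first-match and wildcard-mask semantics for a few constructed flows. It assumes the ASA's crypto ACL mirrors ACL 118 (written here in IOS wildcard syntax so the same parser handles it) and uses 203.0.113.1 as a stand-in for the redacted y.y.x.x.

```python
import ipaddress
from dataclasses import dataclass

# ACLs copied from the router configuration posted in the thread above.
# ACL 118 is the crypto map's "match address": traffic that enters the IPsec tunnel.
# ACL 121 feeds route-map SDM_RMAP_1, which every "ip nat inside source ... route-map
# SDM_RMAP_1" line depends on: translation happens only when the route-map permits.
ROUTER_CRYPTO_ACL_118 = [
    "access-list 118 remark IPSec Rule",
    "access-list 118 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
]
ROUTER_NAT_ACL_121 = [
    "access-list 121 remark IPSec Rule",
    "access-list 121 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "access-list 121 permit ip 192.168.1.0 0.0.0.255 any",
]
# Assumption: the ASA's crypto ACL is the exact mirror of ACL 118 (it has to be for
# the tunnel to negotiate); it is not shown in the thread, so this is constructed.
ASA_CRYPTO_ACL = [
    "access-list ASA_CRYPTO permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255",
]
ROUTER_WAN_IP = "203.0.113.1"  # constructed stand-in for the redacted y.y.x.x


@dataclass(frozen=True)
class Matcher:
    """One address term of an ACE: an address plus an IOS wildcard mask
    (wildcard bits set to 1 are "don't care")."""
    addr: int
    wild: int

    def matches(self, ip: int) -> bool:
        return (ip | self.wild) == (self.addr | self.wild)


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: Matcher
    dst: Matcher


def _parse_target(tok, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tok[i]."""
    if tok[i] == "any":
        return Matcher(0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return Matcher(int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tok[i]))
    wild = int(ipaddress.IPv4Address(tok[i + 1]))
    return Matcher(addr, wild), i + 2


def parse_acl(lines):
    """Turn 'access-list N permit|deny ip SRC DST' lines into Ace objects.
    Remarks are skipped; only the 'ip' form used in this config is handled."""
    aces = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        action, proto = tok[2], tok[3]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACE: {line}")
        src, i = _parse_target(tok, 4)
        dst, _ = _parse_target(tok, i)
        aces.append(Ace(action, src, dst))
    return aces


def acl_decision(aces, src_ip, dst_ip):
    """First-match evaluation, with the implicit deny IOS appends to every ACL."""
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for ace in aces:
        if ace.src.matches(s) and ace.dst.matches(d):
            return ace.action
    return "deny"


def classify_from_router(src_ip, dst_ip):
    """Router view of a packet leaving the 192.168.1.0/24 LAN: is it encrypted
    (crypto ACL permits) and is it translated (route-map ACL permits)?"""
    return {
        "ipsec": acl_decision(parse_acl(ROUTER_CRYPTO_ACL_118), src_ip, dst_ip) == "permit",
        "nat": acl_decision(parse_acl(ROUTER_NAT_ACL_121), src_ip, dst_ip) == "permit",
    }


def asa_sends_over_tunnel(src_ip, dst_ip):
    """ASA view: does a packet from the 192.168.2.0/24 side enter the tunnel?"""
    return acl_decision(parse_acl(ASA_CRYPTO_ACL), src_ip, dst_ip) == "permit"


if __name__ == "__main__":
    print(classify_from_router("192.168.1.120", "192.168.2.50"))  # tunnel, no NAT
    print(classify_from_router("192.168.1.120", "198.51.100.7"))  # internet, NATed
    # Michal's point: aiming at the router's WAN address from the ASA side never
    # matches the crypto ACL, so it is plain-routed and hits the static NAT instead.
    print(asa_sends_over_tunnel("192.168.2.50", "192.168.1.120"))  # True
    print(asa_sends_over_tunnel("192.168.2.50", ROUTER_WAN_IP))    # False
```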
Port Forward in Cisco series 800
Dear Support
Below is the configuration of a Cisco 800 series router that has a VDSL port for the internet; the configuration is as follows.
I added three commands.
What is required in order to make the port forward?
ip nat inside source static tcp 8000 10.10.10.10 8000 dilar 0
ip nat inside source static tcp 554 10.10.10.10 554 dilar 0
ip access list extended 100
permit ip any any
What is required to make the port forward to the local IP address 10.10.10.10 from the outside interface, which is the VDSL port?
! Last configuration change at 10:47:44 KSA Wed Apr 22 2015 by aamalsup
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime
service password-encryption
hostname AamalNet
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
enable secret level 2 5 $1$Y4PF$K6TQ5wf0gcHiO5IxvLZba0
enable secret level 5 5 $1$WZeO$BzTCl0C0e1078CWxExJK0/
enable secret 5 $1$plq6$P5HVL/tR81cs0GFDrD.0V/
aaa new-model
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
clock timezone KSA 3 0
crypto pki trustpoint TP-self-signed-1682106276
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1682106276
revocation-check none
rsakeypair TP-self-signed-1682106276
crypto pki certificate chain TP-self-signed-1682106276
certificate self-signed 02
quit
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.11.1
ip dhcp pool lan
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 212.93.192.4 212.93.192.5
lease 0 2
ip dhcp pool wireless
import all
network 10.10.11.0 255.255.255.0
default-router 10.10.11.1
dns-server 212.93.192.4 212.93.192.5
lease 0 2
no ip domain lookup
ip domain name aamal.net.sa
ip name-server 212.93.192.4
ip name-server 212.93.192.5
no ipv6 cef
cwmp agent
enable download
enable
session retry limit 10
management server password 7 094D4308151612001D05072F
management server url http://aamalservice.aamal.net.sa:9090
license udi pid C887VA-W-E-K9 sn FCZ17459018
archive
log config
hidekeys
username k privilege 15 password 7 020D
username admin privilege 15 password 7 14161606050A
controller VDSL 0
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group aamalnet
key aamalnet
dns 212.93.192.4 212.93.192.5
include-local-lan
dhcp server 10.10.10.1
max-users 10
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
match identity group aamalnet
client authentication list sdm_vpn_xauth_ml_2
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
crypto ipsec profile SDM_Profile1
set security-association idle-time 60
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
bridge irb
interface ATM0
no ip address
no atm ilmi-keepalive
interface ATM0.1 point-to-point
pvc 0/35
pppoe-client dial-pool-number 1
interface Ethernet0
no ip address
shutdown
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface Virtual-Template1 type tunnel
ip unnumbered Dialer0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
interface wlan-ap0
description Embedded Service module interface to manage the embedded AP
ip unnumbered Vlan1
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
interface Vlan2
no ip address
bridge-group 2
interface Dialer0
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname [email protected]
ppp chap password 7 0007145E2E5A05522E1858
no cdp enable
interface BVI2
ip address 10.10.11.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 10.10.11.0 0.0.0.255
access-list 23 permit 212.93.196.0 0.0.0.255
access-list 23 permit 212.93.192.0 0.0.0.255
access-list 23 permit 212.93.193.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 23 permit 10.10.11.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
snmp-server community private RW
snmp-server community public RO
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
privilege interface level 5 encapsulation
privilege interface level 5 description
privilege interface level 5 no encapsulation
privilege interface level 5 no description
privilege interface level 5 no
privilege configure level 5 ip route
privilege configure level 5 interface
privilege configure level 5 controller
privilege configure level 5 ip
privilege exec level 5 copy running-config tftp
privilege exec level 5 copy running-config
privilege exec level 5 copy
privilege exec level 5 write memory
privilege exec level 5 write
privilege exec level 5 configure terminal
privilege exec level 5 configure
privilege exec level 5 show processes cpu
privilege exec level 5 show processes
privilege exec level 2 show running-config
privilege exec level 5 show configuration
privilege exec level 2 show
privilege exec level 5 clear counters
privilege exec level 5 clear
banner exec
CC
% Password expiration warning.
Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the
"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to
use.
banner login
CC
********STC AamalNet Service****************************************
********Authorize Access Only. For more Support Call 909************
line con 0
privilege level 15
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line vty 0 4
access-class 23 in
privilege level 2
transport input telnet ssh
scheduler max-task-time 5000
scheduler allocate 20000 1000
end
Hello,
Sure.
What version are you running?
Regards,
-
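A check a reviewer would want to run over the AamalNet configuration above, as an added example that is not part of the thread: a small Python auditor that walks a flattened IOS running-config (no "!" separators and no indentation, exactly as the post appears here) and flags the settings that weaken the Easy VPN server and the management plane. On the posted text it would flag the 3DES / DH group 2 ISAKMP policy, the group pre-shared key that is identical to the group name, the "private RW" and "public RO" SNMP communities, "transport input all" on line 2 and telnet on the vtys, "ip http server", and every Type 7 credential (Type 7 is a reversible encoding, not a hash). The keyword lists are the auditor's own thresholds, not anything from the thread, and SAMPLE is constructed to mirror the post with placeholder secrets.

```python
"""Added example (not from the thread): a line-based audit of a flattened Cisco IOS
running-config for weak IKEv1/IPsec and management-plane settings.

It tracks the few blocks it cares about purely from their sub-command keywords,
so it works on config text with no indentation. SAMPLE is constructed to mirror
the AamalNet post, with placeholder secrets."""
import re

WEAK_ENCR = {"des", "3des"}                   # 64-bit block ciphers
WEAK_DH = {"1", "2", "5"}                     # MODP-768 / 1024 / 1536
WEAK_HASH = {"md5"}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}
DEFAULT_COMMUNITIES = {"public", "private"}
POLICY_SUBCMD = re.compile(r"(encr|hash|authentication|group|lifetime)\b")
EZVPN_SUBCMD = re.compile(r"(key|dns|wins|domain|pool|acl|include-local-lan|dhcp|"
                          r"max-users|max-logins|netmask|save-password|split-dns|pfs)\b")


def audit_ios_config(text):
    """Return [(severity, line_number, message), ...] in config order."""
    findings = []
    policy = None        # inside 'crypto isakmp policy N'
    ezvpn_group = None   # inside 'crypto isakmp client configuration group NAME'

    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            policy, ezvpn_group = m.group(1), None
            continue
        m = re.match(r"crypto isakmp client configuration group (\S+)$", line)
        if m:
            ezvpn_group, policy = m.group(1), None
            continue
        if policy is not None and POLICY_SUBCMD.match(line):
            kw, _, val = line.partition(" ")
            if kw == "encr" and val in WEAK_ENCR:
                findings.append(("high", n, f"isakmp policy {policy}: weak cipher '{val}'"))
            elif kw == "group" and val in WEAK_DH:
                findings.append(("high", n, f"isakmp policy {policy}: weak DH group {val}"))
            elif kw == "hash" and val in WEAK_HASH:
                findings.append(("medium", n, f"isakmp policy {policy}: weak hash '{val}'"))
            continue
        if ezvpn_group is not None and EZVPN_SUBCMD.match(line):
            if line.startswith("key ") and line[4:] == ezvpn_group:
                findings.append(("high", n, f"Easy VPN group '{ezvpn_group}': PSK equals the group name"))
            continue
        policy = ezvpn_group = None   # any other line ends the block

        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            weak = sorted(set(m.group(2).split()) & WEAK_TRANSFORMS)
            if weak:
                findings.append(("high", n, f"transform-set {m.group(1)}: weak transforms {weak}"))
            continue
        m = re.match(r"snmp-server community (\S+) (RO|RW)\b", line)
        if m:
            name, mode = m.groups()
            if name in DEFAULT_COMMUNITIES or mode == "RW":
                findings.append(("high", n, f"SNMP community '{name}' ({mode})"))
            continue
        if line.startswith("transport input"):
            if set(line.split()[2:]) & {"telnet", "all"}:
                findings.append(("high", n, "cleartext management transport: " + line))
            continue
        if line == "ip http server":
            findings.append(("medium", n, "cleartext HTTP management enabled"))
        elif re.search(r"\bpassword 7 \S+", line):
            findings.append(("high", n, "type 7 (reversible) password: " + " ".join(line.split()[:2])))
        elif re.search(r"\bsecret 5 \$1\$", line):
            findings.append(("low", n, "type 5 (MD5) secret; use type 8/9 where the image supports it"))
    return findings


# Constructed sample mirroring the AamalNet post; secrets are placeholders.
SAMPLE = """\
version 15.2
service password-encryption
enable secret 5 $1$abcd$0123456789abcdefghijklm
username admin privilege 15 password 7 00000000
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group aamalnet
key aamalnet
dns 212.93.192.4 212.93.192.5
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
ip http server
ip http secure-server
snmp-server community private RW
snmp-server community public RO
line 2
transport input all
line vty 0 4
transport input telnet ssh
end
"""

if __name__ == "__main__":
    for sev, n, msg in audit_ios_config(SAMPLE):
        print(f"{sev:6} line {n:3}: {msg}")
```

Run it against a saved "show running-config"; the line numbers refer to the text you fed in, so they line up with the posted config once it is saved to a file. The Easy VPN check only catches a PSK equal to the group name, which is the one weakness visible here; any group PSK is still shared by every client, and Type 7 strings such as the "password 7" entries above can be recovered by anyone who reads the config.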
Router connected to cable modem by Ethernet port cannot get IP address from DHCP.
I have an ethernet cable on Fa0/0 connecting my 1841 router to my cable modem. The issue is that the router cannot obtain an IP address via DHCP when I have the "ACL-OUTSIDE-IN" ACL applied inbound on the Fa0/0 interface. I tried to allow all BOOTP and BOOTPS traffic in my ACL, but still no luck. I really don't want to run the router without a simple ACL firewall and connect it to the internet. When I take the ACL off of Fa0/0, the router is able to get an IP address via DHCP.
Router#sh run
Building configuration...
Current configuration : 10736 bytes
! Last configuration change at 18:14:42 MST Fri Nov 16 2012 by matt.chan
version 12.4
service nagle
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service password-encryption
hostname Router
boot-start-marker
boot system flash:c1841-advipservicesk9-mz.124-25f.bin
boot-end-marker
logging count
logging userinfo
logging buffered 1048576 informational
enable secret 5 <removed>
aaa new-model
aaa authentication login AUTH-LOCAL local-case
aaa session-id unique
memory-size iomem 25
clock timezone MST -7
ip cef
ip nbar pdlm flash:directconnect.pdlm
ip nbar pdlm flash:citrix.pdlm
ip nbar pdlm flash:bittorrent.pdlm
ip nbar custom steam destination udp range 27000 27030
ip nbar custom rdp destination tcp range 3389 3391 55402
ip domain lookup source-interface FastEthernet0/0
ip name-server 8.8.8.8
ip inspect name fa0/0_inspect_ou icmp router-traffic timeout 10
ip inspect name fa0/0_inspect_ou ftp timeout 300
ip inspect name fa0/0_inspect_ou udp router-traffic timeout 120
ip inspect name fa0/0_inspect_ou tcp router-traffic timeout 300
login block-for 60 attempts 4 within 60
login quiet-mode access-class ACL-ACCESS-QUIET
password encryption aes
crypto pki trustpoint TP-self-signed-1755372391
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1755372391
revocation-check none
rsakeypair TP-self-signed-1755372391
crypto pki certificate chain TP-self-signed-1755372391
certificate self-signed 01
3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31373535 33373233 3931301E 170D3132 31313137 30313130
35325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 37353533
37323339 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100D53F 9EB5B123 3103A4D5 82E786F7 F91C2DE5 9E409A22 80AF78F6 812F624A
89FE9103 73C4AAAB 13FF880D F628607D 6888AC49 18BEDD77 778F0DB1 F9A796E9
E92717CD 6DD19450 5066620A 91278C33 E38349EA 92B8C671 80761609 0AC46E6F
2C8C6BCF ABC7E1F7 A64BD28C C85477FE B23F8A7C 555ECDF9 CE461B8D 6C017370
0ED70203 010001A3 67306530 0F060355 1D130101 FF040530 030101FF 30120603
551D1104 0B300982 074E5543 4C455553 301F0603 551D2304 18301680 146CA2E0
936C651F E2ED4DCD D7025FF3 2AB029E0 95301D06 03551D0E 04160414 6CA2E093
6C651FE2 ED4DCDD7 025FF32A B029E095 300D0609 2A864886 F70D0101 04050003
8181004A AFA4D07C 1424DE0E EF3F17F2 BB1EA63B CB17C13D 1AEA31A1 BAB6AF77
DB6EA8A2 2117DCD1 5530A18C 3618D568 CC7EF520 E039ACBD DA906352 BB7E51BD
0954490C B2AB30C2 FBBE4738 C214BE1C CB63FFEA BAFC46E0 3DC419EE 714B9ABD
144A21E3 3E54C103 FF47FAF1 412FE5C4 59ACD1FE FD72356B C8DC04C3 E2EDF275 45954C
quit
username <removed secret 5 <removed>
ip ssh maxstartups 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh port 2226 rotary 1
ip ssh version 2
class-map match-all Zuri-YouTube-Class
match access-group name NAT-Pool-Zuri-WLAN
match protocol http host "*youtube.com*"
policy-map PMAP-QOS-VTI-IN
description QOS FOR TU0
class class-default
shape peak 1512000
policy-map PMAP-QOS-VTI-OUT
description QOS FOR TU0
class class-default
shape peak 512000
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
lifetime 43200
crypto isakmp key 6 <removed> address <removed>
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 5 periodic
crypto ipsec transform-set EDGE-TS ah-sha-hmac esp-aes 256
crypto ipsec profile EDGE
set security-association lifetime kilobytes 256000
set transform-set EDGE-TS
set pfs group5
interface Loopback0
no ip address
interface Tunnel0
description "VTI Link"
bandwidth 4000
ip address 172.20.0.2 255.255.255.0
ip mtu 1400
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1360
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 12090011003E5A0C0F186E752220211B4A
keepalive 10 5
tunnel source FastEthernet0/0
tunnel destination <removed>
tunnel mode ipsec ipv4
tunnel path-mtu-discovery
tunnel protection ipsec profile EDGE
service-policy output PMAP-QOS-VTI-OUT
hold-queue 75 out
interface FastEthernet0/0
description "Link to ISP"
bandwidth 4000
ip address dhcp
ip access-group ACL-OUTSIDE-IN in
no ip proxy-arp
ip nbar protocol-discovery
ip nat outside
ip inspect fa0/0_inspect_ou out
ip virtual-reassembly
ip ospf cost 1
duplex auto
speed auto
no keepalive
no cdp enable
interface FastEthernet0/1
description "Link to LAN"
ip address 172.16.0.1 255.255.255.248
ip access-group ACL-INSIDE-IN in
no ip proxy-arp
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly
ip ospf cost 1
ip ospf priority 255
duplex auto
speed auto
no keepalive
router ospf 1
log-adjacency-changes
redistribute static subnets
passive-interface default
no passive-interface Tunnel0
network 172.20.0.0 0.0.0.3 area 0
ip forward-protocol nd
ip route 10.0.0.0 255.0.0.0 Null0 name "Class A Private"
ip route 172.16.0.0 255.240.0.0 Null0 name "Class B Private"
ip route 172.17.0.0 255.255.0.0 FastEthernet0/1 172.16.0.2 name "Home WLAN"
ip route 172.19.73.31 255.255.255.255 Null0
ip route 172.27.0.0 255.255.0.0 Tunnel0 172.20.0.1 name "IPsec GRE Tunnel"
ip route 192.168.0.0 255.255.0.0 Null0 name "Class C Private"
ip route 192.168.0.0 255.255.255.0 Tunnel0 172.20.0.1 name "VLAN 70"
ip route 192.168.100.1 255.255.255.255 FastEthernet0/0 70.162.0.1 permanent name "CABLE MODEM MANAGEMENT"
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 dhcp 253
ip dns server
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat translation tcp-timeout 300
ip nat translation udp-timeout 120
ip nat translation max-entries 2048
ip nat inside source list ACL-NAT-172.16.0.0/29 interface FastEthernet0/0 overload
ip nat inside source list ACL-NAT-MANAGEMENT interface FastEthernet0/0 overload
ip nat inside source static tcp 172.16.0.4 22 interface FastEthernet0/0 2227
ip nat inside source static tcp 172.16.0.5 3389 interface FastEthernet0/0 3391
ip nat inside source static tcp 172.16.0.3 3389 interface FastEthernet0/0 3390
ip nat inside source static tcp 172.16.0.4 80 interface FastEthernet0/0 8084
ip access-list standard ACL-ACCESS-QUIET
permit 216.161.180.16
permit 172.16.0.0 0.1.255.255
permit 172.27.0.0 0.0.127.255
permit 172.20.0.0 0.0.0.3
ip access-list standard ACL-NAT-172.16.0.0/29
permit 172.16.0.0 0.0.0.7
ip access-list standard ACL-NAT-172.17.0.0/24
permit 172.17.0.0 0.0.0.255
ip access-list standard ACL-NAT-172.17.1.0/24
permit 172.17.1.0 0.0.0.255
ip access-list standard ACL-SNMP
permit 172.16.0.4
ip access-list extended ACL-CRY-MAP
ip access-list extended ACL-INSIDE-IN
deny ip host 172.16.0.2 172.27.0.0 0.0.127.255
deny ip host 172.16.0.2 172.20.0.0 0.0.0.3
permit ip 172.17.0.0 0.0.0.255 any
permit ip 172.16.0.0 0.0.0.7 any
permit ip 172.17.1.0 0.0.0.255 any
ip access-list extended ACL-NAT-MANAGEMENT
permit tcp host 172.27.10.11 eq 3389 host 72.166.77.196
ip access-list extended ACL-OUTSIDE-IN
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
permit tcp any any range 3390 3391
permit udp any any eq bootpc
permit udp any any eq bootps
permit tcp any any range 2226 2228
permit tcp any any range 8081 8084
permit icmp any any echo
permit icmp any any net-unreachable
permit icmp any any host-unreachable
permit icmp any any port-unreachable
permit icmp any any parameter-problem
permit icmp any any packet-too-big
permit icmp any any administratively-prohibited
permit icmp any any source-quench
permit icmp any any ttl-exceeded
deny icmp any any
deny ip any any
ip access-list log-update threshold 10
logging history informational
logging trap debugging
logging 172.17.228.17
logging 172.17.228.10
control-plane
line con 0
exec-timeout 15 0
privilege level 15
logging synchronous
login authentication AUTH-LOCAL
line aux 0
login authentication AUTH-LOCAL
line vty 0 4
exec-timeout 60 0
privilege level 15
logging synchronous
login authentication AUTH-LOCAL
rotary 1
transport input ssh
scheduler allocate 20000 1000
ntp clock-period 17178311
ntp source FastEthernet0/0
ntp server 148.167.132.201
end
Hi Matt,
Try adding the line below
ip access-list extended ACL-OUTSIDE-IN
permit udp any eq bootpc any eq bootps
Regards
Najaf
Please rate when applicable or helpful !!!
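The posted ACL-OUTSIDE-IN already permits UDP to bootpc and to bootps, so a more specific permit only helps if the offer is being matched by an earlier entry. An IOS ACL is evaluated top-down and the first match wins; a DHCPOFFER arrives as UDP from port 67 on the server or relay to port 68, and if that server or relay sources the offer from RFC 1918 space the three "deny ip ..." entries at the top match it before the bootpc permit is reached. Two things to check on the router rather than assume: "show ip access-lists ACL-OUTSIDE-IN" shows per-entry match counters, and adding "log" to the deny entries names the one that is catching the offer. Also, an entry typed into a named ACL without a sequence number is appended after the existing "deny ip any any", where nothing can reach it; put it at the top with a low sequence number such as "5 permit udp any eq bootps any eq bootpc". As an added example that is not part of the thread, the Python below evaluates the posted entries against constructed DHCPOFFER packets from a public and from a private source address, and against the same ACL with the DHCP permit moved to the top. The addresses are constructed (70.162.0.1 is the next hop in the poster's static route; 10.1.1.1 is a stand-in), and only the ACE syntax used in the post is parsed.

```python
"""Added example (not from the thread): a first-match evaluator for the subset of
Cisco IOS extended-ACL syntax used in ACL-OUTSIDE-IN, to trace what happens to an
inbound DHCPOFFER.

ACL_OUTSIDE_IN reproduces the relevant entries from the post in their original
order; the packets and server addresses below are constructed. Simplifications:
ICMP type qualifiers and 'log' are ignored, and only IPv4 is handled."""
import ipaddress

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "ssh": 22, "telnet": 23, "www": 80}

ACL_OUTSIDE_IN = [
    "deny ip 10.0.0.0 0.255.255.255 any",
    "deny ip 172.16.0.0 0.15.255.255 any",
    "deny ip 192.168.0.0 0.0.255.255 any",
    "permit tcp any any range 3390 3391",
    "permit udp any any eq bootpc",
    "permit udp any any eq bootps",
    "permit tcp any any range 2226 2228",
    "deny ip any any",
]

# Same entries with a DHCP permit ahead of the RFC 1918 denies. On the router this
# needs an explicit low sequence number (e.g. '5 permit udp ...'); an entry typed
# without one is appended after the final 'deny ip any any'.
ACL_FIXED = ["permit udp any eq bootps any eq bootpc"] + ACL_OUTSIDE_IN


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at tokens[i] -> (matcher, next i)."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    if tokens[i] == "host":
        want = int(ipaddress.IPv4Address(tokens[i + 1]))
        return (lambda ip: int(ip) == want), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    # Wildcard bits set to 1 are "don't care", so compare with them forced on.
    return (lambda ip: (int(ip) | wild) == (net | wild)), i + 2


def _port_spec(tokens, i):
    """Parse an optional 'eq P' or 'range LO HI' at tokens[i] -> (matcher, next i)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = _port(tokens[i + 1])
        return (lambda port: port == p), i + 2
    if i < len(tokens) and tokens[i] == "range":
        lo, hi = _port(tokens[i + 1]), _port(tokens[i + 2])
        return (lambda port: lo <= port <= hi), i + 3
    return (lambda port: True), i


def parse_ace(text):
    t = text.split()
    ace = {"text": text, "action": t[0], "proto": t[1]}
    ace["src"], i = _addr(t, 2)
    ace["sport"], i = _port_spec(t, i)
    ace["dst"], i = _addr(t, i)
    ace["dport"], i = _port_spec(t, i)
    return ace


def evaluate(acl, pkt):
    """IOS semantics: top-down, first match wins, implicit deny at the end.
    Returns (1-based ACE number or None, ACE dict)."""
    for idx, ace in enumerate(acl, 1):
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (ace["src"](pkt["src"]) and ace["dst"](pkt["dst"])):
            continue
        if pkt["proto"] in ("tcp", "udp") and not (
            ace["sport"](pkt["sport"]) and ace["dport"](pkt["dport"])
        ):
            continue
        return idx, ace
    return None, {"action": "deny", "text": "<implicit deny>"}


def trace(proto, src, sport, dst, dport, acl_lines=ACL_OUTSIDE_IN):
    """Return (action, ACE number, ACE text) for one packet against the ACL."""
    pkt = {"proto": proto, "src": ipaddress.IPv4Address(src), "sport": sport,
           "dst": ipaddress.IPv4Address(dst), "dport": dport}
    idx, ace = evaluate([parse_ace(line) for line in acl_lines], pkt)
    return ace["action"], idx, ace["text"]


def dhcp_offer_verdict(server_ip, acl_lines=ACL_OUTSIDE_IN):
    """A DHCPOFFER is UDP 67 -> 68 from the server or relay, here to the broadcast address."""
    return trace("udp", server_ip, 67, "255.255.255.255", 68, acl_lines)


if __name__ == "__main__":
    # 70.162.0.1 is the poster's next hop; 10.1.1.1 stands in for a relay on private space.
    for server in ("70.162.0.1", "10.1.1.1"):
        print(server, "as posted:", dhcp_offer_verdict(server))
        print(server, "fixed:    ", dhcp_offer_verdict(server, ACL_FIXED))
```

The offer from the public address is permitted by entry 5 in both versions; the offer from 10.1.1.1 is dropped by entry 1 as posted and permitted by the new first entry once it is moved up. Whether the poster's cable modem actually relays from private space is exactly what the match counters on the router will tell you.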