PI 7.11: Mapping inside or outside PI??
Hi,
We have an IDoc to SOAP scenario.
Currently we have many issues with that interface, because the message mapping is very complicated (various entries per infotype have to be mapped to one target field etc.).
Wouldn't it be easier (especially for me as an ABAPer) to do the mapping in a user exit on SAP ERP side and call the PI WS from there?
Then we would have only to bypass the data through PI, because the inbound/outbound message type would be the same.
For me it always takes ages to find out what's wrong inside the mapping.
And the graphical mapping becomes very confusing even for easy mappings.
In ABAP the mapping part would be much easier!
What is here the best practice?
Do PI developers have always the aim to do all the mapping inside PI?
Thanks in advance!
Hi,
my problem is still not solved
I've extended Idoc HRMD_A06 now.
The problem is, that it works only if i put the Z segment under segment E1PITYP, which is always linked to an Infotype (currently I put '0000' as Infotype).
E1PITYP contains the following fields:
PLVAR PLVAR
OTYPE OTYPE
OBJID HROBJID
INFTY INFOTYP
SUBTY SUBTYP
BEGDA PD_BEGDA
ENDDA PD_ENDDA
LONG_INFTY LONG_INFTY
I tried to put my segment under header segment E1PLOGI, but then SM58 gives me the following error:
Segment 'ZHRMD_A06', segmentnumber '000084' not correct in structure
E1PLOGI has the following fields:
PLVAR PLVAR
OTYPE OTYPE
OBJID HROBJID
PROOF CHAR1
OPERA HROPERA
SERIAL_COUNTER CHCOU
FILTER1 HRMD_FILTER1
FILTER2 HRMD_FILTER2
I don't really understand why I cannot do it that way...
My question:
Is there a way to include my data without linking it to an HR Infotype???
Similar Messages
-
how to allow some fixed extension go in from outside to inside but not allow go from inside to outside
for example, allow JPEG, MOV, AVI data flow from outside to inside
but not allow JPEG, MOV, AVI files access or upload or get by outside, in another words not from inside to outside
how to configure?Hi,
The ZBF link sent earlier show how we can inspect URI in http request
parameter-map type regex uri_regex_cm
pattern “.*cmd.exe”
class-map type inspect http uri_check_cm
match request uri regex uri_regex_cm
ZBf is the feature on Cisco routers and ASA though concepts are little same but works differently. However it is important that you can be more granular with the protocol (layer 7) inspection only. Like on ASA if you will try to restrict .exe file from a p2p application that won't be possible, But on router you have some application for p2p in NBAR and you can use it file filtering. Please check configuartion example for both devices.
Thanks -
Internet Access from Inside to Outside ASA 5510 ver 9.1
Hi everyone, I need help setting up an ASA 5510 to allow all traffic going from the inside to outside so I can get internet access through it. I have worked on this for days and I have finally got traffic moving between my router and my ASA, but that is it. Everything is blocked because of NAT rules I assume.
I get errors like this when I try Packet Tracer:
(nat-xlate-failed) NAT failed
(acl-drop) Flow is denied by configured rule
Version Information:
Cisco Adaptive Security Appliance Software Version 9.1(4)
Device Manager Version 7.1(5)
Compiled on Thu 05-Dec-13 19:37 by builders
System image file is "disk0:/asa914-k8.bin"
Here is my ASA config, all I want for this exercise is to pass traffic from the inside network to the outside to allow internet access so I can access the internet and then look for specific acl's or nat for specific services:
Thank You!
Config:
ASA5510# sh running-config
: Saved
ASA Version 9.1(4)
hostname ASA5510
domain-name
inside.int
enable password <redacted> encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd <redacted> encrypted
names
dns-guard
interface Ethernet0/0
description LAN Interface
nameif Inside
security-level 100
ip address 10.10.1.1 255.255.255.252
interface Ethernet0/1
description WAN Interface
nameif Outside
security-level 0
ip address 199.199.199.123 255.255.255.240
boot system disk0:/asa914-k8.bin
ftp mode passive
dns domain-lookup Outside
dns server-group DefaultDNS
name-server 199.199.199.4
domain-name
inside.int
object network inside-net
subnet 10.0.0.0 255.255.255.0
description Inside Network Object
access-list USERS standard permit 10.10.1.0 255.255.255.0
access-list OUTSIDE-IN extended permit ip any any
access-list INSIDE-IN extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu Inside 1500
mtu Outside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Inside,Outside) source dynamic any interface
object network inside-net
nat (Inside,Outside) dynamic interface
access-group INSIDE-IN in interface Inside
access-group OUTSIDE-IN in interface Outside
router rip
network 10.0.0.0
network 199.199.199.0
version 2
no auto-summary
route Outside 0.0.0.0 0.0.0.0 199.199.199.113 1
route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username <redacted> password <redacted> encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http
https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email
[email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
password encryption aes
Cryptochecksum:
<redacted>
: end
SH NAT:
ASA5510# sh nat
Manual NAT Policies (Section 1)
1 (Inside) to (Outside) source dynamic any interface
translate_hits = 0, untranslate_hits = 0
Auto NAT Policies (Section 2)
1 (Inside) to (Outside) source dynamic inside-net interface
translate_hits = 0, untranslate_hits = 0
SH RUN NAT:
ASA5510# sh run nat
nat (Inside,Outside) source dynamic any interface
object network inside-net
nat (Inside,Outside) dynamic interface
SH RUN OBJECT:
ASA5510(config)# sh run object
object network inside-net
subnet 10.0.0.0 255.255.255.0
description Inside Network Object
Hi all,Hello everyone, I need some help before my head explodes. IddddddddHello Mitchell,
First of all how are you testing this:
interface Ethernet0/0
description LAN Interface
nameif Inside
security-level 100
ip address 10.10.1.1 255.255.255.252
Take in consideration that the netmask is /30
The Twice NAT is good, ACLs are good.
do the following and provide us the result
packet-tracer input inside tcp 10.10.1.2 1025 4.2.2.2 80
packet-tracer input inside tcp 192.168.1.100 1025 4.2.2.2 80
And provide us the result!
Looking for some Networking Assistance?
Contact me directly at [email protected]
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
Note: Check my website, there is a video about this that might help you.
http://laguiadelnetworking.com -
ASA 5510 traffic from inside to outside
Hello,
I'm working on a basic configuration of a 5510 ASA.
inside network of 192.168.23.0 /24
outside network 141.0.x.0 /24
config is as follows:
interface Ethernet0/0
nameif OUTSIDE
security-level 0
ip address 141.0.x.0 255.255.255.0
interface Ethernet0/1
nameif INSIDE
security-level 50
ip address 192.168.23.1 255.255.255.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list OUTSIDE_access_in extended permit icmp any any
access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE eq https
access-list INSIDE_access_in extended permit icmp any any
global (OUTSIDE) 1 interface
nat (INSIDE) 1 192.168.23.0 255.255.255.0
access-group OUTSIDE_access_in in interface OUTSIDE
access-group INSIDE_access_in in interface INSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 141.0.x.57 1
In the LAB When I plug a laptop into the outside interface with address 141.0.x.57 I can ping it from a laptop from the inside interface and I can even access the IIS page. However, when I connect the ISP's firewall into the outside interface with the same address that I used the testing laptop with, I cannot seem to be able to access the outside world.
I can ping from the ASA's outside interface (x.58, to the ISP's x.57), but I cannot ping from the inside 192.168.23.x to it or access anything.
So traffic between inside and outside interface is not going through when in live setup. However, when in the lab it works fine.
Any ideas please?Version of FW:
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.3(1)
Output of Packet-Trace Command is:
SDH-PUBLIC-ASA(config)# packet-tracer input INSIDE icmp 192.168.23.10 8 0 1xpacket-tracer input INSIDE icmp 192.168.23.10 8 0 141.$
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 141.0.x.0 255.255.255.0 OUTSIDE
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE_access_in in interface INSIDE
access-list INSIDE_access_in extended permit icmp any any
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE) 0 192.168.23.0 255.255.255.0
match ip INSIDE 192.168.23.0 255.255.255.0 OUTSIDE any
identity NAT translation, pool 0
translate_hits = 104, untranslate_hits = 0
Additional Information:
Dynamic translate 192.168.23.10/0 to 192.168.23.10/0 using netmask 255.255.255.255
Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (INSIDE) 0 192.168.23.0 255.255.255.0
match ip INSIDE 192.168.23.0 255.255.255.0 OUTSIDE any
identity NAT translation, pool 0
translate_hits = 107, untranslate_hits = 0
Additional Information:
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 141, packet dispatched to next module
Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow -
Asa 5505 inside to outside ping ?
Hello, for some reason I cannot ping from a host on my inside network to my outside network interface
i.e. ping from 192.168.0.100 to 192.168.200.2
Also vice versa, when I ping from the asa5505's outside interface to any inside network address it does not work.
Can anyone see wht this is ? - it has to be something simple.
Thanks kindly for any help.
Result of the command: "show running-config"
Result of the command: "show running-config"
ASA Version 8.0(2)
hostname philASA5505
domain-name phil.home
enable password ma.B/.HgoVfoLiCL encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.254 255.255.255.0
ospf cost 10
interface Vlan2
no forward interface Vlan5
nameif outside
security-level 100
ip address 192.168.200.2 255.255.255.0
ospf cost 10
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 5
passwd ma.B/.HgoVfoLiCL encrypted
ftp mode passive
clock timezone NZST 12
clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 3:00
dns server-group DefaultDNS
domain-name phil.home
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network lan
description lan
network-object host 192.168.100.0
access-list outside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm errors
mtu inside 1500
mtu outside 1500
ip local pool philpool 192.168.0.1-192.168.0.99 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.0.0 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.200.1 1
route outside 192.168.100.0 255.255.255.0 192.168.200.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 192.168.200.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
no crypto isakmp nat-traversal
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd address 192.168.0.100-192.168.0.120 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
class-map global-class
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global-policy
class global-class
inspect icmp
service-policy global-policy global
webvpn
enable outside
svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
svc enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy philtunnel internal
group-policy philtunnel attributes
dns-server value 4.2.2.2 8.8.8.8
vpn-tunnel-protocol IPSec
username phil password DfN1FSNE/PrGENWQ encrypted privilege 15
tunnel-group 192.168.200.1 type ipsec-l2l
tunnel-group 192.168.200.1 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:809d3cdfdada66715a76c3aa57905add
: endI do not see in your config an entry for
policy-map global-policy
is there an entry for this that somehow did not get posted?
and under that policy-map is there an entry for
class global-class
and under that is there an entry for
inspect icmp
If these are missing then I suggest that you add them to your config and see if the behavior changes.
HTH
Rick -
ASA5505 Can't pass traffic between inside (private) & outside (private)
10.15.50.0/24 <---> 10.15.50.254 (inside / ASA5505 \ outside) 10.60.15.253 <---> 10.60.15.254 <--- (cloud) ---> (eventual destination 10.15.60.0/24)
Goal:
10.15.50.0/24 traffic will communicate with 10.15.60.0/24 while block all other. Current config is any/any for troubleshooting.
Example:
10.15.50.249 pings 10.60.15.253 (inside of ASA) and fails. Running it thru ASDM Packet Tracer shows the Outside ASA interface blocking but I have any/any on that interface.
Question:
What am I doing wrong?
: Saved
ASA Version 8.2(5)
hostname SJ-HostB-ASA
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.15.50.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 10.60.15.253 255.255.255.252
boot system disk0:/asa825-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.60.15.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 1
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
console timeout 30
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.15.50.243 source inside
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http
destination address email
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
: end
asdm image disk0:/asdm-645.bin
no asdm history enableHi,
You can only PING / ICMP an ASA interface from behind that same interface.
So users behind "inside" can PING / ICMP the "inside" interface IP address and users behind "outside" can PING / ICMP the "outside" interface IP address. Users can't PING / ICMP the remote interface from their perspective. The only exception is when users are coming through VPN connection and you use the "management-access " command. But this doesnt apply to your situation.
You seem to be simulating an ICMP send from behind "inside" to the "outside" interface IP address if what you say is true.
So attempt the Packet Tracer using some remote network IP address in the 10.15.60.0/24 network.
You dont seem to have "nat-control" enabled so all traffic should be able to pass through the ASA without translation. So NAT shouldnt be a problem.
You can also add the following configurations
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
- Jouni -
Google map inside the spry collapsible panel
So this time I've bumped into interesting 'bug'. I've placed the google map inside the spry collapsible panel. Panel is set to the closed mode on load of page. When I open the tab, map appears, but address marker is hidden behind the top left corner. If I place the same map outside the collapsiple panel it renders all well.
So my question is whether there is any way around this issue. When I know where the marker is hidden I can simply move the map and see it, but customer who's not aware of the problem will see only blank map with not marked address which is not acceptable.
cheers,
SimonSure mate. Here you go:
<div id="CollapsiblePanel1" class="CollapsiblePanel">
<div class="CollapsiblePanelTab" tabindex="0">SHOW MAP</div>
<div class="CollapsiblePanelContent">
<cfmap width="242" height="200" zoomlevel="12" name="mainMap" markercolor="333444" showscale="false"
typecontrol="none" showcentermarker="true" centeraddress="#get_event.event_address1#, #get_event.event_address2#, #get_event.event_city#,#get_event.event_county#, #get_event.event_postcode#, #get_event.event_country# "
></cfmap>
</div>
</div>
And this bit goes at the bottom of the code :
<script type="text/javascript">
var CollapsiblePanel1 = new Spry.Widget.CollapsiblePanel("CollapsiblePanel1", {contentIsOpen:false});
</script>
And that would be the preview that I get once the panel is open:
And that is the preview of how it should look:
As you can see the map marker sticks to the top left corner. I was wondering whether there is any way to re-focus it once the panel is open.
cheers,
Simon -
NAT outside to inside and inside to outside (in 8.4(2) version)
Thanks a lot and i attached a diagram here
Requirement:
need to pass through traffic from outside to inside and inside to outside.
I also attached a diagram with the ip
and also tell me one thing that natting is only for private to public or public to private.Hi,
I think i replied on your post earlier as well.
As per your query , you can NAT any kinds of IP(Public or Private) into any kind((Public or Private)).
For Bidirectional traffic , you always need static NAT
When you want Uni Directional Traffic , you can use Dynamic NAT/PAT.
For the Inside to Outside Traffic , you can use this NAT:-
object network LAN
subnet 0 0
nat (inside,outside) dynamic interface
FOr Outside to Inside Traffic , you would only want access for certain Servers. Just like Internally hosted Web Servers
For this , you can either use , Static PAT/NAT:-
object network host
host 10.10.10.10
nat (inside,Outside) static interface service tcp 3389 3389
access-list outside_inside permit tcp any host 10.10.10.10 eq 3389
This will enable you to take the RDP access for your PC from the internet.
Is this what you want ?
Thanks and Regards,
Vibhor Amrodia -
NAT (INSIDE To OUTSIDE)
I need Configuration of this topology
At Outside Router
int f0/0
ip add 10.1.1.2 255.255.255.0
At Inside Router
int f0/0
ip add 192.168.1.2 255.255.255.0
At ASA
int e0
ip add 10.1.1.1 255.255.255.0
int e1
ip add 192.168.1.1 255.255.255.0
I want NAT from inside to outside and also need ACL configuration and attached diagram.
and version of ASA is 8.2
Navaz
Message was edited by: Navaz WattooTHIS MY ASA CONFIGURATION
ciscoasa(config)# sh running-config
: Saved
ASA Version 8.0(2)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.1.1.1 255.255.255.0
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list OUT extended permit tcp any any
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) 10.1.1.1 192.168.1.1 netmask 255.255.255.255
access-group OUT in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end
ciscoasa(config)#
THIS MY OUTSIDE ROUTER CONFIGURATION
R1(config)#do sh run
Building configuration...
Current configuration : 877 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R1
boot-start-marker
boot-end-marker
no aaa new-model
ip cef
no ip domain lookup
ip domain name lab.local
multilink bundle-name authenticated
interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.0
duplex auto
speed auto
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
ip route 192.168.1.0 255.255.255.0 10.1.1.1
no ip http server
no ip http secure-server
logging alarm informational
control-plane
gatekeeper
shutdown
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
end
R1(config)#
THIS MY INSIDE ROUTER CONFIGURATION
R2(config)#do sh run
Building configuration...
Current configuration : 880 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R2
boot-start-marker
boot-end-marker
no aaa new-model
ip cef
no ip domain lookup
ip domain name lab.local
multilink bundle-name authenticated
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
duplex auto
speed auto
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
ip route 10.1.1.0 255.255.255.0 192.168.1.1
no ip http server
no ip http secure-server
logging alarm informational
control-plane
gatekeeper
shutdown
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
end
R2(config)#
Navaz -
Controlling ASA outbound (inside to outside) traffic
Hello There,
I have been in trouble while controlling every traffic passing from inside to outside. We already have websnese integtared with ASA 5520. Please help me in providing the details on this
1. Traditional method by putting ACL on inside port (what things need to be blocked)
2. Any special/standard configuration of inside ACL
3. What other ways or methods are implemented.
Please help somebody..... :-)What's is exactly what you want to do on the firewall with those Access-lists?
Here's a link that explains how to use Access-lists on an ASA.
http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/traffic.html -
ASA 5505 unable to connect inside or outside
Hello,
I'm extremely new to router configurations, and am attempting to configure a backup ASA 5505 to use as a temporary access point in the event that our main ASA becomes unavailable. What I have done is loaded the running config from our main ASA onto the backup, and have made changes to necessary routes, IPs, etc. I can connect to it from a remote computer without problem, but I cannot access any of our servers, nor can I access the internet. I have also tried modifying the access list and NAT rules every which way from Sunday, but I still cannot get this thing to allow any information through. I keep getting "failed to locate egress interface for UDP from outside" errors.
We are using Cisco AnyConnect to connect , and mind you, since the config for this backup ASA was taken from our main, it still has the original certificate info and profiles. I was told that this wouldn't matter, but I thought I should mention in case I need to remove any of it from the config.
Here is part of the config file. I took out some information, but tried to keep it understandable. If anyone could point me in the right direction, it would be greatly appreciated!
ciscoasa# show running-config
: Saved
: Serial Number: xxxxxxxxxxx
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
ASA Version 9.2(2)
hostname ciscoasa
domain-name domain
enable password encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd encrypted
names
ip local pool pool1 x.x.9.22-x.x.9.254 mask 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address x.x.8.10 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.237 255.255.255.248
boot system disk0:/asa922-k8.bin
boot config disk0:/startup-config
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group Default
name-server x.x.8.100
domain-name domain
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network pool1
subnet x.x.9.0 255.255.255.0
object network outside-network
host x.x.x.237
object network Remote-Network
subnet x.x.8.0 255.255.255.0
object network local
object network obj-x.x.9.24
host x.x.9.24
object-group network Outside-Network-Group
description Outside Network Group
network-object x.x.x.232 255.255.255.248
object-group network Inside-Network-Group
description Inside Network Group
network-object x.x.8.0 255.255.255.0
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list NONAT extended permit ip x.x.8.0 255.255.255.0 x.x.9.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 30000
logging buffered debugging
logging asdm informational
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination inside x.x.8.132 2055
flow-export template timeout-rate 1
flow-export delay flow-create 50
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-722.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static pool1 pool1 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static Remote-Network Remote-Network no-proxy-arp route-lookup
nat (outside,outside) source dynamic pool1 interface
object network obj_any
nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.232 1
route inside x.x.11.0 255.255.255.0 x.x.11.1 1
If you have any questions, or need any other information, please let me know.
Thanks!Am I posting this in the wrong section? Anyone?
-
Problem of routing between inside and outside on ASA5505
I have a ASA5505 with mostly factory default configuration. Its license allows only two vlan interfaces (vlan 1 and vlan 2). The default config has interface vlan 1 as inside (security level 100), and interface vlan 2 as outside (security level 0 and using DHCP).
I only changed interface vlan 1 to IP 10.10.10.1/24. After I plugged in a few hosts to vlan 1 ports and connect port Ethernet0/0 (default in vlan 2) to a live network, here are a couple of issues I found:
a) One host I plugged in is a PC, and another host is a WAAS WAE device. Both are in vlan 1 ports. I hard coded their IP to 10.10.10.250 and 10.10.10.101, /24 subnet mask, and gateway of 10.10.10.1. I can ping from the PC to WAE but not from WAE to the PC, although the WAE has 10.10.10.250 in its ARP table. They are in the same vlan and same subnet, how could it be? Here are the ping and WAE ARP table.
WAE#ping 10.10.10.250
PING 10.10.10.250 (10.10.10.250) from 10.10.10.101 : 56(84) bytes of data.
--- 10.10.10.250 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
WAE#sh arp
Protocol Address Flags Hardware Addr Type Interface
Internet 10.10.10.250 Adj 00:1E:37:84:C9:CE ARPA GigabitEthernet1/0
Internet 10.10.10.10 Adj 00:14:5E:85:50:01 ARPA GigabitEthernet1/0
Internet 10.10.10.1 Adj 00:1E:F7:7F:6E:7E ARPA GigabitEthernet1/0
b) None of the hosts in vlan 1 in 10.10.10.0/24 can ping interface vlan 2 (address in 172.26.18.0/24 obtained via DHCP). But on ASA routing table, it has both 10.10.10.0/24 and 172.26.18.0/24, and also a default route learned via DHCP. Is ASA able to route between vlan 1 and vlan 2? (inside and outside). Any changes I can try?
Here are ASA routing table and config of vlan 1 and vlan 2 (mostly its default).
ASA# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 172.26.18.1 to network 0.0.0.0
C 172.26.18.0 255.255.255.0 is directly connected, outside
C 127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
C 10.10.10.0 255.255.255.0 is directly connected, inside
d* 0.0.0.0 0.0.0.0 [1/0] via 172.26.18.1, outside
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Ethernet0/0
switchport access vlan 2
All other ports are in vlan 1 by default.I should have made the config easier to read. So here is what's on the ASA and the problems I have. The ASA only allows two VLAN interfaces configured (default to Int VLAN 1 - nameif inside, and Int VLAN 2 - nameif outside)
port 0: in VLAN 2 (outside). DHCP configured. VLAN 2 pulled IP in 172.26.18.0/24, default gateway 172.26.18.1
port 1-7: in VLAN 1 (inside). VLAN 1 IP is 10.10.10.1. I set all devices IP in VLAN 1 to 10.10.10.0/24, default gateway 10.10.10.1
I have one PC in port 1 and one WAE device in port 2. PC IP set to 10.10.10.250 and WAE set to 10.10.10.101. PC can ping WAE but WAE can't ping PC. Both can ping default gateway.
If I can't ping from inside interface to outside interface on ASA, how can I verify inside hosts can get to outside addresses and vise versa? I looked at ASA docs, but didn't find out how to set the routing between inside and outside. They are both connected interfaces, should they route between each other already?
Thanks a lot -
I bought a X10 wireless Security Camera last year and it took me months to figure out how to set it up to access the video both inside my home and through my iPhone remotely, even on my Mac at my office. I thought I would provide my process of getting this done to help those trying something similar. Yes the X10 camera works as a Foscam Camera. I am very happy with the result. The biggest challenge was Port Forwarding the Apple Basestation but now that I figured it out, it is easy.
"How I set up a Foscam wireless webcam through Apple Hardware and software to work inside and outside of my home network seemlessly."
What you need:
-Foscam or compatible camera, (iPad or iPhone or Mac or better all three)!
-Service Provider Router.
-Apple Base Station, Extreme or Express. 7.71
-'ip scanner' (software for Mac, app for iPad/iPhone.
-CCTV Camera pros port scanner app for iPhone.
First REMOTE ACCESS
Go to www.dyndns.org and set up an account. For about $20/yr you can have 30 host websites. Write down the user name and password as you will need it later.
You need this service to have a stable website to see your camera outside your network later as 'ip' addresses can change but this site will remain stable.
Then after you log back in, create a 'host website' from the menu. When you are creating the host site, dyndns will give you lots of web address choices or you can create your own. Just pick one. Also, you will need the 'ip' of the server where the camera will be. Luckily the dyndns website tells you this, just select it. Write down the web address, click create and you are done this part.
Next you need to set up the camera.
CAMERA SET UP
Using an Ethernet cable, connect your Apple Base Station to your web cam.
You will need to run 'ip scanner' to see the 'ip' address for the web cam. Write down the 'ip'. Select it, then select "open device in". Pick browser.
A web page will be launched and you are given 3 choices. I picked the middle, 'push browser'. You are then asked for the user name and password for the camera. By default the user is 'administrator' and there is no password. Just click log in. You now will see a menu along the left, at the bottom it should say 'device management'. Select that. Another page will show and there are several important things to do here.
1. Alias - give a name to the camera.
2. Set the time from a server.
3. Users - set a user and password. Write this down as you will need it.
4. Basic network. Either check to 'Obtain IP from DHCP Server' or specify an IP you want to stay the same. You need the subnet and main DNS server and the Gateway (same thing like 192.168.0.?or 10.0.0.? or 172.16.0.?)
Decide on a port you want use. Write this down. The camera will reboot, you will need to log in. In the browser enter IP then : the port#. Like 192.168.0.?:80 you will need the camera user name and password.
5. Wireless-scan for the nearby network list. Pick your network, enter your password, click submit. It will reboot.
6. UPnP-check to use.
7. DDNS Service (this allows remote viewing) pick DynDns.org
Enter your DynDns user name and password.
Enter the long DynDns Host website you wrote down. Click Submit. It will reboot.
APPLE Basestation set up
Run Airport Utility on Mac or iPad or iPhone.
Tap basestation, tap edit, tap advanced, tap Port Settings, tap 'new entry', in description enter a name, enter HTTP port number you picked when setting up the camera in all 4 spots: public and private UDP and TCP. Enter the IP address you picked in the camera setup. Click done and again until the Basestation updates.
Run the CCTV app, pick 'tools', pick 'Port forwarding Checker'. Enter the port you selected to see if it shows open then you are good. If not go back through the steps.
Set up Foscam App on the iPad and iPhone.
Run App, tap Add Camera,
Label- enter a name
User- Camera user name
Password- Camera
Local camera address-the IP address eg 192.168.0.?
Port- the one you specified.
If it connects you will see the chain turn green.
Remote address- the long one from DynDns.
Port- the one you specified.
If it connects you will see the chain turn green.
Tap done.
If everything is entered correctly it will all work.
Trouble shooting, make sure the IP address for the camera is listed correctly in the Apple Router. If it changes on the network, just go into the Airport Utility and update that. Also make sure the dyndns address is correctly listed in the Camera set up.
If questions, just let me know.Ok.. you have to work out the way you are going to access the TC..
There are basically three methods..
1. Direct access using AFP.. you need a static public IP and the TC as the main internet router.. then you need to turn on internet access and password the hard disk. The college has to have port 548 open.
If you do not have a static public IP then you can use ddns service but there is no client in the TC.. so you will have to figure out a way to update the service.
2. Use BTMM with icloud. This is the Apple method. It actually uses vpn..(the vpn is locked to apple use only but it is not available to end user).. The requirements are 7.6.1 firmware and lion or ML on a Mac computer. I am not sure of the ports because the link to the Apple cloud is separate from the vpn to your home system.
3. VPN.. that means you need to bridge the TC and use a decent quality vpn modem / router or combo thereof.
VPN are not for the faint of heart.. it can take a lot of work to get running but offers the best security.. you will need to change the network equipment in your house more than likely.. using a pc / mac as a vpn server is possible.. but messy.
There are also easy ways to at least access the home computer.. teamviewer for example. This is likely blocked by the college though.
Double NAT is where you put a router on a private IP behind another router on a private IP.. that makes port forwarding close to impossible. -
Multiple Crypto Maps on Single Outside Interface
Hi, I had the following crypto map configured on my ASA5505 to allow Cisco IPSec VPN clients to connect from the outside:
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
I'm trying now to set up an additional crypto map - a static configuration to establish a tunnel with Windows Azure services. The configuration they gave me is:
crypto map azure-crypto-map 10 match address azure-vpn-acl
crypto map azure-crypto-map 10 set peer XXX.XXX.XXX.XXX (obfuscated)
crypto map azure-crypto-map 10 set transform-set azure-ipsec-proposal-set
crypto map azure-crypto-map interface outside
However, when I apply that configuration, my Cisco IPSec clients can no longer connect. I believe my problem is that last line:
crypto map azure-crypto-map interface outside
which blows away my original line:
crypto map outside_map interface outside
It seems I'm stuck with picking just one of the maps to apply to the outside interface. Is there a way to apply both of these maps to the outside interface to allow both IPSec tunnels to be created? We're running ASA version 8.4(7)3.Hi,
You can use the same "crypto map"
Just add
crypto map outside_map 10 match address azure-vpn-acl
crypto map outside_map 10 set peer XXX.XXX.XXX.XXX (obfuscated)
crypto map outside_map 10 set transform-set azure-ipsec-proposal-set
Your dynamic VPN Clients will continue to work just fine as their "crypto map" statements are with the lowest priority/order in the "crypto map" configurations (65535) and the L2L VPN is higher (10)
And what I mean with the above is that when a L2L VPN connections is formed from the remote end it will naturally match the L2L VPN configurations you have with "crypto map" configurations using the number "10". Then when a VPN Client connects it will naturally not match the number "10" specific configurations and will move to the next entry and will match it (65535)
If you would happen to configure a new L2L VPN connection then you could give it the number "11" for example and everything would still be fine.
Hope this helps
- Jouni -
I am writing a book and need to have the margins alternating left and right pages, so that there is sufficient margin for the binding. I have tried different inside and outside margins, the same inside and outside margins, facing pages, changing the master, and I cannot get the margins to alternate at print time. The larger margin is always on the left. Can anyone please help me on this, as I have spent hours and lots of ink.
Set up as facing pages with a larger inside margin.
Maybe you are looking for
-
How do i move an app from one page to another
how do i move an app from one page to another? When I upgraded to the latest software on my 4s, the camera went to the last page rather than remaining on the home page
-
How do I download a picture from my Macbook Pro to a website?
OK, maybe I'm missing something obvious, but I can't figure it out. I was updating my medical information, which is a website, and there is a place to download a picture of myself. I clicked on browse and it opened up Finder. So far, so good. I t
-
Can I listen to podcasts etc. on my work computer?
I have iTunes set up on my home PC and have various playlists etc. on it. Is there anyway I can listen to them at work without recreating them on my work PC? Ron
-
Hi all, I am using JDev10g created jspx page. in backing bean i written this code. I created commandButton. I add following code public String Login_action() // Add event code here... if(this.getInputText11()!=
-
Problems with text in overlays
Hi All and sorry if this is a basic question, but really rushed to meet a client's deadline. I created a simple SD menu at 16x9. My client wants the entire title of the video tracks highlighted when the pointer rolls over it or selects it. Problem is