Problem with L2TP with Cisco 3845
Dear all
I have the following scenario for my dial-up network.
MaxTNT(LAC) ---Ethernet--- Cisco3845 (LNS)
I have configured the MaxTNT dial-up server to act as LAC and launch an L2TP tunnel after authenticating with the RADIUS server. The Cisco 3845, acting as LNS, establishes the L2TP tunnel with the LAC and dial-up users get connected on it as VPDN PPPoE users.
However, the problem I am facing is that I don't receive any authentication request on the Cisco LNS. As soon as a user gets connected it sends an Accounting Request only.
I need an authorization request in order to push various AVPs from RADIUS, but it's not happening.
Does anyone have any idea what could be wrong here? Is there any specific parameter I need to set up on the Cisco, or on the MaxTNT?
Waiting for a reply.
To enable the Layer 2 Tunnel Protocol (L2TP) tunnel server or network access server (NAS) to perform remote authentication, authorization, and accounting (AAA) tunnel authentication and authorization, use the vpdn tunnel authorization network command in global configuration mode. To disable remote tunnel authentication and authorization and return to the default of local tunnel authentication and authorization, use the no form of this command.
vpdn tunnel authorization network {list-name | default}
no vpdn tunnel authorization network {list-name | default}
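As an added example that is not part of the thread above, the following Python script decodes RADIUS packets the way a capture between the LNS and the RADIUS server would present them, classifies each by its packet code and verifies the Accounting-Request authenticator against the shared secret. That is the check that pins down the symptom described in the question: if a capture of the LNS-to-server traffic contains only code 4 (Accounting-Request) and never code 1 (Access-Request), the LNS is not consulting RADIUS for the user at all. Note that the command quoted in the reply covers tunnel-level (LAC/LNS) authorization; per-user PPP authentication and the per-user attributes the poster wants pushed are governed by the LNS's separate aaa authentication ppp and aaa authorization network method lists, which is worth checking before changing anything on the MaxTNT. The shared secret, usernames, NAS address and packets here are constructed for the demo; nothing is taken from the poster's setup.

```python
"""Added example (not from the thread): a minimal RFC 2865/2866 codec to classify and
verify RADIUS packets seen between an LNS and its server. Secret, users and NAS
address are constructed for the demo."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
              4: "Accounting-Request", 5: "Accounting-Response"}
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 2, 4, 40, 44


def encode_attrs(attrs):
    """[(type, value bytes)] -> TLV area; the length octet includes the 2-byte header."""
    out = b""
    for atype, value in attrs:
        if not 0 < len(value) <= 253:
            raise ValueError("attribute value length out of range")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out

def decode_attrs(data):
    """Parse the TLV area, rejecting bad lengths rather than looping or over-reading."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def unhide_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password; strips the zero padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))

def build_access_request(ident, secret, user, password, nas_ip):
    """Code 1, what an LNS sends for PPP authentication: random Request Authenticator."""
    req_auth = os.urandom(16)
    attrs = encode_attrs([(USER_NAME, user),
                          (USER_PASSWORD, hide_password(password, secret, req_auth)),
                          (NAS_IP_ADDRESS, ip_bytes(nas_ip))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def build_accounting_request(ident, secret, user, session_id, nas_ip):
    """Code 4; RFC 2866 3: Authenticator = MD5(Code+ID+Length+16 zero octets+Attrs+Secret)."""
    attrs = encode_attrs([(USER_NAME, user), (NAS_IP_ADDRESS, ip_bytes(nas_ip)),
                          (ACCT_STATUS_TYPE, struct.pack("!I", 1)),  # 1 = Start
                          (ACCT_SESSION_ID, session_id)])
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest() + attrs

def parse_packet(raw, secret):
    """Header checks, attribute decode, and authenticator verification for accounting packets."""
    if len(raw) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("length field does not match the packet")
    info = {"code": CODE_NAMES.get(code, str(code)), "id": ident,
            "attrs": decode_attrs(raw[20:]), "authenticator_ok": None}
    if code == ACCOUNTING_REQUEST:  # Access-Request authenticators are random; nothing to check
        expected = hashlib.md5(raw[:4] + b"\x00" * 16 + raw[20:] + secret).digest()
        info["authenticator_ok"] = expected == raw[4:20]
    return info

def classify_capture(packets, secret):
    """Count packet types; an LNS that only ever emits code 4 never asked for authorization."""
    counts = {}
    for raw in packets:
        name = parse_packet(raw, secret)["code"]
        counts[name] = counts.get(name, 0) + 1
    return counts

SECRET = b"example-shared-secret"   # constructed for the demo
DEMO_PACKETS = [                     # constructed: what the poster's capture would look like
    build_accounting_request(7, SECRET, b"user1@isp.example", b"0000000A", "192.0.2.10"),
    build_accounting_request(8, SECRET, b"user2@isp.example", b"0000000B", "192.0.2.10"),
]
```

Feed `classify_capture` the UDP payloads from a capture on the RADIUS ports; a result with no Access-Request entry at all reproduces the poster's symptom. The accounting authenticator check also catches a shared-secret mismatch between LNS and server, which silently discards accounting on the server side.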
Similar Messages
-
Does Cisco 3845 with NM-16A/S support OIR feature or Hot swap for this NM.
Dear Sir
My customer would like to implement a Cisco 3845 with NM-16A/S x 4. I found that the Cisco 3845 supports the OIR function, but I am not sure which NM models that OIR support covers. Can anyone tell me whether the NM-16A/S on a Cisco 3845 supports the OIR function or not?
Thank you very much
Wisit
Hi,
From what I have read in the following document:
http://www.cisco.com/en/US/products/ps5855/products_installation_guide_chapter09186a00802ccf1d.html
Network Modules
Network modules install directly into slots in the rear of the router. The Cisco 3845 router supports online insertion and removal (OIR, or hot swap) of network modules. The Cisco 3825 router does not support OIR.
Caution The Cisco 3845 router supports OIR with similar modules only. If you remove a network module, along with any installed WAN or voice interface cards, install another module and card combination exactly like it.
Interface Cards
Cisco 3800 series routers do not support OIR (hot swap) of interface cards inserted directly into router slots. You must turn off the router before installing or removing an interface card.
The Cisco 3825 router and the Cisco 3845 router each provide four interface card slots, labeled on the rear panel by HWIC and a number. Each slot can be occupied by one single-wide WIC, VIC, VWIC, or HWIC.
Hope this helps
Sarb -
Having a problem with PEAP and Cisco 2960 Switch
Hi All,
I am attempting to use PEAP with an LDAP backend on FreeRADIUS with the MS supplicant. I have it all working; in debug on the RADIUS server I see it sending all the information, the tunnel, medium etc., but with PEAP the Cisco switch is not changing VLANs. If I install the Cisco or Juniper client it works just fine if I use EAP-MSCHAPv2, but PEAP-MSCHAPv2 does not switch the port to the right VLAN. Is there something extra on the switch I need to do to allow PEAP, or is there something on the FreeRADIUS side?
The only difference between the PEAP and EAP versions that I can tell is that PEAP authenticates and the information is sent once (according to the debug on the RADIUS server), whereas with EAP the connection information is sent several times, that is, I will see the tunnel and medium info sent more than once in the RADIUS log for just one login.
Any ideas?
Thought I mentioned the client in the first post. I am using the 3 different types of clients with the goal of getting the MS client to work. I am using the Juniper Odyssey client, Cisco CSSC client and the MS built-in client. I mentioned EAP-MSCHAPv2 because I tested that login so I could compare the RADIUS output with that of PEAP-MSCHAPv2. I did not release logs from the RADIUS server because it seems to be centred on something with the switch changing VLANs, but if you want output I can give that.
CSSC Client pops out:
14:25:08.453 Network Connection requested from user context.
14:25:08.468 Connection authentication started using the logged in user's credentials.
14:25:08.468 Port state transition to AC_PORT_STATE_CONNECTING(AC_PORT_STATUS_STARTED)
14:25:08.796 Port state transition to AC_PORT_STATE_UNAUTHENTICATED(AC_PORT_STATUS_8021x_FORCED_UNAUTH)
14:25:09.828 Port state transition to AC_PORT_STATE_AUTHENTICATING(AC_PORT_STATUS_8021x_ACQUIRED)
14:25:09.843 Identity has been requested from the network.
14:25:09.875 Identity has been sent to the network.
14:25:09.890 Authentication started using method type EAP-PEAP, level 0
14:25:09.890 The server has requested using authentication type: EAP-PEAP
14:25:09.890 The client has requested using authentication type: EAP-PEAP
14:25:09.968 Profile does not require server validation.
14:25:10.031 Identity has been requested from the network.
14:25:10.031 Identity has been sent to the network.
14:25:10.046 Authentication started using method type EAP-MSCHAP-V2, level 1
14:25:10.046 The server has requested using authentication type: EAP-MSCHAP-V2
14:25:10.046 The client has requested using authentication type: EAP-MSCHAP-V2
14:25:10.078 Port state transition to AC_PORT_STATE_AUTHENTICATED(AC_PORT_STATUS_EAP_SUCCESS)
14:25:10.078 The authentication process has succeeded.
************************* Radius Output for PEAP: **************************
[ldap] user RadiusUser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.7 seconds.
Waking up in 0.7 seconds.
Waking up in 0.1 seconds.
Waking up in 3.7 seconds.
Waking up in 0.1 seconds.
Ready to process requests.
Waking up in 0.9 seconds.
Ready to process requests.
Waking up in 0.9 seconds.
[ldap] performing user authorization for anonymous
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: object not found or got ambiguous search result
[ldap] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
Waking up in 0.9 seconds.
Waking up in 0.9 seconds.
Waking up in 0.9 seconds.
Waking up in 0.8 seconds.
Waking up in 0.8 seconds.
Waking up in 0.8 seconds.
[ldap] performing user authorization for RadiusUser
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user RadiusUser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.8 seconds.
[ldap] performing user authorization for RadiusUser
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user RadiusUser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.8 seconds.
[ldap] performing user authorization for RadiusUser
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user RadiusUser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.8 seconds.
Waking up in 0.7 seconds.
Waking up in 3.7 seconds.
Ready to process requests.
Waking up in 0.9 seconds.
Ready to process requests.
************************** Radius output for EAP ******************************
[ldap] user Radiususer authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.7 seconds.
Waking up in 0.7 seconds.
Waking up in 0.1 seconds.
Waking up in 3.7 seconds.
Waking up in 0.1 seconds.
Ready to process requests.
Waking up in 0.9 seconds.
Ready to process requests.
Waking up in 0.9 seconds.
[ldap] performing user authorization for Radiususer
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user Radiususer authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.9 seconds.
[ldap] performing user authorization for Radiususer
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user Radiususer authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.9 seconds.
[ldap] performing user authorization for Radiususer
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user Radiususer authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.9 seconds.
[ldap] performing user authorization for Radiususer
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user Radiususer authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.9 seconds.
Waking up in 3.9 seconds.
Ready to process requests.
Hope that Helps. -
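The logs above show the same VLAN triplet (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id) being returned for the inner identity in both the PEAP and EAP runs, and a first pass for the outer identity "anonymous" that finds nothing in the directory. As an added example, not from the thread, here is a Python parser for FreeRADIUS 2.x debug output of this shape. It splits the output into ldap authorization passes, keeps only reply items (single '='; the '==' lines are check items that never leave the server) and verifies that each named user's pass carries the complete, consistently tagged triplet a Cisco switch needs for dynamic VLAN assignment. The excerpt is constructed from the posted output. Two things the parser cannot see are worth knowing: with PEAP the triplet is found while processing the inner (tunnelled) identity, and whether it is copied into the outer Access-Accept that the switch actually reads depends on the server's PEAP configuration (in FreeRADIUS 2.x that is the use_tunneled_reply setting in the peap section of eap.conf, stated here from general knowledge of that release, not from the thread); and debug output at this level prints the directory password in clear ("Added the eDirectory password ... as Cleartext-Password"), so redact it before sharing logs.

```python
"""Added example: parse FreeRADIUS 2.x debug output into ldap authorization passes and
check each named user's reply items for the VLAN triplet a Cisco switch needs. The
excerpt is constructed from the output posted above (password value already redacted)."""
import re

SAMPLE_DEBUG = """\
[ldap] performing user authorization for anonymous
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: object not found or got ambiguous search result
[ldap] search failed
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
[ldap] performing user authorization for RadiusUser
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user RadiusUser authorized to use remote access
"""

START_RE = re.compile(r"^\[ldap\] performing user authorization for (\S+)")
# "rlm_ldap: <ldap attr> -> <RADIUS attr>[:<tag>] <==|=> <value>"; '==' marks a check item
ITEM_RE = re.compile(r"^rlm_ldap: \S+ -> ([A-Za-z0-9-]+)(?::(\d+))? (==|=) (.+)$")
VLAN_TRIPLET = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id")


def parse_passes(text):
    """One dict per authorization pass: user, reply items {name: (tag, value)}, failed flag."""
    passes, current = [], None
    for line in text.splitlines():
        m = START_RE.match(line)
        if m:
            current = {"user": m.group(1), "reply": {}, "failed": False}
            passes.append(current)
        elif current is None:
            continue
        elif line.startswith("[ldap] search failed"):
            current["failed"] = True
        else:
            m = ITEM_RE.match(line)
            if m and m.group(3) == "=":  # reply item; '==' check items stay on the server
                tag = int(m.group(2)) if m.group(2) is not None else None
                current["reply"][m.group(1)] = (tag, m.group(4).strip().strip('"'))
    return passes


def check_vlan_assignment(passes):
    """Findings per pass; an empty list means every named user got a consistent VLAN triplet."""
    findings = []
    for p in passes:
        if p["user"] == "anonymous":
            # PEAP outer identity: no directory entry is expected, but nothing decided in
            # this pass can carry the VLAN to the switch either.
            if p["failed"] and not p["reply"]:
                findings.append("anonymous: outer-identity pass, no reply items (expected for PEAP)")
            continue
        missing = [a for a in VLAN_TRIPLET if a not in p["reply"]]
        if missing:
            findings.append("%s: missing %s" % (p["user"], ", ".join(missing)))
            continue
        tags = {p["reply"][a][0] for a in VLAN_TRIPLET}
        if len(tags) != 1:  # the switch pairs the three attributes by tag
            findings.append("%s: Tunnel-* attributes carry different tags %s"
                            % (p["user"], sorted(tags, key=str)))
        if p["reply"]["Tunnel-Type"][1] != "VLAN" or p["reply"]["Tunnel-Medium-Type"][1] != "IEEE-802":
            findings.append("%s: Tunnel-Type/Tunnel-Medium-Type are not VLAN/IEEE-802" % p["user"])
    return findings


if __name__ == "__main__":
    for finding in check_vlan_assignment(parse_passes(SAMPLE_DEBUG)):
        print(finding)
```

Run it over the full `radiusd -X` output rather than the trimmed excerpt; if the only finding is the expected "anonymous" one, the directory side is complete and the remaining question is whether the outer Access-Accept carries the triplet, which a packet capture of the server-to-switch leg settles.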
Document on Cisco 3845 gateway with both Voice and VXML role
Dear all,
We are using a single Cisco 3845 gateway as ingress as well as VXML gateway. Can you provide any documentation regarding the call volume capacity this gateway can handle? We have deployed this gateway in a UCCE parent-child model.
Anoop,
It can be found in Table 7-2 on page 148 of the CVP SRND Guide.
HTH
GP.
Pls rate helpful posts by clicking on the stars under the post !! -
Need urgent help in configuring Client to Site IPSec VPN with Hairpinning on Cisco ASA5510 - 8.2(1).
The following is the Layout:
There are two Leased Lines for Internet access - 1.1.1.1 & 2.2.2.2, the latter being the Standard Default route, the former one is for backup.
I have been able to configure Client to Site IPSec VPN
1) With access from outside to only the internal network (172.16.0.0/24) behind the ASA
2) With split tunnel and simultaneous access to the internal LAN and the outside Internet.
But I have not been able to make the traditional hairpinning model work in this scenario.
I followed every possible suggestion made in this regard in many discussion topics but still no luck. Can someone please help me out here?
Following is the running-config with normal client-to-site IPSec VPN configured with no Internet access:
LIMITATION: Can't Boot into any other ios image for some unavoidable reason, must use 8.2(1)
running-conf --- Working normal Client to Site VPN without internet access/split tunnel
ASA Version 8.2(1)
hostname ciscoasa
domain-name cisco.campus.com
enable password xxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
names
interface GigabitEthernet0/0
nameif internet1-outside
security-level 0
ip address 1.1.1.1 255.255.255.240
interface GigabitEthernet0/1
nameif internet2-outside
security-level 0
ip address 2.2.2.2 255.255.255.224
interface GigabitEthernet0/2
nameif dmz-interface
security-level 0
ip address 10.0.1.1 255.255.255.0
interface GigabitEthernet0/3
nameif campus-lan
security-level 0
ip address 172.16.0.1 255.255.0.0
interface Management0/0
nameif CSC-MGMT
security-level 100
ip address 10.0.0.4 255.255.255.0
boot system disk0:/asa821-k8.bin
boot system disk0:/asa843-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name cisco.campus.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network cmps-lan
object-group network csc-ip
object-group network www-inside
object-group network www-outside
object-group service tcp-80
object-group service udp-53
object-group service https
object-group service pop3
object-group service smtp
object-group service tcp80
object-group service http-s
object-group service pop3-110
object-group service smtp25
object-group service udp53
object-group service ssh
object-group service tcp-port
object-group service udp-port
object-group service ftp
object-group service ftp-data
object-group network csc1-ip
object-group service all-tcp-udp
access-list INTERNET1-IN extended permit ip host 1.2.2.2 host 2.2.2.3
access-list CSC-OUT extended permit ip host 10.0.0.5 any
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq www
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq https
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ssh
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ftp
access-list CAMPUS-LAN extended permit udp 172.16.0.0 255.255.0.0 any eq domain
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq smtp
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq pop3
access-list CAMPUS-LAN extended permit ip any any
access-list csc-acl remark scan web and mail traffic
access-list csc-acl extended permit tcp any any eq smtp
access-list csc-acl extended permit tcp any any eq pop3
access-list csc-acl remark scan web and mail traffic
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 993
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq imap4
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 465
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq www
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq https
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq smtp
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq pop3
access-list INTERNET2-IN extended permit ip any host 1.1.1.2
access-list nonat extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list DNS-inspect extended permit tcp any any eq domain
access-list DNS-inspect extended permit udp any any eq domain
access-list capin extended permit ip host 172.16.1.234 any
access-list capin extended permit ip host 172.16.1.52 any
access-list capin extended permit ip any host 172.16.1.52
access-list capin extended permit ip host 172.16.0.82 host 172.16.0.61
access-list capin extended permit ip host 172.16.0.61 host 172.16.0.82
access-list capout extended permit ip host 2.2.2.2 any
access-list capout extended permit ip any host 2.2.2.2
access-list campus-lan_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.150.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu internet1-outside 1500
mtu internet2-outside 1500
mtu dmz-interface 1500
mtu campus-lan 1500
mtu CSC-MGMT 1500
ip local pool vpnpool1 192.168.150.2-192.168.150.250 mask 255.255.255.0
ip verify reverse-path interface internet2-outside
ip verify reverse-path interface dmz-interface
ip verify reverse-path interface campus-lan
ip verify reverse-path interface CSC-MGMT
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (internet1-outside) 1 interface
global (internet2-outside) 1 interface
nat (campus-lan) 0 access-list campus-lan_nat0_outbound
nat (campus-lan) 1 0.0.0.0 0.0.0.0
nat (CSC-MGMT) 1 10.0.0.5 255.255.255.255
static (CSC-MGMT,internet2-outside) 2.2.2.3 10.0.0.5 netmask 255.255.255.255
access-group INTERNET2-IN in interface internet1-outside
access-group INTERNET1-IN in interface internet2-outside
access-group CAMPUS-LAN in interface campus-lan
access-group CSC-OUT in interface CSC-MGMT
route internet2-outside 0.0.0.0 0.0.0.0 2.2.2.5 1
route internet1-outside 0.0.0.0 0.0.0.0 1.1.1.5 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.0.0.2 255.255.255.255 CSC-MGMT
http 10.0.0.8 255.255.255.255 CSC-MGMT
http 1.2.2.2 255.255.255.255 internet2-outside
http 1.2.2.2 255.255.255.255 internet1-outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map internet2-outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map internet2-outside_map interface internet2-outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca xyzxyzxyzyxzxyzxyzxyzxxyzyxzyxzy
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as
quit
crypto isakmp enable internet2-outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
telnet 10.0.0.2 255.255.255.255 CSC-MGMT
telnet 10.0.0.8 255.255.255.255 CSC-MGMT
telnet timeout 5
ssh 1.2.3.3 255.255.255.240 internet1-outside
ssh 1.2.2.2 255.255.255.255 internet1-outside
ssh 1.2.2.2 255.255.255.255 internet2-outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy VPN_TG_1 internal
group-policy VPN_TG_1 attributes
vpn-tunnel-protocol IPSec
username ssochelpdesk password xxxxxxxxxxxxxx encrypted privilege 15
username administrator password xxxxxxxxxxxxxx encrypted privilege 15
username vpnuser1 password xxxxxxxxxxxxxx encrypted privilege 0
username vpnuser1 attributes
vpn-group-policy VPN_TG_1
tunnel-group VPN_TG_1 type remote-access
tunnel-group VPN_TG_1 general-attributes
address-pool vpnpool1
default-group-policy VPN_TG_1
tunnel-group VPN_TG_1 ipsec-attributes
pre-shared-key *
class-map cmap-DNS
match access-list DNS-inspect
class-map csc-class
match access-list csc-acl
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class csc-class
csc fail-open
class cmap-DNS
inspect dns preset_dns_map
service-policy global_policy global
prompt hostname context
Cryptochecksum: y0y0y0y0y0y0y0y0y0y0y0y0y0y
: end
Neither adding a dynamic NAT for 192.168.150.0/24 on the outside interface works, nor does sysopt connection permit-vpn.
Please tell me what needs to be done here to hairpin all the traffic to the Internet coming from the VPN clients.
That is, I need clients connected via the VPN tunnel, when connecting to the Internet, to have their IPs NAT'ed to the internet2-outside interface address 2.2.2.2, as happens for the campus clients (172.16.0.0/16).
I'm not very conversant with everything involved here, therefore please be elaborate in your replies. Please let me know if you need any more information regarding this setup to answer my query.
Thanks & Regards
maxs
Hi Jouni,
Thanks again for your help, got it working. Actually the problem was that the ASA needed some time after configuring to work properly (??????). I configured and tested several times within a short period during the day and it was not working initially; the GUI packet tracer was showing some problems (IPSEC Spoof detected) and also there was this left-out DNS. It's working fine now.
But my problem is not solved fully here.
Does the hairpinning model allow access to the campus LAN behind the ASA also? Because the setup is working now as I needed it, and I can access the Internet with the NAT'ed IP address (outside interface). So far so good. But now I cannot access the campus LAN behind the ASA.
Here the packet tracer output for the traffic:
packet-tracer output
asa# packet-tracer input internet2-outside tcp 192.168.150.1 56482 172.16.1.249 22
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.0.0 255.255.0.0 campus-lan
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.150.1 255.255.255.255 internet2-outside
Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group internnet1-in in interface internet2-outside
access-list internnet1-in extended permit ip 192.168.150.0 255.255.255.0 any
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: NAT
Subtype:
Result: DROP
Config:
nat (internet2-outside) 1 192.168.150.0 255.255.255.0
match ip internet2-outside 192.168.150.0 255.255.255.0 campus-lan any
dynamic translation to pool 1 (No matching global)
translate_hits = 14, untranslate_hits = 0
Additional Information:
Result:
input-interface: internet2-outside
input-status: up
input-line-status: up
output-interface: internet2-outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
The problem here, as you can see, is the rule for dynamic NAT that I added to make hairpinning work in the first place:
dynamic nat
asa(config)#nat (internet2-outside) 1 192.168.150.0 255.255.255.0
Is it possible to access both
1)LAN behind ASA
2)INTERNET via HAIRPINNING
simultaneously via a single tunnel-group?
If it can be done, how do I do it? What changes do I need to make here to get simultaneous access to my LAN also?
Thanks & Regards
Abhijit -
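Added example, not part of the ASA thread above: a Python script that parses ASA packet-tracer output of the form posted there, finds the first phase with Result: DROP and, for an 8.2-style dynamic NAT drop, cross-checks the nat ID and the egress interface from the match line against the global statements in the running-config. The excerpts are constructed from the thread's config and packet-tracer output, trimmed to the relevant lines. Read this way, the posted drop says exactly what is missing: nat (internet2-outside) 1 matched the VPN pool heading for campus-lan, pool 1 has global entries only on the two outside interfaces, so there is no global (campus-lan) 1 to translate to. Whether to add such a global or instead exempt VPN-to-LAN traffic from translation with a nat (internet2-outside) 0 access-list entry (the mirror of the existing campus-lan_nat0_outbound) is a design choice; the script only points at the missing piece.

```python
"""Added example: locate the dropping phase in ASA packet-tracer output and, for an
8.2-style dynamic NAT drop, check whether a matching 'global' exists. Excerpts are
constructed from the posted config and packet-tracer output, trimmed for the demo."""
import re

ASA_CONFIG = """\
global (internet1-outside) 1 interface
global (internet2-outside) 1 interface
nat (campus-lan) 0 access-list campus-lan_nat0_outbound
nat (campus-lan) 1 0.0.0.0 0.0.0.0
nat (internet2-outside) 1 192.168.150.0 255.255.255.0
nat (CSC-MGMT) 1 10.0.0.5 255.255.255.255
"""

PACKET_TRACER = """\
Phase: 9
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: NAT
Subtype:
Result: DROP
Config:
nat (internet2-outside) 1 192.168.150.0 255.255.255.0
match ip internet2-outside 192.168.150.0 255.255.255.0 campus-lan any
dynamic translation to pool 1 (No matching global)
translate_hits = 14, untranslate_hits = 0
Additional Information:
Result:
input-interface: internet2-outside
output-interface: internet2-outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_RE = re.compile(r"^Phase: (\d+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ")
MATCH_RE = re.compile(r"^match ip (\S+) \S+ \S+ (\S+) ")  # src-if src mask dst-if ...
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")


def parse_phases(text):
    """Split packet-tracer output into phases: number, Type, Result and the Config lines."""
    phases, cur, in_config = [], None, False
    for line in text.splitlines():
        m = PHASE_RE.match(line)
        if m:
            cur = {"phase": int(m.group(1)), "type": "", "result": "", "config": []}
            phases.append(cur)
            in_config = False
        elif cur is None:
            continue
        elif line.startswith("Type: "):
            cur["type"] = line[6:].strip()
        elif line.startswith("Result: "):
            cur["result"] = line[8:].strip()
        elif line == "Config:":
            in_config = True
        elif line.startswith("Additional Information:"):
            in_config = False
        elif in_config:
            cur["config"].append(line)
    return phases


def globals_in_config(config_text):
    """Set of (interface, pool id) pairs defined by 'global (...)' lines in an 8.2 config."""
    return {(m.group(1), int(m.group(2)))
            for m in map(GLOBAL_RE.match, config_text.splitlines()) if m}


def diagnose(tracer_text, config_text):
    """First DROP phase; for a NAT drop, name the 'global' that would have to exist."""
    drop = next((p for p in parse_phases(tracer_text) if p["result"] == "DROP"), None)
    if drop is None:
        return {"verdict": "no drop phase found"}
    diag = {"phase": drop["phase"], "type": drop["type"], "config": drop["config"]}
    if drop["type"] != "NAT":
        diag["verdict"] = "dropped in %s phase %d" % (drop["type"], drop["phase"])
        return diag
    nat = next((m for m in map(NAT_RE.match, drop["config"]) if m), None)
    match = next((m for m in map(MATCH_RE.match, drop["config"]) if m), None)
    if nat is None or match is None:
        diag["verdict"] = "NAT drop, but no nat/match lines to cross-check"
        return diag
    in_if, pool_id, out_if = nat.group(1), int(nat.group(2)), match.group(2)
    present = (out_if, pool_id) in globals_in_config(config_text)
    diag.update({"nat_interface": in_if, "pool_id": pool_id,
                 "egress_interface": out_if, "global_present": present})
    if present:
        diag["verdict"] = "global (%s) %d exists; the drop is not a missing global" % (out_if, pool_id)
    else:
        diag["verdict"] = ("nat (%s) %d matched traffic leaving %s but no 'global (%s) %d' exists: "
                           "add one, or exempt the flow with a nat (%s) 0 access-list entry"
                           % (in_if, pool_id, out_if, out_if, pool_id, in_if))
    return diag


if __name__ == "__main__":
    print(diagnose(PACKET_TRACER, ASA_CONFIG)["verdict"])
```

Paste the full `show running-config` and the complete packet-tracer output in place of the constructed excerpts; the config lines of the dropping phase are returned too, so the script is also useful for ACL drops, where `diag["config"]` names the access-group and entry that denied the flow.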
Problems with walkabout with 350 card (location data)
Hello
I just saw in "ask the expert" archive about problems to get walkabout location data...but everything with the new cisco cards.
I just tried with the newest software (ACU, NDIS, firmware) on a 350 Aironet card without success. The number of location data points always stays at zero, even though during the walkabout it said 7 WA measurements. Is that a bug?
any input is very welcome
Oliver
I use version 2.9.1a
Yes, the card is associated with that AP, which should capture radio data. The WLSE informs me during the walkabout that it has WP measurements.
best regards
oliver -
Problem disconnect Cat6509 with BladeCenter HS20
Hello. I have a Catalyst 6509 with IOS version 12.1(22)EA6 and a BladeCenter HS20 with two Cisco switches, version 12.1(22)EA6, model Cisco OS-CIGESM-18TT-EBU (RC32300). My problem is that the blade server disconnects randomly. What can be happening?
regards
Guillermo
Before dealing with this issue, I would like you to send me the following information for clarification:
1. Did it show any error message at the console after the disconnection? If so, can you send me the error message?
2. Can you send me the debug output?
3. Your network setup description?
If you send me these details, I will be able to help you in sorting out the problem. -
The problem I have since I upgraded to Mavericks version 10.9.1
The problem appears only with Mail, not with other programs, not even with my browser.
When I try to zoom the text of an e-mail I received or sent, I can no longer use the keys Command + to enlarge the text, although I can reduce it with Command -.
As I have a problem with my eyes, this is a serious matter for me.
When I write an e-mail, if I select text and press Command +, it just displaces the text to the right.
Now, my husband has a USB keyboard. If he connects it to my computer, his regular Command + does not work either, but if he uses the extended keyboard, then it works. Unfortunately, he needs it for a musical application which does not work with a wireless keyboard.
Firefox 3.6.4 and 3.6.6 use a process called "plugin-container.exe" which was using up most of my CPU when I opened multiple tabs that contained Adobe Flash files, and caused Firefox to lock up.
My solution was to use Firefox 3.5.10 which you can get from the Mozilla website at [http://www.mozilla.com/en-US/firefox/all-older.html]
I am using Adobe Flash 10.1.53.64 without any problem in this version of Firefox. Check the release notes, I believe it contains all the latest security fixes in "Firefox 3.6.4".
Hopefully, they will fix Firefox 3.6 in the next version (e.g. Firefox 3.6.7), until then you should probably use "Firefox 3.5.10". -
While running Verify Disk in Disk Utility on the 251 GB SSD SM256c Media I came up with this message: Alert: system verify or repair failed. In the description box of the history it said problems were found with the partition map which might prevent booting. This is followed by a message in red reading: Error: Storage system verify or repair failed. At the time I was downloading raw pictures off my camera through a card reader across my computer to a relatively new 2TB Western Digital portable hard drive. After about 13 to 15 pictures downloaded, that drive failed. My MacBook Air works fine, but I get this message now every time I run Verify Disk on this disk. The Macintosh HD checks out fine.
-
Hi! I can't upgrade my iTunes 10.3.1.55 on my Windows XP 2002 SP3 to the latest version of iTunes. Got the message: "A problem has occurred with the Windows Installer package. A program needed for this installation could not be run." What to do?
Perhaps let's first try updating your Apple Software Update.
Launch Apple Software Update ("Start > All Programs > Apple Software Update"). Does it launch and offer you a newer version of Apple Software Update? If so, choose to install just that update to Apple Software Update. (Deselect any other software offered at the same time.)
If the ASU update goes through okay, try another iTunes install. Does it go through without the errors this time? -
My iPhone 4 quit charging correctly. It does charge but very slowly and the icon doesn't indicate it as charging. I've checked cables and chargers and the problem is definitely with the phone. My car stereo no longer recognizes it as a device. Neither does the computer. The real strange thing to me is that when I plug it into my old Klipsch speaker dock it will play songs. My battery life is good when it is charged so I don't think it's the battery. I've tried resetting the phone and cleaning the charging port. I'm out of warranty.
Would disconnecting the battery possibly reset it from some glitch, or has the charging port got some bad contacts?
I checked with the Genius Bar. It was a new dilemma to the lady that was helping me. She took it to a back room and worked on it but it came out the same. She gave me some options for repair or credit for replacement.
I just kept the phone and put up with slowly charging it by plugging it in and then turning it off.
I couldn't transfer anything from itunes.
I finally got fed up and bought a new charging port for $10 and a toolkit for $3. I looked up a video on YouTube for the replacement and did it.
That solved all the problems. It was the charging port; there must have been some bad pins or something because it partially worked. -
Having installed an upgrade for Photoshop Elements 13, I cannot open the application. I get an error message saying "Adobe Photoshop Elements Editor cannot be opened because of a problem. Check with the developer to make sure Adobe Photoshop Elements Editor works with this version of OS X. You may need to reinstall the application. Be sure to install any available updates for the application and OS X".
I have since uninstalled and reinstalled the app, but get the same error message.
Which version of OS X do you have? It's not clear from your post whether "installed an upgrade" means you just installed PSE 13 as an upgrade or you installed an update to PSE 13, like ACR 9 or 13.1. Please clarify.
-
Problem when syncing with MobileMe
I am using iPhone 3G, software 2.1. I use GMail for email (no problems) but my contacts, and only my contacts, sync through MobileMe.
The problem is that with MobileMe active, my Contact list, "Mail, Contacts and Calendars" settings and several other minor features simply do not work - they open, pause for a few seconds, then crash. The Mail application also hangs and crashes every other time I open it.
My local Apple Store restored 2.1, after which my Contact list and Email worked perfectly until I re-activated my MobileMe syncing, after which the problems resumed.
As the problems occurred only after MobileMe syncing is turned on, I assume this is the cause of the problem, but because "Mail, Contacts..." settings crashes every time I open it I cannot disable MobileMe syncing.
Any suggestions please? All help gratefully received...
This was resolved by completely removing the MobileMe account from the iPhone, rebooting it and adding the account again.
-
Problems sending emails with iPhone 3G and outlook exchange
I have a problem sending email with Exchange. Receiving and answering mail works fine and calendar updates work fine. However, when I initiate an email from the phone it syncs and ends up in the sent folder on the computer but never reaches the recipient. I have tried this many times with different recipients and phones. It only happens from my iPhone and iPad. Any suggestions?
Any help much appreciated
The iPhone you returned is still syncing against your server and locking out your account. Someone possibly has access to your mail data. I'd recommend having your Exchange Administrator install the Microsoft Exchange Server ActiveSync Web Administration Tool (http://www.microsoft.com/downloads/details.aspx?FamilyID=E6851D23-D145-4DBF-A2CC-E0B4C6301453&displaylang=en) and attempt to wipe/delete/block that other iPhone.
Message was edited by: ethanm -
The problem occurred with the J2EE server node, which is disabled from the MMC
Dear SAP Consultants,
The problem occurred with the J2EE server node, which is disabled from the MMC console. The ABAP work processes are working fine, but the dispatcher is in yellow status; I can log in to the ABAP system but I'm not able to start the J2EE from transaction "SMICM" either.
The system parameters are:
BI 7.0 System as ABAP & JAVA add on, windows 2003 on Oracle database, 24 GB Ram
Paging files: Drive (OS system): minimum: 1525, maximum: 3048
Drive "E" (application): minimum: 70855, maximum: 70855
I can see the log files as follow:
From dev_disp:
Sun Jun 21 13:10:28 2009
J2EE server info
start = TRUE
state = STARTED
pid = 2892
argv[0] = E:\usr\sap\BWD\DVEBMGS00\exe\jcontrol.EXE
argv[1] = E:\usr\sap\BWD\DVEBMGS00\exe\jcontrol.EXE
argv[2] = pf=E:\usr\sap\BWD\SYS\profile\BWD_DVEBMGS00_cai-bwdev
argv[3] = -DSAPSTART=1
argv[4] = -DCONNECT_PORT=64990
argv[5] = -DSAPSYSTEM=00
argv[6] = -DSAPSYSTEMNAME=BWD
argv[7] = -DSAPMYNAME=cai-bwdev_BWD_00
argv[8] = -DSAPPROFILE=E:\usr\sap\BWD\SYS\profile\BWD_DVEBMGS00_cai-bwdev
argv[9] = -DFRFC_FALLBACK=ON
argv[10] = -DFRFC_FALLBACK_HOST=localhost
start_lazy = 0
start_control = SAP J2EE startup framework
DpJ2eeStart: j2ee state = STARTED
DpJ2eeLogin: j2ee state = CONNECTED
Sun Jun 21 13:10:29 2009
***LOG Q0I=> NiIRead: recv (10054: WSAECONNRESET: Connection reset by peer) [nixxi.cpp 4424]
ERROR => NiIRead: SiRecv failed for hdl 6 / sock 1032
(SI_ECONN_BROKEN/10054; I4; ST; 127.0.0.1:1362) [nixxi.cpp 4424]
DpJ2eeMsgProcess: j2ee state = CONNECTED (NIECONN_BROKEN)
DpIJ2eeShutdown: send SIGINT to SAP J2EE startup framework (pid=2892)
ERROR => DpProcKill: kill failed [dpntdisp.c 371]
DpIJ2eeShutdown: j2ee state = SHUTDOWN
Sun Jun 21 13:10:48 2009
DpEnvCheckJ2ee: switch off j2ee start flag
From dev_jcontrol :
[Thr 2124] Sun Jun 21 13:10:29 2009
[Thr 2124] *** ERROR => invalid return code of process [bootstrap] (exitcode = 66) [jstartxx.c 1642]
[Thr 2124] JControlExecuteBootstrap: error executing bootstrap node [bootstrap] (rc = 66)
[Thr 2124] JControlCloseProgram: started (exitcode = 66)
[Thr 2124] JControlCloseProgram: good bye... (exitcode = 66)
From dev_bootstrap :
JHVM_BuildArgumentList: main method arguments of node [bootstrap]
-> arg[ 0]: com.sap.engine.bootstrap.Bootstrap
-> arg[ 1]: ./bootstrap
-> arg[ 2]: ID0072573
-> arg[ 3]: -XX:NewSize=57M
-> arg[ 4]: -XX:MaxNewSize=57M
-> arg[ 5]: -Xms256M
-> arg[ 6]: -Xmx256M
-> arg[ 7]: -XX:+DisableExplicitGC
-> arg[ 8]: -verbose:gc
-> arg[ 9]: -Djava.security.policy=.java.policy
-> arg[ 10]: -Djava.security.egd=file:/dev/urandom
-> arg[ 11]: -Djco.jarm=1
[Thr 5216] JLaunchIExitJava: exit hook is called (rc = 66)
[Thr 5216] **********************************************************************
ERROR => The Java VM terminated with a non-zero exit code.
Please see SAP Note 943602 , section 'J2EE Engine exit codes'
for additional information and trouble shooting.
[Thr 5216] JLaunchCloseProgram: good bye (exitcode = 66)
From server.0.log :
#1.5 #001E4F208703008A0001C7470000092000046A4414D60A1F#1242740546634#/System/Server##com.sap.caf.eu.gp.schedule.impl.ScheduleWorker#J2EE_GUEST#0##n/a##27772ea0447811deb9bf001e4f208703#SAPEngine_Application_Thread[impl:3]_25##0#0#Error#1#com.sap.caf.eu.gp.schedule.impl.ScheduleWorker#Plain###ERROR_ACQUIRE_CONNECTION
com.sap.caf.eu.gp.base.exception.EngineException: ERROR_ACQUIRE_CONNECTION
at com.sap.caf.eu.gp.base.db.ConnectionPoolJ2EE.getConnection(ConnectionPoolJ2EE.java:92)
at com.sap.caf.eu.gp.schedule.impl.ScheduleDbImpl.getScheduleToProcess(ScheduleDbImpl.java:1936)
at com.sap.caf.eu.gp.schedule.impl.ScheduleService.getScheduleToProcess(ScheduleService.java:432)
at com.sap.caf.eu.gp.schedule.impl.ScheduleWorker.work(ScheduleWorker.java:77)
at com.sap.caf.eu.gp.schedule.impl.ScheduleWorker.run(ScheduleWorker.java:63)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
Caused by: com.sap.engine.services.dbpool.exceptions.BaseSQLException: ResourceException in method ConnectionFactoryImpl.getConnection(): com.sap.engine.services.dbpool.exceptions.BaseResourceException: SQLException thrown by the physical connection: com.sap.sql.log.OpenSQLException: Error while accessing secure store: File "\\cai-bwdev\sapmnt\BWD\SYS\global\security\data\SecStore.properties" does not exist although it should..
at com.sap.engine.services.dbpool.cci.ConnectionFactoryImpl.getConnection(ConnectionFactoryImpl.java:59)
at com.sap.caf.eu.gp.base.db.ConnectionPoolJ2EE.getConnection(ConnectionPoolJ2EE.java:89)
... 8 more
Caused by: com.sap.engine.services.dbpool.exceptions.BaseResourceException: SQLException thrown by the physical connection: com.sap.sql.log.OpenSQLException: Error while accessing secure store: File "\\cai-bwdev\sapmnt\BWD\SYS\global\security\data\SecStore.properties" does not exist although it should..
at com.sap.engine.services.dbpool.spi.ManagedConnectionFactoryImpl.createManagedConnection(ManagedConnectionFactoryImpl.java:193)
at com.sap.engine.services.connector.jca.ConnectionHashSet.match(ConnectionHashSet.java:338)
at com.sap.engine.services.connector.jca.ConnectionManagerImpl.allocateConnection(ConnectionManagerImpl.java:267)
at com.sap.engine.services.dbpool.cci.ConnectionFactoryImpl.getConnection(ConnectionFactoryImpl.java:51)
... 9 more
Caused by: com.sap.sql.log.OpenSQLException: Error while accessing secure store: File "\\cai-bwdev\sapmnt\BWD\SYS\global\security\data\SecStore.properties" does not exist although it should..
at com.sap.sql.log.Syslog.createAndLogOpenSQLException(Syslog.java:106)
at com.sap.sql.log.Syslog.createAndLogOpenSQLException(Syslog.java:145)
at com.sap.sql.connect.OpenSQLDataSourceImpl.setDataSourceName(OpenSQLDataSourceImpl.java:226)
at com.sap.sql.connect.OpenSQLDataSourceImpl.setDataSourceName(OpenSQLDataSourceImpl.java:197)
at com.sap.engine.services.dbpool.spi.ManagedConnectionFactoryImpl.createManagedConnection(ManagedConnectionFactoryImpl.java:117)
... 12 more
Caused by: com.sap.security.core.server.secstorefs.FileMissingException: File "\\cai-bwdev\sapmnt\BWD\SYS\global\security\data\SecStore.properties" does not exist although it should.
at com.sap.security.core.server.secstorefs.StorageHandler.openExistingStore(StorageHandler.java:372)
at com.sap.security.core.server.secstorefs.SecStoreFS.openExistingStore(SecStoreFS.java:1946)
at com.sap.sql.connect.OpenSQLConnectInfo.getStore(OpenSQLConnectInfo.java:802)
at com.sap.sql.connect.OpenSQLConnectInfo.lookup(OpenSQLConnectInfo.java:783)
at com.sap.sql.connect.OpenSQLDataSourceImpl.setDataSourceName(OpenSQLDataSourceImpl.java:209)
... 14 more
Please advise with the right solution,
Regards,
Ahmed
thanks