Problem with VPN Client passthrough on ASA 5505

I am having a problem with passing through a VPN client connection on an ASA 5505. The ASA is running version 8 and terminates an AnyConnect VPN. The ASA is using PAT. When the inside user connects with the VPN client, it connects but no traffic passes through the tunnel. I see the error:
305006 regular translation creation failed for protocol 50 src INSIDE:y.y.y.y dst OUTSIDE:x.x.x.x
UDP 500, 4500 and ESP are allowed into the ASA. IPsec inspection has also been set up on a global policy, but the user still cannot pass traffic to the remote VPN he is connected through.
At the Main Office we have an ASA 5510 that terminates a site-to-site VPN, allows remote connections with PAT and allows passthrough with no problems. Any ideas?

I am having a similar issue with my ASA 5505 that I have set up. I am trying to VPN into the Office. I have no problem accessing the Office network when I am on the internet without the ASA 5505. After I installed the 5505, and there is internet access, I try to connect to the Office network without success. The VPN connects with the following error.
3 Dec 31 2007 05:30:00 305006 xxx.xx.114.97
regular translation creation failed for protocol 50 src inside:192.168.1.9 dst outside:xxx.xx.114.97
HELP?
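
Both posts above report syslog 305006 for protocol 50 (ESP), a protocol with no port numbers for PAT to rewrite. The following is an added example, not part of the original posts: it picks such events out of ASA log lines and groups them by inside host and VPN peer. The `%ASA-3-305006:` prefixed lines, the UDP line and the 302013 line are constructed samples.

```python
import re
from collections import Counter

# IP protocols that carry no TCP/UDP port numbers: port address translation
# has no port to rewrite, so a dynamic PAT translation cannot be built.
PORTLESS = {47: "GRE", 50: "ESP", 51: "AH"}

# Body of syslog 305006. The "/port" suffix only appears for TCP/UDP flows.
MSG = re.compile(
    r"translation creation failed for protocol (?P<proto>\w+)"
    r" src (?P<sif>[^:\s]+):(?P<src>[^/\s]+)(?:/\d+)?"
    r" dst (?P<dif>[^:\s]+):(?P<dst>[^/\s]+)(?:/\d+)?"
)

SAMPLE_LINES = [
    # The two lines quoted in the second post (ASDM log viewer layout).
    "3 Dec 31 2007 05:30:00 305006 xxx.xx.114.97",
    "regular translation creation failed for protocol 50 "
    "src inside:192.168.1.9 dst outside:xxx.xx.114.97",
    # Constructed: the same event in plain syslog layout.
    "%ASA-3-305006: regular translation creation failed for protocol 50 "
    "src inside:192.168.1.9 dst outside:xxx.xx.114.97",
    # Constructed: a 305006 for UDP, which is a different problem.
    "%ASA-3-305006: portmap translation creation failed for protocol UDP "
    "src inside:192.168.1.20/5060 dst outside:203.0.113.7/5060",
    # Constructed: unrelated connection-built message.
    "%ASA-6-302013: Built outbound TCP connection 101 for outside:203.0.113.7/443 "
    "(203.0.113.7/443) to inside:192.168.1.20/51000 (198.51.100.2/51000)",
]


def portless_pat_failures(lines):
    """Count 305006 events per (protocol, source, destination) for port-less protocols."""
    hits = Counter()
    for line in lines:
        m = MSG.search(line)
        if not m or not m["proto"].isdigit():
            continue  # named protocols (TCP/UDP/ICMP) are not the pass-through case
        name = PORTLESS.get(int(m["proto"]))
        if name:
            hits[(name, f'{m["sif"]}:{m["src"]}', f'{m["dif"]}:{m["dst"]}')] += 1
    return hits


def report(hits):
    """One line per flow, most frequent first, with the settings to review."""
    return [
        f"{count}x {name} {src} -> {dst}: client is sending raw {name} through PAT; "
        "review NAT-T (UDP 4500) negotiation with the peer and IPsec pass-through inspection"
        for (name, src, dst), count in hits.most_common()
    ]


if __name__ == "__main__":
    for row in report(portless_pat_failures(SAMPLE_LINES)):
        print(row)
```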

Similar Messages

  • Problem with VPN Client and network access

    We are running VPN client 4.0.1 on our laptops, and there are a number of users who are getting documents they are using on the internal network (off VPN) corrupted. The initial cause seemed to be the stateful firewall, but I have that turned off, and we are still getting it.
    It only seems to be on the machines with VPN client installed, and it is only happening when the user is working on a file direct from the network drive. They are not connecting via the VPN client when the problem occurs.
    any suggestions?
    William.

    Did you get any joy with this ? We seem to be having the same issue.
    Thanks

  • Problem with VPN client on Cisco 1801

    Hi,
    I have configured a new router for a customer.
    All works fine but I have a strange issue with the VPN client.
    When I start the VPN, the client doesn't close the connection: it asks for the password, starts to negotiate the security policy, then shows the not connected status.
    This is the log from the VPN client:
    Cisco Systems VPN Client Version 5.0.07.0290
    Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
    Client Type(s): Windows, WinNT
    Running on: 6.1.7601 Service Pack 1
    Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\
    1      14:37:59.133  04/08/13  Sev=Info/6          GUI/0x63B00011
    Reloaded the Certificates in all Certificate Stores successfully.
    2      14:38:01.321  04/08/13  Sev=Info/4          CM/0x63100002
    Begin connection process
    3      14:38:01.335  04/08/13  Sev=Info/4          CM/0x63100004
    Establish secure connection
    4      14:38:01.335  04/08/13  Sev=Info/4          CM/0x63100024
    Attempt connection with server "asgardvpn.dyndns.info"
    5      14:38:02.380  04/08/13  Sev=Info/6          IKE/0x6300003B
    Attempting to establish a connection with 79.52.36.120.
    6      14:38:02.384  04/08/13  Sev=Info/4          IKE/0x63000001
    Starting IKE Phase 1 Negotiation
    7      14:38:02.388  04/08/13  Sev=Info/4          IKE/0x63000013
    SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 79.52.36.120
    8      14:38:02.396  04/08/13  Sev=Info/4          IPSEC/0x63700008
    IPSec driver successfully started
    9      14:38:02.396  04/08/13  Sev=Info/4          IPSEC/0x63700014
    Deleted all keys
    10     14:38:02.460  04/08/13  Sev=Info/5          IKE/0x6300002F
    Received ISAKMP packet: peer = 79.52.36.120
    11     14:38:02.460  04/08/13  Sev=Info/4          IKE/0x63000014
    RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from 79.52.36.120
    12     14:38:02.506  04/08/13  Sev=Info/6          GUI/0x63B00012
    Authentication request attributes is 6h.
    13     14:38:02.460  04/08/13  Sev=Info/5          IKE/0x63000001
    Peer is a Cisco-Unity compliant peer
    14     14:38:02.460  04/08/13  Sev=Info/5          IKE/0x63000001
    Peer supports DPD
    15     14:38:02.460  04/08/13  Sev=Info/5          IKE/0x63000001
    Peer supports DWR Code and DWR Text
    16     14:38:02.460  04/08/13  Sev=Info/5          IKE/0x63000001
    Peer supports XAUTH
    17     14:38:02.460  04/08/13  Sev=Info/5          IKE/0x63000001
    Peer supports NAT-T
    18     14:38:02.465  04/08/13  Sev=Info/6          IKE/0x63000001
    IOS Vendor ID Contruction successful
    19     14:38:02.465  04/08/13  Sev=Info/4          IKE/0x63000013
    SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 79.52.36.120
    20     14:38:02.465  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    21     14:38:02.465  04/08/13  Sev=Info/4          IKE/0x63000083
    IKE Port in use - Local Port =  0xCEFD, Remote Port = 0x1194
    22     14:38:02.465  04/08/13  Sev=Info/5          IKE/0x63000072
    Automatic NAT Detection Status:
       Remote end is NOT behind a NAT device
       This   end IS behind a NAT device
    23     14:38:02.465  04/08/13  Sev=Info/4          CM/0x6310000E
    Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
    24     14:38:02.502  04/08/13  Sev=Info/5          IKE/0x6300002F
    Received ISAKMP packet: peer = 79.52.36.120
    25     14:38:02.502  04/08/13  Sev=Info/4          IKE/0x63000014
    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 79.52.36.120
    26     14:38:02.502  04/08/13  Sev=Info/4          CM/0x63100015
    Launch xAuth application
    27     14:38:07.623  04/08/13  Sev=Info/4          CM/0x63100017
    xAuth application returned
    28     14:38:07.623  04/08/13  Sev=Info/4          IKE/0x63000013
    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 79.52.36.120
    29     14:38:12.656  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    30     14:38:22.808  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    31     14:38:32.949  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    32     14:38:43.089  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    33     14:38:53.230  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    34     14:39:03.371  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    35     14:39:13.514  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    36     14:39:23.652  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    37     14:39:33.807  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    38     14:39:43.948  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    39     14:39:54.088  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    40     14:40:04.233  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    41     14:40:14.384  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    42     14:40:24.510  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    43     14:40:34.666  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    44     14:40:44.807  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    45     14:40:54.947  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    46     14:41:05.090  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    47     14:41:15.230  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    48     14:41:25.370  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    49     14:41:35.524  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    50     14:41:45.665  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    51     14:41:55.805  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    52     14:42:05.951  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    53     14:42:16.089  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    54     14:42:26.228  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    55     14:42:36.383  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    56     14:42:46.523  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    57     14:42:56.664  04/08/13  Sev=Info/6          IKE/0x63000055
    Sent a keepalive on the IPSec SA
    58     14:43:02.748  04/08/13  Sev=Info/4          IKE/0x63000017
    Marking IKE SA for deletion  (I_Cookie=2B1FFC3754E3B290 R_Cookie=73D546631A33B5D6) reason = DEL_REASON_CANNOT_AUTH
    59     14:43:02.748  04/08/13  Sev=Info/4          IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to 79.52.36.120
    60     14:43:03.248  04/08/13  Sev=Info/4          IKE/0x6300004B
    Discarding IKE SA negotiation (I_Cookie=2B1FFC3754E3B290 R_Cookie=73D546631A33B5D6) reason = DEL_REASON_CANNOT_AUTH
    61     14:43:03.248  04/08/13  Sev=Info/4          CM/0x63100014
    Unable to establish Phase 1 SA with server "asgardvpn.dyndns.info" because of "DEL_REASON_CANNOT_AUTH"
    62     14:43:03.248  04/08/13  Sev=Info/5          CM/0x63100025
    Initializing CVPNDrv
    63     14:43:03.262  04/08/13  Sev=Info/6          CM/0x63100046
    Set tunnel established flag in registry to 0.
    64     14:43:03.262  04/08/13  Sev=Info/4          IKE/0x63000001
    IKE received signal to terminate VPN connection
    65     14:43:03.265  04/08/13  Sev=Info/4          IPSEC/0x63700014
    Deleted all keys
    66     14:43:03.265  04/08/13  Sev=Info/4          IPSEC/0x63700014
    Deleted all keys
    67     14:43:03.265  04/08/13  Sev=Info/4          IPSEC/0x63700014
    Deleted all keys
    68     14:43:03.265  04/08/13  Sev=Info/4          IPSEC/0x6370000A
    IPSec driver successfully stopped
    And this is the conf from the 1801:
    hostname xxx
    boot-start-marker
    boot-end-marker
    enable secret 5 xxx
    aaa new-model
    aaa authentication login xauthlist local
    aaa authorization network groupauthor local
    aaa session-id common
    dot11 syslog
    no ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 10.0.1.1 10.0.1.10
    ip dhcp excluded-address 10.0.1.60 10.0.1.200
    ip dhcp excluded-address 10.0.1.225
    ip dhcp excluded-address 10.0.1.250
    ip dhcp pool LAN
       network 10.0.1.0 255.255.255.0
       default-router 10.0.1.10
       dns-server 10.0.1.200 8.8.8.8
       domain-name xxx
       lease infinite
    ip name-server 10.0.1.200
    ip name-server 8.8.8.8
    ip name-server 8.8.4.4
    ip inspect log drop-pkt
    ip inspect name Firewall cuseeme
    ip inspect name Firewall dns
    ip inspect name Firewall ftp
    ip inspect name Firewall h323
    ip inspect name Firewall icmp
    ip inspect name Firewall imap
    ip inspect name Firewall pop3
    ip inspect name Firewall rcmd
    ip inspect name Firewall realaudio
    ip inspect name Firewall rtsp
    ip inspect name Firewall esmtp
    ip inspect name Firewall sqlnet
    ip inspect name Firewall streamworks
    ip inspect name Firewall tftp
    ip inspect name Firewall vdolive
    ip inspect name Firewall udp
    ip inspect name Firewall tcp
    ip inspect name Firewall https
    ip inspect name Firewall http
    multilink bundle-name authenticated
    username xxx password 0 xxxx
    crypto isakmp policy 3
    encr 3des
    authentication pre-share
    group 2 
    crypto isakmp client configuration group xxx
    key xxx
    dns 10.0.1.200
    wins 10.0.1.200
    domain xxx
    pool ippool
    acl 101 
    crypto ipsec transform-set myset esp-3des esp-sha-hmac
    crypto ipsec transform-set xauthtransform esp-des esp-md5-hmac
    crypto dynamic-map dynmap 10
    set transform-set myset
    crypto map clientmap client authentication list userauthen
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    archive  
    log config
      hidekeys
    interface ATM0
    no ip address
    no atm ilmi-keepalive
    pvc 8/35
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
    dsl operating-mode adsl2+
    hold-queue 224 in
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface Vlan1
    ip address 10.0.1.10 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    interface Dialer0
    ip address negotiated
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    ppp authentication chap callin
    ppp pap sent-username aliceadsl password 0 aliceadsl
    crypto map clientmap
    ip local pool ippool 10.16.20.1 10.16.20.200
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip route 0.0.0.0 0.0.0.0 10.0.1.2
    ip http server
    no ip http secure-server
    ip nat inside source list 1 interface Dialer0 overload
    ip nat inside source static udp 10.0.1.60 1056 interface Dialer0 1056
    ip nat inside source static tcp 10.0.1.60 1056 interface Dialer0 1056
    ip nat inside source static tcp 10.0.1.60 3111 interface Dialer0 3111
    ip nat inside source static udp 10.0.1.60 3111 interface Dialer0 3111
    ip nat inside source list 101 interface Dialer0 overload
    access-list 101 remark *** ACL nonat ***
    access-list 101 deny   ip 10.0.1.0 0.0.0.255 10.16.20.0 0.0.0.255
    access-list 101 permit ip 10.0.1.0 0.0.0.255 any
    access-list 150 remark *** ACL split tunnel ***
    access-list 150 permit ip 10.0.1.0 0.0.0.255 10.16.20.0 0.0.0.255
    control-plane
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    password xxx
    scheduler max-task-time 5000
    end 
    Can anyone help me?
    Sometimes the VPN can be created using the iPhone or iPad VPN client...
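
The client log above stalls after the xAuth reply and ends in DEL_REASON_CANNOT_AUTH, so the names the crypto map and client group refer to are worth cross-checking against what the posted configuration defines. The following is an added example, not part of the original post: `CONFIG` is an excerpt of the lines quoted above, and the function and variable names are hypothetical.

```python
import re

# Excerpt of the 1801 configuration quoted in the post (lines unchanged).
CONFIG = """\
aaa new-model
aaa authentication login xauthlist local
aaa authorization network groupauthor local
crypto isakmp client configuration group xxx
key xxx
pool ippool
acl 101
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
ip local pool ippool 10.16.20.1 10.16.20.200
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 101 interface Dialer0 overload
access-list 101 remark *** ACL nonat ***
access-list 101 deny   ip 10.0.1.0 0.0.0.255 10.16.20.0 0.0.0.255
access-list 101 permit ip 10.0.1.0 0.0.0.255 any
access-list 150 remark *** ACL split tunnel ***
access-list 150 permit ip 10.0.1.0 0.0.0.255 10.16.20.0 0.0.0.255
"""

DEFINES = [
    ("aaa-login", re.compile(r"^aaa authentication login (\S+)")),
    ("aaa-network", re.compile(r"^aaa authorization network (\S+)")),
    ("pool", re.compile(r"^ip local pool (\S+)")),
    ("acl", re.compile(r"^access-list (\d+) (?:permit|deny)")),
    ("acl", re.compile(r"^ip access-list (?:standard|extended) (\S+)")),
]
REFERENCES = [
    ("aaa-login", re.compile(r"^crypto map \S+ client authentication list (\S+)")),
    ("aaa-network", re.compile(r"^crypto map \S+ isakmp authorization list (\S+)")),
    ("acl", re.compile(r"^ip nat inside source list (\S+)")),
]
# Sub-commands of "crypto isakmp client configuration group" that name objects.
GROUP_REF = re.compile(r"^(?P<kind>pool|acl) (?P<name>\S+)")
# The pasted config lost its indentation, so a group block is treated as
# ending at the next line that starts with a known top-level keyword.
TOP_LEVEL = re.compile(r"^(aaa|crypto|interface|ip|access-list|line|username) ")


def audit(config):
    """Return (dangling references, defined-but-unreferenced objects)."""
    defined, refs, in_group = set(), [], False
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if line.startswith("crypto isakmp client configuration group "):
            in_group = True
            continue
        if TOP_LEVEL.match(line):
            in_group = False
        if in_group:
            m = GROUP_REF.match(line)
            if m:
                refs.append((m["kind"], m["name"], lineno))
            continue
        for kind, rx in DEFINES:
            m = rx.match(line)
            if m:
                defined.add((kind, m[1]))
        for kind, rx in REFERENCES:
            m = rx.match(line)
            if m:
                refs.append((kind, m[1], lineno))
    # "default" AAA lists are implicit and never flagged.
    dangling = [r for r in refs if (r[0], r[1]) not in defined and r[1] != "default"]
    used = {(kind, name) for kind, name, _ in refs}
    return dangling, sorted(defined - used)


if __name__ == "__main__":
    dangling, unused = audit(CONFIG)
    for kind, name, lineno in dangling:
        print(f"line {lineno}: {kind} '{name}' is referenced but not defined in the excerpt")
    for kind, name in unused:
        print(f"{kind} '{name}' is defined but nothing in the excerpt references it")
```

On the excerpt this reports the login list `userauthen` and NAT list `1` as referenced but undefined, and `xauthlist` and ACL `150` as defined but unused; lines the poster left out of the paste could change that result.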


  • VLAN problems with SG200-8P and Cisco ASA 5505 (Sec Plus license)

    Hi,  I've been pulling my hair out trying to get simple vlan trunking working between these devices.
    Basically, no clients on VLAN 99 (guest) will receive DHCP ip addresses when plugged into the SG200.  I have the SG200<>ASA VLAN trunk configured correctly, as I know it, and I've tried numerous variations (set trunk as general tag/untagged, etc., set the ap port to general tag/untag, etc).   Both AP's work properly when connected to the ASA e0/3 port but either will only pull the "inside" VLAN dhcp address when connected to the SG200 switch
    VLAN 1 - inside (has separate dhcp scope assigned by ASA)
    VLAN 99 - guest (has separate dhcp scope assigned by ASA)
    SG200
    purpose
    ASA 5505 (Sec Plus license)
    purpose
    g2
    Trunk 1UP,99T
    Ubiquiti AP (VLAN 1 works, VLAN 99 does not
    g3
    Access port 99T
    vlan 99 does not work
    g8
    Trunk 1UP, 99T
    < Trunk between switch and ASA >
    Int e0/2
    switchport trunk allowed vlan 1,99
     switchport trunk native vlan 1
     switchport mode trunk
    Int e0/3
    switchport trunk allowed vlan 1,99
     switchport trunk native vlan 1
     switchport mode trunk
    Second ubiquiti AP
    Both VLAN 1 and VLAN 99 clients work properly

    Frustrated - yes.  Confused - maybe not as much, but I could have put some more effort into the overall picture.
    There are two VLANs (1 - native) and (99 - guest).   There is a trunk port between the SG200 and the ASA configured as 1-untagged 99 - tagged.    
    No clients connected to the SG200 on VLAN 99  are able to access the ASA VLAN 99 using either a static VLAN IP address or DHCP.   The problem occurs whether I configure the SG200 with an access port 99-tagged or Trunk port 1UP, 99T or general port 1U, 99UP or any combination thereof.
    Anything connected to the SG200 on the native VLAN works properly.
    Anything connected to the ASA VLANs (1 or 99) works properly
    I have not yet tried to see what the switch is doing with the VLAN tags but I suspect I have some mismatch with the Linksys/Cisco SG200 way of setting up a VLAN and how traditional Cisco switches work.
    I was hoping someone with a working SG200 - Cisco ASA setup could share their port/trunk/VLAN settings or perhaps point me in the right direction.
    SG200 g2 - trunk port (1UP, 99T) -- Access Point
    SG200 g2 - access port (99U)
    SG200 g8 - trunk port (1UP, 99T)  connected to ASA5505  e0/3  
    ASA5505 e0/3  (switchport trunk allowed vlan 1,99,  switchport trunk native vlan 1,  switchport mode trunk)
    Thanks,

  • Connecting Cisco VPN client v5 to asa 5505

    I am having a problem configuring remote VPN between an ASA 5505 and Cisco VPN client v5. I can successfully establish a connection between the ASA and the VPN client and receive an IP address from the ASA. The VPN client statistics window shows that packets are sent and encrypted, but none of the packets is received/decrypted.
    Cannot ping the ASA 5505.
    Any ideas on what I have missed?

    Your NAT configuration is incomplete, enter the following commands to your configuration:
    access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
    nat (inside) 0 access-list nonat
    This tells the ASA that the traffic destined for the VPN Client should not be NATted and should be sent directly to the client via the VPN Tunnel!
    Please rate if the post helps!
    Regards,
    Michael

  • WRV200 - Problems with VPN Client and Internal network access

    I have a WRV200 router and want to access the internal (Private Network) connected on the inside. I have successfully connected to the router with the Linksys VPN Client, but it does not appear to allow access to the internal network.
    How do I enable NAT Traversal or Passthru? I have already selected all of the PPTP, L2TP and IPSEC Pass Through.
    Has anyone gotten this to work?

    I have actually gotten this to work. Issues surround this include the ability to get to the VPN if the main DNS is down (it does not fail over to the next DNS in the list).
    If you unselect all of the boxes in the firewall General configuration, you can connect, but if you need to have all of this unchecked, what's the sense of having it?
    Anyway, you can use the DoS Prevention, this is not interfering.
    HTH.

  • Problem with VPN Client and PIX 7.0(5)

    Hi, I have a problem configuring my PIX 525 7.0(5) as a remote VPN server. I already configured the PIX
    following these instructions (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml)
    and I can establish a VPN using Cisco VPN Client, but I can't reach any resource from my inside network or any network defined in the PIX.
    I think that it could be a missing NAT or an ACL; but I have done a lot of research but I can figure out the solution.
    This is the configuration i apply
    access-list cryptomap-scada extended permit ip any 172.10.0.0 255.255.255.0
    access-list acl-vpn-sap-remoto extended permit ip any 172.16.42.64 255.255.255.224
    access-list acl-vpn-sap-remoto extended permit icmp any 172.16.42.64 255.255.255.224
    access-list acl-vpn-sap-remoto extended permit ip any any
    access-list acl-vpn-sap-remoto extended permit icmp any any
    ip local pool pool_vpn_sap 172.*.*.1-172.10.0.254 mask 255.255.255.0
    nat (inside) 0 access-list cryptomap-scada
    group-policy VPN_SAP_PED internal
    group-policy VPN_SAP_PED attributes
    vpn-filter value acl-vpn-sap-remoto
    vpn-tunnel-protocol IPSec
    username vpnuser password **** encrypted
    username vpnuser attributes
    vpn-group-policy VPN_SAP_PED
    crypto ipsec transform-set vpn-cliente-remoto esp-3des esp-md5-hmac
    crypto dynamic-map vpn-remoto-dymap 7 set transform-set vpn-cliente-remoto
    crypto dynamic-map vpn-remoto-dymap 7 set reverse-route
    crypto map siemens-scada-map 7 ipsec-isakmp dynamic vpn-remoto-dymap
    isakmp policy 7 authentication pre-share
    isakmp policy 7 encryption 3des
    isakmp policy 7 hash sha
    isakmp policy 7 group 2
    isakmp policy 7 lifetime 43200
    tunnel-group VPN_SAP_PED type ipsec-ra
    tunnel-group VPN_SAP_PED general-attributes
    address-pool pool_vpn_sap
    default-group-policy VPN_SAP_PED
    tunnel-group VPN_SAP_PED ipsec-attributes
    pre-shared-key clavevpnsap
    Thanks in advance

    Hi, thanks for your response. If I remove the ACL from the VPN filter, I get the same problem (I can't reach any host). This is the output from the command that you asked for.
    PIX-Principal(config)# show running-config nat
    nat (inside) 0 access-list cryptomap-scada
    nat (inside) 9 JOsorioPC 255.255.255.255
    nat (inside) 9 GColinaPC 255.255.255.255
    nat (inside) 9 AlfonsoPC 255.255.255.255
    nat (inside) 9 AngelPC 255.255.255.255
    nat (inside) 9 JerryPC 255.255.255.255
    nat (inside) 9 EstebanPC 255.255.255.255
    nat (inside) 9 GiancarloPC 255.255.255.255
    nat (inside) 9 WilliamsPC 255.255.255.255
    nat (inside) 9 PerniaPC 255.255.255.255
    nat (inside) 9 ElvisDomPC 255.255.255.255
    nat (inside) 8 LBermudezPC 255.255.255.255
    nat (inside) 9 HelpDeskPC 255.255.255.255
    nat (inside) 9 OscarOPC 255.255.255.255
    nat (inside) 9 AnaPC 255.255.255.255
    nat (inside) 9 RobertoPC 255.255.255.255
    nat (inside) 9 MarthaPC 255.255.255.255
    nat (inside) 9 NOCPc5-I 255.255.255.255
    nat (inside) 9 NOCPc6-I 255.255.255.255
    nat (inside) 9 CiraPC 255.255.255.255
    nat (inside) 9 JaimePC 255.255.255.255
    nat (inside) 9 EugemarPC 255.255.255.255
    nat (inside) 9 JosePC 255.255.255.255
    nat (inside) 9 RixioPC 255.255.255.255
    nat (inside) 9 DaniellePC 255.255.255.255
    nat (inside) 9 NorimarPC 255.255.255.255
    nat (inside) 9 NNavaPC 255.255.255.255
    nat (inside) 8 ManriquePC 255.255.255.255
    nat (inside) 8 MarcialPC 255.255.255.255
    nat (inside) 8 JAlbornozPC 255.255.255.255
    nat (inside) 9 GUrdanetaPC 255.255.255.255
    nat (inside) 9 RVegaPC 255.255.255.255
    nat (inside) 9 LLabarcaPC 255.255.255.255
    nat (inside) 9 Torondoy-I 255.255.255.255
    nat (inside) 9 Escuque-I 255.255.255.255
    nat (inside) 9 Turbio-I 255.255.255.255
    nat (inside) 9 JoseMora 255.255.255.255
    nat (inside) 8 San-Juan-I 255.255.255.255
    nat (inside) 8 Router7507 255.255.255.255
    nat (inside) 8 NOCPc4-I 255.255.255.255
    nat (InterfaceSAN) 8 MonitorHITACHI-I 255.255.255.255

  • Problems with VPN-Client 5.0 installed on Windows Vista over ADSL Connection

    Hi, I have several clients that use Windows Vista and connect through their LAN over a VPN-Client. The clients that have an ADSL connection in their house have disconnect problems. Do you know why? Do you know some workaround? Thanks.
    Regards.

    Make sure that you have the right cable pinout and that your ISP has turned on the DSL service. Troubleshoot the DSL connection by watching the modem state of the ADSL interface as the line retrains.
    To use the VPN Client, you need
    - Direct network connection (cable or DSL modem and network adapter/interface card), or
    - Internal or external modem
    For further troubleshooting, see this link:
    http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client500_501/release/notes/51client.html#wp1550392

  • Problems with SMTP port forwarding on ASA 5505

    Cannot telnet to port 25 to test for SMTP traffic.  Packet trace indicates that the packet is dropped by the implicit rule, but I have tried an access rule specifically for SMTP, and the trace appears to skip the rule and drop the packet when it hits the implicit default drop rule.  Can anyone help?  Here is my configuration:
    ASA Version 8.2(5)
    hostname XXXXXXXXXXXXXXXXX
    enable pXXXXXXXXXXXXXXXXXXXXX encrypted
    passwd XXXXXXXXXXXXXXXXXX encrypted
    names
    name XXX.XXX.XXX.74 DNI-HOST1
    name XXX.XXX.XXX.184 DNI-HOST2
    name 192.168.1.2 Server
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address XXX.XXX.XXX.130 255.255.255.248
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    object-group service rdp tcp
    port-object eq 3389
    access-list INBOUND extended permit icmp any any time-exceeded
    access-list INBOUND extended permit icmp any any echo-reply inactive
    access-list INBOUND extended permit icmp any any
    access-list INBOUND extended permit tcp any any eq smtp
    access-list INBOUND extended permit tcp any any eq https
    access-list INBOUND extended permit tcp any eq 3389 any object-group rdp
    pager lines 24
    logging enable
    logging buffered warnings
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 192.168.1.0 255.255.255.0
    static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
    access-group INBOUND in interface outside
    route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.129 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http DNI-HOST2 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ca certificate chain _SmartCallHome_ServerCA
    certificate ca [REDACTED]
      quit
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh 206.190.255.0 255.255.255.0 outside
    ssh DNI-HOST2 255.255.255.255 outside
    ssh DNI-HOST1 255.255.255.255 outside
    ssh timeout 5
    console timeout 0
    management-access inside
    threat-detection basic-threat
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    webvpn
    username Administrator password XXXXXXXXXXXXXXXXXXXX encrypted
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    : end

    Thanks.  I made the suggested changes, here are the results of packet-tracer:
    ASA# packet-tracer input outside tcp 1.2.3.4 1234 XXX.XXX.XXX.130 25
    Phase: 1
    Type: UN-NAT
    Subtype: static
    Result: ALLOW
    Config:
    static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
      match tcp inside host Server eq 25 outside any
        static translation to XXX.XXX.XXX.130/25
        translate_hits = 0, untranslate_hits = 3
    Additional Information:
    NAT divert to egress interface inside
    Untranslate XXX.XXX.XXX.130/25 to Server/25 using netmask 255.255.255.255
    Phase: 2
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group INBOUND in interface outside
    access-list INBOUND extended permit tcp any host XXX.XXX.XXX.130 eq smtp
    Additional Information:
    Phase: 3
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 4
    Type: INSPECT
    Subtype: inspect-smtp
    Result: ALLOW
    Config:
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect esmtp _default_esmtp_map
    service-policy global_policy global
    Additional Information:
    Phase: 5
    Type: HOST-LIMIT
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 6
    Type: NAT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
      match tcp inside host Server eq 25 outside any
        static translation to XXX.XXX.XXX.130/25
        translate_hits = 0, untranslate_hits = 3
    Additional Information:
    Phase: 7
    Type: NAT
    Subtype: host-limits
    Result: ALLOW
    Config:
    static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
      match tcp inside host Server eq 25 outside any
        static translation to XXX.XXX.XXX.130/25
        translate_hits = 0, untranslate_hits = 3
    Additional Information:
    Phase: 8
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 9
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 24392, packet dispatched to next module
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: allow
    I'm not all that experienced with translating these results, but on the surface, it appears to be passing traffic.  However, I still cannot telnet to the public IP using port 25.  I am using Putty as my telnet client and it doesn't generate an error.  At no time am I able to interact with the prompt in the Putty window. The Putty window just closes abruptly after about 10 seconds.  Does the line in Phase 7 containing 'untranslate_hits=3' have anything to do with my issue?
    Here is the new config:
    NUGENT-ASA# show run
    : Saved
    ASA Version 8.2(5)
    hostname NUGENT-ASA
    enable password XXXXXXXXXXXXXXXXXXXX encrypted
    passwd XXXXXXXXXXXXXXXXXX encrypted
    names
    name XXX.XXX.XXX.74 DNI-HOST1
    name XXX.XXX.XXX.184 DNI-HOST2
    name 192.168.1.2 Server
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address XXX.XXX.XXX.130 255.255.255.248
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    object-group service rdp tcp
    port-object eq 3389
    access-list INBOUND extended permit icmp any any time-exceeded
    access-list INBOUND extended permit icmp any any echo-reply inactive
    access-list INBOUND extended permit icmp any any
    access-list INBOUND extended permit tcp any host XXX.XXX.XXX.130 eq smtp
    pager lines 24
    logging enable
    logging buffered warnings
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 192.168.1.0 255.255.255.0
    static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
    static (outside,inside) tcp interface smtp Server smtp netmask 255.255.255.255
    access-group INBOUND in interface outside
    route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.129 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http DNI-HOST2 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ca certificate chain _SmartCallHome_ServerCA
    certificate ca [REDACTED]
      quit
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh 206.190.255.0 255.255.255.0 outside
    ssh DNI-HOST2 255.255.255.255 outside
    ssh DNI-HOST1 255.255.255.255 outside
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd dns 8.8.8.8 4.2.2.2
    dhcpd address 192.168.1.100-192.168.1.131 inside
    dhcpd dns 8.8.8.8 4.2.2.2 interface inside
    threat-detection basic-threat
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    webvpn
    username Administrator password XXXXXXXXXXXXXXXXXXXXXXX encrypted
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXX
    : end

  • Problems with the new NAT in ASA 5510 (8.4)

    Hi all,
    I have some problems with the NAT statements in ASA version 8.4.
    What I want is to translate the internal address of a server to the external address with a NAT rule.
    The ASA has only one WAN connection (named outside).
    The internal server has the IP address 192.168.0.221 (as an example) and I want to translate all incoming traffic on port 3389 to the server (192.168.0.221).
    This is only for training; I don't want to forward a 3389 port into the BAD in a productive network.
    First I create the network object for the inside server (192.168.0.221):
    object network Network_Obj_RDP
    host 192.168.0.221
    After that I create the access rule for incoming traffic on the outside interface:
    access-list outside_access_in extended permit ip any any log debugging
    Next I create an access rule for the inside-prod network to allow the traffic to the RDP server:
    access-list inside-prod_access_in extended permit object RDP interface outside object Network_Obj_RDP
    Now I create the NAT rule in the network object (Network_Obj_RDP):
    object network Network_Obj_RDP
    nat (inside-prod,outside) static interface service tcp 3389 3389
    But if I want to connect via 3389 on the outside interface, I see this entry in the syslog:
    Built inbound TCP connection 23248 for outside:80.187.107.132/7445 (80.187.107.132/7445) to inside-prod:192.168.0.221/3389 (External IP/3389)
    After a while the connection is torn down with this message:
    Teardown TCP connection 23289 for outside:80.187.107.132/2294 to inside-prod:192.168.0.221/3389 duration 0:00:30 bytes 0 SYN Timeout
    It looks like the ACL works fine, but the NAT translation is wrong...
    Perhaps somebody has an idea how to fix this.
    Looking forward and hope for help...
    Many thanks
    Greetings

    Hi Jouni,
    This is the correct Packet Tracer output, I think:
    packet-tracer input inside-prod tcp 192.168.0.220 3389 8.8.8.8 4567
    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         outside
    Phase: 3
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group inside-prod_access_in in interface inside-prod
    access-list inside-prod_access_in extended permit ip object Network_Obj-Productiv any log debugging
    Additional Information:
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    object network Network_Obj_RDP
    nat (inside-prod,outside) static interface service tcp 3389 3389
    Additional Information:
    Static translate 192.168.0.220/3389 to 80.146.252.162/3389
    Phase: 6
    Type: USER-STATISTICS
    Subtype: user-statistics
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 7
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 8
    Type: USER-STATISTICS
    Subtype: user-statistics
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 9
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 825, packet dispatched to next module
    Result:      
    input-interface: inside-prod
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow
    That looks pretty fine, but the way back isn't right:
    packet-tracer input outside tcp 8.8.8.8 4567 192.168.0.220 3389
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.0.0     255.255.255.0   inside-prod
    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         outside
    Phase: 3
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group outside-in in interface outside
    access-list outside-in extended permit tcp any object Network_Obj_RDP eq 3389 log debugging
    Additional Information:
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 6
    Type: NAT
    Subtype: rpf-check
    Result: DROP
    Config:
    object network Network_Obj_RDP
    nat (inside-prod,outside) static interface service tcp 3389 3389
    Additional Information:
    Result:      
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: inside-prod
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    I have no idea...
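
A small parser for the flattened packet-tracer output shown in the posts above, which names the first phase that did not return ALLOW together with the final action. This is an added example, not code from the thread; `parse_packet_tracer`, `diagnose` and the hint heuristic are assumptions of this example, and the sample is abridged from the inbound trace above.

```python
import re

# Constructed sample: the inbound trace from the post above, abridged to three phases.
SAMPLE_TRACE = """\
packet-tracer input outside tcp 8.8.8.8 4567 192.168.0.220 3389
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.0.0     255.255.255.0   inside-prod
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside-in in interface outside
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network Network_Obj_RDP
nat (inside-prod,outside) static interface service tcp 3389 3389
Additional Information:
Result:
input-interface: outside
output-interface: inside-prod
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

FIELD = re.compile(r"^(Phase|Type|Subtype|Result):\s*(.*)$")


def parse_packet_tracer(text):
    """Return (phases, summary) parsed from packet-tracer output."""
    phases, summary = [], {}
    current, section, in_summary = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_summary:  # closing block of "key: value" lines
            key, sep, value = line.partition(":")
            if sep:
                summary[key.strip().lower()] = value.strip()
            continue
        m = FIELD.match(line)
        if m and m.group(1) == "Result" and not m.group(2):
            in_summary = True  # a bare "Result:" opens the closing summary
        elif m and m.group(1) == "Phase":
            current = {"phase": int(m.group(2)), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
        elif current is None:
            continue  # anything before the first phase, e.g. the echoed command
        elif m:
            current[m.group(1).lower()] = m.group(2).strip()
        elif line in ("Config:", "Additional Information:"):
            section = "config" if line == "Config:" else "info"
        elif section:
            current[section].append(line)
    return phases, summary


def diagnose(text):
    """Name the first phase whose result is not ALLOW and the final verdict."""
    phases, summary = parse_packet_tracer(text)
    report = {"action": summary.get("action"), "drop_reason": summary.get("drop-reason"),
              "drop_phase": None, "drop_type": None, "drop_config": [], "hint": None}
    dropped = next((p for p in phases
                    if p["result"] and p["result"].upper() != "ALLOW"), None)
    if dropped:
        report["drop_phase"] = dropped["phase"]
        report["drop_type"] = "/".join(x for x in (dropped["type"], dropped["subtype"]) if x)
        report["drop_config"] = dropped["config"]
        saw_unnat = any(p["type"] == "UN-NAT" for p in phases)
        # Heuristic of this example: an rpf-check drop with no UN-NAT phase means
        # the traced destination was never untranslated by a NAT rule.
        if (dropped["type"], dropped["subtype"]) == ("NAT", "rpf-check") and not saw_unnat:
            report["hint"] = "destination was not untranslated; compare it with the mapped address"
    return report
```

Calling `diagnose()` on a saved trace returns the dropping phase number, its type and subtype, and the configuration lines the ASA printed for that phase.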

  • Problems with QuickVPN client

    Hello,
    I am experiencing problems with the QuickVPN client (version 1.4.1.2). I'm trying to connect to an SA520 router with 1.1.65 firmware;
    the VPN tunnel is established, but the client says "The remote gateway is not responding. Do you want to wait?"
    If I click No, it drops the VPN tunnel.
    QuickVPN client log looks like this:
    2010/08/18 12:13:27 [STATUS]OS Version: Windows 7
    2010/08/18 12:13:27 [STATUS]Windows Firewall Domain Profile Settings: ON
    2010/08/18 12:13:27 [STATUS]Windows Firewall Private Profile Settings: ON
    2010/08/18 12:13:27 [STATUS]Windows Firewall Private Profile Settings: ON
    2010/08/18 12:13:27 [STATUS]One network interface detected with IP address 192.168.1.100
    2010/08/18 12:13:27 [STATUS]Connecting...
    2010/08/18 12:13:27 [DEBUG]Input VPN Server Address = vpn.in-volv.lv
    2010/08/18 12:13:28 [STATUS]Connecting to remote gateway with IP address: 78.28.223.10
    2010/08/18 12:13:28 [WARNING]Server's certificate doesn't exist on your local computer.
    2010/08/18 12:13:30 [STATUS]Remote gateway was reached by https ...
    2010/08/18 12:13:30 [STATUS]Provisioning...
    2010/08/18 12:13:39 [STATUS]Success to connect.
    2010/08/18 12:13:39 [STATUS]Tunnel is configured. Ping test is about to start.
    2010/08/18 12:13:39 [STATUS]Verifying Network...
    2010/08/18 12:13:44 [WARNING]Failed to ping remote VPN Router!
    2010/08/18 12:13:47 [WARNING]Failed to ping remote VPN Router!
    2010/08/18 12:13:50 [WARNING]Failed to ping remote VPN Router!
    2010/08/18 12:13:53 [WARNING]Failed to ping remote VPN Router!
    2010/08/18 12:13:56 [WARNING]Failed to ping remote VPN Router!
    2010/08/18 12:14:08 [WARNING]Ping was blocked, which can be caused by an unexpected disconnect.
    2010/08/18 12:14:12 [STATUS]Disconnecting...
    2010/08/18 12:14:15 [STATUS]Success to disconnect.
    Server logs look like this:
    2010-08-18 12:28:49: INFO:  Adding IPSec configuration with identifier "arvils"
    2010-08-18 12:29:02: INFO:  Configuration found for 83.243.93.200[500].
    2010-08-18 12:29:02: INFO:  Received request for new phase 1 negotiation: 78.28.223.10[500]<=>83.243.93.200[500]
    2010-08-18 12:29:02: INFO:  Beginning Identity Protection mode.
    2010-08-18 12:29:02: INFO:  Received Vendor ID: MS NT5 ISAKMPOAKLEY
    2010-08-18 12:29:02: INFO:  Received Vendor ID: RFC 3947
    2010-08-18 12:29:02: INFO:  Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    2010-08-18 12:29:02: INFO:  Received unknown Vendor ID
    2010-08-18 12:29:02: INFO:  Received unknown Vendor ID
    2010-08-18 12:29:02: INFO:  Received unknown Vendor ID
    2010-08-18 12:29:02: INFO:  Received unknown Vendor ID
    2010-08-18 12:29:02: INFO:  For 83.243.93.200[500], Selected NAT-T version: RFC 3947
    2010-08-18 12:29:02: INFO:  NAT-D payload matches for 78.28.223.10[500]
    2010-08-18 12:29:02: INFO:  NAT-D payload does not match for 83.243.93.200[500]
    2010-08-18 12:29:02: INFO:  NAT detected: PEER
    2010-08-18 12:29:02: INFO:  Floating ports for NAT-T with peer 83.243.93.200[4500]
    2010-08-18 12:29:02: INFO:  ISAKMP-SA established for 78.28.223.10[4500]-83.243.93.200[4500] with spi:e2cd855a75fc0887:6dc3b2e025152444
    2010-08-18 12:29:02: INFO:  Sending Informational Exchange: notify payload[INITIAL-CONTACT]
    2010-08-18 12:29:02: INFO:  Responding to new phase 2 negotiation: 78.28.223.10[0]<=>83.243.93.200[0]
    2010-08-18 12:29:02: INFO:  Using IPsec SA configuration: 192.168.75.0/24<->192.168.1.100/32
    2010-08-18 12:29:02: INFO:  Adjusting peer's encmode 3(3)->Tunnel(1)
    2010-08-18 12:29:02: INFO:  IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 83.243.93.200->78.28.223.10 with spi=47693803(0x2d7bfeb)
    2010-08-18 12:29:02: INFO:  IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 78.28.223.10->83.243.93.200 with spi=1079189482(0x40531fea)
    2010-08-18 12:35:57: INFO:  an undead schedule has been deleted: 'pk_recvupdate'.
    2010-08-18 12:35:57: INFO:  Purged IPsec-SA with proto_id=ESP and spi=1079189482(0x40531fea).
    2010-08-18 12:40:46: INFO:  Configuration found for 83.243.93.200[500].
    2010-08-18 12:40:46: INFO:  Received request for new phase 1 negotiation: 78.28.223.10[500]<=>83.243.93.200[500]
    2010-08-18 12:40:46: INFO:  Beginning Identity Protection mode.
    2010-08-18 12:40:46: INFO:  Received Vendor ID: MS NT5 ISAKMPOAKLEY
    2010-08-18 12:40:46: INFO:  Received Vendor ID: RFC 3947
    2010-08-18 12:40:46: INFO:  Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    2010-08-18 12:40:46: INFO:  Received unknown Vendor ID
    2010-08-18 12:40:46: INFO:  Received unknown Vendor ID
    2010-08-18 12:40:46: INFO:  Received unknown Vendor ID
    2010-08-18 12:40:46: INFO:  For 83.243.93.200[500], Selected NAT-T version: RFC 3947
    2010-08-18 12:40:46: INFO:  NAT-D payload matches for 78.28.223.10[500]
    2010-08-18 12:40:46: INFO:  NAT-D payload does not match for 83.243.93.200[500]
    2010-08-18 12:40:46: INFO:  NAT detected: PEER
    2010-08-18 12:40:46: INFO:  Floating ports for NAT-T with peer 83.243.93.200[4500]
    2010-08-18 12:40:46: INFO:  ISAKMP-SA established for 78.28.223.10[4500]-83.243.93.200[4500] with spi:28447d39874689f9:a2b7da19d8d86413
    2010-08-18 12:40:46: INFO:  Responding to new phase 2 negotiation: 78.28.223.10[0]<=>83.243.93.200[0]
    2010-08-18 12:40:46: INFO:  Using IPsec SA configuration: 192.168.75.0/24<->192.168.1.100/32
    2010-08-18 12:40:46: INFO:  Adjusting peer's encmode 3(3)->Tunnel(1)
    2010-08-18 12:40:47: INFO:  IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 83.243.93.200->78.28.223.10 with spi=259246202(0xf73c87a)
    2010-08-18 12:40:47: INFO:  IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 78.28.223.10->83.243.93.200 with spi=3642234214(0xd9181566)
    2010-08-18 12:43:27: INFO:  IPsec-SA expired: ESP/Tunnel 83.243.93.200->78.28.223.10 with spi=33356156(0x1fcf97c)
    2010-08-18 12:45:47: INFO:  an undead schedule has been deleted: 'pk_recvupdate'.
    2010-08-18 12:45:47: INFO:  Purged IPsec-SA with proto_id=ESP and spi=3642234214(0xd9181566).
    The most interesting thing is that sometimes this message appears, sometimes not (with the same configuration).
    Please help!

    Hi,
    I have a problem. I am using Windows 7 Enterprise x64. I use SA520 firmware 1.1.65 and QuickVPN 1.4.1.2, port 60443.
    "The remote gateway is not responding. Do you want to wait"
    2010-08-18 17:25:51: INFO:  Adding IPSec configuration with identifier "username"
    2010-08-18 17:25:51: INFO:  Adding IKE configuration with identifer "username"
    2010-08-18 17:26:04: INFO:  Configuration found for xxx.xxx.xxx.xxx[235].
    2010-08-18 17:26:04: INFO:  Received request for new phase 1 negotiation: 172.22.5.10[500]<=>xxx.xxx.xxx.xxx[235]
    2010-08-18 17:26:04: INFO:  Beginning Identity Protection mode.
    2010-08-18 17:26:04: INFO:  Received Vendor ID: MS NT5 ISAKMPOAKLEY
    2010-08-18 17:26:04: INFO:  Received Vendor ID: RFC 3947
    2010-08-18 17:26:04: INFO:  Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    2010-08-18 17:26:04: INFO:  Received unknown Vendor ID
    2010-08-18 17:26:04: INFO:  Received unknown Vendor ID
    2010-08-18 17:26:04: INFO:  Received unknown Vendor ID
    2010-08-18 17:26:04: INFO:  Received unknown Vendor ID
    2010-08-18 17:26:04: INFO:  For xxx.xxx.xxx.xxx[235], Selected NAT-T version: RFC 3947
    2010-08-18 17:26:04: INFO:  NAT-D payload does not match for 172.22.5.10[500]
    2010-08-18 17:26:04: INFO:  NAT-D payload does not match for xxx.xxx.xxx.xxx[235]
    2010-08-18 17:26:04: INFO:  NAT detected: ME PEER
    2010-08-18 17:26:04: INFO:  Floating ports for NAT-T with peer xxx.xxx.xxx.xxx[48540]
    2010-08-18 17:26:04: INFO:  ISAKMP-SA established for 172.22.5.10[4500]- xxx.xxx.xxx.xxx[48540] with spi:ed4f291c71c1b688:7e6a8a0968f878fb
    2010-08-18 17:26:04: INFO:  Sending Informational Exchange: notify payload[INITIAL-CONTACT]
    2010-08-18 17:26:04: INFO:  Responding to new phase 2 negotiation: 172.22.5.10[0]<=> xxx.xxx.xxx.xxx[0]
    2010-08-18 17:26:04: INFO:  Using IPsec SA configuration: 192.168.75.0/24<->192.168.170.224/32
    2010-08-18 17:26:04: INFO:  Adjusting peer's encmode 3(3)->Tunnel(1)
    2010-08-18 17:26:05: INFO:  IPsec-SA established[UDP encap 48540->4500]: ESP/Tunnel xxx.xxx.xxx.xxx->172.22.5.10 with spi=239099274(0xe405d8a)
    2010-08-18 17:26:05: INFO:  IPsec-SA established[UDP encap 4500->48540]: ESP/Tunnel 172.22.5.10-> xxx.xxx.xxx.xxx with spi=3886848189(0xe7ac98bd)
    2010-08-18 17:26:07: INFO:  Configuration found for xxx.xxx.xxx.xxx[235].
    2010-08-18 17:26:07: INFO:  Received request for new phase 1 negotiation: 172.22.5.10[500]<=> xxx.xxx.xxx.xxx[235]
    2010-08-18 17:26:07: INFO:  Beginning Identity Protection mode.
    2010-08-18 17:26:07: INFO:  Received Vendor ID: MS NT5 ISAKMPOAKLEY
    2010-08-18 17:26:07: INFO:  Received Vendor ID: RFC 3947
    2010-08-18 17:26:07: INFO:  Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    2010-08-18 17:26:07: INFO:  Received unknown Vendor ID
    2010-08-18 17:26:07: INFO:  Received unknown Vendor ID
    2010-08-18 17:26:07: INFO:  Received unknown Vendor ID
    2010-08-18 17:26:07: INFO:  For xxx.xxx.xxx.xxx[235], Selected NAT-T version: RFC 3947
    2010-08-18 17:26:07: INFO:  NAT-D payload does not match for 172.22.5.10[500]
    2010-08-18 17:26:07: INFO:  NAT-D payload does not match for xxx.xxx.xxx.xxx[235]
    2010-08-18 17:26:07: INFO:  NAT detected: ME PEER
    2010-08-18 17:26:07: INFO:  Floating ports for NAT-T with peer xxx.xxx.xxx.xxx[48540]
    2010-08-18 17:26:07: INFO:  ISAKMP-SA established for 172.22.5.10[4500]- xxx.xxx.xxx.xxx[48540] with spi:699f34b434d4318c:df4adca414787d36
    2010-08-18 17:27:14: INFO:  Purged ISAKMP-SA with proto_id=ISAKMP and spi=699f34b434d4318c:df4adca414787d36.
    2010-08-18 17:27:14: INFO:  Configuration found for xxx.xxx.xxx.xxx[235].
    2010-08-18 17:27:14: INFO:  Received request for new phase 1 negotiation: 172.22.5.10[500]<=> xxx.xxx.xxx.xxx[235]
    2010-08-18 17:27:14: INFO:  Beginning Identity Protection mode.
    2010-08-18 17:27:14: INFO:  Received Vendor ID: MS NT5 ISAKMPOAKLEY
    2010-08-18 17:27:14: INFO:  Received Vendor ID: RFC 3947
    2010-08-18 17:27:14: INFO:  Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    2010-08-18 17:27:14: INFO:  Received unknown Vendor ID
    2010-08-18 17:27:14: INFO:  Received unknown Vendor ID
    2010-08-18 17:27:14: INFO:  Received unknown Vendor ID
    2010-08-18 17:27:14: INFO:  For xxx.xxx.xxx.xxx[235], Selected NAT-T version: RFC 3947
    2010-08-18 17:27:14: INFO:  NAT-D payload does not match for 172.22.5.10[500]
    2010-08-18 17:27:14: INFO:  NAT-D payload does not match for xxx.xxx.xxx.xxx[235]
    2010-08-18 17:27:14: INFO:  NAT detected: ME PEER
    2010-08-18 17:27:15: INFO:  ISAKMP-SA deleted for 172.22.5.10[4500]- xxx.xxx.xxx.xxx[48540] with spi:699f34b434d4318c:df4adca414787d36
    2010-08-18 17:27:15: INFO:  Floating ports for NAT-T with peer xxx.xxx.xxx.xxx[48540]
    2010-08-18 17:27:15: INFO:  ISAKMP-SA established for 172.22.5.10[4500]- xxx.xxx.xxx.xxx[48540] with spi:3fe5eb0bddbf2b9a:f5c11d7f813ca74a
    2010-08-18 17:27:15: INFO:  Sending Informational Exchange: notify payload[INITIAL-CONTACT]
    2010-08-18 17:28:20: INFO:  Purged ISAKMP-SA with proto_id=ISAKMP and spi=3fe5eb0bddbf2b9a:f5c11d7f813ca74a.
    2010-08-18 17:28:21: INFO:  ISAKMP-SA deleted for 172.22.5.10[4500]- xxx.xxx.xxx.xxx[48540] with spi:3fe5eb0bddbf2b9a:f5c11d7f813ca74a
    With Windows XP Pro I don't have this problem.
    Is there a detailed configuration guide?
    10x
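
A summarizer for the gateway log format posted in the two QuickVPN messages above, which lists each ISAKMP (phase 1) SA, the NAT detection result that preceded it, and whether any IPsec (phase 2) SA followed. This is an added example, not code from the thread; the function names are this example's own, the sample lines are abridged from the second log above, and attributing an IPsec SA to the most recently established ISAKMP SA is an assumption, since the log does not link them explicitly.

```python
import re
from datetime import datetime

# Constructed sample: lines abridged from the second server log in the thread above.
SAMPLE_LOG = """\
2010-08-18 17:26:04: INFO:  NAT detected: ME PEER
2010-08-18 17:26:04: INFO:  ISAKMP-SA established for 172.22.5.10[4500]- xxx.xxx.xxx.xxx[48540] with spi:ed4f291c71c1b688:7e6a8a0968f878fb
2010-08-18 17:26:04: INFO:  Responding to new phase 2 negotiation: 172.22.5.10[0]<=> xxx.xxx.xxx.xxx[0]
2010-08-18 17:26:05: INFO:  IPsec-SA established[UDP encap 48540->4500]: ESP/Tunnel xxx.xxx.xxx.xxx->172.22.5.10 with spi=239099274(0xe405d8a)
2010-08-18 17:26:05: INFO:  IPsec-SA established[UDP encap 4500->48540]: ESP/Tunnel 172.22.5.10-> xxx.xxx.xxx.xxx with spi=3886848189(0xe7ac98bd)
2010-08-18 17:26:07: INFO:  NAT detected: ME PEER
2010-08-18 17:26:07: INFO:  ISAKMP-SA established for 172.22.5.10[4500]- xxx.xxx.xxx.xxx[48540] with spi:699f34b434d4318c:df4adca414787d36
2010-08-18 17:27:14: INFO:  Purged ISAKMP-SA with proto_id=ISAKMP and spi=699f34b434d4318c:df4adca414787d36.
2010-08-18 17:27:14: INFO:  NAT detected: ME PEER
2010-08-18 17:27:15: INFO:  ISAKMP-SA established for 172.22.5.10[4500]- xxx.xxx.xxx.xxx[48540] with spi:3fe5eb0bddbf2b9a:f5c11d7f813ca74a
2010-08-18 17:28:20: INFO:  Purged ISAKMP-SA with proto_id=ISAKMP and spi=3fe5eb0bddbf2b9a:f5c11d7f813ca74a.
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): \w+:\s+(.*)$")
NAT = re.compile(r"^NAT detected: (.+)$")
IKE_UP = re.compile(r"^ISAKMP-SA established for .* with spi:([0-9a-f]+:[0-9a-f]+)")
IKE_DOWN = re.compile(r"^Purged ISAKMP-SA with proto_id=ISAKMP and spi=([0-9a-f]+:[0-9a-f]+)")
ESP_UP = re.compile(r"^IPsec-SA established(?:\[[^\]]*\])?: .* with spi=\d+\((0x[0-9a-f]+)\)")


def summarize_ike_log(text):
    """Return one record per ISAKMP SA, in the order they were established."""
    sas, by_spi, latest, pending_nat = [], {}, None, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(2)
        if (n := NAT.match(msg)):
            pending_nat = n.group(1).split()  # e.g. ["ME", "PEER"]
        elif (u := IKE_UP.match(msg)):
            latest = {"spi": u.group(1), "up": when, "down": None,
                      "nat": pending_nat or [], "esp_spis": []}
            sas.append(latest)
            by_spi[latest["spi"]] = latest
            pending_nat = None
        elif (e := ESP_UP.match(msg)) and latest is not None:
            # Assumption: phase 2 SAs belong to the latest phase 1 SA.
            latest["esp_spis"].append(e.group(1))
        elif (d := IKE_DOWN.match(msg)) and d.group(1) in by_spi:
            by_spi[d.group(1)]["down"] = when
    return sas


def phase1_without_phase2(sas):
    """ISAKMP SAs that never carried an IPsec SA: (spi, lifetime in seconds or None)."""
    out = []
    for sa in sas:
        if not sa["esp_spis"]:
            life = int((sa["down"] - sa["up"]).total_seconds()) if sa["down"] else None
            out.append((sa["spi"], life))
    return out
```

On the sample, the first phase 1 SA carries both ESP SAs, while the two later ones are purged after roughly a minute without any phase 2.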

  • Problem with Variable Client Support

    Hello,
    I work with LabVIEW 8.5 and cRIO 9014.
    I have a problem with Variable Client Support. When I try to compile my project I get the following error:
    "The Network Variable Engine and Variable Client Support must be installed on the RT target for this application to function properly..."
    I have read that we have to install the Variable Client Support in Measurement and Automation by right-clicking on the software and then choosing add/remove software, but I can't install the appropriate shared variable components because I can't see either Network Variable Engine or Variable Client Support. So what can I do?
    Can somebody help me?
    Thanks

    I have exactly the same problem. I wanted to go through the "Getting Started with the LabVIEW RT module" and when I use the wizard for generating a new project I get the same notification in my VI...
    The Network Variable Engine and Variable Client Support must be installed on the RT target
    for this application to function properly. If the Network Variable Engine is not supported on
    the target (e.g. FP-2000 with <32MB of RAM), open the project and move the variable library
    to My Computer in the project. Doing this will deploy the variables to localhost but
    will still require that Variable Client Support be installed on the RT target.
    Could someone help, please?

  • We encountered a problem with some client machines that use Firefox version 24ESR and IE8. Ajax requests of aspx pages from Firefox are getting the following er

    I encountered a problem with some client machines that use Firefox version 24ESR and IE8.
    Ajax requests of aspx pages from Firefox are getting the following error from the IIS server (IIS version 7.5):
    Bad Request - Request Too Long
    HTTP Error 400. The size of the request headers is too long.
    From analyzing the request that was sent to the server, I saw that the request consists of only the viewstate of the aspx page.
    I tried to disable the viewstate for one page and the server got the request correctly.
    I do not encounter any issues on these laptops with postback requests from Firefox or when running the same application with IE8.

    Sometimes that means that the page address sent is too long.
    Check the link address you are using.
    I can't help you further and will send for more help.

  • After upgrading to iOS 6 I have problems with VPN connection. Please help if someone has the same problem

    Problem with VPN connection after upgrading to iOS 6. Please help.

    I've never been able to share FaceBook posts nor seen the option using the iOS FaceBook app regardless the FaceBook app and iOS version. I can Like and I can Comment, and if I select a link or video to view under iOS 6, I can use the Share option for the link or video, but not for a post.

  • Problem with VPN by ASA 5505 and PIX 501

    Hi
    I have this scenario: Firewall ASA 5505, Firewall PIX 501 (with CatOS 6.3(5)).
    I have configured these appliances for Easy VPN (the server is the ASA) and PIX, and remote access with the Cisco VPN client (for the internal LAN of the ASA).
    When I configure the ASA I have this problem, when I configure NAT for Easy VPN.
    This is my nat configuration:
    nat (inside) 0 access-list 100
    nat (inside) 1 192.168.1.0 255.255.255.0
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (inside) 0 0.0.0.0 0.0.0.0 outside
    When I enter this command:
    nat (inside) 0 access-list no-nat
    This command is necessary for the Easy VPN configuration, but the previous nat:
    nat (inside) 0 access-list 100
    is replaced by the latest command.

    To identify addresses on one interface that are translated to mapped addresses on another interface, use the nat command in global configuration mode. This command configures dynamic NAT or PAT, where an address is translated to one of a pool of mapped addresses. To remove the nat command, use the no form of this command.
    For regular dynamic NAT:
    nat (real_ifc) nat_id real_ip [mask [dns] [outside] [udp udp_max_conns] [norandomseq]]
    no nat (real_ifc) nat_id real_ip [mask [dns] [outside] [udp udp_max_conns] [norandomseq]]
    For policy dynamic NAT and NAT exemption:
    nat (real_ifc) nat_id access-list access_list_name [dns] [outside] [udp udp_max_conns] [norandomseq]
    no nat (real_ifc) nat_id access-list access_list_name [dns] [outside] [udp udp_max_conns] [norandomseq]
