Problem with VPN Client passthrough on ASA 5505
I am having a problem with passing through a VPN client connection on an ASA 5505. The ASA is running version 8 and terminates an anyconnect VPN. The ASA is using PAT. When the inside user connects with the VPN client, it connects but no traffic passes through the tunnel. I see the error
305006 regular translation creation failed for protocol 50 src INSIDE:y.y.y.y dst OUTSIDE:x.x.x.x
UDP 500,4500 and ESP are allowed into the ASA. Ipsec inspection has also been setup on a global policy, but the user still cannot pass traffice to the remote VPN he is connected through.
At the Main Office we have an ASA 5510 that terminates a site to site VPN, allows remote connections with PAT and allows passthrough no problems. Any ideas?
I am having a simuliar issue with my ASA 5505 that I have set up. I am trying to VPN into the Office. I have no problem accessing the Office network when I am on the internet without the ASA 5505. After I installed the 5505, and there is internet access, I try to connect to the Office network without success. The VPN connects with the following error.
3 Dec 31 2007 05:30:00 305006 xxx.xx.114.97
regular translation creation failed for protocol 50 src inside:192.168.1.9 dst outside:xxx.xx.114.97
HELP?
Similar Messages
-
Problem with VPN Client and network access
We are running VPN client 4.0.1 on our laptops, and there are a number of users who are getting documents they are using on the internal network (off VPN) corrupted. The initial cause seemed to be the stateful firewall, but I have that turned off, and we are still getting it.
It only seems to be on the machines with VPN client installed, and it is only happening when the user is working on a file direct from the network drive. They are not connecting via the VPN client when the problem occurs.
any suggestions?
William.Did you get any joy with this ? We seem to be having the same issue.
Thanks -
Problem with VPN client on Cisco 1801
Hi,
I have configured a new router for a customer.
All works fine but i have a strange issue with the VPN client.
When i start the VPN the client don't close the connection, ask for password, start to negotiate security policy the show the not connected status.
This is the log form the VPN client:
Cisco Systems VPN Client Version 5.0.07.0290
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1
Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\
1 14:37:59.133 04/08/13 Sev=Info/6 GUI/0x63B00011
Reloaded the Certificates in all Certificate Stores successfully.
2 14:38:01.321 04/08/13 Sev=Info/4 CM/0x63100002
Begin connection process
3 14:38:01.335 04/08/13 Sev=Info/4 CM/0x63100004
Establish secure connection
4 14:38:01.335 04/08/13 Sev=Info/4 CM/0x63100024
Attempt connection with server "asgardvpn.dyndns.info"
5 14:38:02.380 04/08/13 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 79.52.36.120.
6 14:38:02.384 04/08/13 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
7 14:38:02.388 04/08/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 79.52.36.120
8 14:38:02.396 04/08/13 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
9 14:38:02.396 04/08/13 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
10 14:38:02.460 04/08/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 79.52.36.120
11 14:38:02.460 04/08/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from 79.52.36.120
12 14:38:02.506 04/08/13 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.
13 14:38:02.460 04/08/13 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
14 14:38:02.460 04/08/13 Sev=Info/5 IKE/0x63000001
Peer supports DPD
15 14:38:02.460 04/08/13 Sev=Info/5 IKE/0x63000001
Peer supports DWR Code and DWR Text
16 14:38:02.460 04/08/13 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
17 14:38:02.460 04/08/13 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
18 14:38:02.465 04/08/13 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
19 14:38:02.465 04/08/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 79.52.36.120
20 14:38:02.465 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
21 14:38:02.465 04/08/13 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0xCEFD, Remote Port = 0x1194
22 14:38:02.465 04/08/13 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
23 14:38:02.465 04/08/13 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
24 14:38:02.502 04/08/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 79.52.36.120
25 14:38:02.502 04/08/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 79.52.36.120
26 14:38:02.502 04/08/13 Sev=Info/4 CM/0x63100015
Launch xAuth application
27 14:38:07.623 04/08/13 Sev=Info/4 CM/0x63100017
xAuth application returned
28 14:38:07.623 04/08/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 79.52.36.120
29 14:38:12.656 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
30 14:38:22.808 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
31 14:38:32.949 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
32 14:38:43.089 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
33 14:38:53.230 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
34 14:39:03.371 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
35 14:39:13.514 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
36 14:39:23.652 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
37 14:39:33.807 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
38 14:39:43.948 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
39 14:39:54.088 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
40 14:40:04.233 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
41 14:40:14.384 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
42 14:40:24.510 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
43 14:40:34.666 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
44 14:40:44.807 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
45 14:40:54.947 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
46 14:41:05.090 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
47 14:41:15.230 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
48 14:41:25.370 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
49 14:41:35.524 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
50 14:41:45.665 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
51 14:41:55.805 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
52 14:42:05.951 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
53 14:42:16.089 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
54 14:42:26.228 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
55 14:42:36.383 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
56 14:42:46.523 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
57 14:42:56.664 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
58 14:43:02.748 04/08/13 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=2B1FFC3754E3B290 R_Cookie=73D546631A33B5D6) reason = DEL_REASON_CANNOT_AUTH
59 14:43:02.748 04/08/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to 79.52.36.120
60 14:43:03.248 04/08/13 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=2B1FFC3754E3B290 R_Cookie=73D546631A33B5D6) reason = DEL_REASON_CANNOT_AUTH
61 14:43:03.248 04/08/13 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "asgardvpn.dyndns.info" because of "DEL_REASON_CANNOT_AUTH"
62 14:43:03.248 04/08/13 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
63 14:43:03.262 04/08/13 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
64 14:43:03.262 04/08/13 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
65 14:43:03.265 04/08/13 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
66 14:43:03.265 04/08/13 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
67 14:43:03.265 04/08/13 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
68 14:43:03.265 04/08/13 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
And this is the conf from the 1801:
hostname xxx
boot-start-marker
boot-end-marker
enable secret 5 xxx
aaa new-model
aaa authentication login xauthlist local
aaa authorization network groupauthor local
aaa session-id common
dot11 syslog
no ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.1.1 10.0.1.10
ip dhcp excluded-address 10.0.1.60 10.0.1.200
ip dhcp excluded-address 10.0.1.225
ip dhcp excluded-address 10.0.1.250
ip dhcp pool LAN
network 10.0.1.0 255.255.255.0
default-router 10.0.1.10
dns-server 10.0.1.200 8.8.8.8
domain-name xxx
lease infinite
ip name-server 10.0.1.200
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip inspect log drop-pkt
ip inspect name Firewall cuseeme
ip inspect name Firewall dns
ip inspect name Firewall ftp
ip inspect name Firewall h323
ip inspect name Firewall icmp
ip inspect name Firewall imap
ip inspect name Firewall pop3
ip inspect name Firewall rcmd
ip inspect name Firewall realaudio
ip inspect name Firewall rtsp
ip inspect name Firewall esmtp
ip inspect name Firewall sqlnet
ip inspect name Firewall streamworks
ip inspect name Firewall tftp
ip inspect name Firewall vdolive
ip inspect name Firewall udp
ip inspect name Firewall tcp
ip inspect name Firewall https
ip inspect name Firewall http
multilink bundle-name authenticated
username xxx password 0 xxxx
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group xxx
key xxx
dns 10.0.1.200
wins 10.0.1.200
domain xxx
pool ippool
acl 101
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set xauthtransform esp-des esp-md5-hmac
crypto dynamic-map dynmap 10
set transform-set myset
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
archive
log config
hidekeys
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
dsl operating-mode adsl2+
hold-queue 224 in
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Vlan1
ip address 10.0.1.10 255.255.255.0
ip nat inside
ip virtual-reassembly
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp pap sent-username aliceadsl password 0 aliceadsl
crypto map clientmap
ip local pool ippool 10.16.20.1 10.16.20.200
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 10.0.1.2
ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static udp 10.0.1.60 1056 interface Dialer0 1056
ip nat inside source static tcp 10.0.1.60 1056 interface Dialer0 1056
ip nat inside source static tcp 10.0.1.60 3111 interface Dialer0 3111
ip nat inside source static udp 10.0.1.60 3111 interface Dialer0 3111
ip nat inside source list 101 interface Dialer0 overload
access-list 101 remark *** ACL nonat ***
access-list 101 deny ip 10.0.1.0 0.0.0.255 10.16.20.0 0.0.0.255
access-list 101 permit ip 10.0.1.0 0.0.0.255 any
access-list 150 remark *** ACL split tunnel ***
access-list 150 permit ip 10.0.1.0 0.0.0.255 10.16.20.0 0.0.0.255
control-plane
line con 0
no modem enable
line aux 0
line vty 0 4
password xxx
scheduler max-task-time 5000
end
Anyone can help me ?
Sometimes the vpn can be vreated using the iPhone or iPad vpn client...I am having a simuliar issue with my ASA 5505 that I have set up. I am trying to VPN into the Office. I have no problem accessing the Office network when I am on the internet without the ASA 5505. After I installed the 5505, and there is internet access, I try to connect to the Office network without success. The VPN connects with the following error.
3 Dec 31 2007 05:30:00 305006 xxx.xx.114.97
regular translation creation failed for protocol 50 src inside:192.168.1.9 dst outside:xxx.xx.114.97
HELP? -
VLAN problems with SG200-8P and Cisco ASA 5505 (Sec Plus license)
Hi, I've been pulling my hair out trying to get simple vlan trunking working between these devices.
Basically, no clients on VLAN 99 (guest) will receive DHCP ip addresses when plugged into the SG200. I have the SG200<>ASA VLAN trunk configured correctly, as I know it, and I've tried numerous variations (set trunk as general tag/untagged, etc., set the ap port to general tag/untag, etc). Both AP's work properly when connected to the ASA e0/3 port but either will only pull the "inside" VLAN dhcp address when connected to the SG200 switch
VLAN 1 - inside (has separate dhcp scope assigned by ASA)
VLAN 99 - guest (has separate dhcp scope assigned by ASA)
SG200
purpose
ASA 5505 (Sec Plus license)
purpose
g2
Trunk 1UP,99T
Ubiquiti AP (VLAN 1 works, VLAN 99 does not
g3
Access port 99T
vlan 99 does not work
g8
Trunk 1UP, 99T
< Trunk between switch and ASA >
Int e0/2
switchport trunk allowed vlan 1,99
switchport trunk native vlan 1
switchport mode trunk
Int e0/3
switchport trunk allowed vlan 1,99
switchport trunk native vlan 1
switchport mode trunk
Second ubiquiti AP
Both VLAN 1 and VLAN 99 clients work properlyFrustrated - yes. Confused - maybe not as much, but I could have put some more effort into the overall picture.
There are two VLANs (1 - native) and (99 - guest). There is a trunk port between the SG200 and the ASA configured as 1-untagged 99 - tagged.
No clients connected to the SG200 on VLAN 99 are able to access the ASA VLAN 99 using either a static VLAN IP address or DHCP. The problem occurs whether I configure the SG200 with an access port 99-tagged or Trunk port 1UP, 99T or general port 1U, 99UP or any combination thereof.
Anything connected to the SG200 on the native VLAN works properly.
Anything connected to the ASA VLANs (1 or 99) works properly
I have not yet tried to see what the switch is doing with the VLAN tags but I suspect I have some mismatch with the Linksys/Cisco SG200 way of setting up a VLAN and how traditional Cisco switches work.
I was hoping someone with a working SG200 - Cisco ASA setup could share their port/trunk/VLAN settings or perhaps point me in the right direction.
SG200 g2 - trunk port (1UP, 99T) -- Access Point
SG200 g2 - access port (99U)
SG200 g8 - trunk port (1UP, 99T) connected to ASA5505 e0/3
ASA5505 e0/3 (switchport trunk allowed vlan 1,99, switchport trunk native vlan 1, switchport mode trunk)
Thanks, -
Connecting Cisco VPN client v5 to asa 5505
I am having problem configuring remote vpn between ASA5505 and Cisco VPN client v5. I can successfully establish connection between ASA and Vpn client and receive IP address from ASA. VPN client statistics windows shows that packets are send and encrypted but none of the packets is Received/Decrypted.
Can not ping asa 5505
Any ideas on what I have missed?Your NAT configuration is incomplete, enter the following commands to your configuration:
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list nonat
This tells the ASA that the traffic destined for the VPN Client should not be NATted and should be sent directly to the client via the VPN Tunnel!
Please rate if the post helps!
Regards,
Michael -
WRV200 - Problems with VPN Client and Internal network access
I have a WRV200 router and want to access the internal (Private Network) connected on the inside. I have successfully conected to the router with the Linksys VPN Client, but it does not appear to allow access to the internal network.
How do I enable NAT Transversal or Passthru? I have already selected all of the PPTP, L2TP and IPSEC Pass Through.
Has anyone gotten this to work?I have actually gotten this to work. Issues surround this include the ability to get to the VPN if the main DNS is down (it does not fail over to the next DNS in the list).
If you unselect all of the boxes in the firewall General configuration, you can connect, but if you need to have all of this unchecked, what's the sense of having it?
Anyway, you can use the DoS Prevention, this is not interfering.
HTH. -
Problem with VPN Client and PIX 7.0(5)
Hi, i have a problem configuring my pix 525 7.0(5) as a remote vpn server. I already configure the pix
sollowing this instructions (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml)
and i can establish a vpn using CISCO VPN Client; but i can't reach any resource from my inside network or any network define in the PIX.
I think that could be a missing nat or an acl; but i have do a lot of research but i can figure out the solution.
This is the configuration i apply
access-list cryptomap-scada extended permit ip any 172.10.0.0 255.255.255.0
access-list acl-vpn-sap-remoto extended permit ip any 172.16.42.64 255.255.255.224
access-list acl-vpn-sap-remoto extended permit icmp any 172.16.42.64 255.255.255.224
access-list acl-vpn-sap-remoto extended permit ip any any
access-list acl-vpn-sap-remoto extended permit icmp any any
ip local pool pool_vpn_sap 172.*.*.1-172.10.0.254 mask 255.255.255.0
nat (inside) 0 access-list cryptomap-scada
group-policy VPN_SAP_PED internal
group-policy VPN_SAP_PED attributes
vpn-filter value acl-vpn-sap-remoto
vpn-tunnel-protocol IPSec
username vpnuser password **** encrypted
username vpnuser attributes
vpn-group-policy VPN_SAP_PED
crypto ipsec transform-set vpn-cliente-remoto esp-3des esp-md5-hmac
crypto dynamic-map vpn-remoto-dymap 7 set transform-set vpn-cliente-remoto
crypto dynamic-map vpn-remoto-dymap 7 set reverse-route
crypto map siemens-scada-map 7 ipsec-isakmp dynamic vpn-remoto-dymap
isakmp policy 7 authentication pre-share
isakmp policy 7 encryption 3des
isakmp policy 7 hash sha
isakmp policy 7 group 2
isakmp policy 7 lifetime 43200
tunnel-group VPN_SAP_PED type ipsec-ra
tunnel-group VPN_SAP_PED general-attributes
address-pool pool_vpn_sap
default-group-policy VPN_SAP_PED
tunnel-group VPN_SAP_PED ipsec-attributes
pre-shared-key clavevpnsap
Thanks in AdvancedHi, thanks for you response, if i remove the acl form de vpn filter, i get the same problem (i can't reach any host). This is the output from the command that you ask for.
PIX-Principal(config)# show running-config nat
nat (inside) 0 access-list cryptomap-scada
nat (inside) 9 JOsorioPC 255.255.255.255
nat (inside) 9 GColinaPC 255.255.255.255
nat (inside) 9 AlfonsoPC 255.255.255.255
nat (inside) 9 AngelPC 255.255.255.255
nat (inside) 9 JerryPC 255.255.255.255
nat (inside) 9 EstebanPC 255.255.255.255
nat (inside) 9 GiancarloPC 255.255.255.255
nat (inside) 9 WilliamsPC 255.255.255.255
nat (inside) 9 PerniaPC 255.255.255.255
nat (inside) 9 ElvisDomPC 255.255.255.255
nat (inside) 8 LBermudezPC 255.255.255.255
nat (inside) 9 HelpDeskPC 255.255.255.255
nat (inside) 9 OscarOPC 255.255.255.255
nat (inside) 9 AnaPC 255.255.255.255
nat (inside) 9 RobertoPC 255.255.255.255
nat (inside) 9 MarthaPC 255.255.255.255
nat (inside) 9 NOCPc5-I 255.255.255.255
nat (inside) 9 NOCPc6-I 255.255.255.255
nat (inside) 9 CiraPC 255.255.255.255
nat (inside) 9 JaimePC 255.255.255.255
nat (inside) 9 EugemarPC 255.255.255.255
nat (inside) 9 JosePC 255.255.255.255
nat (inside) 9 RixioPC 255.255.255.255
nat (inside) 9 DaniellePC 255.255.255.255
nat (inside) 9 NorimarPC 255.255.255.255
nat (inside) 9 NNavaPC 255.255.255.255
nat (inside) 8 ManriquePC 255.255.255.255
nat (inside) 8 MarcialPC 255.255.255.255
nat (inside) 8 JAlbornozPC 255.255.255.255
nat (inside) 9 GUrdanetaPC 255.255.255.255
nat (inside) 9 RVegaPC 255.255.255.255
nat (inside) 9 LLabarcaPC 255.255.255.255
nat (inside) 9 Torondoy-I 255.255.255.255
nat (inside) 9 Escuque-I 255.255.255.255
nat (inside) 9 Turbio-I 255.255.255.255
nat (inside) 9 JoseMora 255.255.255.255
nat (inside) 8 San-Juan-I 255.255.255.255
nat (inside) 8 Router7507 255.255.255.255
nat (inside) 8 NOCPc4-I 255.255.255.255
nat (InterfaceSAN) 8 MonitorHITACHI-I 255.255.255.255 -
Problems with VPN-Client 5.0 instoled on Windows Vista over ADSL Conecction
Hi, I have severals clients that they use Windows Vista and connects throw there lan over a VPN-Client. The clients that has an ADSL connection in there hose has disconect problems. Do you know why?? Do you know same workarround to do?? Thanks.
Regards.Make sure that you have the right cable pinout and that your ISP has turned on the DSL service. Troubleshoot the DSL connection by watching the modem state of the ADSL interface as the line retrains.
To use the VPN Client, you need
- Direct network connection (cable or DSL modem and network adapter/interface card), or
- Internal or external modem
For further more troubleshoot click this link,
http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client500_501/release/notes/51client.html#wp1550392 -
Problems with SMTP port forwarding on ASA 5505
Cannot telnet to port 25 to test for SMTP traffic. Packet trace indicates that the packet is dropped by the implicit rule, but I have tried an access rule specifically for SMTP, and the trace appears to skip the rule and drop the packet when it hits the implicit default drop rule. Can anyone help? Here is my configuration:
ASA Version 8.2(5)
hostname XXXXXXXXXXXXXXXXX
enable pXXXXXXXXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXXXX encrypted
names
name XXX.XXX.XXX.74 DNI-HOST1
name XXX.XXX.XXX.184 DNI-HOST2
name 192.168.1.2 Server
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address XXX.XXX.XXX.130 255.255.255.248
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
object-group service rdp tcp
port-object eq 3389
access-list INBOUND extended permit icmp any any time-exceeded
access-list INBOUND extended permit icmp any any echo-reply inactive
access-list INBOUND extended permit icmp any any
access-list INBOUND extended permit tcp any any eq smtp
access-list INBOUND extended permit tcp any any eq https
access-list INBOUND extended permit tcp any eq 3389 any object-group rdp
pager lines 24
logging enable
logging buffered warnings
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http DNI-HOST2 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca [REDACTED]
quit
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 206.190.255.0 255.255.255.0 outside
ssh DNI-HOST2 255.255.255.255 outside
ssh DNI-HOST1 255.255.255.255 outside
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username Administrator password XXXXXXXXXXXXXXXXXXXX encrypted
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
: endThanks. I made the suggested changes, here are the results of packer-tracer:
ASA# packet-tracer input outside tcp 1.2.3.4 1234 XXX.XXX.XXX.130 25
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
match tcp inside host Server eq 25 outside any
static translation to XXX.XXX.XXX.130/25
translate_hits = 0, untranslate_hits = 3
Additional Information:
NAT divert to egress interface inside
Untranslate XXX.XXX.XXX.130/25 to Server/25 using netmask 255.255.255.255
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INBOUND in interface outside
access-list INBOUND extended permit tcp any host XXX.XXX.XXX.130 eq smtp
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: INSPECT
Subtype: inspect-smtp
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect esmtp _default_esmtp_map
service-policy global_policy global
Additional Information:
Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
match tcp inside host Server eq 25 outside any
static translation to XXX.XXX.XXX.130/25
translate_hits = 0, untranslate_hits = 3
Additional Information:
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
match tcp inside host Server eq 25 outside any
static translation to XXX.XXX.XXX.130/25
translate_hits = 0, untranslate_hits = 3
Additional Information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 24392, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
I'm not all that experienced with translating these results, but on the surface, it appears to be passing traffic. However, I still cannt telnet to the public IP using port 25. I am using Putty as my telnet client and it doesn't generate an error. At no time am I able to interact with the prompt in the putty window. The putty window just closes abruptly after about 10 seconds. Does the line in Phase 7 containing 'untranslate_hits=3' have anything to do with my issue?
Here is the new config:
NUGENT-ASA# show run
: Saved
ASA Version 8.2(5)
hostname NUGENT-ASA
enable password XXXXXXXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXXXX encrypted
names
name XXX.XXX.XXX.74 DNI-HOST1
name XXX.XXX.XXX.184 DNI-HOST2
name 192.168.1.2 Server
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address XXX.XXX.XXX.130 255.255.255.248
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
object-group service rdp tcp
port-object eq 3389
access-list INBOUND extended permit icmp any any time-exceeded
access-list INBOUND extended permit icmp any any echo-reply inactive
access-list INBOUND extended permit icmp any any
access-list INBOUND extended permit tcp any host XXX.XXX.XXX.130 eq smtp
pager lines 24
logging enable
logging buffered warnings
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
static (outside,inside) tcp interface smtp Server smtp netmask 255.255.255.255
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http DNI-HOST2 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca [REDACTED]
quit
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 206.190.255.0 255.255.255.0 outside
ssh DNI-HOST2 255.255.255.255 outside
ssh DNI-HOST1 255.255.255.255 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 8.8.8.8 4.2.2.2
dhcpd address 192.168.1.100-192.168.1.131 inside
dhcpd dns 8.8.8.8 4.2.2.2 interface inside
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username Administrator password XXXXXXXXXXXXXXXXXXXXXXX encrypted
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXX
: end -
Problems with the new NAT in ASA 5510 (8.4)
Hi together,
i have some problems with the NAT statements in ASA Version 8.4.
What i want is to translate the internal address of a server to the external address with a NAT rule.
The ASA has only one WAN connection (named outside)
The internal server has the ip address 192.168.0.221 (as example) and i want to translate all incoming traffic on port 3389 to the Server (192.168.0.221).
This is only for training, i dont want to forward a 3389 port into the BAD in a productive Network
first i create the network object for the inside server (192.168.0.221)
object network Network_Obj_RDP
host 192.168.0.221
After that i create the access rule for incoming traffic on outside interface:
access-list outside_access_in extended permit ip any any log debugging
Next i create a access rule for the inside-prod network to allow the traffic to the RDP Server:
access-list inside-prod_access_in extended permit object RDP interface outside object Network_Obj_RDP
Now i create the NAT rule in the network object (Network_Obj_RDP):
object network Network_Obj_RDP
nat (inside-prod,outside) static interface service tcp 3389 3389
But if i want to connect via 3389 on the outside interface i see in the syslog this entry:
Built inbound TCP connection 23248 for outside:80.187.107.132/7445 (80.187.107.132/7445) to inside-prod:192.168.0.221/3389 (External IP/3389)
After a while the connection will be teardown with this message:
Teardown TCP connection 23289 for outside:80.187.107.132/2294 to inside-prod:192.168.0.221/3389 duration 0:00:30 bytes 0 SYN Timeout
It looks like that the acl works fine, but the NAT translation are wrong...
perhaps somebody has a idea to fix this
Looking forward and hope for help...
Many thanks
GreetingsHi Jouni,
this is the correct Packet Tracer output i think:
packet-tracer input inside-prod tcp 192.168.0.220 3389 8.8.8.8 4567
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside-prod_access_in in interface inside-prod
access-list inside-prod_access_in extended permit ip object Network_Obj-Productiv any log debugging
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
object network Network_Obj_RDP
nat (inside-prod,outside) static interface service tcp 3389 3389
Additional Information:
Static translate 192.168.0.220/3389 to 80.146.252.162/3389
Phase: 6
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 825, packet dispatched to next module
Result:
input-interface: inside-prod
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
That looks preety fine, but the way back isn´t right:
packet-tracer input outside tcp 8.8.8.8 4567 192.168.0.220 3389
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.0.0 255.255.255.0 inside-prod
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside-in in interface outside
access-list outside-in extended permit tcp any object Network_Obj_RDP eq 3389 log debugging
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network Network_Obj_RDP
nat (inside-prod,outside) static interface service tcp 3389 3389
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside-prod
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
I have no idea... -
Hello,
I experiance problems with QuickVPN client (version 1.4.1.2). I'm trying to connect to router SA520 with 1.1.65 firmware,
vpn tunell is established, but client says "The remote gateway is not responding. Do you want to wait?"
in case i click no, it drops vpn tunell
QuickVPN client log looks like this:
2010/08/18 12:13:27 [STATUS]OS Version: Windows 7
2010/08/18 12:13:27 [STATUS]Windows Firewall Domain Profile Settings: ON
2010/08/18 12:13:27 [STATUS]Windows Firewall Private Profile Settings: ON
2010/08/18 12:13:27 [STATUS]Windows Firewall Private Profile Settings: ON
2010/08/18 12:13:27 [STATUS]One network interface detected with IP address 192.168.1.100
2010/08/18 12:13:27 [STATUS]Connecting...
2010/08/18 12:13:27 [DEBUG]Input VPN Server Address = vpn.in-volv.lv
2010/08/18 12:13:28 [STATUS]Connecting to remote gateway with IP address: 78.28.223.10
2010/08/18 12:13:28 [WARNING]Server's certificate doesn't exist on your local computer.
2010/08/18 12:13:30 [STATUS]Remote gateway was reached by https ...
2010/08/18 12:13:30 [STATUS]Provisioning...
2010/08/18 12:13:39 [STATUS]Success to connect.
2010/08/18 12:13:39 [STATUS]Tunnel is configured. Ping test is about to start.
2010/08/18 12:13:39 [STATUS]Verifying Network...
2010/08/18 12:13:44 [WARNING]Failed to ping remote VPN Router!
2010/08/18 12:13:47 [WARNING]Failed to ping remote VPN Router!
2010/08/18 12:13:50 [WARNING]Failed to ping remote VPN Router!
2010/08/18 12:13:53 [WARNING]Failed to ping remote VPN Router!
2010/08/18 12:13:56 [WARNING]Failed to ping remote VPN Router!
2010/08/18 12:14:08 [WARNING]Ping was blocked, which can be caused by an unexpected disconnect.
2010/08/18 12:14:12 [STATUS]Disconnecting...
2010/08/18 12:14:15 [STATUS]Success to disconnect.
Server logs look like this:
2010-08-18 12:28:49: INFO: Adding IPSec configuration with identifier "arvils"
2010-08-18 12:29:02: INFO: Configuration found for 83.243.93.200[500].
2010-08-18 12:29:02: INFO: Received request for new phase 1 negotiation: 78.28.223.10[500]<=>83.243.93.200[500]
2010-08-18 12:29:02: INFO: Beginning Identity Protection mode.
2010-08-18 12:29:02: INFO: Received Vendor ID: MS NT5 ISAKMPOAKLEY
2010-08-18 12:29:02: INFO: Received Vendor ID: RFC 3947
2010-08-18 12:29:02: INFO: Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2010-08-18 12:29:02: INFO: Received unknown Vendor ID
2010-08-18 12:29:02: INFO: Received unknown Vendor ID
2010-08-18 12:29:02: INFO: Received unknown Vendor ID
2010-08-18 12:29:02: INFO: Received unknown Vendor ID
2010-08-18 12:29:02: INFO: For 83.243.93.200[500], Selected NAT-T version: RFC 3947
2010-08-18 12:29:02: INFO: NAT-D payload matches for 78.28.223.10[500]
2010-08-18 12:29:02: INFO: NAT-D payload does not match for 83.243.93.200[500]
2010-08-18 12:29:02: INFO: NAT detected: PEER
2010-08-18 12:29:02: INFO: Floating ports for NAT-T with peer 83.243.93.200[4500]
2010-08-18 12:29:02: INFO: ISAKMP-SA established for 78.28.223.10[4500]-83.243.93.200[4500] with spi:e2cd855a75fc0887:6dc3b2e025152444
2010-08-18 12:29:02: INFO: Sending Informational Exchange: notify payload[INITIAL-CONTACT]
2010-08-18 12:29:02: INFO: Responding to new phase 2 negotiation: 78.28.223.10[0]<=>83.243.93.200[0]
2010-08-18 12:29:02: INFO: Using IPsec SA configuration: 192.168.75.0/24<->192.168.1.100/32
2010-08-18 12:29:02: INFO: Adjusting peer's encmode 3(3)->Tunnel(1)
2010-08-18 12:29:02: INFO: IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 83.243.93.200->78.28.223.10 with spi=47693803(0x2d7bfeb)
2010-08-18 12:29:02: INFO: IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 78.28.223.10->83.243.93.200 with spi=1079189482(0x40531fea)
2010-08-18 12:35:57: INFO: an undead schedule has been deleted: 'pk_recvupdate'.
2010-08-18 12:35:57: INFO: Purged IPsec-SA with proto_id=ESP and spi=1079189482(0x40531fea).
2010-08-18 12:40:46: INFO: Configuration found for 83.243.93.200[500].
2010-08-18 12:40:46: INFO: Received request for new phase 1 negotiation: 78.28.223.10[500]<=>83.243.93.200[500]
2010-08-18 12:40:46: INFO: Beginning Identity Protection mode.
2010-08-18 12:40:46: INFO: Received Vendor ID: MS NT5 ISAKMPOAKLEY
2010-08-18 12:40:46: INFO: Received Vendor ID: RFC 3947
2010-08-18 12:40:46: INFO: Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2010-08-18 12:40:46: INFO: Received unknown Vendor ID
2010-08-18 12:40:46: INFO: Received unknown Vendor ID
2010-08-18 12:40:46: INFO: Received unknown Vendor ID
2010-08-18 12:40:46: INFO: For 83.243.93.200[500], Selected NAT-T version: RFC 3947
2010-08-18 12:40:46: INFO: NAT-D payload matches for 78.28.223.10[500]
2010-08-18 12:40:46: INFO: NAT-D payload does not match for 83.243.93.200[500]
2010-08-18 12:40:46: INFO: NAT detected: PEER
2010-08-18 12:40:46: INFO: Floating ports for NAT-T with peer 83.243.93.200[4500]
2010-08-18 12:40:46: INFO: ISAKMP-SA established for 78.28.223.10[4500]-83.243.93.200[4500] with spi:28447d39874689f9:a2b7da19d8d86413
2010-08-18 12:40:46: INFO: Responding to new phase 2 negotiation: 78.28.223.10[0]<=>83.243.93.200[0]
2010-08-18 12:40:46: INFO: Using IPsec SA configuration: 192.168.75.0/24<->192.168.1.100/32
2010-08-18 12:40:46: INFO: Adjusting peer's encmode 3(3)->Tunnel(1)
2010-08-18 12:40:47: INFO: IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 83.243.93.200->78.28.223.10 with spi=259246202(0xf73c87a)
2010-08-18 12:40:47: INFO: IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 78.28.223.10->83.243.93.200 with spi=3642234214(0xd9181566)
2010-08-18 12:43:27: INFO: IPsec-SA expired: ESP/Tunnel 83.243.93.200->78.28.223.10 with spi=33356156(0x1fcf97c)
2010-08-18 12:45:47: INFO: an undead schedule has been deleted: 'pk_recvupdate'.
2010-08-18 12:45:47: INFO: Purged IPsec-SA with proto_id=ESP and spi=3642234214(0xd9181566).
The most interesting thing is that sometimes this message appears, sometimes not (with the same configuration).
Please help!Hi,
I have some problem. I am using Windows 7 Entreprice x64. I use SA520 Firmware 1.1.65 and QuickVPN 1.4.1.2 port 60443.
"The remote gateway is not responding. Do you want to wait"
2010-08-18 17:25:51: INFO: Adding IPSec configuration with identifier "username"
2010-08-18 17:25:51: INFO: Adding IKE configuration with identifer "username"
2010-08-18 17:26:04: INFO: Configuration found for xxx.xxx.xxx.xxx[235].
2010-08-18 17:26:04: INFO: Received request for new phase 1 negotiation: 172.22.5.10[500]<=>xxx.xxx.xxx.xxx[235]
2010-08-18 17:26:04: INFO: Beginning Identity Protection mode.
2010-08-18 17:26:04: INFO: Received Vendor ID: MS NT5 ISAKMPOAKLEY
2010-08-18 17:26:04: INFO: Received Vendor ID: RFC 3947
2010-08-18 17:26:04: INFO: Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2010-08-18 17:26:04: INFO: Received unknown Vendor ID
2010-08-18 17:26:04: INFO: Received unknown Vendor ID
2010-08-18 17:26:04: INFO: Received unknown Vendor ID
2010-08-18 17:26:04: INFO: Received unknown Vendor ID
2010-08-18 17:26:04: INFO: For xxx.xxx.xxx.xxx[235], Selected NAT-T version: RFC 3947
2010-08-18 17:26:04: INFO: NAT-D payload does not match for 172.22.5.10[500]
2010-08-18 17:26:04: INFO: NAT-D payload does not match for xxx.xxx.xxx.xxx[235]
2010-08-18 17:26:04: INFO: NAT detected: ME PEER
2010-08-18 17:26:04: INFO: Floating ports for NAT-T with peer xxx.xxx.xxx.xxx[48540]
2010-08-18 17:26:04: INFO: ISAKMP-SA established for 172.22.5.10[4500]- xxx.xxx.xxx.xxx[48540] with spi:ed4f291c71c1b688:7e6a8a0968f878fb
2010-08-18 17:26:04: INFO: Sending Informational Exchange: notify payload[INITIAL-CONTACT]
2010-08-18 17:26:04: INFO: Responding to new phase 2 negotiation: 172.22.5.10[0]<=> xxx.xxx.xxx.xxx[0]
2010-08-18 17:26:04: INFO: Using IPsec SA configuration: 192.168.75.0/24<->192.168.170.224/32
2010-08-18 17:26:04: INFO: Adjusting peer's encmode 3(3)->Tunnel(1)
2010-08-18 17:26:05: INFO: IPsec-SA established[UDP encap 48540->4500]: ESP/Tunnel xxx.xxx.xxx.xxx->172.22.5.10 with spi=239099274(0xe405d8a)
2010-08-18 17:26:05: INFO: IPsec-SA established[UDP encap 4500->48540]: ESP/Tunnel 172.22.5.10-> xxx.xxx.xxx.xxx with spi=3886848189(0xe7ac98bd)
2010-08-18 17:26:07: INFO: Configuration found for xxx.xxx.xxx.xxx[235].
2010-08-18 17:26:07: INFO: Received request for new phase 1 negotiation: 172.22.5.10[500]<=> xxx.xxx.xxx.xxx[235]
2010-08-18 17:26:07: INFO: Beginning Identity Protection mode.
2010-08-18 17:26:07: INFO: Received Vendor ID: MS NT5 ISAKMPOAKLEY
2010-08-18 17:26:07: INFO: Received Vendor ID: RFC 3947
2010-08-18 17:26:07: INFO: Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2010-08-18 17:26:07: INFO: Received unknown Vendor ID
2010-08-18 17:26:07: INFO: Received unknown Vendor ID
2010-08-18 17:26:07: INFO: Received unknown Vendor ID
2010-08-18 17:26:07: INFO: For xxx.xxx.xxx.xxx[235], Selected NAT-T version: RFC 3947
2010-08-18 17:26:07: INFO: NAT-D payload does not match for 172.22.5.10[500]
2010-08-18 17:26:07: INFO: NAT-D payload does not match for xxx.xxx.xxx.xxx[235]
2010-08-18 17:26:07: INFO: NAT detected: ME PEER
2010-08-18 17:26:07: INFO: Floating ports for NAT-T with peer xxx.xxx.xxx.xxx[48540]
2010-08-18 17:26:07: INFO: ISAKMP-SA established for 172.22.5.10[4500]- xxx.xxx.xxx.xxx[48540] with spi:699f34b434d4318c:df4adca414787d36
2010-08-18 17:27:14: INFO: Purged ISAKMP-SA with proto_id=ISAKMP and spi=699f34b434d4318c:df4adca414787d36.
2010-08-18 17:27:14: INFO: Configuration found for xxx.xxx.xxx.xxx[235].
2010-08-18 17:27:14: INFO: Received request for new phase 1 negotiation: 172.22.5.10[500]<=> xxx.xxx.xxx.xxx[235]
2010-08-18 17:27:14: INFO: Beginning Identity Protection mode.
2010-08-18 17:27:14: INFO: Received Vendor ID: MS NT5 ISAKMPOAKLEY
2010-08-18 17:27:14: INFO: Received Vendor ID: RFC 3947
2010-08-18 17:27:14: INFO: Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2010-08-18 17:27:14: INFO: Received unknown Vendor ID
2010-08-18 17:27:14: INFO: Received unknown Vendor ID
2010-08-18 17:27:14: INFO: Received unknown Vendor ID
2010-08-18 17:27:14: INFO: For xxx.xxx.xxx.xxx[235], Selected NAT-T version: RFC 3947
2010-08-18 17:27:14: INFO: NAT-D payload does not match for 172.22.5.10[500]
2010-08-18 17:27:14: INFO: NAT-D payload does not match for xxx.xxx.xxx.xxx[235]
2010-08-18 17:27:14: INFO: NAT detected: ME PEER
2010-08-18 17:27:15: INFO: ISAKMP-SA deleted for 172.22.5.10[4500]- xxx.xxx.xxx.xxx[48540] with spi:699f34b434d4318c:df4adca414787d36
2010-08-18 17:27:15: INFO: Floating ports for NAT-T with peer xxx.xxx.xxx.xxx[48540]
2010-08-18 17:27:15: INFO: ISAKMP-SA established for 172.22.5.10[4500]- xxx.xxx.xxx.xxx[48540] with spi:3fe5eb0bddbf2b9a:f5c11d7f813ca74a
2010-08-18 17:27:15: INFO: Sending Informational Exchange: notify payload[INITIAL-CONTACT]
2010-08-18 17:28:20: INFO: Purged ISAKMP-SA with proto_id=ISAKMP and spi=3fe5eb0bddbf2b9a:f5c11d7f813ca74a.
2010-08-18 17:28:21: INFO: ISAKMP-SA deleted for 172.22.5.10[4500]- xxx.xxx.xxx.xxx[48540] with spi:3fe5eb0bddbf2b9a:f5c11d7f813ca74a
With windows XP Pro i dont have this problem.
Is there a detailed configuration guide?
10x -
Problem with Variable Client Support
Hello,
I work with Labview 8.5 and Crio 9014.
I have a problem with Variable Client Support. When I try to compile my project I have the following error:
"The Network Variable Engine and Variable Client Support must be installed on the RT target for this application to function properly..."
I have read that we have to install the Variable Client Support in Measurement and Automation by right-clicking on the software and then choosing add/remove software but I can't install the appropriate shared variable components because I can't see neither Network Variable Engine and Variable Client Support. So what can I do?
Can somebody help me?
ThanksI have exactly the same problem. I wanted go through the "Getting Started with the LabVIEW RT module" and when I use wizard for generating new project I get same notification in my VI...
The Network Variable Engine and Variable Client Support must be installed on the RT target
for this application to function properly. If the Network Variable Engine is not supported on
the target (e.g. FP-2000 with <32MB of RAM), open the project and move the variable library
to My Computer in the project. Doing this will deploy the variables to localhost but
will still require that Variable Client Support be installed on the RT target.
Could someone help please ?
Attachments:
ni.png 95 KB -
I encountered a problem with some client machines that use Firefox version 24ESR and IE8.
Ajax requests of aspx pages from Firefox are getting the following error from the iis server (iis version 7.5):
Bad Request - Request Too Long
HTTP Error 400. The size of the request headers is too long.
From analyzing the request that was sent to the server, I saw that the request consist of only the viewstate of the aspx page.
I tried to disable the viewstate for one page and the server got the request correctly.
I do not encounter any issues on these laptops with postback requests from Firefox or when running the same application with IE8.Sometimes that means that the page address sent is loo long.
Check the link address you are using.
I can't help you further and will send for more help. -
problem with vpn connection after upgrading on ios6.pls help
I've never been able to share FaceBook posts nor seen the option using the iOS FaceBook app regardless the FaceBook app and iOS version. I can Like and I can Comment, and if I select a link or video to view under iOS 6, I can use the Share option for the link or video, but not for a post.
-
Problem with VPN by ASA 5505 and PIX 501
Hi
I have this scenario: Firewall ASA 5505, Firewall Pix 501 (with CatOS 6.3(5) ).
I have configured this appliance for Easy VPN (server is ASA) and PIX, and remote Access with Cisco client vpn (for internal lan ASA).
When i configure the ASA i have this problem, when i configure nat for easy vpn.
This is my nat configuration:
nat (inside) 0 access-list 100
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 0 0.0.0.0 0.0.0.0 outside
when i put this command:
nat (inside) 0 access-list no-nat
this command is necessary for configuration of easy vpn, but the previous nat:
nat (inside) 0 access-list 100
is replace with the latest command.To identify addresses on one interface that are translated to mapped addresses on another interface, use the nat command in global configuration mode. This command configures dynamic NAT or PAT, where an address is translated to one of a pool of mapped addresses. To remove the nat command, use the no form of this command.
For regular dynamic NAT:
nat (real_ifc) nat_id real_ip [mask [dns] [outside] [udp udp_max_conns] [norandomseq]]
no nat (real_ifc) nat_id real_ip [mask [dns] [outside] [udp udp_max_conns] [norandomseq]]
For policy dynamic NAT and NAT exemption:
nat (real_ifc) nat_id access-list access_list_name [dns] [outside] [udp udp_max_conns] [norandomseq]
no nat (real_ifc) nat_id access-list access_list_name [dns] [outside] [udp udp_max_conns] [norandomseq]
Maybe you are looking for
-
PersistenceService denies permission when running an Applet
I'm converting an application that uses JWS to run inside a browser. Ok, so it's not just a matter of changing <application-desc> to <applet-desc> (which is just about the only change I made to the jnlp), but the problem I'm getting is not one I expe
-
hi everyone mb5s give gr/ir balances as now i would like to devp a zee program for this can anyone explane me steps thanks
-
Hey, i've got a 1T and a 500G hard drive in my workstation. The 500G drive is my media disk. I initialized a software RAID-1 with one missing drive on a 500G logical volume on the 1T disk. After formatting and copying all the data from the media disk
-
Problem connecting to DB service sapdp00
Hello, i installed Sneak preview for NetWeaver on Windows Server 2003. Data base looks ok. Console root looks ok, and shows NSP active(green). I installed locally on server 2003. Loopback is installed. I cant reach the sapdp00. i get a " partner not
-
IPhoto 6 and Nikon's Coolpix S6
Hello, I have the latest version of iPhoto, and I'm using Nikon's Coolpix S6 digital camera, which has a wireless transfer option built in, but I'm not sure how to transfer my pictures wirelessly to iPhoto. Can this be done? or am I stuck with the pr