Remote Access VPN, how to specify on which interface clients will be placed on?
Hi,
I have a general understanding problem with remote access VPN and Cisco ASA.
If I have an ASA with multiple interfaces and I want to make sure that a Remote Access VPN Client is placed onto a specific interface, how do I do this?
example:
ASA has 4 interfaces: outside, inside-clients, inside-workers, inside-lab.
I want to allow multiple Remote Access VPN configurations that put clients coming from "outside" to "inside-lab" and "inside-clients", with two different profiles and two different IP pools, as the IP addresses for each of the interfaces is different.
How do I do that?
If possible be as explanatory as possible for me to really grasp the concept.
Many thanks
Pat
Hi,
The ASA will view the hosts in its routing table behind the ASA interface which forms the VPN connection with the VPN Client. This is most of the time the interface called "outside".
By default the ASA allows all traffic coming from a VPN connection to bypass the interface ACL of the ASA. The thought process behind this is I guess the fact that the VPN devices/clients have already proven they have right to connect to the network to all traffic is allowed.
The configuration that controls this setting globally on the ASA is
sysopt connection permit-vpn
The above is the default setting of the command and it WONT show up in the CLI format configurations because its a default setting.
If you were to issue the following command
no sysopt connection permit-vpn
Then this would mean that the ASA would require an ACL statement on its VPN terminating interface (outside) to permit the traffic from the VPN Pool to the LAN networks.
Naturally you would have to take into consideration also that if you have existing VPNs and insert the above global command they would also need ACL statements on the "outside" interface ACL or the inbound traffic from the VPN will start to get blocked.
Other option (wihtout touching the above setting) would be to configure VPN Filter ACL that is a separate ACL that is only attached to a certain user or group of users.
I personally prefer the method of using the above global setting and using the "outside" interface ACL to control traffic.
Naturally it still leaves the question of how you are going to configure the Tunnel Groups, Group Policys and Usernames. To be honest, I have gotten a bit distracted from VPN client setups and have forgotten a lot of stuff since I dont work with them on a day to day basis. I mostly handle L2L VPN nowadays among normal firewall configurations.
If I had to suggest something simple at this point it would be this
Configure separate Tunnel Groups
Configure separate VPN Pools for the above Tunnel Groups
Configure separate Group Policys for the above Tunnel Groups
Configure the above mentioned Global setting to limit inbound traffic from VPN
Configure the "outside" interface ACL so that you only permit traffic from a certain VPN Tunnel Group users only to certain LAN networks
Configure the required NAT0 configurations for traffic between these networks
As Marcin said, there are multiple different ways to achieve the same thing as above.
And as I said I have gotten a bit rusty with the VPN Client side on the ASA so I am not sure if at the moment I can even consider all the possible options but surely the simple ones.
PS. The link that Marcin posted seems to point to a Group Policy setting that would let you lock the that VPN connection to use only a certain local Vlan (subinterface) on the ASA and therefore limit traffic from going to networks behind other interfacec
Hope this helps
- Jouni
Similar Messages
-
Hi All,
I'm looking to setup a Remote Access VPN via my ASA 5510. The clients will be using Cisco Anyconnect (which I assume is compatible...?) When I use the wizard it only mentions Cisco VPN Client.
When my clients connect up to the ASA via Anyconect, can I get them to just use DHCP via my AD servers or do I need to configure a seperate independent scope specifically for VPN clients?
ThanksHi Grant,
When you configure Remote access VPN , you need to configure a seprated pool of ip address for the vpn user.
Regards,
Bikas R.Pandey. -
Remote access vpn going through another firewall segment
Hi,
Can i know that when use remote access vpn connect to asa firewall inside interface, after that the remote access vpn is it can connect to another firewall segment , the firewall segment is behind the inside interface?Hello Sam,
As long as you include that traffic into the crypto acl and also on the NO_NAT configuration the answer would be yes. That is possible
Regards,
Julio -
Hello Support,
I have a question regarding a remote access VPN setup with the following. I have a Cisco 6500 with multiple VLANs, and an FWSM setup in mutliple context mode. Each of our clients sits behind their own context, and has their own associated VLANs. Each context has a shared interface, so that one network (our management network) can see all of the networks. We are using a Cisco ASA to terminate P2P VPNs as the FWSms cannot do so, but I would like to setup a remote access VPN from the ASA, but I will need to connect in and have access to all networks. Currently the ASA has an outside interface for internet, two client inside interfaces, and one interface on the shared network.
If I setup a remote access VPN from the ASA with a separate scope will I be able to see all the networks that I setup routes and nonats for or is there more to it?
I provided a brief diagram showing all the vlans, I will need to be able to access all of the 6500s vlans when connected using the VPN.
Thanks in advance for all ideas, suggestions, and assistance.Hello John,
You will need to configure the respective IP Address pool for the Anyconnect users,
Then create the no_nat rules from all of the internal subnets to the Anyconnect Pool.
That should do it bud . I mean just make sure the internal network (core) knows that in order to reach the anyconnect pool must send the traffic to the ASA.
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com -
ASA Remote Access VPN Clients - Multiple DNS Suffixes?
Hi community!
I am setting up a new remote access VPN using the traditional IPSec client via ASA 5515-X runnning OS 8.6.1(5).
We require to provide each client multiple DNS suffixes, but are only to provide a single DNS suffix in the grouip policy.
I have tested using an external DHCP server, but using our Windows Server 2008 infrastructure and Option 119 the list is not provided to clients, and I have read that Windows 7 clietns may ignore this option anyway.
Other than umanually configuring the clients , does anybody have any other suggestions on how we may get this to work?
Full marks for helpful posts!
Kind regards, Ash.Hi
I am looking into the same issue, and I am finding conflicting documentation about this and wondered if you got the answers you were looking for.
I have a remote access requirement for users from separate AD's to authenticate through an ASA.
I was reading about Global Catalogue Server but this is not specifically what I want; and also creating a new AAA server group but the user would need to accept which group to use when they log in
Regards -
Remote Access VPN with existing site-to-site tunnel
Hi there!
I have successfully configured my Cisco router to create a VPN tunnel to Azure. This is working fine. Now I am trying to add a remote access VPN for clients. I want to use IPsec and not PPTP.
I'm not a networking guy, but from what I've read, you basically need to add a dynamic crypto map for the remote access VPN to the crypto map on the external interface (AzureCryptoMap in this case). I've read that the dynamic crypto map should be applied after the non-dynamic maps.
The problem is that the VPN clients do not successfully negotiate phase 1. It's almost like the router does not try the dynamic map. I have tried specifying it to come ahead of the static crypto map policy, but this doesn't change anything. Here is some output from the debugging ipsec and isakmp:
murasaki#
*Oct 6 08:06:43: ISAKMP (0): received packet from 1.158.149.255 dport 500 sport 500 Global (N) NEW SA
*Oct 6 08:06:43: ISAKMP: Created a peer struct for 1.158.149.255, peer port 500
*Oct 6 08:06:43: ISAKMP: New peer created peer = 0x87B97490 peer_handle = 0x80000082
*Oct 6 08:06:43: ISAKMP: Locking peer struct 0x87B97490, refcount 1 for crypto_isakmp_process_block
*Oct 6 08:06:43: ISAKMP: local port 500, remote port 500
*Oct 6 08:06:43: ISAKMP:(0):insert sa successfully sa = 886954D0
*Oct 6 08:06:43: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 6 08:06:43: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Oct 6 08:06:43: ISAKMP:(0): processing SA payload. message ID = 0
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Oct 6 08:06:43: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 198 mismatch
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 29 mismatch
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Oct 6 08:06:43: ISAKMP (0): vendor ID is NAT-T v7
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 114 mismatch
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 227 mismatch
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 250 mismatch
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Oct 6 08:06:43: ISAKMP:(0): vendor ID is NAT-T v3
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Oct 6 08:06:43: ISAKMP:(0): vendor ID is NAT-T v2
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 242 mismatch
*Oct 6 08:06:43: ISAKMP:(0): vendor ID is XAUTH
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID is Unity
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): processing IKE frag vendor id payload
*Oct 6 08:06:43: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID is DPD
*Oct 6 08:06:43: ISAKMP:(0):No pre-shared key with 1.158.149.255!
*Oct 6 08:06:43: ISAKMP : Scanning profiles for xauth ... Client-VPN
*Oct 6 08:06:43: ISAKMP:(0): Authentication by xauth preshared
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 256
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 128
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 256
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 128
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 1 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 256
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 2 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 128
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 3 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 256
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 4 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 128
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 5 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 6 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 7 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 8 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 256
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 128
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Proposed key length does not match policy
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 256
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 128
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 6 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 7 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 8 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct 6 08:06:43: ISAKMP:(0):no offers accepted!
*Oct 6 08:06:43: ISAKMP:(0): phase 1 SA policy not acceptable! (local x.x.x.x remote 1.158.149.255)
*Oct 6 08:06:43: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*Oct 6 08:06:43: ISAKMP:(0): Failed to construct AG informational message.
*Oct 6 08:06:43: ISAKMP:(0): sending packet to 1.158.149.255 my_port 500 peer_port 500 (R) MM_NO_STATE
*Oct 6 08:06:43: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 6 08:06:43: ISAKMP:(0):peer does not do paranoid keepalives.
*Oct 6 08:06:43: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 1.158.149.255)
*Oct 6 08:06:43: ISAKMP (0): FSM action returned error: 2
*Oct 6 08:06:43: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct 6 08:06:43: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Oct 6 08:06:43: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 1.158.149.255)
*Oct 6 08:06:43: ISAKMP: Unlocking peer struct 0x87B97490 for isadb_mark_sa_deleted(), count 0
*Oct 6 08:06:43: ISAKMP: Deleting peer node by peer_reap for 1.158.149.255: 87B97490
*Oct 6 08:06:43: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Oct 6 08:06:43: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_DEST_SA
*Oct 6 08:06:43: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct 6 08:06:47: ISAKMP (0): received packet from 1.158.149.255 dport 500 sport 500 Global (R) MM_NO_STATEmurasaki#
*Oct 6 08:06:43: ISAKMP (0): received packet from 1.158.149.255 dport 500 sport 500 Global (N) NEW SA
*Oct 6 08:06:43: ISAKMP: Created a peer struct for 1.158.149.255, peer port 500
*Oct 6 08:06:43: ISAKMP: New peer created peer = 0x87B97490 peer_handle = 0x80000082
*Oct 6 08:06:43: ISAKMP: Locking peer struct 0x87B97490, refcount 1 for crypto_isakmp_process_block
*Oct 6 08:06:43: ISAKMP: local port 500, remote port 500
*Oct 6 08:06:43: ISAKMP:(0):insert sa successfully sa = 886954D0
*Oct 6 08:06:43: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 6 08:06:43: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
If I specify my key like a site-to-site VPN key like this:
crypto isakmp key xxx address 0.0.0.0
Then it does complete phase 1 (and then fails to find the client configuration). This suggests to me that the dynamic map is not being tried.
Configuration:
! Last configuration change at 07:55:02 AEDT Mon Oct 6 2014 by timothy
version 15.2
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
no service dhcp
hostname murasaki
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
aaa new-model
aaa authentication login client_vpn_authentication local
aaa authorization network default local
aaa authorization network client_vpn_authorization local
aaa session-id common
wan mode dsl
clock timezone AEST 10 0
clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
ip inspect name normal_traffic tcp
ip inspect name normal_traffic udp
ip domain name router.xxx
ip name-server xxx
ip name-server xxx
ip cef
ipv6 unicast-routing
ipv6 cef
crypto pki trustpoint TP-self-signed-591984024
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-591984024
revocation-check none
rsakeypair TP-self-signed-591984024
crypto pki trustpoint TP-self-signed-4045734018
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4045734018
revocation-check none
rsakeypair TP-self-signed-4045734018
crypto pki certificate chain TP-self-signed-591984024
crypto pki certificate chain TP-self-signed-4045734018
object-group network CLOUD_SUBNETS
description Azure subnet
172.16.0.0 255.252.0.0
object-group network INTERNAL_LAN
description All Internal subnets which should be allowed out to the Internet
192.168.1.0 255.255.255.0
192.168.20.0 255.255.255.0
username timothy privilege 15 secret 5 xxx
controller VDSL 0
ip ssh version 2
no crypto isakmp default policy
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
lifetime 28800
crypto isakmp key xxx address xxxx no-xauth
crypto isakmp client configuration group VPN_CLIENTS
key xxx
dns 192.168.1.24 192.168.1.20
domain xxx
pool Client-VPN-Pool
acl CLIENT_VPN
crypto isakmp profile Client-VPN
description Remote Client IPSec VPN
match identity group VPN_CLIENTS
client authentication list client_vpn_authentication
isakmp authorization list client_vpn_authorization
client configuration address respond
crypto ipsec transform-set AzureIPSec esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
mode tunnel
crypto dynamic-map ClientVPNCryptoMap 1
set transform-set TRANS_3DES_SHA
set isakmp-profile Client-VPN
reverse-route
qos pre-classify
crypto map AzureCryptoMap 12 ipsec-isakmp
set peer xxxx
set security-association lifetime kilobytes 102400000
set transform-set AzureIPSec
match address AzureEastUS
crypto map AzureCryptoMap 65535 ipsec-isakmp dynamic ClientVPNCryptoMap
bridge irb
interface ATM0
mtu 1492
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
interface Ethernet0
no ip address
shutdown
interface FastEthernet0
switchport mode trunk
no ip address
interface FastEthernet1
no ip address
spanning-tree portfast
interface FastEthernet2
switchport mode trunk
no ip address
spanning-tree portfast
interface FastEthernet3
no ip address
interface GigabitEthernet0
switchport mode trunk
no ip address
interface GigabitEthernet1
no ip address
shutdown
duplex auto
speed auto
interface Vlan1
description Main LAN
ip address 192.168.1.97 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
interface Dialer1
mtu 1492
ip address negotiated
ip access-group PORTS_ALLOWED_IN in
ip flow ingress
ip inspect normal_traffic out
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1350
dialer pool 1
dialer-group 1
ipv6 address autoconfig
ipv6 enable
ppp chap hostname xxx
ppp chap password 7 xxx
ppp ipcp route default
no cdp enable
crypto map AzureCryptoMap
ip local pool Client-VPN-Pool 192.168.20.10 192.168.20.15
no ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat translation timeout 360
ip nat inside source list SUBNETS_AND_PROTOCOLS_ALLOWED_OUT interface Dialer1 overload
ip nat inside source static tcp 192.168.1.43 55663 interface Dialer1 55663
ip nat inside source static tcp 192.168.1.43 22 interface Dialer1 22
ip nat inside source static udp 192.168.1.43 55663 interface Dialer1 55663
ip access-list extended AzureEastUS
permit ip 192.168.20.0 0.0.0.255 172.16.0.0 0.15.255.255
permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.15.255.255
ip access-list extended CLIENT_VPN
permit ip 172.16.0.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255
ip access-list extended PORTS_ALLOWED_IN
remark List of ports which are allowed IN
permit gre any any
permit esp any any
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit tcp any any eq 55663
permit udp any any eq 55663
permit tcp any any eq 22
permit tcp any any eq 5723
permit tcp any any eq 1723
permit tcp any any eq 443
permit icmp any any echo-reply
permit icmp any any traceroute
permit icmp any any port-unreachable
permit icmp any any time-exceeded
deny ip any any
ip access-list extended SUBNETS_AND_PROTOCOLS_ALLOWED_OUT
deny tcp object-group INTERNAL_LAN any eq smtp
deny ip object-group INTERNAL_LAN object-group CLOUD_SUBNETS
permit tcp object-group INTERNAL_LAN any
permit udp object-group INTERNAL_LAN any
permit icmp object-group INTERNAL_LAN any
deny ip any any
mac-address-table aging-time 16
no cdp run
ipv6 route ::/0 Dialer1
route-map NoNAT permit 10
match ip address AzureEastUS CLIENT_VPN
route-map NoNAT permit 15
banner motd Welcome to Murasaki
line con 0
privilege level 15
no modem enable
line aux 0
line vty 0
privilege level 15
no activation-character
transport preferred none
transport input ssh
line vty 1 4
privilege level 15
transport input ssh
scheduler max-task-time 5000
scheduler allocate 60000 1000
ntp update-calendar
ntp server au.pool.ntp.org
end
Any ideas on what I'm doing wrong?Hi Marius,
I finally managed to try with the official Cisco VPN client on Windows. It still fails at phase 1, but now talks about 'aggressive mode', which didn't seem to be mentioned in the previous logs. Any ideas?
*Oct 9 20:43:16: ISAKMP (0): received packet from 192.168.1.201 dport 500 sport 49727 Global (N) NEW SA
*Oct 9 20:43:16: ISAKMP: Created a peer struct for 192.168.1.201, peer port 49727
*Oct 9 20:43:16: ISAKMP: New peer created peer = 0x878329F0 peer_handle = 0x80000087
*Oct 9 20:43:16: ISAKMP: Locking peer struct 0x878329F0, refcount 1 for crypto_isakmp_process_block
*Oct 9 20:43:16: ISAKMP: local port 500, remote port 49727
*Oct 9 20:43:16: ISAKMP:(0):insert sa successfully sa = 886697E0
*Oct 9 20:43:16: ISAKMP:(0): processing SA payload. message ID = 0
*Oct 9 20:43:16: ISAKMP:(0): processing ID payload. message ID = 0
*Oct 9 20:43:16: ISAKMP (0): ID payload
next-payload : 13
type : 11
group id : timothy
protocol : 17
port : 500
length : 15
*Oct 9 20:43:16: ISAKMP:(0):: peer matches *none* of the profiles
*Oct 9 20:43:16: ISAKMP:(0): processing vendor id payload
*Oct 9 20:43:16: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
*Oct 9 20:43:16: ISAKMP:(0): vendor ID is XAUTH
*Oct 9 20:43:16: ISAKMP:(0): processing vendor id payload
*Oct 9 20:43:16: ISAKMP:(0): vendor ID is DPD
*Oct 9 20:43:16: ISAKMP:(0): processing vendor id payload
*Oct 9 20:43:16: ISAKMP:(0): processing IKE frag vendor id payload
*Oct 9 20:43:16: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Oct 9 20:43:16: ISAKMP:(0): processing vendor id payload
*Oct 9 20:43:16: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Oct 9 20:43:16: ISAKMP:(0): vendor ID is NAT-T v2
*Oct 9 20:43:16: ISAKMP:(0): processing vendor id payload
*Oct 9 20:43:16: ISAKMP:(0): vendor ID is Unity
*Oct 9 20:43:16: ISAKMP : Scanning profiles for xauth ... Client-VPN
*Oct 9 20:43:16: ISAKMP:(0): Authentication by xauth preshared
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 10 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 11 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Preshared authentication offered but does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 12 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 13 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 14 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 1 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 2 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 3 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 4 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 5 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 6 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 7 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 8 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 9 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 10 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 11 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 12 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Preshared authentication offered but does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 13 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 14 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Preshared authentication offered but does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Proposed key length does not match policy
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 6 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 7 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Proposed key length does not match policy
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 8 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 9 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 10 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 11 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 12 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 13 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 14 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct 9 20:43:16: ISAKMP:(0):no offers accepted!
*Oct 9 20:43:16: ISAKMP:(0): phase 1 SA policy not acceptable! (local xxxx remote 192.168.1.201)
*Oct 9 20:43:16: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*Oct 9 20:43:16: ISAKMP:(0): Failed to construct AG informational message.
*Oct 9 20:43:16: ISAKMP:(0): sending packet to 192.168.1.201 my_port 500 peer_port 49727 (R) AG_NO_STATE
*Oct 9 20:43:16: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 9 20:43:16: ISAKMP:(0):peer does not do paranoid keepalives.
*Oct 9 20:43:16: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.1.201)
*Oct 9 20:43:16: ISAKMP:(0): processing KE payload. message ID = 0
*Oct 9 20:43:16: ISAKMP:(0): group size changed! Should be 0, is 128
*Oct 9 20:43:16: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: reset_retransmission
*Oct 9 20:43:16: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH: state = IKE_READY
*Oct 9 20:43:16: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Oct 9 20:43:16: ISAKMP:(0):Old State = IKE_READY New State = IKE_READY
*Oct 9 20:43:16: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 192.168.1.201
*Oct 9 20:43:16: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.1.201)
*Oct 9 20:43:16: ISAKMP: Unlocking peer struct 0x878329F0 for isadb_mark_sa_deleted(), count 0
*Oct 9 20:43:16: ISAKMP: Deleting peer node by peer_reap for 192.168.1.201: 878329F0
*Oct 9 20:43:16: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Oct 9 20:43:16: ISAKMP:(0):Old State = IKE_READY New State = IKE_DEST_SA
*Oct 9 20:43:16: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct 9 20:43:21: ISAKMP (0): received packet from 192.168.1.201 dport 500 sport 49727 Global (R) MM_NO_STATE
*Oct 9 20:43:26: ISAKMP (0): received packet from 192.168.1.201 dport 500 sport 49727 Global (R) MM_NO_STATE -
Remote access VPN client gets connected fails on hosts in LAN
Hi,
VPN client gets connected fine, I have a inter VLAN routing happening on the switch in the LAN so all the LAN hosts have gateway IP on the switch, I have the defult route pointing to ASA inside interface on the switch, the switch I can reach after Remote Access VPN is connected how ever I cannot ping/connect to other hosts in the LAN and if I make the gateway point to the ASA then that host is accessible, any suggestions? I really want to have gateway to be the Switch as I have other networks reachable through the Switch (Intranet routing)Hi Mashal,
Thanks for your time,
VPN Pool(Client) 192.168.100.0/24
Internal Subnets 192.9.200.0/24(VLAN 4000) and 192.168.2.0/24 (VLAN 1000)
=============
On the Switch
=============
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.168.2.5 to network 0.0.0.0
172.32.0.0/24 is subnetted, 1 subnets
C 172.32.0.0 is directly connected, Vlan101
C 192.168.200.0/24 is directly connected, Vlan2000
C 192.9.200.0/24 is directly connected, Vlan4000
S 192.168.250.0/24 [1/0] via 192.9.200.125
S 192.168.1.0/24 [1/0] via 192.9.200.125
C 192.168.2.0/24 is directly connected, Vlan1000
S 192.168.252.0/24 [1/0] via 192.9.200.125
S* 0.0.0.0/0 [1/0] via 192.168.2.5
===============
On ASA
===============
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 172.32.0.2 to network 0.0.0.0
C 172.32.0.0 255.255.255.0 is directly connected, outside
C 192.9.200.0 255.255.255.0 is directly connected, inside
C 192.168.168.0 255.255.255.0 is directly connected, failover
C 192.168.2.0 255.255.255.0 is directly connected, MGMT
S 192.168.100.2 255.255.255.255 [1/0] via 172.32.0.2, outside
S 192.168.100.3 255.255.255.255 [1/0] via 172.32.0.2, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 172.32.0.2, outside
We don't need route print on the PC for now as I can explain what is happening I can get complete access to the 192.168.2.0/24 (VLAN 1000) but for 192.9.200.0/24 (VLAN 4000) above from the switch I can only ping IP's on the switches/pair but cannot have any tcp connections, which explains the default route being pointed on the switch is on VLAN 1000, now my issue is How do I get access to VLAN 4000 as you can see these two are on different Interfaces/zones on the ASA and please note with default gateway pointing to ASA I will have access to both the VLAN's it is only when I move the gateway pointing to Switch I loose tcp connections to one VLAN depending on the default route on the being pointing to on the switch.
So we are left to do with how to on the switch with default route. -
Remote Access VPN and NAT inside interface
Hi everyone,
I have configured Remote VPN access.
Inside interface and vpn pool is 10.0.0.0 subnet.
ASA inside interface has NAT exempt as per config below
nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static NETWORK_OBJ_10.0.0.0_25 NETWORK_OBJ_10.0.0.0_25 no-proxy-arp route-lookup
object network NETWORK_OBJ_10.0.0.0_24
subnet 10.0.0.0 255.255.255.0
object network NETWORK_OBJ_10.0.0.0_25
subnet 10.0.0.0 255.255.255.128
Also i have ASA inside interface connected to R1 as below
R1 ---10.0.0.2------------inside int IP 10.0.0.1--------ASA
R1 has loopback int 192.168.50.1 and ASA has static route to it.
When i connect to remote access vpn i can ping the IP 192.168.50.1 from My pc which is connected to outside interface of ASA.
This ping works fine.
Mar 04 2014 21:58:27: %ASA-6-302020: Built inbound ICMP connection for faddr 10.0.0.52/1(LOCAL\ipsec-user) gaddr 192.168.50.1/0 laddr 192.168.50.1/0 (ipsec-user )
Mar 04 2014 21:58:28: %ASA-6-302021: Teardown ICMP connection for faddr 10.0.0.52/1(LOCAL\ipsec-user) gaddr 192.168.50.1/0 laddr 192.168.50.1/0 (ipsec-user) Mar 04 2014 21:58:27:
Need to understand how this ping works without exempting 192.168.50.0 from natiing
or
how does nat work for above ping from 10.0.0.52 VPN user PC IP to loopback interface of R1 in regards to NATing?
Regards
MaheshHi Jouni,
IP address to PC is 10.0.0.52 ---------Assigned to Client PC.
Leting you know that i have removed the NAT below config from inside to outside interface
ASA inside interface has NAT exempt as per config below
nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static NETWORK_OBJ_10.0.0.0_25 NETWORK_OBJ_10.0.0.0_25 no-proxy-arp route-lookup
object network NETWORK_OBJ_10.0.0.0_24
subnet 10.0.0.0 255.255.255.0
object network NETWORK_OBJ_10.0.0.0_25
subnet 10.0.0.0 255.255.255.128
Still ping works fine from VPN client PC to IP 192.168.50.1
Packet tracer output
ASA1# packet-tracer input outside icmp 10.0.0.52 8 0 192.168.50.1
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.50.1 255.255.255.255 inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip any host 192.168.50.1 log
access-list outside_access_in remark Allow Ping to Loopback IP of R1 Which is inside Network of ASA1
Additional Information:
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
I can ping from PC command prompt to IP 192.168.50.1 fine.
Here is second packet tracer
ASA1# packet-tracer input inside icmp 192.168.50.1 8 0 8.8.8.8
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 18033, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
So question is how ping from outside is working without nat exempt from inside to outside?
So does second packet tracer proves that i have no NAT config from loopback to outside and ping works because i have NO NAT configured?
Regards
Mahesh
Message was edited by: mahesh parmar -
One username for two tunnel in IPSec remote access vpn + ACS for authentication
Hi all,
I want to set up a username which can be used for two different IPSec tunnel (i.e. username USER1 can be used in tunnel TUN1 and TUN2). Can anyone help me how to do this? My current configuration is that I tied the username to tunnel group using group-lock (RADIUS property) so a username can only be used for a particular remote access vpn tunnel (USER1 can only be used for TUN1). I have already tried to enable multiple entry for group lock in ACS (by manipulating the dictionaru setting in ACS), but it seems that authentication still takes the first group and can not take the second group.You'd have to create a new AAA server group pointing to servers in the new domain for authentication.
Then make a new connection profile that uses that AAA server group.
Your users would have to choose the connection profile (absent some more advanced tricks like issuing them user certificates that can be checked for attributes which map to one profile or another).
This could also be done with ISE 1.3 which can act as the RADIUS server and join to multiple AD domains on the backend as identity stores. (or even with ISE 1.2 if you use one of the AD directories as an LDAP store vs. native AD). -
Remote Access VPN Clients Cannot Access inside LAN
I have been asked to set up remote access VPN on an ASA 5505 that I previously had no invlovement with. I have set it up the VPN using the wizard, they way I normally do, but the clients have no access to anything in the inside subnet, not even the inside interface IP address of the ASA. Thay can ping each other. The remote access policy below that I am working on is labeled VPNPHONE, address pool 172.16.20.1-10. I do not need split tunneling to be enabled. The active WAN interface is the one labeled outside_cable.
: Saved
ASA Version 8.2(1)
hostname ASA5505
domain-name default.domain.invalid
enable password eelnBRz68aYSzHyz encrypted
passwd eelnBRz68aYSzHyz encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group dataDSL
ip address 76.244.75.57 255.255.255.255 pppoe
interface Vlan3
nameif dmz
security-level 50
ip address 192.168.9.1 255.255.255.0
interface Vlan10
nameif outside_cable
security-level 0
ip address 50.84.96.178 255.255.255.240
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 10
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit intra-interface
object-group service Netbios udp
port-object eq 139
port-object eq 445
port-object eq netbios-ns
object-group service Netbios_TCP tcp
port-object eq 445
port-object eq netbios-ssn
object-group network DM_INLINE_NETWORK_1
network-object host 192.168.100.177
network-object host 192.168.100.249
object-group service Web_Services tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_10
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_11
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_2
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_3
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_4
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_5
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_6
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_7
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_8
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_9
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network VPN
network-object 192.168.255.0 255.255.255.0
access-list outside_access_in extended permit icmp any host 76.244.75.61
access-list outside_access_in extended permit tcp any host 76.244.75.61 eq ftp
access-list outside_access_in extended permit tcp any host 76.244.75.61 eq ftp-data
access-list outside_access_in extended permit tcp any host 76.244.75.62 eq www
access-list outside_access_in extended permit tcp any host 76.244.75.62 eq https
access-list outside_access_in extended permit tcp any host 76.244.75.59 eq www
access-list outside_access_in extended permit tcp any host 76.244.75.59 eq https
access-list outside_access_in extended permit tcp any host 76.244.75.60 eq www
access-list outside_access_in extended permit tcp any host 76.244.75.60 eq https
access-list outside_access_in extended permit tcp any host 76.244.75.58 eq www
access-list outside_access_in extended permit tcp any host 76.244.75.58 eq https
access-list dmz_access_in remark Quickbooks
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_6 host 192.168.100.5 eq 56719
access-list dmz_access_in remark Quickbooks range
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_7 host 192.168.100.5 range 55333 55337
access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_8 host 192.168.100.5 eq 1434
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_9 host 192.168.100.5 eq 49398
access-list dmz_access_in remark QB
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_10 host 192.168.100.5 eq 8019
access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_2 host 192.168.100.5 eq 2638
access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_11 host 192.168.100.5 object-group Netbios
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_3 host 192.168.100.5 object-group Netbios_TCP
access-list dmz_access_in extended deny ip host 192.168.9.4 host 192.168.100.5 inactive
access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_4 any
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_5 any
access-list dmz_access_in remark Printer
access-list dmz_access_in extended permit ip 192.168.9.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list dmz_access_in extended permit tcp 192.168.9.0 255.255.255.0 any object-group Web_Services
access-list dmz_access_in extended permit udp 192.168.9.0 255.255.255.0 any eq domain
access-list dmz_access_in extended permit icmp 192.168.9.0 255.255.255.0 192.168.255.0 255.255.255.0 echo-reply
access-list dmz_access_in extended permit icmp 192.168.9.0 255.255.255.0 192.168.100.0 255.255.255.0 echo-reply log disable
access-list dmz_access_in remark QB probably does not need any udp
access-list dmz_access_in extended permit udp host 192.168.9.4 host 192.168.100.5 eq 55333 inactive
access-list dmz_access_in remark QB included in other rule range
access-list dmz_access_in extended permit tcp host 192.168.9.4 host 192.168.100.5 eq 55333 inactive
access-list dmz_access_in remark May be required for Quickbooks
access-list dmz_access_in extended permit icmp host 192.168.9.4 host 192.168.100.5
access-list CAD_capture extended permit ip host 192.168.9.4 host 192.168.100.5
access-list CAD_capture extended permit ip host 192.168.100.5 host 192.168.9.4
access-list inside_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 172.16.10.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 172.16.20.0 255.255.255.240
access-list cad_supplies_RAVPN_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list cad_supplies_RAVPN_splitTunnelAcl standard permit 192.168.9.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.0
access-list outside_cable_access_in extended permit icmp any host 50.84.96.182
access-list outside_cable_access_in extended permit tcp any host 50.84.96.182 eq ftp
access-list outside_cable_access_in extended permit tcp any host 50.84.96.182 eq ftp-data
access-list outside_cable_access_in extended permit tcp any host 50.84.96.183 eq www
access-list outside_cable_access_in extended permit tcp any host 50.84.96.183 eq https
access-list outside_cable_access_in extended permit tcp any host 50.84.96.180 eq www
access-list outside_cable_access_in extended permit tcp any host 50.84.96.180 eq https
access-list outside_cable_access_in extended permit tcp any host 50.84.96.181 eq www
access-list outside_cable_access_in extended permit tcp any host 50.84.96.181 eq https
access-list outside_cable_access_in extended permit tcp any host 50.84.96.179 eq www
access-list outside_cable_access_in extended permit tcp any host 50.84.96.179 eq https
access-list Local_LAN_Access standard permit host 0.0.0.0
access-list vpnusers_spitTunnelACL extended permit ip 192.168.100.0 255.255.255.0 any
access-list nonat-in extended permit ip 192.168.100.0 255.255.255.0 172.16.20.0 255.255.255.0
pager lines 24
logging enable
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu outside_cable 1500
ip local pool VPN_IP_range 192.168.255.1-192.168.255.10 mask 255.255.255.0
ip local pool VPN_Phone 172.16.20.1-172.16.20.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
global (outside_cable) 10 interface
nat (inside) 0 access-list nonat-in
nat (inside) 10 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 10 0.0.0.0 0.0.0.0
static (inside,outside) 76.244.75.62 192.168.100.25 netmask 255.255.255.255 dns
static (dmz,outside) 76.244.75.61 192.168.9.123 netmask 255.255.255.255 dns
static (dmz,outside) 76.244.75.59 192.168.9.124 netmask 255.255.255.255 dns
static (dmz,outside) 76.244.75.58 192.168.9.4 netmask 255.255.255.255 dns
static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (dmz,outside) 76.244.75.60 192.168.9.10 netmask 255.255.255.255 dns
static (inside,outside_cable) 50.84.96.183 192.168.100.25 netmask 255.255.255.255 dns
static (dmz,outside_cable) 50.84.96.182 192.168.9.123 netmask 255.255.255.255 dns
static (dmz,outside_cable) 50.84.96.180 192.168.9.124 netmask 255.255.255.255 dns
static (dmz,outside_cable) 50.84.96.179 192.168.9.4 netmask 255.255.255.255 dns
static (dmz,outside_cable) 50.84.96.181 192.168.9.10 netmask 255.255.255.255 dns
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
access-group outside_cable_access_in in interface outside_cable
route outside_cable 0.0.0.0 0.0.0.0 50.84.96.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.100.0 255.255.255.0 inside
http 204.107.173.0 255.255.255.0 outside
http 204.107.173.0 255.255.255.0 outside_cable
http 0.0.0.0 0.0.0.0 outside_cable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_cable_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_cable_map interface outside_cable
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp enable outside_cable
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.100.0 255.255.255.0 inside
ssh 204.107.173.0 255.255.255.0 outside
ssh 204.107.173.0 255.255.255.0 outside_cable
ssh 0.0.0.0 0.0.0.0 outside_cable
ssh timeout 15
console timeout 0
vpdn group dataDSL request dialout pppoe
vpdn group dataDSL localname [email protected]
vpdn group dataDSL ppp authentication pap
vpdn username [email protected] password *********
dhcpd address 192.168.100.30-192.168.100.99 inside
dhcpd dns 192.168.100.5 68.94.156.1 interface inside
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.100.5
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy cad_supplies_RAVPN internal
group-policy cad_supplies_RAVPN attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value cad_supplies_RAVPN_splitTunnelAcl
group-policy VPNPHONE internal
group-policy VPNPHONE attributes
dns-server value 192.168.100.5
vpn-tunnel-protocol IPSec
split-tunnel-policy excludespecified
split-tunnel-network-list value Local_LAN_Access
client-firewall none
client-access-rule none
username swinc password BlhBNWfh7XoeHcQC encrypted
username swinc attributes
vpn-group-policy cad_supplies_RAVPN
username meredithp password L3lRjzwb7TnwOyZ1 encrypted
username meredithp attributes
vpn-group-policy cad_supplies_RAVPN
service-type remote-access
username ipphone1 password LOjpmeIOshVdCSOU encrypted privilege 0
username ipphone1 attributes
vpn-group-policy VPNPHONE
username ipphone2 password LOjpmeIOshVdCSOU encrypted privilege 0
username ipphone2 attributes
vpn-group-policy VPNPHONE
username ipphone3 password LOjpmeIOshVdCSOU encrypted privilege 0
username ipphone3 attributes
vpn-group-policy VPNPHONE
username oethera password WKJxJq7L6wmktFNt encrypted
username oethera attributes
vpn-group-policy cad_supplies_RAVPN
service-type remote-access
username markh password nqH+bk6vj0fR83ai0SAxkg== nt-encrypted
username markh attributes
vpn-group-policy cad_supplies_RAVPN
tunnel-group DefaultRAGroup general-attributes
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group cad_supplies_RAVPN type remote-access
tunnel-group cad_supplies_RAVPN general-attributes
address-pool VPN_IP_range
default-group-policy cad_supplies_RAVPN
tunnel-group cad_supplies_RAVPN ipsec-attributes
pre-shared-key *
tunnel-group VPNPHONE type remote-access
tunnel-group VPNPHONE general-attributes
address-pool VPN_Phone
default-group-policy VPNPHONE
tunnel-group VPNPHONE ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 1500
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:8b25ecc61861a2baa6d2556a3679cc7c
: endHi,
You have your "group-policy" set so that you have excluding some networks from being tunneled.
In this access-list named Local_LAN_Access you specify "0.0.0.0"
Doesnt this mean you are excluding all networks from being tunneled? In other words no traffic goes to your tunnel.
This access-list should only contain your local LAN network from where you are connecting with the VPN Client. If you dont need to access anything on your local LAN while having the VPN on, you don't even need this setting on. You could just tunnel all traffic instead of excluding some networks.
- Jouni -
Remote Access VPN - Unable to Access LAN / Inside Network
Hi,
I am facing a problem with Cisco ASA remote access VPN, the remote client is connected to VPN and receiving IP address but the client is not able to ping or telnet any internal network.
I have attached running configuration for your reference. Please let me know I miss any configuartion.
FW : ASA5510
Version : 8.0
Note : Site to Site VPN is working without any issues
Thanks
JamalHi,
Very nice network diagram
Are you saying that originally the VPN Client user is behind the Jeddah ASA?
If this is true wouldnt it be wiser to just use the already existing L2L VPN between these sites?
In real situation I think the VPN Client would only be needed when you are outside either Head Quarter or Jeddah Network. And since you tested it infront of the ASA and it worked there shouldnt be any problem.
Now to the reason why the VPN Client isnt working from behind the Jeddah ASA.
Can you check that the following configuration is found on the Jeddah ASA (Depending on the software level of the ASA the format of the command might change. I'm not 100% sure)
isakmp nat-traversal To enable NAT traversal globally, check that ISAKMP is enabled (you can enable it with the isakmp enable command) in global configuration mode and then use the isakmp nat-traversal command. If you have enabled NAT traversal, you can disable it with the no form of this command.
isakmp nat-traversal natkeepalive
no isakmp nat-traversal natkeepalive
Syntax Description
natkeepalive
Sets the NAT keep alive interval, from 10 to 3600 seconds. The default is 20 seconds.
Defaults
By default, NAT traversal (isakmp nat-traversal) is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System
Global configuration
Command History
Release
Modification
Preexisting
This command was preexisting.
7.2(1)
This command was deprecated. The crypto isakmp nat-traversal command replaces it.
Usage Guidelines Network Address Translation (NAT), including Port Address Translation (PAT), is used in many networks where IPSec is also used, but there are a number of incompatibilities that prevent IPSec packets from successfully traversing NAT devices. NAT traversal enables ESP packets to pass through one or more NAT devices.
The security appliance supports NAT traversal as described by Version 2 and Version 3 of the IETF "UDP Encapsulation of IPsec Packets" draft, available at http://www.ietf.org/html.charters/ipsec-charter.html, and NAT traversal is supported for both dynamic and static crypto maps.
This command enables NAT-T globally on the security appliance. To disable in a crypto-map entry, use the crypto map set nat-t-disable command.
Examples
The following example, entered in global configuration mode, enables ISAKMP and then enables NAT traversal with an interval of 30 seconds:
hostname(config)# isakmp enable
hostname(config)# isakmp nat-traversal 30
- Jouni -
Can you create a Remote Access VPN connection to tunnel DMZ LAN and Inside Networks simultaneously?
I have a customer that has a ASA 5510 version 8.3 with IPSEC Client Access that includes some of their networks on the Inside interface. The issue they are having is when their mobile users connect with the vpn client (which is using split tunneling), they can no longer access their web server applications that are running in the DMZ. Without the client connected, they access the web servers via the external public IP. Once they are connected via vpn, their default dns server becomes the internal AD DNS server, which resolves the DNS of the web servers to the private DMZ ip address.
Can a Remote Access VPN client connection be allowed to connect to both the DMZ interface and the Inside Interface? I had always only setup RA VPN clients to connect to networks on the Inside Interface.
I tried adding the DMZ network to the Split Tunnel list, but I could not access anything it while connected to vpn using the private IP addresses.Yes, you should be able to access DMZ subnets as well if they are added to the split tunnel ACL. You could check the NAT exemption configuration for the DMZ and also check if the ASA is forwarding the packet through DMZ interface by configuring captures on the DMZ interface.
Share the configuration if you want help with the NAT exemption part. -
Remote access VPN-unable to connect inside-URGENT
Hi,
I have configured Remote access VPN in cisco ASA 5520.Whenever I am trying to connect from outside it's connecting fine.It aslo getting IP from pool but prob is i am unable to connect/ping inside nw.
Pls help me...how to resolve this issue.I had the same problem on an IOS router (871). My solution was one of two things. I downloaded the most up-to-date version of the VPN client (5.0.02.90) as opposed to the version I had or it was a software firewall (Norton 360). I have two different computers. One works just fine...the other connects but no traffic passes through. Here is what I have:
Computer 1 (working)- VPN Client v5.0.02.0090 and Network Associates Enterprise VirusScan.
Computer 2 (not working) - VPN Client v5.0.00.0340 and Norton 360.
I highly doubt it is the VPN Client, but sometimes you never know. Check your software firewall and try disabling it. Let me know how this works. -
Problem with Remote Access VPN on ASA 5505
I am currently having an issue configuring an ASA 5505 to connect via remote access VPN using the Cisco VPN Client 5.0.07.0440 running on Windows 8 Pro x64. The VPN client prompts for the username and password during the connect process, but fails soon after.
The VPN client logs are as follows:
Cisco Systems VPN Client Version 5.0.07.0440
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.2.9200
2 15:09:21.240 12/11/12 Sev=Info/4 CM/0x63100002
Begin connection process
3 15:09:21.287 12/11/12 Sev=Info/4 CM/0x63100004
Establish secure connection
4 15:09:21.287 12/11/12 Sev=Info/4 CM/0x63100024
Attempt connection with server "**.**.***.***"
5 15:09:21.287 12/11/12 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with **.**.***.***.
6 15:09:21.287 12/11/12 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
7 15:09:21.303 12/11/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to **.**.***.***
8 15:09:21.365 12/11/12 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.
9 15:09:21.334 12/11/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
10 15:09:21.334 12/11/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from **.**.***.***
11 15:09:21.334 12/11/12 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
12 15:09:21.334 12/11/12 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
13 15:09:21.334 12/11/12 Sev=Info/5 IKE/0x63000001
Peer supports DPD
14 15:09:21.334 12/11/12 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
15 15:09:21.334 12/11/12 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads
16 15:09:21.334 12/11/12 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
17 15:09:21.334 12/11/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to **.**.***.***
18 15:09:21.334 12/11/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
19 15:09:21.334 12/11/12 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0xFBCE, Remote Port = 0x1194
20 15:09:21.334 12/11/12 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
21 15:09:21.334 12/11/12 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
22 15:09:21.365 12/11/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
23 15:09:21.365 12/11/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
24 15:09:21.365 12/11/12 Sev=Info/4 CM/0x63100015
Launch xAuth application
25 15:09:21.474 12/11/12 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
26 15:09:21.474 12/11/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
27 15:09:27.319 12/11/12 Sev=Info/4 CM/0x63100017
xAuth application returned
28 15:09:27.319 12/11/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
29 15:09:27.365 12/11/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
30 15:09:27.365 12/11/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
31 15:09:27.365 12/11/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
32 15:09:27.365 12/11/12 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
33 15:09:27.365 12/11/12 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator
34 15:09:27.365 12/11/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
35 15:09:27.397 12/11/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
36 15:09:27.397 12/11/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
37 15:09:27.397 12/11/12 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.2.70
38 15:09:27.397 12/11/12 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
39 15:09:27.397 12/11/12 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.168.2.1
40 15:09:27.397 12/11/12 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 8.8.8.8
41 15:09:27.397 12/11/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000001
42 15:09:27.397 12/11/12 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = NCHCO
43 15:09:27.397 12/11/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
44 15:09:27.397 12/11/12 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5505 Version 8.2(5) built by builders on Fri 20-May-11 16:00
45 15:09:27.397 12/11/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001
46 15:09:27.397 12/11/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
47 15:09:27.397 12/11/12 Sev=Info/4 CM/0x63100019
Mode Config data received
48 15:09:27.412 12/11/12 Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = 192.168.2.70, GW IP = **.**.***.***, Remote IP = 0.0.0.0
49 15:09:27.412 12/11/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to **.**.***.***
50 15:09:27.444 12/11/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
51 15:09:27.444 12/11/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from **.**.***.***
52 15:09:27.444 12/11/12 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
53 15:09:27.444 12/11/12 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 6 seconds, setting expiry to 86394 seconds from now
54 15:09:27.459 12/11/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
55 15:09:27.459 12/11/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from **.**.***.***
56 15:09:27.459 12/11/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to **.**.***.***
57 15:09:27.459 12/11/12 Sev=Info/4 IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=CE99A8A8
58 15:09:27.459 12/11/12 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=A3A341F1C7606AD5 R_Cookie=F1F403018625E924) reason = DEL_REASON_IKE_NEG_FAILED
59 15:09:27.459 12/11/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
60 15:09:27.459 12/11/12 Sev=Info/4 IKE/0x63000058
Received an ISAKMP message for a non-active SA, I_Cookie=A3A341F1C7606AD5 R_Cookie=F1F403018625E924
61 15:09:27.459 12/11/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(Dropped) from **.**.***.***
62 15:09:27.490 12/11/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
63 15:09:30.475 12/11/12 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=A3A341F1C7606AD5 R_Cookie=F1F403018625E924) reason = DEL_REASON_IKE_NEG_FAILED
64 15:09:30.475 12/11/12 Sev=Info/4 CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
65 15:09:30.475 12/11/12 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
66 15:09:30.475 12/11/12 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
67 15:09:30.475 12/11/12 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
68 15:09:30.475 12/11/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
69 15:09:30.475 12/11/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
70 15:09:30.475 12/11/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
71 15:09:30.475 12/11/12 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
The running configuration is as follows (there is a site-to-site VPN set up as well to another ASA 5505, but that is working flawlessly):
: Saved
ASA Version 8.2(5)
hostname NCHCO
enable password hTjwXz/V8EuTw9p9 encrypted
passwd hTjwXz/V8EuTw9p9 encrypted
names
name 192.168.2.0 NCHCO description City Offices
name 192.168.2.80 VPN_End
name 192.168.2.70 VPN_Start
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address **.**.***.*** 255.255.255.248
boot system disk0:/asa825-k8.bin
ftp mode passive
access-list outside_nat0_outbound extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.2.64 255.255.255.224
access-list outside_1_cryptomap extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
access-list LAN_Access standard permit NCHCO 255.255.255.0
access-list LAN_Access standard permit 0.0.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool VPN_Start-VPN_End mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list outside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 74.219.208.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
network-acl outside_nat0_outbound
webvpn
svc ask enable default svc
http server enable
http 192.168.1.0 255.255.255.0 inside
http **.**.***.*** 255.255.255.255 outside
http 74.218.158.238 255.255.255.255 outside
http NCHCO 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set l2tp-transform esp-3des esp-sha-hmac
crypto ipsec transform-set l2tp-transform mode transport
crypto ipsec transform-set vpn-transform esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyn-map 10 set pfs group1
crypto dynamic-map dyn-map 10 set transform-set l2tp-transform vpn-transform
crypto dynamic-map dyn-map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 74.219.208.50
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map vpn-map 1 match address outside_1_cryptomap_1
crypto map vpn-map 1 set pfs group1
crypto map vpn-map 1 set peer 74.219.208.50
crypto map vpn-map 1 set transform-set ESP-3DES-SHA
crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 15
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 35
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
client-update enable
telnet 192.168.1.0 255.255.255.0 inside
telnet NCHCO 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh NCHCO 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.150-192.168.2.225 inside
dhcpd dns 216.68.4.10 216.68.5.10 interface inside
dhcpd lease 64000 interface inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.2.1
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value nchco.local
group-policy DfltGrpPolicy attributes
dns-server value 192.168.2.1
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
password-storage enable
ipsec-udp enable
intercept-dhcp 255.255.255.0 enable
address-pools value VPN_Pool
group-policy NCHVPN internal
group-policy NCHVPN attributes
dns-server value 192.168.2.1 8.8.8.8
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value NCHCO
username admin password LbMiJuAJjDaFb2uw encrypted privilege 15
username 8njferg password yB1lHEVmHZGj5C2Z encrypted privilege 15
username NCHvpn99 password QhZZtJfwbnowceB7 encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool (inside) VPN_Pool
address-pool VPN_Pool
authentication-server-group (inside) LOCAL
authentication-server-group (outside) LOCAL
authorization-server-group LOCAL
authorization-server-group (inside) LOCAL
authorization-server-group (outside) LOCAL
default-group-policy DefaultRAGroup
strip-realm
strip-group
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
peer-id-validate nocheck
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup ppp-attributes
authentication pap
authentication ms-chap-v2
tunnel-group 74.219.208.50 type ipsec-l2l
tunnel-group 74.219.208.50 ipsec-attributes
pre-shared-key *****
tunnel-group NCHVPN type remote-access
tunnel-group NCHVPN general-attributes
address-pool VPN_Pool
default-group-policy NCHVPN
tunnel-group NCHVPN ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:15852745977ff159ba808c4a4feb61fa
: end
asdm image disk0:/asdm-645.bin
asdm location VPN_Start 255.255.255.255 inside
asdm location VPN_End 255.255.255.255 inside
no asdm history enable
Anyone have any idea why this is happening?
Thanks!Thanks again for your reply, and sorry about the late response, havent gotten back to this issue until just now. I applied the above command as you specified, and unfortunately, it did not resolve the problem. Below are the logs from the VPN Client for the connection + attempted browsing of a network share that is behind the ASA, and the new running configuration.
VPN Client Log:
Cisco Systems VPN Client Version 5.0.07.0440
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.2.9200
331 13:11:41.362 12/17/12 Sev=Info/4 CM/0x63100002
Begin connection process
332 13:11:41.362 12/17/12 Sev=Info/4 CM/0x63100004
Establish secure connection
333 13:11:41.362 12/17/12 Sev=Info/4 CM/0x63100024
Attempt connection with server "69.61.228.178"
334 13:11:41.362 12/17/12 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 69.61.228.178.
335 13:11:41.362 12/17/12 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
336 13:11:41.424 12/17/12 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.
337 13:11:41.362 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 69.61.228.178
338 13:11:41.393 12/17/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
339 13:11:41.393 12/17/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from 69.61.228.178
340 13:11:41.393 12/17/12 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
341 13:11:41.393 12/17/12 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
342 13:11:41.393 12/17/12 Sev=Info/5 IKE/0x63000001
Peer supports DPD
343 13:11:41.393 12/17/12 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
344 13:11:41.393 12/17/12 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads
345 13:11:41.393 12/17/12 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
346 13:11:41.393 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 69.61.228.178
347 13:11:41.393 12/17/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
348 13:11:41.393 12/17/12 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0xD271, Remote Port = 0x1194
349 13:11:41.393 12/17/12 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
350 13:11:41.393 12/17/12 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
351 13:11:41.424 12/17/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
352 13:11:41.424 12/17/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 69.61.228.178
353 13:11:41.424 12/17/12 Sev=Info/4 CM/0x63100015
Launch xAuth application
354 13:11:41.424 12/17/12 Sev=Info/4 CM/0x63100017
xAuth application returned
355 13:11:41.424 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 69.61.228.178
356 13:11:41.456 12/17/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
357 13:11:41.456 12/17/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 69.61.228.178
358 13:11:41.456 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 69.61.228.178
359 13:11:41.456 12/17/12 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
360 13:11:41.456 12/17/12 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator
361 13:11:41.456 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 69.61.228.178
362 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
363 13:11:41.502 12/17/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 69.61.228.178
364 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.2.70
365 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
366 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.168.2.1
367 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 8.8.8.8
368 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000001
369 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001
370 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x6300000F
SPLIT_NET #1
subnet = 192.168.2.0
mask = 255.255.255.0
protocol = 0
src port = 0
dest port=0
371 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = NCHCO.local
372 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
373 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5505 Version 8.4(1) built by builders on Mon 31-Jan-11 02:11
374 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001
375 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
376 13:11:41.502 12/17/12 Sev=Info/4 CM/0x63100019
Mode Config data received
377 13:11:41.502 12/17/12 Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = 192.168.2.70, GW IP = 69.61.228.178, Remote IP = 0.0.0.0
378 13:11:41.502 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 69.61.228.178
379 13:11:41.534 12/17/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
380 13:11:41.534 12/17/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 69.61.228.178
381 13:11:41.534 12/17/12 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
382 13:11:41.534 12/17/12 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 0 seconds, setting expiry to 86400 seconds from now
383 13:11:41.549 12/17/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
384 13:11:41.549 12/17/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from 69.61.228.178
385 13:11:41.549 12/17/12 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 28800 seconds
386 13:11:41.549 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH) to 69.61.228.178
387 13:11:41.549 12/17/12 Sev=Info/5 IKE/0x63000059
Loading IPsec SA (MsgID=C4F5B5A6 OUTBOUND SPI = 0xD2DBADEA INBOUND SPI = 0x14762837)
388 13:11:41.549 12/17/12 Sev=Info/5 IKE/0x63000025
Loaded OUTBOUND ESP SPI: 0xD2DBADEA
389 13:11:41.549 12/17/12 Sev=Info/5 IKE/0x63000026
Loaded INBOUND ESP SPI: 0x14762837
390 13:11:41.549 12/17/12 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.162 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306
127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306
127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
192.168.1.0 255.255.255.0 192.168.1.162 192.168.1.162 266
192.168.1.162 255.255.255.255 192.168.1.162 192.168.1.162 266
192.168.1.255 255.255.255.255 192.168.1.162 192.168.1.162 266
224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306
224.0.0.0 240.0.0.0 192.168.1.162 192.168.1.162 266
255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
255.255.255.255 255.255.255.255 192.168.1.162 192.168.1.162 266
391 13:11:41.877 12/17/12 Sev=Info/6 CVPND/0x63400001
Launch VAInst64 to control IPSec Virtual Adapter
392 13:11:43.455 12/17/12 Sev=Info/4 CM/0x63100034
The Virtual Adapter was enabled:
IP=192.168.2.70/255.255.255.0
DNS=192.168.2.1,8.8.8.8
WINS=0.0.0.0,0.0.0.0
Domain=NCHCO.local
Split DNS Names=
393 13:11:43.455 12/17/12 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.162 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306
127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306
127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
192.168.1.0 255.255.255.0 192.168.1.162 192.168.1.162 266
192.168.1.162 255.255.255.255 192.168.1.162 192.168.1.162 266
192.168.1.255 255.255.255.255 192.168.1.162 192.168.1.162 266
224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306
224.0.0.0 240.0.0.0 192.168.1.162 192.168.1.162 266
224.0.0.0 240.0.0.0 0.0.0.0 0.0.0.0 266
255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
255.255.255.255 255.255.255.255 192.168.1.162 192.168.1.162 266
255.255.255.255 255.255.255.255 0.0.0.0 0.0.0.0 266
394 13:11:47.517 12/17/12 Sev=Info/4 CM/0x63100038
Successfully saved route changes to file.
395 13:11:47.517 12/17/12 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.162 10
69.61.228.178 255.255.255.255 192.168.1.1 192.168.1.162 100
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306
127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306
127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
192.168.1.0 255.255.255.0 192.168.1.162 192.168.1.162 266
192.168.1.2 255.255.255.255 192.168.1.162 192.168.1.162 100
192.168.1.162 255.255.255.255 192.168.1.162 192.168.1.162 266
192.168.1.255 255.255.255.255 192.168.1.162 192.168.1.162 266
192.168.2.0 255.255.255.0 192.168.2.70 192.168.2.70 266
192.168.2.0 255.255.255.0 192.168.2.1 192.168.2.70 100
192.168.2.70 255.255.255.255 192.168.2.70 192.168.2.70 266
192.168.2.255 255.255.255.255 192.168.2.70 192.168.2.70 266
224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306
224.0.0.0 240.0.0.0 192.168.1.162 192.168.1.162 266
224.0.0.0 240.0.0.0 192.168.2.70 192.168.2.70 266
255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
255.255.255.255 255.255.255.255 192.168.1.162 192.168.1.162 266
255.255.255.255 255.255.255.255 192.168.2.70 192.168.2.70 266
396 13:11:47.517 12/17/12 Sev=Info/6 CM/0x63100036
The routing table was updated for the Virtual Adapter
397 13:11:47.517 12/17/12 Sev=Info/4 CM/0x6310001A
One secure connection established
398 13:11:47.517 12/17/12 Sev=Info/4 CM/0x6310003B
Address watch added for 192.168.1.162. Current hostname: MATT-PC, Current address(es): 192.168.2.70, 192.168.1.162.
399 13:11:47.517 12/17/12 Sev=Info/4 CM/0x6310003B
Address watch added for 192.168.2.70. Current hostname: MATT-PC, Current address(es): 192.168.2.70, 192.168.1.162.
400 13:11:47.517 12/17/12 Sev=Info/5 CM/0x63100001
Did not find the Smartcard to watch for removal
401 13:11:47.517 12/17/12 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
402 13:11:47.517 12/17/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
403 13:11:47.517 12/17/12 Sev=Info/6 IPSEC/0x6370002C
Sent 109 packets, 0 were fragmented.
404 13:11:47.517 12/17/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
405 13:11:47.517 12/17/12 Sev=Info/4 IPSEC/0x63700010
Created a new key structure
406 13:11:47.517 12/17/12 Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0xeaaddbd2 into key list
407 13:11:47.517 12/17/12 Sev=Info/4 IPSEC/0x63700010
Created a new key structure
408 13:11:47.517 12/17/12 Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0x37287614 into key list
409 13:11:47.517 12/17/12 Sev=Info/4 IPSEC/0x6370002F
Assigned VA private interface addr 192.168.2.70
410 13:11:47.517 12/17/12 Sev=Info/4 IPSEC/0x63700037
Configure public interface: 192.168.1.162. SG: 69.61.228.178
411 13:11:47.517 12/17/12 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 1.
412 13:11:52.688 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 69.61.228.178
413 13:11:52.688 12/17/12 Sev=Info/6 IKE/0x6300003D
Sending DPD request to 69.61.228.178, our seq# = 2722476009
414 13:11:52.704 12/17/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
415 13:11:52.704 12/17/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 69.61.228.178
416 13:11:52.704 12/17/12 Sev=Info/5 IKE/0x63000040
Received DPD ACK from 69.61.228.178, seq# received = 2722476009, seq# expected = 2722476009
417 13:12:03.187 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 69.61.228.178
418 13:12:03.187 12/17/12 Sev=Info/6 IKE/0x6300003D
Sending DPD request to 69.61.228.178, our seq# = 2722476010
419 13:12:03.202 12/17/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
420 13:12:03.202 12/17/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 69.61.228.178
421 13:12:03.202 12/17/12 Sev=Info/5 IKE/0x63000040
Received DPD ACK from 69.61.228.178, seq# received = 2722476010, seq# expected = 2722476010
422 13:12:14.185 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 69.61.228.178
423 13:12:14.185 12/17/12 Sev=Info/6 IKE/0x6300003D
Sending DPD request to 69.61.228.178, our seq# = 2722476011
424 13:12:14.201 12/17/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
425 13:12:14.201 12/17/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 69.61.228.178
426 13:12:14.201 12/17/12 Sev=Info/5 IKE/0x63000040
Received DPD ACK from 69.61.228.178, seq# received = 2722476011, seq# expected = 2722476011
427 13:12:24.762 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 69.61.228.178
428 13:12:24.762 12/17/12 Sev=Info/6 IKE/0x6300003D
Sending DPD request to 69.61.228.178, our seq# = 2722476012
429 13:12:24.778 12/17/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
430 13:12:24.778 12/17/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 69.61.228.178
431 13:12:24.778 12/17/12 Sev=Info/5 IKE/0x63000040
Received DPD ACK from 69.61.228.178, seq# received = 2722476012, seq# expected = 2722476012
New running configuration:
: Saved
ASA Version 8.4(1)
hostname NCHCO
enable password hTjwXz/V8EuTw9p9 encrypted
passwd hTjwXz/V8EuTw9p9 encrypted
names
name 192.168.2.0 NCHCO description City Offices
name 192.168.2.80 VPN_End
name 192.168.2.70 VPN_Start
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 69.61.228.178 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa841-k8.bin
ftp mode passive
object network NCHCO
subnet 192.168.2.0 255.255.255.0
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.64
subnet 192.168.2.64 255.255.255.224
object network obj-0.0.0.0
subnet 0.0.0.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.2.64 255.255.255.224
access-list inside_nat0_outbound extended permit ip 0.0.0.0 255.255.255.0 192.168.2.64 255.255.255.224
access-list outside_1_cryptomap extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list LAN_Access standard permit 192.168.2.0 255.255.255.0
access-list LAN_Access standard permit 0.0.0.0 255.255.255.0
access-list NCHCO_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool VPN_Start-VPN_End mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static NCHCO NCHCO destination static obj-192.168.1.0 obj-192.168.1.0
nat (inside,any) source static any any destination static obj-192.168.2.64 obj-192.168.2.64
nat (inside,any) source static obj-0.0.0.0 obj-0.0.0.0 destination static obj-192.168.2.64 obj-192.168.2.64
object network obj_any
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 69.61.228.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
network-acl outside_nat0_outbound
webvpn
svc ask enable default svc
http server enable
http 192.168.1.0 255.255.255.0 inside
http 69.61.228.178 255.255.255.255 outside
http 74.218.158.238 255.255.255.255 outside
http NCHCO 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set l2tp-transform esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set l2tp-transform mode transport
crypto ipsec ikev1 transform-set vpn-transform esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyn-map 10 set pfs group1
crypto dynamic-map dyn-map 10 set ikev1 transform-set l2tp-transform vpn-transform
crypto dynamic-map dyn-map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 74.219.208.50
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map vpn-map 1 match address outside_1_cryptomap_1
crypto map vpn-map 1 set pfs group1
crypto map vpn-map 1 set peer 74.219.208.50
crypto map vpn-map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map
crypto isakmp identity address
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 15
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 35
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
client-update enable
telnet 192.168.1.0 255.255.255.0 inside
telnet NCHCO 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh NCHCO 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.150-192.168.2.225 inside
dhcpd dns 216.68.4.10 216.68.5.10 interface inside
dhcpd lease 64000 interface inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.2.1
vpn-tunnel-protocol ikev1 l2tp-ipsec
default-domain value nchco.local
group-policy DfltGrpPolicy attributes
dns-server value 192.168.2.1
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
password-storage enable
ipsec-udp enable
intercept-dhcp 255.255.255.0 enable
address-pools value VPN_Pool
group-policy NCHCO internal
group-policy NCHCO attributes
dns-server value 192.168.2.1 8.8.8.8
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value NCHCO_splitTunnelAcl_1
default-domain value NCHCO.local
username admin password LbMiJuAJjDaFb2uw encrypted privilege 15
username 8njferg password yB1lHEVmHZGj5C2Z encrypted privilege 15
username NCHvpn99 password dhn.JzttvRmMbHsP encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool (inside) VPN_Pool
address-pool VPN_Pool
authentication-server-group (inside) LOCAL
authentication-server-group (outside) LOCAL
authorization-server-group LOCAL
authorization-server-group (inside) LOCAL
authorization-server-group (outside) LOCAL
default-group-policy DefaultRAGroup
strip-realm
strip-group
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup ppp-attributes
authentication pap
authentication ms-chap-v2
tunnel-group 74.219.208.50 type ipsec-l2l
tunnel-group 74.219.208.50 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group NCHCO type remote-access
tunnel-group NCHCO general-attributes
address-pool VPN_Pool
default-group-policy NCHCO
tunnel-group NCHCO ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:b6ce58676b6aaeba48caacbeefea53a5
: end
asdm image disk0:/asdm-649.bin
asdm location VPN_Start 255.255.255.255 inside
asdm location VPN_End 255.255.255.255 inside
no asdm history enable
I'm at a loss myself as to why this isn't working, and i'm sure that you are running out of solutions yourself. Any other ideas? I really need to get this working.
Thanks so much!
Matthew -
Remote Access VPN on Cisco ASA Problem
Hi, i configured Remote access VPN on Cisco ASA 8.x as per below configuration.
Problem is that my internet has stopped working, and default route is just showing stars.
i can ping internal server 10.110.10.150 fine , which i allowed on VPN ACL, but my other traffic not going to regular internet on my laptop,
what additional required to force my internet to go to regular internet instead of getting encrypted?
Also attaching output of route print at the point when VPN is connected.
ip local pool RA_VPN_POOL 10.1.200.100-10.1.200.150 mask 255.255.255.0
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map RA_VPN 65535 set transform-set ESP-AES-128-SHA
crypto dynamic-map RA_VPN 65535 set security-association lifetime seconds 28800
crypto dynamic-map RA_VPN 65535 set security-association lifetime kilobytes 4608000
crypto map VPN_MAP 65535 ipsec-isakmp dynamic RA_VPN
crypto map VPN_MAP interface outside
isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
tunnel-group ITT_RA type remote-access
tunnel-group ITT_RA general-attributes
address-pool RA_VPN_POOL
default-group-policy RA_VPN_GP
tunnel-group ITT_RA ipsec-attributes
pre-shared-key <group key>
group-policy RA_VPN_GP internal
group-policy RA_VPN_GP attributes
dns-server value 10.0.0.1 10.0.0.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain value mydomain.com
address-pools value RA_VPN_POOL
access-list Split_Tunnel_List extended permit ip host 10.110.10.150 10.1.200.0 255.255.255.0
access-list nonattest extended permit ip host 10.110.10.150 10.1.200.0 255.255.255.0
nat (inside) 0 access-list nonattest
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.111.36.1 10.111.36.9 276
0.0.0.0 0.0.0.0 On-link 10.1.200.100 20
10.1.200.0 255.255.255.0 On-link 10.1.200.100 276
10.1.200.100 255.255.255.255 On-link 10.1.200.100 276
10.1.200.255 255.255.255.255 On-link 10.1.200.100 276
10.110.10.150 255.255.255.255 10.1.200.1 10.1.200.100 100
10.111.36.0 255.255.255.0 On-link 10.111.36.9 276Hi, i configured Remote access VPN on Cisco ASA 8.x as per below configuration.
Problem is that my internet has stopped working, and default route is just showing stars.
i can ping internal server 10.110.10.150 fine , which i allowed on VPN ACL, but my other traffic not going to regular internet on my laptop,
what additional required to force my internet to go to regular internet instead of getting encrypted?
Also attaching output of route print at the point when VPN is connected.
ip local pool RA_VPN_POOL 10.1.200.100-10.1.200.150 mask 255.255.255.0
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map RA_VPN 65535 set transform-set ESP-AES-128-SHA
crypto dynamic-map RA_VPN 65535 set security-association lifetime seconds 28800
crypto dynamic-map RA_VPN 65535 set security-association lifetime kilobytes 4608000
crypto map VPN_MAP 65535 ipsec-isakmp dynamic RA_VPN
crypto map VPN_MAP interface outside
isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
tunnel-group ITT_RA type remote-access
tunnel-group ITT_RA general-attributes
address-pool RA_VPN_POOL
default-group-policy RA_VPN_GP
tunnel-group ITT_RA ipsec-attributes
pre-shared-key <group key>
group-policy RA_VPN_GP internal
group-policy RA_VPN_GP attributes
dns-server value 10.0.0.1 10.0.0.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain value mydomain.com
address-pools value RA_VPN_POOL
access-list Split_Tunnel_List extended permit ip host 10.110.10.150 10.1.200.0 255.255.255.0
access-list nonattest extended permit ip host 10.110.10.150 10.1.200.0 255.255.255.0
nat (inside) 0 access-list nonattest
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.111.36.1 10.111.36.9 276
0.0.0.0 0.0.0.0 On-link 10.1.200.100 20
10.1.200.0 255.255.255.0 On-link 10.1.200.100 276
10.1.200.100 255.255.255.255 On-link 10.1.200.100 276
10.1.200.255 255.255.255.255 On-link 10.1.200.100 276
10.110.10.150 255.255.255.255 10.1.200.1 10.1.200.100 100
10.111.36.0 255.255.255.0 On-link 10.111.36.9 276
Maybe you are looking for
-
Hi All, This is with respect to Inbox Search for CRM 2005. We have customized "Assigned To" field so as to show all the employees under Call Center. Following is the code to do this DATA: lt_org_unit_list TYPE TABLE OF objec, ls_org_unit_list
-
I want to install adobe digital editions
i want to install adobe digital editions
-
Hi all y'all. My wife uses her Macbook at work. The LAN there is in one building (house) and her office is in the far end of the next building (house). The connection to the LAN for the second house is wireless (not Mac hardware). The signal indicato
-
Google News is not loaded properly
news.google.com fails to render properly on Firefox android
-
Unable to install any .air (media player, log analyzer...)
Hi all, I tried unsuccessfully for three days to install PS CS5 : reboot without BSOD, no windows logs. Seeking the origin of the problem I discovered that installing Adobe Media Player 1.7 with .air immediately caused the same problem (crash, reboot