Site-To_Site VPN problem

Hello everyone
I'm installing a new site-to-site VPN connection between two sites, having problems bringing the tunnel online.
We have two ASA 5505 firewalls - one at our Central site, and another for our customer at the Remote site.
I wiped both firewalls with write erase, installed the latest IOS version 9.2 on both firewalls.
I'm not sure if the new IOS is causing the problem, we have several site-to-site vpn’s all working with IOS 8.4 5
I'm enclosing the configs for both ASA firewalls for you to review and see if I missed something or what's changed in the IOS that maybe causing our tunnel issue.
Thank you 

Central site
packet-tracer input inside tcp 10.10.1.100 12345 10.4.1.1$
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static REMOTE-ONE REMOTE-ONE
Additional Information:
NAT divert to egress interface outside
Untranslate 10.4.1.100/80 to 10.4.1.100/80
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static REMOTE-ONE REMOTE-ONE
Additional Information:
Static translate 10.10.1.100/12345 to 10.10.1.100/12345
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static REMOTE-ONE REMOTE-ONE
Additional Information:
Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 817, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Remote site
packet-tracer input inside tcp 10.4.1.100 12345 10.10.1.1$
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static net-remote net-remote
Additional Information:
NAT divert to egress interface outside
Untranslate 10.10.1.100/80 to 10.10.1.100/80
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static net-remote net-remote
Additional Information:
Static translate 10.4.1.100/12345 to 10.4.1.100/12345
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static net-remote net-remote
Additional Information:
Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 774, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
After running the command we see both firewalls have the same pre shared key

Similar Messages

  • Site to Site VPN Problems With 2801 Router and ASA 5505

    Hello,
    I am having some issue setting up a site to site ipsec VPN between a Cisco 2801 router and a Cisco ASA 5505. I was told there was a vpn previously setup with an old hosting provider, but those connections have been servered. Right now I am trying to get the sites to talk to the 2801. Here ere are my current configs, please let me know if you need anything else. Im stumped on this one. Thanks.
    IP scheme at SIte A:
    IP    172.19.3.x
    sub 255.255.255.128
    GW 172.19.3.129
    Site A Ciscso 2801 Router
    Current configuration : 11858 bytes
    version 12.4
    service timestamps debug datetime localtime
    service timestamps log datetime localtime show-timezone
    service password-encryption
    hostname router-2801
    boot-start-marker
    boot-end-marker
    logging message-counter syslog
    logging buffered 4096
    aaa new-model
    aaa authentication login userauthen group radius local
    aaa authorization network groupauthor local
    aaa session-id common
    clock timezone est -5
    clock summer-time zone recurring last Sun Mar 2:00 1 Sun Nov 2:00
    dot11 syslog
    ip source-route
    ip dhcp excluded-address 172.19.3.129 172.19.3.149
    ip dhcp excluded-address 172.19.10.1 172.19.10.253
    ip dhcp excluded-address 172.19.3.140
    ip dhcp ping timeout 900
    ip dhcp pool DHCP
       network 172.19.3.128 255.255.255.128
       default-router 172.19.3.129
       domain-name domain.local
       netbios-name-server 172.19.3.7
       option 66 ascii 172.19.3.225
       dns-server 172.19.3.140 208.67.220.220 208.67.222.222
    ip dhcp pool VoiceDHCP
       network 172.19.10.0 255.255.255.0
       default-router 172.19.10.1
       dns-server 208.67.220.220 8.8.8.8
       option 66 ascii 172.19.10.2
       lease 2
    ip cef
    ip inspect name SDM_LOW cuseeme
    ip inspect name SDM_LOW dns
    ip inspect name SDM_LOW ftp
    ip inspect name SDM_LOW h323
    ip inspect name SDM_LOW https
    ip inspect name SDM_LOW icmp
    ip inspect name SDM_LOW imap
    ip inspect name SDM_LOW pop3
    ip inspect name SDM_LOW netshow
    ip inspect name SDM_LOW rcmd
    ip inspect name SDM_LOW realaudio
    ip inspect name SDM_LOW rtsp
    ip inspect name SDM_LOW esmtp
    ip inspect name SDM_LOW sqlnet
    ip inspect name SDM_LOW streamworks
    ip inspect name SDM_LOW tftp
    ip inspect name SDM_LOW tcp
    ip inspect name SDM_LOW udp
    ip inspect name SDM_LOW vdolive
    no ip domain lookup
    ip domain name domain.local
    multilink bundle-name authenticated
    key chain key1
    key 1
       key-string 7 06040033484B1B484557
    crypto pki trustpoint TP-self-signed-3448656681
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-3448bb6681
    revocation-check none
    rsakeypair TP-self-signed-344bbb56681
    crypto pki certificate chain TP-self-signed-3448656681
    certificate self-signed 01
      3082024F
                quit
    username admin privilege 15 password 7 F55
    archive
    log config
      hidekeys
    crypto isakmp policy 10
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp key XXXXX address 209.118.0.1
    crypto isakmp key xxxxx address SITE B Public IP
    crypto isakmp keepalive 40 5
    crypto isakmp nat keepalive 20
    crypto isakmp client configuration group IISVPN
    key 1nsur3m3
    dns 172.19.3.140
    wins 172.19.3.140
    domain domain.local
    pool VPN_Pool
    acl 198
    crypto isakmp profile IISVPNClient
       description VPN clients profile
       match identity group IISVPN
       client authentication list userauthen
       isakmp authorization list groupauthor
       client configuration address respond
    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    crypto dynamic-map Dynamic 5
    set transform-set myset
    set isakmp-profile IISVPNClient
    qos pre-classify
    crypto map VPN 10 ipsec-isakmp
    set peer 209.118.0.1
    set peer SITE B Public IP
    set transform-set myset
    match address 101
    qos pre-classify
    crypto map VPN 65535 ipsec-isakmp dynamic Dynamic
    track 123 ip sla 1 reachability
    delay down 15 up 10
    class-map match-any VoiceTraffic
    match protocol rtp audio
    match protocol h323
    match protocol rtcp
    match access-group name VOIP
    match protocol sip
    class-map match-any RDP
    match access-group 199
    policy-map QOS
    class VoiceTraffic
        bandwidth 512
    class RDP
        bandwidth 768
    policy-map MainQOS
    class class-default
        shape average 1500000
      service-policy QOS
    interface FastEthernet0/0
    description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$FW_INSIDE$
    ip address 172.19.3.129 255.255.255.128
    ip access-group 100 in
    ip inspect SDM_LOW in
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    interface FastEthernet0/0.10
    description $ETH-VoiceVLAN$$
    encapsulation dot1Q 10
    ip address 172.19.10.1 255.255.255.0
    ip inspect SDM_LOW in
    ip nat inside
    ip virtual-reassembly
    interface FastEthernet0/1
    description "Comcast"
    ip address PUB IP 255.255.255.248
    ip access-group 102 in
    ip inspect SDM_LOW out
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map VPN
    interface Serial0/1/0
    description "Verizon LEC Circuit ID: w0w13908 Site ID: U276420-1"
    bandwidth 1536
    no ip address
    encapsulation frame-relay IETF
    frame-relay lmi-type ansi
    interface Serial0/1/0.1 point-to-point
    bandwidth 1536
    ip address 152.000.000.18 255.255.255.252
    ip access-group 102 in
    ip verify unicast reverse-path
    ip inspect SDM_LOW out
    ip nat outside
    ip virtual-reassembly
    frame-relay interface-dlci 500 IETF 
    crypto map VPN
    service-policy output MainQOS
    interface Serial0/2/0
    description "PAETEC 46.HCGS.788446.CV (Verizon ID) / 46.HCGS.3 (PAETEC ID)"
    ip address 123.252.123.102 255.255.255.252
    ip access-group 102 in
    ip inspect SDM_LOW out
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    crypto map VPN
    service-policy output MainQOS
    ip local pool VPN_Pool 172.20.3.130 172.20.3.254
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 50.00.000.110 track 123
    ip route 0.0.0.0 0.0.0.0 111.252.237.000 254
    ip route 122.112.197.20 255.255.255.255 209.252.237.101
    ip route 208.67.220.220 255.255.255.255 50.78.233.110
    no ip http server
    no ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip flow-top-talkers
    top 20
    sort-by bytes
    ip nat inside source route-map COMCAST interface FastEthernet0/1 overload
    ip nat inside source route-map PAETEC interface Serial0/2/0 overload
    ip nat inside source route-map VERIZON interface Serial0/1/0.1 overload
    ip nat inside source static tcp 172.19.3.140 21 PUB IP 21 extendable
    ip access-list extended VOIP
    permit ip 172.20.3.0 0.0.0.127 host 172.19.3.190
    permit ip host 172.19.3.190 172.20.3.0 0.0.0.127
    ip radius source-interface FastEthernet0/0
    ip sla 1
    icmp-echo 000.67.220.220 source-interface FastEthernet0/1
    timeout 10000
    frequency 15
    ip sla schedule 1 life forever start-time now
    access-list 23 permit 172.19.3.0 0.0.0.127
    access-list 23 permit 172.19.3.128 0.0.0.127
    access-list 23 permit 173.189.251.192 0.0.0.63
    access-list 23 permit 107.0.197.0 0.0.0.63
    access-list 23 permit 173.163.157.32 0.0.0.15
    access-list 23 permit 72.55.33.0 0.0.0.255
    access-list 23 permit 172.19.5.0 0.0.0.63
    access-list 100 remark "Outgoing Traffic"
    access-list 100 deny   ip 67.128.87.156 0.0.0.3 any
    access-list 100 deny   ip host 255.255.255.255 any
    access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit tcp host 172.19.3.190 any eq smtp
    access-list 100 permit tcp host 172.19.3.137 any eq smtp
    access-list 100 permit tcp any host 66.251.35.131 eq smtp
    access-list 100 permit tcp any host 173.201.193.101 eq smtp
    access-list 100 permit ip any any
    access-list 100 permit tcp any any eq ftp
    access-list 101 remark "Interesting VPN Traffic"
    access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
    access-list 101 permit ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
    access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.10
    access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.11
    access-list 101 permit tcp any any eq ftp
    access-list 101 permit tcp any any eq ftp-data
    access-list 102 remark "Inbound Access"
    access-list 102 permit udp any host 152.179.53.18 eq non500-isakmp
    access-list 102 permit udp any host 152.179.53.18 eq isakmp
    access-list 102 permit esp any host 152.179.53.18
    access-list 102 permit ahp any host 152.179.53.18
    access-list 102 permit udp any host 209.000.000.102 eq non500-isakmp
    access-list 102 permit udp any host 209.000.000.102 eq isakmp
    access-list 102 permit esp any host 209.000.000.102
    access-list 102 permit ahp any host 209.000.000.102
    access-list 102 permit udp any host PUB IP eq non500-isakmp
    access-list 102 permit udp any host PUB IP eq isakmp
    access-list 102 permit esp any host PUB IP
    access-list 102 permit ahp any host PUB IP
    access-list 102 permit ip 72.55.33.0 0.0.0.255 any
    access-list 102 permit ip 107.0.197.0 0.0.0.63 any
    access-list 102 deny   ip 172.19.3.128 0.0.0.127 any
    access-list 102 permit icmp any any echo-reply
    access-list 102 permit icmp any any time-exceeded
    access-list 102 permit icmp any any unreachable
    access-list 102 permit icmp any any
    access-list 102 deny   ip any any log
    access-list 102 permit tcp any host 172.19.3.140 eq ftp
    access-list 102 permit tcp any host 172.19.3.140 eq ftp-data established
    access-list 102 permit udp any host SITE B Public IP  eq non500-isakmp
    access-list 102 permit udp any host SITE B Public IP  eq isakmp
    access-list 102 permit esp any host SITE B Public IP
    access-list 102 permit ahp any host SITE B Public IP
    access-list 110 remark "Outbound NAT Rule"
    access-list 110 remark "Deny VPN Traffic NAT"
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
    access-list 110 deny   ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
    access-list 110 deny   ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.11
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.10
    access-list 110 permit ip 172.19.3.128 0.0.0.127 any
    access-list 110 permit ip 172.19.10.0 0.0.0.255 any
    access-list 198 remark "Networks for IISVPN Client"
    access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127
    access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
    access-list 199 permit tcp any any eq 3389
    route-map PAETEC permit 10
    match ip address 110
    match interface Serial0/2/0
    route-map COMCAST permit 10
    match ip address 110
    match interface FastEthernet0/1
    route-map VERIZON permit 10
    match ip address 110
    match interface Serial0/1/0.1
    snmp-server community 123 RO
    radius-server host 172.19.3.7 auth-port 1645 acct-port 1646 key 7 000000000000000
    control-plane
    line con 0
    line aux 0
    line vty 0 4
    access-class 23 in
    privilege level 15
    transport input telnet ssh
    line vty 5 15
    access-class 23 in
    privilege level 15
    transport input telnet ssh
    scheduler allocate 20000 1000
    ntp server 128.118.25.3
    ntp server 217.150.242.8
    end
    IP scheme at site B:
    ip     172.19.5.x
    sub  255.255.255.292
    gw   172.19.5.65
    Cisco ASA 5505 at Site B
    ASA Version 8.2(5)
    hostname ASA5505
    domain-name domain.com
    enable password b04DSH2HQqXwS8wi encrypted
    passwd b04DSH2HQqXwS8wi encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 172.19.5.65 255.255.255.192
    interface Vlan2
    nameif outside
    security-level 0
    ip address SITE B public IP 255.255.255.224
    boot system disk0:/asa825-k8.bin
    ftp mode passive
    clock timezone est -5
    clock summer-time zone recurring last Sun Mar 2:00 last Sun Oct 2:00
    dns server-group DefaultDNS
    domain-name iis-usa.com
    same-security-traffic permit intra-interface
    object-group network old hosting provider
    network-object 72.55.34.64 255.255.255.192
    network-object 72.55.33.0 255.255.255.0
    network-object 173.189.251.192 255.255.255.192
    network-object 173.163.157.32 255.255.255.240
    network-object 66.11.1.64 255.255.255.192
    network-object 107.0.197.0 255.255.255.192
    object-group network old hosting provider
    network-object host 172.19.250.10
    network-object host 172.19.250.11
    access-list 100 extended permit ip 172.19.5.64 255.255.255.192 object-group old hosting provider
    access-list 100 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128
    access-list 10 extended deny ip 0.0.0.0 255.0.0.0 any
    access-list 10 extended deny ip 127.0.0.0 255.0.0.0 any
    access-list 10 extended deny ip 169.254.0.0 255.255.0.0 any
    access-list 10 extended deny ip 172.16.0.0 255.255.0.0 any
    access-list 10 extended deny ip 224.0.0.0 224.0.0.0 any
    access-list 10 extended permit icmp any any echo-reply
    access-list 10 extended permit icmp any any time-exceeded
    access-list 10 extended permit icmp any any unreachable
    access-list 10 extended permit icmp any any traceroute
    access-list 10 extended permit icmp any any source-quench
    access-list 10 extended permit icmp any any
    access-list 10 extended permit tcp object-group old hosting provider any eq 3389
    access-list 10 extended permit tcp any any eq https
    access-list 10 extended permit tcp any any eq www
    access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.0 255.255.255.128
    access-list 110 extended permit ip 172.19.5.64 255.255.255.192 object-group old hosting provider
    pager lines 24
    logging enable
    logging timestamp
    logging console emergencies
    logging monitor emergencies
    logging buffered warnings
    logging trap debugging
    logging history debugging
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip verify reverse-path interface inside
    ip verify reverse-path interface outside
    ip audit name jab attack action alarm drop reset
    ip audit name probe info action alarm drop reset
    ip audit interface outside probe
    ip audit interface outside jab
    ip audit info action alarm drop reset
    ip audit attack action alarm drop reset
    ip audit signature 2000 disable
    ip audit signature 2001 disable
    ip audit signature 2004 disable
    ip audit signature 2005 disable
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit 75.150.169.48 255.255.255.240 outside
    icmp permit 72.44.134.16 255.255.255.240 outside
    icmp permit 72.55.33.0 255.255.255.0 outside
    icmp permit any outside
    icmp permit 173.163.157.32 255.255.255.240 outside
    icmp permit 107.0.197.0 255.255.255.192 outside
    icmp permit 66.11.1.64 255.255.255.192 outside
    icmp deny any outside
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 100
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group 10 in interface outside
    route outside 0.0.0.0 0.0.0.0 174.78.151.225 1
    timeout xlate 3:00:00
    timeout conn 24:00:00 half-closed 0:10:00 udp 0:10:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 24:00:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http 107.0.197.0 255.255.255.192 outside
    http 66.11.1.64 255.255.255.192 outside
    snmp-server host outside 107.0.197.29 community *****
    snmp-server host outside 107.0.197.30 community *****
    snmp-server host inside 172.19.250.10 community *****
    snmp-server host outside 172.19.250.10 community *****
    snmp-server host inside 172.19.250.11 community *****
    snmp-server host outside 172.19.250.11 community *****
    snmp-server host outside 68.82.122.239 community *****
    snmp-server host outside 72.55.33.37 community *****
    snmp-server host outside 72.55.33.38 community *****
    snmp-server host outside 75.150.169.50 community *****
    snmp-server host outside 75.150.169.51 community *****
    no snmp-server location
    no snmp-server contact
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map VPNMAP 10 match address 110
    crypto map VPNMAP 10 set peer 72.00.00.7 old vpn public ip Site B Public IP
    crypto map VPNMAP 10 set transform-set ESP-3DES-MD5
    crypto map VPNMAP 10 set security-association lifetime seconds 86400
    crypto map VPNMAP 10 set security-association lifetime kilobytes 4608000
    crypto map VPNMAP interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 20
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    telnet 172.19.5.64 255.255.255.192 inside
    telnet 172.19.3.0 255.255.255.128 outside
    telnet timeout 60
    ssh 0.0.0.0 0.0.0.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 60
    console timeout 0
    management-access inside
    dhcpd dns 172.19.3.140
    dhcpd wins 172.19.3.140
    dhcpd ping_timeout 750
    dhcpd domain iis-usa.com
    dhcpd address 172.19.5.80-172.19.5.111 inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection scanning-threat shun except object-group old hosting provider
    threat-detection statistics
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server 128.118.25.3 source outside
    ntp server 217.150.242.8 source outside
    tunnel-group 72.00.00.7 type ipsec-l2l
    tunnel-group 72.00.00.7 ipsec-attributes
    pre-shared-key *****
    tunnel-group old vpn public ip type ipsec-l2l
    tunnel-group old vpn public ip ipsec-attributes
    pre-shared-key *****
    tunnel-group SITE A Public IP  type ipsec-l2l
    tunnel-group SITE A Public IP  ipsec-attributes
    pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect netbios
      inspect tftp
      inspect pptp
      inspect sip 
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:
    : end

    I have removed the old "set peer" and have added:
    IOS router:
    access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.65
    ASA fw:
    access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128
    on the router I have also added;
    access-list 110 deny  ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
    Here is my acl :
    access-list 110 remark "Outbound NAT Rule"
    access-list 110 remark "Deny VPN Traffic NAT"
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
    access-list 110 deny   ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
    access-list 110 deny   ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.11
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.10
    access-list 110 permit ip 172.19.3.128 0.0.0.127 any
    access-list 110 permit ip 172.19.10.0 0.0.0.255 any
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
    access-list 198 remark "Networks for IISVPN Client"
    access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127
    access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
    Still no ping tothe other site.

  • Cisco ASA Site to Site IPSEC VPN and NAT question

    Hi Folks,
    I have a question regarding both Site to Site IPSEC VPN and NAT. Basically what I want to achieve is to do the following:
    ASA2  is at HQ and ASA1 is a remote site. I have no problem setting up a  static static Site to Site IPSEC VPN between sites. Hosts residing at  10.1.0.0/16 are able to communicate with hosts at 192.168.1.0/24, but  what i want is to setup NAT with IPSEC VPN so that host at 10.1.0.0/16  will communicate with hosts at 192.168.1.0/24 with translated addresses
    Just an example:
    Host N2 (10.1.0.1/16) will communicate with host N1 192.168.1.5 with  destination lets say 10.23.1.5 not 192.168.1.5 (Notice the last octet  should be the same in this case .5)
    The same  translation for the rest of the communication (Host N2 pings host N3  destination ip 10.23.1.6 not 192.168.1.6. again last octet is the same)
    It sounds a bit confusing for me but i have seen this type of setup  before when I worked for managed service provider where we had  connection to our clients (Site to Site Ipsec VPN with NAT, not sure how  it was setup)
    Basically we were communicating  with client hosts over site to site VPN but their real addresses were  hidden and we were using translated address as mentioned above  10.23.1.0/24 instead of (real) 192.168.1.0/24, last octet should be the  same.
    Appreciate if someone can shed some light on it.

    Hi,
    Ok so were going with the older NAT configuration format
    To me it seems you could do the following:
    Configure the ASA1 with Static Policy NAT 
    access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
    Because the above is a Static Policy NAT it means that the translation will only be done when the destination network is 10.1.0.0/16
    If you for example have a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration wont interfere with eachother
    On ASA2 side you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network 
    access-list INSIDE-NONAT remark L2LVPN NONAT
    access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
    nat (inside) 0 access-list INSIDE-NONAT
    You will have to take into consideration that your access-list defining the L2L-VPN encrypted traffic must reflect the new NAT network 
    ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
    I could test this setup tomorrow at work but let me know if it works out.
    Please rate if it was helpful
    - Jouni

  • Need help in configuring Client to Site IPSec VPN with Hairpinning on Cisco ASA5510 8.2(1)

    Need urgent help in configuring Client to Site IPSec VPN with Hairpinning on Cisco ASA5510 - 8.2(1).
    The following is the Layout:
    There are two Leased Lines for Internet access - 1.1.1.1 & 2.2.2.2, the latter being the Standard Default route, the former one is for backup.
    I have been able to configure  Client to Site IPSec VPN
    1) With access from Outside to only the Internal Network (172.16.0.0/24) behind the asa
    2) With Split tunnel with simultaneous assess to internal LAN and Outside Internet.
    But I have not been able to make tradiotional Hairpinng model work in this scenario.
    I followed every possible sugestions made in this regard in many Discussion Topics but still no luck. Can someone please help me out here???
    Following is the Running-Conf with Normal Client to Site IPSec VPN configured with No internat Access:
    LIMITATION: Can't Boot into any other ios image for some unavoidable reason, must use 8.2(1)
    running-conf  --- Working  normal Client to Site VPN without internet access/split tunnel
    ASA Version 8.2(1)
    hostname ciscoasa
    domain-name cisco.campus.com
    enable password xxxxxxxxxxxxxx encrypted
    passwd xxxxxxxxxxxxxx encrypted
    names
    interface GigabitEthernet0/0
    nameif internet1-outside
    security-level 0
    ip address 1.1.1.1 255.255.255.240
    interface GigabitEthernet0/1
    nameif internet2-outside
    security-level 0
    ip address 2.2.2.2 255.255.255.224
    interface GigabitEthernet0/2
    nameif dmz-interface
    security-level 0
    ip address 10.0.1.1 255.255.255.0
    interface GigabitEthernet0/3
    nameif campus-lan
    security-level 0
    ip address 172.16.0.1 255.255.0.0
    interface Management0/0
    nameif CSC-MGMT
    security-level 100
    ip address 10.0.0.4 255.255.255.0
    boot system disk0:/asa821-k8.bin
    boot system disk0:/asa843-k8.bin
    ftp mode passive
    dns server-group DefaultDNS
    domain-name cisco.campus.com
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group network cmps-lan
    object-group network csc-ip
    object-group network www-inside
    object-group network www-outside
    object-group service tcp-80
    object-group service udp-53
    object-group service https
    object-group service pop3
    object-group service smtp
    object-group service tcp80
    object-group service http-s
    object-group service pop3-110
    object-group service smtp25
    object-group service udp53
    object-group service ssh
    object-group service tcp-port
    object-group service udp-port
    object-group service ftp
    object-group service ftp-data
    object-group network csc1-ip
    object-group service all-tcp-udp
    access-list INTERNET1-IN extended permit ip host 1.2.2.2 host 2.2.2.3
    access-list CSC-OUT extended permit ip host 10.0.0.5 any
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq www
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq https
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ssh
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ftp
    access-list CAMPUS-LAN extended permit udp 172.16.0.0 255.255.0.0 any eq domain
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq smtp
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq pop3
    access-list CAMPUS-LAN extended permit ip any any
    access-list csc-acl remark scan web and mail traffic
    access-list csc-acl extended permit tcp any any eq smtp
    access-list csc-acl extended permit tcp any any eq pop3
    access-list csc-acl remark scan web and mail traffic
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 993
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq imap4
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 465
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq www
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq https
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq smtp
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq pop3
    access-list INTERNET2-IN extended permit ip any host 1.1.1.2
    access-list nonat extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
    access-list DNS-inspect extended permit tcp any any eq domain
    access-list DNS-inspect extended permit udp any any eq domain
    access-list capin extended permit ip host 172.16.1.234 any
    access-list capin extended permit ip host 172.16.1.52 any
    access-list capin extended permit ip any host 172.16.1.52
    access-list capin extended permit ip host 172.16.0.82 host 172.16.0.61
    access-list capin extended permit ip host 172.16.0.61 host 172.16.0.82
    access-list capout extended permit ip host 2.2.2.2 any
    access-list capout extended permit ip any host 2.2.2.2
    access-list campus-lan_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.150.0 255.255.255.0
    pager lines 24
    logging enable
    logging buffered debugging
    logging asdm informational
    mtu internet1-outside 1500
    mtu internet2-outside 1500
    mtu dmz-interface 1500
    mtu campus-lan 1500
    mtu CSC-MGMT 1500
    ip local pool vpnpool1 192.168.150.2-192.168.150.250 mask 255.255.255.0
    ip verify reverse-path interface internet2-outside
    ip verify reverse-path interface dmz-interface
    ip verify reverse-path interface campus-lan
    ip verify reverse-path interface CSC-MGMT
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-621.bin
    no asdm history enable
    arp timeout 14400
    global (internet1-outside) 1 interface
    global (internet2-outside) 1 interface
    nat (campus-lan) 0 access-list campus-lan_nat0_outbound
    nat (campus-lan) 1 0.0.0.0 0.0.0.0
    nat (CSC-MGMT) 1 10.0.0.5 255.255.255.255
    static (CSC-MGMT,internet2-outside) 2.2.2.3 10.0.0.5 netmask 255.255.255.255
    access-group INTERNET2-IN in interface internet1-outside
    access-group INTERNET1-IN in interface internet2-outside
    access-group CAMPUS-LAN in interface campus-lan
    access-group CSC-OUT in interface CSC-MGMT
    route internet2-outside 0.0.0.0 0.0.0.0 2.2.2.5 1
    route internet1-outside 0.0.0.0 0.0.0.0 1.1.1.5 2
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication enable console LOCAL
    http server enable
    http 10.0.0.2 255.255.255.255 CSC-MGMT
    http 10.0.0.8 255.255.255.255 CSC-MGMT
    http 1.2.2.2 255.255.255.255 internet2-outside
    http 1.2.2.2 255.255.255.255 internet1-outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map internet2-outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map internet2-outside_map interface internet2-outside
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ca certificate chain _SmartCallHome_ServerCA
    certificate ca xyzxyzxyzyxzxyzxyzxyzxxyzyxzyxzy
            a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as
      quit
    crypto isakmp enable internet2-outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes
    hash md5
    group 2
    lifetime 86400
    telnet 10.0.0.2 255.255.255.255 CSC-MGMT
    telnet 10.0.0.8 255.255.255.255 CSC-MGMT
    telnet timeout 5
    ssh 1.2.3.3 255.255.255.240 internet1-outside
    ssh 1.2.2.2 255.255.255.255 internet1-outside
    ssh 1.2.2.2 255.255.255.255 internet2-outside
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy VPN_TG_1 internal
    group-policy VPN_TG_1 attributes
    vpn-tunnel-protocol IPSec
    username ssochelpdesk password xxxxxxxxxxxxxx encrypted privilege 15
    username administrator password xxxxxxxxxxxxxx encrypted privilege 15
    username vpnuser1 password xxxxxxxxxxxxxx encrypted privilege 0
    username vpnuser1 attributes
    vpn-group-policy VPN_TG_1
    tunnel-group VPN_TG_1 type remote-access
    tunnel-group VPN_TG_1 general-attributes
    address-pool vpnpool1
    default-group-policy VPN_TG_1
    tunnel-group VPN_TG_1 ipsec-attributes
    pre-shared-key *
    class-map cmap-DNS
    match access-list DNS-inspect
    class-map csc-class
    match access-list csc-acl
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class csc-class
      csc fail-open
    class cmap-DNS
      inspect dns preset_dns_map
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum: y0y0y0y0y0y0y0y0y0y0y0y0y0y
    : end
    Neither Adding dynamic NAT for 192.168.150.0/24 on outside interface works, nor does the sysopt connection permit-vpn works
    Please tell what needs to be done here, to hairpin all the traffic to internet comming from VPN Clients.
    That is I need clients conected via VPN tunnel, when connected to internet, should have their IP's NAT'ted  against the internet2-outside interface address 2.2.2.2, as it happens for the Campus Clients (172.16.0.0/16)
    I'm not much conversant with everything involved in here, therefore please be elaborative in your replies. Please let me know if you need any more information regarding this setup to answer my query.
    Thanks & Regards
    maxs

    Hi Jouni,
    Thanks again for your help, got it working. Actually the problem was ASA needed some time after configuring to work properly ( ?????? ). I configured and tested several times within a short period, during the day and was not working initially, GUI packet tracer was showing some problems (IPSEC Spoof detected) and also there was this left out dns. Its working fine now.
    But my problem is not solved fully here.
    Does hairpinning model allow access to the campus LAN behind ASA also?. Coz the setup is working now as i needed, and I can access Internet with the NAT'ed ip address (outside-interface). So far so good. But now I cannot access the Campus LAN behind the asa.
    Here the packet tracer output for the traffic:
    packet-tracer output
    asa# packet-tracer input internet2-outside tcp 192.168.150.1 56482 172.16.1.249 22
    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    Phase: 2
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow
    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   172.16.0.0      255.255.0.0     campus-lan
    Phase: 4
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.150.1   255.255.255.255 internet2-outside
    Phase: 5
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group internnet1-in in interface internet2-outside
    access-list internnet1-in extended permit ip 192.168.150.0 255.255.255.0 any
    Additional Information:
    Phase: 6
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 7
    Type: CP-PUNT
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 8
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 9
    Type: NAT-EXEMPT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 10
    Type: NAT
    Subtype:     
    Result: DROP
    Config:
    nat (internet2-outside) 1 192.168.150.0 255.255.255.0
      match ip internet2-outside 192.168.150.0 255.255.255.0 campus-lan any
        dynamic translation to pool 1 (No matching global)
        translate_hits = 14, untranslate_hits = 0
    Additional Information:
    Result:
    input-interface: internet2-outside
    input-status: up
    input-line-status: up
    output-interface: internet2-outside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    The problem here as you can see is the Rule for dynamic nat that I added to make hairpin work at first place
    dynamic nat
    asa(config)#nat (internet2-outside) 1 192.168.150.0 255.255.255.0
    Is it possible to access both
    1)LAN behind ASA
    2)INTERNET via HAIRPINNING  
    simultaneously via a single tunnel-group?
    If it can be done, how do I do it. What changes do I need to make here to get simultaneous access to my LAN also?
    Thanks & Regards
    Abhijit

  • How to handle multiple site to site IPsec vpn on ASA, any best practice to to manage multiple ipsec vpn configrations

    how to handle multiple site to site IPsec vpn on ASA, any best practice to to manage multiple ipsec vpn configurations
    before ver 8.3 and after version 8.3 ...8.4.. 9 versions..

    Hi,
    To my understanding you should be able to attach the same cryptomap to the other "outside" interface or perhaps alternatively create a new crypto map that you attach only to your new "outside" interface.
    Also I think you will probably need to route the remote peer ip of the VPN connection towards the gateway IP address of that new "outside" and also the remote network found behind the VPN connection.
    If you attempt to use VPN Client connection instead of L2L VPN connection with the new "outside" interface then you will run into routing problems as naturally you can have 2 default routes active at the sametime (default route would be required on the new "outside" interface if VPN Client was used since you DONT KNOW where the VPN Clients are connecting to your ASA)
    Hope this helps
    - Jouni

  • P2P VPN problem

    I have a Pix 515 at one site that I need to set up with P2P VPN access to another site. My problem is that the outside interface of the Pix is not an external IP address. The border router that I have at the location has two separate internet T1s coming into it from two separate ISPs. So connection between the border router and the Pix is a 172.16.x.x/30 and we route all traffic down that, then we use route mapping to force specific traffic down one of the internet pipes based on the source IP (using NAT).
    Since the firewall's ouside interface is a 172.16.x.x/30 address instead of a real world external IP how do I set it up for the P2P VPN?

    You will need to have a public IP address to setup the VPN and this can not be done with a private IP address. Following links may help you
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fad90.shtml

  • VPN Problems ASA 5505 to 7206 Router MM_WAIT_MSG2

    Hi
    Since I swapped a Pix Firewall for a Cisco ASA 5505 Firewall at one of our Sites the VPN Tunnel wont come up
    I'm getting this:
    asaXXXXX# sho crypto isakmp sa
       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1
    1   IKE Peer: 10.150.242.23
        Type    : user            Role    : initiator
        Rekey   : no              State   : MM_WAIT_MSG2
    asaXXXXX#
    below is the crypto relevant settings off the ASA:
    access-list outside_cryptomap_10 extended permit ip object-group Net_Inside any
    access-list outside extended permit ip object-group Network_PPCUK any log debugging
    access-list outside extended permit icmp any any
    access-list outside extended permit ip object-group Network_QSec any log debugging
    access-list inside extended permit ip object-group Net_Inside any
    access-list inside extended permit icmp any any
    access-list inside_nat0_outbound extended permit ip 10.xxx.xxx.x 255.255.255.192 any
    access-list outside_1_cryptomap extended permit ip 10.xxx.xxx.x 255.255.255.192 any
    access-list vpn extended permit ip object-group Net_Inside any
    access-list outside_cryptomap_11 extended permit ip 10.xxx.xxx.x 255.255.255.192 any
    crypto ipsec transform-set vue2 esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 14400
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map site-crypto-map 10 match address outside_cryptomap_11
    crypto map site-crypto-map 10 set pfs
    crypto map site-crypto-map 10 set peer 10.150.242.23
    crypto map site-crypto-map 10 set transform-set ESP-3DES-SHA
    crypto map site-crypto-map 10 set security-association lifetime seconds 14400
    crypto map site-crypto-map 10 set security-association lifetime kilobytes 209715
    crypto map site-crypto-map 10 set trustpoint ukpvca
    crypto map site-crypto-map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 14400
    crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp am-disable
    below is the crypto map settings off the 7206 Head End Router:
    crypto isakmp policy 10
    encr 3des
    group 2
    lifetime 14400
    crypto isakmp identity hostname
    crypto isakmp keepalive 30 3
    crypto ipsec security-association lifetime kilobytes 2097152
    crypto ipsec security-association lifetime seconds 14400
    crypto ipsec transform-set xxx ah-sha-hmac esp-3des esp-sha-hmac
    crypto ipsec transform-set xxxx esp-3des esp-sha-hmac
    crypto map vue 2148 ipsec-isakmp
    set peer 10.155.248.82
    set transform-set vue2
    set pfs group2
    match address SITENAME
    This 7206 Router has 140 VPN Tunnels running on it and the rest are all ok only this one Site thats not working
    Any feedback would be much appreciated!
    Thanks
    CLIGuru

    Hi
    I've compared the configs to a known working ASA and theylook identical
    I ran a debug crypto isakmp  251 and got the following:
    Aug 16 14:29:11 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Aug 16 14:29:11 [IKEv1]: IP = 10.150.242.23, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Aug 16 14:29:11 [IKEv1]: IP = 10.150.242.23, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
    Aug 16 14:29:12 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Aug 16 14:29:12 [IKEv1]: IP = 10.150.242.23, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Aug 16 14:29:13 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Aug 16 14:29:13 [IKEv1]: IP = 10.150.242.23, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Aug 16 14:29:13 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Aug 16 14:29:13 [IKEv1]: IP = 10.150.242.23, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Aug 16 14:29:14 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Aug 16 14:29:14 [IKEv1]: IP = 10.150.242.23, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Aug 16 14:29:15 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Aug 16 14:29:15 [IKEv1]: IP = 10.150.242.23, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Aug 16 14:29:15 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Aug 16 14:29:15 [IKEv1]: IP = 10.150.242.23, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    en P1 SA is complete.
    Aug 16 14:29:37 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Aug 16 14:29:37 [IKEv1]: IP = 10.150.242.23, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Aug 16 14:29:38 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Aug 16 14:29:38 [IKEv1]: IP = 10.150.242.23, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Aug 16 14:29:38 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Aug 16 14:29:38 [IKEv1]: IP = 10.150.242.23, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Aug 16 14:29:39 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Aug 16 14:29:39 [IKEv1]: IP = 10.150.242.23, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Strange eh ?!

  • Looking for a site that shows problems with windows patches or updates.

    Looking for a site that shows problems with windows patches or updates...so I know what not to install.
    Plenty of sites list and summarize individual patches, I want one that consolidates problems and complaints so I can better assess the risk. Currently I'm waiting to install patches several days and doing google searches. That works, but I'd rather find a place
    that does it with expertise.
    Which forums would be best to look for such problems.
    Thanks in and advance for suggestions

    Hi,
    I agreed with Cyber and Rick.
    Windows update helps to keep your PC safer—and your software current—by fetching the latest security and feature updates from Microsoft via the Internet.
    Although there might be some problems when installing it, Windows update is not the one to blame.
    For troubleshooting Windows updates, if needed:
    Fix Microsoft Windows Update Issues
    http://support2.microsoft.com/gp/windows-update-issues
    Best regards
    Michael Shao
    TechNet Community Support

  • I have been exporting lightroom webgaleries to my iweb site without any problem.  Suddenly I get the error message "finder can't complete the operation because some data can't be read or written" - error code -36 - thoughts?

    i have been exporting lightroom web galleries to my iweb site without any problem.  Suddenly I get the error message "finder can't complete the operation because some data can't be read or written" - error code -36 - and the move to the sites folder on my idisk fails..... thoughts?

    Try this community: MobileMe on my Mac: MobileMe: Apple Support Communities.
    And you can continue to use iWeb for some time to come. The following will explain:
    It's now confirmed that iWeb and iDVD have been discontinued by Apple. This is evidenced by the fact that new Macs are shipping with iLife 11 installed but without iWeb and iDVD.
    On June 30, 2012 MobileMe will be shutdown. HOWEVER, iWeb will still continue to work but without the following:
    Features No Longer Available Once MobileMe is Discontinued:
    ◼ Password protection
    ◼ Blog and photo comments
    ◼ Blog search
    ◼ Hit counter
    ◼ MobileMe Gallery
    All of these features can be replaced with 3rd party options.
    I found that if I published my site to a folder on my hard drive and then uploaded with a 3rd party FTP client subscriptions to slideshows and the RSS feed were broken.  If I published directly from iWeb to the FPT server those two features continued to work correctly.
    There's another problem and that's with iWeb's popup slideshows.  Once the MMe servers are no longer online the popup slideshow buttons will not display their images.
    Click to view full size
    However, Roddy McKay and I have figured out a way to modify existing sites with those slideshows and iWeb itself so that those images will display as expected once MobileMe servers are gone.  How to is described in this tutorial: #26 - How to Modify iWeb So Popup Slideshows Will Work After MobileMe is Discontinued.
    In addition the iLife suite of applications offered on disc is now a discontinued product and the remaining supported iApps will only be available thru the App Store from now on.
    HOWEVER, the iLife 11 boxed version that is still currently available at the online Apple Store (Store button at the top of the page) and those copies still on the shelves of retailers will include iWeb and iDVD.

  • Android 4.4.2 KitKat - Bugs - VPN problem/lockscreen options not working/Walkman Shake not working

    With the new KitKat update (20.1.A.0.47) trying to open VPN from Settings, the Settings app crashes and restarts. Due to that, in Security, the None and Swipe lockscreen options are disabled, leaving PIN, Password, and Pattern the only options. Why is that / is it ever gonna be fixed? 
    Oh and it didn't happen on 4.3... Now, when a music is playing in Walkman, when pressing the Walkman button and shaking the phone as I did on JB will pause the song, as if I didn't shake the phone. On Jelly Bean, this feature worked. This should get fixed too.

    Hi guys, sony seems to have solved the problem in an update in...india. I only found that and not tested yet : http://www.xperiablog.net/2015/05/22/small-update-rolling-for-xperia-e1-20-1-a-2-19-and-e1-dual-20-1-b-2-29/ It solves the lockscreen and VPN problem. Test and say if it works or not. I hope they will relase an european version soon.

  • Connecting Multiple Remote Sites with VPN Passthrough

    I have several Win2003SBS sites requiring VPN passthrough from remote clients some using the VPN Connectoid supplied with the SBS (on the RWW - "Download Connection Manager". The requirement is for an DSL modem router with at least 10 tunnels which also supports GRE. The device should support ADSL2 as a minimum and SDSL is preferred.
    A more detailed diagram is attached. Access to the Web Server will be required from both the LAN and WAN sides later.
    Any suggestions please?

    3700 Series multiservice access routers supports GRE, SDSL, ADSL.Refer the following URL for more information
    http://cisco.com/en/US/products/hw/routers/ps282/products_data_sheet09186a00800921f0.html

  • Advice with Site-toSite VPN Setup

    Hi all
    I'm needing to set up a site to site VPN specifically for deploying multiple IP phones at a remote site.  I need help selecting the right hardware.
    At my central site with the phone system (Samsung 7100) I have an ADSL connection using a Linksys AG300 dedicated to the phone connection.  At my remote site I currently do not have a device, though have been playing with a DLink dir-130 that refuses to play nice with the AG300.  The remote site connects to the interweb via a router I don't control but will do VPN passthrough.
    My central site is a static IP, but the remote site is not.
    Can anyone suggest the right peace of kit.  The rv042 looks like it may be OK, but I need to be certain.  Note that the devices either end will be the VPN endpoints ie no servers/firewall appliances either end.
    TIA

    Hi Nigel,.
    I will give you some choices and some basic reasons for my selection. There are a lot more routers in the portfolio, but from your posting you seem to intinate you want to check out the  lower priced Cisco Small Business products. 
    1.SR520-FE-K9
    A very very low cost Cisco IOS based router.
    it offers the advantages of Cisco IOS CLI in a low low price
    excellent debugging
    excellent counters
    can be managed by the free utility Cisco Configuration Assistant
    supported by Cisco TAC
    Allows for site to site IPSec VPN tunnels
    There are two  ADSL variants   SR520-ADSL-K9 SR520-ADSLI-K9
    Wireless versions as well..but check datasheet.
    2. RV220W  or RV120W (relatively new)
    Gui only configuration
    provides IPSec tunnel between gateways
    enhanced software  compared to older WRV2XX
    VLAN and trunk support
    PPTP server (with RV220W)
    Gig wan and LAN ports on the RV220w
    supported by Cisco Small Business Support Center
    3. RV042  (refresh of a popular router , newly released Version 3 hardware and new firmware)
    Gui only configuration
    provides IPSec tunnel between gateways
    impoved software
    VLAN and trunk support
    PPTP server as well
    supported by Cisco Small Business Support Center
    Moving up in features and price, you could check out the;
    4. SA500 series ( with newly released version 2 firmware)
    A very capable box offering IPSec tunnels as well as
    termination for SSL client vpn tunnels
    option for IPS, content filtering , trend integration
    But spend some time and really  and check out the dataheets on all these products.
    Also, If you are a cisco partner there is a management GUI  emulator for the RV220W, RV120W, SA500.  It does go too deeply into the configuration as it only is a emulator, but it provides a great insight into how easy these products are to configure via their built in GUI's.
    https://supportforums.cisco.com/community/netpro/small-business/onlinedemos?view=overview%20target=
    regards Dave

  • Hi, since installing mountain lion on my macbook, it wont download pdf files from internet sites, the same problem does not exist on my mac mini, i am using firefox on both macs, please help!

    Hi, since installing mountain lion on my macbook, it wont download pdf files from internet sites, the same problem does not exist on my mac mini, i am using firefox on both macs, please help!

    Back up all data.
    Quit Safari. In the Finder, select Go ▹ Go to Folder... from the menu bar, or press the key combination shift-command-G. Copy the line of text below into the box that opens, and press return:
    /Library/Internet Plug-ins
    From the folder that opens, remove any items that have the letters “PDF” in the name. You may be prompted for your login password. Then launch Safari and test.
    If you still have the issue, repeat with this line:
    ~/Library/Internet Plug-ins
    If you don’t like the results of this procedure, restore the items from the backup you made before you started. Relaunch Safari again.

  • Cisco ASA 5505 Site to Site VPN Problem

    Hi All,
    We have a site to site VPN with a cisco asa 5505 on one end and a Checkpoint firewall on the other end.
    We can establish the vpn tunnel and all users in the remote office are working great. However at a random point during the day or it may even be after 2 weeks of working, the tunnel between the sites automatically fails.
    When I dial into the modem which is connected to the firewall I see the following messages in the logs:
    Sep 14 2011 16:40:02: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, QM FSM error (P2 struct &0x42314d8, mess id 0xa18dcb12)!
    Sep 14 2011 16:40:02: %ASA-1-713900: Group = *.*.*.*, IP = *.*.*.*, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
    Sep 14 2011 16:40:02: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, Removing peer from correlator table failed, no match!
    Sep 14 2011 16:40:14: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, QM FSM error (P2 struct &0x426b988, mess id 0xf0160f94)!
    Sep 14 2011 16:40:14: %ASA-1-713900: Group = *.*.*.*, IP = *.*.*.*, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
    Sep 14 2011 16:40:14: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, Removing peer from correlator table failed, no match!
    Sep 14 2011 16:40:02: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, QM FSM error (P2 struct &0x42314d8, mess id 0xa18dcb12)!
    Sep 14 2011 16:40:02: %ASA-1-713900: Group = *.*.*.*, IP = *.*.*.*, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
    Sep 14 2011 16:40:02: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, Removing peer from correlator table failed, no match!
    Sep 14 2011 16:40:14: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, QM FSM error (P2 struct &0x426b988, mess id 0xf0160f94)!
    Sep 14 2011 16:40:14: %ASA-1-713900: Group = *.*.*.*, IP = *.*.*.*, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
    Sep 14 2011 16:40:14: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, Removing peer from correlator table failed, no match!
    There is nothing in the Checkpoint logs. To solve the issue I have to reload the firewall.
    I have checked both firewalls for any mis-matched parameters and do not see any.
    Any help is very much appreciated as it is very frustrating for myself and the users in the remote office.
    Thanks!

    Also to note, PFS is enabled on both firewalls. Config on Cisco ASA firewall as follows:
    hostname
    domain-name
    enable passwordpasswd names
    interface Vlan701
    nameif inside
    security-level 100
    ip address 10.65.0.69 255.255.255.252
    interface Vlan999
    nameif outside
    security-level 0
    ip address ******  255.255.255.248
    interface Ethernet0/0
    description Link to Internet
    switchport access vlan 999
    interface Ethernet0/1
    description
    switchport access vlan 701
    interface range Ethernet0/2 - 0/7
    switchport access vlan 2
    shutdown
    ftp mode passive
    dns server-group DefaultDNS
    domain-name******
    access-list 101 extended permit ip host ****** 172.25.0.0 255.255.0.0
    access-list 101 extended permit ip 10.65.0.64 255.255.255.192 172.25.0.0 255.255.0.0
    access-list 101 extended permit ip 10.65.0.64 255.255.255.192 172.28.0.0 255.255.0.0
    access-list 101 extended permit ip 10.65.0.64 255.255.255.192 172.26.0.0 255.255.0.0
    access-list 101 extended permit ip 10.65.0.64 255.255.255.192 172.16.0.0 255.248.0.0
    access-list 101 extended permit ip 10.65.0.64 255.255.255.192 10.72.0.0 255.255.0.0
    access-list 101 extended permit ip 10.65.0.64 255.255.255.224 10.68.2.0 255.255.255.0
    access-list 101 extended permit ip 10.65.0.64 255.255.255.192 10.151.10.0 255.255.255.0
    access-list 101 extended permit ip 10.65.0.64 255.255.255.192 host ******
    access-list 101 extended permit ip 10.65.0.64 255.255.255.192 ******* 255.255.255.0
    access-list nonat extended permit ip 10.65.0.64 255.255.255.192 172.25.0.0 255.255.0.0
    access-list nonat extended permit ip 10.65.0.64 255.255.255.192 172.28.0.0 255.255.0.0
    access-list nonat extended permit ip 10.65.0.64 255.255.255.192 172.26.0.0 255.255.0.0
    access-list nonat extended permit ip 10.65.0.64 255.255.255.192 172.16.0.0 255.248.0.0
    access-list nonat extended permit ip 10.65.0.64 255.255.255.192 10.72.0.0 255.255.0.0
    access-list nonat extended permit ip 10.65.0.64 255.255.255.224 10.68.2.0 255.255.255.0
    access-list nonat extended permit ip 10.65.0.64 255.255.255.192 10.151.10.0 255.255.255.0
    access-list nonat extended permit ip 10.65.0.64 255.255.255.192 ******** 255.255.255.0
    pager lines 24
    logging enable
    logging timestamp
    logging buffered warnings
    logging trap warnings
    logging asdm informational
    logging host outside *****
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm history enable
    arp timeout 14400
    nat (inside) 0 access-list nonat
    route inside ******
    route outside 0.0.0.0 0.0.0.0 ********
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    snmp-server location **:
    snmp-server contact **
    snmp-server community shortkey
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    snmp-server enable traps syslog
    crypto ipsec transform-set 3desmd5 esp-3des esp-md5-hmac
    crypto map CASGMAP 50 match address 101
    crypto map CASGMAP 50 set pfs group1
    crypto map CASGMAP 50 set peer ********
    crypto map CASGMAP 50 set transform-set 3desmd5
    crypto map CASGMAP 50 set security-association lifetime seconds 3600
    crypto map CASGMAP interface outside
    crypto isakmp enable outside
    crypto isakmp policy 20
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    telnet **** inside
    telnet timeout 5
    ssh **** inside
    ssh **** outside
    ssh timeout 5
    console timeout 30
    management-access inside
    dhcpd ping_timeout 750
    priority-queue outside
    ntp server **
    username ***
    tunnel-group ******** type ipsec-l2l
    tunnel-group ******** ipsec-attributes
    pre-shared-key ***
    class-map VoIP
    match dscp ef
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map General-purpose
    class VoIP
    priority
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect http
    service-policy General-purpose interface outside
    prompt hostname context

  • VPN problem behind ASA5505 -regular translation creation failed for protocol 50

    Dear All,
    I have to connect behind my ASA5505 with an VPN klient to an other site.
    First time i got this failure.
    "Deny protocol 50 src inside:192.168.50.X dst  outside:x.x.x.x by access-group "acl_in" [0x0, 0x0]"
    Than I opened our inside (src 192.168.50.0) network  the UDP 500,4500 TCP 500,4500,10000 and ESP (dest x.x.x.x remote firewall ip).
    access-list acl_in extended permit esp host 192.168.50.0  host x.x.x.x eq isakmp
    access-list acl_in extended permit udp host 192.168.50.0  host x.x.x.x eq 500
    access-list acl_in extended permit eudp host 192.168.50.0  host x.x.x.x eq 4500
    etc.
    After that i could connect for the remote firewall with vpn client but i couldn't reach any PC1s on there side and ping gives back no anwser.
    Deny protocol 50 was solved but i got an other problem:
    "regular translation creation failed for protocol 50 src  inside:192.168.50.X dst outside:x.x.x.x"
    I found somewhere thet lines can help:
    crypto isakmp nat-traversal
    inspect ipsec-pass-thru
    But this wasn't usefull.
    I tried a many thing but i'm stuck.
    Could somebody help me what can i do to solve this problem?
    Thanks for all anwsers!

    The solution was the following for one IP!
    object network x.x.x.x                      (inside IP)
       host x.x.x.x                                  (inside IP)
       nat (inside,outside) static y.y.y.y     (remote IP)

Maybe you are looking for

  • Firefox becomes really slow then eventually unresponsive when loading a page with many hires images. Unsual high memory usage up to 2gigs just for firefox. Was never a problem with v3.6.

    When loading a page with many hires images, Firefox becomes really slow and scrolling becomes jumpy then eventually becomes completely unresponsive. Unusual high memory usage of up to 2gigs just for firefox when loading these pages. This was never a

  • Write Special Characters in PDF file from SAP Script

    Hi there, Need a quick help... We are converting SAP Script to PDF using the function module CONVERT_OTF and saving the file on presentation server using GUI_DOWNLOAD... But in certain cases where the item text is maintained with some special charact

  • How to upload multiple images

    Hey folks.      I have 10 file upload files for users to upload up to 10 different images into the same folder, but not sure how i should go about it. I did 10 different inserts, but it seemed very "chicken scratch" type coding. Not sure how to do it

  • Attribute variable

    Hi Guys,      I remember I have used the attribute variable for planning folder at my previous client who use BW 3.5 and SEM 4.0. My current cleint is only use BW 3.5. and when I in the t code UPSPM trying to configure the attribute variable, none of

  • Authorization Tab Missing

    Hi, I'm working on Easy DMS 7.0.We are using ECC 5.0.In either of the transactions CV* there is no tab for authorizations. Also there is no such in spro as "Activate ACl & Document Browser" which i can see in ECC 6.0. Any help regarding this would be