Span port with Pix 501?

I want to use an open source IDS for my small network. I have a Pix 501 and I would like to span one of the ports from the integrated four port switch so my IDS can see all the traffic. Is this possible or is the integrated switch too basic? I have a Cisco 3550 in storage that I could use if needed, but I really don't have a good place to put it. Thanks in advance!

Hi .. yes, in fact the switch on the 501 is basically for extending your port density limits.
I suggest connecting the desired port to a hub and then plugging the IDS into the hub. The IDS will then get all the packets ..
I hope it helps ... please rate it if it does !!!

Similar Messages

  • DMZ zone with PIX 501

    - How do I setup a DMZ zone with PIX 501 firewall? Do I need to use an additional router? I have CISCO 1605 at my disposal.
    - If I can't do that, what would be an alternative way to set an FTP server similarly to the DMZ way.
    (We're using IPsec/GRE VPN between our 3 sites. we're on W2K network).
    thanks,
    oleg

    When talking about setting up a DMZ, a PIX model with at least three interfaces is required. On a PIX 501, only two interfaces are available, an outside interface (ethernet) and an inside interface (available as a 4 port switch). For setting up a DMZ, you will need an additional interface and that would mean getting a higher model of the PIX. The idea of using a router on the inside interface and then configuring restrictive policies on it might work but will make the setup messy and you are unlikely to find a satisfactory level of support for it for the simple reason that not many networks are deployed that way.

  • Manual key negotiation with pix 501

    how to use manual key negotiation with pix 501 6.3 to solve VPN tunnel negotiation problem

    http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/ipsecint.html#wp1045493
    "Manual configuration of SAs is not supported on the PIX 501 because of the restriction in the number of ISAKMP peers allowed on that platform."
    However I'm sure a proper solution can be found to your original problem (establishing VPN with huawei)
    Please rate helpful posts.
    Regards
    Farrukh

  • Q about DNS with PIX 501 as PPPoE client

    Hi!
    I've got PIX 501 (PixOS 6.3.5) acting as PPPoE client. Outside interface gets IP and DNS addresses from access concentrator.
    There is an example in config guide how to set DNS address (got from concentrator) for DHCP daemon in PIX, so clients in LAN can get that DNS address so.
    But I don't use DHCP in LAN. Is there a way to set PIX inside address as DNS on LAN clients and make PIX somehow redirect DNS request to PPPoE DNS server by itself? (same as on simplest linux-build SOHO box by Linksys etc)
    Thanks!

    In this example, the intent is for the machines in the 10.10.10.0 /24 network to access this web server in the DMZ by its external You do not want the PIX to do DNS Doctoring of the DNS replies. Instead, you want the PIX to dnat the external (global) IP address of the web server to its "real" DMZ address (192.168.100.10).
    Use the alias command to perform dnat:
    alias(inside) 10.99.99.99 192.168.100.10 255.255.255.224

  • Trouble with PIX 501 user limit?

    I have installed a Cisco PIX 501 at a client's site, and now a couple of weeks later we are having an issue where some computers cannot access the Internet. The PCs can ping the internal interface of the firewall, and can resolve hostnames. But about three of them cannot ping public IP addresses. I thought the arp cache might be corrupted on the switch, so we restarted that to no good effect.
    I suspect that the client has somehow run up against the 10-user limit for their PIX 501 license.
    The site has eight PCs and a server, so it doesn't seem like they should be going over the 10-user limit.
    I'm not much of an expert when it comes to the PIX, so I wonder if someone can tell me how to determine whether this is the case, and maybe give me some tips on how to resolve the issue?
    Thanks very much for any advice you can offer.
    Best regards,
    Zac

    Any chance you can help me make sense of this? Does it really look like we have exceeded the number of allowed connections by over 3400?
    pixfirewall# show local-host
    Interface inside: 10 active, 10 maximum active, 3493 denied
    local host: <192.168.1.2>,
    TCP connection count/limit = 12/unlimited
    TCP embryonic count = 2
    TCP intercept watermark = unlimited
    UDP connection count/limit = 0/unlimited
    AAA:
    Xlate(s):
    PAT Global 67.115.121.230(38600) Local 192.168.1.2(3553)
    PAT Global 67.115.121.230(51033) Local 192.168.1.2(3215)
    PAT Global 67.115.121.230(51037) Local 192.168.1.2(3230)
    PAT Global 67.115.121.230(51050) Local 192.168.1.2(3271)
    PAT Global 67.115.121.230(55215) Local 192.168.1.2(4084)
    PAT Global 67.115.121.230(55228) Local 192.168.1.2(4136)
    PAT Global 67.115.121.230(55231) Local 192.168.1.2(4139)
    etc, etc.

  • PIX 501 keeps rebooting

    Hi,
    We have four remote sites with PIX 501's.
    They are approximately two years old, but we are unaware of how long this issue has persisted.
    We have found all of them incredibly sensitive to movement. If you stamp on the floor near one of them, it will reboot.
    If you keep a console cable connected, you can see it just looks like a power cycle, as though there was a short or a small power outage.
    What gets me is, it seems to affect all of them.
    We are finding this difficult to deal with because it brings the VPNs we run offline, and they often take some time to reconnect.

    Hi,
    We have taken the devices out of their homes and tested in our office, so it's not a power outlet issue.
    We have swapped power supplies, but as all four have the issue, it's hard to rule out the supplies.
    Insulating material would only be a temporary fix, as they are SO sensitive, I doubt we could really protect them. Is this common?

  • Pix 501 Port Redirection with outside Dyn IP for DVR

    Hi,
    I have a pix 501 6.3 version soft. I need to access my cameras from the net. the camera address is 192.168.1.60:1042
    my ISP outside  is dynamic.
    The following is my config, please let me know what is wrong with it.
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password bJT00RrZ7Q9S5J1B encrypted
    passwd bJT00RrZ7Q9S5J1B encrypted
    hostname Haiyai
    domain-name ciscopix.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list outside permit tcp any interface outside eq 1042
    access-list outside deny ip any any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface 1042 192.168.1.60 1042 netmask 255.255.255.255 0 0
    access-group outside in interface outside
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.33 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    Cryptochecksum:57847b305111572396f1ae0410e54f7e
    : end         
    Thanks
    Morgan

    Morgan,
    Your config is perfectly fine. You have your PAT static and opened the ACL for that port
    access-list outside permit tcp any interface outside eq 1042
    access-list outside deny ip any any
    static (inside,outside) tcp interface 1042 192.168.1.60 1042 netmask 255.255.255.255 0 0
    access-group outside in interface outside
    The issue is somewhere else. When you try to connect check the conn through the PIX "sh conn | i 192.168.1.60", and you should see the conn. Check if the camera needs more ports to open and what the PIX logs show.
    I hope it helps.
    PK

  • Help with opening port 10000 on a pix 501

    I am attempting to open port 10000 so that I can remotely VPN using tcp port 10000. This is a pix 501 running version 6.3.5.
    What commands do I need to enter for this to happen?

    Remote vpn access can be configured on a pix 501 by using the configuration guide present in the links given below:
    Site-to-Site VPN Configuration Examples is present in the url below:
    http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/sit2site.html
    Managing VPN Remote Access guide is present in the following url:
    http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/basclnt.html

  • Amazon S3 Backup with Cisco PIX 501 Router - slowww

    We are in the process of setting up an Amazon S3 network backup of the NAS server we have in our office.  We are using a Synology NAS to backup to Amazon s3, and we use a Cisco PIX 501 to secure our network.  The backup from the NAS to Amazon is going painfully slow, so I contacted Synology to resolve the issue.  After they examined everything, they think the router is filtering outbound traffic, and this is causing the upload to slow down.  I was told the upload should happen over HTTP and HTTPS, and I made sure these ports were open through the Access Rules.  There are no rules defined in the Filter Settings.
    I looked at the settings with the PDM, and I can't find where the filtering would be. Does someone have any insight to what could be happening?   I'm not too familiar with the PIX or all the network settings involved.
    Thanks!

    Thank you for your question.  This community is for Cisco Small Business products and your question is in reference to a Cisco Elite/Classic product.  Please post your question in the Cisco NetPro forums located here:
    - Wireless ----> Wireless - Mobility http://forum.cisco.com/eforum/servlet/NetProf;jsessionid=E0EEC3D9CB4E5165ED16933737822748.SJ3A?page=Wireless_-_Mobility_discussion
      This forum has subject matter experts on Cisco Elite/Classic products that may be able to answer your question.
    THANKS

  • Cisco Pix 501 - Need help with VPN passthrough

    Greetings!
    Currently I have a Cisco Pix 501 version 6.3(1) which is in front of my Windows Server 2008 box. I am fairly new to firewalling, especially with the Cisco Pix; I have been able to accomplish some port forwarding for CCTV camera software, etc. but am coming to a standstill attempting to connect a company laptop (Windows 7 Professional) to the server via VPN.
    Previously we had another facility which was able to connect through VPN but it has since been removed (and always seemed to not be very stable to begin with - though it was connecting to a Server 2003 box rather than 2008).
    I have been through several articles both here and other forums and have attempted several of the proposed fixes. I'm almost sure at this point I've probably opened up more of my firewall than necessary and may have duplicate information attempted to complete this passthrough. My Server 2008 resides at 192.168.1.15, below is what I have thus far. The "crypto map" sections were all completed long before I took over, I believe this is how the old VPN was set up. What I have added since beginning this endeavour is the "fixup protocol pptp 1723", the "access-list" entries relating to both pptp and gre, and the "static (inside, outside)" relating to the pptp.
    I am still continuously getting an error on the laptop of "800" whenever I try to connect to the VPN. Any help would be greatly appreciated as I am rapidly losing hair attempting to get this situated.
    : Saved
    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password RysZD25GpRAOMhF. encrypted
    passwd 0I6TSwviLDtVwaTr encrypted
    hostname Lorway-PIX
    domain-name lorwayco.com
    fixup protocol ftp 21
    fixup protocol ftp 22
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    access-list 80 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list 80 permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
    access-list outside_access_in permit icmp any any
    access-list outside_access_in permit tcp any any eq 50000
    access-list outside_access_in permit udp any any eq 50000
    access-list outside_access_in permit tcp any any eq smtp
    access-list outside_access_in permit tcp any any eq www
    access-list outside_access_in permit tcp host 66.242.236.26 any eq smtp
    access-list outside_access_in permit tcp host 208.21.46.12 any eq smtp
    access-list outside_access_in permit tcp host 68.59.232.176 any eq smtp
    access-list outside_access_in permit tcp any any eq pop3
    access-list outside_access_in permit tcp any any eq https
    access-list outside_access_in permit tcp any any eq ftp
    access-list outside_access_in permit tcp host 68.53.192.139 any eq smtp
    access-list outside_access_in permit tcp any any eq ftp-data
    access-list outside_access_in permit tcp any any eq 1009
    access-list outside_access_in permit tcp any host 192.168.1.122 eq 7000
    access-list outside_access_in permit tcp host 192.168.1.122 any eq 7000
    access-list outside_access_in permit tcp any any eq 7000
    access-list outside_access_in permit tcp any any eq pptp
    access-list outside_access_in permit gre any any
    access-list 10 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list 20 permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
    access-list 30 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 74.221.188.249 255.255.255.0
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 80
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface 3389 192.168.1.15 3389 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 50000 192.168.1.160 50000 netmask 255.255.255.255 0 0
    static (inside,outside) udp interface 50000 192.168.1.160 50000 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface smtp 192.168.1.15 smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface https 192.168.1.15 https netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface www 192.168.1.15 www netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface pop3 192.168.1.15 pop3 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 7000 192.168.1.122 7000 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface pptp 192.168.1.15 pptp netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 74.221.188.1 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    snmp-server host inside 192.168.1.118
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    sysopt connection permit-l2tp
    crypto ipsec transform-set lorway1 esp-3des esp-sha-hmac
    crypto map lorwayvpn 30 ipsec-isakmp
    crypto map lorwayvpn 30 match address 30
    crypto map lorwayvpn 30 set peer 66.18.55.250
    crypto map lorwayvpn 30 set transform-set lorway1
    crypto map lorwayvpn interface outside
    isakmp enable outside
    isakmp key ******** address 66.18.50.178 netmask 255.255.255.255
    isakmp key ******** address 66.18.55.250 netmask 255.255.255.255
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 9 authentication pre-share
    isakmp policy 9 encryption 3des
    isakmp policy 9 hash sha
    isakmp policy 9 group 2
    isakmp policy 9 lifetime 86400
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 60
    console timeout 0
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    terminal width 80
    Cryptochecksum:5c7b250c008519fe970262aa3bc28bb5
    : end

    Config looks good to me.
    I would actually upgrade your PIX to the latest version of 6.3.x if you still have access to the software center as this PIX is on its EOL and you are running an extremely old version of code.
    If you place your Windows server bypassing the PIX temporarily, I assume you are able to connect to the VPN?
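
Added example, not part of the original thread or Cisco's tooling: a small Python review pass over a PIX 6.3 configuration, for the situation described above where entries have accumulated and the poster suspects more is open than necessary. The sample is a constructed subset of lines from the posted configuration, the check names are this example's own, and it assumes the ACL holds only permit entries and that inbound access needs both a `static` and a permitting ACE.

```python
import re

# Constructed sample: a subset of lines from the configuration posted above.
SAMPLE_CONFIG = """\
access-list outside_access_in permit tcp any any eq smtp
access-list outside_access_in permit tcp host 66.242.236.26 any eq smtp
access-list outside_access_in permit tcp any any eq ftp
access-list outside_access_in permit tcp any host 192.168.1.122 eq 7000
access-list outside_access_in permit tcp any any eq 7000
access-list outside_access_in permit tcp any any eq pptp
static (inside,outside) tcp interface 3389 192.168.1.15 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.1.15 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 7000 192.168.1.122 7000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp 192.168.1.15 pptp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
snmp-server community public
ssh 0.0.0.0 0.0.0.0 outside
"""

# permit entries that end in "eq <port>" (the destination port test)
ACE_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) (.+) eq (\S+)$")
# port redirections on the outside interface address
STATIC_RE = re.compile(r"^static \(inside,outside\) (tcp|udp) interface (\S+) ")
# ACL bound inbound on the outside interface
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside$")
# management access allowed from any address on the outside interface
MGMT_RE = re.compile(r"^(ssh|telnet|http) 0\.0\.0\.0 0\.0\.0\.0 outside$")


def audit(config):
    """Return (check, config_line) findings worth a manual review."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []

    bound = {m.group(1) for ln in lines if (m := GROUP_RE.match(ln))}
    forwards = {(m.group(1), m.group(2))
                for ln in lines if (m := STATIC_RE.match(ln))}
    aces = [(ln, m.groups()) for ln in lines
            if (m := ACE_RE.match(ln)) and m.group(1) in bound]
    # (acl, proto, port) combinations already permitted from any to any
    any_any = {(acl, proto, port)
               for _, (acl, proto, addrs, port) in aces if addrs == "any any"}

    permitted = set()
    for ln, (acl, proto, addrs, port) in aces:
        permitted.add((proto, port))
        # A narrower permit adds nothing once any-to-any is permitted too.
        if addrs != "any any" and (acl, proto, port) in any_any:
            findings.append(("redundant-ace", ln))
        # A permit for a port that no static redirects anywhere.
        if (proto, port) not in forwards:
            findings.append(("permit-without-static", ln))

    for ln in lines:
        m = STATIC_RE.match(ln)
        # A redirection that no ACE on the outside ACL permits.
        if m and (m.group(1), m.group(2)) not in permitted:
            findings.append(("static-without-permit", ln))
        if MGMT_RE.match(ln):
            findings.append(("mgmt-from-any-outside", ln))
        if ln == "snmp-server community public":
            findings.append(("default-snmp-community", ln))
    return findings


if __name__ == "__main__":
    for check, line in audit(SAMPLE_CONFIG):
        print(f"{check:24} {line}")
```
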

  • Cisco pix 501 open port problem

    Hi,
    I'm running a Pix 501 for Home office and I want to open first ports for my mail client for an outside located server.
    But I get the following error in the log:
    106023: Deny tcp src outside:<ipmailserver>/993 dst inside:<ipoutsideinterface>/1729 by access-group "outside-mail"
    here's my basic config:
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password YYYYYY encrypted
    passwd YYYYYY encrypted
    hostname sunny
    domain-name ciscopix.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list outside-mail permit tcp any any eq 465
    access-list outside-mail permit tcp any any eq 993
    pager lines 24
    logging on
    logging monitor emergencies
    logging buffered informational
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 192.168.10.254 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 192.168.10.0 255.255.255.0 0 0
    access-group outside-mail in interface outside
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet 192.168.10.0 255.255.255.0 inside
    telnet timeout 5
    ssh 192.168.10.0 255.255.255.0 inside
    ssh timeout 60
    console timeout 0
    dhcpd address 192.168.10.10-192.168.10.39 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    username stefan password YYYYY encrypted privilege 2
    terminal width 80
    Cryptochecksum:
    : end
    [OK]
    What's the problem?
    Any recommendations for the config anyway?
    Thanks

    Thanks Gerhard for the answer, but I don't want to redirect the port to an inside mail server.
    I try to connect to an outside mail server with a mail client from an inside pc (who is in the dhcp ip pool, i.e. 192.168.10.22).
    to open the ports i added:
    access-list outside-mail permit tcp any any eq 465
    access-list outside-mail permit tcp any any eq 993
    access-group outside-mail in interface outside
    but why is there a deny because of the access-group in the log?
    106023: Deny tcp src outside:/993 dst inside:/1729 by access-group "outside-mail"
    Regards S.
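
Added example, not part of the original thread: a small first-match evaluator for PIX 6.3 style ACEs, run against the 106023 message quoted above. It shows that `eq 993` written after the destination tests the destination port, while the logged packet carries 993 as its source port, so neither entry matches and the implicit deny applies. The addresses are constructed placeholders for the redacted ones, and only `any`, `host`, address/mask and `eq` with numeric ports are handled.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# The two ACEs from the post, and the 106023 message with constructed
# documentation addresses in place of the poster's redacted ones.
ACL_LINES = [
    "access-list outside-mail permit tcp any any eq 465",
    "access-list outside-mail permit tcp any any eq 993",
]
LOG_LINE = ('106023: Deny tcp src outside:203.0.113.10/993 '
            'dst inside:198.51.100.5/1729 by access-group "outside-mail"')

LOG_RE = re.compile(r'106023: Deny (\w+) src \w+:([\d.]+)/(\d+) '
                    r'dst \w+:([\d.]+)/(\d+) by access-group "([^"]+)"')


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    src_port: Optional[int]
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]


@dataclass
class Packet:
    proto: str
    src: ipaddress.IPv4Address
    src_port: int
    dst: ipaddress.IPv4Address
    dst_port: int


def _addr(tok):
    """Consume one address spec: 'any', 'host A' or 'A MASK'."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]


def _port(tok):
    """Consume an optional 'eq N' that follows an address spec."""
    if tok[:1] == ["eq"]:
        return int(tok[1]), tok[2:]
    return None, tok


def parse_ace(line):
    """access-list ID action proto SRC [eq P] DST [eq P]"""
    tok = line.split()
    action, proto, rest = tok[2], tok[3], tok[4:]
    src, rest = _addr(rest)
    src_port, rest = _port(rest)   # port test written after the source
    dst, rest = _addr(rest)
    dst_port, rest = _port(rest)   # port test written after the destination
    return Ace(action, proto, src, src_port, dst, dst_port)


def parse_log(line):
    """Return (Packet, acl_name) from a 106023 deny message."""
    proto, sip, sport, dip, dport, acl = LOG_RE.search(line).groups()
    pkt = Packet(proto, ipaddress.ip_address(sip), int(sport),
                 ipaddress.ip_address(dip), int(dport))
    return pkt, acl


def evaluate(aces, pkt):
    """First match wins; ('deny', None) is the implicit deny at the end."""
    for i, a in enumerate(aces):
        if (a.proto in (pkt.proto, "ip")
                and pkt.src in a.src and pkt.dst in a.dst
                and a.src_port in (None, pkt.src_port)
                and a.dst_port in (None, pkt.dst_port)):
            return a.action, i
    return "deny", None


def port_on_wrong_side(aces, pkt):
    """Indexes of ACEs whose destination-port test equals the packet's
    source port, i.e. the entry describes the other direction of the flow."""
    return [i for i, a in enumerate(aces)
            if a.dst_port == pkt.src_port and a.dst_port != pkt.dst_port]


if __name__ == "__main__":
    aces = [parse_ace(ln) for ln in ACL_LINES]
    pkt, acl = parse_log(LOG_LINE)
    print(acl, evaluate(aces, pkt), port_on_wrong_side(aces, pkt))
```
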

  • PIX 501 passthrough with to a Win VPN Server

    Can this piece of %^$ pix 501 allow port 1723 to be open so users can connect to a Windows VPN server configured by PDM?
    pix  6.3(5)
    Outside static IP - whatever 111.111.111.111
    Inside 192.168.1.1
    Win VPN server 192.168.1.10
    Thanks to anybody that can help.
    Note - I want to know if this can be accomplished using PDM 3.0.4
    This pix has to have a use other than a glorified 4 port switch

    Yes you can enable PIX501 with version 6.3.5 for PPTP pass through.
    Command line:
    static (inside,outside) tcp interface 1723 192.168.1.10 1723 netmask 255.255.255.255
    fixup protocol pptp 1723
    access-list permit tcp any host 111.111.111.111 eq 1723
    If you don't already have an access-list applied to outside interface, then you also need the following:
    access-group in interface outside
    Then "clear xlate" after the above configuration. I also assume that you would like to use the outside interface ip address of the PIX for the translation. Otherwise, if 111.111.111.111 is actually a spare public ip address, then the above static command should say:
    static (inside,outside) 111.111.111.111 192.168.1.10 netmask 255.255.255.255
    Yes, it can be accomplished using PDM. But I have to apologize that I don't have handy access to a PDM, hence I can only advise you on the configuration using CLI.
    Hope that helps a little.

  • Problem with VPN by ASA 5505 and PIX 501

    Hi
    I have this scenario: Firewall ASA 5505, Firewall Pix 501 (with CatOS 6.3(5) ).
    I have configured this appliance for Easy VPN (server is ASA) and PIX, and remote Access with Cisco client vpn (for internal lan ASA).
    When I configure the ASA I have this problem, when I configure nat for easy vpn.
    This is my nat configuration:
    nat (inside) 0 access-list 100
    nat (inside) 1 192.168.1.0 255.255.255.0
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (inside) 0 0.0.0.0 0.0.0.0 outside
    when I put this command:
    nat (inside) 0 access-list no-nat
    this command is necessary for configuration of easy vpn, but the previous nat:
    nat (inside) 0 access-list 100
    is replaced with the latest command.

    To identify addresses on one interface that are translated to mapped addresses on another interface, use the nat command in global configuration mode. This command configures dynamic NAT or PAT, where an address is translated to one of a pool of mapped addresses. To remove the nat command, use the no form of this command.
    For regular dynamic NAT:
    nat (real_ifc) nat_id real_ip [mask [dns] [outside] [udp udp_max_conns] [norandomseq]]
    no nat (real_ifc) nat_id real_ip [mask [dns] [outside] [udp udp_max_conns] [norandomseq]]
    For policy dynamic NAT and NAT exemption:
    nat (real_ifc) nat_id access-list access_list_name [dns] [outside] [udp udp_max_conns] [norandomseq]
    no nat (real_ifc) nat_id access-list access_list_name [dns] [outside] [udp udp_max_conns] [norandomseq]

  • PIX 501 PDM with IE7

    Since updating to Internet Explorer version 7 I am no longer able to access the PIX 501 using the PDM software.
    Can anyone help with this situation.
    Mike

    Disable the IE popup blocker to see if it works. Disable the popup blocker of yahoo toolbar. Even if this doesn't work download JRE from the following link http://java.sun.com/products/archive/j2se/1.4.2_03/index.html.

  • Can't Connect to Pix 501 VPN on Network

    Hi All,
    I have a software VPN client that connects just fine to the PIX 501 VPN, but I cannot ping or telnet to any services on the LAN. Below is my config and results of show cry ipsec sa. I would appreciate any suggestions to fix this.
    It's been a while since I have done this. When I check the DHCP address received from the VPN, the default gateway is missing. IIRC, that is normal. What is strange is that when I ping, Windows does not show any sent packets.
    Thanks,
    --Drichards38
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password bgVy005CZTsaMOwR encrypted
    passwd bgVy005CZTsaMOwR encrypted
    hostname cisco
    domain-name xxxxxx.biz
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol ftp 1024-2048
    fixup protocol ftp 49152-65534
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list acl-out permit tcp any interface outside eq www
    access-list acl_out permit tcp any host aa.bb.cc.dd eq telnet
    access-list acl_out permit tcp any host aa.bb.cc.dd eq 3389
    access-list acl_out permit tcp any host aa.bb.cc.dd eq 60990
    access-list acl_out permit tcp any host aa.bb.cc.dd eq www
    access-list acl_out permit tcp any host aa.bb.cc.dd eq www
    access-list acl_out permit tcp any host aa.bb.cc.dd eq echo
    access-list acl_out permit tcp any host aa.bb.cc.dd eq ftp
    access-list acl_out permit tcp any host aa.bb.cc.dd eq https
    access-list acl_out permit tcp any interface inside eq www
    access-list acl_out permit tcp any interface inside eq ftp
    access-list acl_out permit tcp any interface inside eq 3389
    access-list acl_out permit tcp any interface inside eq https
    access-list acl_out permit tcp any host aa.bb.cc.dd eq www
    access-list acl_out permit tcp any host aa.bb.cc.dd eq www
    access-list acl_out permit tcp any host aa.bb.cc.dd eq https
    access-list acl_out permit tcp any host aa.bb.cc.dd eq https
    access-list acl_out permit tcp any host aa.bb.cc.dd eq 3389
    access-list acl_out permit tcp any host aa.bb.cc.dd eq 3389
    access-list acl_out permit tcp any host aa.bb.cc.dd eq www
    access-list acl_out permit tcp any host aa.bb.cc.dd eq https
    access-list acl_out permit tcp any host aa.bb.cc.dd eq 3389
    access-list acl_out permit tcp any host aa.bb.cc.dd eq ftp
    access-list acl_out permit tcp any host aa.bb.cc.dd eq www
    access-list acl_out permit tcp any host aa.bb.cc.dd eq https
    access-list acl_out permit tcp any host aa.bb.cc.dd eq 3389
    access-list acl_out permit tcp any host aa.bb.cc.dd eq 902
    access-list acl_out permit tcp any host aa.bb.cc.dd eq ftp
    access-list acl_out permit tcp any host aa.bb.cc.dd eq www
    access-list acl_out permit tcp any host aa.bb.cc.dd eq ftp
    access-list acl_out permit tcp any host aa.bb.cc.dd eq https
    access-list acl_out permit tcp any host aa.bb.cc.dd eq 3389
    access-list acl_out permit tcp any host aa.bb.cc.dd eq www
    access-list acl_out permit tcp any host aa.bb.cc.dd eq ftp
    access-list acl_out permit tcp any host aa.bb.cc.dd eq https
    access-list acl_out permit tcp any host aa.bb.cc.dd eq 3389
    access-list acl_out permit tcp any host aa.bb.cc.dd eq www
    access-list acl_out permit tcp any host aa.bb.cc.dd eq https
    access-list acl_out permit tcp any host aa.bb.cc.dd eq ftp
    access-list acl_out permit tcp any host aa.bb.cc.dd eq 3389
    access-list outside_cryptomap_dyn_20 permit ip any 10.0.0.0 255.0.0.0
    access-list split_tunnel_acl permit ip 10.0.0.0 255.0.0.0 any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside aa.bb.cc.dd 255.255.255.240
    ip address inside 192.168.93.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool low_vpn_pool 10.0.1.205-10.0.1.210
    pdm location 172.16.0.0 255.255.0.0 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 192.168.93.0 255.255.255.0 0 0
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) aa.bb.cc.dd 192.168.93.67 netmask 255.255.255.255 0 0
    static (inside,outside) aa.bb.cc.dd 192.168.93.68 netmask 255.255.255.255 0 0
    static (inside,outside) aa.bb.cc.dd 192.168.93.69 netmask 255.255.255.255 0 0
    static (inside,outside) aa.bb.cc.dd 192.168.93.70 netmask 255.255.255.255 0 0
    static (inside,outside) aa.bb.cc.dd 192.168.93.71 netmask 255.255.255.255 0 0
    static (inside,outside) aa.bb.cc.dd 192.168.93.72 netmask 255.255.255.255 0 0
    static (inside,outside) aa.bb.cc.dd 192.168.93.73 netmask 255.255.255.255 0 0
    static (inside,outside) aa.bb.cc.dd 192.168.93.74 netmask 255.255.255.255 0 0
    static (inside,outside) aa.bb.cc.dd 192.168.93.75 netmask 255.255.255.255 0 0
    static (inside,outside) aa.bb.cc.dd 192.168.93.76 netmask 255.255.255.255 0 0
    static (inside,outside) aa.bb.cc.dd 192.168.93.77 netmask 255.255.255.255 0 0
    static (inside,outside) aa.bb.cc.dd 192.168.93.78 netmask 255.255.255.255 0 0
    access-group acl_out in interface outside
    rip inside default version 1
    route outside 0.0.0.0 0.0.0.0 aa.bb.cc.dd 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa authorization command LOCAL
    http server enable
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map client authentication LOCAL
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp nat-traversal 20
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup MY_VPN address-pool low_vpn_pool
    vpngroup MY_VPN dns-server 4.2.2.1
    vpngroup MY_VPN default-domain xxxxx.biz
    vpngroup MY_VPN split-tunnel split_tunnel_acl
    vpngroup MY_VPN idle-time 1800
    vpngroup MY_VPN password ********
    telnet 0.0.0.0 255.255.255.255 outside
    telnet 192.168.93.0 255.255.255.0 inside
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 60
    console timeout 0
    dhcpd address 192.168.93.230-192.168.93.240 inside
    dhcpd dns ff.gg.hh.ii ff.gg.hh.ii
    dhcpd lease 65536
    dhcpd ping_timeout 750
    dhcpd domain xxxxxx.biz
    dhcpd auto_config outside
    dhcpd enable inside
    username xxxx password xxxxxxx encrypted privilege 15
    cisco(config)# show cry ipsec sa
    interface: outside
        Crypto map tag: outside_map, local addr. aa.bb.cc.dd
       local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
       remote ident (addr/mask/prot/port): (10.0.1.205/255.255.255.255/0/0)
       current_peer: jj.kk.ll.mm:1265
       dynamic allocated peer ip: 10.0.1.205
         PERMIT, flags={transport_parent,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
        #pkts decaps: 38, #pkts decrypt: 38, #pkts verify 38
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0
         local crypto endpt.: aa.bb.cc.dd, remote crypto endpt.: 97.93.95.133
         path mtu 1500, ipsec overhead 64, media mtu 1500
         current outbound spi: 3a898e67
         inbound esp sas:
          spi: 0xeeb64931(4004923697)
            transform: esp-3des esp-md5-hmac ,
            in use settings ={Tunnel UDP-Encaps, }
            slot: 0, conn id: 1, crypto map: outside_map
            sa timing: remaining key lifetime (k/sec): (4607993/28610)
            IV size: 8 bytes
            replay detection support: Y
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
          spi: 0x3a898e67(982093415)
            transform: esp-3des esp-md5-hmac ,
            in use settings ={Tunnel UDP-Encaps, }
            slot: 0, conn id: 2, crypto map: outside_map
            sa timing: remaining key lifetime (k/sec): (4608000/28574)
            IV size: 8 bytes
            replay detection support: Y
         outbound ah sas:
         outbound pcp sas:

    I just set the logging to high on all areas of the Cisco VPN client. Below is the resulting log. Everything looks ok from here:
    Cisco Systems VPN Client Version 5.0.03.0530
    Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
    Client Type(s): Windows, WinNT
    Running on: 5.1.2600 Service Pack 3
    29     09:57:02.887  09/03/12  Sev=Info/4    CM/0x63100002
    Begin connection process
    30     09:57:02.897  09/03/12  Sev=Info/4    CM/0x63100004
    Establish secure connection
    31     09:57:02.897  09/03/12  Sev=Info/4    CM/0x63100024
    Attempt connection with server "a.b.c.d"
    32     09:57:02.907  09/03/12  Sev=Info/6    IKE/0x6300003B
    Attempting to establish a connection with a.b.c.d.
    33     09:57:02.917  09/03/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to a.b.c.d
    34     09:57:03.228  09/03/12  Sev=Info/4    IPSEC/0x63700008
    IPSec driver successfully started
    35     09:57:03.228  09/03/12  Sev=Info/4    IPSEC/0x63700014
    Deleted all keys
    36     09:57:03.228  09/03/12  Sev=Info/6    IPSEC/0x6370002C
    Sent 47 packets, 0 were fragmented.
    37     09:57:03.979  09/03/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = a.b.c.d
    38     09:57:03.979  09/03/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity), VID(?), KE, ID, NON, VID(?), VID(Nat-T), NAT-D, NAT-D, HASH) from a.b.c.d
    39     09:57:04.039  09/03/12  Sev=Info/6    GUI/0x63B00012
    Authentication request attributes is 6h.
    40     09:57:03.979  09/03/12  Sev=Info/5    IKE/0x63000001
    Peer supports XAUTH
    41     09:57:03.979  09/03/12  Sev=Info/5    IKE/0x63000001
    Peer supports DPD
    42     09:57:03.979  09/03/12  Sev=Info/5    IKE/0x63000001
    Peer is a Cisco-Unity compliant peer
    43     09:57:03.979  09/03/12  Sev=Info/5    IKE/0x63000082
    Received IOS Vendor ID with unknown capabilities flag 0x000000A5
    44     09:57:03.979  09/03/12  Sev=Info/5    IKE/0x63000001
    Peer supports NAT-T
    45     09:57:03.999  09/03/12  Sev=Info/6    IKE/0x63000001
    IOS Vendor ID Contruction successful
    46     09:57:03.999  09/03/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to a.b.c.d
    47     09:57:03.999  09/03/12  Sev=Info/6    IKE/0x63000055
    Sent a keepalive on the IPSec SA
    48     09:57:03.999  09/03/12  Sev=Info/4    IKE/0x63000083
    IKE Port in use - Local Port =  0x0421, Remote Port = 0x1194
    49     09:57:03.999  09/03/12  Sev=Info/5    IKE/0x63000072
    Automatic NAT Detection Status:
       Remote end is NOT behind a NAT device
       This   end IS behind a NAT device
    50     09:57:03.999  09/03/12  Sev=Info/4    CM/0x6310000E
    Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
    51     09:57:04.029  09/03/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = a.b.c.d
    52     09:57:04.029  09/03/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_INITIAL_CONTACT) from a.b.c.d
    53     09:57:04.029  09/03/12  Sev=Warning/2    IKE/0xA3000067
    Received Unexpected InitialContact Notify (PLMgrNotify:886)
    54     09:57:04.039  09/03/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = a.b.c.d
    55     09:57:04.039  09/03/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from a.b.c.d
    56     09:57:04.039  09/03/12  Sev=Info/5    IKE/0x63000045
    RESPONDER-LIFETIME notify has value of 86400 seconds
    57     09:57:04.039  09/03/12  Sev=Info/5    IKE/0x63000047
    This SA has already been alive for 2 seconds, setting expiry to 86398 seconds from now
    58     09:57:04.039  09/03/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = a.b.c.d
    59     09:57:04.039  09/03/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from a.b.c.d
    60     09:57:04.039  09/03/12  Sev=Info/4    CM/0x63100015
    Launch xAuth application
    61     09:57:09.327  09/03/12  Sev=Info/4    CM/0x63100017
    xAuth application returned
    62     09:57:09.327  09/03/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to a.b.c.d
    63     09:57:09.367  09/03/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = a.b.c.d
    64     09:57:09.367  09/03/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from a.b.c.d
    65     09:57:09.367  09/03/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to a.b.c.d
    66     09:57:09.367  09/03/12  Sev=Info/4    CM/0x6310000E
    Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
    67     09:57:09.387  09/03/12  Sev=Info/5    IKE/0x6300005E
    Client sending a firewall request to concentrator
    68     09:57:09.387  09/03/12  Sev=Info/5    IKE/0x6300005D
    Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).
    69     09:57:09.387  09/03/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to a.b.c.d
    70     09:57:09.427  09/03/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = a.b.c.d
    71     09:57:09.427  09/03/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from a.b.c.d
    72     09:57:09.427  09/03/12  Sev=Info/5    IKE/0x63000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 10.0.1.205
    73     09:57:09.427  09/03/12  Sev=Info/5    IKE/0x63000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 4.2.2.1
    74     09:57:09.427  09/03/12  Sev=Info/5    IKE/0x6300000E
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = xxxx.biz
    75     09:57:09.427  09/03/12  Sev=Info/5    IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001
    76     09:57:09.427  09/03/12  Sev=Info/5    IKE/0x6300000F
    SPLIT_NET #1
        subnet = 10.0.0.0
        mask = 255.0.0.0
        protocol = 0
        src port = 0
        dest port=0
    77     09:57:09.427  09/03/12  Sev=Info/5    IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
    78     09:57:09.427  09/03/12  Sev=Info/5    IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
    79     09:57:09.427  09/03/12  Sev=Info/4    CM/0x63100019
    Mode Config data received
    80     09:57:09.427  09/03/12  Sev=Info/4    IKE/0x63000056
    Received a key request from Driver: Local IP = 10.0.1.205, GW IP = a.b.c.d, Remote IP = 0.0.0.0
    81     09:57:09.437  09/03/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to a.b.c.d
    82     09:57:09.477  09/03/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = a.b.c.d
    83     09:57:09.477  09/03/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from a.b.c.d
    84     09:57:09.477  09/03/12  Sev=Info/5    IKE/0x63000045
    RESPONDER-LIFETIME notify has value of 28800 seconds
    85     09:57:09.477  09/03/12  Sev=Info/5    IKE/0x63000046
    RESPONDER-LIFETIME notify has value of 4608000 kb
    86     09:57:09.477  09/03/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK QM *(HASH) to a.b.c.d
    87     09:57:09.477  09/03/12  Sev=Info/5    IKE/0x63000059
    Loading IPsec SA (MsgID=D70550E6 OUTBOUND SPI = 0xB335C6DA INBOUND SPI = 0xE99E1A59)
    88     09:57:09.477  09/03/12  Sev=Info/5    IKE/0x63000025
    Loaded OUTBOUND ESP SPI: 0xB335C6DA
    89     09:57:09.477  09/03/12  Sev=Info/5    IKE/0x63000026
    Loaded INBOUND ESP SPI: 0xE99E1A59
    90     09:57:09.527  09/03/12  Sev=Info/5    CVPND/0x63400013
        Destination           Netmask           Gateway         Interface   Metric
            0.0.0.0           0.0.0.0        172.16.0.1       172.16.0.11       25
          127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1        1
         172.16.0.0       255.255.0.0       172.16.0.11       172.16.0.11       25
        172.16.0.11   255.255.255.255         127.0.0.1         127.0.0.1       25
    172.16.255.255   255.255.255.255       172.16.0.11       172.16.0.11       25
          224.0.0.0         240.0.0.0       172.16.0.11       172.16.0.11       25
    255.255.255.255   255.255.255.255       172.16.0.11           0.0.0.0        1
    255.255.255.255   255.255.255.255       172.16.0.11       172.16.0.11        1
    91     09:57:10.448  09/03/12  Sev=Info/4    CM/0x63100034
    The Virtual Adapter was enabled:
        IP=10.0.1.205/255.0.0.0
        DNS=4.2.2.1,0.0.0.0
        WINS=0.0.0.0,0.0.0.0
        Domain=xxxx.biz
        Split DNS Names=
    92     09:57:10.458  09/03/12  Sev=Info/5    CVPND/0x63400013
        Destination           Netmask           Gateway         Interface   Metric
            0.0.0.0           0.0.0.0        172.16.0.1       172.16.0.11       25
           10.0.0.0         255.0.0.0        10.0.1.205        10.0.1.205       25
         10.0.1.205   255.255.255.255         127.0.0.1         127.0.0.1       25
    10.255.255.255   255.255.255.255        10.0.1.205        10.0.1.205       25
          127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1        1
         172.16.0.0       255.255.0.0       172.16.0.11       172.16.0.11       25
        172.16.0.11   255.255.255.255         127.0.0.1         127.0.0.1       25
    172.16.255.255   255.255.255.255       172.16.0.11       172.16.0.11       25
          224.0.0.0         240.0.0.0        10.0.1.205        10.0.1.205       25
          224.0.0.0         240.0.0.0       172.16.0.11       172.16.0.11       25
    255.255.255.255   255.255.255.255        10.0.1.205           0.0.0.0        1
    255.255.255.255   255.255.255.255        10.0.1.205        10.0.1.205        1
    255.255.255.255   255.255.255.255       172.16.0.11       172.16.0.11        1
    93     09:57:10.458  09/03/12  Sev=Info/4    CM/0x63100038
    Successfully saved route changes to file.
    94     09:57:10.458  09/03/12  Sev=Info/5    CVPND/0x63400013
        Destination           Netmask           Gateway         Interface   Metric
            0.0.0.0           0.0.0.0        172.16.0.1       172.16.0.11       25
           10.0.0.0         255.0.0.0        10.0.1.205        10.0.1.205        1
         10.0.1.205   255.255.255.255         127.0.0.1         127.0.0.1       25
    10.255.255.255   255.255.255.255        10.0.1.205        10.0.1.205       25
      a.b.c.d   255.255.255.255        172.16.0.1       172.16.0.11        1
          127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1        1
         172.16.0.0       255.255.0.0       172.16.0.11       172.16.0.11       25
         172.16.0.1   255.255.255.255       172.16.0.11       172.16.0.11        1
        172.16.0.11   255.255.255.255         127.0.0.1         127.0.0.1       25
    172.16.255.255   255.255.255.255       172.16.0.11       172.16.0.11       25
          224.0.0.0         240.0.0.0        10.0.1.205        10.0.1.205       25
          224.0.0.0         240.0.0.0       172.16.0.11       172.16.0.11       25
    255.255.255.255   255.255.255.255        10.0.1.205           0.0.0.0        1
    255.255.255.255   255.255.255.255        10.0.1.205        10.0.1.205        1
    255.255.255.255   255.255.255.255       172.16.0.11       172.16.0.11        1
    95     09:57:10.458  09/03/12  Sev=Info/6    CM/0x63100036
    The routing table was updated for the Virtual Adapter
    96     09:57:10.508  09/03/12  Sev=Info/4    CM/0x6310001A
    One secure connection established
    97     09:57:10.618  09/03/12  Sev=Info/4    CM/0x6310003B
    Address watch added for 172.16.0.11.  Current hostname: toughone, Current address(es): 10.0.1.205, 172.16.0.11.
    98     09:57:10.638  09/03/12  Sev=Info/4    CM/0x6310003B
    Address watch added for 10.0.1.205.  Current hostname: toughone, Current address(es): 10.0.1.205, 172.16.0.11.
    99     09:57:10.638  09/03/12  Sev=Info/4    IPSEC/0x63700014
    Deleted all keys
    100    09:57:10.638  09/03/12  Sev=Info/4    IPSEC/0x63700010
    Created a new key structure
    101    09:57:10.638  09/03/12  Sev=Info/4    IPSEC/0x6370000F
    Added key with SPI=0xdac635b3 into key list
    102    09:57:10.638  09/03/12  Sev=Info/4    IPSEC/0x63700010
    Created a new key structure
    103    09:57:10.638  09/03/12  Sev=Info/4    IPSEC/0x6370000F
    Added key with SPI=0x591a9ee9 into key list
    104    09:57:10.638  09/03/12  Sev=Info/4    IPSEC/0x6370002F
    Assigned VA private interface addr 10.0.1.205
    105    09:57:10.638  09/03/12  Sev=Info/4    IPSEC/0x63700037
    Configure public interface: 172.16.0.11. SG: a.b.c.d
    106    09:57:10.638  09/03/12  Sev=Info/6    CM/0x63100046
    Set tunnel established flag in registry to 1.
    107    09:57:19.741  09/03/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to a.b.c.d
    108    09:57:19.741  09/03/12  Sev=Info/6    IKE/0x6300003D
    Sending DPD request to a.b.c.d, our seq# = 3951445672
    109    09:57:19.772  09/03/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = a.b.c.d
    110    09:57:19.772  09/03/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from a.b.c.d
    111    09:57:19.772  09/03/12  Sev=Info/5    IKE/0x63000040
    Received DPD ACK from a.b.c.d, seq# received = 3951445672, seq# expected = 3951445672
    112    09:57:30.257  09/03/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to a.b.c.d
    113    09:57:30.257  09/03/12  Sev=Info/6    IKE/0x6300003D
    Sending DPD request to a.b.c.d, our seq# = 3951445673
    114    09:57:30.297  09/03/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = a.b.c.d
    115    09:57:30.297  09/03/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from a.b.c.d
    116    09:57:30.297  09/03/12  Sev=Info/5    IKE/0x63000040
    Received DPD ACK from a.b.c.d, seq# received = 3951445673, seq# expected = 3951445673
    117    09:57:40.772  09/03/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to a.b.c.d
    118    09:57:40.772  09/03/12  Sev=Info/6    IKE/0x6300003D
    Sending DPD request to a.b.c.d, our seq# = 3951445674
    119    09:57:40.802  09/03/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = a.b.c.d
    120    09:57:40.802  09/03/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from a.b.c.d
    121    09:57:40.802  09/03/12  Sev=Info/5    IKE/0x63000040
    Received DPD ACK from a.b.c.d, seq# received = 3951445674, seq# expected = 3951445674
    122    09:57:54.291  09/03/12  Sev=Info/6    IKE/0x63000055
    Sent a keepalive on the IPSec SA
    123    09:58:04.306  09/03/12  Sev=Info/6    IKE/0x63000055
    Sent a keepalive on the IPSec SA
    124    09:58:14.320  09/03/12  Sev=Info/6    IKE/0x63000055
    Sent a keepalive on the IPSec SA
    125    09:58:24.334  09/03/12  Sev=Info/6    IKE/0x63000055
    Sent a keepalive on the IPSec SA
    126    09:58:34.349  09/03/12  Sev=Info/6    IKE/0x63000055
    Sent a keepalive on the IPSec SA
    127    09:58:41.359  09/03/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to a.b.c.d
    128    09:58:41.359  09/03/12  Sev=Info/6    IKE/0x6300003D
    Sending DPD request to a.b.c.d, our seq# = 3951445675
    129    09:58:41.389  09/03/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = a.b.c.d
    130    09:58:41.389  09/03/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from a.b.c.d
    131    09:58:41.389  09/03/12  Sev=Info/5    IKE/0x63000040
    Received DPD ACK from a.b.c.d, seq# received = 3951445675, seq# expected = 3951445675
    132    09:58:54.378  09/03/12  Sev=Info/6    IKE/0x63000055
    Sent a keepalive on the IPSec SA
    133    09:59:04.392  09/03/12  Sev=Info/6    IKE/0x63000055
    Sent a keepalive on the IPSec SA
    134    09:59:14.406  09/03/12  Sev=Info/6    IKE/0x63000055
    Sent a keepalive on the IPSec SA
    135    09:59:24.421  09/03/12  Sev=Info/6    IKE/0x63000055
    Sent a keepalive on the IPSec SA
    136    09:59:34.435  09/03/12  Sev=Info/6    IKE/0x63000055
    Sent a keepalive on the IPSec SA
    137    09:59:41.946  09/03/12  Sev=Info/4    IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to a.b.c.d
    138    09:59:41.946  09/03/12  Sev=Info/6    IKE/0x6300003D
    Sending DPD request to a.b.c.d, our seq# = 3951445676
    139    09:59:41.976  09/03/12  Sev=Info/5    IKE/0x6300002F
    Received ISAKMP packet: peer = a.b.c.d
    140    09:59:41.976  09/03/12  Sev=Info/4    IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from a.b.c.d
    141    09:59:41.976  09/03/12  Sev=Info/5    IKE/0x63000040
    Received DPD ACK from a.b.c.d, seq# received = 3951445676, seq# expected = 3951445676
    142    09:59:54.464  09/03/12  Sev=Info/6    IKE/0x63000055
    Sent a keepalive on the IPSec SA
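
Added example, not part of the original post: a Python check that parses the `show cry ipsec sa` output and the VPN client log quoted above, flags an SA whose encaps/decaps counters show traffic in one direction only, and tests whether the client's ESP SPIs pair with the gateway's. The function names are assumptions of this example, and the embedded samples are trimmed excerpts of the output above.

```python
import re

# Trimmed excerpt of the `show cry ipsec sa` output posted above.
PIX_SA_OUTPUT = """\
interface: outside
    Crypto map tag: outside_map, local addr. aa.bb.cc.dd
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.1.205/255.255.255.255/0/0)
   current_peer: jj.kk.ll.mm:1265
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 38, #pkts decrypt: 38, #pkts verify 38
     inbound esp sas:
      spi: 0xeeb64931(4004923697)
     outbound esp sas:
      spi: 0x3a898e67(982093415)
"""

# Trimmed excerpt of the VPN client log posted above.
CLIENT_LOG = """\
88     09:57:09.477  09/03/12  Sev=Info/5    IKE/0x63000025
Loaded OUTBOUND ESP SPI: 0xB335C6DA
89     09:57:09.477  09/03/12  Sev=Info/5    IKE/0x63000026
Loaded INBOUND ESP SPI: 0xE99E1A59
"""


def parse_pix_sas(text):
    """Return one dict per 'local ident' block: counters and ESP SPIs."""
    starts = [m.start() for m in re.finditer(r"^[ \t]*local\s+ident", text, re.M)]
    sas = []
    for begin, end in zip(starts, starts[1:] + [len(text)]):
        block = text[begin:end]
        sa = {"remote_ident": re.search(r"remote ident .*?: \(([^/]+)/", block).group(1)}
        for key in ("encaps", "decaps"):
            sa[key] = int(re.search(rf"#pkts {key}: (\d+)", block).group(1))
        for direction in ("inbound", "outbound"):
            m = re.search(rf"{direction} esp sas:\s*\n\s*spi: 0x([0-9a-fA-F]+)", block)
            sa[f"{direction}_spi"] = int(m.group(1), 16) if m else None
        sas.append(sa)
    return sas


def parse_client_spis(log):
    """Return {'inbound': spi, 'outbound': spi} as loaded by the VPN client."""
    pairs = re.findall(r"Loaded (INBOUND|OUTBOUND) ESP SPI: 0x([0-9A-Fa-f]+)", log)
    return {direction.lower(): int(value, 16) for direction, value in pairs}


def diagnose(sa, client_spis):
    """List findings for one gateway SA pair against the client's view."""
    findings = []
    if sa["decaps"] > 0 and sa["encaps"] == 0:
        findings.append("one-way: gateway decrypts client packets, encrypts none back")
    elif sa["encaps"] > 0 and sa["decaps"] == 0:
        findings.append("one-way: gateway encrypts packets, decrypts none from client")
    # The receiver picks the SPI, so within one session the client's outbound
    # SPI equals the gateway's inbound SPI, and the reverse.
    if (client_spis.get("outbound") != sa["inbound_spi"]
            or client_spis.get("inbound") != sa["outbound_spi"]):
        findings.append("spi-mismatch: the two captures are not the same SA pair")
    return findings


if __name__ == "__main__":
    client = parse_client_spis(CLIENT_LOG)
    for sa in parse_pix_sas(PIX_SA_OUTPUT):
        print(sa["remote_ident"], diagnose(sa, client))
```

For a like-for-like comparison, capture the gateway output and the client log during the same connection, so that the SPI check passes and the counters describe the session the log shows.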
