I have the same problem, but when I enter the command "authentication key-management wpa" I get the error: "Encryption mode cipher is not configured". But I have (or think I have) configured it. Any ideas what's wrong?
Found the answer: Packet capture wizard in the ASA can track all packets between any interface or IP address/range. By capturing from the source subnet, then sending the output to Wireshark, the culprit is revealed.
Hi, I don't have a NetFlow box, and it looks very complicated!! What I really need is a simple method of tracing the source IP of traffic going through the VPN.
I have a site-to-site IPsec VPN between an 1801 ISR and an ASA 5510. Monitoring the VPN on the ASA, I see there is constant traffic on it, when I would have expected only intermittent traffic. How can I trace what is actually causing traffic to cross the VPN? I suspect something at the ISR end is sending packets to the ASA network, but how can I find out what? Cheers
So, if I upgrade from 8.2 to 8.3, I could use the internal names/IPs in my ACLs? As you say, this would be much more flexible, as I do indeed plan to change the external IP scheme eventually.
That config does not work, but I think I've spotted the flaw: it works if the destination of the access rule is the external IP of the internal server, but does not work if the destination is specified as the internal server (in this case centos). This seems somewhat counter-intuitive to me, and different from the ISR routers, where you do specify the internal name/IP. I have done all config via the ASDM, not the CLI. I am assuming the Public Servers config option is a 'user friendly' way of doing the NAT and access list in one go?
I have just bought an ASA 5510 and am trying to configure it, but it is not working the way I expect. I have several internal servers which need to be accessed from the web. If I create a NAT entry for each, and a corresponding access rule, the servers cannot be accessed. If, however, I add the servers in the 'Public Servers' section, it automatically adds the appropriate NAT and access rule, and it works. My first question is: why is this so? Surely adding the NAT and access rule should work? Secondly, although it works by adding the servers via Public folders, it only does so by assigning a different public IP for each internal server. I want to assign different ports from one external IP to different internal servers to conserve IPs, but it will not let me do this: adding a server in Public Servers assigns an IP to that internal server, even though I specify, for example, only smtp as the service. If I try to add another Public Server, say http, to another internal machine, it says the external address overlaps with another in use. This can be done by configuring the NAT and access rule directly, but this doesn't work. I can only access my servers by doing it via Public Servers. Is this by design, or am I doing something wrong?
I have an 877 router that will not connect to my ISP. I've tried the troubleshooting docs; when I run a PPP debug, I get "Vi2 CHAP: O RESPONSE id 1 len 34 from <my isp username>" and "Vi2 CHAP: I FAILURE id 1 len 42 msg is "CHAP authentication failure, unit 2965"". The username and password are for certain correct, and the line is OK, as when I use another (much cheaper) router, it works fine. I've wiped my router and re-done the config from scratch, with the same result. I'm running the latest IOS. Any ideas what other troubleshooting can be done?
I have an ACL on the 877 that prevents traffic to the remote network being NAT'd in the first place, so return traffic will also not require NATting: it should be straight network to network. I have looked at the IP NAT translations after trying to ping the remote network, and there are no entries, so I conclude the VPN traffic is not being NAT'd, as expected. So I do not think NAT is the cause of the problem. But I cannot think what else could be causing the problem.
I have an Easy VPN remote configured on an 877 router, connecting to an 1801 running Easy VPN server. The VPN connects, and the 877 can ping clients on the remote network, but no clients on the LAN connected to the 877 can ping the remote LAN. Both sites use internal IP schemes and NAT to the Internet, but I believe I have filtered it correctly to prevent the VPN traffic being NAT'd, and no packets are dropped by the firewall. The IP schemes do not overlap. Any ideas where I'd go to troubleshoot this? I've gone through all the scenarios on the IPsec VPN troubleshooting page, but none of them seem to cover my issue.