Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About majedalanni
07-18-2018
majedalanni
Member since
11-19-2006
Beginner
Created by
majedalanni
in VPN and AnyConnect
in VPN and AnyConnect
03-05-2014
01:15 PM
03-05-2014
01:15 PM
I'm goint to tell you why do I need that remote VPN. I used that VPN to acess al my network from the HQ firewall and I don't need my lan client access the other network too. my HQ network is like start network and only that VPN can access them all
... View more
Created by
majedalanni
in VPN and AnyConnect
in VPN and AnyConnect
03-05-2014
01:12 PM
03-05-2014
01:12 PM
I did a static nat that when trying to use the remote VPN so it is hit the other firewall with different IP of the tunnel, so you need to create a nat from the inside interface to the outside interface with source nat to any outside IP address other that the outside interface. hope this helps Mike
... View more
02-27-2014
08:14 AM
Hi Again, Now I have same problem when I switched to IKEv2, if I created the tunnel with protocols IKEv1 and IKEv2, the tunnel for two private network work on IKEv2, but when a switch sends logs the generated tunnel is IKEv1, If I turned off IKEv1 no more logs goes to the Syslog server and no tunnel generated. any idea why is that, is it a bug or IKEv2 limitation that cannot create tunnels when specific port configured? Thanks in advance Mike
... View more
Created by
majedalanni
in VPN and AnyConnect
in VPN and AnyConnect
02-13-2014
12:52 PM
02-13-2014
12:52 PM
but That bug should be resolved in 8.4.6, looks it still there
... View more
Created by
majedalanni
in VPN and AnyConnect
in VPN and AnyConnect
02-13-2014
08:38 AM
02-13-2014
08:38 AM
Hi Here is some small digram of my firewalls LAN ---- FW(A) ----- S2S Tunnel ------- FW (B)------------------ LAN | | --------- Cisco VPN need to be run ------------- I used to run that VPN for more than three years with no issue, but after upgrading FW (A) from 8.2.5 to 8.4.7 I got below error msg Group = XXXX, Username = XXXX, IP = x..x.x.x, Skipping dynamic map SYSTEM_DEFAULT_CRYPTO_MAP sequence 65535: cannot match peerless map when peer found in previous map entry. Please does any body have any clue about it and I solve that? Mike
... View more
Labels:
12-19-2013
11:42 AM
I already read that, but still cannot do it, I can pass phase one but never phase two, I didn't configure the ASA with tunnle as I don't want to use the DSL IP address, so I create the configuration for remote vpn as cisco vpn and windows vpn, but I don't know how to configure the mikrotik to make it as a L2tip/ipsec VPN client
... View more
12-19-2013
08:17 AM
I have Cisco ASA 8.2(5) and Mikrotik behind a DSL that I cannot get a static public IP fot it, I would to create a VPN connection between the Cisco Firewall that has static public IP and the mikrotik, I just confused about how to do that, I think S2S tunnel its not going to work as I don't have two static IPs in both side, so I thought if the Mikrotik can work as a Cisco VPN client. is that work and how we configure them. Thanks in advance Mike
... View more
Labels:
Created by
majedalanni
in Security Analytics and Management
in Security Analytics and Management
12-03-2013
07:41 AM
12-03-2013
07:41 AM
Hi, We have couple of Cisco switches 2960 and HP switches 2910-24g that enabled SSH sever to remote access, Nessus keeps reporting a low vulnerabilities on those switches because of CBC cipher and it recomandded to use CTR or GCM cipher mode? any Idea how we solve this? Thanks in advance! Mike
... View more
Labels:
07-19-2013
06:37 AM
So that's mean I don't need to upgrade to 8.3.X first, just jump from 8.2 to 8.4 right?
... View more
07-18-2013
11:39 AM
Hi All, I'm planing to upgrade my failover firewalls active/standby from 8.2.5 to 8.4.6. I read about the NAT and I think I'm ready for it cross fingers My plane is Upload the 8.4.6 and ASDM 7.1.3 for both firewalls then assgin the boot and ASDM image to the new files. After thaton the active firewall reload the standby and wait until its up and running (cross finger again) then force the active to be standby and reload the standby to get the new 8.4.6. am I right about that? or should I upgrade to 8.3.1 or 8.3.1 first ?? please if it is, can you give me the full upgarde path? Thanks in advance!!!
... View more
Labels:
03-26-2013
01:35 PM
OK, I did it for the 8.2(5) too, looks my main problem was the the other VPN interested traffic! Thanks a lot for your patient and help
... View more
03-26-2013
11:59 AM
Yes makes sense, will check and update you. if its worked can we do it on version 8.2(5) ? Thanks
... View more
03-26-2013
11:43 AM
because the packet not passing at all so did not configure the other end show crypto ipsec sa interface: outside Crypto map tag: outside_map, seq num: 1, local addr: x.x.x.95 access-list outside_cryptomap extended permit ip 172.25.101.0 255.255.255.0 172.25.3.0 255.255.255.0 local ident (addr/mask/prot/port): (172.25.101.0/255.255.255.0/0/0) remote ident (addr/mask/prot/port): (172.25.3.0/255.255.255.0/0/0) current_peer: y.y.y.y #pkts encaps: 92, #pkts encrypt: 92, #pkts digest: 92 #pkts decaps: 28, #pkts decrypt: 28, #pkts verify: 28 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 92, #pkts comp failed: 0, #pkts decomp failed: 0 #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0 #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0 #send errors: 0, #recv errors: 0 local crypto endpt.: x.x.x.95/0, remote crypto endpt.: y.y.y.y/0 path mtu 1500, ipsec overhead 58, media mtu 1500 current outbound spi: D2A20B9F current inbound spi : 09309044 inbound esp sas: spi: 0x09309044 (154177604) transform: esp-3des esp-sha-hmac no compression in use settings ={L2L, Tunnel, PFS Group 1, } slot: 0, conn_id: 20480, crypto-map: outside_map sa timing: remaining key lifetime (kB/sec): (4373998/27395) IV size: 8 bytes replay detection support: Y Anti replay bitmap: 0x00000000 0x1FFFFFFF outbound esp sas: spi: 0xD2A20B9F (3533835167) transform: esp-3des esp-sha-hmac no compression in use settings ={L2L, Tunnel, PFS Group 1, } slot: 0, conn_id: 20480, crypto-map: outside_map sa timing: remaining key lifetime (kB/sec): (4373966/27395) IV size: 8 bytes replay detection support: Y Anti replay bitmap: 0x00000000 0x00000001
... View more
03-26-2013
11:10 AM
ASA Version 8.4(5) ! hostname ciscoasa names ! interface GigabitEthernet0/0 shutdown no nameif no security-level no ip address ! interface GigabitEthernet0/1 nameif outside security-level 0 ip address x.x.x.95 255.255.255.0 ! interface GigabitEthernet0/2 nameif inside security-level 100 ip address 172.25.101.1 255.255.255.0 ! interface GigabitEthernet0/3 shutdown no nameif no security-level no ip address ! interface Management0/0 nameif management security-level 100 ip address 192.168.1.1 255.255.255.0 ! boot system disk0:/asa845-k8.bin ftp mode passive same-security-traffic permit inter-interface same-security-traffic permit intra-interface object network NETWORK_OBJ_172.25.101.0_24 subnet 172.25.101.0 255.255.255.0 object network NETWORK_OBJ_172.25.3.0_24 subnet 172.25.3.0 255.255.255.0 object network sw host x.x.x.247 object network logserver host 172.25.3.213 object service syslog service udp destination eq syslog object network insidepc host 172.25.101.2 access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 172.25.3.0 255.255.255.0 access-list outside_access_in extended permit object syslog object mypc object server access-list outside_cryptomap_1 extended permit ip object mypc 172.25.3.0 255.255.255.0 pager lines 24 logging enable logging asdm notifications no logging message 106015 no logging message 313001 no logging message 313008 no logging message 106023 no logging message 710003 no logging message 106100 no logging message 302015 no logging message 302014 no logging message 302013 no logging message 302018 no logging message 302017 no logging message 302016 no logging message 302021 no logging message 302020 flow-export destination inside 172.25.3.53 9996 flow-export template timeout-rate 1 flow-export delay flow-create 60 mtu outside 1500 mtu inside 1500 mtu management 1500 no failover icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-712.bin no asdm history enable arp timeout 14400 no arp permit-nonconnected nat (outside,outside) source static sw sw destination static interface logserver service syslog syslog access-group outside_access_in in interface outside route outside 0.0.0.0 0.0.0.0 x.x.x.1 1 timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy no user-identity enable user-identity default-domain LOCAL user-identity action ad-agent-down disable-user-identity-rule http server enable no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport crypto map outside_map 1 match address outside_cryptomap crypto map outside_map 1 set pfs group1 crypto map outside_map 1 set peer y.y.y.y crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA crypto map outside_map interface outside crypto ikev1 enable outside crypto ikev1 policy 5 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 crypto ikev1 policy 10 authentication crack encryption aes-256 hash sha group 2 lifetime 86400 crypto ikev1 policy 20 authentication rsa-sig encryption aes-256 hash sha group 2 lifetime 86400 crypto ikev1 policy 30 authentication pre-share encryption aes-256 hash sha group 2 lifetime 86400 crypto ikev1 policy 40 authentication crack encryption aes-192 hash sha group 2 lifetime 86400 crypto ikev1 policy 50 authentication rsa-sig encryption aes-192 hash sha group 2 lifetime 86400 crypto ikev1 policy 60 authentication pre-share encryption aes-192 hash sha group 2 lifetime 86400 crypto ikev1 policy 70 authentication crack encryption aes hash sha group 2 lifetime 86400 crypto ikev1 policy 80 authentication rsa-sig encryption aes hash sha group 2 lifetime 86400 crypto ikev1 policy 90 authentication pre-share encryption aes hash sha group 2 lifetime 86400 crypto ikev1 policy 100 authentication crack encryption 3des hash sha group 2 lifetime 86400 crypto ikev1 policy 110 authentication rsa-sig encryption 3des hash sha group 2 lifetime 86400 crypto ikev1 policy 130 authentication crack encryption des hash sha group 2 lifetime 86400 crypto ikev1 policy 140 authentication rsa-sig encryption des hash sha group 2 lifetime 86400 crypto ikev1 policy 150 authentication pre-share encryption des hash sha group 2 lifetime 86400 telnet timeout 5 ssh timeout 5 ssh version 2 ssh key-exchange group dh-group1-sha1 console timeout 0 management-access inside dhcpd address 192.168.1.2-192.168.1.254 management dhcpd enable management ! threat-detection basic-threat threat-detection statistics host threat-detection statistics port threat-detection statistics protocol threat-detection statistics access-list no threat-detection statistics tcp-intercept ntp server 172.25.3.9 source inside prefer webvpn group-policy GroupPolicy_y.y.y.y internal group-policy GroupPolicy_y.y.y.y attributes vpn-tunnel-protocol ikev1 access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 172.25.3.0 255.255.255.0 access-list outside_access_in extended permit object syslog object sw object logserver access-list outside_cryptomap_1 extended permit ip object sw 172.25.3.0 255.255.255.0 tunnel-group y.y.y.y type ipsec-l2l tunnel-group y.y.y.y general-attributes default-group-policy GroupPolicy_y.y.y.y tunnel-group y.y.y.y ipsec-attributes ikev1 pre-shared-key ! class-map global-class match any class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options class global-class flow-export event-type all destination 172.25.3.53
... View more
03-26-2013
10:56 AM
it doesn't work looks the packet not passing the VPN Phase: 1 Type: UN-NAT Subtype: static Result: ALLOW Config: nat (outside,outside) source static mypc mypc destination static interface server service syslog syslog Additional Information: NAT divert to egress interface outside Untranslate firewallip/514 to logserver/514 Phase: 2 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group outside_access_in in interface outside access-list outside_access_in extended permit object syslog object mypc object server Additional Information: Phase: 3 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Phase: 4 Type: Subtype: Result: ALLOW Config: Additional Information: Phase: 5 Type: VPN Subtype: ipsec-tunnel-flow Result: ALLOW Config: Additional Information: Phase: 6 Type: NAT Subtype: Result: ALLOW Config: nat (outside,outside) source static sw sw destination static interface logserver service syslog syslog Additional Information: Static translate sw ip/1065 to firewalla ip/1065 Phase: 7 Type: VPN Subtype: encrypt Result: DROP Config: Additional Information: Result: input-interface: outside input-status: up input-line-status: up output-interface: outside output-status: up output-line-status: up Action: drop Drop-reason: (acl-drop) Flow is denied by configured rule
... View more
Created by
majedalanni
in VPN and AnyConnect
03-05-2014 01:15 PM
03-05-2014 01:15 PM
I'm goint to tell you why do I need that remote VPN. I used that VPN to
acess al my network from the...
Created by
majedalanni
in VPN and AnyConnect
03-05-2014 01:12 PM
03-05-2014 01:12 PM
I did a static nat that when trying to use the remote VPN so it is hit
the other firewall with diffe...
02-27-2014 08:14 AM
Hi Again,Now I have same problem when I switched to IKEv2, if I created
the tunnel with protocols IK...
Created by
majedalanni
in VPN and AnyConnect
02-13-2014 12:52 PM
02-13-2014 12:52 PM
but That bug should be resolved in 8.4.6, looks it still there
Created by
majedalanni
in VPN and AnyConnect
02-13-2014 08:38 AM
02-13-2014 08:38 AM
Hi Here is some small digram of my firewallsLAN ---- FW(A) ----- S2S
Tunnel ------- FW (B)----------...
12-19-2013 11:42 AM
I already read that, but still cannot do it, I can pass phase one but
never phase two, I didn't conf...
12-19-2013 08:17 AM
I have Cisco ASA 8.2(5) and Mikrotik behind a DSL that I cannot get a
static public IP fot it, I wou...
Created by
majedalanni
in Security Analytics and Management
12-03-2013 07:41 AM
12-03-2013 07:41 AM
Hi, We have couple of Cisco switches 2960 and HP switches 2910-24g that
enabled SSH sever to remote ...
07-19-2013 06:37 AM
So that's mean I don't need to upgrade to 8.3.X first, just jump from
8.2 to 8.4 right?
07-18-2013 11:39 AM
Hi All,I'm planing to upgrade my failover firewalls active/standby from
8.2.5 to 8.4.6. I read about...
03-26-2013 01:35 PM
OK, I did it for the 8.2(5) too, looks my main problem was the the other
VPN interested traffic! Tha...
03-26-2013 11:59 AM
Yes makes sense, will check and update you. if its worked can we do it
on version 8.2(5) ?Thanks
03-26-2013 11:43 AM
because the packet not passing at all so did not configure the other
endshow crypto ipsec sainterfac...
03-26-2013 11:10 AM
ASA Version 8.4(5) !hostname ciscoasanames!interface
GigabitEthernet0/0shutdownno nameifno security-...
Public Statistics
| Date Registered | 11-19-2006 12:52 AM |
| Date Last Visited | 07-18-2018 12:03 AM |
| Total Messages Posted | 61 |
