Got to set up a site to site VPN to one in a clients office and we're struggling to get Phase 2 working, just seems to loop around saying "Received encrypted packet with no matching SA, dropping" which to me means the ACLs arent mirrored correctly?
View 3 Replies
I've got a lot of these messages in my logs from SVC users:Code:
View 13 Replies View RelatedProblem Host A unable to reach Host B, trace route from Host A it reach to Router B but the packet unable reach to the Host B here the 1st level troubleshoot I did
1. Traceroute and ping success from router A to host B
2. Ping success from router B to host B success
I wonder the packet reach to router B but it didnt pass to Host B.
We have Cisco IP phones behind a 2600 series router:Most of the time when the PBX receives a packet from the phone, the source IP of the packet is set to the public IP of the router (1.2.3.4) as expected. However, once in a while, we get packets (at the PBX) with the source IP set to the private IP of the phone (10.0.0.12).The router is configured by our provider, and they can't give us any explanation for this behaviour. Is it safe to assume that PAT is not configured properly at the router?
View 2 Replies View RelatedI have a ASA5540 firewall set-up with an interface MTU of 1500.
I suspect that we are receiving packets with a larger MTU but have not found an easy way of confirming this. Any command that can be run on the firewall to display the MTU packet size being received on an interface?
We are also running Solar Winds so could query an OID if such a variable exists.
Most of the 4500 Switches in our network are giving the similar error for so many ports
%C4K_L2MAN-6-INVALIDSOURCEADDRESSPACKET: (Suppressed 1 times)Packet received with invalid source MAC address (00:00:00:00:00:00) on p t Gi2/6 in vlan 100
Its impossible to do a wireshark packet tracing for all the ports.
Issue I am having with a Cisco 4507? Below is the error i am receiving.
Feb 14 10:06:09 EST: %C4K_L2MAN-6-INVALIDSOURCEADDRESSPACKET: (Suppressed 508 times)Packet received with invalid source MAC address (00:00:00:00:00:00) on port Po10 in vlan 112
Feb 14 18:44:06 EST: %C4K_L2MAN-6-INVALIDSOURCEADDRESSPACKET: (Suppressed 119 times)Packet received with invalid source MAC address (00:00:00:00:00:00) on port Po10 in vlan 112
Feb 15 00:51:06 EST: %C4K_L2MAN-6-INVALIDSOURCEADDRESSPACKET: (Suppressed 366 times)Packet received with invalid source MAC address (00:00:00:00:00:00) on port Po10 in vlan 112
[Code]...
Default route is pointed to firewall but still it is taking the path directly to the ISP from the router without going through firewall.
[code]....
I came across a situation where a client had an old PIX 525 running PIX 6.2. There was a Windows 2008 R2 server running Exchange 2010 that was having trouble delivering email to a handful of email servers. We then found out that we could telnet to these servers on port 25 but got no return traffic. We then went back the old email server that was running Windows 2003 Server and could telnet to port 25 on these email servers and got a response, saw the banner and could issue commands. The first thought was reverse DNS which we thoroughly checked and it was not. I turned off the smtp fixup protocol and that didn't fix it either. From workstations on the network running XP or Windows 7 or Linux you could telnet to these servers and you would get a response but just not with 2008 server. I spent hours on the phone with Cisco support and it was determined that the packets were returning and we could capture the packets on the outside interface but they were then dropped by the firewall. Using the 6.2 version of PIX we could not determine why the packets were being dropped. I suggested upgrading to the next major version to be able to troubleshoot the issue further. We then upgraded the PIX to version 7.0(8). After the upgrade we were able to telnet to the problem mail servers from Windows 2008 Server and there were no issues. Is there a know issue with Windows 2008 Server and PIX 6.2?
View 1 Replies View RelatedI believe that the Cisco Unified Communications Manager Express matches the outbound VoIP dial peer digit-by-digit, because:
1. when using the debug command it shows how it works digit-by-digit till it match a pattern
2. It says in the study guide ( If a match is found, the router immediately processes the call - chapter 6) so I understand its not en bloc
my config and all the show's ive run sofar tryign to figure this out, but the policy map isnt matching the traffic for some reason
View 9 Replies View RelatedI have a Cisco ASA running 8.2 in routed mode.The ASA has three interfaces, inside, outside and DMZ. They connect to the following three networks:
Inside: 10.1.1.0/24
Outside: 10.1.2.0/24
DMZ: 100.1.1.0/24
I have the following dynamic PAT configuration:
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 100.1.1.1
nat control is turned off.
By my understanding any traffic from the inside to outside interface will be PATted to 100.1.1.1. However, communications between inside and the DMZ will not be PATted, and should work with no problems.This seems to be corroborated by this document: [URL]Which states:"The adaptive security appliance translates an address when a NAT rule matches the traffic. If no NAT rule matches, processing for the packet continues."EDIT: I may have misunderstood the above statement.I found this guide to configuring NAT/PAT: [URL]It states:"When you specify a group of IP address(es) in a nat command, then you must perform NAT on that group of addresses when they access any lower or same security level interface; you must apply a global command with the same NAT ID on each interface, or use a static command. NAT is not required for that group when it accesses a higher security interface because to perform NAT from outside to inside you must create a separate nat command using the outside keyword. If you do apply outside NAT, then the NAT requirements preceding come into effect for that group of addresses when they access all higher security interfaces. Traffic identified by a static command is not affected."My problem is that packet tracer does not seem to bear me out. It tells me the packet is dropped due to "no matching global" when I source traffic from the inside interface and send it to the DMZ.
I have a command line from ASA 5505 like below :
nat (inside) 0 access-list NO_NAT
The problem is I cannot see any matching ID of 0 at the (outside) like :
nat (outside) 0 xxxxxxxxxxxxx
Another problem is there is also no any access list with the name of NO_NAT.
i have firwall ASA5400, and the outside interface connected to internet router but i noticed that the interface speed in the outside interface is 1000M, but on the internet router is 115 M. so the interface in the router is highly utilized and also the firwall cpu highly utilized. [code]
View 0 Replies View RelatedI am trying to set up remote access vpn on an asa 5520 running 8.4.1. I have the ipsec group, policies, and ip pool set up. When I try and connect with the cisco vpn client I see the following in the logs. Deny icmp src outside:214.67.39.42 dst outside:24.252.51.73 (type 3, code 3) by access-group "acl_inbound". Do I need to put in some firewall rules to allow this traffice so that the VPN can connect?
View 9 Replies View RelatedI am trying to remove a static route I added: [code]
I was practicing setting up static routing on three routers r2 (2600xm) connected to r1(2600xm) via T1 module cards on the serial ports. connected to r1 is an old 2500 router called PC.
I removed the static routes off r2 and PC but when I get to r2 which I am connecting to via console cable from another 2500 that I use for an access server I get the above error. all the IPs are just generic subnets I created to play around with static routing. I
ASA is the server, 2651 is the client. Phase 1 is negotiating, after entering XAUTH on the 2651, the ASA is showing:
Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.250.2.0/255.255.255.0/0/0 local proxy 10.10.3.0/255.255.255.0/0/0 on interface Outside
Not sure what this means in this instance, the maps are setup the same as the article below. I guess I more expected that sort of error if this was a static tunnel and there was an ACL issue. I don't have a lot of knowledge on the Easy VPN with the ASA. [code]
We are configuring a twice-nat to send traffic for scansafe, its on a asa5505 ve 8.4(3) on a remote location for the customes. The nat redirecion is working but we also have a VPN tunnel to the corporate network. Through the tunnel we need to reach a http server. The problem we are having is that when we add the scan-safe nat, all http traffic gets redirected to scansafe, includind the traffic to the http server on the corporate network.
10.2.1.0 ---<ASA5505> ---Internet,scansafe ---- <Corporate> --- 10.1.1.0
the http server is 10.1.1.75
the remote location network is 10.2.1.0/24
[Code].....
I'm performing tests with following desired scenario: We have several remote offices, connected to our HQ via MPLS. In these remote offices, we have several vlan's. Each vlan has it's own ip-range. The MPLS cloud is routed, so we cannot switch our HQ vlan's to the remote offices. In this case, the client pc is in a guest vlan which allows him internet access. The uplink for this internet access is hosted in our HQ datacenter.
basic scheme:
client pc --> MPLS cloud (managed by ISP) --> 6500 switch LAN --> Checkpoint Firewall --> 6500 switch DMZ --> ASA Firewall
My test scheme:
Client pc is in a subnet A (guest vlan range office).
We receive this traffic on our first LAN 6500.
[Code].....
I reloaded XP on an old laptop I have, a Toshiba Satellite, and it works fine. Problem is when I try to connect to my wireless network, it comes up as being security protected...and it isn't...and never has been. I have other computers connecting just fine, but I can't seem to figure this one out. I don't have a key to enter as there isn't one! I installed a USB wireless adapter, and it works fine, but I don't want to use the adapter on the laptop.
View 6 Replies View RelatedMy company is composed of three different campuses, all with a similar network topology. We currently are experiencing high bandwidth on our serial interface at one of the campuses in particular. The network is composed of about 20 VLANS routed internally using a Cisco 6509. Traffic to the outside is PAT’d by an ASA 5510 and then forwarded through our edge router interface. Each VLAN is PAT’d to a specific public address.Due to the PAT, how would you recommend determining what specific private addresses are consuming our resources on the serial interface. When I look at our NMS, it reports the public address, but that only narrows it down to a VLAN. For example, all the devices in VLAN 6 are translated to 146.34.118.245, and 146.34.11.245 is a top talker.
View 1 Replies View RelatedRV220W - I'm trying to create a one-to-one NAT connection to a PC on my network. I have 5 static IP's assigned by my ISP. I've gone through the step of 'registering' each IP in turn on the WAN port, and pinging that IP from an external device until it starts to respond, then I set the WAN IP back to the one I want to use to manage the device.
I think what I want to do is simple. I simply want to NAT ALL traffic hitting my 2nd IP address, let's call it 24.15.120.73 (not the real value) to 192.168.1.10 internally. I want ALL ports both UDP and TCP to be forwarded. This Server is then going to be one end of a VPN tunnel going to another site, but I don't want to complicate things with that for now. So I can't even seem to get one-to-one NAT working! I created the one-to-one NAT on the Advanced tab of the firewall and created rules for all ports for UDP and TCP, but I can still never 'see' the internal server from the Internet. Also, the server will not get out to the Internet (can't hit Google, etc).
How can we check when we connect using VPN client software if traffic is getting encrypted ?
View 7 Replies View RelatedI am actualy trying to make a remote access VPN between a ISR1921 and Windows 7 pro. I already managed to put a PPTP VPN with an authentication against our LDAP databse via radius. But our password are in SHA1 in our LDAP, so I had to let the password unencrypted on the network using pap and this is bad.If I don't use pap, it simply doesn't work since all the other method need unencrypted password for the challenge authentication.Does that mean that every remote access VPN keep our password unencrypted ? Maybe use EAP (but I can't find a howto or good documentation about it)? Can I add a certificate or something?
View 1 Replies View RelatedIs it possible to configure an IPSEC GRE tunnel with RIP on an SRP527w? I see RIP, GRE & IPSEC are all possible.. But I'm not sure about them all together securing the GRE tunnel??
I basically want to do this with the SRW routers not native IOS. Single head end hub & spoke.
I've configured an ASA5505 to be Lan to Lan VPN tunnel endpoint, peering with a linux box. The ASA is full licensed so that side isn't an issue.PROBLEM:When the tunnel is initialised from the linux box everything comes up okay except the ASA isn't encapsulation any packets. It is decrypted the packets received from the Linux box okay but no return traffic is being encrypted.When the tunnel is initialised from the ASA, nothing happens.After some troubleshooting I've found that the ACL defining interesting traffic nor the ACL defining NO_NAT aren't being hit at all.
ACL for NO_NAT:
access-list NO_NAT line 1 remark ACL USED TO DEFINE WHAT TRAFFIC NOT TO NAT OVER THE VPN
access-list NO_NAT line 2 extended permit ip host PAMS_SERVER object-group LINUX-BOXES 0xc736d5fb
access-list NO_NAT line 2 extended permit ip host PAMS_SERVER 10.11.228.0 255.255.255.0 (hitcnt=0)
[code]....
I've checked with the administrator of the linux box and the definition for interesting traffic is exactly the same (except in reverse as should be the case).The firewall is doing other things like NATs and such like too but those NATs have nothing to do with this VPN. The setup is a LAN to LAN connection with no natting in between.The main parts of the config are attached, i've deleted things that should have a bearing on this however if you think it necessary i can sanitise the config and re-post. I think it will be working fine as long as the traffic hits those ACLs, however they're not and I'm unsure why.At this time i'm not seeing anything at all when doing an debug cry ipsec or debug cry isa. The ACL's aren't being hit so i'm guessing it's not even trying to form the VPN as it can't see any traffic that constitutes being 'interesting'.
I have
MLS : C6509-E
SUP : VS-S720-10G
PFC : VS-F6K-PFC3CXL
I'm trying to find out what is its limitation for encrypted traffic via SVTI there .
I don't have a SPA for the ip sec .
My router password is "55xxxxx"
But when I want to change the router password in CCC, it warns me "Current password is not match"
How WEP cracking works. I have a much better understanding now but it seems whatever programs I download and however close I get I always hit a wall somewhere. I am using windows 7 64 bit and my network adapters/cards are Broadcom 802.11n Network Adapter and Broadcom Netlink(TM) Gigabit Ethernet. I am not sure if these are adequate. I was using Commlink and aircrack but not sure if they are compatible and which versions i should have installed. I got as far as the collecting packets stage but the packets that appeared said ENCRYPT which was not correct and then my computer went to blue screen adn shut down and I had to system restore.
View 1 Replies View RelatedThe only way we can use our Motorola router is unencrypted. I have gone into the router numerous times and reset it, unplugged it, retyped the WEP key, tried to shift to WPA and nothing works. None of three computers in the house will connect unless all encryption is off. We live in a good neighborhood on a cul de sac, don't get a lot of traffic through here, and know the immediate neighbors, but nothing is stopping a stranger with a laptop from sitting on the street and using our wifi. I've talked to the Comcast tech. The trouble just seems to be our boxes won't get past the WEP encryption stage.
View 8 Replies View RelatedI have XP running on this older laptop for my kids.I wish to connect this laptop wireless (WPA2 encrypted) with the internet AND with other hardware in my home (other pc, harddisk, mediaplayer, printer).I know it can be done in windows 7, and Microsoft also had a virtual WiFi research project for a WEP encrypted visual WiFi.But as said I need a WPA2 encrypted virtual WiFi for a laptop running XP.
View 14 Replies View RelatedI've noticed, that ACS 5.1 is writing .gpg archives for backups. I'm about to upgrade an evaluation system and the Installation and Upgrade Guide tells me to do a full backup and restore in order to upgrade an eval to a production system. [URL] (second note in section "Evaluating ACS 5.1)
Question: can the production system sucessfully decrypt the backup? According to my personal gpg it is CAST5 encrypted with one passphrase. Is this passphrase constant for all ACS 5.x?
Our campus using WisM (WS-SVC-WISM-1-K9) as wireless controller , Cisco 1130 access point and Cisco Secure ACS 4.2 Solution Engine 1113 Appliance as radius server. For username and password, ACS will export the data from Oracle database (production DB). The problem that we are facing right now is password that store in oracle database is in encrypted format. Base feedback from our database administrator, the encryption is done by oracle - application layer and cannot be decrypt back. In Oracle they call it "Oracle Stored Procedures"
My questions :
1- Can Cisco Secure ACS 4.2 work with Oracle 10G or 11G?
2- Is there any option to tackle the encrypted password? Can ACS handle the "Oracle Stored Procedures" function?
