Cisco Security :: Tunnel Mismatch Between A PIX 515E Version 7.2(2) - 3800 12.3(11r)?

Mar 11, 2007

I have a tunnel between a PIX 515E version 7.2(2) and a Cisco 3800 version 12.3(11r). There is a mismatch somewhere in the configs but I cannot find it. I have included the configs and the syslog errors.


Cisco VPN :: PIX-515E Version 8.0(2) - Cannot Reach Destination Of One IPSec Tunnel Via Another

Apr 17, 2013

I have a PIX-515E version 8.0(2). I have two remote sites connected to this PIX via IPSec tunnels. Each remote site can reach the local networks behind the PIX but I can not reach remoteSiteA from remoteSiteB. So,
 
10.30.8.254  SiteA <----- IPSec -----> PIX1 <----------------> SiteX 10.0.8.1
10.138.34.21 SiteB <----- IPSec -----> PIX1 <----------------> SiteX 10.0.8.1

SiteA can ping SiteX
SiteB can ping SiteX
SiteA can't ping SiteB
SiteB can't ping SiteA
 
If I do show crypto isakmp ipsec sa I can see appropriate subnets:
 
Crypto map tag: CRYPTO-MAP, seq num: 4, local addr: 203.166.1.1 
access-list ACLVPN-TO_SITEA permit ip 10.138.34.16 255.255.255.240 host 10.30.8.254
local ident (addr/mask/prot/port): (10.138.34.16/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (10.30.8.254/255.255.255.255/0/0)
current_peer: 104.86.2.4

[code]....
 
Some log messages that seem to point to the problem...
 
Apr 18 2013 13:27:35: %PIX-4-402116: IPSEC: Received an ESP packet (SPI= 0xD51BB13A, sequence number= 0x21A) from 104.86.2.4 (user= 104.86.2.4) to 203.166.1.1.  The decapsulated inner packet doesn't match the negotiated policy in the SA.  The packet specifies its destination as 10.138.34.21, its source as 10.30.8.254, and its protocol as 6.  The SA specifies its local proxy as 10.0.8.0/255.255.255.0/0/0 and its remote_proxy as 10.30.8.254/255.255.255.255/0/0 
 
My question is really do I need to do anything funky to allow the traffic to pass between the two tunnels?


Cisco :: L2L IPSec Tunnel - ASA To 3800 Router

Mar 3, 2011

I have been struggling for a few days with getting site-to-site traffic working across a L2L IPSec tunnel. At this point, I have the tunnel up, and I see packets being decrypted on the correct IPSec SA's when I ping from a local network computer on the ASA side to a local network computer on the router side. I cannot ping from one side to the other, but those packets are getting through. We have another L2L tunnel that is from that ASA to another remote site's ASA, and that is functional. I have mirrored the configuration for ACLs, etc. from that site, so I believe that the issue is with the packets getting incorrectly translated by the NAT/NONAT statements/ACLs on the router side.


Cisco VPN :: L2L IPSec Tunnel - ASA To 3800 Router?

Mar 2, 2011

I have been struggling for a few days with getting site-to-site traffic working across a L2L IPSec tunnel. At this point, I have the tunnel up, and I see packets being decrypted on the correct IPSec SA's when I ping from a local network computer on the ASA side to a local network computer on the router side. I cannot ping from one side to the other, but those packets are getting through. We have another L2L tunnel that is from that ASA to another remote site's ASA, and that is functional. I have mirrored the configuration for ACLs, etc. from that site, so I believe that the issue is with the packets getting incorrectly translated by the NAT/NONAT statements/ACLs on the router side.

The ASA is: Cisco Adaptive Security Appliance Software Version 8.2(2)
Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz

The router is: Cisco IOS Software, 3800 Software (C3845-ADVENTERPRISEK9_SNA-M), Version 12.4(20)YA3, RELEASE SOFTWARE (fc2)

Router Config:

!
version 12.4
!
card type t1 0 0
!
no ip cef
!
ip multicast-routing
no ipv6 cef
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxx address nn.nn.12.130
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
crypto map NOLA 11 ipsec-isakmp
 set peer nn.nn.12.130
 set transform-set 3DES-SHA
 set pfs group2
 match address VPN-ACL
!
controller T1 0/0/0
 fdl both
 cablelength long 0db
 channel-group 1 timeslots 1-24
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.252
 ip virtual-reassembly
 no ip route-cache
 crypto map NOLA
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
 media-type rj45
!
interface

[code]....


Cisco Switching/Routing :: 3750 Stack Version Mismatch

Feb 18, 2013

I'm able to upgrade the master of a 3750 stack, but the member fails to upgrade. [code] I couldn't do rmdir flash:update unless I reload chassis... but even after reloading still cannot make the 2nd member to load with the newer IOS.


Cisco WAN :: Setting Up IPSec Tunnel Between 3800 And 2600 Routers?

Jan 19, 2013

I'm setting up an IPSec tunnel between 3800 and 2600 routers over the internet.

Do I need to create a tunnel interface as they suggest in this document? [URL]

I just watched a couple of YouTube videos saying I don't need to do that...


Cisco Switching/Routing :: Nexus 2248 / N 5596 - AA Version Mismatch

Jan 27, 2013

I have a pair of 5596 running in a vPC with Nexus 2248 connected to each N5596.  When I do the command "show fex" I get the following output on the 2nd 5596

Number    Description      State            Model            Serial    
------------------------------------------------------------------------
101         FEX101   AA Version Mismatch   N2K-C2248TP-E-1GE   SSI16390705
102         FEX102   AA Version Mismatch   N2K-C2248TP-E-1GE   SSI163704AD
122         FEX122                Online    N2K-C2232PP-10GE   SSI16370195
 
I'm running version 5.1(3)N1(1) on both of the 5K's. I have looked through all the configuration and I am not understanding why I am getting this error.  I have tried to look it up on [URL], but not having a ton of luck. 


Cisco Switching/Routing :: Stack C3750G And C3750X - Major Version Mismatch

Jun 11, 2013

I'm trying to stack 3750G & 3750X. As discussed in previous threads, I am aware that the versions need to match.
 
Here the switch details:
 
Switch Ports Model              SW Version                SW Image
------ ----- --------------             ----------
* 1 24    WS-C3750G-24T      12.2(55)SE7             C3750-IPBASEK9-M
---------------------------------------------------------------------------------------------------------------
* 1 54      WS-C3750X-48      12.2(55)SE7           C3750E-IPBASEK9-M
 
I have changed the universal IOS on the 3750X to IP base, but they still won't come up as a stack. On the 3750X I don't see any log entry, on 3750G (major version mismatch).


Cisco Switching/Routing :: 3750 - Major Version Mismatch On Identical Switches

Apr 3, 2012

We have bought four identical 3750X switches with identical SW-images: 12.2(55)SE3          C3750E-UNIVERSALK9-M
 
We initially connected two switches, this resulted in forming a stack. With the other two switches we wanted to do the same thing. However, we received the following message:
 
%STACKMGR-5-MAJOR_VERSION_MISMATCH: Major Version Mismatch (Local 1 - Received 6) with neighbor-1
 
Both switches will not see each other and the output of show switch stack-ports shows only one switch and both stack ports as being Down.
 
I did some digging using the show platform stack-manager all command to find out that three of the 3750X's have the stack version number 1.45 and one has 6.45. This would obviously indicate the reason behind the mismatch, but the SW-versions on all new switches are identical!
 
Checking the CISCO site explains that mismatching of Major version is critical:
 
Major Version Number Incompatibility Among Switches

Switches with different major Cisco IOS software versions usually have different stack protocol versions. Switches with different major version numbers are incompatible and cannot exist in the same switch stack.
 
That's all I could find. Nothing about changing the major version number, so all I can suspect is that IOS version needs to be the same.


Security Key Mismatch

Dec 14, 2012

I have a 2wire router and can currently only connect to the internet with an ethernet cable. I've screwed my settings up trying to install my new router (WHOLE 'nother post lol!). Anyway it's not taking my Security Key... that I think is the right one. If I enter a different one it doesn't say incorrect, but it says possible security key mismatch or something like that.


Network Security Key Mismatch

Oct 24, 2011

I am trying to access the internet (Plusnet) using a laptop, via as wireless computer. All that appears on the laptop screen is "network security key mismatch". What is a security key?


Network Security Key Mismatch Error

Feb 5, 2013

I still get the "security key mismatch error" for my school and home wifi. I know the passwords I'm using are correct. I also have the fake "Intel(R) Centrino(R) Wireless-N 6150" in my Device Manager. This does not have a driver nor can Device Manager find one. I recently noticed that there are 8 Virtual Wifi Miniport Adapters. What are these and why do they exist?


Cisco Firewall :: Pix-515E Possible To Even Get Access To That Version

Jul 1, 2011

I was wondering if I picked up a used (End of Life) pix-515e, what would I need to do to be able to upgrade it to the latest version of IOS made for that product? Is it still possible to even get access to that version? Will Cisco allow downloads for that device's IOS?


Cisco Security :: ACS 4.1 Version Recovery Disc On 4.2 Version To Recover Forgotten Password

Jan 16, 2012

Can we use the ACS 4.1 version recovery disc on the 4.2 version to recover the forgotten password?


Cisco Firewall :: How To Configure 515E (version 6.3(4)) To Be Used With ADSL Modem

Dec 5, 2010

How can I configure the Cisco 515E (version 6.3(4)) to be used with an ADSL modem? Currently the computers are directly connected to the ADSL modem to get the private IP addresses and we would like to add the Cisco firewall after the ADSL modem.

ADSL Modem ---> Firewall --> Switch--> Computers


Cisco Security :: PIX 515E Logging For Audit

Oct 17, 2011

We have a PIX 515E running ver 6.3 and we want to implement some sort of logging to keep track of who/when logs in to the PIX and if they make any config changes or changes to the file system. All of this is for forensic purposes in the future. I have already looked at some PIX docs but I don't seem to find what I am looking for.


Cisco Security :: PIX 515E - How Many Entries Can NAT Table Have

Oct 29, 2012

How big is the NAT table for a PIX515E? How many entries can it have?


Network Security Key Mismatch For Every Network?

Jan 21, 2013

I had my computer in the shop for some relevant work - the system32 folder was corrupt. After this, I could not use any wifi networks. I have the correct password for two networks and get the "Network Security Key Mismatch" error whenever I try to connect. I cannot change the network settings in "manage wireless networks" because of:

1. a local wifi jammer

2. my adapter drivers not always working [URL]

3. the repairs done to my computer (I think... no networks show when the device is off and drivers working)

I also cannot alter the current router settings for either of the networks so resetting the password or "removing all wireless settings"


Cisco Firewall :: Import PIX 515E 6.3(5) Config Into New PIX 515E 8.0?

Aug 22, 2011

I need to redo the configuration on the new one?


Cisco Security :: Red Hat OS Version In ACS 1121?

Jul 1, 2012

How to know the Red Hat OS version in the ACS 1121 appliance?


Cisco Security :: Which IOS Version Of 3560-X Switch Support NAC-L2-IP

Apr 20, 2011

Which IOS version of the 3560-X switch supports NAC-L2-IP?


Cisco Firewall :: ASA Version 8.3 And Higher / Nat Control From Lower Security?

Oct 1, 2012

I have read that nat control no longer exists in this version. However, I am trying to permit traffic from a lower security interface to a higher security interface. Does it need to be NATted?

When I try to route, I have never succeeded, but when I put a nat, I can access and the traffic goes through. Am I missing anything on the nat control statement?


Cisco Security :: 1811 - SSL VPN On IOS / No Split Tunnel?

Jun 26, 2007

I've configured SSL VPN on an 1811 router running 12.4(9) IOS. I'm using the full SSL VPN client and do not want to split tunnel the traffic. I can reach my inside resources just fine, but I can not reach sites on the Internet. I want to tunnel my Internet traffic to the router and then have it hairpin out the same interface.

I've successfully configured this type of hairpinning on an ASA for SSL VPN, but have yet to find a way to do it in IOS.


Cisco Security :: Disabling XAuth For Remote VPN Users On ASA 5510 Version 7.2(1)?

Jul 1, 2006

How to disable XAuth for Remote VPN users on the ASA 5510 running 7.2(1)?
 
HPMFIRE(config)# tunnel-group vpn3000 general-attributes
HPMFIRE(config-tunnel-general)# authen
HPMFIRE(config-tunnel-general)# authentication-server-group none
ERROR: The authentication-server-group none command has been deprecated.
The isakmp command in the ipsec-attributes should be used instead.

--[code]....
 
I couldn't find anything under isakmp to disable it. 


Security / Firewalls :: Lan To Lan Vpn Tunnel Is Not Working

Feb 12, 2012

I have a problem with the LAN-to-LAN VPN tunnel. The VPN had been working fine since 9 months ago without any problems. Suddenly we got the problem! In the last two days we faced the problem of the VPN being down. The first time the problem was in phase-2, but after that in phase-1; most recently, no data packets are received on their side.


Cisco Security :: Establish A Tunnel (LAN-to-LAN) From A VPN 3000 Series?

May 31, 2001

Is it possible to establish a tunnel (LAN-to-LAN) from a VPN 3000 series Concentrator with a static IP address to another VPN 3000 series concentrator (or an IOS router) with a dynamic IP address.


Cisco AAA/Identity/Nac :: ACS1113 Version 4.2 Ssh Version 1 / Specify Only Version 2 Or Turn Off SSH?

Sep 14, 2009

McAfee scan of acs 1113 appliance running the 4.2 build 124 patch 12 version reports that a medium vulnerability exists because the system has SSH version 1. Any way to specify only version 2 or turn off SSH?


Cisco Security :: ASA 5510 - ASDM Fails To Load On Mac OSX 10.7 Running Java Version 1.6.0_33

Jun 24, 2012

I have an ASA 5510 running ASDM 6.4(9) and Cisco Adaptive Security Appliance Software Version 8.4(4)1. I am trying to configure for the first time and I am accessing the ASA via its Management Interface. I am successfully able to connect to the device and get to the Cisco ASDM 6.4(9) page. When I try to run the startup wizard, a couple of prompts display up to the point where the Java applet runs and asks me to enter my IP, username and password. As it is a new system, password and username are blank so I enter and I get a message saying "loading software from cache" which later changes to "software Update completed" and then nothing happens. I am running MacOSX 10.7 Lion, Java version 1.6.0_33. I did try and run this on a Windows system and I was able to load the interface.


Cisco Security :: Can Integrate Acs Version 5.x With Active Directory Microsoft Windows Server 2012

Apr 5, 2013

Can we integrate Cisco ACS version 5.x with Active Directory on Microsoft Windows Server 2012?


Security / Firewalls :: VPN To A Remote Office With An Existing VPN Tunnel?

May 23, 2011

I have an existing VPN tunnel from my branch office to corporate. I want to allow my employees to establish a VPN connection to our local branch office where we have a local server, and not go through the corporate office. Can I set up a direct VPN connection to my router/firewall at the branch office, even when there is a VPN tunnel already connected between my office and corporate?


Cisco Security :: ASA 5505 / HTTPS From Vpn Client To Internet Host Through Tunnel Ipsec-spoof?

Jan 17, 2013

We have a Cisco ASA 5505 and are trying to get the following working:
 
vpn client (ip 192.168.75.5) - connected to Cisco ASA 5505
 
The client gets a specific route for an internet address (79.143.218.35 255.255.255.255 192.168.75.1 192.168.75.5 100). When I try to access the URL from the client I get a syn sent with netstat. When I try the packet tracer from the ASA I see the following:
 
<Phase>
 <id>1</id>
 <type>FLOW-LOOKUP</type>
 <subtype></subtype>
 <result>ALLOW</result>

[code].....


Cisco WAN :: How To Configure 3800 With WIC-2AM-V2 To Do DDR

Sep 30, 2012

I'm trying to configure a Cisco 3800 with a WIC-2AM-V2 to do DDR.  I've gotten it to work before, but it was a while and now the config doesn't seem to work.  I'm using an Lo0 interface and ip unnumbered on the Dialer interface.  Using debug dialer and debug ppp and see nothing at all trying to dial out.
 
##############################################################
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname DDR

[code].....


Cisco WAN :: 3800 As NTP Server

Sep 1, 2011

I am trying to configure a Cisco 3800 as NTP server for all Juniper MX router clients. The purpose is to serve the clock to all Juniper routers. But I'm facing a weird issue.. All Juniper routers are getting synced with the Cisco 3800 but there is a difference of 30 min between client and server time.
 
Cisco config
 
ntp authentication-key 100 md5 11201D00163B0C1E 7
ntp trusted-key 100
ntp source Loopback1
ntp master
end








Copyrights 2005-15 www.BigResource.com, All rights reserved