Sadikhov IT Certification forums

soll

Members

About soll: Content Count 132; Community Reputation 0 Neutral; Rank: Member
  1. soll

    ISCW IPSEC

    Hi, yes it is possible. You would do it the same way as static. The only problem would be when the dynamic IP changes after the lease has expired. I believe you can also do it with a Dynamic DNS host service but couldn't tell you for sure or the procedure. HTH
  2. soll

    IPSEC TROUBLE SHOOTING

    Hi wtf wtf, agree with the others that without config from both it is kinda difficult to help. Looks like failing at phase 1, so it could be PSK mismatch, or isakmp policy mismatch. HTH
  3. soll

    STP hello timers

    laf yes I did, although many months ago now (so can't remember what switches I used). I think the 3640 with switch module. HTH
  4. soll

    How can block HTTPS traffic on ASA CSC SSM20

    Hi, try this: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940c5a.shtml HTH
  5. soll

    How can block HTTPS traffic on ASA CSC SSM20

    You can do so via ACL applied on the inside interface:

        access-list acl_in deny tcp host source_ip any eq 443

    The CSC SSM is used for blocking certain file types coming into the network inbound. Well, that's how I've configured it in the past. Thanks
  6. soll

    How can block HTTPS traffic on ASA CSC SSM20

    Hi, do you mean that you want to block outgoing access to HTTPS websites?
  7. soll

    Router as a bridge, need help

    Hi, try applying your ACL inbound on R1, rather than R2. Can you ping the outside interface of R1? I'm assuming you have put static routes in place on all 3 routers? HTH
  8. soll

    site to site vpn help

    Hi, my understanding is this: the phase 1 process is, as you say, used to bring the tunnel up, so the public/private keys are exchanged between the 2 peers, and the two peers authenticate using the PSK or certificates etc. Phase 2 is used to actually encrypt the data (DES, 3DES, AES), pass it through the tunnel and ensure that the data has not been changed in transit (that's where hashing comes in: MD5 or SHA1). Guys, please feel free to correct me or add anything to this. HTH
  9. soll

    VPN question

    Hi, first you will need to set up phase 1 IKE: encryption, authentication and either PSK or certificates. This has to match on both ends.

        isakmp policy 20 authentication pre-share
        isakmp policy 20 encryption 3des
        isakmp policy 20 group 2
        isakmp policy 20 hash sha
        isakmp key test address remote peer

    Then create a transform set or use an existing one. This has to be the same on both sides:

        crypto ipsec transform-set SHA-3DES esp-sha-hmac esp-3des

    Then create phase 2. In this case the name of the crypto map is CRYPTO_VPN with a priority of 20, so you just replace it with your crypto map name and give it a priority, as you can only have one crypto map assigned to the outside interface.

        crypto map CRYPTO_VPN 20 ipsec-isakmp
        crypto map CRYPTO_VPN 20 set peer remote peer IP
        crypto map CRYPTO_VPN 20 match address ACL_VPN_SKL    (this is the ACL of the interesting traffic you want to protect)
        crypto map CRYPTO_VPN 20 set transform-set SHA-3DES

    In ASA you can also use the tunnel-group command to achieve the above. HTH
  10. soll

    VPN question

    laff the prob was this: although I entered the same security command, I didn't add the remote subnet 192.168.3.0/24 in the Split Tunnel ACL on the ASA. All working now, thanks for your help
  11. soll

    VPN question

    No joy with that. Here is ACL protecting L2L on ASA:

        access-list acl_vpn_DC line 3 extended permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0 (hitcnt=1)

    (not going up when trying to initiate telnet to remote host)

    Here is NONAT on ASA:

        access-list no-nat line 13 extended permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0

    Here is sh route command on ASA (once remote user has VPN'd in):

        S 192.168.10.2 255.255.255.255 [1/0] via 81.x.x.x, outside

    Here is ACL protecting L2L on PIX (remote site):

        access-list acl_vpn_NO line 3 permit ip 192.168.3.0 255.255.255.0 192.168.10.0 255.255.255.0 (hitcnt=44)

    (at least this is going up)

    Here is NONAT on PIX:

        access-list no-nat line 4 permit ip 192.168.3.0 255.255.255.0 192.168.10.0 255.255.255.0 (hitcnt=0)

    Here is sh route on remote PIX:

        outside 0.0.0.0 0.0.0.0 80.x.x.x 1 OTHER static
  12. soll

    VPN question

    I've exempted 192.168.10.0/24 to 192.168.3.0/24 from NAT and also the other way, 192.168.3.0/24 to 192.168.10.0/24, from NAT! Just a wild guess: do I need to apply the same-security-traffic permit intra-interface command to the ASA at all?
  13. soll

    VPN question

    laf just to add: tunneled traffic between 192.168.1.0 and 192.168.3.0 is fine (so the L2L is working for sure). There is only one router at the remote location, which has a static route for 192.168.10.0/24 via the inside interface of the PIX, 192.168.3.20. This is really weird!
  14. soll

    VPN question

    Hi guys, still no joy with this. I can VPN into the ASA no prob and get assigned an IP of 192.168.10.2/24. I can access all resources behind the ASA (on the 192.168.1.0/24 network) without any issues. The problem comes when I try to access resources on the 192.168.3.0/24 network, which is sat behind a PIX (at a remote location), and we have a L2L VPN between the 2 sites. So far: I have added no-nat between 192.168.10.0 to 192.168.3.0 and vice versa; I have added 192.168.10.0 to the ACL protecting traffic between the L2L and the remote network behind the PIX (192.168.3.0/24) and vice versa; the default route on both ASA and PIX goes out via the outside interface. Any ideas? Thanks
  15. soll

    VPN question

    Laf the RA is running on the ASA. So users VPN into the ASA, then from there I want them to access web services (via the L2L VPN) which are behind the PIX. I've tried your suggestion like this on the ASA: I've added a static route (192.168.10.0/24, which is the subnet assigned to the RA users) to go through the outside interface, e.g.

        route outside 192.168.10.0 255.255.255.0 81.xxx.xxx.xxx

    I've also added the following to the ACL which protects the L2L VPN:

        access-list acl_l2l_vpn permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0

    I've done the same but reversed the IPs on the PIX, but I still can't get it to work. Thanks
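Post 9 above stresses that the phase 1 ISAKMP policy and the phase 2 transform set have to match on both peers, and post 2 names a policy or PSK mismatch as the usual reason a tunnel stalls in phase 1. The following script is an added example, not code from the forum poster or from Cisco: it parses the one-line PIX/ASA forms of `isakmp policy` and `crypto ipsec transform-set` from two peers' config excerpts and reports exactly which attributes differ. The sample configs (HUB, SPOKE) are constructed for the demonstration, the IOS block-style `crypto isakmp policy` syntax is not handled, and pre-shared keys are not compared because they do not appear in config text.

```python
"""Compare IKE phase 1 policies and IPsec transform sets of two peers.

Added example, not from the forum post. Parses 'isakmp policy <n> <attr> <value>'
and 'crypto ipsec transform-set <name> <transforms...>' lines (PIX/ASA one-line
form) from each peer's config excerpt and reports the attributes that differ.
'isakmp key ...' lines are skipped: a PSK mismatch must still be checked by hand.
"""
import re

# IKE lifetime is deliberately excluded: peers agree on the lower value,
# so it does not have to match for phase 1 to succeed.
PHASE1_ATTRS = ("authentication", "encryption", "hash", "group")


def parse_isakmp_policies(config):
    """Return {priority: {attr: value}} from 'isakmp policy <n> <attr> <value>' lines."""
    policies = {}
    for line in config.splitlines():
        m = re.match(r"\s*isakmp policy (\d+) (\S+) (\S+)", line)
        if m:
            prio, attr, value = m.groups()
            policies.setdefault(int(prio), {})[attr] = value
    return policies


def parse_transform_sets(config):
    """Return {name: frozenset(transforms)}; the order of esp-* keywords does not matter."""
    sets = {}
    for line in config.splitlines():
        m = re.match(r"\s*crypto ipsec transform-set (\S+) (.+)", line)
        if m:
            name, transforms = m.groups()
            sets[name] = frozenset(transforms.split())
    return sets


def phase1_match(local, remote):
    """(True, (local_prio, remote_prio)) on the first full match in priority order,
    else (False, [(local_prio, remote_prio, [mismatched attrs]), ...]).
    Attributes absent from a policy compare as None; platform defaults (which
    differ between IOS and ASA) are not filled in by this example."""
    diffs = []
    for lp, la in sorted(local.items()):
        for rp, ra in sorted(remote.items()):
            bad = [a for a in PHASE1_ATTRS if la.get(a) != ra.get(a)]
            if not bad:
                return True, (lp, rp)
            diffs.append((lp, rp, bad))
    return False, diffs


def phase2_match(local, remote):
    """True if some transform set on each side proposes the same transforms; names may differ."""
    return any(l == r for l in local.values() for r in remote.values())


def check_peers(local_cfg, remote_cfg):
    """Run both checks and return a dict a troubleshooting script can act on."""
    p1_ok, p1_detail = phase1_match(parse_isakmp_policies(local_cfg),
                                    parse_isakmp_policies(remote_cfg))
    p2_ok = phase2_match(parse_transform_sets(local_cfg),
                         parse_transform_sets(remote_cfg))
    return {"phase1": p1_ok, "phase1_detail": p1_detail, "phase2": p2_ok}


# Constructed sample: the hub uses the policy from the post; the spoke was typed with hash md5.
HUB = """
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 group 2
isakmp policy 20 hash sha
isakmp key test address 203.0.113.2
crypto ipsec transform-set SHA-3DES esp-sha-hmac esp-3des
"""

SPOKE = """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 group 2
isakmp policy 10 hash md5
isakmp key test address 203.0.113.1
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
"""

if __name__ == "__main__":
    print(check_peers(HUB, SPOKE))
```

Run against the constructed sample, the report shows phase 1 failing on `hash` only (the spoke proposes md5 where the hub wants sha) while phase 2 is fine, since `esp-3des esp-sha-hmac` and `esp-sha-hmac esp-3des` are the same proposal under different names. Fixing the spoke's hash line makes policy 20 on the hub pair with policy 10 on the spoke.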
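Posts 11 to 15 above work through the classic hub-and-spoke problem: remote-access users (the 192.168.10.0/24 pool) terminate on the ASA and need to reach 192.168.3.0/24 behind a PIX over the existing L2L tunnel, and the poster is checking crypto ACLs, NAT exemption and (in post 12) whether `same-security-traffic permit intra-interface` is needed. The script below is an added example, not code from the forum poster or from Cisco: it parses ASA/PIX `access-list ... permit ip` lines (subnet/mask form only; `host` and `any` entries are not handled) and checks that the two crypto ACLs are mirror images, that each crypto-protected pair is also NAT-exempt on the same box, and that the hub has the intra-interface hairpin enabled when the RA pool is one of the protected networks (the RA clients and the L2L peer both sit on the outside interface, so that traffic enters and leaves the same interface). The hub and spoke configs are constructed for the demonstration; the ACL names follow the ones quoted in post 11.

```python
"""Mirror-check L2L crypto ACLs and NAT exemption between an ASA hub and a PIX spoke.

Added example, not from the forum thread. Checks the three things that most often
keep a given network pair from being carried over the tunnel:
  1. the crypto ACLs on the two peers are mirror images of each other,
  2. every crypto-protected pair is also NAT-exempt on the same device,
  3. when the remote-access pool is a protected network, the hub has
     'same-security-traffic permit intra-interface' (outside-to-outside hairpin).
"""
import ipaddress
import re

# Matches 'access-list NAME [line N] [extended] permit ip SRC MASK DST MASK ...'
ACL_RE = re.compile(
    r"access-list (\S+)(?: line \d+)?(?: extended)? permit ip "
    r"(\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)"
)

HAIRPIN_CMD = "same-security-traffic permit intra-interface"


def parse_acl(config, name):
    """Return {(src_net, dst_net)} for the permit-ip entries of ACL `name`."""
    pairs = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == name:
            src = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
            dst = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}")
            pairs.add((src, dst))
    return pairs


def diagnose(hub_cfg, spoke_cfg, hub_crypto, hub_nonat, spoke_crypto, spoke_nonat, ra_pool):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings = []
    hc, hn = parse_acl(hub_cfg, hub_crypto), parse_acl(hub_cfg, hub_nonat)
    sc, sn = parse_acl(spoke_cfg, spoke_crypto), parse_acl(spoke_cfg, spoke_nonat)
    # 1. crypto ACLs must mirror: (A,B) on the hub needs (B,A) on the spoke and vice versa
    for s, d in sorted(hc):
        if (d, s) not in sc:
            findings.append(f"spoke crypto ACL lacks mirror of {s} -> {d}")
    for s, d in sorted(sc):
        if (d, s) not in hc:
            findings.append(f"hub crypto ACL lacks mirror of {s} -> {d}")
    # 2. anything the crypto map protects must also be exempt from NAT on that device
    for s, d in sorted(hc - hn):
        findings.append(f"hub NAT exemption missing {s} -> {d}")
    for s, d in sorted(sc - sn):
        findings.append(f"spoke NAT exemption missing {s} -> {d}")
    # 3. RA-pool sources leave via the same outside interface they arrived on
    pool = ipaddress.ip_network(ra_pool)
    if any(s.subnet_of(pool) for s, _ in hc) and HAIRPIN_CMD not in hub_cfg:
        findings.append(f"hub needs '{HAIRPIN_CMD}' for RA-to-L2L traffic")
    return findings


# Constructed sample: hub ASA protects LAN and RA pool towards the spoke, no hairpin line.
HUB_ASA = """
access-list acl_vpn_DC line 1 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0 (hitcnt=120)
access-list acl_vpn_DC line 2 extended permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0 (hitcnt=1)
access-list no-nat line 1 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list no-nat line 2 extended permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0
"""

# Constructed sample: spoke PIX mirrors the crypto ACL but its no-nat list forgot the RA pool.
SPOKE_PIX = """
access-list acl_vpn_NO line 1 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=300)
access-list acl_vpn_NO line 2 permit ip 192.168.3.0 255.255.255.0 192.168.10.0 255.255.255.0 (hitcnt=44)
access-list no-nat line 1 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
"""

SPOKE_FIX = "access-list no-nat line 2 permit ip 192.168.3.0 255.255.255.0 192.168.10.0 255.255.255.0\n"


def run_sample():
    """Findings for the constructed, still-broken pair of configs."""
    return diagnose(HUB_ASA, SPOKE_PIX, "acl_vpn_DC", "no-nat", "acl_vpn_NO", "no-nat", "192.168.10.0/24")


def run_sample_fixed():
    """Findings after adding the hairpin command on the hub and the missing no-nat line on the spoke."""
    return diagnose(HAIRPIN_CMD + "\n" + HUB_ASA, SPOKE_PIX + SPOKE_FIX,
                    "acl_vpn_DC", "no-nat", "acl_vpn_NO", "no-nat", "192.168.10.0/24")


if __name__ == "__main__":
    for f in run_sample():
        print("FINDING:", f)
    print("after fix:", run_sample_fixed() or "clean")
```

On the constructed sample the crypto ACLs already mirror, so the only findings are the missing NAT exemption on the spoke for 192.168.3.0/24 to 192.168.10.0/24 and the absent hairpin command on the hub; adding both yields an empty findings list. A non-zero `hitcnt` on the spoke's crypto ACL with zero on its no-nat entry, as in post 11, is exactly the symptom this second check is meant to catch.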