IPSEC Tunnel Fails 2x2921

I tried putting a routing statement but no change.  NO PRIVATE INFO: I'll change the crypto key once I get this working.

ip route 192.168.175.0 255.255.255.0 192.168.176.1

ip route 192.168.176.0 255.255.255.0 192.168.175.1
!!!@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ SITE 1 @@@@@@@@@@@@@@@@@@@@@@@@!!!!
localrtr#sh run
hostname localrtr
boot-start-marker
boot-end-marker
enable secret 5 $1$A3Kg$TZeqZI6QF3r.S4nu80fZJ1
no aaa new-model
!
ip domain name mydomain.com
ip cef
!
multilink bundle-name authenticated
username cisco privilege 0 password 7 05190900355E41060D
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key firewallcx address 192.168.168.236
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.168.236
 set transform-set TS
 match address VPN_TRAFFIC
!
interface GigabitEthernet0/0
 description OUTSIDE
 ip address 192.168.168.235 255.255.255.0
 duplex auto
 speed auto
 crypto map CMAP
!
interface GigabitEthernet0/1
 description INSIDE
 ip address 192.168.175.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 description MGNT_10_10_10_15
 switchport access vlan 200
 no ip address
!
interface Vlan200
 ip address 10.10.10.15 255.255.255.224
!
ip access-list extended VPN_TRAFFIC
 …

Trying to get VRF forwarding on an interface in Cisco IOS 15.4.  We currently have a router with 15.2 and have no trouble with it:

interface FastEthernet0/0/3
 switchport access vlan 3
 ip vrf forwarding INTERNAL
 no ip address


But when I try to configure this on the 15.4 router, I get an error:

Test(config)#int f0/1/3
Test(config-if)#ip vrf forwarding INTERNAL
                   ^
% Invalid input detected at '^' marker.

Test(config-if)#


IP vrf isn't an option:
Test(config-if)#ip ?
Interface IP configuration subcommands:
  address     Set the IP address of an interface
  admission   Apply Network Admission Control
  auth-proxy  Apply authentication proxy
  ddns        Configure dynamic DNS
  device      IP device tracking
  dhcp        Configure DHCP parameters for this interface
  igmp        IGMP interface commands
  rsvp        RSVP Interface Commands

Test(config-if)#ip



I do have vrf configured in the global:

ip vrf INTERNAL
 description Trusted Network
 rd xxxxx:10
!
ip vrf INTERNET
 description Internet Traffic
 rd xxxxx:20
 inter-as-hybrid


Any ideas what I'm missing here?

We use Cisco StealthWatch and are disturbed at some of the activity we're seeing.

What's the best technique to research large downloads/uploads from a particular IP address, such as:  168.62.9.111 transferring 3 gigs?

Per https://myip.ms/info/whois/168.62.9.111 , I see this is registered to Microsoft so I don't think it's malicious.

The only IP's I've been able to figure out so are:
OneDrive:                   13.107.136.9
Windows Update:     13.107.4.50

Is there good site that knows what IPs microsoft uses and for what purpose?

Thanks,
Mike

Hello experts,

I am at a site and they use cisco WLC 5500 wireless controller and they have defined all the SSIDs , one of the SSID is the guest and I am checking the interface defined and it is clearly showing that it is on VLAN 50 the IP of the interface is given, plus the gateway which is same as the primary DHCP 10.20.10.1.

I checked the core switch and there is VLAN 50 but just the vlan is defined but there is no SVI for vlan 50 and there are no DHCP services on the core, I checked the Microsoft servers and I do not see the scope for vlan 50. I am wondering how the clients are getting a dhcp IP when they access the guest SSID. I can not find this gateway or primary DHCP 10.20.10.1

This client also uses cisco ISE, I have access to the cisco ISE but it uses different IP and I do have access to it but I am not getting clarity on this network, Any suggestions on how to find this dhcp server or service will be great help.

Hi,
Can someone please help me understand how a certificate works on a firewall. The concept and how the firewalls authenticate certs.
The scenario is a Fortigate 100d with a cisco ASA (3rd party) Certificate based VPN.

We have setup a tunnel however i don't see many logs due to firewall in shared datacentre managed external. However they do not support certificate based VPN tunnels.
We initially setup on pre shared key and was fine. So we know all the other settings are correct.

We have created a CSR on the fortigate and completed this with a CA "Digicert" we have loaded the cert into the firewall (Fortigate using web gui) We have received the Certificate Authority (Go Daddy from external 3rd party and installed these. Now remote_Cert1 2 etc.
We have setup the VPN tunnel to use the Peer certificate and pointed to 1 of the Go Daddy Remote-Certs. No option on a Fortigate to use 2 certs.

The info we are getting from the Cisco side debug is as follows

IPSEC An inbound LAN to LAN SA xxx between IP and IP (user==IP has been created
same and outbound LAN to LAN created
AAA retrieved default group policy IP for user =IP
local remote connection established. then it say an IPSEC inbound/outbound LAN to LAN has been deleted.

The CIsco (3rd party side have no experience on Fortigate( they are seeing a message saying our certificate has been successfully validated SN x subject name CN = company etc.

The tunnel won't come up on the fortigate. So any info on …

Anyone have any experience with Cisco Cloud Email Security with the AMP add-on? We are currently using Office 365 for email and are looking for a more robust email security platform.

The Cisco solution is one we are looking into, does anyone else have any experience with any others or would be able to make any recommendations?

If you have used Cisco CES, how is it working out? Is there a big difference vs Office 365's built in security features?

We are currently using a Meraki MX84 for VPN.  It connects to our Active Directory to authenticate users.
I am setting up a Duo Authentication Proxy to tie into my Meraki MX84 so I can have Multi-Factor Authentication on my VPN.  The Duo Auth Proxy is asking for a Radius Secret from the Meraki.  I am not sure where to setup the connection on the Meraki side.  Am I setting up sign in with my Radius Server under Access control?

I have a new Cisco ASA 5506x and am having difficulty setting up remote management.

SSH on the outside address will work, and is set to accept connection from only specific IPs.  However, I would like to be able to use ASDM from outside as well. (My IOS skills suck.) Using the same IPs as the ssh command does not work, and the client gets a "unable to launch device manager from ..."  

I have Anyconnect VPN working as well, and when connected, I can ping all addresses on the inside network, including the management IP. (same as gateway address) Device is configured to use inside address 10.0.12.0/24, and VPN pool is 10.0.13.0/24.  

I have ' management-access inside'  entered in the configuration, and yes when a PC is connected to the inside ports, the ASDM will come up and run as expected.

I think what is killing this is the default configuration now comes with all the ports on the device (less 'outside') are joined to a bridged network that is by default BVI1. All remaining interfaces are given the nameif of 'inside-1' thru 'inside-7'. To make http work on the inside ports requires adding lines 'http 10.0.12.0 255.255.255.0 inside-1' thru ...inside-7.  If I add 'http 10.0.12.0 255.255.255.0 inside' or http 10.0.13.0 255.255.255.0 inside' it barks at me that this is an 'ambiguous command'.  (same thing if trying to add BVI1) So clearly it wants to reference something that is a physical connection instead of a virtual object.  Problem is that the only other options …

Hi,
I need your advice about this scenario. I have to configure cisco ASA and Fortigate firewalls to bring High Avalaibilty to my headquater. Is it possible? How can I do it?

Thanks,

Best Regards,
Aristide Akaffou

Just found out that Cisco ASA does not make layer 2 tunnels :-(  Does anyone have a recommendations for what device(s) to use?
**** What license do I need to configuring Layer 2 Tunneling Protocol (L2TP) over IPSec on a 2921? **** FOUND IT: DATA = MPLS, BFD, RSVP, L2VPN, L2TPv3, IP-SLA
.
1) NAT overload the ISP IP for outgoing Internet traffic
2) Port map outside customers into the local network to access servers (https, scp)
3) make layer 2 tunnels out to remote sites (using static ISP IP addresses)

I'd prefer to use only 2921 routers but I can use a FW<->RTR combination....

I got the following error While trying to install Cisco AnyConnect Secure Mobility Client Version 4.7.00136 predeploy. "There is a problem with this Windows Installer package. A program run as a part of the setup did not finish as expected. contact your support personnel or package vendor".

i am trying to install this on Windows 10 Version 1803 OS build 17134.441

Your help is greatly appreciated.

Inherited a Cisco ASA and I have an IPSec tunnel configured and working great, however, I am trying to figure out which hosts are using this tunnel

Since the tunnel is encrypted, I can not seem to capture any packets

I see the peer ip for the tunnel, and the destination being the outside public ip of the ASA,  it need to the the host that is initiating this tunnel

Appreciate any insights, thanks

If I have two SIP routes - model 2951 ISRs CUBE - and you want call manager to
failover if one of them can't complete a call - what is required? We currently have
a SIP trunk to one ISR (and the ISR has a TIP trunk to our call center). For redundancy
we want to add a second ISR/SIP Trunk. But the second should only be used in the
event that the SIP peering on the primary goes down. Advice appreciated.