[c-nsp] ASA5520 to Pix can't bring up IPSEC L2L tunnel

Michael K. Smith - Adhost mksmith at adhost.com
Thu Sep 3 13:57:59 EDT 2009


Hello Scott:

That error is something not matching up in the Phase 1 portion.  You
should look at the ISAKMP values on both sides to make sure they match.
Including, but not limited to, proposals, session key, lifetime values,
DH Group, etc.  

Regards,

Mike

--
Michael K. Smith - CISSP, GISP
Chief Technical Officer - Adhost Internet LLC mksmith at adhost.com
w: +1 (206) 404-9500 f: +1 (206) 404-9050
PGP: B49A DDF5 8611 27F3  08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)


> -----Original Message-----
> From: Scott Granados [mailto:gsgranados at comcast.net]
> Sent: Thursday, September 03, 2009 10:41 AM
> To: Michael K. Smith - Adhost
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] ASA5520 to Pix can't bring up IPSEC L2L tunnel
> 
> Hi Mike and others, still no love.  I wanted to confirm I made the NAT
> entries properly.  I used the example on Cisco.com for the ASA and l2l
> +
> clients as an example.
> 
> 
> Here are the important bits
> 
> global (outside) 1 206.x.x.234
> nat (inside) 0 access-list nonat
> nat (inside) 1 0.0.0.0 0.0.0.0
> 
> And nonat acl
> 
> access-list nonat extended permit ip 10.1.0.0 255.255.0.0 10.18.14.0
> 255.255.255.0
> access-list nonat extended permit ip 10.11.0.0 255.255.0.0 10.18.14.0
> 255.255.255.0
> access-list nonat extended permit ip 10.64.0.0 255.255.0.0 10.18.14.0
> 255.255.255.0
> access-list nonat extended permit ip 10.66.0.0 255.255.0.0 10.18.14.0
> 255.255.255.0
> access-list nonat extended permit ip 141.11.0.0 255.255.0.0 10.18.14.0
> 255.255.255.0
> access-list nonat extended permit ip 192.168.122.0 255.255.255.192
> 10.18.14.0 255.255.255.0
> access-list nonat extended permit ip 157.254.0.0 255.255.0.0
10.18.14.0
> 255.255.255.0
> access-list nonat extended permit ip host 216.x.x.196 10.18.14.0
> 255.255.255.0
> access-list nonat extended permit ip 10.18.0.0 255.255.255.0
10.18.14.0
> 255.255.255.0
> access-list nonat extended permit ip 10.18.1.0 255.255.255.0
10.18.14.0
> 255.255.255.0
> access-list nonat extended permit ip 10.18.2.0 255.255.255.0
10.18.14.0
> 255.255.255.0
> access-list nonat extended permit ip 10.18.3.0 255.255.255.0
10.18.14.0
> 255.255.255.0
> access-list nonat extended permit ip 10.18.4.0 255.255.255.0
10.18.14.0
> 255.255.255.0
> access-list nonat extended permit ip 10.18.5.0 255.255.255.0
10.18.14.0
> 255.255.255.0
> access-list nonat extended permit ip 10.18.6.0 255.255.255.0
10.18.14.0
> 255.255.255.0
> access-list nonat extended permit ip 10.18.7.0 255.255.255.0
10.18.14.0
> 255.255.255.0
> access-list nonat extended permit ip 10.18.8.0 255.255.255.0
10.18.14.0
> 255.255.255.0
> access-list nonat extended permit ip 10.18.9.0 255.255.255.0
10.18.14.0
> 255.255.255.0
> access-list nonat extended permit ip 10.18.10.0 255.255.255.0
> 10.18.14.0
> 255.255.255.0
> access-list nonat extended permit ip 10.18.15.0 255.255.255.0
> 10.18.14.0
> 255.255.255.0
> access-list nonat extended permit ip 10.15.0.0 255.255.0.0 10.18.14.0
> 255.255.255.0
> access-list nonat extended permit ip 10.32.0.0 255.240.0.0 10.18.14.0
> 255.255.255.0
> access-list nonat extended permit ip 192.168.255.0 255.255.255.0
> 10.18.14.0
> 255.255.255.0
> access-list nonat extended permit ip 172.30.0.0 255.255.0.0 10.18.14.0
> 255.255.255.0
> access-list nonat extended permit ip 10.18.11.0 255.255.255.0
> 10.18.14.0
> 255.255.255.0
> access-list nonat extended permit ip 10.18.12.0 255.255.255.0
> 10.18.14.0
> 255.255.255.0
> access-list nonat extended permit ip 10.18.13.0 255.255.255.0
> 10.18.14.0
> 255.255.255.0
> access-list nonat extended permit ip 10.18.16.0 255.255.255.0
> 10.18.14.0
> 255.255.255.0
> access-list nonat extended permit ip 10.1.192.0 255.255.255.0
> 10.18.14.0
> 255.255.255.0
> access-list nonat extended permit ip 10.1.224.0 255.255.255.0
> 10.18.14.0
> 255.255.255.0
> access-list nonat extended permit ip 10.1.225.0 255.255.255.0
> 10.18.14.0
> 255.255.255.0
> access-list nonat extended permit ip 10.1.226.0 255.255.255.0
> 10.18.14.0
> 255.255.255.0
> access-list nonat extended permit ip 10.1.227.0 255.255.255.0
> 10.18.14.0
> 255.255.255.0
> access-list nonat extended permit ip 10.1.228.0 255.255.255.0
> 10.18.14.0
> 255.255.255.0
> access-list nonat extended permit ip 10.1.229.0 255.255.255.0
> 10.18.14.0
> 255.255.255.0
> access-list nonat extended permit ip 10.1.230.0 255.255.255.0
> 10.18.14.0
> 255.255.255.0
> access-list nonat extended permit ip 10.1.0.0 255.255.0.0 10.18.15.0
> 255.255.255.192
> access-list nonat extended permit ip 10.11.0.0 255.255.0.0 10.18.15.0
> 255.255.255.192
> access-list nonat extended permit ip 10.64.0.0 255.255.0.0 10.18.15.0
> 255.255.255.192
> access-list nonat extended permit ip 10.66.0.0 255.255.0.0 10.18.15.0
> 255.255.255.192
> access-list nonat extended permit ip 141.11.0.0 255.255.0.0 10.18.15.0
> 255.255.255.192
> access-list nonat extended permit ip 192.168.122.0 255.255.255.192
> 10.18.15.0 255.255.255.192
> access-list nonat extended permit ip 157.254.0.0 255.255.0.0
10.18.15.0
> 255.255.255.192
> access-list nonat extended permit ip host 216.x.x.196 10.18.15.0
> 255.255.255.192
> access-list nonat extended permit ip 10.18.0.0 255.255.255.0
10.18.15.0
> 255.255.255.192
> access-list nonat extended permit ip 10.18.1.0 255.255.255.0
10.18.15.0
> 255.255.255.192
> access-list nonat extended permit ip 10.18.2.0 255.255.255.0
10.18.15.0
> 255.255.255.192
> access-list nonat extended permit ip 10.18.3.0 255.255.255.0
10.18.15.0
> 255.255.255.192
> access-list nonat extended permit ip 10.18.4.0 255.255.255.0
10.18.15.0
> 255.255.255.192
> access-list nonat extended permit ip 10.18.5.0 255.255.255.0
10.18.15.0
> 255.255.255.192
> access-list nonat extended permit ip 10.18.6.0 255.255.255.0
10.18.15.0
> 255.255.255.192
> access-list nonat extended permit ip 10.18.7.0 255.255.255.0
10.18.15.0
> 255.255.255.192
> access-list nonat extended permit ip 10.18.8.0 255.255.255.0
10.18.15.0
> 255.255.255.192
> access-list nonat extended permit ip 10.18.9.0 255.255.255.0
10.18.15.0
> 255.255.255.192
> access-list nonat extended permit ip 10.18.10.0 255.255.255.0
> 10.18.15.0
> 255.255.255.192
> access-list nonat extended permit ip 10.18.15.0 255.255.255.0
> 10.18.15.0
> 255.255.255.192
> access-list nonat extended permit ip 10.15.0.0 255.255.0.0 10.18.15.0
> 255.255.255.192
> access-list nonat extended permit ip 10.32.0.0 255.240.0.0 10.18.15.0
> 255.255.255.192
> access-list nonat extended permit ip 192.168.255.0 255.255.255.0
> 10.18.15.0
> 255.255.255.192
> access-list nonat extended permit ip 172.30.0.0 255.255.0.0 10.18.15.0
> 255.255.255.192
> access-list nonat extended permit ip 10.18.11.0 255.255.255.0
> 10.18.15.0
> 255.255.255.192
> access-list nonat extended permit ip 10.18.12.0 255.255.255.0
> 10.18.15.0
> 255.255.255.192
> access-list nonat extended permit ip 10.18.13.0 255.255.255.0
> 10.18.15.0
> 255.255.255.192
> access-list nonat extended permit ip 10.18.16.0 255.255.255.0
> 10.18.15.0
> 255.255.255.192
> access-list nonat extended permit ip 10.1.192.0 255.255.255.0
> 10.18.15.0
> 255.255.255.192
> access-list nonat extended permit ip 10.1.224.0 255.255.255.0
> 10.18.15.0
> 255.255.255.192
> access-list nonat extended permit ip 10.1.225.0 255.255.255.0
> 10.18.15.0
> 255.255.255.192
> access-list nonat extended permit ip 10.1.226.0 255.255.255.0
> 10.18.15.0
> 255.255.255.192
> access-list nonat extended permit ip 10.1.227.0 255.255.255.0
> 10.18.15.0
> 255.255.255.192
> access-list nonat extended permit ip 10.1.228.0 255.255.255.0
> 10.18.15.0
> 255.255.255.192
> access-list nonat extended permit ip 10.1.229.0 255.255.255.0
> 10.18.15.0
> 255.255.255.192
> access-list nonat extended permit ip 10.1.230.0 255.255.255.0
> 10.18.15.0
> 255.255.255.192
> 
> 
> Two points here.  I defined each as individual /24's to prevent the
> inclusion of the 10.18.14.0/24 range and so we can add or delete
easily
> because we're presently migrating a bit from one 10.x range to
another.
> Also, I doubled up the listings 1 for the destination of 10.18.14.0/24
> which
> is the clients and 10.18.15.0/26 which is a far end site.  Not sure if
> I'm
> heading in the other direction.  The error I received while trying to
> bring
> up the tunnel is unchanged.  "removing peer failed, no match!"
> 
> I did grab some debug output from the Pix side here's the important
bit
> 
> crypto_isakmp_process_block:src:vpnc, dest:208.x.x.98 spt:500 dpt:500
> ISAKMP: reserved not zero on payload 5!
> ISAKMP: malformed payload
> 
> I assume malformed payload means I have something set incorrectly
> during the
> negotiation phase.
> 
> Any pointers would be appreciated.  I will grab more debug data per
the
> other post but this is what I've tried so far.
> 
> Thanks
> Scott
> 
> ----- Original Message -----
> From: "Michael K. Smith - Adhost" <mksmith at adhost.com>
> To: "Scott Granados" <gsgranados at comcast.net>
> Sent: Wednesday, September 02, 2009 11:03 AM
> Subject: RE: [c-nsp] ASA5520 to Pix can't bring up IPSEC L2L tunnel
> 
> 
> Correct.  But you can have multiple statements in your ACL.
> 
> Access-list nonat permit ip 10.18.0.0 255.255.255.0 10.18.15.0
> 255.255.255.192
> Access-list nonat permit ip 10.18.0.0 255.255.255.0 10.18.15.192
> 255.255.255.192
> Access-list nonat permit ip 10.18.0.0 255.255.255.0 10.18.14.0
> 255.255.255.0
> 
> And so on.
> 
> Mike
> 
> --
> Michael K. Smith - CISSP, GISP
> Chief Technical Officer - Adhost Internet LLC mksmith at adhost.com
> w: +1 (206) 404-9500 f: +1 (206) 404-9050
> PGP: B49A DDF5 8611 27F3  08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)
> 
> 
> -----Original Message-----
> From: Scott Granados [mailto:gsgranados at comcast.net]
> Sent: Wednesday, September 02, 2009 11:02 AM
> To: Michael K. Smith - Adhost; Ryan West; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] ASA5520 to Pix can't bring up IPSEC L2L tunnel
> 
> Hi Michael, thanks but one thing I'm not clear on.
> 
> Suppose I have destinations of
> 10.18.15.0/26 10.18.15.192/26 10.18.14.0/24 etc.
> In other words my possible destinations can be different.  If I use
> your
> 
> example what happens if traffic has the proper source but a
destination
> of
> 10.18.15.192/26 or if traffic is destined to a client on
10.18.14.0/24?
> It
> won't match the ACL correct?
> 
> 
> ----- Original Message -----
> From: "Michael K. Smith - Adhost" <mksmith at adhost.com>
> To: "Scott Granados" <gsgranados at comcast.net>; "Ryan West"
> <rwest at zyedge.com>; <cisco-nsp at puck.nether.net>
> Sent: Wednesday, September 02, 2009 10:47 AM
> Subject: RE: [c-nsp] ASA5520 to Pix can't bring up IPSEC L2L tunnel
> 
> 
> Hi Scott:
> 
> No, if you use the no-nat below, *all* traffic from 10.18.0.0/24 will
> not be NAT'd, regardless of the destination.  What you want is:
> 
> Access-list nonat permit ip 10.18.0.0 255.255.255.0 <remote subnet>
> <remote mask>
> 
> In looking at your post below, I think that would be:
> 
> Access-list nonat permit ip 10.18.0.0 255.255.255.0 10.18.15.0
> 255.255.255.192
> 
> I should note that the mask on the remote side for the 10.18.0.0
subnet
> is a /20, not a /24.
> 
> Regards,
> 
> Mike
> 
> --
> Michael K. Smith - CISSP, GISP
> Chief Technical Officer - Adhost Internet LLC mksmith at adhost.com
> w: +1 (206) 404-9500 f: +1 (206) 404-9050
> PGP: B49A DDF5 8611 27F3  08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)
> 
> 
> -----Original Message-----
> From: Scott Granados [mailto:gsgranados at comcast.net]
> Sent: Wednesday, September 02, 2009 10:44 AM
> To: Michael K. Smith - Adhost; Ryan West; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] ASA5520 to Pix can't bring up IPSEC L2L tunnel
> 
> Hi Mike, to follow up on this, I do have existing clients working now.
> For
> the nonat rule would I create a sepperate ACL for each target or would
> a
> 
> basic acl like I use for the split tunneling do the trick?
> 
> either
> access-list ny-vpn extended permit ip 10.18.0.0 255.255.255.0
> 10.18.15.0
> 
> 255.255.255.192
> or would
> access-list nonat standard permit 10.18.0.0 255.255.255.0
> 
> I have several different targets so how would one define that or is
the
> standard ACL enough?
> 
> Thanks for the pointers!
> Scott
> 
> ----- Original Message -----
> From: "Michael K. Smith - Adhost" <mksmith at adhost.com>
> To: "Scott Granados" <gsgranados at comcast.net>; "Ryan West"
> <rwest at zyedge.com>; <cisco-nsp at puck.nether.net>
> Sent: Wednesday, September 02, 2009 10:33 AM
> Subject: RE: [c-nsp] ASA5520 to Pix can't bring up IPSEC L2L tunnel
> 
> 
> Hello Ryan:
> 
> Without the no-nat on the ASA side it will try to NAT the traffic
> before
> putting it down the tunnel.  So, you're remove side is looking for the
> 10. Addresses, but it's going to see traffic coming from the static
> outside, NAT'd address.  Thus, the tunnel won't come up because your
> proposals don't match.
> 
> Mike
> 
> --
> Michael K. Smith - CISSP, GISP
> Chief Technical Officer - Adhost Internet LLC mksmith at adhost.com
> w: +1 (206) 404-9500 f: +1 (206) 404-9050
> PGP: B49A DDF5 8611 27F3  08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)
> 
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
> Sent: Wednesday, September 02, 2009 9:45 AM
> To: Ryan West; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] ASA5520 to Pix can't bring up IPSEC L2L tunnel
> 
> Hi, so right now my Pix in the field is pointing at a VPN 3000 so I
> can't
> take that path down until after hours but I will to capture the debug
> data.
> 
> A show ver on the asa shows device manager V5.0.7
> 
> The field pix shows V6.3
> I have access to both ends so updating the firmware is definitely an
> option.
> Any suggested version?
> 
> On the ASA side I do not have a no nat statement at all.  I never
> configured
> NAT because this device isn't beingused for any features other than a
> VPN
> access device with split tunneling enabled for the clients.
> On the NY pix side the nat config and acl are as follows.
> 
> global (outside) 1 208.x.x.100-208.x.x.115 netmask 255.255.255.224
> global (outside) 1 208.x.x.99 netmask 255.255.255.224
> nat (inside) 0 access-list vpn-1
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> 
> access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.1.0.0
> 255.255.0.0
> access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.18.0.0
> 255.255.240.0
> access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.14.0.0
> 255.254.0.0
> access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 157.254.0.0
> 255.255.0.0
> access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 141.11.0.0
> 255.255.0.0
> access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.11.0.0
> 255.255.0.0
> 
> Thanks
> Scott
> 
> ----- Original Message -----
> From: "Ryan West" <rwest at zyedge.com>
> To: "Scott Granados" <gsgranados at comcast.net>;
> <cisco-nsp at puck.nether.net>
> Sent: Wednesday, September 02, 2009 6:15 AM
> Subject: RE: [c-nsp] ASA5520 to Pix can't bring up IPSEC L2L tunnel
> 
> 
> Scott,
> 
> Can you provide debugs from the ASA, code versions on both devices and
> your
> associated no-nat ACLs?
> 
> Assuming you have nothing else logging to monitor, you can enable
> 'logging
> class vpn monitor debug' and throw up a term mon to gather inbound
> messages
> to the ASA from the PIX side.  You can gather the information on the
> PIX
> 
> with a debug cry isa 2 and then initiate interesting traffic from the
> ASA
> using the following, the more valuable information will be on the
> receiving
> end.  It really doesn't matter which side you enable as the receiver,
> but I
> try to stay away from pre 7.x code on the PIXes.
> 
> packet-tracer input inside icmp 10.1.0.10 8 0 10.18.15.10 detailed
> 
> Phase: 10 or 11 should be subtype encrypt.  If it fails the first
time,
> run
> it again, the negotiation process causes the first packet to fail as
> the
> 
> tunnel is being brought.  This type of traffic will also give you your
> debug
> information and help you figure out where the failure is.
> 
> -ryan
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
> Sent: Tuesday, September 01, 2009 8:29 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] ASA5520 to Pix can't bring up IPSEC L2L tunnel
> 
> Hi, I have a Pix out in the field and an ASA5520 that I'm trying to
> configure to pass L2L traffic.  I keep getting an error that says
> IKEV1 IP=a.b.c.d removing peer from peer table failed, no match
> ip=a.b.c.d unable to remove peer table entry
> 
> What am I doing wrong?
> 
> Here are the important config bits
> 
> asa-5520
> crypto map
> crypto ipsec transform-set vpn-transform1 esp-aes-256 esp-sha-hmac
> crypto ipsec transform-set vpn-transform2 esp-aes-192 esp-md5-hmac
> crypto ipsec transform-set vpn-transform3 esp-3des esp-sha-hmac
> crypto dynamic-map dynmap 10 set transform-set vpn-transform1
> vpn-transform2
> vpn-transform3
> crypto dynamic-map dynmap 10 set reverse-route
> crypto map vpn-ra-map 10 match address ny-vpn-acl
> crypto map vpn-ra-map 10 set peer ny-fw-outside
> crypto map vpn-ra-map 10 set transform-set vpn-transform2
> crypto map vpn-ra-map 10 set reverse-route
> crypto map vpn-ra-map 65535 ipsec-isakmp dynamic dynmap
> crypto map vpn-ra-map interface outside
> 
> ISAKMP
> 
> isakmp enable outside
> isakmp policy 5 authentication pre-share
> isakmp policy 5 encryption aes-256
> isakmp policy 5 hash sha
> isakmp policy 5 group 7
> isakmp policy 5 lifetime 3600
> isakmp policy 10 authentication pre-share
> isakmp policy 10 encryption aes-256
> isakmp policy 10 hash sha
> isakmp policy 10 group 5
> isakmp policy 10 lifetime 3600
> isakmp policy 20 authentication pre-share
> isakmp policy 20 encryption 3des
> isakmp policy 20 hash sha
> isakmp policy 20 group 2
> isakmp policy 20 lifetime 3600
> isakmp policy 30 authentication pre-share
> isakmp policy 30 encryption aes-192
> isakmp policy 30 hash md5
> isakmp policy 30 group 2
> isakmp policy 30 lifetime 28800
> isakmp nat-traversal  20
> isakmp reload-wait
> 
> and the acl
> access-list ny-vpn-acl extended permit ip 10.1.0.0 255.255.0.0
> 10.18.15.0
> 255.255.255.192
> access-list ny-vpn-acl extended permit ip 10.18.0.0 255.255.254.0
> 10.18.15.0
> 255.255.255.192
> access-list ny-vpn-acl extended permit ip 10.14.0.0 255.254.0.0
> 10.18.15.0
> 255.255.255.192
> access-list ny-vpn-acl extended permit ip 157.254.0.0 255.255.0.0
> 10.18.15.0
> 255.255.255.192
> access-list ny-vpn-acl extended permit ip 141.11.0.0 255.255.0.0
> 10.18.15.0
> 255.255.255.192
> access-list ny-vpn-acl extended permit ip 10.11.0.0 255.255.0.0
> 10.18.15.0
> 255.255.255.192
> 
> TUNNEL GROUP
> 
> tunnel-group 208.37.161.98 type ipsec-l2l
> tunnel-group 208.37.161.98 general-attributes
>  tunnel-group 208.37.161.98 ipsec-attributes
>  pre-shared-key *
>  peer-id-validate nocheck
> 
> PIX
> 
> CRYPTO MAP and ISAKMP
> 
> crypto ipsec transform-set set1 esp-aes-192 esp-md5-hmac
> crypto map map1 10 ipsec-isakmp
> crypto map map1 10 match address vpn-1
> crypto map map1 10 set peer vpnc
> crypto map map1 10 set transform-set set1
> crypto map map1 interface outside
> isakmp enable outside
> isakmp key *
>  address vpnc netmask 255.255.255.255
> isakmp policy 20 authentication pre-share
> isakmp policy 20 encryption aes
> isakmp policy 20 hash sha
> isakmp policy 20 group 2
> isakmp policy 20 lifetime 28800
> 
> ACL
> access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.1.0.0
> 255.255.0.0
> access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.18.0.0
> 255.255.240.0
> access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.14.0.0
> 255.254.0.0
> access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 157.254.0.0
> 255.255.0.0
> access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 141.11.0.0
> 255.255.0.0
> access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.11.0.0
> 255.255.0.0
> 
> )note on the ASA I use individual /24's and shortened the ACL for ease
> of
> reasing.  I do this to exclued 10.18.14.0/24 from the tunnels since
> that
> houses the ASA's inside interface and client access)
> 
> Any pointers would be appreciated.
> 
> Thanks
> Scott
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/



More information about the cisco-nsp mailing list