[afnog] Delivery Status Notification (Failure)
Onowojo E.
onowojemma at yahoo.com
Fri Aug 3 22:29:13 UTC 2012
config on router
hostname uuuu
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
enable password class
!
no aaa new-model
memory-size iomem 10
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.43.0.1 10.43.0.50
!
ip dhcp pool class
import all
network 10.43.0.0 255.255.255.0
domain-name class.com
dns-server 10.40.0.6 66.178.2.25
default-router 10.43.0.1
!
!
ip domain name class.com
!
multilink bundle-name authenticated
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
crypto isakmp key @#cgn!abc address #######
!
!
crypto ipsec transform-set war esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to########
set peer ########
set transform-set war
match address 100
!
!
crypto pki trustpoint TP-self-signed-2167060814
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2167060814
revocation-check none
rsakeypair TP-self-signed-2167060814
!
!
!
username cisco privilege 15 secret 5 ########
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/0/0
description #ETH-WANS#
ip address ######.26 255.255.255.248
ip mtu 1400
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
crypto ipsec df-bit clear
!
interface FastEthernet0/1/0
description #FE int to 2nd ETH-LAN#
ip address 10.43.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 ######
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0/0 overload
!
ip access-list extended suf
permit tcp 10.43.0.0 0.0.0.255 any eq www
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.43.0.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.43.0.0 0.0.0.255 10.40.0.0 0.0.255.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 10.43.0.0 0.0.0.255 10.40.0.0 0.0.255.255
access-list 101 permit ip 10.43.0.0 0.0.0.255 any
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
!
control-plane
!
!
line con 0
password class
login local
line aux 0
line vty 0 4
privilege level 15
password edo
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
webvpn cef
!
end
asa
hostname Hop-ASA
domain-name class.com
!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 10.40.129.1 255.255.255.252
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address #####.252 255.255.255.240
!
interface GigabitEthernet0/2
nameif DMZ
security-level 100
ip address 10.40.128.1 255.255.255.0
!
interface GigabitEthernet0/3
nameif CHQWAN
security-level 50
ip address 10.40.129.5 255.255.255.252
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
dns server-group DefaultDNS
domain-name class.com
same-security-traffic permit inter-interface
object network OUTSIDEIP
host #####.252
object network NETWORK_OBJ_10.40.0.0_16
subnet 10.40.0.0 255.255.0.0
object network NETWORK_OBJ_10.45.0.0_24
subnet 10.45.0.0 255.255.255.0
object network NETWORK_OBJ_10.41.0.0_
subnet 10.41.0.0 255.255.255.0
object network NETWORK_OBJ_10.42.0.0_
subnet 10.42.0.0 255.255.255.0
object network NETWORK_OBJ_10.43.0.0_
subnet 10.43.0.0 255.255.255.0
object network NETWORK_OBJ_10.44.0.0_
subnet 10.44.0.0 255.255.255.0
object network NETWORK_OBJ_10.0.0.0_
subnet 10.0.0.0 255.248.0.0
description ben
object network obj-mailsrv_realip
host 10.40.128.2
object network obj-mailsrv_publicip
host 83.229.2.251
object network obj-phone_realip
host 10.40.1.69
object network obj-phone_publicip
host 83.229.2.253
object-group network DM_INLINE_NETWORK_1
network-object 10.41.0.0 255.255.255.0
network-object 10.42.0.0 255.255.255.0
network-object 10.43.0.0 255.255.255.0
network-object 10.44.0.0 255.255.255.0
network-object 10.45.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object 10.41.0.0 255.255.255.0
network-object 10.42.0.0 255.255.255.0
network-object 10.43.0.0 255.255.255.0
network-object 10.44.0.0 255.255.255.0
network-object 10.45.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_3
network-object 10.41.0.0 255.255.255.0
network-object 10.42.0.0 255.255.255.0
network-object 10.43.0.0 255.255.255.0
network-object 10.44.0.0 255.255.255.0
network-object 10.45.0.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq pop2
service-object tcp destination eq pop3
service-object tcp destination eq smtp
service-object tcp destination eq ssh
service-object udp destination eq sip
service-object tcp destination eq h323
object-group network DM_INLINE_NETWORK_5
network-object 10.0.0.0 255.248.0.0
network-object 10.41.0.0 255.255.255.0
network-object 10.42.0.0 255.255.255.0
network-object 10.43.0.0 255.255.255.0
network-object 10.44.0.0 255.255.255.0
network-object 10.45.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_4
network-object object NETWORK_OBJ_10.0.0.0_
network-object object NETWORK_OBJ_10.41.0.0
network-object object NETWORK_OBJ_10.42.0.0
network-object object NETWORK_OBJ_10.43.0.0
network-object object NETWORK_OBJ_10.44.0.0
network-object object NETWORK_OBJ_10.45.0.0
object-group service DM_INLINE_SERVICE_2
service-object tcp destination range 135 netbios-ssn
service-object tcp destination eq 3389
service-object tcp destination eq 445
service-object tcp destination eq ssh
service-object udp destination range 135 139
service-object udp destination eq 445
object-group service DM_INLINE_SERVICE_3
service-object tcp-udp destination eq sip
service-object tcp destination eq ftp
service-object tcp destination eq ftp-data
service-object tcp destination eq h323
object-group network DM_INLINE_NETWORK_6
network-object 10.0.0.0 255.248.0.0
network-object 10.41.0.0 255.255.255.0
network-object 10.42.0.0 255.255.255.0
network-object 10.43.0.0 255.255.255.0
network-object 10.44.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_7
network-object object NETWORK_OBJ_10.0.0.0_
network-object object NETWORK_OBJ_10.40.0.0_16
object-group network DM_INLINE_NETWORK_8
network-object object NETWORK_OBJ_10.0.0.0_
network-object object NETWORK_OBJ_10.41.0.0_
network-object object NETWORK_OBJ_10.42.0.0_
network-object object NETWORK_OBJ_10.43.0.0
network-object object NETWORK_OBJ_10.44.0.0
access-list from_outside extended permit icmp any interface outside
access-list from_outside extended permit object-group DM_INLINE_SERVICE_3 object-group DM_INLINE_NETWORK_1 10.40.0.0 255.255.0.0
access-list from_outside extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_2 10.40.0.0 255.255.0.0
access-list from_outside extended permit ip any any
access-list from_outside extended permit object-group DM_INLINE_SERVICE_2 object-group DM_INLINE_NETWORK_3 10.40.0.0 255.255.0.0
access-list from_outside extended permit icmp any any echo
access-list from_outside extended permit tcp object NETWORK_OBJ_10.0.0.0_ range 3230 3270 object-group DM_INLINE_NETWORK_5
access-list from_outside extended permit tcp object NETWORK_OBJ_10.40.0.0_16 eq h323 object-group DM_INLINE_NETWORK_6
access-list from_outside extended permit udp object-group DM_INLINE_NETWORK_7 range 3230 3277 object-group DM_INLINE_NETWORK_8
access-list outside_cryptomap extended permit ip object NETWORK_OBJ_10.40.0.0_16 object NETWORK_OBJ_10.41.0.
access-list outside_cryptomap_1 extended permit ip object NETWORK_OBJ_10.40.0.0_16 object NETWORK_OBJ_10.43.0
access-list outside_cryptomap_3 extended permit ip object NETWORK_OBJ_10.40.0.0_16 object NETWORK_OBJ_10.42.0.
access-list outside_cryptomap_4 extended permit ip object NETWORK_OBJ_10.40.0.0_16 object NETWORK_OBJ_10.44.0.
access-list outside_cryptomap_5 extended permit ip object NETWORK_OBJ_10.40.0.0_16 object NETWORK_OBJ_10.0.0.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1460
mtu DMZ 1500
mtu CHQWAN 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo inside
icmp permit any echo-reply inside
icmp permit any echo-reply outside
icmp permit any echo outside
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_10.40.0.0_16 NETWORK_OBJ_10.40.0.0_16 destination static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4
nat (DMZ,outside) source static obj-mailsrv_realip obj-mailsrv_publicip
!
nat (inside,outside) after-auto source dynamic NETWORK_OBJ_10.40.0.0_16 interface
route outside 0.0.0.0 0.0.0.0 ####.249 1
route inside 10.40.0.0 255.255.128.0 10.40.129.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 management
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1242
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df outside
crypto map outside_map1 1 match address outside_cryptomap
crypto map outside_map1 1 set peer ####.42
crypto map outside_map1 1 set transform-set ESP-3DES-SHA
crypto map outside_map1 2 match address outside_cryptomap_1
crypto map outside_map1 2 set peer ####.26
crypto map outside_map1 2 set transform-set ESP-3DES-SHA
crypto map outside_map1 4 match address outside_cryptomap_3
crypto map outside_map1 4 set peer ####.202
crypto map outside_map1 4 set transform-set ESP-3DES-SHA
crypto map outside_map1 5 match address outside_cryptomap_4
crypto map outside_map1 5 set peer ####.34
crypto map outside_map1 5 set transform-set ESP-3DES-SHA
crypto map outside_map1 6 match address outside_cryptomap_5
crypto map outside_map1 6 set peer ####.4
crypto map outside_map1 6 set transform-set ESP-DES-SHA
crypto map outside_map1 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 11
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-filter value from_outside
group-policy Policy1 internal
group-policy Policy1 attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy policy2 internal
group-policy policy2 attributes
vpn-tunnel-protocol IPSec
username ##################
tunnel-group ####.42 type ipsec-l2l
tunnel-group ####.42 general-attributes
default-group-policy policy2
tunnel-group ####.42 ipsec-attributes
pre-shared-key *****
tunnel-group ####.26 type ipsec-l2l
tunnel-group ####.26 general-attributes
default-group-policy Policy1
tunnel-group ####.26 ipsec-attributes
pre-shared-key *****
tunnel-group ####.202 type ipsec-l2l
tunnel-group ####.202 general-attributes
default-group-policy Policy1
tunnel-group #### ipsec-attributes
pre-shared-key *****
tunnel-group #### type ipsec-l2l
tunnel-group #### general-attributes
default-group-policy Policy1
tunnel-group #### ipsec-attributes
pre-shared-key *****
tunnel-group #### type ipsec-l2l
tunnel-group #### general-attributes
default-group-policy Policy1
tunnel-group ##### ipsec-attributes
pre-shared-key *****
no tunnel-group-map enable ou
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect ipsec-pass-thru
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:85f5d7fae2b60f34eb6e501fc8a3e2af
: end
asdm image disk0:/asdm-631.bin
no asdm history enable
God be with u all
A true friend is someone who reaches for your hand and touches your heart.
________________________________
From: Seun Ojedeji <seun.ojedeji at gmail.com>
To: afnog at afnog.org
Sent: Friday, August 3, 2012 11:01 PM
Subject: Re: [afnog] Delivery Status Notification (Failure)
Hello Emmanuel,
For some unknown reason my PM to you doesn't get delivered.....so yeah, make it local if the symptom persists...(was about to say consult your doctor :-) ) post your running config....
Cheers!
On Fri, Aug 3, 2012 at 10:56 PM, Mail Delivery Subsystem <mailer-daemon at googlemail.com> wrote:
Delivery to the following recipient failed permanently:
>
> eonowojo at yahoo.com
>
>Technical details of permanent failure:
>Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 554 554 delivery error: dd This user doesn't have a yahoo.com account (eonowojo at yahoo.com) [0] - mta1388.mail.mud.yahoo.com (state 17).
>
>
>----- Original message -----
>
>DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
> d=gmail.com; s=20120113;
> h=mime-version:in-reply-to:references:date:message-id:subject:from:to
> :content-type;
> bh=l9IalKBWsIX2xpcdM5CXG05qX9CWy3GjcFUmBV49fCc=;
> b=ME2L083aKWYeIA++EjFPMz+4QoQ+UL/cTReJCKHN/rFBi28US4j5K687iaPhA06clP
> y2rAMFWDtVlKywSM7eBFrszb+SmfoiU6SNAHE5qrPVT7DdNK0h+o28NZMpfBshL2u6DH
> Ak6puWSVaMJVCswAiC58zV6gq0sZpz5X8vuu5x19e8fv0NhEAGgJpeYjsZtlPCe7T4qp
> zAZi1LhntdOULHDHc6Owq8VTTCJRSgmcsxJBIeDrdXjvI1Q4VSB/arXmx/wDfBUPT6AA
> +9Kz32MnVV7N0cbmjizdQ197wSRn/xSF+4uwmo1BgWCgdiOz2VRfWkdZfqEMb1o22fzy
> ZvgQ==
>MIME-Version: 1.0
>Received: by 10.204.128.65 with SMTP id j1mr1216589bks.93.1344030999482; Fri,
> 03 Aug 2012 14:56:39 -0700 (PDT)
>Received: by 10.204.225.133 with HTTP; Fri, 3 Aug 2012 14:56:39 -0700 (PDT)
>In-Reply-To: <1344029570.67538.YahooMailNeo at web140702.mail.bf1.yahoo.com>
>
>References: <4059366D-34BE-4484-8583-CE4A957D7ABC at gmail.com>
> <AAABB2DA-8DC9-4333-9CD7-9D12098B23BC at afrinic.net>
> <CAD_dc6hMYZ+yJ79FLmkr8oj4SwO5zUaTNBijoJMh2XgSY_vWQg at mail.gmail.com>
> <1344027080.42580.YahooMailNeo at web140701.mail.bf1.yahoo.com>
> <CAD_dc6im5e+4pQq+WS8O4QvNMpWKoFZmSn4ujAgNfopUMMufxQ at mail.gmail.com>
> <1344029570.67538.YahooMailNeo at web140702.mail.bf1.yahoo.com>
>Date: Fri, 3 Aug 2012 22:56:39 +0100
>Message-ID: <CAD_dc6iGxrwk=rR75KjFS-zcV=LLQOp63o4E0LZXah-0Wb6W+Q at mail.gmail.com>
>
>Subject: Re: [afnog] VPN mtu
>
>From: Seun Ojedeji <seun.ojedeji at gmail.com>
>To: "Onowojo E." <eonowojo at yahoo.com>
>Content-Type: multipart/alternative; boundary=0015174be3024a90c404c6639a2c
>
>
>Hello Emma,
>On Fri, Aug 3, 2012 at 10:32 PM, Onowojo E. <onowojemma at yahoo.com> wrote:
>
>> Thanks for your reply Seun, I did it on the interface connecting to the
>> Internet (outside interface)
>>
>Could you run it on your local interface.
>
>Cheers!
>
>>
>
>> *God be with u all*
>> *A true friend is someone who reaches for your hand and touches your heart
>> *.
>>
>> ------------------------------
>> *From:* Seun Ojedeji <seun.ojedeji at gmail.com>
>> *To:* Onowojo E. <eonowojo at yahoo.com>
>> *Cc:* Nigeria Nog <afnog at afnog.org>
>> *Sent:* Friday, August 3, 2012 10:26 PM
>>
>> *Subject:* Re: [afnog] VPN mtu
>
>>
>> Hello Emmanuel,
>>
>> On which interface did you do the reduction? Trust it's on the local side
>> of the link? And you used something similar to below:
>>
>> ip tcp adjust-mss 1300
>>
>> Perhaps you could check the packet size that goes through and then configure
>> with that. You can use the following (I am using Debian): ping <other side
>> url> -s 1300 (increase or reduce the MTU until you get a perfect one and
>> then apply the command above)
>>
>> Cheers!
>> On Fri, Aug 3, 2012 at 9:51 PM, Onowojo E. <onowojemma at yahoo.com> wrote:
>>
>> Hello all,
>> I just configured an IPsec site-to-site VPN between an ASA and a Cisco 2811
>> router using Cisco ASDM and CCP, but the tunnel comes up when I do an
>> extended ping, and after a while it goes down. I tried using Cisco Configuration
>> Professional (CCP) to troubleshoot the link and it brings out this error: "A
>> ping with data size of this VPN interface MTU size and 'Do not Fragment'
>> bit set to the other end VPN device is failing. This may happen if there
>> is a lesser MTU network which drops the 'Do not fragment' packets."
>> CCP suggests I can use crypto ipsec df-bit clear to resolve this or
>> contact our ISP to resolve it.
>> I have reduced the MTU on the ASA and the router to 1300, 1460, 1400 and
>> 1480, but still the network is slow and the tunnel will just go off when
>> more users use the network and the tunnel goes down.
>
--
------------------------------------------------------------------------
Seun Ojedeji,
Federal University Oye-Ekiti
web: http://www.fuoye.edu.ng
Mobile: +2348035233535
alt email: seun.ojedeji at fuoye.edu.ng
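The thread above turns on two things: finding the real path MTU between the two VPN endpoints by sending DF-set pings of increasing size, and then choosing an inner MTU / TCP MSS small enough that the ESP-encapsulated packet still fits. The following is an added worked example, written for this page and not code from the thread, from Cisco, or from either poster. It implements the probing loop Seun describes as a binary search over a probe callback, and sizes the tunnel from the standard RFC 4303 ESP tunnel-mode overheads (outer IPv4 header, SPI+sequence, CBC IV, block padding, pad-length/next-header trailer, 96-bit HMAC ICV, optional NAT-T UDP header). It goes beyond the thread's 3DES/SHA case by also handling AES-CBC and NAT-T. Assumptions: all function names are my own; the real probe uses iputils `ping -M do` (Linux/Debian), which sets the DF bit that the thread's plain `ping -s 1300` does not; `simulated_probe` is a constructed stand-in path used so the example runs offline.

```python
"""
Added example: size an IPsec site-to-site tunnel's inner MTU / TCP MSS and
locate the path MTU by DF-bit probing. Not from the afnog thread.
"""
import math
import subprocess

# ESP tunnel-mode overhead on IPv4 (protocol facts, RFC 4303):
# outer IPv4 header 20, ESP header (SPI + sequence number) 8,
# truncated HMAC ICV 12 for both SHA1-96 and MD5-96, NAT-T UDP header 8.
# CBC ciphers carry a one-block IV and pad the payload to a whole block.
CIPHERS = {"des": 8, "3des": 8, "aes-cbc": 16}   # block size == IV size
ICV_LEN = {"sha": 12, "md5": 12}                  # truncated HMAC length
OUTER_IP = 20
ESP_HDR = 8
NAT_T_UDP = 8
PAD_TRAILER = 2          # pad-length + next-header bytes
ICMP_ECHO_HDR = 28       # IPv4 header 20 + ICMP echo header 8 (ping -s excludes these)


def esp_outer_size(inner_len, cipher="3des", integ="sha", nat_t=False):
    """Bytes on the wire for an inner IP packet of inner_len bytes."""
    block = CIPHERS[cipher]
    padded = math.ceil((inner_len + PAD_TRAILER) / block) * block
    size = OUTER_IP + ESP_HDR + block + padded + ICV_LEN[integ]
    return size + (NAT_T_UDP if nat_t else 0)


def max_inner_len(path_mtu, cipher="3des", integ="sha", nat_t=False):
    """Largest inner IP packet that still fits in path_mtu after encapsulation."""
    block = CIPHERS[cipher]
    fixed = OUTER_IP + ESP_HDR + block + ICV_LEN[integ] + (NAT_T_UDP if nat_t else 0)
    budget = (path_mtu - fixed) // block * block   # whole encrypted blocks only
    return budget - PAD_TRAILER


def tcp_mss_for(inner_mtu):
    """MSS = inner IP MTU minus minimal IPv4 (20) and TCP (20) headers."""
    return inner_mtu - 40


def tunnel_sizing(path_mtu, cipher="3des", integ="sha", nat_t=False):
    """Values to feed 'ip mtu' / 'ip tcp adjust-mss' style settings for this path."""
    inner = max_inner_len(path_mtu, cipher, integ, nat_t)
    return {"path_mtu": path_mtu, "inner_mtu": inner, "tcp_mss": tcp_mss_for(inner)}


def linux_ping_probe(host, data_len):
    """True if one DF-set echo with data_len payload bytes gets a reply.
    Uses iputils ping (Debian/Linux): -M do sets DF. Needs real network access."""
    r = subprocess.run(["ping", "-M", "do", "-c", "1", "-W", "2",
                        "-s", str(data_len), host],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return r.returncode == 0


def find_path_mtu(probe, lo=576, hi=1500):
    """Binary-search the largest DF packet that passes, probe(data_len) -> bool.
    Returns the path MTU in bytes, or None if even a lo-byte packet is dropped."""
    lo_data, hi_data = lo - ICMP_ECHO_HDR, hi - ICMP_ECHO_HDR
    best = None
    while lo_data <= hi_data:
        mid = (lo_data + hi_data) // 2
        if probe(mid):          # passed: the answer is at least this big
            best = mid
            lo_data = mid + 1
        else:                   # dropped: everything larger is dropped too
            hi_data = mid - 1
    return None if best is None else best + ICMP_ECHO_HDR


def simulated_probe(path_mtu):
    """Constructed stand-in for a real path: DF packets above path_mtu are dropped."""
    return lambda data_len: data_len + ICMP_ECHO_HDR <= path_mtu


if __name__ == "__main__":
    # Offline demo against a constructed path whose MTU is 1456 bytes.
    mtu = find_path_mtu(simulated_probe(1456))
    print(tunnel_sizing(mtu))
    # Against a live peer you would instead pass:
    #   find_path_mtu(lambda n: linux_ping_probe("PEER-ADDRESS-PLACEHOLDER", n))
```

Run against the thread's own numbers: with ESP-3DES-SHA and a clean 1500-byte path, `esp_outer_size(1400)` is 1456, so a 1400-byte inner MTU fits, while `esp_outer_size(1460)` is 1512 and does not; the exact ceiling for that path is an inner MTU of 1446 and an MSS of 1406. The point of probing first is that the path is often narrower than 1500, in which case these ceilings drop accordingly.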
_______________________________________________
afnog mailing list
http://afnog.org/mailman/listinfo/afnog