Cure Your Errors

Fix Windows Errors & Optimize Your System

Windows/Mac OS/Linux
Support Guide

Home

IPad: Open AES-encrypted zip files?

Is there an app which allows one to open zip files that were encrypted with AES-128 or AES-256?  There was a discussion last year (https://discussions.apple.com/message/12429143) saying that there were none at the time, but I'm hoping for some progress since then.  GoodReader, Filer LIte, and USB Disk Pro all failed to read files encrypted with either algorithm.  Thanks,
John

Is there an app which allows one to open zip files that were encrypted with AES-128 or AES-256?  There was a discussion last year (https://discussions.apple.com/message/12429143) saying that there were none at the time, but I'm hoping for some progress since then.  GoodReader, Filer LIte, and USB Disk Pro all failed to read files encrypted with either algorithm.  Thanks,
John

Solution

1. Download & Run DLLEscort - Download Now

2. Click 'Start Scan' to analyze your System.

3. Click 'Fix Errors' and you're done!

 

Related Content

I`m getting a saffire pro 40,and want to know what and how to turn anything I dont`t need to have running on my 2011 Macbook Pro


I`d like to know how can i insert documents, xls/doc/pdf into iCloud and have them in my iPhone and my iPad. I just found one way, through ibooks, but i think it isn't a practical option.


I_UPDMODE has no value in my Function Module when using Delta Extraction


I\updated bios earlier from and now my paviliong6 skype mic is not working. other side can't hear?


Ix2 fails to respond, cannot get past login screen


IWS Install Failed on Win 2000


IWS 6.0 SP1 Filtering API


IWorks 09 Crash under OD Network Home Folder


IWorks 08 and Snow Leopard


IWork won't allow small text to be antialiased in PDFs


IWork with Yosemite on iMac


IWork on my iPhone no longer syncs with iCloud


IWork on Macbook Pro Retina display needs updating, text is blurry?


IWork on iPad not syncing with iCloud Drive


IWork Numbers -- how to determine the current selected column/row?


IWork not syncing with iCloud on iPad


IWork not syncing with iCloud Drive on iPad or iPhone with new iOS 8.


IWork locked for maintenance each time I try and delete/download an iWork file from the web.


IWork install asking for serial number even though installed from disc set


IWork for two Mac's?


ATTENTION PeterGrace
Your post was removed to a secure area out of public view because it violates forum posting guidelines.
Forum Guidelines state >>> clickable link http://forums.comcast.com/t5/Forum-Guidelines/Posting-Guidelines/td-p/866289 which everyone should read BEFORE making a first post
Please don't;
Post personal information in the forums
Please do your best to keep your identity and personal information safe. This includes:
Your full name
Your telephone number
Your Physical/Mailing Address
Email addresses
Credit Card numbers
Account numbers
Personal public IP addresses
Modem MAC address and / or serial number <<<<<<<<<<<<<<<<<<<<<
Active phishing links
Other personally identifiable information
Here is your post with the information removed;
Hi there!
Has Comcast stopped assigning delegated prefixes for users who request them? I had my router setup to request a /60 via IA-PD but just today it appears to have stopped. I'm still getting an ipv6 address on the dhcpv6 solicit, but no more delegated prefixes. Thinking that the problem might be solved with a firewall software update, I upgraded to the latest release version but the same problem persists. Here's my IAID/DUID to aid in tracking down the issue.
IAID: XXXXXXXXX
DUID: XXXXXXXXXXXXXXXXXXXXXXXXXXX
EDIT: Cablemodem HFC MAC: XXXXXXXXXXXXXXXX (found on surfboard diagnostic page)
Let me know what other info I might provide to aid in diagnostics.
Thanks in advance!

For an enterprise, it doesn't seem to make sense to use Global addressing for point to point, transit-only links and loopbacks.
Link-local only addressing breaks debugging tools like traceroute, DNS, etc.
Is Unique Local the correct choice for this?
I've searched quite a bit and I've not found a lot of discussion about scope selection for point to point links.  Some RFCs such as 6164 imply Global scope vs Unique Local scope usage is a preference.  Most discussions of point to point addressing focus on bit length.  I'm assuming this means design concerns are agnostic toward scope selection.
Is anyone aware of documentation I've missed or have any recommendations in this area?
If ULA was the correct choice, address hierarchy might look like this:
DataNetwork1 -- Router1 -- ULA.1.1 -- Link -- ULA1.2 -- Agg Router -- Core
DataNetwork2 -- Router2 -- ULA.2.1 -- Link -- ULA2.2 -- Agg Router /
DataNetwork3 -- Router3 -- ULA.3.1 -- Link -- ULA3.2 -- Agg Router /
The network core would have summarized entries for DataNetwork[1|2|3] and ULA[1|2|3].  IE, there would be a Global hierarchy and a ULA hierarchy.

Hello,
I work in healthcare and in our environment we have mostly HP LaserJet printers. Within the last 6 - 12 months we have started using some HP LaserJet 400 M401dn and HP LaserJet 400 MFP M425dn printers. They all have been updated with the latest firmware (20 printers) and connect to the network via ethernet using IPv4. We are having an issue when trying to print to them from a specific application. It's only happening on these particular models. All other HP LaserJet printers DO NOT have this problem (HP LaserJet 2015dn, 2055dn, P4015dn, 600 M602dn). The application is a telnet client using SSL that connects to a server. This server is on a different subnet (128.1.x.x) than the printers (10.92.x.x) that the clients print to.
It is possible to 'ping' the printer within the application using the printer hostname or IP address. The problem is, there are times when the printer status says 'Ready', and we can ping the printer from within the Windows operating system (Win7 Pro), but we cannot ping it via telnet SSL client. There is no response. The result is, we cannot print from the application to these printers. This problem isn't consistent either. There are times when it does work!
If we assign the printer to the same subnet as the application server, the issue appears to go away. Unfortuantely this is not a feasible permanent fix for us as the printers need to remain in their current subnet.
Sleep Mode is disabled on all of these printers. IPv4 settings are all correct and have been verified by various IT staff.
We believe there is an IPv4 gateway issue within the NICs on these printers. Has anyone ever had a similar issue? Are there any other additional details that I should provide which might help resolve this issue?
Regards.

Hi all,
I have a site-to-site VPN configured between a 5520 at our data center, and a 1700 at a client's site for site-to-site connectivity.  What I've noticed is, is that the VPN can only initiate from my Data Center, never from the client router.  I can telnet into the router and start a telnet session sourced from the "inside" interface and it fails, yet I can see the NAT translations get created in the state table that should match the crypto-map.  However, if I ping a host on the inside of the remote LAN from my workstation (behind the 5520) to bring the tunnel up, and run the exact same command on the client router once the tunnel is up, it works.  Right now I have a continuous ping running from my workstation to keep the tunnel up, but obviously that's not the best solution
I had to modify this config to NAT the LAN addresses at the client to a non-overlapping subnet, so anything coming from 128.1.0.0/16 should be NAT'd to 192.168.105.[50-200]/24.  I've also got two static NATs for inbound access from the data center and those seem to work fine.
I've pasted the config below, can anyone see what I might have missed?
Current configuration : 2787 bytes
! No configuration change since last restart
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname hch-1721
boot-start-marker
boot-end-marker
enable secret 5 [REDACTED]
enable password 7 [REDACTED]
username support password 7 XXXXX
username bywater password 7 XXXXX
clock timezone MST -7
clock summer-time MDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
aaa authentication login default local
aaa session-id common
ip subnet-zero
no ip domain lookup
ip cef
ip audit po max-events 100
no ftp-server write-enable
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key MYKEY address MYPEER
crypto ipsec transform-set hch_vpn esp-3des esp-md5-hmac
crypto map hch_vpn 10 ipsec-isakmp
set peer MYPEER
set security-association lifetime seconds 28800
set transform-set hch_vpn
match address 101
interface Ethernet0
description HCH Outside (to DSL Modem)
ip address 12.34.56.225 255.255.255.248
ip nat outside
half-duplex
no cdp enable
crypto map hch_vpn
interface FastEthernet0
description HCH Inside Intranet
ip address 128.1.0.75 255.255.0.0
no ip proxy-arp
ip nat inside
no ip mroute-cache
speed auto
full-duplex
ip nat pool hchpool 192.168.105.50 192.168.105.200 netmask 255.255.255.0
ip nat inside source list 50 pool hchpool overload
ip nat inside source route-map nonat interface Ethernet0 overload
ip nat inside source static 128.1.0.1 192.168.105.1
ip nat inside source static 128.1.247.4 192.168.105.2
ip nat outside source list 50 pool hchpool
ip classless
ip route 0.0.0.0 0.0.0.0 12.34.56.230
no ip http server
no ip http secure-server
access-list 20 permit REMOTEADMIN
access-list 20 permit REMOTESITE 0.0.0.255
access-list 20 permit 192.168.249.0 0.0.0.255
access-list 20 permit 128.1.247.0 0.0.0.255
access-list 20 permit 128.1.0.0 0.0.255.255
access-list 50 permit 128.1.0.0 0.0.255.255
access-list 101 permit ip 192.168.105.0 0.0.0.255 192.168.249.0 0.0.0.255
access-list 101 permit ip 128.1.0.0 0.0.255.255 192.168.249.0 0.0.0.255
access-list 110 deny   ip 192.168.105.0 0.0.0.255 192.168.249.0 0.0.0.255
access-list 110 permit ip 128.1.0.0 0.0.255.255 any
access-list 133 deny   tcp any any eq 135
access-list 133 deny   tcp any any eq 445
access-list 133 deny   tcp any any eq 5554
access-list 133 deny   tcp any any eq 9996
access-list 133 permit ip any any
route-map nonat permit 10
match ip address 110
line con 0
line aux 0
line vty 0 4
access-class 20 in
exec-timeout 0 0
ntp clock-period 17179984
ntp server 198.72.72.10
end

Hi
Here is some small digram of my firewalls
LAN ---- FW(A) ----- S2S Tunnel ------- FW (B)------------------ LAN
                  |                                                                  |
                   --------- Cisco VPN need to be run -------------
I used to run that VPN for more than three years with no issue, but after upgrading FW (A) from 8.2.5 to 8.4.7 I got below error msg
Group = XXXX, Username = XXXX, IP = x..x.x.x, Skipping dynamic map SYSTEM_DEFAULT_CRYPTO_MAP sequence 65535: cannot match peerless map when peer found in previous map entry.
Please does any body have any clue about it and I solve that?
Mike

Hi!
At the moment running ASA 8.3, with fairly much experience of ASA 8.0-8.2, I can't get the NAT right for the VPN clients.
Im pretty sure it's not ACL's, although I might be wrong.
The problem is both VPN users can reach internal resources, and vpn users cant reach external resources.
# Issue 1.
IPSEC VPN client cannot reach any local (inside) resources. All interfaces are pretty much allow any any, I suspect it has to do with NAT.
When trying to access an external resource, the "translate_hits" below are changed:
Auto NAT Policies (Section 2)
1 (outside) to (outside) source dynamic vpn_nat interface
   translate_hits = 37, untranslate_hits = 11
When trying to reach a local resource (10.0.0.0/24), the translate hits below are changed:
5 (inside) to (outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
    translate_hits = 31, untranslate_hits = 32
Most NAT, some sensitive data cut:
Manual NAT Policies (Section 1)
<snip>
3 (inside) to (server) source static NETWORK_OBJ_1.2.3.0_29 NETWORK_OBJ_1.2.3.0_29
    translate_hits = 0, untranslate_hits = 0
4 (inside) to (server) source static any any destination static NETWORK_OBJ_10.0.0.240_28 NETWORK_OBJ_10.0.0.240_28
    translate_hits = 0, untranslate_hits = 0
5 (inside) to (outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
    translate_hits = 22, untranslate_hits = 23
Auto NAT Policies (Section 2)
1 (outside) to (outside) source dynamic vpn_nat interface
    translate_hits = 37, untranslate_hits = 6
Manual NAT Policies (Section 3)
1 (something_free) to (something_outside) source dynamic any interface
    translate_hits = 0, untranslate_hits = 0
2 (something_something) to (something_outside) source dynamic any interface
    translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source dynamic any interface
    translate_hits = 5402387, untranslate_hits = 1519419
##  Issue 2, vpn user cannot access anything on internet
asa# packet-tracer input outside tcp 172.16.32.1 12345 1.2.3.4 443
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Relevant configuration snippet:
interface Vlan2
nameif outside
security-level 0
ip address 1.2.3.2 255.255.255.248
interface Vlan3
nameif inside
security-level 100
ip address 10.0.0.5 255.255.255.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network anywhere
subnet 0.0.0.0 0.0.0.0
object network something_free
subnet 10.0.100.0 255.255.255.0
object network something_member
subnet 10.0.101.0 255.255.255.0
object network obj-ipsecvpn
subnet 172.16.31.0 255.255.255.0
object network allvpnnet
subnet 172.16.32.0 255.255.255.0
object network OFFICE-NET
subnet 10.0.0.0 255.255.255.0
object network vpn_nat
subnet 172.16.32.0 255.255.255.0
object-group network the_office
network-object 10.0.0.0 255.255.255.0
access-list VPN-TO-OFFICE-NET standard permit 10.0.0.0 255.255.255.0
ip local pool ipsecvpnpool 172.16.32.0-172.16.32.255 mask 255.255.255.0
ip local pool vpnpool 172.16.31.1-172.16.31.255 mask 255.255.255.0
nat (inside,server) source static NETWORK_OBJ_1.2.3.0_29 NETWORK_OBJ_1.2.3.0_29
nat (inside,server) source static any any destination static NETWORK_OBJ_10.0.0.240_28 NETWORK_OBJ_10.0.0.240_28
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
object network vpn_nat
nat (outside,outside) dynamic interface
nat (some_free,some_outside) after-auto source dynamic any interface
nat (some_member,some_outside) after-auto source dynamic any interface
nat (inside,outside) after-auto source dynamic any interface
group-policy companyusers attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol IPSec
default-domain value company.net
tunnel-group companyusers type remote-access
tunnel-group companyusers general-attributes
address-pool ipsecvpnpool
default-group-policy companyusers
tunnel-group companyusers ipsec-attributes
pre-shared-key *****

2013-07-30 11:37:04
Information
IPsec VPN
msg=Could not change to directory '/etc/ipsec.d/crls';
2013-07-30 11:37:04
Information
IPsec VPN
msg=Could not change to directory '/etc/ipsec.d/ocspcerts': /;
2013-07-30 11:37:04
Information
IPsec VPN
msg=Could not change to directory '/etc/ipsec.d/aacerts': /;
2013-07-30 11:37:04
Information
IPsec VPN
msg=  error in X.509 certificate default.pem;
2013-07-30 11:37:04
Information
IPsec VPN
msg=  loaded CA cert file 'default.pem' (2745 bytes);
2013-07-30 11:37:04
Information
IPsec VPN
msg=  loaded CA cert file 'default_crt.pem' (1070 bytes);
2013-07-30 11:37:04
Information
IPsec VPN
msg=  error in X.509 certificate default_key.pem;
2013-07-30 11:37:04
Information
IPsec VPN
msg=  loaded CA cert file 'default_key.pem' (1675 bytes);
2013-07-30 11:37:04
Information
IPsec VPN
msg=Changed path to directory '/mnt/shiner/certificate';
2013-07-30 11:37:04
Information
IPsec VPN
msg=loading secrets from "/tmp/etc/ipsec.d/S2S.secrets";
2013-07-30 11:37:04
Information
IPsec VPN
msg=  loaded CA cert file 'default.pem' (2745 bytes);
2013-07-30 11:37:04
Information
IPsec VPN
msg=  loaded CA cert file 'default_crt.pem' (1070 bytes);
2013-07-30 11:37:04
Information
IPsec VPN
msg=  error in X.509 certificate default_key.pem;
2013-07-30 11:37:04
Information
IPsec VPN
msg=  loaded CA cert file 'default_key.pem' (1675 bytes);
2013-07-30 11:37:04
Information
IPsec VPN
msg=Changed path to directory '/mnt/shiner/certificate';
2013-07-30 11:37:04
Information
IPsec VPN
msg=loading secrets from "/tmp/etc/ipsec.d/S2S.secrets";
2013-07-30 11:37:04
Information
IPsec VPN
msg=loading secrets from "/etc/ipsec.secrets";
2013-07-30 11:37:04
Information
IPsec VPN
msg=forgetting secrets;
2013-07-30 11:37:04
Information
IPsec VPN
msg=added connection description "Tunnel0";
2013-07-30 11:37:02
Information
IPsec VPN
msg="Alabang" #117: deleting state (STATE_MAIN_R1);
2013-07-30 11:37:02
Information
IPsec VPN
msg="Alabang": deleting connection;
2013-07-30 11:36:55
Warning
IPsec VPN
msg="Alabang" #117: STATE_MAIN_R1: sent MR1, expecting MI2;
2013-07-30 11:36:55
Error
IPsec VPN
msg=ERROR: "Alabang" #117: sendto on ppp0 to 112.209.172.XXX:500 failed in STATE_MAIN_R0. Errno 101: Network is unreachable;
2013-07-30 11:36:55
Information
IPsec VPN
msg="Alabang" #117: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1;
2013-07-30 11:36:55
Information
IPsec VPN
msg="Alabang" #117: responding to Main Mode;
2013-07-30 11:36:55
Warning
IPsec VPN
msg=packet from 112.209.172.XXX:500: received Vendor ID payload [Dead Peer Detection];
2013-07-30 11:36:46
Information
IPsec VPN
msg=Could not change to directory '/etc/ipsec.d/crls';
2013-07-30 11:36:46
Information
IPsec VPN
msg=Could not change to directory '/etc/ipsec.d/ocspcerts': /;
==============================================================
Site 1 = Cisco ISA 500. Named as CHI
Site 2 = Cisco RV042. Named as Alabang
Shown above is the logs from my ISA 570 IPSec VPN. I have set the same settings for my IKE Policies and my Transform Sets. Attached are the screenshots of my the VPN Settings of my 2 systems. It does show in the table above that the 112.209.172.XXX is unreachable, but please look at screen6.bmp and see that I can very well ping the RV042 system. Please feel free to ask me for more info about my setup.
On a side note, take a look at Screen5.bmp. This screenie shows that I have an existing WORKING VPN connection to another site with a Linksys RV042, named as Villa. So as you can also see in the screenshot, it has a VPN setup for CHI but it can not connect. Hence my problem above. The VPN setting for Villa is the same as CHI (PFS, IKE, Transforms, PFS).

Hi People,
I'm getting several issues, let me explain:
I have a Router HP MSR with 2 ethernet interfaces, Eth 0/0 - WAN (186.177.159.98) and Eth 0/1 LAN (192.168.100.0 /24). I have configured a VPN site to site thru the internet, and it works really well. The other site has the subnet 10.10.10.0 and i can reache the network thru the VPN Ipsec. The issue is that the network 192.168.100.0 /24 needs to reach internet with the same public address, so I have set a basic NT configuration, when I put the nat configuration into Eth 0/0 all network 192.168.100.0 can go to internet, but the VPN goes down, when I remove the NAT from Eth 0/0 the VPN goes Up, but the network 192.168.100.0 Can't go to internet.
I'm missing something but i don't know what it is !!!!, See below the configuration.
Can anyone help me qith that, I need to send te traffic with target 10.10.10.0 thru the VPN, and all other traffic to internet, Basically I need that NAT and VPN work fine at same time.
Note: I just have only One public Ip address.
version 5.20, Release 2207P41, Standard
sysname HP
nat address-group 1 186.177.159.93 186.177.159.93
domain default enable system
dns proxy enable
telnet server enable
dar p2p signature-file cfa0:/p2p_default.mtd
port-security enable
acl number 2001
rule 0 permit source 192.168.100.0 0.0.0.255
rule 5 deny
acl number 3000
rule 0 permit ip source 192.168.100.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
vlan 1
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
ike proposal 10
encryption-algorithm 3des-cbc
dh group2
ike peer vpn-test
proposal 1
pre-shared-key cipher wrWR2LZofLx6g26QyYjqBQ==
remote-address <Public Ip from VPN Peer>
local-address 186.177.159.93
nat traversal
ipsec proposal vpn-test
esp authentication-algorithm sha1
esp encryption-algorithm 3des
ipsec policy vpntest 30 isakmp
connection-name vpntest.30
security acl 3000
pfs dh-group2
ike-peer vpn-test
proposal vpn-test
dhcp server ip-pool vlan1 extended
network mask 255.255.255.0
user-group system
group-attribute allow-guest
local-user admin
password cipher .]@USE=B,53Q=^Q`MAF4<1!!
authorization-attribute level 3
service-type telnet
service-type web
cwmp
undo cwmp enable
interface Aux0
async mode flow
link-protocol ppp
interface Cellular0/0
async mode protocol
link-protocol ppp
interface Ethernet0/0
port link-mode route
nat outbound 2001 address-group 1
nat server 1 protocol tcp global current-interface 3389 inside 192.168.100.20 3389
ip address dhcp-alloc
ipsec policy vpntest
interface Ethernet0/1
port link-mode route
ip address 192.168.100.1 255.255.255.0
interface NULL0
interface Vlan-interface1
undo dhcp select server global-pool
dhcp server apply ip-pool vlan1

Hello All,
I working on a security solution using ASA firewall and need some technical advice on ASA. Is it possible to setup a IPSec tunnels  on each subinterface of a physical interface on ASA 5510?
I would be greatul if someone please reply post this with some details.
Regards,
Muds

Hello (and Happy Thanksgiving to those in the USA),
We recently swapped our ASA and re-applied the saved config to the new device. There is a site-to-site VPN that works and a remote client VPN that does not. We use some Cisco VPN clients and some Shrew Soft VPN clients.I've compared the config of the new ASA to that of the old ASA and I cannot find any differences (but the remote client VPN was working on the old ASA). The remote clients do connect and a tunnel is established but they are unable to pass traffic. Systems on the network where the ASA is located are able to access the internet.
Output of sho crypto isakmp sa (ignore peer #1, that is the working site-to-site VPN)
   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA d
Total IKE SA: 2
1   IKE Peer: xx.168.155.98
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: xx.211.206.48
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
Output of sho crypto ipsec sa (info regarding site-to-site VPN removed). Packets are decrypted but not encrypted.
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: publi
c-ip
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.1.100/255.255.255.255/0/0)
      current_peer: xx.211.206.48, username: me
      dynamic allocated peer ip: 10.20.1.100
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: public-ip/4500, remote crypto endpt.: xx.211.206.48/4
500
      path mtu 1500, ipsec overhead 82, media mtu 1500
      current outbound spi: 7E0BF9B9
      current inbound spi : 41B75CCD
    inbound esp sas:
      spi: 0x41B75CCD (1102535885)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 28776
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
      spi: 0xC06BF0DD (3228299485)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, Rekeyed}
         slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 28774
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x000003FF 0xFFF80001
    outbound esp sas:
      spi: 0x7E0BF9B9 (2114714041)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 28774
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
      spi: 0xCBF945AC (3422111148)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, Rekeyed}
         slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 28772
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
Config from ASA
: Saved
: Written by me at 19:56:37.957 pst Tue Nov 26 2013
ASA Version 8.2(4)
hostname mfw01
domain-name company.int
enable password xxx encrypted
passwd xxx encrypted
names
name xx.174.143.97 cox-gateway description cox-gateway
name 172.16.10.0 iscsi-network description iscsi-network
name 192.168.1.0 legacy-network description legacy-network
name 10.20.50.0 management-network description management-network
name 10.20.10.0 server-network description server-network
name 10.20.20.0 user-network description user-network
name 192.168.1.101 private-em-imap description private-em-imap
name 10.20.10.2 private-exchange description private-exchange
name 10.20.10.3 private-ftp description private-ftp
name 192.168.1.202 private-ip-phones description private-ip-phones
name 10.20.10.6 private-kaseya description private-kaseya
name 192.168.1.2 private-mitel-3300 description private-mitel-3300
name 10.20.10.1 private-pptp description private-pptp
name 10.20.10.7 private-sharepoint description private-sharepoint
name 10.20.10.4 private-tportal description private-tportal
name 10.20.10.8 private-xarios description private-xarios
name 192.168.1.215 private-xorcom description private-xorcom
name xx.174.143.99 public-exchange description public-exchange
name xx.174.143.100 public-ftp description public-ftp
name xx.174.143.101 public-tportal description public-tportal
name xx.174.143.102 public-sharepoint description public-sharepoint
name xx.174.143.103 public-ip-phones description public-ip-phones
name xx.174.143.104 public-mitel-3300 description public-mitel-3300
name xx.174.143.105 public-xorcom description public-xorcom
name xx.174.143.108 public-remote-support description public-remote-support
name xx.174.143.109 public-xarios description public-xarios
name xx.174.143.110 public-kaseya description public-kaseya
name xx.174.143.111 public-pptp description public-pptp
name 192.168.2.0 Irvine_LAN description Irvine_LAN
name xx.174.143.98 public-ip
name 10.20.10.14 private-RevProxy description private-RevProxy
name xx.174.143.107 public-RevProxy description Public-RevProxy
name 10.20.10.9 private-XenDesktop description private-XenDesktop
name xx.174.143.115 public-XenDesktop description public-XenDesktop
name 10.20.1.1 private-gateway description private-gateway
name 192.168.1.96 private-remote-support description private-remote-support
interface Ethernet0/0
nameif public
security-level 0
ip address public-ip 255.255.255.224
interface Ethernet0/1
speed 100
duplex full
nameif private
security-level 100
ip address private-gateway 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.0.1 255.255.255.0
management-only
ftp mode passive
clock timezone pst -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name mills.int
object-group service ftp
service-object tcp eq ftp
service-object tcp eq ftp-data
object-group service DM_INLINE_SERVICE_1
group-object ftp
service-object udp eq tftp
object-group service DM_INLINE_TCP_1 tcp
port-object eq 40
port-object eq ssh
object-group service web-server
service-object tcp eq www
service-object tcp eq https
object-group service DM_INLINE_SERVICE_2
service-object tcp eq smtp
group-object web-server
object-group service DM_INLINE_SERVICE_3
service-object tcp eq ssh
group-object web-server
object-group service kaseya
service-object tcp eq 4242
service-object tcp eq 5721
service-object tcp eq 8080
service-object udp eq 5721
object-group service DM_INLINE_SERVICE_4
group-object kaseya
group-object web-server
object-group service DM_INLINE_SERVICE_5
service-object gre
service-object tcp eq pptp
object-group service VPN
service-object gre
service-object esp
service-object ah
service-object tcp eq pptp
service-object udp eq 4500
service-object udp eq isakmp
object-group network MILLS_VPN_VLANS
network-object 10.20.1.0 255.255.255.0
network-object server-network 255.255.255.0
network-object user-network 255.255.255.0
network-object management-network 255.255.255.0
network-object legacy-network 255.255.255.0
object-group service InterTel5000
service-object tcp range 3998 3999
service-object tcp range 6800 6802
service-object udp eq 20001
service-object udp range 5004 5007
service-object udp range 50098 50508
service-object udp range 6604 7039
service-object udp eq bootpc
service-object udp eq tftp
service-object tcp eq 4000
service-object tcp eq 44000
service-object tcp eq www
service-object tcp eq https
service-object tcp eq 5566
service-object udp eq 5567
service-object udp range 6004 6603
service-object tcp eq 6880
object-group service DM_INLINE_SERVICE_6
service-object icmp
service-object tcp eq 2001
service-object tcp eq 2004
service-object tcp eq 2005
object-group service DM_INLINE_SERVICE_7
service-object icmp
group-object InterTel5000
object-group service DM_INLINE_SERVICE_8
service-object icmp
service-object tcp eq https
service-object tcp eq ssh
object-group service RevProxy tcp
description RevProxy
port-object eq 5500
object-group service XenDesktop tcp
description Xen
port-object eq 8080
port-object eq 2514
port-object eq 2598
port-object eq 27000
port-object eq 7279
port-object eq 8000
port-object eq citrix-ica
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_8 any host public-ip
access-list public_access_in extended permit object-group VPN any host public-ip
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_7 any host public-ip-phones
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_1 any host public-ftp
access-list public_access_in extended permit tcp any host public-xorcom object-group DM_INLINE_TCP_1
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_2 any host public-exchange
access-list public_access_in extended permit tcp any host public-RevProxy object-group RevProxy
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_3 any host public-remote-support
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_6 any host public-xarios
access-list public_access_in extended permit object-group web-server any host public-sharepoint
access-list public_access_in extended permit object-group web-server any host public-tportal
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_4 any host public-kaseya
access-list public_access_in extended permit object-group DM_INLINE_SERVICE_5 any host public-pptp
access-list public_access_in extended permit ip any host public-XenDesktop
access-list private_access_in extended permit icmp any any
access-list private_access_in extended permit ip any any
access-list VPN_Users_SplitTunnelAcl standard permit server-network 255.255.255.0
access-list VPN_Users_SplitTunnelAcl standard permit user-network 255.255.255.0
access-list VPN_Users_SplitTunnelAcl standard permit management-network 255.255.255.0
access-list VPN_Users_SplitTunnelAcl standard permit 10.20.1.0 255.255.255.0
access-list VPN_Users_SplitTunnelAcl standard permit legacy-network 255.255.255.0
access-list private_nat0_outbound extended permit ip object-group MILLS_VPN_VLANS Irvine_LAN 255.255.255.0
access-list private_nat0_outbound extended permit ip object-group MILLS_VPN_VLANS 10.20.1.96 255.255.255.240
access-list private_nat0_outbound extended permit ip object-group MILLS_VPN_VLANS 10.90.2.0 255.255.255.0
access-list public_1_cryptomap extended permit ip object-group MILLS_VPN_VLANS Irvine_LAN 255.255.255.0
access-list public_2_cryptomap extended permit ip object-group MILLS_VPN_VLANS 10.90.2.0 255.255.255.0
pager lines 24
logging enable
logging list Error-Events level warnings
logging monitor warnings
logging buffered warnings
logging trap warnings
logging asdm warnings
logging mail warnings
logging host private private-kaseya
logging permit-hostdown
logging class auth trap alerts
mtu public 1500
mtu private 1500
mtu management 1500
ip local pool VPN_Users 10.20.1.100-10.20.1.110 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (public) 101 interface
nat (private) 0 access-list private_nat0_outbound
nat (private) 101 0.0.0.0 0.0.0.0
nat (management) 101 0.0.0.0 0.0.0.0
static (private,public) public-ip-phones private-ip-phones netmask 255.255.255.255 dns
static (private,public) public-ftp private-ftp netmask 255.255.255.255 dns
static (private,public) public-xorcom private-xorcom netmask 255.255.255.255 dns
static (private,public) public-exchange private-exchange netmask 255.255.255.255 dns
static (private,public) public-RevProxy private-RevProxy netmask 255.255.255.255 dns
static (private,public) public-remote-support private-remote-support netmask 255.255.255.255 dns
static (private,public) public-xarios private-xarios netmask 255.255.255.255 dns
static (private,public) public-sharepoint private-sharepoint netmask 255.255.255.255 dns
static (private,public) public-tportal private-tportal netmask 255.255.255.255 dns
static (private,public) public-kaseya private-kaseya netmask 255.255.255.255 dns
static (private,public) public-pptp private-pptp netmask 255.255.255.255 dns
static (private,public) public-XenDesktop private-XenDesktop netmask 255.255.255.255 dns
access-group public_access_in in interface public
access-group private_access_in in interface private
route public 0.0.0.0 0.0.0.0 cox-gateway 1
route private server-network 255.255.255.0 10.20.1.254 1
route private user-network 255.255.255.0 10.20.1.254 1
route private management-network 255.255.255.0 10.20.1.254 1
route private iscsi-network 255.255.255.0 10.20.1.254 1
route private legacy-network 255.255.255.0 10.20.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
ldap attribute-map admin-control
  map-name  comment Privilege-Level
ldap attribute-map allow-dialin
  map-name  msNPAllowDialin IETF-Radius-Class
  map-value msNPAllowDialin FALSE NOACCESS
  map-value msNPAllowDialin TRUE IPSecUsers
ldap attribute-map mills-vpn_users
  map-name  msNPAllowDialin IETF-Radius-Class
  map-value msNPAllowDialin FALSE NOACCESS
  map-value msNPAllowDialin True IPSecUsers
ldap attribute-map network-admins
  map-name  memberOf IETF-Radius-Service-Type
  map-value memberOf FALSE NOACCESS
  map-value memberOf "Network Admins" 6
dynamic-access-policy-record DfltAccessPolicy
aaa-server Mills protocol nt
aaa-server Mills (private) host private-pptp
nt-auth-domain-controller ms01.mills.int
aaa-server Mills_NetAdmin protocol ldap
aaa-server Mills_NetAdmin (private) host private-pptp
server-port 389
ldap-base-dn ou=San Diego,dc=mills,dc=int
ldap-group-base-dn ou=San Diego,dc=mills,dc=int
ldap-scope subtree
ldap-naming-attribute cn
ldap-login-password *
ldap-login-dn cn=asa,ou=Service Accounts,ou=San Diego,dc=mills,dc=int
server-type microsoft
ldap-attribute-map mills-vpn_users
aaa-server NetworkAdmins protocol ldap
aaa-server NetworkAdmins (private) host private-pptp
ldap-base-dn ou=San Diego,dc=mills,dc=int
ldap-group-base-dn ou=San Diego,dc=mills,dc=int
ldap-scope subtree
ldap-naming-attribute cn
ldap-login-password *
ldap-login-dn cn=asa,ou=Service Accounts,ou=San Diego,dc=mills,dc=int
server-type microsoft
ldap-attribute-map network-admins
aaa-server ADVPNUsers protocol ldap
aaa-server ADVPNUsers (private) host private-pptp
ldap-base-dn ou=San Diego,dc=mills,dc=int
ldap-group-base-dn ou=San Diego,dc=mills,dc=int
ldap-scope subtree
ldap-naming-attribute cn
ldap-login-password *
ldap-login-dn cn=asa,ou=Service Accounts,ou=San Diego,dc=mills,dc=int
server-type microsoft
ldap-attribute-map mills-vpn_users
aaa authentication enable console ADVPNUsers LOCAL
aaa authentication http console ADVPNUsers LOCAL
aaa authentication serial console ADVPNUsers LOCAL
aaa authentication telnet console ADVPNUsers LOCAL
aaa authentication ssh console ADVPNUsers LOCAL
http server enable
http 0.0.0.0 0.0.0.0 management
http 0.0.0.0 0.0.0.0 public
http 0.0.0.0 0.0.0.0 private
snmp-server host private private-kaseya poll community ***** version 2c
snmp-server location Mills - San Diego
snmp-server contact Mills Assist
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp private
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map public_map 1 match address public_1_cryptomap
crypto map public_map 1 set pfs
crypto map public_map 1 set peer xx.168.155.98
crypto map public_map 1 set transform-set ESP-3DES-MD5 ESP-AES-128-SHA
crypto map public_map 1 set nat-t-disable
crypto map public_map 1 set phase1-mode aggressive
crypto map public_map 2 match address public_2_cryptomap
crypto map public_map 2 set pfs group5
crypto map public_map 2 set peer xx.181.134.141
crypto map public_map 2 set transform-set ESP-AES-128-SHA
crypto map public_map 2 set nat-t-disable
crypto map public_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map public_map interface public
crypto isakmp enable public
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 28800
telnet 0.0.0.0 0.0.0.0 private
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 public
ssh 0.0.0.0 0.0.0.0 private
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.2-192.168.0.254 management
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp authenticate
ntp server 216.129.110.22 source public
ntp server 173.244.211.10 source public
ntp server 24.124.0.251 source public prefer
webvpn
enable public
svc enable
group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol svc
group-policy IPSecUsers internal
group-policy IPSecUsers attributes
wins-server value 10.20.10.1
dns-server value 10.20.10.1
vpn-tunnel-protocol IPSec
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_Users_SplitTunnelAcl
default-domain value mills.int
address-pools value VPN_Users
group-policy Irvine internal
group-policy Irvine attributes
vpn-tunnel-protocol IPSec
username admin password Kra9/kXfLDwlSxis encrypted
tunnel-group VPN_Users type remote-access
tunnel-group VPN_Users general-attributes
address-pool VPN_Users
authentication-server-group Mills_NetAdmin
default-group-policy IPSecUsers
tunnel-group VPN_Users ipsec-attributes
pre-shared-key *
tunnel-group xx.189.99.114 type ipsec-l2l
tunnel-group xx.189.99.114 general-attributes
default-group-policy Irvine
tunnel-group xx.189.99.114 ipsec-attributes
pre-shared-key *
tunnel-group xx.205.23.76 type ipsec-l2l
tunnel-group xx.205.23.76 general-attributes
default-group-policy Irvine
tunnel-group xx.205.23.76 ipsec-attributes
pre-shared-key *
tunnel-group xx.168.155.98 type ipsec-l2l
tunnel-group xx.168.155.98 general-attributes
default-group-policy Irvine
tunnel-group xx.168.155.98 ipsec-attributes
pre-shared-key *
class-map global-class
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global-policy
class global-class
  inspect dns
  inspect esmtp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect sip 
  inspect skinny 
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
service-policy global-policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:5d5c963680401d150bee94b3c7c85f7a
Maybe my eyes are glazing over from looking at this for too long. Does anything look wrong? Maybe I missed a command that would not show up in the config?
Thanks in advance to all who take a look.