Chapter 20.

PIX and ASA Product Information
In Part V, I'll discuss the use of Cisco PIX and ASA security appliances to initiate and terminate VPN sessions. PIXs and ASAs are very flexible and can be used for site-to-site (LAN-to-LAN or L2L) sessions, VPN gateways, and remote access clients. I'll cover topics on how to configure the PIX security appliances using the new 7.0 Finesse Operating System (FOS) and its predecessor, 6.x (the ASA only supports version 7.0). In this chapter, however, I'll introduce you to the Cisco PIX and ASA security appliance solutions, focusing on VPN deployment scenarios and their VPN capabilities. I'll also discuss some of the advantages that Cisco PIXs and ASAs have over other Cisco products when being used for VPN solutions.

PIX Deployment Scenarios
The Cisco PIX and ASA VPN capabilities have their roots in Cisco IOS VPN technologies. VPNs were first introduced in the Cisco IOS router product line and then added to the PIXs in an early 5.x release. Like the routers and the concentrators, Cisco PIXs support many VPN solutions including IPsec, PPTP, and L2TP. Because of their flexibility, they can be used in many different situations. The ASA was introduced in the spring of 2005. The ASA is a unique hybrid security appliance, having abilities from the PIX, VPN 3000, and IDS 4200 sensors. This section will focus on how PIX and ASA security appliances can be used to enhance a VPN solution in your network. Specifically, the section will cover the following:

- L2L and Remote Access Connections
- The Special Capabilities of PIXs and ASAs

L2L and Remote Access Connections
PIXs and ASAs support L2L and remote access connections. For remote access solutions, the PIXs and ASAs can be Easy VPN Servers and the PIX 501 and 506E can be Easy VPN Remotes (clients). As I mentioned in Chapter 9, "Concentrator Site-to-Site Connections," I prefer to use Cisco routers for L2L sessions and concentrators for remote access connections. With the introduction of the ASA security appliances, they also can terminate SSL VPNs, with similar SSL capabilities compared to the VPN 3000 concentrators. Routers support enhanced routing and QoS capabilities over Cisco PIX and ASA security appliances and VPN 3000 concentrators. Plus, VPN 3000 concentrators scale better for remote access connections and are easy to set up. However, the Cisco PIX and ASA security appliances, first and foremost, provide better-integrated and more comprehensive security services than routers and concentrators. Therefore, if you need to enhance your VPN solution with security and firewall functions and place it in one box, or if you need enhanced address translation services for VPNs that terminate on a VPN device, the PIX or ASA is a much better choice than a router or a concentrator.

Special Capabilities of PIXs and ASAs
As I mentioned in Chapter 6, I prefer to use PIXs or ASAs in a VPN solution when I need advanced address translation capabilities in addition to advanced firewall and security services. There are three main features the PIX and ASA security appliances have over Cisco VPN 3000 concentrators and IOS-based routers when it comes to VPN implementations: address translation, stateful firewall services, and redundancy.

Address Translation
The PIX was originally developed by Network Translation as an address translation device back in 1994. From the beginning, the PIX has had its roots in address translation. The concentrator's address translation capabilities are very minimal, and Cisco routers' capabilities are based primarily on address translation involving two logical locations: inside and outside. However, the PIX's address translation capabilities can handle multiple interfaces easily, with different translation policies for different interfaces. Policy address translation is one of its main strengths. Many times I've attempted to configure complex address translation policies, such as bidirectional NAT on a multi-interfaced router, and then shortly gave up and easily configured the same policies on a PIX.

Stateful Firewall Services
With the introduction of FOS 6.x and 7.0, the PIX and ASA security appliances provide one of the best, if not the best, integrated stateful firewall services in the market, including support for both IPv4 and IPv6. Besides performing stateful firewall functions, they support superb application layer inspection and filtering capabilities, including detailed inspection of application layer information such as HTTP, FTP, SMTP, ESMTP, multimedia applications, voice, and many others. They support advanced guard and detection features to protect against TCP flood attacks, DNS spoofing, fragmentation attacks, web server attacks, and e-mail attacks. The PIX and ASA also can be used to detect and block instant messaging applications, peer-to-peer file sharing programs, and other applications that tunnel traffic through web services, such as AOL's Instant Messenger, KaZaA, and GoToMyPC.

Redundancy
Cisco PIXs support stateful failover for redundancy of connections. Before FOS 7.0, though, this did not include redundancy for VPN sessions; nor did it allow both PIXs, in a failover configuration, to process traffic. With the introduction of FOS 7.0, both PIXs or ASAs in a failover configuration can actively process traffic; this is referred to as Active/Active failover. Cisco routers don't support this type of redundancy, but the VPN 3000 concentrators do with VCA. However, with VCA, any remote access connections dropped by a failed concentrator must be rebuilt by the remote access clients via the master of the cluster, so temporary loss of connectivity will occur. With 7.0 of the FOS software, if one of the PIXs (or ASAs) in a failover configuration fails, all of the necessary VPN information already exists on the other redundant PIX, and the redundant PIX can immediately begin processing traffic for the VPN traffic. This solution provides a true stateful failover configuration not only for VPN traffic, but for any traffic flowing through the PIXs.

Note

Active/Active failover is load balancing based on the VCA code in VPN 3000 concentrators, and active/standby failover provides stateful failover for VPN sessions.

Failover times between PIXs or ASAs have been reduced to subsecond times when serial-based failover is used and three seconds when LAN-based failover is used. Another great feature in FOS 7.0 is zero-downtime software upgrades. You can upgrade the PIX or ASA without having to reboot it, which can be very important for mission-critical VPN applications.

PIX and ASA Feature and Product Overview
In the next two sections, I'll discuss briefly some of the VPN features and VPN capabilities of the PIX and ASA security appliances, and which PIX or ASA appliance you should choose for a VPN implementation. This information can help you in determining if the PIX or ASA is the right product platform for you.

Note
Up until 6.0, all of the PIXs supported the same FOS, and with a few exceptions of features, all had the same capabilities. When FOS 7.0 was introduced, it was initially available only on the 515/515E and higher PIXs, with possible support for the 501 and 506E to be added later.

PIX and ASA VPN Features
Cisco PIX and ASA security appliances support many VPN features. The features listed below include features that have existed in older FOS versions, and those that are new in FOS 7.0:

- They are fully IPsec-compliant and support both L2L and remote access services.
- All PIXs and ASAs support AES, DES, and 3DES encryption algorithms (with AES added in FOS 6.3) and MD5 and SHA hashing functions. DH groups 1, 2, and 5 are supported, with FOS 7.0 adding support for DH group 7.
- The PIX has supported NAT-T since FOS 6.3; FOS 7.0 has added support for IPsec over TCP and Cisco IPsec over UDP.
- The PIXs support Easy VPN, where they can perform both Easy VPN Server and Remote functions. As an Easy VPN Remote, the PIX can use client and network extension modes with RRI, and can perform device, interactive user, and individual user authentication (like the 3002 hardware client). ASAs cannot be Easy VPN Remotes, however, but they can be Easy VPN Servers.
- Like the VPN 3000 concentrators, the PIXs and ASAs can perform automatic software updates for the 3002 hardware clients and Cisco VPN software clients (new in FOS 7.0).
- The PIX and ASA can act as a hub in a hub-and-spoke topology, where traffic can be inspected and policies enforced before allowing traffic to flow between the spokes via the hub PIX or ASA (new in FOS 7.0).
- The PIX and ASA can route OSPF traffic across VPN tunnels and can inject RRI routes into an OSPF routing process (new in FOS 7.0).
- VPN client security posture enforcement allows the PIX and ASA to perform NAC for VPN clients, restricting clients' access based on their operating system and type, and installed security product software (like antivirus and personal firewall software) (new in FOS 7.0).
- The ASA supports the termination of SSL VPNs from SSL clients. Currently, the PIX does not support this feature. The ASA's SSL VPN capabilities are more comparable to the VPN 3000 concentrators than to Cisco routers.
- Support has been added to enroll for certificates manually (new in FOS 7.0). Other features are the export of private keys, the increase of RSA key sizes to 4,096 bits, support for DSA-based X.509 certificates, support for hierarchical CA implementations, and use of an IOS router acting as a CA.

As you can see from the preceding list, many VPN improvements have been added in FOS 7.0.

Pre- and Post-FOS 7.0
In FOS 6.3 and earlier, I typically shied away from using the PIX as a VPN solution because of the many VPN features that it lacked (the ASA only supports FOS 7.0 and later). Probably my biggest issue with the pre-7.0 FOS was that traffic that entered a PIX's interface could not leave the same interface. This meant that the PIX could not be a VPN hub device in a VPN hub-and-spoke topology. Nor could you have a policy that dictated that remote access clients had split tunneling disabled, if you wanted their traffic to come to the PIX first and then go back out to the Internet. You had to use split tunneling to allow this on the PIX. Cisco has remedied this in FOS 7.0.

Another limitation of the pre-7.0 FOS was that it didn't support any QoS. With 7.0, the PIX and ASA now support QoS services that allow it to classify and police traffic, and use low latency queuing (LLQ) and priority queuing (PQ). The IOS routers still support more advanced QoS functions, but in many situations, the PIX's QoS features are more than sufficient to deal with delay-sensitive or bursty traffic.

Likewise, redundancy features were somewhat lacking, since there was no stateful failover for VPNs nor support for both PIXs in the failover configuration to process traffic. FOS 7.0 remedied this situation.

Cisco has more than made up for the pre-FOS 6.3 VPN shortcomings in features with the introduction of FOS 7.0, putting it on par with the Cisco IOS-based routers and VPN 3000 concentrators, and in certain categories surpassing these products. Of course, the ASA hybrid security appliance allows you to use these features, and other security features, bundled into one high-performance platform.

PIX Models
The PIX security appliances come in several models: 501, 506E, 515E, 525, and 535. The 501 and 506E commonly are used in SOHO or small offices, the 515E in medium networks, the 525 in enterprise networks, and the 535 by very large enterprise or ISP networks. The 501 and 506E support only software-based encryption. The higher-end PIXs can do both software- and hardware-based encryption. Hardware encryption is accomplished through the VPN Accelerator Card (VAC). There are two versions of the card:

- VAC: hardware encryption using DES and/or 3DES
- VAC+: hardware encryption of DES, 3DES, and/or AES, including faster processing than the VAC

Table 20-1 has a brief comparison of the PIX models and their capabilities. Please note that VPN throughput figures are based on using the VAC+ instead of the VAC (Cisco no longer sells the VAC). Also, the maximum number of VPN peers of the 515E, 525, and 535 are based on the use of the VAC or VAC+.

Table 20-1. PIX Security Appliances

Specification                                  501    506E   515E       525        535
Firewall throughput in Mbps                    60     100    190        330        1,650
Failover/redundancy support                    N      N      Y          Y          Y
3DES throughput in Mbps (software/VAC+)        3      15     20/130     70/145     50/425
AES-128 throughput in Mbps (software/VAC+)     4.5    30     45/130     65/135     110/495
AES-256 throughput in Mbps (software/VAC+)     3.4    25     35/130     50/135     90/425
Maximum VPN peers                              10     25     2,000[1]   2,000[1]   2,000[1]

[1] The 515E, 525, and 535 appliances support 2,000 VPN sessions with the VAC+ card installed; without this card, only 1,000 VPN sessions are supported.

ASA Models
The ASA security appliances come in several models: 5510, 5520, and 5540. The ASA security appliances by and large combine the functionality of the PIX security appliances, IPS 4200 series sensors, and VPN 3000 series concentrators in a single chassis. The ASAs are feature-rich; here is a very brief list of these features:

- High-performance firewall services
- Intrusion prevention system (IPS)
- Network antivirus, worm, and trojan horse detection and deterrence
- SSL (WebVPN), L2L, and remote access VPNs

Table 20-2 has a quick overview of the VPN performance specifications of the ASA security appliances.

Table 20-2. ASA Security Appliances

Specification                                  5510             5520                                 5540
Firewall throughput in Mbps                    300              450                                  650
Failover/redundancy support, including VPNs    Active/Standby   Active/Standby, Active/Active, VCA   Active/Standby, Active/Active, VCA
3DES/AES throughput in Mbps                    170              225                                  325
Maximum IPsec peers                            50/150[1]        300/750[1]                           500/2,000[1]
Maximum WebVPN peers                           50/150[1]        300/750[1]                           1,250/2,500[1]

[1] Support for additional VPN sessions on a particular ASA model can be upgraded by purchasing the proper upgrade license.

Summary

This chapter introduced you to the PIX and ASA security appliance family. In April 2005, Cisco introduced a new version of the Finesse Operating System (FOS) for the PIX security appliances, called 7.0. Likewise, in May 2005, Cisco introduced the new Adaptive Security Appliance (ASA) devices, which support PIX, VPN concentrator, router, and IDS features all in one box. I've attempted to give you a brief introduction to the PIXs and ASAs so that you have an understanding of their capabilities (strengths and weaknesses) and therefore can properly choose the correct solution, and the correct PIX or ASA, when designing a VPN implementation.

Next up is Chapter 21, "PIX and ASA Site-to-Site Connections," where I show you how to create L2L sessions on these devices.

Chapter 21.

PIX and ASA Site-to-Site Connections
In this chapter I'll discuss how to configure IPsec LAN-to-LAN (L2L) sessions on the PIX and ASA security appliances. Because the 7.0 software is new, and the 6.x software is still in wide use, I'll point out differences in the configurations of both operating systems throughout the chapter where appropriate. However, the 501 and 506/506E PIXs only support the FOS 6.3 software. Fortunately, much of the code and commands found in the 7.0 PIX security appliances are the same as those found in the ASA devices. The first part of the chapter focuses on the components you'll need to configure the management connection, and the second part will focus on configuring the components of the data connections, much of which applies to remote access sessions. At the end of the chapter I'll illustrate an example of an L2L session between PIXs/ASAs.

Note
In version 7.0, the PIX/ASA supports VPN only in single mode, commonly called routed mode. VPNs are not supported when your PIX/ASA is configured for multiple security contexts (multi-mode) or in an Active/Active stateful failover configuration. In FOS 6.3 and earlier, the stateful failover feature of the PIXs did not provide stateful failover for VPN sessions; in FOS 7.0, however, this enhancement has been added. Currently this is supported only on the 515/515E PIXs and higher. The configuration of failover and stateful failover on the PIX/ASA, however, is beyond the scope of this book.

Topics such as tunnel groups, which were added in FOS 7.0, I'll address in Chapter 22, "PIX and ASA Remote Access Connections," where it is more appropriate.

ISAKMP/IKE Phase 1 Management Connection
In this first part of the chapter, I'll focus on the components necessary to allow IPsec traffic into the PIX/ASA and to build a management connection to a remote peer. Much of what I discuss here is applicable to both L2L and remote access sessions. After this, I'll discuss one issue with moving traffic between interfaces that have the same security level.

Allowing IPsec Traffic
Your first task is to allow IPsec session traffic into your PIX/ASA. In most cases, your IPsec session traffic will be terminated on the device's outside interface, which is, by default, the least secure, from the FOS's perspective. Unlike Cisco routers, PIX/ASA devices behave differently when traffic is flowing through them. With these security appliances, interfaces are assigned security levels, and based on security level configurations, traffic is not allowed to flow from a lower to a higher level, by default. You can use two methods to allow VPN traffic into or through the PIX from a less-to-more secure interface:

- Access control lists (ACLs)
- ACL bypassing

The following two sections will discuss both options.

Using ACLs to Allow IPsec Traffic
If you decide you'll use ACLs to allow IPsec traffic into your PIX/ASA, your ACL configuration will look something like the following:

appliance(config)# access-list ACL_name_or_# permit udp remote_peer_IP_address subnet_mask local_IP_address subnet_mask eq 500
appliance(config)# access-list ACL_name_or_# permit esp remote_peer_IP_address subnet_mask local_IP_address subnet_mask
appliance(config)# access-list ACL_name_or_# permit udp remote_peer_IP_address subnet_mask local_IP_address subnet_mask eq 4500
appliance(config)# access-list ACL_name_or_# permit tcp remote_peer_IP_address subnet_mask local_IP_address subnet_mask eq port_#
appliance(config)# access-list ACL_name_or_# permit protocol remote_protected_traffic subnet_mask local_protected_traffic subnet_mask [protocol_information]

The first ACL statement allows the management connection to be built. The second, third, and fourth statements are for the data connections. The second statement assumes that ESP traffic can reach the PIX/ASA without having to go through a PAT device. The third statement is for ESP traffic that is being encapsulated using NAT-T. New in FOS 7.0 is the ability of encapsulating ESP traffic in TCP, which statement four would allow. You can list up to ten TCP ports for IPsec over TCP, but the default is port 10,000. You'll need to list all ports you've configured the PIX/ASA to use, if any, in separate ACL statements.

The last ACL statement in the preceding syntax allows the tunneled packets to pass the ACL check. As mentioned in Chapter 17, "Router Site-to-Site Connections," routers process IPsec packets twice on the ACL (depending on the IOS version): once when they're protected and again after the router has verified the protection and decrypted them (in their clear-text form). PIX/ASA devices do the same thing. You'll need to list, probably in multiple ACL statements, the traffic that is allowed through the tunnel.

Tip
Whenever possible, be specific about the remote and local addressing information in the PIX/ASA's ACL.

One other thing to point out about the ACL configuration is that in FOS 6.3 and earlier, both AH and ESP are supported; however, in the initial release of FOS 7.0, only ESP is supported. If you are running 6.3 or earlier, and need to use AH, use protocol number 51 in the protocol field of the ACL statement. Remember that in FOS 6.3 and earlier, an ACL could be applied only inbound on an interface. In 7.0, however, you can have an ACL applied inbound or outbound on the same interface.

You'll then need to activate the ACL on the PIX/ASA's interface where the traffic will be entering:

appliance(config)# access-group ACL_name_or_# in interface logical_interface_name

Using ACL Bypassing to Allow IPsec Traffic
The second and less configuration-intensive solution (than configuring ACLs) is to use the ACL bypass feature for IPsec, which is configured with this command:

appliance(config)# sysopt connection permit-ipsec

This command performs the same function as manual configuration of the ACL statements; however, any and all IPsec traffic is allowed into the PIX/ASA.

Note
Many administrators like to use this command because it's simple to configure. I don't like it for two reasons. First, because you want only certain types of IPsec traffic to enter your security appliance, I would prefer to use an ACL to perform this function. Second, sometimes I don't have control of the remote peer and the traffic allowed to traverse the tunnel, which might not be legitimate IPsec traffic. As an example, the remote administrator and I agree on protecting traffic between two networks; however, I might need to exclude some of that traffic. In this instance, to simplify things, you might want to use the ACL bypassing option to allow the traffic into the router, but then use an ACL applied outbound on the other interfaces of the PIX/ASA to restrict where the tunneled packets can go.
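The statements above are a template; what actually has to be listed depends on the FOS version, on whether NAT-T or IPsec over TCP is in use, and on how many TCP ports were configured. The following Python helper is an added example (not code from the book or from Cisco) that builds the inbound ACL from those choices and enforces the version rules stated above: AH (protocol 51) only on 6.3 and earlier, IPsec over TCP only on 7.0 with at most ten ports and a default of 10,000, and one statement per port. The `IpsecAclSpec` type, the `OUTSIDE_IN` name and the RFC 5737 addresses are constructed for the example; `overly_broad` is a small check for the tip about specific addressing.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample values (RFC 5737 documentation addresses), not from the chapter.
REMOTE_PEER = "192.0.2.10"
LOCAL_OUTSIDE = "198.51.100.1"
HOST_MASK = "255.255.255.255"


@dataclass
class IpsecAclSpec:
    """What the appliance must admit for one IPsec peer (hypothetical helper type)."""
    acl_name: str
    peer_ip: str
    local_ip: str
    fos: Tuple[int, int]                   # (6, 3) for FOS 6.3, (7, 0) for FOS 7.0
    nat_t: bool = False                    # UDP/4500 encapsulation (FOS 6.3 and later)
    ipsec_over_tcp: bool = False           # TCP encapsulation (FOS 7.0 only)
    tcp_ports: List[int] = field(default_factory=list)   # empty means the default, 10000
    use_ah: bool = False                   # AH (protocol 51), FOS 6.3 and earlier only
    # Decrypted tunnel traffic is checked a second time:
    # (protocol, remote_net, remote_mask, local_net, local_mask)
    protected: List[Tuple[str, str, str, str, str]] = field(default_factory=list)


def build_inbound_acl(spec: IpsecAclSpec) -> List[str]:
    """Emit the inbound ACL statements, applying the version rules the chapter states."""
    prefix = f"access-list {spec.acl_name} permit"
    peer = f"{spec.peer_ip} {HOST_MASK} {spec.local_ip} {HOST_MASK}"
    lines = [f"{prefix} udp {peer} eq 500"]        # ISAKMP/IKE management connection
    lines.append(f"{prefix} esp {peer}")            # ESP that arrives without crossing a PAT device
    if spec.use_ah:
        if spec.fos >= (7, 0):
            raise ValueError("the initial FOS 7.0 release supports only ESP, not AH")
        lines.append(f"{prefix} 51 {peer}")         # AH by protocol number on 6.3 and earlier
    if spec.nat_t:
        lines.append(f"{prefix} udp {peer} eq 4500")    # NAT-T encapsulated ESP
    if spec.ipsec_over_tcp:
        if spec.fos < (7, 0):
            raise ValueError("IPsec over TCP requires FOS 7.0")
        ports = spec.tcp_ports or [10000]
        if len(ports) > 10:
            raise ValueError("at most ten TCP ports can be listed for IPsec over TCP")
        for port in ports:                          # one statement per configured port
            lines.append(f"{prefix} tcp {peer} eq {port}")
    for proto, rnet, rmask, lnet, lmask in spec.protected:
        lines.append(f"{prefix} {proto} {rnet} {rmask} {lnet} {lmask}")
    return lines


def activate_acl(acl_name: str, interface: str) -> str:
    """The access-group command that applies the ACL inbound on the entry interface."""
    return f"access-group {acl_name} in interface {interface}"


def overly_broad(lines: List[str]) -> List[str]:
    """Statements that ignore the tip to be specific about remote and local addressing."""
    return [l for l in lines if " any " in f" {l} " or "0.0.0.0 0.0.0.0" in l]


if __name__ == "__main__":
    spec = IpsecAclSpec("OUTSIDE_IN", REMOTE_PEER, LOCAL_OUTSIDE, fos=(7, 0),
                        nat_t=True, ipsec_over_tcp=True, tcp_ports=[10000, 8080],
                        protected=[("ip", "192.168.2.0", "255.255.255.0",
                                    "192.168.1.0", "255.255.255.0")])
    for line in build_inbound_acl(spec) + [activate_acl("OUTSIDE_IN", "outside")]:
        print(line)
```

Running it for the 7.0 case with NAT-T and two IPsec-over-TCP ports yields six access-list lines plus the access-group line; the same spec with `use_ah=True` is rejected on 7.0 and accepted on 6.3.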

Transmitting IPsec Traffic Between Multiple Interfaces with the Same Security Level
In FOS 6.x and earlier, one restriction the PIX had was that if traffic entered an interface, it could not exit an interface with the same security level; in other words, traffic could not traverse interfaces of the same security level. This, however, prevented you from setting up a PIX as a hub device in a hub-and-spoke design, or when split tunneling was disabled for remote access sessions. As an example, for remote access sessions, traffic would have to enter the outside interface of the PIX and then would have to exit the same interface (entering and leaving interfaces with the same security level). The PIX would not allow this process to occur. This, however, required you to enable split tunneling to allow a user to access both the corporate site and the Internet.

In 7.0, the PIX/ASA allows you to enable this process by configuring the following command:

appliance(config)# same-security-traffic permit {intra-interface | inter-interface}

The intra-interface parameter allows traffic to enter and leave the same interface, while the inter-interface parameter allows traffic to enter and leave two different interfaces with the same security level. With VPNs, for most purposes, the first parameter is the one used: for hub devices in L2L sessions, and as an Easy VPN Server or VPN gateway for remote access sessions where split tunneling is disabled.

Setting Up ISAKMP
ISAKMP/IKE typically is used to build IPsec sessions. However, you can do this manually, but then you would have to make the following concessions:

- You cannot use certificates for device authentication
- Anti-replay services are not used
- The encryption and hashing keys must be configured manually
- The IPsec SAs will never time out
- All SA configurations must be configured manually in all crypto map entries on all peers

Because of these concessions, most administrators opt to use ISAKMP/IKE to build and maintain IPsec sessions. First, you must enable ISAKMP/IKE on your PIX/ASA with the following command:

appliance(config)# crypto isakmp enable logical_interface_name

For each interface that will have IPsec sessions terminated on it, you'll need to repeat the command with the correct logical interface name. This is all that is necessary to enable ISAKMP/IKE. However, there are other options you can configure, as the next few sections will explain.

Address Translation Issues
As mentioned in Chapter 3, "IPsec," ESP packets typically cannot be forwarded through an address translation device performing PAT. Of the three approaches I discussed in Chapter 3, the PIX/ASA support two solutions: NAT-T and IPsec over TCP. NAT-T was added in FOS 6.3, using a detection method to discover if UDP encapsulation is necessary. IPsec over TCP support was added in FOS 7.0. In many instances, an IPsec device can encapsulate the ESP packet either in a UDP or TCP segment. However, some ISP firewalls will block UDP port 4,500 and TCP port 10,000, which could cause connectivity issues. You can get around this by specifying a TCP port that you don't use, but that the ISP will allow through, such as 8080 (some ISPs do this to residential customers, wanting more money for what they refer to as a "business-class" service).

Note
IPsec over TCP will not work with proxy-based firewalls.

By default NAT-T is disabled, but can be enabled with this command:

appliance(config)# isakmp nat-traversal [keepalive_seconds]

By default, a keepalive is generated every 20 seconds to ensure that the associated address translation entry stays in the translation table of the address translation device the packets will be traversing. You can change this by specifying a value from 10 to 3,600 seconds. You'll probably want to set this to a small value, like 10 to 20 seconds, to ensure that an idle data connection isn't timed out of any address translation device's translation table inadvertently.

To enable IPsec over TCP, use the following command:

appliance(config)# isakmp ipsec-over-tcp [port port1...port10]

If you don't specify a port number for the connection, it defaults to port 10,000. In FOS 7.0, you can specify a different port number and up to a total of 10 ports. This feature typically is used when the protected traffic has to move through a stateful firewall, and the firewall doesn't support UDP (which NAT-T uses). Also, if you've enabled both NAT-T and IPsec over TCP, IPsec over TCP takes precedence over NAT-T.

Disconnect Notifications
By default, if you reset a PIX/ASA's interface, reboot the PIX/ASA, or clear the IPsec sessions, the PIX/ASA will not notify the remote IPsec peer(s) that the SA(s) are no longer available. In FOS 7.0, Cisco added the disconnect notification feature, which has the local PIX/ASA send an ISAKMP disconnect message to all IPsec peers connected to it. To enable this feature, use the following command:

appliance(config)# isakmp disconnect-notify

Using this command definitely is useful when you have two PIX/ASA devices at a site and the remote peers know about both devices. In this situation, when the PIX/ASA must drop an SA(s) associated with an IPsec interface, it will notify the remote peers, which then can proceed to rebuild their sessions to the other PIX/ASA device at the same site.

Main Mode Restriction
The PIX/ASA support both main and aggressive modes in setting up the management connection, where main mode is the default. Aggressive mode is faster in setting up the connection; however, it transmits the identity information of the two peers in clear text, making it less secure. If you always want the PIX to use main mode, you can disable aggressive mode with the following command:

appliance(config)# isakmp am-disable

Please note that this command was introduced in FOS 7.0.

Configuring Management Connection Policies
Once you've taken care of the ISAKMP preliminary configurations, you're ready to define your ISAKMP policies. ISAKMP policies define how the management connection is to be protected and built. Configuring Phase 1 policies on a PIX/ASA is similar to doing them on a router, where each policy is given a unique number, except that all of the policy configuration components of a policy are done from global configuration mode (on Cisco routers, you would use the crypto isakmp policy command and define the policies in a subcommand mode):

appliance(config)# isakmp policy priority encryption {aes | aes-192 | aes-256 | des | 3des}
appliance(config)# isakmp policy priority hash {md5 | sha}
appliance(config)# isakmp policy priority authentication {pre-share | rsa-sig | dsa-sig}
appliance(config)# isakmp policy priority group {1 | 2 | 5 | 7}
appliance(config)# isakmp policy priority lifetime seconds

The number denotes the priority of the policy, with lower numbers having higher priorities. When peers exchange policies, they process them based on the order in which they're sent (for example, lower-numbered ones are sent first). If you don't configure any policies, there is a default policy that the PIX, in FOS 6.3, will use: DES, SHA, RSA-SIG, DH group 1, and a lifetime of 86,400 seconds. However, once you configure a policy, the default never is used. In FOS 7.0 there is no default ISAKMP policy. For a specific policy, if you want to use a default value for a parameter, it is not necessary to configure it. For example, to use SHA-1 for a hash function, you don't need to configure this manually for a policy; this is the default value for every policy.

Plus, unlike Cisco routers, RSA encrypted nonces are not supported for device authentication. In FOS 7.0, DSA certificates are now supported. To perform AES encryption, you need FOS 6.3, and to perform it in hardware, you need the VAC+ card. To use DH group 5 keys, you need FOS 6.3 or later, and for group 7 keys (PDA devices) you need FOS 7.0. For the management connection lifetime, you can specify a value from 120 to 2,147,483,647 seconds.

Note
You can create up to 20 ISAKMP policies on your PIX/ASA; different policies are required if you have different peers with different capabilities, and you want to take advantage of the strongest security measures whenever the remote peer supports them.

To view your configured ISAKMP policies in 6.3, use the show isakmp policy command. The output of this command is very similar to the IOS router's show crypto isakmp policy command, discussed in Chapter 16, "Router ISAKMP/IKE Phase 1 Connectivity." In 7.0, use the show running-config isakmp command.
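To make the policy rules above concrete, here is an added Python example (not code from the book or from Cisco) that models a PIX/ASA ISAKMP policy set: it renders the five global-configuration commands for each policy, checks a policy against the FOS version gates named above (AES and DH group 5 from 6.3, DSA certificates and DH group 7 from 7.0, no RSA encrypted nonces, lifetime 120 to 2,147,483,647 seconds, at most 20 policies), falls back to the 6.3 built-in policy only when nothing is configured, and simulates the priority-ordered exchange between two peers. The `IsakmpPolicy` type and the policy values are constructed for the example; the 65535 priority used for the built-in policy is a placeholder number, and treating a match as equal encryption, hash, authentication and DH group (lifetime not compared) is an assumption, since the chapter does not spell out lifetime handling.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

FOS_63 = (6, 3)
FOS_70 = (7, 0)
MAX_POLICIES = 20

# Built-in policy a 6.3 PIX uses when no policy is configured (7.0 has no default).
FOS63_DEFAULT = dict(encryption="des", hash="sha", authentication="rsa-sig", group=1, lifetime=86400)


@dataclass(frozen=True)
class IsakmpPolicy:
    """One Phase 1 policy (hypothetical helper type); lower priority number wins."""
    priority: int
    encryption: str = "des"
    hash: str = "sha"                  # SHA-1 is the default for every policy
    authentication: str = "pre-share"
    group: int = 1
    lifetime: int = 86400


def validate_policy(p: IsakmpPolicy, fos: Tuple[int, int]) -> List[str]:
    """Reasons this policy cannot be used on the given FOS version (empty list = OK)."""
    errors = []
    if p.encryption not in ("aes", "aes-192", "aes-256", "des", "3des"):
        errors.append(f"unknown encryption {p.encryption}")
    elif p.encryption.startswith("aes") and fos < FOS_63:
        errors.append("AES requires FOS 6.3 or later")
    if p.hash not in ("md5", "sha"):
        errors.append(f"unknown hash {p.hash}")
    if p.authentication not in ("pre-share", "rsa-sig", "dsa-sig"):
        errors.append(f"unsupported authentication {p.authentication}")   # no RSA encrypted nonces
    elif p.authentication == "dsa-sig" and fos < FOS_70:
        errors.append("DSA certificates require FOS 7.0")
    if p.group not in (1, 2, 5, 7):
        errors.append(f"unsupported DH group {p.group}")
    elif p.group == 5 and fos < FOS_63:
        errors.append("DH group 5 requires FOS 6.3 or later")
    elif p.group == 7 and fos < FOS_70:
        errors.append("DH group 7 requires FOS 7.0")
    if not 120 <= p.lifetime <= 2_147_483_647:
        errors.append("lifetime must be between 120 and 2,147,483,647 seconds")
    return errors


def render_policy(p: IsakmpPolicy) -> List[str]:
    """Global-configuration commands for one policy, as on the PIX/ASA (no subcommand mode)."""
    n = p.priority
    return [
        f"isakmp policy {n} encryption {p.encryption}",
        f"isakmp policy {n} hash {p.hash}",
        f"isakmp policy {n} authentication {p.authentication}",
        f"isakmp policy {n} group {p.group}",
        f"isakmp policy {n} lifetime {p.lifetime}",
    ]


def offered_policies(configured: List[IsakmpPolicy], fos: Tuple[int, int]) -> List[IsakmpPolicy]:
    """Policies sent to a peer, lowest number first; the 6.3 default applies only when none are configured."""
    if len(configured) > MAX_POLICIES:
        raise ValueError("at most 20 ISAKMP policies can be configured")
    if configured:
        return sorted(configured, key=lambda p: p.priority)
    if fos < FOS_70:
        return [IsakmpPolicy(priority=65535, **FOS63_DEFAULT)]  # 65535: placeholder number for the built-in policy
    return []


def negotiate(initiator: List[IsakmpPolicy], init_fos: Tuple[int, int],
              responder: List[IsakmpPolicy], resp_fos: Tuple[int, int]
              ) -> Optional[Tuple[IsakmpPolicy, IsakmpPolicy]]:
    """First initiator proposal, in send order, for which the responder holds a matching policy.
    Assumption: match = same encryption, hash, authentication and DH group (lifetime not compared)."""
    def key(p: IsakmpPolicy):
        return (p.encryption, p.hash, p.authentication, p.group)
    for proposal in offered_policies(initiator, init_fos):
        for candidate in offered_policies(responder, resp_fos):
            if key(proposal) == key(candidate):
                return proposal, candidate
    return None


if __name__ == "__main__":
    # Constructed scenario: a 7.0 initiator prefers AES but the responder only knows 3DES.
    init = [IsakmpPolicy(10, "aes", "sha", "pre-share", 2), IsakmpPolicy(20, "3des", "sha", "pre-share", 2)]
    resp = [IsakmpPolicy(5, "3des", "sha", "pre-share", 2)]
    for p in init:
        print("\n".join(render_policy(p)))
    print("agreed:", negotiate(init, FOS_70, resp, FOS_70))
```

In the constructed scenario the initiator's policy 10 (AES) is offered first and rejected, and policy 20 (3DES) is agreed against the responder's policy 5; against a 7.0 responder with no policies at all, nothing is agreed, whereas a 6.3 responder with no policies still answers with its DES/SHA/RSA-SIG/group 1 default.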

Configuring Device Authentication
The PIX/ASA devices support two types of device authentication:

- Pre-shared keys: symmetric
- Certificates: RSA and DSA (DSA is new in FOS 7.0)

The next section will discuss identity types used for device authentication, and the following two sections will discuss the configuration of the authentication methods in the preceding list.

Device Identity Type
During the ISAKMP/IKE negotiations, the IPsec peers identify themselves to each other. To configure which identity type should be used, use the following command: appliance(config)# isakmp identity {address | hostname | key-id ID_string | auto}

The address parameter specifies that the IP address of the PIX/ASA should be used for the identity; the hostname parameter specifies that the FQDN (hostname plus domain name) should be used; and the key-id parameter specifies that the configured ID value should be used. The auto parameter is new in 7.0. It specifies that the IP address should be used if pre-shared keys are used for device authentication; otherwise, the DN (distinguished name) fields in the certificate should be used. In 6.3, the identity type defaults to address, whereas in 7.0, it defaults to auto.

Note
The identity type must match on the two peers for authentication to proceed. And because the isakmp identity command is a global configuration command, all devices connected to your PIX/ASA also must use the same identity type.

Pre-Shared Key Authentication

The most common method of setting up device authentication on a PIX/ASA, at least with a small number of IPsec devices, is to use pre-shared keys. For 6.3 L2L sessions, configuring pre-shared keys is done with the following command:

appliance(config)# isakmp key keystring address peer_IP_address [netmask subnet_mask] [no-xauth] [no-config-mode]

The pre-shared key can be an alphanumeric key up to 128 characters in length. You can wildcard the peer's address with a subnet mask, allowing multiple peers to share the same key, but Cisco doesn't recommend this practice unless the peers are acquiring their addressing information dynamically. The no-xauth and no-config-mode parameters were added in FOS 6.3. The no-xauth parameter specifies that user authentication should not be performed when this key is used (L2L connections) and the no-config-mode parameter specifies that IKE Mode Config should not be performed (non-Cisco remote access clients). For 7.0 L2L sessions, each L2L peer is associated with a tunnel group and the pre-shared key is configured in a subcommand mode:

appliance(config)# tunnel-group peer_IP_address type ipsec-l2l
appliance(config)# tunnel-group peer_IP_address ipsec-attributes
appliance(config-ipsec)# pre-shared-key key_value

I'll save a more in-depth discussion of tunnel groups for the next chapter, "PIX and ASA Remote Access Connections," where it is more appropriate.

Certificate Authentication (CA)
Your second choice for device authentication is certificates. Cisco supports the following CA products on their PIX/ASA devices:

- Verisign
- Entrust
- Baltimore Technologies
- Microsoft Windows 2000/2003 Certificate Services (only a central design)
- Cisco IOS CS (7.0)
- Netscape (7.0)
- RSA (7.0)

The configuration of the PIX/ASA to obtain and use certificates is not very similar in 6.3 versus 7.0. In 7.0, the configuration is by and large the same that is performed on a Cisco IOS router. In both cases, though, you'll need to perform the following steps:

Step 1. Define a name and a domain name.
Step 2. Generate a public/private key pair.
Step 3. Specify a trustpoint.
Step 4. Obtain the root certificate.
Step 5. Create the PIX/ASA's PKCS #10 information and obtain an identity certificate.
Step 6. Verify and save your certificates and configuration information.

The following sections will discuss how to obtain, verify, and save certificate information if you are using a PIX running FOS 6.3 or earlier or a PIX/ASA running FOS 7.0 or later.

CA Configuration for 6.3
FOS 6.3 and earlier only supports SCEP to obtain certificates. The following commands outline what you need to do to obtain certificates for your 6.3 and earlier PIX:

pix(config)# hostname name
pix(config)# domain-name domain_name
pix(config)# ca generate rsa key {512 | 768 | 1024 | 2048}
pix(config)# show ca mypubkey rsa
pix(config)# ca identity CA_name [CA_ipaddress | hostname [:ca_script_location] [ldap_ip address | hostname]]
pix(config)# show ca identity
pix(config)# ca configure CA_name {ca | ra} retry_period retry_count [crloptional]
pix(config)# show ca configure
pix(config)# ca authenticate CA_name [fingerprint]
pix(config)# ca subject-name CA_name X.500_string
pix(config)# ca enroll CA_name challenge_password [serial] [ipaddress]
pix(config)# show ca certificate
pix(config)# ca crl request
pix(config)# show ca crl
pix(config)# ca save all
pix(config)# write memory

The hostname and domain-name commands are necessary to generate an RSA public/private key pair. The ca generate rsa key command generates the public/private keys that will be used to sign and authenticate the PKCS #10 information sent to the CA via SCEP. The show ca mypubkey rsa command displays the PIX's public keys that have been configured. The ca identity command specifies how the PIX should interact with the CA; you need to specify at least a name for the CA (typically a FQDN). If the name is not the same as the FQDN of the CA, you either need to specify one that is, or the IP address of the CA. In many instances, the CA product will require you to use a specific name for the CA. Also, you typically need to specify the script location that contains the SCEP software on the CA. The default location is "/cgi-bin/pkiclient.exe," which will not work with most CA products. For example, a Microsoft CA would require that you specify "/certsrv/mscep/mscep.dll."

You can specify an LDAP IP address or hostname if the CA is publishing its CRL to an LDAP server. The show ca identity command displays the configuration of the ca identity command.

The ca configure command, which is optional, allows you to specify parameters that affect the interaction with the CA or RA. The retry period specifies the amount of seconds that need to expire before recontacting a CA to obtain certificate information, the retry count specifies the maximum number of times to retry obtaining certificate information (this defaults to 0, meaning an infinite number of times), and crloptional indicates that using a CRL to validate a certificate is optional. The show ca configure command displays the configuration of the ca configure command.

The ca authenticate command downloads the root certificate from the CA. If you don't know the fingerprint (signature) of the CA, you'll be prompted to verify this before accepting the root certificate; otherwise, if you've already obtained this from the CA, you can configure this command and have the PIX verify the root's signature automatically.

The ca subject-name command, which is optional, allows you to specify the X.500 information that should appear on the PIX's identity certificate, such as the OU (department), O (company), ST (state), C (country), and EA (e-mail address). Here's an example of the format of an X.500 string: "OU=mydept, O=dealgroup, ST=FL, C=USA, EA=rdeal2@cfl.rr.com," without the quotes. This command is new in FOS 6.3.

The ca enroll command obtains an identity certificate for the PIX via SCEP. The challenge password you enter is required. You should remember this because the CA administrator will require it if you need to revoke your certificate; also, this password can be used to automate the identity certificate enrollment process. You can optionally put the PIX's serial number or IP address on the identity certificate.

Once you have obtained the root and identity certificates, you can view them with the show ca certificate command. By default, the PIX will download the CRL periodically; however, if you suspect that your PIX doesn't have the most recent CRL, you can download it with the ca crl request command. You can view the CRL with the show ca crl command.

Upon completion, you need to save your configuration and certificate information. The ca save all command saves the public/private keys and certificate information to Flash memory. The write memory command saves the configuration commands necessary to interoperate with the CA, like ca identity and ca configure.

Example 21-1 illustrates how to prepare your PIX for certificates using FOS 6.3.

Example 21-1. Using FOS 6.3 to Obtain Certificates

pixfirewall(config)# hostname pix63
pix63(config)# domain-name thedealgroup.com
pix63(config)# ca generate rsa key 512
Keypair generation process begin.
Success.
pix63(config)# ca identity caserver 192.1.1.77:/certsrv/mscep/mscep.dll
pix63(config)# ca authenticate caserver
Certificate has the following attributes:
Fingerprint: ce9956aa c02d15df a2309a9c e059bd47
pix63(config)# ca subject-name caserver OU=mydept, O=dealgroup, ST=FL, C=USA
pix63(config)# ca enroll caserver itsasecret
% Start certificate enrollment ...
% The subject name in the certificate will be: pix63.thedealgroup.com
% Certificate request sent to Certificate Authority
% The certificate request fingerprint will be displayed.
Fingerprint: 33c1af83 7c8a2665 2c74e153 8cbd1a96
The certificate has been granted by CA!
pix63(config)# ca save all
pix63(config)# write memory

If you no longer want to use certificates, or need to change the modulus of your public/private keys and create new certificates, first you'll need to delete the old certificate and then the associated RSA public/private keys. To remove certificates and keys, use the following commands in the specified order:

pix(config)# clear ca identity CA_name
pix(config)# ca zeroize rsa

Note
Because certificates have a beginning and ending validation date, it is important that your PIX/ASA device has the correct time on it. This can be set manually with the clock set configuration command, but it is preferred to set it using NTP. The configuration of NTP on the PIX/ASA is beyond the scope of this book.

CA Configuration for 7.0
FOS 7.0 for the PIX and ASA supports both manual and SCEP enrollment. The configuration process is very similar to that of an IOS router, and doesn't look anything like what I described in the previous section for a PIX running FOS 6.3 or earlier. Because it is so similar to a Cisco router, I'll illustrate only two examples of the enrollment process: SCEP and manual (with cut-and-paste). You can refer to Chapter 16, "Router ISAKMP/IKE Phase 1 Connectivity," for a more detailed explanation of the commands.

Note
The commands used to configure a trustpoint and obtain certificates in FOS 6.3 also work with 7.0, but Cisco is moving toward a more IOS-style command convention in 7.0 and eventually will phase out the 6.3 ca commands.

Example 21-2 illustrates how to obtain the root and identity certificates via SCEP on a PIX/ASA running FOS 7.0. As you can see from the example, this is almost the same as doing it on a router. When generating a public/private key pair, you can specify either rsa or dsa, depending on your CA and its use of keys. Also, unlike on a router, if you don't specify the modulus in the command, it defaults to 512 (an IOS router will prompt you for the modulus). In this example, I created the key pair with a label, which I'll reference in the trustpoint configuration. I prefer to do this so that I can have different key pairs for different certificates. The trustpoint configuration is very similar to a router's, using the crypto ca trustpoint command. Obtaining the root and identity certificates is mostly the same as a router with the crypto ca authenticate and crypto ca enroll commands. To view your certificates, use the show crypto ca certificate command. And as with a router, to save the certificate, keys, and configuration information, use the write memory or the copy running-config startup-config command; however, the ca save all command is no longer supported in FOS 7.0. Also, to remove certificates and CA interoperability, use the no crypto ca trustpoint command, just like with IOS routers. If needed, you can use the crypto key zeroize {rsa | dsa} command to remove a specific RSA/DSA key label or all RSA/DSA keys.

Example 21-2. Using 7.0 on a PIX/ASA to Obtain Certificates via SCEP

appliance(config)# hostname pix70
pix70(config)# domain-name thedealgroup.com
pix70(config)# crypto key generate rsa label certkeys modulus 512
INFO: The name for the keys will be: certkeys
Keypair generation process begin. Please wait...
pix70(config)# show crypto key mypubkey rsa
output omitted
pix70(config)# crypto ca trustpoint caserver
pix70(config-ca-trustpoint)# enrollment url http://192.1.1.77/certsrv/mscep/mscep.dll
pix70(config-ca-trustpoint)# crl optional
pix70(config-ca-trustpoint)# enrollment retry period 1
pix70(config-ca-trustpoint)# enrollment retry count 10
pix70(config-ca-trustpoint)# subject-name CN=pix70.thedealgroup.com
pix70(config-ca-trustpoint)# keypair certkeys
pix70(config-ca-trustpoint)# exit
pix70(config)# crypto ca authenticate caserver
INFO: Certificate has the following attributes:
Fingerprint: ce9956aa c02d15df a2309a9c e059bd47
Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
pix70(config)# crypto ca enroll caserver
% Start certificate enrollment ...
% Create a challenge password. You will need to verbally provide this
  password to the CA Administrator in order to revoke your certificate.
  For security reasons your password will not be saved in the configuration.
  Please make a note of it.
Password: itsasecret
Re-enter password: itsasecret
% The subject name in the certificate will be: CN=pix70.thedealgroup.com
% The fully-qualified domain name in the certificate will be: pix70.thedealgroup.com
% Include the device serial number in the subject name? [yes/no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
The certificate has been granted by CA!
pix70(config)# show crypto ca certificate
output omitted
pix70(config)# write memory

Note
You don't have to use a label for the RSA key pair. If you generate keys without a label, you don't need the keypair command in the trustpoint configuration.

Here is an explanation of the trustpoint configuration commands:

- enrollment {terminal | url URL}: Specifies the enrollment mode (manual or SCEP).
- accept-subordinates: Specifies whether the appliance will accept certificates from subordinate CAs during ISAKMP/IKE Phase 1, when the subordinate CA certificates are not installed on the appliance (by default, yes).
- crl {required | optional | nocheck}: Specifies whether or not CRLs are used.
- email email_address: Specifies the e-mail address to use for the enrollment certificate.
- fqdn FQDN_of_appliance: Specifies the fully qualified domain name to use for the enrollment certificate instead of the values from the hostname and domain-name commands.
- id-cert-issuer: Specifies whether the appliance will accept peer certificates issued by the CA associated with the configured trustpoint (by default, yes).
- ip-address IP_address: Specifies the IP address to use during the enrollment process.
- keypair key_label_name: Specifies the RSA/DSA key pair to use during the certificate enrollment process.
- password passphrase: Specifies the challenge password to use during SCEP registration or, once a certificate is obtained, to revoke it.
- serial-number: Specifies that the serial number of the appliance should be used during the enrollment process.
- subject-name X.500_values: Specifies the X.500 values, such as CN, OU, O, and others, to use for the enrollment certificate.
- support-user-cert-validation: Specifies whether the appliance will validate remote peer certificates with the currently configured CA (by default, yes).

Example 21-3 illustrates how to use the manual approach: generating the PKCS #10 information on your PIX/ASA and then importing the certificates the CA sends you. Up until the crypto ca trustpoint command, the configuration is the same as in Example 21-2. In the trustpoint configuration, the only main difference is the enrollment command, which specifies that the terminal (terminal parameter) will be used instead of SCEP (url parameter). Using the crypto ca authenticate command allows you to cut and paste the root certificate into your PIX/ASA. In Example 21-3, I already had the root certificate, so I went and imported it here; however, you don't have to import the root certificate first, but can go ahead and start the enrollment process by generating your PIX/ASA's PKCS #10 information (crypto ca enroll command). After cutting and pasting the root certificate into the terminal session to your PIX/ASA, on a blank line type in the quit command and then press the <ENTER> key to import the root certificate. The crypto ca enroll command creates your PKCS #10 information, which you need to send to the CA. The CA administrator will use this to create the PIX/ASA's X.509 identity certificate and send this back to you. The crypto ca import command allows you to import the identity certificate from the terminal (using cut-and-paste). The show crypto ca certificate command displays the certificates on the PIX/ASA. Last, I saved the PIX/ASA's configuration, keying, and certificate information.

Example 21-3. Using 7.0 on a PIX/ASA to Obtain Certificates via Cut-and-Paste

pixfirewall(config)# hostname pix70
pix70(config)# domain-name thedealgroup.com
pix70(config)# crypto key generate rsa label certkeys modulus 512
INFO: The name for the keys will be: certkeys
Keypair generation process begin. Please wait...
pix70(config)# crypto ca trustpoint caserver
pix70(config-ca-trustpoint)# enrollment terminal
pix70(config-ca-trustpoint)# crl optional
pix70(config-ca-trustpoint)# subject-name CN=pix70.thedealgroup.com
pix70(config-ca-trustpoint)# keypair certkeys
pix70(config-ca-trustpoint)# exit
pix70(config)# crypto ca authenticate caserver
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
MIIChTCCAe6gAwIBAgIQbr1TulXC0phB4KDUjkDPljANBgkqhkiG9w0BAQUFADAg
output omitted
BX3p1Wxz+tSEQwrChIzbHcFAUP1Gq0dpBQ==
-----END CERTIFICATE-----
quit
INFO: Certificate has the following attributes:
Fingerprint: ce9956aa c02d15df a2309a9c e059bd47
Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
pix70(config)# crypto ca enroll caserver
% Start certificate enrollment ...
% The subject name in the certificate will be: CN=pix70.thedealgroup.com
% The fully-qualified domain name in the certificate will be: pix70.thedealgroup.com
% Include the device serial number in the subject name? [yes/no]: no
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
MIIBQzCB7gIBADBIMR8wHQYDVQQDExZwaXg3MC50aGVkZWFsZ3JvdXAuY29tMSUw
IwYJKoZIhvcNAQkCFhZwaXg3MC50aGVkZWFsZ3JvdXAuY29tMFwwDQYJKoZIhvcN
AQEBBQADSwAwSAJBALKJho6w+fJtIG8Vok6lGaoGqwWPvsg0/p0TALlVzCPwkYBy
2vVN9m8T5XI4PQTvoAUv6cUtvvkGi/dxyspVm60CAwEAAaBBMD8GCSqGSIb3DQEJ
DjEyMDAwCwYDVR0PBAQDAgWgMCEGA1UdEQQaMBiCFnBpeDcwLnRoZWRlYWxncm91
cC5jb20wDQYJKoZIhvcNAQEEBQADQQCvTroxRLG3C2NU3gv/deUggTDnSj2IFz4q
NhlWinSioX1D05q66YXjueKz+iNSSeNoKtvU9vUo0eNY4xovjtS+
---End - This line not part of the certificate request---
Redisplay enrollment request? [yes/no]: no
pix70(config)# crypto ca import caserver certificate
% The fully-qualified domain name in the certificate will be: pix70.thedealgroup.com
Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
MIIDRTCCAq6gAwIBAgIKYQoE8AABAAAAIzANBgkqhkiG9w0BAQUFADAgMQswCQYD
output omitted
U9wt0p0NCoZhb6iAPTW37APBnUiihTiUTw==
-----END CERTIFICATE-----
quit
INFO: Certificate successfully imported
pix70(config)# show crypto ca certificate
output omitted
pix70(config)# copy running-config startup-config

Note
You can back up your identity certificate and keys with the crypto ca export command, which backs up the information in a PKCS #12 format. The information is password-protected and displayed on the terminal. You can then cut and paste this information into a file in a safe place. This can then be re-imported on the PIX/ASA later if you need to recover your PIX/ASA's certificate information.

Certificate Validation
In FOS 6.3 and later, you can specify which components have to be on a peer's certificate before the PIX/ASA will validate it. With certificate verification, you can specify the distinguished name (DN) value the certificate must contain (the various fields and their values on the peer's identity certificate), similar to what the concentrators could do for quite some time. This feature adds an additional layer of security for preventing a man-in-the-middle attack. Normally this command is used with a public CA, where other companies also are using the same CA, but you want to restrict the PIX/ASA to accepting certificates only from devices within your organization or a trusted third-party company. The fields and values that you require are defined with the following command in FOS 6.3:

appliance(config)# ca verifycertdn X.500_string

In FOS 7.0, this command is preceded by "crypto": crypto ca verifycertdn. If you wanted to accept only certificates that had a CN that contained "corp," an OU that is "engineering," an O that is "dealgroup," an ST that is "FL," and a C that is "US," you would use this command in 7.0:

appliance(config)# crypto ca verifycertdn cn*corp, ou=engineering, o=dealgroup, st=FL, c=US

The "*" between the field name and a parameter states that the field should contain the following value. For "*corp," this string could be included in words such as "incorporate," "engcorp," and "corporate," where all three values contain "corp."

Note
Please note that you can enter the [crypto] ca verifycertdn command only once, which must encompass all certificates that your PIX/ASA will accept. Also, apparently this feature isn't quite working in the initial release of FOS 7.0. I found that in the initial release of 7.0 it looks like it takes the command, but when you execute the show running-config command, it doesn't appear in the output! On top of that, in 7.0, when you execute the ca verifycertdn command, you get a warning to use the crypto ca verifycertdn command, which contradicts Cisco documentation; however, no matter what you enter for the ca verifycertdn command, in 7.0, it gives the warning. Based on this, this command doesn't exist!

7.0 and CRL Configuration Options
In FOS 7.0, Cisco added enhancements to the use of CRLs. By default, a PIX/ASA will locate the CRL by using the URL on the CA's (root) certificate. However, this can present a problem if you're concerned about redundancy where you have a CA and multiple RAs, and the CA fails; no device will be able to obtain the CRL. Of course, using the CA to download a CRL puts an additional processing burden on the CA. You can place the CRL in other locations, most commonly in an LDAP directory structure, but by default, the PIX/ASA doesn't know about the additional location. In 7.0, you have the flexibility to define when a CRL is used and where the CRL should be obtained. On the PIX/ASA, here is the basic configuration to perform this task:

appliance(config)# crypto ca trustpoint CA_name
appliance(config-ca-trustpoint)# crl configure
appliance(config-ca-crl)# default
appliance(config-ca-crl)# policy {cdp | static | both}
appliance(config-ca-crl)# url {1-5} URL
appliance(config-ca-crl)# protocol {http | ldap | scep}
appliance(config-ca-crl)# ldap-defaults server_name_or_IP_address [port_#]
appliance(config-ca-crl)# ldap-dn admin_X.500_DN password
appliance(config-ca-crl)# cache-time minutes
appliance(config-ca-crl)# [no] enforcenextupdate
appliance(config-ca-crl)# exit
appliance(config-ca-trustpoint)# exit
appliance(config)# crypto ca crl request CA_name
appliance(config)# show crypto ca crls

The crypto ca trustpoint command takes you into the trustpoint subcommand mode. The crl configure command then takes you into the CRL subcommand mode. The default command resets the CRL configuration on the appliance back to the defaults. The policy command specifies where the PIX/ASA should obtain its CRL:

- cdp: From the CRL distribution point (CDP) on the CA's certificate, which is the default.
- static: From URLs you define statically.
- both: From the CDP, if it's reachable; otherwise the static definitions.

For static URL definitions, use the url command to define CRL locations, where each location must have a number associated with it (1 to 5). You can specify up to 5 CRL locations using a URL syntax. The number is used by the PIX/ASA to prioritize the entries, with 1 being the highest. In the preceding code, the protocol command specifies the protocol to use to retrieve the CRL. For LDAP interactions, the ldap-defaults command specifies the name or IP address of the LDAP server and optionally the port number to use. Likewise, if the LDAP server requires authentication, the ldap-dn command specifies the X.500 DN settings and password to use. The DN information is in this type of format: "CN=value, OU=value, O=value." The cache-time command specifies, in minutes, how long a CRL is to be cached locally before the PIX/ASA downloads a new one. The default is 60 minutes, but the value can range from 1 to 1,440 minutes. In 7.0, if the "NextUpdate" field in the CRL is not specified, the PIX/ASA never will cache the CRL, but always will obtain it when needed. You can require this field in the CRL with the enforcenextupdate command. Using the no parameter with this command disables this requirement.
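To see how the "*" and "=" operators in the [crypto] ca verifycertdn string from the Certificate Validation section above decide whether a peer's identity certificate is accepted, here is an added Python model of that rule (not Cisco's code or the book's). It assumes attribute names and values compare case-insensitively, that a field named in the rule must be present in the peer's DN, and that DN values contain no commas; none of that is stated on the page.

```python
"""Model of the [crypto] ca verifycertdn matching rule: '=' requires the field
to equal the value, '*' requires the field to contain the value, and every
clause of the single rule must hold for the peer's certificate to be accepted.

Added example, not Cisco or book code.  Assumptions not stated on the page:
attribute names and values compare case-insensitively, a field named in the
rule must be present in the subject DN, and DN values contain no commas.
"""
import re
from typing import Dict, List, Tuple

Clause = Tuple[str, str, str]      # (attribute, operator, value)


def parse_verifycertdn(rule: str) -> List[Clause]:
    """Parse 'cn*corp, ou=engineering, o=dealgroup, st=FL, c=US' into clauses."""
    clauses: List[Clause] = []
    for part in rule.split(","):
        part = part.strip()
        if not part:
            continue
        m = re.fullmatch(r"([A-Za-z]+)\s*([=*])\s*(.+)", part)
        if m is None:
            raise ValueError(f"malformed verifycertdn clause: {part!r}")
        attr, op, value = m.groups()
        clauses.append((attr.upper(), op, value.strip()))
    return clauses


def parse_subject_dn(dn: str) -> Dict[str, str]:
    """Parse a subject DN written as 'CN=value, OU=value, O=value'."""
    fields: Dict[str, str] = {}
    for part in dn.split(","):
        if "=" not in part:
            raise ValueError(f"malformed DN component: {part!r}")
        attr, value = part.split("=", 1)
        fields[attr.strip().upper()] = value.strip()
    return fields


def failing_clauses(rule: str, subject_dn: str) -> List[Clause]:
    """Return the clauses of the rule that the peer's subject DN does not satisfy."""
    fields = parse_subject_dn(subject_dn)
    failed: List[Clause] = []
    for attr, op, wanted in parse_verifycertdn(rule):
        present = fields.get(attr)
        if present is None:                                        # field absent
            failed.append((attr, op, wanted))
        elif op == "=" and present.lower() != wanted.lower():      # exact value
            failed.append((attr, op, wanted))
        elif op == "*" and wanted.lower() not in present.lower():  # contains value
            failed.append((attr, op, wanted))
    return failed


def certificate_accepted(rule: str, subject_dn: str) -> bool:
    """True when every clause of the verifycertdn rule is satisfied."""
    return not failing_clauses(rule, subject_dn)


if __name__ == "__main__":
    RULE = "cn*corp, ou=engineering, o=dealgroup, st=FL, c=US"
    # Constructed peer subject DNs; the first three CNs all contain "corp".
    for dn in (
        "CN=incorporate-gw, OU=engineering, O=dealgroup, ST=FL, C=US",
        "CN=engcorp-pix, OU=engineering, O=dealgroup, ST=FL, C=US",
        "CN=corporate-vpn, OU=sales, O=dealgroup, ST=FL, C=US",
        "CN=pix70, OU=engineering, O=dealgroup, ST=FL, C=US",
    ):
        verdict = "accepted" if certificate_accepted(RULE, dn) else "rejected"
        print(verdict, dn, failing_clauses(RULE, dn))
```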


ISAKMP/IKE Phase 2 Data Connections
This part of the chapter will discuss the components you need to configure for the Phase 2 data connections in an IPsec L2L session for your PIX/ASA security appliance. This includes specifying what traffic to protect and how it should be protected. If you've configured L2L sessions on routers, the process and commands described here will be nothing new to you.

Note
Please note that even though Cisco has added many IPsec enhancements in 7.0, the PIX/ASA still lags behind routers when it comes to deploying scalable L2L IPsec sessions. For instance, 7.0 doesn't support advanced QoS, GRE tunnels, or DMVPN. Therefore, I typically use the PIX/ASA with a small number of L2L sessions where I need advanced address translation configurations, or want to enhance the security of the IPsec implementation.

Specifying Traffic to Protect
ACLs are used to specify what traffic is to be protected for an IPsec session to a particular peer, commonly called a crypto ACL:

appliance(config)# access-list ACL_name_or_# {permit | deny} protocol_name_or_# src_IP src_subnet_mask [protocol_info] dst_IP dst_subnet_mask [protocol_info]

Any ACL command in the grouping that has a permit statement specifies traffic to be protected, whereas a deny or implicit deny statement specifies traffic that doesn't have to be protected. The source IP address/network specifies locations connected to the local PIX/ASA and the destination IP address/network specifies locations connected to the remote peer. Unlike on an IOS router, PIX/ASA ACLs use a subnet mask to match on a range of addresses, whereas routers use a wildcard (inverted) mask.

Caution
As with IOS routers, you should be very careful about using the keyword any (0.0.0.0/0) for the source or destination address in a crypto ACL, because this includes broadcast and multicast addresses and can cause certain data transmissions to fail. Therefore, you should be as specific as possible concerning what traffic is to be protected.

Defining How to Protect Traffic
As with IOS routers, a transform set is used to specify how traffic is to be protected. How this is configured is similar to configuration for a Cisco IOS router. Here are the commands to create a transform set on a PIX/ASA:

appliance(config)# crypto ipsec transform-set transform_set_name transform1 [transform2 [transform3]]
appliance(config)# [no] crypto ipsec transform-set transform_set_name mode transport

Each transform set must have a unique name. Within each set, you define between one to three transforms: one for AH authentication, one for ESP authentication, and one for ESP encryption. Here are the valid transform names: ah-md5-hmac, ah-sha-hmac, esp-md5-hmac, esp-sha-hmac, esp-des, esp-3des, esp-aes (128-bit), esp-aes-192, esp-aes-256, and esp-null (no encryption). The default connection mode of the transform is tunnel. This can be changed with the mode parameter after you already have created a transform set (this is different from a router, where the mode is configured in the transform set's subcommand mode). You can use the show crypto ipsec transform-set command in 6.3 to view your configured transform sets. In 7.0, use the show running-config crypto command.

Note
Here are some important items concerning the use of transform sets on PIX/ASA security appliances:

- AES encryption was added in FOS 6.3.
- AH transforms are not supported in FOS 7.0.
- A transform of DES and SHA no longer is supported in any current versions of the FOS software.

Building Crypto Maps
As with IOS routers, the function of a crypto map is to bring all the necessary information together to build an IPsec session to a remote peer. And like IOS routers, security appliances support two types of crypto maps:

- Static: Used for L2L sessions where the remote peer information is known.
- Dynamic: Used for L2L sessions where most of the remote peer information is unknown, or for remote access sessions.

The following two sections will discuss the configuration of both of these.

Static Crypto Maps
Static crypto maps are used for L2L sessions where the peer's IP address and the traffic to be protected is known. For each destination and session, a separate crypto map entry is used. There are two types of static crypto map entries: ISAKMP and manual. ISAKMP entries use ISAKMP/IKE to build a management connection, generate keying information for the management connection, build the data connections, generate keying information for the data connections, and refresh the keying information periodically for both sets of connections. Manual crypto map entries do not use ISAKMP/IKE. With these types of entries, no management connection is needed and you specify the connection information manually for the two unidirectional data connections, including any encryption and HMAC keys. Creating a static crypto map entry that uses ISAKMP/IKE to build the IPsec session involves the following commands, which is very similar to the configuration of crypto maps on IOS routers:

appliance(config)# crypto map map_name seq_# ipsec-isakmp
appliance(config)# crypto map map_name seq_# match address ACL_name
appliance(config)# crypto map map_name seq_# set peer IP_address
appliance(config)# crypto map map_name seq_# set transform-set trans_name1 [trans_name2...trans_name6]
appliance(config)# crypto map map_name seq_# set security-association lifetime {seconds seconds | kilobytes kilobytes}
appliance(config)# crypto map map_name seq_# set pfs [group1 | group2 | group5 | group7]
appliance(config)# crypto map map_name seq_# set connection-type {answer-only | originate-only | bidirectional}
appliance(config)# crypto map map_name seq_# set inheritance {data | rule}
appliance(config)# crypto map map_name seq_# set nat-t-disable
appliance(config)# crypto map map_name seq_# set phase1-mode {main | aggressive [group1 | group2 | group5 | group7]}
appliance(config)# crypto map map_name seq_# set reverse-route
appliance(config)# crypto map map_name seq_# set trustpoint CA_name [chain]

The crypto map command creates a static crypto map. An entry represents a session to a remote peer, where each entry is given a unique sequence number within the crypto map; sequence numbers can range from 1 to 10,000, and the lower the sequence number, the higher the priority. All entries in the map must use the same crypto map name. An entry might have multiple parameters associated with it, where the map name and sequence number are the same for the entry's parameters.

Note
Unlike with Cisco routers, there is no subcommand mode for the parameters for a particular entry; all crypto map commands on the PIX/ASA are global commands.

In the preceding code, note that the ipsec-isakmp parameter specifies that ISAKMP/IKE will be used to build and manage the Phase 1 and 2 connections (required). The match address parameter specifies the ACL name of the traffic to be protected (required). The set peer command specifies the IP address or name (FQDN) of the remote peer (required). In 6.3, you can specify up to 6 peers by executing this command six times; with 7.0, this has been expanded to 10 peers. By specifying multiple peers, the first peer configured becomes the primary and the second and other peers are backup peers. The set transform-set parameter specifies the transform set name to use to protect the traffic to the remote peer (required). You can specify up to six transform sets, where the order you enter them is the order in which they're processed. Therefore, put the most secure one first.

All the remaining parameters in the previous code are optional. The set security-association lifetime parameter changes the default lifetime of the data connections. This value overrides the global value that is configured with the crypto ipsec security-association lifetime command (preface this command with show to see the configured global lifetime values). In seconds, the default is 28,800 seconds and the amount of traffic transmitted is 4,608,000 KB. The set pfs command enables Perfect Forward Secrecy (PFS), which uses Diffie-Hellman (DH) to share the keys instead of the existing management connection. Of the four types, Group 5 is the most secure. Group 5 keys were added in FOS 6.3 and Group 7 in 7.0.

The remaining commands in the previous command list were added in FOS 7.0. The set connection-type parameter specifies which end will initiate the IPsec session. For a hub device, you would set it to answer-only for each peer entry and for a spoke device, originate-only; if the originating end is acquiring its address dynamically, the originating end would specify originate-only and the remote end answer-only. If you don't care which side initiates the session, use bidirectional. The set inheritance parameter controls how many SAs are created per peer: the default is rule, which creates one SA in each direction to the peer; data creates a separate set of SAs per address pair, where the addresses are devices (not the appliances) transmitting actual user data. Using the latter parameter can generate a lot of SAs and overhead on the appliances and should be used only with very security-sensitive applications with short lifetimes associated with them.

NAT-T was introduced in FOS 6.3 and is enabled by default; the set nat-t-disable parameter allows you to disable it for a peer (entry). The set phase1-mode parameter specifies the mode to use when initiating an IPsec session with a peer. The default is main mode. If you specify aggressive mode, you can override the DH key group to use; otherwise DH key group 2 is used. This parameter can be used only by the initiator of the IPsec session. The set reverse-route parameter enables RRI, where the appliance will place static routes in its routing table for the remote networks and then automatically advertise these, via OSPF, to any connected private network, assuming you've configured OSPF on your PIX and internal routing devices. Normally this is used with remote access clients but can be used with L2L sessions; the responder side can implement this feature. Last, note that the set trustpoint parameter specifies the CA to use for the particular peer. This is necessary only if you are using more than one CA. It is used only when the appliance initiates a session. The chain parameter specifies that the complete CA chain of certificates, in a hierarchical implementation, is sent to the remote peer (this is disabled by default).

In FOS 6.3, you can use the show crypto map command to view the static crypto maps configured on your PIX/ASA. In 7.0, use the show running-config crypto command to see your crypto map and other crypto commands.

Note
A manual crypto map entry is used for a remote peer when there are ISAKMP/IKE compatibility issues with the two peers. This feature was added in FOS 6.3 and then removed in FOS 7.0. Because of this, I won't cover manual crypto map entries for PIX/ASA security appliances.

Dynamic Crypto Maps
Dynamic crypto maps typically are used for remote access sessions, which I'll discuss in Chapter 22, "PIX and ASA Remote Access Connections." However, they also can be used for L2L sessions where the remote peer's information won't be known until it connects (for example, when the remote peer is assigned an IP address dynamically by the ISP), but this requires the configuration of a tunnel group. Dynamic crypto maps can be used only on a peer that will be accepting, not initiating, connections from peers.

Dynamic crypto maps and their configurations are very similar to those of IOS-based routers. A dynamic crypto map has multiple entries: typically one for L2L sessions and one for remote access users (or perhaps just one). The dynamic crypto map is then referenced within a static crypto map as an entry in the static map. When a remote peer builds a connection to your appliance and the dynamic map is used to build the session, the information about the session is placed in the static map as a temporary entry, and then removed upon termination of the connection. In any configuration, one peer can use a dynamic crypto map, but the other peer must use a static crypto map. Here are the PIX/ASA commands to create a dynamic crypto map:

appliance(config)# crypto dynamic-map map_name seq_# match address ACL_name
appliance(config)# crypto dynamic-map map_name seq_# set peer IP_address
appliance(config)# crypto dynamic-map map_name seq_# set transform-set trans_name1 [trans_name2...trans_name6]
appliance(config)# crypto dynamic-map map_name seq_# set security-association lifetime {seconds seconds | kilobytes kilobytes}
appliance(config)# crypto dynamic-map map_name seq_# set pfs [group1 | group2 | group5 | group7]
appliance(config)# crypto dynamic-map map_name seq_# set nat-t-disable
appliance(config)# crypto dynamic-map map_name seq_# set reverse-route

As you can see from the above commands, configuring a dynamic crypto map is similar to configuring a static one. Each dynamic crypto map needs to have a unique dynamic crypto map name. In FOS 6.3, you can use the show crypto dynamic-map command to view the dynamic crypto maps configured on your PIX/ASA. Only one command parameter is required for the dynamic crypto map entry: set transform-set. All of the other parameters are optional and were discussed in the previous section.

Tip: It is possible to use the same map name for a dynamic and static map, like an IOS-based router, but this creates confusion for the novice administrator implementing a VPN. Typically I put the term "stat" in the name of the static map and "dyn" in the dynamic crypto map, like "statmap" and "dynmap," respectively.

Once you've created your dynamic crypto map, you need to reference it as an entry within your static crypto map:

appliance(config)# crypto map static_map_name seq_# ipsec-isakmp dynamic dynamic_map_name

Note: The sequence number for the reference should be the highest number (lowest priority) of all of the entries in your static map: you want your known peers to use the specific static entries and unknown peers to use the dynamic crypto map reference.
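The ordering rule in the note above (known peers on specific static entries, the dynamic reference at the highest sequence number) and the required parameters of each entry type can be checked mechanically. The following Python script is an added example, not code from the book or from Cisco; it parses a constructed crypto map snippet in the 6.3/7.0 syntax shown in this section and reports the entries that break those rules.

```python
import re
from collections import defaultdict

# Constructed PIX/ASA crypto map snippet (not one of the chapter's examples). It
# places the dynamic reference at sequence 10, below two static L2L entries, so
# an unknown peer would be matched against the catch-all before the known peers,
# and entry 30 omits its peer.
SAMPLE_CONFIG = """
crypto ipsec transform-set mytrans esp-aes esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set mytrans
crypto dynamic-map dynmap 10 set reverse-route
crypto map statmap 10 ipsec-isakmp dynamic dynmap
crypto map statmap 20 ipsec-isakmp
crypto map statmap 20 match address 101
crypto map statmap 20 set peer 201.1.1.1
crypto map statmap 20 set transform-set mytrans
crypto map statmap 30 ipsec-isakmp
crypto map statmap 30 match address 102
crypto map statmap 30 set transform-set mytrans
crypto map statmap interface outside
"""

STATIC_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
DYNAMIC_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+) (.+)$")
ACTIVATE_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")


def _record(entry, rest):
    """Store one parameter of an entry, e.g. 'set peer X' -> entry['set peer'] = 'X'."""
    words = rest.split()
    if words[0] == "ipsec-isakmp":
        entry["ipsec-isakmp"] = True
        if len(words) >= 3 and words[1] == "dynamic":
            entry["dynamic"] = words[2]      # reference to a dynamic crypto map
    elif words[0] == "match" and len(words) == 3:
        entry["match address"] = words[2]
    elif words[0] == "set" and len(words) >= 2:
        entry["set " + words[1]] = " ".join(words[2:])


def parse_crypto_maps(config):
    """Group static and dynamic crypto map commands by (map name, sequence number)."""
    static, dynamic, activated = defaultdict(dict), defaultdict(dict), {}
    for raw in config.splitlines():
        line = raw.strip()
        m = ACTIVATE_RE.match(line)
        if m:
            activated[m.group(1)] = m.group(2)
            continue
        m = STATIC_RE.match(line)
        if m:
            _record(static[(m.group(1), int(m.group(2)))], m.group(3))
            continue
        m = DYNAMIC_RE.match(line)
        if m:
            _record(dynamic[(m.group(1), int(m.group(2)))], m.group(3))
    return static, dynamic, activated


def lint_crypto_maps(config):
    """Return a list of findings; an empty list means the maps are consistent."""
    static, dynamic, activated = parse_crypto_maps(config)
    findings = []
    # The only required parameter of a dynamic crypto map entry is the transform set.
    for (name, seq), entry in sorted(dynamic.items()):
        if "set transform-set" not in entry:
            findings.append(f"dynamic-map {name} {seq}: missing required set transform-set")
    by_map = defaultdict(list)
    for (name, seq), entry in static.items():
        by_map[name].append((seq, entry))
    dynamic_names = {name for name, _ in dynamic}
    for name, entries in sorted(by_map.items()):
        entries.sort(key=lambda item: item[0])
        highest = entries[-1][0]
        for seq, entry in entries:
            if "dynamic" in entry:
                if entry["dynamic"] not in dynamic_names:
                    findings.append(f"map {name} {seq}: references undefined dynamic map {entry['dynamic']}")
                # Known peers must hit their static entries before the catch-all.
                if seq != highest:
                    findings.append(f"map {name} {seq}: dynamic reference is not the highest sequence number (highest is {highest})")
                continue
            # A static ISAKMP entry needs the crypto ACL, the peer, and a transform set.
            for required in ("match address", "set peer", "set transform-set"):
                if required not in entry:
                    findings.append(f"map {name} {seq}: missing required {required}")
        if name not in activated:
            findings.append(f"map {name}: not activated on any interface")
    return findings


if __name__ == "__main__":
    for finding in lint_crypto_maps(SAMPLE_CONFIG):
        print(finding)
```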

Activating a Crypto Map

Once you have created your static crypto map (and possible dynamic crypto map references), the static map won't be used until you activate it on the appliance's interface(s):

appliance(config)# crypto map static_map_name interface interface_name

The name of the interface is the logical interface name on the PIX/ASA, like "outside" or "inside," and not the physical interface name, like "ethernet0" or "ethernet1."

Data Connection Management Commands

There are various appliance commands you can use to monitor and maintain your IPsec sessions. Here are the show commands you can use:

show isakmp sa  Displays the management connections.
show crypto ipsec sa  Displays the data connections.

I'll discuss these commands and their output in more depth in Chapter 23, "Troubleshooting PIX and ASA Connections." You can use the following commands to clear IPsec connections and sessions:

appliance(config)# crypto map map_name interface interface_name
appliance(config)# clear [crypto] isakmp sa
appliance(config)# clear [crypto] ipsec sa [{peer IP_address | map map_name | entry dest_IP protocol SPI_value}]

The crypto map interface command will reinitialize the SA and security policy databases. The clear isakmp sa command tears down all of the Phase 1 management connections. The clear ipsec sa command deletes one or more Phase 2 data SAs. In FOS 7.0, the following additional clear commands were added:

clear configure crypto  Deletes all IPsec commands: crypto maps, IPsec, and ISAKMP configurations.
clear configure crypto dynamic-map  Deletes all dynamic crypto map configurations.
clear configure crypto ca trustpoint  Deletes all certificate trustpoint configurations.
clear configure isakmp  Deletes all ISAKMP commands.
clear configure isakmp policy  Deletes a specific ISAKMP policy or all policies.

Differences Between FOS 6.3 and 7.0

FOS 7.0 adds many features that the 6.3 and earlier FOS versions lacked. On top of that, even though the 7.0 CLI is much more similar to an IOS CLI than version 6.3, making it easy for IOS router experts, there is still not a synchronization of the commands between the two platforms. For example, to delete management connections on a 7.0 appliance, you would use clear [crypto] isakmp sa, but on an IOS router you would use clear crypto isakmp, omitting the sa. I had hoped that Cisco would rectify this on the security appliances in 7.0, but alas, Cisco hasn't quite reached this point.

In contrast, for the PIX novice who just started getting used to FOS 6.3 and then upgraded to 7.0, you'll see that the commands have not always been preserved from the older to the newer version. For example, if I want to view the Phase 1 management connections, in FOS 6.3 it's show isakmp policy, but in FOS 7.0 it's show running-config isakmp. Or if I want to configure a pre-shared key in 6.3, it's isakmp key, but in FOS 7.0 it's configured in a tunnel group with the pre-shared-key command. These configuration differences make it very confusing for a novice, and also frustrating for an expert with PIXs, like myself: I'm constantly using the old-style 6.3 syntax on 7.0 appliances, and it's going to take me a while to become accustomed to the new syntax.

L2L Connection Examples

Now that you have a basic understanding of the commands used to build L2L IPsec sessions on a PIX/ASA appliance, I'll show you a couple of examples that illustrate the configurations. The first example will be based on FOS 6.3 for the PIX appliances and the second example on 7.0. I'll use the same situation in both examples, shown in Figure 21-1. In the figure, one PIX functions as a hub and two PIXs as spokes connecting to the central site via the hub PIX. Each example contains reference numbers, which are explained following the specific example.

Figure 21-1. L2L Simple Hub-and-Spoke Design

FOS 6.3 L2L Example

Examples 21-4, 21-5, and 21-6 illustrate the configuration of the hub and two-spoke PIXs using FOS 6.3.

Example 21-4. Hub Configuration in FOS 6.3

hub(config)# ip address outside 200.1.1.1 255.255.255.0
hub(config)# ip address inside 192.168.1.1 255.255.255.0
hub(config)# route outside 0.0.0.0 0.0.0.0 200.1.1.2 1
hub(config)# access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
hub(config)# access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
hub(config)# nat (inside) 0 access-list nonat                                   (1)
hub(config)# sysopt connection permit-ipsec                                     (2)
hub(config)# isakmp enable outside
hub(config)# isakmp identity address
hub(config)# isakmp policy 10 authentication pre-share
hub(config)# isakmp policy 10 encryption aes
hub(config)# isakmp policy 10 hash sha
hub(config)# isakmp policy 10 group 2                                           (3)
hub(config)# isakmp keepalive 20 3
hub(config)# isakmp key cisco123 address 201.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode
hub(config)# isakmp key cisco123 address 202.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode   (4)
hub(config)# access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
hub(config)# access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0   (5)
hub(config)# crypto ipsec transform-set mytrans esp-aes esp-sha-hmac            (6)
hub(config)# crypto map mymap 20 ipsec-isakmp
hub(config)# crypto map mymap 20 match address 101
hub(config)# crypto map mymap 20 set peer 201.1.1.1
hub(config)# crypto map mymap 20 set transform-set mytrans                      (7)
hub(config)# crypto map mymap 30 ipsec-isakmp
hub(config)# crypto map mymap 30 match address 102
hub(config)# crypto map mymap 30 set peer 202.1.1.1
hub(config)# crypto map mymap 30 set transform-set mytrans                      (8)
hub(config)# crypto map mymap interface outside                                 (9)

Example 21-5. Spoke1 Configuration in FOS 6.3

spoke1(config)# ip address outside 201.1.1.1 255.255.255.0
spoke1(config)# ip address inside 192.168.2.1 255.255.255.0
spoke1(config)# route outside 0.0.0.0 0.0.0.0 201.1.1.2 1
spoke1(config)# access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
spoke1(config)# nat (inside) 0 access-list nonat
spoke1(config)# sysopt connection permit-ipsec
spoke1(config)# isakmp enable outside
spoke1(config)# isakmp identity address
spoke1(config)# isakmp policy 10 authentication pre-share
spoke1(config)# isakmp policy 10 encryption aes
spoke1(config)# isakmp policy 10 hash sha
spoke1(config)# isakmp policy 10 group 2
spoke1(config)# isakmp key cisco123 address 200.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode
spoke1(config)# isakmp keepalive 20 3
spoke1(config)# access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
spoke1(config)# crypto ipsec transform-set mytrans esp-aes esp-sha-hmac
spoke1(config)# crypto map mymap 10 ipsec-isakmp
spoke1(config)# crypto map mymap 10 match address 101
spoke1(config)# crypto map mymap 10 set peer 200.1.1.1
spoke1(config)# crypto map mymap 10 set transform-set mytrans
spoke1(config)# crypto map mymap interface outside

Example 21-6. Spoke2 Configuration in FOS 6.3

spoke2(config)# ip address outside 202.1.1.1 255.255.255.0
spoke2(config)# ip address inside 192.168.3.1 255.255.255.0
spoke2(config)# route outside 0.0.0.0 0.0.0.0 202.1.1.2 1
spoke2(config)# access-list nonat permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
spoke2(config)# nat (inside) 0 access-list nonat
spoke2(config)# sysopt connection permit-ipsec
spoke2(config)# isakmp enable outside
spoke2(config)# isakmp identity address
spoke2(config)# isakmp policy 10 authentication pre-share
spoke2(config)# isakmp policy 10 encryption aes
spoke2(config)# isakmp policy 10 hash sha
spoke2(config)# isakmp policy 10 group 2
spoke2(config)# isakmp key cisco123 address 200.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode
spoke2(config)# isakmp keepalive 20 3
spoke2(config)# access-list 101 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
spoke2(config)# crypto ipsec transform-set mytrans esp-aes esp-sha-hmac
spoke2(config)# crypto map mymap 10 ipsec-isakmp
spoke2(config)# crypto map mymap 10 match address 101
spoke2(config)# crypto map mymap 10 set peer 200.1.1.1
spoke2(config)# crypto map mymap 10 set transform-set mytrans
spoke2(config)# crypto map mymap interface outside

Here's a brief explanation of the hub's configuration in Example 21-4:

1. I'm disabling address translation between the local network (192.168.1.0/24) and the two remote networks (192.168.2.0/24 and 192.168.3.0/24).
2. IPsec traffic is being bypassed from the ACL check.
3. This is the Phase 1 configuration, with ISAKMP being enabled on the outside interface and one ISAKMP policy defined to protect the management connection to the two spokes.
4. The pre-shared keys are defined for the two spoke routers.
5. Two crypto ACLs are created for the two respective spokes: 101 is for spoke1 and 102 is for spoke2.
6. A transform set is defined to protect the data SAs.
7. A crypto map entry is defined for spoke1.
8. A crypto map entry is defined for spoke2.
9. The crypto map is activated on the hub's outside interface.

As you can see from Example 21-4, configuring the PIX for L2L sessions is somewhat similar to configuring IOS routers. The configuration of the two spokes in Examples 21-5 and 21-6 is very similar to the hub configuration.

FOS 7.0 L2L Example

The main problem with the last example is that the two spokes, if they need to send traffic to each other, cannot do this through the hub. If you recall earlier from the "Transmitting IPsec Traffic Between Multiple Interfaces with the Same Security Level" section, traffic cannot be transmitted between the spokes via the hub because traffic enters the hub on the outside interface and leaves it on the same interface, which is not allowed in FOS 6.3 and earlier. In this situation, you would have to build an L2L session directly between the two spokes to overcome this problem. FOS 7.0 resolves this issue. Using the same network in Figure 21-1, I'll redo the configuration of the three PIXs. In this example, the FOS level on the spokes doesn't matter: only the hub needs to be running 7.0. Example 21-7 illustrates the hub's configuration. Within the configuration are references which are explained following the example.

Example 21-7. Hub Configuration in FOS 7.0

hub(config)# interface Ethernet0
hub(config-if)# nameif outside
hub(config-if)# security-level 0
hub(config-if)# ip address 200.1.1.1 255.255.255.0
hub(config-if)# exit
hub(config)# interface Ethernet1
hub(config-if)# nameif inside
hub(config-if)# security-level 100
hub(config-if)# ip address 192.168.1.1 255.255.255.0
hub(config-if)# exit
hub(config)# route outside 0.0.0.0 0.0.0.0 200.1.1.2 1
hub(config)# same-security-traffic permit intra-interface                       (1)
hub(config)# sysopt connection permit-ipsec
hub(config)# isakmp enable outside
hub(config)# isakmp policy 10 authentication pre-share
hub(config)# isakmp policy 10 encryption aes
hub(config)# isakmp policy 10 hash sha
hub(config)# isakmp policy 10 group 2
hub(config)# isakmp policy 10 lifetime 86400
hub(config)# access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
hub(config)# access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
hub(config)# nat (inside) 0 access-list nonat                                   (2)
hub(config)# tunnel-group 201.1.1.1 type ipsec-l2l
hub(config)# tunnel-group 201.1.1.1 ipsec-attributes
hub(config-ipsec)# pre-shared-key cisco123
hub(config-ipsec)# isakmp keepalive threshold 20 retry 3
hub(config-ipsec)# exit
hub(config)# tunnel-group 202.1.1.1 type ipsec-l2l
hub(config)# tunnel-group 202.1.1.1 ipsec-attributes
hub(config-ipsec)# pre-shared-key cisco123
hub(config-ipsec)# isakmp keepalive threshold 20 retry 3
hub(config-ipsec)# exit                                                         (3)
hub(config)# access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
hub(config)# access-list 101 extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
hub(config)# access-list 102 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
hub(config)# access-list 102 extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0   (4)
hub(config)# crypto ipsec transform-set mytrans esp-aes esp-sha-hmac
hub(config)# crypto map mymap 10 match address 101
hub(config)# crypto map mymap 10 set peer 201.1.1.1
hub(config)# crypto map mymap 10 set transform-set mytrans
hub(config)# crypto map mymap 20 match address 102
hub(config)# crypto map mymap 20 set peer 202.1.1.1
hub(config)# crypto map mymap 20 set transform-set mytrans
hub(config)# crypto map mymap interface outside

Here's an explanation of the references in Example 21-7:

1. This command allows traffic from one tunnel on the interface to travel to another tunnel on the same interface.
2. NAT is disabled for all traffic from the hub to the spokes. For the spokes, since the spoke-to-hub-to-spoke traffic is entering and leaving the same interface, by default, address translation is not performed on it.
3. Tunnel groups are used to assign the pre-shared keys and ISAKMP DPD timers for each spoke.
4. The crypto ACLs for each spoke contain an additional statement to allow spoke-to-hub-to-spoke traffic to be protected. For spoke1, traffic between 192.168.3.0 to 192.168.2.0 and vice versa is allowed.

As you can see from the rest of Example 21-7's configuration, it's mostly the same as the 6.3 configuration in Example 21-4. For the spokes, only one item needs to be added on each spoke from the configurations in Examples 21-5 and 21-6: an additional ACL statement is needed in the crypto ACL to allow the spoke1-to-hub-to-spoke2 traffic. For spoke1, the crypto ACL statement would look like this:

access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0

On spoke2, the crypto ACL statement would look like this:

access-list 101 permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
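The two things that change when the hub carries spoke-to-hub-to-spoke traffic (mirror-image crypto ACL statements on each spoke, and same-security-traffic permit intra-interface on the hub) are easy to miss on one device. The following Python check is an added example, not code from the book or from Cisco; it uses the networks and addresses of Figure 21-1 in constructed, trimmed snippets (not the book's full examples) and reports spoke crypto ACL entries that do not mirror the hub's, and hairpinned entries on a hub that lacks the intra-interface command.

```python
import re

# Constructed from the chapter's hub-and-spoke scenario (hub 192.168.1.0/24 at
# 200.1.1.1, spoke1 192.168.2.0/24 at 201.1.1.1, spoke2 192.168.3.0/24 at
# 202.1.1.1); trimmed sample snippets, not the book's full examples. The hub has
# spoke-to-spoke entries but no same-security-traffic command, and spoke2 never
# mirrors the spoke1-to-spoke2 entry.
HUB = """
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 102 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 102 extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
crypto map mymap 10 match address 101
crypto map mymap 10 set peer 201.1.1.1
crypto map mymap 20 match address 102
crypto map mymap 20 set peer 202.1.1.1
"""
SPOKE1 = """
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
crypto map mymap 10 match address 101
crypto map mymap 10 set peer 200.1.1.1
"""
SPOKE2 = """
access-list 101 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map mymap 10 match address 101
crypto map mymap 10 set peer 200.1.1.1
"""
SPOKES = {"spoke1": ("201.1.1.1", SPOKE1), "spoke2": ("202.1.1.1", SPOKE2)}
INTRA = "same-security-traffic permit intra-interface"

ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer) (\S+)$")


def crypto_entries_by_peer(config):
    """Map each 'set peer' address to the (src, dst) networks its crypto ACL protects."""
    acls, entries = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            src, dst = f"{m.group(2)} {m.group(3)}", f"{m.group(4)} {m.group(5)}"
            acls.setdefault(m.group(1), set()).add((src, dst))
            continue
        m = MAP_RE.match(line)
        if m:
            entries.setdefault(int(m.group(2)), {})[m.group(3)] = m.group(4)
    return {p["set peer"]: acls.get(p["match address"], set())
            for p in entries.values() if "set peer" in p and "match address" in p}


def check_hub_and_spoke(hub_cfg, spokes):
    """spokes: {name: (outside address, config)}. Returns a list of findings."""
    findings, hub_by_peer, spoke_nets = [], crypto_entries_by_peer(hub_cfg), {}
    for name, (ip, cfg) in spokes.items():
        # A spoke has a single L2L peer, the hub, so take its only entry.
        mine = next(iter(crypto_entries_by_peer(cfg).values()), set())
        spoke_nets[name] = {src for src, _ in mine}
        theirs = hub_by_peer.get(ip)
        if theirs is None:
            findings.append(f"hub: no crypto map entry with set peer {ip} for {name}")
            continue
        # Crypto ACLs must be mirror images: the hub's (src, dst) is the spoke's (dst, src).
        mirrored = {(dst, src) for src, dst in theirs}
        for src, dst in sorted(mirrored - mine):
            findings.append(f"{name}: crypto ACL is missing {src} -> {dst} (mirror of a hub entry)")
        for src, dst in sorted(mine - mirrored):
            findings.append(f"hub: crypto ACL for {name} is missing {dst} -> {src} (mirror of a spoke entry)")
    # A hub entry whose source is another spoke's network is spoke-to-hub-to-spoke
    # traffic: it enters and leaves the hub's outside interface, which only FOS 7.0
    # allows, and only with same-security-traffic permit intra-interface.
    hairpin = any(src in nets
                  for name, (ip, _) in spokes.items()
                  for src, _ in hub_by_peer.get(ip, set())
                  for other, nets in spoke_nets.items() if other != name)
    if hairpin and INTRA not in hub_cfg:
        findings.append(f"hub: spoke-to-spoke crypto ACL entries need '{INTRA}' (FOS 7.0)")
    return findings


if __name__ == "__main__":
    for finding in check_hub_and_spoke(HUB, SPOKES):
        print(finding)
```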

Summary

This chapter showed you the basics of setting up ISAKMP/IKE Phase 1 policies and configurations on Cisco PIX and ASA security appliances and on L2L IPsec sessions. As you can see from this chapter, when compared to Chapters 16 and 17 on IOS routers, Cisco security appliances have less capabilities when it comes to features with ISAKMP/IKE Phase 1 connectivity and scalable L2L IPsec sessions. Next up is Chapter 22, "PIX and ASA Remote Access Connections," where I show you how to set up a PIX/ASA as an Easy VPN Server and a PIX as an Easy VPN Remote.

Chapter 22. PIX and ASA Remote Access Connections

Where the last chapter focused on IPsec L2L sessions with Cisco security appliances, this chapter will focus on their IPsec Easy VPN Server and Remote features. Both PIXs and ASA security appliances can perform the role of an Easy VPN Server, acting as a VPN gateway for client (Remote) devices; however, only the PIX 501 and 506/506E security appliances currently can perform the role of an Easy VPN Remote or hardware client. Cisco plans to release a low-end ASA appliance later that will also support this functionality.

Easy VPN Server Support for 6.x

Since the release of FOS 6.2 and in later FOS releases, the PIX security appliances, from the 501 all the way up to the 535, can perform the function of an Easy VPN Server, which allows them to terminate IPsec sessions from Easy VPN Remote devices, including the Cisco VPN Client software, the 3002 hardware client, the 800, ubr900, and 1700 routers, and the PIX 501 and 506E security appliances. And with the addition of the ASA appliances, they, too, can perform this function. Normally, I prefer to use a VPN 3000 concentrator to support a large number of remote access users; however, if you already have a PIX/ASA appliance in place and need to support only a small number of clients, you can use your existing PIX/ASA for this function. This is preferable to a router if your PIX supports a VAC+ encryption card to perform hardware encryption and your router lacks this, or if you need advanced address translation capabilities or security functions or features, which the router might lack. The configuration of an Easy VPN Server is different if you're running FOS 6.3 or earlier when compared to 7.0. Because of the differences, I've split up the configuration explanation into the following two sections: one for 6.3 (this section) and one for 7.0 (the following main section).

Easy VPN Server Configuration for 6.x

Starting in FOS 6.2, the PIX and ASA (7.0) appliances support the Easy VPN Server function. As with the routers and concentrators performing the Easy VPN Server function, groups are used to apply policies to the Remotes connecting to the Server. Configuring an Easy VPN Server is broken into these components:

Step 1. Create an address pool for remote access devices' internal addresses with the ip local pool command (this is required only for client mode connections; network extension mode connections do not require this).
Step 2. Define group policies for remote access users with the vpngroup command.
Step 3. Create ISAKMP policies with the isakmp policy command (discussed in the last chapter).
Step 4. Enable XAUTH with the crypto map map_name client authentication command.
Step 5. Define a compatible tunnel-mode transform set with the crypto ipsec transform-set command (discussed in the last chapter).
Step 6. Create a dynamic crypto map with the crypto dynamic-map command (discussed in the last chapter).
Step 7. Disable address translation for the users' internal addresses with the nat (interface) 0 access-list ACL_name command (discussed in Chapter 21).
Step 8. Create a static crypto map and enable it with the crypto map command (discussed in the last chapter).
Step 9. Enable IKE Mode Config for the static crypto map that has the dynamic crypto map reference with the crypto map map_name client configuration command.
Step 10. Allow IPsec traffic with an ACL or the sysopt connection permit-ipsec command (discussed in the last chapter).

As you can see from the above steps, many of the things you have to configure I've already discussed in the last chapter. Therefore, I'll focus primarily on Steps 1, 2, 4, and 9 in my discussions throughout this section.

Address Pool Configuration for 6.x

An address pool is needed on the PIX Server to assign logical internal addresses to connecting Remote clients. The same command used on an IOS router to define an address pool is used on the PIX appliance:

pix(config)# ip local pool pool_name IP_first-IP_last [mask subnet_mask]

Each pool needs a unique name, which can contain up to 63 characters. Within a pool, you specify the IP addresses by listing the first address in the pool, followed by a dash ("-"), and then the last address in the pool, like this: 192.168.0.201-192.168.0.249. Optionally, you can specify a subnet mask value to ensure that the network number and directed broadcast addresses are not assigned to Remotes. You can have different pools of addresses for different remote access groups.

Note: Remember that any type of masking configuration on a PIX/ASA is a subnet mask, not a wildcard mask.

Group Configuration for 6.x

Groups are used to assign policies to the Remotes. The groups and policies are defined on the PIX and pushed down to the Remotes during IKE Mode/Client Config. The vpngroup group_name command is used to assign policies to a group. The group name should be descriptive of the group, like "marketing" or "sales," and should contain no more than 63 characters. With hardware clients connecting to the PIX Server, additional items may be configured, like the type of connection (client versus network-extension mode) and the type of authentication (default, device, and user).

Tip: The group names are case-sensitive and must be configured the same way on the Remotes; otherwise, authentication will fail!

Here are the commands you can use to create a group:

pix(config)# vpngroup group_name password preshared_key
pix(config)# vpngroup group_name address-pool pool_name
pix(config)# vpngroup group_name authentication-server AAA_tag
pix(config)# vpngroup group_name backup-server {{IP_1 [IP_2...IP_10]} | clear-client-cfg}
pix(config)# vpngroup group_name default-domain domain_name
pix(config)# vpngroup group_name dns-server DNS_IP_1 [DNS_IP_2]
pix(config)# vpngroup group_name split-dns domain_name1 [domain_name2...domain_8]
pix(config)# vpngroup group_name wins-server WINS_IP_1 [WINS_IP_2]
pix(config)# vpngroup group_name pfs
pix(config)# vpngroup group_name split-tunnel access_list_name
pix(config)# vpngroup group_name idle-time idle_seconds
pix(config)# vpngroup group_name max-time max_seconds
pix(config)# vpngroup group_name secure-unit-authentication
pix(config)# vpngroup group_name user-authentication
pix(config)# vpngroup group_name device-pass-through
pix(config)# vpngroup group_name user-idle-timeout hh:mm:ss
pix(config)# show vpngroup [group_name]

The password parameter specifies a pre-shared key to use for device authentication during ISAKMP/IKE Phase 1. The key can be up to 127 characters in length and is case-sensitive. When using pre-shared keys, aggressive mode is used; if you omit the pre-shared key, certificates and main mode are used instead. In this case, the OU (Organizational Unit)/Department field is used as the group name.

Note: The isakmp key address and vpngroup password commands both specify a pre-shared key to use for device authentication during ISAKMP/IKE Phase 1. Cisco recommends that you use the vpngroup password command for Remote authentication if you will have more than one remote access group on your PIX. If you have only one group, you could just as easily use the isakmp key address command instead.

The address-pool parameter assigns an address pool (configured with the ip local pool command) to the associated group. You can assign only one address pool per group.

The authentication-server parameter specifies which AAA group tag to use to perform XAUTH. This parameter is new in 6.3 and later. It allows you to use a different AAA designation for each group configured on the PIX. For example, if you had two groups, marketing and sales, you could define the marketing accounts (usernames) on the PIX (in 6.3 and later) and the sales accounts on a Cisco Secure ACS AAA server. But, if all your groups use the same AAA designation, this command isn't necessary.

The backup-server parameter allows you to assign up to ten backup Easy VPN Servers to the Remote for redundancy. The clear-client-cfg parameter allows you to erase any configured backup servers on the Remote device. The default-domain parameter assigns a domain name to the Remotes authenticating to the group. The dns-server parameter allows you to assign up to two DNS servers to the group; otherwise, the Remote's locally configured DNS servers are used to resolve names. The split-dns parameter, new in 6.3, allows the Remotes to use the DNS servers in the dns-server parameter for the domain names listed (up to eight) in the split-dns command. The wins-server parameter allows you to assign up to two WINS server addresses to the Remote, overriding any locally configured WINS server addresses.

The pfs parameter, new in 6.3, allows Remote devices to use PFS to exchange the keying information (via DH) instead of using the protected management connection. Before enabling this, be sure all Remotes in the group support this feature.

The split-tunnel parameter specifies an ACL that defines which traffic is to be protected (permit statements in the ACL) and which traffic doesn't need to be protected (deny or the implicit deny statements in the ACL).

Note: If you don't configure split tunneling, all Remote traffic must be sent to the PIX in a protected fashion. In 6.3 and earlier, that means the Remote won't be able to access the Internet because all traffic must be sent to the PIX and the PIX can't send the Internet traffic back out the same interface. In 7.0, this has been rectified. Therefore, it is very common to use split tunneling on the PIX when it is an Easy VPN Server.

Caution: If you allow Remotes to use split tunneling, be sure they have some kind of firewall feature configured to protect themselves from nontunneled traffic.

The idle-time parameter specifies the number of seconds to wait before terminating an idle Remote session. The default is 1,800 seconds (30 minutes), but you can specify a value from 60-86,400 seconds. The max-time parameter specifies the maximum number of seconds a Remote is allowed to have a session up. The default is infinite, but you can restrict this by specifying a value from 60-31,536,000 seconds. The timers specified in these commands take precedence over the timers configured with the isakmp policy lifetime command for the management connection and the crypto map set security-association lifetime seconds or crypto ipsec security-association lifetime seconds commands for the data connections.

The commands from here on out in the above code section apply only to Remote hardware clients and are new in FOS 6.3. The secure-unit-authentication (SUA) parameter enables what the VPN 3000 concentrators refer to as interactive unit authentication (Interactive UA). With this feature, the password for the XAUTH user account is not saved on the hardware client (Remote). Instead, a user behind the Remote must supply this to bring up the tunnel. Once the tunnel is up, all users behind the Remote can use the tunnel. Note that the SUA feature is configured on the Server, not the Remote. When either SUA or individual user authentication are configured and pushed down to the Remote during IKE Mode Config, any XAUTH password that has been hard-configured on the Remote is erased.

The user-authentication parameter enables individual user authentication for users behind the Remote (hardware client). The first user must supply XAUTH credentials to bring up the tunnel, and each user that wants to use the tunnel also must authenticate. One problem with individual user authentication is that certain types of devices, such as IP Phones, can't perform HTML-based XAUTH authentication, which would prevent them from using the tunnel. The device-pass-through parameter exempts devices that can't perform authentication themselves; however, the actual list of exempted clients must be configured on the Remote, assuming it's a PIX, with the vpnclient mac-exempt command. The user-idle-timeout parameter is used when individual user authentication is enabled. It specifies when the tunnel is brought down when there is no user activity.

Last in the previous list of commands, the show vpngroup command displays the vpngroup commands you've configured on your PIX. You can restrict the output to just one group by specifying the name of that group.

XAUTH User Authentication Configuration for 6.x

The user accounts used for XAUTH (user authentication) can be defined locally on the PIX or on an AAA server that supports either TACACS+ or RADIUS. If you want to use local authentication and are going to create the user accounts on the PIX for XAUTH, you'll first need to make sure you are running FOS 6.3, and then you'll use the following configuration:

pix(config)# aaa-server LOCAL protocol local
pix(config)# username name password password
pix(config)# crypto map static_map_name client authentication LOCAL

The aaa-server LOCAL command is not necessary because it is pre-configured on a 6.3 PIX: this command specifies that the user accounts specified by the local username commands will be used. Any passwords configured with the username command are automatically encrypted by the PIX. The show username command displays all of the username commands configured on the PIX. The crypto map client authentication command specifies the static crypto map for which XAUTH user authentication will be enabled; this crypto map contains a reference to the dynamic crypto map for the remote access users. The LOCAL parameter at the end of the command points to the aaa-server command to use for XAUTH.

Note that if you don't have any user accounts created when executing the crypto map client authentication command, you'll see this message on the PIX: "Warning: local database is empty! Use 'username' command to define local users." If you already have user accounts defined when executing the command, but then subsequently delete them, you'll see this message on the PIX: "Warning: Local user database is empty and there are still commands using LOCAL for authentication."

If you are running 6.2, you can't use local authentication on the Server, but must define the user accounts on an AAA server that supports either TACACS+ or RADIUS.

If you want to use an AAA server for XAUTH authentication, you would use the following PIX commands:

pix(config)# aaa-server group_tag protocol {radius | tacacs+}
pix(config)# aaa-server group_tag (if_name) host AAA_server_IP encryption_key
pix(config)# crypto map static_map_name client [token] authentication group_tag

The first aaa-server command specifies the protocol the PIX should use when communicating with the AAA server: either TACACS+ or RADIUS. The group_tag parameter in the AAA configuration is used to group related AAA commands together. The second aaa-server command specifies the interface the AAA server resides off of (you must give the logical interface name, like "inside"), the IP address of the AAA server, and the encryption key used either to encrypt the AAA payload for TACACS+ communications or any password information for RADIUS communications. The encryption key must match the key used on the AAA server for communications to the local PIX. The crypto map client authentication command then activates XAUTH authentication for the static crypto map; optionally, the token parameter specifies that a token card server associated with the AAA server will be used to handle the authentication. The preceding commands will work with both 6.2 and 6.3.

IKE Mode Config Activation for 6.x
To enable IKE Mode Config on your PIX so that you can apply group policies to IPsec remote access devices, use the following command:

pix(config)# crypto map static_map_name client configuration address {initiate | respond}

The respond parameter is used most commonly, where the remote access client will initiate the IKE Mode Config process; this is necessary for Cisco client devices. For the old 2.5 Cisco software client or non-Cisco IPsec clients (Microsoft's L2TP client), use the initiate parameter, which causes the Server PIX to initiate IKE Mode Config. If you have both types of clients, configure the command twice, using each parameter separately.

Easy VPN Server Example for 6.x
Now that you have a basic understanding of the extra commands required to configure a 6.3 PIX as an Easy VPN Server, I'll look at an example to illustrate the use of these commands, using the network shown in Figure 22-1. In this case, only a small number of remote access users need to set up IPsec sessions, so I'll use pre-shared keys for device authentication.

Note
You still have to create an ISAKMP/IKE Phase 1 policy, configure a transform set supported by the remote access devices, associate the transform set with a dynamic crypto map entry, create a static crypto map entry that references the dynamic crypto map, possibly enable RRI, and then enable the static crypto map. I discussed these commands in Chapter 21.

Since an AAA server is already in the network, however, I'll use the user accounts defined there instead of replicating this information locally on the PIX. There are two basic requirements in this example: split tunneling is required because the remote access users need access to both the LAN segment behind the PIX and the Internet, and split DNS should be used. Remote access users will be assigned an internal address from 192.168.0.240 to 192.168.0.254. Example 22-1 illustrates the PIX Server configuration, where I'll assume the PIX is running FOS 6.3. The reference numbers to the right of various command sections are explained below Example 22-1.

Figure 22-1. 6.x PIX Easy VPN Server Example

Example 22-1. 6.3 PIX Easy VPN Server Configuration

server(config)# isakmp enable outside                                          (1)
server(config)# isakmp policy 10 encryption aes
server(config)# isakmp policy 10 hash sha
server(config)# isakmp policy 10 group 5
server(config)# isakmp policy 10 authentication pre-share
server(config)# access-list NONATREMOTE permit ip 192.168.0.0 255.255.255.0    (2)
                  192.168.0.240 255.255.255.240
server(config)# nat (inside) 0 access-list NONATREMOTE
server(config)# crypto ipsec transform-set mytrans esp-aes esp-sha-hmac        (3)
server(config)# crypto dynamic-map dynmap 10 set transform-set mytrans         (4)
server(config)# crypto map statmap 999 ipsec-isakmp dynamic dynmap
server(config)# crypto map statmap interface outside
server(config)# sysopt connection permit-ipsec
server(config)# aaa-server AAASERVER protocol radius                           (5)
server(config)# aaa-server AAASERVER (inside) host 192.168.0.2 cisco123
server(config)# crypto map statmap client authentication AAASERVER
server(config)# crypto map statmap client configuration address respond        (6)
server(config)# ip local pool remotepool 192.168.0.240-192.168.0.254
server(config)# access-list splittunnelACL permit ip 192.168.0.0 255.255.255.0 (7)
                  192.168.0.240 255.255.255.240
server(config)# vpngroup smallgroup address-pool remotepool                    (8)
server(config)# vpngroup smallgroup password 123cisco
server(config)# vpngroup smallgroup dns-server 192.168.0.10
server(config)# vpngroup smallgroup default-domain cisco.com
server(config)# vpngroup smallgroup split-dns cisco.com
server(config)# vpngroup smallgroup wins-server 192.168.0.11
server(config)# vpngroup smallgroup split-tunnel splittunnelACL
server(config)# vpngroup smallgroup idle-time 600

Here is an explanation of the sections found in Example 22-1:

1. ISAKMP is enabled on the outside interface and an ISAKMP policy is created for the remote access users, with the assumption that this is a current Cisco client; for non-Cisco clients or the 2.5 Cisco client, only DH group 1 is supported. Also, remember that if you have both L2L and remote access sessions terminated on the Server, when configuring the pre-shared key for each L2L peer, you would use the no-xauth and no-config-mode parameters to disable XAUTH and IKE Mode Config, respectively, for the L2L peers.
2. The access-list and nat commands disable address translation between the local LAN (source addresses in the ACL) and the remote access users' internal addresses (destination addresses in the ACL).
3. A supported transform set for the remote access users is defined.
4. A dynamic crypto map entry is created for the remote access users, specifying the transform set to use to protect the users' data SAs. This is then referenced in the static crypto map applied to the Server's outside interface. If you also terminate L2L sessions on this PIX, use a high sequence number for the dynamic crypto map entry in the static map, giving it a lower priority than the static map entries for the L2L peers. The sysopt command then exempts the IPsec traffic from being processed by any ACL applied to the PIX's outside interface.
5. An AAA server, which contains the user accounts, is identified, and XAUTH is associated with the static crypto map and the AAA server; notice that the AAA protocol used between the PIX and the AAA server is RADIUS.
6. IKE Mode Config is enabled on the Server. For the 2.5 Cisco client, you would use the initiate parameter instead of the respond parameter. Also, an address pool containing the remote access users' internal addresses is defined with the ip local pool command.
7. An ACL is defined to allow for split tunneling. The first address and mask, 192.168.0.0/24 (the source addresses), is for the local LAN traffic behind the inside interface of the Server, and the second, 192.168.0.240/28 (the destination addresses), is for the internal addresses of the Remotes. All traffic from the remote access clients to the local LAN segment will be protected, and all other traffic from the remote access clients is sent in clear text.
8. One group, called "smallgroup," is created. This group specifies the address pool to use ("remotepool"), the pre-shared key to use for device authentication ("123cisco"; if you were using certificates, this command would be omitted), the DNS server, the domain name, split DNS, the WINS server, the split tunneling ACL to use ("splittunnelACL"), and an idle timeout (600 seconds).

As you can see from this example, the configuration in 6.3 is somewhat similar to configuring an Easy VPN Server on an IOS router. The only thing you might want to do is ensure that the Remotes have a personal firewall installed because split tunneling is enabled; unfortunately, you can't enforce that kind of group policy on the PIX/ASA until Version 7.0.
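The address pool, the nat 0 exemption and the split-tunnel ACL in Example 22-1 have to agree with each other, and nothing on the PIX warns you when they don't: a pool address that the nat 0 ACL misses gets translated on the way back to the client, and that user's tunnel silently stops passing traffic. The following added example is my own Python, not code from the book or from Cisco; it parses the relevant lines of Example 22-1 (re-typed here as constructed input) and checks those relationships. It handles only the network/mask form of access-list entries the example uses, and the lan argument naming the Server's inside subnet is my assumption.

```python
"""Added example (not from the book): check that a PIX 6.x Easy VPN Server's address pool,
nat 0 exemption and split-tunnel ACL agree with each other."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample input: the relevant lines of Example 22-1, re-typed here.
SAMPLE_CONFIG = """
access-list NONATREMOTE permit ip 192.168.0.0 255.255.255.0 192.168.0.240 255.255.255.240
nat (inside) 0 access-list NONATREMOTE
ip local pool remotepool 192.168.0.240-192.168.0.254
access-list splittunnelACL permit ip 192.168.0.0 255.255.255.0 192.168.0.240 255.255.255.240
vpngroup smallgroup address-pool remotepool
vpngroup smallgroup split-tunnel splittunnelACL
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
GROUP_RE = re.compile(r"^vpngroup (\S+) (address-pool|split-tunnel) (\S+)$")


@dataclass
class PixConfig:
    acls: dict = field(default_factory=dict)         # ACL name -> [(src_net, dst_net), ...]
    pools: dict = field(default_factory=dict)        # pool name -> (first, last)
    group_pool: dict = field(default_factory=dict)   # vpngroup -> pool name
    group_split: dict = field(default_factory=dict)  # vpngroup -> split-tunnel ACL name
    nat0_acl: str = ""                               # ACL referenced by nat (...) 0


def parse_config(text):
    """Pull the pool, nat 0, ACL and vpngroup lines out of a PIX 6.x configuration."""
    cfg = PixConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, src, src_mask, dst, dst_mask = m.groups()
            # ipaddress accepts dotted-decimal masks; strict=False tolerates host bits.
            cfg.acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{src_mask}", strict=False),
                 ipaddress.ip_network(f"{dst}/{dst_mask}", strict=False)))
        elif m := NAT0_RE.match(line):
            cfg.nat0_acl = m.group(1)
        elif m := POOL_RE.match(line):
            cfg.pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                     ipaddress.ip_address(m.group(3)))
        elif m := GROUP_RE.match(line):
            group, keyword, value = m.groups()
            target = cfg.group_pool if keyword == "address-pool" else cfg.group_split
            target[group] = value
    return cfg


def pool_addresses(cfg, group):
    """Every internal address the group's pool can hand to a client."""
    first, last = cfg.pools[cfg.group_pool[group]]
    return [ipaddress.ip_address(n) for n in range(int(first), int(last) + 1)]


def check_group(cfg, group, lan):
    """Return a list of problems for one vpngroup; an empty list means the pool, the nat 0
    exemption and the split-tunnel ACL agree.  lan is the inside subnet behind the Server."""
    lan = ipaddress.ip_network(lan)
    nat_rules = cfg.acls.get(cfg.nat0_acl, [])
    split_acl = cfg.group_split.get(group)
    split_rules = cfg.acls.get(split_acl, [])
    problems = []
    for addr in pool_addresses(cfg, group):
        # nat 0: LAN sources must be exempt from translation towards this client address,
        # otherwise return traffic is translated and never matches the client's SA.
        if not any(lan.subnet_of(src) and addr in dst for src, dst in nat_rules):
            problems.append(f"{addr}: not exempt from NAT by ACL {cfg.nat0_acl}")
        # split tunnel: the client protects traffic to the ACL's sources, and the ACL's
        # destinations must include the client's own address for the rule to apply to it.
        if not any(addr in dst for _, dst in split_rules):
            problems.append(f"{addr}: not a destination in split-tunnel ACL {split_acl}")
    if not any(lan.subnet_of(src) for src, _ in split_rules):
        problems.append(f"{lan}: not a source in split-tunnel ACL {split_acl}")
    return problems


def tunneled_networks(cfg, group):
    """Networks a client in this group sends through the tunnel; all else goes in clear text."""
    return [src for src, _ in cfg.acls.get(cfg.group_split.get(group), [])]


if __name__ == "__main__":
    config = parse_config(SAMPLE_CONFIG)
    print("tunneled:", [str(n) for n in tunneled_networks(config, "smallgroup")])
    print("problems:", check_group(config, "smallgroup", "192.168.0.0/24") or "none")
```

Run it against the example as written and it reports no problems and a single tunneled network, 192.168.0.0/24. Widen the pool to start at 192.168.0.200 without touching the two ACLs and every address below .240 is flagged twice, once for the missing NAT exemption and once for the split-tunnel ACL, which is exactly the mismatch that produces "the tunnel comes up but nothing works" tickets.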

Easy VPN Remote Support for 6.x
Starting in FOS 6.2, a PIX 501 or 506/506E can perform the function of an Easy VPN Remote, initiating client connections to an Easy VPN Server, like a VPN 3000 concentrator, a Cisco IOS router, or another PIX or ASA security appliance. If you recall from Chapter 14, "3002 Hardware Client," and Chapter 18, "Router Remote Access Connections," the 3002 and the 800, ubr900, and 1700 routers are also hardware clients. One advantage of setting up a low-end PIX as a Remote is that minimal configuration is needed on the PIX to establish an IPsec session to an Easy VPN Server: policies are centralized on the Server and pushed down to the Remote during IKE Mode Config, and individual users behind the PIX do not need to load an IPsec software client on their desktops. Also, the low-end PIXs can perform Server functions to handle a small number of Remote connections.

Tip
A low-end PIX is an ideal hardware client for SOHO environments where you have a cable or DSL modem connection and need to use split tunneling. Plus, the PIX provides many security features to deal with the traffic that is not protected. Therefore, it's my preferred hardware client in this situation, which is ideal for the 2 or 3 users that need to work from home.

The PIX Remote supports many of the features of the Cisco VPN Client software and the VPN 3002, including:

- Pre-shared key and certificate device authentication
- Client and network extension modes
- Split tunneling and split DNS
- Backup server lists (6.3)
- AES encryption (6.3) and DH group 5 (6.3)
- Unit authentication (6.2), individual user authentication (6.3), and secure unit authentication (6.3), which is similar to Interactive Unit Authentication on the 3002

Note
Version 7.0 is not supported on the 501 and 506/506E PIX firewalls, only on the PIX 515/515E, 525, and 535. Therefore, it is not currently possible to configure a PIX (or ASA) running 7.0 as an Easy VPN Remote device.

The following two sections will discuss the commands to configure a low-end PIX as a Remote and also an example configuration.

6.x Easy VPN Remote Configuration
Like a low-end IOS router Remote device, configuring a low-end PIX Remote is straightforward and requires few commands. Use the following commands to set up the PIX Remote to connect to the Easy VPN Server:

pix(config)# vpnclient vpngroup group_name password preshared_key
pix(config)# vpnclient username XAUTH_username password XAUTH_password
pix(config)# vpnclient server Server_IP_address_1 [Server_IP_address_2 ... Server_IP_address_11]
pix(config)# vpnclient mode {client-mode | network-extension-mode}
pix(config)# vpnclient mac-exempt MAC_addr_1 MAC_mask_1 [MAC_addr_2 MAC_mask_2]
pix(config)# vpnclient management tunnel IP_address_1 subnet_mask [IP_address_2 subnet_mask]
pix(config)# management-access interface_name
pix(config)# vpnclient nem-st-autoconnect
pix(config)# vpnclient enable
pix(config)# vpnclient connect
pix(config)# vpnclient disconnect

The vpnclient vpngroup password command is used if the group on the Server is using pre-shared keys for device authentication; if you are using certificates, this command is omitted (certificate authentication on a Remote requires FOS 6.3). Group names cannot exceed 63 characters and cannot contain any spaces, and the pre-shared key cannot exceed 127 characters. For user authentication/XAUTH (assuming it is enabled on the Server, which it probably is), you must define the Remote's username and password with the vpnclient username command if device, or unit, authentication is being used. Neither the username nor the password can exceed 127 characters. The vpnclient server command specifies one or more Server addresses the Remote should use to connect to the central site. The first address is the primary address, which can be followed by up to ten backup Server addresses (in 6.3 only). When connecting to a Server, if a Server is not reachable within five seconds, the Remote will try the next server in the list. If the Server has a defined backup list, the PIX Remote will replace its list of backup servers with that given to it by the Server during IKE Mode Config.

The vpnclient mode command specifies whether the PIX should use client or network-extension mode for the connection to the Server. When you configure client mode, your PIX must be a DHCP server for its inside interface, handing out addressing information to the connected SOHO devices. With client mode, the PIX also will perform PAT automatically on the SOHO IP addresses to the internal address assigned by the Server, for all local LAN traffic that needs to be protected across the tunnel to the central site. If you have IP Phones behind the PIX Remote, you must use network extension mode for the connection type. And if you've enabled either user authentication or IUA/SUA for the group the PIX Remote belongs to, you'll need to exclude any MAC addresses of IP phones and printers that need to initiate or send traffic across the tunnel, which is accomplished with the vpnclient mac-exempt command on the Remote; this command requires FOS 6.3 on your PIX Remote. You can list two MAC addresses and masks. To match on all Cisco IP Phones, you would specify the following MAC address and mask: 0003.E300.0000 FFFF.FF00.0000 (all Cisco IP Phones' MAC addresses begin with "0003.E3").

Note
If your PIX Remote is connecting to a VPN 3000 concentrator and you'll be using network extension mode, this policy must be enabled on the concentrator also; however, this is not true if the Easy VPN Server is an IOS router or a PIX/ASA appliance.

To manage the PIX Remote from the central site across the tunnel, you need to configure two commands: vpnclient management tunnel and management-access. The first command specifies IP addresses, from the Server's network, that are allowed to manage the Remote via the tunnel. The second command specifies which interface should be used to terminate the management connections; for tunnel connections, this should be "inside." Once configured, you can then use Telnet, SSH, HTTPS (PDM), SNMP polls, and ping to access the IP address of the configured management interface in the management-access command.

The vpnclient nem-st-autoconnect command specifies that the Remote should automatically bring up an IPsec session to the Server whenever the split-tunneling policy has been enabled on the Server and pushed to the Remote. This command is necessary only for network extension mode. In client mode, all traffic is sent to the Server and thus there is little likelihood of the IPsec tunnel timing out to the Server; however, this is more likely when split tunneling is enabled and more traffic is going to other places on the Internet than to the Server site.

The vpnclient enable command allows an IPsec session to be initiated to the configured Server(s). To bring a tunnel up manually, use the vpnclient connect command. In network extension mode, user traffic will do this automatically, so this command typically is used for testing purposes. To terminate a tunnel, use either the no vpnclient connect or the vpnclient disconnect command. Also, to remove the VPN client configuration on your PIX Remote completely, use the clear vpnclient command, which removes all of the vpnclient commands.

Note
Just as with routers functioning as Remote devices, when a PIX is configured as a Remote, you don't need to configure ISAKMP policies, transform sets, crypto ACLs, and crypto maps on the PIX Remote.

Using Certificates for Remote Access
In 6.3 the Easy VPN Remote and Server functions on PIX security appliances support X.509 digital certificates via ISAKMP/IKE main mode for device authentication. In 6.2, only pre-shared keys were supported, via aggressive mode. How you obtain a certificate on a PIX Remote is the same as if it were terminating an L2L session; this was discussed in the last chapter. If you omit the vpnclient vpngroup command from the last section on configuring a PIX Remote, digital certificates will be used for device authentication. However, when a PIX is configured as a Remote, it will not check a CRL to see if the Server's certificate has been revoked, which could be used in a man-in-the-middle attack! Because of this security concern, Cisco has added a command you can configure on the Remote to examine certain fields on the certificate to determine if the Remote will accept the Server's certificate:

pix(config)# ca verifycertdn X.500_string

The X.500 string is a list of fields and values that must appear on the Server's identity certificate. For example, "ca verifycertdn cn*server, ou=perimeter, o=cisco, st=ca, c=us" would match on a CN containing "server" and on the rest of the certificate fields exactly matching the above parameters. On the Server, view the personal identity certificate to determine which fields you want to validate on the Remote.

Note

255. shown in Example 22-2.1 vpnclient mode network-extension-mode vpnclient vpngroup client-access password ******** vpnclient username RemotePIX password ******** vpnclient management tunnel 192.Remember to put the group name of the PIX Remote in the OU/Department field of its identity certificate so that the Easy VPN Server knows what policies to apply to the Remote. Verifying Your 6. Remote Configuration Verification Remote# show vpnclient LOCAL CONFIGURATION vpnclient server 192.0 255. displays the Easy VPN Remote's configuration and any policy information downloaded from the Server. To see more details about the configuration of the Remote.1.0. Example 22-2.x Remote Configuration and Connection The show vpnclient command. add the detailparameter to the preceding command.0 vpnclient enable .1.168.255.

Example 22-3. however.1. Reference numbers in parentheses are listed to the right of the output. The beginning output is the same as the show vpnclient command. two additional sections are added: STORED POLICY displays any policies the Remote has received from the Server that it has saved locally and the RELATED CONFIGURATION section has the related commands the Remote created dynamically to build an IPsec tunnel to the Server. which is explained after the example.DOWNLOADED DYNAMIC POLICY Current Server Default Domain PFS Enabled : 192.com : No Secure Unit Authentication Enabled : No User Authentication Enabled Backup Servers : None : No Example 22-3 illustrates the use of the detail parameter.1 : cisco.1. Remote Configuration Verification Details .

1.1.168.255.Remote# show vpnclient detail LOCAL CONFIGURATION vpnclient server 192.1 : cisco.255.0 vpnclient enable DOWNLOADED DYNAMIC POLICY Current Server Default Domain PFS Enabled : 192.0 255.0.1.1 vpnclient mode network-extension-mode vpnclient vpngroup client-access password ******** vpnclient username userX password ******** vpnclient management tunnel 192.1.com : No Secure Unit Authentication Enabled : No User Authentication Enabled Backup Servers : None : No .

1.168.255.168.1.255.0 output omitted crypto ipsec transform-set _vpnc_tset_1 esp-aes256 esp-sha-hmac (3) crypto ipsec transform-set _vpnc_tset_2 esp-aes256 esp-md5-hmac output omitted crypto ipsec transform-set _vpnc_tset_11 esp-null .0 255.1 192.168.0.255.0 any access-list_vpnc_acl permit ip host 192.0 255.STORED POLICY Secure Unit Authentication Enabled : No Split Networks Backup Servers : None : None RELATED CONFIGURATION sysopt connection permit-ipsec (1) output omitted nat (inside) 0 access-list _vpnc_acl (2) output omitted access-list_vpnc_acl permit ip 192.255.

esp-sha-hmac crypto map _vpnc_cm 10 ipsec-isakmp (4) crypto map _vpnc_cm 10 match address _vpnc_acl crypto map _vpnc_cm 10 set peer 192.1.1.1 crypto map _vpnc_cm 10 set transform-set _vpnc_tset_1 _vpnc_tset_2 _ vpnc_tset_3 _vpnc_tset_4 _vpnc_tset_5 _vpnc_test_6 _vpnc_tset_7 _ vpnc_tset_8 _vpnc_tset_9 _vpnc_tset_10 _vpnc_tset_11 crypto map _vpnc_cm interface outside isakmp enable outside isakmp key ******** address 192.1.1.1 netmask 255.255.255.255 isakmp keepalive 10 5 isakmp nat-traversal 20 isakmp policy 65001 authentication xauth-pre-share isakmp policy 65001 encryption aes-256 isakmp policy 65001 hash sha isakmp policy 65001 group 2 isakmp policy 65001 lifetime 86400 (5)

output omitted isakmp policy 65018 authentication pre-share isakmp policy 65018 encryption des isakmp policy 65018 hash md5 isakmp policy 65018 group 2 isakmp policy 65018 lifetime 86400

Here is an explanation of the references in Example 22-3:

1. IPsec traffic is exempted from ACL checking on the Remote's outside interface.
2. Any traffic from the Remote's local network, 192.168.1.0/24, including the Remote's inside interface address, 192.168.1.1, is exempt from address translation for the tunnel; in this example, the Remote is using network extension mode.
3. Eleven transform sets are created automatically to protect the data connection; one of these has to match a transform set on the Easy VPN Server.
4. A static crypto map entry is created automatically for the Server connection; you can see that the _vpnc_acl ACL is used to specify the traffic to protect, and the 11 transform sets created are referenced in the crypto map entry.
5. ISAKMP is enabled and a pre-shared key is created dynamically for the Server; 18 different ISAKMP policies are created for possible use in protecting the management connection to the Server, where at least one of these has to exist on the Server for the management connection to be built.
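Because a 6.x PIX Remote does not check a CRL, the ca verifycertdn string described earlier under "Using Certificates for Remote Access" is the only thing standing between the Remote and any valid certificate issued by the same CA. The following is an added example of mine, not code from the book or from Cisco: a small Python model of that DN check, applied to a few constructed Server certificate subjects, so you can see which a given verify string accepts. The "*" operator is modelled as "field contains", "=" as an exact match, as the text describes; case-insensitive comparison and the handling of a missing field are my assumptions, since the page does not state them.

```python
"""Added example (not from the book): a model of the Server-certificate DN check that the PIX
Remote's 'ca verifycertdn' command performs, used to see which certificates it would accept."""


def parse_dn(dn):
    """Split an X.500 DN such as 'cn=vpn1, ou=perimeter, o=cisco' into {attribute: value}."""
    fields = {}
    for part in dn.split(","):
        if "=" not in part:
            continue
        attr, _, value = part.partition("=")
        fields[attr.strip().lower()] = value.strip()
    return fields


def parse_verify_string(spec):
    """Turn the ca verifycertdn string into (attribute, operator, value) rules.
    'attr=value' demands an exact match; 'attr*value' demands that the field contain value."""
    rules = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        for i, ch in enumerate(part):
            if ch in "=*":
                rules.append((part[:i].strip().lower(), ch, part[i + 1:].strip()))
                break
        else:
            raise ValueError(f"rule without '=' or '*': {part!r}")
    return rules


def dn_matches(spec, subject_dn):
    """True if every rule in spec is satisfied by the certificate subject.  Comparison is
    case-insensitive and a missing field is a failure; both are assumptions of this model."""
    subject = parse_dn(subject_dn)
    for attr, op, want in parse_verify_string(spec):
        have = subject.get(attr)
        if have is None:
            return False
        if op == "=" and have.lower() != want.lower():
            return False
        if op == "*" and want.lower() not in have.lower():
            return False
    return True


# The verify string from the text, and constructed subject DNs to try against it.
VERIFY_SPEC = "cn*server, ou=perimeter, o=cisco, st=ca, c=us"
CANDIDATES = {
    "real server":      "cn=vpnserver1, ou=perimeter, o=cisco, st=ca, c=us",
    "other department": "cn=vpnserver2, ou=engineering, o=cisco, st=ca, c=us",
    "wrong host name":  "cn=gateway1, ou=perimeter, o=cisco, st=ca, c=us",
    "field missing":    "cn=vpnserver1, o=cisco, st=ca, c=us",
}


def evaluate(spec=VERIFY_SPEC, candidates=CANDIDATES):
    """Map each candidate label to whether the Remote would accept that certificate."""
    return {label: dn_matches(spec, dn) for label, dn in candidates.items()}


if __name__ == "__main__":
    for label, accepted in evaluate().items():
        print(f"{label:18s} -> {'accept' if accepted else 'reject'}")
```

Only the first candidate passes. Note what the check does not do: a certificate whose DN already matches the string (for example the Server's own certificate after its key has been compromised and the certificate revoked) is still accepted, because revocation is never consulted. Keep the verify string as specific as the Server's DN allows, and treat it as a mitigation, not a substitute for CRL checking.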

6.x Easy VPN Remote Example Configuration
To show you how easy it is to set up a PIX as an Easy VPN Remote, I'll illustrate an example configuration. Figure 22-2 displays the network I'll use and Example 22-4 shows the Remote's configuration. In this example, the Remote belongs to a group called "hwclients," which uses pre-shared keys. The XAUTH username and password are defined, as is the Easy VPN Server address. The connection mode is network extension, where management access is allowed from the central site to the inside interface of the Remote. If a split tunneling policy is enabled for the "hwclients" group on the Server, the vpnclient nem-st-autoconnect command ensures that an IPsec tunnel remains up between the Remote and the Server. Last, I enabled Easy VPN on the Remote and then manually brought up the tunnel to test the connection.

Figure 22-2. 6.x PIX Easy VPN Remote Example

Example 22-4. PIX Remote Configuration Example

Remote(config)# vpnclient vpngroup hwclients password secretpass
Remote(config)# vpnclient username RemotePIX password PIXpass
Remote(config)# vpnclient server 192.1.1.1
Remote(config)# vpnclient mode network-extension-mode
Remote(config)# vpnclient management tunnel 192.168.0.0 255.255.255.0
Remote(config)# management-access inside
Remote(config)# vpnclient nem-st-autoconnect
Remote(config)# vpnclient enable
Remote(config)# vpnclient connect

You can use the debug crypto isakmp command on the Remote or Server to troubleshoot the establishment of the management connection, and the debug crypto ipsec command for the data connections. The two debug commands are discussed in more depth in Chapter 23, "Troubleshooting PIX and ASA Connections." Plus, you can use the show vpnclient detail command to display the Remote's configuration, policies downloaded from the Server, and all commands the Remote created dynamically to allow for the IPsec session to be built to the Server.

Easy VPN Server Support for 7.0
Continued support for Easy VPN Server is provided in FOS 7.0. However, the configuration of an Easy VPN Server is very different than what I discussed earlier for 6.x. Many, many new enhancements have been made to the Server function, putting the PIX and ASA more in line with the IPsec capabilities of the VPN 3000 concentrators. This part of the chapter will focus on the configuration of a PIX/ASA as an Easy VPN Server. The following are tasks you need to perform on the 7.0 security appliance to set it up as a Server:

- Enabling ISAKMP, including policies (discussed in the last chapter)
- Defining IP address pools (discussed previously in the "Address Pool Configuration for 6.x" section)
- Creating tunnel groups (this is new in 7.0)
- Specifying where user accounts are located, locally on the PIX/ASA or on an AAA server (discussed previously in the "XAUTH User Authentication Configuration for 6.x" section)
- Creating user accounts, if specified locally
- Defining IPsec transform sets for data connections (discussed in the last chapter)
- Creating a dynamic crypto map for remote access users (discussed in the last chapter)
- Referencing the dynamic crypto map as an entry in a static crypto map (discussed in the last chapter)
- Activating the static crypto map on the PIX/ASA's interface

Because I described many of the above tasks previously in this and the last chapter, the next few sections will focus on configurations unique to FOS 7.0, including:

- Understanding Tunnel Groups
- Defining Group Policies
- Creating Tunnel Groups
- Creating User Accounts for XAUTH

Following these sections, I'll also discuss issues with remote access sessions and solutions that are provided in FOS 7.0, and an example that will illustrate the configuration of an Easy VPN Server running FOS 7.0.

Understanding Tunnel Groups
The main IPsec change from 6.3 to 7.0 is the introduction of the tunnel group feature. Tunnel groups are used to simplify the configuration and management of your IPsec sessions. Tunnel groups allow you to define VPN session policies associated with a particular session or group of sessions, like a related group of remote access users or L2L sessions. A tunnel group might include parameters such as general policy information and information to build IPsec sessions. Tunnel groups must be configured locally on a PIX/ASA. By default, two tunnel groups already are created on your PIX/ASA: "DefaultL2LGroup" for L2L sessions and "DefaultRAGroup" for remote access sessions.

The use of tunnel groups involves three configuration steps:

Step 1. Define group policies.
Step 2. Create tunnel groups.
Step 3. Create user accounts for XAUTH.

The above three tasks replace the function of the vpngroup command in FOS 6.x. The following three sections will discuss each of these steps in more depth.

Defining Group Policies
Group policies define attributes you want to assign to remote access clients during IKE Mode Config that belong to a particular remote access group. A group policy is used to define attributes associated with a user or group of users, and it is associated with a tunnel group. A default group policy, called "DfltGrpPolicy," exists on the security appliance for users who are not associated with a specific remote access group (similar to the Base Group on a VPN 3000 concentrator).

These policies either can be defined locally or on an AAA RADIUS server. This section discusses how you create group policies, and the next section discusses how you associate the policies to a tunnel group that is used for the remote access clients.

Group Policy Locations
Your group policies for your remote access users can be defined locally or on an AAA RADIUS server; TACACS+ is not supported. Creating policies locally is done with the group-policy command, which specifies the group name the remote access users will use. Once policies are created, you then must associate them with a tunnel group. To define the location of a group's policies, use the following command:

security(config)# group-policy group_policy_name {internal [from group_policy_name] | external server-group server_tag password server_password}

The group-policy command can be used to specify the location of the group policy information: internal specifies that the policies are defined on the PIX/ASA itself and external on an AAA RADIUS server. If you specify internal, you can even specify, for the group policy, whatever other group policy it should use to get its default policies from (similar to the VPN 3000 concentrators' Base Group feature). The server_tag parameter specifies which AAA RADIUS server to use, by looking for the same tag in the aaa-server commands, and server_password is the password for the access.

Default Group Policies
There is a default group policy, called "DfltGrpPolicy," on the appliance, which supports the following default policies (you can treat this as the Base Group found on a VPN 3000 concentrator). These can be viewed with the show running-config all group-policy DfltGrpPolicy command.

- Default domain name: none
- DNS server addresses: none
- Split DNS: disabled
- WINS server addresses: none
- Access hour restrictions: none
- Simultaneous login restrictions: 3
- Tunnel session idle timeout: 30 minutes
- Maximum session connection timeout: none
- Filter applied to tunneled traffic: none
- Supported tunneling protocol: IPsec and WebVPN
- Allowing a user to store the XAUTH password locally: disabled
- Re-authenticate users upon expiration of the tunnel: disabled
- Locking a user into a group: disabled
- Restricting client types and version: disabled
- Compression of tunneled traffic: none
- Using PFS: no
- Login banner: none
- Backup server list: use the client-defined list
- Using IPsec over UDP: disabled
- For IPsec over UDP, the default port number: 10,000
- Split tunneling policy: disabled (tunnel all traffic)
- Split tunneling network list: none
- Software client firewall policy: none
- Secure unit authentication for hardware clients: disabled
- User authentication for hardware clients: disabled
- User authentication idle timeout: none
- IP phone bypass feature for user authentication: disabled
- LEAP bypass feature for user authentication: disabled
- Network extension mode for hardware clients: disabled

Default and Specific Group Policy Attribute Configuration
You can change the values for the default group policy or define local policies for specific internal groups with the group-policy attributes command.

. domain_nameX security(config-group-policy)# wins-server value IP_address [IP_address] security(config-group-policy)# dhcp-network-scope IP_network_# security(config-group-policy)# vpn-access-hours value time_range_name security(config-group-policy)# vpn-simultaneouslogins number .groups with the group policy attributes command. The configuration of the policy attributes is shown here: security(config)# group-policy {DfltGrpPolicy | group_policy_name} attributes security(config-group-policy)# domain-name domain_name security(config-group-policy)# dns-server value IP_address [IP_address] security(config-group-policy)# split-dns domain_name1 domain_name2 ..

security(config-group-policy)# vpn-idle-timeout minutes
security(config-group-policy)# vpn-session-timeout minutes
security(config-group-policy)# vpn-filter value ACL_name
security(config-group-policy)# vpn-tunnel-protocol [ipsec] [webvpn]
security(config-group-policy)# password-storage {enable | disable}
security(config-group-policy)# re-xauth {enable | disable}
security(config-group-policy)# group-lock value tunnel_group_name
security(config-group-policy)# client-access-rule priority {permit | deny} type type version version
security(config-group-policy)# ip-comp {enable | disable}
security(config-group-policy)# pfs {enable | disable}
security(config-group-policy)# banner value string
security(config-group-policy)# backup-servers {server1 server2 ...

server10 | clear-client-config | keep-client-config}
security(config-group-policy)# ipsec-udp {enable | disable}
security(config-group-policy)# ipsec-udp-port port
security(config-group-policy)# split-tunnel-policy {tunnelall | tunnelspecified | excludespecified}
security(config-group-policy)# split-tunnel-network-list value ACL_name
security(config-group-policy)# client-firewall {none | {{opt | req} firewall_type} policy {AYT | CPP acl-in ACL_name acl-out ACL_name}}
security(config-group-policy)# secure-unit-authentication {enable | disable}
security(config-group-policy)# user-authentication {enable | disable}
security(config-group-policy)# user-authentication-idle-timeout minutes
security(config-group-policy)# ip-phone-bypass

{enable | disable}
security(config-group-policy)# leap-bypass {enable | disable}
security(config-group-policy)# nem {enable | disable}
The above configuration applies only if the group policy type is defined as internal from the previous section. Using the attributes parameter with the group-policy command takes you into a subcommand mode where you can change the policies for the default group policy or a specific group policy.

Note: These are policies for the group or groups, not the group itself. I discuss the use of groups in the next section.

The domain-name command allows you to specify a domain name to assign to a remote access device. The domain name can be up to 63 characters in length. The dns-server value command allows you to specify up to two DNS servers for the remote access clients. The use of these servers overrides the client's locally configured DNS servers unless

you set up split DNS with the split-dns command. Any domain names listed here will cause the client to use the DNS servers in the dns-server value command; other domain names will be resolved using the DNS server configured locally on the client. You can define as many domain names as you like for the split-dns command; however, the entire string cannot exceed 255 characters. The wins-server value command allows you to specify up to two WINS server addresses to assign remote access clients. The dhcp-network-scope command is used only when the appliance will obtain a user's internal IP address from a DHCP server. This command specifies the network number the DHCP server should pull a dynamic IP address from. I discuss the assignment of internal IP addresses to clients in the next section. The vpn-access-hours value command specifies a time range configuration to use to restrict a remote access device's VPN access, based on a time of day, day of week, or a specific day when connecting to the Easy VPN Server. The time range configured with the time-range command is the same as how you would configure this on IOS-based routers. The following commands configure a time range:
security(config)# time-range time_range_name
security(config-time-range)# absolute [start hh:mm date]

[end hh:mm date]
security(config-time-range)# periodic day_of_the_week hh:mm to [day_of_the_week] hh:mm
The name of the time range cannot exceed 64 characters. Upon executing the time-range command, you are taken into a subcommand mode. The absolute command specifies a specific, one-time-only period when access is allowed. The time is entered in an hours and minutes format based on a 24-hour time period, like 23:00 for 11 PM. The date is entered by entering the day of the month, followed by the name of the month, and then a 4-digit year, like "23 May 2005." If you don't enter a starting time, the current time is used; if you don't enter an ending time, the time period is infinite. For remote access, this typically is used to give a group temporary access to the Easy VPN Server; upon the end time, access is then denied. This type of configuration would be common for temporary consultants or extranet partners. The periodic subcommand is used more commonly in situations that occur periodically because it allows you to specify recurring time intervals when access is allowed. For the day_of_week parameter,

" "Friday. I highly recommend that you use an internal NTP master clock. periodic weekdays 07:00 to 18:00 would allow access from 7 AM to 6 PM Monday through Friday. it defaults to the first value." "Wednesday. but deny access any other time. "weekdays" (Monday through Friday)." "Sunday. The vpn-idletimeout command controls how long an idle Remote .you can use "Monday. but this can range from 02." "Tuesday. 483." "Saturday. The time is specified in an hour and minute format based on a 24-hour period. 147. so this should be a low value." "Thursday. The vpn-simultaneous-logins group policy command limits the number of simultaneous logins allowed for any single user. 647." "daily" (Monday through Sunday). The default is 3. Normally you don't want Remotes to share usernames and passwords. For example. If you omit the second day_of_week parameter. and "weekend" (Saturday and Sunday). Tip To ensure that the security appliance has the correct time when restricting VPN access usage. you also can specify more than one day for the day_of_weekparameter. This is especially true if the appliance is using certificates for device authentication.

session is allowed before it is terminated; this defaults to 30 minutes but can range from 1 to 35,791,394 minutes. The vpn-session-timeout command specifies a maximum number of minutes the Remote can connect to the Server before the Server disconnects the Remote, even if traffic is being transmitted between the two devices. There is no limit, but you can specify a value from 1 to 35,791,394 minutes. Once a tunnel is established from the Remote to the Server, the Server will allow all traffic that is tunneled to it to exit the tunnel. You can restrict traffic across the tunnel by using the vpn-filter value command, where you need to specify a named ACL on the Server. The vpn-tunnel-protocol command can be used to restrict what remote access protocol or protocols (IPsec or WebVPN) can be used by remote access users associated with the policy; the default is IPsec (only the ASA currently supports WebVPN). The password-storage command specifies the policy concerning the storage of the XAUTH password on the Remote. By default this is disabled. It is recommended to keep it disabled for software clients, but it must be enabled for hardware clients where the default authentication method is unit authentication (the username and password are stored on the hardware client). If you need to

support both software and hardware clients, in this situation create two policies: for the software clients, leave it disabled, and for the hardware clients, enable it. Also, for SUA and user authentication, you probably don't want to use this feature. The re-xauth command controls whether or not users must re-authenticate when IKE rekeying occurs (the management connection is rebuilt). By default this is disabled. If the rekeying interval is short, you'd probably want to keep this disabled. Plus, if you are using network extension mode and have IP phones at the remote site, this might cause the tunnel to fail if no user is there to perform the authentication. The group-lock command forces users who belong to a specific group to connect only to the specified group (the tunnel_group_name). This is disabled, by default, which allows a user to connect to any group if they know the pre-shared key for that group (assuming pre-shared key authentication is being used). The client-access-rule command allows you to restrict the termination of remote access sessions on the appliance, based on the type of client and the client's software version. The priority value ranks the rules, where 1 is the highest priority and is processed first by the Server. The type value is the type of VPN client, like "VPN 3002." You can't

choose any type; instead, the value you enter (including the quotes, if the client type is more than one word) must match exactly as it is displayed in the output of the show vpn-sessiondb remote command. This also is true of the client version in the version parameter. You can wildcard the version with an "*," like "4.*" (matches all 4.x versions), or "*" (by itself matches on any version). Also, for clients that don't send the type or version, you can specify "n/a" for each of these values. For example, client-access-rule 1 deny type WinNT version * prevents all software clients running on Windows NT from connecting to the appliance, whereas client-access-rule 2 permit type "Cisco VPN Client" version 4.* would allow all other software client connections, assuming that they were running some 4.x version of software. You can create only 25 of these rules per group policy. The ip-comp command allows for compression of IP packets using LZS compression. This should be used only by remote access groups with only software-based users using dialup connections; for broadband users, enabling this can affect their throughput negatively in most situations if the user has enabled compression inadvertently. Therefore, enable this policy attribute only when it is associated with a group of dialup-only users. The pfs command enables the use of DH for sharing

keys when building the data SAs during ISAKMP/IKE Phase 2; by default this is disabled. The banner value command specifies a banner that should be displayed once the Remote connects. By default, no banner is displayed. The banner can be up to 510 characters in length. You can't type the banner across multiple command lines in the banner value command; however, you can insert carriage returns into the banner by specifying "\n" in the banner message (this counts as two characters). The backup-servers command specifies a list of up to 10 backup Easy VPN Server addresses to push down to the Remote; the Remote then will erase any list it has and use this list. The default value is the keep-client-config parameter, which specifies that the client should use its locally configured backup server list. Specifying the clear-client-config parameter has the client remove its configured backup server list. IPsec over UDP is enabled with the ipsec-udp command (it's disabled by default). As with the VPN 3000 concentrators, this is enabled on a group-by-group basis, whereas IPsec over TCP and NAT-T are enabled globally with the isakmp command (discussed in the last chapter). If you enable IPsec over UDP, you must enable it manually on the Cisco VPN Client software and VPN 3002 hardware appliance; Cisco router and PIX Remotes currently

don't support IPsec over UDP. Remember that IPsec over UDP is proprietary to Cisco and will work only with certain Cisco devices. The default port number for IPsec over UDP is 10,000, but this can range from 4,001 to 49,151, except for 4,500, which is used by NAT-T. The split-tunnel-policy command allows you to specify whether or not split tunneling is enabled. By default, all traffic must be tunneled (the tunnelall parameter). If you configure the tunnelspecified parameter, traffic matching permit statements in the ACL defined in the split-tunnel-network-list command is tunneled and traffic matching the deny statements is sent in clear text. If you configure the excludespecified parameter, traffic that matches permit statements in the ACL defined in the split-tunnel-network-list command is sent in clear text and traffic matching the deny statements is protected. The client-firewall command is used to define the firewall policy the remote user (Cisco Windows VPN Client software) must use when connecting to the Server. The syntax of the command is slightly different based on the firewall that you want the user to use, so here's a list of the firewall commands based on the firewall that you want users to use:
hostname(config-group-policy)# client-firewall none

hostname(config-group-policy)# client-firewall {opt | req} custom vendor-id num product-id num policy {AYT | CPP acl-in ACL_name acl-out ACL_name} [description string]
hostname(config-group-policy)# client-firewall {opt | req} {zonelabs-zonealarm | zonelabs-zonealarmpro | zonelabs-zonealarmorpro} policy {AYT | CPP acl-in ACL_name acl-out ACL_name}
hostname(config-group-policy)# client-firewall {opt | req} cisco-integrated acl-in ACL_name acl-out ACL_name
hostname(config-group-policy)# client-firewall {opt | req} {sygate-personal | sygate-personal-pro | sygate-security-agent | networkice-blackice | cisco-security-agent}
I discussed the configuration of client firewall

policies on the concentrator in Chapter 7, "Concentrator Remote Access Connections with IPsec." The only difference between configuring it on the concentrator and the security appliance is that the security appliance uses a CLI. There are three firewall types: none (the default), opt (optional), and req (required). If you specify the latter two, you must specify the firewall software that the user must have installed and running. The two policies a firewall might support are Are You There (AYT) and CPP (Custom Policy Push or Protection). The CIC client (cisco-integrated) supports only CPP; Sygate, NetworkICE, and CSA only support AYT; and Zone Labs firewalls support both. For CPP, you must specify the name of an ACL you've already created on the appliance that will be used to filter traffic entering the client (acl-in) and another ACL that will be used to filter traffic leaving the client (acl-out). This is different from the VPN 3000 concentrator, where in a filter you can have both inbound and outbound rules: on the PIX/ASA, you must have a separate ACL for each. The rest of the commands discussed in the group policy attributes subcommand mode apply to only two hardware clients. The secure-unit-authentication command enables SUA (referred to as Interactive Unit Authentication on the VPN 3002

hardware client). When enabled, the hardware client will not store the XAUTH password on the box, which is necessary in this situation. This is disabled by default (unit authentication is used). If you enable it, you must specify an authentication server group tag to use for the tunnel group, which could be "LOCAL" or the default/device, which tells the appliance where to find the user accounts (this is discussed in the next section). The user-authentication command specifies that all users must authenticate to either bring up or to use an existing tunnel to the Server. This, too, is disabled by default, where only a single user must authenticate to bring up the tunnel and then all users can use the tunnel. With the user-authentication-idle-timeout command, you can override the default idle timeout for authenticated users, which defaults to 30 minutes. This value can range from 1 to 35,791,394 minutes. Please note that this command affects a user's access only through the tunnel, not the lifetime of the tunnel itself, which is negotiated during ISAKMP/IKE Phase 1. The ip-phone-bypass and leap-bypass commands also allow IP phones, and wireless devices using LEAP authentication, to bypass user authentication when enabled for a group. Both of these will not work properly if the Easy VPN Server is configured for SUA and no one

else has brought up the tunnel first. LEAP bypass is necessary only if the LEAP authentication needs to be performed across the IPsec tunnel to the network connected behind the Server. The nem command is used to enable network extension mode; by default, client mode is used for groups containing hardware clients. This mode should be used when you have devices at the Remote that the central office needs to establish connections to, such as a file server or IP phones.

Note: To set a group's policy value back to its default, use the attribute command followed by the none keyword, like vpn-idle-timeout none.

Creating Tunnel Groups
There are two default tunnel groups on your security appliance: "DefaultRAGroup" for remote access users and "DefaultL2LGroup" for site-to-site sessions. You can modify the properties of these default tunnel groups, but cannot delete them; however, you can create additional tunnel groups if necessary. The configuration of tunnel groups is different between remote access and L2L sessions. The next two sections will discuss each remote access tunnel group's properties and the third

section will discuss L2L tunnel group properties.

Remote Access Tunnel Group General Properties
Creating a tunnel group for remote access sessions requires either configuring the existing default remote access tunnel group (similar to the Base Group on a VPN 3000 concentrator) or creating specific tunnel groups. The configuration of a tunnel group for remote access sessions involves the configuration of two sets of properties: General and IPsec. The following commands discuss how to configure a remote access tunnel group's general properties:
security(config)# tunnel-group group_name type ipsec-ra
security(config)# tunnel-group {DefaultRAGroup | group_name} general-attributes
security(config-general)# address-pool [(interface_name)] address_pool1 [...address_pool6]
security(config-general)# dhcp-server hostname1 [...hostname10]
security(config-general)# authentication-server-group {LOCAL | AAA_server_tag}

security(config-general)# authorization-server-group {LOCAL | AAA_server_tag}
security(config-general)# accounting-server-group {LOCAL | AAA_server_tag}
security(config-general)# default-group-policy {DfltGrpPolicy | group_policy_name}
security(config-general)# strip-realm
security(config-general)# strip-group
security(config-general)# exit
The tunnel-group type command specifies the type of the tunnel: the ipsec-ra parameter indicates that the tunnel type is for remote access client sessions. The group name for the tunnel group clumps together the tunnel-group commands. The tunnel-group general-attributes command specifies general attributes for the remote access tunnel of the specified group name, which can include the default group (DefaultRAGroup). This command takes you into a subcommand mode where you can configure the general properties for the remote access group. The address-pool command specifies the address pool or pools created by the ip local pool command

that should be used by the group. I discussed the ip local pool command earlier in the "Address Pool Configuration for 6.x" section. You can define up to six different address pools for a single group. You can qualify which logical interface name on the appliance the pool should be used with; this is necessary only if clients might terminate their VPN tunnel on more than one interface on the appliance. If you don't specify an interface name, the address pool(s) can be used for any interface the client terminates its VPN tunnel on. The configuration of local pools, as shown in the following code, is necessary when the vpn-addr-assign command specifies the local parameter:
security(config)# vpn-addr-assign {aaa | dhcp | local}
There are no defaults to this global command, so you must specify where remote access users will obtain their addressing from. If you specify aaa, you'll need to define the addresses on the AAA RADIUS server in each user's account; this is discussed further in this section. If you specify dhcp, you must use the dhcp-server command to define the IP address or name of the DHCP server or servers that have the user's addressing information; you can define up to 10

DHCP servers. For AAA authentication and authorization functions, if you're using an AAA server to store the user accounts and addressing information, you must use the authentication-server-group command to specify the AAA group tag that defines the protocol and AAA servers that contain this information (this references the aaa-server commands on the appliance). If you specify LOCAL (the default, if unspecified), the appliance will look for the user accounts on the PIX/ASA itself by searching for username commands, discussed later in the "Creating User Accounts for XAUTH" section of this chapter. If you've defined your group policies on the PIX/ASA appliance with the group-policy commands, you don't need to configure AAA authorization in the tunnel group (it defaults to LOCAL); otherwise, if the group policies are on an AAA RADIUS server, you need to specify the AAA group tag to use to download the group policies (this references the aaa-server commands that tell the appliance what protocol and server or servers to use). This is configured with the authorization-server-group command. You can create accounting records on your AAA server, like when a user brought up a tunnel and authenticated. To perform this function, configure

the accounting-server-group command and the required AAA group tag that references the AAA server or servers that will store the accounting records. There is no option for storing these records locally on the PIX/ASA, or for sending them as syslog messages to a syslog server.

Note: If you're using AAA, in most cases, the AAA group tag is the same for authentication, authorization, and accounting; however, you can have different sets of servers handling the three separate functions. The configuration of AAA on the security appliance is beyond the scope of this book.

The default-group-policy command references the name of the group policy (configured with the group-policy commands discussed in the last section) that should be used for this group. You can specify the default policy (DfltGrpPolicy) or specify a specific group policy you created. Only one policy can be applied to a group. If you forget to define a policy, the default group policy is used. The strip-realm command, when configured, causes the appliance to strip off any realm qualifier in the user's XAUTH information. With many systems, the user might send something like username@realm; this command would strip off

the "@realm" portion of the username. The strip-group command performs the same function, removing any group name that is appended to the user's name in this format: username@group. This would be required when authentication is occurring externally on an AAA server and the AAA server doesn't support this capability. By default, both of these are disabled.

Remote Access Tunnel Group IPsec Properties
Once you've defined your general properties for your tunnel group, you're ready to define its ISAKMP/IKE/IPsec properties. This is done with the following configuration:
security(config)# tunnel-group group_name ipsec-attributes
security(config-ipsec)# pre-shared-key key
security(config-ipsec)# peer-id-validate {req | cert | nocheck}
security(config-ipsec)# chain
security(config-ipsec)# trustpoint trustpoint_name
security(config-ipsec)# authorization-dn-attributes {primary_attribute [secondary_attribute] | use-entire-name}
security(config-ipsec)# authorization-required

security(config-ipsec)# radius-with-expiry
security(config-ipsec)# client-update type type url url_string rev-nums revision_numbers
security(config-ipsec)# isakmp keepalive threshold number retry number
The tunnel-group ipsec-attributes command defines ISAKMP/IKE/IPsec attributes for your remote access group. Executing this command takes you into a subcommand mode where you can define your properties. If the remote access group is using pre-shared keys, use the pre-shared-key command to define the key. The key can be between 1 and 128 characters in length. If you're going to use certificates, omit the configuration of this command. When using certificates in your network, you can configure a certificate policy on your appliance with the peer-id-validate command. If you specify the req parameter, the peer must use a certificate. The cert parameter specifies that if the appliance has a certificate and an ISAKMP policy with certificates enabled, and the peer has and wants to use certificates, the appliance will use certificates for device authentication. The nocheck parameter specifies that the appliance should not check for the

use of certificates. If you don't configure a pre-shared key for the group with the pre-shared-key command, the default value for this command is req. Remember that if you'll be using certificates, you'll need an ISAKMP/IKE Phase 1 policy that includes certificates for device authentication. By default, the appliance will send only the root certificate of the CA that generated the appliance's identity certificate. If you are using a hierarchical implementation with certificates and want to send the appliance's subordinate root certificate and the certificates for the other higher-level root certificates, use the chain command. If your appliance has two identity certificates from two different roots, you can specify which identity certificate to use for the remote access group by using the trustpoint command followed by the name of the trustpoint that generated the appliance's identity certificate. You also can specify which field to use on the certificate for user authorization. By default, this is only the CN field on the certificate, but it can be changed with the authorization-dn-attributes command. Attributes you can specify are CN (common name), OU (organizational unit), O (organization), L (locality), SP (state/province), C (country), T (title), N (name), GN (given name), SN (surname), I (initials), UID (user ID), DNQ (DN

qualifier), SER (serial number), EA (e-mail address), and GENQ (generational qualifier). You can specify up to two attributes. The default value for the primary attribute is DN and the secondary attribute is OU. The use-entire-name parameter specifies that the appliance should use the entire subject DN information to derive the user name credentials. The authorization-required command specifies that a user must be authorized before allowing the user to connect (this is disabled, by default). If your appliance will be using MS-CHAPv2 to negotiate a password update with a user during authentication, you need to configure the radius-with-expiry command. This is necessary only if the remote client is using Cisco VPN Client software and the user account is stored on an AAA RADIUS server. Microsoft's L2TP/IPsec client is not presently supported. The client-update command specifies which clients should be running which version of software; if the client is not running the specified software version, it tells the client where to download the correct version. The type parameter refers to the type of client, which can be Win9X (Windows 95, 98, and ME), WinNT (Windows NT 4.0, 2000, and XP), Windows (all Windows platforms), and vpn3002 (3002 hardware client). The url parameter specifies the URL location to

download the file if the client isn't running the specified client version. For a VPN 3002 hardware client, the URL must use TFTP for the download; for the Windows client, use HTTP or HTTPS. The client version is specified by the rev-nums parameter, like 4.6.1 or 4.1.7.Rel. Within a tunnel group, you can specify up to four client update entries by executing the client-update command four times with different update entries. Only the 4.6 version of the Cisco VPN Client for Windows supports this feature for software clients; prior versions of the VPN Client require the user to download the software update, uninstall the software client, reboot the PC, install the new client, and re-reboot the PC.

Note: The VPN 3002 supports automatic updates. It will download the correct software version automatically, install it, and reboot itself. This process also is discussed in Chapters 12, "Cisco VPN Software Client," and 14, "3002 Hardware Client."

The isakmp keepalive threshold command defines the values for dead peer detection (DPD). The default threshold is to send an ISAKMP/IKE keepalive every 300 seconds for remote access

groups and every 10 seconds for L2L groups, but this can range from 10 to 3,600 seconds. If a response is not received for a keepalive, the appliance will retry in 2 seconds, but this value can range from 2 to 10 seconds.

L2L Tunnel Groups
FOS 6.x had one problem with IPsec VPNs: if you wanted to terminate both L2L and remote access sessions on a PIX, remote access users using pre-shared keys could be confused with L2L peers with dynamic addresses and wildcarded pre-shared keys, and treated as an L2L peer, causing session failures because the client was expecting XAUTH and IKE Mode Config. Version 7.0 uses tunnel groups to deal with this issue. I've already discussed how to set up tunnel groups and group policies for remote access users. With L2L sessions, you also can use tunnel groups to define properties for the L2L peers, as shown in the following configuration code:
security(config)# tunnel-group peer_name_or_IP_address type ipsec-l2l
security(config)# tunnel-group {DefaultL2LGroup | group_name} general-attributes
security(config-general)# accounting-server-group

{LOCAL | AAA_server_tag}
security(config-general)# exit
security(config)# tunnel-group peer_name_or_IP_address ipsec-attributes
security(config-ipsec)# pre-shared-key key
security(config-ipsec)# peer-id-validate {req | cert | nocheck}
security(config-ipsec)# chain
security(config-ipsec)# trustpoint trustpoint_name
security(config-ipsec)# isakmp keepalive threshold number retry number
The tunnel-group command specifies the L2L peer that is connecting to the appliance. If the ISAKMP identity type is IP address (configured with the isakmp identity command), then you specify the IP address of the peer; if the type is hostname, you specify the name of the remote peer. For peers that obtain their addresses dynamically, you would use the default L2L group (DefaultL2LGroup). The tunnel type must be configured as ipsec-l2l. The only general attribute that is applicable for L2L sessions is AAA accounting. For IPsec attributes, only

the pre-shared-key, peer-id-validate, chain, trustpoint, and isakmp keepalive threshold commands are applicable; these commands were discussed in the last section.

Creating User Accounts for XAUTH
On FOS 7.0 Easy VPN Servers, if you have defined a group policy for remote access users that specifies that their accounts are stored on the security appliance, you'll need to create the accounts and, possibly, specific user policies for your users. These specific user policies can override the group policies. For example, the group policy might specify that users in the group can connect to the appliance only during business hours; however, for a specific user or users you can override the group policy and define a different restriction, or ignore the restriction. To create users locally, use the following command:
security(config)# username user's_name password password [privilege privilege_level]
The username command creates a user's account; whatever password you configure on the appliance will be encrypted by the appliance automatically and cannot be seen once configured. The appliance

supports 16 privilege levels: 0 to 15, where 0 restricts the user to very few appliance commands and 15 allows access to all commands. If you don't specify the privilege level, it defaults to 2. When you add a user locally, it does not have any attributes associated with it and is associated with a group only when the user brings up a remote access session and either provides the group name with the pre-shared key or the group name is obtained from the user's certificate.

Caution: If AAA is enabled on your appliance, and if you are using these accounts for management access to the PIX, the XAUTH accounts can be used to access the PIX. Based on this issue, if you've defined both management and XAUTH accounts locally, set the privilege level to 0 for the XAUTH accounts, restricting what the user can execute on the appliance. If this is not an option, you can use an AAA server for the XAUTH accounts and then specify on the AAA server that local login access (to the ASA) is not allowed.

With 7.0, you now have the ability to define attributes specific to a user with the following commands:
security(config)# username user's_name attributes

plus.security(config-username)# vpn-group-policy group_policy_name security(config-username)# vpn-framed-ip-address IP_address security(config-username)# vpn-access-hours value time_range_name security(config-username)# vpn-simultaneouslogins number security(config-username)# vpn-idle-timeout minutes security(config-username)# vpn-session-timeout minutes security(config-username)# vpn-filter value ACL_name security(config-username)# vpn-tunnel-protocol [ipsec] [webvpn] security(config-username)# group-lock value tunnel_group_name security(config-username)# password-storage {enable | disable} The username attributes command takes you into a subcommand mode where the attributes you specify in this mode apply only to this user. any .

attributes you define here automatically override any group attributes assigned to the user based on the user's group membership. This command is commonly used for remote access clients that don't or can't specify a group name for their membership. If you don't configure this command. The vpn-group-policy command specifies the name of the group policy configured in the grouppolicy command that should be applied to the user. the user will use the attribute defined by the group policy that user is associated with. the user inherits no properties by default. that user should be associated with. but obtains these once the user connects and specifies the group name. or an AAA server. The vpn-framed-ip-address command allows you to assign a specific IP address to a user instead of assigning an address dynamically from a locally configured pool. If you don't configure any attributes for the user. . if any. This is useful if you have per-user policies based on ACLs behind the security appliance. I discussed the rest of the commands previously in the "Default and Specific Group Policy Attribute Configuration" section. and the user always must use the same IP address. allowing the user to inherit the policies from the specified policy. a DHCP server. after being authenticated.

but allow the use of default unit authentication. you could set up their usernames with the password-storage enable command. possibly.0 In this last section covering the 7. specific user policies. you still could put the hardware clients in the same group as remote access users. where you must store the XAUTH username and password locally on the hardware client.Once you've created your users and. Issues with Remote Access Sessions and Solutions in 7. By doing this. I'll discuss some issues related to remote access users.0 software and Easy VPN Servers. including problems and solutions related to the following:    Simultaneously supporting both remote access and L2L sessions Using more than one Server to handle remote access sessions Restricting the total number of VPN sessions . instead of creating a separate group for this small number of hardware clients. you can view them with the show running-config all username command. Tip For the one or two remote access hardware clients that are set up for default unit authentication.

Simultaneously Supporting Remote Access and L2L Sessions

One problem that has always existed on the PIX in FOS 6.x and earlier versions was supporting both remote access and L2L sessions simultaneously. Even when using certificates, there still might be a problem where:

- Certain remote access users are associated with an L2L session
- An L2L session is associated with a default remote access group

To overcome this problem, one solution is to create certificate map rules and then associate these rules with a particular tunnel group (assuming you're using certificates for device authentication). Certificate map rules allow you to look at X.500 information on a certificate, such as certain CN and/or OU values, and based on matching criteria you specify, you can associate the device of that certificate with a specific tunnel group. This ensures that remote access users are associated with remote access tunnel groups and L2L peers with L2L tunnel groups.

Using the certificate map rules feature involves two steps: configuring the certificate mapping rules and then associating them with a tunnel group. The following two sections will discuss each of these steps, followed by an example configuration.

Configuring Certificate Mapping Rules

Certificate mapping rules allow you to specify which fields on a certificate you want to examine and which values should be found in those fields. Creating a certificate mapping rule involves the following commands:

security(config)# crypto ca certificate map rule_#
security(config-ca-cert-map)# issuer {eq | ne | co | nc} value
security(config-ca-cert-map)# subject-name [attr tag] {eq | ne | co | nc} string

The crypto ca certificate map command is used to create mapping rules. You can create multiple rules, where each rule is given a different number from 1-65,535. Rules are processed in numerical order. Executing this command takes you into a subcommand mode.

The issuer command allows you to look at the issuer field on the identity certificate for a match; this can be used if you have two identity certificates from two different CAs and want to specify the correct IPsec tunnel group (and thus CA) to use for device authentication. You can match a value in the issuer field using the following values:

- eq: equal to the specified value
- ne: not equal to the specified value
- co: contains the specified value
- nc: does not contain the specified value

For example, issuer eq caserver in the rule specifies that the issuer on the certificate must match "caserver."

The subject-name command specifies which contents of the certificate will be associated with the rule. The match type parameter also is used in the subject-name command. If you don't specify the attr parameter, the entire identity certificate information is used when looking for a match in the string; otherwise, if you use this parameter, you can examine a specific field on the certificate: DNQ (DN qualifier), GENQ (generational qualifier), I (initials), GN (given name), N (name), SN (surname), SER (serial number), UNAME (unstructured name), EA (e-mail address), T (title), O (organization name), L (locality), SP (state/province), C (country), IP (IP address), OU (organizational unit), and CN (common name). As an example of matching on identity information on a certificate, if you configured subject-name attr cn eq "richard deal," this command would cause an identity certificate with the common name of "richard deal" to be associated with this rule. This might be necessary for this user if the user was originally in the sales group and then moved to marketing, where you currently are using the OU field for the group name. Instead of creating a new certificate for the user when the user moved to the new group, you could create the appropriate certificate matching rule and then associate the rule with the user's new group; when the rule is associated with a tunnel group, the user of this certificate then could be placed in the correct tunnel group.

Associating Certificate Mapping Rules with a Tunnel Group

Once you've created your certificate mapping rules, you can then use them by associating the rules with a tunnel group. First, you must specify which type of matching will be used to associate a user to a group with this command:

security(config)# tunnel-group-map enable {ike-id | ou | peer-ip | rules}

If you don't configure this command, the default matching is ou, which causes the appliance to use the OU field in a certificate when associating the remote access user or L2L peer to a group. The ike-id parameter specifies group matching when certificates are being used; this is not done by the OU value on the certificate, but instead on the ID information shared during ISAKMP/IKE Phase 1. The peer-ip parameter specifies that the IP address of the peer is used to associate a peer to a particular tunnel group. If you want to use your certificate matching rules, however, you must configure the above command with the rules parameter.

If you're using the certificate matching rules, you can then use the following command to associate a match for a particular rule to a specific tunnel group:

security(config)# tunnel-group-map rule_# default-group tunnel_group_name

This command associates a specific matching rule for a specific group.

Illustrating the Use of Certificate Mapping Rules

Example 22-5 illustrates the use of certificate mapping rules. In this example, Alina was originally in the sales group, had an OU value of "sales" on her certificate, and correctly was associated with the sales group. However, she was moved over to marketing and needs to use the policies associated with this group. The configuration in Example 22-5 accomplishes this, assuming the CN field on Alina's certificate is "alina deal." Otherwise, the OU field is used to associate users to the marketing or sales group. Also, one L2L peer, asapeer.cisco.com, who has a CN of "asapeer.cisco.com," is being associated to an L2L IPsec tunnel group called "asapeer."

Example 22-5. Using Certificate Mapping Rules
asa(config)# crypto ca certificate map 1
asa(config-ca-cert-map)# subject-name attr cn co "alina deal"
asa(config-ca-cert-map)# exit
asa(config)# crypto ca certificate map 2
asa(config-ca-cert-map)# subject-name attr ou eq marketing
asa(config-ca-cert-map)# exit
asa(config)# crypto ca certificate map 3
asa(config-ca-cert-map)# subject-name attr ou eq sales
asa(config-ca-cert-map)# exit
asa(config)# crypto ca certificate map 4
asa(config-ca-cert-map)# subject-name attr cn co asapeer.cisco.com
asa(config-ca-cert-map)# exit
asa(config)# tunnel-group-map enable rules
asa(config)# tunnel-group-map 1 default-group marketing
asa(config)# tunnel-group-map 2 default-group marketing
asa(config)# tunnel-group-map 3 default-group sales
asa(config)# tunnel-group-map 4 default-group asapeer

Note

If you are using certificate mapping with an appliance terminating both remote access and L2L sessions, you can use the above feature easily to look at certificate information for L2L peers and put them into the correct L2L group, and remote access users in the correct remote access group. However, certificate mapping could involve a lot of configuration on your part to associate the right device or user to the correct tunnel group on the appliance. Therefore, I typically try to use this as a last resort when associating a peer with the correct tunnel group.
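As an added example (not code from the book or from Cisco), the following Python model applies the rule semantics described above to the rules of Example 22-5: numbered rules walked in numerical order, eq/ne/co/nc on the issuer or on a subject attr, and the rule-to-group bindings. It assumes that every match line in a rule must hold and that comparisons are case-insensitive; the certificates it is fed are constructed.

```python
"""Model of how certificate map rules pick a tunnel group (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Certificate:
    """Constructed stand-in for the X.500 fields of an identity certificate."""
    issuer: str
    subject: Dict[str, str]  # attr tag -> value, e.g. {"cn": "alina deal", "ou": "sales"}

    def subject_string(self) -> str:
        # With no attr tag, the whole subject name is searched for the string.
        return ",".join(f"{tag}={value}" for tag, value in self.subject.items())


@dataclass
class Match:
    field: str                  # "issuer" or "subject-name"
    op: str                     # eq | ne | co | nc
    value: str
    attr: Optional[str] = None  # subject-name attr tag (cn, ou, ...), or None


@dataclass
class CertMapRule:
    number: int  # 1-65,535; rules are processed in numerical order
    matches: List[Match] = field(default_factory=list)


def _compare(op: str, actual: str, expected: str) -> bool:
    """eq/ne/co/nc as described above; case-insensitive here (assumption)."""
    a, e = actual.lower(), expected.lower()
    if op == "eq":
        return a == e
    if op == "ne":
        return a != e
    if op == "co":
        return e in a
    if op == "nc":
        return e not in a
    raise ValueError(f"unknown match type {op!r}")


def rule_matches(rule: CertMapRule, cert: Certificate) -> bool:
    """A rule fires only when every match line in it holds (assumption: ANDed)."""
    for m in rule.matches:
        if m.field == "issuer":
            actual = cert.issuer
        elif m.attr:
            actual = cert.subject.get(m.attr.lower(), "")
        else:
            actual = cert.subject_string()
        if not _compare(m.op, actual, m.value):
            return False
    return True


def select_tunnel_group(cert: Certificate, rules: List[CertMapRule],
                        rule_to_group: Dict[int, str]) -> Optional[str]:
    """Mirror 'tunnel-group-map enable rules': walk the rules in numerical order
    and return the default-group of the first matching rule that has a binding.
    If no rule matches, fall back to the default OU-based grouping (the OU value
    is the group name); None when the certificate carries no OU. How the
    appliance orders its own fallbacks is not modelled."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.number in rule_to_group and rule_matches(rule, cert):
            return rule_to_group[rule.number]
    return cert.subject.get("ou")


# Example 22-5 expressed as data: the four crypto ca certificate map rules and
# the tunnel-group-map lines that bind each rule number to a tunnel group.
EXAMPLE_22_5_RULES = [
    CertMapRule(1, [Match("subject-name", "co", "alina deal", attr="cn")]),
    CertMapRule(2, [Match("subject-name", "eq", "marketing", attr="ou")]),
    CertMapRule(3, [Match("subject-name", "eq", "sales", attr="ou")]),
    CertMapRule(4, [Match("subject-name", "co", "asapeer.cisco.com", attr="cn")]),
]
EXAMPLE_22_5_MAP = {1: "marketing", 2: "marketing", 3: "sales", 4: "asapeer"}


def example_22_5_group(cert: Certificate) -> Optional[str]:
    return select_tunnel_group(cert, EXAMPLE_22_5_RULES, EXAMPLE_22_5_MAP)


if __name__ == "__main__":
    # Constructed certificates: Alina still carries OU=sales, yet rule 1 wins
    # because it is evaluated before rule 3 and sends her to marketing.
    alina = Certificate("caserver", {"cn": "alina deal", "ou": "sales"})
    peer = Certificate("caserver", {"cn": "asapeer.cisco.com", "ou": "engineering"})
    print(example_22_5_group(alina), example_22_5_group(peer))  # marketing asapeer
```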

Using More than One Server to Handle Remote Access Sessions

With the introduction of FOS 7.0 and the ASA security appliances (5520s and 5540s), you now can use the load balancing feature (VCA) that only the VPN 3000 series concentrators originally supported. Unfortunately, this feature is not supported on the PIX security appliances, but one nice bonus is that the load balancing feature is fully compatible with the VPN 3000 concentrators and can be included in the same VCA cluster. As you recall from Chapter 10, "Concentrator Management," VCA requires that you set up a virtual IP address that the Easy VPN Remotes connect to. The master of the cluster handles this initial connection, examines the load across the members of the cluster, and sends back a physical address of the member with the least load. The Remote then connects to the physical address. If a member of the cluster fails, the Remote should be able to discover this quickly using DPD, reconnect to the virtual address, and thus be redirected to another member of the cluster.

Setting up VCA on an ASA involves the following commands:

asa(config)# vpn load-balancing
asa(config-load-balancing)# cluster ip address virtual_IP_address
asa(config-load-balancing)# cluster port port_#
asa(config-load-balancing)# cluster encryption
asa(config-load-balancing)# cluster key shared_secret_key
asa(config-load-balancing)# interface {lbprivate | lbpublic} logical_interface_name
asa(config-load-balancing)# nat IP_address
asa(config-load-balancing)# priority priority_#
asa(config-load-balancing)# participate

The vpn load-balancing command configures VCA, taking you into a subcommand mode to complete the configuration. The cluster ip address command specifies the virtual IP address of the cluster; this is what the Remotes will use for the Easy VPN Server address. The default port number of load balancing is UDP 9,023; this can be changed with the cluster port command. If you change the port number on one member in the cluster, you must match this on all members of the cluster. VCA messages sent between cluster members are not encrypted by default. The cluster encryption command enables the encryption of VCA messages and the cluster key command configures the encryption key to encrypt the messages (this must match what's configured on the other members). The interface command specifies which logical interface on the ASA should be associated with the public interface (lbpublic) and which with the private (lbprivate). The nat command is necessary only if an address translation device sits between the cluster and the Remotes. This command specifies the global address that represents the address of the ASA on its public interface. When performing redirection, the master will send the global address to the Remote, which the Remote will use to connect to the cluster member. The priority command is used to affect which cluster member is chosen as the master: the higher the number the more likely the member will be chosen. The priority can range from 1-10. If you don't configure it, the 5520 has a default priority of 5 and the 5540 a priority of 7. Last, you must enable load balancing with the participate command. To view your load balancing configuration, use the show running-config vpn load-balancing command; to view the runtime statistics of the operation of load balancing, use the show vpn load-balancing command.

Setting up load balancing, as you can see, is simple. I'll use Figure 22-3 to illustrate its configuration. Examples 22-6 and 22-7 show the configurations of the two ASAs. In this example, Remotes need to connect to 192.1.1.3, which, by default, ASA1 will handle because it has a higher priority.

Figure 22-3. ASA and Load Balancing

Example 22-6. Load Balancing on ASA1
asa1(config)# interface GigabitEthernet 0/1
asa1(config-if)# ip address 192.1.1.1 255.255.255.0
asa1(config-if)# nameif public
asa1(config-if)# security-level 0
asa1(config-if)# exit
asa1(config)# interface GigabitEthernet 0/2
asa1(config-if)# ip address 192.168.1.1 255.255.255.0
asa1(config-if)# nameif private
asa1(config-if)# security-level 100
asa1(config-if)# exit
asa1(config)# vpn load-balancing
asa1(config-load-balancing)# interface lbpublic public
asa1(config-load-balancing)# interface lbprivate private
asa1(config-load-balancing)# cluster ip address 192.1.1.3
asa1(config-load-balancing)# cluster key 123cisco
asa1(config-load-balancing)# cluster encryption
asa1(config-load-balancing)# priority 10
asa1(config-load-balancing)# participate

Example 22-7. Load Balancing on ASA2
asa2(config)# interface GigabitEthernet 0/1
asa2(config-if)# ip address 192.1.1.2 255.255.255.0
asa2(config-if)# nameif public
asa2(config-if)# security-level 0
asa2(config-if)# exit
asa2(config)# interface GigabitEthernet 0/2
asa2(config-if)# ip address 192.168.1.2 255.255.255.0
asa2(config-if)# nameif private
asa2(config-if)# security-level 100
asa2(config-if)# exit
asa2(config)# vpn load-balancing
asa2(config-load-balancing)# interface lbpublic public
asa2(config-load-balancing)# interface lbprivate private
asa2(config-load-balancing)# cluster ip address 192.1.1.3
asa2(config-load-balancing)# cluster key 123cisco
asa2(config-load-balancing)# cluster encryption
asa2(config-load-balancing)# participate

Note

Remember that members of a VCA cluster must be able to see each other off of all enabled interfaces. This means that the ASA must allow the VCA messages (UDP port 9,023) on any interface that contains an ACL. Also, the ASA must have an active 3DES/AES license; if it doesn't, any VCA configuration you've set up on the ASA is ignored by the ASA.

To use a PIX/ASA or not?

If I had to implement an Easy VPN Server or an L2L session and I had a choice between a PIX running FOS 6.x and another device, such as a concentrator for remote access or a router for L2L, I would very rarely choose the PIX because of its limitations. Some people like the 6.x software because setting up VPNs is simple, but the FOS 6.x software had too many limitations that typically wouldn't provide the functionality I or my customers needed. However, with the introduction of 7.0, Cisco has greatly enhanced the capabilities of the PIX/ASA, especially the ASA with its support of features like WebVPN and load balancing. Actually, if I had to choose between a router and a PIX/ASA for an Easy VPN Server, today I would easily choose the PIX/ASA because of their advanced capabilities. And if I needed a one-box solution, with firewall, remote access VPN, and intrusion prevention in one box, I definitely would consider the PIX/ASA over a VPN concentrator or an IOS router.

Restricting the Total Number of VPN Sessions

One problem you might face with your appliance is dealing with the large number of IPsec sessions terminating on it. This can be problematic if one group of remote access users is using up all of the VPN sessions allowed by the appliance, leaving none for other groups or for L2L sessions. With the ASAs, this is more of a concern on the 5510 and, possibly, the 5520, because of their VPN session license limits. One solution to this is to disconnect the users with the vpn-sessiondb logoff command:

security# vpn-sessiondb logoff {remote | l2l | webvpn | email-proxy | protocol protocol_name | name username | ipaddress IP_address | tunnel-group tunnel_group_name | index index_number | all}

As you can see from the above command, you can terminate all remote access users with the remote parameter, all L2L users with the l2l parameter, a specific user with the name parameter, a user based on their IP address with the ipaddress parameter, all members of a particular tunnel group with the tunnel-group parameter, and others. Also, if your appliance is overloaded, you can specify a lower limit of VPN sessions the appliance will accept. This is configured with the following command:

security(config)# vpn-sessiondb max-session-limit #_of_sessions

Illustrating an Easy VPN Server Configuration Example for 7.0

To better understand how tunnel groups and group policies are used to terminate Easy VPN Remote sessions on your security appliance acting as an Easy VPN Server, I'll now show you a simple configuration example. This is basically the same example I illustrated earlier in the "6.x Easy VPN Remote Example Configuration" section; however, this example will show you how to configure the Server running 7.0. In this example, I'll use a PIX 515E running Version 7.0 as the Server and the network shown previously in Figure 22-1. Example 22-8 shows the configuration of the Server. Reference numbers to the right of the configuration commands are explained below the example.

Example 22-8. Network with a 515E and 7.0 as an Easy VPN Server
Server(config)# interface ethernet0
Server(config-if)# ip address 192.1.1.1 255.255.255.0
Server(config-if)# nameif outside
Server(config-if)# exit
Server(config)# interface ethernet1
Server(config-if)# ip address 192.168.0.1 255.255.255.0
Server(config-if)# nameif inside
Server(config-if)# exit
Server(config)# isakmp policy 1 authentication pre-share                          (1)
Server(config)# isakmp policy 1 encryption 3des
Server(config)# isakmp policy 1 hash sha
Server(config)# isakmp policy 1 group 2
Server(config)# isakmp policy 1 lifetime 3600
Server(config)# isakmp enable outside
Server(config)# access-list split-tunnel permit 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0   (2)
Server(config)# group-policy salespolicy internal                                   (3)
Server(config)# group-policy salespolicy attributes
Server(config-group-policy)# domain-name cisco.com
Server(config-group-policy)# dns-server value 192.168.0.10
Server(config-group-policy)# split-dns cisco.com
Server(config-group-policy)# wins-server value 192.168.0.11
Server(config-group-policy)# vpn-session-timeout 15
Server(config-group-policy)# split-tunnel-policy tunnelspecified
Server(config-group-policy)# split-tunnel-network-list value split-tunnel
Server(config-group-policy)# client-firewall req sygate-personal-pro
Server(config-group-policy)# exit
Server(config)# ip local pool salespool 192.168.0.200-192.168.0.254               (4)
Server(config)# username salesuser password sales123                                (5)
Server(config)# tunnel-group salesgroup type ipsec-ra                               (6)
Server(config)# tunnel-group salesgroup general-attributes
Server(config-general)# address-pool salespool
Server(config-general)# exit
Server(config)# tunnel-group salesgroup ipsec-attributes
Server(config-ipsec)# pre-shared-key salesgroup123
Server(config-ipsec)# isakmp keepalive threshold 20 retry 10
Server(config-ipsec)# exit
Server(config)# crypto ipsec transform-set trans1 esp-3des esp-md5-hmac            (7)
Server(config)# crypto dynamic-map dyn1 1 set transform-set trans1                  (8)
Server(config)# crypto dynamic-map dyn1 1 set reverse-route
Server(config)# crypto map mymap 999 ipsec-isakmp dynamic dyn1
Server(config)# crypto map mymap interface outside
Server(config)# sysopt connection permit-ipsec

Here's an explanation of the references in the above example:

1. An ISAKMP/IKE Phase 1 policy is defined for pre-shared keys and ISAKMP is enabled on the PIX's outside interface.
2. A split tunneling ACL is configured: only the traffic sent to and from the Remotes to the cisco.com site is protected.
3. A policy called "salespolicy" is defined with the split tunneling policy, and with other parameters, including the requirement of Sygate's firewall with the AYT feature.
4. An address pool is created to be used in the assignment of internal addresses to the Remotes.
5. A user is defined and will inherit its attributes from the group it authenticates to.
6. A remote access group is created and associated with the address pool in reference (4) along with a pre-shared key of "salesgroup123."
7. A transform set is defined to protect the data SAs.
8. A dynamic and static crypto map are enabled, in addition to being activated on the outside interface. IPsec traffic is also exempted from ACL processing on the outside interface.

As you can see from this example, the configuration is more complex than an Easy VPN PIX Server running 6.2 or 6.3 code; however, you have much more flexibility and management in defining and associating policies for the Remote devices.

Note

The ASAs support the ability to terminate WebVPN sessions; however, the PIXs do not. The configuration of WebVPN is very similar to the configuration of it on Cisco routers, which was discussed in Chapter 18, "Router Remote Access Connections." Therefore, I've omitted the discussion of WebVPN from this chapter.

Summary

This chapter showed you the basics of setting up your security appliance as an Easy VPN Server using both the older PIX FOS (6.x) and the newer 7.0 (PIXs and ASAs). In 6.x, the PIX 501 and 506E can also be Remotes. And in 7.0, support for WebVPN was added for the ASAs.

Next up is Chapter 23, "Troubleshooting PIX and ASA Connections," where I show you how to use basic security appliance commands to troubleshoot the setup of VPN sessions.

Chapter 23. Troubleshooting PIX and ASA Connections

This chapter will focus on how to troubleshoot IPsec sessions on Cisco PIX and ASA security appliances. The layout of this chapter is similar to that found in Chapter 19, "Troubleshooting Router Connections." I've broken the chapter into two areas on troubleshooting: ISAKMP/IKE Phase 1 and ISAKMP/IKE Phase 2 issues. With these two areas, I'll show you how ISAKMP/IKE Phase 1 and 2 connections are built, and what to look for when there is a problem with either of these phases. This chapter by no means covers all possible problems you'll experience with IPsec sessions on Cisco security appliances. However, I hope to provide you with the basic background knowledge so that troubleshooting IPsec sessions on the appliances is a simpler process.

ISAKMP/IKE Phase 1 Connections

In the first part of this chapter I'll focus on troubleshooting ISAKMP/IKE Phase 1 connections. If you recall from Chapter 3, "IPsec," the management connection built during Phase 1 is used to pass IPsec management traffic; no user data traverses this connection. This connection is important, however, because it is used to build the two data connections for Phase 2. I've broken this part of the chapter into three areas:

- An overview of the ISAKMP/IKE Phase 1 troubleshooting commands
- Examining your management connections
- Examining the building of L2L and remote access management connections
- Troubleshooting Easy VPN connections on a Remote

Overview of the Phase 1 Commands

You can use several commands to troubleshoot ISAKMP/IKE Phase 1 connections on the security appliances, including the following:

- show isakmp sa [detail]: Displays the status of any management connections; the optional parameters are new in FOS 7.0.
- show [crypto] isakmp stats: Displays the statistics of the management connections (FOS 7.0 only).
- show [crypto] isakmp ipsec-over-tcp stats: Displays the statistics of any IPsec over TCP connections the management connection is managing (FOS 7.0 only).
- clear [crypto] isakmp sa [SA_ID_#]: Deletes all the management SAs or a specific management connection by specifying the SA ID number.
- debug crypto isakmp: Displays the steps taken to build a management connection and data connections via the management connection.
- debug crypto engine: Displays events related to the encryption/decryption problems on the appliance.
- debug crypto ca [messages | transactions]: Displays the interaction between the appliance and CA for certificate enrollment and authentication functions. The 7.0 version of this command produces similar output compared to the debug crypto pki command discussed in Chapter 19; therefore, I won't cover it in this chapter.
- debug crypto vpnclient: Displays the interaction between the appliance, acting as an Easy VPN Remote, and the Easy VPN Server (FOS 6.3 only).

As you can see from the above list, not all commands are supported in all FOS versions. The following sections will discuss some of the more important commands, in more depth, related to troubleshooting connectivity processes.

Note

Before FOS 7.0, I found the output of debug commands less administrator-friendly than the debug output from IOS routers. In FOS 6.3 and earlier, I tended to try to troubleshoot IPsec problems from the remote peer and would look at the PIX's debug output only when I was still having problems trying to pinpoint the problem. Cisco has rectified most of my concerns in regard to this in FOS 7.0. In FOS 7.0, the debug output is much more similar to the debug output of IOS-based routers.

The show isakmp sa Command

Example 23-1 illustrates the use of the show isakmp sa command with an appliance running FOS 6.3. The output of this command is very similar to the show crypto isakmp sa command in Chapter 16, "Router ISAKMP/IKE Phase 1 Connectivity." Table 16-1 in that chapter explains the states. QM_IDLE indicates the successful setup of the connection to the associated peer. If you're seeing MM_NO_STATE or AG_NO_STATE, this indicates that there is a problem with the initial setup of the connection. The two most common problems that might cause this are:

- You forgot to activate the crypto map or profile on the remote peer router's interface.
- There is no matching ISAKMP/IKE Phase 1 policy on the remote peer.

If you see a state of MM_KEY_EXCH or AG_INIT_EXCH, then probably the culprit is failed device authentication. For pre-shared keys, be sure you've configured the keys correctly. For certificates, verify that they haven't expired, that the date and time are correct on the peers, and that they haven't been revoked.

Example 23-1. The show crypto isakmp sa Command in 6.3
pix63(config)# show isakmp sa
Total     : 1
Embryonic : 0
        dst             src           state     pending   created
   192.1.1.101     192.1.1.40     QM_IDLE       0         0

In FOS 7.0, the output of the command is different, as shown in Example 23-2. Instead of seeing "QM_IDLE" when the management connection has completed, you'll see either "MM_Active" or "AG_Active," depending on whether main mode or aggressive mode was used to build the management connection, respectively.

Tip

You can use the debug [crypto] isakmp sa command for more detailed troubleshooting based on the output of the show crypto isakmp sa command.

Example 23-2. The show crypto isakmp sa Command in 7.0
pix70(config-general)# show isakmp sa
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 192.1.1.40
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

The debug crypto isakmp Command

In most instances, you'll use the debug crypto isakmp command to assist in detailed troubleshooting of building ISAKMP/IKE Phase 1 management connections as well as Phase 2 data connections the management connection builds. Deciphering the output of this command is not that simple. The following two sections will take a look at a few examples of L2L and remote access sessions.

Note
Because the output of the debug commands in FOS 6.3 and earlier is somewhat similar to that of Cisco routers, the following sections will focus on the use of the commands in FOS 7.0.

L2L Sessions
To understand how an L2L session is successfully set up, view the output from the debug crypto isakmp command in Example 23-3. In this example, the output is from a simple L2L configuration where the appliance is accepting a session setup request from a remote L2L peer. I've added steps to the right of some of the output, which are explained below the example.

Example 23-3. Successful Building of the Management Connection in FOS 7.0
[IKEv1 DEBUG]: IP = 192.1.1.40, processing SA payload                                    (1)
[IKEv1 DEBUG]: IP = 192.1.1.40, Oakley proposal is acceptable
output omitted
[IKEv1 DEBUG]: IP = 192.1.1.40, Received NAT-Traversal ver 03 VID                        (2)
output omitted
[IKEv1 DEBUG]: IP = 192.1.1.40, processing IKE SA                                        (3)
[IKEv1 DEBUG]: IP = 192.1.1.40, IKE SA Proposal # 1, Transform # 1 acceptable            (4)
    Matches global IKE entry # 2
[IKEv1 DEBUG]: IP = 192.1.1.40, constructing ISA_SA for isakmp                           (5)
output omitted
[IKEv1 DEBUG]: IP = 192.1.1.40, processing ke payload
[IKEv1 DEBUG]: IP = 192.1.1.40, processing ISA_KE
[IKEv1 DEBUG]: IP = 192.1.1.40, processing nonce payload
[IKEv1 DEBUG]: IP = 192.1.1.40, processing VID payload
[IKEv1 DEBUG]: IP = 192.1.1.40, Received Cisco Unity client VID
[IKEv1 DEBUG]: IP = 192.1.1.40, processing VID payload
[IKEv1 DEBUG]: IP = 192.1.1.40, Received DPD VID
[IKEv1 DEBUG]: IP = 192.1.1.40, processing VID payload
[IKEv1 DEBUG]: IP = 192.1.1.40, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 0000077f)
[IKEv1 DEBUG]: IP = 192.1.1.40, processing VID payload
[IKEv1 DEBUG]: IP = 192.1.1.40, Received xauth V6 VID
[IKEv1 DEBUG]: IP = 192.1.1.40, constructing ke payload
[IKEv1 DEBUG]: IP = 192.1.1.40, constructing nonce payload
[IKEv1 DEBUG]: IP = 192.1.1.40, constructing Cisco Unity VID payload
[IKEv1 DEBUG]: IP = 192.1.1.40, constructing xauth V6 VID payload
[IKEv1 DEBUG]: IP = 192.1.1.40, Send IOS VID
[IKEv1 DEBUG]: IP = 192.1.1.40, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
[IKEv1 DEBUG]: IP = 192.1.1.40, constructing VID payload
[IKEv1 DEBUG]: IP = 192.1.1.40, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
[IKEv1]: IP = 192.1.1.40, Connection landed on tunnel_group 192.1.1.40                   (6)
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, Generating keys for Responder...
[IKEv1]: IP = 192.1.1.40, IKE DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
[IKEv1]: IP = 192.1.1.40, IKE DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (14) + NOTIFY (11) + NONE (0) total length : 112
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, Processing ID                        (7)
[IKEv1 DECODE]: ID_IPV4_ADDR ID received 192.1.1.40
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, processing hash
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, computing hash
[IKEv1 DEBUG]: IP = 192.1.1.40, Processing IOS keep alive payload: proposal=30/10 sec.
[IKEv1 DEBUG]: IP = 192.1.1.40, Starting IOS keepalive monitor: 80 sec.
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, Processing Notify payload
[IKEv1]: IP = 192.1.1.40, Connection landed on tunnel_group 192.1.1.40
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, constructing ID
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, construct hash payload
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, computing hash
[IKEv1 DEBUG]: IP = 192.1.1.40, Constructing IOS keep alive payload: proposal=32767/32767 sec.   (8)
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, constructing dpd vid payload
output omitted
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, PHASE 1 COMPLETED                          (9)
[IKEv1]: IP = 192.1.1.40, Keep-alive type for this connection: DPD
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, Starting phase 1 rekey timer: 82080000 (ms)
[IKEv1 DECODE]: IP = 192.1.1.40, IKE Responder starting QM: msg id = 4a9a7c8b
[IKEv1]: IP = 192.1.1.40, IKE DECODE RECEIVED Message (msgid=4a9a7c8b) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 172   (10)
output omitted
[IKEv1 DECODE]: ID_IPV4_ADDR_SUBNET ID received--192.168.0.0--255.255.255.0              (11)
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, Received remote IP Proxy Subnet data in ID Payload: Address 192.168.0.0, Mask 255.255.255.0, Protocol 0, Port 0
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, Processing ID
[IKEv1 DECODE]: ID_IPV4_ADDR_SUBNET ID received--192.168.2.0--255.255.255.0
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, Received local IP Proxy Subnet data in ID Payload: Address 192.168.2.0, Mask 255.255.255.0, Protocol 0, Port 0
[IKEv1]: QM IsRekeyed old sa not found by addr
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, Static Crypto Map check, checking map = mymap, seq = 10...   (12)
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, Static Crypto Map check, map mymap, seq = 10 is a successful match
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, IKE Remote Peer configured for SA: mymap
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, processing IPSEC SA
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, IPsec SA Proposal # 1, Transform # 1 acceptable   (13)
    Matches global IPsec SA entry # 10
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, IKE: requesting SPI!
[IKEv1 DEBUG]: IKE got SPI from key engine: SPI = 0xcc3dcb5a
output omitted
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, Transmitting Proxy Id:               (14)
    Remote subnet: 192.168.0.0 Mask 255.255.255.0 Protocol 0 Port 0
    Local subnet: 192.168.2.0 mask 255.255.255.0 Protocol 0 Port 0
output omitted
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, loading all IPSEC SAs                (15)
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, Generating Quick Mode Key!
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, Generating Quick Mode Key!
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, Security negotiation complete for LAN-to-LAN Group (192.1.1.40) Responder, Inbound SPI = 0xcc3dcb5a, Outbound SPI = 0x382e1cb2   (16)
[IKEv1 DEBUG]: IKE got a KEY_ADD msg for SA: SPI = 0x382e1cb2
[IKEv1 DEBUG]: pitcher: rcv KEY_UPDATE, spi 0xcc3dcb5a
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, Starting P2 Rekey timer to expire in 3420 seconds
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, PHASE 2 COMPLETED (msgid=4a9a7c8b)          (17)
[IKEv1 DEBUG]: Group = 192.1.1.40, IP = 192.1.1.40, Sending keep-alive of type DPD R-U-THERE (seq number 0x3252ed2c)   (18)

Here's a brief description of the references in Example 23-3 (the output of the debug crypto isakmp command is very verbose, so I've omitted some of it):

1. Main mode exchange is beginning; no policies have been shared yet and the peers are still in an MM_NO_STATE.
2. The remote peer is testing for the use of NAT-T.
3. The comparison of ISAKMP/IKE policies begins here.
4. This message indicates that a matching policy has been found.
5. The management connection is being built.
6. The peer is associated with the "192.1.1.40" L2L tunnel group and the encryption and hash keys are being generated.
7. This is where authentication begins with pre-shared keys: remember that authentication occurs on both peers, and thus you'll see two sets of corresponding authentication processes.
8. DPD is being negotiated.
9. Phase 1 is complete.
10. Phase 2 (quick mode) begins.
11. The remote subnet (192.168.0.0/24) is received and compared to the local subnet (192.168.2.0/24).
12. A matching static crypto entry is looked for and found.
13. The appliance finds a matching data transform for the data connections.
14. A check is performed for mirrored crypto ACLs.
15. Keys are generated for the data SAs.
16. SPIs are assigned to the data SAs.
17. Phase 2 completes.
18. A DPD keepalive is being sent to the remote peer on the management connection.

Caution: Also in 7.0, you control the debugging level by specifying a number from 1 to 255 after the debug command: this affects the amount of output you see from the debug command. A level of 1 will give you little information, and 255 will show partial packet contents (the most in-depth). Therefore, you'll want to specify a number like 100 or 150 for the debug level to give you a reasonable amount of output to troubleshoot problems. Also, if you enter the debug command without specifying a level number, it defaults to level 1. Therefore, if you don't see any output from your debug command, this is the first thing I would check: use the show debug command to determine what debug functions you've enabled and for what output level they've been configured.

Tip: One of the problems I've seen with the output of the FOS debug commands is that the nomenclature and verbiage has a tendency of changing from one FOS release to another. This is very apparent if you compare the 6.3 output to that of 7.0. In certain cases, you have to scrutinize the output carefully to determine the exact problem, especially for the two data connections. Therefore, you might want to look at the debug output from a connection that works from the same FOS revision that you're using on a connection that is failing. You can use the successful connection output as a baseline when comparing this debug output to the debug output from a failed connection attempt. I've also found the FOS 7.0 debug output more user-friendly in deciphering its messages than with the 6.x and earlier releases.

If there is a mismatch in the ISAKMP/IKE Phase 1 policy, your debug output will look like that in Example 23-4.

Example 23-4. Mismatch ISAKMP/IKE Phase 1 Policies in 7.0

[IKEv1 DEBUG]: IP = 192.1.1.40, processing SA payload
[IKEv1]: IP = 192.1.1.40, All SA proposals found unacceptable
[IKEv1]: IP = 192.1.1.40, Error processing payload: Payload ID: 1
[IKEv1 DEBUG]: IP = 192.1.1.40, IKE MM Responder FSM error history (struct &0x19f49a0) <state>, <event>: MM_DONE, EV_ERROR-->MM_START, EV_RCV_MSG-->MM_START, EV_START_MM-->MM_START, EV_START_MM
[IKEv1 DEBUG]: IP = 192.1.1.40, IKE SA MM:2d31c23f terminating: flags 0x01000002, refcnt 0, tuncnt 0
[IKEv1 DEBUG]: sending delete/delete with reason message
[IKEv1]: IP = 192.1.1.40, IKE DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 100
output omitted

Tip: I've found out, the hard way, in certain FOS releases that even if the ISAKMP policies match on the two peers, you still could get the dreaded "All SA proposals found unacceptable" message. Apparently, certain combinations of policies, like AES-128 and SHA, will not work, even though you can configure them on the appliance. Playing around, I've found out that in most instances, any encryption algorithm and MD5 will work, but only certain encryption algorithms and SHA will work. Therefore, before you waste your time troubleshooting this problem with either a Phase 1 or, more likely, Phase 2 connection, first I would try a proposal that supported MD5 with your selected encryption algorithm.

If there is a mismatch in a key used for pre-shared key authentication, the output of the debug crypto isakmp command will look like that found in Example 23-5.

Example 23-5. Mismatched Pre-shared Key Illustration in 7.0

[IKEv1 DEBUG]: IP = 192.1.1.40, processing SA payload
[IKEv1 DEBUG]: IP = 192.1.1.40, Oakley proposal is acceptable
output omitted
[IKEv1 DEBUG]: IP = 192.1.1.40, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 3
output omitted
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, Received encrypted Oakley Main Mode packet with invalid payloads, MessID = 0
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key. Aborting
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, IKE DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 136
[IKEv1]: Group = 192.1.1.40, IP = 192.1.1.40, Duplicate Phase 1 packet detected. Retransmitting last packet.
output omitted
Jun 29 17:39:09 [IKEv1 DEBUG]: sending delete/delete with reason message
output omitted

Remote Access Sessions

The debug output from setting up a remote access session can be very verbose, about 20 pages in length! Example 23-6 shows the output of the debug crypto isakmp command from a 7.0 Easy VPN Server, where I've omitted much of the output to keep it brief. I explain the numbered references below the example output.

Example 23-6. Establishing a Remote Access Connection to an Easy VPN Server Running 7.0

[IKEv1 DEBUG]: IP = 192.1.1.77, processing SA payload (1)
output omitted
[IKEv1 DEBUG]: IP = 192.1.1.77, processing VID payload
[IKEv1 DEBUG]: IP = 192.1.1.77, Received Cisco Unity client VID (2)
[IKEv1 DEBUG]: IP = 192.1.1.77, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
[IKEv1]: IP = 192.1.1.77, Connection landed on tunnel_group salesgroup
[IKEv1 DEBUG]: Group = salesgroup, IP = 192.1.1.77, processing IKE SA
[IKEv1 DEBUG]: Group = salesgroup, IP = 192.1.1.77, IKE SA Proposal # 1, Transform # 5 acceptable Matches global IKE entry # 1 (3)
[IKEv1 DEBUG]: Group = salesgroup, IP = 192.1.1.77, constructing ISA_SA for isakmp
[IKEv1 DEBUG]: Group = salesgroup, IP = 192.1.1.77, constructing nonce payload
output omitted
[IKEv1 DEBUG]: Processing MODE_CFG Reply attributes.
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, User (salesuser) authenticated. (4)
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, IKEGetUserAttributes: primary DNS = 4.2.2.1 (5)
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, IKEGetUserAttributes: secondary DNS = cleared
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, IKEGetUserAttributes: primary WINS = cleared
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, IKEGetUserAttributes: secondary WINS = cleared
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, IKEGetUserAttributes: IP Compression = disabled
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, IKEGetUserAttributes: Split Tunneling Policy = Disabled
output omitted
[IKEv1 DEBUG]: Processing cfg Request attributes (6)
[IKEv1 DEBUG]: MODE_CFG: Received request for IPV4 address!
[IKEv1 DEBUG]: MODE_CFG: Received request for IPV4 net mask!
[IKEv1 DEBUG]: MODE_CFG: Received request for DNS server address!
[IKEv1 DEBUG]: MODE_CFG: Received request for WINS server address!
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Received unsupported transaction mode attribute: 5
[IKEv1 DEBUG]: MODE_CFG: Received request for Banner!
[IKEv1 DEBUG]: MODE_CFG: Received request for Save PW setting!
[IKEv1 DEBUG]: MODE_CFG: Received request for Default Domain Name!
[IKEv1 DEBUG]: MODE_CFG: Received request for Split Tunnel List!
[IKEv1 DEBUG]: MODE_CFG: Received request for Split DNS!
[IKEv1 DEBUG]: MODE_CFG: Received request for PFS setting!
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Received unknown transaction mode attribute: 28683
[IKEv1 DEBUG]: MODE_CFG: Received request for backup ip-sec peer list!
[IKEv1 DEBUG]: MODE_CFG: Received request for Application Version! (7)
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Client Type: WinNT Client Application Version: 4.6.01.0019
[IKEv1 DEBUG]: MODE_CFG: Received request for FWTYPE!
[IKEv1 DEBUG]: MODE_CFG: Received request for DHCP hostname for DDNS is: i7500!
[IKEv1 DEBUG]: MODE_CFG: Received request for UDP Port!
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, constructing blank hash
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, constructing qm hash
[IKEv1]: IP = 192.1.1.77, IKE DECODE SENDING Message (msgid=e9f26b16) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 170 (8)
[IKEv1 DECODE]: IP = 192.1.1.77, IKE Responder starting QM: msg id = d9fcc34b
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Delay Quick Mode processing, Cert/Trans Exch/RM DSID in progress
output omitted
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, PHASE 1 COMPLETED (9)
output omitted
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, constructing blank hash
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, constructing qm hash
[IKEv1]: IP = 192.1.1.77, IKE DECODE SENDING Message (msgid=3b776e14) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 92
[IKEv1]: IP = 192.1.1.77, IKE DECODE RECEIVED Message (msgid=d9fcc34b) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 1026
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Resume Quick Mode processing, Cert/Trans Exch/RM DSID completed (10)
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, processing hash
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, processing SA payload
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, processing nonce payload
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Processing ID
[IKEv1 DECODE]: ID_IPV4_ADDR ID received 192.168.2.200 (11)
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Received remote Proxy Host data in ID Payload: Address 192.168.2.200, Protocol 0, Port 0
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Processing ID
[IKEv1 DECODE]: ID_IPV4_ADDR_SUBNET ID received--0.0.0.0--0.0.0.0
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Received local IP Proxy Subnet data in ID Payload: Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
[IKEv1]: QM IsRekeyed old sa not found by addr (12)
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Static Crypto Map check, checking map = mymap, seq = 10... (13)
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Static Crypto Map check, map = mymap, seq = 10, ACL does not match proxy IDs src:192.168.2.200 dst:0.0.0.0
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, IKE Remote Peer configured for SA: dynmap (14)
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, processing IPSEC SA
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, IPsec SA Proposal # 11, Transform # 1 acceptable Matches global IPsec SA entry # 1 (15)
output omitted
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Overriding Initiator's IPsec rekeying duration from 2147483 to 28800 seconds (16)
output omitted
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Security negotiation complete for User (salesuser) Responder, Inbound SPI = 0x46ffd888, Outbound SPI = 0xfc4dd2f3 (17)
[IKEv1 DEBUG]: IKE got a KEY_ADD msg for SA: SPI = 0xfc4dd2f3
[IKEv1 DEBUG]: pitcher: rcv KEY_UPDATE, spi 0x46ffd888
output omitted
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Adding static route for client address: 192.168.2.200 (18)
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, PHASE 2 COMPLETED (msgid=d9fcc34b) (19)
output omitted
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Received keep-alive of type DPD R-U-THERE (seq number 0xa780a31f) (20)
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0xa780a31f)
output omitted

Here's an explanation of the debug output from Example 23-6:

1. The Remote (192.1.1.77) initiates a session to the appliance (acting as a Server).
2. The Remote sends its identity type to the Server, along with the group it wants to connect to ("salesgroup").
3. A matching Phase 1 policy is found: policy 5 of the Remote matches the first policy of the Server.
4. The group authentication is successful, as is the XAUTH authentication via the user account "salesuser".
5. The Remote initiates IKE Mode Config and the appliance is determining which parameters it has configured for the associated group.
6. The Remote sends an IKE Mode Config request for the policies defined for the salesgroup group.
7. During IKE Mode Config, the appliance learns the client type and version.
8. The Server sends back the IKE Mode Config parameters.
9. This completes ISAKMP/IKE Phase 1; notice that this message appears here rather than before IKE Mode Config, because the appliance needs to verify whether or not the user is allowed access to the group.
10. Quick mode begins with an exchange of policies.
11. The internal address of the client is 192.168.2.200 and the proxy message it sends indicates that all of its traffic is to be protected (the group policy is split tunneling disabled).
12. A check is performed to make sure that the client isn't reconnecting (the Initial Contact feature for Easy VPN); in this example, the client is initiating a new connection.
13. The appliance compares the proxy information with its first crypto map entry (which is a static one) and finds that it doesn't match this entry (the proxy information doesn't match).
14. The appliance compares the proxy information with its second crypto map entry, which is a dynamic crypto map for remote access users.
15. A matching data transform is found.
16. There is a difference in the data SA lifetime values between the two devices: the lower one (28,800 seconds) is negotiated.
17. The two IPsec data SAs (inbound and outbound) are created and SPIs are assigned.
18. Because RRI is enabled, a static route for the Remote's internal address (192.168.2.200) is added to the Server's local routing table.
19. Phase 2 has completed.
20. Because DPD was negotiated in Phase 1, DPD now takes place; in this instance, the Remote is initiating DPD (however, both sides of the tunnel will do this periodically based on their local keepalive counters).

The debug crypto vpnclient Command

For 6.x PIXs configured as Easy VPN Remotes, you can use the debug crypto vpnclient command to troubleshoot client-specific configuration and connection setup issues. Example 23-7 illustrates the use of this command, where the client is using network extension mode. Below the example, I explain the numbered references found in the example.

Example 23-7. Establishing a Remote Access Connection from an Easy VPN Remote Running 6.3

VPNC CFG: transform set unconfig attempt done (1)
VPNC CLI: no isakmp keepalive 10 5
VPNC CLI: no isakmp nat-traversal 20
VPNC CFG: IKE unconfig successful
VPNC CLI: no crypto map _vpnc_cm
VPNC CFG: crypto map deletion attempt done
VPNC CFG: crypto unconfig successful
VPNC CLI: no global (outside) 65001
VPNC CLI: no nat (inside) 0 access-list _vpnc_acl
VPNC CFG: nat unconfig attempt failed
VPNC CLI: no http 192.168.3.0 255.255.255.0 inside
VPNC CLI: no http server enable
VPNC CLI: no access-list _vpnc_acl
VPNC CFG: ACL deletion attempt failed
VPNC CLI: no crypto map _vpnc_cm interface outside
VPNC CFG: crypto map de/attach failed
VPNC CFG: transform sets configured (2)
VPNC CFG: crypto config successful
VPNC CLI: isakmp keepalive 10 5
VPNC CLI: isakmp nat-traversal 20
VPNC CFG: IKE config successful
VPNC CLI: http 192.168.3.0 255.255.255.0 inside
VPNC CLI: http server enable
VPNC CLI: aaa-server _vpnc_nwp_server protocol tacacs+
VPNC CLI: aaa-server _vpnc_nwp_server (outside) host 192.1.1.100
VPNC CLI: access-list _vpnc_nwp_acl permit ip any any
VPNC CLI: aaa authentication match _vpnc_nwp_acl outbound _vpnc_nwp_server
VPNC CLI: no access-list _vpnc_acl
VPNC CFG: ACL deletion attempt failed
VPNC CLI: access-list _vpnc_acl permit ip host 192.1.1.101 host 192.1.1.100 (3)
VPNC CLI: crypto map _vpnc_cm 10 match address _vpnc_acl
VPNC CFG: crypto map acl update successful
VPNC CLI: no crypto map _vpnc_cm interface outside
VPNC CLI: crypto map _vpnc_cm interface outside
VPNC INF: IKE trigger request done (4)
VPNC INF: Constructing policy download req
VPNC INF: Packing attributes for policy request
VPNC INF: Attributes being requested
VPNC ATT: INTERNAL_IP4_DNS: 4.2.2.1
VPNC ATT: ALT_PFS: 0
VPNC INF: Received application version 'Cisco Systems, Inc PIX-515 Version 7.0(1) built by builders on Thu 31-Mar-05 14:37' (5)
VPNC ATT: ALT_CFG_SEC_UNIT: 0
VPNC ATT: ALT_CFG_USER_AUTH: 0
VPNC CLI: no aaa authentication match _vpnc_nwp_acl outbound _vpnc_nwp_server
VPNC CLI: no access-list _vpnc_nwp_acl permit ip any any
VPNC CLI: no aaa-server _vpnc_nwp_server
VPNC CLI: no access-list _vpnc_acl
VPNC CLI: access-list _vpnc_acl permit ip 192.168.3.0 255.255.255.0 any (6)
VPNC CLI: access-list _vpnc_acl permit ip host 192.1.1.101 any
VPNC CLI: access-list _vpnc_acl permit ip host 192.1.1.101 host 192.1.1.100
VPNC CFG: _vpnc_acl no ST define done
VPNC CLI: crypto map _vpnc_cm 10 match address _vpnc_acl
VPNC CFG: crypto map acl update successful
VPNC CLI: no crypto map _vpnc_cm interface outside
VPNC CLI: crypto map _vpnc_cm interface outside
VPNC CLI: no global (outside) 65001
VPNC CLI: no nat (inside) 0 access-list _vpnc_acl
VPNC CFG: nat unconfig attempt failed
VPNC CLI: nat (inside) 0 access-list _vpnc_acl (7)
VPNC INF: IKE trigger request done (8)
output omitted

Here is an explanation of the numbered references in Example 23-7:

1. This is the first time the VPN Remote functionality was enabled on the PIX, so the PIX is first removing any VPN commands that could cause any type of conflict.
2. After attempting to remove all VPN-related commands, the Remote then configures the necessary VPN commands.
3. An ACL is built to allow communications between this PIX (192.1.1.101) and the Easy VPN Server (192.1.1.100).
4. The PIX Remote initiates its connection to the Server and sends its policies.
5. The Server is a PIX 515 running FOS 7.0, as you'll notice in the output.
6. Based on the split tunneling policy passed to it by the Server, the client PIX builds an appropriate crypto ACL. In this example, the Remote was configured for network extension mode.
7. Based on the split tunneling policy, the appropriate address translation policy is configured.
8. The tunnel is now established to the Server.

Tip: Unfortunately, the debug crypto vpnclient command is not that useful for troubleshooting the setup of an IPsec session. If something is misconfigured on the Remote or Server, you'll see something like that in Example 23-8 repeated over and over; however, there is nothing that indicates what the problem is. For example, if the Remote was configured for network extension mode, but the group on the Server didn't have this policy defined, with the output of the debug crypto isakmp command on the Server you would see a message like this: "[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.101, Hardware Client connection rejected! Network Extension Mode is not allowed for this group!" Unfortunately, from the Remote end using the debug crypto vpnclient command, the debug output from the same command on a 6.3 Remote isn't as verbose, making the troubleshooting of this problem more difficult, if not impossible.

Example 23-8. A Failed Remote Access Connection from an Easy VPN Remote Running 6.3

VPNC INF: Constructing policy download req
VPNC INF: Packing attributes for policy request
VPNC INF: Attributes being requested
VPNC CLI: no access-list _vpnc_acl
VPNC CLI: access-list _vpnc_acl permit ip host 192.1.1.101 host 192.1.1.100
VPNC CLI: crypto map _vpnc_cm 10 match address _vpnc_acl
VPNC CFG: crypto map acl update successful
VPNC CLI: no crypto map _vpnc_cm interface outside
VPNC CLI: crypto map _vpnc_cm interface outside
VPNC INF: IKE trigger request done

ISAKMP/IKE Phase 2 Connections

In this section I'll discuss some security appliance commands you can use to troubleshoot ISAKMP/IKE Phase 2 connections. I'll begin by briefly describing the commands you can use and then, in later sections, I'll discuss some of these commands in more depth.

Overview of the Phase 2 Commands

If you're experiencing problems with establishing IPsec data connections with an IPsec peer, you could use several PIX/ASA commands to help pinpoint the problem. Here's a brief summary of these commands:

• show crypto engine [verify]: Displays the usage statistics for the appliance's crypto engine (FOS 6.x only); the verify parameter runs the Known Answer Test (KAT), which checks the integrity of the cryptography engine used by the appliance.
• show crypto interface [counters]: Displays the VAC/VAC+ card installed in the appliance and, optionally, traffic statistics for the card (FOS 6.x only).
• show crypto accelerator statistics: Displays the VAC/VAC+ card installed in the appliance and, optionally, traffic statistics for the card (FOS 7.0 only).
• show crypto protocol statistics {ikev1 | ipsec}: Displays general traffic statistics about the management or data connections (FOS 7.0 only).
• show [crypto] ipsec sa: Displays the data SAs established between two IPsec peers, and the components used to protect the connection and packet statistical information.
• clear crypto [ipsec] sa [counters | map map_name | peer IP_address | entry IP_address {ah | esp} SPI_#]: Clears the statistics (counters), all data SAs associated with a crypto map (map), all data SAs associated with a peer (peer), or a particular data SA to a particular peer (entry).
• debug crypto isakmp: Displays the steps taken to build a management connection and data connections via the management connection (see "The debug crypto isakmp Command" section previously in the chapter).
• debug crypto ipsec: Displays the actual creation of the two unidirectional data SAs between two peers.

The following sections will discuss some of the above troubleshooting commands in more depth; the commands discussed below are the more common ones used to troubleshoot data SA problems.

The show crypto ipsec sa Command

The show crypto ipsec sa command displays the crypto map entry information used to build data connections, the crypto map information used to create the data SAs, and the inbound and outbound connections and their SPI numbers, in addition to traffic statistics. There are two forms of the command, depending on which FOS version your appliance is running. In FOS 6.x and earlier, the following syntax applies:

pix63# show crypto [ipsec] sa [map map_name | address | identity]

Without any specified parameters, the crypto map information used to create the data SAs is displayed. The map parameter allows you to display only the SAs associated with the specified crypto map name. The address parameter sorts the output based on the IP address of the SA. The identity parameter sorts the display by SA flows.

In FOS 7.0, the following syntax can be used:

pix70# show crypto [ipsec] sa [entry | identity | map map_name | peer peer_IP_address] [detail]

As you can see from the syntax of this command, it is similar to the 6.x version. The entry parameter performs the same function as the address parameter in the 6.x command: it sorts the SAs based on IP addresses. The identity parameter likewise sorts the display by SA flows. The map parameter displays only the SAs associated with the specified crypto map. The peer parameter allows you to display only the SAs established to the specified peer. The detail parameter displays more detailed information about the SAs, including error information.

In the case of either of these two commands, the output produced, shown in Example 23-9, is very similar to a router's output from the same command. The output in Example 23-9 is from a security appliance running 7.0, even though the 6.x output is almost the same. The crypto map called "mymap" has an entry associated with a remote peer, 192.1.1.40. The local ident and remote ident entries display the traffic that is to be protected (traffic between 192.168.2.0/24 and 192.168.0.0/24). The #pkts encaps and #pkts decaps display the number of packets encapsulated/de-encapsulated using IPsec (AH and/or ESP); likewise, you can see the number of packets encrypted and decrypted, and the number of packets where a hash function was created or verified. Given that there are nonzero numbers in these fields, a connection is currently established to the remote peer (192.1.1.40).

Example 23-9. Using the show crypto ipsec sa Command

pix70(config)# show crypto ipsec sa
interface: outside
    Crypto map tag: mymap, local addr: 192.1.1.100

      local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
      current_peer: 192.1.1.40
      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.1.1.100, remote crypto endpt.: 192.1.1.40

      path mtu 1500, ipsec overhead 76, media mtu 1500
      current outbound spi: 2ED644AD

    inbound esp sas:
      spi: 0x76DFE868 (1994385512)
         transform: esp-aes esp-sha-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: mymap
         sa timing: remaining key lifetime (kB/sec): (4274999/3586)
         IV size: 16 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x2ED644AD (785794221)
         transform: esp-aes esp-sha-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: mymap
         sa timing: remaining key lifetime (kB/sec): (4274999/3584)
         IV size: 16 bytes
         replay detection support: Y

The SAs are displayed in separate sections in Example 23-9, so you can see the SPI values, transforms, tunnel type, and other connection particulars in the inbound esp sas and outbound esp sas sections of the output. In this example, only ESP is used.
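The checks just described (are there inbound and outbound esp sas at all, and are the encaps/decaps counters moving?) are easy to automate when you poll many appliances. The following is an added example of my own, not code from the book or from Cisco, that parses the 7.0-format output of Example 23-9 and applies those checks; the two sample outputs are constructed, the second one a hypothetical peer for which Phase 2 never completed.

```python
import re

PKTS_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt|digest|verify): (\d+)")
ERR_RE = re.compile(r"#(send|recv) errors: (\d+)")
IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^)]+)\)")
SPI_RE = re.compile(r"^spi: (0x[0-9A-Fa-f]+)")
LIFE_RE = re.compile(r"remaining key lifetime \(kB/sec\): \((\d+)/(\d+)\)")


def parse_ipsec_sa(text):
    """Parse one crypto map entry from 'show crypto ipsec sa' (FOS 7.0 format)."""
    entry = {"peer": None, "local_ident": None, "remote_ident": None,
             "counters": {}, "errors": {}, "inbound": [], "outbound": []}
    section = None  # which "esp sas:" block we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("current_peer:"):
            entry["peer"] = line.split(":", 1)[1].strip()
        m = IDENT_RE.search(line)
        if m:
            entry[m.group(1) + "_ident"] = m.group(2)
        for m in PKTS_RE.finditer(line):
            entry["counters"][m.group(1)] = int(m.group(2))
        for m in ERR_RE.finditer(line):
            entry["errors"][m.group(1)] = int(m.group(2))
        if line.startswith("inbound esp sas:"):
            section = "inbound"
        elif line.startswith("outbound esp sas:"):
            section = "outbound"
        m = SPI_RE.match(line)
        if m and section:
            entry[section].append({"spi": m.group(1)})
        m = LIFE_RE.search(line)
        if m and section and entry[section]:
            entry[section][-1]["remaining_kb"] = int(m.group(1))
            entry[section][-1]["remaining_sec"] = int(m.group(2))
    return entry


def assess(entry):
    """Apply the interpretation rules the text gives for this command's output."""
    if not entry["inbound"] or not entry["outbound"]:
        return ("NO DATA SAs: Phase 2 never completed; check transforms, crypto ACLs "
                "and the peer addresses used for IPsec")
    c = entry["counters"]
    encaps, decaps = c.get("encaps", 0), c.get("decaps", 0)
    if encaps == 0 and decaps == 0:
        return "SAs exist but no traffic has been protected yet"
    if decaps == 0:  # heuristic: we send, nothing ever comes back through the tunnel
        return "ONE-WAY: encapsulating but never decapsulating (no return traffic from peer)"
    if encaps == 0:  # heuristic: we receive, but nothing local matches the crypto ACL
        return "ONE-WAY: decapsulating but never encapsulating (check local crypto ACL/routing)"
    if any(entry["errors"].values()):
        return "ESTABLISHED with send/recv errors: %s" % entry["errors"]
    return "ESTABLISHED: traffic protected in both directions to %s" % entry["peer"]


# Constructed sample: the body of Example 23-9, trimmed to the lines parsed here.
SAMPLE_OK = """\
interface: outside
    Crypto map tag: mymap, local addr: 192.1.1.100

      local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
      current_peer: 192.1.1.40
      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #send errors: 0, #recv errors: 0

    inbound esp sas:
      spi: 0x76DFE868 (1994385512)
         transform: esp-aes esp-sha-hmac
         sa timing: remaining key lifetime (kB/sec): (4274999/3586)
    outbound esp sas:
      spi: 0x2ED644AD (785794221)
         transform: esp-aes esp-sha-hmac
         sa timing: remaining key lifetime (kB/sec): (4274999/3584)
"""

# Constructed sample: a hypothetical peer whose data SAs were never built.
SAMPLE_NO_SAS = """\
interface: outside
    Crypto map tag: mymap, local addr: 192.1.1.100

      local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
      current_peer: 192.1.1.40
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_NO_SAS):
        print(assess(parse_ipsec_sa(sample)))
```

The one-way verdicts are heuristics: confirm them by clearing the counters (clear crypto ipsec sa counters) and re-reading after generating traffic.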

If you don't see anything under these subsections, no data connections have been established. Common problems that might cause this situation are:

• Mismatch in transforms
• Mismatch in crypto ACLs
• Mismatch in addresses that the two peers will use for IPsec communications

Further troubleshooting can be done with the debug crypto ipsec command; I'll discuss that in the next section.

The debug crypto ipsec Command

If you're experiencing problems establishing the two IPsec data connections between peers, the most common appliance commands to troubleshoot this problem are the debug crypto isakmp and the debug crypto ipsec commands. I discussed the former command earlier in "The debug crypto isakmp Command" section. The debug crypto ipsec command is supported by both 6.x and 7.0; the only difference is that in 7.0, you need to specify a debug level from 1 to 255, where 255 displays partial packet contents. Normally I set it to 150, which gives me enough information to troubleshoot a problem.

With 6.3 and earlier, there is no option of specifying a debug level, as is the case with Cisco routers. Example 23-10 illustrates the use of this command in 6.3, where the two data connections between two peers are established successfully. Below the example is an explanation of the debug output reference numbers. In this example, an appliance is accepting an L2L connection request from a remote peer. The local appliance's address is 192.1.1.101 with a local subnet of 192.168.3.0/24.

Example 23-10. Successful IPsec Data SAs Established on a 6.3 Appliance

IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP (1)
IPSEC(key_engine_delete_sas): delete all SAs shared with 192.1.1.40
IPSEC(validate_proposal_request): proposal part #1, (2)
  (key eng. msg.) dest= 192.1.1.101, src= 192.1.1.40,
    dest_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
    src_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, trans­form= esp-aes esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x4
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xffc3de48(4291026504) for SA (3)
        from 192.1.1.40 to 192.1.1.101 for prot 3
IPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): , (4)
  (key eng. msg.) dest= 192.1.1.101, src= 192.1.1.40,
    dest_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
    src_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-md5-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0xffc3de48(4291026504), conn_id= 2, keysize= 128, flags= 0x4
IPSEC(initialize_sas): , (5)
  (key eng. msg.) src= 192.1.1.101, dest= 192.1.1.40,
    src_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
    dest_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-md5-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0x378ef8b8(932116664), conn_id= 1, keysize= 128, flags= 0x4

Here's a brief explanation of the numbered references in the output from Example 23-10:

1. Any existing data SAs are being deleted before the new ones are added between the two peers: 192.1.1.101 is the local appliance and 192.1.1.40 is the remote peer.
2. A matching transform set (ESP with AES-128 and MD5) and crypto ACL are found, requesting that traffic from 192.168.0.0/24 to 192.168.3.0/24 be protected. This can be determined by the "validate proposal request" message; this makes sense because, in this example, the remote peer initiated the connection.
3. The remote peer assigns an SPI for the SA from the remote peer to the local appliance.
4. The SA from the remote peer to the local appliance is initialized.
5. The SA from the local appliance to the remote peer is initialized and assigned an SPI value.

As you can see from this output, it is much less verbose than what you would see with the debug crypto isakmp command: only the particulars of the building of the data connection are displayed, whereas with the debug crypto isakmp command, you see everything that ISAKMP/IKE builds, which includes both the management and data connections. Of course, not all data SAs are built successfully. The following sections will cover some common problems with establishing data connections, including:

• Mismatched Data Transforms
• Mismatched Crypto ACLs
• Matching on the Incorrect Crypto Map Entry

Mismatched Data Transforms

As you can see from the output in Example 23-10, the debug output from the debug crypto ipsec command is fairly straightforward to interpret. For example, if you don't have a matching transform for the data connections, you'll see the output in Example 23-11 from the debug crypto isakmp and the debug crypto ipsec commands. The first part is from the former debug command (begins with "ISAKMP") and the last part is from the latter command (begins with "IPSEC"). Use the show crypto ipsec transform-set command on the local appliance to determine which transforms have been created already, and the show crypto map command to see which transform set has been associated with

Example 23-11. Mismatched IPsec Data Transforms

<--output omitted-->
ISAKMP (0): processing SA payload. message ID = 2686916944
ISAKMP : Checking IPsec proposal 1
ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 3600
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      key length is 128
IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 2) not supported
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
<--output omitted-->
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 192.1.1.40
IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 2) not supported

At the beginning of Example 23-11, you can see the output from the debug crypto isakmp command. The transform 1, ESP_AES and authenticator is HMAC-SHA lines display that there is a problem with an ESP proposal that the remote peer wants to use: ESP with AES-128 and SHA. The last part of the output shows that the transform proposed by the remote peer wasn't accepted because of a conflict in the HMAC function defined on both peers. Obviously, the local peer wants to use MD5, but the remote peer has been configured with only one transform, which uses SHA.

Mismatched Crypto ACLs

If the crypto ACLs are not mirrored on the two peers, you'll see the debug output from the debug crypto ipsec and debug crypto isakmp commands shown in Example 23-12.

The proxy identities not supported message indicates that the crypto ACLs (if routers or PIXs), or network lists (if concentrators), do not match (are not mirrored) on the two IPsec peers. This misconfiguration is commonly called an "invalid proxy ID." When this error occurs, examine the crypto ACLs (or network lists, if the peer's a concentrator) to see where the ACL entries are not mirrored.

Example 23-12. Mismatched Crypto ACLs: Not Mirrored

<--output omitted-->
ISAKMP (0): processing SA payload. message ID = 2620452987
ISAKMP : Checking IPsec proposal 1
ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 3600
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      key length is 128
ISAKMP (0): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 192.1.1.101, src= 192.1.1.40,
    dest_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    src_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x4
IPSEC(validate_transform_proposal): proxy identities not supported
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 192.1.1.101, src= 192.1.1.40,
    dest_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    src_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x4
IPSEC(validate_transform_proposal): proxy identities not supported
ISAKMP: IPsec policy invalidated proposal
ISAKMP (0): SA not acceptable!
<--output omitted-->

Tip: From practical experience, I've learned that in certain cases you'll get the mismatched crypto ACL error even if you have the entries mirrored on both sides, but the crypto ACL entries happen to be in a different order on the two peers. Therefore, I recommend mirroring each statement and also matching up the statements in the same order.

Matching on the Incorrect Crypto Map Entry

Another uncommon problem you might experience is if there are overlapping crypto ACLs, where a match is found for a peer for the wrong crypto ACL in a wrong crypto map entry. For example, an appliance might have two crypto ACLs with overlapping entries like that found in Example 23-13. In this example, crypto ACLs 101 and 102 overlap.

Example 23-13. Overlapping Crypto ACL Entries Example

security(config)# access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
security(config)# access-list 102 permit udp host 192.168.1.10 host 192.168.2.25 eq 69
security(config)# crypto map mymap 10 ipsec-isakmp
security(config)# crypto map mymap 10 match address 101
security(config)# crypto map mymap 10 set peer 192.1.1.1
security(config)# crypto map mymap 10 set transform-set trans1
security(config)# crypto map mymap 20 ipsec-isakmp
security(config)# crypto map mymap 20 match address 102
security(config)# crypto map mymap 20 set peer 192.168.2.25
security(config)# crypto map mymap 20 set transform-set trans2

If the security appliance has an IPsec tunnel to 192.1.1.1 and 192.168.1.10 forwards a TFTP packet to 192.168.2.25, it will match the crypto ACL in the first entry, whose peer is 192.1.1.1, and never the second entry, whose peer is 192.168.2.25, thus causing an error similar to the one shown previously in Example 23-12. To solve this problem, put the crypto map entry with the more specific crypto ACL entry or entries before the less specific one; in other words, give the former a lower entry number.

With a crypto ACL mismatch, you'll see one of the following:

- In some older FOS versions of the PIXs, you might see an "ACL = deny; no sa created" message.
- The connection fails (with a proxy ID mismatch).

I've never seen the message in the first bullet point; I've always seen the messages displayed (or something very similar) in Example 23-12. The following conditions also could indicate that you have a proxy mismatch:

- A nonmatching mirrored crypto ACL condition exists.
- A match on the wrong crypto map entry with overlapping crypto ACLs occurred.
- The same ACL is being used with a nat 0 access-list command and as a crypto ACL.
- An asymmetric tunnel startup condition, where the tunnel will come up when started from one peer, but not from the other.
- An asymmetric transfer condition, where data will flow across the tunnel depending on which peer brought up the tunnel, but not in the reverse direction.

With the last two bullet points, you might commonly see error statements about packets being dropped that should be protected; you can also view the output of the show crypto ipsec sa command and look for packet errors or drops.

A bug in earlier FOS versions prevented you, in certain situations, from using the same ACL for address translation with the nat 0 access-list command and as a crypto ACL. Cisco highly encourages its customers to not use the same ACL for crypto and address translation functions, since doing so might cause the proxy process, and thus the data connections, to fail.

The most common problem with overlapping crypto ACLs is when two entries in your crypto map match on the same ACL reference, but in two different ACLs. At first this might sound impossible, but it is quite plausible based on your security policy. For example, you might have an L2L session between two appliances, protecting traffic between 192.168.0.0/24 and 192.168.3.0/24. However, you also have a second crypto map entry that's a transport connection, protecting syslog traffic from a remote appliance (192.168.3.10) on the remote peer's network to a local TFTP server (192.168.0.25).

Depending on how the TFTP server was set up, the syslog messages from the appliance might or might not be dropped. In Example 23-13, if the crypto map entry that represented this connection appeared after the L2L connection, it would never match and thus never would be used. Reordering the crypto map entries would fix this problem: renumber crypto map entry 20 to something like 5.

Tip: The crypto map entry with the more specific ACL should have a lower number than an overlapping crypto map entry with a less specific ACL.

Overlapping Crypto ACL Entries

Troubleshooting an overlapping crypto ACL entry problem is not simple, since it requires an understanding of how the crypto map entries are used. When you experience this problem, unfortunately, no output from debug commands will actually pinpoint this problem, because the IPsec tunnel is successfully established (or used) to the wrong peer. The first time I experienced this problem was when I had a very similar problem as I described in the last paragraph: I couldn't understand why the PIX's syslog messages weren't showing up on the syslog server. When I broke out a protocol analyzer and realized that syslog messages were showing up in clear text at the TFTP server, I then began to realize that something wasn't quite right with my configuration on the PIX. I had configured the PIX to protect the TFTP traffic using ESP AES-256 and SHA, using transport mode, but the L2L traffic only needed to be protected with AES-128 and MD5. So I created two crypto map entries, one for each, with the L2L traffic being entry 10 and the TFTP server being entry 20. In this situation, the TFTP server was dropping the messages because they weren't protected. Once I found my configuration mistake, I reordered the crypto map entries and my problem was solved. However, it took me the better part of a morning to discover my configuration mistake.
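Because no debug output flags the overlapping-entry problem, the check has to be made against the configuration itself. The following Python model is an added example, not code from the book or from Cisco: it reproduces the first-match selection of crypto map entries (ascending sequence number, first crypto ACL that permits the packet wins), reports entries that can never be selected because an earlier, less specific entry covers them, and also checks the earlier Tip that crypto ACLs must be mirrored on the two peers in the same order. The ACL model is deliberately small (protocol, network/netmask pairs in PIX 6.x notation, and single source/destination ports); the configuration constants are constructed from Example 23-13, and the fix applied is the renumbering the text recommends.

```python
"""Model PIX crypto map selection: first-match ordering, shadowed entries, mirrored ACLs."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Ace:
    """One permit line of a crypto ACL, in PIX 6.x network/netmask notation."""
    proto: str                   # "ip", "udp" or "tcp"
    src: str                     # e.g. "192.168.1.0/255.255.255.0"
    dst: str
    sport: Optional[int] = None  # None means any port
    dport: Optional[int] = None

    def matches(self, proto, src_ip, dst_ip, sport=None, dport=None):
        """Would this ACE select the packet for IPsec protection?"""
        return ((self.proto == "ip" or self.proto == proto)
                and (self.sport is None or self.sport == sport)
                and (self.dport is None or self.dport == dport)
                and ip_address(src_ip) in ip_network(self.src, strict=False)
                and ip_address(dst_ip) in ip_network(self.dst, strict=False))

    def covers(self, other):
        """True if every packet matched by `other` is matched by this ACE as well."""
        return ((self.proto == "ip" or self.proto == other.proto)
                and (self.sport is None or self.sport == other.sport)
                and (self.dport is None or self.dport == other.dport)
                and ip_network(other.src, strict=False).subnet_of(ip_network(self.src, strict=False))
                and ip_network(other.dst, strict=False).subnet_of(ip_network(self.dst, strict=False)))

    def mirror(self):
        """The ACE the remote peer must have: source and destination swapped."""
        return Ace(self.proto, self.dst, self.src, self.dport, self.sport)


@dataclass(frozen=True)
class CryptoMapEntry:
    seq: int
    acl: str
    peer: str
    transform_set: str


def first_match(entries, acls, proto, src_ip, dst_ip, sport=None, dport=None):
    """Entries are tried in ascending sequence order; the first crypto ACL that
    permits the packet wins, even if a later entry would have fit more precisely."""
    for entry in sorted(entries, key=lambda e: e.seq):
        if any(ace.matches(proto, src_ip, dst_ip, sport, dport) for ace in acls[entry.acl]):
            return entry
    return None


def shadowed_entries(entries, acls):
    """(later_seq, earlier_seq) pairs where the later entry can never be selected,
    because every ACE of its crypto ACL is covered by an ACE of an earlier entry."""
    ordered = sorted(entries, key=lambda e: e.seq)
    found = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if all(any(e.covers(l) for e in acls[earlier.acl]) for l in acls[later.acl]):
                found.append((later.seq, earlier.seq))
                break
    return found


def renumber(entries, old_seq, new_seq):
    """Give one entry a new sequence number: the fix the text recommends."""
    return [replace(e, seq=new_seq) if e.seq == old_seq else e for e in entries]


def mirror_mismatches(local_acl, remote_acl):
    """Positions at which the remote crypto ACL is not the mirror image of the local
    one (or where one ACL has more lines than the other). Order matters, per the Tip."""
    n = max(len(local_acl), len(remote_acl))
    return [i for i in range(n)
            if i >= len(local_acl) or i >= len(remote_acl)
            or local_acl[i].mirror() != remote_acl[i]]


# Constructed from Example 23-13: ACL 102 is a subset of ACL 101, but its entry comes later.
ACLS = {
    "101": [Ace("ip", "192.168.1.0/255.255.255.0", "192.168.2.0/255.255.255.0")],
    "102": [Ace("udp", "192.168.1.10/255.255.255.255", "192.168.2.25/255.255.255.255", dport=69)],
}
MYMAP = [
    CryptoMapEntry(10, "101", "192.1.1.1", "trans1"),
    CryptoMapEntry(20, "102", "192.168.2.25", "trans2"),
]
FIXED_MAP = renumber(MYMAP, 20, 5)

if __name__ == "__main__":
    tftp = ("udp", "192.168.1.10", "192.168.2.25", None, 69)
    print("as configured, TFTP is handled by entry", first_match(MYMAP, ACLS, *tftp).seq)
    print("entries that can never match:", shadowed_entries(MYMAP, ACLS))
    print("after renumbering 20 -> 5, TFTP is handled by entry", first_match(FIXED_MAP, ACLS, *tftp).seq)
```

shadowed_entries only reports entries that are completely covered; an entry whose ACL merely partially overlaps an earlier one is still selectable for some packets, which is exactly the case where running first_match for the specific flow you care about tells you more than any list-level check.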

Summary

This chapter showed you the basics of troubleshooting IPsec sessions on Cisco security appliances. The commands and processes used are very similar to those on IOS-based routers, reducing your learning curve if you already have experience with IPsec tunnels on IOS-based routers. Remember that in FOS 7.0, the debug commands have a level qualifier which affects the amount of debug output the command generates.

This chapter completes the configuration and troubleshooting part of this book. Next up is Part VI, "Case Study," where I pull many of the important elements together from this book and apply them to an example company's VPN implementation.


70/0130/ 4390!.8   74:5431:7.$8.08.7/2.70:80/94.3/54.089490#024908 %074:58.3/5:80//439490#024908/:734/0. /..8 349.8:-3092.88354.943147  74:58.

759.20.7.7093478.3.0894.08 .3 3424709.3/84:/.88354.74:5 %074:5 3.0419074:5 02..039431  %0.9078  %5 .5374:574:5*3.2084:/-0/08.3/8:80/94.439..422.

5374:574:5*3.70.3*3.0.07$*!*$*!*( 5 .0.5374:574:5*3.5374:574:5*3..5374:574:5*3.5374:574:5*3.431 .20 5 .5374:574:5*3.80 80389.:9039.20907850..431 84.0.20/01.20 5 .8847/5.:9039.20/0 920/0*80..8847/5708..5374:574:5*3.20 /42.20859 /38/42.:9039.4390 #024908490780 ..7.88 974: 5 .:9 /42.422.70.5374:574:5*3.43/8 5 .570 8.20:807 /0 9204:92288 5 .431 .205.5374:574:5*3.431 .:9039.5374:574:5*3.431 .07!*! ! (< .943 5 .431 .0 5.20 /42.//7088 544544*3.3:8094.43/8 5 .431 .  070..7090.9431..5374:574:5*3.5374:574:5*3.90.2038 807.5374:574:5*3.088*89*3.:70 :39 .1< 5 .431 .20-..431:70/908..039 .20.70/*0 5 .20/0.431 .431 .5374:574:5*3.:5 807..20.20/38 807.7 .943 807.3/2:89-0.20:807 .5374:574:5*3. 9202.431 .20.431 .108.431 .3/42.3*3.431 .431 .07*9.*80.3/84:.431 .202.431 .208.70/094:80147/0.20 5 .07$*!*$*!*( 5 .20518 5 .3*3.20859 9:330.20(  %05. 5 ..2080.74:5 5 ..943 5 .5374:574:5*3.3*( 5 .%074:53.:9039.943 /:73$!.5374:574:5*3.

80 80389..943.0791.7.024/08:80/ 3 $ .70/0 .908..7088.3/.3/2.&39 .0 03:83570 8..70/08 ..70:80/3890.324/0.80  90 & 7.3..!.3-0:594./ 398.3/8..907 1 4:42990570 8.80 %00.90783039.

:9039.250.570 8.943/:73$!.1.0.422.70/094:80147/0.79203910/8:80/.89074:53.8847/.05.3/8-49850.3/.//7088..5374:55..20  490 %08.

943 807.//7088 5445.943 98 .94314:.422.!.04343074:5 4:.94:80945071472 &% %85.431:70/99054.5374:55.907 .94::8090..024709.80.20/083.108.4 70./   %0./1107039/083.:9039.3/8./9474:58 2.4:774:58:80908.90/74:5 4:.7 :9 1470.20907850.88343430..3/83 930.7....4:39843..3/147#02490 .08.4:398 :8073.088.7.075.422..3.20907.884.484:94:80.08  4:.3/ 9490.422.//7088544507 74:5  %0.943147 0.74:59.80 8.250.//7088544 .4$0..208 4390! 3 .7.//7088..3.8:80908.8847/.3/ 3890.:9039..8838.209078303  9.431:70/4390!1.3430702490...4://0130902..:70$807.74:5.7093.4:/:89.08874:5434:7! 14: .3/.3/ 908.07  . 544.422.250 14:.8.42203/89.7093..

90/ /0347 9025...9431092080...484:94.3.9/0389.35.-08.11. 9205.:9039.20907.43/8  23:908 -:94:.3090 0331472.:9039..9020398390 .075.2554.#024908.078..209078303  %0.4330.43/894.075.943 3907..431:708599:3303 .7.075.33.-398 -08:70.80.43.883:59494$807.943 $&  5.422.0..20907 303  .884..7.7.108902.8'! $07..9.20907.48#02490/0.3/.7.9.7.3/490780 90#02490 84.3/ 0.11.4330.0:39 .431:70/9908.0  %0/01.11..3/89.209490#024908.0817423439:3300/97.8-00370.0894:80!$940.4224394:808599:33034390!0398.   %0/0 9205.554394#02490 .07   .90/2.7594580.808843:5 %0/01.:5 807.8838.39.883:59494$ 807.. %85.#0249097.9-0147090723.484:94..43/8 %092078850.0/ 4390..910/90701470 3 .3/90.7 .70303 $  %080.943.15.70. 57490.7.943 .707 9.3 70897.4330.894-057490.998-850.7.//7088089490#02490 4. 3890.:79 .3.:79 .0.90/1./41:839057490.7.:70 :39 .3/.484:94.884.3/0.9.3/147902.:01742   80.078 9490#0249014770/:3/.9/01308.0/03.43/8.03..843 3 .20907850.2:23:2-07 4180.10/3 9080.4#02490894:808599:3303 -08:7090.43/8.920..-.9020398390  490 14:/43 9..3850.97.039 #02490 3890.#02490839074:58:554799810.33.2090714790/42.484:9407.02039.077/3.078390/38 807.8847/14790&%:807.0.943..94310920 80.3/81742070434:9390.990280.7.90/ 5072989.07.20907.3./42.580980.%0-.34..97.9438  %0.20907850.3/90!.70.75942.:98  80.:9831390 -:94:..4890#02490894:8090$ 807.:5807.40/94.422.431:70/9457490.83907.0 3 98.11.9:70  %0859 9:3305.3 /0#02490808843 %0/01..075.3.084203/41170..079092078.7/.11.422..94787010794.07894 9074:5 %0859 /385. .:01742   80.431:70/$807.2:89-080399490!.-094.07.43/847.:9039.431:70/-.20907.4/080.943  0147003.0784390#02490/0.:943 14:.707 98.0397.02039.208 %038 807..0& 905.93.7.108903:2-074180.07 .990'! .//708808  %05185.97.8'!$07. 10..80.20907850.4:9908.883:594903-.2039071.:807-03/90#024902:898:559894 .93 949074:5 %0/38 807..:9 /42..20907.3890#0249043 9-0.422.108..7.08890 3907309-0.04./ ..20907 303  ..039 ....0398.9:70.7/.3/814790/.208890/ :59409 3 90859 /38.431:70/$807.422. 
10920.13./4083 9300/94-057490.-4..:5.43/8 %02.7.1.2090703.3 9803/903907309 97.4:3983498..11.2:89-080399490!3.0570.70 :80/947084.7.3.:80.

..431:7.7590/-90! %084 :8073.3/.088.:807 .:807...39894:80909:330.9:708.20.914:/43 9.0840.990:807.8847/8.3//85.0392.. 807.431:70/4390#02490807..943 .04390!..9.422.707:333 $  ..98:5547980907%$ 47#&$.3/84: .431:70/4390!  %0.:9039.9  .98:5547980907%$ 47#&$ 14:.4:398850.:9039..3994:80 4.422.943.3-0/0130/4.431:70/4390$07.20. 00259.. .8.3/.:9039.0 :807.943431:7.3/850.3/834930.08:704:.422..7.-0/98.943.9.8..75942..:8078-03/90#02490.422.9090:807.80/&%.*2..70.70.3/0./:.3/94:80147&%  4909.8 90..088:8078 %0 5.:9039...990 03/4190..8847/9.07 90.9904:95:994 :8943074:5-850.8847/5.:9039.94390280.3 9 5071472.:9039..:9039.079.9.7089.9.07 -:92:89/0130 90:807..8080259&80 :8073.8 !!4308 .90/0300.3/ %0:807 /0 9204:95.:9039.431:70/9 90:8073.20907.4:398.7010703.10/-90 4.8-003.943-003.20.-.431 .75942..:9390.9.75942.3/ 4: 800982088.039902 1742:83909:330 %0/0.5147 .....422.:9390..039 %01789:8072:898:55&%. 5 .203.70.4:39843..3&%5..9.70.431:70/434:7! 4:..439.20907002598/0.-73:5909:330  3.422...3950841/0.3/8-0:80/ 35.514790702490.7.943.8941002590/./:.70..:807.3/ -:99038:-806:039/0090 902 4: 800982088.990$&10.0 9490/3.1089..3/9034: :80901443 .431 :8073.5 .:9039..4190:8073.943   %0.&%:807. 807.3/850..943./:.9434390$07.:807/.75942.38..3/8:83 147.5374:5..70.07..3 95071472% -. /.422.9:.943 .88:239 8...9.! 990.3:8090 9:330 4909.422.7334.431:70/.3 9:804.3/94/01304..70/039.039.:8073.079..13903..:8079.4:/570.7..943147:8078 -03/90#02490 ..07 57494.20.0.:8098570 .44..9.422.5.943 5 .3/543989490.:8078 14:.:9039.88 974:5.3/8 9084.7.:942..04390!.3807..7-0..5*3.974:5  &%&807:9039.7334.3/ 9070.08 8:.8080259.0.53.089.4:398:80/147&% :807.4390 !4743....422..209078:80/033/.422.2090703.03982:89-0 .431:70/4390#02490 .431 .03.5.:9039.:9039.943  14:.1089089./.9435.4:3984390!147&%  4: 1789300/942.9..842:89.894 -73:5909:330.431:70/43.3//85.0 5.079..:9039.370897.5374:5.:807.0909:3308:5 .-083/.:9039.422.  
!98.8847/ 5 ..589.20.3/8.3:807./:..80/  30574-0293/.422.20419..205.422.704394...90  030907$&473/.7/.-0/ 9850..75942.3/5:80//4394 90#02490/:734/0431 .422.07 .4:88941.94389.:9039.3807.039.7/ .9..039.4:398/0130/0300.89390570..943803.10803909:3308-74:9/43039070834 :807...20 . 807.:9039.75942.707:333  4:.943147  %0:807.-.422..2.422.07 34990#02490  %0:807 ..

0 :830.759905.3..422:3.943857494.! %0.589.39071..0-49950841.8 < 5 .088..94339.209078:80/2489.07147.943894904.7.7/807.589.431 ..75942...43/.759430:80/09079403.. 807.431 .57494.20907390 ..431:7090.07!9439.4.422..:9039. 807. 1*3.-04/0431434:7!849.48419.9403.431 .490!84:/:8003.8847/31472.3/850.20907 805.07*!03.943847 .90708543/<  %0708543/5.5  5943.3/850.07 .08898830.90904/0431574.422:3.70...422..039 39..90  490 4:89.0774:5*9.20.943  4/0431.03.3/9..07.35.03947343 8. 807.9.9.908&%.4 398.5*3.70.. 807.20907850.42243 07090702490..5 .1089057494.090807.....  %0570.20  489*807.90.5..7.0398 .90/990807.4..7594302:892.039 .3/903.070907%$ 47#&$ %074:5*9.9438:80/9474:570.:80890$07.90/.7.9.9.5*3.9.039.094.090 4.422:3.088/0.5.3/8479-49 .*2.08 4790 4/ 8.3/ 5 .9438 %003.088...94374:5*9.422:3.75942. 900:80/4390807.431 .904/0431 14: .905.422:3.0774:5*9.07..422...07-0:80/94.20.039 :80 9039.5574:554.*2./147%$ .9431479089.422.:9039.08 :80901443.//70884190807.4!80.80 4:4:/:80901443!.884..943.20907 .943147  %403.7.47. 702490..748419 8%!. ....3/8 5 .422.3/8940907 %080.. 9094035.0/3.431:7.3$!..422.75942./:89.7.431:7..93990 807..75942..422....07708/0841141 4:2:89.3/090.75943*0 5 ..9..0399403( .:9039.1089039071.20 038/0 90!.94:.71478.039/0.9.7..07 .0398 .0894!80.:9039.943147#&$.1089.3/90 03.422..3/  %01789.

8054.70.50397 5488-03.540.  47 !.250147  49.07.088/0.431:70.422.8088438 84 :80570 8.30.3/83.3/34190097.89./3.:3/0789.75942.9.. .75942.943 43.0.503979.5907   .884.9090:8041 9080...97.8.088:8078300/94809:5!80..422.-0## .8.3/8706:70/94.75942.08 90/3.08 .5 .2.9..3.07 /8.:880/ 9080...3/8 :8390309478433:70  39889:.3814728099.431:70.8'!$07. .8'!$07..2.75942.909097.07  44.97010703. 3:2-0741702490.25094:897..-09089..-.70/08 .94:.9.3/90303.82.422.381472809 8:554790/-90702490.!..90.

.07 . 807.:9039..75942.589.7594/3.//7088708543/ 807.07 ./39030947   :8090:807.431 .08 807.088 89 %# % 807.75943.088 89 %# %507295               807. ...07 .74:8.90890!$07.92.38   085 .94350729 580. 807.706:70203983980..0(   .5/32.07.3807.381472 809297.9 38/0  .04:98/0 807.2508599:33038 706:70/-0.431 8.07 .2.30/-04.2554.:9039...47.3/859 $84:/-0:80/ #02490..0.250   !..2.07431:7. 2..039..07 . 03.9438.07 83.939831472.4330.339073.431 .5    80997. ..92.431 .4390 !  :70   !.539071.2503..088:8078300/.94340.431:7.250 :897.943   .431 .3/80.431 8.:9039...07$#'#57494.88:2090!8 7:333 $  %070.5 807.//70881742      %07010703.07 .70.0.431 54..431 3.75942.250 '01:802.07 .4:398/0130/90703890.3/903907309 ..70 807.589.589.8830/.07 .078.589...97.039.75942.431 8. 2. 807..431 .07 .08894-4990802039-03/ 90!.431 ..8'!$07.08085 8...088:8078-0 ..92.:8090702490.07 .943 807.431 .5580.-04:98/0   807.8'!$07.07$#'# 38/0 489   ./41705.250   . 8.431 8.381472 809297.07 .03:2-078 94907941..07 .544702490544       .2554. 807..8.943570 8.422.25 /3.2554.07 .07.8.943 070 .943$#'# 807.7594580.07 .5..431 .88.07 .07 .07 ./32.431 . 807..5./:8   807.431:7.147/0.75942.431 88459.431 8.38 807.9434.7005.2554.92.7094-. 74:5 807.4 807.

3.431 .422.7.4:398 8/03910/.74:5/01.75942.07 .//708808 /0893.11.5374:582.74:55.07 .3. 806:03.9..431 ..943-09003904..431 .-0&%.2.//7088 544702490544   807.422.209073890.4 807.74:5859 9:3308599:330 807.07 .884.503978.088:8078 39073.90/14790 702490.5374:582.03984790 8..4.2.5.7.088808843890723.943.38.07 990.3/.5039739089.3/4/0431  70850.5374:582.431 .--03574.431 .75942.75942.70.03:2-0714790/3..3/90807.-09003  .:9.74:5859 /38.9.431 .07349.088:8078 850.74:5.0/390 89.07   807.3/&%8 .74:5/38 807..$8 %889037010703.70/08 03 .  84:7.//708897.74:538 807.90/99089.07 .-0/43904:98/039071..8847/.5374:582..8.943814:3/3.3.07 :80.039 4:4:/:80 9039.09.//7088088/0130/99054..431 .5007 4:4:/:809034 .9.0..07 84:98/039071.5374:582...//7088544 .2..90/14790702490.3/    38/0130/94..439.3/903 00259890!80.3/070:83570 8.431 24/05.4 .0880/-.0    3807.0-49.9.2.3$!54..8490723..-0.990:8078 /.4:80/-0900390!.07 .8./4190708543/5..3390702490..088:80788/0130/    /3.5 . 407574799.75942.250    $!803.088 898599:330507295               807.3/3.//708808390 .38147280914790702490.422.439.9.70/01470.07 .4 .4.8..97.3/8/8.905.88:259439..088:807 839073.088:8078 4790 8.07 .11.550/9490$07..990 57494.305.078#&$    4/0431803.5374:5/0 920   0708.0.07 .1390 97.503970814750078 %088459.431 .431 .807..3/90807..41478599:3303 97..3/34 .943419080.039 4374:588:554790/ 14: ..550/9490! 8 4:98/039071.8..5.9.38147280994:809457490.914: .39089.39.3890:807.0 1479050078    %0.4 .039147343 8.42 807..088 89.:9 /42.42 807.431:7390570 8..20907 84 .3/702490..5374:582.-0/4390$07.07 .5374:582.90/80884384398!..70.7..4.07 ..9988.90/4390$07.3/90702490. 544.8..07    807.9.3.//708808390    8:554790/97.20907894/8.070202-079.

... /0.490797.039894904.0398880393.90/174290702490.3/..174290702490.11.08-057490.7909 %01789   .088.0..088.802039 ..

 90 .0 9084:7.7010703.//708808 8147904.0.11.97..

04190$07.3/9080.38/039071..43/  .07 .

8'!$07.//708808 81479039073.93/4174:554.943.74:5 8.//708854494 :80 702490544 90570 8..3 903147.990#024908.7010703.170.0/82.3/.07 908599:3303 94:80 8599:330 ..794 ...3 $74:907 %043934:29..70/094:80147/0.//7088084190#024908    3074:5 .-0/:31479:3.90 4:.943 .0791.3994/48 038:709.:808599:33038 03.414:070:83.9433 88420.0.3/09204:9  80.3.431:7.982.43/8  84:.0/-0.09.908 98.0743.38001742980.250 90.90/ %874:5850.431:73..507843.422.0 90 /0893.0.078 /42..3/4:/-042990/ 90 $807.:9039..10890.33.8.20 .389.3/859$ 90$807.70.4390!..

$:39 '07843   .

7933 $ ..3/  .! 47 .8'!#02490$:55479147  $9.

 8419.-047$ 24/02.43.3/5:80//439490 #02490/:734/0431 . :8078-03/90!/4349300/944.0397.5907 #4:907#02490.0754.8'!$07.8.9:70894/0..3.'! ./.82.380.7/.07.:7910.3/0.943894.147 90:80789.11.  .4 03/!./082.07  0.90/ 9 8257010770/ . 3:2-0741#02490..3.3/...039147$   03.3/0.9438 90 .34907!47$80.8'!#02490  39.#0249089.3/3/..4 $74:907 47 .3.9438 .088 4330.:79.9.9300/94471742420  .9 9097.03939889:.3 !80.3!80.03943907/089458  %5 4 03/!8.947 .0/4390$07.4330.0397.80884394.5907  .4330.0 14:70.70039  ..943..3.039.3/ :-7 .93.8'!$07.55.4330.8.071:3.08.70. .70 .70.9438300/0/4390!94089.041 80993:5.943 84 904 03/ !8.84.9232.70.3/300/94:808599:3303 90!574.94341.-8.8/0.0. 1742.9834957490..3/  74:9078.70.35071472901:3.39.7/.431:7.7/./:.0398  30..7/.70.35071472$07./.743203980704:.943894.

.431:7.9438/8.07898    $03.0791.#02490 ..4'!0398419..3419010.250.943  490 '07843 83498:554790/4390 .0 .3/.3/74:5    &39.8./:..3/80.:9039.422.:5807.943   .3/859$ ..0&39:9039.70/0.3/.3/894.3/  .9.:8890 .70.:70:39 .:807 .84.943   ..943   3/.794 3907.:9039.431:70...943 039.3/90'!   3.9:70841 908.75943   .90/0.:/3 O O O O O O !70 8.9434390  %014439480.:9039. %0!#024908:5547982.4 03/!..3/30947090384324/08 $599:3303.:9039.30.882.

 !170.8434390!.

3.8 '!#02490/0.943 0.0    .3/ %0701470 98349.8'!#02490431:7.8..4 03/ $74:907#02490/0.0  .   ..431:70.:770395488-0 94.! 47$ 7:333 .

03903.0392.//7088*8:-309*2.4330.53.431 .9 .9 5 .431 .//7* *2..53.422.53.039:8073.431 .431 .0*3.431 .53.4330.-0 5 .422.3/706:70810.431 2.8847/ 5 .3.08839071.8'!$07.20 5.039302 89 .20 5.:94.53.03924/0.3.431 ..4330..70/*0 5 .07$07.//7088*8:-309*2.8847/&%*5.8 !*.53.07*!*.431 .431 .20 5 .3/894809:590!#0249094.039.020399:330 !*.5374:574:5*3.039807.994 90.53.3/8 &80901443 .431 .02039 .039..8( 5 .8847/5708..//7088* $07.53.7/ .0392.039 24/030947 0903843 24/0< 5 .53.//7088*( 5 .4 03/!#024908897.431:73.20&%*:8073.07! . 00259*.8* *.9147.//7**2.//7088* $07.8*( 5 .07 5 .07*!*.

.00/..33490.0.943.0890570 8.53.4330.53.0791.9078.5374:55..039/8..422.70/0 ..9  %0.385...908 98.70:83 .70/08 147/0.3/842990/ 706:708 $   74:53.208.00/.8847/.3/ ...3349.422.:9039..3..431 ..439.3/8:80/ 19074:54390$07.5 .9078 47:807 .039.94314:.078:83570 8.:9039.7.33490.7.

7.0988941-.53.9.07.20.-0 931.039807.:9039.3/ 090790 :8073..99490.$07.8847/9 90.9438-03:80/ 4:2:89/013090 #02490 8:8073.07834970.039:8073.-8 1/0...07 .4330.8847/.07 .0 47:39  .//7088890 572.9394.07 1.//70880890#0249084:/:8094 ..&% .0397./0130/-.20347905.:5$07.9574-.:589 90!#02490 705.422.20.9078  %0.4330.07/:734/0431 03 .//708808 3  43 190$07.43/8 90#024909790309 807.3/850....422.8..07899.3-01440/-:594903 -.3/5...30..07.88:239803.10843047 2470$07.$07...:5807.0739089  .-0/43 90$07.07.03949 -90$07.//7088 .7.53.080.00/ .890 %01789.

03924/0.7488909:3309490.07 147.431:70 ..03924/0  90!.4330.890 1 4:.//708808949039073.9.003.0714798 38/039071.845071472!%...0!!4308-03/90!#02490 4: 2:89:8030947090384324/014790 .!807.0394730947 090384324/0147 90.9300/894 -057490.94347&.97.0397.4330.4.9439490$07.108090790 !84:/:80.53.4390 $  !.07 034:.:9039.//7088.90/$  /0..//7088331472.03924/0 4:7!2:89-0.9.3/850..422.%0.4330...11.943 9490.943950 3/14: .0 .:942.8830/ -90$07.90/.3/34:9..08 9.-0/0907:807 .

0397. 8.3/ 706:708 $ 434:7!#02490 4:.9.07 98.43.3/2.3/ 57390789.9394.3/2.88 %42.53.'!  .3.11.4!!4308 4:4:/850.43.:/0. 00259.422.9300/9439.039 2.947...7488 909:330 .1901443 .42580/990.3/ 40.//7088.//708808...//70880841!54308.//708808-039    490 14:7!#024908.8..8       .$&1479074:590! #02490-043894 4390#02490 4: 300/94 0..4!!4308  .4330.389 94.8.3/4: -0:83309470903843 .9047803/97.422.

!.3 $74:90747.-0/4390 .2:89-003.947.43.24/0 9854.078.0397.8'! $07.8498834997:0190.

..02039 .40/942.//70884190 .4330.3!80.422.808843 03:8330947 090384324/0 9490$07.3903:80%0309 $$ %%!$ ! $! 548 .02039.7 4314730947090384324/03..:942..9. 97.3.0790859 9:330354.03 902.3.11.43/.3.4330.53.0 4:7!#02490174290.3/ 850.3/ 850.431:70/2.088.-0/4390$07.07 8 30947 %080..$.9.32.422.0   14::8030947090384324/0 4:.07030.880399490$07..088 %01789. 39071.3..53.422.0392.9.08890!..70.990#0249084:/.039302 89 ..3. -73:5.084:/-0:80/9490723.94381479:330.3/  %0.03924/0 .//7088089.0 90#02490 .:94.9090 2.3.07.3/830.108!.1089.3/ 5:80/9490#02490 %8..748890 9:330 %4/498 4:300/94.9438  9884:/-038/0 %42.088.3/850..431:7094 .55.8-00303.3..3/2.3/8..02039 9:330..4330.07.890.422.0203939071.0397.422.3.02039 .3/5394.3.3/9:890708990 044/4190!80.422.090!#02490  4:.9:3309234:99490 .909:330 174290$07.108.

422.94790. 80884394-039.90/9490.3 9490$07.-0.039 /8.3:..8'!#02490.9..4330.584390! #02490 84 947024.11.088:55479  /9.:942.07 /498 .422.0791.53.48.3/ . .07 8  %4-73.3!80. :8090.53.908.090'!.3/8   &830791.3/  490 :89.9:330 :800907 9034.-0/.$07.9433.4330.41 90.07890  %0..9..8#02490/0.08 .03903.3/$07.:79.53.53.55.039 .3814728098 ..9:330:52.3/2470 97.3/.90..0.9.431:70/$07.431:70$!54.422.943843 !80.039.8:80/147 908935:754808 %490723.08.53.422.53. 40.7.071:3.039.3/.7024.3/:80797.08439039073099. 8498.088 3 90.908147#02490.422.4330.422..039.431:7.7594 8 97.$!.425090 :80 90.8439449075.07 330947090384324/0 9882470 0038599:3303803..3/95.943434:7!#02490.8974:90781:3.08  4:/43 9300/94.3.75942.039 .11.

..943 3  43570 8.70/08070 .324/0147/0.:9039.0 .2.

07 8.4  89.07 ...422.89 80.209078  490 .3/174290.550.94343.431 ..0791.230.9043.43.9..079.8/8.!#02490890 8.81907090723.9.05990 $07..390.0791.943  44:4-9.3/..#02490 9349.4.904390 #02490 470..3.894110/8.93..090507843.43.8.431:7043 90#02490940..8..3/439070894190.073  8..89.0791..20..:089.0.:8 4:/2. .024/0 14:429 90.. #94800190$07.....0791.//0/.310/84390 .9 2:89.:79.07 8/0399.3/ .07 4:50720907 4.2.74390$07.079/3.8-003 70.039.8:554790/.9094 /0907230.439.3.8.90 5 .07.4:/-0:80/3.9010/8 0.0791.3808843 %8 .:880/390.0.079/3  *8973  %0  89738.:9039..5907 40.7..3 807..40/ .431:70/.07 03.5374:5.05.9094/0907230190#02490.90  3 90$07.. ..071.10/84:. ..3/4:.07 8.071.0791../0399.3 3 90 2//0..../.250 98.92.3994.0791.422.90.:80419880.99.908-0:80/147/0.422.. !8.53.0.!#02490 /9..33 807.7088.-4.0791.431:73.

#0202-07945:99074:53.204190!#02490 390 &.

039:8073..53.53.943.8'!$07.//90/09..53.3.53.53.03903.431:7.250   /85./0/174290 $07.3/ 4330.07    .943 %084.0894 .020399:330       .3/  .209079490 570.354.90 849.05.53.-4:990.20#02490!5..039.07348.422.422.5.890.7.943 #0249084.943'071.03924/030947 0903843 24/0 ..8'!#02490 8.990.8847/ .943 .3/.039   &#%  .559490#02490   '07134:7 #02490431:7.0791.0392.954.8847/ .-0   .07 %48002470/09.79203910/4198/0399.250  #02490431:7.53.3/ 8433.431:7.943 4190#02490 .039807.0885.039.5374:5.8.943/434.0/3.53.039 .31472.

07 #010703.:70&39:9039.354.90890:8041 90/09.:5$07.250 :897.89084.805.8.250  #02490431:7..    !  :77039$07.20907 %0-03334:95:9890 8.943..1907900.039.:942.99.70390808.5..7.943'071.2.90/ .70890/94907941904:95:9  .9433.870.943 09..//0/$% #!  /85.8 .4 .03:2-0783 5.3/890#02490.30/.422.3/90 #% &#% 80.3!80.3/40.53.079.9433.0890#02490...80..94-:/ .250  .90//3.9:3309490$07.078430  .0/4.3.07  94.0.-0/4 &807:9039.-0/4 .88.0/1742 90$07..07    01.70.//943.422.-0/4 $0.8.20.89070.42 !$3.70.9438.

020399:330       .:5$07.   &#%  .53.:70&39:9039.20:8075.8.9433.53..07    01.039:8073.53.-0/4 &807:9039.-0     !  :77039$07.4 .53.5374:5..:942.039807.3.53.42 !$3.8847/ ..#0249084..07    .-0/4 .078430     .039/09.3.039.039 .03903.9433.-0/4 $0.0885.8847/ .03924/030947 0903843 24/0 .53.53..0392.

.381472 809*.53.:70&39:9039.53.  4:95:942990/  .507295489          4:95:942990/  . 2..08 085 2/ 2.53.08 085 8.088 89*.....$% #!  $0.7594580...7594580.*.7594580..381472 809*..97..*9809*085 .3 .-0/4 $5909478430 .*.4330.  4:95:942990/  3.078430 #% &#%  88459.381472 809*.088 89*.94350729 580.:5$07..53.9433. 4:95:942990/  .9 38/0  .*9809*085 3: .   .*.088 89*.*9809*085 .97.53.97.507295       ..53.

75942. 10920  .9 97.//7088   3092.:9 570 8.53.*9809* . .5*.53.75942.53.53.*.53.70 8.381472 809 *..*.078.2 580.*9809**.2 8095007    . 8.*9089**. .04:98/0 8.88.*9809** .//7088*.75943..9.53.53.5*.  8.*..*9809**.*.2554.53.:9039.*9809** .75942.253. .25005.5*.8     8. 03.2554.53.239071.*9809**.53.2554.53.53.*9809**.*.75942.25  ..75942.*9809**.53.2503.0  8.2554.*. 74:5 8.250 .53..2554..-04:98/0   8. 8.08  8.085 8. 2.5*..2 2.53. .*9809*  *.2 80997.943.5*.53.53.*9809* *.

174290#02490 84..250     !80.2554.4:95:942990/  8.11.97.30947    . 10920   0708..943570 8.305.2554.8002590/1742.2554. .0.3174290#02490 84:98/039071.70 8. ..3.:9039.083. 74:5 8.94341907010703.75943/08 8.11.0    397.2554.82/ 8. 03.2554.

.3814728098.38.53.90/.//7088     8002591742.8'!#02490  :897.9.89894809:5.02039 .07    89.75942.3814728094390.943430 419080.4330.90/.97.9.07 /1107039$!54.90/1475488-0:80357490.570 8.431:7.89430419080.8942.3/90 97.14790$07.3/.8940894390$07.70..9.//708897.250 .02039.4330.70.0.9.70/08.08.4330.90//3...990/.07.:942.9457490.9434: .9439490$07.2.*.9.11.3 .943 147909:3303980.0397.!.943 :70 /85.89030947  :80.3.4330.9.707010703.70.90/.8'!#02490.3/.30.75942.90.-0/.94394-0-:9   .9457490..70.07 070..0/390.250 84890#02490 8 .503978.8.:942.250 90#024908:8330947090384324/0    0.07147 902.3814728098.:/390 #02490 838/039071.3.197.250431:7.943 %4844:40.. 3.8'!$07..93902.38009.14790$07.990.50397    $!803.8:80/94850..70.70.90.70.

89 03.0888.74:5.70/08 %0&%:8073.3/5..8847/ .4330.3:.9:330 702.:808570 8.803.250 '01:802.07.431 .943.3!80.-0/14790.8'!4390#02490.3/038:7089.-74:9:5909:33094908990 .3.38:5-0900390#02490.07 90.4330.07  .422.859 9:330354.94324/08309470903843 070 2.0398 74:54390$07.0397..0/.53.40/174290.4330..8'!#02490.0(   .3/903 2.3/90$07.5374:5.0398 .431:7.250 #02490 .04190#02490 1.-0/.250 90#02490-0438 94.:94.//7088 %0 .0398 .943 3980..943  :70   !.53.02039.039.8890.9.890 949038/039071.250  !#02490431:7.9.8'!$07.039302 89 .20..70/0130/ .

2.431 .20#02490! 5.3.75948.80884394-0-:99490 $07.4330.53.53.431:7.7095.3/.5.431 .90//3.07    #02490 .53.3:809084.25.943 .02039 .53.:880/3 2470/0593.3/890#02490.02039..431 .020399:330       #02490 ..3/43 90#0249047$07.3/14790/. . 94.943 54.422.4330.3/ $4330.-0 #02490 .53.039302 89 ..9  4:.9438 !:8 4:.422.431 .4330.70/8.039 /09.03924/030947 0903843 #02490 ..53.70.3.9 #02490 .53.431 2.3/8.08/434.039807.08838/0 #02490 ..:94.414790!80.0392.88 #02490 .07 %094/0-:.9.3/94/85.03903.3.422./0/174290$07.431 .5907 %74:-084493!..88 #02490 .8847/!5.53.4330.039.8847/80.431 ..3/ 90/0-:.0794974:-0844990 089.-8203941902.07  .90#02490 8 .9438  .3:8090/0-:.422.422.7594580.431 ..039:8073.

590714.794190.. .8'!$07.8'!$07..078.9/8.9478 40.020398.07 /11070399.3/$2470330990!80..431:7.94341.431:7..078574.8'!$07.07$:55479147  4393:0/8:55479147.33003.943 5:99390! ./0/ 3 $ .071:3.5.:880/0.3 2.:84390 .94341.43.3.3.3./09490$07.07 90 .0 -0032.-90841 90'! .707147   %85.!.0397.

8'!$07..07  %01443.4:398.704.//70885448 /8.0948099:5.943  70.:79.$..08 /8.07 O O O O O O O O 3..709.4390!.8.3.13070:807.:/354..:880/ 390.-3$! 3.55..$07.4:8 390//7088!44431:7.90/  4.3.8.939:33074:58 988303  $50.89.884:300/9450714724390  80.943147  80.5907  0133!.:880/570.

:880/390..4:8390&%&807 :9039.:880/390.$4743.4:398 1850.5907  70.390/3..89. .97.5907  #010703.088:8078 /8.07 /8.8.3 .:880/570.943147 80.5147702490 .943  70..93.75942..5..3814728098147/.93:807../3. 0133!80.4330.2.9.10/4..3807.943431:7....89.75942.2.9438 /8.

75942..:880/390 .O 03973.9.89.54390 !...9.939089.89.9.5907  .5 /8..75942.

44:94/0130'!80884354..90/74:541702490.3/90.9 :897.07 7:333 $  &3/0789.70.94341.:8888:08 9702490./0/3 $ .088 :8078478088438 %:33074:58.9..9438  .431:7.0888088438.8'!$07.3!80.301742 94 890 3974/:.4:398147&% 443908080..3/3%:33074:58 013374:5!4.$ 839071..79.84/8.8088438 /01.:9 949:33074:58 .3/3%:33074:58 %02.9090.3/84:94389.3.93%:33074:58 70.431:7..94341909:33074:510.7-0/2..0 0.70 574.:/3 O O O O &3/0789.3/.943814..884.02039414:7 !80.08 70.5907 9030910 80.2509.:843.-4.4:8398.90/434:7!.08 .3/2.34190.9:70 %:330 74:58.70:80/94 825190.93&807.:..30.78088434774:541 8088438 0.90/9.5.88 570.89../..9438:36:094 $  3.70.70.431:7.:80/08.09.70.3..943.

$ .

:8074774:541:8078 98 .089700 .70349.01..43.3/ 01.94389058 $905  $905  $905  013074:554.0888088438  9:33074:5293.90/9. 850.884.9:33074:5 /01.94341 90.884.0/1975!4.. . 0898439080.947  %0:80419:33074:583..1..909:33074:58  70.4:398147&%  %0.08874:5 82.54.:79 .4.88705.31472..90/9.097009.702490.5374:5..3/3 $  %:33074:58 2:89-0.:/05..55.:974:5 54.943.!.2090788:.80 74:543.431:7.997-:908 .-4..8 0307.:974:51478088438.422.3.8088438  74:554.7.'! .0147:80784...90:807...79490.884.0397.94394-:/ !80.08  70.8:80/94/0130.3/31472.0901:3.431:70/4.:9#74:5147702490..43.90/9.

997-:9084:.79.5.:880.088.419080 8905832470/059  013374:5!4.:.08874:5  ..08 74:554.7702490.9438/8....883 94702490.3994.0398/:734/0431 9.08/0130.$ %0 1443970080..9-04394.

422.08.9074:554.084.431 74:5 54..4...3/90 30980.4743.07*5.081474:7702490..1089..8 /43099074:5 54.884.0398  74:5!4.9:33074:59..422..3-0/0130/4.%08054.07 74:5807.9438 4:774:554.70 /0130/4390!.07  %4/0130904.:880844:.9090 54.3-0:80/94850.5.850.088:8078 ..74:5*54.*3.943/8.943419074:554.:79 .70.94341.422.080907..98:80/14790702490 .3/  3. 31472..8847/  %074:5 54.0894.70... 807.99054.909029.*3.90/ 4:9032:89.850.07*9.9354. 9:33074:5 .088:8078:80 %880.4743..8847/ 807.1089074:53.3#&$807..3/ 80.1 904.74:5 854. 174274:5*54.70.07 70..088.20 39073..3/...:880844:.08 .3-0/0130/4.08 :8090 1443.943 /8.054.943 39073.20(09073.884.08 .3 #&$807..2090 702490.

43.3 .$9801.3/09073.

3-0.998.390..3/90 5.0397. .//7088083430 .4330.#&$807.0397..11479074:554..07.422.00/990847:333 .139073.074907 74:554.07*9.//7088083430 $59$/8.3/ 0-'! 43..8847/14790.5.4!80.2:2808843..0884:770897.947  %080..43.3430 $:554790/9:330357494. 807.9438 %:330808843/09204:9 23:908 .94383430 $2:9.0 .79490'! .:974:554.03850.550/949:3300/97.8847/ .1975!4.8:554798 901443/01.9439204:93430 907.7.80 74:510.431 .304:84370897.:974:5!4.'! .3970./01.#&$807.08 1742 82.3 0..:954...07..0/ 1975!4.3. 4:.20907850.0794:80-44314790 8.90.74:5 54.108 .9478 .088%$ 8349 8:554790/  01.:807948947090&%5.8 90.8074:514:3/43. .43.3/ 843 070 O O O O O O O O O O O 01.07.209.07 14:850.984:/:80940998/01..9:70 %0807.08 4:.33.11.55.203430 $807.08 %0708.422.4390.3/8.-0/ $807.:9/42.:954.

:9039..0398 /8.:974:5 54.-0/ #0 ..-0/ 425708843419:3300/97.1..-0/ !-5.-0/ 01.:9039.11.:9.0399508.-0/ 47!80.-0/ &807.7/.9:70147:807.0398 /8.08147850.-0/ #0897.9434190 9:330/8..O O O O O O O O O O O O O O O O O O 4.:70:39.039 /0130/89 &83!80.943 4:.70.3.3/$50.7/.943147.997-:90 431:7./8.:9039.:9039.-0/ 4.54..54.:0814790/01.11.943147.93.039170.39073.3430 &83!$34 43-.:807394.:5807...:954793:2-07   $599:330354.1.3.90:8078:543057../8.8810.70..943/09204:93430 !5430-5.33073430 .-0/ &807.07&! 90/01.943 /8.943 /8.:9039.4.70.07843/8.3/.07&!/8.9:70147:807.0789:8090.:9039..3430 $0.3090. 97.-0/ 9:330.4.47/01304.74:5/8.70.0398 /8...8810.  $599:330330947893430 $419.74:5!4.7/.-0/ 0947090384324/0147. .

997-:9088843 070 80.30*3..3*3.431 74:5 54.450 !*30947* 80.431 74:5 54. 38 807.3*3..:0920*7.:79 .20 80. /38 807. 859 /38 /42.53 ..20 80. /42.//7088 !*.20< .//7088( 80.431 74:5 54..:0 !*.//7088( 80..:79 .304:8 4383:2-07 ..:79 . .088 4:78 .:79 ..20 /42.997-:908 80.431:7.3/  %0.431 74:5 54.74:5899074:554.//7088 !*.3*3.20 80.20  /42.:79 .3 3.:79 .5 30947 8.53 82:9.431 74:5 54. .07.:79 . 74:5*54.:0 !*.*3.07.997-:908.:79 .422.3*3. /.943419054.431 74:5 54.20/42.431 74:5 54.1975!4.431 74:5 54.

(0-.-0/8.:79 . .. 70 .:79 . 51803.:79 .42503.-0< 80.431 74:5 54.20 80.4 580. .:79 ..:79 ...07807.:79 . .431 74:5 54.:79 .431 74:5 54.-0< 80. 5 .:79 .-0/8.:903.-0< 80. -..-0 /8.431 74:5 54. .07  ..:08973 80.431 74:5 54.8847/ 8947.53 /0 9204:9 23:908 80.3307.431 74:5 54. .-0 /8.0 03.80.:79 .53 808843 9204:9 23:908 80.431 74:5 54.:79 .-0< 80.53 1907.:5 807. -.078433430 80.20 80.431 74:5 54.53( 80.. 74:5 4. 5.039 .:79 .078 807.:0 *3.:0 9:330*74:5*3.431 74:5 54.431 74:5 54.431 74:5 54.:79 .53 9:330 57494.431 74:5 54.088 7:0 57479 50729/03<950950.

:79 . 9:330850. 3*3.431< 80.-0 /8.-0< 80. 80.431 74:5 54.10/0..943 03.:9039. :807 .07 .431 74:5 54. :/5 54795479 80.:79 .:79 .20.:70 :39 .. 9:330.0.431 74:5 54.88 .-0< 80.431 74:5 54.431 74:5 54.431 005 .807.039 .. 859 9:330 30947 89 .:79 . 859 9:330 54.:0*3.:79 .:79 .20<< 80.:79 .:9039.20 80.-0/8.943 /0 9204:9 23:908 80. 580.039 .:79 . :/503..*950<54.% !!. .431 74:5 54. 580. 5 5430 -5.7 .10/< 80. 4:9*3.3430 459706< 170.:/0850.039 170..431 74:5 54.431 74:5 54.

3/.3/9..03..088.0398 %0:80419080807.20.-0< 80.484:94850.0784.7054.422.2094.1.47.88394.33. 74:554.7.839073..431 74:5 54.081479074:54774:5834990 74:59801 /8.078:3088 .:974:554.209079 9074:5 54.039 84.702490..943.0  %0/42.084:394.90783 039 %0/38 807..-0<  %0..3-0:594.9508/0130/.077/08 90. 30203.:8890:804174:58390309 80....5 -5.-0 /8.088/0.850.:0.997-:9085..943 &8390.943   %0/42.431:70/$807..0814790/01.55084319074:5 54.8803.33..07..431:7.422.-0 /8.7.3 3..3/24/00704:.:79 .4:8 80. 0.  490 %080.3.20. /42.431 74:5 54.3/.3090 54.-0/8.422.1.07814790702490 .174290570. 8:-.422.484: 94850.:79 .1:59494$807.-0< 80.0.-4.

84 4:4:/.2.422.422.088/0.208-07084.422.0 8'!.33.3/  4:.80/43.90( .30.422.!.422.8'!$07....4100 47.04-9.1:594 94$807.:8890 .30.92041 /.422.82.20 80.33490.208..-84:9089...07.00/.30 ..4330..88320394139073..208 890/070.10890309473:2-0790!807./3.:0.:79 .94394:809470897..3/42.7922 /.9207.20.30 80.5 30947 8.07.:807 839073..4390.3/40.30920*7.3.088 4:78.088 .07 %8.:79 .1.702490 . 9207.431:7.431:70/ 990920 7./.84:0 14790859 /38.850.07 %09207.3/8908.108.422.484:94850.30*3.:8090.!.0398390 30980.07.07.078390/38 807.883702490.3/0130.943  %0.9..:0.!807.3/ 850..431:709843 $ -. !.//70881742 /8.431 920 7.93 9490.450.33.//70881742.33. /..088 -.//70880894.422.03.55.431 920 7.7.07 90039708973 .9078 3/42..3/8.03994:8090$ 807.07 84:/5:.0398 %0/.422.039 %038 807.3/850.3/4907 /42.53 ..//70880894.3/.80/74:9078 %0 1443..0/:8390$ 807.:0.4:809:5859$990859 /38.3/8:80/ 430390.431:70..3.431:70/4.30.


3/0003/ $.%! 2. $:3/...250 5074/.3850. %880850.0..34:7.0 8:83.3/0#02490 .4:.37. 43/.:9039.70:8073.4:/43 9 .97:0190.  %:78/.301742     472.943   %0. /.*41*005.3.:989490 1789..890 .088174294! 43/.3/5. 0/308/.208..124709.3/298903:2-074182:9.:0 %0.3/ $:3/. 00/.4.0791.:0 470.3830:807 %0/01. -:9/03..99200370897.39#024908948.93'!.40/147.99080.0  70.42203/9. 974:7/.422. %:08/.3/. 14790/..55.55.439748443.43//....8847/8  849884:/-0.*41*005. 4:...53 /0 9204:9.00/.84.53 82:9.:98 -:998 . .94::80.8 43/.9-.7.3/23:901472.. 7/. 4:7 5074/ 14:42990 80.3430/. $.974:7/.9:7/. .10/ 3.304:8438 .34907 920  %5 %4038:709.20907 9/01.974:$:3/.80/43.9:7/.304:8 43874:554.4770.7.908147/0.3.0.8907..:79.339073..3:8043/.4.8  94  4:/.4.20907 %09208850..088:8.422.088.


20907 4:.039 ./ 90.078435.4330.3 43047/ 2:892.07843 570.039 .3.70.0398.3850.13.039 .9.0.9.90434190807:0850774:554..:04:03907 3.088 7:050729950 8.39503890.039950824709.4330.4907 8419.7.898/85.07843 4: .3 .55.4'!039.07843418419.:/3906:4908 190.039.4.0/3 904:95:9419084.9...3 0  2.07843 4:/.8419.250 .07843390..9/43 9803/9095047..84897:04190.88:239.078438 47  -98012.088 7:0/03 9503%.3/.9438 .70.8..990 0707:3338420 .3 .53 808843/- 702490.70.4480.03989..3/ %8..08..0 070.0398 7:333433/48%1742.  .9.078439.0843..939490 .. 84  147.07843 470.70 4:.7/ 90.422.

098:83$.-09854.997-:90430398 .80/:8078:83/.419080...4257088433.425.422..884.4330.425708843 %884:/-0 :80/43-702490.3.9907 974:5:930.74:541/.422.-398.:5 43:8078  %0518...1470.73 .803.110..3/./-.3/:8078 03..9438147 -74..70 -.-0/.9438190:807 .48147.:08  %05 .03248989:.:5./.08874:58943 8419.079039 %0701470  03..42570884341! 5.3/03.90/9.9.-0890:80411478.

9.0803-:/390/.$8/:73$!.

1390.:5807.20907.133390 -.8.08.4:398.3307.4315.. 4.33078/85.0789 $50.3/40..07&! 4:2:8903.3307 .338079.98 /01.33072088.422.3/:809889 %0/01.07 4:.9908..80-/01.-092... :/5..4 '!0398419.422.108.-.3307-850.33079..984:/-0 /85.-0/ %0-.0.88 070.8'!$07.90783039 4:.:880/390.7.3307 .3/850.0789  !80.3/!#024908.:9 34 -.-0!80.0397.07%!.9078  %0-.0 98.098 .039 .89.:9 8990 '! .4330.3/308390-..:0.8941:5 94 -.5907 14:03.:77039 .-0/43.03984:/:80984.77.422.07.7 .70..25.07&!803.850.431:70/-.9478 98803.090#02490.3-0:594  .0/ %0-.:9.:5 807.7.422.74:5 - 74:5-.55.3/ /8.3 899.43908.3/% % ..422.20907 .4.078.4.4315.890.039 .:9988/8.7.108.3/850...3/'! .7.7/.70 .0/43...:0.894.:5.3:..74882:950.431:70/ -..108 9.3.422..3 995090-.-0/990580.990.//708808945:8 /439490#0249090#0249090307.:5807.:08 90005 .7003.3/ 9 8/8.0397024.80. !...43.3307 .-0/-/01.474:907.8!80.-0/4-.0 709:73839490-.

 .94:.9..709:3300/ .7909 14:.4190.20907 97.4330.3/97.422.9.9020398390/0130/3 90859 9:330 30947 89.90702490:807 8.:95479 3:2-07147!80.422.0.4..35072989. 2.4/0.08  %0859 9:330 54.7..07 %0839.11.9.9020398390/0130/3 90859 9:330 30947 89.4.3990:807 94:80 84070 8.54.9020398 857490.894190170.7909.10907473498599:3303803.10/5.:/0850.2.20 .20907 14:.07&!8 -:998./43 98:55479!80.3/880393 .80/4390170.085072989.5.079.94:.7948.9.3430 .70 2:89:8003.3/8 -.2.7.97.07&! %0/01.2:89-09:3300/ 909:330.9 2.431:70 909:330850.9.11.4.80/4390170.90/  %0.3/47439.3 7.422.11.039 170.07&!8 5745709.11.390/0389.422.431:70 900.8 :80/-% % #0202-079.939490 $07.059147  .039 170.-0/- /01.3 8..9.43/48'! 0398419.3/.0.9020398880393 ..20907 97.390/0389.39:807894:80 4893.484:94 850.422.3/889 /1107039-.3/8:80/94/013090 170.9.4.3/97.3/.10/5.9!80.:9 .301742   0.431 74:5 54.11.422.7.

759438973( 4893.4893.:79 .459 706.20< 4893. 4:9*3..459 706 430.4 3907.20.0 .20 .039<  /8.039 170.:8942 .431:7.:880/90.9 /3:254. . ..90/...20.039 170.-8 430.72430.039 170.94341.. 3*3.-8 430.4 80.459 706 .20 . .20 4893.8. .0 -. .20< /08. 574 8.20 .431 74:5 54.90 507843. 3*3.03930947..20 .% !!. 4:9*3. 4:9*3.459 706 8.:79 .20 .90 80.431 74:5 54. 3*3.72574 430.90 507843.039170.7247574<54.431 74:5 54.% !!..8..03/47 /3:2574/:.8.-8 430..431 74:5 54.039 170...

3/9080..298:55479 .2041.990794 4:2:89850.3/4:9-4:3/ 7:084390!.99080.70 9700170.709.:9 459 45943.95083430 90 /01.11.0:808.09.0-493-4:3/. 3 .039 .0397.3. 8419.039073 90.0/.943 47!! 4:2:89850.947#02490..0397.170. .:79. 19074:. %043/110703.431:739 4390..94389 !80...34: .08.0389.190170.0.70.08 9.0397.:79.3.43.9-0:80/94190797..3/706 706:70/ 14: 850.5907  43.3/.3.54. !:847!7490.0884330.70. 4:9 %88 /1107039174290'! .70704:%070 % .55.190 3. %070./.55.9-0:80/ 94190797..947 0703.3/ 7:333 %09454.349079.0397.43.190.90/4390 .55.390.990:8072:89.3.9473.0-09003.3/!! :8942!4.039 .0.947.084390.11.43.

3/$ 438:55479%. %0.83907.805.4 3907.422.90 0947 .$ 4:2:89.3/24/0.997-:9088:-.3/03.9434390'!  .70.7/...0..:9039.422..943.3/8/8.:880/39074:5 54.9.90 1470.8.0&39:9039..-08$& 7010770/94 .88:55479 -49  %070894190.-8170.039 .3/430.559443 94.:70 :39 .90/  8:55479843!!$.7..422.0398 %080.

3:80909:330988/8.-0/-/01..039 07043.. :8078.:9039.830:8072:89 .:9.7/.9094-73:5909:330..3/903.:9 :39 4790/01.70.

83049.0393498947090 &%5.90940907-73:54794:80 .3/.:9 14:03..94:80 .-0/ 90.00709413/90:807.98.:9039.55.3.3.7/.943 /0 9204:9.943  %0:807 .:9/09204:9147.84 4:2:89850.9438:80/  0303.:9894 23:908 990:807 .37..70..1 .-0/-/01.:9039.110.077/090/01.3 4.998.90/ :8078 ..4:/-0  147909:33074:5 .8847/4390-4.4:398 98 8/8.-09 4:.422.0 .943807....1089.908 90....422.:0 ...943.9.:9039./0.:9039.301742  23:908 !0.:9039.07 %8 944 8 /8.0774:59.90//:73$!.803490 9.088 43974:909:330 34990109204190 9:3309801 .3/ %8.3/850..:880/39030980. .308939:3309490$07.422./01.:807 8.. :80782:89.:9039.

3/8 ..431:70/147$&.943 94-5.94303 03.-0/147.88:807.088..:9039.3/34430 .88.3/0.80  %05 5430 -5.422.08:83! .:9039.078.830.8'!$07..5 -5.4!54308 .74:5 .88.3/70088/0. !.943 4941908034947574507190 .7398 89:.

:9039.422.888 30.3/1440/- 903430047/ 0.3/9097/ .70.90.:9#74:5147702490.422.33.411.3.702490 .0300/894089.9:33074:581 30.70.748890!80...7/..0398 %824/0 84:/-0:80/034:.:880.3349/0090902 40..:9 :80 90..07 4:.10807.743190!.:79 .4330..//943.7 %0.7094/01.080.0889:33074:5 8574507908..9438/8.088.74:5 854.990.93%:33074:58 %070.088.90/-03/90$07.55.8..431:7.07  %0302.990 #024909.:9 .0397.0/0.3/8088438  %03099480.-8 ..3/8:80/9403.9498/01.088 :8078.324/190574507908419080 /01.943894 8:.439.001.4330..:974:5147890 94 890 8088438 4:.:0-.8-74:9:5909:3301789 !-5..03924/08:80/147 74:58.943300/894 -050714720/.3/01.08.997-:90.-030947 090384324/0-/01...:99:33074:58 -:9.0747!54308  490 %4809.088.53 /0 9204:93430   70.9:330949030947 ..:99:33074:58434:780..3..943419:33074:588 /1107039-09003702490...

0889:33074:5 82.431:7.431 9:330 74:501..94341948098415745079080307.997-:908 80.:9039.20 ( 80.3/ !80.:9#74:5 74:5*3. .80 74:543.431 9:330 74:574:5*3.70.943/8.702490.:79 .431:70.:889:33074:5574507908  #02490.431 0307.20 ( .20950 580.431 0307.431 0307. 80.!74507908 70. 7.07 74:5  *807.08880884383.:79 .0890 .0888088438 706:7080907..947 47.:79 .:79 .:88494 .//7088*544 .1..:79 .9:330 74:5147702490. ..5 807.9:33074:5147702490.43.:9 702490.07*9.943 807.79490.0397.93 850.0 3.0889:33074:5 80307.431:7. %01443. /.80.20  4893. ..94341.074893.//7088 544 39071.3/8/8.93.. 574507908 80...< ..422.4.431:73900893/01..20< 0307..088%:33074:50307..9:33074:58 %0.//7088*544( 80.'! .

422. 7.1080307.20< 80.33.997-:90814790702490.5.//7088 544475448. .4:393 807.0889:3304190 850.3..:9 74:5 54.3/850...:79 .7.8:-. 09  %09:330 74:5950.422.0398088438  %074:53.08874:5  %0.:79 .10/74:53.57450790814790702490. .431 0307.544..//7088 544.431 0307.943 807.. 8975 74:5 80.431 0307.3/24/00704:.422.3/9.70..07*9.07*9.9 909:3309508147702490...088.< 80.2 80.:/090/01.20147909:33074:5. 1975!4..:258 940907909:330 74:5.422.:9 74:5 01.80.90/-9054. .:79 .:79 .10890950 41909:33090580.07 74:5  *807.:79 . .422.3/ . /01.:9#74:5 %8.10890.07 74:5  *807.:947. 74:5*54.3/850.20 .:79 .< 80.3/8 %09:330 74:50307.431 0307.431 0307..9089.084: 394.209073/.3/850...997-:908.422..431:70 900307.*3.422.431 0307. 8975 70.

/.39071.  4: 300/94/013090.2041 90!807.088..70390..9434:.088:8078 4-9.943 14: 850.943147 80..90898 '!9:33043 4:..:9894984-.03982990723.3/0.83074:5  %0.4..5 4.339071.883.7431 .//7 .03.//7088544 8 .090 54484:/-0:80/998830..1.431 .7034/01.36:.544.//7088331472...5.0730.07.20 90..1.088.//70885448147.0789.3/0130:5948/1107039 .3/ 84 4:2:89850.3/850...3907.20907 80.7.04390....5448 .0 14:/43 9 850.4/0 830.943 4:..55.0747807.//7088084390 #&$807.431:7.4:39988 /8.422.8843390 1443.03990723.707390//7088!44 431:7..1 .//7 .204390.1070702490.883.422.9..108904.3.3 -0:80/147.422..//708831742 14:850..9..984:/-0:80/-9074:5 /8.53 .<  %070.422..:807 8.:880/1:790739880..:79 .943414.5 4:2:89:8090/.090:807 8 .55.53 .//7088473.339071..:880/905 4.03.090.343039071.3/0130:594  ..90907'!9:330432470 9.1/.3/94/013090!.3.5 807.

.943 807.439.3/84390 .943 4:2:89:80 90.943 98 7010703..3807..//7088331472.39831472.0890.!807.3/ 807..422.07..9.3.07948947090:807 .0 14:850.078  14: 70:83.1 9074:59.07 74:5.:9039.1  90/01.4:398.55.9/013089057494.422.0789..10/ 90. 807.55.04414790:807 .3.4:3984390!.3/..3/94850.:9 1 :3850.9.4.

907390 70.3/8 /8.93&807..0/0130/4:774:554.3 147:8073..422.084390!.9434198 .20.5907  14: .7.:880/.$9801-80.4:398147&%80.

07 4: 300/94850.90/ %45071472981:3.:9894  490780 190 74:554.07./9074:554.08 987010703.08.943390 9:33074:5 9/01.55..:9039..3/  47.:947.94:8094 /434.3/..0747807.422.3.9438  4:.19074:59.3/8 4: /43 9300/94.943 .3/89.:947.:807-74:9:5.4.0 .07 74:5.3.99090.431:70.. 807.47/8434:7 807.07894:80 %88 .4:39370.099074:5 54.55.:947.3/ ....07 003.943.422.957494.90.70.$ .7043.422.3#&$807.9:330.08 90.431:70/990..431:70 .:9039.9431:3.3.943 807.3/807.

3/90 706:70/74:59.0890 807.90..4390!..4:393 807.47/8 4.0789.97010703.0747807.3/ .4:393 70..422.9...07 74:5.98947090.47/8 %0708344594314789473908070.

:9 74:5 54.07  490 14: 70:83 32489.2070.850..943 92.4:39340.422.1.808 9074:5 9.422.431:70/ .943  .0890 3..984:/-0:80/1479874:5 4:.298..0/1107039 809841807..3889028 90 :80729803/842093 0:8073.74:5  %08975 70.943 9.884807.0948975411. 1975!4.90/ 14:1470994 /0130. 47850.3 850.3.:954.70.3/.190/01.3-0..55.3.26:.3/7010703.08-043/908.3.0894.55.:9039.89 80.8908.:80890 .:880/390.550/94.8 8842088.7.370.94341439080..078. 90/01.90 1:3..$ 47147803/3902..4504198-44   %0/01.943 ..:947.:974:554.422.8:80/  343054.3/8/8.431:70/9 9074:5 54.07 4:. ..9438 %0.54.107390 :807 8&%31472.4:.3/4:/8975411 .20147..3/3909700805.20419074:554.:79 ..74:554.2 03.1 .431:7.

-9 %08975 74:5.201:3..574507908147 4:79:33074:5 4: 7070.5503/0/9490 :807 83.203981472.:9 -49419080.943  7024.422.209./94/013098 $!.20 %84:/ -0706:70/03.!74507908 3.25479434190:8073.374:53.43.3/50714728908.0/0130/4:70307.:9039.04: .70/8..3.98.07 /4083 98:5547998..088%:33074:5!80.07.2074:5  /01.3/90807..3807.:773 09073.-0/  #02490.94384.9:8073.9070.5.


431 580.:79 ..43/.20< 80.20580.431 9:330 74:574:5*3.431 580.7*.943 80. .< 80.:79 .943 /3 .997-:9080.:947..997-:908 572.997-:90( :80 03970 3. .574507908 %88/430990 1443.!80. .431 580.70/ 00 80.:79 . .:79 .3 80.20 80.431:7. 97:89543997:895439*3./. 5007 / .079 34.431 580. 570 8.90706.431 580.:79 .7*.:79 .943 706:70/ .997-:908 80.431 580.:79 .:947.0.

3:2870. .:79 .25005.997-:908.3//01308 $!.431 580. .039 :5/. 8.843*3:2-078 80.422.90950950:7 :7*8973 70.80..431 580.431 580.097084/ 3:2-0770973:2-07  %09:330 74:5580.:79 .:79 . 7./:8 9 057 80.


.3/01304:7 574507908 190702490.14790 .55.3/905007..908 90.0795.90803.3.3-0-09003 .997-:9081474:7702490.0791.7.422.90834:730947 4:..3/94 /0130900 %00.3 .0 .908 147/0..0.0791.08874:58:83570 8..084:/349.9190..3.. 8:-..0:80.1 907065.:9398..422.0.70/08 :8090570 8.3/  03:83.3...90783039 14: 704394:80 .0791..55.0791.90.0791.0791..20907 9050072:89:80.39894 :80.90  %0.3/.8...3/9.7.-0/ ..908 42990.084:394.9434198.990.088 74:5 0.0791.90.422.70/ 0.422.1089.7.3/24/00704:.3$!54.431:7.:9039.943 %034.20907850.0791.55..20907 850./.7...431:70.8.1089...09 905007 / .5.3.434:7.0...3/ 14:850.422.9 .9054..55.3/.!80.

908  4: 300/.3$!.:9.422.908 14:/43 9..431:70..0791.:8041.0791.:014798..70/ 0.3/ 90/01.914: -0:83.3/ 8706 #0202-079.422.570 8.70/01479074:5990570 8.

943  14:...90147:807.20 419097:8954399.422.30/990.422..3994803/90.9 3./0399 .90 -:9.0 8/0399.0791.90/90.894/0399..9041909.3850.90  4:.908.3/ 997-:9084:..1.908147/0.90...0791.3.3.0 8 8:-47/3.908174294 /110703974498 4:.1..0791.943.0.07.943 /01.0791.3/.8054..9094:8014790702490.907449.943 /3 ..3/-/01...997-:908.3.:9 90..422433.70:83.90/90.7.55..0791.!.90307.2502039..:947.908 :80 90.55.:9 988 439010/4390.0791..3.0.0791.9 $! 89.9439 .1.422..90.3850..:947..90 14:7 .3.3/1440/-903.3.943  4.0791.:/08.0791.0 8 /0399..10/94:804390 ..3.55..0 803/43907449.0791.08874:5- :839097:895439.0791.3/90.55.3.908147 90490707 0..9 0307.9.20  & 47.55.07449.70  .:9039.0791.3-0 ..:39   47..84.3850.

4:397 & :807 % 990 $ 8:73.8  .20 "  .574.3.20  3.033.0  .20  39.

3/850.:8072:89-0.422.94394/07.4'!0398419. 5.3/ %8830.:947.:9470/-01470.9 .0398:838.3/90:807.107 4:.70/039.-0/ -/01..70 .084:/:809003970 8:-0.431:70907.3:2-07  .:9.55.43/.:014790572.205.909.3/9080.7 .931472.3#&$ 807.7.943.088.943  4:300/94.20 .8847/:5/.748419 8%!.20907 850.3.997-:908 &  %0.943049.3.997-:908 %0:80 03970 3..8 %0/01.743190 702490.6:.4:39889470/43.:9 14:7 .090:8073.3/" 0307./:8 9 057.997-:908.//7088 $# 807.6:.9 988/8.4390:807 94.90.990.:807/:73..7.1 :59494.07.0-0:83$ !.943 706:70/.55..1089..4330.1089.422..3850.107  0 2.:9039.

/90.039 .0398 84:/-07:333.70.7.10890&#4.0398349 57080398:554790/  %0.20907850..07843  990890.!80.07843418419..10/8419.3/850.9 ...94394 .20907701078949095041 .039 :5/.70190 .53   .422.90.03983497:33390850.03907094/434.3/.07843 %09505.70.3/ ! 3/48 .914728  .4770...3-03 3/48  .7.7/.039  %0:75.3/485.3/  3% 3/48%  .108.

4'!0391473/48 8:5547989810.:997084/894803/./5007/090.1:59414:7./90.4770.0784341908.039 90&#2:89:80%%!14790/434.90 8419.25005.7/.3//01308 90.:942.70039 47. 3:285.:08147/0.3/70-4499801  390  .:942.422.98419.:880/ 3.039 70-44990! 389.943 ! %0 /01.9 .20907 0  47    #0 %8574.039 :5/..3$!./908419. 9:33074:5 4:.039.70.7/.3850.07843 .3/70 70-44990!   %08..70:5/.039 :80%%!47%%!$ 93.07843 %0./9010190.422. 389.3/14:792089/1107039:5/.70.7.70 ./434.9..70.4'!$419.'! .:9390.9:701478419.9.03983 97:33390 850.90 :3389.039 :5/.848/8.90.097084/.03985747 .039  .70039 ./147 903/48.039.078438 850.:5/.9030.90039708-00..908 9 /434.3/   .10/-9070.59078 8.90 039708  490 %0'! 8:554798.088.10/.0784384190'!039706:7090:80794 /434.

.00. 005.43/8147702490..088 .07 80..

301742  80.:708 -0.7/0/570 8.088 808843843.:838088431.//8.997-:908 80.4:393 807.'!814: .70854380 834970.20< 0307.8050.:974:5 74:5*3.088:8078 9 8088438 4:.:880/494809:59:33074:58 ..70/08.:79 .039.90/.3.43/8 1.301742   80.:79 .. 99888:0   . ....431 0307.2.3:809:33074:5894 /01305745079081479050078 .3/970./430574-029!80.3/702490.37...37.//708808.3/0..70.431 9:330 74:5 5007*3.0.0 7097380.! 702490. .35007 .8843390 1443.3/74:554.431:80/9500789 /3..84.3/ 4/0431 '07843 :8089:33074:5894/0.43/8  %:33074:58  $ .390/9490723..55.:8090..005...//7088950580.0/147.93&%.0 90.07 80.8.4/0 80..:0.0.43/8 -:998.74:58.088:8078:83570 8.431:7.08147702490..90-49.  80.07 74:5 ...:79 .70/08  .3//.20*47*!*.943.4:/-0.43/814774:58 -:9 98.431 9:330 74:501.

431 0307.3907.20 80.2.997-:909.90706.< 80.0.:79 . 09 80.422.:79 .431 580.98. 570 8.< 80..20*47*!*.431:70/.//70884190500719095084893.097084/ 3:2-0770973:2-07  %09:330 74:5....:79 . 4:4:/:80 90/01.25/0399.108905007 9.:79 .3.:79 .//7088 .:79 .431 580.190 !. .997-:908 80.079 34.431 580.2041907024905007 47500789.0 190$! /03999508!.1903. 8.//7088 580.8580.431 580.4330.:974:5 %09:330 9502:89-0.:974:5 01..98.55. *807./.431 9:330 74:5 5007*3.70/ 00 80.3/850.55.3 80.//708808/3.:79 ..-01478088438 8.9 4-9.939490.431:70/9 908.  %043 0307.20 4: 850.431 580.4:393 47!80. ..3/ 9034:850.997-:908 43 .07*9..422. 97:89543997:895439*3..25005. 5007 / .

55.8'!$07.250 9074:554.8847/ 57.25005.9090.422..422.077/09074:5 54.8847/ 5.3/8.0.075.8980.4330.3/  5488- 850.431 :8073.20.9850.3/ 80.4:398.55.0 -003.1..55.3.:807 8.147702490.70..0/0130/.3349-0800343.088:80789.-09080 .3/8..55.90.0057.55.943  %4.55.0 .077/09074:5 54..422.422.7089470/439080.:880/390.4:398.4:398147&% 3 $ .34..4:39 ..70.850...:79 ..:80754.431:704390..:942.0 97084/.081474:7:8078  %080850.3.3//0130.943 473470 9070897.29 850./..:79 .0(  %0:8073.:80754...908.08 470.07 147 .205.90570 8.70..043/:73-:830884:7840. 74:554..20:807 8*3.943  70.90:80784.431:70/ %0.3  97:895439 .0 4: 300/94.93&807.90 .9907.08.00*0.. :80901443.3.3.078 14:.0..70.8847/4:.7590/-90.3..9:807839074:5.1..9.70/ 0 5007 / .3.3/ .99490 .34..:80747:80784:.3/.108 9../110703970897.1.3/8070/8.19.

0.300.43.884.0 9/01...0 14: .40/ 1988349.20:807 8*3.14390 807.094 14790&%.8:55479857.4:398147 2.70:839080..02039.3.....98 90:80794.3:80.94.000..0791.3/0907574.:807990 1443.3/14:.1..-994/0130.0889490! 90&% .:79 .1 9057.3-0:80/94../089074:53.. 74:5430390:807-738:5.4:398.55.20990 570 8.997-:908. 9/408349.000.884.4:398.20.55.0.//.090 ....997-:908 .02039.90/99.3807..00 0.702490.08890! .422.0 /0130/-492..90 9 4:34..3.2084-9.48..431 :8073.422..3/8.30/1742 90:807 8..0714790 &%...3/8 80.4:398 70897.3/8.997-:908850.3/8 14:/43 9850...80/43 9888:0 4:.3/ ..93.:943 1803.08894.088 808843.422.9 90:807..3 ..3.:9894  .0710.3..088 9490$ 8349 .:904390.55.079...345943 8099057.3/903850.0   034:.94..3.:8074.4:398 4. .08  070 70897.70/0479074:53..3/&%.-0/434:7.90/9.

997-:908.53 /0 9204:9 23:908 80. 8:-.:79 .20 80.30*3.20 .20.422.1 39824/0.:79 ..:0 9:330*74:5*3.53 9:330 57494..80.:0 *3.20 .431 :8073.:79 .//7088 80.:79 .0 03.53 74:5 54.431 :8073.3/9..:79 .304:8 4383:2-07 80.20 .:79 .20 80.431 :8073.*3.20 .53 808843 9204:9 23:908 80.20 . 74:5*54.431 :8073.8847/ 8947.55439498:8075:8 .53 1907.088 4:78.3 .20 5..:79 .(0-.-0/8.431 :8073.997-:9084:850.53 .53( 80.431 :8073.20/ 5 .20 80.4 580.:79 ..20 74:5 4.-0<  %0:8073.422..20 .431 :8073.431 :8073.:79 .53 82:9.//7088 !*.:79 .431 :8073.084:394.20 .53 17.:0 920*7.431 :8073.20 .20 80.3/24/007090.

.3/ 850..:942.8830/9490:807-.1907-03.422.431:7098 .!.:9  -:94-9.//7088. .:880/9070894190..3807.20147907202-0785  %0.82:89:80908.10/54.9/43 947.8833./41 .20 1.422.0507 :80754.90/  .1742.550/9490:807  .55.:79.80/43 90:807 874:5202-0785  %0..07  %88:801:14:.484:94 .3.//708894.08-. 14:/43 9.3/8.850..997-:90 /0130/-9074:554.9:8078.1.:9039..08174290 850.884.3/$50.3/8570..53 17.03989.3 9.3/850.088.984:/-0.997-:90814790:807 90:807:8090.07 47..98.997-:9084:/0130070.431:70/39074:5 54.108903.422..53 74:5 54..374:5.943 14:/43 9.3/9.3 9850..1.3 .9:80784:/-0 .9.0 .3.80/43 8-03/9080.422.2.20/ 5 .90/ 9 ..9.20!.431:70/544 .884.4390:8079430799054..1089074:53.38908043.3/ 90:8073079834574507908-/01.4.4..883.74:53.431:70.:8073890.3/90:807 .74:5!4.997-:90 431:7.3/.422.090:807.20 419074:554.1 .//7088  /8.4330.!807.422.90/9 %8.997-:908.//7088/3.4:83 9001.94380.42243:80/ 147702490.:9..077/0 .

70..04: .:80754.7..3/  %5 47904304794702490.1.3:2-0741.7/.3/5../41..304:88:554793-49702490.:88842088:0870.422.90/94901443 O O O $2:9.3:2-0741'!8088438 .9074:51479882.003.8'!$07.:9:39.3/0702490 .08 4:.2074:5..7/.8980.0888088438 #0897.3/ 5488-  850.20.0398390 8.0398 4:.70 .3/ /43 98 4:89.8847/ 8947.0398 9.7/.943.3/$4:9438 3  398.3430$07.490 :8041/01.20.088 .422..4:/809:5907:8073.90/4:7:8078.078  /8.9.3.3/8088438 &8324709.93.70.07390 8419.70.3/ 84:943870.088:8078 3..:/3574-028.:8073.431.0.8702490.088$088438..943 070 4:2:898947090&%:8073.039 3890.3/ .7/.70.088:8078 -:9. 805.2089 905.09029 90847:333 ..9390949.70.:9039.4:/5:990.088.3.90/ 94702490.:9039.0794...:9:39.-0..70809:5147/01..4390.4.70..943   88:089#02490.8847/ 4..

.0..79.90/ 9.0791.../01.3/.0791.3/0.884.088..3702490.5....1 8:...078438..70.94343..884.90 .3.902.908 90708929-0..70.0303:83.3/-.0791.943  0791.304:8  .707.44:9444..079.0791.$2:9.7907.902..80890/4390!3  $ ..884.9   31472.90/9.908147/0.3/ $088438 30574-029.8...:9039.9.3/808843882:9.4:850.304:8$:554793#02490.9090807:08 9.42098574-02 43084:943894.088:8078.88:234: 70 :83.79:33074:5 .9..3/903.80/432..3 .088.:.07. 574-02070 O O 079.:9 702490.3808843 38088438.08874:5 %44.8.57:08.90 .57:08.88:554793-49 702490.

70.431:7390.0419.57:0810.0791..902.5537:08.3/ 903.9:33074:598038:708 9...909...9702490.884.9:33074:5 %0 14439480.:880.088:8078..0791.0791..0894 89058.902.850.419080 ..0889:33074:58.9:703.....47 & .:08 4:.9090/0.90/9 702490.9 .9438/8.1.4..939029.3/500789 9:33074:58  &8390.884.3.884..

70574.0880/33:207.20.0791.902.250.3/ .98.084:394.908174294/11070398.44:94850.:79 ..422.0791.90.431:7.5 8:-0.30.3-0:80/14:.47/07  0.902:9507:08  0700.99088:0710/4390/0399 ..553#:08 0791.7594.39940..3 .190.230.9:33074:5 .3/.943  431:730791.9.57:0* 80.5 88:070630. .03..4.902.70.904:.5537:08 4:..7:08.70.422.0890 1443.3994850......079 2.5.0.422.43..3/8 80.93. .7594..( 0630.0 94/0399.422..:9039..431 .422.0791...89058 1440/-..:9398.:79 ... 8:-..5537:03....3/ 9:8 94:80147/0.3.943 4:.902.3/9.2.:79 ..4 3.4770.9 3. 10/843.3/8:80/94 .0791.:0 80./11070393:2-071742   #:08.<8973  %0.997 9.431 .3/24/0 %088:07.<.5537:08.902.:0884:/-014:3/3948010/8  70.431 .0791..0791.1.90147..3/ .48 4:9444..079 2.902.9!80.

2.10/.108.9:70/3.20  3..:0 470.9490850.90 31472...390850.20907.422.03 3.3.108 9.07 %02.107 " 0307.43903984190.9.20 ! ! .20 $ 8:73.20.:08 O O O O 0606:.7.9505..1.807.20907 4: .4.:0 3.9490850.9.7.//7088 % 990   47.30.:039088:0710/:83901443 .902:892.107  39.073907:0850..250 88:0706.20907 9003970/0399.943..90/9907:0 14:/43 9850.3 908973490780 14::80985.3890850..8  .439..0791. .9 $! 89.9.90-0 .90..20  0 2.10/4390 .9975. 6:..422.9 3. ..10/.20  4../408349.3/ 850.90" 6:.99088:074390.439.9.9438:80/034431472...848:80/ 3908:-0.0791.850..10/.0791.230.7..807.884.:0 3034906:.//7088 $# 807..3/ %8.10/. 3:2-07 & :3897:..0791.:0 .1 90.943 3.

90 14:.3.3 /0399.0  .4:397  & 47....7//0..90990.943.3/4:/.3.3/ .997 .3067.:80.20  8.343/039931472.9 3.943 43.:39 .0791.2041 .9.20.574.422.250412.0791..30.422433.422433. 98.431:70/8:-0.

07 0390:80724..4:/.95041 2.431 9:330 74:5 2.70:8390 &10/1479074:5 3.884.9003.90/9.90903.0791.422.088:80747500794.90/9987:03 .70.7093 070 4:.55.04: .90.384: .3903:80902-.:80890.884.4:/-0 5.9:330 74:5 90:8074198..94-0.902.0791.3.90.99:33074:5 %829-0 30.//943 03907:08.90 2.2040.930791.0874:5.70.37:0.3/ 80.9.5537:08  4:.9090..422.%:330 74:5 3.088..094:80 90 &10/3.1..553#:089..0791.7.3 908...503..884.9:33074:5 789 4:2:89850.0/949030 74:5 3890.70..3/903.9390 702490.-0 0 /4:5007 57:08<  14:/43 9.9014790 :807 4:.884.3/ 90/01.9..884..30.714798:807190:807.93.74:5 14: ..884.431:7098../41.93907:089 .:79 .90907:0990 :807 83074:5  884.0/390..4770..0791.90/4:7.90.3/90324..0/942.8473...9.557457.:77039.0.0791.:80794.7//0.:9 2.74:5 998..3-0:80/94..

7.3/9 907:085.9438..20907850..70//:73 $!.37:08 4: 2:89..20907 %00 /5.108 74:52.7./439031472.0791.9..:04390.0791.303.90 -:9 3890..9.0791.431:7090.0.3994:804:7.908.422.-4.70-03:80/98 8349/430-90 &.902.

08.5537:08 3980.1.90 2.80 %05007 55.431 9:330 74:5 2.9.5.3/94.3/300/894:809054./.90/ .7093..3/.850. 3908.908.20907 850.0843 07.884.90.1.884.3/.1..4770.0791.0874:5 .9.5.:.250 :897..902.850.:0418.07 80.74:5  :897.500794.884.//7088419050078:80/94 ..0791.553#:08 .9:330 74:5 80.!.250 3.90.:79 .824.79.90 .79.3 &.884.57:0*/01.79:33074:5  14: 70:8390.8...:9 74:5 9:330*74:5*3.9390&80410791.90/990 8..2.422. 2.90890:8041.0/4.7..147..37:08 4: .0794 2.9.8473.77:094.1089.850.20  %8..0874:540.990!.90.37:0 147.0791..:.884.3903:80901443..9.422.

.4.. .908.7594.9433.8..8. .5 .5 09 .42 8-03..20.4 .250 .20. .884.079 2.. .5 8:-0..5 8:-0.079 2.0791. . .9 3. .431 .90/94 .8.902.7594..431 .902.3.431 .5 09 .7093 .079 2.0/.079 2.0791.  90780 90 & 10/8:80/94.7594..8.997.5007 .079 2.9 3.997064: 8...9:33074:5..079 2...3 .. .997064: 2.431 .709347 8.431:7.8.8. .8./0.8.8.553#:08 .20.0791.431 ...42580898 .88:239010/43 3..431 .997. . .431 . .079 2.8.431 .5 8:-0.90:807894902.3.. 41..5 .5 09 .90.5 .5 . .431 .431 .. 8.20...4 .9 3.8.5007 ..0791.884.08 .5007  . .3!80.42 ...5 8:-0.250  &830791.8.4.8.902.0791.99874:5 %0.8.8.902./0. .8.8. ..9 3.5007 4.8.7594. .3 .0874:5 84 4305007 .431 . . .

..431 .079 2.4770.-07:08 .. .94314750078.8.088.8.0791.5/01.431 9:330 74:5 2.4941 .:9 74:5 ..0791.4770..902.8.3/702490.553.884.9:700.088 :8078390.431 9:330 74:5 2.5007  490 14:..894 44.:9 74:5 2. .0.93.55.4:/3. .902.3 .9794:8098..99:33074:54390 .9702490.0791..431 9:330 74:5 2.. .884.3/ 8088438 4:.08 .909079 /0.090723.07  .8.-4.010. .7994.431 9:330 74:5 2.8970847903.4770.7093 .93-49702490.431:7.5007990..8.70:83.5 09 ..:9 74:5 2.4.943434:75.5/01.974:5 .8. .503...55.0 %0701470 95.3..5/01. .9031472..7093 ..431 9:330 74:5 2.:9 74:58.047:8079490..8.4770.5/01.3.9.08874:540.5539.3:8090.9 9:33074:5   .8.3/5:9 90239490.

..&834709.0794.98949058.748890202-078 4190.08901443 .5907 43.//7088 .55.89074190.3.0397.994  %02...:83! 70.3/90$ 80. !.:8907.94341 $ .:79.8:554790/  &31479:3.02039 '706:7089.422.-094/8.:/0/3 908.9:70 ' 9.43.4330.310.90 9810.//70889.3.1742.8 90#0249084:/-0.90/94.4.08-:94303..9478473.4330.202-074190 .:8907  $0993:5'43.9:7081:..20'.//7088 1.9478.0397.8'!#024908.3/9:8-070/70.43.:89071.3/089839....9:7083498:554790/4390 !80.79:.3. .310.9-09 90'! .99490.:8907  84:70.3./.943 0.3/0#02490 ./-.990./ -.425.3 .08  8..3$3.088$088438 9903974/:./ %0#02490903 .34907202-07 4190.3.55.58.0-43:889.3/..8.94:809:5. .3.3 30$07.3-03.947 ..3 :80904.3/8 .:8907 ./-.534..//708841 90202-079900.:79.431 ..3/ 8 4:34.4330.4.894. .0397.3/803/8-.2308904.9 904.79:.94390 '! 80708..07 986:.4330.

//7088 %0/01./ -..:8907 5479.8.431 4.3 8&! 98.:8907 4:2:892.9!*.3/24/094./ -./ -.3/ 850.7590/- .0*3.3.202-0784190.:89075.422.431 4.30/990./ -.3.8.3.3.3.422.90 -5:-.//7088.3 . .3.8:-.3 .3 .:8907988 .//7088 .3.431 4. .8..8.../ -.3.34:394.:8907 '2088..//7088 .8. .431 4.20 ..8.943 %0.70/*80..//70884190./ -. .534.3-0.< 4.431:7./-.431 4.10890..7034903.0-57.3.088039 -09003. .5..425090 90./ -.3 3. .990#024908:8014790.431 4...431 4.431:708'  9..709*0 .3 ..07 ..:954793:2-07414. .:890703.3/ 14:.//7088 .3.431 4..:8907202-078./ -.79:.8'!$07.90  %0./ -.8.:89075..422..3/.75943 .*!*.9843 .79:.9. .8.422.3.3 5747957479* .:89070 8.79.!.3 39071.:890754795479* .309054793:2-0743 430202-07390.*39071.3 5..

3/850.3.-04..//70884190 $43985:-.:9 %0.:8907 0.7594341'2088.9 9490..110.7431..108.3.943414.75943.04390$84:/-0.422.0 -5:-.422..3/  .//708897. /01.9 8 ./ -.9705708039890.943 :80 90847:333 ..3.422.79.90 -57.-08 9003.38.431:7089003.4..3 :809084. 39071..3/.9.3/830.3.37.90#02490:8094./01.:8907202-07 %057479.943/0.422.422.0.8907803/904-.99057./ -.422.:8907 .3/850.3.422.90 %03.39071.3/03.:890703.53 4.89  4:2:8903..:8907202-078.3/90 .0907:392089. .//70889...4803.5..39 905...0898-0900390.5747941 .431:7./-.3/90#024908 %8.3/.30 1742 14:/43 9.8.0 0350714723 70/70.08 982:892..943 902.:95747941.89079007903:2-079024700 90202-07-0..//7088 9490#02490 ..884.08.8 41904507.75943094 03.088.431:70/43904907202-078  %039071./-.3/90.3.431:709 90 ./-..4803 %057479.9.3.3/  %4.9.3/8 :80/94.759902088.90.8 902.3 .3/94.90/990 5:-.989..10890 4-.3.04:74.4330.422.39071.422..431.534.

.431 39071.4330.:9 $.../-.8.$0993:54.07 57479  :70  $.3/4.250  4.0(   .3/0-0.431:7. .3..343$ .3/ 8490 .84:.3.943 .8.3.2508 .0..3 '01:802./.9438419094$8 3980.3 .-9907309 ..431:7.:809./. - /01.994    .250  #024908300/94.3800 88250   :80:70 94:897.9098 .

431 1 80. . .431 1 5.0  .8. .431 1 3.431 1 09 .:79 0.//7088       .2015:-.8. .8. .8. .

-9907309 .. .431 39071..8.0.

8. .431 39071./.. .. . .8.431 1 3. ./ -.534.3.431 4.8.343$ ...:89070.0-57.. .8.90 .4 .5.3./ -.8. .8. ...79./ -.431 4. .3 39071. ./ -./ -.8. 5:-.3.3..431 4.3.3 5.250  4. .0-5:-.8.90 .-9907309 .431 1 09 . .:79 0.8.3 .3.3 .3 .3.//7088     ./ -.8./ -. .90  .431 4..0  .3.:89075.:890703.431 ...0.3 57479  .431 1 80..3 .8.431 4. .8.431 4.//7088       .90 57.3. .431 1 5.3 39071./ -.431 4.8..20157..8.75943 ..

 . . .2015:-.8.//7088       . .431 1 5.431 1 3.8.

8.431 1 80. .431 1 09 ..431 39071. .8.8.-9907309 .:79 0..0  .0. .

431 1 5.534.0  . ..'.8.90 .431 4.8. 5:-.:79 0.3 5.8. . .. .20157.8.3 . . .3..8.//7088     .5.8.431 4.490' .490741141.3.8..3./ -. .:89072:89-0 ./ -.990$2:89.3..3.:890703.90 57.3 ..431 1 09 .8. .//7088       .3 .431 ..3./ -./ -.8.-0948000./ -.4 ..:89070..8.0-5:-.431 4...431 1 3.03.90 .:89075..431 1 80./ -..3 39071.431 4./ -.3 39071.75943 .-0/39071.389.79.3.3 .0-57.08  %820.90  490 #0202-079.431 4.431 4.8. . .8. . ..9202-07841. .

.2088.08 &!5479  43..0.09.3 84 90$2:89.9 .439.339071..0 $.9.3.38.

9434: .$.3' .0809:54390$83470/ -90$   %4:80.431:7.!.038019/4083 9 .

329.3/.947147702490.8'!$07.3.4.9438 9.:80 80993:5'!888250-:990 $ 8419.3808843.!7:333 $ .08847.903..4480 90!-0.0-09003.0 8:.. .../9442.4:/3 9574.$47349 1.07 9903974/:.70-0.0397..870.9472.:8942078300/0/  40.077.9438 $42050450090 8419.70.:80419829.70.74:907147 4:/.5./. .0/90 .8.34907/0..94341 8./942502039.43.995../0901:3..3/.4.943.3.-9084190!.0747.

!.4480-09003.74:907.$ .9:.3/ ./94. 1.

07 94/.8'!$07.$147.3.8.448090!.4:/0.

3.088'! .0/./.:8041907. 702490./-..3 3/1300/0/.-908 0850.3/397:843570.3...3/4.039433430-4  /013904:/..90$9988:5547941 10.9:70800-'!.$ -0.438/0790!.5.430 -484:943  9170....

53 808843/-4411.9 90:8078990.08 /0.3-0574-02.422.94747.3.8088438 90723.094:7.93439 990$8 988247041..4330.143074:541702490.0 0.4190'!8088438...$4.703:2-0741!80.'!..43.3/ .07.43.:8041907'!808843.9.55.0380298 %8 .3. .:2-0741'!$088438 30574-024:291.55.0397.40/- 90.3/ 5488- 90  -0.3 $ 74:907   #0897.33430147490774:5847147 8088438  3084:9439498894/8..0734390 ..9390%49.088 :80788:83:5.3990.

457494.8'!$07. 808843 29 *41*8088438  :897.:8079 903. 574 57494.088:80789 907024905./0/ 4:.80/43907! .07431:7.20 5.059 %88.//70889905.203.93.1.084.20907 .20907 .:.4072941'!808843890.//70885.<  84:.:79 .3/ 80.20907 .702490.7..943 .90..250147  .7.7.5302.4*3.422.3/ 4:.//70889:330 74:5 9:330*74:5*3.422.3.79.79:33074:59909:330 74:55.0.203/03/03:2-07 .:80789 905.3 90723.3.7..431 .80.074.431:70/9901443 .7.205.20907 .:79.:807-.//7088!*.55.53 808843/-4411702490 0-.3/49078  84 14:7..3..20:8073.1.202-078 41.20907 ..3 850.0 .55.5.-4.3800174290.850.53 808843/-2..
