RE: VPN client can connect but no traffic can pass [7:70084]

2003-06-07 Thread Steven shinnick
Hi Daniel and Group. Thanks a million!! I SOLVED the issue. It was
because I had installed two different VPN clients on my PC: 1) VPN Systems VPN
client 3.6.4, 2) Cisco Secure VPN client (Safenet). I uninstalled both and
reinstalled #1 only. I can connect to the LAN now.
 
I have some extra questions:
1) How many remote VPN connections can connect to the PIX515 at the same
time?
2) Can I assign the same local LAN IP range for the VPN client IPPOOLS?
 
Thanks   

Daniel Cotts  wrote:
1) Can we assume that the client is fully authenticated? Your config looks
good. There is a line crypto map lonmap client authentication RS that I
don't understand. My guess is that it authenticates remote users individually
beyond the group password used between the Client and PIX. If there is any
question, you could remove it temporarily for testing.
2) Is the Client installed on a PC that has a software firewall, or is the PC
behind a firewall? If so, check the settings there.
3) You are using VPN Client software 3.6 or thereabouts?
4) You mentioned that you changed your transform set in London. Did you also
change it to match in Hong Kong and Tokyo?
5) Use sh crypto isakmp sa and sh crypto ipsec sa to see what connections
are up.
HTH
Let the list know when you are successful.

-Original Message-
From: Steven shinnick [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 04, 2003 9:23 PM
To: Daniel Cotts; [EMAIL PROTECTED]
Subject: RE: VPN client can connect but no traffic can pass [7:70084]


Hey.. Daniel and Study Group

I followed the instruction to assign a different IP range for my IPPOOLS,
172.16.4.1-172.16.4.31. But I still can't ping or talk to my local LAN
after getting connected. Any idea what's wrong? Besides, I want to make clear
that I accidentally deleted the - in the following line when I sent it to you. It
was no-nat in my config, not nonat:

nat (inside) 0 access-list no-nat

Besides, I want to discuss the PIX-PIX hang problem (which does not happen
immediately) after I added the additional config for the remote VPN client. I
suspect it is caused by changing the following line from
crypto ipsec transform-set lonset esp-des
to
crypto ipsec transform-set lonset esp-des esp-md5-hmac

Without this change my client can't get authenticated.

I have 2 isakmp policies: 10 was originally set for PIX-PIX to HK and
Tokyo, and I added 20 for the remote VPN connection. Any idea about my PIX-PIX
hang problem with the additional remote VPN config?

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

My new config is:
LONPIX# wr term
Building configuration...
: Saved
:
PIX Version 6.0
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password  encrypted
passwd  encrypted
hostname LONPIX
domain-name xxx.co.uk
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 70.7.75.150 HKpix
name 20.2.25.150 tokpix
access-list 111 permit ip 172.16.3.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 112 permit ip 172.16.3.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list no-nat permit ip 172.16.3.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list no-nat permit ip 172.16.3.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list no-nat permit ip 172.16.3.0 255.255.255.0 172.16.4.0 255.255.255.224
access-list no-nat permit ip 192.168.3.0 255.255.255.0 172.16.4.0 255.255.255.224
access-list no-nat permit ip 10.10.0.0 255.255.0.0 172.16.4.0 255.255.255.224
no pager
logging on
logging buffered errors
logging trap errors
logging history errors
logging facility 18
logging host inside 172.16.3.101
no logging message 400010
interface ethernet0 100basetx
interface ethernet1 100basetx
mtu outside 1500
mtu inside 1500
ip address outside 103.103.130.130 255.255.255.240
ip address inside 172.16.3.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool IPPOOLS 172.16.4.1-172.16.4.31
pdm history enable
arp timeout 14400
global (outside) 1 103.103.103.131
nat (inside) 0 access-list no-nat
nat (inside) 1 172.16.3.0 255.255.255.0 0 0
conduit permit icmp any any 
route outside 0.0.0.0 0.0.0.0 103.103.103.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
aaa-server LOCAL protocol local 
aaa-server RS protocol radius
aaa-server RS (inside) host 172.16.3.101 RSKEY timeout 5 
aaa authentication ssh console LOCAL
no snmp-server location

Re: VPN client can connect but no traffic can pass [7:70084]

2003-06-07 Thread Steven shinnick
Hey David and Group
 
I have done what you asked me to change, but no luck. Still no
traffic can pass through although it can connect. My new config is at the end
of the mail. Anyone have an idea why?? I find it really strange: my username
and password are authenticated by my W2K RADIUS server, so why can no traffic
pass to the LAN after getting connected? I saw the traffic statistics of the VPN
client increase, but I can't connect to anything on the LAN. Why?

P.S.: why do you suggest changing the crypto map from 30 to 35?

David Tran II  wrote:

After looking at your configuration, you need to do this:

change from:
crypto map lonmap 30 ipsec-isakmp dynamic outside_dyn

change to:
crypto map lonmap 35 ipsec-isakmp dynamic outside_dyn

and add in this line:
crypto map lonmap client configuration address respond
crypto map lonmap client authentication RS (I think you already have this
line)


It looks to me like you are using extended authentication; it is a good
idea to upgrade your code from 6.0.x to at least 6.2(2) or, better yet,
6.3(1).
I know for a fact that the configuration above works for version 6.2(2) or
higher. 6.3(1) supports NAT traversal.

 My new config is:
 LONPIX# wr term
 Building configuration...
 : Saved
 :
 PIX Version 6.2 
 nameif ethernet0 outside security0
 nameif ethernet1 inside security100
 enable password  encrypted
 passwd  encrypted
 hostname LONPIX
 domain-name xxx.co.uk
 fixup protocol ftp 21
 fixup protocol http 80
 fixup protocol h323 h225 1720
 fixup protocol h323 ras 1718-1719
 fixup protocol ils 389
 fixup protocol rsh 514
 fixup protocol rtsp 554
 fixup protocol smtp 25
 fixup protocol sqlnet 1521
 fixup protocol sip 5060
 fixup protocol skinny 2000
 names
 name 70.7.75.150 HKpix
 name 20.2.25.150 tokpix
 access-list 111 permit ip 172.16.3.0 255.255.255.0 192.168.3.0 255.255.255.0
 access-list 112 permit ip 172.16.3.0 255.255.255.0 10.10.0.0 255.255.0.0
 access-list no-nat permit ip 172.16.3.0 255.255.255.0 192.168.3.0 255.255.255.0
 access-list no-nat permit ip 172.16.3.0 255.255.255.0 10.10.0.0 255.255.0.0
 access-list no-nat permit ip 172.16.3.0 255.255.255.0 172.16.4.0 255.255.255.224
 access-list no-nat permit ip 192.168.3.0 255.255.255.0 172.16.4.0 255.255.255.224
 access-list no-nat permit ip 10.10.0.0 255.255.0.0 172.16.4.0 255.255.255.224
 no pager
 logging on
 logging buffered errors
 logging trap errors
 logging history errors
 logging facility 18
 logging host inside 172.16.3.101
 no logging message 400010
 interface ethernet0 100basetx
 interface ethernet1 100basetx
 mtu outside 1500
 mtu inside 1500
 ip address outside 103.103.130.130 255.255.255.240
 ip address inside 172.16.3.254 255.255.255.0
 ip audit info action alarm
 ip audit attack action alarm
 ip local pool IPPOOLS 172.16.4.1-172.16.4.31
 pdm history enable
 arp timeout 14400
 global (outside) 1 103.103.103.131
 nat (inside) 0 access-list no-nat
 nat (inside) 1 172.16.3.0 255.255.255.0 0 0
 conduit permit icmp any any 
 route outside 0.0.0.0 0.0.0.0 103.103.103.129 1
 timeout xlate 3:00:00
 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
 0:05:00 sip 0:30:00 sip_media 0:02:00
 timeout uauth 0:05:00 absolute
 aaa-server TACACS+ protocol tacacs+ 
 aaa-server RADIUS protocol radius 
 aaa-server LOCAL protocol local 
 aaa-server RS protocol radius
 aaa-server RS (inside) host 172.16.3.101 RSKEY timeout 5 
 aaa authentication ssh console LOCAL
 no snmp-server location
 no snmp-server contact
 snmp-server community public
 no snmp-server enable traps
 floodguard enable
 sysopt connection permit-ipsec
 no sysopt route dnat
 crypto ipsec transform-set lonset esp-des esp-md5-hmac 
 crypto dynamic-map outside_dyn 30 set transform-set lonset
 crypto map lonmap 10 ipsec-isakmp
 crypto map lonmap 10 match address 111
 crypto map lonmap 10 set peer hkpix
 crypto map lonmap 10 set transform-set lonset
 crypto map lonmap 20 ipsec-isakmp
 crypto map lonmap 20 match address 112
 crypto map lonmap 20 set peer tokpix
 crypto map lonmap 20 set transform-set lonset
 crypto map lonmap 35 ipsec-isakmp dynamic outside_dyn
 crypto map lonmap interface outside
 crypto map lonmap client configuration address respond
 crypto map lonmap client authentication RS
 isakmp enable outside
 isakmp key  address hkpix netmask 255.255.255.255 
 isakmp key  address tokpix netmask 255.255.255.255 
 isakmp identity address
 isakmp policy 10 authentication pre-share
 isakmp policy 10 encryption des
 isakmp policy 10 hash sha
 isakmp policy 10 group 1
 isakmp policy 10 lifetime 86400
 isakmp policy 20 authentication pre-share
 isakmp policy 20 encryption des
 isakmp policy 20 hash md5
 isakmp policy 20 group 2
 isakmp policy 20 lifetime 86400
 vpngroup GROUP address-pool IPPOOLS
 vpngroup GROUP dns-server 172.16.3.101
 vpngroup GROUP wins-server 172.16.3.101
 vpngroup GROUP default-domain company.com
 vpngroup GROUP idle-time 1000
 vpngroup GROUP password 
 telnet 

RE: VPN client can connect but no traffic can pass [7:70084]

2003-06-07 Thread Daniel Cotts
1) Can we assume that the client is fully authenticated? Your config looks
good. There is a line crypto map lonmap client authentication RS that I
don't understand. My guess is that it authenticates remote users individually
beyond the group password used between the Client and PIX. If there is any
question, you could remove it temporarily for testing.
2) Is the Client installed on a PC that has a software firewall, or is the PC
behind a firewall? If so, check the settings there.
3) You are using VPN Client software 3.6 or thereabouts?
4) You mentioned that you changed your transform set in London. Did you also
change it to match in Hong Kong and Tokyo?
5) Use sh crypto isakmp sa and sh crypto ipsec sa to see what connections
are up.
HTH
Let the list know when you are successful.

-Original Message-
From: Steven shinnick [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 04, 2003 9:23 PM
To: Daniel Cotts; [EMAIL PROTECTED]
Subject: RE: VPN client can connect but no traffic can pass [7:70084]


Hey.. Daniel and Study Group

I followed the instruction to assign a different IP range for my IPPOOLS,
172.16.4.1-172.16.4.31. But I still can't ping or talk to my local LAN
after getting connected. Any idea what's wrong? Besides, I want to make clear
that I accidentally deleted the - in the following line when I sent it to you. It
was no-nat in my config, not nonat:
 
nat (inside) 0 access-list no-nat

Besides, I want to discuss the PIX-PIX hang problem (which does not happen
immediately) after I added the additional config for the remote VPN client. I
suspect it is caused by changing the following line from
crypto ipsec transform-set lonset esp-des
to
crypto ipsec transform-set lonset esp-des esp-md5-hmac

Without this change my client can't get authenticated.

I have 2 isakmp policies: 10 was originally set for PIX-PIX to HK and
Tokyo, and I added 20 for the remote VPN connection. Any idea about my PIX-PIX
hang problem with the additional remote VPN config?
 
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
 
My new config is:
LONPIX# wr term
Building configuration...
: Saved
:
PIX Version 6.0
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password  encrypted
passwd  encrypted
hostname LONPIX
domain-name xxx.co.uk
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 70.7.75.150 HKpix
name 20.2.25.150 tokpix
access-list 111 permit ip 172.16.3.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 112 permit ip 172.16.3.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list no-nat permit ip 172.16.3.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list no-nat permit ip 172.16.3.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list no-nat permit ip 172.16.3.0 255.255.255.0 172.16.4.0 255.255.255.224
access-list no-nat permit ip 192.168.3.0 255.255.255.0 172.16.4.0 255.255.255.224
access-list no-nat permit ip 10.10.0.0 255.255.0.0 172.16.4.0 255.255.255.224
no pager
logging on
logging buffered errors
logging trap errors
logging history errors
logging facility 18
logging host inside 172.16.3.101
no logging message 400010
interface ethernet0 100basetx
interface ethernet1 100basetx
mtu outside 1500
mtu inside 1500
ip address outside 103.103.130.130 255.255.255.240
ip address inside 172.16.3.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool IPPOOLS 172.16.4.1-172.16.4.31
pdm history enable
arp timeout 14400
global (outside) 1 103.103.103.131
nat (inside) 0 access-list no-nat
nat (inside) 1 172.16.3.0 255.255.255.0 0 0
conduit permit icmp any any 
route outside 0.0.0.0 0.0.0.0 103.103.103.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
aaa-server LOCAL protocol local 
aaa-server RS protocol radius
aaa-server RS (inside) host 172.16.3.101 RSKEY timeout 5 
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set lonset esp-des esp-md5-hmac 
crypto dynamic-map outside_dyn 30 set transform-set lonset
crypto map lonmap 10 ipsec-isakmp
crypto map lonmap 10 match address 111
crypto map lonmap 10 set peer hkpix
crypto map lonmap 10 set transform-set lonset
crypto map lonmap 20 ipsec-isakmp
crypto map lonmap 20

RE: VPN client can connect but no traffic can pass [7:70084]

2003-06-05 Thread Steven shinnick
 255.255.255.0 inside
ssh timeout 60
username pix password xxx encrypted privilege 2
username user1 password  encrypted privilege 2
terminal width 100
Cryptochecksum:xxx
: end
[OK]


Daniel Cotts  wrote:
I believe that your IPPOOLS IP range should be different from your local LAN
so that they can communicate. Maybe make it 172.16.4.1-172.16.4.31
Then build an access-list for the Clients that goes inside address, pool
address
access-list CLIENTS permit ip 172.16.3.0 255.255.255.0 172.16.4.0 255.255.255.224
The above gets you to the London LAN
access-list CLIENTS permit ip 192.168.3.0 255.255.255.0 172.16.4.0 255.255.255.224
This gets your clients to the HK LAN
access-list CLIENTS permit ip 10.10.0.0 255.255.0.0 172.16.4.0 255.255.255.224
This gets you to the Tokyo LAN
Obviously Hong Kong and Tokyo will have to permit traffic from their LAN to
the Client IPPOOLS range of addresses.

You have a line nat (inside) 0 access-list nonat but there is no
access-list nonat
There is an access-list no-nat
Just erase that and create an access-list (try the name VPNs) that has all
the information in acl 111, 112, and CLIENTS. Use that acl in your nat 0
statement.
There is a more elegant way to do this last step. Not sure which version
allows it.

There are several books on PIX configuration available.
Cisco Secure PIX Firewalls by Chapman and Fox, Cisco Press, ISBN
1587050358
Cisco PIX Firewalls by Richard Deal, Osborne McGraw Hill, ISBN 0072225238
I'd suggest you buy both.

-Original Message-
From: Steven shinnick [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 03, 2003 10:56 PM
To: Daniel Cotts; [EMAIL PROTECTED]
Subject: RE: VPN client can connect but no traffic can pass [7:70084]


Hey... Attached is my full config. I think I have to specify an access
list to make no NAT for my IPPOOLS traffic, right? For example, I specified
ip local pool IPPOOLS 172.16.3.11-172.16.3.20, which is the same network as my
local LAN, so I have to specify the following access list to make no NAT
for the IPSec traffic, right? But I am curious to see many examples on the
web where they specify IPPOOLS which is not the same network as the local
LAN. Why? Can it connect if IPPOOLS is not the same subnet as the LAN?

access-list no_nat permit ip 172.16.3.0 255.255.255.0 172.16.3.0 255.255.0.0







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70163t=70084
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


RE: VPN client can connect but no traffic can pass [7:70084]

2003-06-05 Thread Daniel Cotts
I believe that your IPPOOLS IP range should be different from your local LAN
so that they can communicate. Maybe make it 172.16.4.1-172.16.4.31
Then build an access-list for the Clients that goes inside address, pool
address
access-list CLIENTS permit ip 172.16.3.0 255.255.255.0 172.16.4.0 255.255.255.224
The above gets you to the London LAN
access-list CLIENTS permit ip 192.168.3.0 255.255.255.0 172.16.4.0 255.255.255.224
This gets your clients to the HK LAN
access-list CLIENTS permit ip 10.10.0.0 255.255.0.0 172.16.4.0 255.255.255.224
This gets you to the Tokyo LAN
Obviously Hong Kong and Tokyo will have to permit traffic from their LAN to
the Client IPPOOLS range of addresses.
 
You have a line nat (inside) 0 access-list nonat but there is no
access-list nonat
There is an access-list no-nat
Just erase that and create an access-list (try the name VPNs) that has all
the information in acl 111, 112, and CLIENTS. Use that acl in your nat 0
statement.
There is a more elegant way to do this last step. Not sure which version
allows it.
 
There are several books on PIX configuration available.
Cisco Secure PIX Firewalls by Chapman and Fox, Cisco Press, ISBN
1587050358
Cisco PIX Firewalls by Richard Deal, Osborne McGraw Hill, ISBN 0072225238
I'd suggest you buy both.

-Original Message-
From: Steven shinnick [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 03, 2003 10:56 PM
To: Daniel Cotts; [EMAIL PROTECTED]
Subject: RE: VPN client can connect but no traffic can pass [7:70084]


Hey... Attached is my full config. I think I have to specify an access
list to make no NAT for my IPPOOLS traffic, right? For example, I specified
ip local pool IPPOOLS 172.16.3.11-172.16.3.20, which is the same network as my
local LAN, so I have to specify the following access list to make no NAT
for the IPSec traffic, right? But I am curious to see many examples on the
web where they specify IPPOOLS which is not the same network as the local
LAN. Why? Can it connect if IPPOOLS is not the same subnet as the LAN?

access-list no_nat permit ip 172.16.3.0 255.255.255.0 172.16.3.0 255.255.0.0

 
BUT... I have another, more serious issue. After I added the config for
the remote VPN, my PIX-PIX VPN to my HK and Tokyo PIX will HANG after some
time; it doesn't happen immediately (after 8-9 hours). Can you look at my
following config and see what's wrong?
 
LONPIX# wr term
Building configuration...
: Saved
:
PIX Version 6.0
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password  encrypted
passwd  encrypted
hostname LONPIX
domain-name xxx.co.uk
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 70.7.75.150 HKpix
name 20.2.25.150 tokpix
access-list 111 permit ip 172.16.3.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 112 permit ip 172.16.3.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list no_nat permit ip 172.16.3.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list no_nat permit ip 172.16.3.0 255.255.255.0 10.10.0.0 255.255.0.0
no pager
logging on
logging buffered errors
logging trap errors
logging history errors
logging facility 18
logging host inside 172.16.3.101
no logging message 400010
interface ethernet0 100basetx
interface ethernet1 100basetx
mtu outside 1500
mtu inside 1500
ip address outside 103.103.130.130 255.255.255.240
ip address inside 172.16.3.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool IPPOOLS 172.16.3.11-172.16.3.20
pdm history enable
arp timeout 14400
global (outside) 1 103.103.103.131
nat (inside) 0 access-list nonat
nat (inside) 1 172.16.3.0 255.255.255.0 0 0
conduit permit icmp any any 
route outside 0.0.0.0 0.0.0.0 103.103.103.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
aaa-server LOCAL protocol local
aaa-server RS protocol radius
aaa-server RS (inside) host 172.16.3.101 RSKEY timeout 5
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set lonset esp-des esp-md5-hmac 
crypto dynamic-map outside_dyn 30 set transform-set lonset
crypto map lonmap 10 ipsec-isakmp
crypto map lonmap 10 match address 111
crypto map lonmap 10 set peer hkpix
crypto map lonmap 10 set transform-set lonset
crypto map lonmap 20 ipsec-isakmp
crypto map lonmap 20 match address 112
crypto map lonmap 20 set peer tokpix
crypto map lonmap 20 set transform-set lonset
crypto map lonmap 30 ipsec-isakmp dynamic outside_dyn
crypto map lonmap
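The three things Daniel's advice turns on (the client pool overlapping the inside LAN, nat 0 naming an ACL that is not defined, and the NAT-exemption ACL needing a LAN-to-pool entry) can be checked mechanically before a config is loaded. This is an added example, not code from anyone in this thread; it assumes a reduced PIX 6.x config made up only of the line forms quoted above, and the two sample configs are constructed from the thread's addresses.

```python
import ipaddress
import re
from typing import List

# Constructed sample configs reduced from the thread (not a real device dump).
BROKEN_CONFIG = """
ip address inside 172.16.3.254 255.255.255.0
ip local pool IPPOOLS 172.16.3.11-172.16.3.20
access-list no_nat permit ip 172.16.3.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list no_nat permit ip 10.10.0.0 255.255.0.0 172.16.4.0 255.255.255.255.224
nat (inside) 0 access-list nonat
"""

FIXED_CONFIG = """
ip address inside 172.16.3.254 255.255.255.0
ip local pool IPPOOLS 172.16.4.1-172.16.4.31
access-list no-nat permit ip 172.16.3.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list no-nat permit ip 172.16.3.0 255.255.255.0 172.16.4.0 255.255.255.224
nat (inside) 0 access-list no-nat
"""

ACL_RE = re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"ip local pool (\S+) (\S+)-(\S+)$")
INSIDE_RE = re.compile(r"ip address inside (\S+) (\S+)$")
NAT0_RE = re.compile(r"nat \(inside\) 0 access-list (\S+)$")


def net(addr: str, mask: str) -> ipaddress.IPv4Network:
    # Raises ValueError on a malformed mask such as 255.255.255.255.224.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def check(config: str) -> List[str]:
    """Return human-readable findings; an empty list means all checks pass."""
    findings: List[str] = []
    acls, pools, inside, nat0_acl = {}, {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        try:
            if m := ACL_RE.match(line):
                name, src, smask, dst, dmask = m.groups()
                acls.setdefault(name, []).append((net(src, smask), net(dst, dmask)))
            elif m := POOL_RE.match(line):
                pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                     ipaddress.ip_address(m.group(3)))
            elif m := INSIDE_RE.match(line):
                inside = net(m.group(1), m.group(2))
            elif m := NAT0_RE.match(line):
                nat0_acl = m.group(1)
        except ValueError:
            findings.append(f"malformed address or mask: {line}")
    # 1. nat 0 must point at an ACL that actually exists (nonat vs no-nat).
    if nat0_acl and nat0_acl not in acls:
        findings.append(f"nat (inside) 0 references undefined ACL {nat0_acl}")
    for pool, (lo, hi) in pools.items():
        # 2. The client pool must not overlap the inside LAN.
        if inside and (lo in inside or hi in inside):
            findings.append(f"pool {pool} {lo}-{hi} overlaps inside subnet {inside}")
        # 3. The exemption ACL needs an entry from the LAN to the whole pool.
        if inside and nat0_acl in acls:
            covered = any(inside.subnet_of(src) and lo in dst and hi in dst
                          for src, dst in acls[nat0_acl])
            if not covered:
                findings.append(f"ACL {nat0_acl} has no entry from {inside} to pool {pool}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check(cfg) or "OK")
```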

Re: VPN client can connect but no traffic can pass [7:70084]

2003-06-04 Thread Brian
I am always suspicious of mtu differences, or mtu discovery via icmp being
blocked..


Brian

The path to a desirable destination
is often more difficult than the path to stay where you are.

On Tue, 3 Jun 2003, Steven shinnick wrote:

 I had installed a VPN client on my home PC to connect to the PIX in my company.
 It can connect and get authenticated and log in. But I can't ping or talk to
 any PCs in my company. Why?? I specify the IPPOOLS in my PIX config. It
 means my VPN client will get these IPs, right? But how about the subnet mask?
 How does the PIX know what subnet mask to give?

 ip local pool IPPOOLS 10.1.1.241-100.1.1.250






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70088t=70084