Accessing a subnet via VPN session
Hi everybody.
I have not to much experience configuring and managing VPN´s and at this moment I am facing a bit issue. I've got a remote site which is connected to the headquarters via VPN site to site IP Sec tunnel. When I am in my office I have no problem to reach the remote network, but, when I try to connect to the remote network via VPN client, I can't reach it.
in the remote office I've hot a Router 3800 (Cisco IOS Software, 3800 Software (C3845-ADVENTERPRISEK9-M), Version 12.4(13c), RELEASE SOFTWARE (fc2)) in the headquarters I've got an ASA 5520 Version 8.0(3) I've chequed access-list, and network objects and it seems everythink ok.
local network: 10.30.0.0 0.0.0.0
remote network 10.31.0.0 0.0.0.0
ASA
object-group network remote-network
network-object 172.16.27.0 255.255.255.0
network-object 10.31.0.0 255.255.0.0
object-group network network-local
network-object 0.0.0.0 0.0.0.0
access-list VPN_Remote_Access_splitTunnelAcl standard permit 10.31.0.0 255.255.0.0
Router 3800
ip access-list extended vpn
permit ip 10.31.0.0 0.0.255.255 any
Can someone guide me about what is missing in the config? no problem if you need more "sho run" lines.
Regards and Thanks very much!!
Hi Ankur, thanks very much for your reply!
this is the "sho run" in my remote router:
I do not undesrtand well your first question, but if it is usefull, I loggin to headquerters "headquerters public ip address"
this is a simple diagram of where I want to connect to:
REMOTE_SITE --------------------------( vpn site to site IP sec tunnel )-------------------------HEADQUERTERS
(10.31.0.0/24 network) (10.30.0.0/16network)
|
|
|
|
REMOTE USER
(10.30.23.130/25)
REMOTESITE#sho run
Building configuration...
Current configuration : 10834 bytes
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname PYASU1ROU01
boot-start-marker
boot-end-marker
logging buffered 64000 debugging
no logging console
aaa new-model
aaa authentication login default group tac-auth local
aaa authentication enable default group tac-auth enable
aaa authorization console
aaa authorization exec default group tac-auth local if-authenticated
aaa authorization network default local
aaa accounting exec default start-stop group tac-auth
aaa session-id common
clock timezone PR -3
ip cef
voice-card 0
no dspfarm
crypto pki trustpoint TP-self-signed-4112391703
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4112391703
revocation-check none
rsakeypair TP-self-signed-4112391703
crypto pki certificate chain TP-self-signed-4112391703
certificate self-signed 01
30820243 308201AC A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34313132 33393137 3033301E 170D3131 31313234 30323430
34335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 31313233
39313730 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100A09B 8740E68A 0C5BB452 D4D26D1B C91E4B5A 71FF0E11 411D70DB ED09EE4C
95C67911 0DFB9557 EB17CE79 9A3AF1C8 3B4DC1C0 75F6B938 F3431C4D 6DEAB793
A560C0AE 88007146 4312FBDF F979476B AB55CACD 9EE00DAC B3227CD6 9861DE87
DD462212 6E8FDA90 7BEA7967 26FCF6B6 6DDDBD5A A6E3D7F8 12AE4F5E 71BDDEE3
D5130203 010001A3 6B306930 0F060355 1D130101 FF040530 030101FF 30160603
551D1104 0F300D82 0B505941 53553152 4F553031 301F0603 551D2304 18301680
14C86D3D 3AF1854B 977D5BD8 A9ABAF33 4E7483BC 3B301D06 03551D0E 04160414
C86D3D3A F1854B97 7D5BD8A9 ABAF334E 7483BC3B 300D0609 2A864886 F70D0101
04050003 8181005A 5A20ACB9 EE50A66C 054B5449 62A98E5F B42E5193 6D3D71A8
B0949BE2 70BE6F3C 2FAD7E2D AA0FCF6C 4D8E8344 035A33D6 6538EF32 33F8C746
31119E9C F08091A2 9F8DCF8F 1B779D90 82F3366C D0F84D6B AB7E3248 E532E224
91E404E9 608ECF11 5525D52B A02C3D9C 7BC1C1EF 496D1246 1125086B 54EEF4A2
94350AFF EA7CB2
quit
username admin privilege 15 secret 5 $1$P3xv$e99l3YcRWgFPEp/m6uXZg1
username cwuser privilege 15 secret 5 $1$Ir9X$CZgLaFy7XKsmT9avFHTTk/
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
crypto keyring apex
pre-shared-key address "headquerters public ip address"
key apex
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp profile companyname
keyring apex
match identity address "headquerters public ip address"
crypto ipsec transform-set esp-aes256-sha esp-aes 256 esp-sha-hmac
crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
crypto map outside 10 ipsec-isakmp
set peer "headquerters public ip address"
set transform-set 3DES
set isakmp-profile companyname
match address vpn-companyname
interface Loopback1
description monitoreo
ip address 10.31.21.255 255.255.255.255
interface GigabitEthernet0/0
description Teysa
ip address public ip address
ip nat outside
no ip virtual-reassembly
load-interval 30
duplex auto
speed auto
media-type rj45
crypto map outside
interface GigabitEthernet0/1
description TO CORE-SW
ip address 192.168.255.249 255.255.255.252
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
media-type rj45
interface FastEthernet0/0/0
switchport access vlan 2
duplex full
speed 100
interface FastEthernet0/0/1
switchport access vlan 10
shutdown
duplex full
speed 100
interface FastEthernet0/0/2
switchport mode trunk
shutdown
interface FastEthernet0/0/3
switchport access vlan 10
shutdown
duplex full
speed 100
interface Vlan1
no ip address
no ip http server
ip http authentication aaa login-authentication default
ip http authentication aaa exec-authorization default
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map nat interface GigabitEthernet0/0 overload
ip access-list extended nat
deny ip host 172.16.27.236 10.0.0.0 0.255.255.255
deny ip 10.31.0.0 0.0.255.255 10.0.0.0 0.255.255.255
deny ip 172.16.27.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 10.31.11.0 0.0.0.255 any
permit ip 10.31.13.0 0.0.0.255 any
permit ip 172.16.27.0 0.0.0.255 host 209.59.188.93
permit ip 172.16.27.0 0.0.0.255 host 190.180.145.46
permit ip 172.16.27.0 0.0.0.255 host 46.51.171.127
permit ip 172.16.27.224 0.0.0.31 any
ip access-list extended vpn-apex
permit ip 10.50.20.0 0.0.1.255 any
permit ip 172.16.27.0 0.0.0.255 any
permit ip 10.31.0.0 0.0.255.255 any
permit ip 10.30.0.0 0.0.255.255 any
route-map nat permit 10
match ip address nat
control-plane
line con 0
password 7 xxxxxxxxxx
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password 7 xxxxxxxxxx
scheduler allocate 20000 1000
ntp server 10.30.5.38
end
REMOTESITE#
Regards!
Similar Messages
-
Unable to access secondary subnet via VPN
I am having a problem with clients accessing a secondary subnet via VPN.
Clients on VPN are given the address on the 192.168.15.0 subnet. Once connected they can access 192.168.16.0 (Production subnet) fine, but are unable to access the 192.168.8.0 secondary subnet. If you are on the 192.168.16.0 subnet in the office you can access 192.168.8.0 subnet fine. The traffic is coming in via an ASA 5510 then traverses a Juniper firewall and a MPLS router to the secondary subnet. I'm not sure if it's a nat issue or not. Any help would be helpful.
Below is the config of the ASA. Thank you in advance
ASA Version 8.2(5)
hostname charlotte
domain-name tg.local
enable password v4DuEgO1ZTlkUiaA encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.254.0 Peak10 description Peak10
name 192.168.116.0 Charlotte_Phones description Charlotte_Phones
name 192.168.15.0 Charlotte_SSL_VPN_Clients description Charlotte_SSL_VPN_Client s
name 192.168.17.0 Charlotte_Wireless_Data description Charlotte_Wireless_Data
name 192.168.117.0 Charlotte_Wireless_Phones description Charlotte_Wireless_Phon es
name 192.168.5.0 Huntersville description Huntersville
name 192.168.16.1 SRX_Gateway description Juniper_SRX
name 192.168.108.0 Canton_Data description Canton_Data
name 192.168.8.0 Canton_Phones description Canton_Phones
name 192.168.9.0 Canton_Wireless_Data description Canton_Wireless_Data
name 192.168.109.0 Canton_Wireless_Phones description Canton_Wireless_Phones
name 192.168.16.4 TEST_IP description TEST_IP
name 192.168.16.2 CantonGW description Canton GW 192.168.16.2
name 192.168.5.1 HuntersvilleGW
name 10.176.0.0 RS_Cloud description 10.176.0.0/12
name 172.16.8.0 RS_172.16.8.0
name 172.16.48.0 RS_172.16.48.0
name 172.16.52.0 RS_172.16.52.0
name 10.208.0.0 RS_Cloud_New
name 10.178.0.0 RS_10.178.0.0 description Rackspace DEV servers
name 10.178.0.6 RS_10.178.0.6
name 172.16.20.0 RS_172.16.20.0
interface Ethernet0/0
nameif Outside
security-level 0
ip address 70.63.165.219 255.255.255.248
interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.16.202 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
banner login ASA Login - Unauthorized access is prohibited
banner login ASA Login - Unauthorized access is prohibited
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Outside
dns domain-lookup Inside
dns domain-lookup management
dns server-group DefaultDNS
name-server 192.168.16.122
name-server 8.8.8.8
domain-name tg.local
dns server-group defaultdns
name-server 192.168.16.122
domain-name tg.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_2
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object Canton_Phones 255.255.255.0
object-group network DM_INLINE_NETWORK_3
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object Huntersville 255.255.255.0
object-group network DM_INLINE_NETWORK_4
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object Huntersville 255.255.255.0
object-group network DM_INLINE_NETWORK_10
network-object RS_Cloud 255.240.0.0
network-object 172.16.0.0 255.255.252.0
network-object RS_172.16.8.0 255.255.252.0
network-object RS_172.16.48.0 255.255.252.0
network-object RS_172.16.52.0 255.255.252.0
network-object RS_Cloud_New 255.240.0.0
network-object RS_10.178.0.0 255.255.0.0
network-object RS_172.16.20.0 255.255.252.0
network-object 172.16.0.0 255.255.0.0
network-object Canton_Phones 255.255.255.0
object-group network DM_INLINE_NETWORK_7
network-object RS_Cloud 255.240.0.0
network-object 172.16.0.0 255.255.252.0
network-object RS_172.16.8.0 255.255.252.0
network-object RS_172.16.48.0 255.255.240.0
network-object RS_172.16.52.0 255.255.252.0
network-object RS_Cloud_New 255.240.0.0
network-object RS_10.178.0.0 255.255.0.0
network-object RS_172.16.20.0 255.255.252.0
network-object 172.16.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_8
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object Charlotte_Wireless_Data 255.255.255.0
network-object Canton_Data 255.255.255.0
network-object Canton_Phones 255.255.255.0
object-group network DM_INLINE_NETWORK_9
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object Charlotte_Wireless_Data 255.255.255.0
network-object Canton_Data 255.255.255.0
network-object Canton_Phones 255.255.255.0
object-group network DM_INLINE_NETWORK_11
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object Charlotte_Wireless_Data 255.255.255.0
object-group network DM_INLINE_NETWORK_12
network-object RS_Cloud 255.240.0.0
network-object 172.16.0.0 255.255.252.0
network-object RS_172.16.8.0 255.255.252.0
network-object RS_172.16.20.0 255.255.252.0
network-object 172.16.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_13
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object Charlotte_Wireless_Data 255.255.255.0
network-object Canton_Phones 255.255.255.0
network-object Canton_Data 255.255.255.0
network-object Canton_Wireless_Data 255.255.255.0
object-group network DM_INLINE_NETWORK_14
network-object RS_Cloud 255.240.0.0
network-object RS_172.16.48.0 255.255.252.0
network-object RS_172.16.52.0 255.255.252.0
network-object RS_Cloud_New 255.240.0.0
network-object RS_10.178.0.0 255.255.0.0
network-object RS_172.16.20.0 255.255.252.0
network-object 172.16.0.0 255.255.0.0
network-object 172.16.0.0 255.255.252.0
object-group network DM_INLINE_NETWORK_5
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object Charlotte_Wireless_Data 255.255.255.0
network-object Canton_Phones 255.255.255.0
network-object Canton_Data 255.255.255.0
network-object Canton_Wireless_Data 255.255.255.0
object-group network DM_INLINE_NETWORK_6
network-object RS_Cloud 255.240.0.0
network-object RS_Cloud_New 255.240.0.0
network-object 172.16.0.0 255.255.252.0
network-object RS_172.16.8.0 255.255.252.0
network-object RS_172.16.20.0 255.255.252.0
network-object 172.16.0.0 255.255.0.0
network-object Canton_Phones 255.255.255.0
object-group network tgnc074.tg.local
object-group icmp-type DM_INLINE_ICMP_1
icmp-object echo
icmp-object echo-reply
icmp-object traceroute
icmp-object unreachable
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp eq https
object-group icmp-type DM_INLINE_ICMP_2
icmp-object echo
icmp-object echo-reply
icmp-object traceroute
icmp-object unreachable
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
object-group service DM_INLINE_SERVICE_3
service-object ip
service-object icmp echo
service-object icmp echo-reply
object-group network DM_INLINE_NETWORK_1
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
object-group service DM_INLINE_SERVICE_4
service-object ip
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
object-group service DM_INLINE_SERVICE_5
service-object ip
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
object-group network DM_INLINE_NETWORK_15
network-object Canton_Data 255.255.255.0
network-object host CantonGW
object-group service DM_INLINE_SERVICE_6
service-object ip
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
object-group service DM_INLINE_SERVICE_7
service-object ip
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_2 Ch arlotte_SSL_VPN_Clients 255.255.255.0 any
access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_5 ho st SRX_Gateway Charlotte_SSL_VPN_Clients 255.255.255.0
access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_7 Ch arlotte_SSL_VPN_Clients 255.255.255.0 host SRX_Gateway
access-list Inside_access_in extended permit icmp any any object-group DM_INLINE _ICMP_1
access-list Inside_access_in remark Permit all in Char_ORD_VPN
access-list Inside_access_in extended permit ip object-group DM_INLINE_NETWORK_7 object-group DM_INLINE_NETWORK_8
access-list Inside_access_in remark Permit all out Char_ORD_VPN
access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_1 ob ject-group DM_INLINE_NETWORK_9 object-group DM_INLINE_NETWORK_10
access-list Inside_access_in extended permit ip Charlotte_SSL_VPN_Clients 255.25 5.255.0 any
access-list Inside_access_in remark Permit all in Char_ORD_VPN
access-list Inside_access_in remark Permit all out Char_ORD_VPN
access-list Inside_access_in extended permit ip object-group DM_INLINE_NETWORK_9 object-group DM_INLINE_NETWORK_10 log disable
access-list Tunneled_Network_List standard permit 192.168.16.0 255.255.255.0
access-list Tunneled_Network_List standard permit Charlotte_Phones 255.255.255.0
access-list Tunneled_Network_List standard permit Charlotte_Wireless_Data 255.25 5.255.0
access-list Tunneled_Network_List standard permit Charlotte_Wireless_Phones 255. 255.255.0
access-list Tunneled_Network_List standard permit Peak10 255.255.255.0
access-list Tunneled_Network_List standard permit Canton_Data 255.255.255.0
access-list Tunneled_Network_List standard permit Canton_Phones 255.255.255.0
access-list Tunneled_Network_List standard permit Canton_Wireless_Data 255.255.2 55.0
access-list Tunneled_Network_List standard permit Canton_Wireless_Phones 255.255 .255.0
access-list Tunneled_Network_List standard permit Huntersville 255.255.255.0
access-list Tunneled_Network_List standard permit 172.16.0.0 255.255.252.0
access-list Tunneled_Network_List standard permit RS_172.16.8.0 255.255.252.0
access-list Tunneled_Network_List standard permit RS_Cloud 255.240.0.0
access-list Tunneled_Network_List standard permit RS_Cloud_New 255.240.0.0
access-list Tunneled_Network_List standard permit RS_172.16.20.0 255.255.252.0
access-list Tunneled_Network_List standard permit Charlotte_SSL_VPN_Clients 255. 255.255.0
access-list Tunneled_Network_List standard permit 172.16.0.0 255.255.0.0
access-list Inside_nat0_outbound extended permit ip Charlotte_SSL_VPN_Clients 25 5.255.255.0 object-group DM_INLINE_NETWORK_2
access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWO RK_11 object-group DM_INLINE_NETWORK_12
access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWO RK_5 object-group DM_INLINE_NETWORK_6
access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWO RK_1 object-group DM_INLINE_NETWORK_2
access-list Limited_Access extended permit ip Charlotte_SSL_VPN_Clients 255.255. 255.0 host TEST_IP
access-list Limited__VPN_Acccess_List standard permit host 192.168.16.123
access-list Limited__VPN_Acccess_List standard permit Huntersville 255.255.255.0
access-list Limited__VPN_Acccess_List standard permit host 192.168.16.124
access-list Limited__VPN_Acccess_List standard permit 192.168.16.0 255.255.255.0
access-list Limited__VPN_Acccess_List standard permit host 172.16.8.52
access-list Limited__VPN_Acccess_List standard permit Canton_Phones 255.255.255. 0
access-list Limited__VPN_Acccess_List remark ORD-VM-DEV1
access-list Limited__VPN_Acccess_List standard permit host RS_10.178.0.6
access-list Limited__VPN_Acccess_List remark ORD-VM-DEV2
access-list Limited__VPN_Acccess_List standard permit host 10.178.192.103
access-list Limited__VPN_Acccess_List standard permit host 192.168.8.10
access-list Limited__VPN_Acccess_List standard permit RS_172.16.8.0 255.255.252. 0
access-list Limited__VPN_Acccess_List standard permit 172.16.0.0 255.255.0.0
access-list Limited__VPN_Acccess_List standard permit host 10.178.133.26
access-list Limited__VPN_Acccess_List standard permit RS_Cloud_New 255.240.0.0
access-list Limited__VPN_Acccess_List standard permit host CantonGW
access-list Limited__VPN_Acccess_List standard permit host SRX_Gateway
access-list Limited__VPN_Acccess_List standard permit host 192.168.8.1
access-list Limited__VPN_Acccess_List standard permit RS_Cloud 255.240.0.0
access-list Limited__VPN_Acccess_List standard permit any
access-list Limited__VPN_Acccess_List remark TGTFS
access-list Limited__VPN_Acccess_List remark TGDEV
access-list Limited__VPN_Acccess_List remark TGTFS
access-list Limited__VPN_Acccess_List remark TGDEV
access-list Outside_cryptomap extended permit ip 192.168.16.0 255.255.255.0 Huntersville 255.255.255.0
access-list Outside_cryptomap extended permit ip Huntersville 255.255.255.0 Charlotte_SSL_VPN_Clients 255.255.255.0
access-list Huntersville_nat_outbound extended permit ip Charlotte_SSL_VPN_Clients 255.255.255.0 Huntersville 255.255.255.0
access-list Huntersville_nat_outbound extended permit ip Huntersville 255.255.255.0 Charlotte_SSL_VPN_Clients 255.255.255.0
access-list Huntersville_nat_outbound extended permit ip Canton_Phones 255.255.255.0 Charlotte_SSL_VPN_Clients 255.255.255.0
access-list Huntersville_nat_outbound extended permit ip Charlotte_SSL_VPN_Clients 255.255.255.0 Canton_Phones 255.255.255.0
access-list Outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6
access-list Outside_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_13 object-group DM_INLINE_NETWORK_14
access-list Outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_2 log disable
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any Charlotte_SSL_VPN_Clients 255.255.255.0
access-list Outside_access_in extended permit ip Huntersville 255.255.255.0 any log disable
access-list Outside_access_in extended permit ip Charlotte_SSL_VPN_Clients 255.255.255.0 any log disable
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_4 host SRX_Gateway Charlotte_SSL_VPN_Clients 255.255.255.0 inactive
access-list Outside_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6
access-list Outside_cryptomap_2 extended permit ip 192.168.16.0 255.255.255.0 RS_172.16.20.0 255.255.252.0
access-list Canton_nat_outbound extended permit object-group DM_INLINE_SERVICE_6 Charlotte_SSL_VPN_Clients 255.255.255.0 object-group DM_INLINE_NETWORK_15
access-list splitacl standard permit 192.168.16.0 255.255.255.0
pager lines 24
logging enable
logging console emergencies
logging monitor informational
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool SSL_VPN_Pool 192.168.15.10-192.168.15.254 mask 255.255.255.0
ip local pool New_VPN_Pool 192.168.16.50-192.168.16.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Inside
no asdm history enable
arp timeout 14400
nat (Outside) 0 access-list Huntersville_nat_outbound
nat (Inside) 0 access-list Inside_nat0_outbound
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 70.63.165.217 1
route Inside Canton_Phones 255.255.255.0 CantonGW 1
route Inside Canton_Wireless_Data 255.255.255.0 CantonGW 1
route Inside Charlotte_SSL_VPN_Clients 255.255.255.0 SRX_Gateway 1
route Inside Charlotte_Wireless_Data 255.255.255.0 SRX_Gateway 1
route Inside Canton_Data 255.255.255.0 CantonGW 1
route Inside Canton_Wireless_Phones 255.255.255.0 CantonGW 1
route Inside Charlotte_Phones 255.255.255.0 SRX_Gateway 1
route Inside 192.168.116.219 255.255.255.255 CantonGW 1
route Inside Charlotte_Wireless_Phones 255.255.255.0 SRX_Gateway 1
route Inside Peak10 255.255.255.0 SRX_Gateway 1
timeout xlate 3:00:00
timeout conn 8:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record TGAD_AccessPolicy
aaa-server TGAD protocol ldap
aaa-server TGAD (Inside) host 192.168.16.122
ldap-base-dn DC=tg,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=vpn user,CN=Users,DC=tg,DC=local
server-type microsoft
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa local authentication attempts max-fail 10
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.16.0 255.255.255.0 Inside
http Charlotte_SSL_VPN_Clients 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map0 1 match address Outside_cryptomap
crypto map Outside_map0 1 set pfs
crypto map Outside_map0 1 set peer 74.218.175.168
crypto map Outside_map0 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map0 2 match address Outside_cryptomap_2
crypto map Outside_map0 2 set peer 192.237.229.119
crypto map Outside_map0 2 set transform-set ESP-3DES-MD5
crypto map Outside_map0 3 match address Outside_cryptomap_1
crypto map Outside_map0 3 set peer 174.143.192.65
crypto map Outside_map0 3 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map0 interface Outside
crypto map Inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Inside_map interface Inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=charlotte
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
subject-name CN=charlotte
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint1
certificate 48676150
3082024c 308201b5 a0030201 02020448 67615030 0d06092a 864886f7 0d010105
05003038 31123010 06035504 03130963 6861726c 6f747465 31223020 06092a86
4886f70d 01090216 13636861 726c6f74 74652e74 68696e6b 67617465 301e170d
31323039 32353038 31373333 5a170d32 32303932 33303831 3733335a 30383112
30100603 55040313 09636861 726c6f74 74653122 30200609 2a864886 f70d0109
02161363 6861726c 6f747465 2e746869 6e6b6761 74653081 9f300d06 092a8648
86f70d01 01010500 03818d00 30818902 8181008e d3e1ac63 a8a39dab 02170491
2bf104d2 732c7fd7 7065758b 03bb9772 c8ab9faf 0e5e9e93 bfb57eea a849c875
7899d261 8d426c37 9749d3d7 c86ca8e0 1d978069 3d43e7c5 569bb738 37e9bb31
0ebd5065 01eb7a05 87933d2d 786a722e 8eee16e7 3207510b f5e7e704 cbddbda2
a6b9ae45 efaba898 b8c921b6 2b05c0fb 1b0a9b02 03010001 a3633061 300f0603
551d1301 01ff0405 30030101 ff300e06 03551d0f 0101ff04 04030201 86301f06
03551d23 04183016 8014fb93 35da7dd5 15d8e2ad 8e05ccf7 b5c333cc 95ac301d
0603551d 0e041604 14fb9335 da7dd515 d8e2ad8e 05ccf7b5 c333cc95 ac300d06
092a8648 86f70d01 01050500 03818100 6851ae52 5383c6f6 9e3ea714 85b2c5a0
fd720959 a0b91899 806bad7a 08e2208e de22cad0 6692b09a 7152b21e 3bbfce68
cc9f1391 8c460a04 a15e1a9e b18f829d 6d42d9bd ed5346bd 73a402f7 21e0c746
02757fb6 b60405a9 ac3b9070 8c0f2fba d12f157b 85dd0a8b 2e9cf830 90a19412
c7af1667 37b5ed8e c023ea4d 0c434609
quit
crypto isakmp enable Outside
crypto isakmp enable Inside
crypto isakmp policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 170
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 5
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh 172.221.228.164 255.255.255.255 Outside
ssh Charlotte_SSL_VPN_Clients 255.255.255.0 Inside
ssh 192.168.16.0 255.255.255.0 Inside
ssh timeout 5
console timeout 0
management-access Inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint1 Outside
webvpn
enable Outside
enable Inside
anyconnect-essentials
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1 regex "Windows NT"
svc enable
group-policy DfltGrpPolicy attributes
dns-server value 192.168.16.122 8.8.8.8
vpn-idle-timeout none
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Limited__VPN_Acccess_List
default-domain value tg.local
split-dns value tg.local
group-policy LimitedAccessGroupPolicy internal
group-policy LimitedAccessGroupPolicy attributes
wins-server none
dns-server value 192.168.16.122 8.8.8.8
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Limited__VPN_Acccess_List
default-domain value thinkgate.local
split-tunnel-all-dns disable
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
vpn-tunnel-protocol IPSec
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
wins-server none
dns-server value 192.168.16.122 8.8.8.8
vpn-tunnel-protocol svc
default-domain value tg.local
group-policy Site-to-Site_Policy internal
group-policy Site-to-Site_Policy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
default-group-policy LimitedAccessGroupPolicy
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool SSL_VPN_Pool
tunnel-group LimitedAccessTunnelGroup type remote-access
tunnel-group LimitedAccessTunnelGroup general-attributes
address-pool SSL_VPN_Pool
default-group-policy LimitedAccessGroupPolicy
tunnel-group 208.104.76.178 type ipsec-l2l
tunnel-group 208.104.76.178 ipsec-attributes
pre-shared-key *****
tunnel-group 74.218.175.168 type ipsec-l2l
tunnel-group 74.218.175.168 ipsec-attributes
pre-shared-key *****
tunnel-group TGAD_ConnectionProfile type remote-access
tunnel-group TGAD_ConnectionProfile general-attributes
authentication-server-group TGAD
default-group-policy GroupPolicy1
tunnel-group 174.143.192.65 type ipsec-l2l
tunnel-group 174.143.192.65 general-attributes
default-group-policy GroupPolicy2
tunnel-group 174.143.192.65 ipsec-attributes
pre-shared-key *****
tunnel-group 192.237.229.119 type ipsec-l2l
tunnel-group 192.237.229.119 ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:ef741b4905b43dc36d0f621e06508840
: end
charlotte#What does the packet-tracer say, what does the IPsec associations say (packets encrypted/decrypted)?
This might be faster that going through your hundreds of lines of config. -
Unable to access secondary subnet from VPN client
Please can someone help with the following; I have an ASA 5510 running v8.4(3)9 and have setup a remote user VPN using the Cisco VPN client v5.0.07.0410 which is working appart from the fact that I cannot access resources on a secondary subnet.
The setup is as follows:
ASA inside interface on 192.168.10.240
VPN clients on 192.168.254.x
I can access reources on the 192.168.10 subnet but not any other subnets internally, I need to specifically allow access to the 192.168.20 subnet, but I cannot figure out how to do this please advise, the config is below: -
Result of the command: "show startup-config"
ASA Version 8.4(3)9
hostname blank
domain-name
enable password encrypted
passwd encrypted
names
dns-guard
interface Ethernet0/0
nameif outside
security-level 0
ip address 255.255.255.224
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.240 255.255.255.0
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 10.10.10.253 255.255.255.0
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
boot system disk0:/asa843-9-k8.bin
boot system disk0:/asa823-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 194.168.4.123
name-server 194.168.8.123
domain-name nifcoeu.com
object network obj-192.168.0.0
subnet 192.168.0.0 255.255.255.0
object network obj-192.168.5.0
subnet 192.168.5.0 255.255.255.0
object network obj-192.168.10.0
subnet 192.168.10.0 255.255.255.0
object network obj-192.168.100.0
subnet 192.168.100.0 255.255.255.0
object network obj-192.168.254.0
subnet 192.168.254.0 255.255.255.0
object network obj-192.168.20.1
host 192.168.20.1
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj_any-01
subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
host 0.0.0.0
object network obj_any-02
subnet 0.0.0.0 0.0.0.0
object network obj-10.10.10.1
host 10.10.10.1
object network obj_any-03
subnet 0.0.0.0 0.0.0.0
object network obj_any-04
subnet 0.0.0.0 0.0.0.0
object network obj_any-05
subnet 0.0.0.0 0.0.0.0
object network NS1000_EXT
host 80.4.146.133
object network NS1000_INT
host 192.168.20.1
object network SIP_REGISTRAR
host 83.245.6.81
object service SIP_INIT_TCP
service tcp destination eq sip
object service SIP_INIT_UDP
service udp destination eq sip
object network NS1000_DSP
host 192.168.20.2
object network SIP_VOICE_CHANNEL
host 83.245.6.82
object service DSP_UDP
service udp destination range 6000 40000
object service DSP_TCP
service tcp destination range 6000 40000
object network 20_range_subnet
subnet 192.168.20.0 255.255.255.0
description Voice subnet
object network 25_range_Subnet
subnet 192.168.25.0 255.255.255.0
description VLAN 25 client PC devices
object-group network ISP_NAT
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service SIP_INIT tcp-udp
port-object eq sip
object-group service DSP_TCP_UDP tcp-udp
port-object range 6000 40000
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object 20_range_subnet 192.168.254.0 255.255.255.0
access-list Remote-VPN_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list Remote-VPN_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
access-list 100 extended permit object-group TCPUDP object SIP_REGISTRAR object NS1000_INT object-group SIP_INIT
access-list 100 extended permit object-group TCPUDP object SIP_VOICE_CHANNEL object NS1000_DSP object-group DSP_TCP_UDP
access-list 100 extended permit ip 62.255.171.0 255.255.255.224 any
access-list 100 extended permit icmp any any echo-reply inactive
access-list 100 extended permit icmp any any time-exceeded inactive
access-list 100 extended permit icmp any any unreachable inactive
access-list 100 extended permit tcp any host 10.10.10.1 eq ftp
access-list 100 extended permit tcp any host 10.10.10.1 eq ftp-data
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
ip local pool VPN-Pool 192.168.254.1-192.168.254.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
asdm history enable
arp timeout 14400
nat (inside,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.5.0 obj-192.168.5.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.100.0 obj-192.168.100.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.254.0 obj-192.168.254.0 no-proxy-arp route-lookup
nat (outside,inside) source static SIP_REGISTRAR SIP_REGISTRAR destination static interface NS1000_INT service SIP_INIT_TCP SIP_INIT_TCP
nat (outside,inside) source static SIP_REGISTRAR SIP_REGISTRAR destination static interface NS1000_INT service SIP_INIT_UDP SIP_INIT_UDP
object network obj_any
nat (inside,outside) dynamic interface
object network obj_any-01
nat (inside,outside) dynamic obj-0.0.0.0
object network obj_any-02
nat (inside,DMZ) dynamic obj-0.0.0.0
object network obj-10.10.10.1
nat (DMZ,outside) static 80.4.146.134
object network obj_any-03
nat (DMZ,outside) dynamic obj-0.0.0.0
object network obj_any-04
nat (management,outside) dynamic obj-0.0.0.0
object network obj_any-05
nat (management,DMZ) dynamic obj-0.0.0.0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 80.4.146.129 1
route inside 192.168.20.0 255.255.255.0 192.168.10.254 1
route inside 192.168.25.0 255.255.255.0 192.168.10.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.10.0 255.255.255.0 inside
http 192.168.25.0 255.255.255.0 inside
http 62.255.171.0 255.255.255.224 outside
http 192.168.254.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=
crl configure
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 2f0e024d
quit
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
quit
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh 62.255.171.0 255.255.255.224 outside
ssh 192.168.254.0 255.255.255.0 outside
ssh 192.168.10.0 255.255.255.0 inside
ssh 192.168.25.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
vpn-sessiondb max-other-vpn-limit 250
vpn-sessiondb max-anyconnect-premium-or-essentials-limit 2
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.10.6 source inside prefer
webvpn
group-policy Remote-VPN internal
group-policy Remote-VPN attributes
wins-server value 192.168.10.21 192.168.10.22
dns-server value 192.168.10.21 192.168.10.22
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Remote-VPN_splitTunnelAcl
default-domain value
username blank password blank encrypted privilege 0
username blank attributes
vpn-group-policy Remote-VPN
username blank password encrypted privilege 0
username blank attributes
vpn-group-policy Remote-VPN
tunnel-group Remote-VPN type remote-access
tunnel-group Remote-VPN general-attributes
address-pool VPN-Pool
default-group-policy Remote-VPN
tunnel-group Remote-VPN ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
inspect sip
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
contact-email-addr
profile CiscoTAC-1
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:b8263c5aa7a6a4d9cb08368c042ea236Your config was missing a no-nat between your "192.168.20.0" and "obj-192.168.254.0"
So, if you look at your config there is a no-nat for inside subnet "obj-192.168.10.0" as shown below.
nat (inside,any) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.254.0 obj-192.168.254.0
So all you have to do is create a no-nat for your second subnet, like I showed you before, the solution was already there on your config but I guess you over looked at it.
I hope that helps.
Thanks
Rizwan Rafeek -
Can't access management interface via vpn connection
Hi all,
I can't seem to be able to manage my ASA 5510 when I connect via vpn. My asa sits at a remote colo, and from my office i can connect fine. I have it configured as management-access (dmz), bc as of now we are just doing some staging and all the servers are in the dmz interface.
When i connect with the vpn client, in the routes it sees 192.168.1.0 255.255.255.0 which is the management network/interface.
For some reason I can't get access to 192.168.1.1 to use the ASDM.
Here is how i did my vpn via CLI
isakmp enable outside
isakmp identity address
isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
ip local pool vpnpool 10.1.1.2-10.1.1.10
access-list split_tunnel standard permit 192.168.200.0 255.255.255.0
access-list split_tunnel standard permit 192.168.100.0 255.255.255.0
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
group-policy xxxxx internal
group-policy xxxxx attributes
dns value
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
username xxxxx password
username xxxxxx attributes
vpn-group-policy xxxx
username xxxxxx password
username xxxxxx attributes
vpn-group-policy xxxx
username xxxx password
username xxxx attributes
vpn-group-policy xxxx
tunnel-group xxxx type ipsec-ra
tunnel-group xxxx general-attributes
address-pool vpnpool
tunnel-group xxxx ipsec-attributes
pre-shared-key
access-list vpnra permit ip 192.168.200.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list vpnra permit ip 192.168.100.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list vpnra permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list vpnra
nat (dmz) 0 access-list vpnra
nat (management) 0 access-list vprna
crypto ipsec transform-set md5des esp-des esp-md5-hmac
crypto dynamic-map dynomap 10 set transform-set md5des
crypto map vpnpeer 20 ipsec-isakmp dynamic dynomap
crypto map vpnpeer interface outside
Any help would be much appreciatedit seems like you are missing a line:
management-access "interface"
http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/m_711.html#wp1631964 -
Having trouble accessing wikis & blogs via VPN
After I connect to our server via VPN when I'm outside of our network, I'm having trouble getting wiki and blog pages to open up. Currently I'm using the internal hostname to pull up the pages: ajax.private (we used the .private domain because it is an internal server only).
So, when I type in: ajax.private into the browser, the page starts to load and I can see the graphics starting to load, but it never finishes loading. Likewise, if I try and access the pages using the server's internal IP address, the same thing happens. Am I doing something wrong here?
My other services like ichat and ical are able to access and authenticate using the FQDN of ajax.privateYou'd have to provide a lot more details of the setup to have any hope of a useful response. You don't even say what kind of VPN it is. What does the network admin at work say?
-
Is symbian or windows mobile better to access mac shares via vpn?
I am considering a smart phone purchase in the next few months, and I would like to be able to browse my server via vpn from the phone the same way I can with my Palm LifeDrive. I think Symbian or Windows Mobile are my best OS choices for a phone, and I was wondering if anyone has actual experience with this. Do they use PPTP or L2TP? At this point, the iPhone cannot edit documents, so it is not a consideration, but I am also curious if it allows for this type of remote browsing through a VPN.
Thank you for any help that you can offer.
MichaelI have done some more testing and oddly enough I can map a drive if I use the IPaddress, but not the computer name, when checking the check box "connect using different credentials"and providing they users domain credentials.
This seems to point to a DNS issue, one would think, but I can hit the file share server by name \\fileserver.dev.lan
I can see all the shares, so dns seems to be fine right?
So I don't understand why I can map a drive using do the IPaddress and not the machine name, but yet I can see and ping the server by name?
When I try to create a mapped drive by machine name I receive the following message:
Windows cannot access \\fileserver.dev.lan\all
You do not have permissions to access \\fileserver.dev.lan. contact your network administrator to request access.
But if I use the \\x.x.x.x\all using the very same user and password I get connected with no problem.
This only seems to happen on windows 8.1, which leads me to think that has something to do with OS.
I am thinking about upgrading to windows 8.1 pro, but I don't want to go though the hassle and expanse is the OS is not the problem. -
Unable to Access Company LAN via VPN
Hello,
I have a ASA 5505 that I have been using to test run the IPSec VPN connection after studying the different configs and running through the ASDM I keep getting the same issue that I can't receive any traffic.
The company LAN is on a 10.8.0.0 255.255.0.0 network, I have placed the VPN clients in 192.168.10.0 255.255.255.0 network, the 192 clients can't talk to the 10.8 network.
On the Cisco VPN client I can see lots of sent packets but none received.
I think it could be to do with the NAT but from the examples I have seen I believe it should work.
I have attached the complete running-config, as I could well have missed something.
Many Thanks for any help on this...
FWBKH(config)# show running-config
: Saved
ASA Version 8.2(2)
hostname FWBKH
domain-name test.local
enable password XXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXX encrypted
names
name 9.9.9.9 zscaler-uk-network
name 10.8.50.0 inside-network-it
name 10.8.112.0 inside-servers
name 17.7.9.10 fwbkh-out
name 10.8.127.200 fwbkh-in
name 192.168.10.0 bkh-vpn-pool
interface Vlan1
nameif inside
security-level 100
ip address fwbkh-in 255.255.0.0
interface Vlan2
nameif outside
security-level 0
ip address fwbkh-out 255.255.255.248
interface Vlan3
nameif vpn
security-level 100
ip address 192.168.10.1 255.255.255.0
interface Ethernet0/0
interface Ethernet0/1
switchport access vlan 2
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
banner login Trespassers will be Shot, Survivors will be Prosecuted!!!!
banner motd Trespassers will be Shot, Survivors will be Prosecuted!!!!
banner asdm Trespassers will be Shot, Survivors will be Prosecuted!!!!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name test.local
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_UDP_1 udp
port-object eq 4500
port-object eq isakmp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object udp
access-list inside_access_in extended permit tcp 10.8.0.0 255.255.0.0 any object-group DM_INLINE_TCP_2 log warnings inactive
access-list inside_access_in extended permit ip inside-network-it 255.255.255.0 any inactive
access-list inside_access_in extended permit tcp 10.8.0.0 255.255.0.0 host zscaler-uk-network eq www
access-list inside_access_in extended permit ip inside-servers 255.255.255.0 any log warnings
access-list USER-ACL extended permit tcp 10.8.0.0 255.255.0.0 any eq www
access-list USER-ACL extended permit tcp 10.8.0.0 255.255.0.0 any eq https
access-list outside_nat0_outbound extended permit ip bkh-vpn-pool 255.255.255.0 10.8.0.0 255.255.0.0
access-list outside_access_in extended permit udp any host fwbkh-out object-group DM_INLINE_UDP_1 log errors inactive
access-list inside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_1 10.8.0.0 255.255.0.0 any
access-list inside_nat0_outbound_1 extended permit ip 10.8.0.0 255.255.0.0 bkh-vpn-pool 255.255.255.0
access-list UK-VPN-USERS_splitTunnel extended permit ip 10.8.0.0 255.255.0.0 bkh-vpn-pool 255.255.255.0
access-list UK-VPN-USERS_splitTunnel extended permit ip inside-servers 255.255.255.0 bkh-vpn-pool 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu vpn 1500
ip local pool UK-VPN-POOL 192.168.10.10-192.168.10.60 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat-control
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 10.8.0.0 255.255.0.0 dns
nat (outside) 0 access-list outside_nat0_outbound outside
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 17.7.9.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.8.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint BKHFW
enrollment self
subject-name CN=FWBKH
crl configure
crypto ca certificate chain BKHFW
certificate fc968750
308201dd 30820146 a0030201 020204fc 96875030 0d06092a 864886f7 0d010105
05003033 310e300c 06035504 03130546 57424b48 3121301f 06092a86 4886f70d
ccc6f3cb 977029d5 df42515f d35c0d96 798350bf 7472725c fb8cd64d 514dc9cb
7f05ffb9 b3336388 d55576cc a3d308e1 88e14c1e 8bcb13e5 c58225ff 67144c53 f2
quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.8.0.0 255.255.0.0 inside
ssh timeout 30
ssh version 2
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy UK-VPN-USERS internal
group-policy UK-VPN-USERS attributes
dns-server value 10.8.112.1 10.8.112.2
vpn-tunnel-protocol IPSec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value UK-VPN-USERS_splitTunnel
default-domain value test.local
address-pools value UK-VPN-POOL
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol webvpn
username admin password XXXXXXXXXXXXXXXXX encrypted privilege 15
username karl password XXXXXXXXXXXXXXX encrypted privilege 15
tunnel-group UK-VPN-USERS type remote-access
tunnel-group UK-VPN-USERS general-attributes
address-pool UK-VPN-POOL
default-group-policy UK-VPN-USERS
tunnel-group UK-VPN-USERS ipsec-attributes
pre-shared-key *****
tunnel-group IT-VPN type remote-access
tunnel-group IT-VPN general-attributes
address-pool UK-VPN-POOL
default-group-policy UK-VPN-USERS
tunnel-group IT-VPN ipsec-attributes
pre-shared-key *****
class-map ALLOW-USER-CLASS
match access-list USER-ACL
class-map type inspect http match-all ALLOW-URL-CLASS
match not request header from regex ALLOW-ZSGATEWAY
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map type inspect http ALLOW-URL-POLICY
parameters
class ALLOW-URL-CLASS
drop-connection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
policy-map ALLOW-USER-URL-POLICY
class ALLOW-USER-CLASS
inspect http
service-policy global_policy global
service-policy ALLOW-USER-URL-POLICY interface inside
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:00725d3158adc23e6a2664addb24fce1
: endHi Karl,
Please make the following changes:
ip local pool VPN_POOL_UK_USERS 192.168.254.1-192.168.254.254
access-list inside_nat0_outbound_1 extended permit ip 10.8.0.0 255.255.0.0 192.168.254.0 255.255.255.0
no nat (outside) 0 access-list outside_nat0_outbound outside
access-list UK-VPN-USERS_SPLIT permit 10.8.0.0 255.255.0.0
group-policy UK-VPN-USERS attributes
split-tunnel-network-list value UK-VPN-USERS_SPLIT
no access-list UK-VPN-USERS_splitTunnel extended permit ip 10.8.0.0 255.255.0.0 bkh-vpn-pool 255.255.255.0
no access-list UK-VPN-USERS_splitTunnel extended permit ip inside-servers 255.255.255.0 bkh-vpn-pool 255.255.255.0
access-list inside_access_in extended permit ip 10.8.0.0 255.255.255.0 192.168.254.0 255.255.255.0
management-access inside
As you can see, I did create a new pool, since you already have an interface in the 192.168.10.0/24 network, which does affect the VPN clients.
Once you are done, connect the client and try:
ping 10.8.127.200
Does it work?
Try to ping other internal IPs as well.
Let me know how it goes.
Portu.
Please rate any helpful posts
Message was edited by: Javier Portuguez -
Bridging identicle subnets via VPN/IPsec
We have a Cisco SB ISA550W, as does our client.
We are using software from Rockwell for programming PLCs that absolutely requires the subnet of our programmers laptops and the subnet of the PLC to be identicle in order to connect to the PLC processors. Say the client is a 192.168.111.0 subnet. Say our office is a 192.168.222.0 network.
I would like to configure a VLAN on a specific port of our ISA to 192.168.111.0 and I'm going to run an ethernet cable from that port to the programmers laptop. I'm going to statically program the LAN interface of the laptop with say 192.168.111.12 (an IP which I know to be available on the clients network and reserved for us in their DHCP server). Say the IP of the PLC processors on the clients network is 192.168.111.58 that we are wanting to connect to.
First, is this possible and is this the best way to do it? Second, should we use the Cisco AnyConnect client on our promgrammers laptop to connect to their network, OR, should I setup and IPsec tunnel between the gatways? We have a static IP on DSL, our client has a static IP with their Satellite ISP.
Comments, sugestions? Will this work? Am I going about this the right way?
Thanks!
AlexUnfortunately what you're wanting to accomplish is not feasible. The reason is this. What you're stating is that the Programmer and the PLC must be on the same physical network which means they must be able to communicate at Layer 2. However the only time a device would send traffic to either your ISA or your client's ISA is if it requires Layer 3 routing, which means that the requestor is looking for something that is not on it's own layer 2 network. I've been racking my brain trying to figure out a way to do this using VPNs, AnyConnect, NAT, etc. and I'm not coming up with one. Most likely your only solution will be to have a device at your client's premise that you can remotely access via RDP, VNC, etc. and then leverage that device to program the PLC.
Sorry I wish I had a better answer for you.
Shawn Eftink
CCNA/CCDA
Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community. -
Window 8.1 system unable to access network shares via VPN connection
Is there something inherent to Windows 8.1 that prevents it from accessing shares on a domain?
I know that it cannot join a domain, but does that also mean that it cannot access shares which are on a domain?
My problem is that I have several user that are running windows 8.1 that are connecting to our network via a VPN.
The users have domain accounts but their computers as windows 8.1 cannot joined to the domain.
So to access network shares they have to use their domain credentials to create a VPN connection.
Once connected the user can RDP to systems on the domain using their domain accounts, so I know that their user names/passwords and permissions are correct. They can access these systems using the computer name, so I don't feel that I have a DNS issue.
They can see the shares on our file server, but when they try to access their departments shared file, they receive an access denied message. There are a few shares that are completely wide open, shared to all users and all departments but they cannot access
those shares either.
You can ping the file server, from the the client when they are connected to the VPN but you just cannot access any of the shares.
So...
I am thinking that it has something to do with windows 8.1 and not being able to join a domain, but I cannot find anything to explicitly support this thought.
Other users running a variety different OS (windows 7, OSX, Linux) can all access the shares without any problems via the VPN, so I am a little stumped.I have done some more testing and oddly enough I can map a drive if I use the IPaddress, but not the computer name, when checking the check box "connect using different credentials"and providing they users domain credentials.
This seems to point to a DNS issue, one would think, but I can hit the file share server by name \\fileserver.dev.lan
I can see all the shares, so dns seems to be fine right?
So I don't understand why I can map a drive using do the IPaddress and not the machine name, but yet I can see and ping the server by name?
When I try to create a mapped drive by machine name I receive the following message:
Windows cannot access \\fileserver.dev.lan\all
You do not have permissions to access \\fileserver.dev.lan. contact your network administrator to request access.
But if I use the \\x.x.x.x\all using the very same user and password I get connected with no problem.
This only seems to happen on windows 8.1, which leads me to think that has something to do with OS.
I am thinking about upgrading to windows 8.1 pro, but I don't want to go though the hassle and expanse is the OS is not the problem. -
JClient accessing remote AppModule via EJB Session Fascade (BMT)?
Would appreciate some "how-to" advice on bootstrapping a remote JClient like the one in the VSM example,
such that: the JClient remotely accesses OC4J-pooled AppModule instances,
rather than creating a new AppModule instance on the client side.
In the OTN VSM-JClient example code, the Bootstrap is done in
AdministrativeServiceForm::main() as follows:
JUApplication app =
JUMetaObjectManager.createApplicationObject(
"VSMJClient.AdministrativeService",
null,
new JUEnvInfoProvider() );
String appModule =
System.getProperty("jclient.service",
"VSMJClient.AdministrativeService" );
The problem with this is -
JUMetaObjectManager.createApplicationObject() is undocumented, hence may or may not facilitate remote
App-Module access?
If anyone can share a working example of JClient remote AppModule access over ORMI (talking to modules deployed on JBuilder-embedded-OC4J), or can modify the VSM-JClient to do the same - it would be greatly appreciated!
Many thanks,
Lee.JUMetaObjectManager.createApplicationObject("VSMJClient.AdministrativeService",null,new JUEnvInfoProvider());
looks for the Session AdministrativeService in VSMJClient.cpx:
<Session
Name="AdministrativeService"
Package="oracle.otnsamples.vsm.services"
Configuration="AdministrativeServiceLocal" >
</Session>
<Session
Name="RemoteAdministrativeService"
Package="oracle.otnsamples.vsm.services"
Configuration="AdministrativeService9iAS" >
</Session>
Just call
JUMetaObjectManager.createApplicationObject("VSMJClient.RemoteAdministrativeService",null,new JUEnvInfoProvider() );
to access the deployed Beans with configuration AdministrativeService9iAS. -
Can I use domain name to access local web (& other) services via VPN?
I've just set up a VPN service for our office but, when connected via VPN, I can't seem to access our Wiki Server via our domain (http://example.private/groups/). Instead it will only let me access it via IP (http://192.168.1.2/groups/)
Is it possible to access it via http://example.private/groups/ and if so what do I need to do?
EDIT: actually, same goes with the local iChat and iCal services too.
Message was edited by: ChristiaanOkay, it's sorted. I phone Apple Support.
The solution is to open Server Admin. Go to VPN Settings, then click on the Client Information tab, then add your local DNS server to the DNS Servers list (in our case 192.168.1.2).
I would have expected the Standard configuration of Leopard Server setup to have added this by default, so I'll submit a bug report when I get a chance. -
Do I need to run DNS on a colo server being accessed remotely via VPN?
My Mac Mini Server is located in a colo site. We generally use it for Web, email and a couple of application-specific services. It has a dedicated IP address. We have a separate DNS service we use to point to the domains on the server located remotely from the server. Forward and reverse lookups work fine from the server, even though the local DNS service is turned off.
However, we now have a couple of things we want to access remotely on the server via VPN (for example, some files via AFP). The firewall blocks remote AFP requests (using the built-in firewall, not a separate box). We can connect via VPN without problems. However, AFP does not work. If I allow AFP in the firewall and try to connect, no problems at all.
Since the Mini is located by itself and will never likely have anything connected to a "local network" (never running DHCP, etc.), there generally doesn't seem to be a need to run DNS on the server.
I suspect the problem is that when you VPN into the server you are on its "local network", whatever that means, so the DNS does not resolve since the local DNS service is not running. However, I am not positive of this.
Must we run local DNS? Does it have to mirror the remote DNS that we currently reference? Can we somehow "reference" the local DNS from VPN clients trying to access local services?
I hope this question makes some sense.Bear with me please....
The Mac Mini is in a data center on a shelf, getting a direct connection to the Internet via ethernet with a fixed IP address (under the covers, I suspect that the data center is using some sort of router or switch, but I am not paying for a hardware firewall or other gateway). There is no local network for the Mini. It is not running DHCP, not handing out NAT addresses, etc. DNS is currently off. Rather than using the local DNS, the Mini is resolving its DNS needs with a DNS server located at another site, over the Internet. This seems to work fine (i.e., changeip confirms it is working and services seem to work).
I am currently using the software firewall built into SLS.
I want to turn on VPN so that remotely located computers can access services on the Mini without having to make the services visible through the firewall.
I am able to connect devices via VPN with little difficulty (iPhones, Macs, etc.). However, when I try to access services (let's use AFP as an example), I cannot access them UNLESS they are allowed through the firewall. This tells me that I am not seeing the services through the VPN, but rather through the Internet directly.
What I meant by "local network" is that the VPN allocates local IP addresses when devices log into the VPN service (10.0.x.x). There is no DHCP allocating these addresses, just VPN.
My question is: why can I not see the services on the Mini blocked by the firewall when successfully logged into VPN on the server? Isn't the whole point of the VPN to gain access to services behind the firewall?
I am guessing (with no particular information to support my thesis) that somehow without DNS running on the Mini, VPN clients are unable to access services on the Mini. I do not know for sure, however, if this is the problem. If it IS a problem, then the question is whether I should completely copy the DNS entries from the remote DNS server to the Mini and start the service. Will that solve the issue? Create conflicts with the DNS (since it is now located on both a remote service and on the Mini)? It certainly will create a maintenance headache since now I will have to maintain the DNS in both places.
I am hesitant to migrate all of my DNS services to the Mini (because I will also have to go to the domain registrars to change where they point, etc.) to eliminate the remote one. And I am not sure it will solve this problem anyway.
Sorry for all of the typing! -
Access AFP, email, Remote Desktop via VPN and local network but NOT web
How can I do this? Right now I can set up all these services where I can access them via VPN only, but not on the local network or via the web. If I want to access them via the local network I have to open up the ports in the firewall, however this opens up access via the web (not requiring VPN) which I do NOT want. How do I remedy this?
How can I do this? Right now I can set up all these services where I can access them via VPN only, but not on the local network or via the web. If I want to access them via the local network I have to open up the ports in the firewall, however this opens up access via the web (not requiring VPN) which I do NOT want. How do I remedy this?
-
Unable to access Standalone VM via Remote Desktop through a VPN
Good Morning everyone, now here is my problem.
My company is a small software development house and we test our software on Win 7 or 8 VM's running on standalone (ie not on the domain) VM's. We are running the VM's on WS2012 R2 Hyper V and when we are inside the building we are able to Remote Desktop
onto these VM's direct without any problem. The problem comes when we want to RD onto the VM's when working from home via the VPN. When we try to connect to the VM's via RD through the VPN the Remote Desktop Connection fails with the following alert "Remote
Desktop can't find the computer '[Computers Name]'. This might mean that '[Computers Name]' does not belong to the specified network. Verify the computer name and domain that you are trying to connect to." The only way I can connect to the VM's is
by going onto the host server and access the VM's via Hyper V manager and use it that way.
Now when I try to connect to a VM that is running on the Domain via the VPN I connect without any problems at all.
So my question is why can I connect to standalone VM's via RD without any problems when in the office but when I am at home via VPN I can't but I can connect to VM's on the domain without any problems? What do I need to do to make this work?
PhilHi Darren,
I have just tested it and when at work I can ping by name a named server and the standalone VM without any problems.
But when I connect from the outside via the VPN I am still able to ping by name a named server but not the stand alone server. Nor can I ping the IP address of the standalone VM although I can connect to a standalone VM using its IP address via RDC
Phil -
Server Admin not connecting to Leopard Server when accessing via VPN
Hi everyone,
Recently, as the title suggests, Server Admin (or Server Preferences, for that matter) would not connect to my remote server via VPN. I'm quite sure that the server is working nicely, as the users (both of them lovely young ladies with considerable charms, which makes on-site support quite interesting, if distracting) didn't call me to complain, and I can login via SSH with no problems.
The server is a Mac Mini, connected to an Airport Extreme (gigabit N), which in turn connects to our ADSL modem, if that helps any.
Now, I did tinker around a bit with the settings before this happened, so I think it's probably my fault (well, I started my "career" of administering this server a week ago, what do you expect), so I suppose I may have inadvertently limited access to a service required for Server Admin and Server Preferences to function.
If anyone could tell me which services are absolutely necessary for Server Admin to function, or at least where to start looking, I'd be immensely grateful. I didn't yet go on site to try and wrestle the whole thing from there, as the travel costs are non-trivial, so I'd rather do it remotely, if at all possible.This is exactly the difficulty I am having with a 10.5.4 Intel xserve. I have established a VPN connection that connects me to my business LAN, and I know it has carried out the connection because there are a number of things I can access properly that are not available on the public internet. For instance, my LOM ports are restricted to my business LAN, and when I connect to the server via VPN I can access teh LOM ports and using server monitor. However, when I try to use Server Admin, nothing works. It won't connect. I too am confused. All traffic to the xserve is allowed via the business LAN. I thought all traffic was supposed to be routed to the VPN server when connected via a VPN. If this is the case, shouldn't Server Admin work? When I go on site and connect my computer directly to the business LAN, I have no difficulty using Server Admin.
Maybe you are looking for
-
"ipod cannot update - file not found" after getting new ipod
i had my ipod replaced today at the apple store because of a bad HD. Seems like the one they gave me was brand new...anyway after following the restore/charge directions, i went to go plug it into my dock and Itunes is telling me it can't update the
-
Where can I buy the Orange U300s?
Is anyone stocking the U300s yet? Also, is it just me or is the subject column in this forum area to narrow?
-
I have one scenario:- I want to have procurement of one semi FG as X i.e both in house as well as external procurement. If order quantity is less than 100, system should create planned orders to be converted to production orders. If order qty is more
-
Why is the first address on a subnet reserved?
Based on subnetting, the "all 1s" or last address in a subnet is the broadcast address. Why is the "all 0s" or first address reserved? About all I can find on the web is that "way back in time" it was also a broadcast address of some type. Is ther
-
JSP hanging when 9i database invoked through JSP
Hi I have just installed Oracle 9i DB on Win 2000 server. When I try to invoke a SQL from a jsp on the application server on the same machine, it hangs. The jsp is able to connect to the Oracle 8i database on a different machine. We are having classe