10.5.1 VPN+OD 2 Servers

Hello, now I have been reading a lot of the VPN issues everyone is having and they give some great advice to people who know all of the commands. I unfortunately don't know all of the shortcuts or slang that people are throwing around. I have (2) servers; (1) VPN-only server and (1) OD Master. I put everyone into a single account on the OD master, let's call it MyTeam. I then hooked up the VPN server through directory services and then eventually made it a replica to the OD. I went into the Services/Access section and then only enabled "MyTeam" to have access to the VPN services. I cannot log into VPN BUT my colleague in the same office can. I can however log into the VPN from a machine in another office in another state. Some people can log into the VPN and some can't; every single person has verified their username and password using the AFP sharing pane. I am beginning to find small problems like this that are inconsistent. I have a perfect working model on a single Leopard machine running all services but I don't want to have this out in the real world. I am thinking this might have something to do with users not being part of a specific group but I cannot find those settings. I am running out of things to do other than scrubbing the entire OD and setting it up from scratch yet again. If someone wants to give me a few tips, please also include command lines for fixes. Thanks everyone, happy holidays.

GAH! This is a completely responsible approach to this issue of moving to Leopard and as it's responsible, it has no business being on this board. Kindly amend to include some sort of blame throwing towards Apple for something.
Thanks for the post, we need more like this around here.

Similar Messages

  • Snow Leopard Server VPN and other Servers

    I am thinking of deploying Snow Leopard Server at work using the Mac MiniServer option. We have a few Macs whose settings we would like to manage. We also have Active Directory. I plan to use Open Directory with the Macs, then use Kerberos for logins.
    My question is if I use the Snow Leopard Server VPN with the Macs, will the users be able to access other resources on the LAN like Active Directory Shares, Exchange, and internal Intranets? Or only the Snow Leopard Server?
    Thanks,
    WillGonz

    It sounds like you will have 2 different Kerberos realms, one in OD and one in AD.
    If you want them to use the same realm (the AD one) you need to look at a "golden triangle" setup.
    If you want to authenticate the VPN connection using Kerberos I suspect you need to be able to reach the KDC server from Internet before the VPN is up. That would mean it needs to have a public IP and same name as on the LAN(?).
    As an alternative, a RADIUS connection for the VPN authentication from the Mac to an AD/RADIUS server might be possible.

  • Unable to access gateway and DNS via VPN (L2TP) with Snow Leopard Server

    Summary:
    After rebooting my VPN server, I am able to establish a VPN (L2TP) connection from outside my private network. I am able to connect to (ping, SSH, …) the gateway only until the first client disconnects. Then I can perfectly access all the other computers of the private network, but I cannot access the private IP address of the gateway.
    Additionally, during my first VPN connection, my DNS server, which is on the same server, is not working properly with VPN. I can access it with the public IP address of my gateway. I can access it from inside my private network. A port scan indicates that port 53 is open, but a dig returns a timeout.
    Configuration:
    Cluster of 19 Xserve3.1 - Snow Leopard Server 10.6.2
    Private network 192.168.1.0/255.255.255.0 -> domain name: cluster
    -> 1 controller, which acts as a gateway for the cluster private network, with the following services activated:
    DHCP, DNS, firewall (allowing all incoming traffic for each group for test purposes), NAT, VPN, OpenDirectory, web, software update, AFP, NFS and Xgrid controller.
    en0: fixed public IP address -> controller.example.com
    en1: 192.168.1.254 -> controller.cluster
    -> 18 agents with AFP and Xgrid agent activated:
    en1: 192.168.1.x -> nodex.cluster with x between 1 and 18
    VPN (L2TP) server distributes IP addresses between 192.168.1.201 and 192.168.1.210 (-> vpn1.cluster to vpn10.cluster). Client information contains the private network DNS server information (192.168.1.254, search domain: cluster).
    Detailed problem description:
    After rebooting the Xserve, my VPN server works fine except for the DNS. My client receives the correct information:
    Configure IPv4: Using PPP
    IPv4 address: 192.168.1.201
    Subnet Mask:
    Router: 192.168.1.254
    DNS: 192.168.1.254
    Search domain: cluster
    From my VPN client, I can ping all the Xserves of my cluster (192.168.1.1 to 18 and 192.168.1.254). If I have a look in Server Admin > Settings > Network, I have three interfaces listed: en0, en1 and ppp0 of family IPv4 with address 192.168.1.254 and DNS name controller.cluster.
    The DNS server returns timeouts when I try to do a dig from my VPN client even though I am able to access it directly from a computer inside or outside my private network.
    After I disconnect, I can see in Server Admin that the IP address of my ppp0 interface has switched to my public IP address.
    Then I can still establish a VPN (L2TP) connection, but the client receives the following information:
    Configure IPv4: Using PPP
    IPv4 address: 192.168.1.202
    Subnet Mask:
    Router: (Public IP address of my VPN server)
    DNS: 192.168.1.254
    Search domain: cluster
    From my VPN client, I can access all the other computers of my network (192.168.1.1 to 192.168.1.18) but when I ping my gateway (192.168.1.254), I get timeouts.
    I have two "lazy" solutions to this problem: 1) Configure VPN and DNS servers on two different Xserves, 2) Put the public IP address of my gateway as DNS server address, but neither of these solutions is acceptable for me…
    Any help is welcome!!!

    I would suggest taking a look at:
    server admin:vpn:settings:client information:network route definitions.
    as I understand your setup it should be something like
    192.168.1.0 255.255.255.0 private.
    at least as a start. I just got done troubleshooting a similar issue but via two subnets:
    http://discussions.apple.com/thread.jspa?threadID=2292827&tstart=0

  • VPN Tunnel setup - can't ping either endpoint

    So I was given the task to set up a new VPN tunnel for a client and even though I've basically made it open, we still cannot ping each other's endpoints. I troubleshot for over an hour with one of their techs, still to no avail. I included the config of this router. The tunnel can build, completes phases 1 and 2, but still doesn't allow traffic or the ability to connect to either endpoint. Please help.
    Result of the command: "sh run"
    : Saved
    ASA Version 8.0(3)6
    hostname RBPASA01
    domain-name rbmc.org
    enable password *removed* encrypted
    passwd *removed* encrypted
    names
    name 10.20.10.0 OBD-DHCP-10.20.10.x description DHCP Scopes for VLAN20
    name 10.20.11.0 OBD-DHCP-10.20.11.x description DHCP Scopes for VLAN20
    name 10.20.12.0 OBD-DHCP-10.20.12.x description DHCP Scopes for VLAN20
    name 10.10.14.0 PAD-DHCP-10.10.14.X description DHCP Scopes for VLAN10
    name 128.127.0.0 Millennium-Remote
    name 10.10.0.0 Pad-10.10-network
    name 10.11.0.0 Pad-10.11-network
    name 10.12.0.0 Pad-10.12-network
    name 10.100.91.0 Pad-10.100-network
    name 10.30.13.0 Millennium-nat
    name 10.100.91.200 Maxsys-Server
    name 65.171.123.34 Maxsys-Remote description Landacorp remote access
    name 65.211.65.21 FTP-External-Address
    name 172.31.0.15 FTP-Internal-Address description FTP Server in DMZ
    name 10.100.91.201 RBPMAXYS02 description Landacorp Access
    name 10.10.10.231 c05407
    name 192.168.55.4 c05407Nat
    name 192.168.55.3 c057017Nat
    name 10.10.13.50 c05744
    name 192.168.55.5 c05744Nat
    name 151.198.253.253 VPN-External
    name 10.13.102.30 NBI20610 description Viewpoint Server SBHCS
    name 10.100.90.51 RBPASA01 description PRI ASA
    name 10.100.90.52 RBPASA02 description SECASA
    name 151.198.253.254 VPN02External
    name 10.10.7.189 RBMHIS description AergoVPN(Local)
    name 10.10.7.43 RBMHIS1 description AergoVPN(Local)
    name 10.10.7.44 RBMHIS2 description AergoVPN(Local)
    name 10.100.98.21 RBMS2 description AergoVPN(Local)
    name 10.1.6.0 AergoVPN-Remote description AergoVPN-Remote
    name 216.167.127.4 Lynx-PicisHost1 description Lynx Encryption Domain
    name 216.167.127.30 Lynx-PicisHost10 description Lynx Encryption Domain
    name 216.167.127.31 Lynx-PicisHost11 description Lynx Encryption Domain
    name 216.167.127.32 Lynx-PicisHost12 description Lynx Encryption Domain
    name 216.167.127.33 Lynx-PicisHost13 description Lynx Encryption Domain
    name 216.167.127.34 Lynx-PicisHost14 description Lynx Encryption Domain
    name 216.167.127.35 Lynx-PicisHost15 description Lynx Encryption Domain
    name 216.167.127.5 Lynx-PicisHost2 description Lynx Encryption Domain
    name 216.167.127.6 Lynx-PicisHost3 description Lynx Encryption Domain
    name 216.167.127.7 Lynx-PicisHost4 description Lynx Encryption Domain
    name 216.167.127.8 Lynx-PicisHost5 description Lynx Encryption Domain
    name 216.167.127.9 Lynx-PicisHost6 description Lynx Encryption Domain
    name 216.167.127.10 Lynx-PicisHost7 description Lynx Encryption Domain
    name 216.167.127.28 Lynx-PicisHost8 description Lynx Encryption Domain
    name 216.167.127.29 Lynx-PicisHost9 description Lynx Encryption Domain
    name 216.167.119.208 Lynx-PicisNtwk description Lynx-PicisNtwk
    name 10.10.7.152 OLSRV2RED description Picis-LynxLocal
    name 10.100.91.14 RBPPICISTST description Lynx-PicisLocal
    name 10.100.98.20 RBPAERGO1 description AERGO
    name 10.50.1.141 PACSHost1 description GE PACS Local
    name 10.50.1.149 PACSHost2 description GE PACS Local
    name 10.50.1.151 PACSHost3 description GE PACS Local
    name 10.50.1.38 PACSHost4 description GE PACS Local
    name 10.50.1.39 PACSHost5 description GE PACS Local
    name 10.50.1.41 PACSHost6 description GE PACS Local
    name 10.50.1.42 PACSHost7 description GE PACS Local
    name 10.50.1.43 PACSHost8 description GE PACS Local
    name 10.50.1.64 PACSHost10 description GE PACS Local
    name 10.50.1.67 PACSHost11 description GE PACS Local
    name 10.50.1.68 PACSHost12 description GE PACS Local
    name 10.50.1.69 PACSHost13 description GE PACS Local
    name 10.50.1.44 PACSHost9 description GE PACS Local
    name 10.50.1.70 PACSHost14 description GE PACS Local
    name 10.50.1.71 PACSHost15 description GE PACS Local
    name 10.50.1.72 PACSHost16 description GE PACS Local
    name 10.50.1.73 PACSHost17 description GE PACS Local
    name 10.50.1.74 PACSHost18 description GE PACS Local
    name 10.50.1.75 PACSHost19 description GE PACS Local
    name 10.50.1.76 PACSHost20 description GE PACS Local
    name 10.50.1.77 PACSHost21 description GE PACS Local
    name 10.50.1.91 PACSHost22 description GE PACS Local
    name 10.50.1.92 PACSHost23 description GE PACS Local
    name 10.60.1.42 PACSHost24 description GE PACS Local
    name 10.60.1.43 PACSHost25 description GE PACS Local
    name 10.60.1.44 PACSHost26 description GE PACS Local
    name 10.60.1.45 PACSHost27 description GE PACS Local
    name 10.60.1.46 PACSHost28 description GE PACS Local
    name 10.60.1.47 PACSHost29 description GE PACS Local
    name 10.60.1.48 PACSHost30 description GE PACS Local
    name 10.60.1.49 PACSHost31 description GE PACS Local
    name 10.60.1.51 PACSHost32 description GE PACS Local
    name 10.60.1.52 PACSHost33 description GE PACS Local
    name 10.60.1.53 PACSHost34 description GE PACS Local
    name 10.60.1.80 PACSHost35 description GE PACS Local
    name 10.50.1.30 PACSHost36 description GE PACS Local
    name 10.50.1.200 PACSHost37 description GE PACS Local
    name 10.50.1.137 PACSHost38 description GE PACS Local
    name 10.50.1.203 PACSHost39 description GE PACS Local
    name 10.50.1.206 PACSHost40 description GE PACS Local
    name 10.50.1.209 PACSHost41 description GE PACS Local
    name 10.60.1.215 PACSHost42 description GE PACS Local
    name 10.60.1.23 PACSHost43 description GE PACS Local
    name 10.60.1.21 PACSHost44 description GE PACS Local
    name 10.50.1.36 PACSHost45 description GE PACS Local
    name 10.50.1.34 PACSHost46 description GE PACS Local
    name 10.50.1.10 PACSHost47 description GE PACS Local
    name 150.2.0.0 GE_PACS_NET description GE PACS Remote
    name 10.50.1.19 PACSHost49 description GE PACS Local
    name 10.50.1.28 PACSHost50 description GE PACS Local
    name 10.50.1.29 PACSHost51 description GE PACS Local
    name 10.50.1.140 PACSHost52 description GE PACS Local
    name 10.60.1.161 PACSHost53 description GE PACS Local
    name 10.50.1.31 PACSHost54 description GE PACS Local
    name 10.50.1.32 PACSHost55 description GE PACS Local
    name 10.50.1.4 PACSHost56 description GE PACS Local
    name 10.50.1.35 PACSHost57 description GE PACS Local
    name 10.50.1.37 PACSHost58 description GE PACS Local
    name 10.60.1.22 PACSHost59 description GE PACS Local
    name 10.60.1.24 PACSHost60 description GE PACS Local
    name 10.60.1.218 PACSHost61 description GE PACS Local
    name 10.60.1.221 PACSHost62 description GE PACS Local
    name 10.50.1.16 PACSHost63 description GE PACS Local
    name 10.50.1.15 PACSHost64 description GE PACS Local
    name 10.50.1.106 PACSHost65 description GE PACS Local
    name 10.50.1.33 PACSHost66 description GE PACS Local
    name 10.20.7.160 PACSHost67 description GE PACS Local
    name 10.50.1.135 PACSHost68 description GE PACS Local
    name 10.60.1.141 PACSHost69 description GE PACS Local
    name 10.60.1.150 PACSHost70 description GE PACS Local
    name 10.60.1.154 PACSHost71 description GE PACS Local
    name 10.50.1.136 PACSHost72 description GE PACS Local
    name 10.50.1.147 PACSHost73 description GE PACS Local
    name 10.50.1.161 PACSHost74 description GE PACS Local
    name 10.60.1.155 PACSHost75 description GE PACS Local
    name 10.30.0.0 Throckmorton_Net1 description Internal
    name 108.58.104.208 Throckmorton_Net2 description External
    name 10.0.0.0 PAD_Internal description PAD INternal
    name 172.16.100.16 LandaCorp_Remote description LandaCorp
    name 192.168.55.6 C05817Nat description ViewPoint Computer
    name 10.10.13.71 C05817 description ViewPoint Computer
    name 10.50.1.189 RBMCCCG description GE PACS Local
    name 10.50.1.21 RBMCDAS21 description GE PACS Local
    name 10.50.1.22 RBMCDAS22 description GE PACS Local
    name 10.50.1.23 RBMCDAS23 description GE PACS Local
    name 10.50.1.24 RBMCDAS24 description GE PACS Local
    name 10.50.1.248 RBMCNAS_BACKUP description GE PACS Local
    name 10.50.1.243 RBMCNAS_STS description GE PACS Local
    name 10.50.1.186 RBMCSPS description GE PACS Local
    name 10.50.1.188 RBMCTESTCCG description GE PACS Local
    name 10.50.1.252 RBMCTESTIMS description GE PACS Local
    name 10.50.1.249 RBMICISU2 description GE PACS Local
    name 10.50.1.191 RBMC1DAS32ILO description GE PACS Local
    name 10.50.1.192 RBMC1DAS33ILO description GE PACS Local
    name 10.50.1.193 RBMC1DAS34ILO description GE PACS Local
    name 10.50.1.194 RBMC1DAS35ILO description GE PACS Local
    name 10.50.1.195 RBMC1DAS36ILO description GE PACS Local
    name 10.50.1.197 RBMC1DAS38ILO description GE PACS Local
    name 10.50.1.190 RBMC1DPS106ILO description GE PACS Local
    name 10.50.1.196 RBMCCWEBILO description GE PACS Local
    name 10.50.1.17 RBMCEACA description GE PACS Local
    name 10.50.1.247 RBMCNAS_BACKUPILO description GE PACS Local
    name 10.50.1.254 RBMICISU2ILO description GE PACS Local
    name 10.50.1.187 RBMC1DAS31_ILO description GE PACS Local
    name 10.50.1.253 RBMCTESTDAS description GE PACS Local
    name 12.145.95.0 LabCorp_Test_Remote description LabCorp VPN TEST
    name 38.107.151.110 ClearSea_Server description DeafTalk External Server
    name 10.100.90.15 DeafTalk1
    name 10.10.10.155 Dennis
    name 10.10.7.81 RBPMAM description SunQuest Lab Server
    dns-guard
    interface GigabitEthernet0/0
    description External Interface
    speed 1000
    duplex full
    nameif Verizon-ISP
    security-level 0
    ip address VPN-External 255.255.255.224 standby VPN02External
    ospf cost 10
    interface GigabitEthernet0/1
    description LAN/STATE Failover Interface
    interface GigabitEthernet0/2
    description INTERNAL-NET
    nameif Internal
    security-level 100
    ip address RBPASA01 255.255.255.0 standby RBPASA02
    ospf cost 10
    interface GigabitEthernet0/3
    description DMZ Zone
    nameif DMZ
    security-level 10
    ip address 172.31.0.51 255.255.255.0
    interface Management0/0
    shutdown
    no nameif
    no security-level
    no ip address
    time-range Vendor-Access
    periodic Monday 9:00 to Friday 16:00
    clock timezone EST -5
    clock summer-time EDT recurring
    dns domain-lookup Verizon-ISP
    dns domain-lookup Internal
    dns server-group DefaultDNS
    name-server 10.100.91.5
    name-server 10.10.7.149
    domain-name rbmc.org
    object-group service VPN_Tunnel tcp
    description Ports used for Site to Site VPN Tunnel
    port-object eq 10000
    port-object eq 2746
    port-object eq 4500
    port-object eq 50
    port-object eq 500
    port-object eq 51
    object-group network Millennium-Local-Network
    description Pad networks that connect to millennium
    network-object Pad-10.10-network 255.255.0.0
    network-object Throckmorton_Net1 255.255.0.0
    object-group icmp-type ICMP-Request-Group
    icmp-object echo
    icmp-object information-request
    icmp-object mask-request
    icmp-object timestamp-request
    object-group service DM_INLINE_TCP_2 tcp
    port-object eq ftp
    port-object eq ftp-data
    port-object eq ssh
    object-group network Viewpoint
    description OB Viewpoint Clients
    network-object host 10.10.10.220
    network-object host c05407
    network-object host c05744
    network-object host 192.168.55.2
    network-object host c057017Nat
    network-object host c05407Nat
    network-object host c05744Nat
    network-object host C05817Nat
    network-object host C05817
    object-group service ConnectionPorts tcp-udp
    port-object eq 3872
    port-object eq 4890
    port-object eq 4898
    object-group service TCP tcp
    port-object eq 3389
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service DM_INLINE_TCP_1 tcp
    group-object ConnectionPorts
    port-object eq 3389
    object-group protocol DM_INLINE_PROTOCOL_1
    protocol-object icmp
    protocol-object tcp
    object-group network AergoVPN-Local
    description Aergo VPN Local HIS Servers
    network-object host RBMHIS
    network-object host RBMHIS1
    network-object host RBMHIS2
    network-object host RBMS2
    network-object host RBPAERGO1
    object-group protocol DM_INLINE_PROTOCOL_3
    protocol-object icmp
    protocol-object tcp
    object-group protocol DM_INLINE_PROTOCOL_4
    protocol-object icmp
    protocol-object udp
    protocol-object tcp
    object-group network Lynx-PicisRemote
    description Lynx-Picis Remote Encryption Domain
    network-object Lynx-PicisNtwk 255.255.255.240
    network-object host Lynx-PicisHost7
    network-object host Lynx-PicisHost8
    network-object host Lynx-PicisHost9
    network-object host Lynx-PicisHost10
    network-object host Lynx-PicisHost11
    network-object host Lynx-PicisHost12
    network-object host Lynx-PicisHost13
    network-object host Lynx-PicisHost14
    network-object host Lynx-PicisHost15
    network-object host Lynx-PicisHost1
    network-object host Lynx-PicisHost2
    network-object host Lynx-PicisHost3
    network-object host Lynx-PicisHost4
    network-object host Lynx-PicisHost5
    network-object host Lynx-PicisHost6
    object-group network DM_INLINE_NETWORK_1
    network-object host OLSRV2RED
    network-object host RBPPICISTST
    object-group network DM_INLINE_NETWORK_2
    network-object host OLSRV2RED
    network-object host RBPPICISTST
    object-group protocol DM_INLINE_PROTOCOL_5
    protocol-object icmp
    protocol-object tcp
    object-group network DM_INLINE_NETWORK_3
    network-object host OLSRV2RED
    network-object host RBPPICISTST
    object-group service DM_INLINE_SERVICE_1
    service-object icmp
    service-object udp
    service-object tcp
    service-object tcp eq ftp
    object-group protocol DM_INLINE_PROTOCOL_6
    protocol-object icmp
    protocol-object udp
    protocol-object tcp
    object-group protocol DM_INLINE_PROTOCOL_7
    protocol-object icmp
    protocol-object udp
    protocol-object tcp
    object-group protocol DM_INLINE_PROTOCOL_2
    protocol-object icmp
    protocol-object udp
    protocol-object tcp
    object-group service DM_INLINE_TCP_3 tcp
    group-object ConnectionPorts
    port-object eq 3389
    object-group network GE_PACS_Local
    description GE PACS Local Hosts
    network-object host PACSHost67
    network-object host PACSHost65
    network-object host PACSHost47
    network-object host PACSHost68
    network-object host PACSHost72
    network-object host PACSHost38
    network-object host PACSHost52
    network-object host PACSHost1
    network-object host PACSHost73
    network-object host PACSHost2
    network-object host PACSHost3
    network-object host PACSHost64
    network-object host PACSHost74
    network-object host PACSHost63
    network-object host PACSHost49
    network-object host PACSHost37
    network-object host PACSHost39
    network-object host PACSHost40
    network-object host PACSHost41
    network-object host PACSHost50
    network-object host PACSHost51
    network-object host PACSHost36
    network-object host PACSHost54
    network-object host PACSHost55
    network-object host PACSHost66
    network-object host PACSHost46
    network-object host PACSHost57
    network-object host PACSHost45
    network-object host PACSHost58
    network-object host PACSHost4
    network-object host PACSHost5
    network-object host PACSHost6
    network-object host PACSHost7
    network-object host PACSHost8
    network-object host PACSHost9
    network-object host PACSHost56
    network-object host PACSHost10
    network-object host PACSHost11
    network-object host PACSHost12
    network-object host PACSHost13
    network-object host PACSHost14
    network-object host PACSHost15
    network-object host PACSHost16
    network-object host PACSHost17
    network-object host PACSHost18
    network-object host PACSHost19
    network-object host PACSHost20
    network-object host PACSHost21
    network-object host PACSHost22
    network-object host PACSHost23
    network-object host PACSHost69
    network-object host PACSHost70
    network-object host PACSHost71
    network-object host PACSHost75
    network-object host PACSHost53
    network-object host PACSHost42
    network-object host PACSHost61
    network-object host PACSHost44
    network-object host PACSHost62
    network-object host PACSHost59
    network-object host PACSHost43
    network-object host PACSHost60
    network-object host PACSHost24
    network-object host PACSHost25
    network-object host PACSHost26
    network-object host PACSHost27
    network-object host PACSHost28
    network-object host PACSHost29
    network-object host PACSHost30
    network-object host PACSHost31
    network-object host PACSHost32
    network-object host PACSHost33
    network-object host PACSHost34
    network-object host PACSHost35
    network-object host RBMCSPS
    network-object host RBMCTESTCCG
    network-object host RBMCCCG
    network-object host RBMCDAS21
    network-object host RBMCDAS22
    network-object host RBMCDAS23
    network-object host RBMCNAS_STS
    network-object host RBMCNAS_BACKUP
    network-object host RBMICISU2
    network-object host RBMCDAS24
    network-object host RBMCTESTIMS
    network-object host RBMCEACA
    network-object host RBMC1DAS31_ILO
    network-object host RBMC1DPS106ILO
    network-object host RBMC1DAS32ILO
    network-object host RBMC1DAS33ILO
    network-object host RBMC1DAS34ILO
    network-object host RBMC1DAS35ILO
    network-object host RBMC1DAS36ILO
    network-object host RBMCCWEBILO
    network-object host RBMC1DAS38ILO
    network-object host RBMCNAS_BACKUPILO
    network-object host RBMCTESTDAS
    network-object host RBMICISU2ILO
    object-group service DM_INLINE_SERVICE_2
    service-object icmp
    service-object udp
    service-object tcp
    service-object tcp eq ftp
    object-group service DM_INLINE_SERVICE_3
    service-object icmp
    service-object udp
    service-object tcp
    service-object tcp eq ftp
    object-group network DM_INLINE_NETWORK_4
    network-object Throckmorton_Net1 255.255.0.0
    network-object Throckmorton_Net2 255.255.255.248
    object-group network DM_INLINE_NETWORK_5
    network-object Throckmorton_Net1 255.255.0.0
    network-object Throckmorton_Net2 255.255.255.248
    object-group network DM_INLINE_NETWORK_6
    network-object Throckmorton_Net1 255.255.0.0
    network-object Throckmorton_Net2 255.255.255.248
    object-group network DM_INLINE_NETWORK_7
    network-object Throckmorton_Net1 255.255.0.0
    network-object Throckmorton_Net2 255.255.255.248
    object-group network DM_INLINE_NETWORK_8
    network-object Throckmorton_Net1 255.255.0.0
    network-object Throckmorton_Net2 255.255.255.248
    object-group service DM_INLINE_SERVICE_4
    service-object icmp
    service-object udp
    service-object tcp
    service-object tcp eq ftp
    object-group service DM_INLINE_SERVICE_5
    service-object icmp
    service-object udp
    service-object tcp
    service-object tcp eq ftp
    object-group network DM_INLINE_NETWORK_9
    network-object host RBMCEACA
    group-object GE_PACS_Local
    object-group protocol DM_INLINE_PROTOCOL_9
    protocol-object ip
    protocol-object icmp
    object-group service ClearSea tcp-udp
    description DeafTalk
    port-object range 10000 19999
    port-object eq 35060
    object-group service ClearSeaUDP udp
    description DeafTalk
    port-object range 10000 19999
    object-group service DM_INLINE_TCP_4 tcp
    group-object ClearSea
    port-object eq www
    port-object eq https
    object-group network DM_INLINE_NETWORK_11
    network-object 0.0.0.0 0.0.0.0
    network-object host DeafTalk1
    object-group protocol DM_INLINE_PROTOCOL_10
    protocol-object ip
    protocol-object icmp
    object-group protocol DM_INLINE_PROTOCOL_11
    protocol-object ip
    protocol-object icmp
    access-list RBMCVPNCL_splitTunnelAcl standard permit Pad-10.100-network 255.255.255.0
    access-list Verizon-ISP_Internal extended permit tcp any host FTP-External-Address eq ftp
    access-list dmz_internal extended permit tcp host FTP-Internal-Address any eq ftp
    access-list Internal_access_in extended permit object-group DM_INLINE_PROTOCOL_4 object-group AergoVPN-Local AergoVPN-Remote 255.255.255.0
    access-list Internal_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_3 object-group Lynx-PicisRemote
    access-list Internal_access_in extended permit object-group DM_INLINE_PROTOCOL_6 object-group Viewpoint host NBI20610
    access-list Internal_access_in extended permit object-group DM_INLINE_PROTOCOL_7 host RBPMAXYS02 host LandaCorp_Remote
    access-list Internal_access_in extended permit tcp host RBPMAXYS02 host LandaCorp_Remote object-group DM_INLINE_TCP_3
    access-list Internal_access_in extended permit object-group DM_INLINE_SERVICE_2 object-group GE_PACS_Local GE_PACS_NET 255.255.0.0
    access-list Internal_access_in extended permit object-group DM_INLINE_SERVICE_4 Pad-10.10-network 255.255.0.0 object-group DM_INLINE_NETWORK_7
    access-list Internal_access_in remark Permit to connect to DeafTalk Server
    access-list Internal_access_in extended permit tcp object-group DM_INLINE_NETWORK_11 host ClearSea_Server object-group DM_INLINE_TCP_4
    access-list Internal_access_in extended permit object-group DM_INLINE_PROTOCOL_10 any LabCorp_Test_Remote 255.255.255.0
    access-list Verizon-ISP_cryptomap_1 extended permit object-group DM_INLINE_PROTOCOL_11 host RBPMAM LabCorp_Test_Remote 255.255.255.0
    access-list Verizon-ISP_2_cryptomap extended permit tcp host Maxsys-Server host Maxsys-Remote object-group VPN_Tunnel
    access-list Internal_nat0_outbound extended permit tcp Pad-10.100-network 255.255.255.0 host Maxsys-Remote object-group VPN_Tunnel
    access-list DMZ_access_in extended permit ip Pad-10.10-network 255.255.0.0 172.31.0.0 255.255.255.0
    access-list Verizon-ISP_access_in extended permit tcp any host FTP-External-Address object-group DM_INLINE_TCP_2
    access-list Verizon-ISP_access_in extended permit tcp host LandaCorp_Remote host RBPMAXYS02 object-group DM_INLINE_TCP_1
    access-list Verizon-ISP_access_in extended permit object-group DM_INLINE_PROTOCOL_1 host NBI20610 object-group Viewpoint
    access-list Verizon-ISP_access_in extended permit object-group DM_INLINE_PROTOCOL_3 AergoVPN-Remote 255.255.255.0 object-group AergoVPN-Local
    access-list Verizon-ISP_access_in extended permit object-group DM_INLINE_PROTOCOL_5 object-group Lynx-PicisRemote object-group DM_INLINE_NETWORK_2
    access-list Verizon-ISP_access_in extended permit object-group DM_INLINE_PROTOCOL_2 host LandaCorp_Remote host RBPMAXYS02
    access-list Verizon-ISP_access_in extended permit object-group DM_INLINE_SERVICE_3 GE_PACS_NET 255.255.0.0 object-group DM_INLINE_NETWORK_9
    access-list Verizon-ISP_access_in extended permit object-group DM_INLINE_PROTOCOL_9 LabCorp_Test_Remote 255.255.255.0 any
    access-list Verizon-ISP_access_in extended permit object-group DM_INLINE_SERVICE_5 object-group DM_INLINE_NETWORK_8 Pad-10.10-network 255.255.0.0
    access-list Verizon-ISP_3_cryptomap extended permit ip host Maxsys-Server host Maxsys-Remote
    access-list Internal_nat0_outbound_1 extended permit ip host RBPMAXYS02 host LandaCorp_Remote
    access-list Internal_nat0_outbound_1 extended permit ip object-group AergoVPN-Local AergoVPN-Remote 255.255.255.0
    access-list Internal_nat0_outbound_1 extended permit ip host OLSRV2RED object-group Lynx-PicisRemote
    access-list Internal_nat0_outbound_1 extended permit ip object-group DM_INLINE_NETWORK_1 object-group Lynx-PicisRemote
    access-list Internal_nat0_outbound_1 extended permit ip any 10.100.99.0 255.255.255.0
    access-list Internal_nat0_outbound_1 extended permit ip object-group GE_PACS_Local GE_PACS_NET 255.255.0.0
    access-list Internal_nat0_outbound_1 extended permit ip Pad-10.10-network 255.255.0.0 object-group DM_INLINE_NETWORK_4
    access-list Internal_nat0_outbound_1 extended permit ip PAD_Internal 255.0.0.0 object-group DM_INLINE_NETWORK_5
    access-list Internal_nat0_outbound_1 extended permit ip PAD_Internal 255.0.0.0 object-group DM_INLINE_NETWORK_6
    access-list Internal_nat0_outbound_1 extended permit ip object-group Millennium-Local-Network Millennium-Remote 255.255.0.0
    access-list Internal_nat0_outbound_1 extended deny ip any LabCorp_Test_Remote 255.255.255.0 inactive
    access-list Verizon-ISP_5_cryptomap extended permit ip host RBPMAXYS02 host LandaCorp_Remote
    access-list Verizon-ISP_6_cryptomap extended permit ip object-group Viewpoint host NBI20610
    access-list Verizon-ISP_4_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object-group Lynx-PicisRemote
    access-list Verizon-ISP_7_cryptomap extended permit ip object-group GE_PACS_Local GE_PACS_NET 255.255.0.0
    access-list Verizon-ISP_8_cryptomap extended permit ip PAD_Internal 255.0.0.0 object-group DM_INLINE_NETWORK_5
    access-list Verizon-ISP_9_cryptomap extended permit ip PAD_Internal 255.0.0.0 object-group DM_INLINE_NETWORK_6
    access-list Verizon-ISP_cryptomap extended permit ip object-group AergoVPN-Local AergoVPN-Remote 255.255.255.0
    pager lines 24
    logging enable
    logging buffer-size 32000
    logging buffered debugging
    logging asdm debugging
    mtu Verizon-ISP 1500
    mtu Internal 1500
    mtu DMZ 1500
    ip local pool CiscoClient-IPPool-192.168.55.x 192.168.45.1-192.168.45.25 mask 255.255.255.0
    ip local pool VLAN99VPNUsers 10.100.99.6-10.100.99.255 mask 255.255.255.0
    failover
    failover lan unit primary
    failover lan interface Failover GigabitEthernet0/1
    failover key *****
    failover replication http
    failover link Failover GigabitEthernet0/1
    failover interface ip Failover 172.16.90.17 255.255.255.248 standby 172.16.90.18
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit host 173.72.107.26 Verizon-ISP
    icmp deny any Verizon-ISP
    icmp permit host 192.168.10.2 Internal
    icmp permit host 192.168.10.3 Internal
    icmp permit host 192.168.10.4 Internal
    icmp permit host 192.168.10.5 Internal
    icmp permit host 10.10.10.96 Internal
    icmp permit host 10.10.13.20 Internal
    icmp permit host 10.10.12.162 Internal
    icmp deny any Internal
    icmp permit host Dennis Internal
    asdm image disk0:/asdm-603.bin
    asdm history enable
    arp timeout 14400
    global (Verizon-ISP) 1 65.211.65.6-65.211.65.29 netmask 255.255.255.224
    global (Verizon-ISP) 101 interface
    nat (Internal) 0 access-list Internal_nat0_outbound_1
    nat (Internal) 101 0.0.0.0 0.0.0.0
    static (Internal,DMZ) Pad-10.10-network Pad-10.10-network netmask 255.255.0.0
    static (Verizon-ISP,DMZ) FTP-Internal-Address FTP-External-Address netmask 255.255.255.255
    static (DMZ,Verizon-ISP) FTP-External-Address FTP-Internal-Address netmask 255.255.255.255
    static (Internal,Verizon-ISP) c05407Nat c05407 netmask 255.255.255.255
    static (Internal,Verizon-ISP) c057017Nat 10.10.10.220 netmask 255.255.255.255
    static (Internal,Verizon-ISP) c05744Nat c05744 netmask 255.255.255.255
    static (Verizon-ISP,Internal) Maxsys-Server VPN-External netmask 255.255.255.255
    static (Internal,Verizon-ISP) C05817Nat C05817 netmask 255.255.255.255
    access-group Verizon-ISP_access_in in interface Verizon-ISP
    access-group Internal_access_in in interface Internal
    access-group dmz_internal in interface DMZ
    route Verizon-ISP 0.0.0.0 0.0.0.0 65.211.65.2 1
    route Internal Pad-10.10-network 255.255.0.0 10.10.0.1 1
    route Internal 10.20.0.0 255.255.0.0 10.10.0.1 1
    route Internal Throckmorton_Net1 255.255.0.0 10.10.0.1 1
    route Internal 10.50.0.0 255.255.0.0 10.10.0.1 1
    route Internal 10.60.0.0 255.255.0.0 10.10.0.1 1
    route Internal 10.70.0.0 255.255.0.0 10.10.0.1 1
    route Internal 10.100.0.0 255.255.0.0 10.10.0.1 1
    route Internal 64.46.192.0 255.255.255.0 10.10.0.1 1
    route Internal 64.46.193.0 255.255.255.0 10.10.0.1 1
    route Internal 64.46.194.0 255.255.255.0 10.10.0.1 1
    route Internal 64.46.195.0 255.255.255.0 10.10.0.1 1
    route Internal 64.46.196.0 255.255.255.0 10.10.0.1 1
    route Internal 64.46.201.0 255.255.255.0 10.10.0.1 1
    route Internal 64.46.246.0 255.255.255.0 10.10.0.1 1
    route Verizon-ISP 65.51.206.130 255.255.255.255 65.211.65.2 255
    route Verizon-ISP Millennium-Remote 255.255.0.0 65.211.65.2 1
    route Internal Millennium-Remote 255.255.0.0 10.10.0.1 255
    route Internal 172.31.1.0 255.255.255.0 10.10.0.1 1
    route Internal 192.168.55.0 255.255.255.0 10.10.0.1 1
    route Internal 195.21.26.0 255.255.255.0 10.10.0.1 1
    route Internal 199.21.26.0 255.255.255.0 10.10.0.1 1
    route Internal 199.21.27.0 255.255.255.0 10.10.0.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server RadiusServer protocol radius
    aaa-server RadiusServer (Internal) host 10.10.7.240
    timeout 5
    key r8mcvpngr0up!
    radius-common-pw r8mcvpngr0up!
    aaa-server SafeNetOTP protocol radius
    max-failed-attempts 1
    aaa-server SafeNetOTP (Internal) host 10.100.91.13
    key test
    radius-common-pw test
    aaa-server VPN-FW protocol radius
    aaa-server VPN-FW (Internal) host 10.10.7.240
    timeout 5
    key r8mcvpngr0up!
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    aaa authentication enable console LOCAL
    aaa local authentication attempts max-fail 16
    http server enable
    http Dennis 255.255.255.255 Internal
    http 10.10.11.108 255.255.255.255 Internal
    http 10.10.10.194 255.255.255.255 Internal
    http 10.10.10.195 255.255.255.255 Internal
    http 10.10.12.162 255.255.255.255 Internal
    http 10.10.13.20 255.255.255.255 Internal
    snmp-server location BRN2 Data Center
    snmp-server contact Crystal Holmes
    snmp-server community r8mc0rg
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    snmp-server enable traps entity config-change
    auth-prompt prompt Your credentials have been verified
    auth-prompt accept Your credentials have been accepted
    auth-prompt reject Your credentials have been rejected. Contact your system administrator
    service resetoutside
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map Verizon-ISP_map 1 match address Verizon-ISP_cryptomap
    crypto map Verizon-ISP_map 1 set peer 65.51.154.66
    crypto map Verizon-ISP_map 1 set transform-set ESP-3DES-MD5
    crypto map Verizon-ISP_map 2 match address Verizon-ISP_2_cryptomap
    crypto map Verizon-ISP_map 2 set peer Maxsys-Remote
    crypto map Verizon-ISP_map 2 set transform-set ESP-3DES-SHA
    crypto map Verizon-ISP_map 2 set nat-t-disable
    crypto map Verizon-ISP_map 3 match address Verizon-ISP_3_cryptomap
    crypto map Verizon-ISP_map 3 set peer Maxsys-Remote
    crypto map Verizon-ISP_map 3 set transform-set ESP-3DES-SHA
    crypto map Verizon-ISP_map 3 set nat-t-disable
    crypto map Verizon-ISP_map 4 match address Verizon-ISP_4_cryptomap
    crypto map Verizon-ISP_map 4 set peer 198.65.114.68
    crypto map Verizon-ISP_map 4 set transform-set ESP-AES-256-SHA
    crypto map Verizon-ISP_map 4 set nat-t-disable
    crypto map Verizon-ISP_map 5 match address Verizon-ISP_5_cryptomap
    crypto map Verizon-ISP_map 5 set peer 12.195.130.2
    crypto map Verizon-ISP_map 5 set transform-set ESP-3DES-SHA
    crypto map Verizon-ISP_map 5 set nat-t-disable
    crypto map Verizon-ISP_map 6 match address Verizon-ISP_6_cryptomap
    crypto map Verizon-ISP_map 6 set peer 208.68.22.250
    crypto map Verizon-ISP_map 6 set transform-set ESP-3DES-SHA
    crypto map Verizon-ISP_map 6 set nat-t-disable
    crypto map Verizon-ISP_map 7 match address Verizon-ISP_7_cryptomap
    crypto map Verizon-ISP_map 7 set peer 208.51.30.227
    crypto map Verizon-ISP_map 7 set transform-set ESP-3DES-MD5
    crypto map Verizon-ISP_map 8 match address Verizon-ISP_8_cryptomap
    crypto map Verizon-ISP_map 8 set peer Throckmorton_Net2
    crypto map Verizon-ISP_map 8 set transform-set ESP-3DES-MD5
    crypto map Verizon-ISP_map 9 match address Verizon-ISP_9_cryptomap
    crypto map Verizon-ISP_map 9 set peer 108.58.104.210
    crypto map Verizon-ISP_map 9 set transform-set ESP-3DES-MD5
    crypto map Verizon-ISP_map 10 match address Verizon-ISP_cryptomap_1
    crypto map Verizon-ISP_map 10 set peer 162.134.70.20
    crypto map Verizon-ISP_map 10 set transform-set ESP-3DES-SHA
    crypto map Verizon-ISP_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map Verizon-ISP_map interface Verizon-ISP
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    fqdn vpn.rbmc.org
    subject-name CN=vpn.rbmc.org
    keypair sslvpnkeypair
    no client-types
    crl configure
    crypto ca certificate chain ASDM_TrustPoint0
    certificate 31
      quit
    crypto isakmp identity address
    crypto isakmp enable Verizon-ISP
    crypto isakmp enable Internal
    crypto isakmp policy 50
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 28800
    crypto isakmp ipsec-over-tcp port 10000
    telnet timeout 5
    ssh 173.72.107.26 255.255.255.255 Verizon-ISP
    ssh 10.10.12.162 255.255.255.255 Internal
    ssh 10.100.91.53 255.255.255.255 Internal
    ssh Dennis 255.255.255.255 Internal
    ssh timeout 60
    console timeout 2
    management-access Internal
    vpn load-balancing
    interface lbpublic Verizon-ISP
    interface lbprivate Internal
    cluster key r8mcl0adbalanc3
    cluster encryption
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics access-list
    ntp server 207.5.137.133 source Verizon-ISP prefer
    ntp server 10.100.91.5 source Internal prefer
    ssl trust-point ASDM_TrustPoint0
    ssl trust-point ASDM_TrustPoint0 Verizon-ISP
    webvpn
    enable Verizon-ISP
    svc image disk0:/anyconnect-win-2.1.0148-k9.pkg 1
    svc image disk0:/anyconnect-macosx-i386-2.1.0148-k9.pkg 2
    svc image disk0:/anyconnect-linux-2.1.0148-k9.pkg 3
    tunnel-group-list enable
    group-policy DfltGrpPolicy attributes
    wins-server value 10.100.91.5
    dns-server value 10.100.91.5
    vpn-simultaneous-logins 1
    vpn-idle-timeout 15
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    webvpn
      svc ask none default webvpn
    group-policy VPNUsers internal
    group-policy VPNUsers attributes
    dns-server value 10.100.91.6 10.100.91.5
    vpn-tunnel-protocol IPSec
    default-domain value RBMC
    tunnel-group DefaultL2LGroup ipsec-attributes
    peer-id-validate nocheck
    tunnel-group 65.51.154.66 type ipsec-l2l
    tunnel-group 65.51.154.66 ipsec-attributes
    pre-shared-key *
    tunnel-group 65.171.123.34 type ipsec-l2l
    tunnel-group 65.171.123.34 ipsec-attributes
    pre-shared-key *
    peer-id-validate nocheck
    tunnel-group 12.195.130.2 type ipsec-l2l
    tunnel-group 12.195.130.2 ipsec-attributes
    pre-shared-key *
    tunnel-group 208.68.22.250 type ipsec-l2l
    tunnel-group 208.68.22.250 ipsec-attributes
    pre-shared-key *
    tunnel-group 198.65.114.68 type ipsec-l2l
    tunnel-group 198.65.114.68 ipsec-attributes
    pre-shared-key *
    tunnel-group VPNUsers type remote-access
    tunnel-group VPNUsers general-attributes
    address-pool VLAN99VPNUsers
    authentication-server-group VPN-FW
    default-group-policy VPNUsers
    tunnel-group VPNUsers ipsec-attributes
    trust-point ASDM_TrustPoint0
    tunnel-group 208.51.30.227 type ipsec-l2l
    tunnel-group 208.51.30.227 ipsec-attributes
    pre-shared-key *
    tunnel-group 108.58.104.210 type ipsec-l2l
    tunnel-group 108.58.104.210 ipsec-attributes
    pre-shared-key *
    tunnel-group 162.134.70.20 type ipsec-l2l
    tunnel-group 162.134.70.20 ipsec-attributes
    pre-shared-key *
    tunnel-group-map default-group DefaultL2LGroup
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect sunrpc
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:9d17ad8684073cb9f3707547e684007f
    : end
    Message was edited by: Dennis Farrell

    Hi Dennis,
    Your tunnel to the "12.145.95.0 LabCorp_Test_Remote" segment can only be initiated from host RBPMAM, due to your crypto ACL below.
    access-list Verizon-ISP_cryptomap_1 extended permit object-group DM_INLINE_PROTOCOL_11 host RBPMAM LabCorp_Test_Remote 255.255.255.0
    Secondly, your no-NAT on the internal interface is denying the traffic that must enter the crypto engine, therefore your tunnel is never going to come up.
    Therefore please turn it into a "permit" instead.
    access-list Internal_nat0_outbound_1 extended deny ip any LabCorp_Test_Remote 255.255.255.0 inactive
    Please update,
    thanks
    Rizwan Rafeek
    Message was edited by: Rizwan Mohamed
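As an added example (not from the original post or Dennis's config), here is a Python check for the mismatch Rizwan describes: every flow that a crypto-map ACL selects for the tunnel must also be covered by an active permit in the NAT-exemption ACL bound with `nat (iface) 0 access-list`, otherwise the traffic never reaches the crypto engine. The sample lines are constructed for the example, reusing object and ACL names from the posted config; entries marked `inactive` are skipped because the ASA does not apply them.

```python
"""Check that each crypto-map ACL flow has an active NAT-exemption permit.

Added example; the config lines below are constructed for it, modelled on
the posted ASA configuration (names reused, contents simplified).
"""
import re
from dataclasses import dataclass

SAMPLE_CONFIG = """\
access-list Internal_nat0_outbound_1 extended permit ip host RBPMAXYS02 host LandaCorp_Remote
access-list Internal_nat0_outbound_1 extended permit ip any 10.100.99.0 255.255.255.0
access-list Internal_nat0_outbound_1 extended deny ip any LabCorp_Test_Remote 255.255.255.0 inactive
access-list Verizon-ISP_5_cryptomap extended permit ip host RBPMAXYS02 host LandaCorp_Remote
access-list Verizon-ISP_cryptomap_1 extended permit object-group DM_INLINE_PROTOCOL_11 host RBPMAM LabCorp_Test_Remote 255.255.255.0
nat (Internal) 0 access-list Internal_nat0_outbound_1
crypto map Verizon-ISP_map 5 match address Verizon-ISP_5_cryptomap
crypto map Verizon-ISP_map 10 match address Verizon-ISP_cryptomap_1
"""


@dataclass
class Ace:
    acl: str
    action: str   # "permit" or "deny"
    src: str
    dst: str
    active: bool  # False when the entry carries the "inactive" keyword


def _take_endpoint(tokens):
    """Consume one address spec (any / host X / object-group X / NET MASK)."""
    head = tokens[0]
    if head == "any":
        spec, rest = "any", tokens[1:]
    else:
        spec, rest = f"{head} {tokens[1]}", tokens[2:]
    # Skip a port qualifier (eq/neq/lt/gt PORT or range LO HI) if present.
    if rest and rest[0] in ("eq", "neq", "lt", "gt"):
        rest = rest[2:]
    elif rest and rest[0] == "range":
        rest = rest[3:]
    return spec, rest


def parse_ace(line):
    """Parse an 'access-list NAME extended ACTION PROTO SRC DST' line."""
    tokens = line.split()
    if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2] != "extended":
        return None
    try:
        acl, action, rest = tokens[1], tokens[3], tokens[4:]
        # Protocol is a keyword (ip, tcp, udp, ...) or a service object-group.
        rest = rest[2:] if rest[0] == "object-group" else rest[1:]
        src, rest = _take_endpoint(rest)
        dst, rest = _take_endpoint(rest)
    except IndexError:          # malformed or truncated line
        return None
    return Ace(acl, action, src, dst, active="inactive" not in rest)


def _covers(nat_ace, flow):
    """True when the NAT-exemption entry matches the crypto ACL's flow."""
    return (nat_ace.src in ("any", flow.src)
            and nat_ace.dst in ("any", flow.dst))


def check_config(config_text):
    """Return (crypto_acl, src, dst, verdict) for each crypto-map flow.

    verdict is 'ok' (first active match is a permit), 'denied' (first active
    match is a deny) or 'missing' (no active entry covers the flow).
    """
    aces, nat0_acls, crypto_acls = {}, set(), []
    for raw in config_text.splitlines():
        line = raw.strip()
        ace = parse_ace(line)
        if ace:
            aces.setdefault(ace.acl, []).append(ace)
            continue
        m = re.match(r"nat \(\S+\) 0 access-list (\S+)", line)
        if m:
            nat0_acls.add(m.group(1))
        m = re.match(r"crypto map \S+ \d+ match address (\S+)", line)
        if m:
            crypto_acls.append(m.group(1))

    # Inactive entries are not applied by the ASA, so they are dropped here.
    nat0_aces = [a for name in nat0_acls for a in aces.get(name, []) if a.active]
    findings = []
    for name in crypto_acls:
        for flow in aces.get(name, []):
            if flow.action != "permit" or not flow.active:
                continue
            verdict = "missing"
            for nat_ace in nat0_aces:        # first match wins, as on the ASA
                if _covers(nat_ace, flow):
                    verdict = "ok" if nat_ace.action == "permit" else "denied"
                    break
            findings.append((name, flow.src, flow.dst, verdict))
    return findings


if __name__ == "__main__":
    for acl, src, dst, verdict in check_config(SAMPLE_CONFIG):
        print(f"{acl}: {src} -> {dst}: {verdict}")
```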

  • PPTP VPN on Mac OS X Sever 10.3.9 - Unable to Authenticate Users

    When attempting to connect to a VPN that I've set up on an Xserve running OS X Server 10.3.9, Internet Connect shows 'Contacting Server' -> 'Negotiating' -> 'Disconnecting' and then reports that authentication failed.
    After much reading on these and other forums I believe I've figured out why I'm having this issue: none of the users on the Xserve have 'Open Directory' type passwords. So what I'm hoping is that someone here can help with how in fact I could add a user and set their password to the OD type.
    I've read on these boards that you can have a user with an OD password type without having the server be an 'Open Directory Master/Replica'. Is this true? And in any case, is anyone able to tell me the simplest way of setting up a user with an Open Directory password?
    Powerbook G4 12" 1Ghz   Mac OS X (10.4.6)  

    Thanks for that; using root with NeST did the trick. It gave root an OD password and enabled me to set other users' passwords to that type as well.
    As I'm new at setting up VPNs, I have a further question, but to briefly explain my setup: I have an Xserve (static IP: 192.168.1.100), which is the server that is running the VPN and is connected to an AirPort Base Station (192.168.1.1), and also a web server (static IP: 192.168.1.240). So my question is, how do I enable access to the web server over the VPN? Currently when I connect to the VPN I can't access the web server, nor can I ping its IP (nor any other IP on the remote network for that matter).
    In the 'Client Information' tab of the VPN service, 'DNS servers' is set to 192.168.1.1, 'Search Domains' is blank, and there are no routing definitions.
    Powerbook G4 12" 1Ghz   Mac OS X (10.4.6)  

  • Two VPNs, one accesses DNS properly, one does not.

    I have two offices, with a separate RRAS server set up in each one on Windows 2012.
    Office 1:
    DHCP server on a separate VM from the RRAS server.
    RRAS server on a VM.
    Office 2:
    RRAS and DHCP servers on the same VM.
    Both DHCP servers and RRAS servers are configured exactly the same except, of course, that the DHCP server scopes are different subnets. I literally brought both up in two different screens and went screen by screen.
    I'm running a Mac at home; however, I have the same problem on my PC. If I connect to the VPN in Office 1, then run nslookup and do a DNS lookup, it uses my VPN's DNS servers and resolves the IP. If I connect to the VPN in Office 2, then run nslookup and do a DNS lookup, it shows me that I'm using my local (to my Mac) DNS servers and it won't resolve the IP.
    I have checked my Mac (and PC) VPN settings and they are also identical.
    I don't even know where to check to solve this problem.

    Both servers are the same. Ethernet on top and then Remote Access connections.
    I noticed while searching on this just now that there is this article: http://www.isaserver.org/articles-tutorials/configuration-general/work-around-VPN-clients-split-DNS.html
    but nowhere in my registry is this \Device\NdisWanIp that they're talking about.

  • SAPROUTER + VPN

    Hi gurus,
    I connect to a customer's SAP server using SAProuter and all works fine. What is the purpose of also using a VPN connection? Is it a matter of security? I'm not a network expert...
    Thanks
    Guido

    Hi,
    SAProuter and VPN are two different things.
    SAProuter is the tool provided by SAP to access SAP servers securely. You can configure it as SNC (Secure Network Connection).
    [http://help.sap.com/saphelp_nw04/helpdata/EN/4f/992d65446d11d189700000e8322d00/content.htm]
    A virtual private network (VPN) is a private network that makes use of a public network (such as the Internet), while maintaining security and privacy through encryption and security procedures.
    VPNs give companies an alternative to leasing an expensive, dedicated private connection from one office to another. Many businesses are using VPN on their servers to allow their employees to connect to their server from home.
    If you are using VPN then there is no need to use SAProuter.
    Hope this helps you to understand.
    Thanks,
    Shambo

  • Leopard VPN open ports

    Hello,
    I use the standard Leopard VPN for connecting my laptop to my office network. Web and Exchange mail work fine, but I cannot get a connection to the Perforce server (port 1666). Changing firewall settings didn't help. My Windows environment uses the same VPN and Perforce servers and doesn't have this problem.
    Thanks

    Hello avilt,
    VCA stands for Virtual Cluster Agent. This is basically used when the VPN 3000 pair is configured for load balancing. When doing this the boxes talk to each other on VCA and we normally need to allow this on the filters.
    My question is, have you enabled this filter on the public interface? Are you seeing the ports going through the VPN concentrator, or are you doing a VA scan and seeing these ports (like FTP) open on the VPN concentrator?
    Raj

  • SIP bypass of VPN

    Hello,
    I've got a VPN connection from a Cisco 877 to an ASA 5520, and on the Cisco 877 I've got a SIP device which doesn't have to go through the VPN. I assume that for the best audio quality I should bypass the VPN and connect directly to the SIP servers, but how do I configure it?
    Many thanks,
    Dan

    We use an external third-party service for phones. All traffic except the SIP should go through the VPN from the Cisco 877 to the ASA 5520, but the SIP could go directly from the Cisco 877 to the third-party servers.
    I'd assume that this way we're not really more exposed just because SIP is not going through the VPN, but I would hope it will improve VoIP communication as it wouldn't have to go through the VPN and our servers/gateway but connect directly to the SIP servers.
    Only one ADSL line on the Cisco 877 with an IPv6 VPN to the ASA 5520; the SIP providers use IPv4 addresses.
    Thank you for your help
    Dan

  • Local HDD through Clientless VPN

    Hello. How do I connect a local HDD through Clientless VPN?

    Yes, access with RDP, but there is a task that requires connecting through clientless VPN to different servers that also need access to the client PC's local HDD.
    I implemented it by adding the connection "rdp://servers?RedirectDrives=TRUE", but it is uncomfortable for end users; is it possible to solve the problem without having to manually specify this option?
    Thanks in advance.

  • Troubleshooting RPC issue over ASA VPN

    Hello,
    I have an IPSec VPN tunnel between my corporate data center and a satellite service provider. I also have 2 trucks, A & B, with networks on them. These truck networks communicate via satellite to the provider base station, and then across the VPN tunnel to our corporate data center. The A & B truck networks each have a Windows Domain Controller that communicates with our DCs in the data center for Active Directory replication. They are using RPC for this.
    Both truck networks and servers were tested and worked perfectly when first tested and deployed.
    ASA 5510 running IOS ver 8.2(1)
    About a month ago, truck B lost its ability to communicate via RPC to the DCs in the data center. Nothing has changed on the network on my side or on the satellite provider's side. I've looked through my VPN logs and firewall logs, but don't see anything that indicates a probable cause. There is no evidence of requests being denied on my firewall or in the VPN ACLs.
    The one strange thing I've noticed when doing some tests is that I don't see interesting traffic hitting the ACL on the ASA when trying to ping or traceroute from the truck B server, or when the RPC request is being run. BTW, the truck B server can ping and traceroute over the VPN tunnel to servers in the data center just fine, and the reverse is also true. Just the RPC doesn't work.
    Here's the RPC error output:
    NtFrsApi Version Information
       NtFrsApi Major      : 0
       NtFrsApi  Minor      : 0
       NtFrsApi Compiled on: Feb 16 2007 20:10:33
    ERROR -  Cannot RPC to computer, odyssey; 00000721 (1825)
    Below is a traceroute from the truck B server to the data center server. Notice the multiple entries for server accord?
    I seem to remember that this kind of behavior occurs when an IP address is being NATted. Is that correct?
    Any suggestions are greatly appreciated.

    Thanks Pranesh,
    I haven't checked the IPsec tunnel, but I assumed that since I get a successful connection to the VPN tunnel, the tunnel is up. I have very limited knowledge about this; still learning the basics for CCNA certification. The weird thing is that when I swap out the ASA-5505 with a home Netgear router (at home), I don't have any problem accessing the inside network at the temple. Therefore, my assumption is something is wrong in my ASA-5505 config at home (the config is pasted in the initial post). Please advise.
    Again, thank you so much for your help.

  • Newbie question about software installation

    I just bought my first Mac, testing the waters. I downloaded Apple Remote Desktop, and am unable to install this software. I work from home and VPN to our servers. I have always used a PC. The process goes through the installation until it gets to configuring the installation. It gives the error "unable to install". I have OS X Tiger 10.4.5, 700 MHz G3. Help?

    Hi jasonss, and a warm welcome to the forums!
    Did you download the Client or the Admin and what version please?
    Have you seen these...
    http://www.external.ameslab.gov/is/remote-vpn-osx.html
    http://www.shiftmanager.net/~kurt/VTUNONOSX/VTUNonOSX.html
    http://www.equinux.com/us/products/vpntracker/index.html

  • Call for participation: OASIS Enterprise Key Management Infrastructure TC

    We would welcome your participation in this process. Thank you.
    Arshad Noor
    StrongAuth, Inc.
    To: OASIS members & interested parties
    A new OASIS technical committee is being formed. The OASIS Enterprise Key
    Management Infrastructure (EKMI) Technical Committee has been proposed by the
    members of OASIS listed below. The proposal, below, meets the requirements of
    the OASIS TC Process [a]. The TC name, statement of purpose, scope, list of
    deliverables, audience, and language specified in the proposal will constitute
    the TC's official charter. Submissions of technology for consideration by the
    TC, and the beginning of technical discussions, may occur no sooner than the
    TC's first meeting.
    This TC will operate under our 2005 IPR Policy. The eligibility
    requirements for becoming a participant in the TC at the first meeting (see
    details below) are that:
    (a) you must be an employee of an OASIS member organization or an individual
    member of OASIS;
    (b) the OASIS member must sign the OASIS membership agreement [c];
    (c) you must notify the TC chair of your intent to participate at least 15
    days prior to the first meeting, which members may do by using the "Join this
    TC" button on the TC's public page at [d]; and
    (d) you must attend the first meeting of the TC, at the time and date fixed
    below.
    Of course, participants also may join the TC at a later time. OASIS and the TC
    welcome all interested parties.
    Non-OASIS members who wish to participate may contact us about joining OASIS
    [c]. In addition, the public may access the information resources maintained for
    each TC: a mail list archive, document repository and public comments facility,
    which will be linked from the TC's public home page at [d].
    Please feel free to forward this announcement to any other appropriate lists.
    OASIS is an open standards organization; we encourage your feedback.
    Regards,
    Mary
    Mary P McRae
    Manager of TC Administration, OASIS
    email: mary.mcrae(AT)oasis-open.org
    web: www.oasis-open.org
    a) http://www.oasis-open.org/committees/process.php
    b) http://www.oasis-open.org/who/intellectualproperty.php
    c) See http://www.oasis-open.org/join/
    d) http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=ekmi
    CALL FOR PARTICIPATION
    OASIS Enterprise Key Management Infrastructure (EKMI) TC
    Name
    OASIS Enterprise Key Management Infrastructure (EKMI) TC
    Statement of Purpose
    Public Key Infrastructure (PKI) technology has been around for more than a
    decade, and many companies have adopted it to solve specific problems in the
    area of public-key cryptography. Public-key cryptography has been embedded in
    some of the most popular tools -- web clients and servers, VPN clients and
    servers, mail user agents, office productivity tools and many industry-specific
    applications -- and underlies many mission-critical environments today.
    Additionally, there are many commercial and open-source implementations of PKI
    software products available in the market today. However, many companies across
    the world have recognized that PKI by itself is not a solution.
    There is also the perception that most standards in PKI have already been
    established by ISO and the PKIX (IETF), and most companies are in
    operations-mode with their PKIs -- just using it, and adopting it to other
    business uses within their organizations. Consequently, there is not much left
    to architect and design in the PKI community.
    Simultaneously, there is a new interest on the part of many companies in the
    management of symmetric keys used for encrypting sensitive data in their
    computing infrastructure. While symmetric keys have been traditionally managed
    by applications doing their own encryption and decryption, there is no
    architecture or protocol that provides for symmetric key management services
    across applications, operating systems, databases, etc. While there are many
    industry standards around protocols for the life-cycle management of asymmetric
    (or public/private) keys -- PKCS10, PKCS7, CRMF, CMS, etc. -- there is
    no standard that describes how applications may request similar life-cycle
    services for symmetric keys, from a server and how public-key cryptography may
    be used to provide such services.
    Key management needs to be addressed by enterprises in its entirety -- for both
    symmetric and asymmetric keys. While each type of technology will require
    specific protocols, controls and management disciplines, there is sufficient
    common ground in the discipline justifying the approach to look at
    key-management as a whole, rather than in parts. Therefore, this TC will
    address the following:
    Scope
    A) The TC will create use-case(s) that describe how and where
    the protocols it intends to create, will be used;
    B) The TC will define symmetric key management protocols,
    including those for:
    1. Requesting a new or existing symmetric key from a server;
    2. Requesting policy information from a server related to caching of keys on the
    client;
    3. Sending a symmetric key to a requestor, based on a request;
    4. Sending policy information to a requestor, based on a request;
    5. Other protocol pairs as deemed necessary.
    C) To ensure cross-implementation interoperability, the TC will create a test
    suite (as described under 'Deliverables' below) that will allow different
    implementations of this protocol to be certified against the OASIS standard
    (when ratified);
    D) The TC will provide guidance on how a symmetric key-management infrastructure
    may be secured using asymmetric keys, using secure and generally accepted
    practices;
    E) Where appropriate, and in conjunction with other standards organizations that
    focus on disciplines outside the purview of OASIS, the TC will provide input on
    how such enterprise key-management infrastructures may be managed, operated and
    audited;
    F) The TC may conduct other activities that educate users about, and promote,
    securing sensitive data with appropriate cryptography, and the use of proper
    key-management techniques and disciplines to ensure appropriate protection of
    the infrastructure.
    List of Deliverables
    1. XSchema Definitions (XSD) of the request and response protocols (by August
    2007)
    2. A Test Suite of conformance clauses and sample transmitted keys and
    content that allows for clients and servers to be tested for conformance to the
    defined protocol (by December 2007)
    3. Documentation that explains the communication protocol (by August 2007)
    4. Documentation that provides guidelines for how an EKMI may be built,
    operated, secured and audited (by December 2007)
    5. Resources that promote enterprise-level key-management: white papers,
    seminars, samples, and information for developer and public use. (beginning
    August 2007, continuing at least through 2008)
    Anticipated Audiences:
    Any company or organization that has a need for managing cryptographic keys
    across applications, databases, operating systems and devices, yet desires
    centralized policy-driven management of all cryptographic keys in the
    enterprise. Retail, health-care, government, education, finance - every industry
    has a need to protect the confidentiality of sensitive data. The TC's
    deliverables will provide an industry standard for protecting sensitive
    information across these, and other, industries.
    Security services vendors and integrators should be able to fulfill their use
    cases with the TC's key management methodologies.
    Members of the OASIS PKI TC should be very interested in this new TC, since the
    goals of this TC potentially may fulfill some of the goals in the charter of the
    PKI TC.
    Language:
    English
    IPR Policy:
    Royalty Free on Limited Terms under the OASIS IPR Policy
    Additional Non-normative information regarding the start-up of the TC:
    a. Identification of similar or applicable work:
    The proposers are unaware of any similar work being carried on in this exact
    area. However, this TC intends to leverage the products of, and seek liaison
    with, a number of other existing projects that may interoperate with or provide
    functionality to the EKMI TC's planned outputs, including:
    OASIS Web Services Security TC
    OASIS Web Services Trust TC
    W3C XMLSignature and XMLEncryption protocols and working group
    OASIS Digital Signature Services TC
    OASIS Public Key Infrastructure TC
    OASIS XACML TC (and other methods for providing granular access-control
    permissions that may be consumed or enforced by symmetric key management)
    b. Anticipated contributions:
    StrongAuth, Inc. anticipates providing a draft proposal for the EKMI protocol,
    at the inception of the TC. The current draft can be viewed at:
    http://www.strongkey.org/resources/documentation/misc/skcl-sks-protocol.html
    and a working implementation of this protocol is available at:
    http://sourceforge.net/projects/strongkey for interested parties.
    c. Proposed working title and acronym for specification:
    Symmetric Key Services Markup Language (SKSML), subject to TC's approval or
    change.
    d. Date, time, and location of the first meeting:
    First meeting will be by teleconference at:
    Date: January 16, 2007
    Time: 10 AM PST, 1 PM EST
    Call in details: to be posted to TC list
    StrongAuth has agreed to host this meeting.
    e. Projected meeting schedule:
    Subject to TC's approval, we anticipate monthly telephone meetings for the first
    year. First version of the protocol to be voted on by Summer 2007. StrongAuth is
    willing to assist by arranging for the teleconferences; we anticipate using
    readily available free teleconference services.
    f. Names, electronic mail addresses, of supporters:
    Ken Adler, ken(AT)adler.net
    June Leung, June.Leung(AT)FundServ.com
    John Messing, jmessing(AT)law-on-line.com
    Arshad Noor, arshad.noor(AT)strongauth.com
    Davi Ottenheimer, davi(AT)poetry.org
    Ann Terwilliger, aterwil(AT)isa.com
    g. TC Convener:
    Arshad Noor, arshad.noor(AT)strongauth.com

    Hi Bilge,
    did you put your text in a blender before sending it?
    I understood everything works fine except the miscellaneous menu item in the configuration tab of ERM?
    Have you already tried to clear all browser cache, close all browsers and try it again?
    Best,
    Frank

  • Cannot log in to OSX Server using ARD

    I am struggling with a problem that I cannot figure out. I posted this on the ARD discussion group and did not get a reply.
    I use ARD, latest version, all updates, to remotely control about 9 machines across two locations that are linked by a pair of NetGear FVS124G routers connected by fulltime VPN. All of the Macs are running 10.5.4, all have the latest updates across the board, as do the single OSX servers in each location both of which are running OSX 10.5.4 server with current updates.
    I can access all of the workstations using ARD without difficulty, both locally and across the VPN.
    The servers will not authenticate, returning the message, "Authentication failed to ....... Server"
    The message seems straightforward enough, its cause more obscure, and I get the same message on each of the two servers.
    The login I am attempting to use in ARD is an administrator account, sharing on the servers is set to allow full access in the sharing setting in System Preferences in both servers, and I have no trouble using either the server preferences or server admin tools to control the two servers.
    It is just that ARD won't allow the login that works with either local login or the server tools. I am able to log in to each server with SSH without difficulty.
    In checking the two servers, I am surprised to see them both listed in ARD info page as OSX 10.4.11 clients (which they clearly are not), whereas they are both listed (accurately) as running the current ARD client.
    I suspect something fairly simple in my configuration of the two servers that I am overlooking since I can log into all the OSX workstations at either location from ARD at either location.
    Any help will be greatly appreciated.

    Thank you for your response. As I think I understand what you are saying, you do not use the "all users" setting for remote access in the server settings, and then allow ARD to provide remote control.
    I have used the all users setting for ARD, and will try changing this on the servers. The other settings are already as you suggest.
    Thanks and will see if this works....

  • Getting help for setting up a "good" network

    Hi all,
    I've been "managing" our network and doing the IT stuff even though I'm not a "true" IT guy, just a graphic artist dabbling in the stuff. I want to get some help on moving our multiple public IP address network to a more secure single Public IP address. I don't know where I can get that help so I'm taking my chances here even though this is not specific to Apple server.
    Here's the equipment we have:
    Apple Extreme dual band
    Apple Server 10.6.3 for file services, iCal, iChat, DNS, Open directory, Address book, Web.
    FTP server using CrushFTP on a Mac Pro running 10.6.3
    Two ADSL modems from the same ISP, one 16 Mbps the other 10 Mbps
    a Peplink Balance 310 for load balancing the traffic (and it's not working as advertised as far as I could configure it)
    30 static IP addresses hooked to the 16Mbps modem/router
    a gigabit switch ASANTE Intracore IC36240
    a 100 Mbps switch ASANTE intracore 3524
    I'd also like to be able to log into any machine remotely with ARD. Right now, it's a piece of cake with everyone having its own public IP address, but how will I make this work with DHCP? I'd also like to be able to have VPN enabled.
    I have no idea how to make the best of this equipment so if you have any insight or know where I can get some help to set that up, that'd be great!

    There are as many 'good' networks as there are network requirements and hardware combinations.
    Get a server-grade firewall, if that peplink router can't provide that function.
    Figure out what's up with the peplink router.
    If the peplink isn't working and if it doesn't have firewall capabilities (I've not read the specs), I'd replace it with a firewall with dual uplinks.
    Once you get DHCP going, you'll have two IP subnets, and you'll have to set up subnet routing for your gear. Other than that (and with that external server-grade firewall), the remote connections are straightforward.
    The server-grade firewall should have VPN end-point servers for pptp and l2tp, and probably ssl, and probably a DMZ. RADIUS support, likely. For this case, dual uplinks and support for running both.
    Stay out of 192.168.0.0/16 for your private stuff.
    I'd likely set up the public static IP for the router, the DMZ, and key stuff that needs to be public facing. I might well run the rest of the stuff in a private IP block.
    None of which involves Mac OS X.
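    The address-planning advice in the reply above (keep internal subnets out of 192.168.0.0/16, and give the two LAN segments distinct ranges once DHCP is in place) can be checked mechanically before any gear is reconfigured. The script below is an added example, not code from the thread or from any vendor; the candidate subnets in it are constructed for illustration, and the only rule it encodes beyond the reply is the standard RFC 1918 private-range test from Python's `ipaddress` module.

```python
"""Private address-plan check for a site that will front a VPN.

Added example, not from the original thread. It follows the reply's advice
to keep internal subnets out of 192.168.0.0/16 (the range most consumer
routers hand out, so remote VPN clients' home LANs would collide with it)
and to use distinct subnets for the separate LAN segments once DHCP is in
place. All subnets below are constructed sample values.
"""
import ipaddress

# Ranges a remote VPN user's home router is likely to use; treat as off limits.
CONSUMER_RANGES = [ipaddress.ip_network("192.168.0.0/16")]


def check_subnet(cidr, others=()):
    """Return a list of problems with `cidr` as an internal subnet (empty if OK).

    `others` holds the other subnets in the plan; any overlap with them is
    reported because routed segments need disjoint ranges.
    """
    net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
    problems = []
    if not net.is_private:
        problems.append("not an RFC 1918 private range")
    if any(net.overlaps(c) for c in CONSUMER_RANGES):
        problems.append(
            "overlaps 192.168.0.0/16 (likely clash with VPN clients' home LANs)")
    for other in others:
        o = ipaddress.ip_network(other, strict=True)
        if net.overlaps(o):
            problems.append(
                f"overlaps {o}; separate segments need disjoint ranges for routing")
    return problems


def plan(subnets):
    """Check every subnet in the plan against the advice and against each other."""
    report = {}
    for i, cidr in enumerate(subnets):
        others = subnets[:i] + subnets[i + 1:]
        report[cidr] = check_subnet(cidr, others)
    return report


if __name__ == "__main__":
    # Constructed plan: one subnet per switch plus a DMZ that breaks the rule.
    for cidr, probs in plan(["10.20.1.0/24", "10.20.2.0/24", "192.168.1.0/24"]).items():
        print(cidr, "OK" if not probs else "; ".join(probs))
```

Run it with the subnets you intend to hand out over DHCP on each segment; a clean report means the VPN end point on the firewall can route remote clients to both segments without a client-side address clash.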
