10.5: VPN clients can't connect to each other
Hey all,
I've got a bit of an odd problem. Got my VPN server setup and working fine on 10.5.4. Clients can connect in, mount file shares, etc. However, if we have multiple clients connected in via VPN, they can't connect to each other. They can't ping each other or anything. I've checked firewalls, etc, on the client machines, and everything looks fine.
Machines within the network can ping and connect to them both, it's just when they're trying to connect to one another that the problem occurs. Any ideas why this might be, and any possible solutions?
Thanks in advance,
Paul
OS X Server / VPN /The L2TP-VPN server did not respond
Similar Messages
-
ASA 5505 VPN clients can't ping router or other clients on network
I have a ASA5505 and it has a vpn set up. The VPN user connects using the Cisco VPN client. They can connect fine (the get an ip address from the ASA), but they can't ping the asa or any clients on the network. Here is the running config:
Result of the command: "show running-config"
: Saved
ASA Version 7.2(4)
hostname ASA
domain-name default.domain.invalid
enable password kdnFT44SJ1UFX5Us encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.0.0.4 Server
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list vpn_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 10.0.0.192 255.255.255.192
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNpool 10.0.0.220-10.0.0.240 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 Server pop3 netmask 255.255.255.255
static (inside,outside) tcp interface www Server www netmask 255.255.255.255
static (inside,outside) tcp interface https Server https netmask 255.255.255.255
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable 480
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
group-policy vpn internal
group-policy vpn attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_splitTunnelAcl
username admin password wwYXKJulWcFrrhXN encrypted privilege 15
username VPNuser password fRPIQoKPyxym36g7 encrypted privilege 15
username VPNuser attributes
vpn-group-policy vpn
tunnel-group vpn type ipsec-ra
tunnel-group vpn general-attributes
address-pool VPNpool
default-group-policy vpn
tunnel-group vpn ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:df7d1e4f34ee0e155cebe86465f367f5
: end
Any ideas what I need to add to get the vpn client to be able to ping the router and clients?
Thanks.I tried that and it didn't work. As for upgrading the ASA version, I'd like to but this is an old router and I don't have a support contract with Cisco anymore, so I can't access the latest firmware.
here is the runnign config again:
Result of the command: "show startup-config"
: Saved
: Written by enable_15 at 01:48:37.789 MDT Wed Jun 20 2012
ASA Version 7.2(4)
hostname ASA
domain-name default.domain.invalid
enable password kdnFT44SJ1UFX5Us encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.0.0.4 Server
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list vpn_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 10.0.0.192 255.255.255.192
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNpool 10.0.0.220-10.0.0.240 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm location Server 255.255.255.255 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 Server pop3 netmask 255.255.255.255
static (inside,outside) tcp interface www Server www netmask 255.255.255.255
static (inside,outside) tcp interface https Server https netmask 255.255.255.255
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable 480
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
group-policy vpn internal
group-policy vpn attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_splitTunnelAcl
username admin password wwYXKJulWcFrrhXN encrypted privilege 15
username VPNuser password fRPIQoKPyxym36g7 encrypted privilege 15
username VPNuser attributes
vpn-group-policy vpn
tunnel-group vpn type ipsec-ra
tunnel-group vpn general-attributes
address-pool VPNpool
default-group-policy vpn
tunnel-group vpn ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
service-policy global_policy global
prompt hostname context
Cryptochecksum:78864f4099f215f4ebdd710051bdb493 -
VPN client can't connect Error message in log is
I_Cookie=E8639EE347B0332A R_Cookie=2E769D3CBD38C09F) reason = DEL_REASON_WE_FAILED_AUTH
What does this mean? How do you fix it?Thomas
I would interpret this to mean that you failed authentication when you attempted to connect. When you attempt to connect do you get a prompt? If not (and I suspect this is the case) it would indicate a problem in setting up the group authentication in the client. If you do get a prompt then it would indicate a problem with the setup of your ID or password in the server or that you have incorrectly entered ID or password.
Be careful that group name is entered correctly (including upper case or lower case matching).
Be careful that passwords are correctly enterred (including upper case or lower case matching and no trailing blanks).
HTH
Rick -
Hi!
I wish someone can help me on this, I'm a new guy on cisco firewalls and I'm currently implementing cisco asa 5512x, here are the details:
ISP -> Firewall -> Core switch -> Internal LAN
after installing the cisco asa and terminating the appropriate lan for the outside and inside interfaces, internet seems intermittent and cisco vpn client can connect with internet connection but can't ping internal LAN.
here's my configuration from my firewall.
ASA Version 8.6(1)2
hostname ciscofirewall
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 203.x.x.x 255.255.255.0
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.152.11.15 255.255.255.0
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 4.2.2.2 -------> public DNS
name-server 8.8.8.8 -------> public
name-server 203.x.x.x ----> Clients DNS
name-server 203.x.x.x -----> Clients DNS
same-security-traffic permit intra-interface
object network net_access
subnet 10.0.0.0 255.0.0.0
object network citrix_server
host 10.152.11.21
object network NETWORK_OBJ_10.10.10.0_28
subnet 10.10.10.0 255.255.255.240
object network NETWORK_OBJ_10.0.0.0_8
subnet 10.0.0.0 255.0.0.0
object network InterconHotel
subnet 10.152.11.0 255.255.255.0
access-list net_surf extended permit ip any any
access-list net_surf extended permit ip object NETWORK_OBJ_10.10.10.0_28 object InterconHotel
access-list outside_access extended permit tcp any object citrix_server eq www
access-list outside_access extended permit ip object NETWORK_OBJ_10.10.10.0_28 any
access-list outsidevpn_splitTunnelAcl standard permit 10.152.11.0 255.255.255.0
access-list LAN_Users remark LAN_clients
access-list LAN_Users standard permit any
access-list vpnpool extended permit ip 10.10.10.0 255.255.255.248 any
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
ip local pool vpnpool 10.10.10.1-10.10.10.6 mask 255.255.255.248
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 no-proxy-arp route-lookup
object network net_access
nat (inside,outside) dynamic interface
object network citrix_server
nat (inside,outside) static 203.177.18.234 service tcp www www
object network NETWORK_OBJ_10.10.10.0_28
nat (any,outside) dynamic interface
object network InterconHotel
nat (inside,outside) dynamic interface dns
access-group outside_access in interface outside
access-group net_surf out interface outside
route outside 0.0.0.0 0.0.0.0 203.x.x.x 1
route outside 10.10.10.0 255.255.255.248 10.152.11.15 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.100 255.255.255.255 inside
http 10.10.10.0 255.255.255.240 outside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
client-update enable
telnet 10.152.11.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
enable outside
anyconnect-essentials
group-policy outsidevpn internal
group-policy outsidevpn attributes
dns-server value 203.x.x.x 203.x.x.x
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client
split-tunnel-policy tunnelall
split-tunnel-network-list value outsidevpn_splitTunnelAcl
default-domain value interconti.com
address-pools value vpnpool
username test1 password i1lji/GiOWB67bAs encrypted privilege 5
username test1 attributes
vpn-group-policy outsidevpn
username mnlha password WlzjmENGEEZmT9LA encrypted
username mnlha attributes
vpn-group-policy outsidevpn
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group outsidevpn type remote-access
tunnel-group outsidevpn general-attributes
address-pool (inside) vpnpool
address-pool vpnpool
authentication-server-group (outside) LOCAL
default-group-policy outsidevpn
tunnel-group outsidevpn ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect http
inspect ipsec-pass-thru
class class-default
user-statistics accounting
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:edc30dda08e5800fc35b72dd6e1d88d7
: end
thanks. please help.I think you should change your nat-exemption rule to smth more general, like
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 no-proxy-arp route-lookup
'cause your inside networks are not the same as your vpn-pool subnet.
Plus, if you're trying to reach inside subnets, different from 10.152.11.0 255.255.255.0 (ip from wich subnet is assignet to your inside interface, and for wich above nat exception should be enough), you should check if routing is configured from that subnets to your vpn-pool-subnet through the ASA. -
Server 2003 VPN clients can't verify username and password
Hi,
Hoping someone can help or point me in the right direction. I have a Windows Server 2003 R2 standard SP2 running RRAS. It has Dual NIC's and is configured for PPTP VPN. I am using a BT Business Hub 5 for internet access and using the BT Static IP service.
The BT Hub assigns the static IP address chosen to the Server using DHCP. The firewall is configured to port forward PPTP traffic to the 2003 server. This all works correctly.
The 2003 server is on a domain where the DC is a 2008 R2 server. The DC also acts as the DNS and DHCP for the network.
The default gateway for the domain is pointed towards our WinGate proxy server which also acts as a DNS server.
The 2003 server LAN NIC is configured manually, usually I would not configure a deafult gateway on the LAN NIC as the WAN NIC needs the default gateway for the BT Hub.
The problem I am having is if a default gateway is configured on the LAN NIC, I can connect to the VPN and it will logon to the network. Once connected everything works ok. If the connection drops, when trying to reconnect the client can no longer verify
the user name and password against the domain and the connection is refused.
If I do not have a default gateway configured in the LAN NIC the VPN clients can not verify the username and password for the domain at all and I get RPC failure errors in the event viewer with the source dnsapi.
Once this error occurs the only way I can get the clients to reconnect is to disable the WAN NIC, restart the RRAS service and enable the WAN NIC again.
Any insight will be much appreciated.Hello,
for Networking configuration questions better ask in
http://social.technet.microsoft.com/Forums/windowsserver/en-US/home#forum=winserverNIS&filter=alltypes&sort=lastpostdesc&content=Search
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://blogs.msmvps.com/MWeber
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
Twitter: -
SBS2008 VPN Clients can't Remote Desktop to PCs
Hello,
I have a network running SBS2008, it has RRAS configured on it and clients connect to it fine. However, while connected to the VPN, I can't connect to PC Clients via RDP. I connect to server via RDP no problem. And I can connect
to PCs via RDP from the server or other PCs on the network. I just can't connect through a VPN connection. RRAS uses DHCP from the server to assign IPs so VPN clients are on the same subnet as the domain PCs.
RWW also works fine for connecting to PCs, but we would like to be able to connect via VPN as well. And it should work, I can ping a PC I'm trying to connect to over the VPN connection, no problem. I researched and saw something about the group
policy, but this is a very small network and doesn't really use that. I made the changes described in the Windows Firewall settings but it made no difference. I also went and turned off the Windows firewall on the PC I was trying to connect to,
but it still didn't make a difference. Is there any other reason this wouldn't work?
ThanksI found out that the issue was caused by the Symantec Endpoint Protection client installed on the server. It was blocking traffic between VPN clients and PCs on the network. I just reconfigured it to allow that traffic and it worked
fine afterward.
Hi Rayminette,
Glad to hear that you have solved this issue and thanks for sharing your solution in the forum. Your time and efforts are highly appreciated.
Best regards,
Justin Gu
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected] -
VPN Clients can't access internal LAN
Hello - I have seen a few other threads on this issue, but can't seem to fix mine. I have a PIX 506e. My VPN clients can connect, they get a DHCP address from our internal server no problem. But the clients can not ping me or anything else on the LAN. The clients are connecting ipsec. I know I must be missing something simple here. Here is my config. Any help would be great
Change the VPN Pool address to something else for example 192.168.10.0/24 etc. Then try and let me know. There could be ip overlap here.
-
VPN clients can't see network resources unless Firewall is disabled.
If the firewall is turned off, connected VPN clients can access other PCs over the VPN. But I would like to enable a rule that allows them to access computers even with the firewall turned on. I just don't know what the rule should be.
Hi,
Any update? If you could update us at your convenience that would be wonderful.
Regards
Yolanda Zhu
TechNet Community Support -
Vpn client can access internet but cannot access internal network
I am using PIX 501 to setup a VPN. At first the VPN client cannot access the internet once they logged in via the Cisco system vpn client, so i enable split tunneling. Now the VPN client can access the internet but they can't access the internal network.Due to the limited characters can be posted here, only necessary IOS coding is posted on the next message. Who knows how to solve this problem? Pls Help.....
enable password ********** encrypted
passwd ********** encrypted
hostname Firewall
domain-name aqswdefrgt.com.sg
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list nat permit tcp any host 65.165.123.142 eq smtp
access-list nat permit tcp any host 65.165.123.142 eq pop3
access-list nat permit tcp any host 65.165.123.143 eq smtp
access-list nat permit tcp any host 65.165.123.143 eq pop3
access-list nat permit tcp any host 65.165.123.143 eq www
access-list nat permit tcp any host 65.165.123.152 eq smtp
access-list nat permit tcp any host 65.165.123.152 eq pop3
access-list nat permit tcp any host 65.165.123.152 eq www
access-list nat permit tcp any host 65.165.123.143 eq https
access-list nat permit icmp any any
ip address outside 65.165.123.4 255.255.255.240
ip address inside 192.168.1.2 255.255.255.0
ip verify reverse-path interface outside
ip local pool clientpool 192.168.50.1-192.168.50.50
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 65.165.123.142 smtp 192.168.1.56 smtp netmask 255.255.2
55.255 0 0
static (inside,outside) tcp 65.165.123.142 pop3 192.168.1.56 pop3 netmask 255.255.2
55.255 0 0
static (inside,outside) tcp 65.165.123.143 smtp 192.168.1.55 smtp netmask 255.255.2
55.255 0 0
static (inside,outside) tcp 65.165.123.143 pop3 192.168.1.55 pop3 netmask 255.255.2
55.255 0 0
static (inside,outside) tcp 65.165.123.143 www 192.168.1.55 www netmask 255.255.255
.255 0 0
static (inside,outside) tcp 65.165.123.152 smtp 192.168.1.76 smtp netmask 255.255.
255.255 0 0
static (inside,outside) tcp 65.165.123.152 pop3 192.168.1.76 pop3 netmask 255.255.
255.255 0 0
static (inside,outside) tcp 65.165.123.152 www 192.168.1.76 www netmask 255.255.25
5.255 0 0
static (inside,outside) tcp 65.165.123.143 https 192.168.1.55 https netmask 255.255
.255.255 0 0
access-group nat in interface outside
route outside 0.0.0.0 0.0.0.0 65.165.123.1 1
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server plexus protocol radius
aaa-server plexus (inside) host 192.168.1.55 ******** timeout 5
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map client authentication plexus
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup vpn3000 address-pool clientpool
vpngroup vpn3000 dns-server 192.168.1.55
vpngroup vpn3000 wins-server 192.168.1.55
vpngroup vpn3000 default-domain aqswdefrgt.com.sg
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80 -
Mac10.x client can't connect to File Server on Windows2008 Failover Cluster
Installation of a cluster was made according to the document "Failover Cluster Step-by-Step Guide: Configuring a Two-Node File Server Failover Cluster " http://technet.microsoft.com/en-us/library/cc731844.aspx.
My Mac OS X 10.5.2 and Mac OS X 10.4.11 clients be able to connect to a non-cluster file server on a Windows 2008 (the File Services role) and also to old file cluster on a Windows 2003.
Why Mac clients can't connect to Windows 2008 Failover Cluster?Are you running a firewall on the Macs. If yes does it work with out the firewall? If it works with out the firewall that means you will have to create a custom ipf rule which includes the both the physical an virtual IP addresses of your cluster.
-
Some clients can't connect after 10.6.6 update - the see an error -43
Hi There,
I'm a designer so am not all that technical but have managed to setup and maintain OS X servers since 10.5.
I've just updated the server to 10.6.6 and now some of our clients can't connect - they get the following error:
"There was an error connecting to the server. Check the server name or IP address and try again.
If you are unable to resolve the problem contact your system administrator."
If I click OK to the error above on the client, I see another error which reads:
"The operation cannot be completed because one or more required items cannot be found.
(Error code -43)"
I've restarted the server and the clients but no luck.
The server is running the following services:
- AFP
- DNS
- Firewall
- NFS (although I don't remember setting this up - is this started with AFP?)
- Open Directory
I can ping the server and login via ARD so not sure why we see the first IP address error as mentioned above.
Any help or suggestions would be most welcome.
Regards
BenOne question, is this when you hit "Connect to Server" or is this after you've established a connection and try to open/edit/save files?
Here is some general advice:
1) I assume your whole network is behind a router and that we are talking a small office environment (5-10 people) and not some large enterprise. If so the Firewall service can probably be disabled. As a matter of fact if your issue is that clients can't connect at all the firewall may actually be causing your problem.
2) NFS can almost certainly be disabled. Its generally only used for two reasons 1) The netboot service needs it. 2) You support unix/bsd clients. I can see from your list of services that netboot isn't something you're doing and I doubt that as a designer you would have much use for unix/bsd systems. -
How many clients can be connected to an Access Point
Hi friend,
I want to know how many clients can be connected in Cisco AP 1140.
Best Regard,
Marco.Hi,
As Stephen mention the best answer is it depends.
What you need to keep in mind is that wireless is halfduplex and a shared medium and due to this the bandwith will go down per client.
http://www.cisco.com/en/US/products/hw/wireless/ps430/products_qanda_item09186a008009483e.shtml
Q. How many clients can associate to the AP?
A. The AP has the physical capacity to handle 2048 MAC addresses, but, because the AP is a shared medium and acts as a wireless hub, the performance of each user decreases as the number of users increases on an individual AP. Ideally, not more than 24 clients can associate with the AP because the throughput of the AP is reduced with each client that associates to the AP. -
External outlook clients can't connect to Exchange 2013
Currently running server 2012 r2 and exchange 2013 sp1...
Internally everything works fine, clients can also connect externally to owa/ecp. However when using an outlook client they are unable to connect. This is my first experience with exchange 2013 so I am at a loss. What steps should I be following to get this
working properly? Or if anyone has some suggestions to get more information I can do that as well.
Thanks!
Connecting from a mobile-phone using mail.mail.com works fine.
We are using a self-signed certificate for testing purposes..Testing Outlook connectivity.
The Outlook connectivity test failed.
Additional Details
Elapsed Time: 941 ms.
Test Steps
Testing RPC over HTTP connectivity to server mail.mail.com
RPC over HTTP connectivity failed.
Additional Details
Elapsed Time: 941 ms.
Test Steps
Attempting to resolve the host name mail.mail.com in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: xxx.xxx.xx.x
Elapsed Time: 535 ms.
Testing TCP port 443 on host mail.mail.com to ensure it's listening and open.
The port was opened successfully.
Additional Details
Elapsed Time: 176 ms.
Testing the SSL certificate to make sure it's valid.
The SSL certificate failed one or more certificate validation checks.
Additional Details
Elapsed Time: 229 ms.
Test Steps
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server mail.mail.com on port 443.
The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
Additional Details
Remote Certificate Subject: CN=mail.mail.com, Issuer: CN=mail.mail.com.
Elapsed Time: 154 ms.
Validating the certificate name.
The certificate name was validated successfully.
Additional Details
Host name mail.mail.com was found in the Certificate Subject Common name.
Elapsed Time: 0 ms.
Certificate trust is being validated.
Certificate trust validation failed.
Test Steps
The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=mail.mail.com
A certificate chain couldn't be constructed for the certificate.
Tell me more about this issue and how to resolve it
Additional Details
The certificate chain didn't end in a trusted root. Root = CN=mail.mail.com
Elapsed Time: 33 ms. -
Outlook client can't connect in but OWA works
You need to make sure your OutlookAnywhere and AutoDiscover settings are setup properly along with Split-DNS. OutlookAnywhere and Split-DNS are vital for future-proofing your Exchange configuration and making it work properly now, regardless if you use Exchange 2007, 2010, or 2013. For Exchange 2013, OutlookAnywhere is a requirement and Split-DNS is Best Practice. If you are on Exchange 2007 or 2010, and you do not have OutlookAnywhere enabled, enable OutlookAnywhere and follow this guide.You should always use NTLM over Basic authentication, as Basic sends the username and password in the clear, and NTLM is Windows Authentication. On Exchange 2013, you also have a new option called Negotiate, which is recommended. As you follow this guide, you will set the ClientAuthenticationMethod (Internal and External if on Exchange 2013) to NTLM...
Outlook client can't connect in configured outlook on workstation but OWA works.
This topic first appeared in the Spiceworks Community -
Can't get imac's to connect to each other on my home network
Argh! I just got 27" imac and moved my 24" imac downstairs. I was able to get the two computers to connect to each other no problem yesterday. Today, they will no longer connect to each other. I cannot share screen or connect as to get to each other. I have changed no settings OTHER then renaming my hd volume. I tossed my old keychain out and my macbook has no problem connecting to the 24" imac and the 27" imac. Its just the two desktops won't connect.
Firewalls are turned off. File sharing is obviously turned on.
Any idea what happened or what changed?NO solution, but I have the same problem.
Cannot remember having made ANY changes since last night. But this evening, nothing will make my Air connect to my iMac.
However I have been noticing various problems with MobileMe leading to multiple entries in Notes (on my iPhone) instead of just one... Maybe that made a mess of my Keychain?
Frustrating...
Message was edited by: Neil Armstrong
Maybe you are looking for
-
Ipod is not recognized by itunes or finder
I have a used ipod purchased from classifieds and i am unable to sync this with itunes. it appears neither itunes or finder will reconize the device. any suggestions? I have tried different USB ports and still no connectivity. It does seem to be char
-
Seeburger As2 Receiver channel exception for large files
Hello Folks, We have JMS to seeburger AS2 interface we are facing follwing issue in As2 reciver channel for files larger than 20 MB.But In Production it is wokring fine for even 40 MB also. Delivering the message to the application usingconnection AS
-
Create a rule to delete older messages in a folder
I'm finding housekeeping in my Mac Mail time consuming and wanted to create a rule for a particular folder to delete messages older than say 2 weeks. I've tried googling and looking around for help but I can't find much. I also have another issues I
-
I upgrad Office Pro 2007 to Office Standard 2010
I upgraded my Office Pro 2007 to Office Standard 2010 yesterday and everything went fine with the exception. On this one machine the user is having word crash while he is working on it, sometimes right away, sometimes it is good for five minutes, it
-
Where can i get java se 6 runtime
I have a program that is telling me I need to download Java SE 6 Runtime. But when I click the link it gives me, it takes me to a blank page on Apple.com. How do I download Java SE 6?