10.6.8 can ping /trace but no connection online

Hi there, I was using my MacBook this morning, closed it all down and went out all day. I came home, powered up my MacBook Pro again, and none of my online services worked (Dropbox, Skype, Google Drive). Then I tried to collect my email and it was the same, so I thought I would try the browser: same.
So I fired up Terminal and started pinging the outside world (www.bbc.co.uk). I got good healthy pings back, so I decided to do a traceroute and that was the same. Mmm, I thought...
So I pinged the default gateway on my router: the same, all good. Then the same again with the DNS servers: still the same... So I disabled my wireless connection, fired up my other desktop Mac and tested that; that's working fine... Then I connected an Ethernet cable to my MacBook: same thing, I can ping/trace OK but I cannot get an outside connection. Very strange. So I thought, I know, I will change the DNS servers to Google 8.8.8.8 and 4.4.4.4: same thing. Mmmm. So I fired up Disk Utility and checked the permissions: all fine... So if my other Mac is working fine and this one is not, OK, I thought, I will create a new user account on the MacBook and test that. Nope, still the same.. *scratches chin* So I opened Terminal again and ran these commands: "sudo killall mDNSResponder" and also this one: "sudo dscacheutil -flushcache"
Nope, nothing seems to work. I have rebooted and run the latest combo update to see if that repairs anything; no, nothing. I am at a loss now. I really need my MacBook working; the old backup desktop is a nightmare, and I have the feeling that I will have to start backing everything up and reinstalling. LONG JOB!
I would appreciate any advice or pointers that you can give me to fix this and get it working before I have to reinstall it.
Thanks
Tim

One thing I have just tested: I can copy files from my Mac desktop to my MacBook fine. Mmm!

Similar Messages

  • Cisco ASA 5505 can ping gateway but can't ping internet

    Good day to all!
    Sorry if I post this on the wrong group, I am having a bit of a problem on configuring an ASA 5505 firewall. And I scoured google but can't seem to find a specific link to my issues.
    It is on a routed mode, have successfully configured inside and outside vlans. Hosts inside vlan can ping each other. Hosts on outside vlan can also ping each other. Problem is, when I am pinging 8.8.8.8, I received ????? Please see config below.
    Any help greatly appreciated.
    TIA!
    : Saved
    ASA Version 8.4(3)
    hostname ciscoasan
    enable password bD3fGYMFeJJTATOJ encrypted
    passwd 2KF1w9ErdI.2KYOU encrypted
    names
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
     description INSIDE
     nameif inside
     security-level 100
     ip address 10.10.10.2 255.255.255.0
    interface Vlan2
     description OUTSIDE
     nameif outside
     security-level 0
     ip address 203.127.68.2 255.255.255.240
    ftp mode passive
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    access-list outside_access_in extended permit ip any any
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    object network obj_any
     nat (inside,outside) dynamic interface
    nat (inside,outside) after-auto source dynamic any interface
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 203.127.68.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication enable console LOCAL
    http server enable
    http 10.10.10.0 255.255.255.0 inside
    http authentication-certificate inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh 10.10.10.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     anyconnect-essentials
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny  
      inspect sunrpc
      inspect xdmcp
      inspect sip  
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:6b3e0ce99eda3d2563cf9f392f8001b7
    : end

    Hi badingdong,
    Remove these lines:
    no nat (inside,outside) after-auto source dynamic any interface
    no access-group outside_access_in in interface outside
    If you have more inside subnets that need access to the internet, please make sure that you have a static route in place as shown below.
    route inside 10.0.0.0 255.0.0.0 10.10.10.1
    Also make sure that a correct DNS server is assigned on your internal hosts.
    Thanks
    Rizwan Rafeek
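
A check for the two lines the reply above says to remove, written as an added example (not code from the thread or from Cisco): it flags an any-to-any permit ACL bound inbound on the lowest security-level interface, and an `after-auto` dynamic PAT rule that an object NAT rule for 0.0.0.0/0 already covers. The function names and the trimmed sample config are constructed for illustration.

```python
import re

# Constructed excerpt: only the lines of the posted ASA 8.4(3) config that the checks read.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
access-list outside_access_in extended permit ip any any
object network obj_any
 nat (inside,outside) dynamic interface
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 203.127.68.1 1
"""

ANY = {"any", "any4", "any6"}
# Matches dynamic interface PAT in object-NAT form (no "source") and twice-NAT form ("source").
NAT_RE = re.compile(
    r"nat \((?P<real>[^,]+),(?P<mapped>[^)]+)\) (?P<after>after-auto )?"
    r"(?P<source>source )?dynamic (?:any )?interface$"
)


def parse_interfaces(config):
    """Map each nameif to its security-level."""
    levels, name = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = None
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("security-level ") and name:
            levels[name] = int(line.split()[1])
    return levels


def any_any_acls(config):
    """Names of ACLs holding an active 'extended permit ip any any' entry."""
    names = set()
    for raw in config.splitlines():
        t = raw.split()
        if (len(t) >= 7 and t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]
                and t[5] in ANY and t[6] in ANY and "inactive" not in t):
            names.add(t[1])
    return names


def shadowed_after_auto_pat(config):
    """after-auto PAT rules whose interface pair an object NAT for 0.0.0.0/0 already covers."""
    subnets, object_pat, twice, current = {}, [], [], None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"object network (\S+)$", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"subnet (\S+ \S+)$", line)
        if m and current:
            subnets[current] = m.group(1)
            continue
        m = NAT_RE.match(line)
        if not m:
            continue
        pair = (m.group("real"), m.group("mapped"))
        if m.group("source") and m.group("after"):
            twice.append((pair, line))
        elif not m.group("source") and current:
            object_pat.append((current, pair))
    # Object NAT is evaluated before after-auto rules, so a 0.0.0.0/0 object rule wins.
    covered = {pair for obj, pair in object_pat if subnets.get(obj) == "0.0.0.0 0.0.0.0"}
    return [("shadowed-after-auto-pat", line) for pair, line in twice if pair in covered]


def audit(config):
    """Return (check, offending line) tuples for the two conditions described above."""
    findings = []
    levels = parse_interfaces(config)
    lowest = min(levels.values()) if levels else None
    open_acls = any_any_acls(config)
    for raw in config.splitlines():
        m = re.match(r"access-group (\S+) in interface (\S+)$", raw.strip())
        if m and m.group(1) in open_acls and levels.get(m.group(2)) == lowest:
            findings.append(("open-inbound-acl", raw.strip()))
    return findings + shadowed_after_auto_pat(config)


def remove_flagged(config):
    """Drop the flagged lines, mirroring the 'no ...' commands in the reply."""
    flagged = {detail for _, detail in audit(config)}
    return "\n".join(l for l in config.splitlines() if l.strip() not in flagged) + "\n"


if __name__ == "__main__":
    for check, line in audit(SAMPLE_CONFIG):
        print(f"{check}: {line}")
```
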

  • Workstations can ping servers, but servers cannot ping workstations

    We are setting up a new network using two Dell servers, one T420 and the other T320, both of which are running Windows Server 2008 R2. Upon setting up the domain, we have come to find out that all workstations can ping the terminal and domain controller but the servers cannot ping the workstations. Also the workstations will not stay on the domain; they change back to unidentified network upon restarting. Any help would be great. Thanks in advance.

    1. Make sure that each server has static network settings. Do not use DHCP to configure the network settings of your servers. Also make sure to provide exclusions for the range of static addresses for your servers.
    2. DC should have its own address as primary and 127.0.0.1 as secondary (assumes single DNS server).
    3. Make sure that a domain controller providing DNS services is up and running when any computer reboots. If single DC it may take 5 minutes or more for DNS to start up when rebooted. (Always best to have at least two DCs for redundancy / disaster recovery.)
    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows]
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

  • C310 place to set DNS address(es)? Can print wireless but cannot connect to web services.

    Wireless connection setup with no problem for printing (static IPs all around with WEP). Opened port on CA firewall but not on router(?) Can print across wireless network but cannot connect to web services. Thinking that I need to enter DNS(s) but cannot find anywhere to enter them.

    Hi,
    Open your browser and type in the IP address of your printer. This will bring you to an internal page of the AIO. On the networking tab you should be able to set your DNS.
    Say "Thanks" by clicking the Kudos Star in the post that helped you.
    Although I work for HP my posts and replies are my own
    Please mark the post that solves your problem as "Accepted Solution"

  • WRT54GL - router can ping/trace LAN no access (solved?)

    Hi. I encountered a strange problem today, resulting in my computers going offline. They could still talk to the router and would get valid IPs etc., but no internet (tracert www.google.com would fail, no ping, etc.). The router, however, could trace and ping everything out there. My computers also had working internet with the router disconnected. I searched this forum and found that lots of people had similar problems on the WRT54G version, and that apparently downgrading to a previous firmware version would help (I had the latest firmware). I could not find it, but I googled some and found an article with some open source firmware: http://www.extremetech.com/article2/0,1697,1934574,00.asp I downloaded and installed this firmware: http://www.thibor.co.uk/ Did a factory reset after installing. Not only did it solve my problems, but the firmware is superior to the stuff that came with the router. I do hope that this can be of some use to someone out there wanting to strangle or kill the two-horned router right now.

    It's working now.. just had to remove the '!' (exclamation mark) from
    gateway="default gw 192.168.1.1"
    ROUTES=(!gateway)
    I think that it was added by the gnome-network-manager app.

  • WRT54G can ping internet, but connected devices cannot.

    When I do a factory reset of our WRT54G router and configure it for our setup, everything works fine for a while (undetermined, random amount of time). We use it primarily for wireless access, and connect an iphone, ipad, mac, pc devices to it with no problem and can access the internet fine.
    After some period of time, all devices can still connect to the WRT54G via wireless, but cannot access the internet either by browser or ping/tracert commands. Meanwhile, the WRT54G diagnostics can successfully perform pings and tracerts to both IP address and URLs (so DNS *is* working fine)
    I connected a computer to the WRT54G via cat5 cable while the wireless devices could not access the internet, and the wired computer could *not* access the internet either. However, from the admin section of the WRT54G we could ping/tracert with no problems.
    Any ideas what causes this to drop and what we can do (other than factory reset) to fix it, and perhaps to prevent it?
    ..Rick..

    This isn't a home setup. My WRT54G is connected to a DMZ switch which is connected to our gateway router and then out to the 100 Mbps pipe.
    All of our LAN is working fine, and as I mentioned in the original post, the WRT54G can always ping an external site (both via URL and IP address), as well as being able to do a traceroute.
    When the connected devices can no longer get to the internet through the router, the router can still do the pings and traceroutes, so I conclude that there is no interruption in internet service. It stops at the WRT54G.  It always accepts wireless connections.

  • When trying to connect to google+, I get a message that I need a new version of Firefox. I have the newest version (6). I can get gmail, but cannot connect to google+. Please help

    I cannot connect to my new google+ account using Firefox 6. When I try to access google+ I get a message that I need to update Firefox, which I have done twice. I can access gmail and everything else that google has to offer - I think. Please help.
    Thank you

    Open System Preferences > Network > Advanced > Proxies
    Deselect any checked boxes on the left then click OK.
    If none of those boxes were selected, it might be a Safari extension causing the proxy dialog.
    From the Safari menu bar click Safari > Preferences then select the Extensions tab. Turn that OFF, quit and relaunch Safari to test.
    If that helped, turn one extension on then quit and relaunch Safari to test until you find the incompatible extension then click uninstall.

  • IPad can see wifi but no connection

    iPad 2 Wi-Fi can see the network and there is a tick against it. However, Safari cannot open a page and just hangs. Does anyone have any idea, please? iPhone works fine on the same Wi-Fi.
    Many thanks.

    A few more things that you can try.
    Turn WiFi off - restart the iPad - turn WiFi on again and then try to connect again. Restart the iPad by holding down on the sleep button until the red slider appears and then slide to shut off. To power up hold the sleep button until the Apple logo appears and let go of the button. Try to join again.
    Go to Settings>General>Reset>Reset Network Settings. Then select your WiFi network again and try to join again.
    Go to Settings>WiFi>Tap on the arrow next to your network name and then tap on Forget this Network in the next window. Then back out of the setting and go back to WiFi and let the iPad find your home network and then tap on the network name and try joining it again.
    Do the same thing as above except don't tap on Forget this Network - tap on Renew Lease at the bottom.

  • After upgrading to Lion, I can not connect to my NAS drive. I can see it but not connect. Any ideas?

    The drive is a LaCie 4 TB model. 2 (2) TB drives, configured RAID 0.

    Please follow these instructions:
    Lion: Connecting to legacy (pre-Lion) AFP services - and Mac OS X (server):
    https://discussions.apple.com/thread/3258472

  • Airport card can see networks but can't connect all of a sudden

    I have an older MacBook running 10.6.8 (snow leopard) and it's been working fine. All of a sudden, it can see networks, but cannot connect. I get an alert with an exclamation point and "no Internet connection". My iPad can connect just fine; same network, same location as usual, so I know it's not an issue with the network/router (my husband's computer works fine as well). If my airport card went, I wouldn't be able to see any networks at all, right?  Is there anything I can do?  My AppleCare has run out, due to the age of my computer and I don't want to put hundreds into fixing it, either (nor can I afford it). Has anyone had this happen?  Any suggestions?  Thanks!

    Hello sarcastabtch,
    The following article should be helpful in restoring your internet connection via WiFi.
    Wi-Fi: How to troubleshoot Wi-Fi connectivity
    http://support.apple.com/kb/HT4628
    Cheers,
    Allen

  • Zimbra Server - can receive email but not send

    I need to connect to a Zimbra Server for secure email - I can receive email but not connect. I get a connection refused error for sending email.
    I am using a G4 mac, Mac Mail, OS X 10.4.11, AT&T dsl service.
    Can anyone tell me what settings need to be changed to make the connection for outgoing email?
    Thanks!
    John

    I don't have a Zimbra server to try to connect to, but I see directions for setting up Zimbra for Mac's Mail elsewhere, like near the bottom of this page...
    http://its.lafayette.edu/help/email/zimbraclientupdate
    I see this one uses Port 465, which is different than the last one I checked.

  • I can Ping FW inside interface but can not connect to remote resources

    Dear all,
    I configured my ASA 5520 through ASDM to enable a VPN connection. I followed the Cisco steps and it works fine, and AnyConnect version 3.1 on Windows 8 (one day of troubleshooting for this point only) can connect and gets an IP address from the range, but I have something wrong in NAT, maybe because all the guides talk about the old ASDM (NAT Exempt) and I am confused about how to apply it in the new ASDM.
    I can ping the inside interface from my laptop, which is using AnyConnect, but I cannot access anything else inside my network.
    If anyone has a solution, please describe it using ASDM. Thanks for the help.
    This is my configuration:
    interface GigabitEthernet0/1
    description
    nameif SRV_ZONE
    security-level 50
    ip address 192.168.1.1 255.255.255.0
    interface GigabitEthernet0/2
    description
    nameif TRUST_ZONE
    security-level 100
    ip address 172.17.200.1 255.255.255.0
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif MGMT
    security-level 0
    ip address 10.10.10.1 255.255.255.0
    dns server-group DefaultDNS
    domain-name xxx.xxx.xxx
    object network obj-192.168.1.11
    host 192.168.1.11
    object network obj-xxx.xxx.xxx.xxx
    host xxx.xxx.xxx.xxx
    object service obj-tcp-source-eq-25
    service tcp source eq smtp
    object network obj-192.168.1.12
    host 192.168.1.12
    object network obj-xxx.xxx.xxx.xxx
    host xxx.xxx.xxx.xxx
    object network obj-192.168.1.0
    subnet 192.168.1.0 255.255.255.0
    object service obj-tcp-eq-25
    service tcp destination eq smtp
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network obj-0.0.0.0
    host 0.0.0.0
    object network obj_any-01
    subnet 0.0.0.0 0.0.0.0
    object network obj-172.17.8.8
    host 172.17.8.8
    object network obj-172.17.0.0
    subnet 172.17.0.0 255.255.0.0
    object network obj_any-02
    subnet 0.0.0.0 0.0.0.0
    object network obj_any-03
    subnet 0.0.0.0 0.0.0.0
    object network obj_any-04
    subnet 0.0.0.0 0.0.0.0
    object network obj_any-05
    subnet 0.0.0.0 0.0.0.0
    object network obj_any-06
    subnet 0.0.0.0 0.0.0.0
    object network obj.172.17.8.115
    host 172.17.8.115
    object network obj.xxx.xxx.xxx.xxx
    host xxx.xxx.xxx.xxx
    object service http
    service tcp source eq www destination eq www
    object network obj.xxx.xxx.xxx.xxx
    host xxx.xxx.xxx.xxx
    object service https
    service tcp source eq https destination eq https
    object service newservice
    service tcp source eq pop3 destination eq pop3
    object network mail
    host 172.17.8.8
    description mail     
    object network 192.168.1.11
    host 192.168.1.11
    description smtp     
    object service smtpnew
    service tcp source eq 587 destination eq 587
    object network VPN_RANGE
    description VPN ACCESS RANGE  
    object network VPN_PoOL
    subnet 172.17.16.0 255.255.255.0
    description vpn
    object-group network DM_INLINE_NETWORK_1
    network-object host 192.168.1.11
    network-object host 192.168.1.12
    object-group network Eighth_Floor
    network-object 172.17.8.0 255.255.255.0
    object-group service WEB_SERVICES
    service-object tcp destination eq www
    object-group network ENT_SERVERS
    network-object host 192.168.1.11
    network-object host 192.168.1.1
    object-group network DM_INLINE_NETWORK_2
    network-object 172.17.200.0 255.255.255.0
    network-object 172.17.8.0 255.255.255.0
    object-group service DM_INLINE_TCP_2 tcp
    port-object eq www
    port-object eq https
    port-object eq smtp
    object-group service web tcp
    port-object eq www
    port-object eq xxx
    port-object eq ftp
    port-object eq xxx
    port-object eq xxx
    object-group service xxx_Web_and_Email
    service-object object http
    service-object tcp destination eq pop3
    service-object tcp destination eq smtp
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group protocol DM_INLINE_PROTOCOL_1
    protocol-object udp
    protocol-object tcp
    object-group protocol DM_INLINE_PROTOCOL_2
    protocol-object ip
    object-group protocol DM_INLINE_PROTOCOL_3
    protocol-object ip
    access-list DMZ_access_in extended permit ip 192.168.1.0 255.255.255.0 172.17.0.0 255.255.0.0
    access-list DMZ_access_in extended permit ip 192.168.1.0 255.255.255.0 any
    access-list justice_splitTunnelAcl standard permit 10.100.100.0 255.255.255.0
    access-list xxx-VPN_splitTunnelAcl remark vpn
    access-list xxx-VPN_splitTunnelAcl standard permit 172.17.16.0 255.255.255.0
    access-list xxx-VPN_splitTunnelAcl standard permit any
    access-list cap extended permit tcp any host xxx.xxx.xxx.xxx eq smtp log
    access-list cap1 extended permit tcp host 192.168.1.11 any eq smtp
    access-list SRV_ZONE_nat_outbound extended permit tcp 192.168.1.0 255.255.255.0 any eq smtp
    access-list SRV_ZONE_nat_outbound extended permit ip host 192.168.1.11 any
    access-list TRUST_ZONE_access_in extended permit ip host 172.17.88.108 any
    access-list TRUST_ZONE_access_in extended permit object-group DM_INLINE_PROTOCOL_2 10.10.3.0 255.255.255.0 any
    access-list TRUST_ZONE_access_in extended permit object-group DM_INLINE_PROTOCOL_3 10.10.50.0 255.255.255.0 any
    access-list TRUST_ZONE_access_in extended permit ip 172.17.8.0 255.255.255.0 any
    access-list TRUST_ZONE_access_in extended permit ip 172.17.200.0 255.255.255.0 any
    access-list TRUST_ZONE_access_in extended permit ip 172.17.0.0 255.255.0.0 host 192.168.1.12
    access-list TRUST_ZONE_cryptomap extended permit ip xxx.xxx.xxx.xxx 255.255.255.248 any
    access-list outside_access_in extended permit tcp any host 192.168.1.11 eq smtp
    access-list outside_access_in extended permit tcp any host 172.17.8.8 eq www
    access-list outside_access_in extended permit tcp any host 192.168.1.12 object-group web
    access-list outside_access_in extended permit tcp any host 172.17.8.8 eq pop3
    access-list outside_access_in extended permit ip 172.17.16.0 255.255.255.0 any inactive
    access-list vpn remark vpn
    access-list vpn standard permit 172.17.16.0 255.255.255.0
    pager lines 24
    logging enable
    logging trap informational
    logging asdm informational
    logging host TRUST_ZONE 172.17.8.100
    mtu INT_ZONE 1500
    mtu SRV_ZONE 1500
    mtu TRUST_ZONE 1500
    mtu MGMT 1500
    ip local pool VPN_POOL 172.17.16.100-172.17.16.254 mask 255.255.255.0
    ip verify reverse-path interface INT_ZONE
    ip verify reverse-path interface SRV_ZONE
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any SRV_ZONE
    icmp permit any TRUST_ZONE
    asdm image disk0:/asdm-635.bin
    no asdm history enable
    arp timeout 14400
    nat (SRV_ZONE,INT_ZONE) source static obj-192.168.1.11 obj-xxx.xxx.xxx.xxx service any obj-tcp-source-eq-25
    nat (SRV_ZONE,INT_ZONE) source static obj-192.168.1.12 obj-xxx.xxx.xxx.xxx
    nat (SRV_ZONE,INT_ZONE) source dynamic obj-192.168.1.0 interface service obj-tcp-eq-25 obj-tcp-eq-25
    nat (INT_ZONE,SRV_ZONE) source static any any destination static 192.168.1.11 obj-172.17.8.8 service obj-tcp-source-eq-25 obj-tcp-source-eq-25
    nat (TRUST_ZONE,INT_ZONE) source static VPN_PoOL VPN_PoOL destination static VPN_PoOL VPN_PoOL
    object network obj_any
    nat (SRV_ZONE,INT_ZONE) dynamic obj-0.0.0.0
    object network obj_any-01
    nat (SRV_ZONE,MGMT) dynamic obj-0.0.0.0
    object network obj-172.17.8.8
    nat (TRUST_ZONE,INT_ZONE) static xxx.xxx.xxx.xxx service tcp www www
    object network obj-172.17.0.0
    nat (TRUST_ZONE,SRV_ZONE) static 172.17.0.0
    object network obj_any-02
    nat (TRUST_ZONE,INT_ZONE) dynamic interface
    object network obj_any-03
    nat (TRUST_ZONE,SRV_ZONE) dynamic interface
    object network obj_any-04
    nat (TRUST_ZONE,INT_ZONE) dynamic obj-0.0.0.0
    object network obj_any-05
    nat (TRUST_ZONE,SRV_ZONE) dynamic obj-0.0.0.0
    object network obj_any-06
    nat (TRUST_ZONE,MGMT) dynamic obj-0.0.0.0
    object network obj.172.17.8.115
    nat (TRUST_ZONE,INT_ZONE) static obj.xxx.xxx.xxx.xxx service tcp www www
    object network mail
    nat (TRUST_ZONE,INT_ZONE) static obj-xxx.xxx.xxx.xxx service tcp pop3 pop3
    nat (TRUST_ZONE,INT_ZONE) after-auto source static obj-172.17.8.8 obj-xxx.xxx.xxx.xxx service https https
    access-group outside_access_in in interface INT_ZONE
    access-group DMZ_access_in in interface SRV_ZONE
    access-group TRUST_ZONE_access_in in interface TRUST_ZONE
    route INT_ZONE 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
    route TRUST_ZONE 10.10.0.0 255.255.0.0 172.17.200.254 1
    route TRUST_ZONE 10.11.0.0 255.255.0.0 172.17.200.254 1
    route TRUST_ZONE 10.12.0.0 255.255.0.0 172.17.200.254 1
    route TRUST_ZONE 10.13.0.0 255.255.0.0 172.17.200.254 1
    route TRUST_ZONE 172.17.0.0 255.255.0.0 172.17.200.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication serial console LOCAL
    http server enable
    http 172.17.8.0 255.255.255.0 TRUST_ZONE
    http 172.17.8.155 255.255.255.255 TRUST_ZONE
    http 172.17.8.45 255.255.255.255 TRUST_ZONE
    http 10.10.10.2 255.255.255.255 MGMT
    http 192.168.1.12 255.255.255.255 SRV_ZONE
    http 0.0.0.0 0.0.0.0 INT_ZONE
    http 172.17.200.0 255.255.255.0 TRUST_ZONE
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map pol 1 match address TRUST_ZONE_cryptomap
    crypto dynamic-map pol 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map INT_ZONE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map TRUST_ZONE_map0 1 ipsec-isakmp dynamic pol
    crypto map TRUST_ZONE_map0 interface TRUST_ZONE
    crypto map INT_ZONE_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map INT_ZONE_map0 interface INT_ZONE
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    fqdn SEC-xxx-FW1
    subject-name CN=SEC-xxx-FW1
    no client-types
    proxy-ldc-issuer
    crl configure
    crypto ca trustpoint ASDM_TrustPoint1
    enrollment self
    subject-name CN=SEC-xxx-FW1
    keypair sslvpnkeypair
    crl configure
    crypto ca certificate chain ASDM_TrustPoint0
    certificate 31
        57f4e52e 6b851966 77515d62 c209a0df 1c32ce94 bb90cbce 497cfd04 6745ea85
        efb75f85 2ae1ad35 344d94ab 915e01ab d3292626 ac697a52 b4ed6632 d3ed2332 ae
      quit
    crypto ca certificate chain ASDM_TrustPoint1
    certificate e6054352
        c64f3661 30f14c3d 06b5f039 9f14560d 3b154fd1 42782268 7531689e 8e547d91
        85e88415 e326f653 74733a6c a3f5c935 f7e83f56 f6
      quit
    crypto isakmp enable INT_ZONE
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 INT_ZONE
    ssh 172.17.8.0 255.255.255.0 TRUST_ZONE
    ssh 10.10.10.2 255.255.255.255 MGMT
    ssh timeout 5
    console timeout 0
    management-access TRUST_ZONE
    vpn load-balancing
    interface lbpublic INT_ZONE
    interface lbprivate INT_ZONE
    priority-queue INT_ZONE
      tx-ring-limit 256
    threat-detection basic-threat
    threat-detection scanning-threat
    threat-detection statistics host number-of-rate 3
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl trust-point ASDM_TrustPoint1 INT_ZONE
    webvpn
    enable INT_ZONE
    svc image disk0:/anyconnect-win-2.1.0148-k9.pkg 1
    svc enable
    tunnel-group-list enable
    group-policy xxx-VPN internal
    group-policy xxx-VPN attributes
    dns-server value xx.xx.xx.xx xx.xx.xx.xx
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value xxx-VPN_splitTunnelAcl
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol webvpn
    group-policy GPNEW internal
    group-policy GPNEW attributes
    dns-server value 172.17.8.41
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    default-domain value xxx.xxx.xxx
    address-pools value VPN_POOL
    username VPNAM password xxx encrypted
    username VPNAM attributes
    service-type remote-access
    vpn-group-policy xxx-VPN
    tunnel-group xxx-VPN type remote-access
    tunnel-group xxx-VPN general-attributes
    dhcp-server 172.17.8.41
    tunnel-group xxx-VPN ipsec-attributes
    pre-shared-key *****
    tunnel-group pol type ipsec-l2l
    tunnel-group pol ipsec-attributes
    pre-shared-key *****
    trust-point ASDM_TrustPoint0
    tunnel-group SSLClientProfile type remote-access
    tunnel-group SSLClientProfile general-attributes
    address-pool VPN_POOL
    default-group-policy GPNEW
    tunnel-group SSLClientProfile webvpn-attributes
    group-alias SSLVPNClient enable
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
      inspect ip-options
      inspect pptp
    service-policy global_policy global
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:78a941e3f509dec8f3570c60061eedaa
    : end

    Thank God,
    I solved the problem.
    The problem is in NAT.
    I created an object with the IP address host from the VPN pool and named it vpn,
    then I did the NAT from inside to that host as in the following picture...
    Trust zone is the inside zone.
    vpn is the outside VPN host...
    Thanks, and I hope it helps anyone else...

  • DNS Issues - Can ping server name and IPs but not FQDNs.

    Hi All, 
    Hopefully someone can help me here. I am having an issue where one of my domain-attached servers cannot ping any FQDNs in the environment, but it can ping the host names and the IPs and look up the host names from a reverse lookup.
    We have done the following troubleshooting:
    Flushed and registered DNS cache.
    Restarted the DNS client and net logon services on the affected server
    Performed standard checks and commands such as:
    Checked the event logs and found there were warnings for DNS registration.
    Compared the DNS settings in the network adapters across the rest of the servers in the environment and found that they were all the same. DNS Suffixes are added in the correct order and are set to register.
    Pinging FQDNs which is not giving any results.
    Tracert FQDNs which is also not giving any results.
    Nslookup which is querying the DNS server directly and giving results as expected
    Ran the command which reported successful: dcdiag /test:registerindns /dnsdomain:sub.domain.net /v
    Checked and updated the permissions on DNS for the affected server to give the server full control of its own DNS entry. 
    Replaced the DNS Client service DLL with one from a server that is working as expected. 
    Also worth noting is that the affected server (as well as every other server in the environment) has 2 NICs, one that communicates with DNS and AD and the other does not have any DNS IPs set. 
    Note this is not the first time this has happened; a reboot fixed the issue before, but it seems to be a reoccurring problem now.
    If anyone can shed some light on this issue I would be grateful.
    Regards,
    Steve. 

    Hi Steve,
    First, we should confirm if this issue is caused by DNS.
    When you ping the FQDN, does the server show the correct corresponding IP address?
    If no, there should be some error messages. If it is possible, please post the screenshot of this issue.
    To check how the server resolves the FQDN, please follow the steps below:
    1. Clear the local DNS cache with the command ipconfig /flushdns
    2. Perform the network capture
    3. Ping the specified FQDN
    4. Check the DNS traffic
    To download Network Monitor, please click the link below:
    http://www.microsoft.com/en-hk/download/details.aspx?id=4865
    Besides, have you tried to update the NIC driver to the latest version?
    Best Regards.
    Steven Lee
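
The symptom in this thread (nslookup answers, ping of the same FQDN does not) can be narrowed down by comparing the two resolution paths side by side. The following is an added example, not code from either poster: `Test-ResolverPath` is a hypothetical helper name, `server01` is a constructed host name under the thread's `sub.domain.net`, and it assumes Windows 8 / Server 2012 or later (DnsClient module) in an elevated PowerShell session.

```powershell
# Added example; server01 is a constructed host name, replace it with a failing FQDN.
$Fqdn = 'server01.sub.domain.net'

function Test-ResolverPath {
    param([Parameter(Mandatory)][string]$Name)

    # Path 1: the system resolver (DNS Client service), which ping and tracert use.
    # It applies the hosts file, the local cache and the per-NIC DNS settings.
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($Name)
        [pscustomobject]@{ Path = 'system resolver'; Server = '(local)'
                           Ok = $true; Answer = ($addrs -join ', ') }
    } catch {
        [pscustomobject]@{ Path = 'system resolver'; Server = '(local)'
                           Ok = $false; Answer = $_.Exception.Message }
    }

    # Path 2: a direct query to every DNS server configured on any NIC,
    # which is what nslookup does. -DnsOnly skips LLMNR and NetBIOS.
    $servers = (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses |
        Sort-Object -Unique
    foreach ($server in $servers) {
        try {
            $a = Resolve-DnsName -Name $Name -Server $server -Type A -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Type -eq 'A' }
            [pscustomobject]@{ Path = 'direct query'; Server = $server
                               Ok = [bool]$a; Answer = ($a.IPAddress -join ', ') }
        } catch {
            [pscustomobject]@{ Path = 'direct query'; Server = $server
                               Ok = $false; Answer = $_.Exception.Message }
        }
    }
}

# Same effect as ipconfig /flushdns, so Path 1 cannot be answered from a stale cache.
Clear-DnsClientCache
Test-ResolverPath -Name $Fqdn | Format-Table -AutoSize
```

If the direct queries succeed while the system resolver row fails, the fault is on the affected server's own resolver path rather than on the DNS servers, which is where the network capture from the steps above should then be focused.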

  • Can't connect via Screen Share or Web Server, but can ping and ssh

    Bit of an odd problem here.
    My Mountain Lion Mac Pro (called "Trogdor" for convenience) is connected to my work university network. I can ping it from anywhere-- elsewhere on the network, from home behind a firewall. Can connect over ssh from everywhere. I can also connect to other computers (on the same network or at home behind a firewall) from Trogdor via ssh, Screen Sharing, etc.
    But I can't Screen Share into Trogdor, and I can't connect to Trogdor's built-in web server, either system-wide (in /Library/WebServer) or for my username (~/Sites). (I can connect to the web server from Trogdor.)
    Note that I can do both of these for other computers on the same network (same subnet, etc), so it's not a network issue. I can't do these from anywhere: same network or from home. I have this problem whether I use Trogdor's hostname or its IP address. (I can look up its hostname using the IP address with the "host" tool in Terminal, and vice versa.)
    So it sounds like a port issue, right? Except I don't think I've ever messed with my port settings directly. How do I diagnose the problem? Should I scan my ports? Can I return port settings to default?
    Thanks!
    Message was edited by: supercres

  • Can't see PC's on network, but can ping them, connect to server etc

    Hi All
    I'm experiencing something pretty bizarre.
    I have a small network at my office. There are 3 PC's, and 2 Macs, one of them a Mac Mini running 10.6.5. All computers are set to the same workgroup. All the PCs can see all the Macs, no problem.
    Yet my Mac Mini can (most of the time) only see the other Mac. (When I use Go > Network).
    I can ping all the PC's from the Mac Mini. But they won't show up in the network view.
    The annoying thing is sometimes I can see all the PC's (there's no pattern to it!) and I have connected to a printer on one of the PC's. With that particular PC, if I use 'Connect to Server' I get
    'Select the volumes you want to mount on "packing-pc"' but there are no volumes in the list.
    What's really bugging me is that sometimes all the PCs are there when I view the network, and sometimes they aren't.
    Anyone got any ideas please? I'm pulling my hair out! I wanna ditch my PC at work but until I can print reliably (to the PC with the printer attached) I can't!
    Thanks in anticipation!
    Mark

    I'm wondering if this is connected?
    http://social.technet.microsoft.com/Forums/en/w7itpronetworking/thread/2c98eb8c-8234-4060-b8a7-e484ca29df72
