Company network access over VPN through a Livebox

Hello,
      I am running into a problem that I will try to explain as clearly as possible. I am temporarily in charge of IT for a company. I have just issued two DELL laptops to two members of that company. They often work outside the company and reach the company's servers via Cisco AnyConnect. These two people cannot connect from home through their personal boxes. The common factor is the Internet provider: ORANGE, so both are Liveboxes.
      I took the PCs back for a "consultation": I brought them to lunch with me at a restaurant with free Wi-Fi => no problem. I then "invited" them to my home to test through my BOUYGUES box => no problem either. I think the configuration of their box, and in particular its built-in firewall, must be the key to the problem, but I do not know what configuration to have them adopt.
      If you have already run into this problem, and above all if you have solved it, thank you for your attention and in advance for your help. I should also mention that I issued these PCs to replace older DELL laptops that had become obsolete, and that with those PCs there was no problem at all.
Regards,
Bruno LEVY
IT Support A.SCHULMAN France


Similar Messages

  • How do I connect a Time Capsule and a Livebox over Ethernet to take advantage of the Time Capsule's power?

    Hello,
    I have a Time Capsule that I used as a Wi-Fi base station for WiMAX (Internet over an antenna).
    Now I am with Orange and have a Livebox, but I cannot get the TC to connect to the Livebox to recreate my network.
    Do you know the exact procedure to follow?
    I want to link the Livebox to the TC with an Ethernet cable, and not use the Livebox's Wi-Fi but only the TC's.
    Thanks.

    In the Tools menu, at the very bottom, choose Options..., then go to Colors.
    I have not yet found how to do it programmatically, but I am looking.
    Chilly Charly    (aka CC)
             E-List Master - Kudos glutton - Press the yellow button on the left...

  • How can I retrieve a character string from a file (e.g. a txt file) at a specified line and a specified column with our lovely LabVIEW software

    Hi all,
    How can I retrieve a character string from a file (e.g. a txt file) at a specified line and a specified column with our lovely LabVIEW software?
    Thx
    Nizar

    If your file is a spreadsheet file, what yohann said seems best to me. If on the other hand it is a text file containing a string in spreadsheet format (tab-separated), you need to use "Read from Text File" + "Spreadsheet String to Array" and then index the cell you are interested in.
    Now, if you have a plain text file and want to read a line/column pair that designates one specific character, you need to use "Set File Position", knowing the width of your text file, and then all you have to do is enter as the offset: line_index*width+column_index, like an old reminiscence of C.
    Sebastien DEVISSCHER - Nerys

  • Problems deploying par file via Netweaver Developer Studio

    Hello,
    I have problems deploying a par file using the SAP NetWeaver Developer Studio.
    In the SNWDS I configure the following:
    Window -> Preferences -> SAP Enterprise Portal
    Alias: IEP
    Host: khz059
    Port: 52900
    Login: Administrator
    Description: Testportal
    The logon URL of the portal is http://khz059:5290052900/irj/portal
    If I try to upload a par file via "Quick PAR Upload" I get the error messages:
    "Unable to connect to the portal
    Operation failed: Please make sure the server 'IEP' (khz059:52900) is running or check the log (sap-plugin.log) for more detail."
    Am I using the proper settings? Am I using the wrong port?
    I don't know what's wrong.
    Can anyone help me?
    The logfile shows:
    [12.09.05 / 14:53] #ERROR LEVEL# com.sap.portal.developmentTools.ideSpecific.eclipse.wizards.sapmakepar.SAPMPWizard$1 > No Information
    java.io.IOException: Error writing to server
         at sun.net.www.protocol.http.HttpURLConnection.writeRequests(HttpURLConnection.java:302)
         at sun.net.www.protocol.http.HttpURLConnection.writeRequests(HttpURLConnection.java:314)
         at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:634)
         at com.sap.portal.developmentTools.general.wizards.upload.DeployEngine.readResponse(DeployEngine.java:361)
         at com.sap.portal.developmentTools.general.wizards.upload.DeployEngine.uploadPar(DeployEngine.java:433)
         at com.sap.portal.developmentTools.general.wizards.upload.DeployEngine.deploy(DeployEngine.java:220)
         at com.sap.portal.developmentTools.ideSpecific.eclipse.wizards.sapmakepar.SAPMPWizard$1.processUpload(SAPMPWizard.java:404)
         at com.sap.portal.developmentTools.ideSpecific.eclipse.wizards.sapmakepar.SAPMPWizard$1.run(SAPMPWizard.java:338)
         at org.eclipse.jface.operation.ModalContext.runInCurrentThread(ModalContext.java:302)
         at org.eclipse.jface.operation.ModalContext.run(ModalContext.java:252)
         at org.eclipse.jface.wizard.WizardDialog.run(WizardDialog.java:758)
         at com.sap.portal.developmentTools.ideSpecific.eclipse.wizards.sapmakepar.SAPMPWizard.performFinish(SAPMPWizard.java:519)
         at org.eclipse.jface.wizard.WizardDialog.finishPressed(WizardDialog.java:608)
         at org.eclipse.jface.wizard.WizardDialog.buttonPressed(WizardDialog.java:321)
         at org.eclipse.jface.dialogs.Dialog$1.widgetSelected(Dialog.java:423)
         at org.eclipse.swt.widgets.TypedListener.handleEvent(TypedListener.java:89)
         at org.eclipse.swt.widgets.EventTable.sendEvent(EventTable.java:81)
         at org.eclipse.swt.widgets.Widget.sendEvent(Widget.java:840)
         at org.eclipse.swt.widgets.Display.runDeferredEvents(Display.java:2022)
         at org.eclipse.swt.widgets.Display.readAndDispatch(Display.java:1729)
         at org.eclipse.jface.window.Window.runEventLoop(Window.java:583)
         at org.eclipse.jface.window.Window.open(Window.java:563)
         at com.sap.portal.developmentTools.general.uploader.QuickPARUploader.run(QuickPARUploader.java:146)
         at org.eclipse.ui.internal.PluginAction.runWithEvent(PluginAction.java:251)
         at org.eclipse.jface.action.ActionContributionItem.handleWidgetSelection(ActionContributionItem.java:456)
         at org.eclipse.jface.action.ActionContributionItem.handleWidgetEvent(ActionContributionItem.java:403)
         at org.eclipse.jface.action.ActionContributionItem.access$0(ActionContributionItem.java:397)
         at org.eclipse.jface.action.ActionContributionItem$ActionListener.handleEvent(ActionContributionItem.java:72)
         at org.eclipse.swt.widgets.EventTable.sendEvent(EventTable.java:81)
         at org.eclipse.swt.widgets.Widget.sendEvent(Widget.java:840)
         at org.eclipse.swt.widgets.Display.runDeferredEvents(Display.java:2022)
         at org.eclipse.swt.widgets.Display.readAndDispatch(Display.java:1729)
         at org.eclipse.ui.internal.Workbench.runEventLoop(Workbench.java:1402)
         at org.eclipse.ui.internal.Workbench.run(Workbench.java:1385)
         at com.tssap.util.startup.WBLauncher.run(WBLauncher.java:79)
         at org.eclipse.core.internal.boot.InternalBootLoader.run(InternalBootLoader.java:858)
         at org.eclipse.core.boot.BootLoader.run(BootLoader.java:461)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:324)
         at com.sap.ide.eclipse.startup.Main.basicRun(Main.java:291)
         at com.sap.ide.eclipse.startup.Main.run(Main.java:789)
         at com.sap.ide.eclipse.startup.Main.main(Main.java:607)
    Best regards,
    Nils Kloth

    Hi Nils,
    I think you must have selected the default checkbox (try unchecking that). Also uncheck the checkbox for "Yes, I want to remember the password for deployment" if it is also selected. When you deploy the par file now, enter the password and try to deploy. I think this will solve your problem.
    Apart from this, try this method of deploying the PAR file.
    1) Save your project. Right click it and "Quick PAR Upload".
    2) On your browser type
    "http://<your_server_name>:50000/irj/servlet/prt/portal/"
    Your case:
    http://khz059:52900/irj/servlet/prt/portal/
    or you can get the same page by navigating:
    System Administration-> Support-> Portal Runtime-> Administration Console.
    3) At the option "Please specify a Portal Archive file (PAR) and press "upload" to store it into the PCD." deploy your par file by giving the path.
    Now your file is deployed on the server. If you want to create an iView from this deployed .par file then:
    1) On your portal, follow the path: Content Administrator-> Portal Content -> Portal Content (sub-option). Right click -> New from par -> iView.
    2) Here in the list you will find the par file which you have uploaded. Proceed as said.
    3) You will finally have an iView. Right click it and preview it.
    I hope this solves your problem.
    Regards
    Pravesh
    PS: Please consider rewarding points if helpful.

  • How can I connect to a VPN via PPTP?

    Hello,
    I am a foreigner living in Taiyuan, the capital city of Shanxi Province, in China. I bought my MacBook in the summer of 2006. It still works perfectly except I cannot connect to the internet here at the university.
    The internet here is split into two parts: local and international. The Ethernet connection allows me to access Chinese websites, but nothing else. It sounds counterintuitive but really, that's how it is. In order to get the rest of the world, all computers have to connect to a VPN via PPTP. Once this is established, voila, you have internet.
    My problem is I cannot seem to connect to the VPN. I have used Internet Connect, I have created a VPN via PPTP, and put in all the right numbers...
    the VPN IP is 202.207.128.115
    the username is tyut
    the password is tyut
    But when I try to connect, it just says it can't. Nobody at the university has been helpful because they've never used a Mac before, and besides which, they aren't used to using a computer in English.
    Can anyone help me? Or does anyone know how to get in touch with Apple Services in China (in English)?

    Yeah, but that's not the problem here. I'm an English teacher at Taiyuan University of Technology (the irony does not escape me). The other teachers have PCs and can get full internet in their apartment. Since I have a mac, it's much harder for the school technicians to help me.
    This is what my log says from the VPN connection (which does connect now.)
    Mon Oct 29 16:05:52 2007 : PPTP connecting to server '202.207.128.115' (202.207.128.115)...
    Mon Oct 29 16:05:52 2007 : PPTP connection established.
    Mon Oct 29 16:05:52 2007 : Using interface ppp0
    Mon Oct 29 16:05:52 2007 : Connect: ppp0 <--> socket[34:17]
    Mon Oct 29 16:05:52 2007 : local IP address 172.30.1.252
    Mon Oct 29 16:05:52 2007 : remote IP address 172.30.1.2
    But I still can't load any pages from the VPN connection, just the regular ethernet connection (local internet). It doesn't work if I use IP addresses instead. :-/ I unselected "send all traffic over the VPN connection" because if it's selected, I don't even get local internet.
    Looking online I found a possible fix, but it's for Windows XP. I don't know how to find the same settings on the Mac...For Windows XP:
    1. Click Start -> Control Panel
    2. Click on the Network and Internet Connections icon and then click "Network Connections". If your Control Panel is in classic view, simply double click the "Network Connections" icon.
    3. Right click on the new VPN connection and select Properties
    4. Select the "Networking" tab
    5. Verify that Internet Protocol (TCP/IP) is highlighted
    6. Click on the Properties button
    7. Within the Internet Protocol (TCP/IP) properties window, click on the "Advanced..." button. Within the Advanced TCP/IP Settings window, REMOVE the check mark next to "Use default gateway on remote network"
    8. Click "OK" to close all open windows
    Where would the "default gateway on remote network" be on a Mac?
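    The post above shows a tunnel that is "up" (ppp0 has a local and a remote address) yet carries nothing, and the Windows procedure it quotes is about the default-gateway route. The following is an added example, not code from the thread or from Apple, that models the two states of the "Send all traffic over VPN connection" checkbox as a routing table with longest-prefix matching, so the routing reason for "connected but no pages load" is visible. The addresses come from the posted log (ppp0 local 172.30.1.252, peer 172.30.1.2, server 202.207.128.115); the campus LAN prefix, its gateway and the remote networks are constructed assumptions. It says nothing about PPTP's cryptography, which (MS-CHAPv2) is broken and should not be relied on for confidentiality.

```python
"""Added example: split-tunnel vs. full-tunnel routing for a PPTP client.

Assumptions (not from the thread): LAN 10.1.0.0/16 on en0 with gateway
10.1.0.1, and a remote network 172.30.0.0/16 behind the VPN.
"""

import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    gateway: Optional[str] = None  # None: destination is directly on-link


def lookup(table: Sequence[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; on equal prefix length the earlier entry wins,
    which is how the VPN default route is made to override the LAN one."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for route in table:
        if addr in route.prefix and (
            best is None or route.prefix.prefixlen > best.prefix.prefixlen
        ):
            best = route
    return best


LAN_GATEWAY = "10.1.0.1"  # assumed campus gateway
LAN_ROUTES = [
    Route(ipaddress.ip_network("10.1.0.0/16"), "en0"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "en0", gateway=LAN_GATEWAY),
]

# Routes the PPTP client installs when the tunnel comes up: the ppp0 peer
# itself, and a host route pinning the VPN server to the physical path so the
# TCP/1723 control channel and the GRE packets never get routed into the tunnel.
TUNNEL_ROUTES = [
    Route(ipaddress.ip_network("172.30.1.2/32"), "ppp0"),
    Route(ipaddress.ip_network("202.207.128.115/32"), "en0", gateway=LAN_GATEWAY),
]


def routing_table(send_all_traffic: bool, remote_networks: Sequence[str] = ()) -> List[Route]:
    """Checkbox ticked: a default route via ppp0 is inserted ahead of the LAN
    default. Unticked (split tunnel): only the prefixes in remote_networks go
    through ppp0; everything else stays on en0, so with an empty list the
    tunnel is up but never used."""
    table = list(TUNNEL_ROUTES)
    if send_all_traffic:
        table.append(Route(ipaddress.ip_network("0.0.0.0/0"), "ppp0", gateway="172.30.1.2"))
    for net in remote_networks:
        table.append(Route(ipaddress.ip_network(net), "ppp0", gateway="172.30.1.2"))
    return table + LAN_ROUTES


def egress_interface(send_all_traffic: bool, dst: str, remote_networks: Sequence[str] = ()) -> str:
    route = lookup(routing_table(send_all_traffic, remote_networks), dst)
    return route.interface if route else "unroutable"


def macos_split_tunnel_commands(remote_networks: Sequence[str]) -> List[str]:
    """The macOS equivalent of the Windows steps quoted above (checkbox off,
    then static routes for the remote side), in BSD route syntax."""
    return [f"sudo route -n add -net {net} -interface ppp0" for net in remote_networks]


if __name__ == "__main__":
    for ticked in (True, False):
        for dst in ("8.8.8.8", "10.1.2.3", "202.207.128.115"):
            print(f"send_all={ticked!s:5} {dst:>16} -> {egress_interface(ticked, dst)}")
    print("\n".join(macos_split_tunnel_commands(["172.30.0.0/16"])))
```

    With the checkbox off and no static routes, every destination except the ppp0 peer resolves to en0: the tunnel exists but nothing is sent through it. With it on, the ppp0 default wins for Internet destinations while the LAN and the VPN server's host route stay on en0; if local sites then stop loading, the cause is something other than the route table (typically DNS now being answered through the tunnel), which this model does not cover.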

  • Issues Accessing VPN via Time Capsule

    My work has a VPN (via Palo Alto's Global Protect) set-up to allow for remote desktop connections.  For some future projects, it is really important that I get this working.  However, I am running into an issue that is directly related to my Apple Time Capsule (an older "flat" model, part number MC343AM/A, running the latest firmware, v7.6.4).
    Basically, I can access the VPN and remote desktop no problem if I connect my computer directly to the modem (or if I tether my computer to my phone).  However, if I connect the laptop to the router, then the VPN connects and is stable (as verified by my work's IT department), but I lose all other internet connectivity, and am unable to actually connect to the remote desktop.  This occurs if I use WiFi or connect through ethernet, and I've verified that it happens on two different computers (an iMac, and a MacBook Pro). 
    I'm wondering if it is because I use a MAC address filter to assign static IP addresses to the devices on my network?  Are there any other settings I should change on the Time Capsule to allow for the VPN passthrough?  Before I factory reset the router and lose all of my configurations (e.g., wifi security settings, etc), I was hoping someone might have run into a similar issue and would have some advice!
    Any tips would be extremely appreciated.
    Best,
    Matt

    Before I factory reset the router and lose all of my configurations (e.g., wifi security settings, etc),
    We can fix that.. export your configuration.. The TC must be open in edit area for this option to work. So at least you don't need to lose settings.
    7.6.4 has some real issues with ports.. That it establishes the vpn ok is good but it is clearly not able to pass some of the ports that are required. Are you able to ping or copy files at all over the tunnel??  it might be caused by a number of things. But you should realise that once the tunnel is open the computer is working on a different subnet.. and its own internal firewall can have issues.. or other issues at the other end.
    I would have a try at taking the firmware back to 7.6.1 and even 7.5.2 can be a good test.. since it is before BTMM with iCloud where the TC would also complicate things with ipsec security.
    To downgrade firmware simply hold down the option key while you click the version number.

  • Protecting network access to a PXI via MAX?

    Hello,
    1) I control a PXI (PXI-1036 chassis + PXI-6511 & 6512 digital I/O modules) over a local network.
    The chassis and the modules therefore appear in the "Remote Systems" tree in MAX from any workstation connected to the network. Consequence: when the output channels are not reserved by DAQmx tasks (program stopped, for example), their state can be changed directly in MAX with a simple test panel (see attachment), from any PC and without having to log in (so without a password)... which poses a serious security problem for the equipment that stays connected to the PXI!
    For FieldPoint systems, access restrictions by IP address can be configured in MAX (under the "FieldPoint Access Control" tab)... but apparently nothing of the kind exists for PXI systems.
    Is there a way to permanently protect the state of the PXI output channels from unwanted changes over the network, and to prevent a remote reservation of I/O channels that would block the program from accessing them?
    2) The same problem seems to apply to software reboots: for FieldPoint systems, MAX can prevent a remote reboot without a password. But I cannot find an equivalent function for PXI! I was thus able, without a password, to reboot the PXI from MAX on a PC on the network... which again poses security problems.
    Is there a way to block this possibility?
    Thanks in advance,
    H.L.
    Attachments:
    PXI.png ‏118 KB

    Thanks for the reply.
    - On point 1, the PXI has a fixed address; I will see what I can do with the network administrator about access restrictions, but it is a pity not to have an "Access Control" tab in MAX for PXI systems, as there is for FieldPoint systems!
    - On point 2: I had in fact solved the reboot-protection problem with the "Lock Target" VI in LabVIEW (which adds a Protect_Reboot="TRUE" key to the ni-rt.ini file).
    On the other hand, I do not see how to do the same locking in MAX, as I see no "Protect reboots" checkbox in the System Settings tab of the remote system (whether or not I am logged in as administrator)!
    Regards,
    H.L.
    Attachments:
    Connecté.png ‏72 KB
    Déconnecté.png ‏74 KB
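    The reply above names the only hardening handle the thread found for a PXI target: the Protect_Reboot="TRUE" key that the "Lock Target" VI writes into ni-rt.ini. The script below is an added example, neither NI's code nor the poster's, that audits an ni-rt.ini for that key and produces a hardened copy when it is missing or not TRUE. The sample file content is constructed; the section the key belongs in is taken from wherever the existing file already has it, and the [LVRT] fallback used when no section has it is an assumption. Note what this does and does not cover: it blocks unauthenticated remote reboots (the poster's point 2); the unauthenticated test-panel writes of point 1 are left, as in the thread, to network-level access restrictions.

```python
"""Added example: audit and harden the Protect_Reboot key in ni-rt.ini.

Assumptions: keys are case-sensitive and the value may be quoted, as in the
Protect_Reboot="TRUE" form quoted in the thread; [LVRT] is only a fallback.
"""

import configparser
import io
from pathlib import Path

# Constructed sample of a target file without the key (keys are illustrative).
SAMPLE_NI_RT_INI = """\
[LVRT]
RTTarget.ApplicationPath=/c/ni-rt/startup/startup.rtexe
RTTarget.LaunchAppAtBoot=True
"""

KEY = "Protect_Reboot"


def _parser() -> configparser.ConfigParser:
    p = configparser.ConfigParser(interpolation=None)
    p.optionxform = str  # keep key case exactly as the target expects it
    return p


def reboot_protected(ini_text: str) -> bool:
    """True only if some section carries Protect_Reboot with a TRUE value
    (quotes and case of the value ignored); absent or FALSE means unprotected."""
    p = _parser()
    p.read_string(ini_text)
    for section in p.sections():
        if KEY in p[section]:
            return p[section][KEY].strip('"').upper() == "TRUE"
    return False


def harden(ini_text: str, default_section: str = "LVRT") -> str:
    """Return the file content with Protect_Reboot="TRUE" set. Idempotent:
    hardening an already hardened file yields the same text."""
    p = _parser()
    p.read_string(ini_text)
    target = next((s for s in p.sections() if KEY in p[s]), default_section)
    if not p.has_section(target):
        p.add_section(target)
    p[target][KEY] = '"TRUE"'
    out = io.StringIO()
    p.write(out, space_around_delimiters=False)
    return out.getvalue()


def harden_file(path: str) -> bool:
    """Rewrite the file in place if needed; returns True when it was changed.
    The target must be rebooted afterwards for the setting to take effect."""
    original = Path(path).read_text()
    if reboot_protected(original):
        return False
    Path(path).write_text(harden(original))
    return True


if __name__ == "__main__":
    print("protected before:", reboot_protected(SAMPLE_NI_RT_INI))
    hardened = harden(SAMPLE_NI_RT_INI)
    print(hardened)
    print("protected after:", reboot_protected(hardened))
```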

  • Problem accessing the phone network

    My iPhone 5s has been continuously searching for a phone network since I did the iOS 8.0.2 update. Why?

    try using a different browser or clearing your adobe.com cookies

  • On an AirPort Extreme the Wi-Fi works but not the guest network access

    hello
    the Wi-Fi works on the AirPort Extreme base station
    but it is impossible to activate the guest network
    thanks for your help

    Thanks!
    But it still gives me the same result, a blank page with a very long URL:
    https://ims-na1.adobelogin.com/ims/adobeid/SunbreakWebUI1/AdobeID/token?redirect_uri=https %3A%2F%2Faccounts.adobe.com%2F…
    Any ideas?

  • Transferring data from a network analyzer to the PC over a GPIB link

    I am trying to write a program to automate the measurement of S-parameters of electronic components.
    I cannot retrieve the measurement file (*.flp), which is stored on the hard disk of the network analyzer (Rohde & Schwarz ZVCE), and save it to my PC's hard disk.
    I am counting on you to help me finish my program in LabWindows/CVI.
    Awaiting your reply, yours faithfully,
    R.SCHUBERT.

    Hello,
    I advise you to use the instrument driver for the ZVCE, which provides CVI programming examples:
    LabWindows/CVI Plug and Play Instrument Driver for ZVCE - Vector Network Analyzer
    http://zone.ni.com/idnet97.nsf/9b2b33e1993d877786256436006ec498/df996ac5cf16286d862568ab005fb99e?OpenDocument
    This driver is supported by Rohde&Schwarz.
    " This instrument driver is NOT supported or maintained by National Instruments. This driver is maintained and supported by the instrument manufacturer or a third party. The following manufacturer or third-party contact has agreed to provide technical support for this driver. Please direct all questions regarding this instrument driver to them."
    Company: Rohde & Schwarz
    Contact Name: Customer Support
    Phone: +49-(0)1805-124242
    Technical Support E-mail Contact: [email protected]
    Support URL: http://www.rohde-schwarz.com
    Good luck.
    Matthieu Gourssies.

  • Can't connect to work server (windows) on MacBook Pro through VPN - via router

    Due to the nature of my job now, I am working remotely.
    The IT department hooked me up with a MacBook Pro that connects to our work server, which I know is Windows-based, via a VPN. The VPN connects just fine; however, when I go to connect to the server—it doesn't find it. It gives me:
    The server “dc03” may not exist or it is unavailable at this time. Check the server name or IP address, check your network connection, and then try again.
    Interestingly enough, the first time I used it (at Starbucks, then McDonald's) it worked, but at home it wouldn't. We isolated the issue to the router, since I could do it when plugged in, but no one could figure out what kind of settings were different or weird. I went to the store and bought 2 other routers. One worked, the Linksys, but the Belkin did. WHAT? So the cheaper one worked? This was the easiest solution, because I still don't know the bottom line: why?
    Now, a local spot in town that I frequent—one that used to allow me to connect to my work server—changed routers (the "newest, fastest" AVIS). So now, I cannot connect and get that same message.
    My IT guys are stumped. I don't personally know enough about this side of technology to be of any use.
    Does anyone have any idea what's going on?

    What is the make & model of the new wireless router that you ISP has provided you? Are you able to administer it if needed?
    For the MacBook Pro, try the following, in order, until (hopefully) resolved:
    1a. Delete Preferred Network(s)
    System Preferences > Network > Wi-Fi > Advanced > Wi-Fi tab
    Under "Preferred Networks," delete the network(s) you regularly use from the list.
    1b. Delete AirPort Keychain Entries
    Launch the "Keychain Access" application located in Applications/Utilties.
    In the windows on the left side: Select login for Keychains and "All Items" for Category.
    Click on the "Kind" filter at the top, and look for any "AirPort network password" entries...and delete them.
    1c. Add Preferred Network(s)
    System Preferences > Network > Wi-Fi > Advanced > Wi-Fi tab
    Add the preferred network(s) using the "+" button.
    Restart or log out then back in.
    2. Move System Configuration Files
    (Note: You will have to reestablish your network connections settings.)
    Go to /Library/Preferences
    Move the SystemConfiguration folder to the desktop.
    Restart your Mac. (Note: OS X will rebuild the files that are now sitting on your desktop. If this doesn't resolve the issue, you can move the folder back to its original location.)

  • How to disconnect ASA 5505 site-to-site VPN via SSL?

    Hi all,
            sorry, bit of a newbie so this may be trivial.
    We have an ASA 5505 which has two IPSEC site-to-site VPN tunnels. One to another ASA works just fine but the other to a Checkpoint VPN locks up occasionally. I've given up on sorting the actual problem and for now we're logging it out via ASDM where it reconnects and all is fine again.
    What I'd like to do is automate this logout using the SSH interface if we detect an issue with the connection. Can anyone point me in the general direction of documentation to do this please?

    I would stick with site-to-site vpn instead of Easy VPN NEM (Network Extension Mode) for your setup.
    Can you pls share the full config on both HQ and New Facility so we can see if everything has been included in the configuration.
    Pls check your NAT statement to see if you have configure NAT exemption for that VoIP network.
    HQ should also have crypto ACL that include the VoIP network.
    What is the gateway currently configured on your PBX? and what device is that? how is the routing on that device that is set as your PBX default gateway? If you can share a topology diagram that would help too.
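    The question above (automating the tear-down of a site-to-site tunnel that "locks up", from the SSH CLI, once a problem is detected) got no direct answer in the thread. The following is an added example, not the poster's setup and not Cisco code, that does the detection half: it compares two successive `show crypto ipsec sa peer <ip>` snapshots, declares the tunnel stalled when packets keep being encapsulated toward the peer but the decapsulation counter no longer moves, and returns the ASA command that clears only that peer's IPsec SAs so they renegotiate. The snapshot text is constructed in the ASA counter format; the peer 198.51.100.2 and the local/remote networks are assumptions. Sending the command over SSH is left to whatever SSH client or library the operator already uses, with a dedicated low-privilege monitoring account rather than the enable password.

```python
"""Added example: detect a one-way (stalled) IPsec site-to-site tunnel from
two `show crypto ipsec sa peer <ip>` snapshots and plan the reset command.
"""

import re
from dataclasses import dataclass
from typing import List

# Constructed snapshot in the ASA output format (peer and networks assumed).
SNAPSHOT_T0 = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.5

      local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.0.0/255.255.255.0/0/0)
      current_peer: 198.51.100.2

      #pkts encaps: 5120, #pkts encrypt: 5120, #pkts digest: 5120
      #pkts decaps: 4987, #pkts decrypt: 4987, #pkts verify: 4987
"""

# Same peer a few minutes later (constructed): we kept sending, nothing came back.
SNAPSHOT_T1 = SNAPSHOT_T0.replace(
    "encaps: 5120, #pkts encrypt: 5120, #pkts digest: 5120",
    "encaps: 5210, #pkts encrypt: 5210, #pkts digest: 5210",
)

ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")
PEER_RE = re.compile(r"current_peer:\s*(\S+)")


@dataclass(frozen=True)
class SaCounters:
    peer: str
    encaps: int  # packets we encrypted toward the peer
    decaps: int  # packets received from the peer and decrypted


def parse_counters(show_output: str) -> SaCounters:
    peer = PEER_RE.search(show_output)
    enc = ENCAPS_RE.search(show_output)
    dec = DECAPS_RE.search(show_output)
    if not (peer and enc and dec):
        raise ValueError("no IPsec SA counters in output (no SA for this peer?)")
    return SaCounters(peer.group(1), int(enc.group(1)), int(dec.group(1)))


def tunnel_is_stalled(before: SaCounters, after: SaCounters, min_sent: int = 20) -> bool:
    """Stalled: outbound keeps flowing but the inbound counter has not moved.
    min_sent keeps an idle link from being mistaken for a broken one; a
    counter reset after a rekey shows up as a negative delta, not a stall."""
    sent = after.encaps - before.encaps
    received = after.decaps - before.decaps
    return sent >= min_sent and received == 0


def reset_commands(peer: str) -> List[str]:
    # Only this peer's phase-2 SAs: a blanket `clear crypto isakmp sa` would
    # also drop the healthy tunnel to the other ASA.
    return [f"clear crypto ipsec sa peer {peer}"]


def plan(before_output: str, after_output: str) -> List[str]:
    """Commands to send if the tunnel looks stuck, an empty list otherwise."""
    before, after = parse_counters(before_output), parse_counters(after_output)
    if before.peer != after.peer:
        raise ValueError("snapshots are for different peers")
    return reset_commands(after.peer) if tunnel_is_stalled(before, after) else []


if __name__ == "__main__":
    print(plan(SNAPSHOT_T0, SNAPSHOT_T1))  # stalled: one clear command
    print(plan(SNAPSHOT_T0, SNAPSHOT_T0))  # idle: nothing to do
```

    Run the two `show` commands a few minutes apart from the monitoring host, feed the captured text to `plan()`, and send the returned command only when the list is non-empty; the ASA's own dead-peer detection (`isakmp keepalive` in the tunnel group) is the built-in alternative worth enabling first, since it catches a dead peer without any scripting.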

  • Problem while deploying new logon screen par file via NWDS

    Hi,
    I have a problem with deploying .par files out of the NWDS.
    I want to change the look of the logon screen in our EP Portal (SAP NetWeaver 2004s).
    When I just import the (working) par file into NWDS and deploy it without ANY changes, I then get an error when trying to call the portal:
    instead of the logon screen I get some iView error (like iView: N/A).
    If I just copy the par file and put it back into the PCD, everything works fine.
    My problem seems to be the "compiling/deploying" via NWDS.
    Any suggestions?
    I followed the guide:
    http://help.sap.com/saphelp_nw04/helpdata/en/23/c0e240beb0702ae10000000a155106/frameset.htm
    I also followed the BLOG:
    Modifying The Logon Par(or customising the Logon Screen)
    and the help:
    http://help.sap.com/saphelp_nw04/helpdata/en/23/c0e240beb0702ae10000000a155106/content.htm
    Thanks for your help.
    markus

    Markus,
    If you import the par file using NWDS, most likely you wouldn't import the associated jar files (I think 2 jars) that are originally part of the par file. So, when you make changes and update your custom jar, it would lack the two jars and your application would fail. Try downloading the par file using System Administration -> Support -> PCD Administration -> Browse Deployment..
    Save the jar file on desktop and then import it to NWDS.
    Hope this helps,
    Kiran

  • Help needed to connect to remote PPTP VPN via PIX 515e

    Hello,
    A user in our office needs to connect to a client's remote PPTP VPN but can't connect.  The user is running Windows 7.  We have a Cisco PIX 515e firewall that is running PIX Version 6.3(3) - this is what our user is having to go through to try and make the connection to the client's remote VPN.
    The client's network guys have come back and said the issue is at our side.  They say that they can see some of our traffic but not all of it. The standard error is shown below, and they say it's symptomatic of the client-side firewall not allowing PPTP traffic:
    "A connection between the VPN server and the VPN client XXX.XXX.XXX.XXX has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47). Verify that the firewalls and routers between your VPN server and the Internet allow GRE packets. Make sure the firewalls and routers on the user's network are also configured to allow GRE packets. If the problem persists, have the user contact the Internet service provider (ISP) to determine whether the ISP might be blocking GRE packets."
    I have very little firewall experience and absolutely no Cisco experience I'm afraid.  From looking at the PIX config I can see the following line:
    fixup protocol pptp 1723.
    Does this mean that the PPTP protocol is enabled on our firewall?  Is this for both incoming and outgoing traffic?
    I can see no reference to GRE 47 in the PIX config.  Can anyone advise me what I should look for to see if this has been enabled or not?
    I apologise again for my lack of knowledge.  Any help or advice would be very gratefully received.
    Ros

    Hi Eugene,
    Thank you for taking the time to reply to me.  Please see our full PIX config below.  I've XX'd out names and IP addresses as I'm never comfortable posting those type of details in a public forum.  I hope that the information below is still sufficient for you.
    Thanks again for your help,
    Ros
    PIX(config)# en
    Not enough arguments.
    Usage:  enable password [] [level ] [encrypted]
            no enable password level
            show enable
    PIX(config)# show config
    : Saved
    : Written by enable_15 at 10:30:31.976 GMT/BDT Mon Apr 4 2011
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security10
    enable password XXX encrypted
    passwd XXX encrypted
    hostname PIX
    domain-name XXX.com
    clock timezone GMT/BST 0
    clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name XX.XX.XX.XX Secondary
    access-list outside_access_in permit tcp XX.XX.XX.XX 255.255.255.240 host XX.XX.XX.XX eq smtp
    access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq https
    access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq 993
    access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq 587
    access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq 82
    access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq www
    access-list outside_access_in permit tcp any host XX.XX.XX.XX eq www
    access-list outside_access_in permit tcp any host XX.XX.XX.XX eq www
    access-list outside_access_in permit tcp any host XX.XX.XX.XX eq https
    access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 993
    access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 587
    access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 82
    access-list outside_access_in permit tcp host XX.XX.XX.XX host XX.XX.XX.XX eq 82
    access-list outside_access_in permit tcp host XX.XX.XX.XX host XX.XX.XX.XX eq 82
    access-list outside_access_in permit tcp any host XX.XX.XX.XX eq smtp
    access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 8082
    access-list outside_access_in permit tcp any host XX.XX.XX.XX eq www
    access-list outside_access_in permit tcp any host XX.XX.XX.XX eq https
    access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 993
    access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 587
    access-list outside_access_in permit tcp any host XX.XX.XX.XX eq 82
    access-list outside_access_in permit tcp any host XX.XX.XX.XX eq smtp
    access-list outside_access_in permit tcp any host XX.XX.XX.XX. eq www
    access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.0.0
    access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
    access-list inside_outbound_nat0_acl deny udp any any eq 135
    access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip any XX.XX.XX.XX 255.255.255.0
    access-list outside_cryptomap_40 permit ip any XX.XX.XX.XX 255.255.255.0
    access-list outside_cryptomap_60 permit ip any XX.XX.XX.XX 255.255.255.0
    access-list USER1 permit ip any XX.XX.XX.XX 255.255.255.0
    access-list outside_cryptomap_10 permit ip any XX.XX.XX.XX 255.255.255.0
    access-list outside_cryptomap_20 permit ip any XX.XX.XX.XX 255.255.255.0
    access-list outside_cryptomap_30 permit ip any XX.XX.XX.XX 255.255.255.0
    access-list outside_cryptomap_50 permit ip any XX.XX.XX.XX 255.255.255.0
    access-list outside_cryptomap_70 permit ip any XX.XX.XX.XX 255.255.0.0
    access-list USER2 permit ip any XX.XX.XX.XX 255.255.255.0
    access-list USER3 permit ip any XX.XX.XX.XX 255.255.255.0
    access-list USER4 permit ip any XX.XX.XX.XX 255.255.0.0
    pager lines 24
    logging on
    logging host inside XX.XX.XX.XX
    icmp permit any outside
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    ip address outside XX.XX.XX.XX 255.255.255.248
    ip address inside XX.XX.XX.XX 255.255.255.0
    no ip address DMZ
    ip audit info action alarm
    ip audit attack action alarm
    pdm location XX.XX.XX.XX 255.255.255.255 inside
    pdm location XX.XX.XX.XX 255.255.0.0 outside
    pdm location XX.XX.XX.XX 255.255.255.0 outside
    pdm logging debugging 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) XX.XX.XX.XX XX.XX.XX.XX netmask 255.255.255.255 0 0
    static (inside,outside) XX.XX.XX.XX XX.XX.XX.XX netmask 255.255.255.255 0 0
    static (inside,outside) XX.XX.XX.XX XX.XX.XX.XX netmask 255.255.255.255 0 0
    static (inside,outside) XX.XX.XX.XX XX.XX.XX.XX netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 XX.XX.XX.XX 1
    route inside XX.XX.XX.XX 255.255.0.0 XX.XX.XX.XX 1
    timeout xlate 3:00:00
    timeout conn 2:00:00 half-closed 0:30:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    ntp authenticate
    ntp server XX.XX.XX.XX source outside prefer
    http server enable
    http XX.XX.XX.XX 255.255.0.0 outside
    http XX.XX.XX.XX 255.255.255.0 outside
    http XX.XX.XX.XX 255.255.255.255 inside
    snmp-server host inside XX.XX.XX.XX
    no snmp-server location
    no snmp-server contact
    snmp-server community XXX
    snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map cola 20 set transform-set ESP-3DES-MD5
    crypto dynamic-map dod 10 set transform-set ESP-3DES-MD5
    crypto map outside_map 10 ipsec-isakmp dynamic cola
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer XX.XX.XX.XX
    crypto map outside_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map 25 ipsec-isakmp
    crypto map outside_map 25 match address USER1
    crypto map outside_map 25 set peer XX.XX.XX.XX
    crypto map outside_map 25 set transform-set ESP-3DES-MD5
    crypto map outside_map 30 ipsec-isakmp
    crypto map outside_map 30 match address outside_cryptomap_30
    crypto map outside_map 30 set peer XX.XX.XX.XX
    crypto map outside_map 30 set transform-set ESP-3DES-MD5
    crypto map outside_map 40 ipsec-isakmp
    crypto map outside_map 40 match address outside_cryptomap_40
    crypto map outside_map 40 set peer XX.XX.XX.XX
    crypto map outside_map 40 set transform-set ESP-3DES-MD5
    crypto map outside_map 50 ipsec-isakmp
    crypto map outside_map 50 match address outside_cryptomap_50
    crypto map outside_map 50 set peer XX.XX.XX.XX
    crypto map outside_map 50 set transform-set ESP-3DES-MD5
    crypto map outside_map 60 ipsec-isakmp
    crypto map outside_map 60 match address outside_cryptomap_60
    crypto map outside_map 60 set peer XX.XX.XX.XX
    crypto map outside_map 60 set transform-set ESP-3DES-MD5
    crypto map outside_map 70 ipsec-isakmp
    crypto map outside_map 70 match address outside_cryptomap_70
    crypto map outside_map 70 set peer XX.XX.XX.XX
    crypto map outside_map 70 set transform-set ESP-3DES-MD5
    crypto map outside_map 75 ipsec-isakmp
    crypto map outside_map 75 match address USER4
    crypto map outside_map 75 set peer XX.XX.XX.XX
    crypto map outside_map 75 set transform-set ESP-3DES-MD5
    crypto map outside_map 80 ipsec-isakmp
    crypto map outside_map 80 match address USER2
    crypto map outside_map 80 set peer XX.XX.XX.XX
    crypto map outside_map 80 set transform-set ESP-3DES-MD5
    crypto map outside_map 90 ipsec-isakmp
    crypto map outside_map 90 match address USER3
    crypto map outside_map 90 set peer XX.XX.XX.XX
    crypto map outside_map 90 set transform-set ESP-3DES-MD5
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    telnet XX.XX.XX.XX 255.255.0.0 outside
    telnet XX.XX.XX.XX 255.255.255.255 inside
    telnet XX.XX.XX.XX 255.255.255.255 inside
    telnet XX.XX.XX.XX 255.255.255.255 inside
    telnet timeout 30
    ssh XX.XX.XX.XX 255.255.255.248 outside
    ssh XX.XX.XX.XX 255.255.255.248 outside
    ssh timeout 30
    management-access inside
    console timeout 0
    terminal width 80
    Cryptochecksum:XXX
    PIX(config)#

  • Anyconnect VPN via IPSec - Certificate issue

    Hi,
    I'm currently setting up a VPN-firewall and ran into problems with the certificates. I only want to enable IPSec connections via Anyconnect to the firewall. The client and the profile will be rolled out manually, so there is no need for anything web-based (portal, web-installer, SSL, etc.).
    The VPN-firewall is reached through the normal outside-firewall (NAT) via FQDN (vpn.abc.com).
    The normal setup is finished, but I have problems regarding the certificate. First I generated a CSR with "cn=fw001.abc.com", installed, bound to interface - but when I try to connect, I get the certificate error ("cert doesn't match server name" and "ca not trusted"). Then I tried a new CSR with "cn=vpn.abc.com", but it's still the same. Tomorrow I will try to get the CA-certificate to get rid of the "ca not trusted" message, but this one with the server name will still remain.
    I mean, the connection works, but it's this popup-window with the certificate warning that bothers me.
    I already had a similar configuration on another site, but there I had a wildcard certificate (*.xyz.com), which I installed as identity certificate and it worked properly.
    Questions:
    1.) Does anybody know what could be the issue here?
    2.) Do I need a certificate on the outside firewall? 
    Thanks in advance!

    Thanks for the response.
    First of all I need to state once again that I get 2 warnings:
    1.) Certificate does not match the server name.
    2.) Certificate is from an untrusted source.
    I know the procedure regarding certificates, I generated a request and got the proper signed licence, but the issue is the "server name not matching"-message. I created the CSR with the CN=vpn.abc.com, and got it signed with this CN. In the connection profile, the tunnel destination is also set to the domain and not the IP:
    "<HostAddress>vpn.abc.com</HostAddress>"
    But nevertheless, I get the message that the certificate doesn't match the server name. 
    I'm aware that the CA must be trusted on the PC, but this explains only the second message (untrusted) and not the mismatching name.
    Like I said I also tried it with CN=hostname.abc.com and sent the CSR to the signing, but it was the same issue. What name must I use so that the first message isn't showing up? 
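    A check worth running when the "does not match the server name" warning survives a CN change: clients validate the SubjectAltName dNSName entries first and ignore the CN whenever a SAN is present, and a wildcard covers only one leftmost label. The following added example (not code from the post or from Cisco) implements that matching rule over constructed certificate data; the dictionaries stand in for the Subject CN and SAN of a real certificate.

```python
from __future__ import annotations

def _name_match(pattern: str, hostname: str) -> bool:
    """Match one certificate name (optionally '*.example.com') against hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # A wildcard is only valid as the whole leftmost label, must leave at least
    # two labels to its right, and matches exactly one label of the hostname.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def certificate_matches(cert: dict, hostname: str) -> tuple[bool, str]:
    """Return (ok, reason) for a cert described as {'cn': str, 'san': [dNSName, ...]}."""
    san = cert.get("san", [])
    if san:
        if any(_name_match(n, hostname) for n in san):
            return True, "hostname matched a SubjectAltName dNSName"
        return False, "SAN present but no dNSName matches; the CN is ignored"
    cn = cert.get("cn")
    if cn and _name_match(cn, hostname):
        return True, "hostname matched the CN (legacy fallback, no SAN present)"
    return False, "neither SAN nor CN matches the hostname"

# Constructed certificates for illustration (not real X.509 data).
SAMPLE_CERTS = {
    "csr1-fw001": {"cn": "fw001.abc.com", "san": []},
    "csr2-cn-only": {"cn": "vpn.abc.com", "san": []},
    "csr2-san-fw001": {"cn": "vpn.abc.com", "san": ["fw001.abc.com"]},
    "csr2-san-both": {"cn": "vpn.abc.com", "san": ["fw001.abc.com", "vpn.abc.com"]},
    "wildcard": {"cn": "*.xyz.com", "san": ["*.xyz.com"]},
}

if __name__ == "__main__":
    for label, cert in SAMPLE_CERTS.items():
        target = "vpn.xyz.com" if label == "wildcard" else "vpn.abc.com"
        ok, why = certificate_matches(cert, target)
        print(f"{label:15} -> {target:12} {'OK ' if ok else 'FAIL'} ({why})")
```

If the CA issues the certificate with a SAN that lists only the firewall hostname, the CN of vpn.abc.com cannot satisfy the client; the SAN must carry the name the profile's HostAddress uses.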
