Accessing Xserve Desktop Out Of Network via VPN or Remote Desktop

Hi everyone,
Thanks a lot for taking the time to look at my question.
I'm trying to figure out how I would set up an Xserve so that it could operate on a work network while allowing users to access it away from work (at their houses) with a login and password that I've set up in the Xserve. That way they can access specific applications on the server.
I've searched through the forums and other documentation already with moderate success. Apparently I don't NEED a static IP address for my Xserve but it would make it easier. It seems that the most highly recommended solution is setting up a VPN.
So after some further research, I found that the VPN can be set up directly within OS X Server, but I'm unclear on how to actually allow it to do what I'm trying to do. I don't want my external users to have any admin rights -- I basically want them to remote desktop into a user account on the Xserve with no ability to change any settings, but to access one application on it so they can run that application on the server.
Any help would be greatly appreciated.
Thank you!

If I understand your request correctly, what you want cannot be done out of the box.
Despite Mac OS X Server's ability to support multiple users, it's still limited to one GUI environment/desktop. That means that there's only one set of GUI apps that can run at a time.
You could have multiple users log on using Remote Desktop, but they'd all see the exact same thing. In addition, actions (key presses, mouse movements, etc.) by any one user would be reflected on every other screen, so it's not practical to have multiple users trying to use the same GUI environment.
You need to more clearly define what it is you're trying to achieve. Why, for example, are you trying to run applications remotely over the internet, given the additional latency inherent in this kind of setup? What do you expect to gain?
More importantly, what application(s) are you trying to run?
Some applications support remote processing (e.g. an application you run locally on your machine submits a job to the server for processing, based on the idea that the server is a more powerful machine).
Other apps support collaboration where multiple users can share the same data and updates are dynamically reflected on other clients.
There are some hacks that emulate multiple desktops, and they might work for you, but you need a better understanding of what you're trying to do.

Similar Messages

  • Can I connect to my microsoft network via VPN and download network files?

    Can I connect to my microsoft network via VPN and download network files to my iPad2?  If so, what app is required?

    There are several apps available from App Store but the one I use is iTeleport.
    Oops, the Windows-specific version is called Jaadu Remote Desktop for Windows.

  • 4150L - Works on web, but can not connect via VPN or Remote Desktop

    Recently purchased a 4150L and installed the latest firmware.  We have been able to access all public websites without any problems.  But, when we try to access our customers' computers via VPN (various types) or Remote Desktop, we can't connect.  We can sign in to VPN, but when we try to access the computer, it says "can't connect".  Exact same message with Remote Desktop.   We are able to connect when we use a Verizon phone as a hotspot and from every other internet service that we have tried (i.e. hotels, Starbucks, etc.)   It appears it is an issue with the 4150L.
    Verizon Tech Support has been no help!
    All ideas are appreciated!
    Thanks,
    Skip

    Skip,
    VPN traffic should be allowed through on the MiFi 4510L by default.  I know I do not have any issues with mine on either the Cisco IPSec or Cisco SSL VPN Clients.
    If Verizon DNS is interfering then perhaps you could try to connect to your VPN via a direct IP address instead of a URL.  Not sure what VPN client you have, but there should be a No DNS option to connect if you know the correct IP.  You could also try switching your DNS to one of the free ones such as the one offered by Google or any of the others.
    VPNs carry a lot of overhead on existing connections in my experience.  It's not untypical to have a 3G connection cut in half when a VPN is applied.  Try running a speed test to make sure your connection is at least 1 MB on download before initiating a connection.  If the performance of the MiFi is too poor in that area it may never be stable enough to support a connection.  Feel free to post some Speedtest.net averages so we can see what you are working with.
    Something to note about the MiFi 4510L is that it is on the SIM card network.  That means that NAT is always going to be an issue and block your users from providing a truly public IP address.  Directly remoting to them through any means will be nearly impossible.

  • Asa 8.2 access files share on outside network from VPN Client.

    please help me
    I have cisco asa 5505 with 8.2
    outside is 111.22.200.51
    inside is 192.168.1.0/24 dhcp
    vpnpool is 192.168.10.1-192.168.10.30
    configured split tunnel to vpn client to access web
    I was able to connect from outside via vpn.
    Goal is to access the file server (on Windows) at 111.22.200.21 from VPN clients.
    Internal clients can access the shared folder.
    VPN clients cannot access the share on 111.22.200.21.
    ============================
    names
    name 192.168.1.1 ciscogw
    name 111.21.200.1 umgw
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
     switchport access vlan 5
    interface Ethernet0/4
    interface Ethernet0/5
     switchport access vlan 5
    interface Ethernet0/6
     switchport access vlan 5
    interface Ethernet0/7
     switchport access vlan 5
    interface Vlan1
     nameif inside
     security-level 100
     ip address ciscogw 255.255.255.0
    interface Vlan2
     nameif outside
     security-level 0
     ip address 111.22.200.51 255.255.255.0
    interface Vlan5
     no nameif
     security-level 50
     ip address dhcp setroute
    ftp mode passive
    clock timezone MST -7
    clock summer-time MDT recurring
    dns server-group DefaultDNS
     domain-name vpn.nmecsc.org
    access-list RAteam_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.192
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool vpnpool 192.168.10.1-192.168.10.30 mask 255.255.255.224
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 111.22.200.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
      quit
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 192.168.1.5-192.168.1.50 inside
    dhcpd dns 8.8.8.8 8.8.4.4 interface inside
    dhcpd wins 111.22.210.65 111.22.210.61 interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
     enable outside
    group-policy DfltGrpPolicy attributes
     banner value WARNING: Unauthorized access to this system is forbidden and will be prosecuted by law. By accessing this system, you agree that your actions may be monitored if unauthorized usage is suspected.
    group-policy RA_SSLVPN internal
    group-policy RA_SSLVPN attributes
     vpn-tunnel-protocol webvpn
     webvpn
      url-list value team
    group-policy RAteam internal
    group-policy RAteam attributes
     wins-server value 111.22.210.65
     dns-server value  8.8.8.8 8.8.4.4
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value RAteam_splitTunnelAcl
     default-domain value vpn.nmecsc.org
    username teamssl2 password 5ZBa0qXxwLBPpvoR encrypted privilege 0
    username teamssl2 attributes
     vpn-group-policy RA_SSLVPN
    username team2 password 5ZBa0qXxwLBPpvoR encrypted privilege 0
    username team2 attributes
     vpn-group-policy RAteam
    username teamssl1 password 5ZBa0qXxwLBPpvoR encrypted privilege 0
    username teamssl1 attributes
     vpn-group-policy RA_SSLVPN
    username team1 password 5ZBa0qXxwLBPpvoR encrypted privilege 0
    username team1 attributes
     vpn-group-policy RAteam
    tunnel-group team type remote-access
    tunnel-group team general-attributes
     default-group-policy RA_SSLVPN
    tunnel-group team webvpn-attributes
     group-alias team enable
     group-url https://111.22.200.51/team enable
    tunnel-group RAteam type remote-access
    tunnel-group RAteam general-attributes
     address-pool vpnpool
     default-group-policy RAteam
    tunnel-group RAteam ipsec-attributes
     pre-shared-key *
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous
    Cryptochecksum:680b9059ca6ca6610857bab04d855031

    I just upgraded the ASA to 9.3
    and added an access-list, but still no luck. I attached the diagram.
    name 192.168.1.1 ciscogw
    ip local pool vpnpool 192.168.10.1-192.168.10.50 mask 255.255.255.0
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/7
    interface Vlan1
     nameif inside
     security-level 100
     ip address ciscogw 255.255.255.0
    interface Vlan2
     nameif outside
     security-level 0
     ip address 111.22.200.51 255.255.255.0
    boot system disk0:/asa923-k8.bin
    ftp mode passive
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object network NETWORK_OBJ_192.168.1.0_24
     subnet 192.168.1.0 255.255.255.0
    object network NETWORK_OBJ_192.168.10.0_26
     subnet 192.168.10.0 255.255.255.192
    access-list ipsec_group_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
    access-list ipsec_group_splitTunnelAcl standard permit host 111.22.200.21
    access-list ipsec_group_splitTunnelAcl standard permit 111.22.200.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-731-101.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.10.0_26 NETWORK_OBJ_192.168.10.0_26 no-proxy-arp route-lookup
    object network obj_any
     nat (inside,outside) dynamic interface
    route outside 0.0.0.0 0.0.0.0 111.22.200.1 1
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
     enable outside
     tunnel-group-list enable
    group-policy ssl_vpn internal
    group-policy ssl_vpn attributes
     vpn-tunnel-protocol ssl-clientless
     webvpn
      url-list value carino
    group-policy DfltGrpPolicy attributes
    group-policy ipsec_group internal
    group-policy ipsec_group attributes
     dns-server value 8.8.8.8 8.8.4.4
     vpn-tunnel-protocol ikev1
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value ipsec_group_splitTunnelAcl
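    The configuration below is an added example for the thread above, not the poster's running config. It shows the three pieces an ASA needs when a remote-access client, which enters on outside, has to reach a host that also sits on the outside subnet (111.22.200.21). Neither posted config contains same-security-traffic permit intra-interface, and the 8.2 split-tunnel ACL only lists 192.168.1.0/24, so in that version traffic for 111.22.200.21 never enters the tunnel at all. The object name VPN_POOL is assumed.

```cisco
! --- Added example for the 9.3 config above (assumed names, not the poster's config) ---
! 1. A flow that arrives on "outside" (decrypted VPN client traffic) must be allowed
!    to leave on "outside" again. Without this the ASA silently drops the hairpin.
same-security-traffic permit intra-interface

! 2. The pool is private (192.168.10.0/24). 111.22.200.21 would answer via its own
!    default gateway (111.22.200.1), never via the ASA, so PAT the pool to the ASA's
!    outside address for the hairpin. VPN_POOL is an assumed object name.
object network VPN_POOL
 subnet 192.168.10.0 255.255.255.0
nat (outside,outside) source dynamic VPN_POOL interface

! 3. The client only tunnels what the split-tunnel ACL lists. The 9.3 ACL already has
!    this host; the single host entry is tighter than the whole /24, which also
!    contains the ASA's own outside address.
access-list ipsec_group_splitTunnelAcl standard permit host 111.22.200.21

! Equivalent for the 8.2 config: hairpin PAT through the existing "global (outside) 1
! interface" entry, plus the split-tunnel line the 8.2 ACL was missing.
! same-security-traffic permit intra-interface
! nat (outside) 1 192.168.10.0 255.255.255.224
! access-list RAteam_splitTunnelAcl standard permit host 111.22.200.21

! Verify after a client connects:
! show vpn-sessiondb          (client address and the secured routes it received)
! show nat detail             (9.x; "show xlate" on 8.2) - a translation for the
!                              pool address to 111.22.200.51 should appear
```

    With the pool translated to the ASA's outside address, 111.22.200.21 sees the SMB session come from 111.22.200.51 and replies to the ASA directly instead of to its default gateway. If the Windows file server has a host firewall scoped to the local subnet, it must also allow TCP 445 from that address.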

  • How do you access a machine connected to network via internet sharing?

    I have a G5 which shares its airport connection via its ethernet connection with an iMac. Now I'd like to access the iMac from a MacBook Pro which has a wireless connection. Is this at all possible? Right now the G5 and iMac know about each other as do the MacBook and iMac. But the iMac and MacBook don't seem to have a connection. Do I have to do something on the G5 so the iMac and MacBook are known to each other?

    Well it seems I missed the response when it occurred. Need to check my notification settings. Any way, to answer and summarize:
    1. Yes the G5 had a wireless connection to an Airport.
    2. The G5 was connected via an ethernet cable to the iMac
    3. I worded the connections wrong. I meant to say the G5 and MacBook know about each other, as do the G5 and iMac. But not the MacBook and iMac. Know about each other in the sense that they could be referenced like g5.local or imac.local.
    4. I couldn't get the macbook to find a route to the imac through the g5.
    In the end I decided what I was doing was stupid, and just put the iMac back on the wireless network so it was universally visible.

  • Cant access dashboards from home wireless network via my personal 10.1.3.4

    Hi,
    I installed 10.1.3.4 on my laptop at work, which worked fine. Though when attempting dashboards via the presentation layer at home, the URL cannot be displayed. I believe it is because I am using a static IP, and at home on my wireless I get assigned any old IP. Can anyone advise how to get around this?

    Yes, it has an impact. You create groups in the Repository and Answers and assign the object-level permissions.
    You Populate Group Variable during authentication via LDAP server. Once you login with X name you see the authorized groups in the my account.
    For dashboard A - For group Executive - User X - You have given full access.
    Now you have changed the Group name to AD_Executive. When You Login variable values would be
    User - X
    Group - Ad_Executive
    Dashboard A - No permissions.
    If you have a scenario of changing the group names then get Groups from database using Init block after authorization.

  • HT4262 Can I extend a wired remote base station network via wireless WDS Remote to a Wireless WDS main base station?

    I have a wired network in a remote closet (3 PCs to a 100/1000 Linksys switch).  I have an Apple Extreme network connected to the Internet in another remote closet allowing wireless PCs and wired PCs access to the internet and printers.  I do not have the ability to connect the two networks together via wire although they are 50' apart. 
    My objective is to configure two AirPort Extreme devices so the remote wired PCs can connect via the remote/relay AirPort Extreme to the main AirPort base station for DHCP, internet and intranet.
    One AirPort Extreme base station is Model # A1034 and the other is Model A1408.

    Can I extend......?
    Yes, this is possible.  But sometimes, the fact that something can be done does not necessarily mean that it should be done.  In a case like this....Upsides are far outweighed by Downsides.
    Upsides
    You will have more wireless coverage (but 50 feet is a long way if there are multiple walls or ceilings in the signal path...I am not optimistic about this)
    The Ethernet ports will be enabled on the remote Extreme.
    Downsides
    The required WDS configuration will drop the performance of your newer "n" Extreme down to wireless "g" levels.
    In addition, the bandwidth on the entire network will drop by 50%. In effect, you will have a "g" wireless network running at half speed
    WDS is difficult for most users to configure. It is very easy to make a mistake and literally impossible to recover without starting all over again with the configuration attempt
    It might work. But things are going to be extremely slow. Might be OK for general Internet browsing or light email. Any file transfers or copies from one device to another are going to take a very long time.
    You also might want to review the WDS setup required to get an idea of what is involved here:
    http://support.apple.com/kb/HT4262
    As you know, a far better way to do this would be to connect the two AirPort Extremes using an Ethernet connection. If you cannot run the Ethernet cable, you might want to consider a pair of Ethernet Powerline Adapters.
    These devices send an Ethernet signal over the existing AC powerlines in your home. So, you already have the wiring in place....you just need the adapters. I've used these devices for runs up to 70-80 feet or so with good results. But, you need to understand that there are number of factors that can affect performance here.
    So, if you want to try the powerline adapters, I would strongly recommend that you understand the store's return policy in advance. The bottom line is always this.....you won't know how they will work until you install them in your home.
    Apple's instructions for a setup using Ethernet are here:
    http://support.apple.com/kb/HT4260

  • Accessing a subnet via VPN session

    Hi everybody.
    I don't have too much experience configuring and managing VPNs and at this moment I am facing a bit of an issue. I've got a remote site which is connected to the headquarters via a VPN site-to-site IPsec tunnel. When I am in my office I have no problem reaching the remote network, but when I try to connect to the remote network via VPN client, I can't reach it.
    In the remote office I've got a Router 3800 (Cisco IOS Software, 3800 Software (C3845-ADVENTERPRISEK9-M), Version 12.4(13c), RELEASE SOFTWARE (fc2)); in the headquarters I've got an ASA 5520 Version 8.0(3). I've checked access-lists and network objects and everything seems ok.
    local network: 10.30.0.0 0.0.0.0
    remote network 10.31.0.0 0.0.0.0
    ASA
    object-group network remote-network
    network-object 172.16.27.0 255.255.255.0
    network-object 10.31.0.0 255.255.0.0
    object-group network network-local
    network-object 0.0.0.0 0.0.0.0
    access-list VPN_Remote_Access_splitTunnelAcl standard permit 10.31.0.0 255.255.0.0
    Router 3800
    ip access-list extended vpn
      permit ip 10.31.0.0 0.0.255.255 any
    Can someone guide me about what is missing in the config? no problem if you need more "sho run" lines.
    Regards and Thanks very much!!

    Hi Ankur, thanks very much for your reply!
    this is the "sho run" in my remote router:
    I do not understand your first question well, but if it is useful, I log in to headquarters at "headquerters public ip address".
    this is a simple diagram of where I want to connect to:
    REMOTE_SITE --------( VPN site-to-site IPsec tunnel )-------- HEADQUARTERS
    (10.31.0.0/24 network)                                      (10.30.0.0/16 network)
                                                                         |
                                                                         |
                                                                    REMOTE USER
                                                                  (10.30.23.130/25)
    REMOTESITE#sho run
    Building configuration...
    Current configuration : 10834 bytes
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    hostname PYASU1ROU01
    boot-start-marker
    boot-end-marker
    logging buffered 64000 debugging
    no logging console
    aaa new-model
    aaa authentication login default group tac-auth local
    aaa authentication enable default group tac-auth enable
    aaa authorization console
    aaa authorization exec default group tac-auth local if-authenticated
    aaa authorization network default local
    aaa accounting exec default start-stop group tac-auth
    aaa session-id common
    clock timezone PR -3
    ip cef
    voice-card 0
    no dspfarm
    crypto pki trustpoint TP-self-signed-4112391703
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-4112391703
    revocation-check none
    rsakeypair TP-self-signed-4112391703
    crypto pki certificate chain TP-self-signed-4112391703
    certificate self-signed 01
      30820243 308201AC A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 34313132 33393137 3033301E 170D3131 31313234 30323430
      34335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 31313233
      39313730 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
      8100A09B 8740E68A 0C5BB452 D4D26D1B C91E4B5A 71FF0E11 411D70DB ED09EE4C
      95C67911 0DFB9557 EB17CE79 9A3AF1C8 3B4DC1C0 75F6B938 F3431C4D 6DEAB793
      A560C0AE 88007146 4312FBDF F979476B AB55CACD 9EE00DAC B3227CD6 9861DE87
      DD462212 6E8FDA90 7BEA7967 26FCF6B6 6DDDBD5A A6E3D7F8 12AE4F5E 71BDDEE3
      D5130203 010001A3 6B306930 0F060355 1D130101 FF040530 030101FF 30160603
      551D1104 0F300D82 0B505941 53553152 4F553031 301F0603 551D2304 18301680
      14C86D3D 3AF1854B 977D5BD8 A9ABAF33 4E7483BC 3B301D06 03551D0E 04160414
      C86D3D3A F1854B97 7D5BD8A9 ABAF334E 7483BC3B 300D0609 2A864886 F70D0101
      04050003 8181005A 5A20ACB9 EE50A66C 054B5449 62A98E5F B42E5193 6D3D71A8
      B0949BE2 70BE6F3C 2FAD7E2D AA0FCF6C 4D8E8344 035A33D6 6538EF32 33F8C746
      31119E9C F08091A2 9F8DCF8F 1B779D90 82F3366C D0F84D6B AB7E3248 E532E224
      91E404E9 608ECF11 5525D52B A02C3D9C 7BC1C1EF 496D1246 1125086B 54EEF4A2
      94350AFF EA7CB2
      quit
    username admin privilege 15 secret 5 $1$P3xv$e99l3YcRWgFPEp/m6uXZg1
    username cwuser privilege 15 secret 5 $1$Ir9X$CZgLaFy7XKsmT9avFHTTk/
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    ip ssh version 2
    crypto keyring apex
      pre-shared-key address "headquerters public ip address"
    key apex
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp profile companyname
       keyring apex
       match identity address "headquerters public ip address"
    crypto ipsec transform-set esp-aes256-sha esp-aes 256 esp-sha-hmac
    crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
    crypto map outside 10 ipsec-isakmp
    set peer "headquerters public ip address"
    set transform-set 3DES
    set isakmp-profile companyname
    match address vpn-companyname
    interface Loopback1
    description monitoreo
    ip address 10.31.21.255 255.255.255.255
    interface GigabitEthernet0/0
    description Teysa
    ip address public ip address
    ip nat outside
    no ip virtual-reassembly
    load-interval 30
    duplex auto
    speed auto
    media-type rj45
    crypto map outside
    interface GigabitEthernet0/1
    description TO CORE-SW
    ip address 192.168.255.249 255.255.255.252
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    media-type rj45
    interface FastEthernet0/0/0
    switchport access vlan 2
    duplex full
    speed 100
    interface FastEthernet0/0/1
    switchport access vlan 10
    shutdown
    duplex full
    speed 100
    interface FastEthernet0/0/2
    switchport mode trunk
    shutdown
    interface FastEthernet0/0/3
    switchport access vlan 10
    shutdown
    duplex full
    speed 100
    interface Vlan1
    no ip address
    no ip http server
    ip http authentication aaa login-authentication default
    ip http authentication aaa exec-authorization default
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source route-map nat interface GigabitEthernet0/0 overload
    ip access-list extended nat
    deny   ip host 172.16.27.236 10.0.0.0 0.255.255.255
    deny   ip 10.31.0.0 0.0.255.255 10.0.0.0 0.255.255.255
    deny   ip 172.16.27.0 0.0.0.255 10.0.0.0 0.255.255.255
    permit ip 10.31.11.0 0.0.0.255 any
    permit ip 10.31.13.0 0.0.0.255 any
    permit ip 172.16.27.0 0.0.0.255 host 209.59.188.93
    permit ip 172.16.27.0 0.0.0.255 host 190.180.145.46
    permit ip 172.16.27.0 0.0.0.255 host 46.51.171.127
    permit ip 172.16.27.224 0.0.0.31 any
    ip access-list extended vpn-apex
    permit ip 10.50.20.0 0.0.1.255 any
    permit ip 172.16.27.0 0.0.0.255 any
    permit ip 10.31.0.0 0.0.255.255 any
    permit ip 10.30.0.0 0.0.255.255 any
    route-map nat permit 10
    match ip address nat
    control-plane
    line con 0
    password 7 xxxxxxxxxx
    stopbits 1
    line aux 0
    stopbits 1
    line vty 0 4
    password 7 xxxxxxxxxx
    scheduler allocate 20000 1000
    ntp server 10.30.5.38
    end
    REMOTESITE#
    Regards!
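    The fragment below is an added example for the thread above, not the poster's configuration. It shows what the headquarters ASA 5520 (8.0) needs for a VPN-client session to ride the site-to-site tunnel to 10.31.0.0/16. The remote user's address 10.30.23.130/25 already falls inside 10.30.0.0/16, and the posted object-groups make the L2L crypto ACL effectively "any to 10.31.0.0/16", so what is usually missing is intra-interface forwarding and the NAT exemption for traffic that both enters and leaves on outside. The pool 10.30.23.128/25 is inferred from the diagram; the names outside_nat0_outbound and outside_cryptomap are assumed. On the router, note that the crypto map says match address vpn-companyname while the ACL in the same post is named vpn-apex; in the running config those two names have to match.

```cisco
! --- Added example for the HQ ASA 5520 running 8.0(3); names and pool are assumed ---
! 1. Decrypted client traffic enters on outside and must exit on outside into the
!    L2L tunnel. Off by default, so the ASA drops it without this line.
same-security-traffic permit intra-interface

! 2. Do not translate pool -> remote site. Harmless when nat-control is off,
!    required when it is on. Pool assumed from the diagram (10.30.23.130/25).
access-list outside_nat0_outbound extended permit ip 10.30.23.128 255.255.255.128 10.31.0.0 255.255.0.0
nat (outside) 0 access-list outside_nat0_outbound

! 3. The L2L crypto ACL must select pool -> 10.31.0.0/16. With the posted groups
!    (network-local = 0.0.0.0/0, remote-network includes 10.31.0.0/16) that is already
!    the case; an explicit line documents the intent and survives a later tightening.
access-list outside_cryptomap extended permit ip 10.30.23.128 255.255.255.128 10.31.0.0 255.255.0.0

! 4. Split tunnel: VPN_Remote_Access_splitTunnelAcl already permits 10.31.0.0/16.

! Router side: "permit ip 10.31.0.0 0.0.255.255 any" in vpn-apex mirrors step 3, and
! the "nat" ACL already denies 10.31.0.0/16 -> 10.0.0.0/8 from overload NAT. The crypto
! map must reference the ACL by its real name:
! crypto map outside 10 ipsec-isakmp
!  match address vpn-apex

! Check: with a client connected and pinging 10.31.x.x, "show crypto ipsec sa" on both
! sides should list a child SA for 10.30.23.128/25 <-> 10.31.0.0/16 with increasing
! encaps/decaps counters. A counter that rises only on one side points at the NAT or
! crypto ACL on the other.
```

    If the ASA's crypto ACL is ever narrowed from "any" to the real LAN, the explicit pool entry in step 3 is what keeps remote-access users on the tunnel; the phase 2 proposal on the router is per-crypto-map, so no change is needed there.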

  • Non-Domain computers via VPN

    I am not sure if this is the right forum for this. I have some non-domain devices that are coming into my network via VPN (VPN client). Can someone tell me how to deny these non-domain devices coming into my network? Is there a configuration in the VPN concentrator to deny non-domain computers? Please advise.

    Did you deploy IPsec in your VPN network? If not, just deploy IPsec on all the peers and the VPN server.
    IPsec is a 2-phase VPN security provider. IPsec along with IKE provides double-level security.
    With IPsec, we configure some security parameters like hostname or remote IP address, pre-shared key etc. on both ends (server and peer). When a non-domain client tries to access your VPN, the VPN server may authenticate the incoming client using either IP address or host name, and it will contact an AAA server or its own database for validating the user.
    If you are using an external server for validating the incoming users, you must go for an external AAA server.
    For a complete detail of deploying vpn with ipsec,
    http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278c.html#wp1045493

  • Transfer files from mac to company drives via VPN?

    I have several files that I design/update on my mac which I want to write to a company network drive.
    On my PC I go through the installed VPN (I have host address, passwords etc). I am new to Macs and wondered if a similar method is available?
    Any step by step instructions would be very much appreciated.
    Al
    iMac 2006   Mac OS X (10.4.5)  

    It depends on the VPN system being used by the office.
    If it uses PPTP or L2TP, just open /Applications/Utilities/Internet Connect and create a new VPN connection profile.
    Fill in the blanks and click connect. With luck you'll be connected to the office network via VPN and can do whatever you would normally do while in the office.
    If the office VPN uses IPSec as its VPN protocol, or doesn't work with the built-in client then you may need to install a separate VPN client. You should be able to get this from the network administrators, or you can try one of the third-party clients such as VPNTracker or DigiTunnel.

  • Access AFP, email, Remote Desktop via VPN and local network but NOT web

    How can I do this? Right now I can set up all these services where I can access them via VPN only, but not on the local network or via the web. If I want to access them via the local network I have to open up the ports in the firewall, however this opens up access via the web (not requiring VPN) which I do NOT want. How do I remedy this?


  • Can connect via VPN, but can't access AFP server on same Xserve

    Hi:
    I've set up our Xserve with Mac OS X Server 10.5.2 to do AFP and VPN (L2TP only; PPTP is disabled). The Xserve is a standalone server, not connected to any other directory server.
    I can connect to the XServe's AFP server from my Mac over our wired and wireless network. The AFP server shows up in the sidebar of Finder windows. So far, so good.
    I am able to successfully connect to our network via the VPN with Mac OS X 10.5.2 client (on two different machines) using L2TP through our network's firewall (on a Netopia T1 router; UDF ports 500 and 4500 and IP Protocol 50 and 51 are open) using a shared secret.
    But I cannot connect to the XServe itself to use Server Admin or AFP (using afp://server.company.com or afp://xxx.xxx.xxx.xxx via the Go > Connect to Server command).
    The error I get while connecting to the 10.5.2 AFP server is "Some data in afp://server.mycompany.com could not be read or written (Error Code -36)". I saw this error associated with an SMB problem in 10.4.x, but SMB is not running.
    Other iChat users in my office also do not automatically show up in the Bonjour list when I connect to the network. Other computers on our network do not appear in the sidebar of a Finder window. (I'm told these are to be expected, as "local area Bonjour" isn't supported over a WAN link; it's purely a multicast feature on the network in the office, and won't be routed across the VPN link. True?)
    Now, here's the odd part. There is a second server (v10.4.11) on our network running AFP. I can connect to it (using afp://server.company.com via the Go > Connect to Server command) and mount its various sharepoints via the VPN.
    The only thing I see in the VPN log that seems amiss is this (but I have no idea what it means):
    Tue Mar 11 23:09:27 2008 : Unsupported protocol 0x8057 received
    --Both the 10.5.2 and the 10.4.11 servers have DNS properly configured (through our ISP; we're not running our own DNS).
    --Both servers and the client have public IP addresses and have the same subnet mask. Network Utility confirms this while connected to the VPN.
    --NAT is not running. The ISP is responding with public IPs for the servers.
    --The firewall for the 10.5.2 server is not running (but will be once I get this all working).
    --The IP address range for the VPN server doesn't overlap our DHCP pool (which also currently uses public IP addresses).
    --Any user can access any service.
    --No network routing definitions have been set up.
    --In essence, I've followed the steps on Pages 141-142 of the Network Services Admin Guide.
    One other note: After I connect, the Network Preferences > VPN > Advanced > TCP/IP window shows the IP address for the client just fine (assigned from the VPN pool), but lists the router as having the IP address of the XServe (rather than the router on the network). Is that normal?
    I'm hoping I don't need to have the XServe run DNS as an internal LAN DNS server.... And I'm not sure why I would have to if I can already successfully connect to the 10.4.11 AFP server.
    What simple step am I missing?
    TIA,
    mm

    "I am able to successfully connect to our network via the VPN with Mac OS X 10.5.2 client (on two different machines) using L2TP through our network's firewall (on a Netopia T1 router; UDF ports 500 and 4500 and IP Protocol 50 and 51 are open) using a shared secret."
    I suspect you mean UDP ports and you might need UDP port 1701 open too.
    You only need IP protocol 50 (ESP), protocol 51 (AH) isn't used. And ESP is only used when client and server aren't behind NAT (when NAT is used only the UDP ports are used).
    "Unsupported protocol 0x8057 received"
    This is usually seen when you can't get GRE through but since you don't use PPTP I can't be sure why this is registered in the logs. Sometimes when connecting using PPTP you have to disconnect and then reconnect for everything to work - you might try this for L2TP too.
    But if you already can reach services on any LAN nodes through the VPN I wouldn't bother with it.
    As you have a firewall in front of the server you need a second alias IP on the server that you can use to get at the services running on the server through the VPN. The firewall blocks all ports/protocols not opened - that's why you can't use the server main IP even if the VPN is up.
    The netmask is used by all nodes to determine how big your subnet is: what part of the IP number is the network number and what range the node number is in => really: should traffic be directed to a node on the same LAN or sent directly to the gw/router for forwarding.
    What you can't do is connect from a NATed network to another NATed network that both are using the same network number. (That's why people should stay away from using the "default" 192.168.0.0/24 and 192.168.1.0/24 networks for VPN server LANs).
    Try your settings at http://www.jodies.de/ipcalc to see what I mean.
    "...lists the router as having the IP address of the XServe (rather than the router on the network). Is that normal?"
    Yes. The VPN server is the VPN gw/router.
    "The firewall for the 10.5.2 server is not running (but will be once I get this all working)."
    If you already have a firewall in front of your servers that is a bit redundant.
    "--No network routing definitions have been set up."
    "I'm hoping I don't need to have the XServe run DNS as an internal LAN DNS server"
    You need routing definitions if you want to set up a split tunnel VPN, or all traffic is routed through the VPN when connected. The VPN becomes the default gw.
    Without ipforwarding ON in the server you can only reach nodes on the server LAN - not Internet.
    DNS is needed for your servers' forward and reverse names/IPs for advanced services but doesn't need to run in any of your own servers.
    If you decide to do a split tunnel VPN config (adding public and private routing definitions) a reachable DNS IP for VPN clients (in VPN config on server) is needed for VPN clients or they can't use names to find anything. To reach this DNS IP if public/not on your server LAN, you need your server to forward IP DNS lookups and have a routing definition for it.
    A split tunnel VPN only sends traffic for your server LAN through the VPN and all other traffic directly to the local gw/router (Internet).
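    The netmask and split-tunnel points in the reply above are easiest to see by replaying the client's routing decision. The following script is an added illustration, not code from the thread or from Apple's VPN service: it splits an address into network number and host range the way the ipcalc page does, checks whether the client's home LAN overlaps the server LAN, and does a longest-prefix-match lookup over a constructed client route table (home LAN on-link, server LAN via the tunnel, default via either the home router or the tunnel depending on split tunnelling). All addresses are made-up sample values.

```python
import ipaddress
from typing import List, Tuple

# A route is (prefix, next hop description). Constructed sample data only.
Route = Tuple[ipaddress.IPv4Network, str]


def split_address(ip: str, netmask: str) -> Tuple[str, str, str, str]:
    """What the netmask does: (network number, first host, last host, broadcast)."""
    net = ipaddress.ip_interface(f"{ip}/{netmask}").network
    hosts = list(net.hosts())
    return (str(net.network_address), str(hosts[0]), str(hosts[-1]),
            str(net.broadcast_address))


def lans_overlap(home_ip: str, home_mask: str, server_lan: str) -> bool:
    """True when the client's own LAN shares address space with the server LAN."""
    home = ipaddress.ip_interface(f"{home_ip}/{home_mask}").network
    return home.overlaps(ipaddress.ip_network(server_lan))


def client_routes(home_ip: str, home_mask: str, server_lan: str,
                  home_gw: str, split_tunnel: bool) -> List[Route]:
    """Constructed route table of a VPN client while the tunnel is up.
    Without split tunnelling the tunnel becomes the default gateway, as the
    reply says; with it, only the server LAN prefix points at the tunnel."""
    home = ipaddress.ip_interface(f"{home_ip}/{home_mask}").network
    default_hop = "tunnel (VPN)" if not split_tunnel else f"gateway {home_gw}"
    return [
        (ipaddress.ip_network("0.0.0.0/0"), default_hop),
        (home, "on-link (home LAN)"),
        (ipaddress.ip_network(server_lan), "tunnel (VPN)"),
    ]


def next_hop(routes: List[Route], dest: str) -> Tuple[str, bool]:
    """Longest-prefix match as a host's IP stack does it.
    Returns (chosen next hop, ambiguous). ambiguous is True when two routes of
    equal length match, i.e. home LAN and server LAN use the same network
    number: the stack will pick one, and it need not be the tunnel."""
    d = ipaddress.ip_address(dest)
    matches = [(net, hop) for net, hop in routes if d in net]
    best_len = max(net.prefixlen for net, _ in matches)
    best = [hop for net, hop in matches if net.prefixlen == best_len]
    return best[0], len(best) > 1


if __name__ == "__main__":
    print(split_address("192.168.1.10", "255.255.255.0"))
    # Home LAN and server LAN both 192.168.1.0/24: the classic collision.
    bad = client_routes("192.168.1.10", "255.255.255.0", "192.168.1.0/24",
                        "192.168.1.1", split_tunnel=True)
    print(next_hop(bad, "192.168.1.50"))
    good = client_routes("10.77.0.10", "255.255.255.0", "192.168.1.0/24",
                         "10.77.0.1", split_tunnel=True)
    print(next_hop(good, "192.168.1.50"), next_hop(good, "8.8.8.8"))
```

    Run it with different home-LAN prefixes to see why the reply warns against 192.168.0.0/24 and 192.168.1.0/24 for a VPN server LAN: as soon as the two prefixes coincide, the lookup for a server-LAN host is a tie between the on-link route and the tunnel route, and the packet is typically dropped on the home LAN instead of encrypted.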

  • Windows 8.1 system unable to access network shares via VPN connection

    Is there something inherent to Windows 8.1 that prevents it from accessing shares on a domain?
    I know that it cannot join a domain, but does that also mean that it cannot access shares which are on a domain?
    My problem is that I have several users that are running Windows 8.1 that are connecting to our network via a VPN.
    The users have domain accounts, but their computers, being Windows 8.1, cannot be joined to the domain.
    So to access network shares they have to use their domain credentials to create a VPN connection.
    Once connected the user can RDP to systems on the domain using their domain accounts, so I know that their user names/passwords and permissions are correct. They can access these systems using the computer name, so I don't feel that I have a DNS issue.
    They can see the shares on our file server, but when they try to access their department's shared files, they receive an access denied message. There are a few shares that are completely wide open, shared to all users and all departments, but they cannot access those shares either.
    You can ping the file server from the client when they are connected to the VPN, but you just cannot access any of the shares.
    So...
    I am thinking that it has something to do with windows 8.1 and not being able to join a domain, but I cannot find anything to explicitly support this thought.
    Other users running a variety of different OSes (Windows 7, OSX, Linux) can all access the shares without any problems via the VPN, so I am a little stumped.

    I have done some more testing and oddly enough I can map a drive if I use the IP address, but not the computer name, when checking the check box "connect using different credentials" and providing the user's domain credentials.
    This seems to point to a DNS issue, one would think, but I can hit the file share server by name \\fileserver.dev.lan
    I can see all the shares, so dns seems to be fine right?
    So I don't understand why I can map a drive using the IP address and not the machine name, but yet I can see and ping the server by name?
    When I try to create a mapped drive by machine name I receive the following message:
    Windows cannot access \\fileserver.dev.lan\all
    You do not have permissions to access \\fileserver.dev.lan. contact your network administrator to request access.
    But if I use the \\x.x.x.x\all using the very same user and password I get connected with no problem.
    This only seems to happen on Windows 8.1, which leads me to think that it has something to do with the OS.
    I am thinking about upgrading to Windows 8.1 Pro, but I don't want to go through the hassle and expense if the OS is not the problem.

  • Best way to access files on Xserve via VPN on iPad?

    Can anyone tell me the best solution for accessing files housed on the company's Apple Xserve remotely via VPN from an iPad? Numbers / Pages etc.
    thanks,
    Rick

    The iPad doesn't natively support file systems such as those on servers, but there are third-party apps that can allow this. FileBrowser is one often mentioned, so you might look into that. VPN will be a separate issue; iOS has a built-in VPN client which works with many VPN systems, but you'll need to see if yours is supported.
    Regards.

  • Problem accessing an adjacent remote network over VPN (2 asa5505)

    Hello all,
    I have 2 ASA5505 (CORP and remote) connected via VPN. The remote site contains 2 subnets (192.168.1.0/24 and 192.168.0.0/24 (for remote VPN users)). The corp site has 192.168.2.0/24 directly connected to ASA5505 and an adjacent network connected via another device namely the 172.16.0.0/16 network.
    I am able to ping site-to-site between 192.168.0 -> 192.168.2
    and
    192.168.1 -> 192.168.2
    I am unable to ping from remote site to the 172.16 network however.
    I added permit ACLs on both my NAT and CRYPTO ACLs, and when I am trying to ping the remote 172.16 network I get the following messages on my CORP ASA:
    4 Aug 12 2007 02:59:52 400010 192.168.2.1 192.168.0.10 IDS:2000 ICMP echo reply from 192.168.2.1 to 192.168.0.10 on interface inside
    reply is timing out though.
    Any tips would be appreciated!
    My ACLs:
    REMOTE SITE:
    #NONAT
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.0.0
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 192.168.1.0 255.255.255.0
    #CRYPTO ACL
    access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list 100 extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0
    access-list 100 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list 100 extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list 100 extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
    access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list 100 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
    CORP SITE:
    #CORP
    access-list 200 extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list 200 extended permit ip 172.16.0.0 255.255.0.0 192.168.3.0 255.255.255.0
    access-list 200 extended permit ip 172.17.0.0 255.255.0.0 192.168.3.0 255.255.255.0
    access-list 200 extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list 200 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list 200 extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
    access-list 200 extended permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
    nat (inside) 0 access-list 200
    nat (inside) 1 0.0.0.0 0.0.0.0
    #CRYPTO ACL
    access-list 105 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list 105 extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list 105 extended permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list 105 extended permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
    access-list 105 extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
    access-list 105 extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
    Thanks in advance!
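    For a configuration like the one above, two things are worth checking mechanically before suspecting routing: that every crypto ACL entry at one site has its exact mirror at the peer (IPsec proxy identities must match in both directions), and that every crypto flow is covered by a NAT exemption (nat 0) entry, since the dynamic nat rule would otherwise translate it before it reaches the tunnel. The script below is an added example, not code from the thread or from Cisco; it parses the `access-list ... extended permit ip <src> <mask> <dst> <mask>` lines from the post (the `nat (inside)` statements are left out because only the access-list lines are parsed) and reports both kinds of mismatch. The ACL names `100`, `105`, `200` and `inside_nat0_outbound` are the ones in the post.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

Flow = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]

# The access-list lines from the post, remote site then corp site.
REMOTE_SITE = """
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
"""
CORP_SITE = """
access-list 200 extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 200 extended permit ip 172.16.0.0 255.255.0.0 192.168.3.0 255.255.255.0
access-list 200 extended permit ip 172.17.0.0 255.255.0.0 192.168.3.0 255.255.255.0
access-list 200 extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 200 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 200 extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list 200 extended permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list 105 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 105 extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 105 extended permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 105 extended permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list 105 extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list 105 extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
"""

# Only the "permit ip <net> <mask> <net> <mask>" form is handled here.
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
                    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_acls(config: str) -> Dict[str, List[Flow]]:
    """Group ACL entries by name, preserving their order."""
    acls: Dict[str, List[Flow]] = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        name, src, smask, dst, dmask = m.groups()
        acls.setdefault(name, []).append((
            ipaddress.ip_network(f"{src}/{smask}", strict=False),
            ipaddress.ip_network(f"{dst}/{dmask}", strict=False)))
    return acls


def fmt(flows: List[Flow]) -> List[str]:
    return [f"{s} -> {d}" for s, d in flows]


def unmirrored(local: List[Flow], peer: List[Flow]) -> List[Flow]:
    """Crypto entries on one peer whose exact reverse (dst -> src) is absent on the other."""
    peer_set = set(peer)
    return [f for f in local if (f[1], f[0]) not in peer_set]


def not_exempt(crypto: List[Flow], nat0: List[Flow]) -> List[Flow]:
    """Crypto flows no nat0 entry covers (both source and destination contained)."""
    def covered(f: Flow) -> bool:
        return any(f[0].subnet_of(n[0]) and f[1].subnet_of(n[1]) for n in nat0)
    return [f for f in crypto if not covered(f)]


def check_sites() -> Dict[str, List[str]]:
    remote, corp = parse_acls(REMOTE_SITE), parse_acls(CORP_SITE)
    return {
        "remote crypto entries with no corp mirror": fmt(unmirrored(remote["100"], corp["105"])),
        "corp crypto entries with no remote mirror": fmt(unmirrored(corp["105"], remote["100"])),
        "remote crypto flows not NAT-exempt": fmt(not_exempt(remote["100"], remote["inside_nat0_outbound"])),
        "corp crypto flows not NAT-exempt": fmt(not_exempt(corp["105"], corp["200"])),
    }


if __name__ == "__main__":
    for title, lines in check_sites().items():
        print(f"{title}: {lines or 'none'}")
```

    On the posted ACLs the 172.16.0.0/16 flows come out mirrored and NAT-exempt on both sides, which agrees with the reply that the config itself looks fine and moves the question to whether 172.16.0.0/16 has a return route to 192.168.0.0/24 and 192.168.1.0/24. The checker does flag the two 192.168.1.0/24 <-> 192.168.0.0/24 entries in ACL 100 (both subnets sit at the remote site, so the corp ASA has nothing to mirror) and the 192.168.3.0/24 entries in ACL 105 that have no nat 0 counterpart in ACL 200; neither touches the 172.16 path, but both are the kind of drift this check is meant to surface.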

    The config looks ok.
    If you were trying to ping 172.16.x.x I don't see why the log would be what you displayed. Where are you pinging from, the remote site?
    "4 Aug 12 2007 02:59:52 400010 192.168.2.1 192.168.0.10 IDS:2000 ICMP echo reply from 192.168.2.1 to 192.168.0.10 on interface inside"
    Does the 172.16 network have a route to the 192.168.0.0 and 192.168.1.0 network?
