Anyconnect VPN PING replies from NAT address
I have been attmepting to setup an Anyconnect client to access an internal LAN via an ASA running 8.6(1)2.
The VPN client connects to the ASA successfully, and I get an IP address from the pool on the ASA, so far so good.
I have an issue whereby a ping from a AnyConnect VPN client to an inside host that has a static nat translation is getting a response from the nat (public) address rather than its real (inside) address as below:
C:\ ping 10.191.16.3 (inside host that is natted to lets say 123.123.123.123 on the ASA)
Pinging 10.191.16.3 with 32 bytes of data:
Reply from 123.123.123.123: bytes=32 time=62ms TTL=127
How do I get the response to come from the real address? Pinging inside hosts that do not have static NAT entries are ok.
Below is what I beleive are the relevant parts of the config..(Let me know if more is needed and I can post)
interface Redundant1
member-interface GigabitEthernet0/1
member-interface GigabitEthernet0/3
nameif InsideNet99
security-level 100
ip address 10.191.99.251 255.255.255.0
object network VPNClients
subnet 10.191.18.0 255.255.255.0
object network inside_network
subnet 10.191.16.0 255.255.254.0
nat (inside,outside) source static inside_network inside_network destination static VPNClients VPNClients no-proxy-arp route-lookup
object network inside_network
nat (inside,outside) dynamic interface
route inside 10.191.16.0 255.255.254.0 10.191.99.254 1
nat (inside,outside) source static 10.191.16.3 123.123.123.123
Hi,
Many thanks for taking the time to reply.
Here is the output you requested...
The only things I have changed are public IP's (I changed the names of a few things in the original post).
FIREWALL-01# sh run nat
nat (InsideNet99,outside) source static fp-private fp-public
nat (InsideNet99,outside) source static tmg-private tmg-public
nat (InsideNet99,outside) source static ex-private ex-public
nat (InsideNet99,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_10.191.18.0_24 NETWORK_OBJ_10.191.18.0_24 no-proxy-arp route-lookup
object network VRF-VLAN2
nat (InsideNet99,outside) dynamic interface
object network VRF-VLAN3
nat (InsideNet99,outside) dynamic interface
object network VRF-VLAN5
nat (InsideNet99,outside) dynamic interface
object network VRF-VLAN12
nat (InsideNet99,outside) dynamic interface
object network WIFIPUBLIC
nat (wifipublic,outside) dynamic interface
object network VRF-VLAN11
nat (InsideNet99,outside) dynamic interface
object network VRF-VLAN17
nat (InsideNet99,outside) dynamic interface
FIREWALL-01#
Other info...
object network fp-public
host ***.***.***.***
object network VRF-VLAN11
subnet 10.191.16.0 255.255.254.0
object network fp-private
host 10.191.16.1
object network tmg-private
host 10.191.16.3
object network ex-public
host **.***.***.***
object network tmg-public
host 123.123.123.123
object network ex-private
host 10.191.16.2
object network NETWORK_OBJ_10.191.18.0_24
subnet 10.191.18.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
network-object object VRF-VLAN11
The VPN client has address 10.191.18.1, pinging 10.191.16.3 and getting reply from 123.123.123.123 (The public address of 10.191.16.3).
(123.123.123.123 used for purposes of this forum, not real address).
btw, I can PING other devices on 10.191.16.0/23 that do not have static NATs on the ASA and they respond correctly from the real IP.
Similar Messages
-
Best way to allow a vpn profile only from one address
Hi,
This is a wierd request as it flies in the face of the purpose of vpn clients but I ahve my reasons:
We don't like Split-T but we have a userbase on a customer site that require it. I have made a special profile for them but they tend to hand out the .pcf to others as well as using it from home, etc. So I want to tie this group policy to a single source address.
Termination device is a 5520 with 8.x
Can it be done in the crypto definition or do I need to use an ACL entry on the outside interface?
Many thanks in advance,
MikeHi Mike,
Have a look at this complete link, implementing digital certificates for controlling your VPN ra users authorized sources.. you can also have ASA as local CA server as suppose to using third party.
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cert_cfg.html#wp1002608
Regards -
If I ping a NAT'ed IP address configured on an ASA 5505, is it handled at the firewall (as far as priority) as if I were pinging the firewall interface itself, or the end device? The reason I ask is I am seeing waves of ping latency that I can relate to data transfers, but the nothing is even close to being maxed out as far as CPU, memory, or bandwidth. My guess is this is being handled by the ASA in software instead of in hardware. Just looking for clarification.
Thanks,
MattIf I ping a NAT'ed IP address configured on an ASA 5505, is it handled at the firewall (as far as priority) as if I were pinging the firewall interface itself, or the end device? The reason I ask is I am seeing waves of ping latency that I can relate to data transfers, but the nothing is even close to being maxed out as far as CPU, memory, or bandwidth. My guess is this is being handled by the ASA in software instead of in hardware. Just looking for clarification.
Thanks,
Matt -
ASA 5505 AnyConnect VPN Can RDP to clients but can't ping/icmp
Hello all,
I've been searching all day for a solution to this problem. I setup and SSL anyconnect VPN on my Cisco ASA 5505. It works well and connects with out a problem. However, I can't ping any internal clients, but I can RDP to them. It may be something simple and I would appreciate any help. Most of the time people end up posting their config so I will as well.
MafSecASA# show run
: Saved
ASA Version 8.2(1)
hostname MafSecASA
domain-name mafsec.com
names
interface Vlan1
nameif inside
security-level 100
ip address 10.4.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 7.3.3.2 255.255.255.248
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 172.20.1.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
speed 100
duplex full
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 3
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name mafsec.com
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object tcp
protocol-object udp
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object udp
protocol-object tcp
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object ip
protocol-object icmp
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in remark allow remote users to internal users
access-list inside_access_in remark allow remote users to internal users
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 10.4.0.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 10.5.0.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-list inside_split_tunnel standard permit 10.4.0.0 255.255.255.0
access-list inside_split_tunnel standard permit 10.5.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.4.0.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.4.0.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.5.0.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.4.0.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.4.0.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.5.0.0 255.255.255.0 10.4.0.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool SSLVPNPool2 10.5.0.1-10.5.0.254 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 7.3.3.6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.4.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.4.0.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd option 6 ip 8.8.8.8 8.8.4.4
dhcpd address 10.4.0.15-10.4.0.245 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd lease 86400 interface inside
dhcpd option 3 ip 10.4.0.1 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.5.3055-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy SSLVPN internal
group-policy SSLVPN attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol svc
group-lock none
split-tunnel-policy tunnelspecified
split-tunnel-network-list value inside_split_tunnel
vlan none
address-pools value SSLVPNPool2
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username user1 password
username user1 attributes
service-type remote-access
username user2 password
tunnel-group SSLVPNGROUP type remote-access
tunnel-group SSLVPNGROUP general-attributes
address-pool SSLVPNPool2
default-group-policy SSLVPN
tunnel-group SSLVPNGROUP webvpn-attributes
group-alias SSLVPN enable
prompt hostname context
Cryptochecksum:3b16cbc9bbdfa20e6987857c1916a396
: end
Thank in advance for any help!Your config actually looks good (you have the ACL that would allow the echo-reply back since you don't have inspection turned on) - are you sure this isn't a windows firewall issue on the PCs? I'd try pinging a router or switch just to make sure.
--Jason -
Unable to ping device behind Cisco 3750 on the same inside VLAN via Cisco ASA 5505 Anyconnect VPN
Hi Guys,
I've been stuck with this for the last 2 days, and I thought to try and use Cisco's forum, I setup my home DC, and started having problems once I moved a Cisco 5505 behind a Cisco 1841 router (I wanted to eventually test DMVPN live on the internet,) I was no longer able to ping some devices, then as soon as I introduce a collapsed core/distribution switch, I'm also no longer able to ping the devices behind the Cisco 3750, I've attached a network diagram and the ASA running-config.
Everything seem fine internally with the exception of an intermittent network connectivity with a Citrix NetScaler VPX running on a VMware ESXi.
For some odd reason, I am able to ping the following, with no issues.
Cisco 3750 SVI (192.168.1.3)
CentOS web server (connected directly to the Cisco ASA 5505)
I have checked and enable the following:
Nat Exemption
Sysopt connection permit-vpn
ACL's
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
Added ICMP in the inspection policy
Packet-capture - Only getting echo requests.
Thanks in advance!Hi,
I believe you have the problem with your no-nat configurations..... you to exempt NAT for the traffic from 172.16.10.0 (Anyconnect VPN pool) to 192.168.1.0/24 (Inside LAN) to make this work
object network acvpnpool
subnet <anyconnect VPN Subnet>
object network insidelan
subnet <inside lan subnet>
nat (inside,outside) source static acvpnpool acvpnpool destination static insidelan insidelan
Make sure that you are able to reach the GW/Inside ip adress of the firewall from LAN machine.... all routing in place properly..... Thanks!!!
Regards
Karthik -
VPN anyconnect no Ping ip firewall
II have a management network 192.168.5.x and VPN network 192.168.25.x. I can ping a all my network elements except to firewall (ASA5510). The ASA has the IP 192.168.5.1. I think that the firewall has some restriction but I don't know. I have 8.2 software and anyconnenct 3.0 and work fine. If I am in the management network (192.168.5.7), I can ping to firewall. The restrict is with the VPN network.
Thanks,
Sent from Cisco Technical Support iPhone AppHi,
I gather you are trying to ping the ASA inside interface from a connected VPN Client?
To my understanding this is not possible.
You can't ping an interface IP address from behind some other interface on the ASA. In this case it would be a ICMP echo coming from outside to inside interface IP
To otherwise enable ICMP to ASA interface use the following command format
icmp permit/deny
- Jouni -
How can I direct all my contact form replies (from my website), to my personal email address?
I have embedded the code to my website but would like all of my contact form replies to be directed to my email address. How can I do this by revising the embedded code. Also will I still be able to receive replies after recieving 5000? At this point will I need a premium account?Email notifications are a feature of the Basic and Plus account.
The free account only allows for 50 responses. The Plus (Premium) account allows for 5000.
Randy -
Is it possible to run AnyConnect VPN from an XP Virtual Machine
I am trying to setup my ASA firewall to accept AnyConnect VPN connections from an XP client running in VMware ESXi 5.1.
Does anyone know if this is even possible?
If this helps any - from an internal XP Virtual Machine, I can run ASDM to manage the firewall.
ASA IOS 9.2(2)
ASDM 7.2(2)
In my physical environment:
I have proven my VPN setup is functional between the ASA and physical XP laptop.
The physical laptop running XP can make a successful AnyConnect VPN connection to the ASA. This VPN session works as expected as I can access the LAN and all servers on the inside LAN of the ASA once the VPN session is established.
Thank you
FrankHi Jody,
My vm XP and physical XP attributes are identical BUT do not match yours.
Not sure what this means? :-|
Any ideas?
BTW, my XP clients are operating as standalone; I.E. no Windows domain.
! VM XP
C:\Documents and Settings\me>cacls "%ALLUSERSPROFILE%\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Profile"
C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
NT AUTHORITY\SYSTEM:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
BUILTIN\Administrators:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Power Users:(OI)(CI)C
BUILTIN\Users:(OI)(CI)R
BUILTIN\Users:(CI)(special access:)
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_WRITE_EA
FILE_WRITE_ATTRIBUTES
C:\Documents and Settings\me>
! Physical PC
C:\Documents and Settings\me>cacls "%ALLUSERSPROFILE%\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Profile"
C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
NT AUTHORITY\SYSTEM:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
BUILTIN\Administrators:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Power Users:(OI)(CI)C
BUILTIN\Users:(OI)(CI)R
BUILTIN\Users:(CI)(special access:)
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_WRITE_EA
FILE_WRITE_ATTRIBUTES
C:\Documents and Settings\me> -
My replies to emails sent to me at one address are set to respnd from another address!!
Is there a way to remedy that. When I get messages at my default address and hit reply my blackberry sends the reply from another address different from the receiving address!!! Weird!!
Tools menu (Alt_T) > Account settings > Return receipts for the "per account" settings and a link to the global setting. If however your using Microsoft Exchange or another corporate mail server you may have no choice in the matter. The server over rides local settings, and adjustment required the server admin to make changes.
-
Problem with AnyConnect VPN on ASA 5505
Hello everyone,
We're troubleshooting an issue where a client cannot pass any traffic across an AnyConnect VPN with an ASA5505 as the endpoint. The client receives and IP address in the 172.16.0.1/24 range and the ASA creates a static route to the 10.0.0.0/24 internal network but we cannot ping or connect to any internal IP address. The connection appears to fully build and pass traffic (based on the byte counts which increase) but we can't talk to the main network.
Does anyone have any ideas as to what I can check?
Thanks!
RyanAnyConnect client should not be in the same subnet as the internal hosts. It needs to be unique subnet within your environment, so you were on the right path initially.
If you can share your config, that would be easier for us to check.
In the meantime, a few things to check:
1) Have you configured split tunnel policy?
2) Do you have NAT exemption configured?
3) Any VPN filter configured that might be blocking the traffic?
4) Does the internal network know how to route back to the VPN Pool subnet (ie: via the ASA)
5) Lastly, do you have "inspect icmp" configured? -
Really Need Some Help with CME 8.6 using IOS as Firewall and Anyconnect VPN on Phones
Hello,
I have a 2911 Router with IOS Security and Voice enabled and we are using CME 8.6. I am using a built-in Anyconnect VPN on 3 phones that are for remote users and thus I needed to enable security zones on the router which works because the remote phones will boot up, get their phone configs and I am able to call those remote phones from an outside line.
The issue I am having is that when I try to dial a remote phone connected via the VPN through port g0/0 from and internal office phone, i.e., NOT involving the PSTN then there is no audio. It's as if no audio is going back and forth. When I take off the security zones from the virtual-template interface and the g0/0 interface then the audio works great and I can reach the phone from internal as I am supposed to.
Could someone take a peek at my security config and see why audio would not be traveling through the VPN when I have my security zones turned on?
clock timezone PST -8 0
clock summer-time PST recurring
network-clock-participate wic 0
network-clock-select 1 T1 0/0/0
no ipv6 cef
ip source-route
ip cef
ip dhcp excluded-address 192.168.8.1 192.168.8.19
ip dhcp pool owhvoip
network 192.168.8.0 255.255.248.0
default-router 192.168.8.1
option 150 ip 192.168.8.1
lease 30
multilink bundle-name authenticated
isdn switch-type primary-ni
crypto pki server cme_root
database level complete
grant auto
lifetime certificate 7305
lifetime ca-certificate 7305
crypto pki token default removal timeout 0
crypto pki trustpoint cme_root
enrollment url http://192.168.8.1:80
revocation-check none
rsakeypair cme_root
crypto pki trustpoint cme_cert
enrollment url http://192.168.8.1:80
revocation-check none
crypto pki trustpoint TP-self-signed-2736782807
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2736782807
revocation-check none
rsakeypair TP-self-signed-2736782807
voice-card 0
dspfarm
dsp services dspfarm
voice service voip
allow-connections h323 to h323
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
vpn-group 1
vpn-gateway 1 https://66.111.111.111/SSLVPNphone
vpn-trustpoint 1 trustpoint cme_cert leaf
vpn-profile 1
host-id-check disable
voice class codec 1
codec preference 1 g711ulaw
voice class custom-cptone jointone
dualtone conference
frequency 600 900
cadence 300 150 300 100 300 50
voice class custom-cptone leavetone
dualtone conference
frequency 400 800
cadence 400 50 200 50 200 50
voice translation-rule 1
rule 1 /9400/ /502/
rule 2 /9405/ /215/
rule 3 /9410/ /500/
voice translation-rule 2
rule 1 /.*/ /541999999/
voice translation-rule 100
rule 1 /^9/ // type any unknown plan any isdn
voice translation-profile Inbound_Calls_To_CUE
translate called 1
voice translation-profile InternationalType
translate called 100
voice translation-profile Local-CLID
translate calling 2
license udi pid CISCO2911/K9 sn FTX1641AHX3
hw-module pvdm 0/0
hw-module pvdm 0/1
hw-module sm 1
username routeradmin password 7 091649040910450B41
username cmeadmin privilege 15 password 7 03104803040E375F5E4D5D51
redundancy
controller T1 0/0/0
cablelength long 0db
pri-group timeslots 1-12,24
class-map type inspect match-any sslvpn
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-all router-access
match access-group name router-access
policy-map type inspect firewall-policy
class type inspect sslvpn
inspect
class class-default
drop
policy-map type inspect outside-to-router-policy
class type inspect router-access
inspect
class class-default
drop
zone security trusted
zone security internet
zone-pair security trusted-to-internet source trusted destination internet
service-policy type inspect firewall-policy
zone-pair security untrusted-to-trusted source internet destination trusted
service-policy type inspect outside-to-router-policy
interface Loopback0
ip address 192.168.17.1 255.255.248.0
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
description Internet
ip address dhcp
no ip redirects
no ip proxy-arp
zone-member security internet
duplex auto
speed auto
interface GigabitEthernet0/1
ip address 192.168.8.1 255.255.248.0
duplex auto
speed auto
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
interface Serial0/0/0:23
no ip address
encapsulation hdlc
isdn switch-type primary-ni
isdn incoming-voice voice
no cdp enable
interface Integrated-Service-Engine1/0
ip unnumbered Loopback0
service-module ip address 192.168.17.2 255.255.248.0
!Application: CUE Running on NME
service-module ip default-gateway 192.168.17.1
no keepalive
interface Virtual-Template1
ip unnumbered GigabitEthernet0/0
zone-member security trusted
ip local pool SSLVPNPhone_pool 192.168.9.1 192.168.9.5
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip http path flash:/cme-gui-8.6.0
ip route 192.168.17.2 255.255.255.255 Integrated-Service-Engine1/0
ip access-list extended router-access
permit tcp any host 66.111.111.111 eq 443
tftp-server flash:apps31.9-3-1ES26.sbn
control-plane
voice-port 0/0/0:23
voice-port 0/3/0
voice-port 0/3/1
mgcp profile default
sccp local GigabitEthernet0/1
sccp ccm 192.168.8.1 identifier 1 priority 1 version 7.0
sccp
sccp ccm group 1
bind interface GigabitEthernet0/1
associate ccm 1 priority 1
associate profile 1 register CME-CONF
dspfarm profile 1 conference
codec g729br8
codec g729r8
codec g729abr8
codec g729ar8
codec g711alaw
codec g711ulaw
maximum sessions 4
associate application SCCP
dial-peer voice 500 voip
destination-pattern 5..
session protocol sipv2
session target ipv4:192.168.17.2
dtmf-relay sip-notify
codec g711ulaw
no vad
dial-peer voice 10 pots
description Incoming Calls To AA
translation-profile incoming Inbound_Calls_To_CUE
incoming called-number .
port 0/0/0:23
dial-peer voice 20 pots
description local 10 digit dialing
translation-profile outgoing Local-CLID
destination-pattern 9[2-9].........
incoming called-number .
port 0/0/0:23
forward-digits 10
dial-peer voice 30 pots
description long distance dialing
translation-profile outgoing Local-CLID
destination-pattern 91..........
incoming called-number .
port 0/0/0:23
forward-digits 11
dial-peer voice 40 pots
description 911
destination-pattern 911
port 0/0/0:23
forward-digits all
dial-peer voice 45 pots
description 9911
destination-pattern 9911
port 0/0/0:23
forward-digits 3
dial-peer voice 50 pots
description international dialing
translation-profile outgoing InternationalType
destination-pattern 9T
incoming called-number .
port 0/0/0:23
dial-peer voice 650 pots
huntstop
destination-pattern 650
fax rate disable
port 0/3/0
gatekeeper
shutdown
telephony-service
protocol mode ipv4
sdspfarm units 5
sdspfarm tag 1 CME-CONF
conference hardware
moh-file-buffer 90
no auto-reg-ephone
authentication credential cmeadmin tshbavsp$$4
max-ephones 50
max-dn 200
ip source-address 192.168.8.1 port 2000
service dnis dir-lookup
timeouts transfer-recall 30
system message Oregon's Wild Harvest
url services http://192.168.17.2/voiceview/common/login.do
url authentication http://192.168.8.1/CCMCIP/authenticate.asp
cnf-file location flash:
cnf-file perphone
load 7931 SCCP31.9-3-1SR4-1S.loads
load 7936 cmterm_7936.3-3-21-0.bin
load 7942 SCCP42.9-3-1SR4-1S.loads
load 7962 SCCP42.9-4-2-1S.loads
time-zone 5
time-format 24
voicemail 500
max-conferences 8 gain -6
call-park system application
call-forward pattern .T
moh moh.wav
web admin system name cmeadmin secret 5 $1$60ro$u.0r/cno/OD2JmtvPq4w9.
dn-webedit
transfer-digit-collect orig-call
transfer-system full-consult
transfer-pattern .T
fac standard
create cnf-files version-stamp Jan 01 2002 00:00:00
ephone-template 1
softkeys connected Hold Park Confrn Trnsfer Endcall ConfList TrnsfVM
button-layout 7931 2
ephone-template 2
softkeys idle Dnd Gpickup Pickup Mobility
softkeys connected Hold Park Confrn Mobility Trnsfer TrnsfVM
button-layout 7931 2
ephone-dn 1 dual-line
number 200
label Lisa
name Lisa Ziomkowsky
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 2 dual-line
number 201
label Dylan
name Dylan Elmer
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 3 dual-line
number 202
label Kimberly
name Kimberly Krueger
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 4 dual-line
number 203
label Randy
name Randy Buresh
mobility
snr calling-number local
snr 915035042317 delay 5 timeout 15 cfwd-noan 500
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 5 dual-line
number 204
label Mark
name Mark McBride
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 6 dual-line
number 205
label Susan
name Susan Sundin
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 7 dual-line
number 206
label Rebecca
name Rebecca Vaught
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 8 dual-line
number 207
label Ronnda
name Ronnda Daniels
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 9 dual-line
number 208
label Matthew
name Matthew Creswell
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 10 dual-line
number 209
label Nate
name Nate Couture
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 11 dual-line
number 210
label Sarah
name Sarah Smith
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 12 dual-line
number 211
label Janis
name Janis McFerren
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 13 dual-line
number 212
label Val
name Val McBride
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 14 dual-line
number 213
label Shorty
name Arlene Haugen
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 15 dual-line
number 214
label Ruta
name Ruta Wells
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 16 dual-line
number 215
label 5415489405
name OWH Sales
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 17 dual-line
number 216
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 18 dual-line
number 217
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 19 dual-line
number 218
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 20 dual-line
number 219
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 21 dual-line
number 220
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 22 dual-line
number 221
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 23 dual-line
number 222
label Pam
name Pam Buresh
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 24 dual-line
number 223
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 25 dual-line
number 224
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 26 dual-line
number 225
label Elaine
name Elaine Mahan
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 27 octo-line
number 250
label Shipping
name Shipping
ephone-dn 28 dual-line
number 251
label Eli
name Eli Nourse
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 29 dual-line
number 252
ephone-dn 30 dual-line
number 253
ephone-dn 31 octo-line
number 100
label Customer Service
name Customer Service
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 32 octo-line
number 101
label Sales
name Sales
call-forward busy 214
call-forward noan 214 timeout 12
ephone-dn 33 dual-line
number 260
label Conference Room
name Conference Room
call-forward busy 100
call-forward noan 100 timeout 12
ephone-dn 100
number 300
park-slot timeout 20 limit 2 recall
description Park Slot For All Company
ephone-dn 101
number 301
park-slot timeout 20 limit 2 recall
description Park Slot for All Company
ephone-dn 102
number 302
park-slot timeout 20 limit 2 recall
description Park Slot for All Company
ephone-dn 103
number 700
name All Company Paging
paging ip 239.1.1.10 port 2000
ephone-dn 104
number 8000...
mwi on
ephone-dn 105
number 8001...
mwi off
ephone-dn 106 octo-line
number A00
description ad-hoc conferencing
conference ad-hoc
ephone-dn 107 octo-line
number A01
description ad-hoc conferencing
conference ad-hoc
ephone-dn 108 octo-line
number A02
description ad-hoc conferencing
conference ad-hoc
ephone 1
device-security-mode none
mac-address 001F.CA34.88AE
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:2 2:31
ephone 2
device-security-mode none
mac-address 001F.CA34.8A03
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:12
ephone 3
device-security-mode none
mac-address 001F.CA34.898B
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
ephone 4
device-security-mode none
mac-address 001F.CA34.893F
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
ephone 5
device-security-mode none
mac-address 001F.CA34.8A71
ephone-template 1
max-calls-per-button 2
username "susan"
paging-dn 103
type 7931
button 1:6
ephone 6
device-security-mode none
mac-address 001F.CA34.8871
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:7 2:31 3:32
ephone 7
device-security-mode none
mac-address 001F.CA34.8998
ephone-template 1
max-calls-per-button 2
username "matthew"
paging-dn 103
type 7931
button 1:9
ephone 8
device-security-mode none
mac-address 001F.CA36.8787
ephone-template 1
max-calls-per-button 2
username "nate"
paging-dn 103
type 7931
button 1:10
ephone 9
device-security-mode none
mac-address 001F.CA34.8805
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:5
ephone 10
device-security-mode none
mac-address 001F.CA34.880C
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:14
ephone 11
device-security-mode none
mac-address 001F.CA34.8935
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:3
ephone 12
device-security-mode none
mac-address 001F.CA34.8995
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:8 2:31
ephone 13
device-security-mode none
mac-address 0021.5504.1796
ephone-template 2
max-calls-per-button 2
paging-dn 103
type 7931
button 1:4
ephone 14
device-security-mode none
mac-address 001F.CA34.88F7
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:23
ephone 15
device-security-mode none
mac-address 001F.CA34.8894
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:26
ephone 16
device-security-mode none
mac-address 001F.CA34.8869
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:28 2:27
ephone 17
device-security-mode none
mac-address 001F.CA34.885F
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:11
ephone 18
device-security-mode none
mac-address 001F.CA34.893C
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:27
ephone 19
device-security-mode none
mac-address 001F.CA34.8873
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:27
ephone 20
device-security-mode none
mac-address A456.3040.B7DD
paging-dn 103
type 7942
vpn-group 1
vpn-profile 1
button 1:13
ephone 21
device-security-mode none
mac-address A456.30BA.5474
paging-dn 103
type 7942
vpn-group 1
vpn-profile 1
button 1:15 2:16 3:32
ephone 22
device-security-mode none
mac-address A456.3040.B72E
paging-dn 103
type 7942
vpn-group 1
vpn-profile 1
button 1:1
ephone 23
device-security-mode none
mac-address 00E0.75F3.D1D9
paging-dn 103
type 7936
button 1:33
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 67
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
transport input all
scheduler allocate 20000 1000
ntp master
ntp update-calendar
ntp server 216.228.192.69
webvpn gateway sslvpn_gw
ip address 66.111.111.111 port 443
ssl encryption 3des-sha1 aes-sha1
ssl trustpoint cme_cert
inservice
webvpn context sslvpn_context
ssl encryption 3des-sha1 aes-sha1
ssl authenticate verify all
policy group SSLVPNphone
functions svc-enabled
hide-url-bar
svc address-pool "SSLVPNPhone_pool" netmask 255.255.248.0
svc default-domain "bendbroadband.com"
virtual-template 1
default-group-policy SSLVPNphone
gateway sslvpn_gw domain SSLVPNphone
authentication certificate
ca trustpoint cme_root
inservice
endI think your ACL could be the culprit.
ip access-list extended router-access
permit tcp any host 66.111.111.111 eq 443
Would you be able to change the entry to permit ip any any (just for testing purpose) and then test to see if the calls function properly. If they work fine then we know that we need to open som ports there.
Please remember to select a correct answer and rate helpful posts -
SA520 NAT/PAT not working with NAT address
The SA520 I have is configured on one public IP address and an exchange server is behind it. THe exchange server is configured with an internal address and the SA520 is performing NAT translation to a unique public address for the email server itself which is independant of the SA520. It seems that the SA520 is sending email out the NAT address correctly at some time and at other times it seems to be sending the email traffic over the PAT address of the SA520 public address. When this happens the email gets blocked due to spam lists. Then the email will work again correctly.. and then go back. If I use a 3rd party website to test the IP address sometime I get the correct one and sometimes I get the wrong address.
Is there a way I can confirm that the SA520 NAT settings are correct to allow ALL outbound communications from the exchange server (which is behind the SA520)? I may have the SA520 configuration wrong and it is possible that the SA520 is only providing inbound PAT for port 25. How do I tell the SA520 to do a 1 to 1 NAT with the exchange server?Hi John,
In order to establish a 1 to 1 NAT on the SA 500 series, as in your case, you must first you must first add an IP Alias for your 2nd WAN. Next, you create a Firewall rule to "force" all or selected traffic from your NATed server (LAN) to the WAN to go out thru the IP ALIAS address. Finally, we forward specific traffic from the WAN to your NATed Server (LAN) thru Firewall Rule(s). See sample wan2lan bitmaps attached. Do this for each of the services that you will allow to come in thru the SA 520 to your Server. As long as there are no other Firewall rules overlapping with the newly created rules, traffic to and from your NATed server will come/exit thru your ALIAS IP.
We can verify this by performing a WAN Packet Trace (Administration-->Diagnostics -->Packet Trace) After choosing Dedicated WAN as the Network to be captured, Click on Start to perform Packet Capture. Go to your NATed server, and perform the following, on a command prompt window Ping google.com, open a browser window and open google.com. On a remote machine, open a web page on your server (OWA?) to test incoming HTTP/HTTPS requests. Stop your capture, and save the packet capture file by pressing the Download button. Open file with Wireshark/Ethereal and observe the source and destination address of the packets. They should have the ALIAS address and not the WAN IP address.
If the above step is good, then we have to take a look as to if and why your SMTP or email services are not being routed out the ALIAS interface. Repeat capture steps as above, but this time send an outgoing email, and test an incoming email by emailing an internal account from an outside email acount (yahoo, gmail, hotmail).
If you still have failure, and you have IPS or ProtectLink enabled, can you run the steps that failed with IPS and/or ProtectLink both disabled?
If there are issues, you can post the captures as a personal message to me.
I hope the above will help narrow the issue a bit.
Best regards,
Julio -
Error 1722 Installing Anyconnect VPN (Windows 7)
Hi,
i'm trying to install Anyconnect VPN Client (anyconnect-win-2.5.2006-web-deploy-k9) to connect the university wifi, but i always get an error 1722
There
is a problem with this Windows Installer package. Ein Programm, das als
Teil des Setups ausgeführt wird, wurde nicht wie erwartet beendet.
Contact your support personnel or package vendor.
I had this error and i couldn't fix it and i reinstalled the Windows 7 (HP Compaq 610). Than i could install the AnyconnectVPN. Today it tried to update, than i get the same error. Now i can't use it and i can't install it.
There are a lot of people with this problem but there is no information in internet to fix this problem.
I really need help. I don't want to reinstall the windows. (It's also not a solution).
There is a key (Standart) HKEY_LOCAL_MACHINE/SOFTWARE/..../RUNONCE without a value.
What should i do now?Have you uploaded the AnyConnect package to the vpn gateway yet? I would recommend that you uploaded the latest version: AnyConnect version 2.5.2017.
Firstly you would need to upload the package to the vpn gateway, and you would need to use the following:
anyconnect-win-2.5.2017-k9.pkg
Once you have uploaded the package to the vpn gateway, you can download and install the AnyConnect onto your Windows 7 in 2 ways:
1) From Windows 7, assuming that the vpn gateway has been configured for AnyConnect, then you can browse to the vpn gateway ip address, and the AnyConnect software will be automatically downloaded and installed on the Windows 7 machine.
2) Alternatively, you can also pre-install the AnyConnect using the following file:
anyconnect-win-2.5.2017-pre-deploy-k9.msi
Hope that helps. -
Printing issues to local network when AnyConnect VPN in use
I have situation where I have a user connecting to the corporate office from her home network using a Win7 laptop and AnyConnect VPN 3.1.01065. She has an IP HP printer on her local network. When she is connected via VPN, she cannot print to her printer, Win saying the printer is off-line. That said, we are allowing access to the remote local network with a "split-exlude" conifiguration on the ASA:
access-list LocalLANAccess standard permit host 0.0.0.0
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ssl-client
split-tunnel-policy excludespecified
split-tunnel-network-list value LocalLANAccess
"Allow local (LAN) access when using VPN" in the AC preference tab is checked. And also, she can ping the local printer when connected via VPN. however, the printer appears off-line, from the laptop perspective, when the VPN is on, and will go back "on-line" when the VPN is disconnected.
Anyone have any thoughts on how to correct this?Well, if you want a workaround to apply for all VPN Client then you need to go for split-tunnel-policy tunnelspecified instead of split-tunnel-policy excludespecified. Suppose if your corporate network is 10.0.1.0/24 and you want to give the access to this subnet for vpn users.then configuration will be as follows.
access-list CorporateLAN standard permit 10.0.1.0 255.255.255.0
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ssl-client
no split-tunnel-policy excludespecified
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CorporateLAN
This will solve the problem globally
With Regards,
Safwan -
Jabber for IPhone/IPad and Anyconnect VPN
I have just setup Jabber for iPhone and iPad in a CUCM 8.6/Presence 8.6 enviornment. Works great when on my wireless network at work.
The problem I have is that it doesn't work with Anyconnect VPN. Running 8.4 code and can access the CUPS website from the iPhone/iPad when on vpn. It just will not connect the Jabber clients. I have attached the logs for review.
There is only one difference in our wireless connectivity and VPN connectivity that I can think of at this point. Could it be my DHCP configuration not offering option 150 for tftp on the VPN? I am using a local pool on the ASA but it doesn't offer option 150 for tftp.It's been a while so I don't recall exactly what I did. That said: I want to say that I connected it via the wireless network to let it pull down it's configuration and after it pulled down the initial configuration I was good to go on VPN.
Maybe you are looking for
-
I'm using iPad 3 and iOS 6.0.1 . Actually i know that normally a badge appears on the settings app when a new software update is out . I don't know why nothing appears on my iPad ! Yesterday , i was checking on a new software update in settings<gener
-
How to use Rand() (ANSI Function)as such in Oracle
I need to use Rand() function as such in ANSI format in oracle how to use it. I don't want to use the available DBMS_RANDOM.RANDOM(), i want to use ANSI Function as such in Oracle Please help me
-
Why missing personal hotspot in my iphone 4s after upgrade ios 7 ?
why missing personal hotspot in my iphone 4s after upgrade ios 7 ?
-
Spool not generated when creating the TO from TR
Hello, I am facing a issue while creating Transfer order. My scenario is like below: 1) Create Goods issue MB1A with two items 2) Create Transfer order from Material document 3) TO is created with 2 items 4) But spool is generated only for one item.
-
Hello everyone I have a question I use my Apple ID for iMessage but I want to know if I can use my friends Apple ID just for the App Store, can I do that ????