Asa 8.2 access files share on outside network from VPN Client.

Similar Messages

• Accessing file shares from JSP

  Hi,
  I need to be able to access file shares from a JSP page. Here's the JSP code:
  <%@ page language="java" %>
  <%@ page import="java.io.*" %>
  <%@ page errorPage="errorPage.jsp" %>
  <%
  String fileSystemPath = "\\\\130.26.1.199\\MeetingManager30\\test.txt";
  File f = new File(fileSystemPath);
  f.createNewFile();
  %>The above code resides in a server with IP 130.9.68.6 and is deployed onto the Tomcat on the server.
  When I tried to run the above code, I got this error
  java.io.IOException: Access is denied at java.io.WinNTFileSystem.createFileExclusively(Native Method) at java.io.File.createNewFile(File.java:827) at org.apache.jsp.test_jsp._jspService
  (test_jsp.java:55) at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:137) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at org.apache.jasper.servlet.JspServletWrapper.service
  (JspServletWrapper.java:210) at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:295) at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:241) at
  javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247) at
  org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.StandardWrapperValve.invoke
  (StandardWrapperValve.java:256) at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643) at
  org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480) at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995) at org.apache.catalina.core.StandardContextValve.invoke
  (StandardContextValve.java:191) at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643) at
  org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480) at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995) at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2422) at
  org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180) at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invok
  eNext(StandardPipeline.java:643) at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:171) at
  org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:163)
  at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641) at
  org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480) at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995) at org.apache.catalina.core.StandardEngineValve.invoke
  (StandardEngineValve.java:174) at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643) at
  org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480) at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995) at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:199) at
  org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:833) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processCon
  nection(Http11Protocol.java:711) at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:584) at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run
  (ThreadPool.java:687) at java.lang.Thread.run(Thread.java:536) Seems like I'm having a system level security setting problem here.
  I know it's a security issue, because I've encountered the equivalent problem in ASP/IIS, and I had to give a domain user rights to both the IIS Virtual Directory, and the file share to be able to access.
  Any ideas how to set up Tomcat to be able to access the file share successfully?
  Thanks in advance!

  Hello Veer,
  From what you have posted it looks like while logging your error another problem occurred. Did you get any output from your System.out calls? If not can you try adding a few in order to home in the problem area.
  Hussein Badakhchani
  www.orbism.com

• How to view and access files on my iBook G3 from another iMac

  **Hello, everybody on this excelent forum. I need to know how to use my Firewire conection, to view and access files in my iBook G3, from another iMac G3, both are OK in working good condition. I put this question because some days ago a Mac expert fix to me the access in my recent SwapMeet second hand aqcired iMac G3, without the original last owner password.
  this person are egoistic, and DoNot show me how he use the Firewire do this job.
  Thank You: Eduardo from NorthWest Mexico.

  Hello, Niel, Thank You very Much for your fast and kindly responce.
  the next monday I'll buy a new FireWire cable to test the metod you tell me.
  Again thanks and best regards from NW-Mexico.
  Eduardo

• Can't access any shares on the network

  Hi,
  As the topic says, I can't access any shares on the network. I've tried connecting to a Iomega NAS, Windows 7 laptop, and a macMini. In the "Shared" list in finder im able to see all the shares, I'm able to click them and see the folders they share, but when I try to open one of the folders I get an error, no matter which share it is:
  +"The operation can’t be completed because the original item for “<folder name>” can’t be found."+
  The shares can all access each other, and they can access my folders. I just can't access any folder on the network.
  I got a mac pro with osx 10.6.2 and have all the latest updates.
  How can I solve this problem?
  Thanks.

  Well, try this (I was able to fix my with these steps):
  Go Utilities > Disk Utility
  Select your Startup Disk, e.g. Macintosh HD
  Then, under the First Aid Tab, click Verify Disk Permissions.
  If there are errors, then click repair Disk Permissions.
  After it is done, restart the computer and see if your problem is resolved.
  I hope this help.
  Zeke
  www.ZekeYuen.com/blog/

• How do you access files on your time capsule from your mac?

  how do you access files on your time capsule from your mac?

  i had an old macbook pro that i had all the pictures on and i backed it up to my time capsule through time machine. i got a new macbook pro retina display recently and im wanting to see if i can get some of the pictures off of my time capsule now but i dont want all of them.

• Accessing the same stateful session bean from multiple clients in a clustered environment

  I am trying to access the same stateful session bean from multiple
            clients. I also want this bean to have failover support so we want to
            deploy it in a cluster. The following description is how we have tried
            to solve this problem, but it does not seem to be working. Any
            insight would be greatly appreciated!
            I have set up a cluster of three servers. I deployed a stateful
            session bean with in memory replication across the cluster. A client
            obtains a reference to an instance of one of these beans to handle a
            request. Subsequent requests will have to use the same bean and could
            come from various clients. So after using the bean the first client
            stores the handle to the bean (actually the replica aware stub) to be
            used by other clients to be able to obtain the bean. When another
            client retrieves the handle gets the replica aware stub and makes a
            call to the bean the request seems to unpredictably go to any of the
            three servers rather than the primary server hosting that bean. If the
            call goes to the primary server everything seems to work fine the
            session data is available and it gets backed up on the secondary
            server. If it happens to go to the secondary server a bean that has
            the correct session data services the request but gives the error
            <Failed to update the secondary copy of a stateful session bean from
            home:ejb20-statefulSession-TraderHome>. Then any subsequent requests
            to the primary server will not reflect changes made on the secondary
            and vice versa. If the request happens to go to the third server that
            is not hosting an instance of that bean then the client receives an
            error that the bean was not available. From my understanding I thought
            the replica aware stub would know which server is the primary host for
            that bean and send the request there.
            Thanks in advance,
            Justin
            

            If 'allow-concurrent-call' does exactly what you need, then you don't have a problem,
            do you?
            Except of course if you switch ejb containers. Oh well.
            Mike
            "FBenvadi" <[email protected]> wrote:
            >I've got the same problem.
            >I understand from you that concurrent access to a stateful session bean
            >is
            >not allowed but there is a
            >token is weblogic-ejb-jar.xml that is called 'allow-concurrent-call'
            >that
            >does exactly what I need.
            >What you mean 'you'll get a surprise when you go to production' ?
            >I need to understand becouse I can still change the design.
            >Thanks Francesco
            >[email protected]
            >
            >"Mike Reiche" <[email protected]> wrote in message
            >news:[email protected]...
            >>
            >> Get the fix immediately from BEA and test it. It would be a shame to
            >wait
            >until
            >> December only to get a fix - that doesn't work.
            >>
            >> As for stateful session bean use - just remember that concurrent access
            >to
            >a stateful
            >> session bean is not allowed. Things will work fine until you go to
            >production
            >> and encounter some real load - then you will get a surprise.
            >>
            >> Mike
            >>
            >> [email protected] (Justin Meyer) wrote:
            >> >I just heard back from WebLogic Tech Support and they have confirmed
            >> >that this is a bug. Here is their reply:
            >> >
            >> >There is some problem in failover of stateful session beans when its
            >> >run from a java client.However, it is fixed now.
            >> >
            >> >The fix will be in SP2 which will be out by december.
            >> >
            >> >
            >> >Mike,
            >> >Thanks for your reply. I do infact believe we are correctly using
            >a
            >> >stateful session bean however it may have been misleading from my
            >> >description of the problem. We are not accessing the bean
            >> >concurrently from 2 different clients. The second client will only
            >> >come into play if the first client fails. In this case we want to
            >be
            >> >able to reacquire the handle to our stateful session bean and call
            >it
            >> >from the secondary client.
            >> >
            >> >
            >> >Justin
            >> >
            >> >"Mike Reiche" <[email protected]> wrote in message
            >news:<[email protected]>...
            >> >> You should be using an entity bean, not a stateful session bean
            >for
            >> >this application.
            >> >>
            >> >> A stateful session bean is intended to be keep state (stateful)
            >for
            >> >the duration
            >> >> of a client's session (session).
            >> >>
            >> >> It is not meant to be shared by different clients - in fact, if
            >you
            >> >attempt to
            >> >> access the same stateful session bean concurrently - it will throw
            >> >an exception.
            >> >>
            >> >> We did your little trick (storing/retrieving handle) with a stateful
            >> >session bean
            >> >> on WLS 5.1 - and it did work properly - not as you describe. Our
            >sfsb's
            >> >were not
            >> >> replicated as yours are.
            >> >>
            >> >> Mike
            >> >>
            >> >> [email protected] (Justin Meyer) wrote:
            >> >> >I am trying to access the same stateful session bean from multiple
            >> >> >clients. I also want this bean to have failover support so we want
            >> >to
            >> >> >deploy it in a cluster. The following description is how we have
            >tried
            >> >> >to solve this problem, but it does not seem to be working. Any
            >> >> >insight would be greatly appreciated!
            >> >> >
            >> >> >I have set up a cluster of three servers. I deployed a stateful
            >> >> >session bean with in memory replication across the cluster. A client
            >> >> >obtains a reference to an instance of one of these beans to handle
            >> >a
            >> >> >request. Subsequent requests will have to use the same bean and
            >could
            >> >> >come from various clients. So after using the bean the first client
            >> >> >stores the handle to the bean (actually the replica aware stub)
            >to
            >> >be
            >> >> >used by other clients to be able to obtain the bean. When another
            >> >> >client retrieves the handle gets the replica aware stub and makes
            >> >a
            >> >> >call to the bean the request seems to unpredictably go to any of
            >the
            >> >> >three servers rather than the primary server hosting that bean.
            >If
            >> >the
            >> >> >call goes to the primary server everything seems to work fine the
            >> >> >session data is available and it gets backed up on the secondary
            >> >> >server. If it happens to go to the secondary server a bean that
            >has
            >> >> >the correct session data services the request but gives the error
            >> >> ><Failed to update the secondary copy of a stateful session bean
            >from
            >> >> >home:ejb20-statefulSession-TraderHome>. Then any subsequent requests
            >> >> >to the primary server will not reflect changes made on the secondary
            >> >> >and vice versa. If the request happens to go to the third server
            >that
            >> >> >is not hosting an instance of that bean then the client receives
            >an
            >> >> >error that the bean was not available. From my understanding I
            >thought
            >> >> >the replica aware stub would know which server is the primary host
            >> >for
            >> >> >that bean and send the request there.
            >> >> >
            >> >> >Thanks in advance,
            >> >> >Justin
            >>
            >
            >
            

• Accessing File Shares Over NAT

  Hello,
  I am working with a client that set up a new sub net that uses hide NAT. When I try to access a file share on a server in a different sub net, I can only browse for a few seconds and then an error such as "Server service not started" or "network
  name no longer available" appears, and I can't browse folders on that server anymore (it has Server 2003 SP2). Netmon found that the connection was constantly being reset. If I reconfigure the same client (XP SP3) with it's original unNATed IP address,
  everything works fine, and the Windows firewall is disabled on both the server and client. Is there a trick to get CIFS or SMB or whatever to work over hide NAT?
  Thanks!

  Hi,
  SMB uses a single session for a pair of IPs and all file transfer between these 2 IPs are made over this session. This makes the file transfer more efficient over the network. On the flip side, since only one SMB session is maintained, clients coming through
  NAT will have problems since all these clients are presented as a single IP to the server. With SMB, only a single session will be maintained and thus there is nothing unique for each client. This breaks the communication.
  We will need to use NetBIOS over TCPIP in place of SMB. This can be achieved by:
  1. Disabling SMB on the server or on all the client machines by setting the registry:
  Name: SMBDeviceEnabled
  Type: REG_DWORD
  Value: 0
  The location of the registry key is:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters. You may have to create this if not already existing.
  2. Block TCP port 445 for the segment accessing shares through NAT
  TechNet Subscriber Support in forum |If you have any feedback on our support, please contact [email protected]

• Access Denied trying to access file shares with correct credentials

  I am getting the Access Denied message when trying to connect to network shares from Windows 10 (9926)
  When trying to access a network share, I get the username and password prompt, and it always fails.
  Using the same credentials on a Windows 8.1 machine to connect to the same shares and it will work.
  Shares can be hosted on Windows Server 2012 R2, Windows 8.1, Linux Samba, NAS, or even \\127.0.0.1 and all will fail with the same message.
  But you can access the shares hosted on the the windows 10 machine from other remote machines.
  Credentials have been entered in the format of: domain\username,
  machinename\username, and just username
  All machines are on the same workgroup\domain
  NOTE: Typing in an invalid machine name will also bring up the credential prompt.
  I.e. entering \\QWERTY will still ask you for your username and password and fail immediately.
  The same shares worked in the version before 9926
  Peter Taylor
  Red Planet Programming Ltd

  I have the same problem, and I figured out that my windows is installed in french, and every users groups are created in french also, groups like Everyone don't exists and i can't change by console.
  Regards, Roberto Borges please remember to mark the replies as answers if they help and unmark them if they provide no help.

• Why won't my mac file share with my network?

  I want to share my files throughout my home network, but my mac computer is the only one that is causing trouble. My other windows computers and the USB drive connected to my router is working fine. Whenever I try to look for these devices through the network folder on my mac computer, it just sits there and no other devices appear. On any other computer, they will show up within 5 seconds. I have let it sit for 5 minutes and I nothing has found up.
  How can I get these computers and usb drive to show up. This mac has been resisting me the whole way when it comes to network.

  OS X: How to connect with File Sharing using SMB

• Access Files on My Samsung Continuum from my Mac

  Hello,
  How can I access my files on my Samsung Continuum from my mac computer?
  Samsung says that my device cannot be mounted:
  http://ars.samsung.com/customer/usa/jsp/faqs/faqs_view_us1.jsp?PAGE_GBN=faqs_search&SITE_ID=22&PG_ID=0&AT_ID=342136&PROD_SUB_ID=0&PROD_ID=561
  Does anyone have any other ideas of how to download/access the SD card?
  thanks,

  Good morning andrewiskandar,
  The Samsung continuum comes with an 8GB pre-installed microSD memory card. Is this the card we are working with? Also, if your Mac states that it accepts the card version that you posted, then you may need a memory card adaptor to the standard SD memory card format. Once you have the adaptor, the pc or Mac will recognize the memory card. On the pc, the card will come up as an add'l drive in "My computer". On the Mac, an icon will appear on the desktop to represent the memory card. Once the computers recognize the memory card, you can manipulate and transfer media on either platform. I hope I didn't overwhelm you with too much info.
  Good luck...

• Unable to access secondary subnet from VPN client

  Please can someone help with the following; I have an ASA 5510 running v8.4(3)9 and have setup a remote user VPN using the Cisco VPN client v5.0.07.0410 which is working appart from the fact that I cannot access resources on a secondary subnet.
  The setup is as follows:
  ASA inside interface on 192.168.10.240
  VPN clients on 192.168.254.x
  I can access reources on the 192.168.10 subnet but not any other subnets internally, I need to specifically allow access to the 192.168.20 subnet, but I cannot figure out how to do this please advise, the config is below: -
  Result of the command: "show startup-config"
  ASA Version 8.4(3)9
  hostname blank
  domain-name
  enable password encrypted
  passwd encrypted
  names
  dns-guard
  interface Ethernet0/0
  nameif outside
  security-level 0
  ip address 255.255.255.224
  interface Ethernet0/1
  nameif inside
  security-level 100
  ip address 192.168.10.240 255.255.255.0
  interface Ethernet0/2
  nameif DMZ
  security-level 50
  ip address 10.10.10.253 255.255.255.0
  interface Ethernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  nameif management
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  management-only
  boot system disk0:/asa843-9-k8.bin
  boot system disk0:/asa823-k8.bin
  ftp mode passive
  clock timezone GMT/BST 0
  clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
  dns domain-lookup outside
  dns domain-lookup inside
  dns server-group DefaultDNS
  name-server 194.168.4.123
  name-server 194.168.8.123
  domain-name nifcoeu.com
  object network obj-192.168.0.0
  subnet 192.168.0.0 255.255.255.0
  object network obj-192.168.5.0
  subnet 192.168.5.0 255.255.255.0
  object network obj-192.168.10.0
  subnet 192.168.10.0 255.255.255.0
  object network obj-192.168.100.0
  subnet 192.168.100.0 255.255.255.0
  object network obj-192.168.254.0
  subnet 192.168.254.0 255.255.255.0
  object network obj-192.168.20.1
  host 192.168.20.1
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network obj_any-01
  subnet 0.0.0.0 0.0.0.0
  object network obj-0.0.0.0
  host 0.0.0.0
  object network obj_any-02
  subnet 0.0.0.0 0.0.0.0
  object network obj-10.10.10.1
  host 10.10.10.1
  object network obj_any-03
  subnet 0.0.0.0 0.0.0.0
  object network obj_any-04
  subnet 0.0.0.0 0.0.0.0
  object network obj_any-05
  subnet 0.0.0.0 0.0.0.0
  object network NS1000_EXT
  host 80.4.146.133
  object network NS1000_INT
  host 192.168.20.1
  object network SIP_REGISTRAR
  host 83.245.6.81
  object service SIP_INIT_TCP
  service tcp destination eq sip
  object service SIP_INIT_UDP
  service udp destination eq sip
  object network NS1000_DSP
  host 192.168.20.2
  object network SIP_VOICE_CHANNEL
  host 83.245.6.82
  object service DSP_UDP
  service udp destination range 6000 40000
  object service DSP_TCP
  service tcp destination range 6000 40000
  object network 20_range_subnet
  subnet 192.168.20.0 255.255.255.0
  description Voice subnet
  object network 25_range_Subnet
  subnet 192.168.25.0 255.255.255.0
  description VLAN 25 client PC devices
  object-group network ISP_NAT
  object-group protocol TCPUDP
  protocol-object udp
  protocol-object tcp
  object-group service SIP_INIT tcp-udp
  port-object eq sip
  object-group service DSP_TCP_UDP tcp-udp
  port-object range 6000 40000
  access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.254.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip object 20_range_subnet 192.168.254.0 255.255.255.0
  access-list Remote-VPN_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
  access-list Remote-VPN_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
  access-list 100 extended permit object-group TCPUDP object SIP_REGISTRAR object NS1000_INT object-group SIP_INIT
  access-list 100 extended permit object-group TCPUDP object SIP_VOICE_CHANNEL object NS1000_DSP object-group DSP_TCP_UDP
  access-list 100 extended permit ip 62.255.171.0 255.255.255.224 any
  access-list 100 extended permit icmp any any echo-reply inactive
  access-list 100 extended permit icmp any any time-exceeded inactive
  access-list 100 extended permit icmp any any unreachable inactive
  access-list 100 extended permit tcp any host 10.10.10.1 eq ftp
  access-list 100 extended permit tcp any host 10.10.10.1 eq ftp-data
  pager lines 24
  logging enable
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  mtu DMZ 1500
  mtu management 1500
  ip local pool VPN-Pool 192.168.254.1-192.168.254.254 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-647.bin
  asdm history enable
  arp timeout 14400
  nat (inside,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.5.0 obj-192.168.5.0 no-proxy-arp route-lookup
  nat (inside,any) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.100.0 obj-192.168.100.0 no-proxy-arp route-lookup
  nat (inside,any) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.254.0 obj-192.168.254.0 no-proxy-arp route-lookup
  nat (outside,inside) source static SIP_REGISTRAR SIP_REGISTRAR destination static interface NS1000_INT service SIP_INIT_TCP SIP_INIT_TCP
  nat (outside,inside) source static SIP_REGISTRAR SIP_REGISTRAR destination static interface NS1000_INT service SIP_INIT_UDP SIP_INIT_UDP
  object network obj_any
  nat (inside,outside) dynamic interface
  object network obj_any-01
  nat (inside,outside) dynamic obj-0.0.0.0
  object network obj_any-02
  nat (inside,DMZ) dynamic obj-0.0.0.0
  object network obj-10.10.10.1
  nat (DMZ,outside) static 80.4.146.134
  object network obj_any-03
  nat (DMZ,outside) dynamic obj-0.0.0.0
  object network obj_any-04
  nat (management,outside) dynamic obj-0.0.0.0
  object network obj_any-05
  nat (management,DMZ) dynamic obj-0.0.0.0
  access-group 100 in interface outside
  route outside 0.0.0.0 0.0.0.0 80.4.146.129 1
  route inside 192.168.20.0 255.255.255.0 192.168.10.254 1
  route inside 192.168.25.0 255.255.255.0 192.168.10.254 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 management
  http 192.168.10.0 255.255.255.0 inside
  http 192.168.25.0 255.255.255.0 inside
  http 62.255.171.0 255.255.255.224 outside
  http 192.168.254.0 255.255.255.0 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto ca trustpoint ASDM_TrustPoint0
  enrollment self
  subject-name CN=
  crl configure
  crypto ca trustpoint _SmartCallHome_ServerCA
  crl configure
  crypto ca certificate chain ASDM_TrustPoint0
  certificate 2f0e024d
    quit
  crypto ca certificate chain _SmartCallHome_ServerCA
  certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
    quit
  crypto isakmp identity address
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet 192.168.1.0 255.255.255.0 management
  telnet timeout 5
  ssh 62.255.171.0 255.255.255.224 outside
  ssh 192.168.254.0 255.255.255.0 outside
  ssh 192.168.10.0 255.255.255.0 inside
  ssh 192.168.25.0 255.255.255.0 inside
  ssh timeout 5
  ssh version 2
  console timeout 0
  vpn-sessiondb max-other-vpn-limit 250
  vpn-sessiondb max-anyconnect-premium-or-essentials-limit 2
  dhcpd address 192.168.1.2-192.168.1.254 management
  dhcpd enable management
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ntp server 192.168.10.6 source inside prefer
  webvpn
  group-policy Remote-VPN internal
  group-policy Remote-VPN attributes
  wins-server value 192.168.10.21 192.168.10.22
  dns-server value 192.168.10.21 192.168.10.22
  vpn-tunnel-protocol ikev1
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value Remote-VPN_splitTunnelAcl
  default-domain value
  username blank password blank encrypted privilege 0
  username blank attributes
  vpn-group-policy Remote-VPN
  username blank password encrypted privilege 0
  username blank attributes
    vpn-group-policy Remote-VPN
  tunnel-group Remote-VPN type remote-access
  tunnel-group Remote-VPN general-attributes
  address-pool VPN-Pool
  default-group-policy Remote-VPN
  tunnel-group Remote-VPN ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect sip 
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  contact-email-addr
  profile CiscoTAC-1
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:b8263c5aa7a6a4d9cb08368c042ea236

  Your config was missing a no-nat between your "192.168.20.0" and "obj-192.168.254.0"
  So, if you look at your config there is a no-nat for inside subnet "obj-192.168.10.0" as shown below.
  nat (inside,any) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.254.0 obj-192.168.254.0
  So all you have to do is create a no-nat for your second subnet, like I showed you before, the solution was already there on your config but I guess you over looked at it.
  I hope that helps.
  Thanks
  Rizwan Rafeek

• Can't access internal network from VPN using PIX 506E

  Hello,
  I seem to be having an issue with my PIX configuration. I can ping the VPN client from the the internal network, but can cannot access any resources from the vpn client. My running configuration is as follows:
  Building configuration...
  : Saved
  PIX Version 6.3(5)
  interface ethernet0 auto
  interface ethernet1 auto
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  enable password N/JZnmeC2l5j3YTN encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  hostname SwantonFw2
  domain-name *****.com
  fixup protocol dns maximum-length 512
  fixup protocol ftp 21
  fixup protocol h323 h225 1720
  fixup protocol h323 ras 1718-1719
  fixup protocol http 80
  fixup protocol rsh 514
  fixup protocol rtsp 554
  fixup protocol sip 5060
  fixup protocol sip udp 5060
  fixup protocol skinny 2000
  fixup protocol smtp 25
  fixup protocol sqlnet 1521
  fixup protocol tftp 69
  names
  access-list outside_access_in permit icmp any any
  access-list allow_ping permit icmp any any echo-reply
  access-list allow_ping permit icmp any any unreachable
  access-list allow_ping permit icmp any any time-exceeded
  access-list INSIDE-IN permit tcp interface inside interface outside
  access-list INSIDE-IN permit udp any any eq domain
  access-list INSIDE-IN permit tcp any any eq www
  access-list INSIDE-IN permit tcp any any eq ftp
  access-list INSIDE-IN permit icmp any any echo
  access-list INSIDE-IN permit tcp any any eq https
  access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.240.0 255.255.255.0
  access-list swanton_splitTunnelAcl permit ip any any
  access-list outside_cryptomap_dyn_20 permit ip any 192.168.240.0 255.255.255.0
  no pager
  mtu outside 1500
  mtu inside 1500
  ip address outside 192.168.1.150 255.255.255.0
  ip address inside 192.168.0.35 255.255.255.0
  ip audit info action alarm
  ip audit attack action alarm
  ip local pool VPN_Pool 192.168.240.1-192.168.240.254
  pdm location 0.0.0.0 255.255.255.0 outside
  pdm location 192.168.1.26 255.255.255.255 outside
  pdm location 192.168.240.0 255.255.255.0 outside
  pdm logging informational 100
  pdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_outbound_nat0_acl
  nat (inside) 1 192.168.0.0 255.255.255.0 0 0
  access-group outside_access_in in interface outside
  access-group INSIDE-IN in interface inside
  route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
  timeout xlate 0:05:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
  timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout sip-disconnect 0:02:00 sip-invite 0:03:00
  timeout uauth 0:05:00 absolute
  aaa-server TACACS+ protocol tacacs+
  aaa-server TACACS+ max-failed-attempts 3
  aaa-server TACACS+ deadtime 10
  aaa-server RADIUS protocol radius
  aaa-server RADIUS max-failed-attempts 3
  aaa-server RADIUS deadtime 10
  aaa-server LOCAL protocol local
  http server enable
  http 192.168.0.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server community public
  no snmp-server enable traps
  floodguard enable
  sysopt connection permit-ipsec
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map client authentication LOCAL
  crypto map outside_map interface outside
  isakmp enable outside
  isakmp identity address
  isakmp policy 20 authentication pre-share
  isakmp policy 20 encryption des
  isakmp policy 20 hash md5
  isakmp policy 20 group 2
  isakmp policy 20 lifetime 86400
  vpngroup swanton address-pool VPN_Pool
  vpngroup swanton dns-server 192.168.1.1
  vpngroup swanton split-tunnel swanton_splitTunnelAcl
  vpngroup swanton idle-time 1800
  vpngroup swanton password ********
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd address 192.168.0.36-192.168.0.254 inside
  dhcpd dns 8.8.8.8 8.8.4.4
  dhcpd lease 3600
  dhcpd ping_timeout 750
  dhcpd auto_config outside
  dhcpd enable inside
  username scott password hwDnqhIenLiwIr9B encrypted privilege 15
  username norm password ET3skotcnISwb3MV encrypted privilege 2
  username tarmbrecht password Zre8euXN6HxXaSdE encrypted privilege 2
  username jlillevik password 9JMTvNZm3dLhQM/W encrypted privilege 2
  username ruralogic password 49ikl05C8VE6k1jG encrypted privilege 15
  username bzeiter password 1XjpdpkwnSENzfQ0 encrypted privilege 2
  username mwalla password l5frk9obrNMGOiOD encrypted privilege 2
  username heavyfab1 password 6.yy0ys7BifWsa9k encrypted privilege 2
  username heavyfab3 password 6.yy0ys7BifWsa9k encrypted privilege 2
  username heavyfab2 password 6.yy0ys7BifWsa9k encrypted privilege 2
  username djet password wj13fSF4BPQzUzB8 encrypted privilege 2
  username cmorgan password y/NeUfNKehh/Vzj6 encrypted privilege 2
  username cmayfield password Pe/felGx7VQ3I7ls encrypted privilege 2
  username jeffg password zQEQceRITRrO4wJa encrypted privilege 2
  terminal width 80
  Cryptochecksum:9005f35a85fa5fe31dab579bbb1428c8
  : end
  [OK]
  Any help will be greatly appreciated

  Bj,
  Are you trying to access network resources behind the inside interface?
  ip address inside 192.168.0.35 255.255.255.0
  If so, please make the following changes:
  1- access-list SWANTON_VPN_SPLIT permit ip 192.168.0.0 255.255.255.0 192.168.240.0 255.255.255.0
  2- no vpngroup swanton split-tunnel swanton_splitTunnelAcl
          vpngroup swanton split-tunnel SWANTON_VPN_SPLIT
  3- no access-list outside_cryptomap_dyn_20 permit ip any 192.168.240.0 255.255.255.0
  4- isakmp nat-traversal 30
  Let me know how it goes.
  Portu.
  Please rate any helpful posts   

• ASA5505 I cannot reach to an outside network from a branch office

  My customer has a HQ office and many Branch offices. In the HQ there is an ASA5510 configured as a default gateway, From HQ customer must access to internet (everythig works fine), from Inside LAN should reach to anyway including special services like Credit Card service provider and others (it works fine). From Branch offices must reach Inside LAN hosts (it works fine), from Branch Offices must reach DMZ (it works fine), from branch offices should reach CC Service provider and here's the point of this Q, From almost all branch offices they reach CCSP fine but branch offices where an ASA5505 is installed (Offices that reach CCSP have a RV042 installed or a TPlink ER6120 installed) but offices with ASA just can ping to LAN side of CCSP's router.
  I think ASA5505 conf is an opened door configuration. Here's the 5505 configuration and also attached the network diagram. Some one can help please

  Hi,
  Are the branch offices connected to the HQ through some ISP MPLS network since I do not see any L2L VPN configurations on the ASA5505?
  I presume this is the case. Since you say that the connections between Branch Office (with ASA5505) and HQ LAN work fine it should tell us that there should be no routing problems between those networks.
  The diagram possibly also suggests that all the Branch Office connections come to your HQ network through the same Router at the edge so if other Branc Offices connections CCSP work then there should be no routing problem between the Branch Offices and the CCSP (atleast regarding your part of the network)
  Now, some questions.
  Does the ISR Router forward traffic destined to CCSP directly to the Router at 192.168.2.249 ?
  Does the Router with the connection to the CCSP use the Internet to reach the CCSP or is there somekind of dedicated connection between these networks?
  If the Router towards CCSP uses Internet then does it lack some NAT configurations for the source network 192.168.27.0/24? Does it perhaps lack a route towards the network 192.168.27.0/24? Or is there any possible errors in the configurations (wrong gateway IP or network mask somewhere?)
  Is there any ACLs configured on the Router that has the connection to the CCSP that might block traffic?
  Does the CCSP have all the required routing information to pass traffic towards the network 192.168.27.0/24? (If were talking about a dedicated connection and not traffic through the Internet) Have they allowed traffic from the mentioned network 192.168.27.0/24 to their servers/network?
  Have you taken "packet-tracer" output from the ASA5505 to confirm that the ASA configurations allow the traffic and dont drop it for some reason?
  For example
  packet-tracer input inside tcp 192.168.27.100 12345 193.168.1.100 80
  You can modify the IP addresses (source/destination) and the used destination port and protocol to match the connections that are actually attempted.
  Have you monitored the connections on the ASA when users attempt them? This should atleast tell you why they are failing or give a hint. You could also configure traffic capture on the ASA5505 if you wanted to make sure if any traffic was coming from the CCSP towards this ASA (return traffic for connection attempt)
  Hope this helps :)
  Let me know if I missunderstood the situation wrong somehow.
  - Jouni

• Accessing file shares on Vista

  No matter what I do I cannot access an administrative share that is located on Vista from my Mac. I can explicitly share a folder and it works just fine but admin shares just give me the generic "Could not connect to server...".
  Anyone else notice this issue? Know of a fix??

  Hi,
  SMB uses a single session for a pair of IPs and all file transfer between these 2 IPs are made over this session. This makes the file transfer more efficient over the network. On the flip side, since only one SMB session is maintained, clients coming through
  NAT will have problems since all these clients are presented as a single IP to the server. With SMB, only a single session will be maintained and thus there is nothing unique for each client. This breaks the communication.
  We will need to use NetBIOS over TCPIP in place of SMB. This can be achieved by:
  1. Disabling SMB on the server or on all the client machines by setting the registry:
  Name: SMBDeviceEnabled
  Type: REG_DWORD
  Value: 0
  The location of the registry key is:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters. You may have to create this if not already existing.
  2. Block TCP port 445 for the segment accessing shares through NAT
  TechNet Subscriber Support in forum |If you have any feedback on our support, please contact [email protected]

• 10.9.2 Mavericks and can no longer connect to our SMB file share on the network.

  Smb was working under 10.9.1. Now  smb and usning the finder I get "connection failed".  Both of my NAS are not out when i am using my mac book pro  thru the wifi connection.    Is any one else have the same problem?

  Same story here - smb:// worked under 10.9.1, but the Update 10.9.2 broke it.
  Some facts:
  Mac Book Pro Retina 2012
  Network connection is over WLAN (The connection is very stable and no issues else where)
  The issue seems to be caused when there are larger files (> 500MB) in the share
  smb:// works for shares with lots of folders but only small files in them
  smb:// and cifs:// are both almost unusable
  smb://  shows a blank screen for ages- Finder will eventually hang up
  cifs:// will connect fast (wow!), but the connection is very unstable for larger files
  The funny part is, that Mavericks (pre 10.9.2) was the first OS X which fixed most SMB issues of its predecessor. (SMB2 was somwhat slow, but quite usable) Now, I can not really use my Mac to work...
  Moral of the story, I think I will switch to Ubuntu 14 when it is released in April - it should support HDPI Displays.