Bridging identicle subnets via VPN/IPsec
We have a Cisco SB ISA550W, as does our client.
We are using software from Rockwell for programming PLCs that absolutely requires the subnet of our programmers laptops and the subnet of the PLC to be identicle in order to connect to the PLC processors. Say the client is a 192.168.111.0 subnet. Say our office is a 192.168.222.0 network.
I would like to configure a VLAN on a specific port of our ISA to 192.168.111.0 and I'm going to run an ethernet cable from that port to the programmers laptop. I'm going to statically program the LAN interface of the laptop with say 192.168.111.12 (an IP which I know to be available on the clients network and reserved for us in their DHCP server). Say the IP of the PLC processors on the clients network is 192.168.111.58 that we are wanting to connect to.
First, is this possible and is this the best way to do it? Second, should we use the Cisco AnyConnect client on our promgrammers laptop to connect to their network, OR, should I setup and IPsec tunnel between the gatways? We have a static IP on DSL, our client has a static IP with their Satellite ISP.
Comments, sugestions? Will this work? Am I going about this the right way?
Thanks!
Alex
Unfortunately what you're wanting to accomplish is not feasible. The reason is this. What you're stating is that the Programmer and the PLC must be on the same physical network which means they must be able to communicate at Layer 2. However the only time a device would send traffic to either your ISA or your client's ISA is if it requires Layer 3 routing, which means that the requestor is looking for something that is not on it's own layer 2 network. I've been racking my brain trying to figure out a way to do this using VPNs, AnyConnect, NAT, etc. and I'm not coming up with one. Most likely your only solution will be to have a device at your client's premise that you can remotely access via RDP, VNC, etc. and then leverage that device to program the PLC.
Sorry I wish I had a better answer for you.
Shawn Eftink
CCNA/CCDA
Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.
Similar Messages
-
Unable to access secondary subnet via VPN
I am having a problem with clients accessing a secondary subnet via VPN.
Clients on VPN are given the address on the 192.168.15.0 subnet. Once connected they can access 192.168.16.0 (Production subnet) fine, but are unable to access the 192.168.8.0 secondary subnet. If you are on the 192.168.16.0 subnet in the office you can access 192.168.8.0 subnet fine. The traffic is coming in via an ASA 5510 then traverses a Juniper firewall and a MPLS router to the secondary subnet. I'm not sure if it's a nat issue or not. Any help would be helpful.
Below is the config of the ASA. Thank you in advance
ASA Version 8.2(5)
hostname charlotte
domain-name tg.local
enable password v4DuEgO1ZTlkUiaA encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.254.0 Peak10 description Peak10
name 192.168.116.0 Charlotte_Phones description Charlotte_Phones
name 192.168.15.0 Charlotte_SSL_VPN_Clients description Charlotte_SSL_VPN_Client s
name 192.168.17.0 Charlotte_Wireless_Data description Charlotte_Wireless_Data
name 192.168.117.0 Charlotte_Wireless_Phones description Charlotte_Wireless_Phon es
name 192.168.5.0 Huntersville description Huntersville
name 192.168.16.1 SRX_Gateway description Juniper_SRX
name 192.168.108.0 Canton_Data description Canton_Data
name 192.168.8.0 Canton_Phones description Canton_Phones
name 192.168.9.0 Canton_Wireless_Data description Canton_Wireless_Data
name 192.168.109.0 Canton_Wireless_Phones description Canton_Wireless_Phones
name 192.168.16.4 TEST_IP description TEST_IP
name 192.168.16.2 CantonGW description Canton GW 192.168.16.2
name 192.168.5.1 HuntersvilleGW
name 10.176.0.0 RS_Cloud description 10.176.0.0/12
name 172.16.8.0 RS_172.16.8.0
name 172.16.48.0 RS_172.16.48.0
name 172.16.52.0 RS_172.16.52.0
name 10.208.0.0 RS_Cloud_New
name 10.178.0.0 RS_10.178.0.0 description Rackspace DEV servers
name 10.178.0.6 RS_10.178.0.6
name 172.16.20.0 RS_172.16.20.0
interface Ethernet0/0
nameif Outside
security-level 0
ip address 70.63.165.219 255.255.255.248
interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.16.202 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
banner login ASA Login - Unauthorized access is prohibited
banner login ASA Login - Unauthorized access is prohibited
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Outside
dns domain-lookup Inside
dns domain-lookup management
dns server-group DefaultDNS
name-server 192.168.16.122
name-server 8.8.8.8
domain-name tg.local
dns server-group defaultdns
name-server 192.168.16.122
domain-name tg.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_2
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object Canton_Phones 255.255.255.0
object-group network DM_INLINE_NETWORK_3
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object Huntersville 255.255.255.0
object-group network DM_INLINE_NETWORK_4
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object Huntersville 255.255.255.0
object-group network DM_INLINE_NETWORK_10
network-object RS_Cloud 255.240.0.0
network-object 172.16.0.0 255.255.252.0
network-object RS_172.16.8.0 255.255.252.0
network-object RS_172.16.48.0 255.255.252.0
network-object RS_172.16.52.0 255.255.252.0
network-object RS_Cloud_New 255.240.0.0
network-object RS_10.178.0.0 255.255.0.0
network-object RS_172.16.20.0 255.255.252.0
network-object 172.16.0.0 255.255.0.0
network-object Canton_Phones 255.255.255.0
object-group network DM_INLINE_NETWORK_7
network-object RS_Cloud 255.240.0.0
network-object 172.16.0.0 255.255.252.0
network-object RS_172.16.8.0 255.255.252.0
network-object RS_172.16.48.0 255.255.240.0
network-object RS_172.16.52.0 255.255.252.0
network-object RS_Cloud_New 255.240.0.0
network-object RS_10.178.0.0 255.255.0.0
network-object RS_172.16.20.0 255.255.252.0
network-object 172.16.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_8
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object Charlotte_Wireless_Data 255.255.255.0
network-object Canton_Data 255.255.255.0
network-object Canton_Phones 255.255.255.0
object-group network DM_INLINE_NETWORK_9
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object Charlotte_Wireless_Data 255.255.255.0
network-object Canton_Data 255.255.255.0
network-object Canton_Phones 255.255.255.0
object-group network DM_INLINE_NETWORK_11
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object Charlotte_Wireless_Data 255.255.255.0
object-group network DM_INLINE_NETWORK_12
network-object RS_Cloud 255.240.0.0
network-object 172.16.0.0 255.255.252.0
network-object RS_172.16.8.0 255.255.252.0
network-object RS_172.16.20.0 255.255.252.0
network-object 172.16.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_13
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object Charlotte_Wireless_Data 255.255.255.0
network-object Canton_Phones 255.255.255.0
network-object Canton_Data 255.255.255.0
network-object Canton_Wireless_Data 255.255.255.0
object-group network DM_INLINE_NETWORK_14
network-object RS_Cloud 255.240.0.0
network-object RS_172.16.48.0 255.255.252.0
network-object RS_172.16.52.0 255.255.252.0
network-object RS_Cloud_New 255.240.0.0
network-object RS_10.178.0.0 255.255.0.0
network-object RS_172.16.20.0 255.255.252.0
network-object 172.16.0.0 255.255.0.0
network-object 172.16.0.0 255.255.252.0
object-group network DM_INLINE_NETWORK_5
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object Charlotte_Wireless_Data 255.255.255.0
network-object Canton_Phones 255.255.255.0
network-object Canton_Data 255.255.255.0
network-object Canton_Wireless_Data 255.255.255.0
object-group network DM_INLINE_NETWORK_6
network-object RS_Cloud 255.240.0.0
network-object RS_Cloud_New 255.240.0.0
network-object 172.16.0.0 255.255.252.0
network-object RS_172.16.8.0 255.255.252.0
network-object RS_172.16.20.0 255.255.252.0
network-object 172.16.0.0 255.255.0.0
network-object Canton_Phones 255.255.255.0
object-group network tgnc074.tg.local
object-group icmp-type DM_INLINE_ICMP_1
icmp-object echo
icmp-object echo-reply
icmp-object traceroute
icmp-object unreachable
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp eq https
object-group icmp-type DM_INLINE_ICMP_2
icmp-object echo
icmp-object echo-reply
icmp-object traceroute
icmp-object unreachable
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
object-group service DM_INLINE_SERVICE_3
service-object ip
service-object icmp echo
service-object icmp echo-reply
object-group network DM_INLINE_NETWORK_1
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
object-group service DM_INLINE_SERVICE_4
service-object ip
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
object-group service DM_INLINE_SERVICE_5
service-object ip
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
object-group network DM_INLINE_NETWORK_15
network-object Canton_Data 255.255.255.0
network-object host CantonGW
object-group service DM_INLINE_SERVICE_6
service-object ip
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
object-group service DM_INLINE_SERVICE_7
service-object ip
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_2 Ch arlotte_SSL_VPN_Clients 255.255.255.0 any
access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_5 ho st SRX_Gateway Charlotte_SSL_VPN_Clients 255.255.255.0
access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_7 Ch arlotte_SSL_VPN_Clients 255.255.255.0 host SRX_Gateway
access-list Inside_access_in extended permit icmp any any object-group DM_INLINE _ICMP_1
access-list Inside_access_in remark Permit all in Char_ORD_VPN
access-list Inside_access_in extended permit ip object-group DM_INLINE_NETWORK_7 object-group DM_INLINE_NETWORK_8
access-list Inside_access_in remark Permit all out Char_ORD_VPN
access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_1 ob ject-group DM_INLINE_NETWORK_9 object-group DM_INLINE_NETWORK_10
access-list Inside_access_in extended permit ip Charlotte_SSL_VPN_Clients 255.25 5.255.0 any
access-list Inside_access_in remark Permit all in Char_ORD_VPN
access-list Inside_access_in remark Permit all out Char_ORD_VPN
access-list Inside_access_in extended permit ip object-group DM_INLINE_NETWORK_9 object-group DM_INLINE_NETWORK_10 log disable
access-list Tunneled_Network_List standard permit 192.168.16.0 255.255.255.0
access-list Tunneled_Network_List standard permit Charlotte_Phones 255.255.255.0
access-list Tunneled_Network_List standard permit Charlotte_Wireless_Data 255.25 5.255.0
access-list Tunneled_Network_List standard permit Charlotte_Wireless_Phones 255. 255.255.0
access-list Tunneled_Network_List standard permit Peak10 255.255.255.0
access-list Tunneled_Network_List standard permit Canton_Data 255.255.255.0
access-list Tunneled_Network_List standard permit Canton_Phones 255.255.255.0
access-list Tunneled_Network_List standard permit Canton_Wireless_Data 255.255.2 55.0
access-list Tunneled_Network_List standard permit Canton_Wireless_Phones 255.255 .255.0
access-list Tunneled_Network_List standard permit Huntersville 255.255.255.0
access-list Tunneled_Network_List standard permit 172.16.0.0 255.255.252.0
access-list Tunneled_Network_List standard permit RS_172.16.8.0 255.255.252.0
access-list Tunneled_Network_List standard permit RS_Cloud 255.240.0.0
access-list Tunneled_Network_List standard permit RS_Cloud_New 255.240.0.0
access-list Tunneled_Network_List standard permit RS_172.16.20.0 255.255.252.0
access-list Tunneled_Network_List standard permit Charlotte_SSL_VPN_Clients 255. 255.255.0
access-list Tunneled_Network_List standard permit 172.16.0.0 255.255.0.0
access-list Inside_nat0_outbound extended permit ip Charlotte_SSL_VPN_Clients 25 5.255.255.0 object-group DM_INLINE_NETWORK_2
access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWO RK_11 object-group DM_INLINE_NETWORK_12
access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWO RK_5 object-group DM_INLINE_NETWORK_6
access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWO RK_1 object-group DM_INLINE_NETWORK_2
access-list Limited_Access extended permit ip Charlotte_SSL_VPN_Clients 255.255. 255.0 host TEST_IP
access-list Limited__VPN_Acccess_List standard permit host 192.168.16.123
access-list Limited__VPN_Acccess_List standard permit Huntersville 255.255.255.0
access-list Limited__VPN_Acccess_List standard permit host 192.168.16.124
access-list Limited__VPN_Acccess_List standard permit 192.168.16.0 255.255.255.0
access-list Limited__VPN_Acccess_List standard permit host 172.16.8.52
access-list Limited__VPN_Acccess_List standard permit Canton_Phones 255.255.255. 0
access-list Limited__VPN_Acccess_List remark ORD-VM-DEV1
access-list Limited__VPN_Acccess_List standard permit host RS_10.178.0.6
access-list Limited__VPN_Acccess_List remark ORD-VM-DEV2
access-list Limited__VPN_Acccess_List standard permit host 10.178.192.103
access-list Limited__VPN_Acccess_List standard permit host 192.168.8.10
access-list Limited__VPN_Acccess_List standard permit RS_172.16.8.0 255.255.252. 0
access-list Limited__VPN_Acccess_List standard permit 172.16.0.0 255.255.0.0
access-list Limited__VPN_Acccess_List standard permit host 10.178.133.26
access-list Limited__VPN_Acccess_List standard permit RS_Cloud_New 255.240.0.0
access-list Limited__VPN_Acccess_List standard permit host CantonGW
access-list Limited__VPN_Acccess_List standard permit host SRX_Gateway
access-list Limited__VPN_Acccess_List standard permit host 192.168.8.1
access-list Limited__VPN_Acccess_List standard permit RS_Cloud 255.240.0.0
access-list Limited__VPN_Acccess_List standard permit any
access-list Limited__VPN_Acccess_List remark TGTFS
access-list Limited__VPN_Acccess_List remark TGDEV
access-list Limited__VPN_Acccess_List remark TGTFS
access-list Limited__VPN_Acccess_List remark TGDEV
access-list Outside_cryptomap extended permit ip 192.168.16.0 255.255.255.0 Huntersville 255.255.255.0
access-list Outside_cryptomap extended permit ip Huntersville 255.255.255.0 Charlotte_SSL_VPN_Clients 255.255.255.0
access-list Huntersville_nat_outbound extended permit ip Charlotte_SSL_VPN_Clients 255.255.255.0 Huntersville 255.255.255.0
access-list Huntersville_nat_outbound extended permit ip Huntersville 255.255.255.0 Charlotte_SSL_VPN_Clients 255.255.255.0
access-list Huntersville_nat_outbound extended permit ip Canton_Phones 255.255.255.0 Charlotte_SSL_VPN_Clients 255.255.255.0
access-list Huntersville_nat_outbound extended permit ip Charlotte_SSL_VPN_Clients 255.255.255.0 Canton_Phones 255.255.255.0
access-list Outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6
access-list Outside_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_13 object-group DM_INLINE_NETWORK_14
access-list Outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_2 log disable
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any Charlotte_SSL_VPN_Clients 255.255.255.0
access-list Outside_access_in extended permit ip Huntersville 255.255.255.0 any log disable
access-list Outside_access_in extended permit ip Charlotte_SSL_VPN_Clients 255.255.255.0 any log disable
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_4 host SRX_Gateway Charlotte_SSL_VPN_Clients 255.255.255.0 inactive
access-list Outside_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6
access-list Outside_cryptomap_2 extended permit ip 192.168.16.0 255.255.255.0 RS_172.16.20.0 255.255.252.0
access-list Canton_nat_outbound extended permit object-group DM_INLINE_SERVICE_6 Charlotte_SSL_VPN_Clients 255.255.255.0 object-group DM_INLINE_NETWORK_15
access-list splitacl standard permit 192.168.16.0 255.255.255.0
pager lines 24
logging enable
logging console emergencies
logging monitor informational
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool SSL_VPN_Pool 192.168.15.10-192.168.15.254 mask 255.255.255.0
ip local pool New_VPN_Pool 192.168.16.50-192.168.16.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Inside
no asdm history enable
arp timeout 14400
nat (Outside) 0 access-list Huntersville_nat_outbound
nat (Inside) 0 access-list Inside_nat0_outbound
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 70.63.165.217 1
route Inside Canton_Phones 255.255.255.0 CantonGW 1
route Inside Canton_Wireless_Data 255.255.255.0 CantonGW 1
route Inside Charlotte_SSL_VPN_Clients 255.255.255.0 SRX_Gateway 1
route Inside Charlotte_Wireless_Data 255.255.255.0 SRX_Gateway 1
route Inside Canton_Data 255.255.255.0 CantonGW 1
route Inside Canton_Wireless_Phones 255.255.255.0 CantonGW 1
route Inside Charlotte_Phones 255.255.255.0 SRX_Gateway 1
route Inside 192.168.116.219 255.255.255.255 CantonGW 1
route Inside Charlotte_Wireless_Phones 255.255.255.0 SRX_Gateway 1
route Inside Peak10 255.255.255.0 SRX_Gateway 1
timeout xlate 3:00:00
timeout conn 8:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record TGAD_AccessPolicy
aaa-server TGAD protocol ldap
aaa-server TGAD (Inside) host 192.168.16.122
ldap-base-dn DC=tg,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=vpn user,CN=Users,DC=tg,DC=local
server-type microsoft
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa local authentication attempts max-fail 10
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.16.0 255.255.255.0 Inside
http Charlotte_SSL_VPN_Clients 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map0 1 match address Outside_cryptomap
crypto map Outside_map0 1 set pfs
crypto map Outside_map0 1 set peer 74.218.175.168
crypto map Outside_map0 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map0 2 match address Outside_cryptomap_2
crypto map Outside_map0 2 set peer 192.237.229.119
crypto map Outside_map0 2 set transform-set ESP-3DES-MD5
crypto map Outside_map0 3 match address Outside_cryptomap_1
crypto map Outside_map0 3 set peer 174.143.192.65
crypto map Outside_map0 3 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map0 interface Outside
crypto map Inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Inside_map interface Inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=charlotte
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
subject-name CN=charlotte
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint1
certificate 48676150
3082024c 308201b5 a0030201 02020448 67615030 0d06092a 864886f7 0d010105
05003038 31123010 06035504 03130963 6861726c 6f747465 31223020 06092a86
4886f70d 01090216 13636861 726c6f74 74652e74 68696e6b 67617465 301e170d
31323039 32353038 31373333 5a170d32 32303932 33303831 3733335a 30383112
30100603 55040313 09636861 726c6f74 74653122 30200609 2a864886 f70d0109
02161363 6861726c 6f747465 2e746869 6e6b6761 74653081 9f300d06 092a8648
86f70d01 01010500 03818d00 30818902 8181008e d3e1ac63 a8a39dab 02170491
2bf104d2 732c7fd7 7065758b 03bb9772 c8ab9faf 0e5e9e93 bfb57eea a849c875
7899d261 8d426c37 9749d3d7 c86ca8e0 1d978069 3d43e7c5 569bb738 37e9bb31
0ebd5065 01eb7a05 87933d2d 786a722e 8eee16e7 3207510b f5e7e704 cbddbda2
a6b9ae45 efaba898 b8c921b6 2b05c0fb 1b0a9b02 03010001 a3633061 300f0603
551d1301 01ff0405 30030101 ff300e06 03551d0f 0101ff04 04030201 86301f06
03551d23 04183016 8014fb93 35da7dd5 15d8e2ad 8e05ccf7 b5c333cc 95ac301d
0603551d 0e041604 14fb9335 da7dd515 d8e2ad8e 05ccf7b5 c333cc95 ac300d06
092a8648 86f70d01 01050500 03818100 6851ae52 5383c6f6 9e3ea714 85b2c5a0
fd720959 a0b91899 806bad7a 08e2208e de22cad0 6692b09a 7152b21e 3bbfce68
cc9f1391 8c460a04 a15e1a9e b18f829d 6d42d9bd ed5346bd 73a402f7 21e0c746
02757fb6 b60405a9 ac3b9070 8c0f2fba d12f157b 85dd0a8b 2e9cf830 90a19412
c7af1667 37b5ed8e c023ea4d 0c434609
quit
crypto isakmp enable Outside
crypto isakmp enable Inside
crypto isakmp policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 170
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 5
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh 172.221.228.164 255.255.255.255 Outside
ssh Charlotte_SSL_VPN_Clients 255.255.255.0 Inside
ssh 192.168.16.0 255.255.255.0 Inside
ssh timeout 5
console timeout 0
management-access Inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint1 Outside
webvpn
enable Outside
enable Inside
anyconnect-essentials
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1 regex "Windows NT"
svc enable
group-policy DfltGrpPolicy attributes
dns-server value 192.168.16.122 8.8.8.8
vpn-idle-timeout none
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Limited__VPN_Acccess_List
default-domain value tg.local
split-dns value tg.local
group-policy LimitedAccessGroupPolicy internal
group-policy LimitedAccessGroupPolicy attributes
wins-server none
dns-server value 192.168.16.122 8.8.8.8
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Limited__VPN_Acccess_List
default-domain value thinkgate.local
split-tunnel-all-dns disable
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
vpn-tunnel-protocol IPSec
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
wins-server none
dns-server value 192.168.16.122 8.8.8.8
vpn-tunnel-protocol svc
default-domain value tg.local
group-policy Site-to-Site_Policy internal
group-policy Site-to-Site_Policy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
default-group-policy LimitedAccessGroupPolicy
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool SSL_VPN_Pool
tunnel-group LimitedAccessTunnelGroup type remote-access
tunnel-group LimitedAccessTunnelGroup general-attributes
address-pool SSL_VPN_Pool
default-group-policy LimitedAccessGroupPolicy
tunnel-group 208.104.76.178 type ipsec-l2l
tunnel-group 208.104.76.178 ipsec-attributes
pre-shared-key *****
tunnel-group 74.218.175.168 type ipsec-l2l
tunnel-group 74.218.175.168 ipsec-attributes
pre-shared-key *****
tunnel-group TGAD_ConnectionProfile type remote-access
tunnel-group TGAD_ConnectionProfile general-attributes
authentication-server-group TGAD
default-group-policy GroupPolicy1
tunnel-group 174.143.192.65 type ipsec-l2l
tunnel-group 174.143.192.65 general-attributes
default-group-policy GroupPolicy2
tunnel-group 174.143.192.65 ipsec-attributes
pre-shared-key *****
tunnel-group 192.237.229.119 type ipsec-l2l
tunnel-group 192.237.229.119 ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:ef741b4905b43dc36d0f621e06508840
: end
charlotte#What does the packet-tracer say, what does the IPsec associations say (packets encrypted/decrypted)?
This might be faster that going through your hundreds of lines of config. -
Accessing a subnet via VPN session
Hi everybody.
I have not to much experience configuring and managing VPN´s and at this moment I am facing a bit issue. I've got a remote site which is connected to the headquarters via VPN site to site IP Sec tunnel. When I am in my office I have no problem to reach the remote network, but, when I try to connect to the remote network via VPN client, I can't reach it.
in the remote office I've hot a Router 3800 (Cisco IOS Software, 3800 Software (C3845-ADVENTERPRISEK9-M), Version 12.4(13c), RELEASE SOFTWARE (fc2)) in the headquarters I've got an ASA 5520 Version 8.0(3) I've chequed access-list, and network objects and it seems everythink ok.
local network: 10.30.0.0 0.0.0.0
remote network 10.31.0.0 0.0.0.0
ASA
object-group network remote-network
network-object 172.16.27.0 255.255.255.0
network-object 10.31.0.0 255.255.0.0
object-group network network-local
network-object 0.0.0.0 0.0.0.0
access-list VPN_Remote_Access_splitTunnelAcl standard permit 10.31.0.0 255.255.0.0
Router 3800
ip access-list extended vpn
permit ip 10.31.0.0 0.0.255.255 any
Can someone guide me about what is missing in the config? no problem if you need more "sho run" lines.
Regards and Thanks very much!!Hi Ankur, thanks very much for your reply!
this is the "sho run" in my remote router:
I do not undesrtand well your first question, but if it is usefull, I loggin to headquerters "headquerters public ip address"
this is a simple diagram of where I want to connect to:
REMOTE_SITE --------------------------( vpn site to site IP sec tunnel )-------------------------HEADQUERTERS
(10.31.0.0/24 network) (10.30.0.0/16network)
|
|
|
|
REMOTE USER
(10.30.23.130/25)
REMOTESITE#sho run
Building configuration...
Current configuration : 10834 bytes
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname PYASU1ROU01
boot-start-marker
boot-end-marker
logging buffered 64000 debugging
no logging console
aaa new-model
aaa authentication login default group tac-auth local
aaa authentication enable default group tac-auth enable
aaa authorization console
aaa authorization exec default group tac-auth local if-authenticated
aaa authorization network default local
aaa accounting exec default start-stop group tac-auth
aaa session-id common
clock timezone PR -3
ip cef
voice-card 0
no dspfarm
crypto pki trustpoint TP-self-signed-4112391703
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4112391703
revocation-check none
rsakeypair TP-self-signed-4112391703
crypto pki certificate chain TP-self-signed-4112391703
certificate self-signed 01
30820243 308201AC A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34313132 33393137 3033301E 170D3131 31313234 30323430
34335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 31313233
39313730 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100A09B 8740E68A 0C5BB452 D4D26D1B C91E4B5A 71FF0E11 411D70DB ED09EE4C
95C67911 0DFB9557 EB17CE79 9A3AF1C8 3B4DC1C0 75F6B938 F3431C4D 6DEAB793
A560C0AE 88007146 4312FBDF F979476B AB55CACD 9EE00DAC B3227CD6 9861DE87
DD462212 6E8FDA90 7BEA7967 26FCF6B6 6DDDBD5A A6E3D7F8 12AE4F5E 71BDDEE3
D5130203 010001A3 6B306930 0F060355 1D130101 FF040530 030101FF 30160603
551D1104 0F300D82 0B505941 53553152 4F553031 301F0603 551D2304 18301680
14C86D3D 3AF1854B 977D5BD8 A9ABAF33 4E7483BC 3B301D06 03551D0E 04160414
C86D3D3A F1854B97 7D5BD8A9 ABAF334E 7483BC3B 300D0609 2A864886 F70D0101
04050003 8181005A 5A20ACB9 EE50A66C 054B5449 62A98E5F B42E5193 6D3D71A8
B0949BE2 70BE6F3C 2FAD7E2D AA0FCF6C 4D8E8344 035A33D6 6538EF32 33F8C746
31119E9C F08091A2 9F8DCF8F 1B779D90 82F3366C D0F84D6B AB7E3248 E532E224
91E404E9 608ECF11 5525D52B A02C3D9C 7BC1C1EF 496D1246 1125086B 54EEF4A2
94350AFF EA7CB2
quit
username admin privilege 15 secret 5 $1$P3xv$e99l3YcRWgFPEp/m6uXZg1
username cwuser privilege 15 secret 5 $1$Ir9X$CZgLaFy7XKsmT9avFHTTk/
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
crypto keyring apex
pre-shared-key address "headquerters public ip address"
key apex
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp profile companyname
keyring apex
match identity address "headquerters public ip address"
crypto ipsec transform-set esp-aes256-sha esp-aes 256 esp-sha-hmac
crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
crypto map outside 10 ipsec-isakmp
set peer "headquerters public ip address"
set transform-set 3DES
set isakmp-profile companyname
match address vpn-companyname
interface Loopback1
description monitoreo
ip address 10.31.21.255 255.255.255.255
interface GigabitEthernet0/0
description Teysa
ip address public ip address
ip nat outside
no ip virtual-reassembly
load-interval 30
duplex auto
speed auto
media-type rj45
crypto map outside
interface GigabitEthernet0/1
description TO CORE-SW
ip address 192.168.255.249 255.255.255.252
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
media-type rj45
interface FastEthernet0/0/0
switchport access vlan 2
duplex full
speed 100
interface FastEthernet0/0/1
switchport access vlan 10
shutdown
duplex full
speed 100
interface FastEthernet0/0/2
switchport mode trunk
shutdown
interface FastEthernet0/0/3
switchport access vlan 10
shutdown
duplex full
speed 100
interface Vlan1
no ip address
no ip http server
ip http authentication aaa login-authentication default
ip http authentication aaa exec-authorization default
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map nat interface GigabitEthernet0/0 overload
ip access-list extended nat
deny ip host 172.16.27.236 10.0.0.0 0.255.255.255
deny ip 10.31.0.0 0.0.255.255 10.0.0.0 0.255.255.255
deny ip 172.16.27.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 10.31.11.0 0.0.0.255 any
permit ip 10.31.13.0 0.0.0.255 any
permit ip 172.16.27.0 0.0.0.255 host 209.59.188.93
permit ip 172.16.27.0 0.0.0.255 host 190.180.145.46
permit ip 172.16.27.0 0.0.0.255 host 46.51.171.127
permit ip 172.16.27.224 0.0.0.31 any
ip access-list extended vpn-apex
permit ip 10.50.20.0 0.0.1.255 any
permit ip 172.16.27.0 0.0.0.255 any
permit ip 10.31.0.0 0.0.255.255 any
permit ip 10.30.0.0 0.0.255.255 any
route-map nat permit 10
match ip address nat
control-plane
line con 0
password 7 xxxxxxxxxx
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password 7 xxxxxxxxxx
scheduler allocate 20000 1000
ntp server 10.30.5.38
end
REMOTESITE#
Regards! -
Can only connect one user at a time via VPN?
Hi, long-term Mac user but new to OS X Server. Dug thru the forums quite a bit but couldn't find an answer to this one - hopefully I wasn't searching with the wrong keywords.
Installed OS X Server 10.6 on a MacBook (white, 1 generation back) at the office. Sits behind an Airport Extreme, which is connected to Comcast. Other machines at the office are NOT routed through the Server, but rather connect directly to the Airport Extreme for internet access. I've set up server.mydomainname.com to point to our Comcast address, and I am able to connect via VPN to the server without any problems, and access the server using the server.mydomainname.com address which I pointed to my Comcast IP address, as long as I check "Send all traffic over VPN connection" on my client.
However, when I'm logged in via VPN on one computer, and then log in via VPN on another computer (with the same UID or a different one), the first one loses all connectivity through the VPN - it's as if it had been logged off.
In Server Admin, under the Settings|Network tabs, I have Computer Name set up as "theserver", and Local Hostname as "theserver" (so I can access via theserver.private). VPN is set up to enable L2TP over IPsec, sharing ranges 10.0.1.200 thru 10.0.1.220; no load balancing, no PPTP. Client DNS servers is set to 10.0.1.29.
Any ideas as to why I can only connect with one client at a time?Thanks. I didn't see anything interesting, but then again I'm not up on VPN details. Here's the scenario:
First, I logged in as "user1", and I can use the VPN.
Then, I logged in as "user2", and I can use the VPN with user2, but user1 is no longer able to do anything over the VPN.
Then I hung up with user2, but user1 still can't see anything over the VPN.
Then I hung up and reconnected with user1, and user1 can use the VPN again.
Here's part of the log for this activity. I've replaced potentially identifying info with "XYZ" for safety. Appreciate any thoughts on this!
Tue Oct 19 07:33:08 2010 : L2TP received ICCN
Tue Oct 19 07:33:08 2010 : L2TP connection established.
Tue Oct 19 07:33:08 2010 : using link 1
Tue Oct 19 07:33:08 2010 : Using interface ppp1
Tue Oct 19 07:33:08 2010 : Connect: ppp1 <--> socket[34:18]
Tue Oct 19 07:33:08 2010 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic XYZ> <pcomp> <accomp>]
Tue Oct 19 07:33:08 2010 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic XYZ> <pcomp> <accomp>]
Tue Oct 19 07:33:08 2010 : lcp_reqci: returning CONFACK.
Tue Oct 19 07:33:08 2010 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic XYZ> <pcomp> <accomp>]
Tue Oct 19 07:33:08 2010 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic XYZ> <pcomp> <accomp>]
Tue Oct 19 07:33:08 2010 : sent [LCP EchoReq id=0x0 magic=XYZ]
Tue Oct 19 07:33:08 2010 : sent [CHAP Challenge id=0x18 <XYZ>, name = "myserver.private"]
Tue Oct 19 07:33:08 2010 : rcvd [LCP EchoReq id=0x0 magic=XYZ]
Tue Oct 19 07:33:08 2010 : sent [LCP EchoRep id=0x0 magic=XYZ]
Tue Oct 19 07:33:08 2010 : rcvd [LCP EchoRep id=0x0 magic=XYZ]
Tue Oct 19 07:33:08 2010 : rcvd [CHAP Response id=0x18 <XYZ>, name = "user2"]
Tue Oct 19 07:33:08 2010 : sent [CHAP Success id=0x18 "S=XYZ M=Access granted"]
Tue Oct 19 07:33:08 2010 : CHAP peer authentication succeeded for user2
Tue Oct 19 07:33:08 2010 : DSAccessControl plugin: User 'user2' authorized for access
Tue Oct 19 07:33:08 2010 : sent [IPCP ConfReq id=0x1 <addr 10.0.1.29>]
Tue Oct 19 07:33:08 2010 : sent [ACSCP ConfReq id=0x1]
Tue Oct 19 07:33:08 2010 : rcvd [IPCP ConfReq id=0x1 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns3 0.0.0.0>]
Tue Oct 19 07:33:08 2010 : ipcp: returning Configure-NAK
Tue Oct 19 07:33:08 2010 : sent [IPCP ConfNak id=0x1 <addr 10.0.1.213> <ms-dns1 10.0.1.29> <ms-dns3 10.0.1.29>]
Tue Oct 19 07:33:08 2010 : rcvd [IPV6CP ConfReq id=0x1 <addr XYZ>]
Tue Oct 19 07:33:08 2010 : Unsupported protocol 0x8057 received
Tue Oct 19 07:33:08 2010 : sent [LCP ProtRej id=0x2 80 47 01 01 00 0f 01 0a 02 1b 63 ff fe a0 dd da]
Tue Oct 19 07:33:08 2010 : rcvd [ACSCP ConfReq id=0x1 <ms-dns1 0.0.0.1> <ms-dns1 0.0.0.1>]
Tue Oct 19 07:33:08 2010 : sent [ACSCP ConfRej id=0x1 <ms-dns1 0.0.0.1>]
Tue Oct 19 07:33:08 2010 : rcvd [IPCP ConfAck id=0x1 <addr 10.0.1.29>]
Tue Oct 19 07:33:08 2010 : rcvd [ACSCP ConfAck id=0x1]
Tue Oct 19 07:33:08 2010 : rcvd [IPCP ConfReq id=0x2 <addr 10.0.1.213> <ms-dns1 10.0.1.29> <ms-dns3 10.0.1.29>]
Tue Oct 19 07:33:08 2010 : ipcp: returning Configure-ACK
Tue Oct 19 07:33:08 2010 : sent [IPCP ConfAck id=0x2 <addr 10.0.1.213> <ms-dns1 10.0.1.29> <ms-dns3 10.0.1.29>]
Tue Oct 19 07:33:08 2010 : ipcp: up
Tue Oct 19 07:33:08 2010 : l2tpwaitinput: Address added. previous interface setting (name: en0, address: 10.0.1.29), current interface setting (name: ppp1, family: PPP, address: 10.0.1.29, subnet: 255.0.0.0, destination: 10.0.1.213).
Tue Oct 19 07:33:08 2010 : found interface en0 for proxy arp
Tue Oct 19 07:33:08 2010 : local IP address 10.0.1.29
Tue Oct 19 07:33:08 2010 : remote IP address 10.0.1.213
Tue Oct 19 07:33:08 2010 : l2tpwaitinput: Address added. previous interface setting (name: en0, address: 10.0.1.29), current interface setting (name: ppp1, family: PPP, address: 10.0.1.29, subnet: 255.0.0.0, destination: 10.0.1.213).
Tue Oct 19 07:33:08 2010 : rcvd [ACSCP ConfReq id=0x2 <ms-dns1 0.0.0.1>]
Tue Oct 19 07:33:08 2010 : sent [ACSCP ConfAck id=0x2 <ms-dns1 0.0.0.1>]
Tue Oct 19 07:33:08 2010 : sent [ACSP data <payload len 26, packet seq 0, CI_DOMAINS, flags: START END REQUIRE-ACK>
<domain: name XYZ>]
Tue Oct 19 07:33:08 2010 : rcvd [IP data <src addr 10.0.1.213> <dst addr 255.255.255.255> <BOOTP Request> <type INFORM> <client id 0x08000000010000> <parameters = 0x6 0x2c 0x2b 0x1 0xf9 0xf>]
Tue Oct 19 07:33:08 2010 : sent [IP data <src addr 10.0.1.29> <dst addr 10.0.1.213> <BOOTP Reply> <type ACK> <server id 0x0a00011d> <domain name "XYZ">]
Tue Oct 19 07:33:08 2010 : rcvd [ACSP data <payload len 0, packet seq 0, CI_DOMAINS, flags: ACK>]
Tue Oct 19 07:33:34 2010 : rcvd [LCP TermReq id=0x2 "User request"]
Tue Oct 19 07:33:34 2010 : LCP terminated by peer (User request)
Tue Oct 19 07:33:34 2010 : ipcp: down
Tue Oct 19 07:33:34 2010 : l2tpwaitinput: Address deleted. previous interface setting (name: en0, address: 10.0.1.29), deleted interface setting (name: ppp1, family: PPP, address: 10.0.1.29, subnet: 255.0.0.0, destination: 10.0.1.213).
Tue Oct 19 07:33:34 2010 : sent [LCP TermAck id=0x2]
Tue Oct 19 07:33:34 2010 : l2tpwaitinput: Address deleted. previous interface setting (name: en0, address: 10.0.1.29), deleted interface setting (name: ppp1, family: PPP, address: 10.0.1.29, subnet: 255.0.0.0, destination: 10.0.1.213).
Tue Oct 19 07:33:34 2010 : L2TP received CDN
Tue Oct 19 07:33:34 2010 : Connection terminated.
Tue Oct 19 07:33:34 2010 : Connect time 0.5 minutes.
Tue Oct 19 07:33:34 2010 : Sent 777000 bytes, received 105388 bytes.
Tue Oct 19 07:33:34 2010 : L2TP disconnecting...
Tue Oct 19 07:33:34 2010 : L2TP disconnected
2010-10-19 07:33:34 PDT --> Client with address = 10.0.1.213 has hungup
Tue Oct 19 07:33:50 2010 : rcvd [LCP TermReq id=0x3 "User request"]
Tue Oct 19 07:33:50 2010 : LCP terminated by peer (User request)
Tue Oct 19 07:33:50 2010 : ipcp: down
Tue Oct 19 07:33:50 2010 : sent [LCP TermAck id=0x3]
Tue Oct 19 07:33:50 2010 : l2tpwaitinput: Address deleted. previous interface setting (name: en0, address: 10.0.1.29), deleted interface setting (name: ppp0, family: PPP, address: 10.0.1.29, subnet: 255.0.0.0, destination: 10.0.1.214).
Tue Oct 19 07:33:50 2010 : L2TP received CDN
Tue Oct 19 07:33:50 2010 : Connection terminated.
Tue Oct 19 07:33:50 2010 : Connect time 3.5 minutes.
Tue Oct 19 07:33:50 2010 : Sent 625383 bytes, received 225586 bytes.
Tue Oct 19 07:33:50 2010 : L2TP disconnecting...
Tue Oct 19 07:33:50 2010 : L2TP disconnected
2010-10-19 07:33:50 PDT --> Client with address = 10.0.1.214 has hungup
2010-10-19 07:33:59 PDT Incoming call... Address given to client = 10.0.1.216
Tue Oct 19 07:33:59 2010 : Directory Services Authentication plugin initialized
Tue Oct 19 07:33:59 2010 : Directory Services Authorization plugin initialized
Tue Oct 19 07:33:59 2010 : L2TP incoming call in progress from 'XYZ'...
Tue Oct 19 07:33:59 2010 : L2TP received SCCRQ
Tue Oct 19 07:33:59 2010 : L2TP sent SCCRP
Tue Oct 19 07:33:59 2010 : L2TP received SCCCN
Tue Oct 19 07:33:59 2010 : L2TP received ICRQ
Tue Oct 19 07:33:59 2010 : L2TP sent ICRP
Tue Oct 19 07:33:59 2010 : L2TP received ICCN
Tue Oct 19 07:33:59 2010 : L2TP connection established.
Tue Oct 19 07:33:59 2010 : using link 0
Tue Oct 19 07:33:59 2010 : Using interface ppp0
Tue Oct 19 07:33:59 2010 : Connect: ppp0 <--> socket[34:18]
Tue Oct 19 07:33:59 2010 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic XYZ> <pcomp> <accomp>]
Tue Oct 19 07:33:59 2010 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic XYZ> <pcomp> <accomp>]
Tue Oct 19 07:33:59 2010 : lcp_reqci: returning CONFACK.
Tue Oct 19 07:33:59 2010 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic XYZ> <pcomp> <accomp>]
Tue Oct 19 07:33:59 2010 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic XYZ> <pcomp> <accomp>]
Tue Oct 19 07:33:59 2010 : sent [LCP EchoReq id=0x0 magic=XYZ]
Tue Oct 19 07:33:59 2010 : sent [CHAP Challenge id=0xf1 <XYZ>, name = "myserver.private"]
Tue Oct 19 07:33:59 2010 : rcvd [LCP EchoReq id=0x0 magic=XYZ]
Tue Oct 19 07:33:59 2010 : sent [LCP EchoRep id=0x0 magic=XYZ]
Tue Oct 19 07:33:59 2010 : rcvd [LCP EchoRep id=0x0 magic=XYZ]
Tue Oct 19 07:33:59 2010 : rcvd [CHAP Response id=0xf1 <XYZ>, name = "user1"]
Tue Oct 19 07:34:00 2010 : sent [CHAP Success id=0xf1 "S=XYZ M=Access granted"]
Tue Oct 19 07:34:00 2010 : CHAP peer authentication succeeded for user1
Tue Oct 19 07:34:00 2010 : DSAccessControl plugin: User 'user1' authorized for access
Tue Oct 19 07:34:00 2010 : sent [IPCP ConfReq id=0x1 <addr 10.0.1.29>]
Tue Oct 19 07:34:00 2010 : sent [ACSCP ConfReq id=0x1]
Tue Oct 19 07:34:00 2010 : rcvd [IPCP ConfReq id=0x1 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns3 0.0.0.0>]
Tue Oct 19 07:34:00 2010 : ipcp: returning Configure-NAK
Tue Oct 19 07:34:00 2010 : sent [IPCP ConfNak id=0x1 <addr 10.0.1.216> <ms-dns1 10.0.1.29> <ms-dns3 10.0.1.29>]
Tue Oct 19 07:34:00 2010 : rcvd [IPV6CP ConfReq id=0x1 <addr XYZ>]
Tue Oct 19 07:34:00 2010 : Unsupported protocol 0x8057 received
Tue Oct 19 07:34:00 2010 : sent [LCP ProtRej id=0x2 80 57 01 01 00 0e 01 0a 02 1b 63 ff fe 99 35 cb]
Tue Oct 19 07:34:00 2010 : rcvd [LCP ProtRej id=0x2 82 35 01 01 00 04]
Tue Oct 19 07:34:00 2010 : rcvd [IPCP ConfAck id=0x1 <addr 10.0.1.29>]
Tue Oct 19 07:34:00 2010 : rcvd [IPCP ConfReq id=0x2 <addr 10.0.1.216> <ms-dns1 10.0.1.29> <ms-dns3 10.0.1.29>]
Tue Oct 19 07:34:00 2010 : ipcp: returning Configure-ACK
Tue Oct 19 07:34:00 2010 : sent [IPCP ConfAck id=0x2 <addr 10.0.1.216> <ms-dns1 10.0.1.29> <ms-dns3 10.0.1.29>]
Tue Oct 19 07:34:00 2010 : ipcp: up
Tue Oct 19 07:34:00 2010 : found interface en0 for proxy arp
Tue Oct 19 07:34:00 2010 : local IP address 10.0.1.29
Tue Oct 19 07:34:00 2010 : remote IP address 10.0.1.216
Tue Oct 19 07:34:00 2010 : l2tpwaitinput: Address added. previous interface setting (name: en0, address: 10.0.1.29), current interface setting (name: ppp0, family: PPP, address: 10.0.1.29, subnet: 255.0.0.0, destination: 10.0.1.216).
Tue Oct 19 07:34:00 2010 : rcvd [IP data <src addr 10.0.1.216> <dst addr 255.255.255.255> <BOOTP Request> <type INFORM> <client id 0x08000000010000> <parameters = 0x6 0x2c 0x2b 0x1 0xf9 0xf>]
Tue Oct 19 07:34:00 2010 : sent [IP data <src addr 10.0.1.29> <dst addr 10.0.1.216> <BOOTP Reply> <type ACK> <server id 0x0a00011d> <domain name "XYZ">] -
Unable to access secondary subnet from VPN client
Please can someone help with the following; I have an ASA 5510 running v8.4(3)9 and have setup a remote user VPN using the Cisco VPN client v5.0.07.0410 which is working appart from the fact that I cannot access resources on a secondary subnet.
The setup is as follows:
ASA inside interface on 192.168.10.240
VPN clients on 192.168.254.x
I can access reources on the 192.168.10 subnet but not any other subnets internally, I need to specifically allow access to the 192.168.20 subnet, but I cannot figure out how to do this please advise, the config is below: -
Result of the command: "show startup-config"
ASA Version 8.4(3)9
hostname blank
domain-name
enable password encrypted
passwd encrypted
names
dns-guard
interface Ethernet0/0
nameif outside
security-level 0
ip address 255.255.255.224
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.240 255.255.255.0
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 10.10.10.253 255.255.255.0
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
boot system disk0:/asa843-9-k8.bin
boot system disk0:/asa823-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 194.168.4.123
name-server 194.168.8.123
domain-name nifcoeu.com
object network obj-192.168.0.0
subnet 192.168.0.0 255.255.255.0
object network obj-192.168.5.0
subnet 192.168.5.0 255.255.255.0
object network obj-192.168.10.0
subnet 192.168.10.0 255.255.255.0
object network obj-192.168.100.0
subnet 192.168.100.0 255.255.255.0
object network obj-192.168.254.0
subnet 192.168.254.0 255.255.255.0
object network obj-192.168.20.1
host 192.168.20.1
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj_any-01
subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
host 0.0.0.0
object network obj_any-02
subnet 0.0.0.0 0.0.0.0
object network obj-10.10.10.1
host 10.10.10.1
object network obj_any-03
subnet 0.0.0.0 0.0.0.0
object network obj_any-04
subnet 0.0.0.0 0.0.0.0
object network obj_any-05
subnet 0.0.0.0 0.0.0.0
object network NS1000_EXT
host 80.4.146.133
object network NS1000_INT
host 192.168.20.1
object network SIP_REGISTRAR
host 83.245.6.81
object service SIP_INIT_TCP
service tcp destination eq sip
object service SIP_INIT_UDP
service udp destination eq sip
object network NS1000_DSP
host 192.168.20.2
object network SIP_VOICE_CHANNEL
host 83.245.6.82
object service DSP_UDP
service udp destination range 6000 40000
object service DSP_TCP
service tcp destination range 6000 40000
object network 20_range_subnet
subnet 192.168.20.0 255.255.255.0
description Voice subnet
object network 25_range_Subnet
subnet 192.168.25.0 255.255.255.0
description VLAN 25 client PC devices
object-group network ISP_NAT
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service SIP_INIT tcp-udp
port-object eq sip
object-group service DSP_TCP_UDP tcp-udp
port-object range 6000 40000
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object 20_range_subnet 192.168.254.0 255.255.255.0
access-list Remote-VPN_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list Remote-VPN_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
access-list 100 extended permit object-group TCPUDP object SIP_REGISTRAR object NS1000_INT object-group SIP_INIT
access-list 100 extended permit object-group TCPUDP object SIP_VOICE_CHANNEL object NS1000_DSP object-group DSP_TCP_UDP
access-list 100 extended permit ip 62.255.171.0 255.255.255.224 any
access-list 100 extended permit icmp any any echo-reply inactive
access-list 100 extended permit icmp any any time-exceeded inactive
access-list 100 extended permit icmp any any unreachable inactive
access-list 100 extended permit tcp any host 10.10.10.1 eq ftp
access-list 100 extended permit tcp any host 10.10.10.1 eq ftp-data
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
ip local pool VPN-Pool 192.168.254.1-192.168.254.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
asdm history enable
arp timeout 14400
nat (inside,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.5.0 obj-192.168.5.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.100.0 obj-192.168.100.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.254.0 obj-192.168.254.0 no-proxy-arp route-lookup
nat (outside,inside) source static SIP_REGISTRAR SIP_REGISTRAR destination static interface NS1000_INT service SIP_INIT_TCP SIP_INIT_TCP
nat (outside,inside) source static SIP_REGISTRAR SIP_REGISTRAR destination static interface NS1000_INT service SIP_INIT_UDP SIP_INIT_UDP
object network obj_any
nat (inside,outside) dynamic interface
object network obj_any-01
nat (inside,outside) dynamic obj-0.0.0.0
object network obj_any-02
nat (inside,DMZ) dynamic obj-0.0.0.0
object network obj-10.10.10.1
nat (DMZ,outside) static 80.4.146.134
object network obj_any-03
nat (DMZ,outside) dynamic obj-0.0.0.0
object network obj_any-04
nat (management,outside) dynamic obj-0.0.0.0
object network obj_any-05
nat (management,DMZ) dynamic obj-0.0.0.0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 80.4.146.129 1
route inside 192.168.20.0 255.255.255.0 192.168.10.254 1
route inside 192.168.25.0 255.255.255.0 192.168.10.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.10.0 255.255.255.0 inside
http 192.168.25.0 255.255.255.0 inside
http 62.255.171.0 255.255.255.224 outside
http 192.168.254.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=
crl configure
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 2f0e024d
quit
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
quit
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh 62.255.171.0 255.255.255.224 outside
ssh 192.168.254.0 255.255.255.0 outside
ssh 192.168.10.0 255.255.255.0 inside
ssh 192.168.25.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
vpn-sessiondb max-other-vpn-limit 250
vpn-sessiondb max-anyconnect-premium-or-essentials-limit 2
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.10.6 source inside prefer
webvpn
group-policy Remote-VPN internal
group-policy Remote-VPN attributes
wins-server value 192.168.10.21 192.168.10.22
dns-server value 192.168.10.21 192.168.10.22
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Remote-VPN_splitTunnelAcl
default-domain value
username blank password blank encrypted privilege 0
username blank attributes
vpn-group-policy Remote-VPN
username blank password encrypted privilege 0
username blank attributes
vpn-group-policy Remote-VPN
tunnel-group Remote-VPN type remote-access
tunnel-group Remote-VPN general-attributes
address-pool VPN-Pool
default-group-policy Remote-VPN
tunnel-group Remote-VPN ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
inspect sip
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
contact-email-addr
profile CiscoTAC-1
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:b8263c5aa7a6a4d9cb08368c042ea236Your config was missing a no-nat between your "192.168.20.0" and "obj-192.168.254.0"
So, if you look at your config there is a no-nat for inside subnet "obj-192.168.10.0" as shown below.
nat (inside,any) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.254.0 obj-192.168.254.0
So all you have to do is create a no-nat for your second subnet, like I showed you before, the solution was already there on your config but I guess you over looked at it.
I hope that helps.
Thanks
Rizwan Rafeek -
Can't access management interface via vpn connection
Hi all,
I can't seem to be able to manage my ASA 5510 when I connect via vpn. My asa sits at a remote colo, and from my office i can connect fine. I have it configured as management-access (dmz), bc as of now we are just doing some staging and all the servers are in the dmz interface.
When i connect with the vpn client, in the routes it sees 192.168.1.0 255.255.255.0 which is the management network/interface.
For some reason I can't get access to 192.168.1.1 to use the ASDM.
Here is how i did my vpn via CLI
isakmp enable outside
isakmp identity address
isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
ip local pool vpnpool 10.1.1.2-10.1.1.10
access-list split_tunnel standard permit 192.168.200.0 255.255.255.0
access-list split_tunnel standard permit 192.168.100.0 255.255.255.0
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
group-policy xxxxx internal
group-policy xxxxx attributes
dns value
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
username xxxxx password
username xxxxxx attributes
vpn-group-policy xxxx
username xxxxxx password
username xxxxxx attributes
vpn-group-policy xxxx
username xxxx password
username xxxx attributes
vpn-group-policy xxxx
tunnel-group xxxx type ipsec-ra
tunnel-group xxxx general-attributes
address-pool vpnpool
tunnel-group xxxx ipsec-attributes
pre-shared-key
access-list vpnra permit ip 192.168.200.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list vpnra permit ip 192.168.100.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list vpnra permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list vpnra
nat (dmz) 0 access-list vpnra
nat (management) 0 access-list vprna
crypto ipsec transform-set md5des esp-des esp-md5-hmac
crypto dynamic-map dynomap 10 set transform-set md5des
crypto map vpnpeer 20 ipsec-isakmp dynamic dynomap
crypto map vpnpeer interface outside
Any help would be much appreciatedit seems like you are missing a line:
management-access "interface"
http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/m_711.html#wp1631964 -
4150L - Works on web, but can not connect via VPN or Remote Desktop
Recently purchased a 4150L and installed the latest firmware. We have been able to access all public websites without any problems. But, when we try and access our customers computers via VPN (various types) or Remote Desktop, we can't connect. We can sign-in to VPN, but when we try and access the computer, it says "can't connect". Exact same message with Remote Desktop. We are able to connet when use a Verizon phone as a hotspot and from every other internet service that we have tried (i.e. hotels, starbucks, etc.) It appears it is an issue with the 4150L.
Verizon Tech Support has been no help!
All ideas are appreciated!
Thanks,
SkipSkip,
VPN traffic should be allowed through on the MiFi 4510L by default. I know I do not have any issues with mine on either the Cisco IPSec or Cisco SSL VPN Clients.
If Verizon DNS is interferring then perhaps you could try to connect to your VPN via a direct IP Address instead of a URL. Not sure what VPN client you have but there should be a No DNS option to connect if you know the correct IP. You could also try switching your DNS to one of the free ones such as the one offered by Google or any of the others.
VPN's carry alot of overhead on existing connections in my experience. Its not untypical to have a 3G connection cut in half when a VPN is applied. Try running a speed test to make sure your connection is atleast 1 MB on download before initiating a connection. If the performance of the MiFi is too poor in that area it may never be stable enough to support a connection. Feel free to post some Speedtest.net averages so we can see what you are working with.
Something to note about the MiFi 4510L is that it is on the SIM card network. That means that NAT is always going to be an issue and block your users from providing a truely public IP Address. Directly remoting to them through any means will be nearly impossible. -
I am not sure if this a right forum for this. I have some non-domain devices that are coming in to my network via VPN (VPN client). can someone tell me on how to deny these non-devices coming in to my network. Is their a configuration in the VPN concentrator to deny non-domain computers? please advise
Did u deploy IPSEC in ur VPN network?.If snot, u just deploy IP SEC on all the peers and the VPN server.
IPSEC is a 2 phase VPN security provider.This IPsec along with IKE provides double level security.
With this ipsec, we configure some security parameters like hostname or remote ip address , pre-shared key etc on both ends(server and peer).When a non-domain client tries to access ur VPN, the vpn server may authenticate the in coming client using either ip address or host name and it wil contact with a aaa server or its own database for validating the user.
If u r using an external server for validating the incoming users, u must go for aaa server externally.
For a complete detail of deploying vpn with ipsec,
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278c.html#wp1045493 -
Slow finder Browsing when accessing LAN via VPN connexion
I am running ML Server, latest upadte on a 2010 Mac Mini Server machine.
When I am connected to my network from a remote location via VPN, and I try to browse my LAN structure with Finder, it takes ages for the list of folders/files to appear and refresh.
I have checked my VPN configuration and tried different type (L2TP, PPTP) but nothing significantly differ in term of browsing speed.
I also appreciate that the network connection at the remote location, as well as the upload speed on my local network can influence the overwal browsing speed... but after several test, I confirm I have more than 3 Mbps bandwith for upload on the local network, and 20 Mbps minimum on the remote location.
I also tried AFP / SMB, but does not seem to change anything.
So, I guess I hope the Community has already experienced the issue and some of you guys may have found a workaround to this issue.
Many thanks.why not try cisco ipsec
Input the following settings:
Interface: VPN
VPN Type: Cisco IPSec
Service Name: This can be anything, I left the default.
Edit the new interface details as follows:
Server Address: cisco.vpntraffic.com or other country vpn such as Portugal VPN
Account Name: Your vpn account
Password: Your vpn password
How to setup Mac OS X Built-In Cisco VPN -
Transfer files from mac to company drives via VPN?
I have several files that I design/update on my mac which I want to write to a company network drive.
On my PC I go through the installed VPN (I have host address, passwords etc). I am new to mac's and wondered if a similar method is available?
Any step by step instructions would be very much appreciated.
Al
iMac 2006 Mac OS X (10.4.5)It depends on the VPN system being used by the office.
If it uses PPTP or L2TP, just open /Application/Utilities/Internet Connect and create a new VPN connection profile.
Fill in the blanks and click connect. With luck you'll be connected to the office network via VPN and can do whatever you would normally do while in the office.
If the office VPN uses IPSec as its VPN protocol, or doesn't work with the built-in client then you may need to install a separate VPN client. You should be able to get this from the network administrators, or you can try one of the third-party clients such as VPNTracker or DigiTunnel. -
Configure WRV200 to connect BEFVP41 via VPN
I'm currently having problem connecting WRV200 to BEFVP41 via VPN, wonder if someone can help, thanks!
(Key Not recognized)
BEFVP41:
Local Security Group: 192.168.2.0 / 255.255.255.0
Remote Security Group: 192.168.1.0 / 255.255.255.0
Remote Security Gateway: WAN IP address of WRV200
Encryption: 3DES
Authentication: SHA
Key Management: Auto (IKE)
PFS (Perfect Forward Secrecy) - checked
Pre-shared Key: XXXXXXX
Key Lifetime: 3600 seconds
WRV200:
Local Security Group: 192.168.1.0 / 255.255.255.0
Remote Security Group: 192.168.2.0 / 255.255.255.0
Remote Security Gateway: WAN IP address of BEFVP41
Key Exchange Method: Auto (IKE)
Operation Mode: Main
ISAKMP Encryption Method: 3DES
ISAKMP Authentication Method: SHA1
ISAKMP Key Lifetime (s): 3600
PFS: Enable
IPSec Encryption Method: 3DES
IPSec Authentication Method: SHA1
IPSec Key Lifetime(s): 3600
Pre-Shared Key: XXXXXXX
Dead Peer Detection - checked
Detection Delay(s): 30
Detection Timeout(s): 120
DPD Action: Recover Connection
Checked If IKE failed more than 5 times block this unauthorized IP for 60 seconds
Checked Anti-replayDisable the firewall & try to ping the Remote secure address .... let me know the results....
-
At my office I have an iMac 2013 with ARD client 3.7.1
At home I have an iMac 2013 with ARD 3.7.2
I would like to connect from my iMac at home to my office iMac via VPN (Cisco IPSec) and ARD.
According to my IT-department I'm behind the Firewall with a VPN connection, so they do not have to set any ports.
The connection to my office is made and I see my office iMac in the list (scanner).
Everything is also set right in system preferences and Remote Management is checked on my office iMac.
When I try to observe, curtain or control my office Imac it will not connect and after a while I get the message:
"Check if Screen Sharing is enabled". This is rather strange because with ARD Screen Sharing has to disabled.
When I try to send a file via ARD to my desktop on my office iMac, it is no problem and it arrive easily.
I also see what my current used program is, I can empty my trash bin, etc. etc. But cannot control, observe or curtain.
I also have a windows computer at my office and with same VPN connection and Microsoft Remote Desktop I can easily connect and control this computer from my Imac at home.
Is there anybody who could help me and have the solution so I can control/obersve/curtain my office iMac via VPN and ARD.
I'm searching for an answer on Internet for weeks now, but could not find a solution.I've got the exact same problem.
I have tried to kickstart ARD on the 10.4.11 (Mac OS Server).
Finder gets the "shared computers" icon available and says I can connect to the server with Screen Sharing. But it fails to connect when trying.
Have checked for old Keychains (and recreated them). -
VPN IPSEC - Contabilizar a utilização
Vocês saberiam me responder como faço para contabilizar o período de utilização de uma VPN IPSEC entre dois roteadores Cisco?
Antecipadamente grata,
AlineVocês saberiam me responder como faço para contabilizar o período de utilização de uma VPN IPSEC entre dois roteadores Cisco?
Antecipadamente grata,
Aline -
Unable to Access Company LAN via VPN
Hello,
I have a ASA 5505 that I have been using to test run the IPSec VPN connection after studying the different configs and running through the ASDM I keep getting the same issue that I can't receive any traffic.
The company LAN is on a 10.8.0.0 255.255.0.0 network, I have placed the VPN clients in 192.168.10.0 255.255.255.0 network, the 192 clients can't talk to the 10.8 network.
On the Cisco VPN client I can see lots of sent packets but none received.
I think it could be to do with the NAT but from the examples I have seen I believe it should work.
I have attached the complete running-config, as I could well have missed something.
Many Thanks for any help on this...
FWBKH(config)# show running-config
: Saved
ASA Version 8.2(2)
hostname FWBKH
domain-name test.local
enable password XXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXX encrypted
names
name 9.9.9.9 zscaler-uk-network
name 10.8.50.0 inside-network-it
name 10.8.112.0 inside-servers
name 17.7.9.10 fwbkh-out
name 10.8.127.200 fwbkh-in
name 192.168.10.0 bkh-vpn-pool
interface Vlan1
nameif inside
security-level 100
ip address fwbkh-in 255.255.0.0
interface Vlan2
nameif outside
security-level 0
ip address fwbkh-out 255.255.255.248
interface Vlan3
nameif vpn
security-level 100
ip address 192.168.10.1 255.255.255.0
interface Ethernet0/0
interface Ethernet0/1
switchport access vlan 2
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
banner login Trespassers will be Shot, Survivors will be Prosecuted!!!!
banner motd Trespassers will be Shot, Survivors will be Prosecuted!!!!
banner asdm Trespassers will be Shot, Survivors will be Prosecuted!!!!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name test.local
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_UDP_1 udp
port-object eq 4500
port-object eq isakmp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object udp
access-list inside_access_in extended permit tcp 10.8.0.0 255.255.0.0 any object-group DM_INLINE_TCP_2 log warnings inactive
access-list inside_access_in extended permit ip inside-network-it 255.255.255.0 any inactive
access-list inside_access_in extended permit tcp 10.8.0.0 255.255.0.0 host zscaler-uk-network eq www
access-list inside_access_in extended permit ip inside-servers 255.255.255.0 any log warnings
access-list USER-ACL extended permit tcp 10.8.0.0 255.255.0.0 any eq www
access-list USER-ACL extended permit tcp 10.8.0.0 255.255.0.0 any eq https
access-list outside_nat0_outbound extended permit ip bkh-vpn-pool 255.255.255.0 10.8.0.0 255.255.0.0
access-list outside_access_in extended permit udp any host fwbkh-out object-group DM_INLINE_UDP_1 log errors inactive
access-list inside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_1 10.8.0.0 255.255.0.0 any
access-list inside_nat0_outbound_1 extended permit ip 10.8.0.0 255.255.0.0 bkh-vpn-pool 255.255.255.0
access-list UK-VPN-USERS_splitTunnel extended permit ip 10.8.0.0 255.255.0.0 bkh-vpn-pool 255.255.255.0
access-list UK-VPN-USERS_splitTunnel extended permit ip inside-servers 255.255.255.0 bkh-vpn-pool 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu vpn 1500
ip local pool UK-VPN-POOL 192.168.10.10-192.168.10.60 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat-control
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 10.8.0.0 255.255.0.0 dns
nat (outside) 0 access-list outside_nat0_outbound outside
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 17.7.9.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.8.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint BKHFW
enrollment self
subject-name CN=FWBKH
crl configure
crypto ca certificate chain BKHFW
certificate fc968750
308201dd 30820146 a0030201 020204fc 96875030 0d06092a 864886f7 0d010105
05003033 310e300c 06035504 03130546 57424b48 3121301f 06092a86 4886f70d
ccc6f3cb 977029d5 df42515f d35c0d96 798350bf 7472725c fb8cd64d 514dc9cb
7f05ffb9 b3336388 d55576cc a3d308e1 88e14c1e 8bcb13e5 c58225ff 67144c53 f2
quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.8.0.0 255.255.0.0 inside
ssh timeout 30
ssh version 2
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy UK-VPN-USERS internal
group-policy UK-VPN-USERS attributes
dns-server value 10.8.112.1 10.8.112.2
vpn-tunnel-protocol IPSec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value UK-VPN-USERS_splitTunnel
default-domain value test.local
address-pools value UK-VPN-POOL
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol webvpn
username admin password XXXXXXXXXXXXXXXXX encrypted privilege 15
username karl password XXXXXXXXXXXXXXX encrypted privilege 15
tunnel-group UK-VPN-USERS type remote-access
tunnel-group UK-VPN-USERS general-attributes
address-pool UK-VPN-POOL
default-group-policy UK-VPN-USERS
tunnel-group UK-VPN-USERS ipsec-attributes
pre-shared-key *****
tunnel-group IT-VPN type remote-access
tunnel-group IT-VPN general-attributes
address-pool UK-VPN-POOL
default-group-policy UK-VPN-USERS
tunnel-group IT-VPN ipsec-attributes
pre-shared-key *****
class-map ALLOW-USER-CLASS
match access-list USER-ACL
class-map type inspect http match-all ALLOW-URL-CLASS
match not request header from regex ALLOW-ZSGATEWAY
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map type inspect http ALLOW-URL-POLICY
parameters
class ALLOW-URL-CLASS
drop-connection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
policy-map ALLOW-USER-URL-POLICY
class ALLOW-USER-CLASS
inspect http
service-policy global_policy global
service-policy ALLOW-USER-URL-POLICY interface inside
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:00725d3158adc23e6a2664addb24fce1
: endHi Karl,
Please make the following changes:
ip local pool VPN_POOL_UK_USERS 192.168.254.1-192.168.254.254
access-list inside_nat0_outbound_1 extended permit ip 10.8.0.0 255.255.0.0 192.168.254.0 255.255.255.0
no nat (outside) 0 access-list outside_nat0_outbound outside
access-list UK-VPN-USERS_SPLIT permit 10.8.0.0 255.255.0.0
group-policy UK-VPN-USERS attributes
split-tunnel-network-list value UK-VPN-USERS_SPLIT
no access-list UK-VPN-USERS_splitTunnel extended permit ip 10.8.0.0 255.255.0.0 bkh-vpn-pool 255.255.255.0
no access-list UK-VPN-USERS_splitTunnel extended permit ip inside-servers 255.255.255.0 bkh-vpn-pool 255.255.255.0
access-list inside_access_in extended permit ip 10.8.0.0 255.255.255.0 192.168.254.0 255.255.255.0
management-access inside
As you can see, I did create a new pool, since you already have an interface in the 192.168.10.0/24 network, which does affect the VPN clients.
Once you are done, connect the client and try:
ping 10.8.127.200
Does it work?
Try to ping other internal IPs as well.
Let me know how it goes.
Portu.
Please rate any helpful posts
Message was edited by: Javier Portuguez -
Remote Access VPN (ipsec) can ping LAN interface of firewall but not clients on the company network.
The VPN will connect.
I can ping and connect to the ASA 5510 on it's LAN interface.
My problem is that I cannot ping or access anything on the LAN past the firewall. What am I doing wrong?
Here is my config.
Result of the command: "show config"
: Saved
: Written by enable_15 at 22:55:02.299 UTC Tue Jan 10 2012
ASA Version 8.2(5)
hostname ********
enable password UbBnTPKwu27ohfYB encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.x x.x.x.x
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.0.4.1 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network BC
network-object 10.0.3.0 255.255.255.0
network-object 10.0.4.0 255.255.255.0
access-list outside_access_in extended permit tcp any any eq ssh
access-list outside_access_in extended permit tcp any any eq 50000
access-list outside_access_in extended permit tcp any any eq 3390
access-list outside_access_in extended permit tcp any any eq 8066
access-list outside_access_in extended permit tcp any any eq 22225
access-list outside_access_in extended permit tcp any any eq 1600
access-list outside_access_in extended permit tcp any any eq 37260
access-list outside_access_in extended permit tcp any any eq 37261
access-list outside_access_in extended permit tcp any any eq 37262
access-list outside_access_in extended permit tcp any any eq 37263
access-list outside_access_in extended permit tcp any any eq 37264
access-list outside_access_in extended permit tcp any any eq 1435
access-list outside_access_in extended permit tcp any any eq 250
access-list outside_access_in extended permit tcp any any eq citrix-ica
access-list outside_access_in extended permit tcp any any eq 8080
access-list outside_access_in extended permit tcp any any eq www
access-list outside_access_in extended permit tcp any any eq 85
access-list outside_access_in extended permit tcp any any eq 8069
access-list outside_access_in extended permit tcp any any eq 3389
access-list outside_access_in extended permit tcp any any eq 23032
access-list outside_access_in extended permit tcp any any eq 32023
access-list outside_access_in extended permit tcp any any eq 3399
access-list outside_access_in extended permit udp any any eq 250
access-list outside_access_in extended permit udp any any eq 5008
access-list outside_access_in extended permit icmp any any
access-list splittunn-ppso extended permit ip 10.0.4.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list splittunn-ppso extended permit ip 10.0.3.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip 10.0.4.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip 10.0.3.0 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpn-pool 10.10.10.1-10.10.10.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 0 access-list nonat
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 50000 10.0.4.58 50000 netmask 255.255.255.255
static (inside,outside) tcp interface ssh 10.0.4.7 ssh netmask 255.255.255.255
static (inside,outside) tcp interface 3390 10.0.3.249 3390 netmask 255.255.255.255
static (inside,outside) tcp interface 8066 10.0.3.249 8066 netmask 255.255.255.255
static (inside,outside) tcp interface 22225 10.0.4.58 22225 netmask 255.255.255.255
static (inside,outside) tcp interface 1600 10.0.4.58 1600 netmask 255.255.255.255
static (inside,outside) tcp interface 37260 10.0.4.58 37260 netmask 255.255.255.255
static (inside,outside) tcp interface 37261 10.0.4.58 37261 netmask 255.255.255.255
static (inside,outside) tcp interface 37262 10.0.4.58 37262 netmask 255.255.255.255
static (inside,outside) tcp interface 37263 10.0.4.58 37263 netmask 255.255.255.255
static (inside,outside) tcp interface 37264 10.0.4.58 37264 netmask 255.255.255.255
static (inside,outside) tcp interface 1433 10.0.4.240 1433 netmask 255.255.255.255
static (inside,outside) udp interface 5008 10.0.4.240 5008 netmask 255.255.255.255
static (inside,outside) udp interface 249 10.0.4.240 249 netmask 255.255.255.255
static (inside,outside) tcp interface 250 10.0.4.240 250 netmask 255.255.255.255
static (inside,outside) tcp interface www 10.0.4.15 www netmask 255.255.255.255
static (inside,outside) tcp interface citrix-ica 10.0.4.15 citrix-ica netmask 255.255.255.255
static (inside,outside) tcp interface 8080 10.0.4.15 8080 netmask 255.255.255.255
static (inside,outside) tcp interface 85 10.0.4.15 85 netmask 255.255.255.255
static (inside,outside) tcp interface 8069 10.0.4.236 8069 netmask 255.255.255.255
static (inside,outside) tcp interface 3399 10.0.4.236 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 23032 10.0.4.244 23032 netmask 255.255.255.255
static (inside,outside) tcp interface 32023 10.0.4.244 32023 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 10.0.3.0 255.255.255.0 10.0.4.205 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 management
http x.x.x.x x.x.x.x outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130
0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117
30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504
0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56
65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043
65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
30303230 38303030 3030305a 170d3230 30323037 32333539 35395a30 81b5310b
30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
496e632e 311f301d 06035504 0b131656 65726953 69676e20 54727573 74204e65
74776f72 6b313b30 39060355 040b1332 5465726d 73206f66 20757365 20617420
68747470 733a2f2f 7777772e 76657269 7369676e 2e636f6d 2f727061 20286329
3130312f 302d0603 55040313 26566572 69536967 6e20436c 61737320 33205365
63757265 20536572 76657220 4341202d 20473330 82012230 0d06092a 864886f7
0d010101 05000382 010f0030 82010a02 82010100 b187841f c20c45f5 bcab2597
a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10
9c688b2e 957b899b 13cae234 34c1f35b f3497b62 83488174 d188786c 0253f9bc
7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b
15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845
63cd1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8
18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced
4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f
81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 02030100 01a38201 df308201
db303406 082b0601 05050701 01042830 26302406 082b0601 05050730 01861868
7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1d130101
ff040830 060101ff 02010030 70060355 1d200469 30673065 060b6086 480186f8
45010717 03305630 2806082b 06010505 07020116 1c687474 70733a2f 2f777777
2e766572 69736967 6e2e636f 6d2f6370 73302a06 082b0601 05050702 02301e1a
1c687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406
03551d1f 042d302b 3029a027 a0258623 68747470 3a2f2f63 726c2e76 65726973
69676e2e 636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403
02010630 6d06082b 06010505 07010c04 61305fa1 5da05b30 59305730 55160969
6d616765 2f676966 3021301f 30070605 2b0e0302 1a04148f e5d31a86 ac8d8e6b
c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973
69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30
1b311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301d0603
551d0e04 1604140d 445c1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355
1d230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300d0609
2a864886 f70d0101 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80
4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e
b2227055 d9203340 3307c265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a
6decd018 7d494aca 99c71928 a2bed877 24f78526 866d8705 404167d1 273aeddc
481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16
b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0
5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8
6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
6c2527b9 deb78458 c61f381e a4c4cb66
quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet x.x.x.x 255.255.255.255 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 management
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
group-policy ppso internal
group-policy ppso attributes
dns-server value 10.0.4.241 10.0.4.14
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunn-ppso
default-domain value ppso.local
split-dns value ppso.local
address-pools value vpn-pool
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
address-pool vpn-pool
default-group-policy VPN
tunnel-group VPN ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:88a9b69fc3d718c3badfa99db2c7ce4fYeah, I figured out where my problem was.
My IP Local Pool range was the problem.
I was using 10.10.10.0 which conflicted with a point-to-point connection where the serial interfaces were numbered and using 10.10.10.1 and 10.10.10.2.
Traffic would leave the firewall, hit the intended host, go back through my core router, then off to the other network.
I changed my ip local pool to a different range (192.168.100.0) and my problem was solved.
Maybe you are looking for
-
OEID issues in upgradation from 3.0 to 3.1
Hi All, I am trying to upgrade to Endeca 3.1 from Endeca 3.0 but I am facing below issues. When I am trying to run install.sh for integrator ETL with eclipse-java-indigo-SR2-linux-gtk-x86_64.tar.gz I am facing below issue: [abindal@indl72020 EID_3
-
Hi, I try to build my application using Ant. Here is the fragment from build.xml: <java jar="${flex.mxmlc.jar}" fork="true"> <arg line="-file-specs ${src.dir}/${app.name}.mxml"/> <arg line="-load-config ${flex.dist.config}"/> </java> When I run this,
-
Where can I get the sample layout pages that were in the older CS Dreamweaver?
Where can I get the sample layout pages that were in the older CS Dreamweaver. You normally find them when you press "More" on the start screen and you see it on the "layout" section. On the CC version you only get 2 out of the 20 that you used to ge
-
Why does the new version 5 of firefox show up all the graphics on my web sites with a huge wide black border? They should be narrow and yellow!! I use iWeb for my web sites on an AppleMac iMac 22" wide screen.
-
Best settings for FCE4 for Canon HF100
Hey all, Looking at editing some footage in FCE4 with my Canon HF100. Am wondering what the best settings are to have my FCE4 at from the get-go. Importing with a SanDisk MicroMate. DV-NTSC? AIC? What should I have it set as? I read FCE4 only support