Can not ping internal network from ASA
I can not ping an internal computer from the ASA. The computer's IP address is 192.168.187.15 and its gateway is 192.168.187.14, which is the ASA internal interface. I've got an IP phone connected to the same ASA with IP address 192.168.185.15 and internal ASA interface 192.168.185.14, and everything works fine. We are doing testing, so do not be surprised by the configuration.
ASA Version 8.2(1)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
interface GigabitEthernet0/0
nameif ouside3
security-level 0
ip address 10.254.17.25 255.255.255.248
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 10.254.17.9 255.255.255.248
interface GigabitEthernet0/2
nameif Lan
security-level 100
ip address 192.168.185.14 255.255.255.0
interface GigabitEthernet0/3
nameif comp
security-level 50
ip address 192.168.187.14 255.255.255.0
interface Management0/0
nameif management
security-level 100
no ip address
management-only
boot system disk0:/asa821-k8.bin
ftp mode passive
access-list 110 extended permit ip any any
access-list nat extended permit ip any any
access-list allow_ping extended permit icmp any any echo-reply
access-list allow_ping extended permit icmp any any source-quench
access-list allow_ping extended permit icmp any any unreachable
access-list allow_ping extended permit icmp any any time-exceeded
access-list allow_ping extended permit udp any any eq isakmp
access-list allow_ping extended permit esp any any
access-list allow_ping extended permit ah any any
access-list allow_ping extended permit gre any any
access-list nonat extended permit ip any any
access-list nat2 extended permit ip any any
access-list nonat2 extended permit ip any any
pager lines 24
logging asdm informational
mtu ouside3 1500
mtu outside 1500
mtu Lan 1500
mtu comp 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (Lan) 0 access-list nonat
nat (Lan) 1 access-list nat
nat (comp) 0 access-list nonat
nat (comp) 1 access-list nat
access-group allow_ping in interface outside
router eigrp 2008
neighbor 10.254.17.10 interface outside
network 10.254.17.8 255.255.255.248
network 192.168.185.0 255.255.255.0
network 192.168.187.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.254.17.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map mymap 10 match address 110
crypto map mymap 10 set peer 10.254.17.10
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
crypto map mymap2 20 match address 110
crypto map mymap2 20 set peer 10.254.17.18
crypto map mymap2 20 set transform-set myset
crypto map mymap2 interface comp
crypto map mymap3 30 match address 110
crypto map mymap3 30 set peer 10.254.17.26
crypto map mymap3 30 set transform-set myset
crypto map mymap3 interface ouside3
crypto isakmp identity address
crypto isakmp enable ouside3
crypto isakmp enable outside
crypto isakmp enable comp
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
priority-queue outside
threat-detection basic-threat
This is what I get, looks like ASA does not reply. Why?
ciscoasa# sh capture cpi
5 packets captured
1: 05:20:14.494908 192.168.187.15 > 192.168.187.14: icmp: echo request
2: 05:20:19.526935 192.168.187.15 > 192.168.187.14: icmp: echo request
3: 05:20:25.026320 192.168.187.15 > 192.168.187.14: icmp: echo request
4: 05:20:30.525699 192.168.187.15 > 192.168.187.14: icmp: echo request
5: 05:20:36.025084 192.168.187.15 > 192.168.187.14: icmp: echo request
Similar Messages
-
Can't access internal network from VPN using PIX 506E
Hello,
I seem to be having an issue with my PIX configuration. I can ping the VPN client from the internal network, but cannot access any resources from the VPN client. My running configuration is as follows:
Building configuration...
: Saved
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password N/JZnmeC2l5j3YTN encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname SwantonFw2
domain-name *****.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit icmp any any
access-list allow_ping permit icmp any any echo-reply
access-list allow_ping permit icmp any any unreachable
access-list allow_ping permit icmp any any time-exceeded
access-list INSIDE-IN permit tcp interface inside interface outside
access-list INSIDE-IN permit udp any any eq domain
access-list INSIDE-IN permit tcp any any eq www
access-list INSIDE-IN permit tcp any any eq ftp
access-list INSIDE-IN permit icmp any any echo
access-list INSIDE-IN permit tcp any any eq https
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.240.0 255.255.255.0
access-list swanton_splitTunnelAcl permit ip any any
access-list outside_cryptomap_dyn_20 permit ip any 192.168.240.0 255.255.255.0
no pager
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.150 255.255.255.0
ip address inside 192.168.0.35 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN_Pool 192.168.240.1-192.168.240.254
pdm location 0.0.0.0 255.255.255.0 outside
pdm location 192.168.1.26 255.255.255.255 outside
pdm location 192.168.240.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
access-group outside_access_in in interface outside
access-group INSIDE-IN in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup swanton address-pool VPN_Pool
vpngroup swanton dns-server 192.168.1.1
vpngroup swanton split-tunnel swanton_splitTunnelAcl
vpngroup swanton idle-time 1800
vpngroup swanton password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.36-192.168.0.254 inside
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username scott password hwDnqhIenLiwIr9B encrypted privilege 15
username norm password ET3skotcnISwb3MV encrypted privilege 2
username tarmbrecht password Zre8euXN6HxXaSdE encrypted privilege 2
username jlillevik password 9JMTvNZm3dLhQM/W encrypted privilege 2
username ruralogic password 49ikl05C8VE6k1jG encrypted privilege 15
username bzeiter password 1XjpdpkwnSENzfQ0 encrypted privilege 2
username mwalla password l5frk9obrNMGOiOD encrypted privilege 2
username heavyfab1 password 6.yy0ys7BifWsa9k encrypted privilege 2
username heavyfab3 password 6.yy0ys7BifWsa9k encrypted privilege 2
username heavyfab2 password 6.yy0ys7BifWsa9k encrypted privilege 2
username djet password wj13fSF4BPQzUzB8 encrypted privilege 2
username cmorgan password y/NeUfNKehh/Vzj6 encrypted privilege 2
username cmayfield password Pe/felGx7VQ3I7ls encrypted privilege 2
username jeffg password zQEQceRITRrO4wJa encrypted privilege 2
terminal width 80
Cryptochecksum:9005f35a85fa5fe31dab579bbb1428c8
: end
[OK]
Any help will be greatly appreciated
Bj,
Are you trying to access network resources behind the inside interface?
ip address inside 192.168.0.35 255.255.255.0
If so, please make the following changes:
1- access-list SWANTON_VPN_SPLIT permit ip 192.168.0.0 255.255.255.0 192.168.240.0 255.255.255.0
2- no vpngroup swanton split-tunnel swanton_splitTunnelAcl
vpngroup swanton split-tunnel SWANTON_VPN_SPLIT
3- no access-list outside_cryptomap_dyn_20 permit ip any 192.168.240.0 255.255.255.0
4- isakmp nat-traversal 30
Let me know how it goes.
Portu.
Please rate any helpful posts -
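Added example (not part of the original thread): a Python check of what steps 1 and 2 of the reply change, run over a constructed excerpt of the posted PIX 6.3 configuration. It assumes, as in the reply's ACL, that a split-tunnel entry should name the inside network as source and cover the VPN pool as destination; `take_addr` and `audit_split_tunnel` are hypothetical names.

```python
import ipaddress

# Constructed sample: the relevant lines of the posted PIX 6.3 configuration.
COMMON = """\
ip address inside 192.168.0.35 255.255.255.0
ip local pool VPN_Pool 192.168.240.1-192.168.240.254
vpngroup swanton address-pool VPN_Pool
"""
POSTED = COMMON + """\
access-list swanton_splitTunnelAcl permit ip any any
vpngroup swanton split-tunnel swanton_splitTunnelAcl
"""
# The same lines after steps 1 and 2 of the reply.
REVISED = COMMON + """\
access-list SWANTON_VPN_SPLIT permit ip 192.168.0.0 255.255.255.0 192.168.240.0 255.255.255.0
vpngroup swanton split-tunnel SWANTON_VPN_SPLIT
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def take_addr(tokens):
    """Consume one PIX address spec (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def audit_split_tunnel(config):
    """Return findings for split-tunnel ACL entries that do not fit inside -> pool."""
    inside, pools, acls, groups = None, {}, {}, {}
    for t in (raw.split() for raw in config.splitlines()):
        if t[:3] == ["ip", "address", "inside"]:
            inside = ipaddress.ip_interface(f"{t[3]}/{t[4]}").network
        elif t[:3] == ["ip", "local", "pool"]:
            first, last = t[4].split("-")
            pools[t[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            # Only "permit ip" entries are kept; that is the form split-tunnel ACLs use here.
            acls.setdefault(t[1], []).append(t[4:])
        elif t[:1] == ["vpngroup"] and len(t) == 4:
            groups.setdefault(t[1], {})[t[2]] = t[3]
    if inside is None:
        raise ValueError("no 'ip address inside' line found")

    findings = []
    for group, attrs in groups.items():
        acl = attrs.get("split-tunnel")
        pool = pools.get(attrs.get("address-pool"))
        for entry in acls.get(acl, []):
            src, rest = take_addr(entry)
            dst, _ = take_addr(rest)
            if not src.subnet_of(inside):
                findings.append((group, acl, "source not within inside network", str(src)))
            if pool and not (pool[0] in dst and pool[1] in dst):
                findings.append((group, acl, "destination does not cover pool", str(dst)))
    return findings


if __name__ == "__main__":
    print("posted: ", audit_split_tunnel(POSTED))
    print("revised:", audit_split_tunnel(REVISED))
```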
Can not ping oracle linux vm in Virtual Box from my host
Hi
I have set up Oracle Linux 7 on VirtualBox including vboxadditions.
But I can not ping this machine from outside (it works for my other VM, OEL 5.8).
I did systemctl stop filewall.service
Here is my network configuration inside my OEL7 VM:
/etc/sysconfig/network-scripts/ifcfg-enp0s8
TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=no
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
NAME=public
UUID=388ee413-55e9-45e1-be1d-4f5eedc402f3
ONBOOT=yes
IPADDR0=10.20.50.101
PREFIX0=24
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
HWADDR=08:00:27:5F:87:91
Can anyone help?
Thanks
Peter Schlaeger
Hi,
Before discussing the network configuration of Oracle Linux 7 (by the way, it seems correct), let's talk about the VirtualBox network configuration. The network adapter of your VM can be attached to {NAT, Bridged Adapter, Internal Network, Host-only Adapter, ...}; what is the adapter attached to your NIC?
Make sure the network adapter is the same as your other VM (OL 5.8).
Best regards -
Extend Wireless Network using a Telstra Technicolor Gateway wireless router to AirPort Extreme, but AirPort will only accept "join a wireless network" (which it does), not "extend a wireless network" (LED turns yellow and I can not get a network working on the AirPort Extreme Ethernet ports, but can ping AirPort Extreme from the Technicolor router).
Airport gets its address by DHCP. Funny how I can ping the Extreme but the hard Ethernet ports don't seem to work correctly.
When the AirPort Extreme is configured to "Join" a wireless network, the Ethernet ports are not enabled.
Oddly, the AirPort Express has a special feature that will allow it to "Join" virtually any wireless network.....and the Ethernet port can be enabled. So, an Express would work for your purpose to provide an Ethernet connection to the media player. This assumes that the Express is located where it can receive a strong wireless signal from your main router.
Note that the Express will not provide any additional wireless coverage when it "Joins". -
Hi!
I wish someone can help me on this, I'm a new guy on cisco firewalls and I'm currently implementing cisco asa 5512x, here are the details:
ISP -> Firewall -> Core switch -> Internal LAN
after installing the cisco asa and terminating the appropriate lan for the outside and inside interfaces, internet seems intermittent and cisco vpn client can connect with internet connection but can't ping internal LAN.
here's my configuration from my firewall.
ASA Version 8.6(1)2
hostname ciscofirewall
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 203.x.x.x 255.255.255.0
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.152.11.15 255.255.255.0
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 4.2.2.2 -------> public DNS
name-server 8.8.8.8 -------> public
name-server 203.x.x.x ----> Clients DNS
name-server 203.x.x.x -----> Clients DNS
same-security-traffic permit intra-interface
object network net_access
subnet 10.0.0.0 255.0.0.0
object network citrix_server
host 10.152.11.21
object network NETWORK_OBJ_10.10.10.0_28
subnet 10.10.10.0 255.255.255.240
object network NETWORK_OBJ_10.0.0.0_8
subnet 10.0.0.0 255.0.0.0
object network InterconHotel
subnet 10.152.11.0 255.255.255.0
access-list net_surf extended permit ip any any
access-list net_surf extended permit ip object NETWORK_OBJ_10.10.10.0_28 object InterconHotel
access-list outside_access extended permit tcp any object citrix_server eq www
access-list outside_access extended permit ip object NETWORK_OBJ_10.10.10.0_28 any
access-list outsidevpn_splitTunnelAcl standard permit 10.152.11.0 255.255.255.0
access-list LAN_Users remark LAN_clients
access-list LAN_Users standard permit any
access-list vpnpool extended permit ip 10.10.10.0 255.255.255.248 any
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
ip local pool vpnpool 10.10.10.1-10.10.10.6 mask 255.255.255.248
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 no-proxy-arp route-lookup
object network net_access
nat (inside,outside) dynamic interface
object network citrix_server
nat (inside,outside) static 203.177.18.234 service tcp www www
object network NETWORK_OBJ_10.10.10.0_28
nat (any,outside) dynamic interface
object network InterconHotel
nat (inside,outside) dynamic interface dns
access-group outside_access in interface outside
access-group net_surf out interface outside
route outside 0.0.0.0 0.0.0.0 203.x.x.x 1
route outside 10.10.10.0 255.255.255.248 10.152.11.15 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.100 255.255.255.255 inside
http 10.10.10.0 255.255.255.240 outside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
client-update enable
telnet 10.152.11.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
enable outside
anyconnect-essentials
group-policy outsidevpn internal
group-policy outsidevpn attributes
dns-server value 203.x.x.x 203.x.x.x
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client
split-tunnel-policy tunnelall
split-tunnel-network-list value outsidevpn_splitTunnelAcl
default-domain value interconti.com
address-pools value vpnpool
username test1 password i1lji/GiOWB67bAs encrypted privilege 5
username test1 attributes
vpn-group-policy outsidevpn
username mnlha password WlzjmENGEEZmT9LA encrypted
username mnlha attributes
vpn-group-policy outsidevpn
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group outsidevpn type remote-access
tunnel-group outsidevpn general-attributes
address-pool (inside) vpnpool
address-pool vpnpool
authentication-server-group (outside) LOCAL
default-group-policy outsidevpn
tunnel-group outsidevpn ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect http
inspect ipsec-pass-thru
class class-default
user-statistics accounting
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:edc30dda08e5800fc35b72dd6e1d88d7
: end
thanks. please help.
I think you should change your nat-exemption rule to something more general, like
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 no-proxy-arp route-lookup
'cause your inside networks are not the same as your vpn-pool subnet.
Plus, if you're trying to reach inside subnets different from 10.152.11.0 255.255.255.0 (the subnet from which an IP is assigned to your inside interface, and for which the above NAT exception should be enough), you should check whether routing is configured from those subnets to your vpn-pool subnet through the ASA. -
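Added example (not part of the original thread): a Python check of the reply's point that the posted identity NAT rule takes the VPN pool object as its source, so traffic from the inside subnet toward the pool never matches it. It parses a constructed excerpt of the posted ASA configuration; `parse`, `is_exempt` and `audit` are hypothetical names.

```python
import ipaddress
import re

# Constructed sample: lines taken from the configuration posted in this thread.
BASE = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 203.x.x.x 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 ip address 10.152.11.15 255.255.255.0
object network NETWORK_OBJ_10.10.10.0_28
 subnet 10.10.10.0 255.255.255.240
object network InterconHotel
 subnet 10.152.11.0 255.255.255.0
ip local pool vpnpool 10.10.10.1-10.10.10.6 mask 255.255.255.248
"""
POOL_OBJ = "NETWORK_OBJ_10.10.10.0_28"
TAIL = f"destination static {POOL_OBJ} {POOL_OBJ} no-proxy-arp route-lookup\n"
POSTED = BASE + f"nat (inside,outside) source static {POOL_OBJ} {POOL_OBJ} " + TAIL
SUGGESTED = BASE + "nat (inside,outside) source static any any " + TAIL

ANY = ipaddress.ip_network("0.0.0.0/0")
NAT_RE = re.compile(r"nat \((\S+?),\S+?\) source static (\S+) (\S+) "
                    r"destination static (\S+) (\S+)")


def parse(config):
    """Extract interface subnets, network objects, VPN pools and identity NAT rules."""
    ifaces, objects, pools, rules = {}, {}, {}, []
    nameif = obj = None
    for line in (raw.strip() for raw in config.splitlines()):
        words = line.split()
        if line.startswith("interface "):
            nameif = obj = None
        elif line.startswith("nameif "):
            nameif = words[1]
        elif line.startswith("object network "):
            obj, nameif = words[2], None
        elif line.startswith("ip address ") and nameif and len(words) >= 4:
            try:
                ifaces[nameif] = ipaddress.ip_interface(f"{words[2]}/{words[3]}").network
            except ValueError:
                pass  # address masked in the post (e.g. 203.x.x.x)
        elif line.startswith("subnet ") and obj and len(words) >= 3:
            objects[obj] = ipaddress.ip_network(f"{words[1]}/{words[2]}")
        elif line.startswith("host ") and obj:
            objects[obj] = ipaddress.ip_network(words[1])
        elif line.startswith("ip local pool ") and "mask" in words:
            first = words[4].split("-")[0]
            mask = words[words.index("mask") + 1]
            pools[words[3]] = ipaddress.ip_interface(f"{first}/{mask}").network
        else:
            m = NAT_RE.match(line)
            # Identity NAT (exemption): real and mapped objects are the same.
            if m and m.group(2) == m.group(3) and m.group(4) == m.group(5):
                rules.append((m.group(1), m.group(2), m.group(4)))
    return ifaces, objects, pools, rules


def is_exempt(parsed, ingress, src_net, dst_net):
    """True if an identity NAT rule on `ingress` covers traffic src_net -> dst_net."""
    _, objects, _, rules = parsed
    for rule_if, src_name, dst_name in rules:
        src = ANY if src_name == "any" else objects.get(src_name)
        dst = ANY if dst_name == "any" else objects.get(dst_name)
        if rule_if not in (ingress, "any") or src is None or dst is None:
            continue
        if src_net.subnet_of(src) and dst_net.subnet_of(dst):
            return True
    return False


def audit(config, ingress="inside", pool="vpnpool"):
    """Report whether hosts on the ingress interface's subnet are exempt toward the pool."""
    parsed = parse(config)
    inside_net, pool_net = parsed[0][ingress], parsed[2][pool]
    return {"inside": str(inside_net), "pool": str(pool_net),
            "exempt": is_exempt(parsed, ingress, inside_net, pool_net)}


if __name__ == "__main__":
    print("posted:   ", audit(POSTED))
    print("suggested:", audit(SUGGESTED))
```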
Can not ping between remote vpn site ???
site A is l2l vpn, site B is network-extend vpn, both connect to same vpn device 5510 at central office and work well. I can ping from central office to both remote sites, But i can not ping between these two vpn sites ? Tried debug icmp, i can see the icmp from side A does reach central office but then disappeared! not sending to side B ?? Please help ...
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network SITE-A
network-object 192.168.42.0 255.255.255.0
object-group network SITE-B
network-object 192.168.46.0 255.255.255.0
access-list OUTSIDE extended permit icmp any any
access-list HOLT-VPN-ACL extended permit ip object-group CBO-NET object-group SITE-A
nat (outside,outside) source static SITE-A SITE-A destination static SITE-B SITE-B
crypto map VPN-MAP 50 match address HOLT-VPN-ACL
crypto map VPN-MAP 50 set peer *.*.56.250
crypto map VPN-MAP 50 set ikev1 transform-set AES-256-SHA
crypto map VPN-MAP interface outside
group-policy REMOTE-NETEXTENSION internal
group-policy REMOTE-NETEXTENSION attributes
dns-server value *.*.*.*
vpn-idle-timeout none
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value REMOTE-NET2
default-domain value *.org
nem enable
tunnel-group REMOTE-NETEXTENSION type remote-access
tunnel-group REMOTE-NETEXTENSION general-attributes
authentication-server-group (inside) LOCAL
default-group-policy REMOTE-NETEXTENSION
tunnel-group REMOTE-NETEXTENSION ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group *.*.56.250 type ipsec-l2l
tunnel-group *.*.56.250 ipsec-attributes
ikev1 pre-shared-key *****
ASA-5510# show route | include 192.168.42
S 192.168.42.0 255.255.255.0 [1/0] via *.*.80.1, outside
ASA-5510# show route | include 192.168.46
S 192.168.46.0 255.255.255.0 [1/0] via *.*.80.1, outside
ASA-5510#
Username : layson-ne Index : 10
Assigned IP : 192.168.46.0 Public IP : *.*.65.201
Protocol : IKEv1 IPsecOverNatT
License : Other VPN
Encryption : 3DES Hashing : SHA1
Bytes Tx : 11667685 Bytes Rx : 1604235
Group Policy : REMOTE-NETEXTENSION Tunnel Group : REMOTE-NETEXTENSION
Login Time : 08:19:12 EST Thu Feb 12 2015
Duration : 6h:53m:29s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
ASA-5510# show vpn-sessiondb l2l
Session Type: LAN-to-LAN
Connection : *.*.56.250
Index : 6 IP Addr : *.*.56.250
Protocol : IKEv1 IPsec
Encryption : 3DES AES256 Hashing : SHA1
Bytes Tx : 2931026707 Bytes Rx : 256715895
Login Time : 02:02:41 EST Thu Feb 12 2015
Duration : 13h:10m:03s
Hi Rico,
You need to dynamic-nat (to an available IP address) on both sides for each remote subset to access the other remote side's subnet, so they can access each other's subnet as if both were originating the traffic from your central location.
example:
Let's say this IP (10.10.10.254) is an unused IP at the central office, permitted to access remote tunnel "A" and site "B".
object-group network SITE-A
network-object 192.168.42.0 255.255.255.0
object-group network SITE-B
network-object 192.168.46.0 255.255.255.0
nat (outside,outside) source dynamic SITE-A 10.10.10.254 destination static SITE-B SITE-B
nat (outside,outside) source dynamic SITE-B 10.10.10.254 destination static SITE-A SITE-A
Hope this helps
Thanks
Rizwan Rafeek -
Can not ping one of the IP in DMZ3(VLAN4) but can ping IP in DMZ2(VLAN2)
Any expert advise please.
There are three DMZ in datacentre firewall (5510)..dmz1 and 2 and 3
Here is the thing between Data centre and our office network.(firewall 5510)
I logged in one of our machine Domaincontroller (10.102.28.53) in office network I can ping IP: 10.1.2.52 (VLAN2-DMZ2) in datacentre.
I can not ping 192.168.4.230 (vlan4 dmz3) in datacentre from this machine 10.102.28.53
Thanks.
Make sure that the firmware version of your router is the updated one. It should be firmware version 1.50.9. You can go to www.linksys.com/download and look for wrt54gs v6 --> click downloads for this product --> click firmware --> click download firmware and save it on your desktop... You can also go to linksys.com/kb and search for upgrade firmware and it will give you the steps on how to upgrade the firmware of your router.
Hope it helps!! -
I can not map a network drive in window 8.1 via VPN
Dear sir / madam,
I face a big problem. My company use VPN Connection. After my company upgrade the window from Window 7 to Window8.1 , we find that we can not reconnect the network drive. please find the details below:
1. I success to map drive and then logout / switch user.
2. wait two /three hours
3. i find the drive is disconnected.
4. when I try to reconnect, window can not find again. then I try to use netstat
C:\Windows\system32>netstat
TCP 172.28.97.31:58206 test-server:http TIME_WAIT
Then, i try to use cmd
5 it show reconnect successful by net use command. However , I need waste many time and I can not find the drive in window.
if I restart window, i can reconnect it quickly and find the drive in window.
the server is window server 2008 r2 and located at difference site.
if the server and PC located at same site, it is no problem.
both the server and PC are joined in same domain.
it is dell server and Lenovo M82 PC
please help me to solve the problem
(window 7 also have this problem. However, i can click the drive and it can reconnect quickly. i cannot do this in window 8.1.......it loop again)
thanks
Hi,
Is there any error message thrown when you reconnect the mapped drive? Can you directly access the UNC path of the mapped drive? What VPN programs do you use? Please check if the VPN client connects correctly.
You could refer to the thread below to check if the AD account is restricted by VPN.
Can't access mapped drives through VPN when away from office
http://social.technet.microsoft.com/Forums/windows/en-US/a0ca41aa-08b8-4e46-a314-ffb7e401bd7a/cant-access-mapped-drives-through-vpn-when-away-from-office?forum=w7itpronetworking
Best Regards,
Mandy
I can not map a network drive in window 8.1 under VPN
Dear sir / madam,
I face a big problem. My company use VPN Connection. After my company upgrade the window from Window 7 to Window8.1 , we find that we can not reconnect the network drive. please find the details below:
1. I success to map drive and then logout / switch user.
2. wait two /three hours
3. i find the drive is disconnected.
4. when I try to reconnect, window can not find again. then I try to use netstat
C:\Windows\system32>netstat
TCP 172.28.97.31:58206 test-server:http TIME_WAIT
Then, i try to use cmd , net use /delete and then try to reconnect test-server
5 it show reconnect successful by net use command. However , I need waste many time and I can not find the drive in window.
if I restart window, i can reconnect it quickly and find the drive in window.
the server are window server 2008 r2 and server 2012, they located at difference site.
if the server and PC located at same site, it is no problem.
both the server and PC are joined in same domain.
it is dell server and Lenovo M82 PC( Intel Lan 82579LM/V Driver)
please help me to solve the problem
(window 7 also have this problem. However, i can click the drive and it can reconnect quickly. i cannot do this in window 8.1.......it loop again)
thanks
Hi,
How did you map the network drive? Manually via GUI? Command? GPP? If you're using one of the above solutions, then try other solutions as an alternative way to check the result.
According to your description, if Windows remains unable to reconnect the mapped network drive at login, then I would suggest you create a batch file with the net use command and use it as a logon script; this provides an alternate way to reconnect drives on a re-logon.
example
@echo off
net use * /delete /yes
net use x: \\server_name\shared_directory_name
You can find detailed information in the following link
https://helpdesk.egnyte.com/hc/en-us/articles/201638304-Mapping-a-drive-using-a-net-use-command-and-logon-scripts-for-domain-users
http://technet.microsoft.com/en-us/library/bb490717.aspx
NOTE
This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you.
Microsoft does not control these sites and has not tested any software or information found on these sites.
Yolanda Zhu
TechNet Community Support -
I am unable to re-install iTunes. The installer starts ok and then indicates that it can not access a network!! I have tried to uninstall but get the same error message. I have used 3rd party software to uninstall but still have no joy. My PC is running Vista.
Can anyone offer a working solution? Many thanks.
Let's try the fixit from the following Microsoft document with that one:
Fix problems with programs that can't be installed or uninstalled -
I can not access Itunes Store from my computer.
When I run the diagnostic tool for network connectivity, my network connects but I get a Red light that says "SECURE LINK TO THE ITUNES STORE FAILED".
Can anyone help me on this problem?
iTunes won't connect, all I get is the "accessing iTunes store......" with the bar scrolling but no connection.
With those symptoms, I'd try the following document:
Apple software on Windows: May see performance issues and blank iTunes Store
(If there's a SpeedBit LSP showing up in Autoruns, it's usually best to just uninstall your SpeedBit Video Accelerator.) -
Nas can not access secure parts from Macbook pro
Black Armor 220 NAS can not access secure parts from MacBook Pro, although access success Public parts (no password), is any setting in Lion or else needed setup?
Late 2006 model, 15'
is any network sharing files setting for secure files sharing in a NAS (wifi with Mac via internet gateway), or to be able access Public files (but not secure), the password must be the problem?
-
I can not count the data from the module. Can prompt as it to make. It is desirable with examples (data read-out from the module and data transmission between channels. It is in advance grateful.
Hello. Most of the engineers in developer exchange are more familiar
with NI products. Contacting ICS for technical support is a better
course of action. -
The report can not retrieve the data from the DB
Dear all,
I am facing a problem: I have ready-designed reports in Crystal. While refreshing the report in Crystal, it gives an error that it can not retrieve the information from the database. But if I am using the application to which the report is attached, it gives me the results and shows the report in Crystal. Even for testing, if I add a new field, I have to run it from the application, but directly from Crystal Reports it displays an error.
I hope you will help me in the issue.
Could you please provide more information:
What is the database? (Oracle, SQL Server, xml, etc.)
What type of connectivity? (ODBC, Native, OLE DB, etc)
Are application and Crystal Reports are running from the same machine?
What is the error message? Any error numbers? -
Can not delete Twitter mentions from the Hub
Can not delete Twitter mentions from the Hub. When I delete, they reappear in a few minutes.
I had the same problem, so I just deleted Twitter altogether. Like was said before, it must be a bug among many they seem to have, including password compromises