Cannot navigate once connected to VPN

I need all my traffic to go through the VPN when I'm connected to it. Unfortunately, when I do connect, if I check the box (I'm on Openbox, btw) "Use this connection only for resources on its network" I have an internet connection but cannot browse the VPN resources; if I uncheck it, I lose all connectivity.
Here are my results of "route -n":
Without being connected to VPN:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 wlp6s0
192.168.0.0     0.0.0.0         255.255.255.0   U     303    0        0 wlp6s0
192.168.0.1     0.0.0.0         255.255.255.255 UH    0      0        0 wlp6s0
192.168.0.4     127.0.0.1       255.255.255.255 UGH   303    0        0 lo

Being connected to VPN:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 tun0
172.40.0.0      0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.0.0     0.0.0.0         255.255.255.0   U     303    0        0 wlp6s0
192.168.0.1     0.0.0.0         255.255.255.255 UH    0      0        0 wlp6s0
192.168.0.4     127.0.0.1       255.255.255.255 UGH   303    0        0 lo
195.59.xx.xx    192.168.0.1     255.255.255.255 UGH   0      0        0 wlp6s0

195.59.xx.xx being my VPN IP.
Any ideas? Suggestions?
Thanks.

Hey, thanks for your help guys; however, I still have the issue. I believe ewaller is correct and this route is being added when I connect to the VPN. Here is the "ip route" output:
[soto@arch ~]$ ip route
default dev tun0 proto static
172.40.0.0/24 dev tun0 proto kernel scope link src 172.40.0.99
192.168.0.0/24 dev wlp6s0 proto kernel scope link src 192.168.0.4 metric 9
192.168.0.4 via 127.0.0.1 dev lo metric 303
195.59.xx.62 via 192.168.0.1 dev wlp6s0 proto static
If I try to add another route I get:
[soto@arch ~]$ sudo ip route add 172.40.0.0/24 dev tun0
RTNETLINK answers: File exists
Pinging 172.40.0.1 gets no response:
[soto@arch ~]$ sudo ping 172.40.0.1
PING 172.40.0.1 (172.40.0.1) 56(84) bytes of data.
--- 172.40.0.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2007ms
=/
Last edited by tehsoto (2014-01-17 18:50:19)
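To show why the kernel answers "File exists" and which interface each destination actually leaves on, here is an added example (my code, not from the thread) that parses the `ip route` output quoted above and does a kernel-style longest-prefix lookup over it. The redacted VPN server address (195.59.xx.62) is replaced by 198.51.100.62, a constructed stand-in from the RFC 5737 documentation range.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Route table constructed from the `ip route` output quoted above. The VPN
# server's address is redacted on the page (195.59.xx.62); 198.51.100.62, from
# the RFC 5737 documentation range, stands in for it here.
IP_ROUTE_OUTPUT = """\
default dev tun0 proto static
172.40.0.0/24 dev tun0 proto kernel scope link src 172.40.0.99
192.168.0.0/24 dev wlp6s0 proto kernel scope link src 192.168.0.4 metric 9
192.168.0.4 via 127.0.0.1 dev lo metric 303
198.51.100.62 via 192.168.0.1 dev wlp6s0 proto static
"""

VPN_SERVER = "198.51.100.62"  # stand-in for the redacted 195.59.xx.62
TUNNEL_DEV = "tun0"


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str]  # next-hop gateway; None for on-link / point-to-point routes
    metric: int


def parse_ip_route(text: str) -> list[Route]:
    """Parse `ip route` lines into Route objects (keywords used in the output above)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev, via, metric = "", None, 0
        i = 1
        while i < len(fields):
            key = fields[i]
            if key == "dev":
                dev = fields[i + 1]
            elif key == "via":
                via = fields[i + 1]
            elif key == "metric":
                metric = int(fields[i + 1])
            # keywords with a value consume two tokens, bare flags consume one
            i += 2 if key in ("dev", "via", "metric", "proto", "scope", "src") else 1
        routes.append(Route(ipaddress.ip_network(dest, strict=False), dev, via, metric))
    return routes


def lookup(routes: list[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; on equal prefix length the lower metric wins (FIB semantics)."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def route_exists(routes: list[Route], prefix: str, dev: str) -> bool:
    """True when that exact prefix is already installed on that device, which is
    what `ip route add` reports as 'RTNETLINK answers: File exists'."""
    net = ipaddress.ip_network(prefix, strict=False)
    return any(r.prefix == net and r.dev == dev for r in routes)


def tunnel_bypass(routes: list[Route], dests: list[str], tunnel_dev: str = TUNNEL_DEV) -> list[str]:
    """Destinations that would leave the host outside the tunnel. In a full-tunnel
    setup the only expected entries are the VPN server itself (its host route via
    the physical gateway keeps the tunnel from being routed through itself) and
    the local LAN; anything else is a leak worth investigating."""
    leaks = []
    for d in dests:
        r = lookup(routes, d)
        if r is None or r.dev != tunnel_dev:
            leaks.append(d)
    return leaks


ROUTES = parse_ip_route(IP_ROUTE_OUTPUT)

if __name__ == "__main__":
    for dst in ("172.40.0.1", "8.8.8.8", VPN_SERVER, "192.168.0.50"):
        r = lookup(ROUTES, dst)
        print(f"{dst:>15} -> dev {r.dev}" + (f" via {r.via}" if r.via else ""))
    print("172.40.0.0/24 already on tun0:", route_exists(ROUTES, "172.40.0.0/24", "tun0"))
    print("leaves outside tun0:", tunnel_bypass(ROUTES, ["8.8.8.8", VPN_SERVER, "192.168.0.50"]))
```

With this table 172.40.0.1 already resolves to tun0 and the /24 is already installed there, so the failed `ip route add` was redundant; the silence on ping has to come from the far end of the tunnel (or filtering on it), not from the local routing.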

Similar Messages

  • Gmail in Mail app disconnects once connected to VPN in LION

    hi ,
    I am new to Mac. I have configured Mac Mail for all my email IDs. I have configured my company email along with my personal email. I have to connect through VPN to access my company emails. I am using the built-in Cisco VPN in Lion to connect. But once I connect to VPN all my remaining emails get disconnected in the Mail app; there are no updates in any of my personal emails (Gmail). But I am able to access my personal email when I log in through the browser.
    If my company is not allowing access to Gmail when connected to VPN then it shouldn't be accessible through the browser, but I am able to access my mails through browsers. Even Gmail in iChat disconnects once I connect to VPN; I could see Yahoo connected sometimes in iChat but never Gmail.
    Once I disconnect from VPN all mails are back to their original state and my company mail shows disconnected, which is acceptable as I am not connected to VPN to access it.
    Is it a problem with the Mail app or VPN?
    thanks
    som

    When you delete a POP account in Mail it deletes the messages in the Inbox. These should download again as All Mail. BTW, when you select Archive it will move messages out of the Inbox to the All Mail folder.
    I suggest you start with a new Mail profile. This will not include any previous emails and accounts. We can discuss importing those later.
    Quit Mail
    Go to the User's Library folder. This folder is hidden by default. To unhide: Select the Finder in the Dock. Under Go in the Menu bar > hold down the Option key and you’ll see the Library.
    Scroll to Containers.  Drag the com.apple.mail folder to the Desktop
    Rename Mail folder to MailXX (you can revert if needed)
    Go to Preferences. If you find any com.apple.mail.plist files, delete these.
    Log out under the Apple in the Menu bar
    Log in
    Open Mail
    Before you add your Gmail account, I suggest you do a bit of clean up in your browser first.
    See suggestions here.
    Use Gmail with Mavericks Mail
    http://www.needhelp4mac.com/2013/12/use-gmail-with-mavericks-mail/
    It will take some time to download 19 GB. Note: some users have selected not to sync the All Mail folder. You might want to disable sync at first until you get your folders and new Inbox downloaded. After adding All Mail, I would let it sync overnight.
    (Fair disclosure: Needhelp4Mac is my site. I may receive some form of compensation, financial or otherwise, from my recommendation or link.)

  • ITunes won't play via Airport Express when connected to VPN

    Once connected to VPN iTunes just won't work but still plays on my computer. I believe it has something to do with the firewall but I do not know how to get around it. Can anyone help? I would love to listen to music via my stereo speakers while doing work...Thanks!

    Is this what you are looking for? http://docs.info.apple.com/article.html?artnum=93396
    or
    http://docs.info.apple.com/article.html?artnum=108071

  • VPN Issues: Unable to access internet once connected.

    I need to connect to my workplace via a VPN (Cisco IPSec) connection. Typically we use a Cisco VPN client to allow for access, but I'm using the built in support within Mountain Lion.
    I am able to successfully connect via the VPN connection, but once connected I am unable to access any websites, and when I launch Terminal and try to ping anything, it just sits and waits.
    I have sorted the network connections so that the VPN is at the top of the sort order within the Network Preferences.
    Any suggestions?

    Maybe one of these Apple support articles will help:
    http://support.apple.com/kb/PH10759
    http://support.apple.com/kb/PH11067
    http://support.apple.com/kb/PH10755
    http://support.apple.com/kb/PH11138

  • I have an iPad mini with iOS 7. A few days ago I began to have problems with Wi-Fi connectivity. I can connect to Wi-Fi with Google but cannot navigate in Safari, nor are any of my apps able to access Wi-Fi. Very strange. Not sure what to do!


    Hi ..
    Reset the device:
    Press and hold the Sleep/Wake button and the Home button together for at least ten seconds, until the Apple logo appears.
    If that doesn't help, tap Settings > General > Reset > Reset All Settings
    If that doesn't help, tap Settings > General > Reset > Reset Network Settings
    You may have to re enter your Wi-Fi password.
    If nothing above has helped, try here >  iOS: Troubleshooting Wi-Fi networks and connections

  • Users can only connect to RD farm website and cannot remote into terminal server , when connected via VPN

    Hello,
    I have an RD farm using 3 Win 2012 servers (1 broker and 2 session hosts), for internal use only; I have not configured a gateway for internet access.
    Users are able to connect to the RD farm website and remote into the terminal server within the office,
    but can only connect to the RD farm website and cannot remote into the terminal server when connected via VPN.
    It takes a long time at "securing connection" and then fails.
    Thanks

    Hi,
    Thank you for your posting in Windows Server Forum.
    First of all I would suggest you configure the RD Gateway role on your server and pass all connections through it, because it's best practice to use RD Gateway in an RDS farm.
    Apart from this, if you are not using RD Gateway then you must check that you have successfully forwarded port 3389 for RDS to be accessed via VPN. Also check that you have made the configuration under IIS Manager to enable Forms Authentication. Please check this link.
    In addition, please refer to the articles beneath for additional details.
    1. How to Access Windows Remote Desktop Over the Internet
    2. Remote Desktop Services in Windows 2008 R2 – Part 3 – RD Web Access & RemoteApp
    (For reference)
    Hope it helps!
    Thanks,
    Dharmesh

  • Cannot connect to VPN through NetworkManager anymore.

    I cannot connect to VPN through NetworkManager anymore. The last time I used it, it worked perfectly, but I don't use it so often and the last time was 2-3 months ago. So I don't know what went wrong, or which package upgrade broke it.
    I switched to systemd a month ago; it may or may not be related.
    I can still connect from the command line using the vpn/vpn-disconnect tools.
    All that happens is an alert window saying: "The VPN connection '......' failed because there were no valid VPN secrets." And here is the journal:
    NetworkManager[355]: <info> Starting VPN service 'vpnc'...
    NetworkManager[356]: <info> VPN service 'vpnc' started (org.freedesktop.NetworkManager.vpnc), PID 9214
    kernel: tun: Universal TUN/TAP device driver, 1.6
    kernel: tun: (C) 1999-2004 Max Krasnyansky <[email protected]>
    NetworkManager[356]: <info> VPN service 'vpnc' appeared; activating connections
    NetworkManager[356]: <error> [1349687970.426748] [nm-vpn-connection.c:1405] get_secrets_cb(): Failed to request VPN secrets #3: (6) No agents were available for this request.
    NetworkManager[356]: <info> Policy set 'MYSSIDOMITTED' (wifi0) as default for IPv4 routing and DNS.
    NetworkManager[356]: <error> [1349687973.943758] [nm-vpn-connection.c:1405] get_secrets_cb(): Failed to request VPN secrets #3: (6) No agents were available for this request.
    NetworkManager[356]: <info> Policy set 'MYSSIDOMITTED' (wifi0) as default for IPv4 routing and DNS.
    NetworkManager[356]: <info> VPN service 'vpnc' disappeared
    All necessary VPN packages for NetworkManager are installed.
    Google did not turn up any useful info other than a few year-old threads saying "upgrade your networkmanager".

    Well, I managed to get the auth dialog to show up reliably by applying a couple patches from this Bugzilla: https://bugzilla.gnome.org/show_bug.cgi?id=679212
    Still getting breakage in that it's not properly authenticating:
    Attempting to connect to redacted:443
    Using client certificate '/CN=redacted'
    Client certificate expires soon at: Dec 5 02:57:05 2012 GMT
    SSL negotiation with somesite.somedomain.com
    Connected to HTTPS on somesite.somedomain.com
    GET https://somesite.somedomain.com/
    Got HTTP response: HTTP/1.0 302 Object Moved
    SSL negotiation with somesite.somedomain.com
    Connected to HTTPS on somesite.somedomain.com
    GET https://somesite.somedomain.com/+webvpn+/index.html
    GET https://somesite.somedomain.com/CACHE/sdesktop/install/binaries/sfinst
    GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
    Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
    GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
    Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
    GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
    Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
    GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
    Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
    GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
    Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
    GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
    Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
    GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
    Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
    GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
    Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
    GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
    Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
    GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
    Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
    GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
    Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
    GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
    Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
    GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
    Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
    GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
    Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
    GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
    Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
    GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
    Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
    GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
    Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
    GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
    Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
    GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
    Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
    GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
    Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
    GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
    Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
    GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
    Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
    GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
    Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
    GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
    Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
    GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
    Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
    GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
    Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
    GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
    Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
    GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
    Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
    GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
    Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
    GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
    Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
    GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
    Failed to read from SSL socket
    Error fetching HTTPS response
    This behavior is not what I'm getting from the command-line client, of course, so... still digging.

  • Cannot connect to VPN for work on OS10.7.3

    Hi All,
    I need to connect to VPN so I can connect to my work server.
    I currently do this on a Toshiba laptop running Ubuntu with no problems. The Toshiba will be heading overseas and I need the VPN connection at home, hopefully on my MacBook Air.
    I have spent many hours searching the internet to see how to connect and have tried many ideas but cannot find a solution.
    Our work IT manager has also tried and given up.
    Is there something I can install to make it work? Unfortunately, not being able to work on my Mac makes it useless to me and I will have to purchase a new laptop which can connect to VPN.
    I have now tried 3 VPN connections and get the following errors:
    The PPTP-VPN server did not respond. Try reconnecting. If the problem continues, verify your settings and contact your administrator.
    The IPSec Certificate is missing. Verify your settings and try reconnecting.
    The VPN server did not respond. Verify the server address and try reconnecting.
    Can anyone help please before I also give up, as many others have on forums, and sell the Mac?
    Roxycollie

    Hello Again LSRW,
    I don't have time now to go into great detail but will try to return later.
    But, you wrote "...AOL Desktop 1.5. I still find it lacking in functionality, performance, and aesthetics compared to it's predecessor, which I miss dearly.".
    I am still using AOL For Mac OSX and have never installed AOL Desktop.
    I don't have any problems connecting AOL to the Internet.
    You can still download AOL® for
    Mac OS X from AOL Downloads For Mac.
    ali b

  • User cannot connect through VPN (Windows 2008 R2)

    Hello,
    TechNet has been a major help for some recent server and network problems our office has been having.
    There is one ongoing issue that no matter how much I try to fix, it wants to be stubborn and refuse to work properly.
    We have a user who has the necessary permissions to VPN using our router's IP address. Just recently, she found that she was unable to VPN. This was the beginning of our technical issues, as after rebooting the router, our main server, and our QuickBooks server, we lost internet and access to the main server. Those issues have been resolved. However, the user is still unable to VPN.
    I have looked up every error code that has been presented when trying to connect to VPN (807 and 800 are the most frequent), and unfortunately, none of the solutions suggested worked. These errors occur when connecting through the WAN Miniport. I am trying to find out if I am overlooking something.
    What has been tried:
    Router rebooted
    Created new user in Active Directory
    Deleting VPN Users group and re-adding it to the user
    Changing tunneling protocol to L2TP instead of PPTP. Then, created a rule in Windows Advanced Firewall to allow UDP 1701.
    Creating new VPN connection.
    Confirmed with ISP that there are no issues with router
    I am not extremely familiar with Windows 2008 R2 and every fix I see online is extremely in depth with not much walkthrough information.
    I greatly appreciate any support anyone might be able to provide.
    Thank you!

    Hi ,
    According to your description, my understanding is that the client can't access the VPN, with error codes 800 and 807.
    I have noticed that it failed to ping the VPN server from the client. The VPN server should be reachable from the client without a VPN connection established. I suggest you turn off the firewall temporarily on both the client and the VPN server, then try to ping the IP address of the VPN server's interface which is connected to the extranet network.
    If the ping fails, there might be a network connectivity problem. If the ping succeeds, check to see if the port is open for tunneling traffic. For detailed troubleshooting steps you may reference the links below:
    I received error 800, which says the VPN server is unreachable:
    http://technet.microsoft.com/en-us/library/cc772616(WS.10).aspx#BKMK_1
    Troubleshooting common VPN related errors:
    http://blogs.technet.com/b/rrasblog/archive/2009/08/12/troubleshooting-common-vpn-related-errors.aspx
    If this problem still exists, can other users successfully access the VPN, or is it just the specified device that can't? Would you briefly describe the deployment of the VPN, such as TCP/IP settings and VPN type?
    Best Regards,
    Eve Wang

  • Cannot Connect to VPN After License Upgrade

    Hello,
    I am having an issue where I can't connect to VPN after upgrading the license.
    The license upgraded is related to AnyConnect VPN.
    I noticed from the newly upgraded license, the Encryption-3DES-AES is disabled whereas previously it was enabled.
    Could it be the cause of the issue?
    ASA 5512-K9
    Version 8.6(1)2
    Thank you in advance.
    Regards,
    Zul

    Hello,
    It is,
    here you have the link to request it for free
    https://tools.cisco.com/SWIFT/LicensingUI/loadDemoLicensee?FormId=139
    Regards

  • Outlook is disconnected while connected over VPN

    In our Beijing office a user's Outlook cannot connect to the Exchange server; however, when he connects to VPN his Outlook can normally send and receive email.
    It is so funny. Have you ever encountered a similar situation, or maybe you can provide a useful suggestion?

    Hi Frank,
    Which version of Exchange server are you using?
    Does this issue only happen to the certain user?
    Do you have Outlook Anywhere enabled?
    Did you get any error message when it failed to connect?
    Please provide more information about this issue so that we can fix it more efficiently.
    Meanwhile, you may follow this link to troubleshoot the issue:
    http://hosting.intermedia.net/support/kb/?id=1183
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Since this issue is also related to Exchange server, I'd recommend you post a same question in the Exchange forum to see if there is any good suggestions:
    https://social.technet.microsoft.com/Forums/office/en-US/home?category=exchangeserver
    Regards,
    Steve Fan
    TechNet Community Support
    It's recommended to download and install the Configuration Analyzer Tool (OffCAT), which is developed by Microsoft Support teams. Once the tool is installed, you can run it at any time to scan for hundreds of known issues in Office programs.

  • Connect to VPN but can't ping past inside interface

    Hello,
    I've been working on this issue for a few days with no success. We're setting up a new Cisco ASA 5515 in our environment and are trying to get a simple IPSec VPN set up on it for remote access. After some initial problems, we've gotten it to where the VPN tunnel authenticates the user and connects as it should; however, we cannot ping into our LAN. We are able to ping as far as the firewall's inside interface. I've tried other types of traffic too and nothing gets through. I've checked the routes listed on the VPN client while we're connected and they look correct. The client also shows both sent and received bytes when we connect using TCP port 10000, but no received bytes when we connect using UDP 4500. We are trying to do split tunneling, and that seems to be set up correctly because I can still surf while the VPN is connected.
    Below is our running config. Please excuse any messiness in the config, as there are a couple of us working on it and we've been trying a whole bunch of different settings throughout the troubleshooting process. I will also note that we're using ASDM as our primary method of configuring the unit, so any suggestions that could be made with that in mind would be most helpful. Thanks!
    ASA-01# sh run
    : Saved
    ASA Version 8.6(1)2
    hostname ASA-01
    domain-name domain.org
    enable password **** encrypted
    passwd **** encrypted
    names
    interface GigabitEthernet0/0
    speed 100
    duplex full
    nameif inside
    security-level 100
    ip address 10.2.0.1 255.255.0.0
    interface GigabitEthernet0/1
    description Primary WAN Interface
    nameif outside
    security-level 0
    ip address 76.232.211.169 255.255.255.192
    interface GigabitEthernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/4
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/5
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    speed 100
    duplex full
    shutdown
    nameif management
    security-level 100
    ip address 10.4.0.1 255.255.0.0
    ftp mode passive
    clock timezone MST -7
    clock summer-time MDT recurring
    dns domain-lookup inside
    dns server-group DefaultDNS
    name-server 10.2.11.6
    domain-name domain.org
    dns server-group sub
    name-server 10.2.11.121
    name-server 10.2.11.138
    domain-name sub.domain.net
    same-security-traffic permit intra-interface
    object network 76.232.211.132
    host 76.232.211.132
    object network 10.2.11.138
    host 10.2.11.138
    object network 10.2.11.11
    host 10.2.11.11
    object service DB91955443
    service tcp destination eq 55443
    object service 113309
    service tcp destination range 3309 8088
    object service 11443
    service tcp destination eq https
    object service 1160001
    service tcp destination range 60001 60008
    object network LAN
    subnet 10.2.0.0 255.255.0.0
    object network WAN_PAT
    host 76.232.211.170
    object network Test
    host 76.232.211.169
    description test
    object network NETWORK_OBJ_10.2.0.0_16
    subnet 10.2.0.0 255.255.0.0
    object network NETWORK_OBJ_10.2.250.0_24
    subnet 10.2.250.0 255.255.255.0
    object network VPN_In
    subnet 10.3.0.0 255.255.0.0
    description VPN User Network
    object-group service 11
    service-object object 113309
    service-object object 11443
    service-object object 1160001
    object-group service IPSEC_VPN udp
    port-object eq 4500
    port-object eq isakmp
    access-list outside_access_in extended permit icmp object VPN_In 10.2.0.0 255.255.0.0 traceroute log disable
    access-list outside_access_in extended permit object-group 11 object 76.232.211.132 interface outside
    access-list outside_access_in extended permit object DB91955443 any interface outside
    access-list outside_access_in extended permit udp any object Test object-group IPSEC_VPN inactive
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended deny ip any any
    access-list inside_access_in extended permit ip any any log disable
    access-list inside_access_in extended permit icmp any any echo-reply log disable
    access-list inside_access_in extended permit ip object VPN_In 10.2.0.0 255.255.0.0 log disable
    access-list domain_splitTunnelAcl standard permit 10.2.0.0 255.255.0.0
    access-list domain_splitTunnelAcl standard permit 10.3.0.0 255.255.0.0
    access-list vpn_access_in extended permit ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu management 1500
    mtu inside 1500
    mtu outside 1500
    ip local pool VPNUsers 10.3.0.1-10.3.0.254 mask 255.255.0.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any management
    icmp permit any inside
    icmp permit any outside
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source dynamic any interface
    nat (inside,outside) source dynamic any WAN_PAT inactive
    nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 113309 113309
    nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 11443 11443
    nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 1160001 1160001
    nat (outside,outside) source static any any destination static interface 10.2.11.138 service DB91955443 DB91955443
    nat (inside,outside) source static NETWORK_OBJ_10.2.0.0_16 NETWORK_OBJ_10.2.0.0_16 destination static NETWORK_OBJ_10.2.250.0_24 NETWORK_OBJ_10.2.250.0_24 no-proxy-arp route-lookup
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 76.232.211.129 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server ActiveDirectory protocol nt
    aaa-server ActiveDirectory (inside) host 10.2.11.121
    nt-auth-domain-controller sub.domain.net
    aaa-server ActiveDirectory (inside) host 10.2.11.138
    nt-auth-domain-controller sub.domain.net
    user-identity default-domain LOCAL
    eou allow none
    http server enable
    http 10.4.0.0 255.255.255.0 management
    http 10.2.0.0 255.255.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    no sysopt connection permit-vpn
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    subject-name CN=ASA-01
    crl configure
    crypto ca certificate chain ASDM_TrustPoint0
    certificate a6c98751
      quit
    crypto isakmp identity address
    crypto isakmp nat-traversal 30
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
    crypto ikev1 enable inside
    crypto ikev1 enable outside
    crypto ikev1 ipsec-over-tcp port 10000
    crypto ikev1 policy 10
    authentication crack
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 50
    authentication rsa-sig
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 70
    authentication crack
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 110
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 120
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd dns 10.2.11.121 10.2.11.138
    dhcpd lease 36000
    dhcpd ping_timeout 30
    dhcpd domain sub.domain.net
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
    anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
    anyconnect profiles VPN_client_profile disk0:/VPN_client_profile.xml
    anyconnect enable
    tunnel-group-list enable
    group-policy domain internal
    group-policy domain attributes
    banner value You are attempting to access secured systems at this facility. All activity is monitored and recorded. Disconnect now if you are not authorized to access these systems or do not possess valid logon credentials.
    wins-server value 10.2.11.121 10.2.11.138
    dns-server value 10.2.11.121 10.2.11.138
    vpn-idle-timeout none
    vpn-filter value vpn_access_in
    vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value domain_splitTunnelAcl
    default-domain value sub.domain.net
    split-dns value sub.domain.net
    group-policy DfltGrpPolicy attributes
    dns-server value 10.2.11.121 10.2.11.138
    vpn-filter value outside_access_in
    vpn-tunnel-protocol l2tp-ipsec
    default-domain value sub.domain.net
    split-dns value sub.domain.net
    address-pools value VPNUsers
    username **** password **** encrypted privilege 15
    username **** password **** encrypted privilege 15
    username **** attributes
    webvpn
      anyconnect keep-installer installed
      anyconnect dtls compression lzs
      anyconnect ssl dtls enable
      anyconnect profiles value VPN_client_profile type user
    tunnel-group DefaultL2LGroup general-attributes
    default-group-policy domain
    tunnel-group DefaultRAGroup general-attributes
    address-pool VPNUsers
    authentication-server-group ActiveDirectory
    default-group-policy domain
    tunnel-group DefaultRAGroup ipsec-attributes
    ikev1 pre-shared-key *****
    ikev1 trust-point ASDM_TrustPoint0
    tunnel-group DefaultWEBVPNGroup general-attributes
    default-group-policy domain
    tunnel-group domain type remote-access
    tunnel-group domain general-attributes
    address-pool (inside) VPNUsers
    address-pool VPNUsers
    authentication-server-group ActiveDirectory LOCAL
    authentication-server-group (inside) ActiveDirectory LOCAL
    default-group-policy domain
    dhcp-server link-selection 10.2.11.121
    tunnel-group domain ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly 21
      subscribe-to-alert-group configuration periodic monthly 21
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:2578e19418cb5c61eaf15e9e2e5338a0
    : end
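    Added here as a worked check over the posted "sh run", not the poster's own tooling. On ASA 8.3+ the first thing to verify when clients authenticate but only reach the inside interface is NAT order: the manual rule "nat (inside,outside) source dynamic any interface" is matched top-down, so a LAN reply bound for the 10.3.0.0/16 pool gets PATed to the outside address unless an identity (NAT-exempt) rule for that pool sits above it, and a translated reply never matches the client's SA. The script below flags that, lists the IKE policies that still offer DES/3DES, MD5, DH groups 1/2/5 or CRACK, and reports "no sysopt connection permit-vpn", which makes outside_access_in (here: ICMP only from VPN_In, then deny ip any any) apply to decrypted VPN traffic. SAMPLE_CONFIG is a constructed excerpt of the posted config with the one-space sub-command indentation that sh run emits (the page's copy lost it); the proposed identity-NAT line reuses the posted LAN and VPN_In objects and is my assumption about the fix, not something stated in the thread.

```python
"""Audit an ASA 8.3+ 'sh run' for the remote-access VPN pitfalls in the posted config.
Added example, not the poster's tooling; SAMPLE_CONFIG is a constructed excerpt of it."""
import ipaddress
import re

WEAK_ENCRYPTION = {"des", "3des"}
WEAK_DH_GROUPS = {"1", "2", "5"}  # MODP groups below 2048 bits

SAMPLE_CONFIG = """\
object network LAN
 subnet 10.2.0.0 255.255.0.0
object network VPN_In
 subnet 10.3.0.0 255.255.0.0
ip local pool VPNUsers 10.3.0.1-10.3.0.254 mask 255.255.0.0
nat (inside,outside) source dynamic any interface
no sysopt connection permit-vpn
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
"""
# Assumed fix: identity NAT for the pool; sequence number 1 puts it above the dynamic PAT.
PROPOSED_FIX = ("nat (inside,outside) 1 source static LAN LAN "
                "destination static VPN_In VPN_In no-proxy-arp route-lookup\n")


def parse_blocks(config: str) -> list:
    """Split 'sh run' into (top-level command, [sub-commands]) pairs."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith(("!", ":")):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def weak_ike_policies(config: str) -> list:
    """One finding per IKEv1/IKEv2 policy that offers a weak primitive."""
    findings = []
    for cmd, subs in parse_blocks(config):
        if not re.match(r"crypto ikev[12] policy \d+$", cmd):
            continue
        kv = dict(s.split(" ", 1) for s in subs if " " in s)
        reasons = []
        if kv.get("encryption") in WEAK_ENCRYPTION:
            reasons.append(f"encryption {kv['encryption']}")
        if kv.get("hash", kv.get("integrity")) == "md5":
            reasons.append("MD5 integrity")
        if weak := set(kv.get("group", "").split()) & WEAK_DH_GROUPS:
            reasons.append("DH group " + " ".join(sorted(weak)))
        if kv.get("authentication") == "crack":
            reasons.append("CRACK authentication")
        if reasons:
            findings.append(f"{cmd}: {', '.join(reasons)}")
    return findings


def missing_vpn_nat_exemption(config: str) -> list:
    """Flag a dynamic PAT that no earlier identity NAT for the VPN pool shields:
    LAN replies to VPN clients get translated and never match the client's SA."""
    objects, pool, rules = {}, None, []  # rules: (kind, "(real,mapped)", dst object)
    for cmd, subs in parse_blocks(config):
        if m := re.match(r"object network (\S+)$", cmd):
            for p in (s.split() for s in subs):
                if p[0] in ("subnet", "host"):
                    objects[m.group(1)] = ipaddress.ip_network("/".join(p[1:]), strict=False)
        elif m := re.match(r"ip local pool \S+ (\S+)-\S+ mask (\S+)$", cmd):
            pool = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        elif m := re.match(r"nat (\(\w+,\w+\)) (?:\d+ )?source dynamic ", cmd):
            rules.append(("dynamic", m.group(1), None))
        elif m := re.match(r"nat (\(\w+,\w+\)) (?:\d+ )?source static (\S+) (\S+) "
                           r"destination static (\S+) (\S+)", cmd):
            if m.group(2) == m.group(3) and m.group(4) == m.group(5):
                rules.append(("identity", m.group(1), m.group(4)))
    if pool is None:
        return []
    findings, exempted = [], set()
    for kind, ifaces, dst in rules:  # config order is match order for manual NAT
        if kind == "identity":
            net = objects.get(dst)
            if net is not None and pool.subnet_of(net):
                exempted.add(ifaces)
        elif ifaces not in exempted:
            findings.append(f"dynamic PAT on {ifaces} precedes any identity NAT for VPN pool {pool}")
    return findings


def vpn_bypasses_interface_acl(config: str) -> bool:
    """ASA default; the posted 'no sysopt connection permit-vpn' turns it off,
    so outside_access_in is also applied to decrypted VPN traffic."""
    return all(c != "no sysopt connection permit-vpn" for c, _ in parse_blocks(config))
```

    Running the three checks over SAMPLE_CONFIG reports both IKE policies, one missing exemption, and the sysopt change; inserting PROPOSED_FIX above the dynamic PAT line (which is what sequence number 1 does on the box) clears the NAT finding. A config in which the identity rule exists but is listed after the dynamic PAT is still flagged, because the first matching manual rule wins.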


  • PowerView error -Cannot create a connection to data source 'TemporaryDataSource'.

    Hello and thanks for the time.
    I am getting the following error when trying to create a PowerView report. I don't get where this TemporaryDataSource is or how to check the permissions on it. That is what this error is pointing to, no? I tried re-installing the
    SQL reporting add-in, and no go there. SQL Browser services are running. I can see the file in Excel; I just can't create a PowerView report. Any and all help is appreciated. Thanks.
    <detail><ErrorCode xmlns="http://www.microsoft.com/sql/reportingservices">rsCannotRetrieveModel</ErrorCode><HttpStatus xmlns="http://www.microsoft.com/sql/reportingservices">400</HttpStatus><Message xmlns="http://www.microsoft.com/sql/reportingservices">An
    error occurred while loading the model for the item or data source 'https://teamsite.domain.com/POWERPIVOT/PowerPivot%20Gallery/Test.xlsx'. Verify that the connection information is correct and that you have permissions to access the data source.</Message><HelpLink
    xmlns="http://www.microsoft.com/sql/reportingservices">http://go.microsoft.com/fwlink/?LinkId=20476&amp;EvtSrc=Microsoft.ReportingServices.Diagnostics.Utilities.ErrorStrings&amp;EvtID=rsCannotRetrieveModel&amp;ProdName=Microsoft%20SQL%20Server%20Reporting%20Services&amp;ProdVer=11.0.3128.0</HelpLink><ProductName
    xmlns="http://www.microsoft.com/sql/reportingservices">Microsoft SQL Server Reporting Services</ProductName><ProductVersion xmlns="http://www.microsoft.com/sql/reportingservices">11.0.3128.0</ProductVersion><ProductLocaleId
    xmlns="http://www.microsoft.com/sql/reportingservices">127</ProductLocaleId><OperatingSystem xmlns="http://www.microsoft.com/sql/reportingservices">OsIndependent</OperatingSystem><CountryLocaleId xmlns="http://www.microsoft.com/sql/reportingservices">1033</CountryLocaleId><MoreInformation
    xmlns="http://www.microsoft.com/sql/reportingservices"><Source>ReportingServicesLibrary</Source><Message msrs:ErrorCode="rsCannotRetrieveModel" msrs:HelpLink="http://go.microsoft.com/fwlink/?LinkId=20476&amp;EvtSrc=Microsoft.ReportingServices.Diagnostics.Utilities.ErrorStrings&amp;EvtID=rsCannotRetrieveModel&amp;ProdName=Microsoft%20SQL%20Server%20Reporting%20Services&amp;ProdVer=11.0.3128.0"
    xmlns:msrs="http://www.microsoft.com/sql/reportingservices">An error occurred while loading the model for the item or data source 'https://teamsite.domain.com/POWERPIVOT/PowerPivot%20Gallery/Test.xlsx'. Verify that the connection information is
    correct and that you have permissions to access the data source.</Message><MoreInformation><Source>Microsoft.ReportingServices.ProcessingCore</Source><Message msrs:ErrorCode="rsErrorOpeningConnection" msrs:HelpLink="http://go.microsoft.com/fwlink/?LinkId=20476&amp;EvtSrc=Microsoft.ReportingServices.Diagnostics.Utilities.ErrorStrings&amp;EvtID=rsErrorOpeningConnection&amp;ProdName=Microsoft%20SQL%20Server%20Reporting%20Services&amp;ProdVer=11.0.3128.0"
    xmlns:msrs="http://www.microsoft.com/sql/reportingservices">Cannot create a connection to data source 'TemporaryDataSource'.</Message><MoreInformation><Source></Source><Message>For more information about this error
    navigate to the report server on the local server machine, or enable remote errors</Message></MoreInformation></MoreInformation></MoreInformation><Warnings xmlns="http://www.microsoft.com/sql/reportingservices" /></detail>

    Hi,
    This issue is not supported by the SharePoint on-premises team.
    In addition, as this issue is related to PowerView, I suggest you create a new thread in the PowerView forum, where more experts will assist you.
    https://social.technet.microsoft.com/Forums/en-US/home?forum=powerview
    Best Regards,
    Lisa Chen
    TechNet Community Support
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact
    [email protected]

  • 10.9.2 Update Issue (VPN) - Eclipse Perl debugger issues while connected to VPN

    This post was initially added to this discussion: 10.9.2 Mavericks update issues
    I have yet another issue related to 10.9.2 update - Eclipse Perl debugger issues while connected to VPN...
    One of the big changes introduced by the 10.9.2 update is the VPN changes (security fixes). Unfortunately, whatever these changes are, they "broke" the Eclipse (open-source IDE) debugger. I am not sure if *all* programming languages (Eclipse plugins) are affected by this, but I know for sure that the 'Epic' (Perl plugin) debugger *stopped working* while the system is connected through VPN.
    Here is the error that gets “popped-up” in the Eclipse:
    Timed out while waiting for Perl debugger connection
    … and here is exact exception stack that gets printed:
    Unable to connect to remote host: 130.10.210.74:5000
    Compilation failed in require.
    at /Users/valeriy/workspace/ROBO-PROD-RA-685/src/lib/test/Val_test.pm line 0.
              main::BEGIN() called at /Users/valeriy/workspace/.metadata/.plugins/org.epic.debug/perl5db.pl line 0
              eval {...} called at /Users/valeriy/workspace/.metadata/.plugins/org.epic.debug/perl5db.pl line 0
    BEGIN failed--compilation aborted.
    at /Users/valeriy/workspace/ROBO-PROD-RA-685/src/lib/test/Val_test.pm line 0.
    Can't use an undefined value as a symbol reference at /Users/valeriy/workspace/.metadata/.plugins/org.epic.debug/perl5db.pl line 7596.
    END failed--call queue aborted.
    at /Users/valeriy/workspace/ROBO-PROD-RA-685/src/lib/test/Val_test.pm line 0.
    (of course the IP address changes dynamically for each VPN connection session)…
    I was able to prove that this issue is related to 10.9.2 update:
    Issue *does not* exist under 10.9.1 (I had to revert back to 10.9.1 to get it working again)
    No updates were performed around the same time 10.9.2 update occurred (I verified that using Software Update log)
    No configuration changes were introduced around the same time
    Reverting back to 10.9.1 using Time Machine (thank God I had a backup!!!) fixed the issue
    Steps to reproduce this issue:
    In Eclipse, try to use 'Epic' (Perl plugin) to debug any Perl script while *not* connected through VPN. The Epic debugger works.
    Connect to VPN
    Start Epic debugger to debug same script
    Debugger *does not* start, and "Timed out while waiting for Perl debugger connection" error pop-up comes up after some time. At the same time, exception stack (listed above) is printed in Eclipse's console
    I am a programmer/software developer; I work remotely (telecommute) and thus have to rely on the use of VPN to connect to the company's intranet. Perl is the primary language used by my team, and we use the Eclipse IDE with the Epic plugin heavily. Use of Epic's debugger is a *very large* aspect of my work; I cannot work without it. So in essence, 10.9.2 has *entirely* disrupted my ability to work! It took me almost a week to get back to a normal work environment, and I cannot afford to let it happen again... I need Apple's development team to resolve this VPN-related issue as soon as possible! Because of this issue, I am *stuck* with 10.9.1 and cannot upgrade my laptop to any other version. In fact, I had to disable system updates just so I do not run into this issue again... I contacted Apple's Tech Support on 02/28 with this issue (Ref: 582428110), asking to raise a trouble ticket. Since then, I have tried to follow up on that issue, but do not get any information. Please advise on the status:
    is there a trouble ticket to track this issue?
    is there any progress?
    what's the ETA for an update that fixes this problem?
    - Val
    Message was edited by: vpogrebi

    Am I the only one experiencing this issue ???

  • Problems accessing 1 remote desktop when connected with VPN

    Hi everyone,
    I have an ASA 5505 and have a problem where when I connect through VPN I can RDP into a server using its internal address but I cannot RDP to another server using its internal address.
    The one I can connect to has an IP of 192.168.2.10 and the one I cannot connect to has an IP of 192.168.2.11 on port 3390.
    Both rules are configured exactly the same except for the IP addresses and I cannot see why I cannot connect to this one server.
    I am also able to connect to my camera system with an IP 192.168.2.25 on port 37777 and able to ping any other device on the internal network.
    I've also tried pinging it and telnetting to port 3390 with no success.
    Here is the config.
    ASA Version 8.4(4)1
    interface Ethernet0/0
     switchport access vlan 3
    interface Ethernet0/1
    interface Ethernet0/2
     switchport access vlan 2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan2
     nameif inside
     security-level 100
     ip address 192.168.2.2 255.255.255.0
    interface Vlan3
     nameif outside
     security-level 0
     ip address 10.1.1.1 255.255.255.0
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object network CTSG-LAN-OUT
     range 10.1.1.10 10.1.1.49
    object network CTSG-LAN-IN
     subnet 192.168.2.0 255.255.255.0
    object service RDP3389
     service tcp destination eq 3389
     description To DC
    object network SERVER-IN
     host 192.168.2.10
    object network SERVER-OUT
     host 10.1.1.50
    object network CAMERA-IN-TCP
     host 192.168.2.25
    object network CAMERA-OUT
     host 10.1.1.51
    object service CAMERA-TCP
     service tcp destination eq 37777
    object network SERVER-Virt-IN
     host 192.168.2.11
    object network SERVER-Virt-OUT
     host 10.1.1.52
    object service RDP3390
     service tcp destination eq 3390
     description To VS for Master
    object network CAMERA-IN-UDP
     host 192.168.2.25
    object service CAMERA-UDP
     service udp destination eq 37778
    object network CTSG-LAN-OUT-VPN
     subnet 10.1.1.128 255.255.255.128
    object network SERVER-Virt-IN-VPN
     host 192.168.2.11
    object network SERVER-IN-VPN
     host 192.168.2.10
    object network CAMERA-IN-VPN
     host 192.168.2.25
    object-group protocol TCPUDP
     protocol-object udp
     protocol-object tcp
    access-list AnyConnect_Client_Local_Print extended deny ip any any
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
    access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
    access-list AnyConnect_Client_Local_Print remark Windows' printing port
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
    access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
    access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
    access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
    access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
    access-list inside1_access_in remark Implicit rule: Permit all traffic to less secure networks
    access-list inside1_access_in extended permit ip any any
    access-list outside_access_in extended permit object RDP3389 any host 192.168.2.10
    access-list outside_access_in extended permit object RDP3390 any host 192.168.2.11
    access-list outside_access_in extended permit object CAMERA-TCP any host 192.168.2.25
    access-list outside_access_in extended permit object CAMERA-UDP any host 192.168.2.25
    pager lines 24
    logging enable
    logging buffer-size 10240
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool RAVPN 10.1.1.129-10.1.1.254 mask 255.255.255.128
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static SERVER-IN-VPN SERVER-IN-VPN destination static CTSG-LAN-OUT-VPN CTSG-LAN-OUT-VPN
    nat (inside,outside) source static CAMERA-IN-VPN CAMERA-IN-VPN destination static CTSG-LAN-OUT-VPN CTSG-LAN-OUT-VPN
    nat (inside,outside) source static SERVER-Virt-IN-VPN SERVER-Virt-IN-VPN destination static CTSG-LAN-OUT-VPN CTSG-LAN-OUT-VPN
    object network CTSG-LAN-IN
     nat (inside,outside) dynamic interface
    object network SERVER-IN
     nat (inside,outside) static SERVER-OUT service tcp 3389 3389
    object network CAMERA-IN-TCP
     nat (inside,outside) static CAMERA-OUT service tcp 37777 37777
    object network SERVER-Virt-IN
     nat (inside,outside) static SERVER-Virt-OUT service tcp 3390 3390
    access-group inside1_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 10.1.1.2 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint ASDM_TrustPoint0
     enrollment terminal
     subject-name CN=SACTSGRO
     crl configure
    crypto ikev1 enable outside
    crypto ikev1 policy 10
     authentication crack
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 20
     authentication rsa-sig
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 30
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 40
     authentication crack
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 50
     authentication rsa-sig
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 60
     authentication pre-share
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 70
     authentication crack
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 80
     authentication rsa-sig
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 90
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 100
     authentication crack
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 110
     authentication rsa-sig
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 120
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 130
     authentication crack
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 140
     authentication rsa-sig
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 150
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    telnet 192.168.2.0 255.255.255.0 inside
    telnet timeout 15
    ssh 192.168.2.0 255.255.255.0 inside
    ssh timeout 5
    ssh version 2
    ssh key-exchange group dh-group1-sha1
    console timeout 15
    dhcpd auto_config inside
    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username admin password xxxxx encrypted privilege 15
    username admin attributes
     vpn-group-policy DfltGrpPolicy
    tunnel-group CTSGRA type remote-access
    tunnel-group CTSGRA general-attributes
     address-pool RAVPN
    tunnel-group CTSGRA ipsec-attributes
     ikev1 pre-shared-key *****
    class-map inspection_default
     match default-inspection-traffic
    policy-map global_policy
     class inspection_default
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:0140431e7642742a856e91246356e6a2
    : end
    Thanks for your help

    Ok,
    So you basically have configured the router so that you can connect directly to the ASA using the Cisco VPN Client. And also the objective was, in the end, to allow traffic to the LAN through the VPN Client connection ONLY.
    It would seem to me that to achieve that, you would only need the following NAT configurations
    VPN Client NAT0 / NAT Exempt / Identity NAT
    object network LAN
     subnet 192.168.2.0 255.255.255.0
    object network VPN-POOL
     subnet 10.1.1.128 255.255.255.128
    nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
    The purpose of the above NAT configuration is simply to tell the ASA not to do any kind of NAT when there is traffic between the LAN network of 192.168.2.0/24 and the VPN pool of 10.1.1.128/25. This way, if you have any additional hosts on the LAN that need to be connected to, you won't have to make any form of changes to the NAT configuration for the VPN client users. You just allow the connections in the ACL (explained later below).
    Default PAT
    object-group network DEFAULT-PAT-SOURCE
     network-object 192.168.2.0 255.255.255.0
    nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
    This configuration's purpose is just to replace the earlier Dynamic PAT rule on the ASA. I guess your router will be doing the translation from the ASA "outside" interface IP address to the router's public IP address, and this configuration should therefore allow normal Internet usage from the LAN.
    I would suggest removing all the other NAT configuration before adding these.
    Controlling VPN clients' access to internal resources
    Also, I assume that your current VPN client is configured as Full Tunnel. In other words, it will tunnel all traffic to the VPN connection while it's active?
    To control the traffic coming from the VPN Client users, I would suggest that you do the following
    Configure "no sysopt connection permit-vpn". This will change the ASA operation so that connections coming through VPN connections ARE NOT allowed by default to bypass the "outside" interface ACL. Therefore, after this change you can allow the connections you need in the "outside" interface ACL.
    Configure any rules you need regarding the VPN client connections in the "outside" interface ACL. Though I guess they already exist, since you are connecting there without the VPN also.
    I can't guarantee this with 100% certainty, but it would seem to me that the above things should get you to the point where you can access the internal resources ONLY after you have connected to the ASA through the VPN client connection. Naturally, take precautions like configuration backups if you are going to do major configuration changes. Also, if you are remotely managing the ASA, then you also have the option to configure a timer on the ASA after which it will automatically reload. This could help in situations where a misconfiguration breaks your management connection and you have no other way to connect remotely. Then the ASA would simply reboot after the timer ran out and also reboot with the original configuration (provided you hadn't saved anything in between).
    Why are you using a different port for the other device's RDP connection? I can understand it if it's used through the Internet, but if the RDP connection would be used through the VPN Client only, then I don't think there is any need to manipulate the default port of 3389 on the server or on the ASA.
    Also, naturally, if there is something on the actual server side preventing these connections, then these configuration changes might not help at all.
    Let me know if I have understood something wrong
    - Jouni
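The NAT ordering the reply relies on (one section 1 identity rule for the whole LAN and VPN pool, with the interface PAT moved to after-auto) can be checked with a small first-match model of the rules quoted in this thread. This is an added example, not Cisco's code or anything from the posters: it models only the identity and dynamic PAT rules shown above (the per-host static object NAT is left out), and ASA lookup is simplified to section order followed by configuration order.

```python
import ipaddress
from dataclasses import dataclass

# Addresses from the thread; OUTSIDE_IF is the ASA "outside" interface address.
LAN = ipaddress.ip_network("192.168.2.0/24")
VPN_POOL = ipaddress.ip_network("10.1.1.128/25")
ANY = ipaddress.ip_network("0.0.0.0/0")
OUTSIDE_IF = "10.1.1.1"


@dataclass
class NatRule:
    name: str
    section: int          # 1 = manual (twice) NAT, 2 = object NAT, 3 = after-auto
    real_src: ipaddress.IPv4Network
    real_dst: ipaddress.IPv4Network
    pat: bool             # True = dynamic PAT to the interface, False = identity NAT


def host(ip):
    return ipaddress.ip_network(ip + "/32")


# The posted config: one identity rule per inside host, plus object NAT PAT for the LAN.
OLD_RULES = [
    NatRule("SERVER-IN-VPN", 1, host("192.168.2.10"), VPN_POOL, False),
    NatRule("CAMERA-IN-VPN", 1, host("192.168.2.25"), VPN_POOL, False),
    NatRule("SERVER-Virt-IN-VPN", 1, host("192.168.2.11"), VPN_POOL, False),
    NatRule("CTSG-LAN-IN dynamic interface", 2, LAN, ANY, True),
]
# The proposal in the reply: one identity rule for LAN <-> pool, PAT moved to after-auto.
NEW_RULES = [
    NatRule("LAN<->VPN-POOL identity", 1, LAN, VPN_POOL, False),
    NatRule("DEFAULT-PAT-SOURCE after-auto", 3, LAN, ANY, True),
]


def nat_lookup(src, dst, rules):
    """First-match lookup in ASA order: section 1, then 2, then 3, each in
    configuration order (sorted() is stable). Manual (section 1) rules are
    bidirectional, so a VPN-pool -> LAN packet matches the same identity rule.
    Returns (rule name, source address as seen on the far side)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.section):
        forward = s in rule.real_src and d in rule.real_dst
        reverse = rule.section == 1 and d in rule.real_src and s in rule.real_dst
        if forward or reverse:
            return rule.name, (OUTSIDE_IF if rule.pat else src)
    return "no NAT rule", src


if __name__ == "__main__":
    # A LAN host that has no per-host rule: PAT'd under the posted config, exempt under the proposal.
    for label, rules in (("posted config", OLD_RULES), ("proposed config", NEW_RULES)):
        print(label, "192.168.2.30 -> 10.1.1.129:", nat_lookup("192.168.2.30", "10.1.1.129", rules))
```

The constructed host 192.168.2.30 stands in for any LAN machine added later; under the posted rules its traffic toward a VPN client falls through to the interface PAT, while under the single identity rule it stays untranslated without any NAT change.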
