Cannot ping for either from host to guest nor from guest to host
Hi I have installed virtual box 4.1.20 r80170
my host os is centos 6.3 64 bit
my guest os is oracle linux 5.8 64 bit
I've using bridge adapter for the network settings, but I'm neither able to ping
from host to guest
from guest to host
may I know what's wrong?
how should I trouble shoot this?
my host os network configurations is as follow:
[oracle@localhost ~]$ /sbin/ifconfig
eth0 Link encap:Ethernet HWaddr E8:E0:B7:D2:F9:54
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:20 Memory:c4800000-c4820000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:3488 errors:0 dropped:0 overruns:0 frame:0
TX packets:3488 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:320590 (313.0 KiB) TX bytes:320590 (313.0 KiB)
wlan0 Link encap:Ethernet HWaddr 9C:B7:0D:96:F4:DF
inet addr:192.168.0.199 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::9eb7:dff:fe96:f4df/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:22932 errors:0 dropped:0 overruns:0 frame:0
TX packets:22068 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:15525818 (14.8 MiB) TX bytes:5127595 (4.8 MiB)
I'm using wlan0 on the host os
my eth0 configurations on the guest os is as follow:
#Intel Corporation 82540EM Gigabit Ethernet Controller
DEVICE=etho0
BOOTPROTO=static
HWADDR:08:00:27:08:19:50
ONBOOT:yes
DHCPHOSTNAME=source.localdomain
IPADDR=192.168.0.11
NETMASK-192.168.0.1
TYPE=Ethernet
USERCTRL=no
IPV6INIT=no
PEERDNS=yes
I've a router to connect to the Internet. It is dlink DIR-615
I've done a dmesg while pinging from guest to host here's the partial output:
spurious NAK ON isa0060/serio0
some program might be trying to acces hardware directly
e100:eth0 NIC link is up 1000 Mbp
Full Duplex, Flow Control: RX
ADDRCONF (NETDEV_UP) eth0: link is not ready
ADDRCONF (NETDEV_CHANGE): eth0 becomes ready
eth0: no IPv6 routes present
Any assistance is deeply appreciated!
thanks a lot!
Edited by: oraclewannabe2 on Aug 25, 2012 11:28 AM
Edited by: oraclewannabe2 on Aug 25, 2012 12:10 PM
Hi ,
This is OL 6.
Now,after doing guestadditions this is working fine altough I am not sure what exactly guest addition is.
Additionally,I installed firefox in same VM but when I click on firefox then nothing comes up.
Best regards,
Vishal
Similar Messages
-
I phone won't charge! neither from my I mac nor from the wall and using different cables!
My iphone ran out of battery completely and know it won't charge at all it's dead. Won't charge from my Imac nor from the wall. I tried even tried using different cables. What else can I try?
Lawrence Finch wrote:
If you charge it with your computer and your computer goes to standby it will stop charging. For overnight charging you should use the AC adapter.
That's not entirely true, when I upgraded to Leopard I found the phone continues to charge even after my Powerbook is asleep. -
Nexus: HSRP on vrf vlan - Active Nexus cannot ping physical ip and VIP but Standby can
Hi Cisco experts,
Has anybody experienced this kind of problem with HSRP on vrf vlan, wherein the Active Nexus cannot ping the its own Physical IP and VIP from Global vrf to Internal VRF but it can ping the physical ip of the standby. While on the Standby you can ping all ( Physical of Active, VIP, and its own physical IP.
Hope you can help me on this matter. See attached ping test for clearer view. I can show the config if needed just request.
Thanks all.yes you need it.
This is how you assign the serverfarm to the vip.
switch/User1(config)# policy-map multi-match SLB1
switch/User1(config-pmap)# class VIP-250-81
switch/User1(config-pmap-c)# no loadbalance policy SF_Linux4
switch/User1(config-pmap-c)#
gdufour-cat6k1#ping 192.168.100.250
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.250, timeout is 2 seconds:
Success rate is 0 percent (0/5)
gdufour-cat6k1#
[Resuming connection 1 to 127.0.0.30 ... ]
switch/User1(config-pmap-c)# loadbalance policy SF_Linux4
switch/User1(config-pmap-c)#
gdufour-cat6k1#ping 192.168.100.250
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.250, timeout is 2 seconds:
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
gdufour-cat6k1# -
Cannot ping IAS RADIUS from WLC 2504
I'm having some weird issues where I cannot ping from the WLC to the IAS RADIUS server. All of my clients cannot connect, but from the switch, router, RADIUS server, and hard wired clients, I can ping to the WLC and RADIUS server. The only thing that cannot ping the RADIUS server is the WLC itself. Nothing in the FW is blocking connectivity. Any ideas?
(Cisco Controller) >show radius summ
Vendor Id Backward Compatibility................. Disabled
Call Station Id Case............................. lower
Call Station Id Type............................. IP Address
Aggressive Failover.............................. Disabled
Keywrap.......................................... Disabled
Fallback Test:
Test Mode.................................... Off
Probe User Name.............................. cisco-probe
Interval (in seconds)........................ 300
MAC Delimiter for Authentication Messages........ none
MAC Delimiter for Accounting Messages............ hyphen
Authentication Servers
Idx Type Server Address Port State Tout RFC3576 IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
1 NM 10.10.50.63 1645 Enabled 5 Enabled Disabled - none/unknown/group-0/0 none/none
2 NM 10.10.50.130 1645 Enabled 5 Enabled Disabled - none/unknown/group-0/0 none/none
Accounting Servers
Idx Type Server Address Port State Tout RFC3576 IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
1 N 10.10.50.63 1646 Enabled 5 N/A Disabled - none/unknown/group-0/0 none/none
2 N 10.10.50.130 1646 Enabled 5 N/A Disabled - none/unknown/group-0/0 none/noneIt's in the arp cache through the default router
(Cisco Controller) >show interface detailed management
Interface Name................................... management
MAC Address...................................... d0:c2:82:df:5b:c0
IP Address....................................... 10.30.72.250
IP Netmask....................................... 255.255.255.0
IP Gateway....................................... 10.30.72.1
External NAT IP State............................ Disabled
External NAT IP Address.......................... 0.0.0.0
VLAN............................................. untagged
Quarantine-vlan.................................. 0
Active Physical Port............................. 1
Primary Physical Port............................ 1
Backup Physical Port............................. Unconfigured
Primary DHCP Server.............................. 10.10.10.65
Secondary DHCP Server............................ Unconfigured
DHCP Option 82................................... Disabled
ACL.............................................. Unconfigured
AP Manager....................................... Yes
Guest Interface.................................. No
L2 Multicast..................................... Disabled
(Cisco Controller) >show arp switch
Number of arp entries................................ 19
MAC Address IP Address Port VLAN Type
50:57:A8:D6:DE:C0 10.10.19.1 1 5 Host
50:57:A8:D6:DE:C0 10.10.20.138 1 5 Host
50:57:A8:D6:DE:C0 10.10.50.63 1 5 Host
64:00:F1:08:A0:D0 10.30.72.1 1 0 Host
50:57:A8:9E:B5:CD 10.30.72.40 1 0 Host
50:57:A8:A1:7B:C5 10.30.72.44 1 0 Host
50:57:A8:9E:99:78 10.30.72.48 1 0 Host
50:57:A8:3B:66:E3 10.30.72.49 1 0 Host
00:07:7D:43:23:DA 10.30.72.58 1 0 Host
50:57:A8:9E:B6:1D 10.30.72.59 1 0 Host
50:57:A8:9E:95:C5 10.30.72.60 1 0 Host
50:57:A8:A1:7C:0D 10.30.72.61 1 0 Host
00:07:7D:65:36:DD 10.30.72.62 1 0 Host
50:57:A8:44:57:0C 10.30.72.63 1 0 Host
50:57:A8:CA:CC:01 10.30.72.64 1 0 Host -
Hi,
When the page is submitted for approval by using SharePoint OOTB Page Approval Workflow, it takes quite long time and prompt error message as below.
"The form cannot be submitted to the Web server either because your computer is offline or because the host server is currently unavailable.
If this problem persists, contact your network administrator."
It only happens in Internet Explorer version 8 and 9. IE version below 8 is not used in environment.
But it is working in Firefox.
Please help me on how to fix this issue.
Thanks.Hi Htet,
Here are some articles with the same issue message, you can check the setting of Link Translation rule in the ISA from below.
http://sharepointontop.blogspot.com/2012/06/form-cannot-be-submitted-to-web-server.html
http://bytelab.blogspot.com/2008/03/problem-submitting-infopath-forms-using.html
http://social.msdn.microsoft.com/forums/en-IE/sharepointcustomizationprevious/thread/84be34b3-b806-49ce-a5c2-b5ad8a1ff09f
Thanks
Daniel Yang
TechNet Community Support -
Guest VLAN cannot ping gateway
Hi Sir,
I have an issue wherein my guest vlan cannot ping its gateway thus it cant go through the web auth page. I have been given an ip address with corresponding gateway, subnet and dns for the guest vlan. I have allowed all the vlans in the trunk port for wlc and ap connection.
wat do you think is the problem? hope you could help on this.
thanks.
Regards,
NeriHi Neri
The way this should work is that the client connects to the guest network and gets an IP address from DHCP. The DHCP configuration should include the default gateway and must include a DNS address.
When the client opens a web browser the browser tries to connect to the configured home page. This means that a DNS lookup is sent out and the controller intercepts it and forwards it on. Providing there is a response from the DNS server the controller will cause the client browser to re-direct to the web authentication login page.
It is therefore essential that the controller can see the DNS server. Forget the PING for now - DNS is a must. You can prove the rest of the system by ensuring the guest client has an IP address. Open the client browser and try and connect to http://1.1.1.1 (assuming your virtual interface on the controller is 1.1.1.1). If you get re-directed to the web authentication login page then the issue is a DNS issue.
Regards
Roger -
I cannot ping any VIP from within the ACE or from rservers
I cannot ping any VIP from within the ACE or from rservers. Is this expected? I have rservers in other serverfarms that need to be able to communicate with the VIP of other serverfarms. Any help is greatly appreciated.
Thanks for you reply. here is the config. I removed other rserver and serverfarm config that does not have to do with this issue.
logging enable
logging fastpath
logging standby
logging console 4
logging timestamp
logging trap 4
logging history 4
logging buffered 4
logging persistent 4
logging monitor 4
logging device-id hostname
logging host 172.26.254.185 udp/514
logging host 172.26.221.25 udp/514
access-list INBOUND line 8 extended permit ip any any
access-list INBOUND line 16 extended permit icmp any any
access-list INBOUND line 24 extended permit tcp any any
access-list INBOUND line 32 extended permit udp any any
access-list ORADB line 8 extended permit tcp any any
probe http CITRIX
interval 30
passdetect interval 15
passdetect count 6
open 1
probe tcp HYPERION
port 19000
interval 2
faildetect 2
passdetect interval 2
passdetect count 2
receive 2
open 1
probe icmp PROBE_SERVICE_ICMP
interval 5
passdetect interval 5
probe tcp W15SPSWFET001_PROBE
interval 5
passdetect interval 5
connection term forced
open 1
parameter-map type connection TIMEOUT
set timeout inactivity 43200
parameter-map type http test
persistence-rebalance
set header-maxparse-length 2006
rserver host w0bairwatch003
description MDM-SEG
ip address 172.20.60.73
inservice
rserver host w0bairwatch004
description MDM-SEG
ip address 172.20.60.74
inservice
rserver host w0bairwatch005
description MDM-DEVICE
ip address 172.20.60.75
inservice
rserver host w0bairwatch006
description MDM-DEVICE
ip address 172.20.60.76
inservice
rserver host w0bhamobile001
description Lotus Notes Traveler Server
ip address 172.20.60.57
inservice
rserver host w0bhamobile002
description Lotus Notes Traveler Server
ip address 172.20.60.58
inservice
serverfarm host MDMDEVICE
predictor leastconns
probe PROBE_SERVICE_ICMP
rserver w0bairwatch005
inservice
rserver w0bairwatch006
serverfarm host MDMSEG
predictor leastconns
probe PROBE_SERVICE_ICMP
rserver w0bairwatch003
inservice
rserver w0bairwatch004
inservice
serverfarm host TRAVLR
predictor leastconns
probe PROBE_SERVICE_ICMP
rserver w0bhamobile001
inservice
rserver w0bhamobile002
inservice
class-map match-all MDMDEVICE-VIP
2 match virtual-address 172.20.48.35 any
class-map match-all MDMSEG-VIP
2 match virtual-address 172.20.48.33 any
class-map type management match-any REMOTE_ACCESS
description Remote access traffic match
201 match protocol ssh any
202 match protocol telnet any
203 match protocol icmp any
204 match protocol https any
205 match protocol http any
206 match protocol xml-https any
207 match protocol snmp any
class-map match-all TRAVLR-VIP
2 match virtual-address 172.20.48.34 any
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
class REMOTE_ACCESS
permit
policy-map type loadbalance first-match MDMDEVICE
class class-default
serverfarm MDMDEVICE
policy-map type loadbalance first-match MDMSEG
class class-default
serverfarm MDMSEG
policy-map type loadbalance first-match TRAVLR
class class-default
serverfarm TRAVLR
policy-map multi-match CLIENTS-VIPS
class MDMDEVICE-VIP
loadbalance vip inservice
loadbalance policy MDMDEVICE
loadbalance vip icmp-reply active
class MDMSEG-VIP
loadbalance vip inservice
loadbalance policy MDMSEG
loadbalance vip icmp-reply active
class TRAVLR-VIP
loadbalance vip inservice
loadbalance policy TRAVLR
loadbalance vip icmp-reply active
interface vlan 48
ip address 172.20.48.10 255.255.255.0
access-group input INBOUND
access-group output INBOUND
service-policy input REMOTE_MGMT_ALLOW_POLICY
service-policy input CLIENTS-VIPS
no shutdown
interface vlan 60
ip address 172.20.60.10 255.255.255.0
access-group input INBOUND
access-group output INBOUND
service-policy input REMOTE_MGMT_ALLOW_POLICY
no shutdown
ip route 0.0.0.0 0.0.0.0 172.20.48.1 -
Cannot ping RRAS Client from RRAS server.
I have recently created an RRAS pptp connection for an outside network. The RRAS client connects fine and can ping the RRAS server and every device on the RRAS servers local network. The RRAS server cannot ping the remote pptp client nor can any device on
the RRAS servers local network. RRAS is configured to be within the same subnet as the RRAS servers local network. On connection it pulls from a static IP pool.
Any help is truly appreciatedThe server is behind a nat device and for testing purposes i have disabled the firewall on both devices. Also I am having an issue where the pptp connection just stops accepting and sending data to the rras server but if you look at the active connections
the client never disconnects. I have attached ipconfig information
CLIENT
Windows IP Configuration
Host Name . . . . . . . . . . . . : Fellows-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
PPP adapter Welsh:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Welsh
Physical Address. . . . . . . . . :
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 172.16.128.66(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : BC-5F-F4-75-C5-AD
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::5418:aba9:4af2:1e12%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.2(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Wednesday, March 26, 2014 8:35:58 AM
Lease Expires . . . . . . . . . . : Saturday, March 29, 2014 8:35:58 AM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 247226356
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-C3-16-85-BC-5F-F4-75-C5-AD
DNS Servers . . . . . . . . . . . : 75.75.75.75
75.75.76.76
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{DF8CAC0D-588D-495A-9185-78C9992DC12F}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6abd:1c88:1312:b8c2:97a9(Pref
erred)
Link-local IPv6 Address . . . . . : fe80::1c88:1312:b8c2:97a9%12(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled
Tunnel adapter isatap.{D8973397-8880-4110-A7F9-4D1F6A1C2E8C}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
SERVER
Windows IP Configuration
Host Name . . . . . . . . . . . . : IMS
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
PPP adapter RAS Server (Dial In) Interface:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.16.128.65
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
Ethernet adapter Local Area Connection:
Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Broadcom BCM5709C NetXtreme II GigE (NDIS
VBD Client)
Physical Address. . . . . . . . . : 00-10-18-8D-BC-42
Ethernet adapter Local Area Connection 2:
Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Broadcom BCM5709C NetXtreme II GigE (NDIS
VBD Client) #2
Physical Address. . . . . . . . . : 00-10-18-8D-BC-40
Ethernet adapter Local Area Connection 4:
Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Broadcom BCM5716C NetXtreme II GigE (NDIS
VBD Client)
Physical Address. . . . . . . . . : 84-2B-2B-68-6A-FA
Ethernet adapter Local Area Connection 3:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom BCM5716C NetXtreme II GigE (NDIS
VBD Client) #2
Physical Address. . . . . . . . . : 84-2B-2B-68-6A-F9
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.16.128.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.128.254
DNS Servers . . . . . . . . . . . : 172.16.128.254
75.75.75.75
NetBIOS over Tcpip. . . . . . . . : Disabled -
FlexVPN Cannot Ping From Spoke LAN only
Topology:
Hub:
(hub lan: 10.0.1.0/24) > (lan int [ip nat inside], g0/0: 10.0.1.1) > (flex interface, loopback100: 172.31.100.1) > (flex virtual interface, Virtual-Template1: ip unnumbered loopback100) > (wan int [ip nat outside], dialer0 - g0/1) > ISP
Spoke:
(hub lan: 10.0.3.0/24) > (lan int [ip nat inside], vlan1: 10.0.3.1) > (flex interface, Tunnel0 ip address negotiated, tunnel source vlan 1) > (wan int, dialer0 [ip nat inside] - f0/4) > ISP
I have full reachability from both routers.
Hub router can ping 172.31.100.x, 10.0.3.1 and hosts on 10.0.3.0/24 via standard ping, or extended and sourced from 10.0.1.1 or g0/0
Spoke router can ping 172.31.100.1, 10.0.1.1 and hosts on 10.0.1.0/24 via standard ping, or extended and sourced from 10.0.3.1 or vlan1
Partial reachability from lan hosts
Hub hosts can ping 172.31.100.x and 10.0.3.1, but not hosts on 10.0.3.0/24 (Possibly because host cannot reply to echo request?)
Spoke hosts cannot ping 172.31.100.1, 10.0.1.1 or hosts on 10.0.1.0/24
Any help would be appreciatedWe've been working with these confs for a while, so they aren't as clean as they could be, but here they are
---HUB---
version 15.2
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname HUB
boot-start-marker
boot system flash:c1900-universalk9-mz.SPA.152-4.M5.bin
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
enable secret xxxxx
aaa new-model
aaa group server radius FLEXVPN_AUTH-C_SERVER_GROUP
server-private 10.0.1.15 key xxxxx
aaa authentication login default local
aaa authentication login xxxxxVPN_VPN_XAUTH local
aaa authentication login FLEXVPN_AUTH-C_LIST group FLEXVPN_AUTH-C_SERVER_GROUP
aaa authorization exec default local
aaa authorization network default local
aaa authorization network xxxxxVPN_VPN_GROUP local
aaa authorization network FLEXVPN_AUTH-Z_LIST local
aaa session-id common
clock timezone CST -6 0
clock summer-time CDT recurring
clock calendar-valid
no ip source-route
no ip gratuitous-arps
ip cef
no ip bootp server
ip domain name xxxxx.net
ip name-server 166.102.165.13
ip name-server 166.102.165.11
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 4.2.2.1
no ipv6 cef
multilink bundle-name authenticated
vpdn enable
vpdn-group VPN_GROUP
key chain EIGRP_KEY_CHAIN
key 1
key-string xxxxx
crypto pki trustpoint FLEXVPN_RA_TP
enrollment terminal
serial-number none
fqdn vpn.xxxxx.net
ip-address none
subject-name cn=vpn.xxxxx.net
revocation-check crl
eckeypair FLEXVPN_RA_TP-Key
crypto pki certificate chain FLEXVPN_RA_TP
certificate 460000.. nvram:xxxxx#2.cer
certificate ca 59A43A15.. nvram:xxxxx#BC60CA.cer
license udi pid CISCO1921/K9 sn xxxxx
archive
path ftp://xxxxx
write-memory
username xxxxx privilege 15 password xxxxx
redundancy
crypto ikev2 authorization policy default
pool FLEX_SPOKES_POOL
route set interface
crypto ikev2 authorization policy FLEXVPN_RA_LOCAL_POLICY
pool FLEXVPN_RA_POOL
dns 10.0.1.15
netmask 255.255.255.0
def-domain xxxxx.net
route set access-list FLEXVPN_RA_ACL
crypto ikev2 proposal SHA1-only
encryption aes-cbc-256
integrity sha1
group 5
crypto ikev2 policy SHA1-only
match fvrf any
proposal SHA1-only
crypto ikev2 keyring FLEX_KEY
peer ALL
address 0.0.0.0 0.0.0.0
pre-shared-key local xxxxx
pre-shared-key remote xxxxx
crypto ikev2 profile FLEX_IKEv2
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local FLEX_KEY
aaa authorization group psk list default default
virtual-template 1
crypto ikev2 profile FLEXVPN_RA_IKEv2_PROFILE
match identity remote key-id xxxxx.net
identity local dn
authentication remote eap query-identity
authentication local rsa-sig
pki trustpoint FLEXVPN_RA_TP
dpd 60 2 on-demand
aaa authentication eap FLEXVPN_AUTH-C_LIST
aaa authorization group eap list FLEXVPN_AUTH-Z_LIST FLEXVPN_RA_LOCAL_POLICY
virtual-template 10
crypto ikev2 dpd 30 5 on-demand
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
crypto logging session
crypto isakmp client configuration group xxxxxVPN
key xxxxx
pool xxxxxVPN_POOL
acl xxxxxVPN_ACL
netmask 255.255.255.0
crypto isakmp profile xxxxxVPN_IKE_PROFILE
match identity group xxxxxVPN
client authentication list xxxxxVPN_VPN_XAUTH
isakmp authorization list xxxxxVPN_VPN_GROUP
client configuration address respond
virtual-template 100
crypto ipsec transform-set xxxxxVPN_SET esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set IKEv2 esp-gcm
mode transport
crypto ipsec profile xxxxxVPN_IPSEC_PROFILE
set transform-set xxxxxVPN_SET
set isakmp-profile xxxxxVPN_IKE_PROFILE
crypto ipsec profile FLEXVPN_RA_IPSEC_PROFILE
set ikev2-profile FLEXVPN_RA_IKEv2_PROFILE
crypto ipsec profile default
set transform-set IKEv2
set ikev2-profile FLEX_IKEv2
interface Loopback100
ip address 172.31.100.1 255.255.255.255
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
ip address 10.0.1.1 255.255.255.0
no ip unreachables
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
interface Virtual-Template1 type tunnel
description FlexVPN hub-to-spokes
ip unnumbered Loopback100
ip mtu 1400
ip nhrp network-id 1
ip nhrp redirect
ip tcp adjust-mss 1360
tunnel path-mtu-discovery
tunnel protection ipsec profile default
interface Virtual-Template10 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile FLEXVPN_RA_IPSEC_PROFILE
interface Dialer0
mtu 1492
ip address negotiated
no ip unreachables
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1450
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname [email protected]
ppp chap password xxxxx
ppp pap sent-username [email protected] password xxxxx
no cdp enable
router eigrp 1
distribute-list EIGRP_SUMMARY_PFLIST out Virtual-Template1
network 10.0.1.0 0.0.0.255
network 172.30.200.0 0.0.0.255
network 172.31.100.1 0.0.0.0
passive-interface GigabitEthernet0/0
ip local pool xxxxxVPN_POOL 172.30.255.1 172.30.255.254
ip local pool FLEX_SPOKES_POOL 172.31.100.10 172.31.100.254
ip local pool FLEXVPN_RA_POOL 172.30.200.1 172.30.200.254
ip forward-protocol nd
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 172.30.200.0 255.255.255.0 Null0
ip access-list standard FLEXVPN_RA_ACL
permit 10.0.1.0 0.0.0.255
permit 10.0.2.0 0.0.0.255
permit 10.0.3.0 0.0.0.255
permit 10.0.4.0 0.0.0.255
ip access-list standard MGMT_ACL
permit 172.30.200.0 0.0.0.255
permit 172.31.254.0 0.0.0.255
permit 10.0.1.0 0.0.0.255
ip access-list extended xxxxxVPN_ACL
permit ip 172.30.255.0 0.0.0.255 any
permit ip 10.0.1.0 0.0.0.255 any
permit ip 172.31.254.0 0.0.0.255 any
ip prefix-list EIGRP_SUMMARY_PFLIST seq 10 permit 10.0.1.0/24
ip prefix-list EIGRP_SUMMARY_PFLIST seq 20 permit 172.30.200.0/24
ip prefix-list EIGRP_SUMMARY_PFLIST seq 30 permit 172.31.100.1/32
access-list 1 permit 10.0.1.0 0.0.0.255
route-map EIGRP_SUMMARY_RMAP permit 10
match ip address prefix-list EIGRP_SUMMARY_PFLIST
control-plane
banner motd Cxxxxx
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class MGMT_ACL in
privilege level 15
transport input telnet ssh
line vty 5 15
transport input all
scheduler allocate 20000 1000
ntp update-calendar
ntp server 1.pool.ntp.org
ntp server 0.pool.ntp.org prefer
end
---SPOKE---
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname SPOKE
boot-start-marker
boot system flash:c880data-universalk9-mz.152-4.M5.bin
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
enable secret xxxxx
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
aaa session-id common
memory-size iomem 10
clock timezone CST -6 0
clock summer-time CDT recurring
clock calendar-valid
no ip source-route
no ip gratuitous-arps
no ip bootp server
ip domain name xxxxx.net
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 4.2.2.1
ip cef
no ipv6 cef
multilink bundle-name authenticated
key chain EIGRP_KEY_CHAIN
key 1
key-string xxxxx
license udi pid CISCO881-SEC-K9 sn FTX1740854N
archive
path ftp://xxxxx
write-memory
username xxxxx privilege 15 password xxxxx
crypto ikev2 authorization policy default
route set interface
crypto ikev2 keyring FLEX_KEY
peer ALL
address 0.0.0.0 0.0.0.0
pre-shared-key local xxxxx
pre-shared-key remote xxxxx
crypto ikev2 profile FLEX_IKEv2
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local FLEX_KEY
aaa authorization group psk list default default
virtual-template 1
crypto ikev2 dpd 30 5 on-demand
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
crypto ipsec transform-set IKEv2 esp-gcm
mode transport
crypto ipsec profile default
set transform-set IKEv2
set ikev2-profile FLEX_IKEv2
interface Loopback101
ip address 172.31.101.3 255.255.255.255
interface Tunnel0
description FlexVPN tunnel
ip address negotiated
ip mtu 1400
ip nhrp network-id 1
ip nhrp shortcut virtual-template 1
ip nhrp redirect
ip tcp adjust-mss 1360
delay 1000
tunnel source Vlan1
tunnel destination x.x.x.x
tunnel path-mtu-discovery
tunnel protection ipsec profile default
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface FastEthernet4
ip address dhcp
no ip unreachables
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
interface Virtual-Template1 type tunnel
description FlexVPN spoke-to-spoke
ip unnumbered Loopback101
ip nhrp network-id 1
ip nhrp shortcut virtual-template 1
ip nhrp redirect
tunnel protection ipsec profile default
interface Vlan1
ip address 10.0.3.1 255.255.255.0
ip helper-address 10.0.1.15
no ip unreachables
ip nat inside
ip virtual-reassembly in
ip forward-protocol nd
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list INTERNET_BOUND_ACL interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 dhcp
ip access-list standard INTERNET_BOUND_ACL
permit 10.0.3.0 0.0.0.255
ip access-list standard MGMT_ACL
permit 172.30.255.0 0.0.0.255
permit 172.31.100.0 0.0.0.255
permit 10.0.1.0 0.0.0.255
permit 10.0.3.0 0.0.0.255
permit 172.30.200.0 0.0.0.255
access-list 99 permit 10.0.3.0
control-plane
banner motd xxxxx
line con 0
no modem enable
line aux 0
line vty 0 4
access-class MGMT_ACL in
privilege level 15
transport input telnet ssh
ntp update-calendar
ntp server 0.pool.ntp.org prefer
ntp server 1.pool.ntp.org
end -
Cisco ASA 5505 Cannot ping local traffic and local hosts cannot get out
I have, what I believe to be, a simple issue - I must be missing something.
Site to Site VPN with Cisco ASA's. VPN is up, and remote hosts can ping the inside int of ASA (10.51.253.209).
There is a PC (10.51.253.210) plugged into e0/1.
I know the PC is configured correctly with Windows firewall tuned off.
The PC cannot get to the ouside world, and the ASA cannot ping 10.51.253.210.
I have seen this before, and I deleted VLAN 1, recreated it, and I could ping the local host without issue.
Basically, the VPN is up and running but PC 10.51.253.210 cannot get out.
Any ideas? Sanitized Config is below. Thanks !
ASA Version 7.2(4)
hostname *****
domain-name *****
enable password N7FecZuSHJlVZC2P encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif Inside
security-level 100
ip address 10.51.253.209 255.255.255.248
interface Vlan2
nameif Outside
security-level 0
ip address ***** 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
ftp mode passive
dns server-group DefaultDNS
domain-name *****
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.1.7.0 255.255.255.0
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.10.250
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.200
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.9
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.14
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.15
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.16
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.1.9.0 255.255.255.0
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.10.9.0 255.255.255.0
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 ***** 255.255.255.240
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.1.7.0 255.255.255.0
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.10.250
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.200
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.9
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.14
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.15
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.16
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.1.9.0 255.255.255.0
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.10.9.0 255.255.255.0
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 ***** 255.255.255.240
pager lines 24
mtu Outside 1500
mtu Inside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 0 access-list No_NAT
route Outside 0.0.0.0 0.0.0.0 ***** 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set DPS_Set esp-3des esp-md5-hmac
crypto map DPS_Map 10 match address Outside_VPN
crypto map DPS_Map 10 set peer *****
crypto map DPS_Map 10 set transform-set *****
crypto map DPS_Map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh timeout 60
console timeout 0
management-access Inside
username test password P4ttSyrm33SV8TYp encrypted
tunnel-group ***** type ipsec-l2l
tunnel-group ***** ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
Cryptochecksum:8d0adca63eab6c6c738cc4ab432f609d
: end
1500Hi Martin,
Which way you are trying. Sending traffic via site to site is not working or traffic which you generate to outside world is not working?
But you say ASA connected interface to PC itself is not pinging that is strange. But try setting up the specific rules for the outgoing connection and check. Instead of not having any ACL.
If it is outside world the you may need to check on the NAT rules which is not correct.
If it is site to site then you may need to check few other things.
Please do rate for the helpful posts.
By
Karthik -
ASA 5505 8.2 - SSL VPN - Cannot Ping inside host's
Hello All,
I'm an ASA Newb.
I feel like I have tried everything posted and still no success.
PROBLEM: When connected to the SSL VPN I cannot ping any internal host's. I cannot ping anything on this inside?
Result of the command: "show running-config"
: Saved
ASA Version 8.2(5)
hostname MCASA01
domain-name mydomain.org
enable password xxbtzv6P4Hqevn4N encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.2.0 VLAN
name 192.168.5.0 VPNPOOL
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ddns update hostname MC_DNS
dhcp client update dns server both
ip address 192.168.1.1 255.255.255.0
interface Vlan2
no forward interface Vlan1
nameif outside
security-level 0
ip address 11.11.11.202 255.255.255.252
interface Vlan3
no nameif
security-level 50
ip address 192.168.2.1 255.255.255.0
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name mydomain.org
access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNPOOL 192.168.5.1-192.168.5.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 74.7.217.201 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http authentication-certificate inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=vpn.mydomain.org,OU=IT,O="mydomain",C=US,St=CA,L=Chino
keypair digicert.key
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 00b63edadf5efa057ea49da56b179132e8
3082051c 30820404 a0030201 02021100 b63edadf 5efa057e a49da56b 179132e8
300d0609 2a864886 f70d0101 05050030 72310b30 09060355 04061302 4742311b
30190603 55040813 12477265 61746572 204d616e 63686573 74657231 10300e06
03550407 13075361 6c666f72 64311a30 18060355 040a1311 434f4d4f 444f2043
41204c69 6d697465 64311830 16060355 0403130f 45737365 6e746961 6c53534c
20434130 1e170d31 33313130 35303030 3030305a 170d3134 30323033 32333539
35395a30 52312130 1f060355 040b1318 446f6d61 696e2043 6f6e7472 6f6c2056
616c6964 61746564 3111300f 06035504 0b130846 72656520 53534c31 1a301806
03550403 13117670 6e2e6d65 74726f63 656c6c2e 6f726730 82012230 0d06092a
864886f7 0d010101 05000382 010f0030 82010a02 82010100 a0d97d51 fcd18293
eaf8e9b2 d632b2e3 e4d92eb1 5b639766 52677a26 2aa7d09d 437be3b6 dfb8649c
4d715278 e1745955 27e8aab2 9c9da997 694a73e8 c1c426f3 a519adba acc2ad94
aa0e09af 6db7bfc6 bad90bf2 b057dc56 c69a4276 1b826c83 6cd7ae09 af39bd7d
4abe60b4 9b04613a 287a1ae6 9d117d05 c7cdc15f 09d588b0 fcc05c47 c1cb6d67
c3701389 d3b7691d b05ff82c b0be475d 746a4916 0bbf11a6 7ee1b7ec bd05e1d2
dda305a6 918bfd35 17447b04 bca1e6d9 10955649 d8211878 168c4c21 279a6584
4b560a9f 414aea15 91e21581 a71d6b98 86d9eac3 47ea3a1d a172c71a ecf77aaa
536d73e4 bc53eb68 c7bfacdd fab87ea5 121baf55 067dbd19 02030100 01a38201
cb308201 c7301f06 03551d23 04183016 8014dacb eaad5b08 5dccfffc 2654ce49
e555c638 f4f8301d 0603551d 0e041604 14fabb1d f439c41f e59207c7 202c2fda
b46bcacc ee300e06 03551d0f 0101ff04 04030205 a0300c06 03551d13 0101ff04
02300030 34060355 1d25042d 302b0608 2b060105 05070301 06082b06 01050507
0302060a 2b060104 0182370a 03030609 60864801 86f84204 01304f06 03551d20
04483046 303a060b 2b060104 01b23101 02020730 2b302906 082b0601 05050702
01161d68 74747073 3a2f2f73 65637572 652e636f 6d6f646f 2e636f6d 2f435053
30080606 67810c01 0201303b 0603551d 1f043430 323030a0 2ea02c86 2a687474
703a2f2f 63726c2e 636f6d6f 646f6361 2e636f6d 2f457373 656e7469 616c5353
4c43412e 63726c30 6e06082b 06010505 07010104 62306030 3806082b 06010505
07300286 2c687474 703a2f2f 6372742e 636f6d6f 646f6361 2e636f6d 2f457373
656e7469 616c5353 4c43415f 322e6372 74302406 082b0601 05050730 01861868
7474703a 2f2f6f63 73702e63 6f6d6f64 6f63612e 636f6d30 33060355 1d11042c
302a8211 76706e2e 6d657472 6f63656c 6c2e6f72 67821577 77772e76 706e2e6d
6574726f 63656c6c 2e6f7267 300d0609 2a864886 f70d0101 05050003 82010100
2484b72c 56161585 c9caa1a3 43cbc754 d3b43cef 7902a775 d40d064f 6918d52f
0aaaea0c ad873124 11b68847 406812da fd0c5d71 6e110898 1ebddcab ddf980e4
b95be4e2 0633cc23 7a4cbc27 f1f5e4e8 1de3c127 2b28a364 f1f26764 98afe871
45547855 c0ceaf39 256f46db 4ac412a7 2b594817 a967ba5a 24986b24 57002ce4
f046c6b3 5f7c9cc2 e6cd8ede 8fbcac60 b87fd497 71328783 8b148f7f affec249
191c460b 3d46d352 0651f35e 96a60fbe 7b22e057 06aa7722 da447cd3 0ea72e7f
5ec8c13c b550f502 b020efdc 35f62b89 52d7e6e3 14ade632 802dee70 1cdbf7ad
a39a173b 916406e4 887ba623 4813b925 8a63a300 fd016981 a8d70651 a736267a
quit
no crypto isakmp nat-traversal
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside vpnclient-wins-override
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns 66.180.96.12 64.238.96.12 interface inside
dhcpd lease 86400 interface inside
dhcpd ping_timeout 4000 interface inside
dhcpd domain mydomain.org interface inside
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 64.147.116.229 source outside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy VPNGP internal
group-policy VPNGP attributes
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
username GaryC password TGbvzEO3d6HlfU66 encrypted privilege 15
username GaryC attributes
vpn-group-policy VPNGP
tunnel-group MCVPN type remote-access
tunnel-group MCVPN general-attributes
address-pool VPNPOOL
default-group-policy VPNGP
tunnel-group MCVPN webvpn-attributes
group-alias MCVPN enable
group-url https://11.11.11.202/MCVPN enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:1e950c041cc2c25116d30e5c884abbfc
: end
My goal is to allow Remote Users to RDP(3389) through VPN.
Thank you,
Gary
Message was edited by: Gary CulwellHello Jon,
Thank you so much for your response. Clients will not be connect to a specific RDP server. I was hoping if we were to establish a VPN Client tunnel I would like that tunnel to provide full local are access. So the way the clients are used to is while in the field they use RDP to connect to their desktops on the internal LAN.
Would you say this would work:
route inside 192.168.1.0 255.255.255.0 192.168.1.1 1
Do you have examples?
Thank you,
Gary -
Need HELPS! ASA 5505 8.4 Cisco VPN Client cannot ping any internal host
Hi:
Need your great help for my new ASA 5505 (8.4)
I just set a new ASA 5505 with 8.4. However, I cannot ping any host after VPN in with Cisco VPN client. Please see below posted configuration file, thanks for any suggestion.
ASA Version 8.4(3)
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 2
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 172.29.8.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 177.164.222.140 255.255.255.248
ftp mode passive
clock timezone GMT 0
dns server-group DefaultDNS
domain-name ABCtech.com
same-security-traffic permit inter-interface
object network obj_any
subnet 172.29.8.0 255.255.255.0
object service RDP
service tcp source eq 3389
object network orange
host 172.29.8.151
object network WAN_173_164_222_138
host 177.164.222.138
object service SMTP
service tcp source eq smtp
object service PPTP
service tcp source eq pptp
object service JT_WWW
service tcp source eq www
object service JT_HTTPS
service tcp source eq https
object network obj_lex
subnet 172.29.88.0 255.255.255.0
description Lexington office network
object network obj_HQ
subnet 172.29.8.0 255.255.255.0
object network guava
host 172.29.8.3
object service L2TP
service udp source eq 1701
access-list VPN_Tunnel_User standard permit 172.29.8.0 255.255.255.0
access-list VPN_Tunnel_User standard permit 172.29.88.0 255.255.255.0
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended deny tcp any any eq 135
access-list inside_access_in extended deny tcp any eq 135 any
access-list inside_access_in extended deny udp any eq 135 any
access-list inside_access_in extended deny udp any any eq 135
access-list inside_access_in extended deny tcp any any eq 1591
access-list inside_access_in extended deny tcp any eq 1591 any
access-list inside_access_in extended deny udp any eq 1591 any
access-list inside_access_in extended deny udp any any eq 1591
access-list inside_access_in extended deny tcp any any eq 1214
access-list inside_access_in extended deny tcp any eq 1214 any
access-list inside_access_in extended deny udp any any eq 1214
access-list inside_access_in extended deny udp any eq 1214 any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit tcp any eq www any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq 33
89
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq sm
tp
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq pp
tp
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq ww
w
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq ht
tps
access-list outside_access_in extended permit gre any host 177.164.222.138
access-list outside_access_in extended permit udp any host 177.164.222.138 eq 17
01
access-list outside_access_in extended permit ip any any
access-list inside_access_out extended permit icmp any any
access-list inside_access_out extended permit ip any any
access-list outside_cryptomap extended permit ip 172.29.8.0 255.255.255.0 172.29
.88.0 255.255.255.0
access-list inside_in extended permit icmp any any
access-list inside_in extended permit ip any any
access-list inside_in extended permit udp any any eq isakmp
access-list inside_in extended permit udp any eq isakmp any
access-list inside_in extended permit udp any any
access-list inside_in extended permit tcp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ABC_HQVPN_DHCP 172.29.8.210-172.29.8.230 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat (inside,outside) source static orange interface service RDP RDP
nat (inside,outside) source static obj_HQ obj_HQ destination static obj_lex obj_
lex route-lookup
nat (inside,outside) source static guava WAN_173_164_222_138 service JT_WWW JT_W
WW
nat (inside,outside) source static guava WAN_173_164_222_138 service JT_HTTPS JT
_HTTPS
nat (inside,outside) source static guava WAN_173_164_222_138 service RDP RDP
nat (inside,outside) source static guava WAN_173_164_222_138 service SMTP SMTP
nat (inside,outside) source static guava WAN_173_164_222_138 service PPTP PPTP
nat (inside,outside) source static guava WAN_173_164_222_138 service L2TP L2TP
object network obj_any
nat (inside,outside) dynamic interface
access-group inside_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 177.164.222.142 1
route inside 172.29.168.0 255.255.255.0 172.29.8.253 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Guava protocol nt
aaa-server Guava (inside) host 172.29.8.3
timeout 15
nt-auth-domain-controller guava
user-identity default-domain LOCAL
http server enable
http 172.29.8.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set Remote_VPN_Set esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set Remote_vpn_set esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set Remote_VPN_Set
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 173.190.123.138
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5
ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ES
P-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet 172.29.8.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside vpnclient-wins-override
dhcprelay server 172.29.8.3 inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
group-policy ABCtech_VPN internal
group-policy ABCtech_VPN attributes
dns-server value 172.29.8.3
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_Tunnel_User
default-domain value ABCtech.local
group-policy GroupPolicy_10.8.8.1 internal
group-policy GroupPolicy_10.8.8.1 attributes
vpn-tunnel-protocol ikev1 ikev2
username who password eicyrfJBrqOaxQvS encrypted
tunnel-group 10.8.8.1 type ipsec-l2l
tunnel-group 10.8.8.1 general-attributes
default-group-policy GroupPolicy_10.8.8.1
tunnel-group 10.8.8.1 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 remote-authentication certificate
ikev2 local-authentication pre-shared-key *****
tunnel-group ABCtech type remote-access
tunnel-group ABCtech general-attributes
address-pool ABC_HQVPN_DHCP
authentication-server-group Guava
default-group-policy ABCtech_VPN
tunnel-group ABCtech ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 173.190.123.138 type ipsec-l2l
tunnel-group 173.190.123.138 general-attributes
default-group-policy GroupPolicy_10.8.8.1
tunnel-group 173.190.123.138 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 remote-authentication certificate
ikev2 local-authentication pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect pptp
inspect ftp
inspect netbios
smtp-server 172.29.8.3
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:6a26676668b742900360f924b4bc80de
: endHello Wayne,
Can you use a different subnet range than the internal interface, this could cause you a LOT of issues and hours on troubleshooting, so use a dedicated different Ip address range...
I can see that the local Pool range is included into the inside interface Ip address subnet range, change that and the related config ( NAT,etc, ) and let us know what happens,
Regards,
Julio
Security Trainer -
Cannot ping windows 2008 r2 while it is possible for another machine in the same network
Hi,
Recently I have set up a new server with windows 2008 r2 enterprise OS which is a domain member server.
At network layer I have two networks one with 192.168.1.0/22 and another with 10.0.0.0/24 network IDs.
My problem is that I cannot ping the newly installed server from a specific machine. Server's IP address is 192.168.1.56 and the specific machine's IP address is 10.0.0.12 and it is a windows XP machine. Of course I have to say that this problem belongs
only to this WinXP machine and all the layer 3 issues are tested and correct. This issue happens while at the same time I can ping domain controller which also is a windows 2008 r2 enterprise box and its IP address is 192.168.1.53. It turns more complicated
when I learned I can ping the winxp machine and connect to it from new server through remote desktop. Firewall also is not the obstacle because I turned it off completely.
Can anybody help me fix the problem?
TIA
BijanHi,
Check the path ping from xp machine to server its timing out after reaching 192.168.1.254 , What kind of a device is 192.168.1.254 IP belongs to.
Tracing
route to sp45newfs.ph45.local [192.168.1.56]
over
a maximum of 30 hops:
0 B15-333.PH45.LOCAL [10.0.0.12]
1 192.168.1.254
2 * * *
Computing
statistics for 50 seconds...
Source to Here This Node/Link
Hop
RTT Lost/Sent = Pct Lost/Sent = Pct Address
0 B15-333.PH45.LOCAL [10.0.0.12]
0/ 100 = 0% |
1 0ms 0/ 100 = 0% 0/ 100 = 0% (192.168.1.254)----------(Which device has this IP)
100/ 100 =100% |
2 --- (100/ 100 =100% )---(100% loss) 0/ 100 = 0% B15-333.PH45.LOCAL [0.0.0.0]
Trace
complete.
Regards,
Srivishnu.K -
I upgraded from Dreamweaver CS4 to CS6. but now when I want to upload I get "an TFP error occured - cannot make connection to host". I spent hours with the host technician and we cant find the error. I reinstalled DW4 and it connects to host perfectly. Anyone else seen this problem?
Mac OS 10.8.5
None of these issues are causing the error in DW CS6. We have double checked all of them and we have everything exactly right. Also I have exactly the same SiteSetup in DW CS4 and that works perfectly well. Could there must be factor in 6 that didn't exist in 4? Something that isnt in the SiteSetup but in some hidden dialog box ?
I can also upload to my host using Fetch, a third party FTP. And as I said DW CS4 works fine. So the problem is not with my host, its with DW CS6 in particular.Thank you Jon, that fixed it perfectly. You have saved me from going crazy. The only difference I see now is in "Server Name" it changed what I had entered (my ftp address) to "Remote Server"; which seems odd -- but it works! Although I know there maybe also some other dialog box I have never seen
Of course I saw that menu item "Import" and but I thought thats obviously not for me: "Why would I want to import an entire website?". I did not however see "Export the selected site" for thats only a tiny icon in the footer. However I would have thought the same: "Why would I want to export my entire website?".
An observation: I've seen this problem in a lot of Adobe software, the menu-names of items are obscure, non descriptive. What would be better would be for the menu names or popups to say "Export Site Setup settings" and "Import Site Setup settings" -
Cannot check for available downloads nor download media from iTunes store.
Here's what I can do: 1) I can access the internet. 2) I can access and purchase media from the iTunes store. 3) I can stream radio through iTunes. 4) I can download podcasts.
Here's what I can't do: 1) I cannot check for available downloads. 2) I cannot download purchased media. I receive the following message in a pop up window. "Unable to Check for Available Downloads. The iTunes Store is temporarily unavailable. Please try again later."
I have tried all of the following troubleshooting guides recommended by iTunes support without success:
http://support.apple.com/kb/TS1368
iTunes for Windows: iTunes Store Connection Troubleshooting
http://support.apple.com/kb/HT1527
iTunes for Windows: Connection Issues when using Internet Filters, Accelerators, or Firewalls
http://support.apple.com/kb/TS1379
I have also removed my router out of the equation and connected directly to my cable modem so port forwarding is not an issue either. The only idea I have left is to call my ISP. Seems like a long shot. I know it is going to be something obvious.I just realized that I posted this in the wrong forum. If you are an administrator and want to move it, please feel free. Sorry.
Maybe you are looking for
-
Does someone know why september of 1978 does not exist on my iPhone?
I am trying to create a birthday alarm on september of 1978 and it doesn't work.
-
Interactive e-mail button not working in Acrobate X
I am having a problem with a PDF document that was created for me a while ago. Ever since I have upgared my reader from 9 to X(10) the interactive 'email' button that appears on every page of the document no longer launches my email client. This is a
-
User exit for me29n with project wise
hi gurus, is there any user exit for me29n .. i want to Restrict my authorizastion based on project, that is only user from that particular project should be able to release.. is it posible With Regards, Shakthi Raj N. <<Phone number removed>> Edited
-
I downloaded a large group of photos taken on my iPhone 4s to my Windows 7 computer. Some of the pictures were not rotated correctly. I tried to rotate them by right-clicking on the photos and clicking rotate. Some of them still didn't rotate. I was
-
hi, i'm using 10.6.8 and cant open pdf using safari on "my vodafone" web site. when i click on the pdf icon nothing happens?? Ive tried deleting the adobe plugin in the library option...but no luck...driving me crazy! cause it opens in my 8yr old des