Can't ping inside hosts from client VPN. Think it's a NAT issue
Hello all, I am running into what I think is a NAT/NAT exemption issue with an IOS IPsec VPN. I can connect to the VPN with the Cisco IPsec VPN client, and I am able to authenticate. Once I authenticate, I am not able to reach any of the inside hosts. My relevant config is below. Any help would be greatly appreciated.
aaa new-model
aaa authentication login default local
aaa authentication login userauthen group radius
aaa authorization exec default local
aaa authorization network groupauthor local
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group businessVPN
key xxxxxx
dns 192.168.10.2
domain business.local
pool vpnpool
acl 108
crypto isakmp profile VPNclient
match identity group businessVPN
client authentication list userauthen
isakmp authorization list groupauthor
client configuration address respond
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
set transform-set myset
set isakmp-profile VPNclient
reverse-route
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface Loopback0
ip address 10.1.10.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
interface Null0
no ip unreachables
interface FastEthernet0/0
ip address 111.111.111.138 255.255.255.252
ip access-group outside_in in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect outbound out
ip virtual-reassembly
duplex auto
speed auto
crypto map clientmap
interface Integrated-Service-Engine0/0
description cue is initialized with default IMAP group
ip unnumbered Loopback0
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
service-module ip address 10.1.10.1 255.255.255.252
service-module ip default-gateway 10.1.10.2
interface BVI1
ip address 192.168.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip nat inside source static tcp 192.168.10.2 25 interface FastEthernet0/0 25
ip nat inside source static tcp 192.168.10.2 443 interface FastEthernet0/0 443
ip nat inside source static tcp 192.168.10.2 3389 interface FastEthernet0/0 3389
ip nat inside source route-map nat interface FastEthernet0/0 overload
ip access-list extended nat
deny ip 192.168.10.0 0.0.0.255 192.168.109.0 0.0.0.255
deny ip 10.1.1.0 0.0.0.255 192.168.109.0 0.0.0.255
permit ip 10.1.1.0 0.0.0.255 any
permit ip 192.168.10.0 0.0.0.255 any
ip access-list extended nonat
permit ip 192.168.10.0 0.0.0.255 192.168.109.0 0.0.0.255
permit ip 10.1.10.0 0.0.0.255 192.168.109.0 0.0.0.255
permit ip 10.1.1.0 0.0.0.255 192.168.109.0 0.0.0.255
ip access-list extended outside_in
permit tcp object-group Yes_SMTP host 111.111.111.138 eq smtp
permit tcp any any eq 443
permit tcp 20.20.20.96 0.0.0.31 host 111.111.111.138 eq 3389
permit tcp 20.20.20.96 0.0.0.31 host 111.111.111.138 eq 22
permit esp any host 111.111.111.138
permit udp any host 111.111.111.138 eq isakmp
permit udp any host 111.111.111.138 eq non500-isakmp
permit ahp any host 111.111.111.138
permit gre any host 111.111.111.138
access-list 108 permit ip 192.168.109.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 108 permit ip 192.168.109.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 108 permit ip 192.168.109.0 0.0.0.255 10.1.10.0 0.0.0.255
route-map nat permit 10
match ip address nat
bridge 1 route ip
I believe the ACL applied to the client group is backwards. It should permit traffic from the internal network to the client pool.
To confirm, you can open the Cisco VPN client statistics (after connecting), then go to the Route Details tab. You should see there the networks that you should be able to reach from the client. Make sure the correct ones are in there.
Regards,
Similar Messages
-
Just tried to update my iPhone 4S to 6.1 and it first of all failed to back up, then it failed to update (Error 11), so I had to put it in recovery mode and restore it. Then it failed to restore with an unknown error. Starting to think it's an iTunes issue. Does anyone have any advice?
If your computer is not recognizing it, try using a different USB port or a different USB cable. If that doesn't work, you will need to uninstall and reinstall iTunes.
-
Can't ping behind Cisco router (site-to-site VPN)
Dears;
After configuring a site-to-site VPN between a Cisco router and a FortiGate firewall:
site A: 10.0.0.0/24 behind the FortiGate
site B: 10.10.10.0/24 behind the Cisco router
The tunnel is up and I can ping 10.0.0.1 from site B and can ping 10.10.10.1 from site A, but I can't ping any IP inside 10.0.0.0/24 from site B or inside 10.10.10.0/24 from site A.
My Cisco router configuration is:
Current configuration : 2947 bytes
! No configuration change since last restart
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
boot-start-marker
boot-end-marker
enable secret 4 EE103as6FtdocdBefpgugX6P9eGaDKDyBvwz7AywH5Q
no aaa new-model
memory-size iomem 10
clock timezone cairo 2 0
crypto pki token default removal timeout 0
ip source-route
ip dhcp excluded-address 192.168.16.1
ip dhcp excluded-address 10.10.10.1 10.10.10.10
ip dhcp pool GUEST
network 192.168.16.0 255.255.255.0
default-router 192.168.16.1
dns-server 8.8.8.8 8.8.4.4
ip dhcp pool LAN
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 8.8.8.8 8.8.4.4
ip cef
controller VDSL 0
ip ssh version 2
crypto isakmp policy 10
encr aes
hash sha256
authentication pre-share
group 5
crypto isakmp key 6 *********** address 4.x.x.x no-xauth
crypto ipsec transform-set myset esp-aes esp-sha256-hmac
crypto map kon-map 10 ipsec-isakmp
set peer 4.x.x.x
set transform-set myset
set pfs group5
match address 105
interface Ethernet0
no ip address
no fair-queue
interface ATM0
no ip address
ip mtu 1452
ip tcp adjust-mss 1452
no atm ilmi-keepalive
interface ATM0.1 point-to-point
ip flow ingress
pvc 0/35
encapsulation aal5snap
pppoe-client dial-pool-number 1
interface FastEthernet0
switchport mode trunk
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
switchport access vlan 2
no ip address
interface FastEthernet3
no ip address
interface Vlan1
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface Vlan2
ip address 192.168.16.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
ppp authentication chap pap callin
ppp chap hostname
ppp chap password 0
ppp pap sent-username
crypto map kon-map
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat inside source list 100 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
access-list 100 deny ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 100 permit ip 192.168.16.0 0.0.0.255 any
access-list 105 permit ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255
banner motd ^C^C
end
When pinging from the Cisco router:
konsuler#ping 10.0.0.27 source vlan1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.27, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
Success rate is 0 percent (0/5)
Help please.
Thank you Karsten.
I can ping the router's interface from the remote site but can't ping any device behind the router, and I can ping the firewall's interface but can't ping any device behind the firewall.
The counters in
# sh crypto ipsec sa
increased only while pinging 10.0.0.1 or 10.10.10.1 from both sides.
r#show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: Dialer1
Uptime: 00:03:12
Session status: UP-ACTIVE
Peer: 4.x.x.x port 500 fvrf: (none) ivrf: (none)
Phase1_id: 4.x.x.x
Desc: (none)
IKEv1 SA: local 6.x.x.x/500 remote 4.x.x.x/500 Active
Capabilities:(none) connid:2001 lifetime:22:39:59
IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 10.0.0.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 9 drop 0 life (KB/Sec) 4605776/3407
Outbound: #pkts enc'ed 14 drop 0 life (KB/Sec) 4605775/3407
-
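The two IOS posts above turn on the same two ACL properties: the NAT ACL must deny (exempt) every flow the crypto or split-tunnel ACL protects before any permit matches it, and a crypto/split-tunnel ACL is written from the router's side, so its sources must be the local networks rather than the remote pool (the "backwards ACL" the first reply points at). The following Python checker is an added example, not code from either post or from Cisco: it parses IOS ACL lines (numbered and named-body forms), evaluates each protected flow first-match against the NAT ACL, and lists split-tunnel entries whose source is not local. The sample ACLs are copied verbatim from the two configs; the lists of "inside" networks are assumptions taken from the interface addresses shown there.

```python
"""Two static checks for the IOS IPsec configs in the posts above (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "ip", "tcp", ... (port qualifiers are ignored here)
    src: IPv4Net
    dst: IPv4Net


def _take_addr(toks: List[str]) -> Tuple[IPv4Net, List[str]]:
    """Consume one IOS address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard'."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    # IOS wildcards are inverted netmasks; ip_network() raises on a
    # non-contiguous result, which is the right outcome for a lint check.
    wildcard = int(ipaddress.IPv4Address(toks[1]))
    netmask = str(ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF))
    return ipaddress.ip_network((toks[0], netmask), strict=False), toks[2:]


def parse_ace(line: str) -> Ace:
    """Parse a numbered ('access-list N ...') or named-ACL body line."""
    toks = line.split()
    if toks[0] == "access-list":
        toks = toks[2:]
    action, proto, rest = toks[0], toks[1], toks[2:]
    src, rest = _take_addr(rest)
    dst, _ = _take_addr(rest)
    return Ace(action, proto, src, dst)


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(ln) for ln in text.strip().splitlines() if ln.strip()]


def nat_verdict(nat_acl: List[Ace], flow: Ace) -> str:
    """First-match evaluation of one protected flow against the NAT ACL.

    'exempt'  first overlapping ACE is a deny covering the whole flow
    'partial' first overlapping ACE is a deny covering only part of it
    'natted'  first overlapping ACE is a permit: the traffic is translated
              and no longer matches the crypto map / tunnel
    No overlap at all hits the implicit deny, so nothing is translated.
    """
    for ace in nat_acl:
        if ace.src.overlaps(flow.src) and ace.dst.overlaps(flow.dst):
            if ace.action == "permit":
                return "natted"
            whole = flow.src.subnet_of(ace.src) and flow.dst.subnet_of(ace.dst)
            return "exempt" if whole else "partial"
    return "exempt"


def check_nat_exemption(nat_acl: List[Ace], crypto_acl: List[Ace]) -> Dict[Tuple[str, str], str]:
    return {(str(f.src), str(f.dst)): nat_verdict(nat_acl, f)
            for f in crypto_acl if f.action == "permit"}


def backwards_entries(crypto_acl: List[Ace], inside: List[IPv4Net]) -> List[Ace]:
    """Permit entries whose source is not a local network: the crypto or
    split-tunnel ACL is written from the router's side, so these are the
    'ACL is backwards' mistake from the first post."""
    return [a for a in crypto_acl
            if a.action == "permit" and not any(a.src.subnet_of(n) for n in inside)]


# Site-to-site post: NAT ACL 100 and crypto ACL 105, copied verbatim.
NAT_SITE2SITE = parse_acl("""
access-list 100 deny ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 100 permit ip 192.168.16.0 0.0.0.255 any
""")
CRYPTO_SITE2SITE = parse_acl("access-list 105 permit ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255")
INSIDE_SITE2SITE = [ipaddress.ip_network("10.10.10.0/24")]   # assumed: Vlan1

# Client VPN post: named ACL 'nat' and split-tunnel ACL 108, copied verbatim.
NAT_CLIENT = parse_acl("""
deny ip 192.168.10.0 0.0.0.255 192.168.109.0 0.0.0.255
deny ip 10.1.1.0 0.0.0.255 192.168.109.0 0.0.0.255
permit ip 10.1.1.0 0.0.0.255 any
permit ip 192.168.10.0 0.0.0.255 any
""")
SPLIT_CLIENT = parse_acl("""
access-list 108 permit ip 192.168.109.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 108 permit ip 192.168.109.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 108 permit ip 192.168.109.0 0.0.0.255 10.1.10.0 0.0.0.255
""")
# assumed local networks, taken from BVI1, the ACLs and Loopback0's range
INSIDE_CLIENT = [ipaddress.ip_network(n) for n in ("192.168.10.0/24", "10.1.1.0/24", "10.1.10.0/24")]

if __name__ == "__main__":
    print("site-to-site NAT exemption:", check_nat_exemption(NAT_SITE2SITE, CRYPTO_SITE2SITE))
    for a in backwards_entries(SPLIT_CLIENT, INSIDE_CLIENT):
        print(f"acl 108 source {a.src} is not a local network (entry is backwards)")
```

Run against the site-to-site config the protected flow comes back "exempt", which agrees with the encrypt/decrypt counters moving in that thread; run against ACL 108 all three entries are reported as having a non-local source. The same parser handles the route-map style of the first config, since the route-map only points at the named ACL.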
ASA 5505 8.2 - SSL VPN - Cannot ping inside hosts
Hello All,
I'm an ASA Newb.
I feel like I have tried everything posted and still no success.
PROBLEM: When connected to the SSL VPN I cannot ping any internal hosts. I cannot ping anything on the inside.
Result of the command: "show running-config"
: Saved
ASA Version 8.2(5)
hostname MCASA01
domain-name mydomain.org
enable password xxbtzv6P4Hqevn4N encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.2.0 VLAN
name 192.168.5.0 VPNPOOL
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ddns update hostname MC_DNS
dhcp client update dns server both
ip address 192.168.1.1 255.255.255.0
interface Vlan2
no forward interface Vlan1
nameif outside
security-level 0
ip address 11.11.11.202 255.255.255.252
interface Vlan3
no nameif
security-level 50
ip address 192.168.2.1 255.255.255.0
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name mydomain.org
access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNPOOL 192.168.5.1-192.168.5.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 74.7.217.201 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http authentication-certificate inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=vpn.mydomain.org,OU=IT,O="mydomain",C=US,St=CA,L=Chino
keypair digicert.key
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 00b63edadf5efa057ea49da56b179132e8
3082051c 30820404 a0030201 02021100 b63edadf 5efa057e a49da56b 179132e8
300d0609 2a864886 f70d0101 05050030 72310b30 09060355 04061302 4742311b
30190603 55040813 12477265 61746572 204d616e 63686573 74657231 10300e06
03550407 13075361 6c666f72 64311a30 18060355 040a1311 434f4d4f 444f2043
41204c69 6d697465 64311830 16060355 0403130f 45737365 6e746961 6c53534c
20434130 1e170d31 33313130 35303030 3030305a 170d3134 30323033 32333539
35395a30 52312130 1f060355 040b1318 446f6d61 696e2043 6f6e7472 6f6c2056
616c6964 61746564 3111300f 06035504 0b130846 72656520 53534c31 1a301806
03550403 13117670 6e2e6d65 74726f63 656c6c2e 6f726730 82012230 0d06092a
864886f7 0d010101 05000382 010f0030 82010a02 82010100 a0d97d51 fcd18293
eaf8e9b2 d632b2e3 e4d92eb1 5b639766 52677a26 2aa7d09d 437be3b6 dfb8649c
4d715278 e1745955 27e8aab2 9c9da997 694a73e8 c1c426f3 a519adba acc2ad94
aa0e09af 6db7bfc6 bad90bf2 b057dc56 c69a4276 1b826c83 6cd7ae09 af39bd7d
4abe60b4 9b04613a 287a1ae6 9d117d05 c7cdc15f 09d588b0 fcc05c47 c1cb6d67
c3701389 d3b7691d b05ff82c b0be475d 746a4916 0bbf11a6 7ee1b7ec bd05e1d2
dda305a6 918bfd35 17447b04 bca1e6d9 10955649 d8211878 168c4c21 279a6584
4b560a9f 414aea15 91e21581 a71d6b98 86d9eac3 47ea3a1d a172c71a ecf77aaa
536d73e4 bc53eb68 c7bfacdd fab87ea5 121baf55 067dbd19 02030100 01a38201
cb308201 c7301f06 03551d23 04183016 8014dacb eaad5b08 5dccfffc 2654ce49
e555c638 f4f8301d 0603551d 0e041604 14fabb1d f439c41f e59207c7 202c2fda
b46bcacc ee300e06 03551d0f 0101ff04 04030205 a0300c06 03551d13 0101ff04
02300030 34060355 1d25042d 302b0608 2b060105 05070301 06082b06 01050507
0302060a 2b060104 0182370a 03030609 60864801 86f84204 01304f06 03551d20
04483046 303a060b 2b060104 01b23101 02020730 2b302906 082b0601 05050702
01161d68 74747073 3a2f2f73 65637572 652e636f 6d6f646f 2e636f6d 2f435053
30080606 67810c01 0201303b 0603551d 1f043430 323030a0 2ea02c86 2a687474
703a2f2f 63726c2e 636f6d6f 646f6361 2e636f6d 2f457373 656e7469 616c5353
4c43412e 63726c30 6e06082b 06010505 07010104 62306030 3806082b 06010505
07300286 2c687474 703a2f2f 6372742e 636f6d6f 646f6361 2e636f6d 2f457373
656e7469 616c5353 4c43415f 322e6372 74302406 082b0601 05050730 01861868
7474703a 2f2f6f63 73702e63 6f6d6f64 6f63612e 636f6d30 33060355 1d11042c
302a8211 76706e2e 6d657472 6f63656c 6c2e6f72 67821577 77772e76 706e2e6d
6574726f 63656c6c 2e6f7267 300d0609 2a864886 f70d0101 05050003 82010100
2484b72c 56161585 c9caa1a3 43cbc754 d3b43cef 7902a775 d40d064f 6918d52f
0aaaea0c ad873124 11b68847 406812da fd0c5d71 6e110898 1ebddcab ddf980e4
b95be4e2 0633cc23 7a4cbc27 f1f5e4e8 1de3c127 2b28a364 f1f26764 98afe871
45547855 c0ceaf39 256f46db 4ac412a7 2b594817 a967ba5a 24986b24 57002ce4
f046c6b3 5f7c9cc2 e6cd8ede 8fbcac60 b87fd497 71328783 8b148f7f affec249
191c460b 3d46d352 0651f35e 96a60fbe 7b22e057 06aa7722 da447cd3 0ea72e7f
5ec8c13c b550f502 b020efdc 35f62b89 52d7e6e3 14ade632 802dee70 1cdbf7ad
a39a173b 916406e4 887ba623 4813b925 8a63a300 fd016981 a8d70651 a736267a
quit
no crypto isakmp nat-traversal
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside vpnclient-wins-override
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns 66.180.96.12 64.238.96.12 interface inside
dhcpd lease 86400 interface inside
dhcpd ping_timeout 4000 interface inside
dhcpd domain mydomain.org interface inside
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 64.147.116.229 source outside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy VPNGP internal
group-policy VPNGP attributes
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
username GaryC password TGbvzEO3d6HlfU66 encrypted privilege 15
username GaryC attributes
vpn-group-policy VPNGP
tunnel-group MCVPN type remote-access
tunnel-group MCVPN general-attributes
address-pool VPNPOOL
default-group-policy VPNGP
tunnel-group MCVPN webvpn-attributes
group-alias MCVPN enable
group-url https://11.11.11.202/MCVPN enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:1e950c041cc2c25116d30e5c884abbfc
: end
My goal is to allow remote users to RDP (3389) through the VPN.
Thank you,
Gary
Message was edited by: Gary Culwell
Hello Jon,
Thank you so much for your response. Clients will not be connecting to a specific RDP server. I was hoping that if we were to establish a VPN client tunnel, that tunnel would provide full local area access. The way the clients are used to working is that while in the field they use RDP to connect to their desktops on the internal LAN.
Would you say this would work:
route inside 192.168.1.0 255.255.255.0 192.168.1.1 1
Do you have examples?
Thank you,
Gary -
Route inside does not work on ASA 8.2(3), ASA cannot ping inside hosts
Hi Guys,
I have a problem on one of our ASAs; it seems to be acting strange.
I have copied the routes below onto the ASA, and am able to ping only 10.126.0.32.
route inside 10.126.0.10 255.225.255.255 10.20.3.1
route inside 10.126.0.30 255.225.255.255 10.20.3.1
route inside 10.126.0.31 255.225.255.255 10.20.3.1
route inside 10.126.0.32 255.225.255.255 10.20.3.1
route inside 10.126.0.140 255.225.255.255 10.20.3.1
route inside 10.126.0.141 255.225.255.255 10.20.3.1
route inside 10.126.0.142 255.225.255.255 10.20.3.1
When I saved the configuration and checked back on the ASA running configuration, none of the above routes existed.
MYASA(config)# route inside 10.126.0.10 255.225.255.255 10.20.3.1
MYASA(config)# route inside 10.126.0.30 255.225.255.255 10.20.3.1
MYASA(config)# route inside 10.126.0.31 255.225.255.255 10.20.3.1
MYASA(config)# route inside 10.126.0.32 255.225.255.255 10.20.3.1
MYASA(config)# route inside 10.126.0.140 255.225.255.255 10.20.3.1
MYASA(config)# route inside 10.126.0.141 255.225.255.255 10.20.3.1
MYASA(config)# route inside 10.126.0.142 255.225.255.255 10.20.3.1
MYASA(config)# end
MYASA# show run | in route inside
route inside 10.0.0.0 255.0.0.0 10.20.3.1 1
route inside 10.96.0.0 255.224.0.0 10.20.3.1 1
route inside 10.96.0.10 255.225.255.255 10.20.3.1 1
route inside 10.96.0.30 255.225.255.255 10.20.3.1 1
route inside 10.96.0.31 255.225.255.255 10.20.3.1 1
route inside 10.96.0.32 255.225.255.255 10.20.3.1 1
route inside 10.96.0.140 255.225.255.255 10.20.3.1 1
route inside 10.96.0.141 255.225.255.255 10.20.3.1 1
route inside 10.96.0.142 255.225.255.255 10.20.3.1 1
route inside 10.100.1.61 255.255.255.255 10.20.3.1 1
route inside 10.101.20.112 255.255.255.255 10.0.0.254 1
route inside 10.101.20.113 255.255.255.255 10.0.0.254 1
route inside 10.101.20.114 255.255.255.255 10.0.0.254 1
route inside 10.101.20.115 255.255.255.255 10.0.0.254 1
route inside 10.101.20.201 255.255.255.255 10.0.0.254 1
route inside 10.101.20.202 255.255.255.255 10.0.0.254 1
route inside 10.101.20.204 255.255.255.255 10.0.0.254 1
route inside 10.101.20.205 255.255.255.255 10.0.0.254 1
route inside 10.101.22.22 255.255.255.255 10.20.3.1 1
route inside 10.101.24.100 255.255.255.255 10.0.0.254 1
route inside 10.101.24.101 255.255.255.255 10.0.0.254 1
route inside 10.101.25.0 255.255.255.0 10.20.3.1 1
route inside 10.126.0.32 255.255.255.255 10.20.3.1 1
route inside 67.215.65.132 255.255.255.255 10.20.3.1 1
route inside 192.168.1.3 255.255.255.255 10.0.0.254 1
route inside 192.168.1.4 255.255.255.255 10.0.0.254 1
route inside 192.168.151.0 255.255.255.0 10.20.3.1 1
route inside 192.168.151.48 255.255.255.240 10.0.0.254 1
route inside 205.210.235.0 255.255.255.0 10.0.0.254 1
route inside 205.210.236.0 255.255.255.0 10.20.3.1 1
route inside 205.210.237.0 255.255.255.0 10.0.0.254 1
route inside 205.210.238.0 255.255.255.0 10.0.0.254 1
route inside 205.210.239.0 255.255.255.0 10.0.0.254 1
route inside 205.210.240.0 255.255.255.0 10.0.0.254 1
route inside 205.210.241.0 255.255.255.0 10.0.0.254 1
MYASA#
It may be a bug on the ASA?
Thanks
Rizwan Rafeek
Hi Vibhor,
Well, the problem is resolved by Cisco Tech Support; it boiled down to a bug.
"route inside 10.126.0.32 255.225.255.255 10.20.3.1": this route already existed, and yet only one route shows up out of the 7 copied; that is a bug.
Thanks for your reply.
Regards
Rizwan Rafeek.
-
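Independently of how the thread concludes, the seven pasted commands use the mask 255.225.255.255 (225, not 255, in the second octet), which is not a contiguous netmask. The Python below is an added example, not from the thread or from Cisco: it flags non-contiguous masks before a route is pasted, and it applies each typed mask to its typed destination with a bitwise AND, which yields exactly the seven 10.96.0.x lines that appear in the "show run | in route inside" output above (10.126 AND 225 is 96). The command list is copied from the post; the default metric of 1 appended to each stored line is taken from that same output.

```python
"""Mask sanity check for ASA 'route' commands, and reproduction of the
stored form of the typed commands (added example)."""
import ipaddress
from typing import List, Tuple


def mask_is_contiguous(mask: str) -> bool:
    """A valid netmask is a run of 1s followed by 0s, so its 32-bit
    complement plus one must be a power of two."""
    inv = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    return (inv & (inv + 1)) == 0


def stored_route(cmd: str) -> str:
    """Return 'route <if> <dest> <mask> <gw> <metric>' with the destination
    ANDed against the mask exactly as typed, metric defaulting to 1."""
    parts = cmd.split()
    kw, iface, dest, mask, gw = parts[:5]
    metric = parts[5] if len(parts) > 5 else "1"
    net = int(ipaddress.IPv4Address(dest)) & int(ipaddress.IPv4Address(mask))
    return f"{kw} {iface} {ipaddress.IPv4Address(net)} {mask} {gw} {metric}"


def lint_routes(cmds: List[str]) -> List[Tuple[str, str]]:
    """(command, problem) pairs: a non-contiguous mask, or a destination
    that is not the network address under its own mask."""
    problems = []
    for cmd in cmds:
        dest, mask = cmd.split()[2:4]
        if not mask_is_contiguous(mask):
            problems.append((cmd, f"mask {mask} is not contiguous"))
        elif stored_route(cmd).split()[2] != dest:
            problems.append((cmd, f"{dest} is not the network address for {mask}"))
    return problems


# The seven commands typed in the post, verbatim.
TYPED = [
    "route inside 10.126.0.10 255.225.255.255 10.20.3.1",
    "route inside 10.126.0.30 255.225.255.255 10.20.3.1",
    "route inside 10.126.0.31 255.225.255.255 10.20.3.1",
    "route inside 10.126.0.32 255.225.255.255 10.20.3.1",
    "route inside 10.126.0.140 255.225.255.255 10.20.3.1",
    "route inside 10.126.0.141 255.225.255.255 10.20.3.1",
    "route inside 10.126.0.142 255.225.255.255 10.20.3.1",
]

if __name__ == "__main__":
    for cmd, problem in lint_routes(TYPED):
        print(f"{problem}: {cmd}")
    print("as stored:")
    for cmd in TYPED:
        print("  " + stored_route(cmd))
```

The linter is worth running over any batch of static routes before pasting them into a firewall, since a typo in a mask silently changes which prefix a route covers rather than producing an error.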
Please Help!! - Ping to and from MPLS/VPN
I am having strange ping results and cannot understand why. My gut feeling is that this stems from a lack of understanding of the technology.
First, I have leaked a VRF subnet into the global VRF so that I can have reachability to some devices in the VRF, and the devices themselves can have reachability to services outside of the cloud.
I know this design is going to seem a little convoluted, so bear with me. I have built a model of my provider's network whereby the connected routes between the CE and PE are public addresses and the internal routes are private addresses in the 10.0.0.0/8 network. I am running BGP between the PE and CE, and then redistributing static routes into OSPF for the actual MPLS network routing.
Then, off the backbone (Area 0) of the OSPF network, I have a connection to what I will call my Services network, where resources such as DNS/DHCP, Internet, and Call Manager reside (see diagram).
What happens is that on the PE that is directly connected to the CE, I cannot ping the network contained in the CE unless I actually specify an interface other than the address of the directly connected interface.
If I go to the P router I can ping just fine. Even if I go to the Services network I am successful, so I know that I have been somewhat successful in leaking the subnet located in the VPN VRF.
On the flip side, when I am in the CE, I cannot ping to the Services network, or any network that is in the 10.0.0.0/8 space, so I am almost certain there is a routing principle that I am missing here.
Sorry for the long post, but I am trying to include the pertinent information that I hope will lead to some assistance.
Lejoe,
You were correct in discovering that the route was missing from the 3750 Metro pointing back to the connected route between the PE and CE. I added this and I am now able to ping the Services network from the CE router. Thanks very much for this. I am glad it was a simple resolution.
As far as the duplicate address on the 3750 Metro and the PE, the interface on the 3750 was left over from a previous design and is inactive. Thanks for catching it, as I would need to clean it up regardless.
You were also correct in saying that if I source the ping from within the VRF, then I am able to ping. However, I thought that I took care of this by leaking the route to the global table. Here is the global routing table on the PE router.
S 68.139.201.28/30 is directly connected, FastEthernet1/0
C 68.1.1.4/30 is directly connected, FastEthernet0/0
O IA 68.2.1.4/30 [110/12] via 68.1.1.5, 23:30:42, FastEthernet0/0
O IA 68.1.2.4/30 [110/2] via 68.1.1.5, 23:30:42, FastEthernet0/0
O IA 68.1.0.1/32 [110/2] via 68.1.1.5, 23:30:42, FastEthernet0/0
C 68.1.1.1/32 is directly connected, Loopback0
O IA 68.0.1.0/30 [110/2] via 68.1.1.5, 23:30:42, FastEthernet0/0
O IA 68.2.1.1/32 [110/13] via 68.1.1.5, 23:30:42, FastEthernet0/0
O IA 68.0.2.0/30 [110/3] via 68.1.1.5, 23:30:42, FastEthernet0/0
O IA 68.2.0.1/32 [110/3] via 68.1.1.5, 23:30:42, FastEthernet0/0
O IA 68.255.1.0/30 [110/2] via 68.1.1.5, 23:30:42, FastEthernet0/0
10.0.0.0/16 is subnetted, 1 subnets
S 10.152.0.0 [1/0] via 68.139.201.30, FastEthernet1/0
O*E2 0.0.0.0/0 [110/1] via 68.1.1.5, 23:30:42, FastEthernet0/0
If you take a look at the configs, I have placed the directly connected route into the global table by using a static route on the PE router:
ip route 68.139.201.28 255.255.255.252 FastEthernet1/0
I would like to understand why I cannot ping the directly connected route from the PE, especially when it is in the routing table. Would you know why this is?
-
I have found the answer in the URL below, but however I am not sure where the "accessToken" is coming from.
Any idea?
http://social.msdn.microsoft.com/forums/windowsapps/en-us/816291e7-8081-46e0-8ec3-e67613d1621f/requestdigest-is-undefined-in-sharepoint-hosted-app?forum=appsforsharepoint
Navaneeth
Okay. Finally I found the solution after 2 weeks :)
Below is the way to use it. Note it works in both a Single Page App and a Client App Part as well.
var formDigest;      // Declare the variable (the success handler below shadows it with a local)
var requestdigest;   // raw /_api/contextinfo response, kept for inspection
var hostweburl, appweburl, scriptbase;

// Document Ready. getQueryStringParameter() and CharacterAnimation() are
// the app's own helpers and are not shown in this post.
$(document).ready(function () {
    hostweburl = decodeURIComponent(getQueryStringParameter('SPHostUrl'));
    appweburl = decodeURIComponent(getQueryStringParameter('SPAppWebUrl'));
    scriptbase = hostweburl + '/_layouts/15/';
    CharacterAnimation();
    // Load the SharePoint JS libraries in order, then fetch the digest
    $.getScript(scriptbase + 'SP.Runtime.js', function () {
        $.getScript(scriptbase + 'SP.js', function () {
            $.getScript(scriptbase + 'SP.RequestExecutor.js', getFormDigest);
        });
    });
});

// Get Form Digest Value: POST to /_api/contextinfo on the app web
function getFormDigest() {
    var appweburl = decodeURIComponent(getQueryStringParameter('SPAppWebUrl'));
    $.ajax({
        url: appweburl + "/_api/contextinfo",
        type: "POST",
        headers: {
            "accept": "application/json;odata=verbose",
            "contentType": "text/xml"
        },
        success: function (data) {
            requestdigest = data;
            var formDigest = data.d.GetContextWebInformation.FormDigestValue;
            DoSomething(formDigest);
        },
        error: function (err) {
            alert(JSON.stringify(err));
        }
    });
}

// Do Something Method: cross-domain call to the host web list, sending the
// digest in the X-RequestDigest header
function DoSomething(formDigest) {
    var urltest = appweburl + "/_api/SP.AppContextSite(@target)/web/lists/getByTitle('List1')/getitems(query=@v1)?@v1={\"ViewXml\":\"<View><Query><Where><BeginsWith><FieldRef Name='Title'/><Value Type='Text'>A</Value></BeginsWith></Where></Query><RowLimit>1</RowLimit></View>\"}&@target='"
        + hostweburl + "'";
    $.ajax({
        url: urltest,
        type: "POST",
        headers: {
            "Accept": "application/json; odata=verbose",
            "Content-Type": "application/json; odata=verbose",
            "X-RequestDigest": formDigest
        },
        contentType: 'application/json',
        success: function (data) {
            alert(data); // Finally found [Object][Object] :)
        },
        error: function (data) {
            alert(data.responseText);
        }
    });
}
Navaneeth -
Detecting and displaying images inside SWF from same web page its embedded in
Great forum, and I appreciate the great help I've been getting here. I am getting a bit more used to Flex now; the collection of controls is pretty amazing.
I am trying to create an ImabeBrowse.SWF which, when embedded on a web page, would then automatically show thumbnails of all the images from that same page. Has anyone done anything like this in AS3?
From the documentation, it sounds like I would need to write some JavaScript which would traverse the HTML's DOM to get all image URLs, and then pass these into the SWF?
If one of you experts could share some code, that'd be greatly appreciated!!
Asking for more.........
Yes, I do agree there is no need to create an additional DAD when we want to call a procedure from the infrastructure database (iasdb), because granting to public or the portal_public schema is enough.
But why is it that even after following the right way to create a DAD for the HR schema in the infrastructure database, it fails to call a procedure?
The error which I get is:-
Database Log In Failed
TNS is unable to connect to destination. Invalid TNS address supplied or destination is not listening. This error can also occur because of underlying network transport problems.
Verify that the TNS name in the connectstring entry of the DAD for this URL is valid and the database listener is running.
The details for rajhr DAD
Database Connectivity Information
Database Username : HR
Database Password : hr
Database Connection String : <blank>
I have left the database connection string blank as the infrastructure database is local.
Is it that I cannot have two DADs for a local database even though they point to two different users?
Kind regards,
Rajesh -
TS2446 I can't buy anything from some of the games; it's telling me to contact iTunes support
I don't know what the problem is buying something from some games.
iTunes Customer Service Contact - http://www.apple.com/support/itunes/contact.html > Get iTunes support via Express Lane > iTunes > iTunes Store
-
Hi. Twice recently I have lost access to my BT Home Hub broadband wifi. I have tried all sorts, including turning everything off from the router through; I also tried to disconnect my iPad's access and then reinstall, but again no joy. I'm not very tech savvy, so basic instructions please.
I still have access to broadband on my desktop, so I don't think the problem is with the provider or router; more likely the connection between my router and my iPad.
Please can anyone help? Really lost without my iPad; I am having to use my desktop now.
Thanks Ann
Do you have other mobile devices that can connect to your wifi without issue?
Try this:
Reboot the iPad by pressing and holding both the Home and Sleep/Wake buttons at the same time until the Apple logo appears on the screen, then let go. Then try to connect to the network.
Go to Settings, toggle Airplane Mode on/off. Make sure Bluetooth is off. Turn on wifi (Airplane Mode off). Try to connect.
Reset Network Settings
Go to Settings/General/Reset/Reset Network Settings. Then try to connect to the network.
If it's your home router, then reboot the router by unplugging it for 5-10 min (do this while you're resetting network settings).
If the problem persists, then check for firmware updates for your router (check the router manufacturer's support website for downloads and instructions). -
ASA 5505: unable to ping external hosts
Hi,
I have a LAN behind ASA 5505, interface NAT/PAT is configured.
External interface is configured for PPPoE.
Everything works fine except that I cannot ping external hosts from a LAN PC. I can, however, ping external hosts from the ASA itself. ICMP is allowed:
icmp permit any inside
icmp permit any outside
access-list outside_access_in extended permit icmp any any
Protocol inspections and fixups are default.
When I ping an external host 61.95.50.185 from the LAN host 10.2.32.68 I am getting the following in the log:
302020 61.95.50.185 10.2.32.68 Built ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 10.2.32.68/512
302020 61.95.50.185 202.xx.yy.zz Built ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 202.xx.yy.zz/1
313004 Denied ICMP type=0, from laddr 61.95.50.185 on interface outside to 202.xx.yy.zz: no matching session
313001 61.95.50.185 Denied ICMP type=0, code=0 from 61.95.50.185 on interface outside
302021 61.95.50.185 202.xx.yy.zz Teardown ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 202.xx.yy.zz/1
302021 61.95.50.185 10.2.32.68 Teardown ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 10.2.32.68/512
Where 202.xx.yy.zz is IP of external interface of ASA.
This is a very simple setup that runs on a number of other PIXes/ASAs, and pings to external IPs normally work just fine. I can't understand why ping replies are getting dropped on the interface.
Any help will be highly appreciated.
Thank you.
Alex
Alex / Kerry, you have a couple of options for handling ICMP outbound, either an ACL or ICMP inspection:
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any source-quench
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-group outside_access_in in interface outside
or ICMP inspection instead of the ACL:
policy-map global_policy
class inspection_default
inspect icmp
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
HTH
Jorge
-
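The log excerpt in that post is the pattern to look for when an outbound ping dies at the firewall: a 302020 "Built ICMP connection" for the inside host, followed by a 313004 "Denied ICMP type=0 ... no matching session" for the echo-reply addressed to the PAT address. The Python below is an added example, not from the thread or from Cisco: it parses ASDM-style ASA log lines (message id, source, destination, text), keeps the first inside host seen for each (remote, PAT address) pair, and reports every echo-reply denied against an open outbound ICMP connection, pointing at the two fixes the reply above gives. The sample lines are the six the poster pasted, used here as constructed test input.

```python
"""Correlate ASA ICMP 'Built connection' events with 'no matching session'
echo-reply denies (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

_ADDR = r"(?P<{n}>[^/\s]+)/\d+"      # address/port-or-icmp-id, e.g. 10.2.32.68/512
BUILT = re.compile(
    r"^302020 \S+ \S+ Built ICMP connection for faddr " + _ADDR.format(n="faddr")
    + r" gaddr " + _ADDR.format(n="gaddr") + r" laddr " + _ADDR.format(n="laddr"))
DENIED = re.compile(
    r"^313004 Denied ICMP type=(?P<type>\d+), from laddr (?P<src>\S+) "
    r"on interface (?P<iface>\S+) to (?P<dst>\S+): no matching session")

ADVICE = ("echo-reply to PAT address dropped while an outbound ICMP connection is open; "
          "check ICMP return handling (inspect icmp, or permit echo-reply on the outside ACL)")


@dataclass(frozen=True)
class Finding:
    inside_host: str   # LAN host that sent the echo request
    pat_addr: str      # translated (global) address the reply was sent to
    remote: str        # external host that answered
    advice: str = ADVICE


def analyse(lines: List[str]) -> List[Finding]:
    # (remote, PAT address) -> real inside host. setdefault keeps the first
    # laddr seen, so a later 302020 whose laddr equals the interface address
    # (the second line in the sample) does not overwrite the LAN host.
    outbound: Dict[Tuple[str, str], str] = {}
    findings: List[Finding] = []
    for line in lines:
        m = BUILT.match(line.strip())
        if m:
            outbound.setdefault((m["faddr"], m["gaddr"]), m["laddr"])
            continue
        m = DENIED.match(line.strip())
        if m and m["type"] == "0":          # ICMP type 0 = echo-reply
            key = (m["src"], m["dst"])
            if key in outbound:
                findings.append(Finding(outbound[key], m["dst"], m["src"]))
    return findings


# Constructed sample: the six lines from the post above, verbatim.
SAMPLE_LOG = [
    "302020 61.95.50.185 10.2.32.68 Built ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 10.2.32.68/512",
    "302020 61.95.50.185 202.xx.yy.zz Built ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 202.xx.yy.zz/1",
    "313004 Denied ICMP type=0, from laddr 61.95.50.185 on interface outside to 202.xx.yy.zz: no matching session",
    "313001 61.95.50.185 Denied ICMP type=0, code=0 from 61.95.50.185 on interface outside",
    "302021 61.95.50.185 202.xx.yy.zz Teardown ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 202.xx.yy.zz/1",
    "302021 61.95.50.185 10.2.32.68 Teardown ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 10.2.32.68/512",
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.inside_host} -> {f.remote} via {f.pat_addr}: {f.advice}")
```

On the sample this yields one finding for 10.2.32.68 pinging 61.95.50.185 through 202.xx.yy.zz. A 313004 with no matching 302020 is left alone, since an unsolicited echo-reply being dropped is the firewall doing its job.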
Can't install new apps from iTunes
Hi
I can buy and download new apps, but I can't install them onto my iPhone 4.
I think it's the synchronising that's not working. Anyone know why?
-
My Home button on my iPod Touch is completely unresponsive. I don't think it's a software issue; it might be a hardware issue. Does anyone have a solution??!
It does sound like hardware, and only Apple can help you.
-
My remote AnyConnect VPN host cannot be pinged or accessed from inside the LAN
I have a remote VPN host via Anyconnect that can reach my LAN resources without a problem; however, there is a server application that must initiate sessions to the remote host and it cannot.
Hosts within my LAN cannot ping or connect to the remote host, even though its connectivity inbound is fine.
NAT issue?
Hi mega5llc1,
Can you run the following command and paste the output.
packet-tracer input inside (or name of your inside int) icmp (server ip) 8 0 (VPN IP) detailed
Hope this helps
- Randy -
VPN client cannot access inside hosts
Hello,
I have an ASA 5505 device with the attached configuration and my VPN clients can connect to it fine. However, once a VPN client is connected, it cannot RDP, ping, or telnet to any internal hosts. The goal is for a connected VPN client to have all the access rights of anyone sitting on the internal network. Any assistance is greatly appreciated.
: Saved
ASA Version 7.2(3)
hostname Kappa-GW01
domain-name Kappa.com
enable password xxxxxxxxx encrypted
names
name 172.20.42.42 UMEFTP2 description UMAP FTP2
name 172.20.40.246 UMEMAIL1 description Exchange Server
name 172.20.41.3 UMERPS
name x.x.81.81 Wilkes
name x.x.84.41 KappaPittston
dns-guard
interface Ethernet0/0
shutdown
nameif outside
security-level 0
ip address x.x.148.194 255.255.255.248
interface Ethernet0/1
nameif Outside_Windstream
security-level 0
ip address x.x.205.210 255.255.255.240
interface Ethernet0/2
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
passwd 7Tpgc2AiWGxbNjkj encrypted
boot system disk0:/asa723-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name Kappa.com
object-group network Blue_Bell_Internal_Networks
description Blue Bell internal network Group
network-object 192.168.100.0 255.255.255.0
network-object 10.0.0.0 255.255.255.0
network-object 10.0.1.0 255.255.255.0
network-object 10.0.2.0 255.255.255.0
object-group network VPN-Sites
network-object host Wilkes
network-object host KappaPittston
object-group network Michigan_VPN_GRP
network-object 172.20.40.0 255.255.252.0
object-group network ASA_OutSide_Vendors
description ASA OutSide Vendor Access
access-list 101 extended permit ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 101 extended permit ip 10.0.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 101 extended permit ip 10.0.2.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 101 extended permit ip 172.20.40.0 255.255.252.0 192.168.100.0 255.255.255.0
access-list KappaVPN_splitTunnelAcl remark Blue Bell Office
access-list KappaVPN_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0
access-list KappaVPN_splitTunnelAcl remark Williamston Office
access-list KappaVPN_splitTunnelAcl standard permit 172.20.40.0 255.255.252.0
access-list KappaVPN_splitTunnelAcl remark Pittston Office
access-list KappaVPN_splitTunnelAcl standard permit 10.0.10.0 255.255.255.0
access-list KappaVPN_splitTunnelAcl standard permit 10.0.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 172.20.40.0 255.255.252.0 inactive
access-list inside_nat0_outbound extended permit ip 10.0.2.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.10.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.30.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.20.40.0 255.255.252.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.20.40.0 255.255.252.0 10.0.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.20.40.0 255.255.252.0 10.0.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.20.40.0 255.255.252.0 10.0.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.0.0.0 255.255.255.0 172.20.48.0 255.255.252.0
access-list umeemp_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0
access-list umeemp_splitTunnelAcl standard permit 172.20.40.0 255.255.252.0
access-list umeemp_splitTunnelAcl standard permit 10.0.30.0 255.255.255.0
access-list umeemp_splitTunnelAcl standard permit 10.0.2.0 255.255.255.0
access-list outside_5_cryptomap extended permit ip 10.0.0.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list 102 extended permit tcp any any eq 2000
access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.220 eq smtp
access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.220 eq pop3 inactive
access-list Outside_Winstream_access_in extended permit udp object-group VPN-Sites interface Outside_Windstream eq isakmp
access-list Outside_Winstream_access_in extended permit tcp object-group ASA_OutSide_Vendors host x.x.205.217 eq 4080
access-list Outside_Winstream_access_in remark SMTP Access
access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.218 eq smtp
access-list Outside_Winstream_access_in remark POP access
access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.218 eq pop3
access-list Outside_Winstream_access_in remark OWA Access
access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.218 eq https
access-list Outside_Winstream_access_in extended permit tcp host x.x.87.65 host x.x.205.218 eq 3389
access-list Outside_Winstream_access_in extended permit udp host x.x.56.111 eq ntp host x.x.205.216 eq ntp
access-list Outside_Winstream_access_in remark OWA UMAP
access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.211 eq https
access-list Outside_Winstream_access_in remark JLAN
access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.215 eq https
access-list Outside_Winstream_access_in remark UMERPS
access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.212 eq https
access-list Outside_Winstream_access_in remark UMERPS
access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.212 eq ssh
access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.213 eq https
access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.213 eq 5494
access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.214 eq www
access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.211 eq 8081
access-list Outside_Winstream_access_in extended permit icmp any any echo
access-list outside_6_cryptomap extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list outside_6_cryptomap extended permit ip 172.20.40.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list Outside_Windstream_cryptomap_11 extended permit ip 172.20.40.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list Outside_Windstream_cryptomap_10 extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list Outside_Windstream_cryptomap_5 extended permit ip 10.0.0.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list Outside_Windstream_cryptomap_12 extended permit ip 172.20.40.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list Outside_Windstream_2_cryptomap extended permit ip 10.0.0.0 255.255.255.0 172.20.48.0 255.255.252.0
access-list nonat extended permit ip any any inactive
pager lines 24
logging enable
logging asdm debugging
logging flash-bufferwrap
mtu outside 1500
mtu Outside_Windstream 1500
mtu inside 1500
mtu management 1500
ip local pool vpn-pool 192.168.100.100-192.168.100.200
no failover
monitor-interface outside
monitor-interface Outside_Windstream
monitor-interface inside
monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat-control
global (Outside_Windstream) 1 x.x.205.216 netmask 255.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.20.40.0 255.255.252.0
nat (inside) 1 10.0.0.0 255.255.0.0
static (inside,Outside_Windstream) x.x.205.217 10.0.0.20 netmask 255.255.255.255
static (inside,Outside_Windstream) x.x.205.220 10.0.0.21 netmask 255.255.255.255
static (inside,Outside_Windstream) x.x.205.218 10.0.0.15 netmask 255.255.255.255
static (inside,Outside_Windstream) x.x.205.215 172.20.40.145 netmask 255.255.255.255
static (inside,Outside_Windstream) x.x.205.211 UMEMAIL1 netmask 255.255.255.255
static (inside,Outside_Windstream) x.x.205.212 UMERPS netmask 255.255.255.255
static (inside,Outside_Windstream) x.x.205.213 172.20.40.243 netmask 255.255.255.255
static (inside,Outside_Windstream) x.x.205.214 172.20.40.146 netmask 255.255.255.255
access-group acl_inbound in interface outside
access-group Outside_Winstream_access_in in interface Outside_Windstream
route Outside_Windstream 0.0.0.0 0.0.0.0 x.x.205.209 1
route inside 172.20.40.0 255.255.252.0 10.0.0.3 1
route inside 10.0.30.0 255.255.255.0 10.0.0.254 1
route inside 10.0.1.0 255.255.255.0 10.0.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server BBPA-SRV-DC01 protocol radius
aaa-server BBPA-SRV-DC01 host 10.0.0.15
timeout 5
key G6G7#02bj!
aaa-server UMAP protocol radius
aaa-server UMAP host 172.20.40.245
timeout 5
key gfrt1a
aaa-server UMAP host 172.20.40.244
timeout 5
key gfrt1a
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.0.0.0 255.255.255.0 inside
http 10.0.0.15 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_Windstream_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_Windstream_dyn_map 40 set pfs
crypto dynamic-map Outside_Windstream_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 5 match address outside_5_cryptomap
crypto map outside_map 5 set peer Wilkes
crypto map outside_map 5 set transform-set ESP-3DES-SHA
crypto map outside_map 10 match address outside_6_cryptomap
crypto map outside_map 10 set peer KappaPittston
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map Outside_Windstream_map 5 match address Outside_Windstream_cryptomap_5
crypto map Outside_Windstream_map 5 set peer Wilkes
crypto map Outside_Windstream_map 5 set transform-set ESP-3DES-SHA
crypto map Outside_Windstream_map 10 match address Outside_Windstream_cryptomap_10
crypto map Outside_Windstream_map 10 set peer KappaPittston
crypto map Outside_Windstream_map 10 set transform-set ESP-3DES-SHA
crypto map Outside_Windstream_map 65535 ipsec-isakmp dynamic Outside_Windstream_dyn_map
crypto map Outside_Windstream_map interface Outside_Windstream
crypto isakmp enable Outside_Windstream
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 3600
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet 10.0.0.0 255.255.0.0 inside
telnet timeout 5
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ftp
inspect skinny
inspect pptp
service-policy global_policy global
webvpn
enable Outside_Windstream
svc image disk0:/sslclient-win-1.1.4.177.pkg 1
svc enable
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc required
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
group-policy umeemp internal
group-policy umeemp attributes
dns-server value 172.20.40.245
vpn-filter none
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value KappaVPN_splitTunnelAcl
default-domain value umapinc.com
group-policy KappaVPN internal
group-policy KappaVPN attributes
wins-server value 10.0.0.15
dns-server value 10.0.0.15
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value umeemp_splitTunnelAcl
default-domain value kappa.loc
username gwadmin password AVjtEPq7nvtiAAk0 encrypted
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool vpn-pool
authentication-server-group BBPA-SRV-DC01
authorization-required
tunnel-group KappaVPN type ipsec-ra
tunnel-group KappaVPN general-attributes
address-pool vpn-pool
authentication-server-group BBPA-SRV-DC01
default-group-policy KappaVPN
tunnel-group KappaVPN ipsec-attributes
pre-shared-key *
tunnel-group x.x.131.62 type ipsec-l2l
tunnel-group x.x.131.62 ipsec-attributes
pre-shared-key *
tunnel-group x.x.232.2 type ipsec-l2l
tunnel-group x.x.232.2 ipsec-attributes
pre-shared-key *
tunnel-group x.x.49.114 type ipsec-l2l
tunnel-group x.x.49.114 ipsec-attributes
pre-shared-key *
tunnel-group x.x.226.218 type ipsec-l2l
tunnel-group x.x.226.218 ipsec-attributes
pre-shared-key *
tunnel-group x.x.116.133 type ipsec-l2l
tunnel-group x.x.116.133 ipsec-attributes
pre-shared-key *
tunnel-group x.x.21.36 type ipsec-l2l
tunnel-group x.x.21.36 ipsec-attributes
pre-shared-key *
tunnel-group umeemp type ipsec-ra
tunnel-group umeemp general-attributes
address-pool vpn-pool
authentication-server-group UMAP
default-group-policy umeemp
tunnel-group umeemp ipsec-attributes
pre-shared-key *
tunnel-group x.x.81.81 type ipsec-l2l
tunnel-group x.x.81.81 ipsec-attributes
pre-shared-key *
tunnel-group x.x.84.41 type ipsec-l2l
tunnel-group x.x.84.41 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxx
: end
I'm sorry, I misunderstood what you were asking. Yes, those three networks are on the inside of our ASA. We have 2 outside of the ASA (10.0.2.x, 10.0.10.x). When our clients VPN in, they connect to the x.x.205.210 IP address, which maps them depending on the pre-shared key that puts them on either the kappaVPN or the umeempVPN. (I am kind of new to configuring the ASA.) When the Cisco VPN client connects to the network, I checked the statistics and it lists all of our LAN networks under secure routes. I cannot ping anything inside the LAN, nor can I connect via RDP, telnet, or anything else.
Hope this answers your questions, just let me know if you need any more information.
-Rudy
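Randy's packet-tracer suggestion tests one flow at a time; the posted configuration can also be checked statically for the NAT exemption that a VPN pool needs on a `nat-control` box. As an added example, not from the thread or from Cisco, the Python below reads the ASA 7.x/8.2-style `ip local pool`, `nat (inside) 0 access-list` and the inside networks named in `nat (inside) N` and `route inside` lines, and reports for each inside network whether traffic toward the pool is fully exempt, only partially covered, or not exempt at all (an `inactive` ACE counts as missing). The sample config is constructed, modelled on the one above, and deliberately contains all three cases. Run against the real posted config, its `permit ip any 192.168.100.0 255.255.255.0` line makes every network come back as exempt, so the nat0 list itself is not what is missing for those networks.

```python
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network

# Constructed sample, modelled on the ASA 7.2 config posted in the thread.
# It mixes a complete exemption, an inactive one and a too-narrow destination
# so that all three verdicts appear.
SAMPLE_CONFIG = """\
ip local pool vpn-pool 192.168.100.100-192.168.100.200
nat-control
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.0.0.0 255.255.255.0
nat (inside) 1 172.20.40.0 255.255.252.0
route inside 10.0.30.0 255.255.255.0 10.0.0.254 1
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.20.40.0 255.255.252.0 192.168.100.0 255.255.255.0 inactive
access-list inside_nat0_outbound extended permit ip 10.0.30.0 255.255.255.0 192.168.100.0 255.255.255.128
"""


def _operand(tok: List[str], i: int) -> Tuple[Net, int]:
    """Parse one ACE address operand (any | host A | NET MASK) at tok[i]."""
    if tok[i] == "any":
        return Net("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return Net(tok[i + 1] + "/32"), i + 2
    return Net(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_config(text: str, inside_if: str = "inside") -> Dict:
    """Pull out the VPN pool, the nat0 ACL and the inside networks from a running-config."""
    pool = None
    nat0_acl = None
    inside_nets: List[Net] = []
    aces: Dict[str, List[Tuple[Net, Net, bool]]] = {}
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[:3] == ["ip", "local", "pool"]:
            lo, hi = tok[4].split("-")
            pool = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif tok[0] == "nat" and tok[1] == f"({inside_if})":
            if tok[2] == "0" and tok[3] == "access-list":
                nat0_acl = tok[4]                      # nat (inside) 0 access-list NAME
            elif tok[2] != "0":
                inside_nets.append(Net(f"{tok[3]}/{tok[4]}", strict=False))
        elif tok[0] == "route" and tok[1] == inside_if:
            inside_nets.append(Net(f"{tok[2]}/{tok[3]}", strict=False))
        elif tok[0] == "access-list" and tok[2:5] == ["extended", "permit", "ip"]:
            src, i = _operand(tok, 5)
            dst, i = _operand(tok, i)
            active = "inactive" not in tok[i:]
            aces.setdefault(tok[1], []).append((src, dst, active))
    return {"pool": pool, "nat0_acl": nat0_acl,
            "inside_networks": list(dict.fromkeys(inside_nets)),
            "aces": aces.get(nat0_acl, [])}


def _pool_overlap(dst: Net, lo, hi) -> str:
    """'full' if the whole pool range lies in dst, 'part' if any of it does, else 'none'."""
    if lo in dst and hi in dst:
        return "full"
    if dst.network_address <= hi and dst.broadcast_address >= lo:
        return "part"
    return "none"


def check_vpn_nat_exemption(text: str, inside_if: str = "inside") -> Dict[str, str]:
    """For each inside network, report whether traffic to the VPN pool is NAT-exempt."""
    cfg = parse_config(text, inside_if)
    lo, hi = cfg["pool"]
    verdict: Dict[str, str] = {}
    for net in cfg["inside_networks"]:
        status = "missing"
        for src, dst, active in cfg["aces"]:
            if not active or not net.overlaps(src):
                continue
            hit = _pool_overlap(dst, lo, hi)
            if hit == "full" and net.subnet_of(src):
                status = "exempt"
                break
            if hit != "none":
                status = "partial"
        verdict[str(net)] = status
    return verdict


if __name__ == "__main__":
    for net, status in check_vpn_nat_exemption(SAMPLE_CONFIG).items():
        print(f"{net:18} {status}")
```

The parser only understands the pre-8.3 `nat (if) 0 access-list` exemption syntax that this config uses; on 8.3 and later, NAT exemption is expressed as twice-NAT (`nat (inside,outside) source static ...`) and would need a different parser. A "partial" verdict is worth chasing even when most clients work, since only addresses outside the exempted range will be translated and fail.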