Cascaded network unable to access default gateway att 5031nv

Hello -  I have a Cisco 3750 sitting behind an ATT 5031 NV. The Cisco device has the following networks 'living' on it: 10.1.1.1 /2410.1.2.1 /2410.1.3.1 /24 All of these have DHCP pools living on the Cisco device. The default gateway they had out is the IP of the SVI (mentioned above). I am using OSPF between those networks - and they can all talk fine. I am using the 'default-information originate' command to obtain default route information. I have port Gi1/0/3 on the cisco device plugged into LAN port 4 on the ATT 5031 NV. Port Gi 1/0/3 is configured with a static IP in the 192.168.1.x network as follows:
ip address 192.168.1.2 255.255.255.0 On the ATT 5031 NV: Settings > broadband > link configuration, I have the 'cascaded network' option selected: Network Address: 10.1.0.0 Subnet Mask: 255.255.0.0 Choose the router that will host the secondary subnet:    [Cisco Device Hostname] 192.168.1.2 (IP of Gi1/0/3 on cisco device) When i do this - i can ping from the 10.x.x.x networks to both 192.168.1.2 and 192.168.1.254 IP's - but i cannot get out to the Internet (neither by IP or hostname).   I should metion that I have tried the DMZ pinhole option - where i made my Gi1/0/3 get an IP by DHCP > rebooted it > and I got my device to show up with a 108.225.x.x external IP (which again, my 10.x.x.x's could ping) but I could not ping the default gateway for that network. What am i missing here? anyone have any ideas? Config to follow:  !interface GigabitEthernet1/0/3
description DMZ to WAN
no switchport
ip address 192.168.1.2 255.255.255.0!interface Vlan1
no ip address
interface Vlan100
description MANAGEMENT
ip address 10.1.1.1 255.255.255.0
interface Vlan120
description xxxx WIFI
ip address 10.1.2.1 255.255.255.0
interface Vlan130
description xxxx DATA
ip address 10.1.3.1 255.255.255.0!router ospf 1
network 10.1.1.0 0.0.0.255 area 1
network 10.1.2.0 0.0.0.255 area 1
network 10.1.3.0 0.0.0.255 area 1
default-information originate!ip default-gateway 192.168.1.254!ip route 0.0.0.0 0.0.0.0 192.168.1.254 Any help would be greatly appricated.

Hi ,
With the cascaded router option, the purpose of that option is to pass over your static IPs so that your gateway handles the traffic. If you do have a set of static IPs available, the only thing you want to change is the cascaded router IP. The network address should be the IP of your router, so it would be 192.168.1.2 according to your setup.
If you are just trying to do a router behind router setup, you actually do not need to use the cascaded router option, and just putting it in DMZ should take care of everything.
Hope this helps.
-ATTU-verseCare

Similar Messages

Some users on network unable to access a website

I am not sure on the root of the problem with this on, so I don't really know where to post, but thought I would start here.
We are a 12 person office on a small network. Someone here was trying to access a website (http://www.shutterstock.com), and the site would just spin and spin and eventually time out. We tried on some of the other machines, and they could not access it either, with the exception of one machine, which can access the site with no problem. All of us are running the same version of everything, same security settings, etc. Anyone have any thoughts on why 1 person on the network can access the site, and the rest of us cannot?

kristin apel wrote:
All of us are running the same version of everything, same security settings, etc. Anyone have any thoughts on why 1 person on the network can access the site, and the rest of us cannot?
One possibility is that the one person who can access it is using custom DNS settings (or everyone else is and that person is not). Compare your settings in System Preferences > Network , click on the connection you're using in the left pane, and click the Advanced button. Then click on the "DNS" section and compare your settings in the DNS pane.

WLAN Clients unable to access the Gateway when more than 2 clients connect

Hi,
I have a problem with a 2106 WLAN Contoller.
The clients can connect and associate to the WLAN and get their IP details via DHCP from the internal DHCP server. However, only 2 clients can get out through the gateway at any one time. All other clients that connect will get their DHCP addresses(that match the config of the 1st 2 clients), but they cannot get to the gateway. They can ping any client on the WLAN and the controller.

Hi,
Please post the IP configuration for your gateway, the working clients and the clients having problems.
Regards,
Kristofer

RV016 - DHCP - Assign another Default Gateway IP

Maybe this is a simple issue for you but i couldnt solve it.
I am using a RV016 (192.168.1.2) as a router and DHCP. It automatically assigns its own IP which is 192.168.1.2 as a default gateway. And I can not set my RV016 to assign a static another Default Gateway IP of the server. The workstations will connect to internet via this server (192.168.1.1)
Any suggestions ?
Thanks, ....

Umut,
The RV016 does not give you the ability to assign a different gateway. If your users can get out via the 192.168.1.1 which means this servers must be doing routing as well. Which device in your network should be the default gateway ?
Thanks,
Jasbryan
Cisco Support Engineer

Wired guest access - Unable to access network

Hello,
I've configured two WLC's with the exact same config one of them has working Wired guest network the other one does not.
The only difference in the two I know of is that the one that does not work is connected to a Cisco 3550 switch, the one that works is connected to a Cisco 7600.
The problem is when I connect a computer to the wired guest network I am able to get an IP address from the Internal DHCP server but unable to access the network.
I've tried pinging the gateway's IP and I get no answer.
The Port-channel interface has the correct VLans and the vlans exist on all switches.
If anyone see an error there or might have an idea why this is not working I would appreciate the feedback.
Config follows below..
regards,
Gk

(Cisco Controller) >show running-config
802.11a cac voice tspec-inactivity-timeout ignore
802.11a cac voice stream-size 84000 max-streams 2
802.11b cac voice tspec-inactivity-timeout ignore
802.11b cac voice stream-size 84000 max-streams 2
location rssi-half-life tags 0
location rssi-half-life client 0
location rssi-half-life rogue-aps 0
location expiry tags 5
location expiry client 5
location expiry calibrating-client 5
location expiry rogue-aps 5
Cisco Public Safety is not allowed to set in thisdomain
ap syslog host global 255.255.255.255
auth-list ap-policy ssc enable
custom-web ext-webserver add 1 217.28.176.114
dhcp create-scope guestnetwork
dhcp address-pool guestnetwork 192.168.34.2 192.168.34.200
dhcp default-router guestnetwork 192.168.34.254
dhcp enable guestnetwork
dhcp dns-servers guestnetwork 212.30.200.200 212.30.200.199
dhcp network guestnetwork 192.168.34.0 255.255.255.0
local-auth method fast server-key *****
interface create guestnetwork 331
interface create guestnetwork-wired 332
interface address ap-manager 10.255.255.90 255.255.255.248 10.255.255.94
interface address dynamic-interface guestnetwork 192.168.34.1 255.255.255.0 192.168.34.254
interface address dynamic-interface guestnetwork-wired 192.168.35.1 255.255.255.0 192.168.35.254
interface address management 10.255.255.89 255.255.255.248 10.255.255.94
interface address service-port 10.60.4.200 255.255.255.0
interface address virtual 1.1.1.1
interface dhcp ap-manager primary 10.255.255.89
interface dhcp dynamic-interface guestnetwork primary 10.255.255.89
interface dhcp management primary 10.255.255.89
interface dhcp service-port disable
interface vlan ap-manager 226
interface vlan guestnetwork 331
interface vlan guestnetwork-wired 332
interface vlan management 226
interface port ap-manager 29
interface port guestnetwork 29
interface port guestnetwork-wired 29
interface port management 29
lag enable
load-balancing window 5
mesh security eap
mgmtuser add root **** read-write
mobility group domain XXXXXXX
mobility symmetric-tunneling enable
network otap-mode disable
network rf-network-name XXXXXXX
radius acct add 1 XXXXXXX 1813 ascii ****
radius auth add 1 XXXXXXX 1812 ascii ****
radius auth management 1 disable
spanningtree port mode off 1
spanningtree port mode off 2
sysname XXXXXXX
time ntp interval 3600
time ntp server 1 XXXXXXX
wlan create 1 hotspot hotspot
guest-lan create 1 hotspot-wired
wlan interface 1 guestnetwork
guest-lan interface 1 guestnetwork
wlan custom-web webauth-type external 1
wlan custom-web ext-webauth-url https://XXXXXXX
wlan session-timeout 1 disable
wlan wmm allow 1
wlan wmm allow 18
wlan security wpa disable 1
wlan security wpa disable 18
wlan radius_server auth add 1 1
wlan radius_server acct add 1 1
guest-lan radius_server auth add 1 1
guest-lan radius_server acct add 1 1
wlan dhcp_server 1 0.0.0.0 required required
wlan enable 1
guest-lan enable 1

Unable to Access Web Site (with same name) outside of Local Network

Hi everyone,
I have my web site (and some other services) hosted outside of my network by my hosting provider, but handle all other items using OS X Server on my network (i.e. Wiki and so forth).
The problem is now that I am unable to access my website at www.mydomain.com from within the network. I have external DNS set up for www.mydomain.com to point to my website, while mydomain.com points to my OS X Server (static IP address). Internally in OS X Server's DNS settings this used to work when I had www.mydomain.com resolving to the IP address of my web host, in addition to the default domain settings that OS X had set up. For some reason this is no longer working, and I am unable to figure out why.
Using latest version of OS X Server 3.0.2.
Any help is greatly appreciated. Thanks!
Update: this ended up being a redirect issue on the web host. I added another subdomain that was hosted externally, and it worked fine. For some reason my web host is redirecting www.mydomain.com to domain.com.

I am in Texas and cannot get to that site either. Do you know for sure the site is up and working? It could just be down (for days, a site I support was down for almost 4 full days a few weeks ago due to a virus problem).
This may (again, may) be your problem: I see you have a173.48.x.x (you really should x-out the last two octets of your IP address for privacy reasons), I am on a 173.74.x.x address; I know some people have had problems with getting to some sites now that they have a 173.x.x.x address. I think Verizon obtained addresses in that range and some of the addresses apparently previously belonged to spammers or some malicious folks.Some sites (web sites, intermeidate routers, etc.) blocked those addresses, and may not have updated their filters to remove the block on those addresses because they don't know that Verizon now owns them. If this is the problem, eventually those filters will get updated and you will be able to access the site, but this could be a fairly long time.
If you know how to contact that site I suggest you email them about the problem. You can also try turning off your router overnight and when you turn it back on the next day you may find that you have a different address (one that doesn't start with 173) that will allow you to get to the site.
I don't think there is much Verizon can do to help, it is not their site that is blocking your address (at least I don't think it is).
Hope this helps.
Justin
Verizon FiOS TV, Internet, and phone
IMG 1.6.2, Build 08.58
Keller, TX 76248

Unable to access internal networks over Remote acces VPN

Hi,
I have set up a Remote access VPN from Home to Cisco ASA 5512-X.
I am able to connect successfully and even getting a valid IP address from VPN pool 172.21.3.1-. However I am unable to access any of the internal resources.
Internal Network: 172.20.0.0 255.255.0.0
Please if someone can help identifying the issue.
Below is the running config:-
Result of the command: "sh run"
: Saved
ASA Version 9.1(1)
hostname ASA
domain-name M8fl.com
enable password Aoz9GlxLLvkWrTUy encrypted
passwd Gc1jA6zbgOsj63RW encrypted
names
ip local pool vpnclients 172.21.3.1-172.21.3.20 mask 255.255.0.0
ip local pool test 172.21.3.21-172.21.3.40 mask 255.255.255.0
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.20.254.250 255.255.0.0
interface GigabitEthernet0/2
description vodafone 100mb internet 195.11.180.40_29
speed 100
duplex full
nameif outside1
security-level 1
ip address 195.11.180.42 255.255.255.248
interface GigabitEthernet0/3
description Voice
nameif Voice
security-level 80
ip address 192.168.2.1 255.255.255.252
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
boot system disk0:/asa911-smp-k8.bin
ftp mode passive
clock timezone GMT 0
dns domain-lookup inside
dns domain-lookup outside1
dns domain-lookup management
dns server-group DefaultDNS
name-server 10.0.0.4
name-server 172.20.0.100
domain-name M8fl.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network VLAN1
subnet 172.20.0.0 255.255.0.0
object network NETWORK_OBJ_172.20.3.0_27
subnet 172.21.3.0 255.255.255.224
object network Voice_Net
subnet 172.21.20.0 255.255.255.0
object network PBX_Internal
host 192.168.2.2
description PBX Internal
object network Voice_External
host 195.11.180.43
description For PBX
object network Raith_Remote_Network
subnet 192.168.20.0 255.255.255.0
description Raith Remote Network
object network NETWORK_OBJ_172.21.3.0_27
subnet 172.21.3.0 255.255.255.224
object network NETWORK_OBJ_172.21.3.0_26
subnet 172.21.3.0 255.255.255.192
object-group network azure-networks
network-object 10.0.0.0 255.0.0.0
object-group network onprem-networks
network-object 172.20.0.0 255.255.0.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service test_PPTP
service-object ip
service-object tcp destination eq pptp
access-list azure-vpn-acl extended permit ip object-group onprem-networks object-group azure-networks
access-list outside_access_in extended permit ip object-group azure-networks object-group onprem-networks
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any log disable
access-list inside_access_in_1 extended permit ip object-group onprem-networks object-group azure-networks
access-list inside_access_in_1 extended permit ip any object Voice_Net log debugging
access-list inside_access_in_1 extended permit ip any any
access-list outside_access_in_1 extended permit ip object-group azure-networks object-group onprem-networks
access-list outside_access_in_1 extended permit icmp any any
access-list outside_access_in_1 extended permit ip any any inactive
access-list Voice_access_in extended permit ip any any log debugging
access-list outside_cryptomap extended permit ip object-group onprem-networks object Raith_Remote_Network
pager lines 24
logging enable
logging buffer-size 40000
logging buffered notifications
logging asdm debugging
mtu outside 1500
mtu inside 1500
mtu outside1 1500
mtu Voice 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside1) source static onprem-networks onprem-networks destination static azure-networks azure-networks
nat (inside,outside1) source dynamic VLAN1 interface
nat (inside,Voice) source static VLAN1 VLAN1 destination static Voice_Net Voice_Net no-proxy-arp route-lookup
nat (Voice,outside1) source static PBX_Internal Voice_External
nat (inside,outside) source static onprem-networks onprem-networks destination static Raith_Remote_Network Raith_Remote_Network no-proxy-arp route-lookup
nat (inside,outside1) source static any any destination static NETWORK_OBJ_172.21.3.0_27 NETWORK_OBJ_172.21.3.0_27 no-proxy-arp route-lookup
nat (inside,outside1) source static any any destination static NETWORK_OBJ_172.21.3.0_26 NETWORK_OBJ_172.21.3.0_26 no-proxy-arp route-lookup
access-group outside_access_in in interface outside
access-group inside_access_in_1 in interface inside
access-group outside_access_in_1 in interface outside1
access-group Voice_access_in in interface Voice
route outside1 0.0.0.0 0.0.0.0 195.11.180.41 10
route inside 172.21.20.0 255.255.255.0 172.20.20.253 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable 444
http 192.168.1.0 255.255.255.0 management
http 172.20.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt connection tcpmss 1350
sysopt noproxyarp outside
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set azure-ipsec-proposal-set esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=ASA
crl configure
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 28800
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 enable outside1
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 172.20.0.0 255.255.0.0 inside
telnet timeout 5
ssh 172.20.0.0 255.255.0.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd address 172.20.2.1-172.20.2.254 inside
dhcpd dns 10.0.0.4 172.20.0.100 interface inside
dhcpd enable inside
dhcpd dns 172.21.20.254 interface Voice
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside 172.20.2.34 /tftp
webvpn
enable outside1
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3
anyconnect enable
tunnel-group-list enable
internal-password enable
group-policy DefaultRAGroup_2 internal
group-policy DefaultRAGroup_2 attributes
dns-server value 10.0.0.4 172.20.0.100
vpn-tunnel-protocol l2tp-ipsec
default-domain value
group-policy DefaultRAGroup_3 internal
group-policy DefaultRAGroup_3 attributes
dns-server value 10.0.0.4 172.20.0.100
vpn-tunnel-protocol ikev1 l2tp-ipsec
default-domain value
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 10.0.0.4 172.20.0.100
vpn-tunnel-protocol l2tp-ipsec
default-domain value
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
dns-server value 10.0.0.4 172.20.0.100
vpn-tunnel-protocol l2tp-ipsec
default-domain value
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
group-policy RA_VPN internal
group-policy RA_VPN attributes
dns-server value 8.8.8.8 4.2.2.2
vpn-tunnel-protocol ikev1
default-domain value
group-policy "GroupPolicy_Anyconnect _profile" internal
group-policy "GroupPolicy_Anyconnect _profile" attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ssl-client ssl-clientless
default-domain none
webvpn
file-browsing enable
group-policy GroupPolicy_89.241.208.14 internal
group-policy GroupPolicy_89.241.208.14 attributes
vpn-tunnel-protocol ikev1
username test2 password encrypted privilege 15
username test1 password nt-encrypted privilege 0
username test1 attributes
vpn-group-policy DefaultRAGroup_2
username test password encrypted privilege 15
username test attributes
vpn-group-policy DefaultRAGroup_1
username EdwardM password encrypted privilege 15
username vpntest password encrypted privilege 0
username vpntest attributes
vpn-group-policy RA_VPN
username vpntest3 password nt-encrypted privilege 15
username vpntest3 attributes
service-type remote-access
username rhunton password encrypted privilege 15
username rhunton attributes
service-type admin
username e.melaugh password encrypted privilege 15
username netx password encrypted privilege 15
username netx attributes
service-type remote-access
username colin password encrypted privilege 15
username colin attributes
service-type remote-access
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup general-attributes
address-pool vpnclients
default-group-policy DefaultRAGroup_3
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive disable
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
tunnel-group "Anyconnect _profile" type remote-access
tunnel-group "Anyconnect _profile" general-attributes
address-pool vpnclients
default-group-policy "GroupPolicy_Anyconnect _profile"
tunnel-group "Anyconnect _profile" webvpn-attributes
group-alias "Anyconnect _profile" enable
tunnel-group 137.117.215.177 type ipsec-l2l
tunnel-group 137.117.215.177 ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
isakmp keepalive disable
tunnel-group 89.241.208.14 type ipsec-l2l
tunnel-group 89.241.208.14 general-attributes
default-group-policy GroupPolicy_89.241.208.14
tunnel-group 89.241.208.14 ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect pptp
policy-map type inspect ipsec-pass-thru Fairhurst
description to allow vpn to fairhurst network
parameters
esp
ah
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f4185106b309478da7804dc22d2c1a85
: end

Hi,
You seem to have this nat (inside,outside1) source dynamic VLAN1 interface at line 2 which is causing the identity Nat/ Nat exempt to fail.
It is always good to use the packet tracer feature on the ASA to see what exactly is happening.
Try this
nat (inside,outside1) 1 source static VLAN1 VLAN1 destination static NETWORK_OBJ_172.21.3.0_27 NETWORK_OBJ_172.21.3.0_27 no-pr route-lo
Let me know how it goes for you.
Regards,
Nitish Emmanuel

VPN connects but unable to access resources on remote network

HI,
I'm able to ping the ASA interface once the VPN is connected but unable to access any of the resources located on the remote network such as shares and computers. The cisco vpn client shows data being sent and recieved when I ping the interface on the ASA but it doesn't recieve any data when I attempt to ping or access other resources on the network.
ASA Version 8.2(5)
hostname HOST_NAME
domain-name default.domain.invalid
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
speed 10
duplex half
interface Ethernet0/4
speed 100
duplex full
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.10.8.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 12.x.x.x x.x.x.x
boot system disk0:/asa825-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 10.10.8.2
domain-name default.domain.invalid
same-security-traffic permit intra-interface
object-group service Vipre tcp
port-object range 18082 18082
port-object range 18086 18086
object-group network town
network-object 192.168.0.0 255.255.0.0
access-list outside_20_cryptomap extended permit ip 10.10.8.0 255.255.255.0 192.168.0.0 255.255.252.0
access-list new extended permit ip host 192.168.0.1 any
access-list new extended permit ip any host 192.168.0.1
access-list outside_20_cryptomap_1 extended permit ip 10.10.8.0 255.255.255.0 192.168.0.0 255.255.252.0
access-list townoffice_splitTunnelAcl standard permit 10.10.8.0 255.255.255.0
access-list townremote_splitTunnelAcl standard permit 10.10.8.0 255.255.255.0
access-list outside_access_in extended permit tcp any interface outside object-group Vipre
access-list outside_access_in extended permit tcp any object-group Vipre interface inside object-group Vipre
access-list outside_access_in extended permit tcp any eq 3389 10.10.8.0 255.255.255.0 eq 3389
access-list test extended permit ip host 192.168.0.6 host 10.10.8.155
access-list test extended permit ip host 10.10.8.155 host 192.168.0.6
access-list test extended permit ip host 10.10.8.2 host 192.168.3.116
access-list test extended permit ip host 192.168.3.116 host 10.10.8.2
access-list test extended permit ip host 10.10.8.155 host 192.168.3.116
access-list bypass extended permit ip host 10.10.8.155 host 192.168.3.116
access-list bypass extended permit tcp 192.168.0.0 255.255.0.0 10.10.8.0 255.255.255.0
access-list bypass extended permit tcp 10.10.8.0 255.255.255.0 192.168.0.0 255.255.0.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpn 10.10.8.125-10.10.8.149 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.0.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 18082 10.10.8.2 18082 netmask 255.255.255.255
static (inside,outside) tcp interface 18086 10.10.8.2 18086 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 10.10.8.2 3389 netmask 255.255.255.255
static (inside,inside) 192.168.0.0 192.168.0.0 netmask 255.255.0.0
static (inside,inside) 10.10.8.0 10.10.8.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 12.70.119.65 1
route inside 192.168.0.0 255.255.0.0 10.10.8.250 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http outside
http outside
http inside
http outside
http inside
http outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto map outside_map 20 match address outside_20_cryptomap_1
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 69.87.150.118
crypto map outside_map 20 set transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30
telnet 10.10.8.0 255.255.255.0 inside
telnet timeout 5
ssh 63.161.207.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
dhcpd dns 10.8.8.2
dhcpd address 10.10.8.150-10.10.8.200 inside
dhcpd dns 10.10.8.2 interface inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy aaa internal
group-policy aaa attributes
dns-server value 10.10.8.2 4.2.2.2
vpn-tunnel-protocol IPSec
default-domain value domainname
group-policy bbb internal
group-policy bbb attributes
wins-server value 10.10.8.2
dns-server value 10.10.8.2
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelall
split-tunnel-network-list value townoffice_splitTunnelAcl
default-domain value domainname.local
group-policy townremote internal
group-policy townremote attributes
wins-server value 10.10.8.2
dns-server value 10.10.8.2 4.2.2.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value townremote_splitTunnelAcl
default-domain value domainanme
group-policy remote internal
group-policy remote attributes
wins-server value 10.10.8.2
dns-server value 10.10.8.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value townremote_splitTunnelAcl
default-domain value dksecurity.local
address-pools value vpn
username xxxx password . encrypted privilege 15
username xxxx attributes
vpn-group-policy dksecurityremote
username xxx password encrypted privilege 15
username xxx attributes
vpn-group-policy dksecurityremote
username xxxx password . encrypted privilege 15
username xxx password encrypted privilege 15
username xxx attributes
vpn-group-policy dksecurityremote
username xxx password encrypted privilege 15
username xxxx attributes
vpn-group-policy dksecurityremote
username xxx password encrypted privilege 15
username xxx attributes
vpn-group-policy dksecurityremote
username xxx password encrypted privilege 15
username xxx attributes
vpn-group-policy dksecurityremote
username xxx password encrypted privilege 15
username xxx password encrypted privilege 15
username xxxx attributes
vpn-group-policy remote
username xxx password encrypted privilege 15
username xxx attributes
vpn-group-policy remote
username xxx password encrypted privilege 15
username xxx attributes
vpn-group-policy remote
username xxxx password encrypted privilege 15
username xxx password encrypted privilege 15
username xxx attributes
vpn-group-policy remote
tunnel-group 69.87.150.118 type ipsec-l2l
tunnel-group 69.87.150.118 ipsec-attributes
pre-shared-key *****
tunnel-group remote type remote-access
tunnel-group remote general-attributes
address-pool vpn
default-group-policy townremote
tunnel-group townremote ipsec-attributes
pre-shared-key *****
isakmp keepalive disable
tunnel-group townremote type remote-access
tunnel-group townremote general-attributes
address-pool vpn
default-group-policy townremote
tunnel-group lansingremote ipsec-attributes
pre-shared-key *****
class-map tcp-bypass
match access-list bypass
class-map test
match access-list new
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
no dns-guard
no protocol-enforcement
no nat-rewrite
policy-map global_policy
class test
class inspection_default
policy-map tcp
class tcp-bypass
set connection random-sequence-number disable
set connection advanced-options tcp-state-bypass
service-policy global_policy global
service-policy tcp interface inside
prompt hostname context
call-home reporting anonymous prompt 2
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:c724d6744097760d94a7dcc79c39568a
: end

You need to change the VPN pool ip subnet to something other than the same ip range used on the inside interface.
Sent from Cisco Technical Support iPad App

VRF , Management access only and default gateway

Hello
I am preparing (3) new devices to become my new WAN. The topology looks like,
                 ASR1002x - Has management int and dg for remote access.
                                     Also has DG to WAN ISP via BGP
                 3750x stack - Has management int and dg for remote access. (ip vrf management 0.0.0.0 0.0.0.0 (Management vlan hsrp ip))
                                       Also has DG to ASR hsrp - which causes the Management access to drop.
                 ASA5545x - Has management int and dg for remote access.
                                      Also has DG to ASR hsrp - which causes the Management access to drop.
I MUST KEEP THESE NEW DEVICES OFF THE PRODUCTION NETWORK TO AVOID ANY POSSIBLE ROUTING ISSUES.
I have implemented unique EIGRP instances between the new devices.
These new devices have a management interface so I can access them remotely. I configured the default gateway pointing to the HSRP of the management Vlan and I have remote access.
Obviously I cannot have (2) default gateways out different interfaces, without assigning one with higher admin.
What should my management default gateway look like so I can have remote access to the device and still have the WAN/LAN routing work as needed??

found another thread with some suggestions, maybe it helps at the moment.
http://forums.lenovo.com/lnv/board/message?board.id=Special_Interest_Utilities&thread.id=6000

Setting default gateway in subnetted network

I have a /24 that i have been using as 2 x/25. Recently i was asked to subnet the network into 1x /27, 3x /28 and 1x /30. Previously I just had one default gateway. Now how will I set the default gateway for all these subnets?

Hi ,
Yes if you want to route the traffic between subnets ,then you need gateway to defined on your network elements (router /L3 switches) .
After breaking into number of subnets , ensure you have created appropriate vlan on layer 2 switch if applicable , Switch port access accrodingly .
Use Subnet calculator
https://www.cisco.com/cgi-bin/Support/IpSubnet/home.pl
HTH
sandy

Unable to access media files on network via wirele...

Up until a month ago was able to access media files through wireless, Os is wins 7, HomeHub 2. the curious thing is no problem accessing internet wirelessly, Have reconfigured Homegroup network, changed WEP key, channel no,reset connected devises then for a couple of minutes I actually access my media files then nothing , and nothing since. unable to access Hub manager from desktop icon or internet browser now. One thing that might be pertinent is that my father has just had YouView installed around the time the problem started. Contacted the call centre for help they came back informing me that you cannot share files through a BT Hub ! last resort sent an email . Anyone out there can throw me a line I'd much appreciate it

Try a factory reset of the homehub by pressing a pin into the recess button on the rear for about 20 seconds. This will put your wireless passkey which is on the homehub label so you will need to either reconnect your devices to the default wireless passkey or change it back to what you had.

Cascading RV180 as DHCP server but pointing to another default gateway router

Hi,
My network topology is as follows:
Internet <-> Residential Gateway (RG) from ISP (OEM: Pace) [192.168.1.254/255.255.255.0] <-> RV180 [192.168.1.253/255.255.255.0] <-> SG500 switch [192.168.1.250/255.255.255.0] <-> rest of network.
I know this is a cascading LAN-to-LAN arrangement. The cable from the RG to the RV180 is from a LAN port on the RG to a LAN (not WAN) port on the RV180.
I eventually want to segment my network into a few VLANs from the RV180 down. I am aware most people would recommend DHCP on the "primary" router, but the RG is non-VLAN aware, so I figure I need to handle the DHCP off the RV180. At the same time, I have also opted not to do a LAN-to-WAN cascade because I want to retain the ability to configure the RG from the rest of the network and not have to cart a computer over to the RG to do it.
On the RG, I've disabled DHCP, and placed 192.168.1.253 in the DMZ.
On the RV180, I've enabled DHCP and put it in Router mode.
The issue is that I do not have any Internet connectivity. If I allow the computers in the network to receive IP addresses over DHCP, the default gateway that is communicated is 192.168.1.253, which is the RV180. If I configure static IPv4 information on my computers to point to 192.168.1.254, I am able to connect outside, as you would expect.
How can I get the RV180 to pass out DHCP IP addresses, but point to 192.168.1.254 as the default gateway? I thought the solution might be to create a default route (or something). I went to the static routes tab but it wouldn't let me enter 0.0.0.0 as a destination IP to route through 192.168.1.254.
Further down the line, is it possible for both the RG and the RV180 to connect directly to the SG500, along with the other nodes in my network? That way the RV180 only serves to maintain the VLANs and pass out IP addresses via DHCP, instead of having it be the choke through which everything goes through on the way out?
Sorry if there is a really obvious solution to this. It's really been floundering about in the dark so would appreciate any advice

Hi Jason, I have considered your post here for quite some time. I came to one conclusion based off your text. The entire purpose of the RV180 is a DHCP server for multiple subnet / vlan.
Here's the thing, you have a SG500 switch. Based off reading your text, this will do everything the RV180 can except the DHCP service. The limitation you are going to run in to is still going to be your gateway unit, the RG.
In the end, even with such a configuration using the RV!80 or the SG500 (layer 3), the RG will have to be configured with static routes since the RG has no concept of those other LAN segments.
Here is a post I wrote about a SG300 connecting to a RV0XX router (which doesn't understand the VLANs)
https://supportforums.cisco.com/message/3739083#3739083
Using the concept of this topic, you may be able to add aditional static routes on the RV180 sending each subnet to the common IP interface of the RG.
It would be very interesting to see if we could make that work.
-Tom
Please rate helpful posts

Unable to access the data from Data Management Gateway: Query timeout expired

Hi,
Since 2-3 days the data refresh is failing on our PowerBI site. I checked below:
1. The gateway is in running status.
2. Data source is also in ready status and test connection worked fine too.
3. Below is the error in System Health -
Failed to refresh the data source. An internal service error has occurred. Retry the operation at a later time. If the problem persists, contact Microsoft support for further assistance.
Error code: 4025
4. Below is the error in Event Viewer.
Unable to access the data from Data Management Gateway: Query timeout expired. Please check 1) whether the data source is available 2) whether the gateway on-premises service is running using Windows Event Logs.
5. This is the correlational id for latest refresh failure
is
f9030dd8-af4c-4225-8674-50ce85a770d0
6.
Refresh History error is –
Errors in the high-level relational engine. The following exception occurred while the managed IDataReader interface was being used: The operation has timed out. Errors in the high-level relational engine. The following exception occurred while the
managed IDataReader interface was being used: Query timeout expired.
Any idea what could have went wrong suddenly, everything was working fine from last 1 month.
Thanks,
Richa

Never mind, figured out there was a lock on SQL table which caused all the problems. Once I released the lock it PowerPivot refresh started working fine.
Thanks.

Unable to access my other macs in the airport network

Since I have installed Leopard 10.5.1 I am unable to access my other MACs in my airpot network for file sharing. Interesting that I can accesss my older IMAC which has TIGER 10.4.11 installed. This bug is new since I updated to 10.5.1. Its funny but "screensharing" on the other hand is working.
(I checked all possibilities in the firewall setting. (File sharing) is allowed on all MACs.
Anyone with a solution or having the same problem
Tony

Ok, they didn't post the link to my screen cap.
Here is the link to the screen cap of my problem in FireFo:.
http://i88.photobucket.com/albums/k196/ajax6677/more.png
Here is how it looks when loaded properly in IE:
http://i88.photobucket.com/albums/k196/ajax6677/more2.png
They are also attached below/

Windows 8.1 Pro Need command to disable "Use default gateway on remote network" option on VPN connection"

Hello!
I want to create bat script to create several VPN connection.
There is powershell command to create vpn connection:
add-vpnconnection -name "Test VPN" -serveraddress "vpn.example.com" -splittunneling -tunneltype "pptp"
And I need to create VPN connection without the option "Use default gateway on remote network" option on VPN connection"
Or modify this option on existent VPN connection with command.
Please help me to find command option or other command to disable "Use default gateway on remote network" option on VPN connection" feature.

http://technet.microsoft.com/nl-nl/library/ee431701%28v=ws.10%29.aspx RouteIPv4TrafficOverRAS True – Add a default gateway on the VPN connection False – Do not add default gateway on the VPN connection

Cascaded network unable to access default gateway att 5031nv

Similar Messages

Maybe you are looking for