CISCO RV180 - Limited VPN Access

Hello!
I'm using CISCO Router RV180 for incoming VPN connections. I just learned how to do it, I did all the settings and it is working now. However I have noticed that users who connect through thier VPN Clients can see the whole internal network. Can those be limited to only certain local IPs?
For example my local network is 10.x.x.x. I have CISCO Router Web Interface avaliable to login at 10.x.x.1 and the Web Server I want users to access is on 10.x.x.2. Can I forbid acceess for VPN users who connect through the CISCO IP so this 10.x.x.1 address avalable for local users only?

Dear Marty, thank you for the detailed instructions. This is a good thing to know. I have tried this out and then realized that it probably not exactly what I need, or I missed something from your write-up.
I have the webserver connected to Port 1 and I manage the CISCO Router from that webserver. The CISCO Router has IP address 10.10.10.1 and the webserver is 10.10.10.2. There are no other devices connected to the router. The webserver has additional network interfaces and all local devices are connected through that.
Till now I had port 443 forwarded by the CISCO routed to the webserver for external connections. But a security consultant adviced to switch the external clients from HTTPS to VPN (still leaving HTTPS though). That's I'm working on right now. I was adviced to use L2TP but I didn't find how I can set it up on the Router (though the manual says it should be there) so I made PPTP for now. I did that by adding IKE Policy and a VPN user (don't know if anything else is needed but it seems working fine).
When I try to connect from outside by a VPN Client which is WIn 7 (creating VPN network feature) the VPN network gets created and I can go to 10.10.10.2 to see the webserver. But I also can go to 10.10.10.1 and see the CISCO Router login page. The last one I'm trying to hide if possible. Also I didn't figure out yet if such VPN users can use other ports or it is still only 443 allowed for them. Ideally I want VPN users login and see only the webserver and only on 443 port. Not sure if that is possible.

Similar Messages

  • Help with Cisco RV180 VPN

    I have installed the Cisco RV180 VPN at a customer location.
    Because this customer makes credit card transactions over the Internet, their merchant account requires a third-party to perform a security scan on the gateway.  When scanning, the third-party states they are not in compliance with this report:
    THREAT REFERENCE
    Summary:
    TLS Protocol Session Renegotiation Security Vulnerability
    Risk: High (3)
    Port: 443
    Protocol: TCP
    Threat ID: misc_opensslrenegotiation
    Details: Multiple Vendor TLS Protocol Session Renegotiation Security Vulnerability
    06/11/12
    CVE 2009-3555
    Multiple vendors TLS protocol implementations are prone to a  security vulnerability related to the session-renegotiation process  which allows man-in-the-middle attackers to insert data into HTTPS  sessions, and possibly other types of sessions protected by TLS or SSL, by  sending an unauthenticated request that is processed retroactively by a  server in a post-renegotiation context.
    Information From Target:
    Service: 443:TCP
    Session Renegotiation succeeded on 443:TCP
    They are using the QuickVPN Client to connect and must be able to connect from anywhere in the world.  From my understanding, port 443 must be opened for the QuickVPN Client to function.  How do I block port 443 from everyone except the QuickVPN Client?  Or how do I configure the RV180 to satisfy the above threat?
    Thanks in advance for any information you can provide.

    Hi,
    following config is for cisco VPN client access with dynamic allocation and split-tunnel.
    Hope this helps, please rate post if it does!
    aaa new-model
    aaa authentication login userauthen local
    aaa authorization network groupauthor local
    username vpnc password 0 userpass
    crypto isakmp client configuration group vpncg
    key grouppass
    dns 4.2.2.1
    wins 10.59.2.10
    domain domain.com
    pool ip-pool
    acl 108
    crypto ipsec transform-set myset esp-aes esp-sha-hmac
    crypto dynamic-map dynmap 10
    set transform-set myset
    crypto map clientmap client authentication list userauthen
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    interface FastEthernet0/0
    ip nat outside
    crypto map clientmap
    interface vlan1
    ip address 10.59.2.1 255.255.255.0
    ip nat inside
    ip local pool ip-pool 10.0.230.1 10.0.230.20
    access-list 108 remark VPN client split tunnel
    access-list 108 permit ip 10.59.2.0 0.0.0.255 10.0.230.0 0.0.0.255

  • VPN and limiting internet access

    I posted this under the SMB as well but wanted to post under the VPN header at the same time.
    Hello all, I am very new to VPN's and Firewalls so please forgive me for lack of terminology usage.
    I am part of a company that has 20 internal PC's and 25 external sites (Convienient stores) that are all now being placed on a VPN. We purchased a ASA 5510 for the office and we are placing Linksys RV042 routers at the stores. What my question is, is that we have a few stores that need limited internet access because we have Subway restaurants there and they need to download and upload at times. What I dont want is to allow full access to the net because of the chance of outside attacks or viruses.
    My question is, what can be done to set the VPN in place but only allow certain access to web addresses that we say is alright to have communication with?
    Is this possible and / or what else needs to be purchased?
    I thank you in advance for any help you can advise on.
    JJ

    The problem with the internet is, how do you define this 'certain' addresses. Is this possible for you?
    There is an option in VPNs called split tunneling, which has a "Exclude specified" mode, that might help.
    Regards\
    Farrukh

  • Cisco 2504 WLC client VPN Access

    Hi,
    I was reading couple of posts related to Cisco WLC + Client VPN passthrough .. and got  a query.
    https://supportforums.cisco.com/thread/2183687
    https://supportforums.cisco.com/thread/2219356
    The second link says that "Remote Acces VPN connections through the WLC work out of the box". Is this True? No need to configure Layer 3 VPN-Pass though for the SSID?
    They are using WPA2+PSK as Layer 2 Security. Here WPA2-PSK + VPN Passthrough is the right combination for WLAN Layer2 + Layer 3 Security?
    Thanks,
    Jagan

    It works out of the box... you don't need to configure any passthrough.. just connect to the ssid and VPN away.
    Thanks,
    Scott
    Help out other by using the rating system and marking answered questions as "Answered"

  • Cisco asa 5505 vpn issue

    I have a cisco asa 5505 that I am setting up VPN access too. I have multiple subnets all routed through  a layer 3 switch conected to my asa. My problem is I can ping everything on VLAN1 (192.168.100.0/24) but no other VLANS (10.141.152.0/23 etc.) 

    Post the config of your ASA and someone will be able to assist.

  • Cisco ASA 5505 VPN with iPhone

    Hello Everyone. I am a newbie to the Cisco appliances, so please bear with me. I am trying to configure this unit to allow iPhone VPN access to our network to sync LOTUS DOMINO (Not Exchange) user's Email, Contacts, and Calendar. We have a Sonicwall NSA 2400 that is our main router, so the ASA will only be used for VPN access, not routing. It will be in the DMZ providing VPN access for the iPhones. With the VPN connected, we need to limit access to only those services required by the iphone to sync information. The Software version on the Cisco is 7.2(4). If there is anyone that could help me out, I would greatly appreciate it. Please remember I am new to this, so please be patient. Where do I begin? I hope to hear from anyone soon.

    Hi,
    I cannot help you with the Cisco side of the equation, but do you know about Lotus Traveler? It's free from IBM and essentially adds ActiveSync support to your Domino email environment. The iPhone is configured with an Exchange ActiveSync account and pointed to the Lotus Traveler server (which sits in your DMZ and only needs port 80/443 access). It gives you full push email/contacts/calendar (Blackberry-like) functionality.
    Like I said, it's a free add-on from IBM Lotus for all licensed Domino users.

  • Help, How to configure cisco ASA5505 to permit access to internal LAN

    Hi everyone,
    Once more I am stuck into another dilemma , I have configured a Cisco ASA 5505 to allow VPN access from outside to my LAN using Cisco VPN Client software. The connection is establishing properly with the ip address from my VPNPool.
    From outside (on VPN connection) I can ping the interface e0/0 (outside)  and the interface e0/1 (inside) of the firewall, but I cannot ping the layer 3 switch interface to which the ASA is connected ( int gi1/0/22 ip address 192.168.1.2/30 ) and I cannot ping any vlan interfaces inside my switch. Therefore, I cannot connect to any server on my internal LAN.
    I hope my explaination does make sense, I am available at any time if further information is needed. Please find attached my ASA config.
    Best regards,
    BEN

    Many thanks Marvin,
    I have configured the router ospf the way you instructed me, I have changed the VPN Pool to a complete different class of 10.0.1.0/24, I have also configured : access-list OUTSIDE_IN_ACL permit icmp any any echo-relpy and access-group OUTSIDE_IN_ACL in interface outside. but I can only from my VPN connection ping both interfaces of the ASA and nothing else.
    Please find attached my ASA and the layer 3 switch configs. And also ASA and L3 Switch ip route output.
    Note this: When connected to my VPN, cmd>ip config /all it showing as follows: ip address 10.0.1.100
                                                                                                                                   Subnet Mask 255.0.0.0 
                                                                                                                                    Def Gateway 10.0.0.1 
                                                                                                                                    dns server 192.168.30.3
    Best regards,
    BEN.
    Message was edited by: Bienvenu Ngala

  • Can I use the guest network on a AE connected to a Cisco RV180?

    I have not been able to connect to the guest network on my AE with a Cisco RV180 as the gateway. I read in an older post that the guest network my not work on all equipment, that it must be connected to a "simple" modem. Just want to find out if the Cisco is compatable.

    The AirPort Express does need to connect to a simple modem in order for the Guest Network feature to work correctly.
    According to Cisco the  RV180 is a VPN Router, so it would not be compatible with the AirPort Express for the purpose that you ask about.
    Cisco RV180 VPN Router Data Sheet [Cisco Small Business RV ...

  • HELP!! Cisco RV180 Port Forwarding

    Someone please advise as to this is the first time I've tried to setup port forwarding using the Cisco RV180 Router. I have a Cisco RV180 Router, a Ruckus 7055 access point and a power distribution unit. I'd like to be able to access the router remotely and also the devices behind the router (the ruckus access point and the power distribution unit). I'm assuming that I'll need to assign the Cisco RV180 router a static IP address and I'm assuing that this static address should be assigned to the WAN port? I'd also like to configure port forwarding so that I can access the ruckus and the PDU remotely also. I've tried assigning a static IP address to the WAN port of the RV180 but I cannot ping this device remotely. Anyone have any advice on accessing the RV180 remotely? I've populated all of the correct fields for the WAN settings (ip, gateway, subnet, etc.) , and my static ip address is valid.Thank you in advance.

    Hello sirflex,
    As you have mentioned you need to configure a static nat for the devices which you have done when you configure a port forwarding.
    Have you configured access rules under firewall>access Rules. Add the access rules for the ping and the Http and Https services.
    Can you capture the packets at the WAN port while you are pinging the WAN port and the firmware version on the device.
    Which mode are you running the device gateway or router. You can check it under Netwroking>Routing>Routing Mode.
    Thanks,
    Prithvi
    Please mark answered and rate for helpful posts.

  • Ios VPN access form handled devices

    hi
    someone here had configured on a router the vpn access form handled devices?
    Really i don't know where to start!

    You must select one of the following modes of operation when you enable the PIX Firewall as an Easy VPN Remote device:
    Client modeIn this mode, VPN connections are initiated by traffic, so resources are only used on demand. In client mode, the PIX Firewall applies Network Address Translation (NAT) to all IP addresses of clients connected to the inside (higher security) interface of the PIX Firewall. To use this mode, you must also enable the DHCP server on the inside interface, as described in " Using the PIX Firewall DHCP Server."
    Network extension modeIn this mode, VPN connections are kept open even when not required for transmitting traffic. This option does not apply NAT to any IP addresses of clients on the inside (higher security) interface of the PIX Firewall.
    In network extension mode, the IP addresses of clients on the inside interface are received without change at the Easy VPN Server. If these addresses are registered with the Network Information Center (NIC), they may be forwarded to the public Internet without further processing. Otherwise, they may be translated by the Easy VPN Server or forwarded to a private network without translation.
    http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00800eb72d.html

  • VPN Access via LDAP authentication

    Hello everyone,
    I have setup an OS X server to serve as our department's VPN server. I am attempting to configure it to use an existing linux LDAP server for authentication, so that we don't need to have local accounts on the server. In the Directory Utility I have entered the information to point to our LDAP, and have it configured as RFC 2307 (Unix) for LDAP mappings. Everything in the Directory Utility appears that it considers the LDAP connection to be valid. In fact, from a terminal I can successfully finger users in LDAP.
    In the Server Admin, I have selected the users that I wish to have VPN access (the LDAP users also show up in this list). However, when I try to connect to it, it fails almost immediately. Here is a snippet of the server's VPN log file (I have changed the IP addresses and hostname in the logfile to "*"):
    2010-05-11 20:37:13 EDT Incoming call... Address given to client = **.***.***.**
    Tue May 11 20:37:14 2010 : Directory Services Authentication plugin initialized
    Tue May 11 20:37:14 2010 : Directory Services Authorization plugin initialized
    Tue May 11 20:37:14 2010 : PPTP incoming call in progress from '**.***.***.**'...
    Tue May 11 20:37:14 2010 : PPTP connection established.
    Tue May 11 20:37:14 2010 : using link 0
    Tue May 11 20:37:14 2010 : Using interface ppp0
    Tue May 11 20:37:14 2010 : Connect: ppp0 <--> socket[34:17]
    Tue May 11 20:37:14 2010 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xaef8a1b5> <pcomp> <accomp>]
    Tue May 11 20:37:14 2010 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xaef8a1b5> <pcomp> <accomp>]
    Tue May 11 20:37:17 2010 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xaef8a1b5> <pcomp> <accomp>]
    Tue May 11 20:37:17 2010 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x1b8adf3d> <pcomp> <accomp>]
    Tue May 11 20:37:17 2010 : lcp_reqci: returning CONFACK.
    Tue May 11 20:37:17 2010 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x1b8adf3d> <pcomp> <accomp>]
    Tue May 11 20:37:17 2010 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xaef8a1b5> <pcomp> <accomp>]
    Tue May 11 20:37:17 2010 : sent [LCP EchoReq id=0x0 magic=0xaef8a1b5]
    Tue May 11 20:37:17 2010 : sent [CHAP Challenge id=0xc6 <7636b1bad668b175a847d43875397f99>, name = "***.*****.edu"]
    Tue May 11 20:37:17 2010 : rcvd [LCP EchoReq id=0x0 magic=0x1b8adf3d]
    Tue May 11 20:37:17 2010 : sent [LCP EchoRep id=0x0 magic=0xaef8a1b5]
    Tue May 11 20:37:17 2010 : rcvd [LCP EchoRep id=0x0 magic=0x1b8adf3d]
    Tue May 11 20:37:17 2010 : rcvd [CHAP Response id=0xc6 <4a2f0f54d4ce55fe6d1308a8206c4b02000000000000000046f6233c5bb9ea82f6ef2164eb55ed a3355a931a6762101300>, name = "mouck"]
    Tue May 11 20:37:17 2010 : sent [CHAP Failure id=0xc6 "\37777777677:\r\002"]
    Tue May 11 20:37:17 2010 : CHAP peer authentication failed for mouck
    Tue May 11 20:37:17 2010 : sent [LCP TermReq id=0x2 "Authentication failed"]
    Tue May 11 20:37:17 2010 : rcvd [LCP TermReq id=0x2 "Failed to authenticate ourselves to peer"]
    Tue May 11 20:37:17 2010 : sent [LCP TermAck id=0x2]
    Tue May 11 20:37:17 2010 : Connection terminated.
    Tue May 11 20:37:17 2010 : PPTP disconnecting...
    Tue May 11 20:37:17 2010 : PPTP disconnected
    I am unsure why the authentication is not working. In the past, I have tried to configure the Open Directory service to be "Connected to a Directory System" but could never get the service to start. To be honest, I'm not even positive I need to have the Open Directory service running, since the authentication should hopefully be passed to our existing LDAP.
    Any thoughts or suggestions would be greatly appreciated. Thanks very much!

    Hi oleg,
    It's a very common issue and generally happens when you try to connect the VPN client from the same location which has a site to site VPN with the device. For example if you try to connect the VPN client to the ASA and your public Ip is 1.1.1.1 and on the same ASA if you have a Site to Site VPN already connnect with an IP address 1.1.1.1 you will see the following error in the debug:
    "cannot match peerless map when peer found in previous map entry."
    Please check for the same, if thats the case you are hitting the following bug:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCuc75090
    You needed a Cisco CCO id to check the link.
    Thanks
    Jeet Kumar

  • SRP526W to forward or provide VPN access for clients

    Hi,
    we are having a SRP526W here which replaced a cheap, simple router. Now we would like to set up the VPN-access for outside clients again. So far this was done by forwarding PPTP (TCP 1723 and GRE) to the Windows 2000 Routing and RAS-server inside the network.
    According to this post the SRP521W, and therefore I suppose as well the SRP526W, are not able to forward GRE: https://supportforums.cisco.com/thread/2093204
    Is there a way to provide VPN access for outside clients with this router? Maybe with L2TP (but then we would need to forward ESP) or IPSec (ESP and AH as far as I know)?
    If there is no solution we would need to replace this device again with a cheap, simple router which is able to forward GRE - as you can imagine, we would like to save Cisco from this shame.
    Kind regards
    Dominik

    Hi Dominik,
    It is not possible to use L2TP or PPTP from the SRP526 (This is only possible from the Ethernet WAN interface).  It is possible to set up an IPSec VPN or GRE tunnel from the SRP to a peer in the network.
    This might offer some guidance here.
    Regards,
    Andy

  • Remote VPN access with Windows 7, 64 bit

    Hey there,
    What do you guys suggest for Remote VPN access with Windows 7, 64 bit?

    Hi,
    You can configure a Remote access VPN with a  windows 7, 64 bit client. You wieall hav to download a IPsec VPN client  specially for a 64-bit machine. It should not give you much trouble.
    The  client is vpnclient-winx64-msi-5.0.07.0290-k9.exe. it is available on  cisco.com site.
    hope this helps.
    Regards,
    Anisha
    P.S.:  please mark this thread as resolved if you feel your query is resolved.  Do rate helpful posts.

  • ASA 5505: VPN Access to Different Subnets

    Hi All-
    I'm trying to figure out how to configure our ASA so that remote users can have VPN access to two different subnets (office LAN and phone LAN).  Currently, I have 3 VLANs setup -- VLAN 1 (inside), VLAN 2 (outside), VLAN 13 (phone LAN).  Essentially, remote users should be able to access their PC (192.168.1.0 /24) and also access the office phone system (192.168.254.0 /24).  Is this even possible?  Below is the configurations on our ASA,
    Thanks in advance:
    ASA Version 8.2(5)
    names
    name 10.0.1.0 Net-10
    name 20.0.1.0 Net-20
    name 192.168.254.0 phones
    name 192.168.254.250 PBX
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    switchport access vlan 3
    interface Ethernet0/6
    interface Ethernet0/7
    switchport access vlan 13
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.98 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address X.X.139.79 255.255.255.224
    interface Vlan3
    no nameif
    security-level 50
    ip address 192.168.5.1 255.255.255.0
    interface Vlan13
    nameif phones
    security-level 100
    ip address 192.168.254.200 255.255.255.0
    ftp mode passive
    object-group service RDP tcp
    port-object eq 3389
    object-group service DM_INLINE_SERVICE_1
    service-object ip
    service-object tcp eq ssh
    access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 192.168.1.0 255.255.255.0
    access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 phones 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any Net-10 255.255.255.224
    access-list inside_access_in extended permit ip any any
    access-list Split_Tunnel_List standard permit Net-10 255.255.255.224
    access-list phones_nat0_outbound extended permit ip any Net-10 255.255.255.224
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 host Mac any
    pager lines 24
    logging enable
    logging timestamp
    logging monitor errors
    logging history errors
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu phones 1500
    ip local pool SSLClientPool-10 10.0.1.1-10.0.1.20 mask 255.255.255.128
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (inside) 10 interface
    global (outside) 1 interface
    global (phones) 20 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (outside) 10 access-list vpn_nat_inside outside
    nat (phones) 0 access-list phones_nat0_outbound
    nat (phones) 1 0.0.0.0 0.0.0.0
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 X.X.139.65 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication enable console LOCAL
    aaa authentication ssh console LOCAL
    aaa authorization command LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    subject-name CN=pas-asa.null
    keypair pasvpnkey
    crl configure
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 28800
    vpn-sessiondb max-session-limit 10
    telnet timeout 5
    ssh 192.168.1.100 255.255.255.255 inside
    ssh 192.168.1.0 255.255.255.0 inside
    ssh Mac 255.255.255.255 outside
    ssh timeout 60
    console timeout 0
    dhcpd auto_config inside
    dhcpd address 192.168.1.222-192.168.1.223 inside
    dhcpd dns 64.238.96.12 66.180.96.12 interface inside
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
    enable outside
    anyconnect-essentials
    svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
    svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
    svc enable
    tunnel-group-list enable
    group-policy SSLClientPolicy internal
    group-policy SSLClientPolicy attributes
    wins-server none
    dns-server value 64.238.96.12 66.180.96.12
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout none
    vpn-session-timeout none
    ipv6-vpn-filter none
    vpn-tunnel-protocol svc
    group-lock value PAS-SSL-VPN
    default-domain none
    vlan none
    nac-settings none
    webvpn
      svc mtu 1200
      svc keepalive 60
      svc dpd-interval client none
      svc dpd-interval gateway none
      svc compression none
    group-policy DfltGrpPolicy attributes
    dns-server value 64.238.96.12 66.180.96.12
    vpn-tunnel-protocol IPSec svc webvpn
    tunnel-group DefaultRAGroup general-attributes
    address-pool SSLClientPool-10
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *****
    tunnel-group PAS-SSL-VPN type remote-access
    tunnel-group PAS-SSL-VPN general-attributes
    address-pool SSLClientPool-10
    default-group-policy SSLClientPolicy
    tunnel-group PAS-SSL-VPN webvpn-attributes
    group-alias PAS_VPN enable
    group-url https://X.X.139.79/PAS_VPN enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    privilege cmd level 3 mode exec command perfmon
    privilege cmd level 3 mode exec command ping
    privilege cmd level 3 mode exec command who
    privilege cmd level 3 mode exec command logging
    privilege cmd level 3 mode exec command failover
    privilege cmd level 3 mode exec command packet-tracer
    privilege show level 5 mode exec command import
    privilege show level 5 mode exec command running-config
    privilege show level 3 mode exec command reload
    privilege show level 3 mode exec command mode
    privilege show level 3 mode exec command firewall
    privilege show level 3 mode exec command asp
    privilege show level 3 mode exec command cpu
    privilege show level 3 mode exec command interface
    privilege show level 3 mode exec command clock
    privilege show level 3 mode exec command dns-hosts
    privilege show level 3 mode exec command access-list
    privilege show level 3 mode exec command logging
    privilege show level 3 mode exec command vlan
    privilege show level 3 mode exec command ip
    privilege show level 3 mode exec command ipv6
    privilege show level 3 mode exec command failover
    privilege show level 3 mode exec command asdm
    privilege show level 3 mode exec command arp
    privilege show level 3 mode exec command route
    privilege show level 3 mode exec command ospf
    privilege show level 3 mode exec command aaa-server
    privilege show level 3 mode exec command aaa
    privilege show level 3 mode exec command eigrp
    privilege show level 3 mode exec command crypto
    privilege show level 3 mode exec command vpn-sessiondb
    privilege show level 3 mode exec command ssh
    privilege show level 3 mode exec command dhcpd
    privilege show level 3 mode exec command vpnclient
    privilege show level 3 mode exec command vpn
    privilege show level 3 mode exec command blocks
    privilege show level 3 mode exec command wccp
    privilege show level 3 mode exec command dynamic-filter
    privilege show level 3 mode exec command webvpn
    privilege show level 3 mode exec command module
    privilege show level 3 mode exec command uauth
    privilege show level 3 mode exec command compression
    privilege show level 3 mode configure command interface
    privilege show level 3 mode configure command clock
    privilege show level 3 mode configure command access-list
    privilege show level 3 mode configure command logging
    privilege show level 3 mode configure command ip
    privilege show level 3 mode configure command failover
    privilege show level 5 mode configure command asdm
    privilege show level 3 mode configure command arp
    privilege show level 3 mode configure command route
    privilege show level 3 mode configure command aaa-server
    privilege show level 3 mode configure command aaa
    privilege show level 3 mode configure command crypto
    privilege show level 3 mode configure command ssh
    privilege show level 3 mode configure command dhcpd
    privilege show level 5 mode configure command privilege
    privilege clear level 3 mode exec command dns-hosts
    privilege clear level 3 mode exec command logging
    privilege clear level 3 mode exec command arp
    privilege clear level 3 mode exec command aaa-server
    privilege clear level 3 mode exec command crypto
    privilege clear level 3 mode exec command dynamic-filter
    privilege cmd level 3 mode configure command failover
    privilege clear level 3 mode configure command logging
    privilege clear level 3 mode configure command arp
    privilege clear level 3 mode configure command crypto
    privilege clear level 3 mode configure command aaa-server
    prompt hostname context
    no call-home reporting anonymous

    Hi Jouni-
    Yes, with the current configs remote users only have access to the 'inside' LAN (192.168.1.0).  The digital PBX on the 'phone' LAN (192.168.254.0) is not reachable through their VPN session.
    Per you recommendation, I removed the following configs from my ASA:
    global (phones) 20 interface
    ... removing this configuration didn't make a difference -- I was still able to ping the inside LAN, but not the phone LAN.
    global (inside) 10 interface
    nat (outside) 10 access-list vpn_nat_inside outside
    .... removing these two configurations caused the inside LAN to be unreachable.  The phone LAN was not reachable, either.  So, I put the '10' configurations back.
    The ASDM syslog is showing the following when I try to ping the PBX (192.168.254.250) through the VPN session:
    "portmap translation creation failed for icmp src outside:10.0.1.1 dest phones:PBX (type 8, code 0)"
    What do you think?
    Thanks!

  • I received a text today while at work about iCloud keychain verification code. I have not signed up for it or anything that uses it. I work out of the city with limited internet access so not sure why I would be getting this. Is my info safe??

    I received a text today while at work about iCloud keychain verification code. I have not signed up for it or anything that uses it. I work out of the city with limited internet access so not sure why I would be getting this. I only got this number about a month ago. Apparently someone else had the number before because I get texts from his family members wondering whats going on. I got one yesterday and the person didn't seem to thrilled that the number was cutoff and today I got 2 texts about iCloud Keychain which I don't even know what it is. Seems suspicious to me. If the person who use to own the number is doing it he should know it is not his number anymore because he obviously didn't pay his bills.  I'm not too sure about iCloud Keychain so just want to know my info safe?? It says it can store credit card numbers which is what gets me worried. Frankly I think it's pretty stupid to save that kind if information with any kind of app. But I don't want some random person trying to access my personal information because they are bitter they lost their number.  Please let me know as soon as possible so I can change passwords or anything that is needed.
    thanks

    If it were me, I would go to my carrier and get a new number. Since you have only had it for a month, the inconvenience would be minimal.
    Barry

Maybe you are looking for