CISCO RV180 - Limited VPN Access
Hello!
I'm using CISCO Router RV180 for incoming VPN connections. I just learned how to do it, I did all the settings and it is working now. However I have noticed that users who connect through thier VPN Clients can see the whole internal network. Can those be limited to only certain local IPs?
For example my local network is 10.x.x.x. I have CISCO Router Web Interface avaliable to login at 10.x.x.1 and the Web Server I want users to access is on 10.x.x.2. Can I forbid acceess for VPN users who connect through the CISCO IP so this 10.x.x.1 address avalable for local users only?
Dear Marty, thank you for the detailed instructions. This is a good thing to know. I have tried this out and then realized that it probably not exactly what I need, or I missed something from your write-up.
I have the webserver connected to Port 1 and I manage the CISCO Router from that webserver. The CISCO Router has IP address 10.10.10.1 and the webserver is 10.10.10.2. There are no other devices connected to the router. The webserver has additional network interfaces and all local devices are connected through that.
Till now I had port 443 forwarded by the CISCO routed to the webserver for external connections. But a security consultant adviced to switch the external clients from HTTPS to VPN (still leaving HTTPS though). That's I'm working on right now. I was adviced to use L2TP but I didn't find how I can set it up on the Router (though the manual says it should be there) so I made PPTP for now. I did that by adding IKE Policy and a VPN user (don't know if anything else is needed but it seems working fine).
When I try to connect from outside by a VPN Client which is WIn 7 (creating VPN network feature) the VPN network gets created and I can go to 10.10.10.2 to see the webserver. But I also can go to 10.10.10.1 and see the CISCO Router login page. The last one I'm trying to hide if possible. Also I didn't figure out yet if such VPN users can use other ports or it is still only 443 allowed for them. Ideally I want VPN users login and see only the webserver and only on 443 port. Not sure if that is possible.
Similar Messages
-
I have installed the Cisco RV180 VPN at a customer location.
Because this customer makes credit card transactions over the Internet, their merchant account requires a third-party to perform a security scan on the gateway. When scanning, the third-party states they are not in compliance with this report:
THREAT REFERENCE
Summary:
TLS Protocol Session Renegotiation Security Vulnerability
Risk: High (3)
Port: 443
Protocol: TCP
Threat ID: misc_opensslrenegotiation
Details: Multiple Vendor TLS Protocol Session Renegotiation Security Vulnerability
06/11/12
CVE 2009-3555
Multiple vendors TLS protocol implementations are prone to a security vulnerability related to the session-renegotiation process which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context.
Information From Target:
Service: 443:TCP
Session Renegotiation succeeded on 443:TCP
They are using the QuickVPN Client to connect and must be able to connect from anywhere in the world. From my understanding, port 443 must be opened for the QuickVPN Client to function. How do I block port 443 from everyone except the QuickVPN Client? Or how do I configure the RV180 to satisfy the above threat?
Thanks in advance for any information you can provide.Hi,
following config is for cisco VPN client access with dynamic allocation and split-tunnel.
Hope this helps, please rate post if it does!
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
username vpnc password 0 userpass
crypto isakmp client configuration group vpncg
key grouppass
dns 4.2.2.1
wins 10.59.2.10
domain domain.com
pool ip-pool
acl 108
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto dynamic-map dynmap 10
set transform-set myset
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface FastEthernet0/0
ip nat outside
crypto map clientmap
interface vlan1
ip address 10.59.2.1 255.255.255.0
ip nat inside
ip local pool ip-pool 10.0.230.1 10.0.230.20
access-list 108 remark VPN client split tunnel
access-list 108 permit ip 10.59.2.0 0.0.0.255 10.0.230.0 0.0.0.255 -
VPN and limiting internet access
I posted this under the SMB as well but wanted to post under the VPN header at the same time.
Hello all, I am very new to VPN's and Firewalls so please forgive me for lack of terminology usage.
I am part of a company that has 20 internal PC's and 25 external sites (Convienient stores) that are all now being placed on a VPN. We purchased a ASA 5510 for the office and we are placing Linksys RV042 routers at the stores. What my question is, is that we have a few stores that need limited internet access because we have Subway restaurants there and they need to download and upload at times. What I dont want is to allow full access to the net because of the chance of outside attacks or viruses.
My question is, what can be done to set the VPN in place but only allow certain access to web addresses that we say is alright to have communication with?
Is this possible and / or what else needs to be purchased?
I thank you in advance for any help you can advise on.
JJThe problem with the internet is, how do you define this 'certain' addresses. Is this possible for you?
There is an option in VPNs called split tunneling, which has a "Exclude specified" mode, that might help.
Regards\
Farrukh -
Cisco 2504 WLC client VPN Access
Hi,
I was reading couple of posts related to Cisco WLC + Client VPN passthrough .. and got a query.
https://supportforums.cisco.com/thread/2183687
https://supportforums.cisco.com/thread/2219356
The second link says that "Remote Acces VPN connections through the WLC work out of the box". Is this True? No need to configure Layer 3 VPN-Pass though for the SSID?
They are using WPA2+PSK as Layer 2 Security. Here WPA2-PSK + VPN Passthrough is the right combination for WLAN Layer2 + Layer 3 Security?
Thanks,
JaganIt works out of the box... you don't need to configure any passthrough.. just connect to the ssid and VPN away.
Thanks,
Scott
Help out other by using the rating system and marking answered questions as "Answered" -
I have a cisco asa 5505 that I am setting up VPN access too. I have multiple subnets all routed through a layer 3 switch conected to my asa. My problem is I can ping everything on VLAN1 (192.168.100.0/24) but no other VLANS (10.141.152.0/23 etc.)
Post the config of your ASA and someone will be able to assist.
-
Cisco ASA 5505 VPN with iPhone
Hello Everyone. I am a newbie to the Cisco appliances, so please bear with me. I am trying to configure this unit to allow iPhone VPN access to our network to sync LOTUS DOMINO (Not Exchange) user's Email, Contacts, and Calendar. We have a Sonicwall NSA 2400 that is our main router, so the ASA will only be used for VPN access, not routing. It will be in the DMZ providing VPN access for the iPhones. With the VPN connected, we need to limit access to only those services required by the iphone to sync information. The Software version on the Cisco is 7.2(4). If there is anyone that could help me out, I would greatly appreciate it. Please remember I am new to this, so please be patient. Where do I begin? I hope to hear from anyone soon.
Hi,
I cannot help you with the Cisco side of the equation, but do you know about Lotus Traveler? It's free from IBM and essentially adds ActiveSync support to your Domino email environment. The iPhone is configured with an Exchange ActiveSync account and pointed to the Lotus Traveler server (which sits in your DMZ and only needs port 80/443 access). It gives you full push email/contacts/calendar (Blackberry-like) functionality.
Like I said, it's a free add-on from IBM Lotus for all licensed Domino users. -
Help, How to configure cisco ASA5505 to permit access to internal LAN
Hi everyone,
Once more I am stuck into another dilemma , I have configured a Cisco ASA 5505 to allow VPN access from outside to my LAN using Cisco VPN Client software. The connection is establishing properly with the ip address from my VPNPool.
From outside (on VPN connection) I can ping the interface e0/0 (outside) and the interface e0/1 (inside) of the firewall, but I cannot ping the layer 3 switch interface to which the ASA is connected ( int gi1/0/22 ip address 192.168.1.2/30 ) and I cannot ping any vlan interfaces inside my switch. Therefore, I cannot connect to any server on my internal LAN.
I hope my explaination does make sense, I am available at any time if further information is needed. Please find attached my ASA config.
Best regards,
BENMany thanks Marvin,
I have configured the router ospf the way you instructed me, I have changed the VPN Pool to a complete different class of 10.0.1.0/24, I have also configured : access-list OUTSIDE_IN_ACL permit icmp any any echo-relpy and access-group OUTSIDE_IN_ACL in interface outside. but I can only from my VPN connection ping both interfaces of the ASA and nothing else.
Please find attached my ASA and the layer 3 switch configs. And also ASA and L3 Switch ip route output.
Note this: When connected to my VPN, cmd>ip config /all it showing as follows: ip address 10.0.1.100
Subnet Mask 255.0.0.0
Def Gateway 10.0.0.1
dns server 192.168.30.3
Best regards,
BEN.
Message was edited by: Bienvenu Ngala -
Can I use the guest network on a AE connected to a Cisco RV180?
I have not been able to connect to the guest network on my AE with a Cisco RV180 as the gateway. I read in an older post that the guest network my not work on all equipment, that it must be connected to a "simple" modem. Just want to find out if the Cisco is compatable.
The AirPort Express does need to connect to a simple modem in order for the Guest Network feature to work correctly.
According to Cisco the RV180 is a VPN Router, so it would not be compatible with the AirPort Express for the purpose that you ask about.
Cisco RV180 VPN Router Data Sheet [Cisco Small Business RV ... -
HELP!! Cisco RV180 Port Forwarding
Someone please advise as to this is the first time I've tried to setup port forwarding using the Cisco RV180 Router. I have a Cisco RV180 Router, a Ruckus 7055 access point and a power distribution unit. I'd like to be able to access the router remotely and also the devices behind the router (the ruckus access point and the power distribution unit). I'm assuming that I'll need to assign the Cisco RV180 router a static IP address and I'm assuing that this static address should be assigned to the WAN port? I'd also like to configure port forwarding so that I can access the ruckus and the PDU remotely also. I've tried assigning a static IP address to the WAN port of the RV180 but I cannot ping this device remotely. Anyone have any advice on accessing the RV180 remotely? I've populated all of the correct fields for the WAN settings (ip, gateway, subnet, etc.) , and my static ip address is valid.Thank you in advance.
Hello sirflex,
As you have mentioned you need to configure a static nat for the devices which you have done when you configure a port forwarding.
Have you configured access rules under firewall>access Rules. Add the access rules for the ping and the Http and Https services.
Can you capture the packets at the WAN port while you are pinging the WAN port and the firmware version on the device.
Which mode are you running the device gateway or router. You can check it under Netwroking>Routing>Routing Mode.
Thanks,
Prithvi
Please mark answered and rate for helpful posts. -
Ios VPN access form handled devices
hi
someone here had configured on a router the vpn access form handled devices?
Really i don't know where to start!You must select one of the following modes of operation when you enable the PIX Firewall as an Easy VPN Remote device:
Client modeIn this mode, VPN connections are initiated by traffic, so resources are only used on demand. In client mode, the PIX Firewall applies Network Address Translation (NAT) to all IP addresses of clients connected to the inside (higher security) interface of the PIX Firewall. To use this mode, you must also enable the DHCP server on the inside interface, as described in " Using the PIX Firewall DHCP Server."
Network extension modeIn this mode, VPN connections are kept open even when not required for transmitting traffic. This option does not apply NAT to any IP addresses of clients on the inside (higher security) interface of the PIX Firewall.
In network extension mode, the IP addresses of clients on the inside interface are received without change at the Easy VPN Server. If these addresses are registered with the Network Information Center (NIC), they may be forwarded to the public Internet without further processing. Otherwise, they may be translated by the Easy VPN Server or forwarded to a private network without translation.
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00800eb72d.html -
VPN Access via LDAP authentication
Hello everyone,
I have setup an OS X server to serve as our department's VPN server. I am attempting to configure it to use an existing linux LDAP server for authentication, so that we don't need to have local accounts on the server. In the Directory Utility I have entered the information to point to our LDAP, and have it configured as RFC 2307 (Unix) for LDAP mappings. Everything in the Directory Utility appears that it considers the LDAP connection to be valid. In fact, from a terminal I can successfully finger users in LDAP.
In the Server Admin, I have selected the users that I wish to have VPN access (the LDAP users also show up in this list). However, when I try to connect to it, it fails almost immediately. Here is a snippet of the server's VPN log file (I have changed the IP addresses and hostname in the logfile to "*"):
2010-05-11 20:37:13 EDT Incoming call... Address given to client = **.***.***.**
Tue May 11 20:37:14 2010 : Directory Services Authentication plugin initialized
Tue May 11 20:37:14 2010 : Directory Services Authorization plugin initialized
Tue May 11 20:37:14 2010 : PPTP incoming call in progress from '**.***.***.**'...
Tue May 11 20:37:14 2010 : PPTP connection established.
Tue May 11 20:37:14 2010 : using link 0
Tue May 11 20:37:14 2010 : Using interface ppp0
Tue May 11 20:37:14 2010 : Connect: ppp0 <--> socket[34:17]
Tue May 11 20:37:14 2010 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xaef8a1b5> <pcomp> <accomp>]
Tue May 11 20:37:14 2010 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xaef8a1b5> <pcomp> <accomp>]
Tue May 11 20:37:17 2010 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xaef8a1b5> <pcomp> <accomp>]
Tue May 11 20:37:17 2010 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x1b8adf3d> <pcomp> <accomp>]
Tue May 11 20:37:17 2010 : lcp_reqci: returning CONFACK.
Tue May 11 20:37:17 2010 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x1b8adf3d> <pcomp> <accomp>]
Tue May 11 20:37:17 2010 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xaef8a1b5> <pcomp> <accomp>]
Tue May 11 20:37:17 2010 : sent [LCP EchoReq id=0x0 magic=0xaef8a1b5]
Tue May 11 20:37:17 2010 : sent [CHAP Challenge id=0xc6 <7636b1bad668b175a847d43875397f99>, name = "***.*****.edu"]
Tue May 11 20:37:17 2010 : rcvd [LCP EchoReq id=0x0 magic=0x1b8adf3d]
Tue May 11 20:37:17 2010 : sent [LCP EchoRep id=0x0 magic=0xaef8a1b5]
Tue May 11 20:37:17 2010 : rcvd [LCP EchoRep id=0x0 magic=0x1b8adf3d]
Tue May 11 20:37:17 2010 : rcvd [CHAP Response id=0xc6 <4a2f0f54d4ce55fe6d1308a8206c4b02000000000000000046f6233c5bb9ea82f6ef2164eb55ed a3355a931a6762101300>, name = "mouck"]
Tue May 11 20:37:17 2010 : sent [CHAP Failure id=0xc6 "\37777777677:\r\002"]
Tue May 11 20:37:17 2010 : CHAP peer authentication failed for mouck
Tue May 11 20:37:17 2010 : sent [LCP TermReq id=0x2 "Authentication failed"]
Tue May 11 20:37:17 2010 : rcvd [LCP TermReq id=0x2 "Failed to authenticate ourselves to peer"]
Tue May 11 20:37:17 2010 : sent [LCP TermAck id=0x2]
Tue May 11 20:37:17 2010 : Connection terminated.
Tue May 11 20:37:17 2010 : PPTP disconnecting...
Tue May 11 20:37:17 2010 : PPTP disconnected
I am unsure why the authentication is not working. In the past, I have tried to configure the Open Directory service to be "Connected to a Directory System" but could never get the service to start. To be honest, I'm not even positive I need to have the Open Directory service running, since the authentication should hopefully be passed to our existing LDAP.
Any thoughts or suggestions would be greatly appreciated. Thanks very much!Hi oleg,
It's a very common issue and generally happens when you try to connect the VPN client from the same location which has a site to site VPN with the device. For example if you try to connect the VPN client to the ASA and your public Ip is 1.1.1.1 and on the same ASA if you have a Site to Site VPN already connnect with an IP address 1.1.1.1 you will see the following error in the debug:
"cannot match peerless map when peer found in previous map entry."
Please check for the same, if thats the case you are hitting the following bug:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCuc75090
You needed a Cisco CCO id to check the link.
Thanks
Jeet Kumar -
SRP526W to forward or provide VPN access for clients
Hi,
we are having a SRP526W here which replaced a cheap, simple router. Now we would like to set up the VPN-access for outside clients again. So far this was done by forwarding PPTP (TCP 1723 and GRE) to the Windows 2000 Routing and RAS-server inside the network.
According to this post the SRP521W, and therefore I suppose as well the SRP526W, are not able to forward GRE: https://supportforums.cisco.com/thread/2093204
Is there a way to provide VPN access for outside clients with this router? Maybe with L2TP (but then we would need to forward ESP) or IPSec (ESP and AH as far as I know)?
If there is no solution we would need to replace this device again with a cheap, simple router which is able to forward GRE - as you can imagine, we would like to save Cisco from this shame.
Kind regards
DominikHi Dominik,
It is not possible to use L2TP or PPTP from the SRP526 (This is only possible from the Ethernet WAN interface). It is possible to set up an IPSec VPN or GRE tunnel from the SRP to a peer in the network.
This might offer some guidance here.
Regards,
Andy -
Remote VPN access with Windows 7, 64 bit
Hey there,
What do you guys suggest for Remote VPN access with Windows 7, 64 bit?Hi,
You can configure a Remote access VPN with a windows 7, 64 bit client. You wieall hav to download a IPsec VPN client specially for a 64-bit machine. It should not give you much trouble.
The client is vpnclient-winx64-msi-5.0.07.0290-k9.exe. it is available on cisco.com site.
hope this helps.
Regards,
Anisha
P.S.: please mark this thread as resolved if you feel your query is resolved. Do rate helpful posts. -
ASA 5505: VPN Access to Different Subnets
Hi All-
I'm trying to figure out how to configure our ASA so that remote users can have VPN access to two different subnets (office LAN and phone LAN). Currently, I have 3 VLANs setup -- VLAN 1 (inside), VLAN 2 (outside), VLAN 13 (phone LAN). Essentially, remote users should be able to access their PC (192.168.1.0 /24) and also access the office phone system (192.168.254.0 /24). Is this even possible? Below is the configurations on our ASA,
Thanks in advance:
ASA Version 8.2(5)
names
name 10.0.1.0 Net-10
name 20.0.1.0 Net-20
name 192.168.254.0 phones
name 192.168.254.250 PBX
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 13
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.98 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address X.X.139.79 255.255.255.224
interface Vlan3
no nameif
security-level 50
ip address 192.168.5.1 255.255.255.0
interface Vlan13
nameif phones
security-level 100
ip address 192.168.254.200 255.255.255.0
ftp mode passive
object-group service RDP tcp
port-object eq 3389
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp eq ssh
access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 192.168.1.0 255.255.255.0
access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 phones 255.255.255.0
access-list inside_nat0_outbound extended permit ip any Net-10 255.255.255.224
access-list inside_access_in extended permit ip any any
access-list Split_Tunnel_List standard permit Net-10 255.255.255.224
access-list phones_nat0_outbound extended permit ip any Net-10 255.255.255.224
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 host Mac any
pager lines 24
logging enable
logging timestamp
logging monitor errors
logging history errors
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu phones 1500
ip local pool SSLClientPool-10 10.0.1.1-10.0.1.20 mask 255.255.255.128
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 10 interface
global (outside) 1 interface
global (phones) 20 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 10 access-list vpn_nat_inside outside
nat (phones) 0 access-list phones_nat0_outbound
nat (phones) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.139.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=pas-asa.null
keypair pasvpnkey
crl configure
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
vpn-sessiondb max-session-limit 10
telnet timeout 5
ssh 192.168.1.100 255.255.255.255 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh Mac 255.255.255.255 outside
ssh timeout 60
console timeout 0
dhcpd auto_config inside
dhcpd address 192.168.1.222-192.168.1.223 inside
dhcpd dns 64.238.96.12 66.180.96.12 interface inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect-essentials
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
wins-server none
dns-server value 64.238.96.12 66.180.96.12
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
ipv6-vpn-filter none
vpn-tunnel-protocol svc
group-lock value PAS-SSL-VPN
default-domain none
vlan none
nac-settings none
webvpn
svc mtu 1200
svc keepalive 60
svc dpd-interval client none
svc dpd-interval gateway none
svc compression none
group-policy DfltGrpPolicy attributes
dns-server value 64.238.96.12 66.180.96.12
vpn-tunnel-protocol IPSec svc webvpn
tunnel-group DefaultRAGroup general-attributes
address-pool SSLClientPool-10
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group PAS-SSL-VPN type remote-access
tunnel-group PAS-SSL-VPN general-attributes
address-pool SSLClientPool-10
default-group-policy SSLClientPolicy
tunnel-group PAS-SSL-VPN webvpn-attributes
group-alias PAS_VPN enable
group-url https://X.X.139.79/PAS_VPN enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
no call-home reporting anonymousHi Jouni-
Yes, with the current configs remote users only have access to the 'inside' LAN (192.168.1.0). The digital PBX on the 'phone' LAN (192.168.254.0) is not reachable through their VPN session.
Per you recommendation, I removed the following configs from my ASA:
global (phones) 20 interface
... removing this configuration didn't make a difference -- I was still able to ping the inside LAN, but not the phone LAN.
global (inside) 10 interface
nat (outside) 10 access-list vpn_nat_inside outside
.... removing these two configurations caused the inside LAN to be unreachable. The phone LAN was not reachable, either. So, I put the '10' configurations back.
The ASDM syslog is showing the following when I try to ping the PBX (192.168.254.250) through the VPN session:
"portmap translation creation failed for icmp src outside:10.0.1.1 dest phones:PBX (type 8, code 0)"
What do you think?
Thanks! -
I received a text today while at work about iCloud keychain verification code. I have not signed up for it or anything that uses it. I work out of the city with limited internet access so not sure why I would be getting this. I only got this number about a month ago. Apparently someone else had the number before because I get texts from his family members wondering whats going on. I got one yesterday and the person didn't seem to thrilled that the number was cutoff and today I got 2 texts about iCloud Keychain which I don't even know what it is. Seems suspicious to me. If the person who use to own the number is doing it he should know it is not his number anymore because he obviously didn't pay his bills. I'm not too sure about iCloud Keychain so just want to know my info safe?? It says it can store credit card numbers which is what gets me worried. Frankly I think it's pretty stupid to save that kind if information with any kind of app. But I don't want some random person trying to access my personal information because they are bitter they lost their number. Please let me know as soon as possible so I can change passwords or anything that is needed.
thanksIf it were me, I would go to my carrier and get a new number. Since you have only had it for a month, the inconvenience would be minimal.
Barry
Maybe you are looking for
-
Can anyone help with this please ? When I try to retive the password using the old email address I don't get an email.... thanks
-
How to create a secure photo gallery in Muse or other options?
I am looking at working with a phtotographer and she would like to have a secure (require login) photo gallery for her clients and also she wants to be able to upload these photos. I would like to know what the options are to do this that others have
-
XDB Deinstall and install issue in 11gR1 Db and R12.1.2 Apps
We have an issue with UTL_SMTP package. Whenever we are trying to access it through Ora-00600. I got one note 742014.1 and followed that. It worked for us and we are able to use the package without any issue. Now the problem is we have 150 + invalids
-
Blank page comes out when I try to make a copy on my HP 5610xi All In One Printer
Recently, I keep getting a Blank Page when I try to copy anything on my HP Officejet 5610xi All in One Printer. This question was solved. View Solution.
-
I can´t turn off my phone
I have a strange problem. I can't turn it off without it initiating a boot loop all on its own. Every time I press the power button and select "Power Off", it turns off and then about 5 seconds later the Sony screen comes back on, stays on for a few