Configure VPN access on a Cisco WRV210 Wireless-G VPN Router - RangeBooster
Please help....
I need to configure a VPN on a Cisco WRV210 Wireless-G VPN Router - RangeBooster. I have five users that are going to connect to a file server; Windows and Mac laptops will be connecting. The file server access is all set, I just need a step-by-step document to configure the VPN screens on the router. Thanks.
Hi Robert
You can refer to the link below to find the exact config to start with.
Do make sure that your Cisco 831 box, with the IOS code currently installed on it, supports the required feature to run the same.
http://www.cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html#anchor16
Regards
Similar Messages
-
Hi All,
I am a technician in the IT field of about 12 years. I am a rather decent troubleshooter; however, wireless is not my area of expertise, but I am far from a beginner with it.
I read in some review that the phone mentioned in the subject was a wireless killer, but I went ahead and bought it anyway.
Worked for a while with little issue, but often, as soon as I pick up the phone when receiving a phone call, my wireless is shot.
I have tried changing frequencies from 1-11, hearing that 11 was the luckier pick. Nothing seems to be working.
It is cause and effect when I pick up the phone. Quite sick.
Plus, very recently it has been dropping frequently and intermittently. I have read the articles on intermittent connection and none of it seems to apply.
I am wondering if there is a way to analyze wireless traffic/noise/interference.
I live in an apartment and it usually works, but for the past month it has been the worst ever.
Any ideas?
Oh, I re-upgraded the firmware to 4.7.1.1. I think it's a WRT54GS V2.
Be good.
Message Edited by souloffire on 06-20-2007 05:23 PM
There are also other things that you can do to improve your wireless connections:
First of all, give your network a unique SSID. Do not use "linksys". If you are using "linksys" you may be trying to connect to your neighbor's router. Also set "SSID Broadcast" to "enabled". This will help your computer find and lock on to your router's signal.
Poor wireless connections are often caused by radio interference from other 2.4 GHz devices. This includes wireless phones, wireless baby monitors, Bluetooth (including Bluetooth game controllers), microwave ovens, wireless mice and keyboards, wireless speakers, and your neighbor's wireless network. Even some 5+ GHz phones also use the 2.4 GHz band. Unplug these devices, and see if that corrects your problem.
In your router, try a different channel. There are 11 channels in the 2.4 GHz band. Usually channel 1, 6, or 11 works best. Check out your neighbors, and see what channel they are using. Because the channels overlap one another, try to stay at least +5 or -5 channels from your strongest neighbors. For example, if you have a strong neighbor on channel 9, try any channel 1 through 4.
Ultimately, an apartment complex is often a difficult environment to run a wireless system. Other possible solutions include: (1) setting up a single (or perhaps just a few) wireless router in the building and having all users share this router, (2) changing your system to wireless A, which runs in the 5+ GHz band, or (3) changing your system to a wired network.
Hope this helps. -
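The channel-separation rule in the reply above (stay at least 5 channels away from the strongest neighbours, fall back to 1/6/11) is easy to get wrong by hand. The following Python, added here and not part of the original forum post, ranks the 11 channels of the 2.4 GHz band by distance from a list of neighbour channels you have observed; the function names and the "prefer 1, 6, 11 on ties" rule are my own choices.

```python
"""Pick a 2.4 GHz Wi-Fi channel that is as far as possible from the strongest
neighbouring networks, following the +5/-5 channel rule from the post above.
Added example, not part of the original forum post."""

# Channels 1-11 (North American 2.4 GHz plan). Channels 1, 6 and 11 are the
# only mutually non-overlapping set, so they win ties.
CHANNELS = range(1, 12)
PREFERRED = (1, 6, 11)
MIN_SEPARATION = 5   # the "+5 / -5 channels" rule from the post above


def channel_separation(channel, neighbours):
    """Smallest channel distance between `channel` and any neighbour channel."""
    if not neighbours:
        return float("inf")
    return min(abs(channel - n) for n in neighbours)


def rank_channels(neighbours):
    """Return (channel, separation) pairs, best first.

    Primary key: larger separation from the nearest neighbour is better.
    Secondary key: channels 1/6/11 before the others. Tertiary: lower number.
    """
    scored = [(ch, channel_separation(ch, neighbours)) for ch in CHANNELS]
    scored.sort(key=lambda cs: (-cs[1], cs[0] not in PREFERRED, cs[0]))
    return scored


def best_channel(neighbours):
    """Best channel given the channels your strongest neighbours use."""
    return rank_channels(neighbours)[0][0]


def clear_channels(neighbours):
    """Channels that satisfy the >= 5 separation rule (may be empty in a
    crowded building, in which case best_channel() still picks the least bad)."""
    return [ch for ch in CHANNELS
            if channel_separation(ch, neighbours) >= MIN_SEPARATION]


if __name__ == "__main__":
    # Constructed scenario from the post: one strong neighbour on channel 9.
    print(clear_channels([9]))   # channels 1 through 4
    print(best_channel([9]))     # 1
```

The neighbour list comes from whatever site survey tool you use; the script only encodes the decision rule, so it is just as useful when every channel is taken and you need the least-overlapping one.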
QuickVPN at RV110W Wireless-N VPN Firewall
Good day,
I am trying to enable VPN remote access from the internet through the RV110W Wireless-N VPN Firewall, with no result. Please review my error.
Pertinent information RV110W:
WAN Server Address = 200.124.243.172
LAN Server Address = 192.168.8.111
Routing Operating Mode = Gateway
VPN Client Setting Table = Username Protocol QuickVPN
cert.pem copied into VPN CLIENT Folder
Log QuickVPN Client
2013/06/30 20:52:45 [STATUS]OS Version: Unknown
2013/06/30 20:52:45 [STATUS]One network interface detected with IP address 10.10.10.13
2013/06/30 20:52:45 [STATUS]Connecting...
2013/06/30 20:52:45 [DEBUG]Input VPN Server Address = 200.124.243.172
2013/06/30 20:52:45 [STATUS]Connecting to remote gateway with IP address: 200.124.243.172
2013/06/30 20:52:46 [STATUS]Remote gateway was reached by https ...
2013/06/30 20:52:46 [STATUS]Provisioning...
2013/06/30 20:52:49 [STATUS]Success to connect.
2013/06/30 20:52:49 [STATUS]Tunnel is configured. Ping test is about to start.
2013/06/30 20:52:49 [STATUS]Verifying Network...
2013/06/30 20:52:55 [WARNING]Failed to ping remote VPN Router!
2013/06/30 20:52:58 [WARNING]Failed to ping remote VPN Router!
2013/06/30 20:53:01 [WARNING]Failed to ping remote VPN Router!
2013/06/30 20:53:04 [WARNING]Failed to ping remote VPN Router!
2013/06/30 20:53:07 [WARNING]Failed to ping remote VPN Router!
The remote gateway in not responding. Do you want to wait?
2013/06/30 20:53:10 [WARNING]Ping was blocked, which can be caused by an unexpected disconnect.
2013/06/30 20:53:56 [STATUS]Disconnecting...
2013/06/30 20:54:00 [STATUS]Success to disconnect.
Thanks for your time,
Juan L. Mera
Solution: MTU to 1372 instead of default 1400
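The fix above was found by lowering the MTU until the tunnel's ping test passed. A systematic way to get that number is a Don't-Fragment ping sweep: find the largest ICMP payload that crosses the path unfragmented, then add the 28 bytes of IPv4 and ICMP headers. The Python below, added here and not part of the original post, does the binary search with an injectable probe so it can be exercised offline; `linux_df_probe` assumes Linux iputils `ping` (the `-M do` flag) and is my own helper.

```python
"""Find the largest ICMP payload that crosses a path without fragmentation,
and turn it into the MTU to set on the VPN device, as in the fix above
(1372 instead of 1400). Added example, not from the original post."""
import subprocess

IP_ICMP_HEADERS = 28   # 20-byte IPv4 header + 8-byte ICMP echo header


def linux_df_probe(host, payload, timeout=1):
    """Send one echo request with the Don't Fragment bit set (Linux iputils
    ping: -M do). True if a reply came back, False if the probe was rejected
    ("message too long") or lost. Assumes iputils ping on PATH (assumption)."""
    cmd = ["ping", "-c", "1", "-W", str(timeout), "-M", "do",
           "-s", str(payload), host]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0


def largest_passing_payload(probe, lo=0, hi=1472):
    """Binary search for the largest payload for which probe(payload) is True.

    probe must be monotonic: if a size passes, every smaller size passes.
    `lo` is assumed to pass; `hi` is tried first (1472 bytes of payload fills
    a 1500-byte Ethernet frame)."""
    if probe(hi):
        return hi
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo


def path_mtu(probe, hi=1472):
    """MTU of the path: largest passing payload plus the IP and ICMP headers."""
    return largest_passing_payload(probe, hi=hi) + IP_ICMP_HEADERS


def simulated_probe(limit):
    """Constructed stand-in for the network: passes iff payload <= limit."""
    return lambda payload: payload <= limit


if __name__ == "__main__":
    # Offline demonstration with a constructed path that carries at most
    # 1372-byte packets, the value the post above settled on.
    print(path_mtu(simulated_probe(1372 - IP_ICMP_HEADERS)))   # 1372
    # Live use (needs network access to the gateway; address is a placeholder):
    # print(path_mtu(lambda p: linux_df_probe("<vpn-gateway-ip>", p)))
```

Run the live probe from the client side against the public address of the VPN gateway, then set the router's MTU to the value returned (or slightly lower, since the tunnel adds its own encapsulation on top of the path MTU).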
-
I have a Cisco WRV210 wireless router that won't boot correctly after enabling WMM. The problem is that after I enabled WMM and the router rebooted, I only see the power LED and DMZ LED on, but not the wireless LED and Internet LED. I tried using the reset switch several times and nothing worked. Should I dispose of it and buy a new router, or is this one still repairable?
Alvaro,
Please call support since the router is still under warranty.
www.cisco.com/go/sbsc
- Marty -
I have an Airport Extreme wireless router, an HP Folio laptop (company supplied) and a Canon PIXMA MX882 wireless printer, copier, scanner and fax.
When I am VPN'd in through Cisco VPN to my company intranet site I cannot print wirelessly. I have to turn off the VPN, print and log back into the company intranet site. Is there a way to configure the router so that it is not blocking the signal?
Tx
The problem is not the router. The issue is that the VPN has put your computer in a different IP range with a different gateway. When you turn off the VPN the computer returns to the local LAN and can print.
Some VPN software allows you to set the gateway to use the local net instead of the remote gateway, or to allow access to other websites or the local LAN.
Read up on the issue.
http://stevejenkins.com/blog/2010/01/using-the-local-default-gateway-with-a-windows-vpn-connection/
Cisco VPN client:
https://supportforums.cisco.com/thread/239113
I did not search much, just grabbed the first article I could find that explains the issue.
The whole point of the VPN is that whilst it is connected your computer is NOT part of the local LAN; it is part of the remote LAN via the VPN tunnel.
It is also a security risk using split tunnelling, so often it will not be allowed.
Plug the printer directly into the computer via USB or whatever. A local connection will work, not the local LAN. -
Need help configuring Cisco/Linksys wireless router to extend wi-fi signal to living room
My U-verse wireless gateway is in the back of our house. We live in an old 1920's home with solid wood walls. For our MacBooks we get a pretty decent signal, but my wife's iPad 2 gets poor Wi-Fi speeds. I bought a Cisco/Linksys WRT160N Wireless-N broadband router. I have a wired connection in my living room (going to a 4-port switch) then connected to my DVR. I tried hooking up the new router but ended up getting no signal on the iPad. In fact, it caused other issues. I ended up disconnecting it and rebooting my gateway. All came back fine. This wireless router replaces a similar unit that went out after a power failure, so I know this can be done, but I forget exactly how I configured the old one. I would like it to "extend" my signal to the living room, but I am also willing to create a new network (different SSID). Do I need to turn off DHCP? Are there any web sites that can assist me in configuring the router? I wish I didn't have to deal with this. The signal from the RG is great when you are in the back room (20+ down). But my wife gets about 3 down on her iPad in the living room. Thanks in advance.
Hi,
I was doing some research on how this can be done. It does not appear there is an option in the Cisco router to set it up as an access point, but there are several options you can do to extend your network.
The first thing you can do is just set it up as a router behind router setup, and you will just have two separate networks. Make sure the DHCP pool does not conflict with the U-verse's gateway of 192.168.1.x.
The second thing you can do is connect the Ethernet cable to one of the LAN ports on your Cisco router instead of using the internet port. This should make it work like a smart switch.
With both setups, you want to probably change the SSID, network key, and wireless security settings to the same thing for wireless roaming abilities. That way, anyone that configures their wireless connection will be connected to both networks. Just make sure the wireless channels are not the same, and I would suggest having them at least 5 apart.
Hope this helps.
-ATTU-verseCare -
Cisco ASA 5505 L2TP VPN cannot access internal network
Hi,
I'm trying to configure a Cisco L2TP VPN to my office. After a successful connection I cannot access the internal network.
Can you help me to find out the issue?
I have Cisco ASA:
inside network - 192.168.1.0
VPN network - 192.168.168.0
I have router 192.168.1.2 and I cannot ping or get access to this router.
Here is my config:
ASA Version 8.4(3)
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 198.X.X.A 255.255.255.248
ftp mode passive
same-security-traffic permit intra-interface
object network net-all
subnet 0.0.0.0 0.0.0.0
object network vpn_local
subnet 192.168.168.0 255.255.255.0
object network inside_nw
subnet 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended deny ip any any log
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool sales_addresses 192.168.168.1-192.168.168.254
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic net-all interface
nat (inside,outside) source static inside_nw inside_nw destination static vpn_local vpn_local
nat (outside,inside) source static vpn_local vpn_local destination static inside_nw inside_nw route-lookup
object network vpn_local
nat (outside,outside) dynamic interface
object network inside_nw
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 198.X.X.B 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set my-transform-set-ikev1 esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set my-transform-set-ikev1 mode transport
crypto dynamic-map dyno 10 set ikev1 transform-set my-transform-set-ikev1
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp nat-traversal 3600
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
management-access inside
dhcpd address 192.168.1.5-192.168.1.132 inside
dhcpd dns 75.75.75.75 76.76.76.76 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy sales_policy internal
group-policy sales_policy attributes
dns-server value 75.75.75.75 76.76.76.76
vpn-tunnel-protocol l2tp-ipsec
username ----------
username ----------
tunnel-group DefaultRAGroup general-attributes
address-pool sales_addresses
default-group-policy sales_policy
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:5d1fc9409c87ecdc1e06f06980de6c13
: end
Thanks for your help.
You have to test it with "real" traffic to 192.168.1.2, and if you use ping, you have to add ICMP inspection:
policy-map global_policy
class inspection_default
inspect icmp
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni -
Need urgent help in configuring Client to Site IPSec VPN with Hairpinning on Cisco ASA5510 - 8.2(1).
The following is the Layout:
There are two Leased Lines for Internet access - 1.1.1.1 & 2.2.2.2, the latter being the Standard Default route, the former one is for backup.
I have been able to configure Client to Site IPSec VPN
1) With access from Outside to only the Internal Network (172.16.0.0/24) behind the asa
2) With split tunnel, with simultaneous access to the internal LAN and the outside Internet.
But I have not been able to make the traditional hairpinning model work in this scenario.
I followed every possible suggestion made in this regard in many discussion topics but still no luck. Can someone please help me out here?
Following is the running-config with normal client-to-site IPSec VPN configured with no Internet access:
LIMITATION: Can't boot into any other IOS image for some unavoidable reason, must use 8.2(1)
running-conf --- Working normal Client to Site VPN without internet access/split tunnel
ASA Version 8.2(1)
hostname ciscoasa
domain-name cisco.campus.com
enable password xxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
names
interface GigabitEthernet0/0
nameif internet1-outside
security-level 0
ip address 1.1.1.1 255.255.255.240
interface GigabitEthernet0/1
nameif internet2-outside
security-level 0
ip address 2.2.2.2 255.255.255.224
interface GigabitEthernet0/2
nameif dmz-interface
security-level 0
ip address 10.0.1.1 255.255.255.0
interface GigabitEthernet0/3
nameif campus-lan
security-level 0
ip address 172.16.0.1 255.255.0.0
interface Management0/0
nameif CSC-MGMT
security-level 100
ip address 10.0.0.4 255.255.255.0
boot system disk0:/asa821-k8.bin
boot system disk0:/asa843-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name cisco.campus.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network cmps-lan
object-group network csc-ip
object-group network www-inside
object-group network www-outside
object-group service tcp-80
object-group service udp-53
object-group service https
object-group service pop3
object-group service smtp
object-group service tcp80
object-group service http-s
object-group service pop3-110
object-group service smtp25
object-group service udp53
object-group service ssh
object-group service tcp-port
object-group service udp-port
object-group service ftp
object-group service ftp-data
object-group network csc1-ip
object-group service all-tcp-udp
access-list INTERNET1-IN extended permit ip host 1.2.2.2 host 2.2.2.3
access-list CSC-OUT extended permit ip host 10.0.0.5 any
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq www
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq https
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ssh
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ftp
access-list CAMPUS-LAN extended permit udp 172.16.0.0 255.255.0.0 any eq domain
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq smtp
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq pop3
access-list CAMPUS-LAN extended permit ip any any
access-list csc-acl remark scan web and mail traffic
access-list csc-acl extended permit tcp any any eq smtp
access-list csc-acl extended permit tcp any any eq pop3
access-list csc-acl remark scan web and mail traffic
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 993
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq imap4
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 465
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq www
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq https
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq smtp
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq pop3
access-list INTERNET2-IN extended permit ip any host 1.1.1.2
access-list nonat extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list DNS-inspect extended permit tcp any any eq domain
access-list DNS-inspect extended permit udp any any eq domain
access-list capin extended permit ip host 172.16.1.234 any
access-list capin extended permit ip host 172.16.1.52 any
access-list capin extended permit ip any host 172.16.1.52
access-list capin extended permit ip host 172.16.0.82 host 172.16.0.61
access-list capin extended permit ip host 172.16.0.61 host 172.16.0.82
access-list capout extended permit ip host 2.2.2.2 any
access-list capout extended permit ip any host 2.2.2.2
access-list campus-lan_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.150.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu internet1-outside 1500
mtu internet2-outside 1500
mtu dmz-interface 1500
mtu campus-lan 1500
mtu CSC-MGMT 1500
ip local pool vpnpool1 192.168.150.2-192.168.150.250 mask 255.255.255.0
ip verify reverse-path interface internet2-outside
ip verify reverse-path interface dmz-interface
ip verify reverse-path interface campus-lan
ip verify reverse-path interface CSC-MGMT
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (internet1-outside) 1 interface
global (internet2-outside) 1 interface
nat (campus-lan) 0 access-list campus-lan_nat0_outbound
nat (campus-lan) 1 0.0.0.0 0.0.0.0
nat (CSC-MGMT) 1 10.0.0.5 255.255.255.255
static (CSC-MGMT,internet2-outside) 2.2.2.3 10.0.0.5 netmask 255.255.255.255
access-group INTERNET2-IN in interface internet1-outside
access-group INTERNET1-IN in interface internet2-outside
access-group CAMPUS-LAN in interface campus-lan
access-group CSC-OUT in interface CSC-MGMT
route internet2-outside 0.0.0.0 0.0.0.0 2.2.2.5 1
route internet1-outside 0.0.0.0 0.0.0.0 1.1.1.5 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.0.0.2 255.255.255.255 CSC-MGMT
http 10.0.0.8 255.255.255.255 CSC-MGMT
http 1.2.2.2 255.255.255.255 internet2-outside
http 1.2.2.2 255.255.255.255 internet1-outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map internet2-outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map internet2-outside_map interface internet2-outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca xyzxyzxyzyxzxyzxyzxyzxxyzyxzyxzy
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
a67a897as a67a897as a67a897as a67a897as a67a897as
quit
crypto isakmp enable internet2-outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
telnet 10.0.0.2 255.255.255.255 CSC-MGMT
telnet 10.0.0.8 255.255.255.255 CSC-MGMT
telnet timeout 5
ssh 1.2.3.3 255.255.255.240 internet1-outside
ssh 1.2.2.2 255.255.255.255 internet1-outside
ssh 1.2.2.2 255.255.255.255 internet2-outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy VPN_TG_1 internal
group-policy VPN_TG_1 attributes
vpn-tunnel-protocol IPSec
username ssochelpdesk password xxxxxxxxxxxxxx encrypted privilege 15
username administrator password xxxxxxxxxxxxxx encrypted privilege 15
username vpnuser1 password xxxxxxxxxxxxxx encrypted privilege 0
username vpnuser1 attributes
vpn-group-policy VPN_TG_1
tunnel-group VPN_TG_1 type remote-access
tunnel-group VPN_TG_1 general-attributes
address-pool vpnpool1
default-group-policy VPN_TG_1
tunnel-group VPN_TG_1 ipsec-attributes
pre-shared-key *
class-map cmap-DNS
match access-list DNS-inspect
class-map csc-class
match access-list csc-acl
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class csc-class
csc fail-open
class cmap-DNS
inspect dns preset_dns_map
service-policy global_policy global
prompt hostname context
Cryptochecksum: y0y0y0y0y0y0y0y0y0y0y0y0y0y
: end
Neither adding dynamic NAT for 192.168.150.0/24 on the outside interface works, nor does sysopt connection permit-vpn.
Please tell me what needs to be done here to hairpin all the Internet traffic coming from VPN clients.
That is, I need clients connected via the VPN tunnel, when connecting to the Internet, to have their IPs NAT'ed to the internet2-outside interface address 2.2.2.2, as happens for the campus clients (172.16.0.0/16).
I'm not much conversant with everything involved here, therefore please be elaborate in your replies. Please let me know if you need any more information regarding this setup to answer my query.
Thanks & Regards
maxs
Hi Jouni,
Thanks again for your help, got it working. Actually the problem was that the ASA needed some time after configuring to work properly (??????). I configured and tested several times within a short period during the day and it was not working initially; the GUI packet tracer was showing some problems (IPSEC Spoof detected) and also there was this left-out DNS. It's working fine now.
But my problem is not solved fully here.
Does the hairpinning model allow access to the campus LAN behind the ASA also? Because the setup is working now as I needed, and I can access the Internet with the NAT'ed IP address (outside interface). So far so good. But now I cannot access the campus LAN behind the ASA.
Here is the packet-tracer output for the traffic:
packet-tracer output
asa# packet-tracer input internet2-outside tcp 192.168.150.1 56482 172.16.1.249 22
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.0.0 255.255.0.0 campus-lan
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.150.1 255.255.255.255 internet2-outside
Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group internnet1-in in interface internet2-outside
access-list internnet1-in extended permit ip 192.168.150.0 255.255.255.0 any
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: NAT
Subtype:
Result: DROP
Config:
nat (internet2-outside) 1 192.168.150.0 255.255.255.0
match ip internet2-outside 192.168.150.0 255.255.255.0 campus-lan any
dynamic translation to pool 1 (No matching global)
translate_hits = 14, untranslate_hits = 0
Additional Information:
Result:
input-interface: internet2-outside
input-status: up
input-line-status: up
output-interface: internet2-outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
The problem here, as you can see, is the rule for dynamic NAT that I added to make hairpinning work in the first place:
dynamic nat
asa(config)#nat (internet2-outside) 1 192.168.150.0 255.255.255.0
Is it possible to access both
1) the LAN behind the ASA
2) the Internet via hairpinning
simultaneously via a single tunnel-group?
If it can be done, how do I do it? What changes do I need to make here to get simultaneous access to my LAN also?
Thanks & Regards
Abhijit -
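The packet-tracer output in the post above already names the offending rule, but in a ten-phase trace it is easy to miss. The following Python, added here and not part of the original thread, parses packet-tracer output into phases and reports the first phase whose result is DROP together with the config lines it shows and the final Drop-reason. The sample input is the tail of the trace posted above (phases 1 through 8, all ALLOW, are omitted); the function names are my own.

```python
"""Parse ASA `packet-tracer` output and report the phase that dropped the
packet, so the offending rule can be read straight off the trace.
Added example, not part of the original forum thread."""
import re

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
FIELDS = ("Type", "Subtype", "Result")
SECTIONS = ("Config", "Additional Information")

# Tail of the trace posted above (phases 1-8, all ALLOW, omitted for brevity).
SAMPLE_TRACE = """\
Phase: 9
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: NAT
Subtype:
Result: DROP
Config:
nat (internet2-outside) 1 192.168.150.0 255.255.255.0
match ip internet2-outside 192.168.150.0 255.255.255.0 campus-lan any
dynamic translation to pool 1 (No matching global)
translate_hits = 14, untranslate_hits = 0
Additional Information:
Result:
input-interface: internet2-outside
input-status: up
input-line-status: up
output-interface: internet2-outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text):
    """Return {"phases": [...], "summary": {...}} from packet-tracer output.

    Each phase dict carries number, Type, Subtype, Result and the lines listed
    under Config: and Additional Information:. The bare "Result:" line that
    follows the last phase opens the key/value summary block."""
    phases, summary = [], {}
    phase, section, in_summary = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_summary:
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
            continue
        m = PHASE_RE.match(line)
        if m:
            phase = {"number": int(m.group(1)), "Config": [],
                     "Additional Information": []}
            phases.append(phase)
            section = None
            continue
        if line == "Result:":          # bare "Result:" opens the final summary
            in_summary = True
            continue
        key, sep, value = line.partition(":")
        if sep and key in FIELDS and phase is not None:
            phase[key] = value.strip()
        elif sep and key in SECTIONS and not value.strip():
            section = key
        elif phase is not None and section is not None:
            phase[section].append(line)   # rule text shown under the section
    return {"phases": phases, "summary": summary}


def find_drop(parsed):
    """First phase whose Result is DROP, or None when the packet was allowed."""
    return next((p for p in parsed["phases"] if p.get("Result") == "DROP"), None)


def explain(text):
    """One-line verdict: which phase dropped the packet and on which rule."""
    parsed = parse_packet_tracer(text)
    drop = find_drop(parsed)
    if drop is None:
        return "allowed: action=%s" % parsed["summary"].get("Action", "?")
    rule = drop["Config"][0] if drop["Config"] else "(no config line shown)"
    return "dropped in phase %d (%s): %s; %s" % (
        drop["number"], drop["Type"], rule,
        parsed["summary"].get("Drop-reason", ""))


if __name__ == "__main__":
    print(explain(SAMPLE_TRACE))
```

Paste the output of `packet-tracer input <interface> tcp <src> <sport> <dst> <dport>` into the function; on the sample it points at phase 10 and the `nat (internet2-outside) 1 192.168.150.0 255.255.255.0` rule, which is exactly the dynamic-NAT statement the poster identifies as the cause.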
Configure vpn 3030 snmp for cisco works 2000
vpn 3030 snmp error in cisco works 2000
I want to monitor the VPN 3030 through VPN Monitor, so I did some configuration on the VPN 3030:
1)Configuration | System | Management Protocols | SNMP
enabled port 161
2)Configuration | System | Management Protocols | SNMP Communities
public
3)Administration | Access Rights | Administrators | Modify Properties
snmp modify config
I can telnet and HTTP to the VPN 3030, but when I run the test in CiscoWorks 2000 (Server Configuration | Diagnostics | Connectivity Tools | Management Station to Device) it said:
Interface Status Test Results
172.16.8.1 DOWN SNMPR failed
sent: 5 recvd: 0 min: 0 max: 0 avg: 0 timeout: 2 size: 91 protocol: snmp_get port: 161
SNMPW failed
sent: 0 recvd: 0 min: 0 max: 0 avg: 0 timeout: 2 size: 0 protocol: snmp_set port: 161
About my VPN 3030:
Monitoring | System Status Thursday, 10 October 2002 16:40:16
VPN Concentrator Type: 3030
Bootcode Rev: Cisco Systems, Inc./VPN 3000 Concentrator Series Version 2.5.Rel Jun 21 2000
18:57:52
Software Rev: Cisco Systems, Inc./VPN 3000 Concentrator Series Version 3.0.2.Rel Apr 05 2001
20:50:58
Up For: 6d 0:04:27
Up Since: 10/04/2002 16:35:49
RAM Size: 128 MB
There is only a 6509 between the CiscoWorks 2000 server and the VPN 3030, and no restrictions on TCP/IP flow.
Please help me. Thanks in advance.
I tested it in CW2000 CD One.
This is really a strange question.
The CW2000 server's IP address is 10.8.1.122.
The VPN 3030's IP address is 172.16.8.1.
Between them is a 6509; its IP address is 10.8.1.201.
When I test connectivity between the CW2000 server and the 6509, everything is good; SNMP is OK.
When I test connectivity between the CW2000 server and the VPN 3030, everything is good except SNMP, which does not respond, while using a third-party SNMP program the SNMP status is OK!
When I change the CW2000 server's IP address to 172.16.8.3 and connect it directly to the VPN 3030, and test connectivity between the CW2000 server and the VPN 3030, everything is good; SNMP is OK. -
I need help configuring RDP access to my local server from a remote location on my Cisco ASA 5505 firewall.
I have attempted to configure RDP access but it does not seem to be working for me. Could I please ask someone to help me modify my current configuration to allow this? Please do it step by step, as I could use all the help I can get.
I need to allow the following IP addresses to have RDP access to my server:
66.237.238.193-66.237.238.222
69.195.249.177-69.195.249.190
69.65.80.240-69.65.80.249
My external WAN server info is 99.89.69.333.
The internal IP address of my server is 192.168.6.2.
The other server shows up as 99.89.69.334 but is working fine.
I already added one server for static route and RDP, but when I try to put in the same commands it doesn't allow me to for this new one. Please take a look at my configuration file and give me the commands I need in order to put this through. Also please tell me if there are any bad/conflicting entries.
THE FOLLOWING IS MY CONFIGURATION FILE
Also, I have modified the IP information so that it's not the ACTUAL IP info for my server/network etc... lol, for security reasons of course.
Also, the bolded lines are the modifications I made but that aren't working.
ASA Version 7.2(4)
hostname ciscoasa
domain-name default.domain.invalid
enable password DowJbZ7jrm5Nkm5B encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.6.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 99.89.69.233 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group network EMRMC
network-object 10.1.2.0 255.255.255.0
network-object 192.168.10.0 255.255.255.0
network-object 192.168.11.0 255.255.255.0
network-object 172.16.0.0 255.255.0.0
network-object 192.168.9.0 255.255.255.0
object-group service RDP tcp
description RDP
port-object eq 3389
object-group service GMED tcp
description GMED
port-object eq 3390
object-group service MarsAccess tcp
description MarsAccess
port-object range pcanywhere-data 5632
object-group service MarsFTP tcp
description MarsFTP
port-object range ftp-data ftp
object-group service MarsSupportAppls tcp
description MarsSupportAppls
port-object eq 1972
object-group service MarsUpdatePort tcp
description MarsUpdatePort
port-object eq 7835
object-group service NM1503 tcp
description NM1503
port-object eq 1503
object-group service NM1720 tcp
description NM1720
port-object eq h323
object-group service NM1731 tcp
description NM1731
port-object eq 1731
object-group service NM389 tcp
description NM389
port-object eq ldap
object-group service NM522 tcp
description NM522
port-object eq 522
object-group service SSL tcp
description SSL
port-object eq https
object-group service rdp tcp
port-object eq 3389
access-list outside_1_cryptomap extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC
access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-data
access-list outside_access_in extended permit udp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-status
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group RDP
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ftp
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ldap
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq h323
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq telnet
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq www
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group SSL
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM522
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM1731
access-list outside_access_in extended permit tcp 173.197.144.48 255.255.255.248 host 99.89.69.334 object-group RDP
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333
access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333 object-group rdp
access-list outside_access_in extended permit tcp any host 99.89.69.333 object-group rdp
access-list out_in extended permit tcp any host 192.168.6.2 eq 3389
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 99.89.69.334 3389 192.168.6.1 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 99.89.69.338 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.6.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 68.156.148.5
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
tunnel-group 68.156.148.5 type ipsec-l2l
tunnel-group 68.156.148.5 ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:f47dfb2cf91833f0366ff572eafefb1d
: end
ciscoasa(config-network)#
Unclear what did not work. In your original post you said some commands were added but don't work:
static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
and later you state you add another command that gets an error:
static (inside,outside) tcp 99.89.69.333 3389 192.168.6.2 3389 netmask 255.255.255.255
You also stated that 99.89.69.333 (actually 99.89.69.233, guessing from the rest of your config and other posts) is your WAN IP address.
The first static statement matches Cisco's documentation, which states that a static statement must use the 'interface' directive when you are trying to do static PAT utilizing the IP address of the interface. Since 99.89.69.333 is the assigned IP address of your WAN interface, that may explain why the second statement fails.
Any reason why you are using static PAT (including the port number 3389) instead of just skipping that directive? Static PAT usually makes sense when you need to change the TCP port number. In your example, you are not changing the TCP port 3389. -
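Added example, not code from the thread or from Cisco: a small Python lint over a constructed subset of the posted config that flags what the reply above raises and what a reviewer would add: a static that names the outside interface's own address instead of the interface keyword, an ACL name that no access-group applies (out_in), and any-source rules reaching TCP 3389 when the poster only wanted three address ranges allowed. The 99.89.69.23x addresses are assumed, following the reply's guess that the post's .33x values are obfuscated.

```python
import ipaddress

# Constructed subset of the ASA 7.2 config posted in the thread. The post's
# 99.89.69.33x addresses are not valid IPv4, so this sample uses the
# 99.89.69.23x values the reply infers (.233 = outside interface address).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.6.254 255.255.255.0
interface Vlan2
 nameif outside
 ip address 99.89.69.233 255.255.255.248
object-group service RDP tcp
 port-object eq 3389
object-group service rdp tcp
 port-object eq 3389
access-list outside_access_in extended permit tcp 173.197.144.48 255.255.255.248 host 99.89.69.234 object-group RDP
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.233 object-group rdp
access-list outside_access_in extended permit tcp any host 99.89.69.233 object-group rdp
access-list out_in extended permit tcp any host 192.168.6.2 eq 3389
static (inside,outside) tcp 99.89.69.234 3389 192.168.6.1 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
static (inside,outside) tcp 99.89.69.233 3389 192.168.6.2 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""


def parse_config(text):
    """Return (interface address by nameif, service groups that contain port 3389)."""
    addrs, rdp_groups = {}, set()
    nameif = group = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif, group = None, None          # new interface block
        elif line.startswith("object-group service "):
            group, nameif = line.split()[2], None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif nameif and line.startswith("ip address "):
            addrs[nameif] = ipaddress.ip_address(line.split()[2])
        elif group and line == "port-object eq 3389":
            rdp_groups.add(group)
    return addrs, rdp_groups


def audit(text):
    """Return (finding code, offending line or ACL name) pairs."""
    addrs, rdp_groups = parse_config(text)
    findings, defined, applied = [], set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        tok = line.split()
        if line.startswith("static ("):
            body = tok[2:]
            mapped = body[1] if body[0] in ("tcp", "udp") else body[0]
            # Static PAT onto an interface's own address must use the
            # 'interface' keyword; the literal address is rejected (see reply).
            try:
                if ipaddress.ip_address(mapped) in addrs.values():
                    findings.append(("STATIC_USES_INTERFACE_IP", line))
            except ValueError:
                pass                             # 'interface' keyword or a name
        elif line.startswith("access-list ") and len(tok) > 5 and tok[3] == "permit":
            defined.add(tok[1])
            hits_rdp = ("eq" in tok and tok[tok.index("eq") + 1] == "3389") or any(
                tok[i + 1] in rdp_groups for i, t in enumerate(tok[:-1]) if t == "object-group")
            # The poster wanted RDP limited to three address ranges, so an
            # 'any' source reaching 3389 is broader than intended.
            if tok[5] == "any" and hits_rdp:
                findings.append(("RDP_OPEN_TO_ANY", line))
        elif line.startswith("access-group "):
            applied.add(tok[1])
    # An ACL that no access-group references (out_in here) never filters anything.
    for name in sorted(defined - applied):
        findings.append(("ACL_NOT_APPLIED", name))
    return findings


if __name__ == "__main__":
    for code, item in audit(SAMPLE_CONFIG):
        print(f"{code}: {item}")
```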
Hello all.
I have just set up a new cisco DPQ3925 wireless router that Optus sent me to be able to access the higher speed internet I have signed up for.
I have a 4th gen apple extreme that I want to use to extend the wifi but when I try to update the settings via the airport utility I get a message that says it cannot do so, and to check it is in range and the wifi is set up correctly. I'm not experienced with these things but I can't think what I have done wrong.
Is anybody able to help me please?
You cannot use the AE to extend wireless from a non-Apple router such as your Cisco modem router. They are not compatible.
You need to tie the two devices together either with Ethernet or something like EOP adapters. They are about $120 and you can price match in Officeworks. -
I understand that access points can be configured to forward all the probe requests to the Cisco WiFi controller. Cisco MSE (Mobility Services Engine) gets the probes from the WiFi controller to find the location of the mobile devices.
My question: can Cisco MSE (Mobility Services Engine) be configured to work with non-Cisco access points?
No, and the reason why is the NMSP communication from the MSE to the WLC. Other vendors don't support this, so there is no communication happening.
-Scott -
Implement a Cisco WAP200E Wireless-G Exterior Access Point
Hi everybody,
I am asked to install a Cisco WAP200E Wireless-G Exterior Access Point into my company network infrastructure.
But there is an issue that I would like you to help me solve.
In fact the AP mentioned above is a PoE device, and our Switch is not PoE (Cisco Catalyst 2960 24TC-L).
How can I make my wireless device work without having to change my switch?
Thank you for helping.
You can get a PoE injector & power it without changing the switch.
http://www.cisco.com/c/en/us/products/collateral/wireless/wap200e-wireless-g-exterior-access-point-poe/data_sheet_c78-503126.html
Also better if you could move this thread to Small Business Support community where you may get more responses.
HTH
Rasika
**** Pls rate all useful responses **** -
Cisco Guest Wireless Access Solution - Local Printing
Hi,
Does Cisco have a solution that provides printing for a guest WLAN? Cisco guest wireless deployment solutions recommend terminating the guest WLAN on an anchor controller in the DMZ, which causes issues when you need to print locally, as the print traffic will need to traverse the DMZ anchor controller, causing excessive WAN link usage.
Is there a better solution to enable a guest WLAN to print locally?
FlexConnect with split tunneling may work.
Read about this feature & see how that can be used in your branch setup. Here is the Ciscolive presentation slides the above came from.
BRKEWN-2016: Architecting Network for Branch Offices with Cisco Unified Wireless
HTH
Rasika
**** Pls rate all useful responses **** -
Configuring the iPhone and your environment for wireless corporate email
I'm posting this as a top level thread, because I'm certain that there are others out there, who like me, are trying to figure this out.
Configuring the iPhone for Enterprise Use
With Apple’s release of the iPhone, IT organizations are presented with an interesting challenge. Senior execs, gadget heads, and technorati are all flocking to this device, heralded as the be-all and end-all of smartphone telecommunications technology. As these devices begin to flood into our organizations, we are met with the challenge to ‘make it work’.
After much explaining that the iPhone is not intended for Enterprise integration, and many discussions surrounding the technical feasibility of bringing said devices into the fold, and being the resident Mac and Linux head with an iPhone in hand, I decided to embark on the mission of making one ‘work’. I succeeded in part, however it’s not the kind of ‘work’ that is going to be viable for most end users.
First of all, it’s important to understand that the email client for the iPhone is a modified version of Mac’s Mail program. Not the best client in the world, but it does support Exchange integration. It also does external email sources, such as Yahoo and gMail, very well. For my interest though, I’m focusing on the Exchange integration functionality, as that is just about everyone’s corporate standard.
Bringing this task to fruition requires some understanding about the limitations of the iPhone, as well as some of its current quirks. Wireless 802.11x, EDGE, VPN and Mail are all components necessary to provide a serviceable solution for mobile email access, and each of these things has some peculiarities that don’t appear to be fully worked out by Apple at this time.
For instance, within my organization, we have a secured wireless connectivity option available within our building; however, the SSID of this network is not broadcast, for the obvious reasons. So, connecting the iPhone to it is a manual process of defining the network, and automatic reconnection seems to be very hit or miss, so it becomes far less of an option for any form of direct network access to your Exchange environment. (As an example, I had to redefine that network, on the iPhone, at least half a dozen times during this process.)
The other components have equally quirky issues, and I will discuss how to get around them below.
In coordinating this into a cohesive plan however, I will break this into three sections;
1. Wireless and EDGE connectivity
2. VPN access to your network
3. Connecting to Exchange
So, without further ado;
Wireless and EDGE Connectivity
The wireless capabilities of the iPhone are, on the surface at least, excellent. It connects seamlessly to unsecured networks, offers the option of prompted or unprompted automatic connectivity, and is capable of 802.11G performance. Not bad for such a small package. However, it is very limited in the forms of secure network access it supports. These are, to quote Apple’s website; (and my iPhone)
WEP Password
WEP hex or ASCII
WPA (personal)
WPA2 (personal)
Now, due to the obvious security problems in implementing WEP security, it’s likely that any network you run into is going to be WPA or WPA2. The iPhone ONLY supports the personal versions of these protocols, so be aware of this going into the situation. If you’re not connecting to your work or school wireless, and you’re entering the information correctly, then it’s probably because they have the Enterprise version of one of the protocols enabled. If that is the case, then you’re either hunting for unsecured hotspots, or else depending on EDGE.
In my case, I did have access to a WPA2 (Personal) enabled wireless signal to connect to my internal network. I thought my problem was half solved! I defined the connection, the wireless capability of the phone worked perfectly, and I was connected. I was wrong. Apparently, and judging from the Mac forums I’m not alone in this, the iPhone does not do a very good job of RE-connecting to a secured wireless network. It does an even worse job, when this is coupled with the fact that it doesn’t do a very good job reconnecting to a wireless network with an unpublished SSID.
After much fiddling and research into this, I determined that this simply was not the way to go, and I abandoned the idea. I wasn’t about to compromise my network security in order to get this silly phone working! So, that left me with either unsecured WiFi, or EDGE.
Either one of these connects pretty seamlessly, and gives me a relatively decent Internet connection. There are some issues being reported of the iPhone swapping between EDGE and WiFi for no apparent reason, but that said, it can still be made to work.
Now that I had this connection outside of my network, I obviously had to consider options for getting a secured connection into my network, which of course leads us to;
VPN Access Into Your Network
Being that this device was touted as the ‘real internet’ I was very excited to see if I could achieve this connection through my SSL VPN appliance. To make a long story short, I could not. Because Apple’s idea of the ‘Real Internet’ apparently does not include those wacky concepts like Java support, this proved to be impossible. My Apple cohorts will scream that it does support JavaScript, but we all know that that and 2 bucks will get you a small coffee at Starbucks… and not much more.
(The iPhone also does not support Flash, but that’s a topic for another conversation. I know, how could they leave that out? I’m amazed too, but then Steve Jobs always has been a bit too arrogant for his own good… I mean what does he expect, we’re all going to rewrite everything into QuickTime??? Please.)
Since that option didn’t work, I was left with the wide selection of two possibilities provided within the iPhone software. Either, a PPTP or L2TP VPN tunnel.
We went ahead and configured a PPTP connection on one of our Cisco routers in order to test this. It didn’t work. I couldn’t connect to it. Tried and tried. Nada. SOOOO, we said OK, and configured a L2TP connection on one of our Cisco routers, with similar results.
Figuring that this was something in the config, we called Cisco, and did the technical support dance with them for several days, trying one thing after another to get this connection to actually work. Nothing helped, and it never worked using either protocol. Then, I noticed an obscure article somewhere on some website that said something to the effect that getting one of these tunnels to work from the iPhone to Cisco was nigh on impossible.
About the same time, my senior network guy said screw it, let’s put this on a Microsoft server. And so we did. Now, this is interesting in its own right, because configuring out-of-the-box L2TP or PPTP on a Microsoft server results in a default authentication method of Windows Authentication. This does not work for the iPhone, because it has no idea what to do with the Windows security token it receives. So, you authenticate, and then are immediately dropped due to an inability to communicate with the PPP server.
Fortunately, we (as do most organizations) have a Radius server. We selected Radius authentication, configured both sides of the Radius authentication setup properly, and launched the PPTP tunnel…. AND…. EUREKA!!! The iPhone’s VPN software connected, authenticated, got an IP, and I was on the network! Well, no.
After about 2 seconds, I realized that while I did indeed have a connection, I couldn’t do anything with it. Couldn’t even browse to an internal site via IP address. The connection was up, the connection was working, the connection was useless.
So, we decided to give L2TP a shot. Configured it pretty much identically to the PPTP setup, used Radius, launched the iPhone client, and finally, after many days of screwing around, it worked. Now all I needed was to get my email working, so I started working on;
Connecting to Exchange
In the Mail program on the iPhone, the first time you launch it, you’re presented with the ability to configure an email source. However on subsequent or additional accounts, you must go under Settings, Mail to get to this functionality.
Going into the Mail configuration, I selected an additional account, the account type is, of course, Exchange. The configuration components are pretty obvious, however some things of note are;
Do NOT include your domain information in the User Name field
For all Host Names, use the fully qualified domain name of the server, or else IP
You WILL need to have SMTP enabled somewhere in order to send email
Anyway, I set all this up, and nothing happened. It said that my server was not responding. Did a little research, and it turns out that the only way to connect to Exchange is through an IMAP4 connection, and just in case you didn’t know, IMAP4 is disabled by default, so you have to enable and configure it.
Went onto the Exchange server, set the service to Auto, Started the listener, and finally, at long last, EUREKA! I finally had Corporate email on my iPhone, connecting securely, and not sending anything plain text anywhere. Hooray!
Now for the problems with this solution;
First of all, it depends upon VPN access into your environment, something that you may or may not be comfortable with. One good thing is that the iPhone does prompt for password to reconnect, and will tie the continuity of the VPN connection into the general phone lock security, such that an inability to provide the appropriate access code to a locked phone results in the VPN not being accessible.
The VPN of course is dependent upon a reliable network connection. I’ve noticed that it’s somewhat graceful in switching between WiFi and EDGE, however it’s not totally graceful, and you can experience some hinky things, like being able to send and not receive, or the mail client saying ‘Connecting’ for about 5 minutes before it figures things out.
The best cure for this is to simply stop and restart the VPN connection. Note that when you reconnect, the first attempt will prompt you for a numeric password, this is meaningless unless you have the device lock turned on. Just enter anything. (I think this is another bug) THEN it will re-prompt you for your real VPN password.
This solution for email delivery is obviously dependent upon the VPN connection being active. I’ve noticed that at times the iPhone will disconnect the VPN (probably when service switching) and not bother to mention it. When that happens, of course the VPN must be restarted.
For the lazy, this is an inconvenient solution because while it would appear that the iPhone will cache the VPN password, in fact it will not. That means that each re-launch requires that you re-enter your password. Not terrible for me, but I could see it being very tedious for the average corporate user.
The OSX Mail client has several little deficiencies, which may or may not impact your use of the device in this manner. For instance, if you have subfolders defined for your inbox, and server side rules to move mail into them, then you will not see any synchronization of that mail until you actually select the subfolder. Also, since there is such poor management of attachments and downloads, moving anything around via email on this device is nigh on impossible.
EDGE access to your corporate email, via a VPN, is a bit sloooooow. It works, it’s certainly fast enough for my purposes, but it’s not the slick quick access that we’ve all become accustomed to with Blackberry and Good devices. The lack of 3G support becomes a very noticeable shortcoming here.
(Why Apple didn’t simply partner with Good Technologies to crank out a client for this thing, I’ll never understand, but I guess you can refer to my comment above about certain people’s arrogance.)
The biggest problem of all of course is that it’s simply klugey. I hate klugey. But, with the capabilities at this device’s disposal, and given Apple’s ambitious, if a bit idiotic, stance that no third party will develop software for the iPhone, then this is about as good as it’s going to get for now.
It is my understanding that overseas there is some initiative underway to provide a more seamless Visto or Synchronica integration for enterprise email. However, given Apple’s unbelievably restrictive agreement with ATT regarding this device and the OTA necessity of delivering the client, I seriously doubt if we’ll see this in the near future in the US.
But I digress, so…
In Conclusion
This solution is not for the faint of heart, it doesn’t work all that well, and it has way too many moving parts that are subject to failure. However, I would say that this solution is serviceable for the corporate technology professional who needs email, and really, REALLY wants the other features of the iPhone. (ie, phone whores such as me.) It requires patience, it requires an understanding that this is not a 100% thing, and there definitely needs to be a prebuilt expectation that this device will not serve your email in anything approaching the manner to which you’ve become accustomed.
As long as all of that is okay though, then go right ahead, set it up, and enjoy!
The Short Version;
(I put this at the end because I want everyone to feel my pain!)
Wireless:
Use unsecured wireless or EDGE. Secured wireless may be serviceable as long as the SSID is broadcast, but there are known issues with this.
VPN:
L2TP, shared secret, running on Microsoft server, with Radius. (May work elsewhere, but doesn’t seem to run on Cisco at all) Accounts enabled for external access.
Exchange:
Configure IMAP4 Virtual Server on your Exchange environment, ensure that you have some SMTP resource for outbound email, use fully qualified domain names for all servers (or IP) in the mail config and do not include any domain prefix or suffix for user accounts.
The BIG Disclaimer at the End
Please note that all of this is provided ‘as is’. It worked for me, and I hope it works for you. To my knowledge, it’s not endorsed by Apple, and I’m not in the business of providing support for this thing. If it breaks something, if it doesn’t work, or if you simply don’t like it or me, I don’t care. However, if you have a question, and I’m not busy, and I feel like answering, I may lend a hand. You can email me at
Matthew dot Yotko at mac dot com
Don’t be surprised or offended if I don’t answer. Also, understand that I don’t check this address every day… Maybe a couple times a week.
Macbook Pro Mac OS X (10.4.10) iphone
Thanks, now I understand why the wifi keeps dropping. On my personal wireless network, it also seems the distance from the access point is not good compared to my laptop. At work our network & exchange teams don't seem to have the desire to struggle with this "toy" until customers start forcing its adoption. I am using OWA and it works fine over EDGE. I will share your posting with them.
Thank you again.
Dell Windows XP Pro