DirectAccess - IPHTTPS Tunnel with native IPv6 client

I observed that in a DirectAccess KerbProxy scenario, a Windows 8.1 DirectAccess client with native IPv6 Internet connectivity is still using the IP-HTTPS transition technology for connecting to a Windows 2012R2 DirectAccess server, also with native IPv6 Internet connectivity.
Is this normal behavior, even when native IPv6 Internet connectivity is available?
Note 1: the use of the IP-HTTPS transition technology is confirmed with a Wireshark/NetMon trace.
Note 2: see also the related thread
http://social.technet.microsoft.com/Forums/en-US/e4bbb30e-161a-4847-918d-ba34934b4877/directaccess-double-dns-registration-issue-with-native-ipv6-client?forum=winserverNIS
Regards,
Stefaan

After some more research I found the Technet article
http://technet.microsoft.com/en-us/library/ee844198(v=WS.10).aspx. If that's still valid then no IPHTTPS should be used at all as both the DA client and the DA server have a public IPv6 address and can reach each other.
DA Client:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : 9C-B6-54-EF-D9-37
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2a02:a010:1:12::10(Preferred)
   Link-local IPv6 Address . . . . . : fe80::75df:2d9e:9fa6:a730%3(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.29.0.16(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . : 2a02:a010:1:12::1
                                       172.29.0.1
   DHCPv6 IAID . . . . . . . . . . . : 60601940
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-74-91-FD-9C-B6-54-EF-D9-37
   DNS Servers . . . . . . . . . . . : 195.238.2.21
                                       195.238.2.22
   NetBIOS over Tcpip. . . . . . . . : Enabled
DA Server:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter #2
   Physical Address. . . . . . . . . : 00-50-56-87-24-4C
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2a02:a010:1:20::203(Preferred)
   Link-local IPv6 Address . . . . . : fe80::7960:e687:d4f3:4bf6%18(Preferred)
   IPv4 Address. . . . . . . . . . . : 193.75.143.203(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 2a02:a010:1:20::21
                                       193.75.143.21
   DHCPv6 IAID . . . . . . . . . . . : 520114262
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-39-9F-8F-00-50-56-87-31-60
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Disabled
Also, why do we see in the "DirectAccess Policy-DaServerToCorpSimplified" as "Local Tunnel Endpoint" on the DA Server and as "Remote Tunnel Endpoint" on the DA Client the IPv6 address 2002:c14b:8fcb::c14b:8fcb ? That's the "Tunnel adapter 6TO4 Adapter" of the DA Server. Shouldn't that be the IPv6 address 2a02:a010:1:20::203 in our case?
Regards,
Stefaan
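The two questions above both come down to reading the addresses ipconfig shows and recognising which transition technology each one belongs to: 2002::/16 is the 6to4 prefix, and a 6to4 address embeds the host's public IPv4 address in hex (193.75.143.203 is c1.4b.8f.cb, which is exactly where 2002:c14b:8fcb::c14b:8fcb comes from). The following script is an added example written for this page, not code from the thread or from Microsoft; it parses an ipconfig excerpt modelled on the DA Server output quoted above, classifies every IPv6 address it finds (link-local, site-local, 6to4, Teredo, native global), derives the 6to4 address for a public IPv4 and recovers the IPv4 from a 6to4 address. The IP-HTTPS prefix is deployment-specific and cannot be recognised from the address alone, so the `iphttps_prefix` parameter is an assumption the caller has to fill in; the Teredo address and IP-HTTPS prefix in the usage are constructed values.

```python
import ipaddress
import re

# Constructed sample, modelled on the "DA Server" ipconfig excerpt quoted in the
# thread (same addresses, abbreviated to the lines the check needs).
SAMPLE_IPCONFIG = """\
   IPv6 Address. . . . . . . . . . . : 2a02:a010:1:20::203(Preferred)
   Link-local IPv6 Address . . . . . : fe80::7960:e687:d4f3:4bf6%18(Preferred)
   IPv4 Address. . . . . . . . . . . : 193.75.143.203(Preferred)
   Default Gateway . . . . . . . . . : 2a02:a010:1:20::21
                                       193.75.143.21
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
"""

# A field line has a few leading spaces and a dotted label; a continuation line
# (second gateway, second DNS server) is only a value indented far to the right.
FIELD_RE = re.compile(r"^\s{1,8}(?P<label>[^.:]+?)[ .]*: ?(?P<value>.*)$")
CONT_RE = re.compile(r"^\s{9,}(?P<value>\S.*)$")


def parse_ipconfig(text):
    """Return [(label, [values...]), ...] for one adapter's ipconfig /all output."""
    fields = []
    for line in text.splitlines():
        cont = CONT_RE.match(line)
        if cont and fields:
            fields[-1][1].append(cont.group("value").strip())
            continue
        field = FIELD_RE.match(line)
        if field:
            value = field.group("value").strip()
            fields.append((field.group("label").strip(), [value] if value else []))
    return fields


def clean_address(value):
    """Strip the '(Preferred)' suffix and the %zone index that ipconfig appends."""
    return value.split("(")[0].split("%")[0].strip()


def classify_ipv6(value, iphttps_prefix=None):
    """Name the transition technology (or native scope) an IPv6 address belongs to.

    iphttps_prefix is the prefix the DirectAccess server hands to IP-HTTPS clients;
    it is deployment-specific, so it is an assumed caller-supplied parameter.
    """
    addr = ipaddress.IPv6Address(clean_address(value))
    if iphttps_prefix and addr in ipaddress.IPv6Network(iphttps_prefix):
        return "IP-HTTPS"
    if addr.is_link_local:
        return "link-local"
    if addr.is_site_local:          # fec0::/10, deprecated; Windows still uses it for DNS
        return "site-local (deprecated)"
    if addr.sixtofour is not None:  # 2002::/16 with the public IPv4 embedded
        return "6to4"
    if addr.teredo is not None:     # 2001:0::/32 with server and client IPv4 embedded
        return "Teredo"
    if addr.is_global:
        return "native global"
    return "other"


def ipv6_addresses(text, iphttps_prefix=None):
    """Map every IPv6 address in the ipconfig excerpt to its classification."""
    result = {}
    for _label, values in parse_ipconfig(text):
        for value in values:
            try:
                addr = ipaddress.IPv6Address(clean_address(value))
            except ValueError:
                continue  # IPv4 addresses, MAC addresses, Yes/No flags and so on
            result[str(addr)] = classify_ipv6(value, iphttps_prefix)
    return result


def six_to_four_address(ipv4):
    """Derive the 6to4 address Windows assigns for a public IPv4 address (RFC 3056 prefix)."""
    ip4 = ipaddress.IPv4Address(ipv4)
    if not ip4.is_global:
        raise ValueError(f"{ipv4} is not a public IPv4 address; 6to4 cannot use it")
    hi, lo = int(ip4) >> 16, int(ip4) & 0xFFFF
    return str(ipaddress.IPv6Address(f"2002:{hi:x}:{lo:x}::{hi:x}:{lo:x}"))


def embedded_ipv4(value):
    """Recover the IPv4 address encoded in a 6to4 address, or None if it is not 6to4."""
    ip4 = ipaddress.IPv6Address(clean_address(value)).sixtofour
    return None if ip4 is None else str(ip4)


if __name__ == "__main__":
    for addr, kind in ipv6_addresses(SAMPLE_IPCONFIG).items():
        print(f"{addr:40} {kind}")
    print(six_to_four_address("193.75.143.203"), "<-", embedded_ipv4("2002:c14b:8fcb::c14b:8fcb"))
```

Run against the client excerpt from the thread, the script raises for 172.29.0.16 (a private address, so no 6to4 address can exist for it) and reports 2a02:a010:1:12::10 as native global; on the server excerpt it reports 2a02:a010:1:20::203 as native global while the 6to4 adapter's 2002:c14b:8fcb::c14b:8fcb decodes back to 193.75.143.203.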

Similar Messages

  • Mavericks VPN dropouts with native VPN client and Cisco IPSec

    Since the update to Mavericks I am experiencing VPN dropouts with the native VPN client and Cisco IPSec.
    I am connecting via a WiFi router to a remote VPN server.
    The connection is good for a while but eventually it drops out.
    I had zero issues in Mountain Lion and only have issues since the update to 10.9.
    I had similar issues in the past with an unreliable WiFi router, but I am using a Verizon FiOS router and it has worked impeccably until Mavericks.
    My thoughts are:
    1 - issue with Mavericks (maybe the app sleep function affecting either VPN or WiFi daemons)
    2 - issue with Cisco router compatibility or timing with Cisco IPSec
    3 - issue with WiFi itself on Mavericks - some sort of WiFi software bug
    Any thoughts or suggestions?

  • Airport extreme with native IPV6

    My ISP free.fr provides native IPv6.
    In automatic tunnel mode the AEBS provides 6to4 IPv6 mode.
    I tried to change to manual mode with this setup:
    Remote IPv4 Address: my ipv4 wan address
    Remote IPv6 Address: 2a01:0e35:xxxx:xxxx::1
    Local IPv6 Address: 2a01:0e35:xxxx:xxxx::2
    LAN IPv6 Address: 2a01:0e35:yyyy:yyyy::1
    Reboot
    Local IPv6 Address of my AEX has been discovered;
    Octet 3 and 4 have been discovered too for Remote IPv6 Address and LAN IPv6 Address
    ping6 and traceroute6 to AEX: OK
    but
    IPV6 on my network doesn't work.
    Any idea ?
    Is my setup wrong or is there a AEBS bug in IPV6 mode ?
    PS: for free.fr users, I switched off the routing mode of my Freebox.

    I'd be interested to know if it's possible to use the AEX with an ISP that provides native IPv6. But I would think that in such a case, you shouldn't configure it in 6to4 tunnel mode (either automatic or manual). There are two other options besides "tunnel". One is "link-local only", which doesn't sound promising. The other option is "node". Did you try that? Just a wild guess.
    Bonne chance!

  • AirPort Extreme compatibility with native IPv6

    Fibre To The Cabinet becomes available soon in my street, in the UK.
    Speaking to two ISPs who offer IPv6 native service, both say that their customers trying to use AirPort Extreme routers for IPv6 natively are experiencing problems.
    They both say that the device only works when set up in tunnel mode.
    My understanding is that such a setup is inferior.
    Both ISPs blame the device for the lack of compatibility.
    Has anyone here experienced this problem?
    Has anyone here found a provider with whom this works?
    Thanks for any suggestions.

    I tested it, does not really work either. I just submitted an enhancement request via apple.com/feedback to ask if they want to add native v6 over PPPoE.
    I hope they take it into account.

  • 2012 R2 DirectAccess with very low client throughput

    I have a three-node Windows NLB Server 2012 R2 DirectAccess farm. These three single-purpose servers have good specs (8 cores, 32GB RAM, etc). The problem that I am seeing is that the clients all have very low throughput on each session (between 6 and 8 MBit "aka 1 MByte" per second). This performance spec is linear, since for each concurrent client that you add their throughput is also in that range. Clients are all high-spec notebooks with Windows 8.1 Enterprise x64. Performance on these clients is excellent except when transiting the DirectAccess server. If the same client connects through AnyConnect VPN their throughput is excellent. Additionally, when clients connect to the DA server plugged into the external traffic switch (aka same network as the DA external interface) the performance is identical, so this isn't a WAN performance issue. The utilization on all devices (DA servers, DA clients, network hardware) is very low, so it does not appear to be a resource problem.
    I confirmed that NULL CIPHER is used on clients so the traffic isn't being double encrypted. This NLB started life 2 years ago as a Windows Server 2012 environment on different hardware and I've had the exact same issue. It works "ok" but not with the throughput that the capacity planning documentation indicates.
    Any ideas?
    Thanks,
    Mark Ringo

    Hi Mark,
    Which transition technologies does the client use to connect the DirectAccess Server?
    Using IP-HTTPS for DirectAccess connectivity has higher overhead and lower performance than Teredo. If the DirectAccess client is using IP-HTTPS instead of Teredo, the DirectAccess client will have a lower performance connection.
    When examining performance issues, one of the first places to look is the display of the ipconfig command on the DirectAccess server, which indicates the type of encapsulation based on the interface that has a global IPv6 address assigned.
    For detailed information, please refer to the link below,
    DirectAccess Client Connection is Slow
    http://technet.microsoft.com/en-us/library/ee844161(v=WS.10).aspx
    Best Regards.
    Steven Lee
    TechNet Community Support

  • Native IPv6 with Airport stops working

    Hi!
    My ISP has just started supporting native IPv6, which I would like to get working with my Airport Extreme as router.
    After configuring the Airport in Router mode (AU 5.6), with automatic configuration, my router and all my devices are in fact configured with an IPv6 address.
    However, now the weird problem starts:
    After configuring the airport, it reboots, my devices receive an address, and IPv6 works!
    ....for about 10 seconds. During these 10 seconds, ping6 and telnet/browser to IPv6 addresses respond and work.
    However, after about 10 seconds, ping stops responding, and new connections time out.
    If I connect my computer directly to the cable modem, IPv6 works flawlessly.
    I can also see the IPv6 router advertisement, where I receive a /64 network delegation.
    I also know other users of the same ISP who have got this working fine with other routers.
    Are there any known problems with the Airport Extreme with IPv6 in native mode?

    jvbrandis wrote:
    that is kind of a circular argument, isn't it? Unless people start using IPv6, the usage will not become any higher...
    I was speaking of ISPs' use of IPv6 when I cited only 1%. Users whose ISPs have not implemented it yet won't be able to use it.
    I for one would like to perform some testing from my home environment, and if the Airport Express is not able to function as an IPv6 router, I will need to replace it with a device that works.
    Again, as far as I know it does, but in order to use it in your home environment, won't your ISP have to have implemented it natively as well (I know you said they did).
    Btw, I have been using the Airport Express in tunnel mode, which seems to work just fine (but has very bad performance, due to the 6to4 tunneling).
    So perhaps your ISP only provides 6to4 tunneling when they said they implemented it. I know that has occurred in some Comcast areas. Perhaps a call to your ISP for some details is in order.

  • Connect SQL Server 2012 from Windows Server 2003 with native client 9.0

    Hi,
    I currently have a setup where the ETL tool Ab Initio, running on a Linux server, connects to SQL Server 2005 through a pass-through Wintel server with the Windows Server 2003 OS using SQL Server Native Client 9.0.
    Now I have the requirement to upgrade the SQL server from 2005 to 2012.
    My question is, will it be possible to connect to SQL server 2012 through Windows Server 2003 with native client 9.0?
    As per the specs, I need Native Client 11.0+ to fully support SQL Server 2012, but then, as per the specs, Native Client 11.0 does not run on Windows Server 2003. An OS upgrade is currently not on the cards.
    So will it be possible to run the basic queries we use currently, if we can connect to SQL Server 2012 through Windows Server 2003 with Native Client 9.0/10.0, without upgrading the OS of the Wintel server?
    Thanking you in advance! 

    Hi Soumya,
    Yes, you can use the SQL Server Native Client shipped with SQL Server 2005 to connect to a SQL Server 2012 instance, and there is no need to upgrade the operating system.
    Regards,
    Mike Yin
    TechNet Community Support

  • RE: Native Forte Clients with Express Services

    I would be very interested in hearing from anyone using Express who may
    have attempted using Native Forte Clients with Express Services, especially
    what problems/issues (if any) you encountered and whether you found it to
    be a successful way to develop complex screens where the 'look and feel'
    can't be achieved with Express alone.

    I wrote a general-purpose windows framework which uses Express Services for its
    database access. Had I known what I was letting myself in for, I probably
    wouldn't have attempted it! I started it when Express V1 was fairly new, and
    Express Windows did not support the types and complexity of relationships
    required by the application we were developing. I soon discovered how
    difficult it is to implement a completely general framework which handles every
    possible permutation. Obviously I ended up making compromises, but what we
    have now meets our needs very well. We are about to upgrade to Express V2, so
    the real test will be whether the framework migrates smoothly to the new
    release.
    If I were starting a new project now with Express V2, I don't know if I would
    go down the same path. If you do, be aware of the following (based on my
    experience of Express V1):
    * Your design MUST obey the fundamental rules of Express Services. Your
    BusinessQueries must be fired off by the correct BusinessClient subclass,
    your BusinessClass attributes must be logged at the right time (depending
    on which concurrency scheme you are using), and you must start and end
    Express transactions (different to Forte transactions) appropriately.
    * Your design needs to take into account the difference in the way Express
    Services handles aggregate and non-aggregate associations.
    * If you manage parent-child class relationships from your windows, you must
    make sure you set and log foreign key attributes at the right time. If
    the relationship is not aggregation, you must also manage the order in
    which the records are saved to the database (if you use referential
    integrity constraints).
    * If you call Express Services directly from the windows, it is hard to
    reconcile the asynchronous nature of a windows interface with the
    database's requirement for things to happen in a certain order. (From
    memory, there was a very good discussion in this user group last year of
    what should constitute a unit of work in the windows paradigm.) If I
    were doing it again, I would move all the Express-related objects and
    method calls from the windows to a separate layer, which would manage
    putting together the data from multiple windows, assigning foreign keys
    and firing things off in the right order.
    Fiona Symon
    Babylon Software Pty Ltd

    Hello Kevin,
    Normally, it has been corrected from the last public release 2.
    Hope this helps.
    Daniel Nguyen
    Kevin Klein wrote:
    >
    We had a similar problem. We reported the problem to Forte technical
    support and they determined that it is a bug. I don't know if this has been
    fixed in the 3.0.F release.
    The Stopwatch seems to be accurate for long (several second) intervals, but
    it can't be trusted for measuring short intervals.
    Kevin Klein
    Millennium Partners, Inc.
    -----Original Message-----
    From: [email protected] <[email protected]>
    To: [email protected] <[email protected]>
    Date: Tuesday, December 30, 1997 1:40 PM
    Subject: The Forte Stopwatch
    All,
    At our site we are using Windows NT 4.0 clients and a Windows NT
    Server with Forte 3.0.E.0.
    Periodically, we use the Forte StopWatch class to measure durations for
    access to data. We've noticed
    a strange phenomenon, and we're not sure if it's simply circumstance or if
    there's a problem. All of the
    measured durations that we receive through the Split method appear to
    contain either a 0 or a 9 in the
    tenth-of-a-second position. For example, values of 1011 and 1912. Has
    anybody noticed this?
    Thank you,
    Keith
    Name: Kevin Klein.vcf
    Part 1.2 Type: text/x-vcard
    Encoding: 7bit

  • DirectAccess Force Tunneling via proxy server (TMG)

    Hello
    I am looking to enable Force Tunneling for DirectAccess. All web traffic would then go via the TMG proxy. This is all fine, but in the past this was once configured and it stopped IMAP from working.
    The question is, would forced tunneling only send http/https traffic to the proxy by design and all other traffic directly out? Other traffic does traverse the proxy when internal to the LAN, but I am sure DA treats this a little differently in terms of what protocols are forwarded - is this correct?
    If this is the case then I am assuming the firewall infrastructure is stopping IMAP?
    Thanks

    Hi there - it is a strong recommendation even in Microsoft deployments not to use Force Tunnelling unless you really have to. Using Force Tunnelling will always revert to IP-HTTPS, which is still technically the slowest of the transition technologies. This means DirectAccess clients use only IP-HTTPS to obtain IPv6 connectivity to the DirectAccess servers over the IPv4 Internet. IP-HTTPS has much higher overheads than IPv6, 6to4 or Teredo. Also your proxy server will handle every request and consume plenty of bandwidth, and you cannot put NRPT exemptions in force tunnelling as all traffic has to come through the tunnel. There is also the small issue of captive portals. There are more things to list but the above should be enough to start an argument on why not to do it !!
    You could implement a split tunnel with an enforced web proxy (seeing as you have TMG) as per the guide / recommendations by Shannon Fritz below (which works well in reality).
    http://www.concurrency.com/infrastructure/web-filtering-for-directaccess-users-55/
    Kr
    John Davies

  • Asa 5505 vpn from internet native vpn client, tcp discarted 1723

    Hello to all,
    I'm configuring this ASA to connect home users to my network using the native Microsoft VPN clients on Windows XP over the Internet.
    This ASA has one public Internet IP on the outside interface, and the inside interface is configured on the 192.168.0.x network; I want users on the Internet to access this network using the native VPN clients.
    I tested with one PC connected directly to the outside interface and it works well, but when I connect this interface to the Internet and try to connect a user to the VPN, I see this in the logs and can't connect (error 800):
    TCP request discarded from "public_ip_client/61648" to "outside:publicip_outside_interface/1723"
    Can you help me please? Many thanks in advance!
    (running configuration)
    : Saved
    ASA Version 8.4(3)
    hostname ciscoasa
    enable password *** encrypted
    passwd *** encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.0.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address publicinternetaddress 255.255.255.0
    ftp mode passive
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network gatewayono
    host gatewayofinternetprovideraccess
    description salida gateway ono
    object service remotointerno
    service tcp destination eq 3389
    description remoto
    object network pb_clienteing_2
    host 192.168.0.15
    description Pebble cliente ingesta 2
    object service remotoexternopebble
    service tcp destination eq 5353
    description remotoexterno
    object network actusmon
    host 192.168.0.174
    description Actus monitor web
    object service Web
    service tcp destination eq www
    description 80
    object network irdeto
    host 192.168.0.31
    description Irdeto
    object network nmx_mc_p
    host 192.168.0.60
    description NMX Multicanal Principal
    object network nmx_mc_r
    host 192.168.0.61
    description NMX multicanal reserva
    object network tarsys
    host 192.168.0.10
    description Tarsys
    object network nmx_teuve
    host 192.168.0.30
    description nmx cabecera teuve
    object network tektronix
    host 192.168.0.20
    description tektronix vnc
    object service vnc
    service tcp destination eq 5900
    description Acceso vnc
    object service exvncnmxmcr
    service tcp destination eq 5757
    description Acceso vnc externo nmx mc ppal
    object service exvncirdeto
    service tcp destination eq 6531
    description Acceso vnc externo irdeto
    object service exvncnmxmcp
    service tcp destination eq 5656
    object service exvnctektronix
    service tcp destination eq 6565
    object service exvncnmxteuve
    service tcp destination eq 6530
    object service ssh
    service tcp destination eq ssh
    object service sshtedialexterno
    service tcp destination eq 5454
    object-group service puertosabiertos tcp
    description remotedesktop
    port-object eq 3389
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group network DM_INLINE_NETWORK_1
    network-object object irdeto
    network-object object nmx_mc_p
    network-object object nmx_mc_r
    network-object object nmx_teuve
    network-object object tektronix
    object-group service vpn udp
    port-object eq 1723
    object-group service DM_INLINE_TCP_1 tcp
    port-object eq https
    port-object eq pptp
    object-group network DM_INLINE_NETWORK_2
    network-object object actusmon
    network-object object tarsys
    access-list inside_access_in extended permit object remotointerno any any
    access-list inside_access_in extended permit object ssh any any
    access-list inside_access_in extended permit object-group TCPUDP any any eq www
    access-list inside_access_in extended permit icmp any any
    access-list inside_access_in extended permit object vnc any any
    access-list inside_access_in extended permit ip any any
    access-list outside_access_in extended permit object remotointerno any object pb_clienteing_2
    access-list outside_access_in extended permit object-group TCPUDP any object actusmon eq www
    access-list outside_access_in remark Acceso tedial ssh
    access-list outside_access_in extended permit tcp any object tarsys eq ssh
    access-list outside_access_in extended permit object vnc any object-group DM_INLINE_NETWORK_1
    access-list outside_access_in extended permit tcp any any object-group DM_INLINE_TCP_1
    access-list outside_access_in extended deny icmp any any
    access-list corporativa standard permit 192.168.0.0 255.255.255.0
    access-list Split-Tunnel-ACL standard permit 192.168.0.0 255.255.255.0
    pager lines 24
    logging enable
    logging monitor debugging
    logging asdm debugging
    logging debug-trace
    mtu inside 1500
    mtu outside 1500
    ip local pool clientesvpn 192.168.0.100-192.168.0.110 mask 255.255.255.0
    ip local pool clientesvpn2 192.168.1.120-192.168.1.130 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any outside
    no asdm history enable
    arp timeout 14400
    nat (outside,inside) source static any interface destination static interface actusmon service Web Web unidirectional
    nat (outside,inside) source static any interface destination static interface tarsys service sshtedialexterno ssh unidirectional
    nat (outside,inside) source static any interface destination static interface pb_clienteing_2 service remotoexternopebble remotointerno unidirectional
    nat (outside,inside) source static any interface destination static interface irdeto service exvncirdeto vnc unidirectional
    nat (outside,inside) source static any interface destination static interface nmx_mc_p service exvncnmxmcp vnc unidirectional
    nat (outside,inside) source static any interface destination static interface nmx_mc_r service exvncnmxmcr vnc unidirectional
    nat (outside,inside) source static any interface destination static interface nmx_teuve service exvncnmxteuve vnc unidirectional
    nat (outside,inside) source static any interface destination static interface tektronix service exvnctektronix vnc unidirectional
    nat (any,outside) source dynamic DM_INLINE_NETWORK_2 interface
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside per-user-override
    route outside 0.0.0.0 0.0.0.0 gatewayinternetprovideracces 1
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    eou allow none
    aaa local authentication attempts max-fail 10
    http server enable
    http 192.168.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    no sysopt connection permit-vpn
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set clientewindowsxp esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set clientewindowsxp mode transport
    crypto ipsec ikev1 transform-set L2TP-IKE1-Transform-Set esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set L2TP-IKE1-Transform-Set mode transport
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set ikev1 transform-set clientewindowsxp
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto dynamic-map L2TP-MAP 10 set ikev1 transform-set L2TP-IKE1-Transform-Set
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map L2TP-VPN-MAP 20 ipsec-isakmp dynamic L2TP-MAP
    crypto map L2TP-VPN-MAP interface outside
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside client-services port 443
    crypto ikev2 remote-access trustpoint Ingenieria
    crypto ikev1 enable inside
    crypto ikev1 enable outside
    crypto ikev1 policy 5
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 10
    authentication crack
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 50
    authentication rsa-sig
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 70
    authentication crack
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 110
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    telnet 192.168.0.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd dns 8.8.8.8
    dhcpd auto_config outside
    dhcpd address 192.168.0.5-192.168.0.36 inside
    dhcpd dns 8.8.8.8 8.8.4.4 interface inside
    dhcpd auto_config outside interface inside
    dhcpd enable inside
    no threat-detection basic-threat
    no threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl trust-point Ingenieria outside
    webvpn
    tunnel-group-list enable
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    wins-server none
    dns-server value 192.168.0.1
    vpn-tunnel-protocol l2tp-ipsec
    default-domain none
    group-policy DfltGrpPolicy attributes
    dns-server value 8.8.8.8
    vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
    group-policy ingenieria internal
    group-policy ingenieria attributes
    vpn-tunnel-protocol l2tp-ipsec
    default-domain none
    group-policy L2TP-Policy internal
    group-policy L2TP-Policy attributes
    dns-server value 8.8.8.8
    vpn-tunnel-protocol l2tp-ipsec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Split-Tunnel-ACL
    intercept-dhcp enable
    username ingenieria password 4fD/5xY/6BwlkjGqMZbnKw== nt-encrypted privilege 0
    username ingenieria attributes
    vpn-group-policy ingenieria
    username rjuve password SjBNOLNgSkUi5KWk/TUsTQ== nt-encrypted
    tunnel-group DefaultRAGroup general-attributes
    address-pool clientesvpn
    address-pool clientesvpn2
    authentication-server-group (outside) LOCAL
    authorization-server-group LOCAL
    default-group-policy L2TP-Policy
    authorization-required
    tunnel-group DefaultRAGroup ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group DefaultRAGroup ppp-attributes
    no authentication chap
    authentication ms-chap-v2
    class-map inspection_default
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    prompt hostname context
    call-home reporting anonymous
    Cryptochecksum:59b54f1d10fe829aeb47bafee57ba95e
    : end
    no asdm history enable

    Yes, this command creates this:
    policy-map global_policy
        class inspection_default
         inspect pptp
    But it doesn't work. I also tried to add PPTP and GRE in the outside access rules, but nothing...
    I don't understand why, if I connect directly to the outside interface from the same outside network, it works well.
    e.g. the PC has the IP 89.120.145.14 and the outside of the ASA has 89.120.145.140; if I create a VPN on this PC to the outside IP 89.120.145.140 with the correct parameters, the ASA doesn't discard 1723 and it connects OK, but if this IP is not in this range it discards 1723...

  • Directaccess - IPHTTPS error 0x80190194, Server 2012R2 / Win 8.1

    I'm trying to set up DirectAccess for our network. I already have a server in our edge network with the Remote Access role installed for the Web Application Proxy service, so I added the DirectAccess role service to that. According to the documentation, if both are a single-server implementation it is supported to run both of those on the same server.
    I configured DirectAccess and added a Win8.1 client to the DA security group to test it. I confirmed that on the internal network, the client is able to connect to the NLS and DA shows that it is connected to the local network. However, when on an outside network, DA just says it's trying to connect, and never does. I ran the log collection tool from the DA connection settings and found that the IPHTTPS connection shows an error code 0x80190194.
    I've searched for info on this, but so far I'm not finding anything that seems to fit my situation. The responses to others with this error seem to point to a certificate issue. In my case, I'm using a wildcard certificate for our public domain name. The cert is signed by a major public CA, so there shouldn't be any trust issues. The external DNS name that DA should connect to is RAS.domain.com and the certificate is for *.domain.com.
    Any suggestions on what the problem could be, or what to look at next for troubleshooting the issue, would be appreciated.
    Thanks!

    Thank you for the reply.  I ran netsh http show ssl, and the first entry returned is:
    SSL Certificate bindings:
        IP:port                      : 0.0.0.0:443
        Certificate Hash             : 1414baa1409b2c8ffd8c2d549f460db4bcf8130f
        Application ID               : {f955c070-e044-456c-ac00-e9e4275b3f04}
        Certificate Store Name       : MY
        Verify Client Certificate Revocation : Enabled
        Verify Revocation Using Cached Client Certificate Only : Disabled
        Usage Check                  : Enabled
        Revocation Freshness Time    : 0
        URL Retrieval Timeout        : 0
        Ctl Identifier               : (null)
        Ctl Store Name               : (null)
        DS Mapper Usage              : Disabled
        Negotiate Client Certificate : Disabled
    That is followed by several entries for addresses related to our Lync and ADFS servers, published through Web Application Proxy. All of those have the same certificate hash listed, which makes sense since I am using the same wildcard certificate for WAP and DA.
    I did find a post or two indicating that the DS Mapper Usage may need to be set to enabled, so I tried that last week but it didn't seem to make any difference.
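    As an added example (not part of this thread, and not DirectAccess or Microsoft code): Windows error codes of the form 0x8019xxxx are HRESULTs whose facility (0x19) marks the low 16 bits as an HTTP status, so the IP-HTTPS code quoted above decodes to HTTP 404, and the `netsh http show ssl` output can be parsed to confirm which certificate is bound on 0.0.0.0:443. The sample text below is constructed from the output quoted in the thread.

```python
import re

# Constructed sample: the first binding of `netsh http show ssl` as quoted above.
NETSH_SAMPLE = """SSL Certificate bindings:
    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 1414baa1409b2c8ffd8c2d549f460db4bcf8130f
    Application ID               : {f955c070-e044-456c-ac00-e9e4275b3f04}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Enabled
    DS Mapper Usage              : Disabled
"""

FACILITY_HTTP = 0x19  # HRESULT facility 25: the low 16 bits carry an HTTP status code

def hresult_to_http_status(hresult):
    """Return the HTTP status encoded in a failure HRESULT of facility 0x19, else None."""
    is_failure = bool(hresult & 0x80000000)   # severity bit set on error HRESULTs
    facility = (hresult >> 16) & 0x7FF        # 11-bit facility field
    if not is_failure or facility != FACILITY_HTTP:
        return None
    return hresult & 0xFFFF                   # 0x80190194 -> 404 (Not Found)

def parse_ssl_bindings(text):
    """Parse `netsh http show ssl` output into one dict per IP:port binding."""
    bindings, current = [], None
    for line in text.splitlines():
        # Keys may themselves contain ':' (e.g. "IP:port"), so split on the padded " : ".
        m = re.match(r"\s*(.+?)\s+:\s+(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "IP:port":
            current = {}
            bindings.append(current)
        if current is not None:
            current[key] = value
    return bindings

def binding_for_port(text, port=443):
    """Return the wildcard binding on 0.0.0.0:<port>, i.e. the cert the HTTPS listener presents."""
    for b in parse_ssl_bindings(text):
        if b.get("IP:port") == "0.0.0.0:%d" % port:
            return b
    return None
```

A 404 means the server answered the HTTPS request but not with the IP-HTTPS endpoint, which points at the listener or URL rather than at certificate trust.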

  • Not able to form EoIP tunnel with anchor WLC

    Hi all,
    I have a WLC at a remote site that is supposed to form an EoIP tunnel with 2 anchor WLCs located at a data center. From the site WLC and the anchor WLCs, the mobility show UP on both ends. Also I can ping to the mobility peers from each end. However, when I look into the client details on the remote site WLC, there is no Mobility Anchor IP address, which tells me that the EoIP tunnel between the site and anchor controller is not forming for some reason. Any idea what I could be missing?
    (WOHW-WC01) >show client detail 0c:3e:9f:ab:db:ed
    Client MAC Address............................... 0c:3e:9f:ab:db:ed
    Client Username ................................. N/A
    AP MAC Address................................... 0c:68:03:b9:44:70
    AP Name.......................................... WOHW-LAP016
    Client State..................................... Associated
    Client NAC OOB State............................. Access
    Wireless LAN Id.................................. 66
    Hotspot (802.11u)................................ Not Supported
    BSSID............................................ 0c:68:03:b9:44:72
    Connected For ................................... 1469 secs
    Channel.......................................... 6
    IP Address....................................... Unknown
    Gateway Address.................................. Unknown
    Netmask.......................................... Unknown
    IPv6 Address..................................... fe80::1c1a:e07c:dd48:bc7e
    Association Id................................... 3
    Authentication Algorithm......................... Open System
    Reason Code...................................... 1
    Status Code...................................... 0
    Session Timeout.................................. 0
    Client CCX version............................... No CCX support
    QoS Level........................................ Bronze
    802.1P Priority Tag.............................. disabled
    CTS Security Group Tag........................... Not Applicable
    KTS CAC Capability............................... No
    WMM Support...................................... Enabled
      APSD ACs.......................................  BK  BE  VI  VO
    Power Save....................................... ON
    Current Rate..................................... m7
    Supported Rates.................................. 9.0,12.0,18.0,24.0,36.0,48.0,
        ............................................. 54.0
    Mobility State................................... None
    Mobility Move Count.............................. 0
    Security Policy Completed........................ No
    Policy Manager State............................. STATICIP_NOL3SEC
    >>> No Mobility peer IP address <<<<
    (WOHW-WC01) >show mobility anchor wlan 66
    Mobility Anchor Export List
     WLAN ID     IP Address            Status
     66          137.183.242.149       Up                              
     66          137.183.242.150       Up                              
    (WOHW-WC01) >show mobility sum           
    Mobility Architecture ........................... Flat
    Mobility Protocol Port........................... 16666
    Default Mobility Domain.......................... WOHW_ENT1
    Multicast Mode .................................. Disabled
    Mobility Domain ID for 802.11r................... 0x9cbf
    Mobility Keepalive Interval...................... 10
    Mobility Keepalive Count......................... 3
    Mobility Group Members Configured................ 3
    Mobility Control Message DSCP Value.............. 0
    Controllers configured in the Mobility Group
     MAC Address        IP Address       Group Name                        Multicast IP     Status
     bc:16:65:f9:18:60  137.183.242.150  CIN_GUEST1                        0.0.0.0          Up
     e0:2f:6d:7c:42:20  143.27.201.52    WOHW_ENT1                         0.0.0.0          Up
     f8:72:ea:ee:a0:00  137.183.242.149  CIN_GUEST1                        0.0.0.0          Up

    It works now. I changed the NAC state to "Radius-NAC". Now the mobility hand-off is occurring. 
    (WOHW-WC01) >show wlan 66 
    WLAN Identifier.................................. 66
    Profile Name..................................... PGGuest
    Network Name (SSID).............................. PGGuest
    Status........................................... Enabled
    MAC Filtering.................................... Enabled
    Broadcast SSID................................... Enabled
    AAA Policy Override.............................. Enabled
    Network Admission Control
      Client Profiling Status ....................... Disabled
       DHCP ......................................... Disabled
       HTTP ......................................... Disabled
      Radius-NAC State............................... Enabled

  • ASA Smart Tunnel with OS X 10.7

    Hello,
       I've recently configured SSL VPN on an ASA failover pair running 8.4(2). The smart tunnel policy allows RDP clients (native MS client on Windows, MS Client and CoRD on Mac). Early testing looked good for both Windows and Mac. But then I had a mac user who reported that the "Application Access" button did not display in the navigation pane, and hence they can't get to where to launch Mac smart tunnel applications. The difference between those that worked and the one that doesn't is OS X v10.6 (works), OS X v10.7 (doesn't work).
       Doing a little research, I found that JRE isn't installed by default in OS X 10.7, and I found the following link:
    http://support.apple.com/kb/DL1421. After installation, and verifying that "enable applet plug-in and Web Start applications" was checked and trying again, the same results. "Application Access" is missing from the navigation bar, and hence smart tunnel apps can't be launched.
       Does anyone have an idea on what could be going wrong here?
    Thanks!
    Kurt

    Kurt,
    I just found your thread here.
    Which browser are you using on the Mac?
    I have found that with Mac OS 10.7 (lion) there are issues with the smart tunnel applet with Safari and Chrome
    However, it works as expected with Firefox.
    I actually get a Safari Web Content crash report when I try to connect with Safari.
    I have been monitoring this since 10.7 was released, I haven't opened a ticket with TAC because it appeared to be an Apple / Safari issue since the applet works with Firefox.
    I installed the latest Java update for 10.7 today and there was no change in behavior.
    I guess it's time to open a TAC ticket.

  • IPS and native IPv6

    I would like to know what IDS/IPS feature or appliance is compatible with a native IPv6 network.
    Thanks in advance for your help.

    The Cisco IPS has the atomic IPv6 engine which is currently limited to about 7 signatures.
    Cisco IPS is also able to monitor IPv4 packets tunneled inside of IPv6 packets.
    So with current versions the support of native IPv6 monitoring is limited.
    You would need to contact your Cisco Sales Representative for any information about future IPS versions and support for IPv6.

  • How do I configure ISP native IPv6 connectivity?

    Hi!
    I'm a network engineer for SECOM, an ISP in Southeastern Colorado. We will be making native IPv6 connectivity available to residential subscribers soon, and I've been tasked with verifying support for our IPv6 platform on home router products.
    I have an AirPort Extreme purchased new in November of '09 that is running version 7.5.1, which I believe is completely current.
    Under the IPv6 tab in my Advanced settings, I have the following configuration:
    IPv6 Mode: Router
    Block incoming IPv6 connections: NOT checked
    Configure IPv6: Manually
    WAN IPv6 Address: fdXX:XXXX:XXXX:a000::2
    WAN IPv6 Prefix Length: 64
    IPv6 Default Route: fdXX:XXXX:XXXX:a000::1
    LAN IPv6 Address: fdXX:XXXX:XXXX:c000::1
    (As you can see, I'm using ULAs for testing purposes, and I've replaced the global bits with X's for security.)
    The problem is, if I plug a host into one of the LAN ports and assign it an address from the same /64 subnet (e.g. fdXX:XXXX:XXXX:c000::2), the host can't ping the Airport's assigned LAN address.
    It can ping:
    * the Airport's link-local IPv6 address, and
    * the Airport's IPv4 192.168.x.x address
    Also (and I'm gratified that this part is working), my CE router can ping the Airport's WAN IPv6 address!
    So my question is, is there something in the IPv6 configuration I'm misunderstanding? Has anyone else gotten native statically-configured IPv6 working on the AirPort Extreme?
    Thanks very much in advance,
    John E. / SECOM
    P.S. - I have verified with a packet capture that the AirPort Extreme is not responding at all for the configured LAN IPv6 address; i.e., the ICMPv6 neighbor solicitation goes unanswered.
    P.P.S. - I have tried a Windows 7 host, a Windows XP host, and an IPv6-certified multitester from JDSU. All exhibit the same symptoms.
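    As an added example (not part of this thread, and not Apple code): the capture described in the P.S. should show a Neighbor Solicitation for the AirPort's LAN address sent to that address's solicited-node multicast group, answered by a Neighbor Advertisement; the Python below computes those values for an on-link target and notes that an off-link target is never resolved by NS. The fd12:3456:789a:c000::/64 prefix is constructed and stands in for the poster's masked ULA.

```python
import ipaddress

# Constructed ULA prefix standing in for the poster's fdXX:XXXX:XXXX:c000::/64 (not the real one).
LAN_PREFIX_LEN = 64
AIRPORT_LAN = "fd12:3456:789a:c000::1"
HOST_LAN = "fd12:3456:789a:c000::2"

SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))

def solicited_node_multicast(addr):
    """RFC 4291 solicited-node group for addr: ff02::1:ffXX:XXXX, where XX:XXXX are its low 24 bits."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24))

def on_link(src, dst, prefix_len):
    """True when dst shares src's on-link prefix, so src resolves dst directly via NS/NA."""
    net = ipaddress.IPv6Interface("%s/%d" % (src, prefix_len)).network
    return ipaddress.IPv6Address(dst) in net

def expected_neighbor_solicitation(src, target, prefix_len):
    """Describe the ND exchange a capture should show when src first pings target.

    An off-link target is not resolved by NS at all; the host resolves its default
    router instead, so only the on-link case yields an NS for the target itself.
    """
    if not on_link(src, target, prefix_len):
        return {"on_link": False, "ns_target": None, "ns_destination": None}
    return {
        "on_link": True,
        "ns_target": target,                                 # ICMPv6 type 135 target field
        "ns_destination": solicited_node_multicast(target),  # ff02::1:ff00:1 for ...::1
        "expected_reply": "ICMPv6 type 136 Neighbor Advertisement from %s" % target,
    }
```

Filtering the capture on the computed ns_destination shows whether the solicitation reaches the wire and whether the advertisement ever comes back.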

    I have followed your instructions to connect to my ISP, and it shows the following message:
    Serial connection established.
    using interface sppp0
    connect: sppp0 <--> /dev/ttya
    local IP address xxxxxxxx
    remote IP address 1.1.1.1
    But when I ping www.sun.com, it shows:
    www.sun.com unknown.
    I started Mozilla and it said www.sun.com not found, etc...
    What has gone wrong?
    Do I have to configure some files such as:
    /etc/resolv.conf
    /etc/hosts
    /etc/hostname ?
    or any other steps that can help me to connect to the internet?
    Thanks...
