GRE Tunnel/NAT with multiple subnets and interfaces

So, I am not sure if we are trying to accomplish too many things at once and what we are attempting to do is not possible or if we are missing something in our configurations...
Here is the situation...
We are migrating some equipment between datacenters.  The equipment only has a /27 worth of IP space assigned to it, so we cannot simply "move" the IP space to the new datacenter.  Further, because we have several VPNs terminated in the old IP space that originate from devices we do not directly control and are essential in continuing to provide service, it was/is difficult to magically update some DNS entries and change IP addresses overnight.  The last twist in this puzzle is that at the new datacenter we will be deploying some new equipment that will be in a separate subnet (with a separate Windows AD structure) but sharing the new public IP space we have in the new datacenter.
We thought using a GRE tunnel, some trunks, and a bunch of NATs would make the whole process easy, and we tested it in a lab and everything SEEMED to work.  However, when we performed the move we ran into an odd issue that we were unable to figure out, and we had to go back to a failsafe configuration that has the essentials up and running, but the environment is not running in an ideal way for us to gradually transition as we would like.
Essentially what we had/have and how it was configured is as follows:
Site A
Edge Router - x.x.x.x /24 BGP announcement
x.x.x.y/27 that is within the /24 that we need at site b
GRE tunnel configuration
interface Tunnel0
  ip address 10.x.x.1 255.255.255.252
  tunnel source <router edge IP>
  tunnel destination <site b router edge ip>
  keepalive 10 3
Static route for the Site A public /27 to bring it to Site B via the GRE tunnel:
ip route x.x.x.y 255.255.255.224 10.x.x.2
Site B
Edge Router - y.y.y.y /24 BGP announcement
Similar GRE tunnel configuration (the tunnel comes up and works, so I don't think the issue is here)
2 Vlans (1 for site a ip space, 1 for site b ip space)
interface Vlan50
  ip address x.x.x.1 255.255.255.224
interface Vlan51
  ip address y.y.y.129 255.255.255.128
Trunk port for the VLANs going down to an ASA
interface GigabitEthernet1/1
  switchport trunk encapsulation dot1q
  switchport mode trunk
  switchport trunk native vlan 51
  switchport trunk allowed vlan 50,51
Then on the ASA, I have 2 physical interfaces for 4 logical interfaces (outside, outsideold, inside, insideold)
interface Ethernet0/0
  nameif outside
  security-level 0
  ip address y.y.y.130 255.255.255.128
interface Ethernet0/0.50
  nameif outsideold
  security-level 0
  ip address x.x.x.2 255.255.255.224
  vlan 51
interface Ethernet0/1
  nameif inside
  security-level 100
  ip address 192.168.y.1 255.255.255.0
interface Ethernet0/1.60
  nameif insideold
  security-level 100
  ip address 192.168.x.1 255.255.255.0
  vlan 60
A static route using the new ip space on the native outside interface...
route outside 0.0.0.0 0.0.0.0 y.y.y.129
And then I have some NAT rules, which is where I think things go a little haywire...
object network obj-y.y.y.0-24
  subnet y.y.y.0 255.255.255.0
  nat (inside,outside) dynamic interface
object network obj-x.x.x.0-24
  subnet x.x.x.0 255.255.255.0
  nat (insideold,outside) dynamic interface
object network obj-y.y.y.135-160
  range y.y.y.135 y.y.y.160
object network obj-192.168.y.135-160
  range 192.168.y.135 192.168.y.160
  nat (inside,outside) static obj-y.y.y.135-160
object network obj-x.x.x.10-20
  range x.x.x.10 x.x.x.20
object network obj-192.168.x.10-20
  range 192.168.x.10 192.168.x.20
  nat (insideold,outsideold) static obj-x.x.x.10-20
From some debugging and looking at packet-tracer, I found out I had left out the below, which was needed to properly NAT traffic as it leaves the outside interface (when the default route sends the traffic there):
object network obj-192.168.x.10-20-2
  range 192.168.x.10 192.168.x.20
  nat (insideold,outside) static obj-x.x.x.10-20
There are / were a bunch of other NAT exemptions for the VPNs and specific external routes to ensure all VPN traffic exited the "outsideold" interface, which is where all the existing tunnels were terminated.
Everything appeared to be working great, as all the VPN tunnels came up perfectly as expected and traffic appeared to be flowing, except for some of the most important traffic.  The following was what was observed:
1.  Any traffic using the dynamic NAT (i.e. a machine with IP x.x.x.200 or y.y.y.20) would connect to the internet perfectly and work fine using the "new interface IP".
2.  Any traffic in the "new range" using a one-to-one NAT worked perfectly (i.e. y.y.y.140).  Internet would work etc., NAT translation would properly occur, and everything could connect fine as expected.
3.  ICMP packets to the "old IP range" flowed perfectly fine to a one-to-one NAT IP (i.e. I could ping x.x.x.20 from outside), and likewise I could ping anywhere on the internet from a machine with a static NATted IP.
4.  Here's the but: no traffic other than ICMP would reach these machines with static IPs.  Same range, same subnet as the ones using the dynamic port translation that worked perfectly.  I do not understand why this was / is the case, and this is what I am seeking a solution to.  I have attempted the following troubleshooting steps without success:
A. Confirmed MTU size was not an issue with the GRE tunnel, by two methods: (1) plugging into the edge router and using the "outsideold" IP space works perfectly, and (2) if I assign the outsideold IP space to the "outside" interface, everything NATs fine.
B. Ran packet-tracer; all results show "allow", as if I should be seeing the packets.
C. Confirmed the local Windows machine firewall was off and not blocking anything.
D. Reviewed logs and observed SYN timeouts and TCP teardowns, as if the firewall is not getting a response, and this is where I am stumped.  There is no path around the firewall, so asymmetric routing should not be an issue, and if that was the problem it should not work when the "outsideold" IP space is assigned and NATted from the "outside" interface, but it does.  Packet-tracer shows proper NAT translations occurring, and there is definitely proper routing along the path for stuff to return to the network or ICMP would not work (i.e. I can ping www.google.com but not open the web page).
So what simple piece of the NAT configuration am I overlooking?  I cannot possibly wrap my head around it being anything else.
Any suggestions / lessons would be greatly appreciated.
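One thing worth checking in the interface stanzas above before chasing NAT: the switch trunk tags VLAN 50 and uses 51 as its native VLAN, while the ASA subinterface Ethernet0/0.50 reads `vlan 51`. A subinterface tagged with the trunk's native VLAN never receives those frames (they arrive untagged, on the physical interface), and VLAN 50 would then have no ASA interface at all. Whether that is a transcription slip in the post or the live configuration, it is the kind of mismatch a small linter catches. The script below is an added example, not code from the post or from Cisco; it assumes the configuration has been normalised to full IOS/ASA keywords as shown above, and uses RFC 5737 documentation addresses in place of the post's x.x.x / y.y.y placeholders.

```python
"""Check that an ASA's dot1q subinterfaces line up with the upstream switch trunk.

Added example, not part of the original post. The two snippets below are
constructed from the post's own interface stanzas, with abbreviations expanded
and documentation addresses substituted for the placeholders.
"""
import re

SWITCH_TRUNK = """\
interface GigabitEthernet1/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 51
 switchport trunk allowed vlan 50,51
"""

ASA_INTERFACES = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.130 255.255.255.128
interface Ethernet0/0.50
 nameif outsideold
 security-level 0
 ip address 203.0.113.2 255.255.255.224
 vlan 51
"""


def expand_vlan_list(spec):
    """'50,51' -> {50, 51}; '10-12,20' -> {10, 11, 12, 20}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_trunk(text):
    """Return (native vlan, allowed vlan set); allowed is None when unrestricted."""
    native, allowed = None, None
    for line in text.splitlines():
        m = re.match(r"\s*switchport trunk native vlan (\d+)$", line)
        if m:
            native = int(m.group(1))
        m = re.match(r"\s*switchport trunk allowed vlan (?:add )?([\d,\-]+)$", line)
        if m:
            allowed = (allowed or set()) | expand_vlan_list(m.group(1))
    return native, allowed


def parse_asa_subinterfaces(text):
    """{subinterface name: {'nameif': ..., 'vlan': tag}} for each dot1q subinterface."""
    subs, current = {}, None
    for line in text.splitlines():
        m = re.match(r"interface (\S+\.\d+)$", line)
        if m:
            current = m.group(1)
            subs[current] = {"nameif": None, "vlan": None}
            continue
        if line.startswith("interface "):
            current = None  # physical interface: untagged traffic lands here
            continue
        if current:
            m = re.match(r"\s*nameif (\S+)", line)
            if m:
                subs[current]["nameif"] = m.group(1)
            m = re.match(r"\s*vlan (\d+)", line)
            if m:
                subs[current]["vlan"] = int(m.group(1))
    return subs


def check(trunk_text, asa_text):
    """Return a list of human-readable findings; empty means trunk and ASA agree."""
    native, allowed = parse_trunk(trunk_text)
    subs = parse_asa_subinterfaces(asa_text)
    findings, tagged_on_asa = [], set()
    for name, s in subs.items():
        tag = s["vlan"]
        if tag is None:
            findings.append(f"{name} ({s['nameif']}): no 'vlan' tag configured")
            continue
        tagged_on_asa.add(tag)
        if tag == native:
            findings.append(f"{name} ({s['nameif']}): tagged VLAN {tag} is the trunk's "
                            "native VLAN, which arrives untagged on the physical interface")
        if allowed is not None and tag not in allowed:
            findings.append(f"{name} ({s['nameif']}): VLAN {tag} is not allowed on the trunk")
    if allowed is not None:
        for v in sorted(allowed - {native} - tagged_on_asa):
            findings.append(f"VLAN {v} is tagged on the trunk but no ASA subinterface carries it")
    return findings


if __name__ == "__main__":
    for finding in check(SWITCH_TRUNK, ASA_INTERFACES):
        print("FINDING:", finding)
```

Run against the post's stanzas it reports two findings: Ethernet0/0.50 is tagged with the native VLAN, and VLAN 50 has no ASA subinterface. If the live box really has `vlan 50` there, the check is clean and the problem lies elsewhere; if not, outsideold is not on the wire the router thinks it is.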

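The symptom list (dynamic PAT works, ICMP to and from the static-NAT hosts works, TCP from those hosts ends in SYN timeouts) fits one hypothesis the post rules out by reasoning rather than by capture. A static-NAT host on insideold is translated to x.x.x.10-20 by the `nat (insideold,outside)` rule and its SYN leaves via `outside`, where the default route points; the reply to an x.x.x.y address, however, comes back from Site A through the GRE tunnel onto VLAN 50, that is, onto `outsideold`. The ASA built the connection on `outside`, so a SYN/ACK arriving on `outsideold` matches no connection and is dropped (syslog 106015, "Deny TCP (no connection) ... flags SYN ACK on interface outsideold"), and the connection ages out with a 302014 "SYN Timeout". ICMP is only stateful on the ASA when `inspect icmp` is enabled, so echo replies landing on `outsideold` can still be admitted by that interface's ACL and the `(insideold,outsideold)` static rule, and putting the old range on `outside` makes both directions use one interface, which fits the tests the post describes. The script below is an added example, not from the post: it correlates those three ASA message types to show, per connection, which interface the connection was built on and which interface the SYN/ACK was refused on. The log lines are constructed, with RFC 5737 addresses standing in for the post's placeholders.

```python
"""Correlate ASA syslogs to show TCP replies arriving on a different interface.

Added example, not code from the post. It parses three standard ASA messages:
302013 (connection built), 302014 (teardown, with reason) and 106015 (packet
denied because it matched no existing connection).
"""
import re

# Constructed sample log. RFC 5737 addresses stand in for the post's placeholders:
# 203.0.113.0/27 is the old range that returns over GRE onto outsideold,
# 198.51.100.128/25 the new range on outside, 192.0.2.0/24 hosts on the Internet.
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 1001 for outside:192.0.2.10/80 (192.0.2.10/80) to insideold:192.168.20.10/51234 (203.0.113.10/51234)
%ASA-6-106015: Deny TCP (no connection) from 192.0.2.10/80 to 203.0.113.10/51234 flags SYN ACK  on interface outsideold
%ASA-6-106015: Deny TCP (no connection) from 192.0.2.10/80 to 203.0.113.10/51234 flags SYN ACK  on interface outsideold
%ASA-6-302014: Teardown TCP connection 1001 for outside:192.0.2.10/80 to insideold:192.168.20.10/51234 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built outbound TCP connection 1002 for outside:192.0.2.20/443 (192.0.2.20/443) to insideold:192.168.20.200/40001 (198.51.100.130/40001)
%ASA-6-302014: Teardown TCP connection 1002 for outside:192.0.2.20/443 to insideold:192.168.20.200/40001 duration 0:00:05 bytes 8831 TCP FINs
"""

# 302013: "for <egress>:<peer>/<port> (<mapped>) to <ingress>:<real>/<port> (<mapped>/<port>)"
BUILT = re.compile(
    r"302013: Built (?:inbound|outbound) TCP connection (?P<id>\d+) for "
    r"(?P<egress>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) \([\d.]+/\d+\) to "
    r"(?P<ingress>[\w-]+):(?P<real>[\d.]+)/(?P<rport>\d+) \((?P<mapped>[\d.]+)/(?P<mport>\d+)\)"
)
# 106015 carries the addresses as seen on the wire, i.e. the mapped address.
DENY = re.compile(
    r"106015: Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?)\s+on interface (?P<iface>[\w-]+)"
)
TEARDOWN = re.compile(
    r"302014: Teardown TCP connection (?P<id>\d+) for .* bytes (?P<bytes>\d+) (?P<reason>.+)$"
)


def analyse(log_text):
    """Map connection id -> dict with the interface the ASA built the connection
    on (egress), the interface(s) a SYN/ACK for its mapped tuple was refused on,
    and the teardown reason and byte count."""
    conns = {}
    by_tuple = {}  # (peer ip, peer port, mapped ip, mapped port) -> connection id
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m:
            conns[m["id"]] = {"egress": m["egress"], "ingress": m["ingress"],
                              "real": m["real"], "mapped": m["mapped"],
                              "synack_on": set(), "reason": None, "bytes": None}
            by_tuple[(m["dst"], m["dport"], m["mapped"], m["mport"])] = m["id"]
            continue
        m = DENY.search(line)
        if m:
            flags = m["flags"].split()
            if "SYN" in flags and "ACK" in flags:
                cid = by_tuple.get((m["src"], m["sport"], m["dst"], m["dport"]))
                if cid is not None:
                    conns[cid]["synack_on"].add(m["iface"])
            continue
        m = TEARDOWN.search(line)
        if m and m["id"] in conns:
            conns[m["id"]]["reason"] = m["reason"].strip()
            conns[m["id"]]["bytes"] = int(m["bytes"])
    return conns


def asymmetric(conns):
    """Ids of connections whose SYN/ACK showed up on an interface other than
    the one the connection was built on: the return path does not match."""
    return sorted(cid for cid, c in conns.items()
                  if c["synack_on"] and c["synack_on"] != {c["egress"]})


if __name__ == "__main__":
    conns = analyse(SAMPLE_LOG)
    for cid in asymmetric(conns):
        c = conns[cid]
        print(f"conn {cid}: {c['real']} -> mapped {c['mapped']} built via {c['egress']}, "
              f"SYN/ACK refused on {','.join(sorted(c['synack_on']))}, torn down: {c['reason']}")
```

On the box itself, `show asp drop` together with a `capture` on both outside and outsideold filtered on one static-NAT host's mapped address will confirm or refute this in a single connection attempt. If the return path has to stay on outsideold, the ASA's `tcp-state-bypass` feature exists for exactly this kind of asymmetric path, at the cost of stateful TCP checking for that traffic; keeping both directions of the old range on one interface, as the post's own "old range on outside" test did, keeps the inspection intact.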
is this still a problem?

Similar Messages

  • How do you download all chapters of a video at once?  I purchased a yoga video with multiple chapters and only the first one loaded.  It says I can't download another chapter for 90 days.

    I purchased a yoga video with multiple chapters and only the first one loaded.  It says I can't download another chapter for 90 days.  How do I get all chapters to download?

    Once a device or computer is associated with your Apple ID, you cannot associate that device or computer with another Apple ID for 90 days.
    http://support.apple.com/kb/ht4627

  • With multiple iPhones and iPad, how do you keep from downloading data from one device to another? i.e. my calendar ended up on my daughter's iPad.

    With multiple iPhones and an iPad, how do I keep from downloading info from one device to another? All of my info, example my calendar, ended up on my daughter's iPad.

    Each device has its own sync preferences with iTunes when syncing multiple devices with the same iTunes library under the same computer login account.
    If sync calendars with the same calendar is selected under the Info tab for your daughter's iPad sync preferences with iTunes, the same calendar will be synced with her iPad.

  • TO DRAW A TABLE WITH MULTIPLE ROWS AND MULTIPLE COLUMNS IN FORM

    Hi,
       How to draw a table with multiple rows and columns separated by lines in form printing?

    check this
    http://sap-img.com/ts003.htm
    Regards
    Prabhu

  • With the new Time Capsule does the beam forming occur with multiple clients, and do these clients have to be 802.11ac compatible?

    With the new Time Capsule 5th Gen does the beam forming occur with multiple clients, and do these clients have to be 802.11ac compatible?

    does the beam forming occur with multiple clients
    Yes, but Apple is unclear about how many clients can be connected simultaneously with this feature.
    do these clients have to be 802.11ac compatible?
    Yes

  • How to make an editable bulleted list with multiple lines and custom bullets?

    How do I create an editable bulleted list in Acrobat Pro? I've figured out how to add text fields with multiple lines, and how to add a list box, but I don't see the check box for multiple lines in the list box or how to add bullet points. Can someone please give me step by step instructions? Also is it possible to use custom bullet points?

    Is it a text field or a list box field? The two are not the same...
    The bullets are something that the user will have to enter manually (into a text field, they can only select values in a list-box).
    They can use any unicode character, or special characters if the font used for that field allows for it. You can't use images for the bullets, if that's what you mean.

  • Posting an Idoc with Multiple Headers and Multiple Lines

    Hi all,
    I have a scenario like this fileXIIdoc
    Invoice file comes in text file with multiple header and multiple lines like this
    111               aaa     13214234    US   (header)
    09082010     ABC    9999            A     (Line)
    222               ccc     43454543    US   (header)
    09082010     XYZ    7777            B     (Line)
    09082010     PQR    8888            C     (Line)
    I need to post single Idoc with all the headers and lines
    we are planning to use Custom Idoc,Is this possible by having the header segment as unbounded??
    Regards
    Edited by: Vamsi Krishna on Sep 8, 2010 8:05 PM

    hi,
    lets go again.
    you have to edit the custom IDoc and change the occurrence on the header segment. also modify the details segment adding an additional field that identifies which header this detail belongs to.
    for this case you cannot change the occurrence in SAP PI because you won't identify what I have told you before.  in PI apply the change to the occurrence if you could send ONE IDoc per header.
    now is it clearer???
    Let us know.
    Thanks
    Rodrigo P-.

  • Can bookmarks be portable for multiple computers? Is it an option to log on and use my bookmarks with multiple computers and locations? Thanks

    Can bookmarks be portable for multiple computers? Is it an option to log on and use my bookmarks with multiple computers and locations? Thanks

    A profile is a folder which stores all your personal data in a safe place
    * https://support.mozilla.com/en-US/kb/Profiles
    You can use this button to go to the current Firefox profile folder:
    * Help > Troubleshooting Information > Profile Directory: Open Containing Folder
    Here is how to back up the profile
    * https://support.mozilla.com/en-US/kb/Backing%20up%20your%20information
    Here is how to restore it
    * https://support.mozilla.com/en-US/kb/Recovering%20important%20data%20from%20an%20old%20profile

  • Import Illustrator File with multiple layers and sublayers as composition retaining all layers and sublayers

    I have drawn a country map with multiple layers and sublayers including streets, cities, rail lines, ...
    Now I want to create a template for my colleagues in After Effects.
    For this I want to import the .ai file into After Effects retaining all sublayers and layers in compositions and subcompositions.
    When I do that, I get the first couple of layers correctly; the other ones come in as one merged composition.
    What can I do, to get all layers each as a layer in After Effects?
    Yours, Raphael

    Illustrator only imports the first level of layers. If you have groups or paths below you need to release the groups to layers. The layers will then be stacked in order as sub layers. Then you need to move them up.
    The steps are to select a layer in the Illustrator layer panel, then, without selecting any specific element in the layer, click on the menu in the top right corner and select Release to Layers. All elements in that layer will be converted to layers. Now select them all and drag them up above the original layer. This will leave the original layer empty and put all elements in new layers.
    Here's a tutorial I did a zillion years ago which uses this technique to turn a blend into a morph.
    Morphing With Adobe Illustrator. I hope this helps.

  • How to achieve no-downtime solution deployment on farms with multiple WFEs and LB

    Taking SharePoint Solution Deployer, my opensource PowerShell deployment script, to the next level,
    Bill Simser got me the idea of making the deployment even more smooth on farms with multiple WFEs and load balancer in order to achieve a no-downtime deployment
    The basic idea is to deploy the solutions on each WFEs one-by-one by
    1. Taking one WFE offline
    2. Installing the solution with the -local switch
    # Solution deployment
    Install-SPSolution -Identity <solutionname>.wsp -GACDeployment -CASPolicies -Local
    # Solution upgrade
    Update-SPSolution -Identity <solutionname>.wsp -LiteralPath LocalPathOfTheSolution.wsp -GacDeployment -Local
    3. Run post-deployment actions on the WFE (ie. restart services, recycle apppools or IIS reset, warmup server), which my script already does for each server
    4. Take WFE online again
    5. Repeat step 1-4 for all other WFEs
    I am struggling with three things here:
    1. The whole deployment process could be quite risky when something goes wrong in between. And in order to roll back I would require the original solution if it was already deployed before (which I can back up of course before I replace it)
    Anything which involves changing the content dbs should of course be done after the solutions is deployed to the whole farm, so this should not hurt in this case.
    Anyway MSDN says that the "DeployLocal" method (which I assume is the same as the -Local switch in PS) should be only used for troubleshooting purposes.
    So it would be great to hear about anyones experiences with it
    2. As there can be different types of load balancers (hardware, software) which might not be configurable through my script, I assume that taking the WFE out of the load balancer may not always be possible.
    So I thought about just taking the server offline.
    I haven't found an option yet to take only one server in the farm offline (without removing it from the farm of course), so maybe I miss something. Any ideas?
    3. Before taking a single WFE offline, I would like to assure that this server does not have any open sessions or operations of users ongoing. Unfortunately I found only the possibility to quiesce the whole farm, but not a single server. Am I missing something?
    Appreciate any ideas which might point me in the direction to solve the overall goal!
    SharePoint Architect, Speaker, MCP, MCPD, MCITP, MCSA, MCTS, Scrum Master/Product Owner
    Blog: www.matthiaseinig.de, Twitter:
    @mattein
    CodePlex: SharePoint Software Factory,
    SharePoint Solution Deployer

    Hi Mike, 
    unfortunately not. I tried several different approaches but didn't really succeed reliably with any of them. So eventually I gave up on it.
    Interesting idea though that Eric Hasley is commenting on the blog post you mentioned.
    "There is another approach that has worked for me in the past.  Because the deployment to each server is handled through a timer job,
    by stopping the timer service in a controlled fashion you can rollout your solution without incurring any user outage."
    It could work like that (in theory).
    Stop the SPTimerV4 on all servers in the farm apart from one.
    Take out the one to deploy to from the NLB
    Wait until it has no connections
    Deploy the solutions on it in the ordinary way (eg. with my
    SharePoint Solution Deployer ;))
    Put it back into the NLB and take the others out
    Wait until they have no connections left
    Activate the timer service on the others servers and let them deploy
    Put them back into the NLB
    No clue if this is actually working and you still have the problem with the NLB, so it could take a while.
    Also I am not certain what happens in state 5 if users use different versions of your solutions at the same time (old version on the remaining open connections, new version on the updated server)
    I do not have a suitable farm at hand to play with it though, so can't test it.
    Cheers
    Matthias
    Matthias Einig, CEO, SharePoint MVP
    Blog: www.matthiaseinig.de, Twitter:
    @mattein
    Projects: SharePoint Code Analysis Framework (SPCAF),SharePoint Code Check (SPCop),
    SharePoint Software Factory,
    SharePoint Solution Deployer

  • Downloading .xls file with multiple rows and Columns

    Hi ALL,
    I need to generate an .xls file with multiple rows and columns and send it as an email. Since our customer is having problems with .CSV files, we need to generate an .XLS file.
    Please do the needful.
    Thanks
    Madhu

    Hi Madhu,
    You might also consider using Excel Spreadsheet XML as the target structure (namespace is urn:schemas-microsoft-com:office:spreadsheet).  When you double-click the resulting xml on a PC it automatically opens with Excel. So, users don't see a difference.  It will open up a lot of options with formatting including creating multiple worksheets if you wanted to.  Best of all you can stick with XML.
    See my response in this thread:
    Re: Convert XML data into XLS 
    Thanks,
    -Russ

  • I made a project with multiple tracks and had it all panned and mixed.  Now it's only playing in the right speaker.  Not even registering a left side in the master volume?  What happened, how can I get both sides back?

    I made a project with multiple tracks and had it all panned and mixed.  Now it's only playing in the right speaker.  Not even registering a left side in the master volume?  What happened, how can I get both sides back?

    Thank you for that info.
    For video, the codec is MPEG-4 Video (XVID) and for audio it says MPEG Audio Layer 1/2/3 (mpga).
    There are two issues with that file:
    The first is the Xvid CODEC (not meant for editing), and then the MPEG Audio/MPGA. I would convert that file, to something that is more editable.
    Good luck,
    Hunt

  • Issues with multiple subnets - ASA5510 to Vigor 2820 VPN

    Hi there,
    I am hoping someone here can help.  I have been struggling for some time to sort out issues in a VPN we have between our main London office and the Edinburgh branch office.  We have an ASA 5510  in London, talking to a Vigor 2820 in Edinburgh. 
    The London office has a 192.168.0.0/24 subnet, with the default gateway as a Cisco Catalyst at 192.168.0.254, and the Cisco ASA at 192.168.0.254 as the firewall. 
    The Edinburgh office has the subnet 192.168.2.0/24, with the Vigor running on 192.168.2.1, providing routing, DHCP and firewall services there. 
    I have the VPN working fine, correctly routing traffic between those two subnets over the IPsec tunnel.  However, I have had much trouble adding additional subnets for our VLANs in London.
    What I want to happen is traffic from 192.168.2.0/24 to be able to get to and from 192.168.50.0/24 and several similar networks.
    Upon tracing it using the Cisco packet tracer, I can see that the packets for the 192.168.50.0/24 subnet are not making it over the tunnel, having been stopped by the "VPN: subtype: encrypt" rules.  Looking at these rules though, I can't spot the problem.  Multiple changes of the order of the rules, and reloads, have not sorted out the problem.  When I run a packet trace on the main subnet it works fine.  I have attached some of the configuration (below) as well as the output from the packet tracer, and the config of the Vigor router.
    I apologise in advance for the length of the post, but I have tried to include all relevant information to see if anyone can help.
    Firstly, here's the ASA config that seemed relevant.  I tried to remove some since we have quite a few site-to-site tunnels set up, and these are probably not relevant (and are all working correctly).
    access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.20.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.50.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.30.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.40.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.30.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.50.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip any 192.168.0.192 255.255.255.192
    access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.0.0 192.168.7.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.7.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.2.0 255.255.255.0 192.168.7.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.0.0 192.168.2.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
    nat (inside) 0 access-list insideOutboundNonatAcl
    nat (inside) 9 access-list vpnNatAcl
    nat (inside) 10 192.168.30.5 255.255.255.255
    nat (inside) 10 192.168.0.0 255.255.255.0
    nat (inside) 10 192.168.20.0 255.255.255.0
    nat (inside) 10 192.168.30.0 255.255.255.0
    nat (inside) 10 192.168.50.0 255.255.255.0
    access-list inside_in extended permit ip 192.168.0.0 255.255.255.0 any
    access-list inside_in extended permit tcp host 192.168.5.2 host 192.168.0.2 eq domain
    access-list inside_in extended permit ip 192.168.20.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list inside_in extended permit ip 192.168.20.0 255.255.255.0 any
    access-list inside_in extended permit ip 192.168.50.0 255.255.255.0 any
    access-list inside_in extended permit ip 192.168.30.0 255.255.255.0 any
    access-list inside_in extended permit ip 192.168.30.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list inside_in extended permit ip 192.168.40.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list inside_in extended permit ip 192.168.40.0 255.255.255.0 any
    access-list inside_in extended permit ip 192.168.10.0 255.255.255.0 any
    access-list inside_in extended permit ip host 192.168.2.1 192.168.30.0 255.255.255.0 inactive
    access-list inside_in extended permit ip 192.168.2.0 255.255.255.0 192.168.50.0 255.255.255.0
    access-list inside_in extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-group inside_in in interface inside
    access-list outside_2_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list outside_2_cryptomap extended permit ip 192.168.30.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list outside_2_cryptomap extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list outside_2_cryptomap extended permit ip 192.168.50.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list outside_2_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list outside_2_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
    route inside 192.168.20.0 255.255.255.0 192.168.0.254 1
    route inside 192.168.50.0 255.255.255.0 192.168.0.254 1
    route inside 192.168.30.0 255.255.255.0 192.168.0.254 1
    route inside 192.168.40.0 255.255.255.0 192.168.0.254 1
    crypto ipsec transform-set ESP_DES_MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set TRANS_VPN_SET esp-3des esp-md5-hmac
    crypto ipsec transform-set TRANS_VPN_SET mode transport
    crypto ipsec transform-set TRANS_VPN_SET_2 esp-3des esp-sha-hmac
    crypto ipsec transform-set TRANS_VPN_SET_2 mode transport
    crypto ipsec transform-set ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP_3DES_MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec df-bit clear-df outside
    crypto dynamic-map core_vpn_dyn_map 20 set transform-set ESP_3DES_MD5 ESP_DES_MD5 TRANS_VPN_SET TRANS_VPN_SET_2
    crypto dynamic-map core_vpn_dyn_map 40 set pfs
    crypto dynamic-map core_vpn_dyn_map 40 set transform-set ESP_3DES_SHA ESP_DES_MD5
    crypto map outside_map 2 match address outside_2_cryptomap
    crypto map outside_map 2 set pfs
    crypto map outside_map 2 set peer [branch peer ip]
    crypto map outside_map 2 set transform-set ESP_3DES_MD5
    crypto isakmp identity address
    crypto isakmp policy 25
     authentication pre-share
     encryption 3des
     hash md5
     group 1
     lifetime 28800
    crypto isakmp nat-traversal 30
    crypto isakmp disconnect-notify
    group-policy DfltGrpPolicy attributes
     banner none
     wins-server none
     dns-server none
     dhcp-network-scope none
     vpn-access-hours none
     vpn-simultaneous-logins 100
     vpn-idle-timeout none
     vpn-session-timeout none
     vpn-filter none
     vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
     password-storage disable
     ip-comp disable
     re-xauth enable
     group-lock none
     pfs disable
     ipsec-udp disable
     ipsec-udp-port 10000
     split-tunnel-policy tunnelall
     split-tunnel-network-list none
     default-domain none
     split-dns none
     intercept-dhcp 255.255.255.255 disable
     secure-unit-authentication disable
     user-authentication disable
     user-authentication-idle-timeout 30
     ip-phone-bypass disable
     leap-bypass disable
     nem disable
     backup-servers keep-client-config
     msie-proxy server none
     msie-proxy method no-modify
     msie-proxy except-list none
     msie-proxy local-bypass disable
     nac disable
     nac-sq-period 300
     nac-reval-period 36000
     nac-default-acl none
     address-pools none
     smartcard-removal-disconnect enable
     client-firewall none
     client-access-rule none
    tunnel-group [branch peer ip] type ipsec-l2l
    tunnel-group [branch peer ip] ipsec-attributes
     pre-shared-key *
    Note: [branch peer ip] replaces any instances of the branch office outside IP address
    I appreciate there may be some duplicated/redundant rules here - I have been playing with config to try to fix the problem.  I'd really appreciate any suggestions on how to track this down. 
    Here's the vigor config:
    So it looks to match ok to me at both ends, unless there is something I missed.  The vigor routing table shows:
    Key: C - connected, S - static, R - RIP, * - default, ~ - private
    *    0.0.0.0/0.0.0.0                  via [ISP gateway server]   WAN1
    S    [branch peer ip]/255.255.255.255 via [branch peer ip]       WAN1
    S~   192.168.40.0/255.255.255.0       via [London office ip]     VPN
    S~   192.168.50.0/255.255.255.0       via [London office ip]     VPN
    S~   192.168.10.0/255.255.255.0       via [London office ip]     VPN
    S~   192.168.0.0/255.255.255.0        via [London office ip]     VPN
    C~   192.168.2.0/255.255.255.0        is directly connected      LAN
    S~   192.168.7.0/255.255.255.0        via [London office ip]     VPN
    S~   192.168.30.0/255.255.255.0       via [London office ip]     VPN
    S~   192.168.20.0/255.255.255.0       via [London office ip]     VPN
    *    [ISP dns server]/255.255.255.255 via [ISP gateway server]   WAN1
    I have replaced IPs here as is shown.  You can see the vigor seems to want to route the appropriate traffic over the VPN.
    Finally, here is the packet trace output:
    ciscoasa# packet-tracer input outside tcp 192.168.2.1 echo 192.168.50.10 echo d

    Phase: 1
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow

    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.50.0    255.255.255.0   inside

    Phase: 3
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group outsideInAcl in interface outside
    access-list outsideInAcl extended permit ip 192.168.2.0 255.255.255.0 any
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0x4529e48, priority=12, domain=permit, deny=false
        hits=362922, user_data=0x4529e08, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.2.0, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0x44057f0, priority=0, domain=permit-ip-option, deny=true
        hits=2693939, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

    Phase: 5
    Type: NAT-EXEMPT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0x44fe9a0, priority=6, domain=nat-exempt-reverse, deny=false
        hits=12, user_data=0x44fe800, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip=192.168.2.0, mask=255.255.255.0, port=0
        dst ip=192.168.50.0, mask=255.255.255.0, port=0

    Phase: 6
    Type: NAT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    nat (inside) 10 192.168.50.0 255.255.255.0
      match ip inside 192.168.50.0 255.255.255.0 outside any
        dynamic translation to pool 10 (external [Interface PAT])
        translate_hits = 2250, untranslate_hits = 17
    Additional Information:
    Forward Flow based lookup yields rule:
    out id=0x4b80e80, priority=1, domain=nat-reverse, deny=false
        hits=32, user_data=0x4b80ce0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=192.168.50.0, mask=255.255.255.0, port=0

    Phase: 7
    Type: NAT
    Subtype: host-limits
    Result: ALLOW
    Config:
    nat (inside) 10 192.168.50.0 255.255.255.0
      match ip inside 192.168.50.0 255.255.255.0 outside any
        dynamic translation to pool 10 (external [Interface PAT])
        translate_hits = 2250, untranslate_hits = 17
    Additional Information:
    Reverse Flow based lookup yields rule:
    in  id=0x4b80fa0, priority=1, domain=host, deny=false
        hits=2811, user_data=0x4b80ce0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=192.168.50.0, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

    Phase: 8
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Reverse Flow based lookup yields rule:
    in  id=0x4469ef8, priority=0, domain=permit-ip-option, deny=true
        hits=2010804, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

    Phase: 9
    Type: VPN
    Subtype: encrypt
    Result: DROP
    Config:
    Additional Information:
    Reverse Flow based lookup yields rule:
    out id=0x4887aa8, priority=70, domain=encrypt, deny=false
        hits=10, user_data=0x0, cs_id=0x44b18f8, reverse, flags=0x0, protocol=0
        src ip=192.168.50.0, mask=255.255.255.0, port=0
        dst ip=192.168.2.0, mask=255.255.255.0, port=0

    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    So it seems to find the rule, which it ought to match, but then returns DENY.  What's going on here?  Perhaps this is misleading and the issue is elsewhere, but it isn't clear from the output here.
    For further information, this is output for the WORKING subnet - I have just taken a small part here though:
    Phase: 10
    Type: VPN
    Subtype: encrypt
    Result: ALLOW
    Config:
    Additional Information:
     Reverse Flow based lookup yields rule:
     out id=0x4b86418, priority=70, domain=encrypt, deny=false
            hits=332214, user_data=0x7da5c, cs_id=0x44b18f8, reverse, flags=0x0, protocol=0
            src ip=192.168.0.0, mask=255.255.255.0, port=0
            dst ip=192.168.2.0, mask=255.255.255.0, port=0
    Thanks very much in advance for any help you can provide - I've been really stuck on this one!
    Chris

    Hi,
    Can you issue the packet-tracer with the direction being your London office -> Remote office?
    Also issue the command twice.
    Personally I've used packet-tracer with some L2L VPNs to test if the remote end has the configurations correct. Also I've noticed that the first packet-tracer test never goes through. So issue that command twice and show how it goes.
    Though I imagine you have tried to connect through the L2L VPN with real host machines and not just the firewall's packet-tracer?
    Also I imagine the original info has a typo. You say your ASA's LAN gateway IP and the local L3 switch's IP address are the same, 192.168.0.254.
    Basically the hardest part regarding L2L VPNs should be the initial setup of the VPN connection. Even though it should be simple people still tend to mess up PSKs or Phase1/2 parameters. But as your L2L VPN is already in working order and you are just adding networks to it, it should be pretty simple.
    When you add networks and don't require any special NAT configurations, your NAT0 and Encryption domain access-lists should look pretty much the same.
    And looking at your configurations, it should be like this:
    access-list outside_2_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list outside_2_cryptomap extended permit ip 192.168.30.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list outside_2_cryptomap extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list outside_2_cryptomap extended permit ip 192.168.50.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list outside_2_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list outside_2_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0

    access-list insideOutboundNonatAcl extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.30.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.50.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
    Btw what is the network 192.168.7.0/24? It seems to have a VPN rule at the remote site but not at the HO site. Though there is a NAT0 rule for that traffic on the HO site.
    EDIT: I imagine the VPN network rules should be an exact mirror image of each other. Though it seems this doesn't stop devices from negotiating the VPN up, but who knows if some other device type is picky about that one. The only thing in your situation that I see is the network 192.168.7.0/24 that is not included in the other end's configurations.
    EDIT2: Also the reason your test for the already existing rule might be going through without a problem might be because the tunnel is up and working for the networks in question.
    EDIT3: Does your Vigor device also have NAT0 rules configured for the new networks?
    - Jouni
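    Jouni's advice boils down to three consistency checks: every network pair in the crypto map ACL should also be in the NAT0 ACL, nothing should be exempted from NAT that is not also in the encryption domain, and the remote end's crypto ACL should be the exact mirror image of the local one. The following is an added example, not part of Jouni's reply and not a Cisco or DrayTek tool: a Python checker that parses ASA-style `access-list ... extended permit ip` lines for the two local ACLs and for the remote side, then reports each kind of mismatch. The sample ACLs are constructed: the HO crypto and NAT0 lists are the six entries Jouni proposes, with the extra 192.168.7.0/24 NAT0 entry he noticed; the remote list is written in the same ASA syntax purely for the comparison (the real remote is a Vigor) and is constructed to carry a 192.168.7.0/24 rule and to omit 192.168.50.0/24, so the output reproduces the two gaps discussed in the thread. The function names are my own.

```python
import re
from collections import namedtuple

AclEntry = namedtuple("AclEntry", "name src src_mask dst dst_mask")

# ASA extended ACL permit line with explicit network/mask on both sides.
ACL_RE = re.compile(
    r"access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)"
)

LOCAL_NETS = ["192.168.20.0", "192.168.30.0", "192.168.40.0",
              "192.168.50.0", "192.168.10.0", "192.168.0.0"]
REMOTE_NET = "192.168.2.0"
MASK = "255.255.255.0"

# Constructed HO (ASA) configuration: crypto ACL and NAT0 ACL as proposed in the reply,
# plus the 192.168.7.0/24 NAT0 entry that has no crypto counterpart on this end.
HO_CRYPTO = "\n".join(
    f"access-list outside_2_cryptomap extended permit ip {n} {MASK} {REMOTE_NET} {MASK}"
    for n in LOCAL_NETS)
HO_NAT0 = "\n".join(
    f"access-list insideOutboundNonatAcl extended permit ip {n} {MASK} {REMOTE_NET} {MASK}"
    for n in LOCAL_NETS + ["192.168.7.0"])

# Constructed remote-end encryption domain, expressed in ASA syntax for comparison only:
# it includes 192.168.7.0/24 and is missing 192.168.50.0/24.
REMOTE_CRYPTO = "\n".join(
    f"access-list remote_cryptomap extended permit ip {REMOTE_NET} {MASK} {n} {MASK}"
    for n in ["192.168.0.0", "192.168.7.0", "192.168.10.0",
              "192.168.20.0", "192.168.30.0", "192.168.40.0"])


def parse_acl(text):
    """Parse every matching permit line into an AclEntry; other lines are ignored."""
    return [AclEntry(*m.groups()) for line in text.splitlines()
            if (m := ACL_RE.search(line))]


def pairs(entries):
    """Reduce entries to the set of (src, src_mask, dst, dst_mask) tuples."""
    return {(e.src, e.src_mask, e.dst, e.dst_mask) for e in entries}


def mirror(pair):
    """What the same traffic selector looks like from the other end of the tunnel."""
    src, sm, dst, dm = pair
    return (dst, dm, src, sm)


def check_l2l(local_crypto, local_nat0, remote_crypto):
    """Report the mismatches Jouni describes between crypto ACL, NAT0 ACL and remote end."""
    local, nat0, remote = pairs(local_crypto), pairs(local_nat0), pairs(remote_crypto)
    return {
        # in the encryption domain but still subject to NAT
        "missing_nat0": sorted(local - nat0),
        # exempted from NAT but never sent into the tunnel
        "nat0_without_crypto": sorted(nat0 - local),
        # local selector whose reverse is absent on the remote end
        "not_mirrored_at_remote": sorted(p for p in local if mirror(p) not in remote),
        # remote selector whose reverse is absent locally
        "remote_only": sorted(p for p in remote if mirror(p) not in local),
    }


if __name__ == "__main__":
    report = check_l2l(parse_acl(HO_CRYPTO), parse_acl(HO_NAT0), parse_acl(REMOTE_CRYPTO))
    for kind, items in report.items():
        print(f"{kind}: {len(items)}")
        for src, sm, dst, dm in items:
            print(f"    {src} {sm} -> {dst} {dm}")
```

    With the constructed inputs the report is empty for `missing_nat0`, lists 192.168.7.0/24 under `nat0_without_crypto` and `remote_only`, and lists 192.168.50.0/24 under `not_mirrored_at_remote`, which is the subnet whose packet-tracer run ends in the encrypt-phase drop above. Paste the real `show running-config access-list` output in place of the constructed strings to run the same comparison on a live pair of peers.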

  • SSL Multiple Tunnel Groups with Multiple group policies

    Hello folks.
    Have a query and cant seem to find an answer on the web.
    I have configured SSL Clientless VPN on a lab ASA5510, using 2 tunnel groups, one for engineers and one for staff, mapped to 2 different group policies, each with different customisation. I have mapped the AD groups to the tunnel groups using both ACS and now LDAP (currently in use), both working successfully; using group lock and an LDAP map of IETF-Radius-Class to Group name ensures engineers get assigned to the engineers tunnel group and staff get mapped to the staff tunnel group only.
    The question I have is: is there a way to use a single tunnel group to map the user based on AD group, which will then use the correct group-policy (1 tunnel group to multiple group-policies)? I have seen examples of doing this with different URLs but want to know if they can all use the same URL and avoid using the drop-down list using aliases.
    It may be a simple "No" but it would be nice to know how to do it without using the URLs or drop down list. Users are easily confused ......

    Easy. Disable the drop-down list, and use the authentication-server (LDAP or Radius) in the DefaultWEBVPNGroup. By default when you browse to the ASA, it will be using the DefaultWEBVPNGroup. Let LDAP or Radius take care of the rest.
    You will get the functionality you are looking for.
    HTH
    PS. If this post was helpful, please rate it.

  • CSS on multiple subnets and separate load balancing

    Hello,
    I've a situation where I need to load balance incoming clients on subnet A to 3 real servers on subnet B - no problems there.
    But I also need to load balance different clients on subnet C to 3 other servers on subnet D and clients on subnet E to 2 servers on subnet F.
    Basically I want to use the CSS for 3 different load balancing operations.
    Rather than using 3 separate CSS11503s can I do all this with multiple VLANs on the LAN switches and 1 CSS?
    Any help appreciated
    Regards Tony

    You can have as many VLANs as you want.
    So yes, you can do what you want.
    Just be aware that the CSS can route as well between those VLANs, so if you want separation between them you may have to use ACLs.
    Gilles.
