Hyperion Servers on Different Subnets
Our network engineers have designed a new scheme for our network whereby there will be different subnets for the web servers, application servers, and database servers. We are on Hyperion System 9; our web server contains the Hyperion WAS services (Planning, Reporting, Shared Services, OpenLDAP, etc.); our Essbase DB and license server are on one database server, and SQL and the reports server (communications, scheduler, etc.) are on another server. In this new network scheme, the Hyperion web server will be on a different subnet than the two database servers.

Does anyone see any issues or know of any issues with this setup?

Thanks,
Candy
Hi,
You can do this, but you have to use client-NAT (Source-NAT) to force the return traffic to pass back through the ACE. You also then need static routes in the ACE context to point at each server. PBR is an alternative approach but I have not implemented that in a live network. The important thing is that the ACE sees both sides of the conversation.
The following extract from a configuration shows the basic principle:
rserver host master
ip address 10.199.95.2
inservice
rserver host slave
ip address 10.199.38.68
inservice
serverfarm host FARM-web2-Master
description Serverfarm Master
probe PROBE-web2
rserver master
inservice
serverfarm host FARM-web2-Slave
description Serverfarm Slave
probe PROBE-web2
rserver slave
inservice
class-map match-any L4VIPCLASS
2 match virtual-address 10.199.80.12 tcp eq www
3 match virtual-address 10.199.80.12 tcp eq https
policy-map type management first-match REMOTE-MGMT-ALLOW-POLICY
class REMOTE-ACCESS
permit
policy-map type loadbalance first-match LB-POLICY
class class-default
serverfarm FARM-web2-Master backup FARM-web2-Slave
policy-map multi-match L4POLICY
class L4VIPCLASS
loadbalance vip inservice
loadbalance policy LB-POLICY
loadbalance vip icmp-reply active
loadbalance vip advertise
nat dynamic 1 vlan 384
service-policy input L4POLICY
interface vlan 383
description ACE-web2-Clientside
ip address 10.199.80.13 255.255.255.248
alias 10.199.80.12 255.255.255.248
peer ip address 10.199.80.14 255.255.255.248
access-group input ACL-IN
access-group output PERMIT-ALL
no shutdown
interface vlan 384
description ACE-web2-Serverside
ip address 10.199.80.18 255.255.255.240
alias 10.199.80.17 255.255.255.240
peer ip address 10.199.80.19 255.255.255.240
access-group input PERMIT-ALL
access-group output PERMIT-ALL
nat-pool 1 10.199.80.20 10.199.80.20 netmask 255.255.255.240 pat
no shutdown
ip route 0.0.0.0 0.0.0.0 10.199.80.9
ip route 10.199.95.2 255.255.255.255 10.199.80.21
ip route 10.199.38.68 255.255.255.255 10.199.80.21
HTH
Cathy
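The principle in Cathy's reply, that the ACE has to see both directions of every flow, comes down to two checkable conditions for each real server that is not on an ACE VLAN: a route to it whose next hop sits on an ACE-facing VLAN, and a source-NAT binding (a nat dynamic statement plus a nat-pool inside that VLAN's subnet) so the server's replies return to the ACE instead of going straight back to the client. The Python below is an added example, not part of the post or of any Cisco tooling: it parses a constructed excerpt written in the style of the configuration above (same addresses) and reports those two conditions per rserver. It recognises only the statement types shown, and the section handling and result keys are this example's own.

```python
import ipaddress
import re

# Constructed excerpt in the style of the ACE configuration quoted in the reply (same addresses).
SAMPLE_CONFIG = """
rserver host master
  ip address 10.199.95.2
  inservice
rserver host slave
  ip address 10.199.38.68
  inservice
policy-map multi-match L4POLICY
  class L4VIPCLASS
    loadbalance vip inservice
    nat dynamic 1 vlan 384
interface vlan 383
  description ACE-web2-Clientside
  ip address 10.199.80.13 255.255.255.248
interface vlan 384
  description ACE-web2-Serverside
  ip address 10.199.80.18 255.255.255.240
  nat-pool 1 10.199.80.20 10.199.80.20 netmask 255.255.255.240 pat
ip route 0.0.0.0 0.0.0.0 10.199.80.9
ip route 10.199.95.2 255.255.255.255 10.199.80.21
ip route 10.199.38.68 255.255.255.255 10.199.80.21
"""


def parse_ace(text):
    """Pull rservers, VLAN interfaces, NAT pools, 'nat dynamic' bindings and routes out of the config."""
    cfg = {"rservers": {}, "vlans": {}, "nat_pools": {}, "nat_dynamic": [], "routes": []}
    section = ("other", None)  # which block the indented lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"rserver host (\S+)$", line):
            section = ("rserver", m.group(1))
        elif m := re.match(r"interface vlan (\d+)$", line):
            section = ("vlan", int(m.group(1)))
        elif re.match(r"(policy-map|class-map|serverfarm)\b", line):
            section = ("other", None)
        elif m := re.match(r"ip address (\S+)(?: (\S+))?$", line):
            if section[0] == "rserver":
                cfg["rservers"][section[1]] = ipaddress.ip_address(m.group(1))
            elif section[0] == "vlan" and m.group(2):
                cfg["vlans"][section[1]] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif (m := re.match(r"nat-pool (\d+) (\S+) (\S+) netmask", line)) and section[0] == "vlan":
            cfg["nat_pools"][int(m.group(1))] = (
                section[1], ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
        elif m := re.match(r"nat dynamic (\d+) vlan (\d+)$", line):
            cfg["nat_dynamic"].append((int(m.group(1)), int(m.group(2))))
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)$", line):
            cfg["routes"].append(
                (ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"), ipaddress.ip_address(m.group(3))))
    return cfg


def check_return_path(cfg):
    """Per rserver: on an ACE VLAN? If not, is there a usable route and source NAT on that VLAN?"""
    findings = {}
    for name, ip in cfg["rservers"].items():
        if any(ip in iface.network for iface in cfg["vlans"].values()):
            findings[name] = {"directly_connected": True, "route_ok": True, "snat_ok": True}
            continue
        # Non-default routes covering the server whose next hop sits on an ACE VLAN.
        via_vlans = {
            vlan for net, nh in cfg["routes"] if net.prefixlen and ip in net
            for vlan, iface in cfg["vlans"].items() if nh in iface.network}
        # Source NAT must be bound to that same server-facing VLAN with a pool inside its subnet.
        snat_ok = False
        for pool_id, vlan in cfg["nat_dynamic"]:
            pool = cfg["nat_pools"].get(pool_id)
            if pool and pool[0] == vlan and vlan in via_vlans:
                net = cfg["vlans"][vlan].network
                snat_ok = snat_ok or (pool[1] in net and pool[2] in net)
        findings[name] = {"directly_connected": False, "route_ok": bool(via_vlans), "snat_ok": snat_ok}
    return findings


if __name__ == "__main__":
    for server, result in check_return_path(parse_ace(SAMPLE_CONFIG)).items():
        print(server, result)
```

Dropping either the host route or the nat dynamic line from the excerpt flips the corresponding flag to False, which is the asymmetric-routing situation the reply warns about: the ACE would forward the request but never see the reply.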
Similar Messages
-
ACE load balancing servers on different subnets...
Hello,
I have the following issue.... I need to load balance traffic between two servers already working in two different subnets (VLANs); at this point it is highly desirable to avoid changing IP addresses. Is it possible to accomplish this goal using ACE? Routed or bridged mode? Is it strictly necessary to have all servers belonging to a serverfarm in the same subnet?
Thanks in advance for your support.
-
Hi Everyone,
I'm just about to connect two SBS 2011 servers with the same server name but on different subnets and domains over a VPN.
So, for example, both servers will have the name Server01; one would have an IP address of 192.168.85.5, the other 192.168.86.5, and they would both be connected over a VPN.
Can anyone foresee any issues with this configuration, like DNS and DHCP requests, adding new machines to the domain, mapping drives, etc.?
Many thanks,
Nick

Hi Larry & Strike First,
Thank you for your responses. I understand that this is an unusual situation. Basically, I've recently taken over the IT support for this client. The client has just had a new phone system installed and is asking if they can speak to each office internally, which can easily be done once I set up the VPN.
However, I noticed whilst looking at this further that the server names are the same, hence my question.
Am I right in saying that, provided the workstations have a trust relationship with their own domain controllers through their individual domains on separate subnets, there hopefully shouldn't be any DNS issues between the two domains and servers?
I could build a new VM if you feel it would be better practice to do so?
Many thanks for your assistance,
Nick -
In DFS, How to make servers LEAST COST for different subnets.
Hello. We set up DFS in our domain (SERVER1) and replicated the DFS namespace to a server which is also a member of the domain but is on a DIFFERENT SUBNET (let's call this server SERVER2).
How can I make sure that SERVER2 DFS referrals do NOT go to SERVER1 unless SERVER2 is down, etc.? Or, how do we make sure SERVER2 clients don't go to the wrong site and vice versa when we enable DFS on multiple systems?
I have also enabled least expensive target selection (site costing) in DFS, but I am not sure if that will work.
Note: SERVER2 is not a domain controller.
SERVER1 is Server 2008 Standard.
SERVER2 is Server 2008 R2 Standard.
Please help, and thank you in advance.
Regards,
Rod
--- Network Security Administrator

Dear Mandy,
I have run the command DFSUTIL /PKTINFO on a SERVER2 client's computer and it seems to be referred to the SERVER1 DFS namespace targets.
Namespace referrals are set to lowest cost.
Here is the output of the command:
C:\>DFSUTIL /PKTINFO
1 entries...
Entry: \Jessel.local\SysVol
ShortEntry: \Jessel.local\SysVol
Expires in 0 seconds
UseCount: 0 Type:0x1 ( DFS )
0:[\filesv02.Jessel.local\SysVol] AccessStatus: 0 ( ACTIVE TARGETSET )
1:[\FILESV03.Jessel.local\SysVol]
DfsUtil command completed successfully.
Please advise.
Thank You very much.
Rod Lopez
--- Network Security Administrator -
Can members in a pool be on different subnets using CSM
Hello. We have recently been investigating load balancing devices, and were almost set on F5. We then overhauled our core network, including replacing one 4507R with 2 6500's, outfitted with Sup720's and FWSM modules.
Now, we are seriously thinking about investing in the CSM or ACE module instead of the F5. I was wondering if the servers in my virtual pool can be on different subnets?
For example, the user is looking for a web server with an IP of 192.168.110.1. This virtual ip is setup on the CSM module, and contains three physical servers, 192.168.110.10, 192.168.110.20, and 10.10.10.1 (server in a different data center, only to be used if the two primary servers go down). Will this work, or do all members in the pool need to be on the same subnet?
Thanks.

I would recommend the following test results published by VeriTest:
http://www.lionbridge.com/NR/rdonlyres/5518CDEC-0D57-446E-8E3D-2AE73DCB7EEF/0/csm_comparison.pdf
Gilles. -
2 different subnets on single vlan
I have this setup.
2 3750G switches stacked.
I have 2 servers with IPs 10.10.10.1/30 and 10.10.10.2/30 connected into ports g1/0/1 and g1/0/2 respectively on switch 1, both in VLAN 100.
I have another 2 servers with IPs 10.10.20.1/30 and 10.10.20.2/30 connected into ports g2/0/1 and g2/0/2 respectively on switch 2, both also in VLAN 100.
I need to keep this same VLAN across the stack. In theory, servers on the same subnet in VLAN 100 should be able to communicate properly, or am I wrong?
What can I do to prevent broadcasts from propagating between subnets of this single VLAN?

Edison
Perhaps I read the post from Sparky slightly differently than you do. The first pair of servers are in the same logical subnet and in the same VLAN, so they should communicate with each other fine. And the second pair of servers are in the same logical subnet and in the same VLAN, so they should communicate with each other fine.
But I agree with you that there are flaws in this implementation. First, since the subnets are /30 they only allow two hosts, and with two servers in the subnet there is nothing to act as a gateway and to provide access to "remote" addresses. Also, this implementation breaks the assumption that there is a correlation between subnet and VLAN. We tend to assume that a correlation exists and that a subnet is related to a VLAN and a VLAN is related to a subnet. But VLAN is a layer 2 concept and subnet is a layer 3 concept, and they are not necessarily related. There is no rule that says that a VLAN has only 1 subnet (though that is common practice). A VLAN interface with a primary IP address and a secondary IP address would certainly support 2 (or more) subnets.
Note that this implementation does not provide the isolation that we tend to assume when we talk about subnets. We generally assume that devices in 1 subnet do not communicate directly with devices in a different subnet (because we tend to assume that each subnet is a separate broadcast domain). But this implementation puts both subnets into the same broadcast domain. So the first pair of servers will hear all the broadcasts (including ARP) from the second pair of servers, and any of these servers could communicate directly with any other of the servers, certainly not bounded by the subnet.
Sparky
There is no way to isolate the broadcasts within the same VLAN. The basic definition of a VLAN is that it is a broadcast domain. And any broadcast generated will be flooded throughout the entire broadcast domain. The only way to restrict the broadcasts is to create 2 VLANs.
HTH
Rick
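Rick's point that a VLAN (a layer 2 broadcast domain) and a subnet (a layer 3 prefix) are independent can be made concrete. The Python below is an added example, not anything from the thread: it takes the four servers as Sparky describes them (two /30 subnets, all in VLAN 100; the addresses are constructed sample data) and reports, per pair, whether they share a VLAN and whether they share a subnet, which hosts hear a given host's broadcasts, and how many usable addresses each /30 has left for a gateway. Function and key names are this example's own.

```python
from ipaddress import ip_interface
from itertools import combinations

# Constructed from Sparky's description: two /30 subnets, all four ports in VLAN 100.
HOSTS = {
    "srv1": ("10.10.10.1/30", 100), "srv2": ("10.10.10.2/30", 100),
    "srv3": ("10.10.20.1/30", 100), "srv4": ("10.10.20.2/30", 100),
}


def classify_pairs(hosts):
    """For each pair of hosts, record the L2 relation (same VLAN) and the L3 relation (same subnet)."""
    out = {}
    for a, b in combinations(sorted(hosts), 2):
        (cidr_a, vlan_a), (cidr_b, vlan_b) = hosts[a], hosts[b]
        out[(a, b)] = {
            "same_vlan": vlan_a == vlan_b,
            "same_subnet": ip_interface(cidr_a).network == ip_interface(cidr_b).network,
        }
    return out


def broadcast_listeners(hosts, name):
    """Hosts that receive a broadcast (ARP included) sent by `name`: everyone in its VLAN, whatever the subnet."""
    vlan = hosts[name][1]
    return sorted(h for h, (_, v) in hosts.items() if h != name and v == vlan)


def gateway_room(hosts):
    """Per subnet (IPv4 /30 or shorter): usable addresses, how many hosts use them, what is left for a gateway."""
    out = {}
    for cidr, _ in hosts.values():
        net = ip_interface(cidr).network
        used = {ip_interface(c).ip for c, _ in hosts.values() if ip_interface(c).network == net}
        usable = net.num_addresses - 2  # network and broadcast addresses are not assignable
        out[str(net)] = {"usable": usable, "used": len(used), "free_for_gateway": usable - len(used)}
    return out


if __name__ == "__main__":
    for pair, rel in classify_pairs(HOSTS).items():
        print(pair, rel)
    print("srv1 broadcasts reach:", broadcast_listeners(HOSTS, "srv1"))
    print(gateway_room(HOSTS))
```

Moving srv3 and srv4 to a second VLAN changes only the L2 answers: the pairs across the two /30s still differ in subnet, but srv1's broadcasts now reach srv2 alone, which is the isolation Rick says a single VLAN cannot provide.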
-
Multiple RAC databases on same GI using different subnets for Public i/face
Hello. We are configuring a 2 node cluster. That cluster will host several RAC databases. For security reasons, our networking team wants to create separate subnets for the application traffic to each specific RAC database on the cluster.
E.g. application 1 has 2 application servers that will connect to RAC database PROD1 via one subnet, application 2 has 3 application servers that will connect to RAC database PROD2 via a different subnet, etc.
In addition, the networking team wants to configure a separate management subnet that DBAs etc. will use to administer all RAC databases and infrastructure in the cluster.
Grid Infrastructure version 11.2.0.2. Database versions will vary from 10.2.0.x to 11.2.0.2. All databases will utilise RAC.
We want to take advantage of SCAN listener functionality to support connectivity to all databases on the cluster. Forum thread 2199620 [https://cn.forums.oracle.com/forums/thread.jspa?threadID=2199620] suggests that 11gR2 supports multiple subnets, which looks to be exactly the feature we need. Please can you confirm how this works and point us to any documentation (standard docs, white papers, MOS, etc.) that might help us configure this.
The document referenced in thread 2199620 was not exactly what we were looking for, and didn't translate too well in Google Translate.
Any guidance much appreciated. Thanks, Rich.
Similar threads:
https://cn.forums.oracle.com/forums/thread.jspa?messageID=9846298? (Dual SCAN on multi homed cluster)
https://cn.forums.oracle.com/forums/thread.jspa?threadID=2199620 (scan listener in OAM VLAN)
Edited by: 887449 on 26-Sep-2011 01:41

Thanks Levi. Your advice is very much appreciated.
Your statement that we can only have one SCAN listener listening on one public network is actually the clarification I was looking for.
For anyone else reading this thread I believe this gives us 3 options:
1) Configure a SCAN listener and have all applications, and all management/administration, connecting to the corresponding database on the same cluster via that SCAN listener, all on the same subnet.
2) Configure a SCAN listener for use by all applications connecting to the corresponding database on the same cluster, and use TNSNAMES/VIP for management/administration traffic, both on separate subnets (by configuring the LISTENER_NETWORKS parameter)
3) Configure a SCAN listener for use by applications connecting to one of the databases on the cluster via one subnet, use TNSNAMES/VIP for all other applications connecting to other databases, each using their own subnet. Plus, the management/administration could be via another subnet utilising TNSNAMES/VIP.
From our perspective we will work out the best one for us and implement accordingly.
Thanks again for your timely and comprehensive response. -
Multiple VIPs in Different Subnets
Is there any way to set up the CSS with VIPs in different subnets? If we were using an inline configuration, I don't see how this would be possible.
Let's assume three subnets A, B, and C. We would like to have a VIP in subnet A pointing to all the web servers in subnet A. Same for subnets B and C.
I guess we could configure a trunk port with a CIRCUIT interface in each of the subnets A, B, and C. This would allow clients to route to the VIP in each subnet. My concern is the return traffic. With only one default route in the CSS, all return traffic would traverse one CIRCUIT interface. Am I correct, or am I misunderstanding something?
Thanks!
Tom

I believe you are correct. We have practically the same scenario working here. I have a /29 allocated to the front end of the CSS and the upstream HSRP routers (call that VLAN 10). Then I have multiple subnets for backend servers behind the CSS set up as 802.1q trunk VLANs (call them VLAN 100, 101, 102, etc.). I route for those subnets belonging to VLANs 101, 102, etc. on the upstream routers to point to the VRRP address of the CSS (the VRRP address of the CSS in VLAN 10). I also route whatever IP is used as a virtual to the CSS VRRP address as well. So my upstream routers will have routes to the VIPs and the backend VLANs all pointing to the CSS's VRRP address.
Casey -
Joining domain - different subnet
I currently have a 2012 server (AD) at our company's office (office1).
I would like to set up a hardware VPN connection between our main office and a new department (office2). This requires different subnets for each router.
Is it possible to join the domain from office2?
What would be the required DNS settings?

No, you do not need a DC in the remote office. I thought you were asking if it were possible to create a domain on a different subnet in a remote office, since you said you had another department there. Departments often have other servers, and then there would be a benefit for a DC there. But if there are no servers there, no need for a DC. If it required a domain in every remote office, it would be next to impossible to have any remote users, as every remote user would need to run a domain controller, which obviously is not a requirement.
The simplest way is VPN with two routers.
Or, Windows Server comes with a capability called DirectAccess which would allow people to have access to the corporate information over the internet, no need for a VPN. It even allows users with mobile laptops to have access to corporate from wherever they have access to the internet; nothing special is required on their machines other than Windows 7 or later.
.:|:.:|:. tim -
Active Directory on Different Subnet
Hello All,
I have a Leopard Server configured as an OD master, which is also connected to a Windows Active Directory domain. I do this to import my 100 or so users from the AD into the OD, thereby giving them iCal accounts.
The problem I'm having is that I recently moved the Leopard Server onto another subnet, which breaks the connection to the AD. When I try to rebuild the connection through Directory Utility, I get the following error:
Unable to add the domain. An unexpected error of type -14090 (eDSAuthFailed) occurred.
The servers have to be on different subnets for many complicated and convoluted reasons that wouldn't be appropriate to get into... but putting them on the same subnet is out of the question right now.
Anyone have any information that might help?
Thanks,
Chris

DNS will do it every time. The lack of reverse resolution is the hidden time bomb in most every AD deployment. Just remember to have DNS and time working. With those two done correctly, you are 99% of the way to success.
And the Strontium 90 is mostly scientific, in a dark and pessimistic view of nuclear proliferation and environmental impact. But that is getting too serious for the forums. Thanks for noticing and glad I could help. -
File Server Migration from 2008 Standard to 2012 Standard accross different subnet
Hi
I'm going to migrate a file server from Windows 2008 Standard to Windows 2012 Standard. Source and destination servers are on different subnets. According to this
http://technet.microsoft.com/en-us/library/jj863566.aspx I cannot use the Server Migration Tools built into 2012. I'm not sure if I can use File Server Migration Toolkit 1.2.
Also, my domain controllers are a mixture of Windows 2003, 2008, and 2008 R2, and I've upgraded the schema level to 2012 R2. Is there anything else I need to be aware of?
Can anyone please recommend the best way to go about doing this migration? Is File Server Migration Toolkit 1.2 compatible?
The only reason I don't want to use Robocopy for this is because if I miss a small setting etc. then I will face unwanted downtime.
I presume the Migration Toolkit will also create all the quotas etc. on the destination server.
Thanks
mumtaz

Hi mumtaz,
We could use File Server Migration Toolkit 1.2 to migrate a file server between the two subnets. In order to maintain security settings after the migration, note that, to ensure the security of files and folders after they are migrated to a target file server, the File Server Migration Wizard applies permissions that are the same as or more restrictive than they were on the source files and folders, depending on the option you select.
In the meantime, quotas cannot be migrated by this tool, but we can export and import the quota templates using the dirquota command. Export the templates as XML and then import them on the new server:
dirquota template export /file:C:\test.xml
dirquota template import /file:C:\test.xml
For more detailed information, please see:
Template Export and Import Scenarios
http://technet.microsoft.com/en-us/library/cc730873(WS.10).aspx
Regards,
Mandy
-
WDS PXE DHCP, Clients on different subnet
Hello,
We are having a lot of trouble trying to get PXE imaging working from our WDS server on different subnets. We have an existing ZENworks imaging setup working as of right now, but WDS is causing more issues than I care to troubleshoot. I have read blog after blog, forum post after forum post, and everyone says just install it and it works! I guess we have run into some sort of problem that nobody else has.
Environment:
2x DCs, Server 2012 R2, both run DNS, 10.5.0.101, 10.5.0.102
1x DHCP server, 2012 R2, 10.5.0.105
1x WDS server, 2012 R2, 10.5.0.41
If I put a client on the same subnet as all of the servers it seems to work, except for the fact that it takes a while for the client to get an IP and continue to load wdsnbp.com. I would say around 20-30 seconds. In our ZENworks environment it takes no more than 1 second to get an IP. As for the DHCP server itself, clients receive normal DHCP offers instantly. So that part is working properly.
Now when I try to access the WDS PXE server from a different subnet than the one that all of the servers are on, noting that I do have the IP helper addresses set up on our layer 3 switch:
interface Vlan2025
ip address 10.200.20.1 255.255.255.0
ip helper-address 10.5.0.105
ip helper-address 10.5.0.41
It always says failed to receive boot file. But as I said earlier, clients in Windows receive DHCP leases from 10.5.0.105 without issue.
Setting the client options in the DHCP server with options 66 and 67 works sort of, but we found that it was unreliable and often finicky, like having the system repeatedly ask to press F12, and even if you did press F12 it would still ask to press F12 again.
So I continued to do a Wireshark packet capture on the port where the device was trying to get the DHCP/PXE info from the DHCP / WDS servers. The first packet here is from the DHCP server and the second is from the WDS server.
Bootstrap Protocol
Message type: Boot Reply (2)
Hardware type: Ethernet (0x01)
Hardware address length: 6
Hops: 0
Transaction ID: 0xd6c565d2
Seconds elapsed: 0
Bootp flags: 0x8000 (Broadcast)
Client IP address: 0.0.0.0 (0.0.0.0)
Your (client) IP address: 10.200.20.117 (10.200.20.117)
Next server IP address: 10.5.0.105 (10.5.0.105)
Relay agent IP address: 10.200.20.1 (10.200.20.1)
Client MAC address: Hewlett-_c5:65:d2 (78:e7:d1:c5:65:d2)
Client hardware address padding: 00000000000000000000
Server host name not given
Boot file name not given
Magic cookie: DHCP
Option: (53) DHCP Message Type
Length: 1
DHCP: Offer (2)
Option: (1) Subnet Mask
Length: 4
Subnet Mask: 255.255.255.0 (255.255.255.0)
Option: (58) Renewal Time Value
Length: 4
Renewal Time Value: (21600s) 6 hours
Option: (59) Rebinding Time Value
Length: 4
Rebinding Time Value: (37800s) 10 hours, 30 minutes
Option: (51) IP Address Lease Time
Length: 4
IP Address Lease Time: (43200s) 12 hours
Option: (54) DHCP Server Identifier
Length: 4
DHCP Server Identifier: 10.5.0.105 (10.5.0.105)
Option: (3) Router
Length: 4
Router: 10.200.20.1 (10.200.20.1)
Option: (6) Domain Name Server
Length: 8
Domain Name Server: 10.5.0.101 (10.5.0.101)
Domain Name Server: 10.5.0.102 (10.5.0.102)
Option: (15) Domain Name
Length: 8
Domain Name: domain.com
Option: (255) End
Option End: 255
Bootstrap Protocol
Message type: Boot Reply (2)
Hardware type: Ethernet (0x01)
Hardware address length: 6
Hops: 0
Transaction ID: 0xd2c565d2
Seconds elapsed: 4
Bootp flags: 0x8000 (Broadcast)
Client IP address: 0.0.0.0 (0.0.0.0)
Your (client) IP address: 0.0.0.0 (0.0.0.0)
Next server IP address: 10.5.0.41 (10.5.0.41)
Relay agent IP address: 10.200.20.1 (10.200.20.1)
Client MAC address: Hewlett-_c5:65:d2 (78:e7:d1:c5:65:d2)
Client hardware address padding: 00000000000000000000
Server host name: wds1.domain.com
Boot file name not given
Magic cookie: DHCP
Option: (54) DHCP Server Identifier
Length: 4
DHCP Server Identifier: 10.5.0.41 (10.5.0.41)
Option: (97) UUID/GUID-based Client Identifier
Length: 17
Client Identifier (UUID): eb8daa31-8e62-11df-bbd8-d1c565d278e7
Option: (60) Vendor class identifier
Length: 9
Vendor class identifier: PXEClient
Option: (53) DHCP Message Type
Length: 1
DHCP: Offer (2)
Option: (255) End
Option End: 255
What I find interesting is that the WDS server is not handing out a boot file name:
"Boot file name not given"
Could this be the reason why we receive the "no boot file received" error when trying to boot a client into PXE?
The other thing that I noticed was that the WDS server is also responding with:
"Option: (60) Vendor class identifier
Length: 9
Vendor class identifier: PXEClient"
Why would it be responding with this, when DHCP is on a separate server? Is this option only used if you have DHCP and WDS on the same server?
Any help would be appreciated, as there has been too much time already spent on getting nowhere.
Thanks,
Dan.

Dan,
10 months later and not one reply... I'm having the same issue; did you ever figure this out? The DHCP server is my Cisco switch; WDS/PXE is on another network. WDS and PXE are working fine, as I can boot from the same network as the WDS/PXE server. I can also get WDS/PXE to work if I have an MS DHCP server on a different network and populate option 66 and option 67. I cannot get this to work using Cisco ip helper-address for some reason.
Thanks,
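Dan's reading of the capture (a relayed offer from the WDS server with the BOOTP file field empty and option 60 set to PXEClient) is the kind of check that can be scripted rather than read off a Wireshark pane. The Python below is an added example, not from the thread or from WDS: it builds a BOOTREPLY from the field values shown in the second capture above (the offer from 10.5.0.41; the MAC and UUID are copied from the capture), decodes the fixed BOOTP header and the DHCP option TLVs, and reports the fields a PXE troubleshooter looks at: whether the reply was relayed, the next-server address, whether the vendor class is PXEClient, and whether a boot file is present either in the fixed file field or in option 67. The builder and the finding names are this example's own; it records what the reply carries and does not decide why the boot fails.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_VENDOR_CLASS = 53, 54, 60
OPT_TFTP_SERVER, OPT_BOOTFILE, OPT_END = 66, 67, 255


def build_bootp_reply(xid, secs, yiaddr, siaddr, giaddr, mac, sname, fname, options):
    """Assemble a BOOTREPLY (op=2): 236-byte fixed header, magic cookie, then option TLVs."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, secs, 0x8000)  # op, htype, hlen, hops, xid, secs, flags
    addrs = b"".join(ipaddress.IPv4Address(a).packed for a in ("0.0.0.0", yiaddr, siaddr, giaddr))
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    names = sname.encode().ljust(64, b"\x00") + fname.encode().ljust(128, b"\x00")
    tlv = b"".join(bytes([code, len(val)]) + val for code, val in options) + bytes([OPT_END])
    return hdr + addrs + chaddr + names + MAGIC_COOKIE + tlv


def parse_dhcp(packet):
    """Decode the BOOTP fixed fields and the DHCP option TLVs into a dict."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (too short or missing magic cookie)")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", packet[:12])
    ciaddr, yiaddr, siaddr, giaddr = (
        str(ipaddress.IPv4Address(packet[i:i + 4])) for i in range(12, 28, 4))
    options, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == 0:  # pad option: single byte, no length
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op, "xid": xid, "secs": secs, "broadcast": bool(flags & 0x8000),
        "ciaddr": ciaddr, "yiaddr": yiaddr, "siaddr": siaddr, "giaddr": giaddr,
        "chaddr": ":".join(f"{b:02x}" for b in packet[28:28 + hlen]),
        "sname": packet[44:108].split(b"\x00", 1)[0].decode("ascii", "replace"),
        "file": packet[108:236].split(b"\x00", 1)[0].decode("ascii", "replace"),
        "options": options,
    }


def pxe_offer_findings(info):
    """The fields a PXE troubleshooter checks in a reply that arrived through an ip helper."""
    opts = info["options"]
    return {
        "is_offer": opts.get(OPT_MSG_TYPE) == b"\x02",
        "relayed": info["giaddr"] != "0.0.0.0",
        "next_server": info["siaddr"],
        "pxeclient_vendor_class": opts.get(OPT_VENDOR_CLASS) == b"PXEClient",
        # A boot file can travel in the fixed 'file' field or in option 67.
        "has_boot_file": bool(info["file"]) or OPT_BOOTFILE in opts,
        "has_tftp_server_option": OPT_TFTP_SERVER in opts,
    }


# Constructed reply mirroring the field values of the WDS offer in the capture above.
WDS_OFFER = build_bootp_reply(
    xid=0xD2C565D2, secs=4, yiaddr="0.0.0.0", siaddr="10.5.0.41", giaddr="10.200.20.1",
    mac="78:e7:d1:c5:65:d2", sname="wds1.domain.com", fname="",
    options=[
        (OPT_SERVER_ID, ipaddress.IPv4Address("10.5.0.41").packed),
        (97, b"\x00" + bytes.fromhex("eb8daa318e6211dfbbd8d1c565d278e7")),  # UUID client identifier
        (OPT_VENDOR_CLASS, b"PXEClient"),
        (OPT_MSG_TYPE, b"\x02"),
    ],
)

if __name__ == "__main__":
    for key, value in pxe_offer_findings(parse_dhcp(WDS_OFFER)).items():
        print(f"{key:24} {value}")
```

Fed a pcap instead of the constructed bytes, the same parser runs over the UDP payloads of every reply seen on the client's port, so the two offers Dan pasted can be compared field by field, and a reply that does carry a file name or option 67 stands out immediately.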
-
Streaming music on different subnet
I've got a fairly basic network setup. I'm using ADSL with a Cisco 837 router. My ISP has assigned me 16 static IP addresses. I've got a local DHCP server which hands out a range of IPs that have been provisioned to me via my ISP, which are used for workstations (laptops, desktops, et al.), with the remaining statically assigned (servers, for example).
Diagram:
telco=] 837/router -> switch -> devices
Everything is connected directly to the switch, except for wireless clients.
Now, to keep myself from running out of the 16 assigned IP addresses, I've set up a separate subnet for devices which won't need contact with the internet world.
Those devices I've put under 10.1.0.0, of which I've given my AirPort Express a 10.1.0.0 address.
Under iTunes on my iMac the AirPort Express is listed in the drop-down box; when I select it, it sits forever stating it's connecting to the AirPort Express.
On the other hand, iTunes running on my laptop running Windows does not present the drop-down box.
Is there any way to correct this, without having to give the AirPort Express a public (non 10.x.x.x) IP address?

You have given the AE an IP address for a network, not a device on that network based on a standard subnet mask. Each network has two unassignable numbers, the IP address of the network, and broadcast. Try 10.1.0.1 for your AE.
I was just giving an example of the network configuration; the IP address of the AE is not actually 10.1.0.0 but 10.1.0.4.
If you want devices on different subnets to have access, they need to at least be on the same network, and then alter the subnet mask for them so both subnets appear on the same network.
They are on the same network, in the sense that I can talk to a 10.1.0.x address from one of my public IP addresses and vice versa. The only difference is 10.1.0.x cannot talk to anything WAN side where machines/devices with a public address can.
Devices assigned with the public network IPs will be difficult to configure so they see the private non-routable network, but I think it can be done???? I would try another scheme.... give the AE one of the static IPs and then NAT with it. Then it would be a gateway to the computers behind it for the others in your public range.... but that's just me. Hope that helps.
I am not looking to set up NAT. I already have a gateway, the Cisco 837 router. I already have a wireless access point which I recently mounted. Thus, I'm not needing any of the Wi-Fi capabilities of the AE, but just the AirTunes facilities for local machines running on my LAN.
Just to clarify again, I have an IP range in the 217.155.6.x block, and to keep myself from using all of the IPs in that block, I'm using 10.1.x.x addresses (non-traversable) for the remaining bits that don't require WAN side communication.
Michael -
ASA 5505: VPN Access to Different Subnets
Hi All-
I'm trying to figure out how to configure our ASA so that remote users can have VPN access to two different subnets (office LAN and phone LAN). Currently, I have 3 VLANs set up: VLAN 1 (inside), VLAN 2 (outside), VLAN 13 (phone LAN). Essentially, remote users should be able to access their PC (192.168.1.0/24) and also access the office phone system (192.168.254.0/24). Is this even possible? Below is the configuration on our ASA.
Thanks in advance:
ASA Version 8.2(5)
names
name 10.0.1.0 Net-10
name 20.0.1.0 Net-20
name 192.168.254.0 phones
name 192.168.254.250 PBX
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 13
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.98 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address X.X.139.79 255.255.255.224
interface Vlan3
no nameif
security-level 50
ip address 192.168.5.1 255.255.255.0
interface Vlan13
nameif phones
security-level 100
ip address 192.168.254.200 255.255.255.0
ftp mode passive
object-group service RDP tcp
port-object eq 3389
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp eq ssh
access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 192.168.1.0 255.255.255.0
access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 phones 255.255.255.0
access-list inside_nat0_outbound extended permit ip any Net-10 255.255.255.224
access-list inside_access_in extended permit ip any any
access-list Split_Tunnel_List standard permit Net-10 255.255.255.224
access-list phones_nat0_outbound extended permit ip any Net-10 255.255.255.224
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 host Mac any
pager lines 24
logging enable
logging timestamp
logging monitor errors
logging history errors
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu phones 1500
ip local pool SSLClientPool-10 10.0.1.1-10.0.1.20 mask 255.255.255.128
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 10 interface
global (outside) 1 interface
global (phones) 20 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 10 access-list vpn_nat_inside outside
nat (phones) 0 access-list phones_nat0_outbound
nat (phones) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.139.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=pas-asa.null
keypair pasvpnkey
crl configure
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
vpn-sessiondb max-session-limit 10
telnet timeout 5
ssh 192.168.1.100 255.255.255.255 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh Mac 255.255.255.255 outside
ssh timeout 60
console timeout 0
dhcpd auto_config inside
dhcpd address 192.168.1.222-192.168.1.223 inside
dhcpd dns 64.238.96.12 66.180.96.12 interface inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect-essentials
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
wins-server none
dns-server value 64.238.96.12 66.180.96.12
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
ipv6-vpn-filter none
vpn-tunnel-protocol svc
group-lock value PAS-SSL-VPN
default-domain none
vlan none
nac-settings none
webvpn
svc mtu 1200
svc keepalive 60
svc dpd-interval client none
svc dpd-interval gateway none
svc compression none
group-policy DfltGrpPolicy attributes
dns-server value 64.238.96.12 66.180.96.12
vpn-tunnel-protocol IPSec svc webvpn
tunnel-group DefaultRAGroup general-attributes
address-pool SSLClientPool-10
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group PAS-SSL-VPN type remote-access
tunnel-group PAS-SSL-VPN general-attributes
address-pool SSLClientPool-10
default-group-policy SSLClientPolicy
tunnel-group PAS-SSL-VPN webvpn-attributes
group-alias PAS_VPN enable
group-url https://X.X.139.79/PAS_VPN enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
no call-home reporting anonymous
Hi Jouni-
Yes, with the current configs remote users only have access to the 'inside' LAN (192.168.1.0). The digital PBX on the 'phone' LAN (192.168.254.0) is not reachable through their VPN session.
Per your recommendation, I removed the following configs from my ASA:
global (phones) 20 interface
... removing this configuration didn't make a difference -- I was still able to ping the inside LAN, but not the phone LAN.
global (inside) 10 interface
nat (outside) 10 access-list vpn_nat_inside outside
.... removing these two configurations caused the inside LAN to be unreachable. The phone LAN was not reachable, either. So, I put the '10' configurations back.
The ASDM syslog is showing the following when I try to ping the PBX (192.168.254.250) through the VPN session:
"portmap translation creation failed for icmp src outside:10.0.1.1 dest phones:PBX (type 8, code 0)"
What do you think?
Thanks! -
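A quick consistency check to run over the pasted pre-8.3 nat/global statements, added here as an example and not part of the poster's configuration: on that ASA release, a dynamic `nat (ifc) id` entry is only usable towards an egress interface that carries a `global` with the same id, so the script below lists every (ingress, nat id, egress) combination that has no matching global. The sample config is the subset of lines quoted from the post above; the `outside 10 -> phones` gap it reports is the combination on the VPN-to-PBX path that the syslog message refers to.

```python
import re
from collections import defaultdict

# Constructed sample: the nat/global lines quoted from the forum post above
# (pre-8.3 ASA syntax), reduced to the statements this check needs.
SAMPLE_CONFIG = """\
global (inside) 10 interface
global (outside) 1 interface
global (phones) 20 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 10 access-list vpn_nat_inside outside
nat (phones) 0 access-list phones_nat0_outbound
nat (phones) 1 0.0.0.0 0.0.0.0
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")


def parse_nat_pairs(config):
    """Return ({ingress_ifc: {nat ids}}, {egress_ifc: {global ids}})."""
    nats, globals_ = defaultdict(set), defaultdict(set)
    for line in config.splitlines():
        if m := NAT_RE.match(line):
            nats[m.group(1)].add(int(m.group(2)))
        elif m := GLOBAL_RE.match(line):
            globals_[m.group(1)].add(int(m.group(2)))
    return nats, globals_


def missing_globals(config):
    """List (ingress, nat_id, egress) triples where a dynamic nat id has no
    global with the same id on the egress interface. nat id 0 is the
    exemption/identity case and needs no global, so it is skipped."""
    nats, globals_ = parse_nat_pairs(config)
    interfaces = set(nats) | set(globals_)
    gaps = []
    for ingress, ids in nats.items():
        for nat_id in sorted(ids - {0}):
            for egress in sorted(interfaces - {ingress}):
                if nat_id not in globals_.get(egress, set()):
                    gaps.append((ingress, nat_id, egress))
    return gaps


if __name__ == "__main__":
    for ingress, nat_id, egress in missing_globals(SAMPLE_CONFIG):
        print(f"nat ({ingress}) {nat_id} has no global ({egress}) {nat_id}")
```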
Can ARD 3 now share a screen across 2 different subnets
We have one central office. Clients access that office via a VPN. We can then share our screen with them as we work on a proof of a project.
It's a great solution, however, we can't with ARD 2.2 get it to work with two clients at once over the VPN.
An old Kbase article said that it wasn't possible to route screen sharing to two different subnets in the 2.2 version, but rather required that all clients be on the same subnet.
Does anyone know, or have the ability to test, whether this is different in 3.0? I'm hopeful that it is, as I can no longer find the old Kbase article saying that it wasn't possible.
Thanks,
Greg
Still no reply as to whether this was resolved. I'm not so much worried about the move on the client side, as once we upgrade we have the luxury of upgrading everyone at once. I think that will be a smooth process.
However, our motivation to upgrade is dependent on whether or not the ability to route traffic over multiple subnets is fixed. So we'll wait and see. If anyone can easily test this, I'd love to know. Sounds like a few other people are hoping to hear something as well.
Thanks in advance,
Greg