Internet connexion problem for remote site in Site to site VPN asa 5505

Similar Messages

• How to set up NAT for two servers using same port with ASDM ASA 5505

  Hi there,
  We have a new installation of a ASA 5505 and are trying to get some NAT issues straightened out. Here is the scenario: On our internal network, we have two servers running Filemaker Server, a relational database server that clients connect with using port 5003. Our goal is to be able to allow users from the outside to access either of these servers as needed. I know how to set up a simple static NAT rule and matching Access rule in ASDM which would be fine for a case in which only one server using a given port is running on a network, but for simple static rules I seem to be blocked from entering a different translated port number from the orginal port number, which becomes a problem when two servers we need to access from the outside are running software using the same port number.
  What is the simplest way to address this need? I am guessing that I need to set up a scenario like this, where port 5004 (or any arbitrarily choosen unused port, can be used to access the second server:
  Outside user enters   FQDN:5004  and this translates to Database server # 1 as   192.168.1.40:5003
  and
  Outside user enters   FQDN:5003  and this translates to Database server # 1 as   192.168.1.38:5003
  If so, what is the easist way to get this done? Or is there a better what to handle this scenario?
  Thanks in advance,
  James

  I would create two objects and use object NAT
  object network Obj_5004
  host 192.168.1.40
  object network Obj_5004
  nat (inside,outside) static service tcp 5003 5004
  object network Obj_5003
  host 192.168.1.38
  object network Obj_5003
  nat (inside,outside) static service tcp 5003 5003
  Of course you will need to open your outside interface for tcp ports 5003 and 5004 to make this happen

• Creative Internet Camera Live for Remote Monitoring

  I can not get the DDNS domain name feature to install. I get a message that says user name already being used. I have tried numerous versions of names and get the same message. Also, at one point in the install process I get a message that the DDNS site is not responding and try again.

  You can access your camera from the internet by the address of your internet connection. Usually, this is the outside interface on the router connected to your cable modem, or the address of your dsl modem. This should show as the remote IP address on the Home display for your camera. (If it doesn't, something is wrong!)
  Then, provided you have done the dmz thing for your camera, you can go to someplace outside and you should be able to reach your camera by that ip address. For example:
  http://66.42.3.97/ And you should get a prompt to login to your camera...
  Took me a few tries but I got both the ip address and the creativeddns to work.
  cath

• Shared Review problem for remote review SME

  One of my SMEs works offsite via a VPN connection. When she tries to participate in the shared review process from the PDF location on the network drive, she has display problems (all the text is highlighted in black) and she can't "connect" to see other's comments. The PDF displays fine if she downloads it to her hard drive she can see shared comments but of course is then unable interact with the shared process.
  She's developed an elaborate and time consuming work around, but I need a solution for her problem. She's using the current version of Reader and I'm generating PDFs using Acrobat 9 Pro Extended.
  This is not an issue for any of my other offsite SMEs.
  Thoughts?

  What are the instructions for Acrobat Pro v11.0.10?
  There is no option to save as "Archive copy" only "PDF-X/A" but that returns an error that it can't be saved.
  All instances of Shared Review sessions have been removed from the the "Tracker..." dialog, but I am still getting server pings. By all rights, there should be no more pings to any server. When I am actually in my network where the server is visible, Adobe is connecting without my permission.
  How can I get the server pings to completely stop in Acrobat Pro v11.0.10?

• S2S VPN - ASA 5505 to ASA 5540 - Routing Problems

  I'm a software developer (no doubt the issue) trying to setup my remote office (5505) to the main office (5540). No problem getting the S2S VPN up, but I definitely have problems with the routing. Using tracert, it shows it going into the remote network for a couple of hops, but then timing out. Packet tracer shows everything is fine. Using my client VPN credentials to the remote network, same on the return path...does a few hops, then gets lost. I've stripped down the config to the basics and ensured it isn't security settings on both ends, but still doesn't work. I've spent A LOT of hours trying to get this to work, so thanks for any assistance!
  Current running config:
  ASA Version 8.2(5)
  hostname asa15
  enable password XXXXX encrypted
  passwd XXXXX encrypted
  names
  name 10.0.0.0 remote-network
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 172.16.5.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address dhcp setroute
  ftp mode passive
  access-list outside_1_cryptomap extended permit ip 172.16.5.0 255.255.255.0 remote-network 255.0.0.0
  access-list inside_nat0_outbound extended permit ip 172.16.5.0 255.255.255.0 remote-network 255.0.0.0
  access-list inside_access_in extended permit ip 172.16.5.0 255.255.255.0 remote-network 255.0.0.0
  access-list inside_nat0_outbound_1 extended permit ip 172.16.5.0 255.255.255.0 remote-network 255.0.0.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  icmp unreachable rate-limit 1 burst-size 1
  asdm location remote-network 255.0.0.0 inside
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound_1
  nat (inside) 1 0.0.0.0 0.0.0.0
  access-group inside_access_in in interface inside
  route outside 0.0.0.0 0.0.0.0 99.X.X.7 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 172.16.5.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 3600
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set peer 99.X.X.7
  crypto map outside_map 1 set transform-set ESP-AES-128-SHA
  crypto map outside_map 1 set reverse-route
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 28800
  vpn-addr-assign local reuse-delay 5
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  dhcpd address 172.16.5.100-172.16.5.130 inside
  dhcpd auto_config outside interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
  webvpn
  tunnel-group 99.X.X.7 type ipsec-l2l
  tunnel-group 99.X.X.7 ipsec-attributes
  pre-shared-key XXXXX
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
  message-length maximum client auto
  message-length maximum 512
  policy-map global_policy
  class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  : end

  just out of curiosity, why do you have
  route outside 0.0.0.0 0.0.0.0 99.X.X.7 1
  You already set your default route through DHCP setroute under the interface. this could be the issue.
  If your VPN config is ok and you are seeing encaps/decaps, it is likely a routing issue.
  Does the remote device have the correct default gateway?
  May be a Natting issue if you have a one-way tunnel (usually send but no receive)...
  Patrick

• How to create accounts for remote users in 1841

  Hi,
  I was wondering how can i create accounts for remote users to be able to vpn please ? I have setup the vpn server successfully.
  Regard,

  Hello.
  I believe that you can try this:
  Router# configure terminal
  Router (config)# password encryption aes
  Router (config)# crypto ipsec client ezvpn ezvpn1
  Router (config-crypto-ezvpn)# username server_1 password 0 blue
  if you are using easy vpn.
  from: http://cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455b7d.html

• ASA 5505 Problem ACL

  Dear All,
  I have a problem with the configuration of the ACL of my ASA 5505 router.
  However, the syntax seems okay
  access-list 121 extended deny icmp 192.168.0.0 255.255.255.0 any
  Thanks for your help

  Hi,
  Its hard to say when I cant see your whole configuration.
  Have you attached the ACL to an interface on the ASA?
  access-group 102 in interface
  Only then the ACL will have some effect on the traffic. Though remember to allow other traffic in the SAME ACL. Otherwise you will block all traffic from behind the interface to which you attach this ACL.
  However this ACL wont block ICMP between the hosts on the same network naturally.
  - Jouni

• Hi, every time i try downloading ios5 it reaches 100% and then the connection times out and nothing happens after that; though the internet connection is fine as i can access other sites etc. what could be the problem?i tried using 2 different modems.

  Hi, every time i try downloading ios5 it reaches 100% and then the connection times out and nothing happens after that; though the internet connection is fine as i can access other sites etc. what could be the problem?i tried using 2 different modems. Where can i download the ios5 from as my itunes is on my desktop which uses windows xp. Please help

  Download iOS 5.1
  iOS 5.1 (build 9B176) is compatible with iPad 1, iPad 2, iPhone 3GS, iPhone 4, iPhone 4S, iPod touch 3rd & 4th gen, and iPad 3. Additional builds are available for Apple TV 2 and Apple TV 3. The below download links are all direct downloads of iOS 5.1 from Apple.
  iPad 1
  iPad 2 Wi-Fi
  iPad 2 GSM (AT&T)
  iPad 2 CDMA (Verizon)
  iPad 2,4
  iPhone 3GS
  iPhone 4 GSM (AT&T)
  iPhone 4 CDMA (Verizon)
  iPhone 4S
  iPod touch 3G
  iPod touch 4G
  iPad 3 Wi-Fi
  iPad 3 GSM
  iPad 3 CDMA
  Apple TV 2 (9B179b1)
  Apple TV 3 (9B179b1)
  Source: http://osxdaily.com/2012/03/07/ios-5-1-download/

• Routing Issue for Remote Access Clients over Site to Site VPN tunnels

  I have a customer that told me that Cisco has an issue when a customer has a topology of let's say 3 sites that have site to site tunnels built and a Remote Access client connects to site A and needs resources at Site B but the PIX won't route to that site. Has this been fixed in the ASA?

  Patrick, that was indeed true for a long time.
  But now it is fixed in PIX and ASA version 7.x.
  Please refer to this document for details:
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

• HW acceleration (direct2d) causes problems for my site , is there a script to disable it automatically?

  direct2d acceleration on FF4 causes really bad font rendering problems for my site.
  Text goes on to of each other and behind pictures making it impossible to read for some parts. Disabling HW acceleration fixes the problem. Is there a script that I could use to disable it automatically for my site?

  In fact updating my graphics was the cause of the problem. With the old drivers there were no problems. It depends on the system. So far I've tested on 6 Windows PC's. on 2 of them it worked fine. My site should be 100% W3C compliant. It works fine on 3.6, Chrome, IE and Opera

• Can we implement site catalyst for Remote desktop app like MS dynamics NAV?

  Can we implement site catalyst for Remote desktop app like MS dynamics NAV?
  please throw some insight

  Hi,
  Thank you for posting in Windows Server Forum.
  Does this happens for this particular application?
  For a test you can publish Notepad\WordPad as RemoteApp and check whether facing same issue. Please check the result and let us know. If it’s working normally then might seems there is some configuration issue with MS Dynamics App. 
  Does this happens for all user or specific users?
  Which version of RDP Client you are using for client system?
  Try to install RDP 8.1 for better feature.
  Update for RemoteApp and Desktop Connections feature is available for Windows
  http://support.microsoft.com/kb/2830477
  Hope it helps!
  Thanks.
  Dharmesh Solanki
  TechNet Community Support

• IPv6 deployment problem for multiple site

  Dear Expert,
  I have a question about the deployment of IPv6 on two different site and the requirement is that client may need to auto switchover to another site while one of the ASR1002 is failure. I have using two different prefix on two sites with IPv6 stateless autoconfig like above diagram. Different prefix used for each site due to each site should use there own IPv6 prefix for Firewall Stateful(Default gateway point to local site firewall only). Client will retrieved two IPv6 addresses at the same time and it seems workable on Vista PC and Mac(Mac haven't select the High DRP one but work fine) and I haven’t try for other mobile device (have WiFi device for vlan100). Is it a valid solution? Any other solution for multiple site deploy IPv6 with Firewall no NAT enabled?
  Thank you very much!
  Regards,
  Kawaii

  One option would be to tweak the OS prefix policy table to prefer v4 to v6.  On Linux this is in /etc/gai.conf; on windows you'd run "netsh interface ipv6 set prefixpolicies ...".  The side effect would be that you'd only do v6 with the v6-only sites, not with the dual-stack sites.

• I've been paying for Adobe Premiere pro for the past Thre onth and today, despite the fact that i have paid already for the upcoming month, i cannot access it because of an "intenet connexion problem". But I'm connected and I have the right ID. What shoul

  I've been paying for Adobe Premiere pro for the past three month and today, despite the fact that i have paid already for the upcoming month, i cannot access it because of an "intenet connexion problem". But I'm connected and I have the right ID. What should I do?

  Lanakivee
  Try this it worked for me Pat Willener gave it to me off the site :
  I have not read all you wrote, so I may have missed some points. As I understand it, you installed FP 10 on IE7, but it won't play any Flash content?
  Try this
  download the FP uninstaller from http://www.adobe.com/go/tn_14157
  close all browser windows, then run the uninstaller
  download the offline ActivX installer for Internet Explorer from http://fpdownload.macromedia.com/get/flashplayer/current/install_flash_player_ax.exe
  close all browser windows, then run the installer

• Move Internet facing site and remove Exchange site

  Background:
  I am running Exchange 2010 in native mode
  I have multiple AD sites connected via WAN
  I have two sites each with an Exchange CAS, HT, Mailbox server and internet connections
  I have one Edge server in the DMZ at the internet facing site A
  All mail currently flows in/out through site A via connectors
  OWA is currently hosted on the CAS/HT server at site A
  I have installed a new Edge server in the DMZ of site B and cloned the configuration.
  I am planning the move of the internet facing site to the new site where the other Exchange CAS/HT server resides.
  Once the mail flow is occurring correctly in/out site B, I need to move all mailboxes to site B and shut down the Exchange server at site A. 
  Questions:
  When I create the Edge Subscription at the new site, it offers to create a new send connector.  The CAS/HT server at site B already has a send connector to site A.  Will the new send connector cause mail flow problems if it is pointing to
  the new Edge server that is not yet updated on public DNS?  I am trying to do this in stages and I am not ready to change mail flow to site B internet.
  What needs to happen to move OWA to the Exchange server at site B?
  Once site B is handling OWA, all mail flow, and all mailboxes have been moved to that site, can I simply shut down the site A Exchange server?
  Thanks for any input on how best to plan this move.  If there is any documentation for this specific scenario, I work well from instructions but have not seen anything on the internet.

  1.  Sending can happen from both sites, regardless of where your MX records point.  In fact, you don't need an MX record to send email - just to receive.  So the new send connector in Site B won't cause issues with mail flow - messages will
  go out B and come in A until you rehome your MX record.
  2.  In order to move OWA to Site B, your external records for your OWA site need to point to the external IP address that will connect to the Site B CAS (and hopefully, you have it behind a firewall of some sort).
  3.  Not quite - you need to move your OAB generation to the new site, and make sure that all CAS virtual directories in the new site are configured to handle the connections that currently go to Site A.  See the following for what you need to do
  to decommission your Site A Exchange servers - but where it says "Exchange 2013", think "Site A Exchange servers": 
  http://technet.microsoft.com/en-us/library/ee332361(v=exchg.141).aspx

• Zzxc: When I click on a link in my email it doesn't go to the page. It is a blank page. It will work in internet explorer. When I sign in at certain sites, it doesn't redirect. Why is that?

  <blockquote>Locked by Moderator.
  Please continue the discussion in this thread: [tiki-view_forum_thread.php?locale=en-US&comments_parentId=688606&forumId=1]
  Thanks - c</blockquote>
  == Issue
  ==
  I have another kind of problem with Firefox
  == Description
  ==
  zzxc: When I click on a link in my email it doesn't go to the page. It is a blank page. It will work in internet explorer. When I sign in at certain sites, it doesn't redirect. Why is that?
  I am still having the same problem. I did what you said to do, but it didn't help. I cleared all of firefox's cache and still doesn't work.
  == Firefox version
  ==
  most recent
  == Operating system
  ==
  Windows 7
  == Plugins installed
  ==
  just windows,itunes, flash

  I have not found a way for the email hypertext to go to the FaceBook App, but I no longer click on the hypertext as I know whatever information or posting it is directing me to in FaceBook will show up when I open my FaceBook App.  I also have noticed that many pop-ups on the Browser don't actually know if you already have the software they are promoting.