IOS VPN access from handheld devices
hi
Has anyone here configured VPN access from handheld devices on a router?
Really, I don't know where to start!
You must select one of the following modes of operation when you enable the PIX Firewall as an Easy VPN Remote device:
Client mode: In this mode, VPN connections are initiated by traffic, so resources are only used on demand. In client mode, the PIX Firewall applies Network Address Translation (NAT) to all IP addresses of clients connected to the inside (higher security) interface of the PIX Firewall. To use this mode, you must also enable the DHCP server on the inside interface, as described in "Using the PIX Firewall DHCP Server."
Network extension mode: In this mode, VPN connections are kept open even when not required for transmitting traffic. This option does not apply NAT to any IP addresses of clients on the inside (higher security) interface of the PIX Firewall.
In network extension mode, the IP addresses of clients on the inside interface are received without change at the Easy VPN Server. If these addresses are registered with the Network Information Center (NIC), they may be forwarded to the public Internet without further processing. Otherwise, they may be translated by the Easy VPN Server or forwarded to a private network without translation.
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00800eb72d.html
Similar Messages
-
VPN connection works, but can't ping or access any other device on remote network
I have an OS X Lion server at work (uses a static IP of 192.168.2.10). VPN is set up and works.
The work network's router has an IP of 192.168.2.1 and hands out IPs of 192.168.2.100-149. The VPN service is configured to hand out IPs of 192.168.2.150-170.
My home network uses a router with an IP of 192.168.1.1 and hands out IPs from 192.168.1.2-49
Both routers are using subnet mask of 255.255.255.0
The problem is, I can connect to the VPN just fine and access all services running on that same OS X server like iChat and AFP file sharing. But, I cannot directly access any other device on the office network like client machines or even trying to log into the router's GUI interface. Pings timeout, etc.
Example:
At my home, I have a local IP of 192.168.1.12 and I connect to the work VPN. It assigns me an IP address of 192.168.2.151 and I'm able to connect to iChat on the OS X server that has a static IP of 192.168.2.10
In terminal, I try to ping the router on the work network (192.168.2.1) and I get no response (even though ICMP response is turned ON). I try to ping another OS X workstation in the work office, and get no response.
I'm not sure how to fix this, or whether I need to change settings on either router or the server.
Would greatly appreciate any insight or help on this. Thanks.
danimalapple wrote: [the post above, quoted in full]
Check the DNS settings on the server (see my earlier post in this thread). -
10.9.3 update stops VPN access to Server on Mac Mini
Having finally had the L2TP VPN issues solved after joining the 10.9.1 beta program for Mavericks and getting VPN access to our Mac Mini Server running again, the 10.9.3 update has broken it once more. It's been working since 10.9.1 and through both 10.9.2 and the 10.9.3 beta program, but after installing the final 10.9.3 update (without changing any settings in the Server App) last night it broke (immediately after using the VPN to cheekily watch iPlayer abroad, so it was certainly working!) - now comes up with 'Authentication Failed'.
This happens on iOS devices as well, and all have authentication details stored (though naturally I have since tried recreating VPN configurations from scratch), so it doesn't appear to be the client end.
Same here, although the issue is slightly different.
Updated Mac Mini with server.app to 10.9.3, L2TP VPN still works my mac running 10.9.3, connects as normal.
However other clients (windows and android) would encounter error when trying to establish connection to server.
Windows client would fail with Error 789; previous to the update it was working.
May 18 18:58:13 mms.private racoon[413]: IPSec Phase 1 started (Initiated by peer).
May 18 18:58:13 mms.private racoon[413]: invalid DH group 20.
May 18 18:58:13 mms.private racoon[413]: invalid DH group 19.
May 18 18:58:13 mms.private racoon[413]: IKE Packet: receive success. (Responder, Main-Mode message 1).
May 18 18:58:13 mms.private racoon[413]: >>>>> phase change status = Phase 1 started by us
May 18 18:58:13 mms.private racoon[413]: IKE Packet: transmit success. (Responder, Main-Mode message 2).
May 18 18:58:13 mms.private racoon[413]: IKE Packet: receive success. (Responder, Main-Mode message 3).
May 18 18:58:13 mms.private racoon[413]: IKE Packet: transmit success. (Responder, Main-Mode message 4).
May 18 18:58:13 mms.private racoon[413]: IKEv1 Phase 1 AUTH: success. (Responder, Main-Mode Message 5).
May 18 18:58:13 mms.private racoon[413]: IKE Packet: receive success. (Responder, Main-Mode message 5).
May 18 18:58:13 mms.private racoon[413]: IKEv1 Phase 1 Responder: success. (Responder, Main-Mode).
May 18 18:58:13 mms.private racoon[413]: IKE Packet: transmit success. (Responder, Main-Mode message 6).
May 18 18:58:13 mms.private racoon[413]: IPSec Phase 1 established (Initiated by peer).
May 18 18:58:14 mms.private racoon[413]: IKEv1 Phase 2 Initiator: dropped. (Can't continue Phase 2 without valid Phase 1).
May 18 18:58:14 mms.private racoon[413]: can't start the quick mode, invalid linked ISAKMP-SA
May 18 18:58:16 mms.private racoon[413]: IKEv1 Phase 2 Initiator: dropped. (Can't continue Phase 2 without valid Phase 1).
May 18 18:58:16 mms.private racoon[413]: can't start the quick mode, invalid linked ISAKMP-SA
May 18 18:58:18 mms.private racoon[413]: IKEv1 Phase 2 Initiator: dropped. (Can't continue Phase 2 without valid Phase 1).
May 18 18:58:18 mms.private racoon[413]: can't start the quick mode, invalid linked ISAKMP-SA
May 18 18:58:21 mms.private racoon[413]: IKE Packet: transmit success. (Information message).
May 18 18:58:21 mms.private racoon[413]: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).
May 18 18:58:23 mms.private racoon[413]: IKEv1 Phase 2 Initiator: dropped. (Can't continue Phase 2 without valid Phase 1).
May 18 18:58:23 mms.private racoon[413]: can't start the quick mode, invalid linked ISAKMP-SA
May 18 18:58:31 mms.private racoon[413]: IKEv1 Phase 2 Initiator: dropped. (Can't continue Phase 2 without valid Phase 1).
May 18 18:58:31 mms.private racoon[413]: can't start the quick mode, invalid linked ISAKMP-SA
May 18 18:58:47 mms.private racoon[413]: IKEv1 Phase 2 Initiator: dropped. (Can't continue Phase 2 without valid Phase 1).
May 18 18:58:47 mms.private racoon[413]: can't start the quick mode, invalid linked ISAKMP-SA
May 18 18:59:04 mms.private racoon[413]: IKEv1 Phase 2 Initiator: dropped. (Can't continue Phase 2 without valid Phase 1).
May 18 18:59:04 mms.private racoon[413]: can't start the quick mode, invalid linked ISAKMP-SA
May 18 18:59:18 mms.private racoon[413]: IKE Packet: receive success. (Information message). -
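An added diagnostic for the racoon log above, written in Python for this page; it is not part of the post and not an Apple tool. It replays the IKEv1 lines and separates the two "invalid DH group" rejections (groups 19 and 20 are the elliptic-curve groups of RFC 5903) from the actual failure the log records: Phase 1 completes, yet every Phase 2 attempt is dropped with "invalid linked ISAKMP-SA" and the ISAKMP SA is then deleted. The sample lines are copied from the post and trimmed; the verdict strings are this example's own labels, not racoon's.

```python
import re

# Racoon (IKEv1 daemon) lines copied from the post above, trimmed to the ones
# the diagnosis needs; host name and PID are as posted, nothing is invented.
SAMPLE_LOG = """\
May 18 18:58:13 mms.private racoon[413]: IPSec Phase 1 started (Initiated by peer).
May 18 18:58:13 mms.private racoon[413]: invalid DH group 20.
May 18 18:58:13 mms.private racoon[413]: invalid DH group 19.
May 18 18:58:13 mms.private racoon[413]: IKE Packet: receive success. (Responder, Main-Mode message 1).
May 18 18:58:13 mms.private racoon[413]: IKEv1 Phase 1 AUTH: success. (Responder, Main-Mode Message 5).
May 18 18:58:13 mms.private racoon[413]: IPSec Phase 1 established (Initiated by peer).
May 18 18:58:14 mms.private racoon[413]: IKEv1 Phase 2 Initiator: dropped. (Can't continue Phase 2 without valid Phase 1).
May 18 18:58:14 mms.private racoon[413]: can't start the quick mode, invalid linked ISAKMP-SA
May 18 18:58:21 mms.private racoon[413]: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).
May 18 18:58:31 mms.private racoon[413]: IKEv1 Phase 2 Initiator: dropped. (Can't continue Phase 2 without valid Phase 1).
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+racoon\[\d+\]:\s+(?P<msg>.*)$"
)
DH_REJECT_RE = re.compile(r"invalid DH group (\d+)")

# IKEv1 Diffie-Hellman group numbers (RFC 2409, RFC 3526, RFC 5903).
DH_GROUP_NAMES = {
    1: "768-bit MODP", 2: "1024-bit MODP", 5: "1536-bit MODP",
    14: "2048-bit MODP", 19: "256-bit ECP", 20: "384-bit ECP",
}


def parse(log_text):
    """Yield (timestamp, message) for each line that is a racoon log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("msg")


def diagnose(log_text):
    """Replay one IKEv1 exchange and classify where it stopped."""
    rejected = []          # DH groups the responder refused, in the order seen
    phase1_established = phase2_established = sa_deleted = False
    phase2_dropped = 0
    for _ts, msg in parse(log_text):
        m = DH_REJECT_RE.search(msg)
        if m:
            rejected.append(int(m.group(1)))
        elif "Phase 1 established" in msg:
            phase1_established = True
        elif "Phase 2 established" in msg:
            phase2_established = True
        elif "Phase 2 Initiator: dropped" in msg:
            phase2_dropped += 1
        elif "Delete ISAKMP-SA" in msg:
            sa_deleted = True

    # A rejected proposal only matters if no later proposal was accepted:
    # the "Phase 1 established" line is the proof that one was.
    if phase2_established:
        verdict = "ok"
    elif not phase1_established:
        verdict = "phase1_failed_no_acceptable_dh_group" if rejected else "phase1_failed"
    elif phase2_dropped:
        verdict = "phase1_ok_phase2_never_started"
    else:
        verdict = "phase1_ok_phase2_unknown"

    return {
        "rejected_dh_groups": rejected,
        "rejected_dh_names": [DH_GROUP_NAMES.get(g, f"group {g}") for g in rejected],
        "phase1_established": phase1_established,
        "phase2_dropped": phase2_dropped,
        "sa_deleted": sa_deleted,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key:22} {value}")
```

Run it against a full /var/log extract rather than the trimmed sample: a rejected DH group is only a finding when no "Phase 1 established" line follows it, which is why the verdict is keyed on the established line and on the Phase 2 drops, not on the rejections that catch the eye first.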
I have multiple devices that have my iCloud e-mail. I want to disable the e-mail on some of the devices but keep it on others. I do not have physical access to the ones I want to disable, but I do have access to the devices I want to keep receiving mail. Can I do this with a simple password reset, or will that still leave all devices enabled?
The simple way would be to uncheck 'Mail' in System Preferences (or Settings)>iCloud, but as you would need access to the devices in question to do that you will have to change your password, at http://appleid.apple.com. You will then need to sign out and back on all the devices you want to be able to receive mail, and it's important that you follow this procedure and note the warning:
Firstly, if you have 'Find My iPhone/iPad/iMac' enabled on any of your devices, turn it off.
Go to http://appleid.apple.com and click 'Manage your Apple ID'. Sign in with the current ID.
Where it says 'Password & Security' and gives your current ID email address, click 'edit'.
Enter your new password and click 'Save changes'.
Now you will need to go to each of your devices and sign out in System Preferences (or Settings)>iCloud - 'Sign out' on a Mac, 'Delete this account' on an iOS device (this will not delete the account from the server).
Then sign back in with your new ID. Your iCloud data will disappear from your devices when you sign out, but reappear when you sign back in.
I reiterate: before you start, turn off 'Find My Mac' (or whatever) or you will need the services of Support.
The devices on which you have not changed the password will throw up continual error messages as they attempt to contact iCloud and fail. -
Questions regarding Outlook Web App, Remote Desktop, Remote Web Access and VPN Access
Hi there,
I want to ask a series of questions regarding Outlook Web App, Remote Desktop, Remote Web Access and VPN access and was hoping you could help me. Below are my questions.
Outlook Web App - What do I need to configure in order to get my Exchange account to work with the OWA app on my iPhone? Is Office 360 required on the server that hosts Outlook Web App in our organisation? When I configure the settings and connect I get the following message: "couldn't connect - We couldn't connect to the server. Check your information and make sure it's correct." I can connect with other devices using Outlook Web App.
Remote Desktop - What do I need to configure in order to connect to my computer at work using Remote Desktop on my Windows Phone? When I configure the settings and connect I get the following message: "Connection error - We couldn't connect to the remote PC. Make sure the PC is turned on and connected to the network, and that remote access is enabled. Inquiring minds may find this error code helpful: 0x204" I can connect with other devices using Remote Desktop. There are currently no RD Server settings in the Remote Desktop app on the Windows Phone, and the only way I'm able to connect to my PC at work is via Remote Desktop (not to be confused with the one by Microsoft); however, that app is on a trial basis, times out every 5 minutes and can only be used once every hour unless I purchase the app for £2.99 from the App Store. I would ideally like to use the Microsoft Remote Desktop app though.
Remote Web Access - What do I need to configure in order to get Remote Web Access on my Windows Phone using a URL? When I log in using a URL I get the following message: "There is a problem with this Web page. Please contact the person who manages the server" I can connect with other devices using Remote Web Access. Also, how do you enable the background option for Remote Web Access? I know how to do this in Remote Desktop but not in Remote Web Access. Remote Web Access works on PCs regardless of being onsite or offsite, and on my iPhone; the same issue also occurs with my Nokia 5230s regardless of whether I'm using Opera Mobile or Mini or the latest Nokia Browser.
VPN access - How do you configure VPN access on a Windows Phone using VPN? I cannot find the protocols PPTP, L2TP, SSTP and IPsec in order to configure VPN access on the Windows Phone apart from IKEv2.
Many thanks,
RocknRollTim
Any help would be much appreciated.
Kind regards,
RocknRollTim -
iOS iCloud access is a real flaw. There should be a way I can use my mobile devices to access my iCloud content on the web. The push probably works if you are on a fits network, but I am in a rural community and use my iPad as a laptop when I am working. Apple please fix this. It is unnecessary.
I miss Steve. He was such a fascist for good design.
What iCloud content are you trying to access that is not already on the iPad? Maybe I am misunderstanding your statement, but all of your iCloud content is already on the iPad. Why do you need to access your iCloud.com account on the web?
-
ACS/ASA authentication for vpn access vs. console management access
I have an ACS 4.2 Server and an ASA 5540. I have setup AnyConnect SSL VPN on the ASA and want to authenticate users using AAA tacacs+ authentication with the ACS and an external Windows AD database. I have done this successfully. I also want to use the ACS for authenticating SSH management sessions into the ASA. I have setup a group in AD and on the ACS called VPNUSERS and NETADMINS. The problem is, I want the VPN users to ONLY be able to authenticate for VPN but not have access to logging into the ASA CLI or ASDM. The NETADMINS should be able to do both. The question I have is how do I setup the VPNUSER group in ACS to have access to connect to the ASA for VPN but not for the management console? It seems that if they can authenticate for vpn, they can also ssh the firewall which is what I want to prevent.
Try using Network Access Restrictions (NAR), where you can restrict the administrative access per device or on an NDG basis.
By default, user accounts from an external database such as AD in ACS will get authenticated through telnet on a network device or AAA client, which can be restricted by enabling NAR in ACS.
In your case it should be VPNUSERS group in ACS.
HTH
Ahmed -
VPN access to a Watchguard firewall using Radius credentials
Good morning, I have an iPod Touch 4G that I would like to use to connect to our Watchguard firewall using the built-in VPN client and PPTP.
I am the person onsite that manages the Watchguard firewall(s) (x553 with 10.2.12 firmware), which are set up for PPTP VPN access using Windows Radius servers. The users use their Active Directory credentials to make the VPN connections.
I have several Macs at home, including an iMac and a Mac mini, and both of them can easily make VPN connections to the Watchguard firewall using PPTP VPN access with Radius credentials.
The setup I have been trying on the iPod Touch 4G is using the DNS name for the firewall (published in Network Solutions DNS). I have also tried the outside address of each firewall. For the account, since we are using a Radius connection into Active Directory, I put my login in the format domain\username. RSA SecurID is On, the Encryption level is set to Auto and Send all traffic is off.
In my testing so far, the iPod Touch starts the connection, starts authenticating to Radius and fails. If I turn off RSA SecurID, no authentication is attempted, so it looks like this needs to stay turned on. It doesn't seem to matter if Send all traffic is off or on. Having it off is preferable as I don't want to send all Internet traffic through the firewall when connected via VPN.
So, I basically duplicated the setup of the VPN on the iPod Touch based on my setup that's working on the Mac mini and iMacs at home. But VPN on the iPod Touch 4G with the latest version of iOS is not working.
Does anyone have this kind of configuration working on the iPod Touch 4G or know if this is a shortcoming of this version of the iPod or iOS?
Thanks,
Leo
I fixed my VPN connection on the iPod Touch. This is what works for Radius login to a Watchguard firewall:
Server (DNS name or ip address).
Account domainname\username
RSA SecurID off
Encryption level Auto
Send All Traffic off.
Leo -
Libusb requires write access to USB device nodes [SOLVED]
Hi,
I have used gtkam to upload photos from my camera for some time now - though on an occasional basis because I don't take very many photographs. On attempting to use it today for the first time in a while I find that I can't do so as a user.
"libusb couldn't open USB device /dev/bus/usb/003/002: Permission denied.
libusb requires write access to USB device nodes."
Can anyone tell me how to fix this please?
Last edited by perseus (2011-01-03 22:46:46)
I did some additional research and found the udev file for libgphoto2: /lib/udev/rules.d/40-gphoto.rules
I also realized that my camera is not listed in that file:
Bus 001 Device 011: ID 04a9:31f6 Canon, Inc.
I tried to add this device and vendor ID to the list of Canon cameras and restarting udev
ATTRS{idVendor}=="04a9", ATTRS{idProduct}=="31f6", ENV{ID_GPHOTO2}="1", ENV{GPHOTO2_DRIVER}="proprietary", MODE="0660", GROUP="camera"
# killall udevd && udevd -d
Unfortunately this didn't work out.
I also tried to add the following line to that gphoto udev file, as suggested by the Digital Cameras wiki:
PROGRAM="/lib/udev/check-ptp-camera", MODE="0660", GROUP="camera"
Still nothing after restarting udev...
My next try was adding the camera to the HAL fdi file /usr/share/hal/fdi/information/20thirdparty/10-camera-libgphoto2.fdi and restarting HAL.
This didn't help either.
I'm getting short on clues...
For sure I can access the camera as root but that's not what I want to do.
!! UPDATE !!
I was dumb. PTP cameras are handled separately so I don't need to have the USB IDs in the udev or fdi files.
So the question is why PTP cameras are not handled correctly, why the group for these devices is not "camera"?
Last edited by KoS (2011-01-03 22:19:57) -
VPN Access via LDAP authentication
Hello everyone,
I have setup an OS X server to serve as our department's VPN server. I am attempting to configure it to use an existing linux LDAP server for authentication, so that we don't need to have local accounts on the server. In the Directory Utility I have entered the information to point to our LDAP, and have it configured as RFC 2307 (Unix) for LDAP mappings. Everything in the Directory Utility appears that it considers the LDAP connection to be valid. In fact, from a terminal I can successfully finger users in LDAP.
In the Server Admin, I have selected the users that I wish to have VPN access (the LDAP users also show up in this list). However, when I try to connect to it, it fails almost immediately. Here is a snippet of the server's VPN log file (I have changed the IP addresses and hostname in the logfile to "*"):
2010-05-11 20:37:13 EDT Incoming call... Address given to client = **.***.***.**
Tue May 11 20:37:14 2010 : Directory Services Authentication plugin initialized
Tue May 11 20:37:14 2010 : Directory Services Authorization plugin initialized
Tue May 11 20:37:14 2010 : PPTP incoming call in progress from '**.***.***.**'...
Tue May 11 20:37:14 2010 : PPTP connection established.
Tue May 11 20:37:14 2010 : using link 0
Tue May 11 20:37:14 2010 : Using interface ppp0
Tue May 11 20:37:14 2010 : Connect: ppp0 <--> socket[34:17]
Tue May 11 20:37:14 2010 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xaef8a1b5> <pcomp> <accomp>]
Tue May 11 20:37:14 2010 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xaef8a1b5> <pcomp> <accomp>]
Tue May 11 20:37:17 2010 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xaef8a1b5> <pcomp> <accomp>]
Tue May 11 20:37:17 2010 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x1b8adf3d> <pcomp> <accomp>]
Tue May 11 20:37:17 2010 : lcp_reqci: returning CONFACK.
Tue May 11 20:37:17 2010 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x1b8adf3d> <pcomp> <accomp>]
Tue May 11 20:37:17 2010 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xaef8a1b5> <pcomp> <accomp>]
Tue May 11 20:37:17 2010 : sent [LCP EchoReq id=0x0 magic=0xaef8a1b5]
Tue May 11 20:37:17 2010 : sent [CHAP Challenge id=0xc6 <7636b1bad668b175a847d43875397f99>, name = "***.*****.edu"]
Tue May 11 20:37:17 2010 : rcvd [LCP EchoReq id=0x0 magic=0x1b8adf3d]
Tue May 11 20:37:17 2010 : sent [LCP EchoRep id=0x0 magic=0xaef8a1b5]
Tue May 11 20:37:17 2010 : rcvd [LCP EchoRep id=0x0 magic=0x1b8adf3d]
Tue May 11 20:37:17 2010 : rcvd [CHAP Response id=0xc6 <4a2f0f54d4ce55fe6d1308a8206c4b02000000000000000046f6233c5bb9ea82f6ef2164eb55ed a3355a931a6762101300>, name = "mouck"]
Tue May 11 20:37:17 2010 : sent [CHAP Failure id=0xc6 "\37777777677:\r\002"]
Tue May 11 20:37:17 2010 : CHAP peer authentication failed for mouck
Tue May 11 20:37:17 2010 : sent [LCP TermReq id=0x2 "Authentication failed"]
Tue May 11 20:37:17 2010 : rcvd [LCP TermReq id=0x2 "Failed to authenticate ourselves to peer"]
Tue May 11 20:37:17 2010 : sent [LCP TermAck id=0x2]
Tue May 11 20:37:17 2010 : Connection terminated.
Tue May 11 20:37:17 2010 : PPTP disconnecting...
Tue May 11 20:37:17 2010 : PPTP disconnected
I am unsure why the authentication is not working. In the past, I have tried to configure the Open Directory service to be "Connected to a Directory System" but could never get the service to start. To be honest, I'm not even positive I need to have the Open Directory service running, since the authentication should hopefully be passed to our existing LDAP.
Any thoughts or suggestions would be greatly appreciated. Thanks very much!
Hi oleg,
It's a very common issue and generally happens when you try to connect the VPN client from the same location which has a site-to-site VPN with the device. For example, if you try to connect the VPN client to the ASA and your public IP is 1.1.1.1, and on the same ASA you already have a site-to-site VPN connected with the IP address 1.1.1.1, you will see the following error in the debug:
"cannot match peerless map when peer found in previous map entry."
Please check for the same, if thats the case you are hitting the following bug:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCuc75090
You need a Cisco CCO ID to check the link.
Thanks
Jeet Kumar -
SRP526W to forward or provide VPN access for clients
Hi,
we have an SRP526W here which replaced a cheap, simple router. Now we would like to set up VPN access for outside clients again. So far this was done by forwarding PPTP (TCP 1723 and GRE) to the Windows 2000 Routing and RAS server inside the network.
According to this post the SRP521W, and therefore I suppose as well the SRP526W, are not able to forward GRE: https://supportforums.cisco.com/thread/2093204
Is there a way to provide VPN access for outside clients with this router? Maybe with L2TP (but then we would need to forward ESP) or IPSec (ESP and AH as far as I know)?
If there is no solution we would need to replace this device again with a cheap, simple router which is able to forward GRE - as you can imagine, we would like to save Cisco from this shame.
Kind regards
Dominik
Hi Dominik,
It is not possible to use L2TP or PPTP from the SRP526 (This is only possible from the Ethernet WAN interface). It is possible to set up an IPSec VPN or GRE tunnel from the SRP to a peer in the network.
This might offer some guidance here.
Regards,
Andy -
ASA 5505: VPN Access to Different Subnets
Hi All-
I'm trying to figure out how to configure our ASA so that remote users can have VPN access to two different subnets (office LAN and phone LAN). Currently, I have 3 VLANs set up -- VLAN 1 (inside), VLAN 2 (outside), VLAN 13 (phone LAN). Essentially, remote users should be able to access their PC (192.168.1.0 /24) and also access the office phone system (192.168.254.0 /24). Is this even possible? Below is the configuration on our ASA.
Thanks in advance:
ASA Version 8.2(5)
names
name 10.0.1.0 Net-10
name 20.0.1.0 Net-20
name 192.168.254.0 phones
name 192.168.254.250 PBX
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 13
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.98 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address X.X.139.79 255.255.255.224
interface Vlan3
no nameif
security-level 50
ip address 192.168.5.1 255.255.255.0
interface Vlan13
nameif phones
security-level 100
ip address 192.168.254.200 255.255.255.0
ftp mode passive
object-group service RDP tcp
port-object eq 3389
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp eq ssh
access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 192.168.1.0 255.255.255.0
access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 phones 255.255.255.0
access-list inside_nat0_outbound extended permit ip any Net-10 255.255.255.224
access-list inside_access_in extended permit ip any any
access-list Split_Tunnel_List standard permit Net-10 255.255.255.224
access-list phones_nat0_outbound extended permit ip any Net-10 255.255.255.224
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 host Mac any
pager lines 24
logging enable
logging timestamp
logging monitor errors
logging history errors
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu phones 1500
ip local pool SSLClientPool-10 10.0.1.1-10.0.1.20 mask 255.255.255.128
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 10 interface
global (outside) 1 interface
global (phones) 20 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 10 access-list vpn_nat_inside outside
nat (phones) 0 access-list phones_nat0_outbound
nat (phones) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.139.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=pas-asa.null
keypair pasvpnkey
crl configure
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
vpn-sessiondb max-session-limit 10
telnet timeout 5
ssh 192.168.1.100 255.255.255.255 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh Mac 255.255.255.255 outside
ssh timeout 60
console timeout 0
dhcpd auto_config inside
dhcpd address 192.168.1.222-192.168.1.223 inside
dhcpd dns 64.238.96.12 66.180.96.12 interface inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect-essentials
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
wins-server none
dns-server value 64.238.96.12 66.180.96.12
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
ipv6-vpn-filter none
vpn-tunnel-protocol svc
group-lock value PAS-SSL-VPN
default-domain none
vlan none
nac-settings none
webvpn
svc mtu 1200
svc keepalive 60
svc dpd-interval client none
svc dpd-interval gateway none
svc compression none
group-policy DfltGrpPolicy attributes
dns-server value 64.238.96.12 66.180.96.12
vpn-tunnel-protocol IPSec svc webvpn
tunnel-group DefaultRAGroup general-attributes
address-pool SSLClientPool-10
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group PAS-SSL-VPN type remote-access
tunnel-group PAS-SSL-VPN general-attributes
address-pool SSLClientPool-10
default-group-policy SSLClientPolicy
tunnel-group PAS-SSL-VPN webvpn-attributes
group-alias PAS_VPN enable
group-url https://X.X.139.79/PAS_VPN enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
no call-home reporting anonymous
Hi Jouni,
Yes, with the current configs remote users only have access to the 'inside' LAN (192.168.1.0). The digital PBX on the 'phone' LAN (192.168.254.0) is not reachable through their VPN session.
Per your recommendation, I removed the following configs from my ASA:
global (phones) 20 interface
... removing this configuration didn't make a difference -- I was still able to ping the inside LAN, but not the phone LAN.
global (inside) 10 interface
nat (outside) 10 access-list vpn_nat_inside outside
... removing these two configurations caused the inside LAN to be unreachable. The phone LAN was not reachable either. So, I put the '10' configurations back.
The ASDM syslog is showing the following when I try to ping the PBX (192.168.254.250) through the VPN session:
"portmap translation creation failed for icmp src outside:10.0.1.1 dest phones:PBX (type 8, code 0)"
What do you think?
Thanks! -
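The ASA config excerpt at the top of this section is mostly `privilege` statements that map individual `show`, `clear` and exec commands to privilege levels 3 and 5. Before handing level-3 or level-5 accounts to helpdesk staff it is worth auditing what such an account can actually run. The following parser is an added example, not code from the thread or from Cisco: it reads `privilege` lines, lists the commands reachable at a given level (a user at level N gets every command assigned to level N or lower) and flags state-changing commands that sit below a chosen level. The sample config is constructed in the shape of the lines above, and the `STATE_CHANGING` set is this example's own choice of what to flag.

```python
"""Audit Cisco ASA 'privilege' statements for least-privilege review.

Added example (not from the forum thread). SAMPLE_CONFIG is constructed
from the shape of the running-config excerpt; STATE_CHANGING is an
assumed policy list, not anything the ASA itself defines.
"""
import re

# Constructed sample: a handful of privilege lines in the ASA format.
SAMPLE_CONFIG = """\
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode configure command aaa-server
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
"""

# privilege <kind> level <n> mode <exec|configure> command <name>
PRIV_RE = re.compile(
    r"^privilege\s+(?P<kind>cmd|show|clear|configure)\s+level\s+(?P<level>\d+)"
    r"\s+mode\s+(?P<mode>exec|configure)\s+command\s+(?P<command>\S+)$"
)

# Assumed policy: commands that alter device state or wipe security
# tables; we do not want these below full administrator level.
STATE_CHANGING = {
    ("clear", "crypto"),
    ("clear", "aaa-server"),
    ("cmd", "failover"),
    ("cmd", "reload"),
}


def parse_privileges(config_text):
    """Return one dict per privilege statement: kind, level, mode, command."""
    entries = []
    for line in config_text.splitlines():
        m = PRIV_RE.match(line.strip())
        if not m:
            continue  # not a privilege statement (or a malformed one)
        entry = m.groupdict()
        entry["level"] = int(entry["level"])
        entries.append(entry)
    return entries


def commands_at_level(entries, level):
    """Sorted, de-duplicated '<kind> <command>' strings a user at 'level' may run.

    Cisco privilege levels are cumulative: level N includes every command
    assigned to a level <= N, so filter on that.
    """
    reachable = {
        f"{e['kind']} {e['command']}" for e in entries if e["level"] <= level
    }
    return sorted(reachable)


def review(entries, min_level=15, risky=STATE_CHANGING):
    """List (kind, command, level) for risky commands assigned below min_level.

    Order follows the configuration so findings line up with the source.
    """
    return [
        (e["kind"], e["command"], e["level"])
        for e in entries
        if (e["kind"], e["command"]) in risky and e["level"] < min_level
    ]


if __name__ == "__main__":
    parsed = parse_privileges(SAMPLE_CONFIG)
    print("level 3 can run:", commands_at_level(parsed, 3))
    print("findings:", review(parsed))
```

Run it against a real `show running-config` dump (`python audit.py < running-config.txt` after swapping `SAMPLE_CONFIG` for `sys.stdin.read()`) and adjust `STATE_CHANGING` to the site's own policy; the parser only reports what the config says, it does not decide what is acceptable.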
I have an iPad 1 that is currently showing software updated at version 5.1.1. Is it possible to update to iOS version 7 on this device? My goal is to get Garage Band on this device and the app store is telling me I need iOS version 7.
Hi,
If you really need to upgrade you can save a bit of money and get an older version than the ipad Air.
First, you can sell your ipad 1 to places like gazelle.com, cashforyourmac.com, sellyourmac.com, or many others out there. The sites I listed give you cash. At this point gazelle.com is giving $70.00 for any ipad 1 in 'good' condition. And cashforyourmac will give you $25.00 over what gazelle.com or sellyourmac.com offers you. Shipping is free.
Then, with that money, go to the Apple online certified refurbished store. As an example, a new 64gb Air costs $699.00. A refurbed 4th gen 64gb costs $529.00 and a 3rd gen 64gb costs $499.00. Personally, I'd skip the 3rd gen. So if you buy a 4th gen 64gb at $529.00 minus what you can get from a sale to the above, you can get an ipad 4 64gb for just over $430.00, a savings of about $270.00. (A new 32gb Air is $599.00, a 4th gen 32gb is $449.00, and a 3rd gen 32gb is not on the site right now.) Google it and check if you can get better offers anywhere else. But getting one from the Apple refurb store gives you an essentially new ipad and, using the above sites, you're not locked in with a particular site which will give you a gift card and restrict you to their store/site.
Each Apple refurbished ipad (any version) comes with a new front and back cover, a brand new battery, same return policy, and a full one year warranty with 90 days of phone support. Each comes in a white box like a new ipad with the wall charger and usb cable. The only difference is that it says in small print on the bottom of the box that it is Apple certified refurbished. Also, if you buy refurbs, be sure to check the store many times a day. They can come and go quickly, so when you see what you want, buy it right away. Shipping is free and pretty fast. (We bought two a year and a half ago and they have been great!)
Hope this helps. -
ASA 5510 and VPN access to remote site over Ext WAN
ASA 5510
int client IP 172.0.1.XXX /24
VPN Client IP 172.0.1.248 /29
Static routes in the ASA
1) 0.0.0.0 --- points to router1
2) 172.29.1.1 --- Points to router2
3) 172.29.1.2 --- Points to router2
Router1 Internet connection // VPN access in path
Router2 Dedicated line to offsite hosting // Dedicated routes in ASA
................../---- ROUTER 1
..Inside -- ASA --- outside (switch 2 rtrs)
..................\---- ROUTER 2
If a PC from inside the network wants to talk with 172.29.1.2 it will work fine. If I VPN into the router, I can connect to anything onsite. I cannot talk to 172.29.1.1 or .2
At first I thought it was the same-security-traffic issue and applied same-security-traffic permit inter-interface, then I tried same-security-traffic permit intra-interface.
Both commands failed. Looking at the diagram I think it's something to do with the fact that I VPN into this ASA. Now router2 sees our ASA as its external, so it sees our 208.12.*.* as the outgoing address and the dest is 172.29.1.1 or .2.
I did a capture on the outside interface and I see the following. Now these caps are from the inside PCs accessing the website.
3000 packets captured
1: 15:03:38.176733 208.12.*.*.60404 > 172.29.1.2.443: P 2697372408:2697372444(36) ack 2813073572 win 64360
2: 15:03:38.179815 208.12.*.*.63637 > 172.29.1.2.443: P 3373326671:3373326705(34) ack 3255654279 win 64512
3: 15:03:38.179876 208.12.*.*.60404 > 172.29.1.2.443: P 2697372444:2697372480(36) ack 2813073572 win 64360
4: 15:03:38.180181 172.29.1.2.443 > 208.12.*.*.27133: . ack 838693750 win 65456
5: 15:03:38.180212 172.29.1.2.443 > 208.12.*.*.26920: P 1652457319:1652457373(54) ack 2226176804 win 65482
Can someone point me in the right direction on how I would get the VPN working so it too can connect to those websites?
Hi,
Did you try to do NONAT for the traffic from 172.0.1.0 going to 172.29.1.0?
Something like this:-
access-list NONAT permit ip 172.0.1.0 255.255.255.0 172.29.1.0 255.255.255.0
nat (Inside) 0 access-list NONAT -
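The capture quoted in the question is the useful evidence here: the inside PCs show up on the outside interface behind the public 208.12.*.* address, and the question is whether VPN-client traffic (pool 172.0.1.248/29) ever appears heading for 172.29.1.0/24 at all, and with which source address. The script below is an added example, not code from the thread: it parses ASA `show capture` lines into packets, separates flows sourced from the VPN pool from flows sourced from the public address, and renders the exemption ACL from the reply above from two CIDR networks. The sample capture is constructed in the shape of the one posted, with 203.0.113.10 standing in for the masked 208.12.*.* address and one extra line from a hypothetical VPN client at 172.0.1.250; `in_net` deliberately returns False for masked hosts such as `208.12.*.*` rather than failing.

```python
"""Classify ASA 'show capture' output by source network.

Added example (not from the forum thread). SAMPLE_CAPTURE is constructed
in the shape of the capture posted above; the pool and subnet values are
the ones given in the question.
"""
import ipaddress
import re

# Constructed sample. 203.0.113.10 stands in for the masked public address;
# packet 4 is a hypothetical VPN client (pool 172.0.1.248/29) reaching
# the remote site directly with its pool address.
SAMPLE_CAPTURE = """\
4 packets captured
1: 15:03:38.176733 203.0.113.10.60404 > 172.29.1.2.443: P 2697372408:2697372444(36) ack 2813073572 win 64360
2: 15:03:38.179815 203.0.113.10.63637 > 172.29.1.2.443: P 3373326671:3373326705(34) ack 3255654279 win 64512
3: 15:03:38.180181 172.29.1.2.443 > 203.0.113.10.27133: . ack 838693750 win 65456
4: 15:03:39.001000 172.0.1.250.51000 > 172.29.1.1.443: S 1000:1000(0) win 65535
"""

# "<n>: <time> <src>.<sport> > <dst>.<dport>: <flags and rest>"
# The greedy \S+ backtracks to the last dot, so dotted hosts parse correctly.
PKT_RE = re.compile(
    r"^(?P<no>\d+):\s+(?P<time>\S+)\s+(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\d+):\s*(?P<rest>.*)$"
)


def parse_capture(text):
    """Return one dict per packet line; header lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line.strip())
        if not m:
            continue  # e.g. "4 packets captured"
        p = m.groupdict()
        for key in ("no", "sport", "dport"):
            p[key] = int(p[key])
        pkts.append(p)
    return pkts


def in_net(host, net):
    """True if host lies in net; False for unparseable (masked) hosts."""
    try:
        return ipaddress.ip_address(host) in ipaddress.ip_network(net)
    except ValueError:
        return False  # masked octets such as 208.12.*.* cannot be parsed


def vpn_flows(pkts, pool="172.0.1.248/29", remote="172.29.1.0/24"):
    """(src, dst, dport) for packets from the VPN pool to the remote net."""
    return [
        (p["src"], p["dst"], p["dport"])
        for p in pkts
        if in_net(p["src"], pool) and in_net(p["dst"], remote)
    ]


def translated_flows(pkts, public, remote="172.29.1.0/24"):
    """(src, dst, dport) for packets leaving behind the public (PAT) address."""
    return [
        (p["src"], p["dst"], p["dport"])
        for p in pkts
        if p["src"] == public and in_net(p["dst"], remote)
    ]


def nonat_acl(local_net, remote_net, name="NONAT"):
    """Render an ASA identity-NAT ACL line for local_net -> remote_net."""
    local = ipaddress.ip_network(local_net)
    remote = ipaddress.ip_network(remote_net)
    return (
        f"access-list {name} permit ip {local.network_address} {local.netmask} "
        f"{remote.network_address} {remote.netmask}"
    )


if __name__ == "__main__":
    packets = parse_capture(SAMPLE_CAPTURE)
    print("from VPN pool:", vpn_flows(packets))
    print("behind public address:", translated_flows(packets, "203.0.113.10"))
    print(nonat_acl("172.0.1.0/24", "172.29.1.0/24"))
```

If `vpn_flows` comes back empty on a real capture taken on the outside interface while a VPN client is trying to reach the remote site, the client traffic is not being forwarded out that interface with its pool address, which is the situation the exemption ACL in the reply is meant to fix; if it shows up with the public address instead, the PAT rule is catching it.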
How do I restrict access to 4 devices using ACS
Currently in our ACS we have Group A configured to have access to all network devices with full privilege level 15 access to all devices.
We are now trying to implement 4 new users, however we only want them
to have access to 4 devices-routers (4 IP addresses)-and only have
basic level 1 functions in the router
Is this done under Network Access Filter or Network Access Group?
Do I need to create a new group or can I somehow implement that into
I'm using ACS v 4.2 on Windows Server with TACACS.
Under NAF I have configured the IP's of the server I want them to access under Selected Items
Under NAR I have permitted calling point
with the NAF and * *
Under the Group Settings
Network Access Restrictions (NAR)
Shared Network Access Restrictions
Only Allow network access when
All selected NARs result in permit
all selected NARs result in permit... with the NAR I just configured in the selected NAR list