Ios VPN access form handled devices

hi
someone here had configured on a router the vpn access form handled devices?
Really i don't know where to start!

You must select one of the following modes of operation when you enable the PIX Firewall as an Easy VPN Remote device:
Client modeIn this mode, VPN connections are initiated by traffic, so resources are only used on demand. In client mode, the PIX Firewall applies Network Address Translation (NAT) to all IP addresses of clients connected to the inside (higher security) interface of the PIX Firewall. To use this mode, you must also enable the DHCP server on the inside interface, as described in " Using the PIX Firewall DHCP Server."
Network extension modeIn this mode, VPN connections are kept open even when not required for transmitting traffic. This option does not apply NAT to any IP addresses of clients on the inside (higher security) interface of the PIX Firewall.
In network extension mode, the IP addresses of clients on the inside interface are received without change at the Easy VPN Server. If these addresses are registered with the Network Information Center (NIC), they may be forwarded to the public Internet without further processing. Otherwise, they may be translated by the Easy VPN Server or forwarded to a private network without translation.
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00800eb72d.html

Similar Messages

  • VPN connection works, but can't ping or access any other device on remote network

    I have an OS X Lion server at work (uses a static IP of 192.168.2.10). VPN is setup and works.
    The work network's router has an IP of 192.168.2.1 and hands out IPs of 192.168.2.100-149. The VPN service is configured to hand out IPs of 192.168.2.150-170.
    My home network uses a router with an IP of 192.168.1.1 and hands out IPs from 192.168.1.2-49
    Both routers are using subnet mask of 255.255.255.0
    The problem is, I can connect to the VPN just fine and access all services running on that same OS X server like iChat and AFP file sharing. But, I cannot directly access any other device on the office network like client machines or even trying to log into the router's GUI interface. Pings timeout, etc.
    Example:
    At my home, I have a local IP of 192.168.1.12 and I connect to the work VPN. It assigns me an IP address of 192.168.2.151 and I'm able to connect to iChat on the OS X server that has a static IP of 192.168.2.10
    In terminal, I try to ping the router on the work network (192.168.2.1) and I get no response (even though ICMP response is turn ON). I try to ping another OS X workstation on the work office, and get no response.
    I'm not sure how to fix this, or whether I need to change settings on either router or the server.
    Would greatly appreciate any insight or help on this. Thanks.

    danimalapple wrote:
    I have an OS X Lion server at work (uses a static IP of 192.168.2.10). VPN is setup and works.
    The work network's router has an IP of 192.168.2.1 and hands out IPs of 192.168.2.100-149. The VPN service is configured to hand out IPs of 192.168.2.150-170.
    My home network uses a router with an IP of 192.168.1.1 and hands out IPs from 192.168.1.2-49
    Both routers are using subnet mask of 255.255.255.0
    The problem is, I can connect to the VPN just fine and access all services running on that same OS X server like iChat and AFP file sharing. But, I cannot directly access any other device on the office network like client machines or even trying to log into the router's GUI interface. Pings timeout, etc.
    Example:
    At my home, I have a local IP of 192.168.1.12 and I connect to the work VPN. It assigns me an IP address of 192.168.2.151 and I'm able to connect to iChat on the OS X server that has a static IP of 192.168.2.10
    In terminal, I try to ping the router on the work network (192.168.2.1) and I get no response (even though ICMP response is turn ON). I try to ping another OS X workstation on the work office, and get no response.
    I'm not sure how to fix this, or whether I need to change settings on either router or the server.
    Would greatly appreciate any insight or help on this. Thanks.
    Check the DNS settings on the server (see my earlier post in this thread).

  • 10.9.3 update stops VPN access to Server on Mac Mini

    Having finally had the L2TP VPN issues solved after joining the 10.9.1 beta program for Mavericks and getting VPN access to our Mac Mini Server running again, the 10.9.3 update has broken it once more. It's been working since 10.9.1 and through both 10.9.2 and the 10.9.3 beta program, but after installing the final 10.9.3 update (without changing any settings on the Server App) last night it broke (immediatley after using the VPN to cheekily watch iPlayer abroad, so it was certainly working!) - now comes up with 'Authentication Failed'.
    This happens on iOS devices as well, and all have authentication details stored (though naturally I have since tried recreating VPN configurations from scratch) so doesn't appear to be client end.

    Same here, although the issue is slightly different.
    Updated Mac Mini with server.app to 10.9.3, L2TP VPN still works my mac running 10.9.3, connects as normal.
    However other clients (windows and android) would encounter error when trying to establish connection to server.
    Windows client would fail wirh Error 789, previous to the update it was working.
    May 18 18:58:13 mms.private racoon[413]: IPSec Phase 1 started (Initiated by peer).
    May 18 18:58:13 mms.private racoon[413]: invalid DH group 20.
    May 18 18:58:13 mms.private racoon[413]: invalid DH group 19.
    May 18 18:58:13 mms.private racoon[413]: IKE Packet: receive success. (Responder, Main-Mode message 1).
    May 18 18:58:13 mms.private racoon[413]: >>>>> phase change status = Phase 1 started by us
    May 18 18:58:13 mms.private racoon[413]: IKE Packet: transmit success. (Responder, Main-Mode message 2).
    May 18 18:58:13 mms.private racoon[413]: IKE Packet: receive success. (Responder, Main-Mode message 3).
    May 18 18:58:13 mms.private racoon[413]: IKE Packet: transmit success. (Responder, Main-Mode message 4).
    May 18 18:58:13 mms.private racoon[413]: IKEv1 Phase 1 AUTH: success. (Responder, Main-Mode Message 5).
    May 18 18:58:13 mms.private racoon[413]: IKE Packet: receive success. (Responder, Main-Mode message 5).
    May 18 18:58:13 mms.private racoon[413]: IKEv1 Phase 1 Responder: success. (Responder, Main-Mode).
    May 18 18:58:13 mms.private racoon[413]: IKE Packet: transmit success. (Responder, Main-Mode message 6).
    May 18 18:58:13 mms.private racoon[413]: IPSec Phase 1 established (Initiated by peer).
    May 18 18:58:14 mms.private racoon[413]: IKEv1 Phase 2 Initiator: dropped. (Can't continue Phase 2 without valid Phase 1).
    May 18 18:58:14 mms.private racoon[413]: can't start the quick mode, invalid linked ISAKMP-SA
    May 18 18:58:16 mms.private racoon[413]: IKEv1 Phase 2 Initiator: dropped. (Can't continue Phase 2 without valid Phase 1).
    May 18 18:58:16 mms.private racoon[413]: can't start the quick mode, invalid linked ISAKMP-SA
    May 18 18:58:18 mms.private racoon[413]: IKEv1 Phase 2 Initiator: dropped. (Can't continue Phase 2 without valid Phase 1).
    May 18 18:58:18 mms.private racoon[413]: can't start the quick mode, invalid linked ISAKMP-SA
    May 18 18:58:21 mms.private racoon[413]: IKE Packet: transmit success. (Information message).
    May 18 18:58:21 mms.private racoon[413]: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).
    May 18 18:58:23 mms.private racoon[413]: IKEv1 Phase 2 Initiator: dropped. (Can't continue Phase 2 without valid Phase 1).
    May 18 18:58:23 mms.private racoon[413]: can't start the quick mode, invalid linked ISAKMP-SA
    May 18 18:58:31 mms.private racoon[413]: IKEv1 Phase 2 Initiator: dropped. (Can't continue Phase 2 without valid Phase 1).
    May 18 18:58:31 mms.private racoon[413]: can't start the quick mode, invalid linked ISAKMP-SA
    May 18 18:58:47 mms.private racoon[413]: IKEv1 Phase 2 Initiator: dropped. (Can't continue Phase 2 without valid Phase 1).
    May 18 18:58:47 mms.private racoon[413]: can't start the quick mode, invalid linked ISAKMP-SA
    May 18 18:59:04 mms.private racoon[413]: IKEv1 Phase 2 Initiator: dropped. (Can't continue Phase 2 without valid Phase 1).
    May 18 18:59:04 mms.private racoon[413]: can't start the quick mode, invalid linked ISAKMP-SA
    May 18 18:59:18 mms.private racoon[413]: IKE Packet: receive success. (Information message).

  • I have multiple devices that have my iCloud E-mail, I want to disable the E-Mail on some of the devices but keep it on others, I do not have physical access to the ones I want to disable but I do have access to the devices I want to keep receiving mc

    I have multiple devices that have my iCloud E-mail, I want to disable the E-Mail on some of the devices but keep it on others, I do not have physical access to the ones I want to disable but I do have access to the devices I want to keep receiving mail, can I do this with a simple password reset or will that still leave all devices enabled?

    The simple way would be to uncheck 'Mail' in System Preferences (or Settings)>iCloud, but as you would need access to the devices in question to do that you will have to change your password, at http://appleid.apple.com. You will then need to sign out and back on all the devices you want to be able to receive mail, and it's important that you follow this procedure and note the warning:
    Firstly, if you have 'Find My iPhone/iPad/iMac' enabled on any of your devices, turn it off.
    Go to http://appleid.apple.com and click 'Manage your Apple ID'. Sign in with the current ID.
    Where it says 'Password & Security' and gives your current ID email address, click 'edit'.
    Enter your new password and click 'Save changes'.
    Now you will need to go to each of your devices and sign out in System Preferences (or Settings)>iCloud - 'Sign out' on a Mac, 'Delete this account' on an iOS device (this will not delete the account from the server).
    Then sign back in with your new ID. Your iCloud data will disappear from your devices when you sign out, but reappear when you sign back in.
    I re-iterate: before you start, turn off 'Find My Mac' (or whatever) or you will need the services of Support.
    The devices on which you have not changed the password will throw up continual error messages as they attempt to contact iCloud and fail.

  • Questions regarding Outlook Web App, Remote Desktop, Remote Web Access and VPN Access

    Hi there,
    I want to ask a series of questions regarding Outlook Web App, Remote Desktop, Remote Web Access and VPN access and was hoping whether you could help me. Below are my questions to ask you.
    Outlook Web App - What do I need to configure in order to get my Exchange account to work with the OWA app on my iPhone? Is Office 360 required on the server that hosts Outlook Web App in our organisation? When I configure the settings and
    connect I get the following message "couldn't connect -  We couldn't connect to the server. Check your information and make sure it's correct." I can connect with other devices using Outlook Web App.
    Remote Desktop - What do I need to configure in order to connect to my computer at work using Remote Desktop on my Windows Phone? When I configure the settings and connect I get the following message "Connection error - We couldn't connect
    to the remote PC. Make sure the PC is turned on and connected to the network, and that remote access is enabled. Inquiring minds may find this error code helpful: 0x204" I can connect with other devices using Remote Desktop. There are currently no
    RD Server settings in the Remote Desktop app on the Windows Phone and the only way I'm to connect to my PC at work is via Remote Desktop and not to be confused with the one by Microsoft, however the app is on a trial basis and times out every 5 minutes and
    can only be used once every hour unless I purchased the app for £2.99 off the App Store but would ideally like to use the Microsoft Remote Desktop app though.
    Remote Web Access - What do I need to configure in order to get Remote Web Access on my Windows Phone using a URL? When I log in using a URL I get the following message "There is a problem with this Web page. Please contact the person who manages
    the server" I can connect with other devices using Remote Web Access. Also how do you enable the background option for Remote Web Access? I know how to do this in Remote Desktop but not in Remote Web Access. Remote Web Access works on PCs regardless
    being onsite and offsite and on my iPhone, the same issue also occurs with my Nokia 5230s regardless of whether I'm using Opera Mobile or Mini or the latest Nokia Browser.
    VPN access - How do you configure VPN access on a Windows Phone using VPN? I cannot find the protocols PPTP, L2TP, SSTP and IPsec in order to configure VPN access on the Windows Phone apart from IKEv2.
    Many thanks,
    RocknRollTim

    Any help would be much appreciated.
    Kind regards,
    RocknRollTim

  • IOS iCloud access is a real flaw. There should be a way to access my iCloud stuff on the web from my portables

    iOS iCloud access is a real flaw. There should be a way ic an use my mobile devices to access my iCloud content on the web. The push probably works if you are on a fits network, but ia m in a rural community and use my iPad as a laptop when I am working .Apple please fix this. It is unnecessary.
    I miss steve. He was such a fascist for good design

    What iCloud content are you trying to access that is not already on the iPad? Maybe I am misunderstanding your statement, but all of your iCloud content is already on the iPad. Why do you need to access your iCloud.com account on the web?

  • ACS/ASA authentication for vpn access vs. console management access

    I have an ACS 4.2 Server and an ASA 5540. I have setup AnyConnect SSL VPN on the ASA and want to authenticate users using AAA tacacs+ authentication with the ACS and an external Windows AD database. I have done this successfully. I also want to use the ACS for authenticating SSH management sessions into the ASA. I have setup a group in AD and on the ACS called VPNUSERS and NETADMINS. The problem is, I want the VPN users to ONLY be able to authenticate for VPN but not have access to logging into the ASA CLI or ASDM. The NETADMINS should be able to do both. The question I have is how do I setup the VPNUSER group in ACS to have access to connect to the ASA for VPN but not for the management console? It seems that if they can authenticate for vpn, they can also ssh the firewall which is what I want to prevent.

    Try using Network Access Restrictions (NAR)where you can restrict the administrative access on per device or on NDG basis.
    By default user accounts from external database such as AD in ACS will get authenticated through telnet on network device or a AAA client which can be restricted by enabling NAR in ACS.
    In your case it should be VPNUSERS group in ACS.
    HTH
    Ahmed

  • VPN access to a Watchguard firewall using Radius credentials

    Good morning, I have an Ipod Touch 4G that I would like to use to connect to our Watchguard firewall using the built in VPN client and pptp 
    I am the person onsite that manages the Watchguard firewall(s) (x553 with 10.2.12 firmware) , which are setup for pptp vpn access using Windows Radius servers.  The users use their Active Directory credentials to make the VPN connections.
    I have several macs at home, including an iMac and Mac mini and both of them can easily make VPN connections to the Watchguard firewall using pptp VPN access with Radius credentials.  T
    The setup I have been trying on the ipod Touch 4g is using the dns name for the firewall (published in Network Solutions DNS).  I have also tried the outside address of each firewall.  For the account, since we are using a Radius connection into Active Directory, I put my login in the format of domain\username .  RSA SecurID is On, the Encryption level is set to Auto and Send all traffic is off.
    In my testing so far, the Ipod Touch starts the connection, starts authenticating to Radius and fails.  If I turned off RSA SecurID, no authentication is attempted, so it looks like this needs to stay turned on.  It doesn't seem to matter is Send all traffic is off or on.  Having it off is preferable as I don't want to send all Internet traffic through the firewall when connected via VPN.
    So, I basically duped the setup of the VPN on the Ipod Touch based on my setup that's working on the Mac Mini and Imacs at home.  But VPN on the iPod Touch 4g with the latest version of IOS is not working.
    Does anyone have this kind of configuration working on the iPod Touch 4g or know if this is a shortcoming of this version of the Ipod or IoS?
    Thanks,
    Leo

    I fixed my vpn connection on the iPod Touch.  This is what works for Radius login to a Watchguard firewall:
    Server (DNS name or ip address).
    Account domainname\username
    RSA SecurIT off
    Encryption level Auto
    Send All Traffic off.
    Leo

  • Libusb requires write access to USB device nodes [SOLVED]

    Hi,
    I have used gtkam to upload photos from my camera for some time now - though on an occasional basis because I don't take very many photographs.  On attempting to use it today for the first time in a while I find that I can't do so as a user.
    "libusb couldn't open USB device /dev/bus/usb/003/002: Permission denied.
    libusb requires write access to USB device nodes."
    Can anyone tell me how to fix this please?
    Last edited by perseus (2011-01-03 22:46:46)

    I did some additional research and found the udev file for libgphoto2: /lib/udev/rules.d/40-gphoto.rules
    I also realized that my camera is not listed in that file:
    Bus 001 Device 011: ID 04a9:31f6 Canon, Inc.
    I tried to add this device and vendor ID to the list of Canon cameras and restarting udev
    ATTRS{idVendor}=="04a9", ATTRS{idProduct}=="31f6", ENV{ID_GPHOTO2}="1", ENV{GPHOTO2_DRIVER}="proprietary", MODE="0660", GROUP="camera"
    # killall udevd && udevd -d
    Unfortunately this didn't work out.
    I also tried to add the following line to that gphoto udev file as suggested by Digital Cameras wiki
    PROGRAM="/lib/udev/check-ptp-camera", MODE="0660", GROUP="camera"
    Still nothing after restarting udev...
    My next try was adding the camera to the HAL fdi file /usr/share/hal/fdi/information/20thirdparty/10-camera-libgphoto2.fdi and restarting HAL.
    This didn't help either.
    I'm getting short on clues...
    For sure I can access the camera as root but that's not what I want to do.
    !! UPDATE !!
    I was dumb. PTP cameras are handled separately so I don't need to have the USB IDs in the udev or fdi files.
    So the question is why PTP cameras are not handled correctly, why the group for these devices is not "camera"?
    Last edited by KoS (2011-01-03 22:19:57)

  • VPN Access via LDAP authentication

    Hello everyone,
    I have setup an OS X server to serve as our department's VPN server. I am attempting to configure it to use an existing linux LDAP server for authentication, so that we don't need to have local accounts on the server. In the Directory Utility I have entered the information to point to our LDAP, and have it configured as RFC 2307 (Unix) for LDAP mappings. Everything in the Directory Utility appears that it considers the LDAP connection to be valid. In fact, from a terminal I can successfully finger users in LDAP.
    In the Server Admin, I have selected the users that I wish to have VPN access (the LDAP users also show up in this list). However, when I try to connect to it, it fails almost immediately. Here is a snippet of the server's VPN log file (I have changed the IP addresses and hostname in the logfile to "*"):
    2010-05-11 20:37:13 EDT Incoming call... Address given to client = **.***.***.**
    Tue May 11 20:37:14 2010 : Directory Services Authentication plugin initialized
    Tue May 11 20:37:14 2010 : Directory Services Authorization plugin initialized
    Tue May 11 20:37:14 2010 : PPTP incoming call in progress from '**.***.***.**'...
    Tue May 11 20:37:14 2010 : PPTP connection established.
    Tue May 11 20:37:14 2010 : using link 0
    Tue May 11 20:37:14 2010 : Using interface ppp0
    Tue May 11 20:37:14 2010 : Connect: ppp0 <--> socket[34:17]
    Tue May 11 20:37:14 2010 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xaef8a1b5> <pcomp> <accomp>]
    Tue May 11 20:37:14 2010 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xaef8a1b5> <pcomp> <accomp>]
    Tue May 11 20:37:17 2010 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xaef8a1b5> <pcomp> <accomp>]
    Tue May 11 20:37:17 2010 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x1b8adf3d> <pcomp> <accomp>]
    Tue May 11 20:37:17 2010 : lcp_reqci: returning CONFACK.
    Tue May 11 20:37:17 2010 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x1b8adf3d> <pcomp> <accomp>]
    Tue May 11 20:37:17 2010 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xaef8a1b5> <pcomp> <accomp>]
    Tue May 11 20:37:17 2010 : sent [LCP EchoReq id=0x0 magic=0xaef8a1b5]
    Tue May 11 20:37:17 2010 : sent [CHAP Challenge id=0xc6 <7636b1bad668b175a847d43875397f99>, name = "***.*****.edu"]
    Tue May 11 20:37:17 2010 : rcvd [LCP EchoReq id=0x0 magic=0x1b8adf3d]
    Tue May 11 20:37:17 2010 : sent [LCP EchoRep id=0x0 magic=0xaef8a1b5]
    Tue May 11 20:37:17 2010 : rcvd [LCP EchoRep id=0x0 magic=0x1b8adf3d]
    Tue May 11 20:37:17 2010 : rcvd [CHAP Response id=0xc6 <4a2f0f54d4ce55fe6d1308a8206c4b02000000000000000046f6233c5bb9ea82f6ef2164eb55ed a3355a931a6762101300>, name = "mouck"]
    Tue May 11 20:37:17 2010 : sent [CHAP Failure id=0xc6 "\37777777677:\r\002"]
    Tue May 11 20:37:17 2010 : CHAP peer authentication failed for mouck
    Tue May 11 20:37:17 2010 : sent [LCP TermReq id=0x2 "Authentication failed"]
    Tue May 11 20:37:17 2010 : rcvd [LCP TermReq id=0x2 "Failed to authenticate ourselves to peer"]
    Tue May 11 20:37:17 2010 : sent [LCP TermAck id=0x2]
    Tue May 11 20:37:17 2010 : Connection terminated.
    Tue May 11 20:37:17 2010 : PPTP disconnecting...
    Tue May 11 20:37:17 2010 : PPTP disconnected
    I am unsure why the authentication is not working. In the past, I have tried to configure the Open Directory service to be "Connected to a Directory System" but could never get the service to start. To be honest, I'm not even positive I need to have the Open Directory service running, since the authentication should hopefully be passed to our existing LDAP.
    Any thoughts or suggestions would be greatly appreciated. Thanks very much!

    Hi oleg,
    It's a very common issue and generally happens when you try to connect the VPN client from the same location which has a site to site VPN with the device. For example if you try to connect the VPN client to the ASA and your public Ip is 1.1.1.1 and on the same ASA if you have a Site to Site VPN already connnect with an IP address 1.1.1.1 you will see the following error in the debug:
    "cannot match peerless map when peer found in previous map entry."
    Please check for the same, if thats the case you are hitting the following bug:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCuc75090
    You needed a Cisco CCO id to check the link.
    Thanks
    Jeet Kumar

  • SRP526W to forward or provide VPN access for clients

    Hi,
    we are having a SRP526W here which replaced a cheap, simple router. Now we would like to set up the VPN-access for outside clients again. So far this was done by forwarding PPTP (TCP 1723 and GRE) to the Windows 2000 Routing and RAS-server inside the network.
    According to this post the SRP521W, and therefore I suppose as well the SRP526W, are not able to forward GRE: https://supportforums.cisco.com/thread/2093204
    Is there a way to provide VPN access for outside clients with this router? Maybe with L2TP (but then we would need to forward ESP) or IPSec (ESP and AH as far as I know)?
    If there is no solution we would need to replace this device again with a cheap, simple router which is able to forward GRE - as you can imagine, we would like to save Cisco from this shame.
    Kind regards
    Dominik

    Hi Dominik,
    It is not possible to use L2TP or PPTP from the SRP526 (This is only possible from the Ethernet WAN interface).  It is possible to set up an IPSec VPN or GRE tunnel from the SRP to a peer in the network.
    This might offer some guidance here.
    Regards,
    Andy

  • ASA 5505: VPN Access to Different Subnets

    Hi All-
    I'm trying to figure out how to configure our ASA so that remote users can have VPN access to two different subnets (office LAN and phone LAN).  Currently, I have 3 VLANs setup -- VLAN 1 (inside), VLAN 2 (outside), VLAN 13 (phone LAN).  Essentially, remote users should be able to access their PC (192.168.1.0 /24) and also access the office phone system (192.168.254.0 /24).  Is this even possible?  Below is the configurations on our ASA,
    Thanks in advance:
    ASA Version 8.2(5)
    names
    name 10.0.1.0 Net-10
    name 20.0.1.0 Net-20
    name 192.168.254.0 phones
    name 192.168.254.250 PBX
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    switchport access vlan 3
    interface Ethernet0/6
    interface Ethernet0/7
    switchport access vlan 13
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.98 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address X.X.139.79 255.255.255.224
    interface Vlan3
    no nameif
    security-level 50
    ip address 192.168.5.1 255.255.255.0
    interface Vlan13
    nameif phones
    security-level 100
    ip address 192.168.254.200 255.255.255.0
    ftp mode passive
    object-group service RDP tcp
    port-object eq 3389
    object-group service DM_INLINE_SERVICE_1
    service-object ip
    service-object tcp eq ssh
    access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 192.168.1.0 255.255.255.0
    access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 phones 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any Net-10 255.255.255.224
    access-list inside_access_in extended permit ip any any
    access-list Split_Tunnel_List standard permit Net-10 255.255.255.224
    access-list phones_nat0_outbound extended permit ip any Net-10 255.255.255.224
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 host Mac any
    pager lines 24
    logging enable
    logging timestamp
    logging monitor errors
    logging history errors
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu phones 1500
    ip local pool SSLClientPool-10 10.0.1.1-10.0.1.20 mask 255.255.255.128
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (inside) 10 interface
    global (outside) 1 interface
    global (phones) 20 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (outside) 10 access-list vpn_nat_inside outside
    nat (phones) 0 access-list phones_nat0_outbound
    nat (phones) 1 0.0.0.0 0.0.0.0
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 X.X.139.65 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication enable console LOCAL
    aaa authentication ssh console LOCAL
    aaa authorization command LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    subject-name CN=pas-asa.null
    keypair pasvpnkey
    crl configure
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 28800
    vpn-sessiondb max-session-limit 10
    telnet timeout 5
    ssh 192.168.1.100 255.255.255.255 inside
    ssh 192.168.1.0 255.255.255.0 inside
    ssh Mac 255.255.255.255 outside
    ssh timeout 60
    console timeout 0
    dhcpd auto_config inside
    dhcpd address 192.168.1.222-192.168.1.223 inside
    dhcpd dns 64.238.96.12 66.180.96.12 interface inside
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
    enable outside
    anyconnect-essentials
    svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
    svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
    svc enable
    tunnel-group-list enable
    group-policy SSLClientPolicy internal
    group-policy SSLClientPolicy attributes
    wins-server none
    dns-server value 64.238.96.12 66.180.96.12
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout none
    vpn-session-timeout none
    ipv6-vpn-filter none
    vpn-tunnel-protocol svc
    group-lock value PAS-SSL-VPN
    default-domain none
    vlan none
    nac-settings none
    webvpn
      svc mtu 1200
      svc keepalive 60
      svc dpd-interval client none
      svc dpd-interval gateway none
      svc compression none
    group-policy DfltGrpPolicy attributes
    dns-server value 64.238.96.12 66.180.96.12
    vpn-tunnel-protocol IPSec svc webvpn
    tunnel-group DefaultRAGroup general-attributes
    address-pool SSLClientPool-10
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *****
    tunnel-group PAS-SSL-VPN type remote-access
    tunnel-group PAS-SSL-VPN general-attributes
    address-pool SSLClientPool-10
    default-group-policy SSLClientPolicy
    tunnel-group PAS-SSL-VPN webvpn-attributes
    group-alias PAS_VPN enable
    group-url https://X.X.139.79/PAS_VPN enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    privilege cmd level 3 mode exec command perfmon
    privilege cmd level 3 mode exec command ping
    privilege cmd level 3 mode exec command who
    privilege cmd level 3 mode exec command logging
    privilege cmd level 3 mode exec command failover
    privilege cmd level 3 mode exec command packet-tracer
    privilege show level 5 mode exec command import
    privilege show level 5 mode exec command running-config
    privilege show level 3 mode exec command reload
    privilege show level 3 mode exec command mode
    privilege show level 3 mode exec command firewall
    privilege show level 3 mode exec command asp
    privilege show level 3 mode exec command cpu
    privilege show level 3 mode exec command interface
    privilege show level 3 mode exec command clock
    privilege show level 3 mode exec command dns-hosts
    privilege show level 3 mode exec command access-list
    privilege show level 3 mode exec command logging
    privilege show level 3 mode exec command vlan
    privilege show level 3 mode exec command ip
    privilege show level 3 mode exec command ipv6
    privilege show level 3 mode exec command failover
    privilege show level 3 mode exec command asdm
    privilege show level 3 mode exec command arp
    privilege show level 3 mode exec command route
    privilege show level 3 mode exec command ospf
    privilege show level 3 mode exec command aaa-server
    privilege show level 3 mode exec command aaa
    privilege show level 3 mode exec command eigrp
    privilege show level 3 mode exec command crypto
    privilege show level 3 mode exec command vpn-sessiondb
    privilege show level 3 mode exec command ssh
    privilege show level 3 mode exec command dhcpd
    privilege show level 3 mode exec command vpnclient
    privilege show level 3 mode exec command vpn
    privilege show level 3 mode exec command blocks
    privilege show level 3 mode exec command wccp
    privilege show level 3 mode exec command dynamic-filter
    privilege show level 3 mode exec command webvpn
    privilege show level 3 mode exec command module
    privilege show level 3 mode exec command uauth
    privilege show level 3 mode exec command compression
    privilege show level 3 mode configure command interface
    privilege show level 3 mode configure command clock
    privilege show level 3 mode configure command access-list
    privilege show level 3 mode configure command logging
    privilege show level 3 mode configure command ip
    privilege show level 3 mode configure command failover
    privilege show level 5 mode configure command asdm
    privilege show level 3 mode configure command arp
    privilege show level 3 mode configure command route
    privilege show level 3 mode configure command aaa-server
    privilege show level 3 mode configure command aaa
    privilege show level 3 mode configure command crypto
    privilege show level 3 mode configure command ssh
    privilege show level 3 mode configure command dhcpd
    privilege show level 5 mode configure command privilege
    privilege clear level 3 mode exec command dns-hosts
    privilege clear level 3 mode exec command logging
    privilege clear level 3 mode exec command arp
    privilege clear level 3 mode exec command aaa-server
    privilege clear level 3 mode exec command crypto
    privilege clear level 3 mode exec command dynamic-filter
    privilege cmd level 3 mode configure command failover
    privilege clear level 3 mode configure command logging
    privilege clear level 3 mode configure command arp
    privilege clear level 3 mode configure command crypto
    privilege clear level 3 mode configure command aaa-server
    prompt hostname context
    no call-home reporting anonymous

    Hi Jouni-
    Yes, with the current configs remote users only have access to the 'inside' LAN (192.168.1.0).  The digital PBX on the 'phone' LAN (192.168.254.0) is not reachable through their VPN session.
    Per you recommendation, I removed the following configs from my ASA:
    global (phones) 20 interface
    ... removing this configuration didn't make a difference -- I was still able to ping the inside LAN, but not the phone LAN.
    global (inside) 10 interface
    nat (outside) 10 access-list vpn_nat_inside outside
    .... removing these two configurations caused the inside LAN to be unreachable.  The phone LAN was not reachable, either.  So, I put the '10' configurations back.
    The ASDM syslog is showing the following when I try to ping the PBX (192.168.254.250) through the VPN session:
    "portmap translation creation failed for icmp src outside:10.0.1.1 dest phones:PBX (type 8, code 0)"
    What do you think?
    Thanks!

  • I have an iPad 1 that is currently showing software updated at version 5.1.1.  Is it possible to update to iOS version 7 on this device?  My goal is to get Garage Band on this device and the app store is telling me I need iOS version 7.

    I have an iPad 1 that is currently showing software updated at version 5.1.1.  Is it possible to update to iOS version 7 on this device?  My goal is to get Garage Band on this device and the app store is telling me I need iOS version 7.

    Hi,
    If you really need to upgrade you can save a bit of money and get an older version than the ipad Air.
    First, you can sell your ipad 1 to places like gazelle.com, cashforyourmac.com, sellyour mac.com, or many others out there. The sites I listed give you cash. At this point gazelle.com is giving $70.00 for any ipad 1 in 'good' condition. And cashforyourmac will give you $25.00 over what gazelle.com or sellyourmac.com offers you. Shipping is free.
    Then, with that money, go the the Apple online certified refurbished store. As an example, a new 64gb Air costs $699.00. A refurbed 4th gen 64gb costs $529.00 and a 3rd gen 64gb costs $499.00. Personally, I'd skip the 3rd gen. So if you buy a 4th gen 64gb at $529.00 minus what you can get from a sale to above, you can get an ipad 4 64gb for just over $430.00, a savings of savings of about $270.00. (A new 32gb Air is $599.00, a 4th gen 32gb is $449.00, and a 3rd gen 32gb is not on the site right now.) Google it and check if you can get better offers anywhere else. But getting one from the Apple refurb store gives you an essentially new ipad and using the above sites, you're not locked in with a particular site which will give you a gift card and restrict you to their store/site.
    Each Apple refurbished ipad (any version) comes with a new front and back cover, a brand new battery, same return policy, and a full one year warranty with 90 days of phone support. Each comes in a white box like a new ipad with the wall charger and usb cable. The only difference is that it says in small print on the bottom of the box that it is Apple certified refurbished. Also, if you buy refurbs, be sure to check the store many times a day. They can come and go quickly, so when you see what you want, buy it right away. Shipping is free and pretty fast. (We bought two a year and a half ago and they have been great!)
    Hope this helps.

  • ASA 5510 and VPN access to remote site over Ext WAN

    ASA 5510
    int client IP 172.0.1.XXX /24
    VPN Client IP 172.0.1.248 /29
    Static routes in the ASA
    1) 0.0.0.0 --- points to router1
    2) 172.29.1.1 --- Points to router2
    3) 172.29.1.2 --- Points to router2
    Router1 Internet connection // VPN access in path
    Router2 Dedicated line to offsite hosting // Dedicated routes in ASA
    ................../---- ROUTER 1
    ..Inside -- ASA --- outside (switch 2 rtrs)
    ..................\---- ROUTER 2
    If a PC from inside the network wants to talk with 172.29.1.2 it will work fine. If I VPN into the router, I can connect to anything onsite. I cannot talk to 172.29.1.1 or .2
    At first I thought it was the same-security-traffic issue and applied same-security-traffic permit inter-interface then i tried same-security-traffic permit intra-interface.
    Both commands failed, Looking at the diagram I think its something with the fact I VPN into this ASA. Now router2 see's our ASA as its external. So it see's our 208.12.*.* as the outgouing address and dest is 172.29.1.1 or .2
    I did a capture on the outside interface and I see the following. Now these caps are from the inside PC's accessing the website.
    3000 packets captured
    1: 15:03:38.176733 208.12.*.*.60404 > 172.29.1.2.443: P 2697372408:2697372444(36) ack 2813073572 win 64360
    2: 15:03:38.179815 208.12.*.*.63637 > 172.29.1.2.443: P 3373326671:3373326705(34) ack 3255654279 win 64512
    3: 15:03:38.179876 208.12.*.*.60404 > 172.29.1.2.443: P 2697372444:2697372480(36) ack 2813073572 win 64360
    4: 15:03:38.180181 172.29.1.2.443 > 208.12.*.*.27133: . ack 838693750 win 65456
    5: 15:03:38.180212 172.29.1.2.443 > 208.12.*.*.26920: P 1652457319:1652457373(54) ack 2226176804 win 65482
    Can someone point me in the right direction on how I would get the VPN working so it too can connect to those websites?

    Hi,
    Did you try to do NONAT for the traffic from 172.0.1.0 going to 172.29.1.0
    Something like this:-
    access-list NONAT permit ip 172.0.1.0 255.255.255.0 172.29.1.0 255.255.255.0
    nat (Inside) 0 access-list NONAT

  • How do I restrict access to 4 devices using ACS

    Currenlty in our ACS we have Group A configured to have access to all network devices-f with ull privilege level 15 access to all devies
    We are now trying to implement 4 new users, however we only want them
    to have access to 4 devices-routers (4 IP addresses)-and only have
    basic level 1 functions in the router
    Is this done under Network Access Filter or Network Access Group?
    Do I need to create a new group or can I somehow implent that into

    I'm using ACS v 4.2 on windows server-TACACS
    Under NAF I have configured the IP's of the server I want them to access under Selected Items
    Under NAR I have permitted calling point
    with the NAF and  *  *
    Under the Group Settings
    Network Access Restrictions (NAR)
      Shared Network Access Restrictions
    Only Allow network access when
    All selected NARs result in permi
    all selected NARs result in permit..with the NAR i just configured in the selected NAR list

Maybe you are looking for

  • A problem with return order with free goods

    Hello I am working on ECC 6.0 I am facing a problem with the return order the case is I created an order of 1000 pc with inclusive free goods (w/o item generation) condition record that for every 10 pc over the 100 the customer will take  1 free pc 1

  • Hello, we have both Creative Cloud and Creative Cloud for teams. Can you help me with the difference and if i need to have both?

    Hello, we have both Creative Cloud membership and Creative Cloud for team. Can you help me with the difference and if i need to have both? We have 9 employees that are using it. Just not sure if i'm paying for something i don't need. Thank you

  • COst center planning upload

    Hi , My question is more specific to FI (functional). Watz the best way to upload the COst center planning?(KP06)? this is done for every quarter at my client. BDC pgm is looking more complicated.(table control, there are few disabled fields which ne

  • Export photo to desktop

    My iPhoto will not export pictures to a folder on my desktop. It goes a the way to the last step (the blue exporting line goes all the way across and then stops. It won't complete the process) How can I fix this?

  • Rendering problem - Please help!

    I'm a FCE 4.0 newbie who is assembling my first presentation using stills in .tif format. I've been adding stills to the presentation, inserting them into the timeline without transitions (at the advice of a friend who said not to overtax the applica