IP LAN can't access remote network through VPN
hello
I want my ASA 5505 8.2(5) to access my proxy server on the remote LAN through the VPN.
My VPN is OK; all PCs on the local network can access the remote network.
But the ASA on the local network can't access the remote network.
I think it's a NAT problem but ....
local network 192.168.157.0/24, local IP of the ASA 192.168.157.1
remote network 10.28.0.0/16
remote proxy 10.28.1.26
my conf:
ASA Version 8.2(5)
hostname ASACTM
enable password GC3gU8Dqv5.xJLCr encrypted
passwd GC3gU8Dqv5.xJLCr encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.157.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 90.89.245.154 255.255.255.248
ftp mode passive
access-list InOutside extended permit icmp any any
access-list outside_1_cryptomap extended permit ip 192.168.157.0 255.255.255.0 10.28.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.157.0 255.255.255.0 10.28.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.157.0 255.255.255.0 192.168.57.0 255.255.255.0
access-list VPNRACTM_splitTunnelAcl standard permit 192.168.157.0 255.255.255.0
access-list InInside extended permit tcp 192.168.157.0 255.255.255.0 10.28.0.0 255.255.0.0 eq www
access-list InInside extended deny tcp 192.168.157.0 255.255.255.0 any eq www
access-list InInside extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool POOLIPVPNCTM 192.168.57.1-192.168.57.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group InInside in interface inside
access-group InOutside in interface outside
route outside 0.0.0.0 0.0.0.0 90.89.245.155 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.157.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 90.80.215.141
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 192.168.157.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.157.121-192.168.157.150 inside
dhcpd dns 10.28.1.16 194.2.0.20 interface inside
dhcpd wins 10.28.1.16 10.28.1.7 interface inside
dhcpd domain vignes.local interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy VPNRACTM internal
group-policy VPNRACTM attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNRACTM_splitTunnelAcl
default-domain value vignes.local
username admin password 6QiRA9AlUbU.gFTP encrypted privilege 0
username admin attributes
vpn-group-policy VPNRACTM
username ICS1 password 5nDKAM1RJweYzrBO encrypted privilege 0
username ICS1 attributes
vpn-group-policy VPNRACTM
tunnel-group 90.80.215.141 type ipsec-l2l
tunnel-group 90.80.215.141 ipsec-attributes
pre-shared-key *****
tunnel-group VPNRACTM type remote-access
tunnel-group VPNRACTM general-attributes
address-pool POOLIPVPNCTM
default-group-policy VPNRACTM
tunnel-group VPNRACTM ipsec-attributes
pre-shared-key *****
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e2c2e2223cb7d5d83af808bb0a2b2636
: end
thanks a lot
What do you mean by you would like the ASA to access the proxy server at the remote end?
What configuration/command have you configured on the ASA for the ASA itself to access the remote proxy server?
Do you want the PC behind the ASA to access the remote proxy server, or do you want the ASA itself to access the remote proxy server?
How do you want to access the proxy server?
Similar Messages
-
Cisco ASA 5505 - EasyVPN - ARD can't scan remote Networks
Hi all,
We have been installing Cisco ASA5505 to hook our systems and remote offices together. Our first install went great, and I can scan the remote network no problem, this network is setup using the site to site VPN setup.
Since then we have added 3 more ASA5505s to the mix; these are not running via the site-to-site VPN but are rather using EZVPN.
On the Remote ASAs using EasyVPN, I cannot scan the networks with ARD or even Ping.
I am wondering if anyone has any insights on this? I know this info is a bit sketchy...
I will post more as I get it.
ASAs are the default gw for the respective LANs. For point 2, if I trace the packets I can see that they are blocked:
packet-tracer input inside-g tcp 192.168.1.42 80 192.168.2.31 80
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.2.0 255.255.255.0 outside
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside-g,outside) source static obj-LAN-G obj-LAN-G destination static obj-LAN-BO obj-LAN-BO no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.2.31/80 to 192.168.2.31/80
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside-g
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
192.168.1.42 is the ASA1 inside IP address. But I've an explicit ACL that permits ALL traffic from 192.168.1.0/24.
I've also tried to add an ACL for the specific IP on the inside interface but with no results. -
Can I enable "Use default gateway on remote network" on VPN connection using Group Policy?
Hi,
First timer here so please bear with me!
Environment: Domain Windows 2003, Clients: Windows 7 and Windows XP (with Client Side Extensions pushed out)
When creating a VPN connection on a client machine manually with default settings the "Use default gateway on remote network" found in [Connection Properties - Networking - IPv4 - Advanced] is enabled, which is good as we don't allow split-tunneling.
I have a test GPO that creates a new VPN Connection [Computer Config - Preferences - Control Panel - Network Options], but the above setting is unticked.
Am I missing something on the options for the GP preference to set this automatically?
I can write a script to directly change the C:\Users\All Users\Microsoft\Network\Connections\Pbk\rasphone.pbk file but would prefer if I could sort it all out using Group Policy.
Any help would be greatly appreciated!
Thanks a lot!
DavidShane,
There is actually a way to set the "Use default gateway on remote network" through Group Policy Preferences. And this may even be a better way to do it, because you may change this flag without touching any other settings, or other VPN connections.
(All VPN connections are stored in the same .pbk file.)
Here's the trick: Opening the .pbk file in notepad, I realized that this is actually an oldstyle ini-structured file. And Group Policy Preferences can update ini files! In the .pbk file the section names are the VPN connections names, like [My VPN],
and the property IpPrioritizeRemote is the flag "Use default gateway on remote network".
So, in Group Policy Management Editor, go to Preferences / Windows Settings / Ini Files.
Create a new object with Action = Update, and File Path =
C:\ProgramData\Microsoft\Network\Connections\pbk\rasphone.pbk
(If this is where your file is located, I guess it is in c:\users if the VPN connection is made for a single user.)
Section Name should be the display name of your VPN connection, without the brackets.
Property Name = IpPrioritizeRemote
Property Value = 1
Peter, www.skov.com, Denmark
Peter :-)
This is great, but just one question. I also want to append a list of DNS Suffixes in order (when viewing a VPN's properties, this is buried in "Networking --> IPv4/6 --> Advanced --> DNS --> Append these DNS Suffixes (in order)"). However, for the VPNs I have manually created with this list populated, I can't see any entries in rasphone.pbk. Does anyone know where these are stored?
Cheers. -
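The .pbk edit Peter describes, as an added example that is not from his post: a line-oriented check that reports which entries in a rasphone.pbk still have IpPrioritizeRemote missing or not set to 1 (full tunnel not enforced), plus the same in-place "Update" the Group Policy Preferences Ini Files item performs. The sample file is constructed in the layout he describes (section name = connection display name); real entries carry many more keys.

```python
from typing import Dict, List, Optional

# Constructed sample in the layout of rasphone.pbk: one INI section per VPN entry,
# named after the connection's display name. Real entries carry many more keys.
SAMPLE_PBK = """\
[Office VPN]
Encoding=1
PBVersion=4
Type=2
IpPrioritizeRemote=0
MEDIA=rastapi
Port=VPN2-0
Device=WAN Miniport (IKEv2)

[Lab VPN]
Encoding=1
Type=2
IpPrioritizeRemote=1
"""

KEY = "IpPrioritizeRemote"  # the "Use default gateway on remote network" flag


def _section_name(line: str) -> Optional[str]:
    """Return the entry name if this line is an INI section header, else None."""
    s = line.strip()
    return s[1:-1] if s.startswith("[") and s.endswith("]") else None


def prioritize_remote_flags(pbk_text: str) -> Dict[str, Optional[str]]:
    """Map each VPN entry name to its IpPrioritizeRemote value (None if the key is absent)."""
    flags: Dict[str, Optional[str]] = {}
    current = None
    for line in pbk_text.splitlines():
        name = _section_name(line)
        if name is not None:
            current = name
            flags.setdefault(current, None)
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            if key.strip() == KEY:
                flags[current] = value.strip()
    return flags


def split_tunnel_entries(pbk_text: str) -> List[str]:
    """Entries that would not send all traffic through the tunnel: flag missing or not 1."""
    return [name for name, value in prioritize_remote_flags(pbk_text).items() if value != "1"]


def set_prioritize_remote(pbk_text: str, entry: str) -> str:
    """Set IpPrioritizeRemote=1 in one entry and touch nothing else (what the GPP Update action does).
    The key is rewritten in place if present, otherwise appended to that entry's section."""
    out: List[str] = []
    current, done = None, False

    def append_key() -> None:
        i = len(out)
        while i > 0 and out[i - 1].strip() == "":  # keep blank separator lines after the key
            i -= 1
        out.insert(i, f"{KEY}=1")

    for line in pbk_text.splitlines():
        name = _section_name(line)
        if name is not None:
            if current == entry and not done:  # target section ended without the key
                append_key()
                done = True
            current = name
        elif current == entry and line.split("=", 1)[0].strip() == KEY:
            line, done = f"{KEY}=1", True
        out.append(line)
    if current == entry and not done:  # target section was the last one in the file
        append_key()
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("split-tunnel entries:", split_tunnel_entries(SAMPLE_PBK))  # ['Office VPN']
    fixed = set_prioritize_remote(SAMPLE_PBK, "Office VPN")
    print("after update:", split_tunnel_entries(fixed))  # []
```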
Sending video stream to another network through vpn
Hello,
I am Christopher from Tanzania (an East African country).
Please help me.
We have our cable TV and we want to stream it to another of our offices in another region; we have configured a VPN between these two offices using Cisco RV180 routers. I have tried a multicast IP but it didn't work.
Please help me with how I send this video signal to another region over our VPN connection. The video is output as UDP.
Any advice please.
The problem is routing that multicast IP to another network through the VPN, and I am using an RV180 Cisco router.
-
Cisco VPN client can't ping remote network.
I have recently installed a Cisco 5505 and have problems with some of the Cisco VPN Hosts I connect to using the Cisco VPN dialer. The Cisco Dialer connects fine but I am unable to connect to any computers on the remote network.
I have tracked the issue down to the ones that work & the ones that don't. If the remote Cisco is on the same sub-net as the computers I am connecting to, it works fine. If the remote Cisco is on a different sub-net than the computer I am trying to connect to, it won't work unless I set up a static NAT for a given PC on my network.
When I run through the dynamic Nat for my network I get the following error on the 5505.
regular translation creation failed for protocol 50 src inside:192.168.97.215 dst outside:xx.xxx.xx.xxx
I have been trying to find a solution to this issue ever since I installed the router and have not had any luck with any of the suggestions I have found on the Web. I have attached my config.
Any help would be appreciated.
Mike
Thanks for your response.
Yes, that's exactly the setup we are trying to get to work.
I have a call into them now and will check on their set up but I have no control over how they configure their routers I can only make requests.
I was hoping there was something causing it on my side as I deal with Hospitals and they can get very picky about their security.
I guess what is confusing me is it works if it goes through a Static Nat but not if it runs through our dynamic Nat.
Mike -
MAP Toolkit inventory computers on remote domain through vpn
Evening,
Basically as the title says I need to pull inventory report using MAP toolkit from my remote domains the access of which is achieved through VPN.
When I run the MAP wizard I get to the point where it asks me to specify the domain (e.g. domainname.microsoft) and credentials. Is there any way to make something like a domain connection on my computer to another domain, or to specify vpnip:MAPdomainspecificport instead?
Of course would that subsequently mean I'll then specify domainuser@vpnip:domainservicesport?
Long shot I know, just thought I'd try just in case.
Thanks
Although MAP uses WMI, which relies on an RPC/DCOM protocol, and PING uses ICMP, which is not the same, they both use DNS to resolve host names to IPs. If you can PING a machine using its host name from the MAP machine, then MAP should also be able to route to it.
-
Problem accessing an adjacent remote network over VPN (2 asa5505)
Hello all,
I have 2 ASA5505 (CORP and remote) connected via VPN. The remote site contains 2 subnets (192.168.1.0/24 and 192.168.0.0/24 (for remote VPN users)). The corp site has 192.168.2.0/24 directly connected to ASA5505 and an adjacent network connected via another device namely the 172.16.0.0/16 network.
I am able to ping site-to-site between 192.168.0 -> 192.168.2
and
192.168.1 -> 192.168.2
I am unable to ping from remote site to the 172.16 network however.
I added permit entries to both my NAT and CRYPTO ACLs, and when I am trying to ping the remote 172.16 network I get the following messages on my CORP ASA:
4 Aug 12 2007 02:59:52 400010 192.168.2.1 192.168.0.10 IDS:2000 ICMP echo reply from 192.168.2.1 to 192.168.0.10 on interface inside
reply is timing out though.
Any tips would be appreciated!
My ACLS:
REMOTE SITE:
#NONAT
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.1.0 255.255.255.0
#CRYPTO ACL
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
CORP SITE:
#CORP
access-list 200 extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 200 extended permit ip 172.16.0.0 255.255.0.0 192.168.3.0 255.255.255.0
access-list 200 extended permit ip 172.17.0.0 255.255.0.0 192.168.3.0 255.255.255.0
access-list 200 extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 200 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 200 extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list 200 extended permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 200
nat (inside) 1 0.0.0.0 0.0.0.0
#CRYPTO ACL
access-list 105 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 105 extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 105 extended permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 105 extended permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list 105 extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list 105 extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
Thanks in advance!
The config looks ok.
If you were trying to ping 172.16.x.x I don't see why the log would be what you displayed. Where are you pinging from, the remote site?
"4 Aug 12 2007 02:59:52 400010 192.168.2.1 192.168.0.10 IDS:2000 ICMP echo reply from 192.168.2.1 to 192.168.0.10 on interface inside"
Does the 172.16 network have a route to the 192.168.0.0 and 192.168.1.0 network? -
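Added example, not from either thread: a small checker for the question both the original post and the adjacent-network thread above come down to. It parses the ACL lines quoted on this page (the original post's crypto ACL and nat 0 ACL; access-list 100 and 105 from the thread above), reports whether one src -> dst flow is both selected by the crypto map and NAT-exempt, and lists crypto ACL entries on one peer that the other peer does not mirror. The sample LAN PC address (192.168.157.50) and the assumption about which address the ASA uses for its own traffic are mine.

```python
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Tuple


class Ace(NamedTuple):
    """One extended ACE, reduced to what crypto-map and NAT-exempt matching needs."""
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


# Copied from the original post's running config: the crypto ACL and the nat 0 ACL.
ORIGINAL_POST_ACLS = """\
access-list outside_1_cryptomap extended permit ip 192.168.157.0 255.255.255.0 10.28.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.157.0 255.255.255.0 10.28.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.157.0 255.255.255.0 192.168.57.0 255.255.255.0
"""

# Copied from the "adjacent remote network" thread: 100 is the remote site's crypto ACL, 105 is CORP's.
ADJACENT_THREAD_ACLS = """\
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 105 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 105 extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 105 extended permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 105 extended permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list 105 extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list 105 extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
"""


def _operand(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one ASA address operand (any | host A.B.C.D | A.B.C.D MASK); return (network, tokens used)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), 2
    return ipaddress.ip_network(tokens[i] + "/" + tokens[i + 1]), 2


def parse_acls(text: str) -> Dict[str, List[Ace]]:
    """Group 'access-list NAME extended permit|deny PROTO SRC DST' lines by name, order preserved."""
    acls: Dict[str, List[Ace]] = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            continue
        src, used = _operand(t, 5)
        dst, _ = _operand(t, 5 + used)
        acls.setdefault(t[1], []).append(Ace(t[3], t[4], src, dst))
    return acls


def first_match(aces: List[Ace], src_ip: str, dst_ip: str) -> Optional[Ace]:
    """ASA ACLs are first-match: return the first ACE whose src/dst cover the flow, else None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace
    return None


def flow_status(acls: Dict[str, List[Ace]], crypto: str, nat0: str,
                src_ip: str, dst_ip: str) -> Tuple[bool, bool]:
    """(selected by the crypto map, exempt from NAT) for one src -> dst flow; a LAN-to-LAN flow needs both."""
    c = first_match(acls.get(crypto, []), src_ip, dst_ip)
    n = first_match(acls.get(nat0, []), src_ip, dst_ip)
    return (c is not None and c.action == "permit", n is not None and n.action == "permit")


def unmirrored(local: List[Ace], remote: List[Ace]) -> List[Ace]:
    """Permit ACEs in `local` that no permit ACE in `remote` mirrors (same networks, src/dst swapped)."""
    mirrors = {(a.dst, a.src) for a in remote if a.action == "permit"}
    return [a for a in local if a.action == "permit" and (a.src, a.dst) not in mirrors]


if __name__ == "__main__":
    acls = parse_acls(ORIGINAL_POST_ACLS)
    # Same destination (the remote proxy) from three sources: a LAN PC, the ASA's inside address
    # and its outside address. Which address the ASA's own traffic carries is what the reply asks;
    # self-originated traffic takes the egress interface's address unless the feature is told
    # otherwise (assumption about ASA behaviour, not something the post states).
    for src in ("192.168.157.50", "192.168.157.1", "90.89.245.154"):
        print(src, "-> 10.28.1.26 (crypto, nat0):",
              flow_status(acls, "outside_1_cryptomap", "inside_nat0_outbound", src, "10.28.1.26"))
    adj = parse_acls(ADJACENT_THREAD_ACLS)
    for a in unmirrored(adj["100"], adj["105"]):
        print("access-list 100 entry with no mirror in 105:", a.src, "->", a.dst)
```

For the original post, the flow from the ASA's outside address to the proxy matches neither ACL while the same flow from a LAN PC or from the inside address matches both; for the two-site thread, the only entries of access-list 100 without a mirror in 105 are the two between 192.168.1.0/24 and 192.168.0.0/24, which both sit at the remote site.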
How can I use the network logon (VPN) as my default logon environment?
Hi!
I use my laptop only to connect to my work, but every time I need to switch from the last local user and click the Network Logon icon in the bottom right corner. How can I make the network logon my default logon environment?
Hi,
Logon process cannot be easily replaced, but if your concern is just to ignore it, we can use auto logon to bypass the manual logon process:
Autologon for Windows
http://technet.microsoft.com/en-in/sysinternals/bb963905.aspx
Alex Zhao
TechNet Community Support -
How can I call a remote EJB through JSP?
Trying the code:
<%@ page import="si3.*,javax.ejb.*,javax.naming.*,javax.rmi.PortableRemoteObject,java.util.*,java.rmi.RemoteException" %>
<%
int h=8;
int w=8;
// JNDI properties pointing at the remote WebLogic server that hosts the EJB
Hashtable p = new Hashtable ();
p.put(Context.INITIAL_CONTEXT_FACTORY,"weblogic.jndi.WLInitialContextFactory");
p.put(Context.PROVIDER_URL,"t3://192.168.0.203:7001");
Context ctx= new InitialContext(p);
Object homeref = ctx.lookup("si3.test");
// narrow() instead of a plain cast: the home reference is an RMI stub
addHome home = (addHome) PortableRemoteObject.narrow(homeref, addHome.class);
add the_ejb = home.create();
out.println(the_ejb.add(h,w));
out.println("adf");
the_ejb.remove();
%>
yzj wrote:
> I have two server running weblogic5.1.
> If the jsp and ejb locate the same server running weblogic 5.1 ,works well .But one deploys the ejb (jndi name si3.test),the other runs the jsp.I use jsp call the remote ejb ,catch exception :
>
> GMT+08:00 2000:<E> <ServletContext-General> Root
> > cause of ServletException
> > javax.naming.NameNotFoundException: 'si3.test'; remaining name 'si3.test'
> > at
> > weblogic.jndi.toolkit.BasicWLContext.resolveName(BasicWLContext.java,
> > Compiled Code)
> > at
> > weblogic.jndi.toolkit.BasicWLContext.lookup(BasicWLContext.java:133)
> > at
> > weblogic.jndi.toolkit.BasicWLContext.lookup(BasicWLContext.java:574)
> > at javax.naming.InitialContext.lookup(InitialContext.java:349)
> > at jsp_servlet.client._jspService(client.java:90)
> > at weblogic.servlet.jsp.JspBase.service(JspBase.java:27)
> > at
> > weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java
> > :124)
> > at
> > weblogic.servlet.internal.ServletContextImpl.invokeServlet(ServletContextImp
> > l.java:744)
> > at
> > weblogic.servlet.internal.ServletContextImpl.invokeServlet(ServletContextImp
> > l.java:692)
> > at
> > weblogic.servlet.internal.ServletContextManager.invokeServlet(ServletContext
> > Manager.java:
> > 251)
> > at
> > weblogic.socket.MuxableSocketHTTP.invokeServlet(MuxableSocketHTTP.java:363)
> > at
> > weblogic.socket.MuxableSocketHTTP.execute(MuxableSocketHTTP.java:263)
> > at weblogic.kernel.ExecuteThread.run(ExecuteThread.java, Compiled
> > Code)
>
> Why? Can you help me? Thanks.
> The jsp's source(Client.jsp ):
> <%@ page import="si3.*,javax.ejb.*,javax.naming.*,java.util.*,java.rmi.RemoteException" %>
> <%
> int h=8;
> int w=8;
> Hashtable p = new Hashtable ();
> p.put(Context.INITIAL_CONTEXT_FACTORY,"weblogic.jndi.WLInitialContextFactory");
> p.put(Context.PROVIDER_URL,"t3://192.168.0.203:7001");
> Context ctx= new InitialContext(p);
> addHome home = (addHome) ctx.lookup("si3.test");
> add the_ejb = home.create();
> out.println(the_ejb.add(h,w));
> out.println("adf");
> the_ejb.remove();
> %>
>
>
-
Can't access remote speakers through airtunes
I used to be able to access remote speakers via iTunes through my AirPort Express. Now there isn't even a button offering the choice. I have set iTunes to look for remote speakers.
If I connect directly to the PowerMac all is good.
Did a firmware update to the Airport and am running iTunes 6.0.2
Any ideas?
I installed AE Firmware 6.3. That did not really help, but didn't cause further problems either.
I tried deleting preference files, did not really help either.
I then downloaded the 10.4.4 Combo installer from Apple's website and after that I had my buttons for the remote speakers again.
I had the SAME problem after EVERY upgrade of iTunes in the past!!! VERY annoying -
Can't connect to work through VPN.
I have the following:
Router: Linksys WRT54GS v.4 + latest firmware
VPN Software: Cisco VPN Client 4.8.02.0010
Cable Internet provider: Comcast
The VPN client works fine if I connect using a Sprint air card, so that part is working. I just can't connect through my home router. Any advice? I'm stumped. Thanks in advance, John Duke
Access the router using http://192.168.1.1. The default password is admin. Go to the "Applications and Gaming" tab and click on the "Port Triggering" subtab, and enter ports 1723, 50, 500, 443-447, 43-47, 10000-10001.
If this does not make any difference, try upgrading/reflashing the router's firmware and check whether it makes any difference. -
Can't access internal network from VPN using PIX 506E
Hello,
I seem to be having an issue with my PIX configuration. I can ping the VPN client from the internal network, but cannot access any resources from the VPN client. My running configuration is as follows:
Building configuration...
: Saved
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password N/JZnmeC2l5j3YTN encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname SwantonFw2
domain-name *****.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit icmp any any
access-list allow_ping permit icmp any any echo-reply
access-list allow_ping permit icmp any any unreachable
access-list allow_ping permit icmp any any time-exceeded
access-list INSIDE-IN permit tcp interface inside interface outside
access-list INSIDE-IN permit udp any any eq domain
access-list INSIDE-IN permit tcp any any eq www
access-list INSIDE-IN permit tcp any any eq ftp
access-list INSIDE-IN permit icmp any any echo
access-list INSIDE-IN permit tcp any any eq https
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.240.0 255.255.255.0
access-list swanton_splitTunnelAcl permit ip any any
access-list outside_cryptomap_dyn_20 permit ip any 192.168.240.0 255.255.255.0
no pager
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.150 255.255.255.0
ip address inside 192.168.0.35 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN_Pool 192.168.240.1-192.168.240.254
pdm location 0.0.0.0 255.255.255.0 outside
pdm location 192.168.1.26 255.255.255.255 outside
pdm location 192.168.240.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
access-group outside_access_in in interface outside
access-group INSIDE-IN in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup swanton address-pool VPN_Pool
vpngroup swanton dns-server 192.168.1.1
vpngroup swanton split-tunnel swanton_splitTunnelAcl
vpngroup swanton idle-time 1800
vpngroup swanton password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.36-192.168.0.254 inside
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username scott password hwDnqhIenLiwIr9B encrypted privilege 15
username norm password ET3skotcnISwb3MV encrypted privilege 2
username tarmbrecht password Zre8euXN6HxXaSdE encrypted privilege 2
username jlillevik password 9JMTvNZm3dLhQM/W encrypted privilege 2
username ruralogic password 49ikl05C8VE6k1jG encrypted privilege 15
username bzeiter password 1XjpdpkwnSENzfQ0 encrypted privilege 2
username mwalla password l5frk9obrNMGOiOD encrypted privilege 2
username heavyfab1 password 6.yy0ys7BifWsa9k encrypted privilege 2
username heavyfab3 password 6.yy0ys7BifWsa9k encrypted privilege 2
username heavyfab2 password 6.yy0ys7BifWsa9k encrypted privilege 2
username djet password wj13fSF4BPQzUzB8 encrypted privilege 2
username cmorgan password y/NeUfNKehh/Vzj6 encrypted privilege 2
username cmayfield password Pe/felGx7VQ3I7ls encrypted privilege 2
username jeffg password zQEQceRITRrO4wJa encrypted privilege 2
terminal width 80
Cryptochecksum:9005f35a85fa5fe31dab579bbb1428c8
: end
[OK]
Any help will be greatly appreciated
Bj,
Are you trying to access network resources behind the inside interface?
ip address inside 192.168.0.35 255.255.255.0
If so, please make the following changes:
1- access-list SWANTON_VPN_SPLIT permit ip 192.168.0.0 255.255.255.0 192.168.240.0 255.255.255.0
2- no vpngroup swanton split-tunnel swanton_splitTunnelAcl
vpngroup swanton split-tunnel SWANTON_VPN_SPLIT
3- no access-list outside_cryptomap_dyn_20 permit ip any 192.168.240.0 255.255.255.0
4- isakmp nat-traversal 30
Let me know how it goes.
Portu.
Please rate any helpful posts -
I cannot map a network drive in Windows 8.1 via VPN
Dear sir/madam,
I face a big problem. My company uses a VPN connection. After my company upgraded from Windows 7 to Windows 8.1, we find that we cannot reconnect the network drive. Please find the details below:
1. I successfully map the drive and then log out / switch user.
2. Wait two/three hours.
3. I find the drive is disconnected.
4. When I try to reconnect, Windows cannot find it again. Then I try to use netstat:
C:\Windows\system32>netstat
TCP 172.28.97.31:58206 test-server:http TIME_WAIT
Then I try to use cmd.
5. It shows reconnect successful via the net use command. However, it wastes a lot of time and I cannot find the drive in Windows.
If I restart Windows, I can reconnect quickly and find the drive in Windows.
The server is Windows Server 2008 R2 and is located at a different site.
If the server and PC are located at the same site, there is no problem.
Both the server and PC are joined to the same domain.
It is a Dell server and a Lenovo M82 PC.
Please help me to solve the problem.
(Windows 7 also has this problem. However, I can click the drive and it reconnects quickly. I cannot do this in Windows 8.1....... it loops again.)
thanks
Hi,
Is there any error message thrown when you reconnect the mapped drive? Can you directly access the UNC path of the mapped drive? What VPN program do you use? Please check that the VPN client connects correctly.
You could refer to the thread below to check if the AD account is restricted by VPN.
Can't access mapped drives through VPN when away from office
http://social.technet.microsoft.com/Forums/windows/en-US/a0ca41aa-08b8-4e46-a314-ffb7e401bd7a/cant-access-mapped-drives-through-vpn-when-away-from-office?forum=w7itpronetworking
Best Regards,
Mandy
-
Can't see Bonjour services from VPN access
Hi,
I've got several Macs and devices on my local network at sub-network 192.128.1.x (router at 192.168.1.1).
With my MacBook Air for instance, Finder automatically finds all my devices (Macs, router, Windows PC, NAS...) and they are in the left folder of the Finder view.
When I'm out of my home, I connect my MacBook to my home network through a VPN server (PPTP). The mapping of this VPN is 192.168.2.x.
I can mount my remote devices through a manual command (Alt K in Finder - Connect to...) which are in the 192.168.1.x subnet.
But the Finder can't see them automatically.
Is there a way to set up Bonjour services, or subnets, or Finder automatic browsing, to find all my devices as if I were at home?
Thanks for any advice
So you use a separate account (not admin) on this Mac.
Bonjour usually picks up the name of the computer in sys prefs/sharing.
Edit: just checked and it's getting it from the Address Book, so the Me card is yours. -
Can connect to database on network but not through VPN
oracle 10g/11g
windows 2003/2008
Junos Pulse VPN
Hi,
When I'm on the office network I can sqlplus and remote desktop to the database server, but on the VPN I can't connect with sqlplus or remote desktop, but I can tnsping.
How can this be??
Hi Guys,
Hope some of you are still following this thread.
Spoke to the network guys and they are at a loss. They say that port 1521 is allowed through the vpn and firewall.
When I try to connect over the new JUNOS PULSE SVPN, I see in the listener log file that it established the connection, but I think it can't see the client after it is allocated the temp listener port?
Any suggestions please?
In listener.log
===============
05-SEP-2012 20:38:06 * (CONNECT_DATA=(SERVICE_NAME=EOH_CRM_PRD)(failover_mode=(type=SESSION)(method=BASIC))(SERVER=DEDICATED)(CID=(PROGRAM=C:\oracle\app\product\11.2.0\client_1\bin\sqlplus.exe)(HOST=DBAVM)(USER=Van))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.12.200.45)(PORT=52940)) * establish * EOH_CRM_PRD * 0
Fatal NI connect error 12170.
VERSION INFORMATION:
TNS for 32-bit Windows: Version 10.2.0.2.0 - Production
Oracle Bequeath NT Protocol Adapter for 32-bit Windows: Version 10.2.0.2.0 - Production
Windows NT TCP/IP NT Protocol Adapter for 32-bit Windows: Version 10.2.0.2.0 - Production
Time: 05-SEP-2012 20:39:07
Tracing not turned on.
Tns error struct:
ns main err code: 12535
TNS-12535: TNS:operation timed out
ns secondary err code: 12606
nt main err code: 0
nt secondary err code: 0
nt OS err code: 0
Client address: <unknown>