IPSEC Passthrough Enabled?
I have a 5th generation Airport Extreme. I am having trouble establishing a VPN. How can I tell whether IPSEC passthrough is enabled?
Thanks.
- VPN passthrough in your router is for clients on your LAN connecting to outside VPN servers. It's not needed to support a VPN server on your LAN. Not necessary, but also not the cause of the problem.
- Use Server.app to view the logs for VPN service. You will see attempted connections, with this you can confirm that at least some of the traffic is getting through.
The most common issue is related to keys which are stored in the user databases.
What I would try, just to narrow this down, is try authenticating as a local user (the first account you setup on the server) vs network user. If you find local users work but network users don't then we'll know where to go.
Similar Messages
-
Some command to make PIX 515 E to do "IPsec passthrough"?
Some routers sold out there, e.g. my LinkSys WRT54GC, have "IPsec passthrough" integrated in them. This is very useful in the case when the remote firewall doesn't have NAT traversal enabled (and it's difficult to ask that admin to enable it).
I'm wondering if there's any command to make a PIX (515E) have this function. Anyone know?
I know those are nice features that are already enabled on Linksys devices, but those are meant to be more of a PnP device where no other configuration is required by the end user when it comes to IPsec or PPTP.
On the other hand, this is not the case on PIX/ASA firewalls or on an IPsec-capable IOS router.
In these cases the IPsec VPN ports, as well as the MS PPTP ports if using Microsoft VPN clients, need to be explicitly opened for clients inside to be able to VPN outbound.
When using the Cisco VPN client from inside a PIX/ASA to connect to an outside RA, you simply need IPsec pass-through inspection configured in your global policy for code 7.x and above.
For PIX/ASA running code 7.x or above, inspection of ipsec-pass-thru must be enabled in the global policy.
i.e. Cisco VPN client
policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru
for PPTP
policy-map global_policy
 class inspection_default
  inspect pptp
For PIX 6.x you need to open up the IPsec ports UDP 500 (isakmp), UDP 4500 (nat-t) and protocol 50 (esp) and apply the ACL to the PIX outside interface.
i.e.
access-list 101 permit udp any any eq 500 log
access-list 101 permit udp any any eq 4500 log
access-list 101 permit esp any any log
Also it is recommended to enable nat traversal:
isakmp nat-traversal 20
The same principle applies on routers; just for reference, for MS PPTP it would require TCP 1723 and the GRE protocol.
access-list 101 permit tcp any any eq 1723 log
access-list 101 permit gre any any log
Interface
ip access-group 101 in
or for both IPsec and PPTP
access-list 101 permit udp any any eq 500 log
access-list 101 permit udp any any eq 4500 log
access-list 101 permit esp any any log
access-list 101 permit tcp any any eq 1723 log
access-list 101 permit gre any any log
Interface
ip access-group 101 in
Here are a couple of links for reference if you would like to read them.
PPTP through firewalls
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml
IPsec pass through Cisco firewalls
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/inspect.html#wp1522169
If you have any problems implementing it let us know; it's pretty much straightforward once you open up the required ports.
HTH
Bst Rgds
-Jorge
PLS Rate any helpful posts if it helps -
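To check an access list like the ones in Jorge's reply against the flows each VPN type needs, here is an added Python example (my code, not code from the original post or from Cisco). It parses the `access-list <id> permit <proto> any any [eq <port>] [log]` form quoted above, applies first-match semantics with the implicit deny at the end, and reports which required flows a given ACL would still block. The required-flow table for IPsec (UDP 500, UDP 4500, ESP) and PPTP (TCP 1723, GRE) is taken from the reply; the `l2tp-ipsec` entry, which reuses the IPsec flows because L2TP on UDP 1701 travels inside the IPsec tunnel, and the restriction to the `any any` address form are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

Flow = Tuple[str, Optional[int]]

# Flows that must be permitted for each VPN type: (protocol, destination port).
# A port of None means the protocol carries no port (ESP, GRE).
# The ipsec and pptp entries come from the reply above; l2tp-ipsec is an
# assumption of this example (L2TP rides inside the IPsec tunnel).
REQUIRED_FLOWS = {
    "ipsec": [("udp", 500), ("udp", 4500), ("esp", None)],
    "pptp": [("tcp", 1723), ("gre", None)],
}
REQUIRED_FLOWS["l2tp-ipsec"] = REQUIRED_FLOWS["ipsec"]

# Only the 'any any' form used in the post is parsed; other address forms are skipped.
ACE_RE = re.compile(
    r"^access-list\s+(?P<id>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>[A-Za-z]+)"
    r"\s+any\s+any(?:\s+eq\s+(?P<port>\d+))?(?:\s+log)?\s*$"
)


@dataclass(frozen=True)
class Ace:
    acl_id: str
    action: str
    proto: str
    port: Optional[int]


def parse_acl(text: str) -> List[Ace]:
    """Return the access-control entries found in `text`, in their original order."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            port = int(m["port"]) if m["port"] else None
            aces.append(Ace(m["id"], m["action"], m["proto"].lower(), port))
    return aces


def permits(aces: List[Ace], proto: str, port: Optional[int]) -> bool:
    """First matching entry decides; no match means the implicit deny applies."""
    for ace in aces:
        if ace.proto not in (proto, "ip"):  # 'ip' matches every protocol
            continue
        if ace.port is not None and ace.port != port:
            continue
        return ace.action == "permit"
    return False


def missing_flows(aces: List[Ace], vpn_type: str) -> List[Flow]:
    """Flows of `vpn_type` that this ACL would still block."""
    return [flow for flow in REQUIRED_FLOWS[vpn_type] if not permits(aces, *flow)]


# Sample ACLs copied from the reply above (constructed input for this example).
IPSEC_ONLY_ACL = """
access-list 101 permit udp any any eq 500 log
access-list 101 permit udp any any eq 4500 log
access-list 101 permit esp any any log
"""
COMBINED_ACL = IPSEC_ONLY_ACL + """
access-list 101 permit tcp any any eq 1723 log
access-list 101 permit gre any any log
"""

if __name__ == "__main__":
    for name, text in (("ipsec-only", IPSEC_ONLY_ACL), ("combined", COMBINED_ACL)):
        aces = parse_acl(text)
        for vpn in REQUIRED_FLOWS:
            gaps = missing_flows(aces, vpn)
            print(f"{name:11s} {vpn:10s} {'OK' if not gaps else 'missing ' + str(gaps)}")
```

Run as a script it prints one line per ACL and VPN type; the IPsec-only ACL from the reply comes back as missing TCP 1723 and GRE for PPTP, while the combined ACL covers every flow in the table.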
Hi All,
I would like to get some help on IPSec Passthrough on an ASA 5520, with version 8.3, and ASDM 6.3. Currently I have a requirement for users in my internal network (10.10.249.128 / 25) to be able to connect to external IPSec VPN servers.
So I created a network object with 10.10.249.128 / 25, and used dynamic PAT to translate the source ip address to the external internet facing outside interface:
I then added the following rules on the inside-in ACL:
However troubleshooting shows that isakmp is passing through the firewall, but esp and ah is not.
For isakmp:
For ESP:
Seems like the NAT rule is drawing my ESP traffic; can anyone point me in the correct direction?
Kind Regards,
Jia Wei
Hi,
Have you tried an actual VPN Client connection through the ASA from the guest network? Or is the problem only based on testing this thing with packet-tracer on ASDM side?
I don't remember ever opening ESP/AH for Cisco VPN Client traffic -
RV042 Site-to-Site VPN with NAT on one side
I set up a site-to-site VPN using two RV042s some time ago. One was behind a NATting router. The other was the internet interface itself.
Somewhere I had found a paper describing how to do this. It said that only ONE of them could be behind another NATting router. So, that's how this was set up. I sure wish I could find that paper again!!! Any suggestions?
Now I have to do the same thing again but can't get it working. It looks like this:
RV042 VPN public address <> cable modem <> internet <> RV042 "firewall" with IPSEC passthrough enabled <> interim subnet LAN <> RV042 VPN <> LAN
I'm getting log messages and on the remote site log (the left side of the above) like:
initial Aggressive Mode packet claiming to be from [xxx.xxx.xxx.xxx] on [same] but no connection has been authorized
and
No suitable connection for peer '10.98.76.2', Please check Phase 1 ID value
(where 10.98.76.2 is the IP address of the RV042 WAN port on the interim subnet)
I have them both in Aggressive mode as eventually I'll be using a dyndns URL. But, for now, I'm using the actual IP addresses so that should not be an issue one way or the other.
Make sure the configuration you do on both sides is the same, and secondly exempt the NAT rules; only then will it work.
-
Upgrading to Lion server has been a bit frustrating to say the least!
I had VPN working and with the upgrade it has stopped. I hope someone can help with my setup. It has worked before.
Here is my setup.
I have an internet router provided by my ISP. The firewall is turned off, but I have Ipsec passthrough enabled.
Apple Airport extreme in bridge-mode to which my server is connected by ethernet and other clients by wireless.
Server firewall is turned on with the vpn ports open via Server Admin app
vpn service activated.
user is setup for vpn service
This setup has worked before the upgrade.
With the firewall on or off, I get the same error message: vpn server did not respond. I am testing this from my iphone's 3G connection which has worked before, so it is not my carrier's problem.
Somehow I suspect my server has a firewall problem.
Another problem I have since the upgrade and which may be related to this issue is that I can no longer use airplay to stream music from my server to an airport express with the firewall enabled. When it is turned off, the server streams music without a hitch. I have opened all the ports for airplay to work, have ticked them, unticked them and reticked them, but to no avail.
This last problem has led me to think that the VPN issue is a firewall issue, as the ports seem open, just as the AirPlay ports seem open, but are apparently not.
Can any one offer any help with this?
Thanks for your time.
jeff
Hello JeHarry,
I would recommend that you follow the TechNet guide to migrate SBS 2008 to 2012 R2 Essentials. Don't skip any part.
https://technet.microsoft.com/en-us/library/jj200141.aspx
Troubleshooting VPN Issues on 2012
http://blogs.technet.com/b/sbs/archive/2014/06/11/troubleshooting-common-vpn-issues-on-windows-server-2012-r2-essentials.aspx
Binu Kumar - MCP, MCITP, MCTS , MBA - IT , Director Aarbin Technology Pvt Ltd - Please remember to mark the replies as answers if they help and unmark them if they provide no help. -
OS X 10.4 VPN: no response to L2TP client?
Hi. I have an OS X Server 10.4.7. I've set it up as a VPN server using L2TP with a shared IPSec secret. The server is behind a D-Link DI-808HV router. The router has IPSec passthrough enabled, and I have UDP ports 500, 1701, and 4500 open.
When I try to connect with an OS X Tiger client, I get a "Connecting to VPN Server" message for a while, then "Server did not respond." In the VPN server log, there is no sign that anything occurred - no log entries at all for the attempted connection.
Where else should I look to troubleshoot this?
I've tried PPTP, which at least makes a connection but then fails at the negotiation with the error "Wed Sep 13 13:50:28 2006 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xe9f24d50> <pcomp> <accomp>]" in the log.
Thanks
David
Hi Leif -
In my case, strictly for pptp, I am able to connect, and get assigned an ip number, but the authentication always fails. The log looks like this:
2006-09-14 23:29:04 PDT Incoming call... Address given to client = 192.168.0.251
Thu Sep 14 23:29:04 2006 : Directory Services Authentication plugin initialized
Thu Sep 14 23:29:04 2006 : Directory Services Authorization plugin initialized
Thu Sep 14 23:29:04 2006 : PPTP incoming call in progress from '71.204.113.243'...
Thu Sep 14 23:29:05 2006 : PPTP connection established.
Thu Sep 14 23:29:05 2006 : using link 0
Thu Sep 14 23:29:05 2006 : Using interface ppp0
Thu Sep 14 23:29:05 2006 : Connect: ppp0 <--> socket[34:17]
Thu Sep 14 23:29:05 2006 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x45a3b82e> <pcomp> <accomp>]
Thu Sep 14 23:29:08 2006 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x45a3b82e> <pcomp> <accomp>]
Thu Sep 14 23:29:11 2006 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x45a3b82e> <pcomp> <accomp>]
Thu Sep 14 23:29:14 2006 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x45a3b82e> <pcomp> <accomp>]
Thu Sep 14 23:29:17 2006 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x45a3b82e> <pcomp> <accomp>]
Thu Sep 14 23:29:20 2006 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x45a3b82e> <pcomp> <accomp>]
Thu Sep 14 23:29:23 2006 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x45a3b82e> <pcomp> <accomp>]
Thu Sep 14 23:29:26 2006 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x45a3b82e> <pcomp> <accomp>]
Thu Sep 14 23:29:29 2006 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x45a3b82e> <pcomp> <accomp>]
Thu Sep 14 23:29:32 2006 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x45a3b82e> <pcomp> <accomp>]
Thu Sep 14 23:29:35 2006 : LCP: timeout sending Config-Requests
Thu Sep 14 23:29:35 2006 : Connection terminated.
Thu Sep 14 23:29:35 2006 : PPTP disconnecting...
Thu Sep 14 23:29:35 2006 : PPTP disconnected
2006-09-14 23:29:35 PDT --> Client with address = 192.168.0.251 has hungup
I have done almost everything I know to do - The mac is behind a netgear router, and is set up as the "DMZ". I can access file sharing, ARD, Web Services, FTP directly to the server fine, and have set this type of configuration up several times with no problems.
The only difference here is that this is the first time I have set up OSX Server 10.4.7 on an Intel Mac.
Any ideas you have would be appreciated as I have spent countless hours changing settings - from standalone server, to OD Master, etc. - to try to eliminate that error.
Thanks - Bob
Mac Mini 1.66ghz Mac OS X (10.4.7) Universal 10.4.7 OSX Server -
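As an added example (my code, not from the thread or from Apple's pppd), the following Python reads pppd lines in the format of the log Bob posted and tells a one-way LCP negotiation apart from a normal one: it counts LCP frames the server sent against LCP frames it received and looks for the closing "LCP: timeout sending Config-Requests". When the TCP 1723 control connection logs "PPTP connection established" but every LCP ConfReq goes unanswered, the PPP frames, which PPTP carries in GRE as the PIX reply earlier on this page notes, are not travelling between client and server even though the control channel works; checking how the NAT device in front of the server handles GRE is then the natural next step. The failing sample is the posted log trimmed to the relevant lines; the healthy sample is constructed.

```python
import re
from typing import Dict, Iterable, List

# pppd log lines of interest, in the format of the log posted above.
ESTABLISHED_RE = re.compile(r"PPTP connection established")
SENT_LCP_RE = re.compile(r": sent \[LCP (?P<kind>Conf\w+) id=(?P<id>0x[0-9a-fA-F]+)")
RCVD_LCP_RE = re.compile(r": rcvd \[LCP (?P<kind>Conf\w+) id=(?P<id>0x[0-9a-fA-F]+)")
TIMEOUT_RE = re.compile(r"LCP: timeout sending Config-Requests")


def analyse_pptp_log(lines: Iterable[str]) -> Dict[str, object]:
    """Summarise one PPTP call from pppd log lines.

    verdict values:
      one-way-lcp      control channel up, LCP sent repeatedly, nothing received,
                       then LCP timeout: the GRE data channel is not getting through
      lcp-negotiating  at least one LCP frame came back from the client
      lcp-pending      LCP requests sent, nothing received yet, no timeout logged
      no-ppp           control connection never established or no LCP at all
    """
    sent = rcvd = 0
    control_ok = timeout = False
    for line in lines:
        if ESTABLISHED_RE.search(line):
            control_ok = True
        elif SENT_LCP_RE.search(line):
            sent += 1
        elif RCVD_LCP_RE.search(line):
            rcvd += 1
        elif TIMEOUT_RE.search(line):
            timeout = True
    if rcvd > 0:
        verdict = "lcp-negotiating"
    elif control_ok and sent > 0 and timeout:
        verdict = "one-way-lcp"
    elif control_ok and sent > 0:
        verdict = "lcp-pending"
    else:
        verdict = "no-ppp"
    return {"sent": sent, "rcvd": rcvd, "control_ok": control_ok,
            "timeout": timeout, "verdict": verdict}


# Failing sample: the posted log, trimmed (ten ConfReq retries three seconds apart).
FAILING_LOG: List[str] = [
    "Thu Sep 14 23:29:04 2006 : PPTP incoming call in progress from '71.204.113.243'...",
    "Thu Sep 14 23:29:05 2006 : PPTP connection established.",
    "Thu Sep 14 23:29:05 2006 : Using interface ppp0",
] + [
    f"Thu Sep 14 23:29:{s:02d} 2006 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> "
    "<auth chap MS-v2> <magic 0x45a3b82e> <pcomp> <accomp>]"
    for s in range(5, 33, 3)
] + [
    "Thu Sep 14 23:29:35 2006 : LCP: timeout sending Config-Requests",
    "Thu Sep 14 23:29:35 2006 : Connection terminated.",
]

# Healthy sample (constructed): the client's LCP frames do come back.
HEALTHY_LOG: List[str] = [
    "Thu Sep 14 23:40:01 2006 : PPTP connection established.",
    "Thu Sep 14 23:40:01 2006 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x1a2b3c4d> <pcomp> <accomp>]",
    "Thu Sep 14 23:40:01 2006 : rcvd [LCP ConfReq id=0x2 <asyncmap 0x0> <magic 0x5e6f7a8b> <pcomp> <accomp>]",
    "Thu Sep 14 23:40:01 2006 : sent [LCP ConfAck id=0x2 <asyncmap 0x0> <magic 0x5e6f7a8b> <pcomp> <accomp>]",
    "Thu Sep 14 23:40:01 2006 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x1a2b3c4d> <pcomp> <accomp>]",
]

if __name__ == "__main__":
    for name, log in (("posted", FAILING_LOG), ("healthy", HEALTHY_LOG)):
        print(name, analyse_pptp_log(log))
```

The check deliberately ignores everything after the LCP timeout: once the server has given up on LCP, the "Connection terminated" and "PPTP disconnecting" lines follow regardless of cause, so they add nothing to the diagnosis.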
Here's hoping you can help me - I've done everything possible - believe me! When using my Linksys BEFW11S4 router with my VPN s/w (MS Remote Access - MSRA) .. my VPN is not stable and drops consistently every 10/15/20 minutes. It is getting very very frustrating!! I believe MSRA is configured for IPSec encryption. Right now I am trying to understand - what does 'IPSec Passthrough' enabled/disabled mean? This is enabled on the Linksys config page - Security tab/VPN Passthrough section. I am wondering if this may be contributing to my problem. Please advise.
When I say I have done everything, I mean this:
wireless laptop is configured to use static ip
wireless router has been upgraded to latest firmware
MTU size has been reset to 1365
port forwarding/triggering has been setup
no firewall S/W
Nothing is working. Even though the wireless router is probably 3+ years old, it is hard for me to believe it is the H/W. Someone recommended I buy a NetGear wireless router. I'm trying to give this one more shot!
Please help if you can .. many thanks!! Rachel (frustrated in CA)
Hello again,
Yes I was on DHCP - yet Linksys Support suggested I go with assigning Static IP, so I did that and it still isn't working well - dropping consistently every 10 - 15 minutes. Linksys Support somewhat "guaranteed" me the Static IP assignment would work - and it doesn't.
In any case, yes I am accessing my VPN wireless - via my wireless laptop. It is my work VPN S/W. I believe it is built on MSRA - Microsoft Remote Access.
In any case, I talked to a colleague this AM - and I think I've come to the conclusion it is time to buy another router; this one too old to work with new laptop. He recommended the Linksys WRT54G product.
Unless you have any other recommendations and/or troubleshooting ideas?
Thanks,
Rachel -
Replaced WRT54G with WRT120N, same settings, no DSL?
Hello. Thanks for looking at my problem...
My setup:
1 DSL modem
1 WRT120N
1 PC via Ethernet
1 Laptop via Ethernet
1 PS3 via wireless
My DSL modem works fine without the router. I can connect directly to the modem and the internet works. When I connect the computers over the router, they cannot receive internet. I believe that at one point I was able to get the computers to talk to each other, though.
As you can guess, I want this router to take my dsl and pass it to all my computers. I had this previous setup functioning with my WRT54G. With the WRT120N, I've copied the settings from the old router as best as I could. I've included all the settings that seem relevant; I did not include the wireless settings because the internet doesn't even work through ethernet. But I will post those too if you need them.
The settings on my WRT120N:
Setup - Basic Setup
Internet Connection Type: Automatic Configuration - DHCP
Host Name: Blank
Domain Name: Blank
MTU: Manual
Size: 1500
Local IP Address: 192.168.1.1
Subnet Mask: 255.255.255.0
DHCP Server: Enabled
Start IP Address: .100
Max Users: 50
Client Lease Time: 1440
Setup - DDNS
Disabled
Setup - MAC Address Clone
Disabled
Setup - Advanced Routing
NAT: Disabled
Dynamic Routing (RIP): Enabled
Static Routing: All blank
Security - Firewall
SPI Firewall Protection: Enabled
Internet Filter-
Filter Anonymous Internet Requests: Y
Filter Multicast: Y
Filter Internet NAT Redirection: N
Filter IDENT (Port 113): Y
Web Filter-
Proxy: N
Java: N
ActiveX: N
Cookies: N
Security - VPN Passthrough
IPSec PassThrough: Enabled
PPTP PassThrough: Enabled
L2TP PassThrough: Enabled
Access Restrictions - Internet Access Policy
All Disabled
Applications and Gaming - Single Port Forwarding
All Disabled
Applications and Gaming - Port Range Forwarding
All Disabled
Applications and Gaming - Port Range Triggering
All Disabled
Applications and Gaming - DMZ
All Disabled
Applications and Gaming - QoS
WMM Support: Enabled
No Acknowledgement: Disabled
Internet Access Priority Category: Disabled
If anything looks wrong to you, please let me know. Thank you for reading!
As your Internet Service Provider is DSL follow this link to configure the router.
-
WRVS4400N Won't allow L2TP traffic to passthrough
The latest in a series of issues with the WRVS4400N:
As any Mac user knows, you cannot connect to this device with QuickVPN, as there is no Mac version of QuickVPN. That leaves us with one of two options:
1) Obtain iPSecuritas and configure an IPSec tunnel with it. Problematic for many, but it can be done. I've been doing it for two years, but recently learned that with this configuration, you can't route all network traffic over the VPN (email, web browsing, etc), which is sometimes a security concern when on public wifi. This leaves you with solution 2:
2) Get some other VPN device and put it behind the Linksys Router and setup the Linksys to passthrough VPN traffic, and/or forward the necessary ports.
I am running both a PPTP and L2TP server on Mac OS X server behind the WRVS4400N. I have the 4400N setup to passthrough all VPN traffic (select the enable circle for IPSec, PPTP, and L2TP on the VPN Passthrough tab).
After forwarding the appropriate port (1723) to the OS X server's ip address, PPTP goes through just fine.
L2TP is a problem, though. Nothing I try gets through this 4400N. As stated above I have L2TP passthrough enabled. I have also forwarded ports UDP 500, UDP 4500 and even tcp/udp 1701 to the L2TP server's ip address. No go, no traffic gets through.
Suspecting it was something wrong with my L2TP server or client settings, I put the L2TP server into a DMZ zone. Voila! L2TP traffic connects as expected. This proves it is the WRVS4400N not doing its thing.
I have checked the logs on the WRVS4400N and nothing appears at all. I thought maybe that it is reading the L2TP traffic as IPSec traffic destined for its internal IPSec server, even though I don't have any IPSec tunnels or QuickVPN accounts setup on the WRVS4400N, but with the lousy logging and no ipconntrak tables in this version of the firmware, i don't know what else to check.
I am using Firmware v1.0.16 because v1.1.03 is not stable on my router. Using that firmware leaves the router in a corrupted state requiring a power cycle to reset it after any IPSec connection is shut down.
Can anyone suggest what I am missing or doing wrong in getting the WRVS4400N to actually passthrough my L2TP traffic to the working L2TP server?
/rant: I have to say I am beginning to hate the WRVS4400N. This temperamental beast has caused a lot of frustration and long hours over the past two years; in hindsight, considering the hours (in excess of 100, seriously) I have put in to trying to get various forms of VPN working on it, I should have just moved on to a more stable and flexible router.
gv wrote:
1. Never ever forward L2TP port 1701. That's a security risk. Port 1701 is not supposed to be accessible from the internet.
2. Running an IPSec server behind a NAT gateway is a very bad idea and is either very difficult or impossible depending on the server software and kernel version on the server machine. In particular you usually see a lot of problems if the client as well is behind a NAT gateway.
3. Turn off the L2TP and IPSec passthrough options. Passthrough is difficult because NAT will modify the packets passing. When you disable the passthrough options the VPN client and server should switch to encapsulation through UDP port 4500.
Thanks for the reply. Comments/follow-up on each of your numbered responses:
1) Port 1701 is off. Plenty of sites insist it must be open, so I tried it out of desperation. Lots of bad information on the internet, as we all know.
2a) My IPSec server has always been the NAT gateway itself (the WRVS4400N). That's not the problem. My issue with leaving the setup that way is that Linksys has ZERO support for Mac OS X to connect to the WRVS4400N's IPSec VPN. QuickVPN is only offered for Windows OS, and Cisco VPN Client for OS X will not connect with the WRVS4400N. This leaves me with having to use third-party client solutions which work flawlessly and completely with other hardware but not with the WRVS4400N.
I'd actually be happy with that solution if I could route all traffic (web and email especially) over the VPN tunnel. This won't work with the only solutions I have for using IPSec on a Mac to connect to the network. I've considered establishing SSH tunnels binding the various ports, but proxies, slower performance and other issues make that less than desirable. Very frustrating.
I guess since L2TP uses IPSec, your point is relevant, but I don't understand why, if IPSec behind a NAT gateway is such a bad idea, EVERY router on the market offers IPSec passthrough in its specs.
If it's so problematic, and such a bad idea, why allow it? Especially on devices marketed to SOHO consumers who are bound to have less networking savvy? In fact, the Linksys products ship with these options ENABLED by default.
3) I've done all that.
Here are log entries from the WRVS4400N for a few combinations of passthrough and port forwarding:
Passthrough disabled, ports forwarded
Dec 7 07:38:40 - Drop by Port Scan UDP
Dec 7 07:41:25 - UDP Packet - Source:xxx.xxx.xxx.xxx,500 Destination:192.168.2.11,500 - [Firewall Log-IPSecPass Fail]
Dec 7 07:41:30 - [VPN Log]: shutting down
Dec 7 07:41:30 - IPSEC EVENT: KLIPS device ipsec0 shut down.
Dec 7 07:41:32 - [VPN Log]: Starting Pluto (Openswan Version cvs2006Jan12_11:29:56 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE@ECqImzhFD)
Dec 7 07:41:32 - [VPN Log]: @(#) built on Aug 2 2007:11:09:37:
Dec 7 07:41:32 - [VPN Log]: Setting NAT-Traversal port-4500 floating to on
Dec 7 07:41:32 - [VPN Log]: port floating activation criteria nat_t=1/port_fload=1
Dec 7 07:41:32 - [VPN Log]: including NAT-Traversal patch (Version 0.6c)
Dec 7 07:41:32 - [VPN Log]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Dec 7 07:41:32 - [VPN Log]: starting up 1 cryptographic helpers
Dec 7 07:41:32 - [VPN Log]: started helper pid=11543 (fd:5)
Dec 7 07:41:32 - [VPN Log]: Using KLIPS IPsec interface code on 2.4.27-star
Dec 7 07:41:32 - [VPN Log]: Changing to directory '/etc/ipsec.d/cacerts'
Dec 7 07:41:32 - [VPN Log]: Changing to directory '/etc/ipsec.d/aacerts'
Dec 7 07:41:32 - [VPN Log]: Changing to directory '/etc/ipsec.d/ocspcerts'
Dec 7 07:41:32 - [VPN Log]: Changing to directory '/etc/ipsec.d/crls'
Dec 7 07:41:32 - [VPN Log]: Warning: empty directory
passthrough enabled, ports not forwarded
Dec 7 07:47:28 - [VPN Log]: shutting down
Dec 7 07:47:28 - IPSEC EVENT: KLIPS device ipsec0 shut down.
Dec 7 07:47:31 - [VPN Log]: Starting Pluto (Openswan Version cvs2006Jan12_11:29:56 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE@ECqImzhFD)
Dec 7 07:47:31 - [VPN Log]: @(#) built on Aug 2 2007:11:09:37:
Dec 7 07:47:31 - [VPN Log]: Setting NAT-Traversal port-4500 floating to on
Dec 7 07:47:31 - [VPN Log]: port floating activation criteria nat_t=1/port_fload=1
Dec 7 07:47:31 - [VPN Log]: including NAT-Traversal patch (Version 0.6c)
Dec 7 07:47:31 - [VPN Log]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Dec 7 07:47:31 - [VPN Log]: starting up 1 cryptographic helpers
Dec 7 07:47:31 - [VPN Log]: started helper pid=12590 (fd:5)
Dec 7 07:47:31 - [VPN Log]: Using KLIPS IPsec interface code on 2.4.27-star
Dec 7 07:47:31 - [VPN Log]: Changing to directory '/etc/ipsec.d/cacerts'
Dec 7 07:47:31 - [VPN Log]: Changing to directory '/etc/ipsec.d/aacerts'
Dec 7 07:47:31 - [VPN Log]: Changing to directory '/etc/ipsec.d/ocspcerts'
Dec 7 07:47:31 - [VPN Log]: Changing to directory '/etc/ipsec.d/crls'
Dec 7 07:47:31 - [VPN Log]: Warning: empty directory
passthrough enabled, ports forwarded
BLANK LOG! Not a single entry in the WRVS4400N's log files.
Remember, there is nothing wrong with my client or server software, as demonstrated by bypassing the WRVS4400N. L2TP connections work fine until the WRVS4400N is in the mix.
So, I'm back to the same original question:
How do I enable L2TP traffic to an L2TP server behind a WRVS4400N in a manner that actually works...?
Message Edited by DistortedLoop on 12-07-2008 08:02 AM -
L2TP over IPSEC Static NAT trouble
I have a 5510 that I have configured for L2TP over IPSEC, not using AnyConnect. As of right now I have two open issues that I cannot figure out. The first, and most prevalent, being: VPN clients are unable to ping/access any of the hosts that are assigned a static NAT from the inside interface to the outside interface. I was able to circumvent this by adding another static NAT to the public interface for the incoming clients, but this caused intermittent connectivity issues with inside hosts.
The second issue involves DNS. I have configured two DNS servers, both of which reside on the internal network and are in the split_tunnel ACL for VPN clients, but no clients are using this DNS. What is the workaround for using split tunneling AND internal DNS servers, if any?
I'm looking for any help someone might be able to give as I've had two different CCNAs look at this numerous times to no avail. The config is below.
To sum up, and put this in perspective, I need to be able to do the following...
VPN CLIENT (10.1.50.x) -> splitTunnel -> int G0/2 (COMCAST_PUBLIC) -> int G0/3(outside)(10.1.4.x) -> STATIC NAT from G0/0(inside)(10.103.x.x) -> NAT (10.1.4.x)
A ping from a VPN client to any internal host works fine, unless it is one that is NAT'd. You can see in the config where I added the extra STATIC NAT to try and fix the issue. And this works perfectly across the tunnel but only intermittently from the internal 10.1.4.x network.
As well as any help with DNS. Please advise, thank you.
-tony
: Saved
ASA Version 8.2(1)
hostname fw-01
enable password HOB2xUbkoBliqazl encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.103.6.0 K2CONT description K2 Control Network
name 10.103.5.0 K2FTP description K2 FTP Network
name 10.103.1.0 NET description Internal Network Core Subnet
name 10.1.4.0 WBND description WBND Business Network
name 178.3.200.173 WCIU-INEWS0 description WCIU iNEWS Server
name 178.3.200.174 WCIU-INEWS1 description WCIU iNEWS Server
name 10.103.2.50 ENG-PC description Engineering PC
name 10.103.2.56 NAV-PC description Navigator PC
name 10.103.2.77 PF-SVR-01 description Pathfire Server 01
name 69.55.236.230 RTISVR description "Rootlike Technologies, Inc. Server"
name 69.55.236.228 RTISVR1 description "Rootlike Technologies, Inc. Server"
name 10.103.2.0 GEN-NET description General Broadcast Network
name 10.103.4.0 INEWS-NET description INEWS Network
name 10.103.4.84 INEWS0 description WBND iNEWS Server 0
name 10.103.4.85 INEWS1 description WBND iNEWS Server 1
name 10.103.3.0 TELE-NET description TELEMETRICS Network
name 10.1.4.22 NAT-INEWS0 description "Public NAT address of iNEWS server 0"
name 10.1.4.23 NAT-INEWS1 description "Public NAT address of iNEWS server 1"
name 10.1.4.20 NAT-K2-FTP0 description "Public NAT address of K2 FTP Server 0"
name 10.1.4.21 NAT-K2-FTP1 description "Public NAT address of K2 FTP Server 0"
name 10.103.4.80 MOSGW description "MOS Gateway."
name 10.1.4.24 NAT-MOSGW description "Public NAT address of MOS Gateway."
name 10.103.2.74 PF-DUB-01 description PathFire Dub Workstation
name 209.118.74.10 PF-EXT-0 description PF External Server 0
name 209.118.74.19 PF-EXT-1 description PF External Server 1
name 209.118.74.26 PF-EXT-2 description PF External Server 2
name 209.118.74.80 PF-EXT-3 description PF External Server 3
name 10.103.4.37 PIXPWR description Pixel Power System 0
name 10.1.4.26 NAT-PIXPWR description "Public NAT address of PixelPower System 0"
name 10.103.4.121 ignite
name 10.103.3.89 telemetrics
name 10.1.4.50 vpn_3000
name 10.103.5.4 K2-FTP0 description K2 FTP Server 0
name 10.103.5.5 K2-FTP1 description K2 FTP Server 1
name 10.1.4.40 NAT-ENG-PC description Engineering HP
name 10.103.2.107 ENG-NAS description ENG-NAS-6TB
name 10.1.1.0 WCIU description WCIU
name 178.3.200.0 WCIU_Broadcast description WCIU_Broadcast
name 10.2.1.0 A-10.2.1.0 description WCIU 2
name 10.1.50.0 VPN-POOL description VPN ACCESS
interface Ethernet0/0
description "Internal Network 10.103.1.0/24"
nameif inside
security-level 100
ip address 10.103.1.1 255.255.255.0
interface Ethernet0/1
shutdown
no nameif
security-level 0
no ip address
interface Ethernet0/2
nameif COMCAST_PUBLIC
security-level 0
ip address 173.161.x.x 255.255.255.240
interface Ethernet0/3
description "WBND Business Network 10.1.4.0/24"
nameif outside
security-level 0
ip address 10.1.4.8 255.255.255.0
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
clock timezone Indiana -4
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type ICMP-OK
description "ICMP types we want to permit."
icmp-object echo
icmp-object echo-reply
icmp-object traceroute
icmp-object unreachable
icmp-object time-exceeded
object-group network INTERNAL-ALL
description "All internal networks."
network-object NET 255.255.255.0
network-object GEN-NET 255.255.255.0
network-object TELE-NET 255.255.255.0
network-object INEWS-NET 255.255.255.0
network-object K2FTP 255.255.255.0
network-object K2CONT 255.255.255.0
object-group service W3C
description "HTTP/S"
service-object tcp eq www
service-object tcp eq https
object-group service FTP-ALL
description "FTP Active/Passive."
service-object tcp eq ftp
service-object tcp eq ftp-data
object-group service INEWS-CLI
description "Ports required for INEWS client/server communications."
service-object tcp eq telnet
service-object tcp eq login
service-object tcp eq 600
service-object tcp eq 49153
service-object tcp eq 49152
service-object tcp-udp eq 1020
service-object tcp-udp eq 1019
group-object W3C
group-object FTP-ALL
service-object tcp eq ssh
service-object tcp-udp eq 1034
service-object tcp-udp eq 1035
object-group service NET-BASE
description "Base network services required by all."
service-object tcp-udp eq 123
service-object udp eq domain
object-group network INEWS-SVR
description "iNEWS Servers."
network-object INEWS0 255.255.255.255
network-object INEWS1 255.255.255.255
object-group network WCIU-INEWS
description "iNEWS Servers at WCIU."
network-object WCIU-INEWS0 255.255.255.255
network-object WCIU-INEWS1 255.255.255.255
object-group network K2-FTP
description "K2 Servers"
network-object host K2-FTP0
network-object host K2-FTP1
object-group network PF-SYS
description Internal PathFire Systems
network-object host PF-DUB-01
network-object host PF-SVR-01
object-group network INET-ALLOWED
description "Hosts that are allowed Internet access (HTTP/FTP) and a few other basic protocols.
network-object host ENG-PC
network-object host NAV-PC
network-object host PF-SVR-01
group-object INEWS-SVR
group-object K2-FTP
group-object PF-SYS
network-object host PIXPWR
network-object K2CONT 255.255.255.0
object-group service GoToAssist
description "Port required for Citrix GoToAssist remote support sessions (along with HTTP/S)"
service-object tcp eq 8200
object-group service DM_INLINE_SERVICE_1
group-object FTP-ALL
group-object W3C
service-object tcp eq ssh
service-object tcp eq telnet
group-object GoToAssist
object-group network RTI
network-object host RTISVR1
network-object host RTISVR
object-group network NAT-K2-SVR
description "Public NAT addresses of K2 Servers."
network-object host NAT-K2-FTP0
network-object host NAT-K2-FTP1
object-group network NAT-INEWS-SVR
description "Public NAT addresses of iNEWS servers."
network-object host NAT-INEWS0
network-object host NAT-INEWS1
object-group service INEWS-SVCS
description "Ports required for iNEWS inter-server communication.
group-object INEWS-CLI
service-object tcp eq 1022
service-object tcp eq 1023
service-object tcp eq 2048
service-object tcp eq 698
service-object tcp eq 699
object-group service MOS
description "Ports used for MOS Gateway Services."
service-object tcp eq 10540
service-object tcp eq 10541
service-object tcp eq 6826
service-object tcp eq 10591
object-group network DM_INLINE_NETWORK_1
network-object host WCIU-INEWS0
network-object host WCIU-INEWS1
object-group network DM_INLINE_NETWORK_2
network-object GEN-NET 255.255.255.0
network-object INEWS-NET 255.255.255.0
object-group network PF-Svrs
description External PathfFire Servers
network-object host PF-EXT-0
network-object host PF-EXT-1
network-object host PF-EXT-2
network-object host PF-EXT-3
object-group service PF
description PathFire Services
group-object FTP-ALL
service-object tcp eq 1901
service-object tcp eq 24999
service-object udp range 6652 6654
service-object udp range 6680 6691
object-group service GVG-SDB
description "Ports required by GVG SDB Client/Server Communication."
service-object tcp eq 2000
service-object tcp eq 2001
service-object tcp eq 3000
service-object tcp eq 3001
object-group service MS-SVCS
description "Ports required for Microsoft networking."
service-object tcp-udp eq 135
service-object tcp eq 445
service-object tcp eq ldap
service-object tcp eq ldaps
service-object tcp eq 3268
service-object tcp eq 3269
service-object tcp-udp eq cifs
service-object tcp-udp eq domain
service-object tcp-udp eq kerberos
service-object tcp eq netbios-ssn
service-object udp eq kerberos
service-object udp eq netbios-ns
service-object tcp-udp eq 139
service-object udp eq netbios-dgm
service-object tcp eq cifs
service-object tcp eq kerberos
service-object udp eq cifs
service-object udp eq domain
service-object udp eq ntp
object-group service DM_INLINE_SERVICE_2
group-object MS-SVCS
group-object NET-BASE
group-object GVG-SDB
group-object W3C
object-group service DM_INLINE_SERVICE_3
group-object GVG-SDB
group-object MS-SVCS
group-object W3C
object-group service PIXEL-PWR
description "Pixel Power Services"
service-object tcp-udp eq 10250
object-group service DM_INLINE_SERVICE_4
group-object FTP-ALL
group-object GoToAssist
group-object NET-BASE
group-object PIXEL-PWR
group-object W3C
group-object MS-SVCS
service-object ip
object-group service DM_INLINE_SERVICE_5
group-object MS-SVCS
group-object NET-BASE
group-object PIXEL-PWR
group-object W3C
object-group service IG-TELE tcp-udp
port-object range 2500 49501
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object tcp
object-group network DM_INLINE_NETWORK_3
network-object host ENG-PC
network-object host NAT-ENG-PC
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object udp
protocol-object icmp
object-group network DM_INLINE_NETWORK_4
network-object WCIU 255.255.255.0
network-object WBND 255.255.255.0
network-object WCIU_Broadcast 255.255.255.0
object-group network il2k_test
network-object 207.32.225.0 255.255.255.0
object-group network DM_INLINE_NETWORK_8
network-object WCIU 255.255.255.0
network-object WBND 255.255.255.0
network-object A-10.2.1.0 255.255.255.0
object-group service DM_INLINE_SERVICE_8
service-object ip
group-object INEWS-CLI
service-object icmp
service-object udp
object-group service DM_INLINE_SERVICE_6
service-object ip
group-object MS-SVCS
object-group network DM_INLINE_NETWORK_5
network-object WCIU 255.255.255.0
network-object WBND 255.255.255.0
network-object A-10.2.1.0 255.255.255.0
object-group service DM_INLINE_SERVICE_7
service-object ip
service-object icmp
service-object udp
group-object INEWS-CLI
object-group network DM_INLINE_NETWORK_9
network-object host NAT-INEWS0
network-object host INEWS0
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
protocol-object tcp
object-group network VPN-POOL
description "IP range assigned to dial-up IPSec VPN."
network-object VPN-POOL 255.255.255.0
object-group network DM_INLINE_NETWORK_6
network-object WBND 255.255.255.0
network-object WCIU_Broadcast 255.255.255.0
network-object A-10.2.1.0 255.255.255.0
network-object WCIU 255.255.255.0
network-object VPN-POOL 255.255.255.0
object-group network DM_INLINE_NETWORK_7
network-object WBND 255.255.255.0
network-object VPN-POOL 255.255.255.0
network-object A-10.2.1.0 255.255.255.0
network-object WCIU 255.255.255.0
object-group network DM_INLINE_NETWORK_10
network-object TELE-NET 255.255.255.0
network-object host ignite
access-list inbound extended permit object-group DM_INLINE_SERVICE_5 any host NAT-PIXPWR
access-list inbound extended permit object-group FTP-ALL any host NAT-K2-FTP1
access-list inbound extended permit object-group FTP-ALL any host NAT-K2-FTP0
access-list inbound extended permit object-group INEWS-CLI any host NAT-INEWS1
access-list inbound extended permit object-group INEWS-CLI any host NAT-INEWS0
access-list inbound extended permit object-group INEWS-SVCS object-group DM_INLINE_NETWORK_1 object-group NAT-INEWS-SVR
access-list inbound extended permit object-group DM_INLINE_SERVICE_7 object-group DM_INLINE_NETWORK_5 host NAT-INEWS1
access-list inbound extended permit object-group DM_INLINE_SERVICE_8 object-group DM_INLINE_NETWORK_8 object-group DM_INLINE_NETWORK_9
access-list inbound extended permit object-group MOS WBND 255.255.255.0 host NAT-MOSGW
access-list inbound extended permit icmp WBND 255.255.255.0 K2FTP 255.255.255.0 object-group ICMP-OK
access-list inbound extended permit object-group FTP-ALL WBND 255.255.255.0 object-group NAT-K2-SVR
access-list inbound extended permit object-group FTP-ALL WBND 255.255.255.0 K2FTP 255.255.255.0
access-list inbound extended permit object-group DM_INLINE_PROTOCOL_2 object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_3
access-list inbound extended permit icmp any any object-group ICMP-OK
access-list inbound extended permit object-group DM_INLINE_PROTOCOL_1 host ignite host telemetrics
access-list inbound extended permit object-group MS-SVCS any WBND 255.255.255.0
access-list inbound extended permit ip any any
access-list inbound extended permit object-group DM_INLINE_PROTOCOL_2 WBND 255.255.255.0 object-group DM_INLINE_NETWORK_3
access-list inbound extended permit object-group MS-SVCS any any
access-list inbound extended permit object-group INEWS-CLI WBND 255.255.255.0 object-group NAT-INEWS-SVR
access-list inbound extended permit object-group DM_INLINE_PROTOCOL_3 any WBND 255.255.255.0
access-list inbound extended permit ip any 173.161.x.x 255.255.255.240
access-list inbound extended permit ip any 207.32.225.0 255.255.255.0
access-list inbound extended permit ip WBND 255.255.255.0 host 70.194.x.x
access-list outbound extended deny ip object-group DM_INLINE_NETWORK_10 any
access-list outbound extended permit object-group DM_INLINE_SERVICE_4 host PIXPWR any
access-list outbound extended permit object-group INEWS-SVCS object-group INEWS-SVR object-group WCIU-INEWS
access-list outbound extended permit object-group INEWS-CLI object-group DM_INLINE_NETWORK_2 object-group WCIU-INEWS
access-list outbound extended permit object-group DM_INLINE_SERVICE_1 object-group INET-ALLOWED any
access-list outbound extended permit object-group NET-BASE object-group INTERNAL-ALL any
access-list outbound extended permit icmp any any object-group ICMP-OK
access-list outbound extended permit ip GEN-NET 255.255.255.0 any
access-list outbound extended permit ip host ignite host telemetrics
access-list outbound extended permit ip host NAV-PC host 10.103.2.18
access-list outbound extended permit ip any GEN-NET 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit WBND 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit WCIU 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit VPN-POOL 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit WCIU_Broadcast 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit A-10.2.1.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.3.1.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.3.200.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip NET 255.255.255.0 object-group INTERNAL-ALL
access-list COMCAST_access_in extended permit ip any any
access-list COMCAST_PUBLIC_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging buffer-size 100000
logging asdm-buffer-size 512
logging monitor notifications
logging buffered notifications
logging asdm notifications
mtu inside 1500
mtu COMCAST_PUBLIC 1500
mtu outside 1500
mtu management 1500
ip local pool VPN-POOL 10.1.50.1-10.1.50.254 mask 255.255.255.0
ipv6 access-list inside_access_ipv6_in deny ip any any
ipv6 access-list inside_access_ipv6_in remark "ACL denying all outbound IPv6 traffic (and logging it)."
ipv6 access-list inside_access_ipv6_in remark "ACL denying all outbound IPv6 traffic (and logging it)."
ipv6 access-list inside_access_ipv6_in remark "ACL denying all outbound IPv6 traffic (and logging it)."
ipv6 access-list outside_access_ipv6_in deny ip any any
ipv6 access-list outside_access_ipv6_in remark "ACL denying all inbound IPv6 traffic (and logging it)."
ipv6 access-list outside_access_ipv6_in remark "ACL denying all inbound IPv6 traffic (and logging it)."
ipv6 access-list outside_access_ipv6_in remark "ACL denying all inbound IPv6 traffic (and logging it)."
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any COMCAST_PUBLIC
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any unreachable outside
no asdm history enable
arp timeout 14400
global (COMCAST_PUBLIC) 1 173.161.x.x
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 dns
static (inside,outside) NAT-K2-FTP0 K2-FTP0 netmask 255.255.255.255 dns
static (inside,outside) NAT-K2-FTP1 K2-FTP1 netmask 255.255.255.255 dns
static (inside,outside) NAT-INEWS0 INEWS0 netmask 255.255.255.255 dns
static (inside,outside) NAT-INEWS1 INEWS1 netmask 255.255.255.255 dns
static (inside,outside) NAT-MOSGW MOSGW netmask 255.255.255.255 dns
static (inside,outside) NAT-PIXPWR PIXPWR netmask 255.255.255.255 dns
static (inside,outside) NAT-ENG-PC ENG-PC netmask 255.255.255.255 dns
static (inside,COMCAST_PUBLIC) 10.1.4.39 ENG-NAS netmask 255.255.255.255 dns
access-group outbound in interface inside per-user-override
access-group inside_access_ipv6_in in interface inside per-user-override
access-group outbound in interface COMCAST_PUBLIC
access-group outside_access_in in interface outside
access-group outside_access_ipv6_in in interface outside
route COMCAST_PUBLIC 0.0.0.0 0.0.0.0 173.161.x.x 1
route outside 0.0.0.0 0.0.0.0 10.1.4.1 100
route outside WCIU 255.255.255.0 10.1.4.11 1
route outside A-10.2.1.0 255.255.255.0 10.1.4.1 1
route inside 10.11.1.0 255.255.255.0 10.103.1.73 1
route inside GEN-NET 255.255.255.0 10.103.1.2 1
route inside TELE-NET 255.255.255.0 10.103.1.2 1
route inside INEWS-NET 255.255.255.0 10.103.1.2 1
route inside K2FTP 255.255.255.0 10.103.1.62 1
route inside K2CONT 255.255.255.0 10.103.1.62 1
route outside WCIU_Broadcast 255.255.255.0 10.1.4.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server DOMCON protocol radius
accounting-mode simultaneous
aaa-server DOMCON (outside) host 10.1.4.17
timeout 5
key Tr3at!Ne
acl-netmask-convert auto-detect
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http NET 255.255.255.0 inside
http GEN-NET 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set il2k-trans esp-aes-256 esp-sha-hmac
crypto ipsec transform-set il2k-transform-set esp-3des esp-sha-hmac
crypto ipsec transform-set il2k-transform-set mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set peer WBND
crypto dynamic-map dyno 10 set transform-set il2k-transform-set il2k-trans
crypto map VPN 10 ipsec-isakmp dynamic dyno
crypto map VPN interface COMCAST_PUBLIC
crypto map VPN interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable COMCAST_PUBLIC
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
crypto isakmp disconnect-notify
telnet timeout 5
ssh scopy enable
ssh NET 255.255.255.0 inside
ssh GEN-NET 255.255.255.0 inside
ssh VPN-POOL 255.255.255.0 COMCAST_PUBLIC
ssh 10.103.1.224 255.255.255.240 outside
ssh WBND 255.255.255.0 outside
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 20
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.103.2.52 source inside prefer
webvpn
enable inside
enable outside
svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 1
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 10.1.4.17 10.1.1.21
vpn-tunnel-protocol l2tp-ipsec
ipsec-udp enable
group-policy DfltGrpPolicy attributes
dns-server value 10.1.4.17 10.1.1.21
vpn-simultaneous-logins 100
vpn-idle-timeout 120
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value MAINSERV
intercept-dhcp enable
address-pools value VPN-POOL
group-policy il2k internal
group-policy il2k attributes
dns-server value 10.1.4.17
vpn-tunnel-protocol l2tp-ipsec
ipsec-udp enable
username DefaultRAGroup password F1C2vupePix5SQn3t9BAZg== nt-encrypted
username tsimons password F1C2vupePix5SQn3t9BAZg== nt-encrypted privilege 15
username interlink password 4QnXXKO..Ry/9yKL encrypted
username iphone password TQrRGN4aXV4OVyavS5T/Ow== nt-encrypted
username iphone attributes
service-type remote-access
username hriczo password OSruMCto90cxZoWxHllC5A== nt-encrypted
username hriczo attributes
service-type remote-access
username cheighway password LqxYepmj5N6LE2zMU+CuPA== nt-encrypted privilege 15
username cheighway attributes
vpn-group-policy il2k
service-type admin
username jason password D8PHWEPGhNLOBxNHo0nQmQ== nt-encrypted
username roscor password jLkgabJ1qUf3hXax encrypted
username roscor attributes
service-type admin
tunnel-group DefaultRAGroup general-attributes
address-pool VPN-POOL
authentication-server-group DOMCON LOCAL
authentication-server-group (outside) LOCAL
authentication-server-group (inside) LOCAL
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:4b7c375a2b09feacdf760d10092cf73f
: end
No one? I'd be happy to provide any more info if someone needs it, I'm just looking for some sort of direction. I did almost this whole config by myself and I'm completely self-taught Cisco, so weird things like this really throw me.
Please help. Thank you -
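One thing a reviewer would check in a config like the one posted above is ACL ordering: the ASA evaluates an access-list top-down and stops at the first match, so a `permit ip any any` entry makes every later line in the same list unreachable and opens the interface to everything. The script below is an added example, not the poster's or Cisco's code; it parses ASA-style `access-list ... extended` lines and reports each catch-all entry and the entries it shadows. The sample lines are constructed to mirror the pattern in the post (object-group names borrowed from it, a documentation address in place of the masked public range).

```python
"""Lint ASA-style access-list lines for catch-all ACEs and the entries they shadow."""
from __future__ import annotations

import re
from dataclasses import dataclass

# One extended ACE: access-list <name> extended <permit|deny> <proto | object-group X> <addresses ...>
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>object-group\s+\S+|\S+)\s+(?P<rest>.*)$"
)


@dataclass
class Finding:
    acl: str
    line_no: int
    kind: str      # "catch-all" or "shadowed"
    text: str


def parse_ace(line: str) -> dict | None:
    """Return the fields of an extended ACE, or None for any other config line."""
    m = ACE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_catch_all(ace: dict) -> bool:
    """True for 'permit ip any any' (optionally followed by keywords such as 'log')."""
    tokens = ace["rest"].split()
    return ace["action"] == "permit" and ace["proto"] == "ip" and tokens[:2] == ["any", "any"]


def lint_acls(config_text: str) -> list[Finding]:
    """First match wins on the ASA, so every ACE after a catch-all in the same
    list can never be hit; report the catch-all and everything it shadows."""
    findings: list[Finding] = []
    catch_all_at: dict[str, int] = {}          # ACL name -> line of its catch-all
    for n, line in enumerate(config_text.splitlines(), 1):
        ace = parse_ace(line)
        if ace is None:
            continue
        if ace["name"] in catch_all_at:
            findings.append(Finding(ace["name"], n, "shadowed", line.strip()))
        elif is_catch_all(ace):
            catch_all_at[ace["name"]] = n
            findings.append(Finding(ace["name"], n, "catch-all", line.strip()))
    return findings


# Constructed sample (not the poster's exact rules); 203.0.113.16/28 stands in for the masked range.
SAMPLE = """\
access-list inbound extended permit object-group FTP-ALL any host NAT-K2-FTP0
access-list inbound extended permit icmp any any object-group ICMP-OK
access-list inbound extended permit ip any any
access-list inbound extended permit object-group MS-SVCS any any
access-list inbound extended permit ip any 203.0.113.16 255.255.255.240
access-list outbound extended deny ip object-group DM_INLINE_NETWORK_10 any
access-list outbound extended permit icmp any any object-group ICMP-OK
access-list outside_access_in extended permit ip any any
"""

if __name__ == "__main__":
    for f in lint_acls(SAMPLE):
        print(f"{f.acl}: line {f.line_no} {f.kind}: {f.text}")
```

Run against a full `show running-config`, the same logic also tells you whether the catch-all is bound to an outside-facing interface (`access-group outside_access_in in interface outside`), which is where an entry like this matters most.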
Web Server 6.1 / App Server 7 passthrough
Hi
Having read a couple of posts regarding passthrough functionality between Web Server and App Server, we are still having problems that we hope someone can comment on.
We are running Sun ONE Web Server 6.1 and Sun ONE Application Server 7 (update 2) on the same server with passthrough enabled from the virtual hosts on the web server to the App server. We are using the following obj.conf settings for all our VS web servers but find that when the app server responds with a redirection to index.jsp the Web server does not correctly interpret the context and gives 404 errors. Any advice anyone can provide would be greatly appreciated.
<Object name="passthrough">
ObjectType fn="force-type" type="magnus-internal/passthrough"
PathCheck fn="deny-existence" path="*/WEB-INF/*"
Service type="magnus-internal/passthrough" fn="service-passthrough" servers="localhost:81"
Error reason="Bad Gateway" fn="send-error" uri="$docroot/badgateway.html"
</Object>
<Object name="default">
NameTrans fn="assign-name" from="(/*|index.jsp)" name="passthrough"
AuthTrans fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true"
NameTrans fn="ntrans-j2ee" name="j2ee"
NameTrans fn="pfx2dir" from="/mc-icons" dir="/apps/WebServer/ns-icons" name="es-internal"
NameTrans fn="document-root" root="$docroot"
PathCheck fn="unix-uri-clean"
PathCheck fn="check-acl" acl="default"
PathCheck fn="find-pathinfo"
PathCheck fn="find-index" index-names="admin.jsp,index.html,home.html,index.jsp"
PathCheck fn="set-cache-control" control="no-cache"
ObjectType fn="type-by-extension"
ObjectType fn="force-type" type="text/plain"
Service method="(GET|HEAD)" type="magnus-internal/imagemap" fn="imagemap"
Service method="(GET|HEAD)" type="magnus-internal/directory" fn="index-common"
Service method="(GET|HEAD)" type="*~magnus-internal/*" fn="send-file"
Service method="TRACE" fn="service-trace"
Error fn="error-j2ee"
AddLog fn="flex-log" name="access"
</Object>
<Object name="j2ee">
ObjectType fn="force-type" type="text/html,*/*"
Service fn="service-j2ee" method="*"
</Object>
<Object name="cgi">
ObjectType fn="force-type" type="magnus-internal/cgi"
Service fn="send-cgi" user="$user" group="$group" dir="$dir" chroot="$chroot" nice="$nice"
</Object>
<Object name="es-internal">
PathCheck fn="check-acl" acl="es-internal"
</Object>
<Object name="send-precompressed">
PathCheck fn="find-compressed"
</Object>
<Object name="compress-on-demand">
Output fn="insert-filter" filter="http-compression"
</Object>
thanks!!!
I don't think I explained very well! What I am trying to say is that when the web server receives a response from the App Server (i.e. a redirection to /index.jsp) the browser then tries to refer to this file on the Web Server, where it doesn't exist. I don't know if this is any clearer!
-
Currently trying to establish L2TP IPSec VPN tunnels between Windows XP remote client and Windows 2003 RRAS Server.
Both the XP remote client and the W2003 RRAS Server are behind RVS4000 routers.
Have established that the W2003 RRAS server will accept L2TP IPSec connections from clients behind the Cisco RVS4000 router [LAN clients].
Can not establish remote L2TP IPSec connections through the RVS4000 routers. Have established that PPTP VPN works through the RVS4000 routers. Both routers are running version 1.3.0.5
Both RVS 4000 routers are configured for PPTP, IPSec, & L2TP VPN passthrough with UDP port 1701 being forwarded to the RRAS server by the RVS 4000 router. PPTP VPN connections have no problem.
Error code is 792
The problem appears to be with IPSec passthrough. UDP port 1701 is being forwarded to the RRAS server. Can not create port rules for IKE 500 or IP Protocol 50/4500 on the RVS4000 because those policies conflict with forwarding UDP1701.
Any guidance on why the IPSec fails through the RVS4000 for remote access clients but IPSec is successful in establishing a connection to the RRAS server using LAN clients?
I repeat one more time: Never ever forward port UDP 1701. You don't want to expose the L2TP server to the internet. If the server is configured correctly on your VPN server then it won't accept direct access to UDP port 1701 anyway. But still you don't want to do it.
L2TP or better L2TP over IPSec tunnels L2TP traffic on UDP 1701 inside an IPSec tunnel between the client and the server. If you run your VPN server inside your LAN behind a NAT router all you ever want to forward for that purpose is IPSec, i.e. ports UDP 500 and TCP/UDP 4500. Nothing else. For L2TP over IPSec all the router will ever see is IPSec traffic. The L2TP traffic is encrypted inside the IPSec tunnel. The router does not know about this.
If you forward UDP 1701 to your L2TP server you expose the L2TP server directly to the internet, removing the pre-shared key or certificate authentication and encryption of IPSec. All L2TP is then completely unencrypted if someone has an L2TP (with no IPSec) client to connect.
The standard Windows L2TP/IPSec won't connect directly to L2TP without IPSec.
Even if the RVL allows you to forward UDP 1701 don't do it. If your VPN connection to your VPN server only works with this forwarding in place then you have a big problem with your whole VPN configuration because as I have mentioned before the router should never see any VPN traffic on UDP 1701 as it is supposed to be fully encrypted and hidden inside the IPSec tunnel... -
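The answer above makes a point worth seeing on the wire: with L2TP over IPsec, a NAT router only ever sees IKE on UDP 500, NAT-T on UDP 4500 (which carries either IKE behind a four-zero-byte non-ESP marker or UDP-encapsulated ESP) and, without NAT-T, raw ESP (IP protocol 50); the L2TP header on UDP 1701 is readable only when the tunnel is not wrapped in IPsec. The script below is an added example, not part of the forum answer: it classifies constructed packets the way a router on the path would see them, decodes the RFC 2661 L2TPv2 header of anything reachable in the clear, and returns those exposed packets so a capture can be checked for a forwarding rule that leaks plain L2TP. All packets are hand-built, not captured.

```python
"""Classify what a NAT router sees for L2TP/IPsec versus exposed plain L2TP."""
import struct
from dataclasses import dataclass

IPPROTO_UDP = 17
IPPROTO_ESP = 50
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 2.2: IKE on UDP 4500 starts with four zero bytes


@dataclass
class Packet:
    proto: int      # IP protocol number
    dport: int      # UDP destination port (ignored for non-UDP)
    payload: bytes  # transport payload (UDP data, or the ESP packet itself)


def classify(pkt: Packet) -> str:
    """Name the traffic as the router would see it on the wire."""
    if pkt.proto == IPPROTO_ESP:
        return "esp"                 # encrypted; any L2TP inside is invisible
    if pkt.proto != IPPROTO_UDP:
        return "other"
    if pkt.dport == 500:
        return "ike"
    if pkt.dport == 4500:
        if pkt.payload == b"\xff":
            return "natt-keepalive"  # RFC 3948 2.3: one 0xFF byte
        if pkt.payload.startswith(NON_ESP_MARKER):
            return "ike-natt"        # IKE behind the non-ESP marker
        return "esp-udp"             # UDP-encapsulated ESP (the SPI is never zero)
    if pkt.dport == 1701:
        return "l2tp-plain"          # L2TP reachable without IPsec: header readable below
    return "other"


def l2tp_header(payload: bytes) -> dict:
    """Decode the RFC 2661 L2TPv2 header of an unencrypted datagram."""
    (flags,) = struct.unpack("!H", payload[:2])
    version = flags & 0x000F
    if version != 2:
        raise ValueError(f"not an L2TPv2 header (version field {version})")
    off = 2
    length = None
    if flags & 0x4000:                         # L bit: length field present
        (length,) = struct.unpack("!H", payload[off:off + 2])
        off += 2
    tunnel_id, session_id = struct.unpack("!HH", payload[off:off + 4])
    off += 4
    ns = nr = None
    if flags & 0x0800:                         # S bit: Ns/Nr present
        ns, nr = struct.unpack("!HH", payload[off:off + 4])
    return {"control": bool(flags & 0x8000), "length": length,
            "tunnel_id": tunnel_id, "session_id": session_id, "ns": ns, "nr": nr}


def exposed_l2tp(packets: list) -> list:
    """Packets whose L2TP header the router (or anyone on the path) can read."""
    return [p for p in packets if classify(p) == "l2tp-plain"]


# Constructed packets: IKE, NAT-T IKE, UDP-ESP, raw ESP, keepalive, and a bare L2TP SCCRQ
# (control message, L and S bits set, tunnel/session 0 as on the first message of a tunnel).
SAMPLE = [
    Packet(IPPROTO_UDP, 500, bytes(28)),
    Packet(IPPROTO_UDP, 4500, NON_ESP_MARKER + bytes(28)),
    Packet(IPPROTO_UDP, 4500, b"\x12\x34\x56\x78" + b"\x00\x00\x00\x01" + b"\xaa" * 16),
    Packet(IPPROTO_ESP, 0, b"\x12\x34\x56\x78" + b"\x00\x00\x00\x02" + b"\xbb" * 16),
    Packet(IPPROTO_UDP, 4500, b"\xff"),
    Packet(IPPROTO_UDP, 1701, struct.pack("!HHHHHH", 0xC802, 12, 0, 0, 0, 0)),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.proto, p.dport, classify(p))
    for p in exposed_l2tp(SAMPLE):
        print("readable L2TP header:", l2tp_header(p.payload))
```

Feeding `l2tp_header` the ESP-in-UDP payload raises, which is the point: once the tunnel is inside IPsec there is no L2TP header for the router, or an attacker, to parse, so the only forwards a NAT box needs for an L2TP/IPsec server are the IKE/NAT-T ports (and ESP where NAT-T is not in use), exactly as the answer says.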
Fail to establish IPsec with BlackBerry PlayBook
ASA fails to establish a connection with the BlackBerry PlayBook, but when using the Cisco client to test, the connection is established....pls help...Thanks in advance... The PlayBook error is "Failed to established connection. (Timeout)".
Logs when connecting through playbook...and the configuration....
ip local pool Playbook_pool 192.168.104.220-192.168.104.225 mask 255.255.255.0
access-list nonat extended permit ip 192.168.110.0 255.255.255.0 192.168.104.0 255.255.255.0
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 192.168.104.0 255.255.255.0
access-list nonat extended permit ip 192.168.101.0 255.255.255.0 192.168.104.0 255.255.255.0
access-list nonat extended permit ip 192.168.111.0 255.255.255.0 192.168.104.0 255.255.255.0
access-list nonat extended permit ip 10.10.21.0 255.255.255.0 192.168.104.0 255.255.255.0
group-policy playbook_vpn_group internal
group-policy playbook_vpn_group attributes
vpn-idle-timeout 30
vpn-session-timeout 480
vpn-tunnel-protocol IPSec
ipsec-udp enable
tunnel-group playbook_users_group type remote-access
tunnel-group playbook_users_group general-attributes
address-pool Playbook_pool
authentication-server-group SecurID
default-group-policy playbook_vpn_group
tunnel-group playbook_users_group ipsec-attributes
pre-shared-key *
crypto ipsec transform-set AES_SHA esp-aes esp-sha-hmac
crypto dynamic-map PlayBookusers 2 set transform-set AES_SHA
crypto dynamic-map PlayBookusers 2 set security-association lifetime seconds 28800
crypto dynamic-map PlayBookusers 2 set security-association lifetime kilobytes 4608000
crypto map q9OutsideMap 45 ipsec-isakmp dynamic PlayBookusers
crypto isakmp policy 45
authentication pre-share
encryption aes
hash sha
group 5
lifetime 28800
BLACKBERRY PLAYBOOK CONFIG:
profile: profile1
server address: outside IP address
gateway type: Cisco asa
authentication type: XAUTH-PSK
group username: playbook_users_group
group pwd: shared key as same as in asa tunnel-group
username: username
pwd: rsa secure ID
automatically determine IP: checked
automatically determine DNS: checked
IKE DH Group: 2
IKE Cipher: Aes (128-bit-key)
IKE Hash: SHA1
IKE PRF: HMAC
IPSec DH Group: 2
IPSec Cipher: AES(128-bit-key)
IPSec Hash: SHA1
IKE lifetime(seconds): 28800
IPSec lifetime(seconds): 3600
NAT keepalive(seconds): 30
DPD frequency(seconds): 240
Disable banner: checked
use HTTP proxy: unchecked
Hi there,
At this point in time, this feature is not available on the BlackBerry PlayBook, only on your BlackBerry smartphone.
I hope this info helps!
-
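Whatever the PlayBook supported at the time, the first thing to do with a phase-1 timeout is to line the two sides' proposals up next to each other. The script below is an added example, not the ASA's negotiation code: it transcribes the ASA lines and the PlayBook profile fields from the post above into one structure each and reports the attributes on which they cannot agree. On the values as posted the only difference is the IKE DH group (policy 45 uses group 5, the profile asks for group 2); that is one thing to check in the ASA's ISAKMP debug output, with the caveat that only the one policy and transform-set shown in the post are compared, so an ASA with further policies could still match. Lifetimes are deliberately not flagged, since an IKEv1 responder accepts a shorter lifetime from the initiator.

```python
"""Compare IKEv1 phase-1/phase-2 proposals transcribed from the posted ASA config and PlayBook profile."""
from dataclasses import dataclass
from typing import Optional

# ASA keywords mapped to the vocabulary the PlayBook profile uses, so both sides compare alike.
ASA_IKE_ENC = {"des": "des", "3des": "3des", "aes": "aes-128", "aes-192": "aes-192", "aes-256": "aes-256"}
ASA_IKE_HASH = {"sha": "sha1", "md5": "md5"}
ASA_ESP_ENC = {"esp-des": "des", "esp-3des": "3des", "esp-aes": "aes-128",
               "esp-aes-192": "aes-192", "esp-aes-256": "aes-256"}
ASA_ESP_HASH = {"esp-sha-hmac": "sha1", "esp-md5-hmac": "md5"}


@dataclass(frozen=True)
class Proposal:
    ike_enc: str
    ike_hash: str
    ike_dh: int
    esp_enc: str
    esp_hash: str
    pfs_dh: Optional[int] = None   # phase-2 DH group; None when PFS is not configured


def parse_asa(config: str) -> Proposal:
    """Read one 'crypto isakmp policy' block and one transform-set out of ASA config text."""
    vals: dict = {"pfs_dh": None}
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "encryption":
            vals["ike_enc"] = ASA_IKE_ENC[t[1]]
        elif t[0] == "hash":
            vals["ike_hash"] = ASA_IKE_HASH[t[1]]
        elif t[0] == "group":
            vals["ike_dh"] = int(t[1])
        elif t[:3] == ["crypto", "ipsec", "transform-set"] and t[4] in ASA_ESP_ENC:
            vals["esp_enc"] = ASA_ESP_ENC[t[4]]
            vals["esp_hash"] = ASA_ESP_HASH[t[5]]
        elif "pfs" in t and t[t.index("pfs") - 1] == "set":
            rest = t[t.index("pfs") + 1:]
            # "set pfs" with no group keyword means group 2 on the ASA
            vals["pfs_dh"] = int(rest[0].removeprefix("group")) if rest else 2
    return Proposal(**vals)


def compare(asa: Proposal, client: Proposal) -> list:
    """Attributes on which the two sides cannot agree (empty list: proposals line up).
    Lifetimes are not compared; the responder accepts a shorter lifetime from the initiator."""
    out = [n for n in ("ike_enc", "ike_hash", "ike_dh", "esp_enc", "esp_hash")
           if getattr(asa, n) != getattr(client, n)]
    # PFS is only comparable when both sides state a phase-2 group.
    if asa.pfs_dh is not None and client.pfs_dh is not None and asa.pfs_dh != client.pfs_dh:
        out.append("pfs_dh")
    return out


# Transcribed from the post: the ASA lines that define the proposal ...
ASA_CONFIG = """\
crypto ipsec transform-set AES_SHA esp-aes esp-sha-hmac
crypto dynamic-map PlayBookusers 2 set transform-set AES_SHA
crypto isakmp policy 45
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 28800
"""
# ... and the PlayBook profile fields (IKE: AES-128/SHA1/DH 2; IPsec: AES-128/SHA1/DH 2).
PLAYBOOK = Proposal(ike_enc="aes-128", ike_hash="sha1", ike_dh=2,
                    esp_enc="aes-128", esp_hash="sha1", pfs_dh=2)

if __name__ == "__main__":
    asa = parse_asa(ASA_CONFIG)
    print("ASA:     ", asa)
    print("PlayBook:", PLAYBOOK)
    print("mismatch:", compare(asa, PLAYBOOK) or "none")
```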
Hi,
I am trying to connect to my company's network through 3rd party VPN client using IPSec with authenticated headers. This doesn't seem to be supported by AirPort Express. Is there anything I can do to get this to work?
Thanks,
Charly
I am having the same problem. Cannot connect to the VPN with Airport Express. My IT guys says it's because Airport doesn't support IPSec passthrough, even though the specs page clearly states that it does. Apple?
http://www.apple.com/airportexpress/specs.html -
WiFi Clients getting interrupted by web passthrough
Hello,
I have a WLAN with web passthrough enabled. There is no authentication however we redirect the users to a web page that has our policy and users will have to click OK to be given access to the Internet. Some users are complaining that they have to open the browser and click OK almost every 20 minutes. In the WiSM I have disabled the session timeout thinking that it would not impose the web page frequently however it's not the case. Users are reporting that they sometimes have to close the browser and open again just to see the web page and be able to get access again. Users using handheld devices with WiFi capability are complaining more related to this web passthrough feature.
Hello,
This is because of the session timeout under your WLAN.
Go to WLAN --> Advanced and see if Session Timeout is checked with 1800 seconds.
This feature causes the client to get deauthenticated from the wireless network and reauthenticate. This feature is used to rekey your PTK keys with PSK and 802.1X. You can either set this to a larger time period or disable.