My remote AnyConnect VPN host cannot be pinged or accessed from inside the LAN
I have a remote VPN host via Anyconnect that can reach my LAN resources without a problem; however, there is a server application that must initiate sessions to the remote host and it cannot.
Hosts within my LAN cannot ping or connect to the remote host, even though its connectivity inbound is fine.
NAT issue?
Hi mega5llc1 ,
Can you run the following command and paste the output.
Packet-tracer input inside (or name of your inside int) icmp (server ip) 8 0 (VPN IP) detailed
Hope this helps
- Randy -
Similar Messages
-
Anyconnect VPN users cannot reach LAN
I know this topic has been beat to death, but I've beat myself to death trying to get it to work. I had this working, but didn't save, then the FW did a reboot when the breaker flipped. I can log in with the VPN client. I can't reach any of the LAN resources. I believe I need a NAT exemption and I believe that I have that configured correctly, but it's not working. From the logs I can see the VPN IP pool going to the external IP interface, which means NAT is happening, when it shouldn't be. What am I missing?
ip local pool vpn_pool 10.0.251.10-10.0.251.254 mask 255.255.255.0
interface Ethernet0/0
description OUTSIDE INTERFACE
duplex full
nameif outside
security-level 0
ip address dhcp setroute
interface Ethernet0/1
description INSIDE INTERFACE
duplex full
nameif inside
security-level 100
ip address 10.0.250.1 255.255.255.0
boot system disk0:/asa914-k8.bin
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network vpn-pool
subnet 10.0.251.0 255.255.255.0
object network VPN-POOL
subnet 10.0.251.0 255.255.255.0
object network LAN
subnet 10.0.250.0 255.255.255.0
object-group network PAT-SOURCE
network-object 10.0.250.0 255.255.255.0
network-object 10.0.251.0 255.255.255.0
access-list OUTSIDE_IN extended deny ip any4 any4 log debugging
access-list INSIDE_OUT extended permit ip object-group PAT-SOURCE any4 log debugging
ip verify reverse-path interface outside
no arp permit-nonconnected
nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
nat (outside,outside) source static VPN-POOL VPN-POOL destination static VPN-POOL VPN-POOL
nat (any,outside) after-auto source dynamic PAT-SOURCE interface
access-group OUTSIDE_IN in interface outside
access-group INSIDE_OUT in interface insidefirewall(config)# logging console 7
Jan 07 2014 14:41:49: %ASA-5-111008: User 'jshojayi' executed the 'logging console 7' command.
Jan 07 2014 14:41:49: %ASA-5-111010: User 'jshojayi', running 'CLI' from IP 0.0.0.0, executed 'logging console 7'
firewall(config)# Jan 07 2014 14:41:49: %ASA-6-302016: Teardown UDP connection 2097 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
Jan 07 2014 14:41:50: %ASA-7-106100: access-list INSIDE_OUT permitted udp inside/10.0.250.22(60524) -> outside/68.94.156.1(53) hit-cnt 1 first hit [0x2ee9b03d, 0x15ffa408]
Jan 07 2014 14:41:50: %ASA-6-305011: Built dynamic UDP translation from any:10.0.250.22/60524 to outside:99.66.187.4/60524
Jan 07 2014 14:41:50: %ASA-6-302015: Built outbound UDP connection 2098 for outside:68.94.156.1/53 (68.94.156.1/53) to inside:10.0.250.22/60524 (99.66.187.4/60524)
Jan 07 2014 14:41:50: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/61361 laddr 99.66.187.4/61361
Jan 07 2014 14:41:50: %ASA-6-302021: Teardown ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/61361 laddr 99.66.187.4/61361
Jan 07 2014 14:41:50: %ASA-6-302015: Built inbound UDP connection 2100 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)
Jan 07 2014 14:41:51: %ASA-7-106100: access-list INSIDE_OUT permitted udp inside/10.0.250.22(60524) -> outside/68.94.157.1(53) hit-cnt 1 first hit [0x2ee9b03d, 0x15ffa408]
Jan 07 2014 14:41:51: %ASA-6-302015: Built outbound UDP connection 2101 for outside:68.94.157.1/53 (68.94.157.1/53) to inside:10.0.250.22/60524 (99.66.187.4/60524)
Jan 07 2014 14:41:51: %ASA-6-302016: Teardown UDP connection 2100 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
Jan 07 2014 14:41:51: %ASA-6-305012: Teardown dynamic TCP translation from any:10.0.250.34/16140 to outside:99.66.187.4/16140 duration 0:01:01
Jan 07 2014 14:41:51: %ASA-6-302013: Built inbound TCP connection 2102 for outside:10.0.251.10/52558 (10.0.251.10/52558)(LOCAL\jshojayi) to inside:10.0.250.15/3389 (10.0.250.15/3389) (jshojayi)
Jan 07 2014 14:41:52: %ASA-6-302015: Built inbound UDP connection 2103 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)
Jan 07 2014 14:41:52: %ASA-4-410001: Dropped UDP DNS request from inside:10.0.250.22/54745 to outside:157.56.106.189/3544; label length 128 bytes exceeds protocol limit of 63 bytes
Jan 07 2014 14:41:52: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/62857 to outside:99.66.187.4/62857 duration 0:00:31
Jan 07 2014 14:41:52: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/61237 to outside:99.66.187.4/61237 duration 0:00:31
Jan 07 2014 14:41:52: %ASA-6-302016: Teardown UDP connection 2103 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
Jan 07 2014 14:41:53: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/28061 laddr 99.66.187.4/28061
Jan 07 2014 14:41:53: %ASA-7-710005: UDP request discarded from 10.0.251.10/61776 to outside:224.0.0.252/5355
Jan 07 2014 14:41:53: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/63938(LOCAL\jshojayi) to outside:99.66.187.4/63938
Jan 07 2014 14:41:53: %ASA-6-302015: Built inbound UDP connection 2105 for outside:10.0.251.10/63938 (99.66.187.4/63938)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
Jan 07 2014 14:41:53: %ASA-6-302021: Teardown ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/28061 laddr 99.66.187.4/28061
Jan 07 2014 14:41:53: %ASA-6-302016: Teardown UDP connection 2060 for outside:10.0.251.10/60840(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 165 (jshojayi)
Jan 07 2014 14:41:53: %ASA-6-302015: Built inbound UDP connection 2106 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)
Jan 07 2014 14:41:53: %ASA-6-302016: Teardown UDP connection 2061 for outside:10.0.251.10/58388(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 335 (jshojayi)
Jan 07 2014 14:41:53: %ASA-6-302016: Teardown UDP connection 2105 for outside:10.0.251.10/63938(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:00 bytes 134 (jshojayi)
Jan 07 2014 14:41:53: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/55378(LOCAL\jshojayi) to outside:99.66.187.4/55378
Jan 07 2014 14:41:53: %ASA-6-302015: Built inbound UDP connection 2107 for outside:10.0.251.10/55378 (99.66.187.4/55378)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
Jan 07 2014 14:41:53: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/51560(LOCAL\jshojayi) to outside:99.66.187.4/51560
Jan 07 2014 14:41:53: %ASA-6-302015: Built inbound UDP connection 2108 for outside:10.0.251.10/51560 (99.66.187.4/51560)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
Jan 07 2014 14:41:54: %ASA-7-710005: UDP request discarded from 10.0.251.10/61776 to outside:224.0.0.252/5355
Jan 07 2014 14:41:54: %ASA-6-302016: Teardown UDP connection 2106 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
Jan 07 2014 14:41:54: %ASA-6-302016: Teardown UDP connection 2107 for outside:10.0.251.10/55378(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:00 bytes 196 (jshojayi)
Jan 07 2014 14:41:54: %ASA-6-302016: Teardown UDP connection 2108 for outside:10.0.251.10/51560(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:00 bytes 160 (jshojayi)
Jan 07 2014 14:41:54: %ASA-6-302015: Built inbound UDP connection 2109 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)
Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2109 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
Jan 07 2014 14:41:55: %ASA-7-106100: access-list INSIDE_OUT permitted udp inside/10.0.250.22(54078) -> outside/68.94.156.1(53) hit-cnt 1 first hit [0x2ee9b03d, 0x15ffa408]
Jan 07 2014 14:41:55: %ASA-6-305011: Built dynamic UDP translation from any:10.0.250.22/54078 to outside:99.66.187.4/54078
Jan 07 2014 14:41:55: %ASA-6-302015: Built outbound UDP connection 2110 for outside:68.94.156.1/53 (68.94.156.1/53) to inside:10.0.250.22/54078 (99.66.187.4/54078)
Jan 07 2014 14:41:55: %ASA-6-302015: Built inbound UDP connection 2111 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)
Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2072 for outside:10.0.251.10/58472(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 210 (jshojayi)
Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2080 for outside:10.0.251.10/62680(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:10 bytes 210 (jshojayi)
Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2073 for outside:10.0.251.10/59472(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:10 bytes 210 (jshojayi)
Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2076 for outside:10.0.251.10/60425(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:10 bytes 210 (jshojayi)
Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2096 for outside:10.0.251.10/52985(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:07 bytes 175 (jshojayi)
Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2075 for outside:10.0.251.10/53507(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 210 (jshojayi)
Jan 07 2014 14:41:55: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(59472)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:41:55: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(60425)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:41:55: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(53507)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2077 for outside:10.0.251.10/57569(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 210 (jshojayi)
Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2078 for outside:10.0.251.10/54477(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 210 (jshojayi)
Jan 07 2014 14:41:55: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(62680)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2079 for outside:10.0.251.10/56608(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 210 (jshojayi)
Jan 07 2014 14:41:55: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(56608)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:41:59: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(54477)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:41:59: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(52985)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:41:59: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(57569)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:41:59: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(58472)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:41:59: %ASA-6-302016: Teardown UDP connection 2111 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
Jan 07 2014 14:41:59: %ASA-7-106100: access-list INSIDE_OUT permitted udp inside/10.0.250.22(54078) -> outside/68.94.157.1(53) hit-cnt 1 first hit [0x2ee9b03d, 0x15ffa408]
Jan 07 2014 14:41:59: %ASA-6-302015: Built outbound UDP connection 2112 for outside:68.94.157.1/53 (68.94.157.1/53) to inside:10.0.250.22/54078 (99.66.187.4/54078)
Jan 07 2014 14:41:59: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/5935 laddr 99.66.187.4/5935
Jan 07 2014 14:41:59: %ASA-6-302021: Teardown ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/5935 laddr 99.66.187.4/5935
Jan 07 2014 14:41:59: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(60840)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:41:59: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(58388)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:41:59: %ASA-6-302015: Built inbound UDP connection 2114 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)
Jan 07 2014 14:41:59: %ASA-6-302016: Teardown UDP connection 2114 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
Jan 07 2014 14:41:59: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/52140 to outside:99.66.187.4/52140 duration 0:00:31
Jan 07 2014 14:41:59: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/64609 to outside:99.66.187.4/64609 duration 0:02:32
Jan 07 2014 14:41:59: %ASA-6-302016: Teardown UDP connection 2092 for outside:10.0.251.10/51932(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 198 (jshojayi)
Jan 07 2014 14:41:59: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/57116(LOCAL\jshojayi) to outside:99.66.187.4/57116
Jan 07 2014 14:41:59: %ASA-6-302015: Built inbound UDP connection 2115 for outside:10.0.251.10/57116 (99.66.187.4/57116)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
Jan 07 2014 14:41:59: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/55793 laddr 99.66.187.4/55793
Jan 07 2014 14:41:59: %ASA-6-302021: Teardown ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/55793 laddr 99.66.187.4/55793
Jan 07 2014 14:42:00: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(51932)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:42:00: %ASA-6-302016: Teardown UDP connection 2115 for outside:10.0.251.10/57116(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:01 bytes 99 (jshojayi)
Jan 07 2014 14:42:00: %ASA-6-302015: Built inbound UDP connection 2117 for outside:10.0.251.10/57116 (99.66.187.4/57116)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
Jan 07 2014 14:42:00: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/58663(LOCAL\jshojayi) to outside:99.66.187.4/58663
Jan 07 2014 14:42:00: %ASA-6-302015: Built inbound UDP connection 2118 for outside:10.0.251.10/58663 (99.66.187.4/58663)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
Jan 07 2014 14:42:00: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/49740(LOCAL\jshojayi) to outside:99.66.187.4/49740
Jan 07 2014 14:42:00: %ASA-6-302015: Built inbound UDP connection 2119 for outside:10.0.251.10/49740 (99.66.187.4/49740)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
Jan 07 2014 14:42:00: %ASA-7-710005: UDP request discarded from 10.0.251.10/60970 to outside:224.0.0.252/5355
Jan 07 2014 14:42:04: %ASA-6-302016: Teardown UDP connection 2098 for outside:68.94.156.1/53 to inside:10.0.250.22/60524 duration 0:00:11 bytes 176
Jan 07 2014 14:42:04: %ASA-7-710005: UDP request discarded from 10.0.251.10/60970 to outside:224.0.0.252/5355
Jan 07 2014 14:42:04: %ASA-6-302016: Teardown UDP connection 2118 for outside:10.0.251.10/58663(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:00 bytes 148 (jshojayi)
Jan 07 2014 14:42:04: %ASA-6-302016: Teardown UDP connection 2119 for outside:10.0.251.10/49740(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:00 bytes 142 (jshojayi)
Jan 07 2014 14:42:04: %ASA-6-302020: Built outbound ICMP connection for faddr 68.94.157.1/0 gaddr 99.66.187.4/0 laddr 10.0.250.22/0
Jan 07 2014 14:42:04: %ASA-6-302016: Teardown UDP connection 2101 for outside:68.94.157.1/53 to inside:10.0.250.22/60524 duration 0:00:11 bytes 220
Jan 07 2014 14:42:04: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/63533 laddr 99.66.187.4/63533
Jan 07 2014 14:42:04: %ASA-6-302021: Teardown ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/63533 laddr 99.66.187.4/63533
Jan 07 2014 14:42:04: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.157.1(53) -> inside/10.0.250.22(60524) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:42:04: %ASA-6-302015: Built inbound UDP connection 2122 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)
Jan 07 2014 14:42:04: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/51200(LOCAL\jshojayi) to outside:99.66.187.4/51200
Jan 07 2014 14:42:04: %ASA-6-302015: Built inbound UDP connection 2123 for outside:10.0.251.10/51200 (99.66.187.4/51200)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
Jan 07 2014 14:42:04: %ASA-6-302016: Teardown UDP connection 2122 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
Jan 07 2014 14:42:04: %ASA-6-302021: Teardown ICMP connection for faddr 68.94.157.1/0 gaddr 99.66.187.4/0 laddr 10.0.250.22/0
Jan 07 2014 14:42:04: %ASA-6-302016: Teardown UDP connection 2123 for outside:10.0.251.10/51200(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:00 bytes 182 (jshojayi)
Jan 07 2014 14:42:04: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/53977 to outside:99.66.187.4/53977 duration 0:00:30
Jan 07 2014 14:42:04: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/64875 to outside:99.66.187.4/64875 duration 0:00:43
Jan 07 2014 14:42:04: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/58618 to outside:99.66.187.4/58618 duration 0:00:43
Jan 07 2014 14:42:04: %ASA-6-302015: Built outbound UDP connection 2124 for outside:192.168.1.254/67 (192.168.1.254/67) to identity:99.66.187.4/68 (99.66.187.4/68)
Jan 07 2014 14:42:05: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> inside/10.0.250.22(60524) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:42:05: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/60404 to outside:99.66.187.4/60404 duration 0:00:43
Jan 07 2014 14:42:05: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/17510 laddr 99.66.187.4/17510
Jan 07 2014 14:42:05: %ASA-6-302021: Teardown ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/17510 laddr 99.66.187.4/17510
Jan 07 2014 14:42:06: %ASA-6-302016: Teardown UDP connection 2110 for outside:68.94.156.1/53 to inside:10.0.250.22/54078 duration 0:00:11 bytes 132
Jan 07 2014 14:42:07: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> inside/10.0.250.22(54078) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:42:07: %ASA-6-302020: Built outbound ICMP connection for faddr 68.94.157.1/0 gaddr 99.66.187.4/0 laddr 10.0.250.22/0
Jan 07 2014 14:42:07: %ASA-6-302016: Teardown UDP connection 2112 for outside:68.94.157.1/53 to inside:10.0.250.22/54078 duration 0:00:11 bytes 165
+Jan 07 2014 14:42:08: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.157.1(53) -> inside/10.0.250.22(54078) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:42:08: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/14848 laddr 99.66.187.4/14848 -
I cannot ping any VIP from within the ACE or from rservers
I cannot ping any VIP from within the ACE or from rservers. Is this expected? I have rservers in other serverfarms that need to be able to communicate with the VIP of other serverfarms. Any help is greatly appreciated.
Thanks for you reply. here is the config. I removed other rserver and serverfarm config that does not have to do with this issue.
logging enable
logging fastpath
logging standby
logging console 4
logging timestamp
logging trap 4
logging history 4
logging buffered 4
logging persistent 4
logging monitor 4
logging device-id hostname
logging host 172.26.254.185 udp/514
logging host 172.26.221.25 udp/514
access-list INBOUND line 8 extended permit ip any any
access-list INBOUND line 16 extended permit icmp any any
access-list INBOUND line 24 extended permit tcp any any
access-list INBOUND line 32 extended permit udp any any
access-list ORADB line 8 extended permit tcp any any
probe http CITRIX
interval 30
passdetect interval 15
passdetect count 6
open 1
probe tcp HYPERION
port 19000
interval 2
faildetect 2
passdetect interval 2
passdetect count 2
receive 2
open 1
probe icmp PROBE_SERVICE_ICMP
interval 5
passdetect interval 5
probe tcp W15SPSWFET001_PROBE
interval 5
passdetect interval 5
connection term forced
open 1
parameter-map type connection TIMEOUT
set timeout inactivity 43200
parameter-map type http test
persistence-rebalance
set header-maxparse-length 2006
rserver host w0bairwatch003
description MDM-SEG
ip address 172.20.60.73
inservice
rserver host w0bairwatch004
description MDM-SEG
ip address 172.20.60.74
inservice
rserver host w0bairwatch005
description MDM-DEVICE
ip address 172.20.60.75
inservice
rserver host w0bairwatch006
description MDM-DEVICE
ip address 172.20.60.76
inservice
rserver host w0bhamobile001
description Lotus Notes Traveler Server
ip address 172.20.60.57
inservice
rserver host w0bhamobile002
description Lotus Notes Traveler Server
ip address 172.20.60.58
inservice
serverfarm host MDMDEVICE
predictor leastconns
probe PROBE_SERVICE_ICMP
rserver w0bairwatch005
inservice
rserver w0bairwatch006
serverfarm host MDMSEG
predictor leastconns
probe PROBE_SERVICE_ICMP
rserver w0bairwatch003
inservice
rserver w0bairwatch004
inservice
serverfarm host TRAVLR
predictor leastconns
probe PROBE_SERVICE_ICMP
rserver w0bhamobile001
inservice
rserver w0bhamobile002
inservice
class-map match-all MDMDEVICE-VIP
2 match virtual-address 172.20.48.35 any
class-map match-all MDMSEG-VIP
2 match virtual-address 172.20.48.33 any
class-map type management match-any REMOTE_ACCESS
description Remote access traffic match
201 match protocol ssh any
202 match protocol telnet any
203 match protocol icmp any
204 match protocol https any
205 match protocol http any
206 match protocol xml-https any
207 match protocol snmp any
class-map match-all TRAVLR-VIP
2 match virtual-address 172.20.48.34 any
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
class REMOTE_ACCESS
permit
policy-map type loadbalance first-match MDMDEVICE
class class-default
serverfarm MDMDEVICE
policy-map type loadbalance first-match MDMSEG
class class-default
serverfarm MDMSEG
policy-map type loadbalance first-match TRAVLR
class class-default
serverfarm TRAVLR
policy-map multi-match CLIENTS-VIPS
class MDMDEVICE-VIP
loadbalance vip inservice
loadbalance policy MDMDEVICE
loadbalance vip icmp-reply active
class MDMSEG-VIP
loadbalance vip inservice
loadbalance policy MDMSEG
loadbalance vip icmp-reply active
class TRAVLR-VIP
loadbalance vip inservice
loadbalance policy TRAVLR
loadbalance vip icmp-reply active
interface vlan 48
ip address 172.20.48.10 255.255.255.0
access-group input INBOUND
access-group output INBOUND
service-policy input REMOTE_MGMT_ALLOW_POLICY
service-policy input CLIENTS-VIPS
no shutdown
interface vlan 60
ip address 172.20.60.10 255.255.255.0
access-group input INBOUND
access-group output INBOUND
service-policy input REMOTE_MGMT_ALLOW_POLICY
no shutdown
ip route 0.0.0.0 0.0.0.0 172.20.48.1 -
I am not able to use the ftp export in Muse. When I enter my host, name and password, I get a long interlude of rainbow wheel and finally the message that my ftp host cannot be found. I have verified the name and that it is port 21. I can export to html and use another ftp client to upload (to the same server) but this is tedious and making minor changes is painful. Have you encountered this and found a solution?
Hi Susan,
In that case I will recommend that you consult a local technician/IT team and see if there is some network connectivity issue with your machine.
- Abhishek Maurya -
Anyconnect VPN peers cannot ping, RDP each other
I have an ASA5505 running ASA 8.3(1) and ASDM 7.1(1). I have a remote access VPN set up and the remote access users are able to log in and access LAN resources. I can ping the VPN peers from the remote LAN. My problem that the VPN peers cannot ping (RDP, ectc..) each other. Pinging one VPN peer from another reveals the following error in the ASA Log.
Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.10.10.8 dst outside:10.10.10.9 (type 8, code 0) denied due to NAT reverse path failure.
Below is my ASA running-config:
ASA Version 8.3(1)
hostname ciscoasa
domain-name dental.local
enable password 9ddwXcOYB3k84G8Q encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.1.128
domain-name dental.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network RAVPN
subnet 10.10.10.0 255.255.255.0
object network NETWORK_OBJ_10.10.10.0_28
subnet 10.10.10.0 255.255.255.240
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
access-list Local_LAN_Access remark VPN client local LAN access
access-list Local_LAN_Access standard permit host 0.0.0.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list VpnPeers remark allow vpn peers to ping each other
access-list VpnPeers extended permit ip object NETWORK_OBJ_10.10.10.0_28 object NETWORK_OBJ_10.10.10.0_28
pager lines 24
logging enable
logging asdm informational
logging mail informational
logging from-address [email protected]
logging recipient-address [email protected] level informational
logging rate-limit 1 600 level 6
mtu outside 1500
mtu inside 1500
ip local pool VPNPool 10.10.10.5-10.10.10.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static any any destination static RAVPN RAVPN
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28
object network obj_any
nat (inside,outside) dynamic interface
object network RAVPN
nat (any,outside) dynamic interface
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint LOCAL-CA-SERVER
keypair LOCAL-CA-SERVER
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ciscoasa
keypair billvpnkey
proxy-ldc-issuer
crl configure
crypto ca server
cdp-url http://ciscoasa/+CSCOCA+/asa_ca.crl
issuer-name CN=ciscoasa
smtp from-address admin@ciscoasa
crypto ca certificate chain LOCAL-CA-SERVER
certificate ca 01
**hidden**
quit
crypto ca certificate chain ASDM_TrustPoint0
certificate 10bdec50
**hidden**
quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
client-update enable
telnet 192.168.1.1 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd address 192.168.1.50-192.168.1.99 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
svc image disk0:/anyconnect-win-3.1.04072-k9.pkg 1
svc profiles DellStudioClientProfile disk0:/dellstudioclientprofile.xml
svc enable
tunnel-group-list enable
internal-password enable
smart-tunnel list SmartTunnelList RDP mstsc.exe platform windows
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.1.128
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value dental.local
webvpn
svc modules value vpngina
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
dns-server value 192.168.1.128
vpn-tunnel-protocol l2tp-ipsec
default-domain value dental.local
group-policy DfltGrpPolicy attributes
dns-server value 192.168.1.128
vpn-simultaneous-logins 4
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-lock value RAVPN
split-tunnel-network-list value Local_LAN_Access
default-domain value dental.local
webvpn
url-list value DentalMarks
svc modules value vpngina
svc profiles value dellstudio type user
svc ask enable default webvpn
smart-tunnel enable SmartTunnelList
username wketchel1 password 5c5OoeNtCiX6lGih encrypted
username wketchel1 attributes
vpn-group-policy DfltGrpPolicy
webvpn
svc profiles value DellStudioClientProfile type user
username wketchel password 5c5OoeNtCiX6lGih encrypted privilege 15
username wketchel attributes
vpn-group-policy DfltGrpPolicy
webvpn
svc modules none
svc profiles value DellStudioClientProfile type user
username jenniferk password 5.TcqIFN/4yw0Vq1 encrypted privilege 0
username jenniferk attributes
vpn-group-policy DfltGrpPolicy
webvpn
svc profiles value DellStudioClientProfile type user
tunnel-group DefaultRAGroup general-attributes
address-pool VPNPool
authorization-server-group LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
authentication ms-chap-v2
authentication eap-proxy
tunnel-group RAVPN type remote-access
tunnel-group RAVPN general-attributes
address-pool VPNPool
authorization-server-group LOCAL
tunnel-group RAVPN webvpn-attributes
group-alias RAVPN enable
tunnel-group RAVPN ipsec-attributes
pre-shared-key *****
tunnel-group RAVPN ppp-attributes
authentication pap
authentication ms-chap-v2
authentication eap-proxy
tunnel-group WebSSLVPN type remote-access
tunnel-group WebSSLVPN webvpn-attributes
group-alias WebSSLVPN enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
smtp-server 173.194.64.108
prompt hostname context
hpm topN enable
Cryptochecksum:3304bf6dcf6af5804a21e9024da3a6f8
: endHi,
Seems to me that you could clean up the current NAT configuration a bit and make it a bit clearer.
I would suggest the following changes
object network VPN-POOL
subnet 10.10.10.0 255.255.255.0
object network LAN
subnet 192.168.1.0 255.255.255.0
object-group network PAT-SOURCE
network-object 192.168.1.0 255.255.255.0
network-object 10.10.10.0 255.255.255.0
nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
nat (outside,outside) 1 source static VPN-POOL VPN-POOL destination static VPN-POOL VPN-POOL
nat (any,outside) after-auto source dynamic PAT-SOURCE interface
The above should enable
Dynamic PAT for LAN and VPN users
NAT0 for the traffic between LAN and VPN
NAT0 for traffic between VPN users
You could then remove the previous NAT configurations. Naturally please do backup the configuration before doing the change if you wish to move back to the original configuration.
no nat (inside,any) source static any any destination static RAVPN RAVPN
no nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28
no nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28
no object network obj_any
no object network RAVPN
In the event that you dont want to change the configurations that much you might be fine just by adding this
object network VPN-POOL
subnet 10.10.10.0 255.255.255.0
nat (outside,outside) 1 source static VPN-POOL VPN-POOL destination static VPN-POOL VPN-POOL
But the other above configurations changes would make the current NAT configurations simpler and clearer to see each "nat" configurations purpose.
- Jouni -
VPN client connected to VPN but can't ping or access to server
HI ,
i need help urgently, had been troubleshooting for a day, but have no ideal what wrong with the config.
Basically there is 2 set of VPN configured, one is site to site IPSEC VPN and another one is connect via VPN client software coexist in same router.
This recently we having problem on client can't access or ping to internal server which is 192.168.6.3 from VPN client software.
VPN client will connect to VPN ip pool as10.20.1.0 to 10.20.1.100
Software itself shown connected but request time out when ping.
Below is the config. Some of the command might be extra as when i did some test, but end up didn't work.
aaa new-model
aaa authentication login userauthen local
aaa authorization network adminmap group VPNClient
aaa authorization network groupauthor local
aaa authorization network map-singapore local
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key emptyspace address 203.142.83.218 no-xauth
crypto isakmp keepalive 15 periodic
crypto isakmp client configuration address-pool local ippool
crypto isakmp client configuration group map-singapore
key cisco123
dns 192.168.6.3
domain cisco.com
pool ippool
acl 102
crypto isakmp profile VPNclient
match identity address 27.54.43.210 255.255.255.255
match identity group vpnclient
client authentication list userauthen
client configuration address respond
crypto ipsec security-association idle-time 86400
crypto ipsec transform-set REMSET esp-3des esp-md5-hmac
crypto ipsec transform-set DYNSET esp-aes esp-md5-hmac
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
set transform-set DYNSET
set isakmp-profile VPNclient
reverse-route
crypto map VPNMAP client authentication list userauthen
crypto map VPNMAP isakmp authorization list map-singapore
crypto map VPNMAP client configuration address respond
crypto map VPNMAP 10 ipsec-isakmp dynamic dynmap
crypto map VPNMAP 11 ipsec-isakmp
description VPN to ASA5520
set peer 203.142.83.218
set security-association lifetime kilobytes 14608000
set security-association lifetime seconds 86400
set transform-set REMSET
match address 100
interface GigabitEthernet0/0
ip address 27.54.43.210 255.255.255.240
ip nat outside
no ip virtual-reassembly
duplex full
speed 100
crypto map VPNMAP
interface GigabitEthernet0/1
ip address 192.168.6.1 255.255.255.0
ip nat inside
no ip virtual-reassembly
duplex full
speed 100
interface GigabitEthernet0/2
description $ES_LAN$
no ip address
shutdown
duplex auto
speed auto
ip local pool ippool 10.20.1.0 10.20.1.100
ip forward-protocol nd
ip pim bidir-enable
no ip http server
ip http authentication local
no ip http secure-server
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source list 101 interface GigabitEthernet0/0 overload
ip nat inside source route-map nonat interface GigabitEthernet0/0 overload
ip nat inside source static 192.168.6.3 27.54.43.212
ip route 0.0.0.0 0.0.0.0 27.54.43.209
ip route 192.168.1.0 255.255.255.0 27.54.43.209
ip route 192.168.151.0 255.255.255.0 192.168.6.151
ip route 192.168.208.0 255.255.255.0 27.54.43.209
ip access-list extended RA_SING
permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.6.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 10.0.0.0 0.255.255.255 192.168.6.0 0.0.0.255
permit ip 192.168.6.0 0.0.0.255 192.168.208.0 0.0.0.255
permit ip 10.20.1.1 0.0.0.100 192.168.6.0 0.0.0.255
permit ip 10.20.1.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip any any log
access-list 1 remark Local Network
access-list 1 permit 192.168.6.0 0.0.0.255
access-list 1 permit 192.168.102.0 0.0.0.255
access-list 1 permit 192.168.151.0 0.0.0.255
access-list 2 remark VPNClient-range
access-list 2 permit 10.0.0.0 0.255.255.255
access-list 10 permit 192.168.6.0 0.0.0.255
access-list 10 permit 192.168.102.0 0.0.0.255
access-list 10 permit 192.168.151.0 0.0.0.255
access-list 10 permit 10.0.0.0 0.255.255.255
access-list 100 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.102.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.6.0 0.0.0.255 192.168.208.0 0.0.0.255
access-list 100 permit ip host 192.168.6.7 host 192.168.208.48
access-list 101 deny ip 192.168.6.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
access-list 101 permit ip 192.168.6.0 0.0.0.255 any
access-list 102 permit ip 10.0.0.0 0.255.255.255 any
access-list 120 deny ip any any log
access-list 120 deny ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 120 deny ip 192.168.6.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 120 deny ip 192.168.6.0 0.0.0.255 192.168.208.0 0.0.0.255
no cdp run
route-map nonat permit 10
match ip address 120
control-plane
alias isakmp-profile sh crypto isakmp sa
alias exec ipsec sh crypto ipsec sa
banner motd ^CC^CI did not try to ping 4.2.2.2. I just know I can not ping comcasts dns servers. I have updated the firmware on the router and it did not work. The computer was able to access the internet until about a week ago, I don't understand what could have changed that I would now need a static DNS.
-
This was my previous discussion with Adobe Chat, which I CANNOT FIND a link to now.
It's a catch 22. I think Adobe still had my old email address, which I have deleted with Comcast.
Therefore, Adobe cannot send me a change of password form, nor can I update my email.
I think Chat is my best bet, but cannot find link.
Note, I may not be able to receive forum responses, if Adobe notifies my old email address.
If I need to sign in to get responses, I cannot do that either. Adobe reports an error if I use my old address.
I cannot update my email address, without signing in.
Adobe, and everyone else needs to have links for: Forgot Your Password? -AND- Forgot Your Email (or changed it).
Please reach me outside of Adobe at: <Removed by Moderator>
I am a registered customer with products on file.
Chat History:
Sandesh: May I have the email address to which you have access ?
you: Correct address is:<Removed by Moderator>
But, do I have to login to download updates. I got the dialog directly from LR, when I opened it.
Sandesh: May I have the serial number of the product please ?
you: LR 5: <serial number removed by moderator>
Sandesh: Thank you.
Sandesh: May I know the exact error message you are getting ?
you: NO DATA RECEIVED. In the meantime, I found another LR ID: <serial number removed by moderator> in case you need it.
Sandesh: Sure.
Sandesh: May I know whether you are using the Dvd or the download ?
my comment (I already said download above).
you: Trying to download from your Adobe web site.
Sandesh: Okay.
Sandesh: Please allow me a moment.
Sandesh: Could you please copy paste the URL of the download link you are using on the chat screen so that I can check ?
Sandesh: Are we still connected?
Added today: 8/19/2014:
The link the download button is on, is:
http://www.adobe.com/support/downloads/thankyou.jsp?ftpID=5823&fileID=5837
Loading message says: Waiting for download.adobe.com
The page the error is on, is:
http://download.adobe.com/pub/adobe/lightroom/win/5.x/Lightroom_5_LS11_win_5_6.exe
Then, while Sandesh was researching, I had to leave the room for too long and then had to go out. So,
Sandesh: Since we have not heard from you for some time, we will now end this chat.Michael Miller please try a different web browser. You may also want to review your host file to ensure the Adobe servers are not being blocked. You can find details on how to review your host file at Sign in, activation, or connection errors | CC, CS6, CS5.5 - http://helpx.adobe.com/x-productkb/policy-pricing/activation-network-issues.html.
I was able to download the Lightroom 5.6 update without any errors. If you continue to face difficulties you may want to try a different Internet connection or download the update onto a USB drive on a different computer. -
i am in remote n/w vietnam .... my 5 yr old macbook 9.4.3 version of iphoto is malfunctioning ... it allows my to download photos from my camera ...... but then it freezes and I have to hit "force quit" even though it does not signal "not responding". As a consequence .... I cannot do anything with my photos .... I gather from the dead ends I have run into ... all my time relate rights have expired ... so can anyone suggest how the problem can be overcome short of smashing the thing and buying a new one when next I get to civilization?
Thanks mate ...
yes I have an upgraded Iphoto 11 from 9.4.3 ........ unfortunately .... no it didn't solve the problem. Of course my illiteracy is no help ..... but I did as you suggested and nothing changed at all. When I highlight a photo I am unable to minimize it and despite changing folders (ie:photos to events) all that happens is that the events folder opens behind the opened photo. The only solution is to go to "force quit" even though there is no sign to say "iphoto is not responding". and start again ..... very frustrating. Appreciate any suggestion you have ...
Nev -
Cannot delete a video clip from iPad, the Edit button doesn't appear ?
With iMovie for iOS (iPad) I try to permanently delete a video clip from my iPad.
I follow the article http://support.apple.com/kb/PH3186. But even if the video clip I want to delete is not used in a project, I simply do not find the Edit button in the upper-left corner above the Video browser as mentionned.
This is a screenshot
the Ipad is running iOS 5.1.1 (9B206), the video are not stored in 'pellicule'
Am I crazy ?
Thank you for any help.Did you shoot the video in iMovie?
Or did you shoot it via the camera app?
If it was shot in the camera app, then it needs to be deleted in the Photos app.
Can you see the video in the photos app?
You can permanently delete a video clip from your device as long as it’s not in the Camera Roll or the Photos app. -
VPN client cannot access inside hosts
Hello,
I have an ASA 5505 device with the attached configuration and my vpn clients can connect to it fine. Although, once a vpn client is connected they cannot RDP, ping, or telnet any internal hosts. The goal is to have a connected vpn client to have all access rights as anyone sitting on the internal network. Any assistance is greatly appreciated.
: Saved
ASA Version 7.2(3)
hostname Kappa-GW01
domain-name Kappa.com
enable password xxxxxxxxx encrypted
names
name 172.20.42.42 UMEFTP2 description UMAP FTP2
name 172.20.40.246 UMEMAIL1 description Exchange Server
name 172.20.41.3 UMERPS
name x.x.81.81 Wilkes
name x.x.84.41 KappaPittston
dns-guard
interface Ethernet0/0
shutdown
nameif outside
security-level 0
ip address x.x.148.194 255.255.255.248
interface Ethernet0/1
nameif Outside_Windstream
security-level 0
ip address x.x.205.210 255.255.255.240
interface Ethernet0/2
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
passwd 7Tpgc2AiWGxbNjkj encrypted
boot system disk0:/asa723-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name Kappa.com
object-group network Blue_Bell_Internal_Networks
description Blue Bell internal network Group
network-object 192.168.100.0 255.255.255.0
network-object 10.0.0.0 255.255.255.0
network-object 10.0.1.0 255.255.255.0
network-object 10.0.2.0 255.255.255.0
object-group network VPN-Sites
network-object host Wilkes
network-object host KappaPittston
object-group network Michigan_VPN_GRP
network-object 172.20.40.0 255.255.252.0
object-group network ASA_OutSide_Vendors
description ASA OutSide Vendor Access
access-list 101 extended permit ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 101 extended permit ip 10.0.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 101 extended permit ip 10.0.2.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 101 extended permit ip 172.20.40.0 255.255.252.0 192.168.100.0 255.255.255.0
access-list KappaVPN_splitTunnelAcl remark Blue Bell Office
access-list KappaVPN_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0
access-list KappaVPN_splitTunnelAcl remark Williamston Office
access-list KappaVPN_splitTunnelAcl standard permit 172.20.40.0 255.255.252.0
access-list KappaVPN_splitTunnelAcl remark Pittston Office
access-list KappaVPN_splitTunnelAcl standard permit 10.0.10.0 255.255.255.0
access-list KappaVPN_splitTunnelAcl standard permit 10.0.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 172.20.40.0 255.255.252.0 inactive
access-list inside_nat0_outbound extended permit ip 10.0.2.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.10.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.30.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.20.40.0 255.255.252.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.20.40.0 255.255.252.0 10.0.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.20.40.0 255.255.252.0 10.0.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.20.40.0 255.255.252.0 10.0.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.0.0.0 255.255.255.0 172.20.48.0 255.255.252.0
access-list umeemp_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0
access-list umeemp_splitTunnelAcl standard permit 172.20.40.0 255.255.252.0
access-list umeemp_splitTunnelAcl standard permit 10.0.30.0 255.255.255.0
access-list umeemp_splitTunnelAcl standard permit 10.0.2.0 255.255.255.0
access-list outside_5_cryptomap extended permit ip 10.0.0.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list 102 extended permit tcp any any eq 2000
access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.220 eq smtp
access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.220 eq pop3 inactive
access-list Outside_Winstream_access_in extended permit udp object-group VPN-Sites interface Outside_Windstream eq isakmp
access-list Outside_Winstream_access_in extended permit tcp object-group ASA_OutSide_Vendors host x.x.205.217 eq 4080
access-list Outside_Winstream_access_in remark SMTP Access
access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.218 eq smtp
access-list Outside_Winstream_access_in remark POP access
access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.218 eq pop3
access-list Outside_Winstream_access_in remark OWA Access
access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.218 eq https
access-list Outside_Winstream_access_in extended permit tcp host x.x.87.65 host x.x.205.218 eq 3389
access-list Outside_Winstream_access_in extended permit udp host x.x.56.111 eq ntp host x.x.205.216 eq ntp
access-list Outside_Winstream_access_in remark OWA UMAP
access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.211 eq https
access-list Outside_Winstream_access_in remark JLAN
access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.215 eq https
access-list Outside_Winstream_access_in remark UMERPS
access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.212 eq https
access-list Outside_Winstream_access_in remark UMERPS
access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.212 eq ssh
access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.213 eq https
access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.213 eq 5494
access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.214 eq www
access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.211 eq 8081
access-list Outside_Winstream_access_in extended permit icmp any any echo
access-list outside_6_cryptomap extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list outside_6_cryptomap extended permit ip 172.20.40.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list Outside_Windstream_cryptomap_11 extended permit ip 172.20.40.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list Outside_Windstream_cryptomap_10 extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list Outside_Windstream_cryptomap_5 extended permit ip 10.0.0.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list Outside_Windstream_cryptomap_12 extended permit ip 172.20.40.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list Outside_Windstream_2_cryptomap extended permit ip 10.0.0.0 255.255.255.0 172.20.48.0 255.255.252.0
access-list nonat extended permit ip any any inactive
pager lines 24
logging enable
logging asdm debugging
logging flash-bufferwrap
mtu outside 1500
mtu Outside_Windstream 1500
mtu inside 1500
mtu management 1500
ip local pool vpn-pool 192.168.100.100-192.168.100.200
no failover
monitor-interface outside
monitor-interface Outside_Windstream
monitor-interface inside
monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat-control
global (Outside_Windstream) 1 x.x.205.216 netmask 255.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.20.40.0 255.255.252.0
nat (inside) 1 10.0.0.0 255.255.0.0
static (inside,Outside_Windstream) x.x.205.217 10.0.0.20 netmask 255.255.255.255
static (inside,Outside_Windstream) x.x.205.220 10.0.0.21 netmask 255.255.255.255
static (inside,Outside_Windstream) x.x.205.218 10.0.0.15 netmask 255.255.255.255
static (inside,Outside_Windstream) x.x.205.215 172.20.40.145 netmask 255.255.255.255
static (inside,Outside_Windstream) x.x.205.211 UMEMAIL1 netmask 255.255.255.255
static (inside,Outside_Windstream) x.x.205.212 UMERPS netmask 255.255.255.255
static (inside,Outside_Windstream) x.x.205.213 172.20.40.243 netmask 255.255.255.255
static (inside,Outside_Windstream) x.x.205.214 172.20.40.146 netmask 255.255.255.255
access-group acl_inbound in interface outside
access-group Outside_Winstream_access_in in interface Outside_Windstream
route Outside_Windstream 0.0.0.0 0.0.0.0 x.x.205.209 1
route inside 172.20.40.0 255.255.252.0 10.0.0.3 1
route inside 10.0.30.0 255.255.255.0 10.0.0.254 1
route inside 10.0.1.0 255.255.255.0 10.0.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server BBPA-SRV-DC01 protocol radius
aaa-server BBPA-SRV-DC01 host 10.0.0.15
timeout 5
key G6G7#02bj!
aaa-server UMAP protocol radius
aaa-server UMAP host 172.20.40.245
timeout 5
key gfrt1a
aaa-server UMAP host 172.20.40.244
timeout 5
key gfrt1a
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.0.0.0 255.255.255.0 inside
http 10.0.0.15 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_Windstream_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_Windstream_dyn_map 40 set pfs
crypto dynamic-map Outside_Windstream_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 5 match address outside_5_cryptomap
crypto map outside_map 5 set peer Wilkes
crypto map outside_map 5 set transform-set ESP-3DES-SHA
crypto map outside_map 10 match address outside_6_cryptomap
crypto map outside_map 10 set peer KappaPittston
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map Outside_Windstream_map 5 match address Outside_Windstream_cryptomap_5
crypto map Outside_Windstream_map 5 set peer Wilkes
crypto map Outside_Windstream_map 5 set transform-set ESP-3DES-SHA
crypto map Outside_Windstream_map 10 match address Outside_Windstream_cryptomap_10
crypto map Outside_Windstream_map 10 set peer KappaPittston
crypto map Outside_Windstream_map 10 set transform-set ESP-3DES-SHA
crypto map Outside_Windstream_map 65535 ipsec-isakmp dynamic Outside_Windstream_dyn_map
crypto map Outside_Windstream_map interface Outside_Windstream
crypto isakmp enable Outside_Windstream
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 3600
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet 10.0.0.0 255.255.0.0 inside
telnet timeout 5
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ftp
inspect skinny
inspect pptp
service-policy global_policy global
webvpn
enable Outside_Windstream
svc image disk0:/sslclient-win-1.1.4.177.pkg 1
svc enable
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc required
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
group-policy umeemp internal
group-policy umeemp attributes
dns-server value 172.20.40.245
vpn-filter none
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value KappaVPN_splitTunnelAcl
default-domain value umapinc.com
group-policy KappaVPN internal
group-policy KappaVPN attributes
wins-server value 10.0.0.15
dns-server value 10.0.0.15
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value umeemp_splitTunnelAcl
default-domain value kappa.loc
username gwadmin password AVjtEPq7nvtiAAk0 encrypted
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool vpn-pool
authentication-server-group BBPA-SRV-DC01
authorization-required
tunnel-group KappaVPN type ipsec-ra
tunnel-group KappaVPN general-attributes
address-pool vpn-pool
authentication-server-group BBPA-SRV-DC01
default-group-policy KappaVPN
tunnel-group KappaVPN ipsec-attributes
pre-shared-key *
tunnel-group x.x.131.62 type ipsec-l2l
tunnel-group x.x.131.62 ipsec-attributes
pre-shared-key *
tunnel-group x.x.232.2 type ipsec-l2l
tunnel-group x.x.232.2 ipsec-attributes
pre-shared-key *
tunnel-group x.x.49.114 type ipsec-l2l
tunnel-group x.x.49.114 ipsec-attributes
pre-shared-key *
tunnel-group x.x.226.218 type ipsec-l2l
tunnel-group x.x.226.218 ipsec-attributes
pre-shared-key *
tunnel-group x.x.116.133 type ipsec-l2l
tunnel-group x.x.116.133 ipsec-attributes
pre-shared-key *
tunnel-group x.x.21.36 type ipsec-l2l
tunnel-group x.x.21.36 ipsec-attributes
pre-shared-key *
tunnel-group umeemp type ipsec-ra
tunnel-group umeemp general-attributes
address-pool vpn-pool
authentication-server-group UMAP
default-group-policy umeemp
tunnel-group umeemp ipsec-attributes
pre-shared-key *
tunnel-group x.x.81.81 type ipsec-l2l
tunnel-group x.x.81.81 ipsec-attributes
pre-shared-key *
tunnel-group x.x.84.41 type ipsec-l2l
tunnel-group x.x.84.41 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxx
: end
asdm image disk0:/asdm-523.bin
no asdm history enableI'm sorry, I misunderstood what you were asking. Yes those three networks are on the inside of our ASA. we have 2 outside of the ASA (10.0.2.x, 10.0.10.x). When our clients vpn they connect to the x.x.205.210 ip address, which maps them depending on the preshared key that puts them on either the kappaVPN or the umeempVPN. (I am kind of new to configuring the ASA). When the cisco vpn client connects to the network, I checked the statistics and it lists all of our LAN networks under secure routes. I cannot ping anything inside the LAN nor can I connect RDP, telnet or anything.
Hope this answers your questions, just let me know if you need any more information.
-Rudy -
Unable to ping device behind Cisco 3750 on the same inside VLAN via Cisco ASA 5505 Anyconnect VPN
Hi Guys,
I've been stuck with this for the last 2 days, and I thought to try and use Cisco's forum, I setup my home DC, and started having problems once I moved a Cisco 5505 behind a Cisco 1841 router (I wanted to eventually test DMVPN live on the internet,) I was no longer able to ping some devices, then as soon as I introduce a collapsed core/distribution switch, I'm also no longer able to ping the devices behind the Cisco 3750, I've attached a network diagram and the ASA running-config.
Everything seem fine internally with the exception of an intermittent network connectivity with a Citrix NetScaler VPX running on a VMware ESXi.
For some odd reason, I am able to ping the following, with no issues.
Cisco 3750 SVI (192.168.1.3)
CentOS web server (connected directly to the Cisco ASA 5505)
I have checked and enable the following:
Nat Exemption
Sysopt connection permit-vpn
ACL's
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
Added ICMP in the inspection policy
Packet-capture - Only getting echo requests.
Thanks in advance!Hi,
I believe you have the problem with your no-nat configurations..... you to exempt NAT for the traffic from 172.16.10.0 (Anyconnect VPN pool) to 192.168.1.0/24 (Inside LAN) to make this work
object network acvpnpool
subnet <anyconnect VPN Subnet>
object network insidelan
subnet <inside lan subnet>
nat (inside,outside) source static acvpnpool acvpnpool destination static insidelan insidelan
Make sure that you are able to reach the GW/Inside ip adress of the firewall from LAN machine.... all routing in place properly..... Thanks!!!
Regards
Karthik -
Printing issues to local network when AnyConnect VPN in use
I have situation where I have a user connecting to the corporate office from her home network using a Win7 laptop and AnyConnect VPN 3.1.01065. She has an IP HP printer on her local network. When she is connected via VPN, she cannot print to her printer, Win saying the printer is off-line. That said, we are allowing access to the remote local network with a "split-exlude" conifiguration on the ASA:
access-list LocalLANAccess standard permit host 0.0.0.0
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ssl-client
split-tunnel-policy excludespecified
split-tunnel-network-list value LocalLANAccess
"Allow local (LAN) access when using VPN" in the AC preference tab is checked. And also, she can ping the local printer when connected via VPN. however, the printer appears off-line, from the laptop perspective, when the VPN is on, and will go back "on-line" when the VPN is disconnected.
Anyone have any thoughts on how to correct this?Well, if you want a workaround to apply for all VPN Client then you need to go for split-tunnel-policy tunnelspecified instead of split-tunnel-policy excludespecified. Suppose if your corporate network is 10.0.1.0/24 and you want to give the access to this subnet for vpn users.then configuration will be as follows.
access-list CorporateLAN standard permit 10.0.1.0 255.255.255.0
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ssl-client
no split-tunnel-policy excludespecified
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CorporateLAN
This will solve the problem globally
With Regards,
Safwan -
AnyConnect VPN and HP Office Jet Pro 8500 A910
I can print from my IBM T400 laptop running Windows 7 64-bit. However, when I log into work AnyConnect VPN, I cannot print. It says the printer is disconnected from the network even though it is connected. IT support at work says it cannot change or adjust any VPN settings. The only way I can print is to disconnect from VPN. Is there anything I can adjust on the printer software or printer itself?
This question was solved.
View Solution.Hi,
In order to print over the local network while connected to a remote VPN network might be possible by modifying the VPN split tunneling configuration.
However, it is depands on the VPN capabilities and might not be allowed due to security requirements of your IT department.
Anyway, there is no way to configure such a thing by the printer or the printer software.. it is directly affected by the network configuration, and therefore require to change the VPN settings.
Regards,
Shlomi
Say thanks by clicking the Kudos thumb up in the post.
If my post resolve your problem please mark it as an Accepted Solution -
Windows Server 2012 The licensing mode for the Remote Desktop Session Host server is not configured
Hi
I have a standard Windows Server 2012 that is hosted in the cloud by a hosting provider -
This server has been up and running fir 6 months - recently we have been getting a warning
"The licensing mode for the Remote Desktop Session Host server is not configured" - The Remote Desktop Session Host server is within its grace period, but the RD Session Host server has not been configured with any license server.
Yet, we only use this with 2 connections as part of the standard licence agreement and this server is not used as a user's desktop only an ftp and web server- do therefore we do not need to purchase any cal licences (we have another server with the same
hosting company that does not have this issue and has been up for 18months)
Please can someone advise how I resolve this issue, the hosting company states that I must resolve it as they only host and resell the server licence
Thank-you
Richard SteeleHi Richard,
You need to uninstall Remote desktop session host feature. After removing it, you will default two connections which does not need to purchase RD CALs'.
Thanks,
Umesh.S.K -
The Remote Desktop Session Host server is within its grace period Question
On my Windows 2012 Server, when I open the RD Licensing Diagnoser, I see this:
The Remote Desktop Session Host server is within its grace period, but the RD Session Host server has not been configured with any license server.
Configure a license server for the Remote Desktop Session Host server. If you have an existing license server, specify that license server for the RD Session Host server. Otherwise, install RD Licensing on a computer on your network and Configure RD Session
Host server to use it.
I have a few questions. First, I have 10 virtual machines setup (all Windows 7 Enterprise). I have my 10 VDI licenses for those machines. Do I need another license for my Remote Desktop Session Host? If not, how do I license my RD Session
Host Server? If so, does anyone know how much they cost? I have no licensing server. I just have my Windows 2008 server that is my AD and DNS Server (where my GPO's sit too) and my Windows 2012 server that is dedicated to only running VM's
for the remote users.you should probably speak to a licensing expert as it can start getting fairly complicated and we wouldn't want to advise you incorrectly. Generally if you speak to a LAR (Large Account Reseller) they should be able to provide the guidance you need.
You can find more information on licensing virtual desktop through this white paper
Licensing
Microsoft's Virtual Desktop Infrastructure Technology
Regards,
Denis Cooper
MCITP EA - MCT
Help keep the forums tidy, if this has helped please mark it as an answer
My Blog
LinkedIn:
Maybe you are looking for
-
Voice memos app crashing after updating to iOS 8
After upgrading to iOS 8 today, when I launch the Voice Memos app, it attempts to re-index the memos and then in the middle of the process, it crashes. When I re-launch the app, it simply says "No Recordings". I was really distressed, because I had s
-
Having problem with dead key in Leopard
Hello. I'm having problem with dead key in Leopard. In Tiger it was working, but in Leopard dead key "'" doesn't work. In Tiger I could use OPTION key as well to get Latvian special characters (both worked - OPTION Key and dead-key), but in LEOPARD O
-
Feature Request: Option to wrap static text.
It would be really nice (in fact, demanded by my current client) to be able to have multi-line static text that appears as a paragraph. Unfortunately, static text is one-line and either stretches out the width of the entire dialog box if you let it o
-
Problems with MacBook Pro's sleep mode.
I have done several searches on the forums and cannot find a solution. I have a Mid 2012 MacBook Pro 13". Recently, my laptop does not seem to "wake up" properly from sleep mode. The laptop goes to sleep perfectly fine. The sleep indicator light is o
-
so I finished doing some work in CS five and then smacked F12 to save and to execute on the server. No such luck. I get a consistent error that says "while executing on load in _before save the following JavaScript error occurred: "in file _beforesav