My remote AnyConnect VPN host cannot be pinged or accessed from inside the LAN

I have a remote VPN host via AnyConnect that can reach my LAN resources without a problem; however, there is a server application that must initiate sessions to the remote host and it cannot.
Hosts within my LAN cannot ping or connect to the remote host, even though its connectivity inbound is fine.
NAT issue?

Hi mega5llc1,
Can you run the following command and paste the output?
packet-tracer input inside (or name of your inside int) icmp (server ip) 8 0 (VPN IP) detailed
Hope this helps
- Randy -

Similar Messages

  • Anyconnect VPN users cannot reach LAN

    I know this topic has been beat to death, but I've beat myself to death trying to get it to work. I had this working, but didn't save, then the FW did a reboot when the breaker flipped. I can log in with the VPN client. I can't reach any of the LAN resources. I believe I need a NAT exemption and I believe that I have that configured correctly, but it's not working. From the logs I can see the VPN IP pool going to the external IP interface, which means NAT is happening, when it shouldn't be. What am I missing?
    ip local pool vpn_pool 10.0.251.10-10.0.251.254 mask 255.255.255.0
    interface Ethernet0/0
    description OUTSIDE INTERFACE
    duplex full
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Ethernet0/1
    description INSIDE INTERFACE
    duplex full
    nameif inside
    security-level 100
    ip address 10.0.250.1 255.255.255.0
    boot system disk0:/asa914-k8.bin
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network vpn-pool
    subnet 10.0.251.0 255.255.255.0
    object network VPN-POOL
    subnet 10.0.251.0 255.255.255.0
    object network LAN
    subnet 10.0.250.0 255.255.255.0
    object-group network PAT-SOURCE
    network-object 10.0.250.0 255.255.255.0
    network-object 10.0.251.0 255.255.255.0
    access-list OUTSIDE_IN extended deny ip any4 any4 log debugging
    access-list INSIDE_OUT extended permit ip object-group PAT-SOURCE any4 log debugging
    ip verify reverse-path interface outside
    no arp permit-nonconnected
    nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
    nat (outside,outside) source static VPN-POOL VPN-POOL destination static VPN-POOL VPN-POOL
    nat (any,outside) after-auto source dynamic PAT-SOURCE interface
    access-group OUTSIDE_IN in interface outside
    access-group INSIDE_OUT in interface inside

    firewall(config)# logging console 7
    Jan 07 2014 14:41:49: %ASA-5-111008: User 'jshojayi' executed the 'logging console 7' command.
    Jan 07 2014 14:41:49: %ASA-5-111010: User 'jshojayi', running 'CLI' from IP 0.0.0.0, executed 'logging console 7'
    firewall(config)# Jan 07 2014 14:41:49: %ASA-6-302016: Teardown UDP connection 2097 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
    Jan 07 2014 14:41:50: %ASA-7-106100: access-list INSIDE_OUT permitted udp inside/10.0.250.22(60524) -> outside/68.94.156.1(53) hit-cnt 1 first hit [0x2ee9b03d, 0x15ffa408]
    Jan 07 2014 14:41:50: %ASA-6-305011: Built dynamic UDP translation from any:10.0.250.22/60524 to outside:99.66.187.4/60524
    Jan 07 2014 14:41:50: %ASA-6-302015: Built outbound UDP connection 2098 for outside:68.94.156.1/53 (68.94.156.1/53) to inside:10.0.250.22/60524 (99.66.187.4/60524)
    Jan 07 2014 14:41:50: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/61361 laddr 99.66.187.4/61361
    Jan 07 2014 14:41:50: %ASA-6-302021: Teardown ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/61361 laddr 99.66.187.4/61361
    Jan 07 2014 14:41:50: %ASA-6-302015: Built inbound UDP connection 2100 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)
    Jan 07 2014 14:41:51: %ASA-7-106100: access-list INSIDE_OUT permitted udp inside/10.0.250.22(60524) -> outside/68.94.157.1(53) hit-cnt 1 first hit [0x2ee9b03d, 0x15ffa408]
    Jan 07 2014 14:41:51: %ASA-6-302015: Built outbound UDP connection 2101 for outside:68.94.157.1/53 (68.94.157.1/53) to inside:10.0.250.22/60524 (99.66.187.4/60524)
    Jan 07 2014 14:41:51: %ASA-6-302016: Teardown UDP connection 2100 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
    Jan 07 2014 14:41:51: %ASA-6-305012: Teardown dynamic TCP translation from any:10.0.250.34/16140 to outside:99.66.187.4/16140 duration 0:01:01
    Jan 07 2014 14:41:51: %ASA-6-302013: Built inbound TCP connection 2102 for outside:10.0.251.10/52558 (10.0.251.10/52558)(LOCAL\jshojayi) to inside:10.0.250.15/3389 (10.0.250.15/3389) (jshojayi)
    Jan 07 2014 14:41:52: %ASA-6-302015: Built inbound UDP connection 2103 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)
    Jan 07 2014 14:41:52: %ASA-4-410001: Dropped UDP DNS request from inside:10.0.250.22/54745 to outside:157.56.106.189/3544; label length 128 bytes exceeds protocol limit of 63 bytes
    Jan 07 2014 14:41:52: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/62857 to outside:99.66.187.4/62857 duration 0:00:31
    Jan 07 2014 14:41:52: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/61237 to outside:99.66.187.4/61237 duration 0:00:31
    Jan 07 2014 14:41:52: %ASA-6-302016: Teardown UDP connection 2103 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
    Jan 07 2014 14:41:53: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/28061 laddr 99.66.187.4/28061
    Jan 07 2014 14:41:53: %ASA-7-710005: UDP request discarded from 10.0.251.10/61776 to outside:224.0.0.252/5355
    Jan 07 2014 14:41:53: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/63938(LOCAL\jshojayi) to outside:99.66.187.4/63938
    Jan 07 2014 14:41:53: %ASA-6-302015: Built inbound UDP connection 2105 for outside:10.0.251.10/63938 (99.66.187.4/63938)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
    Jan 07 2014 14:41:53: %ASA-6-302021: Teardown ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/28061 laddr 99.66.187.4/28061
    Jan 07 2014 14:41:53: %ASA-6-302016: Teardown UDP connection 2060 for outside:10.0.251.10/60840(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 165 (jshojayi)
    Jan 07 2014 14:41:53: %ASA-6-302015: Built inbound UDP connection 2106 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)
    Jan 07 2014 14:41:53: %ASA-6-302016: Teardown UDP connection 2061 for outside:10.0.251.10/58388(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 335 (jshojayi)
    Jan 07 2014 14:41:53: %ASA-6-302016: Teardown UDP connection 2105 for outside:10.0.251.10/63938(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:00 bytes 134 (jshojayi)
    Jan 07 2014 14:41:53: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/55378(LOCAL\jshojayi) to outside:99.66.187.4/55378
    Jan 07 2014 14:41:53: %ASA-6-302015: Built inbound UDP connection 2107 for outside:10.0.251.10/55378 (99.66.187.4/55378)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
    Jan 07 2014 14:41:53: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/51560(LOCAL\jshojayi) to outside:99.66.187.4/51560
    Jan 07 2014 14:41:53: %ASA-6-302015: Built inbound UDP connection 2108 for outside:10.0.251.10/51560 (99.66.187.4/51560)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
    Jan 07 2014 14:41:54: %ASA-7-710005: UDP request discarded from 10.0.251.10/61776 to outside:224.0.0.252/5355
    Jan 07 2014 14:41:54: %ASA-6-302016: Teardown UDP connection 2106 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
    Jan 07 2014 14:41:54: %ASA-6-302016: Teardown UDP connection 2107 for outside:10.0.251.10/55378(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:00 bytes 196 (jshojayi)
    Jan 07 2014 14:41:54: %ASA-6-302016: Teardown UDP connection 2108 for outside:10.0.251.10/51560(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:00 bytes 160 (jshojayi)
    Jan 07 2014 14:41:54: %ASA-6-302015: Built inbound UDP connection 2109 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)
    Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2109 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
    Jan 07 2014 14:41:55: %ASA-7-106100: access-list INSIDE_OUT permitted udp inside/10.0.250.22(54078) -> outside/68.94.156.1(53) hit-cnt 1 first hit [0x2ee9b03d, 0x15ffa408]
    Jan 07 2014 14:41:55: %ASA-6-305011: Built dynamic UDP translation from any:10.0.250.22/54078 to outside:99.66.187.4/54078
    Jan 07 2014 14:41:55: %ASA-6-302015: Built outbound UDP connection 2110 for outside:68.94.156.1/53 (68.94.156.1/53) to inside:10.0.250.22/54078 (99.66.187.4/54078)
    Jan 07 2014 14:41:55: %ASA-6-302015: Built inbound UDP connection 2111 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)
    Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2072 for outside:10.0.251.10/58472(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 210 (jshojayi)
    Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2080 for outside:10.0.251.10/62680(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:10 bytes 210 (jshojayi)
    Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2073 for outside:10.0.251.10/59472(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:10 bytes 210 (jshojayi)
    Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2076 for outside:10.0.251.10/60425(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:10 bytes 210 (jshojayi)
    Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2096 for outside:10.0.251.10/52985(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:07 bytes 175 (jshojayi)
    Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2075 for outside:10.0.251.10/53507(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 210 (jshojayi)
    Jan 07 2014 14:41:55: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(59472)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
    Jan 07 2014 14:41:55: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(60425)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
    Jan 07 2014 14:41:55: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(53507)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
    Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2077 for outside:10.0.251.10/57569(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 210 (jshojayi)
    Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2078 for outside:10.0.251.10/54477(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 210 (jshojayi)
    Jan 07 2014 14:41:55: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(62680)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
    Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2079 for outside:10.0.251.10/56608(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 210 (jshojayi)
    Jan 07 2014 14:41:55: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(56608)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
    Jan 07 2014 14:41:59: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(54477)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
    Jan 07 2014 14:41:59: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(52985)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
    Jan 07 2014 14:41:59: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(57569)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
    Jan 07 2014 14:41:59: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(58472)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
    Jan 07 2014 14:41:59: %ASA-6-302016: Teardown UDP connection 2111 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
    Jan 07 2014 14:41:59: %ASA-7-106100: access-list INSIDE_OUT permitted udp inside/10.0.250.22(54078) -> outside/68.94.157.1(53) hit-cnt 1 first hit [0x2ee9b03d, 0x15ffa408]
    Jan 07 2014 14:41:59: %ASA-6-302015: Built outbound UDP connection 2112 for outside:68.94.157.1/53 (68.94.157.1/53) to inside:10.0.250.22/54078 (99.66.187.4/54078)
    Jan 07 2014 14:41:59: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/5935 laddr 99.66.187.4/5935
    Jan 07 2014 14:41:59: %ASA-6-302021: Teardown ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/5935 laddr 99.66.187.4/5935
    Jan 07 2014 14:41:59: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(60840)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
    Jan 07 2014 14:41:59: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(58388)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
    Jan 07 2014 14:41:59: %ASA-6-302015: Built inbound UDP connection 2114 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)
    Jan 07 2014 14:41:59: %ASA-6-302016: Teardown UDP connection 2114 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
    Jan 07 2014 14:41:59: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/52140 to outside:99.66.187.4/52140 duration 0:00:31
    Jan 07 2014 14:41:59: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/64609 to outside:99.66.187.4/64609 duration 0:02:32
    Jan 07 2014 14:41:59: %ASA-6-302016: Teardown UDP connection 2092 for outside:10.0.251.10/51932(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 198 (jshojayi)
    Jan 07 2014 14:41:59: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/57116(LOCAL\jshojayi) to outside:99.66.187.4/57116
    Jan 07 2014 14:41:59: %ASA-6-302015: Built inbound UDP connection 2115 for outside:10.0.251.10/57116 (99.66.187.4/57116)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
    Jan 07 2014 14:41:59: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/55793 laddr 99.66.187.4/55793
    Jan 07 2014 14:41:59: %ASA-6-302021: Teardown ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/55793 laddr 99.66.187.4/55793
    Jan 07 2014 14:42:00: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(51932)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
    Jan 07 2014 14:42:00: %ASA-6-302016: Teardown UDP connection 2115 for outside:10.0.251.10/57116(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:01 bytes 99 (jshojayi)
    Jan 07 2014 14:42:00: %ASA-6-302015: Built inbound UDP connection 2117 for outside:10.0.251.10/57116 (99.66.187.4/57116)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
    Jan 07 2014 14:42:00: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/58663(LOCAL\jshojayi) to outside:99.66.187.4/58663
    Jan 07 2014 14:42:00: %ASA-6-302015: Built inbound UDP connection 2118 for outside:10.0.251.10/58663 (99.66.187.4/58663)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
    Jan 07 2014 14:42:00: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/49740(LOCAL\jshojayi) to outside:99.66.187.4/49740
    Jan 07 2014 14:42:00: %ASA-6-302015: Built inbound UDP connection 2119 for outside:10.0.251.10/49740 (99.66.187.4/49740)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
    Jan 07 2014 14:42:00: %ASA-7-710005: UDP request discarded from 10.0.251.10/60970 to outside:224.0.0.252/5355
    Jan 07 2014 14:42:04: %ASA-6-302016: Teardown UDP connection 2098 for outside:68.94.156.1/53 to inside:10.0.250.22/60524 duration 0:00:11 bytes 176
    Jan 07 2014 14:42:04: %ASA-7-710005: UDP request discarded from 10.0.251.10/60970 to outside:224.0.0.252/5355
    Jan 07 2014 14:42:04: %ASA-6-302016: Teardown UDP connection 2118 for outside:10.0.251.10/58663(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:00 bytes 148 (jshojayi)
    Jan 07 2014 14:42:04: %ASA-6-302016: Teardown UDP connection 2119 for outside:10.0.251.10/49740(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:00 bytes 142 (jshojayi)
    Jan 07 2014 14:42:04: %ASA-6-302020: Built outbound ICMP connection for faddr 68.94.157.1/0 gaddr 99.66.187.4/0 laddr 10.0.250.22/0
    Jan 07 2014 14:42:04: %ASA-6-302016: Teardown UDP connection 2101 for outside:68.94.157.1/53 to inside:10.0.250.22/60524 duration 0:00:11 bytes 220
    Jan 07 2014 14:42:04: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/63533 laddr 99.66.187.4/63533
    Jan 07 2014 14:42:04: %ASA-6-302021: Teardown ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/63533 laddr 99.66.187.4/63533
    Jan 07 2014 14:42:04: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.157.1(53) -> inside/10.0.250.22(60524) hit-cnt 1 first hit [0x97487378, 0x0]
    Jan 07 2014 14:42:04: %ASA-6-302015: Built inbound UDP connection 2122 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)
    Jan 07 2014 14:42:04: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/51200(LOCAL\jshojayi) to outside:99.66.187.4/51200
    Jan 07 2014 14:42:04: %ASA-6-302015: Built inbound UDP connection 2123 for outside:10.0.251.10/51200 (99.66.187.4/51200)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
    Jan 07 2014 14:42:04: %ASA-6-302016: Teardown UDP connection 2122 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)
    Jan 07 2014 14:42:04: %ASA-6-302021: Teardown ICMP connection for faddr 68.94.157.1/0 gaddr 99.66.187.4/0 laddr 10.0.250.22/0
    Jan 07 2014 14:42:04: %ASA-6-302016: Teardown UDP connection 2123 for outside:10.0.251.10/51200(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:00 bytes 182 (jshojayi)
    Jan 07 2014 14:42:04: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/53977 to outside:99.66.187.4/53977 duration 0:00:30
    Jan 07 2014 14:42:04: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/64875 to outside:99.66.187.4/64875 duration 0:00:43
    Jan 07 2014 14:42:04: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/58618 to outside:99.66.187.4/58618 duration 0:00:43
    Jan 07 2014 14:42:04: %ASA-6-302015: Built outbound UDP connection 2124 for outside:192.168.1.254/67 (192.168.1.254/67) to identity:99.66.187.4/68 (99.66.187.4/68)
    Jan 07 2014 14:42:05: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> inside/10.0.250.22(60524) hit-cnt 1 first hit [0x97487378, 0x0]
    Jan 07 2014 14:42:05: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/60404 to outside:99.66.187.4/60404 duration 0:00:43
    Jan 07 2014 14:42:05: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/17510 laddr 99.66.187.4/17510
    Jan 07 2014 14:42:05: %ASA-6-302021: Teardown ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/17510 laddr 99.66.187.4/17510
    Jan 07 2014 14:42:06: %ASA-6-302016: Teardown UDP connection 2110 for outside:68.94.156.1/53 to inside:10.0.250.22/54078 duration 0:00:11 bytes 132
    Jan 07 2014 14:42:07: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> inside/10.0.250.22(54078) hit-cnt 1 first hit [0x97487378, 0x0]
    Jan 07 2014 14:42:07: %ASA-6-302020: Built outbound ICMP connection for faddr 68.94.157.1/0 gaddr 99.66.187.4/0 laddr 10.0.250.22/0
    Jan 07 2014 14:42:07: %ASA-6-302016: Teardown UDP connection 2112 for outside:68.94.157.1/53 to inside:10.0.250.22/54078 duration 0:00:11 bytes 165
    Jan 07 2014 14:42:08: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.157.1(53) -> inside/10.0.250.22(54078) hit-cnt 1 first hit [0x97487378, 0x0]
    Jan 07 2014 14:42:08: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/14848 laddr 99.66.187.4/14848
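
The symptom described in the post above can be checked mechanically. This is an added example, not part of the original post: it reads ASA 302013/302015 and 106100 messages and reports, for each flow sourced from the AnyConnect pool, whether the pool address stayed untranslated or was mapped to another address, and which ACL denied packets addressed to the pool. The sample lines are copied from the log above; the function and constant names are assumptions of this example.

```python
"""Audit ASA syslog for NAT applied to AnyConnect pool addresses (added example)."""
import ipaddress
import re
from collections import Counter

# Subnet of the pool in the posted config (object network VPN-POOL).
VPN_POOL = ipaddress.ip_network("10.0.251.0/24")

# One endpoint of a 302013/302015 message: IFACE:REAL/PORT (MAPPED/PORT)
ENDPOINT = r"([\w-]+):([\d.]+)/\d+ \(([\d.]+)/\d+\)"
CONN_RE = re.compile(
    r"%ASA-6-30201[35]: Built (?:inbound|outbound) (TCP|UDP) connection \d+ for "
    + ENDPOINT + r"(?:\([^)]*\))? to " + ENDPOINT
)
# 106100 deny: access-list NAME denied PROTO IF/SRC(PORT) -> IF/DST(PORT)
DENY_RE = re.compile(
    r"%ASA-\d-106100: access-list (\S+) denied \w+ "
    r"[\w-]+/[\d.]+\(\d+\) -> ([\w-]+)/([\d.]+)\(\d+\)"
)

# Lines copied from the log in the post above (raw string keeps LOCAL\user intact).
SAMPLE_LOG = r"""
Jan 07 2014 14:41:50: %ASA-7-106100: access-list INSIDE_OUT permitted udp inside/10.0.250.22(60524) -> outside/68.94.156.1(53) hit-cnt 1 first hit [0x2ee9b03d, 0x15ffa408]
Jan 07 2014 14:41:50: %ASA-6-302015: Built outbound UDP connection 2098 for outside:68.94.156.1/53 (68.94.156.1/53) to inside:10.0.250.22/60524 (99.66.187.4/60524)
Jan 07 2014 14:41:50: %ASA-6-302015: Built inbound UDP connection 2100 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)
Jan 07 2014 14:41:51: %ASA-6-302013: Built inbound TCP connection 2102 for outside:10.0.251.10/52558 (10.0.251.10/52558)(LOCAL\jshojayi) to inside:10.0.250.15/3389 (10.0.250.15/3389) (jshojayi)
Jan 07 2014 14:41:53: %ASA-6-302015: Built inbound UDP connection 2105 for outside:10.0.251.10/63938 (99.66.187.4/63938)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
Jan 07 2014 14:41:53: %ASA-6-302015: Built inbound UDP connection 2107 for outside:10.0.251.10/55378 (99.66.187.4/55378)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)
Jan 07 2014 14:41:55: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(59472)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:41:55: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(60425)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]
Jan 07 2014 14:42:04: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.157.1(53) -> inside/10.0.250.22(60524) hit-cnt 1 first hit [0x97487378, 0x0]
""".strip().splitlines()


def audit_pool_nat(lines, pool=VPN_POOL):
    """Classify connections whose first endpoint is a pool address.

    Returns three dicts of counts:
      untranslated   keyed by (peer interface, peer address)
      translated     keyed by (peer interface, peer address, mapped pool address)
      denied_to_pool keyed by (ACL name, pool address the packet was sent to)
    """
    untranslated, translated, denied = Counter(), Counter(), Counter()
    for line in lines:
        conn = CONN_RE.search(line)
        if conn:
            _proto, _src_if, real, mapped, dst_if, dst, _dst_map = conn.groups()
            if ipaddress.ip_address(real) in pool:
                if real == mapped:
                    # Real and mapped addresses match: no translation was applied.
                    untranslated[(dst_if, dst)] += 1
                else:
                    # Pool address was rewritten before leaving the firewall.
                    translated[(dst_if, dst, mapped)] += 1
            continue
        deny = DENY_RE.search(line)
        if deny and ipaddress.ip_address(deny.group(3)) in pool:
            denied[(deny.group(1), deny.group(3))] += 1
    return {
        "untranslated": dict(untranslated),
        "translated": dict(translated),
        "denied_to_pool": dict(denied),
    }


if __name__ == "__main__":
    report = audit_pool_nat(SAMPLE_LOG)
    for section, entries in report.items():
        print(section)
        for key, count in sorted(entries.items()):
            print("   ", key, count)
```

On these sample lines the pool client's RDP flow to inside:10.0.250.15 is untranslated, its DNS flows to outside:68.94.156.1 are mapped to 99.66.187.4, and OUTSIDE_IN denies packets addressed to the pool client.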

  • I cannot ping any VIP from within the ACE or from rservers

    I cannot ping any VIP from within the ACE or from rservers.  Is this expected?  I have rservers in other serverfarms that need to be able to communicate with the VIP of other serverfarms.  Any help is greatly appreciated.

    Thanks for your reply. Here is the config. I removed other rserver and serverfarm config that does not have to do with this issue.
    logging enable
    logging fastpath
    logging standby
    logging console 4
    logging timestamp
    logging trap 4
    logging history 4
    logging buffered 4
    logging persistent 4
    logging monitor 4
    logging device-id hostname
    logging host 172.26.254.185 udp/514
    logging host 172.26.221.25 udp/514
    access-list INBOUND line 8 extended permit ip any any
    access-list INBOUND line 16 extended permit icmp any any
    access-list INBOUND line 24 extended permit tcp any any
    access-list INBOUND line 32 extended permit udp any any
    access-list ORADB line 8 extended permit tcp any any
    probe http CITRIX
      interval 30
      passdetect interval 15
      passdetect count 6
      open 1
    probe tcp HYPERION
      port 19000
      interval 2
      faildetect 2
      passdetect interval 2
      passdetect count 2
      receive 2
      open 1
    probe icmp PROBE_SERVICE_ICMP
      interval 5
      passdetect interval 5
    probe tcp W15SPSWFET001_PROBE
      interval 5
      passdetect interval 5
      connection term forced
      open 1
    parameter-map type connection TIMEOUT
      set timeout inactivity 43200
    parameter-map type http test
      persistence-rebalance
      set header-maxparse-length 2006
    rserver host w0bairwatch003
      description MDM-SEG
      ip address 172.20.60.73
      inservice
    rserver host w0bairwatch004
      description MDM-SEG
      ip address 172.20.60.74
      inservice
    rserver host w0bairwatch005
      description MDM-DEVICE
      ip address 172.20.60.75
      inservice
    rserver host w0bairwatch006
      description MDM-DEVICE
      ip address 172.20.60.76
      inservice
    rserver host w0bhamobile001
      description Lotus Notes Traveler Server
      ip address 172.20.60.57
      inservice
    rserver host w0bhamobile002
      description Lotus Notes Traveler Server
      ip address 172.20.60.58
      inservice
    serverfarm host MDMDEVICE
      predictor leastconns
      probe PROBE_SERVICE_ICMP
      rserver w0bairwatch005
        inservice
      rserver w0bairwatch006
    serverfarm host MDMSEG
      predictor leastconns
      probe PROBE_SERVICE_ICMP
      rserver w0bairwatch003
        inservice
      rserver w0bairwatch004
        inservice
    serverfarm host TRAVLR
      predictor leastconns
      probe PROBE_SERVICE_ICMP
      rserver w0bhamobile001
        inservice
      rserver w0bhamobile002
        inservice
    class-map match-all MDMDEVICE-VIP
      2 match virtual-address 172.20.48.35 any
    class-map match-all MDMSEG-VIP
      2 match virtual-address 172.20.48.33 any
    class-map type management match-any REMOTE_ACCESS
      description Remote access traffic match
      201 match protocol ssh any
      202 match protocol telnet any
      203 match protocol icmp any
      204 match protocol https any
      205 match protocol http any
      206 match protocol xml-https any
      207 match protocol snmp any
    class-map match-all TRAVLR-VIP
      2 match virtual-address 172.20.48.34 any
    policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
      class REMOTE_ACCESS
        permit
    policy-map type loadbalance first-match MDMDEVICE
      class class-default
        serverfarm MDMDEVICE
    policy-map type loadbalance first-match MDMSEG
      class class-default
        serverfarm MDMSEG
    policy-map type loadbalance first-match TRAVLR
      class class-default
        serverfarm TRAVLR
    policy-map multi-match CLIENTS-VIPS
      class MDMDEVICE-VIP
        loadbalance vip inservice
        loadbalance policy MDMDEVICE
        loadbalance vip icmp-reply active
      class MDMSEG-VIP
        loadbalance vip inservice
        loadbalance policy MDMSEG
        loadbalance vip icmp-reply active
      class TRAVLR-VIP
        loadbalance vip inservice
        loadbalance policy TRAVLR
        loadbalance vip icmp-reply active
    interface vlan 48
      ip address 172.20.48.10 255.255.255.0
      access-group input INBOUND
      access-group output INBOUND
      service-policy input REMOTE_MGMT_ALLOW_POLICY
      service-policy input CLIENTS-VIPS
      no shutdown
    interface vlan 60
      ip address 172.20.60.10 255.255.255.0
      access-group input INBOUND
      access-group output INBOUND
      service-policy input REMOTE_MGMT_ALLOW_POLICY
      no shutdown
    ip route 0.0.0.0 0.0.0.0 172.20.48.1

  • I am not able to use the ftp export in Muse. When I enter my host, name and password, I get a long interlude of rainbow wheel and finally the message that my ftp host cannot be found. I have verified the name and that it is port 21. I can export to html a

    I am not able to use the ftp export in Muse. When I enter my host, name and password, I get a long interlude of rainbow wheel and finally the message that my ftp host cannot be found. I have verified the name and that it is port 21. I can export to html and use another ftp client to upload (to the same server) but this is tedious and making minor changes is painful. Have you encountered this and found a solution?

    Hi Susan,
    In that case I will recommend that you consult a local technician/IT team and see if there is some network connectivity issue with your machine.
    - Abhishek Maurya

  • Anyconnect VPN peers cannot ping, RDP each other

    I have an ASA5505 running ASA 8.3(1) and ASDM 7.1(1). I have a remote access VPN set up and the remote access users are able to log in and access LAN resources. I can ping the VPN peers from the remote LAN. My problem is that the VPN peers cannot ping (RDP, etc.) each other. Pinging one VPN peer from another reveals the following error in the ASA log.
    Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.10.10.8 dst outside:10.10.10.9 (type 8, code 0) denied due to NAT reverse path failure. 
    Below is my ASA running-config:
    ASA Version 8.3(1)
    hostname ciscoasa
    domain-name dental.local
    enable password 9ddwXcOYB3k84G8Q encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    dns domain-lookup inside
    dns server-group DefaultDNS
    name-server 192.168.1.128
    domain-name dental.local
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network RAVPN
    subnet 10.10.10.0 255.255.255.0
    object network NETWORK_OBJ_10.10.10.0_28
    subnet 10.10.10.0 255.255.255.240
    object network NETWORK_OBJ_192.168.1.0_24
    subnet 192.168.1.0 255.255.255.0
    access-list Local_LAN_Access remark VPN client local LAN access
    access-list Local_LAN_Access standard permit host 0.0.0.0
    access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
    access-list VpnPeers remark allow vpn peers to ping each other
    access-list VpnPeers extended permit ip object NETWORK_OBJ_10.10.10.0_28 object NETWORK_OBJ_10.10.10.0_28
    pager lines 24
    logging enable
    logging asdm informational
    logging mail informational
    logging from-address [email protected]
    logging recipient-address [email protected] level informational
    logging rate-limit 1 600 level 6
    mtu outside 1500
    mtu inside 1500
    ip local pool VPNPool 10.10.10.5-10.10.10.10 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-711.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,any) source static any any destination static RAVPN RAVPN
    nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28
    nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28
    object network obj_any
    nat (inside,outside) dynamic interface
    object network RAVPN
    nat (any,outside) dynamic interface
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint LOCAL-CA-SERVER
    keypair LOCAL-CA-SERVER
    crl configure
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    subject-name CN=ciscoasa
    keypair billvpnkey
    proxy-ldc-issuer
    crl configure
    crypto ca server
    cdp-url http://ciscoasa/+CSCOCA+/asa_ca.crl
    issuer-name CN=ciscoasa
    smtp from-address admin@ciscoasa
    crypto ca certificate chain LOCAL-CA-SERVER
    certificate ca 01
       **hidden**
      quit
    crypto ca certificate chain ASDM_TrustPoint0
    certificate 10bdec50
        **hidden**
      quit
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication crack
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 50
    authentication rsa-sig
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 70
    authentication crack
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 110
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 120
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    client-update enable
    telnet 192.168.1.1 255.255.255.255 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd auto_config outside
    dhcpd address 192.168.1.50-192.168.1.99 inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
    enable outside
    svc image disk0:/anyconnect-win-3.1.04072-k9.pkg 1
    svc profiles DellStudioClientProfile disk0:/dellstudioclientprofile.xml
    svc enable
    tunnel-group-list enable
    internal-password enable
    smart-tunnel list SmartTunnelList RDP mstsc.exe platform windows
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    dns-server value 192.168.1.128
    vpn-tunnel-protocol l2tp-ipsec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
    default-domain value dental.local
    webvpn
      svc modules value vpngina
    group-policy DefaultRAGroup_1 internal
    group-policy DefaultRAGroup_1 attributes
    dns-server value 192.168.1.128
    vpn-tunnel-protocol l2tp-ipsec
    default-domain value dental.local
    group-policy DfltGrpPolicy attributes
    dns-server value 192.168.1.128
    vpn-simultaneous-logins 4
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    group-lock value RAVPN
    split-tunnel-network-list value Local_LAN_Access
    default-domain value dental.local
    webvpn
      url-list value DentalMarks
      svc modules value vpngina
      svc profiles value dellstudio type user
      svc ask enable default webvpn
      smart-tunnel enable SmartTunnelList
    username wketchel1 password 5c5OoeNtCiX6lGih encrypted
    username wketchel1 attributes
    vpn-group-policy DfltGrpPolicy
    webvpn
      svc profiles value DellStudioClientProfile type user
    username wketchel password 5c5OoeNtCiX6lGih encrypted privilege 15
    username wketchel attributes
    vpn-group-policy DfltGrpPolicy
    webvpn
      svc modules none
      svc profiles value DellStudioClientProfile type user
    username jenniferk password 5.TcqIFN/4yw0Vq1 encrypted privilege 0
    username jenniferk attributes
    vpn-group-policy DfltGrpPolicy
    webvpn
      svc profiles value DellStudioClientProfile type user
    tunnel-group DefaultRAGroup general-attributes
    address-pool VPNPool
    authorization-server-group LOCAL
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *****
    tunnel-group DefaultRAGroup ppp-attributes
    authentication pap
    authentication ms-chap-v2
    authentication eap-proxy
    tunnel-group RAVPN type remote-access
    tunnel-group RAVPN general-attributes
    address-pool VPNPool
    authorization-server-group LOCAL
    tunnel-group RAVPN webvpn-attributes
    group-alias RAVPN enable
    tunnel-group RAVPN ipsec-attributes
    pre-shared-key *****
    tunnel-group RAVPN ppp-attributes
    authentication pap
    authentication ms-chap-v2
    authentication eap-proxy
    tunnel-group WebSSLVPN type remote-access
    tunnel-group WebSSLVPN webvpn-attributes
    group-alias WebSSLVPN enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    smtp-server 173.194.64.108
    prompt hostname context
    hpm topN enable
    Cryptochecksum:3304bf6dcf6af5804a21e9024da3a6f8
    : end

    Hi,
    Seems to me that you could clean up the current NAT configuration a bit and make it a bit clearer.
    I would suggest the following changes
    object network VPN-POOL
    subnet 10.10.10.0 255.255.255.0
    object network LAN
    subnet 192.168.1.0 255.255.255.0
    object-group network PAT-SOURCE
    network-object 192.168.1.0 255.255.255.0
    network-object 10.10.10.0 255.255.255.0
    nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
    nat (outside,outside) 1 source static VPN-POOL VPN-POOL destination static VPN-POOL VPN-POOL
    nat (any,outside) after-auto source dynamic PAT-SOURCE interface
    The above should enable
    Dynamic PAT for LAN and VPN users
    NAT0 for the traffic between LAN and VPN
    NAT0 for traffic between VPN users
    You could then remove the previous NAT configurations. Naturally, please do back up the configuration before making the change, in case you wish to move back to the original configuration.
    no nat (inside,any) source static any any destination static RAVPN RAVPN
    no nat  (inside,outside) source static NETWORK_OBJ_192.168.1.0_24  NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_10.10.10.0_28  NETWORK_OBJ_10.10.10.0_28
    no nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28
    no object network obj_any
    no object network RAVPN
    In the event that you don't want to change the configuration that much, you might be fine just by adding this
    object network VPN-POOL
    subnet 10.10.10.0 255.255.255.0
    nat (outside,outside) 1 source static VPN-POOL VPN-POOL destination static VPN-POOL VPN-POOL
    But the other configuration changes above would make the current NAT configuration simpler and make it clearer to see each "nat" configuration's purpose.
    - Jouni
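
Added example (not part of the reply above or of the poster's configuration): a small Python model of ASA 8.3+ NAT lookup order (section 1 manual NAT, section 2 object NAT, section 3 after-auto), run against the rules before and after the suggested change. Assumptions: the RAVPN object covers 10.10.10.0/24 and obj_any is 0.0.0.0/0 (neither definition is visible in the quoted config), all host addresses are constructed, and section 2 ordering is simplified to static before dynamic, then smaller network first.

```python
import ipaddress
from dataclasses import dataclass


def nets(*cidrs):
    return tuple(ipaddress.ip_network(c) for c in cidrs)


ANY = nets("0.0.0.0/0")
LAN = nets("192.168.1.0/24")          # inside subnet from the posted config
VPN_POOL = nets("10.10.10.0/24")      # VPN-POOL object from the reply
POOL_28 = nets("10.10.10.0/28")       # NETWORK_OBJ_10.10.10.0_28
PAT_SOURCE = LAN + VPN_POOL           # PAT-SOURCE object-group from the reply


@dataclass(frozen=True)
class NatRule:
    section: int      # 1 = manual NAT, 2 = object (auto) NAT, 3 = after-auto
    real_if: str      # "inside", "outside" or "any"
    mapped_if: str
    kind: str         # "identity" (static X X, i.e. NAT0) or "pat"
    src: tuple
    dst: tuple = ANY
    label: str = ""


def _if_ok(rule_if, pkt_if):
    return rule_if == "any" or rule_if == pkt_if


def _in(ip, networks):
    return any(ip in n for n in networks)


def _matches(rule, in_if, out_if, src, dst):
    forward = (_if_ok(rule.real_if, in_if) and _if_ok(rule.mapped_if, out_if)
               and _in(src, rule.src) and _in(dst, rule.dst))
    if forward or rule.kind != "identity":
        return forward            # dynamic rules only match in one direction
    # Static rules are bidirectional: also try the reply direction.
    return (_if_ok(rule.real_if, out_if) and _if_ok(rule.mapped_if, in_if)
            and _in(dst, rule.src) and _in(src, rule.dst))


def _ordered(rules):
    def key(item):
        idx, r = item
        if r.section == 2:        # simplified auto-NAT ordering (assumption)
            size = sum(n.num_addresses for n in r.src)
            return (2, r.kind != "identity", size, idx)
        return (r.section, False, 0, idx)   # manual NAT: configured order
    return [r for _, r in sorted(enumerate(rules), key=key)]


def nat_decision(rules, in_if, out_if, src, dst):
    """Return (kind, label) of the first NAT rule the flow hits."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in _ordered(rules):
        if _matches(rule, in_if, out_if, s, d):
            return rule.kind, rule.label
    return "none", "no NAT rule matched"


# Rules as posted (the three manual rules the reply removes, plus object NAT).
BEFORE = [
    NatRule(1, "inside", "any", "identity", ANY, VPN_POOL, "S1 any -> RAVPN NAT0"),
    NatRule(1, "inside", "outside", "identity", LAN, POOL_28, "S1 LAN -> /28 NAT0"),
    NatRule(1, "inside", "outside", "identity", ANY, POOL_28, "S1 any -> /28 NAT0"),
    NatRule(2, "inside", "outside", "pat", ANY, label="S2 obj_any PAT"),
    NatRule(2, "any", "outside", "pat", VPN_POOL, label="S2 RAVPN PAT"),
]

# Rules after the suggested change; "1" places the hairpin rule first.
AFTER = [
    NatRule(1, "outside", "outside", "identity", VPN_POOL, VPN_POOL,
            "S1 VPN-POOL hairpin NAT0"),
    NatRule(1, "inside", "outside", "identity", LAN, VPN_POOL,
            "S1 LAN <-> VPN-POOL NAT0"),
    NatRule(3, "any", "outside", "pat", PAT_SOURCE,
            label="S3 PAT-SOURCE after-auto PAT"),
]

# Constructed flows: (description, ingress, egress, source, destination)
FLOWS = [
    ("VPN user -> VPN user", "outside", "outside", "10.10.10.5", "10.10.10.6"),
    ("LAN host -> VPN user", "inside", "outside", "192.168.1.20", "10.10.10.5"),
    ("VPN user -> LAN host", "outside", "inside", "10.10.10.5", "192.168.1.20"),
    ("VPN user -> Internet", "outside", "outside", "10.10.10.5", "198.51.100.10"),
]

if __name__ == "__main__":
    for name, *flow in FLOWS:
        print(f"{name:22} before={nat_decision(BEFORE, *flow)}"
              f" after={nat_decision(AFTER, *flow)}")
```

On the device itself, `packet-tracer` shows which NAT rule a given flow actually hits and is the authoritative check.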

  • VPN client connected to VPN but can't ping or access to server

    Hi,
    I need help urgently. I have been troubleshooting for a day, but have no idea what is wrong with the config.
    Basically there are 2 sets of VPN configured: one is a site-to-site IPsec VPN and the other connects via VPN client software, and they coexist on the same router.
    Recently we have been having a problem where the client can't access or ping the internal server, which is 192.168.6.3, from the VPN client software.
    The VPN client will connect to the VPN IP pool 10.20.1.0 to 10.20.1.100.
    The software itself shows connected, but the requests time out when pinging.
    Below is the config. Some of the commands might be extra, as I did some tests that ended up not working.
    aaa new-model
    aaa authentication login userauthen local
    aaa authorization network adminmap group VPNClient
    aaa authorization network groupauthor local
    aaa authorization network map-singapore local
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key emptyspace address 203.142.83.218 no-xauth
    crypto isakmp keepalive 15 periodic
    crypto isakmp client configuration address-pool local ippool
    crypto isakmp client configuration group map-singapore
    key cisco123
    dns 192.168.6.3
    domain cisco.com
    pool ippool
    acl 102
    crypto isakmp profile VPNclient
       match identity address 27.54.43.210 255.255.255.255
       match identity group vpnclient
       client authentication list userauthen
       client configuration address respond
    crypto ipsec security-association idle-time 86400
    crypto ipsec transform-set REMSET esp-3des esp-md5-hmac
    crypto ipsec transform-set DYNSET esp-aes esp-md5-hmac
    crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
    crypto dynamic-map dynmap 10
    set transform-set DYNSET
    set isakmp-profile VPNclient
    reverse-route
    crypto map VPNMAP client authentication list userauthen
    crypto map VPNMAP isakmp authorization list map-singapore
    crypto map VPNMAP client configuration address respond
    crypto map VPNMAP 10 ipsec-isakmp dynamic dynmap
    crypto map VPNMAP 11 ipsec-isakmp
    description VPN to ASA5520
    set peer 203.142.83.218
    set security-association lifetime kilobytes 14608000
    set security-association lifetime seconds 86400
    set transform-set REMSET
    match address 100
    interface GigabitEthernet0/0
    ip address 27.54.43.210 255.255.255.240
    ip nat outside
    no ip virtual-reassembly
    duplex full
    speed 100
    crypto map VPNMAP
    interface GigabitEthernet0/1
    ip address 192.168.6.1 255.255.255.0
    ip nat inside
    no ip virtual-reassembly
    duplex full
    speed 100
    interface GigabitEthernet0/2
    description $ES_LAN$
    no ip address
    shutdown
    duplex auto
    speed auto
    ip local pool ippool 10.20.1.0 10.20.1.100
    ip forward-protocol nd
    ip pim bidir-enable
    no ip http server
    ip http authentication local
    no ip http secure-server
    ip nat inside source list 1 interface GigabitEthernet0/0 overload
    ip nat inside source list 101 interface GigabitEthernet0/0 overload
    ip nat inside source route-map nonat interface GigabitEthernet0/0 overload
    ip nat inside source static 192.168.6.3 27.54.43.212
    ip route 0.0.0.0 0.0.0.0 27.54.43.209
    ip route 192.168.1.0 255.255.255.0 27.54.43.209
    ip route 192.168.151.0 255.255.255.0 192.168.6.151
    ip route 192.168.208.0 255.255.255.0 27.54.43.209
    ip access-list extended RA_SING
    permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
    permit ip 192.168.6.0 0.0.0.255 10.0.0.0 0.255.255.255
    permit ip 10.0.0.0 0.255.255.255 192.168.6.0 0.0.0.255
    permit ip 192.168.6.0 0.0.0.255 192.168.208.0 0.0.0.255
    permit ip 10.20.1.1 0.0.0.100 192.168.6.0 0.0.0.255
    permit ip 10.20.1.0 0.0.0.255 10.0.0.0 0.255.255.255
    deny   ip any any log
    access-list 1 remark Local Network
    access-list 1 permit 192.168.6.0 0.0.0.255
    access-list 1 permit 192.168.102.0 0.0.0.255
    access-list 1 permit 192.168.151.0 0.0.0.255
    access-list 2 remark VPNClient-range
    access-list 2 permit 10.0.0.0 0.255.255.255
    access-list 10 permit 192.168.6.0 0.0.0.255
    access-list 10 permit 192.168.102.0 0.0.0.255
    access-list 10 permit 192.168.151.0 0.0.0.255
    access-list 10 permit 10.0.0.0 0.255.255.255
    access-list 100 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 100 permit ip 192.168.102.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 100 permit ip 192.168.6.0 0.0.0.255 192.168.208.0 0.0.0.255
    access-list 100 permit ip host 192.168.6.7 host 192.168.208.48
    access-list 101 deny   ip 192.168.6.0 0.0.0.255 10.0.0.0 0.255.255.255
    access-list 101 permit ip 10.0.0.0 0.255.255.255 any
    access-list 101 permit ip 192.168.6.0 0.0.0.255 any
    access-list 102 permit ip 10.0.0.0 0.255.255.255 any
    access-list 120 deny   ip any any log
    access-list 120 deny   ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255 log
    access-list 120 deny   ip 192.168.6.0 0.0.0.255 10.0.0.0 0.255.255.255
    access-list 120 deny   ip 192.168.6.0 0.0.0.255 192.168.208.0 0.0.0.255
    no cdp run
    route-map nonat permit 10
    match ip address 120
    control-plane
    alias isakmp-profile sh crypto isakmp sa
    alias exec ipsec sh crypto ipsec sa
    banner motd ^CC^C

    I did not try to ping 4.2.2.2. I just know I cannot ping Comcast's DNS servers. I have updated the firmware on the router and it did not work. The computer was able to access the internet until about a week ago; I don't understand what could have changed that I would now need a static DNS.

  • Michael Miller: Removed Cannot log in (old mail on file?) and cannot download Lightroom 5.6 from inside Lightroom.  Get NO DATA RECEIVED error. Need to get back on Chat.

    This was my previous discussion with Adobe Chat, which I CANNOT FIND a link to now.
    It's a catch 22.  I think Adobe still had my old email address, which I have deleted with Comcast.
    Therefore, Adobe cannot send me a change of password form, nor can I update my email.
    I think Chat is my best bet, but cannot find link.
    Note, I may not be able to receive forum responses, if Adobe notifies my old email address.
    If I need to sign in to get responses, I cannot do that either. Adobe reports an error if I use my old address.
    I cannot update my email address, without signing in.
    Adobe, and everyone else needs to have links for: Forgot Your Password? -AND- Forgot Your Email (or changed it).
    Please reach me outside of Adobe at: <Removed by Moderator>
    I am a registered customer with products on file.
    Chat History:
    Sandesh: May I have the email address to  which you have access ?
    you: Correct address is:<Removed by Moderator>
    But, do I have to login to download updates. I got the dialog directly from LR, when I opened it.
    Sandesh: May I have the serial number of the product please ?
    you: LR 5: <serial number removed by moderator>
    Sandesh: Thank you.
    Sandesh: May I know the exact error message you are getting ?
    you: NO DATA RECEIVED. In the meantime, I found another LR ID: <serial number removed by moderator> in case you need it.
    Sandesh: Sure.
    Sandesh: May I know whether you are using the Dvd or the download ?
    my comment (I already said download above).
    you: Trying to download from your Adobe web site.
    Sandesh: Okay.
    Sandesh: Please allow me  a moment.
    Sandesh: Could you please copy paste the URL of the download link you are using on the chat screen so that I can check ?
    Sandesh: Are we still connected?
    Added today: 8/19/2014:
    The link the download button is on, is:
    http://www.adobe.com/support/downloads/thankyou.jsp?ftpID=5823&fileID=5837
    Loading message says: Waiting for download.adobe.com
    The page the error is on, is:
    http://download.adobe.com/pub/adobe/lightroom/win/5.x/Lightroom_5_LS11_win_5_6.exe
    Then, while Sandesh was researching, I had to leave the room for too long and then had to go out.  So,
    Sandesh: Since we have not heard from you for some time, we will now end this chat.

    Michael Miller please try a different web browser.  You may also want to review your host file to ensure the Adobe servers are not being blocked.  You can find details on how to review your host file at Sign in, activation, or connection errors | CC, CS6, CS5.5 - http://helpx.adobe.com/x-productkb/policy-pricing/activation-network-issues.html.
    I was able to download the Lightroom 5.6 update without any errors.  If you continue to face difficulties you may want to try a different Internet connection or download the update onto a USB drive on a different computer.

  • My macbook is 5 yrs old recently my iphoto has begun to malfunction. I am in remote n/w vietnam and have no card access online at the moment... but need to download my photos ... is there something I can do to refresh my 9.4.3 version ?

    I am in remote n/w Vietnam .... my 5 yr old MacBook's 9.4.3 version of iPhoto is malfunctioning ... it allows me to download photos from my camera ...... but then it freezes and I have to hit "force quit" even though it does not signal "not responding".  As a consequence .... I cannot do anything with my photos .... I gather from the dead ends I have run into ... all my time relate rights have expired ... so can anyone suggest how the problem can be overcome short of smashing the thing and buying a new one when next I get to civilization?

    Thanks mate ...
    yes I have an upgraded Iphoto 11 from 9.4.3 ........ unfortunately .... no it didn't solve the problem.  Of course my illiteracy is no help ..... but I did as you suggested and nothing changed at all.  When I highlight a photo I am unable to minimize it and despite changing folders (ie:photos to events) all that happens is that the events folder opens behind the opened photo.  The only solution is to go to "force quit" even though there is no sign to say "iphoto is not responding". and start again ..... very frustrating.  Appreciate any suggestion you have ...
    Nev

  • Cannot delete a video clip from iPad, the Edit button doesn't appear ?

    With iMovie for iOS (iPad) I try to permanently delete a video clip from my iPad.
    I follow the article http://support.apple.com/kb/PH3186. But even if the video clip I want to delete is not used in a project, I simply do not find the Edit button in the upper-left corner above the Video browser as mentioned.
    This is a screenshot
    The iPad is running iOS 5.1.1 (9B206); the videos are not stored in 'pellicule'.
    Am I crazy ?
    Thank you for any help.

    Did you shoot the video in iMovie?
    Or did you shoot it via the camera app?
    If it was shot in the camera app, then it needs to be deleted in the Photos app.
    Can you see the video in the photos app?
    You can permanently delete a video clip from your device as long as it’s not in the Camera Roll or the Photos app.

  • VPN client cannot access inside hosts

    Hello,
        I have an ASA 5505 device with the attached configuration and my vpn clients can connect to it fine.  Although, once a vpn client is connected they cannot RDP, ping, or telnet any internal hosts.  The goal is to have a connected vpn client to have all access rights as anyone sitting on the internal network.  Any assistance is greatly appreciated.
    : Saved
    ASA Version 7.2(3)
    hostname Kappa-GW01
    domain-name Kappa.com
    enable password xxxxxxxxx encrypted
    names
    name 172.20.42.42 UMEFTP2 description UMAP FTP2
    name 172.20.40.246 UMEMAIL1 description Exchange Server
    name 172.20.41.3 UMERPS
    name x.x.81.81 Wilkes
    name x.x.84.41 KappaPittston
    dns-guard
    interface Ethernet0/0
    shutdown
    nameif outside
    security-level 0
    ip address x.x.148.194 255.255.255.248
    interface Ethernet0/1
    nameif Outside_Windstream
    security-level 0
    ip address x.x.205.210 255.255.255.240
    interface Ethernet0/2
    nameif inside
    security-level 100
    ip address 10.0.0.1 255.255.255.0
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    passwd 7Tpgc2AiWGxbNjkj encrypted
    boot system disk0:/asa723-k8.bin
    ftp mode passive
    dns server-group DefaultDNS
    domain-name Kappa.com
    object-group network Blue_Bell_Internal_Networks
    description Blue Bell internal network Group
    network-object 192.168.100.0 255.255.255.0
    network-object 10.0.0.0 255.255.255.0
    network-object 10.0.1.0 255.255.255.0
    network-object 10.0.2.0 255.255.255.0
    object-group network VPN-Sites
    network-object host Wilkes
    network-object host KappaPittston
    object-group network Michigan_VPN_GRP
    network-object 172.20.40.0 255.255.252.0
    object-group network ASA_OutSide_Vendors
    description ASA OutSide Vendor Access
    access-list 101 extended permit ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list 101 extended permit ip 10.0.1.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list 101 extended permit ip 10.0.2.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list 101 extended permit ip 172.20.40.0 255.255.252.0 192.168.100.0 255.255.255.0
    access-list KappaVPN_splitTunnelAcl remark Blue Bell Office
    access-list KappaVPN_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0
    access-list KappaVPN_splitTunnelAcl remark Williamston Office
    access-list KappaVPN_splitTunnelAcl standard permit 172.20.40.0 255.255.252.0
    access-list KappaVPN_splitTunnelAcl remark Pittston Office
    access-list KappaVPN_splitTunnelAcl standard permit 10.0.10.0 255.255.255.0
    access-list KappaVPN_splitTunnelAcl standard permit 10.0.2.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.10.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.30.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 172.20.40.0 255.255.252.0 inactive
    access-list inside_nat0_outbound extended permit ip 10.0.2.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.0.10.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.0.30.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 172.20.40.0 255.255.252.0 192.168.100.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 172.20.40.0 255.255.252.0 10.0.30.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 172.20.40.0 255.255.252.0 10.0.10.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 172.20.40.0 255.255.252.0 10.0.2.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.0
    access-list outside_2_cryptomap extended permit ip 10.0.0.0 255.255.255.0 172.20.48.0 255.255.252.0
    access-list umeemp_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0
    access-list umeemp_splitTunnelAcl standard permit 172.20.40.0 255.255.252.0
    access-list umeemp_splitTunnelAcl standard permit 10.0.30.0 255.255.255.0
    access-list umeemp_splitTunnelAcl standard permit 10.0.2.0 255.255.255.0
    access-list outside_5_cryptomap extended permit ip 10.0.0.0 255.255.255.0 10.0.10.0 255.255.255.0
    access-list inside_access_in extended permit ip any any
    access-list 102 extended permit tcp any any eq 2000
    access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.220 eq smtp
    access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.220 eq pop3 inactive
    access-list Outside_Winstream_access_in extended permit udp object-group VPN-Sites interface Outside_Windstream eq isakmp
    access-list Outside_Winstream_access_in extended permit tcp object-group ASA_OutSide_Vendors host x.x.205.217 eq 4080
    access-list Outside_Winstream_access_in remark SMTP Access
    access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.218 eq smtp
    access-list Outside_Winstream_access_in remark POP access
    access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.218 eq pop3
    access-list Outside_Winstream_access_in remark OWA Access
    access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.218 eq https
    access-list Outside_Winstream_access_in extended permit tcp host x.x.87.65 host x.x.205.218 eq 3389
    access-list Outside_Winstream_access_in extended permit udp host x.x.56.111 eq ntp host x.x.205.216 eq ntp
    access-list Outside_Winstream_access_in remark OWA UMAP
    access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.211 eq https
    access-list Outside_Winstream_access_in remark JLAN
    access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.215 eq https
    access-list Outside_Winstream_access_in remark UMERPS
    access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.212 eq https
    access-list Outside_Winstream_access_in remark UMERPS
    access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.212 eq ssh
    access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.213 eq https
    access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.213 eq 5494
    access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.214 eq www
    access-list Outside_Winstream_access_in extended permit tcp any host x.x.205.211 eq 8081
    access-list Outside_Winstream_access_in extended permit icmp any any echo
    access-list outside_6_cryptomap extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
    access-list outside_6_cryptomap extended permit ip 172.20.40.0 255.255.255.0 10.0.2.0 255.255.255.0
    access-list Outside_Windstream_cryptomap_11 extended permit ip 172.20.40.0 255.255.255.0 10.0.2.0 255.255.255.0
    access-list Outside_Windstream_cryptomap_10 extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
    access-list Outside_Windstream_cryptomap_5 extended permit ip 10.0.0.0 255.255.255.0 10.0.10.0 255.255.255.0
    access-list Outside_Windstream_cryptomap_12 extended permit ip 172.20.40.0 255.255.255.0 10.0.2.0 255.255.255.0
    access-list Outside_Windstream_2_cryptomap extended permit ip 10.0.0.0 255.255.255.0 172.20.48.0 255.255.252.0
    access-list nonat extended permit ip any any inactive
    pager lines 24
    logging enable
    logging asdm debugging
    logging flash-bufferwrap
    mtu outside 1500
    mtu Outside_Windstream 1500
    mtu inside 1500
    mtu management 1500
    ip local pool vpn-pool 192.168.100.100-192.168.100.200
    no failover
    monitor-interface outside
    monitor-interface Outside_Windstream
    monitor-interface inside
    monitor-interface management
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-523.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (Outside_Windstream) 1 x.x.205.216 netmask 255.0.0.0
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 172.20.40.0 255.255.252.0
    nat (inside) 1 10.0.0.0 255.255.0.0
    static (inside,Outside_Windstream) x.x.205.217 10.0.0.20 netmask 255.255.255.255
    static (inside,Outside_Windstream) x.x.205.220 10.0.0.21 netmask 255.255.255.255
    static (inside,Outside_Windstream) x.x.205.218 10.0.0.15 netmask 255.255.255.255
    static (inside,Outside_Windstream) x.x.205.215 172.20.40.145 netmask 255.255.255.255
    static (inside,Outside_Windstream) x.x.205.211 UMEMAIL1 netmask 255.255.255.255
    static (inside,Outside_Windstream) x.x.205.212 UMERPS netmask 255.255.255.255
    static (inside,Outside_Windstream) x.x.205.213 172.20.40.243 netmask 255.255.255.255
    static (inside,Outside_Windstream) x.x.205.214 172.20.40.146 netmask 255.255.255.255
    access-group acl_inbound in interface outside
    access-group Outside_Winstream_access_in in interface Outside_Windstream
    route Outside_Windstream 0.0.0.0 0.0.0.0 x.x.205.209 1
    route inside 172.20.40.0 255.255.252.0 10.0.0.3 1
    route inside 10.0.30.0 255.255.255.0 10.0.0.254 1
    route inside 10.0.1.0 255.255.255.0 10.0.0.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server BBPA-SRV-DC01 protocol radius
    aaa-server BBPA-SRV-DC01 host 10.0.0.15
    timeout 5
    key G6G7#02bj!
    aaa-server UMAP protocol radius
    aaa-server UMAP host 172.20.40.245
    timeout 5
    key gfrt1a
    aaa-server UMAP host 172.20.40.244
    timeout 5
    key gfrt1a
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    aaa authentication telnet console LOCAL
    http server enable
    http 10.0.0.0 255.255.255.0 inside
    http 10.0.0.15 255.255.255.255 inside
    http 192.168.1.0 255.255.255.0 management
    http 192.168.100.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 40 set pfs
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
    crypto dynamic-map Outside_Windstream_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto dynamic-map Outside_Windstream_dyn_map 40 set pfs
    crypto dynamic-map Outside_Windstream_dyn_map 40 set transform-set ESP-3DES-SHA
    crypto map outside_map 5 match address outside_5_cryptomap
    crypto map outside_map 5 set peer Wilkes
    crypto map outside_map 5 set transform-set ESP-3DES-SHA
    crypto map outside_map 10 match address outside_6_cryptomap
    crypto map outside_map 10 set peer KappaPittston
    crypto map outside_map 10 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto map Outside_Windstream_map 5 match address Outside_Windstream_cryptomap_5
    crypto map Outside_Windstream_map 5 set peer Wilkes
    crypto map Outside_Windstream_map 5 set transform-set ESP-3DES-SHA
    crypto map Outside_Windstream_map 10 match address Outside_Windstream_cryptomap_10
    crypto map Outside_Windstream_map 10 set peer KappaPittston
    crypto map Outside_Windstream_map 10 set transform-set ESP-3DES-SHA
    crypto map Outside_Windstream_map 65535 ipsec-isakmp dynamic Outside_Windstream_dyn_map
    crypto map Outside_Windstream_map interface Outside_Windstream
    crypto isakmp enable Outside_Windstream
    crypto isakmp policy 5
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 3600
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption des
    hash md5
    group 2
    lifetime 86400
    crypto isakmp nat-traversal  20
    telnet 10.0.0.0 255.255.0.0 inside
    telnet timeout 5
    ssh 10.0.0.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    management-access inside
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns migrated_dns_map_1
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns migrated_dns_map_1
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ftp
      inspect skinny
      inspect pptp
    service-policy global_policy global
    webvpn
    enable Outside_Windstream
    svc image disk0:/sslclient-win-1.1.4.177.pkg 1
    svc enable
    group-policy DfltGrpPolicy attributes
    banner none
    wins-server none
    dns-server none
    dhcp-network-scope none
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout 30
    vpn-session-timeout none
    vpn-filter none
    vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
    password-storage disable
    ip-comp disable
    re-xauth disable
    group-lock none
    pfs disable
    ipsec-udp disable
    ipsec-udp-port 10000
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list none
    default-domain none
    split-dns none
    intercept-dhcp 255.255.255.255 disable
    secure-unit-authentication disable
    user-authentication disable
    user-authentication-idle-timeout 30
    ip-phone-bypass disable
    leap-bypass disable
    nem disable
    backup-servers keep-client-config
    msie-proxy server none
    msie-proxy method no-modify
    msie-proxy except-list none
    msie-proxy local-bypass disable
    nac disable
    nac-sq-period 300
    nac-reval-period 36000
    nac-default-acl none
    address-pools none
    smartcard-removal-disconnect enable
    client-firewall none
    client-access-rule none
    webvpn
      functions url-entry
      html-content-filter none
      homepage none
      keep-alive-ignore 4
      http-comp gzip
      filter none
      url-list none
      customization value DfltCustomization
      port-forward none
      port-forward-name value Application Access
      sso-server none
      deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
      svc required
      svc keep-installer installed
      svc keepalive none
      svc rekey time none
      svc rekey method none
      svc dpd-interval client none
      svc dpd-interval gateway none
      svc compression deflate
    group-policy umeemp internal
    group-policy umeemp attributes
    dns-server value 172.20.40.245
    vpn-filter none
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value KappaVPN_splitTunnelAcl
    default-domain value umapinc.com
    group-policy KappaVPN internal
    group-policy KappaVPN attributes
    wins-server value 10.0.0.15
    dns-server value 10.0.0.15
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value umeemp_splitTunnelAcl
    default-domain value kappa.loc
    username gwadmin password AVjtEPq7nvtiAAk0 encrypted
    tunnel-group DefaultWEBVPNGroup general-attributes
    address-pool vpn-pool
    authentication-server-group BBPA-SRV-DC01
    authorization-required
    tunnel-group KappaVPN type ipsec-ra
    tunnel-group KappaVPN general-attributes
    address-pool vpn-pool
    authentication-server-group BBPA-SRV-DC01
    default-group-policy KappaVPN
    tunnel-group KappaVPN ipsec-attributes
    pre-shared-key *
    tunnel-group x.x.131.62 type ipsec-l2l
    tunnel-group x.x.131.62 ipsec-attributes
    pre-shared-key *
    tunnel-group x.x.232.2 type ipsec-l2l
    tunnel-group x.x.232.2 ipsec-attributes
    pre-shared-key *
    tunnel-group x.x.49.114 type ipsec-l2l
    tunnel-group x.x.49.114 ipsec-attributes
    pre-shared-key *
    tunnel-group x.x.226.218 type ipsec-l2l
    tunnel-group x.x.226.218 ipsec-attributes
    pre-shared-key *
    tunnel-group x.x.116.133 type ipsec-l2l
    tunnel-group x.x.116.133 ipsec-attributes
    pre-shared-key *
    tunnel-group x.x.21.36 type ipsec-l2l
    tunnel-group x.x.21.36 ipsec-attributes
    pre-shared-key *
    tunnel-group umeemp type ipsec-ra
    tunnel-group umeemp general-attributes
    address-pool vpn-pool
    authentication-server-group UMAP
    default-group-policy umeemp
    tunnel-group umeemp ipsec-attributes
    pre-shared-key *
    tunnel-group x.x.81.81 type ipsec-l2l
    tunnel-group x.x.81.81 ipsec-attributes
    pre-shared-key *
    tunnel-group x.x.84.41 type ipsec-l2l
    tunnel-group x.x.84.41 ipsec-attributes
    pre-shared-key *
    prompt hostname context
    Cryptochecksum:xxxxxxxxxxxxxxxxxxxxx
    : end
    asdm image disk0:/asdm-523.bin
    no asdm history enable

    I'm sorry, I misunderstood what you were asking. Yes, those three networks are on the inside of our ASA. We have 2 outside of the ASA (10.0.2.x, 10.0.10.x). When our clients VPN, they connect to the x.x.205.210 IP address, which maps them, depending on the preshared key, onto either the kappaVPN or the umeempVPN. (I am kind of new to configuring the ASA.) When the Cisco VPN client connects to the network, I checked the statistics and it lists all of our LAN networks under secure routes. I cannot ping anything inside the LAN, nor can I connect via RDP, telnet or anything.
    Hope this answers your questions, just let me know if you need any more information.
    -Rudy

  • Unable to ping device behind Cisco 3750 on the same inside VLAN via Cisco ASA 5505 Anyconnect VPN

    Hi Guys,
    I've been stuck with this for the last 2 days, so I thought I'd try Cisco's forum. I set up my home DC and started having problems once I moved a Cisco 5505 behind a Cisco 1841 router (I wanted to eventually test DMVPN live on the internet). I was no longer able to ping some devices; then, as soon as I introduced a collapsed core/distribution switch, I was also no longer able to ping the devices behind the Cisco 3750. I've attached a network diagram and the ASA running-config.
    Everything seems fine internally, with the exception of intermittent network connectivity with a Citrix NetScaler VPX running on VMware ESXi.
    For some odd reason, I am able to ping the following, with no issues.
    Cisco 3750 SVI (192.168.1.3)
    CentOS web server (connected directly to the Cisco ASA 5505)
    I have checked and enabled the following:
    Nat Exemption
    Sysopt connection permit-vpn
    ACL's
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    Added ICMP in the inspection policy
    Packet-capture - Only getting echo requests.
    Thanks in advance!

    Hi,
    I believe you have a problem with your no-NAT configuration. You need to exempt NAT for the traffic from 172.16.10.0 (AnyConnect VPN pool) to 192.168.1.0/24 (inside LAN) to make this work:
    object network acvpnpool
    subnet <anyconnect VPN Subnet>
    object network insidelan
    subnet <inside lan subnet>
    nat (inside,outside) source static insidelan insidelan destination static acvpnpool acvpnpool
    Make sure that you are able to reach the GW/inside IP address of the firewall from a LAN machine, and that all routing is in place properly. Thanks!
    Regards
    Karthik
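
    One way to check a saved running-config for the identity (exempt) twice-NAT rule between the inside LAN and the AnyConnect pool, including whether the objects are on the correct side of the interface pair. This is an added example, not code from the thread: the function names are hypothetical, and the sample config is constructed from the object names and subnets mentioned in the reply above.

```python
import ipaddress
import re

# Constructed sample: object definitions using the subnets named in the reply.
OBJECTS = """\
object network acvpnpool
 subnet 172.16.10.0 255.255.255.0
object network insidelan
 subnet 192.168.1.0 255.255.255.0
"""
# Two constructed rules: LAN as source on (inside,outside), and the objects swapped.
RULE_LAN_SOURCE = ("nat (inside,outside) source static insidelan insidelan "
                   "destination static acvpnpool acvpnpool\n")
RULE_SWAPPED = ("nat (inside,outside) source static acvpnpool acvpnpool "
                "destination static insidelan insidelan\n")

OBJ_RE = re.compile(r"^object network (\S+)\s+subnet (\S+) (\S+)", re.M)
NAT_RE = re.compile(r"^nat \((\S+?),(\S+?)\) source static (\S+) (\S+) "
                    r"destination static (\S+) (\S+)", re.M)


def parse_objects(config):
    """Map each 'object network' name to the subnet defined under it."""
    return {name: ipaddress.ip_network(f"{addr}/{mask}")
            for name, addr, mask in OBJ_RE.findall(config)}


def check_exemption(config, lan_if, lan, pool):
    """Return 'ok', 'reversed' or 'missing' for the LAN <-> pool identity NAT.

    lan_if is the nameif the LAN sits behind. A twice-NAT rule written as
    nat (A,B) matches its source objects on interface A, so the LAN must be
    the source when A is lan_if, or the destination when B is lan_if.
    """
    objs = parse_objects(config)
    lan_net, pool_net = ipaddress.ip_network(lan), ipaddress.ip_network(pool)
    verdict = "missing"
    for real_if, mapped_if, src, msrc, dst, mdst in NAT_RE.findall(config):
        if src != msrc or dst != mdst or src not in objs or dst not in objs:
            continue  # not an identity rule, or objects defined elsewhere
        lan_src = lan_net.subnet_of(objs[src]) and pool_net.subnet_of(objs[dst])
        lan_dst = lan_net.subnet_of(objs[dst]) and pool_net.subnet_of(objs[src])
        if (lan_src and real_if == lan_if) or (lan_dst and mapped_if == lan_if):
            return "ok"
        if lan_src or lan_dst:
            verdict = "reversed"
    return verdict


if __name__ == "__main__":
    for rule in (RULE_LAN_SOURCE, RULE_SWAPPED, ""):
        print(check_exemption(OBJECTS + rule, "inside",
                              "192.168.1.0/24", "172.16.10.0/24"))
```

    A "reversed" verdict means an identity rule exists for the two subnets but will never match traffic, which shows up as the VPN pool being translated to the outside address in the logs.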

  • Printing issues to local network when AnyConnect VPN in use

    I have a situation where I have a user connecting to the corporate office from her home network using a Win7 laptop and AnyConnect VPN 3.1.01065. She has an IP HP printer on her local network. When she is connected via VPN, she cannot print to her printer, with Windows saying the printer is off-line. That said, we are allowing access to the remote local network with a "split-exclude" configuration on the ASA:
    access-list LocalLANAccess standard permit host 0.0.0.0
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol ssl-client
    split-tunnel-policy excludespecified
    split-tunnel-network-list value LocalLANAccess
    "Allow local (LAN) access when using VPN" in the AC preference tab is checked. Also, she can ping the local printer when connected via VPN. However, the printer appears off-line, from the laptop's perspective, when the VPN is on, and will go back "on-line" when the VPN is disconnected.
    Anyone have any thoughts on how to correct this?

    Well, if you want a workaround that applies to all VPN clients, then you need to go for split-tunnel-policy tunnelspecified instead of split-tunnel-policy excludespecified. Suppose your corporate network is 10.0.1.0/24 and you want to give VPN users access to this subnet; then the configuration will be as follows.
    access-list CorporateLAN standard permit 10.0.1.0 255.255.255.0
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol ssl-client
    no split-tunnel-policy excludespecified
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value CorporateLAN
    This will solve the problem globally.
    With Regards,
    Safwan

  • AnyConnect VPN and HP Office Jet Pro 8500 A910

    I can print from my IBM T400 laptop running Windows 7 64-bit. However, when I log into work AnyConnect VPN, I cannot print. It says the printer is disconnected from the network even though it is connected. IT support at work says it cannot change or adjust any VPN settings. The only way I can print is to disconnect from VPN. Is there anything I can adjust on the printer software or printer itself?
    This question was solved.

    Hi,
    Printing over the local network while connected to a remote VPN network might be possible by modifying the VPN split tunneling configuration.
    However, it depends on the VPN capabilities and might not be allowed due to the security requirements of your IT department.
    Anyway, there is no way to configure such a thing through the printer or the printer software. It is directly affected by the network configuration, and therefore requires changing the VPN settings.
    Regards,
    Shlomi

  • Windows Server 2012 The licensing mode for the Remote Desktop Session Host server is not configured

    Hi
    I have a standard Windows Server 2012 that is hosted in the cloud by a hosting provider.
    This server has been up and running for 6 months. Recently we have been getting a warning:
    "The licensing mode for the Remote Desktop Session Host server is not configured" - The Remote Desktop Session Host server is within its grace period, but the RD Session Host server has not been configured with any license server.
    Yet we only use this with 2 connections as part of the standard licence agreement, and this server is not used as a user's desktop, only as an FTP and web server, so therefore we do not need to purchase any CAL licences (we have another server with the same hosting company that does not have this issue and has been up for 18 months).
    Please can someone advise how I resolve this issue? The hosting company states that I must resolve it, as they only host and resell the server licence.
    Thank-you
    Richard Steele

    Hi Richard,
    You need to uninstall the Remote Desktop Session Host feature. After removing it, you will have the default two connections, which do not require purchasing RD CALs.
    Thanks,
    Umesh.S.K

  • The Remote Desktop Session Host server is within its grace period Question

    On my Windows 2012 Server, when I open the RD Licensing Diagnoser, I see this:
    The Remote Desktop Session Host server is within its grace period, but the RD Session Host server has not been configured with any license server.
    Configure a license server for the Remote Desktop Session Host server. If you have an existing license server, specify that license server for the RD Session Host server. Otherwise, install RD Licensing on a computer on your network and configure the RD Session Host server to use it.
    I have a few questions. First, I have 10 virtual machines set up (all Windows 7 Enterprise). I have my 10 VDI licenses for those machines. Do I need another license for my Remote Desktop Session Host? If not, how do I license my RD Session Host server? If so, does anyone know how much they cost? I have no licensing server. I just have my Windows 2008 server that is my AD and DNS server (where my GPOs sit too) and my Windows 2012 server that is dedicated to only running VMs for the remote users.

    You should probably speak to a licensing expert, as it can start getting fairly complicated and we wouldn't want to advise you incorrectly. Generally, if you speak to a LAR (Large Account Reseller), they should be able to provide the guidance you need.
    You can find more information on licensing virtual desktops in this white paper: Licensing Microsoft's Virtual Desktop Infrastructure Technology
    Regards,
    Denis Cooper
    MCITP EA - MCT
