Panic when connecting to VPN

Similar Messages

• OS X Lion gets kernel panic when connecting via CIFS

  A customer of ours has problems with OS X Lion clients that get kernel panic when connecting via CIFS (Novell OES server).
  Any new on this issue?
  Tycho Sjgren
  Apoio AB

  Originally Posted by tychosjogren
  Sorry for the late response - had to check a few things with the customer.
  They use the latest OES version with all the latest sp and patches applied. They have even tested with the an OES 11 beta with the same result. The OS run as a VM on VMware in 64 bit mode attached to a SAN. Has also been tested as a plain install without VMware. The Lion version is 10.7.2.
  This is how the problem occurs:
  1. Mount the CIFS share - no problems
  2. Use the share - no problems
  3. If the network connection drops you get a message that the CIFS volume has disappeared and you are asked to unmount it. When you do that you get a kernel panic. You can force the problem to happen by turning of WiFi.
  So it is OES2 but which version (SP1, SP2, or SP3)? Interesting as I'd only heard of this with NetWare 6.5.
  Do you (and anyone else experiencing this issue in this thread) know if this has recently started happening, perhaps after the latest November 2011 Scheduled Maintenance patches were installed?
  I'll hopefully be able to do some testing tomorrow but in the meantime I've asked Novell ...
  HTH.

• Can't Browse Web when connected to VPN

  Hi, 
  I got interested in networks about a year ago.  We had some spare networking kit lying around in our office and I decided to set up a lab.
  I've been able to configure NAT w/ PAT  on a cisco 3825.
  I've got 1 access list, "Overloading" my OUTSIDE int, and a few "ip nat inside source static..." entries to handle my port forwards.
  It's a very basic setup.
  The router died recently, so I got a cheap replacement form ebay.  Setting it all up was WAY easier than last time, so I decided to try something new.... VPN.
  I'd previously had a port forward to a computer that was a VPN server, but I was able to use Cisco CCP to help me configure VPN.  Yes, technically cheating for all you CLI-heads out there, so sorry-- to make you happy, I did thoroughly inspect and spent extra time appreciating the code it wanted to inject to my router.  
  Now, I've got VPN working, and I can access all the PC's on the LAN I'm VPN'ing to, but -- I can't access the web when connected to VPN.
  I've fiddled with the access list, trying to make it ANY/ANY.
  I'm not really sure what to do.
  I looked around and most of the stuff out there is for a site-to-site, or PAT running on a tunnel... 
  My issue is pretty basic, probably.  I just cant access outside when on VPN.
  I'm more than willing to have another translation method.
  I've attached my router config.
  Can you have a look and let me know what would need changing...
  Really appreciate any insight.
  Thanks,
  Brian

  Hello Brian,
  Basically this is the VPN group:
  crypto isakmp client configuration group open
   key (something)
   dns 192.168.1.1 8.8.8.8
   domain something.com
   pool SDM_POOL_1
   save-password
   backup-gateway 192.168.1.1
   max-users 5
   netmask 255.255.255.0
   banner ^Cyou have connected to the vpn-ings!.  well done!    ^
  I see that you are doing tunnel all, and you are not split tunneling on this configuration, what you can do is to use split tunnel, under this configuration as follow:
  ip access-list extended SPLIT_TUNNEL
  permit ip XXXXX XXXXX 192.168.1.0 0.0.0.255
  XXXXX --> are the inside subnets
  Then under this:
  crypto isakmp client configuration group open
  acl SPLIT_TUNNEL
  This will allow you to have access to the internal subnets through the tunnel and have access to internet through the internet connection on your computer.
  For further details take a look to this document:
  - http://www.cisco.com/c/en/us/support/docs/routers/3600-series-multiservice-platforms/91193-rtr-ipsec-internet-connect.html
  Don't use Any on your ACL statements for split tunneling purposes.
  Let me know how it works out!
  Please don't forget to rate and mark as correct the helpful Post!
  David Castro,
  Regards,

• Can't access non-VPN resources when connected to VPN

  I need to access web based resources over a VPN for work. My admin gave me the connection parameters, and I can connect to the VPN and access what I need, no problem. But when connected to VPN, I can't access websites, Subversion repositories, Skype, etc. that are not on the VPN.
  On Windows, there's a connection property on VPN connections called "Use default gateway". With that option cleared on my Windows machine, I can access both VPN and non-VPN resources simultaneously. I can't spot anything equivalent in the VPN connection in Network Preferences.
  So I guess the question is: what network settings on Mac (Snow Leopard) will enable me to access both VPN and normal resources simultaneously?

  I have found a workaround. It isn't optimal, and it's disappointing that VPN is so poorly supported on Mac. Though the specific IPs are probably applicable only to the particular VPN I connect to, maybe the general idea can be of help to others and your network admins can supply the particular IPs you need.
  1. My Admin had me open Network Preferences, select the VPN connection, click the Tools icon at the bottom, and select Set Service Order. In that dialog, move the VPN connection to the bottom of the list (my EVDO modem that gets me my internet connection is fist in the list). Apply this change.
  2. Next, my admin asked me to run the following in Terminal, once when VPN was not connected (but internet was connected), and again with VPN connected, and send him the output:
  *netstat -nr*
  3. After looking at the terminal output, admin told me to run the following in Terminal with the VPN connected:
  *sudo route add -net 10.123 -netmask 255.255.0.0 10.123.50.1*
  After disconnecting both VPN and Internet connection and reactivating each in turn (internet, then VPN), I was able to access both VPN and non-VPN resources simultaneously.
  The bad news is that every time I need to connect I have to run route add in Terminal and enter my password. I will probably make a shell script to at least run the command so I don't have to remember it.
  Here's hoping this helps if others bump into this pernicious little problem.

• Kerberos issue when connecting via VPN

  Hi,
  I am have some issues when connecting via VPN.
  The following kdc log is issued when I log via VPN
  May 02 12:12:21 ATHENA.MYDOMAIN.LAN krb5kdc[163](info): DISPATCH: repeated (retransmitted?) request from 192.168.2.5, resending previous response
  May 02 12:12:21 ATHENA.MYDOMAIN.LAN krb5kdc[163](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.2.5: UNKNOWN_SERVER: authtime 1146535939, [email protected] for ldap/[email protected], Server not found in Kerberos database
  I also have a system log May 2 12:12:21 ATHENA DirectoryService[41]: GSSAPI Error: Miscellaneous failure (Server not found in Kerberos database)
  This logs only happen while logging through VPN.
  Any idea?
  Cheers
  Ben

  Hi,
  When using your VPN are yo using Terminal LIcense or Remote Desktop Connection?
  Please do the following to save form settings:
  1. Only 1 module should be open when using form settings.
      Close other modules that doesn't need.
  2. Close the module after changed. To make sure the settings are saved.
  3. Always close all the module before exiting SBO program, use the click FIle and Exit habit.
  4. Terminal Licensing should be use when connecting remotely.
  Thanks.
  Clint

• Users can only connect to RD farm website and cannot remote into terminal server , when connected via VPN

  Hello,
  I have a RD farm using 3 Win 2012 servers (1 broker and 2 session host), for internal use only, have not
  configured gateway for internet access.
  Users are able to connect to RD farm website and remote into terminal server, within office
  but can only connect to RD farm website and cannot remote into terminal server , when connected via VPN
  Its takes long time at securing connection and fails.
  Thanks

  Hi,
  Thank you for your posting in Windows Server Forum.
  First of all I would suggest you to configure RD gateway role on your server and pass all the connection through it because it’s a best practice to use RD Gateway in RDS Farm. 
  Apart from this, if you are not using RD Gateway then you must check that you have successfully forwarded port 3389 for RDS to access via VPN. Also check that you have made configuration under IIS Manager to enable Forms Authentication. Please check
  this link.
  In addition, please refer beneath article for additional details.
  1. How to Access Windows Remote Desktop Over the Internet
  2. Remote Desktop Services in Windows 2008 R2 – Part 3 – RD Web Access & RemoteApp
  (For reference)
  Hope it helps! 
  Thanks,
  Dharmesh

• Possible to select self-signed certificate for client validation when connecting to VPN with EAP-TLS

  In windows 8.2, I have a VPN connection configured with PPTP as the outer protocol and EAP : "Smart card or other certificate ..." as the inner protocol. Under properties, in the "When connecting" section I've selected "Use a certificate
  on this computer" and un-checked "Use simple certificate selection".
  My preference would be to use separate self-signed certificates for all clients rather than having a common root certificate that signed all of the individual client certificates. I've tried creating the self-signed certificate both with and without the
  client authentication EKU specified, and I've added the certificate to the trusted root certificate authority store on the client. But when I attempt to connect to the VPN I can not get the self signed certificate to appear on the "Choose a certificate"
  drop down.
  Are self signed certificates supported for this use in EAP-TLS? If it makes a difference, I'm working with makecert (not working with a certificate server).
  TIA,
  -Rick

  Hi Rick,
  Thank you for your patience.
  According to your description, would you please let me know what command you were using to make a self-signed certificate by tool makecert? I would like to try to reproduce this issue. Also based on my experience, please let me
  know if the certificate has private key associated and be present in the local machine store. Hence, please move the certificate from the trusted root certificate authority store to personal store.
  Best regards,
  Steven Song
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

• MBP Kernel Panic when connecting to HDTV (DVI)

  I have a 15" MacBook Pro that has been working perfectly since I got it. I tried today to connect it to my Hitachi 51" HDTV (via DVI) and got an instant Kernel Panic. I used my 15" Powerbook with this HDTV without any issues.
  I've searched and found folks with kernel panics when waking their MBP if the RAM is faulty, but nothing at all about issues when connecting an external display. I am running with all the latest updates, firmware update, etc.
  I don't have any problems connecting to a 23" Cinema display or to a 19" Samsung LCD, but I tried several times to connect to the HDTV and got a kernel panic each time. I changed resolutions on one try and still got the same issue (720x480 so the TV would see it as 480p). I even tried booting up with the display already connected and it kernel panic'd when it tried to switch into the full OS X GUI.
  The specific error is in the panic.log is:
  Sat Jun 10 16:23:48 2006
  panic(cpu 0 caller 0x0019CAEF): Unresolved kernel trap (CPU 0, Type 0=divide error), registers:
  CR0: 0x80010033, CR2: 0x35863000, CR3: 0x00d6e000, CR4: 0x000006e0
  EAX: 0x00000001, EBX: 0x00000000, ECX: 0x251a36fc, EDX: 0x00000000
  ESP: 0x251a360c, EBP: 0x251a36d8, ESI: 0x00000000, EDI: 0x00000000
  EFL: 0x00010247, EIP: 0x0078ca44, CS: 0x00000008, DS: 0x0a8c0010
  Backtrace continues...
  Kernel loadable modules in backtrace (with dependencies):
  com.apple.kext.ATINDRV(4.2.6)@0x771000
  dependency: com.apple.iokit.IOGraphicsFamily(1.4.3)@0x574000
  dependency: com.apple.iokit.IONDRVSupport(1.4.3)@0x58f000
  com.apple.iokit.IONDRVSupport(1.4.3)@0x58f000
  dependency: com.apple.iokit.IOPCIFamily(2.0)@0x565000
  dependency: com.apple.iokit.IOGraphicsFamily(1.4.3)@0x574000
  So definitely something with the graphics subsystem. Anyone have any hints?
  MacBook Pro 2GHz 2GB RAM ATI x1600 256MB Mac OS X (10.4.6)

  What happens if you boot from the DVD that came with the MBP instead of booting from your hard drive? It could have something to do with your configuration.

• Default Gateway when connected to VPN

  Thanks for reading!
  This is probably a dump question so bear with me...
  I have set up a VPN connection with a Cisco ASA 5505 fronting internet, with the customers environment behind it (on the same subnet), When connected ot the VPN I can reach the inside Router fronting me and one switch behind the Router (every switch is connected to the router), but nothing else.
  My beet is that the Router is messing with my connection, but,, nevermind that!, the setup ain't complete anyway... my question is more related to the Gateway I'm missing when I'm, from the outside, is connected to the VPN on the ASA, could this mess it up? Shouldn't I have a Standard-Gateway in the ipconfig settings in windows?
  This is who it looks like now:
          Anslutningsspecifika DNS-suffix . : VPNOFFICE
          IP-adress . . . . . . . . . . . . : 10.10.10.1
          Nätmask . . . . . . . . . . . . . : 255.255.255.0
          Standard-gateway  . . . . . . . . :
  The internal network is :
  172.16.12.0 255.255.255.0
  Below is my config for the ASA, thanks a lot!!!!!!!
  !FlASH PÅ ROUTERN FRÅN BÖRJAN
  !asa841-k8.bin
  hostname DRAKENSBERG
  domain-name default.domain.invalid
  enable password XXXXXXX
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 172.16.12.4 255.255.255.0
  interface Vlan10
  nameif outside
  security-level 0
  ip address 97.XX.XX.20 255.255.255.248
  interface Ethernet0/0
  switchport access vlan 10
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  clock timezone CEST 1
  clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  object-group protocol TCPUDP
  protocol-object udp
  protocol-object tcp
  access-list nonat extended permit ip 172.16.12.0 255.255.255.0 10.10.10.0 255.255.255.0
  access-list MSS_EXCEEDED_ACL extended permit tcp any any
  access-list VPN-SPLIT-TUNNEL remark VPN SPLIT TUNNEL
  access-list VPN-SPLIT-TUNNEL standard permit 172.16.12.0 255.255.255.0
  tcp-map MSS-MAP
    exceed-mss allow
  pager lines 24
  logging enable
  logging timestamp
  logging buffer-size 8192
  logging console notifications
  logging buffered notifications
  logging asdm notifications
  mtu inside 1500
  mtu outside 1500
  ip local pool VPN 10.10.10.1-10.10.10.40 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any inside
  icmp permit any outside
  asdm image disk0:/asdm-625-53.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list nonat
  nat (inside) 1 172.16.12.0 255.255.255.0
  route outside 0.0.0.0 0.0.0.0 97.XX.XX.17 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout uauth 0:05:00 absolute
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  http server enable
  http 172.16.12.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 65535
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 172.16.12.0 255.255.255.0 inside
  ssh timeout 5
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  group-policy VPNOFFICE internal
  group-policy VPNOFFICE attributes
  dns-server value 215.122.145.18
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value VPN-SPLIT-TUNNEL
  default-domain value VPNOFFICE
  split-dns value 215.122.145.18
  msie-proxy method no-proxy
  username admin password XXXXXX privilege 15
  username Daniel password XXXXX privilege 0
  username Daniel attributes
  vpn-group-policy VPNOFFICE
  tunnel-group VPNOFFICE type remote-access
  tunnel-group VPNOFFICE general-attributes
  address-pool VPN
  default-group-policy VPNOFFICE
  tunnel-group VPNOFFICE ipsec-attributes
  pre-shared-key XXXXXXXXXX
  class-map MSS_EXCEEDED_MAP
  match access-list MSS_EXCEEDED_ACL
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny 
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip 
    inspect xdmcp
    inspect icmp error
    inspect pptp
    inspect ipsec-pass-thru
    inspect icmp
  class MSS_EXCEEDED_MAP
    set connection advanced-options MSS-MAP
  service-policy global_policy global
  privilege cmd level 3 mode exec command perfmon
  privilege cmd level 3 mode exec command ping
  privilege cmd level 3 mode exec command who
  privilege cmd level 3 mode exec command logging
  privilege cmd level 3 mode exec command failover
  privilege cmd level 3 mode exec command packet-tracer
  privilege show level 5 mode exec command import
  privilege show level 5 mode exec command running-config
  privilege show level 3 mode exec command reload
  privilege show level 3 mode exec command mode
  privilege show level 3 mode exec command firewall
  privilege show level 3 mode exec command asp
  privilege show level 3 mode exec command cpu
  privilege show level 3 mode exec command interface
  privilege show level 3 mode exec command clock
  privilege show level 3 mode exec command dns-hosts
  privilege show level 3 mode exec command access-list
  privilege show level 3 mode exec command logging
  privilege show level 3 mode exec command vlan
  privilege show level 3 mode exec command ip
  privilege show level 3 mode exec command ipv6
  privilege show level 3 mode exec command failover
  privilege show level 3 mode exec command asdm
  privilege show level 3 mode exec command arp
  privilege show level 3 mode exec command route
  privilege show level 3 mode exec command ospf
  privilege show level 3 mode exec command aaa-server
  privilege show level 3 mode exec command aaa
  privilege show level 3 mode exec command eigrp
  privilege show level 3 mode exec command crypto
  privilege show level 3 mode exec command vpn-sessiondb
  privilege show level 3 mode exec command ssh
  privilege show level 3 mode exec command dhcpd
  privilege show level 3 mode exec command vpnclient
  privilege show level 3 mode exec command vpn
  privilege show level 3 mode exec command blocks
  privilege show level 3 mode exec command wccp
  privilege show level 3 mode exec command webvpn
  privilege show level 3 mode exec command module
  privilege show level 3 mode exec command uauth
  privilege show level 3 mode exec command compression
  privilege show level 3 mode configure command interface
  privilege show level 3 mode configure command clock
  privilege show level 3 mode configure command access-list
  privilege show level 3 mode configure command logging
  privilege show level 3 mode configure command ip
  privilege show level 3 mode configure command failover
  privilege show level 5 mode configure command asdm
  privilege show level 3 mode configure command arp
  privilege show level 3 mode configure command route
  privilege show level 3 mode configure command aaa-server
  privilege show level 3 mode configure command aaa
  privilege show level 3 mode configure command crypto
  privilege show level 3 mode configure command ssh
  privilege show level 3 mode configure command dhcpd
  privilege show level 5 mode configure command privilege
  privilege clear level 3 mode exec command dns-hosts
  privilege clear level 3 mode exec command logging
  privilege clear level 3 mode exec command arp
  privilege clear level 3 mode exec command aaa-server
  privilege clear level 3 mode exec command crypto
  privilege cmd level 3 mode configure command failover
  privilege clear level 3 mode configure command logging
  privilege clear level 3 mode configure command arp
  privilege clear level 3 mode configure command crypto
  privilege clear level 3 mode configure command aaa-server
  prompt hostname context
  Cryptochecksum:aaa1f198bf3fbf223719e7920273dc2e
  : end

  I didn't realise I had that crypto settings on, thanks my bad!!!
  But... the 172.16.12.0 network is directly connected, the Router (that to be honest is a firewall) / switches is all on the same subnet (172.16.12.X/24), so sorry I didn't explain thoroughly, was more wondering about the GW and didn't want to overcomplicate things..
  The Firewall/Router dosen't do any routing, so it should work right (I you count out the firewalling in the firewall and so forth, there shouldn't be any problems accomplishing this with the ASA)? The Firewall is more a DHCP for the clients/Firwall for the clients.. this will change in the future.. it will be removed,
  the vpn network is staticly routed back to my ASA in that firewall...
  I don't like this solution.. but this is who it looks.. for now..
  (VPN network is 10.10.10.X/24)
  But... shouldn't I see a default gateway under ipconfig when I'm connected to the VPN from internet, on the vpn client that's vpned in, is this correct?
  THANKS for all the help!

• Problems accessing 1 remote desktop when connected with VPN

  Hi everyone,
  I have an ASA 5505 and have a problem where when I connect through VPN I can RDP into a server using its internal address but I cannot RDP to another server using its internal address.
  The one I can connect to has an IP of 192.168.2.10 and the one I cannot connect to has an IP of 192.168.2.11 on port 3390.
  Both rules are configured exactly the same except for the IP addresses and I cannot see why I cannot connect to this one server.
  I am also able to connect to my camera system with an IP 192.168.2.25 on port 37777 and able to ping any other device on the internal network.
  I've also tried pinging it and telneting to port 3390 with no success.
  Here is the config.
  ASA Version 8.4(4)1
  interface Ethernet0/0
  switchport access vlan 3
  interface Ethernet0/1
  interface Ethernet0/2
  switchport access vlan 2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan2
  nameif inside
  security-level 100
  ip address 192.168.2.2 255.255.255.0
  interface Vlan3
  nameif outside
  security-level 0
  ip address 10.1.1.1 255.255.255.0
  ftp mode passive
  clock timezone EST -5
  clock summer-time EDT recurring
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network CTSG-LAN-OUT
  range 10.1.1.10 10.1.1.49
  object network CTSG-LAN-IN
  subnet 192.168.2.0 255.255.255.0
  object service RDP3389
  service tcp destination eq 3389
  description To DC
  object network SERVER-IN
  host 192.168.2.10
  object network SERVER-OUT
  host 10.1.1.50
  object network CAMERA-IN-TCP
  host 192.168.2.25
  object network CAMERA-OUT
  host 10.1.1.51
  object service CAMERA-TCP
  service tcp destination eq 37777
  object network SERVER-Virt-IN
  host 192.168.2.11
  object network SERVER-Virt-OUT
  host 10.1.1.52
  object service RDP3390
  service tcp destination eq 3390
  description To VS for Master
  object network CAMERA-IN-UDP
  host 192.168.2.25
  object service CAMERA-UDP
  service udp destination eq 37778
  object network CTSG-LAN-OUT-VPN
  subnet 10.1.1.128 255.255.255.128
  object network SERVER-Virt-IN-VPN
  host 192.168.2.11
  object network SERVER-IN-VPN
  host 192.168.2.10
  object network CAMERA-IN-VPN
  host 192.168.2.25
  object-group protocol TCPUDP
  protocol-object udp
  protocol-object tcp
  access-list AnyConnect_Client_Local_Print extended deny ip any any
  access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
  access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
  access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
  access-list AnyConnect_Client_Local_Print remark Windows' printing port
  access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
  access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
  access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
  access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
  access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
  access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
  access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
  access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
  access-list inside1_access_in remark Implicit rule: Permit all traffic to less secure networks
  access-list inside1_access_in extended permit ip any any
  access-list outside_access_in extended permit object RDP3389 any host 192.168.2.10
  access-list outside_access_in extended permit object RDP3390 any host 192.168.2.11
  access-list outside_access_in extended permit object CAMERA-TCP any host 192.168.2.25
  access-list outside_access_in extended permit object CAMERA-UDP any host 192.168.2.25
  pager lines 24
  logging enable
  logging buffer-size 10240
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool RAVPN 10.1.1.129-10.1.1.254 mask 255.255.255.128
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source static SERVER-IN-VPN SERVER-IN-VPN destination static CTSG-LAN-OUT-VPN CTSG-LAN-OUT-VPN
  nat (inside,outside) source static CAMERA-IN-VPN CAMERA-IN-VPN destination static CTSG-LAN-OUT-VPN CTSG-LAN-OUT-VPN
  nat (inside,outside) source static SERVER-Virt-IN-VPN SERVER-Virt-IN-VPN destination static CTSG-LAN-OUT-VPN CTSG-LAN-OUT-VPN
  object network CTSG-LAN-IN
  nat (inside,outside) dynamic interface
  object network SERVER-IN
  nat (inside,outside) static SERVER-OUT service tcp 3389 3389
  object network CAMERA-IN-TCP
  nat (inside,outside) static CAMERA-OUT service tcp 37777 37777
  object network SERVER-Virt-IN
  nat (inside,outside) static SERVER-Virt-OUT service tcp 3390 3390
  access-group inside1_access_in in interface inside
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 10.1.1.2 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable
  http 192.168.2.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP
  -DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto ca trustpoint ASDM_TrustPoint0
  enrollment terminal
  subject-name CN=SACTSGRO
  crl configure
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication crack
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 20
  authentication rsa-sig
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 30
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 40
  authentication crack
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 50
  authentication rsa-sig
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 60
  authentication pre-share
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 70
  authentication crack
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 80
  authentication rsa-sig
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 90
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 100
  authentication crack
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 110
  authentication rsa-sig
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 120
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 130
  authentication crack
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 150
  authentication pre-share
  encryption des
  hash sha
  group 2
  lifetime 86400
  telnet 192.168.2.0 255.255.255.0 inside
  telnet timeout 15
  ssh 192.168.2.0 255.255.255.0 inside
  ssh timeout 5
  ssh version 2
  ssh key-exchange group dh-group1-sha1
  console timeout 15
  dhcpd auto_config inside
  threat-detection basic-threat
  threat-detection statistics port
  threat-detection statistics protocol
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  username admin password xxxxx encrypted privilege 15
  username admin attributes
  vpn-group-policy DfltGrpPolicy
  tunnel-group CTSGRA type remote-access
  tunnel-group CTSGRA general-attributes
  address-pool RAVPN
  tunnel-group CTSGRA ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map global_policy
  class inspection_default
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:0140431e7642742a856e91246356e6a2
  : end
  Thanks for your help

  Ok,
  So you basically have configured the router so that you can connect directly to the ASA using the Cisco VPN Client. And also the objective was to in the end only allow traffic to the LAN through the VPN Client connection ONLY.
  It would seem to me to achieve that, you would only need the following NAT configurations
  VPN Client NAT0 / NAT Exempt / Identity NAT
  object network LAN
  subnet 192.168.2.0 255.255.255.0
  object network VPN-POOL
  subnet 10.1.1.128 255.255.255.128
  nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
  The purpose of the above NAT configuration is simply to tell the ASA that dont do any kind of NAT when there is traffic between the LAN network of 192.168.2.0/24 and the VPN Pool of 10.1.1.128/25. This way if you have any additional hosts on the LAN that need to be connected to, you wont have to make any form of changes to the NAT configurations for the VPN client users. You just allow the connections in the ACL (explained later below)
  Default PAT
  object-group network DEFAULT-PAT-SOURCE
  network-object 192.168.2.0 255.255.255.0
  nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
  This configurations purpose is just to replace the earlier Dynamic PAT rule on the ASA. I guess your router will be doing the translation from the ASA "outside" interface IP address to the routers public IP address and this configuration should therefore allow normal Internet usage from the LAN.
  I would suggest removing all the other NAT configuration before adding these.
  Controlling VPN clients access to internal resources
  Also I assume that your current VPN client is configured as Full Tunnel. In other words it will tunnel all traffic to the the VPN connection while its active?
  To control the traffic coming from the VPN Client users I would suggest that you do the following
  Configure "no sysopt connection permit-vpn" This will change the ASA operation so that connections coming through a VPN connections ARE NOT allowed by default to bypass the "outside" interface ACL. Therefore after this change you can allow the connections you need in the "outside" interface ACL.
  Configure any rules you need regarding the VPN client connections to the "outside" interface ACL. Though I guess they already exist since you are connecting there without the VPN also
  I cant guarantee this with 100% certainty but it would seem to me that the above things should get you to the point where you can access the internal resources ONLY after when you have connected to the ASA through the VPN client connection. Naturally take precautions like configuration backups if you are going to do major configuration changes. Also if you are remotely managing the ASA then you also have the option to configure a timer on the ASA after which it will automatically reload. This could help in situations where a missconfiguration breaks you management connection and you have no other way to connect remotely. Then the ASA would simply reboot after the timer ran out and also reboot with the original configuration (provided you hadnt saved anything in between)
  Why are you using a different port for the other devices RDP connection? I can understand it if its used through the Internet but if the RDP connection would be used through the VPN Client only then I dont think there is no need to manipulate the default port of 3389 on the server or on the ASA.
  Also naturally if there is something on the actual server side preventing these connections then these configuration changes might not help at all.
  Let me know if I have understood something wrong
  - Jouni

• General Settings not retained when connecting via VPN

  Forum,
  We have a user who connects to SAP via a VPN connection. Since then they have found that any form settings/column amendments made are not being retained when next logging into SAP.
  When these changes were made direct in the office, they are retained.
  My question. Is there any differences in how the settings are retained within SAP when accessing via a VPN?
  Regards,
  Juan

  Hi,
  When using your VPN are yo using Terminal LIcense or Remote Desktop Connection?
  Please do the following to save form settings:
  1. Only 1 module should be open when using form settings.
      Close other modules that doesn't need.
  2. Close the module after changed. To make sure the settings are saved.
  3. Always close all the module before exiting SBO program, use the click FIle and Exit habit.
  4. Terminal Licensing should be use when connecting remotely.
  Thanks.
  Clint

• Cant send emails from gmail or yahoo when connected to vpn

  I use a vpn to mask my IP address. When I am connected through my VPN I cannot send emails from my gmail or yahoo accounts through thunderbird
  If i disconect vpn they go through fine

  Just a guess, but if you change the outgoing server name to an IP address such as 74.125.136.108 for Gmail, does it work?
  https://support.hidemyass.com/entries/24893686-SMTP-Sending-emails-while-connected-to-VPN#thunderbird

• ITunes won't play via Airport Express when connected to VPN

  Once connected to VPN iTunes just won't work but still plays on my computer. I believe it has something to do with the firewall but I do not know how to get around it. Can anyone help? I would love to listen to music via my stereo speakers while doing work...Thanks!

  Is this what you are looking for? http://docs.info.apple.com/article.html?artnum=93396
  or
  http://docs.info.apple.com/article.html?artnum=108071

• Can't send mail when connected to vpn

  I'm hooked up with a private vpn service using OpenVpn. Everything works beautifully -- except that I can't send mail (receiving is no problem) because the SMTP ports offered through Mail 4.5 (ports 25, 465, 587) are blocked by many VPN providers as an anti-spam measure. I can't use port 993 with SSL because I live in Monaco, which has one ISP -- and it does not provide or support secure email (which is one of the reasons I want the VPN).
  Is there another port I can select for SMTP, or some configuration tricks I'm missing? Thanks...:)

  Hello Brian,
  Basically this is the VPN group:
  crypto isakmp client configuration group open
   key (something)
   dns 192.168.1.1 8.8.8.8
   domain something.com
   pool SDM_POOL_1
   save-password
   backup-gateway 192.168.1.1
   max-users 5
   netmask 255.255.255.0
   banner ^Cyou have connected to the vpn-ings!.  well done!    ^
  I see that you are doing tunnel all, and you are not split tunneling on this configuration, what you can do is to use split tunnel, under this configuration as follow:
  ip access-list extended SPLIT_TUNNEL
  permit ip XXXXX XXXXX 192.168.1.0 0.0.0.255
  XXXXX --> are the inside subnets
  Then under this:
  crypto isakmp client configuration group open
  acl SPLIT_TUNNEL
  This will allow you to have access to the internal subnets through the tunnel and have access to internet through the internet connection on your computer.
  For further details take a look to this document:
  - http://www.cisco.com/c/en/us/support/docs/routers/3600-series-multiservice-platforms/91193-rtr-ipsec-internet-connect.html
  Don't use Any on your ACL statements for split tunneling purposes.
  Let me know how it works out!
  Please don't forget to rate and mark as correct the helpful Post!
  David Castro,
  Regards,

• IPod Restore failed, now Kernel Panic when connect to Mac

  My iPod is a little older and has had trouble updating though the iPod Updaters so in order to get the latest updater on my iPod I've had to just restor the iPod using that specific updater. iPod Updater froze during my last restore and now I have incomplete software on my iPod and connecting it to my Mac results in immediate kernel panic. How can I get my iPod back to a usable state?
  Thanks.

  Just got back from trying this idea and IT WORKS. For people that might have this problem, I booted from the CD/DVD and lauched Disk Utility and did a Repair Disk. I did it twice actually for good measure. Afterwards I booted back to the System Folder on the HD and I performed a restore of my iPod using the iPod Updater 2005-06-26.app updater. I've read that my whatever generation iPod works best with that one (I have the click wheel with the 4 buttons above it).
  Thanks for all your help.