Problem accessing an adjacent remote network over VPN (2 asa5505)

Hello all,
I have 2 ASA5505 (CORP and remote) connected via VPN. The remote site contains 2 subnets (192.168.1.0/24 and 192.168.0.0/24 (for remote VPN users)). The corp site has 192.168.2.0/24 directly connected to ASA5505 and an adjacent network connected via another device namely the 172.16.0.0/16 network.
I am able to ping site-to-site between 192.168.0 -> 192.168.2
and
192.168.1 -> 192.168.2
I am unable to ping from remote site to the 172.16 network however.
I added permit ACLs on both my NAT and CRYPTO ACLs, and when I am trying to ping the remote 172.16 network I get the following messages on my CORP ASA:
4 Aug 12 2007 02:59:52 400010 192.168.2.1 192.168.0.10 IDS:2000 ICMP echo reply from 192.168.2.1 to 192.168.0.10 on interface inside
reply is timing out though.
Any tips would be appreciated!
My ACLs:
REMOTE SITE:
#NONAT
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.1.0 255.255.255.0
#CRYPTO ACL
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
CORP SITE:
#CORP
access-list 200 extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 200 extended permit ip 172.16.0.0 255.255.0.0 192.168.3.0 255.255.255.0
access-list 200 extended permit ip 172.17.0.0 255.255.0.0 192.168.3.0 255.255.255.0
access-list 200 extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 200 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 200 extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list 200 extended permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 200
nat (inside) 1 0.0.0.0 0.0.0.0
#CRYPTO ACL
access-list 105 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 105 extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 105 extended permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 105 extended permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list 105 extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list 105 extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
Thanks in advance!

The config looks ok.
If you were trying to ping 172.16.x.x I don't see why the log would be what you displayed. Where are you pinging from, the remote site?
"4 Aug 12 2007 02:59:52 400010 192.168.2.1 192.168.0.10 IDS:2000 ICMP echo reply from 192.168.2.1 to 192.168.0.10 on interface inside"
Does the 172.16 network have a route to the 192.168.0.0 and 192.168.1.0 network?
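As an added check (not part of the thread), the script below parses the two crypto ACLs posted above, access-list 100 at the remote ASA and access-list 105 at corp, and lists every permit entry that the other peer does not list with source and destination swapped. The ACL text is copied from the post; the function names are the example's own.

```python
"""Mirror check for the two crypto ACLs posted in the thread.

An IPsec SA is negotiated only for a source/destination pair that the other
peer also lists, with source and destination swapped. This parses the
'permit ip' entries of both sides and lists every entry with no counterpart.
Added example: the ACL text is copied from the post, the code is not.
"""
import ipaddress
import re

# access-list 100 at the remote ASA (copied from the post)
REMOTE_CRYPTO_ACL = """
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
"""

# access-list 105 at the corp ASA (copied from the post)
CORP_CRYPTO_ACL = """
access-list 105 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 105 extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 105 extended permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 105 extended permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list 105 extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list 105 extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
"""

# Only the 'net mask net mask' form is used in the thread, so that is all we parse.
ACE_RE = re.compile(
    r"access-list\s+\S+\s+extended\s+permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)$"
)


def parse_aces(text):
    """Return the set of (src_net, dst_net) pairs from ASA 'permit ip' lines."""
    aces = set()
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            src = ipaddress.ip_network(f"{m['src']}/{m['smask']}")
            dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}")
            aces.add((src, dst))
    return aces


def unmirrored(mine, peer):
    """Entries of `mine` whose swapped (dst, src) form is absent from `peer`."""
    return sorted(f"{s} -> {d}" for s, d in mine if (d, s) not in peer)


def mirror_report(remote_text, corp_text):
    """Both directions of the mirror check, as sorted 'src -> dst' strings."""
    remote, corp = parse_aces(remote_text), parse_aces(corp_text)
    return {
        "remote_without_mirror_at_corp": unmirrored(remote, corp),
        "corp_without_mirror_at_remote": unmirrored(corp, remote),
    }


if __name__ == "__main__":
    for side, entries in mirror_report(REMOTE_CRYPTO_ACL, CORP_CRYPTO_ACL).items():
        print(side, entries or "none")
```

On the posted ACLs the only entries without a counterpart are the two remote-side lines between 192.168.1.0/24 and 192.168.0.0/24, which never need to cross the tunnel; every corp entry has a mirror.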

Similar Messages

  • Problem accessing company resources remotely using Cisco VPN Client

    I connect to my company's network remotely using Cisco VPN client both from a PC (v 4.0.1) and from a MacBook Pro (v 4.9.00) (same configs), and use Remote Desktop to connect to my work computer, and now I'm able to use Citrix to run applications on the company server.
    The problem occurs on the Mac when I'm connecting from a location that uses the same private domain IP as our company's private domain. Our company's private domain is 192.168.1.x, so when I'm using the Mac on a WiFi router that happens to be set to 192.168.1.1, the Mac can connect using VPN but the remote desktop cannot connect to my work computer. Presumably, the Mac doesn't "know" that I'm trying to go through the VPN for the connection and not connect to something locally.
    This problem seems to be unique to the Mac. Every Windows machine with the same client installed has no problems no matter what WiFi I've tried. The Mac works fine on any WiFi that is not 192.168.1.x.
    However, since 192.168.1.x is very common (hotels, airports, etc.), it's a major problem with the Mac.
    Suggestions are greatly appreciated!
    Also, now that we're moving to Citrix, our administrator has created a webpage on the intranet that we launch applications from, but the Mac cannot find that page when connected to VPN from 192.168.1.x. Same problem.
    Thanks in advance.

    Hi,
    I presume you have split-tunneling activated.
    1. Make sure the 192.168.1.x is on the protected networks and on the MacBook client, disable "Allow local LAN access"
    2. Create a separate group for the Mac users and assign them a different pool (192.168.100.x) and advertise it in your company to point to the VPN Concentrator.
    3. Use the NAT feature on your VPN concentrator.
    If this helped, please rate.
    Regards,
    Daniel

  • VPN connection issue - problem accessing individual computers on network

    Hello,
    So far I have set up my XServe for VPN access so I can log into my office mac network from my home mac using the L2TP protocol. The server sits behind a basic router, and the router forwards the following ports direct to the server's IP address (192.168.1.2): ports 500, 4500, 1701 and 548 (AFP).
    The office network uses 192.168.1.x IP range and each computer has a static DHCP map assigned, and each machine also has a unique DNS name to simplify access to them.
    My home mac uses 192.168.0.x range.
    The server has NAT turned off and also the firewall off for the moment, while I test everything.
    The VPN is set to provide the IP range 192.168.1.150 to 192.168.1.174 to remote clients, and in the Client Information settings pane it is set for: DNS servers = 192.168.1.2, network routing definitions = 192.168.1.0, netmask 255.255.255.0 (Private) and 0.0.0.0, netmask 0.0.0.0 (Public).
    I can connect fine over VPN from home using internet connect, I am assigned an IP address with the 192.168.1.150-174 range and can connect through the "Go" menu's "Connect to server..." directly to the server on 192.168.1.2. What I cannot do is use this method to connect to any other computer on the network (for example 192.168.1.5), nor can I use DNS names to reach them.
    In the internet connect app I set the DNS server as 192.168.1.2, is this correct? Also, do I need to open port 53 (DNS) on my router? Is there something else I have overlooked as this is all new to me.
    Thanks for your help.

    OK, sorry, my bad. The Macs did not have Personal File Sharing enabled; now they have, I can link via their individual IP addresses. Doh!
    But I still want to use DNS names, can anyone shed any light on that?

  • Using the personal hotspot feature on the iPhone 5, I am able to connect to the internet.  We also use Juniper NCP client to access our system remote.  A VPN connection is created, but I am unable to access servers on our network.  This works on iPhone 4.

    Using the personal hotspot feature on the iPhone 5, I am able to connect to the internet.  We also use Juniper NCP client to access our local system from a remote location.  A VPN connection is created, but I am unable to access servers in our network.  This same functionality works using my colleague's iPhone 4.
    Both phones are running iOS 6.1.3.  I tried to reset network settings, but still unable to ping servers in our network.  This is a feature that our sales team relies heavily on when out of the office.  Hoping someone has some suggestions on what is different between the 2 phones.

    Hi,
    Generally, this issue should be related to something called split tunneling; since you're using an F5 VPN client, you need to look for something related to split tunneling in the F5 VPN client's documentation.
    Here is an example, shared with you as a reference.
    http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm_config_10_2_0/apm_config_networkaccess.html
    In addition, you can refer to the link below for more solutions to this problem.
    You Cannot Connect to the Internet After You Connect to a VPN Server
    http://support.microsoft.com/kb/317025
    NOTE: This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites.
    Yolanda Zhu
    TechNet Community Support

  • VPN connects but unable to access resources on remote network

    Hi,
    I'm able to ping the ASA interface once the VPN is connected but unable to access any of the resources located on the remote network such as shares and computers. The Cisco VPN client shows data being sent and received when I ping the interface on the ASA but it doesn't receive any data when I attempt to ping or access other resources on the network.
    ASA Version 8.2(5)
    hostname HOST_NAME
    domain-name default.domain.invalid
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    speed 10
    duplex half
    interface Ethernet0/4
    speed 100
    duplex full
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.10.8.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 12.x.x.x x.x.x.x
    boot system disk0:/asa825-k8.bin
    ftp mode passive
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server 10.10.8.2
    domain-name default.domain.invalid
    same-security-traffic permit intra-interface
    object-group service Vipre tcp
    port-object range 18082 18082
    port-object range 18086 18086
    object-group network town
    network-object 192.168.0.0 255.255.0.0
    access-list outside_20_cryptomap extended permit ip 10.10.8.0 255.255.255.0 192.168.0.0 255.255.252.0
    access-list new extended permit ip host 192.168.0.1 any
    access-list new extended permit ip any host 192.168.0.1
    access-list outside_20_cryptomap_1 extended permit ip 10.10.8.0 255.255.255.0 192.168.0.0 255.255.252.0
    access-list townoffice_splitTunnelAcl standard permit 10.10.8.0 255.255.255.0
    access-list townremote_splitTunnelAcl standard permit 10.10.8.0 255.255.255.0
    access-list outside_access_in extended permit tcp any interface outside object-group Vipre
    access-list outside_access_in extended permit tcp any object-group Vipre interface inside object-group Vipre
    access-list outside_access_in extended permit tcp any eq 3389 10.10.8.0 255.255.255.0 eq 3389
    access-list test extended permit ip host 192.168.0.6 host 10.10.8.155
    access-list test extended permit ip host 10.10.8.155 host 192.168.0.6
    access-list test extended permit ip host 10.10.8.2 host 192.168.3.116
    access-list test extended permit ip host 192.168.3.116 host 10.10.8.2
    access-list test extended permit ip host 10.10.8.155 host 192.168.3.116
    access-list bypass extended permit ip host 10.10.8.155 host 192.168.3.116
    access-list bypass extended permit tcp 192.168.0.0 255.255.0.0 10.10.8.0 255.255.255.0
    access-list bypass extended permit tcp 10.10.8.0 255.255.255.0 192.168.0.0 255.255.0.0
    pager lines 24
    logging enable
    logging buffered debugging
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool vpn 10.10.8.125-10.10.8.149 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-522.bin
    no asdm history enable
    arp timeout 14400
    global (inside) 1 interface
    global (outside) 1 interface
    nat (inside) 1 192.168.0.0 255.255.0.0
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface 18082 10.10.8.2 18082 netmask 255.255.255.255
    static (inside,outside) tcp interface 18086 10.10.8.2 18086 netmask 255.255.255.255
    static (inside,outside) tcp interface 3389 10.10.8.2 3389 netmask 255.255.255.255
    static (inside,inside) 192.168.0.0 192.168.0.0 netmask 255.255.0.0
    static (inside,inside) 10.10.8.0 10.10.8.0 netmask 255.255.255.0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 12.70.119.65 1
    route inside 192.168.0.0 255.255.0.0 10.10.8.250 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    http server enable
    http  outside
    http  outside
    http  inside
    http  outside
    http inside
    http  outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sysopt noproxyarp inside
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map outside_dyn_map 20 set pfs
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 40 set pfs
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 60 set pfs
    crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 80 set pfs
    crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 100 set pfs
    crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
    crypto map outside_map 20 match address outside_20_cryptomap_1
    crypto map outside_map 20 set pfs
    crypto map outside_map 20 set peer 69.87.150.118
    crypto map outside_map 20 set transform-set ESP-3DES-SHA ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp nat-traversal 30
    telnet 10.10.8.0 255.255.255.0 inside
    telnet timeout 5
    ssh 63.161.207.0 255.255.255.0 outside
    ssh timeout 5
    console timeout 0
    dhcpd dns 10.8.8.2
    dhcpd address 10.10.8.150-10.10.8.200 inside
    dhcpd dns 10.10.8.2 interface inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy aaa internal
    group-policy aaa attributes
    dns-server value 10.10.8.2 4.2.2.2
    vpn-tunnel-protocol IPSec
    default-domain value domainname
    group-policy bbb internal
    group-policy bbb attributes
    wins-server value 10.10.8.2
    dns-server value 10.10.8.2
    vpn-tunnel-protocol IPSec l2tp-ipsec
    split-tunnel-policy tunnelall
    split-tunnel-network-list value townoffice_splitTunnelAcl
    default-domain value domainname.local
    group-policy townremote internal
    group-policy townremote attributes
    wins-server value 10.10.8.2
    dns-server value 10.10.8.2 4.2.2.2
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value townremote_splitTunnelAcl
    default-domain value domainanme
    group-policy remote internal
    group-policy remote attributes
    wins-server value 10.10.8.2
    dns-server value 10.10.8.2
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value townremote_splitTunnelAcl
    default-domain value dksecurity.local
    address-pools value vpn
    username xxxx password . encrypted privilege 15
    username xxxx attributes
    vpn-group-policy dksecurityremote
    username xxx password  encrypted privilege 15
    username xxx attributes
    vpn-group-policy dksecurityremote
    username xxxx password . encrypted privilege 15
    username xxx password  encrypted privilege 15
    username xxx attributes
    vpn-group-policy dksecurityremote
    username xxx password  encrypted privilege 15
    username xxxx attributes
    vpn-group-policy dksecurityremote
    username xxx password  encrypted privilege 15
    username xxx attributes
    vpn-group-policy dksecurityremote
    username xxx password  encrypted privilege 15
    username xxx attributes
    vpn-group-policy dksecurityremote
    username xxx password  encrypted privilege 15
    username xxx password  encrypted privilege 15
    username xxxx attributes
    vpn-group-policy remote
    username xxx password  encrypted privilege 15
    username xxx attributes
    vpn-group-policy remote
    username xxx password  encrypted privilege 15
    username xxx attributes
    vpn-group-policy remote
    username xxxx password  encrypted privilege 15
    username xxx password  encrypted privilege 15
    username xxx attributes
    vpn-group-policy remote
    tunnel-group 69.87.150.118 type ipsec-l2l
    tunnel-group 69.87.150.118 ipsec-attributes
    pre-shared-key *****
    tunnel-group remote type remote-access
    tunnel-group remote general-attributes
    address-pool vpn
    default-group-policy townremote
    tunnel-group townremote ipsec-attributes
    pre-shared-key *****
    isakmp keepalive disable
    tunnel-group townremote type remote-access
    tunnel-group townremote general-attributes
    address-pool vpn
    default-group-policy townremote
    tunnel-group lansingremote ipsec-attributes
    pre-shared-key *****
    class-map tcp-bypass
    match access-list bypass
    class-map test
    match access-list new
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
      no dns-guard
      no protocol-enforcement
      no nat-rewrite
    policy-map global_policy
    class test
    class inspection_default
    policy-map tcp
    class tcp-bypass
      set connection random-sequence-number disable
      set connection advanced-options tcp-state-bypass
    service-policy global_policy global
    service-policy tcp interface inside
    prompt hostname context
    call-home reporting anonymous prompt 2
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:c724d6744097760d94a7dcc79c39568a
    : end

    You need to change the VPN pool ip subnet to something other than the same ip range used on the inside interface.
    Sent from Cisco Technical Support iPad App
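As an added example illustrating the reply above (not code from the thread or from Cisco), the script below pulls the interface subnets and `ip local pool` ranges out of an ASA 8.2 running config and flags any pool that lies inside an interface subnet. The sample config lines are copied from the post; the corrected pool 10.10.9.125-10.10.9.149 is an assumed value chosen only to show a non-overlapping result.

```python
"""Flag VPN address pools that overlap an interface subnet in an ASA 8.2 config.

Added example (not from the thread or Cisco): the posted config hands out
10.10.8.125-10.10.8.149 to VPN clients while the inside interface is
10.10.8.1/24, which is the overlap the reply says to remove.
"""
import ipaddress
import re

INTERFACE_RE = re.compile(r"^interface\s+\S+")
NAMEIF_RE = re.compile(r"^nameif\s+(\S+)")
IPADDR_RE = re.compile(r"^ip address\s+(\S+)\s+(\S+)")
POOL_RE = re.compile(r"^ip local pool\s+(\S+)\s+(\S+)-(\S+)\s+mask\s+(\S+)")

# Lines copied from the posted config (the outside address is masked in the post).
POSTED_CONFIG = """
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.8.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 12.x.x.x x.x.x.x
ip local pool vpn 10.10.8.125-10.10.8.149 mask 255.255.255.0
"""

# Assumed fix (constructed): the pool moved to a subnet no interface uses.
FIXED_CONFIG = POSTED_CONFIG.replace(
    "ip local pool vpn 10.10.8.125-10.10.8.149 mask 255.255.255.0",
    "ip local pool vpn 10.10.9.125-10.10.9.149 mask 255.255.255.0",
)


def parse_interfaces(config):
    """Map nameif -> IPv4Network for every interface with a usable 'ip address'."""
    nets, name = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if INTERFACE_RE.match(line):
            name = None                     # new interface block; nameif comes first
            continue
        m = NAMEIF_RE.match(line)
        if m:
            name = m.group(1)
            continue
        m = IPADDR_RE.match(line)
        if m and name:
            try:
                nets[name] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
            except ValueError:
                pass                        # 'dhcp' or the masked '12.x.x.x x.x.x.x'
    return nets


def parse_pools(config):
    """Map pool name -> (first_address, last_address)."""
    pools = {}
    for raw in config.splitlines():
        m = POOL_RE.match(raw.strip())
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
    return pools


def overlapping_pools(config):
    """Return [(pool, nameif, subnet)] for each pool whose range touches an interface subnet."""
    hits = []
    nets = parse_interfaces(config)
    for pool, (first, last) in parse_pools(config).items():
        for ifname, net in nets.items():
            if first in net or last in net:
                hits.append((pool, ifname, str(net)))
    return hits


if __name__ == "__main__":
    print("posted:", overlapping_pools(POSTED_CONFIG))   # [('vpn', 'inside', '10.10.8.0/24')]
    print("fixed: ", overlapping_pools(FIXED_CONFIG))    # []
```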

  • Access AFP, email, Remote Desktop via VPN and local network but NOT web

    How can I do this? Right now I can set up all these services where I can access them via VPN only, but not on the local network or via the web. If I want to access them via the local network I have to open up the ports in the firewall, however this opens up access via the web (not requiring VPN) which I do NOT want. How do I remedy this?

  • IP LAN can't access remote network through VPN

    Hello,
    I want my ASA 5505 8.2(5) to access my proxy server on the remote LAN through VPN.
    My VPN is OK; all PCs on the local network can access the remote network.
    But the ASA on the local network can't access the remote network.
    I think it's a NAT problem but ....
    local network 192.168.157.0/24, local IP of ASA 192.168.157.1
    remote network 10.28.0.0/16
    remote proxy 10.28.1.26
    My config:
    ASA Version 8.2(5)
    hostname ASACTM
    enable password GC3gU8Dqv5.xJLCr encrypted
    passwd GC3gU8Dqv5.xJLCr encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.157.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 90.89.245.154 255.255.255.248
    ftp mode passive
    access-list InOutside extended permit icmp any any
    access-list outside_1_cryptomap extended permit ip 192.168.157.0 255.255.255.0 10.28.0.0 255.255.0.0
    access-list inside_nat0_outbound extended permit ip 192.168.157.0 255.255.255.0 10.28.0.0 255.255.0.0
    access-list inside_nat0_outbound extended permit ip 192.168.157.0 255.255.255.0 192.168.57.0 255.255.255.0
    access-list VPNRACTM_splitTunnelAcl standard permit 192.168.157.0 255.255.255.0
    access-list InInside extended permit tcp 192.168.157.0 255.255.255.0 10.28.0.0 255.255.0.0 eq www
    access-list InInside extended deny tcp 192.168.157.0 255.255.255.0 any eq www
    access-list InInside extended permit ip any any
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool POOLIPVPNCTM 192.168.57.1-192.168.57.254 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group InInside in interface inside
    access-group InOutside in interface outside
    route outside 0.0.0.0 0.0.0.0 90.89.245.155 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.157.0 255.255.255.0 inside
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 90.80.215.141
    crypto map outside_map 1 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    telnet 192.168.157.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 192.168.157.121-192.168.157.150 inside
    dhcpd dns 10.28.1.16 194.2.0.20 interface inside
    dhcpd wins 10.28.1.16 10.28.1.7 interface inside
    dhcpd domain vignes.local interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy VPNRACTM internal
    group-policy VPNRACTM attributes
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value VPNRACTM_splitTunnelAcl
    default-domain value vignes.local
    username admin password 6QiRA9AlUbU.gFTP encrypted privilege 0
    username admin attributes
    vpn-group-policy VPNRACTM
    username ICS1 password 5nDKAM1RJweYzrBO encrypted privilege 0
    username ICS1 attributes
    vpn-group-policy VPNRACTM
    tunnel-group 90.80.215.141 type ipsec-l2l
    tunnel-group 90.80.215.141 ipsec-attributes
    pre-shared-key *****
    tunnel-group VPNRACTM type remote-access
    tunnel-group VPNRACTM general-attributes
    address-pool POOLIPVPNCTM
    default-group-policy VPNRACTM
    tunnel-group VPNRACTM ipsec-attributes
    pre-shared-key *****
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:e2c2e2223cb7d5d83af808bb0a2b2636
    : end
    Thanks a lot.

    What do you mean by you would like the ASA to access the proxy server at the remote end?
    What configuration/command have you configured on the ASA for the ASA itself to access the remote proxy server?
    Do you want the PC behind the ASA to access the remote proxy server, or you want the ASA itself to access the remote proxy server?
    How do you want to access the proxy server?

  • Can I enable "Use default gateway on remote network" on VPN connection using Group Policy?

    Hi,
    First timer here so please bear with me!
    Environment: Domain Windows 2003, Clients: Windows 7 and Windows XP (with Client Side Extensions pushed out)
    When creating a VPN connection on a client machine manually with default settings the "Use default gateway on remote network" found in [Connection Properties - Networking - IPv4 - Advanced] is enabled, which is good as we don't allow split-tunneling.
    I have a test GPO that creates a new VPN Connection [Computer Config - Preferences - Control Panel - Network Options], but the above setting is unticked.
    Am I missing something on the options for the GP preference to set this automatically?
    I can write a script to directly change the C:\Users\All Users\Microsoft\Network\Connections\Pbk\rasphone.pbk file but would prefer if I could sort it all out using Group Policy.
    Any help would be greatly appreciated!
    Thanks a lot!
    David

    Shane,
    There is actually a way to set the "Use default gateway on remote network" through Group Policy Preferences. And this may even be a better way to do it, because you may change this flag without touching any other settings, or other VPN connections.
    (All VPN connections are stored in the same .pbk file.)
    Here's the trick: opening the .pbk file in Notepad, I realized that this is actually an old-style ini-structured file. And Group Policy Preferences can update ini files! In the .pbk file the section names are the VPN connection names, like [My VPN],
    and the property IpPrioritizeRemote is the flag "Use default gateway on remote network".
    So, in Group Policy Management Editor, go to Preferences / Windows Settings / Ini Files.
    Create a new object with Action = Update, and File Path =
    C:\ProgramData\Microsoft\Network\Connections\pbk\rasphone.pbk
    (If this is where your file is located, I guess it is in c:\users if the VPN connection is made for a single user.)
    Section Name should be the display name of your VPN connection, without the brackets.
    Property Name = IpPrioritizeRemote
    Property Value = 1
    Peter, www.skov.com, Denmark
    Peter :-)
    This is great, but just one question. I also want to append a list of DNS Suffixes in order (when viewing a VPN's properties, this is buried in "Networking --> IPv4/6 --> Advanced --> DNS --> Append these DNS Suffixes (in order)"). However, for the VPNs I have manually created with this list populated, I can't see any entries in the rasphone.pbk. Does anyone know where these are stored?
    Cheers.
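As an added example (not from the thread), the script below applies the same change Peter's Group Policy Preferences Ini Files item makes, Section = connection name, Property = IpPrioritizeRemote, Value = 1, by editing the .pbk directly, for the scripted fallback David mentions. It walks the file line by line so that only the named section is touched; the rasphone.pbk content shown is constructed, and the function names are the example's own.

```python
"""Set one property of one connection in an ini-style rasphone.pbk.

Added example, not from the thread. A generic ini parser is a poor fit for
rasphone.pbk because the file repeats keys (MEDIA/DEVICE blocks) inside a
section; this keeps every other line byte-for-byte and changes only the
IpPrioritizeRemote line of the requested [Connection Name] section.
"""
import re

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*$")

# Constructed sample: two connections, both with the flag cleared.
SAMPLE_PBK = (
    "[My VPN]\r\n"
    "Encoding=1\r\n"
    "PBVersion=1\r\n"
    "Type=2\r\n"
    "IpPrioritizeRemote=0\r\n"
    "MEDIA=rastapi\r\n"
    "Port=VPN2-0\r\n"
    "Device=WAN Miniport (PPTP)\r\n"
    "\r\n"
    "[Other VPN]\r\n"
    "Encoding=1\r\n"
    "IpPrioritizeRemote=0\r\n"
)


def _newline(text):
    return "\r\n" if "\r\n" in text else "\n"


def get_pbk_property(text, connection, key):
    """Value of `key` inside [connection], or None if either is missing."""
    in_target = False
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            in_target = m["name"] == connection
            continue
        if in_target:
            k, sep, v = line.partition("=")
            if sep and k.strip().lower() == key.lower():
                return v.strip()
    return None


def set_pbk_property(text, connection, key, value):
    """Return (new_text, changed). Only the [connection] section is modified."""
    nl = _newline(text)
    out, in_target, done, changed = [], False, False, False
    for line in text.splitlines(keepends=True):
        m = SECTION_RE.match(line.rstrip("\r\n"))
        if m:
            if in_target and not done:          # key absent: append at section end
                out.append(f"{key}={value}{nl}")
                changed = True
            in_target, done = (m["name"] == connection), False
        elif in_target and not done:
            k, sep, v = line.rstrip("\r\n").partition("=")
            if sep and k.strip().lower() == key.lower():
                done = True
                if v.strip() != value:
                    line = f"{k}={value}{nl}"   # keep the key's original spelling
                    changed = True
        out.append(line)
    if in_target and not done:                  # target was the last section
        if out and not out[-1].endswith("\n"):
            out.append(nl)
        out.append(f"{key}={value}{nl}")
        changed = True
    return "".join(out), changed


if __name__ == "__main__":
    updated, changed = set_pbk_property(SAMPLE_PBK, "My VPN", "IpPrioritizeRemote", "1")
    print("changed:", changed)
    print("My VPN   ->", get_pbk_property(updated, "My VPN", "IpPrioritizeRemote"))
    print("Other VPN->", get_pbk_property(updated, "Other VPN", "IpPrioritizeRemote"))
```

Run a second time on the updated text the function reports no change, which is the same idempotent behaviour the Update action of the GPP item has.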

  • Unable to access local resources or RDP over VPN Connection

    Dear Tech People.
    I have a Windows 7 computer that I have created a VPN service through Windows on.  I am able to connect to the VPN from outside of my network with my MacBook Air.  However, I am unable to connect to the computer via RDP, nor can I ping my PC that I am VPN'd into (192.168.1.252).  When I am connected, the IP address that I am assigned is 192.168.1.150.  When I run ipconfig /all, I can see the "RAS (Dial In)" interface for VPN, and it is set up with an IP address of 192.168.1.151 with a /32 subnet mask.  There is no default gateway listed, which is why I believe that this is not working.  I cannot determine any way to make this change.
    Basically, I have a VPN connection that I can do nothing with.  I cannot access shared resources, nor can I start a remote desktop session.  The pass-through is set up for PPTP with my router, which I believe is working, as I couldn't even connect prior to this.  Below are the full results of my ipconfig /all command on my Windows PC:
    C:\Users\Zach>ipconfig /all
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : Serenity
       Primary Dns Suffix  . . . . . . . :
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : Yes
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : att.net
    PPP adapter RAS (Dial In) Interface:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : RAS (Dial In) Interface
       Physical Address. . . . . . . . . :
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 192.168.1.151(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.255
       Default Gateway . . . . . . . . . :
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Ethernet adapter Local Area Connection:
       Connection-specific DNS Suffix  . : att.net
       Description . . . . . . . . . . . : Broadcom NetLink (TM) Gigabit Ethernet
       Physical Address. . . . . . . . . : BC-5F-F4-85-5E-A8
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2602:306:ce94:2570:3144:306c:cdae:d615(Preferred)
       Temporary IPv6 Address. . . . . . : 2602:306:ce94:2570:bd83:220:80a0:eb1e(Preferred)
       Link-local IPv6 Address . . . . . : fe80::3144:306c:cdae:d615%11(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.1.252(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Saturday, October 26, 2013 7:27:27 PM
       Lease Expires . . . . . . . . . . : Thursday, October 31, 2013 7:28:28 AM
       Default Gateway . . . . . . . . . : fe80::22e5:64ff:fe0c:5640%11
                                           192.168.1.254
       DHCP Server . . . . . . . . . . . : 192.168.1.254
       DHCPv6 IAID . . . . . . . . . . . : 247226356
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-2E-8E-B2-BC-5F-F4-85-5E-A8
       DNS Servers . . . . . . . . . . . : 192.168.1.254
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Ethernet adapter VMware Network Adapter VMnet1:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : VMware Virtual Ethernet Adapter for VMnet1
       Physical Address. . . . . . . . . : 00-50-56-C0-00-01
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::d906:32d3:7108:1227%15(Preferred)
       Autoconfiguration IPv4 Address. . : 169.254.18.39(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.0.0
       Default Gateway . . . . . . . . . :
       DHCPv6 IAID . . . . . . . . . . . : 335564886
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-2E-8E-B2-BC-5F-F4-85-5E-A8
       DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                           fec0:0:0:ffff::2%1
                                           fec0:0:0:ffff::3%1
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Ethernet adapter VMware Network Adapter VMnet8:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : VMware Virtual Ethernet Adapter for VMnet8
       Physical Address. . . . . . . . . : 00-50-56-C0-00-08
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::fc76:1de8:a7c3:27dd%16(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.135.1(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . :
       DHCPv6 IAID . . . . . . . . . . . : 352342102
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-2E-8E-B2-BC-5F-F4-85-5E-A8
       DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                           fec0:0:0:ffff::2%1
                                           fec0:0:0:ffff::3%1
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Tunnel adapter isatap.{6E06F030-7526-11D2-BAF4-00600815A4BD}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Teredo Tunneling Pseudo-Interface:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter isatap.att.net:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : att.net
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter isatap.{20B8F51C-F852-41EF-9F9B-1D0107550D1E}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter isatap.{8CCEC9EC-0685-4C6A-A87A-CED27B6C93E5}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Any thoughts or help would be greatly appreciated.

    Hi,
    I'm so glad you have solved the issue in this way.
    And thanks for sharing; the solution you shared here will provide other people in this forum with great help!
    Regards,
    Ada Liu
    We are trying to better understand customer views on the social support experience, so your participation in this interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

  • Can't get syslog messages from Remote SA520 over VPN

    I'm trying to set up a central logging server on a debian system running rsyslog.
    The syslog server is local & I have a branch office connected via a VPN. Both buildings have SA520 routers.
    I have set up both firewalls to allow ANY from each network, 192.168.150.X & 19.168.160.X (I also tried to add a rule for UDP 514, but that didn't help).
    The debian system is new & has no iptables set up
    I've entered the syslog server IP in remote logging.
    I've set up facilities in Send to syslog for both routers.
    I am logging messages from the local router but don't see anything from the remote.
    I've checked with wireshark & see no syslog packages from the remote (I do see SSL negotiation & others when using the web admin and of course the functioning vpn)
    I rebooted the router to see if that made a difference, but no luck.
    Any ideas why I can't get the syslog traffic across the VPN?

    I do have the correct IP address of the syslog server set up. I do not want email logs so have not enabled that.
    My setup is
    remote lan > SA520-remote (192.168.160.1) > [ site to site IPSec VPN over WAN ] > SA520-local (192.168.150.1) > syslog server (192.168.150.25) & local lan
    Firewall is set up to allow ANY IN & OUT to local lan on both routers.
    I have also set up specific rules for UDP 514 Syslog traffic (no difference, currently disabled)
    syslog server has -no- firewall at the moment.
    Syslog server is receiving messages from the local router with no issues.
    Log Severity is set to Information &  Log Facility is set up to send to Syslog.
    I have also setup a SNMP trap on the syslog server & pointed the remote router to it in hopes of diagnosing the issue.
    Both routers have the latest firmware applied.
    Using wireshark on the syslog server I see no traffic on UDP 514 (syslog) or UDP 162 (snmp)
    I can use the WUI for the remote & ping the 160.1 with no problem. Both ping & TLS/TCP traffic show up in wireshark on the syslog server when I do so.
    It looks to me like there is a problem routing the syslog messages out of the router & then back through the VPN.
    Worst case I'll set up another syslog server on an old machine at the remote location & then cron the logs to the central syslog server but it really seems I shouldn't have to.
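The diagnosis above rests on watching the collector for UDP 514 datagrams and noticing that none carry the remote router's address. As an added example (not part of the original thread, and not SA520 or rsyslog code), the block below does that check programmatically: it decodes the RFC 3164 PRI field (facility*8 + severity) of each datagram and tallies messages per source address, then lists any expected sender that never showed up. The sample datagrams are constructed; the addresses mirror the post (192.168.150.1 for the local router, 192.168.160.1 for the remote one), and the `listen` helper is only there for live capture, which needs the right to bind port 514.

```python
"""Tally syslog datagrams per sender and flag senders that never arrive."""
import re
import socket
from collections import Counter
from typing import Iterable, List, Optional, Tuple

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")

# Constructed sample traffic as (source address, raw datagram); nothing here
# came from a real SA520. Note the complete absence of 192.168.160.1.
SAMPLE: List[Tuple[str, bytes]] = [
    ("192.168.150.1", b"<134>Oct 26 19:27:27 SA520-local firewall: ACCEPT udp 514"),
    ("192.168.150.1", b"<132>Oct 26 19:28:01 SA520-local vpn: tunnel up"),
    ("192.168.150.1", b"not a syslog message at all"),
]


def parse_pri(datagram: bytes) -> Optional[Tuple[int, int]]:
    """Return (facility, severity) from the leading <PRI>, or None if malformed."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:            # 23*8 + 7 is the largest legal PRI value
        return None
    return pri // 8, pri % 8


def describe(datagram: bytes) -> str:
    """Human-readable 'facility.severity' label, e.g. 'local0.info'."""
    parsed = parse_pri(datagram)
    if parsed is None:
        return "malformed"
    return f"{FACILITIES[parsed[0]]}.{SEVERITIES[parsed[1]]}"


def summarize(datagrams: Iterable[Tuple[str, bytes]]) -> Counter:
    """Count messages per (source address, severity name)."""
    counts: Counter = Counter()
    for src, payload in datagrams:
        parsed = parse_pri(payload)
        sev = SEVERITIES[parsed[1]] if parsed else "malformed"
        counts[(src, sev)] += 1
    return counts


def missing_senders(counts: Counter, expected: Iterable[str]) -> List[str]:
    """Expected sender addresses that produced no datagrams at all."""
    seen = {src for src, _ in counts}
    return sorted(set(expected) - seen)


def listen(bind_addr: str = "0.0.0.0", port: int = 514,
           max_datagrams: int = 100) -> List[Tuple[str, bytes]]:
    """Capture live datagrams; binding port 514 usually needs privileges."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    received = []
    for _ in range(max_datagrams):
        payload, (src, _) = sock.recvfrom(65535)
        received.append((src, payload))
    return received


if __name__ == "__main__":
    counts = summarize(SAMPLE)
    for (src, sev), n in sorted(counts.items()):
        print(f"{src:15} {sev:9} {n}")
    print("never seen:", missing_senders(counts, ["192.168.150.1", "192.168.160.1"]))
```

If the remote router shows up in `missing_senders` while a ping from the same router does arrive, the problem is not the collector but the router's choice of source interface for its own syslog traffic, which is exactly the case the thread is circling.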

  • Problems accessing sky's remote record option

    Has anyone found a good way to access the Sky site, in particular the remote record options in the TV guide? They have this fancy JavaScript-based system that is a bit sluggish on a PC/Mac, but it crashes iPhone Safari. They have an option for a screen reader version which doesn't seem to work, but this doesn't work on a full computer either, so that's a Sky problem.
    If anyone has found any way around it I would appreciate a post, as it would be a useful function to have.
    Thanks
    Nick

    TV Plus is now available in iTunes and provides Sky+ Remote Record
    http://phobos.apple.com/WebObjects/MZStore.woa/wa/viewSoftware?id=292756958&mt=8

  • Locking problems accessing applications on a network drive post upgrade

    I recently upgraded to Windows 7 and JDeveloper 11.1.2.0.0
    After the upgrade, every time I open an application on a network drive and navigate into one of the projects, I get the following error.
    SEVERE: Unable to open environment /H:/dev/wssEmployer_6-22/.data/
    com.sleepycat.je.EnvironmentLockedException: (JE 3.3.98) A je.lck file exists in H:\dev\wssEmployer_6-22\.data\00000019 The environment can not be locked for single writer access.
    Any information I find on the forums regarding this package involves using it in development. Has anyone else seen this? Is there something I have to do on my machine or network to make this work?
    Thanks

    Actually, it seems to have been a problem with Novell for some reason. Our sys admin created a new network drive to store the working copy on, and this error stops. Thanks for the reply though.

  • Layer 2 network over VPN

    Is it possible to extend a subnet (same broadcast domain) across a VPN tunnel? For example, we have 10.1.100.X in VLAN 100 at HQ; can we use the same VLAN and the same IP range at a remote site on the other side of the VPN tunnel, and if so, can they forward broadcast traffic?
    Siddhartha

    You need to look into L2 tunneling (L2TP being possibly the choice; this includes L2TP over IPsec).
    Both SSL and IPsec are L3 solutions; you can share the same subnet as a LAN interface, but you might have problems with broadcasts depending on your configuration and actual needs.

  • Apple remote desktop over vpn - not working

    Hi,
    I've been using ARD within my firewall and it's been working great. I am currently traveling and logged in via VPN (PPTP) for the first time, and although I can see the two computers that I want to log into, I am not able to connect to them.
    I am able to access my file server fine, it just seems to be ARD that does not work...  I have an Asus RT-N66U as my router/VPN server.
    HELP!!!!

    Have you tried scanning the network in ARD while connected via VPN?

  • Duplicate private networks over vpn !

    A customer has the same private network as my company does, but I have to build a VPN between those two networks.
    Our site has an ASA5510 and the customer has a PIX 515E. How should I do this?
    Many thanks for helping me.
    Gerard Schurink

    You could take inspiration from this document:
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949f1.shtml
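The usual answer to two sites that share the same private prefix is to translate each side's real LAN to a distinct, unused range before encryption, so that the crypto ACLs and the far peer only ever see the translated addresses. The block below is an added example, not the original answer's code and not taken from the linked Cisco document; it checks that a proposed pair of translated ranges is consistent (same prefix length as the real LAN for 1:1 static NAT, no overlap with each other or with either real LAN), performs the 1:1 host translation, and emits the crypto ACL entries in the `access-list ... extended permit ip` form seen elsewhere on this page. All prefixes are constructed for the demo; the NAT statements themselves differ between ASA and PIX releases, so they are left out.

```python
"""Sanity-check a NAT plan for a site-to-site VPN between overlapping LANs."""
from ipaddress import IPv4Address, IPv4Network
from typing import List

# Constructed demo: both sites really use 192.168.1.0/24.
REAL_A = IPv4Network("192.168.1.0/24")    # our site (behind the ASA5510)
REAL_B = IPv4Network("192.168.1.0/24")    # customer site (behind the PIX 515E)
MAPPED_A = IPv4Network("10.10.10.0/24")   # how the customer sees our hosts
MAPPED_B = IPv4Network("10.20.20.0/24")   # how we see the customer's hosts


def check_plan(real_a: IPv4Network, real_b: IPv4Network,
               mapped_a: IPv4Network, mapped_b: IPv4Network) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    for label, real, mapped in (("A", real_a, mapped_a), ("B", real_b, mapped_b)):
        if real.prefixlen != mapped.prefixlen:
            problems.append(f"site {label}: mapped prefix length must equal the "
                            f"real one for 1:1 static NAT ({real} -> {mapped})")
    if mapped_a.overlaps(mapped_b):
        problems.append(f"mapped ranges {mapped_a} and {mapped_b} overlap each other")
    # A mapped range that overlaps either real LAN is unroutable: hosts would
    # treat the peer's translated addresses as local and never send them out.
    for label, mapped in (("A", mapped_a), ("B", mapped_b)):
        for real in (real_a, real_b):
            if mapped.overlaps(real):
                problems.append(f"site {label}: mapped range {mapped} overlaps "
                                f"real LAN {real}")
                break
    return problems


def translate(addr: IPv4Address, real: IPv4Network, mapped: IPv4Network) -> IPv4Address:
    """1:1 static network translation: keep the host bits, swap the network bits."""
    if addr not in real:
        raise ValueError(f"{addr} is not inside {real}")
    if real.prefixlen != mapped.prefixlen:
        raise ValueError("1:1 translation needs equal prefix lengths")
    host_bits = int(addr) - int(real.network_address)
    return IPv4Address(int(mapped.network_address) + host_bits)


def crypto_acl(name: str, local_mapped: IPv4Network, remote_mapped: IPv4Network) -> str:
    """Interesting-traffic ACE expressed in translated addresses on both ends."""
    return (f"access-list {name} extended permit ip "
            f"{local_mapped.network_address} {local_mapped.netmask} "
            f"{remote_mapped.network_address} {remote_mapped.netmask}")


if __name__ == "__main__":
    for p in check_plan(REAL_A, REAL_B, MAPPED_A, MAPPED_B) or ["plan OK"]:
        print(p)
    print(translate(IPv4Address("192.168.1.50"), REAL_A, MAPPED_A))
    print(crypto_acl("VPN-TO-CUSTOMER", MAPPED_A, MAPPED_B))   # our side
    print(crypto_acl("VPN-TO-PARTNER", MAPPED_B, MAPPED_A))    # their side, mirrored
```

The two ACL lines are mirror images of each other, which is the property both peers must agree on for the IPsec proxy identities to match; the real 192.168.1.0/24 never appears in either.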
