Problem accessing an adjacent remote network over VPN (2 asa5505)
Hello all,
I have 2 ASA5505 (CORP and remote) connected via VPN. The remote site contains 2 subnets (192.168.1.0/24 and 192.168.0.0/24 (for remote VPN users)). The corp site has 192.168.2.0/24 directly connected to ASA5505 and an adjacent network connected via another device namely the 172.16.0.0/16 network.
I am able to ping site-to-site between 192.168.0 -> 192.168.2
and
192.168.1 -> 192.168.2
I am unable to ping from the remote site to the 172.16 network, however.
I added permit ACLs on both my NAT and CRYPTO ACLs, and when I am trying to ping the remote 172.16 network I get the following messages on my CORP ASA:
4 Aug 12 2007 02:59:52 400010 192.168.2.1 192.168.0.10 IDS:2000 ICMP echo reply from 192.168.2.1 to 192.168.0.10 on interface inside
reply is timing out though.
Any tips would be appreciated!
My ACLs:
REMOTE SITE:
#NONAT
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.1.0 255.255.255.0
#CRYPTO ACL
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
CORP SITE:
#CORP
access-list 200 extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 200 extended permit ip 172.16.0.0 255.255.0.0 192.168.3.0 255.255.255.0
access-list 200 extended permit ip 172.17.0.0 255.255.0.0 192.168.3.0 255.255.255.0
access-list 200 extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 200 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 200 extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list 200 extended permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 200
nat (inside) 1 0.0.0.0 0.0.0.0
#CRYPTO ACL
access-list 105 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 105 extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 105 extended permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 105 extended permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list 105 extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list 105 extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
Thanks in advance!
The config looks ok.
If you were trying to ping 172.16.x.x I don't see why the log would be what you displayed. Where are you pinging from, the remote site?
"4 Aug 12 2007 02:59:52 400010 192.168.2.1 192.168.0.10 IDS:2000 ICMP echo reply from 192.168.2.1 to 192.168.0.10 on interface inside"
Does the 172.16 network have a route to the 192.168.0.0 and 192.168.1.0 network?
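As an added example (not part of this thread), the Python below runs two checks a practitioner would do on the ACLs posted above: whether every crypto ACL entry is mirrored on the peer ASA, and whether every crypto entry is covered by a nat 0 exemption on its own ASA. It parses only the "permit ip" lines shown here; the return route from 172.16.0.0/16 that the reply asks about cannot be verified from ACLs alone.

```python
"""Consistency checks for the two ASA site-to-site ACL sets posted above (added example)."""
import ipaddress
import re

# Constructed from the ACLs in the thread: remote site (nat0 list + crypto ACL 100)
# and corp site (nat0 list 200 + crypto ACL 105).
REMOTE_CONFIG = """\
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
"""
CORP_CONFIG = """\
access-list 200 extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 200 extended permit ip 172.16.0.0 255.255.0.0 192.168.3.0 255.255.255.0
access-list 200 extended permit ip 172.17.0.0 255.255.0.0 192.168.3.0 255.255.255.0
access-list 200 extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 200 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 200 extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list 200 extended permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list 105 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 105 extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 105 extended permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 105 extended permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list 105 extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list 105 extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")


def _take_net(tokens):
    """Consume one address spec ('any', 'host A' or 'A MASK') and return an ip_network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network((tok, tokens.pop(0)), strict=False)


def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} for every 'permit ip' line."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            tokens = m.group(2).split()
            src, dst = _take_net(tokens), _take_net(tokens)
            acls.setdefault(m.group(1), []).append((src, dst))
    return acls


def unmirrored(local_crypto, peer_crypto):
    """Crypto entries whose reversed (dst, src) pair is missing on the peer ASA."""
    peer = set(peer_crypto)
    return [(s, d) for s, d in local_crypto if (d, s) not in peer]


def not_exempted(crypto, nat0):
    """Crypto entries not fully covered by any nat 0 entry, i.e. still subject to NAT."""
    return [(s, d) for s, d in crypto
            if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nat0)]


def check_pair(remote_cfg, corp_cfg, remote_crypto, remote_nat0, corp_crypto, corp_nat0):
    """Run both checks in both directions; each value is a list of (src, dst) networks."""
    r, c = parse_acls(remote_cfg), parse_acls(corp_cfg)
    return {
        "remote_unmirrored": unmirrored(r[remote_crypto], c[corp_crypto]),
        "corp_unmirrored": unmirrored(c[corp_crypto], r[remote_crypto]),
        "remote_not_exempted": not_exempted(r[remote_crypto], r[remote_nat0]),
        "corp_not_exempted": not_exempted(c[corp_crypto], c[corp_nat0]),
    }


if __name__ == "__main__":
    findings = check_pair(REMOTE_CONFIG, CORP_CONFIG, "100", "inside_nat0_outbound", "105", "200")
    for check, pairs in findings.items():
        for s, d in pairs:
            print(f"{check}: {s} -> {d}")
```

On the posted ACLs it flags the two local-to-local lines in crypto ACL 100 (192.168.1.0/24 and 192.168.0.0/24 in each direction) as having no mirror in ACL 105, and the two 192.168.3.0/24 source entries in ACL 105 as having no nat 0 line in ACL 200.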
Similar Messages
-
Problem accessing company resources remotely using Cisco VPN Client
I connect to my company's network remotely using Cisco VPN client both from a PC (v 4.0.1) and from a MacBook Pro (v 4.9.00) (same configs), and use Remote Desktop to connect to my work computer, and now I'm able to use Citrix to run applications on the company server.
The problem occurs on the Mac when I'm connecting from a location that uses the same private domain IP as our company's private domain. Our company's private domain is 192.168.1.x, so when I'm using the Mac on a WiFi router that happens to be set to 192.168.1.1, the Mac can connect using VPN but the remote desktop cannot connect to my work computer. Presumably, the Mac doesn't "know" that I'm trying to go through the VPN for the connection and not connect to something locally.
This problem seems to be unique to the Mac. Every Windows machine with the same client installed has no problems no matter what WiFi I've tried. The Mac works fine on any WiFi that is not 192.168.1.x.
However, since 192.168.1.x is very common (hotels, airports, etc.), it's a major problem with the Mac.
Suggestions are greatly appreciated!
Also, now that we're moving to Citrix, our administrator has created a webpage on the intranet that we launch applications from, but the Mac cannot find that page when connected to VPN from 192.168.1.x. Same problem.
Thanks in advance.
Hi,
I presume you have split-tunneling activated.
1. Make sure the 192.168.1.x is on the protected networks and on the MacBook client, disable "Allow local LAN access"
2. Create a separate group for the Mac users and assign them a different pool (192.168.100.x) and advertise it in your company to point to the VPN Concentrator.
3. Use the NAT feature on your VPN concentrator.
If this helped, please rate.
Regards,
Daniel -
VPN connection issue - problem accessing individual computers on network
Hello,
So far I have set up my XServe for VPN access so I can log into my office mac network from my home mac using the L2TP protocol. The server sits behind a basic router, and the router forwards the following ports direct to the server's IP address (192.168.1.2): ports 500, 4500, 1701 and 548 (AFP).
The office network uses 192.168.1.x IP range and each computer has a static DHCP map assigned, and each machine also has a unique DNS name to simplify access to them.
My home mac uses 192.168.0.x range.
The server has NAT turned off and also the firewall off for the moment, while I test everything.
The VPN is set to provide the IP range 192.168.1.150 to 192.168.1.174 to remote clients, and in the Client Information settings pane it is set for: DNS servers = 192.168.1.2, network routing definitions = 192.168.1.0, netmask 255.255.255.0 (Private) and 0.0.0.0, netmask 0.0.0.0 (Public).
I can connect fine over VPN from home using internet connect, I am assigned an IP address with the 192.168.1.150-174 range and can connect through the "Go" menu's "Connect to server..." directly to the server on 192.168.1.2. What I cannot do is use this method to connect to any other computer on the network (for example 192.168.1.5), nor can I use DNS names to reach them.
In the internet connect app I set the DNS server as 192.168.1.2, is this correct? Also, do I need to open port 53 (DNS) on my router? Is there something else I have overlooked as this is all new to me.
Thanks for your help.
OK, sorry, my bad. The Macs did not have Personal File Sharing enabled; now they have, I can link via their individual IP addresses. Doh!
But I still want to use DNS names, can anyone shed any light on that? -
Using the personal hotspot feature on the iPhone 5, I am able to connect to the internet. We also use Juniper NCP client to access our local system from a remote location. A VPN connection is created, but I am unable to access servers in our network. This same functionality works using my colleagues iPhone 4.
Both phones are running iOS 6.1.3. I tried to reset network settings, but am still unable to ping servers in our network. This is a feature that our sales team relies heavily on when out of the office. Hoping someone has some suggestions on what is different between the 2 phones.
Hi,
Generally, this issue should be related to something called split tunneling. Since you're using an F5 VPN client, you need to look for something related to split tunneling in the F5 VPN client's documentation.
Here is an example, shared with you as a reference.
http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm_config_10_2_0/apm_config_networkaccess.html
In addition, you can refer to the link below for more solutions to this problem.
You Cannot Connect to the Internet After You Connect to a VPN Server
http://support.microsoft.com/kb/317025
NOTE: This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites.
Yolanda Zhu
TechNet Community Support -
VPN connects but unable to access resources on remote network
Hi,
I'm able to ping the ASA interface once the VPN is connected, but unable to access any of the resources located on the remote network such as shares and computers. The Cisco VPN client shows data being sent and received when I ping the interface on the ASA, but it doesn't receive any data when I attempt to ping or access other resources on the network.
ASA Version 8.2(5)
hostname HOST_NAME
domain-name default.domain.invalid
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
speed 10
duplex half
interface Ethernet0/4
speed 100
duplex full
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.10.8.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 12.x.x.x x.x.x.x
boot system disk0:/asa825-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 10.10.8.2
domain-name default.domain.invalid
same-security-traffic permit intra-interface
object-group service Vipre tcp
port-object range 18082 18082
port-object range 18086 18086
object-group network town
network-object 192.168.0.0 255.255.0.0
access-list outside_20_cryptomap extended permit ip 10.10.8.0 255.255.255.0 192.168.0.0 255.255.252.0
access-list new extended permit ip host 192.168.0.1 any
access-list new extended permit ip any host 192.168.0.1
access-list outside_20_cryptomap_1 extended permit ip 10.10.8.0 255.255.255.0 192.168.0.0 255.255.252.0
access-list townoffice_splitTunnelAcl standard permit 10.10.8.0 255.255.255.0
access-list townremote_splitTunnelAcl standard permit 10.10.8.0 255.255.255.0
access-list outside_access_in extended permit tcp any interface outside object-group Vipre
access-list outside_access_in extended permit tcp any object-group Vipre interface inside object-group Vipre
access-list outside_access_in extended permit tcp any eq 3389 10.10.8.0 255.255.255.0 eq 3389
access-list test extended permit ip host 192.168.0.6 host 10.10.8.155
access-list test extended permit ip host 10.10.8.155 host 192.168.0.6
access-list test extended permit ip host 10.10.8.2 host 192.168.3.116
access-list test extended permit ip host 192.168.3.116 host 10.10.8.2
access-list test extended permit ip host 10.10.8.155 host 192.168.3.116
access-list bypass extended permit ip host 10.10.8.155 host 192.168.3.116
access-list bypass extended permit tcp 192.168.0.0 255.255.0.0 10.10.8.0 255.255.255.0
access-list bypass extended permit tcp 10.10.8.0 255.255.255.0 192.168.0.0 255.255.0.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpn 10.10.8.125-10.10.8.149 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.0.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 18082 10.10.8.2 18082 netmask 255.255.255.255
static (inside,outside) tcp interface 18086 10.10.8.2 18086 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 10.10.8.2 3389 netmask 255.255.255.255
static (inside,inside) 192.168.0.0 192.168.0.0 netmask 255.255.0.0
static (inside,inside) 10.10.8.0 10.10.8.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 12.70.119.65 1
route inside 192.168.0.0 255.255.0.0 10.10.8.250 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http outside
http outside
http inside
http outside
http inside
http outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto map outside_map 20 match address outside_20_cryptomap_1
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 69.87.150.118
crypto map outside_map 20 set transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30
telnet 10.10.8.0 255.255.255.0 inside
telnet timeout 5
ssh 63.161.207.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
dhcpd dns 10.8.8.2
dhcpd address 10.10.8.150-10.10.8.200 inside
dhcpd dns 10.10.8.2 interface inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy aaa internal
group-policy aaa attributes
dns-server value 10.10.8.2 4.2.2.2
vpn-tunnel-protocol IPSec
default-domain value domainname
group-policy bbb internal
group-policy bbb attributes
wins-server value 10.10.8.2
dns-server value 10.10.8.2
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelall
split-tunnel-network-list value townoffice_splitTunnelAcl
default-domain value domainname.local
group-policy townremote internal
group-policy townremote attributes
wins-server value 10.10.8.2
dns-server value 10.10.8.2 4.2.2.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value townremote_splitTunnelAcl
default-domain value domainanme
group-policy remote internal
group-policy remote attributes
wins-server value 10.10.8.2
dns-server value 10.10.8.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value townremote_splitTunnelAcl
default-domain value dksecurity.local
address-pools value vpn
username xxxx password . encrypted privilege 15
username xxxx attributes
vpn-group-policy dksecurityremote
username xxx password encrypted privilege 15
username xxx attributes
vpn-group-policy dksecurityremote
username xxxx password . encrypted privilege 15
username xxx password encrypted privilege 15
username xxx attributes
vpn-group-policy dksecurityremote
username xxx password encrypted privilege 15
username xxxx attributes
vpn-group-policy dksecurityremote
username xxx password encrypted privilege 15
username xxx attributes
vpn-group-policy dksecurityremote
username xxx password encrypted privilege 15
username xxx attributes
vpn-group-policy dksecurityremote
username xxx password encrypted privilege 15
username xxx password encrypted privilege 15
username xxxx attributes
vpn-group-policy remote
username xxx password encrypted privilege 15
username xxx attributes
vpn-group-policy remote
username xxx password encrypted privilege 15
username xxx attributes
vpn-group-policy remote
username xxxx password encrypted privilege 15
username xxx password encrypted privilege 15
username xxx attributes
vpn-group-policy remote
tunnel-group 69.87.150.118 type ipsec-l2l
tunnel-group 69.87.150.118 ipsec-attributes
pre-shared-key *****
tunnel-group remote type remote-access
tunnel-group remote general-attributes
address-pool vpn
default-group-policy townremote
tunnel-group townremote ipsec-attributes
pre-shared-key *****
isakmp keepalive disable
tunnel-group townremote type remote-access
tunnel-group townremote general-attributes
address-pool vpn
default-group-policy townremote
tunnel-group lansingremote ipsec-attributes
pre-shared-key *****
class-map tcp-bypass
match access-list bypass
class-map test
match access-list new
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
no dns-guard
no protocol-enforcement
no nat-rewrite
policy-map global_policy
class test
class inspection_default
policy-map tcp
class tcp-bypass
set connection random-sequence-number disable
set connection advanced-options tcp-state-bypass
service-policy global_policy global
service-policy tcp interface inside
prompt hostname context
call-home reporting anonymous prompt 2
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:c724d6744097760d94a7dcc79c39568a
: end
You need to change the VPN pool IP subnet to something other than the same IP range used on the inside interface.
Sent from Cisco Technical Support iPad App -
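The reply above gives the fix without the check; as an added example (not from the thread), this script parses an ASA 8.2 configuration for interface addresses and "ip local pool" ranges and reports every pool that falls inside an interface subnet, as pool "vpn" does with "inside" in the posted config. The outside address is a TEST-NET placeholder because the post masked it.

```python
"""Flag an ASA remote-access address pool that overlaps an interface subnet (added example)."""
import ipaddress
import re

# Constructed excerpt of the configuration posted above. The outside address was
# masked in the post, so a TEST-NET (192.0.2.0/24) placeholder is used for it here.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.8.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.252
ip local pool vpn 10.10.8.125-10.10.8.149 mask 255.255.255.0
"""

IFACE_RE = re.compile(r"^interface (\S+)$")
NAMEIF_RE = re.compile(r"^nameif (\S+)$")
ADDR_RE = re.compile(r"^ip address (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)")


def parse_interfaces(config):
    """Return {nameif: network} for every interface block that carries an IP address."""
    ifaces, current, name = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()  # works whether or not the paste kept ASA's indentation
        if m := IFACE_RE.match(line):
            current, name = m.group(1), None
        elif current and (m := NAMEIF_RE.match(line)):
            name = m.group(1)
        elif current and (m := ADDR_RE.match(line)):
            ifaces[name or current] = ipaddress.ip_network((m.group(1), m.group(2)), strict=False)
    return ifaces


def parse_pools(config):
    """Return {pool_name: (first_address, last_address)} from 'ip local pool' lines."""
    pools = {}
    for line in config.splitlines():
        if m := POOL_RE.match(line.strip()):
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
    return pools


def overlapping_pools(config):
    """Return [(pool, nameif, network)] for every pool whose range touches an interface subnet."""
    ifaces = parse_interfaces(config)
    hits = []
    for pool, (first, last) in parse_pools(config).items():
        for nameif, net in ifaces.items():
            # Two address ranges overlap when each starts before the other ends.
            if first <= net.broadcast_address and last >= net.network_address:
                hits.append((pool, nameif, str(net)))
    return hits


if __name__ == "__main__":
    for pool, nameif, net in overlapping_pools(SAMPLE_CONFIG):
        print(f"pool {pool} overlaps interface {nameif} ({net})")
```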
Access AFP, email, Remote Desktop via VPN and local network but NOT web
How can I do this? Right now I can set up all these services where I can access them via VPN only, but not on the local network or via the web. If I want to access them via the local network I have to open up the ports in the firewall, however this opens up access via the web (not requiring VPN) which I do NOT want. How do I remedy this?
-
IP LAN can't access remote network through VPN
Hello,
I want my ASA 5505 8.2(5) to access my proxy server on the remote LAN through VPN.
My VPN is OK, all PCs on the local network can access the remote network.
But the ASA on the local network can't access the remote network.
I think it's a NAT problem but ...
local network 192.168.157.0/24, local ASA IP 192.168.157.1
remote network 10.28.0.0/16
remote proxy 10.28.1.26
my conf:
ASA Version 8.2(5)
hostname ASACTM
enable password GC3gU8Dqv5.xJLCr encrypted
passwd GC3gU8Dqv5.xJLCr encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.157.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 90.89.245.154 255.255.255.248
ftp mode passive
access-list InOutside extended permit icmp any any
access-list outside_1_cryptomap extended permit ip 192.168.157.0 255.255.255.0 10.28.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.157.0 255.255.255.0 10.28.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.157.0 255.255.255.0 192.168.57.0 255.255.255.0
access-list VPNRACTM_splitTunnelAcl standard permit 192.168.157.0 255.255.255.0
access-list InInside extended permit tcp 192.168.157.0 255.255.255.0 10.28.0.0 255.255.0.0 eq www
access-list InInside extended deny tcp 192.168.157.0 255.255.255.0 any eq www
access-list InInside extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool POOLIPVPNCTM 192.168.57.1-192.168.57.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group InInside in interface inside
access-group InOutside in interface outside
route outside 0.0.0.0 0.0.0.0 90.89.245.155 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.157.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 90.80.215.141
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 192.168.157.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.157.121-192.168.157.150 inside
dhcpd dns 10.28.1.16 194.2.0.20 interface inside
dhcpd wins 10.28.1.16 10.28.1.7 interface inside
dhcpd domain vignes.local interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy VPNRACTM internal
group-policy VPNRACTM attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNRACTM_splitTunnelAcl
default-domain value vignes.local
username admin password 6QiRA9AlUbU.gFTP encrypted privilege 0
username admin attributes
vpn-group-policy VPNRACTM
username ICS1 password 5nDKAM1RJweYzrBO encrypted privilege 0
username ICS1 attributes
vpn-group-policy VPNRACTM
tunnel-group 90.80.215.141 type ipsec-l2l
tunnel-group 90.80.215.141 ipsec-attributes
pre-shared-key *****
tunnel-group VPNRACTM type remote-access
tunnel-group VPNRACTM general-attributes
address-pool POOLIPVPNCTM
default-group-policy VPNRACTM
tunnel-group VPNRACTM ipsec-attributes
pre-shared-key *****
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e2c2e2223cb7d5d83af808bb0a2b2636
: end
Thanks a lot
What do you mean by you would like the ASA to access the proxy server at the remote end?
What configuration/command have you configured on the ASA for the ASA itself to access the remote proxy server?
Do you want the PC behind the ASA to access the remote proxy server, or you want the ASA itself to access the remote proxy server?
How do you want to access the proxy server? -
Can I enable "Use default gateway on remote network" on VPN connection using Group Policy?
Hi,
First timer here so please bear with me!
Environment: Domain Windows 2003, Clients: Windows 7 and Windows XP (with Client Side Extensions pushed out)
When creating a VPN connection on a client machine manually with default settings the "Use default gateway on remote network" found in [Connection Properties - Networking - IPv4 - Advanced] is enabled, which is good as we don't allow split-tunneling.
I have a test GPO that creates a new VPN Connection [Computer Config - Preferences - Control Panel - Network Options], but the above setting is unticked.
Am I missing something in the options for the GP preference to set this automatically?
I can write a script to directly change the C:\Users\All Users\Microsoft\Network\Connections\Pbk\rasphone.pbk file but would prefer if I could sort it all out using Group Policy.
Any help would be greatly appreciated!
Thanks a lot!
David
Shane,
There is actually a way to set the "Use default gateway on remote network" through Group Policy Preferences. And this may even be a better way to do it, because you may change this flag without touching any other settings, or other VPN connections.
(All VPN connections are stored in the same .pbk file.)
Here's the trick: opening the .pbk file in Notepad, I realized that this is actually an old-style INI-structured file. And Group Policy Preferences can update INI files! In the .pbk file the section names are the VPN connection names, like [My VPN], and the property IpPrioritizeRemote is the flag "Use default gateway on remote network".
So, in Group Policy Management Editor, go to Preferences / Windows Settings / Ini Files.
Create a new object with Action = Update, and File Path =
C:\ProgramData\Microsoft\Network\Connections\pbk\rasphone.pbk
(If this is where your file is located, I guess it is in c:\users if the VPN connection is made for a single user.)
Section Name should be the display name of your VPN connection, without the brackets.
Property Name = IpPrioritizeRemote
Property Value = 1
Peter, www.skov.com, Denmark
Peter :-)
This is great, but just one question. I also want to append a list of DNS Suffixes in order (when viewing a VPN's properties, this is buried in "Networking --> IPv4/6 --> Advanced --> DNS --> Append these DNS Suffixes (in order)"). However, for the VPNs I have manually created with this list populated, I can't see any entries in the rasphone.pbk. Does anyone know where these are stored?
Cheers. -
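Added example, not Peter's code: using the INI structure he describes, this audits a rasphone.pbk for connections whose IpPrioritizeRemote is not 1 (so traffic is not forced through the remote gateway) and produces the corrected phonebook text, the same change the Group Policy Preferences Ini Files "Update" action makes. The sample phonebook is constructed; only IpPrioritizeRemote comes from the thread, the other keys are illustrative, and a real file must be opened with the encoding Windows saved it in.

```python
"""Audit and fix the 'Use default gateway on remote network' flag in a rasphone.pbk (added example)."""
import configparser
import io

# Constructed phonebook excerpt. Section names are the connection display names and
# IpPrioritizeRemote is the flag named in the thread; the other keys are illustrative.
SAMPLE_PBK = """\
[Head Office VPN]
Encoding=1
Type=2
IpPrioritizeRemote=1

[Branch VPN]
Encoding=1
Type=2
IpPrioritizeRemote=0

[Legacy VPN]
Encoding=1
Type=2
"""


def load_pbk(text):
    """Parse .pbk text as an INI file without lower-casing keys or expanding '%' sequences."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    parser.optionxform = str  # keep key names exactly as written in the phonebook
    parser.read_string(text)
    return parser


def split_tunnel_connections(text):
    """Connections that will NOT use the remote default gateway (flag absent or not '1')."""
    parser = load_pbk(text)
    return [name for name in parser.sections()
            if parser.get(name, "IpPrioritizeRemote", fallback="0") != "1"]


def enforce_remote_gateway(text):
    """Return the phonebook text with IpPrioritizeRemote=1 on every connection."""
    parser = load_pbk(text)
    for name in parser.sections():
        parser[name]["IpPrioritizeRemote"] = "1"
    out = io.StringIO()
    parser.write(out, space_around_delimiters=False)  # write key=value like rasphone.pbk
    return out.getvalue()


if __name__ == "__main__":
    print("remote gateway not enforced for:", split_tunnel_connections(SAMPLE_PBK))
    print(enforce_remote_gateway(SAMPLE_PBK))
```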
Unable to access local resources or RDP over VPN Connection
Dear Tech People.
I have a Windows 7 computer that I have created a VPN service through Windows on. I am able to connect to the VPN from outside of my network with my Macbook Air. However, I am unable to connect to the computer via RDP, nor can I ping my PC that I am VPN'd into (192.168.1.252). When I am connected, the IP address that I am assigned is 192.168.1.150. When I run ipconfig /all, I can see the "RAS (Dial In) Interface" for VPN, and it is set up with an IP address of 192.168.1.151 with a /32 subnet mask. There is no default gateway listed, which is why I believe that this is not working. I cannot determine any way to make this change.
Basically, I have a VPN connection that I can do nothing with. I cannot access shared resources, nor can I start a remote desktop session. The pass-through is set up for PPTP with my router, which I believe is working, as I couldn't even connect prior to this. Below are the full results of my ipconfig /all command on my Windows PC:
C:\Users\Zach>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : Serenity
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : att.net
PPP adapter RAS (Dial In) Interface:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : RAS (Dial In) Interface
Physical Address. . . . . . . . . :
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.1.151(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : att.net
Description . . . . . . . . . . . : Broadcom NetLink (TM) Gigabit Ethernet
Physical Address. . . . . . . . . : BC-5F-F4-85-5E-A8
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2602:306:ce94:2570:3144:306c:cdae:d615(Preferred)
Temporary IPv6 Address. . . . . . : 2602:306:ce94:2570:bd83:220:80a0:eb1e(Preferred)
Link-local IPv6 Address . . . . . : fe80::3144:306c:cdae:d615%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.252(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Saturday, October 26, 2013 7:27:27 PM
Lease Expires . . . . . . . . . . : Thursday, October 31, 2013 7:28:28 AM
Default Gateway . . . . . . . . . : fe80::22e5:64ff:fe0c:5640%11
192.168.1.254
DHCP Server . . . . . . . . . . . : 192.168.1.254
DHCPv6 IAID . . . . . . . . . . . : 247226356
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-2E-8E-B2-BC-5F-F4-85-5E-A8
DNS Servers . . . . . . . . . . . : 192.168.1.254
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter VMware Network Adapter VMnet1:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VMware Virtual Ethernet Adapter for VMnet1
Physical Address. . . . . . . . . : 00-50-56-C0-00-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::d906:32d3:7108:1227%15(Preferred)
Autoconfiguration IPv4 Address. . : 169.254.18.39(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 335564886
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-2E-8E-B2-BC-5F-F4-85-5E-A8
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter VMware Network Adapter VMnet8:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VMware Virtual Ethernet Adapter for VMnet8
Physical Address. . . . . . . . . : 00-50-56-C0-00-08
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::fc76:1de8:a7c3:27dd%16(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.135.1(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 352342102
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-2E-8E-B2-BC-5F-F4-85-5E-A8
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{6E06F030-7526-11D2-BAF4-00600815A4BD}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.att.net:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : att.net
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.{20B8F51C-F852-41EF-9F9B-1D0107550D1E}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.{8CCEC9EC-0685-4C6A-A87A-CED27B6C93E5}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Any thoughts or help would be greatly appreciated.
Hi,
I'm so glad you have solved the issue in this way.
And thanks for your sharing, your solution shared here will provide other people in this forum with a great help!
Regards,
Ada Liu
-
Can't get syslog messages from Remote SA520 over VPN
I'm trying to set up a central logging server on a debian system running rsyslog.
The syslog server is local & I have a branch office connected via a VPN. Both buildings have SA520 routers.
I have set up both firewalls to allow ANY from each network 192.168.150.X & 19.168.160.X
(also tried to add a rule for UDP514 but that didn't help)
The debian system is new & has no iptables set up
I've entered the syslog server IP in remote logging.
I've set up facilities in Send to syslog for both routers.
I am logging messages from the local router but don't see anything from the remote.
I've checked with wireshark & see no syslog packages from the remote (I do see SSL negotiation & others when using the web admin and of course the functioning vpn)
I rebooted the router to see if that made a difference but no luck.
Any ideas why I can't get the syslog traffic across the VPN?
I do have the correct IP address of the syslog server set up. I do not want email logs so have not enabled that.
My setup is
remote lan > SA520-remote (192.168.160.1) > [ site to site IPSec VPN over WAN ] > SA520-local (192.168.150.1) > syslog server (192.168.150.25) & local lan
Firewall is set up to allow ANY IN & OUT to local lan on both routers.
I have also set up specific rules for UDP 514 Syslog traffic (no difference, currently disabled)
syslog server has -no- firewall at the moment.
Syslog server is receiving messages from the local router with no issues.
Log Severity is set to Information & Log Facility is set up to send to Syslog.
I have also setup a SNMP trap on the syslog server & pointed the remote router to it in hopes of diagnosing the issue.
Both routers have the latest firmware applied.
Using wireshark on the syslog server I see no traffic on UDP 514 (syslog) or UDP 162 (snmp)
I can use the WUI for the remote & ping the 160.1 with no problem. Both ping & TLS/TCP traffic show up in wireshark on the syslog server when I do so.
It looks to me like there is a problem routing the syslog messages out of the router & then back through the VPN.
Worst case I'll set up another syslog server on an old machine at the remote location & then cron the logs to the central syslog server but it really seems I shouldn't have to. -
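A check that fits the troubleshooting in the post above: rather than watching Wireshark by eye, tally what the collector actually received per sender and decode the RFC 3164 PRI field (facility * 8 + severity) so a sender that produces nothing can be told apart from a facility/severity filter mismatch. This is an added example, not code from the thread or from rsyslog; the router and server addresses are the ones named in the post, and the sample records are constructed, not captured.

```python
"""Added example: audit a central syslog collector's intake per sender.

Decodes the <PRI> prefix of RFC 3164 messages and reports which expected
senders (here the remote SA520 at 192.168.160.1, taken from the thread)
produced no messages at all. The sample records are constructed.
"""
import re
import socket
from collections import Counter

# RFC 3164 facility and severity code tables (index == numeric code).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
    "solaris-cron", "local0", "local1", "local2", "local3", "local4",
    "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_syslog(raw):
    """Decode the PRI of one RFC 3164 message; None if it is malformed."""
    m = PRI_RE.match(raw)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 24 facilities * 8 severities - 1 is the highest legal PRI
        return None
    facility, severity = divmod(pri, 8)
    return {"facility": FACILITIES[facility],
            "severity": SEVERITIES[severity],
            "msg": m.group(2)}


def build_syslog_datagram(facility, severity, timestamp, hostname, tag, msg):
    """Encode a BSD-style syslog line, e.g. to send a known test message from
    a host on the remote LAN to prove the UDP/514 path end to end."""
    pri = FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)
    return f"<{pri}>{timestamp} {hostname} {tag}: {msg}".encode()


def send_test_message(collector_ip, datagram, port=514):
    """Fire one UDP datagram at the collector (syslog sends no reply)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, (collector_ip, port))


def intake_by_sender(records):
    """records: iterable of (source_ip, raw_message) as seen on UDP 514.
    Returns {source_ip: Counter of (facility, severity)} for well-formed lines."""
    seen = {}
    for src, raw in records:
        parsed = parse_syslog(raw)
        if parsed is None:
            continue  # not syslog; ignore rather than count it as intake
        key = (parsed["facility"], parsed["severity"])
        seen.setdefault(src, Counter())[key] += 1
    return seen


def missing_senders(records, expected):
    """Expected senders from which the collector has seen nothing."""
    return sorted(set(expected) - set(intake_by_sender(records)))


# Constructed sample of what the collector saw: only the local router logs,
# matching the symptom in the thread (remote 192.168.160.1 is silent).
SAMPLE_RECORDS = [
    ("192.168.150.1", "<134>Oct 26 19:27:27 SA520-local kernel: WAN link up"),
    ("192.168.150.1", "<132>Oct 26 19:28:01 SA520-local firewall: dropped UDP"),
    ("192.168.150.25", "<38>Oct 26 19:28:10 syslogsrv sshd[412]: Accepted publickey"),
    ("192.168.150.25", "garbage without a PRI"),
]
EXPECTED_SENDERS = ["192.168.150.1", "192.168.160.1"]

if __name__ == "__main__":
    for src, counts in intake_by_sender(SAMPLE_RECORDS).items():
        print(src, dict(counts))
    print("no messages from:", missing_senders(SAMPLE_RECORDS, EXPECTED_SENDERS))
```

`send_test_message` is the end-to-end check: run it from a machine on the remote LAN toward the collector; if that datagram shows up but the router's own messages never do, the VPN path is fine and the problem is the router sourcing its syslog traffic from an address or interface the tunnel policy does not cover.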
Problems accessing sky's remote record option
Has anyone found a good way to access the Sky site, in particular the remote record options in the TV guide? They have this fancy JavaScript-based system that is a bit sluggish on a PC/Mac but it crashes the iPhone-based Safari. They have an option for a screen reader version which doesn't seem to work, but this doesn't work on a full computer either, so that's a Sky problem.
If anyone has found any way around it I would appreciate a post as it would be a useful function to have
Thanks
Nick
TV Plus is now available in iTunes and provides Sky+ Remote Record
http://phobos.apple.com/WebObjects/MZStore.woa/wa/viewSoftware?id=292756958&mt=8 -
Locking problems accessing applications on a network drive post upgrade
I recently upgraded to Windows 7 and JDeveloper 11.1.2.0.0
After the upgrade, every time I open an application on a network drive and navigate into one of the projects, I get the following error.
SEVERE: Unable to open environment /H:/dev/wssEmployer_6-22/.data/
com.sleepycat.je.EnvironmentLockedException: (JE 3.3.98) A je.lck file exists in H:\dev\wssEmployer_6-22\.data\00000019 The environment can not be locked for single writer access.
Any information I find on the forums regarding this package involves using it in development. Has anyone else seen this? Is there something I have to do on my machine or network to make this work?
Thanks
Actually, it seems to have been a problem with Novell for some reason. Our sys admin created a new network drive to store the working copy on, and this error stops. Thanks for the reply though.
-
Is it possible to extend the subnet (same broadcast domain) across a VPN tunnel? For example, we have 10.1.100.X in VLAN 100 at HQ; can we use the same VLAN and same IP range at a remote site on the other side of the VPN tunnel, and if so, can they forward broadcast traffic?
Siddhartha
You need to look into L2 tunneling (L2TP being possibly the choice, which includes L2TP over IPsec).
Both SSL and IPsec are L3 solutions; you can share the same subnet as a LAN interface but you might have problems with broadcasts depending on your configuration and actual needs. -
Apple remote desktop over vpn - not working
Hi,
I've been using ARD within my firewall and it's been working great. I am currently traveling and logged in via VPN (PPPT) for the first time and although I can see the computers (two) that I want to log into, I am not able to connect to them.
I am able to access my file server fine, it just seems to be ARD that does not work... I have an Asus RT-N66U as my router/VPN server.
HELP!!!!
Have you tried scanning the network in ARD while connected via VPN?
-
Duplicate private networks over vpn !
A customer is having the same private network as my company does, but i have to build a vpn between those 2 networks.
Our site has a ASA5510 and the customer has a PIX 515e. How should i do this ?
Many thanks for helping me.
Gerard Schurink
You could take inspiration from this document:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949f1.shtml