Remote Access... I'm confused!

Hi All,
I'm trying to set up remote access (i.e. I would like to be able to connect via my home ADSL to a remote site where we have an 851 router).
I have checked many scenarios and seen many configurations but they were not very helpful, so I would like to start fresh from the beginning.
What technologies should I be reading about?
I have come across VPDN, Cisco Easy VPN, etc.
Can someone point me in the correct direction, with some sample configurations if possible?
Thank you,
George

Hi Stephen,
Thanks for the reply.
I managed to configure the router using the CLI (Easy VPN) but I still need to spend some time to make sure I understand all the commands fully.
One question that I want to ask (I asked this in another topic and did not get an answer) is the difference in implementation of a remote access user. I mean, I have seen it being configured using VPDN and Cisco Easy VPN! Which one is the preferred way to go?
One more thing.
I managed to configure the router and I can connect to it using the Cisco VPN client, but a Windows VPN connection will not connect. Any ideas on this?
Also, please can someone tell me the commands (with a brief explanation) that I need to configure so that I can use some usernames and passwords for remote access VPN (I want these names to be able to connect to Easy VPN but not log in on the router)?
I include my current configuration.
Thanks,
George

Similar Messages

  • Remote Access VPN, no split tunneling, internet access. NAT translation problem

    Hi everyone, I'm new to the forum.  I have a Cisco ASA 5505 with a confusing (to me) NAT issue.
    Single external IP address (outside interface) with multiple static object NAT translations to allow port forwarding to various internal devices.  The configuration has been working without issues for the last couple years.
    I recently configured a remote access VPN without split tunneling and access to the internet and noticed yesterday that my port forwarding had stopped working.
    I reviewed the new NAT rules for the VPN and found the culprit. 
    I have been reviewing the rules over and over and from everything I can think of, and interpret, I'm not sure how this rule is affecting the port forwarding on the device or how to correct it.
    Here are the NAT rules I have in place: (The "inactive" rule is the culprit.  As soon as I enable this rule, the port forwarding hits a wall)
    nat (inside,outside) source static any any destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
    nat (outside,outside) source static VPN_Subnet VPN_Subnet destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
    nat (outside,outside) source dynamic VPN_Subnet interface inactive
    object network obj_any
    nat (inside,outside) dynamic interface
    object network XXX_HTTP
    nat (inside,outside) static interface service tcp www www
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
    Any help would be appreciated.

    Try by changing the nat rule to nat (outside,outside) after-auto source dynamic VPN_Subnet interface
    With Regards,
    Safwan
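The `after-auto` keyword in the reply above moves the dynamic rule out of the manual NAT section, which the ASA evaluates before any object NAT, into the section it evaluates last. The sketch below is an added example, not part of the thread: it sorts the NAT lines quoted in the post into the ASA's three NAT sections and reports where the dynamic rule lands relative to the `XXX_HTTP` port forward. The function names are made up here, and for section 2 only the static-before-dynamic ordering is modelled.

```python
import re
from dataclasses import dataclass

# NAT lines as quoted in the post (object NAT lines re-indented under their objects).
POSTED = """\
nat (inside,outside) source static any any destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
nat (outside,outside) source static VPN_Subnet VPN_Subnet destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
nat (outside,outside) source dynamic VPN_Subnet interface inactive
object network obj_any
 nat (inside,outside) dynamic interface
object network XXX_HTTP
 nat (inside,outside) static interface service tcp www www
"""
# Variant 1: the poster enables the rule. Variant 2: the rule as suggested in the reply.
ENABLED = POSTED.replace("interface inactive", "interface")
AFTER_AUTO = ENABLED.replace("(outside,outside) source dynamic",
                             "(outside,outside) after-auto source dynamic")

NAT_RE = re.compile(r"^nat \(([^,]+),([^)]+)\)\s+(.*)$")
OBJ_RE = re.compile(r"^object network (\S+)$")


@dataclass
class NatRule:
    line_no: int
    section: int   # 1 = manual NAT, 2 = auto (object) NAT, 3 = manual NAT after-auto
    kind: str      # "static" or "dynamic"
    active: bool
    owner: str     # owning object for auto NAT, "" for manual NAT
    text: str


def parse_nat(config):
    """Classify every nat statement by the section the ASA files it under."""
    rules, current_obj = [], ""
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        obj = OBJ_RE.match(line)
        if obj:
            current_obj = obj.group(1)
            continue
        m = NAT_RE.match(line)
        if not m:
            if line:
                current_obj = ""          # any other command leaves object mode
            continue
        tokens = m.group(3).split()
        if "source" in tokens:            # manual (twice) NAT uses the "source" keyword
            section = 3 if "after-auto" in tokens else 1
            kind = tokens[tokens.index("source") + 1]
            owner = ""
        else:                             # object NAT: "static ..." or "dynamic ..."
            section, kind, owner = 2, tokens[0], current_obj
        rules.append(NatRule(n, section, kind, "inactive" not in tokens, owner, line))
    return rules


def evaluation_order(rules):
    """Order in which active rules are tried: section 1, then 2, then 3, first match wins."""
    def key(rule):
        # Sections 1 and 3 keep configuration order. In section 2 the ASA orders
        # the rules itself, static before dynamic (further tiebreaks not modelled).
        dynamic_last = 1 if (rule.section == 2 and rule.kind == "dynamic") else 0
        return (rule.section, dynamic_last, rule.line_no)
    return sorted((r for r in rules if r.active), key=key)


def position(order, needle):
    """Index of the first rule whose text contains needle, or -1 if none is active."""
    return next((i for i, r in enumerate(order) if needle in r.text), -1)


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("enabled", ENABLED), ("after-auto", AFTER_AUTO)):
        print(f"--- {label}")
        for i, rule in enumerate(evaluation_order(parse_nat(cfg))):
            print(f"{i}: section {rule.section} {rule.kind:7} {rule.text}")
```

With the rule enabled as posted it is tried before the `XXX_HTTP` static rule; with `after-auto` it is tried after every object NAT rule.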

  • How do I remotely access a friend's Windows XP desktop using my ibook?

    I hope I am posting this question in the right forum/thread:
    I am not quite a newbie on the Mac, however when it comes to issues such as remote access, virtual private networks, etc., I am pretty much lost. I've even pored over the posts here to see if they answer any of my questions, but confusion is setting in, so I thought I'd just put my question out there to see if anyone can give me a simple answer:
    I have a friend who keeps having trouble with anything and everything to do with her Windows XP computer, from passwords to router/modem configurations. When she calls, I need to stop everything I'm doing and drive to her house to try to resolve her issue. It would save me (and her) a lot of energy and heartache if I could merely remotely access her computer (she has windows xp home edition) to help her out.
    What is the best way to remotely access her PC from my MAC?
    Thanks in advance for your help!
    ibook G4   Mac OS X (10.4.10)  

    Microsoft provides a Remote Desktop Client for Mac OS X. Check it out here - http://www.microsoft.com/mac/downloads.aspx?pid=download&location=/mac/download/misc/rdcupdate103.xml&secid=80&ssid=10&flgnosysreq=True
    For actual connection, I have not tried this, but if you get her public IP, you should be able to connect to her PC.
    Macbook   Mac OS X (10.4.10)  

  • Someone Remote Accessed my MacBook Pro. What do I do now?

    About a month ago I was watching a movie on my laptop whilst in the bath (laptop on a chair by the side of the bath, obviously). Then I paused the full-screen playback, so I could rinse my hair (too much detail, you say).
    I immediately noticed the cursor moving around. The person remote accessing it was trying to get off full-screen mode. They managed to do it, then located a file in a folder (I can't recall the names, but it looked like an application I didn't recognise).
    I then chose to shut down the computer as soon as possible. I did this by pressing and holding down the power button (in the top right corner of the laptop bottom part). I then went out into the street to see if any suspicious van was parked nearby (or person was camped out in the woods behind my dwelling). I saw nothing suspicious. I asked the next door neighbour, and they said maybe one of their kids (under teenager age) had done it (I've not heard since if they asked their kids about it). I did this because there wasn't a password on the wireless router I was using at the time (there is now), so thought someone could have accessed my laptop via the unprotected wireless router.
    I then set my laptop up to have a login password required (I used to, but got sick of having to enter it each time, so switched to auto login). I also turned on 'Firewall', which I'd turned off for some reason.
    HELP: How do I know if this person can still 'see' or access my computer? How can I tell if they have stolen sensitive information (e.g. I had all my passwords in a password-protected Keychain Access note; could they have 'seen' that if they viewed my screen when I had it open? A related point is that this Keychain Access note was deleted when I updated to Mac OS 10.6.8, but I think this is an already-known issue, f*cking annoying though it is!). Moreover, can they see what I'm typing right now?!
    Basically, what are the next steps I should take?

    Do you have any other evidence of this "remote access" other than seeing the cursor move around?
    Did you have Screen Sharing or Remote Login turned on?
    The reason I'm asking these questions is that if you did not have Screen Sharing or Remote Login turned on, it is extremely unlikely that someone actually used your Mac remotely. In part, even if your wireless network did not have a password, they would have still had to guess your Mac account login password.
    Note that even if you have "auto login" enabled, any remote user must still enter your exact login password to be able to enter Screen Sharing or Remote Login. Auto-login only applies to when you start up the Mac you're in front of.
    That all leads to the other reason I'm asking. I have had consistent experience of operating my Mac when my fingers are wet. When my fingers are wet, trackpad response can become very erratic. It is very possible to lose control of the cursor, and the cursor can appear to move on its own, even after I take my hands off the computer. But what's really happening is that the trackpad is confused by the moisture on it. I know from having seen this numerous times, that if I have wet hands and I want my MacBook Pro trackpad to respond reliably, I must dry off my hands and allow the trackpad to dry. Until that happens, it's not going to work properly. I am wondering if you saw wet trackpad behavior but misinterpreted it as remote access.

  • TC remote access by both PC and MacBook Pro

    So I've finally figured out how to back up both my PCs and MacBook to the Time Capsule thanks to all of the information and direct help from everyone here! I still possess the problem of not being able to remotely access the TC from my PC or MacBook at home. I really need help with this as I have information stored on the TC (at work) that I need to access from home. Please, any help would be appreciated.

    Ok, your setup is now much more confusing..
    Is the TC in bridge?? It should be if it is behind the modem router. In which case there is no WAN port on it.
    If the AT&T modem router uses dyndns then you can easily login via AFP.
    You are not getting a static ip btw.. you are simply updating a url when the public ip changes.
    You will need to set a static ip on the TC .. do this via dhcp to TC MAC address if possible.
    Once you have a URL that is to your router, simply forward AFP port then to the IP of the TC. AFP uses 548 TCP. http://support.apple.com/kb/TS1629
    You don't need iCloud to do this.. this is a direct link to your router. All iCloud was doing is linking your IP dynamically to the Apple servers.. which Apple keep inhouse to keep you from straying.. like a marriage with a ball and chain really.

  • Would you tell me If window server installed with "routing and remote access" can output firewall logs.

    I install "routing and remote access" into Window Server and make it work as a firewall.
    When connections are accepted or denied at firewall, would you tell me if the firewall can output the logs ?
    If that function can, would you tell me how to configure ?
    Thanks.

    Hi Kohenro31,
    I'm a little confused about configuring RRAS to work as firewall, cause we usually deploy RRAS as VPN connection, router etc, would you please post more information in detail?
    Routing and Remote Access Service:
    http://technet.microsoft.com/en-us/library/cc754634(v=ws.10).aspx
    In addition, to view firewall event logs please check this article:
    Viewing Firewall and IPsec Events in Event Viewer:
    http://technet.microsoft.com/en-us/library/ff428140(v=WS.10).aspx
    To enable RRAS logs, please check this article:
    Enabling logs for RRAS:
    http://blogs.technet.com/b/rrasblog/archive/2005/12/22/enabling-logs-for-rras.aspx
    If I have any misunderstanding, please let me know.
    Best Regards,
    Anna Wang

  • Server 2003 routing and remote access not passing VPN traffic

    I've inherited a network that has two IP scopes that are routed through a Windows 2003 server with Routing and Remote Access.  I can ping both sides (we'll call them HQ and Plant) internally.  My firewall has an IP from the HQ IP scope and when I connect via VPN, I can see all the devices on the HQ network including the network card that is in the routing server for that "side".  However, if I'm connected via VPN, I cannot get to any of the IPs on the Plant side, not even the card in the routing server.  The buck stops on the server.
    I should mention, that the firewall assigns IP addresses that are on the HQ scope, so all VPN connections will have an address from that side.
    I'm lost on how to get this set up so my VPN traffic coming in from the HQ side can be routed to the Plant devices. 

    Hi,
    To be honest, your statement confused me a bit.
    VPN is used for external clients to get access to internal resources. When we set up a VPN server, we usually have two NICs. We need to choose a NIC that will be used when a client initiates a connection request. I prefer to call it the external NIC card. The internal one will work as DHCP relay agent. So this is a single way connection. You cannot dial from internal to external.
    If I misunderstood you, please elaborate what you are trying to do.
    Hope this helps.

  • Remote Access Options...

    For many years I used Timbuktu for remote access to both Mac and Windows-based systems... now, I want to review my options for Mac to Mac (assume Leopard or newer OS) remote access to desktop and Mac OS X Server systems. Recently I used JollyFastVNC to control a few XServes being hosted and used Cyberduck for all file transfers.
    I've done a clean install of Snow Leopard on my primary machine and now that I'm reinstalling things, I want to decide how best to remotely connect to my Mac-based clients. I just noticed that I can run "Screen Sharing.app" via SL (Snow Leopard) and with the correct IP and PW I can control the screen of a remote machine with a public IP address. But there are a few things missing... there is no address book so that you can quickly access different systems.... also, I'm not sure how I could access different systems located behind NAT. With Timbuktu you could access systems behind the NAT by using a port number and assigning that combo (on the router) to a local private IP behind the NAT....
    For those of you that use Apple Remote Desktop, how does the licensing work. If you have the 10-pack can you control more than 10 computers? I was told (at the Apple Store) that the 10 licenses refers to the Server OS or controllers and that you could control an unlimited number of client computers--do you know that to be the case?
    So, what do you like to use for remote access?
    BTW: I do have one client that has a few old G3 iMacs (at least one) that is probably running Tiger but including this is not critical.
    Thanks,
    Robert

    For those of you that use Apple Remote Desktop, how does the licensing work. If you have the 10-pack can you control more than 10 computers?
    No. With the 10-user license, you can only add and work with a maximum of 10 client computers at one time.
    I was told (at the Apple Store) that the 10 licenses refers to the Server OS or controllers and that you could control an unlimited number of client computers--do you know that to be the case?
    If that's what you were told, you were misinformed. I can only presume that the Apple Store employee was confused and was referring to Mac OS X Server where the 10-client license allows only 10 computers to connect for file sharing but is not otherwise limited (e-mail, Workgroup Manager, etc).
    If all you need is the ability to control the screen of the client, then Mac OS X Screen Sharing or VNC is probably the most cost-effective option (Mac OS X Screen Sharing uses the VNC protocol for control as does ARD). Either can be used behind an NAT router if you open and forward the ports properly. VNC applications such as JollysFastVNC are easier to configure if you need to access multiple systems behind the NAT device. You'd probably need to run a third-party VNC app on the clients so that you could change their default ports; Mac OS X only uses 5900 unless someone else here knows how to change that.
    There are also third-party services such as LogMeIn which can be easier to handle for cross-Internet access, particularly if the client will be mobile (e.g. laptop), but I have no personal experience with any of those.
    Regards.
    Message was edited by: Dave Sawyer

  • How to enable second HD DVR for remote access?

    I easily got my first HD DVR set up for remote access and it worked perfectly for 1 day, then it stopped working.  After 2 hours on the phone with tech support, we got it to work again.  However, we were unable to get my second DVR set up.  He said that I could only have one DVR set up for remote access, is that true?  If not, any assistance would be much appreciated. 
    Thank you!

    glcockrum wrote:
    I easily got my first HD DVR set up for remote access and it worked perfectly for 1 day, then it stopped working.  After 2 hours on the phone with tech support, we got it to work again.  However, we were unable to get my second DVR set up.  He said that I could only have one DVR set up for remote access, is that true?  If not, any assistance would be much appreciated. 
    Thank you!
    Are you speaking of Remote Access from the Web?  ...or from a mobile phone?
    For Web Access it is absolutely NOT TRUE!
    I have TWO DVRs.  I can access both remotely from the web and schedule or delete recordings.
    The tech MAY have been speaking of (or confused about) the MULTI-ROOM capability that the DVRs have.
    Only one of the DVRs can be (and is) a Home Media (or Multi-Room) DVR, and therefore can share recordings with my other NON-DVR STB and communicates with any computer on my home network for PC-based Audio, Video and Image files, as well as connecting to the certain Internet video streaming sites.
    The other DVR is a standalone machine in this regard, but regardless, it still has remote access to control it from the Web.
    (I do not know anything about the Remote Access from a mobile phone capability, since I do have a Verizon Wireless contract.  THAT Remote Access may indeed be limited to just a single DVR.)

  • Hh3 remote access

    I am unable to access my HH3 router externally via the external IP address. When I type in the external IP on an off-site computer it cannot find anything.
    I have read lots of posts re port forwarding issues and issues and problems with the HH3 and while my ultimate intention is to remotely access a camera, I am confused as to why I cannot access the HH3 router remotely.
    Hope someone can help as I started looking at this in November!!
    Thanks.

    This link should help.
    Port forwarding problems
    There are some useful help pages here, for BT Broadband customers only, on my personal website.
    BT Broadband customers - help with broadband, WiFi, networking, e-mail and phones.

  • Remote access terminal server & VOIP phone issues

    I pose a question to the community. I work and manage a building that remotely accesses a terminal services server for my users to view an ERP application at our other building. Lately we have issues where those users, when they let their screen idle, lose their connection and have to wait with a customer on the line to reconnect to the Terminal Server. We don't have the server set to boot users off after any amount of time and the users at the other building have no issue of course since it's on site. We also have a Mitel VOIP system and on regular occasion the calls go static or drop altogether. I've done trace routes from the router at both buildings and it seems to get stuck at a Level3 datacenter in Washington DC. I've contacted my ISP's NOC asking for them to contact Level3 to look into the issue, but the responder gave me grief and...
    This topic first appeared in the Spiceworks Community

    Having them both kills being able to access the Net. Take out the gateway on your loopback adapter and network traffic should happen as normal :)
    Is this configured only in TNSNAMES.ORA, and if so how? It's configured in listener.ora, but changing the port won't change the amount of traffic nor the Oracle load, it will just make everything slightly more confusing to everyone trying to help you troubleshoot your machine ;)
    ~Jer

  • Windows 2012 routing and remote access service with same subnet

    I have internal server IP range -192.168.1.0/24
    Windows routing and remote access service  with vpn client IP -192.168.11../22
    client side IP subnet is -192.168.1.0/24
    So we want routing / NATing between 192.168.1.0/24 and 192.168.11.0/22, so if a VPN user tries to ping 192.168.11.5 it should internally forward all requests to 192.168.1.5 

    Hi,
    According to your description, my understanding is that VPN client and internal network has the same IP range -192.168.1.0/24. And you want to transfer internal network from IP address 192.168.1.0/24 to 192.168.11.0/22.
    Agree with Charles David’s point of view. The easiest way to fix routing confusion would be to either change the VPN subnet or the VPN client subnet.
    Or, if you configure Windows Server(RRAS) as VPN server, you may enable NAT to transfer internal IP address:
    1. Open RRAS, add NAT.
    2. New interface to NAT and configure it as public interface.
    3. Open Address Pool tab, add IP address range 192.168.11.0/22.
    4. Click Reservations, add reserved IP(192.168.11.0/22) and corresponding internal IP(192.168.1.0/24) one by one.
    This would be a lot of workload. Besides, you may use 3rd party devices to transfer subnet IP addresses.
    Best Regards,
    Eve Wang 
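Step 4 of the reply above asks for one reservation per address. The sketch below is an added example, not part of the thread: it generates the 1:1 pairs for the subnets named in the question and also checks what the prefixes denote before anything is typed into RRAS. The function names are made up here, and using the 192.168.11.0/24 slice of the pool is an assumption taken from the question's 192.168.11.5 to 192.168.1.5 example.

```python
import ipaddress


def canonical(cidr):
    """Network a prefix really denotes, even when host bits are set in what was typed."""
    return ipaddress.ip_network(cidr, strict=False)


def reservations(internal, mapped):
    """1:1 (mapped address, internal address) pairs with the same host offset on both sides."""
    inner = ipaddress.ip_network(internal)
    outer = ipaddress.ip_network(mapped)
    if inner.prefixlen != outer.prefixlen:
        raise ValueError("a 1:1 mapping needs two networks of equal size")
    if inner.overlaps(outer):
        raise ValueError("the mapped range must not overlap the internal range")
    shift = int(outer.network_address) - int(inner.network_address)
    # hosts() skips the network and broadcast addresses, which need no reservation
    return [(str(ipaddress.ip_address(int(h) + shift)), str(h)) for h in inner.hosts()]


def plan(server_lan, client_lan, pool_as_typed, mapped_slice):
    """Collect the facts worth knowing before entering reservations by hand."""
    pool = canonical(pool_as_typed)
    return {
        # 192.168.11.0 is not on a /22 boundary, so the mask selects a wider block
        "pool_effective": str(pool),
        "pool_was_misaligned": str(pool) != pool_as_typed,
        # identical or overlapping LANs on both ends are the reason NAT is needed at all
        "lans_collide": canonical(server_lan).overlaps(canonical(client_lan)),
        "slice_inside_pool": ipaddress.ip_network(mapped_slice).subnet_of(pool),
        "pairs": reservations(server_lan, mapped_slice),
    }


if __name__ == "__main__":
    result = plan("192.168.1.0/24", "192.168.1.0/24", "192.168.11.0/22", "192.168.11.0/24")
    print("effective pool :", result["pool_effective"])
    print("LANs collide   :", result["lans_collide"])
    print("reservations   :", len(result["pairs"]))
    for mapped, internal in result["pairs"][:5]:
        print(f"  {mapped} -> {internal}")
```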

  • Remote access using ssh/vnc

    Hi All!
    Recently, I have managed to configure my Airport Base station to accept SSH using the port mapping/forwarding feature...
    The main goal is to remotely access my mac in the office using SSH and VNC.
    I was able to do this however remote Mac is using a high resolution which makes it slow to manage.[really slow].
    I am currently using a Windows SSH tool called Putty.. and Real VNC to manage remote mac.
    I tried to change the setting of Real VNC to a lower resolution but it would not work. Accessing the remote Mac will only work if my Windows VNC is set to use the "Full" colour level.
    Is this a windows issue? I haven't tried using a VNC for Mac though..
    any other tool that is available out there aside from Apple Remote desktop?
    Thanks, All!!!!
    DP

    so the system server VNC refers to the MAC os x VNC...
    No, Vine Server's System Server is Vine Server starting up at boot time and is always running. Vine Server existed before Mac OS X included its own VNC server, so Vine Server's terminology is a bit confusing, but it wasn't when they started using it (it even sounds confusing when I just said it).
    the Vine server itself is the stand alone vnc.
    Yes. The Vine Server is a totally separate VNC server implementation. It may be run interactively, or it may be configured to start at system boot time so it is always running (this is the system server mode of Vine Server).
    so , OS X's VNC is set to only accept high res..
    I do not know if it can ONLY do the resolution of the display, but anytime I've tried to use a VNC client configured for lower resolution, the Mac OS X VNC server has not behaved well. Rather than fight it, I just resort to Vine Server. It has been a rock solid VNC server.
    so connecting to the Vine server should be at any port not the 5900 as this is the mac os vnc default port.
    If you MAKE ABSOLUTELY SURE that the Mac OS X VNC server is NOT running, you can use port 5900 for Vine Server, but I find it is safer to just give the Vine Server its own port, and commonly that is port 5901, but the Vine Server can be configured to use any port you desire.
    Since I do not use a VNC client on Windows, I can not recommend any clients. However, I have heard of the following:
    RealVNC
    TightVNC
    UltraVNC
    I am sure there are others, but not being plugged into Windows culture, my depth of knowledge is very limited.

  • Setting up remote access for support

    Need to set up remote support for my Dad's iMac. He has an airport express connected to an optonline cable modem. I have an airport connected to a charter cable modem.
    Both systems are running Mavericks. I have the latest remote access app.
    I tried this a year ago and could connect to him when I was on his local network but not when I was at home. Since then everything has been updated. I will be visiting him in a few weeks and could do any setup on his system.
    I read the admin guide but it's still too confusing to me. I am able to set up and connect to computers on my local network ok.
    Will ARA be able to do this? Do I need any further software? logmeon, etc?
    Any tips on creating a client installer to use when I am there? I will be using his user account.
    Do any changes need to be made to the routers to get through them?
    Could use some help here. Thanks

    https://discussions.apple.com/thread/5294202?tstart=0
    Something you should be aware of is the frequency of IP address change at your father's location. Providers of residential broadband services lease an IP address for a certain duration which you have no control over and is purely arbitrary. You may be familiar with these changes?
    The point is sometimes these addresses change regularly (4 hours to every few days) and sometimes they stay the same for a longer period of time such as a year or more.
    Because of the nature of this change you may find you can remote assist your father one day but not the next. The situation is easily rectified with a simple phonecall to your father. He can tell you what IP address he's using by launching his browser and clicking this link:
    http://myipaddress.com
    He gives you his new IP address and you should be able to make a successful connection again.
    Be aware IP addresses handed out by ISPs are known as routable. IP addresses handed out by Firewalls/Routers/Gateway devices such as Apple's Airport Express Base Station etc are not routable. Assuming you've not changed anything in the devices they will always be one of these three ranges: 192.168.1.x; 10.x.x.x and 172.16.16.x. You don't use any of these last three groups of addresses to make the connection over the public external (internet) network but you do use them when on the same private internal network.

  • Remote Access VPN Clients Cannot Access inside LAN

    I have been asked to set up remote access VPN on an ASA 5505 that I previously had no involvement with.  I have set up the VPN using the wizard, the way I normally do, but the clients have no access to anything in the inside subnet, not even the inside interface IP address of the ASA.  They can ping each other.  The remote access policy below that I am working on is labeled VPNPHONE, address pool 172.16.20.1-10.  I do not need split tunneling to be enabled.  The active WAN interface is the one labeled outside_cable.
    : Saved
    ASA Version 8.2(1)
    hostname ASA5505
    domain-name default.domain.invalid
    enable password eelnBRz68aYSzHyz encrypted
    passwd eelnBRz68aYSzHyz encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.100.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    pppoe client vpdn group dataDSL
    ip address 76.244.75.57 255.255.255.255 pppoe
    interface Vlan3
    nameif dmz
    security-level 50
    ip address 192.168.9.1 255.255.255.0
    interface Vlan10
    nameif outside_cable
    security-level 0
    ip address 50.84.96.178 255.255.255.240
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    switchport access vlan 10
    interface Ethernet0/2
    switchport access vlan 3
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    same-security-traffic permit intra-interface
    object-group service Netbios udp
    port-object eq 139
    port-object eq 445
    port-object eq netbios-ns
    object-group service Netbios_TCP tcp
    port-object eq 445
    port-object eq netbios-ssn
    object-group network DM_INLINE_NETWORK_1
    network-object host 192.168.100.177
    network-object host 192.168.100.249
    object-group service Web_Services tcp
    port-object eq ftp
    port-object eq ftp-data
    port-object eq www
    port-object eq https
    object-group network DM_INLINE_NETWORK_10
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_11
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_2
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_3
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_4
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_5
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_6
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_7
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_8
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_9
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network VPN
    network-object 192.168.255.0 255.255.255.0
    access-list outside_access_in extended permit icmp any host 76.244.75.61
    access-list outside_access_in extended permit tcp any host 76.244.75.61 eq ftp
    access-list outside_access_in extended permit tcp any host 76.244.75.61 eq ftp-data
    access-list outside_access_in extended permit tcp any host 76.244.75.62 eq www
    access-list outside_access_in extended permit tcp any host 76.244.75.62 eq https
    access-list outside_access_in extended permit tcp any host 76.244.75.59 eq www
    access-list outside_access_in extended permit tcp any host 76.244.75.59 eq https
    access-list outside_access_in extended permit tcp any host 76.244.75.60 eq www
    access-list outside_access_in extended permit tcp any host 76.244.75.60 eq https
    access-list outside_access_in extended permit tcp any host 76.244.75.58 eq www
    access-list outside_access_in extended permit tcp any host 76.244.75.58 eq https
    access-list dmz_access_in remark Quickbooks
    access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_6 host 192.168.100.5 eq 56719
    access-list dmz_access_in remark Quickbooks range
    access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_7 host 192.168.100.5 range 55333 55337
    access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_8 host 192.168.100.5 eq 1434
    access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_9 host 192.168.100.5 eq 49398
    access-list dmz_access_in remark QB
    access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_10 host 192.168.100.5 eq 8019
    access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_2 host 192.168.100.5 eq 2638
    access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_11 host 192.168.100.5 object-group Netbios
    access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_3 host 192.168.100.5 object-group Netbios_TCP
    access-list dmz_access_in extended deny ip host 192.168.9.4 host 192.168.100.5 inactive
    access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_4 any
    access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_5 any
    access-list dmz_access_in remark Printer
    access-list dmz_access_in extended permit ip 192.168.9.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
    access-list dmz_access_in extended permit tcp 192.168.9.0 255.255.255.0 any object-group Web_Services
    access-list dmz_access_in extended permit udp 192.168.9.0 255.255.255.0 any eq domain
    access-list dmz_access_in extended permit icmp 192.168.9.0 255.255.255.0 192.168.255.0 255.255.255.0 echo-reply
    access-list dmz_access_in extended permit icmp 192.168.9.0 255.255.255.0 192.168.100.0 255.255.255.0 echo-reply log disable
    access-list dmz_access_in remark QB probably does not need any udp
    access-list dmz_access_in extended permit udp host 192.168.9.4 host 192.168.100.5 eq 55333 inactive
    access-list dmz_access_in remark QB included in other rule range
    access-list dmz_access_in extended permit tcp host 192.168.9.4 host 192.168.100.5 eq 55333 inactive
    access-list dmz_access_in remark May be required for Quickbooks
    access-list dmz_access_in extended permit icmp host 192.168.9.4 host 192.168.100.5
    access-list CAD_capture extended permit ip host 192.168.9.4 host 192.168.100.5
    access-list CAD_capture extended permit ip host 192.168.100.5 host 192.168.9.4
    access-list inside_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.240
    access-list inside_nat0_outbound extended permit ip any 172.16.10.0 255.255.255.240
    access-list inside_nat0_outbound extended permit ip any 172.16.20.0 255.255.255.240
    access-list cad_supplies_RAVPN_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
    access-list cad_supplies_RAVPN_splitTunnelAcl standard permit 192.168.9.0 255.255.255.0
    access-list dmz_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.0
    access-list outside_cable_access_in extended permit icmp any host 50.84.96.182
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.182 eq ftp
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.182 eq ftp-data
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.183 eq www
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.183 eq https
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.180 eq www
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.180 eq https
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.181 eq www
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.181 eq https
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.179 eq www
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.179 eq https
    access-list Local_LAN_Access standard permit host 0.0.0.0
    access-list vpnusers_spitTunnelACL extended permit ip 192.168.100.0 255.255.255.0 any
    access-list nonat-in extended permit ip 192.168.100.0 255.255.255.0 172.16.20.0 255.255.255.0
    pager lines 24
    logging enable
    logging buffered informational
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500 
    mtu outside_cable 1500
    ip local pool VPN_IP_range 192.168.255.1-192.168.255.10 mask 255.255.255.0
    ip local pool VPN_Phone 172.16.20.1-172.16.20.10 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 10 interface
    global (outside_cable) 10 interface
    nat (inside) 0 access-list nonat-in
    nat (inside) 10 0.0.0.0 0.0.0.0
    nat (dmz) 0 access-list dmz_nat0_outbound
    nat (dmz) 10 0.0.0.0 0.0.0.0
    static (inside,outside) 76.244.75.62 192.168.100.25 netmask 255.255.255.255 dns
    static (dmz,outside) 76.244.75.61 192.168.9.123 netmask 255.255.255.255 dns
    static (dmz,outside) 76.244.75.59 192.168.9.124 netmask 255.255.255.255 dns
    static (dmz,outside) 76.244.75.58 192.168.9.4 netmask 255.255.255.255 dns
    static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
    static (dmz,outside) 76.244.75.60 192.168.9.10 netmask 255.255.255.255 dns
    static (inside,outside_cable) 50.84.96.183 192.168.100.25 netmask 255.255.255.255 dns
    static (dmz,outside_cable) 50.84.96.182 192.168.9.123 netmask 255.255.255.255 dns
    static (dmz,outside_cable) 50.84.96.180 192.168.9.124 netmask 255.255.255.255 dns
    static (dmz,outside_cable) 50.84.96.179 192.168.9.4 netmask 255.255.255.255 dns
    static (dmz,outside_cable) 50.84.96.181 192.168.9.10 netmask 255.255.255.255 dns
    access-group outside_access_in in interface outside
    access-group dmz_access_in in interface dmz
    access-group outside_cable_access_in in interface outside_cable
    route outside_cable 0.0.0.0 0.0.0.0 50.84.96.177 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.100.0 255.255.255.0 inside
    http 204.107.173.0 255.255.255.0 outside
    http 204.107.173.0 255.255.255.0 outside_cable
    http 0.0.0.0 0.0.0.0 outside_cable
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_cable_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_cable_map interface outside_cable
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto isakmp enable inside
    crypto isakmp enable outside
    crypto isakmp enable outside_cable
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    telnet 192.168.100.0 255.255.255.0 inside
    telnet timeout 5
    ssh 192.168.100.0 255.255.255.0 inside
    ssh 204.107.173.0 255.255.255.0 outside
    ssh 204.107.173.0 255.255.255.0 outside_cable
    ssh 0.0.0.0 0.0.0.0 outside_cable
    ssh timeout 15
    console timeout 0
    vpdn group dataDSL request dialout pppoe
    vpdn group dataDSL localname [email protected]
    vpdn group dataDSL ppp authentication pap
    vpdn username [email protected] password *********
    dhcpd address 192.168.100.30-192.168.100.99 inside
    dhcpd dns 192.168.100.5 68.94.156.1 interface inside
    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    webvpn
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    dns-server value 192.168.100.5
    vpn-tunnel-protocol IPSec l2tp-ipsec
    group-policy cad_supplies_RAVPN internal
    group-policy cad_supplies_RAVPN attributes
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value cad_supplies_RAVPN_splitTunnelAcl
    group-policy VPNPHONE internal
    group-policy VPNPHONE attributes
    dns-server value 192.168.100.5
    vpn-tunnel-protocol IPSec
    split-tunnel-policy excludespecified
    split-tunnel-network-list value Local_LAN_Access
    client-firewall none
    client-access-rule none
    username swinc password BlhBNWfh7XoeHcQC encrypted
    username swinc attributes
    vpn-group-policy cad_supplies_RAVPN
    username meredithp password L3lRjzwb7TnwOyZ1 encrypted
    username meredithp attributes
    vpn-group-policy cad_supplies_RAVPN
    service-type remote-access
    username ipphone1 password LOjpmeIOshVdCSOU encrypted privilege 0
    username ipphone1 attributes
    vpn-group-policy VPNPHONE
    username ipphone2 password LOjpmeIOshVdCSOU encrypted privilege 0
    username ipphone2 attributes
    vpn-group-policy VPNPHONE
    username ipphone3 password LOjpmeIOshVdCSOU encrypted privilege 0
    username ipphone3 attributes
    vpn-group-policy VPNPHONE
    username oethera password WKJxJq7L6wmktFNt encrypted
    username oethera attributes
    vpn-group-policy cad_supplies_RAVPN
    service-type remote-access
    username markh password nqH+bk6vj0fR83ai0SAxkg== nt-encrypted
    username markh attributes
    vpn-group-policy cad_supplies_RAVPN
    tunnel-group DefaultRAGroup general-attributes
    default-group-policy DefaultRAGroup
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *
    tunnel-group DefaultRAGroup ppp-attributes
    authentication ms-chap-v2
    tunnel-group cad_supplies_RAVPN type remote-access
    tunnel-group cad_supplies_RAVPN general-attributes
    address-pool VPN_IP_range
    default-group-policy cad_supplies_RAVPN
    tunnel-group cad_supplies_RAVPN ipsec-attributes
    pre-shared-key *
    tunnel-group VPNPHONE type remote-access
    tunnel-group VPNPHONE general-attributes
    address-pool VPN_Phone
    default-group-policy VPNPHONE
    tunnel-group VPNPHONE ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 1500
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:8b25ecc61861a2baa6d2556a3679cc7c
    : end

    Hi,
    You have your "group-policy" set so that you are excluding some networks from being tunneled.
    In this access-list named Local_LAN_Access you specify "0.0.0.0".
    Doesn't this mean you are excluding all networks from being tunneled? In other words, no traffic goes to your tunnel.
    This access-list should only contain your local LAN network from where you are connecting with the VPN Client. If you don't need to access anything on your local LAN while having the VPN on, you don't even need this setting on. You could just tunnel all traffic instead of excluding some networks.
    - Jouni
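
An added example, not part of the original thread: a small Python audit that reads an ASA configuration paste like the one above and reports, for each group-policy, the split-tunnel mode and the entries of the ACL it points to, plus any ACLs that no other line references. The function names are hypothetical, and the embedded sample is an excerpt of the posted configuration so the block runs offline.

```python
import re

# Constructed sample: split-tunnel-related lines excerpted from the posted config.
SAMPLE_CONFIG = """\
access-list cad_supplies_RAVPN_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list cad_supplies_RAVPN_splitTunnelAcl standard permit 192.168.9.0 255.255.255.0
access-list Local_LAN_Access standard permit host 0.0.0.0
access-list vpnusers_spitTunnelACL extended permit ip 192.168.100.0 255.255.255.0 any
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy cad_supplies_RAVPN attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value cad_supplies_RAVPN_splitTunnelAcl
group-policy VPNPHONE attributes
split-tunnel-policy excludespecified
split-tunnel-network-list value Local_LAN_Access
"""

ACL_RE = re.compile(r"^access-list (\S+) (?:standard|extended) (permit|deny) (.+)$")
GP_RE = re.compile(r"^group-policy (\S+) attributes$")


def audit_split_tunnel(config):
    """Return {group-policy: {"policy", "acl", "entries", "acl_defined"}}."""
    acls, policies, current = {}, {}, None
    for line in map(str.strip, config.splitlines()):
        if (m := ACL_RE.match(line)):
            acls.setdefault(m.group(1), []).append(f"{m.group(2)} {m.group(3)}")
        elif (m := GP_RE.match(line)):
            current = m.group(1)
            policies[current] = {"policy": None, "acl": None}  # None = not set here
        elif line.startswith(("username ", "tunnel-group ")):
            current = None  # left group-policy context (the paste is not indented)
        elif current and line.startswith("split-tunnel-policy "):
            policies[current]["policy"] = line.split()[1]
        elif current and line.startswith("split-tunnel-network-list value "):
            policies[current]["acl"] = line.split()[2]
    for gp in policies.values():
        gp["entries"] = acls.get(gp["acl"], [])
        gp["acl_defined"] = gp["acl"] is None or gp["acl"] in acls
    return policies


def unreferenced_acls(config):
    """ACL names that appear on no line other than their own access-list lines."""
    lines = [l.strip() for l in config.splitlines()]
    names = {m.group(1) for l in lines if (m := ACL_RE.match(l))}
    used = {tok for l in lines if not l.startswith("access-list ") for tok in l.split()}
    return sorted(names - used)
```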
