Routing issue for remote vpn user and spoke
Hi all,
I have configured VPN (see attached file).
Before upgrading the ASA from 8.3 to 8.4, the spokes were able to communicate with each other, and remote VPN users were also able to access the spoke sites.
After upgrading the ASA hub, neither spoke-to-spoke nor remote-user-to-spoke traffic can communicate.
Here is the NAT exemption configuration on the ASA hub. Only this ASA has been upgraded; nothing has been done on the other sites.
object network 172.17.8.0
subnet 172.17.8.0 255.255.255.0
object network 10.100.96.0
subnet 10.100.96.0 255.255.240.0
object network VPN-SUBNET
subnet 172.20.1.0 255.255.255.0
nat (outside,outside) source static 172.17.8.0 172.17.8.0 destination static 10.100.96.0 10.100.96.0
nat (outside,outside) source static 10.100.96.0 10.100.96.0 destination static 172.17.8.0 172.17.8.0
nat (outside,outside) source static VPN-SUBNET VPN-SUBNET destination static 10.100.96.0 10.100.96.0
nat (outside,outside) source static VPN-SUBNET VPN-SUBNET destination static 172.17.8.0 172.17.8.0
same-security-traffic permit intra-interface
same-security-traffic permit inter-interface
Do you know what the problem could be?
Thanks so much for your help.
Since you are not NATing any of that traffic and it is U-turn traffic, please remove those 4 NAT statements. They are not required at all.
Please "clear xlate" after removing them and let us know how it goes.
Similar Messages
-
Routing Issue for Remote Access Clients over Site to Site VPN tunnels
I have a customer that told me that Cisco has an issue when a customer has a topology of let's say 3 sites that have site to site tunnels built and a Remote Access client connects to site A and needs resources at Site B but the PIX won't route to that site. Has this been fixed in the ASA?
Patrick, that was indeed true for a long time.
But now it is fixed in PIX and ASA version 7.x.
Please refer to this document for details:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml -
Authentication for easy vpn users using windows ad and xauth on pix firewa
Hi
We need to authenticate the VPN client users from Windows AD, with the PIX as the network device where all VPN configuration is done.
Need the accounting for those vpn users.
Thanks
Manish Gaur
Please guide me
Manish,
Which version of the PIX OS are you running, 6.x.x or 7.x.x? If you're using 6 you have to use RADIUS. Follow this guide for RADIUS:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml
For the actual PIX configuration it's easiest to run through the VPN wizard in PDM (PIX Device Manager).
The RADIUS guide should work for 7.0 if you run the ASDM wizard for the VPN portion.
Patrick
Please rate any posts that are helpful. -
One other thing - I had a problem with the key pairing so I rebuilt the RSA 1024 key and the unit started working. Unfortunately I reloaded without the config in place and now I cannot get it to work again. Any help will be greatly appreciated, although I did review a dozen other posts of people having similar problems and for some reason there is never any conclusion as to the solution, and I am not sure why.
Some other info from the client end:
I just ran the stats on the client and packets are being encrypted BUT none are decrypted.
Also Tunnel received 0 and sent 115119
Encryption is 168-bit 3-DES
Authentication is HMAC-SHA1
Also, even though Allow Local LAN is selected in the Cisco VPN Client, the client stats state that local LAN is disabled.
Also, Transparent Tunneling is selected but the stats state it is inactive.
I am connecting with the Cisco VPN Client Ver 5.0.07.0440
This config works. It is on the internal net 192.168.40.x and all users obtain DHCP and surf the web. It has the required ports opened. The problem is that you can connect remotely via the VPN and you receive an IP address from the remote-vpn pool, but you cannot see any machines on the internal network. The PIX is at 40.2, and you cannot ping the PIX from the remote PC connecting via the VPN, and you cannot ping the remote PC from the PIX console when the remote is connected and receives the first IP address in the VPN pool of 192.168.40.25.
I need to see the internal network and map network drives. I have another friend that is running the same config and it works, but his computer is on a Linksys wireless and has an IP of 192.168.1.x, and the IP he receives from the VPN pool is 192.168.1.25, so I do not know if the same network is allowing this config to work even if there is an error in the config. In my present case I obtain the IP of 192.168.40.25 from the VPN pool and my connecting PC is on 192.168.1.x. I really am not sure how the VPN virtual adapter works. I am assuming it routes all traffic from your connecting PC to and from the virtual adapter, but I really do not know for sure.
Other people have had similar issues with accessing the internal network from the VPN. One solution was the split tunnel, another was the NATting, and another had to do with the encryption, where there was an issue with encrypt and decrypt which was stopping the communication via the VPN.
I still cannot seem to find the issue with this config and any help will be greatly appreciated.
This is the config
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password somepassword
hostname hostname
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network internal_trusted_net
network-object 192.168.40.0 255.255.255.0
object-group icmp-type icmp_outside
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
icmp-object source-quench
access-list OutToIn permit icmp any xxx.xxx.xxx.0 255.255.255.248 object-group icmp_outside
access-list no_nat_inside permit ip 192.168.40.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list split_tunnel permit ip 192.168.40.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list OutToIn permit ip any any
access-list outbound permit ip any any
(NOTE: I had many more entries in the access list but removed them. Even with the above two allowing everything it does not work)
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.248
ip address inside 192.168.40.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn_client_pool 192.168.40.25-192.168.40.30
pdm history enable
arp timeout 14400
global (outside) 1 interface
I had this statement missing from the previous posted config but even with the nat (inside) 0 access-list no_nat_inside it still does not work.
nat (inside) 0 access-list no_nat_inside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_outside_in in interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.40.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community $XXXXXX$
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set 3des_strong esp-3des esp-sha-hmac
crypto dynamic-map clientmap 50 set transform-set 3des_strong
crypto map vpn 50 ipsec-isakmp dynamic clientmap
crypto map vpn client configuration address initiate
crypto map vpn client configuration address respond
crypto map vpn client authentication LOCAL
crypto map vpn interface outside
isakmp enable outside
isakmp identity address
isakmp client configuration address-pool local vpn_client_pool outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup remote-vpn split-tunnel split_tunnel
vpngroup remote-vpn idle-time 10800
vpngroup remote-vpn password ANOTHER PASSWORD
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.40.0 255.255.255.0 inside
ssh timeout 30
console timeout 60
dhcpd address 192.168.40.100-192.168.40.131 inside
dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
username AUSER password PASSWORD privilege 15
terminal width 80
****************** End of config
I have been searching docs and other people's postings trying to obtain the info to make this work. It appears pretty much boilerplate, but I believe my problem is in the NATting. I am using a range in the internal network for the VPN pool and I have tried switching this to other networks, but this has not helped. Unfortunately I have been unable to get the PDM to work, and I believe this is a PC config thing and I did not want to waste the time on it. I read a post where a person using the PDM interface with the same problem (not being able to access the internal network) was able to go to a section in the VPN wizard and set the Address Exemption Translation. They said they originally set the VPN subnet when they did not have to. Many of the other blogs I read also stated that if the NATting is not proper for the VPN pool it will not work, but I am confused by the examples. They show, as I do, the complete range for an access-list called no_nat_inside, but I believe it should only have the VPN pool IP range and not the entire network since the others do require NATting - not sure if my thought process is correct here. Any help will be greatly appreciated. Also this morning I just tried a boilerplate example from Cisco and it also did not do what I need it to do. And I also connected a PC to obtain an IP to see if I can see it - no good. The PC can ping the PIX and vice versa, but no one can ping the remote PC that connects via the Cisco Remote VPN client even though it receives an address from the VPN pool. Also "include LAN" is checked on the client. This was mentioned in another post.
Thank you once again.
Hi,
PIX501 is a very very old Cisco firewall that has not been sold for a long time to my understanding. It also doesn't support anything close to new software levels.
If you wanted to replace the PIX501 the corresponding model nowadays would be ASA5505 which is the smallest Cisco ASA firewall with 8 switch port module. There is already a new ASA5500-X Series (while ASA5505 is of the original ASA 5500 Series) but they have not yet introduced a replacing model for this model nor have they stopped selling this unit. I have a couple of them at home. Though naturally they are more expensive than your usual consumer firewalls.
But if you wanted to replace your PIX firewall then I would probably suggest ASA5505. Naturally you could get some other models too but the cost naturally rises even more. I am not sure at what price these are sold as used.
I used some PIX501 firewalls at the start of my career but have not used them in ages since ASA5505 is pretty much the firewall model we use when we need a firewall/vpn device for a smaller network/branch site.
Here is a PDF of the original ASA5500 Series.
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80285492.pdf
Here is a PDF of the new ASA5500-X Series
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/at_a_glance_c45-701635.pdf
I am afraid that it's very hard for me at least to troubleshoot this, especially since I have not seen any outputs yet. Also the very old CLI and lack of GUI (?) make it harder to see what the problem is.
Could you provide the requested outputs?
From the PIX after connection test
show crypto ipsec sa
Screen captures of the VPN Client routing and statistics sections.
- Jouni -
AAA Radius Authentication for Remote VPN With ACS Server Across L2L VPN
Hi,
I have an ASA running fine on the network which provides an L2L tunnel to a remote site and provides Remote VPN for remote access users.
Currently, there is a need for the users to authenticate against an ACS server that is located across the L2L VPN tunnel.
The topology is just simple with 2 interfaces on the ASA, inside and outside, and a default route pointing to the ISP IP address.
I can ping the IP address of the ACS Server (which is located at the remote site, IP addr: 10.10.10.56) from the ASA:
ping inside 10.10.10.56
However when I configure the ASA for the AAA group with commands:
aaa-server ACSAuth protocol radius
aaa-server ACSAuth host (inside) 10.10.10.56 key AcsSecret123
Then when I do the show run, here is the result:
aaa-server ACSAuth protocol radius
aaa-server host 10.10.10.56
key AcsSecret123
From what I can tell, with this running config traffic is not directed to the L2L VPN tunnel (it seems to be directed to the default gateway because of the default route), which causes the AAA authentication to fail.
Has anybody ever implemented such a thing, and is it possible? And if yes, what should the config be?
Your help will be really appreciated!
Thanks.
Best Regards,
Jo
AAA is designed to enable you to dynamically configure the type of authentication and authorization you want on a per-line (per-user) or per-service (for example, IP, IPX, or VPDN) basis. You define the type of authentication and authorization you want by creating method lists, then applying those method lists to specific services or interfaces.
http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/schaaa.html -
Central Site Internet Connectivity for MPLS VPN User
What are the solutions of Central site Internet connectivity for a MPLS VPN user, and what is the best practice?
Hello,
Since you mentioned that Internet Access should be through a central site, it is clear that all customer sites (except the central) will somehow have a default (static/dynamic) to reach the central site via the normal VPN path for unknown destinations. Any firewall that might be needed, would be placed at the central site (at least). So, the issue is how the central site accesses the Internet.
Various methods exist to provide Internet Access to an MPLS VPN. I am not sure if any one of them is considered the best. Each method has its pros and cons, and since you have to balance various factors, those factors might conflict at some point. It is hard to get simplicity, optimal routing, maximum degree of security (no matter how you define "security"), reduced memory demands and cover any other special requirements (such as possibility for overlapping between customer addresses) from a single solution. Probably the most secure VPN is the one which is not open to the Internet. If you open it to the Internet, some holes also open inevitably.
One method is to create a separate Internet_Access VPN and have other VPNs create an extranet with that Internet_Access VPN. This method is said to be very secure (at least in terms of backbone exposure). However, if full routing is a requirement, the increased memory demands of this solution might lead you to prefer to keep the internet routing table in the Global Routing Table (GRT). You might have full routing in the GRT of PEs and Ps or in PEs only (second is probably better).
Some names for solutions that exist are: static default routing, dynamic default routing, separate BGP session between PE and CE (via separate interface, subinterface or tunnel), extranet with internet VRF (mentioned earlier), extranet with internet VRF + VRF-aware NAT.
The choice will depend on the requirements of your environment. I cannot possibly describe all methods here and I do not know of a public document that does. If you need an analysis of MPLS VPN security, you may want to take a look at Michael Behringer's great book with M.Morrow "MPLS VPN Security". Another book that describes solutions is "MPLS and VPN Architectures" by Ivan Pepelnjak. There is a Networkers session on MPLS VPNs that lists solutions. There is also a relevant document in CCO:
http://www.cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a00801445fb.shtml (covering static default routing option).
Kind Regards,
M. -
VPN hub and spoke topology, hub using two interfaces
Hi,
I'm facing a problem with Cisco ASA 5500 running software 8.4.
I know, I know, VPN hub and spoke was already discussed many times. But all these discussions are about a hub using only one interface, the outside/public interface.
My topology is slightly different.
LAN-A - VPN peer A <--> (Internet) <--> (outside if)-ASA-B-(inside if) <--> (corporate network) <--> (outside if)-ASA-C-(inside if) <--> LAN-C
VPN communication should flow between LAN-A and LAN-C.
Phase I and phase II are working on both tunnels (A-B, B-C). Therefore cryptomaps should be right.
IPsec SA for tunnel A-B is explicit for LAN-A and LAN-C.
IPsec SA for tunnel B-C connects any with LAN-C.
What I can see on ASA-B is incoming traffic from LAN-A on tunnel A-B.
That does not trigger an SA for tunnel B-C!
For traffic initiated from LAN-C, I can see it on ASA-B as incoming traffic, and the SA for LAN-A to LAN-C is built up on tunnel B-C.
Traffic seems to enter tunnel A-B as I can see outgoing traffic on ASA-B.
Of course, NAT exemption is configured for traffic between LAN-A and LAN-C.
Why doesn't incoming traffic from LAN-A initiate SA on tunnel B-C?
It looks like incoming traffic from LAN-A enters ASA-B and is dropped or sent anywhere but the right direction.
I admit I'm clueless.
Any help would be appreciated.
Thanks folks.
Analyzing the config files revealed the inactive NAT exemption for the traffic flow between LAN-A and LAN-C.
Furthermore, a static route for LAN-C out the inside interface was missing.
After fixing both, communication works fine.
Thanks for the real good support. -
2 tier security for remote vpn ?
Hi,
I have a Cisco PIX 501 in which remote VPN is configured for our company. Currently, for the remote users, the authentication is just a VPN group name and a password. All the users use the same credentials for logging in. Can I have separate remote VPN users using their own login credentials with a single vpngroup?
You can achieve this via the x-auth feature, please check out the following links:
PIX 6.x:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008010a206.shtml
7.x and later
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml
Regards
Farrukh -
Hello, dear colleagues.
We are using Windows Server 2012 R2 as a Remote Desktop Server. We also use Windows Server 2008 R2 with Remote Desktop Services Manager to control RDS user sessions (Send Message, Disconnect, Logoff, Query Info).
The Send Message, Disconnect and Logoff options work only for users in the Administrators group.
I can't configure permissions for Remote Desktop Users, a specific user or an AD group.
To set permissions I'm running RDS Host Configuration on Windows Server 2008 R2 and connecting to Windows Server 2012 R2. Then I double-click RDP-Tcp, go to the Security tab, add a specific user account or AD group, or configure advanced permissions for Remote Desktop Users.
But, as I said above, these options work only for users in the Administrators group. How can I make it work for Remote Desktop Users or a specific user or AD group?
Thanks.
P.S. If I move a specific user from the Remote Desktop Users group to the Administrators group on Windows Server 2012 R2, it works.
Hi,
You can prevent administrators from changing the permissions for a connection by applying the Do not allow local administrators to customize permissions Group Policy setting.
This Group Policy setting is located in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security
Apart from that, there is one command with which you can set the permission; for that, check the related article. Additionally, check this thread for more detail.
Hope it helps!
Thanks.
Dharmesh Solanki
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected] -
Group Policy for Remote Desktop Users
Hi,
Currently my users use desktops and have user and computer GPOs applied (typical things like logon scripts etc.) at the OU level where they reside e.g. Finance Users, Sales Users etc.
I am planning a Remote Desktop 2012 environment.
I have read the following:
TechNet cc779327
So, my understanding is that I create a new OU for my Remote Desktop Server only (not users), and create a new security Group for my RD Users and a security group for my RD server.
Remote Desktop Servers OU
* RD User GPO (filter on RD User security Group and RD Computer Security Group)
* RD Computer GPO (filter on RD User security Group and RD Computer Security Group)
I then apply all computer settings to the RD Computer GPO (loopback processing, Windows installer, hide shortcuts etc.).
I then apply all user settings to the RD User GPO (app specific, templates etc.)
Why not consolidate the two GPOs into one?
If I set computer settings in the computer GPO, and apply it as above with the filter on the RD Server group and RD Users group, will this apply to only users in the RD User group, or to ALL users since I added the server to the filter?
If a user currently gets a setting in their normal OU e.g. Finance logon script, will they still get it on the Remote Desktop? Or do I need to copy that GPO setting to my new RD User GPO also?
Am I right to add both RD Server and RD User groups to the filter on both RD User and RD Computer GPOs?
Loopback processing - merge or replace typically for Remote Desktop?
Hi,
Thank you for posting in Windows Server Forum.
Create an OU for the RDS Server in Active Directory. Create a security group for users who will use the Remote Desktop Session Host (i.e. RDS Users). Create a GPO (i.e. RDS Server Lock Down). In Security Filtering delete Authenticated Users, add the RDS Server account, and the security group created in the previous step.
Please check the article below; it might be useful for a better understanding.
Lock Down Remote Desktop Services Server 2012
How to secure your remote desktop server with GPO
Hope it helps!
Thanks,
Dharmesh -
As I said in the question, I tried to upgrade the iOS on the phone and I was asked for my iCloud user and password. I don't remember these exactly and I tried several times with different options but unsuccessfully. I also forgot the email used to configure the phone. I have the phone box and the bill. I sent you an email with my problem and attachments with the box information, the bill and the reset request. What to do? You said to me:
Your request comes from an unrecognized email domain. Apple accepts email requests only from email domains for Apple-authorized carriers.
Please re-submit your request using your official carrier domain.
but this email is authorized, what to do??
respectfully, Beba
If you have forgotten then these links are the only way to resolve it
http://www.apple.com/support/appleid/
As long as you have owned the iPhone from new and your Apple id is the one used to activate when new
OR have you recently purchased the iPhone secondhand ? -
I have two ipods in my house that were set up under the same email. I have since assigned two different emails. How can I change the game center account so that is not shared by both ipods because it is for two different users and they are not happy?
By "game center account", do you mean Apple ID?
If so, you can change it.
1. Tap settings and navigate to iTunes and App Stores
2. Tap "Apple ID" and then tap "Sign Out"
3. Log in with a different ID. -
Known Issues for Windows 10 SDK and Tools
Please read about Known Issues for Windows 10 developers in the Known Issues for Windows 10 SDK and Tools
forum
To fix this issue, your computer must be connected to the internet to download these components.
Make sure your computer is connected to the internet.
Open Control Panel, and select Programs and Features.
Select Microsoft Visual Studio 2015 RC, click Change, and then click Modify.
Select the feature "Universal Windows App Development Tools", and click Update. -
Procedure for creating a user and assigning him a role
Hi folks,
does anyone of you have a procedure for creating a user and then assigning him a special role?
The procedure has 2 arguments, username and password. I think that it's an easy one but I have not found the right packages.
Thanks
create or replace procedure new_user(username_in IN VARCHAR2, password_in IN VARCHAR2) is
C_TEMP_TSP CONSTANT VARCHAR2(30) := 'TEMP';
C_DEFAULT_TSP CONSTANT VARCHAR2(30) := 'USERS';
C_DEFAULT_ROLE CONSTANT VARCHAR2(30) := 'SPECIALROLE';
begin
execute immediate 'create user ' || username_in ||
' identified by ' || password_in ||
' default tablespace ' || C_DEFAULT_TSP ||
' temporary tablespace ' || C_TEMP_TSP;
execute immediate 'grant '|| C_DEFAULT_ROLE ||' to '||username_in;
end new_user; -
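A hardened variant of the posted procedure, added here as an example and not part of the original answer. The answer above concatenates the caller-supplied username and password straight into the CREATE USER statement, and DDL cannot take bind variables, so a value carrying extra SQL clauses would change what that statement does. This version validates the username with DBMS_ASSERT.SIMPLE_SQL_NAME and quotes the password with DBMS_ASSERT.ENQUOTE_NAME; the procedure name new_user_safe is my own, and the tablespace and role names are the ones from the answer.

```sql
-- Hardened variant (added example). Assumes Oracle 10gR2 or later, where
-- DBMS_ASSERT is available. Tablespace and role names come from the posted answer.
CREATE OR REPLACE PROCEDURE new_user_safe(
    username_in IN VARCHAR2,
    password_in IN VARCHAR2
) AUTHID DEFINER IS
    c_temp_tsp     CONSTANT VARCHAR2(30) := 'TEMP';
    c_default_tsp  CONSTANT VARCHAR2(30) := 'USERS';
    c_default_role CONSTANT VARCHAR2(30) := 'SPECIALROLE';
    v_user VARCHAR2(128);
    v_pass VARCHAR2(256);
BEGIN
    IF password_in IS NULL THEN
        RAISE_APPLICATION_ERROR(-20001, 'a password is required');
    END IF;

    -- SIMPLE_SQL_NAME raises ORA-44003 unless username_in is a valid simple
    -- SQL identifier, so no extra clauses can ride in through the user name.
    v_user := DBMS_ASSERT.simple_sql_name(username_in);

    -- Passwords are free text, so they are emitted in Oracle's double-quoted
    -- form. ENQUOTE_NAME wraps the value in double quotes and rejects embedded
    -- double quotes, the only character that could end the quoted token early.
    -- capitalize => FALSE keeps the password exactly as supplied.
    v_pass := DBMS_ASSERT.enquote_name(password_in, FALSE);

    -- Only the two validated values reach the DDL; tablespaces and the role
    -- stay constants so a caller cannot pick a privileged one.
    EXECUTE IMMEDIATE 'CREATE USER ' || v_user
                   || ' IDENTIFIED BY ' || v_pass
                   || ' DEFAULT TABLESPACE ' || c_default_tsp
                   || ' TEMPORARY TABLESPACE ' || c_temp_tsp;

    EXECUTE IMMEDIATE 'GRANT ' || c_default_role || ' TO ' || v_user;
END new_user_safe;
/
```

Because the password is quoted, it is stored case-sensitively exactly as supplied, which matches the default behaviour on 11g and later.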
Any known issues for JRE 1.6 and BOXI 3.1
Our most stable JRE with which we've had best results has been JRE_1.6.0_07
Hope this helps.