RV082 - SRP527W - VPN behind NAT not working

Hello,
I've really strange behaviors with my routers. We managed to get things running but once a week, the VPN link is down.
The connection is not restart, both routers shows "connected" but are not, and we had to click on "disconnect" to get the link back.
That was before an update in our infrastructure. Now, both routers are behind routers, so both NAT.
Now, the connection works for some time, but once a week, the link disconnected but i'm unable to get it back ! NOTHING works.
Last time, i spent 2Hours to configure the link again, setting the same parameters almost 10 time, and suddenly by magic, the 11st time it worked again. I read many people have troubles with RVXXX firmware so i don't know what to think.
Anyway, my BIG concern now, is that the link is down again, and it has been 6hours since we can't got it back. I restarted the routers many times, i've made some changes in the configuration, but if it worked, why should i modify it ?????? Why is it not working anymore ?
The log for the RV082 is almost empty about the link. Here's a snippet :
Feb 10 19:01:52 2014
VPN Log
(g2gips0) #8: initiating Main Mode
Feb 10 19:01:52 2014
VPN Log
(g2gips0) #8: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
Feb 10 19:01:52 2014
VPN Log
(g2gips0) #8: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
Feb 10 19:01:52 2014
System Log
gateway_to_gateway.htm is changed.
Feb 10 19:09:08 2014
VPN Log
(g2gips0): deleting connection
Feb 10 19:09:08 2014
VPN Log
(g2gips0) #8: deleting state (STATE_MAIN_I1)
Feb 10 19:09:08 2014
VPN Log
added connection description (g2gips0)
Feb 10 19:09:08 2014
VPN Log
listening for IKE messages
Feb 10 19:09:08 2014
VPN Log
forgetting secrets
Feb 10 19:09:08 2014
VPN Log
loading secrets from '/etc/ipsec.d/ipsec.secrets'
Feb 10 19:09:09 2014
System Log
gateway_to_gateway.htm is changed.
The log for the SRP527W is full of this :
Dump pluto log message in syslog  : cat /var/log/messages |grep plutoJan  1 02:29:39 TLSR0254 authpriv.warn pluto[1156]: "G2" #187: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1Jan  1 02:29:39 TLSR0254 authpriv.warn pluto[1156]: "G2" #187: STATE_MAIN_R1: sent MR1, expecting MI2Jan  1 02:30:09 TLSR0254 authpriv.warn pluto[1156]: "G2" #186: max number of retransmissions (2) reached STATE_MAIN_R1Jan  1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [RFC 3947] method set to=109 Jan  1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109Jan  1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109Jan  1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]Jan  1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: "G2" #188: responding to Main ModeJan  1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: "G2" #188: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1Jan  1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: "G2" #188: STATE_MAIN_R1: sent MR1, expecting MI2Jan  1 02:30:25 TLSR0254 authpriv.warn pluto[1156]: pending Quick Mode with 37.1.XXX.XXX "G2" took too long -- replacing phase 1Jan  1 02:30:25 TLSR0254 authpriv.warn pluto[1156]: "G2" #189: initiating Main Mode to replace #185Jan  1 02:30:49 TLSR0254 authpriv.warn pluto[1156]: "G2" #187: max number of retransmissions (2) reached STATE_MAIN_R1Jan  1 02:30:59 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [RFC 3947] method set to=109 Jan  1 02:30:59 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109Jan  1 02:30:59 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109Jan  1 02:30:59 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]Jan  1 02:30:59 TLSR0254 authpriv.warn pluto[1156]: "G2" #190: responding to Main Mode
Please help me to get things sorted. I just don't understand why nothing is written in the log about the SRP trying to make a connection. I also don't understand why suddenly the link is broken, and without changing anything, it can't get it back normally !!
Best Regards

Hi again,
Samir, i rebooted all the routers dozens of time when that happened, and it doesn't changed anything. Anyway, i called the Cisco Hotline. They could connect by VPN to RV082, but not the SRP, they didn't know why. Hardware or software failure.
Anyway, i bought another router.
Now i would like to use the SRP527W as a WIFI hotspot only. It doesn't work.
My settings are :
- Router defined as BRIDGE only (using Port lan 4 as Ethernet WAN)
- WAN Interface is assigned 192.168.0.246 / 24
- Gateway for the WAN interface is 192.168.0.254
- Ethernet cable is plugged from LAN4/WAN to my new Modem/Router on LAN3.
- Port LAN2 of SRP527W is defined with VLAN IP Address 192.168.15.254.
When connected to the SRP527W on LAN2, from my computer (192.168.15.200), i can't ping 192.168.0.246 neither 0.254 (gateway is set to 15.254)
Still, when connected to the SRP527W and with the Ping Dagnosis interface, pinging "192.168.0.254" shows "timed out".
I tried almost every configuration, none worked.
Please note that when connected from my computer directly to my new modem/router on port LAN3, with IP Address 192.168.0.200, i can access internet and ping everything. When set as DHCP too, i can grab an IP Address from my DHCP Windows Server.
So, why is the SRP527W unable to work in this configuration ? it seems nothing pass through WAN port.
If i'm right, there is only the WAN port that should be plugged to my modem router. With this settings, SSID should go directly to Internet, and for the other SSID, my LAN (through the modem/router). However, it doesn't work.
Could you help me please ? Thank you

Similar Messages

  • I have just upgraded to Lion and I now find that my VPN network does not work properly.  It worked fine with Leopard.

    I have just upgraded to Lion and now my VPN connection does not work properly.  It was working fine when I was using Leopard.  The VPN is My Private Network and we use it to link to BBC iPlayer when abroad.  It will actually connect to the VPN site and shows a UK IP address, but then when we try to load an iPlayer programme we get the message from the BBC that we are not in the country and, therefore, cannot access the site.  Any suggestions?

    Have a look at System Preferences, Accessibility, VoiceOver.
    (Command - F5).
    charlie

  • ASA 5510 - Version 8.2(1) - SSH, ICMP and NAT not working

    I have an ASA 5510 using version 8.2(1) and I have enabled ssh, icmp and they work from the inside network but not from the outside network. 
    Further to this, I exposed one site from the inside interface on the ASA (192.168.1.100) to outside (1.1.1.7) using NAT and it is not pingable nor accessible from the outside. I also allowed SSH from the outside network to the external IP addresses of the ASA and it is not working either.  Any ideas what I could be missing in my configuration?  I bolded the configurations involved in the ASA running configuration I copied below (please note I have replaced the real IP addresses with 1.1.1.x and 2.2.2.x):
    ASA Version 8.2(1)
    hostname fw
    domain-name net.com
    enable password eYKAfQL1.ZSbcTXZ encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    dns-guard
    interface Ethernet0/0
    description Primary Outside (Internet)
    speed 10
    duplex full
    nameif outside
    security-level 0
    ip address 1.1.1.5 255.255.255.240
    ospf cost 10
    interface Ethernet0/1
    description inside
    speed 100
    duplex full
    nameif inside
    security-level 100
    ip address 192.168.1.254 255.255.255.0
    ospf cost 10
    interface Ethernet0/2
    description WLAN
    nameif WLAN
    security-level 100
    ip address 192.168.108.240 255.255.255.0
    ospf cost 10
    interface Ethernet0/3
    description Secondary Outside (Internet)
    speed 100
    duplex full
    nameif WAN2
    security-level 0
    ip address 2.2.2.133 255.255.255.192
    interface Management0/0
    description LAN/STATE Failover Interface
    time-range after_hours
    periodic weekdays 7:00 to 23:00
    boot system disk0:/asa821-k8.bin
    no ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns domain-lookup WLAN
    dns server-group DefaultDNS
    retries 3
    timeout 5
    name-server 8.8.8.8
    name-server 206.191.0.210
    name-server 4.2.2.1
    name-server 4.2.2.2
    domain-name net.com
    access-list WAN2_access_in extended permit icmp any any echo-reply
    access-list WAN2_access_in extended permit icmp any any time-exceeded
    access-list WAN2_access_in extended permit icmp any any source-quench
    access-list WAN2_access_in extended permit icmp any any unreachable
    access-list WLAN_access_in extended permit icmp any any echo-reply
    access-list WLAN_access_in extended permit icmp any any time-exceeded
    access-list WLAN_access_in extended permit icmp any any source-quench
    access-list WLAN_access_in extended permit icmp any any unreachable
    access-list WLAN_access_in extended permit tcp host 192.168.1.100 eq ssh any
    access-list WLAN_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.100 eq ssh
    access-list WLAN_access_in extended permit ip any any
    access-list time_based extended permit ip any any time-range after_hours
    access-list split_tunnel standard permit host 206.191.0.210
    access-list split_tunnel standard permit host 206.191.0.140
    access-list split_tunnel standard permit host 207.181.101.4
    access-list split_tunnel standard permit host 207.181.101.5
    access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended permit icmp any any time-exceeded
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in extended permit tcp any host 1.1.1.7 eq ssh
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in extended permit tcp any host 192.168.1.100 eq ssh
    access-list inside_access_in extended permit icmp any any
    access-list inside_access_in extended permit icmp 192.168.1.0 255.255.255.0 any
    access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
    access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.1.100 eq ssh
    pager lines 20
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu WLAN 1500
    mtu WAN2 1500
    ip local pool DHCP 192.168.1.245-192.168.1.252 mask 255.255.255.0
    ip verify reverse-path interface outside
    ip verify reverse-path interface WAN2
    failover
    failover lan unit secondary
    failover lan interface FO Management0/0
    failover key *****
    failover link FO Management0/0
    failover interface ip FO 192.168.255.171 255.255.255.0 standby 192.168.255.172
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    icmp permit any inside
    icmp permit any WLAN
    icmp permit any WAN2
    asdm image disk0:/asdm-621.bin
    asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (WAN2) 1 interface
    nat (inside) 1 192.168.1.0 255.255.255.0
    nat (WLAN) 1 192.168.108.0 255.255.255.0
    static (inside,outside) 1.1.1.7 192.168.1.100 netmask 255.255.255.255
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    access-group WLAN_access_in in interface WLAN
    access-group WAN2_access_in in interface WAN2
    route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
    route WAN2 0.0.0.0 0.0.0.0 2.2.2.129 254
    route inside 192.168.1.100 255.255.255.255 192.168.1.0 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.108.0 255.255.255.0 WLAN
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.1.101 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sla monitor 123
    type echo protocol ipIcmpEcho 4.2.2.2 interface outside
    num-packets 3
    timeout 1000
    frequency 3
    service resetoutside
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    track 1 rtr 123 reachability
    no vpn-addr-assign aaa
    no vpn-addr-assign dhcp
    telnet timeout 5
    ssh scopy enable
    ssh 2.2.2.132 255.255.255.255 outside
    ssh 69.17.141.134 255.255.255.255 outside
    ssh 192.168.1.0 255.255.255.0 inside
    ssh 192.168.1.100 255.255.255.255 inside
    ssh 192.168.108.0 255.255.255.0 WLAN
    ssh timeout 60
    console timeout 0
    management-access inside
    dhcpd address 192.168.108.11-192.168.108.239 WLAN
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp authenticate
    ntp server 128.100.100.128
    ntp server 132.246.168.148
    ntp server 128.100.56.135
    tftp-server inside 192.168.1.100 /
    webvpn
    group-policy Wifi internal
    group-policy Wifi attributes
    wins-server none
    dns-server value 206.191.0.210 206.191.0.140
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split_tunnel
    tunnel-group Wifi type remote-access
    tunnel-group Wifi general-attributes
    address-pool DHCP
    default-group-policy Wifi
    tunnel-group Wifi ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
      inspect icmp
      inspect icmp error
    policy-map type inspect dns migrated_dns_map_1
    parameters
      message-length maximum 512
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:ac25ef0642e0ecb8f0ef63219833f3ae
    : end
    asdm image disk0:/asdm-621.bin
    asdm location 192.168.1.245 255.255.255.255 inside
    asdm location 192.168.1.252 255.255.255.255 inside
    asdm history enable

    Hi,
    I can't see any problems right away in the configuration.
    I guess we could start by using the "packet-tracer" to simulate the SSH and ICMP through the firewall
    packet-tracer input outside tcp 1.1.1.1 12345 22
    packet-tracer input outside icmp 1.1.1.1 8 0
    Don'd mind the source address of 1.1.1.1. Its just an address that is located behind "outside" interface according to the ASA routing table. (As the configurations 1.1.1.0/28 is not actually configured on the ASA)
    Share the exact "packet-tracer" command used (wihtout the public IP, notice that the output contains the public IP also) and the output of the command with us here.
    Also, have you made sure that there is no old translations active on the ASA?
    You can use this command to view those
    show xlate local 192.168.1.100
    You can clear the xlates with
    clear xlate local 192.168.1.100
    - Jouni

  • RV016 V3 vs RV082 V3 VPN Tunnel Backup not available on RV016

    VPN tunnel backup is not available on the RV016 firmware version 4.0.2.08 (it IS on the RV082. The data sheet and the manual for the RV016 is wrong. I have purchased several RV016 hardware V3 and several RV082 hardware V3. Both have the same current firmware version. We have noted that the RV016 does not have the VPN tunnel failover option found in the RV082. It also does not have split DNS (noted in the manual. A I would have thought that the firmware would provide equal options on the RV042, RV082, and RV016. Good job, Cisco!

    We did not have VPN back up with the V1 RV016, either. Also tried V2 and at the time it was not working. The product that we have found works as expected is the Peplink Balance. There is still a few second delay on failover, but if you have two broadband connections, it is imperceptible. We gave up on the Cisco products.

  • Zone Base Forewall for VPN connections does not work after IOS upgrade

    Hi all,
    We use cisco router 2911 as corporate gateway - there is Zone Based Firewall implemented - I upgraded IOS to last version (15.2(2)T1) - originaly version 15.1(4)M1 - to solve issue with Anyconnect connections (bug CSCtx38806) but I found that after upgrade the VPN users are not able to communicate with sources in other zones.
    More specific
    WebVPN use this virtual template interface
    interface Virtual-Template100
    description Template for SSLVPN
    ip unnumbered GigabitEthernet0/1.100
    zone-member security INSIDE
    There are other zones VOICE, LAB, ...
    In the policy any connection is allowed (used inspection of icmp, tcp and udp) from INSIDE zone to VOICE or LAB zone
    After VPN connection I am able to reach resources in INSIDE zone (which is the most important), but not in other zones. Before upgrade it worked.
    Once I changed zone in Virtual-Template interface to VOICE, I was able to reach sources in VOICE zone but not in any other. I searched more and found the stateful firewall is not working for connections from VPN as ping is blocked by policy on returning way - it means by policy VOICE->INSIDE, once I allowed communication from "destination" zone to INSIDE zone - the connections started to work, but of cause it is not something I want to setup.
    Does anybody has the same experiance?
    Regards
    Pavel

    It seems to me I should add one importatant note - if client is connected directly in INSIDE zone, he can reach resources in other zones without any issue - so the problem is only when the client is connected by VPN - not in ZBF policy setup.
    Pavel

  • Static NAT not working

    Hi,
    I'm configuring a 1841 router with 4-port FE WIC card.
    Interface FE0/1 is outside and FE0/0/0 (WIC) is used for LAN connection.
    I'm using dinamic NAT for LAN users access to Internet and static NAT to connect to internal servers from external network.
    In my test configuration, I cannot connect to LAN (192.168.0.0/24) from external network. Dinamic NAT, though, is working fine.
    My config follows. Am I missing something? Hope someone can help me.
    Thanks in advance.
    interface FastEthernet0/0
    description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
    ip address 10.10.10.1 255.255.255.248
    duplex auto
    speed auto
    interface FastEthernet0/1
    description $ETH-LAN$
    ip address 192.168.2.2 255.255.255.0
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    interface FastEthernet0/0/0
    interface FastEthernet0/0/1
    interface FastEthernet0/0/2
    interface FastEthernet0/0/3
    interface Vlan1
    ip address 192.168.0.6 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
    ip nat inside source list 1 interface FastEthernet0/1 overload
    ip nat inside source static tcp 192.168.0.1 23 interface FastEthernet0/1 23
    ip nat inside source static tcp 192.168.0.5 5900 interface FastEthernet0/1 5900
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 192.168.0.0 0.0.0.255
    access-list 2 remark SDM_ACL Category=2
    access-list 2 permit 192.168.0.18 0.0.0.128

    Albert
    It looks to me like your NAT is working. I get similiar results in my NAT table.
    2600_connect#sh ip nat trans
    Pro Inside global Inside local Outside local Outside global
    1) icmp 172.16.1.9:4388 10.15.1.2:4388 10.5.1.1:4388 10.5.1.1:4388
    2) tcp 172.16.1.9:23 10.15.1.3:23 172.16.1.10:62274 172.16.1.10:62274
    3) tcp 172.16.1.9:23 10.15.1.3:23 --- ---
    Line 1) is a dynamic translation from inside to outside for ping.
    Line 2) is the dynamic entry builti when i telnet from outside (172.16.1.10)
    to 172.16.1.9 (which gets Natted to 10.15.1.3)
    Line 3) is the permanent static translation that gets entered when from the
    config line "ip nat source static tcp 10.15.1.3 23 interface fa0/1 23"
    Relevant Router config
    ======================
    interface FastEthernet0/0
    description Connection to CR02
    ip address 10.15.1.1 255.255.255.240
    ip nat inside
    ip pim dense-mode
    no ip route-cache
    speed 100
    full-duplex
    interface FastEthernet0/1
    description Connection to P1
    ip address 172.16.1.9 255.255.255.248
    ip nat outside
    ip pim dense-mode
    no ip route-cache
    speed 100
    full-duplex
    router eigrp 20
    redistribute connected
    redistribute static
    network 10.0.0.0
    network 172.16.0.0
    no auto-summary
    ip nat inside source list 1 interface FastEthernet0/1 overload
    ip nat inside source static tcp 10.15.1.3 23 interface FastEthernet0/1 23
    ip classless
    access-list 1 permit 10.15.1.0 0.0.0.15
    =====================
    Are you sure it is a natting problem ?
    Jon

  • Clientless VPN and Java not working correctly

    In a recent discovery we found that the newest version of java will not work with our Cisco SSLVPN setup
    We are using an ASA5510 with 8.0.4 IOS version and 6.1.3 ADSM version and most users use an mstsc.exe smart tunnel to rdp into our terminal server farm.
    Our laptops are being imaged with Java 6 update 3 (this works fine) then upgraded to Java 6 update 11, after which the smart tunnel appears to launch but a connection cannot be established. Reinstalling the older version of Java resolves the problem.
    I was wondering if anyone else has encountered a similar problem and found a workaround. Currently, company equipment is not being upgraded to the latest version of Java but personal equipment is a different story.

    To get the old downloader back follow the directions below.
    # In the [[Location bar autocomplete|Location bar]], type '''about:config''' and press '''Enter'''. The about:config "''This might void your warranty!''" warning page may appear.
    # Click '''I'll be careful, I promise!''', to continue to the about:config page.
    # Filter '''browser.download.useToolkitIT'''.
    # Double click and '''make sure it says true.'''
    # You now have the classic downloader back! Yay!
    Any issues or confused?
    * http://kb.mozillazine.org/About:config

  • STUMPED! VPN into ASA5510 not working

    Trying to setup remote vpn into a 5510, ran through the wizard, have the preshare and usernames, along with the pool configured. No errors when uploaded, but the Cisco VPN client does not connect at all, Reason 412. I have all crypto debugs running and I got nothing when I try to connect. If I had fat fingered the preshare or the username, I would at least think I would see some debug info when I tried to connect, but I got nothing. I have done this type of setup via the CLI on PIX and have not had problems, but I am not familiar with the new commands, and all I can find are stinking gui examples.

    Well, I rebuilt from scratch through CLI, and at least now I have some debug output, but still stumped. Still get the same error with the client.
    Jun 06 15:05:37 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Removing peer from peer table failed, no match!
    Jun 06 15:05:37 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Error: Unable to remove PeerTblEntry
    Jun 06 15:05:42 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Removing peer from peer table failed, no match!
    Jun 06 15:05:42 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Error: Unable to remove PeerTblEntry
    Jun 06 15:05:47 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Removing peer from peer table failed, no match!
    Jun 06 15:05:47 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Error: Unable to remove PeerTblEntry
    Jun 06 15:05:52 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Removing peer from peer table failed, no match!
    Jun 06 15:05:52 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Error: Unable to remove PeerTblEntry

  • VPN Split-Tunneling not working

    Hello,
    First off - thanks to all who post here.  I often browse the forums and search for help on here and its very useful, so a great pat on the back for everyone who contributes.  My first time posting so here goes.....
    I have my ASA 5505 v8.2 configured to allow AnyConnect. This is working.  Client can connect and access the remote systems through VPN.  What is causing me a massive headache is that the client loses internet connectivity.  I have played around with my config somewhat so what I am about to post I know for certain is incorrect but any help is greatly appreciated.
    Notes
    1.  The Router was set up for a standard site-to-site VPN which is no longer functional but as you can see all the settings are still in the router.
    2.  The router also has a DMZ setup to allow some clients access to the internet through it using the DMZ
    CONFIGURATION:
    ASA Version 8.2(5)
    hostname MYHOST
    enable password mUUvr2NINofYuSh2 encrypted
    passwd UNDrnIuGV0tAPtz2 encrypted
    names
    name x.x.x.x AIME-SD
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    switchport access vlan 7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.101.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address x.x.x.x 255.255.0.0
    interface Vlan7
    no forward interface Vlan1
    nameif DMZ
    security-level 20
    ip address 137.57.183.1 255.255.255.0
    ftp mode passive
    clock timezone MST -7
    object-group network obj_any_dmz
    access-list 10 extended permit ip 192.168.25.0 255.255.255.0 192.168.6.0 255.255                                                                                        .255.0
    access-list no_nat extended permit ip host x.x.x.x 192.168.25.0 255.255.25                                                                                        5.0
    access-list split-tunneling standard permit 192.168.101.0 255.255.255.0
    access-list nonat extended permit ip 192.168.101.0 255.255.255.0 any
    pager lines 24
    logging enable
    logging buffered debugging
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu DMZ 1500
    ip local pool Internal_Range 192.168.101.125-192.168.101.130 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 0 access-list no_nat
    nat (inside) 1 access-list nonat
    nat (DMZ) 10 137.57.183.0 255.255.255.0
    route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
    route inside 192.168.8.0 255.255.255.0 192.168.101.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable 64000
    http 0.0.0.0 0.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set batus esp-aes-256 esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map batus 100 match address 10
    crypto map batus 100 set peer AIME-SD
    crypto map batus 100 set transform-set batus
    crypto map batus interface outside
    crypto ca trustpoint ASDM_TrustPoint1
    enrollment self
    subject-name CN=MYHOST
    keypair ClientX_cert
    crl configure
    crypto ca certificate chain ASDM_TrustPoint1
    certificate 0f817951
        308201e7 30820150 a0030201 0202040f 81795130 0d06092a 864886f7 0d010105
        05003038 31173015 06035504 03130e41 494d452d 56504e2d 42415455 53311d30
        1b06092a 864886f7 0d010902 160e4149 4d452d56 504e2d42 41545553 301e170d
        31333036 32373137 32393335 5a170d32 33303632 35313732 3933355a 30383117
        30150603 55040313 0e41494d 452d5650 4e2d4241 54555331 1d301b06 092a8648
        86f70d01 0902160e 41494d45 2d56504e 2d424154 55533081 9f300d06 092a8648
        86f70d01 01010500 03818d00 30818902 818100c9 ff840bf4 cfb8d394 2c940430
        1887f25a 49038aa0 1299cf10 bda2a436 227dcdbf f1c5566b c35c2f19 8b3514d3
        4e24f5b1 c8840e8c 60e2b39d bdc0082f 08cce525 97ffefba d42bb087 81b9adb9
        db0a8b2f b643e651 d17cd6f8 f67297f2 d785ef46 c3acbb39 615e1ef1 23db072c
        783fe112 acd6dc80 dc38e94b 6e56fe94 d59d5d02 03010001 300d0609 2a864886
        f70d0101 05050003 8181007e 29e90ea0 e337976e 9006bc02 402fd58a a1d30fe8
        b2c1ab49 a1828ee0 488d1d2f 1dc5d150 3ed85f09 54f099b2 064cd622 dc3d3821
        fca46c69 62231fd2 6e396cd1 7ef586f9 f41205af c2199174 3c5ee887 42b684c9
        7f4d2045 4742adb5 d70c3805 4ad13191 8d802bbc b2bcd8c7 8eec111b 761d89f3
        63ebd49d 30dd06f4 e0fa25
      quit
    crypto isakmp enable outside
    crypto isakmp policy 40
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 86400
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 inside
    ssh 0.0.0.0 0.0.0.0 DMZ
    ssh timeout 10
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
    ssl trust-point ASDM_TrustPoint1 outside
    webvpn
    enable outside
    svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
    svc enable
    group-policy ClientX_access internal
    group-policy ClientX_access attributes
    vpn-tunnel-protocol svc
    split-tunnel-network-list value split-tunneling
    default-domain value access.local
    address-pools value Internal_Range
    ipv6-address-pools none
    webvpn
      svc mtu 1406
      svc rekey time none
      svc rekey method ssl
    username ClientX password ykAxQ227nzontdIh encrypted privilege 15
    username ClientX attributes
    vpn-group-policy ClientX_access
    service-type admin
    tunnel-group x.x.x.x type ipsec-l2l
    tunnel-group x.x.x.x ipsec-attributes
    pre-shared-key *****
    tunnel-group ClientX type remote-access
    tunnel-group ClientX general-attributes
    address-pool Internal_Range
    default-group-policy ClientX_access
    tunnel-group SSLClientProfile type remote-access
    tunnel-group SSLClientProfile general-attributes
    default-group-policy ClientX_access
    tunnel-group ClientX_access type remote-access
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:e7d92a387d1c5f07e14b3c894d159ec1
    : end
    Thank you for any help!!

    Karsten!
    That fixed my internet access problem.  Yippee!
    Unfortunately it seems to have broken my access to the internal network.  Boo!
    I can no longer access/ping anything on the internal IP range (192.168.101.x). 
    I assume this is a nat issue somewhere along the line.  Posting the top half of my config for any assistance and the info requested by Raj (although VPN is connecting fine).  Thank you both for your very prompt replies!!!
    Short Config
    object-group network obj_any_dmz
    access-list 10 extended permit ip 192.168.25.0 255.255.255.0 192.168.6.0 255.255.255.0
    access-list no_nat extended permit ip host x.x.x.x 192.168.25.0 255.255.255.0
    access-list split-tunneling standard permit 192.168.101.0 255.255.255.0
    access-list nonat extended permit ip 192.168.101.0 255.255.255.0 any
    pager lines 24
    logging enable
    logging buffered debugging
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu DMZ 1500
    ip local pool Internal_Range 192.168.101.125-192.168.101.130 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 0 access-list no_nat
    nat (inside) 1 access-list nonat
    nat (DMZ) 10 137.57.183.0 255.255.255.0
    route outside 0.0.0.0 0.0.0.0 207.229.2.129 1
    route inside 192.168.8.0 255.255.255.0 192.168.101.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    Show vpn-sessiondb svc
    Session Type: SVC
    Username     : ClientX                 Index        : 9
    Assigned IP  : 192.168.101.125        Public IP    : x.x.x.x
    Protocol     : Clientless SSL-Tunnel DTLS-Tunnel
    License      : SSL VPN
    Encryption   : RC4 AES128             Hashing      : MD5 SHA1
    Bytes Tx     : 11662                  Bytes Rx     : 62930
    Group Policy : ClientX_access          Tunnel Group : DefaultWEBVPNGroup
    Login Time   : 22:40:56 MST Mon Jul 1 2013
    Duration     : 0h:11m:08s
    Inactivity   : 0h:00m:00s
    NAC Result   : Unknown
    VLAN Mapping : N/A                    VLAN         : none

  • Time Capsule Drive on WAN + NAT not working.

    Hi I'm having trouble setting up my TC.
    I can enable access to the drive by enabling "share disks over Ethernet WAN port" - people can simply connect to the tc drive using my WAN IP.
    What I can't do is enable NAT Port Mapping at the same time because then people can't access the drive via the WAN IP anymore.
    I then tried disabling "share disks over Ethernet WAN port" and then manually tried adding "Personal File Sharing" - it won't let me use a public port of 548 - It simply says "a public TCP port number conflicts with a file sharing port on the base station - Disable file sharing or choose a different port number". So I did, I made the public port 1000. Now people can access the drive via the WAN IP but have to add :1000 onto my ip address.
    Why can't I just enable "share disks over Ethernet WAN port" so people can access my tc via my WAN IP (without :1000) and have my local machine in the DMZ (default host) while having NAT enabled for my torrents at the same time?
    thingi

    I know that! The problem was not that simple..... You can't be in a DMZ and share your TC drive over the web at the same time.
    I used to keep my mini in the DMZ by enabling the 'default host' and setting the ip manually on the mini so it always got the same ip = no NAT error when using torrents. You can't do that and have a TC which is contactable over the wibbly web.
    So instead I took the mini out of the DMZ and set the TC to always give the same ip address to my mini by using a DHCPClient ID instead of using the default host.
    I could have used the MAC address of the ethernet port in the access control list on the TC but that would have limited me to ethernet only. Sometimes I move my mini to under the tv to watch movies but that's not got ethernet......
    That doesn't matter though because you can set the same DHCP Client IP for more than one interface in OSX This means that when my mini connects via ethernet or via airport I get the same IP address which means that the mini can continue downloading torrents without having to change the port forwarding on the TC or mess with manual IP addresses on the mini WooHoo!!!!!!
    The real beauty is that I then use the 'Set Service Order' to make ethernet first, then airport. Even when both interfaces are enabled with the same IP address OSX is clever enough to route to ethernet first due to the service order. When I unplug the ethernet cable bang my net connection swaps right over to the airport with no fuss whatsoever on the same IP Torrents continue perfectly because the correct port routing is still applied.
    This means that port forwarding always works because the mini always gets the same ip address even though it's assigned by the TC's DHCP server. I didn't know that the TC could give a specific IP to a specific client. I really didn't expect the multiple DHCP Client IP trick to work!!!!
    It also means I'm safer because I'm behind the NAT firewall instead of being open due to being in the DMZ (why apple call it default host I'll never know).
    Message was edited by: Stephen Medway

  • PIX L2L VPN behind NAT device

    I need to know if it is posible to establish a L-2-L VPN if the termination device (PIX 7.x) is behind a router with nat... All the traffic to the public IP is forwarded by the router to the PIX.
    the schema is like this:
    LAN -> FW -> Internet -> Router (NAT) -> FW (PIX) -> LAN
    (see the attached file)
    regards
    mariano

    Chris
    We are talking pix/asa here aren't we ? And we are tlakin gbout Natting your source IP addresses right ?
    If so, yes absolutely you can do this as i have done it many times in production environments.
    No you won't need statics. You do generally need a static to go from lower to higher but remember that is for the destination IP.
    Your'e not concerned with the destination IP addresses, you are only concerned with natting the source IP addresses.
    Edit - just make sure on your NAT statement that it end with "outside" as in the above example. This is how the pix knows to nat in that direction in effect.
    Jon

  • Anyconnect VPN Certificate-matching not working

    Cisco Adaptive Security Appliance Software Version 9.1(4); Device Manager Version 7.1(5)100; anyconnect-win-3.1.05152-k9.pkg
    Hello, I am trying to implement Certificate Matching for certain client profiles. However 'certificate matching' does not seem to work- another certificate is always selected instead for Anyconnect SSL VPN authentication.
    For example the client has two client-certificates installed: masin2 and masin3. I have configured the client-profile certificate-matching to use masin2 for authentication, but Anyconnect still chooses masin3 instead.
    The client-profile looks like this:
    <CertificateMatch>
                <KeyUsage>
                    <MatchKey>Key_Encipherment</MatchKey>
                    <MatchKey>Digital_Signature</MatchKey>
                </KeyUsage>
                <ExtendedKeyUsage>
                    <ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
                </ExtendedKeyUsage>
                <DistinguishedName>
                    <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Disabled">
                        <Name>CN</Name>
                        <Pattern>masin2</Pattern>
                    </DistinguishedNameDefinition>
                </DistinguishedName>
            </CertificateMatch>
    Any suggestions/ideas? thanks for any input,
    heiki.

    enabling wildcard did not help. also tried disabling/enabling automatic certificate selection- no luck.
    I have also tried with and without different keyusage and extendedkeyusage- no difference.
    The Client Profile is correctly updated on the client PC every time a change in made, but it seems like Anyconnect is not evaluating the Certificate Matching fields at all. And it seems like the problem is only with the CertificateMatch fields, because other fields are used as configured (for example: certificatestore, retainvpnonlogoff, usestartbeforelogon and so on).
    I even upgraded Anyconnect to the latest version 3.1.05160 and still- anyconnect completely ignores certificatematch configuration in client-profile.

  • VPN server does not work when a second network adapter is enabled

    I have an Xserve providing DNS, filesharing, and VPN services on an office LAN. The server sits behind a gateway router and is set as a DMZ host.
    VPN has been working absoluely flawlessly on the server for some time. However, I've recently discovered that this all changes when the Xserve's second ethernet adapter is enabled.
    To illustrate:
    en0: static IP 192.168.2.250
    en1: disabled
    VPN works perfectly
    en0: static IP 192.168.2.250
    en1: static IP 192.168.2.251
    DNS settings unchanged, DMZ host unchanged
    VPN doesn't work
    The above is even true when attempting to connect internally.
    VPN is configured for L2TP, and when the second NIC is connected the VPN server logs the following (below). There are a number of other users of Lion Server users that seem to be experiencing the same log pattern, but there doesn't seem to be a definitive solution.
    I was wondering if anyone has any advice on how I could solve this problem? Is it possible to bind the VPN server to a specified network adapter?
    Thanks in advance for any help or ideas.
    (And to preempt the question of "why do you need to use both NICs", the two interfaces are to be used for load balancing. See https://discussions.apple.com/message/17655599?ac_cid=142432)
    Wed Feb 22 15:53:53 2012 : Directory Services Authentication plugin initialized
    Wed Feb 22 15:53:53 2012 : Directory Services Authorization plugin initialized
    Wed Feb 22 15:53:53 2012 : L2TP incoming call in progress from 'xxx.xxx.xxx.xxx'...
    Wed Feb 22 15:53:53 2012 : L2TP received SCCRQ
    Wed Feb 22 15:53:53 2012 : L2TP sent SCCRP
    2012-02-22 15:53:54 GMT          Incoming call... Address given to client = 192.168.2.229
    Wed Feb 22 15:53:54 2012 : Directory Services Authentication plugin initialized
    Wed Feb 22 15:53:54 2012 : Directory Services Authorization plugin initialized
    Wed Feb 22 15:53:54 2012 : L2TP incoming call in progress from 'xxx.xxx.xxx.xxx'...
    Wed Feb 22 15:53:54 2012 : L2TP received SCCRQ
    Wed Feb 22 15:53:54 2012 : L2TP sent SCCRP
    2012-02-22 15:53:56 GMT          Incoming call... Address given to client = 192.168.2.220
    Wed Feb 22 15:53:56 2012 : Directory Services Authentication plugin initialized
    Wed Feb 22 15:53:56 2012 : Directory Services Authorization plugin initialized
    Wed Feb 22 15:53:56 2012 : L2TP incoming call in progress from 'xxx.xxx.xxx.xxx'...
    Wed Feb 22 15:53:56 2012 : L2TP received SCCRQ
    Wed Feb 22 15:53:56 2012 : L2TP sent SCCRP
    2012-02-22 15:54:00 GMT          Incoming call... Address given to client = 192.168.2.221
    Wed Feb 22 15:54:00 2012 : Directory Services Authentication plugin initialized
    Wed Feb 22 15:54:00 2012 : Directory Services Authorization plugin initialized
    Wed Feb 22 15:54:00 2012 : L2TP incoming call in progress from 'xxx.xxx.xxx.xxx'...
    Wed Feb 22 15:54:00 2012 : L2TP received SCCRQ
    Wed Feb 22 15:54:00 2012 : L2TP sent SCCRP
    2012-02-22 15:54:04 GMT          Incoming call... Address given to client = 192.168.2.222
    Wed Feb 22 15:54:04 2012 : Directory Services Authentication plugin initialized
    Wed Feb 22 15:54:04 2012 : Directory Services Authorization plugin initialized
    Wed Feb 22 15:54:04 2012 : L2TP incoming call in progress from 'xxx.xxx.xxx.xxx'...
    Wed Feb 22 15:54:04 2012 : L2TP received SCCRQ
    Wed Feb 22 15:54:04 2012 : L2TP sent SCCRP
    2012-02-22 15:54:08 GMT          Incoming call... Address given to client = 192.168.2.226
    Wed Feb 22 15:54:08 2012 : Directory Services Authentication plugin initialized
    Wed Feb 22 15:54:08 2012 : Directory Services Authorization plugin initialized
    Wed Feb 22 15:54:08 2012 : L2TP incoming call in progress from 'xxx.xxx.xxx.xxx'...
    Wed Feb 22 15:54:08 2012 : L2TP received SCCRQ
    Wed Feb 22 15:54:08 2012 : L2TP sent SCCRP
    2012-02-22 15:54:12 GMT          Incoming call... Address given to client = 192.168.2.223
    Wed Feb 22 15:54:12 2012 : Directory Services Authentication plugin initialized
    Wed Feb 22 15:54:12 2012 : Directory Services Authorization plugin initialized
    Wed Feb 22 15:54:12 2012 : L2TP incoming call in progress from 'xxx.xxx.xxx.xxx'...
    Wed Feb 22 15:54:12 2012 : L2TP received SCCRQ
    Wed Feb 22 15:54:12 2012 : L2TP sent SCCRP
    2012-02-22 15:54:13 GMT             --> Client with address = 192.168.2.228 has hungup
    2012-02-22 15:54:14 GMT             --> Client with address = 192.168.2.229 has hungup
    2012-02-22 15:54:16 GMT             --> Client with address = 192.168.2.220 has hungup
    2012-02-22 15:54:20 GMT             --> Client with address = 192.168.2.221 has hungup
    2012-02-22 15:54:24 GMT             --> Client with address = 192.168.2.222 has hungup
    2012-02-22 15:54:28 GMT             --> Client with address = 192.168.2.226 has hungup
    2012-02-22 15:54:32 GMT             --> Client with address = 192.168.2.223 has hungup

    Try switching the order of the services in System Preferences > Network.
    Put the second one at the top.
    HTH,
    b.

  • Polycom HDX7000 behind ASA not working

    I have ran into a problem with my Polycom behind my ASA5510. I cannot receive calls from the outside and when placing calles from inside to outside the connection completes and my audio/video reaches the outside but no audio/video is returned through the firewall. I am a newbe to firewall configs so any help would be greatly appreciated. My ASA is running version 9.1(2) and below is the config as it relates to the polycom.
    object network polycom_private
    host 10.3.0.x
    object network polycom_public
    host 63.234.x.x
    object-group service h323-Group
    service-object tcp destination eq h323
    service-object object 3230-3235
    service-object object 3230-3280
    access-list outside_acl extended permit object-group h323-Group any object polycom_private
    object network polycom_private
    nat (inside,outside) static 63.234..x.x
    I have disabled h323 inspection and still i cannot make a successful connection.
    Thanks in advance.

    After working with TAC we have made a few changes on the ASA to get this partially working. I can now make outbound calls to remote sites and get audio and video to pass in both directions. However, I still cannnot get any inbound calls to pass through the ASA. Here are the changes TAC made to the ASA to get this working most of the way.
    Issue: ASA was dropping packets with 'router alert' IP option set.
    Fix: Created a new policy-map to specifically allow this traffic and applied it to the Global Policy.
    Also, enabled Skinny, SIP, H323 inspection on the global policy.
    Still working on the remote site dialing in but as of right now when testing an inbound call from a remote site for reasons unknown, we were seeing SYN on port 1720 coming in from the remote Polycom unit, being untranslated and going to the local Polycom unit, however, we never saw a Syn Ack for that.
    Work in progress..
    Jimmy

  • VBA- Code behind button not working

    I am trying to add a vba code behind a close button to close a form but error keeps coming up. Each time i click the close button a Compile Error message: Sub or Function not Defined, keeps on coming up. 
    Code is below
    Private Sub cmdClose_Click()
    On Error GoTo Err_cmdClose_Click
    ' If Me.Dirty Then Me.Dirty = False
    DoCmd.Close
    Exit_cmdClose_Click:
        Exit Sub
    Err_cmdClose_Click
    MsgBox Err.Description
        Resume Exit_cmdClose_Click
    End Sub

    Sometimes the link between the button and its event gets broken. Select the button on the form in design view. Select the On Click event in the properties sheet. Then press F7. That usually fixes it.
    Bill Mosca
    www.thatlldoit.com
    http://tech.groups.yahoo.com/group/MS_Access_Professionals

Maybe you are looking for

  • Rolling Sum by dynamic range of data

    Hello guys I have a report that looks like this: Year       Month           Local Cost 2005        1                   100 2005        2                   10 2005        3                   200 2005        4                   5 2005        5         

  • Launching an app in a desktop

    Under Leopard's Spaces I could force an application to open in an assigned desktop, i.e. Safari would be assigned to Space 2 and always open in that Space. How can I do the same thing in Lion? I want certain apps to always open in their separate desk

  • Ipod Scrolls when other that shuffle is used

    My IPod 2002 20gb works only consistantly in the shuffle mode. If I choose artist for example then choose the album and enter, it will just scroll through all the different songs but never stop. I have done a reset but no change in operation Dell Ins

  • Putting an applet window inside a dialog box

    I am relatively new to Java, and have recently been introduced to swing and applets. Is it possible to put an applet window inside a dialog box? If this is a dumb question, I apologize in advance. Thank you, Jonathan

  • After Effects Audio Render

    A few days ago I rendered a project with an audio file (a WAV file) and everthing rendered perfect. Today I tried to render again the same project, but now when I hit render, my render stays on the first frame and doesn't move from there; it freezes.