Setup OpenVPN to access the client's LAN

I have the following topology: http://imgur.com/ANEtu
I want to be able to access 10.20.30.2 from the server.
Restrictions:
- 10.20.30.2 cannot be modified in any way
- VPN client is Windows.
Is this possible?

You haven't explained the diagram or your setup very well... I'm going to assume that:
1. Address 10.20.30.2 = Client's Default Gateway.
2. You are using a routed style OpenVPN configuration.
Enable routing and configure a Source NAT (SNAT) on the client to make all the routed traffic appear to come from 10.20.30.3.
You will need to put a route on the server for 10.20.30.x (I'm assuming it's a /24 network) via the VPN tunnel so it knows where to find that address space.
Of course you will lose visibility on 10.20.30.2 as to whether it is actually the client, or the server 'behind' the client, that traffic originates from.
Also, I don't know how to put a SNAT on Windows. AFAIK there is no native way to do it, but I'm sure *someone* somewhere has written something to do it.
Last edited by fukawi2 (2012-01-11 22:13:38)
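As an added example (not part of the post above and not an OpenVPN project file), the following POSIX shell script generates the server-side pieces fukawi2 describes for a routed (tun) setup: the server route for the client's LAN via the tunnel, plus the per-client `iroute` entry in `client-config-dir` that tells the OpenVPN daemon which connected client owns that LAN. It refuses a LAN that overlaps the tunnel subnet. The tunnel subnet 10.8.0.0/24, the client common name `winclient`, the /24 mask and the 10.20.30.3 SNAT address are assumptions; the iptables rule is only the Linux equivalent of the client-side SNAT the answer describes, echoed rather than applied, since the client in the thread is Windows.

```shell
#!/bin/sh
# Added example, not from the thread: build the server-side OpenVPN routing
# pieces for reaching a client's LAN through a routed (tun) tunnel.
# Assumptions: tunnel 10.8.0.0/24, client CN "winclient", LAN 10.20.30.0/24
# (the thread only gives 10.20.30.x and a guessed /24).

# ip4_to_int 10.20.30.0 -> 169090560
ip4_to_int() {
    echo "$1" | {
        IFS=. read -r a b c d
        echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
    }
}

# prefix_to_mask 24 -> 4294967040 (0xffffff00)
prefix_to_mask() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# prefix_to_dotted 24 -> 255.255.255.0
prefix_to_dotted() {
    m=$(prefix_to_mask "$1")
    echo "$(( (m >> 24) & 255 )).$(( (m >> 16) & 255 )).$(( (m >> 8) & 255 )).$(( m & 255 ))"
}

# overlaps NET1 PFX1 NET2 PFX2 -> status 0 if the two networks share any address
# (compare both under the shorter, i.e. more inclusive, of the two masks)
overlaps() {
    p=$2
    [ "$4" -lt "$p" ] && p=$4
    m=$(prefix_to_mask "$p")
    [ $(( $(ip4_to_int "$1") & m )) -eq $(( $(ip4_to_int "$3") & m )) ]
}

# server.conf line: the server kernel sends traffic for the LAN into the tun device
gen_server_route() { echo "route $1 $(prefix_to_dotted "$2")"; }

# client-config-dir entry: the daemon maps the LAN to this client's tunnel endpoint;
# without it the kernel route exists but OpenVPN does not know which client to use
gen_ccd() { echo "iroute $1 $(prefix_to_dotted "$2")"; }

# Linux equivalent of the client-side SNAT the answer describes: every tunnelled
# packet leaving towards the LAN appears to come from the client's own LAN address.
# Only echoed here; the thread's client is Windows.
linux_snat_rule() {
    echo "iptables -t nat -A POSTROUTING -s $1/$2 -o $3 -j SNAT --to-source $4"
}

# setup_lan_access CONFDIR CLIENT LAN PFX TUNNET TUNPFX -> writes the config pieces
setup_lan_access() {
    confdir=$1 client=$2 lan=$3 pfx=$4 tun=$5 tpfx=$6
    if overlaps "$lan" "$pfx" "$tun" "$tpfx"; then
        echo "refusing: LAN $lan/$pfx overlaps tunnel subnet $tun/$tpfx" >&2
        return 1
    fi
    mkdir -p "$confdir/ccd"
    {
        echo "server $tun $(prefix_to_dotted "$tpfx")"
        echo "client-config-dir $confdir/ccd"
        gen_server_route "$lan" "$pfx"
    } > "$confdir/lan-route.conf"
    gen_ccd "$lan" "$pfx" > "$confdir/ccd/$client"
}

# Demo run into a scratch directory.
d=$(mktemp -d)
setup_lan_access "$d" winclient 10.20.30.0 24 10.8.0.0 24
cat "$d/lan-route.conf" "$d/ccd/winclient"
linux_snat_rule 10.8.0.0 24 eth0 10.20.30.3
rm -r "$d"
```

After restarting the server, `ip route` on it should show 10.20.30.0/24 via the tun interface; if the route is there but packets to 10.20.30.2 go nowhere, the usual cause is a missing or mis-named `ccd/<common-name>` file, because the `iroute` is what lets the daemon pick the right client. The SNAT side is exactly the trade-off the answer notes: 10.20.30.2 only ever sees 10.20.30.3 as the source, so per-host accountability for traffic arriving through the tunnel is gone.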

Similar Messages

  • Can ASA5505 forward remote-access-VPN clients to LAN

    I currently have ASA-5505 and 2911-Router and I'm trying to configure VPN topology.
    Can ASA5505 forward remote-access-VPN clients to LAN operated by a different router?
    Are these two cases possible?:
    (1) ASA-5505 and 2911-Router are on separate WAN interfaces, each directly connected to ISP. But then can I connect one of other LAN interfaces of ASA-5505 into a switch managed by 2911-Router to inject remote-SSL-VPN clients into the LAN managed by the router?
    (2) ASA-5505 is behind 2911-Router. Can 2911 Router assign a public ip address or have public ip address VPN-access attempts directly be forwarded to ASA-5505 when there is only one public ip address available?
    Long story short, can ASA-5505 inject its remote-access-VPN clients as hosts on the LAN managed by the 2911 router?
    Thanks.

    I could help you more if you can explain the purpose of this setup and the connectivity between the ASA and router.
    You can enable reverse-route on the Dynamic map on the ASA. The ASA will install a static route for the client on the routing table. You can use a Routing protocol to redistribute the static routes to your switch on the LAN side of the ASA.

  • Remote Access VPN clients on LAN IP range

    I need to set up a VPN client configuration where the clients receive an IP in the LAN IP address range.
    Attached is my config with the pool in its own range (non-pertinent configuration excluded).
    I've modified my pool to place the clients in a range within the LAN IP scheme. I have also modified my 110 ACL to exclude the NAT and my 111 ACL to allow for split-tunneling by the client.
    When I connect, I get the proper address but I am unable to ping any devices internally.
    Any suggestions as to the configuration or troubleshooting would be appreciated. I have seen documentation that it will not work in the form of TAC cases and config guides, but they were specific to ASA and PIX devices. I have not found any configuration guides for IOS routers showing examples of this configuration, but I did see mention in a config guide that said "if you assign addresses from a non-local subnet", which tells me that it is an option to assign local addresses.

    Ok, let's go.
    You should assign a pool that has a different range than your internal, like
    ip local pool vpn_pool 10.0.0.1 10.0.0.10
    then you must NAT it to make it seem it came from inside to whatever you want to be the destination, so do the following:
    configure your external interface as "nat outside"
    interface FastEthernet0/0
     ip nat outside
    configure your internal interface as "nat inside"
    interface FastEthernet0/1
     ip nat inside
    configure the NAT
    ip nat outside source static network 10.0.0.0 192.168.0.0 255.255.255.240
    please rate if it helps

  • How to access the client PCs via RDP FROM Windows Server 2003

    Hopefully this is not an ignorant question, but every thread I've read focuses on client PCs not being able to access the terminal server. I have the opposite problem. I am working remotely and have full access to the servers (some of which are virtuals).
    I need to be able to connect to the various workstations, but I cannot.  Is this just a setting I have misconfigured?  Is there any software I can deploy to these PCs that will allow me to log in and update their workstations?
    Any help is sincerely appreciated.
    - Jeff

    Hi Jeff,
    Thank you for your posting in Windows Server Forum.
    You can take an RDP session to a client system from the server. But keep in mind that a client system can only allow 1 RDP session at a time, for administration purposes. For that you need to have permission to take an RDP session.
    Also you need to verify that the "Remote Desktop Services" service is running, and also verify the thread below as per the snap.
    In addition, if you want to manage all the server and client systems, then you can use Remote Desktop Connection Manager to manage all the clients and servers remotely.
    Hope it helps!
    Thanks.
    Dharmesh Solanki

  • Applet needing to access the client system

    Hi,
    I've got an applet that I need to be able to launch a .exe that exists on a client's computer... the applet is going to be signed etc.
    I've read that it can do this if the client running it explicitly allows the applet access to the required resources...
    My problem is I need the applet to run with as little hassle as possible... preferably it pops up a security warning, says who the applet is from and, if the user accepts the certificate, the applet has access to what it needs... I can't have the client having to go download this or that or bring up another program to grant access.
    I know that this is possible through ActiveX controls and basically I just need to know whether or not it's even worthwhile attempting to develop a solution in Java. If you can give me any info at all at any level of detail (the more the better) I would be eternally in your debt. (I've got 2 days to solve this problem.)
    Thankyou for your time.
    Sincerely,
    Nickolas Fellows

    Oh hey,
    I've been looking at something called Authenticode as a solution... anyone know if this will give me the effect I desire? I wish I could get away with sticking with pure Java tools but this is war!!
    Thx,
    Nick

  • SolMan Setup ... does the client matters?

    Hello,
    I am new to SolMan and did my first setup with errors. Afterwards I realized that I called the Solman_setup from two different clients (000 and 001). Does it matter from which client I call the setup? Which one would be the right one?
    Thanks a lot,
      Vanessa

    Hi Diego
    This note is relevant to client copy; the thread is about in which client the customer must execute solman_setup. The customer can execute the setup independent of the client, as the activations will occur globally (for example BC sets, etc.).
    This note informs the following:
    =========================================================================================
    One frequently asked question in relation to the client copy and the transaction solman_setup is :
    In transaction Solman_Setup, while activating the BC sets, a "Piece List" transport is generated and is expected to be imported in the working client. If I have already performed the client copy as suggested above, why would I require the transport again? Isn't the data already copied from 000 to the working client?
    When you activate the BC sets certain tables are overwritten with the data in the BC sets and hence the "Piece List" transport is required to get that data back from client 000 to client 100. The "Piece List" transport does not contain all the customizing settings
    from client 000. It contains only the data that gets overwritten by the BC set Activation and hence it is necessary to perform this step.
    The logical sequence of events is you first perform the client copy and then execute the steps in transaction Solman_Setup.
    =========================================================================================
    It's just informing how to proceed in case of client copy and solman_setup, but the customer can execute the solman setup in client 001, for example.

  • Setup mySQL and access the same from jsp

    Hi,
    I have installed the MySQL in local desktop in d: drive. As per the documentation, have created my.cnf file to point sql directory in d drive.
    Now I don't know how to proceed further. I need to see if the MySQL installation is fine, create a table and access the data in a JSP page. Please advise.
    Thanks in advance.

    For MySQL help try a MySQL forum.
    For connecting to the database, use JDBC. You can get the MySQL JDBC driver from www.mysql.com.
    From there just follow standard java database connection setup.
    http://java.sun.com/docs/books/tutorial/jdbc/index.html

  • How do I access the Client Tools?

    I've installed the Oracle9i client. How do I start the applications?
    Thanks.

    Hi
    Use "netca" for Network Configuration
    "oemapp worksheet" for the client
    If you don't find the command,
    go to <Oracle_Home>/bin and execute it there.
    Dhanaji

  • How do I access the remote(requesting) clients IP address through the Portal API?

    How can I access the remote(requesting) clients IP address through the Portal API?
    On our 4.5 - IIS system, we can access it using Request.ServerVariables("Remote_Addr") in the ASP pages.
    We are deploying 5.0 on Java Portal and would like to be able to do this through the Portal's API so I can call it in one of our custom login Activity space or control etc.
    I have looked documentation for the HTTPServletRequest object. It seems like we should be able to access it through one of the methods getRemoteAddr if we can get a handle to HTTPServletRequest object through the Plumtree's framework.
    I think the XPRequest object encapsulates the HTTPServletRequest but I didn't see getRemoteAddr method listed in the Javadocs.
    Is there a way to access the client's IP address through the Plumtree's framework?
    I need to do this so we know the location of the user; in our business case we have fixed IP addresses which let us identify which location the user is accessing the system from. We can't do this through preferences or profile because we have to use a generic userid for the specific group of users.
    Any help on this would be appreciated.
    Thanks.
    Vanita

    Hi, Vanita. For now, you can use
    string sClientIP = HttpContext.Current.Request.ServerVariables["REMOTE_ADDR"].ToString();
    Hope that helps!
    Sarah

  • RMI call back - How to refer to the client project from the server project?

    Hi, I am working on an RMI assignment which basically needs me to use the RMI call back for the server to notify the clients.
    I have 2 projects , one for the client and another for the server.
    In the client project, I have a client interface and the main client class implements this interface.
    In the server project, I have a server interface and a class that implements this interface.
    I can use the server interface in the client project's code by adding the server project to the path of the client project; it lets me use the server interface in the code if I put an "import..." statement.
    But the issue is I cannot do the same to access the client interface from within the server project's code. Since that would be a circular reference, the compiler does not let me use the client interface from within the server's code. This is putting me in great difficulty and I am stuck here. What should I do so that I can use the client interface and the compiler won't complain?
    Thanks for any help..
    Regards.. js

    Let me explain what I tried: I manually generated stub class of the client using the Eclipse IDE as mentioned in my previous message. The StockMSClient_Stub.class got created in my client project.
    The common project has the 2 interfaces - one from the client and one from the server.
    I have added reference to the common project from the client and server projects to use the interfaces.
    With the above mentioned in place, when I run the server project, the registry binding of the server objects is very fine. But I am getting error in the applet at the line where I am passing the client object to the method provided by the server interface. The following is the code snippet in the applet where I am getting the error.
    specifically the line: String response = objs.login(userId, password, smsClient);
    ====================
    public void login() {
        Registry reg = null;
        String userId = "test";
        String password = "test";
        this.smsClient = new StockMSClient();
        try {
            reg = LocateRegistry.getRegistry(rmiHost, rmiPort);
            UserInterface obj = (UserInterface) reg.lookup(rmiStrings[1]);
            User u = obj.find(userId);
            if (u == null) {
                System.out.println("This user is not valid");
            } else {
                // export the callback object so the server can call back into it
                UnicastRemoteObject.exportObject(smsClient);
                reg = LocateRegistry.getRegistry(rmiHost, rmiPort);
                LoginLogoutInterface objs = (LoginLogoutInterface) reg.lookup(rmiStrings[0]);
                // getting error at the following line.
                String response = objs.login(userId, password, smsClient);
                System.out.println("response :" + response);
            }
        } catch (AccessException ae) {
            System.out.println(ae);
        } catch (NotBoundException nbe) {
            System.out.println(nbe);
        } catch (RemoteException re) {
            System.out.println(re);
        }
    } // end login()
    ====================
    Error is:
    java.rmi.ServerException: RemoteException occurred in server thread; nested exception is:
        java.rmi.UnmarshalException: error unmarshalling arguments; nested exception is:
        java.lang.ClassNotFoundException: sms.rmi.graphics.StockMSClient_Stub (no security manager: RMI class loader disabled)
    ================
    I don't know why this is happening..Please help.
    thanks & regards, js
    Message was edited by:
    jsitaraman

  • Read a directory on the clients box

    All,
    I have written some code so that when you make a pick in the web browser it gives you a list of files in a directory on your computer.
    File current_dir = new File("e:\\pro_work\\.proi");
    String file_list[] = current_dir.list();
    This is a piece of the code I use and it seems to work fine when I am testing the application on my own box. When I go over to another person's machine and try it, I get the directory listing of my computer. I am using Netbeans as the server until I get it finished and deploy it. Any help on how the client would see the list of files on their machine would be appreciated. Thanks

    No, you can't access the client computer with Java code.
    Java runs on the server. That's why they call it Java Server Pages.
    You would need an applet/ActiveX control to access the client computer's file system.

  • ADF Faces + hardware device in the client side.( adf swing  or adf java fx)

    We are using ADF + Swing in a desktop app.
    We like ADF Faces but we need interactions with hardware devices on the client side: scanner, web cam, bar code reader, fingerprint reader ...
    How to do that in the ADF Faces web environment (what about sandbox security)? How to obtain the video streams on the client side in the ADF Faces web page?
    In the future will ADF use JavaFX?
    Thanks
    Juan Carlos Llanes

    Hi,
    see sample 71 http://www.oracle.com/technetwork/developer-tools/adf/learnmore/index-101235.html#CodeCornerSamples
    You can use ActiveX plugins or a Java applet to access the client system. To reach out of the sandbox, it will require a certificate.
    In the future will ADF use JavaFX?
    No.

  • Exchange setup error: "There was a problem accessing the registry on this computer"

    Hi,
    I am trying to install Exchange 2007 SP1 on a Windows 2003 Server Standard 32-bit version.
    During the "Readiness checks" I received the following error in "Hub transport role prerequisites":
    Error:
    There was a problem accessing the registry on this computer. This may happen if the Remote Registry service is not running; it may also indicate a network problem.
    The Remote Registry service is running. I've searched for the error on Google and in some topics it appears that the error is due to "Client for Microsoft Networks" and "File and Printer Sharing" not being installed in the LAN properties. The server has 2 network cards and in both of them it is checked. One of the connections is disabled.
    I don't know what more to do; any help will be appreciated.
    Thanks

    No, firewall is disabled.
    Setup Logs says:
    10:50:04.890: Starting Collecting Data phase.
    10:50:04.921: No mapping between account names and security IDs was done
    10:50:04.984: Error (Unexpected error [0x674CBB7E] while executing command '[Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName)'.) trying to process object [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName), skipping object.
    10:50:06.093: Completed Collecting Data phase.
    10:50:06.125: Error (Rule name 'PreReq_fPassiveUninstallNoCMSPresentKey' referenced by rule 'PreReq_fPassiveUninstallNoCMSPresent' in input file is not defined) in format of rules in configuration file.
    10:50:06.171: Starting Postprocessing Rules phase.
    10:50:06.187: Completed Postprocessing Rules phase.
    Thanks for your help!

  • Remote Access VPN Clients Cannot Access inside LAN

    I have been asked to set up remote access VPN on an ASA 5505 that I previously had no involvement with. I have set up the VPN using the wizard, the way I normally do, but the clients have no access to anything in the inside subnet, not even the inside interface IP address of the ASA. They can ping each other. The remote access policy below that I am working on is labeled VPNPHONE, address pool 172.16.20.1-10. I do not need split tunneling to be enabled. The active WAN interface is the one labeled outside_cable.
    : Saved
    ASA Version 8.2(1)
    hostname ASA5505
    domain-name default.domain.invalid
    enable password eelnBRz68aYSzHyz encrypted
    passwd eelnBRz68aYSzHyz encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.100.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    pppoe client vpdn group dataDSL
    ip address 76.244.75.57 255.255.255.255 pppoe
    interface Vlan3
    nameif dmz
    security-level 50
    ip address 192.168.9.1 255.255.255.0
    interface Vlan10
    nameif outside_cable
    security-level 0
    ip address 50.84.96.178 255.255.255.240
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    switchport access vlan 10
    interface Ethernet0/2
    switchport access vlan 3
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    same-security-traffic permit intra-interface
    object-group service Netbios udp
    port-object eq 139
    port-object eq 445
    port-object eq netbios-ns
    object-group service Netbios_TCP tcp
    port-object eq 445
    port-object eq netbios-ssn
    object-group network DM_INLINE_NETWORK_1
    network-object host 192.168.100.177
    network-object host 192.168.100.249
    object-group service Web_Services tcp
    port-object eq ftp
    port-object eq ftp-data
    port-object eq www
    port-object eq https
    object-group network DM_INLINE_NETWORK_10
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_11
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_2
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_3
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_4
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_5
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_6
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_7
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_8
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_9
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network VPN
    network-object 192.168.255.0 255.255.255.0
    access-list outside_access_in extended permit icmp any host 76.244.75.61
    access-list outside_access_in extended permit tcp any host 76.244.75.61 eq ftp
    access-list outside_access_in extended permit tcp any host 76.244.75.61 eq ftp-data
    access-list outside_access_in extended permit tcp any host 76.244.75.62 eq www
    access-list outside_access_in extended permit tcp any host 76.244.75.62 eq https
    access-list outside_access_in extended permit tcp any host 76.244.75.59 eq www
    access-list outside_access_in extended permit tcp any host 76.244.75.59 eq https
    access-list outside_access_in extended permit tcp any host 76.244.75.60 eq www
    access-list outside_access_in extended permit tcp any host 76.244.75.60 eq https
    access-list outside_access_in extended permit tcp any host 76.244.75.58 eq www
    access-list outside_access_in extended permit tcp any host 76.244.75.58 eq https
    access-list dmz_access_in remark Quickbooks
    access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_6 host 192.168.100.5 eq 56719
    access-list dmz_access_in remark Quickbooks range
    access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_7 host 192.168.100.5 range 55333 55337
    access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_8 host 192.168.100.5 eq 1434
    access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_9 host 192.168.100.5 eq 49398
    access-list dmz_access_in remark QB
    access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_10 host 192.168.100.5 eq 8019
    access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_2 host 192.168.100.5 eq 2638
    access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_11 host 192.168.100.5 object-group Netbios
    access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_3 host 192.168.100.5 object-group Netbios_TCP
    access-list dmz_access_in extended deny ip host 192.168.9.4 host 192.168.100.5 inactive
    access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_4 any
    access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_5 any
    access-list dmz_access_in remark Printer
    access-list dmz_access_in extended permit ip 192.168.9.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
    access-list dmz_access_in extended permit tcp 192.168.9.0 255.255.255.0 any object-group Web_Services
    access-list dmz_access_in extended permit udp 192.168.9.0 255.255.255.0 any eq domain
    access-list dmz_access_in extended permit icmp 192.168.9.0 255.255.255.0 192.168.255.0 255.255.255.0 echo-reply
    access-list dmz_access_in extended permit icmp 192.168.9.0 255.255.255.0 192.168.100.0 255.255.255.0 echo-reply log disable
    access-list dmz_access_in remark QB probably does not need any udp
    access-list dmz_access_in extended permit udp host 192.168.9.4 host 192.168.100.5 eq 55333 inactive
    access-list dmz_access_in remark QB included in other rule range
    access-list dmz_access_in extended permit tcp host 192.168.9.4 host 192.168.100.5 eq 55333 inactive
    access-list dmz_access_in remark May be required for Quickbooks
    access-list dmz_access_in extended permit icmp host 192.168.9.4 host 192.168.100.5
    access-list CAD_capture extended permit ip host 192.168.9.4 host 192.168.100.5
    access-list CAD_capture extended permit ip host 192.168.100.5 host 192.168.9.4
    access-list inside_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.240
    access-list inside_nat0_outbound extended permit ip any 172.16.10.0 255.255.255.240
    access-list inside_nat0_outbound extended permit ip any 172.16.20.0 255.255.255.240
    access-list cad_supplies_RAVPN_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
    access-list cad_supplies_RAVPN_splitTunnelAcl standard permit 192.168.9.0 255.255.255.0
    access-list dmz_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.0
    access-list outside_cable_access_in extended permit icmp any host 50.84.96.182
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.182 eq ftp
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.182 eq ftp-data
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.183 eq www
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.183 eq https
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.180 eq www
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.180 eq https
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.181 eq www
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.181 eq https
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.179 eq www
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.179 eq https
    access-list Local_LAN_Access standard permit host 0.0.0.0
    access-list vpnusers_spitTunnelACL extended permit ip 192.168.100.0 255.255.255.0 any
    access-list nonat-in extended permit ip 192.168.100.0 255.255.255.0 172.16.20.0 255.255.255.0
    pager lines 24
    logging enable
    logging buffered informational
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500 
    mtu outside_cable 1500
    ip local pool VPN_IP_range 192.168.255.1-192.168.255.10 mask 255.255.255.0
    ip local pool VPN_Phone 172.16.20.1-172.16.20.10 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 10 interface
    global (outside_cable) 10 interface
    nat (inside) 0 access-list nonat-in
    nat (inside) 10 0.0.0.0 0.0.0.0
    nat (dmz) 0 access-list dmz_nat0_outbound
    nat (dmz) 10 0.0.0.0 0.0.0.0
    static (inside,outside) 76.244.75.62 192.168.100.25 netmask 255.255.255.255 dns
    static (dmz,outside) 76.244.75.61 192.168.9.123 netmask 255.255.255.255 dns
    static (dmz,outside) 76.244.75.59 192.168.9.124 netmask 255.255.255.255 dns
    static (dmz,outside) 76.244.75.58 192.168.9.4 netmask 255.255.255.255 dns
    static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
    static (dmz,outside) 76.244.75.60 192.168.9.10 netmask 255.255.255.255 dns
    static (inside,outside_cable) 50.84.96.183 192.168.100.25 netmask 255.255.255.255 dns
    static (dmz,outside_cable) 50.84.96.182 192.168.9.123 netmask 255.255.255.255 dns
    static (dmz,outside_cable) 50.84.96.180 192.168.9.124 netmask 255.255.255.255 dns
    static (dmz,outside_cable) 50.84.96.179 192.168.9.4 netmask 255.255.255.255 dns
    static (dmz,outside_cable) 50.84.96.181 192.168.9.10 netmask 255.255.255.255 dns
    access-group outside_access_in in interface outside
    access-group dmz_access_in in interface dmz
    access-group outside_cable_access_in in interface outside_cable
    route outside_cable 0.0.0.0 0.0.0.0 50.84.96.177 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.100.0 255.255.255.0 inside
    http 204.107.173.0 255.255.255.0 outside
    http 204.107.173.0 255.255.255.0 outside_cable
    http 0.0.0.0 0.0.0.0 outside_cable
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_cable_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_cable_map interface outside_cable
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto isakmp enable inside
    crypto isakmp enable outside
    crypto isakmp enable outside_cable
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    telnet 192.168.100.0 255.255.255.0 inside
    telnet timeout 5
    ssh 192.168.100.0 255.255.255.0 inside
    ssh 204.107.173.0 255.255.255.0 outside
    ssh 204.107.173.0 255.255.255.0 outside_cable
    ssh 0.0.0.0 0.0.0.0 outside_cable
    ssh timeout 15
    console timeout 0
    vpdn group dataDSL request dialout pppoe
    vpdn group dataDSL localname [email protected]
    vpdn group dataDSL ppp authentication pap
    vpdn username [email protected] password *********
    dhcpd address 192.168.100.30-192.168.100.99 inside
    dhcpd dns 192.168.100.5 68.94.156.1 interface inside
    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    webvpn
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    dns-server value 192.168.100.5
    vpn-tunnel-protocol IPSec l2tp-ipsec
    group-policy cad_supplies_RAVPN internal
    group-policy cad_supplies_RAVPN attributes
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value cad_supplies_RAVPN_splitTunnelAcl
    group-policy VPNPHONE internal
    group-policy VPNPHONE attributes
    dns-server value 192.168.100.5
    vpn-tunnel-protocol IPSec
    split-tunnel-policy excludespecified
    split-tunnel-network-list value Local_LAN_Access
    client-firewall none
    client-access-rule none
    username swinc password BlhBNWfh7XoeHcQC encrypted
    username swinc attributes
    vpn-group-policy cad_supplies_RAVPN
    username meredithp password L3lRjzwb7TnwOyZ1 encrypted
    username meredithp attributes
    vpn-group-policy cad_supplies_RAVPN
    service-type remote-access
    username ipphone1 password LOjpmeIOshVdCSOU encrypted privilege 0
    username ipphone1 attributes
    vpn-group-policy VPNPHONE
    username ipphone2 password LOjpmeIOshVdCSOU encrypted privilege 0
    username ipphone2 attributes
    vpn-group-policy VPNPHONE
    username ipphone3 password LOjpmeIOshVdCSOU encrypted privilege 0
    username ipphone3 attributes
    vpn-group-policy VPNPHONE
    username oethera password WKJxJq7L6wmktFNt encrypted
    username oethera attributes
    vpn-group-policy cad_supplies_RAVPN
    service-type remote-access
    username markh password nqH+bk6vj0fR83ai0SAxkg== nt-encrypted
    username markh attributes
    vpn-group-policy cad_supplies_RAVPN
    tunnel-group DefaultRAGroup general-attributes
    default-group-policy DefaultRAGroup
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *
    tunnel-group DefaultRAGroup ppp-attributes
    authentication ms-chap-v2
    tunnel-group cad_supplies_RAVPN type remote-access
    tunnel-group cad_supplies_RAVPN general-attributes
    address-pool VPN_IP_range
    default-group-policy cad_supplies_RAVPN
    tunnel-group cad_supplies_RAVPN ipsec-attributes
    pre-shared-key *
    tunnel-group VPNPHONE type remote-access
    tunnel-group VPNPHONE general-attributes
    address-pool VPN_Phone
    default-group-policy VPNPHONE
    tunnel-group VPNPHONE ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 1500
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:8b25ecc61861a2baa6d2556a3679cc7c
    : end

    Hi,
    You have your "group-policy" set so that you have excluding some networks from being tunneled.
    In this access-list named Local_LAN_Access you specify "0.0.0.0"
    Doesn't this mean you are excluding all networks from being tunneled? In other words no traffic goes to your tunnel.
    This access-list should only contain your local LAN network from where you are connecting with the VPN Client. If you don't need to access anything on your local LAN while having the VPN on, you don't even need this setting on. You could just tunnel all traffic instead of excluding some networks.
    - Jouni
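    The effect Jouni describes (an exclude list that covers the whole address space leaves nothing in the tunnel) can be checked without touching the firewall. The script below is an added example, not part of the thread: it models the three ASA `split-tunnel-policy` values against a standard ACL and reports whether a given destination would be sent through the tunnel. The `Local_LAN_Access` ACL itself is not reproduced in the thread, so the `0.0.0.0 0.0.0.0` entry is assumed from Jouni's description, and the client-side LAN `192.168.1.0/24` is a constructed stand-in; `192.168.100.5` is the inside DNS server from the posted config. One caveat worth knowing before changing the ACL: the legacy Cisco IPsec VPN Client treats a `host 0.0.0.0` entry in an exclude list as "the client's directly connected LAN" rather than as every address, which is the documented way to enable local LAN access for that client; the model here applies plain ACL semantics, which is what Jouni is reasoning from.

```python
"""Model ASA split-tunnel policy decisions from a standard ACL.

Added example for this thread; not code from the original post.
"""
import ipaddress

# Constructed ACL lines in the style of the posted config.  The actual
# Local_LAN_Access ACL is not shown in the thread; the 0.0.0.0 0.0.0.0
# entry is assumed from Jouni's reply.
ACL_EXCLUDE_ALL = [
    "access-list Local_LAN_Access standard permit 0.0.0.0 0.0.0.0",
]
# Corrected list: only the client's own LAN (assumed 192.168.1.0/24).
ACL_EXCLUDE_LOCAL_LAN = [
    "access-list Local_LAN_Access remark VPN Client local LAN only",
    "access-list Local_LAN_Access standard permit 192.168.1.0 255.255.255.0",
]


def parse_standard_acl(lines):
    """Return [(action, network)] from 'access-list NAME standard permit|deny ...' lines."""
    entries = []
    for line in lines:
        parts = line.split()
        # Skip remarks and anything that is not a standard ACL entry.
        if len(parts) < 5 or parts[2] != "standard":
            continue
        action = parts[3]
        if parts[4] == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif parts[4] == "host":
            net = ipaddress.ip_network(parts[5] + "/32")
        else:
            # ASA writes a dotted netmask after the network; ipaddress accepts that form.
            net = ipaddress.ip_network(f"{parts[4]}/{parts[5]}", strict=False)
        entries.append((action, net))
    return entries


def acl_permits(entries, dst):
    """First-match evaluation with the ASA's implicit deny at the end."""
    addr = ipaddress.ip_address(dst)
    for action, net in entries:
        if addr in net:
            return action == "permit"
    return False


def is_tunneled(policy, acl_lines, dst):
    """True if traffic to dst goes through the VPN under the given split-tunnel policy."""
    if policy == "tunnelall":
        return True
    matched = acl_permits(parse_standard_acl(acl_lines), dst)
    if policy == "tunnelspecified":      # only listed networks enter the tunnel
        return matched
    if policy == "excludespecified":     # listed networks bypass the tunnel
        return not matched
    raise ValueError(f"unknown split-tunnel-policy: {policy}")


if __name__ == "__main__":
    inside_dns = "192.168.100.5"         # dns-server value in the posted group-policy
    for name, acl in (("exclude-all", ACL_EXCLUDE_ALL), ("exclude-local-LAN", ACL_EXCLUDE_LOCAL_LAN)):
        print(f"{name}: {inside_dns} tunneled -> {is_tunneled('excludespecified', acl, inside_dns)}")
```

On the firewall, `show run access-list Local_LAN_Access` shows the real entries to feed into the model; if the goal is simply "everything through the VPN", `split-tunnel-policy tunnelall` under the group-policy removes the ACL from the decision entirely.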

  • Exchange certificates and services setup for internal and external clients access on separate domains.

    I have the following on my local network.
    Server DomainA -> Small Business server 2003/Exchange 2003
    Server DomainB -> Windows 2008 R2/Exchange 2013
    Clients Domain A ->  Windows XP/Outlook 2003
    Clients Domain B -> Windows 7/Outlook 2007/2010
    Problem:  I want clients from DomainA to log into Exchange on DomainB on the same local network.
    I need to know how to setup the DNS on both domains and the certificates on the DomainB Exchange server
    to accept the connection from the PC on domainA.   All connections from clients on domainB to server on domainB
    work correctly but when adding accounts to Outlook 2003/2007 on domainA clients I am getting certificate errors.
    I have purchased certificates for mail.domainb.com and autodiscover.domainb.com but I don't know how to get
    the clients on domainA to recognize those external URLs of the exchange server (with the certificates bound to them) from the internal network. Hence I get domain errors.
    I am getting issues when a client on DomainA tries to add an Outlook mail profile to connect to the Exchange on DomainB
    Any suggestions on how to set this up?
    thanks

    Domain A & Domain B are two separate AD Forests?
    Users in Domain A either need mailbox-enabled user accounts that are in DomainB or a linked mailbox in Domain B to utilise the Exchange Server in DomainB. In either case, with the help of the autodiscover service, users can use the services in ExchangeB.
    If the client machines are member of domainA and you are trying to access ExchangeB you will then need to leverage a custom XML file for autodiscover and force the Outlook client to use this file. 
    <?xml version="1.0" encoding="utf-8"?> 
    <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006"> 
      <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"> 
        <Account> 
          <AccountType>email</AccountType> 
          <Action>redirectUrl</Action> 
          <RedirectUrl>https://autodiscover.domain.com/autodiscover/autodiscover.xml</RedirectUrl> 
        </Account> 
      </Response> 
    </Autodiscover>
    Then you need to configure the client machine to query that XML file by adding the following registry value (refer to the XML file):
    for Outlook 2007:
    HKCU\Software\Microsoft\Office\12.0\Outlook\Autodiscover
    for Outlook 2010:
    HKCU\Software\Microsoft\Office\14.0\Outlook\Autodiscover
    STRING value: <your_namespace> = path to XML file
    you can find more information in the following link.
    Controlling Outlook Autodiscover behavior
    http://blogs.technet.com/b/kristinw/archive/2013/04/19/controlling-outlook-autodiscover-behavior.aspx
    CK
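    Before pushing the XML and registry value to the DomainA clients, it is worth confirming that the redirect target is actually one of the names the purchased certificate covers, since that name mismatch is the certificate error the question describes. The check below is an added example, not part of CK's answer or any Microsoft tooling: it parses the local redirect XML, extracts `RedirectUrl`, and verifies that the URL is HTTPS and that its hostname matches a subject alternative name on the certificate. The XML is the one CK posted with `domain.com` replaced by the question's `domainb.com`; the SAN list is constructed from the two names the poster says were purchased. The registry side of the setup is not modelled here.

```python
"""Sanity-check an Outlook autodiscover redirect XML against certificate names.

Added example for this thread; not part of the original answer.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS_RESP = "http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006"
NS_OUTLOOK = "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"

# The redirect XML from the answer, with the question's domain substituted in.
LOCAL_XML = f"""<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="{NS_RESP}">
  <Response xmlns="{NS_OUTLOOK}">
    <Account>
      <AccountType>email</AccountType>
      <Action>redirectUrl</Action>
      <RedirectUrl>https://autodiscover.domainb.com/autodiscover/autodiscover.xml</RedirectUrl>
    </Account>
  </Response>
</Autodiscover>
"""

# Constructed SAN list: the two names the poster says the certificate was bought for.
CERT_SANS = ["mail.domainb.com", "autodiscover.domainb.com"]


def redirect_target(xml_text):
    """Return (action, redirect_url) from the Outlook autodiscover response."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    account = root.find(f"{{{NS_OUTLOOK}}}Response/{{{NS_OUTLOOK}}}Account")
    if account is None:
        raise ValueError("no Response/Account element")
    return (account.findtext(f"{{{NS_OUTLOOK}}}Action"),
            account.findtext(f"{{{NS_OUTLOOK}}}RedirectUrl"))


def name_matches(hostname, cert_names):
    """Exact match, or a single-label wildcard such as *.domainb.com."""
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                       # ".domainb.com"
            labels_left = host[: -len(suffix)] if host.endswith(suffix) else None
            # The wildcard covers exactly one label, never zero or several.
            if labels_left and "." not in labels_left:
                return True
    return False


def check_redirect(xml_text, cert_names):
    """Return a list of problems; an empty list means the redirect is consistent."""
    problems = []
    action, url = redirect_target(xml_text)
    if action != "redirectUrl":
        problems.append(f"unexpected action: {action!r}")
    if not url:
        problems.append("RedirectUrl missing")
        return problems
    parsed = urlparse(url)
    if parsed.scheme != "https":
        problems.append("redirect is not https")
    if not parsed.hostname or not name_matches(parsed.hostname, cert_names):
        problems.append(f"{parsed.hostname} is not on the certificate")
    return problems


if __name__ == "__main__":
    print("problems:", check_redirect(LOCAL_XML, CERT_SANS))
```

An internal-only name such as the DomainB server's AD hostname would fail the same check, which is why the redirect has to point at a name that is both on the certificate and resolvable from DomainA's DNS.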
