Snom phones in secondary subnet unable to call out - SIP CANCEL in SIP log
I've been trying to diagnose this very strange problem we are having. All our servers and some SNOM phones are in the subnet 192.168.100.0, the main building. They all work fine. Phones located in two other buildings connected with high-speed fiber use subnets
192.168.1.0 and 192.168.200.0. They can receive calls but are unable to call out. This doesn't affect the Lync 2010 and 2013 desktop clients with enterprise voice...they work fine anywhere, even externally.
We are running Lync Server 2013 Standard Edition, with the latest updates applied. Mediation role is co-located. Edge server is setup and I think I have configured everything correctly. I have two network adapters, one external facing and one internal facing.
External facing one has dns settings and gateway, internal facing has neither. I have setup persistent routes that enable the edge server to ping hosts in 1.0 and 200.0 no problem. DNS is setup internally so anyone anywhere can ping the edge server (its dns
entry is routable lync2013edge.network.domain.ca). Phones used are the SNOM 720, I have the latest updates applied (8.8.3.27 UC)
On the actual SNOM phone, I will dial 7804636201. It will call and start ringing the other party. Almost exactly 10 seconds later I will hear a busy signal and then the phone displays "Media Connectivity Failure". I ran a log on SIP from the FE
Standard Edition server, here are some entries that I noticed that may have something to do with it (see bottom four paragraphs for SIP CANCEL)
TL_VERBOSE(TF_PARSE) [0]411C.2DE8::02/24/2015-17:23:42.240.0008db5d (SIPStack,CSIPMessage::ParseBufferChain:SIPMessage.cpp(694))( 0000005F03D806F0 ) Start Line: INVITE sip:7804636201;[email protected];user=phone SIP/2.0
TL_INFO(TF_PROTOCOL) [0]411C.2DE8::02/24/2015-17:23:42.269.0009106f (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265))[3706963737] $$begin_record
Trace-Correlation-Id: 3706963737
Instance-Id: 2F91
Direction: outgoing
Peer: lync2013.network.caedm.ca:5070
Message-Type: request
Start-Line: INVITE sip:[email protected]:5070;user=phone;maddr=lync2013.network.caedm.ca SIP/2.0
From: "Joel Smith" <sip:[email protected]>;tag=2ksjs48fxg;epid=000413774E0401
To: <sip:7804636201;[email protected];user=phone>
Call-ID: 3faa35f677ef48719b27c796251b0519
CSeq: 1 INVITE
Contact: <sip:[email protected];opaque=user:epid:cO0WSS9wCFqUnP0dpEh6uQAA;gruu>;reg-id=1
Via: SIP/2.0/TLS 192.168.100.17:55489;branch=z9hG4bKE036484A.405BD23C943B158E;branched=TRUE
Via: SIP/2.0/TLS 192.168.1.201:51470;branch=z9hG4bK-fdh7rhbbvsri;rport;ms-received-port=51470;ms-received-cid=600
Record-Route: <sip:Lync2013.network.caedm.ca:5061;transport=tls;opaque=state:T;lr>;tag=B39FB8145D545F357B2737F43833CEB4
Max-Forwards: 69
Content-Length: 3563
Content-Type: multipart/alternative;boundary="next_part_u00iwyrezkkuxf3d"
P-Asserted-Identity: "Joel Smith"<tel:+17808092404;ext=2404>
Message-Body: --next_part_u00iwyrezkkuxf3d
Content-Type: application/sdp
Content-Transfer-Encoding: 7bit
Content-Dis; handling=optional; ms-proxy-2007fallback
TL_INFO(TF_DIAG) [0]411C.2DE8::02/24/2015-17:23:42.270.000915ec (SIPStack,SIPAdminLog::WriteDiagnosticEvent:SIPAdminLog.cpp(802))[3706963737] $$begin_record
Severity: information
Text: Routed a locally generated response
SIP-Start-Line: SIP/2.0 100 Trying
SIP-Call-ID: 3faa35f677ef48719b27c796251b0519
SIP-CSeq: 1 INVITE
Peer: 192.168.1.201:51470
Data: destination="[email protected]"
$$end_record
TL_INFO(TF_PROTOCOL) [0]411C.2DE8::02/24/2015-17:23:42.274.000928d4 (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265))[3706963737] $$begin_record
Trace-Correlation-Id: 3706963737
Instance-Id: 2F93
Direction: outgoing;source="local"
Peer: 192.168.1.201:51470
Message-Type: response
Start-Line: SIP/2.0 101 Progress Report
From: "Joel Smith" <sip:[email protected]>;tag=2ksjs48fxg;epid=000413774E0401
To: <sip:7804636201;[email protected];user=phone>
Call-ID: 3faa35f677ef48719b27c796251b0519
CSeq: 1 INVITE
Via: SIP/2.0/TLS 192.168.1.201:51470;branch=z9hG4bK-fdh7rhbbvsri;rport;ms-received-port=51470;ms-received-cid=600
Content-Length: 0
ms-diagnostics: 12006;reason="Trying next hop";source="LYNC2013.NETWORK.CAEDM.CA";PhoneUsage="Long Distance";PhoneRoute="LocalRoute";Gateway="208.68.17.53";appName="OutboundRouting"
$$end_record
TL_INFO(TF_PROTOCOL) [1]411C.2DE8::02/24/2015-17:23:42.488.000930bc (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265))[741182734] $$begin_record
Trace-Correlation-Id: 741182734
Instance-Id: 2F96
Direction: incoming
Peer: lync2013.network.caedm.ca:5070
Message-Type: response
Start-Line: SIP/2.0 183 Session Progress
FROM: "Joel Smith"<sip:[email protected]>;tag=2ksjs48fxg;epid=000413774E0401
TO: <sip:7804636201;[email protected];user=phone>;tag=d265bdc1c8;epid=0A24894D6D
CALL-ID: 3faa35f677ef48719b27c796251b0519
CSEQ: 1 INVITE
CONTACT: <sip:[email protected];gruu;opaque=srvr:MediationServer:0wzNMLUTNFKXO5KjW1mbdQAA>;isGateway
VIA: SIP/2.0/TLS 192.168.100.17:55489;branch=z9hG4bKE036484A.405BD23C943B158E;branched=TRUE,SIP/2.0/TLS 192.168.1.201:51470;branch=z9hG4bK-fdh7rhbbvsri;rport;ms-received-port=51470;ms-received-cid=600
RECORD-ROUTE: <sip:Lync2013.network.caedm.ca:5061;transport=tls;opaque=state:T;lr>;tag=B39FB8145D545F357B2737F43833CEB4
CONTENT-LENGTH: 1388
CONTENT-TYPE: application/sdp
TL_VERBOSE(TF_NETWORK) [0]411C.2DE8::02/24/2015-17:23:51.369.00098f6b (SIPStack,CRecvContext::CreateIncomingRequest:RecvContext.cpp(920))[3030787245]( 0000005F01E739D0 ) creating SIP_MID_CANCEL request
TL_VERBOSE(TF_PARSE) [0]411C.2DE8::02/24/2015-17:23:51.369.00098f90 (SIPStack,CSIPMessage::ParseBufferChain:SIPMessage.cpp(694))( 0000005F03D7E2E0 ) Start Line: CANCEL sip:7804636201;[email protected];user=phone SIP/2.0
TL_VERBOSE(TF_PARSE) [0]411C.2DE8::02/24/2015-17:23:51.369.00099054 (SIPStack,CSIPMessage::ParseNextHeader:SIPMessage.cpp(1532))( 0000005F03D7E2E0 ) Found Header: Reason: SIP;cause=488;text="Media Connectivity Failure"
TL_INFO(TF_PROTOCOL) [0]411C.2DE8::02/24/2015-17:23:51.369.000990c6 (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265))[3706963737] $$begin_record
Trace-Correlation-Id: 3706963737
Instance-Id: 2FA0
Direction: incoming
Peer: 192.168.1.201:51470
Message-Type: request
Start-Line: CANCEL sip:7804636201;[email protected];user=phone SIP/2.0
From: "Joel Smith" <sip:[email protected]>;tag=2ksjs48fxg;epid=000413774E0401
To: <sip:7804636201;[email protected];user=phone>
Call-ID: 3faa35f677ef48719b27c796251b0519
CSeq: 1 CANCEL
Via: SIP/2.0/TLS 192.168.1.201:51470;branch=z9hG4bK-fdh7rhbbvsri;rport
Max-Forwards: 70
Content-Length: 0
$$end_record
I thought it might be a timeout issue, so I tried following these steps located here:
http://ipfone.hu/lync-mediation-server-cancel-problem/ After rebooting the server no changes were noticed.
I also checked out this website
http://blog.insidelync.com/2013/04/sip-trunking-101-with-lync-server-2013/ regarding disabling the check box "enable outbound routing failover timeout". Doing that had no effect.
Any other ideas would be appreciated.
Hi,
yes I see the config file is very simple and standard.
So the issue with snom on branch sites is random, it's correct?
From what I read in your answer, sometimes you can establish a correct communication between a snom and the called number +17804636201.
Have you tried to collect a network capture on a snom at branch location?
Do you have some other version of snom phone (300, 710, 821) to test?
Do you have some LPE ip-phone (Polycom CX600 o HP4110-4120) to test?
Regards
Luca
Luca Vitali | MCITP Lync/Exchange | snom Certified Engineer | Sonus SBC1000 Engineer
Similar Messages
-
/crystal/rptadmin - Unable to call out to destination.
We are changing the Enterprise system from a BOE 3.1 to BOE 4.1 sp2 in transaction /crystal/rptadmin.
I've made the necessary entries in each of the screens for that transaction.....including a valid / working RFC pointing to the new 4.1 system. I have also re-assigned the Roles to this new Enterprise system.
The BW Publishing service is running and connected to the registered server program ok.
However when I click on "Verify BOE definition" on the RFC Destination Tab...I get this.
"Unable to call out to destination. Verify destination in SM59" ----(and the rfc in sm59 works perfectly)
Any feedback is appreciated!
LinwoodCheck this http://service.sap.com/sap/support/notes/1670639
Cheers
Pa1 -
I noticed today that my galaxy will not connect when calling out. It has good service connection and will send texts, and I can receive calls, but it just keeps saying "dialing" when trying to make calls. Anyone have any suggestions on how to remedy this?
Hello kornari!
That's a little unusual. I want to make sure this gets fixed for you. When did you start having issues with calling? How long have you had your phone? One step to try first is to remove & reinsert the SIM card in your phone.
You can also follow the steps in our troubleshooting guide to try to get your calls working again. http://vz.to/12TLCsR
Thank you,
MichelleH_VZW
Follow us on Twitter @VZWSupport -
After 6 hours on the phone I am still unable to see my account info when I log in to My Verizon
Due to a billing error Verizon shut down my old account, issued me a new phone number and new account number. However I cannot see any of my new information for this new account when I log in to My Verizon. I have called their web support six times to correct this issue and it is still not fixed. I am told that my old username was moved to my new account and I believe this has happened because if I try to register my new account on My Verizon I get a message stating that this account is already registered for My Verizon. On top of that my bill (which I cannot see online) was incorrect and I spent another hour on the phone yesterday correcting that issue. Couple all of this with the fact that I was told a tech was coming to my home two weeks ago but he never showed up and I took a day off of work for no reason. I have been a FIOS customer for over two years but the events of this month have made me seriously consider dropping all of my services permanently. I just want my online account fixed and any assistance would be greatly appreciated
Hello Camps,
I apologize that you have been having so many problems, please PM me your contact information and I will see what we can do to assist you.
Peter C
Peter_VZ
Verizon Support
Notice: Content posted by Verizon employees is meant to be informational and does not supersede or change the Verizon Forums User Guidelines or Terms or Service, or your Customer Agreement Terms and Conditions or Plan. -
Unable to access secondary subnet via VPN
I am having a problem with clients accessing a secondary subnet via VPN.
Clients on VPN are given the address on the 192.168.15.0 subnet. Once connected they can access 192.168.16.0 (Production subnet) fine, but are unable to access the 192.168.8.0 secondary subnet. If you are on the 192.168.16.0 subnet in the office you can access 192.168.8.0 subnet fine. The traffic is coming in via an ASA 5510 then traverses a Juniper firewall and a MPLS router to the secondary subnet. I'm not sure if it's a nat issue or not. Any help would be helpful.
Below is the config of the ASA. Thank you in advance
ASA Version 8.2(5)
hostname charlotte
domain-name tg.local
enable password v4DuEgO1ZTlkUiaA encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.254.0 Peak10 description Peak10
name 192.168.116.0 Charlotte_Phones description Charlotte_Phones
name 192.168.15.0 Charlotte_SSL_VPN_Clients description Charlotte_SSL_VPN_Client s
name 192.168.17.0 Charlotte_Wireless_Data description Charlotte_Wireless_Data
name 192.168.117.0 Charlotte_Wireless_Phones description Charlotte_Wireless_Phon es
name 192.168.5.0 Huntersville description Huntersville
name 192.168.16.1 SRX_Gateway description Juniper_SRX
name 192.168.108.0 Canton_Data description Canton_Data
name 192.168.8.0 Canton_Phones description Canton_Phones
name 192.168.9.0 Canton_Wireless_Data description Canton_Wireless_Data
name 192.168.109.0 Canton_Wireless_Phones description Canton_Wireless_Phones
name 192.168.16.4 TEST_IP description TEST_IP
name 192.168.16.2 CantonGW description Canton GW 192.168.16.2
name 192.168.5.1 HuntersvilleGW
name 10.176.0.0 RS_Cloud description 10.176.0.0/12
name 172.16.8.0 RS_172.16.8.0
name 172.16.48.0 RS_172.16.48.0
name 172.16.52.0 RS_172.16.52.0
name 10.208.0.0 RS_Cloud_New
name 10.178.0.0 RS_10.178.0.0 description Rackspace DEV servers
name 10.178.0.6 RS_10.178.0.6
name 172.16.20.0 RS_172.16.20.0
interface Ethernet0/0
nameif Outside
security-level 0
ip address 70.63.165.219 255.255.255.248
interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.16.202 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
banner login ASA Login - Unauthorized access is prohibited
banner login ASA Login - Unauthorized access is prohibited
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Outside
dns domain-lookup Inside
dns domain-lookup management
dns server-group DefaultDNS
name-server 192.168.16.122
name-server 8.8.8.8
domain-name tg.local
dns server-group defaultdns
name-server 192.168.16.122
domain-name tg.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_2
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object Canton_Phones 255.255.255.0
object-group network DM_INLINE_NETWORK_3
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object Huntersville 255.255.255.0
object-group network DM_INLINE_NETWORK_4
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object Huntersville 255.255.255.0
object-group network DM_INLINE_NETWORK_10
network-object RS_Cloud 255.240.0.0
network-object 172.16.0.0 255.255.252.0
network-object RS_172.16.8.0 255.255.252.0
network-object RS_172.16.48.0 255.255.252.0
network-object RS_172.16.52.0 255.255.252.0
network-object RS_Cloud_New 255.240.0.0
network-object RS_10.178.0.0 255.255.0.0
network-object RS_172.16.20.0 255.255.252.0
network-object 172.16.0.0 255.255.0.0
network-object Canton_Phones 255.255.255.0
object-group network DM_INLINE_NETWORK_7
network-object RS_Cloud 255.240.0.0
network-object 172.16.0.0 255.255.252.0
network-object RS_172.16.8.0 255.255.252.0
network-object RS_172.16.48.0 255.255.240.0
network-object RS_172.16.52.0 255.255.252.0
network-object RS_Cloud_New 255.240.0.0
network-object RS_10.178.0.0 255.255.0.0
network-object RS_172.16.20.0 255.255.252.0
network-object 172.16.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_8
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object Charlotte_Wireless_Data 255.255.255.0
network-object Canton_Data 255.255.255.0
network-object Canton_Phones 255.255.255.0
object-group network DM_INLINE_NETWORK_9
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object Charlotte_Wireless_Data 255.255.255.0
network-object Canton_Data 255.255.255.0
network-object Canton_Phones 255.255.255.0
object-group network DM_INLINE_NETWORK_11
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object Charlotte_Wireless_Data 255.255.255.0
object-group network DM_INLINE_NETWORK_12
network-object RS_Cloud 255.240.0.0
network-object 172.16.0.0 255.255.252.0
network-object RS_172.16.8.0 255.255.252.0
network-object RS_172.16.20.0 255.255.252.0
network-object 172.16.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_13
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object Charlotte_Wireless_Data 255.255.255.0
network-object Canton_Phones 255.255.255.0
network-object Canton_Data 255.255.255.0
network-object Canton_Wireless_Data 255.255.255.0
object-group network DM_INLINE_NETWORK_14
network-object RS_Cloud 255.240.0.0
network-object RS_172.16.48.0 255.255.252.0
network-object RS_172.16.52.0 255.255.252.0
network-object RS_Cloud_New 255.240.0.0
network-object RS_10.178.0.0 255.255.0.0
network-object RS_172.16.20.0 255.255.252.0
network-object 172.16.0.0 255.255.0.0
network-object 172.16.0.0 255.255.252.0
object-group network DM_INLINE_NETWORK_5
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object Charlotte_Wireless_Data 255.255.255.0
network-object Canton_Phones 255.255.255.0
network-object Canton_Data 255.255.255.0
network-object Canton_Wireless_Data 255.255.255.0
object-group network DM_INLINE_NETWORK_6
network-object RS_Cloud 255.240.0.0
network-object RS_Cloud_New 255.240.0.0
network-object 172.16.0.0 255.255.252.0
network-object RS_172.16.8.0 255.255.252.0
network-object RS_172.16.20.0 255.255.252.0
network-object 172.16.0.0 255.255.0.0
network-object Canton_Phones 255.255.255.0
object-group network tgnc074.tg.local
object-group icmp-type DM_INLINE_ICMP_1
icmp-object echo
icmp-object echo-reply
icmp-object traceroute
icmp-object unreachable
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp eq https
object-group icmp-type DM_INLINE_ICMP_2
icmp-object echo
icmp-object echo-reply
icmp-object traceroute
icmp-object unreachable
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
object-group service DM_INLINE_SERVICE_3
service-object ip
service-object icmp echo
service-object icmp echo-reply
object-group network DM_INLINE_NETWORK_1
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
object-group service DM_INLINE_SERVICE_4
service-object ip
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
object-group service DM_INLINE_SERVICE_5
service-object ip
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
object-group network DM_INLINE_NETWORK_15
network-object Canton_Data 255.255.255.0
network-object host CantonGW
object-group service DM_INLINE_SERVICE_6
service-object ip
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
object-group service DM_INLINE_SERVICE_7
service-object ip
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_2 Ch arlotte_SSL_VPN_Clients 255.255.255.0 any
access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_5 ho st SRX_Gateway Charlotte_SSL_VPN_Clients 255.255.255.0
access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_7 Ch arlotte_SSL_VPN_Clients 255.255.255.0 host SRX_Gateway
access-list Inside_access_in extended permit icmp any any object-group DM_INLINE _ICMP_1
access-list Inside_access_in remark Permit all in Char_ORD_VPN
access-list Inside_access_in extended permit ip object-group DM_INLINE_NETWORK_7 object-group DM_INLINE_NETWORK_8
access-list Inside_access_in remark Permit all out Char_ORD_VPN
access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_1 ob ject-group DM_INLINE_NETWORK_9 object-group DM_INLINE_NETWORK_10
access-list Inside_access_in extended permit ip Charlotte_SSL_VPN_Clients 255.25 5.255.0 any
access-list Inside_access_in remark Permit all in Char_ORD_VPN
access-list Inside_access_in remark Permit all out Char_ORD_VPN
access-list Inside_access_in extended permit ip object-group DM_INLINE_NETWORK_9 object-group DM_INLINE_NETWORK_10 log disable
access-list Tunneled_Network_List standard permit 192.168.16.0 255.255.255.0
access-list Tunneled_Network_List standard permit Charlotte_Phones 255.255.255.0
access-list Tunneled_Network_List standard permit Charlotte_Wireless_Data 255.25 5.255.0
access-list Tunneled_Network_List standard permit Charlotte_Wireless_Phones 255. 255.255.0
access-list Tunneled_Network_List standard permit Peak10 255.255.255.0
access-list Tunneled_Network_List standard permit Canton_Data 255.255.255.0
access-list Tunneled_Network_List standard permit Canton_Phones 255.255.255.0
access-list Tunneled_Network_List standard permit Canton_Wireless_Data 255.255.2 55.0
access-list Tunneled_Network_List standard permit Canton_Wireless_Phones 255.255 .255.0
access-list Tunneled_Network_List standard permit Huntersville 255.255.255.0
access-list Tunneled_Network_List standard permit 172.16.0.0 255.255.252.0
access-list Tunneled_Network_List standard permit RS_172.16.8.0 255.255.252.0
access-list Tunneled_Network_List standard permit RS_Cloud 255.240.0.0
access-list Tunneled_Network_List standard permit RS_Cloud_New 255.240.0.0
access-list Tunneled_Network_List standard permit RS_172.16.20.0 255.255.252.0
access-list Tunneled_Network_List standard permit Charlotte_SSL_VPN_Clients 255. 255.255.0
access-list Tunneled_Network_List standard permit 172.16.0.0 255.255.0.0
access-list Inside_nat0_outbound extended permit ip Charlotte_SSL_VPN_Clients 25 5.255.255.0 object-group DM_INLINE_NETWORK_2
access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWO RK_11 object-group DM_INLINE_NETWORK_12
access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWO RK_5 object-group DM_INLINE_NETWORK_6
access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWO RK_1 object-group DM_INLINE_NETWORK_2
access-list Limited_Access extended permit ip Charlotte_SSL_VPN_Clients 255.255. 255.0 host TEST_IP
access-list Limited__VPN_Acccess_List standard permit host 192.168.16.123
access-list Limited__VPN_Acccess_List standard permit Huntersville 255.255.255.0
access-list Limited__VPN_Acccess_List standard permit host 192.168.16.124
access-list Limited__VPN_Acccess_List standard permit 192.168.16.0 255.255.255.0
access-list Limited__VPN_Acccess_List standard permit host 172.16.8.52
access-list Limited__VPN_Acccess_List standard permit Canton_Phones 255.255.255. 0
access-list Limited__VPN_Acccess_List remark ORD-VM-DEV1
access-list Limited__VPN_Acccess_List standard permit host RS_10.178.0.6
access-list Limited__VPN_Acccess_List remark ORD-VM-DEV2
access-list Limited__VPN_Acccess_List standard permit host 10.178.192.103
access-list Limited__VPN_Acccess_List standard permit host 192.168.8.10
access-list Limited__VPN_Acccess_List standard permit RS_172.16.8.0 255.255.252. 0
access-list Limited__VPN_Acccess_List standard permit 172.16.0.0 255.255.0.0
access-list Limited__VPN_Acccess_List standard permit host 10.178.133.26
access-list Limited__VPN_Acccess_List standard permit RS_Cloud_New 255.240.0.0
access-list Limited__VPN_Acccess_List standard permit host CantonGW
access-list Limited__VPN_Acccess_List standard permit host SRX_Gateway
access-list Limited__VPN_Acccess_List standard permit host 192.168.8.1
access-list Limited__VPN_Acccess_List standard permit RS_Cloud 255.240.0.0
access-list Limited__VPN_Acccess_List standard permit any
access-list Limited__VPN_Acccess_List remark TGTFS
access-list Limited__VPN_Acccess_List remark TGDEV
access-list Limited__VPN_Acccess_List remark TGTFS
access-list Limited__VPN_Acccess_List remark TGDEV
access-list Outside_cryptomap extended permit ip 192.168.16.0 255.255.255.0 Huntersville 255.255.255.0
access-list Outside_cryptomap extended permit ip Huntersville 255.255.255.0 Charlotte_SSL_VPN_Clients 255.255.255.0
access-list Huntersville_nat_outbound extended permit ip Charlotte_SSL_VPN_Clients 255.255.255.0 Huntersville 255.255.255.0
access-list Huntersville_nat_outbound extended permit ip Huntersville 255.255.255.0 Charlotte_SSL_VPN_Clients 255.255.255.0
access-list Huntersville_nat_outbound extended permit ip Canton_Phones 255.255.255.0 Charlotte_SSL_VPN_Clients 255.255.255.0
access-list Huntersville_nat_outbound extended permit ip Charlotte_SSL_VPN_Clients 255.255.255.0 Canton_Phones 255.255.255.0
access-list Outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6
access-list Outside_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_13 object-group DM_INLINE_NETWORK_14
access-list Outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_2 log disable
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any Charlotte_SSL_VPN_Clients 255.255.255.0
access-list Outside_access_in extended permit ip Huntersville 255.255.255.0 any log disable
access-list Outside_access_in extended permit ip Charlotte_SSL_VPN_Clients 255.255.255.0 any log disable
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_4 host SRX_Gateway Charlotte_SSL_VPN_Clients 255.255.255.0 inactive
access-list Outside_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6
access-list Outside_cryptomap_2 extended permit ip 192.168.16.0 255.255.255.0 RS_172.16.20.0 255.255.252.0
access-list Canton_nat_outbound extended permit object-group DM_INLINE_SERVICE_6 Charlotte_SSL_VPN_Clients 255.255.255.0 object-group DM_INLINE_NETWORK_15
access-list splitacl standard permit 192.168.16.0 255.255.255.0
pager lines 24
logging enable
logging console emergencies
logging monitor informational
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool SSL_VPN_Pool 192.168.15.10-192.168.15.254 mask 255.255.255.0
ip local pool New_VPN_Pool 192.168.16.50-192.168.16.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Inside
no asdm history enable
arp timeout 14400
nat (Outside) 0 access-list Huntersville_nat_outbound
nat (Inside) 0 access-list Inside_nat0_outbound
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 70.63.165.217 1
route Inside Canton_Phones 255.255.255.0 CantonGW 1
route Inside Canton_Wireless_Data 255.255.255.0 CantonGW 1
route Inside Charlotte_SSL_VPN_Clients 255.255.255.0 SRX_Gateway 1
route Inside Charlotte_Wireless_Data 255.255.255.0 SRX_Gateway 1
route Inside Canton_Data 255.255.255.0 CantonGW 1
route Inside Canton_Wireless_Phones 255.255.255.0 CantonGW 1
route Inside Charlotte_Phones 255.255.255.0 SRX_Gateway 1
route Inside 192.168.116.219 255.255.255.255 CantonGW 1
route Inside Charlotte_Wireless_Phones 255.255.255.0 SRX_Gateway 1
route Inside Peak10 255.255.255.0 SRX_Gateway 1
timeout xlate 3:00:00
timeout conn 8:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record TGAD_AccessPolicy
aaa-server TGAD protocol ldap
aaa-server TGAD (Inside) host 192.168.16.122
ldap-base-dn DC=tg,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=vpn user,CN=Users,DC=tg,DC=local
server-type microsoft
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa local authentication attempts max-fail 10
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.16.0 255.255.255.0 Inside
http Charlotte_SSL_VPN_Clients 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map0 1 match address Outside_cryptomap
crypto map Outside_map0 1 set pfs
crypto map Outside_map0 1 set peer 74.218.175.168
crypto map Outside_map0 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map0 2 match address Outside_cryptomap_2
crypto map Outside_map0 2 set peer 192.237.229.119
crypto map Outside_map0 2 set transform-set ESP-3DES-MD5
crypto map Outside_map0 3 match address Outside_cryptomap_1
crypto map Outside_map0 3 set peer 174.143.192.65
crypto map Outside_map0 3 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map0 interface Outside
crypto map Inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Inside_map interface Inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=charlotte
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
subject-name CN=charlotte
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint1
certificate 48676150
3082024c 308201b5 a0030201 02020448 67615030 0d06092a 864886f7 0d010105
05003038 31123010 06035504 03130963 6861726c 6f747465 31223020 06092a86
4886f70d 01090216 13636861 726c6f74 74652e74 68696e6b 67617465 301e170d
31323039 32353038 31373333 5a170d32 32303932 33303831 3733335a 30383112
30100603 55040313 09636861 726c6f74 74653122 30200609 2a864886 f70d0109
02161363 6861726c 6f747465 2e746869 6e6b6761 74653081 9f300d06 092a8648
86f70d01 01010500 03818d00 30818902 8181008e d3e1ac63 a8a39dab 02170491
2bf104d2 732c7fd7 7065758b 03bb9772 c8ab9faf 0e5e9e93 bfb57eea a849c875
7899d261 8d426c37 9749d3d7 c86ca8e0 1d978069 3d43e7c5 569bb738 37e9bb31
0ebd5065 01eb7a05 87933d2d 786a722e 8eee16e7 3207510b f5e7e704 cbddbda2
a6b9ae45 efaba898 b8c921b6 2b05c0fb 1b0a9b02 03010001 a3633061 300f0603
551d1301 01ff0405 30030101 ff300e06 03551d0f 0101ff04 04030201 86301f06
03551d23 04183016 8014fb93 35da7dd5 15d8e2ad 8e05ccf7 b5c333cc 95ac301d
0603551d 0e041604 14fb9335 da7dd515 d8e2ad8e 05ccf7b5 c333cc95 ac300d06
092a8648 86f70d01 01050500 03818100 6851ae52 5383c6f6 9e3ea714 85b2c5a0
fd720959 a0b91899 806bad7a 08e2208e de22cad0 6692b09a 7152b21e 3bbfce68
cc9f1391 8c460a04 a15e1a9e b18f829d 6d42d9bd ed5346bd 73a402f7 21e0c746
02757fb6 b60405a9 ac3b9070 8c0f2fba d12f157b 85dd0a8b 2e9cf830 90a19412
c7af1667 37b5ed8e c023ea4d 0c434609
quit
crypto isakmp enable Outside
crypto isakmp enable Inside
crypto isakmp policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 170
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 5
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh 172.221.228.164 255.255.255.255 Outside
ssh Charlotte_SSL_VPN_Clients 255.255.255.0 Inside
ssh 192.168.16.0 255.255.255.0 Inside
ssh timeout 5
console timeout 0
management-access Inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint1 Outside
webvpn
enable Outside
enable Inside
anyconnect-essentials
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1 regex "Windows NT"
svc enable
group-policy DfltGrpPolicy attributes
dns-server value 192.168.16.122 8.8.8.8
vpn-idle-timeout none
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Limited__VPN_Acccess_List
default-domain value tg.local
split-dns value tg.local
group-policy LimitedAccessGroupPolicy internal
group-policy LimitedAccessGroupPolicy attributes
wins-server none
dns-server value 192.168.16.122 8.8.8.8
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Limited__VPN_Acccess_List
default-domain value thinkgate.local
split-tunnel-all-dns disable
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
vpn-tunnel-protocol IPSec
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
wins-server none
dns-server value 192.168.16.122 8.8.8.8
vpn-tunnel-protocol svc
default-domain value tg.local
group-policy Site-to-Site_Policy internal
group-policy Site-to-Site_Policy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
default-group-policy LimitedAccessGroupPolicy
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool SSL_VPN_Pool
tunnel-group LimitedAccessTunnelGroup type remote-access
tunnel-group LimitedAccessTunnelGroup general-attributes
address-pool SSL_VPN_Pool
default-group-policy LimitedAccessGroupPolicy
tunnel-group 208.104.76.178 type ipsec-l2l
tunnel-group 208.104.76.178 ipsec-attributes
pre-shared-key *****
tunnel-group 74.218.175.168 type ipsec-l2l
tunnel-group 74.218.175.168 ipsec-attributes
pre-shared-key *****
tunnel-group TGAD_ConnectionProfile type remote-access
tunnel-group TGAD_ConnectionProfile general-attributes
authentication-server-group TGAD
default-group-policy GroupPolicy1
tunnel-group 174.143.192.65 type ipsec-l2l
tunnel-group 174.143.192.65 general-attributes
default-group-policy GroupPolicy2
tunnel-group 174.143.192.65 ipsec-attributes
pre-shared-key *****
tunnel-group 192.237.229.119 type ipsec-l2l
tunnel-group 192.237.229.119 ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:ef741b4905b43dc36d0f621e06508840
: end
charlotte#What does the packet-tracer say, what does the IPsec associations say (packets encrypted/decrypted)?
This might be faster that going through your hundreds of lines of config. -
Unable to access secondary subnet from VPN client
Please can someone help with the following; I have an ASA 5510 running v8.4(3)9 and have setup a remote user VPN using the Cisco VPN client v5.0.07.0410 which is working appart from the fact that I cannot access resources on a secondary subnet.
The setup is as follows:
ASA inside interface on 192.168.10.240
VPN clients on 192.168.254.x
I can access reources on the 192.168.10 subnet but not any other subnets internally, I need to specifically allow access to the 192.168.20 subnet, but I cannot figure out how to do this please advise, the config is below: -
Result of the command: "show startup-config"
ASA Version 8.4(3)9
hostname blank
domain-name
enable password encrypted
passwd encrypted
names
dns-guard
interface Ethernet0/0
nameif outside
security-level 0
ip address 255.255.255.224
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.240 255.255.255.0
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 10.10.10.253 255.255.255.0
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
boot system disk0:/asa843-9-k8.bin
boot system disk0:/asa823-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 194.168.4.123
name-server 194.168.8.123
domain-name nifcoeu.com
object network obj-192.168.0.0
subnet 192.168.0.0 255.255.255.0
object network obj-192.168.5.0
subnet 192.168.5.0 255.255.255.0
object network obj-192.168.10.0
subnet 192.168.10.0 255.255.255.0
object network obj-192.168.100.0
subnet 192.168.100.0 255.255.255.0
object network obj-192.168.254.0
subnet 192.168.254.0 255.255.255.0
object network obj-192.168.20.1
host 192.168.20.1
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj_any-01
subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
host 0.0.0.0
object network obj_any-02
subnet 0.0.0.0 0.0.0.0
object network obj-10.10.10.1
host 10.10.10.1
object network obj_any-03
subnet 0.0.0.0 0.0.0.0
object network obj_any-04
subnet 0.0.0.0 0.0.0.0
object network obj_any-05
subnet 0.0.0.0 0.0.0.0
object network NS1000_EXT
host 80.4.146.133
object network NS1000_INT
host 192.168.20.1
object network SIP_REGISTRAR
host 83.245.6.81
object service SIP_INIT_TCP
service tcp destination eq sip
object service SIP_INIT_UDP
service udp destination eq sip
object network NS1000_DSP
host 192.168.20.2
object network SIP_VOICE_CHANNEL
host 83.245.6.82
object service DSP_UDP
service udp destination range 6000 40000
object service DSP_TCP
service tcp destination range 6000 40000
object network 20_range_subnet
subnet 192.168.20.0 255.255.255.0
description Voice subnet
object network 25_range_Subnet
subnet 192.168.25.0 255.255.255.0
description VLAN 25 client PC devices
object-group network ISP_NAT
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service SIP_INIT tcp-udp
port-object eq sip
object-group service DSP_TCP_UDP tcp-udp
port-object range 6000 40000
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object 20_range_subnet 192.168.254.0 255.255.255.0
access-list Remote-VPN_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list Remote-VPN_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
access-list 100 extended permit object-group TCPUDP object SIP_REGISTRAR object NS1000_INT object-group SIP_INIT
access-list 100 extended permit object-group TCPUDP object SIP_VOICE_CHANNEL object NS1000_DSP object-group DSP_TCP_UDP
access-list 100 extended permit ip 62.255.171.0 255.255.255.224 any
access-list 100 extended permit icmp any any echo-reply inactive
access-list 100 extended permit icmp any any time-exceeded inactive
access-list 100 extended permit icmp any any unreachable inactive
access-list 100 extended permit tcp any host 10.10.10.1 eq ftp
access-list 100 extended permit tcp any host 10.10.10.1 eq ftp-data
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
ip local pool VPN-Pool 192.168.254.1-192.168.254.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
asdm history enable
arp timeout 14400
nat (inside,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.5.0 obj-192.168.5.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.100.0 obj-192.168.100.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.254.0 obj-192.168.254.0 no-proxy-arp route-lookup
nat (outside,inside) source static SIP_REGISTRAR SIP_REGISTRAR destination static interface NS1000_INT service SIP_INIT_TCP SIP_INIT_TCP
nat (outside,inside) source static SIP_REGISTRAR SIP_REGISTRAR destination static interface NS1000_INT service SIP_INIT_UDP SIP_INIT_UDP
object network obj_any
nat (inside,outside) dynamic interface
object network obj_any-01
nat (inside,outside) dynamic obj-0.0.0.0
object network obj_any-02
nat (inside,DMZ) dynamic obj-0.0.0.0
object network obj-10.10.10.1
nat (DMZ,outside) static 80.4.146.134
object network obj_any-03
nat (DMZ,outside) dynamic obj-0.0.0.0
object network obj_any-04
nat (management,outside) dynamic obj-0.0.0.0
object network obj_any-05
nat (management,DMZ) dynamic obj-0.0.0.0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 80.4.146.129 1
route inside 192.168.20.0 255.255.255.0 192.168.10.254 1
route inside 192.168.25.0 255.255.255.0 192.168.10.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.10.0 255.255.255.0 inside
http 192.168.25.0 255.255.255.0 inside
http 62.255.171.0 255.255.255.224 outside
http 192.168.254.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=
crl configure
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 2f0e024d
quit
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
quit
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh 62.255.171.0 255.255.255.224 outside
ssh 192.168.254.0 255.255.255.0 outside
ssh 192.168.10.0 255.255.255.0 inside
ssh 192.168.25.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
vpn-sessiondb max-other-vpn-limit 250
vpn-sessiondb max-anyconnect-premium-or-essentials-limit 2
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.10.6 source inside prefer
webvpn
group-policy Remote-VPN internal
group-policy Remote-VPN attributes
wins-server value 192.168.10.21 192.168.10.22
dns-server value 192.168.10.21 192.168.10.22
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Remote-VPN_splitTunnelAcl
default-domain value
username blank password blank encrypted privilege 0
username blank attributes
vpn-group-policy Remote-VPN
username blank password encrypted privilege 0
username blank attributes
vpn-group-policy Remote-VPN
tunnel-group Remote-VPN type remote-access
tunnel-group Remote-VPN general-attributes
address-pool VPN-Pool
default-group-policy Remote-VPN
tunnel-group Remote-VPN ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
inspect sip
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
contact-email-addr
profile CiscoTAC-1
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:b8263c5aa7a6a4d9cb08368c042ea236Your config was missing a no-nat between your "192.168.20.0" and "obj-192.168.254.0"
So, if you look at your config there is a no-nat for inside subnet "obj-192.168.10.0" as shown below.
nat (inside,any) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.254.0 obj-192.168.254.0
So all you have to do is create a no-nat for your second subnet, like I showed you before, the solution was already there on your config but I guess you over looked at it.
I hope that helps.
Thanks
Rizwan Rafeek -
Unable to call or text while overseas, but calling the US is ok
I used to have a Blackberry Bold through Verizon and had no problems using it overseas. A month or so I upgraded to a HTC DNA and as usual, called Verizon to sign up for their global data plan, and took my HTC overseas. Once in Europe, I was unable to call or text locally, or even sending or receiving texts to/from the US. I tried calling the US and that did work. I tried the "+" and "00" and had all the correct country/city codes locally. I called Verizon back home and the global service tech just asked me to keep trying the "00" but it didn't work. The only thing I did turn off on my phone was the "roaming data". My airplane mode is off. I am still overseas currently, but not able to communicate. Everytime I cross the border I do get Verizon standard texts saying how much it will cost if I turn on my data, and etc. Any ideas or suggestions? Thanks.
Hello deblenheim
I'm sorry to hear your having trouble using your DNA while traveling overseas. We need to determine if this is your device or Sim card or the network over there. Please reach out to us from a different device at: 908-559-4899. I'm sure we can get to the bottom of this together.
JoeL_VZW
Please follow us on twitter @vzwsupport -
Unable to call, reach and connect with Customer Service
How come every time I call *611 or 18009220204 from my cell phone. It directs me to the *611 app. Then at the very bottom of the app, it says "call customer service" then I'm directed to enter my billing pin. Then it just cycles after I enter it back to the *611 app. Why am I unable to call customer service any more?? Very very frustrating. This app definitely has a glitch obviously and I need to speak with someone.
yes i can make calls to everyone..except verizon. i have the samsung droid charge. what is this new *611 app all about. i'm not interested in even having to view it, just so i can scroll all the way down to call customer service and ask to enter my pin..time consuming. and even more frustrating that i still can't speak to anyone.
-
My phone will not make or receive calls since i did the update to 6.0
help, my phone will not make calls and i can not recieve calls since the updates
I updated the IOS 6 a month ago and now the issue arises just today. I can make outgoing calls but unable to receive incoming calls and text messages. When someone try to call me it always says no network coverage area, but eventually the signal bar is full. And I realised that when I'm making an outgoing call, and I used another device to call my phone and it able to receive. But when I'm not calling out, the call unable to receive and it says that Out of Network Coverage Area.
Please help me... -
WiFi option is grayed out and after resetting the setting my 4s unable to call any one or unable to recharge money....???
the same thing happened to me. Last time this happened i held the home and power button until the phone turned off, then i turned it on and let it charge and it worked. Now it won't let me get past the Apple sign flickering every 5-10 seconds.
-
Unlimited World subscription but unable to call co...
Hi,
I have a unlimited world subscription and for some reason I'm unable to call to one of the countries that are in the list (Brazil), the phone I'm trying to call is a landline. Do I need to re-subscribe so the new countries for the unlimited world subscription works with my account?
BTW, I am using the format: +(country code) (area code) (number)
Thank youHi,
Unfortunately, as you initially purchased your subscription before the new countries were added, the destination Brazil is not included into your subscription.
What you can do is repurchase the subscription from the webpage, this way when the new subscription period starts (after the old already active subscription is over), the new subscription will be working for you.
Hope it helps,
Anna
Assinaturas / Skype Premium / Contacto com atendimento ao cliente da Skype /
Se a minha resposta foi útil, dá Kudos ↘. Obrigada! Eu posso não responder às mensagens privadas não solicitadas.
Si mi respuesta fue útil, dé Kudos ↘. Gracias! Puedo no responder los mensajes privados no solicitados. -
I am unable to call.plase reset security questions and send to my email plaseeee
i am unable to call.plase reset security questions and send to my email plaseeee
<Email Edited By Host>We are fellow users here on these user-to-user forums, you're not talking to iTunes Support nor Apple - I've asked the hosts to remove your email address from your post (it's not a good idea to post personal info on any public forum).
If you have a rescue email address (which is not the same thing as an alternate email address) on your account then the steps half-way down this page will give you a reset link on your account : http://support.apple.com/kb/HT5312
If you don't have a rescue email address (you won't be able to add one until you can answer your questions) then you will need to contact iTunes Support / Apple in your country to get the questions reset - which is likely to be by phone as they need to confirm your id and that it's your account.
Contacting Apple about account security : http://support.apple.com/kb/HT5699
When they've been reset (and if you don't already have a rescue email address) you can then use the steps half-way down the HT5312 link above to add a rescue email address for potential future use -
I just backed up my 3gs iphone using itunes. All my photos and contacts have disappeared from my phone. I am unable to locate them on my computer. HELP!!!
OK, I understand. Try this ... it's much safer. It will simply restore your backup, but not do anything to your iOS:
While your iPhone is plugged in to iTunes, right click on the iPhone icon on the left side of the iTunes display.
Choose "Restore from backup ..." from the pop-up menu that appears.
Again, what this will do is place that backup back on your iPhone without changing iOS. So you should be very confident in the backup contents before doing this. -
Unable to call from my skype out account
Hi!
Iam unable to call from my skype out account to india, but i can able to call skype to skype users.pls advice.otherwise pls advice how to cancel the membership and get my money back.
Regards
RajanContact your carrier.
-
Have had Wireless Home Phone connect device refreshed and updated three times since I purchased it in September 2014. Last tech I worked with on it initialized an NRB to check the network. I checked the location of the tower, which is less than one mile up the hill with clear line of site. The device always has two antennas on it. The device is great when it does work, but most of the time it rings three times and then jumps to an automated message saying the person I am calling is not available. I've actually gone up there several times to try an fix the device, but always end up calling a Verizon tech who has me unplug it, pull the battery, and they do some network stuff and then we turn it back on and it works. After the last time on 10/02/14, I called it and got the message. I drove up there, 100 miles one way, and called it while standing in the room. Got the same message. I picked up the phone, heard a dial tone and dialed my phone and it range through. I hung that phone connected to the device and call it using my cell phone. It rang through. I went home and tried to call it the next day. Again it did not ring through and I got the message after three rings. I call another phone at the facility and had them call me on my mom's phone and it is fixed it again. The fix last for a day or two and then it's broken again, like it is today. If it's a network problem then it must be fairly close to the area because no matter what we do it fails again. So much for the 99.98% reliable. This thing is a piece of junk!
I purchased this device and put it on my plan so that my mother who we placed in a home at 96 years old would have a phone connection that she could use and wouldn't flip her out. My family and her family has not been able to faithfully connect with her at this critical time in her life. I am giving Verizon 10 more days to figure this out and then I am going to ask for a total refund not to mention how much time and travel I have put into this piece of junk. Either the home connect transceiver is broken or the network is broken. Why should I pay close to $70 for a service that has not worked more than several days out of 35 days? Also I have spent close to three hours on the phone with decent technical people, but it's my time. I should send Verizon a bill for every time I have gone up there to fix this device as well.
What perplexes me is that a regular cell phone would have sufficed, but because Verizon has to have a data connection that is not available on a regular phone and it was going to cost me $30/month, I decided to go with the home connect. Seemed like a nice solution for an older person who would have a hard time using a cell phone and keeping it charged. Plus after all the fees for getting it connected, it only cost $20/month. That would be a pretty good thing, IF IT WORKED....... The other thing that irks me is, why do I have to pay for a data connection when the cell phone Verizon originally provided can't even access the network. What ever happened to adding a phone line for $10 bucks\ month? All I wanted was a simple phone. She would not be able to use anything more complex and all she needs is a phone line period.
I have no problem paying for something that works and does what it should, but this is ridiculousness. The MTF on this device is somewhere around 1 to 2 days. Out of 365 days that's about a 96.5% failure rate....... Want my advice? Get ride of this device. It sucks and it's bad marketing.jsavage9621,
It pains me to hear about your experience with the Home Phone Connect. This device usually works seamlessly and is a great alternative to a landline phone. It sounds like we've done our fair share of work on your account here. I'm going to go ahead and send you a Private Message so that we can access your account and review any open tickets for you. I look forward to speaking with you.
TrevorC_VZW
Follow us on Twitter @VZWSupport
Maybe you are looking for
-
Libtool: libgvfscommon.la has not been installed in '/usr/lib/gvfs'
Hi, I'm trying to patch gvfs-mtp. The thing is I'm getting strange warnings from libtool like: libtool: warning: '../../common/libgvfscommon.la' has not been installed in '/usr/lib/gvfs' libtool: warning: '/home/yuri/build/gvfs/src/gvfs-1.22.2/common
-
How to clean the asm instance from RAC manually
for some reason i run crs_unregister asm and crs_unregister lsnr to remove the asm and listener resource from crs yesterday and today i want rebuild the asm instance ,so i run dbca again ,but error Error when starting ASM instance on node rac1: PRKS-
-
How to create dynamic list element in Site Studio designer?
Hi all, I have installed the Site Studio Designer(10gR4).The dynamic list element that i have added in the contributor region executes a query to search and display all the files in a particular folder.In the contributor mode when i try to add/edit t
-
Create Function Module Extractor
Hello Friends, Please help me in developing the extractor. I want to write the custom extractor using the three Table fields FAGLFLEXA and FAGLFLEXT with some logic to merge data. if you have any abap code. please email me at [email protected] will b
-
Visiting mom. she just got a notice to update Firefox, and so we did... then a window popped up that said that firefox 3.6 will only be supported for a short while. If firefox goes, I Wonder if Safari will still function as a browser on this old but