The inside network is accessible only through IPsec; do I need to enable the IOS FW?

I'm building a remote site, and the only traffic in or out of their inside network is via IPsec tunnels. There is no unencrypted access to the internet. Should I still configure the ISR firewall? If so, why?

If I get your setup correctly imagined (haha)
Anyway, it really depends on you:
However, for a full-tunnel setup, which I think you have set up there, you can enable it for better QoS and basic site blocking as well;
for split-tunnel, configure it in your remote site.
Stateless firewall configuration in IOS really is handy, though reporting-wise, it's not that friendly.
The best part of the stateless firewall is that it can be content-based.
EX: 
class-map match-any FILTER
  match protocol http host *yahoo* 
  match protocol facebook 
  match protocol youtube
#class-map type urlfilter match-any CONTENT_DROP
  #match url category Adult-Mature-Content
There are more protocols as well, and (I think) even P2P protocols can be blocked (uTorrent, BitTorrent, etc.).
Content filtering, however, is a subscription license and needs to be registered/enabled.
SEE: http://www.cisco.com/c/en/us/products/collateral/security/ios-content-filtering/white_paper_c89-492776.html
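As an added example (not from the post and not Cisco code), the following Python models how the match-any FILTER class-map above classifies flows, assuming `host *yahoo*` is a glob over the HTTP Host header and that a policy-map drops flows hitting FILTER and passes everything else; it also shows why the same match lines under match-all would never match anything.

```python
"""Model of the FILTER class-map quoted above (added example, not Cisco code).
Assumes 'host *yahoo*' is a glob over the HTTP Host header and that a policy-map
drops flows hitting FILTER and passes everything else."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

@dataclass(frozen=True)
class Flow:
    protocol: str                # application name as NBAR would report it
    host: Optional[str] = None   # HTTP Host header, when the flow is HTTP

@dataclass
class MatchLine:
    protocol: str
    host_glob: Optional[str] = None

    def matches(self, flow: Flow) -> bool:
        if flow.protocol != self.protocol:
            return False
        if self.host_glob is None:
            return True
        return flow.host is not None and fnmatchcase(flow.host.lower(), self.host_glob.lower())

@dataclass
class ClassMap:
    name: str
    mode: str          # "match-any": any line suffices; "match-all": every line must hit
    lines: list

    def matches(self, flow: Flow) -> bool:
        results = [line.matches(flow) for line in self.lines]
        return any(results) if self.mode == "match-any" else all(results)

def parse_class_maps(config: str) -> dict:
    """Parse class-map blocks from IOS-style text; '#' lines are commented out, as in the post."""
    maps, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if tokens[0] == "class-map":
            # class-map [type X] match-any|match-all NAME
            mode, name = tokens[-2], tokens[-1]
            if mode not in ("match-any", "match-all"):
                raise ValueError(f"unsupported class-map line: {line}")
            current = ClassMap(name, mode, [])
            maps[name] = current
        elif tokens[:2] == ["match", "protocol"] and current is not None:
            # match protocol PROTO [host GLOB]
            has_host = len(tokens) >= 5 and tokens[3] == "host"
            current.lines.append(MatchLine(tokens[2], tokens[4] if has_host else None))
        else:
            raise ValueError(f"unsupported line: {line}")
    return maps

# The class-map exactly as quoted in the post.
POST_CONFIG = """\
class-map match-any FILTER
  match protocol http host *yahoo*
  match protocol facebook
  match protocol youtube
#class-map type urlfilter match-any CONTENT_DROP
  #match url category Adult-Mature-Content
"""

# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    Flow("http", "www.yahoo.com"),
    Flow("http", "mail.yahoo.co.uk"),
    Flow("facebook", "www.facebook.com"),
    Flow("youtube"),
    Flow("http", "www.example.com"),
    Flow("dns"),
]

def classify(class_map: ClassMap, flow: Flow) -> str:
    """'drop' when the flow hits the filter class, otherwise 'pass'."""
    return "drop" if class_map.matches(flow) else "pass"

def run_filter(config: str = POST_CONFIG, flows=SAMPLE_FLOWS) -> dict:
    """Map 'protocol/host' -> verdict for every sample flow."""
    filter_map = parse_class_maps(config)["FILTER"]
    return {f"{f.protocol}/{f.host or '-'}": classify(filter_map, f) for f in flows}

def match_all_pitfall(config: str = POST_CONFIG) -> bool:
    """True if the same lines under match-all would drop any sample flow.
    A flow carries one protocol, so several 'match protocol' lines can never all be
    true at once; a match-all version of FILTER silently matches nothing."""
    strict = parse_class_maps(config.replace("match-any FILTER", "match-all FILTER"))
    return any(strict["FILTER"].matches(f) for f in SAMPLE_FLOWS)

if __name__ == "__main__":
    for key, verdict in run_filter().items():
        print(f"{key:28} -> {verdict}")
    print("match-all drops anything?", match_all_pitfall())
```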

Similar Messages

  • How to set up the guest network to access the internet only (not touch the internal server)

    I had set up the AirPort Extreme with a basic and guest network, but observed that guests can currently access our server. For security, can we set up the guest network to access the internet only? Please advise, and thanks.

    By default, a properly configured Guest network on the AirPort Extreme only allows network clients to access the Internet. No access to the "main" network's resources should be available.
    This is assuming that the AirPort Extreme is the only or "main" router in your current network configuration.

  • Bandwidth decrease in the inside network.

    I just set up an ASA5505; the ISP gives me 10MBPS.
    When I do an internet speed test before applying an IM inspect class map, I got 8MB approx.
    After setting up the IM inspection, the speed is reduced drastically to 2MBPS.
    The ASA5505 has 1mb of RAM, the CPU never passes 10%, and the memory in use is only 299MB.
    The number of connections is low.
    Is this OK? Maybe an error in the configuration?

    This is the config with the inspection enabled:
    : Saved
    : Written by enable_15 at 18:11:50.359 COST Sun Sep 2 2012
    ASA Version 8.4(4)1
    hostname ASA5505
    names
    interface Ethernet0/0
    switchport access vlan 190
    interface Ethernet0/1
    switchport access vlan 200
    interface Ethernet0/2
    switchport access vlan 201
    interface Ethernet0/3
    description DVR-HOST
    switchport access vlan 111
    interface Ethernet0/4
    switchport access vlan 172
    interface Ethernet0/5
    switchport trunk allowed vlan 11,111,172,190,200-201
    switchport mode trunk
    interface Ethernet0/6
    switchport access vlan 172
    interface Ethernet0/7
    switchport access vlan 172
    interface Vlan1
    no nameif
    no security-level
    no ip address
    interface Vlan111
    description DMZ for Servers
    nameif dmz
    security-level 50
    ip address 192.168.111.1 255.255.255.0
    interface Vlan172
    nameif inside
    security-level 100
    ip address 172.16.1.1 255.255.255.0
    interface Vlan190
    description Telmex ISP
    nameif isp1
    security-level 0
    ip address xxx.xxx.134.64 255.255.255.0
    interface Vlan200
    description UNE ISP
    nameif isp2
    security-level 0
    ip address yyy.yyy.11.57 255.255.255.0
    interface Vlan201
    description Metrotel ISP
    nameif isp3
    security-level 0
    ip address zzz.zzz.121.202 255.255.255.0
    ftp mode passive
    clock timezone COST -5
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network PCoIP-host
    host 192.168.111.61
    description PCoIP Host
    object network web-mail-host
    host 192.168.111.215
    description Web and Mail Host
    object network smtp-host
    host 192.168.111.216
    object network www-host
    host 192.168.111.216
    object network pop3s-host
    host 192.168.111.216
    object network dns-tcp-host
    host 192.168.111.216
    object network dns-udp-host
    host 192.168.111.216
    object network dvr-host
    host 192.168.111.202
    object network dmz-network
    subnet 192.168.111.0 255.255.255.0
    description DMZ
    object network isp1-network
    subnet xxx.xxx.134.0 255.255.255.0
    description Telmex Network
    object network vpn-network
    range 10.47.75.50 10.47.75.69
    description vpn
    object network inside-isp1-network
    subnet 172.16.1.0 255.255.255.0
    object network inside-isp2-network
    subnet 172.16.1.0 255.255.255.0
    object network 10.10.10-isp1-network
    subnet 10.10.10.0 255.255.255.0
    object network 10.10.10-isp2-network
    subnet 10.10.10.0 255.255.255.0
    object network 192.168.10-isp1-network
    subnet 192.168.10.0 255.255.255.0
    object network 192.168.10-isp2-network
    subnet 192.168.10.0 255.255.255.0
    object network 192.168.15-isp1-network
    subnet 192.168.10.0 255.255.255.0
    object network 192.168.15-isp2-network
    subnet 192.168.10.0 255.255.255.0
    object network 192.168.50-isp1-network
    subnet 192.168.50.0 255.255.255.0
    description Internal Management Network
    object network 192.168.50-isp2-network
    subnet 192.168.50.0 255.255.255.0
    description Internal Management Network
    object network 192.168.100-isp1-network
    subnet 192.168.100.0 255.255.255.0
    object network 192.168.100-isp2-network
    subnet 192.168.100.0 255.255.255.0
    object-group protocol tcp-udp
    protocol-object tcp
    protocol-object udp
    object-group protocol tcp-udp-icmp
    protocol-object tcp
    protocol-object udp
    protocol-object icmp
    object-group service web-mail-services tcp-udp
    port-object eq domain
    port-object eq www
    port-object eq 995
    port-object eq 443
    port-object eq 8080
    object-group service vmware-view-services tcp-udp
    port-object eq 4172
    port-object eq 3389
    port-object eq 22
    access-list isp1-in extended permit object-group tcp-udp any object-group web-mail-services object dmz-network object-group web-mail-services
    access-list isp1-in extended permit object-group tcp-udp any object-group vmware-view-services object dmz-network object-group vmware-view-services
    access-list isp2-in extended permit object-group tcp-udp any object-group web-mail-services object dmz-network object-group web-mail-services
    access-list isp2-in extended permit object-group tcp-udp any object-group vmware-view-services object dmz-network object-group vmware-view-services
    access-list isp3-in extended permit object-group tcp-udp any object-group web-mail-services object dmz-network object-group web-mail-services
    access-list isp3-in extended permit object-group tcp-udp any object-group vmware-view-services object dmz-network object-group vmware-view-services
    access-list Split-Tunneling standard permit 192.168.111.0 255.255.255.0
    access-list Split-Tunneling standard permit host xxx.xxx.134.215
    pager lines 40
    logging enable
    logging asdm informational
    mtu dmz 1500
    mtu inside 1500
    mtu isp1 1500
    mtu isp2 1500
    mtu isp3 1500
    ip local pool vpnpool 10.47.75.50-10.47.75.69 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    object network PCoIP-host
    nat (dmz,isp1) static xxx.xxx.134.61
    object network helpdesk-host
    nat (dmz,isp1) static xxx.xxx.134.48
    object network web-mail-host
    nat (dmz,isp1) static xxx.xxx.134.214
    object network smtp-host
    nat (dmz,isp2) static interface service tcp smtp smtp
    object network www-host
    nat (dmz,isp2) static interface service tcp www www
    object network pop3s-host
    nat (dmz,isp2) static interface service tcp 995 995
    object network dns-tcp-host
    nat (dmz,isp2) static interface service tcp domain domain
    object network dns-udp-host
    nat (dmz,isp2) static interface service udp domain domain
    object network dvr-host
    nat (dmz,isp3) static interface service tcp www 8080
    object network dmz-network
    nat (dmz,isp1) dynamic interface
    object network vpn-network
    nat (inside,isp1) dynamic interface
    object network inside-isp1-network
    nat (inside,isp1) dynamic interface
    object network inside-isp2-network
    nat (inside,isp2) dynamic interface
    object network 10.10.10-isp1-network
    nat (inside,isp1) dynamic interface
    object network 10.10.10-isp2-network
    nat (inside,isp2) dynamic interface
    object network 192.168.10-isp1-network
    nat (inside,isp1) dynamic interface
    object network 192.168.10-isp2-network
    nat (inside,isp2) dynamic interface
    object network 192.168.15-isp1-network
    nat (inside,isp1) dynamic interface
    object network 192.168.15-isp2-network
    nat (inside,isp2) dynamic interface
    object network 192.168.50-isp1-network
    nat (inside,isp1) dynamic interface
    object network 192.168.50-isp2-network
    nat (inside,isp2) dynamic interface
    object network 192.168.100-isp1-network
    nat (inside,isp1) dynamic interface
    object network 192.168.100-isp2-network
    nat (inside,isp2) dynamic interface
    access-group isp1-in in interface isp1
    access-group isp2-in in interface isp2
    access-group isp3-in in interface isp3
    route isp1 0.0.0.0 0.0.0.0 xxx.xxx.134.1 1 track 1
    route isp2 0.0.0.0 0.0.0.0 200.55.66.70 254
    route inside 10.10.10.0 255.255.255.0 172.16.1.254 1
    route inside 192.168.10.0 255.255.255.0 172.16.1.254 1
    route inside 192.168.15.0 255.255.255.0 172.16.1.254 1
    route inside 192.168.50.0 255.255.255.0 172.16.1.254 1
    route inside 192.168.100.0 255.255.255.0 172.16.1.254 1
    route isp2 yyy.yyy.224.254 255.255.255.255 yyy.yyy.11.1 1
    route isp2 yyy.yyy.249.101 255.255.255.255 yyy.yyy.11.1 1
    route isp1 xxx.xxx.2.66 255.255.255.255 xxx.xxx.134.1 1
    route isp1 xxx.xxx.2.85 255.255.255.255 xxx.xxx.134.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 172.16.1.0 255.255.255.0 inside
    http 192.168.100.0 255.255.255.0 inside
    http 192.168.50.0 255.255.255.0 inside
    http 192.168.10.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    sla monitor 123
    type echo protocol ipIcmpEcho xxx.xxx.134.1 interface isp1
    sla monitor schedule 123 life forever start-time now
    track 1 rtr 123 reachability
    telnet 172.16.1.0 255.255.255.0 inside
    telnet 192.168.100.0 255.255.255.0 inside
    telnet timeout 5
    ssh scopy enable
    ssh 172.16.1.0 255.255.255.0 inside
    ssh 192.168.10.0 255.255.255.0 inside
    ssh 192.168.100.0 255.255.255.0 inside
    ssh 192.168.50.0 255.255.255.0 inside
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    vpn-addr-assign local reuse-delay 5
    dhcpd address 172.16.1.50-172.16.1.54 inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics
    webvpn
    enable isp1
    enable isp2
    anyconnect image disk0:/anyconnect-win-3.1.00495-k9.pkg 1
    anyconnect enable
    tunnel-group-list enable
    group-policy GroupPolicy_AnyCon internal
    group-policy GroupPolicy_AnyCon attributes
    dns-server value 192.168.10.101
    vpn-tunnel-protocol ssl-client
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Split-Tunneling
    default-domain none
    webvpn
      anyconnect keep-installer none
    group-policy VPNClient internal
    group-policy VPNClient attributes
    wins-server value 192.168.10.101
    dns-server value 192.168.10.101
    vpn-tunnel-protocol ikev1
    default-domain value fffffffff
    username user1 password .vQx4rek encrypted privilege 15
    tunnel-group AnyCon type remote-access
    tunnel-group AnyCon general-attributes
    address-pool vpnpool
    default-group-policy GroupPolicy_AnyCon
    class-map type inspect im match-any MSN
    description MSN y Yahoo
    match protocol msn-im yahoo-im
    match service chat file-transfer games voice-chat webcam
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map type inspect im MSN
    description MSN y Yahoo
    parameters
    class MSN
      reset
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect im MSN
    class class-default
      user-statistics accounting
      inspect im MSN
    service-policy global_policy global
    prompt hostname context
    service call-home
    no call-home reporting anonymous
    call-home
    contact-email-addr gggggggggg
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    : end

  • Routing and Remote Access - internal network not accessing the internet through the public network!

    Hello,
    Good Evening to all.
    I have an issue with Routing and Remote Access on a Windows 2003 server. This server is already configured as a file server, domain server and application server. It is also configured as a router (through Routing & Remote Access) for connecting three different networks to each other. So this server has three NIC cards installed, and each NIC card represents a separate network.
    The three different networks are 192.42.160.0/24, 192.42.161.0/24 and 192.42.162.0/24.
    The three NIC cards installed on the server have the following IP addresses:
    NIC-1 = 192.42.160.220, Sub 255.255.255.0, Gateway - NO
    NIC-2 = 192.42.161.220, Sub 255.255.255.0, Gateway - 192.161.220.112 (this IP is for internet access, so it is the 4G router IP)
    NIC-3 = 192.42.162.220, Sub 255.255.255.0, Gateway - NO
    Now the issue is that I can reach the internet (and also ping the router IP 192.42.161.112) from only one network, 192.42.161.0/24, BUT when I try to access the internet from the other two networks (192.42.160.0/24 & 192.42.162.0/24) I can't access it, and moreover can't ping the internet router IP 192.42.161.112...
    So how can I access the internet from the other two networks as well?
    I had already configured static routing for all three networks but still was not successful. I really don't know exactly what static routing should be done in Routing & Remote Access so that all three networks can reach the internet.
    Sorry if I am not able to explain properly. Please let me know if you need more explanation on this...
    Thanks to all.

    Dear Milos,
    I am happy to hear from you....
    1.- Actually the setup was done long before by another guy and right now I don't want to change it.
    Nice to hear from you! Thank you so much. Actually this is the first time I am using the TechNet forum, upon the suggestion of one of my friends. So any help from you will help me greatly with this issue...
    I ran the route print command and the results are given below.
    I have only added the default route, as per the routes below. Please guide me on how to add the other static routes for the three networks.
    D:\Documents and Settings\Administrator>route print
    IPv4 Route Table
    ===========================================================================
    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x2 ...00 30 05 ad 8f 5c ...... Broadcom NetXtreme Gigabit Ethernet - Teefer2 Mi
    niport
    0x3 ...00 0e 0c a7 c4 f8 ...... Intel(R) PRO/1000 GT Desktop Adapter - Teefer2 M
    iniport
    0x4 ...00 0e 0c a7 c5 85 ...... Intel(R) PRO/1000 GT Desktop Adapter #2 - Teefer
    2 Miniport
    ===========================================================================
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0   192.42.161.112   192.42.161.220      1
            127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
         192.42.160.0    255.255.255.0   192.42.160.220   192.42.160.220     20
       192.42.160.220  255.255.255.255        127.0.0.1        127.0.0.1     20
       192.42.160.255  255.255.255.255   192.42.160.220   192.42.160.220     20
         192.42.161.0    255.255.255.0   192.42.161.220   192.42.161.220     20
       192.42.161.220  255.255.255.255        127.0.0.1        127.0.0.1     20
       192.42.161.255  255.255.255.255   192.42.161.220   192.42.161.220     20
         192.42.162.0    255.255.255.0   192.42.162.220   192.42.162.220     20
       192.42.162.220  255.255.255.255        127.0.0.1        127.0.0.1     20
       192.42.162.255  255.255.255.255   192.42.162.220   192.42.162.220     20
            224.0.0.0        240.0.0.0   192.42.160.220   192.42.160.220     20
            224.0.0.0        240.0.0.0   192.42.161.220   192.42.161.220     20
            224.0.0.0        240.0.0.0   192.42.162.220   192.42.162.220     20
      255.255.255.255  255.255.255.255   192.42.160.220   192.42.160.220      1
      255.255.255.255  255.255.255.255   192.42.161.220   192.42.161.220      1
      255.255.255.255  255.255.255.255   192.42.162.220   192.42.162.220      1
    Default Gateway:    192.42.161.112
    ===========================================================================
    Persistent Routes:
      None
    Regards & Thanks
    Mahesh

  • Network camera access via AirPort Extreme, i.e. I need to assign a port and a

    Please help me. I have a cabin in the mountains that is off the grid, and I use solar power. I have my internet access via Wi-Fi and an antenna. It goes to a D-Link router in my electric room, then from there via a Cat 5 cable to an Apple AirPort Extreme base station, and I would like to plug the camera into the base station via a Cat 5 cable.
    I am trying to set up a network camera via an AirPort Extreme base station. The tech support on the camera end (AirLink101 SkyIPCam500, model AICN500) said to enable port 80 and to assign an IP address (which I have). Apple support has been unable to help me after almost 1 hour with tech support. Here is what the camera tech support page suggests:
    You will now need to forward the Second HTTP Port through your router to the IP address of the camera. If you have an AirLink101 router, we have instructions in our knowledge base for port forwarding. If you have a router from another company, you will need to contact them for instructions on port forwarding.
    When accessing the camera from a remote location you will need to open a browser and type in the internet IP address of your network (not the ip address of the camera) and the port into a web browser. The address and port will need to be typed in like this:
    http://x.x.x.x:port
    x.x.x.x = Internet IP address
    port = Second HTTP Port
    Here is an example of what it would look like: http://123.123.123.123:81
    Can anyone please help me?

    I cannot thank you enough for taking the time to help me!!! I really appreciate it. I have done the setup with the D-Link router and am now trying to access the camera from the web, but I am having trouble logging in and finding it. I am not sure what IP address to enter into my web browser. I think that I need to add the IP address followed by a forward slash and then the port # 80, but what IP address should I add? In the device info part of the D-Link router I have found a number of IP addresses, but none of them seem to work. What am I doing wrong, or not doing? My Apple base station is set up in bridge mode with a password to protect it.
    Thanks again,
    Josh

  • Why am I not able to download apps through the 4G network? I can only download stuff through Wi-Fi

    I cannot download updates or stuff through the Play Store except when on Wi-Fi. I always get an error 495. What does that mean and how do I fix it? What is the point of having data and the Android Market if you can't download anything unless you are in a place that has Wi-Fi? I would like to be able to download stuff through the network but it just won't let me. I always get errors after it tries downloading for a few minutes. How do you fix that?

    Hi there Akorns35!
    I want you to update your apps where ever your heart desires! I will be delighted to help.
    This is generally a setting. Turn it off by following these steps:
    Open Google Play > Choose Menu > Settings > Tap "Update over Wi-Fi only" and turn that off!
    Keep us posted!
    Thanks,
    MelissaM_VZW
    Follow us on Twitter @vzwsupport

  • I installed a new airport express and made it part of my existing home network...  now the PCs can't access internet through the airport extreme or the cisco access points

    Everything works perfectly with Macs, iPhones, and iPads, but I have 2 PCs that now can't access the internet. The PCs connect to the AirPort and my other access points but have no internet. The PCs show a DNS error.

    Yes, as we already said, it will do all of this if you have a good wireless signal reaching the bedroom.
    Remember that an extender or repeater or whatever you want to call it can only extend the quality of signal that it receives.
    The Ethernet signal that the Express delivers will only be as good as the quality of the wireless connection between the AirPort Extreme and AirPort Express.
    If you have doubts, make sure that you understand the store's return policy before you buy.

  • Does everyone on the wireless network have access to the shared files?

    I just bought a 1TB time capsule today. I am backing up my files as I type. I also used it to set up a wireless network in my apartment. This wireless network will be used by my roommate as well.
    In addition to backing up my files using Time Machine, I am also going to use my new TC as an external hard drive to store movies, music, photos, and documents. I would like my roommate to have access to the wireless internet, but I do NOT want them to have access to my files.
    I noticed that my TC shows up in the SHARED section in my finder. Does this mean that, because my roommates have access to my wireless network, that they have access to my files through the TC shared drive? If so, how can I protect my files?

    I found this in the Airport Help. It works with the TC drive and any other drives attached.
    To set up a user account:
    Open AirPort Utility, located in the Utilities folder in the Applications folder on a computer using Mac OS X, and in Start > All Programs > AirPort on a computer using Windows.
    Select the device you’re setting up, and then click Manual Setup. Enter the password if necessary.
    Click Disks in the toolbar, and then click File Sharing.
    Choose "With accounts" from the Secure Shared Disks pop-up menu, and then click Configure Accounts.
    Click Add , enter the user name, and then give the user a password.
    Choose Read and Write, Read Only, or Not Allowed from the File Sharing Access pop-up menu, depending on the access privileges you want to assign for this user.

  • Problem loading flv over network when accessing swf through html

    Hi all,
    I have a website that loads images and videos for my company. It's an internal thing that's meant to be shown in a network folder that people can access.
    My problem comes when I try to load videos in. On my local machine, everything works fine; if you launch the swf directly from the network folder, everything works fine. The problem comes when you launch the html that the swf is embedded in. My NetConnection is successful, but when I try to load the flv using netStream.play (using a local path like "videos/myVid.flv") I get a NetStream.Play.StreamNotFound error.
    Local paths work fine when loading images etc., but not videos (even when I put the video into the images folder or vice versa). The only way I can get this working is if I put absolute paths into the video (like "\\myServer\flash\videos\myVid.flv").
    I'm thinking this is a sandbox problem. When you open the swf directly, it's running on the network, so it's OK to access network files, but when you open the html, it's being loaded to your local computer, and isn't able to do it? Both times when I print out the sandbox type it's "localWithFile", but it just doesn't work in the browser. But then I don't get why xml loading and image loading work, but not video. I've also changed the export to localWithNetworking and tried Security.allowDomain("*") but nothing worked.
    This works fine if the files are uploaded to a webserver, btw.
    I've put up a zip file with the relevant files (though you'll have to stick in your own flv), though unless you have a network handy it's going to be a bit hard to test it.
    Any help or pointers in the right direction would be appreciated though.
    Thanks

    Your files work fine with my FLV when I follow your instructions. Two days ago we had a situation that was almost like what you've described, except that the swf would work, the html would work (when opened directly, like "file:///Users/colin/Desktop/video%20bug/video_bug.html"), but would not work when opened via http. If that is your real situation then you may have the same issue we had, which is that our server had its MIME type set wrong for handling FLVs.

  • Why does my MacBook Pro forget the Wi-Fi network when I only set the iPhone to forget it?

    I just don't get it. What is the logic behind the Mac synchronising network access between devices? I set my iPhone to forget a certain Wi-Fi network and now my MacBook Pro also forgot it, so I had to reset my router for this. Pretty annoying. Any workaround if I want iCloud to keep my passwords synchronised but not sync up the network access instantly on all devices?

    I had to call Apple and the tech made me enter a bunch of terminal commands to fix this. Unfortunately I can't tell you exactly what it was. I think the best way would be to call Apple.

  • Photos downloaded from emails accessed only through Finder

    When someone sends me photos attached to an email and I want to save them in iPhoto along with my own photos, I click on save and tell them to go to iPhoto Library. Then if I go to iPhoto, they are not there. The only place I can find them is go to Finder, click on iPhoto Library and there they are. But I want them in with the rest of my photos. How do I get them there?
    MacBook, Mac OS X (10.4.9)

    You cannot save into your iPhoto Library folder from outside of iPhoto; files that are not properly Imported will not be recognized by the database.
    What you can do is save the emailed photo to your desktop, then import to iPhoto (either by dragging into iPhoto or by File > Import to Library), then delete the copy from the desktop.
    If you haven't yet, you can go into your iPhoto Library folder and drag the photos you placed in there out to your desktop. Just be careful not to change anything else while you are there, as any changes made to your iPhoto Library folder from the Finder can damage your library.

  • Hi Everyone, I am Sreedhar. I need to extend the wireless network, which is connected through cable to the AirPort Express. Without an AirPort Extreme Base Station, is there any way to extend my Wi-Fi?

    Need Help

    Let's see if I can get this straight.
    You have an Airport Extreme base station that is set to "Create a wireless network" and you have the box checked for "allow this network to be extended"....
    Then you have an Airport Express that is set to "Extend a wireless network" which you selected the name of your network in the box...
    Correct?
    See this Apple document:
    http://support.apple.com/kb/HT4259?viewlocale=en_US&locale=en_US
    The wireless unit on the right of the diagram can be either of the newer Apple base stations.
    Extreme, Express, Time Capsule

  • ASA 5505 VPN no access to inside network

    Trying to set up an IPsec/L2TP VPN to provide full access to the internal network for remote users with only the Windows built-in VPN client.
    The VPN client can connect successfully, but can't see anything on the inside network.
    The ASA is not the gateway for hosts on the internal network.
    name x.y.z.129 isp-gateway
    name 172.16.1.0 vpn-address-pool
    name 10.11.10.0 inside-network
    name x.y.z.128 outside-network
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list vpn extended permit ip inside-network 255.255.254.0 vpn-address-pool 255.255.255.0
    access-list outside_access_in extended permit ip any any
    global (outside) 1 interface
    nat (outside) 1 vpn-address-pool 255.255.255.0
    nat (inside) 0 access-list vpn
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 isp-gateway 1
    ciscoasa# show route
    Gateway of last resort is cic-gateway to network 0.0.0.0
    C    outside-network 255.255.255.128 is directly connected, outside
    S    172.16.1.5 255.255.255.255 [1/0] via isp-gateway, outside
    C    inside-network 255.255.254.0 is directly connected, inside
    S*   0.0.0.0 0.0.0.0 [1/0] via isp-gateway, outside

    Did you configure a split-tunnel or a no-split-tunnel policy?
    Also, when you are connected and try to access the internal network, can you please share the output of:
    show cry isa sa
    show cry ipsec sa

  • How to manage the C877 (outside) in RFC1483 mode through the ASA5505 from the (inside) network

    Hi All
    Here is a quick summary of my network setup.
    ISP ADSL2 -- C877 Router(RFC1483) -- ASA5505(PPPoE) -- Internal network(s).
    I am trying to figure out how to correctly configure my C877 and my ASA so I can telnet to and manage the C877 from one of the inside networks on the ASA5505.
    With the current configuration I can ping the C877, but only from the outside (PPPoE) interface of my ASA5505. I cannot connect to it from any other inside network.
    Interface connectivity is as follows:
    ISP <-> C877 PoTS
    C877 FA/0 <-> ASA Eth0/0[outside_public] [Zone SEC=0]
    ASA Eth0/1[inside_private][Zone SEC=100] <-> HP L2 Switch
    HP L2 Switch <-> Home PC.
    Device IPs:
    Cisco ASA [inside_private] gateway IP = 192.168.50.1 / 24
    Home PC = 192.168.50.81 / 24
    Router C877 IP = 192.168.50.2 / 24
    Everything is working as expected, except I want to be able to manage the C877 from the Home PC, but currently I am not able to establish any connectivity to the C877 from the [inside_private] network.
    Here is what I have tried so far, without luck:
    Connected (a 2nd) network cable from the C877 to the L2 switch. No connectivity from the Home PC.
    Connected (a 2nd) network cable from the C877 to ASA on another interface added to the [inside_private] network. No connectivity from the Home PC.
    Any help much appreciated!
    C877 config below:
    Current configuration : 1422 bytes
    version 15.1
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname c877
    boot-start-marker
    boot-end-marker
    no aaa new-model
    clock timezone UTC 11 0
    crypto pki token default removal timeout 0
    dot11 syslog
    ip source-route
    ip cef
    ip domain name --CUT--
    no ipv6 cef
    multilink bundle-name authenticated
    username --CUT-- privilege 15 password 7 --CUT--
    bridge irb
    interface ATM0
     no ip address
     no atm ilmi-keepalive
     bridge-group 1
     pvc 8/35
      encapsulation aal5snap
    interface FastEthernet0
     no ip address
    interface FastEthernet1
     no ip address
    interface FastEthernet2
     no ip address
    interface FastEthernet3
     no ip address
    interface Dot11Radio0
     no ip address
     shutdown
     speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
     station-role root
    interface Vlan1
     no ip address
     bridge-group 1
    interface BVI1
     ip address 192.168.50.2 255.255.255.0
    ip default-gateway 192.168.50.1
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    snmp-server community public RO
    snmp-server ifindex persist
    control-plane
    bridge 1 protocol ieee
    line con 0
     exec-timeout 0 0
     logging synchronous
     no modem enable
    line aux 0
    line vty 0 4
     exec-timeout 0 0
     logging synchronous
     login local
     transport input all
    end
    ASA5505 config below:
    ASA Version 9.1(3)
    hostname asa5505
    enable password --CUT-- encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd --CUT-- encrypted
    names
    interface Ethernet0/0
     switchport access vlan 10
    interface Ethernet0/1
    interface Ethernet0/2
     switchport access vlan 20
    interface Ethernet0/3
     switchport access vlan 30
    interface Ethernet0/4
     switchport access vlan 40
    interface Ethernet0/5
    interface Ethernet0/6
     switchport access vlan 70
    interface Ethernet0/7
     switchport access vlan 70
    interface Vlan1
     nameif inside_private
     security-level 100
     ip address 192.168.50.1 255.255.255.0
    interface Vlan10
     nameif outside_public
     security-level 0
     pppoe client vpdn group ADSL2
     ip address pppoe setroute
    interface Vlan20
     nameif inside_dmz
     security-level 70
     ip address 192.168.60.1 255.255.255.0
    interface Vlan30
     nameif inside_guest
     security-level 50
     ip address 192.168.70.1 255.255.255.0
    interface Vlan40
     nameif inside_experimental
     security-level 60
     ip address 10.0.0.1 255.255.0.0
    interface Vlan70
     nameif inside_phone
     security-level 10
     ip address 192.168.80.1 255.255.255.192
    boot system disk0:/asa913-k8.bin
    ftp mode passive
    clock timezone EST 10
    clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
    dns domain-lookup inside_dmz
    dns server-group DefaultDNS
     name-server 192.168.60.2
    same-security-traffic permit intra-interface
    object network LAN_private
     subnet 192.168.50.0 255.255.255.0
    object network LAN_dmz
     subnet 192.168.60.0 255.255.255.0
    object network LAN_guest
     subnet 192.168.70.0 255.255.255.0
    object network LAN_experimental
     subnet 10.0.0.0 255.255.0.0
    object network QNAP_host
     host 192.168.50.9
    object network INTELNUC_host
     host 192.168.60.2
    object network INTELNUC_prtgservice
     host 192.168.60.2
    object network INTELNUC_webservice
     host 192.168.60.2
    object network QNAP_management
     host 192.168.50.9
    object network QNAP_transmission
     host 192.168.50.9
    object network LAN_guest_wireless
     range 192.168.70.31 192.168.70.50
    object network QNAP_t51413
     host 192.168.50.9
    object network QNAP_u51413
     host 192.168.50.9
    object service 9000-9049
     service udp destination range 9000 9049
    object network C7940_u10000-20000
     host 192.168.80.11
    object network C7940_t5060
     host 192.168.80.11
    object network LAN_phone
     subnet 192.168.80.0 255.255.255.192
    object network SPINTEL_host
     host --CUT--
    object service 16384-32766
     service udp source range 16384 32766
    object network C7940_host
     host 192.168.80.11
    object service 10000-20000
     service udp destination range 10000 20000
    object network C7940_u5060
     host 192.168.80.11
    object-group network LAN_all
     network-object object LAN_dmz
     network-object object LAN_experimental
     network-object object LAN_guest
     network-object object LAN_private
     network-object object LAN_phone
    object-group protocol TCPUDP
     protocol-object udp
     protocol-object tcp
    object-group service 5060 tcp-udp
     port-object eq sip
    object-group service 53 tcp-udp
     port-object eq domain
    access-list public_ACL extended permit tcp any object QNAP_host eq 8080
    access-list public_ACL extended permit tcp any object QNAP_host eq 51413
    access-list public_ACL extended permit udp any object QNAP_host eq 51413
    access-list public_ACL extended permit tcp any object QNAP_host eq 9091
    access-list public_ACL extended permit tcp any object INTELNUC_host eq 444
    access-list public_ACL extended permit tcp any object INTELNUC_host eq www
    access-list public_ACL extended permit object-group TCPUDP any object C7940_host eq domain inactive
    access-list public_ACL extended permit tcp object SPINTEL_host object C7940_host eq sip
    access-list public_ACL extended permit udp object SPINTEL_host object C7940_host eq sip
    access-list public_ACL extended permit icmp object SPINTEL_host object C7940_host
    access-list public_ACL extended permit object 10000-20000 object SPINTEL_host object C7940_host
    access-list public_ACL extended permit ip object SPINTEL_host object C7940_host
    access-list dmz_ACL extended permit icmp any any echo
    access-list dmz_ACL extended permit udp any any eq snmp
    access-list dmz_ACL extended permit ip object INTELNUC_host object-group LAN_all
    access-list dmz_ACL extended deny ip any object LAN_private
    access-list dmz_ACL extended deny ip any object LAN_guest
    access-list dmz_ACL extended deny ip any object LAN_experimental
    access-list dmz_ACL extended deny ip any object LAN_phone
    access-list dmz_ACL extended permit ip any any
    access-list guest_ACL extended permit icmp any any echo
    access-list guest_ACL extended permit udp any any eq snmp
    access-list guest_ACL extended permit object-group TCPUDP object LAN_guest_wireless object INTELNUC_host eq domain
    access-list guest_ACL extended deny ip object LAN_guest_wireless object INTELNUC_host
    access-list guest_ACL extended deny ip object LAN_guest_wireless object QNAP_host
    access-list guest_ACL extended permit ip any object INTELNUC_host
    access-list guest_ACL extended permit ip any object QNAP_host
    access-list guest_ACL extended deny ip any object LAN_private
    access-list guest_ACL extended deny ip any object LAN_dmz
    access-list guest_ACL extended deny ip any object LAN_experimental
    access-list guest_ACL extended deny ip any object LAN_phone
    access-list guest_ACL extended permit ip any any
    access-list phone_ACL extended permit udp object C7940_host object INTELNUC_host eq tftp
    access-list phone_ACL extended permit icmp object C7940_host object SPINTEL_host
    access-list phone_ACL extended permit object 16384-32766 object C7940_host object SPINTEL_host
    access-list phone_ACL extended permit object-group TCPUDP object C7940_host any eq domain
    access-list phone_ACL extended permit udp object C7940_host any eq ntp
    access-list phone_ACL extended permit tcp object C7940_host any eq sip
    access-list phone_ACL extended permit udp object C7940_host any eq sip
    access-list phone_ACL extended permit ip object C7940_host any inactive
    access-list phone_ACL extended permit ip object LAN_phone any inactive
    pager lines 24
    logging enable
    logging asdm notifications
    mtu inside_private 1500
    mtu outside_public 1492
    mtu inside_dmz 1500
    mtu inside_guest 1500
    mtu inside_experimental 1500
    mtu inside_phone 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-714.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside_private,outside_public) source static C7940_u10000-20000 interface service 10000-20000 10000-20000
    object network LAN_private
     nat (inside_private,outside_public) dynamic interface
    object network LAN_dmz
     nat (inside_dmz,outside_public) dynamic interface
    object network LAN_guest
     nat (inside_guest,outside_public) dynamic interface
    object network LAN_experimental
     nat (inside_experimental,outside_public) dynamic interface
    object network INTELNUC_prtgservice
     nat (inside_dmz,outside_public) static interface service tcp 444 444
    object network INTELNUC_webservice
     nat (inside_dmz,outside_public) static interface service tcp www www
    object network QNAP_management
     nat (inside_private,outside_public) static interface service tcp 8080 8080
    object network QNAP_transmission
     nat (inside_private,outside_public) static interface service tcp 9091 9091
    object network QNAP_t51413
     nat (inside_private,outside_public) static interface service tcp 51413 51413
    object network QNAP_u51413
     nat (inside_private,outside_public) static interface service udp 51413 51413
    object network C7940_t5060
     nat (inside_private,outside_public) static interface service tcp sip sip
    object network LAN_phone
     nat (inside_phone,outside_public) dynamic interface
    object network C7940_u5060
     nat (inside_private,outside_public) static interface service udp sip sip
    access-group public_ACL in interface outside_public
    access-group dmz_ACL in interface inside_dmz
    access-group guest_ACL in interface inside_guest
    access-group phone_ACL in interface inside_phone
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication telnet console LOCAL
    http server enable
    http 192.168.50.0 255.255.255.0 inside_private
    snmp-server host inside_dmz 192.168.60.2 community *****
    snmp-server location inside_dmz
    no snmp-server contact
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpoint localtrust
     enrollment self
     fqdn asa5505.--CUT--
     subject-name CN=sasa5505.--CUT--
     keypair sslvpnkey
     crl configure
    crypto ca trustpool policy
    crypto ca certificate chain localtrust
     certificate --CUT--
    telnet 192.168.50.0 255.255.255.0 inside_private
    telnet timeout 60
    ssh timeout 60
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    vpdn group ADSL2 request dialout pppoe
    vpdn group ADSL2 localname --CUT--
    vpdn group ADSL2 ppp authentication pap
    vpdn username --CUT-- password --CUT-- store-local
    dhcpd auto_config outside_public
    dhcprelay server 192.168.60.2 inside_dmz
    dhcprelay enable inside_private
    dhcprelay enable inside_guest
    dhcprelay enable inside_experimental
    dhcprelay enable inside_phone
    dhcprelay timeout 60
    threat-detection basic-threat
    threat-detection statistics host number-of-rate 3
    threat-detection statistics port number-of-rate 3
    threat-detection statistics protocol number-of-rate 3
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server --CUT-- source inside_private
    ssl encryption aes256-sha1 aes128-sha1 3des-sha1 rc4-sha1
    ssl trust-point localtrust outside_public
    webvpn
     anyconnect-essentials
    username --CUT-- password --CUT-- encrypted privilege 15
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect xdmcp
      inspect icmp
      inspect pptp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    hpm topN enable
    Cryptochecksum:--CUT--

    Ansar,
    A source group or "group" is what you need to configure on the CSS in order for the backend servers to initiate a connection outbound on the CSS. It would be helpful if you could email me directly a piece of your config. Specifically I would need the "service" section in terms of which servers need outbound access as well as the content rules you have configured and the ACL section to confirm you are not blocking anything.
    As an example.
    If you had
    service pete
    ip address 1.1.1.1
    active
    content pete
    add service pete
    protocol tcp
    port 80
    vip address 2.2.2.2
    active
    group pete_out
    vip address 2.2.2.2
    add service pete
    active
    So what happens is that when the service makes an outbound connection, the source IP address is now the VIP address. When the return packet comes back, the CSS recognizes it and gets it back to the backend server.
    You can also apply a source group via an acl as another option.
    Regards
    Pete..
    [email protected]

  • VPN clients cannot access inside network

    I have an ASA 5505 that I am using as a VPN appliance. The outside interface is connected to the DMZ (172.16.2.10) and the inside to our internal network (10.27.1.12). VPN clients are assigned an address in the range 10.27.2.2-10.27.2.20. A 1841 is the router and firewall for the network. Recently the ASA lost power when a UPS went down and now VPN clients can no longer access anything on the inside network. Config is attached. Help.

    I realized after I posted that I should have a connection active when running this command. Here are the results:
    Result of the command: "show crypto ipsec sa"
    interface: outside
    Crypto map tag: outside_dyn_map, seq num: 20, local addr: 172.16.2.10
    local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
    remote ident (addr/mask/prot/port): (10.27.2.2/255.255.255.255/0/0)
    current_peer: 169.130.14.253, username: kenz
    dynamic allocated peer ip: 10.27.2.2
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
    #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
    #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
    #send errors: 0, #recv errors: 0
    local crypto endpt.: 172.16.2.10, remote crypto endpt.: 169.130.14.253
    path mtu 1500, ipsec overhead 58, media mtu 1500
    current outbound spi: 208F45F5
    inbound esp sas:
    spi: 0x2026D973 (539416947)
    transform: esp-3des esp-sha-hmac none
    in use settings ={RA, Tunnel, }
    slot: 0, conn_id: 4096, crypto-map: outside_dyn_map
    sa timing: remaining key lifetime (sec): 28406
    IV size: 8 bytes
    replay detection support: Y
    outbound esp sas:
    spi: 0x208F45F5 (546260469)
    transform: esp-3des esp-sha-hmac none
    in use settings ={RA, Tunnel, }
    slot: 0, conn_id: 4096, crypto-map: outside_dyn_map
    sa timing: remaining key lifetime (sec): 28406
    IV size: 8 bytes
    replay detection support: Y
    So it looks like there are encrypts but no decrypts. What should I do now?
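The "encrypts but no decrypts" pattern in the output above is the first thing to read out of a `show crypto ipsec sa` dump: the `#pkts encaps` counter is what this endpoint sent into the tunnel, `#pkts decaps` is what it received and decrypted from the peer. The following script is an added example, not code from the thread or from Cisco; it parses the counter lines of such a dump into one record per SA and classifies each as bidirectional, idle, or one-way. The sample input is constructed from the counter lines of the post plus a second, healthy SA (peer 198.51.100.7, a documentation address) to show the contrast.

```python
"""Classify IPsec SAs from `show crypto ipsec sa` output by traffic direction.

Added example for the thread above; the parsing is based only on the line
formats visible in the post (ASA/IOS style). Anything not present in that
output is an assumption made here.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the counter-relevant lines of the post (first SA) and a
# second SA with healthy two-way counters (constructed, peer 198.51.100.7).
SAMPLE = """\
interface: outside
Crypto map tag: outside_dyn_map, seq num: 20, local addr: 172.16.2.10
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.27.2.2/255.255.255.255/0/0)
current_peer: 169.130.14.253, username: kenz
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors: 0, #recv errors: 0
Crypto map tag: outside_dyn_map, seq num: 20, local addr: 172.16.2.10
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.27.2.3/255.255.255.255/0/0)
current_peer: 198.51.100.7, username: demo
#pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
#pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
#send errors: 0, #recv errors: 0
"""

_PEER = re.compile(r"current_peer:\s*([\d.]+)")
_REMOTE = re.compile(r"remote ident.*?:\s*\(([^/]+)/")
_ENCAPS = re.compile(r"#pkts encaps:\s*(\d+)")
_DECAPS = re.compile(r"#pkts decaps:\s*(\d+)")
_ERRORS = re.compile(r"#send errors:\s*(\d+),\s*#recv errors:\s*(\d+)")


@dataclass
class IpsecSa:
    peer: str = ""          # remote crypto endpoint (current_peer)
    remote_ident: str = ""  # remote proxy identity, the client address here
    encaps: int = 0         # packets this endpoint sent into the tunnel
    decaps: int = 0         # packets this endpoint received and decrypted
    send_errors: int = 0
    recv_errors: int = 0

    def verdict(self) -> str:
        """Direction classification: the post's case is 'sending only'."""
        if self.encaps and not self.decaps:
            return "ONE-WAY (sending only)"
        if self.decaps and not self.encaps:
            return "ONE-WAY (receiving only)"
        if not self.encaps and not self.decaps:
            return "IDLE"
        return "BIDIRECTIONAL"


def parse_ipsec_sa(text: str) -> List[IpsecSa]:
    """One IpsecSa per 'Crypto map tag:' block; lines before the first block are ignored."""
    sas: List[IpsecSa] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Crypto map tag:"):
            cur = IpsecSa()
            sas.append(cur)
            continue
        if cur is None:
            continue
        m = _PEER.search(line)
        if m:
            cur.peer = m.group(1)
        m = _REMOTE.search(line)
        if m:
            cur.remote_ident = m.group(1)
        m = _ENCAPS.search(line)
        if m:
            cur.encaps = int(m.group(1))
        m = _DECAPS.search(line)
        if m:
            cur.decaps = int(m.group(1))
        m = _ERRORS.search(line)
        if m:
            cur.send_errors, cur.recv_errors = int(m.group(1)), int(m.group(2))
    return sas


def summarize(text: str) -> List[str]:
    """Human-readable one-liner per SA, suitable for a quick triage report."""
    return [
        f"peer={sa.peer} ident={sa.remote_ident} encaps={sa.encaps} "
        f"decaps={sa.decaps} errors={sa.send_errors}/{sa.recv_errors} -> {sa.verdict()}"
        for sa in parse_ipsec_sa(text)
    ]


if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

A "sending only" verdict means the local endpoint is encrypting packets toward the peer but has not decrypted a single packet from it, so the inbound half of the tunnel (ESP, or UDP/4500 when NAT-T is in use) is either not reaching this interface or not being accepted; comparing with the same counters on the peer side tells you which end to look at first. The script reads `show` output only and changes nothing on the device.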
