Unable to access internal networks over Remote acces VPN

Similar Messages

• VPN users unable to access internal network - ASA 8.3.1

  Hello,
  I have a base config of AnyConnect VPN below, however the ASA 8.3.1 code has deprecated some commands and the VPN/NAT/FW rule syntax is quite different. Can someone point out what's missing from the pertinent config below that prevents the VPN Pool from accessing the internal LAN?
  The Core LAN router is 1.2.3.1.
  ASA Version 8.3(1)
  interface Ethernet0/0
  nameif inside
  security-level 100
  ip address 1.2.3.2 255.255.255.0
  ip local pool anyconnect-vpn-pool 1.2.9.10-1.2.9.20 mask 255.255.255.0
  object network DataVLAN
  subnet 1.2.3.0 255.255.255.0
  object-group network Internal-Data
  network-object object DataVLAN
  nat (any,any) after-auto source dynamic Internal-Data Outside_INT
  route inside 1.2.0.0 255.255.0.0 1.2.3.1 1
  dynamic-access-policy-record DfltAccessPolicy
  webvpn
  enable outside
  svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
  svc enable
  group-policy DfltGrpPolicy attributes
  vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
  address-pools value anyconnect-vpn-pool
  group-policy GroupPolicy1 internal
  group-policy GroupPolicy1 attributes
  address-pools value anyconnect-vpn-pool
  group-policy vpn-anyconnecct-policy internal
  group-policy vpn-anyconnecct-policy attributes
  vpn-tunnel-protocol svc webvpn
  webvpn
    url-list none
    svc ask enable
  tunnel-group vpn-users type remote-access
  tunnel-group vpn-users general-attributes
  address-pool anyconnect-vpn-pool
  default-group-policy vpn-anyconnecct-policy
  tunnel-group anyconnect2 type remote-access
  tunnel-group anyconnect2 general-attributes
  address-pool anyconnect-vpn-pool
  TIA.
  Mike

  Hi Rohan,
  Are you saying to replace "nat (any,any)" with "nat (inside,outside)"? I was wondering about this because I'd always done "nat (inside,outside)" but a colleague had performed the initial configuration which already contained "nat (any,any)" statement and I was not sure if this was just something new in 8.3.1. I also noticed the "global" command is no longer available.
  I will give this a try. Thanks.
  -Mike

• Unable to access the network

  Ok, I've had this problem for quite a while now
  There's this 1 site that I cannot access on my computer it says "Unable to access the network Google Chrome is having trouble accessing the network." However I can access the site on my laptop, I don't see how I can fix the problem!?

  Bradley750 wrote:
  Ok, I've had this problem for quite a while now
  There's this 1 site that I cannot access on my computer it says "Unable to access the network Google Chrome is having trouble accessing the network." However I can access the site on my laptop, I don't see how I can fix the problem!?
  Hi. Welcome to the forums.
  Can you give a little more information, mainly the site you're havging problems with.
  Have you tried a different browser ? What OS ?
  There are a wide variety of reasons, security products interferring, hosts file problems, browser issues etc.
  http://www.andyweb.co.uk/shortcuts
  http://www.andyweb.co.uk/pictures

• Unable to access Verizon network!

  Unable to access Verizon network! Got pop up window that "you've reached your mobile data usage limit.  Mobile data turned off. " I have option to click re-enable button but doing so may result in additional charges.  I've check settings, my mobile data box is checked. When I try to open a web page it tells me I'm off line with message "Wi-Fi and mobile data are turned off. The page can be loaded once you connect to a network. Error code: ERR_INTERNET_DISCONNECTED"  My wi-fi DOES work, it's the Verizon network that I cannot access. Someone PLEASE HELP.

  Check the graph in your Data Usage section; it sounds like you've enabled the Alert About Data Usage feature, have reached that limit, and the phone is now restricting your data usage accordingly.  For more info., see:
  How do I monitor online data usage on my Samsung Galaxy S5? | Support | SAMSUNG UK

• Unable to access shared files over network after period of time.

  First off, I don't think that this issue is related to our router, but I have been searching for a fix and can not find one. We have a WRT54GS. Now, on to our issue:
  At my work, we have a small network with computers sharing files between the others. I have attached a network diagram to help explain this better.
  Our Win7 machine is our main computer that shares an external hard drive with much information that the other computers need to access. What we have noticed is either after a sleep, or even a period of time of say, 2 hours, those files are no longer able to be accessed. The Win7 machine is still sharing them, but the WinXP machines are unable to access them anymore and my Mac can see the computer is unable to connect to the folders. I have gone and attempted to get some help over at Microsofts site but that was a fail. Here is the link to the forum post there. http://social.answers.microsoft.com/Forums/en-US/w7network/thread/f0a2e8d6-f75a-41d7-a280-c6f3adbffa...
  A member there gave me this:
  The Network connection is probably not resuming after sleep. 
  First try this, http://www.ezlan.net/Win7/power_save_win7.jpg
  It is in the Network Connection Properties under the Network card configuration.
  If it already checked this way, or does not work after checking, the Network card has to be taken out of the computer's Power Saving loop, and stay on all the time.
  Otherwise, Updating the Card with the latest OEM drivers (downloaded from the computer's support site) might help too.
  On a rare occasions, some cards might be "Quirky" in this regards and need to be replaced.
  --I would like to add that this DOESN'T ONLY happen after sleep, it also happens after a time of being used.
  I attempted those and no luck. This problem is still occurring and the only way we can fix it is by restarting the Win7 machine. But even if it is being used, we have no idea when those files are unable to be accessed.
  *I will add that the Win7 machine is still able to access the other computers when this problem occurs if that helps.
  **The Win7 machine is a Dell T3500 running Windows 7 64bit. I can provide specific hardware if needed. The drivers are all up to date as of yesterday.
  ***So upon looking in the Windows XP machine, both of the folders from the Win7 machine disappear once this problem occurs in the My Network Places folder. And one folder is on the internal drive, one is on external. The computers are in this situation now where I am unable to access them. The Win7 machine can read and write from the other computers, but the other computers can even see the Win7 Machine.
  ****All the connections are wired and are not using the wireless.
  Thanks for any help that anyone may have for me!
  Steve
  Network Map > http://scubasblog.com/network.jpg
  Dell Support Forum with same issue I posted >> http://en.community.dell.com/support-forums/network-internet-wireless/f/3324/p/19337620/19716797.asp...

  It sounds like there is incompatibility issue with XP and Win7. To isolate this, do you have another Win7 machine? Try to add it to the network and check if the shared drives are accessible after sleep. If you don't have another computer, try virtual machine and create a Win7 system.
  Update your LAN card driver from the manufacturer's site. Don't use the driver from windows update.
  Lastly, does this happen to your XP machines? Like, one of the XP machine sharing a folder and falls asleep. When it wakes up, does Win7 machine can still access the shared folder?

• Unable to access the Internet over 3G Network, Wi-Fi fine.

  Hi there,
  I'm unable to access the internet on the iPhone 3G over the 3G network. Wi-Fi is fine, no problems there, but every time I try to bring up a website in Safari over 3G I get the message "Safari can't open the page because it is not connected to the Internet".
  I have Enable 3G 'ON' under Settings > General > Network, and I have full strength on the signal meter in the top left of the Home screen. I'm in a city (Melbourne, Australia) on the Optus network, so the network itself shouldn't be the issue.
  I've tried resetting the Network Settings under Settings > Reset > Reset Network Settings, but it didn't change anything. Any other ideas?
  Cheers.

  Well, there you go, fixed! Called Optus Customer Service and they were actually helpful! Apparently there were "some components in their back-end that needed to be installed manually." The man wasn't sure why they weren't there, "glitches, blah, blah..." but at least they're there now and I have 3G access.

• Vpn client can access internet but cannot access internal network

  I am using PIX 501 to setup a VPN. At first the VPN client cannot access the internet once they logged in via the Cisco system vpn client, so i enable split tunneling. Now the VPN client can access the internet but they can't access the internal network.Due to the limited characters can be posted here, only necessary IOS coding is posted on the next message. Who knows how to solve this problem? Pls Help.....

  enable password ********** encrypted
  passwd ********** encrypted
  hostname Firewall
  domain-name aqswdefrgt.com.sg
  access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
  access-list nat permit tcp any host 65.165.123.142 eq smtp
  access-list nat permit tcp any host 65.165.123.142 eq pop3
  access-list nat permit tcp any host 65.165.123.143 eq smtp
  access-list nat permit tcp any host 65.165.123.143 eq pop3
  access-list nat permit tcp any host 65.165.123.143 eq www
  access-list nat permit tcp any host 65.165.123.152 eq smtp
  access-list nat permit tcp any host 65.165.123.152 eq pop3
  access-list nat permit tcp any host 65.165.123.152 eq www
  access-list nat permit tcp any host 65.165.123.143 eq https
  access-list nat permit icmp any any
  ip address outside 65.165.123.4 255.255.255.240
  ip address inside 192.168.1.2 255.255.255.0
  ip verify reverse-path interface outside
  ip local pool clientpool 192.168.50.1-192.168.50.50
  global (outside) 1 interface
  nat (inside) 0 access-list 100
  nat (inside) 1 0.0.0.0 0.0.0.0 0 0
  static (inside,outside) tcp 65.165.123.142 smtp 192.168.1.56 smtp netmask 255.255.2
  55.255 0 0
  static (inside,outside) tcp 65.165.123.142 pop3 192.168.1.56 pop3 netmask 255.255.2
  55.255 0 0
  static (inside,outside) tcp 65.165.123.143 smtp 192.168.1.55 smtp netmask 255.255.2
  55.255 0 0
  static (inside,outside) tcp 65.165.123.143 pop3 192.168.1.55 pop3 netmask 255.255.2
  55.255 0 0
  static (inside,outside) tcp 65.165.123.143 www 192.168.1.55 www netmask 255.255.255
  .255 0 0
  static (inside,outside) tcp 65.165.123.152 smtp 192.168.1.76 smtp netmask 255.255.
  255.255 0 0
  static (inside,outside) tcp 65.165.123.152 pop3 192.168.1.76 pop3 netmask 255.255.
  255.255 0 0
  static (inside,outside) tcp 65.165.123.152 www 192.168.1.76 www netmask 255.255.25
  5.255 0 0
  static (inside,outside) tcp 65.165.123.143 https 192.168.1.55 https netmask 255.255
  .255.255 0 0
  access-group nat in interface outside
  route outside 0.0.0.0 0.0.0.0 65.165.123.1 1
  aaa-server TACACS+ protocol tacacs+
  aaa-server RADIUS protocol radius
  aaa-server LOCAL protocol local
  aaa-server plexus protocol radius
  aaa-server plexus (inside) host 192.168.1.55 ******** timeout 5
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server community public
  no snmp-server enable traps
  floodguard enable
  sysopt connection permit-ipsec
  crypto ipsec transform-set myset esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto dynamic-map cisco 1 set transform-set myset
  crypto map dyn-map 20 ipsec-isakmp dynamic cisco
  crypto map dyn-map client authentication plexus
  crypto map dyn-map interface outside
  isakmp enable outside
  isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
  isakmp policy 20 authentication pre-share
  isakmp policy 20 encryption des
  isakmp policy 20 hash md5
  isakmp policy 20 group 2
  isakmp policy 20 lifetime 86400
  isakmp policy 40 authentication pre-share
  isakmp policy 40 encryption 3des
  isakmp policy 40 hash md5
  isakmp policy 40 group 2
  isakmp policy 40 lifetime 86400
  vpngroup vpn3000 address-pool clientpool
  vpngroup vpn3000 dns-server 192.168.1.55
  vpngroup vpn3000 wins-server 192.168.1.55
  vpngroup vpn3000 default-domain aqswdefrgt.com.sg
  vpngroup vpn3000 idle-time 1800
  vpngroup vpn3000 password ********
  telnet 192.168.1.0 255.255.255.0 inside
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  terminal width 80

• Cisco ASA 5505 L2TP VPN cannot access internal network

  Hi,
  I'm trying to configure Cisco L2TP VPN to my office. After successful connection I cannot access to internal network.
  Can you jhelp me to find out the issue?
  I have Cisco ASA:
  inside network - 192.168.1.0
  VPN network - 192.168.168.0
  I have router 192.168.1.2 and I cannot ping or get access to this router.
  Here is my config:
  ASA Version 8.4(3)
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 198.X.X.A 255.255.255.248
  ftp mode passive
  same-security-traffic permit intra-interface
  object network net-all
  subnet 0.0.0.0 0.0.0.0
  object network vpn_local
  subnet 192.168.168.0 255.255.255.0
  object network inside_nw
  subnet 192.168.1.0 255.255.255.0
  access-list outside_access_in extended permit icmp any any echo-reply
  access-list outside_access_in extended deny ip any any log
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool sales_addresses 192.168.168.1-192.168.168.254
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source dynamic net-all interface
  nat (inside,outside) source static inside_nw inside_nw destination static vpn_local vpn_local
  nat (outside,inside) source static vpn_local vpn_local destination static inside_nw inside_nw route-lookup
  object network vpn_local
  nat (outside,outside) dynamic interface
  object network inside_nw
  nat (inside,outside) dynamic interface
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 198.X.X.B 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication enable console LOCAL
  aaa authentication ssh console LOCAL
  aaa authentication http console LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev1 transform-set my-transform-set-ikev1 esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set my-transform-set-ikev1 mode transport
  crypto dynamic-map dyno 10 set ikev1 transform-set my-transform-set-ikev1
  crypto map vpn 20 ipsec-isakmp dynamic dyno
  crypto map vpn interface outside
  crypto isakmp nat-traversal 3600
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 192.168.1.0 255.255.255.0 inside
  ssh timeout 30
  console timeout 0
  management-access inside
  dhcpd address 192.168.1.5-192.168.1.132 inside
  dhcpd dns 75.75.75.75 76.76.76.76 interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy sales_policy internal
  group-policy sales_policy attributes
  dns-server value 75.75.75.75 76.76.76.76
  vpn-tunnel-protocol l2tp-ipsec
  username ----------
  username ----------
  tunnel-group DefaultRAGroup general-attributes
  address-pool sales_addresses
  default-group-policy sales_policy
  tunnel-group DefaultRAGroup ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group DefaultRAGroup ppp-attributes
  authentication ms-chap-v2
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:5d1fc9409c87ecdc1e06f06980de6c13
  : end
  Thanks for your help.

  You have to test it with "real" traffic to 192.168.1.2 and if you use ping, you have to add icmp-inspection:
  policy-map global_policy
    class inspection_default
      inspect icmp
  Don't stop after you've improved your network! Improve the world by lending money to the working poor:
  http://www.kiva.org/invitedby/karsteni

• Can't access internal network from VPN using PIX 506E

  Hello,
  I seem to be having an issue with my PIX configuration. I can ping the VPN client from the the internal network, but can cannot access any resources from the vpn client. My running configuration is as follows:
  Building configuration...
  : Saved
  PIX Version 6.3(5)
  interface ethernet0 auto
  interface ethernet1 auto
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  enable password N/JZnmeC2l5j3YTN encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  hostname SwantonFw2
  domain-name *****.com
  fixup protocol dns maximum-length 512
  fixup protocol ftp 21
  fixup protocol h323 h225 1720
  fixup protocol h323 ras 1718-1719
  fixup protocol http 80
  fixup protocol rsh 514
  fixup protocol rtsp 554
  fixup protocol sip 5060
  fixup protocol sip udp 5060
  fixup protocol skinny 2000
  fixup protocol smtp 25
  fixup protocol sqlnet 1521
  fixup protocol tftp 69
  names
  access-list outside_access_in permit icmp any any
  access-list allow_ping permit icmp any any echo-reply
  access-list allow_ping permit icmp any any unreachable
  access-list allow_ping permit icmp any any time-exceeded
  access-list INSIDE-IN permit tcp interface inside interface outside
  access-list INSIDE-IN permit udp any any eq domain
  access-list INSIDE-IN permit tcp any any eq www
  access-list INSIDE-IN permit tcp any any eq ftp
  access-list INSIDE-IN permit icmp any any echo
  access-list INSIDE-IN permit tcp any any eq https
  access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.240.0 255.255.255.0
  access-list swanton_splitTunnelAcl permit ip any any
  access-list outside_cryptomap_dyn_20 permit ip any 192.168.240.0 255.255.255.0
  no pager
  mtu outside 1500
  mtu inside 1500
  ip address outside 192.168.1.150 255.255.255.0
  ip address inside 192.168.0.35 255.255.255.0
  ip audit info action alarm
  ip audit attack action alarm
  ip local pool VPN_Pool 192.168.240.1-192.168.240.254
  pdm location 0.0.0.0 255.255.255.0 outside
  pdm location 192.168.1.26 255.255.255.255 outside
  pdm location 192.168.240.0 255.255.255.0 outside
  pdm logging informational 100
  pdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_outbound_nat0_acl
  nat (inside) 1 192.168.0.0 255.255.255.0 0 0
  access-group outside_access_in in interface outside
  access-group INSIDE-IN in interface inside
  route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
  timeout xlate 0:05:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
  timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout sip-disconnect 0:02:00 sip-invite 0:03:00
  timeout uauth 0:05:00 absolute
  aaa-server TACACS+ protocol tacacs+
  aaa-server TACACS+ max-failed-attempts 3
  aaa-server TACACS+ deadtime 10
  aaa-server RADIUS protocol radius
  aaa-server RADIUS max-failed-attempts 3
  aaa-server RADIUS deadtime 10
  aaa-server LOCAL protocol local
  http server enable
  http 192.168.0.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server community public
  no snmp-server enable traps
  floodguard enable
  sysopt connection permit-ipsec
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map client authentication LOCAL
  crypto map outside_map interface outside
  isakmp enable outside
  isakmp identity address
  isakmp policy 20 authentication pre-share
  isakmp policy 20 encryption des
  isakmp policy 20 hash md5
  isakmp policy 20 group 2
  isakmp policy 20 lifetime 86400
  vpngroup swanton address-pool VPN_Pool
  vpngroup swanton dns-server 192.168.1.1
  vpngroup swanton split-tunnel swanton_splitTunnelAcl
  vpngroup swanton idle-time 1800
  vpngroup swanton password ********
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd address 192.168.0.36-192.168.0.254 inside
  dhcpd dns 8.8.8.8 8.8.4.4
  dhcpd lease 3600
  dhcpd ping_timeout 750
  dhcpd auto_config outside
  dhcpd enable inside
  username scott password hwDnqhIenLiwIr9B encrypted privilege 15
  username norm password ET3skotcnISwb3MV encrypted privilege 2
  username tarmbrecht password Zre8euXN6HxXaSdE encrypted privilege 2
  username jlillevik password 9JMTvNZm3dLhQM/W encrypted privilege 2
  username ruralogic password 49ikl05C8VE6k1jG encrypted privilege 15
  username bzeiter password 1XjpdpkwnSENzfQ0 encrypted privilege 2
  username mwalla password l5frk9obrNMGOiOD encrypted privilege 2
  username heavyfab1 password 6.yy0ys7BifWsa9k encrypted privilege 2
  username heavyfab3 password 6.yy0ys7BifWsa9k encrypted privilege 2
  username heavyfab2 password 6.yy0ys7BifWsa9k encrypted privilege 2
  username djet password wj13fSF4BPQzUzB8 encrypted privilege 2
  username cmorgan password y/NeUfNKehh/Vzj6 encrypted privilege 2
  username cmayfield password Pe/felGx7VQ3I7ls encrypted privilege 2
  username jeffg password zQEQceRITRrO4wJa encrypted privilege 2
  terminal width 80
  Cryptochecksum:9005f35a85fa5fe31dab579bbb1428c8
  : end
  [OK]
  Any help will be greatly appreciated

  Bj,
  Are you trying to access network resources behind the inside interface?
  ip address inside 192.168.0.35 255.255.255.0
  If so, please make the following changes:
  1- access-list SWANTON_VPN_SPLIT permit ip 192.168.0.0 255.255.255.0 192.168.240.0 255.255.255.0
  2- no vpngroup swanton split-tunnel swanton_splitTunnelAcl
          vpngroup swanton split-tunnel SWANTON_VPN_SPLIT
  3- no access-list outside_cryptomap_dyn_20 permit ip any 192.168.240.0 255.255.255.0
  4- isakmp nat-traversal 30
  Let me know how it goes.
  Portu.
  Please rate any helpful posts   

• Unable to access mapped network drive, DFS

  TL;DR: Unable to map a network drive on one particular computer, except if circumventing DFS.
  OK - So I have exhausted all my options in this matter, so all suggestions are welcome. 
  Keep in mind the file system is DFS.
  1. User has been set up the same as our other users in Active Directory.
  2. Most network drives are connected via GPO. They are mapped via\\company.local\common\
  3. The users' home folder is connected via setting in AD -> Profile -> Home folder -> 
  Connect X: To \\company.local\homedir\username
  4. When the user logs on, all network drives defined in GPO are mapped OK, but the X: which is defined via "Home folder" in AD, is not connected. When trying to map it manually, we get "Access denied".
  5. If the user tries the complete path via Explorer: \\company.local\homedir\username - Error 0x80004005 Unspecified error occurs. We have googled this particular code but found nothing that applies to us.
  6. If the user tries the complete path to the folder on the actual file server, circumventing DFS, the home folder is mapped OK.
  Strange thing is: This only happens on this particular computer. If users logs on to another computer, in the same domain, receiving the same GPO etc. The X: is mapped fine via \\company.local\homedir\username
  Also if another user logs on to the problematic computer they also cannot access their X: on \\company.local\homedir\username
  So we tried updating the WLAN/LAN drivers to no avail. Might there be any settings on the network adapters that might cause this?
  Kthxbai

  If other computer has the same policy ("Send NTLMv2 response only. Refuse LM"), it should not be the cause.
  I agree that all clients should have the same Group Policy but sometimes the group policy may not be applied correctly on a client which causes issues. Thus you can try a "gpupdate /force" and see if issue persists. 
  Also you can test to access \\company.local to see if it will success. Try \\rootserver as well if it is different as DFS folder target. 
  As the issue only occurs on a specific client, maybe we can have a try with re-join domain.
  If you have any feedback on our support, please send to [email protected]

• Cannot access internal network after Tiger upgrade

  I've just upgraded an eMac (1.25GHz, 768MB) from 10.3.9 to 10.4.6. Although I can get online, access Mail and all applications, I cannot access the internal network at all.
  I've updated to 10.4.9, but still no luck. I've restarted, logged in as a different user, logged out and in again, removed the 'com.apple.networkconfig.plist' file from the 'Library/Preferences' folder, but still doesn't work.
  I can see all the aliases to the other machines on the network in the sidebar, but clicking on them brings up a message "The alias xxxx could not be opened, because the original alias could not be found.".
  Other machines can see this on on the network. File Sharing is turned on.
  Any thoughts, I'm tearing my hair out a bit!
  Powerbook G4   Mac OS X (10.4.8)  

  no good, is an afpmounter error, i solved it with an
  Archive and Install
  http://docs.info.apple.com/article.html?artnum=107120-en
  maybe someone have a solution..
  i think is an error during the update (i had the same from panther to tiger)
  with A&I and half-hour, your machine work perfectly.

• Unable to access LAN behind RV042 from QUICK VPN Client once it connects

  Hi,
  Very recently, we had implemented Site-to-Site VPN tunnel between two Linksys RV042 4-port VPN routers. Everybody in our remote site is accessing and sharing the data through this tunnel and it is working fine.
  Now, we have a plan to implement the same for our mobile clients also. For this, we had followed all the basic configuration procedures and user got connected to Quick VPN tunnel. Here is a problem we had observed. The mobile client user is connected to the tunnel, but unable to access the office LAN from the PC.
  What's the problem in configuration? What i have to do?
  Thanks
  VC Gundapaneni

  Hi There.
  have a look over here.
  http://www.linksysinfo.org/index.php?threads/netbios-issues-with-vpn.16170/

• Routing and Remote access - internal network not accessing internet through public network!

  Hello,
  Good Evening to all.
  I got an issue in routing and remote access on windows 2003 server.  This server is already configured as File server, domain server and Application server. Also configured as router (through routing & remote access) for connecting three different
  network to each other. So This server has three NIC card installed and each NIC card represent separate network.
  three different network are - 192.42.160.0/24 , 192.42.161.0/24, 192.42.162.0/24
  Three NIC card installed on server as with following IP address -
  NIC -1 = 192.42.160.220 , Sub- 255.255.255.0 , Gateway - NO
  NIC -2 = 192.42.161.220 , Sub- 255.255.255.0 , Gateway - 192.161.220.112 (This ip for internet access so 4g router IP)
  NIC -3 = 192.42.162.220,  , Sub- 255.255.255.0 , Gateway - NO
  Now the issue is I can reach to internet & (also pinging to router ip 192.42.161.112) from only one network that is - 192.42.161.0/24 , BUT when I trying to access internet from another two network (192.42.160.0/24 & 192.42.162.0/24) I cant access
  it and moreover can't ping to internet router ip - 192.42.161.112...
  So how I can access to internet from other two network also? 
  I was already configured static routing for all three network but still I was not success. really I don't know what exactly static routing it should be done in routing & remote access so that all three network can reach to internet?
  Sorry if I am not able to explain properly. Please let me know if you need more explain on this...
  Thanks to all.

  Dear Milos,
  I am happy to hear from you....
  1.- Actually the setup was done long before by another guy and right now I don't want to change it. 
  Nice to hear from you! Thank you so much. Actually this is first time I am using technet forum upon the suggestion from one of the my friend. So any your help from you will help me a great in this issue...
  I ran the route print command and given follow are the results.
  I have only added the default route as per the below routes. Please guide me know how to add other static routes for three network.
  D:\Documents and Settings\Administrator>route print
  IPv4 Route Table
  ===========================================================================
  Interface List
  0x1 ........................... MS TCP Loopback interface
  0x2 ...00 30 05 ad 8f 5c ...... Broadcom NetXtreme Gigabit Ethernet - Teefer2 Mi
  niport
  0x3 ...00 0e 0c a7 c4 f8 ...... Intel(R) PRO/1000 GT Desktop Adapter - Teefer2 M
  iniport
  0x4 ...00 0e 0c a7 c5 85 ...... Intel(R) PRO/1000 GT Desktop Adapter #2 - Teefer
  2 Miniport
  ===========================================================================
  ===========================================================================
  Active Routes:
  Network Destination        Netmask          Gateway       Interface  Metric
            0.0.0.0          0.0.0.0   192.42.161.112   192.42.161.220      1
          127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
       192.42.160.0    255.255.255.0   192.42.160.220   192.42.160.220     20
     192.42.160.220  255.255.255.255        127.0.0.1        127.0.0.1     20
     192.42.160.255  255.255.255.255   192.42.160.220   192.42.160.220     20
       192.42.161.0    255.255.255.0   192.42.161.220   192.42.161.220     20
     192.42.161.220  255.255.255.255        127.0.0.1        127.0.0.1     20
     192.42.161.255  255.255.255.255   192.42.161.220   192.42.161.220     20
       192.42.162.0    255.255.255.0   192.42.162.220   192.42.162.220     20
     192.42.162.220  255.255.255.255        127.0.0.1        127.0.0.1     20
     192.42.162.255  255.255.255.255   192.42.162.220   192.42.162.220     20
          224.0.0.0        240.0.0.0   192.42.160.220   192.42.160.220     20
          224.0.0.0        240.0.0.0   192.42.161.220   192.42.161.220     20
          224.0.0.0        240.0.0.0   192.42.162.220   192.42.162.220     20
    255.255.255.255  255.255.255.255   192.42.160.220   192.42.160.220      1
    255.255.255.255  255.255.255.255   192.42.161.220   192.42.161.220      1
    255.255.255.255  255.255.255.255   192.42.162.220   192.42.162.220      1
  Default Gateway:    192.42.161.112
  ===========================================================================
  Persistent Routes:
    None
  Regards & Thanks
  Mahesh

• Unable to access Internal HTTPS through VPN conn

  Anytime I have internal websites with HTTPS connections that do not have valid certificates, our VPN users are unable to make a connection. The wireshark trace shows acknowlegement number = broken TCP.  I have run Packet Tracer and it shows a problem on my DMZ???? not sure why as the traffic flow is inside to inside interface. I am at a total lost as to why...
  +++++++++++++++++++++++++++++++
  ASA 5520 with 8.4(1) code
  VPN Addressing = 172.25.17.0/24
  HTTP Server = 172.18.2.13 (port 8443)
  Can ping by IP Address or by server name
  Can access site internally after responding to the Certificate Warning
  ++++++++++++++++++++++++++++
  Any help is greatly appreciated!
  Dave

  Hi,
  The NAT configuration mentioned in your screencapture is the configuration that causes all traffic from the VPN users to be diverted to the "HomeOffice" interface because "any any" is configured
  You would either have to make the above rule more specific by removing the "any any" and adding the actual networks
  OR
  You could add a new rule BEFORE the above mentioned NAT configurations
  I am not sure what the real local interface "nameif" is (the one where the server IP is actually located) but you would need this kind of configurations
  object network SERVER
  host 172.18.2.13
  object network VPN-POOL
  subnet 172.25.17.0 255.255.255.0
  nat (serverint,outside2) 1 source static SERVER SERVER destination static VPN-POOL VPN-POOL
  The above rule should match the traffic from the VPN-POOL to the SERVER. The number "1" seen in the CLI format configurations means that it would be added to the top of the rules. The "serverint" is meant to mean the actual name of the interface where the server is located as I presume that its not located behind the "HomeOffice"
  - Jouni

• VPN Connects but unable to access internal devices

  Thank you in advance for any assistance that can be provided.
  I am using AnyConnect to create a VPN with an ASA 5505.  Once connected, the client needs to access a device behind a 1941 router.
  Internally, (not using VPN), all my routing is working correctly.  My VPN client can connect and when I put a route on my 1941 router, I am able to ping that particular device.  But my VPN client cannot appear to ping anything else, either the devices on the same internal range as the ASA 5505 or anything past the 1941.
  VPN Client                                      ASA 5505                                      Workstation                    1941 Router                        Far Device
  192.168.201.20 ----->   Outside IP x.x.x.x // Internal 192.168.101.1          192.168.101.56        192.168.101.2 // 192.168.8.1          192.168.8.150
  Client connects and get IP from ASA
                                                                                                          Cannot ping this                                                            Cannot ping this
                                                                                                                                             Can ping internal IP of 1941
                                                                                                                                              *(after creating a static route)
  I have been playing around with my configuration extensively to try and make this work.  Split-tunneling is enabled and is required.
  Here is my current config:
  hostnameMYHOST
  enable password mUUvr2NINofYuSh2 encrypted
  passwd UNDrnIuGV0tAPtz2 encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  switchport access vlan 7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.101.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address x.x.x.x 255.255.0.0
  interface Vlan7
  no forward interface Vlan1
  nameif DMZ
  security-level 20
  ip address 137.57.183.1 255.255.255.0
  ftp mode passive
  clock timezone MST -7
  dns domain-lookup outside
  object-group network obj_any_dmz
  access-list nonat extended permit ip 192.168.101.0 255.255.255.0 any
  access-list nonat extended permit ip 192.168.201.0 255.255.255.0 any
  access-list split-tunneling standard permit 192.168.101.0 255.255.255.0
  pager lines 24
  logging enable
  logging buffered debugging
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  mtu DMZ 1500
  ip local pool Internal_Range 192.168.101.125-192.168.101.130 mask 255.255.255.0
  ip local pool vpn_pool 192.168.201.20-192.168.201.30 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (outside) 10 interface
  nat (inside) 0 access-list nonat
  nat (inside) 1 0.0.0.0 0.0.0.0
  nat (DMZ) 10 137.57.183.0 255.255.255.0
  route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
  route inside 192.168.8.0 255.255.255.0 192.168.101.2 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  http server enable 64000
  http 0.0.0.0 0.0.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto ca trustpoint ASDM_TrustPoint1
  enrollment self
  subject-name CN=MYHOST
  keypair ClientX_cert
  crl configure
  crypto ca certificate chain ASDM_TrustPoint1
  certificate 0f817951
      308201e7 30820150 a0030201 0202040f 81795130 0d06092a 864886f7 0d010105
      05003038 31173015 06035504 03130e41 494d452d 56504e2d 42415455 53311d30
      1b06092a 864886f7 0d010902 160e4149 4d452d56 504e2d42 41545553 301e170d
      31333036 32373137 32393335 5a170d32 33303632 35313732 3933355a 30383117
      30150603 55040313 0e41494d 452d5650 4e2d4241 54555331 1d301b06 092a8648
      86f70d01 0902160e 41494d45 2d56504e 2d424154 55533081 9f300d06 092a8648
      86f70d01 01010500 03818d00 30818902 818100c9 ff840bf4 cfb8d394 2c940430
      1887f25a 49038aa0 1299cf10 bda2a436 227dcdbf f1c5566b c35c2f19 8b3514d3
      4e24f5b1 c8840e8c 60e2b39d bdc0082f 08cce525 97ffefba d42bb087 81b9adb9
      db0a8b2f b643e651 d17cd6f8 f67297f2 d785ef46 c3acbb39 615e1ef1 23db072c
      783fe112 acd6dc80 dc38e94b 6e56fe94 d59d5d02 03010001 300d0609 2a864886
      f70d0101 05050003 8181007e 29e90ea0 e337976e 9006bc02 402fd58a a1d30fe8
      b2c1ab49 a1828ee0 488d1d2f 1dc5d150 3ed85f09 54f099b2 064cd622 dc3d3821
      fca46c69 62231fd2 6e396cd1 7ef586f9 f41205af c2199174 3c5ee887 42b684c9
      7f4d2045 4742adb5 d70c3805 4ad13191 8d802bbc b2bcd8c7 8eec111b 761d89f3
      63ebd49d 30dd06f4 e0fa25
    quit
  crypto isakmp enable outside
  crypto isakmp policy 40
  authentication pre-share
  encryption aes-256
  hash sha
  group 5
  lifetime 86400
  telnet timeout 5
  ssh 0.0.0.0 0.0.0.0 inside
  ssh 0.0.0.0 0.0.0.0 DMZ
  ssh timeout 10
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
  ssl trust-point ASDM_TrustPoint1 outside
  webvpn
  enable outside
  svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
  svc enable
  group-policy ClientX_access internal
  group-policy ClientX_access attributes
  dns-server value 4.2.2.2
  vpn-tunnel-protocol svc
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value split-tunneling
  default-domain value access.local
  address-pools value vpn_pool
  ipv6-address-pools none
  webvpn
    svc mtu 1406
    svc rekey time none
    svc rekey method ssl
  username ClientX password ykAxQ227nzontdIh encrypted privilege 15
  username ClientX attributes
  vpn-group-policy ClientX_access
  service-type admin
  tunnel-group ClientX type remote-access
  tunnel-group ClientX general-attributes
  address-pool Internal_Range
  default-group-policy ClientX_access
  tunnel-group SSLClientProfile type remote-access
  tunnel-group SSLClientProfile general-attributes
  default-group-policy ClientX_access
  tunnel-group ClientX_access type remote-access
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:da38065247f7334a5408b7ada3af29ae
  : end

  ok, lets go on ... ;-)
  Split-Tunneling: The ACL must include all networks you want to reach through the VPN:
  access-list split-tunneling standard permit 192.168.101.0 255.255.255.0
  access-list split-tunneling standard permit 192.168.8.0   255.255.255.0
  NAT: Don't use "any" in the nat-exemption, but specify all traffic that should not be natted:
  access-list nonat extended permit ip 192.168.101.0 255.255.255.0 192.168.201.0 255.255.255.0
  access-list nonat extended permit ip 192.168.8.0   255.255.255.0 192.168.201.0 255.255.255.0
  Routing: The 1941 needs a route for the vpn-pool pointing to the ASA (just in case there is no default route to the ASA)
  Don't stop after you've improved your network! Improve the world by lending money to the working poor:
  http://www.kiva.org/invitedby/karsteni