Unable to access secondary subnet via VPN

I am having a problem with clients accessing a secondary subnet via VPN.
Clients on VPN are given an address on the 192.168.15.0 subnet. Once connected they can access 192.168.16.0 (Production subnet) fine, but are unable to access the 192.168.8.0 secondary subnet. If you are on the 192.168.16.0 subnet in the office you can access the 192.168.8.0 subnet fine. The traffic is coming in via an ASA 5510, then traverses a Juniper firewall and an MPLS router to the secondary subnet. I'm not sure if it's a NAT issue or not. Any help would be helpful.
Below is the config of the ASA. Thank you in advance.
ASA Version 8.2(5)
hostname charlotte
domain-name tg.local
enable password v4DuEgO1ZTlkUiaA encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.254.0 Peak10 description Peak10
name 192.168.116.0 Charlotte_Phones description Charlotte_Phones
name 192.168.15.0 Charlotte_SSL_VPN_Clients description Charlotte_SSL_VPN_Clients
name 192.168.17.0 Charlotte_Wireless_Data description Charlotte_Wireless_Data
name 192.168.117.0 Charlotte_Wireless_Phones description Charlotte_Wireless_Phones
name 192.168.5.0 Huntersville description Huntersville
name 192.168.16.1 SRX_Gateway description Juniper_SRX
name 192.168.108.0 Canton_Data description Canton_Data
name 192.168.8.0 Canton_Phones description Canton_Phones
name 192.168.9.0 Canton_Wireless_Data description Canton_Wireless_Data
name 192.168.109.0 Canton_Wireless_Phones description Canton_Wireless_Phones
name 192.168.16.4 TEST_IP description TEST_IP
name 192.168.16.2 CantonGW description Canton GW 192.168.16.2
name 192.168.5.1 HuntersvilleGW
name 10.176.0.0 RS_Cloud description 10.176.0.0/12
name 172.16.8.0 RS_172.16.8.0
name 172.16.48.0 RS_172.16.48.0
name 172.16.52.0 RS_172.16.52.0
name 10.208.0.0 RS_Cloud_New
name 10.178.0.0 RS_10.178.0.0 description Rackspace DEV servers
name 10.178.0.6 RS_10.178.0.6
name 172.16.20.0 RS_172.16.20.0
interface Ethernet0/0
nameif Outside
security-level 0
ip address 70.63.165.219 255.255.255.248
interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.16.202 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
banner login ASA Login - Unauthorized access is prohibited
banner login ASA Login - Unauthorized access is prohibited
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Outside
dns domain-lookup Inside
dns domain-lookup management
dns server-group DefaultDNS
name-server 192.168.16.122
name-server 8.8.8.8
domain-name tg.local
dns server-group defaultdns
name-server 192.168.16.122
domain-name tg.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_2
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object Canton_Phones 255.255.255.0
object-group network DM_INLINE_NETWORK_3
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object Huntersville 255.255.255.0
object-group network DM_INLINE_NETWORK_4
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object Huntersville 255.255.255.0
object-group network DM_INLINE_NETWORK_10
network-object RS_Cloud 255.240.0.0
network-object 172.16.0.0 255.255.252.0
network-object RS_172.16.8.0 255.255.252.0
network-object RS_172.16.48.0 255.255.252.0
network-object RS_172.16.52.0 255.255.252.0
network-object RS_Cloud_New 255.240.0.0
network-object RS_10.178.0.0 255.255.0.0
network-object RS_172.16.20.0 255.255.252.0
network-object 172.16.0.0 255.255.0.0
network-object Canton_Phones 255.255.255.0
object-group network DM_INLINE_NETWORK_7
network-object RS_Cloud 255.240.0.0
network-object 172.16.0.0 255.255.252.0
network-object RS_172.16.8.0 255.255.252.0
network-object RS_172.16.48.0 255.255.240.0
network-object RS_172.16.52.0 255.255.252.0
network-object RS_Cloud_New 255.240.0.0
network-object RS_10.178.0.0 255.255.0.0
network-object RS_172.16.20.0 255.255.252.0
network-object 172.16.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_8
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object Charlotte_Wireless_Data 255.255.255.0
network-object Canton_Data 255.255.255.0
network-object Canton_Phones 255.255.255.0
object-group network DM_INLINE_NETWORK_9
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object Charlotte_Wireless_Data 255.255.255.0
network-object Canton_Data 255.255.255.0
network-object Canton_Phones 255.255.255.0
object-group network DM_INLINE_NETWORK_11
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object Charlotte_Wireless_Data 255.255.255.0
object-group network DM_INLINE_NETWORK_12
network-object RS_Cloud 255.240.0.0
network-object 172.16.0.0 255.255.252.0
network-object RS_172.16.8.0 255.255.252.0
network-object RS_172.16.20.0 255.255.252.0
network-object 172.16.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_13
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object Charlotte_Wireless_Data 255.255.255.0
network-object Canton_Phones 255.255.255.0
network-object Canton_Data 255.255.255.0
network-object Canton_Wireless_Data 255.255.255.0
object-group network DM_INLINE_NETWORK_14
network-object RS_Cloud 255.240.0.0
network-object RS_172.16.48.0 255.255.252.0
network-object RS_172.16.52.0 255.255.252.0
network-object RS_Cloud_New 255.240.0.0
network-object RS_10.178.0.0 255.255.0.0
network-object RS_172.16.20.0 255.255.252.0
network-object 172.16.0.0 255.255.0.0
network-object 172.16.0.0 255.255.252.0
object-group network DM_INLINE_NETWORK_5
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object Charlotte_Wireless_Data 255.255.255.0
network-object Canton_Phones 255.255.255.0
network-object Canton_Data 255.255.255.0
network-object Canton_Wireless_Data 255.255.255.0
object-group network DM_INLINE_NETWORK_6
network-object RS_Cloud 255.240.0.0
network-object RS_Cloud_New 255.240.0.0
network-object 172.16.0.0 255.255.252.0
network-object RS_172.16.8.0 255.255.252.0
network-object RS_172.16.20.0 255.255.252.0
network-object 172.16.0.0 255.255.0.0
network-object Canton_Phones 255.255.255.0
object-group network tgnc074.tg.local
object-group icmp-type DM_INLINE_ICMP_1
icmp-object echo
icmp-object echo-reply
icmp-object traceroute
icmp-object unreachable
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp eq https
object-group icmp-type DM_INLINE_ICMP_2
icmp-object echo
icmp-object echo-reply
icmp-object traceroute
icmp-object unreachable
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
object-group service DM_INLINE_SERVICE_3
service-object ip
service-object icmp echo
service-object icmp echo-reply
object-group network DM_INLINE_NETWORK_1
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
object-group service DM_INLINE_SERVICE_4
service-object ip
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
object-group service DM_INLINE_SERVICE_5
service-object ip
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
object-group network DM_INLINE_NETWORK_15
network-object Canton_Data 255.255.255.0
network-object host CantonGW
object-group service DM_INLINE_SERVICE_6
service-object ip
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
object-group service DM_INLINE_SERVICE_7
service-object ip
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_2 Charlotte_SSL_VPN_Clients 255.255.255.0 any
access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_5 host SRX_Gateway Charlotte_SSL_VPN_Clients 255.255.255.0
access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_7 Charlotte_SSL_VPN_Clients 255.255.255.0 host SRX_Gateway
access-list Inside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list Inside_access_in remark Permit all in Char_ORD_VPN
access-list Inside_access_in extended permit ip object-group DM_INLINE_NETWORK_7 object-group DM_INLINE_NETWORK_8
access-list Inside_access_in remark Permit all out Char_ORD_VPN
access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_9 object-group DM_INLINE_NETWORK_10
access-list Inside_access_in extended permit ip Charlotte_SSL_VPN_Clients 255.255.255.0 any
access-list Inside_access_in remark Permit all in Char_ORD_VPN
access-list Inside_access_in remark Permit all out Char_ORD_VPN
access-list Inside_access_in extended permit ip object-group DM_INLINE_NETWORK_9 object-group DM_INLINE_NETWORK_10 log disable
access-list Tunneled_Network_List standard permit 192.168.16.0 255.255.255.0
access-list Tunneled_Network_List standard permit Charlotte_Phones 255.255.255.0
access-list Tunneled_Network_List standard permit Charlotte_Wireless_Data 255.255.255.0
access-list Tunneled_Network_List standard permit Charlotte_Wireless_Phones 255.255.255.0
access-list Tunneled_Network_List standard permit Peak10 255.255.255.0
access-list Tunneled_Network_List standard permit Canton_Data 255.255.255.0
access-list Tunneled_Network_List standard permit Canton_Phones 255.255.255.0
access-list Tunneled_Network_List standard permit Canton_Wireless_Data 255.255.255.0
access-list Tunneled_Network_List standard permit Canton_Wireless_Phones 255.255.255.0
access-list Tunneled_Network_List standard permit Huntersville 255.255.255.0
access-list Tunneled_Network_List standard permit 172.16.0.0 255.255.252.0
access-list Tunneled_Network_List standard permit RS_172.16.8.0 255.255.252.0
access-list Tunneled_Network_List standard permit RS_Cloud 255.240.0.0
access-list Tunneled_Network_List standard permit RS_Cloud_New 255.240.0.0
access-list Tunneled_Network_List standard permit RS_172.16.20.0 255.255.252.0
access-list Tunneled_Network_List standard permit Charlotte_SSL_VPN_Clients 255.255.255.0
access-list Tunneled_Network_List standard permit 172.16.0.0 255.255.0.0
access-list Inside_nat0_outbound extended permit ip Charlotte_SSL_VPN_Clients 255.255.255.0 object-group DM_INLINE_NETWORK_2
access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_11 object-group DM_INLINE_NETWORK_12
access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6
access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
access-list Limited_Access extended permit ip Charlotte_SSL_VPN_Clients 255.255.255.0 host TEST_IP
access-list Limited__VPN_Acccess_List standard permit host 192.168.16.123
access-list Limited__VPN_Acccess_List standard permit Huntersville 255.255.255.0
access-list Limited__VPN_Acccess_List standard permit host 192.168.16.124
access-list Limited__VPN_Acccess_List standard permit 192.168.16.0 255.255.255.0
access-list Limited__VPN_Acccess_List standard permit host 172.16.8.52
access-list Limited__VPN_Acccess_List standard permit Canton_Phones 255.255.255.0
access-list Limited__VPN_Acccess_List remark ORD-VM-DEV1
access-list Limited__VPN_Acccess_List standard permit host RS_10.178.0.6
access-list Limited__VPN_Acccess_List remark ORD-VM-DEV2
access-list Limited__VPN_Acccess_List standard permit host 10.178.192.103
access-list Limited__VPN_Acccess_List standard permit host 192.168.8.10
access-list Limited__VPN_Acccess_List standard permit RS_172.16.8.0 255.255.252.0
access-list Limited__VPN_Acccess_List standard permit 172.16.0.0 255.255.0.0
access-list Limited__VPN_Acccess_List standard permit host 10.178.133.26
access-list Limited__VPN_Acccess_List standard permit RS_Cloud_New 255.240.0.0
access-list Limited__VPN_Acccess_List standard permit host CantonGW
access-list Limited__VPN_Acccess_List standard permit host SRX_Gateway
access-list Limited__VPN_Acccess_List standard permit host 192.168.8.1
access-list Limited__VPN_Acccess_List standard permit RS_Cloud 255.240.0.0
access-list Limited__VPN_Acccess_List standard permit any
access-list Limited__VPN_Acccess_List remark TGTFS
access-list Limited__VPN_Acccess_List remark TGDEV
access-list Limited__VPN_Acccess_List remark TGTFS
access-list Limited__VPN_Acccess_List remark TGDEV
access-list Outside_cryptomap extended permit ip 192.168.16.0 255.255.255.0 Huntersville 255.255.255.0
access-list Outside_cryptomap extended permit ip Huntersville 255.255.255.0 Charlotte_SSL_VPN_Clients 255.255.255.0
access-list Huntersville_nat_outbound extended permit ip Charlotte_SSL_VPN_Clients 255.255.255.0 Huntersville 255.255.255.0
access-list Huntersville_nat_outbound extended permit ip Huntersville 255.255.255.0 Charlotte_SSL_VPN_Clients 255.255.255.0
access-list Huntersville_nat_outbound extended permit ip Canton_Phones 255.255.255.0 Charlotte_SSL_VPN_Clients 255.255.255.0
access-list Huntersville_nat_outbound extended permit ip Charlotte_SSL_VPN_Clients 255.255.255.0 Canton_Phones 255.255.255.0
access-list Outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6
access-list Outside_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_13 object-group DM_INLINE_NETWORK_14
access-list Outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_2 log disable
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any Charlotte_SSL_VPN_Clients 255.255.255.0
access-list Outside_access_in extended permit ip Huntersville 255.255.255.0 any log disable
access-list Outside_access_in extended permit ip Charlotte_SSL_VPN_Clients 255.255.255.0 any log disable
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_4 host SRX_Gateway Charlotte_SSL_VPN_Clients 255.255.255.0 inactive
access-list Outside_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6
access-list Outside_cryptomap_2 extended permit ip 192.168.16.0 255.255.255.0 RS_172.16.20.0 255.255.252.0
access-list Canton_nat_outbound extended permit object-group DM_INLINE_SERVICE_6 Charlotte_SSL_VPN_Clients 255.255.255.0 object-group DM_INLINE_NETWORK_15
access-list splitacl standard permit 192.168.16.0 255.255.255.0
pager lines 24
logging enable
logging console emergencies
logging monitor informational
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool SSL_VPN_Pool 192.168.15.10-192.168.15.254 mask 255.255.255.0
ip local pool New_VPN_Pool 192.168.16.50-192.168.16.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Inside
no asdm history enable
arp timeout 14400
nat (Outside) 0 access-list Huntersville_nat_outbound
nat (Inside) 0 access-list Inside_nat0_outbound
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 70.63.165.217 1
route Inside Canton_Phones 255.255.255.0 CantonGW 1
route Inside Canton_Wireless_Data 255.255.255.0 CantonGW 1
route Inside Charlotte_SSL_VPN_Clients 255.255.255.0 SRX_Gateway 1
route Inside Charlotte_Wireless_Data 255.255.255.0 SRX_Gateway 1
route Inside Canton_Data 255.255.255.0 CantonGW 1
route Inside Canton_Wireless_Phones 255.255.255.0 CantonGW 1
route Inside Charlotte_Phones 255.255.255.0 SRX_Gateway 1
route Inside 192.168.116.219 255.255.255.255 CantonGW 1
route Inside Charlotte_Wireless_Phones 255.255.255.0 SRX_Gateway 1
route Inside Peak10 255.255.255.0 SRX_Gateway 1
timeout xlate 3:00:00
timeout conn 8:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record TGAD_AccessPolicy
aaa-server TGAD protocol ldap
aaa-server TGAD (Inside) host 192.168.16.122
ldap-base-dn DC=tg,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=vpn user,CN=Users,DC=tg,DC=local
server-type microsoft
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa local authentication attempts max-fail 10
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.16.0 255.255.255.0 Inside
http Charlotte_SSL_VPN_Clients 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map0 1 match address Outside_cryptomap
crypto map Outside_map0 1 set pfs
crypto map Outside_map0 1 set peer 74.218.175.168
crypto map Outside_map0 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map0 2 match address Outside_cryptomap_2
crypto map Outside_map0 2 set peer 192.237.229.119
crypto map Outside_map0 2 set transform-set ESP-3DES-MD5
crypto map Outside_map0 3 match address Outside_cryptomap_1
crypto map Outside_map0 3 set peer 174.143.192.65
crypto map Outside_map0 3 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map0 interface Outside
crypto map Inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Inside_map interface Inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=charlotte
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
subject-name CN=charlotte
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint1
certificate 48676150
  quit
crypto isakmp enable Outside
crypto isakmp enable Inside
crypto isakmp policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 170
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 5
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh 172.221.228.164 255.255.255.255 Outside
ssh Charlotte_SSL_VPN_Clients 255.255.255.0 Inside
ssh 192.168.16.0 255.255.255.0 Inside
ssh timeout 5
console timeout 0
management-access Inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint1 Outside
webvpn
enable Outside
enable Inside
anyconnect-essentials
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1 regex "Windows NT"
svc enable
group-policy DfltGrpPolicy attributes
dns-server value 192.168.16.122 8.8.8.8
vpn-idle-timeout none
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Limited__VPN_Acccess_List
default-domain value tg.local
split-dns value tg.local
group-policy LimitedAccessGroupPolicy internal
group-policy LimitedAccessGroupPolicy attributes
wins-server none
dns-server value 192.168.16.122 8.8.8.8
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Limited__VPN_Acccess_List
default-domain value thinkgate.local
split-tunnel-all-dns disable
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
vpn-tunnel-protocol IPSec
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
wins-server none
dns-server value 192.168.16.122 8.8.8.8
vpn-tunnel-protocol svc
default-domain value tg.local
group-policy Site-to-Site_Policy internal
group-policy Site-to-Site_Policy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
default-group-policy LimitedAccessGroupPolicy
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool SSL_VPN_Pool
tunnel-group LimitedAccessTunnelGroup type remote-access
tunnel-group LimitedAccessTunnelGroup general-attributes
address-pool SSL_VPN_Pool
default-group-policy LimitedAccessGroupPolicy
tunnel-group 208.104.76.178 type ipsec-l2l
tunnel-group 208.104.76.178 ipsec-attributes
pre-shared-key *****
tunnel-group 74.218.175.168 type ipsec-l2l
tunnel-group 74.218.175.168 ipsec-attributes
pre-shared-key *****
tunnel-group TGAD_ConnectionProfile type remote-access
tunnel-group TGAD_ConnectionProfile general-attributes
authentication-server-group TGAD
default-group-policy GroupPolicy1
tunnel-group 174.143.192.65 type ipsec-l2l
tunnel-group 174.143.192.65 general-attributes
default-group-policy GroupPolicy2
tunnel-group 174.143.192.65 ipsec-attributes
pre-shared-key *****
tunnel-group 192.237.229.119 type ipsec-l2l
tunnel-group 192.237.229.119 ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:ef741b4905b43dc36d0f621e06508840
: end
charlotte#

What does the packet-tracer say, what do the IPsec associations say (packets encrypted/decrypted)?
This might be faster than going through your hundreds of lines of config.
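
A static cross-check of the Inside_nat0_outbound list from the posted configuration, as an added example that is not part of the original thread: it expands the name aliases and object-group network members and reports which entries cover a given source and destination subnet. The function names are illustrative, and only "extended permit ip" entries are handled.

```python
import ipaddress

# Excerpt of the configuration posted above: only the names, object-groups
# and entries behind access-list Inside_nat0_outbound (other lines omitted).
CONFIG = """\
name 192.168.15.0 Charlotte_SSL_VPN_Clients description Charlotte_SSL_VPN_Clients
name 192.168.17.0 Charlotte_Wireless_Data description Charlotte_Wireless_Data
name 192.168.108.0 Canton_Data description Canton_Data
name 192.168.8.0 Canton_Phones description Canton_Phones
name 192.168.9.0 Canton_Wireless_Data description Canton_Wireless_Data
name 10.176.0.0 RS_Cloud description 10.176.0.0/12
name 172.16.8.0 RS_172.16.8.0
name 10.208.0.0 RS_Cloud_New
name 172.16.20.0 RS_172.16.20.0
object-group network DM_INLINE_NETWORK_2
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object Canton_Phones 255.255.255.0
object-group network DM_INLINE_NETWORK_11
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object Charlotte_Wireless_Data 255.255.255.0
object-group network DM_INLINE_NETWORK_12
network-object RS_Cloud 255.240.0.0
network-object 172.16.0.0 255.255.252.0
network-object RS_172.16.8.0 255.255.252.0
network-object RS_172.16.20.0 255.255.252.0
network-object 172.16.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_5
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object Charlotte_Wireless_Data 255.255.255.0
network-object Canton_Phones 255.255.255.0
network-object Canton_Data 255.255.255.0
network-object Canton_Wireless_Data 255.255.255.0
object-group network DM_INLINE_NETWORK_6
network-object RS_Cloud 255.240.0.0
network-object RS_Cloud_New 255.240.0.0
network-object 172.16.0.0 255.255.252.0
network-object RS_172.16.8.0 255.255.252.0
network-object RS_172.16.20.0 255.255.252.0
network-object 172.16.0.0 255.255.0.0
network-object Canton_Phones 255.255.255.0
object-group network DM_INLINE_NETWORK_1
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
access-list Inside_nat0_outbound extended permit ip Charlotte_SSL_VPN_Clients 255.255.255.0 object-group DM_INLINE_NETWORK_2
access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_11 object-group DM_INLINE_NETWORK_12
access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6
access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
"""


def parse_acls(config):
    """Map ACL name -> [(src_networks, dst_networks)] for 'extended permit ip' entries."""
    names, groups, acls, current = {}, {}, {}, None

    def network(addr, mask):
        return ipaddress.ip_network(f"{names.get(addr, addr)}/{mask}", strict=False)

    def take(tokens):
        # Consume one address specification from the front of the token list.
        head = tokens.pop(0)
        if head == "object-group":
            return groups[tokens.pop(0)]
        if head == "any":
            return [ipaddress.ip_network("0.0.0.0/0")]
        if head == "host":
            return [network(tokens.pop(0), "255.255.255.255")]
        return [network(head, tokens.pop(0))]

    for line in config.splitlines():
        tok = line.split() or [""]
        if tok[0] == "name":
            names[tok[2]] = tok[1]          # alias -> address
        elif tok[:2] == ["object-group", "network"]:
            current = groups.setdefault(tok[2], [])
        elif tok[0] == "network-object" and current is not None:
            current.extend(take(tok[1:]))
        elif tok[0] == "access-list" and tok[2:5] == ["extended", "permit", "ip"]:
            rest = tok[5:]
            # Source is consumed first, then destination (left-to-right evaluation).
            acls.setdefault(tok[1], []).append((take(rest), take(rest)))
    return acls


def matching_entries(acls, acl_name, src, dst):
    """1-based positions of the entries in acl_name that cover src -> dst."""
    s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    return [i for i, (srcs, dsts) in enumerate(acls.get(acl_name, []), 1)
            if any(s.subnet_of(n) for n in srcs)
            and any(d.subnet_of(n) for n in dsts)]


if __name__ == "__main__":
    acls, vpn = parse_acls(CONFIG), "192.168.15.0/24"
    for lan in ("192.168.16.0/24", "192.168.8.0/24"):
        print(lan, matching_entries(acls, "Inside_nat0_outbound", vpn, lan),
              matching_entries(acls, "Inside_nat0_outbound", lan, vpn))
```

On this excerpt, traffic from the VPN pool toward either subnet matches an entry and traffic from either subnet back toward the VPN pool matches none, so this list treats 192.168.16.0 and 192.168.8.0 alike; packet-tracer on the ASA shows what the device actually does with the flow.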

Similar Messages

  • Unable to access secondary subnet from VPN client

    Please can someone help with the following; I have an ASA 5510 running v8.4(3)9 and have set up a remote user VPN using the Cisco VPN client v5.0.07.0410, which is working apart from the fact that I cannot access resources on a secondary subnet.
    The setup is as follows:
    ASA inside interface on 192.168.10.240
    VPN clients on 192.168.254.x
    I can access resources on the 192.168.10 subnet but not any other subnets internally. I need to specifically allow access to the 192.168.20 subnet, but I cannot figure out how to do this. Please advise; the config is below:
    Result of the command: "show startup-config"
    ASA Version 8.4(3)9
    hostname blank
    domain-name
    enable password encrypted
    passwd encrypted
    names
    dns-guard
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 255.255.255.224
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.10.240 255.255.255.0
    interface Ethernet0/2
    nameif DMZ
    security-level 50
    ip address 10.10.10.253 255.255.255.0
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    boot system disk0:/asa843-9-k8.bin
    boot system disk0:/asa823-k8.bin
    ftp mode passive
    clock timezone GMT/BST 0
    clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
    dns domain-lookup outside
    dns domain-lookup inside
    dns server-group DefaultDNS
    name-server 194.168.4.123
    name-server 194.168.8.123
    domain-name nifcoeu.com
    object network obj-192.168.0.0
    subnet 192.168.0.0 255.255.255.0
    object network obj-192.168.5.0
    subnet 192.168.5.0 255.255.255.0
    object network obj-192.168.10.0
    subnet 192.168.10.0 255.255.255.0
    object network obj-192.168.100.0
    subnet 192.168.100.0 255.255.255.0
    object network obj-192.168.254.0
    subnet 192.168.254.0 255.255.255.0
    object network obj-192.168.20.1
    host 192.168.20.1
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network obj_any-01
    subnet 0.0.0.0 0.0.0.0
    object network obj-0.0.0.0
    host 0.0.0.0
    object network obj_any-02
    subnet 0.0.0.0 0.0.0.0
    object network obj-10.10.10.1
    host 10.10.10.1
    object network obj_any-03
    subnet 0.0.0.0 0.0.0.0
    object network obj_any-04
    subnet 0.0.0.0 0.0.0.0
    object network obj_any-05
    subnet 0.0.0.0 0.0.0.0
    object network NS1000_EXT
    host 80.4.146.133
    object network NS1000_INT
    host 192.168.20.1
    object network SIP_REGISTRAR
    host 83.245.6.81
    object service SIP_INIT_TCP
    service tcp destination eq sip
    object service SIP_INIT_UDP
    service udp destination eq sip
    object network NS1000_DSP
    host 192.168.20.2
    object network SIP_VOICE_CHANNEL
    host 83.245.6.82
    object service DSP_UDP
    service udp destination range 6000 40000
    object service DSP_TCP
    service tcp destination range 6000 40000
    object network 20_range_subnet
    subnet 192.168.20.0 255.255.255.0
    description Voice subnet
    object network 25_range_Subnet
    subnet 192.168.25.0 255.255.255.0
    description VLAN 25 client PC devices
    object-group network ISP_NAT
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service SIP_INIT tcp-udp
    port-object eq sip
    object-group service DSP_TCP_UDP tcp-udp
    port-object range 6000 40000
    access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.254.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip object 20_range_subnet 192.168.254.0 255.255.255.0
    access-list Remote-VPN_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
    access-list Remote-VPN_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
    access-list 100 extended permit object-group TCPUDP object SIP_REGISTRAR object NS1000_INT object-group SIP_INIT
    access-list 100 extended permit object-group TCPUDP object SIP_VOICE_CHANNEL object NS1000_DSP object-group DSP_TCP_UDP
    access-list 100 extended permit ip 62.255.171.0 255.255.255.224 any
    access-list 100 extended permit icmp any any echo-reply inactive
    access-list 100 extended permit icmp any any time-exceeded inactive
    access-list 100 extended permit icmp any any unreachable inactive
    access-list 100 extended permit tcp any host 10.10.10.1 eq ftp
    access-list 100 extended permit tcp any host 10.10.10.1 eq ftp-data
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    mtu management 1500
    ip local pool VPN-Pool 192.168.254.1-192.168.254.254 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-647.bin
    asdm history enable
    arp timeout 14400
    nat (inside,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.5.0 obj-192.168.5.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.100.0 obj-192.168.100.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.254.0 obj-192.168.254.0 no-proxy-arp route-lookup
    nat (outside,inside) source static SIP_REGISTRAR SIP_REGISTRAR destination static interface NS1000_INT service SIP_INIT_TCP SIP_INIT_TCP
    nat (outside,inside) source static SIP_REGISTRAR SIP_REGISTRAR destination static interface NS1000_INT service SIP_INIT_UDP SIP_INIT_UDP
    object network obj_any
    nat (inside,outside) dynamic interface
    object network obj_any-01
    nat (inside,outside) dynamic obj-0.0.0.0
    object network obj_any-02
    nat (inside,DMZ) dynamic obj-0.0.0.0
    object network obj-10.10.10.1
    nat (DMZ,outside) static 80.4.146.134
    object network obj_any-03
    nat (DMZ,outside) dynamic obj-0.0.0.0
    object network obj_any-04
    nat (management,outside) dynamic obj-0.0.0.0
    object network obj_any-05
    nat (management,DMZ) dynamic obj-0.0.0.0
    access-group 100 in interface outside
    route outside 0.0.0.0 0.0.0.0 80.4.146.129 1
    route inside 192.168.20.0 255.255.255.0 192.168.10.254 1
    route inside 192.168.25.0 255.255.255.0 192.168.10.254 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 192.168.10.0 255.255.255.0 inside
    http 192.168.25.0 255.255.255.0 inside
    http 62.255.171.0 255.255.255.224 outside
    http 192.168.254.0 255.255.255.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    subject-name CN=
    crl configure
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ca certificate chain ASDM_TrustPoint0
    certificate 2f0e024d
      quit
    crypto ca certificate chain _SmartCallHome_ServerCA
    certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
      quit
    crypto isakmp identity address
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet 192.168.1.0 255.255.255.0 management
    telnet timeout 5
    ssh 62.255.171.0 255.255.255.224 outside
    ssh 192.168.254.0 255.255.255.0 outside
    ssh 192.168.10.0 255.255.255.0 inside
    ssh 192.168.25.0 255.255.255.0 inside
    ssh timeout 5
    ssh version 2
    console timeout 0
    vpn-sessiondb max-other-vpn-limit 250
    vpn-sessiondb max-anyconnect-premium-or-essentials-limit 2
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 192.168.10.6 source inside prefer
    webvpn
    group-policy Remote-VPN internal
    group-policy Remote-VPN attributes
    wins-server value 192.168.10.21 192.168.10.22
    dns-server value 192.168.10.21 192.168.10.22
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Remote-VPN_splitTunnelAcl
    default-domain value
    username blank password blank encrypted privilege 0
    username blank attributes
    vpn-group-policy Remote-VPN
    username blank password encrypted privilege 0
    username blank attributes
      vpn-group-policy Remote-VPN
    tunnel-group Remote-VPN type remote-access
    tunnel-group Remote-VPN general-attributes
    address-pool VPN-Pool
    default-group-policy Remote-VPN
    tunnel-group Remote-VPN ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect sip 
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    contact-email-addr
    profile CiscoTAC-1
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:b8263c5aa7a6a4d9cb08368c042ea236

    Your config was missing a no-nat between your "192.168.20.0" and "obj-192.168.254.0"
    So, if you look at your config there is a no-nat for inside subnet "obj-192.168.10.0" as shown below.
    nat (inside,any) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.254.0 obj-192.168.254.0
    So all you have to do is create a no-nat for your second subnet, like I showed you before. The solution was already there in your config, but I guess you overlooked it.
    I hope that helps.
    Thanks
    Rizwan Rafeek
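The gap identified in the answer above (a split-tunnel network with no NAT exemption toward the VPN pool) can be found mechanically. This is an added example, not part of the original thread: a Python check that every network in the split-tunnel ACL is covered by an identity twice-NAT rule toward the pool. `SAMPLE_CONFIG` is a constructed excerpt of the posted 8.4 configuration, and `FIX_LINE` is an assumed correction modelled on the existing 192.168.10.0 rule.

```python
import ipaddress
import re

# Constructed excerpt, reduced from the ASA 8.4 configuration quoted in the thread.
SAMPLE_CONFIG = """\
object network obj-192.168.10.0
 subnet 192.168.10.0 255.255.255.0
object network obj-192.168.254.0
 subnet 192.168.254.0 255.255.255.0
object network 20_range_subnet
 subnet 192.168.20.0 255.255.255.0
 description Voice subnet
object network obj_any
 subnet 0.0.0.0 0.0.0.0
access-list Remote-VPN_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list Remote-VPN_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
ip local pool VPN-Pool 192.168.254.1-192.168.254.254 mask 255.255.255.0
nat (inside,any) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.254.0 obj-192.168.254.0 no-proxy-arp route-lookup
object network obj_any
 nat (inside,outside) dynamic interface
group-policy Remote-VPN attributes
 split-tunnel-network-list value Remote-VPN_splitTunnelAcl
"""

# Assumed correction (not quoted from the thread): same shape as the existing
# exemption, applied to the second subnet.
FIX_LINE = ("nat (inside,any) source static 20_range_subnet 20_range_subnet "
            "destination static obj-192.168.254.0 obj-192.168.254.0 "
            "no-proxy-arp route-lookup\n")
FIXED_CONFIG = SAMPLE_CONFIG + FIX_LINE

OBJECT_RE = re.compile(r"^object network (\S+)$")
MEMBER_RE = re.compile(r"^(?:subnet|host) ([\d.]+)(?: ([\d.]+))?$")
ACL_RE = re.compile(r"^access-list (\S+) standard permit ([\d.]+) ([\d.]+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) ([\d.]+)-[\d.]+ mask ([\d.]+)$")
SPLIT_RE = re.compile(r"^split-tunnel-network-list value (\S+)$")
NAT_RE = re.compile(r"^nat \([^,\s]+,[^)\s]+\) source static (\S+) (\S+) "
                    r"destination static (\S+) (\S+)")


def to_network(address, mask):
    """Build a network from an address and dotted mask (host bits ignored)."""
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)


def parse(config):
    """Collect objects, standard ACLs, pools, split-tunnel ACL names, identity NAT."""
    objects, acls, pools, split_acls, identity = {}, {}, {}, set(), []
    current = None  # object whose sub-commands are being read
    for raw in config.splitlines():
        line = raw.strip()  # pasted configs often lose their indentation
        if m := OBJECT_RE.match(line):
            current = m.group(1)
            continue
        if current and (m := MEMBER_RE.match(line)):
            objects[current] = to_network(m.group(1), m.group(2) or "255.255.255.255")
            continue
        if not line.startswith("description"):
            current = None
        if m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append(to_network(m.group(2), m.group(3)))
        elif m := POOL_RE.match(line):
            pools[m.group(1)] = to_network(m.group(2), m.group(3))
        elif m := SPLIT_RE.match(line):
            split_acls.add(m.group(1))
        elif m := NAT_RE.match(line):
            src, src_mapped, dst, dst_mapped = m.groups()
            # Identity twice NAT: real and mapped objects are the same.
            if src == src_mapped and dst == dst_mapped:
                identity.append((src, dst))
    exemptions = [(objects[s], objects[d]) for s, d in identity
                  if s in objects and d in objects]
    return acls, pools, split_acls, exemptions


def missing_exemptions(config):
    """Return (inside network, pool name) pairs with no NAT exemption."""
    acls, pools, split_acls, exemptions = parse(config)
    missing = []
    for acl in sorted(split_acls):
        for inside in acls.get(acl, []):
            for pool_name, pool in sorted(pools.items()):
                covered = any(inside.subnet_of(src) and pool.subnet_of(dst)
                              for src, dst in exemptions)
                if not covered:
                    missing.append((str(inside), pool_name))
    return missing


if __name__ == "__main__":
    print("before:", missing_exemptions(SAMPLE_CONFIG))
    print("after: ", missing_exemptions(FIXED_CONFIG))
```

The check only models manual `source static ... destination static` rules; exemptions expressed another way are not recognised.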

  • Accessing a subnet via VPN session

    Hi everybody.
    I do not have much experience configuring and managing VPNs, and at the moment I am facing a bit of an issue. I've got a remote site which is connected to the headquarters via a site-to-site IPsec VPN tunnel. When I am in my office I have no problem reaching the remote network, but when I try to connect to the remote network via the VPN client, I can't reach it.
    In the remote office I've got a Router 3800 (Cisco IOS Software, 3800 Software (C3845-ADVENTERPRISEK9-M), Version 12.4(13c), RELEASE SOFTWARE (fc2)); in the headquarters I've got an ASA 5520 Version 8.0(3). I've checked the access lists and network objects, and everything seems OK.
    local network: 10.30.0.0 0.0.0.0
    remote network 10.31.0.0 0.0.0.0
    ASA
    object-group network remote-network
    network-object 172.16.27.0 255.255.255.0
    network-object 10.31.0.0 255.255.0.0
    object-group network network-local
    network-object 0.0.0.0 0.0.0.0
    access-list VPN_Remote_Access_splitTunnelAcl standard permit 10.31.0.0 255.255.0.0
    Router 3800
    ip access-list extended vpn
      permit ip 10.31.0.0 0.0.255.255 any
    Can someone guide me about what is missing in the config? no problem if you need more "sho run" lines.
    Regards and Thanks very much!!

    Hi Ankur, thanks very much for your reply!
    this is the "sho run" in my remote router:
    I do not understand your first question well, but if it is useful, I log in to headquarters at "headquerters public ip address".
    this is a simple diagram of where I want to connect to:
    REMOTE_SITE -------( vpn site to site IP sec tunnel )------- HEADQUARTERS
    (10.31.0.0/24 network)                                       (10.30.0.0/16 network)
                                                                       |
                                                                       |
                                                                  REMOTE USER
                                                                  (10.30.23.130/25)
    REMOTESITE#sho run
    Building configuration...
    Current configuration : 10834 bytes
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    hostname PYASU1ROU01
    boot-start-marker
    boot-end-marker
    logging buffered 64000 debugging
    no logging console
    aaa new-model
    aaa authentication login default group tac-auth local
    aaa authentication enable default group tac-auth enable
    aaa authorization console
    aaa authorization exec default group tac-auth local if-authenticated
    aaa authorization network default local
    aaa accounting exec default start-stop group tac-auth
    aaa session-id common
    clock timezone PR -3
    ip cef
    voice-card 0
    no dspfarm
    crypto pki trustpoint TP-self-signed-4112391703
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-4112391703
    revocation-check none
    rsakeypair TP-self-signed-4112391703
    crypto pki certificate chain TP-self-signed-4112391703
    certificate self-signed 01
      quit
    username admin privilege 15 secret 5 $1$P3xv$e99l3YcRWgFPEp/m6uXZg1
    username cwuser privilege 15 secret 5 $1$Ir9X$CZgLaFy7XKsmT9avFHTTk/
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    ip ssh version 2
    crypto keyring apex
      pre-shared-key address "headquerters public ip address"
    key apex
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp profile companyname
       keyring apex
       match identity address "headquerters public ip address"
    crypto ipsec transform-set esp-aes256-sha esp-aes 256 esp-sha-hmac
    crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
    crypto map outside 10 ipsec-isakmp
    set peer "headquerters public ip address"
    set transform-set 3DES
    set isakmp-profile companyname
    match address vpn-companyname
    interface Loopback1
    description monitoreo
    ip address 10.31.21.255 255.255.255.255
    interface GigabitEthernet0/0
    description Teysa
    ip address public ip address
    ip nat outside
    no ip virtual-reassembly
    load-interval 30
    duplex auto
    speed auto
    media-type rj45
    crypto map outside
    interface GigabitEthernet0/1
    description TO CORE-SW
    ip address 192.168.255.249 255.255.255.252
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    media-type rj45
    interface FastEthernet0/0/0
    switchport access vlan 2
    duplex full
    speed 100
    interface FastEthernet0/0/1
    switchport access vlan 10
    shutdown
    duplex full
    speed 100
    interface FastEthernet0/0/2
    switchport mode trunk
    shutdown
    interface FastEthernet0/0/3
    switchport access vlan 10
    shutdown
    duplex full
    speed 100
    interface Vlan1
    no ip address
    no ip http server
    ip http authentication aaa login-authentication default
    ip http authentication aaa exec-authorization default
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source route-map nat interface GigabitEthernet0/0 overload
    ip access-list extended nat
    deny   ip host 172.16.27.236 10.0.0.0 0.255.255.255
    deny   ip 10.31.0.0 0.0.255.255 10.0.0.0 0.255.255.255
    deny   ip 172.16.27.0 0.0.0.255 10.0.0.0 0.255.255.255
    permit ip 10.31.11.0 0.0.0.255 any
    permit ip 10.31.13.0 0.0.0.255 any
    permit ip 172.16.27.0 0.0.0.255 host 209.59.188.93
    permit ip 172.16.27.0 0.0.0.255 host 190.180.145.46
    permit ip 172.16.27.0 0.0.0.255 host 46.51.171.127
    permit ip 172.16.27.224 0.0.0.31 any
    ip access-list extended vpn-apex
    permit ip 10.50.20.0 0.0.1.255 any
    permit ip 172.16.27.0 0.0.0.255 any
    permit ip 10.31.0.0 0.0.255.255 any
    permit ip 10.30.0.0 0.0.255.255 any
    route-map nat permit 10
    match ip address nat
    control-plane
    line con 0
    password 7 xxxxxxxxxx
    stopbits 1
    line aux 0
    stopbits 1
    line vty 0 4
    password 7 xxxxxxxxxx
    scheduler allocate 20000 1000
    ntp server 10.30.5.38
    end
    REMOTESITE#
    Regards!

  • Unable to Access Company LAN via VPN

    Hello,
    I have an ASA 5505 that I have been using to test run the IPSec VPN connection. After studying the different configs and running through the ASDM, I keep getting the same issue: I can't receive any traffic.
    The company LAN is on a 10.8.0.0 255.255.0.0 network, I have placed the VPN clients in 192.168.10.0 255.255.255.0 network, the 192 clients can't talk to the 10.8 network.
    On the Cisco VPN client I can see lots of sent packets but none received.
    I think it could be to do with the NAT but from the examples I have seen I believe it should work.
    I have attached the complete running-config, as I could well have missed something.
    Many Thanks for any help on this...
    FWBKH(config)# show running-config           
    : Saved
    ASA Version 8.2(2)
    hostname FWBKH
    domain-name test.local
    enable password XXXXXXXXXXXXXXX encrypted
    passwd XXXXXXXXXXXXXXXX encrypted
    names
    name 9.9.9.9 zscaler-uk-network
    name 10.8.50.0 inside-network-it
    name 10.8.112.0 inside-servers
    name 17.7.9.10 fwbkh-out
    name 10.8.127.200 fwbkh-in
    name 192.168.10.0 bkh-vpn-pool
    interface Vlan1
    nameif inside
    security-level 100
    ip address fwbkh-in 255.255.0.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address fwbkh-out 255.255.255.248
    interface Vlan3
    nameif vpn
    security-level 100
    ip address 192.168.10.1 255.255.255.0
    interface Ethernet0/0
    interface Ethernet0/1
    switchport access vlan 2
    interface Ethernet0/2
    shutdown
    interface Ethernet0/3
    shutdown
    interface Ethernet0/4
    shutdown
    interface Ethernet0/5
    shutdown
    interface Ethernet0/6
    shutdown    
    interface Ethernet0/7
    shutdown
    banner login Trespassers will be Shot, Survivors will be Prosecuted!!!!
    banner motd Trespassers will be Shot, Survivors will be Prosecuted!!!!
    banner asdm Trespassers will be Shot, Survivors will be Prosecuted!!!!
    boot system disk0:/asa822-k8.bin
    ftp mode passive
    dns server-group DefaultDNS
    domain-name test.local
    object-group service DM_INLINE_TCP_2 tcp
    port-object eq www
    port-object eq https
    object-group service DM_INLINE_UDP_1 udp
    port-object eq 4500
    port-object eq isakmp
    object-group protocol DM_INLINE_PROTOCOL_1
    protocol-object ip
    protocol-object icmp
    protocol-object udp
    access-list inside_access_in extended permit tcp 10.8.0.0 255.255.0.0 any object-group DM_INLINE_TCP_2 log warnings inactive
    access-list inside_access_in extended permit ip inside-network-it 255.255.255.0 any inactive
    access-list inside_access_in extended permit tcp 10.8.0.0 255.255.0.0 host zscaler-uk-network eq www
    access-list inside_access_in extended permit ip inside-servers 255.255.255.0 any log warnings
    access-list USER-ACL extended permit tcp 10.8.0.0 255.255.0.0 any eq www
    access-list USER-ACL extended permit tcp 10.8.0.0 255.255.0.0 any eq https
    access-list outside_nat0_outbound extended permit ip bkh-vpn-pool 255.255.255.0 10.8.0.0 255.255.0.0
    access-list outside_access_in extended permit udp any host fwbkh-out object-group DM_INLINE_UDP_1 log errors inactive
    access-list inside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_1 10.8.0.0 255.255.0.0 any
    access-list inside_nat0_outbound_1 extended permit ip 10.8.0.0 255.255.0.0 bkh-vpn-pool 255.255.255.0
    access-list UK-VPN-USERS_splitTunnel extended permit ip 10.8.0.0 255.255.0.0 bkh-vpn-pool 255.255.255.0
    access-list UK-VPN-USERS_splitTunnel extended permit ip inside-servers 255.255.255.0 bkh-vpn-pool 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu vpn 1500
    ip local pool UK-VPN-POOL 192.168.10.10-192.168.10.60 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-631.bin
    no asdm history enable
    arp timeout 14400
    nat-control  
    global (inside) 1 interface
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound_1
    nat (inside) 1 10.8.0.0 255.255.0.0 dns
    nat (outside) 0 access-list outside_nat0_outbound outside
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 17.7.9.10 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable
    http 10.8.0.0 255.255.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint BKHFW
    enrollment self
    subject-name CN=FWBKH
    crl configure
    crypto ca certificate chain BKHFW
    certificate fc968750
        308201dd 30820146 a0030201 020204fc 96875030 0d06092a 864886f7 0d010105
        05003033 310e300c 06035504 03130546 57424b48 3121301f 06092a86 4886f70d 
        ccc6f3cb 977029d5 df42515f d35c0d96 798350bf 7472725c fb8cd64d 514dc9cb
        7f05ffb9 b3336388 d55576cc a3d308e1 88e14c1e 8bcb13e5 c58225ff 67144c53 f2
      quit
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 10.8.0.0 255.255.0.0 inside
    ssh timeout 30
    ssh version 2
    console timeout 0
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy UK-VPN-USERS internal
    group-policy UK-VPN-USERS attributes
    dns-server value 10.8.112.1 10.8.112.2
    vpn-tunnel-protocol IPSec svc
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value UK-VPN-USERS_splitTunnel
    default-domain value test.local
    address-pools value UK-VPN-POOL
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol webvpn
    username admin password XXXXXXXXXXXXXXXXX encrypted privilege 15
    username karl password XXXXXXXXXXXXXXX encrypted privilege 15
    tunnel-group UK-VPN-USERS type remote-access
    tunnel-group UK-VPN-USERS general-attributes
    address-pool UK-VPN-POOL
    default-group-policy UK-VPN-USERS
    tunnel-group UK-VPN-USERS ipsec-attributes
    pre-shared-key *****
    tunnel-group IT-VPN type remote-access
    tunnel-group IT-VPN general-attributes
    address-pool UK-VPN-POOL
    default-group-policy UK-VPN-USERS
    tunnel-group IT-VPN ipsec-attributes
    pre-shared-key *****
    class-map ALLOW-USER-CLASS
    match access-list USER-ACL
    class-map type inspect http match-all ALLOW-URL-CLASS
    match not request header from regex ALLOW-ZSGATEWAY
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map type inspect http ALLOW-URL-POLICY
    parameters
    class ALLOW-URL-CLASS
      drop-connection
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
      inspect ip-options
    policy-map ALLOW-USER-URL-POLICY
    class ALLOW-USER-CLASS
      inspect http
    service-policy global_policy global
    service-policy ALLOW-USER-URL-POLICY interface inside
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:00725d3158adc23e6a2664addb24fce1
    : end

    Hi Karl,
    Please make the following changes:
    ip local pool VPN_POOL_UK_USERS 192.168.254.1-192.168.254.254
    access-list inside_nat0_outbound_1 extended permit ip 10.8.0.0 255.255.0.0 192.168.254.0 255.255.255.0
    no nat (outside) 0 access-list outside_nat0_outbound outside
    access-list UK-VPN-USERS_SPLIT permit 10.8.0.0 255.255.0.0
    group-policy UK-VPN-USERS attributes
    split-tunnel-network-list value UK-VPN-USERS_SPLIT
    no access-list UK-VPN-USERS_splitTunnel extended permit ip 10.8.0.0 255.255.0.0 bkh-vpn-pool 255.255.255.0
    no access-list UK-VPN-USERS_splitTunnel extended permit ip inside-servers 255.255.255.0 bkh-vpn-pool 255.255.255.0
    access-list inside_access_in extended permit ip 10.8.0.0 255.255.255.0 192.168.254.0 255.255.255.0
    management-access inside
    As you can see, I did create a new pool, since you already have an interface in the 192.168.10.0/24 network, which does affect the VPN clients.
    Once you are done, connect the client and try:
    ping 10.8.127.200
    Does it work?
    Try to ping other internal IPs as well.
    Let me know how it goes.
    Portu.
    Please rate any helpful posts
    Message was edited by: Javier Portuguez
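The overlap pointed out in the reply above (a VPN pool carved from the same 192.168.10.0/24 network as an ASA interface) can be checked before a config is deployed. This is an added example, not from the thread: a Python check over 8.2-style config that resolves `name` aliases and flags any `ip local pool` range overlapping a connected interface network. `SAMPLE_82` is a constructed excerpt of the posted config plus the replacement pool from the reply.

```python
import ipaddress
import re

# Constructed excerpt of the ASA 8.2 configuration posted in the thread, with the
# replacement pool suggested in the reply appended as the last line.
SAMPLE_82 = """\
names
name 17.7.9.10 fwbkh-out
name 10.8.127.200 fwbkh-in
name 192.168.10.0 bkh-vpn-pool
interface Vlan1
 nameif inside
 security-level 100
 ip address fwbkh-in 255.255.0.0
interface Vlan2
 nameif outside
 security-level 0
 ip address fwbkh-out 255.255.255.248
interface Vlan3
 nameif vpn
 security-level 100
 ip address 192.168.10.1 255.255.255.0
ip local pool UK-VPN-POOL 192.168.10.10-192.168.10.60 mask 255.255.255.0
ip local pool VPN_POOL_UK_USERS 192.168.254.1-192.168.254.254
"""

ALIAS_RE = re.compile(r"^name ([\d.]+) (\S+)")
NAMEIF_RE = re.compile(r"^nameif (\S+)$")
ADDR_RE = re.compile(r"^ip address (\S+) ([\d.]+)")
RANGE_RE = re.compile(r"^ip local pool (\S+) ([\d.]+)-([\d.]+)")


def pools_overlapping_interfaces(config):
    """Return (pool, nameif, interface network) for every overlapping pair."""
    aliases, interfaces, pools = {}, [], []
    nameif = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := ALIAS_RE.match(line):
            aliases[m.group(2)] = m.group(1)
        elif line.startswith("interface "):
            nameif = None  # new interface block, nameif not yet seen
        elif m := NAMEIF_RE.match(line):
            nameif = m.group(1)
        elif (m := ADDR_RE.match(line)) and nameif:
            # The address may be a literal or an alias defined by "name".
            address = aliases.get(m.group(1), m.group(1))
            try:
                network = ipaddress.ip_network(f"{address}/{m.group(2)}", strict=False)
            except ValueError:
                continue  # unresolved alias or redacted address
            interfaces.append((nameif, network))
        elif m := RANGE_RE.match(line):
            pools.append((m.group(1),
                          ipaddress.ip_address(m.group(2)),
                          ipaddress.ip_address(m.group(3))))
    hits = []
    for pool, first, last in pools:
        for ifname, network in interfaces:
            # Two closed ranges overlap when each starts before the other ends.
            if first <= network.broadcast_address and last >= network.network_address:
                hits.append((pool, ifname, str(network)))
    return hits


if __name__ == "__main__":
    for pool, ifname, network in pools_overlapping_interfaces(SAMPLE_82):
        print(f"pool {pool} overlaps interface {ifname} ({network})")
```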

  • Windows 8.1 system unable to access network shares via VPN connection

    Is there something inherent to Windows 8.1 that prevents it from accessing shares on a domain?
    I know that it cannot join a domain, but does that also mean that it cannot access shares which are on a domain?
    My problem is that I have several users that are running Windows 8.1 and that are connecting to our network via a VPN.
    The users have domain accounts, but their computers, as Windows 8.1, cannot be joined to the domain.
    So to access network shares they have to use their domain credentials to create a VPN connection.
    Once connected the user can RDP to systems on the domain using their domain accounts, so I know that their user names/passwords and permissions are correct. They can access these systems using the computer name, so I don't feel that I have a DNS issue.
    They can see the shares on our file server, but when they try to access their department's shared file, they receive an access denied message. There are a few shares that are completely wide open, shared to all users and all departments, but they cannot access those shares either.
    You can ping the file server from the client when they are connected to the VPN, but you just cannot access any of the shares.
    So...
    I am thinking that it has something to do with Windows 8.1 and not being able to join a domain, but I cannot find anything to explicitly support this thought.
    Other users running a variety of different OSes (Windows 7, OSX, Linux) can all access the shares without any problems via the VPN, so I am a little stumped.

    I have done some more testing and oddly enough I can map a drive if I use the IP address, but not the computer name, when checking the check box "connect using different credentials" and providing the user's domain credentials.
    This seems to point to a DNS issue, one would think, but I can hit the file share server by name \\fileserver.dev.lan
    I can see all the shares, so DNS seems to be fine, right?
    So I don't understand why I can map a drive using the IP address and not the machine name, but yet I can see and ping the server by name?
    When I try to create a mapped drive by machine name I receive the following message:
    Windows cannot access \\fileserver.dev.lan\all
    You do not have permissions to access \\fileserver.dev.lan. contact your network administrator  to request access.
    But if I use the \\x.x.x.x\all using the very same user and password I get connected with no problem.
    This only seems to happen on Windows 8.1, which leads me to think that it has something to do with the OS.
    I am thinking about upgrading to Windows 8.1 Pro, but I don't want to go through the hassle and expense if the OS is not the problem.

  • Unable to access Standalone VM via Remote Desktop through a VPN

    Good Morning everyone, now here is my problem.
    My company is a small software development house and we test our software on Win 7 or 8 VMs running on standalone (i.e. not on the domain) VMs. We are running the VMs on WS2012 R2 Hyper-V and when we are inside the building we are able to Remote Desktop onto these VMs directly without any problem. The problem comes when we want to RD onto the VMs when working from home via the VPN. When we try to connect to the VMs via RD through the VPN, the Remote Desktop Connection fails with the following alert: "Remote Desktop can't find the computer '[Computers Name]'. This might mean that '[Computers Name]' does not belong to the specified network. Verify the computer name and domain that you are trying to connect to." The only way I can connect to the VMs is by going onto the host server and accessing the VMs via Hyper-V Manager and using it that way.
    Now when I try to connect to a VM that is running on the Domain via the VPN I connect without any problems at all.
    So my question is why can I connect to standalone VM's via RD without any problems when in the office but when I am at home via VPN I can't but I can connect to VM's on the domain without any problems? What do I need to do to make this work?
    Phil

    Hi Darren,
    I have just tested it and when at work I can ping by name a named server and the standalone VM without any problems.
    But when I connect from the outside via the VPN I am still able to ping by name a named server but not the stand alone server. Nor can I ping the IP address of the standalone VM although I can connect to a standalone VM using its IP address via RDC
    Phil

  • Unable to access/lan2lan ping from VPN Fortigate to Cisco ASA 5505

    Problem : Unable to access user A to user B
    User A --- router A (122, fortigate 80c) --- (Site to Site VPN between fortigate & cisco asa) --- router B (93, cisco Asa 5505{in front asa got cisco800[81] before to internet} )  --- User B
    After using wizard to configure the cisco ASA site to site VPN, the site-to-site tunnel is up.
    Ping is unsuccessful from user A to user B
    Ping is successful from user B to user A, data is accessible
    After running the packet tracer from user A to user B,
    Result :
    Flow-lookup
    Action : allow
    Info: Found no matching flow, creating a new flow
    Route-lookup
    Action : allow
    Info : 192.168.5.203 255.255.255.255 identity
    Access-list
    Action : drop
    Config Implicit Rule
    Result - The packet is dropped
    Input Interface : inside
    Output Interface : NP Identify Ifc
    Info: (acl-drop)flow is denied by configured rule
    Below is Cisco ASA 5505's show running-config
    ASA Version 8.2(1)
    hostname Asite
    domain-name ssms1.com
    enable password ZZZZ encrypted
    passwd WWWW encrypted
    names
    name 82 B-firewall description Singapore office firewall
    name 192.168.1.0 B-inside-subnet description Singapore office internal LAN IP
    name 192.168.200.0 A-inside-VLAN12 description A-inside-VLAN12 (fortinet)
    name 192.168.2.0 fw-inside-subnet description A office internal LAN IP
    name 122 A-forti
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.5.203 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 93 255.255.255.240
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/7
    ftp mode passive
    dns server-group DefaultDNS
    domain-name ssms1.com
    object-group network obj_any
    network-object 0.0.0.0 0.0.0.0
    access-list inside_nat0_outbound extended permit ip any 80 255.255.255.240
    access-list inside_nat0_outbound extended permit ip fw-inside-subnet 255.255.255.0 B-inside-subnet 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 A-inside-VLAN12 255.255.255.0
    access-list outside_cryptomap extended permit ip fw-inside-subnet 255.255.255.0 B-inside-subnet 255.255.255.0
    access-list Outside_nat-inbound extended permit ip A-inside-VLAN12 255.255.255.0 192.168.5.0 255.255.255.0
    access-list Outside_nat-inbound extended permit ip host A-forti 192.168.5.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 192.168.5.0 255.255.255.0 A-inside-VLAN12 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-631.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 101 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 101 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 81 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http B-inside-subnet 255.255.255.0 inside
    http fw-inside-subnet 255.255.255.0 inside
    http 0.0.0.0 255.255.255.255 outside
    http 0.0.0.0 0.0.0.0 outside
    http 192.168.5.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer A-forti
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map 2 match address outside_cryptomap
    crypto map outside_map 2 set peer B-firewall
    crypto map outside_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 20
    authentication pre-share
    encryption aes-192
    hash md5
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption aes-256
    hash md5
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 192.168.5.10-192.168.5.20 inside
    dhcpd dns 165 165 interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    username admin password XXX encrypted privilege 15
    tunnel-group 122 type ipsec-l2l
    tunnel-group 122 ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    class-map outside-class
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
      message-length maximum client auto
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect icmp
    policy-map outside-policy
    description ok
    class outside-class
      inspect dns
      inspect esmtp
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect icmp
      inspect icmp error
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect sip
      inspect skinny
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect xdmcp
    service-policy global_policy global
    service-policy outside-policy interface outside
    prompt hostname context
    Cryptochecksum: XXX
    : end
    Kindly need your expertise & help to solve the problem

    any1 can help me ?

  • Can't access management interface via vpn connection

    Hi all,
    I can't seem to be able to manage my ASA 5510 when I connect via VPN. My ASA sits at a remote colo, and from my office I can connect fine. I have it configured as management-access (dmz), because as of now we are just doing some staging and all the servers are in the dmz interface.
    When I connect with the VPN client, in the routes it sees 192.168.1.0 255.255.255.0, which is the management network/interface.
    For some reason I can't get access to 192.168.1.1 to use the ASDM.
    Here is how I did my VPN via CLI:
    isakmp enable outside
    isakmp identity address
    isakmp policy 10
    authentication pre-share
    encryption des
    hash md5
    group 2
    lifetime 86400
    ip local pool vpnpool 10.1.1.2-10.1.1.10
    access-list split_tunnel standard permit 192.168.200.0 255.255.255.0
    access-list split_tunnel standard permit 192.168.100.0 255.255.255.0
    access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
    group-policy xxxxx internal
    group-policy xxxxx attributes
    dns value
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split_tunnel
    username xxxxx password
    username xxxxxx attributes
    vpn-group-policy xxxx
    username xxxxxx password
    username xxxxxx attributes
    vpn-group-policy xxxx
    username xxxx password
    username xxxx attributes
    vpn-group-policy xxxx
    tunnel-group xxxx type ipsec-ra
    tunnel-group xxxx general-attributes
    address-pool vpnpool
    tunnel-group xxxx ipsec-attributes
    pre-shared-key
    access-list vpnra permit ip 192.168.200.0 255.255.255.0 10.1.1.0 255.255.255.0
    access-list vpnra permit ip 192.168.100.0 255.255.255.0 10.1.1.0 255.255.255.0
    access-list vpnra permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
    nat (inside) 0 access-list vpnra
    nat (dmz) 0 access-list vpnra
    nat (management) 0 access-list vprna
    crypto ipsec transform-set md5des esp-des esp-md5-hmac
    crypto dynamic-map dynomap 10 set transform-set md5des
    crypto map vpnpeer 20 ipsec-isakmp dynamic dynomap
    crypto map vpnpeer interface outside
    Any help would be much appreciated

    It seems like you are missing a line:
    management-access "interface"
    http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/m_711.html#wp1631964

  • Having trouble accessing wikis & blogs via VPN

    After I connect to our server via VPN when I'm outside of our network, I'm having trouble getting wiki and blog pages to open up. Currently I'm using the internal hostname to pull up the pages: ajax.private (we used the .private domain because it is an internal server only).
    So, when I type in: ajax.private into the browser, the page starts to load and I can see the graphics starting to load, but it never finishes loading. Likewise, if I try and access the pages using the server's internal IP address, the same thing happens. Am I doing something wrong here?
    My other services like ichat and ical are able to access and authenticate using the FQDN of ajax.private

    You'd have to provide a lot more details of the setup to have any hope of a useful response. You don't even say what kind of VPN it is. What does the network admin at work say?

  • Is symbian or windows mobile better to access mac shares via vpn?

    I am considering a smart phone purchase in the next few months, and I would like to be able to browse my server via vpn from the phone the same way I can with my Palm LifeDrive. I think Symbian or Windows Mobile are my best OS choices for a phone, and I was wondering if anyone has actual experience with this. Do they use PPTP or L2TP? At this point, the iPhone cannot edit documents, so it is not a consideration, but I am also curious if it allows for this type of remote browsing through a VPN.
    Thank you for any help that you can offer.
    Michael

  • Unable to access cisco asa via https or asdm!! connection interrupted message appears on the browser

    Hey guys,
    I am unable to access the Cisco ASA device using HTTPS and cannot launch ASDM, after a recent power failure at our location. I have ASDM installed on my machine and whenever I try to access the ASDM, I receive Error: unable to launch device manager from X.X.X.X. The following is the log from the Java console:
    Trying for ASDM version file; url = https://x.x.x.x/admin/
    javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
    When I try to access it from the browser, it shows the error message
    "The connection was interrupted"
    I am running CISCO ASA 8.3 (1)
    with asdm image as asdm 7.1.3
    JAVA version installed Java 7 update 71
    I have added the https:> to exception site list and set security level to medium,
    even ssh access is not working !!
    I would appreciate if anyone can help me out!!
    Thanks
    Fareed

    Hey lcaruso,
    Thanks for the information!!
    I was able to connect through console as suggested and regenerated the RSA key. I was able to connect through SSH, but the issue with the ASDM or web access was not resolved.
    I have tried a few of the steps as suggested on
    https://supportforums.cisco.com/document/49741/asa-pixfwsm-unable-manage-unit-sshtelnetasdm#collect_captures
    capture output 
    ZHHFP-FIREWALL1(config)# sh cap capin
    139 packets captured
       1: 18:50:17.654720 802.1Q vlan#1 P0 192.168.160.113.58084 > 192.168.160.126.8
    443: S 2567327150:2567327150(0) win 8192 <mss 1260,nop,wscale 8,nop,nop,sackOK>
       2: 18:50:17.654812 802.1Q vlan#1 P0 192.168.160.126.8443 > 192.168.160.113.58
    084: S 590825877:590825877(0) ack 2567327151 win 8192 <mss 1380>
       3: 18:50:17.655621 802.1Q vlan#1 P0 192.168.160.113.58084 > 192.168.160.126.8
    443: . ack 590825878 win 65520
       4: 18:50:17.656078 802.1Q vlan#1 P0 192.168.160.113.58084 > 192.168.160.126.8
    443: P 2567327151:2567327332(181) ack 590825878 win 65520
       5: 18:50:17.656139 802.1Q vlan#1 P0 192.168.160.126.8443 > 192.168.160.113.58
    084: . ack 2567327332 win 8192
       6: 18:50:17.656475 802.1Q vlan#1 P0 192.168.160.126.8443 > 192.168.160.113.58
    084: FP 590825878:590825878(0) ack 2567327332 win 8192
       7: 18:50:17.657696 802.1Q vlan#1 P0 192.168.160.113.58084 > 192.168.160.126.8
    443: . ack 590825879 win 65520
       8: 18:50:17.657802 802.1Q vlan#1 P0 192.168.160.113.58084 > 192.168.160.126.8
    443: F 2567327332:2567327332(0) ack 590825879 win 65520
       9: 18:50:17.657848 802.1Q vlan#1 P0 192.168.160.126.8443 > 192.168.160.113.58
    084: . ack 2567327333 win 8192
      10: 18:50:17.658108 802.1Q vlan#1 P0 192.168.160.113.58085 > 192.168.160.126.8
    443: S 1351758892:1351758892(0) win 8192 <mss 1260,nop,wscale 8,nop,nop,sackOK>
    Also, I have downgraded Java to 1.6_45 but still no luck.
    The error message I received on the Java console:
    Trying for IDM. url=https://x.x.x.x/idm/idm.jnlp/
    javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
    at com.cisco.launcher.w.a(Unknown Source)
    at com.cisco.launcher.s.for(Unknown Source)
    at com.cisco.launcher.s.new(Unknown Source)
    at com.cisco.launcher.s.access$000(Unknown Source)
    at com.cisco.launcher.s$2.a(Unknown Source)
    at com.cisco.launcher.g$2.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
    Caused by: java.io.EOFException: SSL peer shut down incorrectly
    at sun.security.ssl.InputRecord.read(Unknown Source)
    ... 15 more
    Any help would be highly appreciated!!
    Thanks
    Fareed 
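
The capture in the post above can be read mechanically. The following is an added example, not part of the original thread and not Cisco tooling: it rejoins the wrapped `sh cap capin` lines and reports which side closes each TCP flow first. The names `unwrap`, `summarize`, `verdict` and `Flow` are made up for this example; the sample input is the first eight packets from the post.

```python
import re
from dataclasses import dataclass
from typing import Optional

# First eight packets of the "sh cap capin" output in the post, wrapped as posted.
CAPTURE = """\
   1: 18:50:17.654720 802.1Q vlan#1 P0 192.168.160.113.58084 > 192.168.160.126.8
443: S 2567327150:2567327150(0) win 8192 <mss 1260,nop,wscale 8,nop,nop,sackOK>
   2: 18:50:17.654812 802.1Q vlan#1 P0 192.168.160.126.8443 > 192.168.160.113.58
084: S 590825877:590825877(0) ack 2567327151 win 8192 <mss 1380>
   3: 18:50:17.655621 802.1Q vlan#1 P0 192.168.160.113.58084 > 192.168.160.126.8
443: . ack 590825878 win 65520
   4: 18:50:17.656078 802.1Q vlan#1 P0 192.168.160.113.58084 > 192.168.160.126.8
443: P 2567327151:2567327332(181) ack 590825878 win 65520
   5: 18:50:17.656139 802.1Q vlan#1 P0 192.168.160.126.8443 > 192.168.160.113.58
084: . ack 2567327332 win 8192
   6: 18:50:17.656475 802.1Q vlan#1 P0 192.168.160.126.8443 > 192.168.160.113.58
084: FP 590825878:590825878(0) ack 2567327332 win 8192
   7: 18:50:17.657696 802.1Q vlan#1 P0 192.168.160.113.58084 > 192.168.160.126.8
443: . ack 590825879 win 65520
   8: 18:50:17.657802 802.1Q vlan#1 P0 192.168.160.113.58084 > 192.168.160.126.8
443: F 2567327332:2567327332(0) ack 590825879 win 65520
"""

RECORD_START = re.compile(r"^\s*\d+:\s+\d\d:\d\d:\d\d\.\d+\s")
PACKET = re.compile(
    r"^\s*\d+:\s+(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.(?P<us>\d{6})\s+.*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFPR.]+)(?:\s+\d+:\d+\((?P<len>\d+)\))?(?P<rest>.*)$"
)

@dataclass
class Flow:
    client: tuple
    server: tuple
    state: str = "syn"                      # syn -> synack -> established
    client_bytes: int = 0
    server_bytes: int = 0
    client_data_us: Optional[int] = None    # time of the client's first payload
    first_close_by: Optional[str] = None    # "client" or "server"
    close_us: Optional[int] = None          # time of that first FIN/RST

def unwrap(text):
    """Rejoin records that the terminal wrapped onto a second line."""
    records = []
    for line in filter(str.strip, text.splitlines()):
        if RECORD_START.match(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] += line.strip()
    return records

def summarize(records):
    """Group packets into TCP flows (keyed on the bare SYN) and note who closes first."""
    flows = {}
    for m in filter(None, map(PACKET.match, records)):
        t_us = ((int(m["h"]) * 60 + int(m["m"])) * 60 + int(m["s"])) * 1_000_000 + int(m["us"])
        src, dst = (m["src"], int(m["sport"])), (m["dst"], int(m["dport"]))
        flags, length, has_ack = m["flags"], int(m["len"] or 0), "ack" in m["rest"].split()
        if "S" in flags and not has_ack:      # bare SYN: the sender is the client
            flows[(src, dst)] = Flow(src, dst)
            continue
        flow = flows.get((src, dst)) or flows.get((dst, src))
        if flow is None:                      # mid-stream packet, SYN not captured
            continue
        from_client = src == flow.client
        if "S" in flags:                      # SYN-ACK
            flow.state = "synack"
        elif flow.state == "synack" and from_client and has_ack:
            flow.state = "established"
        if length and from_client:
            flow.client_bytes += length
            flow.client_data_us = t_us if flow.client_data_us is None else flow.client_data_us
        elif length:
            flow.server_bytes += length
        if ("F" in flags or "R" in flags) and flow.first_close_by is None:
            flow.first_close_by, flow.close_us = ("client" if from_client else "server"), t_us
    return list(flows.values())

def verdict(flow):
    if flow.state != "established":
        return "handshake incomplete in capture"
    if flow.client_bytes and not flow.server_bytes and flow.first_close_by == "server":
        return "server closed without answering the client's first payload"
    return "no early server-side close"

if __name__ == "__main__":
    print([(f.client, f.server, verdict(f)) for f in summarize(unwrap(CAPTURE))])
```

On the posted packets this reports that 192.168.160.126:8443 completes the TCP handshake, receives the client's 181-byte first payload, and sends FIN 397 µs later without sending any data of its own, which matches the `Remote host closed connection during handshake` message on the Java console.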

  • Unable to access Internal HTTPS through VPN conn

    Anytime I have internal websites with HTTPS connections that do not have valid certificates, our VPN users are unable to make a connection. The Wireshark trace shows acknowledgement number = broken TCP.  I have run Packet Tracer and it shows a problem on my DMZ???? Not sure why, as the traffic flow is inside to inside interface. I am at a total loss as to why...
    +++++++++++++++++++++++++++++++
    ASA 5520 with 8.4(1) code
    VPN Addressing = 172.25.17.0/24
    HTTP Server = 172.18.2.13 (port 8443)
    Can ping by IP Address or by server name
    Can access site internally after responding to the Certificate Warning
    ++++++++++++++++++++++++++++
    Any help is greatly appreciated!
    Dave

    Hi,
    The NAT configuration mentioned in your screen capture is the configuration that causes all traffic from the VPN users to be diverted to the "HomeOffice" interface, because "any any" is configured.
    You would either have to make the above rule more specific by removing the "any any" and adding the actual networks
    OR
    You could add a new rule BEFORE the above-mentioned NAT configurations.
    I am not sure what the real local interface "nameif" is (the one where the server IP is actually located), but you would need this kind of configuration:
    object network SERVER
    host 172.18.2.13
    object network VPN-POOL
    subnet 172.25.17.0 255.255.255.0
    nat (serverint,outside2) 1 source static SERVER SERVER destination static VPN-POOL VPN-POOL
    The above rule should match the traffic from the VPN-POOL to the SERVER. The number "1" seen in the CLI format configurations means that it would be added to the top of the rules. The "serverint" is meant to mean the actual name of the interface where the server is located, as I presume that it's not located behind the "HomeOffice".
    - Jouni

  • Bridging identical subnets via VPN/IPsec

    We have a Cisco SB ISA550W, as does our client.
    We are using software from Rockwell for programming PLCs that absolutely requires the subnet of our programmers' laptops and the subnet of the PLC to be identical in order to connect to the PLC processors. Say the client is a 192.168.111.0 subnet. Say our office is a 192.168.222.0 network.
    I would like to configure a VLAN on a specific port of our ISA to 192.168.111.0 and I'm going to run an Ethernet cable from that port to the programmer's laptop. I'm going to statically program the LAN interface of the laptop with, say, 192.168.111.12 (an IP which I know to be available on the client's network and reserved for us in their DHCP server). Say the IP of the PLC processors on the client's network that we are wanting to connect to is 192.168.111.58.
    First, is this possible and is this the best way to do it? Second, should we use the Cisco AnyConnect client on our programmer's laptop to connect to their network, OR should I set up an IPsec tunnel between the gateways? We have a static IP on DSL, our client has a static IP with their satellite ISP.
    Comments, suggestions? Will this work? Am I going about this the right way?
    Thanks!
    Alex

    Unfortunately what you're wanting to accomplish is not feasible.  The reason is this.  What you're stating is that the Programmer and the PLC must be on the same physical network, which means they must be able to communicate at Layer 2.  However, the only time a device would send traffic to either your ISA or your client's ISA is if it requires Layer 3 routing, which means that the requestor is looking for something that is not on its own Layer 2 network.  I've been racking my brain trying to figure out a way to do this using VPNs, AnyConnect, NAT, etc. and I'm not coming up with one.  Most likely your only solution will be to have a device at your client's premise that you can remotely access via RDP, VNC, etc. and then leverage that device to program the PLC.
    Sorry I wish I had a better answer for you.
    Shawn Eftink
    CCNA/CCDA
    Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

  • WRT54G / upgraded firmware, unable to access across subnets

    Hi,
    I have a network with 10 WRT54G (v6)s.  Recently I upgraded the firmware on two units from 1.00.7 to the latest 1.02.2 and am experiencing some network weirdness.
    The wireless routers are connected via the LAN port to a linux router which is a firewall/bridge between subnets 10.1.3.x & 10.1.1.x.  I have rules in place to allow my workstation to http to the 10 routers and disallow everything else.  All of this is logged.
    I cannot from my workstation (10.1.1.x) access the web interface on the two units I upgraded the firmware on (10.1.3.x).  I can still access the web interface on the remaining units (10.1.3.x).
    I can however access the web interface from the same subnet to the newly upgraded units.
    I can see from the firewall log that the packet is making it out correctly and tcpdump verifies this.
    Does anybody have a clue what is going on?  I feel like it would be best to return to the previous firmware, but where do I find it???
    Thanks,
    Lee

    Hi Lee,
    logon to ftp://ftp.linksys.com/pub/network/ and download the previous firmware version and try downgrading the firmware...

  • Unable to access FTP Site via internet

    Hello All,
    Here is a problem that I'm facing accessing my home deployed FTP Server on Windows 2008 Server via internet. Below is the description of setup at my home.
    1. I've a private network behind D-link DSL 2750U router.
    2. I've forwarded Port 21 to my FTP Server in private network (FTP Server IP: 192.168.1.2)
    3. FTP Site is deployed in IIS 7.5 with Anonymous access rights (so obviously no username and password is required to access it).
    4. In IIS 7.5, FTP Site binding is set as "
    5. I'm able to access my ftp site within private network (via command prompt and any browser).
    6. I've registered a domain name ftp.tx-fr.tk for my FTP site so that I can use it from outside world and here are settings.
    7. I'm able to ping this (ftp.tx-fr.tk ) domain name.
    8. All firewalls are disabled for testing purpose (Will implement security later, once primary issue resolves).
    Now here is the problem, whenever I type in ftp://ftp.tx-fr.tk in my browsers,
    IE 9 and Chrome prompts for username and password, whereas Mozilla throws a message as "421 Login Incorrect".
    Same happens when I use command prompt to access the FTP site using domain name.
    Here is the funny part, when I'm prompted for username password, I typed in router's credentials (U:admin, P:admin) and I get
    "Internet Explorer cannot display the webpage" in IE 9, "421 Login Incorrect" in Mozilla.
    Whereas when CMD is used to access the site, I'm able to log in using router's credential but none of the command executes
    Now is there anyone who can assist me resolving this case?
    Kind regards,
    Aniruddha

    I would have asked in the IIS forums: http://forums.iis.net/
    Thanks
