VPN access to server ip question
Our office just had a macmini server installed with Snow Leopard server right up to date. It serves a LAN with 11 other Macs and several printers. The LAN is connected through Asante 24 port FriendlyNet GX5-424W switch which is behind a DSL Netopia 3346N-002K Modem. The router IP is 192.168.1.254, networked machines have IP's through DHCP and some are fixed. We have a fixed IP to the outside world xx.xx.x.xxx. I requested our consulted configure my MBP 10.6.5 for VPN through the system preferences network window to allow me to connect remotely to the server and/or LAN. After a couple failed attempts, which indicated I was connected, but I could not actually mount the server by typing either the IP or server name in the GO>Connect to Server>. My consulted then advised that I would need to change the domain of my home network to 192.168.x.yyy, where x is anything but 1. This is reasonably easy to achieve, but does not really resolve the problem, because my intent was to connect while traveling where I have no control over the domain. I hope I am communicating this correctly. It does not appear to be easy to change the domain of the Netopia, even if I was bold enough to suggest messing around with it to the others at my firm. There are three of us who would like to be able to connect remotely from time to time. Are we out of luck to do it through the built in VPN option, and/or what other options are available. Thank you.
To complete my previous post:
I don't use a fixed ip, but have a dyndns account pointing to our router.
(1) In the server admin part where you put the VPN-settings:
- i use the upper range of my ip-addresses to be distributed to my VPN clients. The same subnet but starting at 192.x.x.133 (i know my biggest number in my lan is 192.x.x.45)
- authentication: ms-chap + shared key
(2) In the network preferences of your client computer: add a vpn-interface using the right connection parameters.
(3) Start testing your configuration inside your lan, and see if you get a vpn-connection. If that works, the problem probably is a port that your router doesn't open (or your forget to set it open in the interface)
Message was edited by: stefaang
Similar Messages
-
10.9.3 update stops VPN access to Server on Mac Mini
Having finally had the L2TP VPN issues solved after joining the 10.9.1 beta program for Mavericks and getting VPN access to our Mac Mini Server running again, the 10.9.3 update has broken it once more. It's been working since 10.9.1 and through both 10.9.2 and the 10.9.3 beta program, but after installing the final 10.9.3 update (without changing any settings on the Server App) last night it broke (immediatley after using the VPN to cheekily watch iPlayer abroad, so it was certainly working!) - now comes up with 'Authentication Failed'.
This happens on iOS devices as well, and all have authentication details stored (though naturally I have since tried recreating VPN configurations from scratch) so doesn't appear to be client end.Same here, although the issue is slightly different.
Updated Mac Mini with server.app to 10.9.3, L2TP VPN still works my mac running 10.9.3, connects as normal.
However other clients (windows and android) would encounter error when trying to establish connection to server.
Windows client would fail wirh Error 789, previous to the update it was working.
May 18 18:58:13 mms.private racoon[413]: IPSec Phase 1 started (Initiated by peer).
May 18 18:58:13 mms.private racoon[413]: invalid DH group 20.
May 18 18:58:13 mms.private racoon[413]: invalid DH group 19.
May 18 18:58:13 mms.private racoon[413]: IKE Packet: receive success. (Responder, Main-Mode message 1).
May 18 18:58:13 mms.private racoon[413]: >>>>> phase change status = Phase 1 started by us
May 18 18:58:13 mms.private racoon[413]: IKE Packet: transmit success. (Responder, Main-Mode message 2).
May 18 18:58:13 mms.private racoon[413]: IKE Packet: receive success. (Responder, Main-Mode message 3).
May 18 18:58:13 mms.private racoon[413]: IKE Packet: transmit success. (Responder, Main-Mode message 4).
May 18 18:58:13 mms.private racoon[413]: IKEv1 Phase 1 AUTH: success. (Responder, Main-Mode Message 5).
May 18 18:58:13 mms.private racoon[413]: IKE Packet: receive success. (Responder, Main-Mode message 5).
May 18 18:58:13 mms.private racoon[413]: IKEv1 Phase 1 Responder: success. (Responder, Main-Mode).
May 18 18:58:13 mms.private racoon[413]: IKE Packet: transmit success. (Responder, Main-Mode message 6).
May 18 18:58:13 mms.private racoon[413]: IPSec Phase 1 established (Initiated by peer).
May 18 18:58:14 mms.private racoon[413]: IKEv1 Phase 2 Initiator: dropped. (Can't continue Phase 2 without valid Phase 1).
May 18 18:58:14 mms.private racoon[413]: can't start the quick mode, invalid linked ISAKMP-SA
May 18 18:58:16 mms.private racoon[413]: IKEv1 Phase 2 Initiator: dropped. (Can't continue Phase 2 without valid Phase 1).
May 18 18:58:16 mms.private racoon[413]: can't start the quick mode, invalid linked ISAKMP-SA
May 18 18:58:18 mms.private racoon[413]: IKEv1 Phase 2 Initiator: dropped. (Can't continue Phase 2 without valid Phase 1).
May 18 18:58:18 mms.private racoon[413]: can't start the quick mode, invalid linked ISAKMP-SA
May 18 18:58:21 mms.private racoon[413]: IKE Packet: transmit success. (Information message).
May 18 18:58:21 mms.private racoon[413]: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).
May 18 18:58:23 mms.private racoon[413]: IKEv1 Phase 2 Initiator: dropped. (Can't continue Phase 2 without valid Phase 1).
May 18 18:58:23 mms.private racoon[413]: can't start the quick mode, invalid linked ISAKMP-SA
May 18 18:58:31 mms.private racoon[413]: IKEv1 Phase 2 Initiator: dropped. (Can't continue Phase 2 without valid Phase 1).
May 18 18:58:31 mms.private racoon[413]: can't start the quick mode, invalid linked ISAKMP-SA
May 18 18:58:47 mms.private racoon[413]: IKEv1 Phase 2 Initiator: dropped. (Can't continue Phase 2 without valid Phase 1).
May 18 18:58:47 mms.private racoon[413]: can't start the quick mode, invalid linked ISAKMP-SA
May 18 18:59:04 mms.private racoon[413]: IKEv1 Phase 2 Initiator: dropped. (Can't continue Phase 2 without valid Phase 1).
May 18 18:59:04 mms.private racoon[413]: can't start the quick mode, invalid linked ISAKMP-SA
May 18 18:59:18 mms.private racoon[413]: IKE Packet: receive success. (Information message). -
Questions regarding Outlook Web App, Remote Desktop, Remote Web Access and VPN Access
Hi there,
I want to ask a series of questions regarding Outlook Web App, Remote Desktop, Remote Web Access and VPN access and was hoping whether you could help me. Below are my questions to ask you.
Outlook Web App - What do I need to configure in order to get my Exchange account to work with the OWA app on my iPhone? Is Office 360 required on the server that hosts Outlook Web App in our organisation? When I configure the settings and
connect I get the following message "couldn't connect - We couldn't connect to the server. Check your information and make sure it's correct." I can connect with other devices using Outlook Web App.
Remote Desktop - What do I need to configure in order to connect to my computer at work using Remote Desktop on my Windows Phone? When I configure the settings and connect I get the following message "Connection error - We couldn't connect
to the remote PC. Make sure the PC is turned on and connected to the network, and that remote access is enabled. Inquiring minds may find this error code helpful: 0x204" I can connect with other devices using Remote Desktop. There are currently no
RD Server settings in the Remote Desktop app on the Windows Phone and the only way I'm to connect to my PC at work is via Remote Desktop and not to be confused with the one by Microsoft, however the app is on a trial basis and times out every 5 minutes and
can only be used once every hour unless I purchased the app for £2.99 off the App Store but would ideally like to use the Microsoft Remote Desktop app though.
Remote Web Access - What do I need to configure in order to get Remote Web Access on my Windows Phone using a URL? When I log in using a URL I get the following message "There is a problem with this Web page. Please contact the person who manages
the server" I can connect with other devices using Remote Web Access. Also how do you enable the background option for Remote Web Access? I know how to do this in Remote Desktop but not in Remote Web Access. Remote Web Access works on PCs regardless
being onsite and offsite and on my iPhone, the same issue also occurs with my Nokia 5230s regardless of whether I'm using Opera Mobile or Mini or the latest Nokia Browser.
VPN access - How do you configure VPN access on a Windows Phone using VPN? I cannot find the protocols PPTP, L2TP, SSTP and IPsec in order to configure VPN access on the Windows Phone apart from IKEv2.
Many thanks,
RocknRollTimAny help would be much appreciated.
Kind regards,
RocknRollTim -
Anywhere Access VPN problem on Server 2012 R2
I am having trouble with Anywhere Access VPN on Server Essentials on 2012 R2.
If I use a browser from the outside world and enter my external IP address I get a login to the server.
If I use a browser from the outside world and enter the remoteaccess site I get a login to the server.
If I try to connect through the VPN from the outside world I get a login request which I complete successfully I then get:
"Error Connecting to myserver.remotewebaccess.com Error 720 a connection to the remote computer could not be established you might need to change the network settings for this connection"
Locally I go to the Essentials console and try to configure Anywhere Access.
When I open the settings window for Anywhere Access I get the message that it is updating then I get the message "Issues detected. Click repair to attempt resolving the issues" I click on "Repair", after a warning window about
availability the Repair Anywhere Access Window opens and says Setting up Remote Desktop. The green bar scrolls but it never completes. (tried for hours)
I have tried rebooting and repeating the repair, but I get the same results.
The router is a 3801HGV that does not support uPnP. I have forwarded ports 443, and 80 to the server.Hi,
Would you please let me know if refer to the suggestion that IKFI provided and solve this issue?
Based on your description, please let me know the client OS that you use firstly. Meanwhile, please refer to
the following KB, and then check if can solve this issue.
Error 720: No PPP Control Protocols Configured
http://support.microsoft.com/kb/314869/en-us
In addition, would you please let me know if have a DHCP Server in your local network? If not, you have to
add a static address pool. Meanwhile, please refer to the following article and check if miss something when you install VPN.
How to Install VPN on Windows Server 2012
http://www.thomasmaurer.ch/2012/07/how-to-install-vpn-on-windows-server-2012/
There is a similar question that you can also refer to.
A fix for Error 720: A Connection to the remote computer could not be established when trying to connect to
a Windows 7 VPN
http://www.paulkiddie.com/2011/06/a-fix-for-error-720-a-connection-to-the-remote-computer-could-not-be-established-when-trying-to-connect-to-a-windows-7-vpn/
Hope this helps.
Best regards,
Justin Gu -
Can connect via VPN, but can't access AFP server on same Xserve
Hi:
I've set up our XServe with MacOS X Server 10.5.2 to do AFP and VPN (L2TP only; PPTP is disabled). The XServe is a standalone server, not connected to any other direstory server.
I can connect to the XServe's AFP server from my Mac over our wired and wireless network. The AFP server shows up in the sidebar of Finder windows. So far, so good.
I am able to successfully connect to our network via the VPN with Mac OS X 10.5.2 client (on two different machines) using L2TP through our network's firewall (on a Netopia T1 router; UDF ports 500 and 4500 and IP Protocol 50 and 51 are open) using a shared secret.
But I cannot connect to the XServe itself to use Server Admin or AFP (using afp://server.company.com or afp://xxx.xxx.xxx.xxx via the Go > Connect to Server command).
The error I get while connecting to the 10.5.2 AFP server is Some data in apf://server.mycompany.com could not be read or written (Error Code -36 ). I saw this error associated with a SMB problem in 10.4.x, but SMB is not running.
Other iChat users in my office also do not automatically show up in the Bonjour list when I connect to the network. Other computers on our network do not appear in the sidebar of a Finder window. (I'm told these are to be expected, as Bonjour isn't supported (in the "local area Bonjour" over a WAN link - it's purely a multicast feature on the network in the office, and won't be routed across the VPN link. True?)
Now, here's the odd part. There is a second server (v10.4.11) on our network running AFP. I can connect to it (using afp://server.company.com via the Go > Connect to Server command) and mount its various sharepoints via the VPN.
The only thing I see in the VPN log that seems amiss is this (but I have no idea what it means):
Tue Mar 11 23:09:27 2008 : Unsupported protocol 0x8057 received
--Both the 10.5.2 and the 10.4.11 servers have DNS properly configured (though our ISP; we're not running our own DNS).
--Both servers and the client have public IP addresses and have the same subnet mask. Network Utility confirms this while connected to the VPN.
--NAT is not running. The ISP is responding with public IPs for the servers.
--The firewall for the 10.5.2 server is not running (but will be once I get this all working).
--The IP address range for the VPN server doesn't overlap our DHCP pool (which also currently uses public IP addresses).
--Any user can access any service.
--No network routing definitions have been set up.
--In essence, I've followed the steps on Pages 141-142 of the Network Services Admin Guide.
One other note: After I connect, the Network Preferences > VPN > Advanced > TCP/IP window shows the IP address for the client just fine (assigned from the VPN pool), but lists the router as having the IP address of the XServe (rather than the router on the network). Is that normal?
I'm hoping I don't need to have the XServe run DNS as an internal LAN DNS server.... And I'm not sure why I would have to if I can already successfully connect to the 10.4.11 AFP server .
What simple step am I missing?
TIA,
mm"I am able to successfully connect to our network via the VPN with Mac OS X 10.5.2 client (on two different machines) using L2TP through our network's firewall (on a Netopia T1 router; UDF ports 500 and 4500 and IP Protocol 50 and 51 are open) using a shared secret."
I suspect you mean UDP ports and you might need UDP port 1701 open too.
You only need IP protocol 50 (ESP), protocol 51 (AH) isn't used. And ESP is only used when client and server isn't behind NAT (when NAT is used only the UDP ports are used).
"Unsupported protocol 0x8057 received"
This is usually seen when you can't get GRE through but since you don't use PPTP I can't be sure why this is registered in the logs. Sometimes when connecting using PPTP you have to disconnect and then reconnect for everything to work - you might try this for L2TP too.
But if you already can reach services on any LAN nodes through the VPN I wouldn't bother with it.
As you have a firewall in front of the server you need a second alias IP on the server that you can use to get at the services running on the server through the VPN. The firewall blocks all ports protocols not opened - that's why you can't use the server main IP even if the VPN is up.
The netmask is used by all nodes to determine how big your subnet is: what part of the IP number is the network number and what range the node number is in => really: should traffic be directed to a node on the same LAN or sent directly to the gw/router for forwarding.
What you can't do is connect from a NATed network to another NATed network that both are using the same network number. (That's why people should stay away from using the "default" 192.168.0.0/24 and 192.168.1.0/24 networks for VPN server LANs).
Try your settings at http://www.jodies.de/ipcalc to see what I mean.
"...lists the router as having the IP address of the XServe (rather than the router on the network). Is that normal?"
Yes. The VPN server is the VPN gw/router.
"The firewall for the 10.5.2 server is not running (but will be once I get this all working)."
If you already have a firewall in front of your servers that is a bit redundant.
"--No network routing definitions have been set up."
"I'm hoping I don't need to have the XServe run DNS as an internal LAN DNS server"
You need routing definitions if you want to setup a split tunnel VPN or all traffic is routed through the VPN when connected. The VPN becomes the default gw.
Without ipforwarding ON in the server you can only reach nodes on the server LAN - not Internet.
DNS is needed for your servers forward and reverse names/IPs for advanced services but doesn't need to run in any of your own servers.
If you decide to do a split tunnel VPN config (adding public and private routing definitions) a reachable DNS IP for VPN clients (in VPN config on server) is needed for VPN clients or they can't use names to find anything. To reach this DNS IP if public/not on your server LAN, you need your server to forward IP DNS lookups and have a routing definition for it.
A split tunnel VPN only send traffic for your server LAN through the VPN and all other traffic directly to the local gw/router (Internet). -
VPN doesn't allow access to server
We used to keep two different addresses for the server and our IT folks wanted to consolidate them. There was no reason that the server and the vpn server addresses should be separate. However now if I have VPN connection I cannot connect to the server.
My DNS has reverse lookup set correctly (AFAICT)
% host vpnserver.TLD
vpnserver.TLD is an alias for opsxserve.TLD.
opsxserve.magnet.fsu.edu has address NNN.NNN.NNN.60
% host NNN.NNN.NNN.60
60.NNN.NNN.NNN.in-addr.arpa domain name pointer opsxserve.TLD.
% host opsxserve.TLD
opsxserve.TLD has address NNN.NNN.NNN.60
But when using VPN I cannot connect to the opsxserve.TLD for calendar, mail, admin, etc. This only happens when I am outside the firewall. When inside and use VPN it all works, I have set the option to send all data over VPN.Let me try to clarify things. The server is back to the two IP configuration.
Server has 2 IP addresses and 2 dns entries one for services and one only for VPN, those would be
vpnserver @ IP 59
opsxserve @ IP 60 (where I deleted the top level domain and the first 3 sections of the ip address)
then when using VPN I have access to calendar, ldap mail, VNC, and server admin on the server.
But if use the following DNS set up to reduce IP address usage there is a problem
vpnserver alias to opsxserve
opsxserve @ IP 60
Then when using VPN from outside the firewall I cannot access iCal server, server admin etc. The server does not have its firewall turned on. All the VPN addresses assigned are on the same subnet as the server.
All the services have always run on the same box which is an early intel XServe. -
I'm trying to connect to my work's VPN. I am connected to the VPN, but I cannot access the server. I keep getting a message that says the server may not exist or is unavailable. I know that’s not the case because my coworkers are connected. Can someone please help me?
I have the same problem. It is only with tv shows and only with programs I have downloaded after the software update.
Apple support sent me the above link too....but it doesn't solve the problem...my computer is authorized and the content is in my library and will play on my Mac air, but it will not sync the tv shows, it keeps saying my computer isn't authorized for it.
No answers here, but you are definitely not alone with this issue. -
OSX Server + Billion 5200G RC VPN Access
Hello,
We are a small design studio looking at setting up a VPN to access local files whilst on the road. I believe I have all the configuration setup correctly in Mac OSX server but I am a little out of my element when know which ports to forward on the router and if it is even setup to accept VPN connections.
If anyone has experience setting up VPN access wtih the Billion 5200G RC Router I would be indebted to you.
Thanks
Michael
(designer @ false behaving animals)i ran through those processes , and for the last one got file not found
/System/Library/LaunchDaemons/com.apple.pfctl: file does not exist or is not readable or is not a regular file
is there a way to verify that the adaptive firewall is running?
thanks -
Tiger Server firewall issues - forwarding protocol 47 (GRE) for VPN access
Hi everybody,
I'm trying to allow VPN access to my Mac Pro running 10.4.10 Server. I've allowed the TCP and UDP ports, but the sticking point is this: the client tries to connect but I get a bunch of these in the firewall log:
Deny P:47 xxx.xxx.xxx.xxx(address initiating VPN) 10.0.100.222(MacPro local address) in via en0
After doing some research I figured I needed to allow protocol 47 (GRE) and so tried to add a rule via the "Advanced" tab for firewalls in server manager. I click the + button, select allow, leave the other field, select GRE, and then select from:any and to:any and the in dropdown. When I try to save and activate the rule, however, it complains that there is an error and that all subsequent rules are skipped. I've tried all the possible variations (within my parameters, of course) but it won't work.
Manually inspecting the /etc/ipfw file shows the rule added but without a specification for the GRE or protocol 47 part. i.e.:
add 1050 allow from any to any in
(This looks a little like a server manager bug to me, but I digress)
So I tried manually editing the file in /etc/ipfilter but no joy.
Being somewhat new to OSX I am getting flustered. Am I completely misunderstanding something here? While a search on "VPN GRE firewall" turns up about million hits, none seem applicable to my situation. Thanks in advance.Try using the "Services" tab, selecting "any" (for example) and configuring the rule there.
The "Advanced" section will allow you to add rules that don't already exist, but there is already a rule for GRE so that might, possibly have something to do with the error you're getting. -
VPN Access on 10.4 Server
Hi All,
I'm hoping someone can help me?
I'm trying to setup VPN on OSX Server 10.4, I have enabled the service and specified the IP range to use etc. I have a static IP on the router which is supplied by O2 UK, however when I try and connect from outside the office it says it cannot find a service on the address specified. I can connect to the static IP with a login box though, so that's definitely working.
Do I need to set somewhere on the Server the static IP?
Can anybody help? Would be much appreciated.
Thanks,
Graeme.setup sftp instead
-
VPN Access to an IP that can be accessed via EIGRP
I have a question. I have a VPN that sits on the external interface using the IP of 10.5.79.X/20. I have a production network connected to a corporate network using MPLS and EIGRP to share the routes. The production network can access the corporate network, but the the VPN users can't. I need to be able to access anything on that network which is mainly a 172.18.0.0 summarized by EIGRP network. I had this working before, but can't get it working again about my Firewall dumped on me.
ASA Version 8.4(2)
hostname hp-asa-5510-DR
enable password 1qF1n5PuI7A.2DV. encrypted
passwd 1qF1n5PuI7A.2DV. encrypted
names
dns-guard
interface Ethernet0/0
speed 100
duplex full
nameif external
security-level 0
ip address *142.189.26 255.255.255.252
interface Ethernet0/1
nameif internal
security-level 100
ip address 10.5.64.6 255.255.240.0
interface Ethernet0/1.1
vlan 2
nameif Guest
security-level 90
ip address 192.168.3.1 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
boot system disk0:/asa842-k8.bin
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup external
dns domain-lookup internal
dns server-group DefaultDNS
name-server 208.67.222.222
dns server-group Guest
name-server 10.5.64.197
name-server 8.8.8.8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-10.5.65.239
host 10.5.65.239
object network obj-10.5.65.253
host 10.5.65.253
object network obj-10.5.65.42
host 10.5.65.42
object network obj-10.5.65.219
host 10.5.65.219
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Cegedim
subnet 10.5.250.0 255.255.255.248
description dendrite site to site VPN
object network dfb
subnet 10.5.0.0 255.255.0.0
object network lausanne
subnet 192.168.250.0 255.255.255.0
description Lausanne
object network dfbgroup
subnet 10.5.0.0 255.255.0.0
object network DPT
subnet 10.5.16.0 255.255.240.0
object network hpbexch
host 10.5.64.198
object network hpbmsvpn
host 10.5.64.196
object network kacehost
host 10.5.65.189
object network hpbsentry
host 10.5.64.194
object network hpbMDM
host 10.5.64.195
object network hperoom
host 10.5.65.211
description healthpoint eroom server
object network spintranet
host 10.5.65.185
description sharepoint intranet
object network spsales
host 10.5.65.194
description sharepoint sales
object network spteams
host 10.5.65.183
description sharepoint teams
object network Guest
subnet 192.168.3.0 255.255.255.0
object network Crystal
host 10.5.65.203
object network ERPLN
host 10.5.65.234
object network ERPLNDB
host 10.5.65.237
object service dpt
service tcp source range 1 65000 destination range 1 65000
description dpt ports
object network Documentum
host 10.5.17.216
object network DPTDocumentum
host 10.5.17.216
description Documentum
object network EzDocs
host 10.5.17.235
description EzDocs
object network Aerosol
subnet 10.5.32.0 255.255.240.0
object network Brooks
subnet 10.5.128.0 255.255.240.0
object network DPTScience
subnet 10.5.48.0 255.255.240.0
object network LakeWood
subnet 10.5.80.0 255.255.240.0
object network Plant
subnet 10.5.0.0 255.255.240.0
object network warehouse
subnet 10.5.240.0 255.255.240.0
object network NotesApps
host 10.5.65.235
object network DPTNotes
host 10.5.17.246
object network DNSServer
host 10.5.64.197
object network GuestNetwork
subnet 192.168.3.0 255.255.255.0
object network KACE
host 10.5.65.189
object network mdm2
host 10.5.64.195
object network guesterooms
host 10.5.65.211
object network DNSServer2
host 10.5.64.199
object network asa_LAN
host 10.5.64.6
object network guestspsales
host 10.5.65.194
object network JohnsonControlServer
host 10.5.65.33
description JC Server
object network guestexchange
host 10.5.64.198
description Guest Exchange
object network guestmobile2
host 10.5.64.194
object network DPTDocB
host 10.5.17.215
object-group service EDI tcp
port-object eq 50080
port-object eq 6080
port-object eq www
object-group service Exchange tcp
port-object eq 587
port-object eq www
port-object eq https
port-object eq smtp
object-group service Lotus-Sametime tcp
port-object eq 1503
port-object eq 1516
port-object eq 1533
port-object eq 8081
port-object range 8082 8084
port-object range 9092 9094
port-object eq www
port-object eq https
port-object eq lotusnotes
port-object eq rtsp
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service VPN-MS tcp-udp
port-object eq 1701
port-object eq 1723
port-object eq 4500
port-object eq 500
object-group network Verizon-Servers
network-object 216.82.240.0 255.255.240.0
network-object 85.158.136.0 255.255.248.0
network-object 193.109.254.0 255.255.254.0
network-object 194.106.220.0 255.255.254.0
network-object 195.245.230.0 255.255.254.0
network-object 62.231.131.0 255.255.255.0
network-object 64.124.170.128 255.255.255.240
network-object 212.125.74.44 255.255.255.255
network-object 195.216.16.211 255.255.255.255
object-group network FDA_SecureEmail
network-object host 150.148.2.65
network-object host 150.148.2.66
object-group network Web-Server-Stuff
network-object host 204.71.89.34
network-object host 204.71.89.35
network-object host 204.71.89.33
network-object host 66.240.207.149
network-object host 68.168.88.169
network-object host 50.112.164.102
object-group service DFB-eRoom tcp
port-object eq www
port-object eq https
object-group network EDI-Customers
network-object host 129.33.204.13
network-object host 143.112.144.25
network-object host 160.109.101.195
network-object host 198.89.160.113
network-object host 199.230.128.125
network-object host 199.230.128.85
network-object host 205.233.244.208
network-object host 198.89.170.134
network-object host 198.89.170.135
network-object host 199.230.128.54
object-group service MDM tcp
description MobileIron ports
port-object eq 9997
port-object eq 9998
port-object eq https
object-group network OpenDNS
description OpenDNS Servers
network-object host 208.67.220.220
network-object host 208.67.222.222
network-object host 8.8.8.8
network-object host 68.113.206.10
object-group network healthpoint
network-object 10.5.64.0 255.255.240.0
object-group network vpnpool
network-object 10.5.79.0 255.255.255.0
object-group network dfb_group
network-object object dfbgroup
object-group network lausanne_group
network-object 192.168.250.0 255.255.255.0
object-group network DPTNetwork
network-object object DPT
network-object object Aerosol
network-object object Brooks
network-object object LakeWood
network-object object Plant
object-group network DM_INLINE_NETWORK_1
network-object object Cegedim
network-object object lausanne
group-object DPTNetwork
network-object object DPTNotes
object-group service DFB-Allow tcp
port-object eq 1025
port-object eq 1119
port-object eq 1120
port-object range 1222 1225
port-object eq 1433
port-object eq 1503
port-object eq 1516
port-object eq 1533
port-object range 16384 16403
port-object eq 1755
port-object eq 1919
port-object eq 1935
port-object range 2195 2196
port-object eq 3050
port-object eq 3080
port-object eq 3101
port-object eq 3244
port-object eq 3264
port-object eq 3306
port-object eq 3389
port-object eq 3724
port-object eq 4000
port-object eq 402
port-object range 4080 4081
port-object eq 4085
port-object eq 50080
port-object eq 5085
port-object range 5220 5223
port-object eq 5297
port-object eq 5298
port-object eq 5353
port-object eq 5550
port-object eq 5678
port-object eq 58570
port-object eq 5900
port-object eq 6080
port-object eq 6112
port-object eq 6114
port-object eq 6900
port-object eq 7800
port-object eq 8010
port-object eq 8080
port-object eq 8084
port-object eq 81
port-object eq 9081
port-object eq 9090
port-object eq 9997
port-object eq aol
port-object eq citrix-ica
port-object eq echo
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
port-object eq lotusnotes
port-object eq rtsp
port-object eq sip
port-object eq sqlnet
port-object eq ssh
port-object eq 442
object-group network webservers
network-object host 204.71.89.34
network-object host 204.71.89.35
object-group network DM_INLINE_NETWORK_2
network-object object KACE
network-object object guesterooms
network-object object guestspsales
network-object object JohnsonControlServer
network-object object mdm2
object-group network DM_INLINE_NETWORK_3
network-object host 10.5.65.230
network-object host 10.5.65.232
network-object object hpbexch
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group service kace tcp
port-object eq 52230
port-object eq www
port-object eq https
port-object eq 445
port-object eq netbios-ssn
object-group service DM_INLINE_TCP_0 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp destination eq www
service-object tcp destination eq https
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
object-group network VLAN_Switches
network-object host 192.168.10.10
network-object host 192.168.10.11
network-object host 192.168.10.12
network-object host 192.168.10.13
network-object host 192.168.10.14
network-object host 192.168.10.15
network-object host 192.168.10.16
network-object host 192.168.10.17
network-object host 192.168.10.1
object-group network Crystal_ERP
description Crystal Enterprise and Infor LN
network-object object Crystal
network-object object ERPLN
network-object object ERPLNDB
network-object object NotesApps
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object tcp destination eq www
service-object tcp destination eq https
object-group network GuestDNS
description DNS Servers for Guest
network-object object DNSServer
network-object object DNSServer2
object-group service DM_INLINE_TCP_3 tcp
port-object eq 3389
port-object eq 3390
object-group network DM_INLINE_NETWORK_4
group-object healthpoint
group-object vpnpool
access-list external_access_out extended permit object-group DM_INLINE_SERVICE_1 192.168.3.0 255.255.255.0 any
access-list external_access_out remark Production ACL
access-list external_access_out extended permit tcp any any object-group DFB-Allow
access-list external_access_out extended permit icmp any any
access-list external_access_out extended permit tcp any object-group Web-Server-Stuff
access-list external_access_out remark Site to Site connections
access-list external_access_out extended permit ip any object-group DM_INLINE_NETWORK_1
access-list external_access_out extended permit udp any object-group OpenDNS eq domain
access-list external_access_out extended permit ip object-group DM_INLINE_NETWORK_3 any
access-list split standard permit 10.5.64.0 255.255.240.0
access-list split standard permit 10.5.250.0 255.255.255.248
access-list split standard permit 10.5.128.0 255.255.240.0
access-list split standard permit 10.5.144.0 255.255.240.0
access-list split standard permit 10.5.16.0 255.255.240.0
access-list split standard permit 10.5.32.0 255.255.240.0
access-list split standard permit 10.5.96.0 255.255.240.0
access-list split standard permit 10.5.80.0 255.255.240.0
access-list split standard permit 10.5.48.0 255.255.240.0
access-list split standard permit 10.5.0.0 255.255.240.0
access-list split remark lausanne
access-list split standard permit 192.168.250.0 255.255.255.0
access-list split standard permit 172.18.0.0 255.255.0.0
access-list split remark HP
access-list external_access_in extended permit object-group DM_INLINE_SERVICE_2 any 192.168.3.0 255.255.255.0
access-list external_access_in remark Sharepoint
access-list external_access_in extended permit tcp any object spsales object-group DM_INLINE_TCP_2
access-list external_access_in remark Sharepoint
access-list external_access_in extended permit tcp any object spteams object-group DM_INLINE_TCP_1
access-list external_access_in remark Sharepoint
access-list external_access_in extended permit tcp any object spintranet object-group DM_INLINE_TCP_0
access-list external_access_in remark healthpoint erooms
access-list external_access_in extended permit tcp any object hperoom object-group DFB-eRoom
access-list external_access_in remark MDM2 VSP
access-list external_access_in extended permit tcp any object hpbMDM object-group MDM
access-list external_access_in remark New Sentry
access-list external_access_in extended permit tcp any object hpbsentry eq https
access-list external_access_in remark kace mgmt appliacne
access-list external_access_in extended permit tcp any object kacehost object-group kace
access-list external_access_in remark authentication server
access-list external_access_in extended permit object-group TCPUDP any object hpbmsvpn object-group VPN-MS
access-list external_access_in extended permit gre any object hpbmsvpn
access-list external_access_in remark HPB.NET new forest Exchange
access-list external_access_in extended permit tcp any object hpbexch object-group Exchange
access-list external_access_in remark EDI Inbound
access-list external_access_in extended permit tcp any host 10.5.65.42 object-group EDI
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list external_cryptomap extended permit ip object-group healthpoint object Cegedim
access-list external_cryptomap_1 extended permit ip object-group dfb_group object-group lausanne_group
access-list external_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_4 object-group DPTNetwork
access-list Guest_access_in extended deny tcp 192.168.3.0 255.255.255.0 object-group GuestDNS object-group DM_INLINE_TCP_3 inactive
access-list Guest_access_in extended permit ip 192.168.3.0 255.255.255.0 object-group GuestDNS inactive
access-list Guest_access_in extended permit ip 192.168.3.0 255.255.255.0 object-group DM_INLINE_NETWORK_2
access-list Guest_access_in extended deny ip 192.168.3.0 255.255.255.0 10.5.64.0 255.255.240.0
access-list Guest_access_in extended permit ip 192.168.3.0 255.255.255.0 any
access-list Guest_access_out extended permit ip any any inactive
access-list Guest_access_out extended permit ip any 192.168.3.0 255.255.255.0
no pager
logging enable
logging buffer-size 1045786
logging asdm informational
mtu external 1500
mtu internal 1500
mtu Guest 1500
mtu management 1500
ip local pool HPVPNClients 10.5.79.0-10.5.79.254 mask 255.255.255.0
ip verify reverse-path interface external
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any external
icmp permit any internal
asdm image disk0:/asdm-645.bin
no asdm history enable
arp external *142.189.93 0024.c4c0.4cc0
arp timeout 14400
nat (internal,external) source static dfb dfb destination static vpnpool vpnpool route-lookup
nat (internal,external) source static dfb dfb destination static lausanne lausanne
nat (internal,external) source static healthpoint healthpoint destination static Cegedim Cegedim
nat (external,internal) source static DPTNetwork DPTNetwork destination static Crystal_ERP Crystal_ERP no-proxy-arp
nat (internal,external) source static healthpoint healthpoint destination static DPTDocumentum DPTDocumentum unidirectional
nat (internal,external) source static healthpoint healthpoint destination static DPTDocB DPTDocB unidirectional
nat (internal,external) source static healthpoint healthpoint destination static EzDocs EzDocs unidirectional
nat (internal,external) source static healthpoint healthpoint destination static DPTNotes DPTNotes unidirectional
object network obj-10.5.65.239
nat (internal,external) static *142.189.82
object network obj-10.5.65.253
nat (internal,external) static *142.189.83
object network obj-10.5.65.42
nat (internal,external) static *142.189.84
object network obj-10.5.65.219
nat (internal,external) static *142.189.87
object network obj_any
nat (internal,external) dynamic interface dns
object network hpbexch
nat (internal,external) static *142.189.91
object network hpbmsvpn
nat (internal,external) static *142.189.82
object network kacehost
nat (internal,external) static *142.189.90
object network hpbsentry
nat (internal,external) static *142.189.92
object network hpbMDM
nat (internal,external) static *142.189.93
object network hperoom
nat (internal,external) static *142.189.88
object network spintranet
nat (internal,external) static *142.189.85
object network spsales
nat (internal,external) static *142.189.89
object network spteams
nat (internal,external) static *142.189.94
object network GuestNetwork
nat (Guest,external) dynamic interface
access-group external_access_in in interface external
access-group external_access_out out interface external
access-group Guest_access_in in interface Guest
access-group Guest_access_out out interface Guest
route external 0.0.0.0 0.0.0.0 *142.189.25 1
route external 10.5.16.0 255.255.240.0 *142.189.25 1
route external 10.5.32.0 255.255.240.0 *142.189.25 1
route external 10.5.80.0 255.255.240.0 *142.189.25 1
route external 10.5.128.0 255.255.240.0 *142.189.25 1
route external 10.5.240.0 255.255.240.0 *142.189.25 1
route external 10.5.250.0 255.255.255.248 *142.189.25 1
route internal 172.18.0.0 255.255.255.255 10.5.64.1 1
route external 192.168.250.0 255.255.255.0 *142.189.25 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server VPN-RADAuth protocol radius
aaa-server VPN-RADAuth (internal) host 10.5.65.253
key *****
radius-common-pw *****
aaa-server VPN-RADAuth (internal) host 10.5.65.240
key *****
aaa-server VPN-RADAuthHPB protocol radius
aaa-server VPN-RADAuthHPB (internal) host 10.5.64.196
key *****
radius-common-pw *****
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.5.0.0 255.255.0.0 internal
http 0.0.0.0 0.0.0.0 external
http 0.0.0.0 0.0.0.0 internal
snmp-server host internal 10.5.65.210 community ***** version 2c
snmp-server location Healthpoint.Vickery
snmp-server contact Jonathan Henry
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map external_map 1 match address external_cryptomap
crypto map external_map 1 set peer 64.126.222.190
crypto map external_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map external_map 2 match address external_cryptomap_1
crypto map external_map 2 set pfs
crypto map external_map 2 set peer 109.164.216.164
crypto map external_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map external_map 3 match address external_cryptomap_2
crypto map external_map 3 set peer 12.197.232.98
crypto map external_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map external_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map external_map interface external
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca trustpoint ASDM_TrustPoint0
keypair ASDM_TrustPoint0
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130
0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117
30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504
0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56
65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043
65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
30303230 38303030 3030305a 170d3230 30323037 32333539 35395a30 81b5310b
30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
496e632e 311f301d 06035504 0b131656 65726953 69676e20 54727573 74204e65
74776f72 6b313b30 39060355 040b1332 5465726d 73206f66 20757365 20617420
68747470 733a2f2f 7777772e 76657269 7369676e 2e636f6d 2f727061 20286329
3130312f 302d0603 55040313 26566572 69536967 6e20436c 61737320 33205365
63757265 20536572 76657220 4341202d 20473330 82012230 0d06092a 864886f7
0d010101 05000382 010f0030 82010a02 82010100 b187841f c20c45f5 bcab2597
a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10
9c688b2e 957b899b 13cae234 34c1f35b f3497b62 83488174 d188786c 0253f9bc
7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b
15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845
63cd1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8
18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced
4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f
81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 02030100 01a38201 df308201
db303406 082b0601 05050701 01042830 26302406 082b0601 05050730 01861868
7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1d130101
ff040830 060101ff 02010030 70060355 1d200469 30673065 060b6086 480186f8
45010717 03305630 2806082b 06010505 07020116 1c687474 70733a2f 2f777777
2e766572 69736967 6e2e636f 6d2f6370 73302a06 082b0601 05050702 02301e1a
1c687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406
03551d1f 042d302b 3029a027 a0258623 68747470 3a2f2f63 726c2e76 65726973
69676e2e 636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403
02010630 6d06082b 06010505 07010c04 61305fa1 5da05b30 59305730 55160969
6d616765 2f676966 3021301f 30070605 2b0e0302 1a04148f e5d31a86 ac8d8e6b
c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973
69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30
1b311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301d0603
551d0e04 1604140d 445c1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355
1d230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300d0609
2a864886 f70d0101 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80
4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e
b2227055 d9203340 3307c265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a
6decd018 7d494aca 99c71928 a2bed877 24f78526 866d8705 404167d1 273aeddc
481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16
b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0
5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8
6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
6c2527b9 deb78458 c61f381e a4c4cb66
quit
crypto ca certificate chain ASDM_TrustPoint0
certificate 4b54478c1754b7
30820563 3082044b a0030201 0202074b 54478c17 54b7300d 06092a86 4886f70d
01010505 003081ca 310b3009 06035504 06130255 53311030 0e060355 04081307
4172697a 6f6e6131 13301106 03550407 130a5363 6f747473 64616c65 311a3018
06035504 0a131147 6f446164 64792e63 6f6d2c20 496e632e 31333031 06035504
0b132a68 7474703a 2f2f6365 72746966 69636174 65732e67 6f646164 64792e63
6f6d2f72 65706f73 69746f72 79313030 2e060355 04031327 476f2044 61646479
20536563 75726520 43657274 69666963 6174696f 6e204175 74686f72 69747931
11300f06 03550405 13083037 39363932 3837301e 170d3131 30313036 31393533
33395a17 0d313331 31323932 31343730 315a305b 311a3018 06035504 0a13112a
2e686561 6c746870 6f696e74 2e636f6d 3121301f 06035504 0b131844 6f6d6169
6e20436f 6e74726f 6c205661 6c696461 74656431 1a301806 03550403 13112a2e
6865616c 7468706f 696e742e 636f6d30 82012230 0d06092a 864886f7 0d010101
05000382 010f0030 82010a02 82010100 c6609ef2 c19c47e9 016ce654 d151146e
5d213545 ca896f4e cbb2624c 5ea6d7f0 7f18a82b e441020b 74d6ebd4 b7ef34c9
97b80ce0 6eb1c1cc 3b296909 8a0a2ad7 2473fb60 ff0c9320 ec9b3fe3 82a501c4
3c3855bd e0822ce1 e1d1fb03 4609639f 9359653b 091b6b48 5ce22806 234a55e5
6f80ebba cfb68a22 6cd1e64e 756f22b5 13a6178d 9ffcfbbb 5ca4b773 50089a8b
7e966a23 d4711a49 44c101fc a6b68e26 6a8d57f3 2fed1f6f ce6b0535 498c5c97
bf0577fa 9d9a1e37 4ff3b9f0 913dac74 3f4d26c9 09aac485 ccd5dfb9 7aa226e8
89075829 eff0cf99 b642e679 5a9dfe74 e5899e30 e07b6bbf a92fab33 cb8d7f65
1d974861 8b02d78b bc7908a9 e70b1b59 02030100 01a38201 ba308201 b6300f06
03551d13 0101ff04 05300301 0100301d 0603551d 25041630 1406082b 06010505
07030106 082b0601 05050703 02300e06 03551d0f 0101ff04 04030205 a0303306
03551d1f 042c302a 3028a026 a0248622 68747470 3a2f2f63 726c2e67 6f646164
64792e63 6f6d2f67 6473312d 32382e63 726c304d 0603551d 20044630 44304206
0b608648 0186fd6d 01071701 30333031 06082b06 01050507 02011625 68747470
733a2f2f 63657274 732e676f 64616464 792e636f 6d2f7265 706f7369 746f7279
2f308180 06082b06 01050507 01010474 30723024 06082b06 01050507 30018618
68747470 3a2f2f6f 6373702e 676f6461 6464792e 636f6d2f 304a0608 2b060105
05073002 863e6874 74703a2f 2f636572 74696669 63617465 732e676f 64616464
792e636f 6d2f7265 706f7369 746f7279 2f67645f 696e7465 726d6564 69617465
2e637274 301f0603 551d2304 18301680 14fdac61 32936c45 d6e2ee85 5f9abae7
769968cc e7302d06 03551d11 04263024 82112a2e 6865616c 7468706f 696e742e
636f6d82 0f686561 6c746870 6f696e74 2e636f6d 301d0603 551d0e04 16041475
346fa066 c4b0cb48 a6aaf4d5 d03124fd 1babaf30 0d06092a 864886f7 0d010105
05000382 01010080 81fec403 103ecd08 88f17283 68154d3e 92da6355 58c50ea9
b6d2a2d1 86428614 44b3f27b ae00352d 0339f481 22d2bc3c 1f7a8458 495a337f
f939fa9d 76c9635c ac1f5452 8ec504ae 6c90dfc2 70e3b620 c34aedb3 12f8facd
ce45e918 af358576 b6711324 f5d53b62 77c2bb0d 6ff7a26c 1863c7fe eae6ee42
c1855066 e994db91 af755c47 b257545f ee29c6ab 57104a27 890f7f9c f95898c8
ed30eda7 9e86ebd4 c6007d3b 640e2312 3875410b 79ddff84 11454b83 7126ebbb
ce9c916a d5839e2b 095310e0 51e7e0cd d71c4830 ec1177c8 0407c147 afa2a33a
d058fa1b de4b2771 8af206c6 27e17249 1afbd515 d3f2845d a3699196 a9a7044c
5738a868 e01e59
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev1 enable external
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 2
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 3
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto ikev1 policy 4
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 10.5.0.0 255.255.0.0 internal
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh 10.5.0.0 255.255.0.0 internal
ssh timeout 5
console timeout 0
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.5.65.242 source internal
ssl trust-point ASDM_TrustPoint0 external
webvpn
enable external
enable internal
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-2.5.0217-k9.pkg 1
anyconnect profiles HP_Basic disk0:/HP_Basic.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy HPVPN internal
group-policy HPVPN attributes
banner value You are now connected to Healthpoint, Ltd.
wins-server none
dns-server value 10.5.64.199 10.5.64.197
dhcp-network-scope none
vpn-idle-timeout none
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
ip-comp disable
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain value hpb.net
split-dns none
split-tunnel-all-dns disable
user-authentication-idle-timeout none
address-pools value HPVPNClients
client-firewall none
client-access-rule none
webvpn
anyconnect keep-installer installed
anyconnect ssl compression none
anyconnect profiles value HP_Basic type user
anyconnect ask enable default anyconnect timeout 5
http-comp none
username bcline password Wpo.Polan03mKRJ9 encrypted privilege 15
username jhenry password wX50UveiwuBH7p7v encrypted privilege 15
username ittemp password zpQoWfp93rOS3NU7 encrypted privilege 5
tunnel-group HPVPN type remote-access
tunnel-group HPVPN general-attributes
address-pool HPVPNClients
authentication-server-group VPN-RADAuth
authentication-server-group (external) VPN-RADAuth
default-group-policy HPVPN
password-management password-expire-in-days 3
tunnel-group HPVPN webvpn-attributes
group-alias HPVPN enable
tunnel-group HPVPN ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 64.126.222.190 type ipsec-l2l
tunnel-group 64.126.222.190 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 109.164.216.164 type ipsec-l2l
tunnel-group 109.164.216.164 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 12.197.232.98 type ipsec-l2l
tunnel-group 12.197.232.98 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group HPB type remote-access
tunnel-group HPB general-attributes
address-pool HPVPNClients
authentication-server-group VPN-RADAuthHPB
authentication-server-group (external) VPN-RADAuthHPB
default-group-policy HPVPN
password-management password-expire-in-days 3
tunnel-group HPB webvpn-attributes
group-alias HPB disable
group-alias HPVPN_NEW enable
tunnel-group HPB ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group HPB ppp-attributes
authentication ms-chap-v2
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
no dns-guard
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect dns
service-policy global_policy global
prompt hostname context
service call-home
call-home reporting anonymous
call-home
contact-email-addr
profile CiscoTAC-1
destination address
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f3c293700f62ee55af87105015fe4cd0
: endYou have to options:
1. The router that is internal must have a static route to the ASA to reach the VPN networks and must have a distribute static so that other routers that form part of EIGRP know how to route to the VPN networks.
2. You can configure on the ASA "set reverse-route" on the crypto map then configure EIGRP on the ASA and add redistribute static so that routes learned via VPN (considered static routes) can be pushed through EIGRP. -
Site to site VPN with windows server 2012
I am trying to connect our server to cisco site-to-site IPSec VPN with one of our partners servers, they asked us to implement the settings they gave us into our router, but actually we don't have access to the router, we are just connected directly with
our ISP. alternatively, we were informed that we can use software VPN instead, and yes we found a working one, tested and verified, but we have to pay for it to keep running.
Now my question is, having that we are running windows server 2012 R2, how can we establish this VPN connection directly from windows without the need to use third parties tools?
The only parameter that we have to connect are:
Gateway IP: xxx.xxx.xxx.xxx
Authentication Pre-shared Key: ######
Encryption: 3DES
Hash authentication: MD5
DH: Group1
No username or password is needed with this type of VPN.
Any help is appreciated.
Best regards, AbedHi,
You may try to configure the Windows Server 2012 (RRAS) as VPN router to connect to the 3rd party VPN server(compatible with Windows Server VPN).
Some samples just for your reference:
Checklist: Implementing a Site-to-Site Connection Design
https://technet.microsoft.com/en-us/library/ff687867(v=ws.10).aspx
TMG Configuring site-to-site VPN access
http://technet.microsoft.com/en-us/library/bb838949.aspx
More about how to deploy the RRAS on TMG please post in the TMG forum:
Forefront support forum
http://social.technet.microsoft.com/Forums/forefront/en-us/home?category=forefront
Best Regards,
Eve Wang
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected] -
How can i access dmz server via public ip from inside?
hi all !
As shown in Figure,how can i access the server in dmz zone via public?
i can access it via private ip 192.168.1.1 now,but i can't access it via 101.100.1.2.
who can help me ?
thank you !Hi,
You would have to configure Static NAT from DMZ to INSIDE for the server in the same way you have done for DMZ to OUTSIDE.
Basically in the following way for example
object network DMZ-WEB
host 192.168.1.1
nat (dmz,inside) static 101.100.1.2
This would enable your users on the "inside" to access the "dmz" server with the public IP address. And naturally only with the public IP address after this NAT.
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni -
ASA 5505: VPN Access to Different Subnets
Hi All-
I'm trying to figure out how to configure our ASA so that remote users can have VPN access to two different subnets (office LAN and phone LAN). Currently, I have 3 VLANs setup -- VLAN 1 (inside), VLAN 2 (outside), VLAN 13 (phone LAN). Essentially, remote users should be able to access their PC (192.168.1.0 /24) and also access the office phone system (192.168.254.0 /24). Is this even possible? Below is the configurations on our ASA,
Thanks in advance:
ASA Version 8.2(5)
names
name 10.0.1.0 Net-10
name 20.0.1.0 Net-20
name 192.168.254.0 phones
name 192.168.254.250 PBX
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 13
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.98 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address X.X.139.79 255.255.255.224
interface Vlan3
no nameif
security-level 50
ip address 192.168.5.1 255.255.255.0
interface Vlan13
nameif phones
security-level 100
ip address 192.168.254.200 255.255.255.0
ftp mode passive
object-group service RDP tcp
port-object eq 3389
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp eq ssh
access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 192.168.1.0 255.255.255.0
access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 phones 255.255.255.0
access-list inside_nat0_outbound extended permit ip any Net-10 255.255.255.224
access-list inside_access_in extended permit ip any any
access-list Split_Tunnel_List standard permit Net-10 255.255.255.224
access-list phones_nat0_outbound extended permit ip any Net-10 255.255.255.224
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 host Mac any
pager lines 24
logging enable
logging timestamp
logging monitor errors
logging history errors
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu phones 1500
ip local pool SSLClientPool-10 10.0.1.1-10.0.1.20 mask 255.255.255.128
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 10 interface
global (outside) 1 interface
global (phones) 20 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 10 access-list vpn_nat_inside outside
nat (phones) 0 access-list phones_nat0_outbound
nat (phones) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.139.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=pas-asa.null
keypair pasvpnkey
crl configure
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
vpn-sessiondb max-session-limit 10
telnet timeout 5
ssh 192.168.1.100 255.255.255.255 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh Mac 255.255.255.255 outside
ssh timeout 60
console timeout 0
dhcpd auto_config inside
dhcpd address 192.168.1.222-192.168.1.223 inside
dhcpd dns 64.238.96.12 66.180.96.12 interface inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect-essentials
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
wins-server none
dns-server value 64.238.96.12 66.180.96.12
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
ipv6-vpn-filter none
vpn-tunnel-protocol svc
group-lock value PAS-SSL-VPN
default-domain none
vlan none
nac-settings none
webvpn
svc mtu 1200
svc keepalive 60
svc dpd-interval client none
svc dpd-interval gateway none
svc compression none
group-policy DfltGrpPolicy attributes
dns-server value 64.238.96.12 66.180.96.12
vpn-tunnel-protocol IPSec svc webvpn
tunnel-group DefaultRAGroup general-attributes
address-pool SSLClientPool-10
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group PAS-SSL-VPN type remote-access
tunnel-group PAS-SSL-VPN general-attributes
address-pool SSLClientPool-10
default-group-policy SSLClientPolicy
tunnel-group PAS-SSL-VPN webvpn-attributes
group-alias PAS_VPN enable
group-url https://X.X.139.79/PAS_VPN enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
no call-home reporting anonymousHi Jouni-
Yes, with the current configs remote users only have access to the 'inside' LAN (192.168.1.0). The digital PBX on the 'phone' LAN (192.168.254.0) is not reachable through their VPN session.
Per you recommendation, I removed the following configs from my ASA:
global (phones) 20 interface
... removing this configuration didn't make a difference -- I was still able to ping the inside LAN, but not the phone LAN.
global (inside) 10 interface
nat (outside) 10 access-list vpn_nat_inside outside
.... removing these two configurations caused the inside LAN to be unreachable. The phone LAN was not reachable, either. So, I put the '10' configurations back.
The ASDM syslog is showing the following when I try to ping the PBX (192.168.254.250) through the VPN session:
"portmap translation creation failed for icmp src outside:10.0.1.1 dest phones:PBX (type 8, code 0)"
What do you think?
Thanks! -
Mac OSX 10.5.3 Leopard STANDARD Server CHANGEIP questions
I am confused on how to check and change TCP/IP addresses via Mac OSX Leopard 10.5.3 server in STANDARD mode.
I watched the great Sean Colins Lynda.com tutorial on OSX 10.5 Server, but i still have a few questions with how to deal with DNSs and CHANGE IP
Here is the hardware & scenario:
-- G5 Silver Doors Tower with 1.7GB Ram and Mac OSX 10.5 Leopard 10 user server
-- Cablevision ISP with there BOOST service [that allows you to set-up a server and does not block ports 25 or 80]
-- NO Static IP from Cablevison [they change it once in a blue moon when they want so I rely on DYNDNS below]
-- Apple Airport TimeCapsule [with all latest firmware updates etc]
-- DynDNS account and client software installed on server to update the DYNDNS severs with the current Cablevisions TCP/IP address
Problem and Question
===
Three times a year I will need to move this server. 1/3rd of year and at setup it is on residential Cablevision Account and Apple TimeCapsule Router, Then 2/3 of year server will be behind two funky large networks where I will have to set-up manual IP, DNS, and proxy info
I need to know what the proper process is when I want to move the Mac. When the 10.5.3 STANDARD Server is in STANDARD mode can I just change the TCP/IP address in SYSTEM PREFERENCES...NETWORK ? Do I have to run the CHANGEIP command Afterwards [or Before]
Also, for DNS config on server does it always need to have the loop back self reference [127.0.0.1] or can it just be configed from the Airport and/or network?
And, big problem for now... dumbly when I set-up the OSX Server on the TimeCapsule Network I forgot to write down the TCP/IP address used. Now I am on the second funky corporate network and can't use the command:
sudo changeip - idon't_knowip 10.0.96.48 server.cmtenyoffice.com server.cmtenyoffice.com
Also, another question for the HOSTNAME... should it be HOSTNAME or FullyQuallifiedDomainName?
My HOSTNAME seems to be "CMTE-Server.local" but I specified the FullyQualifiedDomainName to "sever.cmtenyoffice.com"
NOTE: I do NOT have this domain registered and am not yet hosting a website or email server on this machine, but I may soon register the domain and then point MX records etc to the DYNDNS record that would point to server
Anyhow, to wrap up,
1- What is the proper process for changing the TCP IP address with a Leopard 10.5.3 STANDARD SERVER?
2- What do I do with CHANGEIP command if I don't know what the STARTING TCP/IP address is?
3- For HOSTNAME should I be entering the unregistered FQDN or the "CMTE-Server.local"
Thanks for any an all info.
-- Eric ZORK Alan
-- Professional Poet & BED VLOGGERHi Eric
You use the one its using now.
If the Server is Standalone issue:
sudo changeip - oldIP newIP oldhostname newhostname
Even if nothing changes you can still issue the command, supply the system admin name and password and let it do its stuff. Prior to doing this you must change the address in the Network Preferences Pane. Although not necessary it does not hurt if you restart afterwards.
If the Server is an OD Master issue:
sudo changeip /LDAPv3/127.0.0.1 oldIP newIP oldhostname newhostname
You will not only be prompted for the system admin name and password but also for the Directory Administrator name and password. With both command you will get feedback as to what is going on. Obviously you will see more changes made if its an LDAP Server. Hostname will be the fully qualifed domain name (FQDN) defined in the DNS Service eg: myserver.mydomain.com.
man changeip
For usage. Actually prior to doing any of this and incidentally a good way of finding out not only the hostname but also the IP address associated with that name issue:
sudo changeip -checkhostname
You should run this before/after making the change. If everything checks out OK it should report 'the names match, there is nothing to change'. This is a good a test that lets you know its worked. However its not the only test. I would run host, nslookup and dig also. Next set a client to use the Server for its DNS and then test connectivity with firstly the Server's fqdn and lastly its IP Address.
Ultimately the truest test is: "what impact has the change made on clients accessing the Server and its Services successfully?"
If the Server is a mature OD Master (possibly PDC as well) with DNS, Mail, AFP, SMB, iCal and any other 2-3 additional services configured and running then issuing changeip may appear - superficially - to have worked. Occsasionally - in my experience - serious problems begin to develop with the LDAP database to the extent where the only 'cure' is to demote to Standalone, sorting out DNS and re-promoting. This can have serious repercussions if you have not made preparations to limit the re-build time prior to changing the IP address and issuing the command. Equally it can be successful. However can you take the risk?
Tony
Maybe you are looking for
-
Hello, I bought an iMac few days ago. I would like to sync ical on my iMac with my professional calendar I use in my company (from outlook web access). I was easy to manage it on my iPhone (I just add a new "exchange" mail account and ask for a calen
-
My photosmart C7250 all-in-one used to allow me to print black and white only, now it won't
My photosmart c7250 all-in-one used to allow me to print in black and white only if I changed properties to print in grayscale, black and white only. Now it says it won't print until I replace one of the empty color cartridges. I do no understand w
-
The file is not readble - error message in Illustrator CS5
My wife worked on an Illustrator CS5 file for an upcoming after school program last night, then saved and closed. This morning she tried to fine tune it before work and was presented with this message in a pop-up . . . The file is not readable . . .
-
I have tried to plug it into my mac and doing a manual sync, but still it didn't work.
-
OBIEE11.1.1.6 integration with SmartView
Hello Could anyone tell me how to integrate SmartView 11.1.1.3 with OBIEE 11.1.1.6. Regds