VPN and Firewall

So I have kind of a different setup going here. I have an ISA Server 2006 at the front with a 2821 behind doing my internal routing and connecting to my voice provider and then to my CallManager. I am trying to setup the router to allow VPN connections through EasyVPN. Anyone ever try to allow EasyVPN connections through an ISA Firewall or a firewall period to a router behind it? Any ideas?

See the below link as a general guide:-
http://www.cisco.com/en/US/products/sw/secursw/ps5318/products_configuration_example09186a00806ad10e.shtml
All you have to allow thru the ISA server is:-
UDP 500 - ISAKMP
Protocol 50 - ESP and 51 - AH (if used)
if you required NAT-T then you also have to allow UDP 4500
HTH>

Similar Messages

  • Best option for VPN and Firewall..

    I am replacing my Watchguard Firebox 700 Firewall/VPN with a Cisco box. I am trying to determine what would be the best model for my environment.
    20 person company.. The only need would be for 1 or 2 different offices to connect via VPN and also our users to connect via VPN. So my needs are for firewall and VPN.. What model would you recommend?
    Thank you

    Hi,
    I would suggest ASA 5505. Take a look at the link below.
    http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
    Rate it, if it helps.
    Thanks
    Gilbert

  • RV042 VPN and firewall?

    Hi,
    I have RV042s here that connect networks via IPSEC tunnels. I'd like to use the RV042 firewall to control in- and outbound network traffic to a subnet. But it seems that I cannot apply firewall rules to traffic that comes in via the VPN tunnel (IPSEC1 interface)? Is this a known limitiation? Are there any workarounds? Or am I doing something wrong?
    Thanks,
    David

    David,
    RV042 Access Rules cannot be applied to VPN traffic. This router assume the remote subnet is fully trusted. This is a common limitation in the small business routers.

  • Access to VPN and Skype from behind work's firewall

    I'm running a Powerbook G4 with OS 10.4.11. At work I have a very fast ethernet connection perfect for internet and Work (Exchange) email, however I can't seem to access my Uni email account, VPN or several other services, notably Skype or iChat (as I work away from my kids during the week this is vitally important). I can ping the server for the VPN and both sets of IT boffins assure me that all appropriate ports are open. I can access the VPN through PCs and I am at the moment broadcasting the internet through my Airport to a PC based laptop which is running Skype quite happily. I can go to a local pub/coffee shop and access all of the services through a WiFi/Airport Network, and I have access to all these services when I'm at home (again through WiFi). What am I doing wrong? Any help would be greatly appreciated
    D

    Hi,
    yes, the spilt into three subnets did help. I now can see the routers also from the LAN which solves Problem A)
    Regarding the access from WAN1 to WAN2 the background is a long story about different flatrates from Provider A and B. To keep it short: DSL is stable but very slow during some hours of the day and attached to WAN2, LTE (4G) is fast but not stable (at least 2-3 hickups per day). Therefore I need the RV042 to keep the LAN clients always online as I need it for my job. The telephone is another issue. The fritzboxes do allow VOIP over their own Internet connection but also using another Fritzbox is possible. I have my telephones connected to the DSL Box (WAN2 = 192.168.179 now) and I have a flatrate for calls to cell phones with my 4G provider (WAN1 = 192.168.178 now). As the 4G keeps failing from time to time it is very annoying when it happens during a telco (and we all know Murphys law). So the ideas is to have the telphones attached to the stable (WAN2) DSL Box and reroute it for calls to cell phones via WAN1 ( which is a feature of the boxes and worked perfectly). If the 4G fails the DSL Box uses its own Internet connection to make the call (but then I have to pay for it).
    So I need access from WAN2 (192.168.179) to WAN1 (192.168.178). I tried a static route in the WAN2 Box but it didn't work (I've used the RV042 WAN interface IP: 192.168.179.100 as Gateway).
    Kind regards
    Klaus

  • VPN and intergrated email service.

    I am wondering if anyone can aid me...
    Set up VPN on z10, works through browser but cannot connect to email server thru add email account settings. Tested hotspot with laptop and outlook which works fine. 
    Carriers ip address is blocked which is why I set up vpn, is their anyway to run the integrated email thru vpn?
     Forgive me if the terminology isn't correct but I'm not a networking guru.
     Thanks

    Hi!
    I have 2 VPN, they are home & business, and I can send and receive e-mails through both tunnels, same without VPN as well. So problem lies somewhere at another place
    Try to use e-mail without VPN and if You'll can, problem is in VPN settings, if not, then something is wrong with You e-mail account settings.
    If problem is with VPN, then something wrong is with server firewall or ports forwarding most probably.
    While You aren't network guru, I suggest to talk with e-mail tech support or VPN tech support according which case You have

  • VPN and what can I expect to see?

    When I establish a VPN connection to a Snow Leopard Server will I be able to see or use applications from other servers on the same network?
    Or do I only get to use what is on the Server I connected to?
    And the only way I have found of using anything on the Snow Leopard Server is connecting to it with Apple remote desktop? Is that it or am I missing something?
    I can connect to a server with VPN and I have all data routed through VPN ad I can not browse for server and see anything?
    I have a functioning VPN into my newest Snow Leopard Server but I would love to use data from the Leopard Server that sits next door. I am able to install client software on the Snow Leopard Server and start it up and have it connect to my database but I am hoping to bring 2 or 3 remote users into the network simultaneously and have them use the database on the Leopard Server?
    Does Apple have a VPN setup guide anywhere?
    Thanks group.

    The Airport and Time Capsule are good home routers, and good WiFi devices.
    They're also configurable as good access points, which is handy if you're running multiple WiFi devices to get coverage in a larger area.
    The devices are not particularly capable firewalls for use with servers; that's not their target market.
    Specific device suggestions? I've worked with various stuff over the years, and I generally end up either following the client's gear preferences, or running some research based on the bandwidth and expectations and features for the installation. And the budget; for a bigger budget, you can often get better features or easier integration. And the products and offerings and features change regularly in this market; each time I do this, I find different gear.
    Here's the general path...
    There are commercial and open-source options available.
    The open-source packages can generally convert a two-controller spare PC into a firewall, and most (all?) can operate with a selection of embedded x86 boxes.
    In general, I look for support of VPN (L2TP and PPTP minimally, other protocols if and as available), look for explicit listings of Linux and Mac OS X details in the manuals (not because you're going to necessarily use Linux or any particular operating system here, but because the vendor went to the effort to test with a variety of platforms), and I look for a vender that does not require downloading a VPN client, for NAT, reasonably programmable port-forwarding, and possibly (as additional features, or as specific requirements) DMZ, RADIUS, anti-malware and anti-spam mechanisms.
    Oh, and download and read the product manual before you buy the box. See if it makes any sense. (I've found this step invaluable for reducing the numbers of candidate boxes I need to evaluate.)

  • VPN and Internet Connection Sharing? (bridging remote networks)

    I'd like to try an experiment and some advice from this list will be useful.
    +Summary: Can a Mac with two interfaces activate VPN and Internet sharing simultaneously to bridge two remote networks?+
    I've created a PPTP VPN server on our XServe at work and opened the appropriate ports on our firewall. This and a second location are linked with standard (but fast) ADSL broadband. I can log in from both Mac and Windows VPN clients at an external location and indeed the experience is just like being at work- printers, file servers and other resources (eg networked Filemaker databases) are all visible. Yay.
    Question: Is it possible to extend this concept further by logging onto our VPN with once interface (eg Airport) +and then+ enabling Internet Sharing through the second interface (eg Ethernet)? Will this allow a small network connected through the second interface to all behave as though they are on the work network, with transparent access to fileservers, printers and so on, without each bothering individually with VPNs and so on? I suspect there are physical boxes that will do this, but it would be wonderful to know if I can get a Mac with two NICs to do the same job, acting as a router between the two networks. Are there any limitations to this? I am happy to tweak under the hood if need be. I just need to know if this is possible, even in theory, and what the limitations might be.
    Thanks.

    Hey Nathan...
    My VPN is down at the moment, but I think your going to have to manually configure all of the "clients" who are sharing the VPN to an IP range that your office uses. When you connect to your VPN, check your network prefs, and you'll see the IP addresses assigned to your VPN are similar to your network at the office. So, in a way, your sharing computer has 2 IP addresses... one from your modem or router at home, and one from the VPN server at the office. It's this 2nd IP address that allows you to appear to be on the network at the office.
    So, if you can find a way to set up your shared clients the same way.... it might work. It will also be VERY helpful if your IP range at home is different from the IP range at the office....192.168... for one...and 10.0.0 for the other. (Whether traffic will pass thru your "sharing server" is a different matter altogether.)
    Now, and I'm really guessing here.. if this works at all... you may be only able to access stuff from the office on your "shared clients" (ie no internet).... the way around that is to set up your VPN to allow VPN clients to pull stuff from the internet from the office thu the VPN... and for the life of me don't remember how that is done. But it will most likely be a bit slow.
    I'd start with the basics... setup one client with a manual IP address/router/dns servers, and try to ping a computer at the office. If this works... at least part of your problem is solved.
    With all that said... it may not work at all. Good Luck!

  • Controling iOS Ports and URLs Via VPN and UTM

    I'm new to actual Network Security. My dad's worked network security, I've taken Security and programing classes. But in short, I have no real money and I'm too busy living the college life (Homework tell you're hired 3 years from now.) My goal this winter is to set up a UTM in the house. I'll probably go with Astaro. If not, WS2008 is my next choice. It's a bit harder on resources, to my experience, but I'm still new, so studying is required.
    my ultimate goal is to lock down my network. No uncleared Ports or URLs. I've learned with ZoneAlarm how much I love manual control of my network and thus the applications within it. I'm not a pirate, but I don't like programs validating. It seems insulting for my computer not to trust it's creater. so I block that. My goal is to lock down my more portable systems and reroute them back into the LAN via VPN and block outgoing and incoming ports and URLs from the UTM here.
    I realized that I can apply this technique to the iOSs as well, in theory. I'm here to ask for help with this.
    My questions:
    1. Can you forward ALL networked data to and through the VPNed Network without a single leek?
    2. Has anyone tried this and what problems have you had? (Exp: some apps might not like this. I can't imagine them wasting the processor power to check for his, but it's happened with countless PC programs)
    3. In regards to question number two's tangent, I'm making a special goal to block the new iAd Urls. I'm assuming they use the commonly open port 80. they don't want people to be without ads at school.
    Has anyone seen a problem with this?
    thank you in advance. I want to publish my findings in an easy How To Manual later. Sharing is caring. haha.

    Smith Comma John wrote:
    I was asking if anyone had actually tested the IOS for leaks. either Apple making a backdoor for their sake, or one of the apps exploiting a fault somewhere.
    Given the intense scrutiny that Apple is under, I doubt either scenario is a possibility.
    What I really ment to ask was "has anyone had problems with the apps not liking URL/Port limitations forced upon them". With ZoneAlarm, you can do exactly this and all of the programs I've used cannot access the internet without concent from the user. If blocked, the end up thinking that they're off line, but Crysis, for example will not intstall unless it get's an authentication check from crytec's server. You cannot install it without internet access (Assuming no workarounds/spoofing is used). Has anyone had problems with the applications after firewalling their ipad with in a similar fashion.
    On a Mac, people use Little Snitch for this. It is very handy to make sure SPAM in your inbox doesn't phone home if you accidentally open it.
    Because all such tools are system-level, you aren't going to run the on iOS. What you can do is run DD-WRT on your router. You could control and log all inbound and outbound traffic. It is essentially a port of Linux for your router. I used it for many years until I got a Time Capsule. As far as routers go, my ancient Buffalo router with DD-WRT was significantly better than the Apple Time Capsule. My iPad works great with it. I expect DD-WRT would be able to keep you suitably entertained.
    Frankly I'm not too happy with apple right now. Tryrony comes to mind.
    Don't believe what you read on the internet, especially if Apple is the subject.

  • IpSec VPN and NAT don't work togheter on HP MSR 20 20

    Hi People,
    I'm getting several issues, let me explain:
    I have a Router HP MSR with 2 ethernet interfaces, Eth 0/0 - WAN (186.177.159.98) and Eth 0/1 LAN (192.168.100.0 /24). I have configured a VPN site to site thru the internet, and it works really well. The other site has the subnet 10.10.10.0 and i can reache the network thru the VPN Ipsec. The issue is that the network 192.168.100.0 /24 needs to reach internet with the same public address, so I have set a basic NT configuration, when I put the nat configuration into Eth 0/0 all network 192.168.100.0 can go to internet, but the VPN goes down, when I remove the NAT from Eth 0/0 the VPN goes Up, but the network 192.168.100.0 Can't go to internet.
    I'm missing something but i don't know what it is !!!!, See below the configuration.
    Can anyone help me qith that, I need to send te traffic with target 10.10.10.0 thru the VPN, and all other traffic to internet, Basically I need that NAT and VPN work fine at same time.
    Note: I just have only One public Ip address.
    version 5.20, Release 2207P41, Standard
    sysname HP
    nat address-group 1 186.177.159.93 186.177.159.93
    domain default enable system
    dns proxy enable
    telnet server enable
    dar p2p signature-file cfa0:/p2p_default.mtd
    port-security enable
    acl number 2001
    rule 0 permit source 192.168.100.0 0.0.0.255
    rule 5 deny
    acl number 3000
    rule 0 permit ip source 192.168.100.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
    vlan 1
    domain system
    access-limit disable
    state active
    idle-cut disable
    self-service-url disable
    ike proposal 1
    encryption-algorithm 3des-cbc
    dh group2
    ike proposal 10
    encryption-algorithm 3des-cbc
    dh group2
    ike peer vpn-test
    proposal 1
    pre-shared-key cipher wrWR2LZofLx6g26QyYjqBQ==
    remote-address <Public Ip from VPN Peer>
    local-address 186.177.159.93
    nat traversal
    ipsec proposal vpn-test
    esp authentication-algorithm sha1
    esp encryption-algorithm 3des
    ipsec policy vpntest 30 isakmp
    connection-name vpntest.30
    security acl 3000
    pfs dh-group2
    ike-peer vpn-test
    proposal vpn-test
    dhcp server ip-pool vlan1 extended
    network mask 255.255.255.0
    user-group system
    group-attribute allow-guest
    local-user admin
    password cipher .]@USE=B,53Q=^Q`MAF4<1!!
    authorization-attribute level 3
    service-type telnet
    service-type web
    cwmp
    undo cwmp enable
    interface Aux0
    async mode flow
    link-protocol ppp
    interface Cellular0/0
    async mode protocol
    link-protocol ppp
    interface Ethernet0/0
    port link-mode route
    nat outbound 2001 address-group 1
    nat server 1 protocol tcp global current-interface 3389 inside 192.168.100.20 3389
    ip address dhcp-alloc
    ipsec policy vpntest
    interface Ethernet0/1
    port link-mode route
    ip address 192.168.100.1 255.255.255.0
    interface NULL0
    interface Vlan-interface1
    undo dhcp select server global-pool
    dhcp server apply ip-pool vlan1

    ewaller wrote:
    What is under the switches tab?
    Oh -- By the way, that picture is over the size limit defined in the forum rules in tems of pixels, but the file size is okay.  I'll let it slide.  Watch the bumping as well.
    If you want to post the switches tab, upload it to someplace like http://img3.imageshack.us/, copy the thumbnail (which has the link to the original)  back here, and you are golden.
    I had a bear of a time getting the microphone working on my HP DV4, but it does work.  I'll look at the set up when I get home tonight [USA-PDT].
    Sorry for the picture and the "bumping"... I have asked in irc in arch and alsa channels and no luck yet... one guy from alsa said I had to wait for the alsa-driver-1.0.24 package (currently I have alsa-driver-1.0.23) but it is weird because the microphone worked some months ago...
    So here is what it is under the switches tab

  • Cisco ASA Site to Site IPSEC VPN and NAT question

    Hi Folks,
    I have a question regarding both Site to Site IPSEC VPN and NAT. Basically what I want to achieve is to do the following:
    ASA2  is at HQ and ASA1 is a remote site. I have no problem setting up a  static static Site to Site IPSEC VPN between sites. Hosts residing at  10.1.0.0/16 are able to communicate with hosts at 192.168.1.0/24, but  what i want is to setup NAT with IPSEC VPN so that host at 10.1.0.0/16  will communicate with hosts at 192.168.1.0/24 with translated addresses
    Just an example:
    Host N2 (10.1.0.1/16) will communicate with host N1 192.168.1.5 with  destination lets say 10.23.1.5 not 192.168.1.5 (Notice the last octet  should be the same in this case .5)
    The same  translation for the rest of the communication (Host N2 pings host N3  destination ip 10.23.1.6 not 192.168.1.6. again last octet is the same)
    It sounds a bit confusing for me but i have seen this type of setup  before when I worked for managed service provider where we had  connection to our clients (Site to Site Ipsec VPN with NAT, not sure how  it was setup)
    Basically we were communicating  with client hosts over site to site VPN but their real addresses were  hidden and we were using translated address as mentioned above  10.23.1.0/24 instead of (real) 192.168.1.0/24, last octet should be the  same.
    Appreciate if someone can shed some light on it.

    Hi,
    Ok so were going with the older NAT configuration format
    To me it seems you could do the following:
    Configure the ASA1 with Static Policy NAT 
    access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
    Because the above is a Static Policy NAT it means that the translation will only be done when the destination network is 10.1.0.0/16
    If you for example have a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration wont interfere with eachother
    On ASA2 side you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network 
    access-list INSIDE-NONAT remark L2LVPN NONAT
    access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
    nat (inside) 0 access-list INSIDE-NONAT
    You will have to take into consideration that your access-list defining the L2L-VPN encrypted traffic must reflect the new NAT network 
    ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
    I could test this setup tomorrow at work but let me know if it works out.
    Please rate if it was helpful
    - Jouni

  • Works windows mobile with SSL VPN and anyconnect

    Hello,
    do anyone know if the following OS works with ASA 8.x SSL VPN client ,SSL clientless VPN and anyconnect client and Secure Desktop :
    windows mobile 5.0 Premium phone edition
    windows mobile 6.0
    windows embedded CE,Net
    windows mobile 2003
    Thank you for your help
    Michael

    [url=http://fztodds.24fast.info/washington225.html] washington [/url]
    [url=http://fztodds.24fast.info/washington16e.html] washington [/url]
    [url=http://fztodds.24fast.info/washingtond66.html] washington [/url]
    [url=http://fztodds.24fast.info/washington4e0.html] washington [/url]
    [url=http://fztodds.24fast.info/washington00b.html] washington [/url]
    [url=http://fztodds.24fast.info/washington1e7.html] washington [/url]
    [url=http://ioinlfu.zotzoo.com/washington0a8.html] washington [/url]
    [url=http://ioinlfu.zotzoo.com/washington9de.html] washington [/url]
    [url=http://ioinlfu.zotzoo.com/washingtone4a.html] washington [/url]
    [url=http://ioinlfu.zotzoo.com/washington4ec.html] washington [/url]
    [url=http://ioinlfu.zotzoo.com/washington184.html] washington [/url]
    [url=http://ioinlfu.zotzoo.com/washingtonb73.html] washington [/url]
    [url=http://ioinlfu.zotzoo.com/washington853.html] washington [/url]
    [url=http://ygkbfvp.wipou.com/washington1a5.html] washington [/url]
    [url=http://ygkbfvp.wipou.com/washingtonde7.html] washington [/url]
    [url=http://ygkbfvp.wipou.com/washington2b8.html] washington [/url]
    [url=http://ygkbfvp.wipou.com/washington902.html] washington [/url]
    [url=http://ygkbfvp.wipou.com/washingtonc99.html] washington [/url]
    [url=http://ygkbfvp.wipou.com/washingtoncc7.html] washington [/url]
    [url=http://ygkbfvp.wipou.com/washington598.html] washington [/url]
    [url=http://yfldvbz.webheri.net/washingtonbe2.html] washington [/url]
    [url=http://yfldvbz.webheri.net/washingtone9b.html] washington [/url]
    [url=http://yfldvbz.webheri.net/washington4e0.html] washington [/url]
    [url=http://yfldvbz.webheri.net/washington327.html] washington [/url]
    [url=http://yfldvbz.webheri.net/washingtonada.html] washington [/url]
    [url=http://yfldvbz.webheri.net/washingtond2b.html] washington [/url]
    [url=http://yfldvbz.webheri.net/washington317.html] washington [/url]
    [url=http://odwjneh.yourfreehosting.net/washington7cb.html] washington [/url]
    [url=http://odwjneh.yourfreehosting.net/washingtoneaf.html] washington [/url]
    [url=http://odwjneh.yourfreehosting.net/washington259.html] washington [/url]
    [url=http://odwjneh.yourfreehosting.net/washington8e0.html] washington [/url]
    [url=http://odwjneh.yourfreehosting.net/washingtonc03.html] washington [/url]
    [url=http://odwjneh.yourfreehosting.net/washington092.html] washington [/url]
    [url=http://odwjneh.yourfreehosting.net/washington79c.html] washington [/url]
    [url=http://aeaukol.rack111.com/washington766.html] washington [/url]
    [url=http://aeaukol.rack111.com/washingtona2e.html] washington [/url]
    [url=http://aeaukol.rack111.com/washington4c4.html] washington [/url]
    [url=http://aeaukol.rack111.com/washingtonb9f.html] washington [/url]
    [url=http://aeaukol.rack111.com/washingtond3a.html] washington [/url]
    [url=http://aeaukol.rack111.com/washington54a.html] washington [/url]
    [url=http://aeaukol.rack111.com/washington777.html] washington [/url]
    [url=http://uhbayoe.hostrator.com/washington300.html] washington [/url]
    [url=http://uhbayoe.hostrator.com/washington239.html] washington [/url]
    [url=http://uhbayoe.hostrator.com/washington7b4.html] washington [/url]
    [url=http://uhbayoe.hostrator.com/washingtonad5.html] washington [/url]
    [url=http://uhbayoe.hostrator.com/washingtone03.html] washington [/url]
    [url=http://uhbayoe.hostrator.com/washington399.html] washington [/url]
    [url=http://uhbayoe.hostrator.com/washington9e9.html] washington [/url]
    [url=http://ggaubio.hostevo.com/washington878.html] washington [/url]
    [url=http://ggaubio.hostevo.com/washington525.html] washington [/url]

  • Clientless SSL VPN and ActiveX question

    Hey All,
    First post for me here, so be gentle.  I'll try to be as detailed as possible.
    With the vast majority of my customers, I am able to configure an IPSEC L2L VPN, and narrow the traffic down to a very minimal set of ports.  However, I have a customer that does not want to allow a L2L VPN tunnel between their remote site, and their NOC center.  I thought this might be a good opportunity to get a clientless (they don't want to have to launch and log into a separate client) SSL VPN session setup.  Ultimately, this will be 8 individual sites, so setting up SSL VPN's at each site would be cost prohibitive from a licensing perspective.  My focus has been on using my 5510 (v8.2(5)) at my corp site as the centralized portal entrance, and creating bookmarks to each of the other respective sites, since I already have existing IPSEC VPN's via ASA5505, (same rev as the 5510 )setup with each of the sites.
    First issue I've run into is that I can only access bookmarks that point to the external address for the remote web-server (the site has a static entry mapping an external address to the internal address of the web server).  I am unable to browse (via bookmark) to the internal address of the remote web server.  Through my browser at the office, I can access the internal address fine, just not through the SSL VPN portal.  I am testing this external connectivity using a cell card to be able to simulate outside access.  Is accessing the external IP address by design, or do I have something hosed?
    Second issue I face is when I access the external address through the bookmark, I am ultimately able to log onto my remote website, and do normal browsing and javascript-type functions.  I am not able to use controls that require my company's ActiveX controls (video, primarily).  I did enable ActiveX relay, and that did allow the browser to start prompting me to install the controls as expected, but that still didn't allow the video stream through.  The stream only runs at about 5 fps, so it's not an intense stream.
    I have researched hairpinning for this situation, and "believe" that I have the NAT properly defined - even going as far as doing an ANY ANY, just for testing purposes to no avail.  I do see a decent number of "no translates" from a show nat:
      match ip inside any outside any
        NAT exempt
        translate_hits = 8915, untranslate_hits = 6574
    access-list nonat extended permit ip any any log notifications
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.2.0 255.255.255.0
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.16.32 255.255.255.224
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.17.0 255.255.255.0
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.250.0 255.255.255.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.250.0 255.255.255.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.254.0 255.255.255.0
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.254.0 255.255.255.0
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 host A-172.16.9.34
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.16.32 255.255.255.224
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.17.0 255.255.255.0
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 172.16.250.0 255.255.255.0
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 172.16.254.0 255.255.255.0
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 host A-172.16.9.34
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 192.168.18.0 255.255.255.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 192.168.18.0 255.255.255.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 host 172.16.62.57
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 host 172.16.62.57
    access-list nonat extended permit ip 192.168.18.0 255.255.255.0 host 172.16.62.57
    access-list nonat extended permit ip 192.168.17.0 255.255.255.0 172.16.8.0 255.255.254.0
    access-list nonat extended permit ip 192.168.16.32 255.255.255.224 172.16.8.0 255.255.254.0
    access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.2.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.17.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 192.168.18.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.16.32 255.255.255.224 172.16.250.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.16.32 255.255.255.224
    access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 192.168.18.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.16.32 255.255.255.224
    access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 192.168.17.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.18.0 255.255.255.0 172.16.250.0 255.255.255.0
    access-list D_Traffic extended permit ip 192.168.17.0 255.255.255.0 172.16.250.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 192.168.16.32 255.255.255.224 host A-172.16.9.34
    access-list outside_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 host A-172.16.9.34
    access-list outside_1_cryptomap extended permit ip 192.168.18.0 255.255.255.0 host A-172.16.9.34
    access-list outside_1_cryptomap extended permit ip 192.168.16.32 255.255.255.224 host 172.16.62.57
    access-list outside_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 host 172.16.62.57
    access-list outside_1_cryptomap extended permit ip 192.168.18.0 255.255.255.0 host 172.16.62.57
    access-list External_VPN extended permit ip 192.168.16.32 255.255.255.224 172.16.254.0 255.255.255.0
    access-list External_VPN extended permit ip 192.168.17.0 255.255.255.0 172.16.254.0 255.255.255.0
    access-list outside_in extended permit icmp any any log notifications
    access-list outside_in extended permit tcp any any log notifications
    pager lines 24
    logging enable
    logging asdm informational
    logging ftp-server 192.168.16.34 / syslog *****
    mtu inside 1500
    mtu outside 1500
    ip local pool Remote 172.16.254.1-172.16.254.25 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp timeout 14400
    global (inside) 1 interface
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 192.168.16.32 255.255.255.224
    nat (inside) 1 192.168.17.0 255.255.255.0
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group outside_in in interface outside
    192.168.2.0 is my corp network range
    192.168.2.171 is my internal IP for corp ASA5510
    97.x.x.x is the external interface for my corp ASA5510
    192.168.16.34 is the internal interface for the remote ASA5505
    64.x.x.x is the external interface for the remote ASA5505
    192.168.17.0, and 192.168.18.0 are two other private LANS behind the remote 5505
    As you can see, I have things reasonably wide open - with no port restrictions on this one yet - this is for troubleshooting purposes, and it will get restrictive as soon as I figure this out   Right now, the ASA5510 is pretty restrictive, and to be brutally honest, I'm not certain I'm even using the packet tracer 100% proper to be able to simulate coming from the outside of the network through my ASA5510, out to a remote ASA5505, and to a web server behind that 5505.  I'm sure that the issue is probably going to be a mix of ACL's between the 5510, and the 5505.
    I guess the main question, is Clientless SSL VPN really a good choice for this, or are there other real alternatives - especially since my client doesn't want to have to install, or use an actual client (like AnyConnect), nor do they want to have an always-on IPSEC VPN.  Am I going about this the right way?  Anyone have any suggestions, or do I have my config royally hosed?
    Thanks much for any and all ideas!

    Hey All,  I appreciate all of the views on this post.  I would appreciate any input - even if you think it might be far-fetched.  I'm grasping at straws, and am super-hesitant to tell my customer this is even remotely possible if I can't have a POC myself.  Thanks, in advance!!

  • Performance end to end testing and comparison between MPLS VPN and VPLS VPN

    Hi,
    I am student of MSc Network Security and as for my project which is " Comparison between MPLS L3 VPN and VPLS VPN, performance monitoring by end to end testing " I have heard a lot of buzz about VPLS as becoming NGN, I wanted to exppore that and produce a comparison report of which technology is better. To accomplish this I am using GNS3, with respect to the MPLS L3 VPN lab setup that is not a problem but I am stuck at the VPLS part how to setup that ? I have searched but unable to find any cost effective mean, even it is not possible in the university lab as we dont have 7600 series
    I would appreciate any support, guidence, advice.
    Thanks
    Shahbaz

    Hi Shahbaz,
    I am not completely sure I understand your request.
    MPLS VPN and VPLS are 2 technologies meant to address to different needs, L3 VPN as opposed as L2 VPN. Not completely sure how you would compare them in terms of performance. Would you compare the performance of a F1 racing car with a Rally racing car?
    From the ISP point of view there is little difference (if we don't want to consider the specific inherent peculiarities of each technology) , as in the very basic scenarios we can boil down to the following basic operations for both:
    Ingress PE impose 2 labels (at least)
    Core Ps swap top most MPLS label
    Egress PE removes last label exposing underlying packet or frame.
    So whether the LSRs deal with underlying L2 frames or L3 IP packets there is no real difference in terms of performance (actually the P routers don't even notice any difference).
    About simulators, I am not aware of anyone able to simulate a L2 VPN (AtoM or VPLS).
    Riccardo

  • VPN and Remote Desktop Connection

    I have a standalone windows 2012 server that runs a domain with a few workstations. I have successfully configured a PPTP VPN and can connect using a Windows 7 computer at home. Once connected to the VPN, I can Remote Desktop to the server - but not any
    other computers. The computer I'm trying to connect to runs Windows 7 and has remote desktop connections enabled.
    Under the Access Details in the Remote Access Management the VPN connection is shown correctly first to the router (x.x.x.1) then the server (x.x.x.2) under Protocol 17 and Port 53. Then the server is shown again under Protocol 17 and Port 3389, which must
    be the Remote Desktop connection. And then the workstation on the domain (x.x.x.20) also shows a connection with Protocol 17 and Port 3389. However, the remote desktop connection fails everytime. I'm not sure where the issue exists since it appears the server
    is seeing and acknowledging the remote desktop connection. On my router I have PPTP passthrough enabled and port forward 3389 to the server.
    I have attempted to use the workstations internal IP address as well as the computer name (workstation and workstation.domain.local) when connecting.
    Thanks for your help.
    I just noticed these three event errors on the destination remote machine. Not sure why it's trying to use L2TP?
    Failed to apply IP Security on port VPN2-1 because of error: A certificate could not be found.  Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate..  No calls
    will be accepted to this port.
    A certificate could not be found. Connections that use the L2TP protocol over IPsec  require the installation of a machine certificate, also known as a computer  certificate. No L2TP calls will be accepted.
    The Secure Socket Tunneling Protocol service either could not read the SHA256 certificate hash from the registry or the data is invalid. To be valid, the SHA256 certificate hash must be of type REG_BINARY and 32 bytes in length. SSTP might not be able to
    retrieve the value from the registry due to some other system failure. The detailed error message is provided below. SSTP connections will not be accepted on this server. Correct the problem and try again.

    Morning Trent,
    I don't know if this is still an issue for you, did you get it solved?
    If not, check on the server whether the user credentials that you're using to RDP to the workstation are actually authorised server-side. If that checks out, on the VPN connection you can specify a protocol to use. Specify the protocol that your VPN is configured
    to use on the server.

  • Configuring Admin Util to allow me to use VPN AND surf the rest of the net

    I am having a problem when I connect to my work network via VPN. When I do, I can no longer connect to the rest of the Internet. I was able to do this until I started using an Express (so it has been allowed by my work network).
    Here's my setup: Express is connected via Ethernet to my Verizon Fios modem. When I connect my computer directly to the Verizon modem all works fine. I have been advised that what's happening is that my Airport Express is creating a behind-the-device network that has the same exact IP address space as your office's network (when I'm connected to it via VPN).
    To fix this I've been told to "Go into the Airport administration app, click on the "Internet" icon at the top of the configuration pane for your AE, then click on the "DHCP" tab, and look at what the "DHCP Range" pull-down menu is currently set to. After writing this down (in case you need to go back to it), change to one of the other options -- e.g., if it's currently set to "10.0.", change to "192.168." or "172.16". That should be enough to move you completely out of the space that your VPN is using. Save the changes, let your AE reboot, and try using the VPN and the internet at the same time again."
    The problem is that the advisor is using Airport Admin Util version 5.x and I am using version 4.2. The screen he suggests is not where his is in his version. Could someone advise me of how I can do this via 4.2?

    Reset your iPad and see if that fixes this.
    Reset the iPad by holding down on the sleep and home buttons at the same time for about 10-15 seconds until the Apple Logo appears - ignore the red slider if it appears on the screen - let go of the buttons. Let the iPad start up.

Maybe you are looking for

  • PS CS3 problems with OS 10.6

    How do you turn off "Open with Rosetta" for PS CS3?

  • Serious problem of jdbc-mysql connectivity using tomcat

    hi everybody i m in serious problem since last 15-20 days. i m trying hard to make the connection jdbc-mysql using tomcat with the help of a jsp test page but every time i am facing almost the similar probems listed below in detail: to make sure that

  • Link with ITPC protocol doesn't work

    My link to xml feed to my podcast doesn't work anymore on my ipod touch (3.1.2) or iphone (3.1.3). The link work just perfect on my computer (Windows XP) and open itunes normaly The ipod touch and iphone just say that the page can't be open because t

  • Trying to retrieve content from a text field & use it in a conditional statement

    Hi Everyone, I have a form with a text field and a button. The  text field is called "orderNo", and the button is called "genOrder". Initially  the text field is empty, and clicking on the button fills the text  field with an appropriate order number

  • Acrobat Pro 9.4.6 update took away ability to print

    Not sure if anyone else is having this issue.  I am running Windows 7 platform 64 bit and recently installed the new update 9.4.6 for Acrobat Pro.  It has stopped all printing functions for PDF files.  I don't get an error and it doesn't show a print