VPN Clients can't access internal LAN
Hello - I have seen a few other threads on this issue, but can't seem to fix mine. I have a PIX 506e. My VPN clients can connect, they get a DHCP address from our internal server no problem. But the clients can not ping me or anything else on the LAN. The clients are connecting ipsec. I know I must be missing something simple here. Here is my config. Any help would be great
Change the VPN Pool address to something else for example 192.168.10.0/24 etc. Then try and let me know. There could be ip overlap here.
Similar Messages
-
Hi!
I wish someone can help me on this, I'm a new guy on cisco firewalls and I'm currently implementing cisco asa 5512x, here are the details:
ISP -> Firewall -> Core switch -> Internal LAN
after installing the cisco asa and terminating the appropriate lan for the outside and inside interfaces, internet seems intermittent and cisco vpn client can connect with internet connection but can't ping internal LAN.
here's my configuration from my firewall.
ASA Version 8.6(1)2
hostname ciscofirewall
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 203.x.x.x 255.255.255.0
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.152.11.15 255.255.255.0
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 4.2.2.2 -------> public DNS
name-server 8.8.8.8 -------> public
name-server 203.x.x.x ----> Clients DNS
name-server 203.x.x.x -----> Clients DNS
same-security-traffic permit intra-interface
object network net_access
subnet 10.0.0.0 255.0.0.0
object network citrix_server
host 10.152.11.21
object network NETWORK_OBJ_10.10.10.0_28
subnet 10.10.10.0 255.255.255.240
object network NETWORK_OBJ_10.0.0.0_8
subnet 10.0.0.0 255.0.0.0
object network InterconHotel
subnet 10.152.11.0 255.255.255.0
access-list net_surf extended permit ip any any
access-list net_surf extended permit ip object NETWORK_OBJ_10.10.10.0_28 object InterconHotel
access-list outside_access extended permit tcp any object citrix_server eq www
access-list outside_access extended permit ip object NETWORK_OBJ_10.10.10.0_28 any
access-list outsidevpn_splitTunnelAcl standard permit 10.152.11.0 255.255.255.0
access-list LAN_Users remark LAN_clients
access-list LAN_Users standard permit any
access-list vpnpool extended permit ip 10.10.10.0 255.255.255.248 any
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
ip local pool vpnpool 10.10.10.1-10.10.10.6 mask 255.255.255.248
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 no-proxy-arp route-lookup
object network net_access
nat (inside,outside) dynamic interface
object network citrix_server
nat (inside,outside) static 203.177.18.234 service tcp www www
object network NETWORK_OBJ_10.10.10.0_28
nat (any,outside) dynamic interface
object network InterconHotel
nat (inside,outside) dynamic interface dns
access-group outside_access in interface outside
access-group net_surf out interface outside
route outside 0.0.0.0 0.0.0.0 203.x.x.x 1
route outside 10.10.10.0 255.255.255.248 10.152.11.15 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.100 255.255.255.255 inside
http 10.10.10.0 255.255.255.240 outside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
client-update enable
telnet 10.152.11.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
enable outside
anyconnect-essentials
group-policy outsidevpn internal
group-policy outsidevpn attributes
dns-server value 203.x.x.x 203.x.x.x
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client
split-tunnel-policy tunnelall
split-tunnel-network-list value outsidevpn_splitTunnelAcl
default-domain value interconti.com
address-pools value vpnpool
username test1 password i1lji/GiOWB67bAs encrypted privilege 5
username test1 attributes
vpn-group-policy outsidevpn
username mnlha password WlzjmENGEEZmT9LA encrypted
username mnlha attributes
vpn-group-policy outsidevpn
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group outsidevpn type remote-access
tunnel-group outsidevpn general-attributes
address-pool (inside) vpnpool
address-pool vpnpool
authentication-server-group (outside) LOCAL
default-group-policy outsidevpn
tunnel-group outsidevpn ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect http
inspect ipsec-pass-thru
class class-default
user-statistics accounting
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:edc30dda08e5800fc35b72dd6e1d88d7
: end
thanks. please help.I think you should change your nat-exemption rule to smth more general, like
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 no-proxy-arp route-lookup
'cause your inside networks are not the same as your vpn-pool subnet.
Plus, if you're trying to reach inside subnets, different from 10.152.11.0 255.255.255.0 (ip from wich subnet is assignet to your inside interface, and for wich above nat exception should be enough), you should check if routing is configured from that subnets to your vpn-pool-subnet through the ASA. -
ASA 5505 & VPN Client will not access remote lan
I have an ASA 5505 that is on the parimeter of a hub & spoke vpn network, when I connect to this device using the VPN client I can connect to any device accross the VPN ifrastructure with the exception of the subnet that the client is connected to, for instance:
VPN client internal network connects to 192.168.113.0 /24 and is issued that ip address 192.168.113.200, the VPN client can be pinged from another device in this network however the client cannot access anyting on this subnet, all other sites can be accesed ie. main site 192.168.16.0/24, second site 192.168.110/24 and third site 192.168.112/24. The ACL Manager has a single entry of "Source 192.168.113.0/24 Destination 192.168.0.0/16 and the "Standared ACL 192.168.8.8./16 permit.
What am I doing wrong?Thanks for getting back to me, I have carried out the steps as instructed, one interesting point is that the IP address that was issued to the VPN Client 192.168.113.200 does not appear in the output.
Result of the command: "show run all sysopt"
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp inside
no sysopt noproxyarp outside
========================================================================
Result of the command: "show capture drop"
3862 packets captured
1: 16:20:12.552675 eb4f.1df5.0453 1503.0100.16d1 0x97da 27: Drop-reason: (np-socket-closed) Dropped pending packets in a closed socket
2: 16:20:12.565980 802.1Q vlan#1 P0 192.168.113.2.1351 > 192.168.113.1.443: F 344642397:344642397(0) ack 2841808872 win 64834 Drop-reason: (tcp-not-syn) First TCP packet not SYN
3: 16:20:18.108469 df4c.9238.6de4 1503.0100.1615 0x80e6 27: Drop-reason: (np-socket-closed) Dropped pending packets in a closed socket
4: 16:20:49.326505 802.1Q vlan#1 P0 802.3 encap packet
5: 16:20:50.326582 802.1Q vlan#1 P0 0000.74da.ed6f ffff.ffff.ffff 0x8100 64:
0001 8137 ffff 0022 0004 0000 0000 ffff
ffff ffff 0452 0000 0000 0000 74da ed6f
4100 0003 0004 0000 0000 0000 0000 0000
0000 Drop-reason: (l2_acl) FP L2 rule drop
6: 16:20:51.326643 802.1Q vlan#1 P0 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
7: 16:20:52.326734 802.1Q vlan#1 P0 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
8: 16:20:53.326780 802.1Q vlan#1 P0 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
9: 16:20:54.326811 802.1Q vlan#1 P0 0000.74da.ed6f ffff.ffff.ffff 0x8100 64:
0001 8137 ffff 0022 0004 0000 0000 ffff
ffff ffff 0452 0000 0000 0000 74da ed6f
4100 0003 0004 0000 0000 0000 0000 0000
0000
10: 16:20:55.326933 802.1Q vlan#1 P0 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
11: 16:20:56.327024 802.1Q vlan#1 P0 802.3 encap packet
12: 16:20:57.327116 802.1Q vlan#1 P0 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
13: 16:20:58.327131 802.1Q vlan#1 P0 0000.74da.ed6f ffff.ffff.ffff 0x8100 64:
0001 8137 ffff 0022 0004 0000 0000 ffff
ffff ffff 0452 0000 0000 0000 74da ed6f
4100 0003 0004 0000 0000 0000 0000 0000
0000 Drop-reason: (l2_acl) FP L2 rule drop
14: 16:20:59.327207 802.1Q vlan#1 P0 802.3 encap packet
15: 16:21:00.327253 802.1Q vlan#1 P0 802.3 encap packet
16: 16:21:46.298202 802.1Q vlan#2 P0 188.47.231.204.4804 > x.x.x.x: S 1269179881:1269179881(0) win 65535 Drop-reason: (acl-drop) Flow is denied by configured rule
17: 16:21:49.249971 802.1Q vlan#2 P0 188.47.231.204.4804 >x.x.x.x: S 1269179881:1269179881(0) win 65535 Drop-reason: (acl-drop) Flow is denied by configured rule
18: 16:22:01.331449 802.1Q vlan#1 P0 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
19: 16:22:02.331541 802.1Q vlan#1 P0 0000.74da.ed6f ffff.ffff.ffff 0x8100 64:
0001 8137 ffff 0022 0004 0000 0000 ffff
ffff ffff 0452 0000 0000 0000 74da ed6f
4100 0003 0004 0000 0000 0000 0000 0000
0000 Drop-reason: (l2_acl) FP L2 rule drop
20: 16:22:02.847002 802.1Q vlan#1 P0 192.168.113.102.3601 > 192.168.16.7.389: . ack 776344922 win 0 Drop-reason: (tcp-3whs-failed) TCP failed 3 way handshake
21: 16:22:03.331617 802.1Q vlan#1 P0 802.3 encap packet
22: 16:22:04.331693 802.1Q vlan#1 P0 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
23: 16:22:05.331769 802.1Q vlan#1 P0 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
24: 16:22:06.331830 802.1Q vlan#1 P0 0000.74da.ed6f ffff.ffff.ffff 0x8100 64:
0001 8137 ffff 0022 0004 0000 0000 ffff
ffff ffff 0452 0000 0000 0000 74da ed6f
4100 0003 0004 0000 0000 0000 0000 0000
0000
25: 16:22:07.331907 802.1Q vlan#1 P0 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
26: 16:22:08.331937 802.1Q vlan#1 P0 802.3 encap packet
27: 16:22:09.332029 802.1Q vlan#1 P0 802.3 encap packet
28: 16:22:10.332075 802.1Q vlan#1 P0 0000.74da.ed6f ffff.ffff.ffff 0x8100 64:
0001 8137 ffff 0022 0004 0000 0000 ffff
ffff ffff 0452 0000 0000 0000 74da ed6f
4100 0003 0004 0000 0000 0000 0000 0000
0000
29: 16:22:11.332136 802.1Q vlan#1 P0 802.3 encap packet
30: 16:22:12.332258 802.1Q vlan#1 P0 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
31: 16:22:24.346081 802.1Q vlan#2 P0 46.108.60.22.80 > x.x.x.x: S 3922541222:3922541222(0) ack 1002562688 win 8192 Drop-reason: (sp-security-failed) Slowpath security checks failed
32: 16:22:30.981119 802.1Q vlan#1 P0 192.168.113.102.3597 > 192.168.16.7.135: . ack 2880086683 win 0 Drop-reason: (tcp-3whs-failed) TCP failed 3 way handshake
33: 16:22:33.120583 802.1Q vlan#1 P0 192.168.113.2.138 > 192.168.113.255.138: udp 209 Drop-reason: (sp-security-failed) Slowpath security checks failed
34: 16:22:55.556016 802.1Q vlan#1 P0 192.168.113.103.56162 > 192.168.16.6.135: . ack 1318982887 win 0 Drop-reason: (tcp-3whs-failed) TCP failed 3 way handshake
35: 16:23:13.102671 802.1Q vlan#2 P0 192.168.16.24.2222 > 192.168.113.2.1358: . ack 965718404 win 65103
36: 16:23:13.336423 802.1Q vlan#1 P0 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
37: 16:23:14.336515 802.1Q vlan#1 P0 0000.74da.ed6f ffff.ffff.ffff 0x8100 64:
0001 8137 ffff 0022 0004 0000 0000 ffff
ffff ffff 0452 0000 0000 0000 74da ed6f
4100 0003 0004 0000 0000 0000 0000 0000
0000 Drop-reason: (l2_acl) FP L2 rule drop
38: 16:23:15.336591 802.1Q vlan#1 P0 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
39: 16:23:16.336621 802.1Q vlan#1 P0 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
40: 16:23:17.336698 802.1Q vlan#1 P0 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
41: 16:23:18.336774 802.1Q vlan#1 P0 0000.74da.ed6f ffff.ffff.ffff 0x8100 64:
0001 8137 ffff 0022 0004 0000 0000 ffff
ffff ffff 0452 0000 0000 0000 74da ed6f
4100 0003 0004 0000 0000 0000 0000 0000
0000 Drop-reason: (l2_acl) FP L2 rule drop
42: 16:23:19.336850 802.1Q vlan#1 P0 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
43: 16:23:20.336911 802.1Q vlan#1 P0 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
44: 16:23:21.337033 802.1Q vlan#1 P0 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
45: 16:23:22.337033 802.1Q vlan#1 P0 0000.74da.ed6f ffff.ffff.ffff 0x8100 64:
0001 8137 ffff 0022 0004 0000 0000 ffff
ffff ffff 0452 0000 0000 0000 74da ed6f
4100 0003 0004 0000 0000 0000 0000 0000
0000 Drop-reason: (l2_acl) FP L2 rule drop
46: 16:23:23.337125 802.1Q vlan#1 P0 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
47: 16:23:24.337156 802.1Q vlan#1 P0 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
48: 16:23:25.838900 788c.24f4.af1e 1503.0100.1644 0x6336 27:
49: 16:23:25.902602 802.1Q vlan#1 P0 192.168.113.2.1360 > 192.168.113.1.443: F 1261179433:1261179433(0) ack 346419241 win 65535 Drop-reason: (tcp-not-syn) First TCP packet not SYN
50: 16:23:26.172491 8aa9.7eaf.b518 1503.0100.162a 0xcc22 27:
51: 16:23:26.183858 802.1Q vlan#1 P0 192.168.113.2.1361 > 192.168.113.1.443: F 3073385160:3073385160(0) ack 330255452 win 65535
52: 16:23:26.411447 ac6e.3686.6139 1503.0100.16aa 0x15c4 27:
53: 16:23:26.412225 802.1Q vlan#1 P0 192.168.113.2.1362 > 192.168.113.1.443: F 3114673537:3114673537(0) ack 2528250261 win 65535
54: 16:23:54.887695 802.1Q vlan#1 P0 192.168.113.100.53324 > 192.168.16.5.1433: . ack 2023126490 win 0
55: 16:23:55.944577 802.1Q vlan#1 P0 192.168.113.100.53325 > 192.168.16.5.1433: . ack 94487779 win 0
56: 16:23:58.797871 802.1Q vlan#1 P0 192.168.113.2.1364 > 192.168.113.1.443: F 1356011818:1356011818(0) ack 2268294164 win 64505
57: 16:23:58.799153 580a.0f16.0e1a 1503.0100.1625 0x6642 27:
58: 16:24:12.472265 802.1Q vlan#1 P0 192.168.113.2.1366 > 192.168.113.1.443: F 2587530253:2587530253(0) ack 997846426 win 64501
59: 16:24:12.473059 c38c.f9d3.267b 1503.0100.16c9 0xe516 27:
60: 16:24:20.997476 802.1Q vlan#2 P0 192.168.16.7.1025 > 192.168.113.100.53333: . ack 3487921852 win 64975
61: 16:24:25.341443 802.1Q vlan#1 P0 802.3 encap packet
62: 16:24:26.341443 802.1Q vlan#1 P0 0000.74da.ed6f ffff.ffff.ffff 0x8100 64:
0001 8137 ffff 0022 0004 0000 0000 ffff
ffff ffff 0452 0000 0000 0000 74da ed6f
4100 0003 0004 0000 0000 0000 0000 0000
0000
63: 16:24:27.341535 802.1Q vlan#1 P0 802.3 encap packet
64: 16:24:28.341565 802.1Q vlan#1 P0 802.3 encap packet
65: 16:24:29.341687 802.1Q vlan#1 P0 802.3 encap packet
66: 16:24:30.341748 802.1Q vlan#1 P0 0000.74da.ed6f ffff.ffff.ffff 0x8100 64:
0001 8137 ffff 0022 0004 0000 0000 ffff
ffff ffff 0452 0000 0000 0000 74da ed6f
4100 0003 0004 0000 0000 0000 0000 0000
0000
67: 16:24:31.341779 802.1Q vlan#1 P0 802.3 encap packet
68: 16:24:31.744285 802.1Q vlan#2 P0 192.168.16.6.88 > 192.168.113.103.56171: . ack 712258524 win 65535
69: 16:24:32.341870 802.1Q vlan#1 P0 802.3 encap packet
70: 16:24:33.209385 802.1Q vlan#1 P0 192.168.113.103.56173 > 192.168.16.6.389: . ack 154944525 win 0
71: 16:24:33.341916 802.1Q vlan#1 P0 802.3 encap packet
72: 16:24:34.341962 802.1Q vlan#1 P0 0000.74da.ed6f ffff.ffff.ffff 0x8100 64:
0001 8137 ffff 0022 0004 0000 0000 ffff
ffff ffff 0452 0000 0000 0000 74da ed6f
4100 0003 0004 0000 0000 0000 0000 0000
0000
73: 16:24:35.342084 802.1Q vlan#1 P0 802.3 encap packet
74: 16:24:36.342160 802.1Q vlan#1 P0 802.3 encap packet
75: 16:24:46.196843 802.1Q vlan#1 P0 192.168.113.2.138 > 192.168.113.255.138: udp 218
76: 16:24:47.981196 802.1Q vlan#1 P0 192.168.113.101.138 > 192.168.113.255.138: udp 214
77: 16:25:24.513370 802.1Q vlan#1 P0 192.168.113.2.1370 > 192.168.113.1.443: F 2400826:2400826(0) ack 249202338 win 64383
78: 16:25:24.514377 8684.9fef.d151 1503.0100.1680 0xdf2e 27:
79: 16:25:37.346326 802.1Q vlan#1 P0 802.3 encap packet
80: 16:25:38.346417 802.1Q vlan#1 P0 0000.74da.ed6f ffff.ffff.ffff 0x8100 64:
0001 8137 ffff 0022 0004 0000 0000 ffff
ffff ffff 0452 0000 0000 0000 74da ed6f
4100 0003 0004 0000 0000 0000 0000 0000
0000
81: 16:25:39.230350 802.1Q vlan#1 P0 192.168.113.100.53340 > 192.168.16.6.135: . ack 188710898 win 0
82: 16:25:39.230395 802.1Q vlan#1 P0 192.168.113.100.53341 > 192.168.16.7.135: . ack 2767236437 win 0
83: 16:25:39.232257 802.1Q vlan#1 P0 192.168.113.100.53343 > 192.168.16.7.1025: . ack 689444713 win 0
84: 16:25:39.346478 802.1Q vlan#1 P0 802.3 encap packet
85: 16:25:40.346509 802.1Q vlan#1 P0 802.3 encap packet
86: 16:25:41.346631 802.1Q vlan#1 P0 802.3 encap packet
87: 16:25:42.346661 802.1Q vlan#1 P0 0000.74da.ed6f ffff.ffff.ffff 0x8100 64:
0001 8137 ffff 0022 0004 0000 0000 ffff
ffff ffff 0452 0000 0000 0000 74da ed6f
4100 0003 0004 0000 0000 0000 0000 0000
0000
88: 16:25:43.346738 802.1Q vlan#1 P0 802.3 encap packet
89: 16:25:44.346844 802.1Q vlan#1 P0 802.3 encap packet
90: 16:25:45.346936 802.1Q vlan#1 P0 802.3 encap packet
91: 16:25:46.346936 802.1Q vlan#1 P0 0000.74da.ed6f ffff.ffff.ffff 0x8100 64:
0001 8137 ffff 0022 0004 0000 0000 ffff
ffff ffff 0452 0000 0000 0000 74da ed6f
4100 0003 0004 0000 0000 0000 0000 0000
0000
92: 16:25:47.347043 802.1Q vlan#1 P0 802.3 encap packet
93: 16:25:48.347119 802.1Q vlan#1 P0 802.3 encap packet
94: 16:25:59.497197 802.1Q vlan#1 P0 192.168.113.100.53350 > 192.168.16.8.1168: . ack 1640347657 win 0
95: 16:26:09.189016 802.1Q vlan#2 P0 112.204.234.145.39894 >x.x.x.x.5900: S 3415732392:3415732392(0) win 65535
96: 16:26:09.192906 802.1Q vlan#2 P0 112.204.234.145.39893 > x.x.x.x.5900: S 4277351748:4277351748(0) win 65535
97: 16:26:09.415917 802.1Q vlan#2 P0 112.204.234.145.39902 > x.x.x.x.5900: S 2622006339:2622006339(0) win 65535
98: 16:26:12.062389 802.1Q vlan#2 P0 112.204.234.145.39894 > x.x.x.x.5900: S 3415732392:3415732392(0) win 65535
99: 16:26:12.176840 802.1Q vlan#2 P0 112.204.234.145.39893 >x.x.x.x.5900: S 4277351748:4277351748(0) win 65535
100: 16:26:12.277222 802.1Q vlan#2 P0 112.204.234.145.39902 >x.x.x.x.5900: S 2622006339:2622006339(0) win 65535
101: 16:26:18.090418 802.1Q vlan#2 P0 79.26.104.252.2960 > x.x.x.x.445: S 2362092149:2362092149(0) win 65535
102: 16:26:21.016097 802.1Q vlan#2 P0 79.26.104.252.2960 > x.x.x.x.445: S 2362092149:2362092149(0) win 65535
103: 16:26:29.047269 802.1Q vlan#1 P0 192.168.113.100.53349 > 192.168.16.8.135: . ack 1602664145 win 0
104: 16:26:29.047315 802.1Q vlan#1 P0 192.168.113.100.53351 > 192.168.16.6.135: . ack 2983532581 win 0
105: 16:26:30.854707 802.1Q vlan#1 P0 192.168.113.103.138 > 192.168.113.255.138: udp 201
106: 16:26:31.566697 802.1Q vlan#1 P0 192.168.113.100.138 > 192.168.113.255.138: udp 211
107: 16:26:49.351254 802.1Q vlan#1 P0 802.3 encap packet
108: 16:26:50.351269 802.1Q vlan#1 P0 0000.74da.ed6f ffff.ffff.ffff 0x8100 64:
0001 8137 ffff 0022 0004 0000 0000 ffff
ffff ffff 0452 0000 0000 0000 74da ed6f
4100 0003 0004 0000 0000 0000 0000 0000
0000
109: 16:26:51.351345 802.1Q vlan#1 P0 802.3 encap packet
110: 16:26:52.351391 802.1Q vlan#1 P0 802.3 encap packet
111: 16:26:53.351498 802.1Q vlan#1 P0 802.3 encap packet
112: 16:26:54.351529 802.1Q vlan#1 P0 0000.74da.ed6f ffff.ffff.ffff 0x8100 64:
0001 8137 ffff 0022 0004 0000 0000 ffff
ffff ffff 0452 0000 0000 0000 74da ed6f
4100 0003 0004 0000 0000 0000 0000 0000
0000
113: 16:26:55.351681 802.1Q vlan#1 P0 802.3 encap packet
114: 16:26:56.351696 802.1Q vlan#1 P0 802.3 encap packet
115: 16:26:57.351742 802.1Q vlan#1 P0 802.3 encap packet
116: 16:26:58.351910 802.1Q vlan#1 P0 0000.74da.ed6f ffff.ffff.ffff 0x8100 64:
0001 8137 ffff 0022 0004 0000 0000 ffff
ffff ffff 0452 0000 0000 0000 74da ed6f
4100 0003 0004 0000 0000 0000 0000 0000
0000
117: 16:26:59.351925 802.1Q vlan#1 P0 802.3 encap packet
118: 16:27:00.352002 802.1Q vlan#1 P0 802.3 encap packet
119: 16:27:40.086131 802.1Q vlan#1 P0 192.168.113.2.1376 > 192.168.113.1.443: F 66250328:66250328(0) ack 15807648 win 64600
120: 16:27:40.086665 c969.9bb4.8522 1503.0100.160b 0xaa70 27:
121: 16:27:49.601043 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
122: 16:27:56.085536 802.1Q vlan#2 P0 192.168.16.113.61369 > 192.168.113.2.3389: . 1356749934:1356750395(461) ack 2198032306 win 32768
123: 16:28:01.356106 802.1Q vlan#1 P0 802.3 encap packet
124: 16:28:02.356198 802.1Q vlan#1 P0 0000.74da.ed6f ffff.ffff.ffff 0x8100 64:
0001 8137 ffff 0022 0004 0000 0000 ffff
ffff ffff 0452 0000 0000 0000 74da ed6f
4100 0003 0004 0000 0000 0000 0000 0000
0000
125: 16:28:03.356274 802.1Q vlan#1 P0 802.3 encap packet
126: 16:28:04.356320 802.1Q vlan#1 P0 802.3 encap packet
127: 16:28:05.356426 802.1Q vlan#1 P0 802.3 encap packet
128: 16:28:06.356487 802.1Q vlan#1 P0 0000.74da.ed6f ffff.ffff.ffff 0x8100 64:
0001 8137 ffff 0022 0004 0000 0000 ffff
ffff ffff 0452 0000 0000 0000 74da ed6f
4100 0003 0004 0000 0000 0000 0000 0000
0000
129: 16:28:07.356533 802.1Q vlan#1 P0 802.3 encap packet
130: 16:28:08.356625 802.1Q vlan#1 P0 802.3 encap packet
131: 16:28:09.356671 802.1Q vlan#1 P0 802.3 encap packet
132: 16:28:10.356747 802.1Q vlan#1 P0 0000.74da.ed6f ffff.ffff.ffff 0x8100 64:
0001 8137 ffff 0022 0004 0000 0000 ffff
ffff ffff 0452 0000 0000 0000 74da ed6f
4100 0003 0004 0000 0000 0000 0000 0000
0000
133: 16:28:11.356808 802.1Q vlan#1 P0 802.3 encap packet
134: 16:28:11.623350 802.1Q vlan#2 P0 192.168.16.113.61370 > 192.168.113.2.3389: . ack 236838803 win 32764
135: 16:28:12.356884 802.1Q vlan#1 P0 802.3 encap packet
136: 16:28:13.517597 802.1Q vlan#1 P0 192.168.113.2.1384 > 192.168.16.24.2222: . ack 358563673 win 0
137: 16:28:36.442390 802.1Q vlan#2 P0 192.168.16.6.88 > 192.168.113.2.1388: . ack 3605529264 win 65535
138: 16:28:41.392862 802.1Q vlan#1 P0 192.168.113.2.1402 > 192.168.16.6.389: . ack 3155576226 win 0
139: 16:28:46.584808 802.1Q vlan#2 P0 192.168.16.113.61370 > 192.168.113.2.3389: . ack 236894788 win 32682
140: 16:28:54.008468 802.1Q vlan#2 P0 195.57.0.146.18831 >x.x.x.x.445: S 3177136782:3177136782(0) win 65535
141: 16:28:56.157813 802.1Q vlan#1 P0 192.168.113.2.138 > 192.168.113.255.138: udp 174
142: 16:28:57.070537 802.1Q vlan#2 P0 195.57.0.146.18831 > x.x.x.47.445: S 3177136782:3177136782(0) win 65535
143: 16:29:00.678492 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
144: 16:29:01.428475 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
145: 16:29:02.178625 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
146: 16:29:03.067943 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
147: 16:29:03.180090 802.1Q vlan#1 P0 192.168.113.2.1409 > 255.255.255.255.1434: udp 1
148: 16:29:03.196950 802.1Q vlan#2 P0 195.57.0.146.18831 > x.x.x.47.445: S 3177136782:3177136782(0) win 65535
149: 16:29:10.270951 802.1Q vlan#1 P0 192.168.113.21.138 > 192.168.113.255.138: udp 201
150: 16:29:13.361080 802.1Q vlan#1 P0 802.3 encap packet
151: 16:29:14.361156 802.1Q vlan#1 P0 0000.74da.ed6f ffff.ffff.ffff 0x8100 64:
0001 8137 ffff 0022 0004 0000 0000 ffff
ffff ffff 0452 0000 0000 0000 74da ed6f
4100 0003 0004 0000 0000 0000 0000 0000
0000
152: 16:29:15.361202 802.1Q vlan#1 P0 802.3 encap packet
153: 16:29:16.361263 802.1Q vlan#1 P0 802.3 encap packet
154: 16:29:17.361370 802.1Q vlan#1 P0 802.3 encap packet
155: 16:29:18.361431 802.1Q vlan#1 P0 0000.74da.ed6f ffff.ffff.ffff 0x8100 64:
0001 8137 ffff 0022 0004 0000 0000 ffff
ffff ffff 0452 0000 0000 0000 74da ed6f
4100 0003 0004 0000 0000 0000 0000 0000
0000
156: 16:29:19.361462 802.1Q vlan#1 P0 802.3 encap packet
157: 16:29:20.361523 802.1Q vlan#1 P0 802.3 encap packet
158: 16:29:21.361645 802.1Q vlan#1 P0 802.3 encap packet
159: 16:29:22.361675 802.1Q vlan#1 P0 0000.74da.ed6f ffff.ffff.ffff 0x8100 64:
0001 8137 ffff 0022 0004 0000 0000 ffff
ffff ffff 0452 0000 0000 0000 74da ed6f
4100 0003 0004 0000 0000 0000 0000 0000
0000
160: 16:29:23.361767 802.1Q vlan#1 P0 802.3 encap packet
161: 16:29:24.361828 802.1Q vlan#1 P0 802.3 encap packet
162: 16:29:26.454276 802.1Q vlan#1 P0 192.168.113.2.1379 > 192.168.16.6.135: . ack 1950662540 win 0
163: 16:29:55.650326 802.1Q vlan#2 P0 192.168.16.6.88 > 192.168.113.2.1413: . ack 1437557360 win 65535
164: 16:30:06.193486 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
165: 16:30:06.275788 802.1Q vlan#1 P0 192.168.113.2.1419 > 192.168.113.1.443: F 2901932674:2901932674(0) ack 2194877438 win 65535
166: 16:30:06.276108 f51d.deb4.fe29 1503.0100.1667 0xef26 27:
167: 16:30:06.458624 802.1Q vlan#1 P0 192.168.113.101.63801 > 23.51.192.60.443: R 2143801199:2143801199(0) ack 856889377 win 0
168: 16:30:06.943447 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
169: 16:30:07.693857 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
170: 16:30:11.228595 802.1Q vlan#2 P0 192.168.16.6.88 > 192.168.113.101.60989: . ack 1672597860 win 65535
171: 16:30:11.300765 802.1Q vlan#2 P0 192.168.16.6.88 > 192.168.113.101.60990: . ack 3222644503 win 64285
172: 16:30:11.535677 802.1Q vlan#2 P0 192.168.16.6.88 > 192.168.113.101.60992: . ack 4073444089 win 65535
173: 16:30:12.626234 802.1Q vlan#2 P0 192.168.16.6.1026 > 192.168.113.2.1395: . ack 1607137060 win 64650
174: 16:30:12.626676 802.1Q vlan#1 P0 192.168.113.2.1414 > 192.168.16.6.135: . ack 1802016687 win 0
175: 16:30:14.321028 802.1Q vlan#1 P0 192.168.113.100.53382 > 192.168.16.8.1168: . ack 3656217567 win 0
176: 16:30:20.957622 802.1Q vlan#1 P0 192.168.113.101.138 > 192.168.113.255.138: udp 214
177: 16:30:22.886520 802.1Q vlan#1 P0 192.168.113.101.137 > 192.168.113.255.137: udp 50
178: 16:30:23.650906 802.1Q vlan#1 P0 192.168.113.101.137 > 192.168.113.255.137: udp 50
179: 16:30:24.415261 802.1Q vlan#1 P0 192.168.113.101.137 > 192.168.113.255.137: udp 50
180: 16:30:25.366024 802.1Q vlan#1 P0 802.3 encap packet
181: 16:30:26.366069 802.1Q vlan#1 P0 0000.74da.ed6f ffff.ffff.ffff 0x8100 64:
0001 8137 ffff 0022 0004 0000 0000 ffff
ffff ffff 0452 0000 0000 0000 74da ed6f
4100 0003 0004 0000 0000 0000 0000 0000
0000
182: 16:30:27.366192 802.1Q vlan#1 P0 802.3 encap packet
183: 16:30:28.366298 802.1Q vlan#1 P0 802.3 encap packet
184: 16:30:29.366314 802.1Q vlan#1 P0 802.3 encap packet
185: 16:30:30.366344 802.1Q vlan#1 P0 0000.74da.ed6f ffff.ffff.ffff 0x8100 64:
0001 8137 ffff 0022 0004 0000 0000 ffff
ffff ffff 0452 0000 0000 0000 74da ed6f
4100 0003 0004 0000 0000 0000 0000 0000
0000
186: 16:30:31.366405 802.1Q vlan#1 P0 802.3 encap packet
187: 16:30:32.366512 802.1Q vlan#1 P0 802.3 encap packet
188: 16:30:33.366588 802.1Q vlan#1 P0 802.3 encap packet
189: 16:30:34.366603 802.1Q vlan#1 P0 0000.74da.ed6f ffff.ffff.ffff 0x8100 64:
0001 8137 ffff 0022 0004 0000 0000 ffff
ffff ffff 0452 0000 0000 0000 74da ed6f
4100 0003 0004 0000 0000 0000 0000 0000
0000
190: 16:30:35.366726 802.1Q vlan#1 P0 802.3 encap packet
191: 16:30:36.366787 802.1Q vlan#1 P0 802.3 encap packet
192: 16:30:41.354550 802.1Q vlan#2 P2 86.144.206.150.4500 > x.x.x.42.4500: udp 1
193: 16:31:41.317641 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
194: 16:31:41.410135 802.1Q vlan#2 P2 86.144.206.150.4500 > x.x.x.42.4500: udp 1
195: 16:31:42.067531 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
196: 16:31:42.625211 802.1Q vlan#1 P0 192.168.113.2.1425 > 192.168.16.6.1026: . ack 324632995 win 0
197: 16:31:42.817447 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
198: 16:31:43.621641 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
199: 16:31:44.364391 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
200: 16:31:45.114373 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
201: 16:32:17.514194 802.1Q vlan#2 P0 192.168.16.8.1145 > 192.168.113.102.1106: P ack 705237681 win 64410
202: 16:32:17.712991 802.1Q vlan#2 P0 192.168.16.8.1145 > 192.168.113.102.1106: . ack 705237697 win 64394
203: 16:32:19.914289 802.1Q vlan#1 P0 192.168.113.2.1441 > 192.168.113.1.443: F 3616971343:3616971343(0) ack 2537053001 win 64501
204: 16:32:19.914976 0aee.f71f.4e9f 1503.0100.1693 0x6f0c 27:
205: 16:32:29.859559 802.1Q vlan#1 P0 192.168.113.2.1442 > 192.168.113.1.443: F 1397115987:1397115987(0) ack 4256161373 win 64503
206: 16:32:29.860749 dd44.a305.9308 1503.0100.1656 0x8911 27:
207: 16:32:37.739189 802.1Q vlan#1 P0 192.168.113.100.50120 > 192.168.16.5.1433: . ack 2902970569 win 0
208: 16:32:44.122887 802.1Q vlan#1 P0 192.168.113.2.1443 > 192.168.113.1.443: F 2657615761:2657615761(0) ack 4200892746 win 64503
209: 16:32:44.124062 f6a1.d7ab.e83a 1503.0100.1680 0xc43a 27:
210: 16:32:47.656719 802.1Q vlan#1 P0 192.168.113.100.49261 > 192.168.16.7.1025: . ack 3158609488 win 0
211: 16:33:04.969783 802.1Q vlan#1 P0 192.168.113.2.1445 > 192.168.113.1.443: F 814444399:814444399(0) ack 1634267102 win 64503
212: 16:33:04.970881 aa38.dfad.c613 1503.0100.1676 0x82be 27:
213: 16:33:12.628095 802.1Q vlan#2 P0 192.168.16.6.1026 > 192.168.113.2.1435: . ack 2283288029 win 65171
214: 16:33:27.120065 802.1Q vlan#2 P0 192.168.16.8.1145 > 192.168.113.102.1106: P 1127604049:1127604142(93) ack 2305443558 win 64394
215: 16:33:27.720421 802.1Q vlan#2 P0 192.168.16.8.1145 > 192.168.113.102.1106: P 1127604049:1127604142(93) ack 2305443558 win 64394
216: 16:33:28.925199 802.1Q vlan#2 P0 192.168.16.8.1145 > 192.168.113.102.1106: P 1127604049:1127604142(93) ack 2305443558 win 65535
217: 16:33:30.033689 802.1Q vlan#2 P0 192.168.16.8.1145 > 192.168.113.102.1106: P 1127604049:1127604142(93) ack 2305443558 win 65535
218: 16:33:31.240466 802.1Q vlan#2 P0 192.168.16.8.1145 > 192.168.113.102.1106: P 1127604049:1127604142(93) ack 2305443558 win 65535
219: 16:33:33.658123 802.1Q vlan#2 P0 192.168.16.8.1145 > 192.168.113.102.1106: P 1127604049:1127604142(93) ack 2305443558 win 65535
220: 16:34:28.894362 802.1Q vlan#2 P0 78.8.246.9.4932 > x.x.x.47.445: S 3906206304:3906206304(0) win 65535
221: 16:34:31.868103 802.1Q vlan#2 P0 78.8.246.9.4932 > x.x.x.47.445: S 3906206304:3906206304(0) win 65535
222: 16:34:39.949657 802.1Q vlan#1 P0 192.168.113.102.138 > 192.168.113.255.138: udp 201
223: 16:35:01.222492 802.1Q vlan#1 P0 192.168.113.100.68 > 255.255.255.255.67: udp 300
224: 16:35:01.650952 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
225: 16:35:02.400995 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
226: 16:35:03.151084 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
227: 16:35:04.022093 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
228: 16:35:04.772146 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
229: 16:35:05.522220 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
230: 16:35:20.168295 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
231: 16:35:20.524264 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
232: 16:35:20.918333 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
233: 16:35:21.274354 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
234: 16:35:21.668346 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
235: 16:35:22.024412 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
236: 16:35:41.391978 802.1Q vlan#1 P0 192.168.113.102.138 > 192.168.113.255.138: udp 201
237: 16:35:41.734932 802.1Q vlan#2 P0 192.168.16.10.445 > 192.168.113.102.3524: . ack 2927988043 win 63730
238: 16:35:44.540041 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
239: 16:35:45.290100 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
240: 16:35:45.678050 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
241: 16:35:46.040143 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
242: 16:35:46.220005 802.1Q vlan#1 P0 192.168.113.100.138 > 192.168.113.255.138: udp 211
243: 16:35:46.428124 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
244: 16:35:47.178213 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
245: 16:35:48.479345 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
246: 16:35:49.229373 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
247: 16:35:49.979380 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
248: 16:36:01.674388 802.1Q vlan#1 P0 192.168.113.2.138 > 192.168.113.255.138: udp 180
249: 16:36:01.674952 802.1Q vlan#1 P0 192.168.113.103.138 > 192.168.113.255.138: udp 181
250: 16:36:01.675074 802.1Q vlan#1 P0 192.168.113.2.138 > 192.168.113.255.138: udp 218
251: 16:36:31.389170 802.1Q vlan#2 P0 192.168.16.6.88 > 192.168.113.103.56182: . ack 1459294663 win 65535
252: 16:36:31.674174 802.1Q vlan#1 P0 192.168.113.2.138 > 192.168.113.255.138: udp 180
253: 16:36:32.426354 802.1Q vlan#1 P0 192.168.113.103.56183 > 192.168.16.6.389: . ack 3653264448 win 0
254: 16:36:32.426384 802.1Q vlan#1 P0 192.168.113.103.56183 > 192.168.16.6.389: . ack 3653264448 win 0
255: 16:37:01.673808 802.1Q vlan#1 P0 192.168.113.2.138 > 192.168.113.255.138: udp 180
256: 16:37:05.540468 802.1Q vlan#1 P0 192.168.113.103.56179 > 192.168.16.6.1026: . ack 2381360421 win 0
257: 16:37:29.018050 802.1Q vlan#1 P0 0.0.0.0.68 > 255.255.255.255.67: udp 323
258: 16:37:29.019545 802.1Q vlan#1 P0 192.168.113.2.67 > 255.255.255.255.68: udp 327
259: 16:37:31.263887 802.1Q vlan#2 P0 192.168.16.7.88 > 192.168.113.100.49158: . ack 978836481 win 65297
260: 16:37:31.442710 802.1Q vlan#2 P0 192.168.16.7.88 > 192.168.113.100.49167: . ack 4028718881 win 65221
261: 16:37:31.524920 802.1Q vlan#2 P0 192.168.16.7.88 > 192.168.113.100.49170: . ack 1787569991 win 65535
262: 16:37:31.631391 802.1Q vlan#2 P0 192.168.16.7.88 > 192.168.113.100.49171: . ack 1175931771 win 65221
263: 16:37:31.673472 802.1Q vlan#1 P0 192.168.113.2.138 > 192.168.113.255.138: udp 180
264: 16:37:31.910536 802.1Q vlan#2 P0 192.168.16.7.88 > 192.168.113.100.49175: . ack 1489216443 win 65535
265: 16:37:32.324140 802.1Q vlan#2 P0 192.168.16.7.88 > 192.168.113.100.49173: . ack 3658936090 win 65458
266: 16:37:32.368785 802.1Q vlan#1 P0 192.168.113.100.49165 > 192.168.16.6.389: . ack 72233897 win 0
267: 16:37:32.483510 802.1Q vlan#1 P0 192.168.113.100.138 > 192.168.113.255.138: udp 211
268: 16:37:32.531146 802.1Q vlan#1 P0 192.168.113.100.49157 > 192.168.16.7.389: . ack 4263416637 win 0
269: 16:37:32.736488 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
270: 16:37:32.998788 802.1Q vlan#2 P0 192.168.16.7.88 > 192.168.113.100.49182: . ack 3004547102 win 64245
271: 16:37:33.069179 802.1Q vlan#2 P0 192.168.16.7.88 > 192.168.113.100.49184: . ack 3786025013 win 65535
272: 16:37:33.111429 802.1Q vlan#1 P0 192.168.113.2.138 > 192.168.113.255.138: udp 209
273: 16:37:33.486501 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
274: 16:37:34.236529 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
275: 16:37:34.548982 802.1Q vlan#2 P0 192.168.16.7.88 > 192.168.113.100.49190: . ack 713312844 win 65535
276: 16:37:35.396524 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
277: 16:37:36.149940 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
278: 16:37:36.914289 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
279: 16:37:37.630094 802.1Q vlan#1 P0 192.168.113.100.55930 > 192.168.16.7.53: . ack 1516588584 win 0
280: 16:37:37.727364 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
281: 16:37:38.477529 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
282: 16:37:39.227527 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
283: 16:37:39.458716 802.1Q vlan#1 P0 192.168.113.100.138 > 192.168.113.255.138: udp 181
284: 16:37:39.458853 802.1Q vlan#1 P0 192.168.113.2.138 > 192.168.113.255.138: udp 218
285: 16:37:39.499577 802.1Q vlan#1 P0 192.168.113.100.68 > 255.255.255.255.67: udp 300
286: 16:37:39.548280 802.1Q vlan#1 P0 192.168.113.100.138 > 192.168.113.255.138: udp 211
287: 16:37:39.972529 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
288: 16:37:40.040555 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
289: 16:37:40.722618 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
290: 16:37:40.790608 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
291: 16:37:41.332029 802.1Q vlan#2 P0 192.168.16.7.88 > 192.168.113.100.55936: . ack 764822756 win 65297
292: 16:37:41.472631 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
293: 16:37:41.540667 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
294: 16:37:41.864167 802.1Q vlan#2 P0 192.168.16.6.389 > 192.168.113.100.55934: . ack 181110485 win 64773
295: 16:37:42.355694 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
296: 16:37:43.105829 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
297: 16:37:43.855821 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
298: 16:37:58.170080 802.1Q vlan#1 P0 192.168.113.100.49155 > 192.168.16.7.135: . ack 1966960952 win 0
299: 16:37:58.172064 802.1Q vlan#1 P0 192.168.113.100.49156 > 192.168.16.7.1025: . ack 1273630770 win 0
300: 16:38:01.673198 802.1Q vlan#1 P0 192.168.113.2.138 > 192.168.113.255.138: udp 180
301: 16:38:01.673549 802.1Q vlan#1 P0 192.168.113.100.138 > 192.168.113.255.138: udp 181
302: 16:38:01.673655 802.1Q vlan#1 P0 192.168.113.2.138 > 192.168.113.255.138: udp 218
303: 16:38:01.739082 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
304: 16:38:07.355511 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
305: 16:38:08.105554 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
306: 16:38:08.855592 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
307: 16:38:09.680613 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
308: 16:38:10.430748 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
309: 16:38:11.180776 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
310: 16:38:12.134957 802.1Q vlan#2 P0 192.168.16.6.88 > 192.168.113.100.55944: . ack 2246367695 win 65237
311: 16:38:12.209217 802.1Q vlan#2 P0 192.168.16.7.88 > 192.168.113.100.55945: . ack 2494919019 win 64264
312: 16:38:12.561845 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
313: 16:38:12.966197 802.1Q vlan#2 P0 192.168.16.7.88 > 192.168.113.100.55948: . ack 2086593126 win 65535
314: 16:38:13.311949 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
315: 16:38:13.761389 802.1Q vlan#2 P0 192.168.16.7.88 > 192.168.113.100.55950: . ack 2045545802 win 65535
316: 16:38:14.061977 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
317: 16:38:14.223499 802.1Q vlan#2 P0 192.168.16.7.88 > 192.168.113.100.55953: . ack 1713858377 win 64292
318: 16:38:14.736351 802.1Q vlan#1 P0 192.168.113.2.1460 > 192.168.16.24.2222: . ack 1683177201 win 0
319: 16:38:14.932019 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
320: 16:38:15.682093 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
321: 16:38:16.432137 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
322: 16:38:22.554490 802.1Q vlan#2 P0 84.233.195.62.80 > x.x.x.42.41099: . ack 4144961094 win 4824
323: 16:38:22.590560 802.1Q vlan#2 P0 84.233.195.62.80 > x.x.x.42.41099: R 2988301725:2988301725(0) win 0
324: 16:38:28.171164 802.1Q vlan#1 P0 192.168.113.100.55946 > 192.168.16.6.135: . ack 1977991697 win 0
325: 16:38:28.696192 802.1Q vlan#1 P0 192.168.113.103.56188 > 192.168.16.24.2222: . ack 2408117423 win 0
326: 16:38:31.672877 802.1Q vlan#1 P0 192.168.113.2.138 > 192.168.113.255.138: udp 180
327: 16:38:32.107965 802.1Q vlan#1 P0 192.168.113.103.138 > 192.168.113.255.138: udp 201
328: 16:38:35.048642 802.1Q vlan#1 P0 192.168.113.2.138 > 192.168.113.255.138: udp 218
329: 16:38:36.682948 802.1Q vlan#2 P0 192.168.16.7.88 > 192.168.113.100.55960: . ack 4217273847 win 65535
330: 16:38:37.418145 802.1Q vlan#1 P0 192.168.113.100.55959 > 192.168.16.8.1168: . ack 2927102471 win 0
331: 16:38:39.650906 802.1Q vlan#2 P0 192.168.16.7.88 > 192.168.113.100.55965: . ack 3654544597 win 64245
332: 16:38:58.170798 802.1Q vlan#1 P0 192.168.113.100.55947 > 192.168.16.6.1026: . ack 2221560240 win 0
333: 16:39:39.647915 802.1Q vlan#2 P0 46.214.148.199.6237 > x.x.x.42.445: S 4290339150:4290339150(0) win 65535
334: 16:39:42.649868 802.1Q vlan#2 P0 46.214.148.199.6237 > x.x.x.42.445: S 4290339150:4290339150(0) win 65535
335: 16:40:05.249987 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
336: 16:40:06.000000 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
337: 16:40:06.749976 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
338: 16:40:07.344052 802.1Q vlan#1 P0 192.168.113.100.138 > 192.168.113.255.138: udp 211
339: 16:40:08.801716 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
340: 16:40:09.252031 802.1Q vlan#2 P0 192.168.16.6.139 > 192.168.113.2.1483: P 3217152810:3217152814(4) ack 4243483819 win 65463
341: 16:40:09.566087 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
342: 16:40:10.330564 802.1Q vlan#1 P0 192.168.113.100.137 > 192.168.113.255.137: udp 50
343: 16:40:11.073436 802.1Q vlan#2 P0 189.4.30.188.4049 > x.x.x.47.445: S 583807781:583807781(0) win 65535
344: 16:40:14.013030 802.1Q vlan#2 P0 189.4.30.188.4049 > x.x.x.47.445: S 583807781:583807781(0) win 65535
345: 16:40:21.073253 802.1Q vlan#2 P0 192.168.16.6.1026 > 192.168.113.2.1465: . ack 1572968133 win 64691
346: 16:40:53.498631 802.1Q vlan#2 P0 192.168.16.6.88 > 192.168.113.103.56193: . ack 2614204448 win 65535
347: 16:40:54.113168 802.1Q vlan#2 P0 192.168.16.6.88 > 192.168.113.103.56195: . ack 3619711523 win 65535
348: 16:42:05.264024 802.1Q vlan#1 P0 192.168.113.21.138 > 192.168.113.255.138: udp 201
349: 16:42:05.990610 802.1Q vlan#1 P0 802.3 encap packet
350: 16:42:06.582886 802.1Q vlan#1 P0 0000.74da.ed6f ffff.ffff.ffff 0x8100 64:
0001 8137 ffff 0022 0004 0000 0000 ffff
ffff ffff 0452 0000 0000 0000 74da ed6f
4100 0003 0004 0000 0000 0000 0000 0000
0000
351: 16:42:07.831057 802.1Q vlan#1 P0 802.3 encap packet
352: 16:42:08.623075 802.1Q vlan#1 P0 802.3 encap packet
353: 16:42:09.624509 802.1Q vlan#1 P0 802.3 encap packet
354: 16:42:10.593231 802.1Q vlan#1 P0 0000.74da.ed6f ffff.ffff.ffff 0x8100 64:
0001 8137 ffff 0022 0004 0000 0000 ffff
ffff ffff 0452 0000 0000 0000 74da ed6f
4100 0003 0004 0000 0000 0000 0000 0000
0000
355: 16:42:11.703485 802.1Q vlan#1 P0 802.3 encap packet
356: 16:42:12.813693 802.1Q vlan#1 P0 802.3 encap packet
357: 16:42:13.923383 802.1Q vlan#1 P0 802.3 encap packet
358: 16:42:14.963329 802.1Q vlan#1 P0 0000.74da.ed6f ffff.ffff.ffff 0x8100 64:
0001 8137 ffff 0022 0004 0000 0000 ffff
ffff ffff 0452 0000 0000 0000 74da ed6f
4100 0003 0004 0000 0000 0000 0000 0000
0000
359: 16:42:15.995477 802.1Q vlan#1 P0 802.3 encap packet
360: 16:42:17.103647 802.1Q vlan#1 P0 802.3 encap packet
361: 16:42:18.103495 802.1Q vlan#1 P0 802.3 encap packet
362: 16:42:19.203511 802.1Q vlan#1 P0 0000.74da.ed6f ffff.ffff.ffff 0x8100 64:
0001 8137 ffff 0022 0004 0000 0000 ffff
ffff ffff 0452 0000 0000 0000 74da ed6f
4100 0003 0004 0000 0000 0000 0000 0000
0000
363: 16:42:20.203572 802.1Q vlan#1 P0 802.3 encap packet
364: 16:42:21.203755 802.1Q vlan#1 P0 802.3 encap packet
365: 16:43:34.032896 802.1Q vlan#2 P0 210.4.15.147.1983 > x.x.x.42.445: S 4060018625:4060018625(0) win 65535
366: 16:43:36.924375 802.1Q vlan#2 P0 210.4.15.147.1983 > x.x.x.42.445: S 4060018625:4060018625(0) win 65535
367: 16:43:51.279053 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
368: 16:43:52.028944 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
369: 16:43:52.778905 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
370: 16:43:53.583481 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
371: 16:43:54.325849 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
372: 16:43:55.075771 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
373: 16:44:43.299133 802.1Q vlan#2 P0 84.46.240.12.4739 > x.x.x.42.445: S 2644276309:2644276309(0) win 65535
374: 16:44:46.355358 802.1Q vlan#2 P0 84.46.240.12.4739 > x.x.x.42.445: S 2644276309:2644276309(0) win 65535
375: 16:45:13.762640 802.1Q vlan#2 P0 14.136.113.23.58068 > x.x.x.42.23: S 628177666:628177666(0) win 5840
376: 16:45:13.764746 802.1Q vlan#2 P0 14.136.113.23.35631 > x.x.x.47.23: S 633610575:633610575(0) win 5840
377: 16:45:13.764914 802.1Q vlan#2 P0 14.136.113.23.36646 >x.x.x.x: S 627103517:627103517(0) win 5840
378: 16:46:47.038068 802.1Q vlan#1 P0 192.168.113.103.56196 > 192.168.16.6.135: . ack 1047348019 win 0
379: 16:47:35.921812 802.1Q vlan#2 P0 50.22.199.212.80 >x.x.x.x.48383: S 1930513355:1930513355(0) ack 1004916503 win 16384
380: 16:47:36.554201 802.1Q vlan#2 P0 66.231.182.111.80 > x.x.x.x.1024: S 2203310160:2203310160(0) ack 2592535424 win 5840
381: 16:48:57.603774 802.1Q vlan#2 P0 142.4.58.113.1859 >x.x.x.x.445: S 3585080814:3585080814(0) win 65535
382: 16:49:00.493123 802.1Q vlan#2 P0 142.4.58.113.1859 > x.x.x.x.445: S 3585080814:3585080814(0) win 65535
383: 16:49:23.626462 802.1Q vlan#1 P0 192.168.113.2.1536 > x.x.x.x.53: . ack 136785297 win 0
384: 16:49:26.492848 802.1Q vlan#2 P0 192.168.16.6.88 > 192.168.113.2.1537: . ack 2966267924 win 65535
385: 16:49:45.827883 802.1Q vlan#2 P0 62.75.244.214.80 > x.x.x.x.40215: S 2919672066:2919672066(0) ack 760938497 win 5840
386: 16:49:56.653225 802.1Q vlan#2 P0 220.132.215.144.4822 > x.x.x.x.23: S 2534918729:2534918729(0) win 5808
387: 16:49:56.655086 802.1Q vlan#2 P0 220.132.215.144.3935 > x.x.x.x.23: S 2538528904:2538528904(0) win 5808
388: 16:49:56.665477 802.1Q vlan#2 P0 220.132.215.144.3892 >x.x.x.x.23: S 2530221481:2530221481(0) win 5808
389: 16:50:05.196980 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
390: 16:50:05.946926 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
391: 16:50:06.696954 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
392: 16:50:33.087489 802.1Q vlan#1 P0 192.168.113.2.138 > 192.168.113.255.138: udp 218
393: 16:50:34.330854 802.1Q vlan#1 P0 192.168.113.103.138 > 192.168.113.255.138: udp 201
394: 16:51:48.139961 802.1Q vlan#2 P0 41.84.159.34.3753 > x.x.x.x.445: S 1632777117:1632777117(0) win 65535
395: 16:51:51.117700 802.1Q vlan#2 P0 41.84.159.34.3753 >x.x.x.x.445: S 1632777117:1632777117(0) win 65535
396: 16:52:16.155723 802.1Q vlan#2 P0 118.157.40.230.17343 > x.x.x.x.45093: udp 30
397: 16:52:16.173620 802.1Q vlan#2 P0 118.157.40.230.17343 > x.x.x.x.45093: udp 20
398: 16:52:19.312148 802.1Q vlan#2 P0 118.157.40.230.17343 > x.x.x.x.45093: udp 20
399: 16:52:25.864243 802.1Q vlan#2 P0 118.157.40.230.17343 > x.x.x.x.45093: udp 20
400: 16:52:33.102457 802.1Q vlan#1 P0 192.168.113.2.138 > 192.168.113.255.138: udp 209
401: 16:52:38.334028 802.1Q vlan#2 P0 118.157.40.230.17343 > x.x.x.x.45093: udp 20
402: 16:53:02.396128 802.1Q vlan#2 P0 118.157.40.230.17343 >x.x.x.x.45093: udp 20
403: 16:53:13.157355 802.1Q vlan#1 P0 192.168.113.2.1554 > 192.168.16.24.2222: . ack 460543479 win 0
404: 16:53:31.871552 802.1Q vlan#2 P0 118.157.40.230.17343 > x.x.x.x.45093: udp 20
405: 16:55:40.103220 802.1Q vlan#2 P0 79.13.79.231.2042 > x.x.x.x.445: S 3623912103:3623912103(0) win 65535
406: 16:55:42.940411 802.1Q vlan#2 P0 79.13.79.231.2042 > x.x.x.40.445: S 3623912103:3623912103(0) win 65535
407: 16:56:01.209049 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
408: 16:56:01.814548 802.1Q vlan#1 P0 192.168.113.2.1561 > 192.168.16.6.1026: . ack 3029302484 win 0
409: 16:56:01.958995 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
410: 16:56:02.709008 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
411: 16:56:03.515110 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
412: 16:56:04.255891 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
413: 16:56:05.005874 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
414: 16:56:35.329649 802.1Q vlan#2 P0 192.168.16.6.389 > 192.168.113.2.1573: . ack 2011530329 win 65280
415: 16:57:18.817050 802.1Q vlan#2 P0 192.168.16.6.88 > 192.168.113.103.56207: . ack 3180698784 win 65535
416: 16:57:18.887191 802.1Q vlan#2 P0 192.168.16.6.88 > 192.168.113.103.56208: . ack 2540987118 win 65535
417: 16:58:00.045529 802.1Q vlan#2 P0 192.168.16.6.135 > 192.168.113.2.1570: . ack 1936024672 win 65263
418: 16:58:03.923337 802.1Q vlan#1 P0 192.168.113.2.1571 > 192.168.16.6.1026: . ack 4000727925 win 0
419: 16:58:24.150276 802.1Q vlan#1 P0 192.168.113.2.1584 > 192.168.16.24.2222: . ack 1251414172 win 0
420: 16:58:39.814090 802.1Q vlan#2 P0 192.168.16.6.389 > 192.168.113.2.1231: R 3143068825:3143068825(0) win 0
421: 16:58:48.666560 802.1Q vlan#1 P0 192.168.113.103.56210 > 192.168.16.6.389: . ack 1501688799 win 0
422: 17:00:05.206547 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
423: 17:00:05.956508 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
424: 17:00:06.706506 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
425: 17:00:28.431206 802.1Q vlan#2 P0 71.244.82.240.4041 >x.x.x.x.445: S 362528713:362528713(0) win 65535
426: 17:00:31.485356 802.1Q vlan#2 P0 71.244.82.240.4041 > x.x.x.x.445: S 362528713:362528713(0) win 65535
427: 17:02:34.845735 802.1Q vlan#1 P0 192.168.113.2.138 > 192.168.113.255.138: udp 218
428: 17:02:50.268998 802.1Q vlan#2 P0 128.68.207.98.1642 > x.x.x.x.445: S 3558079521:3558079521(0) win 65535
429: 17:02:51.441536 802.1Q vlan#2 P0 95.37.124.146.2470 > x.x.x.x.445: S 3847235035:3847235035(0) win 65535
430: 17:02:53.252779 802.1Q vlan#2 P0 128.68.207.98.1642 > x.x.x.x.445: S 3558079521:3558079521(0) win 65535
431: 17:02:54.298949 802.1Q vlan#2 P0 95.37.124.146.2470 > x.x.x.x.445: S 3847235035:3847235035(0) win 65535
432: 17:03:24.651104 802.1Q vlan#1 P0 192.168.113.2.1604 > 192.168.16.24.2222: . ack 927286160 win 0
433: 17:05:23.439979 802.1Q vlan#2 P0 221.132.33.39.3471 > x.x.x.x.445: S 2983629597:2983629597(0) win 65535
434: 17:05:25.237002 802.1Q vlan#2 P0 204.111.67.69.4533 > x.x.x.x.445: S 1412418025:1412418025(0) win 65535
435: 17:05:26.407663 802.1Q vlan#2 P0 221.132.33.39.3471 > x.x.x.x.445: S 2983629597:2983629597(0) win 65535
436: 17:05:28.156669 802.1Q vlan#2 P0 204.111.67.69.4533 >x.x.x.x.445: S 1412418025:1412418025(0) win 65535
437: 17:05:41.544069 802.1Q vlan#2 P0 106.3.103.188.40760 > x.x.x.x.445: S 1656511640:1656511640(0) win 65535
438: 17:05:44.548021 802.1Q vlan#2 P0 106.3.103.188.40760 > x.x.x.x.445: S 1656511640:1656511640(0) win 65535
439: 17:06:11.262620 802.1Q vlan#2 P0 95.51.201.5.2510 > x.x.x.x.445: S 3351917967:3351917967(0) win 65535
440: 17:06:14.298766 802.1Q vlan#2 P0 95.51.201.5.2510 > x.x.x.x.445: S 3351917967:3351917967(0) win 65535
441: 17:07:16.002975 802.1Q vlan#2 P0 37.59.0.72.22 > x.x.x.x.80: S 1208637086:1208637086(0) ack 1 win 14600
442: 17:07:33.093028 802.1Q vlan#1 P0 192.168.113.2.138 > 192.168.113.255.138: udp 209
443: 17:08:11.139015 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
444: 17:08:11.888961 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
445: 17:08:12.638959 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
446: 17:08:13.446571 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
447: 17:08:14.185842 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
448: 17:08:14.935788 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
449: 17:10:05.434685 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
450: 17:10:06.184698 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
451: 17:10:06.934628 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
452: 17:13:48.562791 802.1Q vlan#2 P0 45.131.126.147.53949 >x.x.x.x.14768: . win 16384
453: 17:14:33.697626 802.1Q vlan#1 P0 192.168.113.2.138 > 192.168.113.255.138: udp 218
454: 17:17:41.242846 802.1Q vlan#2 P0 174.138.175.180.5139 > x.x.x.x.5060: udp 417
455: 17:17:41.260789 802.1Q vlan#2 P0 174.138.175.180.5139 > x.x.x.x.5060: udp 418
456: 17:17:41.293014 802.1Q vlan#2 P0 174.138.175.180.5139 > x.x.x.x.5060: udp 418
457: 17:18:26.144813 802.1Q vlan#1 P0 192.168.113.2.1665 > 192.168.16.24.2222: . ack 3674161483 win 0
458: 17:18:47.300216 802.1Q vlan#2 P0 192.168.16.6.1026 > 192.168.113.2.1651: . ack 963481079 win 65535
459: 17:19:40.849702 802.1Q vlan#2 P0 93.63.181.21.62986 > x.x.x.x.445: S 274304149:274304149(0) win 65535
460: 17:19:43.733055 802.1Q vlan#2 P0 93.63.181.21.62986 > x.x.x.x.445: S 274304149:274304149(0) win 65535
461: 17:20:01.536120 802.1Q vlan#2 P0 31.47.40.58.2982 > x.x.x.x.445: S 2578199672:2578199672(0) win 16384
462: 17:20:04.582275 802.1Q vlan#2 P0 31.47.40.58.2982 > x.x.x.x.445: S 2578199672:2578199672(0) win 16384
463: 17:20:04.943875 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
464: 17:20:05.693888 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
465: 17:20:06.443900 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
466: 17:20:16.571320 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
467: 17:20:17.318800 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
468: 17:20:18.068798 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
469: 17:20:18.875885 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
470: 17:20:19.615645 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
471: 17:20:20.365627 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
472: 17:20:21.752738 802.1Q vlan#2 P0 192.168.16.6.139 > 192.168.113.2.1678: P 640741668:640741672(4) ack 2410017920 win 65463
473: 17:21:27.330320 802.1Q vlan#2 P0 109.3.51.11.80 >x.x.x.x.40328: R 0:0(0) ack 987376948 win 0
474: 17:22:33.083537 802.1Q vlan#1 P0 192.168.113.2.138 > 192.168.113.255.138: udp 209
475: 17:23:13.037092 802.1Q vlan#1 P0 192.168.113.2.1686 > 192.168.16.24.2222: . ack 2164880831 win 0
476: 17:23:23.507862 802.1Q vlan#2 P0 192.168.16.24.2222 > 192.168.113.2.1687: . ack 3400485149 win 64451
477: 17:24:03.007293 802.1Q vlan#2 P0 114.34.110.185.35787 > x.x.x.x.23: S 475586745:475586745(0) win 5808
478: 17:24:03.013381 802.1Q vlan#2 P0 114.34.110.185.56372 > x.x.x.x.23: S 471207272:471207272(0) win 5808
479: 17:24:03.015410 802.1Q vlan#2 P0 114.34.110.185.37824 > x.x.x.x.23: S 470577274:470577274(0) win 5808
480: 17:25:10.359997 802.1Q vlan#2 P0 126.91.113.22.33902 > x.x.x.x.56490: udp 30
481: 17:25:10.379939 802.1Q vlan#2 P0 126.91.113.22.33902 > x.x.x.x..56490: udp 20
482: 17:25:13.498478 802.1Q vlan#2 P0 126.91.113.22.33902 > x.x.x.x.56490: udp 20
483: 17:25:19.907927 802.1Q vlan#2 P0 126.91.113.22.33902 > x.x.x.x.56490: udp 20
484: 17:25:32.359631 802.1Q vlan#2 P0 126.91.113.22.33902 > x.x.x.x.56490: udp 20
485: 17:25:56.363415 802.1Q vlan#2 P0 126.91.113.22.33902 > x.x.x.x.56490: udp 20
486: 17:26:25.632077 802.1Q vlan#2 P0 126.91.113.22.33902 > x.x.x.x.56490: udp 20
487: 17:26:36.299468 802.1Q vlan#1 P0 192.168.113.2.138 > 192.168.113.255.138: udp 218
488: 17:29:27.531863 802.1Q vlan#2 P0 192.168.16.6.88 > 192.168.113.2.1703: . ack 3505140564 win 65535
489: 17:29:28.061977 802.1Q vlan#2 P0 192.168.16.6.88 > 192.168.113.2.1704: . ack 1723398161 win 65535
490: 17:30:04.984583 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
491: 17:30:05.734565 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
492: 17:30:06.484594 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
493: 17:31:08.448676 802.1Q vlan#1 P0 192.168.113.2.1705 > 192.168.16.6.135: . ack 329930795 win 0
494: 17:32:26.498753 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
495: 17:32:27.248720 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
496: 17:32:27.998681 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
497: 17:32:28.805210 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
498: 17:32:29.545565 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
499: 17:32:30.295669 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
500: 17:33:15.029081 802.1Q vlan#2 P0 37.59.0.72.22 > x.x.x.x.80: S 1846440469:1846440469(0) ack 1 win 14600
501: 17:34:32.666683 802.1Q vlan#2 P0 186.210.159.134.1497 >x.x.x.x.445: S 731294763:731294763(0) win 65535
502: 17:34:35.327314 802.1Q vlan#2 P0 192.168.16.6.88 > 192.168.113.2.1738: . ack 4248243050 win 65516
503: 17:34:35.604262 802.1Q vlan#2 P0 186.210.159.134.1497 > x.x.x.x.445: S 731294763:731294763(0) win 65535
504: 17:34:36.750998 802.1Q vlan#2 P0 192.168.16.6.88 > 192.168.113.2.1748: . ack 1292574253 win 65535
505: 17:34:37.026670 802.1Q vlan#1 P0 192.168.113.2.1741 > 192.168.16.6.389: . ack 3709459071 win 0
506: 17:34:53.094096 802.1Q vlan#2 P0 81.191.253.254.1679 > x.x.x.x.23: S 1795047884:1795047884(0) win 5840
507: 17:34:53.094126 802.1Q vlan#2 P0 81.191.253.254.1160 > x.x.x.x.23: S 1792069562:1792069562(0) win 5840
508: 17:34:53.102182 802.1Q vlan#2 P0 81.191.253.254.4513 > x.x.x.x.23: S 1799422964:1799422964(0) win 5840
509: 17:36:39.992441 802.1Q vlan#2 P0 192.168.16.6.1026 > 192.168.113.2.1739: . ack 577382098 win 64563
510: 17:36:43.723198 802.1Q vlan#2 P0 173.199.71.146.22 > x.x.x.x.80: R 0:0(0) ack 1 win 0
511: 17:37:33.073894 802.1Q vlan#1 P0 192.168.113.2.138 > 192.168.113.255.138: udp 209
512: 17:38:24.955700 802.1Q vlan#1 P0 192.168.113.2.1761 > 192.168.16.24.2222: . ack 1222119482 win 0
513: 17:38:34.073040 802.1Q vlan#1 P0 192.168.113.2.138 > 192.168.113.255.138: udp 218
514: 17:38:35.042249 802.1Q vlan#1 P0 192.168.113.2.138 > 192.168.113.255.138: udp 218
515: 17:40:04.993661 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
516: 17:40:05.743674 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
517: 17:40:06.493718 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
518: 17:44:36.412759 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
519: 17:44:37.162757 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
520: 17:44:37.912886 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
521: 17:44:38.717217 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
522: 17:44:39.459616 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
523: 17:44:40.209766 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
524: 17:44:41.660412 802.1Q vlan#2 P0 46.108.60.22.80 > x.x.x.x.23736: S 1810069934:1810069934(0) ack 1517738109 win 8192
525: 17:46:36.157737 802.1Q vlan#1 P0 192.168.113.2.1789 > 192.168.16.6.135: . ack 89468705 win 0
526: 17:46:36.157782 802.1Q vlan#1 P0 192.168.113.2.1790 > 192.168.16.6.1026: . ack 3579387297 win 0
527: 17:47:40.965648 802.1Q vlan#2 P0 78.139.165.57.4297 > x.x.x.x.445: S 2908035217:2908035217(0) win 65535
528: 17:47:43.945385 802.1Q vlan#2 P0 78.139.165.57.4297 > x.x.x.x.445: S 2908035217:2908035217(0) win 65535
529: 17:49:57.610640 802.1Q vlan#2 P0 31.31.89.9.22 > x.x.x.x.80: S 1417858380:1417858380(0) ack 1 win 14600
530: 17:50:05.143699 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
531: 17:50:05.893630 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
532: 17:50:06.643658 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
533: 17:50:35.205967 802.1Q vlan#1 P0 192.168.113.2.138 > 192.168.113.255.138: udp 218
534: 17:52:12.181204 802.1Q vlan#2 P0 91.227.122.90.80 > x.x.x.x.35714: S 3170841931:3170841931(0) ack 4036991100 win 5840
535: 17:52:33.064190 802.1Q vlan#1 P0 192.168.113.2.138 > 192.168.113.255.138: udp 209
536: 17:53:09.887390 802.1Q vlan#2 P0 192.168.16.6.1026 > 192.168.113.2.1822: . ack 2934231246 win 65171
537: 17:53:12.554857 802.1Q vlan#1 P0 192.168.113.2.1826 > 192.168.16.24.2222: . ack 972433877 win 0
538: 17:56:46.342297 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
539: 17:56:47.092326 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
540: 17:56:47.842272 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
541: 17:56:48.648236 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
542: 17:56:49.389170 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
543: 17:56:50.139168 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
544: 17:57:13.840181 802.1Q vlan#2 P0 50.22.199.212.80 > x.x.x.x.56495: S 99028886:99028886(0) ack 4216075886 win 16384
545: 17:57:39.906081 802.1Q vlan#2 P0 114.26.202.181.4346 > x.x.x.x.445: S 1063524641:1063524641(0) win 65535
546: 17:57:43.000442 802.1Q vlan#2 P0 114.26.202.181.4346 > x.x.x.x.445: S 1063524641:1063524641(0) win 65535
547: 17:58:13.018858 802.1Q vlan#1 P0 192.168.113.2.1864 > 192.168.16.24.2222: . ack 4207183994 win 0
548: 17:59:39.260194 802.1Q vlan#2 P0 192.168.16.6.88 > 192.168.113.2.1872: . ack 1374926765 win 65535
549: 18:00:04.949566 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
550: 18:00:05.699579 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
551: 18:00:06.449576 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
552: 18:00:44.472158 802.1Q vlan#2 P0 212.70.128.163.2239 >x.x.x.x.445: S 490660798:490660798(0) win 65535
553: 18:00:47.456076 802.1Q vlan#2 P0 212.70.128.163.2239 > x.x.x.x.445: S 490660798:490660798(0) win 65535
554: 18:01:18.987894 802.1Q vlan#2 P0 114.43.54.76.3486 > x.x.x.x.445: S 4082553752:4082553752(0) win 65535
555: 18:01:21.981745 802.1Q vlan#2 P0 114.43.54.76.3486 > x.x.x.x.445: S 4082553752:4082553752(0) win 65535
556: 18:02:33.932477 802.1Q vlan#1 P0 192.168.113.2.138 > 192.168.113.255.138: udp 218
557: 18:03:01.819980 802.1Q vlan#2 P0 46.108.60.22.80 > x.x.x.x.30843: S 1487269552:1487269552(0) ack 569782833 win 8192
558: 18:04:43.108270 802.1Q vlan#2 P0 192.168.16.6.389 > 192.168.113.2.1902: . ack 2909854688 win 65130
559: 18:05:26.707894 802.1Q vlan#2 P0 61.160.247.40.6000 > x.x.x.47.3389: S 476708864:476708864(0) win 16384
560: 18:05:26.715813 802.1Q vlan#2 P0 61.160.247.40.6000 > x.x.x.42.3389: S 983564288:983564288(0) win 16384
561: 18:05:26.731941 802.1Q vlan#2 P0 61.160.247.40.6000 > x.x.x.40.3389: S 1910964224:1910964224(0) win 16384
562: 18:06:12.440528 802.1Q vlan#2 P0 192.168.16.6.1026 > 192.168.113.2.1899: . ack 3842669121 win 64563
563: 18:07:27.736488 802.1Q vlan#2 P2 81.196.79.244.40632 > x.x.x.42.445: S 1550760725:1550760725(0) win 65535
564: 18:07:30.656155 802.1Q vlan#2 P2 81.196.79.244.40632 > x.x.x.42.445: S 1550760725:1550760725(0) win 65535
565: 18:07:33.054654 802.1Q vlan#1 P0 192.168.113.2.138 > 192.168.113.255.138: udp 209
566: 18:08:13.949017 802.1Q vlan#1 P0 192.168.113.2.1915 > 192.168.16.24.2222: . ack 1717558933 win 0
567: 18:08:56.271973 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
568: 18:08:57.021956 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
569: 18:08:57.771902 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
570: 18:08:58.593307 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
571: 18:08:59.334394 802.1Q vlan#1 P0 192.168.113.2.137 > 192.168.113.255.137: udp 50
572: 18:09:00.0843 -
IPSEC VPN clients can't reach internal nor external resources
Hi!
At the moment running ASA 8.3, with fairly much experience of ASA 8.0-8.2, I can't get the NAT right for the VPN clients.
Im pretty sure it's not ACL's, although I might be wrong.
The problem is both VPN users can reach internal resources, and vpn users cant reach external resources.
# Issue 1.
IPSEC VPN client cannot reach any local (inside) resources. All interfaces are pretty much allow any any, I suspect it has to do with NAT.
When trying to access an external resource, the "translate_hits" below are changed:
Auto NAT Policies (Section 2)
1 (outside) to (outside) source dynamic vpn_nat interface
translate_hits = 37, untranslate_hits = 11
When trying to reach a local resource (10.0.0.0/24), the translate hits below are changed:
5 (inside) to (outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
translate_hits = 31, untranslate_hits = 32
Most NAT, some sensitive data cut:
Manual NAT Policies (Section 1)
<snip>
3 (inside) to (server) source static NETWORK_OBJ_1.2.3.0_29 NETWORK_OBJ_1.2.3.0_29
translate_hits = 0, untranslate_hits = 0
4 (inside) to (server) source static any any destination static NETWORK_OBJ_10.0.0.240_28 NETWORK_OBJ_10.0.0.240_28
translate_hits = 0, untranslate_hits = 0
5 (inside) to (outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
translate_hits = 22, untranslate_hits = 23
Auto NAT Policies (Section 2)
1 (outside) to (outside) source dynamic vpn_nat interface
translate_hits = 37, untranslate_hits = 6
Manual NAT Policies (Section 3)
1 (something_free) to (something_outside) source dynamic any interface
translate_hits = 0, untranslate_hits = 0
2 (something_something) to (something_outside) source dynamic any interface
translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source dynamic any interface
translate_hits = 5402387, untranslate_hits = 1519419
## Issue 2, vpn user cannot access anything on internet
asa# packet-tracer input outside tcp 172.16.32.1 12345 1.2.3.4 443
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Relevant configuration snippet:
interface Vlan2
nameif outside
security-level 0
ip address 1.2.3.2 255.255.255.248
interface Vlan3
nameif inside
security-level 100
ip address 10.0.0.5 255.255.255.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network anywhere
subnet 0.0.0.0 0.0.0.0
object network something_free
subnet 10.0.100.0 255.255.255.0
object network something_member
subnet 10.0.101.0 255.255.255.0
object network obj-ipsecvpn
subnet 172.16.31.0 255.255.255.0
object network allvpnnet
subnet 172.16.32.0 255.255.255.0
object network OFFICE-NET
subnet 10.0.0.0 255.255.255.0
object network vpn_nat
subnet 172.16.32.0 255.255.255.0
object-group network the_office
network-object 10.0.0.0 255.255.255.0
access-list VPN-TO-OFFICE-NET standard permit 10.0.0.0 255.255.255.0
ip local pool ipsecvpnpool 172.16.32.0-172.16.32.255 mask 255.255.255.0
ip local pool vpnpool 172.16.31.1-172.16.31.255 mask 255.255.255.0
nat (inside,server) source static NETWORK_OBJ_1.2.3.0_29 NETWORK_OBJ_1.2.3.0_29
nat (inside,server) source static any any destination static NETWORK_OBJ_10.0.0.240_28 NETWORK_OBJ_10.0.0.240_28
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
object network vpn_nat
nat (outside,outside) dynamic interface
nat (some_free,some_outside) after-auto source dynamic any interface
nat (some_member,some_outside) after-auto source dynamic any interface
nat (inside,outside) after-auto source dynamic any interface
group-policy companyusers attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol IPSec
default-domain value company.net
tunnel-group companyusers type remote-access
tunnel-group companyusers general-attributes
address-pool ipsecvpnpool
default-group-policy companyusers
tunnel-group companyusers ipsec-attributes
pre-shared-key *****Hi,
I don't seem to get a reply from 8.8.8.8 no, kind of hard to tell as it's an iphone. To me, all these logs simply says it works like a charm, but still I can get no reply on the phone.
asa# ICMP echo request from outside:172.16.32.1 to outside:4.2.2.2 ID=6912 seq=0 len=28
ICMP echo request translating outside:172.16.32.1/6912 to outside:x.x.37.149/46012
ICMP echo reply from outside:4.2.2.2 to outside:x.x.37.149 ID=46012 seq=0 len=28
ICMP echo reply untranslating outside:x.x.37.149/46012 to outside:172.16.32.1/6912
ICMP echo request from outside:172.16.32.1 to outside:4.2.2.2 ID=6912 seq=256 len=28
ICMP echo request translating outside:172.16.32.1/6912 to outside:x.x.37.149/46012
ICMP echo reply from outside:4.2.2.2 to outside:x.x.37.149 ID=46012 seq=256 len=28
ICMP echo reply untranslating outside:x.x.37.149/46012 to outside:172.16.32.1/6912
ICMP echo request from outside:172.16.32.1 to outside:4.2.2.2 ID=6912 seq=512 len=28
ICMP echo request translating outside:172.16.32.1/6912 to outside:x.x.37.149/46012
ICMP echo reply from outside:4.2.2.2 to outside:x.x.37.149 ID=46012 seq=512 len=28
ICMP echo reply untranslating outside:x.x.37.149/46012 to outside:172.16.32.1/6912
asa# show capture capo
12 packets captured
1: 08:11:59.097590 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
2: 08:11:59.127129 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
3: 08:12:00.103876 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
4: 08:12:00.133293 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
5: 08:12:01.099253 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
6: 08:12:01.127572 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
7: 08:12:52.954464 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
8: 08:12:52.983866 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
9: 08:12:56.072811 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
10: 08:12:56.101007 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
11: 08:12:59.132897 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
12: 08:12:59.160941 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
asa# ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=0 len=28
ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=0 len=28
ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=256 len=28
ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=256 len=28
ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=512 len=28
ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=512 len=28
ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=768 len=28
ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=768 len=28
asa# show capture capi
8 packets captured
1: 08:15:44.868653 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
2: 08:15:44.966456 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
3: 08:15:47.930066 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
4: 08:15:48.040082 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
5: 08:15:51.028654 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
6: 08:15:51.110086 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
7: 08:15:54.076534 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
8: 08:15:54.231250 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
Packet-capture.
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.32.1 255.255.255.255 outside
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any log
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
Additional Information:
Static translate 10.0.0.72/0 to 10.0.0.72/0
Phase: 9
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_out out interface outside
access-list outside_access_out extended permit ip any any log
Additional Information:
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 5725528, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow -
VPN Clients can't access DMZ Network
Hello,
I will try to describe my problem as best as possible. The title says VPN clients cannot access DMZ network, but that is not exactly the problem, the situation is this, a group of users are using an actual 10.x network where they have their servers and pretty much everything. The users must be relocated into a new network, the 172.16.x. In a point in time they will not have to use 10.x anymore, but meanwhile, they need access to that network.
I have an ASA 5510 as default gateway for the new network (172.16.x.x), one interface e0/0 connected to the outside (internet), interface e0/1 to the inside and other interface connected to the actual 10.x (which I call DMZ), so basically I am using the ASA as a bridge using NAT to grant access to the users in the network 172.16.x to the resources in the 10.x network while the migration is completed.
All the users must use the path to the internet thru the ASA using the NAT overload to the outside interface and I put in place a NAT policy to 10.x to allow access to the 10.x network only when the internal users 172.16.x try to reach that path and so far, everything is working just fine for the internal users.
Now for some reason, when I do VPN, the VPN clients cannot reach the 10.x network, even when they are supposed to be in the internal network (because they are doing VPN right?) .
I have enabled split tunneling with NAT exempt the 172.16 network and I am not sure if that is causing the problem, because when I trace from my PC the 172.16.16.1 address using the VPN I get the proper route path, but when I try to reach 10.x, my PC is using its default gateway and not the VPN gateway which has a route to 10.x.
I’m not even sure if what I am trying to do is possible, I want VPN users to be able to access a 10.x network using NAT overload with the Interface of the ASA plugged to the 10.x network, just like the internal users are doing right now.
Any help or advice will be highly appreciated.Allow clients to access DMZ, add exempt NAT rule, add both the "same-security-traffic" thru cli. Please give it a try.
Sent from Cisco Technical Support iPad App -
Vpn client can access internet but cannot access internal network
I am using PIX 501 to setup a VPN. At first the VPN client cannot access the internet once they logged in via the Cisco system vpn client, so i enable split tunneling. Now the VPN client can access the internet but they can't access the internal network.Due to the limited characters can be posted here, only necessary IOS coding is posted on the next message. Who knows how to solve this problem? Pls Help.....
enable password ********** encrypted
passwd ********** encrypted
hostname Firewall
domain-name aqswdefrgt.com.sg
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list nat permit tcp any host 65.165.123.142 eq smtp
access-list nat permit tcp any host 65.165.123.142 eq pop3
access-list nat permit tcp any host 65.165.123.143 eq smtp
access-list nat permit tcp any host 65.165.123.143 eq pop3
access-list nat permit tcp any host 65.165.123.143 eq www
access-list nat permit tcp any host 65.165.123.152 eq smtp
access-list nat permit tcp any host 65.165.123.152 eq pop3
access-list nat permit tcp any host 65.165.123.152 eq www
access-list nat permit tcp any host 65.165.123.143 eq https
access-list nat permit icmp any any
ip address outside 65.165.123.4 255.255.255.240
ip address inside 192.168.1.2 255.255.255.0
ip verify reverse-path interface outside
ip local pool clientpool 192.168.50.1-192.168.50.50
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 65.165.123.142 smtp 192.168.1.56 smtp netmask 255.255.2
55.255 0 0
static (inside,outside) tcp 65.165.123.142 pop3 192.168.1.56 pop3 netmask 255.255.2
55.255 0 0
static (inside,outside) tcp 65.165.123.143 smtp 192.168.1.55 smtp netmask 255.255.2
55.255 0 0
static (inside,outside) tcp 65.165.123.143 pop3 192.168.1.55 pop3 netmask 255.255.2
55.255 0 0
static (inside,outside) tcp 65.165.123.143 www 192.168.1.55 www netmask 255.255.255
.255 0 0
static (inside,outside) tcp 65.165.123.152 smtp 192.168.1.76 smtp netmask 255.255.
255.255 0 0
static (inside,outside) tcp 65.165.123.152 pop3 192.168.1.76 pop3 netmask 255.255.
255.255 0 0
static (inside,outside) tcp 65.165.123.152 www 192.168.1.76 www netmask 255.255.25
5.255 0 0
static (inside,outside) tcp 65.165.123.143 https 192.168.1.55 https netmask 255.255
.255.255 0 0
access-group nat in interface outside
route outside 0.0.0.0 0.0.0.0 65.165.123.1 1
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server plexus protocol radius
aaa-server plexus (inside) host 192.168.1.55 ******** timeout 5
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map client authentication plexus
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup vpn3000 address-pool clientpool
vpngroup vpn3000 dns-server 192.168.1.55
vpngroup vpn3000 wins-server 192.168.1.55
vpngroup vpn3000 default-domain aqswdefrgt.com.sg
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80 -
Can't access internal network from VPN using PIX 506E
Hello,
I seem to be having an issue with my PIX configuration. I can ping the VPN client from the the internal network, but can cannot access any resources from the vpn client. My running configuration is as follows:
Building configuration...
: Saved
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password N/JZnmeC2l5j3YTN encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname SwantonFw2
domain-name *****.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit icmp any any
access-list allow_ping permit icmp any any echo-reply
access-list allow_ping permit icmp any any unreachable
access-list allow_ping permit icmp any any time-exceeded
access-list INSIDE-IN permit tcp interface inside interface outside
access-list INSIDE-IN permit udp any any eq domain
access-list INSIDE-IN permit tcp any any eq www
access-list INSIDE-IN permit tcp any any eq ftp
access-list INSIDE-IN permit icmp any any echo
access-list INSIDE-IN permit tcp any any eq https
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.240.0 255.255.255.0
access-list swanton_splitTunnelAcl permit ip any any
access-list outside_cryptomap_dyn_20 permit ip any 192.168.240.0 255.255.255.0
no pager
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.150 255.255.255.0
ip address inside 192.168.0.35 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN_Pool 192.168.240.1-192.168.240.254
pdm location 0.0.0.0 255.255.255.0 outside
pdm location 192.168.1.26 255.255.255.255 outside
pdm location 192.168.240.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
access-group outside_access_in in interface outside
access-group INSIDE-IN in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup swanton address-pool VPN_Pool
vpngroup swanton dns-server 192.168.1.1
vpngroup swanton split-tunnel swanton_splitTunnelAcl
vpngroup swanton idle-time 1800
vpngroup swanton password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.36-192.168.0.254 inside
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username scott password hwDnqhIenLiwIr9B encrypted privilege 15
username norm password ET3skotcnISwb3MV encrypted privilege 2
username tarmbrecht password Zre8euXN6HxXaSdE encrypted privilege 2
username jlillevik password 9JMTvNZm3dLhQM/W encrypted privilege 2
username ruralogic password 49ikl05C8VE6k1jG encrypted privilege 15
username bzeiter password 1XjpdpkwnSENzfQ0 encrypted privilege 2
username mwalla password l5frk9obrNMGOiOD encrypted privilege 2
username heavyfab1 password 6.yy0ys7BifWsa9k encrypted privilege 2
username heavyfab3 password 6.yy0ys7BifWsa9k encrypted privilege 2
username heavyfab2 password 6.yy0ys7BifWsa9k encrypted privilege 2
username djet password wj13fSF4BPQzUzB8 encrypted privilege 2
username cmorgan password y/NeUfNKehh/Vzj6 encrypted privilege 2
username cmayfield password Pe/felGx7VQ3I7ls encrypted privilege 2
username jeffg password zQEQceRITRrO4wJa encrypted privilege 2
terminal width 80
Cryptochecksum:9005f35a85fa5fe31dab579bbb1428c8
: end
[OK]
Any help will be greatly appreciatedBj,
Are you trying to access network resources behind the inside interface?
ip address inside 192.168.0.35 255.255.255.0
If so, please make the following changes:
1- access-list SWANTON_VPN_SPLIT permit ip 192.168.0.0 255.255.255.0 192.168.240.0 255.255.255.0
2- no vpngroup swanton split-tunnel swanton_splitTunnelAcl
vpngroup swanton split-tunnel SWANTON_VPN_SPLIT
3- no access-list outside_cryptomap_dyn_20 permit ip any 192.168.240.0 255.255.255.0
4- isakmp nat-traversal 30
Let me know how it goes.
Portu.
Please rate any helpful posts -
Server 2003 VPN clients can't verify username and password
Hi,
Hoping someone can help or point me in the right direction. I have a Windows Server 2003 R2 standard SP2 running RRAS. It has Dual NIC's and is configured for PPTP VPN. I am using a BT Business Hub 5 for internet access and using the BT Static IP service.
The BT Hub assigns the static IP address chosen to the Server using DHCP. The firewall is configured to port forward PPTP traffic to the 2003 server. This all works correctly.
The 2003 server is on a domain where the DC is a 2008 R2 server. The DC also acts as the DNS and DHCP for the network.
The default gateway for the domain is pointed towards our WinGate proxy server which also acts as a DNS server.
The 2003 server LAN NIC is configured manually, usually I would not configure a deafult gateway on the LAN NIC as the WAN NIC needs the default gateway for the BT Hub.
The problem I am having is if a default gateway is configured on the LAN NIC, I can connect to the VPN and it will logon to the network. Once connected everything works ok. If the connection drops, when trying to reconnect the client can no longer verify
the user name and password against the domain and the connection is refused.
If I do not have a default gateway configured in the LAN NIC the VPN clients can not verify the username and password for the domain at all and I get RPC failure errors in the event viewer with the source dnsapi.
Once this error occurs the only way I can get the clients to reconnect is to disable the WAN NIC, restart the RRAS service and enable the WAN NIC again.
Any insight will be much appreciated.Hello,
for Networking configuration questions better ask in
http://social.technet.microsoft.com/Forums/windowsserver/en-US/home#forum=winserverNIS&filter=alltypes&sort=lastpostdesc&content=Search
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://blogs.msmvps.com/MWeber
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
Twitter: -
VPN clients can't see network resources unless Firewall is disabled.
If the firewall is turned off, connected VPN clients can access other PCs over the VPN. But I would like to enable a rule that allows them to access computers even with the firewall turned on. I just don't know what the rule should be.
Hi,
Any update? If you could update us at your convenience that would be wonderful.
Regards
Yolanda Zhu
TechNet Community Support -
AnyConnect VPN Clients IP Address access rules
I setup ASA5540 for SSL-VPN (clientless) works fine.
But I try to use Client (AnyConnect) to access internal resources, it is failed. It is stiil initiate sessions from remote client IP.
I need to initiate session from client IP assigned by ASA5540 box (same with Cisco VPN client connect to Cat65 SVC module).
How I setup it?I use Cisco VPN client (remote access VPN)to connect ASA.
There is a configuration setup for group authentication/w password on Cisco VPN client.I do not know to setup on ASA to match this?
Second, remote client connect ASA, I should get the client IP address which I setup on ASA.
It should use this IP to connect ASA internal net,but I failed.( Both Cisco VPN and AnyConnect)
How I setup this ( SSL VPN on this ASA works). -
I saved photos from my Macbook Pro onto my Iphone (using itunes, 4 years ago). My macbook is now dead and I need to get the photos I saved off of my iphone 3GS transferred to a pc. Any help... From my PC I can only access "internal storage"
The iphone is not a storage/backup device. The picture sycn is one way - computer to iphone. The photos are also reduced in size when synced to iphone so they are not of the original quality
It has always been very basic to always maintain a backup of your computer.
Have you failed to do this?
If so, not good at all, you can e-mail the pics to yourself - keep in mind they will never be of the original quality -
ASA 5505 IPSEC VPN connected but can't access to LAN
ASA : 8.2.5
ASDM: 6.4.5
LAN: 10.1.0.0/22
VPN Pool: 172.16.10.0/24
Hi, we purcahsed a new ASA 5505 and try to setup IPSEC VPN via ASDM; i just simply run the Wizards, setup vpnpool, split tunnelling,etc.
I can connect to the ASA by using cisco VPN client and internet works fine on the local PC, but it cannot access to the LAN (can't ping. can't remote desktop). I tried the same thing on our Production ASA(those have both Remote VPN and Site-to-site VPN working), the new profile i created worked fine.
Below is my configure, do I mis-configure anything?
ASA Version 8.2(5)
hostname asatest
domain-name XXX.com
enable password 8Fw1QFqthX2n4uD3 encrypted
passwd g9NiG6oUPjkYrHNt encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.253 255.255.252.0
interface Vlan2
nameif outside
security-level 0
ip address XXX.XXX.XXX.XXX 255.255.255.240
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name vff.com
access-list vpntest_splitTunnelAcl standard permit 10.1.0.0 255.255.252.0
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.252.0 172.16.10.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging trap warnings
logging asdm informational
logging device-id hostname
logging host inside 10.1.1.230
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 172.16.10.1-172.16.10.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server AD protocol nt
aaa-server AD (inside) host 10.1.1.108
nt-auth-domain-controller 10.1.1.108
http server enable
http 10.1.0.0 255.255.252.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.1.0.0 255.255.252.0 inside
ssh timeout 20
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpntest internal
group-policy vpntest attributes
wins-server value 10.1.1.108
dns-server value 10.1.1.108
vpn-tunnel-protocol IPSec l2tp-ipsec
password-storage disable
ip-comp disable
re-xauth disable
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpntest_splitTunnelAcl
default-domain value XXX.com
split-tunnel-all-dns disable
backup-servers keep-client-config
address-pools value vpnpool
username admin password WeiepwREwT66BhE9 encrypted privilege 15
username user5 password yIWniWfceAUz1sUb encrypted privilege 5
username user3 password umNHhJnO7McrLxNQ encrypted privilege 3
tunnel-group vpntest type remote-access
tunnel-group vpntest general-attributes
address-pool vpnpool
authentication-server-group AD
authentication-server-group (inside) AD
default-group-policy vpntest
strip-realm
tunnel-group vpntest ipsec-attributes
pre-shared-key BEKey123456
peer-id-validate nocheck
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:447bbbc60fc01e9f83b32b1e0304c6b4
: endI change a Machine's gateway to this ASA and capture again, now we can see some reply.
All ohter PCs and switches gateway are point to another ASA, maybe that's the reason why i didn't work?
what's the recommanded way to make our LAN to have two 2 gateways(for load balance or backup router, etc)?
add two gateways to all PCs and swtichwes?
1: 18:15:48.307875 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
2: 18:15:49.777685 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
3: 18:15:51.377147 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
4: 18:15:57.445777 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
5: 18:15:58.856324 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
6: 18:16:00.395090 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
7: 18:16:06.483464 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
8: 18:16:08.082805 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
9: 18:16:09.542406 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 68
10: 18:16:20.640424 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
11: 18:16:20.642193 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
12: 18:16:21.169607 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
13: 18:16:21.171210 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
14: 18:16:22.179556 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
15: 18:16:22.181142 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
16: 18:16:23.237673 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
17: 18:16:23.239291 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
18: 18:16:27.676402 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 50
19: 18:16:29.246935 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 50
20: 18:16:30.676921 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137: udp 50
21: 18:16:49.539660 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.233: icmp: echo request
22: 18:16:54.952602 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.233: icmp: echo request
23: 18:17:04.511463 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.233: icmp: echo request -
Subnet mask 255.255.255.255 assigned to VPN client - can't ping LAN
Hi,
I configured PIX 501 with PPTP VPN to connect to the small office (PIX FW, Win 2000 Server, several Win clients, LAN IP 10.0.0.X/24):
ip local pool mypool 10.0.0.101-10.0.0.105
vpdn group mygroup accept dialin pptp
vpdn group mygroup ppp authentication mschap
vpdn group mygroup ppp encryption mppe 128 required
vpdn group mygroup client configuration address local mypool
vpdn group mygroup client configuration dns 10.0.0.15
vpdn group mygroup pptp echo 60
vpdn group mygroup client authentication local
vpdn username xxxx password *********
vpdn enable outside
I can connect to the office using Win VPN client, but I can't ping any hosts in the office network. I suspect that the reason for that is subnet mask assigned to the VPN client: 255.255.255.255. ipconfig of the VPN client:
PPP adapter Office:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 10.0.0.101
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
Default GW is missing too, but I think this is not the main problem.
Any way, what is wrong with my config? How to fix subnet mask assigned to clients? Or may be my assumption is wrong and this mask is ok? What is wrong then?
Any input will be greatly appreciated!
GeorgeThanks for the prompt reply.
Here it does:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
hostname OSTBERG-PIX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 80 permit ip 10.0.0.0 255.255.255.0 10.0.20.0 255.255.255.0
access-list inbound permit icmp any any
access-list inbound permit tcp any any eq pptp
access-list inbound permit gre any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 66.189.xxx.xxx 255.255.252.0
ip address inside 10.0.0.23 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool mypool 10.0.0.101-10.0.0.105
pdm location 10.0.0.0 255.255.255.0 inside
pdm location 10.0.0.15 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 66.189.yyy.yyy 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
telnet 10.0.0.23 255.255.255.255 inside
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group mygroup accept dialin pptp
vpdn group mygroup ppp authentication mschap
vpdn group mygroup ppp encryption mppe 128 required
vpdn group mygroup client configuration address local mypool
vpdn group mygroup client configuration dns 10.0.0.15
vpdn group mygroup pptp echo 60
vpdn group mygroup client authentication local
vpdn username ********* password *********
vpdn enable outside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:xxx
: end
There are remnants of old config, I just recently took over this network, some lines look odd to me, but I did not touch what works. VPN config is all mine.
PIX internal 10.0.0.23 - is a gateway for the network. DNS server in LAN - 10.0.0.15.
I've been reading about the problem and came across several posts that this subnet mask is normal, but it puzzles me - how can this host communicate with anyone else if there is no room for other hosts in this network (according to the mask)?!
Thanks again!
George -
Cannot access internal LAN after VPN connect
I know this is either an ACL or NAT issue that I cannot figure out. The nat-t config in defaulted in the IOS config for the ASA. I actually forgot the command to show the hidden default config lines. Either way, can someone take a look at my config, and let me know what I am doing wrong, again.
Thanks ahead of time.
ASA Version 8.2(2)
hostname ciscousa
enable password
names
interface Vlan1
nameif inside
security-level 100
ip address 1.1.1.2 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 14.14.11.5 255.255.255.0
interface Vlan3
shutdown
no forward interface Vlan2
nameif dmz
security-level 50
ip address dhcp
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
speed 100
duplex full
ftp mode passive
same-security-traffic permit intra-interface
access-list outside_in extended permit icmp any any
access-list inside_nat0 extended permit ip any 1.1.1.0 255.255.255.0
access-list inside_nat0 extended permit ip any 10.12.27.0 255.255.255.0
access-list split_tunnel standard permit 1.1.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpnpool 10.12.27.100-10.12.27.120 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 14.14.11.6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 1.1.1.0 255.255.255.0 inside
http 1.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map inet-1_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map inet-1_map 65535 ipsec-isakmp dynamic inet-1_dyn_map
crypto map inet-1_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpnipsec internal
group-policy vpnipsec attributes
wins-server value 1.1.1.16
dns-server value 1.1.1.16
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
default-domain value company.com
tunnel-group vpnipsec type remote-access
tunnel-group vpnipsec general-attributes
address-pool vpnpool
default-group-policy vpnipsec
tunnel-group vpnipsec ipsec-attributes
pre-shared-key *****
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512Hello,
I have been trying to get this to work within the last week but to no avail. I changed my config altogether and started from scratch. I have Split Tunnel working well, and I can access the VPN client from the internal LAN. But I still cannot access the internal LAN from the VPN client host. Can anyone take a look at my config and tell me what ACL\Access Group I am missing. I know I am close but I cannot get over the hump.
Thanks!
ASA Version 8.2(2)
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.0
interface Vlan3
shutdown
no forward interface Vlan2
nameif dmz
security-level 50
ip address dhcp
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
speed 100
duplex full
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_in extended permit icmp any any
access-list outside_in_vpn extended permit ip 192.168.3.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list split_tunnel standard permit 192.168.0.0 255.255.0.0
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool ipvpn 192.168.3.100-192.168.3.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_in in interface outside control-plane
access-group outside_in_vpn in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map internet-1_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHAESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map internet-1_map 65535 ipsec-isakmp dynamic internet-1_dyn_map
crypto map internet-1_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
group-policy vpnipsec internal
group-policy vpnipsec attributes
wins-server value 192.168.1.5
dns-server value 192.168.1.5
split-tunnel-policy tunnelall
split-tunnel-network-list value split_tunnel
default-domain value company.com
tunnel-group vpnipsec type remote-access
tunnel-group vpnipsec general-attributes
address-pool ipvpn
default-group-policy vpnipsec
tunnel-group vpnipsec ipsec-attributes
pre-shared-key *
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
prompt hostname context
Cryptochecksum:7e41045c9d7c66ac2c03c3b12ae63908 -
Can connect via VPN, but can't access AFP server on same Xserve
Hi:
I've set up our XServe with MacOS X Server 10.5.2 to do AFP and VPN (L2TP only; PPTP is disabled). The XServe is a standalone server, not connected to any other direstory server.
I can connect to the XServe's AFP server from my Mac over our wired and wireless network. The AFP server shows up in the sidebar of Finder windows. So far, so good.
I am able to successfully connect to our network via the VPN with Mac OS X 10.5.2 client (on two different machines) using L2TP through our network's firewall (on a Netopia T1 router; UDF ports 500 and 4500 and IP Protocol 50 and 51 are open) using a shared secret.
But I cannot connect to the XServe itself to use Server Admin or AFP (using afp://server.company.com or afp://xxx.xxx.xxx.xxx via the Go > Connect to Server command).
The error I get while connecting to the 10.5.2 AFP server is Some data in apf://server.mycompany.com could not be read or written (Error Code -36 ). I saw this error associated with a SMB problem in 10.4.x, but SMB is not running.
Other iChat users in my office also do not automatically show up in the Bonjour list when I connect to the network. Other computers on our network do not appear in the sidebar of a Finder window. (I'm told these are to be expected, as Bonjour isn't supported (in the "local area Bonjour" over a WAN link - it's purely a multicast feature on the network in the office, and won't be routed across the VPN link. True?)
Now, here's the odd part. There is a second server (v10.4.11) on our network running AFP. I can connect to it (using afp://server.company.com via the Go > Connect to Server command) and mount its various sharepoints via the VPN.
The only thing I see in the VPN log that seems amiss is this (but I have no idea what it means):
Tue Mar 11 23:09:27 2008 : Unsupported protocol 0x8057 received
--Both the 10.5.2 and the 10.4.11 servers have DNS properly configured (though our ISP; we're not running our own DNS).
--Both servers and the client have public IP addresses and have the same subnet mask. Network Utility confirms this while connected to the VPN.
--NAT is not running. The ISP is responding with public IPs for the servers.
--The firewall for the 10.5.2 server is not running (but will be once I get this all working).
--The IP address range for the VPN server doesn't overlap our DHCP pool (which also currently uses public IP addresses).
--Any user can access any service.
--No network routing definitions have been set up.
--In essence, I've followed the steps on Pages 141-142 of the Network Services Admin Guide.
One other note: After I connect, the Network Preferences > VPN > Advanced > TCP/IP window shows the IP address for the client just fine (assigned from the VPN pool), but lists the router as having the IP address of the XServe (rather than the router on the network). Is that normal?
I'm hoping I don't need to have the XServe run DNS as an internal LAN DNS server.... And I'm not sure why I would have to if I can already successfully connect to the 10.4.11 AFP server .
What simple step am I missing?
TIA,
mm"I am able to successfully connect to our network via the VPN with Mac OS X 10.5.2 client (on two different machines) using L2TP through our network's firewall (on a Netopia T1 router; UDF ports 500 and 4500 and IP Protocol 50 and 51 are open) using a shared secret."
I suspect you mean UDP ports and you might need UDP port 1701 open too.
You only need IP protocol 50 (ESP), protocol 51 (AH) isn't used. And ESP is only used when client and server isn't behind NAT (when NAT is used only the UDP ports are used).
"Unsupported protocol 0x8057 received"
This is usually seen when you can't get GRE through but since you don't use PPTP I can't be sure why this is registered in the logs. Sometimes when connecting using PPTP you have to disconnect and then reconnect for everything to work - you might try this for L2TP too.
But if you already can reach services on any LAN nodes through the VPN I wouldn't bother with it.
As you have a firewall in front of the server you need a second alias IP on the server that you can use to get at the services running on the server through the VPN. The firewall blocks all ports protocols not opened - that's why you can't use the server main IP even if the VPN is up.
The netmask is used by all nodes to determine how big your subnet is: what part of the IP number is the network number and what range the node number is in => really: should traffic be directed to a node on the same LAN or sent directly to the gw/router for forwarding.
What you can't do is connect from a NATed network to another NATed network that both are using the same network number. (That's why people should stay away from using the "default" 192.168.0.0/24 and 192.168.1.0/24 networks for VPN server LANs).
Try your settings at http://www.jodies.de/ipcalc to see what I mean.
"...lists the router as having the IP address of the XServe (rather than the router on the network). Is that normal?"
Yes. The VPN server is the VPN gw/router.
"The firewall for the 10.5.2 server is not running (but will be once I get this all working)."
If you already have a firewall in front of your servers that is a bit redundant.
"--No network routing definitions have been set up."
"I'm hoping I don't need to have the XServe run DNS as an internal LAN DNS server"
You need routing definitions if you want to setup a split tunnel VPN or all traffic is routed through the VPN when connected. The VPN becomes the default gw.
Without ipforwarding ON in the server you can only reach nodes on the server LAN - not Internet.
DNS is needed for your servers forward and reverse names/IPs for advanced services but doesn't need to run in any of your own servers.
If you decide to do a split tunnel VPN config (adding public and private routing definitions) a reachable DNS IP for VPN clients (in VPN config on server) is needed for VPN clients or they can't use names to find anything. To reach this DNS IP if public/not on your server LAN, you need your server to forward IP DNS lookups and have a routing definition for it.
A split tunnel VPN only send traffic for your server LAN through the VPN and all other traffic directly to the local gw/router (Internet).
Maybe you are looking for
-
Adautocfg updating wrong oracle home
We are doing a database upgrade from 8.1.7 to 9.2.0.6 per note 216550.1. The database upgrade is complete and we are now on step 21 - run autoconfig. We copied the appsutil directory from 8.1.7 home to 9.2 home and edited the xml file changing oradb
-
Cannot open itunes at all. Please help
I have recently upgraded to the newest version of itunes but everytime I try to open the program it says that a newer version of quicktime is needed to open itunes and for me to reinstall itunes. Well I have done this about twenty times and it still
-
Attachement not opened in UWL for trip requuest approver in workflow:
Hi All, Issue Description: Attachment not opening in UWL while send for approval of Travel Request but opening in ECC. Issue Object: BO: BUS2089 Method: Display Created a custom BO: ZBUS2089 and delegated to standard BUS2089. Looked Solutions: SAP N
-
I need a backup MX server, but backup MX servers are always abused for spam delivery since it's difficult to implement the same anti-spam measures on a backup MX as on the primary... Long story short, I want to use iptables to only accept port 25 whe
-
Safari closes as soon as I open it
Just started this AM, both Safarui and ipod will not open - when I select them from the bottom apps tray, they open but within a second or 2 thery close again. Have tried shutting the phone off, restarting, have downloaded the most recent updates, no