VPN consulting

Hello everybody, I'm quite new with ASA configurations, and I am having some problems with a VPN configuration. I've configure a VPN wich
unexpectedly goes down. the strange is that the other side of the tunnel still have connectivity. another strange things is that in the MONITORING--VPN--IPsec Site to Site connections I can see always the link up.
Has anybody any idea what can I do to resolve this issue?
Thanks and regards.

Vishnu, Hi, sorry for my delay, to bring the tunnel back I just go to MONITORING--->VPN---> I filter by IPsec Site-to-Site and then I select the Connection Profile for my tunnel and then I press the Logout button (in the ASDM Interface) and after a couple of seconds the tunnels starts to works again.
my config in the far end ASA is:
REMOTESITE# sho run
: Saved
ASA Version 8.2(5)
hostname REMOTESITE
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
no nameif
no security-level
no ip address
interface Ethernet0/0.10
description Internet Inside
vlan 10
nameif InternetInside
security-level 50
ip address PRIVATE IP ADDRESS
interface Ethernet0/0.130
vlan 130
nameif inside
security-level 100
ip address PRIVATE IP ADDRESS
interface Ethernet0/1
no nameif
no security-level
no ip address
interface Ethernet0/1.19
vlan 19
nameif outside
security-level 0
ip address PUBLIC IP ADDRESS
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
object-group network RemoteSite
network-object 10.32.0.0 255.255.0.0
object-group network LocalSite
network-object 10.30.0.0 255.255.0.0
network-object host 10.2.3.240
network-object host 10.2.3.230
network-object host 10.2.3.233
network-object host 10.2.3.243
network-object host 10.2.3.248
access-list inside_access_in extended permit ip object-group RemoteSite any
access-list inside_nat_outbound extended permit ip object-group RemoteSite any
access-list outside_1_cryptomap extended permit ip object-group RemoteSite object-group LocalSite
access-list outside_1_cryptomap extended permit ip object-group LocalSite object-group RemoteSite
access-list inside_nat0_outbound extended permit ip object-group RemoteSite object-group LocalSite
access-list inside_nat0_outbound extended permit ip object-group RemoteSite 192.168.150.0 255.255.255.0
access-list InternetInside_nat_outbound extended permit ip 172.16.1.32 255.255.255.224 any
access-list VPN-RemoteSite_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list VPN-RemoteSite_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0
access-list VPN-RemoteSite_splitTunnelAcl standard permit 172.16.0.0 255.240.0.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
mtu InternetInside 1500
ip local pool RemoteSite-VPN 192.168.150.10-192.168.150.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list inside_nat_outbound
nat (InternetInside) 1 access-list InternetInside_nat_outbound
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 204.181.54.177 1
route outside 10.2.3.230 255.255.255.255 204.181.54.177 1
route outside 10.2.3.233 255.255.255.255 204.181.54.177 1
route outside 10.2.3.240 255.255.255.255 204.181.54.177 1
route outside 10.2.3.243 255.255.255.255 204.181.54.177 1
route outside 10.2.3.248 255.255.255.255 204.181.54.177 1
route outside 10.30.0.0 255.255.0.0 204.181.54.177 1
route inside 10.32.0.0 255.255.0.0 10.32.2.130 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server tac-auth protocol tacacs+
aaa-server tac-auth (inside) host 10.30.5.43
timeout 5
key *****
aaa-server tac-auth (inside) host 10.30.120.43
timeout 5
key *****
aaa authentication enable console tac-auth LOCAL
aaa authentication http console tac-auth LOCAL
aaa authentication serial console tac-auth LOCAL
aaa authentication ssh console tac-auth LOCAL
aaa authentication telnet console tac-auth LOCAL
aaa authorization command tac-auth LOCAL
aaa accounting enable console tac-auth
aaa accounting telnet console tac-auth
aaa accounting ssh console tac-auth
aaa accounting serial console tac-auth
aaa accounting command privilege 15 tac-auth
aaa local authentication attempts max-fail 10
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 inside
http LocalSitePUBLICIP outside
http LocalSitePUBLICIP outside
http LocalSitePUBLICIP outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer LocalSitePUBLICIP
crypto map outside_map 1 set transform-set ESP-AES-128-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ciscoasa
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 63f6c54f
    30820234 3082019d a0030201 02020463 f6c54f30 0d06092a 864886f7 0d010105
    0500302c 3111300f 06035504 03130863 6973636f 61736131 17301506 092a8648
    86f70d01 09021608 63697363 6f617361 301e170d 31323035 33313038 33373235
    5a170d32 32303532 39303833 3732355a 302c3111 300f0603 55040313 08636973
    636f6173 61311730 1506092a 864886f7 0d010902 16086369 73636f61 73613081
    9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100b7 f802ade8
    d40ba8e6 a32d4e57 0c1dce0c 970d7f62 afb83546 aa2eeb4a 798cee09 b6ed1217
    356d486c 2cb43ce2 0754ee4f a49be90a 65a4c586 b61dd4e0 68b587fa e9f546ea
    a54a9ec6 f2f316ad 7e2bdb7d 4e0b0630 2efa0d29 7350bce1 dbe67e89 ba2c2193
    67918b03 02c6f9b3 3cca9bc9 e97a1c61 3603c1c6 6097285a 5e7b4302 03010001
    a3633061 300f0603 551d1301 01ff0405 30030101 ff300e06 03551d0f 0101ff04
    04030201 86301f06 03551d23 04183016 8014d665 a29f0fd4 b60293fe c2cc6f9d
    c6c3a617 c942301d 0603551d 0e041604 14d665a2 9f0fd4b6 0293fec2 cc6f9dc6
    c3a617c9 42300d06 092a8648 86f70d01 01050500 03818100 0d3b6049 08f662e4
    e07f1113 8194da6a a221c29e d850b7b4 d5fdb695 c24c066c f272856c b5cd9712
    6a8839f3 037cdce1 3d4a326d f8d40768 c31bf450 18fab62b f36a383e b40827ee
    ab3c8290 17928639 ace48926 2a018b85 cabf73b0 e98f92b2 b7973add d194d9d2
    b144a1be ef4cb498 8c381d1e cade9141 ec80cea8 e787c65d
quit
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh PUBLIC IP ADDRESS outside
ssh PUBLIC IP ADDRESS outside
ssh PUBLIC IP ADDRESS outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy VPN-RemoteSite_2 internal
group-policy VPN-RemoteSite_2 attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN-RemoteSite_splitTunnelAcl
default-domain none
group-policy VPN-RemoteSite internal
group-policy VPN-RemoteSite attributes
vpn-filter value outside_1_cryptomap
vpn-tunnel-protocol IPSec
group-policy VPN-RemoteSite_1 internal
group-policy VPN-RemoteSite_1 attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol IPSec
default-domain none
username admin password 2QP3zeqDx2bZ8oiO encrypted privilege 15
username vpn-RemoteSite password YllBSswY7sUORmMr encrypted privilege 0
username vpn-RemoteSite attributes
vpn-group-policy VPN-RemoteSite_1
tunnel-group LocalSitePUBLICIP type ipsec-l2l
tunnel-group LocalSitePUBLICIP general-attributes
default-group-policy VPN-RemoteSite
tunnel-group LocalSitePUBLICIP ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 10 retry 10
tunnel-group VPN-RemoteSite type remote-access
tunnel-group VPN-RemoteSite general-attributes
address-pool RemoteSite-VPN
default-group-policy VPN-RemoteSite_2
tunnel-group VPN-RemoteSite ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:00cfcfa94733b8335dd7a34b36b3a18a
: end
REMOTESITE#
for my ASA in the local side I think it could be more difficult because in that device I have all the company config.

Similar Messages

Solution Needed: Using VPN as a Jump off for multiple users to connect outbound to multiple 3rd party VPN

I work for a healthcare consulting company, we have 50+ consultants that work remotely from their home. We currently are cloud managed and for various reasons are looking for a solution to streamline our connection to our Clinics' personal VPNs. Our Clinics' VPNs vary greatly in regards to vendor and type of connection.
What we want to do:
Create a Jumpoff where all our consultants (simultaneously as well) can remote VPN into. From there be able to jump out to any of our Clinics' VPNs.
We need this because we have some consultants with foreign IPs and we also want to connect from Google Chromebooks which don't play nice with every type of our Clinics' VPNs. So the our Jump Off Box will have all the needed connections for any type of VPNs our Clinics use.
This solution should connect to our Clinics' side from their default VPN settings - Just a regular VPN connection from us to them.
From what I have been told is that this was attempted in the past:
Consultants VPN'd to our cloud server - RDPd to a machine and then VPNd out to our clinics. However this locked down the VPN and only one consultant could jump out.
What Cisco Product would allow us to do so?
How would this be set up?
Do we set up the Router to handle outbound connections?
Any input would be greatly appreciated.

Hi Jay, there are a number of ways you can do this I can help you setup an initial recommendation on what products to get please send me an email at [email protected] hope to hear from you soon!

Exchange 2013 Mail Flow Through VPN

I have 2 Exchange servers in 2 different AD sites. Is it possible to route mail flow between the 2 sites through a VPN tunnel? I want to force mail flow between the 2 servers to route externally through the internet.
Appreciate any feedback.

Hi Chester,
we have a DNS record for mail and this record is pointing to our private IP address of CAS server. Network team has done network configuration for that particular IP to route the traffic through VPN tunnel to the Exchange servers in other site. Another thing
for you to think is Private IP request won't go to internet and will go to DNS server in that site and once the DNS server will resolve that request against IP address the traffic will be routed to that server.
Kindly mark this as answer if found helpful. Thanks.
Regards, Riaz Javed Butt | Consultant Microsoft Professional Services MCITP, MCITP (Exchange), MCSE: Messaging, MCITP Office 365 | msexchgeek.wordpress.com

Vista 64 bit and vpn client

I have received the bad news of one of my users had purchased a new machine w/o consulting me! :^(
It's Vista Home Prem. 64 bit. Having been able to avoid the vista thing, I have not done any installs to this point. Does the VPN Vista client work on the 64 bit OS?
Thanks in advance

Any other alternatives?
Originally Posted by Mysterious
shesser wrote:
> I have received the bad news of one of my users had purchased a new
> machine w/o consulting me! :^(
> It's Vista Home Prem. 64 bit. Having been able to avoid the vista
> thing, I have not done any installs to this point. Does the VPN Vista
> client work on the 64 bit OS?
>
> Thanks in advance
>
>
no

All the subnets are not reachable over the VPN

Hi all,
We have a EZVPN connection to one of our branch office. Connectivity diagram is attached with this discussion.
HO LAN (10.1.0.0/16 & 192.6.14.0/24) --------- ASA5520-------- Internet ---------- Cisco2911-------- LAN of remote location (10.2.0.0/16)
we are using 10.2.0.0/26 subnet at remote office and 10.1.0.0/16 & 192.6.14.0/24 subnets at HO. From HO through 10.1.0.0/16 & 192.6.14.0/24 all the devices are reachable except the firewall which is connected with GigabitEthernet0/2 interface of cisco2911 router(on which VPN is created).
Its a fortigate firewall and it is reachable locally from the network 10.2.0.0/16. I believe its an issue with phase2 ACLs but didn't able to resolve the issue.
I'm not able to take GUI / CLI interfaces of fortigate firewall even i'm not able to ping the IP of GigabitEthernet0/2 interface of cisco2911.
kindly advise on same.
Below is the configuration of ASA5520 of HO and cisco2911 router of branch office
ASA5520:-
access-list inside_access_in extended permit ip 192.6.14.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list inside_access_in extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.6.14.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list splittunnelacl_JNC_AUH extended permit ip 192.6.14.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list splittunnelacl_JNC_AUH extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list Outside_cryptomap_65534.191 extended permit ip object-group DM_INLINE_NETWORK_103 10.2.0.0 255.255.0.0
jashanmalasa/sec/act# sho run obj
jashanmalasa/sec/act# sho run object-group | b DM_INLINE_NETWORK_103
object-group network DM_INLINE_NETWORK_103
network-object 10.1.0.0 255.255.0.0
network-object 192.6.14.0 255.255.255.0
group-policy AUHNEW internal
group-policy AUHNEW attributes
dns-server value 192.6.14.189 192.6.14.182
vpn-access-hours none
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec
ip-comp disable
re-xauth disable
pfs enable
ipsec-udp disable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value
default-domain value xxxxxx
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout none
ip-phone-bypass disable
leap-bypass disable
nem enable
tunnel-group AUHNEW type remote-access
tunnel-group AUHNEW general-attributes
authorization-server-group LOCAL
default-group-policy AUHNEW
tunnel-group AUHNEW ipsec-attributes
pre-shared-key *****
peer-id-validate nocheck
isakmp ikev1-user-authentication none
Cisco2911:-
Current configuration : 10258 bytes
! Last configuration change at 19:06:18 AST Thu May 8 2014 by admin
! NVRAM config last updated at 19:01:43 AST Thu May 8 2014 by admin
! NVRAM config last updated at 19:01:43 AST Thu May 8 2014 by admin
version 15.1
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
hostname AUHOffice_RTR
boot-start-marker
boot system flash:c2900-universalk9-mz.SPA.151-4.M4.bin
boot-end-marker
card type e1 0 0
no aaa new-model
clock timezone AST 4 0
network-clock-participate wic 0
network-clock-select 1 E1 0/0/0
no ipv6 cef
ip source-route
ip cef
ip name-server 213.42.xxx.xxx
multilink bundle-name authenticated
isdn switch-type primary-net5
crypto pki token default removal timeout 0
voice-card 0
dspfarm
dsp services dspfarm
voice service voip
fax protocol pass-through g711ulaw
voice class codec 1
codec preference 1 g711ulaw
codec preference 2 g711alaw
codec preference 3 g729r8
codec preference 4 g729br8
voice class h323 1
h225 timeout tcp establish 3
voice translation-rule 1
rule 1 /^9$.*$/ /\1/
voice translation-rule 2
rule 1 /^0$2.......$$/ /00\1/
rule 2 /^0$3.......$$/ /00\1/
rule 3 /^0$4.......$$/ /00\1/
rule 4 /^0$5........$$/ /00\1/
rule 5 /^0$6.......$$/ /00\1/
rule 6 /^0$7.......$$/ /00\1/
rule 7 /^0$9.......$$/ /00\1/
rule 8 /^00$.*$/ /0\1/
rule 9 /^.......$/ /0&/
rule 10 // /000\1/
voice translation-rule 3
rule 1 /^3../ /026969&/
voice translation-profile FROM_PSTN
translate calling 2
translate called 1
voice translation-profile TO_PSTN
translate calling 3
license udi pid CISCO2911/K9 sn xxxxxxxxx
license accept end user agreement
license boot module c2900 technology-package securityk9
hw-module pvdm 0/0
hw-module sm 1
username admin privilege 15 secret 4 Ckg/sS5mzi4xFYrh1ggXo92THcL6Z0c6ng70wM9oOxg
redundancy
controller E1 0/0/0
framing NO-CRC4
pri-group timeslots 1-10,16
crypto ipsec client ezvpn jashanvpn
connect auto
group AUHNEW key jashvpn786
mode network-extension
peer 83.111.xxx.xxx
acl 150
nat allow
nat acl 110
xauth userid mode interactive
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
ip address 10.2.0.1 255.255.255.248
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1430
ip policy route-map temp
duplex auto
speed auto
crypto ipsec client ezvpn jashanvpn inside
h323-gateway voip interface
h323-gateway voip bind srcaddr 10.2.0.1
interface GigabitEthernet0/1
description *** Connected to 40MB Internet ***
no ip address
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
interface GigabitEthernet0/2
ip address 10.2.0.11 255.255.255.248
duplex auto
speed auto
interface Serial0/0/0:15
no ip address
encapsulation hdlc
isdn switch-type primary-net5
isdn incoming-voice voice
no cdp enable
interface SM1/0
ip unnumbered GigabitEthernet0/0
service-module ip address 10.2.0.3 255.255.255.248
!Application: CUE Running on SM
service-module ip default-gateway 10.2.0.1
interface SM1/1
description Internal switch interface connected to Service Module
no ip address
interface Vlan1
no ip address
interface Dialer0
description *** JASHANMAL 40MB Internet ***
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxxxx
ppp chap password 7 0252150B0C0D5B2748
ppp pap sent-username xxxxxx password 7 15461A5C03217F222C
crypto ipsec client ezvpn jashanvpn
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat inside source route-map nonat interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.2.0.0 255.255.248.0 10.2.0.2
ip route 10.2.0.3 255.255.255.255 SM1/0
ip route 10.2.6.1 255.255.255.255 10.2.0.2
ip route 10.2.7.1 255.255.255.255 10.2.0.2
ip route 172.16.5.0 255.255.255.0 10.2.0.2
access-list 100 deny   ip 10.2.4.0 0.0.0.255 10.1.15.0 0.0.0.255
access-list 100 deny   ip 10.2.4.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 100 deny   ip 10.2.4.0 0.0.0.255 10.1.50.0 0.0.0.255
access-list 100 deny   ip 10.2.4.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 100 deny   ip 172.16.5.0 0.0.0.255 10.1.6.0 0.0.0.255
access-list 100 permit ip 10.2.4.0 0.0.0.255 any
access-list 100 permit ip 172.16.5.0 0.0.0.255 any
access-list 110 deny   ip 10.2.0.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 110 deny   ip 10.2.2.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 110 deny   ip 10.2.3.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 110 deny   ip 10.2.1.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 110 deny   ip 10.2.5.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 110 deny   ip 10.2.5.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 deny   ip 10.2.3.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 deny   ip 10.2.2.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 deny   ip 10.2.1.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 deny   ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 deny   ip 10.2.4.0 0.0.0.255 10.1.9.0 0.0.0.255
access-list 110 deny   ip 10.2.4.0 0.0.0.255 10.1.50.0 0.0.0.255
access-list 110 deny   ip 10.2.4.0 0.0.0.255 10.1.15.0 0.0.0.255
access-list 110 deny   ip 10.2.4.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 110 deny   ip 10.2.4.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 110 deny   ip 10.2.6.0 0.0.0.255 10.1.15.0 0.0.0.255
access-list 110 deny   ip 10.2.6.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 deny   ip 10.2.6.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 110 deny   ip 172.16.5.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 110 deny   ip 172.16.5.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 deny   ip 172.16.5.0 0.0.0.255 10.1.9.0 0.0.0.255
access-list 110 deny   ip 172.16.5.0 0.0.0.255 10.1.50.0 0.0.0.255
access-list 110 deny   ip 172.16.5.0 0.0.0.255 10.1.15.0 0.0.0.255
access-list 110 deny   ip 172.16.5.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 110 permit ip host 10.2.6.1 any
access-list 110 permit ip host 10.2.6.2 any
access-list 110 permit ip host 10.2.6.3 any
access-list 110 permit ip host 10.2.6.4 any
access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 86.96.201.72 eq 10008
access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 86.96.254.136 eq 10008
access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 216.52.207.67 eq www
access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 199.168.151.22 eq www
access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 199.168.148.22 eq www
access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 199.168.149.22 eq www
access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 199.168.150.22 eq www
access-list 110 permit tcp 172.16.5.0 0.0.0.255 any
access-list 150 permit ip 10.2.4.0 0.0.0.255 any
access-list 150 permit ip 10.2.0.0 0.0.0.255 any
access-list 150 permit ip 10.2.1.0 0.0.0.255 any
access-list 150 permit ip 10.2.2.0 0.0.0.255 any
access-list 150 permit ip 10.2.3.0 0.0.0.255 any
access-list 150 permit ip 10.2.5.0 0.0.0.255 any
access-list 150 permit ip 10.2.6.0 0.0.0.255 any
access-list 150 permit ip 172.16.5.0 0.0.0.255 any
access-list 150 permit ip 10.2.7.0 0.0.0.255 any
route-map temp permit 100
match ip address 100
set ip next-hop 10.2.0.9
route-map temp permit 110
route-map nonat permit 10
match ip address 110
snmp-server community xxxxxxxx
snmp-server location JNC AbuDhabi Office
snmp-server contact xxxxxxxx
snmp-server enable traps tty
snmp-server enable traps cpu threshold
snmp-server enable traps syslog
snmp-server host xxxxx version 2c jash
control-plane
voice-port 0/0/0:15
translation-profile incoming FROM_PSTN
bearer-cap Speech
voice-port 0/1/0
voice-port 0/1/1
voice-port 0/1/2
voice-port 0/1/3
mgcp profile default
dial-peer cor custom
name CCM
name 0
name 00
dial-peer cor list CCM
member CCM
member 0
member 00
dial-peer cor list 0
member 0
dial-peer cor list 00
member 0
member 00
dial-peer voice 100 voip
corlist incoming CCM
preference 1
destination-pattern [1-8]..
session target ipv4:10.1.2.12
incoming called-number [1-8]..
voice-class codec 1
voice-class h323 1
dtmf-relay h245-alphanumeric
no vad
dial-peer voice 101 voip
corlist incoming CCM
huntstop
preference 2
destination-pattern [1-8]..
session target ipv4:10.1.2.11
incoming called-number [1-8]..
voice-class codec 1
voice-class h323 1
dtmf-relay h245-alphanumeric
no vad
dial-peer voice 201 pots
corlist outgoing 0
translation-profile outgoing TO_PSTN
destination-pattern 0[1-9]T
incoming called-number .
direct-inward-dial
port 0/0/0:15
dial-peer voice 202 pots
corlist outgoing 0
translation-profile outgoing TO_PSTN
destination-pattern 00[1-9]T
incoming called-number .
direct-inward-dial
port 0/0/0:15
prefix 0
dial-peer voice 203 pots
corlist outgoing 00
translation-profile outgoing TO_PSTN
destination-pattern 000T
incoming called-number .
direct-inward-dial
port 0/0/0:15
prefix 00
gateway
timer receive-rtp 1200
gatekeeper
shutdown
call-manager-fallback
secondary-dialtone 0
max-conferences 8 gain -6
transfer-system full-consult
timeouts interdigit 4
ip source-address 10.2.0.1 port 2000
max-ephones 58
max-dn 100
system message primary Your Current Options SRST Mode
transfer-pattern .T
alias 1 300 to 279
call-forward pattern .T
time-zone 35
date-format dd-mm-yy
cor incoming 0 1 100 - 899
line con 0
password 7 030359065206234104
login local
line aux 0
password 7 030359065206234104
login local
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 67
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7 110E1B08431B09014E
login local
transport input all
line vty 5 15
password 7 030359065206234104
login local
transport input all
scheduler allocate 20000 1000
ntp master 1
end

Attached is the result from packet tracer of ASA5520-ASDM

VPN access to server ip question

Our office just had a macmini server installed with Snow Leopard server right up to date. It serves a LAN with 11 other Macs and several printers. The LAN is connected through Asante 24 port FriendlyNet GX5-424W switch which is behind a DSL Netopia 3346N-002K Modem. The router IP is 192.168.1.254, networked machines have IP's through DHCP and some are fixed. We have a fixed IP to the outside world xx.xx.x.xxx. I requested our consulted configure my MBP 10.6.5 for VPN through the system preferences network window to allow me to connect remotely to the server and/or LAN. After a couple failed attempts, which indicated I was connected, but I could not actually mount the server by typing either the IP or server name in the GO>Connect to Server>. My consulted then advised that I would need to change the domain of my home network to 192.168.x.yyy, where x is anything but 1. This is reasonably easy to achieve, but does not really resolve the problem, because my intent was to connect while traveling where I have no control over the domain. I hope I am communicating this correctly. It does not appear to be easy to change the domain of the Netopia, even if I was bold enough to suggest messing around with it to the others at my firm. There are three of us who would like to be able to connect remotely from time to time. Are we out of luck to do it through the built in VPN option, and/or what other options are available. Thank you.

To complete my previous post:
I don't use a fixed ip, but have a dyndns account pointing to our router.
(1) In the server admin part where you put the VPN-settings:
- i use the upper range of my ip-addresses to be distributed to my VPN clients. The same subnet but starting at 192.x.x.133 (i know my biggest number in my lan is 192.x.x.45)
- authentication: ms-chap + shared key
(2) In the network preferences of your client computer: add a vpn-interface using the right connection parameters.
(3) Start testing your configuration inside your lan, and see if you get a vpn-connection. If that works, the problem probably is a port that your router doesn't open (or your forget to set it open in the interface)
Message was edited by: stefaang

Really Need Some Help with CME 8.6 using IOS as Firewall and Anyconnect VPN on Phones

Hello,
I have a 2911 Router with IOS Security and Voice enabled and we are using CME 8.6. I am using a built-in Anyconnect VPN on 3 phones that are for remote users and thus I needed to enable security zones on the router which works because the remote phones will boot up, get their phone configs and I am able to call those remote phones from an outside line.
The issue I am having is that when I try to dial a remote phone connected via the VPN through port g0/0 from and internal office phone, i.e., NOT involving the PSTN then there is no audio. It's as if no audio is going back and forth. When I take off the security zones from the virtual-template interface and the g0/0 interface then the audio works great and I can reach the phone from internal as I am supposed to.
Could someone take a peek at my security config and see why audio would not be traveling through the VPN when I have my security zones turned on?
clock timezone PST -8 0
clock summer-time PST recurring
network-clock-participate wic 0
network-clock-select 1 T1 0/0/0
no ipv6 cef
ip source-route
ip cef
ip dhcp excluded-address 192.168.8.1 192.168.8.19
ip dhcp pool owhvoip
network 192.168.8.0 255.255.248.0
default-router 192.168.8.1
option 150 ip 192.168.8.1
lease 30
multilink bundle-name authenticated
isdn switch-type primary-ni
crypto pki server cme_root
database level complete
grant auto
lifetime certificate 7305
lifetime ca-certificate 7305
crypto pki token default removal timeout 0
crypto pki trustpoint cme_root
enrollment url http://192.168.8.1:80
revocation-check none
rsakeypair cme_root
crypto pki trustpoint cme_cert
enrollment url http://192.168.8.1:80
revocation-check none
crypto pki trustpoint TP-self-signed-2736782807
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2736782807
revocation-check none
rsakeypair TP-self-signed-2736782807
voice-card 0
dspfarm
dsp services dspfarm
voice service voip
allow-connections h323 to h323
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
vpn-group 1
vpn-gateway 1 https://66.111.111.111/SSLVPNphone
vpn-trustpoint 1 trustpoint cme_cert leaf
vpn-profile 1
host-id-check disable
voice class codec 1
codec preference 1 g711ulaw
voice class custom-cptone jointone
dualtone conference
frequency 600 900
cadence 300 150 300 100 300 50
voice class custom-cptone leavetone
dualtone conference
frequency 400 800
cadence 400 50 200 50 200 50
voice translation-rule 1
rule 1 /9400/ /502/
rule 2 /9405/ /215/
rule 3 /9410/ /500/
voice translation-rule 2
rule 1 /.*/ /541999999/
voice translation-rule 100
rule 1 /^9/ // type any unknown plan any isdn
voice translation-profile Inbound_Calls_To_CUE
translate called 1
voice translation-profile InternationalType
translate called 100
voice translation-profile Local-CLID
translate calling 2
license udi pid CISCO2911/K9 sn FTX1641AHX3
hw-module pvdm 0/0
hw-module pvdm 0/1
hw-module sm 1
username routeradmin password 7 091649040910450B41
username cmeadmin privilege 15 password 7 03104803040E375F5E4D5D51
redundancy
controller T1 0/0/0
cablelength long 0db
pri-group timeslots 1-12,24
class-map type inspect match-any sslvpn
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-all router-access
match access-group name router-access
policy-map type inspect firewall-policy
class type inspect sslvpn
inspect
class class-default
drop
policy-map type inspect outside-to-router-policy
class type inspect router-access
inspect
class class-default
drop
zone security trusted
zone security internet
zone-pair security trusted-to-internet source trusted destination internet
service-policy type inspect firewall-policy
zone-pair security untrusted-to-trusted source internet destination trusted
service-policy type inspect outside-to-router-policy
interface Loopback0
ip address 192.168.17.1 255.255.248.0
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
description Internet
ip address dhcp
no ip redirects
no ip proxy-arp
zone-member security internet
duplex auto
speed auto
interface GigabitEthernet0/1
ip address 192.168.8.1 255.255.248.0
duplex auto
speed auto
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
interface Serial0/0/0:23
no ip address
encapsulation hdlc
isdn switch-type primary-ni
isdn incoming-voice voice
no cdp enable
interface Integrated-Service-Engine1/0
ip unnumbered Loopback0
service-module ip address 192.168.17.2 255.255.248.0
!Application: CUE Running on NME
service-module ip default-gateway 192.168.17.1
no keepalive
interface Virtual-Template1
ip unnumbered GigabitEthernet0/0
zone-member security trusted
ip local pool SSLVPNPhone_pool 192.168.9.1 192.168.9.5
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip http path flash:/cme-gui-8.6.0
ip route 192.168.17.2 255.255.255.255 Integrated-Service-Engine1/0
ip access-list extended router-access
permit tcp any host 66.111.111.111 eq 443
tftp-server flash:apps31.9-3-1ES26.sbn
control-plane
voice-port 0/0/0:23
voice-port 0/3/0
voice-port 0/3/1
mgcp profile default
sccp local GigabitEthernet0/1
sccp ccm 192.168.8.1 identifier 1 priority 1 version 7.0
sccp
sccp ccm group 1
bind interface GigabitEthernet0/1
associate ccm 1 priority 1
associate profile 1 register CME-CONF
dspfarm profile 1 conference
codec g729br8
codec g729r8
codec g729abr8
codec g729ar8
codec g711alaw
codec g711ulaw
maximum sessions 4
associate application SCCP
dial-peer voice 500 voip
destination-pattern 5..
session protocol sipv2
session target ipv4:192.168.17.2
dtmf-relay sip-notify
codec g711ulaw
no vad
dial-peer voice 10 pots
description Incoming Calls To AA
translation-profile incoming Inbound_Calls_To_CUE
incoming called-number .
port 0/0/0:23
dial-peer voice 20 pots
description local 10 digit dialing
translation-profile outgoing Local-CLID
destination-pattern 9[2-9].........
incoming called-number .
port 0/0/0:23
forward-digits 10
dial-peer voice 30 pots
description long distance dialing
translation-profile outgoing Local-CLID
destination-pattern 91..........
incoming called-number .
port 0/0/0:23
forward-digits 11
dial-peer voice 40 pots
description 911
destination-pattern 911
port 0/0/0:23
forward-digits all
dial-peer voice 45 pots
description 9911
destination-pattern 9911
port 0/0/0:23
forward-digits 3
dial-peer voice 50 pots
description international dialing
translation-profile outgoing InternationalType
destination-pattern 9T
incoming called-number .
port 0/0/0:23
dial-peer voice 650 pots
huntstop
destination-pattern 650
fax rate disable
port 0/3/0
gatekeeper
shutdown
telephony-service
protocol mode ipv4
sdspfarm units 5
sdspfarm tag 1 CME-CONF
conference hardware
moh-file-buffer 90
no auto-reg-ephone
authentication credential cmeadmin tshbavsp$$4
max-ephones 50
max-dn 200
ip source-address 192.168.8.1 port 2000
service dnis dir-lookup
timeouts transfer-recall 30
system message Oregon's Wild Harvest
url services http://192.168.17.2/voiceview/common/login.do
url authentication http://192.168.8.1/CCMCIP/authenticate.asp
cnf-file location flash:
cnf-file perphone
load 7931 SCCP31.9-3-1SR4-1S.loads
load 7936 cmterm_7936.3-3-21-0.bin
load 7942 SCCP42.9-3-1SR4-1S.loads
load 7962 SCCP42.9-4-2-1S.loads
time-zone 5
time-format 24
voicemail 500
max-conferences 8 gain -6
call-park system application
call-forward pattern .T
moh moh.wav
web admin system name cmeadmin secret 5 $1$60ro$u.0r/cno/OD2JmtvPq4w9.
dn-webedit
transfer-digit-collect orig-call
transfer-system full-consult
transfer-pattern .T
fac standard
create cnf-files version-stamp Jan 01 2002 00:00:00
ephone-template 1
softkeys connected Hold Park Confrn Trnsfer Endcall ConfList TrnsfVM
button-layout 7931 2
ephone-template 2
softkeys idle Dnd Gpickup Pickup Mobility
softkeys connected Hold Park Confrn Mobility Trnsfer TrnsfVM
button-layout 7931 2
ephone-dn 1 dual-line
number 200
label Lisa
name Lisa Ziomkowsky
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 2 dual-line
number 201
label Dylan
name Dylan Elmer
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 3 dual-line
number 202
label Kimberly
name Kimberly Krueger
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 4 dual-line
number 203
label Randy
name Randy Buresh
mobility
snr calling-number local
snr 915035042317 delay 5 timeout 15 cfwd-noan 500
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 5 dual-line
number 204
label Mark
name Mark McBride
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 6 dual-line
number 205
label Susan
name Susan Sundin
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 7 dual-line
number 206
label Rebecca
name Rebecca Vaught
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 8 dual-line
number 207
label Ronnda
name Ronnda Daniels
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 9 dual-line
number 208
label Matthew
name Matthew Creswell
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 10 dual-line
number 209
label Nate
name Nate Couture
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 11 dual-line
number 210
label Sarah
name Sarah Smith
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 12 dual-line
number 211
label Janis
name Janis McFerren
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 13 dual-line
number 212
label Val
name Val McBride
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 14 dual-line
number 213
label Shorty
name Arlene Haugen
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 15 dual-line
number 214
label Ruta
name Ruta Wells
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 16 dual-line
number 215
label 5415489405
name OWH Sales
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 17 dual-line
number 216
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 18 dual-line
number 217
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 19 dual-line
number 218
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 20 dual-line
number 219
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 21 dual-line
number 220
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 22 dual-line
number 221
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 23 dual-line
number 222
label Pam
name Pam Buresh
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 24 dual-line
number 223
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 25 dual-line
number 224
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 26 dual-line
number 225
label Elaine
name Elaine Mahan
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 27 octo-line
number 250
label Shipping
name Shipping
ephone-dn 28 dual-line
number 251
label Eli
name Eli Nourse
call-forward busy 500
call-forward noan 500 timeout 10
ephone-dn 29 dual-line
number 252
ephone-dn 30 dual-line
number 253
ephone-dn 31 octo-line
number 100
label Customer Service
name Customer Service
call-forward busy 500
call-forward noan 500 timeout 12
ephone-dn 32 octo-line
number 101
label Sales
name Sales
call-forward busy 214
call-forward noan 214 timeout 12
ephone-dn 33 dual-line
number 260
label Conference Room
name Conference Room
call-forward busy 100
call-forward noan 100 timeout 12
ephone-dn 100
number 300
park-slot timeout 20 limit 2 recall
description Park Slot For All Company
ephone-dn 101
number 301
park-slot timeout 20 limit 2 recall
description Park Slot for All Company
ephone-dn 102
number 302
park-slot timeout 20 limit 2 recall
description Park Slot for All Company
ephone-dn 103
number 700
name All Company Paging
paging ip 239.1.1.10 port 2000
ephone-dn 104
number 8000...
mwi on
ephone-dn 105
number 8001...
mwi off
ephone-dn 106 octo-line
number A00
description ad-hoc conferencing
conference ad-hoc
ephone-dn 107 octo-line
number A01
description ad-hoc conferencing
conference ad-hoc
ephone-dn 108 octo-line
number A02
description ad-hoc conferencing
conference ad-hoc
ephone 1
device-security-mode none
mac-address 001F.CA34.88AE
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:2 2:31
ephone 2
device-security-mode none
mac-address 001F.CA34.8A03
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:12
ephone 3
device-security-mode none
mac-address 001F.CA34.898B
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
ephone 4
device-security-mode none
mac-address 001F.CA34.893F
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
ephone 5
device-security-mode none
mac-address 001F.CA34.8A71
ephone-template 1
max-calls-per-button 2
username "susan"
paging-dn 103
type 7931
button 1:6
ephone 6
device-security-mode none
mac-address 001F.CA34.8871
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:7 2:31 3:32
ephone 7
device-security-mode none
mac-address 001F.CA34.8998
ephone-template 1
max-calls-per-button 2
username "matthew"
paging-dn 103
type 7931
button 1:9
ephone 8
device-security-mode none
mac-address 001F.CA36.8787
ephone-template 1
max-calls-per-button 2
username "nate"
paging-dn 103
type 7931
button 1:10
ephone 9
device-security-mode none
mac-address 001F.CA34.8805
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:5
ephone 10
device-security-mode none
mac-address 001F.CA34.880C
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:14
ephone 11
device-security-mode none
mac-address 001F.CA34.8935
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:3
ephone 12
device-security-mode none
mac-address 001F.CA34.8995
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:8 2:31
ephone 13
device-security-mode none
mac-address 0021.5504.1796
ephone-template 2
max-calls-per-button 2
paging-dn 103
type 7931
button 1:4
ephone 14
device-security-mode none
mac-address 001F.CA34.88F7
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:23
ephone 15
device-security-mode none
mac-address 001F.CA34.8894
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:26
ephone 16
device-security-mode none
mac-address 001F.CA34.8869
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:28 2:27
ephone 17
device-security-mode none
mac-address 001F.CA34.885F
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:11
ephone 18
device-security-mode none
mac-address 001F.CA34.893C
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:27
ephone 19
device-security-mode none
mac-address 001F.CA34.8873
ephone-template 1
max-calls-per-button 2
paging-dn 103
type 7931
button 1:27
ephone 20
device-security-mode none
mac-address A456.3040.B7DD
paging-dn 103
type 7942
vpn-group 1
vpn-profile 1
button 1:13
ephone 21
device-security-mode none
mac-address A456.30BA.5474
paging-dn 103
type 7942
vpn-group 1
vpn-profile 1
button 1:15 2:16 3:32
ephone 22
device-security-mode none
mac-address A456.3040.B72E
paging-dn 103
type 7942
vpn-group 1
vpn-profile 1
button 1:1
ephone 23
device-security-mode none
mac-address 00E0.75F3.D1D9
paging-dn 103
type 7936
button 1:33
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 67
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
transport input all
scheduler allocate 20000 1000
ntp master
ntp update-calendar
ntp server 216.228.192.69
webvpn gateway sslvpn_gw
ip address 66.111.111.111 port 443
ssl encryption 3des-sha1 aes-sha1
ssl trustpoint cme_cert
inservice
webvpn context sslvpn_context
ssl encryption 3des-sha1 aes-sha1
ssl authenticate verify all
policy group SSLVPNphone
functions svc-enabled
hide-url-bar
svc address-pool "SSLVPNPhone_pool" netmask 255.255.248.0
svc default-domain "bendbroadband.com"
virtual-template 1
default-group-policy SSLVPNphone
gateway sslvpn_gw domain SSLVPNphone
authentication certificate
ca trustpoint cme_root
inservice
end

I think your ACL could be the culprit.
ip access-list extended router-access
permit tcp any host 66.111.111.111 eq 443
Would you be able to change the entry to permit ip any any (just for testing purpose) and then test to see if the calls function properly. If they work fine then we know that we need to open som ports there.
Please remember to select a correct answer and rate helpful posts

Remote access vpn not working, VPNC client

Hi,
I have configured a remote access vpn client on cisco ASA 5520 with the following configuration. we are using cisco vpn client.
tunnel-group consultant type remote-access
tunnel-group consultant general-attributes
address-pool VPN
authentication-server-group RSA-AAA LOCAL
default-group-policy consultant
tunnel-group consultant ipsec-attributes
pre-shared-key *
group-policy consultant internal
group-policy consultant attributes
vpn-idle-timeout 120
vpn-session-timeout 720
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value access-spilt
access-list access-spilt standard permit host 10.101.50.60
One of the linux users is using vpnc and once the user connects to the vpn and the user adds a static route on the machine with the destination pointing to the vpn interface, for example 10.101.50.0/24, user is able to reach all the hosts in the subnet even though the access list on the firewall is configured for one host 10.101.50.60.
I did the same test on a windows machine, but was only able to reach the specific host allowed through vpn. why is the network filter not working for vpnc. please advise.
Thanks

Hi have solved the issue . enabling the demo 3DES & AES now my VPN is connecting
https://tools.cisco.com/SWIFT/LicensingUI/loadDemoLicensee?FormId=139
thx to friend "Jennifer Halim"

Easy VPN Server? Hmmm.. Not so Easy...

I used the Cisco Configuration Professional to add an Easy VPN Server to my 3825. I'm able to connect when remote but I can't ping the default gateway of 192.168.1.1 which is in the same network as the VPN DHCP pool. I can access every single other device on the VLAN segments but not the default gateway which means when i connect I can't look at my router. And there's more, I cannot ping anything offnet (ie 75.75.75.75). Below is my config. Attached are some images which show some details from the client during the VPN connect and a few from the router (i had to use the lan switch as a jump host). If you can figure this out before I go back to the coffee shop to test this tomorrow I will send you a cake.
One thing I just thought of, does the virtual-tempalte 1 interface have to have "nat inside" applied?
Current configuration : 12356 bytes
! Last configuration change at 17:21:16 EDT Sat Nov 24 2012 by cluettr
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname router-wan
boot-start-marker
boot system flash:c3825-advipservicesk9-mz.151-4.M5.bin
boot-end-marker
logging buffered 100000000
enable password xxxxxxxxxx
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa session-id common
clock timezone EDT -4 0
dot11 syslog
no ip source-route
ip dhcp excluded-address 192.168.1.1 192.168.1.199
ip dhcp excluded-address 172.16.2.1 172.16.2.199
ip dhcp excluded-address 172.16.3.1 172.16.3.199
ip dhcp excluded-address 172.16.4.1 172.16.4.199
ip dhcp pool 192.168.1.0
network 192.168.1.0 255.255.255.0
dns-server 192.168.1.1
default-router 192.168.1.1
lease infinite
ip dhcp pool 172.16.2.0
network 172.16.2.0 255.255.255.0
dns-server 172.168.2.1
default-router 172.168.2.1
lease 0 4
ip dhcp pool 172.16.3.0
network 172.16.3.0 255.255.255.0
dns-server 172.16.3.1
default-router 172.16.3.1
lease infinite
ip dhcp pool 172.16.4.0
network 172.16.4.0 255.255.255.0
dns-server 172.16.4.1
default-router 172.16.4.1
lease 0 4
ip dhcp pool 172.16.5.0
network 172.16.5.0 255.255.255.0
dns-server 172.16.5.1
default-router 172.16.5.1
lease infinite
ip cef
ip domain name robcluett.net
no ipv6 cef
multilink bundle-name authenticated
voice-card 0
voice service voip
allow-connections sip to sip
sip
registrar server expires max 600 min 60
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-423317436
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-423317436
revocation-check none
rsakeypair TP-self-signed-423317436
archive
log config
hidekeys
vtp domain robcluett.net
vtp mode transparent
vtp version 2
username xxxxxxx privilege 15 secret 5 $1$q8RN$N/gL80J2Rj9qOILvzXPgS.
redundancy
vlan 3-5
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group cisco
key xxxxxxxxxxxxxxxxxxxx
dns 75.75.75.75
domain robcluett.net
pool SDM_POOL_2
crypto isakmp profile ciscocp-ike-profile-1
   description "VPN Default Profile for Group Cisco"
   match identity group cisco
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   client configuration group cisco
   virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 86400
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
interface Loopback0
description "Circuitless IP Address / Router Source IP"
ip address 172.16.1.1 255.255.255.254
interface GigabitEthernet0/0
description "WAN :: COMCAST via DHCP"
ip address dhcp client-id GigabitEthernet0/0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
duplex full
speed 100
media-type rj45
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
media-type rj45
no mop enabled
interface GigabitEthernet1/0
description "Uplink to switch-core-lan (Catalyst 2948G-GE-TX)"
switchport mode trunk
no ip address
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
interface Vlan1
description "LAN :: VLAN 1 :: PRIVATE 192.168.1.0"
ip address 192.168.1.1 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
interface Vlan2
description "LAN :: VLAN 2 :: PUBLIC 172.16.2.0"
ip address 172.16.2.1 255.255.255.0
ip access-group 102 in
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
interface Vlan3
description "WLAN :: VLAN 3 :: PRIVATE SSID=wlan-ap-private (not broadcast)"
ip address 172.16.3.1 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
interface Vlan4
description "WLAN :: VLAN 4 :: PUBLIC SSID=wlan-ap-public"
ip address 172.16.4.1 255.255.255.0
ip access-group 104 in
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
rate-limit input 1024000 192000 384000 conform-action transmit exceed-action drop
rate-limit output 5120000 960000 1920000 conform-action transmit exceed-action drop
interface Vlan5
description "EDMZ :: VLAN 5 :: 10.10.10.0"
ip address 10.10.10.1 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
interface Vlan6
description "IDMZ :: VLAN 6 :: 10.19.19.0"
ip address 10.19.19.1 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
interface Vlan7
description "LAN :: VLAN 7 :: Voice 172.16.5.0
ip address 172.16.5.1 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
ip local pool SDM_POOL_2 192.168.1.200 192.168.1.254
ip forward-protocol nd
ip flow-export source Loopback0
ip flow-top-talkers
top 10
sort-by bytes
ip dns server
ip nat inside source list 2 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.10.10.10 80 interface GigabitEthernet0/0 80
ip nat inside source static tcp 10.10.10.51 443 interface GigabitEthernet0/0 443
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp 2
logging trap debugging
logging source-interface Loopback0
access-list 2 remark NAT
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 permit 172.16.2.0 0.0.0.255
access-list 2 permit 172.16.3.0 0.0.0.255
access-list 2 permit 172.16.4.0 0.0.0.255
access-list 2 permit 172.16.5.0 0.0.0.255
access-list 2 permit 10.10.10.0 0.0.0.255
access-list 2 permit 10.19.19.0 0.0.0.255
access-list 100 remark WAN Firewall Access List
access-list 100 permit udp any eq bootps any eq bootpc
access-list 100 permit tcp any any eq www
access-list 100 permit udp any eq domain any
access-list 100 permit tcp any any established
access-list 100 deny   ip any any log-input
access-list 102 remark VLAN 2 Prevent Public LAN Access to Other Networks
access-list 102 deny   ip 172.16.2.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 102 deny   ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255 log
access-list 102 deny   ip 172.16.2.0 0.0.0.255 172.16.3.0 0.0.0.255 log
access-list 102 deny   ip 172.16.2.0 0.0.0.255 172.16.4.0 0.0.0.255 log
access-list 102 deny   ip 172.16.2.0 0.0.0.255 172.16.5.0 0.0.0.255 log
access-list 102 permit ip any any
access-list 104 remark VLAN 4 Prevent Public Wifi Access to Other Networks
access-list 104 deny   ip 172.16.4.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 104 deny   ip 172.16.4.0 0.0.0.255 172.16.1.0 0.0.0.255 log
access-list 104 deny   ip 172.16.4.0 0.0.0.255 172.16.2.0 0.0.0.255 log
access-list 104 deny   ip 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 log
access-list 104 deny   ip 172.16.4.0 0.0.0.255 172.16.5.0 0.0.0.255 log
access-list 104 permit ip any any
access-list 105 remark VLAN 5 Prevent EDMZ Access to Other Networks
access-list 105 deny   ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 105 deny   ip 10.10.10.0 0.0.0.255 172.16.2.0 0.0.0.255 log
access-list 105 deny   ip 10.10.10.0 0.0.0.255 172.16.3.0 0.0.0.255 log
access-list 105 deny   ip 10.10.10.0 0.0.0.255 172.16.4.0 0.0.0.255 log
access-list 105 deny   ip 10.10.10.0 0.0.0.255 172.16.5.0 0.0.0.255 log
access-list 105 deny   ip 10.10.10.0 0.0.0.255 10.19.19.0 0.0.0.255 log
access-list 105 permit ip any any
snmp-server trap-source Loopback0
snmp-server location xxxxxxxxxxxxxxxxxxxxx
snmp-server contact xxxxxxxxxxxxxxxxxxxxxxx
control-plane
mgcp profile default
telephony-service
max-conferences 12 gain -6
web admin system name cluettr password 11363894
dn-webedit
transfer-system full-consult
line con 0
line aux 0
line vty 0 4
transport input telnet ssh
transport output all
line vty 5 15
transport input telnet ssh
transport output all
scheduler allocate 20000 1000
ntp logging
ntp source Loopback0
end
router-wan#

I was under the impression that using the virtual template and ip unnumbered allows the interface to respond to the DHCP IP provided to Gi0/0 by my ISP. If I were to make, say, VLAN 1 the VPN interface how would I then access it from the WAN given that it has a Nat'd LAN IP? I guess port forwarding would work if that would have to be in addition to using a VLAN?
> Here's a follow up question which you or someone might be able to answer for me. Sorry for dumping the added question on you. My ultimate goal is to have a WAN accessible VPN and a VPN residing on the local LAN. Reason is so I can secure with encryption any wifi clients I have on the LAN (preventing man-in-the-middle attacks) and be secured at, for exmaple, a coffe shop. I'm not sure if there's a means to have the same configured VPN work when attached locally or remotely? And if roaming in regards to a VPN is something that can be acheived...
As an aside my reason for going to these lengths for security are valid. I've recently encountered a situation where I was hacked (this is my home network) using a MIMA and what I assume to be SSLstrip or some derivative to obtain my email address and password. Wasn't fun, wasn't pretty.

What app and settings do I need for using VPN access

Will I find the app I need to install in the App Store and what are the settings for configuring a vpn

Depends. If you are downloading an app dedicated to VPN connectivity, you would need to consult the vendor. To simply connect via VPN natively:
Settings App > General > VPN > Add VPN configuration (and of course turn VPN ON).

Ask the Expert:Concepts, Configuration and Troubleshooting Layer 2 MPLS VPN – Any Transport over MPLS (AToM)

With Vignesh R. P.
Welcome to the Cisco Support Community Ask the Expert conversation.This is an opportunity to learn and ask questions about concept, configuration and troubleshooting Layer 2 MPLS VPN - Any Transport over MPLS (AToM) with Vignesh R. P.
Cisco Any Transport over MPLS (AToM) is a solution for transporting Layer 2 packets over an MPLS backbone. It enables Service Providers to supply connectivity between customer sites with existing data link layer (Layer 2) networks via a single, integrated, packet-based network infrastructure: a Cisco MPLS network. Instead of using separate networks with network management environments, service providers can deliver Layer 2 connections over an MPLS backbone. AToM provides a common framework to encapsulate and transport supported Layer 2 traffic types over an MPLS network core.
Vignesh R. P. is a customer support engineer in the Cisco High Touch Technical Support center in Bangalore, India, supporting Cisco's major service provider customers in routing and MPLS technologies. His areas of expertise include routing, switching, and MPLS. Previously at Cisco he worked as a network consulting engineer for enterprise customers. He has been in the networking industry for 8 years and holds CCIE certification in the Routing & Switching and Service Provider tracks.
Remember to use the rating system to let Vignesh know if you have received an adequate response.
Vignesh might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Service Provider sub-community discussion forum shortly after the event. This event lasts through through September 21, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

Hi Tenaro,
AToM stands for Any Transport over MPLS and it is Cisco's terminology used for Layer 2 MPLS VPN or Virtual Private Wire Service. It is basically a Layer 2 Point-to-Point Service. AToM basically supports various Layer 2 protocols like Ethernet, HDLC, PPP, ATM and Frame Relay.
The customer routers interconnect with the service provider routers at Layer 2. AToM eliminates the need for the legacy network from the service provider carrying these kinds of traffic and integrates this service into the MPLS network that already transports the MPLS VPN traffic.
AToM is an open standards-based architecture that uses the label switching architecture of MPLS and can be integrated into any network that is running MPLS. The advantage to the customer is that they do not need to change anything. Their routers that are connecting to the service provider routers can still use the same Layer 2 encapsulation type as before and do not need to run an IP routing protocol to the provider edge routers as in the MPLS VPN solution.
The service provider does not need to change anything on the provider (P) routers in the core of the MPLS network. The intelligence to support AToM sits entirely on the PE routers. The core label switching routers (LSRs) only switch labeled packets, whereas the edge LSRs impose and dispose of labels on the Layer 2 frames.
Whereas pseudowire is a connection between the PE routers and emulates a wire that is carrying Layer 2 frames. Pseudowires use tunneling. The Layer 2 frames are encapsulated into a labeled (MPLS) packet. The result is that the specific Layer 2 service—its operation and characteristics—is emulated across a Packet Switched Network.
Another technology that more or less achieves the result of AToM is L2TPV3. In the case of L2TPV3 Layer 2 frames are encapsulated into an IP packet instead of a labelled MPLS packet.
Hope the above explanation helps you. Kindly revert incase of further clarification required.
Thanks & Regards,
Vignesh R P

Slow VPN on RV042

We have PPTP configured on our Cisco RV042 VPN router. About once a day we have a severe slow down with the VPN connection. I did a tracert from home and found this on the last hop:
13 900ms 1104ms 999ms wsip-[our ip address].dc.dc.cox.net
All hops leading to this are fine. Just the last hop to our ip address. Would this be a problem with our RV042 or with the Cox Cable Modem?

Hello mwsmith23,
I would check your Bandwidth settings first to make sure they are at least set to 10MB over your bandwidth provide by your ISP. So if you get 30 down and 10 up I would set the bandwidth for 40 down and 40 up to eliminate the RV042 throttling your traffic. As the RV042 bandwidth is set in Kbps just take your bandwidth and multiply it by 1024.
After that try the following:
To isolate where the latency is at I would do some pings from the local LAN of the RV042.
Each ping would be:
ping "LAN of RV042" -t -l 1500
ping "DG of the RV042's WAN IP addr" -t -l 1500
ping 8.8.8.8 -t -l 1500
Adjust the 1500 to 1472 or adjust by -10 until a ping goes out successfully. So if 1472 fails attempt with 1462 and so forth.
With this test you can see how the internal LAN is processing the traffic to the LAN of the Modem and then to the cloud. If you are seeing excessive traffic to the Modem and to the cloud then it probably is your modem and you should consult your ISP.
Hope this helps,
Michael D.

AnyConnect Client Multiple VPNs

We consult to multiple organizations and are provided VPN access to most of them. Is there a way to configure the AnyConnect to show a list of VPNs to connect to as opposed to having to enter the address everytime we want to connect?

Hi,
For this you can use the "server list" feature in the XML profile:
Server List
Or just use group-alias:
ASA 8.x: Allow Users to Select a Group at WebVPN Login via Group-Alias and Group-URL Method
Let me know.
Portu.
Please rate any post you find helpful.

Consultas - Exportacion Excel Terminal Server

Amigos tengo otro problema
Mis sucursales que trabajan por medio de Terminal server cuando realzan algun query y lo quieren exportar a Excel, se queda bloqueado, el servidor de Terminal server Tiene 12 GB Ram, el vpn esta por un enlace E1, tengo que reiniciar la aplicacion del usuario desde el servidor y no pueden exportar nada.
Espero su ayuda

Hola Oscar
para que funcione tu exportación a excel, trabajando con Terminal Server, debes tomar en cuenta que donde trabajas es en un servidor que fisicamente se encuentra en otra parte de tu empresa de esa cuenta debes otorgar los permisos necesarios al usuario para que pueda ejacutar la aplicación de excel en el servidor.
Basicamente debe estar instalado excel en el servidor y debes verificar que el usuario con el que trabajas pueda ejecutarlo, recuerda que las sesiones en los servidores son perfiles distintos.
Cuando hayas instalado excel y el usuario pueda hacer uso de el entoces la exportación de SAP se abrirá automaticamente.
Ahora bien tienes otra alternativa, generalmente en conexiones con Terminal Server el disco local, del usuario que se conecta, se puede llevar como unidad lógica al servidor, siendo así, puedes buscar tu disco local en el servidor y grabar ahi la consulta que quieres exportar, posteriormente en el equipo local buscas la carpeta en donde guardaste la consulta y la abres con excel.
Espero te sea de utilidad.
Saludos

VPN SonicWall

I would greatly appreciate if you added the SonicWall SSL protocol. I am struggling to make the case of Blackberry towards the IT department and its consultants.
I am suggesting that Apple iOS/Google Android OS both are intrinsically flawed from a security point of view. However, VPN protocols form an important part of the overall picture, and SonicWall sees to be ahead of Juniper SSL and the others. I thought this is what Blackberry leads the industry in - enterprise secure communications, and then Blackberry ought to have the best VPN protocols.
Are you in the process of getting the SonicWall protocol and for when?

Not sure which unit you have, but...
http://www.sonicwall.com/products/vpnglobal_features.html
"SonicWALL SSL-VPN appliances are capable of integrating seamlessly into any network topology, with virtually any third-party firewall."
I'm not certain, but are you asking about how/what to Open Portwise on the Mac, or how to forward those ports from a Router?

VPN consulting

Similar Messages

Maybe you are looking for