Webmail via vpn access
I have a BlackBerry Curve 8330 Silver. It's for personal use primarily, but I also want to have access to my work email. With my other personal email account I do not have a problem.
I can get to my email via a web browser on a PC, but not able to access it with my blackberry using my VPN. I go around in circles.
Go to the browser; it prompts me for my user credentials, which I put in,
then it says successful login,
but bounces right back to asking for my VPN login credentials.
Occasionally, I get the MS Office web access login, put in my credentials and then get bounced back to the VPN login page. Put in my login credentials and start at the top again...
Any ideas? I do NOT want to install Enterprise Server, especially since this is my personal BlackBerry; just tired of having to turn my PC on to check email.
I'm in a vicious cycle... it shouldn't be this hard.
ahmedali68 wrote:
Hi, I'm trying to access the internet via an Intranet access point ...
If you are simply wanting to access the public internet using the Nokia mVPN client, as opposed to accessing a corporate or private intranet, you will need to subscribe to a public VPN gateway provider. Your connection from the phone to the gateway will be VPN protected, from the gateway to your internet destinations will be normal non-VPN connections, using the IP assigned by the gateway.
If a user's VPN needs are simple, the attached Setup Guide may provide more detail than required. The essentials are: the Nokia mVPN client installed, a compatible VPN gateway (IKE/IPSec), and a VPN policy file (configured and installed). The policy file specifies how the client will connect to the gateway.
You can download pre-configured policy files for Nokia mVPN from 12vpn; they are one of the very few VPN gateway providers catering to Symbian users.
Attachments:
Nokia_Mobile_VPN_Setup_Guide_v1.0.pdf 290 KB
Similar Messages
-
Can I use domain name to access local web (& other) services via VPN?
I've just set up a VPN service for our office but, when connected via VPN, I can't seem to access our Wiki Server via our domain (http://example.private/groups/). Instead it will only let me access it via IP (http://192.168.1.2/groups/)
Is it possible to access it via http://example.private/groups/ and if so what do I need to do?
EDIT: actually, same goes with the local iChat and iCal services too.
Message was edited by: Christiaan
Okay, it's sorted. I phoned Apple Support.
The solution is to open Server Admin. Go to VPN Settings, then click on the Client Information tab, then add your local DNS server to the DNS Servers list (in our case 192.168.1.2).
I would have expected the Standard configuration of Leopard Server setup to have added this by default, so I'll submit a bug report when I get a chance. -
Do I need to run DNS on a colo server being accessed remotely via VPN?
My Mac Mini Server is located in a colo site. We generally use it for Web, email and a couple of application-specific services. It has a dedicated IP address. We have a separate DNS service we use to point to the domains on the server located remotely from the server. Forward and reverse lookups work fine from the server, even though the local DNS service is turned off.
However, we now have a couple of things we want to access remotely on the server via VPN (for example, some files via AFP). The firewall blocks remote AFP requests (using the built-in firewall, not a separate box). We can connect via VPN without problems. However, AFP does not work. If I allow AFP in the firewall and try to connect, no problems at all.
Since the Mini is located by itself and will never likely have anything connected to a "local network" (never running DHCP, etc.), there generally doesn't seem to be a need to run DNS on the server.
I suspect the problem is that when you VPN into the server you are on its "local network", whatever that means, so the DNS does not resolve since the local DNS service is not running. However, I am not positive of this.
Must we run local DNS? Does it have to mirror the remote DNS that we currently reference? Can we somehow "reference" the local DNS from VPN clients trying to access local services?
I hope this question makes some sense. Bear with me please....
The Mac Mini is in a data center on a shelf, getting a direct connection to the Internet via ethernet with a fixed IP address (under the covers, I suspect that the data center is using some sort of router or switch, but I am not paying for a hardware firewall or other gateway). There is no local network for the Mini. It is not running DHCP, not handing out NAT addresses, etc. DNS is currently off. Rather than using the local DNS, the Mini is resolving its DNS needs with a DNS server located at another site, over the Internet. This seems to work fine (i.e., changeip confirms it is working and services seem to work).
I am currently using the software firewall built into SLS.
I want to turn on VPN so that remotely located computers can access services on the Mini without having to make the services visible through the firewall.
I am able to connect devices via VPN with little difficulty (iPhones, Macs, etc.). However, when I try to access services (let's use AFP as an example), I cannot access them UNLESS they are allowed through the firewall. This tells me that I am not seeing the services through the VPN, but rather through the Internet directly.
What I meant by "local network" is that the VPN allocates local IP addresses when devices log into the VPN service (10.0.x.x). There is no DHCP allocating these addresses, just VPN.
My question is: why can I not see the services on the Mini blocked by the firewall when successfully logged into VPN on the server? Isn't the whole point of the VPN to gain access to services behind the firewall?
I am guessing (with no particular information to support my thesis) that somehow without DNS running on the Mini, VPN clients are unable to access services on the Mini. I do not know for sure, however, if this is the problem. If it IS a problem, then the question is whether I should completely copy the DNS entries from the remote DNS server to the Mini and start the service. Will that solve the issue? Create conflicts with the DNS (since it is now located on both a remote service and on the Mini)? It certainly will create a maintenance headache since now I will have to maintain the DNS in both places.
I am hesitant to migrate all of my DNS services to the Mini (because I will also have to go to the domain registrars to change where they point, etc.) to eliminate the remote one. And I am not sure it will solve this problem anyway.
Sorry for all of the typing! -
Access AFP, email, Remote Desktop via VPN and local network but NOT web
How can I do this? Right now I can set up all these services where I can access them via VPN only, but not on the local network or via the web. If I want to access them via the local network I have to open up the ports in the firewall, however this opens up access via the web (not requiring VPN) which I do NOT want. How do I remedy this?
-
Unable to access secondary subnet via VPN
I am having a problem with clients accessing a secondary subnet via VPN.
Clients on VPN are given an address on the 192.168.15.0 subnet. Once connected they can access 192.168.16.0 (Production subnet) fine, but are unable to access the 192.168.8.0 secondary subnet. If you are on the 192.168.16.0 subnet in the office you can access the 192.168.8.0 subnet fine. The traffic is coming in via an ASA 5510, then traverses a Juniper firewall and an MPLS router to the secondary subnet. I'm not sure if it's a NAT issue or not. Any help would be helpful.
Below is the config of the ASA. Thank you in advance
ASA Version 8.2(5)
hostname charlotte
domain-name tg.local
enable password v4DuEgO1ZTlkUiaA encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.254.0 Peak10 description Peak10
name 192.168.116.0 Charlotte_Phones description Charlotte_Phones
name 192.168.15.0 Charlotte_SSL_VPN_Clients description Charlotte_SSL_VPN_Clients
name 192.168.17.0 Charlotte_Wireless_Data description Charlotte_Wireless_Data
name 192.168.117.0 Charlotte_Wireless_Phones description Charlotte_Wireless_Phones
name 192.168.5.0 Huntersville description Huntersville
name 192.168.16.1 SRX_Gateway description Juniper_SRX
name 192.168.108.0 Canton_Data description Canton_Data
name 192.168.8.0 Canton_Phones description Canton_Phones
name 192.168.9.0 Canton_Wireless_Data description Canton_Wireless_Data
name 192.168.109.0 Canton_Wireless_Phones description Canton_Wireless_Phones
name 192.168.16.4 TEST_IP description TEST_IP
name 192.168.16.2 CantonGW description Canton GW 192.168.16.2
name 192.168.5.1 HuntersvilleGW
name 10.176.0.0 RS_Cloud description 10.176.0.0/12
name 172.16.8.0 RS_172.16.8.0
name 172.16.48.0 RS_172.16.48.0
name 172.16.52.0 RS_172.16.52.0
name 10.208.0.0 RS_Cloud_New
name 10.178.0.0 RS_10.178.0.0 description Rackspace DEV servers
name 10.178.0.6 RS_10.178.0.6
name 172.16.20.0 RS_172.16.20.0
interface Ethernet0/0
nameif Outside
security-level 0
ip address 70.63.165.219 255.255.255.248
interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.16.202 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
banner login ASA Login - Unauthorized access is prohibited
banner login ASA Login - Unauthorized access is prohibited
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Outside
dns domain-lookup Inside
dns domain-lookup management
dns server-group DefaultDNS
name-server 192.168.16.122
name-server 8.8.8.8
domain-name tg.local
dns server-group defaultdns
name-server 192.168.16.122
domain-name tg.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_2
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object Canton_Phones 255.255.255.0
object-group network DM_INLINE_NETWORK_3
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object Huntersville 255.255.255.0
object-group network DM_INLINE_NETWORK_4
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object Huntersville 255.255.255.0
object-group network DM_INLINE_NETWORK_10
network-object RS_Cloud 255.240.0.0
network-object 172.16.0.0 255.255.252.0
network-object RS_172.16.8.0 255.255.252.0
network-object RS_172.16.48.0 255.255.252.0
network-object RS_172.16.52.0 255.255.252.0
network-object RS_Cloud_New 255.240.0.0
network-object RS_10.178.0.0 255.255.0.0
network-object RS_172.16.20.0 255.255.252.0
network-object 172.16.0.0 255.255.0.0
network-object Canton_Phones 255.255.255.0
object-group network DM_INLINE_NETWORK_7
network-object RS_Cloud 255.240.0.0
network-object 172.16.0.0 255.255.252.0
network-object RS_172.16.8.0 255.255.252.0
network-object RS_172.16.48.0 255.255.240.0
network-object RS_172.16.52.0 255.255.252.0
network-object RS_Cloud_New 255.240.0.0
network-object RS_10.178.0.0 255.255.0.0
network-object RS_172.16.20.0 255.255.252.0
network-object 172.16.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_8
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object Charlotte_Wireless_Data 255.255.255.0
network-object Canton_Data 255.255.255.0
network-object Canton_Phones 255.255.255.0
object-group network DM_INLINE_NETWORK_9
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object Charlotte_Wireless_Data 255.255.255.0
network-object Canton_Data 255.255.255.0
network-object Canton_Phones 255.255.255.0
object-group network DM_INLINE_NETWORK_11
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object Charlotte_Wireless_Data 255.255.255.0
object-group network DM_INLINE_NETWORK_12
network-object RS_Cloud 255.240.0.0
network-object 172.16.0.0 255.255.252.0
network-object RS_172.16.8.0 255.255.252.0
network-object RS_172.16.20.0 255.255.252.0
network-object 172.16.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_13
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object Charlotte_Wireless_Data 255.255.255.0
network-object Canton_Phones 255.255.255.0
network-object Canton_Data 255.255.255.0
network-object Canton_Wireless_Data 255.255.255.0
object-group network DM_INLINE_NETWORK_14
network-object RS_Cloud 255.240.0.0
network-object RS_172.16.48.0 255.255.252.0
network-object RS_172.16.52.0 255.255.252.0
network-object RS_Cloud_New 255.240.0.0
network-object RS_10.178.0.0 255.255.0.0
network-object RS_172.16.20.0 255.255.252.0
network-object 172.16.0.0 255.255.0.0
network-object 172.16.0.0 255.255.252.0
object-group network DM_INLINE_NETWORK_5
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object Charlotte_Wireless_Data 255.255.255.0
network-object Canton_Phones 255.255.255.0
network-object Canton_Data 255.255.255.0
network-object Canton_Wireless_Data 255.255.255.0
object-group network DM_INLINE_NETWORK_6
network-object RS_Cloud 255.240.0.0
network-object RS_Cloud_New 255.240.0.0
network-object 172.16.0.0 255.255.252.0
network-object RS_172.16.8.0 255.255.252.0
network-object RS_172.16.20.0 255.255.252.0
network-object 172.16.0.0 255.255.0.0
network-object Canton_Phones 255.255.255.0
object-group network tgnc074.tg.local
object-group icmp-type DM_INLINE_ICMP_1
icmp-object echo
icmp-object echo-reply
icmp-object traceroute
icmp-object unreachable
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp eq https
object-group icmp-type DM_INLINE_ICMP_2
icmp-object echo
icmp-object echo-reply
icmp-object traceroute
icmp-object unreachable
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
object-group service DM_INLINE_SERVICE_3
service-object ip
service-object icmp echo
service-object icmp echo-reply
object-group network DM_INLINE_NETWORK_1
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
object-group service DM_INLINE_SERVICE_4
service-object ip
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
object-group service DM_INLINE_SERVICE_5
service-object ip
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
object-group network DM_INLINE_NETWORK_15
network-object Canton_Data 255.255.255.0
network-object host CantonGW
object-group service DM_INLINE_SERVICE_6
service-object ip
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
object-group service DM_INLINE_SERVICE_7
service-object ip
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_2 Charlotte_SSL_VPN_Clients 255.255.255.0 any
access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_5 host SRX_Gateway Charlotte_SSL_VPN_Clients 255.255.255.0
access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_7 Charlotte_SSL_VPN_Clients 255.255.255.0 host SRX_Gateway
access-list Inside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list Inside_access_in remark Permit all in Char_ORD_VPN
access-list Inside_access_in extended permit ip object-group DM_INLINE_NETWORK_7 object-group DM_INLINE_NETWORK_8
access-list Inside_access_in remark Permit all out Char_ORD_VPN
access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_9 object-group DM_INLINE_NETWORK_10
access-list Inside_access_in extended permit ip Charlotte_SSL_VPN_Clients 255.255.255.0 any
access-list Inside_access_in remark Permit all in Char_ORD_VPN
access-list Inside_access_in remark Permit all out Char_ORD_VPN
access-list Inside_access_in extended permit ip object-group DM_INLINE_NETWORK_9 object-group DM_INLINE_NETWORK_10 log disable
access-list Tunneled_Network_List standard permit 192.168.16.0 255.255.255.0
access-list Tunneled_Network_List standard permit Charlotte_Phones 255.255.255.0
access-list Tunneled_Network_List standard permit Charlotte_Wireless_Data 255.255.255.0
access-list Tunneled_Network_List standard permit Charlotte_Wireless_Phones 255.255.255.0
access-list Tunneled_Network_List standard permit Peak10 255.255.255.0
access-list Tunneled_Network_List standard permit Canton_Data 255.255.255.0
access-list Tunneled_Network_List standard permit Canton_Phones 255.255.255.0
access-list Tunneled_Network_List standard permit Canton_Wireless_Data 255.255.255.0
access-list Tunneled_Network_List standard permit Canton_Wireless_Phones 255.255.255.0
access-list Tunneled_Network_List standard permit Huntersville 255.255.255.0
access-list Tunneled_Network_List standard permit 172.16.0.0 255.255.252.0
access-list Tunneled_Network_List standard permit RS_172.16.8.0 255.255.252.0
access-list Tunneled_Network_List standard permit RS_Cloud 255.240.0.0
access-list Tunneled_Network_List standard permit RS_Cloud_New 255.240.0.0
access-list Tunneled_Network_List standard permit RS_172.16.20.0 255.255.252.0
access-list Tunneled_Network_List standard permit Charlotte_SSL_VPN_Clients 255.255.255.0
access-list Tunneled_Network_List standard permit 172.16.0.0 255.255.0.0
access-list Inside_nat0_outbound extended permit ip Charlotte_SSL_VPN_Clients 255.255.255.0 object-group DM_INLINE_NETWORK_2
access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_11 object-group DM_INLINE_NETWORK_12
access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6
access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
access-list Limited_Access extended permit ip Charlotte_SSL_VPN_Clients 255.255.255.0 host TEST_IP
access-list Limited__VPN_Acccess_List standard permit host 192.168.16.123
access-list Limited__VPN_Acccess_List standard permit Huntersville 255.255.255.0
access-list Limited__VPN_Acccess_List standard permit host 192.168.16.124
access-list Limited__VPN_Acccess_List standard permit 192.168.16.0 255.255.255.0
access-list Limited__VPN_Acccess_List standard permit host 172.16.8.52
access-list Limited__VPN_Acccess_List standard permit Canton_Phones 255.255.255.0
access-list Limited__VPN_Acccess_List remark ORD-VM-DEV1
access-list Limited__VPN_Acccess_List standard permit host RS_10.178.0.6
access-list Limited__VPN_Acccess_List remark ORD-VM-DEV2
access-list Limited__VPN_Acccess_List standard permit host 10.178.192.103
access-list Limited__VPN_Acccess_List standard permit host 192.168.8.10
access-list Limited__VPN_Acccess_List standard permit RS_172.16.8.0 255.255.252.0
access-list Limited__VPN_Acccess_List standard permit 172.16.0.0 255.255.0.0
access-list Limited__VPN_Acccess_List standard permit host 10.178.133.26
access-list Limited__VPN_Acccess_List standard permit RS_Cloud_New 255.240.0.0
access-list Limited__VPN_Acccess_List standard permit host CantonGW
access-list Limited__VPN_Acccess_List standard permit host SRX_Gateway
access-list Limited__VPN_Acccess_List standard permit host 192.168.8.1
access-list Limited__VPN_Acccess_List standard permit RS_Cloud 255.240.0.0
access-list Limited__VPN_Acccess_List standard permit any
access-list Limited__VPN_Acccess_List remark TGTFS
access-list Limited__VPN_Acccess_List remark TGDEV
access-list Limited__VPN_Acccess_List remark TGTFS
access-list Limited__VPN_Acccess_List remark TGDEV
access-list Outside_cryptomap extended permit ip 192.168.16.0 255.255.255.0 Huntersville 255.255.255.0
access-list Outside_cryptomap extended permit ip Huntersville 255.255.255.0 Charlotte_SSL_VPN_Clients 255.255.255.0
access-list Huntersville_nat_outbound extended permit ip Charlotte_SSL_VPN_Clients 255.255.255.0 Huntersville 255.255.255.0
access-list Huntersville_nat_outbound extended permit ip Huntersville 255.255.255.0 Charlotte_SSL_VPN_Clients 255.255.255.0
access-list Huntersville_nat_outbound extended permit ip Canton_Phones 255.255.255.0 Charlotte_SSL_VPN_Clients 255.255.255.0
access-list Huntersville_nat_outbound extended permit ip Charlotte_SSL_VPN_Clients 255.255.255.0 Canton_Phones 255.255.255.0
access-list Outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6
access-list Outside_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_13 object-group DM_INLINE_NETWORK_14
access-list Outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_2 log disable
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any Charlotte_SSL_VPN_Clients 255.255.255.0
access-list Outside_access_in extended permit ip Huntersville 255.255.255.0 any log disable
access-list Outside_access_in extended permit ip Charlotte_SSL_VPN_Clients 255.255.255.0 any log disable
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_4 host SRX_Gateway Charlotte_SSL_VPN_Clients 255.255.255.0 inactive
access-list Outside_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6
access-list Outside_cryptomap_2 extended permit ip 192.168.16.0 255.255.255.0 RS_172.16.20.0 255.255.252.0
access-list Canton_nat_outbound extended permit object-group DM_INLINE_SERVICE_6 Charlotte_SSL_VPN_Clients 255.255.255.0 object-group DM_INLINE_NETWORK_15
access-list splitacl standard permit 192.168.16.0 255.255.255.0
pager lines 24
logging enable
logging console emergencies
logging monitor informational
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool SSL_VPN_Pool 192.168.15.10-192.168.15.254 mask 255.255.255.0
ip local pool New_VPN_Pool 192.168.16.50-192.168.16.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Inside
no asdm history enable
arp timeout 14400
nat (Outside) 0 access-list Huntersville_nat_outbound
nat (Inside) 0 access-list Inside_nat0_outbound
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 70.63.165.217 1
route Inside Canton_Phones 255.255.255.0 CantonGW 1
route Inside Canton_Wireless_Data 255.255.255.0 CantonGW 1
route Inside Charlotte_SSL_VPN_Clients 255.255.255.0 SRX_Gateway 1
route Inside Charlotte_Wireless_Data 255.255.255.0 SRX_Gateway 1
route Inside Canton_Data 255.255.255.0 CantonGW 1
route Inside Canton_Wireless_Phones 255.255.255.0 CantonGW 1
route Inside Charlotte_Phones 255.255.255.0 SRX_Gateway 1
route Inside 192.168.116.219 255.255.255.255 CantonGW 1
route Inside Charlotte_Wireless_Phones 255.255.255.0 SRX_Gateway 1
route Inside Peak10 255.255.255.0 SRX_Gateway 1
timeout xlate 3:00:00
timeout conn 8:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record TGAD_AccessPolicy
aaa-server TGAD protocol ldap
aaa-server TGAD (Inside) host 192.168.16.122
ldap-base-dn DC=tg,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=vpn user,CN=Users,DC=tg,DC=local
server-type microsoft
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa local authentication attempts max-fail 10
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.16.0 255.255.255.0 Inside
http Charlotte_SSL_VPN_Clients 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map0 1 match address Outside_cryptomap
crypto map Outside_map0 1 set pfs
crypto map Outside_map0 1 set peer 74.218.175.168
crypto map Outside_map0 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map0 2 match address Outside_cryptomap_2
crypto map Outside_map0 2 set peer 192.237.229.119
crypto map Outside_map0 2 set transform-set ESP-3DES-MD5
crypto map Outside_map0 3 match address Outside_cryptomap_1
crypto map Outside_map0 3 set peer 174.143.192.65
crypto map Outside_map0 3 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map0 interface Outside
crypto map Inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Inside_map interface Inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=charlotte
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
subject-name CN=charlotte
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint1
certificate 48676150
3082024c 308201b5 a0030201 02020448 67615030 0d06092a 864886f7 0d010105
05003038 31123010 06035504 03130963 6861726c 6f747465 31223020 06092a86
4886f70d 01090216 13636861 726c6f74 74652e74 68696e6b 67617465 301e170d
31323039 32353038 31373333 5a170d32 32303932 33303831 3733335a 30383112
30100603 55040313 09636861 726c6f74 74653122 30200609 2a864886 f70d0109
02161363 6861726c 6f747465 2e746869 6e6b6761 74653081 9f300d06 092a8648
86f70d01 01010500 03818d00 30818902 8181008e d3e1ac63 a8a39dab 02170491
2bf104d2 732c7fd7 7065758b 03bb9772 c8ab9faf 0e5e9e93 bfb57eea a849c875
7899d261 8d426c37 9749d3d7 c86ca8e0 1d978069 3d43e7c5 569bb738 37e9bb31
0ebd5065 01eb7a05 87933d2d 786a722e 8eee16e7 3207510b f5e7e704 cbddbda2
a6b9ae45 efaba898 b8c921b6 2b05c0fb 1b0a9b02 03010001 a3633061 300f0603
551d1301 01ff0405 30030101 ff300e06 03551d0f 0101ff04 04030201 86301f06
03551d23 04183016 8014fb93 35da7dd5 15d8e2ad 8e05ccf7 b5c333cc 95ac301d
0603551d 0e041604 14fb9335 da7dd515 d8e2ad8e 05ccf7b5 c333cc95 ac300d06
092a8648 86f70d01 01050500 03818100 6851ae52 5383c6f6 9e3ea714 85b2c5a0
fd720959 a0b91899 806bad7a 08e2208e de22cad0 6692b09a 7152b21e 3bbfce68
cc9f1391 8c460a04 a15e1a9e b18f829d 6d42d9bd ed5346bd 73a402f7 21e0c746
02757fb6 b60405a9 ac3b9070 8c0f2fba d12f157b 85dd0a8b 2e9cf830 90a19412
c7af1667 37b5ed8e c023ea4d 0c434609
quit
crypto isakmp enable Outside
crypto isakmp enable Inside
crypto isakmp policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 170
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 5
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh 172.221.228.164 255.255.255.255 Outside
ssh Charlotte_SSL_VPN_Clients 255.255.255.0 Inside
ssh 192.168.16.0 255.255.255.0 Inside
ssh timeout 5
console timeout 0
management-access Inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint1 Outside
webvpn
enable Outside
enable Inside
anyconnect-essentials
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1 regex "Windows NT"
svc enable
group-policy DfltGrpPolicy attributes
dns-server value 192.168.16.122 8.8.8.8
vpn-idle-timeout none
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Limited__VPN_Acccess_List
default-domain value tg.local
split-dns value tg.local
group-policy LimitedAccessGroupPolicy internal
group-policy LimitedAccessGroupPolicy attributes
wins-server none
dns-server value 192.168.16.122 8.8.8.8
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Limited__VPN_Acccess_List
default-domain value thinkgate.local
split-tunnel-all-dns disable
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
vpn-tunnel-protocol IPSec
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
wins-server none
dns-server value 192.168.16.122 8.8.8.8
vpn-tunnel-protocol svc
default-domain value tg.local
group-policy Site-to-Site_Policy internal
group-policy Site-to-Site_Policy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
default-group-policy LimitedAccessGroupPolicy
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool SSL_VPN_Pool
tunnel-group LimitedAccessTunnelGroup type remote-access
tunnel-group LimitedAccessTunnelGroup general-attributes
address-pool SSL_VPN_Pool
default-group-policy LimitedAccessGroupPolicy
tunnel-group 208.104.76.178 type ipsec-l2l
tunnel-group 208.104.76.178 ipsec-attributes
pre-shared-key *****
tunnel-group 74.218.175.168 type ipsec-l2l
tunnel-group 74.218.175.168 ipsec-attributes
pre-shared-key *****
tunnel-group TGAD_ConnectionProfile type remote-access
tunnel-group TGAD_ConnectionProfile general-attributes
authentication-server-group TGAD
default-group-policy GroupPolicy1
tunnel-group 174.143.192.65 type ipsec-l2l
tunnel-group 174.143.192.65 general-attributes
default-group-policy GroupPolicy2
tunnel-group 174.143.192.65 ipsec-attributes
pre-shared-key *****
tunnel-group 192.237.229.119 type ipsec-l2l
tunnel-group 192.237.229.119 ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:ef741b4905b43dc36d0f621e06508840
: end
charlotte#
What does the packet-tracer say, what do the IPsec associations say (packets encrypted/decrypted)?
This might be faster than going through your hundreds of lines of config.
-
Can't access management interface via vpn connection
Hi all,
I can't seem to be able to manage my ASA 5510 when I connect via VPN. My ASA sits at a remote colo, and from my office I can connect fine. I have it configured as management-access (dmz), because as of now we are just doing some staging and all the servers are in the dmz interface.
When I connect with the VPN client, in the routes it sees 192.168.1.0 255.255.255.0, which is the management network/interface.
For some reason I can't get access to 192.168.1.1 to use the ASDM.
Here is how I did my VPN via CLI:
isakmp enable outside
isakmp identity address
isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
ip local pool vpnpool 10.1.1.2-10.1.1.10
access-list split_tunnel standard permit 192.168.200.0 255.255.255.0
access-list split_tunnel standard permit 192.168.100.0 255.255.255.0
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
group-policy xxxxx internal
group-policy xxxxx attributes
dns value
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
username xxxxx password
username xxxxxx attributes
vpn-group-policy xxxx
username xxxxxx password
username xxxxxx attributes
vpn-group-policy xxxx
username xxxx password
username xxxx attributes
vpn-group-policy xxxx
tunnel-group xxxx type ipsec-ra
tunnel-group xxxx general-attributes
address-pool vpnpool
tunnel-group xxxx ipsec-attributes
pre-shared-key
access-list vpnra permit ip 192.168.200.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list vpnra permit ip 192.168.100.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list vpnra permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list vpnra
nat (dmz) 0 access-list vpnra
nat (management) 0 access-list vprna
crypto ipsec transform-set md5des esp-des esp-md5-hmac
crypto dynamic-map dynomap 10 set transform-set md5des
crypto map vpnpeer 20 ipsec-isakmp dynamic dynomap
crypto map vpnpeer interface outside
Any help would be much appreciated.
It seems like you are missing a line:
management-access "interface"
http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/m_711.html#wp1631964
-
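The reply above points at a missing management-access line; the posted config also references an ACL name (vprna under nat (management) 0) that is never defined, while the defined ACL is vpnra. As an added example, not code from this thread or from Cisco, here is a small Python checker that parses an ASA running-config dump and flags exactly these kinds of inconsistencies: ACL names referenced by nat 0, split-tunnel-network-list, crypto map or access-group but never defined; interfaces whose own subnet is pushed through the split tunnel while management-access names a different interface (to-the-box access to that interface IP over the VPN, e.g. ASDM or SSH, requires management-access on it); and split-tunnel prefixes the ASA itself has no connected subnet or non-default static route for. The embedded config is constructed to resemble the one posted, including the ACL typo; the interface names, addresses and the group-policy name are assumptions.

```python
"""Consistency checks for a Cisco ASA running-config dump (added example)."""
import ipaddress
import re

# Constructed sample modeled on the thread's config; names and addresses are assumptions.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
interface Ethernet0/1
 nameif dmz
 security-level 50
 ip address 192.168.200.1 255.255.255.0
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
ip local pool vpnpool 10.1.1.2-10.1.1.10
access-list split_tunnel standard permit 192.168.200.0 255.255.255.0
access-list split_tunnel standard permit 192.168.100.0 255.255.255.0
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
access-list vpnra extended permit ip 192.168.200.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list vpnra extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
group-policy ravpn internal
group-policy ravpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel
nat (dmz) 0 access-list vpnra
nat (management) 0 access-list vprna
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
management-access dmz
"""

ACL_DEF = re.compile(r"^access-list\s+(\S+)\s")
STD_PERMIT = re.compile(r"^access-list\s+(\S+)\s+standard\s+permit\s+(\S+)\s+(\S+)")
SPLIT_LIST = re.compile(r"^split-tunnel-network-list\s+value\s+(\S+)")
ROUTE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
# Commands that reference an ACL by name; group(1) is the name.
ACL_REFS = [
    re.compile(r"^nat\s+\(\S+\)\s+0\s+access-list\s+(\S+)"),
    SPLIT_LIST,
    re.compile(r"^crypto map\s+\S+\s+\d+\s+match address\s+(\S+)"),
    re.compile(r"^access-group\s+(\S+)\s+(?:in|out)\s+interface"),
]


def lines(cfg):
    """Non-empty config lines with indentation stripped (pasted dumps often lose it)."""
    return [ln.strip() for ln in cfg.splitlines() if ln.strip() and not ln.strip().startswith("!")]


def undefined_acl_references(cfg):
    """[(line, acl_name)] for every reference to an ACL that is never defined."""
    defined = set()
    for ln in lines(cfg):
        m = ACL_DEF.match(ln)
        if m:
            defined.add(m.group(1))
    missing = []
    for ln in lines(cfg):
        for pat in ACL_REFS:
            m = pat.match(ln)
            if m and m.group(1) not in defined:
                missing.append((ln, m.group(1)))
    return missing


def interface_subnets(cfg):
    """nameif -> the interface's own subnet. An 'interface' line opens a block and the
    following nameif / ip address lines are attributed to it, so no indentation is needed."""
    subnets, current, nameif = {}, None, None
    for ln in lines(cfg):
        if ln.startswith("interface "):
            current, nameif = ln.split()[1], None
        elif current and ln.startswith("nameif "):
            nameif = ln.split()[1]
        elif current and nameif and ln.startswith("ip address "):
            _, _, addr, mask = ln.split()[:4]
            subnets[nameif] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return subnets


def management_access(cfg):
    """The interface named by management-access, or None if the line is absent."""
    for ln in lines(cfg):
        if ln.startswith("management-access "):
            return ln.split()[1]
    return None


def split_tunnel_networks(cfg):
    """Networks pushed to VPN clients: entries of every standard ACL used as a split list."""
    names = {m.group(1) for ln in lines(cfg) for m in [SPLIT_LIST.match(ln)] if m}
    nets = []
    for ln in lines(cfg):
        m = STD_PERMIT.match(ln)
        if m and m.group(1) in names:
            nets.append(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False))
    return nets


def management_access_findings(cfg):
    """Interfaces reachable over the split tunnel whose own IP cannot be managed over the
    VPN because management-access names a different interface (or is missing)."""
    ma, nets, findings = management_access(cfg), split_tunnel_networks(cfg), []
    for nameif, subnet in interface_subnets(cfg).items():
        if nameif != ma and any(subnet.subnet_of(n) or n.subnet_of(subnet) for n in nets):
            findings.append(f"{nameif} ({subnet}) is in the split tunnel but management-access is {ma!r}")
    return findings


def unrouted_split_tunnel_prefixes(cfg):
    """Split-tunnel prefixes with no connected subnet or non-default static route on the
    ASA: clients send the traffic into the tunnel, but the ASA can only hand it to its
    default route."""
    covering = list(interface_subnets(cfg).values())
    for ln in lines(cfg):
        m = ROUTE.match(ln)
        if m:
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            if net.prefixlen > 0:  # ignore the default route
                covering.append(net)
    return [n for n in split_tunnel_networks(cfg) if not any(n.subnet_of(c) for c in covering)]


def report(cfg):
    """All findings as human-readable strings."""
    out = [f"undefined ACL {name!r} referenced by: {ln}" for ln, name in undefined_acl_references(cfg)]
    out.extend(management_access_findings(cfg))
    out.extend(f"split-tunnel prefix {n} has no connected subnet or static route on the ASA"
               for n in unrouted_split_tunnel_prefixes(cfg))
    return out


if __name__ == "__main__":
    for finding in report(SAMPLE_CONFIG):
        print(finding)
```

Run it against a saved `show running-config` (pass the file contents to report()) before opening a ticket; on the sample it reports the undefined vprna reference, the management interface sitting in the split tunnel while management-access points at dmz, and the 192.168.100.0/24 split entry that nothing on the ASA routes. The checks are heuristics over static config text: they do not replace packet-tracer or looking at the IPsec SA counters, which is what the first reply asks for.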
VPN Access to an IP that can be accessed via EIGRP
I have a question. I have a VPN that sits on the external interface using the IP range 10.5.79.X/20. I have a production network connected to a corporate network using MPLS and EIGRP to share the routes. The production network can access the corporate network, but the VPN users can't. I need to be able to access anything on that network, which is mainly a 172.18.0.0 network summarized by EIGRP. I had this working before, but can't get it working again after my firewall dumped on me.
ASA Version 8.4(2)
hostname hp-asa-5510-DR
enable password 1qF1n5PuI7A.2DV. encrypted
passwd 1qF1n5PuI7A.2DV. encrypted
names
dns-guard
interface Ethernet0/0
speed 100
duplex full
nameif external
security-level 0
ip address *142.189.26 255.255.255.252
interface Ethernet0/1
nameif internal
security-level 100
ip address 10.5.64.6 255.255.240.0
interface Ethernet0/1.1
vlan 2
nameif Guest
security-level 90
ip address 192.168.3.1 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
boot system disk0:/asa842-k8.bin
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup external
dns domain-lookup internal
dns server-group DefaultDNS
name-server 208.67.222.222
dns server-group Guest
name-server 10.5.64.197
name-server 8.8.8.8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-10.5.65.239
host 10.5.65.239
object network obj-10.5.65.253
host 10.5.65.253
object network obj-10.5.65.42
host 10.5.65.42
object network obj-10.5.65.219
host 10.5.65.219
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Cegedim
subnet 10.5.250.0 255.255.255.248
description dendrite site to site VPN
object network dfb
subnet 10.5.0.0 255.255.0.0
object network lausanne
subnet 192.168.250.0 255.255.255.0
description Lausanne
object network dfbgroup
subnet 10.5.0.0 255.255.0.0
object network DPT
subnet 10.5.16.0 255.255.240.0
object network hpbexch
host 10.5.64.198
object network hpbmsvpn
host 10.5.64.196
object network kacehost
host 10.5.65.189
object network hpbsentry
host 10.5.64.194
object network hpbMDM
host 10.5.64.195
object network hperoom
host 10.5.65.211
description healthpoint eroom server
object network spintranet
host 10.5.65.185
description sharepoint intranet
object network spsales
host 10.5.65.194
description sharepoint sales
object network spteams
host 10.5.65.183
description sharepoint teams
object network Guest
subnet 192.168.3.0 255.255.255.0
object network Crystal
host 10.5.65.203
object network ERPLN
host 10.5.65.234
object network ERPLNDB
host 10.5.65.237
object service dpt
service tcp source range 1 65000 destination range 1 65000
description dpt ports
object network Documentum
host 10.5.17.216
object network DPTDocumentum
host 10.5.17.216
description Documentum
object network EzDocs
host 10.5.17.235
description EzDocs
object network Aerosol
subnet 10.5.32.0 255.255.240.0
object network Brooks
subnet 10.5.128.0 255.255.240.0
object network DPTScience
subnet 10.5.48.0 255.255.240.0
object network LakeWood
subnet 10.5.80.0 255.255.240.0
object network Plant
subnet 10.5.0.0 255.255.240.0
object network warehouse
subnet 10.5.240.0 255.255.240.0
object network NotesApps
host 10.5.65.235
object network DPTNotes
host 10.5.17.246
object network DNSServer
host 10.5.64.197
object network GuestNetwork
subnet 192.168.3.0 255.255.255.0
object network KACE
host 10.5.65.189
object network mdm2
host 10.5.64.195
object network guesterooms
host 10.5.65.211
object network DNSServer2
host 10.5.64.199
object network asa_LAN
host 10.5.64.6
object network guestspsales
host 10.5.65.194
object network JohnsonControlServer
host 10.5.65.33
description JC Server
object network guestexchange
host 10.5.64.198
description Guest Exchange
object network guestmobile2
host 10.5.64.194
object network DPTDocB
host 10.5.17.215
object-group service EDI tcp
port-object eq 50080
port-object eq 6080
port-object eq www
object-group service Exchange tcp
port-object eq 587
port-object eq www
port-object eq https
port-object eq smtp
object-group service Lotus-Sametime tcp
port-object eq 1503
port-object eq 1516
port-object eq 1533
port-object eq 8081
port-object range 8082 8084
port-object range 9092 9094
port-object eq www
port-object eq https
port-object eq lotusnotes
port-object eq rtsp
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service VPN-MS tcp-udp
port-object eq 1701
port-object eq 1723
port-object eq 4500
port-object eq 500
object-group network Verizon-Servers
network-object 216.82.240.0 255.255.240.0
network-object 85.158.136.0 255.255.248.0
network-object 193.109.254.0 255.255.254.0
network-object 194.106.220.0 255.255.254.0
network-object 195.245.230.0 255.255.254.0
network-object 62.231.131.0 255.255.255.0
network-object 64.124.170.128 255.255.255.240
network-object 212.125.74.44 255.255.255.255
network-object 195.216.16.211 255.255.255.255
object-group network FDA_SecureEmail
network-object host 150.148.2.65
network-object host 150.148.2.66
object-group network Web-Server-Stuff
network-object host 204.71.89.34
network-object host 204.71.89.35
network-object host 204.71.89.33
network-object host 66.240.207.149
network-object host 68.168.88.169
network-object host 50.112.164.102
object-group service DFB-eRoom tcp
port-object eq www
port-object eq https
object-group network EDI-Customers
network-object host 129.33.204.13
network-object host 143.112.144.25
network-object host 160.109.101.195
network-object host 198.89.160.113
network-object host 199.230.128.125
network-object host 199.230.128.85
network-object host 205.233.244.208
network-object host 198.89.170.134
network-object host 198.89.170.135
network-object host 199.230.128.54
object-group service MDM tcp
description MobileIron ports
port-object eq 9997
port-object eq 9998
port-object eq https
object-group network OpenDNS
description OpenDNS Servers
network-object host 208.67.220.220
network-object host 208.67.222.222
network-object host 8.8.8.8
network-object host 68.113.206.10
object-group network healthpoint
network-object 10.5.64.0 255.255.240.0
object-group network vpnpool
network-object 10.5.79.0 255.255.255.0
object-group network dfb_group
network-object object dfbgroup
object-group network lausanne_group
network-object 192.168.250.0 255.255.255.0
object-group network DPTNetwork
network-object object DPT
network-object object Aerosol
network-object object Brooks
network-object object LakeWood
network-object object Plant
object-group network DM_INLINE_NETWORK_1
network-object object Cegedim
network-object object lausanne
group-object DPTNetwork
network-object object DPTNotes
object-group service DFB-Allow tcp
port-object eq 1025
port-object eq 1119
port-object eq 1120
port-object range 1222 1225
port-object eq 1433
port-object eq 1503
port-object eq 1516
port-object eq 1533
port-object range 16384 16403
port-object eq 1755
port-object eq 1919
port-object eq 1935
port-object range 2195 2196
port-object eq 3050
port-object eq 3080
port-object eq 3101
port-object eq 3244
port-object eq 3264
port-object eq 3306
port-object eq 3389
port-object eq 3724
port-object eq 4000
port-object eq 402
port-object range 4080 4081
port-object eq 4085
port-object eq 50080
port-object eq 5085
port-object range 5220 5223
port-object eq 5297
port-object eq 5298
port-object eq 5353
port-object eq 5550
port-object eq 5678
port-object eq 58570
port-object eq 5900
port-object eq 6080
port-object eq 6112
port-object eq 6114
port-object eq 6900
port-object eq 7800
port-object eq 8010
port-object eq 8080
port-object eq 8084
port-object eq 81
port-object eq 9081
port-object eq 9090
port-object eq 9997
port-object eq aol
port-object eq citrix-ica
port-object eq echo
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
port-object eq lotusnotes
port-object eq rtsp
port-object eq sip
port-object eq sqlnet
port-object eq ssh
port-object eq 442
object-group network webservers
network-object host 204.71.89.34
network-object host 204.71.89.35
object-group network DM_INLINE_NETWORK_2
network-object object KACE
network-object object guesterooms
network-object object guestspsales
network-object object JohnsonControlServer
network-object object mdm2
object-group network DM_INLINE_NETWORK_3
network-object host 10.5.65.230
network-object host 10.5.65.232
network-object object hpbexch
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group service kace tcp
port-object eq 52230
port-object eq www
port-object eq https
port-object eq 445
port-object eq netbios-ssn
object-group service DM_INLINE_TCP_0 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp destination eq www
service-object tcp destination eq https
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
object-group network VLAN_Switches
network-object host 192.168.10.10
network-object host 192.168.10.11
network-object host 192.168.10.12
network-object host 192.168.10.13
network-object host 192.168.10.14
network-object host 192.168.10.15
network-object host 192.168.10.16
network-object host 192.168.10.17
network-object host 192.168.10.1
object-group network Crystal_ERP
description Crystal Enterprise and Infor LN
network-object object Crystal
network-object object ERPLN
network-object object ERPLNDB
network-object object NotesApps
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object tcp destination eq www
service-object tcp destination eq https
object-group network GuestDNS
description DNS Servers for Guest
network-object object DNSServer
network-object object DNSServer2
object-group service DM_INLINE_TCP_3 tcp
port-object eq 3389
port-object eq 3390
object-group network DM_INLINE_NETWORK_4
group-object healthpoint
group-object vpnpool
access-list external_access_out extended permit object-group DM_INLINE_SERVICE_1 192.168.3.0 255.255.255.0 any
access-list external_access_out remark Production ACL
access-list external_access_out extended permit tcp any any object-group DFB-Allow
access-list external_access_out extended permit icmp any any
access-list external_access_out extended permit tcp any object-group Web-Server-Stuff
access-list external_access_out remark Site to Site connections
access-list external_access_out extended permit ip any object-group DM_INLINE_NETWORK_1
access-list external_access_out extended permit udp any object-group OpenDNS eq domain
access-list external_access_out extended permit ip object-group DM_INLINE_NETWORK_3 any
access-list split standard permit 10.5.64.0 255.255.240.0
access-list split standard permit 10.5.250.0 255.255.255.248
access-list split standard permit 10.5.128.0 255.255.240.0
access-list split standard permit 10.5.144.0 255.255.240.0
access-list split standard permit 10.5.16.0 255.255.240.0
access-list split standard permit 10.5.32.0 255.255.240.0
access-list split standard permit 10.5.96.0 255.255.240.0
access-list split standard permit 10.5.80.0 255.255.240.0
access-list split standard permit 10.5.48.0 255.255.240.0
access-list split standard permit 10.5.0.0 255.255.240.0
access-list split remark lausanne
access-list split standard permit 192.168.250.0 255.255.255.0
access-list split standard permit 172.18.0.0 255.255.0.0
access-list split remark HP
access-list external_access_in extended permit object-group DM_INLINE_SERVICE_2 any 192.168.3.0 255.255.255.0
access-list external_access_in remark Sharepoint
access-list external_access_in extended permit tcp any object spsales object-group DM_INLINE_TCP_2
access-list external_access_in remark Sharepoint
access-list external_access_in extended permit tcp any object spteams object-group DM_INLINE_TCP_1
access-list external_access_in remark Sharepoint
access-list external_access_in extended permit tcp any object spintranet object-group DM_INLINE_TCP_0
access-list external_access_in remark healthpoint erooms
access-list external_access_in extended permit tcp any object hperoom object-group DFB-eRoom
access-list external_access_in remark MDM2 VSP
access-list external_access_in extended permit tcp any object hpbMDM object-group MDM
access-list external_access_in remark New Sentry
access-list external_access_in extended permit tcp any object hpbsentry eq https
access-list external_access_in remark kace mgmt appliacne
access-list external_access_in extended permit tcp any object kacehost object-group kace
access-list external_access_in remark authentication server
access-list external_access_in extended permit object-group TCPUDP any object hpbmsvpn object-group VPN-MS
access-list external_access_in extended permit gre any object hpbmsvpn
access-list external_access_in remark HPB.NET new forest Exchange
access-list external_access_in extended permit tcp any object hpbexch object-group Exchange
access-list external_access_in remark EDI Inbound
access-list external_access_in extended permit tcp any host 10.5.65.42 object-group EDI
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list external_cryptomap extended permit ip object-group healthpoint object Cegedim
access-list external_cryptomap_1 extended permit ip object-group dfb_group object-group lausanne_group
access-list external_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_4 object-group DPTNetwork
access-list Guest_access_in extended deny tcp 192.168.3.0 255.255.255.0 object-group GuestDNS object-group DM_INLINE_TCP_3 inactive
access-list Guest_access_in extended permit ip 192.168.3.0 255.255.255.0 object-group GuestDNS inactive
access-list Guest_access_in extended permit ip 192.168.3.0 255.255.255.0 object-group DM_INLINE_NETWORK_2
access-list Guest_access_in extended deny ip 192.168.3.0 255.255.255.0 10.5.64.0 255.255.240.0
access-list Guest_access_in extended permit ip 192.168.3.0 255.255.255.0 any
access-list Guest_access_out extended permit ip any any inactive
access-list Guest_access_out extended permit ip any 192.168.3.0 255.255.255.0
no pager
logging enable
logging buffer-size 1045786
logging asdm informational
mtu external 1500
mtu internal 1500
mtu Guest 1500
mtu management 1500
ip local pool HPVPNClients 10.5.79.0-10.5.79.254 mask 255.255.255.0
ip verify reverse-path interface external
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any external
icmp permit any internal
asdm image disk0:/asdm-645.bin
no asdm history enable
arp external *142.189.93 0024.c4c0.4cc0
arp timeout 14400
nat (internal,external) source static dfb dfb destination static vpnpool vpnpool route-lookup
nat (internal,external) source static dfb dfb destination static lausanne lausanne
nat (internal,external) source static healthpoint healthpoint destination static Cegedim Cegedim
nat (external,internal) source static DPTNetwork DPTNetwork destination static Crystal_ERP Crystal_ERP no-proxy-arp
nat (internal,external) source static healthpoint healthpoint destination static DPTDocumentum DPTDocumentum unidirectional
nat (internal,external) source static healthpoint healthpoint destination static DPTDocB DPTDocB unidirectional
nat (internal,external) source static healthpoint healthpoint destination static EzDocs EzDocs unidirectional
nat (internal,external) source static healthpoint healthpoint destination static DPTNotes DPTNotes unidirectional
object network obj-10.5.65.239
nat (internal,external) static *142.189.82
object network obj-10.5.65.253
nat (internal,external) static *142.189.83
object network obj-10.5.65.42
nat (internal,external) static *142.189.84
object network obj-10.5.65.219
nat (internal,external) static *142.189.87
object network obj_any
nat (internal,external) dynamic interface dns
object network hpbexch
nat (internal,external) static *142.189.91
object network hpbmsvpn
nat (internal,external) static *142.189.82
object network kacehost
nat (internal,external) static *142.189.90
object network hpbsentry
nat (internal,external) static *142.189.92
object network hpbMDM
nat (internal,external) static *142.189.93
object network hperoom
nat (internal,external) static *142.189.88
object network spintranet
nat (internal,external) static *142.189.85
object network spsales
nat (internal,external) static *142.189.89
object network spteams
nat (internal,external) static *142.189.94
object network GuestNetwork
nat (Guest,external) dynamic interface
access-group external_access_in in interface external
access-group external_access_out out interface external
access-group Guest_access_in in interface Guest
access-group Guest_access_out out interface Guest
route external 0.0.0.0 0.0.0.0 *142.189.25 1
route external 10.5.16.0 255.255.240.0 *142.189.25 1
route external 10.5.32.0 255.255.240.0 *142.189.25 1
route external 10.5.80.0 255.255.240.0 *142.189.25 1
route external 10.5.128.0 255.255.240.0 *142.189.25 1
route external 10.5.240.0 255.255.240.0 *142.189.25 1
route external 10.5.250.0 255.255.255.248 *142.189.25 1
route internal 172.18.0.0 255.255.255.255 10.5.64.1 1
route external 192.168.250.0 255.255.255.0 *142.189.25 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server VPN-RADAuth protocol radius
aaa-server VPN-RADAuth (internal) host 10.5.65.253
key *****
radius-common-pw *****
aaa-server VPN-RADAuth (internal) host 10.5.65.240
key *****
aaa-server VPN-RADAuthHPB protocol radius
aaa-server VPN-RADAuthHPB (internal) host 10.5.64.196
key *****
radius-common-pw *****
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.5.0.0 255.255.0.0 internal
http 0.0.0.0 0.0.0.0 external
http 0.0.0.0 0.0.0.0 internal
snmp-server host internal 10.5.65.210 community ***** version 2c
snmp-server location Healthpoint.Vickery
snmp-server contact Jonathan Henry
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map external_map 1 match address external_cryptomap
crypto map external_map 1 set peer 64.126.222.190
crypto map external_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map external_map 2 match address external_cryptomap_1
crypto map external_map 2 set pfs
crypto map external_map 2 set peer 109.164.216.164
crypto map external_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map external_map 3 match address external_cryptomap_2
crypto map external_map 3 set peer 12.197.232.98
crypto map external_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map external_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map external_map interface external
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca trustpoint ASDM_TrustPoint0
keypair ASDM_TrustPoint0
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130
0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117
30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504
0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56
65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043
65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
30303230 38303030 3030305a 170d3230 30323037 32333539 35395a30 81b5310b
30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
496e632e 311f301d 06035504 0b131656 65726953 69676e20 54727573 74204e65
74776f72 6b313b30 39060355 040b1332 5465726d 73206f66 20757365 20617420
68747470 733a2f2f 7777772e 76657269 7369676e 2e636f6d 2f727061 20286329
3130312f 302d0603 55040313 26566572 69536967 6e20436c 61737320 33205365
63757265 20536572 76657220 4341202d 20473330 82012230 0d06092a 864886f7
0d010101 05000382 010f0030 82010a02 82010100 b187841f c20c45f5 bcab2597
a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10
9c688b2e 957b899b 13cae234 34c1f35b f3497b62 83488174 d188786c 0253f9bc
7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b
15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845
63cd1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8
18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced
4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f
81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 02030100 01a38201 df308201
db303406 082b0601 05050701 01042830 26302406 082b0601 05050730 01861868
7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1d130101
ff040830 060101ff 02010030 70060355 1d200469 30673065 060b6086 480186f8
45010717 03305630 2806082b 06010505 07020116 1c687474 70733a2f 2f777777
2e766572 69736967 6e2e636f 6d2f6370 73302a06 082b0601 05050702 02301e1a
1c687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406
03551d1f 042d302b 3029a027 a0258623 68747470 3a2f2f63 726c2e76 65726973
69676e2e 636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403
02010630 6d06082b 06010505 07010c04 61305fa1 5da05b30 59305730 55160969
6d616765 2f676966 3021301f 30070605 2b0e0302 1a04148f e5d31a86 ac8d8e6b
c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973
69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30
1b311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301d0603
551d0e04 1604140d 445c1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355
1d230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300d0609
2a864886 f70d0101 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80
4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e
b2227055 d9203340 3307c265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a
6decd018 7d494aca 99c71928 a2bed877 24f78526 866d8705 404167d1 273aeddc
481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16
b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0
5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8
6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
6c2527b9 deb78458 c61f381e a4c4cb66
quit
crypto ca certificate chain ASDM_TrustPoint0
certificate 4b54478c1754b7
30820563 3082044b a0030201 0202074b 54478c17 54b7300d 06092a86 4886f70d
01010505 003081ca 310b3009 06035504 06130255 53311030 0e060355 04081307
4172697a 6f6e6131 13301106 03550407 130a5363 6f747473 64616c65 311a3018
06035504 0a131147 6f446164 64792e63 6f6d2c20 496e632e 31333031 06035504
0b132a68 7474703a 2f2f6365 72746966 69636174 65732e67 6f646164 64792e63
6f6d2f72 65706f73 69746f72 79313030 2e060355 04031327 476f2044 61646479
20536563 75726520 43657274 69666963 6174696f 6e204175 74686f72 69747931
11300f06 03550405 13083037 39363932 3837301e 170d3131 30313036 31393533
33395a17 0d313331 31323932 31343730 315a305b 311a3018 06035504 0a13112a
2e686561 6c746870 6f696e74 2e636f6d 3121301f 06035504 0b131844 6f6d6169
6e20436f 6e74726f 6c205661 6c696461 74656431 1a301806 03550403 13112a2e
6865616c 7468706f 696e742e 636f6d30 82012230 0d06092a 864886f7 0d010101
05000382 010f0030 82010a02 82010100 c6609ef2 c19c47e9 016ce654 d151146e
5d213545 ca896f4e cbb2624c 5ea6d7f0 7f18a82b e441020b 74d6ebd4 b7ef34c9
97b80ce0 6eb1c1cc 3b296909 8a0a2ad7 2473fb60 ff0c9320 ec9b3fe3 82a501c4
3c3855bd e0822ce1 e1d1fb03 4609639f 9359653b 091b6b48 5ce22806 234a55e5
6f80ebba cfb68a22 6cd1e64e 756f22b5 13a6178d 9ffcfbbb 5ca4b773 50089a8b
7e966a23 d4711a49 44c101fc a6b68e26 6a8d57f3 2fed1f6f ce6b0535 498c5c97
bf0577fa 9d9a1e37 4ff3b9f0 913dac74 3f4d26c9 09aac485 ccd5dfb9 7aa226e8
89075829 eff0cf99 b642e679 5a9dfe74 e5899e30 e07b6bbf a92fab33 cb8d7f65
1d974861 8b02d78b bc7908a9 e70b1b59 02030100 01a38201 ba308201 b6300f06
03551d13 0101ff04 05300301 0100301d 0603551d 25041630 1406082b 06010505
07030106 082b0601 05050703 02300e06 03551d0f 0101ff04 04030205 a0303306
03551d1f 042c302a 3028a026 a0248622 68747470 3a2f2f63 726c2e67 6f646164
64792e63 6f6d2f67 6473312d 32382e63 726c304d 0603551d 20044630 44304206
0b608648 0186fd6d 01071701 30333031 06082b06 01050507 02011625 68747470
733a2f2f 63657274 732e676f 64616464 792e636f 6d2f7265 706f7369 746f7279
2f308180 06082b06 01050507 01010474 30723024 06082b06 01050507 30018618
68747470 3a2f2f6f 6373702e 676f6461 6464792e 636f6d2f 304a0608 2b060105
05073002 863e6874 74703a2f 2f636572 74696669 63617465 732e676f 64616464
792e636f 6d2f7265 706f7369 746f7279 2f67645f 696e7465 726d6564 69617465
2e637274 301f0603 551d2304 18301680 14fdac61 32936c45 d6e2ee85 5f9abae7
769968cc e7302d06 03551d11 04263024 82112a2e 6865616c 7468706f 696e742e
636f6d82 0f686561 6c746870 6f696e74 2e636f6d 301d0603 551d0e04 16041475
346fa066 c4b0cb48 a6aaf4d5 d03124fd 1babaf30 0d06092a 864886f7 0d010105
05000382 01010080 81fec403 103ecd08 88f17283 68154d3e 92da6355 58c50ea9
b6d2a2d1 86428614 44b3f27b ae00352d 0339f481 22d2bc3c 1f7a8458 495a337f
f939fa9d 76c9635c ac1f5452 8ec504ae 6c90dfc2 70e3b620 c34aedb3 12f8facd
ce45e918 af358576 b6711324 f5d53b62 77c2bb0d 6ff7a26c 1863c7fe eae6ee42
c1855066 e994db91 af755c47 b257545f ee29c6ab 57104a27 890f7f9c f95898c8
ed30eda7 9e86ebd4 c6007d3b 640e2312 3875410b 79ddff84 11454b83 7126ebbb
ce9c916a d5839e2b 095310e0 51e7e0cd d71c4830 ec1177c8 0407c147 afa2a33a
d058fa1b de4b2771 8af206c6 27e17249 1afbd515 d3f2845d a3699196 a9a7044c
5738a868 e01e59
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev1 enable external
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 2
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 3
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto ikev1 policy 4
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 10.5.0.0 255.255.0.0 internal
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh 10.5.0.0 255.255.0.0 internal
ssh timeout 5
console timeout 0
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.5.65.242 source internal
ssl trust-point ASDM_TrustPoint0 external
webvpn
enable external
enable internal
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-2.5.0217-k9.pkg 1
anyconnect profiles HP_Basic disk0:/HP_Basic.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy HPVPN internal
group-policy HPVPN attributes
banner value You are now connected to Healthpoint, Ltd.
wins-server none
dns-server value 10.5.64.199 10.5.64.197
dhcp-network-scope none
vpn-idle-timeout none
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
ip-comp disable
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain value hpb.net
split-dns none
split-tunnel-all-dns disable
user-authentication-idle-timeout none
address-pools value HPVPNClients
client-firewall none
client-access-rule none
webvpn
anyconnect keep-installer installed
anyconnect ssl compression none
anyconnect profiles value HP_Basic type user
anyconnect ask enable default anyconnect timeout 5
http-comp none
username bcline password Wpo.Polan03mKRJ9 encrypted privilege 15
username jhenry password wX50UveiwuBH7p7v encrypted privilege 15
username ittemp password zpQoWfp93rOS3NU7 encrypted privilege 5
tunnel-group HPVPN type remote-access
tunnel-group HPVPN general-attributes
address-pool HPVPNClients
authentication-server-group VPN-RADAuth
authentication-server-group (external) VPN-RADAuth
default-group-policy HPVPN
password-management password-expire-in-days 3
tunnel-group HPVPN webvpn-attributes
group-alias HPVPN enable
tunnel-group HPVPN ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 64.126.222.190 type ipsec-l2l
tunnel-group 64.126.222.190 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 109.164.216.164 type ipsec-l2l
tunnel-group 109.164.216.164 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 12.197.232.98 type ipsec-l2l
tunnel-group 12.197.232.98 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group HPB type remote-access
tunnel-group HPB general-attributes
address-pool HPVPNClients
authentication-server-group VPN-RADAuthHPB
authentication-server-group (external) VPN-RADAuthHPB
default-group-policy HPVPN
password-management password-expire-in-days 3
tunnel-group HPB webvpn-attributes
group-alias HPB disable
group-alias HPVPN_NEW enable
tunnel-group HPB ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group HPB ppp-attributes
authentication ms-chap-v2
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
no dns-guard
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect dns
service-policy global_policy global
prompt hostname context
service call-home
call-home reporting anonymous
call-home
contact-email-addr
profile CiscoTAC-1
destination address
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f3c293700f62ee55af87105015fe4cd0
: end
You have two options:
1. The router that is internal must have a static route to the ASA to reach the VPN networks and must redistribute static so that other routers that form part of EIGRP know how to route to the VPN networks.
2. You can configure on the ASA "set reverse-route" on the crypto map, then configure EIGRP on the ASA and add redistribute static so that routes learned via VPN (considered static routes) can be pushed through EIGRP. -
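The posted running-config offers a long list of IKEv1 and IKEv2 policies, including DES, 3DES, MD5, DH groups 1/2/5 and `authentication crack`; an ASA will negotiate the first matching policy by priority, so any weak entry left in the list is still on offer to a peer that asks for it. The following is an added example, not code from the thread or from Cisco, that parses policy blocks in this format and reports the weak settings. The sample config text is constructed, modelled on the posted lines, and the weakness thresholds are the author's assumptions, not anything the ASA enforces.

```python
"""Flag weak IKEv1/IKEv2 policies in a Cisco ASA running-config.

Added example; not from the thread. SAMPLE_CONFIG is constructed and modelled
on the policy lines in the posted config. The thresholds below (DES/3DES, MD5,
DH groups under 2048-bit, CRACK authentication) are the author's assumptions.
"""
import re
from dataclasses import dataclass, field

SAMPLE_CONFIG = """\
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev1 policy 2
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
"""

WEAK_ENCRYPTION = {"des", "3des"}   # 64-bit block ciphers; DES also has a 56-bit key
WEAK_HASH = {"md5"}                 # 'sha' on this platform means SHA-1; prefer sha256+ where supported
WEAK_GROUPS = {"1", "2", "5"}       # MODP 768/1024/1536; use group 14 (2048-bit) or ECDH groups
WEAK_AUTH = {"crack"}               # legacy CRACK (Challenge/Response for Authenticated Cryptographic Keys)


@dataclass
class Policy:
    version: str          # "ikev1" or "ikev2"
    number: int           # policy priority
    settings: dict = field(default_factory=dict)


def parse_policies(text):
    """Collect each 'crypto ikevN policy M' block into a Policy; keyword -> rest of line."""
    policies, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"crypto (ikev[12]) policy (\d+)$", line)
        if m:
            current = Policy(m.group(1), int(m.group(2)))
            policies.append(current)
            continue
        if current is None or not line:
            continue
        key, _, value = line.partition(" ")
        current.settings[key] = value
    return policies


def findings(policy):
    """Return the weak settings of one policy as readable strings (empty list = clean)."""
    s, out = policy.settings, []
    enc = s.get("encryption", "")
    if enc in WEAK_ENCRYPTION:
        out.append(f"encryption {enc}")
    digest = s.get("hash") or s.get("integrity") or ""   # ikev1 'hash', ikev2 'integrity'
    if digest in WEAK_HASH:
        out.append(f"hash {digest}")
    # ASA accepts several DH groups on one line ("group 5 2"); every weak one is offered to the peer
    weak_groups = sorted(set(s.get("group", "").split()) & WEAK_GROUPS, key=int)
    if weak_groups:
        out.append("group " + " ".join(weak_groups))
    if s.get("authentication") in WEAK_AUTH:
        out.append("authentication crack")
    return out


def audit(text):
    """Map (version, policy number) -> list of findings for every policy in the config text."""
    return {(p.version, p.number): findings(p) for p in parse_policies(text)}


if __name__ == "__main__":
    for key, issues in audit(SAMPLE_CONFIG).items():
        print(key, "OK" if not issues else "; ".join(issues))
```

Run it against the output of `show running-config` and remove or re-number the flagged policies; the ikev2 policies in the posted config all list `group 5 2`, so even the AES-256 entry still offers 1024-bit DH to the peer.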
Server Admin not connecting to Leopard Server when accessing via VPN
Hi everyone,
Recently, as the title suggests, Server Admin (or Server Preferences, for that matter) would not connect to my remote server via VPN. I'm quite sure that the server is working nicely, as the users (both of them lovely young ladies with considerable charms, which makes on-site support quite interesting, if distracting) didn't call me to complain, and I can login via SSH with no problems.
The server is a Mac Mini, connected to an Airport Extreme (gigabit N), which in turn connects to our ADSL modem, if that helps any.
Now, I did tinker around a bit with the settings before this happened, so I think it's probably my fault (well, I started my "career" of administering this server a week ago, what do you expect), so I suppose I may have inadvertently limited access to a service required for Server Admin and Server Preferences to function.
If anyone could tell me which services are absolutely necessary for Server Admin to function, or at least where to start looking, I'd be immensely grateful. I didn't yet go on site to try and wrestle the whole thing from there, as the travel costs are non-trivial, so I'd rather do it remotely, if at all possible.
This is exactly the difficulty I am having with a 10.5.4 Intel Xserve. I have established a VPN connection that connects me to my business LAN, and I know it has carried out the connection because there are a number of things I can access properly that are not available on the public internet. For instance, my LOM ports are restricted to my business LAN, and when I connect to the server via VPN I can access the LOM ports and use Server Monitor. However, when I try to use Server Admin, nothing works. It won't connect. I too am confused. All traffic to the Xserve is allowed via the business LAN. I thought all traffic was supposed to be routed to the VPN server when connected via a VPN. If this is the case, shouldn't Server Admin work? When I go on site and connect my computer directly to the business LAN, I have no difficulty using Server Admin.
-
Access to DFS root via VPN not working - error 0x80070035 keeps popping up
Dear all,
when trying to access the DFS root via VPN from a Windows 7 non-domain member computer I always receive an error stating "Windows cannot access \\eggs.local\dfs", Error Code: 0x80070035, The Network Path was not found.
I searched the internet as well as these forums in order to get to grips with this error message but didn't find anything to solve my problem.
I made sure, that NetBIOS over TCP/IP is enabled, that I have access to the VPN adapter's DNS as well as WINS servers, that DNS name resolution is working properly, DNS split tunneling is enabled, Windows Firewall is disabled, and so forth. Still no luck.
Any ideas?
Thanks Alex
Alexander Ollischer Diplom-Wirtschaftsinformatiker (FH) Citrix & Microsoft Certified Engineer (CCEA, CCEE, MCSA, MCSE, MCDBA, MCTS) Afontis IT+Services GmbH Baierbrunner Straße 15 81379 München Deutschland Telefon (089) 74 34 55-0 Fax (089) 74 34 55-55
mailto:[email protected] http://www.afontis.de http://www.itganzeinfach.de Amtsgericht München, HRB 109 005 Geschäftsführer: Thomas Klimmer
Hi,
Though you mentioned DNS is working properly, please check if the DNS forwarder is set correctly.
And in case it is caused by authentication, please try to force Kerberos to use TCP; by default it uses UDP, and on a slow VPN connection UDP packets may be dropped.
How to force Kerberos to use TCP instead of UDP in Windows
http://support.microsoft.com/kb/244474
Also check NTFS and Sharing permission on top of the DFS Namespace. At least give users a Read permission.
If you have any feedback on our support, please send to [email protected] -
Accessing a subnet via VPN session
Hi everybody.
I have not too much experience configuring and managing VPNs and at this moment I am facing a bit of an issue. I've got a remote site which is connected to the headquarters via a VPN site-to-site IPsec tunnel. When I am in my office I have no problem reaching the remote network, but when I try to connect to the remote network via VPN client, I can't reach it.
In the remote office I've got a Router 3800 (Cisco IOS Software, 3800 Software (C3845-ADVENTERPRISEK9-M), Version 12.4(13c), RELEASE SOFTWARE (fc2)); in the headquarters I've got an ASA 5520 Version 8.0(3). I've checked access-lists and network objects and it seems everything is OK.
local network: 10.30.0.0 0.0.0.0
remote network 10.31.0.0 0.0.0.0
ASA
object-group network remote-network
network-object 172.16.27.0 255.255.255.0
network-object 10.31.0.0 255.255.0.0
object-group network network-local
network-object 0.0.0.0 0.0.0.0
access-list VPN_Remote_Access_splitTunnelAcl standard permit 10.31.0.0 255.255.0.0
Router 3800
ip access-list extended vpn
permit ip 10.31.0.0 0.0.255.255 any
Can someone guide me about what is missing in the config? no problem if you need more "sho run" lines.
Regards and thanks very much!!
Hi Ankur, thanks very much for your reply!
This is the "sho run" on my remote router:
I do not understand your first question well, but if it is useful, I log in to headquarters at "headquarters public ip address".
This is a simple diagram of where I want to connect to:

REMOTE_SITE ----------( VPN site-to-site IPsec tunnel )---------- HEADQUARTERS
(10.31.0.0/24 network)                                            (10.30.0.0/16 network)
                                                                        |
                                                                        |
                                                                   REMOTE USER
                                                                (10.30.23.130/25)
REMOTESITE#sho run
Building configuration...
Current configuration : 10834 bytes
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname PYASU1ROU01
boot-start-marker
boot-end-marker
logging buffered 64000 debugging
no logging console
aaa new-model
aaa authentication login default group tac-auth local
aaa authentication enable default group tac-auth enable
aaa authorization console
aaa authorization exec default group tac-auth local if-authenticated
aaa authorization network default local
aaa accounting exec default start-stop group tac-auth
aaa session-id common
clock timezone PR -3
ip cef
voice-card 0
no dspfarm
crypto pki trustpoint TP-self-signed-4112391703
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4112391703
revocation-check none
rsakeypair TP-self-signed-4112391703
crypto pki certificate chain TP-self-signed-4112391703
certificate self-signed 01
30820243 308201AC A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34313132 33393137 3033301E 170D3131 31313234 30323430
34335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 31313233
39313730 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100A09B 8740E68A 0C5BB452 D4D26D1B C91E4B5A 71FF0E11 411D70DB ED09EE4C
95C67911 0DFB9557 EB17CE79 9A3AF1C8 3B4DC1C0 75F6B938 F3431C4D 6DEAB793
A560C0AE 88007146 4312FBDF F979476B AB55CACD 9EE00DAC B3227CD6 9861DE87
DD462212 6E8FDA90 7BEA7967 26FCF6B6 6DDDBD5A A6E3D7F8 12AE4F5E 71BDDEE3
D5130203 010001A3 6B306930 0F060355 1D130101 FF040530 030101FF 30160603
551D1104 0F300D82 0B505941 53553152 4F553031 301F0603 551D2304 18301680
14C86D3D 3AF1854B 977D5BD8 A9ABAF33 4E7483BC 3B301D06 03551D0E 04160414
C86D3D3A F1854B97 7D5BD8A9 ABAF334E 7483BC3B 300D0609 2A864886 F70D0101
04050003 8181005A 5A20ACB9 EE50A66C 054B5449 62A98E5F B42E5193 6D3D71A8
B0949BE2 70BE6F3C 2FAD7E2D AA0FCF6C 4D8E8344 035A33D6 6538EF32 33F8C746
31119E9C F08091A2 9F8DCF8F 1B779D90 82F3366C D0F84D6B AB7E3248 E532E224
91E404E9 608ECF11 5525D52B A02C3D9C 7BC1C1EF 496D1246 1125086B 54EEF4A2
94350AFF EA7CB2
quit
username admin privilege 15 secret 5 $1$P3xv$e99l3YcRWgFPEp/m6uXZg1
username cwuser privilege 15 secret 5 $1$Ir9X$CZgLaFy7XKsmT9avFHTTk/
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
crypto keyring apex
pre-shared-key address "headquerters public ip address"
key apex
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp profile companyname
keyring apex
match identity address "headquerters public ip address"
crypto ipsec transform-set esp-aes256-sha esp-aes 256 esp-sha-hmac
crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
crypto map outside 10 ipsec-isakmp
set peer "headquerters public ip address"
set transform-set 3DES
set isakmp-profile companyname
match address vpn-companyname
interface Loopback1
description monitoreo
ip address 10.31.21.255 255.255.255.255
interface GigabitEthernet0/0
description Teysa
ip address public ip address
ip nat outside
no ip virtual-reassembly
load-interval 30
duplex auto
speed auto
media-type rj45
crypto map outside
interface GigabitEthernet0/1
description TO CORE-SW
ip address 192.168.255.249 255.255.255.252
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
media-type rj45
interface FastEthernet0/0/0
switchport access vlan 2
duplex full
speed 100
interface FastEthernet0/0/1
switchport access vlan 10
shutdown
duplex full
speed 100
interface FastEthernet0/0/2
switchport mode trunk
shutdown
interface FastEthernet0/0/3
switchport access vlan 10
shutdown
duplex full
speed 100
interface Vlan1
no ip address
no ip http server
ip http authentication aaa login-authentication default
ip http authentication aaa exec-authorization default
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map nat interface GigabitEthernet0/0 overload
ip access-list extended nat
deny ip host 172.16.27.236 10.0.0.0 0.255.255.255
deny ip 10.31.0.0 0.0.255.255 10.0.0.0 0.255.255.255
deny ip 172.16.27.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 10.31.11.0 0.0.0.255 any
permit ip 10.31.13.0 0.0.0.255 any
permit ip 172.16.27.0 0.0.0.255 host 209.59.188.93
permit ip 172.16.27.0 0.0.0.255 host 190.180.145.46
permit ip 172.16.27.0 0.0.0.255 host 46.51.171.127
permit ip 172.16.27.224 0.0.0.31 any
ip access-list extended vpn-apex
permit ip 10.50.20.0 0.0.1.255 any
permit ip 172.16.27.0 0.0.0.255 any
permit ip 10.31.0.0 0.0.255.255 any
permit ip 10.30.0.0 0.0.255.255 any
route-map nat permit 10
match ip address nat
control-plane
line con 0
password 7 xxxxxxxxxx
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password 7 xxxxxxxxxx
scheduler allocate 20000 1000
ntp server 10.30.5.38
end
REMOTESITE#
Regards! -
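When a remote-access client on the hub cannot reach a spoke behind a site-to-site tunnel, three lists have to agree: the hub's split-tunnel ACL must contain the spoke LAN (so the client sends that traffic into its tunnel at all), the hub's L2L crypto ACL must select client pool to spoke LAN, and the spoke's crypto ACL must mirror that (spoke LAN to client pool), with NAT exemption at both ends. The following is an added example, not code from the thread or from Cisco, that parses ASA standard ACL lines and IOS wildcard-mask entries and checks whether a pool is fully contained. The ACL lines and the pool prefix (10.30.23.128/25, from the diagram) are constructed, modelled on what was posted; the hub's own L2L crypto ACL is not in the thread, so the hub-side check here is run against the spoke ACL mirrored.

```python
"""Check that a remote-access client pool is covered by the ACLs that select VPN traffic:
the hub's split-tunnel list and the crypto ACLs at each end of a site-to-site tunnel.

Added example; not from the thread. Sample ACL lines are constructed and modelled on the
posted ones; CLIENT_POOL is taken from the diagram (10.30.23.130/25).
"""
import re
import ipaddress

ASA_SPLIT_ACL = [
    "access-list VPN_Remote_Access_splitTunnelAcl standard permit 10.31.0.0 255.255.0.0",
]
SPOKE_CRYPTO_ACL = [            # IOS-style entries with wildcard masks
    "permit ip 10.50.20.0 0.0.1.255 any",
    "permit ip 172.16.27.0 0.0.0.255 any",
    "permit ip 10.31.0.0 0.0.255.255 any",
]
CLIENT_POOL = ipaddress.IPv4Network("10.30.23.128/25")
SPOKE_LAN = ipaddress.IPv4Network("10.31.0.0/16")

ANY = ipaddress.IPv4Network("0.0.0.0/0")


def wildcard_to_network(addr, wildcard):
    """IOS wildcard (0 bits must match) -> IPv4Network. A non-contiguous wildcard raises NetmaskValueError."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def parse_ios_permit(line):
    """'permit ip SRC DST' with any / host X / ADDR WILDCARD operands -> (src_net, dst_net), or None."""
    toks = line.split()
    if toks[:2] != ["permit", "ip"]:
        return None

    def operand(i):
        if toks[i] == "any":
            return ANY, i + 1
        if toks[i] == "host":
            return ipaddress.IPv4Network(toks[i + 1] + "/32"), i + 2
        return wildcard_to_network(toks[i], toks[i + 1]), i + 2

    src, i = operand(2)
    dst, _ = operand(i)
    return src, dst


def parse_asa_standard(line):
    """ASA standard ACL: 'access-list NAME standard permit ADDR MASK' (subnet mask, not wildcard) -> network."""
    m = re.match(r"access-list \S+ standard permit (\S+) (\S+)$", line)
    if not m:
        return None
    if m.group(1) == "host":
        return ipaddress.IPv4Network(m.group(2) + "/32")
    return ipaddress.IPv4Network((m.group(1), m.group(2)), strict=False)


def split_tunnel_covers(acl_lines, target):
    """True if one split-tunnel entry contains the whole target prefix; partial overlap is not enough."""
    return any(target.subnet_of(n) for n in map(parse_asa_standard, acl_lines) if n)


def crypto_acl_covers(acl_lines, local, remote):
    """True if one entry matches local -> remote in full. The peer's ACL must mirror it (remote -> local)."""
    for line in acl_lines:
        parsed = parse_ios_permit(line)
        if parsed and local.subnet_of(parsed[0]) and remote.subnet_of(parsed[1]):
            return True
    return False


if __name__ == "__main__":
    print("split tunnel sends spoke LAN into the client tunnel:",
          split_tunnel_covers(ASA_SPLIT_ACL, SPOKE_LAN))
    print("spoke crypto ACL returns traffic to the client pool:",
          crypto_acl_covers(SPOKE_CRYPTO_ACL, SPOKE_LAN, CLIENT_POOL))
    print("same ACL read as the hub side (pool -> spoke LAN):",
          crypto_acl_covers(SPOKE_CRYPTO_ACL, CLIENT_POOL, SPOKE_LAN))
```

The third check prints False: the `permit ip ... any` entries cover the pool as a destination, which is what the spoke needs, but an ACL written like this would not select pool-to-spoke traffic if copied onto the hub, so the hub's L2L crypto ACL needs its own explicit entry for the pool.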
Best way to access files on Xserve via VPN on iPad?
Can anyone tell be the best solution for accessing files housed on the companies Apple Xserve remotely via VPN from an iPad? Numbers / Pages etc.
thanks,
Rick
The iPad doesn't natively support file systems such as those on servers, but there are third-party apps that can allow this. FileBrowser is one often mentioned, so you might look into that. VPN will be a separate issue; iOS has a built-in VPN client which works with many VPN systems, but you'll need to see if yours is supported.
Regards. -
Having trouble accessing wikis & blogs via VPN
After I connect to our server via VPN when I'm outside of our network, I'm having trouble getting wiki and blog pages to open up. Currently I'm using the internal hostname to pull up the pages: ajax.private (we used the .private domain because it is an internal server only).
So, when I type in: ajax.private into the browser, the page starts to load and I can see the graphics starting to load, but it never finishes loading. Likewise, if I try and access the pages using the server's internal IP address, the same thing happens. Am I doing something wrong here?
My other services like iChat and iCal are able to access and authenticate using the FQDN of ajax.private
You'd have to provide a lot more details of the setup to have any hope of a useful response. You don't even say what kind of VPN it is. What does the network admin at work say?
-
Is symbian or windows mobile better to access mac shares via vpn?
I am considering a smart phone purchase in the next few months, and I would like to be able to browse my server via vpn from the phone the same way I can with my Palm LifeDrive. I think Symbian or Windows Mobile are my best OS choices for a phone, and I was wondering if anyone has actual experience with this. Do they use PPTP or L2TP? At this point, the iPhone cannot edit documents, so it is not a consideration, but I am also curious if it allows for this type of remote browsing through a VPN.
Thank you for any help that you can offer.
Michael
I have done some more testing and oddly enough I can map a drive if I use the IP address, but not the computer name, when checking the check box "connect using different credentials" and providing the user's domain credentials.
This seems to point to a DNS issue, one would think, but I can hit the file share server by name \\fileserver.dev.lan
I can see all the shares, so dns seems to be fine right?
So I don't understand why I can map a drive using the IP address and not the machine name, but yet I can see and ping the server by name?
When I try to create a mapped drive by machine name I receive the following message:
Windows cannot access \\fileserver.dev.lan\all
You do not have permissions to access \\fileserver.dev.lan. contact your network administrator to request access.
But if I use the \\x.x.x.x\all using the very same user and password I get connected with no problem.
This only seems to happen on windows 8.1, which leads me to think that has something to do with OS.
I am thinking about upgrading to Windows 8.1 Pro, but I don't want to go through the hassle and expense if the OS is not the problem. -
Can not access ASAs inside interface via VPN tunnels
Hi there,
I have a funny problem.
I build up a hub and spoke VPN, with RAS Client VPN access for the central location.
All tunnels and the RAS VPN access are working fine.
I use the tunnels for Voip, terminal server access and a few other services.
The only problem I have is, that I could not access the inside IP address of any of my ASAs, neither via tunnels nor via RAS VPN access. No telnet access and no ping reach the inside interfaces.
No problem when I connect to the interface via a host inside the network.
All telnet statments in the config are ending with the INSIDE command.
On most of the ASAs the 8.2 IOS is running on one or two ASAs the 8.0(4).
For the RAS client access I use the Cisco 5.1 VPN client.
Did anybody have any suggestions?
Regards
Marcel
Marcel,
Simply add on the asas you want to administer through the tunnels
management-access
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/m.html#wp2027985
for asa5505
management-access inside
for all others if you have management interface management0/0 defined then:
management-access management
then you may need to allow the source; for example, if the RA VPN pool network is 10.20.20.0/24 then you tell the ASA that that network can administer it and point access to inside, but it sounds like you have this part already.
telnet 10.20.20.0 255.255.255.0 inside
http 10.20.20.0 255.255.255.0 inside
same principle for l2l vpns
Regards -
Slow finder Browsing when accessing LAN via VPN connexion
I am running ML Server, latest update, on a 2010 Mac Mini Server machine.
When I am connected to my network from a remote location via VPN, and I try to browse my LAN structure with Finder, it takes ages for the list of folders/files to appear and refresh.
I have checked my VPN configuration and tried different type (L2TP, PPTP) but nothing significantly differ in term of browsing speed.
I also appreciate that the network connection at the remote location, as well as the upload speed on my local network, can influence the overall browsing speed... but after several tests, I confirm I have more than 3 Mbps bandwidth for upload on the local network, and 20 Mbps minimum at the remote location.
I also tried AFP / SMB, but does not seem to change anything.
So, I guess I hope the Community has already experienced the issue and some of you guys may have found a workaround to this issue.
Many thanks.
Why not try Cisco IPsec?
Input the following settings:
Interface: VPN
VPN Type: Cisco IPSec
Service Name: This can be anything, I left the default.
Edit the new interface details as follows:
Server Address: cisco.vpntraffic.com or other country vpn such as Portugal VPN
Account Name: Your vpn account
Password: Your vpn password
How to setup Mac OS X Built-In Cisco VPN