Windows 8.1 connected by VPN, contents of mapped drives "disappear" intermittently.
I have a client with a Windows 8.1 Pro laptop who works in a satellite office and connects to the main office via VPN. The main office is running SBS 2011. The user has his G drive mapped to a share on the server and will be working on 2 or 3 files; he'll then go to open the G drive to find another file and he'll see that only the files/folders he's actually been working on are showing up, and the rest of the contents of the drive seem to "disappear". I believe this is caused by the VPN dropping connection (not proven yet). The problem is that even if you reconnect to the VPN, those files don't re-appear... or they might be back when he comes back into the office after doing some calls. We can make the files instantaneously re-appear if he grabs his notebook, walks across the street from the satellite office to the main office and plugs into the hardwired network... but this is less than practical, and impossible if he's actually on the road somewhere.
He does not have "offline files" active for the G drive, nor do we really want to do that... but I'm thinking that Windows is going into some sort of half-baked automatic offline files mode when the VPN goes away. I've played with registry and group policy settings in reference to offline files in the hope that would rectify the issue, but to no avail.
We don't particularly care that the files are unavailable when the VPN isn't connected; the client understands they aren't local files. What is really the big issue is that activating the VPN doesn't make the files reappear and that there doesn't seem to be any consistent way of "forcing" the issue except to physically hardwire to the LAN segment the server is on.
This was working just fine on the client's old system under Windows 7 Pro, but just since moving to a new laptop with Windows 8.1 it has become flaky.
Any suggestions, hints or tips are appreciated.
Cheers,
Mike
P.S. When I say the files "disappear", they are just invisible to this user... they are still physically on the server and accessible by all other users on the LAN.
I will have to double check again to make sure I'm telling the truth (I've gone through so many iterations in the past weeks I can't remember which way is up :-) but I believe that the drive was showing in Offline Files, but that attempting a sync (even repeatedly) did not bring the drive contents back. Which also begs the question: if the user has not made the drive "available offline", why would it be acting like it is? I've considered actually making it available offline, but I don't want all of that data on his laptop and I'm also concerned that we'd then have more problems as he continues to work for hours and days on his offline copies.
I should also add that I was able to work with the client on Friday and we were able to determine that the VPN is NOT dropping as we're able to ping devices on the LAN side immediately once the files disappear.
Cheers,
Mike
Similar Messages
-
Windows 8 Mapped Drives Disappear - Offline Cache
Hi,
We have a Windows 8 machine that has a mapped network drive and we enabled this to be "always available".
When the laptop is connected to the domain the mapped drive is there fine, and you can see that the offline file symbol is on the network folder! However when you reboot the machine and it is not connected to the network the folder disappears from My Computer!
If I then open "Run" and type the folder path of the server where this mapped drive is mapped to, I am able to view the files fine, so they are there and working offline, but not via My Computer or the drive letter.
I have tried the following:
Disable and re-enable offline files
Remove all offline files and then re-sync
Any suggestions very much appreciated!
Thanks
Check the Sync Center settings.
Control Panel --> Sync Center
Click Manage offline files and select the General tab.
Verify that the status is showing enabled. -
Not able to access my remote machine using VPN in Windows 8.
The VPN connects successfully, resulting in internet disconnection.
I am using a wireless 3G data card device for internet.
But the same VPN connection works fine on Wi-Fi and I am able to access the remote machine. Not sure why the problem occurs when connecting from the device.
Please help me out, guys.
Thanks in advance
What kind of VPN client are you using? You can try the following suggestion for a test.
1) Get into VPN Properties
2) Select "Security" tab
3) Click "Allow these protocols" radio button and check the "Microsoft CHAP Version 2 (MS-CHAP v2)" box
4) Select Networking Tab; select "Internet Protocol Version 4 (TCP/IPv4)" and click "Properties"
5) Click "Advanced"
6) Uncheck box for "Use default gateway on remote network"
Niki Han
TechNet Community Support -
Running Windows 7 and connecting to VPN
There is an issue at my university with signing on to its VPN network using Lion. I want to install Windows 7 on my Mac so I can run the VPN connection through Windows (which should theoretically work). My question is this: if I connect to the VPN through Windows on my MacBook and then switch to Mac OS, will I remain connected to the VPN or will I be dropped once I switch from Windows to Mac OS?
It should drop because the settings are different. Settings don't transfer over.
-
I still cannot believe that you cannot do a scheduled backup to a network drive in Windows Server 2008. You can only do it to a local internal/external drive. Microsoft, are you crazy? That goes against all best practices for backing up your data, when you should have a backup at least 60 miles away from the original server. Give us back the NTBackup tool or provide a solution for this.
Your feedback is valid. This issue has been fixed in WS2008 R2.
Thanks,
Prabu Ambravaneswarn [MSFT]
That doesn't exactly help people who run Windows Server 2008 now, does it?
Something so trivial that could be done in Server 2003 with NTBackup and it wasn't included in Server 2008? Who overlooked that?
Why can this not be fixed in Server 2008 with an update or a service pack?
Also, then why is it you can do a MANUAL backup to a network drive, but not a scheduled one? -
Software install in Windows 7 doesn't see mapped drives
I've looked through the related topics that came up when I started to write this, but I am not sure they answer my questions fully.
I am trying to install software on a Windows 7 box as the Administrator. My mapped drives are fine, I can see them and they are not dropping off to the middle of nowhere. What is happening though is that when I attempt to install software, the only thing that is showing is my local drives, not my networked drives. My workaround so far is to do it via UNC.
Is there an easy fix for this or do I have to continue with my workaround of doing installs via UNC?
Hi,
I would like to confirm: does this issue occur with all the software you tried to install?
You may try to disable User Account Control (UAC) to test the issue.
If it does not work, I also would like to suggest you enable NetBIOS to test the issue.
1. Click "Start", input "NCPA.CPL" (without quotation marks) and press Enter.
2. Right click on the connection that you use for the local connection, and then click "Properties".
3. Click Continue button to verify the administrator permission.
4. Click to select "Internet Protocol Version 4 (TCP/IPv4)", and then click "Properties".
5. Click "Advanced" button in the open window. On the "WINS" tab, click to select "Enable NetBIOS over TCP/IP", and then click "OK" to save the setting.
If the issue persists, I also would like to suggest you disable the antivirus program and test the issue in Clean Boot.
What is the result?
Regards,
-
Mapped Drive B:\ to a network share but does not show up in Windows Explorer.
I mapped drive B: to a network share but it does not show up in Windows Explorer. I can go to the drive by typing b:\ but it is not visible in Explorer. But if I log in as local admin it shows up in Windows Explorer. Any suggestions?
Hi Lloyd Reeves,
Based on my research, I would like to suggest the following:
Disconnect the mapped drive and map it again.
Ensure the user is using an administrator account, or try another user account.
Create a shortcut for a share folder and see if it will disappear.
In addition, it would be helpful for future troubleshooting if you could help to collect the following information:
Which method did you use to map drive?
Was there any error message in the Event log? If so, please provide the detailed information.
For your information, please refer to this similar case:
http://social.technet.microsoft.com/Forums/windows/en-US/6acab187-c46c-4ff9-8604-196c64ea8995/mapped-drives-not-visible-in-explorer-although-shown-in-map-network-drive?forum=w7itpronetworking
Regards,
Lany Zhang -
Hello,
I am trying to connect to my corporation's VPN server (ISA 2006) using the Windows 8.1 built-in VPN client, but it returns the following error:
Event ID 20227: dialed a connection named "VPN connection Name" which has failed. The error code returned on failure is 789.
The VPN connection works fine with Windows XP and Windows 7 with no issue; this error only appears when trying to connect using a Windows 8 client machine.
This error shows only on the Windows 8.1 client; the same procedure used to enroll the certificate from the internal CA (IPsec type) is followed.
Below are the ISA server specifications:
VPN Server : ISA 2006.
windows Server version 2003.
Appreciate your quick help and reply.
Thanks
Thanks for your reply.
I would like to add another point to this case: when we try to enroll a certificate from the internal CA web enrollment directly using Windows 8 (Internet Explorer 11), it installs a certificate without Digital Signature and Non-Repudiation in the key usage property, and then when we try to connect, it gives the above error 789.
When we enroll a certificate on Windows 7 (Internet Explorer 10) and then export and import this certificate into the Windows 8.1 machine (with the name of the Windows 8.1 machine), the VPN works normally and without issue.
The difference between the certificate properties on the Windows 7 machine and the Windows 8 machine is that the key usage is missing the Digital Signature and Non-Repudiation properties when enrolled from Windows 8.1 (Internet Explorer 11). This is in fact because we don't have an option for key usage "Both" when submitting a certificate on the web enrollment page from a Windows 8 machine; the only option available is "Exchange" (no "Signature" and "Both" options available).
I believe that there is something wrong when using Windows 8.1 Internet Explorer 11, so it gave a certificate with the wrong key usage property.
Appreciate your quick help in this.
Thanks -
User cannot connect through VPN (Windows 2008 R2)
Hello,
TechNet has been a major help for some recent server and network problems our office has been having.
There is one ongoing issue that no matter how much I try to fix, it wants to be stubborn and refuse to work properly.
We have a user who has the necessary permissions to VPN using our router's IP address. Just recently, she found that she was unable to VPN. This was the beginning of our technical issues as after rebooting the router, our main server, and our QuickBooks server, we lost internet and access to the main server. Those issues have been resolved. However, the user is still unable to VPN.
I have looked up every error code that has been presented when trying to connect to VPN (807 and 800 are the most frequent), and unfortunately, none of the solutions suggested worked. These errors occur when connecting through the WAN Miniport. I am trying to find out if I am overlooking something.
What has been tried:
Router rebooted
Created new user in Active Directory
Deleting the VPN Users group and re-adding it to the user
Changing tunneling protocol to L2TP instead of PPTP. Then, created a rule in Windows Advanced Firewall to allow UDP 1701.
Creating new VPN connection.
Confirmed with ISP that there are no issues with router
I am not extremely familiar with Windows 2008 R2 and every fix I see online is extremely in depth with not much walkthrough information.
I greatly appreciate any support anyone might be able to provide.
Thank you!
Hi,
According to your description, my understanding is that the client can't access the VPN with error codes 800 and 807.
I have noticed that it failed to ping the VPN server from the client. The VPN server should be reachable from the client without a VPN connection established. I suggest you turn off the firewall temporarily on both the client and the VPN server, then try to ping the IP address of the VPN server's interface which is connected to the external network.
If the ping fails, there might be a network connectivity problem. If the ping succeeds, check whether the port is open for tunneling traffic. For detailed troubleshooting steps you may reference the links below:
I received error 800, which says the VPN server is unreachable:
http://technet.microsoft.com/en-us/library/cc772616(WS.10).aspx#BKMK_1
Troubleshooting common VPN related errors:
http://blogs.technet.com/b/rrasblog/archive/2009/08/12/troubleshooting-common-vpn-related-errors.aspx
If this problem still exists, do other users successfully access the VPN? Or can just the specified device not access it? Would you briefly describe the deployment of the VPN, such as TCP/IP settings and VPN type?
Best Regards,
Eve Wang -
Problems connect to vpn since upgrading to Windows 8.1
Since upgrading from Windows 8.0 to 8.1, although normal web access is OK, I can no longer connect to VPN services, receiving error 619. Using another laptop running Windows 7 SP1 on the same router I can connect without any problems. Please help. I have limited technical knowledge with networking.
The instructions below are included on the site. These do not make sense in Windows 8.1. Right-clicking on the 'VPN connection' does not give any additional pop-up options (so no properties to change). I also cannot find any options to change the 'Security' settings as described. These instructions are for Windows 8.0; is 8.1 really that much different?
"........Click on the monitor icon on the bottom right-hand corner;
Right–click on the “VPNForUK.COM” connection, and choose “Properties” from the menu.
Select “Security” tab and for “Type of VPN” select “Point to Point Tunneling Protocol (PPTP)”;
Click “OK”;
Click again on the monitor icon on the bottom right-hand corner, and click “Connect” to “VPNForUK.COM”;
In the next fields type "vpnforuk" as VPN username and VPN password found from website and click "OK";........" -
I'm just about ready to ragequit for the day. I've been poring through dozens of support pages, YouTube videos, tutorials. The lack of true documentation on problems like this has me considering a start-up business that specifically deals with these frustrations. Clearly I could make millions!
I will detail everything about this problem as best as I can, to avoid confusion later with questions:
Here's what I have for hardware:
1) A Public IP Address. We'll just call it X.X.X.X.
2) A D-Link DI-604 router (yes, they DO support VPN services), with a router address of 192.168.1.254.
This router is running Firmware Version 3.53, the last firmware released for it on Wed, 18 Apr 2007 (YES I AM AWARE THE ROUTER IS OLD, DEFLECTING THIS ISSUE BY TELLING ME TO GET A NEWER ROUTER WITHOUT FIRST READING THROUGH EVERYTHING BELOW IS NOT A HELPFUL CONTRIBUTION TO THE PROBLEM, D-LINK HAS CONFIRMED THIS ROUTER SUPPORTS VPN PASSTHROUGHS).
3) A Mac Mini Server running 10.6.8, router address of 192.168.1.10.
Here are the ports that I've allowed through the router, pointed directly at 192.168.1.10 (aka my Server):
UDP Port 500
UDP Port 1701
UDP Port 4500
TCP & UDP Port 1723
Here is how I have the VPN Service configured on my Server:
L2TP is Enabled.
Starting IP address range of 192.168.1.180
Ending IP Address range of 192.168.1.189
PPP Authentication: Directory Service with Authentication set to MS-CHAPv2
IPSec Authentication is set to Shared Secret, let's just say the secret is "derp" without quotes.
PPTP is Disabled.
Client Information:
DNS Servers point to my router: 192.168.1.254
Search Domains is empty.
Network Routing Definition is empty.
Logging:
Verbose logging is enabled.
VPN Service is: Running.
Server User Information
Access to VPN Services:
Allow only users and groups below:
(I have users dedicated to this, but for the sake of this topic let's just say one of them is "misterderp" without quotes)
The Hardware I'm Using to Connect to the VPN Server:
I have a Macbook Pro running 10.6.8, another laptop running Windows XP Professional Service Pack 3, and another laptop running Windows 7 Home Premium 64-bit Service Pack 1. All 3 laptops acquire an IP Address via DHCP from the Router (192.168.1.254). Below is what happens when I try to set up a VPN connection on all 3 machines:
Computer #1: MacBook Pro, running 10.6.8
Settings: (this is in System Preferences > Network, by the way):
New VPN Connection
Server Address: X.X.X.X. (this is our Public IP Address)
Account Name: misterderp (this is the account who has access granted to use VPN)
Authentication Settings > User Authentication:
Password: (password given to misterderp from server)
Authentication Settings > Machine Authentication:
Shared Secret: derp (as specified in the L2TP tab of the VPN Service on the Server)
At this point I will try to connect. I receive the following error message:
=========
VPN Connection
The L2TP-VPN server did not respond. Try reconnecting. If the problem persists, verify your settings and contact your Administrator.
=========
Computer #2: Laptop, running Windows XP Professional Service Pack 3
Settings: (this is in Control Panel > Network Connections, by the way):
Add a New Connection
VPN Server Selection: X.X.X.X. (this is our Public IP Address)
Smart Card
Do not use my Smart Card
New VPN Connection Properties
General Tab:
Host Name: X.X.X.X.
Security Tab:
Security Options:
Advanced Custom Settings
Data Encryption: Require encryption (disconnect if server declines)
Allow These Protocols: Microsoft CHAP Version 2 (MS-CHAP v2)
IPSec Settings
Use Preshared key for authentication: derp (as specified in the L2TP tab of the VPN Service on the Server)
At this point I will try to connect. I am using the Account Name misterderp, and the password given to this account from the server. I receive the following error message:
=========
Error 800: Unable to establish the VPN connection. The VPN server may be unreachable, or security parameters may not be configured properly for this connection.
=========
Computer #3: Laptop, running Windows 7 Home Premium x64 Service Pack 1
Settings: (this is in Control Panel > Network and Internet > Network and Sharing Center, by the way):
Set Up a Connection or Network:
Connect to a workplace
Use my Internet Connection
Internet Address: X.X.X.X. (this is our Public IP Address)
Type your username and password:
User name: misterderp (specified on the Server to have VPN access)
Password: password given to the misterderp account
VPN Connection Properties:
Security Tab:
Type of VPN: Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec)
Advanced Settings: Use preshared key for authentication: derp (as specified in the L2TP tab of the VPN Service on the Server)
Data Encryption: Require encryption (disconnect if server declines)
Allow these protocols: Microsoft CHAP Version 2 (MS-CHAP v2)
At this point I will try to connect. The window hangs at "Connecting to X.X.X.X. using "WAN Miniport (L2TP)"". After about 30 seconds, I receive the following error message:
=========
Error 789: The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer.
=========
So there you have it, 3 sources of unintelligible frustration.
You're probably wondering, HEY, WHAT ABOUT THE LOG ON YOUR SERVER ADMIN PAGE?
I've been looking at the log, and there's a whole lot of nothing. The only thing I have is this:
#Start-Date: 2012-02-17 14:01:46 CST
#Fields: date time s-comment
2012-02-17 14:01:46 CSTLoading plugin /System/Library/Extensions/L2TP.ppp
2012-02-17 14:01:46 CSTListening for connections. . .
So the Server's not getting ANYTHING, let alone spit out errors.
Now you might be wondering, ALRIGHT, WHAT ABOUT VPN-ING WITHIN YOUR OWN NETWORK, THAT PROBABLY WORKS RIGHT?
Yes it does. Without any question, my MacBook Pro will connect to the VPN Service so long as I'm connecting DIRECTLY to the Server through its local IP address, and not trying to reach it through a public IP address that's forwarding the requests through the ports I've assigned.
At this point I am at a complete loss. I believe I have done everything correctly, but it would appear that my router isn't playing nice with VPN requests. If there is/are any other ports I should be turning on to point to my server, I would like to know what ones those are.
If there are any tweaks or additional settings I should know about for the Windows computers (especially Windows 7), I would like to know what those are.
If at the end of this post that you've just read you know with irrefutable proof or a reasonably educated decision that this router magically will not serve my VPN needs AT ALL, I would like to know a reasonably-priced alternative, preferably something that is not an Extreme Base Station, Time Capsule, or other product, because my ISP hates Apple-based routers for a reason even they do not understand.
If at the end of this post that you've just read you know with irrefutable proof or a reasonably educated decision that I would be better off attempting this with PPTP on this D-Link router, and if you know how to set the correct settings on Server Admin and forward the correct ports on the router I have, I would like to know that.
Thank you for reading this wall of text; anyone willing to help me with this is an amazing person.
Hi Esther,
After 3 months, I was finally able to revisit this issue. Here are the results of my nmap TCP test using your code:
Gerchak$ nmap -T5 XX.XX.XXX.XX
Starting Nmap 6.00 ( http://nmap.org ) at 2012-05-22 17:50 CDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 1.68 seconds
And here are the results of my UDP test using your code:
Gerchak$ sudo nmap -sU -T5 -p 500,1701,4500,9999 XX.XX.XXX.XX
Starting Nmap 6.00 ( http://nmap.org ) at 2012-05-22 17:51 CDT
Nmap scan report for xxx-bb-xxx-3-ws-6.xxx.xxxxxxxxxxxx.net (XX.XX.XXX.XX)
Host is up (0.096s latency).
PORT STATE SERVICE
500/udp open isakmp
1701/udp open|filtered L2TP
4500/udp open|filtered nat-t-ike
9999/udp open|filtered distinct
Obviously there's something wrong since the TCP scan registered a major problem, so I redid the scan per nmap's recommendations:
Gerchak$ nmap -Pn XX.XX.XXX.XX
Starting Nmap 6.00 ( http://nmap.org ) at 2012-05-22 17:55 CDT
Nmap scan report for xxx-bb-xxx-3-ws-6.xxx.xxxxxxxxxxxx.net (XX.XX.XXX.XX)
Host is up (0.14s latency).
Not shown: 990 filtered ports
PORT STATE SERVICE
22/tcp closed ssh
427/tcp closed svrloc
500/tcp closed isakmp
548/tcp open afp
1723/tcp closed pptp
5002/tcp closed rfe
5003/tcp open fm
5004/tcp closed avt-profile-1
5222/tcp open xmpp-client
8080/tcp open http-proxy
So, where should I go from here? 1723 is closed off yet my router says it's open. I'm just about ready to throw my hands up in the air and just purchase a different router. -
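The scan listings in the post above contain the answer to its closing question, but nmap's state names are easy to misread: "closed" is not the same thing as "blocked". The script below is an added example and not part of the thread; it parses the post's own scan output (quoted verbatim, with the public IP masked as in the post) and maps each port the poster forwards to the server onto what its nmap state actually says about the path through the router. The port roles come from the forwarding list and VPN settings earlier in the post; treating nmap's "Not shown" line as the default state for unlisted ports in that scan, and the `not scanned` label, are conventions of this example.

```python
import re

# Scan listings quoted from the post above; the public IP is masked there as XX.XX.XXX.XX.
UDP_SCAN = """\
Starting Nmap 6.00 ( http://nmap.org ) at 2012-05-22 17:51 CDT
Nmap scan report for xxx-bb-xxx-3-ws-6.xxx.xxxxxxxxxxxx.net (XX.XX.XXX.XX)
Host is up (0.096s latency).
PORT STATE SERVICE
500/udp open isakmp
1701/udp open|filtered L2TP
4500/udp open|filtered nat-t-ike
9999/udp open|filtered distinct
"""

TCP_SCAN = """\
Starting Nmap 6.00 ( http://nmap.org ) at 2012-05-22 17:55 CDT
Nmap scan report for xxx-bb-xxx-3-ws-6.xxx.xxxxxxxxxxxx.net (XX.XX.XXX.XX)
Host is up (0.14s latency).
Not shown: 990 filtered ports
PORT STATE SERVICE
22/tcp closed ssh
427/tcp closed svrloc
500/tcp closed isakmp
548/tcp open afp
1723/tcp closed pptp
5002/tcp closed rfe
5003/tcp open fm
5004/tcp closed avt-profile-1
5222/tcp open xmpp-client
8080/tcp open http-proxy
"""

# Compound states must come first so "open" does not swallow "open|filtered".
STATE = r"open\|filtered|closed\|filtered|open|closed|filtered"
PORT_RE = re.compile(rf"^(\d+)/(tcp|udp)\s+({STATE})\b", re.M)
NOT_SHOWN_RE = re.compile(rf"^Not shown: \d+ ({STATE}) ports", re.M)

# What each nmap state tells a defender about the path through the router.
MEANING = {
    "open": "a service answered: the forward works and something is listening",
    "closed": "the host answered with a reset/unreachable: the forward reaches a host, "
              "but nothing listens on that port",
    "filtered": "no answer of any kind: dropped by the router or a firewall before any host",
    "open|filtered": "no reply to the UDP probe: a silent listener and a drop look identical",
    "not scanned": "the port was not part of this scan",
}

def parse_scan(text):
    """Return ({(proto, port): state}, default state for ports nmap folded into 'Not shown')."""
    ports = {(proto, int(port)): state for port, proto, state in PORT_RE.findall(text)}
    m = NOT_SHOWN_RE.search(text)
    return ports, (m.group(1) if m else None)

def port_state(scans, proto, port):
    """Look a port up across scans; fall back to that scan's 'Not shown' state for its protocol."""
    for ports, default_state in scans:
        if (proto, port) in ports:
            return ports[(proto, port)]
        if default_state and any(p == proto for p, _ in ports):
            return default_state
    return "not scanned"

SCANS = [parse_scan(UDP_SCAN), parse_scan(TCP_SCAN)]

# Ports the post forwards to the server, with the role each plays for the VPN types configured there.
FORWARDED = [
    ("udp", 500, "IKE, the IPsec key exchange that L2TP/IPsec starts with"),
    ("udp", 4500, "IKE NAT traversal, used when a NAT sits between client and server"),
    ("udp", 1701, "L2TP, carried inside ESP once the IPsec tunnel exists"),
    ("tcp", 1723, "PPTP control channel (the post says PPTP is disabled on the server)"),
]

def assess(scans=SCANS):
    """(proto, port, state, meaning) for every forwarded port."""
    return [(proto, port, port_state(scans, proto, port), MEANING[port_state(scans, proto, port)])
            for proto, port, _ in FORWARDED]

def ipsec_reachable(scans=SCANS):
    """L2TP/IPsec cannot start unless IKE on UDP 500 gets an answer through the forward."""
    return port_state(scans, "udp", 500) == "open"

if __name__ == "__main__":
    for proto, port, state, meaning in assess():
        print(f"{port}/{proto:<3} {state:<14} {meaning}")
    print("IKE answered through the router:", ipsec_reachable())
```

Read the states rather than the "open"/"closed" words: `closed` on 1723/tcp means a reset came back, so the forward delivered the probe to a host that has nothing listening there, which is consistent with the post's note that PPTP is disabled on the server; `filtered`, the state of the other 990 TCP ports, is what a router silently dropping traffic looks like. On UDP only port 500 produced a positive answer, so IKE does get through; 1701 and 4500 show `open|filtered` because an unanswered UDP probe cannot distinguish a silent service from a drop, and a bare port scan cannot settle those two.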
Internet disconnects when trying to connect a vpn on a different user account on the same computer
I'm trying to have one user account with my real IP address and another user account on Windows 8 with a VPN connection. Every time I switch (I don't log out, I just lock the user) and then try to connect a VPN on the other user account, the internet disconnects on the other user account. It's like it wants to change my entire internet connection to use the VPN instead of having a separate connection on each user account. Is there a way around this or am I stuck having to use two laptops? I also unchecked "Use default gateway on remote network" on the VPN.
Hi,
Try temporarily disabling the firewall to see if the same issue occurs.
Leo Huang
TechNet Community Support
This is definitely not the answer. Why is it marked as the answer? -
MaxDB Connection Issue for Content Server
Hi All,
We have installed Content Server 6.40 on a Windows 2003 server.
We are able to visit the URL http://host:port/ContentServer/ContentServer.dll?serverInfo
But while creating a repository I am facing issues; it throws the error
"HTTP error: 500 (Internal Server Error) "CreateTab ContentStorage, connect error SQLConnect failed, [Microsoft][ODBC Driver Manager] Data s"
Checked these two notes, 698915 and 301352, and ran the command to register the MaxDB drivers and got the message that the drivers registered successfully.
But still I am not able to create a repository using CSADMIN.
Also, when trying to connect to MaxDB using the superdba or control user, it throws the error "-2 ERR_USRFAIL authorization failed".
Even with the control user I am not able to log in. I am giving the password which I gave during installation.
Database is SDB
Please suggest.
Regards
Ajay
Hello Ajay,
1. I recommend you create an SAP ticket if you fail to connect to MaxDB using the superdba or control user with the passwords known to you.
2. Could you post the password which you used during the installation?
In the past the issue was with using passwords of more than 9 characters with Unicode MaxDB.
If you were using, for example, the "test123456" password, try to connect to the database with the "test12345" password (the first 9 characters of the password you used during the installation).
Thank you and best regards, Natalia Khlopina -
Connection to VPN doesn't work with exclamation mark on Network symbol
Hello everyone,
I'm new to this forum and not really professional in VPN stuff, though I'm an experienced computer user and programmer. I'm using Cisco VPN 5.0.07.0440-k9-x64 from the Paul Scherrer Institute on Windows 8 64-bit. The program was previously working fine, but at some point, whenever I connect to the VPN and log in, I lose connection to the internet, nothing related to my internet connection works, and I see an exclamation mark on the wireless network symbol. And when I disconnect the VPN, everything goes back to normal.
I got almost the same problem when I installed Kaspersky Internet Security due to some suspicion on security, but then I removed it and everything was back to normal. After that, the VPN worked for some time, and again didn't work anymore at some point. First thing I tried is disabling the Windows Firewall, and it didn't help.
My network adapter is: Qualcomm Atheros AR9002WB-1NG Wireless Network Adapter
In my network adapter, I can't change the TCP/IP v4 Configuration. When I double click, it says something like: "For the configuration of TCP/IP, there must be a network device installed and activated" (The sentence is translated from German, my Windows is German).
Is there like a "global reset" that would get the VPN to work again? What should I do?
Please advise, and if you require any piece of information, let me know.
Thank you.
I'm now using VPNC on Linux. No more Cisco! Crappy program and crappy support!
-
Problems accessing 1 remote desktop when connected with VPN
Hi everyone,
I have an ASA 5505 and have a problem where when I connect through VPN I can RDP into a server using its internal address but I cannot RDP to another server using its internal address.
The one I can connect to has an IP of 192.168.2.10 and the one I cannot connect to has an IP of 192.168.2.11 on port 3390.
Both rules are configured exactly the same except for the IP addresses and I cannot see why I cannot connect to this one server.
I am also able to connect to my camera system with an IP 192.168.2.25 on port 37777 and able to ping any other device on the internal network.
I've also tried pinging it and telnetting to port 3390 with no success.
Here is the config.
ASA Version 8.4(4)1
interface Ethernet0/0
 switchport access vlan 3
interface Ethernet0/1
interface Ethernet0/2
 switchport access vlan 2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan2
 nameif inside
 security-level 100
 ip address 192.168.2.2 255.255.255.0
interface Vlan3
 nameif outside
 security-level 0
 ip address 10.1.1.1 255.255.255.0
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network CTSG-LAN-OUT
 range 10.1.1.10 10.1.1.49
object network CTSG-LAN-IN
 subnet 192.168.2.0 255.255.255.0
object service RDP3389
 service tcp destination eq 3389
 description To DC
object network SERVER-IN
 host 192.168.2.10
object network SERVER-OUT
 host 10.1.1.50
object network CAMERA-IN-TCP
 host 192.168.2.25
object network CAMERA-OUT
 host 10.1.1.51
object service CAMERA-TCP
 service tcp destination eq 37777
object network SERVER-Virt-IN
 host 192.168.2.11
object network SERVER-Virt-OUT
 host 10.1.1.52
object service RDP3390
 service tcp destination eq 3390
 description To VS for Master
object network CAMERA-IN-UDP
 host 192.168.2.25
object service CAMERA-UDP
 service udp destination eq 37778
object network CTSG-LAN-OUT-VPN
 subnet 10.1.1.128 255.255.255.128
object network SERVER-Virt-IN-VPN
 host 192.168.2.11
object network SERVER-IN-VPN
 host 192.168.2.10
object network CAMERA-IN-VPN
 host 192.168.2.25
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list inside1_access_in remark Implicit rule: Permit all traffic to less secure networks
access-list inside1_access_in extended permit ip any any
access-list outside_access_in extended permit object RDP3389 any host 192.168.2.10
access-list outside_access_in extended permit object RDP3390 any host 192.168.2.11
access-list outside_access_in extended permit object CAMERA-TCP any host 192.168.2.25
access-list outside_access_in extended permit object CAMERA-UDP any host 192.168.2.25
pager lines 24
logging enable
logging buffer-size 10240
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RAVPN 10.1.1.129-10.1.1.254 mask 255.255.255.128
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static SERVER-IN-VPN SERVER-IN-VPN destination static CTSG-LAN-OUT-VPN CTSG-LAN-OUT-VPN
nat (inside,outside) source static CAMERA-IN-VPN CAMERA-IN-VPN destination static CTSG-LAN-OUT-VPN CTSG-LAN-OUT-VPN
nat (inside,outside) source static SERVER-Virt-IN-VPN SERVER-Virt-IN-VPN destination static CTSG-LAN-OUT-VPN CTSG-LAN-OUT-VPN
object network CTSG-LAN-IN
nat (inside,outside) dynamic interface
object network SERVER-IN
nat (inside,outside) static SERVER-OUT service tcp 3389 3389
object network CAMERA-IN-TCP
nat (inside,outside) static CAMERA-OUT service tcp 37777 37777
object network SERVER-Virt-IN
nat (inside,outside) static SERVER-Virt-OUT service tcp 3390 3390
access-group inside1_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.1.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=SACTSGRO
crl configure
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 15
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 15
dhcpd auto_config inside
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password xxxxx encrypted privilege 15
username admin attributes
vpn-group-policy DfltGrpPolicy
tunnel-group CTSGRA type remote-access
tunnel-group CTSGRA general-attributes
address-pool RAVPN
tunnel-group CTSGRA ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:0140431e7642742a856e91246356e6a2
: end
Thanks for your help
Ok,
So you basically have configured the router so that you can connect directly to the ASA using the Cisco VPN Client. And the objective was, in the end, to allow traffic to the LAN through the VPN Client connection ONLY.
It would seem to me that to achieve that, you would only need the following NAT configurations:
VPN Client NAT0 / NAT Exempt / Identity NAT
object network LAN
subnet 192.168.2.0 255.255.255.0
object network VPN-POOL
subnet 10.1.1.128 255.255.255.128
nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
The purpose of the above NAT configuration is simply to tell the ASA not to do any kind of NAT when there is traffic between the LAN network of 192.168.2.0/24 and the VPN Pool of 10.1.1.128/25. This way, if you have any additional hosts on the LAN that need to be connected to, you won't have to make any changes to the NAT configuration for the VPN client users. You just allow the connections in the ACL (explained later below).
Default PAT
object-group network DEFAULT-PAT-SOURCE
network-object 192.168.2.0 255.255.255.0
nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
This configuration's purpose is just to replace the earlier Dynamic PAT rule on the ASA. I guess your router will be doing the translation from the ASA "outside" interface IP address to the router's public IP address, and this configuration should therefore allow normal Internet usage from the LAN.
I would suggest removing all the other NAT configuration before adding these.
Controlling VPN clients access to internal resources
Also, I assume that your current VPN client is configured as Full Tunnel. In other words, it will tunnel all traffic to the VPN connection while it's active?
To control the traffic coming from the VPN Client users, I would suggest that you do the following:
Configure "no sysopt connection permit-vpn". This will change the ASA operation so that connections coming through a VPN connection ARE NOT allowed by default to bypass the "outside" interface ACL. Therefore, after this change you can allow the connections you need in the "outside" interface ACL.
Configure any rules you need regarding the VPN client connections in the "outside" interface ACL. Though I guess they already exist, since you are connecting there without the VPN also.
I can't guarantee this with 100% certainty, but it would seem to me that the above things should get you to the point where you can access the internal resources ONLY after you have connected to the ASA through the VPN client connection. Naturally, take precautions like configuration backups if you are going to make major configuration changes. Also, if you are remotely managing the ASA, then you also have the option to configure a timer on the ASA after which it will automatically reload. This could help in situations where a misconfiguration breaks your management connection and you have no other way to connect remotely. Then the ASA would simply reboot after the timer ran out, and also reboot with the original configuration (provided you hadn't saved anything in between).
Why are you using a different port for the other device's RDP connection? I can understand it if it's used through the Internet, but if the RDP connection would be used through the VPN Client only, then I don't think there is any need to manipulate the default port of 3389 on the server or on the ASA.
Also, naturally, if there is something on the actual server side preventing these connections, then these configuration changes might not help at all.
Let me know if I have understood something wrong.
- Jouni
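As an added example, not part of the thread, here is a small Python audit that parses an ASA running-config excerpt and checks the two points made in the reply above: that an identity NAT (NAT exempt) rule covers traffic between the LAN and the VPN pool, and that "no sysopt connection permit-vpn" is present so VPN client traffic is subject to the "outside" interface ACL. The config excerpt, object names and addresses are constructed from the reply's snippets and are assumptions, not the poster's full configuration.

```python
import ipaddress
import re

# Constructed ASA running-config excerpt modelled on the reply's snippets
# (object names and addresses follow the thread; the excerpt is an assumption).
SAMPLE_CONFIG = """\
object network LAN
 subnet 192.168.2.0 255.255.255.0
object network VPN-POOL
 subnet 10.1.1.128 255.255.255.128
nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
object-group network DEFAULT-PAT-SOURCE
 network-object 192.168.2.0 255.255.255.0
nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
no sysopt connection permit-vpn
"""

def parse_objects(config):
    """Map each 'object network NAME' to the ip_network of its 'subnet' line."""
    objects, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^object network (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^\s+subnet (\S+) (\S+)", line)
        if m and current:
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
    return objects

def nat_exempt_pairs(config, objects):
    """Twice-NAT rules that translate source and destination objects to themselves."""
    pat = re.compile(r"^nat \(\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)")
    pairs = []
    for m in filter(None, map(pat.match, config.splitlines())):
        src, src_t, dst, dst_t = m.groups()
        if src == src_t and dst == dst_t and src in objects and dst in objects:
            pairs.append((objects[src], objects[dst]))
    return pairs

def audit(config, lan, vpn_pool):
    """Check the reply's two points for the given LAN and VPN pool (CIDR strings)."""
    lan, vpn_pool = ipaddress.ip_network(lan), ipaddress.ip_network(vpn_pool)
    pairs = nat_exempt_pairs(config, parse_objects(config))
    exempt = any(lan.subnet_of(s) and vpn_pool.subnet_of(d) for s, d in pairs)
    # 'sysopt connection permit-vpn' is on by default and not shown in the running
    # config; only an explicit 'no ...' line makes VPN traffic hit the outside ACL.
    enforced = "no sysopt connection permit-vpn" in {l.strip() for l in config.splitlines()}
    return {"nat_exempt_ok": exempt, "vpn_subject_to_outside_acl": enforced}
```

Run `audit(SAMPLE_CONFIG, "192.168.2.0/24", "10.1.1.128/25")` against a real `show running-config` paste to see which of the two conditions is still missing.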