WLC and AP on different subnets
I would like to add a new AP to my existing controller. Currently I have about 15 APs connected to a separate mgt vlan for the APs, vlan 10. It is trunked to the controller as well as the other user vlans like Private, Public, WVoIP etc. I have already started to implement EIGRP network wide instead of having a large layer 2 vlan'd network. At one of the newest locations I'm routing at, I have a new AP to connect. I'm trying to make sure this design will work before I implement it. So, I have a 3560 connected to my core 4506 with a layer 3 connection. EIGRP running as well. I plan to have the 3560 do intervlan routing with a voice vlan, data and wireless. The problem I see is how can I get the AP to talk with the controller since they are on different subnets, over a metro E "WAN"? Any suggestions would be great.
As long as the LAPs have been primed locally first, that LAP will have the IP address of the WLC. If you want to attach the LAP to a different L3 subnet, then configure ip helper-address using the management IP of each WLC. Then configure ip forward-protocol udp 12222 & ip forward-protocol udp 12223 globally on the L3 router. This, along with the ip helper, will allow the LAPs to join the WLC on the other end.
Similar Messages
-
Roaming between WLC and vWLC on different code versions
Hi,
I have the following setup in our environment, a HA 5508 pair running 7.4.100 and a vWLC running 7.6.130. I have mobility setup between the two with the control and data path up and running. All the access points are setup for FlexConnect.
When I join an SSID using PSK on an AP associated with the vWLC and then roam to an AP on the 5508, I drop a few pings but stay connected no problem. However when I join an SSID using PEAP (both WLC's using Radius to Cisco ISE 1.2 for this) and repeat the test, my client actually drops my wireless connection and then rejoins.
Is this expected behaviour when running controllers on different versions? This is only temporary until I upgrade the 5508 pair.
Cheers
Brian
Oh... Forgot. With FlexConnect, you also want to create FlexConnect Groups. See this link:
http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_010001111.html
-Scott -
Server and router on different subnets
Hello
Scenario 1.
A Server with one NIC assigns DHCP addresses within the 192.168.1.x/24 network.
The internet router is on the 192.168.0.x/24 network.
How can the DHCP clients access the Internet?
If the scenario requires adding another NIC, no problem.
Thanks
Kostas B.
Please explain your network setup further.
If you really need two subnets you must route between them and that could be achieved with OS X and two network interfaces.
Also if not using NAT in the server you need a static route in the Internet router pointing back at the second router IP on the same subnet and using that as the gw IP for the second subnet.
If you want to use VPN later using other network numbers is better. -
Dhcp: default gateway not added if ip and gateway in different subnets
Hi! Help needed with Arch's DHCP client. (dhcpcd)
Assume that ISP leased ip 78.37.180.62/24 and gateway 78.37.0.1
On my home router when you plug cable, routing table is like this:
Destination Gateway Genmask Flags Metric Ref Use Iface
78.37.0.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
78.37.180.0 0.0.0.0 255.255.255.0 U 202 0 0 eth0
0.0.0.0 78.37.0.1 0.0.0.0 UG 202 0 0 eth0
But on Arch it's much tinier:
78.37.180.0 * 255.255.255.0 U 202 0 0 eth0
And no internet for me.
I've read that before adding a gateway you need to add a route to that gateway or you get an error: SIOCADDRT: No such process.
I believe this very error is what Arch's dhcp client gets when it tries to add the gateway.
Funny thing is if you manually add the route to the gateway, the gateway is auto-added in 5-10 sec.
# route add 78.37.0.1/32 dev eth0
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
78.37.0.1 * 255.255.255.255 UH 0 0 0 eth0
78.37.180.0 * 255.255.255.0 U 202 0 0 eth0
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
78.37.0.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
78.37.180.0 0.0.0.0 255.255.255.0 U 202 0 0 eth0
0.0.0.0 78.37.0.1 0.0.0.0 UG 202 0 0 eth0
Where to dig? Are the routes added by some script that can be modified?
Last edited by leniviy (2009-05-23 20:22:52)
Also, until correct route is added, someone keeps logging to daemon.log:
May 23 21:27:22 IL dhcpcd: eth0: add_route: No such process
May 23 22:33:05 IL dhcpcd: eth0: send_raw_packet: Network is down
May 23 22:34:54 IL dhcpcd: eth0: add_route: No such process
May 23 22:35:09 IL dhcpcd: eth0: add_route: No such process
May 23 22:35:24 IL dhcpcd: eth0: add_route: No such process
May 23 22:35:39 IL dhcpcd: eth0: add_route: No such process
May 23 22:35:54 IL dhcpcd: eth0: add_route: No such process
May 23 22:36:09 IL dhcpcd: eth0: add_route: No such process
May 23 22:36:24 IL dhcpcd: eth0: add_route: No such process -
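The behaviour described in this thread, as an added example that is not part of the original posts: a toy model of the kernel rule that a route's gateway must already be covered by a direct (gateway-less) route on the same interface, using the lease and gateway quoted above. The `RouteTable` class and `apply_lease` helper are hypothetical names made up for this illustration.

```python
import errno
import ipaddress


class RouteTable:
    """Toy routing table: a next hop is accepted only if a direct route covers it."""

    def __init__(self):
        self.routes = []  # list of (network, gateway or None, interface)

    def _directly_reachable(self, gateway, iface):
        # A gateway is usable only via a route that itself has no gateway.
        return any(
            gw is None and dev == iface and gateway in net
            for net, gw, dev in self.routes
        )

    def add(self, dest, iface, via=None):
        net = ipaddress.ip_network(dest)
        gateway = ipaddress.ip_address(via) if via else None
        if gateway is not None and not self._directly_reachable(gateway, iface):
            # Same errno the thread shows as "add_route: No such process".
            raise OSError(errno.ESRCH, "No such process")
        self.routes.append((net, gateway, iface))


def apply_lease(table, lease_cidr, gateway, iface, add_host_route):
    """Install the routes for a DHCP lease; return the destinations installed."""
    lease = ipaddress.ip_interface(lease_cidr)
    gw = ipaddress.ip_address(gateway)
    table.add(str(lease.network), iface)          # connected subnet
    if add_host_route and gw not in lease.network:
        table.add(f"{gw}/32", iface)              # on-link host route to the gateway
    table.add("0.0.0.0/0", iface, via=gateway)    # default route
    return [str(net) for net, _, _ in table.routes]


if __name__ == "__main__":
    # Values quoted in the thread: lease 78.37.180.62/24, gateway 78.37.0.1.
    try:
        apply_lease(RouteTable(), "78.37.180.62/24", "78.37.0.1", "eth0", False)
    except OSError as exc:
        print("without host route:", exc.strerror)
    print(apply_lease(RouteTable(), "78.37.180.62/24", "78.37.0.1", "eth0", True))
```

With the host route in place the model ends up with the same three destinations as the home router's table quoted in the post.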
Cucm Pub and Sub in different network
Can we have CUCM 10.5 publisher and subscriber in different subnets ?
Yes, as long as there is connectivity, if this is a WAN, make sure enough BW is there.
-
Management and AP Manager on Different Subnets ...
Hello,
I am getting ready to implement a WLAN where the customer has designed the Management and AP Manager to be on different subnets. I have never done a WLAN implementation in this manner because per Cisco's config guide it states ...
"The AP-manager interface’s IP address must be different from the management interface’s IP address and may or may not be on the same subnet as the management interface. However, Cisco recommends that both interfaces be on the same subnet for optimum access point association."
So, I have always followed this recommendation and have always made the 2 interfaces be in the same subnet with IP's in sequential order. The config guide does say it'll work but I am just not sure what if anything do I have to do for this to work properly ... or if there is really a difference on how the process works doing it either way.
I plan on using LAG with Layer 3 ... most times I place the APs in the same wireless subnet/vlan as the management interface and AP manager but in this case or until I get more info it looks like they all may be in different subnets. So, if that's the case would I just need to use the Option 43 so the APs can find the WLC and if that is the case would I put the AP Manager IP or still use the WLC IP ... guess I would have that same question if I went the DNS route? Or do I still use the WLC IP address for the APs to join and at that point the AP Manager would take over the LWAPP communications?
Thanks for all your help in advance!
You should be using the WLC Management IP as documented in "Cisco 440X Series Wireless LAN Controllers Deployment Guide". Below is quoted from that document.
"The IP address of the WLC Management Interface should be used for Option 43 and DNS resolution of
CISCO-LWAPP-CONTROLLER.localdomain." For further information, see the section on "Understanding
Deployment Basics" beginning on page 13. Detailed information on using vendor specific DHCP Option 43
for WLC discovery is included in Appendices C, D, and E of this document.
Also there is no issue having the AP Manager and Management interfaces in different vlans although not recommended, just be sure to allow both vlans across the trunk to the WLC. I would also recommend placing your APs in different vlans than the WLC Mgmt/AP Mgr vlan. Cisco recommends having no more than 60-100 APs per vlan to minimize re-association problems in case of network failure. -
IP and VIP addresses temporarily on different subnets
I was wondering if it's possible to add a third node temporarily on a different subnet ?
I mean.. now my two nodes have these IP: XXX.XXX.0.5 and XXX.XXX.0.6 , VIP are: XXX.XXX.7.15 and XXX.XXX.7.16
Is it possible to add a third node with IP YYY.YYY.0.7 and VIP YYY.YYY.7.17 ?
Of course they can ping each other and successfully use ssh equivalence...
Thanks.
Unfortunately not, the nature of the way VIPs work means that they must be on the same subnet throughout the cluster
-
Management and native Vlan in different subnet??
Can I have a management ip and native vlan in different subnet on an AIR-1242 and 2960 switch?
Native on Switch = 1.
Interface vlan 100 = 10.10.1.25X /24
BVI ip in vlan 100 = 10.10.1.25X /24
-HM-
Hi,
Thanks for the update..
Ok in short YES this can be done.. here is the AP configuration..
Step 1>> Configure the SSID and map it with respective Vlans..
Step 2>> Create the sub interface int dot11 0.5 / int fa 0.5 (encapsulation dot1q 5 , bridge-group 5) and int dot11 0.6 / int fa 0.6 (encapsulation dot1q 6 , bridge-group 6)
Step 3>> Create the sub interface 0.100 for both Radio and Fa and under this (encapsulation dot1q 100 native , bridge-group 1)
Step 4>> Make sure all the interfaces are up and running and try to ping the VLAN 100 interface ip addr from the AP to verify.
lemme know if this answered your question..
Regards
Surendra
====
Please don't forget to rate the posts which answered your question and mark it as answered or was helpful -
How to map two different subnets to one SSID
Hi Experts ,
We have two offices in the same city at different locations, however we are planning to bring both offices to the same location.
Now let's say site A has controller 5508 configured with 24 APs with 10.10.10.x subnet for internal SSID and Site B which is shifting to Site A campus has a different subnet ( 10.10.20.x ) for the same SSID.
Site B has no controller since they had connection with H-reap and they were using a different subnet for internal SSID ( 10.10.20.x ) .....
Now I need to add their APs to the Site A controller, which will be extended wireless LAN, however we would like to keep the same subnet ( 10.10.20.x ) that Site B has for wireless clients, which is really confusing me ....
I already have a client subnet for site A with 10.10.10.x /24 subnet and nearly 200 users are already using this wireless client subnet....
How do I add their ( Site B ) subnet / 10.10.20.x with the same SSID configured, which is globally only one SSID ?
Limitations :
I can not create a new SSID for site B since the same will be broadcasting even in Site A APs
Is it possible to map one more subnet of site B to the existing SSID with an already different subnet ( 10.10.10.x ) ?
Your suggestions will be really helpful for me to go ahead and understand in a better manner ...
Well first off, you need to bring that subnet over to site A without breaking any routing. Once you do that then site B's subnet will have a different vlan than site A of course. Now with both subnets working in site A, you create a dynamic interface on the WLC for that new subnet. Create an AP group for both sites, you can name it by vlan or by any name you want. Now in the AP group for site A, you define what SSIDs you want and map the vlan to that AP group. Then add site A's APs to that group. You do this also for site B's APs and map the SSID to the new subnet you brought over and move the APs to that group. The APs from site B would have to be set up in local mode not hreap.
Makes sense
Sent from Cisco Technical Support iPhone App -
Dynamic VLAN assignment with WLC and ACS for
Currently, using our autonomous APs and ACS, our users get separate VLANs per building based on their security level (students or staff). Basically, the student VLAN in one building is different from that of the student VLANs in other buildings on campus. Currently, we do this by filling the Tunnel-Private-Group-ID IETF RADIUS attribute with the VLAN name. This all works because each individual AP can map VLAN names to different VLANs like this:
dot11 vlan-name STUDENT vlan 2903
dot11 vlan-name FACSTAF vlan 2905
As we are working on our WiSM deployment, we see that the document below shows how to do the dynamic VLAN assignment on our WLAN controllers:
http://www.cisco.com/en/US/customer/products/sw/secursw/ps2086/products_configuration_example09186a00808c9bd1.shtml
However, we haven't figured out if it's possible to still provide our users with different VLANs for each building they're in.
With the instructions above, it looks like ACS uses a Cisco RADIUS Attribute to indicate the Air-Interface-Name, mapping an ACS/AD group to a single WLC interface which can only have one VLAN/subnet associated with it.
Does anybody know if what we're trying to accomplish is possible, or if we're really stuck with only one VLAN/subnet per mapped ACS group?
We only have the one WiSM for all of campus, so it's handling everything. The Cisco docs do indicate how to put different users in different VLANs, but we don't currently see a way to also put them in different subnets per building.
This being the case, any suggestions on how best to handle more than a Class C subnet's worth of users? Should we just subnet larger than Class C, or is there a more elegant way of handling this? -
Internal DHCP scope for AP on WLC 7.0 (on diff subnet)
Hi All,
I would like to know if it is possible to assign a dhcp pool on a different subnet to the WLC management interface?
Eg: Management Interface is on 172.16.4.100 /24
I would like to use the WLC Internal DHCP to assign IP to my APs on a different range 172.16.2.x /24
Is that possible?
I have tried assigning a dhcp scope for the AP within the same subnet as the management interface and it works. But that is not my requirement.
Apparently I need my AP to be sitting on a different vlan.
Please advise
No, it's not possible.. this works only if the AP and the WLC management interface are in the same subnet!! For your issue we use something called DHCP OPTION 43, google search DHCP OPTION 43 + cisco, the first link that you get will help you!!
Please don't forget to rate the useful posts!!
Regards
Surendra -
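Both answers above (the deployment-guide quote and this reply) point to DHCP Option 43 carrying the WLC management IP. As an added example that is not part of the original posts, the sketch below encodes, decodes and audits that payload. It assumes the sub-option layout Cisco documents for lightweight Aironet APs (type 0xf1, length 4 x number of controllers, then the IPv4 addresses), which this page does not spell out; the function names and the AP-manager address are constructed for illustration.

```python
import ipaddress
import re

WLC_SUBOPTION_TYPE = 0xF1  # assumed Cisco sub-option type for WLC addresses


def encode_option43(wlc_mgmt_ips):
    """Build the Option 43 hex payload for a list of WLC management IPs."""
    if not wlc_mgmt_ips:
        raise ValueError("at least one WLC management IP is required")
    addrs = [ipaddress.IPv4Address(ip) for ip in wlc_mgmt_ips]
    length = 4 * len(addrs)
    if length > 255:
        raise ValueError("too many controllers for a one-byte length field")
    payload = bytes([WLC_SUBOPTION_TYPE, length]) + b"".join(a.packed for a in addrs)
    return payload.hex()


def decode_option43(hex_payload):
    """Parse a payload such as 'f104.ac10.0464' back into dotted-quad IPs."""
    raw = bytes.fromhex(re.sub(r"[.:\s]", "", hex_payload))
    if len(raw) < 2:
        raise ValueError("payload too short for type and length")
    sub_type, length, value = raw[0], raw[1], raw[2:]
    if sub_type != WLC_SUBOPTION_TYPE:
        raise ValueError(f"unexpected sub-option type 0x{sub_type:02x}")
    if length == 0 or length % 4 or length != len(value):
        raise ValueError("length field does not match a whole number of IPv4 addresses")
    return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, length, 4)]


def audit_option43(hex_payload, management_ips, ap_manager_ips):
    """Flag advertised addresses that are not WLC management interfaces."""
    findings = []
    for ip in decode_option43(hex_payload):
        if ip in ap_manager_ips:
            findings.append(f"{ip}: AP-manager address advertised; use the management IP")
        elif ip not in management_ips:
            findings.append(f"{ip}: not a known WLC management IP")
    return findings


if __name__ == "__main__":
    mgmt = {"172.16.4.100"}        # management interface from the question above
    ap_mgr = {"172.16.4.101"}      # constructed AP-manager address
    print(encode_option43(sorted(mgmt)))
    print(audit_option43("f104.ac10.0465", mgmt, ap_mgr))
```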
Mobility groups, failover across different subnets
I've been reading up on 5.1 and am wondering how and if actual failover across subnets is an option.
I understand the roaming of clients from controllers in the same MG on diff subnets.
How does it work if your primary "anchor" isn't alive to replicate the DB entry to the off-subnet controller? Say if my local WiSM's die and the backup is in the next state, how will the AP's maintain connectivity?
Thanks!
Yes, but the AP's will take the new configuration from that WLC. Also... users will get tunneled back to that WLC and be dumped off in that subnet. So make sure you understand the SSID and what IP's clients will get when they associate to different WLC's. That should do it.
-
WLC4402: same VLAN, different subnet - can it work?
Hi,
I bumped into an interesting issue with WLC4402. Management interface and prod-interface were in the same vlan, but they have different subnets. It seems that "there are two subnets in a same vlan" - 192.168.66.0/24 is defined as primary network in the router and 192.168.72.0/24 as secondary. See the pic attached.
At the moment there is v.4.2.176.0 running and it works. When I tried to upgrade it to v.6.0.199.4 something goes wrong. Controller changed prod-interface port to 0 and I can't change it back to 1 or 2. My best guess is that the WLC is not able to handle this kind of setup...but why is it working at the moment??
Any comments would be most appreciated. Thank you.
-Petri
It's actually a wonder/miracle that someone was able to configure this in the first place, in my opinion.
Maybe it was configured with an old WLC release and survived the upgrade to 4.2
For sure, this is definitely something that the WLC now prevents you from configuring. It's not supposed to work. Just an example: if you get layer 2 traffic on that vlan (arp for example), where to reply? You can't know which subnet it comes from. So it basically means that you are bridging the 2 subnets together, and then why not just give them the same vlan id? The effect would be the same.
It's anyway going against the linux routing engine, so I'm still wondering how it was working on 4.2
It was probably bridging vlans and doing some inefficient forwarding without you realizing it. So definitely something you should avoid configuring. -
ASA 5505: VPN Access to Different Subnets
Hi All-
I'm trying to figure out how to configure our ASA so that remote users can have VPN access to two different subnets (office LAN and phone LAN). Currently, I have 3 VLANs set up -- VLAN 1 (inside), VLAN 2 (outside), VLAN 13 (phone LAN). Essentially, remote users should be able to access their PC (192.168.1.0 /24) and also access the office phone system (192.168.254.0 /24). Is this even possible? Below are the configurations on our ASA,
Thanks in advance:
ASA Version 8.2(5)
names
name 10.0.1.0 Net-10
name 20.0.1.0 Net-20
name 192.168.254.0 phones
name 192.168.254.250 PBX
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 13
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.98 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address X.X.139.79 255.255.255.224
interface Vlan3
no nameif
security-level 50
ip address 192.168.5.1 255.255.255.0
interface Vlan13
nameif phones
security-level 100
ip address 192.168.254.200 255.255.255.0
ftp mode passive
object-group service RDP tcp
port-object eq 3389
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp eq ssh
access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 192.168.1.0 255.255.255.0
access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 phones 255.255.255.0
access-list inside_nat0_outbound extended permit ip any Net-10 255.255.255.224
access-list inside_access_in extended permit ip any any
access-list Split_Tunnel_List standard permit Net-10 255.255.255.224
access-list phones_nat0_outbound extended permit ip any Net-10 255.255.255.224
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 host Mac any
pager lines 24
logging enable
logging timestamp
logging monitor errors
logging history errors
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu phones 1500
ip local pool SSLClientPool-10 10.0.1.1-10.0.1.20 mask 255.255.255.128
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 10 interface
global (outside) 1 interface
global (phones) 20 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 10 access-list vpn_nat_inside outside
nat (phones) 0 access-list phones_nat0_outbound
nat (phones) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.139.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=pas-asa.null
keypair pasvpnkey
crl configure
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
vpn-sessiondb max-session-limit 10
telnet timeout 5
ssh 192.168.1.100 255.255.255.255 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh Mac 255.255.255.255 outside
ssh timeout 60
console timeout 0
dhcpd auto_config inside
dhcpd address 192.168.1.222-192.168.1.223 inside
dhcpd dns 64.238.96.12 66.180.96.12 interface inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect-essentials
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
wins-server none
dns-server value 64.238.96.12 66.180.96.12
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
ipv6-vpn-filter none
vpn-tunnel-protocol svc
group-lock value PAS-SSL-VPN
default-domain none
vlan none
nac-settings none
webvpn
svc mtu 1200
svc keepalive 60
svc dpd-interval client none
svc dpd-interval gateway none
svc compression none
group-policy DfltGrpPolicy attributes
dns-server value 64.238.96.12 66.180.96.12
vpn-tunnel-protocol IPSec svc webvpn
tunnel-group DefaultRAGroup general-attributes
address-pool SSLClientPool-10
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group PAS-SSL-VPN type remote-access
tunnel-group PAS-SSL-VPN general-attributes
address-pool SSLClientPool-10
default-group-policy SSLClientPolicy
tunnel-group PAS-SSL-VPN webvpn-attributes
group-alias PAS_VPN enable
group-url https://X.X.139.79/PAS_VPN enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
no call-home reporting anonymous
Hi Jouni-
Yes, with the current configs remote users only have access to the 'inside' LAN (192.168.1.0). The digital PBX on the 'phone' LAN (192.168.254.0) is not reachable through their VPN session.
Per your recommendation, I removed the following configs from my ASA:
global (phones) 20 interface
... removing this configuration didn't make a difference -- I was still able to ping the inside LAN, but not the phone LAN.
global (inside) 10 interface
nat (outside) 10 access-list vpn_nat_inside outside
.... removing these two configurations caused the inside LAN to be unreachable. The phone LAN was not reachable, either. So, I put the '10' configurations back.
The ASDM syslog is showing the following when I try to ping the PBX (192.168.254.250) through the VPN session:
"portmap translation creation failed for icmp src outside:10.0.1.1 dest phones:PBX (type 8, code 0)"
What do you think?
Thanks! -
Can ARD 3 now share a screen across 2 different subnets
We have one central office. Clients access that office via a VPN. We can then share our screen with them as we work on a proof of a project.
It's a great solution, however, we can't with ARD 2.2 get it to work with two clients at once over the VPN.
An old Kbase article said that it wasn't possible to route screen sharing to two different subnets in the 2.2 version. But rather required all clients be on the same subnet.
Does anyone know or have the ability to test to see if this is different in 3.0? I'm hopeful that it is, as I can no longer find the old Kbase article saying that it wasn't possible.
Thanks,
Greg
Still no reply as to if this was resolved. I'm not so much worried about the move on the client side. As once we upgrade we have the luxury of upgrading everyone at once. I think that will be a smooth process.
However, our motivation to upgrade is dependent on whether or not the ability to route traffic over multiple subnets is fixed or not. So we'll wait and see. If anyone can easily test this, I'd love to know. Sounds like a few other people are hoping to hear something as well.
Thanks in advance,
Greg