WLC and AP on different subnets

I would like to add a new AP to my existing controller. Currently i have about 15 AP's connected to a seperate mgt vlan for the AP's, vlan 10. It is trunked to the controller as well as the other user vlans like Private, Public, WVoIP etc. I have already started to implement EIGRP network wide instead of having a large layer 2 vlan'd network. At one of the newest locations i'm routing at, i have a new AP to connect. I'm trying to make sure this design will work before i implement it. So, i have a 3560 connected to my core 4506 with a layer 3 connection. EIGRP running as well. I plan to have the 3560 do intervlan routing with a voice vlan, data and wireless. The problem i see is how can i get the AP to talk with the controller since they are on a different subnets, over a metro E "WAN"? Any suggestions would be great.

As long as the LAP's have been primed locally first, that LAP will have the ip address of the WLC. If you want to attach the LAP to a different L3 subnet, then configure ip helper-address using the management ip of each wlc. then configure ip forward-protocol udp 12222 & ip forward-protocol udp 12223 globally on the L3 router. this along with the ip helper, will allow the LAP's to join the WLC on the other end.

Similar Messages

  • Roaming between WLC and vWLC on different code versions

    Hi,
    I have the following setup in our environment, a HA 5508 pair running 7.4.100 and a vWLC running 7.6.130.  I have mobility setup between the two with the control and data path up and running.  All the access points are setup for FlexConnect.
    When I join an SSID using PSK on an AP associated with the vWLC and then roam to an AP on the 5508, I drop a few pings but stay connected no problem.  However when I join an SSID using PEAP (both WLC's using Radius to Cisco ISE 1.2 for this) and repeat the test, my client actually drops my wireless connection and then rejoins.
    Is this expected behaviour when running controllers on different versions?  This is only temporary until I upgrade the 5508 pair.
    Cheers
    Brian

    Oh... Forgot.  With FlexConnect, you also want to create FlexConnect Groups.  See this link:
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_010001111.html
    -Scott

  • Server and router on different subnets

    Hello
    Scenario 1.
    A Server with one NIC assings DHCP addresses within the 192.168.1.x/24 network.
    The internet router is on the 192.168.0.x/24 network.
    How can the DHCP clients can access the Internet?
    If the scenario requires adding another NIC, no problem.
    Thanks
    Kostas B.

    Please explain your network setup further.
    If you really need two subnets you must route between them and that could be achieved with OS X and two network interfaces.
    Also if not using NAT in the server you need a static route in the Internet router pointing back at the second router IP on the same subnet and using that as the gw IP for the second subnet.
    If you want to use VPN later using other network numbers is better.

  • Dhcp: default gateway not added if ip and gateway in different subnets

    Hi! Help needed with Arch's DHCP client. (dhcpcd)
    Assume that ISP leased ip 78.37.180.62/24 and gateway 78.37.0.1
    On my home router when you plug cable, routing table is like this:
    Destination Gateway Genmask Flags Metric Ref Use Iface
    78.37.0.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
    78.37.180.0 0.0.0.0 255.255.255.0 U 202 0 0 eth0
    0.0.0.0 78.37.0.1 0.0.0.0 UG 202 0 0 eth0
    But on Arch it's much tinyer:
    78.37.180.0 * 255.255.255.0 U 202 0 0 eth0
    And no internet for me.
    I've read that before adding a gateway you need to add a route to that gateway or you get an error: SIOCADDRT: No such process.
    I believe this very error is what Arch's dhcp cliet gets when it tries to add the gateway.
    Funny thing is if you manually add the route to the gateway, the gateway is auto-added in 5-10 sec.
    # route add 78.37.0.1/32 dev eth0
    # route -n
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    78.37.0.1 * 255.255.255.255 UH 0 0 0 eth0
    78.37.180.0 * 255.255.255.0 U 202 0 0 eth0
    # route -n
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    78.37.0.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
    78.37.180.0 0.0.0.0 255.255.255.0 U 202 0 0 eth0
    0.0.0.0 78.37.0.1 0.0.0.0 UG 202 0 0 eth0
    Where to dig? Are the routes added by some script that can be modified?
    Last edited by leniviy (2009-05-23 20:22:52)

    also, until correct route is added, someone keeps logging to daemon.log:
    May 23 21:27:22 IL dhcpcd: eth0: add_route: No such process
    May 23 22:33:05 IL dhcpcd: eth0: send_raw_packet: Network is down
    May 23 22:34:54 IL dhcpcd: eth0: add_route: No such process
    May 23 22:35:09 IL dhcpcd: eth0: add_route: No such process
    May 23 22:35:24 IL dhcpcd: eth0: add_route: No such process
    May 23 22:35:39 IL dhcpcd: eth0: add_route: No such process
    May 23 22:35:54 IL dhcpcd: eth0: add_route: No such process
    May 23 22:36:09 IL dhcpcd: eth0: add_route: No such process
    May 23 22:36:24 IL dhcpcd: eth0: add_route: No such process

  • Cucm Pub and Sub in different network

    Can we have CUCM 10.5 publisher and subscriber in different subnets ?

    Yes, as long as there is connectivity, if this is a WAN, make sure enough BW is there.

  • Management and AP Manager on Different Subnets ...

    Hello,
    I am getting ready to implement a WLAN where the customer has designed the Management and AP Manger to be on different subnets.  I have never done a WLAN implementation in this manner because per Cisco's config guide it states ...
    "The AP-manager interface’s IP address must be different from the management interface’s IP address and may or may not be on the same subnet as the management interface. However, Cisco recommends that both interfaces be on the same subnet for optimum access point association."
    So, I have always followed this recommendation and have always made the 2 interfaces be in the same subnet with IP's in sequential order.  The config guide does say it'll work but I am just not sure what if anything do I have to do for this to work properly ... or if there is really a difference on how the process works doing it either way.
    I plan on using LAG with Layer 3 ... most times I place the APs in the same wireless subnet/vlan as the management interface and AP manager but in this case or until I get more info it looks like they all may be in different subnets. So, if that's the case would I just need to use the Option 43 so the APs can find the WLC and if that is the case would I put the AP Manager IP or still use the WLC IP ... guess I would have that same question if I went the DNS route?  Or do I still use the WLC IP address for the APs to join and at that point the AP Manager would take over the LWAPP communications?
    Thanks for all your help in advance!

    You should be using the WLC Management IP as documented in "Cisco 440X Series Wireless LAN Controllers Deployment Guide". Below is quoted from that document.
    "The IP address of the WLC Management Interface should be used for Option 43 and DNS resolution of
    CISCO-LWAPP-CONTROLLER.localdomain." For further information, see the section on "Understanding
    Deployment Basics" beginning on page 13. Detailed information on using vendor specific DHCP Option 43
    for WLC discovery is included in Appendices C, D, and E of this document.
    Also there is no issue having the AP Manager and Management interfaces in different vlans although not recommended, just be sure to allow both vlans across the trunk to the WLC. I would also recommend placing your APs in different vlans than the WLC Mgmt/AP Mgr vlan. Cisco recommends having no more than 60-100 APs per vlan to minimize re-association problems in case of network failure.

  • IP and VIP adresses temporary on different subnets

    I was wondering if it's possible to add a third node temporary on a different subnet ?
    I mean.. now my two nodes have these IP: XXX.XXX.0.5 and XXX.XXX.0.6 , VIP are: XXX.XXX.7.15 and XXX.XXX.7.16
    Is it possible to add a third node with IP YYY.YYY.0.7 and VIP YYY.YYY.7.17 ?
    Of course they can ping each other and successfully use ssh equivalence...
    Thanks.

    Unfortunately not, the nature of the way VIPs work means that that must be on the same subnet throughout the cluster

  • Management and native Vlan in different subnet??

    Can i have a management ip and native vlan in different subnet on a AIR-1242 and 2960 switch?
    Native on Switch = 1.
    Interface vlan 100 = 10.10.1.25X /24
    BVI ip in vlan 100 = 10.10.1.25X /24
    -HM-

    Hi,
    Thanks for the update..
    Ok in short YES this can be done.. here is the AP configuration..
    Step 1>> Configure the SSID and map it with respective Vlans..
    Step 2>> Create the sub interafce int dot11 0.5 / int fa 0.5 (encapsulation dot1q 5 , bridge-group 5)and int dot11 0.6 / int fa 0.6(encapsulation dot1q 6 , bridge-group 6)
    Step 3>> Create the sub interface 0.100 for both Radio and Fa and under this (encapsulation dot1q 100 native , bridge-group 1)
    Step 4>> Make sure all the interafces are up and running and Try to ping the VLAN 100 interafce ip addr from the AP to verify.
    lemme know if this answered your question..
    Regards
    Surendra
    ====
    Please dont forget to rate the posts which answered your question and mark it as answered or was helpfull

  • How to map two different subnets to one SSID

      Hi Experts ,
    we have two offices in same city at different location however we are planning to bring both the office at same location.
    Now lets say site A has controller 5508 configured with 24 AP's with 10.10.10.x subnet for internal SSID and Site B which is shifting to Site A campus has different subnet ( 10.10.20.x )  for same SSID.
    Site B has no controller since they had connection with H-reap and they were using different subnet for internal SSID ( 10.10.20.x ) .....
    Now i need to add their AP's in Site A controller which will be extended wireless LAN however we would like to keep same subnet ( 10.10.20.x )  what Site B has for wireless clients which is really confusing me ....
    I have already client subnet for site A with 10.10.10.x /24 subnet  and nearly 200 users are already using this wireless client subnet....
    How do i add their ( Site B ) subnet / 10.10.20.x  with same SSID configured  which is globally only one SSID  ?
    limitations :
    I can not create new SSID for site B since same will be broadcasting even in Site A AP's
    Is this possible to map one more subnet of site B to existing SSID with already different subnet ( 10.10.10.x ) ?
    Your suggestions will be really helpful for me to go ahead and understand in better manner ...

    Well first off, you need to bring that subnet over to site a without breaking any routing. Once you do that then sites B subnet will have a different vlan than site A of course. Now with both subnets working in site A, you create a dynamic interface on the WLC for that new subnet. Create an AP group for both sites, you can name it by vlan or by any name you want. Now in the ap group for site A, you define what SSID's you want and map the vlan to that ap groups. Then add sites A AP's to that group. You do this also for site B's AP's and map the SSID to the new subnet you brought over and move the AP's to that group. The APs from site B would have to be setup in local mode not hreap.
    Makes sense
    Sent from Cisco Technical Support iPhone App

  • Dynamic VLAN assignment with WLC and ACS for

    Currently, using our autonomous APs and ACS, our users get separate VLANs per building based on their security level (students or staff). Basically, the student VLAN in one building is different from that of the student VLANs in other buildings on campus. Currently, we do this by filling the Tunnel-Private-Group-ID IETF RADIUS attribute with the VLAN name. This all works because each individual AP can map VLAN names to different VLANs like this:
    dot11 vlan-name STUDENT vlan 2903
    dot11 vlan-name FACSTAF vlan 2905
    As we are working on our WiSM deployment, we see that the document below shows how to do the dynamic VLAN assignment on our WLAN controllers:
    http://www.cisco.com/en/US/customer/products/sw/secursw/ps2086/products_configuration_example09186a00808c9bd1.shtml
    However, we haven't figured out if it's possible to still provide our users with different VLANs for each building they're in.
    With the instructions above, it looks like ACS uses a Cisco RADIUS Attribute to indicate the Air-Interface-Name, mapping an ACS/AD group to a single WLC interface which can only have one VLAN/subnet associated with it.
    Does anybody know if what we're trying to accomplish is possible, or if we're really stuck with only one VLAN/subnet per mapped ACS group?

    We only have the one WiSM for all of campus, so it's handling everything. This Cisco docs do indicate how to put differnet users in different Vlans, but we don't currently see a way to also put them in different subnets per building.
    This being the case, any suggestions on how best to handle more than a Class C subnet's worth of users? Should we just subnet larger than Class C, or is there a more elegant way of handling this?

  • Internal DHCP scope for AP on WLC 7.0 (on diff subnet)

    hi All,
    I would like to know if it is possible to assign dhcp pool on a different subnet to the WLC management interface?
    Eg: Management Interface is on 172.16.4.100 /24
    I would like to use the WLC Internal DHCP to assign IP to my APs on the a different range 172.16.2.x /24
    Is that possible?
    I  have tried assigning dhcp scope for the AP within the same subnet as  the management interface and it works. But that is not my requirement
    Apparently i need my AP to be sitting on a different vlan
    please advise

    No its not possible.. this works only if the AP and the WLC management interface is in the same subnet!! to ur issue we use something called as DHCP OPTION 43, google search DHCP OPTION 43 + cisco, the first link that u get wil help you!!
    Please dont forget to rate the usefull posts!!
    Regards
    Surendra

  • Mobility groups, failover across different subnets

    I've been reading up on 5.1 and am wondering how and if actual failover across subnets is an option.
    I understand the roaming of clients from controllers in the same MG on diff subnets.
    How does it work if your primary "anchor" isn't alive to replicate the DB entry to the off-subnet controller? Say if my local WIsm's die and the backup is in the next state, how will the AP's maintain connectivity?
    thanks!

    Yes, but tha ap's will take the new configuration from that WLC. Also... users will get tunneled back to that wlc and be dumped off in that subnet. So make sure you understand the ssid and what ip's clients will get when they associate to different wlc's. That should do it.

  • WLC4402: same VLAN, different subnet - can it work?

    Hi,
    I bumped into a interesting issue with WLC4402. Management interface and prod-interface were in a same vlan, but they have different subnets. It seems that "there are two subnets in a same vlan" - 192.168.66.0/24 is defined as primary network in the router and 192.168.72.0/24 as secondary. See the pic attached.
    At the moment there is v.4.2.176.0 running and it works. When I tried to upgrade it to v.6.0.199.4 something goes wrong. Controller changed prod-interface port to 0 and I can't change it back to 1 or 2. My best quess is that the WLC is not able to handle this kind of setup...but why is it working at the moment??
    Any comments would be most appreciated. Thank you.
    -Petri

    It's actually a wonder/miracle that someone was able to configure this in the first place, to my opinion.
    Maybe it was configured with an old WLC release and survived with the upgrade to 4.2
    For sure, this is definitely something that the WLC now prevents you to configure. It's not supposed to work, just an example, if you get layer 2 traffic on that vlan (arp for example), where to reply ? you can't know from which subnet it comes from. So it basically means that you are bridging the 2 subnets together and then why not just giving them the same vlan id then ? effect would be the same.
    It's anyway going against the linux routing engine, so I'm still wondering how it was working on 4.2
    It was probably bridging vlans and doing some unefficient forwarding without you realizing it. So definitely something you should avoid configuring.

  • ASA 5505: VPN Access to Different Subnets

    Hi All-
    I'm trying to figure out how to configure our ASA so that remote users can have VPN access to two different subnets (office LAN and phone LAN).  Currently, I have 3 VLANs setup -- VLAN 1 (inside), VLAN 2 (outside), VLAN 13 (phone LAN).  Essentially, remote users should be able to access their PC (192.168.1.0 /24) and also access the office phone system (192.168.254.0 /24).  Is this even possible?  Below is the configurations on our ASA,
    Thanks in advance:
    ASA Version 8.2(5)
    names
    name 10.0.1.0 Net-10
    name 20.0.1.0 Net-20
    name 192.168.254.0 phones
    name 192.168.254.250 PBX
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    switchport access vlan 3
    interface Ethernet0/6
    interface Ethernet0/7
    switchport access vlan 13
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.98 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address X.X.139.79 255.255.255.224
    interface Vlan3
    no nameif
    security-level 50
    ip address 192.168.5.1 255.255.255.0
    interface Vlan13
    nameif phones
    security-level 100
    ip address 192.168.254.200 255.255.255.0
    ftp mode passive
    object-group service RDP tcp
    port-object eq 3389
    object-group service DM_INLINE_SERVICE_1
    service-object ip
    service-object tcp eq ssh
    access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 192.168.1.0 255.255.255.0
    access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 phones 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any Net-10 255.255.255.224
    access-list inside_access_in extended permit ip any any
    access-list Split_Tunnel_List standard permit Net-10 255.255.255.224
    access-list phones_nat0_outbound extended permit ip any Net-10 255.255.255.224
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 host Mac any
    pager lines 24
    logging enable
    logging timestamp
    logging monitor errors
    logging history errors
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu phones 1500
    ip local pool SSLClientPool-10 10.0.1.1-10.0.1.20 mask 255.255.255.128
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (inside) 10 interface
    global (outside) 1 interface
    global (phones) 20 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (outside) 10 access-list vpn_nat_inside outside
    nat (phones) 0 access-list phones_nat0_outbound
    nat (phones) 1 0.0.0.0 0.0.0.0
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 X.X.139.65 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication enable console LOCAL
    aaa authentication ssh console LOCAL
    aaa authorization command LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    subject-name CN=pas-asa.null
    keypair pasvpnkey
    crl configure
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 28800
    vpn-sessiondb max-session-limit 10
    telnet timeout 5
    ssh 192.168.1.100 255.255.255.255 inside
    ssh 192.168.1.0 255.255.255.0 inside
    ssh Mac 255.255.255.255 outside
    ssh timeout 60
    console timeout 0
    dhcpd auto_config inside
    dhcpd address 192.168.1.222-192.168.1.223 inside
    dhcpd dns 64.238.96.12 66.180.96.12 interface inside
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
    enable outside
    anyconnect-essentials
    svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
    svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
    svc enable
    tunnel-group-list enable
    group-policy SSLClientPolicy internal
    group-policy SSLClientPolicy attributes
    wins-server none
    dns-server value 64.238.96.12 66.180.96.12
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout none
    vpn-session-timeout none
    ipv6-vpn-filter none
    vpn-tunnel-protocol svc
    group-lock value PAS-SSL-VPN
    default-domain none
    vlan none
    nac-settings none
    webvpn
      svc mtu 1200
      svc keepalive 60
      svc dpd-interval client none
      svc dpd-interval gateway none
      svc compression none
    group-policy DfltGrpPolicy attributes
    dns-server value 64.238.96.12 66.180.96.12
    vpn-tunnel-protocol IPSec svc webvpn
    tunnel-group DefaultRAGroup general-attributes
    address-pool SSLClientPool-10
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *****
    tunnel-group PAS-SSL-VPN type remote-access
    tunnel-group PAS-SSL-VPN general-attributes
    address-pool SSLClientPool-10
    default-group-policy SSLClientPolicy
    tunnel-group PAS-SSL-VPN webvpn-attributes
    group-alias PAS_VPN enable
    group-url https://X.X.139.79/PAS_VPN enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    privilege cmd level 3 mode exec command perfmon
    privilege cmd level 3 mode exec command ping
    privilege cmd level 3 mode exec command who
    privilege cmd level 3 mode exec command logging
    privilege cmd level 3 mode exec command failover
    privilege cmd level 3 mode exec command packet-tracer
    privilege show level 5 mode exec command import
    privilege show level 5 mode exec command running-config
    privilege show level 3 mode exec command reload
    privilege show level 3 mode exec command mode
    privilege show level 3 mode exec command firewall
    privilege show level 3 mode exec command asp
    privilege show level 3 mode exec command cpu
    privilege show level 3 mode exec command interface
    privilege show level 3 mode exec command clock
    privilege show level 3 mode exec command dns-hosts
    privilege show level 3 mode exec command access-list
    privilege show level 3 mode exec command logging
    privilege show level 3 mode exec command vlan
    privilege show level 3 mode exec command ip
    privilege show level 3 mode exec command ipv6
    privilege show level 3 mode exec command failover
    privilege show level 3 mode exec command asdm
    privilege show level 3 mode exec command arp
    privilege show level 3 mode exec command route
    privilege show level 3 mode exec command ospf
    privilege show level 3 mode exec command aaa-server
    privilege show level 3 mode exec command aaa
    privilege show level 3 mode exec command eigrp
    privilege show level 3 mode exec command crypto
    privilege show level 3 mode exec command vpn-sessiondb
    privilege show level 3 mode exec command ssh
    privilege show level 3 mode exec command dhcpd
    privilege show level 3 mode exec command vpnclient
    privilege show level 3 mode exec command vpn
    privilege show level 3 mode exec command blocks
    privilege show level 3 mode exec command wccp
    privilege show level 3 mode exec command dynamic-filter
    privilege show level 3 mode exec command webvpn
    privilege show level 3 mode exec command module
    privilege show level 3 mode exec command uauth
    privilege show level 3 mode exec command compression
    privilege show level 3 mode configure command interface
    privilege show level 3 mode configure command clock
    privilege show level 3 mode configure command access-list
    privilege show level 3 mode configure command logging
    privilege show level 3 mode configure command ip
    privilege show level 3 mode configure command failover
    privilege show level 5 mode configure command asdm
    privilege show level 3 mode configure command arp
    privilege show level 3 mode configure command route
    privilege show level 3 mode configure command aaa-server
    privilege show level 3 mode configure command aaa
    privilege show level 3 mode configure command crypto
    privilege show level 3 mode configure command ssh
    privilege show level 3 mode configure command dhcpd
    privilege show level 5 mode configure command privilege
    privilege clear level 3 mode exec command dns-hosts
    privilege clear level 3 mode exec command logging
    privilege clear level 3 mode exec command arp
    privilege clear level 3 mode exec command aaa-server
    privilege clear level 3 mode exec command crypto
    privilege clear level 3 mode exec command dynamic-filter
    privilege cmd level 3 mode configure command failover
    privilege clear level 3 mode configure command logging
    privilege clear level 3 mode configure command arp
    privilege clear level 3 mode configure command crypto
    privilege clear level 3 mode configure command aaa-server
    prompt hostname context
    no call-home reporting anonymous

    Hi Jouni-
    Yes, with the current configs remote users only have access to the 'inside' LAN (192.168.1.0).  The digital PBX on the 'phone' LAN (192.168.254.0) is not reachable through their VPN session.
    Per you recommendation, I removed the following configs from my ASA:
    global (phones) 20 interface
    ... removing this configuration didn't make a difference -- I was still able to ping the inside LAN, but not the phone LAN.
    global (inside) 10 interface
    nat (outside) 10 access-list vpn_nat_inside outside
    .... removing these two configurations caused the inside LAN to be unreachable.  The phone LAN was not reachable, either.  So, I put the '10' configurations back.
    The ASDM syslog is showing the following when I try to ping the PBX (192.168.254.250) through the VPN session:
    "portmap translation creation failed for icmp src outside:10.0.1.1 dest phones:PBX (type 8, code 0)"
    What do you think?
    Thanks!

  • Can ARD 3 now share a screen across 2 different subnets

    We have one central office. Clients access that office via a VPN. We can then share our screen with them as we work on a proof of a project.
    It's a great solution, however, we can't with ARD 2.2 get it to work with two clients at once over the VPN.
    An old Kbase article said that it wasn't possible to route screen sharing to two different subnets in the 2.2 version. But rather required all clients be on the same subnet.
    Does anyone know or have the ability to test to see if this is different is 3.0. I'm hopeful that it is, as I can no longer find the old Kbase article saying that it wasn't possible.
    Thanks,
    Greg

    Still no reply as to if this was resolved. I'm not so much worried about the move on the client side. As once we upgrade we have the luxury of upgrading everyone at once. I think that will be a smooth process.
    However, our motivation to upgrade is dependant on wether or not the ability to route traffice over multiple subents is fixed or not. So we'll wait and see. If anyone can easily test this. I'd love to know. Sounds like a few other people are hoping to hear something as well.
    Thanks in advance,
    Greg

Maybe you are looking for

  • Is it possible to have PDF and PNG versions of 'same' folio

    Is it possible when copying over the articles to have one folio as PDF and another as PNG? Tried doing this by setting up an alternative folio as PNG and copying across the articles that were created for the original PDF folio, but they still appear

  • Urgent Workflow

    Hi everyone, I have landed a job this Saturday however it is different to what i am use to, i will explain my requirements and hopefully someone here will have the best solution. On Saturday I am going to a cheerleading comp and both myself and anoth

  • User Exit that triggers for Change operation

    Hi All.. I want a user exit which triggers when I enter into an infotype(2001) from tcode PA30. My actual requirement is to show the field REFNR in display mode. By using the exit PBAS0001 exit0001 I can make the field REFNR in displaymode for create

  • Icloud account cannot be used to unlock this iphone

    Hi I previously managed to set-up my iphone then lock it out by entering my passcode incorrectly too many times.  In the end I have to restore the phone via itunes (which took 3 hrs)!. I'm now trying to reset-up the phone, when I turned it on it reme

  • Cannot extract dimension .csv files from HFM to be able to use maploader

    Hi All! We are in the middle of implementing FDM at a financial consolidation project. During this build we would like to use FDM to load HFM with data. To help the users we would like to offer them the Maploader.xml which is provided in the mapping