WRT54G / upgraded firmware, unable to access across subnets
Hi,
I have a network with 10 WRT54G (v6) 's. Recently I upgraded the firmware on two units from 1.00.7 to the latest 1.02.2 and am experiencing some network wierdness.
The wireless routers are connected via the LAN port to a linux router which is a firewall/bridge between subnets 10.1.3.x & 10.1.1.x. I have rules in place to allow my workstation to http to the 10 routers and disallow everything else. All of this is logged.
I cannot from my workstation (10.1.1.x) access the web interface on the two units I upgraded the firmware on 10.1.3.x). I can still access the web interface on the remaining units (10.1.3.x)
I can however access the web interface from the same subnet to the newly upgraded units.
I can see from the firewall log that the packet is making it out correctly and tcpdump verifies this.
Does anybody have a clue what is going on. I feel like it would be best to return to the previous firmware, but where do I find it???
Thanks,
Lee
Hi Lee,
logon to ftp://ftp.linksys.com/pub/network/ and download the previous firmware version and try downgrading the firmware...
Similar Messages
-
Multiple routers and subnets - can't access across subnets
Hey all, I'm having an issue with multiple routers and subnets on my FIOS connection. Here's how everything is setup:
Primary router:
ActionTec MI424WR Rev D (from Verizon)
WAN IP: From ISP
WAN NETMASK: From ISP
LAN IP: 192.168.1.1LAN NETMASK: 255.255.255.0
Secondary router (WAN connected to ActionTec LAN):
Belkin N750 gigabit w/ 802.11n
WAN IP: 192.168.1.2
WAN NETMASK: 255.255.255.0
LAN IP: 192.168.2.1
LAN NETMASK: 255.255.255.0
With this setup, I have the secondary router's WAN port connected to a LAN port on the primary router. Each are broadcasting an SSID and each are running DHCP to assign address to their respective subnets. Everything was well and good, except that I could reach 192.168.1.* systems from 192.168.2.*, but not vice versa -- anything connected to the Primary router was blind to systems connected to Secondary. Also, I could not ping anything on .2 from .1.
So, I added the following static route to the primary router:
DESTINATION: 192.168.2.0
NETMASK: 255.255.255.0
GATEWAY: 192.168.1.2
Once this was added to the router, I could ping everything, so that was good. However, even though .1 can now ping .2, I can't access certain things such as the web interface of my NAS (192.168.2.2). I can ping it, but accessing it in the browser from .1 doesn't work; however, accessing from .2 does work.
I think the ActionTec router might be blocking it, but that's just a guess. The firewall on this thing has me thoroughly confused. Currently, I have 192.168.1.2 in the DMZ on the ActionTec, but that didn't make a difference. I've also completely disabled the firewall on the secondary Belkin router, but still nothing.
Any help from the pros here? Much appreciated!
Solved!
Go to Solution.Ok, I figured it out and everything is now working. The issue appears to be that the ActionTec router doesn't recognize traffic from Subnet 1 to Subnet 2 as internal traffic -- it treats it as external traffic and closes it off. To fix this, it required some Advanced Firewall Filters that were far from unituitive and took a lot of testing to get it just right. If anyone runs into a similar situation in the future, here's a rundown of what I did to make it all work:
Primary Router:
ActionTec, MI424WR Rev D
WAN IP/NETMASK:Assigned by ISP
LAN IP/NETMASK:192.168.1.1 / 255.255.255.0
Secondary Router:
Belkin N750 Gigabit w/ 802.11n
WAN IP/NETMASK:192.168.1.2 / 255.255.255.0
LAN IP/NETMASK:192.168.2.1 / 255.255.255.0
Plug Secondary router's WAN port into a LAN port on the Primary router.
Setup Secondary router to have static LAN address (192.168.1.2)
At this point, you should have 2 separate subnets: Subnet 1 (192.168.1.*) and Subnet 2 (192.168.2.*).
Systems on both subnets should be able to reach the internet. Also, Subnet 2 should be able to ping and reach systems on Subnet 1; however, systems on Subnet 1 should not be able to ping or reach systems on Subnet 2. For this, we need to create a static route so Subnet 1 can reach Subnet 2.
Create and apply the following static route in the Primary router: (Advanced > Routing)
RULE NAME:Network (Home/Office)
DESTINATION:192.168.2.0(your secondary subnet)
GATEWAY:192.168.1.2(secondary router's WAN IP)
NETMASK:255.255.255.0
METRIC:1
The router now has a route between Subnet 1 (192.168.1.*) and Subnet 2 (192.168.2.*). You should be able to ping systems on Subnet 1 from 2, and ping systems on Subnet 2 from 1. You should not be able to access any systems, though -- the firewall is still blocking all but ping traffic from Subnet 1 to Subnet 2. We need to create some firewall rules to allow this communication.
Make sure Primary firewall is set to at least typical/medium (Firewall Settings > General).
We need to create some network objects to make it easier to manage the rules we'll create. Go to Advanced > Network Objects and do the following:
1.Click Add. You are now on Edit Network Object screen.
2.Set Description to 'Subnet 1'.
3.In Items section below, click Add.
4.Set Network Object Type to 'IP Subnet'.
5.Set Subnet IP Address to 192.168.1.0.
6.Set Subnet Mask to 255.255.255.0.
7.Click Apply. You are now back on Edit Network Object screen.
8.Click Apply. You are now back on Network Objects Screen.
9.Repeat the above steps again, but this time creating a second network object called 'Subnet 2':
Nameubnet 2
IP Subnet:192.168.2.0
Subnet Mask:255.255.255.0
Now we create the firewall rules. Go to Firewall Settings > Advanced Filtering.
In the Inbound/Input rules section, click the Add link next to Network (Home/Office) Rules.
Create the following Advanced Filter:
SOURCE ADDRESSelect 'Subnet 1'
DEST. ADDRESSelect 'Subnet 2'
PROTOCOL:'Any'
OPERATION:'Accept Packet'
OCCUR:'Always'
Click Apply. You will now be back on the Advanced Filtering page.
In the Outbound rules section, click the Add link next to Network (Home/Office) Rules.
Create the following Advanced Filter:
SOURCE ADDRESSelect 'Subnet 1'
DEST. ADDRESSelect 'Subnet 2'
PROTOCOL:'Any'
OPERATION:'Accept Packet'
OCCUR:'Always'
Click Apply. You will now be back on the Advanced Filtering page.
Click Apply.
You're all done. You should now have internet access on both subnets, be able to ping across subnets and also be able to access services across subnets (local webservers, SSH, telnet, mail, etc). You will not be able to see network file shares across subnets in Windows, however, as this requires a WINS server (which is well outside the scope of this post). For instance, I have a Western Digital NAS on the 192.168.2.0 subnet that I can access as \\Mybooklive\ from within Subnet 2; on Subnet 1, however, I have to access it by its IP \\192.168.2.10\. -
Unable to access secondary subnet via VPN
I am having a problem with clients accessing a secondary subnet via VPN.
Clients on VPN are given the address on the 192.168.15.0 subnet. Once connected they can access 192.168.16.0 (Production subnet) fine, but are unable to access the 192.168.8.0 secondary subnet. If you are on the 192.168.16.0 subnet in the office you can access 192.168.8.0 subnet fine. The traffic is coming in via an ASA 5510 then traverses a Juniper firewall and a MPLS router to the secondary subnet. I'm not sure if it's a nat issue or not. Any help would be helpful.
Below is the config of the ASA. Thank you in advance
ASA Version 8.2(5)
hostname charlotte
domain-name tg.local
enable password v4DuEgO1ZTlkUiaA encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.254.0 Peak10 description Peak10
name 192.168.116.0 Charlotte_Phones description Charlotte_Phones
name 192.168.15.0 Charlotte_SSL_VPN_Clients description Charlotte_SSL_VPN_Client s
name 192.168.17.0 Charlotte_Wireless_Data description Charlotte_Wireless_Data
name 192.168.117.0 Charlotte_Wireless_Phones description Charlotte_Wireless_Phon es
name 192.168.5.0 Huntersville description Huntersville
name 192.168.16.1 SRX_Gateway description Juniper_SRX
name 192.168.108.0 Canton_Data description Canton_Data
name 192.168.8.0 Canton_Phones description Canton_Phones
name 192.168.9.0 Canton_Wireless_Data description Canton_Wireless_Data
name 192.168.109.0 Canton_Wireless_Phones description Canton_Wireless_Phones
name 192.168.16.4 TEST_IP description TEST_IP
name 192.168.16.2 CantonGW description Canton GW 192.168.16.2
name 192.168.5.1 HuntersvilleGW
name 10.176.0.0 RS_Cloud description 10.176.0.0/12
name 172.16.8.0 RS_172.16.8.0
name 172.16.48.0 RS_172.16.48.0
name 172.16.52.0 RS_172.16.52.0
name 10.208.0.0 RS_Cloud_New
name 10.178.0.0 RS_10.178.0.0 description Rackspace DEV servers
name 10.178.0.6 RS_10.178.0.6
name 172.16.20.0 RS_172.16.20.0
interface Ethernet0/0
nameif Outside
security-level 0
ip address 70.63.165.219 255.255.255.248
interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.16.202 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
banner login ASA Login - Unauthorized access is prohibited
banner login ASA Login - Unauthorized access is prohibited
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Outside
dns domain-lookup Inside
dns domain-lookup management
dns server-group DefaultDNS
name-server 192.168.16.122
name-server 8.8.8.8
domain-name tg.local
dns server-group defaultdns
name-server 192.168.16.122
domain-name tg.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_2
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object Canton_Phones 255.255.255.0
object-group network DM_INLINE_NETWORK_3
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object Huntersville 255.255.255.0
object-group network DM_INLINE_NETWORK_4
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object Huntersville 255.255.255.0
object-group network DM_INLINE_NETWORK_10
network-object RS_Cloud 255.240.0.0
network-object 172.16.0.0 255.255.252.0
network-object RS_172.16.8.0 255.255.252.0
network-object RS_172.16.48.0 255.255.252.0
network-object RS_172.16.52.0 255.255.252.0
network-object RS_Cloud_New 255.240.0.0
network-object RS_10.178.0.0 255.255.0.0
network-object RS_172.16.20.0 255.255.252.0
network-object 172.16.0.0 255.255.0.0
network-object Canton_Phones 255.255.255.0
object-group network DM_INLINE_NETWORK_7
network-object RS_Cloud 255.240.0.0
network-object 172.16.0.0 255.255.252.0
network-object RS_172.16.8.0 255.255.252.0
network-object RS_172.16.48.0 255.255.240.0
network-object RS_172.16.52.0 255.255.252.0
network-object RS_Cloud_New 255.240.0.0
network-object RS_10.178.0.0 255.255.0.0
network-object RS_172.16.20.0 255.255.252.0
network-object 172.16.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_8
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object Charlotte_Wireless_Data 255.255.255.0
network-object Canton_Data 255.255.255.0
network-object Canton_Phones 255.255.255.0
object-group network DM_INLINE_NETWORK_9
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object Charlotte_Wireless_Data 255.255.255.0
network-object Canton_Data 255.255.255.0
network-object Canton_Phones 255.255.255.0
object-group network DM_INLINE_NETWORK_11
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object Charlotte_Wireless_Data 255.255.255.0
object-group network DM_INLINE_NETWORK_12
network-object RS_Cloud 255.240.0.0
network-object 172.16.0.0 255.255.252.0
network-object RS_172.16.8.0 255.255.252.0
network-object RS_172.16.20.0 255.255.252.0
network-object 172.16.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_13
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object Charlotte_Wireless_Data 255.255.255.0
network-object Canton_Phones 255.255.255.0
network-object Canton_Data 255.255.255.0
network-object Canton_Wireless_Data 255.255.255.0
object-group network DM_INLINE_NETWORK_14
network-object RS_Cloud 255.240.0.0
network-object RS_172.16.48.0 255.255.252.0
network-object RS_172.16.52.0 255.255.252.0
network-object RS_Cloud_New 255.240.0.0
network-object RS_10.178.0.0 255.255.0.0
network-object RS_172.16.20.0 255.255.252.0
network-object 172.16.0.0 255.255.0.0
network-object 172.16.0.0 255.255.252.0
object-group network DM_INLINE_NETWORK_5
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object Charlotte_Wireless_Data 255.255.255.0
network-object Canton_Phones 255.255.255.0
network-object Canton_Data 255.255.255.0
network-object Canton_Wireless_Data 255.255.255.0
object-group network DM_INLINE_NETWORK_6
network-object RS_Cloud 255.240.0.0
network-object RS_Cloud_New 255.240.0.0
network-object 172.16.0.0 255.255.252.0
network-object RS_172.16.8.0 255.255.252.0
network-object RS_172.16.20.0 255.255.252.0
network-object 172.16.0.0 255.255.0.0
network-object Canton_Phones 255.255.255.0
object-group network tgnc074.tg.local
object-group icmp-type DM_INLINE_ICMP_1
icmp-object echo
icmp-object echo-reply
icmp-object traceroute
icmp-object unreachable
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp eq https
object-group icmp-type DM_INLINE_ICMP_2
icmp-object echo
icmp-object echo-reply
icmp-object traceroute
icmp-object unreachable
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
object-group service DM_INLINE_SERVICE_3
service-object ip
service-object icmp echo
service-object icmp echo-reply
object-group network DM_INLINE_NETWORK_1
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
object-group service DM_INLINE_SERVICE_4
service-object ip
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
object-group service DM_INLINE_SERVICE_5
service-object ip
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
object-group network DM_INLINE_NETWORK_15
network-object Canton_Data 255.255.255.0
network-object host CantonGW
object-group service DM_INLINE_SERVICE_6
service-object ip
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
object-group service DM_INLINE_SERVICE_7
service-object ip
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_2 Ch arlotte_SSL_VPN_Clients 255.255.255.0 any
access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_5 ho st SRX_Gateway Charlotte_SSL_VPN_Clients 255.255.255.0
access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_7 Ch arlotte_SSL_VPN_Clients 255.255.255.0 host SRX_Gateway
access-list Inside_access_in extended permit icmp any any object-group DM_INLINE _ICMP_1
access-list Inside_access_in remark Permit all in Char_ORD_VPN
access-list Inside_access_in extended permit ip object-group DM_INLINE_NETWORK_7 object-group DM_INLINE_NETWORK_8
access-list Inside_access_in remark Permit all out Char_ORD_VPN
access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_1 ob ject-group DM_INLINE_NETWORK_9 object-group DM_INLINE_NETWORK_10
access-list Inside_access_in extended permit ip Charlotte_SSL_VPN_Clients 255.25 5.255.0 any
access-list Inside_access_in remark Permit all in Char_ORD_VPN
access-list Inside_access_in remark Permit all out Char_ORD_VPN
access-list Inside_access_in extended permit ip object-group DM_INLINE_NETWORK_9 object-group DM_INLINE_NETWORK_10 log disable
access-list Tunneled_Network_List standard permit 192.168.16.0 255.255.255.0
access-list Tunneled_Network_List standard permit Charlotte_Phones 255.255.255.0
access-list Tunneled_Network_List standard permit Charlotte_Wireless_Data 255.25 5.255.0
access-list Tunneled_Network_List standard permit Charlotte_Wireless_Phones 255. 255.255.0
access-list Tunneled_Network_List standard permit Peak10 255.255.255.0
access-list Tunneled_Network_List standard permit Canton_Data 255.255.255.0
access-list Tunneled_Network_List standard permit Canton_Phones 255.255.255.0
access-list Tunneled_Network_List standard permit Canton_Wireless_Data 255.255.2 55.0
access-list Tunneled_Network_List standard permit Canton_Wireless_Phones 255.255 .255.0
access-list Tunneled_Network_List standard permit Huntersville 255.255.255.0
access-list Tunneled_Network_List standard permit 172.16.0.0 255.255.252.0
access-list Tunneled_Network_List standard permit RS_172.16.8.0 255.255.252.0
access-list Tunneled_Network_List standard permit RS_Cloud 255.240.0.0
access-list Tunneled_Network_List standard permit RS_Cloud_New 255.240.0.0
access-list Tunneled_Network_List standard permit RS_172.16.20.0 255.255.252.0
access-list Tunneled_Network_List standard permit Charlotte_SSL_VPN_Clients 255. 255.255.0
access-list Tunneled_Network_List standard permit 172.16.0.0 255.255.0.0
access-list Inside_nat0_outbound extended permit ip Charlotte_SSL_VPN_Clients 25 5.255.255.0 object-group DM_INLINE_NETWORK_2
access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWO RK_11 object-group DM_INLINE_NETWORK_12
access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWO RK_5 object-group DM_INLINE_NETWORK_6
access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWO RK_1 object-group DM_INLINE_NETWORK_2
access-list Limited_Access extended permit ip Charlotte_SSL_VPN_Clients 255.255. 255.0 host TEST_IP
access-list Limited__VPN_Acccess_List standard permit host 192.168.16.123
access-list Limited__VPN_Acccess_List standard permit Huntersville 255.255.255.0
access-list Limited__VPN_Acccess_List standard permit host 192.168.16.124
access-list Limited__VPN_Acccess_List standard permit 192.168.16.0 255.255.255.0
access-list Limited__VPN_Acccess_List standard permit host 172.16.8.52
access-list Limited__VPN_Acccess_List standard permit Canton_Phones 255.255.255. 0
access-list Limited__VPN_Acccess_List remark ORD-VM-DEV1
access-list Limited__VPN_Acccess_List standard permit host RS_10.178.0.6
access-list Limited__VPN_Acccess_List remark ORD-VM-DEV2
access-list Limited__VPN_Acccess_List standard permit host 10.178.192.103
access-list Limited__VPN_Acccess_List standard permit host 192.168.8.10
access-list Limited__VPN_Acccess_List standard permit RS_172.16.8.0 255.255.252. 0
access-list Limited__VPN_Acccess_List standard permit 172.16.0.0 255.255.0.0
access-list Limited__VPN_Acccess_List standard permit host 10.178.133.26
access-list Limited__VPN_Acccess_List standard permit RS_Cloud_New 255.240.0.0
access-list Limited__VPN_Acccess_List standard permit host CantonGW
access-list Limited__VPN_Acccess_List standard permit host SRX_Gateway
access-list Limited__VPN_Acccess_List standard permit host 192.168.8.1
access-list Limited__VPN_Acccess_List standard permit RS_Cloud 255.240.0.0
access-list Limited__VPN_Acccess_List standard permit any
access-list Limited__VPN_Acccess_List remark TGTFS
access-list Limited__VPN_Acccess_List remark TGDEV
access-list Limited__VPN_Acccess_List remark TGTFS
access-list Limited__VPN_Acccess_List remark TGDEV
access-list Outside_cryptomap extended permit ip 192.168.16.0 255.255.255.0 Huntersville 255.255.255.0
access-list Outside_cryptomap extended permit ip Huntersville 255.255.255.0 Charlotte_SSL_VPN_Clients 255.255.255.0
access-list Huntersville_nat_outbound extended permit ip Charlotte_SSL_VPN_Clients 255.255.255.0 Huntersville 255.255.255.0
access-list Huntersville_nat_outbound extended permit ip Huntersville 255.255.255.0 Charlotte_SSL_VPN_Clients 255.255.255.0
access-list Huntersville_nat_outbound extended permit ip Canton_Phones 255.255.255.0 Charlotte_SSL_VPN_Clients 255.255.255.0
access-list Huntersville_nat_outbound extended permit ip Charlotte_SSL_VPN_Clients 255.255.255.0 Canton_Phones 255.255.255.0
access-list Outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6
access-list Outside_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_13 object-group DM_INLINE_NETWORK_14
access-list Outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_2 log disable
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any Charlotte_SSL_VPN_Clients 255.255.255.0
access-list Outside_access_in extended permit ip Huntersville 255.255.255.0 any log disable
access-list Outside_access_in extended permit ip Charlotte_SSL_VPN_Clients 255.255.255.0 any log disable
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_4 host SRX_Gateway Charlotte_SSL_VPN_Clients 255.255.255.0 inactive
access-list Outside_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6
access-list Outside_cryptomap_2 extended permit ip 192.168.16.0 255.255.255.0 RS_172.16.20.0 255.255.252.0
access-list Canton_nat_outbound extended permit object-group DM_INLINE_SERVICE_6 Charlotte_SSL_VPN_Clients 255.255.255.0 object-group DM_INLINE_NETWORK_15
access-list splitacl standard permit 192.168.16.0 255.255.255.0
pager lines 24
logging enable
logging console emergencies
logging monitor informational
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool SSL_VPN_Pool 192.168.15.10-192.168.15.254 mask 255.255.255.0
ip local pool New_VPN_Pool 192.168.16.50-192.168.16.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Inside
no asdm history enable
arp timeout 14400
nat (Outside) 0 access-list Huntersville_nat_outbound
nat (Inside) 0 access-list Inside_nat0_outbound
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 70.63.165.217 1
route Inside Canton_Phones 255.255.255.0 CantonGW 1
route Inside Canton_Wireless_Data 255.255.255.0 CantonGW 1
route Inside Charlotte_SSL_VPN_Clients 255.255.255.0 SRX_Gateway 1
route Inside Charlotte_Wireless_Data 255.255.255.0 SRX_Gateway 1
route Inside Canton_Data 255.255.255.0 CantonGW 1
route Inside Canton_Wireless_Phones 255.255.255.0 CantonGW 1
route Inside Charlotte_Phones 255.255.255.0 SRX_Gateway 1
route Inside 192.168.116.219 255.255.255.255 CantonGW 1
route Inside Charlotte_Wireless_Phones 255.255.255.0 SRX_Gateway 1
route Inside Peak10 255.255.255.0 SRX_Gateway 1
timeout xlate 3:00:00
timeout conn 8:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record TGAD_AccessPolicy
aaa-server TGAD protocol ldap
aaa-server TGAD (Inside) host 192.168.16.122
ldap-base-dn DC=tg,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=vpn user,CN=Users,DC=tg,DC=local
server-type microsoft
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa local authentication attempts max-fail 10
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.16.0 255.255.255.0 Inside
http Charlotte_SSL_VPN_Clients 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map0 1 match address Outside_cryptomap
crypto map Outside_map0 1 set pfs
crypto map Outside_map0 1 set peer 74.218.175.168
crypto map Outside_map0 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map0 2 match address Outside_cryptomap_2
crypto map Outside_map0 2 set peer 192.237.229.119
crypto map Outside_map0 2 set transform-set ESP-3DES-MD5
crypto map Outside_map0 3 match address Outside_cryptomap_1
crypto map Outside_map0 3 set peer 174.143.192.65
crypto map Outside_map0 3 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map0 interface Outside
crypto map Inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Inside_map interface Inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=charlotte
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
subject-name CN=charlotte
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint1
certificate 48676150
3082024c 308201b5 a0030201 02020448 67615030 0d06092a 864886f7 0d010105
05003038 31123010 06035504 03130963 6861726c 6f747465 31223020 06092a86
4886f70d 01090216 13636861 726c6f74 74652e74 68696e6b 67617465 301e170d
31323039 32353038 31373333 5a170d32 32303932 33303831 3733335a 30383112
30100603 55040313 09636861 726c6f74 74653122 30200609 2a864886 f70d0109
02161363 6861726c 6f747465 2e746869 6e6b6761 74653081 9f300d06 092a8648
86f70d01 01010500 03818d00 30818902 8181008e d3e1ac63 a8a39dab 02170491
2bf104d2 732c7fd7 7065758b 03bb9772 c8ab9faf 0e5e9e93 bfb57eea a849c875
7899d261 8d426c37 9749d3d7 c86ca8e0 1d978069 3d43e7c5 569bb738 37e9bb31
0ebd5065 01eb7a05 87933d2d 786a722e 8eee16e7 3207510b f5e7e704 cbddbda2
a6b9ae45 efaba898 b8c921b6 2b05c0fb 1b0a9b02 03010001 a3633061 300f0603
551d1301 01ff0405 30030101 ff300e06 03551d0f 0101ff04 04030201 86301f06
03551d23 04183016 8014fb93 35da7dd5 15d8e2ad 8e05ccf7 b5c333cc 95ac301d
0603551d 0e041604 14fb9335 da7dd515 d8e2ad8e 05ccf7b5 c333cc95 ac300d06
092a8648 86f70d01 01050500 03818100 6851ae52 5383c6f6 9e3ea714 85b2c5a0
fd720959 a0b91899 806bad7a 08e2208e de22cad0 6692b09a 7152b21e 3bbfce68
cc9f1391 8c460a04 a15e1a9e b18f829d 6d42d9bd ed5346bd 73a402f7 21e0c746
02757fb6 b60405a9 ac3b9070 8c0f2fba d12f157b 85dd0a8b 2e9cf830 90a19412
c7af1667 37b5ed8e c023ea4d 0c434609
quit
crypto isakmp enable Outside
crypto isakmp enable Inside
crypto isakmp policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 170
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 5
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh 172.221.228.164 255.255.255.255 Outside
ssh Charlotte_SSL_VPN_Clients 255.255.255.0 Inside
ssh 192.168.16.0 255.255.255.0 Inside
ssh timeout 5
console timeout 0
management-access Inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint1 Outside
webvpn
enable Outside
enable Inside
anyconnect-essentials
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1 regex "Windows NT"
svc enable
group-policy DfltGrpPolicy attributes
dns-server value 192.168.16.122 8.8.8.8
vpn-idle-timeout none
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Limited__VPN_Acccess_List
default-domain value tg.local
split-dns value tg.local
group-policy LimitedAccessGroupPolicy internal
group-policy LimitedAccessGroupPolicy attributes
wins-server none
dns-server value 192.168.16.122 8.8.8.8
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Limited__VPN_Acccess_List
default-domain value thinkgate.local
split-tunnel-all-dns disable
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
vpn-tunnel-protocol IPSec
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
wins-server none
dns-server value 192.168.16.122 8.8.8.8
vpn-tunnel-protocol svc
default-domain value tg.local
group-policy Site-to-Site_Policy internal
group-policy Site-to-Site_Policy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
default-group-policy LimitedAccessGroupPolicy
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool SSL_VPN_Pool
tunnel-group LimitedAccessTunnelGroup type remote-access
tunnel-group LimitedAccessTunnelGroup general-attributes
address-pool SSL_VPN_Pool
default-group-policy LimitedAccessGroupPolicy
tunnel-group 208.104.76.178 type ipsec-l2l
tunnel-group 208.104.76.178 ipsec-attributes
pre-shared-key *****
tunnel-group 74.218.175.168 type ipsec-l2l
tunnel-group 74.218.175.168 ipsec-attributes
pre-shared-key *****
tunnel-group TGAD_ConnectionProfile type remote-access
tunnel-group TGAD_ConnectionProfile general-attributes
authentication-server-group TGAD
default-group-policy GroupPolicy1
tunnel-group 174.143.192.65 type ipsec-l2l
tunnel-group 174.143.192.65 general-attributes
default-group-policy GroupPolicy2
tunnel-group 174.143.192.65 ipsec-attributes
pre-shared-key *****
tunnel-group 192.237.229.119 type ipsec-l2l
tunnel-group 192.237.229.119 ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:ef741b4905b43dc36d0f621e06508840
: end
charlotte#What does the packet-tracer say, what does the IPsec associations say (packets encrypted/decrypted)?
This might be faster that going through your hundreds of lines of config. -
hi
i have a solaris system
hostname sun
router (IP) 10.xx.xx.1
IP 10.xx.xx.20
network id 10.xx.xx.0
mask 255.255.255.0
where problem is
i can't ping from solaris machine(sun) to any PC across the subnet ( with IP as well as name).
resolution
--> /etc/defaultrouter is in order
--> network card is properly setup and running
--> can ping any system on local subnet including router(with IP ! DNS is across the subnet).
--> can ping from other PC's(win) on same subnet to systems across subnet using same default gateway settings
( that is routing settings at router are okay) .
--> netstat -r (shows following output )
sun% netstat -r
Routing Table:
Destination Gateway Flags Ref Use Interface
10.xx.xx.0 sun U 3 2460 hme0
224.0.0.0 sun U 3 0 hme0
default 10.xx.xx.1 UG 0 37756
localhost localhost UH 0 6502 lo0
sun%
--> /etc/netmasks
10.0.0.0 255.255.255.0
--> it takes unreasonably long time to set default interface for multicast during boot.
any suggestions where the problem could be.
thnx
garryHi garry
Yes you cannot ping with name unless you dont include that system's name and ip in the host file.
Due to the following reasons, you cannot ping ip across the subnet :
1. The pinging ip may be in a different vlan for which you dont have any access.
2. The default gatway has to be added which is accessable to other subnet also.
To over come your problem :
sample diagram of your problem
sub net 1- - - - - - - - - - - - - - - -
you are here |
sub net 2 - - - - - - - - - - - - route - - - - -dns / internet
|
sub net 3- - - - - - - - - - - - - - - -
is this n/w diag ok.
still you have any problem check the ACL of the router.
Regards
Sridhar M -
Unable to access secondary subnet from VPN client
Please can someone help with the following; I have an ASA 5510 running v8.4(3)9 and have setup a remote user VPN using the Cisco VPN client v5.0.07.0410 which is working appart from the fact that I cannot access resources on a secondary subnet.
The setup is as follows:
ASA inside interface on 192.168.10.240
VPN clients on 192.168.254.x
I can access reources on the 192.168.10 subnet but not any other subnets internally, I need to specifically allow access to the 192.168.20 subnet, but I cannot figure out how to do this please advise, the config is below: -
Result of the command: "show startup-config"
ASA Version 8.4(3)9
hostname blank
domain-name
enable password encrypted
passwd encrypted
names
dns-guard
interface Ethernet0/0
nameif outside
security-level 0
ip address 255.255.255.224
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.240 255.255.255.0
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 10.10.10.253 255.255.255.0
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
boot system disk0:/asa843-9-k8.bin
boot system disk0:/asa823-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 194.168.4.123
name-server 194.168.8.123
domain-name nifcoeu.com
object network obj-192.168.0.0
subnet 192.168.0.0 255.255.255.0
object network obj-192.168.5.0
subnet 192.168.5.0 255.255.255.0
object network obj-192.168.10.0
subnet 192.168.10.0 255.255.255.0
object network obj-192.168.100.0
subnet 192.168.100.0 255.255.255.0
object network obj-192.168.254.0
subnet 192.168.254.0 255.255.255.0
object network obj-192.168.20.1
host 192.168.20.1
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj_any-01
subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
host 0.0.0.0
object network obj_any-02
subnet 0.0.0.0 0.0.0.0
object network obj-10.10.10.1
host 10.10.10.1
object network obj_any-03
subnet 0.0.0.0 0.0.0.0
object network obj_any-04
subnet 0.0.0.0 0.0.0.0
object network obj_any-05
subnet 0.0.0.0 0.0.0.0
object network NS1000_EXT
host 80.4.146.133
object network NS1000_INT
host 192.168.20.1
object network SIP_REGISTRAR
host 83.245.6.81
object service SIP_INIT_TCP
service tcp destination eq sip
object service SIP_INIT_UDP
service udp destination eq sip
object network NS1000_DSP
host 192.168.20.2
object network SIP_VOICE_CHANNEL
host 83.245.6.82
object service DSP_UDP
service udp destination range 6000 40000
object service DSP_TCP
service tcp destination range 6000 40000
object network 20_range_subnet
subnet 192.168.20.0 255.255.255.0
description Voice subnet
object network 25_range_Subnet
subnet 192.168.25.0 255.255.255.0
description VLAN 25 client PC devices
object-group network ISP_NAT
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service SIP_INIT tcp-udp
port-object eq sip
object-group service DSP_TCP_UDP tcp-udp
port-object range 6000 40000
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object 20_range_subnet 192.168.254.0 255.255.255.0
access-list Remote-VPN_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list Remote-VPN_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
access-list 100 extended permit object-group TCPUDP object SIP_REGISTRAR object NS1000_INT object-group SIP_INIT
access-list 100 extended permit object-group TCPUDP object SIP_VOICE_CHANNEL object NS1000_DSP object-group DSP_TCP_UDP
access-list 100 extended permit ip 62.255.171.0 255.255.255.224 any
access-list 100 extended permit icmp any any echo-reply inactive
access-list 100 extended permit icmp any any time-exceeded inactive
access-list 100 extended permit icmp any any unreachable inactive
access-list 100 extended permit tcp any host 10.10.10.1 eq ftp
access-list 100 extended permit tcp any host 10.10.10.1 eq ftp-data
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
ip local pool VPN-Pool 192.168.254.1-192.168.254.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
asdm history enable
arp timeout 14400
nat (inside,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.5.0 obj-192.168.5.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.100.0 obj-192.168.100.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.254.0 obj-192.168.254.0 no-proxy-arp route-lookup
nat (outside,inside) source static SIP_REGISTRAR SIP_REGISTRAR destination static interface NS1000_INT service SIP_INIT_TCP SIP_INIT_TCP
nat (outside,inside) source static SIP_REGISTRAR SIP_REGISTRAR destination static interface NS1000_INT service SIP_INIT_UDP SIP_INIT_UDP
object network obj_any
nat (inside,outside) dynamic interface
object network obj_any-01
nat (inside,outside) dynamic obj-0.0.0.0
object network obj_any-02
nat (inside,DMZ) dynamic obj-0.0.0.0
object network obj-10.10.10.1
nat (DMZ,outside) static 80.4.146.134
object network obj_any-03
nat (DMZ,outside) dynamic obj-0.0.0.0
object network obj_any-04
nat (management,outside) dynamic obj-0.0.0.0
object network obj_any-05
nat (management,DMZ) dynamic obj-0.0.0.0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 80.4.146.129 1
route inside 192.168.20.0 255.255.255.0 192.168.10.254 1
route inside 192.168.25.0 255.255.255.0 192.168.10.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.10.0 255.255.255.0 inside
http 192.168.25.0 255.255.255.0 inside
http 62.255.171.0 255.255.255.224 outside
http 192.168.254.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=
crl configure
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 2f0e024d
quit
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
quit
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh 62.255.171.0 255.255.255.224 outside
ssh 192.168.254.0 255.255.255.0 outside
ssh 192.168.10.0 255.255.255.0 inside
ssh 192.168.25.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
vpn-sessiondb max-other-vpn-limit 250
vpn-sessiondb max-anyconnect-premium-or-essentials-limit 2
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.10.6 source inside prefer
webvpn
group-policy Remote-VPN internal
group-policy Remote-VPN attributes
wins-server value 192.168.10.21 192.168.10.22
dns-server value 192.168.10.21 192.168.10.22
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Remote-VPN_splitTunnelAcl
default-domain value
username blank password blank encrypted privilege 0
username blank attributes
vpn-group-policy Remote-VPN
username blank password encrypted privilege 0
username blank attributes
vpn-group-policy Remote-VPN
tunnel-group Remote-VPN type remote-access
tunnel-group Remote-VPN general-attributes
address-pool VPN-Pool
default-group-policy Remote-VPN
tunnel-group Remote-VPN ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
inspect sip
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
contact-email-addr
profile CiscoTAC-1
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:b8263c5aa7a6a4d9cb08368c042ea236Your config was missing a no-nat between your "192.168.20.0" and "obj-192.168.254.0"
So, if you look at your config there is a no-nat for inside subnet "obj-192.168.10.0" as shown below.
nat (inside,any) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.254.0 obj-192.168.254.0
So all you have to do is create a no-nat for your second subnet, like I showed you before, the solution was already there on your config but I guess you over looked at it.
I hope that helps.
Thanks
Rizwan Rafeek -
Wrt54g ver5, unable to access the config pages
wrt54g ver5
firmware ver 1.02.5
i am unable to access the internal web pages on wrt54g ver 5
can access the internet fine. it seems to be a memory corruption problem
i has been doing more and more timesSince the router works, it is doubtful (but still possible) that the firmware is corrupted. More likely there is another explanation for your problem. Here are my tips for viewing your router's web pages:
You do not need an Internet connection. The router's "web pages" are built into the router.
Use Internet Explorer, it usually works.
JavaScript must be enabled.
Use a computer that is wired to the router.
In the non-working computer, temporarily turn off your software firewall.
Point your browser to 192.168.1.1 , then login to your router. Your user name should be left blank. Your password is "admin" (with no quotes), unless you changed it.
If you are using Zone Alarm, right click on the ZA icon in the system tray (lower right corner of screen) and then click "Shutdown ZoneAlarm", and see if this fixes your problem. If this does not work, try the following with Zone Alarm: Open the ZAISS control center, go to Privacy, then temporarily turn off Ad Blocking and Cookie Control, and see if that fixes your problem.
Some Zone Alarm users have reported that adding 192.168.1.1 to their list of "trusted" addresses fixed the problem. This trick might also work with other firewalls.
If you are using Noton Internet Security with the Add-on Pack, be sure to turn off the Pop-up Blocker, and the Ad blocker. Some users have reported that they needed to uninstall the entire Norton Add-on Pack.
If you cannot get anything at 192.168.1.1 then perhaps this is not your router's address. Go to "Start" > All Programs > Accessories > Command Prompt.
A black DOS box will appear. Type in "ipconfig" (with no quotes), then hit the Enter key. Look at the "Default Gateway". Is it 192.168.1.1 ? Point your browser to the "Default Gateway", then login to your router.
If the above fails, disconnect your modem from the router, and try again. If this corrects your problem, then most likely you have a "modem-router" rather than an ordinary modem. Report back with this problem, and also state the make and exact model number of your modem (not the router).
If all of the above fails, power down your entire system, unplug it from the wall, wait one minute, then power up and try again.
If all of the above tips fail, then reset the router to factory defaults: Power down the router and disconnect all wires from it. Wait one minute. Power up the router, allow it to fully boot (1-2 minutes), then press and hold the reset button for 30 seconds, then release the button and allow the router to reset and reboot ( 2-3 minutes). Power down router. Wait one minute. Connect one computer, by wire, to a LAN port on the router. Boot up system. It should work.
If you still have trouble, then you need to download and install (or re-install) the latest firmware for your router. After the firmware upgrade, you must reset the router to factory defaults, then setup the router again from scratch. If you saved a router configuration file, DO NOT use it. -
Unable to wake emacs across subnets
We have several emac labs w/ ard active on them, however, we are unable to wake them up from our central office location. If the client is available we can observe, control and just about anything else we need to do to them. Our biggest issue is that we can't wake them up across subnets. We also have a mini running server 10.4.7 as a task server out there...any ideas
First, make sure that "wake on network administrator access" is active in the Energy Saver -> Options on your clients.
If it is, try WakeOnLan or WakeOnMac and see if either of those work. If those don't work either, then the routers on your network are probably not correctly passing the necessary packet.
Hope this helps. -
WRT54G V8 firmware upgrade, easylink issue
I was having the typical dropped connection issues that these routers seem to be famous for (WRT54G). The easylink application was installed and working. I upgraded firmware to the newly released 8.00.4. After the firmware upgrade the easylink app. still worked for all functions except for setting wireless security. For that, any changes had to be input manually through the web based utility or whatever it is called (inputting 162.198.1.1) in the adress bar.
I had a software conflict and had to uninstall the Easylink advisor software and then reinstall it. After reinstalling, the easylink will not recognize the router at all. Message states something to the effect that the router is either an old Linksys not supported by easylink or another brand. I know this has to be because the easylink has not been updated to work with the new version of the firmware.
Is there any way to get the Easylink advisor to recognize the router with the new firmware?
Or, is there a link to the previous firmware version so that I can flash the router with the previous version? Then I could get the easylink to recognize the router again and will only lose security access after I re-flash with the new firmware.
Or, is there anything else I can do to get the easylink advisor software to recognize the Router with the new Firmware installed?
ThanksThe Easy Link firmware should connects using the new firmware ....
Reset the router for few seconds ,.......After reset disable all firewall & run Easy link tool .....
It will work ..... -
I upgraded to iOS7 without incident and all has been functioning fine. However, today I am unable to access anything that requires connection. Wifi is strong, and working fine on other devices. Any suggestions?
Hi there,
You mentioned that you have tried a few troubleshooting steps already, but you may want to take a look at the article below, specifically the section titled "If you are unable to access the Internet while connected to a Wi-Fi network"
iOS: Troubleshooting Wi-Fi networks and connections
http://support.apple.com/kb/ts1398
Hope that helps,
Griff W. -
Unable to access application set in admin console after upgrade to 7.0 M
Hi Experts
I am unable to access the Application Set through BPC Administration after upgrading our development server to version 7.0 SP3. I followed the instructions as per the Upgrade guide, and there was no issues during the installation. But when trying to access the application set i receive the following error message on step 9 ( 9/10) of during the connection.
Error message: Subquery returned more than 1 value. This is not
permitted when the subquery follows =, !=, <, <= , >, >= or when the
subquery is used as an expression.
I have done all of the steps outlined as per SAP Note 1242962, but i still receive the error message. I tried to do a SQL Profiler trace, but i have been unable to find the query which returns more than one record.
Any help is appreciated
Kind Regards
DanielInteresting that you ask about upgrade vs uninstall/reinstall.
We were running BPC 5.1
We have also re-installed the Admin client to be the new version.
We have been working with an outside consulting firm to manage our system upgrade/install.
Our dev and qa environments were uninstalled then reinstalled.
When we went to production, our system was intially upgraded. I do not know why this route was chosen when that was not what was completed on dev/qa. On our production 'upgrade', we are still working through issues. We then uninstalled iis, sqlserver reporting services, both .net 1.1 and 2.0, and the BPC application. Then reinstall everything and we were getting the same errors.
Our error was at Progress 10/10 Create Database Schema and check Application server collation.
Error Message: Object Reference not set to an instance of an object.
We are able to access the appShell and test copies of the appShell, we were not able to access any custom appSets which were created prior to the upgrade, nor are we able to access any appSets that were created as a copy of the custom appSet after the upgrade.
When logged with SAP, we were directed toward note Note 1331040 - Cannot log into 7M Admin console after restore from version5 noting that we needed to do the following changes:
Note that you will need to change the following:
INSERT INTO tblDefaults VALUES ('_GLOBAL','Prev_AppSet_Version','','','7.0.112')
INSERT INTO tblDefaults VALUES ('_GLOBAL','Curr_AppSet_Version','','','7.0.112')
to
INSERT INTO tblDefaults VALUES ('_GLOBAL','Prev_AppSet_Version','','','7.0.113')
INSERT INTO tblDefaults VALUES ('_GLOBAL','Curr_AppSet_Version','','','7.0.113')
The reason is because '7.0.113' means 7 MS SP04 while '7.0.112' means SP03.
There are 8 steps in this note, for us, only the first 2 were needed. I have asked SAP to create new note/update existing accordingly.
With the table entry, we were able to successfully access our app set.
Hope our experiences can help you out.
Thanks,
Becky Zick -
I am from India using my iphone4 with Vodafone and firmware version 5.0.1(9A405). I am unable to access 3G from my device as the CELLULAR DATA NETWORK option in the settings is missing. Any methods or options for fixing the same????
I am from India using my iphone4 with Vodafone and firmware version 5.0.1(9A405). I am unable to access 3G from my device as the CELLULAR DATA NETWORK option in the settings is missing. Any methods or options for fixing the same????
-
Hello! Ever since I upgraded my iPhone 5s to IOS 7.1, I am unable to access the iPhone Keyboard if I access contacts using the recent calls tab. I am also unable to access the keyboard if I want to search for a contact as long as I went through the recent calls tab. Has anyone a fix for this problem? If you want to try it out, do the following?
Dial a number from your iPhone Keypad. After cutting the call, try to save the number you just dialled to your contacts by choosing the new contact option. You will see that you will not be able to key in the name of your new contact.Works fine for me.
Try a reset: Simultaneously hold down the Home and On buttons until the device shuts down. Ignore the off slider if it appears. Once shut down is complete, if it doesn't restart on it own, turn the device back on using the On button. In some cases it also helps to double click the Home button and close all apps BEFORE doing the reset. -
Under Snow Leopard I used a WD My World NAS to back up my Mac Pro (Mid 2010). When I upgraded to Lion I am unable to access the backup because the NAS does not yet support AFP. I have now bought a Time Capsule and want to transfer the old backup onto it.
How can I recover the NAS back up to put on my new Time Machine.
Talking to Apple Support Adviser was a waste of time on case number 239647273
Any thoughts or pointers?Keep the old OS around and just kick the tires and test new OS. Apple has a history and habit of breaking support in things like this.
You can use TimeMachine as one level of backup, and even there there were changes with Lion, I would always recommend foremost backup clones of every volume. And clone (SuperDuper etc) can be stored on something like HP NAS Media Server which also was supporting TimeMachine, iTunes - until Apple made that harder and more their own proprietary format.
Apple AirPort Time Capsule Support
Lion Communities
Cloning as a Backup Strategy
Rather than "upgrade" I would clone the system, and do a clean install, then allow Setup Assistant to import your files.
Others who are asking the same question:
http://www.bing.com/search?q=mac+os+x+lion+WD+My+World+NAS -
I am unable to access my Bank website since upgrading to Mavericks (Safari 7)
I am unable to access my Bank website since upgrading to Mavericks (Safari 7)
I get the following error message in Safari before I even have the opportunity to
connect to my bank's website.
It works fine in Firefox and Chrome.
Access Denied
You don't have permission to access "http://www.tdbank.com/" on this server.
Reference #18.a555ee3f.1382720248.13b74953I experienced the same problem where by I could not log into my Nationwide Bank account when I had upgraded Safari to the latest Version before Mavericks 6.1.0 on OSX Mountain Lion 10.8.5. I believe.
I already had Trusteer Rapport installed as recommended by banks.
Some Banks worked but Nationwide skipped the log in page and kept taking me to a page about Cookies telling me I needed to enable them but they were enabled. I just could not get into the Log In Page. Incidentally the Nationwides Cookies screen shot is of an out of date Cookies setting page - it is now under privacy in Safari preferences.
I then installed Rapport again when it popped up as an option and bingo I could get to the Log In page.
Took the plunge and upgraded last evening to Mavericks
Same probelm occured cannot Log In to Nationwide.
I have just stopped Trusteer Rapport and thank goodness I can get into Log On again.
However when I logged out and tried to open another site Safari crashed with the following error message
"safari quite unexpectedly while using trf.dylib plug-in"
Chose Reopen and safari opened Ok
I googled the message and that got me here - seems it is Trusteer Rapport
So someone needs to sort this out I guess Trusteer I guess?
Hope this is helpful
Cheers
John -
After upgrading my ipad 3 to ios 6 i am unable to access my i tune store from i pad3. please help me
after upgrading my ipad 3 to ios 6 i am unable to access my i tune store
Saw this on another post.
Applecare Senior Advisor Txx Bxxx (I have his contact info in an email he just sent) just confirmed with me that the problem people are having with the App Store not loading is an apple issue with there servers, ITS NOT YOUR IPAD so don't go restoring it! It's not happening to everyone however but they are looking into it, its really hit or miss.
In the meantime ...........
The Complete Guide to Using the iTunes Store
http://www.ilounge.com/index.php/articles/comments/the-complete-guide-to-using-t he-itunes-store/
Can't connect to the iTunes Store
http://support.apple.com/kb/TS1368
iTunes: Advanced iTunes Store troubleshooting
http://support.apple.com/kb/TS3297
Best Fixes for ‘Cannot Connect to iTunes Store’ Errors
http://ipadinsight.com/ipad-tips-tricks/best-fixes-for-cannot-connect-to-itunes- store-errors/
Try this first - Reset the iPad by holding down on the sleep and home buttons at the same time for about 10-15 seconds until the Apple Logo appears - ignore the red slider - let go of the buttons.
This works for some users. Not sure why.
Go to Settings>General>Date and Time> Set Automatically>Off. Set the date ahead by about a year.Then see if you can connect to the store.
Cheers, Tom
Maybe you are looking for
-
It's interesting.......Can u?????
101. What is true about the primary index of a table? More than one answer is correct. a) The key fields of the table make up the primary index b) The primary index ID is designated by the Database Adminstrator c) The developer designates the fields
-
Upgrading from OX 10.3.9 to OX 10.5.4 for FCP Studio 2
I hope this isn't a dumb question, but here goes. I have G5 running OX 10.3.9 and Final Cut Pro 4. Recently purchased Mac Box with OX 10.5.4 and Final Cut Express. I like the Leopard OX and decided to take the plunge and upgrade my G5 to the latest s
-
InDesign CS5 will not import Alpha Channels from images saved in Photoshop CS6
Just searched through the forums to find this thread in the (now-Read Only) Photoshop CS6 Beta forum: http://forums.adobe.com/message/4310886 Which is exactly the same issue I'm having. I just cropped about a 1000 images with alphas originally create
-
"Tax Only" feature not enabled in reserve invoice [Message 439-209]
HI Experts, I have created new company as IND_COA database and i created a Masters and Inventory Offset A/c in Equity drawer. Now, am trying to take initial qnty , wheres it says the "Tax Only" feature not enabled in reserve invoice [Message 439-20
-
Provide steps to connect HPLJ P1102w to AirPort router (MacOSX 10.5.8)
Please provide deterministic set of steps for connecting HP LJ P1102w wirelessly to AirPort router (MacOSX 10.5.8). I recently bought a HP LaserJet P1102w in the hopes that since it supports AirPrint and my OS, I should be able to quickly and easily