WYSE terminal over DSL IPSEC IOS VPN

I am having a problem establishing a connection over my WAN via a WYSE terminal to a Citrix server. We have PCs that can connect using the ICA client without any problems, but the Wyse terminals fail and don't even display an image on the screen.
I have experienced problems with the 877 IPSEC VPNs over DSL before and had issues relating to MTU from PCs, but this is the first occurrence where the PCs are working but the Wyse terminals fail.
Has anyone experienced this before?
Thank you!

This setup applies to a specific case where the router does not enable split tunneling, and mobile users (Cisco VPN Client) can access the Internet via the central site router. In order to achieve this, configure the policy map in the router to point all the VPN traffic (Cisco VPN Client) to a loopback interface. This allows the Internet traffic to be port address translated (PATed) to the outside world.
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml

Similar Messages

  • Users can only connect to RD farm website and cannot remote into terminal server , when connected via VPN

    Hello,
    I have an RD farm using 3 Win 2012 servers (1 broker and 2 session hosts), for internal use only; I have not
    configured a gateway for internet access.
    Users are able to connect to the RD farm website and remote into the terminal server within the office,
    but can only connect to the RD farm website and cannot remote into the terminal server when connected via VPN.
    It takes a long time at "securing connection" and then fails.
    Thanks

    Hi,
    Thank you for your posting in Windows Server Forum.
    First of all I would suggest you configure the RD Gateway role on your server and pass all connections through it, because it's a best practice to use RD Gateway in an RDS farm.
    Apart from this, if you are not using RD Gateway then you must check that you have successfully forwarded port 3389 for RDS to be accessed via VPN. Also check that you have made the configuration under IIS Manager to enable Forms Authentication. Please check
    this link.
    In addition, please refer to the articles beneath for additional details.
    1. How to Access Windows Remote Desktop Over the Internet
    2. Remote Desktop Services in Windows 2008 R2 – Part 3 – RD Web Access & RemoteApp
    (For reference)
    Hope it helps! 
    Thanks,
    Dharmesh

  • DSL backup and VPNs

    Hi all: I have no knowledge on this subject and need to
    know some quick info.
    We have a simple WAN with two P-2-P T1s to our branch
    offices. Our main office also has a T1 to our ISP. We run
    NW6.5 sp8 on all servers and BM3.9 in our main office as our
    FW/Proxy.
    So here is the deal, we are considering DSL backup lines
    which most likely will be dynamic IPs through the local
    telco at our branch office sites. What I would like to do
    (if possible) is in the event of T1 failure shift to the DSL
    lines, establish VPN connections through the internet to our
    BM server.
    Is this doable? Or is there a better way?

    In article <49D5FC96.CE15.0032.0@N0_$pam.vrapc.com>, Chris wrote:
    > So what I was thinking was to get a DSL line for the branch
    > office. Then when the T1 goes down, the branch would switch
    > over to the DSL and connect to the cloud and establish a VPN
    > connection through our T1 to the ISP (cloud).
    >
    This (autoswitching of a route) used to be done back in the 'olden
    days', using ISDN lines as a backup to circuits for private WAN links.
    While it can be done, it would need to be done at the router level.
    Client-site would be ok though, as long as the traffic gets
    automatically routed to the internet through the DSL link instead of
    trying to go through the old (dead) WAN link. If you get a router that
    has both T1 and DSL capability, it may very well be able to be
    configured to use the DSL as a backup.
    It would be up to your users to start and stop the Client-Site VPN
    client though, and if that T1 came back up, the VPN would suddenly
    break since you would lose the internet connection that the VPN was
    using. If the circuits go up and down and up and down, it will be
    havoc to communications.
    Craig Johnson
    Novell Support Connection SysOp
    *** For a current patch list, tips, handy files and books on
    BorderManager, go to http://www.craigjconsulting.com ***

  • HT201210 I updated my 4s over 3g to ios 7.1 it took forever and said connect to itunes. It said it was in recovery mode & needed to be restored but would wipe all content. I have never made a backup and can't lose pics of my kids birth and birthdays...

    So tonight I updated my 4s over 3g to ios 7.1 it took forever and said connect to itunes. It said it was in recovery mode & needed to be restored but would wipe all content. I have never made a backup because my computer's hard drive crashed (luckily the pics were on the phone) and now after updating like apple said I should it wants me to wipe my phone... I can't lose pics of my kids' births and birthdays... I tried the holding buttons and letting off to exit recovery mode with no success... I don't know what to do but I swear if apple makes me lose the priceless pics of my kids I will never buy any apple device ever again... and I will make sure no family or friend ever does either... there has to be a way somehow.. some data recovery some program... I dunno if tinyumbrella can exit it for me without hacking or jailbreaking (which I don't dare/want to do) but I need a solution. I have researched this for hours and hours with no solution so far. If I have to pay $$ for it fine I will but after I recover my data that way I will be going to samsung... anyone with a solution would be greatly appreciated... any solution...

    that makes no sense... it was only doing an update... if that's the case it should have prompted me to back up first if this is even possible... there is a program that says it can recover anything that hasn't been written over yet.. so would this not work? http://www.iphone-data-recovery.com/iphone-data-recovery.html   or would the apple store be able to recover it??? I've done plenty of data recovery on computers... why wouldn't it be possible on an iPhone... does apple seriously not care about their customers at all??? how about their employees that are gonna get more than an earful tomorrow when I walk in their store??? No wonder samsung paid 2 million to apple in pennies when they got sued... (how does it feel to be screwed with apple?!)

  • Tcp mss adjust calculation for GRE tunnel over DSL line

    hi guys,
    need your advice on this one, as I searched on cisco.com and netpro but was unable to find the exact info that I required.
    First, can anyone confirm the following calculation to find out the MSS size.
    MSS size = MTU size - encapsulation size - TCP header size
    So for the normal case:
    MSS = 1500 - 48 (48 is the TCP/IP header)
    so MSS = 1452
    Thus in my case, GRE tunnel over DSL connection:
    MSS = 1492 - 24 - 48 (24 is the GRE encap; 48 is the TCP/IP header)
    MSS = 1420
    Is this correct?
    Secondly, where should the ip tcp mss-adjust be implemented? Is it at the Dialer (DSL) interface or at the Tunnel interface?

    I don't use the math (it doesn't work for me probably b/c I miss something). Here's how I do it-
    C:\>ping 10.125.0.250 -f -l 1600
    Pinging 10.125.0.250 with 1600 bytes of data:
    Packet needs to be fragmented but DF set.
    Packet needs to be fragmented but DF set.
    Packet needs to be fragmented but DF set.
    Packet needs to be fragmented but DF set.
    Ping statistics for 10.125.0.250:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
    C:\>ping 10.125.0.250 -f -l 1500
    Pinging 10.125.0.250 with 1500 bytes of data:
    Packet needs to be fragmented but DF set.
    Packet needs to be fragmented but DF set.
    Packet needs to be fragmented but DF set.
    Packet needs to be fragmented but DF set.
    Ping statistics for 10.125.0.250:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
    C:\>ping 10.125.0.250 -f -l 1400
    Pinging 10.125.0.250 with 1400 bytes of data:
    Reply from 10.125.0.250: bytes=1400 time=19ms TTL=251
    Reply from 10.125.0.250: bytes=1400 time=19ms TTL=251
    Reply from 10.125.0.250: bytes=1400 time=19ms TTL=251
    Reply from 10.125.0.250: bytes=1400 time=19ms TTL=251
    Ping statistics for 10.125.0.250:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 19ms, Maximum = 19ms, Average = 19ms
    C:\>ping 10.125.0.250 -f -l 1450
    Pinging 10.125.0.250 with 1450 bytes of data:
    Reply from 10.125.0.250: bytes=1450 time=19ms TTL=251
    Reply from 10.125.0.250: bytes=1450 time=20ms TTL=251
    Reply from 10.125.0.250: bytes=1450 time=19ms TTL=251
    Reply from 10.125.0.250: bytes=1450 time=19ms TTL=251
    Ping statistics for 10.125.0.250:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 19ms, Maximum = 20ms, Average = 19ms
    C:\>ping 10.125.0.250 -f -l 1475
    Pinging 10.125.0.250 with 1475 bytes of data:
    Packet needs to be fragmented but DF set.
    Packet needs to be fragmented but DF set.
    Packet needs to be fragmented but DF set.
    Packet needs to be fragmented but DF set.
    Ping statistics for 10.125.0.250:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
    C:\>ping 10.125.0.250 -f -l 1470
    Pinging 10.125.0.250 with 1470 bytes of data:
    Reply from 10.125.0.250: bytes=1470 time=19ms TTL=251
    Reply from 10.125.0.250: bytes=1470 time=22ms TTL=251
    Reply from 10.125.0.250: bytes=1470 time=20ms TTL=251
    Reply from 10.125.0.250: bytes=1470 time=19ms TTL=251
    Ping statistics for 10.125.0.250:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 19ms, Maximum = 22ms, Average = 20ms
    C:\>
    1470 works and has a little bit of extra room. The tcp mss-adjust should be done on the LAN interface.
    Hope it helps.
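The two approaches in this thread (the formula and the DF ping sweep) side by side, as an added example that is not part of either post. It uses the standard 20-byte IPv4 and 20-byte TCP headers (the poster's 48-byte figure is left as written above), the 24-byte GRE overhead the question states, and an assumed 8-byte PPPoE overhead; the sweep transcript is a constructed, shortened version of the one the reply posted, and the parser relies on Windows `ping -l N` setting only the ICMP payload, so the IP packet that fit was N + 28 bytes.

```python
import re
from typing import Optional

# Header sizes (bytes) assumed here: IPv4 and TCP without options, ICMP echo header.
IPV4_HEADER = 20
TCP_HEADER = 20
ICMP_HEADER = 8
GRE_OVERHEAD = 24    # as the thread states it: outer IPv4 header (20) + GRE header (4)
PPPOE_OVERHEAD = 8   # assumed: PPPoE (6) + PPP (2), the usual reason a DSL dialer shows a 1492-byte MTU


def mss_for_path(mtu: int, *encap_overheads: int) -> int:
    """The thread's formula: MSS = MTU - encapsulation - IP header - TCP header."""
    return mtu - sum(encap_overheads) - IPV4_HEADER - TCP_HEADER


def largest_unfragmented_payload(transcript: str) -> Optional[int]:
    """Walk a Windows `ping -f -l N` transcript and return the largest N that got replies.

    -f sets Don't Fragment, so a probe either comes back ("Reply from ...") or is
    rejected by a hop whose MTU is too small ("Packet needs to be fragmented but DF set").
    """
    best = None
    for block in re.split(r"(?=Pinging )", transcript):
        m = re.match(r"Pinging \S+ with (\d+) bytes of data:", block)
        if not m:
            continue
        size = int(m.group(1))
        if "Reply from" in block and "needs to be fragmented" not in block:
            best = size if best is None else max(best, size)
    return best


def path_mtu_lower_bound(transcript: str) -> Optional[int]:
    """`-l N` is ICMP payload only; the whole IP packet that fit was N + 20 + 8 bytes."""
    payload = largest_unfragmented_payload(transcript)
    return None if payload is None else payload + IPV4_HEADER + ICMP_HEADER


def mss_from_sweep(transcript: str) -> Optional[int]:
    """MSS that fits the largest packet observed to pass: path MTU minus IP and TCP headers."""
    mtu = path_mtu_lower_bound(transcript)
    return None if mtu is None else mtu - IPV4_HEADER - TCP_HEADER


# Constructed transcript, shortened from the shape of the one posted in the thread.
SAMPLE_SWEEP = """\
C:\\>ping 10.125.0.250 -f -l 1500
Pinging 10.125.0.250 with 1500 bytes of data:
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
C:\\>ping 10.125.0.250 -f -l 1400
Pinging 10.125.0.250 with 1400 bytes of data:
Reply from 10.125.0.250: bytes=1400 time=19ms TTL=251
Reply from 10.125.0.250: bytes=1400 time=19ms TTL=251
C:\\>ping 10.125.0.250 -f -l 1475
Pinging 10.125.0.250 with 1475 bytes of data:
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
C:\\>ping 10.125.0.250 -f -l 1470
Pinging 10.125.0.250 with 1470 bytes of data:
Reply from 10.125.0.250: bytes=1470 time=19ms TTL=251
Reply from 10.125.0.250: bytes=1470 time=22ms TTL=251
"""

if __name__ == "__main__":
    print("plain Ethernet MSS:", mss_for_path(1500))                          # 1460
    print("GRE over a 1492-byte DSL link MSS:", mss_for_path(1492, GRE_OVERHEAD))  # 1428
    print("largest DF payload that passed:", largest_unfragmented_payload(SAMPLE_SWEEP))  # 1470
    print("path MTU is at least:", path_mtu_lower_bound(SAMPLE_SWEEP))       # 1498
    print("MSS to clamp to from the sweep:", mss_from_sweep(SAMPLE_SWEEP))   # 1458
```

The sweep value is a lower bound: a probe of 1472 would have told whether the path really is a full 1500, so step the size by one between the last pass and the first failure before choosing a clamp value.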

  • What is the preferred dynamic routing over l2l/ipsec?

    what is the preferred dynamic routing over l2l/ipsec?
    Sent from Cisco Technical Support iPhone App

    Pretty much what you might use if not IPSec.
    Do you have some reason why IPSec should have a preferred routing protocol or are you just wondering if there is a preferred routing protocol for IPSec?

  • Connection issues of Historical Reports Client over a non-Cisco VPN/third party VPN

    When trying to run the Cisco Unified CCX Historical Reports Client over a non-Cisco VPN, the user receives an error.
    The major failure is the connection problem between Historical Reports Client and Cisco Unified CCX Server.
    Error :
    An error occurred while communicating with web server.
    All available connections to database server are in use by other client machines. Please try again later and check the log file for error 5054.
    This works fine when connected through Cisco VPN.
    Is the third-party VPN / customer's web-based VPN blocking the connection between the UCCX server and the HRC machine??
    Thanks !!!
    Shridhar Reddy

    Hi Sridhar,
    Also please try accessing the database port 1504 from your client box.
    Reference:
    http://www.cisco.com/en/US/docs/voice_ip_comm/cust_contact/contact_center/crs/express_8_5/configuration/guide/uccx851pug.pdf
    Hope it helps.
    Anand
    Pls rate helpful posts !!

  • IPsec PTP VPN and HSRP

    HI
    Is it possible to set up an IPsec PTP VPN from an ASA to Cisco 1800 routers with HSRP? I found out how to do it from router to router but am not sure if it can be done from an ASA (http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800942f7.shtml). Any help would be appreciated.
    Shawn

    Hi,
    I think you need to configure the Default PAT ACL so that it first has "deny" statements for traffic that is NOT supposed to be NATed between the LAN and the VPN Pool.
    For example make this kind of ACL and NAT configuration
    access-list 100 remark NAT0 for VPN Client
    access-list 100 deny ip 10.0.1.0 0.0.0.255 10.88.0.0 0.0.0.255
    access-list 100 remark Default PAT for Internet Traffic
    access-list 100 permit ip 10.0.1.0 0.0.0.255 any
    ip nat inside source list 100 interface GigabitEthernet0/0 overload
    EDIT: Actually it seems you might have more 10-networks behind the router.
    Then you could modify the ACL to this
    access-list 100 remark NAT0 for VPN Client
    access-list 100 deny ip 10.0.1.0 0.0.255.255 10.88.0.0 0.0.0.255
    access-list 100 remark Default PAT for Internet Traffic
    access-list 100 permit ip 10.0.1.0 0.0.255.255 any
    Remember to mark correct answers/replies and/or rate helpful answers
    - Jouni

  • IPSEC Cisco VPN connection. Modifying default VPN gateway allows internet traffic but loses access to VPN

    Hello!!
    I'm using the IPSEC Cisco VPN Network property to connect to my company.
    Once I get connected, I lose internet access, because all the traffic is redirected through the tunnel and I want both, of course.
    If I modify the default gateway in the routing table with this command
    route change default x.x.x.x, where this is the gateway IP when not connected to the VPN,
    I gain access to internet, but I lose access through the VPN tunnel.
    I was reading about it on Google, and what I have to do is add a static route to the VPN again, but I don't know how.
    Could you please help me?
    thanks in advance!!

    Hi Norbert,
    I am sorry to say that configuring routes in an Azure Virtual Network is not supported. I recommend you submit your requirement on Azure Feedback and hope it will be released soon:
    http://feedback.azure.com/forums/217313-networking-dns-traffic-manager-vpn-vnet
    Best regards,
    Susie
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • IPSec remote VPN with VPN client giving error

    Hi ,
    ASA 5505 current configuration is : (setup using ASDM)
    Result of the command: "show running-config"
    : Saved
    ASA Version 8.2(5)
    hostname TEST
    enable password ___________ encrypted
    passwd __________ encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    ftp mode passive
    access-list sap_vpn_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.224
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool test_pool 192.168.10.0-192.168.10.20 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication http console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 192.168.1.5-192.168.1.132 inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy sap_vpn internal
    group-policy sap_vpn attributes
    dns-server value 192.168.2.1
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value sap_vpn_splitTunnelAcl
    username test password ____________ encrypted privilege 0
    username test attributes
    vpn-group-policy sap_vpn
    username TEST password ________________ encrypted privilege 15
    tunnel-group sap_vpn type remote-access
    tunnel-group sap_vpn general-attributes
    address-pool test_pool
    default-group-policy sap_vpn
    tunnel-group sap_vpn ipsec-attributes
    pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:b67cdffbb9567f754052e72f69ef95f1
    : end
    I am using the VPN client with host IP 192.168.2.20 and group authentication with username sap_vpn and the preshared key as password, but I could not connect to the VPN and am getting the attached error message.
    The ASA was set up with the ASDM initial wizard: inside interface (VLAN1) IP 192.168.1.1 and outside (VLAN2) IP 192.168.2.20 assigned using DHCP. I am using the outside interface IP 192.168.2.20 as the HOST IP in the VPN client for the remote connection??? Is that right??
    please advise for this.

    Hi,
    current configuration for ASA 5505 for IPSec remote VPN as below:
    ASA Version 8.2(5)
    hostname _________
    domain-name ________
    enable password ___________ encrypted
    passwd _________ encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.0.7 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address ______________(public IP)
    ftp mode passive
    dns server-group DefaultDNS
    domain-name ________
    access-list inside_nat0_outbound extended permit ip any 172.16.0.0 255.255.224.0
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool test_pool 172.16.10.0-172.16.16.20 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication http console LOCAL
    http server enable
    http 192.168.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcp-client client-id interface outside
    dhcpd auto_config outside
    dhcpd address 192.168.0.11-192.168.0.138 inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy dyt_vpn internal
    group-policy dyt_vpn attributes
    vpn-tunnel-protocol IPSec
    default-domain value _______
    username test password _________ encrypted privilege 0
    username test attributes
    vpn-group-policy dyt_vpn
    username ________ password ______________encrypted privilege 15
    tunnel-group dyt_vpn type remote-access
    tunnel-group dyt_vpn general-attributes
    address-pool test_pool
    default-group-policy dyt_vpn
    tunnel-group dyt_vpn ipsec-attributes
    pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:eb0f7a5c2385b7400e9b9432fb2df9d1
    : end
    When I am assigning a public IP to the outside interface of the ASA, it is showing the outside interface down.
    Can anybody please help me with that.
    Thanks,
    Sap
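A check that fits the two configurations above: on ASA 8.2 the `nat (inside) 0 access-list` exemption must cover every address the VPN pool can hand out, or a client that lands on an uncovered address gets PATed like Internet traffic and cannot be reached from the LAN. The snippet below is an added example, not the poster's configuration or any Cisco tool; it parses the three lines in the shape of the first posted config (constructed excerpt) and a constructed variant in which the pool was widened without widening the exemption ACL. The parser handles only the operands those lines use (`any`, `host A`, and `A MASK` with real subnet masks, not IOS wildcards).

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed excerpt in the shape of the first ASA 8.2 config posted in the thread.
ASA_CONFIG_OK = """\
access-list sap_vpn_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.224
ip local pool test_pool 192.168.10.0-192.168.10.20 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""

# Constructed variant: the pool was widened past the /27 but the nat0 ACL was not.
ASA_CONFIG_BAD = ASA_CONFIG_OK.replace("192.168.10.0-192.168.10.20", "192.168.10.0-192.168.10.40")


def _address_spec(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one ASA address operand: 'any', 'host A', or 'A MASK' (subnet masks, not wildcards)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def nat0_destinations(config: str, acl_name: str) -> List[ipaddress.IPv4Network]:
    """Destination networks that the named extended ACL exempts from NAT."""
    nets = []
    for line in config.splitlines():
        t = line.split()
        if t[:2] != ["access-list", acl_name] or "permit" not in t:
            continue
        i = t.index("permit") + 2            # skip 'permit' and the protocol keyword ('ip')
        _, i = _address_spec(t, i)           # source operand (not needed for this check)
        dst, _ = _address_spec(t, i)
        nets.append(dst)
    return nets


def pool_range(config: str, pool_name: str) -> Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]:
    """First and last address of an 'ip local pool NAME A-B mask M' line."""
    m = re.search(rf"ip local pool {re.escape(pool_name)} (\S+)-(\S+) mask", config)
    if not m:
        raise ValueError(f"pool {pool_name} not found")
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))


def pool_addresses_not_exempt(config: str, pool_name: str, acl_name: str) -> List[str]:
    """Every pool address no nat0 entry covers; a client on such an address is PATed, not reached."""
    first, last = pool_range(config, pool_name)
    exempt = nat0_destinations(config, acl_name)
    uncovered = []
    for n in range(int(first), int(last) + 1):
        addr = ipaddress.ip_address(n)
        if not any(addr in net for net in exempt):
            uncovered.append(str(addr))
    return uncovered


if __name__ == "__main__":
    for label, cfg in (("posted config", ASA_CONFIG_OK), ("widened pool", ASA_CONFIG_BAD)):
        gap = pool_addresses_not_exempt(cfg, "test_pool", "inside_nat0_outbound")
        print(f"{label}: {len(gap)} pool addresses outside the nat0 exemption", gap[:3])
```

The same walk can be pointed at the split-tunnel ACL (`sap_vpn_splitTunnelAcl`) to confirm the LAN the client should reach is actually in the list the client receives.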

  • NAT traffic over a IPSec tunnel (ISR)

    Hi.
    I'm supposed to set up an IPSec tunnel between an 1811 and some sort of CheckPoint firewall. The IPSec part isn't that big of a deal, but the system manager on the "CheckPoint side" wants the traffic through the tunnel to originate from a public IP-address, and only one source IP-address.
    So, let's say that my ISP has given me 10.10.1.1 - 10.10.1.5, our inside clients have an IP-address from the range 192.168.10.0/24, and the remote application at the "Checkpoint site" has the IP-address 172.16.1.10. The result of this should be:
    IPSec tunnel is created using the 10.10.1.1 IP-address.
    The traffic from the 192.168.1.0/24 clients should access the application at 172.16.1.10 using 10.10.1.2 as source address OVER the IPSec tunnel.
    Is this possible? I guess that it would mean that I have to NAT the traffic going through the IPSec tunnel, but I'm having trouble getting this to work. I have googled all day long looking for something similar.
    Anyone who could shed some light? Any insight appreciated.
    Cheers!
    /Johan Christensson

    Thanks jjohnston1127!
    Well, I guess that it would work, and I wasn't that far off, but got stuck in the "ip nat inside" rule when I was to specify either a pool or an interface. It didn't occur to me that a pool could just consist of 1 IP-address.
    However, this raised a new problem. The "match address" access-list that I use in the crypto map for the IPSec configuration currently looks something like this:
    access-list 150 permit ip host 10.10.1.2 host 172.16.1.10
    If I change it to something like this, the tunnel negotiation gets triggered.
    access-list 150 permit ip 192.168.1.0 0.0.0.255 host 172.16.1.10
    However I assume that the negotiation fails because the tunnel configuration in my router has a different "local network" than the "remote network" at the Checkpoint site.
    Is this because the NATing doesn't get processed before the IPSec configuration?
    Can this behavior be changed?
    Best regards,
    Johan Christensson

  • DMM - DMP connectivity over DSL network

    Dear All,
    I would like to know whether it is possible to connect DMM - DMP over a DSL network.
    -     I have a DMM with private IP 192.168.1.100 and a static NAT public IP 58.177.200.xx
    -     I have a DMP with private IP 192.168.xx.xx connected under an ADSL network with a dynamic IP address.
    I checked NAT enable on DMPDM but it asks me to enter the ADSL public IP. When the DSL line goes down and reconnects, the IP changes.
    What should I do?
    Thank you very much
    Sukitti

    Hi Sukitti,
    I'm afraid this will never work. As you already saw, you can use the DMP with NAT, but the public IP needs to be fixed.
    Your best approach would be to contact your ADSL service provider and request a fixed IP for that connection. Most providers give this option for a small extra amount.
    Regards
    Daniel

  • RVS4000 to WRV200 VPN over DSL

    I have tried to configure this and get the same error message - no corresponding tunnel on remote side.  I have a WRV200 at home and an RVS4000 at work and am trying to configure a VPN tunnel from home to work.  Both are DSL connected.  Any help in getting this configured would be great, I have been working at this for a while to no avail.  Thanks in advance for any light/help you can shed on this problem.  FYI  I have set up the VPN identically on both routers using the same preshared key and such.  ???
    Thanks - Ed

    Ed,
         Can you post your configurations from each router?  The configuration on each router has to be unique to the router's environment.  If you post the configs, we can just verify they are set up properly.  Change the public IP address if you are concerned about posting your IP here.  Thanks.

  • Duplicate remote networks and PAT - IOS VPN

    This question pertains to an IOS router running c3900e-universalk9-mz.SPA.152-4.M5.
    We are deploying a new VPN termination router that will support multiple IPSec tunnels to multiple unrelated external organizations. We have many of these VPN routers in other regions hosting dozens of IPsec tunnels to dozens of unrelated external organizations. In the past, to allow for IPv4 uniqueness, we have suggested (required) these external organizations to PAT their source addresses to unique public addresses owned by the external organization. In some cases, my company has provided a public range of addresses to the external organization which the external organization uses to PAT their sources before presenting the traffic to our side of the VPN tunnel.
    This has served us well and scales quite well.
    However, we are now faced with an external organization (the very first organization on this new VPN termination router) that wants to present my company with non-unique addresses in the 10.0.0.0/8 range. This external organization has requested that we PAT their sources for them, which I understand that technically we can do.
    My first question is, if my company decides to go into the business of PATing the 10/8 sources of other external organizations, how will this impact the IP network used at the remote end of the tunnel and could these remote networks be overlapping between two or more external organizations without using some flavor of VRF? I developed a scenario below that I'd like help in understanding:
    interface Port-channel20.2900
    description Internet Bound (Outside)
    crypto map JIM                                               
    ip address 130.96.10.243 255.255.255.248
    ip nat inside 
    interface Port-channel20.2901
    *** Transit DMZ or LAN Bound (Inside)
    ip nat outside
    ip address 130.96.10.251 255.255.255.248 
    If we had two crypto external organizations:
    External Organization #1
    crypto map JIM 100 ipsec-isakmp
    description ***
    set peer 1.1.1.1
    set transform-set esp-3des-sha
    set security-association lifetime seconds 28800
    match address SCA
    crypto isakmp key blah address 1.1.1.1
    ip access-list extended SCA
    permit ip host 130.96.10.92 host 130.96.10.223
    access-list 7 remark *** SCA NAT List - SCA *** JMM
    access-list 7 permit 10.254.0.0 0.0.255.255
    ip nat pool SCA 130.96.10.223 130.96.10.223 prefix 30
    ip nat inside source list 7 pool SCA overload
    ip route 1.1.1.1 255.255.255.255 130.96.10.241
    ip route 10.254.0.0 255.255.0.0 130.96.10.241
    External Organization #2
    crypto map JIM 200 ipsec-isakmp
    description ***
    set peer 2.2.2.2
    set transform-set esp-3des-sha
    set security-association lifetime seconds 28800
    match address SCB
    crypto isakmp key blah address 2.2.2.2
    ip access-list extended SCB
    permit ip host 130.96.11.14 host 130.96.11.223
    access-list 8 remark *** SCB NAT List - SCB *** JMM
    access-list 8 permit 10.254.0.0 0.0.255.255
    ip nat pool SCB 130.96.11.223 130.96.11.223 prefix 30
    ip nat inside source list 8 pool SCB overload
    ip route 2.2.2.2 255.255.255.255 130.96.10.241
    Imagine these flows are present:

    Flow #   External Organization   Source          NAT Destination   Real Destination
    1        1                       130.96.10.92    130.96.10.223     10.254.10.10
    2        2                       130.96.11.14    130.96.11.223     10.254.10.10
    Since our interesting traffic access-lists are based on PAT addresses, theoretically the flow could be positively associated with the crypto-map clause before PAT. Is it true that in the forward direction we have PAT, followed by routing, followed by encryption? If so, this would mean that after PAT and routing the egress interface would be the same for both flows (Port-channel20.2900) and the IP destination address would also be the same (10.254.10.10). However, the source IP address would be distinct for each flow. Since routing has already happened, isn’t the router smart enough to associate the post-PAT packet(s) with the correct crypto-map clause on the crypto-enabled interface which would be based on the access-list in the “match address” clause within the crypto-map:
    ip access-list extended SCA
    permit ip host 130.96.10.92 host 130.96.10.223
    ip access-list extended SCB
    permit ip host 130.96.11.14 host 130.96.11.223
    In theory it seems this would allow duplicate IP networks at remote sites. Am I correct? If I'm wrong, where and how exactly does this fail?
    Thanks,
    Jim
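A small model of the packet path the question above turns on, added here as an illustration; it is not from the post and it is not IOS code. It follows Cisco's published NAT order of operations: the translation (after routing for inside-to-outside, before routing for outside-to-inside) precedes the crypto map "match address" check, and classic non-VRF NAT chooses its rule from the packet's addresses and the interface's nat role alone, with no knowledge of which IPsec peer a packet was decrypted from. The interfaces, pools, NAT lists and crypto-map entries are the ones in the post; the translation table, the post-NAT variant of the two ACLs, and the sample packets are constructed for the example, and ports are ignored.

```python
# Added example, not from the post: model of decrypt -> NAT -> routing -> crypto-map
# selection for the two-organization scenario, using the posted addresses.
# Assumption: Cisco NAT order of operations (NAT before the crypto-map check in
# both directions); NAT has no tunnel/peer context without VRF. Ports are ignored.
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def in_net(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


# "ip nat inside source list N pool ..." rules from the post: (acl, source net, pool address).
NAT_RULES = [
    ("7", "10.254.0.0/16", "130.96.10.223"),  # pool SCA, external organization #1
    ("8", "10.254.0.0/16", "130.96.11.223"),  # pool SCB, external organization #2
]

# crypto map JIM entries as posted: (seq, peer, (src host, dst host) of the match ACL).
CRYPTO_MAP_AS_POSTED = [
    (100, "1.1.1.1", ("130.96.10.92", "130.96.10.223")),  # match address SCA
    (200, "2.2.2.2", ("130.96.11.14", "130.96.11.223")),  # match address SCB
]

# Constructed alternative: the same ACLs written in post-NAT terms, i.e. the
# addresses the packet actually carries when the crypto map is consulted.
CRYPTO_MAP_POST_NAT = [
    (100, "1.1.1.1", ("130.96.10.92", "10.254.10.10")),
    (200, "2.2.2.2", ("130.96.11.14", "10.254.10.10")),
]

# Constructed translation table: the real address each pool address stands for.
TRANSLATIONS = {"130.96.10.223": "10.254.10.10", "130.96.11.223": "10.254.10.10"}


def nat_rules_matching(pkt: Packet) -> list:
    """Decrypted packet entering on the 'ip nat inside' interface Po20.2900.
    NAT selects a rule by the packet's source address only; both list 7 and
    list 8 cover 10.254.0.0/16, so a 10.254.x.x source is ambiguous whichever
    peer it was decrypted from."""
    return [acl for acl, net, _pool in NAT_RULES if in_net(pkt.src, net)]


def outside_to_inside_nat(pkt: Packet) -> Packet:
    """LAN reply entering on 'ip nat outside' Po20.2901 and leaving via Po20.2900:
    global->local translation of the destination happens before routing and
    before the crypto map is checked."""
    local = TRANSLATIONS.get(pkt.dst)
    return Packet(pkt.src, local) if local else pkt


def crypto_match(pkt: Packet, crypto_map):
    """(seq, peer) of the first crypto-map entry whose ACL matches, else None."""
    for seq, peer, (s, d) in crypto_map:
        if pkt.src == s and pkt.dst == d:
            return seq, peer
    return None


def encrypt_path(reply: Packet, crypto_map):
    """Return-direction path: NAT, then routing out Po20.2900 (implicit here),
    then crypto-map selection against the post-NAT packet."""
    post_nat = outside_to_inside_nat(reply)
    return post_nat, crypto_match(post_nat, crypto_map)


if __name__ == "__main__":
    print(nat_rules_matching(Packet("10.254.10.10", "130.96.10.92")))
    for cm in (CRYPTO_MAP_AS_POSTED, CRYPTO_MAP_POST_NAT):
        for reply in (Packet("130.96.10.92", "130.96.10.223"),
                      Packet("130.96.11.14", "130.96.11.223")):
            print(encrypt_path(reply, cm))
```

Running it shows both NAT lists claiming a 10.254.10.10 source, and a LAN reply arriving at the crypto map with its destination already un-PATed to 10.254.10.10: the match ACL is evaluated against the real remote address, and the two flows are separable there only by their distinct company-side sources.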

    Hey Nathan...
    My VPN is down at the moment, but I think you're going to have to manually configure all of the "clients" who are sharing the VPN to an IP range that your office uses. When you connect to your VPN, check your network prefs, and you'll see the IP addresses assigned to your VPN are similar to your network at the office. So, in a way, your sharing computer has 2 IP addresses... one from your modem or router at home, and one from the VPN server at the office. It's this 2nd IP address that allows you to appear to be on the network at the office.
    So, if you can find a way to set up your shared clients the same way... it might work. It will also be VERY helpful if your IP range at home is different from the IP range at the office... 192.168... for one... and 10.0.0 for the other. (Whether traffic will pass through your "sharing server" is a different matter altogether.)
    Now, and I'm really guessing here... if this works at all... you may only be able to access stuff from the office on your "shared clients" (i.e. no internet)... the way around that is to set up your VPN to allow VPN clients to pull stuff from the internet at the office through the VPN... and for the life of me I don't remember how that is done. But it will most likely be a bit slow.
    I'd start with the basics... setup one client with a manual IP address/router/dns servers, and try to ping a computer at the office. If this works... at least part of your problem is solved.
    With all that said... it may not work at all. Good Luck!

  • Unable to access certain ports over Site to Site VPN

    We have a client that has a Cisco 1801W firewall that is set up as a site-to-site VPN terminating to a Cisco ASA 5505. The tunnel is up and established, and I can ping from both sides of the tunnel.
    The problem is that the clients behind the Cisco ASA (192.168.2.x) cannot reach certain ports behind the router (192.168.1.x). The main thing we're trying to do is browse via UNC path (ex: \\192.168.1.120 from a 192.168.2.x machine).
    I got 3389 working after I changed this line:
    ip nat inside source static tcp 192.168.1.120 3389 y.y.x.x 3389 route-map SDM_RMAP_1 extendable
    I modified the command to include the public IP instead of interface FastEthernet0.
    I believe it has something to do with the way NAT and route-maps are set up currently, but I'm not familiar enough with them to make the changes. I worked with Cisco to ensure the VPN tunnel was fine, and it's something security-related on the router.
    Here is the configuration (a few unnecessary lines removed; y.y.x.x = WAN IP of the router, x.x.y.y = WAN IP of the ASA).
    Building configuration...
    Current configuration : 23648 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname PrarieTow
    boot-start-marker
    boot-end-marker
    logging buffered 52000
    enable secret 5 $1$7Ab8$oFQY76OPhJm/UUkXfqCbl/
    aaa new-model
    aaa group server radius rad_eap
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login default local
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization ipmobile default group rad_pmip
    aaa accounting network acct_methods start-stop group rad_acct
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key Ch4C5eSP address x.x.y.y
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map SDM_CMAP_1 1 ipsec-isakmp
    description Tunnel tox.x.y.y
    set peer x.x.y.y
    set transform-set ESP-3DES-SHA
    match address 118
    no ip source-route
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.1.1 192.168.1.19
    ip dhcp excluded-address 192.168.1.101 192.168.1.254
    ip dhcp excluded-address 192.168.1.60
    ip dhcp excluded-address 192.168.1.120
    ip dhcp excluded-address 192.168.1.125
    ip dhcp excluded-address 192.168.1.126
    ip dhcp pool sdm-pool1
       network 192.168.1.0 255.255.255.0
       domain-name pltowing.local
       default-router 192.168.1.1
       dns-server 192.168.1.120 68.238.0.12
    no ip bootp server
    ip domain name pltowing
    ip name-server 184.16.4.22
    ip name-server 184.16.33.54
    ip port-map user-protocol--8 port udp 3389
    ip port-map user-protocol--9 port udp 14147
    ip port-map user-protocol--2 port tcp 3489
    ip port-map user-protocol--3 port udp 3489
    ip port-map user-protocol--1 port udp 3390
    ip port-map user-protocol--6 port udp 4431
    ip port-map user-protocol--7 port tcp 3389
    ip port-map user-protocol--4 port tcp 3390
    ip port-map user-protocol--5 port tcp 4431
    ip port-map user-protocol--13 port tcp 3487
    ip port-map user-protocol--12 port udp 3488
    ip port-map user-protocol--11 port tcp 3488
    ip port-map user-protocol--10 port tcp 14147
    ip port-map user-protocol--16 port tcp 8099
    ip port-map user-protocol--15 port udp 1194
    ip port-map user-protocol--14 port udp 3487
    ip inspect log drop-pkt
    multilink bundle-name authenticated
    parameter-map type protocol-info msn-servers
    server name messenger.hotmail.com
    server name gateway.messenger.hotmail.com
    server name webmessenger.msn.com
    parameter-map type protocol-info aol-servers
    server name login.oscar.aol.com
    server name toc.oscar.aol.com
    server name oam-d09a.blue.aol.com
    parameter-map type protocol-info yahoo-servers
    server name scs.msg.yahoo.com
    server name scsa.msg.yahoo.com
    server name scsb.msg.yahoo.com
    server name scsc.msg.yahoo.com
    server name scsd.msg.yahoo.com
    server name cs16.msg.dcn.yahoo.com
    server name cs19.msg.dcn.yahoo.com
    server name cs42.msg.dcn.yahoo.com
    server name cs53.msg.dcn.yahoo.com
    server name cs54.msg.dcn.yahoo.com
    server name ads1.vip.scd.yahoo.com
    server name radio1.launch.vip.dal.yahoo.com
    server name in1.msg.vip.re2.yahoo.com
    server name data1.my.vip.sc5.yahoo.com
    server name address1.pim.vip.mud.yahoo.com
    server name edit.messenger.yahoo.com
    server name messenger.yahoo.com
    server name http.pager.yahoo.com
    server name privacy.yahoo.com
    server name csa.yahoo.com
    server name csb.yahoo.com
    server name csc.yahoo.com
    username prairie privilege 15 password 0 towing
    archive
    log config
      hidekeys
    ip ssh version 2
    class-map type inspect match-all sdm-nat-user-protocol--7-1
    match access-group 108
    match protocol user-protocol--7
    class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
    match access-group 120
    class-map type inspect match-all sdm-nat-user-protocol--6-1
    match access-group 107
    match protocol user-protocol--6
    class-map type inspect match-any SDM_HTTPS
    match access-group name SDM_HTTPS
    class-map type inspect match-any SDM_SSH
    match access-group name SDM_SSH
    class-map type inspect match-any SDM_SHELL
    match access-group name SDM_SHELL
    class-map type inspect match-any sdm-cls-access
    match class-map SDM_HTTPS
    match class-map SDM_SSH
    match class-map SDM_SHELL
    class-map type inspect match-all sdm-nat-user-protocol--5-1
    match access-group 106
    match protocol user-protocol--5
    class-map type inspect match-all sdm-nat-user-protocol--4-1
    match access-group 105
    match protocol user-protocol--4
    class-map type inspect match-all sdm-nat-user-protocol--3-1
    match access-group 104
    match protocol user-protocol--3
    class-map type inspect match-all sdm-nat-user-protocol--2-1
    match access-group 103
    match protocol user-protocol--2
    class-map type inspect match-all sdm-nat-user-protocol--1-1
    match access-group 102
    match protocol user-protocol--1
    class-map type inspect match-any SDM_AH
    match access-group name SDM_AH
    class-map type inspect imap match-any sdm-app-imap
    match  invalid-command
    class-map type inspect match-all sdm-nat-user-protocol--9-1
    match access-group 110
    match protocol user-protocol--9
    class-map type inspect match-all sdm-nat-user-protocol--8-1
    match access-group 109
    match protocol user-protocol--8
    class-map type inspect match-any sdm-cls-protocol-p2p
    match protocol edonkey signature
    match protocol gnutella signature
    match protocol kazaa2 signature
    match protocol fasttrack signature
    match protocol bittorrent signature
    class-map type inspect match-any sdm-cls-insp-traffic
    match protocol cuseeme
    match protocol dns
    match protocol ftp
    match protocol h323
    match protocol https
    match protocol icmp
    match protocol imap
    match protocol pop3
    match protocol netshow
    match protocol shell
    match protocol realmedia
    match protocol rtsp
    match protocol smtp extended
    match protocol sql-net
    match protocol streamworks
    match protocol tftp
    match protocol vdolive
    match protocol tcp
    match protocol udp
    class-map type inspect match-all sdm-insp-traffic
    match class-map sdm-cls-insp-traffic
    class-map type inspect match-any SDM_ESP
    match access-group name SDM_ESP
    class-map type inspect match-any SDM_VPN_TRAFFIC
    match protocol isakmp
    match protocol ipsec-msft
    match class-map SDM_AH
    match class-map SDM_ESP
    class-map type inspect match-all SDM_VPN_PT
    match access-group 119
    match class-map SDM_VPN_TRAFFIC
    class-map type inspect gnutella match-any sdm-app-gnutella
    match  file-transfer
    class-map type inspect match-any SDM-Voice-permit
    match protocol h323
    match protocol skinny
    match protocol sip
    class-map type inspect ymsgr match-any sdm-app-yahoo-otherservices
    match  service any
    class-map type inspect msnmsgr match-any sdm-app-msn-otherservices
    match  service any
    class-map type inspect match-all sdm-protocol-pop3
    match protocol pop3
    class-map type inspect match-all sdm-nat-user-protocol--16-1
    match access-group 117
    match protocol user-protocol--16
    class-map type inspect match-all sdm-nat-user-protocol--14-1
    match access-group 115
    match protocol user-protocol--14
    class-map type inspect match-all sdm-nat-user-protocol--15-1
    match access-group 116
    match protocol user-protocol--15
    class-map type inspect match-all sdm-nat-user-protocol--12-1
    match access-group 113
    match protocol user-protocol--12
    class-map type inspect match-all sdm-nat-user-protocol--13-1
    match access-group 114
    match protocol user-protocol--13
    class-map type inspect match-all sdm-nat-user-protocol--10-1
    match access-group 111
    match protocol user-protocol--10
    class-map type inspect match-all sdm-nat-user-protocol--11-1
    match access-group 112
    match protocol user-protocol--11
    class-map type inspect match-any sdm-cls-icmp-access
    match protocol icmp
    match protocol tcp
    match protocol udp
    class-map type inspect match-any sdm-cls-protocol-im
    match protocol ymsgr yahoo-servers
    match protocol msnmsgr msn-servers
    match protocol aol aol-servers
    class-map type inspect aol match-any sdm-app-aol-otherservices
    match  service any
    class-map type inspect pop3 match-any sdm-app-pop3
    match  invalid-command
    class-map type inspect match-all sdm-access
    match class-map sdm-cls-access
    match access-group 101
    class-map type inspect kazaa2 match-any sdm-app-kazaa2
    match  file-transfer
    class-map type inspect match-all sdm-protocol-p2p
    match class-map sdm-cls-protocol-p2p
    class-map type inspect http match-any sdm-http-blockparam
    match  request port-misuse im
    match  request port-misuse p2p
    match  req-resp protocol-violation
    class-map type inspect match-all sdm-protocol-im
    match class-map sdm-cls-protocol-im
    class-map type inspect match-all sdm-invalid-src
    match access-group 100
    class-map type inspect match-all sdm-icmp-access
    match class-map sdm-cls-icmp-access
    class-map type inspect ymsgr match-any sdm-app-yahoo
    match  service text-chat
    class-map type inspect msnmsgr match-any sdm-app-msn
    match  service text-chat
    class-map type inspect edonkey match-any sdm-app-edonkey
    match  file-transfer
    match  text-chat
    match  search-file-name
    class-map type inspect http match-any sdm-app-httpmethods
    match  request method bcopy
    match  request method bdelete
    match  request method bmove
    match  request method bpropfind
    match  request method bproppatch
    match  request method connect
    match  request method copy
    match  request method delete
    match  request method edit
    match  request method getattribute
    match  request method getattributenames
    match  request method getproperties
    match  request method index
    match  request method lock
    match  request method mkcol
    match  request method mkdir
    match  request method move
    match  request method notify
    match  request method options
    match  request method poll
    match  request method propfind
    match  request method proppatch
    match  request method put
    match  request method revadd
    match  request method revlabel
    match  request method revlog
    match  request method revnum
    match  request method save
    match  request method search
    match  request method setattribute
    match  request method startrev
    match  request method stoprev
    match  request method subscribe
    match  request method trace
    match  request method unedit
    match  request method unlock
    match  request method unsubscribe
    class-map type inspect edonkey match-any sdm-app-edonkeychat
    match  search-file-name
    match  text-chat
    class-map type inspect http match-any sdm-http-allowparam
    match  request port-misuse tunneling
    class-map type inspect fasttrack match-any sdm-app-fasttrack
    match  file-transfer
    class-map type inspect match-all sdm-protocol-http
    match protocol http
    class-map type inspect edonkey match-any sdm-app-edonkeydownload
    match  file-transfer
    class-map type inspect match-all sdm-protocol-imap
    match protocol imap
    class-map type inspect aol match-any sdm-app-aol
    match  service text-chat
    policy-map type inspect sdm-permit-icmpreply
    class type inspect sdm-icmp-access
      inspect
    class class-default
      pass
    policy-map type inspect p2p sdm-action-app-p2p
    class type inspect edonkey sdm-app-edonkeychat
      log
      allow
    class type inspect edonkey sdm-app-edonkeydownload
      log
      allow
    class type inspect fasttrack sdm-app-fasttrack
      log
      allow
    class type inspect gnutella sdm-app-gnutella
      log
      allow
    class type inspect kazaa2 sdm-app-kazaa2
      log
      allow
    class class-default
    policy-map type inspect sdm-pol-NATOutsideToInside-1
    class type inspect sdm-nat-user-protocol--1-1
      inspect
    class type inspect sdm-nat-user-protocol--2-1
      inspect
    class type inspect sdm-nat-user-protocol--3-1
      inspect
    class type inspect sdm-nat-user-protocol--4-1
      inspect
    class type inspect sdm-nat-user-protocol--5-1
      inspect
    class type inspect sdm-nat-user-protocol--6-1
      inspect
    class type inspect sdm-nat-user-protocol--7-1
      inspect
    class type inspect sdm-nat-user-protocol--8-1
      inspect
    class type inspect sdm-nat-user-protocol--9-1
      inspect
    class type inspect sdm-nat-user-protocol--10-1
      inspect
    class type inspect sdm-nat-user-protocol--11-1
      inspect
    class type inspect sdm-nat-user-protocol--12-1
      inspect
    class type inspect sdm-nat-user-protocol--13-1
      inspect
    class type inspect sdm-nat-user-protocol--14-1
      inspect
    class type inspect sdm-nat-user-protocol--15-1
      inspect
    class type inspect sdm-nat-user-protocol--16-1
      inspect
    class type inspect sdm-cls-VPNOutsideToInside-1
      inspect
    class class-default
    policy-map type inspect imap sdm-action-imap
    class type inspect imap sdm-app-imap
      log
    class class-default
    policy-map type inspect pop3 sdm-action-pop3
    class type inspect pop3 sdm-app-pop3
      log
    class class-default
    policy-map type inspect im sdm-action-app-im
    class type inspect aol sdm-app-aol
      log
      allow
    class type inspect msnmsgr sdm-app-msn
      log
      allow
    class type inspect ymsgr sdm-app-yahoo
      log
      allow
    class type inspect aol sdm-app-aol-otherservices
      log
      reset
    class type inspect msnmsgr sdm-app-msn-otherservices
      log
      reset
    class type inspect ymsgr sdm-app-yahoo-otherservices
      log
      reset
    class class-default
    policy-map type inspect sdm-inspect
    class type inspect sdm-invalid-src
      inspect
    class type inspect sdm-protocol-http
      inspect
    class type inspect sdm-protocol-imap
      inspect
      service-policy imap sdm-action-imap
    class type inspect sdm-protocol-pop3
      inspect
      service-policy pop3 sdm-action-pop3
    class type inspect sdm-protocol-p2p
      inspect
      service-policy p2p sdm-action-app-p2p
    class type inspect sdm-protocol-im
      inspect
      service-policy im sdm-action-app-im
    class type inspect sdm-insp-traffic
      inspect
    class type inspect SDM-Voice-permit
      inspect
    class class-default
      pass
    policy-map type inspect http sdm-action-app-http
    class type inspect http sdm-http-blockparam
      log
      reset
    class type inspect http sdm-app-httpmethods
      log
      reset
    class type inspect http sdm-http-allowparam
      log
      allow
    class class-default
    policy-map type inspect sdm-permit
    class type inspect SDM_VPN_PT
      pass
    class type inspect sdm-access
      inspect
    class class-default
    zone security out-zone
    zone security in-zone
    zone-pair security sdm-zp-self-out source self destination out-zone
    service-policy type inspect sdm-permit-icmpreply
    zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
    service-policy type inspect sdm-pol-NATOutsideToInside-1
    zone-pair security sdm-zp-out-self source out-zone destination self
    service-policy type inspect sdm-permit
    zone-pair security sdm-zp-in-out source in-zone destination out-zone
    service-policy type inspect sdm-inspect
    bridge irb
    interface FastEthernet0
    description $ETH-LAN$$FW_OUTSIDE$
    ip address y.y.x.x 255.255.255.252
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip virtual-reassembly
    zone-member security out-zone
    duplex auto
    speed auto
    crypto map SDM_CMAP_1
    interface BRI0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    encapsulation hdlc
    shutdown
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface FastEthernet4
    interface FastEthernet5
    interface FastEthernet6
    interface FastEthernet7
    interface FastEthernet8
    interface Vlan1
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    bridge-group 1
    interface BVI1
    description $FW_INSIDE$
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    zone-member security in-zone
    ip default-gateway 50.50.20.105
    ip route 0.0.0.0 0.0.0.0 50.50.20.105
    ip route 10.8.0.0 255.255.255.0 192.168.1.251
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    ip nat inside source static tcp 192.168.1.120 8099 interface FastEthernet0 8099
    ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
    ip nat inside source static udp 192.168.1.251 1194 y.y.x.x 1194 route-map SDM_RMAP_1 extendable
    ip nat inside source static tcp 192.168.1.120 3389 y.y.x.x 3389 route-map SDM_RMAP_1 extendable
    ip nat inside source static udp 192.168.1.120 3389 y.y.x.x 3389 route-map SDM_RMAP_1 extendable
    ip nat inside source static tcp 192.168.1.125 3489 y.y.x.x 3390 route-map SDM_RMAP_1 extendable
    ip nat inside source static udp 192.168.1.120 3390 y.y.x.x 3390 route-map SDM_RMAP_1 extendable
    ip nat inside source static tcp 192.168.1.126 3487 y.y.x.x 3487 route-map SDM_RMAP_1 extendable
    ip nat inside source static udp 192.168.1.126 3487 y.y.x.x 3487 route-map SDM_RMAP_1 extendable
    ip nat inside source static tcp 192.168.1.126 3488 y.y.x.x 3488 route-map SDM_RMAP_1 extendable
    ip nat inside source static udp 192.168.1.126 3488 y.y.x.x 3488 route-map SDM_RMAP_1 extendable
    ip nat inside source static udp 192.168.1.125 3489 y.y.x.x 3489 route-map SDM_RMAP_1 extendable
    ip nat inside source static tcp 192.168.1.120 4431 y.y.x.x 4431 route-map SDM_RMAP_1 extendable
    ip nat inside source static udp 192.168.1.120 4431 y.y.x.x 4431 route-map SDM_RMAP_1 extendable
    ip nat inside source static tcp 192.168.1.120 14147 y.y.x.x 14147 route-map SDM_RMAP_1 extendable
    ip nat inside source static udp 192.168.1.120 14147 y.y.x.x 14147 route-map SDM_RMAP_1 extendable
    ip access-list extended SDM_AH
    remark SDM_ACL Category=1
    permit ahp any any
    ip access-list extended SDM_ESP
    remark SDM_ACL Category=1
    permit esp any any
    ip access-list extended SDM_HTTPS
    remark SDM_ACL Category=1
    permit tcp any any eq 443
    ip access-list extended SDM_SHELL
    remark SDM_ACL Category=1
    permit tcp any any eq cmd
    ip access-list extended SDM_SSH
    remark SDM_ACL Category=1
    permit tcp any any eq 22
    access-list 1 permit 192.168.1.0 0.0.0.255
    access-list 2 remark SDM_ACL Category=2
    access-list 2 permit 192.168.1.0 0.0.0.255
    access-list 100 remark SDM_ACL Category=128
    access-list 100 permit ip host 255.255.255.255 any
    access-list 100 permit ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip 50.50.20.104 0.0.0.3 any
    access-list 101 remark SDM_ACL Category=128
    access-list 101 permit ip any any
    access-list 102 remark SDM_ACL Category=0
    access-list 102 permit ip any host 192.168.1.120
    access-list 103 remark SDM_ACL Category=0
    access-list 103 permit ip any host 192.168.1.125
    access-list 104 remark SDM_ACL Category=0
    access-list 104 permit ip any host 192.168.1.125
    access-list 105 remark SDM_ACL Category=0
    access-list 105 permit ip any host 192.168.1.120
    access-list 106 remark SDM_ACL Category=0
    access-list 106 permit ip any host 192.168.1.120
    access-list 107 remark SDM_ACL Category=0
    access-list 107 permit ip any host 192.168.1.120
    access-list 108 remark SDM_ACL Category=0
    access-list 108 permit ip any host 192.168.1.120
    access-list 109 remark SDM_ACL Category=0
    access-list 109 permit ip any host 192.168.1.120
    access-list 110 remark SDM_ACL Category=0
    access-list 110 permit ip any host 192.168.1.120
    access-list 111 remark SDM_ACL Category=0
    access-list 111 permit ip any host 192.168.1.120
    access-list 112 remark SDM_ACL Category=0
    access-list 112 permit ip any host 192.168.1.126
    access-list 113 remark SDM_ACL Category=0
    access-list 113 permit ip any host 192.168.1.126
    access-list 114 remark SDM_ACL Category=0
    access-list 114 permit ip any host 192.168.1.126
    access-list 115 remark SDM_ACL Category=0
    access-list 115 permit ip any host 192.168.1.126
    access-list 116 remark SDM_ACL Category=0
    access-list 116 permit ip any host 192.168.1.251
    access-list 117 remark SDM_ACL Category=0
    access-list 117 permit ip any host 192.168.1.120
    access-list 118 remark SDM_ACL Category=4
    access-list 118 remark IPSec Rule
    access-list 118 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 119 remark SDM_ACL Category=128
    access-list 119 permit ip host x.x.y.y any
    access-list 120 remark SDM_ACL Category=0
    access-list 120 remark IPSec Rule
    access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 121 remark SDM_ACL Category=2
    access-list 121 remark IPSec Rule
    access-list 121 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 121 permit ip 192.168.1.0 0.0.0.255 any
    no cdp run
    route-map SDM_RMAP_1 permit 1
    match ip address 121
    radius-server attribute 32 include-in-access-req format %h
    radius-server vsa send accounting
    control-plane
    bridge 1 protocol ieee
    bridge 1 route ip
    bridge 2 route ip
    line con 0
    line aux 0
    line vty 0 4
    privilege level 15
    transport input ssh
    webvpn cef
    end

    Hello Frank,
    Just to clarify, you have changed the rule so that y.y.x.x is the router's WAN link:
    ip nat inside source static tcp 192.168.1.120 3389 y.y.x.x 3389 route-map SDM_RMAP_1 extendable
    and after that you could access 192.168.1.120:3389 from the 192.168.2.0 network?
    The above rule does a static translation of 192.168.1.120:3389 to your WAN link for all traffic EXCEPT VPN.
    So maybe you were trying to access y.y.x.x (not 192.168.1.120) port 3389 from the 192.168.2.0 network?
    (and that traffic is not being sent via the VPN but just routed normally through the Internet)
    Michal
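An added illustration, not from either post and not IOS code: a model of two decisions the posted 1801W configuration makes for a given flow, built from its own ACLs, port-maps and class-map order. The first is route-map SDM_RMAP_1 with access-list 121, the behaviour Michal's reply describes: a 192.168.1.0/24 to 192.168.2.0/24 flow is denied by the route-map, so it is not translated and reaches the crypto check (access-list 118) with its real addresses, while anything else from the LAN is translated to the WAN address and goes out in the clear. The second is the walk through policy-map sdm-pol-NATOutsideToInside-1 on the out-zone to in-zone pair: the first matching class wins, and class-default, which has no action configured, drops. Assumptions: inspection sees the post-NAT private destination (as the class-map ACLs imply), the conditional static NAT entries are treated as plain source translations, the WAN address is kept as the post's placeholder y.y.x.x, and the sample flows are constructed.

```python
# Added example, not from the posts: trace a flow through the posted config's
# route-map NAT exemption (ACL 121 / crypto ACL 118) and through the out->in
# zone-pair policy sdm-pol-NATOutsideToInside-1. Assumptions: NAT runs before
# the crypto check, inspection sees post-NAT addresses, class-default = drop.
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


def in_net(addr: str, net: str) -> bool:
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(net)
    except ValueError:  # placeholder such as the post's "y.y.x.x"
        return False


def nat_route_map_permits(f: Flow) -> bool:
    """access-list 121 behind route-map SDM_RMAP_1: deny the VPN pair, permit the rest."""
    if in_net(f.src, "192.168.1.0/24") and in_net(f.dst, "192.168.2.0/24"):
        return False  # deny -> the NAT entry is not applied
    return in_net(f.src, "192.168.1.0/24")  # permit ip 192.168.1.0/24 any


def crypto_acl_118(f: Flow) -> bool:
    """access-list 118: 192.168.1.0/24 -> 192.168.2.0/24 is interesting traffic."""
    return in_net(f.src, "192.168.1.0/24") and in_net(f.dst, "192.168.2.0/24")


def inside_to_outside(f: Flow, wan_ip: str = "y.y.x.x") -> str:
    """LAN -> FastEthernet0: NAT (gated by the route-map) precedes the crypto check."""
    if nat_route_map_permits(f):
        f = Flow(wan_ip, f.dst, f.proto, f.dport)
    return "encrypted" if crypto_acl_118(f) else f"clear from {f.src}"


# ip port-map user-protocol--N entries, and the host named by each class's ACL (101+N).
PORT_MAP = {1: ("udp", 3390), 2: ("tcp", 3489), 3: ("udp", 3489), 4: ("tcp", 3390),
            5: ("tcp", 4431), 6: ("udp", 4431), 7: ("tcp", 3389), 8: ("udp", 3389),
            9: ("udp", 14147), 10: ("tcp", 14147), 11: ("tcp", 3488), 12: ("udp", 3488),
            13: ("tcp", 3487), 14: ("udp", 3487), 15: ("udp", 1194), 16: ("tcp", 8099)}
ACL_HOST = {102: "192.168.1.120", 103: "192.168.1.125", 104: "192.168.1.125",
            105: "192.168.1.120", 106: "192.168.1.120", 107: "192.168.1.120",
            108: "192.168.1.120", 109: "192.168.1.120", 110: "192.168.1.120",
            111: "192.168.1.120", 112: "192.168.1.126", 113: "192.168.1.126",
            114: "192.168.1.126", 115: "192.168.1.126", 116: "192.168.1.251",
            117: "192.168.1.120"}


def _port_class(n: int):
    """class-map match-all sdm-nat-user-protocol--N-1: ACL (101+N) AND user-protocol--N."""
    proto, port = PORT_MAP[n]
    host = ACL_HOST[101 + n]
    return (f"sdm-nat-user-protocol--{n}-1", "inspect",
            lambda f: f.dst == host and f.proto == proto and f.dport == port)


# Classes in the order they appear in sdm-pol-NATOutsideToInside-1.
POLICY = [_port_class(n) for n in range(1, 17)] + [
    ("sdm-cls-VPNOutsideToInside-1", "inspect",  # match access-group 120
     lambda f: in_net(f.src, "192.168.2.0/24") and in_net(f.dst, "192.168.1.0/24")),
]


def classify_out_to_in(f: Flow):
    """First matching class wins; otherwise class-default, which has no action (drop)."""
    for name, action, pred in POLICY:
        if pred(f):
            return name, action
    return "class-default", "drop"


if __name__ == "__main__":
    print(inside_to_outside(Flow("192.168.1.120", "192.168.2.10", "tcp", 445)))
    print(inside_to_outside(Flow("192.168.1.120", "198.51.100.9", "tcp", 443)))
    print(classify_out_to_in(Flow("192.168.2.10", "192.168.1.120", "tcp", 445)))
    print(classify_out_to_in(Flow("198.51.100.9", "192.168.1.120", "tcp", 445)))
```

The route-map side reproduces Michal's point: only non-VPN traffic is translated to the WAN address, so a 192.168.2.x host must target 192.168.1.120 itself, not y.y.x.x, to use the tunnel. The policy walk shows where an out-zone flow lands: tunnel traffic to a configured port hits the matching user-protocol class first, any other tunnel traffic lands in sdm-cls-VPNOutsideToInside-1, and Internet traffic to an unpublished port falls through to class-default and is dropped.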
