Access another network through VPN

Similar Questions

• Access to a remote network through VPN remote access

  Hello

  I'm having a problem with users who access VPN from home.  We currently have 3 offices facility, as shown below.  When I VPN in the Philadelphia office, I am unable to access the resources of Connecticut offices or North Carolina.

  The VPN subnet is 192.168.10.0.  Inside the office of the PA, I have no problem with NC or CT.  I have to add a static route from the Pennsylvania Treasury and NC?  If so, could you give me a hand with the correct syntax?

  Office <-----------IPSecVPN---------->Office <------------IPSecVPN------------->Office of Connecticut from Pennsylvania, North Carolina

  192.168.5.0                                                            192.168.1.0                                                        192.168.2.0

  Hello

  Yes, basically the ASA accommodation the customer VPN service in this case well enough is the same configuration related to two sites with the exception of course which is obvious

  • Networks/subnets
  • Different ACL for each VPN L2L

  Although naturally the problem for me is the WRVS4400N configuration.

  Basically, you do the same things on this unit than the other remote site.

  You add the VPN pool as another remote network for VPN L2L configurations. You also confirm that there is operation NAT0 for this network also. I don't know I can help you there as I do not know the device.

  Can you please mark it as answered and evaluate other useful answers

  Naturally ask for more and I'll try to help you if I can

  -Jouni

• burned by another router through vpn

  Hello

  Here's the deal:

  RV042G <--------VPN------->ROUTER1 ROUTER2<---lan1--><---lan2--->

  I have a RV042G connected to a router '1' (LAN1) via a VPN. I have another ('2' for LAN2) router behind the local '1' with another network router (no bridge, a different IP address).

  For now, I PING the IP wan router "2" of the RV042G, but the distant RV042G, I can't access the devices behind the router '2' on LAN2. The opposite is true, the LAN2 I can ping all devices on any LAN included behind the VPN LAN

  On the RV042G, I put a static route to indicate that the IP address of the LAN '2' was available router WAN '2', but a traceroute always shows that I don't use the VPN and ask my gateway provider instead. The static route list does not show the road, that I put.

  At this point, I'm a little lost. What can I do to tell the RV that route to ROUTER2 is via the vpn and not my provider gateway?

  Thanks for any help (and sorry for my bad English)

  After reading this guide:

  http://www.Cisco.com/c/dam/en/us/TD/docs/routers/CSBR/rv0xx/administrati...

  ... take a look on page 110. Group "remote control" is where you would list the subnets that are accessible through the VPN. Currently this group must contain "LAN1", so you'll need to add "LAN2.

  see you soon,

  SEB.

• Cannot access remote network via VPN

  Hello

  I'm trying to set up a router vpn access to my office network. The router is connected to the Internet through using pppoe vdsl.
  There is also a public oriented Web server in the office which must be accessible.

  I can access the Web server from the Internet and the vpn connects successfully. I can also ping the LAN Gateway, however, I can't access all the local machines.

  I'm quite puzzled as to why it does not work. Please could someone help.

  The results of tests and the router configuration are listed below. Please let me know if you need additional information.

  Thank you and best regards,
  Simon

  1. routing on the router table
  Router #sh ip route
  Gateway of last resort is ggg.hhh.125.34 to network 0.0.0.0
  xxx.yyy.zzz.0/29 is divided into subnets, subnets 1
  C XXX.yyy.zzz.192 is directly connected, Vlan10
  GGG.hhh.125.0/32 is divided into subnets, subnets 1
  C GGG.HHH.125.34 is directly connected, Dialer0
  172.16.0.0/32 is divided into subnets, subnets 1
  S 172.16.100.50 [1/0] via mmm.nnn.ppp.sss
  S * 0.0.0.0/0 [1/0] via ggg.hhh.125.34

  2. ping PC remotely (172.16.100.50) local GW (172.16.100.1) successful
  > ping 172.16.100.1
  Ping 172.16.100.1 with 32 bytes of data:
  Response to 172.16.100.1: bytes = 32 time = 24ms TTL = 255
  Response to 172.16.100.1: bytes = 32 time = 10ms TTL = 255
  Response to 172.16.100.1: bytes = 32 time = 10ms TTL = 255
  Response to 172.16.100.1: bytes = 32 time = 11ms TTL = 255

  3. ping PC remotely (172.16.100.50) to the local server (172.16.100.10) failure
  > ping 172.16.100.10
  Ping 172.16.100.10 with 32 bytes of data:
  Request timed out.
  Request timed out.
  Request timed out.
  Request timed out.

  4. ping the router to the successful local server
  router #ping 172.16.100.10
  Type to abort escape sequence.
  Send 5, echoes ICMP 100 bytes to 172.16.100.10, wait time is 2 seconds:
  !!!!!
  Success rate is 100 per cent (5/5), round-trip min/avg/max = 1/1/4 ms

  5 see the version
  Cisco IOS software, software of C181X (C181X-ADVIPSERVICESK9-M), Version 12.4 (15) T1, VERSION of the SOFTWARE (fc2)
  ROM: System Bootstrap, Version 12.3 YH6 (8r), RELEASE SOFTWARE (fc1)
  the availability of router is 1 hour, 9 minutes
  System image file is "flash: c181x-advipservicesk9 - mz.124 - 15.T1.bin".
  Cisco 1812-J (MPC8500) processor (revision 0 x 300) with 118784K / 12288K bytes of memory.
  10 FastEthernet interfaces
  1 ISDN basic rate interface
  Configuration register is 0 x 2102

  6. router Config
  AAA authentication login default local
  connection of local AAA VPN authentication.
  AAA authorization exec default local
  local authorization AAA VPN network
  !
  !
  AAA - the id of the joint session
  !
  !
  !
  !
  crypto ISAKMP policy 1
  BA 3des
  preshared authentication
  Group 2
  !
  Configuration group customer isakmp crypto ASI_Group
  key mykey
  DNS aaa.bbb.cccc.ddd
  domain mydomain.com
  pool VPN_Pool
  ACL VPN_ACL
  !
  !
  Crypto ipsec transform-set esp-3des esp-sha-hmac TS1
  !
  crypto dynamic-map 10 DYNMAP
  game of transformation-TS1
  market arriere-route
  !
  !
  list of authentication of VPN client VPN crypto card
  card crypto VPN VPN isakmp authorization list
  crypto map VPN client configuration address respond
  card crypto 10 VPN ipsec-isakmp dynamic DYNMAP
  !
  !
  !
  IP cef
  !
  !
  !
  Authenticated MultiLink bundle-name Panel
  !
  !
  username admin privilege 15 password mypassword
  Archives
  The config log
  hidekeys
  !
  !
  !
  !
  !
  interface FastEthernet0
  WAN description
  no ip address
  no ip redirection
  no ip unreachable
  no ip proxy-arp
  no ip mroute-cache
  automatic duplex
  automatic speed
  PPPoE enable global group
  PPPoE-client dial-pool-number 1
  !
  interface FastEthernet2
  Description Public_LAN_Interface
  switchport access vlan 10
  full duplex
  Speed 100
  !
  FastEthernet6 interface
  Description Private_LAN_Interface
  switchport access vlan 100
  full duplex
  Speed 100
  !
  interface Vlan1
  no ip address
  !
  interface Vlan10
  Public description
  IP address xxx.yyy.zzz.193 255.255.255.248
  no ip redirection
  no ip unreachable
  no ip proxy-arp
  no ip mroute-cache
  !
  interface Vlan100
  172.16.100.1 IP address 255.255.255.0
  no ip redirection
  no ip unreachable
  no ip proxy-arp
  no ip mroute-cache
  !
  interface Dialer0
  IP unnumbered Vlan10
  no ip unreachable
  IP mtu 1452
  IP virtual-reassembly
  encapsulation ppp
  no ip mroute-cache
  Dialer pool 1
  Dialer-Group 1
  Authentication callin PPP chap Protocol
  PPP chap hostname myhostname
  PPP chap password mychappassword
  PPP ipcp dns request accept
  failure to track PPP ipcp
  PPP ipcp address accept
  VPN crypto card
  !
  IP pool local VPN_Pool 172.16.100.50 172.16.100.60
  !
  !
  no ip address of the http server
  no ip http secure server
  !
  VPN_ACL extended IP access list
  IP 172.16.100.0 allow 0.0.0.255 any
  !
  Dialer-list 1 ip protocol allow
  not run cdp
  !
  !

  Simon,

  Basically when you connect through a VPN Client PC routing table is updated automatically as soon as the connection is established. If you do not need to manually add routes. You can check this by doing a "route print" once you are connected.

  Ideally, you need to put your pool of VPN on subnet that does not exist on your physical network, the router would be to route traffic between the IP pool and internal subnet.

  Now, you said that you have a web server with a public IP address that you need to access through the VPN, that host also as a private IP addresses on the 172.16.100.0? If it isn't then the ACL that I proposed should work. If she only has a public IP then your ACL VPN address must have something like

  IP 172.16.100.0 allow 0.0.0.255 192.168.100.0 0.0.0.255

  219.xxx.yyy.192 ip 0.0.0.7 permit 192.168.100.0 0.0.0.255

  Who says the router and the client to encrypt all traffic between the subnets behind your router and your VPN pool.

  I hope this helps.

  Luis Raga

• Cannot access remote network by VPN Site to Site ASA

  Hello everyone

  First of all I must say that I have configured the VPN site-to site a million times before.  Stuck with it. First of all I can't ping outside the interface of my ASA remote. Secondly, VPN is in place, but no connectivity between local networks

  ASA local:
  hostname gyd - asa
  domain bct.az
  activate the encrypted password of XeY1QWHKPK75Y48j
  XeY1QWHKPK75Y48j encrypted passwd
  names of
  DNS-guard
  !
  interface GigabitEthernet0/0
  Shutdown
  nameif vpnswc
  security-level 0
  IP 10.254.17.41 255.255.255.248
  !
  interface GigabitEthernet0/1
  Vpn-turan-Baku description
  nameif outside Baku
  security-level 0
  IP 10.254.17.9 255.255.255.248
  !
  interface GigabitEthernet0/2
  Vpn-ganja description
  nameif outside-Ganja
  security-level 0
  IP 10.254.17.17 255.255.255.248
  !
  interface GigabitEthernet0/2.30
  Description remote access
  VLAN 30
  nameif remote access
  security-level 0
  IP 85.*. *. * 255.255.255.0
  !
  interface GigabitEthernet0/3
  Description BCT_Inside
  nameif inside-Bct
  security-level 100
  IP 10.40.50.65 255.255.255.252
  !
  interface Management0/0
  nameif management
  security-level 100
  IP 192.168.251.1 255.255.255.0
  management only
  !
  boot system Disk0: / asa823 - k8.bin
  passive FTP mode
  DNS server-group DefaultDNS
  name-server 192.168.1.3
  domain bct.az
  permit same-security-traffic intra-interface
  object-group network obj - 192.168.121.0
  object-group network obj - 10.40.60.0
  object-group network obj - 10.40.50.0
  object-group network obj - 192.168.0.0
  object-group network obj - 172.26.0.0
  object-group network obj - 10.254.17.0
  object-group network obj - 192.168.122.0
  object-group service obj-tcp-eq-22
  object-group network obj - 10.254.17.18
  object-group network obj - 10.254.17.10
  object-group network obj - 10.254.17.26
  access-list 110 scope ip allow a whole
  NAT list extended access permit tcp any host 10.254.17.10 eq ssh
  NAT list extended access permit tcp any host 10.254.17.26 eq ssh
  access-list extended ip allowed any one sheep
  icmp_inside list extended access permit icmp any one
  icmp_inside of access allowed any ip an extended list
  access list nat-ganja extended permit tcp any host 10.254.17.18 eq ssh
  RDP list extended access permit tcp any host 192.168.45.3 eq 3389
  rdp extended permitted any one ip access list
  sheep-vpn access-list extended permits all ip 192.168.121.0 255.255.255.0
  NAT-vpn-internet access-list extended ip 192.168.121.0 allow 255.255.255.0 any
  NAT-vpn-internet access-list extended ip 172.26.0.0 allow 255.255.255.0 any
  NAT-vpn-internet access-list extended ip 192.168.122.0 allow 255.255.255.0 any
  access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 10.40.60.0 255.255.255.0
  access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 10.40.50.0 255.255.255.0
  access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 192.168.0.0 255.255.0.0
  access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 172.26.0.0 255.255.255.0
  access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 10.254.17.0 255.255.255.0
  GHC-ganja-internet access-list extended ip 192.168.45.0 allow 255.255.255.0 any
  Standard access list Split_Tunnel_List allow 192.168.16.0 255.255.255.0
  azans 192.168.69.0 ip extended access-list allow 255.255.255.0 any
  permit inside_nat0_outbound to access extended list ip 192.168.0.0 255.255.0.0 192.168.121.0 255.255.255.0
  permit inside_nat0_outbound to access extended list ip 192.168.0.0 255.255.0.0 192.168.80.0 255.255.255.0
  pager lines 24
  Enable logging
  emblem of logging
  recording of debug console
  recording of debug trap
  asdm of logging of information
  Interior-Bct 192.168.1.27 host connection
  flow-export destination inside-Bct 192.168.1.27 9996
  vpnswc MTU 1500
  outside Baku MTU 1500
  outside-Ganja MTU 1500
  MTU 1500 remote access
  Interior-Bct MTU 1500
  management of MTU 1500
  IP local pool raccess 192.168.121.60 - 192.168.121.120 mask 255.255.255.0
  IP local pool ssl 192.168.121.130 - 192.168.121.200 mask 255.255.255.0
  no failover
  ICMP unreachable rate-limit 1 burst-size 1
  ICMP allow any outside Baku
  ICMP allow access remotely
  ICMP allow any interior-Bct
  ASDM image disk0: / asdm - 621.bin
  don't allow no asdm history
  ARP timeout 14400
  global (outside-Baku) 1 interface
  global (outside-Ganja) interface 2
  3 overall (RAS) interface
  azans access-list NAT 3 (outside-Ganja)
  NAT (remote access) 0 access-list sheep-vpn-city
  NAT 3 list nat-vpn-internet access (remote access)
  NAT (inside-Bct) 0-list of access inside_nat0_outbound
  NAT (inside-Bct) 2-nat-ganja access list
  NAT (inside-Bct) 1 access list nat
  Access-group rdp on interface outside-Ganja
  !
  Router eigrp 2008
  No Auto-resume
  neighbor 10.254.17.10 interface outside Baku
  neighbor 10.40.50.66 Interior-Bct interface
  Network 10.40.50.64 255.255.255.252
  Network 10.250.25.0 255.255.255.0
  Network 10.254.17.8 255.255.255.248
  Network 10.254.17.16 255.255.255.248
  redistribute static
  !
  Access remote 0.0.0.0 0.0.0.0 85.*. *. * 1
  Outside-Baku route 10.0.11.0 255.255.255.0 10.254.17.10 1
  Outside-Baku route 10.0.33.0 255.255.255.0 10.254.17.10 1
  Outside-Baku route 10.0.150.0 255.255.255.0 10.254.17.10 1
  Outside-Baku route 10.0.170.0 255.255.255.0 10.254.17.10 1
  Route outside Baku 10.254.17.24 255.255.255.248 10.254.17.10 1
  Route outside Baku 10.254.17.32 255.255.255.248 10.254.17.10 1
  Route outside Baku 192.1.1.0 255.255.255.0 10.254.17.10 1
  Outside-Baku route 192.168.27.0 255.255.255.0 10.254.17.10 1
  Outside-Baku route 192.168.39.0 255.255.255.0 10.254.17.10 1
  Route outside-Ganja 192.168.45.0 255.255.255.0 10.254.17.18 1
  Route outside-Ganja 192.168.66.0 255.255.255.0 10.254.17.18 1
  Route outside-Ganja 192.168.69.0 255.255.255.0 10.254.17.18 1
  Outside-Baku route 192.168.80.0 255.255.255.0 10.254.17.11 1
  Access remote 192.168.121.0 255.255.255.0 85.132.43.1 1
  Route outside-Ganja 192.168.184.0 255.255.255.0 10.254.17.18 1
  Route outside Baku 192.168.208.16 255.255.255.240 10.254.17.10 1
  Route outside-Ganja 192.168.208.112 255.255.255.240 10.254.17.18 1
  Route inside-Bct 192.168.254.0 255.255.255.0 10.40.50.66 1
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-registration DfltAccessPolicy
  AAA-server protocol Ganymede GANYMEDE +.
  AAA-server GANYMEDE (Interior-Bct) 192.168.1.8
  key *.
  AAA-server GANYMEDE (Interior-Bct) 192.168.22.46
  key *.
  RADIUS protocol AAA-server TACACS1
  AAA-server TACACS1 (Interior-Bct) host 192.168.1.8
  key *.
  AAA-server TACACS1 (Interior-Bct) host 192.168.22.46
  key *.
  authentication AAA ssh console LOCAL GANYMEDE
  Console to enable AAA authentication RADIUS LOCAL
  Console Telnet AAA authentication RADIUS LOCAL
  AAA accounting ssh console GANYMEDE
  Console Telnet accounting AAA GANYMEDE
  Enable http server
  http 192.168.1.0 255.255.255.0 management
  http 192.168.1.0 255.255.255.0 Interior-Bct
  http 192.168.139.0 255.255.255.0 Interior-Bct
  http 192.168.0.0 255.255.255.0 Interior-Bct
  Survey community SNMP-server host inside-Bct 192.168.1.27
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT
  Crypto ipsec transform-set newset aes - esp esp-md5-hmac
  Crypto ipsec transform-set esp-3des esp-sha-hmac myset2
  Crypto ipsec transform-set esp-3des esp-md5-hmac raccess
  Crypto ipsec transform-set esp-3des esp-sha-hmac vpnclienttrans
  Crypto ipsec transform-set vpnclienttrans transport mode
  life crypto ipsec security association seconds 2147483646
  Crypto ipsec kilobytes of life security-association 2147483646
  raccess 1 set transform-set vpnclienttrans crypto dyn1 dynamic-map
  correspondence address card crypto mymap 10 110
  card crypto mymap 10 peers set 10.254.17.10
  card crypto mymap 10 transform-set RIGHT
  correspondence address card crypto mymap 20 110
  card crypto mymap 20 peers set 10.254.17.11
  mymap 20 transform-set myset2 crypto card
  card crypto mymap interface outside Baku
  correspondence address card crypto ganja 10 110
  10 ganja crypto map peer set 10.254.17.18
  card crypto ganja 10 transform-set RIGHT
  card crypto interface outside-Ganja ganja
  correspondence address card crypto vpntest 20 110
  peer set card crypto vpntest 20 10.250.25.1
  newset vpntest 20 transform-set card crypto
  card crypto vpntest interface vpnswc
  vpnclientmap 30 card crypto ipsec-isakmp dynamic dyn1
  card crypto interface for remote access vpnclientmap
  Crypto ca trustpoint ASDM_TrustPoint0
  registration auto
  name of the object CN = gyd - asa .az .bct
  sslvpnkeypair key pair
  Configure CRL
  map of crypto DefaultCertificateMap 10 ca certificate

  crypto isakmp identity address
  ISAKMP crypto enable vpnswc
  ISAKMP crypto enable outside-Baku
  ISAKMP crypto enable outside-Ganja
  crypto ISAKMP enable remote access
  ISAKMP crypto enable Interior-Bct
  crypto ISAKMP policy 10
  preshared authentication
  3des encryption
  md5 hash
  Group 2
  life 86400
  crypto ISAKMP policy 20
  preshared authentication
  aes encryption
  md5 hash
  Group 2
  life 86400
  crypto ISAKMP policy 30
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  crypto ISAKMP policy 40
  preshared authentication
  aes encryption
  sha hash
  Group 2
  life 86400
  Crypto isakmp nat-traversal 30
  No vpn-addr-assign aaa
  Telnet timeout 5
  SSH 192.168.0.0 255.255.255.0 Interior-Bct
  SSH timeout 35
  Console timeout 0
  priority queue outside Baku
  queue-limit 2046
  TX-ring-limit 254
  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  Server NTP 192.168.1.3
  SSL encryption, 3des-sha1 rc4 - md5 aes128-sha1 sha1-aes256
  SSL-trust point ASDM_TrustPoint0 to vpnlb-ip remote access
  SSL-trust ASDM_TrustPoint0 remote access point
  WebVPN
  turn on remote access
  SVC disk0:/anyconnect-win-2.4.1012-k9.pkg 1 image
  enable SVC
  tunnel-group-list activate
  attributes of Group Policy DfltGrpPolicy
  Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
  internal group ssl policy
  attributes of group ssl policy
  banner welcome to SW value
  value of DNS-server 192.168.1.3
  Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
  group-lock value SSL
  WebVPN
  value of the SPS URL-list
  internal vpn group policy
  attributes of vpn group policy
  value of DNS-server 192.168.1.3
  Protocol-tunnel-VPN IPSec l2tp ipsec
  disable the PFS
  BCT.AZ value by default-field
  ssl VPN-group-strategy
  WebVPN
  value of the SPS URL-list
  IPSec-attributes tunnel-group DefaultL2LGroup
  ISAKMP retry threshold 20 keepalive 5
  attributes global-tunnel-group DefaultRAGroup
  raccess address pool
  Group-RADIUS authentication server
  Group Policy - by default-vpn
  IPSec-attributes tunnel-group DefaultRAGroup
  pre-shared key *.
  ISAKMP retry threshold 20 keepalive 5
  IPSec-attributes tunnel-group DefaultWEBVPNGroup
  ISAKMP retry threshold 20 keepalive 5
  tunnel-group 10.254.17.10 type ipsec-l2l
  IPSec-attributes tunnel-group 10.254.17.10
  pre-shared key *.
  ISAKMP retry threshold 20 keepalive 5
  type SSL tunnel-group remote access
  attributes global-group-tunnel SSL
  ssl address pool
  Authentication (remote access) LOCAL servers group
  Group Policy - by default-ssl
  certificate-use-set-name username
  Group-tunnel SSL webvpn-attributes
  enable SSL group-alias
  Group-url https://85. *. *. * / activate
  tunnel-group 10.254.17.18 type ipsec-l2l
  IPSec-attributes tunnel-group 10.254.17.18
  pre-shared key *.
  ISAKMP retry threshold 20 keepalive 5
  tunnel-group 10.254.17.11 type ipsec-l2l
  IPSec-attributes tunnel-group 10.254.17.11
  pre-shared key *.
  ISAKMP retry threshold 20 keepalive 5
  type tunnel-group DefaultSWITGroup remote access
  attributes global-tunnel-group DefaultSWITGroup
  raccess address pool
  Group-RADIUS authentication server
  Group Policy - by default-vpn
  IPSec-attributes tunnel-group DefaultSWITGroup
  pre-shared key *.
  !
  type of policy-card inspect dns migrated_dns_map_1
  parameters
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the migrated_dns_map_1 dns
  inspect the rsh
  inspect the rtsp
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect the netbios
  Review the ip options
  class flow_export_cl
  flow-export-type of event all the destination 192.168.1.27
  class class by default
  flow-export-type of event all the destination 192.168.1.27
  Policy-map Voicepolicy
  class voice
  priority
  The class data
  police release 80000000
  !
  global service-policy global_policy
  service-policy interface outside Baku Voicepolicy
  context of prompt hostname

  Cryptochecksum:4f35f975ba7a0c11f7f46dfd541d266f
  : end
  GYD - asa #.

  ASA remote:
  ASA Version 8.2 (3)
  !
  ciscoasa hostname
  activate the encrypted password of XeY1QWHKPK75Y48j
  2KFQnbNIdI.2KYOU encrypted passwd
  names of
  DNS-guard
  !
  interface Ethernet0/0
  nameif inside
  security-level 100
  IP 192.168.80.14 255.255.255.0
  !
  interface Ethernet0/1
  nameif outside
  security-level 0
  IP 10.254.17.11 255.255.255.248
  !
  interface Ethernet0/2
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface Ethernet0/3
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface Management0/0
  Shutdown
  nameif management
  security-level 100
  no ip address
  management only
  !
  boot system Disk0: / asa823 - k8.bin
  passive FTP mode
  access-list 110 scope ip allow a whole
  192.168.80.0 IP Access-list extended sheep 255.255.255.0 allow 192.168.0.0 255.255.0.0
  pager lines 24
  Enable logging
  asdm of logging of information
  Outside 1500 MTU
  management of MTU 1500
  Within 1500 MTU
  no failover
  ICMP unreachable rate-limit 1 burst-size 1
  ICMP allow all outside
  ICMP allow any inside
  ASDM image disk0: / asdm - 621.bin
  don't allow no asdm history
  ARP timeout 14400
  NAT (inside) 0 access-list sheep
  Route outside 0.0.0.0 0.0.0.0 10.254.17.9 1
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-registration DfltAccessPolicy
  Enable http server
  http 192.168.1.0 255.255.255.0 management
  http 192.168.80.0 255.255.255.0 inside
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT
  Crypto ipsec transform-set newset aes - esp esp-md5-hmac
  Crypto ipsec transform-set esp-3des esp-sha-hmac myset2
  life crypto ipsec security association seconds 2147483646
  Crypto ipsec kilobytes of life security-association 2147483646
  correspondence address card crypto mymap 10 110
  card crypto mymap 10 peers set 10.254.17.9
  mymap 10 transform-set myset2 crypto card
  mymap outside crypto map interface
  crypto ISAKMP allow outside
  crypto ISAKMP policy 10
  preshared authentication
  3des encryption
  md5 hash
  Group 2
  life 86400
  crypto ISAKMP policy 20
  preshared authentication
  aes encryption
  md5 hash
  Group 2
  life 86400
  crypto ISAKMP policy 30
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  crypto ISAKMP policy 40
  preshared authentication
  aes encryption
  sha hash
  Group 2
  life 86400
  Telnet timeout 5
  SSH timeout 5
  Console timeout 0
  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  WebVPN

  tunnel-group 10.254.17.9 type ipsec-l2l
  IPSec-attributes tunnel-group 10.254.17.9
  pre-shared key *.
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns migrated_dns_map_1
  parameters
  maximum message length automatic of customer
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the migrated_dns_map_1 dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the rsh
  inspect the rtsp
  inspect esmtp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  inspect xdmcp
  inspect the sip
  inspect the netbios
  inspect the tftp
  Review the ip options
  !
  global service-policy global_policy
  context of prompt hostname

  Cryptochecksum:1c1ac60e2fb84f65269d15d53f27c21b
  : end
  ciscoasa # $

  Still, I can't ping ASA remote outside from outside of the Local interface. And there is no connectivity between the 192.168.80.0 distance and local don't say 192.168.1.0. I have run out of ideas

  Would appreciate any help. Thank you in advance...

  If the tunnel is up (phase 1), but no traffic passing the best test is the following:

  Add order management-access to the Interior , and then try to PING the intellectual property inside ASA counterpart.

  inside x.x.x.x ping --> x.x.x.x is the IP of the ASA peer inside

  The test above shows if the traffic passes through the tunnel (check encrypted/decrypted packets of sh cry ips its).

  Test on both directions.

  Please post the results.

  Federico.

• Backup: Problem access another network driveBackup, tips from other users

  Hello everyone. I'm trying to use my NAS backup function to copy a file .rar from a share on a different network drive - a little old Maxtor SSD - but I get an error message:

  "Can't access the remote path / / 192.168.0.13/sauvegarde/Work.rar.

  The file in question resides on a mapped share that Windows has no trouble to have access to, but NAS can't seem to. How can I get the NAS to authenticate for the SSD?

  Thanks for listening. I hope someone can help. The usual disclaimer notice for my ignorance apply.

  Them

  ReadyNAS NV +.

  Windows 7 x 64

  Maxtor Shared Storage Drive

  That seems to have been it. With a folder instead of a file as a target, it works. Thank you 1 million.

  I must say that the error message "Unable to access remote path" is not very useful...

• Cant' network with VPN card readers

  Hello!

  Here at my company in recent weeks, that some problems came with somes user not being able to access the network through the VPN connection drives.

  If I delete all network drives and try to map them in the normal way (Tools > map network drive) I get a "extended error has occurred", but if I force using the "connect using a different user name" and putting the user domain\username and password of the person using the computer, it maps the network drive without problem... until the next reboot.

  So, I repeat it, everywhere.

  There is no password stored in the password manager Windows.
  I remove from the registry, the keys to MapPointings2.

  Can someone help me?

  They are all WinXp.

  Thank you!

  Hello

  The question you have posted is related to Technet and would be better suited to the Technet community. Please visit the link below to find a community that will provide the best support.
  http://social.technet.Microsoft.com/forums/en-us/w7itpronetworking/threads

• Can I cache of RADIUS credentials used to access the network devices?

  I would start by RADIUS to authenticate users who try to access the network through virtual private networks devices. Since we will need to access the equipment in the case of a VPN does not, I need to know if the credentials may be cached on the device.

  You mean devices are accessible once you have set up VPN. Failure VPN, you can even ping the network devices. I am assuming that they would be internal resources. In all cases, credentials may not be cached on the device. Let me know if I am missing any room in your questions. ~ Jousset

• All my iTunes music is on a disk hard Ext. connected to my home network through a router. Is it possible that devices that are part of my home network share iTunes can access the music on this disc hard Ext. without my laptop being on?

  All my iTunes music is on a disk hard Ext. connected to my home network through a router. Is it possible that devices that are part of my home network share iTunes can access the music on this disc hard Ext. without my laptop being on?

  Additional information: the laptop is what I used to install all the music, via iTunes, which is located on the external hard drive connected through home network router.

  Is it possible that devices that are part of my home network share iTunes can access the music on this disc hard Ext. without my laptop being on?

  Laughing out loud

• help to access a pc on another network (route)

  I have the client whose the main network is on the subnet of 192.168.254.x. I need to access another pc on 192.168.250.x? can someone tell me how and where I can add a route to access this computer

  It can be done in the router or the operating system, for the router consult your user's manual.  For the operating system using the command line and specify the gateway in general:

  Pei route add 192.168.250.0 MASK 255.255.255.0 192.168.254.1

  You need the p - switch to the permanent road (or otherwise it will not survive a reboot).  You can get the address of the gateway with the ipconfig command.

  John

• Cannot access internal network so AnyConnect SSL VPN, ASA 9.1 (6)

  Hello Cisco community support,

  I have a lab which consists of two virtual environments connected to a 3750-G switch that is connected to a 2901 router which is connected to an ASA 5512 - X which is connected to my ISP gateway. I configured SSL VPN using AnyConnect and can establish a VPN to the ASA from the outside but once connected, I can't access internal network resources or access the internet. My information network and ASA configuration is listed below. Thank you for any assistance you can offer.

  ISP network gateway: 10.1.10.0/24

  ASA to the router network: 10.1.40.0/30

  Pool DHCP VPN: 10.1.30.0/24

  Network of the range: 10.1.20.0/24

  Development network: 10.1.10.0/24

  : Saved
  :
  : Serial number: FCH18477CPT
  : Material: ASA5512, 4096 MB RAM, CPU Clarkdale 2793 MHz, 1 CPU (2 cores)
  :
  ASA 6,0000 Version 1
  !
  hostname ctcndasa01
  activate bcn1WtX5vuf3YzS3 encrypted password
  names of
  cnd-vpn-dhcp-pool 10.1.30.1 mask - 255.255.255.0 IP local pool 10.1.30.200
  !
  interface GigabitEthernet0/0
  nameif inside
  security-level 100
  IP 10.1.40.1 255.255.255.252
  !
  interface GigabitEthernet0/1
  nameif outside
  security-level 0
  address IP X.X.X.237 255.255.255.248
  !
  interface GigabitEthernet0/2
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface GigabitEthernet0/3
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface GigabitEthernet0/4
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface GigabitEthernet0/5
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface Management0/0
  management only
  nameif management
  security-level 100
  IP 192.168.1.1 255.255.255.0
  !
  boot system Disk0: / asa916-1-smp - k8.bin
  boot system Disk0: / asa912-smp - k8.bin
  passive FTP mode
  permit same-security-traffic intra-interface
  network of the NETWORK_OBJ_10.1.30.0_24 object
  10.1.30.0 subnet 255.255.255.0
  network obj_any object
  network obj_10.1.40.0 object
  10.1.40.0 subnet 255.255.255.0
  network obj_10.1.30.0 object
  10.1.30.0 subnet 255.255.255.0
  outside_access_in list extended access permitted ip object NETWORK_OBJ_10.1.30.0_24 all
  FREE access-list extended ip 10.1.40.0 NAT allow 255.255.255.0 10.1.30.0 255.255.255.0
  access-list 101 extended allow any4 any4-answer icmp echo
  access-list standard split allow 10.1.40.0 255.255.255.0
  pager lines 24
  Enable logging
  asdm of logging of information
  Within 1500 MTU
  Outside 1500 MTU
  management of MTU 1500
  ICMP unreachable rate-limit 1 burst-size 1
  ICMP allow any inside
  ICMP allow all outside
  ASDM image disk0: / asdm - 743.bin
  don't allow no asdm history
  ARP timeout 14400
  no permit-nonconnected arp
  NAT (inside, outside) source obj_10.1.40.0 destination obj_10.1.40.0 static static obj_10.1.30.0 obj_10.1.30.0 non-proxy-arp-search to itinerary
  NAT (inside, outside) static source any any static destination NETWORK_OBJ_10.1.30.0_24 NETWORK_OBJ_10.1.30.0_24 non-proxy-arp-search to itinerary
  Access-group outside_access_in in interface outside
  !
  Router eigrp 1
  Network 10.1.10.0 255.255.255.0
  Network 10.1.20.0 255.255.255.0
  Network 10.1.30.0 255.255.255.0
  Network 10.1.40.0 255.255.255.252
  !
  Route outside 0.0.0.0 0.0.0.0 10.1.10.1 1
  Timeout xlate 03:00
  Pat-xlate timeout 0:00:30
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  Floating conn timeout 0:00:00
  dynamic-access-policy-registration DfltAccessPolicy
  without activating the user identity
  identity of the user by default-domain LOCAL
  Enable http server
  http 192.168.1.0 255.255.255.0 management
  http 192.168.1.0 255.255.255.0 inside
  http X.X.X.238 255.255.255.255 outside
  No snmp server location
  No snmp Server contact
  Crypto ipsec pmtu aging infinite - the security association
  Crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
  registration auto
  full domain name no
  name of the object CN = 10.1.30.254, CN = ctcndasa01
  ASDM_LAUNCHER key pair
  Configure CRL
  trustpool crypto ca policy
  string encryption ca ASDM_Launcher_Access_TrustPoint_0 certificates
  certificate c902a155
  308201cd 30820136 a0030201 020204c 0d06092a 864886f7 0d 010105 9 02a 15530
  0500302b 31133011 06035504 03130 has 63 61736130 31311430 12060355 74636e64
  0403130 31302e31 2e33302e 32353430 1e170d31 35303731 32303530 3133315a b
  170d 3235 30373039 30353031 33315 has 30 2 b 311330 0403130a 11060355 6374636e
  64617361 30313114 30120603 55040313 0b31302e 312e3330 2e323534 30819f30
  0d06092a 864886f7 010101 05000381 8 d 0d 003081 89028181 00a47cfc 6b5f8b9e
  9b106ad6 857ec34c 01028f71 d35fb7b5 6a61ea33 569fefca 3791657f eeee91f2
  705ab2ea 09207c4f dfbbc18a 749b19ae d3ca8aa7 3370510b a5a96fd4 f9e06332
  4355 db1a4b88 475f96a1 318f7031 40668a4d afa44384 819d fa164c05 2e586ccc
  3ea59b78 5976f685 2abbdcf6 f3b448e5 30aa96a8 1ed4e178 0001300 020301 4 d d
  06092a 86 01010505 00038181 0093656f 639e138e 90b69e66 b50190fc 4886f70d
  42d9b4a8 11828da4 e0765d9c 52d84f8b 8e70747e e760de88 c43dc5eb 1808bd0f
  fd2230c1 53f68ea1 00f3e956 97eb313e 26cc49d7 25b927b5 43d8d3fa f212fcaf
  59eb8104 98e3a1d9 e05d3bcb 428cd7c6 61b530f5 fe193d15 ef8c7f08 37ad16f5
  d8966b50 917a88bb f4f30d82 6f8b58ba 61
  quit smoking
  Telnet timeout 5
  SSH stricthostkeycheck
  SSH timeout 5
  SSH group dh-Group1-sha1 key exchange
  Console timeout 0
  VPN-addr-assign local reuse / 360 time
  management of 192.168.1.2 - dhcpd address 192.168.1.254
  enable dhcpd management
  !
  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  Trust ASDM_Launcher_Access_TrustPoint_0 vpnlb-ip SSL-point
  SSL-trust outside ASDM_Launcher_Access_TrustPoint_0 point
  WebVPN
  allow outside
  AnyConnect image disk0:/anyconnect-linux-3.1.09013-k9.pkg 4
  AnyConnect image disk0:/anyconnect-macosx-i386-3.1.09013-k9.pkg 5
  AnyConnect image disk0:/anyconnect-win-3.1.09013-k9.pkg 6
  AnyConnect enable
  tunnel-group-list activate
  internal GroupPolicy_cnd-vpn group policy
  GroupPolicy_cnd-vpn group policy attributes
  WINS server no
  value of server DNS 8.8.8.8
  client ssl-VPN-tunnel-Protocol
  by default no
  xxxx GCOh1bma8K1tKZHa username encrypted password
  type tunnel-group cnd - vpn remote access
  tunnel-group global cnd-vpn-attributes
  address-cnd-vpn-dhcp-pool
  strategy-group-by default GroupPolicy_cnd-vpn
  tunnel-group cnd - vpn webvpn-attributes
  activation of the alias group cnd - vpn
  !
  ICMP-class class-map
  match default-inspection-traffic
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  maximum message length automatic of customer
  message-length maximum 512
  Policy-map icmp_policy
  icmp category
  inspect the icmp
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the rsh
  inspect the rtsp
  inspect esmtp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  inspect xdmcp
  inspect the sip
  inspect the netbios
  inspect the tftp
  Review the ip options
  inspect the icmp
  !
  global service-policy global_policy
  service-policy icmp_policy outside interface
  context of prompt hostname
  no remote anonymous reporting call
  Cryptochecksum:261228832f3b57983bcc2b4ed5a8a9d0
  : end
  ASDM image disk0: / asdm - 743.bin
  don't allow no asdm history

  Can you confirm that this is correct, your diagram shows your IP address public on ASA as 30 while you have assinged on 'outside' interface like 29?

• How do .1x port based authentication access network through ACS

  How .1x port based authentication access network through ACS.

  Hello

  802. 1 x can authenticate the host or by the name of username/password, or either through the MAC address of the clients (PC, printers etc.). This process is called agentless network access that can be done via Mac Auth Bypass.

  In this process, the switchport 802.1 x would send the address MAC PC's connected to the server radius for authentication. If the radius server has the MAC address in its database, authentication will be successful and the PC would be granted network access.

  To check the configuration on GBA 4.x, you can go to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_ser...

  To check the configuration on a CBS 5.x, you can go to http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_contro...

  Kind regards

  Kush

• PIX501 customer VPN - cannot access inside the network with VPN Session

  What follows is based on the config on the attached link:

  http://www.Cisco.com/en/us/Partner/Tech/tk583/TK372/technologies_configuration_example09186a008009442e.shtml

  PIX Ver 6.2 (3) - VPN Client 3.3.6(A) - Windows XP Client PC

  We can establish the VPN to the PIX501 session, but we cannot access the network private behind the pix.

  Here is the config - I can't determine why it does not work, we are desperate to get there as soon as POSSIBLE!

  We have the same problem with the customer 4.0.3(c)

  Thanks in advance for any help!

  =======================================

  AKCPIX00 # sh run

  : Saved

  :

  6.2 (3) version PIX

  ethernet0 nameif outside security0

  nameif ethernet1 inside the security100

  hostname AKCPIX00

  domain.com domain name

  fixup protocol ftp 21

  fixup protocol http 80

  fixup protocol h323 h225 1720

  fixup protocol h323 ras 1718-1719

  fixup protocol they 389

  fixup protocol rsh 514

  fixup protocol rtsp 554

  fixup protocol smtp 25

  fixup protocol sqlnet 1521

  fixup protocol sip 5060

  fixup protocol 2000 skinny

  fixup protocol sip udp 5060

  names of

  access-list 101 permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0

  pager lines 24

  interface ethernet0 10baset

  interface ethernet1 10full

  Outside 1500 MTU

  Within 1500 MTU

  external IP address #. #. #. # 255.255.240.0

  IP address inside 192.168.1.5 255.255.255.0

  alarm action IP verification of information

  alarm action attack IP audit

  IP local pool akcpool 10.0.0.1 - 10.0.0.10

  history of PDM activate

  ARP timeout 14400

  Global 1 interface (outside)

  (Inside) NAT 0-list of access 101

  NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

  Route outside 0.0.0.0 0.0.0.0 #. #. #. # 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0: 10:00 udp 0:02:00 CPP 0: h323 from 10:00 0:05:00 sip 0:30:00 sip_media 0:02:00

  Timeout, uauth 0:05:00 absolute

  GANYMEDE + Protocol Ganymede + AAA-server

  RADIUS Protocol RADIUS AAA server

  AAA-server local LOCAL Protocol

  the ssh LOCAL console AAA authentication

  No snmp server location

  No snmp Server contact

  SNMP-Server Community public

  No trap to activate snmp Server

  enable floodguard

  Permitted connection ipsec sysopt

  No sysopt route dnat

  Crypto ipsec transform-set esp - esp-md5-hmac RIGHT

  Crypto-map dynamic dynmap 10 transform-set RIGHT

  map mymap 10-isakmp ipsec crypto dynamic dynmap

  mymap outside crypto map interface

  ISAKMP allows outside

  part of pre authentication ISAKMP policy 10

  encryption of ISAKMP policy 10

  ISAKMP policy 10 md5 hash

  10 2 ISAKMP policy group

  ISAKMP life duration strategy 10 86400

  vpngroup address akcpool pool akcgroup

  vpngroup dns 192.168.1.10 Server akcgroup

  vpngroup akcgroup by default-domain domain.com

  vpngroup split tunnel 101 akcgroup

  vpngroup idle 1800 akcgroup-time

  vpngroup password akcgroup *.

  vpngroup idle 1800 akc-time

  Telnet timeout 5

  SSH #. #. #. # 255.255.255.255 outside

  SSH timeout 15

  dhcpd address 192.168.1.100 - 192.168.1.130 inside

  dhcpd dns 192.168.1.10

  dhcpd lease 3600

  dhcpd ping_timeout 750

  dhcpd allow inside

  Terminal width 80

  Cryptochecksum:XXXXX

  : end

  AKCPIX00 #.

  Config looks good - just as domestic mine to my local network. The only thing I can think is that you may have entered commands in the wrong order - which means, you could have isakmp or encryption before the config map was complete. Write memory, then reloading the pix is a way to reset everything. If you do not want downtime:

  mymap outside crypto map interface

  ISAKMP allows outside

  Enter these two commands should be enough to reset the ipsec and isakmp.

• Network Concentrator VPN access.

  We have a 3000 Concentrator and is configured with a remote vpn on it. All inside network is allowed once a connceted to the vpn user. It is quite behind firewalls. I can access an external IP.

  But I can't log in to the vpn from the inside network. I can ping the public interface; but when I try to log in from the client, the server report displays no records to my IP.

  Why can't I connect from the inside?

  Thank you

  = Internal network = Concentrator VPN = FW = off-grid

  Why try you to VPN from the inside? The purpose of the VPN is to encrypt the traffic between your PC over the internet to the VPN concentrator, once traffic arrives to your VPN concentrator, it is decrypted, and he'll be in the clear to your internal network.

  So, what's the purpose of attempting to connect from the network Cabinet?

  The reason why it does not work is because of the delivery. You are on the internal network, while traffic will exit to the firewall and return by the same firewall to connect to the public interface of the VPN concentrator, which is why it does not work and if the goal is access to the internal network, you are already inside the network which complicates things as your ip pool must then be routed to the inside.

  Hope that makes sense.

• No access to the network through VMWare Player

  Hello

  I currently have ESXi as a guest on VMWare Player 3.1.3 on a Ubuntu 10.10 system.

  The ESXi system can access the network very well, but all guests accommodated on ESXi is unable to access the network.

  The guests are usually able to receive DHCP information, but cannot ping (or undertake any other connection) outside. In addition, the ESXi host cannot ping these guests running.

  Is this just a limitation of the software curiously layered? Or is there something I can do to fix this?

  Thank you

  Joe

  Maybe http://planetvm.net/blog/?p=1390 can help. This message points to http://kb.vmware.com/kb/287

  André