ASA 5510 - cannot access or ping internal networks
Hello
I can't ping from one internal network (10.1.1.0/24) to another internal network (10.1.2.0/24, 10.1.3.0/24 and so on).
The static route is in place and works fine. I can ping these networks from the ASA but not from workstations.
The error I get on the ASA is: deny, packet dropped due to the implicit access list.
Here is the configuration file:
:
ASA Version 8.0(2)
!
hostname asa
domain-name test.com
enable password YLmDtv0bLkbX2VFy encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 20x.20x.16.xxx 255.255.255.224
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.0.254 255.255.255.0
!
interface Ethernet0/3
 nameif inside
 security-level 100
 ip address 10.1.1.2 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 172.16.200.1 255.255.255.248
 management-only
!
access-list acl_outside remark allows outside ping (need to enable internal ICMP rule no. 3)
access-list acl_outside extended permit icmp any any
access-list acl_outside extended permit tcp any any eq ftp inactive
access-list acl_outside extended permit tcp any any object-group DM_INLINE_TCP_1 inactive
access-list inside_access_in remark internal nodes access to the outside world (all ports)
access-list inside_access_in extended permit object-group TCPUDP any object-group everything
access-list inside_access_in remark allows ping within the network to the external network (internet).
access-list inside_access_in extended permit icmp any any echo inactive
access-list inside_access_in remark allow ping respond both ways - from the inside to the outside and
access-list inside_access_in remark the outside inside (nat sound knots)
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list sheep extended permit ip 10.1.1.0 255.255.255.0 172.16.100.0 255.255.255.192
access-list sheep extended permit ip any 172.16.100.0 255.255.255.192
access-list group1_splitTunnelAcl standard permit any
pager lines 24
mtu inside 1500
mtu management 1500
ip local pool VPN-pool 172.16.100.0-172.16.100.62 mask 255.255.255.192
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 20x.20x.16.xxx
nat (inside) 0 access-list sheep
nat (inside) 1 0.0.0.0 0.0.0.0
access-group acl_outside in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 20x.20x.16.xxx 1
route inside 10.1.2.0 255.255.255.0 10.1.1.248 1
route inside 10.1.3.0 255.255.255.0 10.1.1.248 1
route inside 10.1.4.0 255.255.255.0 10.1.1.248 1
route inside 10.1.7.0 255.255.255.0 10.1.1.248 1
route inside 10.1.9.0 255.255.255.0 10.1.1.248 1
route inside 10.1.14.0 255.255.255.0 10.1.1.248 1
route inside 10.1.15.0 255.255.255.0 10.1.1.247 1
route inside 192.168.1.0 255.255.255.0 10.1.1.248 1
route inside 192.168.20.0 255.255.255.240 10.1.1.248 1
route inside 192.168.30.0 255.255.255.240 10.1.1.248 1
route inside 192.168.40.0 255.255.255.240 10.1.1.248 1
route inside 192.168.50.0 255.255.255.240 10.1.1.248 1
route inside 192.168.70.0 255.255.255.240 10.1.1.248 1
route inside 192.168.80.0 255.255.255.240 10.1.1.248 1
-------------------------------------
Any help or advice will be appreciated.
Thank you
You need two or three statements:
same-security-traffic permit intra-interface
access-list sheep extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list sheep extended permit ip 10.1.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list sheep extended permit ip 10.1.4.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list sheep extended permit ip 10.1.7.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list sheep extended permit ip 10.1.9.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list sheep extended permit ip 10.1.14.0 255.255.255.0 10.1.1.0 255.255.255.0
and so on...
and apply sheep to the inside interface, which you already have: nat (inside) 0 access-list sheep
Regards
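The reply's checks can be automated. The following is an added example (not from the thread and not Cisco tooling): it scans an ASA 8.x-style config for static routes that send traffic back out of the interface it arrived on, and lists which of the reply's statements are still missing. The sample config is constructed, the function names are hypothetical, and the exemption entries follow the direction used in the reply.

```python
import ipaddress
import re

# Constructed sample: a trimmed ASA 8.0 config shaped like the one in the post.
# The outside addresses are documentation-range placeholders.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.224
!
interface Ethernet0/3
 nameif inside
 security-level 100
 ip address 10.1.1.2 255.255.255.0
!
access-list sheep extended permit ip 10.1.1.0 255.255.255.0 172.16.100.0 255.255.255.192
access-list sheep extended permit ip any 172.16.100.0 255.255.255.192
nat (inside) 0 access-list sheep
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
route inside 10.1.2.0 255.255.255.0 10.1.1.248 1
route inside 10.1.3.0 255.255.255.0 10.1.1.248 1
"""

SPEC = r"(any|\d\S* \d\S*)"  # 'any' or 'network mask'; 'host x' entries are ignored


def to_net(spec):
    """Turn an ACL/route address spec into an IPv4Network."""
    text = "0.0.0.0/0" if spec == "any" else spec.replace(" ", "/")
    return ipaddress.ip_network(text, strict=False)


def parse_interfaces(config):
    """Return {nameif: connected IPv4Network} for each named interface."""
    nets, name = {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            name = None
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif name and (m := re.match(r"ip address (\S+ \S+)", line)):
            nets[name] = to_net(m[1])
    return nets


def exempt_pairs(config, acl):
    """Return [(src, dst)] networks permitted by the named extended ACL."""
    pattern = rf"^access-list {re.escape(acl)} extended permit ip {SPEC} {SPEC}\s*$"
    return [(to_net(s), to_net(d)) for s, d in re.findall(pattern, config, re.M)]


def hairpin_findings(config):
    """Return the statements from the reply that this config still lacks."""
    ifaces = parse_interfaces(config)
    nat0 = dict(re.findall(r"^nat \((\S+)\) 0 access-list (\S+)", config, re.M))
    # A non-default static route means hosts on that interface's own subnet
    # reach the remote subnet by entering and leaving the same interface.
    hairpins = [(ifc, to_net(f"{net} {mask}"))
                for ifc, net, mask in re.findall(r"^route (\S+) (\S+) (\S+) \S+", config, re.M)
                if ifc in ifaces and mask != "0.0.0.0"]
    findings = []
    if hairpins and not re.search(r"^same-security-traffic permit intra-interface\b",
                                  config, re.M):
        findings.append("same-security-traffic permit intra-interface")
    for ifc, remote in hairpins:
        acl, local = nat0.get(ifc), ifaces[ifc]
        if acl is None:
            continue  # no identity-NAT ACL bound to this interface
        covered = any(remote.subnet_of(s) and local.subnet_of(d)
                      for s, d in exempt_pairs(config, acl))
        if not covered:
            findings.append(f"access-list {acl} extended permit ip "
                            f"{remote.network_address} {remote.netmask} "
                            f"{local.network_address} {local.netmask}")
    return findings


if __name__ == "__main__":
    for statement in hairpin_findings(SAMPLE_CONFIG):
        print(statement)
```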
Tags: Cisco Security
Similar Questions
-
AnyConnect ASA cannot access internet or internal network
After connecting through the AnyConnect 2.5 client, I can't access my internal network or the internet.
My host has IP address 10.2.2.1/24 & gw: 10.2.2.2
Here is the config
ASA Version 8.2(5)
!
names
name 172.16.1.200 EOCVLAN198 description EOC VLAN 198
dns-guard
!
interface Ethernet0/0
 description EOCATT7200-G0/2
 switchport access vlan 2
!
interface Ethernet0/1
 description EOC-Inside
 switchport access vlan 198
!
!
interface Vlan1
 shutdown
 no nameif
 security-level 100
 no ip address
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.21.24.23 255.255.255.248
!
interface Vlan198
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name riversideca.gov
access-list outside_acl extended permit icmp any interface inside
access-list outside_acl extended permit ip any any
access-list inside_acl extended permit icmp any interface outside
access-list inside_acl extended permit icmp interface outside any
access-list inside_acl extended permit ip any any
access-list inside_acl extended permit ip 172.16.1.0 255.255.255.0 any
access-list inside_acl extended permit ip 10.0.0.0 255.0.0.0 any
access-list SHEEP extended permit ip 10.10.10.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list SHEEP extended permit ip 10.2.2.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list SHEEP extended permit ip 10.10.86.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list SHEEP extended permit ip 10.2.2.0 255.255.255.0 10.10.86.0 255.255.255.0
access-list SHEEP extended permit ip 10.80.1.0 255.255.255.0 10.2.2.0 255.255.255.0
tunnel of splitting allowed access list standard 172.16.1.0 255.255.255.0
access-list split-smart standard permit any
ip local pool SSLClientPool 10.2.2.1-10.2.2.50 mask 255.255.255.0
asdm image disk0:/asdm-649.bin
global (outside) 1 interface
nat (inside) 0 access-list SHEEP
nat (inside) 1 172.16.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_acl in interface outside
access-group inside_acl in interface inside
route outside 0.0.0.0 0.0.0.0 1.21.24.23 1
route inside 10.0.0.0 255.0.0.0 EOCVLAN198 1
route inside 192.168.1.0 255.255.255.0 EOCVLAN198 1
route inside 192.168.100.0 255.255.255.0 EOCVLAN198 1
route inside 192.168.211.0 255.255.255.0 EOCVLAN198 1
webvpn
 enable outside
 svc image disk0:/anyconnect-dart-win-2.5.3055-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy SSLCLientPolicy internal
group-policy SSLCLientPolicy attributes
 dns-server value 10.10.86.128 10.10.86.129
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-smart
 default-domain value yourname.tld
 address-pools value SSLClientPool
username test password P4ttSyrm33SV8TYp encrypted privilege 15
username admin password fOGXfuUK21gWxwO6 encrypted privilege 15
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
 default-group-policy SSLCLientPolicy
tunnel-group SSLClientProfile webvpn-attributes
 group-alias EOCSSL enable
!
class-map global-class
class-map IPS
class-map my-ips-class
class-map test1
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect ipsec-pass-thru
  inspect http
  inspect pptp
  inspect icmp
 class global-class
  ips inline fail-close
 class class-default
  set connection decrement-ttl
policy-map my-ips-policy
 class my-ips-class
  ips promiscuous fail-open
!
service-policy global_policy global
p
ciscoasa# show log
Syslog logging: enabled
Aug 02 2012 21:34:03: %ASA-6-302014: Teardown TCP connection 60662 for outside:10.2.2.1/62706 to outside:74.125.224.228/443 duration 0:00:00 bytes 0 Flow is a loopback (test)
Aug 02 2012 21:34:09: %ASA-6-302015: Built inbound UDP connection 60664 for outside:10.2.2.1/49768 (10.2.2.1/49768) to inside:10.10.86.128/53 (10.10.86.128/53) (test)
Aug 02 2012 21:34:09: %ASA-6-302014: Teardown TCP connection 60665 for outside:10.2.2.1/62706 to outside:74.125.224.228/443 duration 0:00:00 bytes 0 Flow is a loopback (test)
Aug 02 2012 21:34:10: %ASA-6-302015: Built inbound UDP connection 60666 for outside:10.2.2.1/49768 (10.2.2.1/49768) to inside:10.10.86.129/53 (10.10.86.129/53) (test)
Aug 02 2012 21:34:11: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.2.2.1/62708 dst inside:192.248.248.120/443 denied due to NAT reverse path failure
Aug 02 2012 21:34:21: %ASA-6-302015: Built inbound UDP connection 60668 for outside:10.2.2.1/50715 (10.2.2.1/50715) to inside:10.10.86.128/53 (10.10.86.128/53) (test)
Aug 02 2012 21:34:21: %ASA-6-302015: Built inbound UDP connection 60669 for outside:10.2.2.1/64333 (10.2.2.1/64333) to inside:10.10.86.128/53 (10.10.86.128/53) (test)
Aug 02 2012 21:34:22: %ASA-6-302015: Built inbound UDP connection 60670 for outside:10.2.2.1/50715 (10.2.2.1/50715) to inside:10.10.86.129/53 (10.10.86.129/53) (test)
Aug 02 2012 21:34:22: %ASA-6-302016: Teardown UDP connection 60474 for outside:10.2.2.1/50367 to inside:10.10.86.128/53 duration 0:02:01 bytes 40 (test)
Aug 02 2012 21:34:22: %ASA-6-302016: Teardown UDP connection 60475 for outside:10.2.2.1/60325 to inside:10.10.86.128/53 duration 0:02:01 bytes 46 (test)
Aug 02 2012 21:34:22: %ASA-6-302015: Built inbound UDP connection 60671 for outside:10.2.2.1/64333 (10.2.2.1/64333) to inside:10.10.86.129/53 (10.10.86.129/53) (test)
Aug 02 2012 21:34:22: %ASA-6-302014: Teardown TCP connection 60672 for outside:10.2.2.1/62713 to outside:74.125.224.228/443 duration 0:00:00 bytes 0 Flow is a loopback (test)
Aug 02 2012 21:34:23: %ASA-6-302016: Teardown UDP connection 60477 for outside:10.2.2.1/50367 to inside:10.10.86.129/53 duration 0:02:01 bytes 40 (test)
Aug 02 2012 21:34:23: %ASA-6-302016: Teardown UDP connection 60479 for outside:10.2.2.1/60325 to inside:10.10.86.129/53 duration 0:02:01 bytes 46 (test)
ciscoasa# show vpn-sessiondb svc
Session Type: SVC
Username     : test                   Index        : 21
Assigned IP  : 10.2.2.1               Public IP    : 76.95.186.82
Protocol     : Clientless SSL-Tunnel DTLS-Tunnel
License      : SSL VPN
Encryption   : AES128 RC4             Hashing      : SHA1
Bytes Tx     : 13486                  Bytes Rx     : 136791
Group Policy : SSLCLientPolicy        Tunnel Group : SSLClientProfile
Login Time   : 21:26:21 PDT Thu Aug 2 2012
Duration     : 0: 00: 08:00
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none
The split tunnel ACL is incorrect: you must add the internal LAN subnets, not the VPN pool subnets, and also add the correct SHEEP ACL.
If you are trying to access the 172.16.1.0/24 subnet, then add the following:
access-list SHEEP extended permit ip 172.16.1.0 255.255.255.0 10.2.2.0 255.255.255.0
Then the following split tunnel ACL:
access-list split-smart standard permit 172.16.1.0 255.255.255.0
Finally, try to see if you can ping 172.16.1.200 after adding the above.
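An added example, not part of the original thread: it reads ASA syslog lines like the ones posted above and, for sources inside the VPN pool, separates built connections from 305013 NAT reverse-path denials and loopback teardowns, then proposes the identity-NAT entry in the form the reply gives. The sample lines are constructed in ASA syslog layout (the 172.16.1.200 denial is invented for the demonstration) and the function names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in ASA syslog layout, using addresses from the post.
SAMPLE_LOG = """\
Aug 02 2012 21:34:03: %ASA-6-302014: Teardown TCP connection 60662 for outside:10.2.2.1/62706 to outside:74.125.224.228/443 duration 0:00:00 bytes 0 Flow is a loopback (test)
Aug 02 2012 21:34:09: %ASA-6-302015: Built inbound UDP connection 60664 for outside:10.2.2.1/49768 (10.2.2.1/49768) to inside:10.10.86.128/53 (10.10.86.128/53) (test)
Aug 02 2012 21:34:11: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.2.2.1/62708 dst inside:192.248.248.120/443 denied due to NAT reverse path failure
Aug 02 2012 21:34:12: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.2.2.1/62709 dst inside:172.16.1.200/80 denied due to NAT reverse path failure
Aug 02 2012 21:34:22: %ASA-6-302016: Teardown UDP connection 60474 for outside:10.2.2.1/50367 to inside:10.10.86.128/53 duration 0:02:01 bytes 40 (test)
"""

MSG = re.compile(r"%ASA-\d-(\d{6}): (.*)")
# 'interface:address/port'; the bare '(address/port)' copies are skipped on purpose
ENDPOINT = re.compile(r"([\w-]+):(\d+\.\d+\.\d+\.\d+)/\d+")


def triage(log, pool):
    """Group events whose source is a VPN pool address by what they indicate."""
    pool = ipaddress.ip_network(pool)
    report = defaultdict(set)
    for line in log.splitlines():
        m = MSG.search(line)
        if not m:
            continue
        msg_id, text = m.groups()
        ends = ENDPOINT.findall(text)
        if len(ends) < 2 or ipaddress.ip_address(ends[0][1]) not in pool:
            continue
        dst = ends[1]  # (interface, address) of the destination
        if msg_id == "305013":
            # forward flow matched no NAT rule but the reply would be translated
            report["nat_reverse_path_failure"].add(dst)
        elif msg_id == "302014" and "Flow is a loopback" in text:
            # flow entered and would leave on the same interface
            report["loopback_teardown"].add(dst)
        elif msg_id in ("302013", "302015"):
            report["built"].add(dst)
    return {kind: sorted(found) for kind, found in report.items()}


def exemption_lines(report, inside_nets, pool, acl="SHEEP"):
    """Suggest identity-NAT ACL entries for denied destinations on known inside subnets."""
    pool = ipaddress.ip_network(pool)
    denied = [ipaddress.ip_address(ip)
              for _, ip in report.get("nat_reverse_path_failure", [])]
    lines = []
    for net in map(ipaddress.ip_network, inside_nets):
        if any(ip in net for ip in denied):
            lines.append(f"access-list {acl} extended permit ip "
                         f"{net.network_address} {net.netmask} "
                         f"{pool.network_address} {pool.netmask}")
    return lines


if __name__ == "__main__":
    found = triage(SAMPLE_LOG, "10.2.2.0/24")
    for kind, targets in found.items():
        print(kind, targets)
    for line in exemption_lines(found, ["172.16.1.0/24"], "10.2.2.0/24"):
        print(line)
```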
-
Cisco vpn client to connect but can not access to the internal network
Hi all
I have a VPN configured on a Cisco 5540. My VPN was working fine, but suddenly there is an issue: the Cisco VPN client connects but cannot access the internal network.
Any help would be much appreciated.
Hi Samir,
I suggest that you go to the ASA and check the configuration to make sure that it complies with the requirements according to the reference link below:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805734ae.shtml
(The link above includes split tunneling, but this is just an option.)
Please paste the output of "sh cry ipsec sa" here so that we can check if phase 2 is properly established. I would also suggest that you go to the IPsec VPN client on your PC and check whether the packets sent and received increment in the 'status' window.
Let me know if this can help,
See you soon,
Christian V
-
ASA 5505 VPN remote cannot access with my local network
Hello guys, I have a problem with remote access VPN on my ASA 5505: the VPN connection works well and connects, but I can't reach my inside network, 192.168.30.x. Here's my setup, please can you help me.
ASA Version 8.2(1)
!
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.30.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 155.155.155.10 255.255.255.0
!
interface Vlan5
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.240
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpn-pool 192.168.100.1-192.168.100.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy mull internal
group-policy mull attributes
 vpn-tunnel-protocol IPSec
username xxx password eKJj9owsQwAIk6Cw encrypted privilege 0
 vpn-group-policy mull
tunnel-group mull type remote-access
tunnel-group mull general-attributes
 address-pool vpn-pool
 default-group-policy mull
tunnel-group mull ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Yes, you will need to either configure split tunnel so that internet traffic goes out through your local Internet service provider, OR, since with the current configuration you are tunneling all traffic (incl. internet traffic) to the ASA, you will need to create NAT for the internet traffic.
To set up split tunnel:
access-list split-acl standard permit 192.168.30.0 255.255.255.0
group-policy mull attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-acl
I hope this helps.
-
Cannot access files between local network PC
I have 2 Ethernet computers running XP Home SP3. They are connected by Ethernet behind an Airlink 101 wireless router; a Vista laptop is connected over wireless (the Vista laptop cannot access files either). At one time I had a third Ethernet PC connected without SP, and I was able to access its files from at least one of the other PCs. I tried removing firewalls (temporarily) and virus checkers without success. In the network section, I can see the computers and shared files on the PCs, but when I try to open directories it says I might not have permission to use this network resource. Memory: server to process this command. Server? These are essentially peer computers back-to-back. I have 50+ GB on each PC. I believe that this happened after I installed SP2 or SP3.
See the Microsoft Knowledge Base article "Antivirus software may Cause Event ID 2011" for a likely solution.
-
Cannot access my home Wifi network
* - Original title - access a network
Host running Windows 7. Cannot access my home Wifi network. It says internet access, but then no access is available. I can access the internet with an Ethernet cable. Thank you
Hi Gerard,
To provide a proper resolution, I would need more information from your side.
1. Do you get any error code or error message while trying to access the wifi network?
2. Did you make any changes to the computer before this problem?
3. What is the brand and model of the router?
Follow these methods.
Method 1.
You can use the network troubleshooter and check if that helps.
Using the troubleshooter from network in Windows 7: http://windows.microsoft.com/en-US/windows7/Using-the-Network-troubleshooter-in-Windows-7
Method 2.
We can refer to this article and check if that helps.
Wireless and wired network problems: http://windows.microsoft.com/en-us/windows/network-connection-problem-help#network-problems=windows-7&v1h=win8tab1&v2h=win7tab4&v3h=winvistatab1&v4h=winxptab1
Additional information.
Wireless network card: frequently asked questions: http://windows.microsoft.com/en-in/windows7/wireless-networking-frequently-asked-questions
Let us know if you need assistance with any Windows problem. We will be happy to help you.
-
VPN client without access to the internal network
Hi all
I am trying to get IPsec VPN clients to talk to my internal network. I can ping the IP address of the internal port, but not the gateway beyond the period of INVESTIGATION, or any of the resources on the internal network.
Thoughts?
Hello Tony
You need to check the following things:
1. Split tunnel network
2. "no nat" for the split tunnel network
Is this a test or production network? (I hope that the client has the right gateway configuration.)
Also, if possible, please post your config for a better understanding.
Regards
Harish
-
Problems of networking - cannot access other computers via network
Help, please! About six months ago, I got Internet from Time Warner. They provided a wireless router. I set up the network with my desktop and laptop. Both computers have XP and both of them access the wireless network. Everything worked well. I was able to print from the laptop through the desktop computer. I could also access shared files from one to the other. One day it just stopped working. I'm guessing after a Windows update. In any case I spent a LOT of time sifting through here looking for answers. One thing I discovered is that there are a lot of people experiencing the same thing, but nobody seems to have an answer to the problem. I found an article that told me to increase the IRP stack size. I tried it and it worked for a few days, and then it went right back to giving me this message: "You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permission." I'm about to lose my mind. I don't understand how it could have worked for two months and then stopped. The only firewall I run on each one is Windows. Help, please!
Jack,
After typing this long email discussing my problem, I did some internet research and found a post that said they had solved the problem. It said: "I solved the problem by adding the 'NWLink IPX/SPX/NetBIOS Compatible Transport Protocol' to my list of network properties on every computer on my network." I tried it and it worked. The only problem I've noticed so far is that it takes time to move a folder. To back up a folder, it thinks for a minute before moving. Any thoughts?
Jerry
-
I'm trying to uninstall older versions of Java, but keep getting Error 1606: could not access network location %APPDATA%\. I tried everything but not java support says go
Hello
I suggest that you run the Fix it in the following Microsoft article and check if it helps.
You receive an "Error 1606" error message when you try to install or remove a program from Microsoft:
http://support.Microsoft.com/kb/886549
Note: If the Fix it is not enough, then try the steps outlined in "Let me fix it myself".
Hope the information is useful.
-
Cannot access the NSLU2 on network - HELP!
Hello, I recently hooked up the NSLU2 again after a few years of storage. It is connected fine to the router (WRT54GS running Tomato 1.25), but for the life of me I can't get it to be recognized by the network. Pinging 192.168.1.77 fails; I have reset the router to defaults without success.
The Ethernet light on the NSLU2 is on and sometimes flashes. The port light on the router is on. It just will not be displayed in the list of devices in Tomato.
Running Windows 7 Pro 64 bit.
Any help would be GREATLY appreciated. Thank you!
-Paul
Hi, I used a port scanner to find out that the HTTP port on the slug was still set to a former high port number; I could access and reset it once I got that. I thought that the hardware reset would put this back to 80!
Thanks for your help
-
Client VPN cannot access the different internal subnet
Hi all
I use PIX 7.0 and the 4.8 VPN client.
When I connect with the VPN client, I see the subnet behind the PIX (10.61.1.0).
However, there is a router on that subnet that connects to two other sites (10.61.2.0 and 10.72.2.0).
I can ping these subnets from the PIX command line.
When I connect using the VPN client I only see the subnet behind the PIX and not the other two subnets?
I have a command-line 10.0.0.0 255.0.0.0 10.61.1.250 (the IP address of the router) on the PIX, but this doesn't seem to help?
The response from the ping is "request timed out" for either of the other subnets.
Any suggestions on what route I need to add, or is there an ACL to be added?
Current routes and ACLs are:
0.0.0.0 0.0.0.0 the ISP router address
10.0.0.0 255.0.0.0 10.61.1.250
access-list Outside_access_in extended permit icmp any any
access-list inside_nat0 extended permit ip 10.61.1.0 255.255.255.0 10.61.1.224 255.255.255.240
nat (inside) 0 access-list inside_nat0
nat (inside) 10 0.0.0.0 0.0.0.0
access-group Outside_access_in in interface outside
All responses appreciated.
First and foremost, the pool of the VPN client should not overlap with the ASA inside subnet, or any connected subnet.
Internet <--> ASA <--> (10.61.1.250) router <--> 10.61.2.0 and 10.72.2.0
access-list inside_nat0 extended permit ip 10.61.1.0 255.255.255.0
access-list inside_nat0 extended permit ip 10.61.2.0 255.255.255.0
access-list inside_nat0 extended permit ip 10.72.2.0 255.255.255.0
access-list Outside_cryptomap_dyn_20 extended permit ip 10.61.1.0 255.255.255.0
access-list Outside_cryptomap_dyn_20 extended permit ip 10.61.2.0 255.255.255.0
access-list Outside_cryptomap_dyn_20 extended permit ip 10.72.2.0 255.255.255.0
In addition, a static route must be configured on the 10.61.1.250 router:
ip route
-
Lost remote access to the internal network after upgrading PIX to 7.0
I upgraded our Cisco PIX 515E from release 6.3 to 7.0(5) and lost connectivity from outside to the internal servers through a VPN connection. Any ideas as to why or how this happened?
If you use split tunneling, this is probably the issue.
The bug ID is CSCeh69389.
The bug says:
When you upgrade a PIX from 6.x to 7.0, if split tunneling is being
used for remote access clients, then the config conversion
process will not convert the split tunnel list command, because
the 6.x split tunnel ACL was allowed to be of type 'extended',
whereas in 7.0 the ACL must be 'standard'.
To solve the problem, take the extended ACL and manually convert it to a
standard ACL, specifying the networks you want encrypted. Once
the new ACL is in the config, it must be applied under the
group policy.
EX:
access-list SplitTunnel standard permit 10.1.1.0 255.255.255.0
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SplitTunnel
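The manual conversion described in the bug note, as an added example (not Cisco's conversion tool and not code from the thread): it takes the source of each "permit ip" entry of an extended split tunnel ACL and emits the standard ACL and group-policy lines in the form of the EX above. The old ACL name, the pool addresses and the function names are assumptions; treating each entry's source as the network to encrypt is also an assumption about how the 6.x ACL was written.

```python
import re

# Constructed sample: a PIX 6.x-style split tunnel ACL.
# The name split_old and the 10.1.100.0/10.1.101.0 pool networks are assumptions.
OLD_ACL = """\
access-list split_old permit ip 10.1.1.0 255.255.255.0 10.1.100.0 255.255.255.0
access-list split_old permit ip 10.1.2.0 255.255.255.0 10.1.100.0 255.255.255.0
access-list split_old permit ip 10.1.1.0 255.255.255.0 10.1.101.0 255.255.255.0
access-list split_old permit ip host 10.1.9.5 10.1.100.0 255.255.255.0
access-list split_old permit tcp any any eq 80
access-list other permit ip 192.168.1.0 255.255.255.0 any
"""


def take_address(tokens):
    """Pop one address spec ('any', 'host A' or 'net mask') off the token list."""
    if tokens[0] == "any":
        return tokens.pop(0)
    first, second = tokens.pop(0), tokens.pop(0)
    return f"{first} {second}"


def to_standard(config, old_name, new_name, group_policy):
    """Return (new config lines, entries that a standard ACL cannot express)."""
    head = re.compile(
        rf"^access-list {re.escape(old_name)} (?:extended )?(permit|deny) (\S+) (.*)$")
    entries, skipped = [], []
    for line in map(str.strip, config.splitlines()):
        m = head.match(line)
        if not m:
            continue  # another ACL or an unrelated statement
        action, proto, rest = m.groups()
        if proto != "ip":
            skipped.append(line)  # protocol/port matches need manual review
            continue
        source = take_address(rest.split())  # destination (the pool) is dropped
        entry = f"access-list {new_name} standard {action} {source}"
        if entry not in entries:  # several pools can repeat one source network
            entries.append(entry)
    policy = [f"group-policy {group_policy} attributes",
              " split-tunnel-policy tunnelspecified",
              f" split-tunnel-network-list value {new_name}"]
    return entries + policy, skipped


if __name__ == "__main__":
    lines, skipped = to_standard(OLD_ACL, "split_old", "SplitTunnel", "RemoteAccess")
    print("\n".join(lines))
    for line in skipped:
        print("! review manually:", line)
```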
-
Cannot access ESXi server via network
Hello world!
We have an HP C7000 enclosure with 4 BL460c Gen8 blades in the front of it. At the back of the C7000, we have 2 SAN switches, 2 HP BLc GbE2c Layer 2/3 switches and 2 Onboard Administrator modules.
Everything is working fine with IP addresses like this:
OA active:
IP address: 172.16.0.253
Standby OA:
IP address: 172.16.0.254
Server Blade BL460c Bay 1:
The IP address of the ILO: 172.16.0.10
Server Blade BL460c Bay 2:
The ILO IP address: 172.16.0.11
BL460c blade Bay 9:
The ILO IP address: 172.16.0.19
Server Blade BL460c Bay 10:
The ILO IP address: 172.16.0.20
We can ping the IP addresses above from a PC connected to the iLO port on the Onboard Administrator (OA). (Can I call it the MANAGE PC?)
Next, we access the OA via the web at https://172.16.0.253, then use the Integrated Console to control the 4 server blades. We mounted the ESXi 5.1 U1 image and successfully installed it on the 4 server blades.
We manually configured an IP address on each ESXi server (like this):
BL460c Server Blade on Bay 1 as server ESXi 1:
IP address: 10.0.0.11
BL460c Server Blade on Bay 2 as server ESXi 2:
IP address: 10.0.0.12
BL460c Server Blade on Bay 9 as server ESXi 9:
IP address: 10.0.0.19
BL460c Server Blade on Bay 10 as server ESXi 10:
IP address: 10.0.0.20
Now we can ping ESXi server 1 from another ESXi server. I mean the 4 blade servers can ping each other.
BUT:
-We cannot ping the blade servers from the MANAGE PC (the PC connected to the iLO port on the OA. In this scenario, the MANAGE PC has the IP 172.16.0.100/16)
-We unplugged the network cable from the iLO port, then connected it to port number 24 on the HP BLc GbE2c Layer 2/3 switch, then set the IP address of the MANAGE PC to 10.0.0.100/24. Still the same, can only access servers
Can someone explain to me how to access these servers (ping, http, etc.)? Do we have to configure the HP BLc GbE2c Layer 2/3 switch? We read many guides on the HP website, but they did not mention routing or switch configuration.
Thanks in advance!
It's my mistake!
My servers have 2 FlexLOM connections. One connection had been enabled for 'Management Network' in ESXi. I did not understand, so I enabled both connections. That caused the outside network to be unable to access them.
I just disabled one connection and everything works perfectly.
Thank you everyone!
-
PC XP sees but cannot access Vista PC on network. Access is denied!
I have 4 computers on a network. The network is set up as private. The 3 XP Home computers and 1 Vista Home Premium PC can see each other, and files can be shared between the 3 XP computers. The Vista PC can see the other computers and can send files to them quite happily.
However, when one of the XP computers tries to access the Vista computer I immediately get an error: "\\VistaPC is not accessible. You might not have permission to use this network resource etc etc. Access is denied."
I turned on network discovery, public folder sharing, and file and printer sharing.
Password-protected sharing and media sharing are turned off, but all shared folders on the Vista PC have their permissions set for Everyone because I don't want to have to enter the username and password whenever I need access.
LLTD is installed and Vista network map shows all devices and their correct connection; all wired through a Netgear router except 1 wireless XP.
Help, please. It drives me crazy!
I only use the Windows Firewall and AVG Free anti-virus.
Well, I finally solved my problem, but don't know which action achieved it or if it was a combination of actions. If anyone is interested, here's what I did.
On the Vista machine, I edited the sharing of the Public folder, all subfolders and files to share fully.
Checked the security settings for all of the public folders, subfolders and files, and then assigned full control to all users.
Added 'Everyone' as a user and allowed full control for this user.
Restarted after each step but still could not access shared folders on the Vista machine.
In desperation I edited the registry; went to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Changed the value of a key called "restrictanonymous" to 0 instead of 1. Quick restart and hey presto, my network works properly.
My network is secure and so I didn't mind reducing some apparent security settings. Don't know if it's appropriate for everyone but it might give some clues.
Good luck
-
Cannot access Admin Console Internal Server Error
Hello
I installed WebLogic Server 10.3.6 on Red Hat EL 6.7 64-bit, x64 processor.
I am able to access the EM console and all the services work fine, but when trying to connect to the Administration Console,
after entering the user name and password, I get a page like the one below:
"Server encountered an unexpected condition that prevented it from fulfilling the request.
The best thing to do is start over at the homepage or try the back button of the browser."
When I check the logs, the error below is given. Please help to solve this problem.
# < 4 February 2016 09:19:06 EET > < opinion > < Diagnostics > < fi100idmdev01.ddc.teliasonera.net > < AdminServer > < ExecuteThread [pending]: '3' for queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <>< 48eeba3244cb2662:-2ec07938:152a18f47a2: - 8000-0000000000004111 > < 1454570346095 > < BEA-320068 > < Watch "UncheckedException" with severity "Notice" on the server "AdminServer" released February 4 2016 09:19:06 EET. Details of the notification:
WatchRuleType: Journal
WatchRule: (SEVERITY = "Error") AND ((MSGID = ' WL-101020') OR (MSGID = "WL-101017'") OR (MSGID = "WL-000802'") OR (MSGID = "BEA-101020'") OR (MSGID = "BEA-101017'") OR (MSGID = "BEA-000802'"))
[WatchData: DATE = February 4, 2016 09:19:06 EET SERVER = AdminServer MESSAGE = [path of module: ServletContext@485939269[app:consoleapp console: / console spec-version: 2.5]] Servlet failed with Exception
java.lang.NoSuchMethodError: weblogic.servlet.internal.session.SessionInternal.setAttribute(Ljava/lang/String;Ljava/lang/Object;Z)V
at weblogic.servlet.internal.ServletRequestImpl$SessionHelper.updateSessionId(ServletRequestImpl.java:3048)
at weblogic.servlet.security.internal.SecurityModule.login(SecurityModule.java:308)
at weblogic.servlet.security.internal.FormSecurityModule.processJSecurityCheck(FormSecurityModule.java:300)
at weblogic.servlet.security.internal.FormSecurityModule.checkUserPerm(FormSecurityModule.java:211)
at weblogic.servlet.security.internal.FormSecurityModule.checkAccess(FormSecurityModule.java:94)
at weblogic.servlet.security.internal.ChainedSecurityModule.checkAccess(ChainedSecurityModule.java:79)
at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:82)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2219)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2182)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1485)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:263)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Subsystem = HTTP USERID < WLS Kernel > = SEVERITY = error THREAD = ExecuteThread [ASSET]: '2' for the queue: MSGID 'weblogic.kernel.Default (self-adjusting)' = BEA - 101020 MACHINE TXID the CONTEXTID = 48eeba3244cb2662 = fi100idmdev01.ddc.teliasonera.net =:-2ec07938:152a18f47a2:-8000 - 000000000000410f TIMESTAMP = 1454570346094
WatchAlarmType: AutomaticReset
WatchAlarmResetPeriod: 30000
Thank you
Shaik
Finally, I am able to access the console.
Thank you guys, issue solved, but I have to do a few more tests.
After removing all the patches, I had a config.xml file error; I started commenting out the tags with errors and it worked.
Once more, thanks for the suggestions and your fast help.
Shaik