Can an interface used for a remote-site VPN also be used for another purpose?
Hi all
Can an interface used for the remote-site VPN on a PIX also be used for another function, for example for an SMTP server and web publishing?
Thank you!
Best regards
Teru Lei
Yes! Of course you can. Just try it.
--
Alexis Fidalgo
Systems engineer
AT & T Argentina
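As an added example (not from the thread or from the responder), a PIX 6.x outside interface carrying both a site-to-site tunnel and published SMTP and web servers; every address, name and the peer are placeholders I chose:

```cisco
! Added example, not from the thread. Placeholders: mail 10.1.1.25 published as
! 198.51.100.25, web 10.1.1.80 as 198.51.100.80, local LAN 10.1.1.0/24,
! remote LAN 10.2.2.0/24, VPN peer 203.0.113.1.
!
! Publish the two servers with one-to-one statics
static (inside,outside) 198.51.100.25 10.1.1.25 netmask 255.255.255.255
static (inside,outside) 198.51.100.80 10.1.1.80 netmask 255.255.255.255
!
! Inbound ACL on the outside interface: only the published services reach them
access-list OUTSIDE_IN permit tcp any host 198.51.100.25 eq smtp
access-list OUTSIDE_IN permit tcp any host 198.51.100.80 eq www
access-group OUTSIDE_IN in interface outside
!
! Keep site-to-site traffic out of NAT so it still matches the crypto ACL
access-list NONAT permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Site-to-site tunnel on the same outside interface
access-list VPN_TRAFFIC permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
crypto map OUTSIDE_MAP 10 ipsec-isakmp
crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set transform-set STRONG
crypto map OUTSIDE_MAP interface outside
isakmp enable outside
isakmp key REPLACE-WITH-STRONG-KEY address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!
! Caveat: if "sysopt connection permit-ipsec" is set, decrypted tunnel traffic
! bypasses OUTSIDE_IN, so the remote LAN is not filtered by that ACL.
```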
Tags: Cisco Security
Similar Questions
-
Internet access and VPN remote site?
Hi all!
I have a remote site that wants to use its own internet connection to access the internet. At the moment I use their router gateway (Cisco 831) to send all their data over an IPSec tunnel to us; it connects to a 2600 at headquarters. Is it possible to have a split on the remote site, so that web-surfing IP packets are sent directly to the internet and private IP traffic goes into the IPSec VPN?
Do I have to get more/different HW, or is it a simple change in config?
I checked Cisco.com but only found GRE tunnels where both the tunnel AND the outside interface have the crypto map...
Hello
Can you confirm the mode of connectivity with the outside world?
Also, can you confirm whether you use any device behind the router, because your LAN network is configured with only 2 usable/configurable IPs belonging to a /30 mask...
With this configuration you must enable NAT, which will do the trick for you...
Just include the commands below in your config...
interface Ethernet0/0
 ip nat outside
!
interface Ethernet0/1
 ip nat inside
!
ip nat inside source list 1 interface ethernet 0/0 overload
!
access-list 1 permit 172.16.222.44 0.0.0.3
regds
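Added example (not part of the answer above) extending the NAT overload configuration so that traffic for the HQ private network is excluded from NAT and is matched by the IPsec crypto ACL instead; the HQ LAN 10.0.0.0/24, the peer 203.0.113.1 and the ACL and map names are placeholders, while the remote LAN 172.16.222.44/30 and Ethernet0/0 come from the answer:

```cisco
! Added example, not from the thread. Placeholders: HQ LAN 10.0.0.0/24,
! HQ peer 203.0.113.1. Remote LAN 172.16.222.44/30 is taken from the answer.
!
! Crypto ACL: only private-to-private traffic is sent into the IPsec tunnel
ip access-list extended VPN-TRAFFIC
 permit ip 172.16.222.44 0.0.0.3 10.0.0.0 0.0.0.255
!
! NAT ACL: NAT is evaluated before the crypto map for inside-to-outside
! traffic, so HQ-bound packets are denied here (not translated) and keep
! their private source; everything else is overloaded onto the WAN address
ip access-list extended NAT-TRAFFIC
 deny   ip 172.16.222.44 0.0.0.3 10.0.0.0 0.0.0.255
 permit ip 172.16.222.44 0.0.0.3 any
!
ip nat inside source list NAT-TRAFFIC interface Ethernet0/0 overload
!
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-STRONG-KEY address 203.0.113.1
crypto ipsec transform-set HQ-SET esp-3des esp-sha-hmac
crypto map HQ-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set HQ-SET
 match address VPN-TRAFFIC
!
interface Ethernet0/0
 ip nat outside
 crypto map HQ-MAP
!
interface Ethernet0/1
 ip nat inside
```

Without the deny line in NAT-TRAFFIC, HQ-bound packets are translated to the WAN address first and never match VPN-TRAFFIC, so they leave in clear text toward the internet instead of through the tunnel.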
-
DNS server search order has failed
I can't access my system remotely (site office) from my house, and I can't access websites from here (site office). When I go to "network diagnostics" it shows "DNS server search order" has failed. How can I solve this problem? Please help me.
Hello yazid.
I recommend posting your question on our TechNet site for remote desktop connection problems located here: -
All of the fonts that come with Dreamweaver CS6 are licensed for the use of the web?
All of the fonts that come with Dreamweaver CS6 are licensed for the use of the web?
I also have Creative Suite 5, which I think comes with a set of Adobe fonts. Are these all licensed?
Licensed? Yes, but not necessarily for the web. Some licenses permit use in print or images but not on the web.
For legal reasons, don't assume that you can use any font you want on the web. Fonts are protected by intellectual property law in the same way that software is protected against illegal copying, modification or distribution. In other words, a font owner can of course say "you can use my font, but you cannot change it, you cannot reproduce it and you may not distribute it." On the web, that is a deal breaker, because you must be able to do all three.
These font families are common to most Windows/Mac systems.
Adobe Edge and TypeKit Web fonts are licensed for use on the web.
Nancy O.
-
Can 2 remote VPN sites communicate through a tunnel via a mutual 3rd PIX?
Hello
I have a client who has a PIX 515E at the company's HQ and 2 PIX 501s at remote sites. As of today the 2 remote PIXes have a site-to-site VPN connection with the HQ PIX.
My question is... is it possible to have the HQ PIX act as a VPN 'hub' for the remote sites to communicate across? I mean, is it possible to configure the PIX so that traffic for remote site B can go into the tunnel to HQ, and then through the tunnel to the remote site B?
If this is possible, how? Would the HQ PIX have enough information to route packets the proper way? What should I do?
Thank you in advance to those who will answer. :-)
If the question is not too clear, please post here and tell me...
Steffen
Steffen,
Unfortunately, the answer to that is no; the PIX does not "redirect" packets back out the same interface where they were received. This is normal and is part of the PIX security algorithm. The VPN 3000 and IOS will do this, but not the PIX.
However, as a workaround, can you not just create another tunnel between the 2 spokes? In other words, set up a 'triangle' of sorts. That's usually what we suggest in situations like this.
I hope this helps.
Scott
-
How can I monitor several remote sites with hyperic?
We have implemented a hyperic server in AWS.
We have a lot of remote sites with a server on site. Each site has its own public static IP address.
Here is how we have implemented hyperic right now:
agent.setup.camIP = static public IP of the server in AWS
agent.setup.camPort = 7080
agent.setup.camSSLPort = 7443
agent.setup.camSecure = yes
agent.setup.camLogin = login
agent.setup.camPword = pass
#agent.setup.agentIP = public IP of the site
agent.setup.agentPort = 2144
#agent.setup.resetupTokens = no
agent.setup.acceptUnverifiedCertificate = yes
At each site, we have a router that port-forwards to the server. Each server is behind a router and has a private static IP such as 192.168.30.101.
We have no problem setting up hyperic on the local server; the problem is that Hyperic HQ is overwriting the servers. It takes the static private IP address and keeps overwriting the latest server.
Even if we have different server names and different public IP addresses when we set up the agent, once we have set up the agent and it starts pulling the metrics, hyperic just replaces the last installed monitored server.
Any way to disable hyperic pulling the local IP address?
This could be referred to as "pinning to a specific IP address", which is required when a platform has multiple NICs or IP addresses, and is accomplished by adding additional directives to the agent.properties file. Because you specified a specific port at installation, it is better to pin that as well.
agent.listenIp =
agent.listenPort = 2144
I suggest that you also uncomment:
#agent.setup.agentIP =
as well as (properly defined):
#agent.setup.unidirectional = no
The setting is described in the header section of the agent.properties file.
# Agent configuration file
#
# The following are the properties the Agent recognizes:
#
# agent.listenPort
# Default: "2144"
#
# Description: Port that the agent listens on.
#
# agent.listenIp
# Default: "*"
#
# Description: Address that the agent listens on. If the value is "*",
# the agent will listen on all available interfaces.
1.) You now have:
agent.setup.camIP = static public IP of the server in AWS
agent.setup.camPort = 7080
agent.setup.camSSLPort = 7443
agent.setup.camSecure = yes
agent.setup.camLogin = login
agent.setup.camPword = pass
#agent.setup.agentIP = public IP of the site
agent.setup.agentPort = 2144
#agent.setup.resetupTokens = no
agent.setup.acceptUnverifiedCertificate = yes
2.) Stop the agent.
3.) Change these options and add the additional directives:
agent.setup.camIP = static public IP of the server in AWS
agent.setup.camPort = 7080
agent.setup.camSSLPort = 7443
agent.setup.camSecure = yes
agent.setup.camLogin = login
agent.setup.camPword = pass
agent.setup.agentIP = public IP of the site
agent.setup.agentPort = 2144
agent.setup.resetupTokens = no
agent.setup.acceptUnverifiedCertificate = yes
agent.listenIp = public IP of the site
agent.listenPort = 2144
4.) Remove the agent data directory (it is re-created on the next start).
5.) Restart the agent (this will trigger a reconfigure).
6.) Accept the agent inventory.
-
Yahoo mail is normally blank; one can type mail in the blank part of the page. In my case the Compose page has an advertising logo, because of which I can't type my mail. There is no such problem in Gmail, nor with the Gmail site "A Google approach to email" or any other site.
For this reason, it is difficult to compose mail on Yahoo mail. I need your help to clear the advertising logo so that I can compose mail on a white page. Cordially, eldiablo kumar
You can also try to install Adblock Plus with the EasyList subscription and check.
-
WLC centralized with several remote Sites
Hi people,
I read the documentation of design for wireless devices, and I can't find a definitive answer to the following:
Is it possible to have a centralized WLC (in a DMZ) that controls several remote sites? Each site must have the same SSID, however the IP subnet will be different at each site.
I have attached a base PDF showing what we are trying to achieve.
Thanks for your help.
Kris
Of course. You could either put the AP in H-REAP mode so that client traffic is switched locally at the AP, or you can use AP groups. With AP groups, client traffic is tunneled to the controller and the AP group policy determines which interface/VLAN the traffic is placed on.
-
Create different groups with VPN remote access
Hello world
Last time, I set up a VPN for remote access to my network with an ASA 5510.
I have access to all my internal LAN with my VPN.
But I want to set up a VPN group in the CLI for a different group of users who access a different server or a different network on my local network.
Example: computer group - access to the 10.70.5.X network
Consultant group - access to the 10.70.10.X network
I need to know how I can do this, and if you can give me some example script to accomplish this.
Here is my configuration:
ASA Version 8.0(2)
!
hostname ASA-Vidrul
domain-name vidrul-ao.com
enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address X.X.X.X 255.255.255.X
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address X.X.X.X 255.255.255.X
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 description Port_Device_Management
 nameif management
 security-level 99
 ip address X.X.X.X 255.255.255.X
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name vidrul-ao.com
access-list 100 extended permit ip any any
access-list 100 extended permit icmp any any echo
access-list 100 extended permit icmp any any echo-reply
access-list vpn-vidrul_splitTunnelAcl standard permit 10.70.1.0 255.255.255.0
access-list vpn-vidrul_splitTunnelAcl standard permit 10.70.99.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.70.255.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool clientvpngroup 10.70.255.100-10.70.255.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.70.0.0 255.255.0.0
access-group 100 in interface inside
access-group 100 interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server 10.70.99.10 protocol radius
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.2 255.255.255.255 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access outside
dhcpd address 192.168.1.2-192.168.1.5 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
class-map block-url-class
class-map imblock
 match any
class-map P2P
 match port tcp eq www
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
policy-map IM_P2P
 class imblock
 class P2P
!
service-policy global_policy global
group-policy vpn-vidrul internal
group-policy vpn-vidrul attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn-vidrul_splitTunnelAcl
 default-domain value vidrul-ao.com
username test password 274Y4GRAbNElaCoV encrypted privilege 0
username admin password bTpUzgLxalekyhxQ encrypted privilege 15
username admin attributes
 vpn-group-policy vpn-vidrul
username suporte password zjQEaX/fm0NjEp4k encrypted privilege 15
tunnel-group vpn-vidrul type remote-access
tunnel-group vpn-vidrul general-attributes
 address-pool clientvpngroup
 default-group-policy vpn-vidrul
tunnel-group vpn-vidrul ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:d84e64c87cc5b263c84567e22400591c
: end
What you need to configure is to imitate the configuration of the tunnel-group and group-policy, and to configure access to the specific network you need.
Currently, you have configured the following:
group-policy vpn-vidrul internal
group-policy vpn-vidrul attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn-vidrul_splitTunnelAcl
 default-domain value vidrul-ao.com
tunnel-group vpn-vidrul type remote-access
tunnel-group vpn-vidrul general-attributes
 address-pool clientvpngroup
 default-group-policy vpn-vidrul
tunnel-group vpn-vidrul ipsec-attributes
 pre-shared-key *
What you need is to create a new group-policy and a new tunnel-group, and configure the split-tunnel ACL to allow access to the specific networks required.
The user must then connect with the new group name and the new pre-shared key (password).
Hope that helps.
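Added example (not from the thread) of the second group the answer describes, built on the poster's ASA 8.0(2) configuration: the existing transform sets, crypto map and inside_nat0_outbound ACL are reused, the consultant network 10.70.10.0/24 comes from the question, and the names vpn-consultant, consultantpool, consultant1 and the keys are placeholders I chose:

```cisco
! Added example, not from the thread. Assumes the poster's config above.
!
! Dedicated address pool, so consultant sessions are identifiable by source
ip local pool consultantpool 10.70.254.1-10.70.254.100 mask 255.255.255.0
! NAT exemption for the new pool, mirroring the existing one for 10.70.255.0/24
access-list inside_nat0_outbound extended permit ip any 10.70.254.0 255.255.255.0
!
! Split-tunnel list: consultants only receive a route to 10.70.10.0/24.
! This only shapes client routing; a client can add routes itself.
access-list vpn-consultant_splitTunnelAcl standard permit 10.70.10.0 255.255.255.0
!
! vpn-filter: enforced on the ASA regardless of client routing. Written as
! inside-network -> client-pool; the ASA applies it to both directions.
access-list vpn-consultant_filter extended permit ip 10.70.10.0 255.255.255.0 10.70.254.0 255.255.255.0
!
group-policy vpn-consultant internal
group-policy vpn-consultant attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn-consultant_splitTunnelAcl
 vpn-filter value vpn-consultant_filter
 address-pools value consultantpool
 group-lock value vpn-consultant
 default-domain value vidrul-ao.com
!
! Second tunnel-group with its own pre-shared key; clients select it by name
tunnel-group vpn-consultant type remote-access
tunnel-group vpn-consultant general-attributes
 default-group-policy vpn-consultant
tunnel-group vpn-consultant ipsec-attributes
 pre-shared-key REPLACE-WITH-A-KEY-DIFFERENT-FROM-vpn-vidrul
!
! Bind each consultant account to its group; group-lock above rejects the
! account if it tries to connect through the vpn-vidrul tunnel-group instead
username consultant1 password REPLACE-ME privilege 0
username consultant1 attributes
 vpn-group-policy vpn-consultant
```

The computer group (10.70.5.0/24) is built the same way with its own pool, split-tunnel ACL, filter ACL and tunnel-group.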
-
Hello
PIX version 7.0(1)
ASDM version 5.0(1)
I have a situation where I need to use the VPN feature on our PIX 515E. I tried to set this up on the PIX using the Site-to-Site VPN Wizard,
which is enabled. I was unable to connect to the PIX from the remote site. The log on the PIX shows the negotiation is OK and successful.
The problem is when I try to bring up the tunnel from the remote site. It fails every time.
Where can I see the VPN error log on the PIX?
Is there a manual for troubleshooting site-to-site VPN using the wizard?
Help, please.
Thanks in advance
The section 'Using ASDM' (step 14) gives an example of how to set up a LAN-to-LAN VPN via ASDM.
For the log, go to the 'Verify' section.
-
Cisco VPN client cannot reach the remote VPN site (one site to another)
Hello
I configured two VPNs on a Cisco PIX 515. One uses the Cisco VPN client and the other is a site-to-site VPN connection with another PIX.
I have my local network on 192.168.149.0, the VPN client pool on 192.168.17.0 and a remote site on 192.168.145.0.
The local network is accessible from the VPN client and from the remote site, but 192.168.17.0 (VPN client) cannot reach 192.168.145.0 (remote site).
Please help me!
Thank you
This scenario is not possible with v6.x; it is with v7.x.
The link below is an example configuration:
-
How can I block site-to-site VPN traffic
I configured a site-to-site VPN with the wizard on an
ASA 5510 and it works.
However, I want to restrict it to HTTP traffic only.
I tried to change the ACL entry that allows IP traffic to allow only HTTP traffic, but that seems to block all traffic and results in a log entry:
Inbound TCP connection denied from X to Y/80 flags SYN on the incoming interface.
I managed to block pings by entering an ACL rule to specifically deny ICMP, but I would like to deny all except HTTP.
Any advice on how to achieve this is appreciated.
William.
Hello
I guess that's what you're looking for. See the Bidirectional VPN filter configuration section.
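Added example (not from the thread) of the bidirectional VPN filter the answer points to, applied to the wizard-built site-to-site tunnel: the peer 203.0.113.1, local LAN 10.1.1.0/24 (where the web servers sit), remote LAN 10.2.2.0/24 and the ACL and policy names are placeholders I chose:

```cisco
! Added example, not from the thread. Assumes the L2L tunnel to 203.0.113.1
! already works. Placeholders: local 10.1.1.0/24, remote 10.2.2.0/24.
!
! Leave the crypto ACL as "permit ip": it only selects what gets encrypted.
! Narrowing it to tcp/80 changes which packets match the SA and breaks the
! tunnel; the protocol restriction belongs in the vpn-filter instead.
access-list outside_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
!
! vpn-filter ACL, written local-network -> remote-network with the port on
! the local side. The ASA applies it to both directions of the decrypted
! traffic, so this one line lets remote hosts reach local web servers and the
! implicit deny drops everything else, including ICMP.
access-list L2L_HTTP_ONLY extended permit tcp 10.1.1.0 255.255.255.0 eq www 10.2.2.0 255.255.255.0
!
group-policy L2L_HTTP_POLICY internal
group-policy L2L_HTTP_POLICY attributes
 vpn-tunnel-protocol IPSec
 vpn-filter value L2L_HTTP_ONLY
!
! Attach the policy to the L2L tunnel-group (named by the peer address)
tunnel-group 203.0.113.1 general-attributes
 default-group-policy L2L_HTTP_POLICY
```

Because "sysopt connection permit-vpn" is on by default, decrypted tunnel traffic bypasses the outside interface ACL, which is why the vpn-filter, not that ACL, is the place to enforce the restriction.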
-
How do you restrict web browsing to show only sites specified for business use?
Hello, I need to restrict Firefox and Internet Explorer to only the specified websites that we use for professional purposes.
I have a problem with a number of employees who use unauthorized and dangerous websites that put my company's computers at risk.
Since it is impossible to police employees' habits in real time, I need to restrict what they can view. How can I set up a list of only authorized sites that cannot be overridden by user accounts despite admin privileges?
You will need to block these unwanted sites in a firewall, router or proxy, and only allow access via this proxy.
All other means can easily be bypassed, by starting Firefox in Safe Mode to troubleshoot whether it is an extension, or by using a portable version of Firefox.
Your posted system details above show outdated plugin(s) with known security and stability risks.
- Shockwave Flash 10.0 r45
Update the Flash plugin to the latest version.
-
HP mini computer with win 7 - Message = "preparing for first use." A loop.
It is an HP mini 110 with Win 7, with the original label and number below.
Start-up displays "preparing for first use."
Then "could not complete the installation."
Then it disconnects and reboots.
Tried to access the drive with a USB stick and the "rufus" s/w. I can enter the machine but I can only see the C:\ drive, with access back to rufus. Tried several ways to see the internal drive of the machine to correct the problem, without success.
Tried MS 'diskpart'; no other drive found.
I need commands to work on the machine from my bootable USB key. 5 hours into this now.
Thank you for your attention, Rich
The machine is now out of my hands and the owner had it repaired for $40 by someone who has a little more knowledge than I have.
Thank you for your response.
-
Cannot ping sub-interface gateways from my remote-site VPN
I can't ping my sub-interface gateways from my remote VPN connection.
I can ping the 192.6.1.0 network, but can't ping the 192.6.2.0 or 192.6.3.0 networks.
When I remote desktop into 192.6.1.20 I can ping all the networks, including the sub-interface gateways.
I think that something in my ASA is misconfigured or not added.
ASA NAT rules:
NAT exempt, interface: inside
Source 192.6.0.0/16
Destination 192.6.10.96/27
Static NAT, interface: inside (it's for the local NAT of E0/0 out)
Source 192.6.1.1/16
Translated interface: outside; Destination: 172.35.221.200
Dynamic NAT interface: inside
Source: no
Destination: outside
ASA access rules:
Permit, outside
Source: no
Destination: out
Services: udp, tcp, tcp/http
Static routes:
Interface: outside > network: any, outside DSL (shows no DSL in the graph)
Some incorrect configuration:
On the ASA:
(1) The routes are incorrect. The default route should point to the next hop, i.e. the internet router 172.35.221.x, as follows:
route outside 0.0.0.0 0.0.0.0 172.35.221.x
---> where x must be the internet router's IP address.
The existing routes need to be removed:
no route outside 0.0.0.0 0.0.0.0 192.298.47.182 255
no route outside 0.0.0.0 0.0.0.0 172.35.209.81 tunneled
(2) The following static NAT statement is also incorrect and should be removed:
static (inside,outside) USSLTA01_External USSLTA01 netmask 255.255.255.255
--> You cannot NAT the interface of the ASA itself.
(3) The subnet mask of the ASA inside interface should be 255.255.255.0, not 255.255.0.0. It should be the same as the router's interface subnet mask:
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.6.1.254 255.255.255.0
(4) Add routes to reach the sub-interface subnets on the ASA as follows:
route inside 192.6.2.0 255.255.255.0 192.6.1.235
route inside 192.6.3.0 255.255.255.0 192.6.1.235
route inside 192.6.4.0 255.255.255.0 192.6.1.235
On the router, configure its default route as follows:
ip route 0.0.0.0 0.0.0.0 192.6.1.254