Can't telnet in VPN

I have a Lotus Domino server inside the network. When I connect with my IPsec VPN, I can't telnet to its internal address. Because I have a NAT rule set up for it on the outside, I can still telnet to the external IP address with telnet x.x.x.x 1352 and connect. Why can't I telnet to the internal address? As for everything else inside, I have had no problem accessing anything at all from my VPN session that I've tried.

Config:

!
aaa session-id common
!
!
dot11 syslog
ip source-route
!
!
!
!
ip cef
ip domain name xxxxx
ip name-server 192.168.100.102
ip inspect name DEFAULT-INSPECT icmp
ip inspect name DEFAULT-INSPECT tcp
ip inspect name DEFAULT-INSPECT udp
no ipv6 cef
!
multilink bundle-name authenticated
!
password encryption aes
!
!
object-group network SOURCE_MGMT
 192.168.100.0 255.255.255.0
 173.160.106.40 255.255.255.248
 71.63.249.0 255.255.255.0
!
object-group service SSH
 tcp-udp eq 22
!
username admin privilege 15 secret 5 $1$Iu22$OiNXyxdNEkJiCzf3ulYe20
username greyduck privilege 15 secret 5 $1$MNkY$cpYetNgs4sPtiSg/ldVD31
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group LEFxxxx
 key xxxxx
 dns 192.168.100.102
 wins 192.168.100.102
 domain xxxx.local
 pool LEF
 acl 120
!
!
crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set RIGHT
 reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
archive
 log config
  hidekeys
!
!
ip ssh time-out 60
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address x.x.x.65 255.255.255.0 secondary
 ip address x.x.x.67 255.255.255.0 secondary
 ip address x.x.x.68 255.255.255.0 secondary
 ip address x.x.x.69 255.255.255.0 secondary
 ip address XXX1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map clientmap
!
interface Vlan1
 ip address 192.168.100.15 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip local pool LEF 192.168.11.10 192.168.11.20
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 x.x.x.254
ip route 172.16.100.0 255.255.255.0 192.168.100.90
no ip http server
no ip http secure-server
!
!
ip nat pool WAN XXX1 XXX1 prefix-length 24
ip nat pool WAN-65 x.x.x.65 x.x.x.65 prefix-length 24
ip nat pool WAN-67 x.x.x.67 x.x.x.67 prefix-length 24
ip nat pool WAN-69 x.x.x.69 x.x.x.69 prefix-length 24
ip nat pool WAN-68 x.x.x.68 x.x.x.68 prefix-length 24
ip nat inside source static 192.168.100.214 x.x.x.68
ip nat inside source list 100 pool WAN overload
ip nat inside source list 101 pool WAN-65 overload
ip nat inside source list 102 pool WAN-67 overload
ip nat inside source list 103 pool WAN-68 overload
ip nat inside source list 104 pool WAN-69 overload
ip nat inside source static tcp 192.168.100.213 25 XXX1 25 extendable
ip nat inside source static tcp 192.168.100.213 80 XXX1 80 extendable
ip nat inside source static tcp 192.168.100.213 110 XXX1 110 extendable
ip nat inside source static tcp 192.168.100.213 139 XXX1 139 extendable
ip nat inside source static tcp 192.168.100.213 143 XXX1 143 extendable
ip nat inside source static tcp 192.168.100.213 389 XXX1 389 extendable
ip nat inside source static tcp 192.168.100.213 443 XXX1 443 extendable
ip nat inside source static tcp 192.168.100.213 445 XXX1 445 extendable
ip nat inside source static tcp 192.168.100.213 1352 XXX1 1352 extendable
ip nat inside source static tcp 192.168.100.213 3101 XXX1 3101 extendable
ip nat inside source static tcp 192.168.100.197 6001 XXX1 6001 extendable
ip nat inside source static tcp 192.168.100.213 7443 XXX1 7443 extendable
ip nat inside source static tcp 192.168.100.213 8080 XXX1 8080 extendable
ip nat inside source static tcp 192.168.100.213 8085 XXX1 8085 extendable
ip nat inside source static tcp 192.168.100.213 8642 XXX1 8642 extendable
ip nat inside source static tcp 192.168.100.213 8889 XXX1 8889 extendable
ip nat inside source static tcp 192.168.100.213 28315 XXX1 28315 extendable
ip nat inside source static tcp 192.168.100.213 50125 XXX1 50125 extendable
ip nat inside source static tcp 192.168.100.220 3389 XXX1 63389 extendable
ip nat inside source static tcp 192.168.100.161 21 x.x.x.65 21 extendable
ip nat inside source static tcp 192.168.100.161 3389 x.x.x.65 3389 extendable
ip nat inside source static tcp 192.168.100.161 4899 x.x.x.65 4899 extendable
ip nat inside source static tcp 192.168.100.174 80 x.x.x.67 80 extendable
ip nat inside source static tcp 192.168.100.174 443 x.x.x.67 443 extendable
ip nat inside source static tcp 192.168.100.174 3389 x.x.x.67 3389 extendable
ip nat inside source static tcp 192.168.100.214 80 x.x.x.68 80 extendable
ip nat inside source static tcp 192.168.100.214 1352 x.x.x.68 1352 extendable
ip nat inside source static tcp 192.168.100.214 1533 x.x.x.68 1533 extendable
ip nat inside source static tcp 192.168.100.161 8088 x.x.x.68 8088 extendable
ip nat inside source static tcp 192.168.100.202 80 x.x.x.69 80 extendable
ip nat inside source static tcp 192.168.100.202 1494 x.x.x.69 1494 extendable
ip nat inside source static tcp 192.168.100.202 2598 x.x.x.69 2598 extendable
ip nat inside source static tcp 192.168.100.202 6001 x.x.x.69 6001 extendable
ip nat inside source static 192.168.100.202 x.x.x.69
!
ip access-list extended MANAGEMENT
 permit object-group SSH object-group SOURCE_MGMT any
ip access-list extended OUTSIDE/INSIDE
!
logging trap debugging
access-list 11 permit 192.168.100.161
access-list 12 permit 192.168.100.174
access-list 12 permit 192.168.100.192
access-list 13 permit 192.168.100.214
access-list 14 permit 192.168.100.202
access-list 100 deny   ip host 192.168.100.161 any
access-list 100 deny   ip host 192.168.100.174 any
access-list 100 deny   ip host 192.168.100.192 any
access-list 100 deny   ip host 192.168.100.202 any
access-list 100 deny   ip host 192.168.100.214 any
access-list 100 deny   ip 192.168.100.0 0.0.0.255 host 192.168.11.10
access-list 100 deny   ip 192.168.100.0 0.0.0.255 host 192.168.11.11
access-list 100 deny   ip 192.168.100.0 0.0.0.255 host 192.168.11.12
access-list 100 deny   ip 192.168.100.0 0.0.0.255 host 192.168.11.13
access-list 100 deny   ip 192.168.100.0 0.0.0.255 host 192.168.11.14
access-list 100 deny   ip 192.168.100.0 0.0.0.255 host 192.168.11.15
access-list 100 deny   ip 192.168.100.0 0.0.0.255 host 192.168.11.16
access-list 100 deny   ip 192.168.100.0 0.0.0.255 host 192.168.11.17
access-list 100 deny   ip 192.168.100.0 0.0.0.255 host 192.168.11.18
access-list 100 deny   ip 192.168.100.0 0.0.0.255 host 192.168.11.19
access-list 100 deny   ip 192.168.100.0 0.0.0.255 host 192.168.11.20
access-list 100 permit ip 192.168.100.0 0.0.0.255 any
access-list 101 deny   ip host 192.168.100.161 192.168.11.0 0.0.0.255
access-list 101 permit ip host 192.168.100.161 any
access-list 102 deny   ip host 192.168.100.174 192.168.11.0 0.0.0.255
access-list 102 deny   ip host 192.168.100.192 192.168.11.0 0.0.0.255
access-list 102 permit ip host 192.168.100.174 any
access-list 102 permit ip host 192.168.100.192 any
access-list 103 deny   ip host 192.168.100.214 192.168.11.0 0.0.0.255
access-list 103 permit ip host 192.168.100.214 any
access-list 104 deny   ip host 192.168.100.202 192.168.11.0 0.0.0.255
access-list 104 permit ip host 192.168.100.202 any
access-list 120 permit ip 192.168.100.0 0.0.0.255 any
!
!
!
!
!
radius-server host 192.168.100.212 auth-port 1645 acct-port 1646
radius-server key RADIUS
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class MANAGEMENT in
 transport input ssh
!
scheduler max-task-time 5000
end

Lef871(config)#

Hello

You have got it. Conditional static NAT is the right way. You must stop the NAT translation for the VPN address pool on the inside. Another solution is to use a tunnel, dynamic or static, for your VPN traffic. NAT outside is on your physical interface, not on the tunnel, and NAT will not do the translation if it sees that the outgoing interface has no NAT outside.

HTH,
Lei Tian

Sent from Cisco Technical Support iPhone App
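What the reply's "conditional static NAT" looks like against this thread's own config, as an added example (not the thread's fix, and not tested on the poster's 871): ACL 150 and the route-map name STATIC-NAT-NOT-VPN are assumed names; the Domino host is taken to be 192.168.100.214 because that is the host forwarded on x.x.x.68 port 1352 (the same change applies to 192.168.100.213 if that is the Domino server), and the VPN clients come from the LEF pool 192.168.11.10-20. The point is that the static entries for 192.168.100.214 are unconditional: the server's replies to a VPN client leave through FastEthernet4, which is both the "ip nat outside" interface and the interface the crypto map sits on, so their source is rewritten to x.x.x.68 before encryption and the client's TCP handshake never completes. The deny lines in ACLs 100 and 103 only steer the dynamic pools; they never touch static entries. Attaching a route-map to the static entries makes them apply only to non-VPN destinations.

```cisco
! Added example, not from the thread. Assumed names: ACL 150, route-map STATIC-NAT-NOT-VPN.
! 1. Describe the traffic the Domino server's static NAT SHOULD translate:
!    everything except flows to the VPN client pool (ip local pool LEF, 192.168.11.0/24).
access-list 150 deny   ip host 192.168.100.214 192.168.11.0 0.0.0.255
access-list 150 permit ip host 192.168.100.214 any
!
route-map STATIC-NAT-NOT-VPN permit 10
 match ip address 150
!
! 2. Replace the unconditional static entries for the Domino host with conditional ones.
!    The one-to-one static covers every protocol, so it needs the route-map too,
!    not only the port-specific 1352 entry.
no ip nat inside source static 192.168.100.214 x.x.x.68
ip nat inside source static 192.168.100.214 x.x.x.68 route-map STATIC-NAT-NOT-VPN
no ip nat inside source static tcp 192.168.100.214 1352 x.x.x.68 1352 extendable
ip nat inside source static tcp 192.168.100.214 1352 x.x.x.68 1352 extendable route-map STATIC-NAT-NOT-VPN
! Repeat for the 80 and 1533 entries on x.x.x.68 if VPN clients use those services as well.
!
! 3. Verify while a VPN client (192.168.11.10, say) connects to 192.168.100.214 port 1352.
!    An entry whose Inside global address is x.x.x.68 and whose Outside address is
!    192.168.11.x means the route-map is not matching and the reply is still rewritten.
show ip nat translations | include 192.168.11
```

The route-map is evaluated for sessions initiated from the inside; the existing port forwards initiated from the Internet keep using the static entry, but re-test them after the change. The IOS command reference also documents a "reversible" keyword on static route-map entries for the case where outside-initiated sessions should be subject to the route-map as well; it is not needed for this scenario.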

Tags: Cisco Security

Similar Questions

  • Cannot telnet ASA VPN remote

    Hello

    I set up a VPN between two sites using two Cisco ASAs. The VPN works perfectly, but I cannot telnet, SSH or run ASDM on the remote ASA; that is, if I'm on LAN1, I cannot telnet, SSH or run ASDM on ASA2, and vice versa.

    Just to test, the entire networks (LAN1 and LAN2) have all IP and ICMP authorized over the VPN, but no luck.

    I can connect to everything else between LAN1 and LAN2.

    On ASA1, I tried both

    telnet LAN2 netmask2 inside

    and

    telnet LAN2 netmask2 outside

    What's wrong?

    Thank you

    You will need:

    management-access inside

    HTH,

    John

  • Can I use two vpn set in my iPhone?

    Can I use two vpn set in my iPhone?

    Yes, you can, but not at the same time. You can add more than one VPN on your iPhone but can only use one at a time. Another way to use two VPNs at the same time is to have an extra router that connects to the two VPNs simultaneously. For more information on this, you can take a look at these answers: https://www.quora.com/Why-cant-I-use-two-VPN-at-the-same-time. Hope this will solve your problem on this subject.

  • MDS 9216, I can't telnet remote MDS

    I configured two MDS 9216s interconnected through FCIP over a WAN IP link. I telneted to the local MDS through the management interface and am able to ping the remote MDS, but I can't telnet to it. I can't even telnet into the local MDS itself.

    If I telnet to the remote MDS, it shows as connected but I never get the login prompt, and it ends with "Ctrl + C". Any idea why I can't telnet into the remote MDS?

    Thank you

    It is clear from your diagram that you do not have a separate path for the mgmt port and the FCIP link. Are you trying to telnet to the IP address of the IPS port? That can only be done to the IP address of the mgmt port; you can only telnet to the mgmt port. IPS ports, however, will respond to ICMP. It looks like your path and/or your telnet session is not taking a separate path to the mgmt IP address on the other side.

  • Inside the server can't ping remote vpn client

    My VPN client can build the VPN tunnel to my office ASA5510 successfully, and my VPN client can ping the internal server. But my internal server cannot ping the remote VPN client, even though the VPN client's Windows firewall is disabled.

    1. The internal server can ping the Internet through the ASA.

    2. The internal server cannot ping the VPN client.

    3. The VPN client can ping the internal server.

    Why can't the internal server ping the VPN client? Does the ASA only support VPN traffic in one direction?

    Thank you.

    Hello

    Enable inspect ICMP; this should work for you.

    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect icmp
      inspect icmp error

    inspect icmp

    To configure the ICMP inspection engine, use the inspect icmp command in class configuration mode. Class configuration mode is accessible from policy-map configuration mode.

    HTH

    Sandy

  • Cisco ASA 5510 - Cisco Client can connect to the VPN but cannot Ping!

    Hello

    I have an ASA 5510 with the configuration below. I have configured the ASA as a VPN server for remote access with the Cisco VPN client; now my problem is that I can connect but I cannot ping.

    Config

    ciscoasa# sh run
    : Saved
    :
    ASA Version 8.0(3)
    !
    hostname ciscoasa
    enable password 5QB4svsHoIHxXpF encrypted
    names
    name xxx.xxx.xxx.xxx SAP_router_IP_on_SAP
    name xxx.xxx.xxx.xxx ISA_Server_second_external_IP
    name xxx.xxx.xxx.xxx Mail_Server
    name xxx.xxx.xxx.xxx IncomingIP
    name xxx.xxx.xxx.xxx SAP
    name xxx.xxx.xxx.xxx Webserver
    name xxx.xxx.xxx.xxx cms_eservices_projects_sharepointold
    name 192.168.2.2 isa_server_outside
    !
    interface Ethernet0/0
     nameif outside
     security-level 0
     ip address IncomingIP 255.255.255.248
    !
    interface Ethernet0/1
     nameif inside
     security-level 100
     ip address 192.168.2.1 255.255.255.0
    !
    interface Ethernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Ethernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     nameif management
     security-level 100
     ip address 192.168.1.253 255.255.255.0
     management-only
    !
    passwd 123
    ftp mode passive
    clock timezone IS 2
    clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
    object-group service TCP_8081 tcp
     port-object eq 8081
    object-group service DM_INLINE_TCP_1 tcp
     port-object eq 3389
     port-object eq ftp
     port-object eq www
     port-object eq https
     port-object eq smtp
     port-object eq pop3
     port-object eq 3200
     port-object eq 3300
     port-object eq 3600
     port-object eq 3299
     port-object eq 3390
     port-object eq 50000
     port-object eq 3396
     port-object eq 3397
     port-object eq 3398
     port-object eq imap4
     port-object eq 587
     port-object eq 993
     port-object eq 8000
     port-object eq 8443
     port-object eq telnet
     port-object eq 3901
     group-object TCP_8081
     port-object eq 1433
     port-object eq 3391
     port-object eq 3399
     port-object eq 8080
     port-object eq 3128
     port-object eq 3900
     port-object eq 3902
     port-object eq 7777
     port-object eq 3392
     port-object eq 3393
     port-object eq 3394
     port-object eq 3395
     port-object eq 92
     port-object eq 91
     port-object eq 3206
     port-object eq 8001
     port-object eq 8181
     port-object eq 7778
     port-object eq 8180
     port-object eq 22222
     port-object eq 11001
     port-object eq 11002
     port-object eq 1555
     port-object eq 2223
     port-object eq 2224
    object-group service RDP tcp
     port-object eq 3389
    object-group service 3901 tcp
     description 3901
     port-object eq 3901
    object-group service 50000 tcp
     description 50000
     port-object eq 50000
    object-group service Enable_Transparent_Tunneling_UDP udp
     port-object eq 4500
    access-list inside_access_in remark connection to SAP
    access-list inside_access_in extended permit ip 192.168.2.0 255.255.255.0 host SAP_router_IP_on_SAP
    access-list inside_access_in remark outgoing VPN - PPTP
    access-list inside_access_in extended permit tcp 192.168.2.0 255.255.255.0 any eq pptp
    access-list inside_access_in remark outgoing VPN - GRE
    access-list inside_access_in extended permit gre 192.168.2.0 255.255.255.0 any
    access-list inside_access_in remark outgoing VPN - GRE
    access-list inside_access_in extended permit gre any any
    access-list inside_access_in remark outgoing VPN - Client IKE
    access-list inside_access_in extended permit udp 192.168.2.0 255.255.255.0 any eq isakmp
    access-list inside_access_in remark outgoing VPN - IPSecNAT-T
    access-list inside_access_in extended permit udp 192.168.2.0 255.255.255.0 any eq 4500
    access-list inside_access_in remark outgoing DNS
    access-list inside_access_in extended permit udp any any eq domain
    access-list inside_access_in remark outgoing DNS
    access-list inside_access_in extended permit tcp any any eq domain
    access-list inside_access_in remark forwarded Ports
    access-list inside_access_in extended permit tcp 192.168.2.0 255.255.255.0 any object-group DM_INLINE_TCP_1
    access-list inside_access_in extended permit ip 172.16.1.0 255.255.255.0 any
    access-list outside_access_in extended permit ip any any
    access-list outside_access_in extended permit tcp any any eq pptp
    access-list outside_access_in extended permit gre any any
    access-list outside_access_in extended permit gre any host Mail_Server
    access-list outside_access_in extended permit tcp any host Mail_Server eq pptp
    access-list outside_access_in extended permit esp any any
    access-list outside_access_in extended permit ah any any
    access-list outside_access_in extended permit udp any any eq isakmp
    access-list outside_access_in extended permit udp any any object-group Enable_Transparent_Tunneling_UDP
    access-list VPN standard permit 192.168.2.0 255.255.255.0
    access-list corp_vpn extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    ip local pool POOL 172.16.1.10-172.16.1.20 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-603.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 2 Mail_Server netmask 255.0.0.0
    global (outside) 1 interface
    global (inside) 2 interface
    nat (inside) 0 access-list corp_vpn
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp Mail_Server 8001 ISA_Server_second_external_IP 8001 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server 8000 ISA_Server_second_external_IP 8000 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server pptp isa_server_outside pptp netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server smtp isa_server_outside smtp netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server 587 isa_server_outside 587 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server 9444 isa_server_outside 9444 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server 9443 isa_server_outside 9443 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server 3389 isa_server_outside 3389 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server 3390 isa_server_outside 3390 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server 3901 isa_server_outside 3901 netmask 255.255.255.255
    static (inside,outside) tcp SAP 50000 isa_server_outside 50000 netmask 255.255.255.255
    static (inside,outside) tcp SAP 3200 isa_server_outside 3200 netmask 255.255.255.255
    static (inside,outside) tcp SAP 3299 isa_server_outside 3299 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server www isa_server_outside www netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server https isa_server_outside https netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server pop3 isa_server_outside pop3 netmask 255.255.255.255
    static (inside,outside) tcp Mail_Server imap4 isa_server_outside imap4 netmask 255.255.255.255
    static (inside,outside) tcp cms_eservices_projects_sharepointold 9999 isa_server_outside 9999 netmask 255.255.255.255
    static (inside,outside) 192.168.2.0 access-list corp_vpn
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set transet esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map dynmap 10 set pfs
    crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA transet
    crypto map cryptomap 10 ipsec-isakmp dynamic dynmap
    crypto map cryptomap interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    crypto isakmp policy 30
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    no crypto isakmp nat-traversal
    telnet 192.168.2.0 255.255.255.0 inside
    telnet 192.168.1.0 255.255.255.0 management
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx interface inside
    dhcpd domain domain.local interface inside
    !
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics access-list
    tftp-server management 192.168.1.123
    group-policy mypolicy internal
    group-policy mypolicy attributes
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value VPN
    username vpdn password 123
    username vpdn attributes
     vpn-group-policy mypolicy
     service-type remote-access
    tunnel-group mypolicy type remote-access
    tunnel-group mypolicy general-attributes
     address-pool
     default-group-policy mypolicy
    tunnel-group mypolicy ipsec-attributes
     pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect pptp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:b8bb19b6cb05cfa9ee125ad7bc5444ac
    : end

    Thank you very much.

    Hello

    You probably need

    policy-map global_policy
     class inspection_default
      inspect icmp
      inspect icmp error

    Your Tunnel of Split and NAT0 configurations seem to.

    -Jouni

  • Can't access secondary VPN client subnet

    Please can someone help with the following: I have an ASA 5510 running v8.4(3)9 and have set up a remote user VPN using Cisco VPN client v5.0.07.0410, which is working apart from the fact that I cannot access resources on a secondary subnet.

    The configuration is the following:

    ASA inside the interface on 192.168.10.240

    VPN clients on 192.168.254.x

    I can access resources on the 192.168.10 subnet but not on any other internal subnet. I need to specifically allow access to the 192.168.20 subnet, but I cannot figure out how. Please advise; the config is below:

    Output from the command: 'show startup-config'.

    !
    ASA Version 8.4(3)9
    !
    hostname
    domain-name

    enable password encrypted
    passwd encrypted
    names
    dns-guard
    !
    interface Ethernet0/0
     nameif outside
     security-level 0
     ip address 255.255.255.224
    !
    interface Ethernet0/1
     nameif inside
     security-level 100
     ip address 192.168.10.240 255.255.255.0
    !
    interface Ethernet0/2
     nameif DMZ
     security-level 50
     ip address 10.10.10.253 255.255.255.0
    !
    interface Ethernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     nameif management
     security-level 100
     ip address 192.168.1.1 255.255.255.0
     management-only
    !
    boot system disk0:/asa843-9-k8.bin
    boot system disk0:/asa823-k8.bin
    ftp mode passive
    clock timezone GMT/UTC 0
    clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
    dns domain-lookup outside
    dns domain-lookup inside
    dns server-group DefaultDNS
     name-server 194.168.4.123
     name-server 194.168.8.123
     domain-name nifcoeu.com
    object network obj-192.168.0.0
     subnet 192.168.0.0 255.255.255.0
    object network obj-192.168.5.0
     subnet 192.168.5.0 255.255.255.0
    object network obj-192.168.10.0
     subnet 192.168.10.0 255.255.255.0
    object network obj-192.168.100.0
     subnet 192.168.100.0 255.255.255.0
    object network obj-192.168.254.0
     subnet 192.168.254.0 255.255.255.0
    object network obj-192.168.20.1
     host 192.168.20.1
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object network obj_any-01
     subnet 0.0.0.0 0.0.0.0
    object network obj-0.0.0.0
     host 0.0.0.0
    object network obj_any-02
     subnet 0.0.0.0 0.0.0.0
    object network obj-10.10.10.1
     host 10.10.10.1
    object network obj_any-03
     subnet 0.0.0.0 0.0.0.0
    object network obj_any-04
     subnet 0.0.0.0 0.0.0.0
    object network obj_any-05
     subnet 0.0.0.0 0.0.0.0
    object network NS1000_EXT
     host 80.4.146.133
    object network NS1000_INT
     host 192.168.20.1
    object network SIP_REGISTRAR
     host 83.245.6.81
    object service SIP_INIT_TCP
     service tcp destination eq sip
    object service SIP_INIT_UDP
     service udp destination eq sip
    object network NS1000_DSP
     host 192.168.20.2
    object network SIP_VOICE_CHANNEL
     host 83.245.6.82
    object service DSP_UDP
     service udp destination range 6000 40000
    object service DSP_TCP
     service tcp destination range 6000 40000
    object network 20_range_subnet
     subnet 192.168.20.0 255.255.255.0
     description voice subnet
    object network 25_range_Subnet
     subnet 192.168.25.0 255.255.255.0
     description Client PC devices VLAN 25
    object-group network ISP_NAT
    object-group protocol TCPUDP
     protocol-object udp
     protocol-object tcp
    object-group service SIP_INIT tcp-udp
     port-object eq sip
    object-group service DSP_TCP_UDP tcp-udp
     port-object range 6000 40000
    access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.254.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip object 20_range_subnet 192.168.254.0 255.255.255.0
    access-list Remote-VPN_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
    access-list Remote-VPN_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
    access-list 100 extended permit object-group TCPUDP object SIP_REGISTRAR object NS1000_INT object-group SIP_INIT
    access-list 100 extended permit object-group TCPUDP object SIP_VOICE_CHANNEL object NS1000_DSP object-group DSP_TCP_UDP
    access-list 100 extended permit ip 62.255.171.0 255.255.255.224 any
    access-list 100 extended permit icmp any any echo-reply inactive
    access-list 100 extended permit icmp any any time-exceeded inactive
    access-list 100 extended permit icmp any any unreachable inactive
    access-list 100 extended permit tcp any host 10.10.10.1 eq ftp
    access-list 100 extended permit tcp any host 10.10.10.1 eq ftp-data
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    mtu management 1500
    ip local pool VPN-Pool 192.168.254.1-192.168.254.254 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-647.bin
    asdm history enable
    arp timeout 14400
    nat (inside,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.5.0 obj-192.168.5.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.100.0 obj-192.168.100.0 no-proxy-arp route-lookup
    nat (inside,any) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.254.0 obj-192.168.254.0 no-proxy-arp route-lookup
    nat (outside,inside) source static SIP_REGISTRAR SIP_REGISTRAR destination static interface NS1000_INT service SIP_INIT_TCP SIP_INIT_TCP
    nat (outside,inside) source static SIP_REGISTRAR SIP_REGISTRAR destination static interface NS1000_INT service SIP_INIT_UDP SIP_INIT_UDP
    !
    object network obj_any
     nat (inside,outside) dynamic interface
    object network obj_any-01
     nat (inside,outside) dynamic obj-0.0.0.0
    object network obj_any-02
     nat (inside,DMZ) dynamic obj-0.0.0.0
    object network obj-10.10.10.1
     nat (DMZ,outside) static 80.4.146.134
    object network obj_any-03
     nat (DMZ,outside) dynamic obj-0.0.0.0
    object network obj_any-04
     nat (management,outside) dynamic obj-0.0.0.0
    object network obj_any-05
     nat (management,DMZ) dynamic obj-0.0.0.0
    access-group 100 in interface outside
    route outside 0.0.0.0 0.0.0.0 80.4.146.129 1
    route inside 192.168.20.0 255.255.255.0 192.168.10.254 1
    route inside 192.168.25.0 255.255.255.0 192.168.10.254 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 192.168.10.0 255.255.255.0 inside
    http 192.168.25.0 255.255.255.0 inside
    http 62.255.171.0 255.255.255.224 outside
    http 192.168.254.0 255.255.255.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint ASDM_TrustPoint0
     enrollment self
     subject-name CN=
     crl configure
    crypto ca trustpoint _SmartCallHome_ServerCA
     crl configure
    crypto ca certificate chain ASDM_TrustPoint0
     certificate 2f0e024d
      quit
    crypto ca certificate chain _SmartCallHome_ServerCA
     certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
      quit
    crypto isakmp identity address
    crypto ikev1 enable outside
    crypto ikev1 policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet 192.168.1.0 255.255.255.0 management
    telnet timeout 5
    ssh 62.255.171.0 255.255.255.224 outside
    ssh 192.168.254.0 255.255.255.0 outside
    ssh 192.168.10.0 255.255.255.0 inside
    ssh 192.168.25.0 255.255.255.0 inside
    ssh timeout 5
    ssh version 2
    console timeout 0
    vpn-sessiondb max-other-vpn-limit 250
    vpn-sessiondb max-anyconnect-premium-or-essentials-limit 2
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 192.168.10.6 source inside prefer
    webvpn
    group-policy Remote-VPN internal
    group-policy Remote-VPN attributes
     wins-server value 192.168.10.21 192.168.10.22
     dns-server value 192.168.10.21 192.168.10.22
     vpn-tunnel-protocol ikev1
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value Remote-VPN_splitTunnelAcl
     default-domain value
    username <empty> password <empty> encrypted privilege 0
    username <empty> attributes
     vpn-group-policy Remote-VPN
    username <empty> password encrypted privilege 0
    username <empty> attributes
     vpn-group-policy Remote-VPN
    tunnel-group Remote-VPN type remote-access
    tunnel-group Remote-VPN general-attributes
     address-pool VPN-Pool
     default-group-policy Remote-VPN
    tunnel-group Remote-VPN ipsec-attributes
     ikev1 pre-shared-key *
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    maximum message length automatic of customer
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the netbios
    inspect the tftp
    Review the ip options
    inspect the sip
    !
    global service-policy global_policy
    context of prompt hostname
    no remote anonymous reporting call
    call-home
    contact-email-addr

    Profile of CiscoTAC-1
    http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
    email address of destination [email protected] / * /
    destination-mode http transport
    Subscribe to alert-group diagnosis
    Subscribe to alert-group environment
    Subscribe to alert-group monthly periodic inventory
    monthly periodicals to subscribe to alert-group configuration
    daily periodic subscribe to alert-group telemetry
    Cryptochecksum:b8263c5aa7a6a4d9cb08368c042ea236

    Hi Simon,

    Please try this and let me know.

    nat (inside,any) source static 20_range_subnet 20_range_subnet destination static obj-192.168.254.0 obj-192.168.254.0

    Let me know, if this can help.

    Thank you

    Rizwan James

  • Can connect via the VPN, but cannot see the files

    I can connect via VPN to my company network, but the files do not show up under Vista. I have no problem seeing them on my old Windows PC, so this is a Vista-specific problem. On my old system, I just click on Computer and it shows me my company's shares on the network. Not on Vista: I cannot find them anywhere, even when I am connected via VPN. Where are they?

    Hello

    Since it is the company's network, there is no way to know how security is configured, unless you are the IT person in the company.

    Do not "mess up" your computer; first talk to the person in charge of VPN connections.

    Jack - Microsoft MVP, Windows networking. WWW.EZLAN.NET

  • SRA 4600 - users to limit who can connect to the VPN

    We have an SRA 4600 and wish to restrict access to the VPN to only a handful of our Active Directory users. That is, when they visit the web page for the SRA and try to log on, once they connect they are told whether they have VPN access. That, or else they are simply not able to open a session at all.

    How we would accomplish this?

    Since you are using AD, you can create local groups on your device and then restrict access to specific AD groups. The way I work it is that a domain has several groups assigned to it, and whenever someone logs in, they are shown the bookmarks for the groups they have access to (yes, it works if you are in more than one group).

    If you don't want people to connect at all, make sure that they are not members of the AD groups that have access.

    You can find the setting under Users -> Groups -> Edit -> AD Groups. This tab appears only if the group is assigned to an AD domain (under Portals -> Domains).

    NetExtender may be restricted in the same way: just make sure it is available only to the groups you want to have it.

  • I can NAT before the VPN Tunnel?

    Hello

    I want to add servers to an existing site-to-site IPsec tunnel configuration for transport.

    However, I have to NAT these machines for presentation to the other side.

    For a Cisco 1760 (VPN termination point) running 12.3 code, is this possible?

    If it's possible, could I get a link to a config? Or maybe an excerpt here?

    We use two interfaces ethernet for this:

    Ethernet1/0 is inside

    ethernet0/0 is outside

    Can't seem to find any documentation for it.

    Thank you

    Paul

    It is the "NAT order of operation" used by Cisco devices; it seems that NAT happens before the crypto check anyway:

    http://www.Cisco.com/en/us/Tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

    Regards

    Farrukh

  • Can also interface with VPN remote site also for another use?

    Hi all

    Can an interface used for the remote-site VPN on a PIX also be used for another function, for example for the SMTP server and web publishing?

    Thank you!

    Best regards

    Teru Lei

    Yes! of course you can. Just try it.

    --

    Alexis Fidalgo

    Systems engineer

    AT & T Argentina

  • Can I cross two VPN on two interfaces?

    Please see the diagram attached pdf.

    I can successfully pass 192.168.60.0 traffic to the DMZ and the internal network.

    I can pass 192.168.20.0 traffic to the DMZ and the internal network.

    The problem is that I cannot pass traffic from one network to the other through the two VPNs. For example, I cannot go from 192.168.60.0 to 192.168.20.0, or vice versa.

    Any ideas as to why it doesn't work?

    Thanks in advance.

    I was wondering whether both the 1751 router's and the PIX 501's no-nat and crypto ACLs include the other subnet. In addition, on the PIX 515, both subnets should be included for each of the two LAN-to-LAN VPNs.

    For example, on the 1751 router:

    ip access-list extended no_nat
     permit ip 192.168.20.0 0.0.0.255 172.24.0.0 0.0.0.255
     permit ip 192.168.20.0 0.0.0.255 192.168.1.0 0.0.0.255
     permit ip 192.168.20.0 0.0.0.255 192.168.60.0 0.0.0.255
    ip access-list extended lan2lan
     permit ip 192.168.20.0 0.0.0.255 172.24.0.0 0.0.0.255
     permit ip 192.168.20.0 0.0.0.255 192.168.1.0 0.0.0.255
     permit ip 192.168.20.0 0.0.0.255 192.168.60.0 0.0.0.255

    On the PIX 501:

    access-list no_nat permit ip 192.168.60.0 255.255.255.0 172.24.0.0 255.255.255.0
    access-list no_nat permit ip 192.168.60.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list no_nat permit ip 192.168.60.0 255.255.255.0 192.168.20.0 255.255.255.0
    access-list lan2lan permit ip 192.168.60.0 255.255.255.0 172.24.0.0 255.255.255.0
    access-list lan2lan permit ip 192.168.60.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list lan2lan permit ip 192.168.60.0 255.255.255.0 192.168.20.0 255.255.255.0

    On the PIX 515:

    access-list vpn1_1751 permit ip 172.24.0.0 255.255.255.0 192.168.20.0 255.255.255.0
    access-list vpn1_1751 permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
    access-list vpn1_1751 permit ip 192.168.60.0 255.255.255.0 192.168.20.0 255.255.255.0
    access-list vpn2_501 permit ip 172.24.0.0 255.255.255.0 192.168.60.0 255.255.255.0
    access-list vpn2_501 permit ip 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0
    access-list vpn2_501 permit ip 192.168.20.0 255.255.255.0 192.168.60.0 255.255.255.0

    The only bit I don't know is the no-nat on the PIX 515. I guess we should give it a go first, then troubleshoot the no-nat.
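    As an added example (not part of the thread), a small Python check of the mirror rule the answer above relies on: every crypto ACL entry on a spoke must appear reversed in the hub's ACL for that peer, or that one flow is dropped while the tunnel itself stays up. The ACL lines are constructed to match the subnets above, with the PIX 501's 192.168.20.0 entry left out so the check has something to report.

```python
import ipaddress
Pair = tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]

# Constructed sample ACLs modelled on the thread's hub-and-spoke layout.
# The 1751 router uses IOS wildcard masks; the PIX boxes use subnet masks.
ROUTER_1751_LAN2LAN = [
    "access-list lan2lan permit ip 192.168.20.0 0.0.0.255 172.24.0.0 0.0.0.255",
    "access-list lan2lan permit ip 192.168.20.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list lan2lan permit ip 192.168.20.0 0.0.0.255 192.168.60.0 0.0.0.255",
]
HUB_VPN1_1751 = [
    "access-list vpn1_1751 permit ip 172.24.0.0 255.255.255.0 192.168.20.0 255.255.255.0",
    "access-list vpn1_1751 permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0",
    "access-list vpn1_1751 permit ip 192.168.60.0 255.255.255.0 192.168.20.0 255.255.255.0",
]
PIX_501_LAN2LAN = [  # the 192.168.20.0 entry is deliberately left out
    "access-list lan2lan permit ip 192.168.60.0 255.255.255.0 172.24.0.0 255.255.255.0",
    "access-list lan2lan permit ip 192.168.60.0 255.255.255.0 192.168.1.0 255.255.255.0",
]
HUB_VPN2_501 = [
    "access-list vpn2_501 permit ip 172.24.0.0 255.255.255.0 192.168.60.0 255.255.255.0",
    "access-list vpn2_501 permit ip 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0",
    "access-list vpn2_501 permit ip 192.168.20.0 255.255.255.0 192.168.60.0 255.255.255.0",
]

def parse_crypto_acl(lines: list[str]) -> set[Pair]:
    """(source, destination) pairs an ACL permits; ipaddress accepts a
    wildcard mask as well as a subnet mask, so IOS and PIX lines parse alike."""
    pairs: set[Pair] = set()
    for line in lines:
        t = line.split()
        if len(t) < 8 or t[0] != "access-list" or t[2:4] != ["permit", "ip"]:
            raise ValueError(f"unsupported ACL line: {line}")
        pairs.add((ipaddress.ip_network(f"{t[4]}/{t[5]}", strict=False),
                   ipaddress.ip_network(f"{t[6]}/{t[7]}", strict=False)))
    return pairs

def missing_mirrors(spoke: set[Pair], hub: set[Pair]) -> list[Pair]:
    """Each spoke (src, dst) must appear on the hub as (dst, src) and vice versa;
    a one-sided entry is a proxy-identity mismatch that drops just that flow."""
    missing = {(s, d) for (s, d) in spoke if (d, s) not in hub}
    missing |= {(d, s) for (s, d) in hub if (d, s) not in spoke}
    return sorted(missing, key=str)

def audit(spoke_lines: list[str], hub_lines: list[str]) -> list[str]:
    """Flows present on only one side, as 'src -> dst' strings (spoke view)."""
    return [f"{s} -> {d}" for s, d in
            missing_mirrors(parse_crypto_acl(spoke_lines), parse_crypto_acl(hub_lines))]
```

    Running audit(PIX_501_LAN2LAN, HUB_VPN2_501) reports the 192.168.60.0/24 -> 192.168.20.0/24 flow as missing on the spoke, while the 1751/515 pair comes back clean.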

  • How can I start a VPN site-to-site connection

    How can I set up a site-to-site VPN connection?

    Thank you

    Ok.. If the other end is a router, here is the link to an ASA <--> router L2L tunnel.

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805e8c80.shtml

    HTH

    MS

  • A PIX 501 can connect to a VPN service?

    Can a PIX 501 running 6.3(4) establish a VPN to a provider like www.privateinternetaccess.com? They claim to support PPTP and L2TP/IPsec. If so, how should the PIX be configured?

    Thank you.

    No, none of the networking gear (incl. ASA) can be configured as a PPTP or L2TP-over-IPsec client.

    Both are PC or MAC software.

  • How can I block a VPN user from logging in while AD is used for authentication

    We currently use Active Directory to authenticate via IPsec VPN.

    An employee was let go... then his AD account was disabled.

    However, there is another AD username and password which cannot be disabled because it is used by other services.

    Our entire company is in one group policy.

    My question is: how would I block her access to the network?

    No, you will not have to configure a new group policy. All you have to do is create a DAP policy saying that if a user comes in with this RADIUS or LDAP attribute (the username, in your case), apply a certain policy (terminate) to her. All other users, since they do not match this criterion, will hit the default DAP policy, which allows them in normally without applying any policy to them.
