Cannot access the subnet
Hello, I'm new to the ASA.
On an ASA5505 running 7.2(4), I am trying to allow traffic between two LANs.
I have the local network 192.168.1.0 and a 192.168.2.0 subnet behind another router. I also have an IPsec VPN on the security appliance.
When a computer in the first network (192.168.1.0) connects to the internet through the ASA, it loses connectivity to the other subnet (192.168.2.0). The ASA blocks all traffic between the networks.
I applied the same-security-traffic permit intra-interface command. I also applied the command
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
and added the static route route inside 192.168.2.0 255.255.255.0 192.168.1.254 1, but nothing works.
When I send an ICMP echo, NAT drops the packet.
The output of packet tracer is as follows:
FLOW-LOOKUP ALLOW
ROUTE-LOOKUP ALLOW
ACCESS-LIST ALLOW
IP-OPTIONS ALLOW
INSPECT ALLOW
NAT-EXEMPT ALLOW
NAT ALLOW
NAT ALLOW
HOST-LIMIT ALLOW
NAT DROP
The packet is dropped by NAT, and the same happens for port 3389 (Remote Desktop).
Thank you in advance.
Are you trying to hairpin traffic on the inside interface?
In general, it is not advisable. If the traffic must be routed before the ASA, make sure the router routes traffic from one subnet to the other. The ASA does not need to see traffic that goes from inside to inside.
Now, if you still insist, you can try putting in translations for both the source and the destination. In other words, you need identity translations for 192.168.1.0/24 and 192.168.2.0/24. You are NAT-exempting one direction but not the way back.
You can try:
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
Then run packet-tracer again to see whether it still fails.
I hope it helps.
PK
Tags: Cisco Security
Similar Questions
-
Cannot access the AIP SSM via ASDM
Cisco recommendations below:
Cannot access the AIP SSM via ASDM
Problem:
This error message appears on the GUI.
Error connecting to sensor. Error Loading Sensor error
Solution:
Make sure that the IPS SSM management interface is up and check its configured IP address, default gateway and subnet mask. This is the interface used to reach the software from Cisco Adaptive Security Device Manager (ASDM) on the local computer. Try to ping the IPS SSM management interface IP address from the local computer on which you want to run ASDM. If you cannot ping it, check the ACLs on the sensor.
----------------------------------------------------------------------------------------------------------------------------------------------
I've tried everything recommended above. I can ping the ASDM host from the FW and from the SSM-10 module. Likewise, I can ping the host machine and the SSM from ASDM. I opened the ACL as wide as possible. I changed the IP addresses and masks several times. The ASA management port, the SSM and the PC are all on the same subnet.
A packet trace from the PC to the SSM shows that it is blocked by an ACL rule, and yet I opened it wide. I've seen this kind of problem before and it was solved by applying a double static NAT, but I don't know how to do that when all the IP addresses are on the same subnet.
I've tried everything; I need help from a higher level.
The IDM software that comes with ASDM does not support Java 1.7. The ASDM part for the ASA supports 1.7, but launching the IPS applet only works with 1.6. The TAC engineer suggested that I use IME (IPS Manager Express), which is available for free on Cisco's website (http://www.cisco.com/en/US/products/ps9610/tsd_products_support_general_information.html).
I've been playing with it today, and so far it seems to work pretty well.
-
AnyConnect VPN users cannot access remote subnets?
I googled this until I was blue in the face without result. I don't understand why Cisco makes this so difficult. When clients connect to the AnyConnect VPN, they can access the local subnet but cannot access resources in the remote offices. What do I need to do to allow my AnyConnect VPN clients access to my remote sites?
Cisco 5510, 8.4
Hello
What are the remote sites using as their Internet gateway? Does their default route lead to this ASA, or do they have their own Internet gateway? If they use this ASA for their Internet connection, then they should already have a default route that leads VPN pool traffic to it, even if they have no specific route for the VPN pool itself. If they use their own local Internet gateway and their default route does not point to this ASA, then you would naturally need a route on the remote site (and on anything in between) telling the remote site where to reach the 10.10.224.0/24 VPN pool network.
In addition to routing, you must have NAT0 configured for each remote site and the VPN pool.
A simple example of a NAT0 configuration for 4 networks behind the ASA and a single VPN pool might look like this:
object-group network REMOTE-SITES
 network-object 10.10.10.0 255.255.255.0
 network-object 10.10.20.0 255.255.255.0
 network-object 10.10.30.0 255.255.255.0
 network-object 10.10.40.0 255.255.255.0
object network VPN-POOL
 subnet 10.10.224.0 255.255.255.0
nat (inside,outside) source static REMOTE-SITES REMOTE-SITES destination static VPN-POOL VPN-POOL
The above of course assumes that the remote sites are located behind the 'inside' interface (for example over an MPLS network), and naturally the remote site networks are made up for the sake of the example.
Since you are using a full-tunnel VPN, there should be no problem with VPN users forwarding traffic to this ASA.
The first things I would check are the NAT0 configuration on the ASA and the routing between the remote sites and this ASA (for reaching the VPN pool, not the ASA's own network IP address).
Are you sure that the configuration above is related to this? It's my understanding that AnyConnect uses only IKEv2, and the above is strictly defined for IKEv1.
-Jouni
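The checker below is added here as an example and is not code from either thread. It reads the two NAT-exemption syntaxes discussed on this page, the pre-8.3 nat0 access-list from the 7.2(4) question and the 8.3+ object-based manual NAT from the AnyConnect answer, and reports exempt pairs whose return direction has no entry (PK's "exempting one way but not the way back") as well as required flows that nothing exempts. Assumptions, all mine: a pre-8.3 access-list entry is treated as covering only the direction it names, which is the hairpin case PK describes; an 8.3+ `nat ... source static X X destination static Y Y` line is treated as bidirectional, the ASA default unless `unidirectional` is appended; only `address mask` entries (no `host`/`any`) are parsed; every configuration snippet in the block is constructed, and the function names are not from any Cisco tool.

```python
"""Check that an ASA NAT-exemption configuration covers the flows you expect.

Added example, not code from the posts. Handles pre-8.3 nat0 access-lists
(treated as directional) and 8.3+ manual NAT with network objects (treated
as bidirectional, the ASA default). Configuration text is constructed.
"""
import ipaddress
import re

ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT_RE = re.compile(r"^nat \(\S+,\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)$")


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def exempt_pairs(config):
    """Return the set of (src_net, dst_net) pairs the config exempts from NAT."""
    objects = {}     # object / object-group name -> list of networks
    current = None   # name of the object block whose members are being read
    pairs = set()
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(("object network ", "object-group network ")):
            current = line.split()[-1]
            objects[current] = []
            continue
        if raw[0].isspace() and current is not None:      # indented member line
            tok = line.split()
            if tok[0] == "subnet":
                objects[current].append(_net(tok[1], tok[2]))
            elif tok[:2] == ["network-object", "object"]:
                objects[current].extend(objects.get(tok[2], []))
            elif tok[0] == "network-object":
                objects[current].append(_net(tok[1], tok[2]))
            continue
        current = None                                     # back at top level
        if m := ACL_RE.match(line):
            name, sa, sm, da, dm = m.groups()
            if "nat0" in name.lower():                     # pre-8.3 exemption ACL
                pairs.add((_net(sa, sm), _net(da, dm)))
        elif m := NAT_RE.match(line):
            s_real, s_mapped, d_real, d_mapped = m.groups()
            if s_real == s_mapped and d_real == d_mapped:  # identity translation only
                for s in objects.get(s_real, []):
                    for d in objects.get(d_real, []):
                        pairs.add((s, d))
                        pairs.add((d, s))                  # manual NAT is bidirectional
    return pairs


def covered(src, dst, pairs):
    """True when some exempt pair contains both src and dst."""
    return any(src.subnet_of(ps) and dst.subnet_of(pd) for ps, pd in pairs)


def missing_reverse(pairs):
    """Exempt pairs whose return direction has no entry ('one way but not the way back')."""
    return {(s, d) for s, d in pairs if not covered(d, s, pairs)}


def uncovered_flows(required, pairs):
    """Required (src, dst) flows, given as strings, that nothing exempts."""
    return [(s, d) for s, d in required
            if not covered(ipaddress.ip_network(s), ipaddress.ip_network(d), pairs)]


def report(config, required=()):
    """Count of exempt pairs, pairs lacking a return entry, required flows not covered."""
    pairs = exempt_pairs(config)
    return {
        "pairs": len(pairs),
        "missing_reverse": sorted(f"{s} -> {d}" for s, d in missing_reverse(pairs)),
        "uncovered": [f"{s} -> {d}" for s, d in uncovered_flows(required, pairs)],
    }


# Constructed: the 7.2(4) poster's exemption, one direction only.
CFG_72_ONE_WAY = """\
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""
# Constructed: PK's suggestion, the same ACL with the return direction added.
CFG_72_FIXED = CFG_72_ONE_WAY + \
    "access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0\n"
# Constructed: the 8.4 object-based exemption from the AnyConnect answer.
CFG_84 = """\
object-group network REMOTE-SITES
 network-object 10.10.10.0 255.255.255.0
 network-object 10.10.20.0 255.255.255.0
 network-object 10.10.30.0 255.255.255.0
 network-object 10.10.40.0 255.255.255.0
object network VPN-POOL
 subnet 10.10.224.0 255.255.255.0
nat (inside,outside) source static REMOTE-SITES REMOTE-SITES destination static VPN-POOL VPN-POOL
"""

if __name__ == "__main__":
    print(report(CFG_72_ONE_WAY))
    print(report(CFG_72_FIXED))
    print(report(CFG_84, [("10.10.30.0/24", "10.10.224.0/24"), ("10.10.224.0/24", "10.10.30.0/24")]))
```

Run it against a `show running-config` capture and feed `report()` the site-to-pool flows you expect to work; a non-empty `uncovered` list is the first thing to look at before reaching for packet-tracer.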
-
Cannot access the LAN with the Easy VPN configuration
Hello
I configured an Easy VPN server on a Cisco 1905 ISR using CCP. The router is already configured with a zone-based firewall. With the VPN client I can only reach the internal interface of the router, but I cannot access my company's LAN. Do I need to change the ZBF configuration, since it is configured as "deny everything" from outside to inside? If so, which protocols should I match? Also, is there any NAT exemption needed for the VPN clients? Please help me! Thanks in advance.
Please see my full configuration:
Router#sh run
Building configuration...
Current configuration : 8150 bytes
!
! Last configuration change at 05:40:32 UTC Wed Jul 4 2012 by
! NVRAM config last updated at 06:04 UTC Tue Jul 3 2012 by
! NVRAM config last updated at 06:04 UTC Tue Jul 3 2012 by
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
security passwords min-length 6
no logging buffered
enable secret 5 xxxxxxxxxxx
!
aaa new-model
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
aaa session-id common
!
no ipv6 cef
ip source-route
no ip gratuitous-arps
ip cef
!
ip name-server xxxxxxxxx
ip name-server yyyyyyyyy
!
multilink bundle-name authenticated
!
parameter-map type urlfpolicy local TSQ-URL-FILTER
 alert on
 block-page message "Blocked according to policy"
parameter-map type urlf-glob FACEBOOK
 pattern facebook.com
 pattern *.facebook.com
parameter-map type urlf-glob YOUTUBE
 pattern youtube.com
 pattern *.youtube.com
parameter-map type urlf-glob CRICKET
 pattern espncricinfo.com
 pattern *.espncricinfo.com
parameter-map type urlf-glob CRICKET1
 pattern webcric.com
 pattern *.webcric.com
parameter-map type urlf-glob YAHOO
 pattern *.yahoo.com
 pattern yahoo.com
parameter-map type urlf-glob PERMITTEDSITES
 pattern *
parameter-map type urlf-glob HOTMAIL
 pattern hotmail.com
 pattern *.hotmail.com
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2049533683
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2049533683
 revocation-check none
 rsakeypair TP-self-signed-2049533683
!
crypto pki trustpoint tti
 revocation-check crl
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
 subject-name [email protected]
 revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-4966226213
 certificate self-signed 01
  3082022B 30820194 02111101 300D0609 2A864886 F70D0101 05050030 A0030201
  2 060355 04031326 494F532D 53656C66 2D536967 6E65642D 43647274 31312F30
  69666963 32303439 35323236 6174652D 3833301E 170D3132 30363232 30363332
  quit
crypto pki certificate chain tti
crypto pki certificate chain test_trustpoint_config_created_for_sdm
license udi pid CISCO1905/K9 sn xxxxxx
license boot module c1900 technology-package datak9
username xxxxx privilege 15 password 0 xxxxxxx
!
redundancy
!
!
class-map type inspect match-any tsq-inspection-traffic
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
 match protocol l2tp
class-map type urlfilter match-all BLOCKEDSITES
 match server-domain urlf-glob FACEBOOK
 match server-domain urlf-glob YOUTUBE
 match server-domain urlf-glob CRICKET
 match server-domain urlf-glob CRICKET1
 match server-domain urlf-glob HOTMAIL
class-map type urlfilter match-all PERMITTEDSITES
 match server-domain urlf-glob PERMITTEDSITES
class-map type inspect match-all tsq-insp-traffic
 match class-map tsq-inspection-traffic
class-map type inspect match-all tsq-http
 match protocol http
class-map type inspect match-any tsq-icmp
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all tsq-invalid-src
 match access-group 100
class-map type inspect match-all tsq-icmp-access
 match class-map tsq-icmp
!
!
policy-map type inspect urlfilter TSQBLOCKEDSITES
 class type urlfilter BLOCKEDSITES
  log
  reset
 class type urlfilter PERMITTEDSITES
  allow
  log
policy-map type inspect SELF-TO-OUT-POLICY
 class type inspect tsq-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect IN-TO-OUT-POLICY
 class type inspect tsq-invalid-src
  drop log
 class type inspect tsq-http
  inspect
  service-policy urlfilter TSQBLOCKEDSITES
 class type inspect tsq-insp-traffic
  inspect
 class class-default
  drop
policy-map type inspect OUT-TO-IN-POLICY
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUT-TO-IN-POLICY
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT-POLICY
zone-pair security SELF-TO-OUT source self destination OUTSIDE
 service-policy type inspect SELF-TO-OUT-POLICY
!
crypto ctcp port 10000
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 group 2
!
crypto isakmp client configuration group vpntunnel
 key XXXXXXX
 pool SDM_POOL_1
 include-local-lan
 max-users 10
crypto isakmp profile ciscocp-ike-profile-1
 match identity group vpntunnel
 client authentication list ciscocp_vpn_xauth_ml_1
 isakmp authorization list ciscocp_vpn_group_ml_1
 client configuration address respond
 virtual-template 1
!
!
crypto ipsec transform-set TSQ-TRANSFORMATION esp-des esp-md5-hmac
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set TSQ-TRANSFORMATION
 set isakmp-profile ciscocp-ike-profile-1
!
!
interface Embedded-Service-Engine0/0
 no ip address
 ip mask-reply
 ip directed-broadcast
 shutdown
!
interface GigabitEthernet0/0
 description LAN-INTERFACE-FW-INSIDE
 ip address 172.17.0.71 255.255.0.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description WAN-INTERNET-FW-OUTSIDE
 ip address xxxxxx yyyyyyy
 ip nat outside
 ip virtual-reassembly in
 zone-member security OUTSIDE
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 ip mask-reply
 ip directed-broadcast
 shutdown
 no fair-queue
 clock rate 2000000
!
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
ip local pool SDM_POOL_1 172.17.0.11 172.17.0.20
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 yyyyyyyyy
ip route 192.168.1.0 255.255.255.0 172.17.0.6
ip route 192.168.4.0 255.255.255.0 172.17.0.6
!
access-list 1 permit 172.17.0.0 0.0.255.255
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip yyyyyy yyyyyy any
!
!
control-plane
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 transport input ssh rlogin
!
scheduler allocate 20000 1000
end
A few things to change:
(1) The IP pool must be a separate subnet; it must not be the same subnet as your internal subnet.
(2) Your NAT ACL 1 must be changed to an extended ACL so that you can configure NAT exemption. So, if your pool is reconfigured to be 10.10.10.0/24:
access-list 120 deny ip 172.17.0.0 0.0.255.255 10.10.10.0 0.0.0.255
access-list 120 permit ip 172.17.0.0 0.0.255.255 any
ip nat inside source list 120 interface GigabitEthernet0/1 overload
no ip nat inside source list 1 interface GigabitEthernet0/1 overload
(3) OUT-TO-IN-POLICY needs to include the VPN traffic:
access-list 121 permit ip 10.10.10.0 0.0.0.255 172.17.0.0 0.0.255.255
class-map type inspect match-all vpn-access
 match access-group 121
policy-map type inspect OUT-TO-IN-POLICY
 class type inspect vpn-access
  inspect
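As an added example, not code from the thread, the script below checks the two NAT-related points of the answer against a configuration text: that the client pool no longer overlaps the 172.17.0.0/16 LAN, and that the NAT ACL exempts LAN-to-pool traffic before the catch-all permit that triggers PAT. IOS evaluates access-list entries top to bottom and stops at the first match, so the order of the two access-list 120 lines decides whether the exemption does anything; the script includes a mis-ordered variant to show that. It models only the constructs the answer uses (numbered standard and extended ACL `ip` entries with `any`, `host` or wildcard addresses, and the `ip local pool` range). The 10.10.10.0/24 pool is the answer's proposal; the exact pool range, the snippets and the function names are constructed for this example.

```python
"""Check the NAT side of the Easy VPN fix on an IOS configuration text.

Added example, not code from the posts. Models numbered ACL entries
'access-list N permit|deny [ip] SRC [DST]' with first-match-wins
evaluation, and the 'ip local pool' range. Configuration text is
constructed; the 10.10.10.0/24 pool is the one the answer proposes.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def _take(tokens):
    """Consume one address spec from an ACL entry; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    prefix = 32 - bin(int(ipaddress.ip_address(wildcard))).count("1")  # contiguous wildcard assumed
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False), tokens[2:]


def numbered_acl(config, number):
    """Return [(action, src_net, dst_net)] for every 'access-list <number>' line, in order."""
    entries = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[:2] != ["access-list", str(number)]:
            continue
        action, rest = tok[2], tok[3:]
        if rest[0] == "ip":                      # extended ACL: ip SRC DST
            src, rest = _take(rest[1:])
            dst, _ = _take(rest)
        else:                                    # standard ACL: SRC only
            src, _ = _take(rest)
            dst = ANY
        entries.append((action, src, dst))
    return entries


def acl_action(entries, src, dst):
    """First matching entry wins; no match means the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, sn, dn in entries:
        if s in sn and d in dn:
            return action
    return "deny"


def will_be_translated(config, acl_number, src, dst):
    """For 'ip nat inside source list <acl> ... overload': permit means the flow is
    PATed to the outside address, deny means it is exempt (what VPN traffic needs)."""
    return acl_action(numbered_acl(config, acl_number), src, dst) == "permit"


def pool_overlaps_lan(config, lan):
    """True if the 'ip local pool' range overlaps the inside LAN (point 1 of the answer)."""
    lan = ipaddress.ip_network(lan)
    for line in config.splitlines():
        tok = line.split()
        if tok[:3] == ["ip", "local", "pool"]:
            first, last = ipaddress.ip_address(tok[4]), ipaddress.ip_address(tok[5])
            return any(n.overlaps(lan) for n in ipaddress.summarize_address_range(first, last))
    raise ValueError("no 'ip local pool' line in config")


# Constructed after the posted config: pool carved out of the LAN, standard NAT ACL.
CFG_ORIGINAL = """\
ip local pool SDM_POOL_1 172.17.0.11 172.17.0.20
ip nat inside source list 1 interface GigabitEthernet0/1 overload
access-list 1 permit 172.17.0.0 0.0.255.255
"""
# Constructed: the answer's fix (separate pool, extended ACL, exemption before the catch-all).
CFG_FIXED = """\
ip local pool SDM_POOL_1 10.10.10.1 10.10.10.50
ip nat inside source list 120 interface GigabitEthernet0/1 overload
access-list 120 deny ip 172.17.0.0 0.0.255.255 10.10.10.0 0.0.0.255
access-list 120 permit ip 172.17.0.0 0.0.255.255 any
access-list 121 permit ip 10.10.10.0 0.0.0.255 172.17.0.0 0.0.255.255
"""
# Constructed: same two entries with the exemption after the catch-all; it never matches.
CFG_WRONG_ORDER = """\
ip local pool SDM_POOL_1 10.10.10.1 10.10.10.50
access-list 120 permit ip 172.17.0.0 0.0.255.255 any
access-list 120 deny ip 172.17.0.0 0.0.255.255 10.10.10.0 0.0.0.255
"""

if __name__ == "__main__":
    for name, cfg, acl in (("original", CFG_ORIGINAL, 1), ("fixed", CFG_FIXED, 120),
                           ("wrong order", CFG_WRONG_ORDER, 120)):
        print(name, "pool overlaps LAN:", pool_overlaps_lan(cfg, "172.17.0.0/16"),
              "| LAN->pool translated:", will_be_translated(cfg, acl, "172.17.0.5", "10.10.10.5"))
```

The same `acl_action` evaluator answers the third point as well: a VPN-pool address to a LAN address must hit the permit in access-list 121 for the new `vpn-access` class to inspect it, while anything else from the pool still falls to the implicit deny.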
-
Cannot access the internet after upgrading to Firefox 30.0 on Windows 7
After upgrading to Firefox 30.0 on Windows 7, I cannot access the internet. FF 30.0 works OK under Vista.
Sometimes it's because your security software thinks the upgrade may not be legitimate. You can consult this article: Problems connecting to websites after a Firefox update.
-
I just upgraded to El Capitan and cannot access Calendar. It opens with the message "Moving calendars to the server."
I cannot access any features, and it can only be closed using Force Quit.
Please quit Calendar, and also the Reminders application if it is running. Force quit if necessary.
Back up all data.
If you sync some of your calendars or reminders with iCloud, then in the iCloud preference pane, uncheck the boxes marked Calendars and Reminders. You will be prompted to confirm that you want to remove your iCloud calendars and reminders from the computer. They will still be in iCloud. Then re-check the boxes.
If you sync calendars or reminders with another network service such as Google, open the Internet Accounts preference pane. Make a note of the settings for the calendar accounts, then delete and recreate them.
Launch Calendar and see if there is any improvement.
-
I disabled the Toolbar > Menu button (via a right click on a PC, Windows 7) and cannot access the toolbar to add items back in. Any ideas?
Don't you see the Menu bar (File, Edit, View, History, Bookmarks, Tools, Help)?
Turning the Menu bar on/off is a new feature in version 3.6.
(Linux and OS X, see: What happened to the File, Edit and View menus?)
Windows method 1: Press and hold the key and then press the following letters in this exact order: V T M
Windows method 2: Press and release the key. The Menu bar is displayed; then choose View > Toolbars and click on Menu Bar.
The Menu bar should now be displayed permanently, unless you turn it off again using View > Toolbars. Check mark = displayed, no check mark = not displayed.
See: http://support.mozilla.com/en-US/kb/Menu+bar+is+missing
The Navigation bar, Bookmarks toolbar and other toolbars are under View > Toolbars. Clicking on one of them will place a check mark (displayed) or remove the check mark (not displayed).
To display the Status bar, click View, then Status Bar to place a check mark (displayed) or remove the check mark (not displayed).
Full screen mode
http://KB.mozillazine.org/netbooks#Full_screen
See also:
Back and forward toolbar buttons or others are missing
Customize Firefox controls, buttons and toolbars
-
42RL833 - latest firmware installed and cannot access the YouTube app
I have a Toshiba 42RL833 which is updated to the latest firmware; however, I still cannot access the YouTube application on my TV. I get an error saying that YouTube XL is no longer supported.
What can I do to fix this?
> I get an error saying that YouTube XL is no longer supported.
Google has stopped the YouTube XL service and, therefore, this service isn't available anymore.
http://www.Toshiba.EU/innovation/generic/YouTube-XL/
You can read details here:
https://support.Google.com/YouTube/answer/3123170?hl=en
It also seems that YouTube XL has been replaced by YouTube Leanback Lite:
http://www.YouTube.com/leanbacklite
See also:
https://support.Google.com/YouTube/answer/3153576
There is also a note that if you can connect your computer to your TV, you can continue to use the YouTube TV-optimized experience by visiting youtube.com/tv.
-
Hello
My problem is that my WiFi says it's connected, but I can't browse or access the internet. It just tells me "unable to connect to internet, computer is not connected to the internet", but my WiFi says "connected". I tried going to the command prompt and typed in "netsh int ip reset resetlog.txt c:\", but it shows me "reset failed, access is denied. There are no user specified settings to be reset." What can I do?
Thanks in advance.
Hello @jerome256,
Welcome to the HP Forums, I hope you enjoy your experience! To help you get the most out of the HP Forums, I would like to draw your attention to the HP Forums Guide: First Time Here? Learn How to Post and More.
I understand that you are having a problem with your WiFi, and I wanted to help you!
Are you trying to access WiFi through a router? If you are connected to your wireless network but cannot access the internet, then the problem may be with the router. Check that the router is connected to the internet. If you have more than one router, make sure that you are connected to the correct router. You can also try unplugging the router for about 30 seconds and then reconnecting it. Please consult the following document, as it may help solve the problem for you:
HP PCs - Troubleshooting Wireless Network and Internet (Windows 10)
Please let me know if this information has been helpful by clicking the thumbs up below.
Have a great day!
-
Hello
I have a Windows 2003 x64 server, and until a week ago everything worked fine. For a week or two, when I try to run an x86 application, I always get this error: "Windows cannot access the specified device, path or file." If I run an x64 app, everything works fine. What went wrong? Thank you
Hello
Your question is more complex than what is generally answered in the Microsoft Answers forums. It is better suited for Windows Server on TechNet. Please post your question in the TechNet forums. You can follow the link for your question:
http://social.technet.Microsoft.com/forums/en/category/WindowsServer/
-
Original title: Problems, cannot do anything
"Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item." I get it all the time and cannot download anything.
Hi birdylod,
· What version of the operating system is installed on the computer?
· Did you make any changes to the computer before the issue started?
· Do you use Internet Explorer? If so, what version are you using?
· What files are you downloading?
Follow these methods.
Method 1: Perform a scan using the Microsoft Safety Scanner.
http://www.Microsoft.com/security/scanner/en-us/default.aspx
Note: Data files that are infected can only be cleaned by removing the file completely, which means that there is a risk of data loss.
Method 2: Follow these steps:
Step 1: Start the computer in Safe Mode with Networking and check if the problem persists.
Startup options (including safe mode)
http://Windows.Microsoft.com/en-us/Windows7/advanced-startup-options-including-safe-mode
Step 2: If the problem does not persist in Safe Mode with Networking, perform a clean boot to see if there is a software conflict, as a clean boot helps eliminate software conflicts.
Note: After completing the steps in the clean boot troubleshooting, follow step 7 in the link to return the computer to normal startup mode.
Method 3: Run the System File Checker (SFC) to repair corrupted files.
How to use the System File Checker tool to fix missing or corrupted system files on Windows Vista or Windows 7
http://support.Microsoft.com/kb/929833
For reference:
What to know before applying permissions to a file or folder
-
I cannot access the "contact me" application on a website and receive the answer "Default Mail Client not properly installed" instead of going to the requested site.
How can I fix this problem?
Split from:
CrystalBall © SEZ...
Unlike Windows XP and Vista, Windows 7 does not include a default email client. [What were they thinking?]
You will need to install one (e.g. MS Outlook, Windows Live Mail, Thunderbird), then set it as the default for mail in the CUSTOM (<>) section of Set Program Access and Computer Defaults, then restart your computer before any Send To or MailTo function will become available.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In these forums, you will find support for Windows Live Mail: http://windowslivehelp.com/forums.aspx?productid=15
-
Broadband went down for several days but is back on, yet I still cannot access the internet
Went away for two weeks and returned to find the internet and landline phone down. Contacted BT, who were going to come out, but it all came back up; the broadband light is on but I still cannot access the internet! Any answers please...
Contact your ISP to solve the problem.
-
Cannot access the Windows Installer
I'm trying to install iTunes and other Windows updates; I get error 643 on the updates and cannot access the Windows Installer with the iTunes installation program. Is there something blocking these files so that they do not work?
RE: Windows updates:
You should be posting in the Windows Update section:
http://social.answers.Microsoft.com/forums/en-us/vistawu/threads
Here's the tutorial for error 643.
Have a look while you wait for answers from the Windows Update section.
Windows Update error 80070643
http://Windows.Microsoft.com/en-us/Windows-Vista/Windows-Update-error-80070643
Re: iTunes
You wrote: "Cannot access the Windows Installer with the iTunes installation program."
The Windows Installer Service could not be accessed
http://www.Winhelponline.com/blog/Vista-the-Windows-Installer-service-could-not-be-accessed/
Questions about Apple products are better posted on the Apple forums.
That is where the iTunes and QuickTime experts are.
Apple Discussions: Category: iTunes
http://discussions.Apple.com/category.jspa?categoryID=149
Apple Discussions - Installing and updating iTunes for Windows
http://discussions.Apple.com/forum.jspa?forumid=792
Problems installing iTunes or QuickTime for Windows
http://support.Apple.com/kb/HT1926
Uninstall and reinstall iTunes and QuickTime
http://support.Apple.com/kb/HT1923
For the benefit of others looking for answers, please mark the suggestion as the answer if it solves your problem.
-
Since last night's update, when launching explorer.exe I now get "Windows cannot access the specified device, path, or file"?
Hi Jemd3,
I suggest you completely remove Norton from the system using the Norton Removal Tool and check if the problem persists.
Method 1:
It may be that your computer is affected by a virus or malware. I suggest you run an online anti-virus scan and a scan for malware. See the links below.
Microsoft OneCare:
http://OneCare.live.com/standard/EN-US/3/default.htm
Malicious Software Removal Tool
http://www.Microsoft.com/security/malwareremove/default.aspx
Get a free PC safety scan
http://OneCare.live.com/site/en-us/default.htm
Hope this information is useful.
Thanks and regards.
Thahaseena M
Microsoft Answers Support Engineer.
Visit our Microsoft Answers Feedback Forum and let us know what you think.