Cannot Ping across the VPN remote access

Hello world

I hope I posted this in the right place!

I'm a bit new to Cisco IOS, so please forgive me if I ask a stupid question!

We have a firewall of 515E PIX 6.3 (4) on which I used the VPN Wizard to set up a remote access VPN the Cisco VPN client on the external interface.

When I connect to home on my laptop Windows XP Pro SP2 running Cisco VPN Client 4.0.5(C) I seem to be able to connect to most of the network resources (IE file shares, I can RDP into servers, etc.) but I can't seem to be able to ping anything : I just request times out.

I'm sure it's something stupid I've done (or not done).

I have attached my config and would be grateful if someone could take a look and point me in the right direction.

Thanks in advance for your help,

Peter.

Hi Peter,.

You must add a line to the inside_access_in access list:

Enable

conf t

access-list inside_access_in allow icmp a whole

output

write members

Kind regards

Cathy

Tags: Cisco Security

Similar Questions

Cisco ASA, connect an IP address on the OUTSIDE of the VPN remote access

Hello

I tried to find resources on the net but could not find a solution, then post it here. Maybe someone can help.

So the problem is that I'm trying to access a server on the cloud for remote VPN access (cisco asa 5510).

The server on the cloud (54.54.54.54) is only accessible from the outside interface (192.168.11.2) NY Firewall (cisco asa 5510)

I added some ACE for this in the ACL of VPN tunnel to divide.

NY-standard host allowed fw # access - list vpn_remote-customer 54.54.54.54

And I see the road added to my cliet machine after the VPN connection, but still it cannot connect to this server.

The network INTERIOR, I can connect to the server.

Thanks in advance.

Hello

This is most likely a problem with NAT hair/U-turn hairpin.

Will need to see the configurations or you would need to check yourself

I don't know what your version of the Software ASA is to be like who determines what is the format of NAT configuration.

So far, you have confirmed that the ASA VPN configuration provides the VPN Client with the route to the remote server. Then in circulation should be tunnel to the ASA.

Then, you will need to check the output of this command

See the race same-security-traffic

You should see the command in the output below

permit same-security-traffic intra-interface

If you do not, you will need to add it. This effect of controls is to allow traffic to enter an interface and exit through the same interface. In your case this applies to Internet VPN Client traffic to the remote server as it between ' outside ' and spell through the 'outside'.

Then, should ensure that dynamic PAT is configured for the VPN Clients.

8.2 software (and below)

You most likely have a dynamic configuration PAT like that on the firewall, if levels of above running software version

Global 1 interface (outside)

NAT (inside) 1 0.0.0.0 0.0.0.0

In this situation if we wanted to add dynamic PAT for a pool of VPN, we would add

NAT (outside) 1

This would allow users to use the same public IP address as LAN users, when accessing the remote VPN server

Software 8.3 (and above)

Because the NAT configuration format is completely different in the latest software, you could probably just add a new configuration of NAT completely without adding a

network of the VPN-PAT object

subnet

dynamic NAT interface (outdoors, outdoor)

Of course, its possible that there could be some configuration NAT already on the device which could cause problems for this configuration. If this does not work then that we would have to look at the actual configurations on the ASA.

Hope this helps

Let me know how it goes

-Jouni

Cannot ping via the VPN client host when static NAT translations are used

Hello, I have a SRI 3825 configured for Cisco VPN client access.

There are also several hosts on the internal network of the static NAT translations have a services facing outwards.

Everything works as expected with the exception that I cannot ping hosts on the internal network once connected via VPN client that is internal IP addresses have the static NAT translations in external public addresses, I ping any host that does not have static NAT translation.

For example, in the example below, I cannot ping 192.168.1.1 and 192.168.1.2, but I can ping to the internal interface of the router, and any other host on the LAN, I can ping all hosts in the router itself.

Any help would be appreciated.

Concerning

!

session of crypto consignment

!

crypto ISAKMP policy 10

BA 3des

preshared authentication

Group 2

!

ISAKMP crypto client configuration group vpnclient

key S3Cu4Ke!

DNS 192.168.1.1 192.168.1.2

domain domain.com

pool dhcppool

ACL 198

Save-password

PFS

netmask 255.255.255.0

!

!

Crypto ipsec transform-set-SECURE 3DES esp-3des esp-sha-hmac

!

Crypto-map dynamic dynmap 10

86400 seconds, life of security association set

game of transformation-3DES-SECURE

market arriere-route

!

card crypto client cryptomap of authentication list drauthen

card crypto isakmp authorization list drauthor cryptomap

client configuration address card crypto cryptomap answer

map cryptomap 65535-isakmp ipsec crypto dynamic dynmap

!

interface GigabitEthernet0/0

NAT outside IP

IP 1.2.3.4 255.255.255.240

cryptomap card crypto

!

interface GigabitEthernet0/1

IP 192.168.1.254 255.255.255.0

IP nat inside

!

IP local pool dhcppool 192.168.2.50 192.168.2.100

!

Note access-list 198 * Split Tunnel encrypted traffic *.
access-list 198 allow ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

!
Note access-list 199 * NAT0 ACL *.
access-list 199 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 199 permit ip 192.168.1.0 0.0.0.255 any

!

Sheep allowed 10 route map
corresponds to the IP 199

!
IP nat inside source map route sheep interface GigabitEthernet0/0 overload

!

IP nat inside source static 192.168.1.1 1.2.3.5
IP nat inside source static 192.168.1.2 1.2.3.6

The problem seems to be that static NAT take your nat exemption.

The solution would be:

IP nat inside source static 192.168.1.1 1.2.3.5 sheep map route
IP nat inside source static 192.168.1.2 1.2.3.6 sheep map route

HTH

Herbert

Cannot ping across the firewall

I'll put up the asa in GNS3 lab, but I can't do a ping through the firewall to the inside of the interface for the external interface. Here's my running-config... I don't know that miss me some I don't know what. If anyone can find out what it is, that would be nice.

See the race
: Saved
:
ASA Version 8.4 (2)
!
ciscoasa hostname
activate 8Ry2YjIyt7RRXU24 encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface GigabitEthernet0
nameif inside
security-level 100
the IP 10.0.0.2 255.255.255.0
!
interface GigabitEthernet1
nameif outside
security-level 0
4.2.2.2 IP address 255.255.255.0
!
interface GigabitEthernet2
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet3
Shutdown
No nameif
no level of security
no ip address
!
passive FTP mode
pager lines 24
Enable logging
timestamp of the record
logging buffered information
logging trap information
Within 1500 MTU
Outside 1500 MTU
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
Route outside 0.0.0.0 0.0.0.0 10.0.1.2 1
Route inside 172.16.0.0 255.255.254.0 10.0.0.1 1
outdoor 172.16.2.0 255.255.254.0 10.0.1.2 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
Telnet timeout 5
SSH timeout 5
Console timeout 0
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
Review the ip options
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
inspect the icmp
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
crashinfo record disable
Cryptochecksum:d6838a5cc1c3620ba830e7d745eaf9a1
: end

After having thought about it twice, it's clear. I wrote to change because it is a good practice, but with the ASA on the other side, it is necessary.

If you use the output as the destination of a route interface, the router must be able to arp for the IP of destination (for each that is used) L2 address of next hop. The other side (the ASA in your scenario) must have a proxy-arp enabled for this because demand is not a configured address.

If you configure an IP address as the next hop, the router must only address L2 a jump next-address IP used in the static route.

Cannot ping inside the vpn client hosts. It's a NAT problem

Hello everyone, I'm running into what seems to be a cause of exclusion with an IOS IPSEC VPN NAT/nat. I can connect to the VPN with cisco IPSEC VPN client, and I am able to authenticate. Once I have authenticate, I'm not able to reach one of the guests inside. Below is my relevant config. Any help would be greatly appreciated.

AAA new-model

!

!

AAA authentication login default local

radius of group AAA authentication login userauthen

AAA authorization exec default local

AAA authorization groupauthor LAN

crypto ISAKMP policy 3

BA 3des

preshared authentication

Group 2

!

ISAKMP crypto client configuration group businessVPN

key xxxxxx

DNS 192.168.10.2

business.local field

pool vpnpool

ACL 108

Crypto isakmp VPNclient profile

businessVPN group identity match

client authentication list userauthen

ISAKMP authorization list groupauthor

client configuration address respond

!

!

Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT

!

Crypto-map dynamic dynmap 10

Set transform-set RIGHT

Define VPNclient isakmp-profile

market arriere-route

!

!

10 ipsec-isakmp crypto map clientmap Dynamics dynmap

interface Loopback0

IP 10.1.10.2 255.255.255.252

no ip redirection

no ip unreachable

no ip proxy-arp

IP virtual-reassembly

!

Null0 interface

no ip unreachable

!

interface FastEthernet0/0

IP 111.111.111.138 255.255.255.252

IP access-group outside_in in

no ip redirection

no ip unreachable

no ip proxy-arp

NAT outside IP

inspect the outgoing IP outside

IP virtual-reassembly

automatic duplex

automatic speed

clientmap card crypto

!

the integrated-Service-Engine0/0 interface

description Locator is initialized with default IMAP group

IP unnumbered Loopback0

no ip redirection

no ip unreachable

no ip proxy-arp

IP virtual-reassembly

ip address of service-module 10.1.10.1 255.255.255.252

Service-module ip default gateway - 10.1.10.2

interface BVI1

IP 192.168.10.1 255.255.255.0

no ip redirection

no ip unreachable

no ip proxy-arp

IP nat inside

IP virtual-reassembly

IP nat inside source static tcp 192.168.10.2 25 interface FastEthernet0/0 25

IP nat inside source static tcp 192.168.10.2 443 interface FastEthernet0/0 443

IP nat inside source static tcp 192.168.10.2 3389 interface FastEthernet0/0 3389

IP nat inside source map route nat interface FastEthernet0/0 overload

nat extended IP access list

deny ip 192.168.10.0 0.0.0.255 192.168.109.0 0.0.0.255

refuse the 10.1.1.0 ip 0.0.0.255 192.168.109.0 0.0.0.255

ip licensing 10.1.1.0 0.0.0.255 any

permit ip 192.168.10.0 0.0.0.255 any

sheep extended IP access list

permit ip 192.168.10.0 0.0.0.255 192.168.109.0 0.0.0.255

ip permit 10.1.10.0 0.0.0.255 192.168.109.0 0.0.0.255

ip licensing 10.1.1.0 0.0.0.255 192.168.109.0 0.0.0.255

outside_in extended IP access list

permit tcp object-group Yes_SMTP host 111.111.111.138 eq smtp

permit any any eq 443 tcp

permit tcp 20.20.20.96 0.0.0.31 host 111.111.111.138 eq 3389

permit tcp 20.20.20.96 0.0.0.31 host 111.111.111.138 eq 22

allow any host 111.111.111.138 esp

allow any host 111.111.111.138 eq isakmp udp

allow any host 111.111.111.138 eq non500-isakmp udp

allow any host 111.111.111.138 ahp

allow accord any host 111.111.111.138

access-list 108 allow ip 192.168.109.0 0.0.0.255 192.168.10.0 0.0.0.255

access-list 108 allow ip 192.168.109.0 0.0.0.255 10.1.1.0 0.0.0.255

access-list 108 allow ip 192.168.109.0 0.0.0.255 10.1.10.0 0.0.0.255

!

!

!

!

route nat allowed 10 map

match ip address nat

1 channel ip bridge

In my view, the acl applied to customer is back. It must allow traffic from the internal network to the pool of customers.

To confirm, you can open the Cisco VPN client statistics (after login) then go in the route Details tab. We should see the networks you should be able to reach the customer. Make sure that the good ones are here.

Kind regards

Œuvres ping for the VPN ASA5505 RDP does not work?

I have an ASA5505 VPN remote access facility

I have a server connected directly behind the ASA and I can ping the server without problem.

The reports being encrypted and decrypted packets VPN client

However when I try to RDP to the server packages encyrpted keep incrementing but the decrypted packets are not.

I also do not see all RDP traffic hit the server (checked by ethereal)

I did a packet trace and it succeeds, but ends with a parody of IP which I believe is correct as is the vpn traffic and not actually be encrypted.

This is the correction of the RDP session, I'm confused by one ICMP denied on line 2 that I am able to ping the server?

% ASA-6-302013: built of TCP connections incoming 88193 for external:172.16.24.4/50984 (172.16.24.4/50984) at internal:192.168.100.146/3389 (192.168.100.146/3389) (roger_ssl)

% ASA-4-313004: Denied ICMP type = 0, of laddr 172.16.24.4 on the external interface to 192.168.100.146: no matching session

% ASA-609001 7: built internal local-host: 192.168.100.37

% ASA-6-302015: built connection UDP incoming 88194 for external:172.16.24.4/50620 (172.16.24.4/50620) at internal:192.168.100.37/53 (192.168.100.37/53) (roger_ssl)

% ASA-4-313004: Denied ICMP type = 0, of laddr 172.16.24.4 on the external interface to 192.168.100.37: no matching session

% ASA-6-302015: built connection UDP incoming 88195 for external:172.16.24.4/64598 (172.16.24.4/64598) at internal:192.168.100.37/53 (192.168.100.37/53) (roger_ssl)

% ASA-4-313004: Denied ICMP type = 0, of laddr 172.16.24.4 on the external interface to 192.168.100.37: no matching session

% ASA-4-313004: Denied ICMP type = 0, of laddr 172.16.24.4 on the external interface to 192.168.100.37: no matching session

% 302014-6-ASA: disassembly of the TCP connection 88193 for external:172.16.24.4/50984 to internal:192.168.100.146/3389 duration 0: bytes of 00:00 0 flow closed by inspection (roger_ssl)

I have that configured NAT

NAT (internal, external) static source 192.168.100.0 192.168.100.0 static destination VPN_172 VPN_172

The only logical bit that is closed by the inspection flow? Is this to say that the server has not responded?

And decrypt packets increase not when trying to RDP

Does this mean anyting to anyone that I have arrived at the end of my knowledge of the SAA on this one!

Thank you

Roger

Answer is based on your other thread:

https://supportforums.Cisco.com/thread/2207372

VPN remote access with router 2610

Guys,

A router Cisco 2610 series with IOS Version 11.3 (2) software version XA4 (fc1) will support a VPN remote access VPN Clients using standard Windows (LT2P on IPSec or PPTP) via a connection of Remote LAN-based access to wide band.

I have bought this device and need an answer fast if possible.

Thank you 1 million.

Vito

The navigation feature is the ideal tool for this:

http://Tools.Cisco.com/ITDIT/CFN/JSP/index.jsp

Search by function and enter PPTP and you will see he came to 12.2 code.

Do the same for L2TP and you will see he came in 12.1 T code.

The short answer is no.

1841 as Concentrator VPN remote access with manual keying

Hi there and happy new year 2011 with best wishes!

I would use a router 1841 as VPN hub for up to 20 remote connections.

My remote (third party) clients have IPsec capacity supported by IKE and the Manual Keying, but I have not found information about simple configuration of Cisco VPN remote access (only on the easy VPN server).

I'd like to configure the VPN entry Server Manual (I think it's an easy way to start), no problem to do?

files:

-topology

-third party router Ethernet / 3G GUI IPsec with choice of algorithm auth

-third party router Ethernet / 3G GUI IPsec with choice of encryption algorithm

I feel so much better that someone help me!

Kind regards

Amaury

As the remote end is third-party routers, the only option you have will be LAN-to-LAN IPSec VPN. You can not run VPN easy because that is only supported on Cisco devices.

If your remote end has a static external ip address that ends the VPN, you can configure card crypto static LAN-to-LAN on the 1841 router, however, if your remote end has dynamic external ip address, you must configure card crypto dynamic LAN-to-LAN on the 1841 router. All remote LAN subnets must be unique.

Create different group with VPN remote access

Hello world

The last time, I ve put in place a VPN for remote access to my network with ASA 5510

I ve access to all my internal LAn helped with my VPN

But I want to set up a vpn group in the CLI for a different group of the user who accesses the different server or a different network on my local network.

Example: computer group - access to 10.70.5.X network

Group consultant network - access to 10.70.10.X

I need to know how I can do this, and if you can give me some example script to complete this

Here is my configuration:

ASA Version 8.0 (2)
!
ASA-Vidrul host name
vidrul domain name - ao.com
activate 8Ry2YjIyt7RRXU24 encrypted password
names of
DNS-guard
!
interface Ethernet0/0
nameif outside
security-level 0
address IP X.X.X.X 255.255.255.X
!
interface Ethernet0/1
nameif inside
security-level 100
address IP X.X.X.X 255.255.255.X
!
interface Ethernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
Description Port_Device_Management
nameif management
security-level 99
address IP X.X.X.X 255.255.255.X
management only
!
2KFQnbNIdI.2KYOU encrypted passwd
passive FTP mode
DNS server-group DefaultDNS
vidrul domain name - ao.com
access-list 100 scope ip allow a whole
access-list extended 100 permit icmp any any echo
access-list extended 100 permit icmp any any echo response
vpn-vidrul_splitTunnelAcl permit 10.70.1.0 access list standard 255.255.255.0
vpn-vidrul_splitTunnelAcl permit 10.70.99.0 access list standard 255.255.255.0
inside_nat0_outbound list of allowed ip extended access all 10.70.255.0 255.255.255.0
pager lines 24
Outside 1500 MTU
Within 1500 MTU
MTU 1500 management
IP local pool clientvpngroup 10.70.255.100 - 10.70.255.200 mask 255.255.255.0
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 602.bin
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 1 10.70.0.0 255.255.0.0
Access-group 100 in the interface inside
Access-group 100 interface inside

Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout, uauth 0:05:00 absolute
dynamic-access-policy-registration DfltAccessPolicy
Protocol RADIUS AAA-server 10.70.99.10
AAA authentication enable LOCAL console
the ssh LOCAL console AAA authentication
LOCAL AAA authorization command
Enable http server
http 192.168.1.2 255.255.255.255 management
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
SYSTEM_DEFAULT_CRYPTO_MAP game 65535 dynamic-map crypto transform-set ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
the Encryption
md5 hash
Group 2
life 86400
Crypto isakmp nat-traversal 30
Telnet 0.0.0.0 0.0.0.0 inside
Telnet timeout 5
SSH 0.0.0.0 0.0.0.0 outdoors
SSH timeout 5
Console timeout 0
outside access management
dhcpd manage 192.168.1.2 - 192.168.1.5
dhcpd enable management
!
a basic threat threat detection
Statistics-list of access threat detection
!
class-map inspection_default
match default-inspection-traffic
block-url-class of the class-map
class-map imblock
match any
class-map P2P
game port tcp eq www
!
!
type of policy-card inspect dns migrated_dns_map_1
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the migrated_dns_map_1 dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
Policy-map IM_P2P
class imblock
class P2P
!
global service-policy global_policy
vpn-vidrul group policy internal
vpn-vidrul group policy attributes
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value vpn-vidrul_splitTunnelAcl
value by default-field vidrul - ao.com
test 274Y4GRAbNElaCoV of encrypted password privilege 0 username
username admin privilege 15 encrypted password bTpUzgLxalekyhxQ
attributes of user admin name
Strategy-Group-VPN-vpn-vidrul
username, password suporte zjQEaX/fm0NjEp4k encrypted privilege 15
type tunnel-group vidrul-vpn remote access
vpn-vidrul general-attributes tunnel-group
address clientvpngroup pool
Group Policy - by default-vpn-vidrul
IPSec-vpn-vidrul tunnel group attributes
pre-shared-key *.
context of prompt hostname
Cryptochecksum:d84e64c87cc5b263c84567e22400591c
: end

What you need to configure is to imitate the configuration on the tunnel-group and group strategy and to configure access to specific network you need.

Currently, you have configured the following:

vpn-vidrul group policy internal
vpn-vidrul group policy attributes
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value vpn-vidrul_splitTunnelAcl
value by default-field vidrul - ao.com

type tunnel-group vidrul-vpn remote access
vpn-vidrul general-attributes tunnel-group
address clientvpngroup pool
Group Policy - by default-vpn-vidrul
IPSec-vpn-vidrul tunnel group attributes
pre-shared-key *.

What you need is to create new group policy and the new tunnel-group and configure the tunnel split ACL to allow access to specific access required.

The user must then connect with the new group name and the new pre-shared key (password).

Hope that helps.

Windows cannot connect to the printer. Access is denied.

From: Steve

Desperately, I try to print from my laptop Windows Vista Home Premium to a shared printer on my home wireless network. The shared printer is connected to a XP Home machine. This machine is wired (via a LAN cable) to the wireless router. I can 'see' the printer that I want to use but trying to to connect to it. I get the error message "Windows cannot connect to the printer. Access is denied. "I would be grateful for any help.

Kind regards.

-Steve

From: Alan Morris [MSFT]

Since the XP machine is HOME, I don't think that the permissions dialog box is accessible.

Run the XP network sharing wizard again and see if it affects safety correctly on sharing.

Is the printer you share one that has drivers provided with Windows XP?

In the meantime we will at least get the printer works for you.

Create a local printer on Windows Vista; Creation of a Local Port in the form \\XPMACHINE\Printsharename (this will send the files by using the redirector instead of the RPC service). Install the Windows Vista driver for the device.

You can print because print$ access is required for printer drivers.

-Alan Morris

Windows printing team

Another response of the community of Windows Vista discussion groups

Add Printer__ Windows cannot connect to the printer. Access is denied

Laptops have just loaded with Windows 7 Pro on my domain. Try to load printers to a print server. Print server running Windows 2003 R2.

When I log in with a user profile, I go to devices and printers------click Add a printer-network printer select------I see a list of printers on the print server - choose the printer that I want to load------asked if I have confidence in this printer - click install drver------opens window files Coping - green bar moves as if it were loading drivers------then just before you get to the window asking if you want to make a default printer. open window that says - Connect Add Printer (X RED) for printer Windows cannot connect to the printer. Access is denied

Changes to device settings to allow the user load the drivers. Check the security access (everyone has permissions) for this printer on the print server.

Disable UAC control on the laptop. Group Policy has changed restrictions point and print.

But this same user can log on to another computer on the network, which has loaded XP Pro and can load the same printers that are denied with windows 7 pro

As a network administrator, I can log on to laptop computers and load A B and C printers.

So I can log on as a user and then I can load A B and C printers, but as a user I want printer D I get the same message as above.

Thank you in advace for your help

This is the solution I received and seems to work.

You have to go into the local group policy on Windows 7 computers, and not on the server.

Go to the Group Policy:

Computer Configuration\Administrative Templates\Printers\Point and printing Restrictions ss SET TO OFF

User Configuration\Administrative Templates\Printers\Point and printing Restrictions ss SET TO OFF

ASA 5540 - cannot ping inside the interface

Hi all. We have recently upgraded PIX to ASA5540 and we saw a strange thing going. In a Word, we can ping the inside interface of the ASA from any beach on our 6500 network (which is connected directly behind the ASA on the inside), but one where our monitoring tools are placed. Inside there is an ACL that allows all of our core networks, but it does not help that the interface is really strange.

In the ASDM, I see messages like this:

ID ICMP echo request: 2004 x.x.x.x y.y.y.y on the inside interface to. I don't think that's the problem, but I could be wrong.

This is also the configuration of the interface VLAN VIRTUAL local area network from which we cannot ping inside the interface we can ping to and since this VLAN and machines without problem. The only problem is ping the inside interface of the ASA.

interface Vlanx

IP x.x.x.x 255.255.255.0

IP broadcast directed to 199

IP accounting output-packets

IP pim sparse - dense mode

route IP cache flow

load-interval 30

Has anyone experiences the problem like this before? Thanks in advance for any help.

Can you post the output of the following on the ASA:-

display the route

And the output of your base layer diverter: -.

show ip route<>

HTH >

Remote access VPN client to connect but cannot ping inside the host, after that split tunnel is activated (config-joint)

Hello

I don't know what could be held, vpn users can ping to the outside and inside of the Cisco ASA interface but can not connect to servers or servers within the LAN ping.

is hell config please kindly and I would like to know what might happen.

hostname horse

domain evergreen.com

activate 2KFQnbNIdI.2KYOU encrypted password

2KFQnbNIdI.2KYOU encrypted passwd

names of

ins-guard

!

interface GigabitEthernet0/0

LAN description

nameif inside

security-level 100

192.168.200.1 IP address 255.255.255.0

!

interface GigabitEthernet0/1

Description CONNECTION_TO_FREEMAN

nameif outside

security-level 0

IP 196.1.1.1 255.255.255.248

!

interface GigabitEthernet0/2

Description CONNECTION_TO_TIGHTMAN

nameif backup

security-level 0

IP 197.1.1.1 255.255.255.248

!

interface GigabitEthernet0/3

Shutdown

No nameif

no level of security

no ip address

!

interface Management0/0

Shutdown

No nameif

no level of security

no ip address

management only

!

boot system Disk0: / asa844-1 - k8.bin

boot system Disk0: / asa707 - k8.bin

passive FTP mode

clock timezone WAT 1

DNS server-group DefaultDNS

domain green.com

network of the NETWORK_OBJ_192.168.2.0_25 object

Subnet 192.168.2.0 255.255.255.128

network of the NETWORK_OBJ_192.168.202.0_24 object

192.168.202.0 subnet 255.255.255.0

network obj_any object

subnet 0.0.0.0 0.0.0.0

the DM_INLINE_NETWORK_1 object-group network

object-network 192.168.200.0 255.255.255.0

object-network 192.168.202.0 255.255.255.0

the DM_INLINE_NETWORK_2 object-group network

object-network 192.168.200.0 255.255.255.0

object-network 192.168.202.0 255.255.255.0

access-list extended INSIDE_OUT allow ip 192.168.202.0 255.255.255.0 any

access-list extended INSIDE_OUT allow ip 192.168.200.0 255.255.255.0 any

Access extensive list permits all ip a OUTSIDE_IN

gbnlvpntunnel_splitTunnelAcl standard access list allow 192.168.200.0 255.255.255.0

standard access list gbnlvpntunnel_splitTunnelAcl allow 192.168.202.0 255.255.255.0

gbnlvpntunnell_splitTunnelAcl standard access list allow 192.168.200.0 255.255.255.0

standard access list gbnlvpntunnell_splitTunnelAcl allow 192.168.202.0 255.255.255.0

pager lines 24

Enable logging

asdm of logging of information

Within 1500 MTU

Outside 1500 MTU

backup of MTU 1500

mask of local pool VPNPOOL 192.168.2.0 - 192.168.2.100 IP 255.255.255.0

no failover

ICMP unreachable rate-limit 1 burst-size 1

ASDM image disk0: / asdm-645 - 206.bin

don't allow no asdm history

ARP timeout 14400

NAT (inside, outside) static source NETWORK_OBJ_192.168.202.0_24 NETWORK_OBJ_192.168.202.0_24 NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 non-proxy-arp-search of route static destination

NAT (inside, backup) static source NETWORK_OBJ_192.168.202.0_24 NETWORK_OBJ_192.168.202.0_24 NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 non-proxy-arp-search of route static destination

NAT (inside, outside) static source DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 non-proxy-arp-search of route static destination

NAT (inside, backup) static source DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 non-proxy-arp-search of route static destination

!

network obj_any object

dynamic NAT interface (inside, backup)

Access-group interface inside INSIDE_OUT

Access-group OUTSIDE_IN in interface outside

Route outside 0.0.0.0 0.0.0.0 196.1.1.2 1 track 10

Route outside 0.0.0.0 0.0.0.0 197.1.1.2 254

Timeout xlate 03:00

Pat-xlate timeout 0:00:30

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

identity of the user by default-domain LOCAL

Enable http server

http 192.168.200.0 255.255.255.0 inside

http 192.168.202.0 255.255.255.0 inside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

monitor SLA 100

type echo protocol ipIcmpEcho 212.58.244.71 interface outside

Timeout 3000

frequency 5

monitor als 100 calendar life never start-time now

Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

outside_map interface card crypto outside

backup_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

backup of crypto backup_map interface card

Crypto ikev1 allow outside

Crypto ikev1 enable backup

IKEv1 crypto policy 10

authentication crack

aes-256 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 20

authentication rsa - sig

aes-256 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 30

preshared authentication

aes-256 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 40

authentication crack

aes-192 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 50

authentication rsa - sig

aes-192 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 60

preshared authentication

aes-192 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 70

authentication crack

aes encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 80

authentication rsa - sig

aes encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 90

preshared authentication

aes encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 100

authentication crack

3des encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 110

authentication rsa - sig

3des encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 120

preshared authentication

3des encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 130

authentication crack

the Encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 140

authentication rsa - sig

the Encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 150

preshared authentication

the Encryption

sha hash

Group 2

life 86400

!

track 10 rtr 100 accessibility

Telnet 192.168.200.0 255.255.255.0 inside

Telnet 192.168.202.0 255.255.255.0 inside

Telnet timeout 5

SSH 192.168.202.0 255.255.255.0 inside

SSH 192.168.200.0 255.255.255.0 inside

SSH 0.0.0.0 0.0.0.0 outdoors

SSH timeout 15

SSH group dh-Group1-sha1 key exchange

Console timeout 0

management-access inside

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

WebVPN

internal group vpntunnel strategy

Group vpntunnel policy attributes

Ikev1 VPN-tunnel-Protocol

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list vpntunnel_splitTunnelAcl

field default value green.com

internal vpntunnell group policy

attributes of the strategy of group vpntunnell

Ikev1 VPN-tunnel-Protocol

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list gbnlvpntunnell_splitTunnelAcl

field default value green.com

Green user name encrypted BoEFKkDtbnX5Uy1Q privilege 15 password

attributes of user name THE

VPN-group-policy gbnlvpn

tunnel-group vpntunnel type remote access

tunnel-group vpntunnel General attributes

address VPNPOOL pool

strategy-group-by default vpntunnel

tunnel-group vpntunnel ipsec-attributes

IKEv1 pre-shared-key *.

type tunnel-group vpntunnell remote access

tunnel-group vpntunnell General-attributes

address VPNPOOL2 pool

Group Policy - by default-vpntunnell

vpntunnell group of tunnel ipsec-attributes

IKEv1 pre-shared-key *.

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns migrated_dns_map_1

parameters

maximum message length automatic of customer

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the migrated_dns_map_1 dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

Review the ip options

!

global service-policy global_policy

context of prompt hostname

no remote anonymous reporting call

call-home

Profile of CiscoTAC-1

no active account

http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address

email address of destination [email protected] / * /

destination-mode http transport

Subscribe to alert-group diagnosis

Subscribe to alert-group environment

Subscribe to alert-group monthly periodic inventory

monthly periodicals to subscribe to alert-group configuration

daily periodic subscribe to alert-group telemetry

Cryptochecksum:7c1b1373bf2e2c56289b51b8dccaa565

Hello

1 - Please run these commands:

"crypto isakmp nat-traversal 30.

"crypto than dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 Road opposite value.

The main issue here is that you have two roads floating and outside it has a better than backup metric, that's why I added the command 'reverse-road '.

Please let me know.

Thank you.

Remote VPN cannot ping any host on remote site

Hi all!

I tried to deploy remote vpn on my asa 5515-x. And my VPN client properly connected, but I can't ping any host on a remote network.

Here is my configuration:

ASA 1.0000 Version 2

!

names of

!

interface GigabitEthernet0/0

nameif inside

security-level 100

IP 192.168.10.252 255.255.255.0

!

interface GigabitEthernet0/1

nameif outside

security-level 0

IP x.x.x.x 255.255.255.252

!

interface GigabitEthernet0/2

DMZ description

nameif dmz

security-level 50

IP 192.168.20.252 255.255.255.0

!

interface GigabitEthernet0/3

Shutdown

No nameif

no level of security

no ip address

!

interface GigabitEthernet0/4

Shutdown

No nameif

no level of security

no ip address

!

interface GigabitEthernet0/5

No nameif

no level of security

no ip address

!

interface Management0/0

nameif management

security-level 100

IP 192.168.2.40 255.255.255.0

management only

!

boot system Disk0: / asa861-2-smp - k8.bin

passive FTP mode

permit same-security-traffic inter-interface

permit same-security-traffic intra-interface

internal subnet object-

192.168.10.0 subnet 255.255.255.0

network dmz subnet object

subnet 192.168.20.0 255.255.255.0

Note to access-list LAN_VLAN_10 split_tunnel

split_tunnel list standard access allowed 192.168.10.0 255.255.255.0

pager lines 24

Enable logging

asdm of logging of information

Within 1500 MTU

Outside 1500 MTU

management of MTU 1500

MTU 1500 dmz

IP local pool testpool 192.168.10.240 - 192.168.10.250 mask 255.255.255.0

no failover

ICMP unreachable rate-limit 1 burst-size 1

ICMP allow any inside

ASDM image disk0: / asdm - 714.bin

don't allow no asdm history

ARP timeout 14400

!

internal subnet object-

NAT dynamic interface (indoor, outdoor)

network dmz subnet object

NAT (dmz, outside) dynamic interface

Route outside 0.0.0.0 0.0.0.0 93.174.55.181 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

identity of the user by default-domain LOCAL

AAA authentication LOCAL telnet console

the ssh LOCAL console AAA authentication

Enable http server

http 192.168.0.0 255.255.0.0 management

http 192.168.10.0 255.255.255.0 inside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

Crypto ipsec transform-set esp - esp-md5-hmac ikev1 firstset

Crypto-map dynamic dyn1 ikev1 transform-set firstset 1 set

dynamic mymap 1 dyn1 ipsec-isakmp crypto map

mymap outside crypto map interface

Crypto ikev1 allow outside

IKEv1 crypto policy 1

preshared authentication

the Encryption

md5 hash

Group 2

life 43200

Telnet 0.0.0.0 0.0.0.0 inside

Telnet 0.0.0.0 0.0.0.0 management

Telnet timeout 5

SSH 0.0.0.0 0.0.0.0 management

SSH timeout 5

Console timeout 0

interface ID client DHCP-client to the outside

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

WebVPN

internal group testgroup strategy

testgroup group policy attributes

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list split_tunnel

user1 fvosA8L1anfyxTw3 encrypted password username

tunnel-group testgroup type remote access

tunnel-group testgroup General attributes

address testpool pool

strategy-group-by default testgroup

testgroup group tunnel ipsec-attributes

IKEv1 pre-shared-key *.

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

maximum message length automatic of customer

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

Review the ip options

!

global service-policy global_policy

What's wrong?

TNX!

Hello

I would like to change the current reserve of VPN to something overlapping to the LAN.

You're also missing NAT0 for the VPN Client connection that is your problem more likely.

You can try these changes

mask of 192.168.100.1 - local 192.168.100.254 pool POOL VPN IP 255.255.255.0

tunnel-group testgroup General attributes

No address testpool pool

address VPN-POOL pool

no ip local pool testpool 192.168.10.240 - 192.168.10.250 mask 255.255.255.0

the object of the LAN network

192.168.10.0 subnet 255.255.255.0

network of the VPN-POOL object

255.255.255.0 subnet 192.168.100.0

NAT static destination LAN LAN (indoor, outdoor) static source VPN-VPN-POOL

You can also change your settings for encryption for anything other than a. You can use AES.

Hope this helps

Let us know if this helped.

Don't forget to mark a reply as the answer if it answered your question.

Feel free to ask more if necessary

-Jouni

How to configure VPN remote access to use a specific Interface and the road

I add a second external connection to an existing system on a 5510 ASA ASA V8.2 with 6.4 AMPS

I added the new WAN using another interface (newwan).

The intention is to bring more internet traffic on the new road/interface (newwan), but keep our existing VPN using the old interface (outside).

I used the ASDM GUI to make changes and most of it works.

That is to say. The default route goes via (newwan)

Coming out of a VPN using a site to character the way previous (out) as they now have static routes to achieve this.

The only problem is that remote incomming VPN access Anyconnect do not work.

I put the default static route to use the new interface (newwan) and the default tunnel road be (outside), but that's the point is will not...

I can either ping external IP address from an external location.

It seems that the external interface doesn't send traffic to the - external interface (or at least that's where I think the problem lies). How can I force responses to remote VPN entering IPS unknown traffic to go back on the external interface?

The only change I have to do to make it work again on the external interface is to make the default static route to use external interface. Calling all internet traffic to the (external connection) original

Pointers appreciated.

William

William,

As it is right now that you will not use the same interface you have road to terminate remote access unless you know their IP addresses by default.

In one of the designs that I saw that we did something like that.

(ISP cloud) - edge router - ASA.

The edge router, you can make PAT within the interface for incoming traffic on port udp/500 and UDP/4500 (you may need to add exceptions to your L2L static) of the router. It's dirty, I would not say, it is recommended, but apparently it worked.

On routers, this kind of situation is easily solved using VRF-lite with crypto.

M.

Cannot Ping across the VPN remote access

Similar Questions

Maybe you are looking for