Cannot ping sub interface from my remote site VPN gateways

I can't ping my sub-interface gateways from my remote VPN connection.

I can ping 192.6.1.0 network, but can't ping network 192.6.2.0 or 192.6.3.0

When I remote desktop into 192.6.1.20, I can ping all the networks, including the sub-interface gateways.

I think that something in my ASA is misconfigured or not added.

ASA NAT rules:

Exempt NAT Interface: inside

Source 192.6.0.0/16

Destination 192.6.10.96/27

Static NAT interface: inside (it's for the local NAT of E0/0 out)

Source 192.6.1.1/16

Interface translated outside the Destination: 172.35.221.200

Dynamic NAT interface: inside

Source: no

Destination: outside

ASA access rules:

Permit outside

Source: no

Destination: out

Services: udp, tcp, tcp/http

Static routes:

Interface: Outside > network: all outdoors DSL (shows no DSL in the graph)

Some incorrect configuration:

On the ASA:

(1) The routes are incorrect; the default route should point to the next hop, that is to say the internet router, 172.35.221.x, as follows:

route outside 0.0.0.0 0.0.0.0 172.35.221.x

---> where x must be the internet router's IP address.

The existing routes need to be removed:

no route outside 0.0.0.0 0.0.0.0 192.298.47.182 255

no route outside 0.0.0.0 0.0.0.0 172.35.209.81 tunneled

(2) The following static NAT statement is incorrect too and should be removed:

static (inside,outside) USSLTA01_External USSLTA01 netmask 255.255.255.255

--> You cannot NAT the interface of the ASA itself.

(3) The subnet mask of the ASA inside interface should be 255.255.255.0, not 255.255.0.0. It should be the same as the router interface subnet mask:

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.6.1.254 255.255.255.0

(4) Add routes to reach these sub-interface subnets on the ASA as follows:

route inside 192.6.2.0 255.255.255.0 192.6.1.235

route inside 192.6.3.0 255.255.255.0 192.6.1.235

route inside 192.6.4.0 255.255.255.0 192.6.1.235

On the router, configure the default route as follows:

ip route 0.0.0.0 0.0.0.0 192.6.1.254

Tags: Cisco Security

Similar Questions

  • Cannot ping computers on the remote subnet while the site-to-site VPN is up

    Hi all

    I encountered a problem with a site-to-site VPN: pings to machines on the remote subnet get no answer.

    The IPsec tunnel is OK, but I can ping the remote ASA's inside interface IP.

    Here is my scenario:

    LAN1 - ASA5510 - ASA5505 - LAN2 - remote_machine

    LAN1: 192.168.x.0/24

    LAN2: 172.25.88.0/24

    remote_machine_ip: 172.25.87.30

    LAN1 can ping to ASA5505 inside interface (172.25.88.1)

    but cannot ping remote_machine (172.25.87.30)

    The ASA5505 inside interface can ping remote_machine

    LAN2 can ping the ASA5510 inside interface and the machines on LAN1

    Is there something I missed?

    Thanks much for the reply

    I don't think it's something you really want to do.

    If you PAT the whole LAN1 subnet (192.168.1.0/24) to 172.25.249.1, then LAN2 will not be able to reach a specific host on LAN1, because you now represent the LAN1 network with a single IP address.

    So traffic becomes one-way: LAN1 can reach LAN2 and get the response from LAN2 through the PAT on 172.25.249.1.

    But LAN2 can no longer initiate traffic to specific LAN1 host IPs, since you only have 172.25.249.1 to represent the LAN1 subnet.

    If you still want to PAT the whole LAN1 subnet (192.168.1.0/24) to 172.25.249.1, then you have to do outside NAT.

    http://www.Cisco.com/en/us/customer/docs/security/ASA/asa80/command/reference/no.html#wp1737858

    Kind regards

  • Redirecting Internet traffic from the remote site to the main site through the IPsec VPN tunnel

    Hi all

    I have a problem redirecting internet traffic from my remote site to the main site through the IPsec VPN tunnel. The remote site is a Cisco 2801 router with IOS (c2800nm-advipservicesk9-mz.124-22.T) and the remote site has IOS (C870-ADVSECURITYK9-M, Version 12.4(15)T12, RELEASE SOFTWARE (fc3)). This redirect does not work, and the last hop in an extended traceroute from the remote site is the WAN IP of the main site.

    Is there someone who can help me with the right settings for this redirection via VPN?

    the remote site config file:

    crypto isakmp policy 8
     encr 3des
     hash md5
     authentication pre-share
    crypto isakmp key dgsn2010 address 41.223.X.X
    !
    !
    crypto ipsec transform-set vpn esp-3des
    !
    crypto map vpndgsn 10 ipsec-isakmp
     description at HQ
     set peer 41.223.X.X
     set transform-set vpn
     match address VPNHQ
    !
    interface FastEthernet0
     ip address 41.223.X.X 255.255.255.0
     ip nat outside
     ip virtual-reassembly
     ip tcp adjust-mss 1300
     duplex auto
     speed auto
     crypto map vpndgsn
    !
    interface FastEthernet4
     ip address 192.168.11.1 255.255.255.0
     ip nat inside
     no ip virtual-reassembly
    !
    ip route 0.0.0.0 0.0.0.0 41.223.X.X
    ip access-list extended VPNHQ
     permit ip 192.168.11.0 0.0.0.255 any
    !

    the main site config file:

    crypto isakmp policy 10
     encr 3des
     hash md5
     authentication pre-share
    crypto isakmp key dgsn2010 address 41.223.X.X
    !
    !
    crypto ipsec transform-set vpn esp-3des
    !
    crypto map vpncreo 10 ipsec-isakmp
     description FOR bastos
     set peer 41.205.X.X
     set transform-set vpn
     match address 110
    !
    interface FastEthernet0/0
     description OF WAN
     ip address 41.223.X.X 255.255.255.240
     ip nat outside
     ip tcp adjust-mss 1492
     crypto map vpncreo
    !
    interface FastEthernet0/1
     description OF LAN
     ip address 192.168.10.1 255.255.255.0
     ip nat inside
     duplex auto
     speed auto
    !
    ip nat inside source list NAT interface FastEthernet0/0 overload
    ip route 0.0.0.0 0.0.0.0 41.223.31.241
    access-list 110 permit ip any 192.168.11.0 0.0.0.255
    ip access-list extended NAT
     deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255 any
     permit ip 192.168.10.0 0.0.0.255 any
     permit ip 192.168.11.0 0.0.0.255 any
    !

    You must configure the routing policy based closure for NAT can be invoked on the main site.

    Here is an example configuration for your reference:

    http://www.Cisco.com/en/us/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml

    Additionally, make sure that you don't do any NATing at your remote end, i.e. you must configure NAT exemption for all traffic from 192.168.11.0/24 to any (Internet).

    Hope that helps.

  • How to copy tftp on remote site VPN

    I know that by defining the ASA management-access interface I can ping or telnet/SSH to the inside interface of the remote ASA over the VPN. But it does not work for TFTP. Is it possible to copy the config to a TFTP server at a remote site via VPN, using the local inside interface as the source interface?

    Your home, remember messages useful rate.

    Concerning

  • Access to the remote site VPN

    Hello

    I'm trying to solve a problem with the VPN, and I hope that someone could give me a helping hand.

    We have 3 offices, each with an ASA 5505 like the router/firewall, connected to a cable modem

    (NC Office) <----IPSEC----->(office of PA) <----IPSEC----->(TC Office)

    Internally, we have a full mesh VPN, so all offices can talk to each other directly.

    I have people at home, by using remote access VPN into the Office of PA, and I need them to be able to connect to two other offices there.

    I was able to run for the Office of CT, but I can't seem to work for the Office of the NC.  (I want to say is, users can remote access VPN in the PA Office and access resources in the offices of the PA and CT, but they can't get the Office of NC).

    Someone could take a look at these 2 configs and let me know if I'm missing something?  I am newer to this, so some of these configs do not have better naming conventions, but I'm getting there

    PA OFFICE

    Output of the command: "show run".

    : Saved
    :
    ASA Version 8.2 (5)
    !
    hostname WayneASA

    names of
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
    nameif inside
    security-level 100
    IP 192.168.1.1 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    IP 70.91.18.205 255.255.255.252
    !
    passive FTP mode
    clock timezone IS - 5
    clock to summer time EDT recurring
    DNS lookup field inside
    DNS domain-lookup outside
    DNS server-group DefaultDNS
    75.75.75.75 server name
    75.75.76.76 server name
    domain 3gtms.com
    permit same-security-traffic intra-interface
    object-group Protocol TCPUDP
    object-protocol udp
    object-tcp protocol
    access-list inside_access_in extended permit ip any any
    access-list IPSec_Access extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list IPSec_Access extended permit ip 192.168.10.0 255.255.255.224 192.168.2.0 255.255.255.0
    access-list IPSec_Access extended permit ip 192.168.10.0 255.255.255.224 192.168.5.0 255.255.255.0
    access-list inside_nat0 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.224
    access-list inside_nat0 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list inside_nat0 extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
    access-list TunnelSplit1 standard permit 192.168.10.0 255.255.255.224
    access-list TunnelSplit1 standard permit 192.168.1.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list outside_2_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
    access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
    access-list RemoteTunnel_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
    access-list RemoteTunnel_splitTunnelAcl_1 standard permit 192.168.1.0 255.255.255.0
    access-list RemoteTunnel_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0
    access-list RemoteTunnel_splitTunnelAcl_1 standard permit 192.168.5.0 255.255.255.0
    access-list out_access_in extended permit udp any host 70.91.18.205 eq sip
    access-list out_access_in extended permit tcp any host 70.91.18.205 eq 5000
    access-list out_access_in extended permit udp any host 70.91.18.205 range 9000 9049
    access-list out_access_in extended permit tcp any host 70.91.18.205 eq sip
    access-list out_access_in extended permit object-group TCPUDP any host 70.91.18.205 eq 5090
    access-list out_access_in extended permit udp any host 70.91.18.205 eq 5000
    access-list outside-nat0 remark NAT0 for VPNPool to Remote Sites
    access-list outside-nat0 extended permit ip 192.168.10.0 255.255.255.224 192.168.2.0 255.255.255.0
    access-list outside-nat0 extended permit ip 192.168.10.0 255.255.255.224 192.168.5.0 255.255.255.0
    pager lines 24
    asdm of logging of information
    Within 1500 MTU
    Outside 1500 MTU
    IP mask 255.255.255.224 local pool VPNPool 192.168.10.1 - 192.168.10.30
    no failover
    ICMP unreachable rate-limit 1 burst-size 1
    don't allow no asdm history
    ARP timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (outside) 0 access-list outside-nat0
    access-group inside_access_in in interface inside
    access-group out_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 70.91.18.206 1
    Timeout xlate 03:00
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    Floating conn timeout 0:00:00
    dynamic-access-policy-registration DfltAccessPolicy
    the ssh LOCAL console AAA authentication
    Enable http server
    http 0.0.0.0 0.0.0.0 inside
    No snmp server location
    No snmp Server contact
    Server enable SNMP traps snmp authentication linkup, linkdown cold start
    Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
    Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
    Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
    Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
    Crypto ipsec transform-set esp-3des esp-md5-hmac VPNTransformSet
    life crypto ipsec security association seconds 28800
    Crypto ipsec kilobytes of life - safety 4608000 association
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
    Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
    crypto map IPSec_map 1 match address IPSec_Access
    crypto map IPSec_map 1 set peer 50.199.234.229
    crypto map IPSec_map 1 set transform-set VPNTransformSet
    crypto map IPSec_map 2 match address outside_2_cryptomap
    crypto map IPSec_map 2 set pfs group1
    crypto map IPSec_map 2 set peer 98.101.139.210
    crypto map IPSec_map 2 set transform-set VPNTransformSet
    crypto map IPSec_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map IPSec_map interface outside
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer 50.199.234.229
    crypto ISAKMP allow outside
    crypto ISAKMP policy 1
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 43200
    Telnet 192.168.1.0 255.255.255.0 inside
    Telnet timeout 5
    SSH 0.0.0.0 0.0.0.0 inside
    SSH timeout 60
    Console timeout 0
    management-access inside
    dhcpd outside auto_config
    !
    dhcpd address 192.168.1.100 - 192.168.1.199 inside
    dhcpd dns 75.75.75.75 75.75.76.76 interface inside
    dhcpd allow inside
    !

    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    WebVPN
    internal RemoteTunnel group strategy
    attributes of Group Policy RemoteTunnel
    value of server DNS 75.75.75.75 75.75.76.76
    Protocol-tunnel-VPN IPSec
    Split-tunnel-policy tunnelspecified
    value of Split-tunnel-network-list RemoteTunnel_splitTunnelAcl_1
    dfavier vUA99P1dT3fvnDZy encrypted password username
    username dfavier attributes
    type of remote access service
    rduske vu0Zdx0n3oZWFSaX encrypted password username
    username rduske attributes
    type of remote access service
    eric 0vcSd5J/TLsFy7nU password user name encrypted privilege 15
    lestofts URsSXKLozQMSeCBk username encrypted password
    username lestofts attributes
    type of remote access service
    jpwiggins 3WyoRxmI6LZjGHZE encrypted password username
    username jpwiggins attributes
    type of remote access service
    tomleonard cQXk0RJCBtxyzZ4K encrypted password username
    username tomleonard attributes
    type of remote access service
    algobel 4AjIefFXCbu7.T9v encrypted password username
    username algobel attributes
    type of remote access service
    type tunnel-group RemoteTunnel remote access
    attributes global-tunnel-group RemoteTunnel
    address pool VPNPool
    Group Policy - by default-RemoteTunnel
    IPSec-attributes tunnel-group RemoteTunnel
    pre-shared key *.
    tunnel-group 50.199.234.229 type ipsec-l2l
    IPSec-attributes tunnel-group 50.199.234.229
    pre-shared key *.
    tunnel-group 98.101.139.210 type ipsec-l2l
    IPSec-attributes tunnel-group 98.101.139.210
    pre-shared key *.
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    maximum message length automatic of customer
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    Review the ip options
    inspect the icmp
    inspect the pptp
    !
    global service-policy global_policy
    context of prompt hostname
    no remote anonymous reporting call
    Cryptochecksum:6d1ffe8d570d467e1ea6fd60e9457ba1
    : end

    CT OFFICE

    Output of the command: "show run".

    : Saved
    :
    ASA Version 8.2 (5)
    !
    hostname RaleighASA
    activate the encrypted password of Ml95GJgphVRqpdJ7
    2KFQnbNIdI.2KYOU encrypted passwd
    names of
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
    nameif inside
    security-level 100
    192.168.5.1 IP address 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    IP 98.101.139.210 255.0.0.0
    !
    passive FTP mode
    clock timezone IS - 5
    clock to summer time EDT recurring
    DNS lookup field inside
    DNS server-group DefaultDNS
    Server name 24.25.5.60
    Server name 24.25.5.61
    permit same-security-traffic intra-interface
    object-group Protocol TCPUDP
    object-protocol udp
    object-tcp protocol
    access-list Wayne_Access extended permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list Wayne_Access extended permit ip 192.168.5.0 255.255.255.0 192.168.10.0 255.255.255.0
    access-list Shelton_Access extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list out_access_in extended permit tcp any host 98.101.139.210 eq www
    access-list out_access_in extended permit tcp any host 98.101.139.210 eq ftp
    access-list out_access_in extended permit udp any host 98.101.139.210 eq tftp
    access-list out_access_in extended permit udp any host 98.101.139.210 eq sip
    access-list out_access_in extended permit tcp any host 98.101.139.210 eq 5090
    access-list out_access_in extended permit tcp any host 98.101.139.210 eq 2001
    access-list out_access_in extended permit tcp any host 98.101.139.210 eq 5080
    access-list out_access_in extended permit tcp any host 98.101.139.210 eq ssh
    access-list out_access_in extended permit tcp any host 98.101.139.210 eq 81
    access-list out_access_in extended permit tcp any host 98.101.139.210 eq 56774
    access-list out_access_in extended permit tcp any host 98.101.139.210 eq 5000
    access-list out_access_in extended permit tcp any host 98.101.139.210 eq 902
    access-list out_access_in extended permit tcp any host 98.101.139.210 eq netbios-ssn
    access-list out_access_in extended permit tcp any host 98.101.139.210 eq 445
    access-list out_access_in extended permit tcp any host 98.101.139.210 eq https
    access-list out_access_in extended permit object-group TCPUDP any host 98.101.139.210 eq 3389
    access-list out_access_in extended permit object-group TCPUDP any host 98.101.139.210 range 5480 5487
    access-list out_access_in extended permit udp any host 98.101.139.210 range 9000 9050
    access-list inside_nat0 extended permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list inside_nat0 extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list inside_nat0 extended permit ip 192.168.5.0 255.255.255.0 192.168.10.0 255.255.255.0
    pager lines 24
    asdm of logging of information
    Within 1500 MTU
    Outside 1500 MTU
    ICMP unreachable rate-limit 1 burst-size 1
    don't allow no asdm history
    ARP timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0
    nat (inside) 1 0.0.0.0 0.0.0.0

    access-group out_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 98.101.139.209 1
    Timeout xlate 03:00
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    Floating conn timeout 0:00:00
    dynamic-access-policy-registration DfltAccessPolicy
    the ssh LOCAL console AAA authentication
    Enable http server
    http 0.0.0.0 0.0.0.0 inside
    No snmp server location
    No snmp Server contact
    Server enable SNMP traps snmp authentication linkup, linkdown cold start
    Crypto ipsec transform-set esp-3des esp-md5-hmac WayneTransform
    Crypto ipsec transform-set esp-3des esp-md5-hmac SheltonTransform
    Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
    Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
    Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
    Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
    Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
    life crypto ipsec security association seconds 28800
    Crypto ipsec kilobytes of life - safety 4608000 association
    crypto map IPSec_map 1 match address Wayne_Access
    crypto map IPSec_map 1 set pfs group1
    crypto map IPSec_map 1 set peer 70.91.18.205
    crypto map IPSec_map 1 set transform-set WayneTransform
    crypto map IPSec_map 2 match address Shelton_Access
    crypto map IPSec_map 2 set pfs group1
    crypto map IPSec_map 2 set peer 50.199.234.229
    crypto map IPSec_map 2 set transform-set SheltonTransform
    crypto map IPSec_map interface outside
    crypto ISAKMP allow outside
    crypto ISAKMP policy 1
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 43200
    Telnet timeout 5
    SSH 0.0.0.0 0.0.0.0 inside
    SSH timeout 5
    Console timeout 0
    management-access inside
    dhcpd outside auto_config
    !
    dhcpd address 192.168.5.100 - 192.168.5.199 inside
    dhcpd dns 24.25.5.60 24.25.5.61 interface inside
    dhcpd allow inside
    !

    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    WebVPN
    eric 0vcSd5J/TLsFy7nU password user name encrypted privilege 15
    tunnel-group 50.199.234.229 type ipsec-l2l
    IPSec-attributes tunnel-group 50.199.234.229
    pre-shared key *.
    tunnel-group 70.91.18.205 type ipsec-l2l
    IPSec-attributes tunnel-group 70.91.18.205
    pre-shared key *.
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    maximum message length automatic of customer
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    Review the ip options
    inspect the icmp
    !
    global service-policy global_policy
    context of prompt hostname
    no remote anonymous reporting call
    Cryptochecksum:3d770ba9647ffdc22b3637e1e5b9a955
    : end

    Hello

    I might have found the problem.

    To be honest, I'm a little tired and concentration is difficult, especially when access between multiple device configurations. So second pair of eyes is perhaps in order.

    At the moment it seems to me that this configuration on the PA site is the problem:

    access-list IPSec_Access extended permit ip 192.168.10.0 255.255.255.224 192.168.5.0 255.255.255.0

    This is an ACL that defines the local and remote networks for an L2L VPN connection.

    Now, when we look at which L2L VPN connection this belongs to, we see the following:

    crypto map IPSec_map 1 match address IPSec_Access

    crypto map IPSec_map 1 set peer 50.199.234.229

    crypto map IPSec_map 1 set transform-set VPNTransformSet

    Now, we see that the peer IP address is 50.199.234.229. Which site is this? The IP address of the CT site that works correctly?

    Now, what the ACL line I mentioned earlier basically says is that when the network 192.168.10.0 255.255.255.224 wants to connect to the network 192.168.5.0/24, the traffic should be sent to the CT site. And of course this should not be the case, as we want the traffic to go to the NC site.

    Also worth noting is that on the site the above connection is configured with priority '1', so it gets compared first against a connection. If the L2L VPN configurations were in a different order, then the VPN Client connection could actually work. But it's just something that I wanted to point out. The actual resolution of the problem, of course, is to remove the configuration that is the real cause of the problem, in which the ASA attempts to route traffic to a completely wrong place.

    So can you remove this ACL line from the PA ASA:

    no access-list IPSec_Access extended permit ip 192.168.10.0 255.255.255.224 192.168.5.0 255.255.255.0

    Then test the VPN Client connection to the NC site again.

    Hope that this will finally be the solution.

    -Jouni
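The first-match behaviour described in the answer above can be checked mechanically. The following is an added example, not part of the original thread: a small Python checker run over the crypto ACL and crypto map lines of the PA config, rewritten in standard ASA syntax as constructed input. It handles only `permit ip <net> <mask> <net> <mask>` entries, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed input: crypto ACL and crypto map lines of the PA config from the
# thread, in standard ASA 8.2 syntax. "host", "any" and object-groups are not parsed.
PA_CONFIG = """\
access-list IPSec_Access extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list IPSec_Access extended permit ip 192.168.10.0 255.255.255.224 192.168.2.0 255.255.255.0
access-list IPSec_Access extended permit ip 192.168.10.0 255.255.255.224 192.168.5.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
crypto map IPSec_map 1 match address IPSec_Access
crypto map IPSec_map 1 set peer 50.199.234.229
crypto map IPSec_map 2 match address outside_2_cryptomap
crypto map IPSec_map 2 set peer 98.101.139.210
"""

# The ACL line the answer asks to remove.
BAD_LINE = ("access-list IPSec_Access extended permit ip "
            "192.168.10.0 255.255.255.224 192.168.5.0 255.255.255.0\n")

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")


def parse(config):
    """Return (acls, entries): ACL name -> [(src_net, dst_net)], (map, seq) -> settings."""
    acls = defaultdict(list)
    entries = {}
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls[name].append((ipaddress.ip_network(f"{src}/{smask}"),
                               ipaddress.ip_network(f"{dst}/{dmask}")))
        elif m := MATCH_RE.match(line):
            entries.setdefault((m[1], int(m[2])), {})["acl"] = m[3]
        elif m := PEER_RE.match(line):
            entries.setdefault((m[1], int(m[2])), {})["peer"] = m[3]
    return acls, entries


def select_peer(config, map_name, src, dst):
    """Return (seq, peer) of the lowest-sequence entry whose ACL matches src -> dst."""
    acls, entries = parse(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for (name, seq), entry in sorted(entries.items()):
        if name != map_name:
            continue
        for s_net, d_net in acls.get(entry.get("acl"), []):
            if src in s_net and dst in d_net:
                return seq, entry.get("peer")
    return None  # no static crypto map entry protects this flow


def conflicting_destinations(config, map_name):
    """List destination networks that entries with different peers both claim."""
    acls, entries = parse(config)
    seen, conflicts = [], []
    for (name, seq), entry in sorted(entries.items()):
        if name != map_name:
            continue
        peer = entry.get("peer")
        for _, d_net in acls.get(entry.get("acl"), []):
            for other_net, other_seq, other_peer in seen:
                if other_peer != peer and d_net.overlaps(other_net):
                    conflicts.append((str(d_net), other_seq, other_peer, seq, peer))
            seen.append((d_net, seq, peer))
    return conflicts


if __name__ == "__main__":
    # A VPN pool client (192.168.10.0/27) talking to a host in 192.168.5.0/24.
    print("pool -> 192.168.5.20:", select_peer(PA_CONFIG, "IPSec_map",
                                               "192.168.10.5", "192.168.5.20"))
    for c in conflicting_destinations(PA_CONFIG, "IPSec_map"):
        print("destination %s: seq %d -> %s, seq %d -> %s" % c)
    fixed = PA_CONFIG.replace(BAD_LINE, "")
    print("conflicts after removing the line:",
          conflicting_destinations(fixed, "IPSec_map"))
```
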

  • Cannot ping local interface after latest critical Microsoft update

    I just bought a Satellite Pro A200.
    When I upgraded to the latest critical updates from Microsoft Update, I found that I could no longer ping my local IP address. This has happened to both the RJ45 LAN network card and the wireless network card.
    I reinstalled the operating system using the recovery CD, and I could ping the IP addresses of the local interfaces.
    But when I once again downloaded and installed the latest critical updates from Microsoft, I couldn't ping the local IP address.
    Does anyone have any idea why?
    Thank you

    Hey Buddy,

    WHERE´s the problem? I know that the updates are the system destroy it when they are buggy, but that's normal with microsoft. I have almost the same problems also! Thhoughts WGAnotify.exe, I was a software pirate and restricted my access to 'zero' access.
    "Yes, Sir, I bought a windows and it s stolen... well... OK... :(."
    Yes, noone except microsoft (who would be the point where I could say "you are in the wrong forum" ;)) knows why it s happening.)
    These days, you should do the following: find which update is the cause of this error. You can do this by going to "Add / Remove Programs" in your "Control Panel" and clicking the "Show updates" button at the top of the window.
    Then begin by uninstalling the last installed update and check if your ping works. Otherwise, proceed to the next update and uninstall it, and so on...
    I know it's a long and boring process, but since this is NOT a Toshiba problem, you must accept it and try my method to remove the update that is causing your error.

    Welcome them

  • Cannot copy and paste from a remote desktop

    I am running Vista Home Basic, 32-bit and trying to copy and paste at the back of my desktop remote connection to my computer at home.  When I connect, I checked the tab local resources and made sure the printer and clip board options have been selected.  I even checked them once to try to cheat the system, but has not worked.  Any suggestions?  It becomes quite complicated to just double tap!  He has worked in the past, but he just decided to stop working for some reason any.  Thank you!

    Hi given dog,

    Thanks for posting to answers.microsoft.com.

    Essentially, the information on the tab local resources should have selected Clipboard.  Since you have already have this setting enabled, let me ask you a few questions:

    1. Are you remoting from a Vista system to an XP system, or vice versa, or Vista to Vista? If yes, what is the Service Pack revision of Windows on the two computers involved, and do these systems have all recent Windows Updates installed?

    2. you remember to load any software or maybe a mouse intelliport before this problem?  using a keyboard and wireless mouse?

    3 do the copy and paste functions work normally on both systems outside when not involved in remote desktop?

    Please let us know any information that may be necessary to help solve this problem.

    Thank you
    Debbie
    Microsoft Answers Support Engineer
    Visit our Microsoft answers feedback Forum and let us know what you think.

  • Cannot ping my computer from a computer on a different subnet, although I can do the opposite.

    Subnet A (192.168.137.0/24) has computers P and Q

    Subnet B (192.168.7.0/24) has computers Q and R

    P is my Windows 7 computer, connected to the internet via interface 10 and connected to Q via interface 25

    Q (Linux) has been set up to route packets between A and B. Its default gateway is set to P.

    R (Linux) has its default gateway set to Q.

    I was able to deliver packets to subnet B using

    P: route add 192.168.7.0 (B) mask 255.255.255.0 192.168.137.2 (Q) metric 1 if 25

    Now I could ping R (192.168.7.2) from P (my Win7 computer), but I couldn't ping P from R! I could ping www.google.com from R!

    C:\Windows\System32>route print
    ===========================================================================
    List of the interface
    11.. 00 1 c 23 29 25 7th... Broadcom NetXtreme 57xx Gigabit Controller
    10.. 00 1 c 9 91 38 d bf... Intel (r) PRO/Wireless 3945ABG Network Connect
    25... 00 50 56 00 01 c0... VMware Virtual Ethernet adapt for VMnet1
    26.. 00 50 56 00 08 c0... VMware Virtual Ethernet adapt for VMnet8
    1... software Loopback Interface 1
    21 00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
    17.. 00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
    ... 23 00 00 00 00 00 00 00 e0 Map Microsoft 6to4
    18.. 00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
    22.. 00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
    24.. 00 00 00 00 00 00 00 e0 Microsoft ISATAP adapter #4
    20... 00 00 00 00 00 00 00 e0 Microsoft ISATAP adapter #5
    ===========================================================================

    IPv4 routing table
    ===========================================================================
    Active routes:
    Network Destination        Netmask          Gateway         Interface        Metric
    0.0.0.0                    0.0.0.0          124.123.192.1   124.123.199.79   20
    124.123.192.0              255.255.192.0    On-link         124.123.199.79   276
    124.123.199.79             255.255.255.255  On-link         124.123.199.79   276
    124.123.255.255            255.255.255.255  On-link         124.123.199.79   276
    127.0.0.0                  255.0.0.0        On-link         127.0.0.1        306
    127.0.0.1                  255.255.255.255  On-link         127.0.0.1        306
    127.255.255.255            255.255.255.255  On-link         127.0.0.1        306
    192.168.7.0                255.255.255.0    192.168.137.2   192.168.137.1    21
    192.168.18.0               255.255.255.0    On-link         192.168.18.1     276
    192.168.18.1               255.255.255.255  On-link         192.168.18.1     276
    192.168.18.255             255.255.255.255  On-link         192.168.18.1     276
    192.168.137.0              255.255.255.0    On-link         192.168.137.1    276
    192.168.137.1              255.255.255.255  On-link         192.168.137.1    276
    192.168.137.255            255.255.255.255  On-link         192.168.137.1    276
    224.0.0.0                  240.0.0.0        On-link         127.0.0.1        306
    224.0.0.0                  240.0.0.0        On-link         124.123.199.79   276
    224.0.0.0                  240.0.0.0        On-link         192.168.137.1    276
    224.0.0.0                  240.0.0.0        On-link         192.168.18.1     276
    255.255.255.255            255.255.255.255  On-link         127.0.0.1        306
    255.255.255.255            255.255.255.255  On-link         124.123.199.79   276
    255.255.255.255            255.255.255.255  On-link         192.168.137.1    276
    255.255.255.255            255.255.255.255  On-link         192.168.18.1     276
    ===========================================================================
    Persistent routes:
    Network Address            Netmask          Gateway Address Metric
    192.168.7.0                255.255.255.0    192.168.137.2   1
    ===========================================================================

    IPv6 routing table
    ===========================================================================
    Active routes:
    If metric network Destination Gateway
    1275 23: / 0 2002:c058:6301:c058:6301
    23 1274: / 0 2002:c058:6301:1
    1 306: 1/128 liaison
    23 1025 2002: / 16 over a link
    2002:7c7b:c74f:7c7b:c74f 23 281 / 128
    Over a link
    11 276 fe80: / 64 On-link
    25 276 fe80: / 64 On-link
    26 276 fe80: / 64 On-link
    FE80::7456:AB7F:70fa:3029 11 276 / 128
    Over a link
    FE80::7c8a:b566:2 has 17: RDFN 25 276 / 128
    Over a link
    FE80::e12e:9f18:a010:B07B 26 276 / 128
    Over a link
    1 306 ff00: / 8 On-link
    11 276 ff00: / 8 On-link
    25 276 ff00: / 8 On-link
    26 276 ff00: / 8 On-link
    ===========================================================================
    Persistent routes:
    None

    Hello Satya,

    Thanks for posting your question on the forum of the Microsoft community.

    The question will be better suited to the audience of professionals on the TechNet forums.

    I would recommend posting your query in the TechNet forums.
     
    TechNet Forum
    http://social.technet.Microsoft.com/forums/en-us/home?category=w7itpro

    Thank you

  • Cannot ping the ASA inside port IP from the remote site over the L2L VPN

    The L2L VPN is established OK between ASA-1/ASA-2:

    ASA-2# show crypto isakmp sa

    IKEv1 SAs:

    Active SA: 1

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

    Total IKE SA: 1

    1 IKE Peer: 207.140.28.102

    Type: L2L Role: responder

    Rekey: no State: MM_ACTIVE

    There are no IKEv2 SAs

    QUESTION: From 3750-2, pings to 3750-1 (10.10.2.253) are OK, but not to the ASA-1 inside port (10.10.2.254).

    ASA-1 debug icmp data:

    ASA-1# debug icmp trace

    debug icmp trace enabled at level 1

    ICMP echo request from Internet:10.100.2.252 to server:10.10.2.253 ID=400 seq=0 len=72

    ICMP echo reply from server:10.10.2.253 to Internet:10.100.2.252 ID=400 seq=0 len=72

    ICMP echo request from Internet:10.100.2.252 to server:10.10.2.253 ID=400 seq=1 len=72

    ICMP echo reply from server:10.10.2.253 to Internet:10.100.2.252 ID=400 seq=1 len=72

    ICMP echo request from 10.100.2.252 to 10.10.2.254 ID=401 seq=0 len=72

    ICMP echo request from 10.100.2.252 to 10.10.2.254 ID=401 seq=1 len=72

    ICMP echo request from 10.100.2.252 to 10.10.2.254 ID=401 seq=2 len=72

    Make sure you have management-access inside

    Let me know if this helps.

  • Dynamically loading the interface from a remote source implementation class

    Hello guys,

    I'm kind of new to AS3, please bear with me.

    I'm working on a project where I want to implement some sort of MVC. The idea is this: have an application Viewer that connects to a database and reads the object to display (based on some ID); have an app Setter that connects to the database and sets the object to display for a particular ID.

    What I'm trying to do is to have an interface that declares the common methods for the object class (like the draw, etc.) and have implementations of this interface be dynamically loaded from the database in the Viewer.

    Is this possible? Am I thinking about it in the right way?

    I'd appreciate any suggestions really.
    Thank you

    If you check the book by peldi et al., u would have found what you're talking about. The principle u want to talk is easy to do. This might get u started (it is FMS but the idea is the same): http://help.adobe.com/en_US/FlashMediaServer/3.5_SS_ASD/flashmediaserver_3.5_sslr.pdf - p.28 - application.registerClass () method.

  • routing of multiple site-2-site VPN gateways

    I have a strange configuration and need help.

    We have an ISP with a /29 network. We have connected the Ethernet handoff to a layer 2 device and connected one end to a Calyptix firewall and the other to our Cisco 2811.

    the router has a default route that points to the Calyptix firewall.

    Currently, the router also has a P2P T1 line at the corp office.

    We would like to install a site-to-site VPN from this router to the corp office and use the P2P as the backup for local traffic, but everything else goes out the ASA.

    I feel like I should be able to configure a tunnel between the two (branch and corp) public IP addresses, but I can't ping the public IP address of Corp from the branch because it passes to the firewall (default route).

    What am I missing?

    I have attached a PDF file of the configuration of the network.

    I tried to configure static routes

    ip route 50.199.17.17 255.255.255.255 72.34.95.209

    &

    ip route 72.34.95.210 255.255.255.255 50.199.17.22

    But this does not work, any ideas or suggestions?

    Hi James,

    1. Please check where the traffic from 50.199.17.17 to 72.34.95.210 is going. Do a traceroute to 72.34.95.210 and check if it goes to .210 or to .211 (the firewall), then to .210.

    Note: Maybe the return traffic flows 50.199.17.16 --> Firewall (72.34.95.211) --> router based on your current configuration (maybe the ISP forces it to go in this direction).

    2. Please check that you are not receiving this route (50.199.17.16/29) over the P2P T1 somehow, by doing a trace from 72.34.95.210 to 50.199.17.17.

    3. Check that you don't have any inbound ACL on both routers.

    Please mark this message as correct if it works.

  • ASA site-to-site: remote site cannot access the DMZ at the hub site

    So I've been scratching my head and I just can't visualize what I want and how I want to do it.

    Here is the overview of my network:

    Headquarters: ASA 5505

    Site1: ASA 5505

    Site2: ASA 5505

    Training3: ASA 5505

    All sites are connected L2L to the Headquarters location with site-to-site VPN.

    From the HQ site I can ping each satellite location, and from each satellite location I can ping the HQ site. I will also mention that all other traffic also passes correctly.

    Here's my issue: at the HQ site, I have a DMZ set up with a web/mail server. This mail/web server is accessible from my HQ LAN, but not from the satellite locations. I need to allow that.

    What should I do?

    My second question is that I want the satellite sites to see each other's networks. Should I create a VPN between the sites, or can this be solved in the same way as the question of the DMZ?

    I enclose the show run from my HQ ASA.

    Show run HQ ASA

    For the mail/web server that requires access from the remote sites over the VPN tunnels, you must add the servers to the crypto ACL, similar to the way you have it for network access. Make sure that both sides have mirrored ACLs. If you're NATing from the DMZ to the outside, make sure you create a NAT exemption from the DMZ to the outside for VPN traffic.

    For the second question, because you have only three sites, I would recommend creating a tunnel from site to site between two satellite sites.

    HTH

    PS. If you found this post useful, please rate it.
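
The mirrored crypto ACL check from the answer above, as an added example that is not part of the original thread: it parses ASA-style `access-list ... extended permit ip` entries from both ends of a tunnel and lists the entries one side still needs. The ACL names, the subnets and the helper names are constructed for illustration, and only the `any`, `host A` and `NET MASK` address forms are handled.

```python
import ipaddress

# Constructed sample crypto ACLs (names and addresses are hypothetical).
# The hub has added its DMZ subnet; the spoke has not mirrored it yet.
HQ_ACL = """\
access-list hq_to_site1 extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list hq_to_site1 extended permit ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
"""
SITE1_ACL = """\
access-list site1_to_hq extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
"""

def take_network(tokens):
    """Consume one address spec ('any', 'host A', or 'NET MASK') from tokens."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(tokens[0] + "/" + tokens[1]), tokens[2:]

def parse_acl(text):
    """Return the set of (source, destination) pairs from 'permit ip' entries."""
    pairs = set()
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"] or tok[2:5] != ["extended", "permit", "ip"]:
            continue
        try:
            src, rest = take_network(tok[5:])
            dst, _ = take_network(rest)
        except (IndexError, ValueError):
            continue  # skip forms this sketch does not handle (object-groups etc.)
        pairs.add((src, dst))
    return pairs

def mirror_gaps(this_side, other_side):
    """List the entries the other side still needs to mirror this side's ACL."""
    other = parse_acl(other_side)
    return sorted(f"{d} -> {s}" for s, d in parse_acl(this_side) if (d, s) not in other)

if __name__ == "__main__":
    print("Site1 is missing:", mirror_gaps(HQ_ACL, SITE1_ACL))
    print("HQ is missing:   ", mirror_gaps(SITE1_ACL, HQ_ACL))
```

An unmirrored entry means the two peers propose different protected networks, so the DMZ subnet never gets a matching IPsec SA even though the tunnel for the LAN subnets stays up.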

  • Can an interface used for remote site VPN also be used for another purpose?

    Hi all

    Can an interface used for the remote site VPN on a PIX be used for another function, for example for SMTP server and web publishing?

    Thank you!

    Best regards

    Teru Lei

    Yes! of course you can. Just try it.

    --

    Alexis Fidalgo

    Systems engineer

    AT&T Argentina

  • PIX515E: Cannot ping interfaces

    Hi all

    I've just got a new PIX 515E, 6 interfaces, Version 6.3(5).

    I can't focus on any task with my PIX because the simplest operation is impossible: I cannot ping the inside interface, or from the PIX any host belonging to the same subnet. The interface is up and running, connected directly to a switch, icmp is allowed on the inside...

    Please, could one of you give me some help?

    Regards

    Alberto Brivio

    Make sure the PIX does not have a "failover" license. You will not be able to ping with this type of box until you activate failover.

  • PIX 515E for VPN remote site

    Hello

    PIX version 7.0(1)

    ASDM version 5.0(1)

    I have a situation where you go paas-thanks to the VPN feature goes on our PIX 515E. I tried to put this on the pix using a VPN Wizard Site to site

    who is enabled. I was unable to connect to the pix from the remote site. Witch's journal replied negotiate the pix is OK and the success

    The problem is when I try to set up the tunnel to the top of the remote site. I fall without failure.

    Where can I see the PIX VPN error log?

    Is there a manual for setting up a site-to-site VPN using the wizard?

    Help, please.

    Thanks in advance

    http://www.Cisco.com/en/us/partner/products/HW/vpndevc/ps2030/products_configuration_example09186a00804acfea.shtml#ASDM

    The section 'Use ASDM' (step 14) gives an example of how to set up a LAN-to-LAN VPN via ASDM.

    For the log, go to the "check" section.
