Customer remote cannot access the server LAN via VPN
Hi friends,
I'm a new palyer in ASA.
My business is small. We need to the LAN via VPN remote client access server.
I have an ASA5510 with version 7.0. I have configured remote access VPN and it can establish the tunnel with success. But I can not access the server.
Client VPN is 5.0.07.0290 version. Encrypted packages have increased but the decrypted packet is 0 in the VPN client statistics, after I connected successfully.
Next to the ASA, I show crypto ipsec sa, just deciphering the packets increase.
Who can help me?
Thank you very much.
The following configuration:
ASA Version 7.0(7)
!
hostname VPNhost
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 10
ip address 221.122.96.51 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.42.199 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
ftp mode passive
dns domain-lookup inside
access-list PAT_acl extended permit ip 192.168.42.0 255.255.255.0 any
access-list allow_PING extended permit icmp any any inactive
access-list Internet extended permit ip host 221.122.96.51 any inactive
access-list VPN extended permit ip 192.168.42.0 255.255.255.0 192.168.43.0 255.255.255.0
access-list VPN extended permit ip 192.168.43.0 255.255.255.0 192.168.42.0 255.255.255.0
access-list CAPTURE extended permit ip host 192.168.43.10 host 192.168.42.251
access-list CAPTURE extended permit ip host 192.168.42.251 host 192.168.43.10
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool testpool 192.168.43.10-192.168.43.20arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list VPN
nat (inside) 1 access-list PAT_acl
route outside 0.0.0.0 0.0.0.0 221.122.96.49 10
username testuser password 123
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 3no sysopt connection permit-ipsec
crypto ipsec transform-set FirstSet esp-des esp-md5-hmac
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp nat-traversal 3600
tunnel-group testgroup type ipsec-ra
tunnel-group testgroup general-attributes
address-pool testpool
tunnel-group testgroup ipsec-attributes
pre-shared-key *
telnet timeout 5ssh timeout 10
console timeout 0: end
Topology as follows:
Hello
Configure the split for the VPN tunneling.
Create the access list that defines the network behind the ASA.
ciscoasa(config)#access-list Split_Tunnel_List remark The corporate network behind the ASA. ciscoasa(config)#access-list Split_Tunnel_List standard permit 10.0.1.0 255.255.255.0
Mode of configuration of group policy for the policy you want to change.
ciscoasa(config)#group-policy hillvalleyvpn attributes ciscoasa(config-group-policy)#
Specify the policy to split tunnel. In this case, the policy is tunnelspecified.
ciscoasa(config-group-policy)#split-tunnel-policy tunnelspecified
Specify the access tunnel split list. In this case, the list is Split_Tunnel_List.
ciscoasa(config-group-policy)#split-tunnel-network-list value Split_Tunnel_List
Type this command:
ciscoasa(config)#tunnel-group hillvalleyvpn general-attributes
Associate the group with the tunnel group policy
ciscoasa(config-tunnel-ipsec)# default-group-policy hillvalleyvpn
Leave the two configuration modes.
ciscoasa(config-group-policy)#exit ciscoasa(config)#exit ciscoasa#
Save configuration to non-volatile RAM (NVRAM) and press enter when you are prompted to specify the name of the source file.
Kind regards
Abhishek Purohit
CCIE-S-35269
Tags: Cisco Security
Similar Questions
-
Cannot access the server gmail via any web browser; code 105 error message cannot access server
Remember - this is a public forum so never post private information such as numbers of mail or telephone!
Ideas: have cleared cache, spilled all saved passwords and I can not even access accounts gmail via Google Chrome; Internet Explorer or Firefox... I can not access through my laptop but can access files in gmail on other public computers
- You have problems with programs
- Error messages
- Recent changes to your computer
- What you have already tried to solve the problem
http://www.Google.com/support/forum/p/chrome/thread?TID=1b6ea4f035dadc16&hl=en
-
Cannot access the AIP SSM via ASDM
CISCO recommendations below:
Cannot access the AIP SSM via ASDM
Problem:
This error message appears on the GUI.
Error connecting to sensor. Error Loading Sensor error
Solution:
Make sure that the IPS SSM management interface is up/down and check his IP address configured, default gateway and the subnet mask. It is the interface to access the software from Cisco Adaptive Security Device Manager (ASDM) on the local computer. Try to ping the address of management of IPS SSM IP interface on the local computer that you want to access the ASDM. If it is impossible to do a ping check the ACLs on the sensor
----------------------------------------------------------------------------------------------------------------------------------------------
I've tried everything recommended above. I can ping the host ASDM the FW and the SSM-10 module. Well, I ping the host machine and the SSM of the ASDM. I opened as wide as possible ACL. I changed the IP addresses and masks several times. The management of the ASA port and the SSM and the PC are on the same subnet.
A trace of package from the PC to the SSM shows that it is blocked by an ACL rule, and yet I opened wide. I've seen this kind of problem before and it was solved by applying the double static NAT, but I don't know how to do that if all the IP addresses are on the same subnet.
Tried everything, need help from high level.
The IDM software that comes with ASDM does not support java 1.7. The portion of the ASDM ASA supports 1.7 but launch the IPS cmdlet works only with 1.6. The TAC enginner suggested that I use the IME (IPS Manager Express) which is available for free on the Cisco's (http://www.cisco.com/en/US/products/ps9610/tsd_products_support_general_information.html) Web site.
I've been playing with it today, and so far it seems to work pretty well.
-
Cannot access the server message coming up and cannot convert files
Cannot access the server message coming up and can't convert the files. Works on my desktop, but not at home.
ER
Is it ExportPDF?
-
Cannot access the Media folder via App IOS Readycloud
I have a RN204 4.6.2 running in an OSX system which will not allow access to the Media folder via the IOS app on iPhone or iPad. I can access the media folder via the ReadyCloud portal or the finder on MAC without problem, but the IOS App shows "Access Denied" and requests user & password, which, when entered, does not. I can access all other folders via the application, just not the media folder. Permissions are set the same as the other issues so I'm not sure what the question is that if she's Readycloud app for IOS. I guess the user & password requested is for NAS, although I tried the credientals of Readycloud just for fun but no help. As a note, I don't get "Connection failed" but "Access Denied", so the network access is OK but access to the file is doesn't understand why all other folders are accessible but not the media folder. And that's on both VPN connections & local. Any ideas?
OK, get it fixed. I have changed the name of the folder, allowed full access, then he changed the name of moose. Now I can access the folder via the ios app. I'll have to rescan the actions in my media streamer, but to the East, I now access app.
-
Original title: W7 error play "Media is not available.
On W7 Ultimate, I'm having a problem in the use of "play to" media action to my Sony TV. The tv is visible as a device and it is the same for the laptop to the TV. On laptop I get the error: "themedia is not available." Similarly, when I try to access the laptop to TV, I get error "can not access the server. any solution?
What exact model Sony TV? You may need to install additional softwareSee the content if you want to browse the content on the computer from the computerthe TV. as to play to, seefor beginners.BarbMVP - Windows/entertainment and connected homePlease mark as answer if that answers your question -
Cannot access static nat address via vpn.
I have an asa5510 where I
a static nat from one interface to the other.
I also have a VPN connection to the asa...
On the other side of the vpn connection, I can not access this static NAT.
192.168.170.x is the vpn network.
Is it not possible to access the static NAT over vpn?
the DM_INLINE_NETWORK_16 object-group network
object-network 192.168.0.0 255.255.255.0
object-network vxtron 255.255.255.0
object-network dmz_zone 255.255.255.0
object-network 192.168.170.0 255.255.255.0MPLS_nat0_outbound list extended access deny host ip 172.26.1.5 all
Access extensive list ip 172.26.0.0 MPLS_nat0_outbound allow 255.255.252.0 object-group DM_INLINE_NETWORK_16
pnat1 list extended access permit ip host 172.26.1.5 all
static (MPLS, inside) 192.168.0.199 access list pnat1
NAT (MPLS) 0-list of access MPLS_nat0_outbound
NAT (MPLS) 1 172.26.0.0 255.255.252.0
static (MPLS, inside) 172.26.1.5 MPLS_nat_static access listRené, happy you including yourself this one! If you could, please mark the post as solved so that we know that it is not need more attention
-
Cannot access the server from vsphere client
Hi, people.
After having been very well for a few weeks, now I'm unable to access my server from vSphere client, I get an error of:
Call 'ServiceInstance.RetrieveContent' to object 'ServiceInstance' on the server '192.168.6.2' failed.
I've attached screenshots of the error message.
The pc and the server are on the same subnet, and the error comes from several PCs that try to connect.
Help, please!
NM
So I think you must restart these services as vivari said.
If you are unable to log in via ssh, you must have access to the consoles. Then, you can restart the services or enable ssh to do via ssh.
-
Cannot access the Server Workspace external URL
I am able to access everything successfully while I'm on the server, but I can't seem to access the URL of the external workspace to the server
Here are my steps/symptoms:
-All URLS are running on the server, (for this example, I'm mostly focused on FDM and workspace)
using http://localhost/hyperionfdm and http://localhost:19000/workspace/index.jsp
-Turn off the server I use correctly the URL below, FDM url functions but workspace does not have.
http://Generic.com/hyperionfdm and http://generic.com:19000/workspace/index.jsp
I also tried http://generic:19000/workspace/index.jsp and http://generic.com/workspace/index.jsp but no work
-When I try http://generic.com/hfm off the server, I get a page with just "hfm" on this subject. I understand that this isn't a road to the workspace but that he wanted to provide the information, since it came on other threads that I read while researching this.
I re - run the EPM system for web server configuration, but it doesn't seem to change anything.
Please let me know if you have any ideas on anything to check or how to solve this problem.
Thank youWhat is generic.com? What is a load balancer or a simple dns name?
If it's a load balancer might be mapping generic.com to port 80. Which means that it is mapping to IIS (80) instead of the server (19000) web of OSH. In this scenario, there would be no logic to a port after it because it would be not mapped hollow LB.
Get the IP address of the host and, also, to check the ip address of generic.com using NSlookup - are they the same ip address? If not - you have a load balancer and need to reconfigure it to point to 19000 (or reconfigure your ports)
If they are the same.
from the telnet ip 19000 host work? -If not maybe he doesn't listen on the adapter and only localhost or some IPv6 issue.
off-host telnet ip 19000 work? If this is not the case, perhaps you have a firewall in place blocking port 19000.
Check ipconfig on the host - are there multiple cards?
Thank you
Nick -
After the upgrade to 754035, cannot access the server
In Edit-preferences-shared VMs, workstation server settings is enabled, but I get the error (even when of WS running as root):
Unable to connect to the server of workstation. Please ensure that the server is running and that you are allowed to connect.
-It is true that I have not test this before the upgrade.
WS Server uses the default port 443, nothing else should be listening on it.
# netstat - nalp | grep 443
TCP 0 0 0.0.0.0:443 0.0.0.0: * LISTEN 16082/vmware-pass
TCP 0 0 127.0.0.1:41675 127.0.0.1:443 ESTABLISHED 16130/vmware
TCP 0 0 127.0.0.1:443 ESTABLISHED 16082/vmware-pass 127.0.0.1:41675
TCP 0 0 192.168.2.54:33662 74.125.227.117:443 ESTABLISHED 15280/firefox
tcp6 0 0: 443: * LISTEN 16082/vmware-passThe host is running a new installation of Linux Mint 13, core 3.2.0 - 23-generic #36 - Ubuntu SMP Linux 64-bit
Note: I use the session X as user "dave" and vmware workstation will be started as "dave2":
Dave ~ $ "sudo knew dave2 vmware."
Hello
are there updates after your last post?
-
Cannot access the internal network of VPN with PIX 506th
Hello
I seem to have a problem with the configuration of my PIX. I ping the VPN client from the network in-house, but cannot cannot access all the resources of the vpn client. My running configuration is the following:
Building configuration...
: Saved
:
6.3 (5) PIX version
interface ethernet0 car
Auto interface ethernet1
ethernet0 nameif outside security0
nameif ethernet1 inside the security100
activate the encrypted password of N/JZnmeC2l5j3YTN
2KFQnbNIdI.2KYOU encrypted passwd
hostname SwantonFw2
domain name * *.com
fixup protocol dns-length maximum 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol 2000 skinny
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names of
access-list outside_access_in allow icmp a whole
allow_ping list access permit icmp any any echo response
allow_ping list all permitted access all unreachable icmp
access-list allow_ping allow icmp all once exceed
the INSIDE-IN access list allow inside the interface tcp interface outside
list access to the INSIDE-IN permit udp any any eq field
list access to the INSIDE-IN permit tcp any any eq www
list access to the INSIDE-IN permit tcp any any eq ftp
list access to the INSIDE-IN permit icmp any any echo
the INSIDE-IN permit tcp access list everything all https eq
permit access ip 192.168.0.0 list inside_outbound_nat0_acl 255.255.255.0 192.168.240.0 255.255.255.0
swanton_splitTunnelAcl ip access list allow a whole
outside_cryptomap_dyn_20 ip access list allow any 192.168.240.0 255.255.255.0
no pager
Outside 1500 MTU
Within 1500 MTU
192.168.1.150 outside IP address 255.255.255.0
IP address inside 192.168.0.35 255.255.255.0
alarm action IP verification of information
alarm action attack IP audit
IP pool local VPN_Pool 192.168.240.1 - 192.168.240.254
location of PDM 0.0.0.0 255.255.255.0 outside
location of PDM 192.168.1.26 255.255.255.255 outside
location of PDM 192.168.240.0 255.255.255.0 outside
PDM logging 100 information
history of PDM activate
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0-list of access inside_outbound_nat0_acl
NAT (inside) 1 192.168.0.0 255.255.255.0 0 0
Access-group outside_access_in in interface outside
group-access INTERIOR-IN in the interface inside
Route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
Timeout xlate 0:05:00
Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225
H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00
Sip timeout - disconnect 0:02:00 prompt Protocol sip-0: 03:00
Timeout, uauth 0:05:00 absolute
GANYMEDE + Protocol Ganymede + AAA-server
AAA-server GANYMEDE + 3 max-failed-attempts
AAA-server GANYMEDE + deadtime 10
RADIUS Protocol RADIUS AAA server
AAA-server RADIUS 3 max-failed-attempts
AAA-RADIUS deadtime 10 Server
AAA-server local LOCAL Protocol
Enable http server
http 192.168.0.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
SNMP-Server Community public
No trap to activate snmp Server
enable floodguard
Permitted connection ipsec sysopt
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Dynamic crypto map outside_dyn_map 20 match address outside_cryptomap_dyn_20
Crypto-map dynamic outside_dyn_map 20 the transform-set ESP-DES-MD5 value
map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map
client authentication card crypto outside_map LOCAL
outside_map interface card crypto outside
ISAKMP allows outside
ISAKMP identity address
part of pre authentication ISAKMP policy 20
encryption of ISAKMP policy 20
ISAKMP policy 20 md5 hash
20 2 ISAKMP policy group
ISAKMP duration strategy of life 20 86400
Swanton vpngroup address pool VPN_Pool
vpngroup swanton 192.168.1.1 dns server
vpngroup swanton splitting swanton_splitTunnelAcl tunnel
vpngroup idle 1800 swanton-time
swanton vpngroup password *.
Telnet timeout 5
SSH timeout 5
Console timeout 0
dhcpd address 192.168.0.36 - 192.168.0.254 inside
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd outside auto_config
dhcpd allow inside
scott hwDnqhIenLiwIr9B of encrypted privilege 15 password username
username password encrypted ET3skotcnISwb3MV privilege 2 norm
username password tarmbrecht Zre8euXN6HxXaSdE encrypted privilege 2
username, password jlillevik 9JMTvNZm3dLhQM/W encrypted privilege 2
username privilege 15 encrypted password 49ikl05C8VE6k1jG ruralogic
username bzeiter 1XjpdpkwnSENzfQ0 encrypted password privilege 2
name of user mwalla encrypted password privilege 2 l5frk9obrNMGOiOD
username heavyfab1 6.yy0ys7BifWsa9k encrypted password privilege 2
username heavyfab3 6.yy0ys7BifWsa9k encrypted password privilege 2
username heavyfab2 6.yy0ys7BifWsa9k encrypted password privilege 2
username djet encrypted password privilege 2 wj13fSF4BPQzUzB8
username, password cmorgan y/NeUfNKehh/Vzj6 encrypted privilege 2
username password cmayfield Pe/felGx7VQ3I7ls encrypted privilege 2
username privilege 2 encrypted password zQEQceRITRrO4wJa jeffg
Terminal width 80
Cryptochecksum:9005f35a85fa5fe31dab579bbb1428c8
: end
[OK]
Any help will be greatly appreciated
BJ,
You try to access resources behind the inside interface network?
IP address inside 192.168.0.35 255.255.255.0
If so, please make the following changes:
1 SWANTON_VPN_SPLIT permit access ip 192.168.0.0 list 255.255.255.0 192.168.240.0 255.255.255.0
2-no vpngroup swanton splitting swanton_splitTunnelAcl tunnel
Swanton vpngroup split tunnel SWANTON_VPN_SPLIT
outside_cryptomap_dyn_20 3-no-list of ip access allowing any 192.168.240.0 255.255.255.0
4 - isakmp nat-traversal 30
Let me know how it goes.
Portu.
Please note all useful posts
-
HP ENVY 750-170se: cannot access the RAID configuration via Ctrl + i on startup
I activated the RAID in BIOS > Storage Options > SATA emulations.
There are 2 drives HARD correspondents attached to the SATA 2 ports & 3.
At startup the Intel Rapid Storage screen shows the two discs. It shows the prompt to hit "Ctrl + I" to enter setup.
However: when I hit, stand or mash Ctrl + I, before, during and after the screen from the IRS, it never penetrates RAID installation.
What keeps me to enter RAID configuration menu?
Is there some SATA ports I need the HARD drive to be attached to the?
Motherboard is the model 2B4B, verson A0.11 BIOS
Based on this post I tried to use Intel Rapid Storage to make the RAID. TSRI was not installed/available in Windows so I donwloaded it... during the installation I was told there was a newer version already installed (which is weird because I couldn't access it).
TSRI in Windows made the RAID volume. No need to enter during POST/boot.
-
Need help to access the internal network via VPN on ASA5505 8.4 (1)
Recently, I upgraded my ASA5055 from 8.02 to 8.4 and since I have updated to the new version I can access my home network is no longer through the VPN. I can connect to the VPN with no problems however I can no longer ping or you connect to my network of 10.0. Someone would be kind enough to look at my config and tell me what needs to be added to make it work? In my old config, I had a statement of NAT for VPN that is no longer here.
I also wanted to configure WebVPN to work as well, and this is something that I've never been able to understand. Is it also possible that I can be on my 20.0 network and connect to the VPN and access 10.0 as well? When it is connected to my network of 20.0 I'm not received credentials to connect to the VPN. I would be grateful if someone can help out me. The major part of this is the first part of this question.
My configuration:
ASA Version 8.4 (1)
!
ASA5505 hostname
domain xxxxxxxx.dyndns.org
enable encrypted password xxxxxxxxxxxx
xxxxxxxxxxxxxxx encrypted passwd
names of
nameserver 192.168.10.2
Office of name 192.168.10.3
name Canon 192.168.10.5
name 192.168.10.6 mvix
name 192.168.10.7 xbox
name 192.168.10.8 dvr
name 192.168.10.9 bluray
name 192.168.10.10 lcd
name 192.168.10.11 mp620
name 192.168.10.12 kayla
name 192.168.1.1 asa5505
name 192.168.1.2 ap1
name 192.168.10.4 mvix2
name 192.168.10.13 lcd2
name 192.168.10.14 dvr2
!
interface Vlan1
nameif management
security-level 100
IP address asa5505 255.255.255.248
management only
!
interface Vlan2
0050.8db6.8287 Mac address
nameif outside
security-level 0
IP address dhcp setroute
!
interface Vlan10
nameif private
security-level 100
IP 192.168.10.1 255.255.255.224
!
interface Vlan20
nameif Public
security-level 100
IP 192.168.20.1 255.255.255.224
!
interface Ethernet0/0
Description pointing to WAN
switchport access vlan 2
!
interface Ethernet0/1
Uplink port Linksys 12 description
switchport access vlan 10
!
interface Ethernet0/2
Description Server 192.168.10.2/27
switchport access vlan 10
!
interface Ethernet0/3
Uplink Eth1 management description
!
interface Ethernet0/4
switchport access vlan 30
!
interface Ethernet0/5
switchport access vlan 30
!
interface Ethernet0/6
switchport access vlan 30
!
interface Ethernet0/7
Description of Cisco 1200 Access Point
switchport trunk allowed vlan 1,10,20
switchport trunk vlan 1 native
switchport mode trunk
!
Banner motd users only, all others must disconnect now!
boot system Disk0: / asa841 - k8.bin
passive FTP mode
clock timezone PST - 8
clock summer-time recurring PDT
DNS server-group DefaultDNS
domain xxxxxxx.dyndns.org
network object obj - 192.168.50.0
192.168.50.0 subnet 255.255.255.0
Server network objects
host 192.168.10.2
network object obj - 192.168.10.0
192.168.10.0 subnet 255.255.255.224
network object obj - 192.168.20.0
subnet 192.168.20.0 255.255.255.224
network server-01 object
host 192.168.10.2
network server-02 object
host 192.168.10.2
xbox network object
Home 192.168.10.7
xbox-01 network object
Home 192.168.10.7
xbox-02 network object
Home 192.168.10.7
xbox-03 network object
Home 192.168.10.7
xbox-04 network object
Home 192.168.10.7
network server-03 object
host 192.168.10.2
network server-04 object
host 192.168.10.2
network server-05 object
host 192.168.10.2
Desktop Network object
host 192.168.10.3
kayla network object
Home 192.168.10.12
Home_VPN_splitTunnelAcl list standard access allowed 192.168.10.0 255.255.255.224
outside_access_in list extended access permit tcp any any eq 3389
outside_access_in list extended access permit tcp any any eq 2325
outside_access_in list extended access permit tcp any eq ftp server object
outside_access_in list extended access permit tcp any any eq 5851
outside_access_in list extended access udp allowed any any eq 5850
outside_access_in list extended access permit tcp any any eq pptp
outside_access_in list extended access udp allowed any any eq syslog
outside_access_in list extended access udp allowed any any eq 88
outside_access_in list extended access udp allowed any any eq 3074
outside_access_in list extended access permit tcp any any eq 3074
outside_access_in list extended access permit tcp any any eq field
outside_access_in list extended access udp allowed any any eq field
outside_access_in list extended access permitted tcp everything any https eq
outside_access_in list extended access permit tcp any eq ssh server object
outside_access_in list extended access permit tcp any any eq 2322
outside_access_in list extended access permit tcp any any eq 5900
outside_access_in list extended access permit icmp any any echo response
outside_access_in list extended access permit icmp any any source-quench
outside_access_in list extended access allow all unreachable icmp
outside_access_in list extended access permit icmp any one time exceed
outside_access_in list extended access udp allowed any any eq 5852
KaileY_splitTunnelAcl list standard access allowed 192.168.10.0 255.255.255.224
pager lines 24
Enable logging
timestamp of the record
exploitation forest-size of the buffer of 36000
logging warnings put in buffered memory
recording of debug trap
asdm of logging of information
address record [email protected] / * /
exploitation forest-address recipient [email protected] / * / level of errors
Management Server host forest
MTU 1500 management
Outside 1500 MTU
MTU 1500 private
MTU 1500 Public
local pool IPPOOL 192.168.50.2 - 192.168.50.10 255.255.255.0 IP mask
local pool VPN_POOL 192.168.100.2 - 192.168.100.10 255.255.255.0 IP mask
no failover
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow all outside
ASDM image disk0: / asdm - 641.bin
don't allow no asdm history
ARP timeout 14400
!
Server network objects
NAT (private, foreign) static tcp ftp 5851 service interface
network object obj - 192.168.10.0
NAT (private, foreign) dynamic interface
network object obj - 192.168.20.0
NAT (outside) dynamic public interface
network server-01 object
NAT (private, outside) interface static 2325 2325 tcp service
network server-02 object
NAT (private, outside) interface static udp syslog syslog service
xbox network object
NAT (private, outside) interface static service udp 88 88
xbox-01 network object
NAT (private, outside) interface static service udp 3074-3074
xbox-02 network object
NAT (private, outside) interface static service tcp 3074-3074
xbox-03 network object
NAT (private, outside) interface static tcp domain domain service
xbox-04 network object
field of the udp NAT (private, foreign) of the static interface function
network server-03 object
NAT (private, outside) interface static tcp https https service
network server-04 object
Static NAT (private, outside) interface service tcp ssh 2322
network server-05 object
NAT (private, outside) interface static 5900 5900 tcp service
Desktop Network object
NAT (private, outside) interface static service tcp 3389 3389
kayla network object
NAT (private, outside) interface static service udp 5852 5852
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
AAA authentication enable LOCAL console
AAA authentication http LOCAL console
the ssh LOCAL console AAA authentication
AAA authentication LOCAL telnet console
Enable http server
http 192.168.1.0 255.255.255.248 management
redirect http outside 80
location of SNMP server on the Office floor
SNMP Server contact [email protected] / * /
Community SNMP-server
Server enable SNMP traps snmp authentication linkup, linkdown cold start
No vpn sysopt connection permit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto-map dynamic outside_dyn_map pfs set 20 Group1
Crypto-map dynamic outside_dyn_map 20 set transform-set ESP-3DES-SHA ikev1
life together - the association of security crypto dynamic-map outside_dyn_map 20 28800 seconds
Crypto-map dynamic outside_dyn_map 20 kilobytes of life together - the association of safety 4608000
map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map
outside_map interface card crypto outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH 192.168.1.0 255.255.255.248 management
SSH 0.0.0.0 0.0.0.0 outdoors
SSH timeout 30
Console timeout 30
access to administration management
dhcpd dns 24.205.1.14 66.215.64.14
dhcpd ping_timeout 750
dhcpd field xxxxxxxx.dyndns.org
dhcpd outside auto_config
!
dhcpd manage 192.168.1.4 - 192.168.1.5
dhcpd enable management
!
dhcpd address private 192.168.10.20 - 192.168.10.30
enable private dhcpd
!
dhcpd 192.168.20.2 public address - 192.168.20.30
dhcpd enable Public
!
a basic threat threat detection
statistical threat detection port
Statistical threat detection Protocol
Statistics-list of access threat detection
no statistical threat detection tcp-interception
Server NTP 192.43.244.18
Server NTP 129.6.15.28
WebVPN
internal Home_VPN group strategy
attributes of Group Policy Home_VPN
value of 8.8.8.8 DNS Server 4.2.2.2
Ikev1 VPN-tunnel-Protocol without ssl-client
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list Home_VPN_splitTunnelAcl
value by default-field www.xxxxxx.com
the address value IPPOOL pools
WebVPN
the value of the URL - list ClientlessBookmark
political group internal kikou
group attributes political kikou
value of 8.8.8.8 DNS Server 4.2.2.2
Ikev1 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list KaileY_splitTunnelAcl
XXXXXXX.dyndns.org value by default-field
username scottrog encrypted password privilege 0 xxxxxxxxxxxxxx
user_name john encrypted password privilege 0 xxxxxxxxxxxxxxx
username joek encrypted password privilege 0 xxxxxxxxxxxx
eostrike encrypted xxxxxxxxxxxx privilege 15 password username
username almostsi encrypted password privilege 0 xxxxxxxxxxxxxx
username ezdelarosa password xxxxxxxxxxxxxxencrypted privilege 0
type tunnel-group Home_VPN remote access
attributes global-tunnel-group Home_VPN
IPPOOL address pool
LOCAL authority-server-group
authorization-server-group (outside LOCAL)
Group Policy - by default-Home_VPN
authorization required
IPSec-attributes tunnel-group Home_VPN
IKEv1 pre-shared-key *.
type tunnel-group SSLClientProfile remote access
tunnel-group SSLClientProfile webvpn-attributes
enable SSLVPNClient group-alias
tunnel-group type ClientLESS remote access
tunnel-group kanazoé type remote access
attributes global-tunnel-group kanazoé
address VPN_POOL pool
by default-group-policy kikou
tunnel-group KaileY ipsec-attributes
IKEv1 pre-shared-key *.
by default-group Home_VPN tunnel-Group-map
!
!
context of prompt hostname
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:438ed6084bb3dc956574b1ce83f52b86
: end
ASA5505 #.
Here are the declarations of NAT for your first question:
network object obj - 192.168.100.0
255.255.255.0 subnet 192.168.100.0
NAT (private, foreign) source static obj - 192.168.10.0 obj - 192.168.10.0 destination static obj - 192.168.50.0 obj - 192.168.50.0
NAT (private, foreign) source static obj - 192.168.10.0 obj - 192.168.10.0 destination static obj - 192.168.100.0 obj - 192.168.100.0
And 'clear xlate' after the above and that should fix your first question.
I would check your second question and get back to you shortly.
-
Cannot access the internal resources for VPN site-to-site
We have two ASA. We set up just VPN site-to-site. For some reason, we are not able to access internal resources at the main office of the remote office. Do you have any suggestions? Thank you.
as wu suggested, please first confirm that the tunnel is mounted correctly
"sh cry isa his '-> will tell u if the phase 1 is in place
"sh cry ips its '-> say if phase 2 is in place
now once they r upward, when you ping from site to site b
program in the site, you should see one and decaps site b for traffic from a to b and vice versa for return transportation
Now we have to see where it is a failure
could be tht package is coming up to the asa but not getting is not encrypted or that the package does not come to the asa itself
You can run tracer package to see if it's getting wrapped, or in other words hits vpn tunnel
It might be a nat problem, and sometimes if it is a new configuration probably ISP may have blocked the esp traffic in one direction or in the other direction
the best approach, that it is turn on "management of access to the inside" on the firewall and make a ping of source of asa
inside ping
-
We are struggling to print on my local printer when you use remote desktop to access the server (Server 2008). Cannot make it work. Any suggestions?
Hi EverettBurton,
The issue of Windows XP, you have posted is related to Windows XP in a domain environment. It is better suited for the IT Pro TechNet public. Please ask your question in the TechNet forums for assistance.
Hope the helps of information.
Maybe you are looking for
-
iCloud drive with Sierra problems
When I upgraded to Sierra, during the implementation, I registered inadvertently to the top enable My Documents & Desk Top to synchronize without realizing account. Everything was going well in the Finder, until I realized that I was looking for to i
-
Satellite Pro M10 keyboard symbol Transposition in MS products
I just had my hard drive replaced and now a lot of symbols e.g. physical keyboard @£ ' # are converted when I type in MS Word and other MS products, BUT this IS NOT the case when I type here.» Any ideas on how I can fix this?
-
Synch series AO DAQmx with DIO
There are not many examples DAQmx for AO series. Can someone give me an example of how do I synchronize using outputs analog DAQmx on the digital master with exit/entry table on a Board of the slave? I have an AO Series PCI-6723 (Dev1) and a DIO PCIe
-
XP SP3 help & problem of taking in charge
For some reason, I've lost "Help and Support" and it does not open. I got this message: "Windows cannot find"helpctr.exe"make sure you typed the name correctly...» » I worked with this problem for a while. I finally got "Help and Support" in Servic
-
Restart the programaticaly application
HelloI have a button and click the how can I restart the application programmatically or is there any code to restart the application