ESXi hosts SBS 2011, clients lose network via VPN

Similar Questions

• How to reach esxi host 5 on storage area network

  I have a Dell PS6000E on my network.  I would like to create a volume on it and use it as a shared storage for a new configuration of esxi5 with 2 hosts.  The PS6000 already contains 2 volumes in use by other servers (physical).  To access the PS6000 via my regular local network hosts.  Is this possible, and is there a documentation on how to put in place?

  Thank you

  Welcome to the community - I guess you access the PS6000E are configured for iSCSI or NAS/NFS, you will be able to access as shared storage long ESXi hosts can reach the unit. Because ESXi hosts will not be able to share the LUNS in use by other servers, you're going to create a new LUN for ESXi hosts. This storage of ESXi - http://pubs.vmware.com/vsphere-50/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-50-storage-guide.pdf - guide that has information on how to configure your ESXi servers to access the storage.

• Add ESXi hosts to vSphere Client

  We have 7 servers ESX and ESXi 8 servers.

  Six of the ESX servers are sitting in a cluster and the last of them is located in its own cluster.

  It's nice to manage all 7 ESX servers in a vSphere Client.

  8 ESXi servers, I've been managing each with their own vSphere Client connection.

  Is it possible to create a cluster of ESXi in vSphere and add each of the ESXi hosts to this cluster of '? Or even a "cluster"?

  I tried and I get the following error.

  "License not available to perform the operation. ESXi 4 for Host 192.168.1.10 Server license does not include the agent for ESX Server vCenter. Upgrade the license. »

  We don't have a budget to upgrade the more liceneses. I don't mean to make HA or DRS on the ESXi hosts. I'd just like to see servers running on them for purposes of inventory without having to have 9 vSphere customers open.

  We have a license entirely vCenter Server so I think we should be able to add these ESXi servers.

  Any help would be appreciated.

  You must have at least vSphere Standard license for each host you wish to manage with vCenter. Free ESXi cannot be connected to vCenter.

  ---

  MCSA, MCTS Hyper-V, VCP 3/4, VMware vExpert

  http://blog.vadmin.ru

• How to connect two ESXi hosts with a connection to 1Gbps via ADJUSTABLE and the transfer of files between them?

  Dear community,

  Like many of you, I am facing the problem of executing an effective backup of VMs. unfortunately I can't use standard methods: my servers are rented from the root servers and therefore haver some limits. Their main NIC is connected to the Internet on the speed of 100 MB. It's very slow, if I try to VM backup via this connection images. In addition, backup sessions running through the shared management interface are affecting the production of virtual machine performance.

  To resolve this problem, I ordered an additional network card to each server and asked the data center to connect my themwith a physical link (crossover cable). OK, between my servers 1Gbit link is established, but how do you use now?

  -I can not move the management interface of these cards, because they have no connection to the internet.

  -I can't use among the guest computers because the guest computer is unable to access the files on disk on the host computer.

  So, I've exhausted all my ideas. Maybe someone knows the trick that will let me use 1 GB link between two machines of ESXi to mutually backup disks of virtual machines from one host to another.

  Thanks in advance for your ideas.

  Who is King

  Anton

  Create a vSwitch on each host and set the NETWORK adapter that you will use with the x-over cable.

  Create a portgroup Console of service on each vSwitch and assign it an IP address on the same subnet for each server (router/gateway address does not necessary) for example 192.168.0.1 and 192.168.0.2 on each host.

  Connect the cables between the server network cards.

  You should have a link between two service consoles. I now download and deploy the device of the vMA, on the two hosts for the fault tolerance. Write a script on the VMAs on each host to a-i vmkfstools from one host to another and vice versa.

  If you have virtual machines registered pointing these VMDK on both hosts, then have your scripts remove the VMDK and re - the clone using vmfkstools whenever you back up, you should have a backup solution of rudimentary virtual machine (full copy) in place.

  Now you do not miss the service console?

  Good luck

  Alex

  www.phdvirtual.com

• The fact to unplug cable adapter HBA on the ESXI host causing VI Client to hang

  We use HP DL380 G5 with the embedded HP version (ESX 3.5i U3 + latest patch)

  This server has all of the available features available (HA, DRS etc..) The server has 2 EMC QLogic 2340 HBA with the latest EMC firmware in it.

  If I look in the VCenter in a disk storage properties it shows me 4 available for SP on our SAN paths. (all MRU settings. we have SAN active/passive)

  Now, here's the problem we have:

  As soon as I unplug the fibrecable, the Vcenter must use another active path. It looks like this, the VM Machines are continue to operate, but only after a new analysis of the hba it also shows that the 2 paths are broken

  But when I close the VI Client and run it then the problems begin:

  • Machines of VM loses connections (rattling irregular and after awhile not available)

  • Customer VI freezes and does not

  In the end, I have reconnected the fibrecable (because each time I start the VI Client it crashes) all problems disappeared and everything works again.

  If I then take a look at the Machines-VM BSOD some are, some have the writeback failed

  Disconnect a fibrecable shall not give any disruption, that's why we have redundant HBA. But it does!

  Anyone have any suggestions?

  HBA QLogic VMkernel pilots understand firmware which (actually) hot-loaded on the HBA driver support.

  See http://communities.vmware.com/message/325181#325181

  So, don't bother with the HBA firmware level.

  See the latest "Fibre Channel SAN Configuration Guide.

  page 99: setting the time-out HBA to failover (value qlport_down_retry)

  Good luck.

• Cannot access remote network via VPN

  Hello

  I'm trying to set up a router vpn access to my office network. The router is connected to the Internet through using pppoe vdsl.
  There is also a public oriented Web server in the office which must be accessible.

  I can access the Web server from the Internet and the vpn connects successfully. I can also ping the LAN Gateway, however, I can't access all the local machines.

  I'm quite puzzled as to why it does not work. Please could someone help.

  The results of tests and the router configuration are listed below. Please let me know if you need additional information.

  Thank you and best regards,
  Simon

  1. routing on the router table
  Router #sh ip route
  Gateway of last resort is ggg.hhh.125.34 to network 0.0.0.0
  xxx.yyy.zzz.0/29 is divided into subnets, subnets 1
  C XXX.yyy.zzz.192 is directly connected, Vlan10
  GGG.hhh.125.0/32 is divided into subnets, subnets 1
  C GGG.HHH.125.34 is directly connected, Dialer0
  172.16.0.0/32 is divided into subnets, subnets 1
  S 172.16.100.50 [1/0] via mmm.nnn.ppp.sss
  S * 0.0.0.0/0 [1/0] via ggg.hhh.125.34

  2. ping PC remotely (172.16.100.50) local GW (172.16.100.1) successful
  > ping 172.16.100.1
  Ping 172.16.100.1 with 32 bytes of data:
  Response to 172.16.100.1: bytes = 32 time = 24ms TTL = 255
  Response to 172.16.100.1: bytes = 32 time = 10ms TTL = 255
  Response to 172.16.100.1: bytes = 32 time = 10ms TTL = 255
  Response to 172.16.100.1: bytes = 32 time = 11ms TTL = 255

  3. ping PC remotely (172.16.100.50) to the local server (172.16.100.10) failure
  > ping 172.16.100.10
  Ping 172.16.100.10 with 32 bytes of data:
  Request timed out.
  Request timed out.
  Request timed out.
  Request timed out.

  4. ping the router to the successful local server
  router #ping 172.16.100.10
  Type to abort escape sequence.
  Send 5, echoes ICMP 100 bytes to 172.16.100.10, wait time is 2 seconds:
  !!!!!
  Success rate is 100 per cent (5/5), round-trip min/avg/max = 1/1/4 ms

  5 see the version
  Cisco IOS software, software of C181X (C181X-ADVIPSERVICESK9-M), Version 12.4 (15) T1, VERSION of the SOFTWARE (fc2)
  ROM: System Bootstrap, Version 12.3 YH6 (8r), RELEASE SOFTWARE (fc1)
  the availability of router is 1 hour, 9 minutes
  System image file is "flash: c181x-advipservicesk9 - mz.124 - 15.T1.bin".
  Cisco 1812-J (MPC8500) processor (revision 0 x 300) with 118784K / 12288K bytes of memory.
  10 FastEthernet interfaces
  1 ISDN basic rate interface
  Configuration register is 0 x 2102

  6. router Config
  AAA authentication login default local
  connection of local AAA VPN authentication.
  AAA authorization exec default local
  local authorization AAA VPN network
  !
  !
  AAA - the id of the joint session
  !
  !
  !
  !
  crypto ISAKMP policy 1
  BA 3des
  preshared authentication
  Group 2
  !
  Configuration group customer isakmp crypto ASI_Group
  key mykey
  DNS aaa.bbb.cccc.ddd
  domain mydomain.com
  pool VPN_Pool
  ACL VPN_ACL
  !
  !
  Crypto ipsec transform-set esp-3des esp-sha-hmac TS1
  !
  crypto dynamic-map 10 DYNMAP
  game of transformation-TS1
  market arriere-route
  !
  !
  list of authentication of VPN client VPN crypto card
  card crypto VPN VPN isakmp authorization list
  crypto map VPN client configuration address respond
  card crypto 10 VPN ipsec-isakmp dynamic DYNMAP
  !
  !
  !
  IP cef
  !
  !
  !
  Authenticated MultiLink bundle-name Panel
  !
  !
  username admin privilege 15 password mypassword
  Archives
  The config log
  hidekeys
  !
  !
  !
  !
  !
  interface FastEthernet0
  WAN description
  no ip address
  no ip redirection
  no ip unreachable
  no ip proxy-arp
  no ip mroute-cache
  automatic duplex
  automatic speed
  PPPoE enable global group
  PPPoE-client dial-pool-number 1
  !
  interface FastEthernet2
  Description Public_LAN_Interface
  switchport access vlan 10
  full duplex
  Speed 100
  !
  FastEthernet6 interface
  Description Private_LAN_Interface
  switchport access vlan 100
  full duplex
  Speed 100
  !
  interface Vlan1
  no ip address
  !
  interface Vlan10
  Public description
  IP address xxx.yyy.zzz.193 255.255.255.248
  no ip redirection
  no ip unreachable
  no ip proxy-arp
  no ip mroute-cache
  !
  interface Vlan100
  172.16.100.1 IP address 255.255.255.0
  no ip redirection
  no ip unreachable
  no ip proxy-arp
  no ip mroute-cache
  !
  interface Dialer0
  IP unnumbered Vlan10
  no ip unreachable
  IP mtu 1452
  IP virtual-reassembly
  encapsulation ppp
  no ip mroute-cache
  Dialer pool 1
  Dialer-Group 1
  Authentication callin PPP chap Protocol
  PPP chap hostname myhostname
  PPP chap password mychappassword
  PPP ipcp dns request accept
  failure to track PPP ipcp
  PPP ipcp address accept
  VPN crypto card
  !
  IP pool local VPN_Pool 172.16.100.50 172.16.100.60
  !
  !
  no ip address of the http server
  no ip http secure server
  !
  VPN_ACL extended IP access list
  IP 172.16.100.0 allow 0.0.0.255 any
  !
  Dialer-list 1 ip protocol allow
  not run cdp
  !
  !

  Simon,

  Basically when you connect through a VPN Client PC routing table is updated automatically as soon as the connection is established. If you do not need to manually add routes. You can check this by doing a "route print" once you are connected.

  Ideally, you need to put your pool of VPN on subnet that does not exist on your physical network, the router would be to route traffic between the IP pool and internal subnet.

  Now, you said that you have a web server with a public IP address that you need to access through the VPN, that host also as a private IP addresses on the 172.16.100.0? If it isn't then the ACL that I proposed should work. If she only has a public IP then your ACL VPN address must have something like

  IP 172.16.100.0 allow 0.0.0.255 192.168.100.0 0.0.0.255

  219.xxx.yyy.192 ip 0.0.0.7 permit 192.168.100.0 0.0.0.255

  Who says the router and the client to encrypt all traffic between the subnets behind your router and your VPN pool.

  I hope this helps.

  Luis Raga

• Need help to access the internal network via VPN on ASA5505 8.4 (1)

  Recently, I upgraded my ASA5055 from 8.02 to 8.4 and since I have updated to the new version I can access my home network is no longer through the VPN. I can connect to the VPN with no problems however I can no longer ping or you connect to my network of 10.0. Someone would be kind enough to look at my config and tell me what needs to be added to make it work? In my old config, I had a statement of NAT for VPN that is no longer here.

  I also wanted to configure WebVPN to work as well, and this is something that I've never been able to understand. Is it also possible that I can be on my 20.0 network and connect to the VPN and access 10.0 as well? When it is connected to my network of 20.0 I'm not received credentials to connect to the VPN. I would be grateful if someone can help out me. The major part of this is the first part of this question.

  My configuration:

  ASA Version 8.4 (1)

  !

  ASA5505 hostname

  domain xxxxxxxx.dyndns.org

  enable encrypted password xxxxxxxxxxxx

  xxxxxxxxxxxxxxx encrypted passwd

  names of

  nameserver 192.168.10.2

  Office of name 192.168.10.3

  name Canon 192.168.10.5

  name 192.168.10.6 mvix

  name 192.168.10.7 xbox

  name 192.168.10.8 dvr

  name 192.168.10.9 bluray

  name 192.168.10.10 lcd

  name 192.168.10.11 mp620

  name 192.168.10.12 kayla

  name 192.168.1.1 asa5505

  name 192.168.1.2 ap1

  name 192.168.10.4 mvix2

  name 192.168.10.13 lcd2

  name 192.168.10.14 dvr2

  !

  interface Vlan1

  nameif management

  security-level 100

  IP address asa5505 255.255.255.248

  management only

  !

  interface Vlan2

  0050.8db6.8287 Mac address

  nameif outside

  security-level 0

  IP address dhcp setroute

  !

  interface Vlan10

  nameif private

  security-level 100

  IP 192.168.10.1 255.255.255.224

  !

  interface Vlan20

  nameif Public

  security-level 100

  IP 192.168.20.1 255.255.255.224

  !

  interface Ethernet0/0

  Description pointing to WAN

  switchport access vlan 2

  !

  interface Ethernet0/1

  Uplink port Linksys 12 description

  switchport access vlan 10

  !

  interface Ethernet0/2

  Description Server 192.168.10.2/27

  switchport access vlan 10

  !

  interface Ethernet0/3

  Uplink Eth1 management description

  !

  interface Ethernet0/4

  switchport access vlan 30

  !

  interface Ethernet0/5

  switchport access vlan 30

  !

  interface Ethernet0/6

  switchport access vlan 30

  !

  interface Ethernet0/7

  Description of Cisco 1200 Access Point

  switchport trunk allowed vlan 1,10,20

  switchport trunk vlan 1 native

  switchport mode trunk

  !

  Banner motd users only, all others must disconnect now!

  boot system Disk0: / asa841 - k8.bin

  passive FTP mode

  clock timezone PST - 8

  clock summer-time recurring PDT

  DNS server-group DefaultDNS

  domain xxxxxxx.dyndns.org

  network object obj - 192.168.50.0

  192.168.50.0 subnet 255.255.255.0

  Server network objects

  host 192.168.10.2

  network object obj - 192.168.10.0

  192.168.10.0 subnet 255.255.255.224

  network object obj - 192.168.20.0

  subnet 192.168.20.0 255.255.255.224

  network server-01 object

  host 192.168.10.2

  network server-02 object

  host 192.168.10.2

  xbox network object

  Home 192.168.10.7

  xbox-01 network object

  Home 192.168.10.7

  xbox-02 network object

  Home 192.168.10.7

  xbox-03 network object

  Home 192.168.10.7

  xbox-04 network object

  Home 192.168.10.7

  network server-03 object

  host 192.168.10.2

  network server-04 object

  host 192.168.10.2

  network server-05 object

  host 192.168.10.2

  Desktop Network object

  host 192.168.10.3

  kayla network object

  Home 192.168.10.12

  Home_VPN_splitTunnelAcl list standard access allowed 192.168.10.0 255.255.255.224

  outside_access_in list extended access permit tcp any any eq 3389

  outside_access_in list extended access permit tcp any any eq 2325

  outside_access_in list extended access permit tcp any eq ftp server object

  outside_access_in list extended access permit tcp any any eq 5851

  outside_access_in list extended access udp allowed any any eq 5850

  outside_access_in list extended access permit tcp any any eq pptp

  outside_access_in list extended access udp allowed any any eq syslog

  outside_access_in list extended access udp allowed any any eq 88

  outside_access_in list extended access udp allowed any any eq 3074

  outside_access_in list extended access permit tcp any any eq 3074

  outside_access_in list extended access permit tcp any any eq field

  outside_access_in list extended access udp allowed any any eq field

  outside_access_in list extended access permitted tcp everything any https eq

  outside_access_in list extended access permit tcp any eq ssh server object

  outside_access_in list extended access permit tcp any any eq 2322

  outside_access_in list extended access permit tcp any any eq 5900

  outside_access_in list extended access permit icmp any any echo response

  outside_access_in list extended access permit icmp any any source-quench

  outside_access_in list extended access allow all unreachable icmp

  outside_access_in list extended access permit icmp any one time exceed

  outside_access_in list extended access udp allowed any any eq 5852

  KaileY_splitTunnelAcl list standard access allowed 192.168.10.0 255.255.255.224

  pager lines 24

  Enable logging

  timestamp of the record

  exploitation forest-size of the buffer of 36000

  logging warnings put in buffered memory

  recording of debug trap

  asdm of logging of information

  address record [email protected] / * /

  exploitation forest-address recipient [email protected] / * / level of errors

  Management Server host forest

  MTU 1500 management

  Outside 1500 MTU

  MTU 1500 private

  MTU 1500 Public

  local pool IPPOOL 192.168.50.2 - 192.168.50.10 255.255.255.0 IP mask

  local pool VPN_POOL 192.168.100.2 - 192.168.100.10 255.255.255.0 IP mask

  no failover

  ICMP unreachable rate-limit 1 burst-size 1

  ICMP allow all outside

  ASDM image disk0: / asdm - 641.bin

  don't allow no asdm history

  ARP timeout 14400

  !

  Server network objects

  NAT (private, foreign) static tcp ftp 5851 service interface

  network object obj - 192.168.10.0

  NAT (private, foreign) dynamic interface

  network object obj - 192.168.20.0

  NAT (outside) dynamic public interface

  network server-01 object

  NAT (private, outside) interface static 2325 2325 tcp service

  network server-02 object

  NAT (private, outside) interface static udp syslog syslog service

  xbox network object

  NAT (private, outside) interface static service udp 88 88

  xbox-01 network object

  NAT (private, outside) interface static service udp 3074-3074

  xbox-02 network object

  NAT (private, outside) interface static service tcp 3074-3074

  xbox-03 network object

  NAT (private, outside) interface static tcp domain domain service

  xbox-04 network object

  field of the udp NAT (private, foreign) of the static interface function

  network server-03 object

  NAT (private, outside) interface static tcp https https service

  network server-04 object

  Static NAT (private, outside) interface service tcp ssh 2322

  network server-05 object

  NAT (private, outside) interface static 5900 5900 tcp service

  Desktop Network object

  NAT (private, outside) interface static service tcp 3389 3389

  kayla network object

  NAT (private, outside) interface static service udp 5852 5852

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  dynamic-access-policy-registration DfltAccessPolicy

  AAA authentication enable LOCAL console

  AAA authentication http LOCAL console

  the ssh LOCAL console AAA authentication

  AAA authentication LOCAL telnet console

  Enable http server

  http 192.168.1.0 255.255.255.248 management

  redirect http outside 80

  location of SNMP server on the Office floor

  SNMP Server contact [email protected] / * /

  Community SNMP-server

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  No vpn sysopt connection permit

  Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

  Crypto-map dynamic outside_dyn_map pfs set 20 Group1

  Crypto-map dynamic outside_dyn_map 20 set transform-set ESP-3DES-SHA ikev1

  life together - the association of security crypto dynamic-map outside_dyn_map 20 28800 seconds

  Crypto-map dynamic outside_dyn_map 20 kilobytes of life together - the association of safety 4608000

  map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

  outside_map interface card crypto outside

  Crypto ikev1 allow outside

  IKEv1 crypto policy 10

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  Telnet timeout 5

  SSH 192.168.1.0 255.255.255.248 management

  SSH 0.0.0.0 0.0.0.0 outdoors

  SSH timeout 30

  Console timeout 30

  access to administration management

  dhcpd dns 24.205.1.14 66.215.64.14

  dhcpd ping_timeout 750

  dhcpd field xxxxxxxx.dyndns.org

  dhcpd outside auto_config

  !

  dhcpd manage 192.168.1.4 - 192.168.1.5

  dhcpd enable management

  !

  dhcpd address private 192.168.10.20 - 192.168.10.30

  enable private dhcpd

  !

  dhcpd 192.168.20.2 public address - 192.168.20.30

  dhcpd enable Public

  !

  a basic threat threat detection

  statistical threat detection port

  Statistical threat detection Protocol

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  Server NTP 192.43.244.18

  Server NTP 129.6.15.28

  WebVPN

  internal Home_VPN group strategy

  attributes of Group Policy Home_VPN

  value of 8.8.8.8 DNS Server 4.2.2.2

  Ikev1 VPN-tunnel-Protocol without ssl-client

  Split-tunnel-policy tunnelspecified

  value of Split-tunnel-network-list Home_VPN_splitTunnelAcl

  value by default-field www.xxxxxx.com

  the address value IPPOOL pools

  WebVPN

  the value of the URL - list ClientlessBookmark

  political group internal kikou

  group attributes political kikou

  value of 8.8.8.8 DNS Server 4.2.2.2

  Ikev1 VPN-tunnel-Protocol

  Split-tunnel-policy tunnelspecified

  value of Split-tunnel-network-list KaileY_splitTunnelAcl

  XXXXXXX.dyndns.org value by default-field

  username scottrog encrypted password privilege 0 xxxxxxxxxxxxxx

  user_name john encrypted password privilege 0 xxxxxxxxxxxxxxx

  username joek encrypted password privilege 0 xxxxxxxxxxxx

  eostrike encrypted xxxxxxxxxxxx privilege 15 password username

  username almostsi encrypted password privilege 0 xxxxxxxxxxxxxx

  username ezdelarosa password xxxxxxxxxxxxxxencrypted privilege 0

  type tunnel-group Home_VPN remote access

  attributes global-tunnel-group Home_VPN

  IPPOOL address pool

  LOCAL authority-server-group

  authorization-server-group (outside LOCAL)

  Group Policy - by default-Home_VPN

  authorization required

  IPSec-attributes tunnel-group Home_VPN

  IKEv1 pre-shared-key *.

  type tunnel-group SSLClientProfile remote access

  tunnel-group SSLClientProfile webvpn-attributes

  enable SSLVPNClient group-alias

  tunnel-group type ClientLESS remote access

  tunnel-group kanazoé type remote access

  attributes global-tunnel-group kanazoé

  address VPN_POOL pool

  by default-group-policy kikou

  tunnel-group KaileY ipsec-attributes

  IKEv1 pre-shared-key *.

  by default-group Home_VPN tunnel-Group-map

  !

  !

  context of prompt hostname

  call-home

  Profile of CiscoTAC-1

  no active account

  http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address

  email address of destination [email protected] / * /

  destination-mode http transport

  Subscribe to alert-group diagnosis

  Subscribe to alert-group environment

  Subscribe to alert-group monthly periodic inventory

  monthly periodicals to subscribe to alert-group configuration

  daily periodic subscribe to alert-group telemetry

  Cryptochecksum:438ed6084bb3dc956574b1ce83f52b86

  : end

  ASA5505 #.

  Here are the declarations of NAT for your first question:

  network object obj - 192.168.100.0

  255.255.255.0 subnet 192.168.100.0

  NAT (private, foreign) source static obj - 192.168.10.0 obj - 192.168.10.0 destination static obj - 192.168.50.0 obj - 192.168.50.0

  NAT (private, foreign) source static obj - 192.168.10.0 obj - 192.168.10.0 destination static obj - 192.168.100.0 obj - 192.168.100.0

  And 'clear xlate' after the above and that should fix your first question.

  I would check your second question and get back to you shortly.

• Cannot print to a network via vpn printer

  Installed an EnGenius ESR750H router and configure the L2TP VPN server and Win 7 SP1 VPN client.   The client connects and implements the VPN.

  I can access the drives mapped to WHS v1 (Windows Home Server) and NAS (Network attached storage() and I can access the NAS login screen.

  I can't access screen for the old DLink DIR-655 Router now used as a WAP only [wireless access point] connection.

  I can't print the two printers on network at the office. LaserJets HP4000 & HP4050 with SNMP disabled in the configuration of printer Win7 - if on, they show offline.

  And I can't RDC (Remote Desktop connection) the ESM.

  A computer on the LAN Office can do anything, so everything works.

  Some time back, I have all work by the VPN ESR750H - all this - and I was so happy to finally access.  At that time there I had not yet removed on the WHS VPN configuration.

  Then the next day, a fool to UNRWA [the boss] decided to move things on a network segment and everything, including internet access, went to-well, you know where.  During the frenetic fray next I took the VPN of the WHS, but left the remote control to connect to.  More I have him help locate the bad wiring and bad switch causing the problem.

  I could not even get it all back to what I had it one evening.  There must be something stupid.

  The DRC to the WHS says the server error is not on, not available on the network, or is not remote connect lit, but the boss can rdc to the MSS on the local network.

  Printers and the DIR-655 all come with the same message of troubleshooting when I go to IP addresses through the browser with the connected VPN.

  (device) is detected and online but does not - does not not to connections on port 80, possibly firewall or do security policy issues - no problems with the firewall on my computer.

  I tried port forwarding 80 printing - no joy.

  Thanks in advance.

  Bob

  Hello Rafisher,

  Thanks for posting the question on the Microsoft Community.

  The question you posted would be better suited in TechNet community support. I suggest you to check with TechNet support to solve the problem.

  http://social.technet.Microsoft.com/forums/en-us/newThread

  I hope that helps you find the solution for your problem. If you have other problems with Windows in the future, please post in the Windows community. We would be happy to help you.

• Cannot ping inner network via VPN site-2-site

  I have the following Setup of the site 2 site VPN.

  

  The pain I feel is host 172.168.88.3 in site A is not able to ping 172.168.200.3 in site B and vice versa. Think I've added static routes and lists ACLs correctly on 3560 switches (acting as an access point) and the two PIX to access internal networks. 172.168.9.3 host can ping 172.168.200.3 very well. All advice is appreciated.

  Thank you very much.

  My configs are as follows:

  PIX HAS

  8.0 (3) version PIX

  !

  PIX - A host name

  activate u18hqwudty78klk9s encrypted password

  names of

  !

  interface Ethernet0

  Speed 100

  full duplex

  nameif outside

  security-level 0

  IP address x.x.x.250 255.255.255.240

  !

  interface Ethernet1

  nameif inside

  security-level 100

  IP 172.168.9.1 255.255.255.0

  !

  uh78mklh78yMs encrypted passwd

  connection of the banner it is a private network. Unauthorized access is prohibited!

  Banner motd this is a private network. Unauthorized access is prohibited!

  passive FTP mode

  clock timezone GMT/UTC 0

  summer time clock GMT/BST recurring 1 Sun Mar 01:00 last Sun Oct 02:00

  DNS domain-lookup outside

  DNS server-group Ext_DNS

  Server name 82.72.6.57

  Server name 63.73.82.242

  the LOCAL_LAN object-group network

  object-network 172.168.9.0 255.255.255.0

  object-network 172.168.88.0 255.255.255.0

  Internet_Services tcp service object-group

  port-object eq www

  area of port-object eq

  EQ object of the https port

  port-object eq ftp

  EQ object of port 8080

  EQ port ssh object

  port-object eq telnet

  the WAN_Network object-group network

  object-network 172.168.200.0 255.255.255.0

  ACLOUT list extended access allowed object-group LOCAL_LAN udp any eq log field

  ACLOUT list extended access allow icmp object-group LOCAL_LAN no matter what paper

  ACLOUT list extended access permitted tcp object-group LOCAL_LAN connect to any object-group Internet_Services

  Access extensive list ip 172.168.88.0 ACLOUT allow 255.255.255.0 172.168.200.0 255.255.255.0 connect

  access-list extended ACLIN all permit icmp any what newspaper echo-reply

  access-list extended ACLIN all permit icmp any how inaccessible journal

  access-list extended ACLIN allowed icmp no matter what newspaper has exceeded the time

  IP 172.168.200.0 allow Access - list extended ACLIN 255.255.255.0 172.168.9.0 255.255.255.0 connect

  standard access list split_tunnel_list allow 172.168.9.0 255.255.255.0

  Access log list split_tunnel_list note LOCAL_LAN

  access-list extended SHEEP allowed ip object-group LOCAL_LAN 172.168.100.0 255.255.255.0 connect

  access extensive list ip 172.168.9.0 inside_nat0_outbound allow 255.255.255.0 172.168.200.0 255.255.255.0 connect

  access extensive list ip 172.168.9.0 outside_cryptomap_20 allow 255.255.255.0 172.168.200.0 255.255.255.0 connect

  pager lines 24

  Enable logging

  logging buffered information

  logging trap information

  host of logging inside the 172.168.88.3

  Outside 1500 MTU

  Within 1500 MTU

  IP local pool testvpn 172.168.100.1 - 192.168.100.99

  no failover

  ICMP unreachable rate-limit 1 burst-size 1

  ASDM image Flash: / pdm

  don't allow no asdm history

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) 0-list of access inside_nat0_outbound

  NAT (inside) 1 0.0.0.0 0.0.0.0

  Access-group ACLIN in interface outside

  ACLOUT access to the interface inside group

  Route outside 0.0.0.0 0.0.0.0 x.x.x.45 1

  Route inside 172.168.88.0 255.255.255.0 172.168.88.254 1

  Route inside 172.168.199.0 255.255.255.0 172.168.199.254 1

  Route outside 172.168.200.0 255.255.255.0 172.168.9.1 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout, uauth 0:05:00 absolute

  dynamic-access-policy-registration DfltAccessPolicy

  Enable http server

  http 172.168.9.1 255.255.255.255 inside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set esp-3des esp-md5-hmac Set_1

  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

  Crypto dynamic-map outside_dyn_map 1 set of transformation-Set_1

  Crypto dynamic-map outside_dyn_map 1 the value reverse-road

  outside_map 1 card crypto ipsec-isakmp dynamic outside_dyn_map

  card crypto outside_map 20 match address outside_cryptomap_20

  card crypto outside_map 20 peers set x.x.x.253

  outside_map crypto 20 card value transform-set ESP-AES-256-SHA

  outside_map interface card crypto outside

  crypto ISAKMP allow outside

  crypto ISAKMP policy 1

  preshared authentication

  3des encryption

  md5 hash

  Group 2

  life 86400

  crypto ISAKMP policy 10

  preshared authentication

  aes-256 encryption

  sha hash

  Group 5

  life 86400

  No encryption isakmp nat-traversal

  Telnet 0.0.0.0 0.0.0.0 inside

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  a basic threat threat detection

  Statistics-list of access threat detection

  NTP server 130.88.203.12 prefer external source

  internal testvpn group policy

  attributes of the strategy of group testvpn

  Split-tunnel-policy tunnelspecified

  value of Split-tunnel-network-list split_tunnel_list

  Viv ZdlkjGlOTGf7dqdb encrypted user name password

  type tunnel-group testvpn remote access

  tunnel-group testvpn General-attributes

  address testvpn pool

  Group Policy - by default-testvpn

  testvpn group of tunnel ipsec-attributes

  pre-shared-key *.

  tunnel-group x.x.x.253 type ipsec-l2l

  x.x.x.253 group of tunnel ipsec-attributes

  pre-shared-key *.

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  inspect the icmp

  !

  global service-policy global_policy

  context of prompt hostname

  Cryptochecksum:bb6ead3350227b3745c14b9ba340b84a

  : end

  B PIX

  8.0 (3) version PIX

  !

  hostname PIX - B

  enable password ul; encrypted jk89A89hNC0Ms

  names of

  !

  interface Ethernet0

  Speed 100

  full duplex

  nameif outside

  security-level 0

  IP address x.x.x.253 255.255.255.240

  !

  interface Ethernet1

  nameif inside

  security-level 100

  IP 172.168.200.1 255.255.255.0

  !

  interface Ethernet2

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  2ljio897hFB.88fU encrypted passwd

  Banner motd this is a private network. Unauthorized access is prohibited!

  passive FTP mode

  DNS domain-lookup outside

  DNS server-group Ext_DNS

  Server name x.x.x.57

  Server name x.x.x.242

  the LOCAL_LAN object-group network

  object-network 172.168.200.0 255.255.255.0

  Internet_Services tcp service object-group

  port-object eq www

  area of port-object eq

  EQ object of the https port

  port-object eq ftp

  EQ object of port 8080

  the WAN_Network object-group network

  networks WAN Description

  object-network 172.168.88.0 255.255.255.0

  ACLOUT list extended access allowed object-group LOCAL_LAN udp any eq field

  ACLOUT list extended access allow icmp object-group LOCAL_LAN all

  ACLOUT list extended access permitted tcp object-group LOCAL_LAN any Internet_Services object-group

  access-list extended ACLIN allow all unreachable icmp

  access-list extended ACLIN permit icmp any one time exceed

  access-list extended ACLIN permit icmp any any echo response

  IP 172.168.88.0 allow Access - list extended ACLIN 255.255.255.0 172.168.200.0 255.255.255.0

  IP 172.168.9.0 allow Access - list extended ACLIN 255.255.255.0 172.168.200.0 255.255.255.0

  IP 172.168.199.0 allow Access - list extended ACLIN 255.255.255.0 172.168.200.0 255.255.255.0

  access extensive list ip 172.168.200.0 inside_nat0_outbound allow 255.255.255.0 172.168.9.0 255.255.255.0

  access extensive list ip 172.168.200.0 outside_cryptomap_20 allow 255.255.255.0 172.168.9.0 255.255.255.0

  pager lines 24

  Enable logging

  monitor debug logging

  debug logging in buffered memory

  logging trap information

  Outside 1500 MTU

  Within 1500 MTU

  no failover

  ICMP unreachable rate-limit 1 burst-size 1

  don't allow no asdm history

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) 0-list of access inside_nat0_outbound

  NAT (inside) 1 0.0.0.0 0.0.0.0

  Access-group ACLIN in interface outside

  ACLOUT access to the interface inside group

  Route outside 0.0.0.0 0.0.0.0 x.x.x.253 1

  Route outside 172.168.88.0 255.255.255.0 172.168.200.1 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout, uauth 0:05:00 absolute

  dynamic-access-policy-registration DfltAccessPolicy

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

  card crypto outside_map 20 match address outside_cryptomap_20

  card crypto outside_map 20 peers set x.x.x.250

  outside_map crypto 20 card value transform-set ESP-AES-256-SHA

  outside_map interface card crypto outside

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  aes-256 encryption

  sha hash

  Group 5

  life 86400

  No encryption isakmp nat-traversal

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  management-access inside

  a basic threat threat detection

  Statistics-list of access threat detection

  tunnel-group x.x.x.250 type ipsec-l2l

  x.x.x.250 Group of tunnel ipsec-attributes

  pre-shared-key *.

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  inspect the icmp

  !

  global service-policy global_policy

  context of prompt hostname

  Cryptochecksum:ccb8392ce529a21c071b85d9afcfdb30

  : end

  3560 G/W

  version 12.2

  no service button

  horodateurs service debug uptime

  Log service timestamps uptime

  no password encryption service

  !

  hostname 3560_GW

  !

  enable secret 5 $1$ cOB4$ Uklj8978/jgWv? TSSP

  !

  No aaa new-model

  mtu 1500 routing system

  IP subnet zero

  IP routing

  !

  !

  !

  !

  No file verify auto

  pvst spanning-tree mode

  spanning tree extend id-system

  !

  internal allocation policy of VLAN ascendant

  !

  interface GigabitEthernet0/1

  !

  interface GigabitEthernet0/2

  uplink Description to Cisco_ASA

  switchport access vlan 9

  !

  interface GigabitEthernet0/3

  !

  interface GigabitEthernet0/4

  !

  interface GigabitEthernet0/5

  !

  interface GigabitEthernet0/6

  !

  interface GigabitEthernet0/7

  !

  interface GigabitEthernet0/8

  !

  interface GigabitEthernet0/9

  !

  interface GigabitEthernet0/10

  !

  interface GigabitEthernet0/11

  !

  interface GigabitEthernet0/12

  !

  interface GigabitEthernet0/13

  !

  interface GigabitEthernet0/14

  !

  interface GigabitEthernet0/15

  !

  interface GigabitEthernet0/6

  !

  interface GigabitEthernet0/7

  !

  interface GigabitEthernet0/8

  !

  interface GigabitEthernet0/9

  !

  interface GigabitEthernet0/10

  !

  interface GigabitEthernet0/11

  !

  interface GigabitEthernet0/12

  !

  interface GigabitEthernet0/13

  !

  interface GigabitEthernet0/14

  !

  interface GigabitEthernet0/15

  !

  interface GigabitEthernet0/16

  !

  interface GigabitEthernet0/17

  !

  interface GigabitEthernet0/18

  !

  interface GigabitEthernet0/19

  !

  interface GigabitEthernet0/20

  !

  interface GigabitEthernet0/21

  !

  interface GigabitEthernet0/22

  !

  interface GigabitEthernet0/23

  switchport access vlan 88

  switchport mode access

  spanning tree portfast

  !

  interface GigabitEthernet0/24

  switchport access vlan 9

  switchport mode access

  spanning tree portfast

  !

  interface GigabitEthernet0/25

  trunk of the description and the port of A_2950_88 1

  switchport trunk encapsulation dot1q

  !

  interface GigabitEthernet0/26

  !

  interface GigabitEthernet0/27

  trunk of the description and the port of A_2950_112 1

  switchport trunk encapsulation dot1q

  Shutdown

  !

  interface GigabitEthernet0/28

  !

  interface Vlan1

  no ip address

  Shutdown

  !

  interface Vlan9

  IP 172.168.9.2 255.255.255.0

  !

  interface Vlan88

  IP 172.168.88.254 255.255.255.0

  !

  interface Vlan199

  IP 172.168.199.254 255.255.255.0

  !

  IP classless

  IP route 0.0.0.0 0.0.0.0 172.168.9.1

  IP route 172.168.88.0 255.255.255.0 172.168.9.1

  IP route 172.168.100.0 255.255.255.0 172.168.9.1

  IP route 172.168.200.0 255.255.255.0 172.168.9.1

  IP http server

  !

  !

  control plan

  !

  Banner motd ^ C is a private network. ^ C

  !

  Line con 0

  line vty 0 4

  opening of session

  line vty 5 15

  opening of session

  !

  end

  Hi Robert,.

  I went through the configuration on both the PIX firewall and see that trafficking is not defined for 172.168.88.0/24-->172.168.200.0/24.

  If you check the card crypto a PIX configuration, it says:

  address for correspondence outside_map 20 card crypto outside_cryptomap_20<--This acl="" defines="" interesting="">

  and the outside_cryptomap_20 of the acl says:

  access extensive list ip 172.168.9.0 outside_cryptomap_20 allow 255.255.255.0 172.168.200.0 255.255.255.0 connect

  Is the same on the PIX B:

  address for correspondence outside_map 20 card crypto outside_cryptomap_20

  access extensive list ip 172.168.200.0 outside_cryptomap_20 allow 255.255.255.0 172.168.9.0 255.255.255.0

  To allow users to talk to each other, apply to these commands:

  On the PIX:

  access extensive list ip 172.168.88.0 outside_cryptomap_20 allow 255.255.255.0 172.168.200.0 255.255.255.0

  access extensive list ip 172.168.88.0 inside_nat0_outbound allow 255.255.255.0 172.168.200.0 255.255.255.0

  and PIX B:

  IP 172.168.200.0 allow access-list extended outside_cryptomap_20 255.255.255.0 172.168.88.0 255.255.255.0

  access extensive list ip 172.168.200.0 inside_nat0_outbound allow 255.255.255.0 172.168.88.0 255.255.255.0

  Let me know if it helps.

  Thank you

  Vishnu Sharma

• Unable to connect to esxi using the vsphere client

  Hello friends,

  I need a little help.

  a 2 5.0 esxi host and a vcenter than VM.

  My laboratory worked well for days, but all of a sudden do not know why I am not able to connect to ESXi hosts with vSphere Client.

  Error: The request failed because the remote server has taken too long to respond.

  Call "ServiceInstance.RetrieveContent" to "ServiceInstance' server '192.168.1.101' object failed.

  Yes, I am able to connect to vCenter server, when it is connected to vCenter and open the console of the virtual computer, nothing shows up, it's a black screen, as if the virtual machine is turned off. It is with all the virtual machines on both hosts.

  1. I thought that it might have to do something with vCenter and I tried connecting to Host individually which I wasn't able to.

  After completing a few KBs on vmware and some articles, I checked the status of the firewall on both hosts. (attached screenshot)

  

  Checked if my computer can talk to esxi host on port 80, 443, 902. all ports are accessible.

  Disabled the Symantec endpoint protection and checked. no positive results.

  Finally, I tried the ESXi web navigation browser host http://ESXi-IP-address which redirects me to HTTPS connection with Certificate error, when I continue with the cert error, loading of the URL guard and the host page doesn't appear as it should.

  This questions are on both hosts. :-(

  You guys can point me in the right direction to solve this problem.

  Thank you.

  Finally things started working now.

  The problem was with the configuration of the workstation's NETWORK adapter.

  The link on the NETWORK adapter speed was set to Auto negotiate (default), but the speed was detected as 100 Mbps instead of 1 Gbps and MTU has been set at 9014 which I defined manually long back.

  Things use to operate in this configuration that I have configured hosts with MTU 9000 and cisco SMB switch default Jumbo.

  the LinkSpeed of 100 Mbps is bugging me, after changing to 1 Gbps (manual setting) the card NETWORK has deactivated, and it reminded me to switch!

  So I put the LinkSpeed Auto negotiation, MTU 9014, stop the two hosts, restart the switch. restarted my computer.

  Since it uses for things were in a normal state.

  Even the question of the console (black screen) disappeared. :-)

• How to remove ESXi host of Distributed Switch

  3 Cluster DRS - 1 x physical, 2 nested nodes in a LAB environment

  I need to downgrade a 6.0 U2 ESXi host and replace it (from ESXi nested in Physics). I am trying to remove the host from a distributed switch, but it seems that I can't do that until I remove it from the Distributed Switch. I can't remove the VMkernel group management ports that prevents me to remove the host from the Distributed Switch. Any suggestions? I guess that I need that migrate to a Standard switch first?

  I am connected to the ESXi host through vSphere Client, migrated the group management to a Standard switch ports, then I was able to clear the host of the distributed switch. I could then remove the host from the Cluster.

• ESXi host running 6 VCSA disconnected from the vCenter

  Hi guys,.

  I have a weird problem with my vCenter build 6. Single cluster of ESXi hosts. Running VCSA 6.0 and 6.0 ESXI. Making a storage of the vCenter vMotion initially got stuck at 77% and the ESXi host running the disconnected from vCenter vCenter. But I can connect directly to the ESXi host with vsphere client and see the vCenter VM works perfectly well. If I try to manually connect host ESXi and vCenter, I get the error "Failed to contact the host specified") both are in the same subnet and VLAN. I can migrate to other virtual machines without problem. I even restarted the host and yet I am not able to connect to vCenter. The host connects to vCenter if I reboot vCenter, but after a few minutes, disconnects again (even if no task does run on this topic.) I have no HA or DRS enabled at this point that I build this new environment and only presented a single LUN as a store of test data to the cluster.

  Any ideas?

  OK, I think I fixed that or have at least a work around. So the underlying question was hiding ID mode/CPU EVC. I'm under the cluster to a level of EVC to reduce until I have migrate workloads from old environment and I think that this created a problem for the unit vCenter. To resolve this problem, I turned off the unit, directly connected to the ESXi host that had the camera running, edited the virtual machine and reset the masking of CPUID. Also, I've hidden the flag NX/XD of the guest. It's temporary (I hope) as once I increase the EVC to the Haswell, I will expose the NX/XD comments and test. For the moment, it is of the workaround I did. It may be of some use to someone.

• As part of the SAR cert is to have a NW separated between ESXi host required for VMotion or is it OK to use IP for VMotion management, in the execution of Certification tests.

  As part of the SAR cert is "have a NW/dedicated separate between hosts ESXi (on which we GOS) mandatory for VMotion or is - OK to use IP for VMotion management in the execution of Certification tests.»

  Note that the verification passed Test when you use management IP for Vmotion and without a dedicated connection to NW between ESXi hosts.

  Separate dedicated network interface cards preferred. No problem with the test after this change case.

• If a PC with a DHCP server is connected via VPN, with her serve IP addresses on the tunnel?

  Situation: we have a few portable computers test Ubuntu running DHCP servers.  We need get the updates and other changes in corporate network sometimes.  Today, we turn off the DHCP server, set up to get an IP via DHCP (besides) and make our updates.

  Problem: we do not want someone accidentally connect the laptop to the corporate network, while its DHCP server is running.

  Question: so, if we go via wifi using a Cisco VPN client, the DHCP server IP addresses above the tunnel?

  Thanks for reading.

  N ° DHCP uses layer 2 broadcasts to disseminate IP addresses.  Because your clients are connected via VPN, there is no contiguity of layer 2.  The only way he would accidentally do it is if you have configured an address to support IP dhcp as one of your VPN clients on the network, which I imagine you wouldn't.

• Help blocking smart devices of via VPN

  Hello

  I am looking for a solution block smart devices to connect to our network via VPN. Our VPN solution today is ASA5520, and we use Cisco ACS to authenticate the user. We use Cisco VPN client only, no anyconnect or SSL VPN.

  Managment is looking for a way that we can stop the smart devices of using VPN clients to connect and allow only desktop computers laptops to connect.

  Someone at - there a way we can do this through association or another method?

  Worring - I block iPhones & iPad around my overall networkwith 100% accuracy with a few simple lines of config: -.

  Group Policy <> attributes

  client-access-rule 1 deny version of type 'iPhone OS. "

  2-client-access rule allow type * version *.

  As it actually works on the OS - not the version of the Cisco VPN Client device.