Filtering of VPN and local access to the remote site
Hello
I set up VPN filtering on all my L2L VPNs. I have limited access to remote resources at the local level to the specified ports. It works perfectly.
But I want to have full access from local to remote networks (while still keeping the restriction on remote access to the local level). The VPN filter currently works two-way, like a simple ACL. So is it possible to open all traffic from local to remote while still limiting remote to local traffic?
ASA 5520 8.4(3)
Thanks in advance
Tomasz Mowinski
Hello
Well, let's say you have a filter ACL rule that allows HTTP traffic from the local network to the remote host:
LAN: 10.10.10.0/24
Remote host: 192.168.10.10/32
The filter ACL rule is the following:
access-list FILTER-ACL extended permit tcp host 192.168.10.10 eq 80 10.10.10.0 255.255.255.0
I think this ACL rule would also mean that as long as the remote host uses source port TCP/80, it may access any TCP port on any host in your local network.
I guess you could add some port ranges or even service object-groups to the ACL rules so that not all the well-known ports would be accessible on the LAN. But I guess that could complicate the configuration.
We usually manage customer L2L VPNs on a completely different ASA, which lets us filter all the traffic on another device, so we don't run into this kind of problem. But of course there are some situations/networks where this is not possible, and it is not a feasible option for some because of the cost of an extra ASA.
Please let me know if you found any of this useful.
-Jouni
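As an added example (not code from the thread), a small Python model of how an ASA vpn-filter ACL is evaluated in both directions, run over the ACE from the reply above. It assumes a simplified ACE grammar (numeric ports only, no object-groups, no stateful tracking) and shows that the broad ACE also permits a connection initiated by the remote host from source port 80 to any LAN port, while a version narrowed to ephemeral destination ports (an assumed narrowing, not from the thread) keeps the intended LAN-to-web flow and blocks that side effect.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """First packet of a new connection, as seen by the vpn-filter."""
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' and return an ip_network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def _parse_ports(tokens):
    """Consume an optional numeric 'eq N' or 'range A B'; default is all ports."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        port = int(tokens.pop(0))
        return port, port
    if tokens and tokens[0] == "range":
        tokens.pop(0)
        return int(tokens.pop(0)), int(tokens.pop(0))
    return 0, 65535


def parse_ace(line):
    """Parse 'access-list NAME extended {permit|deny} PROTO SRC [ports] DST [ports]'.
    Only numeric ports are supported (an assumption of this model)."""
    tokens = line.split()
    idx = next(i for i, t in enumerate(tokens) if t in ("permit", "deny"))
    action, proto = tokens[idx], tokens[idx + 1]
    rest = tokens[idx + 2:]
    src = _parse_addr(rest)
    sports = _parse_ports(rest)
    dst = _parse_addr(rest)
    dports = _parse_ports(rest)
    return action, proto, src, sports, dst, dports


def _ace_matches(ace, flow):
    _, proto, src, (slo, shi), dst, (dlo, dhi) = ace
    if proto != "ip" and proto != flow.proto:
        return False
    return (ipaddress.ip_address(flow.src) in src and slo <= flow.sport <= shi
            and ipaddress.ip_address(flow.dst) in dst and dlo <= flow.dport <= dhi)


def vpn_filter_permits(acl, flow, remote_to_local):
    """ASA vpn-filter semantics, simplified: the ACL is written with the remote
    (tunnel) side as source and the local side as destination. Traffic arriving
    from the tunnel is matched as written; traffic leaving towards the tunnel is
    matched with source and destination swapped, so one ACE governs both
    directions. First match wins and there is an implicit deny at the end."""
    probe = flow if remote_to_local else Flow(
        flow.proto, flow.dst, flow.dport, flow.src, flow.sport)
    for ace in acl:
        if _ace_matches(ace, probe):
            return ace[0] == "permit"
    return False


# The ACE from the reply above (remote host 192.168.10.10, LAN 10.10.10.0/24).
BROAD = [parse_ace(
    "access-list FILTER-ACL extended permit tcp host 192.168.10.10 eq 80 "
    "10.10.10.0 255.255.255.0")]

# Same intent, but the LAN side is limited to ephemeral destination ports, so a
# connection initiated by the remote host from source port 80 can no longer
# reach well-known services on the LAN. (Assumed narrowing; not from the thread.)
NARROWED = [parse_ace(
    "access-list FILTER-ACL extended permit tcp host 192.168.10.10 eq 80 "
    "10.10.10.0 255.255.255.0 range 1024 65535")]

# Constructed sample flows.
INTENDED = Flow("tcp", "10.10.10.25", 51000, "192.168.10.10", 80)  # LAN -> remote web
SIDE_EFFECT = Flow("tcp", "192.168.10.10", 80, "10.10.10.25", 22)  # remote:80 -> LAN ssh


def evaluate(acl):
    """Return (intended_flow_permitted, side_effect_flow_permitted) for an ACL."""
    return (vpn_filter_permits(acl, INTENDED, remote_to_local=False),
            vpn_filter_permits(acl, SIDE_EFFECT, remote_to_local=True))


if __name__ == "__main__":
    print("broad   :", evaluate(BROAD))     # (True, True)
    print("narrowed:", evaluate(NARROWED))  # (True, False)
```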
Tags: Cisco Security
Similar Questions
-
Terminating PIX VPN clients and Internet access on the same interface
Hello
Remote VPN users connect to the PIX (7.2) outside interface, but these clients also need to access the Internet through the PIX outside interface. This is needed because the PIX IP is registered and allowed to access some electronic libraries. One way would be to set up a proxy inside the network and have VPN users access the Internet through the proxy, but can it be done without a proxy?
Yes, public internet on a stick.
-
Hello
I'm trying to solve a problem with the VPN, and I hope someone can give me a helping hand.
We have 3 offices, each with an ASA 5505 as the router/firewall, connected to a cable modem:
(NC Office) <----IPSEC----->(PA Office) <----IPSEC----->(CT Office)
Internally, we have a full mesh VPN, so all offices can talk to each other directly.
I have people at home using remote access VPN into the PA office, and I need them to be able to connect to the two other offices from there.
I was able to get it working for the CT office, but I can't seem to get it working for the NC office. (That is, users can remote access VPN into the PA office and access resources in the PA and CT offices, but they can't get to the NC office.)
Could someone take a look at these 2 configs and let me know if I'm missing something? I am new to this, so some of these configs don't have the best naming conventions, but I'm getting there.
PA OFFICE
Output of the command: "show run".
: Saved
:
ASA Version 8.2(5)
!
hostname WayneASA
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 70.91.18.205 255.255.255.252
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 75.75.75.75
 name-server 75.75.76.76
 domain-name 3gtms.com
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list inside_access_in extended permit ip any any
access-list IPSec_Access extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list IPSec_Access extended permit ip 192.168.10.0 255.255.255.224 192.168.2.0 255.255.255.0
access-list IPSec_Access extended permit ip 192.168.10.0 255.255.255.224 192.168.5.0 255.255.255.0
access-list inside_nat0 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.224
access-list inside_nat0 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0 extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list TunnelSplit1 standard permit 192.168.10.0 255.255.255.224
access-list TunnelSplit1 standard permit 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list RemoteTunnel_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list RemoteTunnel_splitTunnelAcl_1 standard permit 192.168.1.0 255.255.255.0
access-list RemoteTunnel_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0
access-list RemoteTunnel_splitTunnelAcl_1 standard permit 192.168.5.0 255.255.255.0
access-list out_access_in extended permit udp any host 70.91.18.205 eq sip
access-list out_access_in extended permit tcp any host 70.91.18.205 eq 5000
access-list out_access_in extended permit udp any host 70.91.18.205 range 9000 9049
access-list out_access_in extended permit tcp any host 70.91.18.205 eq sip
access-list out_access_in extended permit object-group TCPUDP any host 70.91.18.205 eq 5090
access-list out_access_in extended permit udp any host 70.91.18.205 eq 5000
access-list outside-nat0 remark NAT0 for VPNPool to Remote Sites
access-list outside-nat0 extended permit ip 192.168.10.0 255.255.255.224 192.168.2.0 255.255.255.0
access-list outside-nat0 extended permit ip 192.168.10.0 255.255.255.224 192.168.5.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNPool 192.168.10.1-192.168.10.30 mask 255.255.255.224
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list outside-nat0
access-group inside_access_in in interface inside
access-group out_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 70.91.18.206 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set VPNTransformSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map IPSec_map 1 match address IPSec_Access
crypto map IPSec_map 1 set peer 50.199.234.229
crypto map IPSec_map 1 set transform-set VPNTransformSet
crypto map IPSec_map 2 match address outside_2_cryptomap
crypto map IPSec_map 2 set pfs group1
crypto map IPSec_map 2 set peer 98.101.139.210
crypto map IPSec_map 2 set transform-set VPNTransformSet
crypto map IPSec_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map IPSec_map interface outside
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 50.199.234.229
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.199 inside
dhcpd dns 75.75.75.75 75.75.76.76 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy RemoteTunnel internal
group-policy RemoteTunnel attributes
 dns-server value 75.75.75.75 75.75.76.76
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemoteTunnel_splitTunnelAcl_1
username dfavier password vUA99P1dT3fvnDZy encrypted
username dfavier attributes
 service-type remote-access
username rduske password vu0Zdx0n3oZWFSaX encrypted
username rduske attributes
 service-type remote-access
username eric password 0vcSd5J/TLsFy7nU encrypted privilege 15
username lestofts password URsSXKLozQMSeCBk encrypted
username lestofts attributes
 service-type remote-access
username jpwiggins password 3WyoRxmI6LZjGHZE encrypted
username jpwiggins attributes
 service-type remote-access
username tomleonard password cQXk0RJCBtxyzZ4K encrypted
username tomleonard attributes
 service-type remote-access
username algobel password 4AjIefFXCbu7.T9v encrypted
username algobel attributes
 service-type remote-access
tunnel-group RemoteTunnel type remote-access
tunnel-group RemoteTunnel general-attributes
 address-pool VPNPool
 default-group-policy RemoteTunnel
tunnel-group RemoteTunnel ipsec-attributes
 pre-shared-key *
tunnel-group 50.199.234.229 type ipsec-l2l
tunnel-group 50.199.234.229 ipsec-attributes
 pre-shared-key *
tunnel-group 98.101.139.210 type ipsec-l2l
tunnel-group 98.101.139.210 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:6d1ffe8d570d467e1ea6fd60e9457ba1
: end
CT OFFICE
Output of the command: "show run".
: Saved
:
ASA Version 8.2(5)
!
hostname RaleighASA
enable password Ml95GJgphVRqpdJ7 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 98.101.139.210 255.0.0.0
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 24.25.5.60
 name-server 24.25.5.61
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list Wayne_Access extended permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Wayne_Access extended permit ip 192.168.5.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list Shelton_Access extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list out_access_in extended permit tcp any host 98.101.139.210 eq www
access-list out_access_in extended permit tcp any host 98.101.139.210 eq ftp
access-list out_access_in extended permit udp any host 98.101.139.210 eq tftp
access-list out_access_in extended permit udp any host 98.101.139.210 eq sip
access-list out_access_in extended permit tcp any host 98.101.139.210 eq 5090
access-list out_access_in extended permit tcp any host 98.101.139.210 eq 2001
access-list out_access_in extended permit tcp any host 98.101.139.210 eq 5080
access-list out_access_in extended permit tcp any host 98.101.139.210 eq ssh
access-list out_access_in extended permit tcp any host 98.101.139.210 eq 81
access-list out_access_in extended permit tcp any host 98.101.139.210 eq 56774
access-list out_access_in extended permit tcp any host 98.101.139.210 eq 5000
access-list out_access_in extended permit tcp any host 98.101.139.210 eq 902
access-list out_access_in extended permit tcp any host 98.101.139.210 eq netbios-ssn
access-list out_access_in extended permit tcp any host 98.101.139.210 eq 445
access-list out_access_in extended permit tcp any host 98.101.139.210 eq https
access-list out_access_in extended permit object-group TCPUDP any host 98.101.139.210 eq 3389
access-list out_access_in extended permit object-group TCPUDP any host 98.101.139.210 range 5480 5487
access-list out_access_in extended permit udp any host 98.101.139.210 range 9000 9050
access-list inside_nat0 extended permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0 extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0 extended permit ip 192.168.5.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group out_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 98.101.139.209 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set WayneTransform esp-3des esp-md5-hmac
crypto ipsec transform-set SheltonTransform esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map IPSec_map 1 match address Wayne_Access
crypto map IPSec_map 1 set pfs group1
crypto map IPSec_map 1 set peer 70.91.18.205
crypto map IPSec_map 1 set transform-set WayneTransform
crypto map IPSec_map 2 match address Shelton_Access
crypto map IPSec_map 2 set pfs group1
crypto map IPSec_map 2 set peer 50.199.234.229
crypto map IPSec_map 2 set transform-set SheltonTransform
crypto map IPSec_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.5.100-192.168.5.199 inside
dhcpd dns 24.25.5.60 24.25.5.61 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username eric password 0vcSd5J/TLsFy7nU encrypted privilege 15
tunnel-group 50.199.234.229 type ipsec-l2l
tunnel-group 50.199.234.229 ipsec-attributes
 pre-shared-key *
tunnel-group 70.91.18.205 type ipsec-l2l
tunnel-group 70.91.18.205 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:3d770ba9647ffdc22b3637e1e5b9a955
: end
Hello
I might have found the problem.
To be honest, I'm a little tired and concentrating is difficult, especially when going through multiple device configurations. So a second pair of eyes might be in order.
At the moment it seems to me that this configuration on the PA SITE is the problem:
access-list IPSec_Access extended permit ip 192.168.10.0 255.255.255.224 192.168.5.0 255.255.255.0
This is an ACL that defines the local and remote networks for an L2L VPN connection.
Now, when we look at which L2L VPN connection this belongs to, we see the following:
crypto map IPSec_map 1 match address IPSec_Access
crypto map IPSec_map 1 set peer 50.199.234.229
crypto map IPSec_map 1 set transform-set VPNTransformSet
Now, we see that the peer IP address is 50.199.234.229. Which site is this? The IP address of the CT site that works correctly?
What the ACL line I mentioned earlier basically says is that when the network 192.168.10.0 255.255.255.224 wants to connect to the network 192.168.5.0/24, the traffic should be sent to the CT site. And of course this should not be the case, as we want the traffic to go to the NC site.
Also worth noting is that on the PA SITE the above connection is configured with priority '1', so it gets compared first for a connection. If the L2L VPN configurations were in a different order, the VPN client connection might actually work. But that's just something I wanted to point out. The actual resolution of the problem, of course, is to remove the configuration that is the real cause of the problem, where the ASA attempts to route traffic to a completely wrong place.
So can you remove this ACL line from the PA ASA:
no access-list IPSec_Access extended permit ip 192.168.10.0 255.255.255.224 192.168.5.0 255.255.255.0
Then test the VPN client connection to the NC SITE again.
Hope that this will finally be the solution.
-Jouni
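As an added example (not code from the thread), a Python model of first-match crypto map selection on the PA ASA, built from the crypto ACLs and static crypto map entries quoted above; the dynamic entry 65535 is left out because it only answers incoming negotiations. It shows why a VPN-pool address reaching 192.168.5.0/24 is claimed by sequence 1 (peer 50.199.234.229) while LAN traffic to the same network is claimed by sequence 2 (peer 98.101.139.210), and also that, once the ACE is removed, no static entry in the quoted PA config matches the pool-to-192.168.5.0/24 flow at all, which is worth checking before testing the client again.

```python
import ipaddress

# Crypto ACLs of the PA ASA as quoted in the thread, as (source, destination)
# network pairs written with the ASA's own netmasks.
PA_ACLS = {
    "IPSec_Access": [
        ("192.168.1.0/255.255.255.0", "192.168.2.0/255.255.255.0"),
        ("192.168.10.0/255.255.255.224", "192.168.2.0/255.255.255.0"),
        ("192.168.10.0/255.255.255.224", "192.168.5.0/255.255.255.0"),  # ACE the reply removes
    ],
    "outside_2_cryptomap": [
        ("192.168.1.0/255.255.255.0", "192.168.5.0/255.255.255.0"),
    ],
}

# Static crypto map entries of the PA ASA: (sequence, match-address ACL, peer).
PA_CRYPTO_MAP = [
    (1, "IPSec_Access", "50.199.234.229"),
    (2, "outside_2_cryptomap", "98.101.139.210"),
]

OFFENDING_ACE = ("192.168.10.0/255.255.255.224", "192.168.5.0/255.255.255.0")


def select_crypto_entry(crypto_map, acls, src, dst):
    """Return (sequence, peer) of the lowest-sequence static entry whose crypto
    ACL permits src -> dst, or None when no static entry claims the flow.
    A crypto map is walked in sequence order and the first matching ACE decides
    the peer, regardless of whether a later entry was meant for that destination."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, acl_name, peer in sorted(crypto_map):
        for src_net, dst_net in acls[acl_name]:
            if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
                return seq, peer
    return None


def without_ace(acls, acl_name, ace):
    """Copy of the ACL set with one ACE removed (the 'no access-list ...' step)."""
    new = {name: list(aces) for name, aces in acls.items()}
    new[acl_name].remove(ace)
    return new


def report(acls):
    """Which peer the PA ASA selects for two constructed sample flows towards the
    192.168.5.0/24 site: one from the LAN, one from the VPN client pool."""
    return {
        "lan_to_5": select_crypto_entry(PA_CRYPTO_MAP, acls, "192.168.1.10", "192.168.5.20"),
        "pool_to_5": select_crypto_entry(PA_CRYPTO_MAP, acls, "192.168.10.5", "192.168.5.20"),
    }


if __name__ == "__main__":
    print("as posted  :", report(PA_ACLS))
    print("ACE removed:", report(without_ace(PA_ACLS, "IPSec_Access", OFFENDING_ACE)))
```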
-
PIX - ASA, allow RA VPN clients to access servers at remote sites
I have had L2L tunnels set up to a couple of remote sites (PIX) for several months now. We have a VPN concentrator which will go EOL soon, so I'm working on moving our existing RA customers to our ASA. I have a problem allowing RA clients access to a server at one of our remote sites. The relevant PIX and ASA (main site) config is shown below. The error I get on the remote PIX when trying a ping from the VPN client is:
Group = 204.14.*.*, IP = 204.14.*.*, Static Crypto Map check, map = outside_map, seq = 40, ACL does not match proxy IDs src:172.16.200.0 dst:172.16.26.0
The config:
Main ASA config
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.22.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.200.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.255.0 172.16.200.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.0.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.1.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.22.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.200.0 255.255.255.0 172.16.26.0 255.255.255.0
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer 24.97.*.*
crypto map outside_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
=========================================
Remote PIX config
access-list inside_nat0_outbound extended permit ip 172.16.26.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.26.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.26.0 255.255.255.0 172.16.22.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.26.0 255.255.255.0 172.16.200.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.26.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.26.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.26.0 255.255.255.0 172.16.22.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 172.16.26.0 255.255.255.0 172.16.200.0 255.255.255.0
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer 204.14.*.*
crypto map outside_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
EDIT: Guess I might add, the remote site is 172.16.26.0/24 and the VPN VLAN is 172.16.200.0/24...
What you want to do is 'tunnelall', which is not split tunneling. This will still allow clients to reach the main and remote sites, but will not allow them to access the internet... unless you have expressly allowed it with a 'nat (outside)' or something. Your route on the client will be: Secured route 0.0.0.0 0.0.0.0
group-policy <policy-name> attributes
 split-tunnel-policy tunnelall
With your current config, I don't see where the 'walton' ACL is assigned to a split tunnel?
-
Dreamweaver CS5 on a PC with Windows 7 will not access (or sign in to) my remote FTP server or the one Adobe provides. Dreamweaver CS4 on the same machine will. I exported the site information from CS4 and imported it into CS5, and also tried setting up a new site in CS5, all with no success. It's probably not a firewall problem for access to the site, since CS4 works very well.
> It's probably not a firewall problem for access to the site, since CS4 works very well.
CS4 and CS5 are two different applications and have different firewall rules, right? Have you checked the firewall?
-
Website is updated online, but the remote site pane doesn't seem to update?
I use Dreamweaver 8.
I am updating a website I created initially. I did this over the summer with success, until I did a major synchronization in order to clean out some really old files and make the site easier to manage for everyone. The sync seemed fine, but went wrong in the end and I ended up with an 'old' mainwebsite file and a 'new' mainwebsite file. I then synced again and it deleted the 'old' main site file (which is what I wanted to do).
Now, when I make updates and put them on the remote site... they do not appear online. They do update the "remote" side of the files panel.
I tried removing the site and then re-getting the whole thing as if I had never been in, but it is still not published on the web.
When I "re-got" the site, it came back with the old main site file, so I'm not sure what the SEO field is. Could the old site file be hiding somewhere on the FTP?
Any ideas I could try?
Sorry if I haven't worded this correctly, I am new to Dreamweaver and use this site to learn the basics. Thanks in advance!
You need to be sure the site definitions are set up properly; if either the local or the remote one is wrong, you will have the problems you are having.
http://TV.Adobe.com/#VI+f1592v1760 Watch this video for a better explanation than I can give.
Brad Lawryk
Adobe Dreamweaver Community Expert
Northern British Columbia Adobe User Group, Adobe User Group Manager
-
Why can't I preview the changes in a browser before putting them live on the remote site?
Help, please! I have inherited a website for editing and can't seem to get a preview of my changes without them going live first. When I click on 'Live', the program hangs and I have to reopen it. When I click on 'Preview in browser' it asks me whether to save the file or not and puts it on the remote site as well. I'm not particularly web savvy and am learning as I go. I use CS6 on a MacBook with OS X Yosemite.
Is your test server (MAMP) running? If it isn't, you must start it.
Nancy O.
-
SUN grant writing back and allows access to the GL
Hello
SUN grant writing back and allows access to the GL
Sravan
If ODI can do it, then you can generally assume that SUN will not.
It seems that everyone forgets to press the helpful/correct buttons these days.
Cheers
John
http://John-Goodwin.blogspot.com/
-
Redirect Internet traffic from the remote site to the main site using the IPsec VPN tunnel
Hi all
I have a problem redirecting internet traffic from my remote site to the main site through the IPSEC VPN tunnel. The remote site is a Cisco 2801 router with IOS (c2800nm-advipservicesk9-mz.124-22.T) and the remote site has IOS (C870-ADVSECURITYK9-M, Version 12.4(15)T12, RELEASE SOFTWARE (fc3)). This redirect does not work, and the last hop in an extended traceroute from the remote site is the WAN IP of the main site.
Is there someone who can help me with the right settings for this redirection via VPN?
The remote site config file:
crypto isakmp policy 8
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key dgsn2010 address 41.223.X.X
!
!
crypto ipsec transform-set vpn esp-3des
!
crypto map vpndgsn 10 ipsec-isakmp
 description to HQ
 set peer 41.223.X.X
 set transform-set vpn
 match address VPNHQ
!
interface FastEthernet0
 ip address 41.223.X.X 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 ip tcp adjust-mss 1300
 duplex auto
 speed auto
 crypto map vpndgsn
!
interface FastEthernet4
 ip address 192.168.11.1 255.255.255.0
 ip nat inside
 no ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 41.223.X.X
ip access-list extended VPNHQ
 permit ip 192.168.11.0 0.0.0.255 any
!
The main site config file:
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key dgsn2010 address 41.223.X.X
!
!
crypto ipsec transform-set vpn esp-3des
!
crypto map vpncreo 10 ipsec-isakmp
 description TO bastos
 set peer 41.205.X.X
 set transform-set vpn
 match address 110
!
interface FastEthernet0/0
 description WAN
 ip address 41.223.X.X 255.255.255.240
 ip nat outside
 ip tcp adjust-mss 1492
 crypto map vpncreo
!
interface FastEthernet0/1
 description LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
ip nat inside source list NAT interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 41.223.31.241
access-list 110 permit ip any 192.168.11.0 0.0.0.255
ip access-list extended NAT
 deny   ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
 permit ip 192.168.11.0 0.0.0.255 any
!
You must configure policy-based routing so that NAT can be invoked on the main site.
Here is an example configuration for your reference:
Additionally, make sure that you don't do any NATing at your remote end, i.e. you must configure NAT exemption for all traffic from 192.168.11.0/24 to any (Internet).
Hope that helps.
-
Extend a production VLAN behind an ASA5510 to a remote site and a 2821
I have an ASA 5510 and want to extend one of the subnets behind this ASA out to my house, which has a cable modem, a wireless switch/router, and behind that a 2821 router. I have read that L2TP may be the way to go, but can't find config examples. Once again, I'd like to extend and nail up a permanent connection of one of the VLANs in the production network to the bottom of my house using my cable modem and the 2821. Configuration examples would be very much appreciated! In addition, any recommendations for the IOS on the 2821 would be appreciated. Finally, is L2TP the way I need to go? I have attached a very basic Visio diagram of what I'm trying to do. Thank you, john
You need L2TPv3.
The ASA does not support it but will pass L2TPv3 through.
At work, you will need to add another router. L3 switches do not support it.
The configuration on a router would be:
pseudowire-class test
 encapsulation l2tpv3
 ip local interface Loopback0
(this will be the source of the tunnel; you can use any interface with an IP address that the remote xconnect can reach)
!
interface FastEthernet0/0.30
(do not put an IP address here)
 encapsulation dot1Q 30
 xconnect X.X.X.X 1000 pw-class test
X.X.X.X is the IP of the remote router's interface, the one used as "ip local interface" in the remote configuration.
Make sure that 1000 (the VC ID) matches on both sides.
-
Adobe Flash Player 11.0 blocks access to web site home pages
Why is Adobe Flash Player 11.0 allowed to block access to web site home pages until their trash is installed? They should be prosecuted as punishment for the time lost by Internet users, who spend countless hours trying to fix their garbage, which takes control of the web and blocks PCs from accessing their program settings unless it is done according to their specific updates. Do THEY OWN THE INTERNET and everything on it, or what?
Are you sure it blocked it, or does the web page require Flash Player to view it?
Most web pages require an element of Adobe Flash Player.
First of all, try to enable Active Scripting in Internet Options, Security tab, Trusted Sites zone.
You should also check for a corrupted add-on.
Click Start, type: Internet Options
Press Enter
Select the "Advanced" tab
Under Reset Internet Explorer settings, click "Reset".
This should restore the Internet Explorer default settings.
Then reinstall Flash Player
http://get.Adobe.com/flashplayer/
----------
Flash Player
Troubleshoot installation of Flash Player for Windows
http://kb2.Adobe.com/CPS/191/tn_19166.html
Troubleshooting player stability and performance
http://blogs.Adobe.com/JD/2010/02/troubleshooting_player_stabili.html
Uninstaller
http://kb2.Adobe.com/CPS/141/tn_14157.html
Flash Player Support Forum
-
If the script is running locally do this, if remote do that
Hi all
I need some advice on the best way to do this; I don't know if it even needs logic like that, I may be overthinking it.
First, a bit of background:
I have a ClipBucket 2.6 site. It works very well on the remote host. When I install it with XAMPP on my personal computer, errors are raised:
Call to undefined method ADODB_mysql::select()
Now, I found a fix for this on their site; it is to change a line in the code:
require 'adodb/adodb.inc.php';
to something that will reference the file correctly in a local environment. Some people suggest
require '/FULL PATH TO/adodb/adodb.inc.php';
but this does not work for me; I get an error about not being able to find the file. It turns out that this works only on WAMP or XAMPP; I use XAMPP.
This is what works on my local XAMPP test server:
require 'C:\xampp\htdocs\videoz\includes\adodb\adodb.inc.php';
NOW MY QUESTION:
require 'C:\xampp\htdocs\videoz\includes\adodb\adodb.inc.php';
will not work on the remote host to reference the file correctly.
How can I write logic to decide whether a script is running locally or remotely and include a file path accordingly?
Check if the file exists?
The server root?
Suggestions?
Ideas?
Is this even the right way to go about this? I can't find a way to structure the include to work with both; I've stopped using variables in the include statements (whatever that's called), ha.
Any suggestions on how to do this effectively and, above all, safely?
Thanks a ton for your attention!
You can do something like this:
if ($_SERVER['SERVER_NAME'] == 'mylittlehost') {
    // do this
} else {
    // do that
}
... and yes, to answer your question, it's a good way to go about it.
Another way is to have an include with a set of functions, etc., which is for your local site, and an include of the same name which contains comparable functions for the remote site, but the day may come when you accidentally upload your local version to the remote host, causing the remote site to break.
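A defender's note on the host-name check above: on a default Apache (UseCanonicalName Off), $_SERVER['SERVER_NAME'] is filled from the client's Host header, so a visitor can influence which branch runs. The added example below (not code from the thread or from ClipBucket) resolves the adodb include from server-side facts instead; the ADODB_DIR variable, the APP_ENV value and the directory layout are assumptions.

```php
<?php
// Added example: choose the adodb include path without trusting request data.
// Paths relative to __DIR__ work unchanged on XAMPP and on the remote host,
// so no "am I local?" test is needed just to locate the file.

function resolveAdodbPath(): string
{
    // 1. Explicit override through a real environment variable set by the
    //    server config (e.g. SetEnv in the vhost). ADODB_DIR is an assumption.
    $override = getenv('ADODB_DIR');
    if ($override !== false && is_file($override . '/adodb.inc.php')) {
        return realpath($override . '/adodb.inc.php');
    }

    // 2. Fixed candidate locations relative to this file (constructed layout).
    $candidates = [
        __DIR__ . '/adodb/adodb.inc.php',
        __DIR__ . '/includes/adodb/adodb.inc.php',
    ];
    foreach ($candidates as $path) {
        if (is_file($path)) {
            return realpath($path);
        }
    }
    throw new RuntimeException('adodb.inc.php not found; set ADODB_DIR');
}

function isLocalDev(): bool
{
    // APP_ENV comes from the server configuration, never from the visitor.
    // Use this for behaviour switches (debug output, test DB), not for paths.
    return getenv('APP_ENV') === 'local';   // value 'local' is an assumption
}

// Never let GET/POST/cookie/Host data pick the file: the whitelist above plus
// realpath() keeps the include inside the application tree.
require_once resolveAdodbPath();

if (isLocalDev()) {
    ini_set('display_errors', '1');   // verbose only on the developer machine
}
```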
-
Logging in to the admin of the remote site redirects to localhost on the local server.
This is certainly new to me. I created a WordPress site locally and then uploaded it to the remote server. For some reason, when I log in I get redirected to localhost and the version installed locally in XAMPP. I tried clearing the cache in Firefox, but nothing helped. When Apache and MySQL are disabled in the XAMPP Control Panel, it still tries to redirect to the local server and I get the error "problem loading page".
Also, strangely, when I disable XAMPP the CSS for the site on the REMOTE server is not displayed! Any ideas short of wiping it and starting over? I can't even get into the site admin to change the password.
Fixed. I had to manually change the siteurl value in the options table in the remote database. Thank God...
-
Error at step 7, creating the WebCenter and Content schemas using RCU
Hi all
I am installing WebCenter Portal using JSK, but the process fails when it tries to create the schemas using RCU; it shows "Timeout when connecting to the database. The current timeout value is 30 seconds." UCR-6090: skipping main operation: connection validation step failed.
This is the content of install_setup.log:
Thu Aug 14 10:12:32 CLT 2014: END STEP 6 22: Configurion of the database Instance
Thu Aug 14 10:12:32 CLT 2014: START STEP 7 22: creation of the WebCenter and patterns content using the remote control. Estimated time is 1 minute. Please wait..
localhost.localdomain:1521:ORCL
Installation of patterns Begin spaces
Please enter the password(User:sys) of the database:
Processing of command line...
Timeout connecting to the database. Current timeout value is 30 seconds.
UCR-6090: jump main operation: validation step connection failure
And the rcu.log
14-08-2014 10:14:38.925 NOTIFICATION rcu: oracle.sysman.assistants.rcu.backend.RCUCommandLineParser::process: processing command line...
14-08-2014 10:14:38.927 NOTIFICATION rcu: oracle.sysman.assistants.rcu.backend.SilentRCUModel::performOperation: from validations...
14-08-2014 10:14:38.934 NOTIFICATION rcu: oracle.sysman.assistants.common.dbutil.jdbc.JDBCEngine::connect: the connection to the database: user: sys, role: sysdba, connectString: (description = (address = (host = localhost.localdomain)(protocol=tcp) (port = 1521)) (connect_data = (service_name = ORCL) (server = dedicated)))
14-08-2014 10:15:39.250 rcu ERROR: oracle.sysman.assistants.rcu.backend.validation.StepValidator::isConnectionStepValidated: unable to connect to database: timeout when connecting to the database. Current timeout value is 30 seconds.
14-08-2014 10:15:39.250 NOTIFICATION rcu: oracle.sysman.assistants.common.dbutil.jdbc.JDBCEngine::connect: the connection to the database: user: sys, role: sysdba, connectString: (description = (address = (host = localhost.localdomain)(protocol=tcp) (port = 1521)) (connect_data = (sid = ORCL) (server = dedicated)))
14-08-2014 10:16:39.192 NOTIFICATION rcu: oracle.sysman.assistants.common.util.SilentMessageHandler::writeToLog: timeout when connecting to the database. Current timeout value is 30 seconds.
14-08-2014 10:16:39.192 rcu ERROR: oracle.sysman.assistants.rcu.backend.validation.StepValidator::isConnectionStepValidated: SQLFatalErrorException:
oracle.sysman.assistants.common.dbutil.SQLFatalErrorException: timeout when connecting to the database. Current timeout value is 30 seconds.
at oracle.sysman.assistants.common.dbutil.jdbc.JDBCEngine.connect(JDBCEngine.java:585)
at oracle.sysman.assistants.rcu.backend.validation.StepValidator.connectDatabase(StepValidator.java:358)
at oracle.sysman.assistants.rcu.backend.validation.StepValidator.connectDatabase(StepValidator.java:253)
at oracle.sysman.assistants.rcu.backend.validation.StepValidator.isConnectionStepValidated(StepValidator.java:1366)
at oracle.sysman.assistants.rcu.backend.SilentRCUModel.performOperation(SilentRCUModel.java:140)
at oracle.sysman.assistants.rcu.backend.RCUModel.startOperation(RCUModel.java:346)
at oracle.sysman.assistants.rcu.Rcu.execute(Rcu.java:339)
at oracle.sysman.assistants.rcu.Rcu.main(Rcu.java:363)
2014-08-14 10:16:39.193 rcu ERROR: oracle.sysman.assistants.rcu.backend.SilentRCUModel::performOperation: UCR-6090: operation hand jump: validation step connection failure
2014-08-14 10:16:39.193 NOTIFICATION rcu: oracle.sysman.assistants.common.util.SilentMessageHandler::writeToLog: UCR-6090: operation hand jump: validation step connection failure
Any suggestions?
Best regards!
Hello
(1) Do you see any error on the Setup screen? If yes, please upload a screenshot.
(2) RCU is failing because it is not able to connect to the database. Please make sure that you have entered the correct database details.
Also, can you please try the following and check:
Go to the location / /rcu/config/, take a backup of the file rcu.properties, and then change the below
JDBC_LOGIN_TIMEOUT = 30
TO
JDBC_LOGIN_TIMEOUT = 300
and try again.
Regards
Françoise
-
Just tried to download updates for Revel iOS version 2.3.2 and got directed to the Apple site to re-pay $79? WTF? You try to download on Mac, iPhone and iPad? Fees paid once? Help? Also, as a shooter, I love the Nikon LM program, but on Apple Mac it crashes; does the Adobe LM work better? If so, what kind of discount can you give a shooter?
Bill
With regard to Revel:
You can install Revel for free whether you are a paid subscriber or not. I don't know why or how you got to the Apple pay site. Maybe you clicked on a link.
On your iPad and iPhone, you can go to the App Store, search for Revel and press "install". There isn't a new version for Mac, but you can go to the Mac App Store and install version 1.10.
Guinot