Help, please! Connected to the VPN, but cannot access internal servers.

Hi friends,

I'm a newbie at VPN stuff. I set up a basic VPN on a Cisco ASA 5505 using ASDM, and I was able to connect to it.  However, I can't SSH or RDP to one of the in-house servers after I connect to the VPN.  Here is the configuration.  Help, please!

ASA Version 8.2(5)
!
hostname sc-asa
domain-name abc.com
enable password xxxxxxxxx encrypted
passwd xxxxxxxxx encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
ftp mode passive
dns server-group DefaultDNS
 domain-name OpenDNS.com
access-list sc-pool_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.96 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool sc-pool 192.168.1.100-192.168.1.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd dns 208.67.222.222 208.67.220.220 interface inside
dhcpd lease 86400 interface inside
dhcpd domain abc.com interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
webvpn
group-policy abc-sc internal
group-policy abc-sc attributes
 dns-server value 208.67.222.222 192.168.1.3
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value abc-sc_splitTunnelAcl
 default-domain value abc.com
username a001 password xxxxxxxxxxx encrypted
username a002 password xxxxxxxxxxx encrypted
username a003 password xxxxxxxxxxx encrypted privilege 0
username a003 attributes
 vpn-group-policy abc-sc
username a004 password xxxxxxxxxxx encrypted privilege 0
username a004 attributes
 vpn-group-policy abc-sc
username a005 password xxxxxxxxxxx encrypted
username a006 password xxxxxxxxxxx encrypted
username a007 password xxxxxxxxxxx encrypted privilege 15
tunnel-group abc-sc type remote-access
tunnel-group abc-sc general-attributes
 address-pool sc-pool
 default-group-policy abc-sc
tunnel-group abc-sc ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e7df4fa4b60a252d806ca5222d48883b
: end

Hello

I would suggest you start by changing the VPN pool to something other than the current LAN network and see if that helps.

These should be the configurations required to achieve this:

  • First we remove the VPN pool from the VPN configuration
  • Then we delete the VPN pool and create it again with a different address space
  • Then we attach this new VPN pool to the VPN configuration again
  • In the last step, we add a NAT0 / NAT exempt rule for this new VPN pool and remove the old ACL line for the former VPN pool

tunnel-group abc-sc general-attributes
 no address-pool sc-pool

no ip local pool sc-pool 192.168.1.100-192.168.1.110 mask 255.255.255.0

ip local pool sc-pool 192.168.100.100-192.168.100.110 mask 255.255.255.0

tunnel-group abc-sc general-attributes
 address-pool sc-pool

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

no access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.96 255.255.255.240

-Jouni
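
A check for the two conditions the answer above addresses, written as an added example (not part of the original thread and not Cisco tooling): a VPN pool carved out of a directly connected subnet, and a pool that no NAT0 ACL destination covers. The embedded configuration is constructed from the addresses in this thread; the function names are hypothetical.

```python
import ipaddress


def parse_config(text):
    """Pull interfaces, VPN pools, extended ACL entries and nat 0 bindings
    out of ASA 8.2-style configuration text (only the lines needed here)."""
    interfaces = {}   # nameif -> connected IPv4 network
    pools = {}        # pool name -> (first address, last address)
    acls = {}         # ACL name -> list of (source net, destination net)
    nat0 = {}         # nameif -> ACL name used for NAT exemption
    nameif = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if not raw[0].isspace():
            nameif = None          # a top-level line ends any interface block
        if tok[0] == "nameif" and len(tok) == 2:
            nameif = tok[1]
        elif tok[:2] == ["ip", "address"] and nameif and len(tok) >= 4 \
                and tok[2] != "dhcp":
            interfaces[nameif] = ipaddress.ip_network(
                f"{tok[2]}/{tok[3]}", strict=False)
        elif tok[:3] == ["ip", "local", "pool"] and len(tok) >= 5:
            first, last = tok[4].split("-")
            pools[tok[3]] = (ipaddress.ip_address(first),
                             ipaddress.ip_address(last))
        elif tok[0] == "access-list" and len(tok) == 9 \
                and tok[2:5] == ["extended", "permit", "ip"]:
            src = ipaddress.ip_network(f"{tok[5]}/{tok[6]}", strict=False)
            dst = ipaddress.ip_network(f"{tok[7]}/{tok[8]}", strict=False)
            acls.setdefault(tok[1], []).append((src, dst))
        elif tok[0] == "nat" and len(tok) == 5 \
                and tok[2] == "0" and tok[3] == "access-list":
            nat0[tok[1].strip("()")] = tok[4]
    return interfaces, pools, acls, nat0


def audit_vpn_pools(text):
    """Return a list of findings for every 'ip local pool' in the config."""
    interfaces, pools, acls, nat0 = parse_config(text)
    # Every destination network that some nat 0 ACL exempts from translation.
    exempt = [dst for acl in nat0.values() for _src, dst in acls.get(acl, [])]
    findings = []
    for name, (first, last) in pools.items():
        for ifname, net in interfaces.items():
            # Range intersection, so a pool spanning the subnet is caught too.
            if first <= net.broadcast_address and last >= net.network_address:
                findings.append(
                    f"pool {name} overlaps connected subnet {net} on {ifname}")
        if not any(first in dst and last in dst for dst in exempt):
            findings.append(
                f"pool {name} is not covered by any NAT0 ACL destination")
    return findings


def sample_config(pool_range, exempt_dst):
    """Constructed sample: the relevant lines of the posted config, with the
    pool range and NAT0 destination as parameters."""
    return f"""\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 {exempt_dst}
ip local pool sc-pool {pool_range} mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
"""


# The configuration as posted, the configuration after all four steps,
# and the state after re-creating the pool but before updating the NAT0 ACL.
AS_POSTED = sample_config("192.168.1.100-192.168.1.110",
                          "192.168.1.96 255.255.255.240")
AFTER_FIX = sample_config("192.168.100.100-192.168.100.110",
                          "192.168.100.0 255.255.255.0")
POOL_ONLY = sample_config("192.168.100.100-192.168.100.110",
                          "192.168.1.96 255.255.255.240")

if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("after fix", AFTER_FIX),
                       ("pool moved, ACL not updated", POOL_ONLY)):
        print(label, "->", audit_vpn_pools(cfg) or "no findings")
```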

Tags: Cisco Security

Similar Questions

  • IPSec VPN: connected to the VPN but cannot access resources

    Hello

    I configured an IPSec VPN on two ISPs with IP SLA configured; there is redundancy on the VPN so that if the main address is down it connects to the backup VPN.

    QUESTIONS

    - I connect to the primary address and I can access resources

    - I connect to the backup address but cannot access resources, for example servers

    I want a way to connect to the backup and access the resources on my servers. Please help by looking at the config below

    configuration below:

    interface GigabitEthernet0/0

    LAN description

    nameif inside

    security-level 100

    IP 192.168.202.100 255.255.255.0

    !

    interface GigabitEthernet0/1

    Description CONNECTION_TO_DOPC

    nameif outside

    security-level 0

    IP address 2.2.2.2 255.255.255.248

    !

    interface GigabitEthernet0/2

    Description CONNECTION_TO_COBRANET

    nameif backup

    security-level 0

    IP 3.3.3.3 255.255.255.240

    !

    !

    interface Management0/0

    Shutdown

    No nameif

    no level of security

    no ip address

    management only

    !

    boot system Disk0: / asa831 - k8.bin

    boot system Disk0: / asa707 - k8.bin

    passive FTP mode

    clock timezone WAT 1

    DNS domain-lookup outside

    DNS server-group DefaultDNS

    Name-Server 4.2.2.2

    permit same-security-traffic inter-interface

    permit same-security-traffic intra-interface

    network of object obj-200

    192.168.200.0 subnet 255.255.255.0

    Description LAN_200

    network of object obj-202

    192.168.202.0 subnet 255.255.255.0

    Description LAN_202

    network of the NETWORK_OBJ_192.168.30.0_25 object

    subnet 192.168.30.0 255.255.255.128

    network of the RDP_12 object

    Home 192.168.202.12

    Web server description

    service object RDP

    source eq 3389 destination eq 3389 tcp service

    network obj012 object

    Home 192.168.202.12

    the Backup-PAT object network

    192.168.202.0 subnet 255.255.255.0

    NETWORK LAN UBA description

    the DM_INLINE_NETWORK_1 object-group network

    object-network 192.168.200.0 255.255.255.0

    object-network 192.168.202.0 255.255.255.0

    the DM_INLINE_NETWORK_2 object-group network

    network-object object obj-200

    network-object object obj-202

    access-list extended INSIDE_OUT allow ip 192.168.200.0 255.255.255.0 any

    access-list extended INSIDE_OUT allow ip 192.168.202.0 255.255.255.0 any

    OUTSIDE_IN list extended access permit icmp any any idle state

    OUTSIDE_IN list extended access permit tcp any object obj012 eq inactive 3389

    gbnltunnel_splitTunnelAcl standard access list allow 192.168.200.0 255.255.255.0

    standard access list gbnltunnel_splitTunnelAcl allow 192.168.202.0 255.255.255.0

    BACKUP_IN list extended access permit icmp any any idle state

    access extensive list ip 196.216.144.0 encrypt_acl allow 255.255.255.192 192.168.202.0 255.255.255.0

    pager lines 24

    Enable logging

    asdm of logging of information

    Within 1500 MTU

    Outside 1500 MTU

    backup of MTU 1500

    Backup2 MTU 1500

    local pool GBNLVPNPOOL 192.168.30.0 - 192.168.30.100 255.255.255.0 IP mask

    no failover

    ICMP unreachable rate-limit 1 burst-size 1

    ICMP allow any backup

    ASDM image disk0: / asdm-645 - 206.bin

    don't allow no asdm history

    ARP timeout 14400

    NAT (inside, outside) static static source NETWORK_OBJ_192.168.30.0_25 destination DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 NETWORK_OBJ_192.168.30.0_25

    NAT (inside, outside) static source DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 NETWORK_OBJ_192.168.30.0_25 NETWORK_OBJ_192.168.30.0_25 non-proxy-arp-search of route static destination

    !

    network of object obj-200

    NAT dynamic interface (indoor, outdoor)

    network of object obj-202

    dynamic NAT (all, outside) interface

    network obj012 object

    NAT (inside, outside) interface static service tcp 3389 3389

    the Backup-PAT object network

    dynamic NAT interface (inside, backup)

    !

    NAT source auto after (indoor, outdoor) dynamic one interface

    Access-group interface inside INSIDE_OUT

    Access-group OUTSIDE_IN in interface outside

    Access-group BACKUP_IN in the backup of the interface

    Route outside 0.0.0.0 0.0.0.0 2.2.2.2 1 followed by 100

    Backup route 0.0.0.0 0.0.0.0 3.3.3.3 254

    Timeout xlate 03:00

    Pat-xlate timeout 0:00:30

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    Floating conn timeout 0:00:00

    dynamic-access-policy-registration DfltAccessPolicy

    WebVPN

    value of the URL-list GBNL-SERVERS

    identity of the user by default-domain LOCAL

    the ssh LOCAL console AAA authentication

    AAA authentication http LOCAL console

    AAA authentication enable LOCAL console

    http server enable 441

    http 192.168.200.0 255.255.255.0 inside

    http 192.168.202.0 255.255.255.0 inside

    http 192.168.2.0 255.255.255.0 inside

    http 192.168.30.0 255.255.255.0 inside

    http 0.0.0.0 0.0.0.0 outdoors

    http 0.0.0.0 0.0.0.0 backup

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

    ALS 10 monitor

    type echo protocol ipIcmpEcho 31.13.72.1 interface outside

    NUM-package of 5

    Timeout 3000

    frequency 5

    Annex monitor SLA 10 life never start-time now

    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac

    Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

    Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac

    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

    card crypto IPSec_map 10 corresponds to the address encrypt_acl

    card crypto IPSec_map 10 set peer 196.216.144.1

    card crypto IPSec_map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

    outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

    inside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

    inside crypto map inside_map interface

    ipsec_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

    ipsec_map interface card crypto outside

    gbnltunnel card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

    backup of crypto gbnltunnel interface card

    Crypto ca trustpoint ASDM_TrustPoint0

    Terminal registration

    name of the object CN = GBNLVPN.greatbrandsng.com, O = GBNL, C = ng

    Configure CRL

    Crypto ikev1 allow inside

    Crypto ikev1 allow outside

    Crypto ikev1 enable backup

    IKEv1 crypto policy 10

    authentication crack

    aes-256 encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 20

    authentication rsa - sig

    aes-256 encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 30

    preshared authentication

    aes-256 encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 40

    authentication crack

    aes-192 encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 50

    authentication rsa - sig

    aes-192 encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 60

    preshared authentication

    aes-192 encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 70

    authentication crack

    aes encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 80

    authentication rsa - sig

    aes encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 90

    preshared authentication

    aes encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 100

    authentication crack

    3des encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 110

    authentication rsa - sig

    3des encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 120

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 130

    authentication crack

    the Encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 140

    authentication rsa - sig

    the Encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 150

    preshared authentication

    the Encryption

    sha hash

    Group 2

    life 86400

    enable client-implementation to date

    !

    track 10 rtr 100 accessibility

    !

    Track 100 rtr 10 accessibility

    Telnet 192.168.200.0 255.255.255.0 inside

    Telnet 192.168.202.0 255.255.255.0 inside

    Telnet timeout 5

    SSH 192.168.202.0 255.255.255.0 inside

    SSH 192.168.200.0 255.255.255.0 inside

    SSH 0.0.0.0 0.0.0.0 inside

    SSH 0.0.0.0 0.0.0.0 outdoors

    SSH 0.0.0.0 0.0.0.0 backup

    SSH timeout 30

    SSH group dh-Group1-sha1 key exchange

    Console timeout 0

    management-access inside

    a basic threat threat detection

    threat detection statistics

    a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200

    WebVPN

    allow outside

    enable backup

    activate backup2

    internal gbnltunnel group policy

    attributes of the strategy of group gbnltunnel

    Ikev1 VPN-tunnel-Protocol

    Split-tunnel-policy tunnelspecified

    greatbrandsng.com value by default-field

    Group Policy 'Group 2' internal

    type of remote access service

    type tunnel-group gbnltunnel remote access

    tunnel-group gbnltunnel General-attributes

    address GBNLVPNPOOL pool

    Group Policy - by default-gbnltunnel

    gbnltunnel group of tunnel ipsec-attributes

    IKEv1 pre-shared-key *.

    type tunnel-group GBNLSSL remote access

    type tunnel-group GBNL_WEBVPN remote access

    attributes global-tunnel-group GBNL_WEBVPN

    Group Policy - by default-gbnltunnel

    tunnel-group 196.216.144.1 type ipsec-l2l

    IPSec-attributes tunnel-group 196.216.144.1

    IKEv1 pre-shared-key *.

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    type of policy-card inspect dns preset_dns_map

    parameters

    maximum message length automatic of customer

    message-length maximum 512

    Policy-map global_policy

    class inspection_default

    inspect the preset_dns_map dns

    inspect the ftp

    inspect h323 h225

    inspect the h323 ras

    inspect the rsh

    inspect the rtsp

    inspect esmtp

    inspect sqlnet

    inspect the skinny

    inspect sunrpc

    inspect xdmcp

    inspect the sip

    inspect the netbios

    inspect the tftp

    Review the ip options

    inspect the icmp

    !

    global service-policy global_policy

    context of prompt hostname

    no remote anonymous reporting call

    HPM topN enable

    Cryptochecksum:6004bf457c9c0bc1babbdbf1cd8aeba5

    : end

    When you say that "the external interface is downwards using failover techniques" you mean this failover occurred because the ASA is no longer able to reach the 31.13.72.1?  Not that the actual interface is broken?

    If this is the case, then the NATing is your problem.  Since you're using the same VPN pool for VPN connections the ASA cannot distinguish between the two streams of traffic if the external interface is still in place.  The SLA tracking only removes a route in the routing table, but does not affect what happens in the NAT process.

    Try changing the NAT statement as follows and test (don't forget to remove the other NAT exempt statements for this traffic during the test):

    nat (inside,any) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.30.0_25 NETWORK_OBJ_192.168.30.0_25

    If this does not work, I would either turn off the external interface when a failover occurs, or create a second connection profile that contains a separate IP pool for the VPN connection and ask users to connect using this profile when a failover takes place.  Don't forget to create NAT exempt statements for this traffic also.

    --

    Please note all useful posts

  • I can connect to the WLan, but cannot access the internet on Tecra A8

    There is no problem when I use the LAN port.
    When I use the WiFi (wifi adapter Tecra A8), I can connect to the network, but the status is local, I can't access the internet.

    I've updated my access point with the latest firmware (D-link DWL-2000AP +).
    I do not get a new IP address.

    My OS is Vista.

    Hello

    Have you set up the WLan router with the right data from your ISP (internet service provider)?

    Further, I would recommend disabling all security options on the router and trying to access the internet.
    I mean, you must disable the encryption (WEP, WPA), MAC address filtering, etc.
    In addition, check whether, in the TCP/IP settings, the option "obtain an IP address automatically" has been set.

    Have you tried the WiFi connection using a client like the Intel ProSet utility or the Atheros configuration tool?
    These tools can be used instead of Windows' own WLan connection option.

    Did you reset the WLan router? Do this!

    Please check all these suggestions

  • Computer seems to be connected to the internet but cannot access web pages

    It says it's connected to the internet and it can download the automatic updates, but when I open Internet Explorer or Mozilla, neither browser accesses a web page.

    The problem does not change whether it is connected to a hard line or wireless.

    The computer is a Latitude D620 on Windows XP, if that helps.

    What happens when you try?

    Have you tried resetting IE?  (Tools | Internet Options | Advanced...)

    -B-
    http://www.officeforlawyers.com | http://www.OneNote-tips.com
    Author: Guide to counsel for Microsoft Outlook

  • Can connect via the VPN, but cannot see the files

    I can connect via VPN to my company network, but the files do not arise under Vista. I have no problem to see them on my old Windows PC, so this is a specific problem of Vista. On my old system, just click on computer and it shows me my company on the network's records. No Vista - cannot find anywhere, even if I am connected via VPN. Where are they?

    Hello

    Since it is the company's network, there is no way to know how security is configured, unless you are an IT person at the company.

    So as not to "mess up" your computer, first talk to the person in charge of VPN connections.

    Jack - Microsoft MVP, Windows networking. WWW.EZLAN.NET

  • Cisco ASA 5510 - Cisco Client can connect to the VPN but cannot Ping!

    Hello

    I have an ASA 5510 with the configuration below. I have configured the ASA as a VPN server for remote access with the Cisco VPN client; now my problem is that I can connect but I cannot ping.

    Config

    ciscoasa # sh run

    : Saved

    :

    ASA Version 8.0 (3)

    !

    ciscoasa hostname

    activate the 5QB4svsHoIHxXpF password / encrypted

    names of

    xxx.xxx.xxx.xxx SAP_router_IP_on_SAP name

    xxx.xxx.xxx.xxx ISA_Server_second_external_IP name

    xxx.xxx.xxx.xxx name Mail_Server

    xxx.xxx.xxx.xxx IncomingIP name

    xxx.xxx.xxx.xxx SAP name

    xxx.xxx.xxx.xxx Web server name

    xxx.xxx.xxx.xxx cms_eservices_projects_sharepointold name

    isa_server_outside name 192.168.2.2

    !

    interface Ethernet0/0

    nameif outside

    security-level 0

    address IP IncomingIP 255.255.255.248

    !

    interface Ethernet0/1

    nameif inside

    security-level 100

    IP 192.168.2.1 255.255.255.0

    !

    interface Ethernet0/2

    Shutdown

    No nameif

    no level of security

    no ip address

    !

    interface Ethernet0/3

    Shutdown

    No nameif

    no level of security

    no ip address

    !

    interface Management0/0

    nameif management

    security-level 100

    IP 192.168.1.253 255.255.255.0

    management only

    !

    passwd 123

    passive FTP mode

    clock timezone IS 2

    clock summer-time EEDT recurring last Sun Mar 03:00 last Sun Oct 04:00

    TCP_8081 tcp service object-group

    EQ port 8081 object

    DM_INLINE_TCP_1 tcp service object-group

    EQ port 3389 object

    port-object eq ftp

    port-object eq www

    EQ object of the https port

    EQ smtp port object

    EQ Port pop3 object

    port-object eq 3200

    port-object eq 3300

    port-object eq 3600

    port-object eq 3299

    port-object eq 3390

    EQ port 50000 object

    port-object eq 3396

    port-object eq 3397

    port-object eq 3398

    port-object eq imap4

    EQ port 587 object

    port-object eq 993

    port-object eq 8000

    EQ port 8443 object

    port-object eq telnet

    port-object eq 3901

    purpose of group TCP_8081

    EQ port 1433 object

    port-object eq 3391

    port-object eq 3399

    EQ object of port 8080

    EQ port 3128 object

    port-object eq 3900

    port-object eq 3902

    port-object eq 7777

    port-object eq 3392

    port-object eq 3393

    port-object eq 3394

    Equalizer object port 3395

    port-object eq 92

    port-object eq 91

    port-object eq 3206

    port-object eq 8001

    EQ port 8181 object

    object-port 7778 eq

    port-object eq 8180

    port-object 22222 eq

    port-object eq 11001

    port-object eq 11002

    port-object eq 1555

    port-object eq 2223

    port-object eq 2224

    object-group service RDP - tcp

    EQ port 3389 object

    3901 tcp service object-group

    3901 description

    port-object eq 3901

    object-group service tcp 50000

    50000 description

    EQ port 50000 object

    Enable_Transparent_Tunneling_UDP udp service object-group

    port-object eq 4500

    access-list connection to SAP Note inside_access_in

    inside_access_in to access extended list ip 192.168.2.0 allow 255.255.255.0 host SAP_router_IP_on_SAP

    access-list inside_access_in note outgoing VPN - PPTP

    inside_access_in list extended access permitted tcp 192.168.2.0 255.255.255.0 any eq pptp

    access-list inside_access_in note outgoing VPN - GRE

    inside_access_in list extended access allow accord 192.168.2.0 255.255.255.0 any

    Comment from inside_access_in-list of access VPN - GRE

    inside_access_in list extended access will permit a full

    access-list inside_access_in note outgoing VPN - Client IKE

    inside_access_in list extended access permitted udp 192.168.2.0 255.255.255.0 any isakmp eq

    Comment of access outgoing VPN - IPSecNAT - inside_access_in-list T

    inside_access_in list extended access permitted udp 192.168.2.0 255.255.255.0 any eq 4500

    Note to inside_access_in of outgoing DNS list access

    inside_access_in list extended access udp allowed any any eq field

    Note to inside_access_in of outgoing DNS list access

    inside_access_in list extended access permit tcp any any eq field

    Note to inside_access_in to access list carried forward Ports

    inside_access_in list extended access permitted tcp 192.168.2.0 255.255.255.0 any DM_INLINE_TCP_1 object-group

    access extensive list ip 172.16.1.0 inside_access_in allow 255.255.255.0 any

    outside_access_in of access allowed any ip an extended list

    outside_access_in list extended access permit tcp any any eq pptp

    outside_access_in list extended access will permit a full

    outside_access_in list extended access allowed grateful if any host Mail_Server

    outside_access_in list extended access permit tcp any host Mail_Server eq pptp

    outside_access_in list extended access allow esp a whole

    outside_access_in ah allowed extended access list a whole

    outside_access_in list extended access udp allowed any any eq isakmp

    outside_access_in list of permitted udp access all all Enable_Transparent_Tunneling_UDP object-group

    list of access allowed standard VPN 192.168.2.0 255.255.255.0

    corp_vpn to access extended list ip 192.168.2.0 allow 255.255.255.0 172.16.1.0 255.255.255.0

    pager lines 24

    Enable logging

    asdm of logging of information

    Outside 1500 MTU

    Within 1500 MTU

    management of MTU 1500

    pool POOL 172.16.1.10 - 172.16.1.20 255.255.255.0 IP mask

    no failover

    ICMP unreachable rate-limit 1 burst-size 1

    ASDM image disk0: / asdm - 603.bin

    don't allow no asdm history

    ARP timeout 14400

    NAT-control

    Global (outside) 2 Mail_Server netmask 255.0.0.0

    Global 1 interface (outside)

    Global interface (2 inside)

    NAT (inside) 0-list of access corp_vpn

    NAT (inside) 1 0.0.0.0 0.0.0.0

    static (inside, outside) tcp Mail_Server 8001 8001 ISA_Server_second_external_IP netmask 255.255.255.255

    static (inside, outside) tcp Mail_Server 8000 ISA_Server_second_external_IP 8000 netmask 255.255.255.255

    static (inside, outside) tcp Mail_Server pptp pptp netmask 255.255.255.255 isa_server_outside

    public static tcp (indoor, outdoor) Mail_Server smtp smtp isa_server_outside mask 255.255.255.255 subnet

    static (inside, outside) tcp 587 Mail_Server isa_server_outside 587 netmask 255.255.255.255

    static (inside, outside) tcp Mail_Server 9444 isa_server_outside 9444 netmask 255.255.255.255

    static (inside, outside) tcp 9443 Mail_Server 9443 netmask 255.255.255.255 isa_server_outside

    static (inside, outside) tcp 3389 3389 netmask 255.255.255.255 isa_server_outside Mail_Server

    static (inside, outside) tcp 3390 Mail_Server 3390 netmask 255.255.255.255 isa_server_outside

    static (inside, outside) tcp Mail_Server 3901 isa_server_outside 3901 netmask 255.255.255.255

    static (inside, outside) tcp SAP 50000 50000 netmask 255.255.255.255 isa_server_outside

    static (inside, outside) tcp SAP 3200 3200 netmask 255.255.255.255 isa_server_outside

    static (inside, outside) SAP 3299 isa_server_outside 3299 netmask 255.255.255.255 tcp

    static (inside, outside) tcp Mail_Server www isa_server_outside www netmask 255.255.255.255

    static (inside, outside) tcp Mail_Server https isa_server_outside https netmask 255.255.255.255

    static (inside, outside) tcp Mail_Server pop3 pop3 netmask 255.255.255.255 isa_server_outside

    static (inside, outside) tcp imap4 Mail_Server imap4 netmask 255.255.255.255 isa_server_outside

    static (inside, outside) tcp cms_eservices_projects_sharepointold 9999 9999 netmask 255.255.255.255 isa_server_outside

    public static 192.168.2.0 (inside, outside) - corp_vpn access list

    Access-group outside_access_in in interface outside

    inside_access_in access to the interface inside group

    Route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout, uauth 0:05:00 absolute

    dynamic-access-policy-registration DfltAccessPolicy

    Enable http server

    http 192.168.2.0 255.255.255.0 inside

    http 192.168.1.0 255.255.255.0 management

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown cold start

    Crypto ipsec transform-set esp - esp-md5-hmac transet

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

    Crypto-map dynamic dynmap 10 set pfs

    Crypto-map dynamic dynmap 10 transform-set ESP-3DES-SHA transet

    cryptomap 10 card crypto ipsec-isakmp dynamic dynmap

    cryptomap interface card crypto outside

    crypto isakmp identity address

    crypto ISAKMP allow outside

    crypto ISAKMP policy 10

    preshared authentication

    3des encryption

    md5 hash

    Group 2

    life 86400

    crypto ISAKMP policy 30

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    No encryption isakmp nat-traversal

    telnet 192.168.2.0 255.255.255.0 inside

    telnet 192.168.1.0 255.255.255.0 management

    telnet timeout 5

    ssh timeout 5

    console timeout 0

    dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx interface inside

    dhcpd domain domain.local interface inside

    !

    threat-detection basic-threat

    threat-detection statistics host

    threat-detection statistics access-list

    Management Server TFTP 192.168.1.123.

    group-policy mypolicy internal

    group-policy mypolicy attributes

    split-tunnel-policy tunnelspecified

    split-tunnel-network-list value VPN

    username vpdn password 123

    username vpdn attributes

    vpn-group-policy mypolicy

    service-type remote-access

    tunnel-group mypolicy type remote-access

    tunnel-group mypolicy general-attributes

    address-pool

    default-group-policy mypolicy

    tunnel-group mypolicy ipsec-attributes

    pre-shared-key *

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    policy-map type inspect dns preset_dns_map

    parameters

    message-length maximum 512

    policy-map global_policy

    class inspection_default

    inspect dns preset_dns_map

    inspect ftp

    inspect h323 h225

    inspect h323 ras

    inspect rsh

    inspect rtsp

    inspect esmtp

    inspect sqlnet

    inspect skinny

    inspect sunrpc

    inspect xdmcp

    inspect sip

    inspect netbios

    inspect tftp

    inspect pptp

    !

    service-policy global_policy global

    prompt hostname context

    Cryptochecksum:b8bb19b6cb05cfa9ee125ad7bc5444ac

    : end

    Thank you very much.

    Hello

    You probably need

    policy-map global_policy

    class inspection_default

    inspect icmp

    inspect icmp error

    Your Tunnel of Split and NAT0 configurations seem to.

    -Jouni

  • Cannot open email in Hotmail via Firefox. I have Vista installed on the pc and Windows 7 on the laptop, but cannot access all the features of Hotmail.

    Cannot open email in Hotmail via Firefox. I have Vista installed on the pc and Windows 7 on the laptop, but cannot access all the features of Hotmail. I tried to clear the cache and restart Firefox, but I still cannot use Hotmail.

    Not this problem when I go to Internet Explorer.

    Hello, it has been noted that the Foxit PDF plugin is causing this issue. You can disable this plugin in Firefox > Add-ons > Plugins until Foxit offers a patch/update for the plugin.

  • Connects to the router, but cannot send or receive data

    I have a WRT54G.  I can find the network and connect to the router, but I can't send or receive data.  I tried to connect directly to the router and I am still not able to send or receive data. Both computers on the router have the same problem.  I reset the router back to the default settings and still no luck.  Any thoughts?  Thanks in advance for the help.

    The first thing you can try: with the modem and the router connected to each other, disconnect the power from the router and the modem, wait 30 seconds, then plug the power back in to the modem and, once all the lights are solid, connect the power supply to the Linksys router. Now check whether you are able to go online. If still not, then...

    Who is your ISP? I think you need to reconfigure all the settings of your router again.

    If your Internet Service is cable follow this link

    If your Internet Service is DSL follow this link

  • The VPN Clients cannot access any internal address

    Without a doubt need help from an expert on this one...

    Attempting to set up VPN client access on an ASA 5520 that was used only as a firewall so far. The ASA has recently been updated to version 7.2(4).

    Problem: Once connected, the VPN client cannot access anything whatsoever. The VPN client cannot ping any address on the internal networks, or even the inside interface of the ASA.

    (I hope) Relevant details:

    (1) The tunnel seems to be up. Clients are authenticated by the ASA and are able to connect.

    (2) Per many other related posts, I ran a "sh crypto ipsec sa" to see the output: it appears that the packets are decapsulated and decrypted, but NOT encapsulated or encrypted (see the output of "sh crypto ipsec sa").

    (3) Per the other related posts, we've added the commands associated with NAT traversal (crypto isakmp nat-traversal 20, crypto isakmp ipsec-over-tcp port 10000). These were in fact absent from our configuration.

    (4) We tried TCP encapsulation and UDP encapsulation with experimental client profiles: same result in both cases.

    (5) If I (attempt to) ping an internal IP address from the connected client, the ASA real-time log entries show the setup and teardown of the ICMP requests to the inside target.

    (6) The packet capture at the internal address (the one that we try to ping from the VPN client) shows that the ICMP request has been received and answered. (See attached capture.)

    (7) Our goal is to create about 10 different VPN client profiles, each with different combinations of access to the internal VLAN or DMZ VLAN. We do not have preferences for the type of encryption or method, as long as it is secure and it works: that said, do not hesitate to recommend a different approach altogether.

    We have tried everything we can think of, so any help or advice would be greatly appreciated!

    The sanitized ASA configuration is also attached.

    Thank you!

    It should be the last step :)

    On the 6509:

    ip route 172.16.100.0 255.255.255.0 172.16.20.2

    and on the ASA:

    no route inside 172.16.40.0 255.255.255.0 172.16.20.2

  • Access remote vpn connects to the 5505 but cannot ping servers

    I have a Cisco 5505 and am trying to set it up with ASDM 6.4.

    My VPN client connects OK to the network, but I'm unable to reach any of the servers.

    I'm sure it's a simple configuration issue, as I don't have much experience with Cisco configuration.

    Any suggestions on where to look would be very much appreciated.

    Thanks in advance

    Graham

    Hi Graham,

    Please, add the following command:

    access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.100.0 255.255.255.0

    Thank you.

    Portu.

  • BlackBerry Smartphones connected to the Internet, but cannot open the web browser, facebook...

    My BlackBerry Bold 9900 connects to the internet with Wi-Fi and a 3G/EDGE connection (w/ caps) and receives emails, but cannot open the web browser, Facebook, Twitter, BBM, App World... for the last two days (I think that I upgraded some applications). Is anyone experiencing the same?
    Can someone help me, please? Thank you!!

    OK, at least you get the signal necessary for many applications work.

    Please remove your battery while your phone is on, and then replace it.

    Let us know if that helps you.

  • I can connect to the internet, but cannot stay connected for more than 10 to 15 minutes.

    After I changed my MiFi for a Verizon 890 L 4 G LTE Verizon internet access I can access the internet for about 10 to 15 minutes. He stops abruptly, but when looking at the network and sharing Center to watch I am always connected. When I run the troubleshooting it says that there is no problem. When I look in the detail section of the troubleshooting it is said that there may be a problem, but there is no additional information available. The thing really strange is that my wife and I have exactly the same computers and the OS and his computer has no problem to stay connected. I found a update for my card driver and it made no difference. I am at a loss now other solutions. I also put the hotspot in WPS mode hoping it would reconfigure the communication between it and my laptop, it made no difference. Help please.

    Hi kodibear333.
     

    Thanks for posting your query in Microsoft Community.
     
    I understand from your description, that you have a problem with connecting to the Internet.
     
    Could you please answer the following questions so that I can help you better.
     

    1. Do you get an error message when you are disconnected from the internet?
    2. Have you made any changes on the computer before this problem?
     

    I want you to try the following methods to resolve the problem.
    Method 1: Network connectivity problems
    Check out the link and follow the steps in the link.
    http://support.Microsoft.com/kb/936211#appliesTo
     
    Method 2: Wi - Fi and network problems.
     
    Get back to us and let me know the status of the question so that I can fix it as soon as possible.
  • I can connect to wifi networks but cannot access the internet

    As the title says, I have no problem connecting to all types of wireless networks (password protected or not), but once I am connected, there is always a message saying that I have limited access, and I am not able to access the internet from then on. It is not a problem specific to any router, it's just my laptop's wireless. Direct connections (with an ethernet cable) work quite well. When I tried to troubleshoot the problem through Windows I got the error message "wireless network connection is not a valid IP configuration".
    I have honestly tried most of the solutions out there but am stuck on what I can do next.

    Hello

    Thanks for posting in the Microsoft community. I understand that you are able to connect to a wireless network, however you are unable to access the Internet when it is connected to the wireless network.

    It would help if you could let us know about any changes made to the computer before the show.

    I suggest that you try the following steps and check.

    Method 1:

    Check out the link and follow the steps.

    Windows wireless and wired network connection problems

    http://Windows.Microsoft.com/en-us/Windows/help/wired-and-wireless-network-connection-problems-in-Windows

    Method 2:

    Visit the link and try the troubleshooting provided steps.

    Why can't I connect to the Internet?

    http://Windows.Microsoft.com/en-us/Windows7/why-can-t-I-connect-to-the-Internet

    Let us know if these methods on the other will respond and we can provide several methods.

     

  • Is connected to the Internet, but cannot use the Compaq Presario SR5123WM desktop PC

    Product name & #: Compaq Presario SR5123WM desktop PC (GC660AA-ABA)
    Operating system: Windows Vista Home Premium 32
    No only error message when Internet Explorer does not display the page or iTunes can't find any connection network (any application that requires an Internet connection).

    No changes were made to the system.

    I have the dial-up connection. The Bureau uses the Modem - PCI Soft Data Fax Modem with SmartCP (COM3).

    Once I start the computer, log in to my user and connect to the Internet, I click on Internet Explorer and type in Google to see if it would work. It says "Internet Explorer cannot display the webpage". For iTunes, it says "iTunes has not to connect to the iTunes Store. Make sure your network connection is active and try again."

    I tried all solutions online and by phone. I reset netsh int ip / winsock. I reset Internet Explorer options. Nothing works.

    What is strange, is that the Internet connection works well on my laptop (using Conexant D110 MDC V.92 Modem (COM3)).

    It would be GREAT if you could help me find a solution to this problem, because this has happened for months, and I'm tired of waiting. I put all my hopes on you.

    You may be able to do a system restore if the original HP partition is always on the computer.

    Here is a document detailing the steps:

    Perform a recovery of the system (Windows Vista) HP

  • Problem just started, unable to see area but can be seen on the other PC on the network - can connect to the area but no access to resources.

    Have client with the latest Lenovo laptop, running Windows 7 Pro, part of a Windows 2008 domain. User never had problems earlier but takes off mobile out of office last week that he had then only on vacation. The user has Verizon Wireless for Internet access so that resign. User returned, connected area through the configuration of a connection without error, but was unable to access resources in any domain. No applications have been installed on the laptop so that it is on vacation. In windows Explorer, the user can see as other NAS PC's, printers, other devices on the network and able to access the Internet, but the doman and the server are missing from the list. The connection of the user from another PC to check the profile is ok, the user was able to resources in the domain from another PC. Had a different network user trying to connect on the laptop and had the same problem so I am confident that the problem is with the laptop itself and not domain or server. Also tried to disable the firewall on the computer laptop but did not help, empty DNS and other entries in cache but nothing helped. There were a few normal .net updates on laptop while resign but that was about it. Laptop is running Microsoft's Security Essentials for virus protection.

    Any ideas on how to resolve the additional or possible causes?

    Hi Jack,


    The problem you are having is more complex than what is generally answered in the Microsoft Answers forums. It is better suited for the IT Pro TechNet public.
    Please post your question in the Technet Forum.
    You can follow this link to ask your question:
    Forum TechNet Windows 7:
    For any other corresponding Windows help, do not hesitate to contact us and we will be happy to help you.
