IPSec Tunnel upward, but not accessible from local networks
Hello
I have an ASA5520 and a Snapgear. The IPSec tunnel is in place and works very well. But I am not able to access the local LAN on both sides. Here are a few setups:
SH crypt isakmp his
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 10.10.10.2
Type : L2L Role : responder
Rekey : no State : AM_ACTIVE
Crypto/isakmp:
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map IPSECTEST_map0 1 match address IPSECTEST_cryptomap
crypto map IPSECTEST_map0 1 set peer 10.10.10.2
crypto map IPSECTEST_map0 1 set transform-set ESP-3DES-SHA
crypto map IPSECTEST_map0 1 set nat-t-disable
crypto map IPSECTEST_map0 1 set phase1-mode aggressive
crypto map IPSECTEST_map0 interface IPSECTEST
crypto isakmp enable outside
crypto isakmp enable IPSECTEST
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 3600
Route SH:
C 172.16.3.0 255.255.255.0 is directly connected, VLAN10
C 10.10.10.0 255.255.255.0 is directly connected, IPSECTEST
C 192.168.112.0 255.255.254.0 is directly connected, inside
access-list:
IPSECTEST_cryptomap list extended access allowed object-group DM_INLINE_PROTOCOL_1 172.16.3.0 255.255.255.0 object 172.20.20.0
and here's the scenario:
If I make a ping of the asa to the Remote LAN, I got this:
ciscoasa (config) # ping 172.20.20.1
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 10.172.20.20.1, wait time is 2 seconds:
No route to the host 172.20.20.1
Success rate is 0% (0/1)
No idea what I lack?
Here's how to set up NAT ASA 8.3 exemption:
network object obj - 172.16.3.0
172.16.3.0 subnet 255.255.255.0
network object obj - 172.20.20.0
172.20.20.0 subnet 255.255.255.0
NAT (inside, outside) source static obj - 172.16.3.0 obj - 172.16.3.0 destination static obj - 172.20.20.0 obj - 172.20.20.0
Here's how it looks to the ASA 8.2 and below:
Inside_nat0_outbound to access extended list ip 172.16.3.0 allow 255.255.255.0 172.20.20.0 255.255.255.0
NAT (inside) 0-list of access Inside_nat0_outbound
Tags: Cisco Security
Similar Questions
-
ASA 5505 IPSEC VPN connected but cannot access the local network
ASA: 8.2.5
ASDM: 6.4.5
LAN: 10.1.0.0/22
Pool VPN: 172.16.10.0/24
Hi, we purcahsed a new ASA 5505 and try to configure IPSEC VPN via ASDM; I simply run the wizards, installation vpnpool, split tunnelling, etc.
I can connect to the ASA using the cisco VPN client and internet works fine on the local PC, but it can not access the local network (can not impossible. ping remote desktop). I tried the same thing on our Production ASA(those have both Remote VPN and Site-to-site VPN working), the new profile, I created worked very well.
Here is my setup, wrong set up anything?
ASA Version 8.2 (5)
!
hostname asatest
domain XXX.com
activate 8Fw1QFqthX2n4uD3 encrypted password
g9NiG6oUPjkYrHNt encrypted passwd
names of
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP 10.1.1.253 255.255.252.0
!
interface Vlan2
nameif outside
security-level 0
address IP XXX.XXX.XXX.XXX 255.255.255.240
!
passive FTP mode
clock timezone PST - 8
clock summer-time recurring PDT
DNS server-group DefaultDNS
domain vff.com
vpntest_splitTunnelAcl list standard access allowed 10.1.0.0 255.255.252.0
access extensive list ip 10.1.0.0 inside_nat0_outbound allow 255.255.252.0 172.16.10.0 255.255.255.0
pager lines 24
Enable logging
timestamp of the record
logging trap warnings
asdm of logging of information
logging - the id of the device hostname
host of logging inside the 10.1.1.230
Within 1500 MTU
Outside 1500 MTU
IP local pool 172.16.10.1 - 172.16.10.254 mask 255.255.255.0 vpnpool
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 1 0.0.0.0 0.0.0.0
Route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
AAA-server protocol nt AD
AAA-server host 10.1.1.108 AD (inside)
NT-auth-domain controller 10.1.1.108
Enable http server
http 10.1.0.0 255.255.252.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH 10.1.0.0 255.255.252.0 inside
SSH timeout 20
Console timeout 0
dhcpd outside auto_config
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
internal group vpntest strategy
Group vpntest policy attributes
value of 10.1.1.108 WINS server
Server DNS 10.1.1.108 value
Protocol-tunnel-VPN IPSec l2tp ipsec
disable the password-storage
disable the IP-comp
Re-xauth disable
disable the PFS
IPSec-udp disable
IPSec-udp-port 10000
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list vpntest_splitTunnelAcl
value by default-domain XXX.com
disable the split-tunnel-all dns
Dungeon-client-config backup servers
the address value vpnpool pools
admin WeiepwREwT66BhE9 encrypted privilege 15 password username
username user5 encrypted password privilege 5 yIWniWfceAUz1sUb
the encrypted password privilege 3 umNHhJnO7McrLxNQ util_3 username
tunnel-group vpntest type remote access
tunnel-group vpntest General attributes
address vpnpool pool
authentication-server-group AD
authentication-server-group (inside) AD
Group Policy - by default-vpntest
band-Kingdom
vpntest group tunnel ipsec-attributes
pre-shared-key BEKey123456
NOCHECK Peer-id-validate
!
!
privilege level 3 mode exec cmd command perfmon
privilege level 3 mode exec cmd ping command
mode privileged exec command cmd level 3
logging of the privilege level 3 mode exec cmd commands
privilege level 3 exec command failover mode cmd
privilege level 3 mode exec command packet cmd - draw
privilege show import at the level 5 exec mode command
privilege level 5 see fashion exec running-config command
order of privilege show level 3 exec mode reload
privilege level 3 exec mode control fashion show
privilege see the level 3 exec firewall command mode
privilege see the level 3 exec mode command ASP.
processor mode privileged exec command to see the level 3
privilege command shell see the level 3 exec mode
privilege show level 3 exec command clock mode
privilege exec mode level 3 dns-hosts command show
privilege see the level 3 exec command access-list mode
logging of orders privilege see the level 3 exec mode
privilege, level 3 see the exec command mode vlan
privilege show level 3 exec command ip mode
privilege, level 3 see fashion exec command ipv6
privilege, level 3 see the exec command failover mode
privilege, level 3 see fashion exec command asdm
exec mode privilege see the level 3 command arp
command routing privilege see the level 3 exec mode
privilege, level 3 see fashion exec command ospf
privilege, level 3 see the exec command in aaa-server mode
AAA mode privileged exec command to see the level 3
privilege, level 3 see fashion exec command eigrp
privilege see the level 3 exec mode command crypto
privilege, level 3 see fashion exec command vpn-sessiondb
privilege level 3 exec mode command ssh show
privilege, level 3 see fashion exec command dhcpd
privilege, level 3 see the vpnclient command exec mode
privilege, level 3 see fashion exec command vpn
privilege level see the 3 blocks from exec mode command
privilege, level 3 see fashion exec command wccp
privilege see the level 3 exec command mode dynamic filters
privilege, level 3 see the exec command in webvpn mode
privilege control module see the level 3 exec mode
privilege, level 3 see fashion exec command uauth
privilege see the level 3 exec command compression mode
level 3 for the show privilege mode configure the command interface
level 3 for the show privilege mode set clock command
level 3 for the show privilege mode configure the access-list command
level 3 for the show privilege mode set up the registration of the order
level 3 for the show privilege mode configure ip command
level 3 for the show privilege mode configure command failover
level 5 mode see the privilege set up command asdm
level 3 for the show privilege mode configure arp command
level 3 for the show privilege mode configure the command routing
level 3 for the show privilege mode configure aaa-order server
level mode 3 privilege see the command configure aaa
level 3 for the show privilege mode configure command crypto
level 3 for the show privilege mode configure ssh command
level 3 for the show privilege mode configure command dhcpd
level 5 mode see the privilege set privilege to command
privilege level clear 3 mode exec command dns host
logging of the privilege clear level 3 exec mode commands
clear level 3 arp command mode privileged exec
AAA-server of privilege clear level 3 exec mode command
privilege clear level 3 exec mode command crypto
privilege clear level 3 exec command mode dynamic filters
level 3 for the privilege cmd mode configure command failover
clear level 3 privilege mode set the logging of command
privilege mode clear level 3 Configure arp command
clear level 3 privilege mode configure command crypto
clear level 3 privilege mode configure aaa-order server
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:447bbbc60fc01e9f83b32b1e0304c6b4
: end
Captures we can see packets going from the pool to the internal LAN, but we do not reply back packages.
The routing must be such that for 172.16.10.0/24 packages should reach the inside interface of the ASA.
On client machines or your internal LAN switch, you need to add route for 172.16.10.0/24 pointing to the inside interface of the ASA.
-
VM IP not accessible from outside network
Hi guys
This may be a matter of complete newbe, but I have been messing round with ESXi host and encountered a problem that I spent the last 2 days of troubleshooting. I have a box of ESXi running in my room which is connected to my network... what I'm trying to do, is to ensure that the virtual machines running on this computer is available to my PC outside the area of ESXi... the problem is I can't RDP all VMs from outside as they are being ADMINISTRATED by the VMswitch...
I used wireshark to determine the source Ip when I ping my PC from the machine virtual and found that he was given the ESXI server static ip address...
Does anyone know of a work around? I would like to assign a static ip address on the virtual computer for I can use it as FTP server for my network outside of the box of ESXI
Thanks in advance!
Once you have assigned the additional card on the movement of the virtual machine, you should be good to go.
I use RDP among other modes, to manage different servers on my local network. If you want to have the accessible FTP server from outside the local network (for example, from a different location), then you will want to use the port forwarding on your router and the IP address of this virtual machine. Watch the free services of www.dyndns.com occurring via a url instead of having to worry about your public IP address change. I use their services (those that are free for the time being) to access my ftp server and web server (two different Linux servers that are virtual machines on my ESXi host). I put RDP in place for my DC and especially vCenter servers so that I can connect to them even if the other methods do not work properly.
Feel free to reach out to me by PM if you need additional assistance, gets results online. Please keep in mind that the extra NIC you pick up is on the HCL. If I were you, I'd go with at least one card dual port. I support the Intel NETWORK card inside my ESX hosts. Right now, I use a port dual and quad port NIC inside my host. Adding that to the embedded (Broadcom NIC) gives me a total of seven NIC to play with.
VCP4
-
tunnel upward but not ping of the asa inside interface
Dear all
I am establishing a tunnel vpn between cisco asa 5510 and a cisco router. The tunnel is up, and I can ping both cryptographic interfaces. Also, from the console of the asa I can ping to the router lan interface but the router I can not ping the lan interface of the asa, this message appears in the log
% ASA-3-713042: unable to find political initiator IKE: Intf liaison_BLR, Src: 128.2
23.125.232, DST: 129.223.123.234
Here is the config of the equipment.
I was able to successfully establish an ipsec with an another ROUTER 1841 tunnel. I have 1 hub site and 3 remotes sites with asa as a hub.
Help, please.
Your crypto that ACLs are not matching. They must be exact mirror of the other.
In addition, you can consider setting the levels of security for the interfaces. They are all at 0. The value internal/private those a higher value.
Let me know how it goes.
PS. If you find this article useful, please note it.
-
I think this are problems, but here is the separately questions, first of all - the basics:
4 PC network using the working group with two Windows 7 (ultimate) and two xp. Everything worked fine with the a previous vista / xp 3 network. All except the Windows 7 Desktop behave well. The network is connected with a modem cable to a 5XT netscreen NS (firewall hardware to the outside and the inside hub), a netgear wireless access point and Windows workgroup use (as mentioned above). Name all is correct on all machines, all the discovery settings are in place and each has Norton Internet security for its local protection services. Upgrades of Windows 7 have been computer vista laptop connected wireless and wired desktop previously running XP Professional sp3. XP conversion was assisted on the desktop of the wizard upgrade Laplink PC Mover. Applications executed in appearance on the two level computers.
On the desktop - I can't share printers. When I use "networks and printers" in the start menu to share on a printer I get code 0x000006d9 error saying something like the configuration cannot be saved. All local jobs printing works well.
On the desktop - the name of the computer records also of all as on the network (it is discovered and mapped by each PC) but when I try to access it from any other machine I get a general error says something like "check your spelling of the name mannequin." This desktop computer Win 7 can browse shared folders on the network of and write about everything. Somewhat added data - this device can ping all others in the network sucessfully but none get a ping successfully into the offending machine either with ip address or computer name (times out waiting for a response or said the name is not found). He himself can ping successfully. It accesses the internet very high hand.
Solutions have been attempted without a firewall (Firewall Norton Smart Internet - 2010), with the firewall and various changes to authorization. A final discovery was that Windows Firewall will not allow because BFE is not able to start - error 5 - access denied (this was discovered by train to allow a possible solution because of some internet chatter that the Windows Firewall must be running to implement shared printers). All other dependencies are running to get a break on why BFE is not (it turns on the Win 7 laptop as well as the firewall). Authorizations have been verified in the registry for settings of firewall and BFE (ports, permits, etc.) have also been looked at with a very critical eye. SFC has been run with no problem. All ports for net drivers, Win 7 networking and other actions are open in the firewall.
Then people - I did some internet research and I tried a lot of suggested solutions nothing doesn't. My apologies in advance if a person provides a solution and I say "tried". Any help is very appreciated
You can mark this as resolved problem!
The program involved, causing this error is firewall Windows, here is what you need to do to fix this...
If like me you have disabled windows firewall, I use Security Suite of ZoneAlarm, you will need to re-enable the firewall to share the printer.If you have disabled or turned off the Windows Firewall. (and in my case this error was caused by exactly that)
Step #1 - disable any other firewall can be installed. Stop to load at startup and restart your PC.Step #2 - go to the tools of Admin folder > Services > Windows Firewall > double click and is it set to manual or automatic and keep it.
Step #3 - open Control Panel > system & security > Windows Firewall > enable or disable the Windows Firewall > (Enable) turn on the Windows Firewall > save
Then go to Restore Defaults > click on restore default button > save
(you only do this IF you have changed the settings of the firewall, but it is always a good idea and will ensure that there are no problems during the proceeding)Step #4 - click Control Panel Home > view devices & Printers > Select / click on your printer > screen printer properties > share > share this printer > OK
Step #5 - go back to firewall Windows and the tower he walks back > save
Step #6 - go back to Services > and the Manual value Windows Firewall (or turn it off if you want, I recommend the manual)
Step #7 - reboot and re-enable your firewall preferred to start at startup > Reboot
Step #8 - take a deep breath and sigh of relief! :)
-
Hi all
First time poster here.
My uncle died in November and he had this NAS device in his office. On the back it says RND4210 ReadyNAS but do not know what version or model or something else.
I got to download RAIDar, but now I have done that and it detects that the NAS very well on my network, it comes up with the following message appears:
"Your NETGEAR storage space is not accessible from this computer. Please check your network settings. »
Any help would be appreciated.
Everything is now resolved.
Although it is on the same network, it took my PC to also have a wired connection. I moved closer to my hub and plugged here rather than steal my PC ethernet and putting my PC into a Wi - Fi.
-
Capsule of the airport is not accessible from the internet
Capsule of the airport is not accessible from the internet
He could be reached at any time and has now stopped working?
How have you tried?
Three common methods... that you use?
-
How to restore pictures that have been deleted from Lightroom, but not removed from the 'drive '? Also, how can I restore photos after saving Lightroom. I started to remove some files and it removed ALL of them! I chose the option "cancel delete files" and them brought back, she says they are all "missing or offline. I tried to 'find' a different folder and it deleted the folder all together and now I don't know where he is. Help, please!
How to restore pictures that have been deleted from Lightroom, but not removed from the 'drive '?
You need a backup of your Lightroom catalog file before deleting the photos made. You have such a backup? If so, find the backup catalog, open it (double click on it) and then search for the photos you want and select them and then file-> export catalogue; Then go to your original catalog file, open it and select file-> import from another catalog and points to the catalog that you just exported.
If you do not have a backup of your catalog file, then the only thing you can do is to import the photos again, and Lightroom will treat them as totally new photos with no editing and no metadata provided by the user.
Moreover, the idea of importing photos into Lightroom and then later removing them to Lightroom should is limited to photos you will EVER want such a photos that are so overexposed or underexposed or blurred that they are essentially useless. The photos that you care enough to run a task on (including editing) should never be removed from Lightroom.
Also, how can I restore photos after saving Lightroom.
Is this the same problem as above, or another?
I chose the option "cancel delete files" and them brought back, she says they are all "missing or offline.
Is it possible that you actually deleted pictures from the hard disk, as well as from Lightroom? Anyway, Lightroom cannot find the photos and you first need to find photos on your hard drives and then direct Lightroom to the location of the photo on your hard drive, using these instructions Adobe Lightroom - find folders and files moved or missing
-
Windows Vista Home Edition not accessible PC in network
Hello
I have Windows Vista Home edition installed on a PC. I shared a few folders on the network. I gave all security and permission to everyone to read and share share the contents of the folder.
But when someone from the network wishes to access a shared folder on this computer by writing (\\abc-PC) in the Run dialog box, system gives an error "network path was not found".
I disabled the firewall and anti-virus to this PC.
Network is configured by a network of professionals expert. So no question of network.
Some people said that this is a limitation of Vista Home, but I do not.
Please help me.
Thanks in advance.
Thanks Krish
Hi Krish,
Work on a domain network?
Make sure that the computer is turned on and that you have enabled file sharing and printers on your network
Follow the steps mentioned in the link below
Solve the problems - and printer-sharing files
http://Windows.Microsoft.com/en-us/Windows-Vista/troubleshoot-file-and-printer-sharing
Make sure network discovery is on
1. open the network and sharing Center by clicking the Start button, clicking Control Panel, clicking Network and Internet, and then click Network and sharing Center.
2. If network discovery is off, click the arrow to expand the section, click turn on network discovery, and then click on apply. If you are prompted for an administrator password or a confirmation, type the password or provide confirmation.
For more information, see the link below
Network connection problems
http://Windows.Microsoft.com/en-us/Windows-Vista/troubleshoot-network-connection-problems
Networking of computers running different versions of Windows
Thank you, and in what concerns:
Ajay K
Microsoft Answers Support Engineer
Visit our Microsoft answers feedback Forum and let us know what you think.
-
Ipad Cisco ipsec VPN connects but not access to the local network
Hi guys,.
I am trying to connect our ipads to vpn to access network resources. IPSec cisco ipad connects but not lan access and cannot ping anything not even not the interfaces of the router.
If I configure the vpn from cisco on a laptop, it works perfectly, I can ping all and can access resources on the local network if my guess is that the traffic is not going in the tunnel vpn between ipad and desktop.
Cisco 877.
My config is attached.
Any ideas?
Thank you
Build-in iPad-client is not useful to your configuration.
You have three options:
(1) remove the ACL of your vpn group. Without split tunneling client will work.
2) migrate legacy config crypto-map style. Here, you can use split tunneling
3) migrate AnyConnect.
The root of the problem is that the iPad Gets the split tunneling-information. But instead of control with routing traffic should pass through the window / the tunnel and which traffic is allowed without the VPN of the iPad tries to build a set of SAs for each line in your split-tunnel-ACL. But with the model-virtual, SA only is allowed.
-
New virtual local network not accessible from the vpn
Cisco ASA 5510 helps static routes. I created a new vlan internal and added the path correct for the ASA. Internally the vlan is fully accessible, but when I connect to the VPN I can't communicate with the systems in this regard.
The access policy dynamics and associated ACLs are fine. A system related to this policy, but not on the new VLAN is accessible through this policy.
What Miss me?
Hello
Please let us know what kind of tunnel are you talking about:
1 lan to lan tunnel
2. site of tunnel site
You must ensure that the new VLAN is part of the interesting traffic and nat is free.
Add the new vlan interesting traffic will ensure that the tunnel is trigged for the new VLAN.
Do the new vlan a part of nat exemption ensures that traffic is through the tunnel and natted not routed to internet and so lost.
Also you can check if the program and for the tunnel decaps multiply or not when you try to move traffic from the new VLAN. You can check which form the "sh cry counterpart his ips."
I hope this helps.
Kind regards
Anisha
P.S.: Please mark this thread as answered, if you feel that your query is resolved. Note the useful messages.
-
Local database not accessible from the console of the enterprize Manager
Hi all.. I have a strange problem, please help
I have installed hv oracle 9i on my pc. It is related to a db server and a local database (for scott schema) is also installed on the pc. with console of oracle enterprise manager, I was and want to access the two databasses. (db server and local)
I can access the database server of db as sys: attributes are...
Host: 10.4.34.59
Port: 1526
SID: grid59
attributes for local db
---------------------
Host: e5687g7665
Port: 1523
SID: ora123
the two dbs are accessible from sql plus, but when I write scott, tiger on the console, it says 'no listener'... on the net manager oracle I HAV already added the address for pc local db.
Thanks in advance, please helpHello
It's very strange, using tnsping you get the listener, so I don't understand why sqlplus returns 'no listener '.
You have run the tnsping and sqlplus from the same computer and same ORACLE_HOME, right?
You have several installed Oracle customers?Liron Amitzi
Consultant senior s/n
[www.dbsnaps.com]
[www.orbiumsoftware.com] -
Hello
I'll put up a tunnel vpn site-to-site between two locations. Both have cisco ASA 5505 running a different version, I'll explain in more detail below. so far, I was able to get the tunnel to come but I can't seem to pass traffic, I work at this for days now and have not been able to understand why he will not pass traffic. Needless to say that the customer's PO would be on the fact that their VPN is not upward and they had to do by hand. I'll put the configs below, if possible can someone help me as soon as POSSIBLE, I really want to get this site up and running so that we do not lose the customer.
An IP address of 0.0.0.0 = site
Site B IP = 1.1.1.1A Version of the site = 8.3.1
Version of the site B = 9.2.3__________________________
_________A RACE OF THE SITE CONFIGURATION
Output of the command: "sh run".
: Saved
:
ASA Version 8.3 (1)
!
hostname SDMCLNASA01
SDMCLNASA01 domain name. LOCAL
Select 5E8js/Fs7qxjxWdp of encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Vlan1
nameif inside
security-level 100
the IP 192.168.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
the IP 0.0.0.0 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passive FTP mode
clock timezone CST - 6
clock to summer time recurring CDT
DNS lookup field inside
DNS domain-lookup outside
DNS server-group DefaultDNS
SDMCLNASA01 domain name. LOCAL
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
network of the NETWORK_OBJ_192.168.0.0_24 object
192.168.0.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
network lan_internal object
192.168.0.0 subnet 255.255.255.0
purpose of the smtp network
Home 192.168.0.245
Network http object
Home 192.168.0.245
rdp network object
Home 192.168.0.245
network ssl object
Home 192.168.0.245
network camera_1 object
host 192.168.0.13
network camerahttp object
host 192.168.0.13
service object 8081
source eq 8081 destination eq 8081 tcp service
Dvr description
network camera-http object
host 192.168.0.13
network dvr-http object
host 192.168.0.13
network dvr-mediaport object
host 192.168.0.13
object-group Protocol DM_INLINE_PROTOCOL_1
object-protocol udp
object-tcp protocol
object-group Protocol TCPUDP
object-protocol udp
object-tcp protocol
DM_INLINE_TCP_1 tcp service object-group
EQ port 3389 object
port-object eq www
EQ object of the https port
EQ smtp port object
DM_INLINE_TCP_2 tcp service object-group
port-object eq 34567
port-object eq 34599
EQ port 8081 object
permit access ip 192.168.0.0 scope list outside_1_cryptomap 255.255.255.0 192.168.1.0 255.255.255.0
outside_access_in list extended access permit tcp any any eq smtp
outside_access_in list extended access permit tcp any any DM_INLINE_TCP_1 object-group
outside_access_in list extended access permit tcp any any DM_INLINE_TCP_2 object-group
permit access ip 192.168.0.0 scope list inside_nat0_outbound 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow any inside
ICMP allow all outside
don't allow no asdm history
ARP timeout 14400
NAT (inside, outside) static static source NETWORK_OBJ_192.168.1.0_24 destination NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.1.0_24
NAT (exterior, Interior) static static source NETWORK_OBJ_192.168.0.0_24 destination NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.0.0_24
!
network lan_internal object
NAT dynamic interface (indoor, outdoor)
purpose of the smtp network
NAT (all, outside) interface static tcp smtp smtp service
Network http object
NAT (all, outside) interface static tcp www www service
rdp network object
NAT (all, outside) interface static service tcp 3389 3389
network ssl object
NAT (all, outside) interface static tcp https https service
network dvr-http object
NAT (all, outside) interface static 8081 8081 tcp service
network dvr-mediaport object
NAT (all, outside) interface static 34567 34567 tcp service
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 71.42.194.209 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
http server enable 8080
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 outside
http 71.40.221.136 255.255.255.252 inside
http 71.40.221.136 255.255.255.252 outside
http 192.168.0.0 255.255.255.0 outside
http 97.79.197.42 255.255.255.255 inside
http 97.79.197.42 255.255.255.255 outside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 set peer 1.1.1.1
card crypto outside_map 1 set of transformation-ESP-3DES-SHA
outside_map interface card crypto outside
crypto isakmp identity address
crypto ISAKMP allow outside
crypto ISAKMP policy 65535
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
dhcpd address 192.168.0.50 - 192.168.0.150 inside
dhcpd dns 192.168.0.245 209.18.47.62 interface inside
dhcpd SDMCLNASA01 field. LOCAL inside interface
dhcpd allow inside
!a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
attributes of Group Policy DfltGrpPolicy
Protocol-tunnel-VPN IPSec l2tp ipsec
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared key *.
!
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
!
context of prompt hostname
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:462428c25e9748896e98863f2d8aeee7
: end________________________________
SITE B RUNNING CONFIG
Output of the command: "sh run".
: Saved
:
: Serial number: JMX1635Z1BV
: Material: ASA5505, 512 MB RAM, 500 MHz Geode Processor
:
ASA Version 9.2 (3)
!
ciscoasa hostname
activate qddbwnZVxqYXToV9 encrypted password
volatile xlate deny tcp any4 any4
volatile xlate deny tcp any4 any6
volatile xlate deny tcp any6 any4
volatile xlate deny tcp any6 any6
volatile xlate deny udp any4 any4 eq field
volatile xlate deny udp any4 any6 eq field
volatile xlate deny udp any6 any4 eq field
volatile xlate deny udp any6 any6 eq field
names of
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP 1.1.1.1 255.255.255.252
!
passive FTP mode
clock timezone CST - 6
clock to summer time recurring CDT
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
network camera_http object
host 192.168.1.13
network camera_media object
host 192.168.1.13
network of the NETWORK_OBJ_192.168.0.0_24 object
192.168.0.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
outside_access_in list extended access permit tcp any any eq 9000
outside_access_in list extended access permit tcp any any eq www
outside_access_in list extended access permit icmp any one
outside_cryptomap to access ip 192.168.1.0 scope list allow 255.255.255.0 object NETWORK_OBJ_192.168.0.0_24
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow any inside
ICMP allow all outside
ASDM image disk0: / asdm - 732.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) static static source NETWORK_OBJ_192.168.0.0_24 destination NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.0.0_24
NAT (exterior, Interior) static static source NETWORK_OBJ_192.168.1.0_24 destination NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.1.0_24
!
network camera_http object
NAT (all, outside) interface static tcp www www service
network camera_media object
NAT (all, outside) interface static 9000 9000 tcp service
!
NAT source auto after (indoor, outdoor) dynamic one interface
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 71.40.221.137 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
Enable http server
http 192.168.1.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto outside_map 1 match address outside_cryptomap
card crypto outside_map 1 peer set 0.0.0.0
card crypto outside_map 1 set transform-set ESP-3DES-SHA ikev1
outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev1 allow outside
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH stricthostkeycheck
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0dhcpd address 192.168.1.50 - 192.168.1.150 inside
dhcpd dns 192.168.0.245 209.18.47.61 interface inside
dhcpd SDPHARR field. LOCAL inside interface
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
AnyConnect essentials
attributes of Group Policy DfltGrpPolicy
Ikev1 VPN-tunnel-Protocol
internal GroupPolicy_0.0.0.0 group strategy
attributes of Group Policy GroupPolicy_0.0.0.0
VPN-tunnel-Protocol ikev1, ikev2
tunnel-group 0.0.0.0 type ipsec-l2l
tunnel-group 0.0.0.0 ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
!
context of prompt hostname
no remote anonymous reporting call
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:19031ab1e3bae21d7cc8319fb7ecf0eb
: endSorry my mistake.
Delete this if it's still there
card crypto external_map 1 the value reverse-road
Add this to both sides
card crypto outside_map 1 the value reverse-road
Sorry about that.
Mike
-
vmware site is not accessible from other hosts
The host is Windows 7, and the guest is CentOS. I managed to put in
openSSH and apache on the rise and the site is visible to the host, but I can't
access it from outside my LAN (I have a router) or inside my local network (since one
another computer of course). How to configure Vmware & window7 then I have
can access my virtual server on the internet?
If you did what I said in my reply to you the other day this subject, you should be able to access by other computers on your local network, but not in itself for WAN connections and you will need to set up your router correctly to enable connectivity on the Internet virtual computer.
You did as I suggested and read Chapter 14 you have a knowledge of virtual networks and then bridged Network Adapter to the virtual machine value and disable auto fill in the virtual network Editor?
If this is not the case, go back and read: Re: vmware is accessible from the host machine, but not on other computers
BTW, in the future do not start a second thread for discussion of the matter.
-
If I right click 'open with' open with other programs like IE but not "Windows Photo Gallery". It is not a specific .jpg file, this is all .jpg files. For example... I have a .jpg file in a folder on my desktop, open folder double click, it will open in the "Windows Photo Gallery". Copy and paste the SAME file on the desktop, double-click on, nothing happens. I tried to restart, change the default value of IE, open the file, it opens, by default change to "Windows Photo Gallery" doesn't work... I am confused?
Hello
Welcome to the community of Windows Vista answers.
Method 1:
This can happen in the database that keeps track of all the photos and videos in your collection is damaged. You can rebuild your database by:
(1) close Windows Live Photo Gallery
(2) · Click Start
(3) · Click on my computer
(4) · Paste this address into the address field %userprofile%\Local Settings\Application Data\Microsoft\Windows Live Photo Gallery
(5) · Right-click Pictures.pd5
(6) click on rename
(7) · Change the name of the file to OLD_Pictures.pd5
(8) · Restart the computer and then try to open the Windows Photo Gallery.
Method 2:
Try using the tool (SFC.exe) System File Checker to check and repair corrupt system files. To do this, follow these steps:How to run scan SFC
1. click on the Start button
2. on the Start Menu, click all programs followed by accessories
3. in the menu accessories, right-click on command line option
4. in the drop-down menu that appears, click the "Run as Administrator" option
5 If you have the enabled User Account Control (UAC) you will be asked to consent to the opening of the command line. You simply press the button continue if you are the administrator or insert password etc.
6. in the command prompt window, type: sfc/scannow then press enter
7. a message is displayed to indicate that "the analysis of the system will start.
8. be patient because the analysis may take some time
9. If all of the necessary files any replacement SFC will replace them. You may be asked to insert your Vista DVD for this process to continue
10. If all goes although you should, after the analysis, see the following message "Windows resource protection not found any breach of integrity.
11 after the scan finished, close the command prompt window reboot the computer and check.
For more information, see the link below.
http://support.Microsoft.com/kb/936212Let us know if this helps
Concerning
Anthony.
Maybe you are looking for
-
Given that I spend a few days in 3.6, I realized that I can hardly see my statusbar on FF. There is no way in options where I can change this. Can you please advise as soon as possible. Thank you
-
Satellite A660 - 17 M - need drivers for Windows 7 32 bit
Dear all I just brought a new Toshiba Satellite A660 - 17 M in Egypt and I installed windows 7 32-bit on it to support my company work, but I could find the drivers for it on the website and many material options does not specially the extra package,
-
I think that my Windows Live Hotmail account has been compromised by a third party.
I think that my hotmail account has been compromised by a third party. Please help restore my access that I use every day. Thank you. * E-mail address is removed from the privacy * My home phone is 406-857-2362 call at any time. I can't work without
-
Hello I just bought a SW2 and I try to use it with my LG P880. After starting it up while try I noticed quickly that it didn't work as expected. After some googling I found that there are other people out there with the same problem. I synced once up
-
my internet works fine, but I can't hotmail!
I can access all my internet Favorites, but not hotmail... internet is obviouslyworks great!