My ASA cannot ping the lan address
I built an EzVPN on an ASA. I can access the ASA and ping the inside interface address successfully, but my Windows 7 PC can't ping the interconnect address 10.100.255.2. I don't know how to solve the problem. Please help me if you can. Thank you...
Configuration:
ASA5520# sh run
: Saved
:
ASA Version 7.2(3)
!
hostname ASA5520
domain-name sxng
enable password DOAXe2w/ilkXwCIz encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.100.255.254 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address x.x.x.x 255.255.255.0
!
interface GigabitEthernet0/3
 nameif wireless
 security-level 10
 ip address x.x.x.x 255.255.255.0
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/pix723.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name sxng
access-list dmz_access_in extended permit ip any any
access-list dmz_access_in extended permit icmp any any
access-list split-tunnel standard permit 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip any 10.100.254.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.100.254.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip any 10.100.254.0 255.255.255.0
access-list acl_out extended permit icmp any any
access-list acl_out extended permit tcp any host x.x.x.x eq www
access-list acl_out extended permit tcp any host x.x.x.x eq 9000
access-list acl_out extended permit udp any host x.x.x.x eq 9000
........
......
access-list acl_out extended permit ip any 10.1.1.0 255.255.255.0
access-list inside_access_in extended permit tcp 10.1.10.0 255.255.255.0 any eq 5000
access-list acl_inside extended permit ip any any
access-list acl_inside extended permit icmp any any
access-list wireless_access_in extended permit ip any any
access-list wireless_access_in extended permit icmp any any
pager lines 24
logging enable
logging timestamp
logging list vpn-event level emergencies
logging list vpn-event message 109001-109028
logging list vpn-event message 113001-113019
logging buffer-size 5000
logging console informational
logging buffered debugging
logging trap debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu wireless 1500
mtu management 1500
ip local pool vpnpool 10.100.254.1-10.100.254.250 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 1 x.x.x.x
global (dmz) 1 10.100.253.101-10.100.253.200 netmask 255.255.255.0
global (wireless) 1 172.16.255.101-172.16.255.200 netmask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.1.1.14 255.255.255.255
nat (inside) 1 10.1.13.100 255.255.255.255
nat (wireless) 1 172.16.0.0 255.255.0.0
static (dmz,outside) tcp x.x.x.x www 10.100.253.1 www netmask 255.255.255.255
.......
.........
static (inside,dmz) 10.1.1.11 10.1.1.11 netmask 255.255.255.255
static (inside,dmz) 10.1.1.16 10.1.1.16 netmask 255.255.255.255
static (dmz,outside) x.x.x.x 10.100.253.20 netmask 255.255.255.255
static (dmz,outside) x.x.x.x 10.100.253.32 netmask 255.255.255.255
access-group acl_out in interface outside
access-group acl_inside in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 10.0.0.0 255.0.0.0 10.100.255.1 1
route inside 10.0.0.0 255.0.0.0 10.100.255.2 1
route wireless 172.16.0.0 255.255.0.0 172.16.255.1 1
!
router ospf 1
 network 10.67.180.0 255.255.255.255 area 0
 network 0.0.0.0 0.0.0.0 area 1
 log-adj-changes
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
telnet 0.0.0.0 0.0.0.0 outside
telnet 10.0.0.0 255.0.0.0 inside
telnet 10.100.0.0 255.255.0.0 inside
telnet 10.100.255.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 wireless
telnet timeout 10
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
console timeout 0
dhcpd dns x.x.x.x
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
group-policy sxnggroup internal
group-policy sxnggroup attributes
 dns-server value 202.99.192.68
 ip-comp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
username sxtrq password Y6cwK1wOhbhJ6YI/ encrypted
username maboai password R6eu6P1iKIwFIFjS encrypted
username winet password FwZ0ghxvIpXOepvf encrypted
tunnel-group sxnggroup type ipsec-ra
tunnel-group sxnggroup general-attributes
 address-pool vpnpool
 default-group-policy sxnggroup
tunnel-group sxnggroup ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:119ae137eef5ed97d38b4e2f90ed46d7
: end
ASA5520# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is 202.97.158.177 to network 0.0.0.0
C    x.x.x.x 255.255.255.248 is directly connected, outside
C    172.16.255.0 255.255.255.0 is directly connected, wireless
S    172.16.0.0 255.255.0.0 [1/0] via 172.16.255.1, wireless
S    10.0.0.0 255.0.0.0 [1/0] via 10.100.255.1, inside
                        [1/0] via 10.100.255.2, inside
C    10.100.255.0 255.255.255.0 is directly connected, inside
S    10.100.254.2 255.255.255.255 [1/0] via x.x.x.x, outside
C    10.100.253.0 255.255.255.0 is directly connected, dmz
S*   0.0.0.0 0.0.0.0 [1/0] via x.x.x.x, outside
ASA5520# sh arp
 outside x.x.x.x 00d0.d0c6.9181
 outside x.x.x.x 00d0.d0c6.9181
 outside 224.0.0.5 0100.5e00.0005
 inside 224.0.0.5 0100.5e00.0005
 inside 10.100.255.1 0000.0c07.acff
 inside 10.100.255.2 001c.b0cb.5ec0
 dmz 10.100.253.20 60a4.4c23.3032
 dmz 224.0.0.5 0100.5e00.0005
 dmz 10.100.253.1 001a.6436.6df6
 wireless 224.0.0.5 0100.5e00.0005
 wireless 172.16.255.1 0026.98c6.41c8
Try using the "show crypto ipsec sa" command to watch the encaps and decaps packet counters; I hope they aren't incrementing too fast. You should see both increase when a ping succeeds and only one side increase when it fails. Check both sides of the VPN, and this should give you an idea of where the problem is. If the encaps packets are incrementing on the ASA local to your Win7 PC and decaps are incrementing on the remote ASA but encaps are not, then the issue is with packets coming back from the remote side. I hope this helps you determine the location of the problem so that you can focus your search there.
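The counter comparison described in the reply above, as an added example that is not part of the original thread: it parses two "show crypto ipsec sa" snapshots taken on one VPN endpoint before and after a ping test and reports which direction stopped incrementing. The sample output, peer address, user name and result labels are constructed for illustration.

```python
import re

# Constructed samples: trimmed `show crypto ipsec sa` output captured on the
# ASA before and after five pings sent from the VPN client to a LAN host.
# Addresses are documentation ranges, not values from the thread.
BEFORE = """\
interface: outside
    Crypto map tag: outside_dyn_map, seq num: 20, local addr: 203.0.113.1
      current_peer: 198.51.100.7, username: user1
      #pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40
      #pkts decaps: 55, #pkts decrypt: 55, #pkts verify: 55
"""
AFTER = """\
interface: outside
    Crypto map tag: outside_dyn_map, seq num: 20, local addr: 203.0.113.1
      current_peer: 198.51.100.7, username: user1
      #pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40
      #pkts decaps: 60, #pkts decrypt: 60, #pkts verify: 60
"""

# ASA prints "current_peer: A.B.C.D", IOS prints "current_peer A.B.C.D port 500".
PEER_RE = re.compile(r"current_peer:?\s*([0-9A-Fa-f.:]+)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")


def parse_sa_counters(text):
    """Return {peer: {"encaps": n, "decaps": n}}, summed over all SAs per peer."""
    totals = {}
    peer = None
    for line in text.splitlines():
        match = PEER_RE.search(line)
        if match:
            peer = match.group(1)
            totals.setdefault(peer, {"encaps": 0, "decaps": 0})
        elif peer is not None:
            for name, value in COUNTER_RE.findall(line):
                totals[peer][name] += int(value)
    return totals


def counter_delta(before, after, peer):
    """Counter growth for one peer between two snapshots."""
    old = parse_sa_counters(before)[peer]
    new = parse_sa_counters(after)[peer]
    delta = {name: new[name] - old[name] for name in ("encaps", "decaps")}
    if min(delta.values()) < 0:
        # A rebuilt or cleared SA restarts its counters at zero.
        raise ValueError("counters went backwards; take both snapshots again")
    return delta


def diagnose(delta):
    """Map the growth pattern to the side of the tunnel worth investigating."""
    sent, received = delta["encaps"] > 0, delta["decaps"] > 0
    if sent and received:
        return "both-directions"         # tunnel passes traffic both ways
    if received:
        return "return-traffic-missing"  # requests arrive, replies never re-enter the tunnel
    if sent:
        return "peer-not-answering"      # this side encrypts, nothing comes back
    return "no-tunnel-traffic"           # test traffic never reached this SA


if __name__ == "__main__":
    change = counter_delta(BEFORE, AFTER, "198.51.100.7")
    print(change, diagnose(change))
```

Run the ping test while the tunnel is otherwise quiet, since unrelated traffic through the same SA also moves the counters.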
Tags: Cisco Security
Similar Questions
-
Greetings,
-----------------------------------------------------------------------------------------------------------------------
UPDATE: We have found the solution to this problem, and I posted an explanation as well as two ways to solve the problem in my 2nd post on May 5, 2015. Scroll down to it for the solution. Unfortunately, Microsoft does not allow the OP to mark one of their own messages as 'the Answer', so this thread continues to be listed as "no answer" when it has actually been answered.
-----------------------------------------------------------------------------------------------------------------------
The original message follows...
We cannot connect a new Win 7 (64-bit) computer to an ethernet printer set up on our local 'workgroup' network. We have reached the limit of our troubleshooting skills and need expert assistance.
Our Local network
------------------------
The printer is a Dell 5100cn workgroup laser that is connected via an ethernet cable to a 5-port 10/100 Cisco/Linksys workgroup switch. The switch is connected to the Motorola combined cable modem / 4-port gigabit router / WiFi access point. There is no server between the printer and the network. Other computers on the network also run Win 7 and have no trouble seeing and using the printer. Some computers are connected via a gigabit ethernet cable to the Motorola router. Other computers connect wirelessly over WiFi (once again, through the same Motorola device). All computers, including the new one, are assigned to the same workgroup.
The printer has a static IP address. It also has an integrated Web page accessible within the network via a browser to view the status of the printer. All previous computers can view the status of the printer Web page by entering its IP address in a browser.
The new Win 7 computer
--------------------------------
At the Windows command prompt, we successfully pinged the IP address of the printer and received a reply. However, we are unable to connect to the IP address of the printer (and its status Web page) with a browser. And we cannot find the printer when we install the printer driver. We have tried turning off the Windows Firewall and it did not help. When we install the driver, we set it up as a 'local' printer and create a new "Standard TCP/IP Port" for it. We enter the static IP address of the printer and name the port. We set the protocol to "LPR", enter the queue name ("lp") and enable SNMP status with the community name 'public' and the index "1". These settings have worked very well with our previous computers.
When the time comes to 'choose a printer', we select 'Have Disk...' and use the Dell 64-bit driver for this printer. But it does not work and does not print a test page. We even tried to install the printer as a 'network' printer, but that does not work, either. In addition, the 'local' method always seemed to work best in the past.
The new computer has no trouble seeing other computers and devices on the network. For example, there is a NAS connected to the same Cisco/Linksys switch as the printer, and the computer can access the NAS via its static IP address. The new computer can also access the internet. It just can't use the IP address of the printer. We even tried changing the IP address of the printer, but that did not help either.
Despite the fact that the command prompt ping works, the Windows network troubleshooter indicates that the printer is not responding. What are we missing? Help, please.
Greetings,
I hope that this will be our last post on this subject. We have discovered the source of the problem and can offer two 'fixes' in case someone else runs into the same situation.
With the help of MSConfig and a process of elimination, we have disabled non-Microsoft services that were running on the computer until we discovered that "Qualcomm Atheros Killer Service V2" was the source of the problem.
Explanation
----------------
Our new Win 7 computer contains a Qualcomm Atheros e2200 ethernet/WiFi/Bluetooth communication module. The manufacturer provides a 'Killer Network Manager' for this system. Its purpose is to monitor and control the flow of data over a network connection in order to optimize it. For example, the user can choose to give program A high priority and program B low priority. This ensures that program A experiences less lag in network traffic.
The primary market for this feature, so far, has been online gaming (hence the name 'Killer'). It allows players to channel the bulk of the available bandwidth to their game and away from other programs and services that are running at the same time. A faster online response gives the player the advantage needed to get the "kill" before someone else.
This bandwidth control system interfered with the return data packets on our network, blocking communication between our computer and our printer.
Solution 1
--------------
The simplest solution for us was to disable 'Qualcomm Atheros bandwidth control' for the ethernet NIC. That was accomplished by going to: Windows Control Panel > Network and Internet > Network and Sharing Center > Change adapter settings (in the sidebar). Then we clicked on our LAN connection (our ethernet NIC) and selected the 'Properties' command. Finally, on the Networking tab, we disabled 'Qualcomm Atheros bandwidth control' and clicked the 'OK' button to close.
All that was needed after that was a quick restart, and we were able to access our printer even with the Killer Network Manager and Qualcomm Atheros Killer Service V2 running.
Either way, we left the bandwidth control function enabled for our wireless network connection because we do not plan on using this network printer when the computer is untethered from ethernet.
Solution 2
--------------
If you don't want the Killer Network Manager running on your computer, you may be tempted to uninstall it. Do not! Uninstalling it will also uninstall the drivers needed for your ethernet, WiFi and possibly your Bluetooth as well. We heard that some users have contacted Qualcomm and were able to coax out of them the necessary comm drivers without the "Killer" baggage. But you don't need to do that, either.
All you need to do is: (1) remove the 'Killer Network Manager' from the "Startup" folder of the Windows Start menu (under "Programs") and (2) using MSConfig, uncheck "Qualcomm Atheros Killer Service V2" under the 'Services' section. Then reboot and you're good to go. The Killer Network Manager and its service will not run.
Moreover, the reason we did not choose this method ourselves is that we see some merit in having the Killer Network Manager available so that we can block network traffic to select programs. Solution 1 makes this easy because the ethernet bandwidth control can be quickly enabled again if it is ever desired. And we're leaving it enabled for our WiFi.
Best regards, David-EH
-
CANNOT ACCESS THE LAN WITH THE EASY VPN CONFIGURATION
Hello
I configured an Easy VPN server on a Cisco 1905 ISR using CCP. The router is already configured with a zone-based firewall. Using the VPN client I can reach only as far as the internal interface of the router, but cannot access my company's LAN. Do I need to change any ZBF configuration, since it is configured as "deny everything" from outside to inside? If so, which protocols should I match? Also, is any NAT exemption needed for VPN clients? Please help me! Thanks in advance.
Please see my full configuration:
Router#sh run
Building configuration...
Current configuration: 8150 bytes
!
! Last modification of the configuration at 05:40:32 UTC Wednesday, July 4, 2012 by
! NVRAM config updated 06:04 UTC Tuesday, July 3, 2012 by
! NVRAM config updated 06:04 UTC Tuesday, July 3, 2012 by
version 15.1
horodateurs service debug datetime msec
Log service timestamps datetime msec
no password encryption service
!
router host name
!
boot-start-marker
boot-end-marker
!
!
Passwords security min-length 6
no set record in buffered memory
enable secret 5 xxxxxxxxxxx
!
AAA new-model
!
!
AAA authentication login default local
AAA authentication login ciscocp_vpn_xauth_ml_1 local
AAA authorization exec default local
AAA authorization ciscocp_vpn_group_ml_1 LAN
!
!
!
!
!
AAA - the id of the joint session
!
!
No ipv6 cef
IP source-route
no ip free-arps
IP cef
!
Xxxxxxxxx name server IP
IP server name yyyyyyyyy
!
Authenticated MultiLink bundle-name Panel
!parameter-map local urlfpolicy TSQ-URL-FILTER type
offshore alert
block-page message "Blocked according to policy"
parameter-card type urlf-glob FACEBOOK
model facebook.com
model *. Facebook.comparameter-card type urlf-glob YOUTUBE
mires of youtube.com
model *. YouTube.comparameter-card type urlf-glob CRICKET
model espncricinfo.com
model *. espncricinfo.comparameter-card type urlf-glob CRICKET1
webcric.com model
model *. webcric.comparameter-card type urlf-glob YAHOO
model *. Yahoo.com
model yapoparameter-card type urlf-glob PERMITTEDSITES
model *.parameter-card type urlf-glob HOTMAIL
model hotmail.com
model *. Hotmail.comCrypto pki token removal timeout default 0
!
Crypto pki trustpoint TP-self-signed-2049533683
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 2049533683
revocation checking no
rsakeypair TP-self-signed-2049533683
!
Crypto pki trustpoint tti
crl revocation checking
!
Crypto pki trustpoint test_trustpoint_config_created_for_sdm
name of the object [email protected] / * /
crl revocation checking
!
!
TP-self-signed-4966226213 crypto pki certificate chain
certificate self-signed 01
3082022B 30820194 02111101 300 D 0609 2A 864886 F70D0101 05050030 A0030201
2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43647274 31312F30
69666963 32303439 35323236 6174652D 3833301E 170 3132 30363232 30363332quit smoking
encryption pki certificate chain tti
for the crypto pki certificate chain test_trustpoint_config_created_for_sdm
license udi pid CISCO1905/K9 sn xxxxxx
licence start-up module c1900 technology-package datak9
username privilege 15 password 0 xxxxx xxxxxxx
!
redundancy
!
!
!
!
!
type of class-card inspect entire tsq-inspection-traffic game
dns protocol game
ftp protocol game
https protocol game
match icmp Protocol
match the imap Protocol
pop3 Protocol game
netshow Protocol game
Protocol shell game
match Protocol realmedia
match rtsp Protocol
smtp Protocol game
sql-net Protocol game
streamworks Protocol game
tftp Protocol game
vdolive Protocol game
tcp protocol match
udp Protocol game
match Protocol l2tp
class-card type match - all BLOCKEDSITES urlfilter
Server-domain urlf-glob FACEBOOK game
Server-domain urlf-glob YOUTUBE game
CRICKET urlf-glob-domain of the server match
game server-domain urlf-glob CRICKET1
game server-domain urlf-glob HOTMAIL
class-map type urlfilter match - all PERMITTEDSITES
Server-domain urlf-glob PERMITTEDSITES match
inspect the class-map match tsq-insp-traffic type
corresponds to the class-map tsq-inspection-traffic
type of class-card inspect correspondence tsq-http
http protocol game
type of class-card inspect all match tsq-icmp
match icmp Protocol
tcp protocol match
udp Protocol game
type of class-card inspect correspondence tsq-invalid-src
game group-access 100
type of class-card inspect correspondence tsq-icmp-access
corresponds to the class-map tsq-icmp
!
!
type of policy-card inspect urlfilter TSQBLOCKEDSITES
class type urlfilter BLOCKEDSITES
Journal
reset
class type urlfilter PERMITTEDSITES
allow
Journal
type of policy-card inspect SELF - AUX-OUT-policy
class type inspect tsq-icmp-access
inspect
class class by default
Pass
policy-card type check IN and OUT - POLICIES
class type inspect tsq-invalid-src
Drop newspaper
class type inspect tsq-http
inspect
service-policy urlfilter TSQBLOCKEDSITES
class type inspect tsq-insp-traffic
inspect
class class by default
drop
policy-card type check OUT IN-POLICY
class class by default
drop
!
area inside security
security of the OUTSIDE area
source of security OUT-OF-IN zone-pair outside the destination inside
type of service-strategy check OUT IN-POLICY
zone-pair IN-to-OUT DOMESTIC destination outside source security
type of service-strategy inspect IN and OUT - POLICIES
security of the FREE-to-OUT source destination free outdoors pair box
type of service-strategy inspect SELF - AUX-OUT-policy
!
Crypto ctcp port 10000
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
!
crypto ISAKMP policy 2
Group 2
!
ISAKMP crypto client configuration group vpntunnel
XXXXXXX key
pool SDM_POOL_1
include-local-lan
10 Max-users
ISAKMP crypto ciscocp-ike-profile-1 profile
vpntunnel group identity match
client authentication list ciscocp_vpn_xauth_ml_1
ISAKMP authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-model 1
!
!
Crypto ipsec transform-set TSQ-TRANSFORMATION des-esp esp-md5-hmac
!
Profile of crypto ipsec CiscoCP_Profile1
game of transformation-TRANSFORMATION TSQ
set of isakmp - profile ciscocp-ike-profile-1
!
!
!
!
!
!
the Embedded-Service-Engine0/0 interface
no ip address
response to IP mask
IP directed broadcast to the
Shutdown
!
interface GigabitEthernet0/0
Description LAN INTERFACE-FW-INSIDE
IP 172.17.0.71 255.255.0.0
IP nat inside
IP virtual-reassembly in
security of the inside members area
automatic duplex
automatic speed
!
interface GigabitEthernet0/1
Description WAN-INTERNET-INTERNET-FW-OUTSIDE
IP address xxxxxx yyyyyyy
NAT outside IP
IP virtual-reassembly in
security of the OUTSIDE member area
automatic duplex
automatic speed
!
interface Serial0/0/0
no ip address
response to IP mask
IP directed broadcast to the
Shutdown
no fair queue
2000000 clock frequency
!
type of interface virtual-Template1 tunnel
IP unnumbered GigabitEthernet0/0
ipv4 ipsec tunnel mode
Tunnel CiscoCP_Profile1 ipsec protection profile
!
local IP SDM_POOL_1 172.17.0.11 pool 172.17.0.20
IP forward-Protocol ND
!
no ip address of the http server
local IP http authentication
IP http secure server
!
IP nat inside source list 1 interface GigabitEthernet0/1 overload
IP route 0.0.0.0 0.0.0.0 yyyyyyyyy
IP route 192.168.1.0 255.255.255.0 172.17.0.6
IP route 192.168.4.0 255.255.255.0 172.17.0.6
!
access-list 1 permit 172.17.0.0 0.0.255.255
access-list 100 permit ip 255.255.255.255 host everything
access-list 100 permit ip 127.0.0.0 0.255.255.255 everything
access-list 100 permit ip yyyyyy yyyyyy everything
!
!
!
!
!
!
!
!
control plan
!
!
!
Line con 0
line to 0
line 2
no activation-character
No exec
preferred no transport
transport of entry all
output transport lat pad rlogin lapb - your MOP v120 udptn ssh telnet
StopBits 1
line vty 0 4
transport input ssh rlogin
!
Scheduler allocate 20000 1000
end
A few things to change:
(1) The IP pool must be a unique subnet; it must not be the same subnet as your internal subnet.
(2) Your NAT ACL 1 must be changed to an extended ACL so that you can configure NAT exemption. So if your pool is reconfigured to be 10.10.10.0/24:
access-list 120 deny ip 172.17.0.0 0.0.255.255 10.10.10.0 0.0.0.255
access-list 120 permit ip 172.17.0.0 0.0.255.255 any
ip nat inside source list 120 interface GigabitEthernet0/1 overload
no ip nat inside source list 1 interface GigabitEthernet0/1 overload
(3) OUT-IN-POLICY needs to include VPN traffic:
access-list 121 permit ip 10.10.10.0 0.0.0.255 172.17.0.0 0.0.255.255
class-map type inspect match-all vpn-access
 match access-group 121
policy-map type inspect OUT-IN-POLICY
 class type inspect vpn-access
  inspect
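An added check of points (1) and (2) in the reply above (example code, not from the thread): it tests whether a VPN pool overlaps the inside subnet and evaluates the NAT ACLs first-match, using IOS wildcard masks, to show which flows get translated. ACL 1 is written in its equivalent extended form so one parser handles both, and the sample host addresses are constructed.

```python
import ipaddress

# NAT ACLs from the thread. ACL 1 is a standard (source-only) ACL, expressed
# here as the equivalent extended entry.
OLD_NAT_ACL = ["access-list 1 permit ip 172.17.0.0 0.0.255.255 any"]
NEW_NAT_ACL = [
    "access-list 120 deny ip 172.17.0.0 0.0.255.255 10.10.10.0 0.0.0.255",
    "access-list 120 permit ip 172.17.0.0 0.0.255.255 any",
]


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def _take_spec(tokens):
    """Consume one address spec: 'any', 'host A' or 'A WILDCARD'."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_to_int(tokens[1]), 0), tokens[2:]
    return (_to_int(tokens[0]), _to_int(tokens[1])), tokens[2:]


def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC DST' into (action, src, dst)."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny") or tokens[3] != "ip":
        raise ValueError("unsupported ACL entry: " + line)
    src, rest = _take_spec(tokens[4:])
    dst, _ = _take_spec(rest)
    return tokens[2], src, dst


def _matches(addr, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return (_to_int(addr) & care) == (base & care)


def acl_action(acl, src, dst):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for line in acl:
        action, src_spec, dst_spec = parse_ace(line)
        if _matches(src, src_spec) and _matches(dst, dst_spec):
            return action
    return "deny"


def is_natted(acl, src, dst):
    """'ip nat inside source list' translates only flows the ACL permits."""
    return acl_action(acl, src, dst) == "permit"


def pool_overlaps_lan(first, last, lan_cidr):
    """True when any address of the VPN pool falls inside the LAN subnet."""
    lan = ipaddress.ip_network(lan_cidr)
    blocks = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return any(block.overlaps(lan) for block in blocks)


if __name__ == "__main__":
    # Pool from the posted config versus the pool suggested in the reply.
    print(pool_overlaps_lan("172.17.0.11", "172.17.0.20", "172.17.0.0/16"))
    print(pool_overlaps_lan("10.10.10.1", "10.10.10.254", "172.17.0.0/16"))
    # Reply from a LAN host (constructed address) to a VPN client.
    print(is_natted(OLD_NAT_ACL, "172.17.0.50", "10.10.10.5"))
    print(is_natted(NEW_NAT_ACL, "172.17.0.50", "10.10.10.5"))
```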
-
Cannot ping the Virtual Machine by host
Hi all,
Please help. I use VMware Workstation 6.5 and my physical operating system is Windows XP SP2. I have a network card, but it is not connected to a physical switch; its IP address is 192.168.0.1. I installed a virtual machine using Microsoft Windows 2003 Server as the operating system, promoted it to domain controller, installed the DHCP and DNS services, and assigned it the IP 192.168.0.2, with no default gateway.
My VMnet1 on the physical operating system has the IP 192.168.204.1 and VMnet8 has the IP 192.168.126.1.
From the host, I cannot ping 192.168.0.2, which is the IP address of the virtual machine. Likewise, from the virtual machine I cannot ping 192.168.0.1, the IP address of the host. From what I read, the physical and the virtual machine are connected by a virtual switch. Am I wrong?
Any advice?
Thanks in advance.
They SEEM to be in different networks; you need routing between them, since they are different networks...
or otherwise
put the host and the virtual machine on the same subnet/network, for EXAMPLE: class C network 192.168.200.0/24
Please award points if my answer was helpful... Thank you
Regards,
Joe
-
5110 printer wireless but the software cannot see the IP address
Hello. I have a new printer Photosmart 5110. I turned on and it found my wireless network. I entered the key wireless and got an IP 192.168.1.68 and connected is displayed.
I have an ASUS Netbook. It doesn't have a CD player, so I had to download the HP Photosmart installation software. I am running XP. When I run the installer, it asks if I have a printer connected wireless network. I enter the IP address and the message says printer not found.
I use a BT Home Hub. When I log on the hub I see the printer and IP address.
I can ping the IP address of the laptop.
I can access the printer directly using Internet Explorer and entering the printer IP address - and I can print a test page with success.
I have Norton Security and I turned off the firewall.
I can't get the installation software to see the IP address of the printer.
Don't you think that there is a problem with Norton blocking the IP (if so, how unlock) or something to the BT Hub?
Can you help or give me ideas I can try before I take it back to the store?
Steve
Hello Steveargy,
Have you tried to run the network diagnostic utility? If not, can you please do so?
I hope this helps
Best regards
F.
-
ESX host cannot ping the default gateway.
Hi Experts,
I have connected the ESX hosts to a Cisco switch, both through the iLO and through the other ports.
Cisco switch configuration;
int gig 1/0/21 and 1/0/13 gig and gig 1/0/14 are configured as access ports because they are carriers/tagging vLan as a 306.
From the Cisco switch, I can ping the iLO IP address, but I can't ping the management IP address, and vice versa.
Management IP
10.197.204.10
255.255.255.0
10.197.204.1
VLAN 306
Attached the screenshot shown in the diagram.
Your help will be appreciated.
Regards
Not sure what it is, but there must be something simple that you're missing.
Let's go through each configuration step for both ESXi network connections (iLO already works, so we won't touch it).
Check the physical switch port configuration for interfaces GigabitEthernet1/0/13 and 1/0/14:
switchport access vlan 306
switchport mode access
spanning-tree portfast
Connect only the network cable for vmnic0 to the host and make sure that vmnic0 shows up as 'connected' in the DCUI.
Make sure the VLAN ID is empty.
Then make sure the IP settings are correct (i.e. without typos, ...) and restart the management network from the main menu.
André
-
Hi gurus,
I installed VMware Workstation 7.1.3 on my Windows 7 Professional x64 laptop and I can run my old VM (XP) on it without any problems. I then tried to install a new guest (Windows 2008 R2 Standard x64) on it; when I set the network card to bridged mode, it cannot get an IP address from my DHCP server and always shows me the error "Windows has detected an IP address conflict...". I tried a static IP setup for it as well, with the same result.
I tried to install a new Windows Server 2003 as a guest (also set to bridged networking); it works very well, and can get an IP address from my DHCP server or use a static IP address with no problems. Does anyone have similar experience with this combination? Is there any solution to this issue?
Best regards
BUGBUG
I recently managed to get bridged networking to work with a Windows Server 2003 R2 SP2 guest in VMware Workstation 7.1.4.385536 on a Windows 7 SP1 Ultimate host.
VirtualBox 4.0.4.70112 is installed on the host, and disabling the 'VMware Bridge Protocol' on the 'VirtualBox Ethernet Adapter' on the host was necessary.
Outpost Firewall Pro 7.1.0.3415.520.1247 is also installed on the host computer and I used some information from the link below to add some necessary firewall rules.
-
After a host on vSphere 4.0 is directly connected to iSCSI, the (initiator) host cannot ping the iSCSI server (target), but the target can ping the host. And iSCSI works well. I mean I can create and use the iSCSI disk. Why? It confuses me.
Thank you!
Geoarge,
iSCSI traffic uses a VMkernel port; instead of using the 'ping' command, use 'vmkping'.
André
-
Cannot renew the IP address...
Hello, last night my Dimension 8200 lost the ability to use the Internet. It is connected to a router that is connected to the cable modem. My Dell laptop works very well. When I look at network connections, it says "Comcast Hi-speed limited or no connectivity". When I right-click on it and try to 'fix' it, it cannot renew the IP address. I powered off the cable modem as well as the router; no help. Again, my laptop works very well. I've run McAfee and it found no viruses.
Any suggestion would be appreciated.
Pat
-
Cannot ping the Anyconnect client IP address to LAN
Hi guys,
I have an old ASA5520 running 9.1(6)8 where I set up AnyConnect SSL split-tunneling access:
show run group-policy
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ikev2 ssl-clientless
group-policy lanwan-gp internal
group-policy lanwan-gp attributes
 wins-server none
 dns-server none
 vpn-simultaneous-logins 1
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value lanwan-acl
 default-domain none
 webvpn
  anyconnect profiles value lanwan-profile type user
access-list lanwan-acl line 1 standard permit 172.16.0.0 255.254.0.0 (hitcnt=48) 0xb5bbee32
Now I can ping, RDP, etc. from any connected VPN host to any destination within the 172.16.0.0 255.254.0.0 range.
Here is my routing information:
show run route
route outside 0.0.0.0 0.0.0.0 69.77.43.1 1
route inside 172.16.0.0 255.254.0.0 172.25.8.1 1
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.25.8.4 255.255.254.0
But I can't ping any connected AnyConnect VPN client from my LAN.
show run ip local pool
ip local pool lanwan-pool 172.25.9.8-172.25.9.15 mask 255.255.254.0
Here's the traceroute from the LAN:
C:\Users\Florin>tracert -d 172.25.9.10
Tracing route to 172.25.9.10 over a maximum of 30 hops
  1     1 ms    <1 ms     1 ms
  2    <1 ms     *       <1 ms
  3     *     Request timed out.
  4     *     Request timed out.
While the ASA routing table has the right info:
show route | i 69.77.43.1
S 172.25.9.10 255.255.255.255 [1/0] via 69.77.43.1, outside
Other things to mention:
- There is no other FW between the LAN and the ASA
- There is no FW or NAT configured or enabled on this ASA (show run nat and show run access-group both return empty).
- The Windows FW on the AnyConnect workstation is disabled (the service is running). I also tested and am able to ping my home AnyConnect workstation from another device on the same network.
So, I'm left with two questions:
1. The first one I do not understand: after reading some threads here, I added this line: access-list lanwan-acl standard permit 69.77.43.0 255.255.255.0
The output of the ping and tracert commands remains the same, but now I can RDP to the VPN-connected workstation from any LAN workstation;
What is happening here?
2. How can I make ICMP work after all? I also tried fixup protocol icmp and fixup protocol icmp error, still no luck.
Thanks in advance,
Florin.
Hi Florin,
The whole setup is clear enough to me.
In the debug, you can see the traffic at the ASA:
"ICMP echo request from inside:172.17.35.71 to outside:172.25.9.9 ID=22 seq=14024 len=32"
The ASA may be passing it on, or may be dropping it for some unknown reason.
Can we have a Wireshark capture on the VPN client to see if the ICMP request is reaching the client? I just want to isolate the FW problem so that we can concentrate on the ASA rather than the silly Windows FW ;)
Did RDP between the VPN client and the inside LAN work for you?
Enable logging on the ASA, then ping from inside to the VPN client and check the logs on the firewall; if the ASA drops the packet, it will appear in the log.
logging en
logging buffered debugging
# sh logging buffere | in icmp
#Rohan
-
VPN Site-to-Site - cannot ping the router's internal IP address
Hi guys,
I configured a site-to-site VPN between two routers; everything works well except pinging the internal (LAN) IP of a router.
Everything else works fine: pinging the hosts through the tunnel in both directions.
Routers that I use:
- 1841, IOS 15.0(1)M3
- 2811, IOS 15.0(1)M5 -> here is the problem. I can't ping the inside interface of this router.
I checked its IPsec counters and it seems that it does not send packets through the tunnel when I ping from the LAN interface.
#pkts program is not incrementing.
Anyone had this problem before?
Thank you very much.
Best regards
I think that happens because when the router responds to the ICMP request, it uses its outside interface IP (not the IP address of the inside interface, which you are trying to ping) as the source of the packet. So the ICMP response does not go into the tunnel, because the IP address of the router's external interface is not included in the crypto ACL.
The solution to this, if my guess is correct, is to add the router's external IP to the crypto ACL.
-
Cisco VPN Client cannot ping from LAN internal IP
Hello
I apologize in advance for my lack of knowledge about this, but I have an ASA 5510 running software version 7.2(2) and have been asked to set up a site with a client. I managed to get this configured and everything works fine. In addition, I created an ipsec-ra tunnel group for users to connect remotely to a particular server, 192.168.10.100/24. Even though the connection is made successfully, I cannot ping any IP on the LAN 192.168.10.0/24 located behind the ASA, and when I ping the inside interface of the ASA, it replies from the public IP address of the external interface.
If someone out there could give me a little push in the right direction, it would be much appreciated! This is the current configuration of the device.
Thanks in advance.
: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa5510
domain-name domain.local
enable password 123456789 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 pppoe client vpdn group ISP
 ip address 12.34.56.789 255.255.255.255 pppoe setroute
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 123456789 encrypted
ftp mode passive
clock timezone GMT/UTC 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name domain.local
access-list outside_20_cryptomap extended permit ip 192.168.10.0 255.255.255.0 host 10.16.2.124
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 host 10.16.2.124
access-list Split_Tunnel_List remark the network of the company behind the ASA
access-list Split_Tunnel_List standard permit 192.168.10.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool domain_vpn_pool 192.168.11.1-192.168.11.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 12.34.56.789 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy domain_vpn internal
group-policy domain_vpn attributes
 dns-server value 212.23.3.100 212.23.6.100
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
username domain_ra_vpn password 123456789 encrypted
username domain_ra_vpn attributes
 vpn-group-policy domain_vpn
encrypted utilisateur.123456789 password username
encrypted utilisateur.123456789 password username
privilege of username user password encrypted passe.123456789 15
encrypted utilisateur.123456789 password username
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 987.65.43.21
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set security-association lifetime seconds 3600
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 987.65.43.21 type ipsec-l2l
tunnel-group 987.65.43.21 ipsec-attributes
 pre-shared-key *
tunnel-group domain_vpn type ipsec-ra
tunnel-group domain_vpn general-attributes
 address-pool domain_vpn_pool
 default-group-policy domain_vpn
tunnel-group domain_vpn ipsec-attributes
 pre-shared-key *
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5
console timeout 0
vpdn group ISP request dialout pppoe
vpdn group ISP localname [email protected]
vpdn group ISP ppp authentication chap
vpdn username [email protected] password *
dhcpd dns 212.23.3.100 212.23.6.100
dhcpd lease 691200
dhcpd ping_timeout 500
dhcpd domain domain.local
!
dhcpd address 192.168.10.10-192.168.10.200 inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1234567890987654321
: end
Hello
It seems to me that you are at least lacking the NAT0 configuration for your VPN Client connection.
This configuration is intended to allow the VPN Client to communicate with the local network using their original IP addresses. The main reason it is necessary, though, is to keep this traffic from matching the normal dynamic PAT rule and being dropped as a result.
You can add an ACL rule to the existing NAT0 ACL you have above, and the NAT configuration should then be good to go.
Add this:
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0
Hope this helps
Let me know how it goes
-Jouni
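The gap described in this answer can be checked mechanically. The script below is an added example, not code from the thread or from Cisco: it parses pre-8.3 ASA syntax and reports VPN address pools that the NAT 0 ACL bound to the inside interface does not exempt. The function names and the embedded config lines (taken from the configuration posted in this thread) are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the ASA 7.2 config posted in this thread.
SAMPLE_CONFIG = """\
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 host 10.16.2.124
ip local pool domain_vpn_pool 192.168.11.1-192.168.11.254 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
"""
# The ACL entry suggested in the answer above.
FIX = ("access-list inside_nat0_outbound extended permit ip "
       "192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0")


def _take_network(tokens):
    """Consume one ACL address spec (any | host A | A MASK) from a token list."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}")


def nat0_destinations(config, interface="inside"):
    """Destination networks exempted by 'nat (<interface>) 0 access-list X'."""
    m = re.search(rf"^nat \({re.escape(interface)}\) 0 access-list (\S+)",
                  config, re.M)
    if not m:
        return []
    dests = []
    for line in config.splitlines():
        tokens = line.split()
        # Only 'access-list NAME extended permit ip SRC DST' entries are handled.
        if tokens[:5] == ["access-list", m.group(1), "extended", "permit", "ip"]:
            rest = tokens[5:]
            _take_network(rest)              # source network, not needed here
            dests.append(_take_network(rest))
    return dests


def unexempted_pools(config, interface="inside"):
    """Names of 'ip local pool' ranges not fully inside a NAT 0 destination."""
    dests = nat0_destinations(config, interface)
    missing = []
    pool_re = r"^ip local pool (\S+) (\S+?)-(\S+)"
    for name, first, last in re.findall(pool_re, config, re.M):
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if not any(lo in d and hi in d for d in dests):
            missing.append(name)
    return missing


if __name__ == "__main__":
    print("before fix:", unexempted_pools(SAMPLE_CONFIG))
    print("after fix: ", unexempted_pools(SAMPLE_CONFIG + FIX + "\n"))
```

A pool reported here will have its return traffic from the LAN hit the `nat (inside) 1` dynamic PAT rule instead of being sent untranslated to the client.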
-
Hello
Cisco 5505 internal IP: 10.10.0.1, static, security level 100
Cisco 5505 external IP: 36.X.X.23, DHCP, security level 0
From inside I can ping all external hosts, for example from host 10.10.0.3 to google.com
From inside I can ping all internal hosts, for example from host 10.10.0.3 to 10.10.0.5, including the Cisco's internal IP 10.10.0.1
From inside I can ping other IP addresses on the same network as my router's external interface, for example host 36.x.x.25
From inside I cannot ping the IP 36.X.X.23?
From outside I can ping the IP 36.X.X.23
From outside I can ping other IPs on the external 36.X.X.X network
How can I ping 36.X.X.23 from the inside, any suggestions?
It's called background management, which is not supported on the ASA:
https://Tools.Cisco.com/bugsearch/bug/CSCtd86651
That is why it does not work, and it never will: the ASA is not designed for it.
Hope this is useful.
-
Localhost unreachable destination to the LAN address
Windows Vista Home Prem / 2.1 Ghz/3 GB RAM AMD
I'm having this problem where I am unable to access certain local IP addresses on my LAN. I have what I think are routes in the routing table, so I'm completely puzzled as to why I get Destination unreachable. The messages seem to be generated by the outgoing interface, and I only get them for some hosts. Any thoughts would be IMMENSELY appreciated.
routing table:
===========================================================================
Interface List
 16 ...02 00 4c 4f 4f 50 ...... Microsoft Loopback Adapter
 11 ...00 24 d2 06 5b 4b ...... Atheros AR5007EG Wireless Network Adapt
 10 ...1st 00 33 9c 92 b5 ...... Realtek RTL8102E Family PCI-E Fast Ethernet NIC
  1 ........................... Software Loopback Interface 1
 18 ...00 00 00 00 00 00 00 e0  isatap.gateway.2wire.net
 12 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
 19 ...00 00 00 00 00 00 00 e0  isatap.{1B026F0F-03DE-4F71-BFF6-DD768DB11D48}
 20 ...00 00 00 00 00 00 00 e0  isatap.{B0F31E43-512B-499E-AAA1-E7828F7C5D43}
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway        Interface  Metric
          0.0.0.0          0.0.0.0   172.30.255.254     172.30.255.1      80
          0.0.0.0          0.0.0.0     192.168.43.1   192.168.43.101      25
        127.0.0.0        255.0.0.0          On-link        127.0.0.1     306
        127.0.0.1  255.255.255.255          On-link        127.0.0.1     306
  127.255.255.255  255.255.255.255          On-link        127.0.0.1     306
     172.30.255.0    255.255.255.0          On-link     172.30.255.1     286
     172.30.255.1  255.255.255.255          On-link     172.30.255.1     286
   172.30.255.255  255.255.255.255          On-link     172.30.255.1     286
     192.168.43.0    255.255.255.0          On-link   192.168.43.101     281
   192.168.43.101  255.255.255.255          On-link   192.168.43.101     281
   192.168.43.255  255.255.255.255          On-link   192.168.43.101     281
        224.0.0.0        240.0.0.0          On-link        127.0.0.1     306
        224.0.0.0        240.0.0.0          On-link     172.30.255.1     286
        224.0.0.0        240.0.0.0          On-link   192.168.43.101     281
  255.255.255.255  255.255.255.255          On-link        127.0.0.1     306
  255.255.255.255  255.255.255.255          On-link     172.30.255.1     286
  255.255.255.255  255.255.255.255          On-link   192.168.43.101     281
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0   172.30.255.254      50
===========================================================================
IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
  1    306 ff00::/8                 On-link
===========================================================================
ping output (works / does not):
Pinging 192.168.43.11 with 32 bytes of data:
Reply from 192.168.43.11: bytes=32 time=4ms TTL=255
Reply from 192.168.43.11: bytes=32 time=2ms TTL=255
Pinging 192.168.43.20 with 32 bytes of data:
Reply from 192.168.43.101: Destination host unreachable.
ipconfig for the relevant interfaces:
Ethernet adapter Loopback0 (172.30.255.1):
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Loopback Adapter
   Physical Address. . . . . . . . . : 02-00-4C-4F-4F-50
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 172.30.255.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.30.255.254
   NetBIOS over Tcpip. . . . . . . . : Enabled
Wireless LAN adapter Wireless Network Connection:
   Connection-specific DNS Suffix  . : gateway.2wire.net
   Description . . . . . . . . . . . : Atheros AR5007EG Wireless Network Adapt
   Physical Address. . . . . . . . . : 00-24-D2-06-5B-4B
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.43.101(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Wednesday, February 10, 2010 10:03:57
   Lease Expires . . . . . . . . . . : Thursday, February 11, 2010 10:03:57
   Default Gateway . . . . . . . . . : 192.168.43.1
   DHCP Server . . . . . . . . . . . : 192.168.43.1
   DNS Servers . . . . . . . . . . . : 192.168.1.254
   NetBIOS over Tcpip. . . . . . . . : Enabled
The loopback adapter is one that I use for an emulation program, and I've assigned a higher metric to the default gateway for that network. I tried removing the persistent route for this default GW (172.30.255.254); no change. I don't understand why Windows reports no route when there is clearly one in the routing table. When I disable the loopback interface, there is no change.
I removed IPv6 on both interfaces and disabled the firewall; both networks are set as private networks. I'm out of ideas.
Well, as annoying as it is, my two-day-old, countless-curse-word problem has been resolved. No matter how much you (think you) know, and no matter how much experience you have, always always ALWAYS check layer 1.
I was sure that the server was connected to the network, but alas it was not. What is really interesting here is that Windows Vista will report a local address as unreachable even if there is a route. Maybe it has to do with a failed ARP request?
Feel stupid now.
-
Cisco ezvpn ASAs cannot ping each other inside interfaces
I have an ezvpn setup in place with a 5506 (location B) on the client side and a 5520 (location A) on the server side. The VPN connects successfully, and traffic flows. My problem is that I can't SSH into location B. Investigating this further, I cannot ping the inside interface of the opposing ASA, or the machines inside each ASA.
I found the following links that describe a scenario similar to mine, but nothing in any of them helped me.
http://www.experts-exchange.com/questions/28388142/cannot-ping-ASA-5505-inside-interface-across-VPN.html
https://www.fir3net.com/firewalls/Cisco/Cisco-ASA-proxy-ARP-gotcha.html
https://supportforums.Cisco.com/discussion/11755586/Cisco-ASA-VPN-established-cant-ping
I have attached sanitized versions of these two configs. Any help is appreciated.
Hi Adam
On site B I'm not able to see "management-access inside". Please try to configure the same. It could solve the problem.
Also, on the ASA's NAT statement, can you please try adding the keywords 'no-proxy-arp route-lookup'?
Something like:
nat (inside,outside) source static (Location A)_Networks (Location A)_Networks destination static (location B)-remote_network (location B)-remote_network no-proxy-arp route-lookup
as I have noticed problems with access to the inside interface via the VPN when those keywords are not applied. If I remember correctly, ASA version 8.6.x had a bug regarding the same. Regards, Véronique