PIX 7 - several remote VPN sessions to the same public IP address
Hello
Here's my problem:
Employee A and employee B both make VPN connections to the PIX with their Cisco VPN clients. The two employees are behind the same NAT device, so they have the same public IP address.
As soon as the second employee initiates the VPN connection, the first employee is disconnected.
I have a similar situation with a PIX running 6.x and it does not happen there: two employees can connect at the same time with the same credentials.
Here is the remote-access VPN configuration I use:
group-policy gpolicy attributes
 dhcp-network-scope 10.X.X.X
 vpn-simultaneous-logins 5
 vpn-tunnel-protocol IPSec
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitTunnelAcl
 user-authentication enable
 client-firewall none
username remoteuser password remotepass
username remoteuser attributes
 vpn-group-policy labtronix
 vpn-simultaneous-logins 2
 vpn-tunnel-protocol IPSec
 group-lock value vpngroup
tunnel-group vpngroup type ipsec-ra
tunnel-group vpngroup general-attributes
 address-pool ip_pool
 default-group-policy gpolicy
Any contribution is appreciated.
Thank you.
Most likely a NAT-T problem.
Add "isakmp nat-traversal" on the PIX.
Tags: Cisco Security
Similar Questions
-
Site-to-site and remote-access VPN from behind the same public IP address
Got a fairly silly problem. We have a site-to-site VPN configured for a new data center, which will carry general traffic. In addition, some users need to use a VPN client to access certain areas. The firewall at the office only has one public IP address, so both the site-to-site VPN and the remote-access VPN will come from the same source.
This seems to be a problem with legacy Cisco VPN clients, because the crypto map matches the site-to-site VPN entry even when they use VPN clients. Is there a good/simple solution to this problem?
Some logs (198.18.85.23 is the office's public IP address and tom.jones is the user; 192.168.1.0/24 is the VPN client pool):
January 7, 2014 19:12:52 ASA5515: %ASA-5-713130: Group = Corp-VPN, Username = tom.smith, IP = 198.18.85.23, Received unhandled transaction mode attribute: 5
January 7, 2014 19:12:52 ASA5515: %ASA-5-737003: IPAA: DHCP not configured, no viable servers found for tunnel-group "Corp-VPN"
January 7, 2014 19:12:52 ASA5515: %ASA-5-713119: Group = Corp-VPN, Username = tom.smith, IP = 198.18.85.23, PHASE 1 COMPLETED
January 7, 2014 19:12:52 ASA5515: %ASA-3-713061: Group = Corp-VPN, Username = tom.smith, IP = 198.18.85.23, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.1.4/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
January 7, 2014 19:12:52 ASA5515: %ASA-3-713902: Group = Corp-VPN, Username = tom.smith, IP = 198.18.85.23, QM FSM error (P2 struct &0x00007fff28dab560, mess id 0x37575f3c).
January 7, 2014 19:12:52 ASA5515: %ASA-3-713902: Group = Corp-VPN, Username = tom.smith, IP = 198.18.85.23, Removing peer from correlator table failed, no match!
January 7, 2014 19:12:52 ASA5515: %ASA-5-713259: Group = Corp-VPN, Username = tom.smith, IP = 198.18.85.23, Session is being torn down. Reason: crypto map policy not found
January 7, 2014 19:12:52 ASA5515: %ASA-4-113019: Group = Corp-VPN, Username = tom.smith, IP = 198.18.85.23, Session disconnected. Session Type: IKEv1, Duration: 0h:00m:02s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
January 7, 2014 19:12:53 ASA5515: %ASA-5-713904: IP = 198.18.85.23, Received encrypted packet with no matching SA, dropping
Hello
I don't know if this will work, but you can try the following configuration (alongside the rest of the VPN configuration):
access-list VPN-CLIENT permit ip any 192.168.1.0 255.255.255.0
crypto map OUTSIDE_map 4 match address VPN-CLIENT
crypto map OUTSIDE_map 4 set peer 198.18.85.23
crypto map OUTSIDE_map 4 set ikev1 transform-set ESP-AES-128-SHA ESP-3DES-SHA
The idea would be to have the ACL match the full-tunnel VPN that the client attempts to establish (destination "any" from the client's point of view, which is the source from the ASA's point of view).
I tested this briefly on my own ASA by connecting from an IP address for which the ASA has an L2L VPN configured. But since I don't have an operational L2L VPN, I can't really verify the L2L VPN side at the moment. So there may be some risk involved, if you can afford it.
-Jouni
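As an added example (editor's code, not part of Jouni's answer or the original post), here is a small Python triage script for ASA syslog lines of the kind quoted above. It parses the standard %ASA-severity-id message layout, pulls out the sessions that ended with "crypto map policy not found" (message 113019) grouped by peer IP, and extracts from message 713061 the remote/local proxy selectors that no crypto map entry covered, which is exactly what tells you which crypto map entry is swallowing the client. The log lines inside the script are constructed to mimic the quoted format; the 203.0.113.9 line is a made-up clean disconnect added so the filter has something to ignore.

```python
import re
from collections import defaultdict

# Constructed sample lines in the %ASA syslog format the post quotes (not real captures);
# the last line is an unrelated clean disconnect so the filters have something to skip.
SAMPLE_LOG = """\
Jan 07 2014 19:12:52 ASA5515 : %ASA-5-713119: Group = Corp-VPN, Username = tom.smith, IP = 198.18.85.23, PHASE 1 COMPLETED
Jan 07 2014 19:12:52 ASA5515 : %ASA-3-713061: Group = Corp-VPN, Username = tom.smith, IP = 198.18.85.23, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.1.4/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
Jan 07 2014 19:12:52 ASA5515 : %ASA-5-713259: Group = Corp-VPN, Username = tom.smith, IP = 198.18.85.23, Session is being torn down. Reason: crypto map policy not found
Jan 07 2014 19:12:52 ASA5515 : %ASA-4-113019: Group = Corp-VPN, Username = tom.smith, IP = 198.18.85.23, Session disconnected. Session Type: IKEv1, Duration: 0h:00m:02s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
Jan 07 2014 19:12:53 ASA5515 : %ASA-5-713904: IP = 198.18.85.23, Received encrypted packet with no matching SA, dropping
Jan 07 2014 19:13:10 ASA5515 : %ASA-4-113019: Group = Corp-VPN, Username = jane.doe, IP = 203.0.113.9, Session disconnected. Session Type: IKEv1, Duration: 1h:12m:05s, Bytes xmt: 12345, Bytes rcv: 6789, Reason: User Requested
"""

MSG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)$")
FIELD_RE = re.compile(r"\b(Group|Username|IP) = ([^,]+)")
REASON_RE = re.compile(r"Reason: (.+?)\s*$")
PROXY_RE = re.compile(r"remote proxy (\S+) local proxy (\S+) on interface (\S+)")


def parse_line(line):
    """Split one ASA syslog line into severity, message id and the Group/Username/IP fields."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = {"severity": int(m.group("sev")), "msg_id": m.group("id"), "body": m.group("body")}
    for key, value in FIELD_RE.findall(rec["body"]):
        rec[key.lower()] = value.strip()
    reason = REASON_RE.search(rec["body"])
    if reason:
        rec["reason"] = reason.group(1)
    proxy = PROXY_RE.search(rec["body"])
    if proxy:
        rec["remote_proxy"], rec["local_proxy"], rec["interface"] = proxy.groups()
    return rec


def crypto_map_failures(log_text):
    """Map peer IP -> usernames whose session ended with 'crypto map policy not found' (message 113019)."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["msg_id"] == "113019" and rec.get("reason") == "crypto map policy not found":
            failures[rec["ip"]].append(rec.get("username", "?"))
    return dict(failures)


def rejected_proxies(log_text):
    """Return (peer IP, remote proxy, local proxy) for each 713061 rejection: the selector no crypto map entry covered."""
    records = (parse_line(line) for line in log_text.splitlines())
    return [(r["ip"], r["remote_proxy"], r["local_proxy"]) for r in records if r and r["msg_id"] == "713061"]


if __name__ == "__main__":
    for peer, users in crypto_map_failures(SAMPLE_LOG).items():
        print(f"{peer}: crypto map policy not found for {', '.join(users)}")
    for peer, remote, local in rejected_proxies(SAMPLE_LOG):
        print(f"{peer}: no crypto map entry for remote {remote} local {local}")
```

Run against a real syslog export the same way; a remote proxy of a single pool address with a local proxy of 0.0.0.0/0 is the signature of a client whose IKE negotiation was steered into a static crypto map entry (here the L2L entry keyed on the shared public IP) instead of the dynamic map.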
-
Running several DAQmx AO tasks at the same time
Is there a reason one cannot run several DAQmx AO tasks at the same time?
That's a bunch of questions you listed there. I strongly suggest that you spend some time reviewing the many data acquisition tutorials available here: http://www.ni.com/white-paper/5434/en. You will need a better understanding of how the hardware works, and reading some of these articles will help you considerably.
-
There was a problem creating the destination folder. Please check the folder permissions or choose a different folder. What does that mean? I tried naming several different folders, but still get the same error message. Would be grateful for help!
This means that the folder you want to create is blocked because of file permissions. The drive or folder in which you are trying to create the destination folder is set to read-only, and your username does not have write permissions.
-
Can I have several different cards show the same article in a collection?
Can I have several different cards show the same article in a collection?
Because the client wants several different cards on the main browser page, but all of these cards must call or redirect to the cover or the main article intro!
Thank you very much in advance, guys!
You may need to download the article several times.
-
Help, please... I need to know how to crop my video segments. I also need to know how to make several clips run at the same time by splitting the screen. How do I fade a clip?
I watched the video tutorials. I also need to know how to add additional video tracks to my screen. Any help, please?
-
I created a PDF form with several drop-downs, all with the same drop-down values. When I select a value in one of the drop-down fields, it propagates to all the others, which I don't want. Can I fix this?
I am fairly new to this, but I think it has to do with the way you have the drop-downs named. Did you copy one and then keep pasting it into each area? If so, that's the problem. You must rename each with a different number: Dropdown1, Dropdown2, etc. I think this might solve the problem.
-
Is it possible for several people to work on the same folio?
Is it possible for several people to work on the same folio?
I usually work with a friend on my folios. We have been working directly from a Dropbox folder, and we both created a user with the same name on our Macs. This gives the same file path, so we can never be reprinted when we work together under this user account. Works very well.
-
Multiple sessions on the same connection?
Hello
Is it possible to create a few sessions on the same connection? How?
ARO
Tomas
Hi, try pressing the Unshared SQL Worksheet button (near the Restore button on the worksheet toolbar). This opens a new worksheet under the connection window.
Petr
-
Can I add another license to the same e-mail address?
Hello. I use Creative Cloud on a desktop and a laptop. I could buy another computer. Can I add another license to the same account/email address? I don't see a way to do it. That way I could use licenses on up to 4 devices.
Thank you
Andrew
Hello
If you want to use it on 4 machines, please purchase a subscription on a different email address.
Adobe has moved to identity-based licensing with a technology that does not support multiple licenses and products; you can buy only one membership per Adobe ID. If you need two Creative Cloud memberships, you can buy each with a unique Adobe ID. You can also buy a Creative Cloud for Teams membership, which allows you to buy and manage several seats under one account.
Also, you can read: https://helpx.adobe.com/x-productkb/policy-pricing/error-maxium-acitvation-exceeded.html
I hope that answers your query!
-
How can I move Outlook Express emails from one XP PC to another XP PC that has the same e-mail address, without overwriting the existing messages on the second PC?
I need to bring together all e-mail messages on one PC and retire the first PC.
This could be problematic. I guess OE is over? That would make it easy. One thing you could do requires some manual work, but much less removal of dupes. For example, the Inbox: on the machine you are going to scrap, create a new folder and move all messages in your Inbox to it. After you import on the other machine, you can drag the messages you need from this folder into the Inbox, and then remove the user-created folder. And then there are tools to remove the dupes, this one for example.
-
Every day I receive a notice that someone on my computer is using the same I.P. address
Original title: I.P. Address
Every day I receive a notice that someone on my computer is using the same I.P. address, but yet I found nothing.
Hello
(1) Are you on a domain network?
(2) How long have you been facing this problem?
(3) What is the exact error message you receive?
Method 1: If it is a small network of computers in a homegroup, contact the person with system administrative rights on your network.
Method 2: Make sure that the network card is configured according to the manufacturer's specifications and that the configuration is not incompatible with the other hardware configurations.
Method 3: Run the Microsoft Security Scanner (MSS) to check for any threat and try to correct it:
http://www.Microsoft.com/security/scanner/en-us/default.aspx
Note: Infected files can be deleted from your computer; there is a chance of data loss.
Method 4: Download and install all available Windows updates
Install Windows updates
http://Windows.Microsoft.com/en-us/Windows-Vista/install-Windows-updates
If you are working on a domain network, then please post your query on the TechNet forums for more specialized help.
TechNet Forum
http://social.technet.Microsoft.com/forums/en/w7itpronetworking/threads
-
How do I set up a new email account using the same e-mail address as on my old computer?
How can I set up a new email account using the same e-mail address as on my old computer?
Hi Melanie,
Are you referring to the Mail app or the user login account?
If you are referring to the Mail application, you can consult the following link: Set up Mail and add contacts
If you are referring to the user login account, you can consult the following link: Create a user account
I hope this is useful.
Keep us informed of the status of the issue.
-
There are 2 versions of Oracle.DataAccess on the system with the same public key token
Hello
Can someone please explain this:
1 Oracle.DataAccess ... x86 ... 2.112.1.0 ... 89b483f429c47342
2 Oracle.DataAccess ... x86 ... 2.112.2.0 ... 89b483f429c47342
I have a reference in Visual Studio to one of these DLLs. My questions:
(1) What are the differences?
(2) Which assembly is loaded by my application?
Greetings and thanks
Ellen
Hi Ellen,
All versions of the ODP assemblies have the same public key token. The difference in your case is that you have two versions (2.112.1.0 and 2.112.2.0) installed, and the difference between them is new features, bug fixes, etc.
ODP also installs policy files by default that can come into play here, but it depends on which version you installed last. If you installed 2.112.2.0 last, then the policy file would automatically redirect apps looking for 2.112.1.0 to use 2.112.2.0 instead.
If you installed 2.112.1.0 last, then the 2.112 policy file would only redirect apps to use 2.112.1.0.
If you're wondering how to determine which assembly your application is actually loading, the best way is via a tool like Process Explorer, which will let you see what libraries are loaded into a process.
Greg
-
Did anyone see anything that would prevent the remote-access VPN from working? My L2L runs like a champ. I can connect from the remote VPN client end, but I can't talk to anything on the network. I don't see the routes appear in my client software under the statistics section. Help!
domain-name default.domain.invalid
enable password
passwd
names
interface Ethernet0
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.248
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list 90 extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 90 extended permit ip any 10.10.10.0 255.255.255.0
access-list acl_inside extended deny tcp 192.168.3.0 255.255.255.0 any eq smtp
access-list acl_inside extended permit ip any any
access-list Split_tunnel_list remark SPlit tunnel list
access-list Split_tunnel_list standard permit any
ip local pool YW#vpn 10.10.10.1-10.10.10.32 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 90
nat (inside) 1 0.0.0.0 0.0.0.0
access-group acl_outside in interface outside
access-group acl_inside in interface inside
route outside 0.0.0.0 0.0.0.0 69.57.59.137 1
timeout xlate 3:00:00
timeout conn 4:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
http server enable
http 192.168.3.0 255.255.255.0 inside
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map Marina 20 match address 90
crypto map Marina 20 set peer 69.57.51.194
crypto map Marina 20 set transform-set strong ESP-3DES-MD5 ESP-3DES-SHA
crypto map Marina 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map Marina interface outside
crypto isakmp enable outside
crypto isakmp policy 9
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
vpn-sessiondb max-session-limit 30
telnet 192.168.3.0 255.255.255.0 inside
telnet timeout 5
ssh 69.85.192.0 255.255.192.0 outside
ssh 67.177.64.0 255.255.255.0 outside
ssh timeout 5
ssh version 2
console timeout 0
group-policy YW#vpn internal
group-policy YW#vpn attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_tunnel_list
group-policy 69.57.51.194 internal
group-policy 69.57.51.194 attributes
 vpn-tunnel-protocol IPSec
username admin password RqwfSgGaHexJEm4c encrypted privilege 15
username admin attributes
 vpn-group-policy YW#vpn
tunnel-group 69.57.51.194 type ipsec-l2l
tunnel-group 69.57.51.194 ipsec-attributes
 pre-shared-key *
tunnel-group YW#vpn type ipsec-ra
tunnel-group YW#vpn general-attributes
 address-pool YW#vpn
 authentication-server-group LOCAL
 authorization-server-group (outside) LOCAL
 default-group-policy YW#vpn
tunnel-group YW#vpn ipsec-attributes
 pre-shared-key *
!
policy-map global_policy
 class class-default
Well, your main problem is your match address definition:
crypto map Marina 20 match address 90
That is the access list used for the NAT exemption (nat 0), which includes both the S2S and the remote-access traffic; used as the match address, it also catches the remote-access connection. So go ahead and change it to avoid that:
access-list Marina permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
no crypto map Marina 20 match address 90
crypto map Marina 20 match address Marina
And the other problem, which is not affecting this but is badly configured, is your split-tunnel policy: you set the whole network as the split-tunnel list, which is just as if you did not have split tunneling active (that is why the route shows 0.0.0.0 on the client).
Go ahead and change it to:
access-list Split_tunnel_list standard permit 192.168.3.0 255.255.255.0
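As an added example (editor's code, not the poster's configuration or anything from Cisco), the following Python checker applies the point made in this answer to a config excerpt: it reads the permit-ip ACEs, the local pool, the nat 0 ACL and the static crypto map match addresses, then flags a static crypto map entry whose match ACL is the NAT-exemption list or whose destination covers the remote-access pool, since such an entry is consulted before the dynamic map and captures the client's negotiation. The excerpt and its "fixed" variant are constructed from the lines posted above (same names and addresses, not the full running-config); the parser only handles the ACE address forms used there (any, host, network plus mask).

```python
import ipaddress

# Constructed excerpt that mirrors the relevant lines of the posted config
# (names and addresses as posted; not the full running-config).
POSTED_CONFIG = """\
access-list 90 extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 90 extended permit ip any 10.10.10.0 255.255.255.0
access-list Marina extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
ip local pool YW#vpn 10.10.10.1-10.10.10.32 mask 255.255.255.0
nat (inside) 0 access-list 90
crypto map Marina 20 match address 90
crypto map Marina 20 set peer 69.57.51.194
crypto map Marina 65535 ipsec-isakmp dynamic outside_dyn_map
"""

# Same excerpt with the change the answer proposes: the static entry matches the L2L-only ACL.
FIXED_CONFIG = POSTED_CONFIG.replace("crypto map Marina 20 match address 90",
                                     "crypto map Marina 20 match address Marina")


def parse_addr(tok, i):
    """Read one ACE address spec ('any', 'host A' or 'A MASK') at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Collect permit-ip ACEs, local pools, nat 0 ACL names and static crypto map match-address ACLs."""
    cfg = {"acls": {}, "pools": {}, "nat0": set(), "static_maps": {}}
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "access-list" and "permit" in tok and "ip" in tok:
            i = tok.index("ip") + 1
            src, i = parse_addr(tok, i)
            dst, i = parse_addr(tok, i)
            cfg["acls"].setdefault(tok[1], []).append((src, dst))
        elif tok[:3] == ["ip", "local", "pool"]:
            first, last = tok[4].split("-")
            cfg["pools"][tok[3]] = list(ipaddress.summarize_address_range(
                ipaddress.ip_address(first), ipaddress.ip_address(last)))
        elif tok[0] == "nat" and len(tok) >= 5 and tok[2] == "0" and tok[3] == "access-list":
            cfg["nat0"].add(tok[4])
        elif tok[:2] == ["crypto", "map"] and tok[4:6] == ["match", "address"]:
            cfg["static_maps"][(tok[2], tok[3])] = tok[6]
    return cfg


def lint_crypto_maps(text):
    """Flag static crypto map entries whose match ACL is the nat 0 list or covers a remote-access pool."""
    cfg = parse_config(text)
    findings = []
    for (name, seq), acl in cfg["static_maps"].items():
        if acl in cfg["nat0"]:
            findings.append(f"crypto map {name} {seq} reuses NAT-exempt ACL {acl} as its match address")
        for _src, dst in cfg["acls"].get(acl, []):
            for pool, nets in cfg["pools"].items():
                if any(dst.overlaps(n) for n in nets):
                    findings.append(f"crypto map {name} {seq}: ACL {acl} entry to {dst} covers pool {pool}; "
                                    f"remote-access clients will match this static entry before the dynamic map")
    return findings


if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint_crypto_maps(text) or ["no findings"])
```

The two findings on the posted excerpt are the two halves of the answer: ACL 90 is the nat 0 list, and its second entry ("any" to 10.10.10.0/24) covers the YW#vpn pool, so a client proxy such as 10.10.10.x/32 matches the L2L entry at sequence 20 before the dynamic map at 65535. Pointing the static entry at an ACL that only describes the L2L networks clears both.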
Maybe you are looking for
-
How to transfer an iTunes account from a broken computer to a new computer; currently 192 songs are lost and iTunes says they are on the other iTunes account. Why isn't Apple smart enough to transfer all the songs to the new iTunes account, thoug
-
Keyboard presses are not recorded correctly - NB100
I have had my NB100 since new, about a month ago. This afternoon I discovered that when pressing keys such as i, the number 5 appears on the screen instead of the expected i. Other keys affected are the letters u, o, p, j
-
"Microsoft.MDX.DemoScheduler has stopped working".
On starting my new laptop (ex-display Toshiba) a message box appears: "Microsoft.MDX.DemoScheduler has stopped working" "Windows is checking for a solution to the problem." Then it disappears after 20-30 seconds. Any ideas? Stu
-
Serscan.sys was not found - Windows XP on a network with an HP wireless printer
I am trying to install an HP 6500A Plus printer (e710n-z) on a home network that has both cabled and wireless PCs connected to the network router. When installing, it asks for the serscan.sys file for Windows XP with Service Pack 3, which I cannot find
-
Why do emails stay in the Outbox?
Hello, why do e-mail messages stay in the Outbox?