Question about a one-way P2P VPN

Hello support,

I'm having a problem with a P2P VPN. Our side is a Cisco ASA 5512 and the peripheral supplier's side is a firewall of some sort. When we bring up the VPN from our Cisco ASA 5512 end, the VPN comes up without problems and communication works from both sides. If I take the VPN down and they then try to bring it up, I never see their traffic come into our firewall, and the tunnel never comes up. When we run a traceroute from their inside network to our inside network (with their end initiating), the trace goes to some edge devices at their end and out to the ISP. There are actually a few public IPs in the traceroute, but when we bring up the VPN from our end and then run a trace from their end, those same public IPs do not show up in the trace.

It almost seems like they have a device on their end which does not correctly handle the NAT or SHEEP for private subnets. Does this sound accurate?

Just to recap: when we bring up the VPN, everything looks clean and only private IPs show up in the traces on both ends. When they start the VPN, traffic never hits our firewall and traces from their side show public IPs on the route.

For now we keep a ping running to keep the VPN alive, but it's not ideal. Any help would be greatly appreciated.

Hey John,

Are you sure that when they start traffic from their home subnet, it is hitting the VPN?

Please ask them to run debug crypto on their end and check whether the first packet (UDP 500) is even sent from their end.

Now, in order to keep the tunnel up, you can configure SLA monitoring on the ASA:

Please follow the discussion below to set up the same:

https://supportforums.Cisco.com/discussion/11012751/IP-SLA-monitor-VPN
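A worked ASA `sla monitor` configuration in the style of the linked discussion, added here as an illustration and not taken from that thread or from John's ASA; the ACL name, the local 192.168.10.0/24 subnet, the remote 192.168.20.0/24 subnet and the probe target 192.168.20.10 are constructed:

```cisco
! Constructed example. The ICMP echo must be sourced from the inside
! interface (whose address sits inside 192.168.10.0/24) and aimed at a host
! in the remote private subnet, so the probe matches the crypto ACL and the
! ASA itself keeps initiating the tunnel instead of a PC-side ping.
access-list L2L_TRAFFIC extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
!
sla monitor 10
 type echo protocol ipIcmpEcho 192.168.20.10 interface inside
 frequency 30
sla monitor schedule 10 life forever start-time now
!
! Optional: expose the probe result as a tracked object, so "show track 1"
! reports whether the far side is still answering over the tunnel.
track 1 rtr 10 reachability
```

Because the ASA originates the echoes, this keeps the tunnel up from our side only; it does not explain why the peer's own initiation fails, so the debug crypto check above still applies.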

Tags: Cisco Security

Similar Questions

  • Traffic permitted only one-way for VPN-connected computers

    Hello

    I currently have an ASA 5505. I set it up for remote SSL VPN access. My computers can connect to the VPN very well. They just cannot access the internal network (192.168.250.0). They cannot ping the inside interface of the ASA, nor any of the machines. It seems that all traffic is blocked for them. The strange thing is that when someone is connected to the VPN, I can ping that VPN-connected machine from the ASA and from other machines inside the LAN. It seems that traffic is allowed only one way. I messed around with the ACLs but nothing works. Any suggestions please?

    DHCP pool: 192.168.250.20 - 50 --> for the LAN

    VPN pool: 192.168.250.100 and 192.168.250.101

    Outside interface gets DHCP from the modem

    The inside interface: 192.168.1.1

    Current running config:

    : Saved
    :
    ASA Version 8.2(5)
    !
    hostname HardmanASA
    enable password # encrypted
    passwd # encrypted
    names
    !
    interface Ethernet0/0
     switchport access vlan 20
    !
    interface Ethernet0/1
     switchport access vlan 10
    !
    interface Ethernet0/2
     switchport access vlan 10
    !
    interface Ethernet0/3
     shutdown
    !
    interface Ethernet0/4
     shutdown
    !
    interface Ethernet0/5
     shutdown
    !
    interface Ethernet0/6
     shutdown
    !
    interface Ethernet0/7
     switchport access vlan 10
    !
    interface Vlan1
     no nameif
     no security-level
     no ip address
    !
    interface Vlan10
     nameif inside
     security-level 100
     ip address 192.168.250.1 255.255.255.0
    !
    interface Vlan20
     nameif outside
     security-level 0
     ip address dhcp setroute
    !
    ftp mode passive
    dns domain-lookup inside
    dns domain-lookup outside
    pager lines 24
    mtu inside 1500
    mtu outside 1500
    ip local pool VPN_Pool 192.168.250.100-192.168.250.101 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 10 192.168.250.0 255.255.255.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.250.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh 192.168.250.0 255.255.255.0 inside
    ssh timeout 5
    ssh version 2
    console timeout 0
    dhcpd dns 8.8.8.8
    !
    dhcpd address 192.168.250.20-192.168.250.50 inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     enable outside
     svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
     svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
     svc image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3
     svc enable
     tunnel-group-list enable
    group-policy DfltGrpPolicy attributes
     dns-server value 8.8.8.8
     vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    tunnel-group AnyConnect type remote-access
    tunnel-group AnyConnect general-attributes
     address-pool VPN_Pool
    tunnel-group AnyConnect webvpn-attributes
     group-alias AnyConnect enable
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:30fadff4b400e42e73e17167828e046f
    : end

    Hello

    No worries

    Here is the config change I would make.

    First, it is strongly recommended to use a different IP address range for the VPN clients than for the internal network:

    no ip local pool VPN_Pool 192.168.250.100-192.168.250.101 mask 255.255.255.0
    ip local pool VPN_Pool 192.168.251.100-192.168.251.101 mask 255.255.255.0
    access-list NAT_0 extended permit ip 192.168.250.0 255.255.255.0 192.168.251.0 255.255.255.0
    nat (inside) 0 access-list NAT_0

    Then give it a try, and if it works, rate this post hehe

  • How to set up a one-way IPSec-L2L tunnel

    This may be a silly question, since a VPN is for communication between trusted parties and most people would be trying to fix a unidirectional tunnel rather than create one.

    But I'm interested in turning a regular tunnel into a one-way-only tunnel, so that only traffic from my side can initiate the tunnel.

    Recently we built this tunnel between our ASA5510 and our business partner's ASA5510 to run critical applications on their web servers, which are not connected to the Internet. I want to tie it down so that they cannot bring up the VPN. I have the crypto ACL set to limit it to one port and address, so they can only come from that port once the tunnel is established. We also have a personal firewall installed on each host.

    Any idea on how to make the tunnel one-way and also protect us better once the tunnel is up?

    Hello

    You can use the following command:

    crypto map map-name seq-num set connection-type {answer-only | originate-only | bidirectional}

    This command defines whether the tunnel is originate-only or answer-only. If you set the tunnel on your side to originate-only, the ASA will never accept a tunnel setup from your business partner. However, you can still initiate the VPN tunnel yourself.

    Check:

    http://www.Cisco.com/en/us/partner/docs/security/ASA/asa80/command/reference/C5.html#wp2152576

    Even though the reference is for ASA 8.0, I know it works for 7.2.x too.

    Hope this helps

    Kind regards

    Pieter-Jan
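A worked originate-only crypto map in ASA 8.x syntax, added here as an example that is not part of Pieter-Jan's answer or the poster's configuration; the ACL and map names, the local 192.168.10.0/24 subnet, the partner web server 172.16.5.10, the partner peer 203.0.113.10 and the PLACEHOLDER_PSK value are constructed:

```cisco
! Constructed example: only our hosts may bring the tunnel up, and the
! crypto ACL covers nothing but TCP/443 to the partner's web server.
access-list PARTNER_L2L extended permit tcp 192.168.10.0 255.255.255.0 host 172.16.5.10 eq 443
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address PARTNER_L2L
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
! originate-only: this ASA initiates IKE to the peer but refuses IKE
! negotiations started by the peer, so the partner cannot bring the tunnel up.
crypto map OUTSIDE_MAP 10 set connection-type originate-only
crypto map OUTSIDE_MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key PLACEHOLDER_PSK
!
! Once the tunnel is up, stop letting decrypted traffic bypass the interface
! ACLs: with this disabled, anything the partner sends through the tunnel is
! still filtered by the outside interface ACL, while return traffic for
! connections we opened is allowed by the state table.
no sysopt connection permit-vpn
```

The partner's crypto ACL must be the mirror image (host 172.16.5.10 eq 443 to 192.168.10.0/24) or phase 2 will not match; and since only our side can rekey, a tunnel torn down from their side stays down until traffic from our subnet re-initiates it.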

  • One-way video problem

    Hello

    We have two Expressways and we have received a report from a company that called one of our sites and had issues with one-way video. The caller could not see the person they had dialed, but that person could see the caller. Audio was OK. They were told to place a new call through our other Expressway and all audio and video worked just fine. So I'm trying to understand whether there is a difference between the Expressways and why this happens. They both run X8.1.1. The strange thing is that we only received a report from one enterprise having this problem through this "faulty" Expressway, so is it us or them? Apparently they do not have problems with anyone else they call...

    Looks like maybe it's time to collect logs... but has anyone else encountered this? Hope I haven't confused everyone :)

    Thank you!

    In general I really wouldn't expect things to need a few reboots to register.

    Well, sure, a typical tech & TAC response will be "upgrade to the latest", which I also recommend,

    but your symptoms are still a bit sketchy.

    It's a good start to check if your firewall/network/DNS/... are OK as well. A lot of questions

    are hidden there. It is difficult to see the full extent from here.

    Please get some internal, Cisco partner or network resources involved.

    And yes, look into the upgrade to CUCM!

    But the network / the environment should still be OK for that as well :-)

    Please rate the messages with the stars below and mark the thread as answered if it was.

  • Does LCCS P2P include one-to-many?

    Hello

    Just to confirm: does LCCS include Stratus as one-to-many multicast, or only one-to-one?

    For example, in a one-to-many video chat, say a user streaming to 7 clients. With LCCS, if P2P is available does it use multicast for P2P, or switch to hub-and-spoke server streaming?

    Cheers

    Just to be clear, Stratus does not give you multicast and/or client management. From

    the Stratus documentation page:

    "Stratus is a beta, hosted rendezvous service that helps establish communication between Flash Player endpoints."

    So it is the RTMFP protocol that allows, among other things, multicast. To do multicast, you need a way to identify the connected clients. One way is to use a complete implementation of RTMFP, as it will be provided by future versions of FMS; another way is to use Stratus, which provides this feature.

    Once you have that you can write a Flash application that connects to as many clients as you want, but you will find that after a certain number of clients, depending on your network configuration, bandwidth, etc., your application will become unresponsive.

    LCCS uses FMS as the communication mechanism, and when it is configured for the "rtmfp" protocol, a pre-release RTMFP-enabled version of FMS. When working in p2p mode, LCCS handles all the 'management' stuff: which clients to talk to, keeping the connection alive, reconnecting if necessary and switching to non-p2p mode if network conditions worsen or if you have too many clients for a reliable p2p session.

    Currently we limit the number of clients connected to the p2p session, and the maximum number is currently not configurable. Not sure what the number is (I don't have the source code handy), but we asked the RTMFP engineers for a reasonable number.

    Still, if you implement your own p2p messaging on top of Stratus you can experiment and see what the actual limit for your particular configuration is (and it may or may not be higher than what we use). You can probably use one of the Stratus examples to see what you get and then decide which product is best suited to your use case.

  • Somehow the print size of my email has decreased to the point where I can hardly read it.

    Somehow the print size of my email has decreased to the point where I can hardly read it. Can any of you please tell me which keys to hold while scrolling to get the largest print size. Thank you very much.

    Original title: Email printing size

    Sorry, but since this is Yahoo Webmail, that leaves me without a clue. Maybe the Internet Explorer forum or Yahoo support might be more useful.

    Internet Explorer forums
    http://answers.Microsoft.com/en-us/IE

    Yahoo help
    http://help.Yahoo.com/l/us/Yahoo/helpcentral/

  • ASA 5505 IP SLA with P2P VPN

    Hello support,

    I would just like to confirm that an ASA 5505 with two Internet service providers can build a P2P VPN over the backup ISP automatically once the main ISP goes down. Only a single P2P VPN is necessary, but if the main ISP goes down and IP SLA detects the failover, can the P2P VPN come up on the backup ISP?

    Hi Anthony,

    Indeed, if the main ISP goes down, the backup ISP will be used based on the configured IP SLA. Many customers usually have the SPLM on the primary and the secondary of a site. However, this is also supported.

    You can find information about site-to-site backup here.

    Also a simple setup for site-to-site with backup here.

    Please rate and mark this post as correct!

    David Castro,

    Kind regards

  • Problems with P2P VPN with interface DHCP

    I have correctly configured a P2P VPN between two Cisco 888s using static IP addresses. If I set one interface to DHCP and the unit is power cycled, it won't request an IP address until I issue "no crypto map" and bounce the interface.

    Any ideas on how I can leave the crypto map in place and still have the interface get an IP address?

    Thanks in advance.

    With config like this:

    access-list 100 permit ip any any

    you are saying ALL traffic is encrypted and expecting to have to decrypt all traffic. That is, traffic received on the interface will be dropped unless it is encrypted.

  • Is there one way other than to_char to get the month of the date field

    Is there one way other than to_char to get the month of the date field

    Hello

    raj4tech wrote:

    Is there one way other than to_char to get the month of the date field

    EXTRACT is one:

    SELECT EXTRACT(MONTH FROM SYSDATE) AS curr_month
      FROM DUAL;

  • So my question was the only one that has not been answered today, nice...

    I asked a question this morning and it is now 23:13 and I noticed that my question was the only one that has not received a response. My first time here, so I guess I'll have to continue looking elsewhere. My client's site is screwed up on all touchscreen devices using the Chrome browser, so if anyone knows the answer, it would be very much appreciated to receive one:

    Hello

    I created desktop, tablet and mobile versions of a web site. I looked at the site on my Surface Pro 3 and the left half of the screen shows the site, the right half is empty. This happens on other touchscreen tablets as well. After searching through a large number of forums, I realized that the problem is with Chrome. I looked at the site on the Surface Pro 3 with IE and it fills the screen and looks like it should. I have not found a solution to this on the forums; I see responses by Adobe on some forums saying "it is a Chrome issue". Chrome is used by about 70% of users, so it is a big problem. Is there a fix for this yet? Once responsive Muse is released I can redo this site, but meanwhile I need a fix, as the site is unacceptable to my client when viewed on touchscreen laptops. Thank you.

    Go to Site Properties. Select Tablet. Uncheck the "Redirect from desktop" box and re-publish.

  • Is it only a one-way sync?

    It does not appear that the changes I make in either Illustrator or InDesign get sent back to the application? That would be really great. Maybe I'm not saving correctly? In any case, it looks very promising!

    J.

    It is one-way. The purpose of the app is to make a mock-up, a "rough", sketching out a layout.

    The file is sent to InDesign/Illustrator/Photoshop for the realization of the project.

    It's actually quite brilliantly designed and implemented, especially for a 1.0 release.

  • One-way transaction management in a BPEL process

    Hello

    I created a one-way BPEL process with the oneWayDeliveryPolicy property set to Sync and the transaction property set to required. When I exposed this service as a SOAP service, I see the Transaction Participation in the Web Service adapter of the exposed service configured as NEVER. Does this mean that the BPEL callee would not participate in the same transaction as the BPEL caller?

    Aditya

    Hello

    The properties refer to support for different transaction "contexts", as you can see in the documents below. bpel.config.transaction refers to the transaction semantics of the BPEL Process Manager, while 'Transaction Participation' refers to WS-AT, which provides transaction interoperability between Oracle WebLogic Server and other providers' transaction services... I've never tested it myself, but I guess that if you process BPEL transactions, bpel.config.transaction will prevail...

    http://docs.Oracle.com/CD/E23943_01/dev.1111/e10224/soa_transactions.htm#CHDEHCFE
    http://docs.Oracle.com/CD/E23943_01/dev.1111/e10224/sca_bindingcomps.htm#SOASE86071

    Cheers,
    Vlad

  • Very basic one-way Golden Gate configuration

    DB version: Oracle 11.2.0.3
    Golden Gate version: 11.2 (latest one dated September 22, 2012)
    Platform: Solaris x86 64-bit

    Currently learning Golden Gate by googling, and I'll be installing Golden Gate for the first time.
    This is what I'm planning.
    Source DB: fncdev
    Target DB: sgntgt
    What needs to be replicated: the SCOTT and HR schemas from the source have to be replicated to the target (unidirectional)
    I intend to set up a very basic one-way GG, where the SCOTT and HR schemas in the source DB are replicated to the target DB.

    I would like to know 2 things.

    1. what should be the content of the parameter file?

    2. After I have properly configured GG, what would be the output of the INFO ALL command on the source and target databases?
    -- Source database
    GGSCI > info all
    
    -- Target database
    GGSCI > info all

    Basic Extract and Replicat parameter file contents.

    EXTRACT E_TEST1
    SETENV (ORACLE_SID = OGGTEST)

    USERID GGADMIN, PASSWORD *
    EXTTRAIL /goldengate/gg_trail/trail/test/et

    -- Add the lines below only if DDL replication is configured.
    -- DDL INCLUDE MAPPED
    -- DDLOPTIONS ADDTRANDATA, REPORT

    TABLE HR.*;
    TABLE SCOTT.*;
    -------------------------------------------------------------------------------------------------

    REPLICAT R_TEST1
    SETENV (ORACLE_SID = OGGTEST)

    USERID GGADMIN, PASSWORD *
    ASSUMETARGETDEFS

    DISCARDFILE oragg/11.1/dirrpt/R_TEST1.dsc, APPEND, MEGABYTES 1024

    MAP HR.*, TARGET HR.*;
    MAP SCOTT.*, TARGET SCOTT.*;

    I hope that these samples help!

    Kind regards
    RB

  • Site-to-site VPN with one-way data (need help)

    Hello

    Scenario:

    Site-to-site VPN with Cisco 837 routers:

    Site A: clients and printers

    Site B: print server and queues

    Site A can communicate via VPN using RDP to site B, very well.

    Question:

    Site B cannot send print jobs to the printers at Site A. It is also unable to telnet to and otherwise access devices at Site A from Site B. Pings work correctly to all devices though.

    Debugging on Site A, access-list 110 showed no response traffic to Site B via the VPN?

    I tried changing ip tcp adjust-mss 1452 but no good...

    Attached configs.

    Site A IOS: c837-k9o3y6-mz.123-4.T3.bin

    Site B IOS: c837-k9o3sy6-mz.123-2.XC2.bin

    Any help would be appreciated.

    Thank you very much...

    Thank you for including the configs and IOS versions. Looks like you hit a known IOS FW bug (http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCec78231&Submit=Search); you can perform the debugging described in its details to know for sure. It is difficult to tell which router would be the culprit in a scenario where both run CBAC on an L2L tunnel, but probably RouterA is dropping packets. This would also explain why pings work but TCP connections do not.

    I would upgrade BOTH routers to the same version anyway; you encounter far fewer problems that way, but make sure you upgrade to a fixed-in version (or later) to work around the problem.

  • Audio intermittent one-way via VPN NEM

    I have a user who uses an ASA 5505 in NEM to have access for his laptop and home Cisco IP phone. The ASA 5505 establishes a tunnel to an ASA 5510, which is connected to and speaking EIGRP with our main switch. Off the main switch we have our CCM cluster.

    The problem occurs during the first call after a long period of no calls. After that, if it happens during the first call, he or she can continue to make calls without the issue. I thought it was a timeout issue, but the ASA configuration is exactly the same. In addition, it uses the same group policy, tunnel-group etc. as everyone else with the same configuration.

    When the problem occurs, he cannot hear the other party but they can hear him.

    This problem occurs regardless of whether or not there is a PC behind the phone.

    External and internal calls are affected.

    I am aware that most one-way audio issues are RTP connectivity issues between two endpoints. I see clearly in the routing tables of all our routers that the path to the subnet his phone is on has not changed for days, and he has had the issue within that period.

    I'm looking for a good place to begin troubleshooting that doesn't require me to take a pcap. If all else fails I'll do a pcap, but I'm trying to be somewhat judicious with my time.

    I am certainly able to accept that maybe it's his router at home, since it is one of the only unique things about access at his location compared to the other 20 or so people I've done this for.

    Thanks in advance.

    Cisco IP Phone 7941

    CCM 7.1.5.32900 - 2

    ASA 5505 8.2 (5)

    ASA 5510 8.2 (5)

    Edit: Moved to the VPN

    Hello

    I suggest you check whether the number of packets increases during an ongoing call (press '?' twice).

    Also, I think you asked this question in the wrong discussion group; it should be under Security instead of Voice.
