Remote access to the site to site VPN

We currently have a site-to-site VPN set up on a direct line between our two data centers. Hosts at site A can talk to hosts at site B, and hosts at site B can talk to hosts at site A.

I've recently implemented a remote access VPN at site A. Remote access VPN clients can access all of the resources behind the ASA at site A without problem. However, strange things happen when they try to contact site B.

I have set up corresponding NAT exemptions on each side of the connection. The remote site reported no abnormalities. When a remote VPN client attempts to connect to site B, the only errors that appear are on the ASA at site A. When a remote client attempts to connect to a host at site B, the following errors appear in the log:

%ASA-3-305005: No translation group found for tcp src outside:10.3.0.1/60851 dst ds3:10.0.1.42/22

I have the following NAT exemption set up at site A:

access-list sheep; 3 elements

access-list sheep line 1 extended permit ip 10.1.0.0 255.255.0.0 10.0.0.0 255.255.0.0 (hitcnt=0)

access-list sheep line 2 extended permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.255.0 (hitcnt=0)

access-list sheep line 3 extended permit ip 10.3.0.0 255.255.255.0 10.0.0.0 255.255.0.0 (hitcnt=0)

I have been working on this for a few days now and hesitate to open a TAC ticket. I've seen a few similar questions on the forums, but have found zero with a working solution. I tried to follow the technical notes on Cisco's website for a similar configuration, but had no luck.

Also, I enabled same-security-traffic for both intra-interface and inter-interface.

Any help would be appreciated.

On the hub ASA, is this your topology? If so, try the suggestions below.

Inside 10.1.1.0/16 Net

Net 172.16.0.0/28 - net through Tunnel L2L 10.0.0.0/16 end DS3

VPN RA Net 10.3.0.0/24

For RA clients to access the hosts at the far end of the L2L tunnel, you will need an exempt sheep rule applied to the ds3 interface.

Based on the log:

%ASA-3-305005: No translation group found for tcp src outside:10.3.0.1/60851 dst ds3:10.0.1.42/22

Try this

no access-list test extended permit ip 10.3.0.0 255.255.255.0 10.0.0.0 255.255.0.0

access-list test extended permit ip 10.0.0.0 255.255.0.0 10.3.0.0 255.255.255.0

nat (ds3) 0 access-list test

On the other end of the tunnel (spoke), allow the RA network from the hub ASA in the interesting traffic.

Let us know how it works.

Regards
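
A triage sketch for the situation in this thread, added here as an example and not part of the original posts: it parses the 305005 message and checks the logged flow, in both directions, against the exemption entries listed in the question. The function names are hypothetical, the ACL text is retyped from the question's values, and only `permit ip <net> <mask> <net> <mask>` entries are handled.

```python
import ipaddress
import re

# Constructed input: the exemption entries from the question, typed in
# "show access-list" order; the ACL name "sheep" is as it appears on the page.
ACL_TEXT = """\
access-list sheep line 1 extended permit ip 10.1.0.0 255.255.0.0 10.0.0.0 255.255.0.0
access-list sheep line 2 extended permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.255.0
access-list sheep line 3 extended permit ip 10.3.0.0 255.255.255.0 10.0.0.0 255.255.0.0
"""
LOG_LINE = ("%ASA-3-305005: No translation group found for tcp "
            "src outside:10.3.0.1/60851 dst ds3:10.0.1.42/22")

ACE_RE = re.compile(r"access-list \S+ line (\d+) extended permit ip "
                    r"(\S+) (\S+) (\S+) (\S+)")
LOG_RE = re.compile(r"%\s*ASA-3-305005:.*?src (\S+?):([\d.]+)/\d+ "
                    r"dst (\S+?):([\d.]+)/\d+")

def parse_aces(text):
    """Return (line_no, src_net, dst_net) for each permit-ip entry."""
    aces = []
    for line_no, src, smask, dst, dmask in ACE_RE.findall(text):
        aces.append((int(line_no),
                     ipaddress.ip_network(f"{src}/{smask}", strict=False),
                     ipaddress.ip_network(f"{dst}/{dmask}", strict=False)))
    return aces

def parse_305005(line):
    """Extract interfaces and addresses from a 305005 message, or None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    src_if, src, dst_if, dst = m.groups()
    return {"src_if": src_if, "src": src, "dst_if": dst_if, "dst": dst}

def covering_lines(aces, src, dst):
    """ACL line numbers whose source and destination both contain the pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [n for n, snet, dnet in aces if s in snet and d in dnet]

def triage(log_line, acl_text):
    """Check the logged flow against the ACL in both directions."""
    flow = parse_305005(log_line)
    if flow is None:
        return None
    aces = parse_aces(acl_text)
    return {"flow": flow,
            "forward": covering_lines(aces, flow["src"], flow["dst"]),
            "reverse": covering_lines(aces, flow["dst"], flow["src"])}

if __name__ == "__main__":
    print(triage(LOG_LINE, ACL_TEXT))
```

With the values from the question, the forward direction is covered by line 3 while the reverse direction, 10.0.0.0/16 to 10.3.0.0/24 (the entry the reply proposes), has no matching line.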

Tags: Cisco Security

Similar Questions

  • AppPortal error: remote access to the server is not enabled

    I'm lost on this one.

    Using the full client of AppPortal on a Win7 64 bit machine (version 8.0 of the customer)

    Double-click the icon, download authenticated - published applications show, then double click a published application, the end user receives:

    Remote access to the server is not enabled.

    This happens only on a single computer

    From this profile of users on the given computer I can MSTSC on the same server without problem

    The error also follows the profiles on the given computer.

    I have closed the Antivirus and Windows Firewall and still can not get this to work.

    Even uninstalled and reinstalled the client.

    From my computer, I can easily log in as this user.

    Customers get automatically configured through an XML file.

    After installation, I tested this laptop and he always gave the same error.

    I ended up him to give me the phone for a few hours.

    Uninstalled the version that was there (build 8.0.0.forget) and scoured the Windows Explorer for all left overs (a little here and there in user profiles and delete).

    Then scoured the registry for expressions; vWorkspace, Quest Software and Provision Networks and remove all instances

    Reinstalled all THE SUCCESS with the new connector to our servers (8.0.306.1427)

    Thanks for the help Dave

  • Internal access to the site at the remote location via wifi

    We have an internal site to A location and we have a 2 layer hose B location. When you use the ethernet connection, site B can access the site. What we want to do, is allow them to access via wifi with the VPN site to site (who currently works) hosted by of our Sonicwall.

    How this is a problem is our network is separate; wifi at site B is on the DMZ. We added access rules to allow the DMZ-> VPN traffic on the site, which did not work; No ping, no traffic, no communication. We've also added policy NAT, same story.

    My theory on why it does not work is because the VPN tunnel to one SW to another is related to X 0, but even after enabling access, it's the same result.

    Any help would be appreciated. Thank you all!

    Hello

    Is the DMZ subnet at site B added under 'Local networks' in the Site B VPN policy and under 'Remote Networks' in the Site A VPN policy? If it is, then SonicWALL will auto-create access rules to allow WiFi traffic. Basically, you need to add the DMZ subnet of site B to the VPN policy.

    You can also see the article: https://support.software.dell.com/kb/sw7725

    #IWork4Dell

  • RV180 restrict access to the Site to Site VPN

    Hello

    I'm trying to set up my network so that VPN traffic is routed only to a single physical port on the RV180 or to a certain subset of devices on a network.

    I have a site to site vpn configuration in a Home Office and connect to the corporate network.  The user has a couple of devices on the home network who need to access the corporate network.

    We hope to leave his PC accessible to its home network and the corporate network, but limit other devices to access the vpn.

    I think that I could do it by playing with the subnet, but I just can't get my head around it.

    It must be something simpleish to do this, isn't there?

    I'd appreciate any help you have.

    Thank you

    Gary

    Hi boys, here's a hypothetical situation.

    VLAN 1 is port 1

    VLAN 2 is port 2

    VLAN 1 has a switch connected to your local network of services

    VLAN 2 has a switch to maintain your VPN.

    The port configuration for each port would be the respective VLAN, untagged.

    You can disable the router in order to prohibit inter-VLAN communication. But also, and especially, the VPN is subnet-specific: you specify the specific IP subnet in the tunnel config, and because the config does not include the second subnet, its traffic will not go through the tunnel.

    -Tom
    Please mark replied messages useful

  • Unable to get access to the site even if the correct user name and password provided. They checked carefully and it keeps telling me they are incorrect

    I tried to access the site to blainroe golf club and although I repeatedly gave the right username and password, it continues to tell me that it's a mistake and I therefore can't access.  Could you please help me solve this problem

    You will need to contact the Blainroe golf club for help with logging in to their website.

    I forgot the password:
    http://blainroe.com/mysitecaddy/site3/members.htm?login=0&type=zone&blockErrors=true

    The above page also has their phone number and email to contact them.

  • Problem blackBerry Smartphones with access to the site of mobile.blackberry of my 8900

    Hello

    I'm new to this forum, and I have a problem. I have not been able to access the site http://mobile.blackberry.com from my BlackBerry Curve 8900 for two weeks. Every time I try to log in, from the BB browser or Opera Mini browser, a message is displayed indicating that this is a non-BlackBerry page. The text of the page says "Unfortunately, your current device and/or browser is not compatible for this site." What should I do to access the site from my BlackBerry to download stuff? I have the latest version of the software, which I installed today thinking it would solve my problem, but to no avail. Can someone help me?

    Hello

    I use mobile.blackberry.com

    I suggest you open the browser, press the menu key, go to the cache operations, and clear all categories.

    I would go to the browser configuration and select BlackBerry browser emulation.

    I suggest a battery pull to set options and completely clear the queues.

    Let us know how it goes!

    Thank you

    Bifocals

    No data will be lost when you do the following: remove the battery while the device is activated.
    Replace it after one minute, let the device reboot 1-3 min, see if the problem is corrected.

  • Allow remote access to the VPN Cisco ASDM

    Hello

    I am trying to access asdm Setup for the user remote vpn. Our ASA running version 9.1 (1). ASDM is running version 7.1 (1) 52

    I have apart from the interface within the interface enabled for vpn tunnel and I use 3rd interface (asdm_inf) dedicated to this purpose.

    In the asdm, I enabled the management to asdm_inf interface. In the section ASDM, HTTPS, Telnet, SSH, I also add ASDM/HTTPS(port 444) for asdm_inf, ip_address 0.0.0.0 mask 0.0.0.0.

    However, when I connect to the vpn client and try https://asdm_inf:444, the connection is broken with timeout.

    Where could I go wrong? Any help would be appreciated.

    Thank you

    Hello

    Well, the split tunnel is incorrect: you are tunneling to 172.16.66.0/24, while your BFD which you want to manage the ASDM to is 192.168.244.0/24, so the split tunnel ACL should also include the 192.168.244.0/24 network.

  • How do you restrict access to the site visitors to certain geographic locations?

    I wonder if Business Catalyst has developed a way to prevent visitors from some countries to access my Web site? I found this old thread: the specified item was not found., but surely in the last 12:00 has developed a better option to add code to the Adobe Muse pages?

    recently, we have developed an Intranet in British Colombia site for a multinational company.

    Their requirement was to force the connection if outside their many firewall

    but inside they have full access.

    So, we built a webapp that they could use to control which IP addresses have been approved. Then, we used liquid to do queries on the front-end server.

    You could use this same principle to approve and reject all IP address ranges (i.e. countries)

    restriction by IP is not infallible, but it is possible

    Brett stockley

    www.prettydigital.com.au

    + 612 9212 4485

  • Access to the site from the Office on a mobile device

    Users want access to my site with a mobile device while it is connected to an external monitor or TV.  To do this, they need a way to access the version of office site, but even the option of 'Request' site Office of the browser does not work for my web site.  Is there something I can do in RoboHelp HTML 11 (Win7 OS) to solve this problem?

    Responsive HTML? (Skin Nivida? Send me an email.) In this case, media queries must be updated to account for the devices. For example, see: CSS media queries - Web developer guide | MDN

  • Access to the Site Muse

    If I replace my hard drive, what should I do to maintain access to my site built in Muse CC, once installed my new hard drive?

    You just need the original .muse file and the assets you used in the site.

  • question of remote server in the site Configuration dialog box.

    Hello

    I received client ftp information so that I can connect to its server to download files.

    The new CS5 box installation site is a bit different (hard)...

    I set up the folder on my desktop to download and set up the site (directions).

    Problem: under the "Servers" tab, there name address remote connection and tests... mine has two lines of info.

    The top one is my ftp from my personal site.

    Below, it is the only one that I created just to get the download and I gave her a false name.

    I have to remove the top? Because when I go to download it downloads files in my personal site - not customers. Or, should I uncheck "remote" from the top and activate at the bottom.

    I don't want to affect my site at all. Please explain how this new method works... How can I control + choose what server I want content to download from.

    I mean, if I had to remove this dialog box mine, then switch back to the my site dialog box, my connection to the remote server are deleted as well?

    Thank you!

    Too bad. I have it.

    I hesitated to experiment, but it seems that you can select a "remote" at the same time, so all I had to do was click on the customer.

  • Firefox keeps loading on certain websites without fully loading them, so I do not have access to the site.

    It only happens with some sites (www.dumpert.nl) when I want to open a video/film. With explore I have no problem with the loading of the same site. On another pc, the site opens properly with firefox.

    I made a few changes on the site, the problem should be solved now.

  • Failover of VPN client for remote access with the .pcf file

    Hi all

    Is it possible to give 2 remote peer IP addresses for the Cisco VPN client to connect to in the PCF file, so that failover can be achieved?

    I have my HO and DR firewalls configured for remote access VPN. I need to specify two firewall IPs in the PCF file on the client PC, so that in case the HO firewall is not available the VPN client will automatically connect to the DR firewall. I tried it like below; it does not work, I think.

    Appreciate any help...

    [main]

    Description =

    Host = 172.18.4.22

    Host = 172.18.4.10

    AuthType = 1

    GroupName = xxxxxx

    GroupPwd =

    enc_GroupPwd = DDBC400B7B3D1AEA1A5E6DEB5874CC057F759A6EED78B281F28D68F6A65380506D7E6CBA173B854C6ADC53FC49C1595B

    EnableISPConnect = 0

    ISPConnectType = 0

    Thanks in advance

    Mikael

    You must configure the server "backup":
    http://www.Cisco.com/en/us/docs/security/vpn_client/cisco_vpn_client/VPN...

    The easiest way is to do it with the GUI.

    Sent from Cisco Technical Support iPad App

  • Access to the site of a new HD

    I just added a new internal HD to replace my default apparently one and cloned the old drive to the new. All my sites in Dreamweaver MX point to the old Mac HD (eg., read files in the Site: Site - schreiberHSA (Macintosh HD:Schreiber Web site).)

    How can I get the new drive to the location of the site and not lose files?

    You haven't lost the files. They are still there on the new drive. Just
    Change your site definitions to point to the location of the site of the new drive.

    How many sites?

    Have you updated to 6.1 DMX6.0? Please hurry.

    --
    Murray - ICQ 71997575
    Adobe Community Expert
    (If you *MUST* write me, don't LAUGH when you do!)
    ==================
    http://www.projectseven.com/go - DW FAQs, tutorials & resources
    http://www.dwfaq.com - DW FAQs, tutorials & resources
    ==================

    "joe.b. " wrote in message
    News:gqgaem$EP9$1@forums.macromedia.com...
    > I just added a new internal HD to replace my default apparently one and
    > cloned
    > the old drive to the new. All my sites in Dreamweaver MX pointing
    > the old
    > Mac HD (eg., read files in the Site: Site - schreiberHSA (Mac HD:Schreiber
    > Web site).)
    >
    > How can I get the new drive to the location of the site and not lose files?
    >

  • block access to the local asa firewall vpn accounts

    I'm looking at the local accounts on the firewall and would like to make sure that users who have local accounts for VPN do not have management access to the firewall itself through asdm, telnet or ssh.

    The only aaa command on the firewall is

    aaa authentication ssh console LOCAL

    With this command, if I change the local account setting to 'No ASDM, SSH, Telnet or Console access' (see attached screenshot), will that still allow users to VPN in and access the network as they need to, but remove any potential access to the firewall?

    Thank you

    Hello

    Yes, selecting the option "No ASDM, SSH, Telnet or Console access" blocks only the admin access to the firewall. Here's the equivalent CLI for this option:

    myASA(config-username)# service-type ?

    username mode commands/options:
      admin          User is allowed access to the configuration prompt.
      nas-prompt     User is allowed access to the exec prompt.
      remote-access  User is allowed network access.

    If you use this option you will be on the third option in the above list, that is remote-access. Users will be able to VPN in but will have no admin access (asdm, ssh, telnet or console).

    Thank you

    Waris Hussain.
