Residential group with VPN settings?
What's up with the homegroup? It works on a home network with one or two of the PCs connected to a remote domain through a VPN connection?
I unplugged all VPNs and then a PC sees each other on the residential group, but the other does not... Both Win7 Pro/Ulitmate. Why is it so hard to do what Citrix, I thought was owned by MS, or other third-party companies SW do it very carefully. I want just a simple home network?
Homegroup relies on IPv6 and therefore will not work over a VPN connection.
[If this post was helpful, please click the button "Vote as helpful" (green triangle). If it can help solve your problem, click on the button 'Propose as answer' or 'mark as answer '. [By proposing / marking a post as answer or useful you help others find the answer more quickly.]
Tags: Windows
Similar Questions
-
Create different group with VPN remote access
Hello world
The last time, I ve put in place a VPN for remote access to my network with ASA 5510
I ve access to all my internal LAn helped with my VPN
But I want to set up a vpn group in the CLI for a different group of the user who accesses the different server or a different network on my local network.
Example: computer group - access to 10.70.5.X network
Group consultant network - access to 10.70.10.X
I need to know how I can do this, and if you can give me some example script to complete this
Here is my configuration:
ASA Version 8.0 (2)
!
ASA-Vidrul host name
vidrul domain name - ao.com
activate 8Ry2YjIyt7RRXU24 encrypted password
names of
DNS-guard
!
interface Ethernet0/0
nameif outside
security-level 0
address IP X.X.X.X 255.255.255.X
!
interface Ethernet0/1
nameif inside
security-level 100
address IP X.X.X.X 255.255.255.X
!
interface Ethernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
Description Port_Device_Management
nameif management
security-level 99
address IP X.X.X.X 255.255.255.X
management only
!
2KFQnbNIdI.2KYOU encrypted passwd
passive FTP mode
DNS server-group DefaultDNS
vidrul domain name - ao.com
access-list 100 scope ip allow a whole
access-list extended 100 permit icmp any any echo
access-list extended 100 permit icmp any any echo response
vpn-vidrul_splitTunnelAcl permit 10.70.1.0 access list standard 255.255.255.0
vpn-vidrul_splitTunnelAcl permit 10.70.99.0 access list standard 255.255.255.0
inside_nat0_outbound list of allowed ip extended access all 10.70.255.0 255.255.255.0
pager lines 24
Outside 1500 MTU
Within 1500 MTU
MTU 1500 management
IP local pool clientvpngroup 10.70.255.100 - 10.70.255.200 mask 255.255.255.0
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 602.bin
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 1 10.70.0.0 255.255.0.0
Access-group 100 in the interface inside
Access-group 100 interface insideTimeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout, uauth 0:05:00 absolute
dynamic-access-policy-registration DfltAccessPolicy
Protocol RADIUS AAA-server 10.70.99.10
AAA authentication enable LOCAL console
the ssh LOCAL console AAA authentication
LOCAL AAA authorization command
Enable http server
http 192.168.1.2 255.255.255.255 management
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
SYSTEM_DEFAULT_CRYPTO_MAP game 65535 dynamic-map crypto transform-set ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
the Encryption
md5 hash
Group 2
life 86400
Crypto isakmp nat-traversal 30
Telnet 0.0.0.0 0.0.0.0 inside
Telnet timeout 5
SSH 0.0.0.0 0.0.0.0 outdoors
SSH timeout 5
Console timeout 0
outside access management
dhcpd manage 192.168.1.2 - 192.168.1.5
dhcpd enable management
!
a basic threat threat detection
Statistics-list of access threat detection
!
class-map inspection_default
match default-inspection-traffic
block-url-class of the class-map
class-map imblock
match any
class-map P2P
game port tcp eq www
!
!
type of policy-card inspect dns migrated_dns_map_1
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the migrated_dns_map_1 dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
Policy-map IM_P2P
class imblock
class P2P
!
global service-policy global_policy
vpn-vidrul group policy internal
vpn-vidrul group policy attributes
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value vpn-vidrul_splitTunnelAcl
value by default-field vidrul - ao.com
test 274Y4GRAbNElaCoV of encrypted password privilege 0 username
username admin privilege 15 encrypted password bTpUzgLxalekyhxQ
attributes of user admin name
Strategy-Group-VPN-vpn-vidrul
username, password suporte zjQEaX/fm0NjEp4k encrypted privilege 15
type tunnel-group vidrul-vpn remote access
vpn-vidrul general-attributes tunnel-group
address clientvpngroup pool
Group Policy - by default-vpn-vidrul
IPSec-vpn-vidrul tunnel group attributes
pre-shared-key *.
context of prompt hostname
Cryptochecksum:d84e64c87cc5b263c84567e22400591c
: endWhat you need to configure is to imitate the configuration on the tunnel-group and group strategy and to configure access to specific network you need.
Currently, you have configured the following:
vpn-vidrul group policy internal
vpn-vidrul group policy attributes
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value vpn-vidrul_splitTunnelAcl
value by default-field vidrul - ao.comtype tunnel-group vidrul-vpn remote access
vpn-vidrul general-attributes tunnel-group
address clientvpngroup pool
Group Policy - by default-vpn-vidrul
IPSec-vpn-vidrul tunnel group attributes
pre-shared-key *.What you need is to create new group policy and the new tunnel-group and configure the tunnel split ACL to allow access to specific access required.
The user must then connect with the new group name and the new pre-shared key (password).
Hope that helps.
-
I just bought a new laptop with Windows 7 on it, so I decided to try the new homegroup in Windows 7 feature. I activated the homegroup on my desk and apart from the music, photos and videos. I then joined the residential group with the new portable computer using the password provided by the office shared libraries and the same 3 homegroup. All appeard to put up correctly, but I can't browse libraries shared each machine to other machine. I have the Homegroup and click on the other machine and I see 3 libraries, but when I click on any one of them does nothing. This happens on both machines. The only way I can get the residential groups to work is to first go to the other machine and provide credentials on the other machine. After doing this, the homegroup files begin to work. I was under the impression that the homegroup password was all I had to have access to all shared folders with the homegroup, but the only way I can get the homegroup to work is first authenticate itself to other machine using a user name and password.
The two machines are configured with the following:
- Network discovery is enabled
- File sharing and printer is enabled
- Public folder sharing is on
- Streaming Media is on
- File sharing connections is configured to use 128-bit encryption
- Password protected sharing is on
- Homegroup connections is set up to allow Windows to manage.
I came across this forum because I had the same problem today. Real quickly, I have two laptops, one running windows 7 Home premium 32-bit and the other runs windows 7 Professional 32-bit. I have comcast for my internet provider and their cable modem attached to my belkin wireless router. I don't know if my fix will work for someone else, but it worked for me, so this is.
1. unplug the router cable modem wireless2. connect the router to one of your computers using an ethernet cord3. open a web browser and type in the IP address of the router in the Web page bar (as when you type hotmail.com to go check your email). Mine is a belkin so 192.168.2.1 has worked for me.4. the control of the router page should open, and one of the options should be to reset factory settings, do this.5. DO NOT CONNECT THE ROUTER TO THE CABLE MODEM6 configure the router in the same way that you did when you first installed the router, but just to be sure, I used another name for the network7. Once you have the password set up and named network you can disconnect the ethernet cable.8. connect to the new network without wire of each computer (just like when you connect to a wireless network) choose House (rather than work or public) for the network location.9. at this stage my homegroup didn't work, if it is not there for you, you may need to set up the homegroup in Control Panel.10. once the residential group is working the way you want to connect the router wireless to the modem cable and check to see if your internet connection is working by opening a web browser and go to any old siteHope this helps!Cameron -
How to share a second hard drive with the residential group / network?
Initially, I posted this to the security and privacy but we told him it should be under the sons of the network. Here's hoping someone can help.
I have a desktop computer and a laptop both running W7 Home Professional 64 bit. On the desktop, I have 2 hard drives - C has programs, D has the data. On the laptop, I'm just a hard drive.
Each machine can see the other time under residential group and network. From the Office I can access files that are on the laptop but I can't do the reverse.
The laptop can see the desktop drive D and all folders that I shared, but when I try to dig into a folder I get a message saying I don't have permission to access the folder. In this case, if I try to access using either homegroup or the network.
On the desktop, when I look at the properties of the D drive it shows as a shared network drive. Individual records within D show shared with permissions of read/write with anyone and/or homegroup.
What did I do wrong (or failed to do) to allow me to access the files on the disk D of desktop from the laptop?
Hello
Step 1: Try to run the troubleshooter of shared folders and check.
Reference: http://windows.microsoft.com/en-us/windows7/Share-files-with-someoneStep 2: Try to give permissions to specific user through which you are trying to access these files or folders.
Reference: http://technet.microsoft.com/en-us/library/bb727008.aspxStep 3: You can also try the advanced sharing and check.
See the article provided in step 1 and the bottom of the article.
http://Windows.Microsoft.com/en-us/Windows7/file-sharing-essentials#section_3
You can also try the advanced sharing and check.
Access to files and printers on other homegroup computers
http://Windows.Microsoft.com/en-us/Windows7/access-files-and-printers-on-other-HomeGroup-computersThanks and greetings
Umesh P - Microsoft technical support.Visit our Microsoft answers feedback Forum and let us know what you think.
[If this post can help solve your problem, please click the 'Mark as answer' or 'Useful' at the top of this message.] [Marking a post as answer, or relatively useful, you help others find the answer more quickly.] -
IOS router with several groups of VPN
Similar to a discussion, I read with a PIX firewall, I need to set up multiple VPN groups on IOS-based router to support different levels of security. For example, a VPN "GUESTS" group would only have access to 1 server, while the VPN "ADMIN" group would have access to the entire network.
With a PIX firewall, you can simply specify additional group names (for example "group1 vpngroup',"vpngroup group2"and so on). However, I have not been able to find how do with IOS-based router (Cisco 831 12.3 (4) T) running.
For example, I have these dynamic groups of VPN:
the crypto isakmp client configuration group of GUESTS
password1 keys
DNS 10.1.1.1
swimming POOL1-IP pool
Configuration group customer crypto isakmp ADMIN
key password2
DNS 10.1.1.1
POOL2-IP pool
! - Users get authenticated to a RADIUS server
list of card crypto CRYPTOMAP customer VPN-USER authentication
! - The problem is that line taken out. "I can only specify an allow list (a group name) for this encryption card!)
card crypto CRYPTOMAP ADMIN isakmp authorization list
I did research on this site, Google, usenet and ORC and have not found what I'm looking for. Any ideas?
Thank you.
Command 'isakmp authorization list' you do it reference does not refer to the VPN group, it refers to a whitelist of AAA name which States that the groups are configured locally. Change to the following:
AAA authorization groupauthor LAN
card crypto isakmp authorization list groupauthor CRYPTOMAP
The "groupauthor" is just a label that matches the encryption to the aaa command. Your clients VPN will be accompanied to a specific group depends on what group name, they set up in their VPN client.
See http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080095106.shtml for details, it's a HW 3002 client to a router but the router config is exactly the same thing.
-
Group Lock VPN 3000 binding users to their group
I only use a 3015 VPN with VPN Client 3.5.1 using IPSEC. Cisco ACS 3.0 is the radius, all users of the authentication server. If I use a group on the client, I can log in using a different username to groups.
It is interesting then you get the other privileges of groups for this user as you would expect.
If I select group Lock on core group settings is not any effect.
I want to restrict the access of clients to the users group in its own configured.
I use an external authentication to the Radius ACS server for groups.
Thanks for any help you can give.
Mark
Hi Mark,
You can follow the example of configuration to:
http://www.Cisco.com/warp/public/471/altigagroup.html
Thank you
Jean Marc
-
I have two problems with IPSEC VPN, using the cisco client, and a third, which I think could answer here if this isn't strictly associated with VPN.
1. cannot access the internet, while VPN is in place. This can be a problem of client as I * think * I've split tunneling to install correctly.
2. cannot access other networks except the network associated with the inside interface natively.
3. I can not ping to the internet from inside, be it on the VPN or not.
I tend to use the SMDA; Please, if possible, keep the answer to this kindof of entry.
Here is the config:
Output of the command: "sh run".
: Saved
:
ASA Version 8.4 (1)
!
hostname BVGW
domain blueVector.com
activate qWxO.XjLGf3hYkQ1 encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Ethernet0/0
nameif outside
security-level 10
IP 5.29.79.10 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
IP 172.17.1.2 255.255.255.0
!
interface Ethernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
nameif management
security-level 100
IP 172.19.1.1 255.255.255.0
management only
!
passive FTP mode
DNS server-group DefaultDNS
domain blueVector.com
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
the subject of WiFi network
172.17.100.0 subnet 255.255.255.0
WiFi description
the object to the Interior-net network
172.17.1.0 subnet 255.255.255.0
network of the NOSPAM object
Home 172.17.1.60
network of the BH2 object
Home 172.17.1.60
the EX2 object network
Home 172.17.1.61
Description internal Exchange / SMTP outgoing
the Mail2 object network
Home 5.29.79.11
Description Ext EX2
network of the NETWORK_OBJ_172.17.1.240_28 object
subnet 172.17.1.240 255.255.255.240
network of the NETWORK_OBJ_172.17.200.0_24 object
172.17.200.0 subnet 255.255.255.0
DM_INLINE_TCP_1 tcp service object-group
port-object eq www
EQ object of the https port
the DM_INLINE_NETWORK_1 object-group network
network-object BH2
network-object NOSPAM
Outside_access_in list extended access permit tcp any eq smtp DM_INLINE_NETWORK_1 object-group
Outside_access_in list extended access permit tcp any object object-group DM_INLINE_TCP_1 BH2
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
management of MTU 1500
mask pool local 172.17.1.240 - 172.17.1.250 VPN IP 255.255.255.0
mask pool local 172.17.200.100 - 172.17.200.200 VPN2 IP 255.255.255.0
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
NAT (inside, outside) static source EX2 Mail2
NAT (inside, outside) static source all all NETWORK_OBJ_172.17.1.240_28 of NETWORK_OBJ_172.17.1.240_28 static destination
NAT (inside, outside) static source all all NETWORK_OBJ_172.17.200.0_24 of NETWORK_OBJ_172.17.200.0_24 static destination
NAT (inside, outside) static source to the Interior-NET Interior-net destination static NETWORK_OBJ_172.17.1.240_28 NETWORK_OBJ_172.17.1.240_28
!
the object to the Interior-net network
NAT (inside, outside) dynamic interface
network of the NOSPAM object
NAT (inside, outside) static 5.29.79.12
Access-group Outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 5.29.79.9 1
Route inside 10.2.0.0 255.255.255.0 172.17.1.1 1
Route inside 10.3.0.0 255.255.255.128 172.17.1.1 1
Route inside 10.10.10.0 255.255.255.0 172.17.1.1 1
Route inside 172.17.100.0 255.255.255.0 172.17.1.3 1
Route inside 172.18.1.0 255.255.255.0 172.17.1.1 1
Route inside 192.168.1.0 255.255.255.0 172.17.1.1 1
Route inside 192.168.11.0 255.255.255.0 172.17.1.1 1
Route inside 192.168.30.0 255.255.255.0 172.17.1.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
AAA-server blueVec protocol ldap
blueVec AAA-server (inside) host 172.17.1.41
LDAP-base-dn DC = adrs1, DC = net
LDAP-group-base-dn DC = EIM, DC = net
LDAP-scope subtree
LDAP-naming-attribute sAMAccountName
LDAP-login-password *.
LDAP-connection-dn CN = Hanna\, Roger, OU = human, or = WPLAdministrator, DC = adrs1, DC = net
microsoft server type
Enable http server
http 192.168.1.0 255.255.255.0 management
http 172.17.1.0 255.255.255.0 inside
http 24.32.208.223 255.255.255.255 outside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto Outside_map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
Outside_map interface card crypto outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
authentication crack
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH 172.17.1.0 255.255.255.0 inside
SSH timeout 5
Console timeout 0
dhcpd address 172.17.1.100 - 172.17.1.200 inside
dhcpd 4.2.2.2 dns 8.8.8.8 interface inside
dhcpd lease interface 100000 inside
dhcpd adrs1.net area inside interface
!
a basic threat threat detection
threat detection statistics
a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200
WebVPN
internal blueV group policy
attributes of the strategy of group blueV
value of server WINS 172.17.1.41
value of 172.17.1.41 DNS server 172.17.1.42
Ikev1 VPN-tunnel-Protocol
value by default-field ADRS1.NET
internal blueV_1 group policy
attributes of the strategy of group blueV_1
value of server WINS 172.17.1.41
value of 172.17.1.41 DNS server 172.17.1.42
Ikev1 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
adrs1.NET value by default-field
username gwhitten encrypted password privilege 0 8fLfC1TTV35zytjA
username gwhitten attributes
VPN-group-policy blueV
rparker encrypted FnbvAdOZxk4r40E5 privilege 15 password username
attributes of username rparker
VPN-group-policy blueV
username mhale encrypted password privilege 0 2reWKpsLC5em3o1P
username mhale attributes
VPN-group-policy blueV
VpnUser2 SlHbkDWqPQLgylxJ encrypted privilege 0 username password
username VpnUser2 attributes
VPN-group-policy blueV
Vpnuser3 R6zHxBM9chjqBPHl encrypted privilege 0 username password
username Vpnuser3 attributes
VPN-group-policy blueV
username VpnUser1 encrypted password privilege 0 mLHXwxsjJEIziFgb
username VpnUser1 attributes
VPN-group-policy blueV
username dcoletto encrypted password privilege 0 g53yRiEqpcYkSyYS
username dcoletto attributes
VPN-group-policy blueV
username, password jmcleod aSV6RHsq7Wn/YJ7X encrypted privilege 0
username jmcleod attributes
VPN-group-policy blueV
rhanna encrypted Pd3E3vqnGmV84Ds2 privilege 15 password username
rhanna attributes username
VPN-group-policy blueV
username rheimann encrypted password privilege 0 tHH5ZYDXJ0qKyxnk
username rheimann attributes
VPN-group-policy blueV
username jwoosley encrypted password privilege 0 yBOc8ubzzbeBXmuo
username jwoosley attributes
VPN-group-policy blueV
2DBQVSUbfTBuxC8u encrypted password privilege 0 kdavis username
kdavis username attributes
VPN-group-policy blueV
username mbell encrypted password privilege 0 adskOOsnVPnw6eJD
username mbell attributes
VPN-group-policy blueV
bmiller dpqK9cKk50J7TuPN encrypted password privilege 0 username
bmiller username attributes
VPN-group-policy blueV
type tunnel-group blueV remote access
tunnel-group blueV General-attributes
address VPN2 pool
authentication-server-group blueVec
Group Policy - by default-blueV_1
blueV group of tunnel ipsec-attributes
IKEv1 pre-shablue-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
HPM topN enable
Cryptochecksum:2491a825fb8a81439a6c80288f33818e
: end
Any help is appreciated!
-Roger
Hey,.
Unfortunately, I do not use ASDM myself but will always mention things that could be done.
You do not split tunneling. All traffic either tunnel to the ASA, while VPN is active
You have the following line under the "group policy"
Split-tunnel-policy tunnelspecified
You will also need this line
Split-tunnel-network-list value
Defines the destination for the VPN Client networks. If you go in on the side of the ASDM group policy settings, you should see that no ACL is selected. You don't really seem to have an ACL in the configuration above, for the split tunneling?
To activate access Internet via the VPN Client now in the current configuration, I would say the following configuration of NAT
VPN-CLIENT-PAT-SOURCE network object-group
object-network 172.17.200.0 255.255.255.0
NAT (outside, outdoor) automatic interface after dynamic source VPN-CLIENT-PAT-SOURCE
In regards to the traffic does not for other networks, I'm not really sure. I guess they aren't hitting the rule NAT that are configured. I think they should, but I guess they aren't because its does not work
I could myself try the following configuration of NAT
object-group, network LAN-NETWORKS
object-network 10.2.0.0 255.255.255.0
object-network 10.3.0.0 255.255.255.128
object-network 10.10.10.0 255.255.255.0
object-network 172.17.100.0 255.255.255.0
object-network 172.18.1.0 255.255.255.0
object-network 192.168.1.0 255.255.255.0
object-network 192.168.11.0 255.255.255.0
object-network 192.168.30.0 255.255.255.0
object-group, network VPN-POOL
object-network 172.17.200.0 255.255.255.0
NAT (inside, outside) static static source of destination LAN-LAN-NETWORK VPN-VPN-POOL
Add ICMP ICMP Inspection
Policy-map global_policy
class inspection_default
inspect the icmp
or alternatively
fixup protocol icmp
This will allow automatically response to ICMP echo messages pass through the firewall. I assume that they are is blocked by the firewall now since you did not previously enable ICMP Inspection.
-Jouni
-
Unable to manage residential groups
Wow, this forum can be useless sometimes. Ask you a question and it shows completely devoid of meaning and unrelated responses. Anyway, I digress.
-J' have 2 laptops, one is Win 7, the other is Win 8.1
-Apparently, when 2 computers with or the other of these BONES are connected to the same router, a homegroup is created automatically.
-I don't see this anywhere homegroup
-When I try to join the Win 8.1 machine, he asks me a password
-on the Win 7 machine, if I click on see the password, nothing happens
-If I click on change password and enter a pw, it shows "Windows cannot configure a homegroup on this computer.
-If I don't change the PW and click Next, it shows the same message.
-J' read on this forum that I can remove the homegroup, and then by restarting automatically recreates the homegroup
-Apparently, if I go into control panel > all items > homegroup, I can remove the homegroup
-According to the responses on this forum, the instructions for the removal of the homegroup are in BOLD.
- But as you can see, there is nothing on this page about any of this:
-This screenshot is the laptop under Win 8.1; in Win 7, there is an option to leave the homegroup, but clicking on that does not work and displays an error message: Windows could not remove this computer from homegroup. No other options or explanations... Aargh!
-If I try to use the resolution of the problems of the residential group, on both machines it is said there is a network problem, and which should be resolved first. So I try troubleshooting.
-on Win mobile, 8, it says can not identify the problem.
-on the portable Win 7, it is said be name resolution Protocol Service (PNRPsvc) or peer network (p2ppsvc) Identity Manager service does not work.
-This message is a link that should allow the service for Peer-to-Peer grouping. When you click on it, it switches back to "Failed", without explanations or other options... aargh!
Good God, it can't be that complicated to do this job! These two laptops running their OS straight out of the box; I have never modified all the network settings, etc. Shouldn't this work automatically, as shown in Microsoft?
I just got this new laptop with 8.1 on it, and a lot of things does not work as it should (could not get the printer to work, etc.). So far, all efforts to solving the problems were completely useless: always ends with 'cannot identify the problem'. I am dreading setting to the top of my email and imported all my story.
In any case, just a dump now. Anyone with experience with homegroups, please let me know what I need to do.
Fish
Hello fish,.
Thank you for your response.
I'm sorry for the late reply.
I appreciate your time.
Please refer to the suggestions of Stephanie Podder replied on 22 July 2013 and check the issue.
http://answers.Microsoft.com/en-us/Windows/Forum/windows_8-networking/Windows-8-HomeGroup-problem/f67e2ce3-153D-4516-B67D-a27672a469c9I hope this helps.
Thank you
-
Assign the radius server to specific groups of VPN 3000
Last week, I assigned a test Cisco ACS server to be used for authentication and device of accounting for a specific group on a Cisco VPN concentrator 3060. When I looked at ACS, it appears that not only the Group was to go there but others through this way and using the default values on the Cisco Secure ACS. Is it possible that I can make sure only the traffic assigned to this specific group of VPN using the ACS server defined?
Thank you
Hello
Not sure about your implementation. But you must configure the group for this specific ad group map can only authentication.
In the external group map db, map
Group ACS VPN---> with<---- ad="" vpn="">---->
Any other combination should point to any access group.
Kind regards
~ JG
Note the useful messages
-
Two residential groups on one computer? How to remove a?
I am trying to connect two laptops to the office after replacing the hard drive in Windows 7. I get a message sayiing there are two residential groups on my compluter. How can I find the info for a second HG, so it can be deleted?
Hello
I suggest you to consult the following link:
Leave a homegroup
http://Windows.Microsoft.com/en-in/Windows7/leave-a-HomeGroup
See also:
http://Windows.Microsoft.com/en-in/Windows7/add-computers-to-a-HomeGroup
http://Windows.Microsoft.com/en-in/Windows7/change-HomeGroup-settings
http://Windows.Microsoft.com/en-in/Windows7/join-a-HomeGroup
http://Windows.Microsoft.com/en-in/Windows7/HomeGroup-frequently-asked-questions
http://Windows.Microsoft.com/en-in/Windows7/HomeGroup-recommended-links
It will be useful.
-
3 RVS 4000 with VPN connection
Hello
I want to connect in a triangle 3 RVS 4000 router with VPN
I configured 3 routers, which can connect to the Internet. Each of them are configured as the gateway.
I created 2 tunnels on each router. But the vpn connection cannot be established.
Here is the configuration of ROUTER1 another are configured in the same way, only the remote group configuration is different
What I also open some ports for VPN, if yes which and were
Thanks fpr your help and your response
HP. Meyer
Hi hanspetermeyer,
Thank you for posting. You don't need to open all the ports for VPN. I noticed that your screenshot shows two routers have a common LAN subnet of 192.168.100.x. You will need a different local subnet for each router:
- 1 router: 192.168.1.1
- Router 2: 192.168.2.1
- Router 3: 192.168.3.1
I think that you will find the tunnels only connect once you change the LAN IP of the routers so that they are on different subnets. Please let us know if it works.
-
Internet access with VPN Client to ASA and full effect tunnel
I'm trying to migrate our concentrator at our new 5520 s ASA. The concentrator has been used only for VPN Client connections, and I have not the easiest road. However, I, for some reason, can't access to internet through our business network when I've got profiles with lots of tunneling.
I've included the configuration file, with many public IP information and omitted site-to-site tunnels. I left all the relevant stuff on tunnel-groups and group strategies concerning connectivity of VPN clients. The range of addresses that I use for VPN clients is 172.16.254.0/24. The group, with what I'm trying to access the internet "adsmgt" and the complete tunnel to our network part is fine.
As always, any help is appreciated. Thank you!
Hüseyin... good to see you come back.. bud, yes try these Hüseyin sugesstiong... If we looked to be ok, we'll try a different approach...
IM thinking too, because complete tunnel is (no separation) Jim ASA has to go back for the outbound traffic from the internet, a permit same-security-traffic intra-interface, instruction should be able to do it... but Jim start by Hüseyin suggestions.
Rgds
Jorge
-
IPSec remote VPN with VPN client in error
Hello
ASA 5505 configuration is: (installation using ASDM)
output from the command: 'show running-config '.
: Saved
:
ASA Version 8.2 (5)
!
hostname TESTSelect _ from encrypted password
_ encrypted passwd
names of
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP address dhcp setroute
!
passive FTP mode
sap_vpn_splitTunnelAcl list standard access allowed 192.168.1.0 255.255.255.0
inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.10.0 255.255.255.224
pager lines 24
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
IP local pool test_pool 192.168.10.0 - 192.168.10.20 mask 255.255.255.0
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 1 0.0.0.0 0.0.0.0
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
AAA authentication http LOCAL console
Enable http server
http 192.168.1.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
dhcpd outside auto_config
!
dhcpd address 192.168.1.5 - 192.168.1.132 inside
dhcpd allow inside
!a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
internal sap_vpn group policy
attributes of the strategy of group sap_vpn
value of server DNS 192.168.2.1
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list sap_vpn_splitTunnelAcl
username password encrypted _ privilege 0 test
username test attributes
VPN-group-policy sap_vpn
Username password encrypted _ privilege 15 TEST
type tunnel-group sap_vpn remote access
tunnel-group sap_vpn General-attributes
address test_pool pool
Group Policy - by default-sap_vpn
sap_vpn group of tunnel ipsec-attributes
pre-shared key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:b67cdffbb9567f754052e72f69ef95f1
: endI use customer VPN authentication with IP 192.168.2.20 host group with username:sap_vpn and key pre-shared password but not able to connect to the vpn and the error message attached.
ASA, set up with the initial wizard ASDM: inside the interface IP 192.168.1.1 (VLAN1) and outside (VLAN2) IP 192.168.2.20 assigned by using DHCP. I use outside interface IP 192.168.2.20 to HOST IP to the VPN client for the remote connection? is it good?
Please advise for this.
Hello
What train a static IP outside? We need a static IP address to connect, please try again and let us know how it works?
Kind regards
-
Problem with "vpn sysopt connection permit.
Hi all
I would like to ask you for advice with "vpn sysopt connection permit". I have a problem with by-pass-access list (acl) in the INSIDE interface. As I understand it and I'm going to use this command, there is no need to especialy allow traffic in the access list for the INSIDE and I can control the filter-vpn traffic. But in my case it's quite the opposite, I want particularly to this INTERIOR acl traffi. When I allow this traffic inside acl L2L tunnel rises, hollow traffic flow vpn-fltr ane acl that everything is OK. But when I do not allow that this traffic is inside of the rule with Deny statement in acl INSIDE block traffic and tunnel goes ever upward. Part of the configuraciton which you can view below.
Please let me know if I'm wrong, or what I did wrong?
Thank you
Karel
PHA-FW01 # view worm | Worm Inc
Cisco Adaptive Security Appliance Software Version 4,0000 1
PHA-FW01 # display ru all sys
No timewait sysopt connection
Sysopt connection tcpmss 1380
Sysopt connection tcpmss minimum 0
Sysopt connection permit VPN
Sysopt connection VPN-reclassify
No sysopt preserve-vpn-stream connection
no RADIUS secret ignore sysopt
No inside sysopt noproxyarp
No EXT-VLAN20 sysopt noproxyarp
No EXT-WIFI-VLAN30 sysopt noproxyarp
No OUTSIDE sysopt noproxyarp
PHA-FW01 # display the id of the object-group ALGOTECH
object-group network ALGOTECH
object-network 10.10.22.0 255.255.255.0
host of the object-Network 172.16.15.11
PHA-FW01 # show running-config id of the object VLAN20
network of the VLAN20 object
subnet 10.1.2.0 255.255.255.0
L2L_to_ALGOTECH list extended access permitted ip object object-group VLAN20 ALGOTECH
extended access list ACL-ALGOTECH allow ip object-group object VLAN20 ALGOTECH
Note EXT-VLAN20 of access list =.
access list EXT-VLAN20 allowed extended ip object VLAN20 ALGOTECH #why object-group must be the rule here?
access list EXT-VLAN20 extended permitted udp object VLAN20 object-group OUT-DNS-SERVERS eq field
EXT-VLAN20 allowed extended VLAN20 object VPN-USERS ip access list
EXT-VLAN20 extended access list permit ip object VLAN20 OPENVPN-SASPO object-group
EXT-VLAN20 allowed extended object VLAN10 VLAN20 ip access list
deny access list extended VLAN20 EXT ip no matter what LOCAL NETS of object-group paper
EXT-VLAN20 allowed extended icmp access list no echo
access list EXT-VLAN20 allowed extended object-group SERVICE VLAN20 object VLAN20 everything
EXT-VLAN20 extended access list deny ip any any newspaper
extended access list ACL-ALGOTECH allow ip object-group object VLAN20 ALGOTECH
GROUP_POLICY-91 group policy. X 41. X.12 internal
GROUP_POLICY-91 group policy. X 41. X.12 attributes
value of VPN-filter ACL-ALGOTECH
Ikev1 VPN-tunnel-Protocol
tunnel-group 91.X41. X.12 type ipsec-l2l
tunnel-group 91.X41. X.12 General attributes
Group Policy - by default-GROUP_POLICY-91. X 41. X.12
tunnel-group 91.X41. X.12 ipsec-attributes
IKEv1 pre-shared-key *.
PHA-FW01 # show running-config nat
NAT (EXT-VLAN20, outdoors) static source VLAN20 VLAN20 static destination ALGOTECH ALGOTECH non-proxy-arp-search to itinerary
network of the VLAN20 object
dynamic NAT interface (EXT-VLAN20, outdoors)
group-access to the INTERIOR in the interface inside
Access-group interface VLAN20 EXT EXT-VLAN20
Hello
The command "sysopt connection permit-vpn" is the default setting and it applies only to bypass ACL interface to the interface that ends the VPN. It would be connected to the external network interface. This custom has no effect on the other interfaces ACL interface.
So if you initiate or need to open connections from your local network to remote network through the VPN L2L connection then you will need to allow this traffic on your LAN interface ACL networks.
If the situation was that only the remote end has launched connections to your network then 'sysopt permit vpn connection' would allow their connections around the external interfaces ACL. If If you have a VPN configured ACL filter, I think that the traffic will always accompany against this ACL.
Here are the ASA reference section to order custom "sysopt"
http://www.Cisco.com/en/us/docs/security/ASA/command-reference/S21.html#wp1567918
-Jouni
-
Unable to access an internal network while being connected with VPN
Hello
We have a PIX 515E with a remote access vpn.
Our internal network has an address network 192.168.1.0/24, and addresses we assign to vpn clients are 192.168.1.49 - 192.168.1.62, or 192.168.1.48/28.
When I connect to the vpn, I cannot ping none of my hosts internal. The error I get is "no group of translation not found for icmp src:...» »
It is quite clear that I would need a NAT rule, but why? Addresses are in the same network...
Could someone enlighten me on how I should proceed to nat traffic between vpn clients and the internal network?
Thank you.
Here is my current setup:
6.3 (1) version PIX
interface ethernet0 car
Auto interface ethernet1
Auto interface ethernet2
ethernet0 nameif outside security0
nameif ethernet1 inside the security100
nameif dmz security50 ethernet2
activate the password * encrypted
passwd * encrypted
hostname pix
domain callio.com
outside_inbound list access permit tcp any host 66 *. **. * eq www
outside_inbound list access permit tcp any host 66 *. **. * eq https
outside_inbound list of access permit udp any host 66 *. **. * Log domain eq
outside_inbound list access permit tcp any host 66 *. **. * Log domain eq
outside_inbound list access permit tcp any host 66 *. **. * object-group mailserver
outside_inbound list access permit tcp any host 66 *. **. * Newspaper ftp object-group 5
outside_inbound list access permit tcp any host 66 *. **. * eq 9999 journal 5
outside_inbound list access permit tcp any host 66 *. **. * eq www
outside_inbound list access permit tcp any host 66 *. **. * eq www
access-list outside_inbound udp host 66 license *. **. * Welcome 66 *. **. * eq syslog
outside_inbound deny ip access list a whole
pager lines 24
IP address outside 66 *. **. * 255.255.255.240
IP address inside 192.168.1.1 255.255.255.0
IP dmz 192.168.2.1 255.255.255.0
IP verify reverse path to the outside interface
local pool IP VPN-RemoteAccess 192.168.1.49 - 192.168.1.62
ARP timeout 14400
Global (outside) 10 66 *. **. * netmask 255.255.255.0
NAT (inside) 0-list of access no_nat_dmz
NAT (inside) 10 192.168.1.0 255.255.255.0 0 0
static (dmz, outside) 66 *. **. * c4 netmask 255.255.255.255 0 0
static (dmz, outside) 66 *. **. * 192.168.2.3 netmask 255.255.255.255 0 0
static (dmz, outside) 66 *. **. * 192.168.2.5 netmask 255.255.255.255 0 0
static (dmz, outside) 66 *. **. * 192.168.2.6 netmask 255.255.255.255 0 0
static (dmz, outside) 66 *. **. * 192.168.2.100 netmask 255.255.255.255 0 0
static (inside, dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
Access-group outside_inbound in interface outside
Route outside 0.0.0.0 0.0.0.0 66 *. **. * 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225
H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00
Timeout, uauth 0:05:00 absolute
GANYMEDE + Protocol Ganymede + AAA-server
RADIUS Protocol RADIUS AAA server
AAA-server local LOCAL Protocol
NTP server 199.212.17.15 source outdoors
Enable http server
http 192.168.1.101 255.255.255.255 inside
http 192.168.1.105 255.255.255.255 inside
SNMP-server host inside 192.168.1.105
No snmp server location
No snmp Server contact
SNMP-Server Community public
No trap to activate snmp Server
enable floodguard
Sysopt connection permit-pptp
Telnet timeout 5
SSH 192.168.1.105 255.255.255.255 inside
SSH timeout 5
Console timeout 0
VPDN PPTP VPN group accept dialin pptp
VPDN group VPN-PPTP ppp mschap authentication
VPDN group VPN-PPTP ppp mppe auto encryption required
the client configuration address local VPN-RemoteAccess VPDN group PPTP VPN
VPDN group VPN-PPTP client configuration dns 192.168.1.2
VPDN group VPN-PPTP pptp echo 60
authentication of VPN-PPTP client to the Group local VPDN
VPDN username someuser password *.
VPDN allow outside
Terminal width 80
Please use the following URL to check your config:
I hope this helps.
Jay
Maybe you are looking for
-
To update to OS Sierra, I need to enter a valid credit card, even if it's free?
I have moved countries and not to use a credit card. To update to OS Sierra, I need to enter a valid credit card, even if it's free?What is happening with this? I'm more a person worthy enough to upgrade? I upset the bank accounts of the billionaires
-
Tecra R950 - Windows update does not work
I can't update windows: 1. run windows update2 updates installed3.I restarted4. in the configuration phase to 20% seems to be the option screen restart or reinstall5.I to restore the computer to a previous restore point someone at - it the same probl
-
Satellite P750-12 t - new installation of Windows 7
I have a P750 Satellite that has been used by my children for the game - Windows 7 is pre-installed. Now, I want to install Windows 7 again to have a new and good system. I don't have any Windows installation media has been pre-installed, and I don't
-
How to get rid of the Couponarific ads
Please can someone help, I picked up a virus/malware on my laptop. Each page I'll on that I get "Couponorific announcements" and lines double words if you click you take to the pages of spam. Oh, I'm so tired of yo the pages covered with these pop up
-
Hi there, having some problems with my current ADSL line and planned on the secondary use of the am200 as a dsl modem to check if she behaves better under the adsl2 +. But when I go to enter the desired local IP (94.30.x.x), subnet mask (255.255.255