RV180W PPTP: no access to clients and servers LAN remote
Hello
After searching a lot on the Internet about my problem without success, I have to start my own discussion.
I set up the PPTP server and created a PPTP user as described in the manual of the admin of the RC180W router. I can connect to the router through the construction based on PPTP VPN in Windows 7 and on my Android phone. Then I can also ping the router and access the Web administration. But I can't access my network, nor their ping servers and other clients.
My configuration is:
- 3 VLAN:
- VLAN1: 192.168.0.1 (255.255.255.0)
- VLAN2: 192.168.2.1 (255.255.255.0)
- VLAN3: 192.168.3.1 (255.255.255.0)
- no inter-VLAN-routing
- the clients and the server I would like to access, are in VLAN1 and connected to the router on port 1.
- PPTP configuration
- Start IP: 192.168.0.201
- End IP: 192.168.0.205
- The default firewall settings
- Managing remotely on port 443 is enabled
If I connect to my router with VPN, I get the following information about Windows 7:
- Athentification: MS CHA V2
- Encryption: MPPE 128
- Client IP: 192.168.0.202
- Subnet mask: 255.255.255.255
- Default gateway:
- Server IP: 192.168.0.201
Once connected, I can ping the router and access the IP 192.168.0.1 Web administration
I can't access or ping any other client or server, for example 192.168.0.96
Kind regards
Marco Spicer
Marco,
I noticed that you are in the same subnet in the subnet of the PPTP server. Connect PPTP clients should be in one different subnet other than 192.168.0.X. So an acceptable configuration of PPTP server could be the 192.168.1.x subnet, as long, is not on the 192.168.0.X subnet. If this can help you and your problem, please indicate your answer for bugs
Tags: Cisco Support
Similar Questions
-
KB970653 evolves Lotus Notes client and servers of the zone.
Installation KB970653 client Lotus Notes as well as time zone local change to + 1. Is it really nessasary for countries that are not assigned to the summer time?
tr00wa,
To quote from the Microsoft site:
Do I have to update my computer?As mentioned in this article, Microsoft recommends strongly that the DST and time zone updates be installed on all affected systems, devices and applications to ensure consistency with the current rules of the DST and time zone settings worldwide. Customers can view the updates available and displayed on this site and at http://support.microsoft.com/gp/dst_prodlist for the latest information and up to date of Microsoft products affected by time.
Updates of Microsoft products and release plan for DST changes and time zone: the underlying operating system for more information of time and time zone reference most Windows-based applications (and some services). However, some applications and services are not. Microsoft Windows has established an annual calendar of update time and time zone, as shown here. Many of our product teams also follow a similar pace put on annual day of product, with provisions for semi-annual cumulative updates as needed. For each version update, the window closes for additional updates (usually of four to six) months prior to the release date. The regular release of Windows provides a regular schedule for other product categories to follow.
As a result of the steady pace of Windows to publish recently legislated rules of summer time and updates of zone schedule, our "DST and time zone updates cumulative" are planned for each month of November - December (download and Windows Update Center respectively) for the calendar year. When necessary, the Microsoft product groups can also provide a mid-year update in August - September calendar. The product group will also release the keys to information (TZI) new or updated the time zone in an update to Microsoft article 914387 for IT and system administrators who might need this information. We hope that this offers a more predictable way for our customers to anticipate and plan our scheduled updates as they are published.
-END quote-
More information on the progress of updates is available here.
http://www.Microsoft.com/DST2007Does that answer your question?
Kind regards
DFTIM me -TWiTTer: @DFTER
-
Establish a persistent connection between client and server
My application must keep in touch with my servers, the HTTPConnection gives the ablitity to make one request per connection. Then the HttpConnection might not make persistent connections in the BB. I think I can use Socket connections. I am wonding if some body can confirm that and give some sugustions how persistent connections between clients and servers.
Thank you RexDoug and Marchywka. Your suggestions are appreciated.
-
Why my VPN clients cannot access network drives and resources?
I have a cisco asa 5505 configured to be a VPN gateway. I can dial using the anyconnect VPN client. The remote user is assigned an IP address to my specifications. However... The remote user cannot access network such as disks in network resources or the fax server. I've done everything I can to set the right settings NAT and ACLs, but in vain. I write my config... If someone can track down the problem. It would be appreciated!
: Saved
:
ASA Version 8.2 (5)
!
ciscoasa hostname
Cisco domain name
activate the password xxxxxxxxxxxxx
passwd xxxxxxxxxxxxxxxxx
names of
name 68.191.xxx.xxx outdoors
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.201.200 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP address outside 255.255.255.0
!
passive FTP mode
DNS domain-lookup outside
DNS lookup field inside
DNS server-group DefaultDNS
192.168.201.1 server name
Cisco domain name
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
object-group Protocol TCPUDP
object-protocol udp
object-tcp protocol
object-group network obj - 192.168.201.0
FREE access-list extended ip 192.168.201.0 NAT allow 255.255.255.0 192.168.201.0 255.255.255.0
NAT-FREE 192.168.202.0 permits all ip extended access list 255.255.255.0
FREE access-list extended ip 192.168.202.0 NAT allow 255.255.255.0 any
Extended access list-NAT-FREE enabled a whole icmp
allow any scope to an entire ip access list
allow any scope to the object-group TCPUDP an entire access list
allow any scope to an entire icmp access list
inside_access_in of access allowed any ip an extended list
inside_access_in list extended access allow TCPUDP of object-group a
inside_access_in list extended access permit icmp any one
outside_access_in of access allowed any ip an extended list
outside_access_in list extended access allow TCPUDP of object-group a
outside_access_in list extended access permit icmp any one
Standard access list DefaultRAGroup_splitTunnelAcl allow 192.168.201.0 255.255.255.0
access extensive list ip 192.168.202.0 inside_nat0_outbound allow 255.255.255.0 192.168.201.0 255.255.255.0
inside_nat0_outbound list extended access permit icmp any one
inside_nat0_outbound_1 of access allowed any ip an extended list
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
mask 192.168.202.1 - 192.168.202.50 255.255.255.0 IP local pool KunduVPN
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
NAT-control
Global 1 interface (outside)
NAT (inside) 0 inside_nat0_outbound_1 list of outdoor access
NAT (inside) 1 192.168.201.0 255.255.255.0
Access-group outside_access_in in interface outside
inside_access_in access to the interface inside group
Route inside 0.0.0.0 0.0.0.0 192.168.201.1 1
Route inside 0.0.0.0 255.255.255.255 outdoor 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
http 192.168.201.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outdoors
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-3des esp-sha-hmac TRANS_ESP_3DES_SHA
Crypto ipsec transform-set transit mode TRANS_ESP_3DES_SHA
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
Crypto ca trustpoint ASDM_TrustPoint0
registration auto
name of the object CN = ciscoasa
Keypairs xxx
Proxy-loc-transmitter
Configure CRL
XXXXXXXXXXXXXXXXXXXXXXXX
quit smoking
crypto ISAKMP allow outside
crypto ISAKMP allow inside
crypto ISAKMP policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
dhcpd outside auto_config
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
SSL-trust outside ASDM_TrustPoint0 point
WebVPN
allow outside
allow inside
SVC disk0:/anyconnect-win-2.5.2014-k9.pkg 1 image
enable SVC
tunnel-group-list activate
internal DefaultRAGroup group strategy
attributes of Group Policy DefaultRAGroup
value of 192.168.201.1 DNS server
VPN-tunnel-Protocol svc webvpn
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list DefaultRAGroup_splitTunnelAcl
Cisco by default field value
attributes of Group Policy DfltGrpPolicy
Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
WebVPN
SVC request enable
internal KunduVPN group strategy
attributes of Group Policy KunduVPN
WINS server no
value of 192.168.201.1 DNS server
VPN-tunnel-Protocol svc webvpn
Cisco by default field value
username xxxx
username xxxxx
VPN-group-policy DfltGrpPolicy
attributes global-tunnel-group DefaultRAGroup
address VPNIP pool
Group Policy - by default-DefaultRAGroup
IPSec-attributes tunnel-group DefaultRAGroup
pre-shared key *.
tunnel-group DefaultRAGroup ppp-attributes
ms-chap-v2 authentication
type tunnel-group KunduVPN remote access
attributes global-tunnel-group KunduVPN
address (inside) VPNIP pool
address pool KunduVPN
authentication-server-group (inside) LOCAL
Group Policy - by default-KunduVPN
tunnel-group KunduVPN webvpn-attributes
enable KunduVPN group-alias
allow group-url https://68.191.xxx.xxx/KunduVPN
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:c0e4540d4a07f2c544f0eddb653627cc
: end
don't allow no asdm history
Hello
What is the IP address of the hosts/servers LAN Gateway?
If this is not the ASA 'inside' interface IP address then I assume that the problem with VPN is simply routing.
For example, if your hosts/servers LAN wireless LAN gateway router then the following would happen to your Clients VPN connections.
- Forms of customers login VPN users through configuring wireless routers static PAT (Port Forward) to interface "inside" ASA
- Client VPN sends traffic through the VPN to ASA and again the host of the server or LAN.
- Host/server LAN sees the connection from a network other than the LAN (192.168.202.0/24) and therefore to forward traffic to the default gateway that would likely be the wireless router.
- Wireless router has no route to the network 192.168.202.0/24 (VPN Pool) and therefore uses its default route to the external network to forward traffic.
- Client VPN host never received the traffic back as transmitted sound on the external network and abandoned by the ISP
So if the above assumption is correct, then you would at least need a configuration of the road on the wireless router that tells the device to transfer traffic to the network 192.168.202.0/24 to the 192.168.201.200 gateway IP address (which is the SAA)
I would like to know if the installation is as described above.
-Jouni
-
We must put in place a 2008r2 domain user account and allow it access xch2007 email and a file only decidated server. Access to the other app domain, print and file servers will be blocked. What will be the best way to do this? Can we use Group Policy?
Your Windows Server 2008 R question is more complex than what is generally answered in the Microsoft Answers forums. It is better suited for the IT Pro TechNet public. Please ask your question on the Windows Server. You can follow the link to your question:
http://social.technet.Microsoft.com/forums/en-us/category/WindowsServer
-
is it possible to use a desktip mail client to access your mail and are there fees
Is it possible to use a desktop e-mail client ot access your email and are there fees
Yes, it is possible there are there a some different free clients. There are also paid for both clients (MS Outlook for example).
I hope this helps.
-
Hello
I've set up IPSec VPN remotely and it works fine. I need access to connected VPN clients, and it does not work. I have already added an entry to traffic allowing sheep ACL from inside my network to the VPN.
More information:
Inside of the net: 10.1.1.0/24
Pool VPN: 172.30.1.0/24
Is it possible to access from my internal network to the VPN users?
Thanks in advance.
Best regards.
Marcelo
VPN users have access to certain servers via the list of Tunnel from Split.
Marcelo,
Split tunnel ACLs must be an IP acl, it is not recommended and supported to set the TCP ports on the split tunnel ACL, the vpn client don't interpret this ACl as a lot are interested in IP, TCP ports, and that could cause you a problem. You can change your config to reflect this. Regarding ACL split tunnel, it must contain the server line. networks that this vpn, customers arrive, remind you this is two-way, as you know.
So if IT supports the IP range is on this vpnExample ACL vpn clients will be able to reach the IT support guys and vice versa.
I advise you to change your split tunnel ACLs to specific ports to only the desired servers and the presenters what these customers need to achieve.
Remove the ports out of this Split tunnel ACLs.
If you need to restrict services for vpn rather clients use VPN filters.
-
Remote access VPN Client to PIX, DNS issue
Hi all. I searched on this, but I can't find my answer.
I set up a VPN connection to a PIX Firewall (running the version 8.0 (4)) for my business. The VPN connection works correctly, in that I can connect to it using my software (v 5.0.02.0090) Cisco VPN Client and ping servers/resources internal IP address. However, if I try to ping by host name, it does not resolve to an IP address. If I open a command prompt on my PC and type ipconfig/all, there are no DNS servers for my VPN, just for my normal Intel NIC adapter - I think I should have a DNS server listed under the map of VPN, right? Here is the relevant (I think) for the VPN config lines:
8.0 (4) version PIX
domain xx.xx
DNS lookup field inside
DNS server-group DefaultDNS
Server name 192.168.20.23
domain xx.xx
IP local pool vpnpoolIT 10.10.8.2 - 10.10.8.254 mask 255.255.255.0
Crypto ipsec transform-set esp-3des esp-md5-hmac FirstSet
Crypto-map dynamic dyn1 1jeu transform-set FirstSet
Crypto-map dynamic dyn1 1 lifetime of security association set seconds 28800
Crypto-map dynamic dyn1 kilobytes of life 1 set security-association 4608000
crypto ISAKMP policy 1
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
tunnel-group ITGroup type remote access
tunnel-group ITGroup General attributes
address vpnpoolIT pool
Group-RADIUS authentication server
tunnel-group ITGroup ipsec-attributes
pre-shared-key *.
Am I missing? I can solve the DNS on the PIX itself requests.
All the info I can find online is for an older version of the PIX software which says that I should enter the vpngroup dns- IP address of the server command, but this command is not available in my version of the software.
Hello
To set a DNS server to be injected into the VPN clients when they connect, you can do the following:
This is the tunnel-group where lands the remote connection:
tunnel-group ITGroup type remote access
tunnel-group ITGroup General attributes
address vpnpoolIT pool
Group-RADIUS authentication server
tunnel-group ITGroup ipsec-attributes
pre-shared-key *.
For example, create a group policy:
internal VPN group policy
attributes of VPN group policyDNS value--> x.x.x.x where x.x.x.x is the IP address of the DNS server
Then, apply the group policy for the Group of tunnel:
tunnel-group ITGroup General attributes
Group Policy - by default-VPN
It will be useful.
Federico.
-
VPN client and redundant peering
Hello world
PC user's config with remote access VPN client.
Tell the client pc has the configuration of the VPN client with backup servers and if ASA primary is the stop will be the secondary question of the new IP address of the client VPN gateway
address automatically?
Here the SAA is not in any failover mode.
Concerning
The list of backup server is used when establishing a new VPN connection. If it the customer has an active connection and the VPN server is no longer available then the user will have to re-establish the connection manually.
--
Please do not forget to rate and choose a good answer
-
I have tools customer Oracle BI (11.1.1.7) installed locally (Win7 - 64-bit).
I am able to access all the web interfaces (OBIEE, EM, Weblogic) using the username/password weblogic.
When I try to log in the administration tool or Catalog Manager, I get errors.
i.e.
Admin tool = "the connection failed".
Catalog Manager = "unable to connect to the presentation server.
I have 3 servers that are running different instances of BI. I am able to access 2 of them, but can not access the third.
I tried to copy the repository of a body of work and by deploying the instance of non-working. Same question.
I tried adding a new admin user and connect with this user. Same question.
Any thoughts on what could be the problem?
Thank you
Raymond
Can you please try to avoid double counting in the future? Can't access BI client tools
Or you end up like now where you do not keep the two aligned son makes it useless...
-
access licenses client license Clarifications + Server 2012
Hi all
I need some clarification in licensing to provide the solution that is right for my customer.
One of my clients purchased Dell server with preloaded Windows Server 2012 OS (Standard Edition) us (from my company) to replace the
existing server that has windows Server 2003.Now, the thing is customer want to transfer/migrate their client access licenses Server and Terminal Server CALs for Server 2003 to 2012 server.
But is it possible to transfer/migration of CALs client Server 2003 to 2012?
In the case of is not possible.
May I suggest Windows server 2003 to install as a virtual operating system in Hyper-V
to use their existing CAL?And is it as additional permit is required to use Server 2003
Hyper-V?Waiting for your valuable response/solution.
Thanks in advance.
Hello
Post your question in the TechNet Server Forums, as your question kindly is beyond the scope of these Forums.
http://social.technet.Microsoft.com/forums/WindowsServer/en-us/home?category=WindowsServer
See you soon.
-
cannot access the icons and files in windows xp
I write on behalf of the client. Customer is unable to access his files in his computer based on Windows XP and icons.
Hello
- Did you change your computer before this problem?
- You receive an error message during the access, the icons and files?
This problem occurs when one or more of the following conditions are met:
- The registry values that are associated with the file name extension are corrupted or missing values.
- The computer is infected with a virus.
You can view these methods:
Method 1:
Let us check in SafeMode if the problem persists.
A description of the options to start in Windows XP Mode
http://support.Microsoft.com/kb/315222Method 2:
Here is an article that will guide you in the process of fixing the issue:
Important: This section, method, or task contains steps that tell you how to modify the registry. However, serious problems can occur if you modify the registry incorrectly. Therefore, make sure that you proceed with caution. For added protection, back up the registry before you edit it. Then you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click on the number below to view the article in the Microsoft Knowledge Base:
How to back up and restore the registry in Windows
Cannot open files with extensions such as.exe, .com, and.lnk on a Windows XP-based computer
-
Access PIX using SSH when connected remotely with VPN client
Hello
I think that this should be a fairly simple for someone to sort for me - I'm new to PIX configuration If Yes please excuse my stupidity!
I changed the config on our PIX to allow only access via SSH (rather than via telnet as it was previously configured)
Now, everything works fine when I'm in the office - I can connect to the PIX using SSH without any problem.
However, if I work from home and connect to the office using my VPN client (IPSEC tunnel ends on the PIX firewall itself) I find that I can not connect to the PIX.
I have configured the PIX to access ssh on the office LAN subnet and the client pool of IP addresses used for VPN connections by using the following commands:
SSH 172.64.10.0 255.255.255.0 inside
SSH 192.28.161.0 255.255.255.0 inside
where the 1st line is reference to the office's LAN, which works very well, and the 2nd line denotes the IP address pool configured on the PIX for VPN access.
Can someone tell me how to fix this? I have the feeling that its something pressing!
Thank you
Neil
Try the command "management-access to the Interior.
-
After Anyconnect I can't access to asa and LAN
Dear all,
My office use ASA 5505 and I use anyconnect from outside (sometimes overseas), I can connect to my network and business by ASA, internet access, but I can't access ASA and LAN (network of my client). WHY?
Office 192.168.10.0/24
192.168.11.0/24 VPN
How can I solve this problem?
ASA Version 9.2 (3)
!
ciscoasa hostname
activate the encrypted password of XXXXXXXXXX
volatile xlate deny tcp any4 any4
volatile xlate deny tcp any4 any6
volatile xlate deny tcp any6 any4
volatile xlate deny tcp any6 any6
volatile xlate deny udp any4 any4 eq field
volatile xlate deny udp any4 any6 eq field
volatile xlate deny udp any6 any4 eq field
volatile xlate deny udp any6 any6 eq field
passwd encrypted XXXXXXXXXX
names of
192.168.11.1 mask - 192.168.11.10 local pool Pool VPN IP 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP address 192.168.10.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
address IP AAA. BBB. CCC DDD EEE. FFF. GGG. HHH
!
boot system Disk0: / asa923 - k8.bin
passive FTP mode
clock timezone 8 HKST
DNS domain-lookup outside
DNS server-group DefaultDNS
Name-Server 8.8.8.8
Server name 8.8.4.4
permit same-security-traffic intra-interface
network of the VPN_Pool object
subnet 192.168.11.0 255.255.255.240
network of the NETWORK_OBJ_192.168.10.0_24 object
192.168.10.0 subnet 255.255.255.0
inside_access_in of access allowed any ip an extended list
outside_access_in list extended access permit icmp any one
DefaultRAGroup_splitTunnelAcl_1 list standard access allowed 192.168.10.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm-731 - 101.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
interface NAT (outside, outside) dynamic source VPN_Pool
NAT (inside, outside) static source any any static destination VPN_Pool VPN_Pool non-proxy-arp-search to itinerary
!
!
NAT source auto after (indoor, outdoor) dynamic one interface
inside_access_in access to the interface inside group
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 AAA. BBB. CCC DDD. 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
Activate Server http XXXXX
http 192.168.10.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA SHA-ESP-3DES ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-ESP ESP-3DES-SHA-TRANS TRANS-DES-SHA-TRANS
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
Crypto ca trustpoint ASDM_TrustPoint0
Terminal registration
name of the object CN = ciscoasa
Configure CRL
Crypto ca trustpoint Anyconnect_Self_Signed_Cert
registration auto
name of the object CN = ciscoasa
Configure CRL
Crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
registration auto
name of the object CN = 115.160.145.114, CN = ciscoasa
Configure CRL
trustpool crypto ca policy
string encryption ca Anyconnect_Self_Signed_Cert certificates
certificate 5c7d4156
308202d 4 308201bc a0030201 0202045c 415630 0d06092a 864886f7 0d 010105 7 d
0500302c 3111300f 06035504 03130863 6973636f 61736131 17301506 092a 8648
09021608 63697363 6f617361 31353131 31303131 31363231 301e170d 86f70d01
5a170d32 35313130 37313131 3632315a 302 c 3111 55040313 08636973 300f0603
636f6173 61311730 1506092a 864886f7 0d 010902 16086369 73636f61 73613082
0122300d 06092 has 86 01010105 00038201 0f003082 010a 0282 010100cc 4886f70d
af43a895 8c2c3f49 ad16c4b9 a855b47b 773f4245 1954c 728 7 c 568245 6ddc02ab
78 c 45473 eb4073f6 401d1dca 050dc53f cfb93f58 68087f6d 03334fc 1 53f41daa
454ff4bb 691235ab 34e21d98 4cfecef4 204e9c95 76b1b417 b5cf746c 830788b 4
60063e89 0ffe5381 42694cf8 d1be20d4 4c95d9c6 93041af2 94783de0 fe93cf67
4ad8954f 5392790b 4ded225c c3128cba 8d3ee07b f9fd2208 34b1956c be0a774a
d054a290 14316cc0 1670bdea f04c828b 7f9483fb 409fa707 fbe5a257 33597fed
ca790881 b1d4d3dc b0e1095e bf04014e 19c5cfeb f74aac57 ee39cd6e 7389cdd1
8b9421fa ee2b99ae df07fba1 0b506cd8 ea9f64c5 dd9169ad 157fcdb7 f6cfff02
03010001 300 d 0609 2a 864886 05050003 82010100 c8719770 1305bd9c f70d0101
2608f039 0dc6b058 0dfe3d88 76793 has 18 8f601dda b 8553, 893 d95e3b25 30ef7354
772f7d0b 772869d 7 372f8f5c f32992af fa2c8b6e 0f0ae4ce 4e068b8d b7916af2
affa1953 5bfd01a6 1a3c147d 75d95d8c 1122fa85 3905f27b 2474aff4 11fff24f
c305b648 b4c9d8d4 9dcf444b 9326cda3 0c4635d0 90ff8dd8 9444726c 82e002ec
be120937 0414c20a 39df72fb 76cd9c38 cde9afda 019e9230 66e5dba8 ed208eae
5faabb85 ff04f8f2 c36b724b 62ec52cc f967ee1d 1a6458fc 507a 2377 45 c 20635
2c14c431 baac678a dcc20329 4db7aa51 02c 36904 75b5f307 f1cc056d 726bc436
597a 3814 4ccd421d cb77d8f5 46a8ae69 2d617ac8 2160d7af
quit smoking
string encryption ca ASDM_Launcher_Access_TrustPoint_0 certificates
certificate 5d7d4156
308201f0 30820308 a0030201 0202045d 415630 0d06092a 864886f7 0d 010105 7 d
05003046 06035504 03130863 61736131 18301606 03550403 6973636f 3111300f
130f3131 352e3136 302e3134 352e3131 1506092a 34311730 864886f7 0d 010902
73636f61 16086369 7361301e 170d 0d 323531 3135 31313130 31323136 35395a 17
3111300f 06035504 03130863 6973636f 61736131 a 31303731 32313635 395, 3046
18301606 03550403 130f3131 352e3136 302e3134 352e3131 1506092's 34311730
864886f7 0d 010902 16086369 73636f61 73613082 0122300d 06092 has 86 4886f70d
01010105 00038201 0f003082 010 has 0282 010100cc af43a895 8c2c3f49 ad16c4b9
a855b47b 773f4245 1954c 728 7 c 78 45473 eb4073f6 401d1dca 568245 6ddc02ab
050dc53f cfb93f58 68087f6d 03334fc 1 53f41daa 454ff4bb 691235ab 34e21d98
b 830788 4 4cfecef4 204e9c95 76b1b417 b5cf746c 60063e89 0ffe5381 42694cf8
d1be20d4 4c95d9c6 93041af2 94783de0 fe93cf67 4ad8954f 5392790b 4ded225c
c3128cba 8d3ee07b f9fd2208 34b1956c be0a774a d054a290 14316cc0 1670bdea
f04c828b 7f9483fb 409fa707 fbe5a257 33597fed ca790881 b1d4d3dc b0e1095e
bf04014e 19c5cfeb f74aac57 ee39cd6e 7389cdd1 8b9421fa ee2b99ae df07fba1
0b506cd8 ea9f64c5 dd9169ad 157fcdb7 f6cfff02 03010001 300 d 0609 2a 864886
05050003 82010100 00089cd 3 d0f65c5e 91f7ee15 bbd98446 35639ef9 f70d0101
45b 64956 f146234c 472b52e6 f2647ced a109cb6b 52bf5f5d 92471cb7 a3a30b63
052ac212 c6027535 16e42908 ea37c39a 4d203be9 8c4ed8cd 40935057 3fe8a537
a837c75c feff4dcc 1b2fd276 257f0b46 8fcd2a5c cbdcacec cd14ee46 be136ae7
7cd4ae0d aace54fe 5187ea57 40d2af87 cded3085 27d6f5d8 1c15ef98 f95cc90e
a 485049 4 805efa8f 63406609 a663db53 06b94e53 07c1c808 61eadcdb 2c952bee
74a0b3dd ae262d84 40b85ec5 a89179b2 7e41648e 93f0e419 3c482b29 e482d344
d756d450 8f0d9302 d023ac43 a31469a4 105c8a0c b1418907 693c558c 08f499ef
364bc8ba 4543297a a17735a0
quit smoking
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 activate out of service the customer port 443
Crypto ikev2 access remote trustpoint Anyconnect_Self_Signed_Cert
Crypto ikev1 allow outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH stricthostkeycheck
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0
No ipv6-vpn-addr-assign aaa
no local ipv6-vpn-addr-assigndhcpd 192.168.10.254 dns 8.8.8.8
dhcpd rental 43200
!
dhcpd address 192.168.10.1 - 192.168.10.100 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
NTP AAA server. BBB. CCC. Source DDD outside prefer
SSL-point of approval ASDM_Launcher_Access_TrustPoint_0 outside vpnlb-ip
SSL-trust outside ASDM_Launcher_Access_TrustPoint_0 point
WebVPN
allow outside
AnyConnect image disk0:/anyconnect-win-4.2.00096-k9.pkg 1
AnyConnect profiles Anyconnect_client_profile disk0: / Anyconnect_client_profile.xml
AnyConnect enable
tunnel-group-list activate
internal DefaultRAGroup_2 group strategy
attributes of Group Policy DefaultRAGroup_2
DNS-server AAA value. BBB. CCC AAA DDD. BBB. CCC DDD.
Ikev2 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
internal GroupPolicy_Anyconnect group strategy
attributes of Group Policy GroupPolicy_Anyconnect
WINS server no
value of server DNS 8.8.8.8 8.8.4.4
Ikev1 VPN-tunnel-Protocol, l2tp ipsec ikev2 ssl-client
Split-tunnel-policy tunnelall
IPv6-split-tunnel-policy excludespecified
value of Split-tunnel-network-list DefaultRAGroup_splitTunnelAcl_1
by default no
activate dns split-tunnel-all
IPv6 address pools no
WebVPN
AnyConnect value Anyconnect_client_profile type user profiles
username password XXXXXXX XXXXXXXXXXXXXXX encrypted privilege 15
username password XXXXXXX XXXXXXXXXXXXXXX encrypted privilege 15
attributes of username XXXXXXX
Ikev1 VPN-tunnel-Protocol, l2tp ipsec ikev2 ssl-client
attributes global-tunnel-group DefaultRAGroup
address pool VPN-pool
Group Policy - by default-DefaultRAGroup_2
IPSec-attributes tunnel-group DefaultRAGroup
IKEv1 pre-shared key XXXXXXXXX
tunnel-group DefaultRAGroup ppp-attributes
ms-chap-v2 authentication
tunnel-group Anyconnect type remote access
tunnel-group Anyconnect General attributes
address pool VPN-pool
Group Policy - by default-GroupPolicy_Anyconnect
NAT - to-public-ip assigned inside
tunnel-group Anyconnect webvpn-attributes
enable Anyconnect group-alias
tunnel-group Anyconnect ppp-attributes
ms-chap-v2 authentication
!
Global class-card class
match default-inspection-traffic
!
!
World-Policy policy-map
Global category
inspect the dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the netbios
inspect the tftp
Review the ip options
!
service-policy-international policy global
context of prompt hostname
no remote anonymous reporting call
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:24991680b66624113beb31d230c593bb
: endHi cwhlaw2009,
You must configure a policy Split-tunnel, if you want to be able to access the internal and local network at the same time.
It may be useful
-Randy-
-
Access VPN ASA and cisco ISE Admin
Hello
Currently I'm deployment anyconnect VPN Solution for my client on ASA 9.2 (3). We use the ISE 1.3 to authenticate remote users.
In the policy stipulates the conditions, I put the condition as below.
Policy name: Anyconnect
Condition: DEVICE: Device Type Device Type #All Device Types #Dial - in access EQUALS AND
RADIUS: NAS-Port-Type is equal to virtualI'm authenticating users against the AD.
I am also restrict users based on group membership in authorization policies by using the OU attributes.
This works as expected for remote users.
We also use the ISE to authenticate administrators to connect to the firewall. Now what happens is, Cisco ASA valid also against policy, administrators and their default name Anyconnect.
Now the question is, how to set up different political requirement for access network admin and users the same Firewall VPN.
Any suggestions on this would be a great help.
See you soon,.
Sri
You can get some ideas from this article of mine:
http://ltlnetworker.WordPress.com/2014/08/31/using-Cisco-ISE-as-a-generic-RADIUS-server/
Maybe you are looking for
-
Backups Time Machine missing after model clean install
For a Mac using Time Machine to back up, is there a way to clean install OS X for a new internal SSD and keeps backups Time Machine historical which have been made using the previous internal SSD? While as I use it to back up the new internal SSD TM
-
the system fan to run at hi speed
CPU cooling fan is constamtly "limit" Hi spped then slows down then sppeds upward again. It's very loud and annoying. Help, please
-
I wonder constantly to turn my Windows Firewall and change its settings.
I wonder constantly to turn my Windows Firewall and change its settings.
-
Interface user tuner and the percentage of battery missing
Hi, I turned on tuner UI on Marshmallow and after for its navigation tools and reaching their functions, I decided to turn it off at the time once again, to my surprise the battery % icon disappear in the battery bar. any solucions? I can't find to a
-
get the error code 80048821 when connecting to windows live messenger connection