Stuck in troubleshooting (VPN is UP, pinging the router's LAN-side Ethernet works, but OTHER SERVERS...)
I have a simple remote-access installation with 2 user accounts local to the router, running an IOS security image.
I have also set up split tunnelling and it seems to work very well; remote VPN users are able to connect and get their respective IPs under their VPN adapter (if we check them through ipconfig in cmd on Windows 7 or any other Windows box)...
VPN pool: 197.x.x.x (see the pool in the config)
Inside (network): 192.168.0.X/24, where 192.168.0.99 is the LAN-facing Ethernet of the VPN router. The LAN segment is L2 and has only 1 VLAN, no other subnet is present; the switch is a CE500.
Simply put: VPN users should be able to access LAN resources and have Internet access through the VPN...
Here is the config (please, EXPERTS... let me know if anything else is needed in this case...)
hostname 2-router-Internet
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096 debugging
enable secret 5 $1$W/jA$bkFGswtK1q5hs.iRvPgZR0
enable password 7 12170114190A01162B25
!
aaa new-model
!
!
aaa authentication login local_auth local
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
no ip source-route
no ip gratuitous-arps
!
!
ip cef
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
no ip bootp server
ip domain name KAMRAN.com
ip name-server 212.72.1.186
ip name-server 198.6.1.1
login block-for 60 attempts 5 within 5
!
!
!
!
username game123 privilege 15 password 7 050C07022443580C0B544541
username dracula password 7 00051F13075A1902
username kamran password 7 01110707500F090033
archive
 log config
  logging enable
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
crypto isakmp policy 3
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group omanpost
 key Kobayashi
 pool ippool
 acl 108
!
!
! the encryption transform was lost in the post (only "esp-" survived); esp-3des is a placeholder
crypto ipsec transform-set RIGHT esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set RIGHT
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address initiate
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface FastEthernet0/0
 description Connected to Internet OMANTEL
 ip address 82.178.20.36 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map clientmap
!
interface FastEthernet0/1
 description Connected to the LAN - servers
 ip address 192.168.0.99 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip local pool ippool 197.0.0.3 197.0.0.5
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 82.178.20.35
ip route 10.25.50.12 255.255.255.252 192.168.0.100
ip route 10.26.10.0 255.255.255.0 192.168.0.100
!
no ip http server
no ip http secure-server
ip nat inside source route-map sheep interface FastEthernet0/0 overload
ip nat inside source static 192.168.0.10 82.178.20.37
!
!
logging trap debugging
! the facility keyword was garbled in the post; local2 assumed
logging facility local2
access-list 1 permit any
access-list 108 permit ip 192.168.0.0 0.0.0.255 197.0.0.0 0.0.0.255
access-list 108 permit icmp 192.168.0.0 0.0.0.255 197.0.0.0 0.0.0.255
access-list 199 deny ip 192.168.0.0 0.0.0.255 197.0.0.0 0.0.0.255
access-list 199 permit ip 192.168.0.0 0.0.0.255 any
route-map sheep permit 10
 match ip address 199
!
!
!
control-plane
!
!
banner motd ^C
This is a production box for OmanPost at NDC Muscat. Please check you are personally authorized
^C
line con 0
 exec-timeout 0 0
 login authentication local_auth
 transport output telnet
line aux 0
 exec-timeout 15 0
 login authentication local_auth
 no exec
 transport output telnet
line vty 0 4
 password 7 000F1C0405420A1507280C
 login authentication local_auth
THANKS, waiting with FINGERS CROSSED! « X »
kAmRan ShAkIL
Great, it looks like a Windows Server 2008 firewall policy problem, if you can test other IPs in the same subnet.
Please kindly mark the message as answered if you have no other questions. Thank you.
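Before blaming the server firewall, it is worth confirming that the router side actually lets a pool address and an inside host talk in both directions. The following Python script is an added example, not part of the original post or its answer: it re-derives from the posted configuration the relationships that decide whether a split-tunnel client can reach an inside host (pool vs. inside subnet, the split-tunnel ACL 108 that becomes the IPsec proxy identity, and the NAT exemption done through route-map "sheep"). CONFIG is a constructed, trimmed copy of the relevant lines of the posted config; the client and host addresses passed to the check are arbitrary test values. One finding the answer above does not mention is reported as well: the static NAT for 192.168.0.10 has no route-map, so that host's replies to VPN clients are translated to the public address before encryption. (Aside: the `password 7` strings in the posted config are Vigenère-obfuscated, not hashed, and should be treated as disclosed.)

```python
"""Added example (not from the original post): re-derive, from the posted
IOS config, the relationships that decide whether a split-tunnel VPN client
can reach an inside host. CONFIG is a constructed, trimmed copy of the
relevant lines of the posted configuration; nothing else is assumed."""
import ipaddress
import re

CONFIG = """
ip local pool ippool 197.0.0.3 197.0.0.5
ip nat inside source route-map sheep interface FastEthernet0/0 overload
ip nat inside source static 192.168.0.10 82.178.20.37
access-list 108 permit ip 192.168.0.0 0.0.0.255 197.0.0.0 0.0.0.255
access-list 108 permit icmp 192.168.0.0 0.0.0.255 197.0.0.0 0.0.0.255
access-list 199 deny ip 192.168.0.0 0.0.0.255 197.0.0.0 0.0.0.255
access-list 199 permit ip 192.168.0.0 0.0.0.255 any
route-map sheep permit 10
 match ip address 199
"""

INSIDE = ipaddress.ip_network("192.168.0.0/24")  # the LAN behind Fa0/1

# Only the ACE shapes present in the post: <proto> <src> <wildcard> (<dst> <wildcard> | any)
ACE_RE = re.compile(
    r"^access-list (?P<num>\d+) (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<swc>\S+) (?P<dst>any|\S+ \S+)$"
)


def wildcard_to_network(addr, wildcard):
    """IOS wildcard mask -> ip_network (wildcard bits are the inverse of a netmask)."""
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_aces(config):
    """{acl number: [(action, src_net, dst_net), ...]} in configured order."""
    aces = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        src = wildcard_to_network(m["src"], m["swc"])
        if m["dst"] == "any":
            dst = ipaddress.ip_network("0.0.0.0/0")
        else:
            dst = wildcard_to_network(*m["dst"].split())
        aces.setdefault(int(m["num"]), []).append((m["action"], src, dst))
    return aces


def first_match(aces, src_ip, dst_ip):
    """IOS ACL semantics: first matching ACE wins, implicit deny at the end."""
    for action, src, dst in aces:
        if src_ip in src and dst_ip in dst:
            return action
    return "deny"


def parse_pool(config):
    """(first, last) address of the single 'ip local pool' line."""
    m = re.search(r"^ip local pool \S+ (\S+) (\S+)$", config, re.M)
    return ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])


def parse_nat(config):
    """(ACL number behind the overload route-map, inside hosts with a static NAT and no route-map)."""
    rm = re.search(r"^ip nat inside source route-map (\S+) ", config, re.M)
    acl = re.search(rf"^route-map {rm[1]} permit \d+\n match ip address (\d+)", config, re.M)
    statics = [
        ipaddress.ip_address(m[1])
        for m in re.finditer(r"^ip nat inside source static (\S+) \S+$", config, re.M)
    ]
    return int(acl[1]), statics


def check_client_to_host(config, client, host, inside=INSIDE, split_acl=108):
    """Return the four yes/no findings for one VPN client talking to one inside host."""
    client, host = ipaddress.ip_address(client), ipaddress.ip_address(host)
    aces = parse_aces(config)
    first, last = parse_pool(config)
    exempt_acl, statics = parse_nat(config)
    return {
        # A pool inside the LAN subnet gives the client two paths to the same prefix.
        "pool_overlaps_inside": first in inside or last in inside,
        # ACL 108 is pushed as the split-tunnel list and becomes the proxy identity;
        # if inside->client is not permitted, the client never tunnels LAN traffic.
        "split_tunnel_covers": first_match(aces.get(split_acl, []), host, client) == "permit",
        # For the overload rule, a deny in the route-map's ACL means "do not translate",
        # so host->client replies keep their real source and match the IPsec SA.
        "overload_nat_exempt": first_match(aces.get(exempt_acl, []), host, client) == "deny",
        # A static NAT without a route-map is applied for every destination, so this
        # host's replies to VPN clients would be rewritten to the public address.
        "static_nat_applies_to_vpn_traffic": host in statics,
    }


if __name__ == "__main__":
    for host in ("192.168.0.20", "192.168.0.10"):
        print(host, check_client_to_host(CONFIG, "197.0.0.3", host))
```

Run against the posted lines, an ordinary inside host such as 192.168.0.20 passes all three router-side checks, which is consistent with the answer pointing at the server's own firewall; 192.168.0.10 is the one host the script flags, because its static NAT lacks a `route-map sheep` clause.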
Tags: Cisco Security
Similar Questions
-
I have 3 servers: a main server and 2 file servers in another country.
My main server can only ping the 2nd file server.
But both of our file servers in the other country can ping the main server.
In short, I cannot get to the first file server.
The settings on both file servers are the same. And I don't have access issues to the 2nd file server using the main server.
Does someone have the patience to help me understand the problem?
This issue is beyond the scope of this site and should be posted on TechNet or MSDN.
-
I just installed an AirPort Extreme router and WiFi works, but the status light still flashes.
Open AirPort Utility... click on the Extreme... and see what the cause of the problem is. It will list the issues on the summary page. Click on each of them and it will even offer you solutions.
For example the firmware needs to be updated... nothing major... or DNS is wrong or double NAT...
Without our crystal ball, we don't know what the issue is.
-
Every site gets "HTTP 404 error - not found. The requested resource is not found." and the "Firefox cannot load websites but other programs can" page does not help somehow.
One possible cause is security software (firewall, antivirus) that blocks or restricts Firefox or the plugin-container process without informing you, possibly after detecting changes (an update) to the Firefox program.
Remove all rules for Firefox and plugin-container from the permissions list in the firewall and let your firewall ask again for permission to give full unrestricted Internet access to Firefox, plugin-container and the updater process.
See:
You can try to reset (power off/on) the router.
-
Site to site VPN tunnel - cannot ping the second inside interface (inside2) of the peer firewall
I have two ASA 5505 firewalls, each with a base license: FWa and FWb. There is currently a working VPN tunnel between them. I added a second (inside2) interface to firewall FWb, but I can't ping it from firewall FWa, while I can ping the inside interface of FWb.
I can ping the FWb inside interface 192.168.20.1 from the FWa inside interface 172.16.1.1, but I cannot ping the FWb inside2 interface 10.52.100.10 from FWa. I also cannot ping the gateway host 10.52.100.1 from FWa.
I show the essential configuration of the two firewalls as well as the debug icmp trace output on both firewalls while I ping the inside and inside2 interfaces of FWb from FWa.
=========================================================
Here is a skeleton of the FWa configuration:
name 172.16.1.0 inside-network
name 192.168.20.0 HprCnc-Thesys
name 10.52.100.0 ring52-network
name 10.53.100.0 ring53-network
name S.S.S.S outside-interface
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
interface Vlan2
 description Connection to VLAN 777 to work around the static Comcast external modem and IP address.
 nameif outside
 security-level 0
 ip address outside-interface 255.255.255.240
object-group network DM_INLINE_NETWORK_5
 network-object HprCnc-Thesys 255.255.255.0
 network-object ring52-network 255.255.255.0
 network-object ring53-network 255.255.255.0
object-group network DM_INLINE_NETWORK_3
 network-object ring52-network 255.255.255.0
 network-object HprCnc-Thesys 255.255.255.0
 network-object ring53-network 255.255.255.0
access-list Outside_5_cryptomap extended permit ip host outside-interface object-group DM_INLINE_NETWORK_3
access-list inside_nat_outbound extended permit ip inside-network 255.255.255.0 object-group DM_INLINE_NETWORK_5
access-list Outside_nat0_outbound extended permit ip host 173.162.149.72 aus_asx_uat 255.255.255.0
nat (inside) 0 access-list sheep
nat (inside) 101 access-list inside_nat_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
nat (outside) 0 access-list Outside_nat0_outbound
crypto map VPN 5 match address Outside_5_cryptomap
crypto map VPN 5 set pfs group1
crypto map VPN 5 set peer D.D.D.D
crypto map VPN 5 set transform-set VPN
tunnel-group D.D.D.D type ipsec-l2l
tunnel-group D.D.D.D ipsec-attributes
 pre-shared-key *
=========================================================
FWb:
name 10.52.100.0 ring52-network
name 10.53.100.0 ring53-network
name 10.51.100.0 ring51-network
name 10.54.100.0 ring54-network
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address D.D.D.D 255.255.255.240
!
interface Vlan52
 ! this line was garbled in the post; on a 5505 base license the third VLAN carries "no forward interface Vlan1"
 no forward interface Vlan1
 nameif inside2
 security-level 100
 ip address 10.52.100.10 255.255.255.0
object-group network DM_INLINE_NETWORK_3
 network-object ring52-network 255.255.255.0
 network-object ring53-network 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object ring52-network 255.255.255.0
 network-object 192.168.20.0 255.255.255.0
 network-object ring53-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 host S.S.S.S
access-list inside2_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_3 host S.S.S.S
access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 host S.S.S.S
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside2) 0 access-list inside2_nat0_outbound
nat (inside2) 1 0.0.0.0 0.0.0.0
route inside2 ring51-network 255.255.255.0 10.52.100.1 1
route inside2 ring53-network 255.255.255.0 10.52.100.1 1
route inside2 ring54-network 255.255.255.0 10.52.100.1 1
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer S.S.S.S
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
tunnel-group S.S.S.S type ipsec-l2l
tunnel-group S.S.S.S ipsec-attributes
 pre-shared-key *
=========================================================================
I turned on debug icmp trace on both firewalls and could see the traffic arriving at the inside2 interface, but it never returns to FWa.
Successful ping from FWa to the inside interface of FWb
FWa# ping 192.168.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
ICMP echo request from outside-interface to 192.168.20.1 ID=32068 seq=23510 len=72
!ICMP echo reply from 192.168.20.1 to outside-interface ID=32068 seq=23510 len=72
....
FWb#
ICMP echo request from S.S.S.S to 192.168.20.1 ID=32068 seq=23510 len=72
ICMP echo reply from 192.168.20.1 to S.S.S.S ID=32068 seq=23510 len=72
==============================================================================
Successful ping from FWa to a host connected to the inside interface of FWb
FWa# ping 192.168.20.15
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.15, timeout is 2 seconds:
ICMP echo request from outside-interface to 192.168.20.15 ID=50862 seq=18608 len=72
!ICMP echo reply from 192.168.20.15 to outside-interface ID=50862 seq=18608 len=72
...
FWb#
ICMP echo request from outside:S.S.S.S to inside:192.168.20.15 ID=50862 seq=18608 len=72
ICMP echo reply from inside:192.168.20.15 to outside:S.S.S.S ID=50862 seq=18608 len=72
===========================
Unsuccessful ping from FWa to the inside2 interface of FWb
FWa# ping 10.52.100.10
Sending 5, 100-byte ICMP Echos to 10.52.100.10, timeout is 2 seconds:
ICMP echo request from outside-interface to 10.52.100.10 ID=19752 seq=63173 len=72
?ICMP echo request from outside-interface to 10.52.100.10 ID=19752 seq=63173 len=72
...
FWb#
ICMP echo request from S.S.S.S to 10.52.100.10 ID=19752 seq=63173 len=72
ICMP echo request from S.S.S.S to 10.52.100.10 ID=19752 seq=63173 len=72
....
==================================================================================
Unsuccessful ping from FWa to a host connected to the inside2 interface of FWb
FWa# ping 10.52.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.52.100.1, timeout is 2 seconds:
ICMP echo request from outside-interface to 10.52.100.1 ID=11842 seq=15799 len=72
FWb#
ICMP echo request from outside:S.S.S.S to inside2:10.52.100.1 ID=11842 seq=15799 len=72
ICMP echo request from outside:S.S.S.S to inside2:10.52.100.1 ID=11842 seq=15799 len=72
=======================
Thank you
Hi odelaporte2,
Most probably the "management-access" command is not applied to the second inside interface, only to the primary inside (check with "show run management-access"), which will confirm it.
This command can be applied to only one interface at a time; for example, if it is currently applied to inside, it cannot be applied to inside2 at the same time.
Hope this helps
-Randy-
-
Hi all!
I have a weird problem and I hope some of you can enlighten me.
The background:
My OS is Windows Vista Home Premium SP2. One day I installed a proxy application - ProxyCap - as a 30-day free trial. The application installed a few Winsock provider DLLs. After the 30-day trial, I uninstalled the app. Then the problems started. Even when the proxy application was disabled, regular Internet connections were completely normal and unaffected. It was only after uninstalling the app that I had problems.
The problem:
- The computer can no longer connect to any website using the browser.
- My local network seems to be fully functional, which suggests a software configuration problem. I say my LAN is functional because if I go to Control Panel --> Network and Sharing Center --> View status and look under the "Activity" section, I see the link sending and receiving packets without problem.
- If I go to Control Panel --> Network and Sharing Center --> View status --> Diagnose, I get the message: "Cannot communicate with DNS server (xxx.xx.xxx.xxx). Network Diagnostics pinged the remote host but did not receive a response."
- Indeed, if I go to Start --> cmd and ping my DNS server, I get a general failure for all 4 packets sent.
- However, I am able to ping my localhost at 127.0.0.1
My settings:
- My ipconfig /all output: http://pastebin.com/Ksn2k2ja
- DHCP is enabled.
- For the LAN connection properties --> Internet Protocol Version 4 (TCP/IPv4) --> Properties, I have "Obtain an IP address automatically" and "Obtain DNS server address automatically" selected.
- The same goes for Internet Protocol Version 6 (TCP/IPv6) --> Properties.
- The Sysinternals Autoruns --> Winsock Providers tab tells me that I have the "Bonjour Namespace Provider" active as a WinSock2 registry entry. It is mdnsNSP.dll, published by Apple Inc. It was present before the installation of the proxy, and it is for iTunes. Screenshot: http://i1300.photobucket.com/albums/ag86/applemeetworm/winsock_zpsb41ca872.jpg
What I tried:
- I tried to reset Winsock on Vista by clicking Start --> cmd and typing netsh winsock reset, then restarting the computer.
- I tried to reset the TCP/IP stack by clicking Start --> cmd and typing netsh int ip reset c:\resetlog.txt, then restarting the computer.
- Restarting my router.
- Disabling and then re-enabling my local network connection.
Thank you all for helping me with my problem. I would be happy to provide more information as needed. Thanks for looking and thanks for offering solutions.
Cheers!
Hi all!
I contacted ProxyCap and their support staff were able to solve the problem.
Apparently, one of my Winsock2 registry entries (Winsock2, NameSpace_Catalog5, Catalog Entries) had been disabled somehow, either by the uninstall or in my first attempts to address the issues after the uninstall.
Thanks to ProxyCap and to the other people who tried to help.
~ Congratulations ~.
-
Starting yesterday I can't pull down the drop-down box to send gifts to my friends. Fish World told me a few weeks ago it was because of some updates on Facebook, but now that has been fixed and I still can't get the in-FB game to work. It works with other browsers - Chrome and IE9. Is there something I have to do on my end to fix this? Other Facebook games work perfectly with drop-down boxes; it is only in Fish World.
Problem solved
-
Firefox 6 is a disaster: not only does the Google toolbar not work, but also the Yahoo toolbar
I've updated to Firefox 6 and now my Yahoo toolbar does not work. First the Google toolbar was not compatible with Firefox 5, now the Yahoo toolbar does not work. HELP?
Check and tell us if you are able to solve the problem.
-
This solution worked, but when the computer is restarted it disconnects and I need to run the fix again so it reconnects. How do I make the fix permanent?
Hello
Check the Startup folder and make sure a vendor wireless utility is not "kicking in" and disabling the Windows Wireless Zero Configuration (WZC) utility each time you start the computer.
-
My computer crashed before I could remove my CS5 Master Collection. I used my disc to load the program on my new computer. It worked, but updates don't work, nor will Bridge recognize the raw files from my Canon 5D Mark III. It recognized them previously. Now it says to convert to DNG, so I tried this but Bridge does not convert the photos (even though it does convert the raw files from my previous cameras).
Try direct updates
https://www.Adobe.com/downloads/updates/
-
I can't get the original disc to work on reinstallation. I get the message
AdobeColorCommonSetRGB
Error:
Error 2.
I'm teaching a class using this program on Macintoshes running 10.9.5 and ActionScript does not work. It will work in any program designed using 10.8, but if you create an animation on 10.9.5 the ActionScript will not work for buttons
You must manually remove the color profiles in question... Run the cleanup tool and see if it helps you get started.
http://www.Adobe.com/support/contact/cscleanertool.html
Mylenium
-
JavaScript not working in 1 PDF, but the same script works in another
Dear Experts,
I have a problem with JavaScript.
I created 2 PDF files with the same form.
I wrote a JavaScript script and the script seems to work in one (Demand2.pdf) and DOES NOT work in the other (exemple.pdf).
The link for Demand2.pdf is
https://Acrobat.com/#d=XIydWx1RIU4oNdTySHtHfg
and the link for exemple.pdf is
https://Acrobat.com/#d=sKPRs2dtDY57RSvMVtnh3w
Can you please guide me on this.
Thank you very much
BookFans
Hello
The second file (exemple.pdf) is saved as Static. The script changes the visual appearance of the form (showing and hiding objects). This requires the file to be saved in dynamic PDF format. This option is available in the Save As dialog, under the file name.
Good luck
Niall
-
One-way VPN with ASA to an 800 router
Folks
I have a site-to-site VPN set up between an ASA 5540 and an 800 router
I want the VPN to be initiated only from the ASA, with the remote 800 listening for incoming connections
I know I can set the connection type on the ASA to originate-only, but I can't find an equivalent answer-only command for the remote 800
Can anyone point me in the right direction, or is it enough to simply configure the ASA as originate-only for this crypto map entry
Thanks to anyone who takes the time to answer
Hello
I recommend you configure the tunnel as a dynamic-to-static VPN tunnel; the ASA will be the static peer, so it will be the initiator and the router will never be able to establish the connection.
The ASA will have a common L2L configuration, but the router will use a dynamic crypto map.
http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a008051a69a.shtml
The PIX in the example is old, so you can simply adapt the commands to your current version; the important thing is to understand the concept.
Please let me know if that answers your question,
Thank you.
-
Command to check how long the S2S VPN tunnel has been up on a Cisco router
Dear all,
Please share the command to check how long the S2S tunnel configured on the router has been up.
There are commands that define the lifetimes of the ISAKMP and IPsec Security Associations (SAs).
For example:
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto ipsec security-association lifetime seconds 3599
... and you can determine the remaining lifetime of these SAs with the following commands:
show crypto session detail
show crypto isakmp sa detail
show crypto ipsec sa
The delta between the configured lifetime(s) and the remaining lifetime will tell you how much time has passed since the last rekey, but that is as close as you are likely to get to determining when the tunnel first came up.
You could use other means, such as syslog messages, to tell you when a tunnel transitions up or down.
Best regards
Mike
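The delta Mike describes is easy to get wrong by hand when a tunnel has several SAs, so here is an added example (not part of Mike's answer) that computes "seconds since last rekey" per SPI from `show crypto ipsec sa` output. SAMPLE is a constructed fragment shaped like the real "sa timing" lines; the configured lifetime of 3599 seconds is the value from the config fragment above. The result is only a lower bound on tunnel age, for exactly the reason Mike gives: every rekey resets the counter.

```python
"""Added example (not from the original post): derive seconds since the
last rekey per IPsec SA from `show crypto ipsec sa` output. SAMPLE is a
constructed fragment; the configured lifetime is taken from the config
fragment shown in the answer (crypto ipsec security-association lifetime
seconds 3599)."""
import re

CONFIGURED_IPSEC_LIFETIME = 3599

# Constructed sample: the two ESP SAs of one tunnel, both rekeyed at the same moment.
SAMPLE = """
     inbound esp sas:
      spi: 0x1A2B3C4D(439041101)
        transform: esp-3des esp-sha-hmac ,
        sa timing: remaining key lifetime (k/sec): (4607999/3421)
     outbound esp sas:
      spi: 0x5E6F7081(1584623745)
        transform: esp-3des esp-sha-hmac ,
        sa timing: remaining key lifetime (k/sec): (4607999/3421)
"""

# Each SA block starts with "spi:" and carries one "remaining key lifetime" line.
SA_RE = re.compile(
    r"spi: (?P<spi>0x[0-9A-Fa-f]+).*?"
    r"remaining key lifetime \(k/sec\): \((?P<kb>\d+)/(?P<sec>\d+)\)",
    re.S,
)


def seconds_since_rekey(show_output, configured_lifetime=CONFIGURED_IPSEC_LIFETIME):
    """{spi: elapsed seconds}. A remaining value larger than the configured lifetime
    means the output and the config do not describe the same SA settings, so refuse
    to compute a (negative) age rather than report nonsense."""
    result = {}
    for m in SA_RE.finditer(show_output):
        remaining = int(m["sec"])
        if remaining > configured_lifetime:
            raise ValueError(
                f"{m['spi']}: remaining {remaining}s exceeds configured {configured_lifetime}s"
            )
        result[m["spi"]] = configured_lifetime - remaining
    return result


def oldest_rekey_age(show_output, configured_lifetime=CONFIGURED_IPSEC_LIFETIME):
    """Lower bound on tunnel age: the elapsed time of the oldest SA. The tunnel may be
    far older, since every rekey resets the counter; only syslog history tells you more."""
    ages = seconds_since_rekey(show_output, configured_lifetime)
    return max(ages.values()) if ages else None


if __name__ == "__main__":
    for spi, age in seconds_since_rekey(SAMPLE).items():
        print(f"{spi}: rekeyed {age}s ago")
    print("tunnel up for at least", oldest_rekey_age(SAMPLE), "seconds")
```

For the ISAKMP SA the same subtraction applies against the `lifetime` of the matching `crypto isakmp policy`, using the remaining value printed by `show crypto isakmp sa detail`.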
-
How can you make Firefox the default browser when the normal route does not work?
I'm trying to leave Chrome entirely once a friend showed me how my Firefox got its act together. However I can't for the life of me set it as the default browser. I tried the "Make Firefox the default browser" button in Firefox, which opens the Windows Default Programs panel. Whenever I try to use the panel it simply assigns the http protocol to a program which isn't even installed! ( http://puu.sh/2vJHM ) I think a possible solution would be to change the registry manually, but I don't know where to start.
Thank you for your help, but I managed to fix it myself. The registry keys for Firefox's HTML and URL associations had been corrupted, so I found them in regedit (at HKEY_CLASSES_ROOT\FirefoxHTML and HKEY_CLASSES_ROOT\FirefoxURL), deleted them entirely, then recreated them by clicking the "Make Firefox default" button in the options.