VPN and static
Unable to connect to the VPN, when I remove the entry satic I can connect, but if I remove entry static I can't recive email...
Help, please
6.3 (4) version PIX
interface ethernet0 car
interface ethernet1 100full
ethernet0 nameif outside security0
nameif ethernet1 inside the security100
enable password xxxx
passwd xxx
pixfirewall hostname
domain ciscopix.com
fixup protocol dns-length maximum 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol 2000 skinny
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names of
inside_outbound_nat0_acl ip access list allow any 192.168.0.192 255.255.255.224
Note to outside_access_in to access list incoming EMAILS
outside_access_in list access permit tcp any host 192.168.1.3 eq smtp
Comment from outside_access_in-incoming access POP list
outside_access_in list access permit tcp any host 192.168.1.3 eq pop3
Comment from outside_access_in-list of remote desktop access
outside_access_in list access permit tcp any any eq 3389
pager lines 24
Outside 1500 MTU
Within 1500 MTU
outdoor IP 192.168.1.2 255.255.255.0
IP address inside 192.168.0.10 255.255.255.0
alarm action IP verification of information
alarm action attack IP audit
pool of local IP KMCBVPN 192.168.0.200 - 192.168.0.210
location of PDM 192.168.0.192 255.255.255.224 outside
location of PDM 192.168.0.1 255.255.255.255 inside
PDM logging 100 information
history of PDM activate
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0-list of access inside_outbound_nat0_acl
NAT (inside) 1 192.168.0.0 255.255.255.0 0 0
static 192.168.1.2 (indoor, outdoor) 192.168.0.5 netmask 255.255.255.255 0 0
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
Timeout xlate 0:05:00
Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225
H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00
Timeout, uauth 0:05:00 absolute
GANYMEDE + Protocol Ganymede + AAA-server
AAA-server GANYMEDE + 3 max-failed-attempts
AAA-server GANYMEDE + deadtime 10
RADIUS Protocol RADIUS AAA server
AAA-server RADIUS 3 max-failed-attempts
AAA-RADIUS deadtime 10 Server
AAA-server local LOCAL Protocol
Enable http server
http 192.168.0.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
SNMP-Server Community public
No trap to activate snmp Server
enable floodguard
Sysopt connection permit-pptp
Telnet timeout 5
SSH timeout 5
Console timeout 0
VPDN PPTP-VPDN-group accept dialin pptp
VPDN group PPTP-VPDN-GROUP ppp authentication chap
VPDN group PPTP-VPDN-GROUP ppp mschap authentication
VPDN group PPTP-VPDN-GROUP ppp encryption mppe auto
VPDN group configuration client PPTP-VPDN-GROUP address local KMCBVPN
VPDN group VPDN GROUP-PPTP client 192.168.0.1 dns configuration
VPDN group VPDN GROUP-PPTP pptp echo 60
VPDN group VPDN GROUP-PPTP client for local authentication
VPDN username user1 password *.
VPDN username user2 password *.
VPDN username password user3 *.
VPDN username hilal password *.
VPDN allow outside
dhcpd address 192.168.0.11 - 192.168.0.42 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd outside auto_config
Terminal width 80
Cryptochecksum:xxxx
: end
pixfirewall (config) #.
I forgot to mention, you could also do clear xlate after orders to have to clean up.
Tags: Cisco Security
Similar Questions
-
RVL200 - SSL VPN and firewall rules
Forgive my ignorance, but I have been immersed in the configuration of this device RVL200 to allow Remoting SSL VPN to a customer site, sight unseen. I have the basics of the VPN set up in config, but now move the firewall rules. We want to block all internal devices to access the Internet, but I don't want to cripple the remote clients that will be borrowed by blocking their return via the SSL VPN traffic. This leads to my questions:
(1) a rule of DENIAL of coverage for all traffic OUTBOUND will prevent the primary function of the VPN (to allow the administration away from machines on the local network)?
(2) if the answer to #1 is 'Yes', what ports/services do I need to open the side LAN?
(3) building # 2, configuring authorized outbound rules apply only for VPN clients, rather than all the hosts on LAN?
(4) as the default INCOMING traffic rule is to REFUSE EVERYTHING, do I have to create a rule to allow the VPN tunnel, or guess that in the configuration of the router?
Here are some other details:
- The LAN behind the RVL200 is also isolated LAN in a manufacturing environment
- All hosts on this network have a static IP address on a single subnet.
- The RVL200 has been configured with a static, public IP on the WAN/INTERNET side.
- DHCP has been disabled on the RVL200
- Authentication to the device will use a local database.
- There is no such thing as no DNS server on the local network
- The device upstream of the RVL200 is a modem using PPPoE DSL, and the device has been configured for this setting.
- Several database of local users accounts were created to facilitate the SSL VPN access.
I worked with other aspects of it for a long time, but limited experience with VPN and the associated firewall rules and zero with this family of aircraft. Any help will be greatly appreciated.
aponikikay, there is no port forwarding necessary to the function of the RVL200 SSL - VPN.
Topic 1. That is not proven. It shouldn't do. The router should automatically make sure that the SSL - VPN router service is functional and accessible.
Re 2. No transfer necessary. In addition, never before TCP/UDP port 47 or 50 for VPN functions. The TCP 1723 port is used for PPTP. UDP 500 is used for ISAKMP. You usually also to transmit TCP/UDP 4500 port for IPSec encapsulation.
Let's not port 47. ERM is an IP protocol that is used for virtual private networks. It is a TCP or UDP protocol. GRE has 47 IP protocol number. It has nothing to do with TCP or UDP port 47. TCP and UDP are completely different protocols of free WILL.
It goes the same for 50: ESP is the payload for IPSec tunnels. ESP is the Protocol IP 50. It has nothing to do with TCP or UDP port 50.
'Transfer' of the GRE is configured with PPTP passthrough option.
'Transfer' of the ESP is configured with IPSec passthrough option.
-
site2site distance-VPN and access-PIX - no way?
I have,
I have a problem wrt site2site & VPN remote access on a PIX:
My setup is as follows: PIX (6.3) puts an end to two a site2-site VPN and also should the remote access service clients using the client VPN Cisco (4.0.x).
The problem is with remote access VPN clients, obtain an IP address on their VPN interface, but customers cannot reach anything. (Please note that the site2site VPN runs without problem)
To be precise (see config-excerpts below):
The customer, who has 212.138.109.20 as its IP address gets an IP 10.0.100.1 on his card-VPN which comes from the "vpnpool of the pool.
configured on the PIX. This customer relationships to reach servers on interface 'inside' of the PIX as 10.0.1.28.
However, the client cannot achieve * nothing *-a server on the inside or anything like that (e.g. Internet) outside!
Using Ethereal traces, I discovered that the packets arrive inside interface coming 10.0.100.1 (IP address of the)
VPN - client). I also see the response from the server (10.0.1.28) to 10.0.100.1. However for some reason any package does not thanks to
the PIX to the customer. PIX-newspapers also show packets to and from the VPN client to the inside interface - and * no. * drops. So to my knowledge the packets from server to the VPN client really should be done through the PIX.
I have attached the following as separate files:
(o) the parts of the PIX config
(o) packets showing PIX-log between the VPN client and the server (s) on the interface inside
(o) ethereal-trace done inside the watch interface also packets between VPN client and server (s)
I have really scratched my head for a while on this one, tested a lot of things, but I really don't know what could be a problem with my
config.
After all, it really should be possible to run site2site - and on the same PIX VPN remote access, shouldn't it?
Thank you very much in advance for your help,.
-ewald
I think that your problem is in your ACL and your crypto card:
access-list 101 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 101 permit ip 10.0.3.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 101 permit ip 10.0.1.0 255.255.255.0 10.0.100.0 255.255.255.0
correspondence address 1 card crypto loc2rem 101
This means that this map correspond to these addresses. But your dynamic map is one that must match 10.0.100.0, 10.0.1.0 traffic because your pool local ip is 10.0.100.x. I think what is happening is that the return traffic from the lan to vpn clients trying to get out of the static tunnel, which probably does not exist (for the netblocks - you probably have a security association for each pair of netblocks, but not for vpn clients) and so do not.
I would recommend adding these lines:
access-list 105 allow ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 105 allow ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 105 permit 10.0.3.0 ip 255.255.255.0 10.0.2.0 255.255.255.0
no correspondence address 1 card crypto loc2rem 101
correspondence address 1 card crypto loc2rem 105
Then reapply:
loc2rem interface card crypto outside
-
IPSec Tunnel between Cisco 2801 and Netscren 50 with NAT and static
Hello
My problem isn't really the IPSec connection between two devices (it is already done...) But my problem is that I have a mail server on the site of Cisco, who have a static NAT from inside to outside. Due to the static NAT, I do not see the server in the VPN tunnel. I found a document that almost describes the problem:
"Configuration of a router IPSEC Tunnel private-to-private network with NAT and static" (Document ID 14144)
NAT takes place before the encryption verification!
In this document, the solution is 'routing policy' using the loopback interface. But, how can I handle this with the Netscreen firewall. Someone has an idea?
Thanks for any help
Best regards
Heiko
Hello
Try to change your static NAT with static NAT based policy.
That is to say the static NAT should not be applicable for VPN traffic
permissible static route map 1
corresponds to the IP 104
access-list 104 refuse host ip 10.1.110.10 10.1.0.0 255.255.0.0
access-list 104 allow the host ip 10.1.110.10 all
IP nat inside source static 10.1.110.10 81.222.33.90 map of static route
HTH
Kind regards
GE.
-
Blocking of the internal services of VPN and Proxy
Hello
I have some users with Windows 7 and MAC laptops inside my network domestic who is protected by the R7000.
I'd like know if its possible to block sessions VPN and Proxy, initiated from these internal, to communicate with Internet computers.
Thank you
Try VPN Service to block.
-
Connect to VPN and then log on to the domain by using different credentials.
I have a laptop user who will take care of various remote sites.
In XP, you had to first use DUN/VPN and then you can log in the field with different credentials that the VPN end point.
With Vista if I use the method user to switch on the logon screen and the log in the VPN it also attempts to use these credentials for the domain. The VPN device has its own separate authentication of the AD. How to restore the loss of functionality that Vista has?
I have to first connect to the VPN appliance and authenticate to that I do the network connection. Then, I need vista to propose real logon to the computer or to the domain.
I appreciate the help.
Computers in discontinuous bench
Hi StapleBench,
The question you have posted is related to the VPN and domain environment is better suited in the TECHNET forums, and as I see that you already post your query in the TECHNET forum in the following link:
I suggest you wait for a response on the TECHNET itself thread.
Halima S - Microsoft technical support.
Visit our Microsoft answers feedback Forum and let us know what you think.
-
Hello
I currently have a RV042G in my company. It works fine, but I was looking for a solution that would allow me to use VPN so that I can tunnel inside and then again connect to the internet via the tunnel. I want to have a way secure to connect to internet from my laptop while I am travelling and prefer to build my own VPN and do it myself.
If I understand correctly, the RV042G does not allow this and it only access to the local network via the tunnel. What would be the next router allowing him to fill this purpose?
Thank you!
Hi rodman
These devices work fine, you can also use third-party software not only software from Cisco to use the VPN features. On subscriptions, IAPH supports more special features such link Protect and IP addresses and you can have and buy a subscription in order to add these features to your device, however, if Don t you want what they you don t have to buy.
Cisco provide one of the best support, it has plenty of support, it is possible via chat, email or telephone, it also provide assistance free of charge for the users of this forum if you don t buy a warranty
I hope you find this answer useful,
* Please answer question mark or note the fact other users can benefit from the TI *.
Greetings,
Johnnatan Rodriguez Miranda.
Support of Cisco network engineer.
-
When remote users to connect to the Cisco ASA VPN and authenticate with Cisco AnyConnect client, they then full access to the environment internal of LAN of business as if they were sitting at their desks in the Office of the Corporation.
Right?
After that the remote client authenticates to the AnyConnect VPN, it is sensible to then run remote users of traffic through the corporate firewall (outside to inside) before allowing LAN access full corporate?
Remote_User - vpn - ANYCONNECT-(outside) (inside) firewall - CORP_LAN
Thank you
Frank
Hello
Yes, by default, all traffic will be sent through the tunnel.
If there are users VPN shouldn't be able to reach the resources, you need to establish rules for access to it. The best way to do this is by using VPN filter.
-
Mac, VM XP Pro, Cisco VPN and printing.
I have an end-user running a Mac with a virtual XP Pro Machine that connects to our VPN corperate machine. This part works fine. Problems happen when he tries to print to a network printer. The job is just until it disconnects from the VPN and then it prints very well. No one knows what to do to fix this? I have little or no knowledge of MAC.
Kind regards
Dan
This could be the reason why printing does not work. To print traffic really vpn tunnel as split tunnel is not configured.
-
AnyConnect vpn and a tunnel vpn Firewall even outside of the interface.
I have a (no connection) remote access vpn and ipsec tunnel connection to return to our supplier is on the same firewall outside interface.
The problem is when users remote vpn in they are not able to ping or join the provider above the tunnel network.
now, I understand that this is a Bobby pin hair or u turn due to traffic but I'm still not able to understand how the remote vpn users can reach the network of the provider on the tunnel that ends on the same interface where remote access vpn is also configured.
The firewall is asa 5510 worm 9.1
Any suggestions please.
Hello
You are on the right track. Turning U will be required to allow vpn clients access to resources in the L2L VPN tunnel.
The essence is that the split tunneling to access list must include subnets of the remote VPN to peer once the user connects they have directions pertaining to remote resources on anyconnect VPN
Please go through this post and it will guide you how to set up the u turn on the SAA.
https://supportforums.Cisco.com/document/52701/u-turninghairpinning-ASAKind regards
Dinesh MoudgilPS Please rate helpful messages.
-
remote VPN and vpn site to site vpn remote users unable to access the local network
As per below config remote vpn and vpn site to site vpn remote users unable to access the local network please suggest me a required config
The local 192.168.215.4 not able ping server IP this server connectivity remote vpn works fine but not able to ping to the local network vpn users.
ASA Version 8.2 (2)
!
host name
domain kunchevrolet
activate r8xwsBuKsSP7kABz encrypted password
r8xwsBuKsSP7kABz encrypted passwd
names of
!
interface Ethernet0/0
nameif outside
security-level 0
PPPoE client vpdn group dataone
IP address pppoe
!
interface Ethernet0/1
nameif inside
security-level 50
IP 192.168.215.2 255.255.255.0
!
interface Ethernet0/2
nameif Internet
security-level 0
IP address dhcp setroute
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
Shutdown
No nameif
no level of security
no ip address
management only
!
passive FTP mode
clock timezone IST 5 30
DNS server-group DefaultDNS
domain kunchevrolet
permit same-security-traffic intra-interface
object-group network GM-DC-VPN-Gateway
object-group, net-LAN
access extensive list ip 192.168.215.0 sptnl allow 255.255.255.0 192.168.2.0 255.255.255.0
192.168.215.0 IP Access-list extended sheep 255.255.255.0 allow 192.168.2.0 255.255.255.0
tunnel of splitting allowed access list standard 192.168.215.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
MTU 1500 Internet
IP local pool VPN_Users 192.168.2.1 - 192.168.2.250 mask 255.255.255.0
ICMP unreachable rate-limit 1 burst-size 1
enable ASDM history
ARP timeout 14400
NAT-control
Global 1 interface (outside)
NAT (inside) 1 0.0.0.0 0.0.0.0
Route outside 0.0.0.0 0.0.0.0 59.90.214.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
the ssh LOCAL console AAA authentication
AAA authentication LOCAL telnet console
AAA authentication http LOCAL console
AAA authentication enable LOCAL console
LOCAL AAA authentication serial console
Enable http server
x.x.x.x 255.255.255.252 out http
http 192.168.215.0 255.255.255.252 inside
http 192.168.215.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto-map dynamic dynmap 65500 transform-set RIGHT
card crypto 10 VPN ipsec-isakmp dynamic dynmap
card crypto VPN outside interface
card crypto 10 ASA-01 set peer 221.135.138.130
card crypto 10 ASA - 01 the transform-set RIGHT value
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 65535
preshared authentication
the Encryption
sha hash
Group 2
lifetime 28800
Telnet 192.168.215.0 255.255.255.0 inside
Telnet timeout 5
SSH 0.0.0.0 0.0.0.0 outdoors
SSH timeout 5
Console timeout 0
management-access inside
VPDN group dataone request dialout pppoe
VPDN group dataone localname bb4027654187_scdrid
VPDN group dataone ppp authentication chap
VPDN username bb4027654187_scdrid password * local store
interface for identifying DHCP-client Internet customer
dhcpd dns 218.248.255.141 218.248.245.1
!
dhcpd address 192.168.215.11 - 192.168.215.254 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
Des-sha1 encryption SSL
WebVPN
allow outside
tunnel-group-list activate
internal kun group policy
kun group policy attributes
VPN - connections 8
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value split tunnel
kunchevrolet value by default-field
test P4ttSyrm33SV8TYp encrypted password username
username kunauto password bSHrKTGl8PUbvus / encrypted privilege 15
username kunauto attributes
Strategy Group-VPN-kun
Protocol-tunnel-VPN IPSec
tunnel-group vpngroup type remote access
tunnel-group vpngroup General attributes
address pool VPN_Users
Group Policy - by default-kun
tunnel-group vpngroup webvpn-attributes
the vpngroup group alias activation
vpngroup group tunnel ipsec-attributes
pre-shared key *.
type tunnel-group test remote access
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group ipsec-attributes x.x.x.x
pre-shared key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
Review the ip options
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
inspect the icmp
!
global service-policy global_policy
context of prompt hostname
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:0d2497e1280e41ab3875e77c6b184cf8
: end
kunauto #.Hello
Looking at the configuration, there is an access list this nat exemption: -.
192.168.215.0 IP Access-list extended sheep 255.255.255.0 allow 192.168.2.0 255.255.255.0
But it is not applied in the States of nat.
Send the following command to the nat exemption to apply: -.
NAT (inside) 0 access-list sheep
Kind regards
Dinesh Moudgil
P.S. Please mark this message as 'Responded' If you find this information useful so that it brings goodness to other users of the community
-
I have an ASA 5510 with active VPN for remote access service. Users can log in and access inside resources without problem. the question is the servers in the DMZ, as the web server, they cannot access. Is there an easy way to allow access for users of VPN and?
Thank you
That will allow you to reach your dmz servers. For example if the demilitarized zone is 192.168.1.0, you can press their DMZ address 192.168.1.x etc. servers.
Your other option is to use split tunneling, which would allow you to access the servers through their public ip addresses that are translated in the SAA.
-
PIX - PIX VPN and Client VPN - cannot access core network
I hub and spoke PIX and a VPN Client that connects to speak it PIX, much the same as the example configuration here: -.
This example shows the client VPN access to the network behind PIX RADIUS. I want the client to also be able to access the central network, i.e. the client connects to the pix speaks via vpn, and traffic is routed through the vpn to PIX - PIX to the central site.
How this would change the configuration contained in the example?
See you soon,.
Jon
You can not do this, the PIX cannot route a package back on the same interface, it is entered in the. The only way to do that is to have the client connect to the hub PIX, but then they would not be able to get to the network behind PIX distance either.
Or that the customer would connect on a different interface in the PIX of distance, but this would mean another connection ISP on this PIX. Example of config is here: http://www.cisco.com/warp/public/110/client-pixhub.html
-
ASA 5500 and static NAT 1-to-1
We currently have a pair of s ASA 5500 failover providing firewall & nat with inside, outside and the dmz interfaces. We do PAT interface for most of the internal to the external and static connections 1-to-1 NAT for specific hosts that need to accept connections from the outside inside. The space of the static nat is a 27 which includes the address of the external interface. It's that everything is working properly.
However, we are out of space for the static NAT to this/27. I would like to be able to add a different network, probably another 27, for the more static NAT but I'm a hard time to find the best way to do it. Is this possible with a network that does not include the external interface on the ASA?
Here are some of our current NAT config:
Global interface 10 (external)
NAT (inside) 10 0.0.0.0 0.0.0.0
(dmz1, outside) static dmz1-net-net dmz1 netmask 255.255.255.224
static (inside, dmz1) 192.168.0.0 192.168.0.0 netmask 255.255.0.0
static (inside, dmz1) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (inside, outside) xx.yy.164.15 192.168.98.46 netmask 255.255.255.255
static (inside, outside) xx.yy.164.8 192.168.98.47 netmask 255.255.255.255
static (inside, outside) xx.yy.164.14 192.168.98.48 netmask 255.255.255.255
static (inside, outside) xx.yy.164.13 192.168.101.50 netmask 255.255.255.255
Thank you very much...
Hello
The correct syntax for the proxyarp activation will be
No outside sysopt noproxyarp
-
Hi all
I have a strange architecture including VPN and I have a few problems that I am not able to solve:
-J' use the ssl vpn gateway to allocate internal IP addresses of the local network described in the schema (8.8.2.0 or 8.8.3.0 according to the tunnel-group network.
-The purpose is for vpn clients directly access the internal network.
This works very well if there are strictly internal communications within the network. But recently, we have installed an application that needs to access both networks. No problem, I thought, but I was wrong, there seems to be a problem of routing inherent in the architecture in place.
Let me explain the problem:
-When I access the VPN, for example I will gave the 8.8.3.5 ip address.
-Im running the application that needs to open a page on the web server, located at 8.8.2.120
-l'asa receive my tcp syn datagram and forward it directly to the directly connected interface fa0/1 (based on the routing table)
-the web server returns the response, but he sends on its default gateway which is the cisco 6509.
-6509 it sends its vlan svi 2000
- and finally the ASA it receives on its interface fa0/2 but seems he falls as she opened a tcp on fa0/1 connection and receives the response on fa0/2.
I want it's traffic by tunnel to bypass the connected roads and transmit it to a default gateway of tunnel. This would ensure that the path for the request and the response would be the same.
I would like to know if there are orders of debugging for routing decisions validate my theory?
Do you know of any response to solve this problem?
Thanks a lot for your help.
When you configure the TCP State derivation always think ' which way is the SYN package coming?
Routing failed messages always have source and destination, are of course copied the entire message?
BTW, instead of letting clients SSL addresses attributed to vlan2000? Why not give them a separate subnet and the road back via correct interface?
I would also check your config and the routing :-) table
Marcin
Maybe you are looking for
-
IPhone crashed the Middle updated and now stuck on the setting of the screen!
My Iphone has been unusually slow. So I tried to update my phone I thought it's maybe the old version of the IOS that makes my phone lag (I think I downloaded the latest version, 10. something). While trying to update my phone, it crashed at halfway.
-
ALERTING ME UPGRADE - BUT IMPOSSIBLE - STAYS ON 'connection '.
I think I automatically get the latest version - however - I get these alertsto updated, but will in connection mode - and that's
-
Hello: I have iOS 3 devices: iPhone 6, iPhone 5, iPad Air all with the latest iOS 9.2.1. I bought a Netatmo Thermostat, with the HomeKit technology. In the iPhone 6 there in 'Settings' under the Safari icon HomeKit (configure) icon. BUT in the iPhon
-
Unable to connect to MacBook from other computers on the network
original title: I can access all windows for the PC and macbook computers, but I can't access the macbook on the PC. How can I access the macbook via the PC? I have windows xp laptop and a macbook. Computers portable windows communicate with each o
-
Aspire 4330 maintains close without reason
just bought a used laptop. its windows vista is origional but he got with windows 7! It keeps closing after 2 hours running, without no reason. It is not restart or anything. I ran troubleshooting and just don't know what's the problem with him.