VPN Client connection - Hong Kong to the United States.
We have a PIX 515E with active VPN. In the United States, users have no problem connecting with the VPN client.
However, we have a user in Hong Kong who has problems. The user can connect to the external interface and establish the connection, and is assigned an IP address from the reserved pool, but cannot connect to our server here in the States or even ping any of the internal IP addresses.
Is there another config that needs to be done?
Yes, in config mode do:
isakmp nat-traversal
Save with: write mem - and you're done.
Now get your user in Hong Kong to establish the VPN client connection and try to ping an internal server on your side. And make sure that the MS XP firewall is disabled.
Let me know how you go and if this does not solve your problem please rate another post could seek the same solution!
Jay
Similar Questions
-
Hi all
I am trying to connect to my Cisco AnyConnect VPN Client but every time I try, I get an error (connection attempt failed because the network or pc problem cisco)
Can anyone please help me with this?
Thank you
Zia
What is the local firewall on your computer?
-
VPN IS CONNECTED BUT CANNOT ACCESS THE INTERNAL NETWORK
I tried to set up a simple client VPN using this document
VPN IS CONNECTED BUT CANNOT ACCESS THE INTERNAL NETWORK BEHIND "RA"...
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password VmHKIhnF4Gs5AWk3 encrypted
passwd VmHKIhnF4Gs5AWk3 encrypted
hostname VOIPLABPIX
domain-name voicelab.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 172.10.2.0 255.255.255.0 172.10.3.0 255.255.255.0
access-list 101 permit ip 172.10.1.0 255.255.255.0 172.10.3.0 255.255.255.0
access-list 102 permit ip 172.10.2.0 255.255.255.0 172.10.3.0 255.255.255.0
access-list 102 permit ip 172.10.1.0 255.255.255.0 172.10.3.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 208.x.x.11 255.255.255.0
ip address inside 172.10.2.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool voicelabpool 172.10.3.100-172.10.3.254
pdm history enable
arp timeout 14400
nat (inside) 0 access-list 102
route outside 0.0.0.0 0.0.0.0 208.x.x.11 1
route inside 172.10.1.0 255.255.255.0 172.10.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 172.0.0.0 255.0.0.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 client authentication LOCAL
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup cuclab address-pool voicelabpool
vpngroup cuclab dns-server 204.x.x.10
vpngroup cuclab default-domain voicelab.com
vpngroup cuclab split-tunnel 101
vpngroup cuclab idle-time 1800
vpngroup cuclab password ********
telnet timeout 5
ssh 208.x.x.11 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 172.10.1.2 255.255.255.255 inside
ssh timeout 60
console timeout 0
username labadmin password jNEF0yoDIDCsaoVQ encrypted privilege 2
terminal width 80
Cryptochecksum:b03a349e1ac9e6022432523bbb54504b
: end
Try turning on NAT-T:
PIX(config)# isakmp nat-traversal 20
http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a00807e0aca.shtml#Solution1
HTH
-
PIX: Cisco VPN Client connects but no routing
Hello
We have a Cisco PIX 515 with software 7.1(2). It accepts Cisco VPN Client connections with no problems, but does no routing to internal networks directly connected to the PIX. For example, my PC is assigned the IP 172.16.2.57, and then the internal Windows server 172.16.0.12 does not respond to ping or to RDP attempts. The most irritating thing is that these attempts are recorded in the system log, but always end with "SYN timeout", as follows:
2009-01-06 23:23:01 Local4.Info 217.15.42.214 %PIX-6-302013: Built inbound TCP connection 3315917 for outside:172.16.2.57/1283 (172.16.2.57/1283) to inside:ALAI2/3389 (ALAI2/3389)
2009-01-06 23:23:31 Local4.Info 217.15.42.214 %PIX-6-302014: Teardown TCP connection 3315917 for outside:172.16.2.57/1283 to inside:ALAI2/3389 duration 0:00:30 bytes 0 SYN Timeout
2009-01-06 23:23:31 Local4.Debug 217.15.42.214 %PIX-7-609002: Teardown local-host outside:172.16.2.57 duration 0:00:30
We tried enabling and disabling "nat-control", "same-security-traffic permit inter-interface" and "same-security-traffic permit intra-interface", but the results are the same: the VPN connection is successfully established, but remote clients cannot reach the internal servers.
I enclose the relevant configuration in order to help understand the problem:
interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address xx.yy.zz.tt 255.255.255.240
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.16.0.1 255.255.255.0
!
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.255.0 172.16.2.56 255.255.255.248
!
access-list outside_cryptomap_dyn_20 extended permit ip 172.16.0.0 255.255.255.0 172.16.2.56 255.255.255.248
!
access-list VPN_client_group_splitTunnelAcl standard permit 172.16.0.0 255.255.255.0
!
ip local pool pool_vpn_clientes 172.16.2.57-172.16.2.62 mask 255.255.255.248
!
nat-control
global (outside) 12 xx.yy.zz.tt
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 12 172.16.0.12 255.255.255.255
!
group-policy VPN_clientes internal
group-policy VPN_clientes attributes
 default-domain value xxyyzz.NET
group-policy VPN_client_group internal
group-policy VPN_client_group attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_client_group_splitTunnelAcl
 default-domain value xxyyzz.local
!
I join all the details of the cryptographic algorithms because the VPN is successfully completed, as I said at the beginning. In addition, routing tables are irrelevant in my opinion, because the inaccessible hosts are directly connected to the internal LAN of the PIX 515.
Thank you very much.
Can you confirm the ASA has NAT traversal enabled? Otherwise, activate it on the ASA and have the VPN clients try again.
PIX/ASA 7.1 and earlier versions
PIX(config)# isakmp nat-traversal 20
PIX/ASA 7.2(1) and later versions
PIX(config)# crypto isakmp nat-traversal 20
-
Cannot ping VPN client from 1721 CLI on the tunnel endpoint
I have a 1721 happily supporting IPsec VPN client connections. With one small exception, everything works perfectly fine.
The VPN pool is 10.10.10.1 - 10.10.10.254
The internal interface f0 is assigned 192.168.1.254/24.
In my example:
IP address of the VPN client is 10.10.10.5
The host address of an arbitrary machine on the internal LAN is 192.168.1.151
I am able to ping 192.168.1.151 from 10.10.10.5
I'm *not* able to ping 10.10.10.5 from 192.168.1.254 using the CLI on the 1721.
There is a very good reason to want to solve this problem. I would like to be able to access a TFTP server on the VPN client directly from the router in order to download new startup-config files. Is it possible to get the TFTP traffic from the tunnel endpoint to the VPN client to travel through the tunnel?
When you ping from the CLI on the router, the packet will be sourced from the external interface, not the fa0 interface IP address. The VPN client and the router only built a tunnel from the 10.10.10.5 address to the 192.168.1.0 network, so the router will not encrypt a packet whose source is the outside IP address.
Try an extended ping to 10.10.10.5 with the packet sourced from 192.168.1.254 and see if it works. If it does, you will also have to source your TFTP packets from the inside interface, which you can do with:
ip tftp source-interface fa0
-
In the United States I have Dish as a TV provider. I can connect to Dish with my Apple TV version 4 and watch apps like CBS, CNN, Go, etc. When I try to do the same thing in Mexico with my Apple TV version 3, these same apps do not work. In Mexico, I have tried resetting everything and going through other steps proposed in this forum. Nothing has worked.
Hello. I think they can tell where you are by your IP address. Their servers can block content if they are not allowed to provide it at your location. You can try contacting Dish.
-
Can I use my iPhone 6 bought in Hong Kong in Canada?
Can I use my iPhone 6s bought in Hong Kong in Canada?
Your question can mean two things:
- Can I use my iPhone in Canada? I'll be there for a short period of time and wish to use it there, but continue to keep my current (Hong Kong-based) cellular service provider. I know I'll be paying expensive roaming charges for my telephone and cellular data use.
- Can I use my iPhone in Canada? I bought it in Hong Kong, but will live in Canada and wish to use a Canadian cell phone company once I am there.
The answer to (1) is certainly!
The answer to (2) is: I'm not sure, but I think not. To have any hope of the answer to (2) being 'Yes', you at least should:
- Have the cellular carrier based in Hong Kong unlock the iPhone (I don't think that they do so at all - I know that they would not if the iPhone had originated in Japan.)
- Have the Canadian-based cellular company use transmission methods and/or frequencies (e.g. GSM) that the iPhone from Hong Kong accepts.
-
My browser is blocked for security reasons. Code error-QFR5000RT11C. My incoming connections in open State distance. Then I got the call from the United States 1 (866)986-3669, I picked up the phone, but they put the phone down. No matter what? Help, please.
It's probably a SCAM. Do not call these numbers. Force Quit Safari and reopen it by holding down the SHIFT key.
Ciao.
-
If I buy the iPad Air 2 in the United States on Thanksgiving Day and use the iPad in India, will I get warranty assistance in India?
Also, are there any problems if I use an iPad made in the USA in India?
There should be no problem, as long as you use a Wi-Fi-only device. If you want a Wi-Fi and cellular iPad, the warranty would be specific to the United States. A Wi-Fi-only model should have the warranty honoured in India. This question may be better put to authorized providers in India.
-
Using a UK-bought Apple TV in the United States
I brought our Apple TV on vacation to Orlando, but none of the applications are available at this time. Have reset and set up in the United States according to the market through but not yet available and also invisible to broadcast on airplay.
Is the Apple TV connected to a Wi-Fi network with an active internet connection?
-
AirPort Extreme and airport express bought in Europe will work in the United States?
AirPort Extreme and airport express bought in Europe will work in the United States?
AirPorts will work on 100-240 volts and 50/60 Hz, so they'll work power-wise about anywhere in the world, assuming that you have a plug adapter to change the European plug to a US plug. A voltage converter is not necessary.
European wireless operates on channels 1-13 and the United States on channels 1-11, so you will need to make sure that you use 1-11 if you want other users to be able to connect to the wireless signal.
-
My family will travel from the United States to Mexico. Do I need to change anything on my phone about my temporary location when I reach my destination so my map app will work properly in MX, or does the GPS adjust automatically? I ask because I don't want to go and have my battery grind to a stop as it tries to figure out my new location. I have an iPhone 5, iOS 9.2. How do I make the change if the change is necessary?
Your phone gets your location by connecting to the GPS satellites. Using location services uses battery. However, it will not use any more finding your location in Mexico than it does when it finds your location here.
What you do need to make sure to do is contact your cellular carrier and make sure that your account is enabled for international roaming and that you understand what the cost can be.
-
United States customer service not responding regarding Z3 Compact repair
Hello and happy new year! I was wondering if anyone has experience with sending in a Z3 Compact for repair/replacement under warranty in the United States. I live chatted and called several times and I can't get any information on the status of my repair or when I get my phone back. I wonder if you guys could give some advice on what to do next.
My Z3 Compact suddenly started having battery problems (first similar to this: http://talk.sonymobile.com/t5/Xperia-Z3-Compact/Battery-levels-jumping-randomly-and-not-charging/td-... and then it stuck at 50% and was not charging or discharging). My phone is under warranty until 2017, so I called, got an RMA number and sent it in to their repair center in Laredo, Texas. It arrived on 12/14, and here's the problem: no one can give me an update as to what is happening. Many live chats and e-mails gave no information. After a week, I called their customer service line and they said it was being sent to a manager, who was supposed to send me an email in the next 24 to 48 hours, but didn't. After the second week, I called again, and it's the same thing (promised an email from a manager, which I have not received).
I was told at the beginning that since my phone is an international model, they may have to order parts and could not give me an ETA, but they said that most of the repairs are completed within 14 working days. They have had my phone for at least 10 working days now (and 2.5 weeks in total), and I really should have heard some kind of update by now. I'm trying to be patient because it's the holidays and I'm sure their repair technicians take a bit of time off, but some communication would be the bare minimum of acceptable customer service. At the very least, if Sony does not provide automatic updates, I should be able to get some info by calling, instead of this ridiculous evasiveness.
What else can I do to get information on the status of my claim?
I feel your pain. I had a similar lack of information when the back screen of my Z3C cracked randomly after 3 days of ownership. It was sent to Laredo. I never had an update... I called at least twice to get an update and was told I would soon receive a response on whether or not the repair would be covered by the warranty.
Two weeks passed, and all of a sudden I get a box from Sony with my repaired phone inside. No updates, no notification, no nothing.
TL;DR: expecting anything near decent communication or customer service with this Sony repair center is little more than dreaming.
We wish you the best of luck...
-Evan
-
Re: W700 - purchased at the Service of the United States in Germany
Dear Lenovo Service:
This mail is from a very disappointed and angry Lenovo customer who has owned several ThinkPad products in the past, both at work and at home.
Well, this is my story - I originally ordered my W700 on 26 Nov 09. After many calls/emails to Lenovo customer service, the machine finally arrived on December 22, two weeks after the original delivery date (Oakland, CA, USA), not to mention that I had to cancel my flight/lodging on the 17th to Germany, which I had arranged beforehand thinking a tolerance of 9 days of delivery time would be appropriate. It turns out it was bad management and cost me US $350 to reschedule my flight itinerary.
On 31 December, I was on a flight to Germany for 8 months of technical training. The third day after my arrival in Germany, the laptop screen suddenly went blank, and restarting and connecting to an external monitor both ended in failure.
So the next day (4 January), I called the Lenovo Germany customer service line, explained my situation and literally begged them to speed up the process (I badly needed the 3D CAD modeling to work). Guess what, the representative told me that he did not know if my warranty could be carried over to Germany since the original purchase was made in the United States. I told the representative that I had bought an additional 3-year international warranty and they should be able to verify it with a small "click" of the mouse. On the contrary, it took them 5 days to get back to me telling me that the warranty had been verified and, MOST UNACCEPTABLE, they asked me to send the laptop in for repair myself, meaning I have to find time to go to the post office and pay for shipping... This is not how business was done in the old times with IBM. In the old days, I would get an empty box delivered to my door the next day and all I needed to do was put my laptop in and have it picked up by the local courier. IT IS RIDICULOUS; this isn't how Lenovo should treat its customers; as a loyal customer of IBM/Lenovo for years, this isn't how you pay me back...
Aside from the screen/graphics card fault:
- the keyboard is terrible. Flexible, noisy and feels like a piece of cheap plastic
- the program kept giving me errors when I tried to burn the "Recovery DVD" (of course, that was before the system broke down and went completely dead);
To a valued customer of Lenovo (if you really want to say so), I would make the following requests:
- have the laptop fixed as soon as possible;
- replace the original keyboard with keyboard FRU42T3143;
- provide a DVD of Win7/WinXP original;
- reimbursement of my shipping costs (I'll include the receipt in the box)
- HAVE SOMEONE ACTUALLY ACKNOWLEDGE THIS MESSAGE AND RESPOND. (not too much to ask, isn't it?)
Moderator's note: subject edited for relevance
senw, welcome to the forum,
I'm sorry to hear that you have encountered problems. I'm not able to help you directly, but would like to offer the following as information for you; hopefully, it could ease your pain a little, or not, you will have to be the judge.
- have the laptop fixed as soon as possible;
You are invited to send your W700 to Geodis in Heppenheim; I have sent customers' ThinkPads to them for almost 10 years and have never been disappointed by the level of service the systems received. IMHO, they are excellent at what they do. The rule of thumb is 5 working days, including shipping there and back again.
- replace the original keyboard with keyboard FRU42T3143
I don't know if they will be able to grant this wish, but it is certainly worth asking and explaining your concerns to them. This is unknown territory for me because the situation has, in my experience, never come up.
- provide original DVD of Win7/WinXP
You can certainly order a set of recovery discs for your system since you have been unable to create your own. It may take some time because they don't have them in Germany and they will be sent from abroad.
- reimbursement of shipping costs
Unless an additional ServicePac was purchased for courier collection, the standard warranty in Germany is called 'bring-in'; the customer is responsible for getting the system to the repair center. It is unfortunate for you in this case, but it has been the standard procedure even when IBM ran the show. It is an area where levels of service may differ from one country to another.
- HAVE SOMEONE ACTUALLY ACKNOWLEDGE THIS MESSAGE AND RESPOND. (not too much to ask, isn't it?)
It is a peer to peer forum, where members try to help others. There are a few employees of Lenovo who help you here in their free time, but unfortunately, there is no guarantee that you will receive an official response.
Regards
-
How to update time zones to include the United States?
I restored my computer after a hard disk cleanup and now the time zones include only countries other than the United States, which is where I live. How can I fix this to add the USA?
Hi Michael,
Thanks for posting in the Microsoft Community.
Have you tried starting your PC in safe mode with networking to see if the problem persists in safe mode?
To start the system in safe mode, please perform the steps mentioned in the link below.
I suggest you follow the steps below and check if it helps.
Right-click on the clock, at the far right of the taskbar, and click Adjust Date/time
Left click on the clock, on the far right of the taskbar and click change date and time settings
Click on the change time zone button.
Click on the drop-down, and then select your time zone
Check the adjust automatically
Click OK
You can also refer to the article below and check if it helps.
http://Windows.Microsoft.com/en-my/Windows/set-clock#1TC=Windows-7
Just reply to us with the status of the issue.
Thank you.