VPN Client connection - Hong Kong to the United States.

We have a PIX 515E with active VPN. In the United States, users have no problem connecting with the VPN client.

However, we have a user in Hong Kong who has problems. The user can connect to the external interface and is assigned an IP address from the reserved pool, but cannot connect to our server here in the States or even ping one of the internal IP addresses.

Is there another config that needs to be done?

Yes, in config mode do:

isakmp nat-traversal

Save with: write mem - and you're done.

Now get your user in Hong Kong to establish the VPN client connection and try to ping an in-house server on your side. And make sure that the MS XP firewall is disabled.

Let me know how you go and if this does not solve your problem. Please rate the post, as others could be seeking the same solution!

Jay
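
Added example, not part of the original thread and not Cisco tooling: a Python audit of a saved PIX configuration for the NAT-T setting recommended above. It goes beyond the answer by also checking that each VPN address pool is covered by a "nat 0" exemption ACL, another common cause of a tunnel that connects but passes no traffic. The sample configuration, its names and its addresses are constructed, the 20-second default keepalive is an assumption stated in the code, and only ACL entries in network/mask form are parsed.

```python
import ipaddress
import re

# Constructed sample in PIX 6.3 syntax; names and addresses are made up.
SAMPLE_CONFIG = """\
access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
ip local pool vpnpool 192.168.30.100-192.168.30.254
nat (inside) 0 access-list nonat
isakmp enable outside
isakmp policy 10 authentication pre-share
"""

# "isakmp nat-traversal [keepalive]" up to 7.1, "crypto isakmp ..." from 7.2(1).
NAT_T = re.compile(r"^(?:crypto )?isakmp nat-traversal(?: (\d+))?[ \t]*$", re.M)
POOL = re.compile(r"^ip local pool (\S+) (\S+?)[ \t]*-[ \t]*(\S+)", re.M)
NAT0 = re.compile(r"^nat \(\S+\) 0 access-list (\S+)", re.M)
ACL = re.compile(
    r"^access-list (\S+) (?:extended )?permit ip \S+ \S+ (\S+) (\S+)[ \t]*$", re.M)
DEFAULT_KEEPALIVE = 20  # seconds; assumed default when the command has no value


def nat_t_keepalive(config):
    """Return the NAT-T keepalive in seconds, or None when NAT-T is not enabled."""
    m = NAT_T.search(config)
    if m is None:
        return None
    return int(m.group(1)) if m.group(1) else DEFAULT_KEEPALIVE


def exempt_destinations(config):
    """Destination networks of every ACL referenced by a 'nat (...) 0' rule."""
    names = set(NAT0.findall(config))
    nets = []
    for name, dst, mask in ACL.findall(config):
        if name not in names:
            continue
        try:
            nets.append(ipaddress.ip_network(f"{dst}/{mask}", strict=False))
        except ValueError:
            continue  # "host" and "any" forms are not parsed here
    return nets


def audit(config):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    if nat_t_keepalive(config) is None:
        findings.append("NAT-T is off: clients behind NAT/PAT may connect "
                        "but pass no traffic")
    exempt = exempt_destinations(config)
    for name, first, last in POOL.findall(config):
        ends = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        if not any(all(addr in net for addr in ends) for net in exempt):
            findings.append(f"pool {name}: no nat 0 exemption covers {first}-{last}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print("FINDING:", line)
    print("after fix:", audit(SAMPLE_CONFIG + "isakmp nat-traversal 20\n"))
```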

Tags: Cisco Security

Similar Questions

  • Cisco AnyConnect VPN Client (connection attempt failed because the network or pc problem cisco)

    Hi all

    I am trying to connect to my Cisco AnyConnect VPN Client but every time I try, I get an error (connection attempt failed because the network or pc problem cisco)

    Can anyone help me please with this.

    Thank you

    Zia

    What is the local firewall on your computer?

  • VPN IS CONNECTED BUT CANNOT ACCESS THE INTERNAL NETWORK

    I tried to set up a simple client VPN using this document

    http://www.Cisco.com/en/us/products/sw/secursw/ps2308/products_configuration_example09186a00801e71c0.shtml

    VPN IS CONNECTED BUT CANNOT ACCESS THE INTERNAL NETWORK BEHIND "RA"...

    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password VmHKIhnF4Gs5AWk3 encrypted
    passwd VmHKIhnF4Gs5AWk3 encrypted
    hostname VOIPLABPIX
    domain-name voicelab.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list 101 permit ip 172.10.2.0 255.255.255.0 172.10.3.0 255.255.255.0
    access-list 101 permit ip 172.10.1.0 255.255.255.0 172.10.3.0 255.255.255.0
    access-list 102 permit ip 172.10.2.0 255.255.255.0 172.10.3.0 255.255.255.0
    access-list 102 permit ip 172.10.1.0 255.255.255.0 172.10.3.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 208.x.x.11 255.255.255.0
    ip address inside 172.10.2.2 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool voicelabpool 172.10.3.100-172.10.3.254
    pdm history enable
    arp timeout 14400
    nat (inside) 0 access-list 102
    route outside 0.0.0.0 0.0.0.0 208.x.x.11 1
    route inside 172.10.1.0 255.255.255.0 172.10.2.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 172.0.0.0 255.0.0.0 inside
    http 0.0.0.0 0.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
    crypto dynamic-map map2 10 set transform-set trmset1
    crypto map map1 10 ipsec-isakmp dynamic map2
    crypto map map1 client authentication LOCAL
    crypto map map1 interface outside
    isakmp enable outside
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption aes-256
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup cuclab address-pool voicelabpool
    vpngroup cuclab dns-server 204.x.x.10
    vpngroup cuclab default-domain voicelab.com
    vpngroup cuclab split-tunnel 101
    vpngroup cuclab idle-time 1800
    vpngroup cuclab password ********
    telnet timeout 5
    ssh 208.x.x.11 255.255.255.255 outside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 172.10.1.2 255.255.255.255 inside
    ssh timeout 60
    console timeout 0
    username labadmin password jNEF0yoDIDCsaoVQ encrypted privilege 2
    terminal width 80
    Cryptochecksum:b03a349e1ac9e6022432523bbb54504b
    : end

    Try turning on NAT-T

    PIX(config)# isakmp nat-traversal 20

    http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a00807e0aca.shtml#Solution1

    HTH

  • PIX: Cisco VPN Client connects but no routing

    Hello

    We have a Cisco PIX 515 with software 7.1(2). It accepts Cisco VPN Client connections with no problems, but does no routing to the internal networks directly connected to the PIX. For example, my PC is assigned the IP 172.16.2.57 and then the internal Windows server 172.16.0.12 does not respond to ping or to RDP attempts. The most irritating thing is that these attempts are recorded in the system log, but always end with "SYN Timeout", as follows:

    2009-01-06 23:23:01 Local4.Info 217.15.42.214 %PIX-6-302013: Built inbound TCP connection 3315917 for outside:172.16.2.57/1283 (172.16.2.57/1283) to inside:ALAI2/3389 (ALAI2/3389)

    2009-01-06 23:23:31 Local4.Info 217.15.42.214 %PIX-6-302014: Teardown TCP connection 3315917 for outside:172.16.2.57/1283 to inside:ALAI2/3389 duration 0:00:30 bytes 0 SYN Timeout

    2009-01-06 23:23:31 Local4.Debug 217.15.42.214 %PIX-7-609002: Teardown local-host outside:172.16.2.57 duration 0:00:30

    We tried to activate and deactivate "nat-control", "same-security-traffic permit inter-interface" and "same-security-traffic permit intra-interface", but the results are the same: the VPN connection is successfully established, but remote clients cannot reach the internal servers.

    I enclose the relevant configuration in order to understand the problem:

    interface Ethernet0
     speed 100
     duplex full
     nameif outside
     security-level 0
     ip address xx.yy.zz.tt 255.255.255.240
    !
    interface Ethernet1
     nameif inside
     security-level 100
     ip address 172.16.0.1 255.255.255.0
    !
    access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.255.0 172.16.2.56 255.255.255.248
    !
    access-list outside_cryptomap_dyn_20 extended permit ip 172.16.0.0 255.255.255.0 172.16.2.56 255.255.255.248
    !
    access-list VPN_client_group_splitTunnelAcl standard permit 172.16.0.0 255.255.255.0
    !
    ip local pool pool_vpn_clientes 172.16.2.57-172.16.2.62 mask 255.255.255.248
    !
    nat-control
    global (outside) 12 xx.yy.zz.tt
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 12 172.16.0.12 255.255.255.255
    !
    group-policy VPN_clientes internal
    group-policy VPN_clientes attributes
     default-domain value xxyyzz.NET
    group-policy VPN_client_group internal
    group-policy VPN_client_group attributes
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value VPN_client_group_splitTunnelAcl
     default-domain value xxyyzz.local
    !

    I join all the details of the cryptographic algorithms because the VPN is successfully completed, as I said at the beginning. In addition, routing tables are irrelevant in my opinion, because the inaccessible hosts are directly connected to the internal LAN of the PIX 515.

    Thank you very much.

    Can you confirm that the ASA has NAT traversal enabled? Otherwise, enable it on the ASA and have the VPN clients try again.

    PIX/ASA 7.1 and earlier versions

    PIX(config)# isakmp nat-traversal 20

    PIX/ASA 7.2(1) and later versions

    PIX(config)# crypto isakmp nat-traversal 20

  • Cannot ping vpn client of 1721 cli on the tunnel endpoint

    I have a 1721 fortunately supporting ipsec vpn client connections. With one small exception, everything works perfectly fine.

    The VPN pool is 10.10.10.1 - 10.10.10.254

    The internal interface f0 is assigned 192.168.1.254/24.

    In my example:

    Ip address of the VPN client is 10.10.10.5

    The host address of an arbitrary machine on the internal lan is 192.168.1.151

    I am able to ping 192.168.1.151 10.10.10.5

    I'm * not * able to ping 10.10.10.5 192.168.1.254 using the cli on the 1721.

    There is a very good reason to want to solve this problem. I would like to be able to access a tftp server on the client vpn directly from the router in order to download the new startup-config files. Is it possible to get the traffic of vpn-/ tunnel-point endpoint client tftp to travel through the tunnel?

    When you ping from the CLI on the router, the packet will be sourced from the external interface, not from the IP address of the fa0 interface. The VPN client and the router only built a tunnel from the 10.10.10.5 address to the 192.168.1.0 network, so the router will not encrypt a packet whose source is the outside IP address.

    Try an extended ping to 10.10.10.5 with a source of 192.168.1.254 and see if it works. If it does, you will also have to source your TFTP packets from the inside interface, which you can do with:

    ip tftp source-interface fa0

