VPN: problem pinging a server after configuring a NAT

My VPN worked very well until the customer added an Exchange Server and changed my setup.

Once the customer added the Exchange Server and edited my setup, my VPN started having problems.

I've corrected some of them, but there is still one I cannot fix: I can't ping the Exchange server's local IP address (192.168.1.2).

One thing I noticed is that I can ping 192.168.1.2 if I remove 'ip nat inside source static 192.168.1.2 116.xx.xx.xx extendable'.

Could someone please check the configuration below and advise me.

I would appreciate any kind of suggestion.

Thank you.

version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone msec
service timestamps log datetime localtime show-timezone msec
service password-encryption
service sequence-numbers
!
hostname xxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-3333835941
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3333835941
 revocation-check none
 rsakeypair TP-self-signed-3333835941
!
!
crypto pki certificate chain TP-self-signed-3333835941
 certificate self-signed 01
30820240 308201A 9 A0030201 02020101 300 D 0609 2A 864886 F70D0101 04050030
2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30
69666963 33333333 38333539 6174652D 3431301E 170 3131 30353134 30313034
35315A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D
4F532D53 5369676E 656C662D 43 65727469 66696361 74652 33 33333338 65642D
33353934 3130819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101
810094A 1 7C2D79CE A6BEE368 3EB0B5B7 9A2CFE42 6A 145915 E67EF01D 350558E3
040B 6379 E6360CB3 4 D 0360DA61 184225 AAB44CA5 6BE23D05 55DAA45A 4647 5 FEB
6F143346 6BF18824 EFC3A31F 2A48AD8D 524F2324 EB331E50 8407577F E751DFF2
DD926D88 25 23143 11 C 66750 68267 C 61 C38B62C4 3B16E5AE AC91B2F8 ABA3546D
02 30203 010001A 3 68306630 1 130101 FF040530 030101FF 30130603 0F060355 D
551D 1104 08466172 45617374 50301F06 23 04183016 8014E95E 03551D 0C300A82
66B6A8C2 CF1BD38F 684FD4DF C3854AEB ACA7301D 0603551D 0E041604 14E95E66
B6A8C2CF 1BD38F68 4FD4DFC3 854AEBAC A7300D06 092 HAS 8648 86F70D01 01040500
03818100 6CA43C42 F0116A56 DD0B98B9 05C3BB3C 5B39172A DF35F9B9 12F8534A
75CB8043 60BD9E0A 832ED1A5 7034E6F6 55A522E0 14FBD1E4 16C8D186 72FBAB3E
EE4C0858 C9C9B87D 0449BE9A CB71AB29 A1B0BF18 7DA6CE07 49E40F7D C 32, 66187
310AC5B1 BF8D0D67 B024AFCD 0956FB68 BC385CC1 B6406466 1C1A8AA8 EFBA279C A 546599, 5
  quit
no ip source-route
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.100
ip dhcp excluded-address 192.168.1.201 192.168.1.254
!
ip dhcp pool CCP-pool1
 network 192.168.1.0 255.255.255.0
 domain-name Fareastp
 dns-server 192.168.1.2 165.21.83.88
 default-router 192.168.1.1
!
!
no ip cef
ip name-server 192.168.1.2
ip name-server 165.21.83.88
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn FHK142971LH
!
!
username admin privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
ip tcp synwait-time 10
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
! (the client group name is garbled in the original post)
crypto isakmp client configuration group <group-name>
 key xxxxxxxxx
 dns 192.168.1.2 165.21.83.88
 domain fareastp
 pool SDM_POOL_1
 acl 101
 include-local-lan
 max-users 20
 netmask 255.255.255.0
!
crypto ipsec security-association idle-time 3600
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map DYNVPN 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map clientmap client authentication list ciscocp_vpn_xauth_ml_1
crypto map clientmap isakmp authorization list ciscocp_vpn_group_ml_1
crypto map clientmap client configuration address respond
crypto map clientmap 65535 ipsec-isakmp dynamic DYNVPN
!
!
!
!
!
interface Loopback0
 ip address 192.168.250.99 255.255.255.0
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description WAN $ES_WAN$
 ip address 119.xx.xx.xx 255.255.255.252
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map clientmap
!
interface Vlan1
 description LAN
 ip address 116.xx.xx.xx 255.255.255.240 secondary
 ip address 192.168.1.1 255.255.255.0
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
!
ip local pool SDM_POOL_1 192.168.2.201 192.168.2.254
ip local pool POOL_2 10.10.1.2 10.10.1.200
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static tcp 192.168.1.4 16000 interface FastEthernet4 16000
ip nat inside source static tcp 192.168.1.4 16001 interface FastEthernet4 16001
ip nat inside source static tcp 192.168.1.4 591 interface FastEthernet4 591
ip nat inside source static tcp 192.168.1.4 2399 interface FastEthernet4 2399
ip nat inside source static tcp 192.168.1.4 3306 interface FastEthernet4 3306
ip nat inside source static tcp 192.168.1.4 1433 interface FastEthernet4 1433
ip nat inside source static tcp 192.168.1.4 5353 interface FastEthernet4 5353
ip nat inside source static udp 192.168.1.4 5003 interface FastEthernet4 5003
ip nat inside source list 101 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.2 1723 interface FastEthernet4 1723
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip nat inside source static 192.168.1.2 116.xx.xx.xx extendable
ip route 0.0.0.0 0.0.0.0 119.xx.xx.xx
!
logging trap debugging
access-list 101 remark CCP_ACL Category=22
access-list 101 deny   tcp host 116.xx.xx.81 eq smtp any
access-list 101 deny   tcp host 116.xx.xx.82 eq smtp any
access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.2.192 0.0.0.63
access-list 101 permit ip 192.168.2.192 0.0.0.63 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.2.192 0.0.0.63 host 116.12.248.82
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
!
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Hello

NAT is done before encryption.

So if you want to access the server via its private IP address you must make sure you exclude the traffic to and from the VPN users from being translated (a route-map on the NAT statement is the typical way).

Otherwise move to a DVTI-based solution, which should not be affected by this problem.

Marcin
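As an added example (not from the original post or from Marcin's reply), here is how the route-map approach he describes could be applied to the configuration above. The ACL and route-map names NONAT_ACL and NONAT_RMAP are assumed; the address placeholders are the poster's own. The poster's observation fits the NAT-before-encryption order: the two overload rules already go through ACL 101, whose deny line exempts 192.168.1.0/24 to the VPN pool (192.168.2.192/26 covers SDM_POOL_1), but the one-to-one static entry for 192.168.1.2 carries no such condition. The Exchange server's reply to a VPN client is therefore rewritten to 116.xx.xx.xx before the crypto map on FastEthernet4 sees it, no longer matches the client's IPsec SA, and leaves the router in the clear.

```cisco
! Added example, not the poster's configuration. Names NONAT_ACL and NONAT_RMAP are assumed.
!
! 1. A dedicated ACL that defines what must NOT be translated: LAN hosts talking to
!    addresses handed out from SDM_POOL_1 (192.168.2.201-254, inside 192.168.2.192/26).
!    The deny has to precede the permit; NAT ACLs are evaluated top-down, first match wins.
ip access-list extended NONAT_ACL
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.192 0.0.0.63
 permit ip 192.168.1.0 0.0.0.255 any
!
! 2. A route-map that matches only packets the ACL permits. A packet denied by the ACL
!    falls through the route-map and is forwarded untranslated.
route-map NONAT_RMAP permit 10
 match ip address NONAT_ACL
!
! 3. Re-create the static mapping for the Exchange server with the route-map attached.
!    Inside-to-outside packets are now translated only when NONAT_RMAP matches, so the
!    reply to a VPN client keeps its source 192.168.1.2 and matches the crypto map.
no ip nat inside source static 192.168.1.2 116.xx.xx.xx extendable
ip nat inside source static 192.168.1.2 116.xx.xx.xx extendable route-map NONAT_RMAP
!
! 4. Check from a connected VPN client: ping 192.168.1.2, then on the router confirm that
!    no translation exists for the client's pool address and that the client's IPsec SA
!    packet counters move.
! show ip nat translations | include 192.168.2.
! show crypto ipsec sa | include pkts
! show crypto session
```

The per-port static entries (the tcp/udp lines for 192.168.1.4 and the PPTP 1723 entry for 192.168.1.2) are unaffected, since they only translate the listed ports. ACL 101 is also the split-tunnel list (acl 101 under the client group), where only its permit lines define what the client sends through the tunnel; keeping the NAT exemption in its own ACL avoids the two uses drifting apart when someone later edits one of them.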

Tags: Cisco Security

Similar Questions

  • Problems with outgoing mail / SMTP server after it has worked for a LONG time...

    Recently I started having trouble sending outgoing messages. Before, they went out lickety-split with no problem. Now, once I click SEND, I get the "Send Message" window reading "Status: connected to smtp.primus.ca..." but the progress bar just keeps going and going... rather than telling me the message has been sent.

    Sometimes the email finally gets sent, after spending what feels like FOREVER in "Sending E-mail"; sometimes the email is not sent at all and I get the message "Send Message failed. The message could not be sent using SMTP server smtp.primus.ca for an unknown reason. Check that your SMTP server settings are correct and try again, or contact your network administrator."

    I looked at my SMTP settings and noticed that Primus's help says the outgoing server port is 465, while mine has been set (and has worked forever) to 25. I also noticed that the Primus help says connection security should be set to SSL/TLS, while mine has been set (and has worked forever) to None. I made these changes (first just the port number, then both) but this did not solve the problem.

    I've recently updated Thunderbird to 31.7.0 and I think these issues MAY coincide with this update, but I am not sure of the timing. If so, is it possible to go back to the old version of Thunderbird, or to get past this some other way? If the update is not the cause, does anyone have an idea why this would suddenly be a problem with Thunderbird?

    Or should I contact Primus technical support and try to sort it out with them?

    Thanks a lot for listening.

    Your anti-virus got an update. We get a rash of these every time Thunderbird updates. The cause is always an anti-virus program, usually Norton or Avira, but they all get a mention.

  • Problem with ping over VPN, Cisco 877

    Hi all!

    I have a working VPN between a Fortigate and a Cisco.

    I have a problem pinging the network behind the Cisco from the network behind the Forti.

    When I ping the Cisco's vlan2 interface (192.168.252.1) there is no problem, but I can't ping a server in vlan2 (192.168.252.2) behind the Cisco.

    However, from the Cisco I can ping the server. On the Forti I see that pings to the vlan2 interface and to the server in vlan2 take the same path, and I can see the packets.

    I'm posting my config; can you see what is blocking the ping from 10.41.2.36 to 192.168.252.2 while the ping to 192.168.252.1 is OK?

    IPSEC#show run
    Building configuration...

    Current configuration : 3302 bytes
    !
    ! Last configuration change at 14:42:17 CEDT Fri Jun 25 2010
    ! NVRAM config last updated at 14:42:23 CEDT Fri Jun 25 2010
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime localtime show-timezone
    service password-encryption
    !
    hostname IPSEC
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 1000000
    enable secret 5 abdellah
    !
    no aaa new-model
    clock timezone GMT 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    !
    !
    dot11 syslog
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.254.0 192.168.254.99
    ip dhcp excluded-address 192.168.254.128 192.168.254.255
    !
    ip dhcp pool DHCP
     network 192.168.254.0 255.255.255.0
     default-router 192.168.254.254
     dns-server A.A.A.A B.B.B.B
    !
    !
    no ip domain lookup
    ip name-server A.A.A.A
    ip name-server B.B.B.B
    !
    !
    !
    !
    !
    crypto isakmp policy 1
     encr aes 256
     authentication pre-share
     group 5
    crypto isakmp key ciscokey address IP_forti
    !
    !
    crypto ipsec transform-set vpntest esp-aes 256 esp-sha-hmac
    !
    crypto map myvpn 10 ipsec-isakmp
     set peer IP_forti
     set transform-set vpntest
     match address 101
    !
    archive
     log config
      hidekeys
    !
    !
    !
    !
    !
    interface Tunnel0
     ip address 2.2.2.1 255.255.255.252
     tunnel source Dialer0
     tunnel destination IP_forti
     crypto map myvpn
    !
    interface ATM0
     bandwidth 320
     no ip address
     load-interval 30
     no atm ilmi-keepalive
     dsl operating-mode auto
    !
    interface ATM0.1 point-to-point
     mtu 1492
     bandwidth 160
     pvc 8/35
      vbr-nrt 160 160
      pppoe-client dial-pool-number 1
    !
    !
    interface FastEthernet0
     switchport access vlan 2
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
     switchport access vlan 2
    !
    interface Vlan1
     ip address 192.168.20.253 255.255.255.0
     ip nat inside
     no ip virtual-reassembly
    !
    interface Vlan2
     ip address 192.168.252.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
    !
    interface Dialer0
     bandwidth 128
     ip address negotiated
     ip nat outside
     no ip virtual-reassembly
     encapsulation ppp
     load-interval 30
     dialer pool 1
     dialer-group 1
     keepalive 1 2
     ppp authentication chap callin
     ppp chap hostname [email protected]
     ppp chap password 7 abdelkrim
     crypto map myvpn
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip route 10.41.2.32 255.255.255.240 Tunnel0
    !
    no ip http server
    no ip http secure-server
    ip dns server
    ip nat translation tcp-timeout 5400
    no ip nat service sip udp port 5060
    ip nat inside source list NAT interface Dialer0 overload
    !
    ip access-list standard BROADCAST
     permit 0.0.0.0
     deny   any
    !
    ip access-list extended NAT
     permit ip any host IP_cisco
     deny   ip 192.168.252.0 0.0.0.255 10.41.2.32 0.0.0.31
    !
    access-list 101 permit ip 192.168.252.0 0.0.0.255 10.41.2.32 0.0.0.31
    snmp-server community public RO
    snmp-server community 3 RW 99
    snmp-server community a RO
    snmp-server community oneCommunityRead RO
    no cdp run
    !
    !
    !
    control-plane
    !
    !
    line con 0
     password 7 abdelkrim
     login
     no modem enable
    line aux 0
    line vty 0 4
     password 7 aaaaa
     login
     escape-character 5
    !
    scheduler max-task-time 5000
    ntp clock-period 17175037
    ntp server B.B.B.B
    ntp server A.A.A.A

    end

    Alex,

    This is your GRE tunnel:

    interface Tunnel0
     ip address 2.2.2.1 255.255.255.252
     tunnel source Dialer0
     tunnel destination IP_forti
     crypto map myvpn

    You also have routing set through it.

    You don't need a GRE tunnel, nor the route to the tunnel, if you just want an IPsec tunnel.

  • I have problems with my Apple ID when downloading applications; it says that my Apple ID has not yet been used in the iTunes Store

    I have problems with my Apple ID when downloading applications; it says that my Apple ID has not yet been used in the iTunes Store

    What exactly is the problem? Are you also being asked to review the account and enter payment details? If you did, were your details accepted? If they were, you should be able to remove them afterwards.

  • I have problems setting up my Gmail in my Lightroom 6 mL; where do you think I could get help for this?

    I have problems setting up my Gmail in my Lightroom 6 mL; where do you think I could get help for this?

    Hi kikikilala,

    Please explain the problem you are facing connecting Gmail with Lightroom.

    Try re-authorizing your Gmail account in Lightroom and see if that helps.

    Refer to: Gmail validation failure

    Kind regards

    Assani

  • I have a problem with my account. I updated my subscription on 27/08/2015 and my Photoshop is blocked, because the renewal date is 22/09/2015. I need it urgently. What do I do? Thank you

    I have a problem with my account. I updated my subscription on 27/08/2015 and my Photoshop is blocked, because the renewal date is 22/09/2015. I need it urgently. What do I do? Thank you

    Hi Camila,

    You will need to contact support by phone/chat for this request.

    Contact customer service

    * Be sure to be signed in with your Adobe ID before accessing the link above. *

    Kind regards

    Sheena

  • I have a problem with Muse files when I work at home on my laptop and then open the files again at work on my iMac.

    I have a problem with Muse files when I work at home on my laptop and then open the files again at work on my iMac.

    What I do: when I work on the laptop I save the files on the laptop, then on my external hard drive. Then, when I'm at work, I open them from the drive, but Muse says every time that many links in the 'Assets' panel are missing. And it takes a lot of time to relink all the missing links. Today I had to open a Muse file from the external hard drive, and about 100 links were missing.

    How can I solve this problem?

    The best thing, if you are a Creative Cloud user, is to store the files in a folder in your Cloud account instead of transferring the files from one computer to another.

    If you are not a CC subscriber then Dropbox or iCloud will work as well.

  • I have a problem with my iPhone 6s: when I want to download from the App Store or go to online games I just get error code 1009. I don't know what to do. Please help; my iOS is 9.3

    I have a problem with my iPhone 6s: when I want to download or go online over Wi-Fi an error comes up (code 1009). Please help, I don't know what to do.

    Error 1009 means that you are trying to download from the App Store in a country other than the one you are located in, or from a different App Store than the one your account belongs to. That error can also mean that you are in a country that is blocked.

    In which country are you physically located? In which country is your iTunes account? Which country's App Store/iTunes Store are you trying to download from? What VPN do you use?

  • Hello, I have a problem with my site and Mozilla. Google Chrome, Safari, Explorer and Opera work OK. Does Mozilla have a problem with images?

    Hello, I have a problem with my site and Mozilla. Google Chrome, Safari, Explorer and Opera work OK. I have SobiPro for both the company logos and images, and they don't work!
    When I try to open the URL it is this: http://www.athens-dayandnight.gr/images/sobipro/entries/288/587_img.jpg

    With Mozilla it is the following: /images/sobipro/entries\288\587_img.jpg; when I change the \ to / it works.

    Any idea?

    Thank you

    Hello, URLs that contain \ in their path are not valid. Firefox is less tolerant of errors in this respect than other browsers.
    Correct the path to http://www.athens-dayandnight.gr/images/sobipro/entries/288/587_img.jpg in the source code of the site, or if you don't control the site, contact its webadmin to do it...

  • Having problems with hardware-accelerated rendering: fonts look terrible

    I'm having problems with hardware-accelerated rendering (integrated GPU: AMD 760G) since one of the latest Nightly updates; fonts look terrible http://i.imgur.com/kWnySVv.png

    Note that the gfx.content.azure.enabled pref no longer has an effect; you can try to disable Direct2D by setting the pref gfx.direct2d.disabled to true on the about:config page and leave hardware acceleration enabled otherwise.

    See also comment 414 in bug 812695:

    This way you still have the advantage of hardware acceleration, but don't suffer the rendering problems.

  • HP 470 G3 laptop: I have a problem with Multimedia Audio Controller

    I have installed Windows 7 Ultimate 64-bit on my laptop and installed all the drivers, but I cannot install one for sound and can't find it. I have a problem with Multimedia Audio Controller; I tried to auto-update, but it does not work. Please help me guys.

    Thank you

    I recommend that you contact HP technical support and open a case under warranty.

  • I have a problem with my iPhone 5: it has no 4G, only 3G. In Sweden, in Malmö, 4G works... can someone help me please...

    I have a problem with my iPhone 5: it has no 4G, only 3G. In Sweden, in Malmö, 4G works... can someone help me please...

    Where did you buy this phone? Has 4G ever worked on this phone? What did the carrier say when you contacted them? What troubleshooting have you tried?

  • Satellite Pro A120: I have problems with the installation of the graphics driver for W2k

    I installed Windows 2000 on an A120. The system is fully service-packed and updated before I even start to install the necessary drivers, but then I am unable to restart the system. Once I install the drivers as recommended, I have problems with the graphics driver because it will not install, since it requires a reboot, and then I can't install new programs that require a restart because the driver has not been installed correctly.

    The laptop is a Pro A120, 1 week old, and came with XP Home; because I changed the OS Toshiba will not offer me support, even though they obviously support 2000 on this laptop, since they provide the drivers.

    Any ideas would be greatly appreciated.

    Hello

    Did you use and install the drivers from the Toshiba driver page?
    The Toshiba W2k drivers for the Satellite Pro A120 have been published and are ready!

    But please pay attention to the Toshiba drivers.
    There are two different Satellite Pro A120 models, with different W2k drivers!
    After choosing the right laptop and downloading the drivers, please follow the proper installation order given in the "installation instructions" document. Check it!

    I think that if you follow this guideline everything will work and run correctly. Good luck

  • I have problems with the mail (El Capitan)

    I have problems with the mail

    See Writing an effective Apple Support Communities question.

    Without knowing what these problems are there is no way we can really help you.

    Try this:

    Start the computer in Safe Mode, then restart normally. It will be slower than a normal startup.

    Intel Mac: Reset the System Management Controller (SMC)

    Reset the PRAM and NVRAM on your Mac.

    Repair the hard drive and permissions - El Capitan

    Start from Recovery HD:

    Restart the computer and after the chime, press and hold COMMAND and R until the menu screen appears.

    Repair

    When the recovery menu appears, select Disk Utility and press the Continue button. Disk Utility loads; select the Macintosh HD entry indented from the list on the left. Click the First Aid tab in the toolbar. If Disk Utility reports any errors that have been corrected, then re-run First Aid until no errors are reported. Wait until the operation is complete, then quit Disk Utility and return to the main menu. Select Restart from the Apple menu.

    Now, download and reinstall OS X El Capitan 10.11.3 Combo Update.

  • Skype has problems with recognition of Japanese characters.

    Good afternoon

    My Skype client has problems displaying Japanese characters everywhere in the client except the menu bar. I tried to change the fonts in the IM appearance options, but without effect. It's strange to me, because after installation these characters were correctly displayed by the client.

    Thank you in advance for your help.

    Maybe the regional settings are not correctly configured in your Windows.
