Does anyone have any experience running L2TP with IPsec & Cisco RAS IPsec (Cisco VPN client)? I am using an ASA 5510 and I can get both of them working perfectly on their own. When I try to combine the two, having them both configured on the ASA, neither of them works. Does anyone know if it’s possible...
Hi Bud
It looks like you're missing your NAT 0. You need to tell your firewall not to NAT your inside range when communicating with your RAS VPN range.
The following commands should do it.
nat (inside) 0 access-list inside_nat0_outbound
access-list inside_nat0_outbound extended permit ip any...
Hi Brent
Thanks a lot, working like a dream now!
I had it all apart from "same-security-traffic permit intra-interface"
amazing what one command can do ;)
thanks again
Aisdale
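A fuller version of the NAT exemption and the intra-interface setting that the two posts above describe, as an added example that is not from the thread or from Cisco. The inside subnet (192.168.1.0/24), the VPN pool (192.168.10.0/24) and the pool name are assumed values. The exemption ACL is scoped to the two subnets rather than `any`, so only traffic destined for remote-access clients bypasses translation.

```cisco
! Constructed example (ASA/PIX 7.x syntax), not taken from the thread.
! Inside LAN 192.168.1.0/24 and remote-access pool 192.168.10.0/24 are assumed.
ip local pool RAS_POOL 192.168.10.1-192.168.10.254 mask 255.255.255.0
!
! Exempt inside -> VPN-pool traffic from NAT. Scoped to the two subnets
! rather than "any" so the exemption cannot quietly widen to other traffic.
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
! Allow traffic to enter and leave on the same (outside) interface, which
! is the line the follow-up post found it was missing.
same-security-traffic permit intra-interface
!
! Checks: the exemption ACL should show hit counts once a client passes
! traffic, and no xlate should be built for inside -> pool flows.
show access-list inside_nat0_outbound
show xlate
```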
sorry
I am confused how your internal host can see the internet without an ACL
access-group inside_access_in in interface outside <-change
access-group inside_access_in in interface INSIDE
First, your static NAT is wrong. Second, you have no access-list for your inside interface.
Copy and paste this; it should sort your issue out.
no static (dmz,inside) 65.xxx.xxx.123 WebServer netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
clear...
If you edit your VPN profile and click on the Transport tab, there is a tickbox called "Allow Local LAN Access".
Try ticking this.
your split tunnel looks fine
Hi people
I have a 515e (hub) and 3 506's (spokes) connecting via a site-to-site VPN. Spokes -> Hub and Hub -> Spokes works perfectly. I just need the Spokes to be able to route between each other as well.
Can someone please point me in the right direction?
Thanks
access-list 101 permit ip any any
capture "WORD" access-list 101 interface inside
show capture "WORD"
That’s how you do a capture - that will basically show you everything hitting the PIX, denied or allowed. Obviously if you know what traffic is going through you can lock it down a bit with...
You'll need to use "nat" instead of "static".
For example, if your remote subnet (other side of VPN) is 10.10.1.0, and you want to NAT an internal host to 10.10.2.100 when it goes across that tunnel:
global (outside) 5 10.10.2.100
nat(inside) 5 access-list 101
access-l 101 permit ip [inside...
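The policy NAT pattern from the post above carried through to a complete fragment, as an added example that is not the poster's configuration or Cisco's. The remote subnet 10.10.1.0/24 and translated address 10.10.2.100 come from the post; the inside host 192.168.1.50, the crypto ACL name and the crypto map name are assumed. The practitioner point it adds is that the crypto ACL has to match the translated address, because NAT is applied before traffic is compared against the crypto map.

```cisco
! Constructed example (PIX/ASA 7.x syntax), not taken from the thread.
! Inside host 192.168.1.50, crypto ACL/map names are assumed values.
!
! Policy NAT: only traffic from the inside host to the remote subnet is
! translated, so the host keeps its real address for everything else.
access-list 101 extended permit ip host 192.168.1.50 10.10.1.0 255.255.255.0
global (outside) 5 10.10.2.100
nat (inside) 5 access-list 101
!
! The crypto ACL must reference the translated address (10.10.2.100),
! not the real one, since NAT runs before the crypto map match.
access-list VPN_TRAFFIC extended permit ip host 10.10.2.100 10.10.1.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC
! (peer, transform-set and ISAKMP policy lines omitted; they are unchanged
!  from a normal site-to-site configuration)
!
! Check: a translation for 192.168.1.50 -> 10.10.2.100 should appear
! once the host sends traffic towards 10.10.1.0/24.
show xlate
```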
I upgraded a PIX 515e from 6.3(4) to 7.2(1) and since the upgrade there has been an issue with mail being delivered to a mail server on the inside of the PIX. The MX record is sitting at the ISP where there is a spam/virus filter then mail is pushed through to the mail server.
Usually there is...
If your Linux box is already a proxy server then your users would just have to have the proxy enabled in their browser for www traffic to route out that machine. This would be a simpler way of doing things without having to do a route-map.
ip access-list extended www_traffic
permit tcp any any eq www
permit tcp any any eq 443
route-map WWW_REDIRECT permit 10
match ip address www_traffic
set interface Ethernet0
set ip next-hop linuxip
interface Ethernet0
ip policy route-map WWW_REDIRECT
Sorry, this too:
ip access-list extended www_traffic
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq ftp-data
permit tcp any any eq ftp
permit udp any any eq domain
permit tcp any any eq domain
If your outside interface of the PIX is connected to a Cisco router you can add a route-map on that device. You will more than likely need to have a "WAN" VLAN on a switch for your 3 devices to plug into (outside of PIX, routerA and routerB).
Example.
route-map WWW_REDIRECT permit 10
match ip...