Friday, June 19, 2009

EZVPN Client and server

In this example the head office (EZVPN server) LAN is 10.1.1.0/24 and the remote office LAN is 10.101.1.0/24.


-----10.1.1.0/24----ASA(EZVPN server)-----internet-----Cisco 800-----10.101.1.0/24

EZVPN server : Cisco ASA 5510


group-policy EASYVPNGroupPolicy internal
group-policy EASYVPNGroupPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage enable
ip-comp disable
re-xauth disable
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value EASYVPN_splitTunnelAcl
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout none
ip-phone-bypass disable
leap-bypass disable
nem enable
backup-servers keep-client-config

! ASA access lists take a subnet mask, not an IOS-style wildcard mask
access-list EASYVPN_splitTunnelAcl extended permit ip 10.1.1.0 255.255.255.0 any

tunnel-group EASYVPNProfile type remote-access
tunnel-group EASYVPNProfile general-attributes
default-group-policy EASYVPNGroupPolicy
tunnel-group EASYVPNProfile ipsec-attributes
pre-shared-key *

crypto ipsec transform-set TRANS esp-3des esp-md5-hmac

crypto dynamic-map easyvpn 100 set transform-set TRANS
crypto dynamic-map easyvpn 100 set security-association lifetime seconds 28800
crypto dynamic-map easyvpn 100 set security-association lifetime kilobytes 4608000
crypto dynamic-map easyvpn 100 set reverse-route

crypto map outside_map 100 ipsec-isakmp dynamic easyvpn
crypto map outside_map interface outside


crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400




EZVPN Client: Cisco 800 series router

Building configuration...

Current configuration : 4899 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname router800
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip domain lookup
!
!
!
username abc privilege 15 secret xyz

!
!
!
crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
!
crypto ipsec client ezvpn ASA
connect auto
group EASYVPNProfile key ezvpn
mode network-extension
peer X.X.X.X
!!! this username and password have to be configured on the ASA
username ezvpnclient1 password ezvpn
xauth userid mode local
!
archive
log config
hidekeys
!
!
!
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no atm ilmi-keepalive
pvc 8/35
pppoe-client dial-pool-number 1
!
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description LAN Interface
ip address 10.101.1.1 255.255.255.0
! needed for the "ip nat inside source list Nat" rule below to take effect
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
crypto ipsec client ezvpn ASA inside
!
interface Dialer0
description Connected to Internet
ip address negotiated
ip mtu 1492
! needed for the "ip nat inside source list Nat" rule below to take effect
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname username
ppp chap password password
ppp pap sent-username username password password
crypto ipsec client ezvpn ASA
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list Nat interface Dialer0 overload
!
ip access-list extended Nat
deny ip 10.101.1.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip 10.101.1.0 0.0.0.255 any
!
no cdp run
!
!
!
control-plane
!
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end

Sunday, May 10, 2009

How to search AD for a particular email address

Open Active Directory Users and Computers, right-click the domain and select Search. Use the drop-down arrow in the Find field to select Custom Search. If you have multiple domains, make sure Entire Directory is selected in the In field. Now click the Advanced tab and enter the following text in the LDAP query box: proxyaddresses=smtp:<email address you are looking for>. Click Find Now; if the address is in use, the user account using it is shown.
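As an added example (not from the original post), this Python snippet does the same lookup programmatically: it builds the proxyAddresses=smtp: filter with RFC 4515 escaping, so a pasted address containing ( ) * or \ cannot change the meaning of the query, and runs the match over a constructed set of accounts to show the case the post is really after, two accounts carrying the same address. The account data is constructed; no directory is contacted.

```python
# Constructed sample of accounts and their proxyAddresses values, as an
# export from Active Directory Users and Computers would list them.
SAMPLE_USERS = [
    ("jsmith",   ["SMTP:john.smith@example.com", "smtp:jsmith@example.com"]),
    ("mbrown",   ["SMTP:mary.brown@example.com", "smtp:sales@example.com"]),
    ("sales-dl", ["SMTP:sales@example.com"]),
]

def escape_ldap_value(value):
    """Escape the characters RFC 4515 reserves inside a filter value, so an
    address typed by a user cannot alter the structure of the query."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch
                   for ch in value)

def proxy_address_filter(address):
    """Build the filter from the post: (proxyAddresses=smtp:<address>)."""
    return "(proxyAddresses=smtp:%s)" % escape_ldap_value(address)

def find_owners(address, users=SAMPLE_USERS):
    """Accounts carrying the address as primary (SMTP:) or secondary (smtp:).
    The prefix case only marks primary vs. secondary, so the comparison is
    case-insensitive, as the directory's own match on this attribute is."""
    want = "smtp:" + address.lower()
    return [name for name, addrs in users if any(a.lower() == want for a in addrs)]

if __name__ == "__main__":
    print(proxy_address_filter("sales@example.com"))
    # Two accounts come back here: an address collision worth fixing.
    print(find_owners("sales@example.com"))
```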

Monday, December 1, 2008

How to restore corrupted system files

Apart from booting the system to a command prompt from a boot CD/floppy, you have the following two options to restore a corrupted system file.

1. Use the sfc utility.
Open a command prompt in Windows and type sfc /scannow. This checks all Windows system files and finds out which ones are corrupted. At the end of the process it will ask for the Windows CD. Put the CD in the drive and it will restore the file for you.

2. Restore the file through msconfig.
Go to Run and type msconfig. In the msconfig window click Expand File. From here you can restore the file.

Thursday, November 20, 2008

Modem in bridge mode - PPPoE configuration for router

Important Points

1. Even if your ISP has assigned you a static IP address, DO NOT configure this IP address on the dialer interface. Use the ip address negotiated command. Once the router has authenticated, it will automatically receive that static IP address.
2. When you leave the modem in bridge mode, leave the DHCP service on the modem ON.
3. Ask your service provider for the authentication method and configure the same on the router. In this example I have used PAP authentication.

Troubleshooting steps
1. Use the debug pppoe events command on the router to watch the session events.
2. If the connection is not working, connect the modem directly to a PC (leaving the modem in bridge mode and the DHCP service on the modem on), set up a PPPoE connection on the PC and test it using your connection credentials.


Building configuration...

Current configuration : 2926 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
dot11 syslog
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
username myname privilege 15 secret 5 $1$4CDH$.3D11txHCBPBAidX/CnW5.
username yourname privilege 15 secret 5 $1$NcnE$mjiu4M0YaY0uksZ5cLrKJ0
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key XYZ address X.X.X.X
!
!
crypto ipsec transform-set aes-sha esp-3des esp-sha-hmac
!
crypto map VPNtoBlacktown 10 ipsec-isakmp
set peer X.X.X.X
set transform-set aes-sha
match address VPN-Traffic
!
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description connected to WAN
no ip address
ip virtual-reassembly
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Vlan1
description connected to LAN
ip address 192.168.250.30 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer0
ip address negotiate
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp authentication pap callin
ppp pap sent-username XYZ password 0 ABC
! the crypto map must be bound to the WAN-facing interface, otherwise the
! VPN-Traffic ACL is never matched and nothing is encrypted
crypto map VPNtoBlacktown
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
no ip http secure-server
ip nat inside source list NAT-Traffic interface Dialer0 overload
!
ip access-list extended NAT-Traffic
deny ip 192.168.250.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 192.168.26.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.250.0 0.0.0.255 any
permit ip 192.168.26.0 0.0.0.255 any
ip access-list extended VPN-Traffic
permit ip 192.168.26.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.250.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
control-plane
!
banner motd ^C
This is the branch router for XYZ.
Access to this system is restricted solely to employees
of XYZ Personnel and authorised service personnel.

************************************************************************
* WARNING: It is a criminal offence to: *
* i. Obtain access to data without authority *
* (Penalty 2 years imprisonment) *
* ii Damage, delete, alter or insert data without authority *
* (Penalty 10 years imprisonment) *
************************************************************************^C
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
login local
transport input all
!
scheduler max-task-time 5000
end
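As an added check (not part of the original posts), the following Python script scans config lines like those in the EZVPN server, EZVPN client and PPPoE router configs above for settings a reviewer would flag today: 3DES and MD5 in the IKE policies and IPsec transform sets, DH group 2, cleartext HTTP management, Telnet accepted on the VTY lines (transport input all) and no service password-encryption. The sample input is constructed from lines of those configs and is not a complete configuration.

```python
import re

# Constructed sample: a handful of lines copied from the ASA and IOS
# configs in the posts above (not a complete configuration).
SAMPLE_CONFIG = """\
no service password-encryption
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set TRANS esp-3des esp-md5-hmac
ip http server
line vty 0 4
 login local
 transport input all
"""

# (regex, reason) pairs; the first matching check wins for a line.
CHECKS = [
    (r"^\s*no service password-encryption\b", "type 0 passwords stored in cleartext"),
    (r"^\s*(encryption|encr)\s+(3des|des)\b", "legacy IKE cipher (3DES/DES)"),
    (r"^\s*hash\s+md5\b", "MD5 as IKE hash"),
    (r"^\s*group\s+[125]\b", "DH group 1/2/5 (modulus below 2048 bits)"),
    (r"^\s*crypto ipsec transform-set\s+\S+\s.*\b(esp-3des|esp-des|esp-md5-hmac)\b",
     "legacy IPsec transform (3DES/DES/MD5)"),
    (r"^\s*ip http server\b", "cleartext HTTP management enabled"),
    (r"^\s*transport input\s+(all|telnet)\b", "Telnet accepted on VTY lines"),
]

def audit_config(text):
    """Return (line_number, stripped_line, reason) for every flagged line."""
    findings = []
    for num, line in enumerate(text.splitlines(), start=1):
        for pattern, reason in CHECKS:
            if re.search(pattern, line):
                findings.append((num, line.strip(), reason))
                break
    return findings

if __name__ == "__main__":
    for num, line, reason in audit_config(SAMPLE_CONFIG):
        print("line %2d: %-50s %s" % (num, line, reason))
```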

Tuesday, July 8, 2008

Security log full - cannot log on

The security log on this system is full. Only administrators can log on to fix the problem.

An attempt to log on remotely is greeted with:

The security log on this system is full.

Only members of the Administrators group can log on when the Security event log cannot be written.

To resolve this issue for the user:

1. Log on to the computer as a member of the Administrators group.

2. Start / Run / eventvwr.msc / OK.

3. Right-click Security and press Properties.

4. Either clear the event log, make it bigger, or check Overwrite events as needed.

5. Press OK.

6. Close the Event Viewer.

Sunday, July 6, 2008

POP3 service stuck in starting state

When the POP3 service is stuck in the starting state, open Task Manager and look for inetinfo.exe.

End this process manually and the POP3 service should be fine now.

Note: inetinfo.exe is used primarily for debugging Microsoft Windows Server Internet Information Services, so start this process again once the POP3 service is in the started state.

Sunday, May 4, 2008

How to configure notification and reporting in Data Protector

1. Create an account in Active Directory called dpadmin. This account should be mail-enabled and IMAP-enabled.
2. Start the Data Protector CRS service using this account. Stop and start the CRS service.
3. Log in to the server using the dpadmin account and set up Outlook Express for the dpadmin account. Check that you can now send and receive emails using Outlook Express.
4. If sending and receiving emails is successful, add the dpadmin username to the admin list in the Data Protector console.
5. Open the following file in Notepad:
\config\server\options\global
Change the following settings:
SMTPSERVER=out going server
smtpsenderaddress= dpadmin@domainname i.e email address
6. Stop and start the DP services.
7. Open Outlook Express, go to Tools -> Accounts and delete all accounts other than the dpadmin mail account.
8. In Outlook Express go to Tools -> Options -> Security and uncheck the option "Warn me when other applications try to send mail as me".
9. Take a backup of \omnirc.tmpl and rename this file to omnirc (without any extension). Add the following line to the file:
OB2_MAPIPROFILE=dpadmin
10. Search for mapi32.dll and check the path of the file. It should be C:\windows\system32. Check the PATH variable and, if this path is not there, add C:\windows\system32.
11. Stop and start the DP services.
12. Testing: open a command prompt and use the following command
Omnirpt -report cell-info -email ravi.parmar@indicium.com.au -exec
13. If it works, open the DP GUI and configure notifications and reports.