Solved

Home VPN users connecting to a Cisco 1811 router cannot access workplace network resources

Posted on 2006-11-01
Last Modified: 2008-01-09
I'm not a Cisco tech by a long shot (liberal arts major).  After researching Cisco's site and Experts Exchange for the last month or so, I've reached the limit on what I'm able to get working on this router.  So far I've got load balancing, fail over, port forwarding, firewalls, and access lists working but I can't get this VPN to function correctly.

Users can connect successfully to the VPN server being hosted on the Cisco router, but are not able to access network shares (Windows XP network, no domain as of yet, attempting via \\IP address\folder) or the workplace LAN ftp server (attempting to connect to 192.168.1.99 once logged in to VPN).  They also can't browse the internet when connected to the VPN (not even able to ping 4.2.2.1).

VPN users are at the very least able to ping workplace computers and vice versa, so there is at least some communication.  Below is my Cisco config.

Thanks in advance.

Building configuration...

Current configuration : 11294 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 xxxxx
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_mac1
 server 192.168.1.1 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods1 group rad_mac1
aaa authentication login userauthen local
aaa authorization ipmobile default group rad_pmip
aaa authorization network groupauthor local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.1.126 192.168.1.254
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.1.0 255.255.255.0
   dns-server 192.168.1.99
   default-router 192.168.1.1
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server 192.168.1.99
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect log drop-pkt
ip inspect max-incomplete low 100
ip inspect max-incomplete high 200
ip inspect one-minute low 100
ip inspect one-minute high 200
ip inspect udp idle-time 15
ip inspect dns-timeout 2
ip inspect tcp idle-time 600
ip inspect tcp synwait-time 10
ip inspect name CBAC cuseeme
ip inspect name CBAC dns
ip inspect name CBAC h323
ip inspect name CBAC https
ip inspect name CBAC icmp
ip inspect name CBAC imap reset
ip inspect name CBAC pop3 reset
ip inspect name CBAC netshow
ip inspect name CBAC rcmd
ip inspect name CBAC realaudio
ip inspect name CBAC rtsp
ip inspect name CBAC esmtp
ip inspect name CBAC sqlnet
ip inspect name CBAC streamworks
ip inspect name CBAC tftp
ip inspect name CBAC vdolive
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC ftp
ip inspect name CBAC sip
ip inspect name CBAC appleqtc
!
!
crypto pki trustpoint TP-self-signed-3729953927
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3729953927
 revocation-check none
 rsakeypair TP-self-signed-3729953927
!
!
crypto pki certificate chain TP-self-signed-3729953927
 certificate self-signed 01
  quit
username USER privilege 15 secret 5 xxxxx
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group 3000client
 key xxxxx
 dns 192.168.1.99
 pool ippool
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 1
 set transform-set myset
 reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 65535 ipsec-isakmp dynamic dynmap
!
bridge irb
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
 ip address 128.x.x.x 255.255.255.0
 ip access-group 102 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect CBAC out
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1415
 duplex auto
 speed auto
 crypto map clientmap
!
interface FastEthernet1
 description $ETH-WAN$$FW_OUTSIDE$
 ip address 192.168.2.49 255.255.255.0
 ip access-group 103 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect CBAC out
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1415
 duplex auto
 speed auto
!
interface FastEthernet2
 spanning-tree portfast
!
interface FastEthernet3
 spanning-tree portfast
!
interface FastEthernet4
 spanning-tree portfast
!
interface FastEthernet5
 spanning-tree portfast
!
interface FastEthernet6
 spanning-tree portfast
!
interface FastEthernet7
 spanning-tree portfast
!
interface FastEthernet8
 spanning-tree portfast
!
interface FastEthernet9
 spanning-tree portfast
!
interface Dot11Radio0
 no ip address
 !
 ssid ubtrio
    authentication open mac-address mac_methods1
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 !
 ssid ubtrio
    authentication open mac-address mac_methods1
 !
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$FW_INSIDE$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1412
!
ip local pool ippool 192.168.3.1 192.168.3.254
ip route 0.0.0.0 0.0.0.0 128.x.x.x
ip route 0.0.0.0 0.0.0.0 192.168.2.1
!
ip flow-top-talkers
 top 10
 sort-by bytes
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map RMAP-WAN0 interface FastEthernet0 overload
ip nat inside source route-map RMAP-WAN1 interface FastEthernet1 overload
ip nat inside source static tcp 192.168.1.99 20 192.168.2.49 20 extendable
ip nat inside source static tcp 192.168.1.99 21 192.168.2.49 21 extendable
!
logging trap debugging
access-list 1 remark HTTP Access-class list
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 deny   any
access-list 100 remark VTY Access-class list
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 deny   ip any any
access-list 101 remark SDM_ACL Category=1
access-list 101 deny   ip 128.x.x.x 0.0.0.255 any
access-list 101 deny   ip 192.168.2.0 0.0.0.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark SDM_ACL Category=1
access-list 102 permit udp any host 128.x.x.x eq isakmp log
access-list 102 permit esp any host 128.x.x.x log
access-list 102 deny   ip 192.168.1.0 0.0.0.255 any
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip any any log
access-list 103 remark SDM_ACL Category=1
access-list 103 permit tcp host 192.168.2.101 host 192.168.2.49 eq ftp
access-list 103 permit tcp host 192.168.2.101 host 192.168.2.49 eq ftp-data
access-list 103 deny   ip 192.168.1.0 0.0.0.255 any
access-list 103 deny   ip 10.0.0.0 0.255.255.255 any
access-list 103 deny   ip 172.16.0.0 0.15.255.255 any
access-list 103 deny   ip 192.168.0.0 0.0.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip host 0.0.0.0 any
access-list 103 deny   ip any any log
access-list 120 deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
!
!
!
route-map RMAP-WAN1 permit 10
 match ip address 120
 match interface FastEthernet1
!
route-map RMAP-WAN0 permit 10
 match ip address 120
 match interface FastEthernet0
!
!
!
radius-server local
  nas 192.168.1.1 key 7 09594C1D0B0C18
  group VPN_Users
  !
  user 0014bfd84f23 nthash 7 112B3D2346472F2D227D787379166375365534515506017C02722F214D44000C0E mac-auth-only
  user 0012f0ae1286 nthash 7 06552C03156D514121434A2A5A53720A717961600135213352250E010C02752A52 mac-auth-only
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.1.1 auth-port 1812 acct-port 1813 key 7 06130D355E4706
radius-server vsa send accounting
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 transport output telnet
line vty 0 4
 access-class 100 in
 privilege level 15
 transport input telnet ssh
line vty 5 15
 access-class 100 in
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

Question by:Trublu182
8 Comments
 

Author Comment

by:Trublu182
Anyone?
 
LVL 77

Expert Comment

by:Rob Williams
Trublu182, you might want to post a pointer question in the Routers topic area as the Cisco experts tend to congregate there:
http://www.experts-exchange.com/Hardware/Routers/

Pointer question explanation:
http://www.experts-exchange.com/help.jsp#hi262

--Rob
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
We hang out everywhere. . . <8-}

>VPN users are at the very least able to ping workplace computers and vice versa
This means that your VPN is working - sort of. Nice job getting everything to work by yourself, but I do have some suggestions:

>but are not able to access network shares
This is a pure Netbios issue. Assuming that the clients are all XP you have to enable Netbios and you have to have a hosts or preferably a LMHOSTS file on the VPN client computers that list the computers that they want to connect to.

>attempting to connect to 192.168.1.99 once logged in to VPN
This is not a netbios issue, it's something else... If VPN clients can ping the ftp server, they should be able to connect to it. Can they ping it?

>They also can't browse the internet when connected to the VPN, not even able to ping to 4.2.2.1
Enable split-tunneling:
  access-list 199 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
      crypto isakmp client configuration group 3000client
         acl 199

>access-list 102 permit udp any host 128.x.x.x eq isakmp log
>access-list 102 permit esp any host 128.x.x.x log
In these acl entries, you're not allowing UDP 4500 for use by clients behind NAT routers, or the VPN tunnel traffic. Add the following:
  access-list 102 permit udp any host 128.x.x.x eq 4500
  access-list 102 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

>route-map RMAP-WAN0 permit 10
> match ip address 120
> match interface FastEthernet0 <== you don't need this match condition.
 
>interface BVI1
> description $ES_LAN$$FW_INSIDE$
>   ip address 192.168.1.1 255.255.255.0  <== this could be part of the problem
I say this because the VAST majority of home users that will be using the VPN *also* have 192.168.1.x as their home network. Unless you want every potential VPN client to go home and change their network (and many hotels, hotspots, etc), you're going to continue to have multiple issues with the client having the same local LAN and remote LAN IP subnets. I *highly* recommend just biting the bullet now and changing your local LAN IP subnet to something less likely to be used by remote users - perhaps 192.168.199.0
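
An added example, not part of lrmoore's post: a first-match evaluator run over the two versions of ACL 102 that appear in this thread, showing that NAT-T (UDP 4500) from a client behind a NAT router falls through to the final deny in the original list and matches `non500-isakmp` in the later one. The thread elides the router's outside address, so 203.0.113.10 stands in for it; the client address and all function names are constructed for this example.

```python
import ipaddress

# The thread elides the router's outside address (128.x.x.x / 128.95.X.X).
# OUTSIDE and CLIENT are constructed documentation addresses, not from the thread.
OUTSIDE = "203.0.113.10"
CLIENT = "198.51.100.7"

# ACL 102 as first posted, with the elided address written as OUTSIDE.
ORIGINAL_102 = """
access-list 102 permit udp any host OUTSIDE eq isakmp log
access-list 102 permit esp any host OUTSIDE log
access-list 102 deny   ip 192.168.1.0 0.0.0.255 any
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip any any log
"""

# ACL 102 from the later configuration posted in the thread.
REVISED_102 = """
access-list 102 permit ahp any host OUTSIDE
access-list 102 permit esp any host OUTSIDE
access-list 102 permit udp any host OUTSIDE eq isakmp
access-list 102 permit udp any host OUTSIDE eq non500-isakmp
access-list 102 permit tcp any host OUTSIDE eq 10000
access-list 102 permit icmp any host OUTSIDE echo-reply
access-list 102 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 deny   ip any any log
"""

PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}


def addr_spec(tokens):
    """Consume one address spec; return ((base, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    base = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return (base, wild), tokens[2:]


def parse_acl(text, outside=OUTSIDE):
    """Parse numbered extended ACL lines into an ordered list of rule dicts."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.replace("OUTSIDE", outside).split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        action, proto, rest = tok[2], tok[3], tok[4:]
        src, rest = addr_spec(rest)
        dst, rest = addr_spec(rest)
        port, icmp_type = None, None
        if rest and rest[0] == "eq":
            port = PORT_NAMES.get(rest[1]) or int(rest[1])
        elif proto == "icmp" and rest and rest[0] != "log":
            icmp_type = rest[0]
        rules.append({"line": " ".join(tok), "action": action, "proto": proto,
                      "src": src, "dst": dst, "port": port, "icmp_type": icmp_type})
    return rules


def hit(spec, ip):
    """Wildcard-mask comparison: bits set in the wildcard are ignored."""
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (base & care)


def evaluate(rules, pkt):
    """Return (action, matching line) for the first rule that matches pkt."""
    for r in rules:
        if r["proto"] != "ip" and r["proto"] != pkt["proto"]:
            continue
        if not (hit(r["src"], pkt["src"]) and hit(r["dst"], pkt["dst"])):
            continue
        if r["port"] is not None and r["port"] != pkt.get("dport"):
            continue
        if r["icmp_type"] is not None and r["icmp_type"] != pkt.get("icmp_type"):
            continue
        return r["action"], r["line"]
    return "deny", "(implicit deny)"


# Constructed sample packets arriving on the outside interface.
SAMPLES = {
    "IKE (UDP 500)": {"proto": "udp", "src": CLIENT, "dst": OUTSIDE, "dport": 500},
    "NAT-T (UDP 4500)": {"proto": "udp", "src": CLIENT, "dst": OUTSIDE, "dport": 4500},
    "ESP": {"proto": "esp", "src": CLIENT, "dst": OUTSIDE},
}


def compare():
    """Return {sample name: (action under original ACL, action under revised ACL)}."""
    old, new = parse_acl(ORIGINAL_102), parse_acl(REVISED_102)
    return {n: (evaluate(old, p)[0], evaluate(new, p)[0]) for n, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:18} original={before:6} revised={after}")
```
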
 

Author Comment

by:Trublu182
Many thanks for your input and my apologies for the lateness in my reply.  I had been pulled off this project to finish another one.  I'm now back to working with the Cisco router and will undertake the suggested modifications and suggestions to my config.  I'll report back the results.  Again, many thanks for your time.

Author Comment

by:Trublu182
I removed as much of the firewalls as I could to make sure it wasn't blocking anything important.  Here is my current config:


Building configuration...

Current configuration : 10466 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 XXX
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_mac1
 server 192.168.1.1 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods1 group rad_mac1
aaa authentication login userauthen local
aaa authorization ipmobile default group rad_pmip
aaa authorization network groupauthor local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.1.126 192.168.1.254
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.1.0 255.255.255.0
   dns-server 192.168.1.99
   default-router 192.168.1.1
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server 192.168.1.99
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect log drop-pkt
ip inspect max-incomplete low 100
ip inspect max-incomplete high 200
ip inspect one-minute low 100
ip inspect one-minute high 200
ip inspect udp idle-time 15
ip inspect dns-timeout 2
ip inspect tcp idle-time 600
ip inspect tcp synwait-time 10
ip inspect name CBAC cuseeme
ip inspect name CBAC dns
ip inspect name CBAC h323
ip inspect name CBAC https
ip inspect name CBAC icmp
ip inspect name CBAC imap reset
ip inspect name CBAC pop3 reset
ip inspect name CBAC netshow
ip inspect name CBAC rcmd
ip inspect name CBAC realaudio
ip inspect name CBAC rtsp
ip inspect name CBAC esmtp
ip inspect name CBAC sqlnet
ip inspect name CBAC streamworks
ip inspect name CBAC tftp
ip inspect name CBAC vdolive
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC ftp
ip inspect name CBAC sip
ip inspect name CBAC appleqtc
!
!
crypto pki trustpoint TP-self-signed-3729953927
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3729953927
 revocation-check none
 rsakeypair TP-self-signed-3729953927
!
!
crypto pki certificate chain TP-self-signed-3729953927
 certificate self-signed 01
  XXX
username XXX privilege 15 secret 5 XXX
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpngroup
 key XXX
 dns 192.168.1.99
 pool ippool
 include-local-lan
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 1
 set transform-set myset
 reverse-route
!
!
crypto map dynmap client authentication list userauthen
crypto map dynmap isakmp authorization list groupauthor
crypto map dynmap client configuration address respond
crypto map dynmap 65535 ipsec-isakmp dynamic dynmap
!
bridge irb
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
 ip address 128.95.X.X 255.255.255.0
 ip access-group 102 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect CBAC out
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1415
 duplex auto
 speed auto
 crypto map dynmap
!
interface FastEthernet1
 description $ETH-WAN$$FW_OUTSIDE$
 ip address 192.168.2.49 255.255.255.0
 ip access-group 103 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect CBAC out
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1415
 duplex auto
 speed auto
!
interface FastEthernet2
 spanning-tree portfast
!
interface FastEthernet3
 spanning-tree portfast
!
interface FastEthernet4
 spanning-tree portfast
!
interface FastEthernet5
 spanning-tree portfast
!
interface FastEthernet6
 spanning-tree portfast
!
interface FastEthernet7
 spanning-tree portfast
!
interface FastEthernet8
 spanning-tree portfast
!
interface FastEthernet9
 spanning-tree portfast
!
interface Dot11Radio0
 no ip address
 !
 ssid ubtrio
    authentication open mac-address mac_methods1
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 !
 ssid ubtrio
    authentication open mac-address mac_methods1
 !
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$FW_INSIDE$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1412
!
ip local pool ippool 192.168.3.1 192.168.3.254
ip route 0.0.0.0 0.0.0.0 128.95.X.X
ip route 0.0.0.0 0.0.0.0 192.168.2.1
!
ip flow-top-talkers
 top 10
 sort-by bytes
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map RMAP-WAN0 interface FastEthernet0 overload
ip nat inside source route-map RMAP-WAN1 interface FastEthernet1 overload
ip nat inside source static tcp 192.168.1.99 20 192.168.2.49 20 extendable
ip nat inside source static tcp 192.168.1.99 21 192.168.2.49 21 extendable
!
logging trap debugging
access-list 1 remark HTTP Access-class list
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 deny   any
access-list 100 remark VTY Access-class list
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 deny   ip any any
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ahp any host 128.95.X.X
access-list 102 permit esp any host 128.95.X.X
access-list 102 permit udp any host 128.95.X.X eq isakmp
access-list 102 permit udp any host 128.95.X.X eq non500-isakmp
access-list 102 permit tcp any host 128.95.X.X eq 10000
access-list 102 permit icmp any host 128.95.X.X echo-reply
access-list 102 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 deny   ip any any log
access-list 103 remark SDM_ACL Category=1
access-list 103 permit tcp host 192.168.2.101 host 192.168.2.49 eq ftp
access-list 103 permit tcp host 192.168.2.101 host 192.168.2.49 eq ftp-data
access-list 120 deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
!
!
!
route-map RMAP-WAN1 permit 10
 match ip address 120
 match interface FastEthernet1
!
route-map RMAP-WAN0 permit 10
 match ip address 120
 match interface FastEthernet0
!
!
!
radius-server local
  nas 192.168.1.1 key 7 09594C1D0B0C18
  group VPN_Users
  !
  user 0014bfd84f23 nthash 7 112B3D2346472F2D227D787379166375365534515506017C02722F214D44000C0E mac-auth-only
  user 0012f0ae1286 nthash 7 1541282E5D09737C0C676D0345504E2254070B0D70722826493201000302737105 mac-auth-only
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.1.1 auth-port 1812 acct-port 1813 key 7 06130D355E4706
radius-server vsa send accounting
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 transport output telnet
line vty 0 4
 access-class 100 in
 privilege level 15
 transport input telnet ssh
line vty 5 15
 access-class 100 in
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

>>but are not able to access network shares
>This is a pure Netbios issue. Assuming that the clients are all XP you have to enable Netbios and you have to have a hosts or preferably a LMHOSTS file on the VPN client computers that list the computers that they want to connect to.

I have enabled Netbios on all the XP clients, (right click network places properties, properties for NIC, click TCP-IP , choose properties, choose advanced, tab to WINS, clicked Enable Netbios over TCP-IP (did this for all NICs on the client, including the Cisco adapter)) but still no go on accessing the shares.  Though I'm not sure if it's a Netbios problem to begin with because I'm not trying to access clients via hostname, but by IP address.  My method of testing is going to start, run, and then typing \\192.168.1.99.  Also, is the function of an LMHosts file only to resolve a hostname to an IP?  So far I'll be glad if I could just access the bloody machine and worry about resolving later.

>>attempting to connect to 192.168.1.99 once logged in to VPN
>This is not a netbios issue, it's something else... If VPN clients can ping the ftp server, they should be able to connect to it. Can they ping it?

Yes VPN clients can ping the FTP server, however I discovered something interesting.  When I removed the lines
ip nat inside source static tcp 192.168.1.99 20 192.168.2.49 20 extendable
ip nat inside source static tcp 192.168.1.99 21 192.168.2.49 21 extendable
VPN clients were able to finally connect to the FTP server.  Unfortunately, my server won't be able to receive connections from the 192.168.2.0 network if I remove those lines.  Once I put those lines back, then the FTP server can receive connections again from the 192.168.2.0 network, but VPN clients (192.168.3.0) simply time out again.  Clients on the internal 192.168.1.0 network are able to connect to the FTP server just fine.

I'm guessing with Cisco I can have either one way or the other, but not both.

>>They also can't browse the internet when connected to the VPN, not even able to ping to 4.2.2.1
>Enable split-tunneling:
>  access-list 199 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
>      crypto isakmp client configuration group 3000client
>         acl 199

When I enable split tunneling, clients are able to browse the internet again.  However I've read here that enabling split-tunneling is a major security risk.  Would it be possible to have clients browse the internet through the VPN, as opposed to the clients using their internet connections?  Though it would be slower, at the very least it would not necessitate having to enable split-tunneling.

>>route-map RMAP-WAN0 permit 10
>> match ip address 120
>> match interface FastEthernet0 <== you don't need this match condition.

When I removed that line (match interface FastEthernet0), my router completely lost access to the internet.  Did I do something wrong?

>>access-list 102 permit udp any host 128.x.x.x eq isakmp log
>>access-list 102 permit esp any host 128.x.x.x log
>In these acl entries, you're not allowing UDP 4500 for use by clients behind NAT routers, or the VPN tunnel traffic. Add the following:
>  access-list 102 permit udp any host 128.x.x.x eq 4500
>  access-list 102 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

When I added the line (access-list 102 permit udp any host 128.x.x.x eq 4500), cisco replaced it with this line
access-list 102 permit udp any host 128.95.X.X eq non500-isakmp
Is this correct?

>>interface BVI1
>> description $ES_LAN$$FW_INSIDE$
>>   ip address 192.168.1.1 255.255.255.0  <== this could be part of the problem
>I say this because the VAST majority of home users that will be using the VPN *also* have 192.168.1.x as their home network. Unless you want every potential VPN client to go home and change their network (and many hotels, hotspots, etc), you're going to continue to have multiple issues with the client having the same local LAN and remote LAN IP subnets. I *highly* recommend just biting the bullet now and changing your local LAN IP subnet to something less likely to be used by remote users - perhaps 192.168.199.0

Many thanks for the heads up.  I too was baffled when I first arrived at my job to see that the internal network here uses such a common subnet.  I'll make sure to change the subnet once I get this router working, for now though it shouldn't be a problem.  I've made sure that my test VPN clients all are connecting from outside IPs (128.X. etc etc) not internal IPs that match the internal network (192.168.1.0) of the router.

Again, many many thanks for your time.  Most, if not all of the suggestions I've taken from this site in getting this router to work came from posts you originally made.
 
LVL 79

Expert Comment

by:lrmoore
Easy ones first...
>access-list 102 permit udp any host 128.95.X.X eq non500-isakmp
Yes, udp4500 = non500-isakmp

>When I enable split tunneling, clients are able to browse the internet again.  
That's what split-tunneling is all about

>However I've read here that enabling split-tunneling is a major security risk.
Not so much using Cisco VPN client. The VPN client has a built in firewall and the end user cannot muck with it or change its behavior in any way. This is one where you have to weigh the risks vs rewards for your particular implementation.

> Would it be possible to have clients browse the internet through the VPN, as opposed to the clients using their internet connections.
Only if you set up an internal Proxy server and force end users to set their IE to use the proxy. It could be a killer for your own internet connection. If you think about it, Client connects to the VPN through your Internet connection. Client maps a drive and connects to Exchange - both major bandwidth hogs. Client browses the Internet to pull down some MP3 files. That download has to traverse YOUR internet 2x. Get 2 or 3 clients doing this at once and your local Internet becomes almost unusable and your business grinds to a halt, but your VPN home users got their music and are happy.

>VPN clients can ping the FTP server . .  but can't FTP with those static xlates
OK... this one "should" be taken care of by using the route-map on the nat process and deny entry. However, statics take precedence over dynamic. Another question for you: Which public interface do you use for your VPN? Since 192.168.2.49 is a private IP, can I assume that something in front of it has a public IP and is passing all traffic to that single private IP?  We may have to get creative on this one...

>LMHOSTS does more than just name to IP. Do you have a domain? Is the VPN client joined to the domain? If the answers are yes and no, then you also have a permissions issue where the VPN client is viewed as "Guest" and the Guest account in the domain is disabled (I hope so, anyway). You can either use LMHOSTS to identify the domain controller to the client to allow use of domain credentials, or you can join the client PC to the domain, use the VPN option 'start before logon' and have clients log in to the PC using their domain credentials.
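
An added example, not part of lrmoore's comment: a config lint for the static-versus-dynamic NAT point above. It finds static port forwards for hosts that the route-map NAT rules (ACL 120) deliberately leave untranslated toward the VPN pool; those static entries carry no such exemption, which matches the FTP timeout Trublu182 saw from 192.168.3.0. The CONFIG excerpt is copied from the thread; the function names are this example's own.

```python
import ipaddress
import re

# Excerpt of the NAT-related lines from the configuration posted in the thread.
CONFIG = """\
ip local pool ippool 192.168.3.1 192.168.3.254
ip nat inside source route-map RMAP-WAN0 interface FastEthernet0 overload
ip nat inside source route-map RMAP-WAN1 interface FastEthernet1 overload
ip nat inside source static tcp 192.168.1.99 20 192.168.2.49 20 extendable
ip nat inside source static tcp 192.168.1.99 21 192.168.2.49 21 extendable
access-list 120 deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
route-map RMAP-WAN1 permit 10
 match ip address 120
 match interface FastEthernet1
route-map RMAP-WAN0 permit 10
 match ip address 120
 match interface FastEthernet0
"""


def vpn_pools(config):
    """Return {pool name: (first address, last address)} from 'ip local pool' lines."""
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+) (\S+)", config, re.M):
        pools[m.group(1)] = (ipaddress.IPv4Address(m.group(2)),
                             ipaddress.IPv4Address(m.group(3)))
    return pools


def nat_acls(config):
    """ACL numbers matched by route-maps used in 'ip nat inside source route-map'."""
    maps = set(re.findall(r"^ip nat inside source route-map (\S+)", config, re.M))
    acls, current = set(), None
    for line in config.splitlines():
        m = re.match(r"route-map (\S+) permit", line)
        if m:
            current = m.group(1)
            continue
        if not line.startswith(" "):
            current = None  # left the route-map block
        m = re.match(r"\s+match ip address (\d+)", line)
        if m and current in maps:
            acls.add(m.group(1))
    return acls


def exemptions(config):
    """(inside net, remote net) pairs the dynamic NAT ACLs deny, i.e. leave untranslated."""
    pairs = []
    for num in sorted(nat_acls(config)):
        pat = rf"^access-list {num} deny\s+ip (\S+) (\S+) (\S+) (\S+)\s*$"
        for m in re.finditer(pat, config, re.M):
            # ipaddress accepts the IOS wildcard as a host mask (contiguous masks only).
            src = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            dst = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}")
            pairs.append((src, dst))
    return pairs


def static_forwards(config):
    """Static port translations as (proto, inside local IP, local port, global IP)."""
    pat = r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)"
    return [(m.group(1), ipaddress.IPv4Address(m.group(2)), int(m.group(3)), m.group(4))
            for m in re.finditer(pat, config, re.M)]


def find_conflicts(config):
    """Static forwards for hosts that the dynamic rules exempt toward a VPN pool."""
    pools = vpn_pools(config)
    pairs = exemptions(config)
    conflicts = []
    for _proto, local_ip, port, global_ip in static_forwards(config):
        for src, dst in pairs:
            covers_pool = any(first in dst and last in dst
                              for first, last in pools.values())
            if local_ip in src and covers_pool:
                conflicts.append((str(local_ip), port, global_ip))
                break
    return conflicts


if __name__ == "__main__":
    for ip, port, global_ip in find_conflicts(CONFIG):
        print(f"static NAT {ip}:{port} -> {global_ip}:{port} bypasses the ACL 120 exemption")
```
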




 
 

Author Comment

by:Trublu182
So after getting increasingly frustrated trying to get vpn clients and lan clients to talk to each other, I just gave up and threw on a pptp vpn server on the cisco router.  Since bossman wants to keep the VPN authentication separate from 2003 domain authentication, this is a good route.  I'll clarify a few things though in case someone else might read this post in setting up their router.  God knows my router config has been pieced together from posts all over this site.

I had two XP pro clients, non-domain workgroup mode sitting on the same network.  I just wanted them to be able to talk to each other for further testing with the VPN, just to make sure it wasn't anything on their end.  Additionally, my Cisco router, VPN, local network, remote network were all test networks, no domains, just workgroup computers.  I discovered that the client that had the Cisco VPN client installed would not communicate at all with other clients.  Upon uninstallation of the offending program, the client was able to communicate again.  I immediately had nightmares of people calling me at all hours wondering why after installing the Cisco client, their shared printers stopped working, etc etc.  So I opted to use the Windows XP built in VPN client.  To do this required setting up the Cisco router VPN server with PPTP.

Lo and behold, once I got that running and VPN clients began connecting in, they were able to share and browse folders with other corporate clients and vice versa no problem.  They're even now able to access the FTP server, a huge plus.

In researching the Cisco VPN client, it seems to come with its own firewall, possibly by Zone Alarm.  Since Zone Alarm is notorious for breaking network functionality, Cisco's VPN client just went out the window.  I wouldn't mind the Cisco vpn client as much if it allowed you to modify its settings but the fact that it would block the browsing of share folders and printers even when it wasn't even running is completely unacceptable.  I guess I'm the sort that favors functionality and ease of use over security.

Many thanks for your time Lrmoore.  Your guidance in this got me going in the right direction.  Also my apologies for the long replies; I like to be thorough in my explanations.  It drives me up the wall when people post with very little description, making it hard for me to follow how they fixed the problem.

Anyway, here's my latest config in case anyone else might find it useful.  Oh yeah, anyone wanting to set up a PPTP VPN server on a Cisco router, make sure to enable proxy-arp on the cloned interfaces!  That took me a while to figure out.

Building configuration...

Current configuration : 9897 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 XXX
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_mac1
 server 192.168.1.1 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods1 group rad_mac1
aaa authentication ppp login local
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.1.141 192.168.1.254
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.1.0 255.255.255.0
   dns-server 192.168.1.99
   default-router 192.168.1.1
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server 192.168.1.99
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect log drop-pkt
ip inspect max-incomplete low 100
ip inspect max-incomplete high 200
ip inspect one-minute low 100
ip inspect one-minute high 200
ip inspect udp idle-time 15
ip inspect dns-timeout 2
ip inspect tcp idle-time 600
ip inspect tcp synwait-time 10
ip inspect name CBAC cuseeme
ip inspect name CBAC dns
ip inspect name CBAC h323
ip inspect name CBAC https
ip inspect name CBAC icmp
ip inspect name CBAC imap reset
ip inspect name CBAC pop3 reset
ip inspect name CBAC netshow
ip inspect name CBAC rcmd
ip inspect name CBAC realaudio
ip inspect name CBAC rtsp
ip inspect name CBAC esmtp
ip inspect name CBAC sqlnet
ip inspect name CBAC streamworks
ip inspect name CBAC tftp
ip inspect name CBAC vdolive
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC ftp
ip inspect name CBAC sip
ip inspect name CBAC appleqtc
vpdn enable
!
vpdn-group pptp
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
!
!
crypto pki trustpoint TP-self-signed-3729953927
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3729953927
 revocation-check none
 rsakeypair TP-self-signed-3729953927
!
!
crypto pki certificate chain TP-self-signed-3729953927
 certificate self-signed 01
  quit
username 580Schmitz privilege 15 secret 5 XXX
username vpntest password 7 XXX
!
!
!
bridge irb
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
 ip address 128.95.X.X 255.255.255.0
 ip access-group 102 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect CBAC out
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1415
 duplex auto
 speed auto
!
interface FastEthernet1
 description $ETH-WAN$$FW_OUTSIDE$
 ip address 192.168.2.49 255.255.255.0
 ip access-group 103 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect CBAC out
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1415
 duplex auto
 speed auto
!
interface FastEthernet2
 spanning-tree portfast
!
interface FastEthernet3
 spanning-tree portfast
!
interface FastEthernet4
 spanning-tree portfast
!
interface FastEthernet5
 spanning-tree portfast
!
interface FastEthernet6
 spanning-tree portfast
!
interface FastEthernet7
 spanning-tree portfast
!
interface FastEthernet8
 spanning-tree portfast
!
interface FastEthernet9
 spanning-tree portfast
!
interface Dot11Radio0
 no ip address
 !
 ssid ubtrio
    authentication open mac-address mac_methods1
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 !
 ssid ubtrio
    authentication open mac-address mac_methods1
 !
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Virtual-Template1
 description $FW_INSIDE$
 ip unnumbered BVI1
 no ip redirects
 no ip unreachables
 ip route-cache flow
 ip mroute-cache
 peer default ip address pool pptp
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$FW_INSIDE$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1412
!
ip local pool pptp 192.168.1.225 192.168.1.235
ip route 0.0.0.0 0.0.0.0 128.95.X.X
ip route 0.0.0.0 0.0.0.0 192.168.2.1
!
ip flow-top-talkers
 top 10
 sort-by bytes
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map RMAP-WAN0 interface FastEthernet0 overload
ip nat inside source route-map RMAP-WAN1 interface FastEthernet1 overload
ip nat inside source static tcp 192.168.1.99 20 192.168.2.49 20 extendable
ip nat inside source static tcp 192.168.1.99 21 192.168.2.49 21 extendable
!
logging trap debugging
access-list 1 remark HTTP Access-class list
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 deny   any
access-list 100 remark VTY Access-class list
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 deny   ip any any
access-list 102 permit tcp any host 128.95.X.X eq 1723
access-list 102 permit gre any host 128.95.X.X
access-list 102 deny   ip any any log
access-list 103 permit tcp host 192.168.2.101 host 192.168.2.49 eq ftp
access-list 103 permit tcp host 192.168.2.101 host 192.168.2.49 eq ftp-data
access-list 103 deny   ip any any log
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
!
!
!
route-map RMAP-WAN1 permit 10
 match ip address 120
 match interface FastEthernet1
!
route-map RMAP-WAN0 permit 10
 match ip address 120
 match interface FastEthernet0
!
!
!
radius-server local
  nas 192.168.1.1 key 7 09594C1D0B0C18
  group VPN_Users
  !
  user 0014bfd84f23 nthash 7 123B2131435E28250C7C777F6210744422442153020900770528223A430B01030A mac-auth-only
  user 0012f0ae1286 nthash 7 1444312955277273007C6B1474445F375650040C7B75722B523C4E010C06727604 mac-auth-only
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.1.1 auth-port 1812 acct-port 1813 key 7 06130D355E4706
radius-server vsa send accounting
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 transport output telnet
line vty 0 4
 access-class 100 in
 privilege level 15
 transport input telnet ssh
line vty 5 15
 access-class 100 in
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end
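
Added example (not part of the original post or of Cisco's tooling): the PPTP pool in the configuration above, 192.168.1.225-235, sits inside the LAN subnet on BVI1, so LAN hosts ARP for VPN clients directly and the router has to answer for them, which is why the proxy-arp tip matters. The Python sketch below checks a saved running-config for that dependency and, as an extra check added here, that the pool is excluded from DHCP; the function names and the trimmed sample config are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the pool-related lines of the configuration posted above.
SAMPLE_CONFIG = """\
ip dhcp excluded-address 192.168.1.141 192.168.1.254
interface Virtual-Template1
 ip unnumbered BVI1
 peer default ip address pool pptp
interface BVI1
 ip address 192.168.1.1 255.255.255.0
ip local pool pptp 192.168.1.225 192.168.1.235
"""

def parse_interfaces(config):
    """Map each interface name to the list of its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split()[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None
    return interfaces

def audit_pptp_pool(config):
    """Return findings for PPP address pools carved out of the LAN subnet."""
    interfaces, findings = parse_interfaces(config), []
    pools = {m[1]: (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
             for m in re.finditer(r"^ip local pool (\S+) (\S+) (\S+)$", config, re.M)}
    excluded = [(ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]))
                for m in re.finditer(r"^ip dhcp excluded-address (\S+) (\S+)$", config, re.M)]
    for name, cmds in interfaces.items():
        pool = next((c.split()[-1] for c in cmds if c.startswith("peer default ip address pool ")), None)
        lender = next((c.split()[-1] for c in cmds if c.startswith("ip unnumbered ")), None)
        if pool not in pools or lender not in interfaces:
            continue
        addr = next((c.split()[2:4] for c in interfaces[lender] if c.startswith("ip address ")), None)
        low, high = pools[pool]
        lan = ipaddress.ip_network("/".join(addr), strict=False) if addr else None
        if lan is None or (low not in lan and high not in lan):
            continue  # pool is routed rather than on-link: LAN hosts never ARP for it
        findings += [f"{i}: proxy-arp disabled but pool {pool} is inside {lan}"
                     for i in (name, lender) if "no ip proxy-arp" in interfaces[i]]
        if not any(lo <= low and high <= hi for lo, hi in excluded):
            findings.append(f"pool {pool} is not covered by ip dhcp excluded-address")
    return findings
```

An empty list from `audit_pptp_pool` means neither the virtual template nor the interface it borrows its address from disables proxy ARP, and the DHCP server will not hand out the pool's addresses.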

 
LVL 79

Expert Comment

by:lrmoore
Many thanks for the update. Sorry you couldn't make the Cisco VPN client work as you needed it to. It was really designed to be a companion to the VPN3000 series concentrator. Using the concentrator, you can control the firewall rules that get pushed to the client. It's only an add-on feature to IOS that does not have the full functionality of the VPN concentrator.

Good luck!
