Solved

EZvpn routing between subnets is one way between UC520 and 877

Posted on 2008-10-08
Last Modified: 2012-05-05
I have a Cisco UC520 that is acting as the EZvpn Server (A). On the other side of town I have a Cisco 877, that is acting as a client in network-extension mode (B).  Currently the VPN session is up, but I am having routing issues.

A can ping hosts on B, and can access hosts on B using Remote Desktop.
B router can ping the real world, but cannot ping anything on A.
B hosts cannot ping the real world, or anything on A.
 
I need to get it to the point where A<->B can pass data back and forth, and to where B hosts can get to the real world.

Here are the relevant lines from the configs.


Router A - UC520
----------------------
Current configuration : 35111 bytes
!
version 12.4
parser config cache interface
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service internal
service compress-config
!
hostname UC520
!
boot-start-marker
boot system flash uc500-advipservicesk9-mz.124-20.T1.bin
boot-end-marker
!
logging message-counter syslog
logging buffered 4096
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
aaa session-id common
clock timezone EST -5
clock summer-time EDT recurring
!
crypto pki trustpoint TP-self-signed-1182958341
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1182958341
 revocation-check none
 rsakeypair TP-self-signed-1182958341
!
!
crypto pki certificate chain TP-self-signed-1182958341
 certificate self-signed 01
  3082023D 308201A6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  5D7ED5E4 EA4CB2B5 29DA3B58 DD85D3A2 0846C61F 8DFEEF18 6A4378CE A8929E01 BC
        quit
dot11 syslog
ip source-route
ip cef
!
!
ip dhcp relay information trust-all
no ip dhcp use vrf connected
ip dhcp excluded-address 10.1.1.1 10.1.1.10
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.100 192.168.1.254
!
ip dhcp pool phone
   network 10.1.1.0 255.255.255.0
   default-router 10.1.1.1
   option 150 ip 10.1.1.1
   dns-server 4.2.2.1 63.203.35.55
!
ip dhcp pool data
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 4.2.2.1 199.72.1.1 63.203.35.55
   domain-name SOUND.local
!
!
ip name-server 4.2.2.1
ip name-server 199.72.1.1
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
no ipv6 cef
!
stcapp ccm-group 1
stcapp
!
stcapp feature access-code
!
multilink bundle-name authenticated
!
!
voice call send-alert
voice rtp send-recv
!
voice service voip
 allow-connections h323 to h323
 allow-connections h323 to sip
 allow-connections sip to h323
 allow-connections sip to sip
 supplementary-service h450.12
 sip
  no update-callerid
!
!
voice class codec 1
 codec preference 1 g711ulaw bytes 160
 codec preference 2 g729r8 bytes 20
!
!
!
<SKIP PHONE RELATED MATERIALS>

!
voice-card 0
 no dspfarm
!
!
!
username admin privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXX
username remoteusername password 0 remotepassword
!
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group EZVPN_GROUP_1
 key expertsexchange
 dns 4.2.2.1 199.72.1.1
 wins 192.168.1.160
 domain SOUND.local
 pool EZVPN_POOL_1
 acl 105
 save-password
 include-local-lan
 max-users 10
!
!
crypto ipsec transform-set ESP_AES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP_3DES_SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP_AES_SHA ESP_3DES_SHA
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
archive
 log config
  logging enable
  logging size 600
  hidekeys
!
!
ip tftp source-interface Loopback0
!
!
!
interface Loopback0
 description $FW_INSIDE$
 ip address 10.1.10.2 255.255.255.252
 ip access-group 101 in
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0
 description $ETH-WAN$
 no ip address
 ip virtual-reassembly
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Integrated-Service-Engine0/0
 description cue is initialized with default IMAP group
 ip unnumbered Loopback0
 ip nat inside
 ip virtual-reassembly
 service-module ip address 10.1.10.1 255.255.255.252
 service-module ip default-gateway 10.1.10.2
!
interface FastEthernet0/1/0
 switchport voice vlan 100
 macro description cisco-phone
 spanning-tree portfast
!
interface FastEthernet0/1/1
 switchport voice vlan 100
 macro description cisco-phone
 spanning-tree portfast
!
interface FastEthernet0/1/2
 switchport voice vlan 100
 macro description cisco-phone
 spanning-tree portfast
!
interface FastEthernet0/1/3
 switchport voice vlan 100
 macro description cisco-phone
 spanning-tree portfast
!
interface FastEthernet0/1/4
 switchport voice vlan 100
 macro description cisco-phone
 spanning-tree portfast
!
interface FastEthernet0/1/5
 switchport voice vlan 100
 macro description cisco-phone
 spanning-tree portfast
!
interface FastEthernet0/1/6
 switchport voice vlan 100
 macro description cisco-phone
 spanning-tree portfast
!
interface FastEthernet0/1/7
 switchport voice vlan 100
 macro description cisco-phone
 spanning-tree portfast
!
interface FastEthernet0/1/8
 switchport mode trunk
 macro description cisco-switch
!
interface Vlan1
 description $FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip access-group 102 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
interface Vlan100
 description $FW_INSIDE$
 ip address 10.1.1.1 255.255.255.0
 ip access-group 103 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 104 in
 ip mtu 1452
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname me@isp.net
 ppp chap password 7 XXXXXXXXXXXXX
 ppp pap sent-username me@isp.net password 7 XXXXXXXXXXXXX
 crypto map SDM_CMAP_1
!
ip local pool EZVPN_POOL_1 192.168.200.10 192.168.200.30
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.1.10.1 255.255.255.255 Integrated-Service-Engine0/0
ip route 10.10.10.0 255.255.255.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http path flash:
ip dns server
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 192.168.1.0 0.0.0.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp 10.1.1.0 0.0.0.255 eq 2000 any
access-list 101 permit udp 10.1.1.0 0.0.0.255 eq 2000 any
access-list 101 deny   ip 192.168.1.0 0.0.0.255 any
access-list 101 deny   ip 10.1.1.0 0.0.0.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 deny   ip 10.1.10.0 0.0.0.3 any
access-list 102 deny   ip 10.1.1.0 0.0.0.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 permit tcp 10.1.10.0 0.0.0.3 any eq 2000
access-list 103 permit udp 10.1.10.0 0.0.0.3 any eq 2000
access-list 103 deny   ip 10.1.10.0 0.0.0.3 any
access-list 103 deny   ip 192.168.1.0 0.0.0.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 permit ip host 192.168.200.10 any
access-list 104 permit ip host 192.168.200.11 any
access-list 104 permit ip host 192.168.200.12 any
access-list 104 permit ip host 192.168.200.13 any
access-list 104 permit ip host 192.168.200.14 any
access-list 104 permit ip host 192.168.200.15 any
access-list 104 permit ip host 192.168.200.16 any
access-list 104 permit ip host 192.168.200.17 any
access-list 104 permit ip host 192.168.200.18 any
access-list 104 permit ip host 192.168.200.19 any
access-list 104 permit ip host 192.168.200.20 any
access-list 104 permit ip host 192.168.200.21 any
access-list 104 permit ip host 192.168.200.22 any
access-list 104 permit ip host 192.168.200.23 any
access-list 104 permit ip host 192.168.200.24 any
access-list 104 permit ip host 192.168.200.25 any
access-list 104 permit ip host 192.168.200.26 any
access-list 104 permit ip host 192.168.200.27 any
access-list 104 permit ip host 192.168.200.28 any
access-list 104 permit ip host 192.168.200.29 any
access-list 104 permit ip host 192.168.200.30 any
access-list 104 permit tcp any any established
access-list 104 permit udp any any eq non500-isakmp
access-list 104 permit udp any any eq isakmp
access-list 104 permit tcp any any eq 1723
access-list 104 permit esp any any
access-list 104 permit ahp any any
access-list 104 permit gre any any
access-list 104 permit udp any eq domain any
access-list 104 permit tcp any any eq www
access-list 104 deny   ip 10.1.10.0 0.0.0.3 any
access-list 104 deny   ip 192.168.1.0 0.0.0.255 any
access-list 104 deny   ip 10.1.1.0 0.0.0.255 any
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
access-list 104 deny   ip 172.16.0.0 0.15.255.255 any
access-list 104 deny   ip 192.168.0.0 0.0.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip host 0.0.0.0 any
access-list 104 deny   ip any any log
access-list 105 remark SDM_ACL Category=2
access-list 105 deny   ip any host 192.168.200.10
access-list 105 deny   ip any host 192.168.200.11
access-list 105 deny   ip any host 192.168.200.12
access-list 105 deny   ip any host 192.168.200.13
access-list 105 deny   ip any host 192.168.200.14
access-list 105 deny   ip any host 192.168.200.15
access-list 105 deny   ip any host 192.168.200.16
access-list 105 deny   ip any host 192.168.200.17
access-list 105 deny   ip any host 192.168.200.18
access-list 105 deny   ip any host 192.168.200.19
access-list 105 deny   ip any host 192.168.200.20
access-list 105 deny   ip any host 192.168.200.21
access-list 105 deny   ip any host 192.168.200.22
access-list 105 deny   ip any host 192.168.200.23
access-list 105 deny   ip any host 192.168.200.24
access-list 105 deny   ip any host 192.168.200.25
access-list 105 deny   ip any host 192.168.200.26
access-list 105 deny   ip any host 192.168.200.27
access-list 105 deny   ip any host 192.168.200.28
access-list 105 deny   ip any host 192.168.200.29
access-list 105 deny   ip any host 192.168.200.30
access-list 105 permit ip 10.1.10.0 0.0.0.3 any
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 permit ip 10.1.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 105
!
!

+++++++++++++++++++++++++++++++++++++++++

877 - Site B
--------------



!
! No configuration change since last restart
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 877W
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable password 7 XXXXXXXXXXXXX

no aaa new-model
clock timezone GMT 0
clock summer-time GMT recurring last Sun Mar 1:00 last Sun Oct 2:00
!
crypto pki trustpoint TP-self-signed-3394950481
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3394950481
 revocation-check none
 rsakeypair TP-self-signed-3394950481
!
!
crypto pki certificate chain TP-self-signed-3394950481
 certificate self-signed 01
  3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  EDF64CAB C36DBBF7 6DEC769B BFE4EB7F 219F4D30 72EF32FD B39E77A9 ECE58D25
  5B3411B9 EDFAB9BC 0F1C8518 AEC739
        quit
dot11 syslog
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.1 10.10.10.10
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server 4.2.2.1 199.72.1.1
   option 150 ip 10.1.1.1
   domain-name SOUND.local
   lease 0 2
!
ip dhcp pool SALESTERM
   host 10.10.10.150 255.255.255.0
   client-identifier 0100.0f1f.4543.5a
   client-name SALESTERM
   default-router 10.10.10.1
   dns-server 4.2.2.1 199.72.1.1 4.2.2.4
   netbios-name-server 192.168.1.160
   lease infinite
!
!
ip domain name yourdomain.com
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
multilink bundle-name authenticated
!
!
username admin privilege 15 password 7 XXXXXXXXXXXX
username remoteusername password 7 remotepassword
!
!
!
!
!
!
crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1
 connect auto
 group EZVPN_GROUP_1 key expertsexchange
 mode network-extension
 peer 20.21.22.23
 username remoteusername password remotepassword
 xauth userid mode local
!
!
archive
 log config
  hidekeys
!
!
!
bridge irb
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 101 in
 ip mtu 1452
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname them@isp.net
 ppp chap password 7 XXXXXXXXXXXXxxxxxxxxx
 ppp pap sent-username them@isp.net password 7 XXXXXXXXXXXXXX
 ppp ipcp dns request
 crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1
!
interface BVI1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 10.10.10.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
 crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1 inside
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.1.1.0 255.255.255.0 20.21.22.23
ip route 10.1.10.0 255.255.255.0 20.21.22.23
ip route 192.168.1.0 255.255.255.0 20.21.22.23
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 10.10.10.150 3389 interface Dialer0 3389
ip nat inside source static udp 10.10.10.150 3389 interface Dialer0 3389
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.7
access-list 100 remark auto generated by SDM firewall configuration##NO_ACES_3##
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration##NO_ACES_11##
access-list 101 remark SDM_ACL Category=1
access-list 101 remark Auto generated by SDM for EzVPN (udp-10000) EZVPN_REMOTE_CONNECTION_1
access-list 101 permit udp host 20.21.22.23 any eq 10000
access-list 101 remark Auto generated by SDM for EzVPN (non500-isakmp) EZVPN_REMOTE_CONNECTION_1
access-list 101 permit udp host 20.21.22.23 any eq non500-isakmp
access-list 101 remark Auto generated by SDM for EzVPN (isakmp) EZVPN_REMOTE_CONNECTION_1
access-list 101 permit udp host 20.21.22.23 any eq isakmp
access-list 101 remark Auto generated by SDM for EzVPN (ahp) EZVPN_REMOTE_CONNECTION_1
access-list 101 permit esp host 20.21.22.23 any
access-list 101 remark Auto generated by SDM for EzVPN (esp) EZVPN_REMOTE_CONNECTION_1
access-list 101 permit ahp host 20.21.22.23 any
access-list 101 permit ip 192.168.200.0 0.0.0.255 any
access-list 101 permit tcp any any established
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit udp any eq domain any
access-list 101 permit udp any any eq ntp
access-list 101 permit tcp any any eq 3389
access-list 101 permit udp any any eq 3389
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip

!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
ntp clock-period 17174984
ntp server 17.151.16.23 prefer
end





--------------------------------
Question by:aalbert69

Accepted Solution

by:
wingatesl earned 500 total points
ID: 22668213
My suggestion would be to go away from the normal VPN connection and configure a DMVPN between the sites. This is a routed connection and will eliminate your problems and any potential problems if your solution grows. The DMVPN setup is almost the same as the EZVPN; the exception is that you configure a tunnel interface on each side and set up a dynamic routing protocol. The SDM makes it pretty easy. Save the EZVPN for the Road Warriors.
Shawn
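
A check that can be run against the 877 (Site B) configuration in the question, added here as an example and not written by either poster: it evaluates Cisco wildcard-mask matching to show which 10.10.10.0/24 addresses the `ip nat inside source list 1 ... overload` rule actually covers. The config lines are copied from the question; the function names are illustrative.

```python
import ipaddress
import re

# Lines copied from the 877 (Site B) configuration posted in the question.
ROUTER_B_CONFIG = """\
ip dhcp excluded-address 10.10.10.1 10.10.10.10
ip dhcp pool sdm-pool
   network 10.10.10.0 255.255.255.0
ip dhcp pool SALESTERM
   host 10.10.10.150 255.255.255.0
ip nat inside source list 1 interface Dialer0 overload
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.7
"""

ACE_RE = re.compile(r"^access-list (\d+) (permit|deny)\s+(\S+)(?:\s+(\S+))?$")
NAT_RE = re.compile(r"^ip nat inside source list (\d+) interface \S+ overload$")
ALL_BITS = 0xFFFFFFFF


def nat_source_acl(config):
    """Return the ACL number used by the 'ip nat inside source list' rule."""
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            return int(m.group(1))
    return None


def parse_standard_acl(config, number):
    """Return [(action, base, wildcard)] as integers for a numbered standard ACL."""
    entries = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m or int(m.group(1)) != number:
            continue  # remarks and other ACL numbers are skipped
        action, src, arg = m.group(2), m.group(3), m.group(4)
        if src == "any":
            base, wildcard = 0, ALL_BITS
        elif src == "host":
            base, wildcard = int(ipaddress.IPv4Address(arg)), 0
        else:
            base = int(ipaddress.IPv4Address(src))
            wildcard = int(ipaddress.IPv4Address(arg)) if arg else 0
        entries.append((action, base, wildcard))
    return entries


def acl_permits(entries, address):
    """First matching entry wins; no match means the implicit deny applies."""
    addr = int(ipaddress.IPv4Address(address))
    for action, base, wildcard in entries:
        care = ~wildcard & ALL_BITS  # wildcard 1-bits are "don't care"
        if (addr & care) == (base & care):
            return action == "permit"
    return False


def translated_hosts(config, lan):
    """Host addresses in `lan` that the NAT overload rule would translate."""
    entries = parse_standard_acl(config, nat_source_acl(config))
    return [str(h) for h in ipaddress.IPv4Network(lan).hosts()
            if acl_permits(entries, str(h))]


if __name__ == "__main__":
    print(translated_hosts(ROUTER_B_CONFIG, "10.10.10.0/24"))
```

With the posted lines, only 10.10.10.1 through 10.10.10.7 match the source list, so the DHCP range that starts after the excluded 10.10.10.1 to 10.10.10.10 block and the static host 10.10.10.150 fall outside the overload rule.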