Solved

Cisco ASA Hairpinning

Posted on 2014-07-27
Last Modified: 2014-07-29
Hi,

I have a firewall ASA which is our default gateway but I want our users to be able to access a subnet which is hidden behind a router on our network but am having a bit of difficulty given the default gateway is the firewall.  I have tried to set up hairpinning and I could then ping both sides but when checking Wireshark (after being unable to access RDP in either direction), it seems on the return path, the firewall doesn't know about the TCP session.  I have tried the below on the firewall but it would not allow me to enable the policy on the inside interface as a policy already exists.  However, when monitoring the logs on the firewall, I would see users being unable to connect via VPN and the same error I had started with but which is used for users connecting via VPN: "Asymmetric NAT rules matched for forward and reverse flows; connection for icmp src inside: IP dst inside: remote IP (type 8, code 0) denied due to NAT reverse path failure".  So I restarted the firewall and didn't save the config to put all back to the way it was... any ideas what I did wrong?

same-security-traffic permit intra-interface

access-list NONAT extended permit ip any 192.168.1.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 any

nat (inside) 0 access-list NONAT


access-list STATEBYPASS extended permit ip any 192.168.1.0 255.255.255.0

access-list STATEBYPASS extended permit ip 192.168.1.0 255.255.255.0 any

class-map STATEBYPASS
 match access-list STATEBYPASS

policy-map STATEBYPASS
 class STATEBYPASS
  set connection advanced-options tcp-state-bypass

service-policy STATEBYPASS interface inside
0
Question by:minniejp
41 Comments
 
LVL 7

Expert Comment

by:kellemann
Could you post the output from the "show run service-policy" command?

Also, which ip addresses are assigned to the VPN clients, and what is the ip subnet for inside?

A sanitized config dump would of course be optimal  :-)
0
 

Author Comment

by:minniejp
below is "show run service-policy"

service-policy global_policy global
service-policy default_policy interface inside
service-policy default_policy interface outside

The IP address of the subnet inside is 10.8.5.0 and there are two VPN pools, 192.168.0.100 - 192.168.0.200 and 173.41.1.1 - 173.41.1.200

Cheers!
0
 
LVL 7

Expert Comment

by:kellemann
Ok, looks like you have a policy configured called default_policy for the inside interface. Could you post the policy using "show run policy-map"?
0
 

Author Comment

by:minniejp
Yes sure, please see below:

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map priority_policy
 class polycom-priority_map
  priority
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
policy-map default_policy
 class class-default
  shape average 100000000
  service-policy priority_policy
0
 
LVL 7

Expert Comment

by:kellemann
Looks like you are doing some traffic shaping (100 mbits) on the inside interface. Is that on purpose or perhaps some old config? If it's an ASA 5505 it would be redundant, since it only has 100mbit interfaces. If it is an ASA 5510 or bigger with gigabit, you are limiting yourself to 10% capacity. It might be a valid configuration, but hard to tell without a complete overview.

Either way, the ASA only supports a single service-policy per interface. Either remove the existing service-policy from the interface and replace it with the new one, or incorporate the stateful bypass policy settings in the existing policy.
0
 

Author Comment

by:minniejp
To be honest I have only just taken over this role, so not sure (it is an ASA 5505).  How do I go about incorporating the stateful bypass into the existing policy? I'm not sure regarding the commands.  Also, why would what I did above cause problems to my VPN users?
0
 
LVL 7

Expert Comment

by:kellemann
In that case it would be safe to remove the old policy and put the new one in:

no service-policy default_policy interface inside
service-policy STATEBYPASS interface inside

Regarding VPN problems, my guess would be you replaced an existing NAT exemption-list with the one you created. Try running "show run nat" before making changes, and post what it says.
0
 

Author Comment

by:minniejp
I think I would prefer to keep the existing policy (just in case it is in use) and modify it to add what I need for the TCP bypass (can you suggest the commands I need to use to modify it?).  Below are the results from the show run nat cmd.

nat (inside) 0 access-list inside_nat_0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0

what do you think?
0
 

Author Comment

by:minniejp
If I change the command above 'nat (inside) 0 access-list NONAT' to 'nat (inside) 2 access-list NONAT' instead, would that be enough to avoid having problems with VPNs as well?  Would any of what I am doing cause problems for my DMZ?
0
 
LVL 7

Accepted Solution

by:
kellemann earned 500 total points
The zero after (inside) signifies "do NOT address translate". The purpose is to tell the firewall that internal ip addresses should be retained when communicating with VPN clients. If you change the number to anything other than zero, it won't work.

The solution is simple: Rename the access-list you use in your original post to the existing NAT 0 list. Like so:

access-list NONAT extended permit ip any 192.168.1.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 any

becomes:

access-list inside_nat_0_outbound extended permit ip any 192.168.1.0 255.255.255.0
access-list inside_nat_0_outbound extended permit ip 192.168.1.0 255.255.255.0 any

The entries are simply added to the existing exemption-list.

Lose the "nat (inside) 0 access-list NONAT" statement, and you should be up and running.

I feel I should mention that bypassing the stateful inspection is a bit of a dirty workaround. It still won't handle UDP traffic correctly and other issues may arise. The proper solution would be to use a different box for the internal default gateway, optimal would be a layer 3 switch (like Cisco's 3000 series).
0
 

Author Comment

by:minniejp
Thanks very much I will give this a go.  Final question, what about the service policy? How do I edit the existing one?  I agree this isn't the ideal setup but I can work on getting it changed in the background.
0
 
LVL 7

Expert Comment

by:kellemann
You do not need to edit the existing one. Just remove the existing one from the interface as described earlier, and attach the new one:

no service-policy default_policy interface inside
service-policy STATEBYPASS interface inside
0
 

Author Comment

by:minniejp
but it may be used? no?
0
 
LVL 7

Expert Comment

by:kellemann
In my opinion you can safely remove and replace it. The shaping parameters do not make sense since we are limiting speed to 100 mbit which is full speed anyway for the 5505. The other part of the policy pertains to priority queuing some traffic for Polycom equipment, but in that case the policy is on the wrong interface. It should be on the outside, not inside. Right now it is on both.
Based on the weird shaping parameters and the wrong interface, I would say your predecessor wasn't quite sure of what he or she was doing, and just went full hog on applying the policy everywhere :-)
0
 

Author Comment

by:minniejp
Hi, I tried the above this morning but I am now getting this in the logs when I try to ping:

Asymmetric NAT rules matched for forward and reverse flows; connection for tcp src inside: 10.8.5.0/515 dst inside: 192.168.1.4/748 denied due to NAT reverse path failure...

Any idea? cheers
0
 

Author Comment

by:minniejp
I also for some reason see this in the logs each time I apply the above:

login denied from ip/5505 to outside: ip/ssh for user "root"
user authentication failed: uname: root
User authentication failed: uname:root
AAA User authentication rejected: reason=invalid password: local database: user=root

what is this about?
0
 
LVL 7

Expert Comment

by:kellemann
Please post the output from this command:

packet-tracer input inside tcp 10.8.5.20 8888 192.168.1.4 80

As for your last question (and we are going slightly off the path here), it would seem you allow login attempts from any ip address. What you are seeing is an attempted automated attack from somewhere on the globe. It is generally nothing to worry about as long as you use strong passwords.
Unless you need to be able to login from anywhere to administer the firewall, I would recommend narrowing the allowed ip addresses to a minimum.

"sh run ssh" gives you the current allowed addresses, and it probably looks like this:

ssh 0.0.0.0 0.0.0.0 outside

remove that line and replace it with whatever addresses (if any) you need to administer it from, e.g. "ssh 1.2.3.4 255.255.255.255 outside".

On a similar note also check if ASDM logins are generally allowed from anywhere:

show run http
0
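Added example, not part of the original thread: a small Python check for the management-access point made in the comment above. It reads lines in the form printed by "show run ssh" and "show run http" and reports rules on an untrusted interface whose source range is wider than a chosen prefix. The sample lines, the function name broad_mgmt_rules and the /24 threshold are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of "show run ssh" / "show run http" output.
# 10.8.5.0/24 is the inside subnet named in the thread; 203.0.113.10 is a
# documentation address standing in for an administrator's public IP.
SAMPLE_MGMT = """\
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.8.5.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh 203.0.113.10 255.255.255.255 outside
ssh 10.8.5.0 255.255.255.0 inside
ssh timeout 5
"""

# <service> <address> <netmask> <interface>
MGMT_RULE = re.compile(
    r"^(ssh|http|telnet)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$"
)


def broad_mgmt_rules(config, untrusted=("outside",), min_prefix=24):
    """Return (service, network, interface) for every management rule on an
    untrusted interface whose source range is wider than /min_prefix."""
    findings = []
    for raw in config.splitlines():
        m = MGMT_RULE.match(raw.strip())
        if not m:
            continue  # e.g. "ssh timeout 5" or "http server enable"
        service, addr, mask, ifc = m.groups()
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if ifc in untrusted and net.prefixlen < min_prefix:
            findings.append((service, str(net), ifc))
    return findings


if __name__ == "__main__":
    for service, net, ifc in broad_mgmt_rules(SAMPLE_MGMT):
        print(f"{service} is reachable from {net} on interface {ifc}")
```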
 

Author Comment

by:minniejp
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   A-192.168.1.0   255.255.255.0   inside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:

Phase: 5
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,dmz) 10.8.5.0 10.8.5.0 netmask 255.255.255.0
  match ip inside 10.8.5.0 255.255.255.0 dmz any
    static translation to 10.8.5.0
    translate_hits = 5, untranslate_hits = 20
Additional Information:

Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 1 (10.8.5.1 [Interface PAT])
    translate_hits = 316, untranslate_hits = 0
Additional Information:
Dynamic translate 10.8.5.20/8888 to 10.8.5.1/23128 using netmask 255.255.255.255

Phase: 9
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 1 (10.8.5.1 [Interface PAT])
    translate_hits = 316, untranslate_hits = 0
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ciscoasa#
0
 

Author Comment

by:minniejp
Apologies, I will stick to the question at hand.  Thank you
0
 
LVL 7

Expert Comment

by:kellemann
Please add this command and post the output from the "packet-tracer" command again:

static (inside,inside) 10.8.5.0 10.8.5.0 netmask 255.255.255.0
0

 

Author Comment

by:minniejp
When I applied that command, I got the following warning:

WARNING: real-address conflict with existing static
TCP inside: 10.8.5.3/143 TO INSIDE: external IP/143 netmask 255.255.255.255

WARNING: real-address conflict with existing static
TCP inside: 10.8.5.3/25 to inside: external IP/25 netmask 255.255.255.255

WARNING: real-address conflict with existing static
TCP inside: 10.8.5.3/443 to inside: external IP/443 netmask 255.255.255.255
0
 
LVL 7

Expert Comment

by:kellemann
Ah, you probably have an existing static as a (bit dirty) workaround for accessing Outlook Web Access or something like that with the public ip address.

We'll do it another way:

access-list inside_nat_0_outbound extended permit ip 10.8.5.0 255.255.255.0 192.168.1.0 255.255.255.0

remove the static we just put in.
0
 

Author Comment

by:minniejp
Done, please see below:

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   A-192.168.1.0   255.255.255.0   inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,dmz) 10.8.5.0 10.8.5.0 netmask 255.255.255.0
  match ip inside 10.8.5.0 255.255.255.0 dmz any
    static translation to 10.8.5.0
    translate_hits = 5, untranslate_hits = 31
Additional Information:

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 1 (10.8.5.1 [Interface PAT])
    translate_hits = 593, untranslate_hits = 0
Additional Information:
Dynamic translate 10.8.5.20/8888 to 10.8.5.1/32468 using netmask 255.255.255.255

Phase: 8
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 1 (10.8.5.1 [Interface PAT])
    translate_hits = 594, untranslate_hits = 0
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ciscoasa#
0
 

Author Comment

by:minniejp
Getting this in the logs:

Asymmetric NAT rules matched for forward and reverse flows; connection for tcp src inside: 10.8.5.29/515 dst inside: 192.168.1.4/690 denied due to NAT reverse path failure

Asymmetric NAT rules matched for forward and reverse flows; connection for icmp src inside: 10.8.5.13 dst inside: 192.168.1.4 (type 8, code 0) denied due to NAT reverse path failure

should this give you a hand.
0
 
LVL 7

Expert Comment

by:kellemann
Weird, the NAT exemption doesn't seem to get hit. Please post the following (redact information as needed):

sh run access-list inside_nat_0_outbound
sh run nat
sh run global
sh run static
0
 

Author Comment

by:minniejp
Sh run access-list inside_nat_0_outbound (results)

access-list inside_nat_0_outbound extended permit ip any A-192.168.1.0 255.255.255.0
access-list inside_nat_0_outbound extended permit ip A-192.168.1.0 255.255.255.0
access-list inside_nat_0_outbound extended permit ip 10.8.5.0 255.255.255.0 A-192.168.1.0 255.255.255.0

sh run nat

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0

sh run global

global (inside) 1 interface
global (outside) 1 interface

sh run static

static (inside,outside) tcp external IP 3389 10.8.5.4 3389 netmask 255.255.255.255
static (inside,outside) tcp interface imap4 10.8.5.2 imap4 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 10.8.5.2 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 10.8.5.2 https netmask 255.255.255.255
static (inside,inside) tcp external IP imap4 10.8.5.2 imap4 netmask 255.255.255.255
static (inside,inside) tcp external IP smtp 10.8.5.2 smtp netmask 255.255.255.255
static (inside,inside) tcp external IP https 10.8.5.2 https netmask 255.255.255.255
static (dmz,outside) external IP 10.30.30.1 netmask 255.255.255.255
static (dmz,outside) 10.30.30.1 external IP netmask 255.255.255.255
static (inside,dmz) 10.8.5.0 10.8.5.0 netmask 255.255.255.0
static (inside,dmz) 10.30.30.0 10.30.30.0 netmask 255.255.255.0
static (inside,outside) external IP 10.8.5.46 netmask 255.255.255.255
static (inside,inside) 173.41.1.0 173.41.1.0 netmask 255.255.255.0
0
 

Author Comment

by:minniejp
Did I do a typo?  

access-list inside_nat_0_outbound extended permit ip any A-192.168.1.0 255.255.255.0
access-list inside_nat_0_outbound extended permit ip A-192.168.1.0 255.255.255.0
access-list inside_nat_0_outbound extended permit ip 10.8.5.0 255.255.255.0 A-192.168.1.0 255.255.255.0

should this be

access-list inside_nat0_outbound extended permit ip any A-192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip A-192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.8.5.0 255.255.255.0 A-192.168.1.0 255.255.255.0
0
 
LVL 7

Expert Comment

by:kellemann
This definitely looks wrong :

global (inside) 1 interface

It tells the firewall to replace internal ip addresses with the firewall's own when routing to the inside net. Please remove with:

no global (inside) 1 interface

Do a "clear xlate" command for good measure, and post the output from packet-tracer again.
0
 

Author Comment

by:minniejp
Will removing this cause any other problems?
0
 

Author Comment

by:minniejp
here you go:

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   A-192.168.1.0   255.255.255.0   inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,dmz) 10.8.5.0 10.8.5.0 netmask 255.255.255.0
  match ip inside 10.8.5.0 255.255.255.0 dmz any
    static translation to 10.8.5.0
    translate_hits = 5, untranslate_hits = 77
Additional Information:

Phase: 7
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 2479, untranslate_hits = 0
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

I also see this in the logs:

Portmap translation creation failed for tcp src inside: 10.8.5.30/515 dst inside: 192.168.1.4/570
0
 
LVL 7

Expert Comment

by:kellemann
I'm 99,9% sure it won't. I can't think of a valid reason for that configuration, but without the whole picture, it is hard to tell. Either way it is easy to put back in.
I think we also need an additional line in the access-list:

access-list inside_nat_0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.8.5.0 255.255.255.0
0
 

Author Comment

by:minniejp
Unfortunately I'm still not able to ping anything....firewall is still logging this error

Portmap translation creation failed for tcp src inside: 10.8.5.30/515 dst inside: 192.168.1.4/570
Portmap translation creation failed for icmp src inside: 10.8.5.30/515 dst inside: 192.168.1.4/570
0
 

Author Comment

by:minniejp
I ran a trace again for you:

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   A-192.168.1.0   255.255.255.0   inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,dmz) 10.8.5.0 10.8.5.0 netmask 255.255.255.0
  match ip inside 10.8.5.0 255.255.255.0 dmz any
    static translation to 10.8.5.0
    translate_hits = 17, untranslate_hits = 93
Additional Information:

Phase: 7
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 3665, untranslate_hits = 0
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
0
 

Author Comment

by:minniejp
Can you double check I didn't do a typo on this one?

Did I do a typo?  

access-list inside_nat_0_outbound extended permit ip any A-192.168.1.0 255.255.255.0
access-list inside_nat_0_outbound extended permit ip A-192.168.1.0 255.255.255.0
access-list inside_nat_0_outbound extended permit ip 10.8.5.0 255.255.255.0 A-192.168.1.0 255.255.255.0

should it be this:

access-list inside_nat0_outbound extended permit ip any A-192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip A-192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.8.5.0 255.255.255.0 A-192.168.1.0 255.255.255.0
0
 

Author Comment

by:minniejp
What do you think?
0
 
LVL 7

Expert Comment

by:kellemann
Good catch, I missed the extra underscore. You are right.
0
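Added example, not part of the original thread: the root cause confirmed above was entries added to an access-list named inside_nat_0_outbound while the "nat (inside) 0" statement referenced inside_nat0_outbound. This Python lint, run over a saved running-config in the pre-8.3 syntax used here, reports access-lists that are defined but never referenced (or referenced but never defined) and suggests the nearest existing name. The config excerpt is constructed from lines quoted in the thread plus an assumed VPN-pool entry, and the function name audit_acl_names is hypothetical.

```python
import difflib
import re

# Constructed running-config excerpt modelled on the thread. The entry for
# 192.168.0.0/24 (a VPN pool range mentioned in the thread) is an assumption
# about what the original exemption list contained.
SAMPLE_CONFIG = """\
access-list inside_nat0_outbound extended permit ip 10.8.5.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat_0_outbound extended permit ip any 192.168.1.0 255.255.255.0
access-list inside_nat_0_outbound extended permit ip 10.8.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list STATEBYPASS extended permit ip any 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
class-map STATEBYPASS
 match access-list STATEBYPASS
"""

ACL_DEF = re.compile(r"^access-list\s+(\S+)\s+(?:extended|standard|remark|permit|deny)\b")

# Statements that point at an access-list by name.
ACL_REFS = [
    re.compile(r"^nat\s+\(\S+\)\s+\d+\s+access-list\s+(\S+)"),
    re.compile(r"^access-group\s+(\S+)\s+(?:in|out)\s+interface\s+\S+"),
    re.compile(r"^match\s+access-list\s+(\S+)"),
    re.compile(r"^crypto\s+map\s+\S+\s+\d+\s+match\s+address\s+(\S+)"),
]


def audit_acl_names(config, cutoff=0.8):
    """Return (kind, acl_name, nearest_name_or_None) tuples, where kind is
    'unreferenced' (defined, never used) or 'undefined' (used, never defined)."""
    defined, referenced = set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_DEF.match(line)
        if m:
            defined.add(m.group(1))
            continue
        for pattern in ACL_REFS:
            m = pattern.match(line)
            if m:
                referenced.add(m.group(1))
                break

    def nearest(name, pool):
        hit = difflib.get_close_matches(name, sorted(pool), n=1, cutoff=cutoff)
        return hit[0] if hit else None

    findings = [("unreferenced", n, nearest(n, referenced))
                for n in sorted(defined - referenced)]
    findings += [("undefined", n, nearest(n, defined))
                 for n in sorted(referenced - defined)]
    return findings


if __name__ == "__main__":
    for kind, name, near in audit_acl_names(SAMPLE_CONFIG):
        hint = f" (did you mean {near}?)" if near else ""
        print(f"{kind}: {name}{hint}")
```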
 

Author Comment

by:minniejp
So this is correct?

no access-list inside_nat_0_outbound extended permit ip any A-192.168.1.0 255.255.255.0
no access-list inside_nat_0_outbound extended permit ip A-192.168.1.0 255.255.255.0
no access-list inside_nat_0_outbound extended permit ip 10.8.5.0 255.255.255.0 A-192.168.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip any A-192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip A-192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.8.5.0 255.255.255.0 A-192.168.1.0 255.255.255.0
0
 
LVL 7

Expert Comment

by:kellemann
I think this line is redundant, but otherwise yes

access-list inside_nat0_outbound extended permit ip A-192.168.1.0 255.255.255.0
0
 

Author Comment

by:minniejp
You are great, that is now working!!
0
 
LVL 7

Expert Comment

by:kellemann
Good to hear. Cheers!
0
 

Author Closing Comment

by:minniejp
Excellent assistance! Cheers kellemann
0
