506th PIX and VPN client - multiple connections connections

I have a PIX of the 506th (6.2) w/3DES license and 3.6.3 VPN client software. I'm only using group user name and password to authenticate. The first user login works fine. When the second user connects, the first is finished and the second works very well. The product turned on States I should be able to have 25 simultaneous connections or site to site or customer.

Any help will be greatly appreciated, Kyle

Are these two users on the same site, behind a device that makes PAT? If so, then this device is causing the problem, not the PIX. The device is unable to correctly translate the IPsec packets. Unfortunately nothing you can do about it on the PIX, although the next version of the software (6.3 to your calendar of March) will have NAT - T support (which the client currently supports). Once that support NAT - T both ends, they'll be able to say that there's a PAT instrument between the two and they will automatically encapsulate everything in the UDP packets, which your PAT instrument will be able to translate correctly.

Tags: Cisco Security

Similar Questions

  • VPN client - multiple connection possibilities?

    Hi people,

    My basic question is, Cisco VPN Client allows two simultaneous VPN connections at the same time?

    I would like to implement the following:

    Customer user (remote access VPN via Internet)--> Head Office c/o ASA 5520 pair--> (VPN remote access via Internet)--> pair of Branch Office ASA 5510 S + a/s

    For example, to access the Branch Office system, the user must:

    1. connect to the peer of Head Office ASA via Cisco VPN Client (the user/password authentication)

    Head Office ASA peer gives an 172.16.1.x private IP address and is configured to route all requests for public office ASA IP through its own public IP address.

    2. once Head Office VPN is established, the user establishes a SECOND VPN tunnel of the Cisco VPN client (user/password and focused on the cert auth)

    I.e. branch sees the VPN connection try from the public IP address of Headquarters and therefore allows the VPN through the ACL traffic and allows the continuation of the VPN negotiations as usual.  Customer is given another IP address private, 192.168.10.x.

    Basically, I need to limit the remote access VPN branch to make it only accessible from Headquarters public IP address, no public IP address of the user (and therefore the entire internet).


    I know this is an unusual configuration, and some will say on the sensitivity of security to allow two simultaneous VPN connections.  These are the two networks of trust, strict ACL would be at stake and there is a long history behind this requirement...

    Thanks in advance!

    Alistair,

    You can limit the access of VPN connections to branch by blocking connections on UDP ports 500, 4500 UDP and ESP and allowing him only from your home office. In this way, only the explicitly authorized public IP address of your home office would be able to connect to your remote sites by using an IPSec tunnel.

    Now, on the second tunnel I don't think it's possible. As far I am aware you cannot have two connections to VPN at the same time of the same customer. The VPN will not let you do, it's mainly because when you have a VPN Client the VPN map session comes up and you can only one card virtual VPN.

    Because I don't think it is possible I would advice to try something like this:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

    Could provide you the connectivity that you are looking for without needing a second tunnel VPN from the client side.

    I hope this helps.

    Raga

  • Router vpn site to site PIX and vpn client

    I have two on one interface on the pix vpn connections that terminate VPN. client vpn and VPN site-to-site have passed phase one and two and decrypt and encrypt the packets. However as in another post I can not ping through the l2l vpn. I checked this isn't a nat problem a nd two NAT 0 on the pix and the NAT on the router access lists work correctly.

    ISAKMP crypto RTR #show its
    IPv4 Crypto ISAKMP Security Association
    status of DST CBC State conn-id slot
    66.x.x.x 89.x.x.x QM_IDLE 2001 0 ACTIVE

    IPv6 Crypto ISAKMP Security Association

    local ident (addr, mask, prot, port): (192.168.2.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (192.168.10.0/255.255.255.0/0/0)
    current_peer 66.x.x.x port 500
    LICENCE, flags is {origin_is_acl},
    #pkts program: 23583, #pkts encrypt: 23583 #pkts digest: 23583
    #pkts decaps: 18236, #pkts decrypt: 18236, #pkts check: 18236
    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 0, #pkts compr. has failed: 0
    #pkts not unpacked: 0, #pkts decompress failed: 0
    #send 40, #recv errors 0

    local crypto endpt. : 89.x.x.x, remote Start crypto. : 66.x.x.x
    Path mtu 1380, ip mtu 1380, ip mtu BID Dialer0
    current outbound SPI: 0xC4BAC5E (206285918)

    SAS of the esp on arrival:
    SPI: 0xD7848FB (225986811)
    transform: aes - esp esp-sha-hmac.
    running parameters = {Tunnel}
    Conn ID: 3, flow_id: Motorola SEC 1.0:3, card crypto: PIX_MAP
    calendar of his: service life remaining (k/s) key: (4573083/78319)
    Size IV: 16 bytes
    support for replay detection: Y
    Status: ACTIVE

    the arrival ah sas:

    SAS of the CFP on arrival:

    outgoing esp sas:
    SPI: 0xC4BAC5E (206285918)
    transform: aes - esp esp-sha-hmac.
    running parameters = {Tunnel}
    Conn ID: 4, flow_id: Motorola SEC 1.0:4, card crypto: PIX_MAP
    calendar of his: service life remaining (k/s) key: (4572001/78319)
    Size IV: 16 bytes
    support for replay detection: Y
    Status: ACTIVE

    outgoing ah sas:

    outgoing CFP sas:

    Expand the IP NAT access list
    10 deny ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255 (21396 matches)
    20 permit ip 192.168.2.0 0.0.0.255 everything (362 matches)
    Expand the IP VPN_ACCESS access list
    10 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 (39724 matches)

    I looked on the internet and that it points to a routing error when packets are being encrypted and decrypted, but you can't do a ping on the binding. However when I test the connection I did not enter any of the static routes that networks are connected directly on each side of the pix and the router. any help would be a preciated as I think there's maybe something is blocking the ping to reach the internal network at the end of pix with a configured access list.

    is ping failure of the only thing between the site to site VPN? and assuming that all other traffic works fine since it decrypts and encrypts the packets.

    If it's just ping, then activate pls what follows on the PIX:

    If it is version 6.3 and below: fixup protocol icmp

    If it is version 7.0 and higher: select "inspect icmp" under your political map of the world.

    Config complete hand and on the other could help determine if it's a configuration problem or another problem.

  • PIX: Cisco VPN Client connects but no routing

    Hello

    We have a Cisco PIX 515 with software 7.1 (2). He accepts Cisco VPN Client connections with no problems, but no routing does to internal networks directly connected to the PIX. For example, my PC is affected by the IP 172.16.2.57 and then ping does not respond to internal Windows server 172.16.0.12 or trying to RDP. The most irritating thing is that these attempts are recorded in the system log, but always ended with "SYN timeout", as follows:

    2009-01-06 23:23:01 Local4.Info 217.15.42.214% 302013-6-PIX: built 3315917 for incoming TCP connections (172.16.2.57/1283) outside:172.16.2.57/1283 inside: ALAI2 / 3389 (ALAI2/3389)

    2009-01-06 23:23:31 Local4.Info 217.15.42.214% 302014-6-PIX: TCP connection disassembly 3315917 for outside:172.16.2.57/1283 inside: ALAI2 / 3389 duration 0:00:30 bytes 0 SYN Timeout

    2009-01-06 23:23:31 Local4.Debug 217.15.42.214% 7-PIX-609002: duration of disassembly-outside local host: 172.16.2.57 0:00:30

    We tried to activate and deactivate "nat-control", "permit same-security-traffic inter-interface" and "permit same-security-traffic intra-interface", but the results are the same: the VPN connection is successfully established, but remote clients cannot reach the internal servers.

    I enclose the training concerned in order to understand the problem:

    interface Ethernet0

    Speed 100

    full duplex

    nameif outside

    security-level 0

    IP address xx.yy.zz.tt 255.255.255.240

    !

    interface Ethernet1

    nameif inside

    security-level 100

    172.16.0.1 IP address 255.255.255.0

    !

    access extensive list ip 172.16.0.0 inside_nat0_outbound allow 255.255.255.0 172.16.2.56 255.255.255.248

    !

    access extensive list ip 172.16.0.0 outside_cryptomap_dyn_20 allow 255.255.255.0 172.16.2.56 255.255.255.248

    !

    VPN_client_group_splitTunnelAcl list standard access allowed 172.16.0.0 255.255.255.0

    !

    IP local pool pool_vpn_clientes 172.16.2.57 - 172.16.2.62 mask 255.255.255.248

    !

    NAT-control

    Global xx.yy.zz.tt 12 (outside)

    NAT (inside) 0-list of access inside_nat0_outbound

    NAT (inside) 12 172.16.0.12 255.255.255.255

    !

    internal VPN_clientes group strategy

    attributes of Group Policy VPN_clientes

    xxyyzz.NET value by default-field

    internal VPN_client_group group strategy

    attributes of Group Policy VPN_client_group

    Split-tunnel-policy tunnelspecified

    value of Split-tunnel-network-list VPN_client_group_splitTunnelAcl

    xxyyzz.local value by default-field

    !

    I join all the details of the cryptographic algorithms because the VPN is successfully completed, as I said at the beginning. In addition, routing tables are irrelevant in my opinion, because the inaccessible hosts are directly connected to the internal LAN of the PIX 515.

    Thank you very much.

    can you confirm asa have NAT traversal allow otherwise, activate it in asa and vpn clients try again.

    PIX / ASA 7.1 and earlier versions

    PIX (config) #isakmp nat-traversal 20

    PIX / ASA 7.2 (1) and later versions

    PIX (config) #crypto isakmp nat-traversal 20

  • VPN client, lost connection

    Hello

    I pix506e here... and vpn clients connected.

    But suddenly lost connection vpn client 40 minutes and then try to reconnect again but fail. If the vpn client restarts their pc/notebook...yes it can connected to vpn again... but the interruption of the connection again... then restart... and so on... What is the cause of this problem?

    Thanks for the help

    Tonny

    All remote VPN clients are having the same problem or is it limited to just a few. If the problem is seen with only a few, it is quiet possible that the problem is not with the PIX of the customer. In addition, the DPO is enabled or not. DPD will cause tips to know an IPSec connection over, where the SAs flusing, allowing new being negotiate quickly.

  • VPN Client TCP connection to router IOS

    Hello

    I try to get a VPN client to connect via TCP to a router. I currently have the router put in place (and work) in using a VPN - UDP. Unfortunately one of the sites I visit will not allow VPN traffic outside of their firewall. I have searched all over the site of Cisco and can't find any information on the IOS configuration to accept TCP - VPN connections. I would like to change the TCP port 80, so my VPN traffic looks like just standard internet browsing my client firewall. Any links/pointer would be greatly appreciated.

    Thanks in advance!

    -Joe

    Take a look at this:

    http://www.Cisco.com/en/us/docs/iOS/12_2t/12_2t8/feature/guide/ftunity.html#wp1310210

    http://www.Cisco.com/en/us/docs/iOS/12_2t/12_2t8/feature/guide/ftunity.html#wp1305478

    http://www.Cisco.com/en/us/docs/iOS/12_2t/12_2t8/feature/guide/ftunity.html#wp1315635

    Please rate if useful.

    Concerning

    Farrukh

  • Cisco vpn client to connect but can not access to the internal network

    Hi all

    I have a VPN configured on cisco 5540. My vpn was working fine, but suddenly there is a question that the cisco vpn client to connect but can not access to the internal network

    Any help would be much appreciated.

    Hi Samir,

    I suggest that you go to the ASA and check the configuration to make sure that it complies with the requirements according to the reference below link:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805734ae.shtml

    (The link above includes split tunneling, but this is just an option.

    Please paste the output of "sh cry ipsec his" here so that we can check if phase 2 is properly trained. I would say as you go to IPSEC vpn client on your PC and check increment in packets sent and received in the window 'status '.

    Let me know if this can help,

    See you soon,.

    Christian V

  • Get VPN client to connect, but request timed out when ping

    Hi, I use the router Cisco 837 as my VPN server. I am connected using Cisco VPN Client Version 5. But when I ping the ip of the router, I have request timed out. Here is my configuration:

    Building configuration... Current configuration : 3704 bytes ! version 12.4 no service pad service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname michael ! boot-start-marker boot-end-marker ! memory-size iomem 5 no logging console enable secret 5 $1$pZLW$9RZ8afI8QdGRq0ssaEJVu0 ! aaa new-model ! ! aaa authentication login default local aaa authentication login sdm_vpn_xauth_ml_1 local aaa authorization exec default local aaa authorization network sdm_vpn_group_ml_1 local ! aaa session-id common ! resource policy ! ip subnet-zero no ip dhcp use vrf connected ip dhcp excluded-address 192.168.1.1 ! ip dhcp pool michael    network 192.168.1.0 255.255.255.0    default-router 192.168.1.1    dns-server 202.134.0.155 ! ip dhcp pool excluded-address    host 192.168.1.4 255.255.255.0    hardware-address 01c8.d719.957a.b9 ! ! ip cef ip name-server 202.134.0.155 ip name-server 203.130.193.74 vpdn enable ! ! ! ! username michael privilege 15 secret 5 $1$ZJQu$KDigCvYWKkzuzdYHBEY7f. username danny privilege 10 secret 5 $1$BDs.$Ez0u9wY7ywiBzVd1ECX0N/ ! ! ! crypto isakmp policy 1 encr 3des authentication pre-share group 2 crypto isakmp xauth timeout 15 ! crypto isakmp client configuration group michaelvpn key vpnpassword pool SDM_POOL_1 acl 199 netmask 255.255.255.0 ! ! crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac ! crypto dynamic-map SDM_DYNMAP_1 1 set transform-set ESP-3DES-SHA ! ! crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1 crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1 crypto map SDM_CMAP_1 client configuration address respond crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1 ! ! ! interface Ethernet0 description $FW_INSIDE$ ip address 192.168.1.1 255.255.255.0 ip nat inside ip virtual-reassembly ip tcp adjust-mss 1452 hold-queue 100 out ! interface Ethernet2 no ip address shutdown hold-queue 100 out ! interface ATM0 no ip address no atm ilmi-keepalive dsl operating-mode auto pvc 0/35   pppoe-client dial-pool-number 1 ! ! interface FastEthernet1 duplex auto speed auto ! interface FastEthernet2 duplex auto speed auto ! interface FastEthernet3 duplex auto speed auto ! interface FastEthernet4 duplex auto speed auto ! interface Virtual-PPP1 no ip address ! interface Dialer1 description $FW_OUTSIDE$ mtu 1492 ip address negotiated ip nat outside ip virtual-reassembly encapsulation ppp dialer pool 1 ppp chap hostname ispusername ppp chap password 0 isppassword ppp pap sent-username ispusername password 0 isppassword crypto map SDM_CMAP_1 ! ip local pool SDM_POOL_1 192.168.2.1 192.168.2.5 ip classless ip route 0.0.0.0 0.0.0.0 Dialer1 ip http server no ip http secure-server ! ip nat inside source static udp 192.168.1.0 1723 interface Dialer1 1723 ip nat inside source static tcp 192.168.1.4 21 interface Dialer1 21 ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload ! access-list 1 remark SDM_ACL Category=16 access-list 1 permit 192.0.0.0 0.255.255.255 access-list 102 remark SDM_ACL Category=2 access-list 102 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 access-list 102 permit ip 192.168.1.0 0.0.0.255 any access-list 199 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 route-map SDM_RMAP_1 permit 1 match ip address 102 ! ! control-plane ! banner motd ^C Authorized Access Only UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED You must have explicit permission to access this device. All activities performed on this device are logged. Any violations of access policy will result in disciplinary action. ^C ! line con 0 no modem enable line aux 0 line vty 0 4 ! scheduler max-task-time 5000 end
    

    Thank you, anny help will be appreciated.
    			 
    Hi Michael,
    

    I have been through the newspapers, they are not conclusive and only detrmine that Phase 1 is coming. However according to this error message % SYS-2-BADSHARE: Bad refcount in pak_enqueue, ptr = 81B50AD8, count = 0 we are hiiting a bug on ios. The id of the bug is CSCsl24693 and the solution is to switch to 12.4 (11) XJ.
    

    Can you re-execute him debugs and send me the detailed results.
    

    Kind regards
    

    Aman

  • Binds two ISP ASA to remote VPN Client to connect to instead of creating two profiles on the remote client

    Hello

    just a quick,

    TOPOLOGY

    ASA isps1 - 197.1.1.1 - outside

    ASA ISP2 - 196.1.1.1 - backup

    LAN IP - 192.168.202.100 - inside

    I have configured Tunnel on the interfaces (external and backup), but is to link both legs public to serve a thare as redundancy for vpn users and users of the vpn tunnel leave pointing inside IP whenever they want to establish vpn sssion, we want it to be one, so if an interface fails vpn users will not know , but he will try the second for the connection. instead of creating the profile for the two outside of the leg on the vpn client.

    is this possible?

    Hi Rammany.

    In your case, you have only an ASA that connects with 2 ISP in another segment IP... 196.x.x.x (Link1) & 197.x.x.x (Link2). What your condition is you want to have the VPN client who must be consulted with backup. If 196.x.x.x link fails, it should automatically take 197.x.x.x link. That too we should not have the config set in the VPN client backup server. You don have the possibility of having standby active also in asa single.

    I think n so it will work with your current design.

    This option is if your VPN client supports host name resolution (DNS). You can have the VPN created for both the public IP address share the same host name keeping the bond as the primary address 1 and 2 a secondary address. It will work alone.

    Hope someother experts in our forum can help you with that.

  • WAG-120N and static ip - wireless and wired clients cannot connect to the internet

    Greetings,

    I use the N WAG-120 AP and switch for 3 computers laptops and 2 Office. Our Department is assigned only a what IP static of our server, as well as a pc can connect to the server and the internet. I use the first lan port of the 120N Wag as a WAN port and I attribute the static IP address, and the subnet, default gateway, and DNS addresses. Connected clients receive an ip address from the DHCP (192.168.1.10x) router, but cannot connect to the internet. How can I configure my router to allow clients to connect?

    Thank you in advance!

    The default LAN IP of the WAG subnet is 192.168.1.0/255.255.255.0 belongs to 192.168.0.0/255.255.0.0. This means that 192.168.1.0 IP addresses exist side WAN and LAN of the WAG. What makes this configuration completely cannot be routed.

    Change the address LAN IP of the WAG to an IP outside the corporate network, for example using IP addresses private 172.16/12, for example to set the address LAN IP 172.16.1.1 with 255.255.255.0 subnet mask.

    The alternative would be to use the WAG as a point of easy access only, and not as a router. However, due to the 255.255.0.0 subnet in your network company you will not be able to access the web interface except from an IP address corresponding to the LAN IP address subnet of the WAG. Of course, this does not affect the wireless or wireline customers connected to the WAG...

  • VSphere Client multiple connections to a single server vCenter Server?

    I have a vCenter Server that manages a few hosts. I know it's a bad habit to manage guests individually using vSphere Client, but I was wondering if I can have multiple connections to the same server vCenter Server vSphere client using the same Windows credentials?

    It seems counterproductive to only allow a connection to the server vCenter Server...

    Yes - by default, a connection up to 25 to vCenter

  • ASA VPN server and vpn client router 871

    Hi all

    I have ASA 5510 as simple VPN server and 871 router as simple VPN client. I want to have the user ID and permanent password on 871 and not to re - enter username and password since 871 uses dynamic IP address and every time I have to ' cry ipsec client ezvpn xauth "and type user name and password.

    any suggestions would be much appreciated.

    Thank you

    Alex

    Do "crypto ipsec client ezvpn show ' on 871, does say:

    ...

    Save password: refused

    ...

    ezVPN server dictates the client if it can automatically connect with saved password.

    Set "enable password storage" under the group policy on the ASA.

    Kind regards

    Roman

  • Please help router and vpn client

    Hi all

    I want to make a vpn between my PC (with version 4.8.02.0010 of the VPN Client) and a remote router (Cisco 2811) version of the software IOS 12.4 (9) T7 and the following configuration

    AAA new-model

    !

    local VPNCLIENT from AAA authentication login.

    local AAA VPNGROUP authorization network

    Hello test user name password

    crypto ISAKMP policy 3

    BA 3des

    preshared authentication

    Group 2

    !

    ISAKMP crypto client configuration group 3000client

    key cisco123

    DNS 62.42.230.24

    domain cisco.com

    pool ippool

    !

    Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT

    !

    Crypto-map dynamic dynmap 10

    transformation-RIGHT game

    !

    map clientmap client authentication list of crypto list

    crypto isakmp authorization list grupo clientmap map

    client configuration address map clientmap crypto answer

    10 ipsec-isakmp crypto map clientmap Dynamics dynmap

    !

    interface FastEthernet0/0

    DHCP IP address

    NAT outside IP

    IP virtual-reassembly

    load-interval 30

    automatic duplex

    automatic speed

    clientmap card crypto

    !

    interface FastEthernet0/0/0

    !

    interface FastEthernet0/0/1

    !

    interface FastEthernet0/0/2

    !

    interface FastEthernet0/0/3

    !

    interface Vlan1

    192.168.4.1 IP address 255.255.255.0

    IP nat inside

    IP virtual-reassembly

    load-interval 30

    !

    IP local pool ippool 192.168.4.100 192.168.4.200

    no ip classless

    IP route 0.0.0.0 0.0.0.0 62.43.195.100

    !

    IP http server

    local IP http authentication

    no ip http secure server

    IP http timeout policy inactive 600 life 86400 request 10000

    overload of IP nat inside source list 102 interface FastEthernet0/0

    access-list 102 permit ip 192.168.4.0 0.0.0.255 any

    !

    Line con 0

    line to 0

    line vty 0 4

    privilege level 15

    transport telnet entry

    line vty 5 15

    privilege level 15

    transport telnet entry

    !

    When I connect to the public IP address of the router, that everything is fine and status is connected. But I do not have connectivity to the internet and I can only ping 192.168.4.1, but no other IP address of this beach.

    I would be grateful any sort of kelp.

    Thank you

    You must make sure that your internal traffic goes to the VPN client is NOT be NATT would be.

    You need to re - write acl 102 to something like: -.

    access-list 102 deny ip 192.168.4.0 0.0.0.255 192.168.4.0 0.0.0.255

    access-list 102 permit ip 192.168.4.0 0.0.0.255 any

    HTH >

  • Firewall and VPN client

    What is the problem with the built-in firewall in which accompanies the VPN client? Is it good enuff to use with split tunneling, and it is always the same if the tunnel is not mounted?

    Nick

    The built-in firewall is a basic zone alarm firewall. No options to set it up, there you turn on or off. Default rule is rejecting all incoming traffic, it does not all outbound traffic. It is on the tunnel is up or not until you have it turned off. If you connect to a hub, you can configure the hub to push down her rules and require that its to connect. Yes its pretty good to use with the split in my opinion, tunneling but depend on your security policies.

    Kurtis Durrett

  • 1710 VPN and VPN Client - routing problem '' maybe. ''

    Hello

    I was able to get with 3DES and CISCO VPN Client 3.6.1 1710. with permission of local aaa.

    When I am connected to the VPN I can ping to the IP address of the VPN router

    (24.x.x.x.) and I can ping to the router's internal interface (192.168.x.x).

    The problem is that I can't ping anything else - for example: hosts in the enterprise network (192.168.x.x).

    Configuration:

    The router's internal IP address: 192.168.x.x

    The router's external IP address: 24.x.x.x

    ippool for customers: 10.10.10.x

    The IP address of the Client after the connection is correct: 10.0.0.x (from pool)

    Maybe I'm missing something in 1710 confg? I have NAT interface internal? The default gateway of the net is FreeBSD, not the router of 1710 system.

    All ideas are welcome.

    Miro Pendev

    TI Administrstor

    Quite often, you will lose the first ping because an ARP must be sent and responded to, but if you get the subsequent pings, then it's OK.

    For what is able to browse the Internet while the tunnel is up, you must enable split tunneling. Add the following:

    > access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255

    > isakmp crypto client configuration group my_usergroup

    > acl 110

    This means that the client will only encrypt the traffic to the 192.168.1.0 network, all other traffic shuts down in the clear on the Internet.

Maybe you are looking for