Access DMZ, internal

I use a PIX 506 6.1 (1) with such a DMZ. It's our first DMZ and I need assistance to access to the web server in the DMZ. We use a 172.16.0.0 subnet for the demilitarized zone and a 192.168.40.0 internal subnet. In 12.19.xxx.xx public subnet address. I added the following to the Web server on the PIX:

static (dmz, external) 12.19.xxx.xx 172.16.0.21 netmask 255.255.255.255 0 0

Global (dmz) 1 172.16.0.100 - 172.16.0.110

NAT (dmz) 1 172.16.0.0 255.255.255.0

I need to access the Web server in the DMZ to the 192.168.40.0 subnet.

What Miss me? Thank you

This access list do anything?

sheep 192.168.40.0 ip access-list allow 255.255.255.0 10.0.1.0 255.255.255.0

sheep 192.168.40.0 ip access-list allow 255.255.255.0 host 200.171.173.178

sheep 192.168.40.0 ip access-list allow 255.255.255.0 10.0.5.0 255.255.255.0

sheep 192.168.40.0 ip access-list allow 255.255.255.0 host 64.219.15.121

192.168.31.0 IP Access-list sheep 255.255.255.0 allow 10.0.5.0 255.255.255.0

192.168.31.0 IP Access-list sheep 255.255.255.0 allow host 64.219.15.121

sheep 192.168.40.0 ip access-list allow 255.255.255.0 10.0.3.0 255.255.255.0

sheep 192.168.40.0 ip access-list allow 255.255.255.0 host 148.233.144.17

sheep 192.168.40.0 ip access-list allow 255.255.255.0 10.0.4.0 255.255.255.0

sheep 192.168.40.0 ip access-list allow 255.255.255.0 host 148.235.11.101

sheep 192.168.40.0 ip access-list allow 255.255.255.0 10.0.7.0 255.255.255.0

sheep 192.168.40.0 ip access-list allow 255.255.255.0 host 66.136.190.89

sheep 192.168.40.0 ip access-list allow 255.255.255.0 10.0.6.0 255.255.255.0

sheep 192.168.40.0 ip access-list allow 255.255.255.0 host 64.22.205.74

sheep 192.168.40.0 ip access-list allow 255.255.255.0 10.0.0.0 255.255.255.0

I think that's the problem.

You should use something like that;

sheep 192.168.40.0 ip access-list allow 255.255.255.0 172.16.0.0 255.255.255.0

This should take from your home to your dmz.

Tags: Cisco Security

Similar Questions

To access the internal settings of a block

Hi all

I use the LabVIEW FPGA 2015 for a project. I would like to access the internal got (data type, size, etc.) as the window scaling, FFT, blocks

or another block. Or even change the size of an external FIFO without having to open the game menu. Is this possible in LabVIEW?

Thanks in advance,

Hazem

You can right click... 'convert Subvi' to open the diagram and repeat for the inner screws.

This allows you to see the actual code. You may be able to recover fragments of code and use your own code.

BEFSX41 web access to internal pages

Lately, I have great difficulty to access the internal HTML pages to this router. I'll either get half a page or no page at all and the browser will display "Loading" or "Waiting for 192.168.1.1 ' and the page never ends. Sometimes I give him a soft or hard starting, and it will work fine for a few days and then start to slow down again.

Access to the Internet through the router is normal in all the respeces it's just internal HTML code that is messed up. I don't use DHCP, or have no open special ports.

EDIT: Version 1.52.9 as near I can tell when you see the index page.

Bill

The upgrade to 1.52.10 failed two times in a row about the point to halfway. I had the chance to get back both times to 1.52.9. I'll try once more and then go shopping for another router. Thanks for your help.

Bill

Cannot access the internal network with Cisco easy vpn client RV320

I have a cisco RV320 (firmware v1.1.1.06) and created a tunnel easy vpn (= split tunnel tunnel mode), then I installed the cisco client vpn v5.0.07.0290 in Windows 7 64 bit, I can connect to the vpn, but I do not see the other pc ping nor them, no idea?

Thank you

Hello

1. is the firewall on the active Windows 7 computer? If so, please disable it

2. can you check that you get a correct IP address in the range of the POOL of IP configured?

3. When you perform the tracert command to access an internal server, it crosses the VPN¨?

4. is the tunnel of split giving you access to internal IP subnets defined?

5. on the RV320 you see the user connected and sending and receiving bytes?

Don t forget to rate and score as correct the helpful post!

David Castro,

Kind regards

VPN IS CONNECTED BUT CANNOT ACCESS THE INTERNAL NETWORK

I tried to set up a simple customer vpn using this document

http://www.Cisco.com/en/us/products/sw/secursw/ps2308/products_configuration_example09186a00801e71c0.shtml

VPN IS CONNECTED BUT CANNOT ACCESS THE INTERNAL NETWORK BEHIND "RA"...

6.3 (5) PIX version

interface ethernet0 car

Auto interface ethernet1

ethernet0 nameif outside security0

nameif ethernet1 inside the security100

activate the encrypted password of VmHKIhnF4Gs5AWk3

VmHKIhnF4Gs5AWk3 encrypted passwd

hostname VOIPLABPIX

domain voicelab.com

fixup protocol dns-length maximum 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol they 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol 2000 skinny

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names of

access-list 101 permit ip 172.10.2.0 255.255.255.0 172.10.3.0 255.255.255.0

access-list 101 permit ip 172.10.1.0 255.255.255.0 172.10.3.0 255.255.255.0

access-list 102 permit ip 172.10.2.0 255.255.255.0 172.10.3.0 255.255.255.0

access-list 102 permit ip 172.10.1.0 255.255.255.0 172.10.3.0 255.255.255.0

pager lines 24

Outside 1500 MTU

Within 1500 MTU

IP address outside 208.x.x.11 255.255.255.0

IP address inside 172.10.2.2 255.255.255.0

alarm action IP verification of information

alarm action attack IP audit

IP local pool voicelabpool 172.10.3.100 - 172.10.3.254

history of PDM activate

ARP timeout 14400

NAT (inside) - 0 102 access list

Route outside 0.0.0.0 0.0.0.0 208.x.x.11 1

Route inside 172.10.1.0 255.255.255.0 172.10.2.1 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

Sip timeout - disconnect 0:02:00 prompt Protocol sip-0: 03:00

Timeout, uauth 0:05:00 absolute

GANYMEDE + Protocol Ganymede + AAA-server

AAA-server GANYMEDE + 3 max-failed-attempts

AAA-server GANYMEDE + deadtime 10

RADIUS Protocol RADIUS AAA server

AAA-server RADIUS 3 max-failed-attempts

AAA-RADIUS deadtime 10 Server

AAA-server local LOCAL Protocol

Enable http server

http 172.0.0.0 255.0.0.0 inside

http 0.0.0.0 0.0.0.0 inside

No snmp server location

No snmp Server contact

SNMP-Server Community public

No trap to activate snmp Server

enable floodguard

Permitted connection ipsec sysopt

Crypto ipsec transform-set esp-aes-256 trmset1, esp-sha-hmac

Crypto-map dynamic map2 10 set transform-set trmset1

map map1 10 ipsec-isakmp crypto dynamic map2

client authentication card crypto LOCAL map1

map1 outside crypto map interface

ISAKMP allows outside

ISAKMP identity address

part of pre authentication ISAKMP policy 10

ISAKMP policy 10 encryption aes-256

ISAKMP policy 10 sha hash

10 2 ISAKMP policy group

ISAKMP life duration strategy 10 86400

vpngroup address voicelabpool pool cuclab

vpngroup dns 204.x.x.10 Server cuclab

vpngroup cuclab by default-field voicelab.com

vpngroup split tunnel 101 cuclab

vpngroup idle 1800 cuclab-time

vpngroup password cuclab *.

Telnet timeout 5

SSH 208.x.x.11 255.255.255.255 outside

SSH 0.0.0.0 0.0.0.0 outdoors

SSH 172.10.1.2 255.255.255.255 inside

SSH timeout 60

Console timeout 0

username labadmin jNEF0yoDIDCsaoVQ encrypted password privilege 2

Terminal width 80

Cryptochecksum:b03a349e1ac9e6022432523bbb54504b

: end

Try to turn on NAT - T

PIX (config) #isakmp nat-traversal 20

http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a00807e0aca.shtml#Solution1

HTH

Cisco ASA 5505 VPN L2TP cannot access the internal network

Hello

I'm trying to configure Cisco VPN L2TP to my office. After a successful login, I can't access the internal network.

Can you jhelp me to find the problem?

I have Cisco ASA:

within the network - 192.168.1.0

VPN - 192.168.168.0 network

I have the router to 192.168.1.2 and I cannot ping or access this router.

Here is my config:

ASA Version 8.4 (3)

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

IP 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

IP 198.X.X.A 255.255.255.248

!

passive FTP mode

permit same-security-traffic intra-interface

the net-all purpose network

subnet 0.0.0.0 0.0.0.0

network vpn_local object

192.168.168.0 subnet 255.255.255.0

network inside_nw object

subnet 192.168.1.0 255.255.255.0

outside_access_in list extended access permit icmp any any echo response

outside_access_in list extended access deny ip any any newspaper

pager lines 24

Enable logging

asdm of logging of information

Within 1500 MTU

Outside 1500 MTU

IP local pool sales_addresses 192.168.168.1 - 192.168.168.254

ICMP unreachable rate-limit 1 burst-size 1

don't allow no asdm history

ARP timeout 14400

NAT dynamic interface of net-all source (indoor, outdoor)

NAT (inside, outside) source inside_nw destination inside_nw static static vpn_local vpn_local

NAT (exterior, Interior) source vpn_local destination vpn_local static static inside_nw inside_nw-route search

!

network vpn_local object

dynamic NAT interface (outdoors, outdoor)

network inside_nw object

NAT dynamic interface (indoor, outdoor)

Access-group outside_access_in in interface outside

Route outside 0.0.0.0 0.0.0.0 198.X.X.B 1

Timeout xlate 03:00

Pat-xlate timeout 0:00:30

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

identity of the user by default-domain LOCAL

AAA authentication enable LOCAL console

the ssh LOCAL console AAA authentication

AAA authentication http LOCAL console

Enable http server

http 192.168.1.0 255.255.255.0 inside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

IKEv1 crypto ipsec transform-set my-transform-set-ikev1 esp-3des esp-sha-hmac

transport in transform-set my-transform-set-ikev1 ikev1 crypto ipsec mode

Crypto-map Dynamics dyno 10 set transform-set my-transformation-set-ikev1 ikev1

card crypto 20-isakmp ipsec vpn Dynamics dyno

vpn outside crypto map interface

Crypto isakmp nat-traversal 3600

Crypto ikev1 allow outside

IKEv1 crypto policy 10

preshared authentication

3des encryption

sha hash

Group 2

life 86400

Telnet timeout 5

SSH 192.168.1.0 255.255.255.0 inside

SSH timeout 30

Console timeout 0

management-access inside

dhcpd address 192.168.1.5 - 192.168.1.132 inside

dhcpd dns 75.75.75.75 76.76.76.76 interface inside

dhcpd allow inside

!

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

WebVPN

internal sales_policy group policy

attributes of the strategy of group sales_policy

Server DNS 75.75.75.75 value 76.76.76.76

Protocol-tunnel-VPN l2tp ipsec

user name-

user name-

attributes global-tunnel-group DefaultRAGroup

address sales_addresses pool

Group Policy - by default-sales_policy

IPSec-attributes tunnel-group DefaultRAGroup

IKEv1 pre-shared-key *.

tunnel-group DefaultRAGroup ppp-attributes

ms-chap-v2 authentication

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

maximum message length automatic of customer

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

Review the ip options

!

global service-policy global_policy

context of prompt hostname

no remote anonymous reporting call

Cryptochecksum:5d1fc9409c87ecdc1e06f06980de6c13

: end

Thanks for your help.

You must test with 'real' traffic on 192.168.1.2 and if you use ping, you must add icmp-inspection:

Policy-map global_policy

class inspection_default

inspect the icmp

--

Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni

ASA inside access DMZ and return

Hi Expert,

How configure ASA to allow access from the inside to dmz host and also back?

Thank you.

Rgds,

To the Shaw feel Yeong

Hello

By default, access from inside the DMZ is permitted this access is through higher security level to lower the level of security.

Return to inside host traffic is automatically granted by ASA/firewall if the connection / translation is valid / exists.

Example:

Inside of the intellectual property: 192.168.1.1/24

DMZ: 172.16.1.1/24

2 two ways to do:

a. use nat & global command:

Global (dmz) 1 172.16.1.10 - 172.16.1.20--> help de.10 a.20 will be used inside hosts to access dmz

Global (dmz) 1 172.16.1.21--> all inside will use this IP like PAT, if the above range is fully used.

NAT (inside) 1 192.168.1.0 255.255.255.0

Note:

-Use the ACL if you need to control the type of service to pass through and apply on the inside of the interface.

b. static use of translation between inside and DMZ subnets:

static (inside, dmz) 192.168.1 192.168.1.0 netmask 255.0.0.0

Note:

-This will allow inside the host to initiate & access dmz and dmz to initiate & access to the inside (initiate connection to dmz host). When DMZ accessing inside the host, DMZ use inside physics/assigned host IP.

-Use the ACL if you need to control the type of service for cross and apply on time interfaces dmz & Interior.

Example of configuration:

http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00806745b8.shtml

* Watch under command "static (inside the dmz).

Rgds,

AK

disk access error internal and SD T5 after bad disconnection from PC

Hello

yesterday I accidentally disconnect the cable my T5 when it was connected to my PC via drive Mode. Now I can't access the internal card and the SD to my PDA. Drive Mode circuit without problem. The application of "Files" poster only empty 'internal disc' and 'Card' without a proper label. I see the map, internal disc labels and its ability to 'Info card. Resco Explorer sees only ROM and RAM and may not display the content of BuiltIn, disk internal or SD card. When I try to open the card or int. drive Resco Explorer says: "memory: invalid parameter." (0 x 0103): SD2GB (H:/) "

I tried to do a soft reset a reset hot, but without success. It does not help when I probably have to 'remove' the drives in windows. It's always the same.

Please help, if you know what to do. Thank you.

If you are done doing reset soft and warm. then the last option is to restore the device to its factory settings.

Please perform hard reset and see if that can help solve the problem.

Message is about: Treo 680 (unlocked GSM)

No NAT DMZ web server when you access by internal users

How can I create an exception to allow users to access a web server on port 80 in the demilitarized zone inside? They cannot do that now because, in my view, the server goes through a NAT the public address, so how can I set up where a request from inside on port 80 on this server will not translate the IP of the server to a public IP address (via NAT)?

static (i, dmz) internal_net internal_net /xx

The CCIE Security

The VPN Clients cannot access any internal address

Without a doubt need help from an expert on this one...

Attempting to define a client access on an ASA 5520 VPN that was used only as a

Firewall so far. The ASA has been recently updated to Version 7.2 (4).

Problem: Once connected, VPN client cannot access anything whatsoever. Client VPN cannot

ping any address on internal networks, or even the inside interface of the ASA.

(I hope) Relevant details:

(1) the tunnel seems to be upward. Customers are the authenticated by the SAA and

are able to connect.

(2) by many other related posts, I ran a ' sh crypto ipsec her "to see the output: it

appears that the packets are décapsulés and decrypted, but NOT encapsulated or

encrypted (see the output of "sh crypto ipsec his ' home).

(3) by the other related posts, we've added commands associated with inversion of NAT (crypto

ISAKMP nat-traversal 20

crypto ISAKMP ipsec-over-port tcp 10000). These were in fact absent from our

Configuration.

(4) we tried encapsulation TCP and UDP encapsulation with experimental client

profiles: same result in both cases.

(5) if I (attempt) ping to an internal IP address of the connected customer, the

real-time log entries ASA show the installation and dismantling of the ICMP requests to the

the inner target customer.

(6) the capture of packets to the internal address (one that we try to do a ping of the)

VPN client) shows that the ICMP request has been received and answered. (See attachment

shooting).

(7) our goal is to create about 10 VPN client of different profiles, each with

different combinations of access to the internal VLAN or DMZ VLAN. We do not have

preferences for the type of encryption or method, as long as it is safe and it works: that

said, do not hesitate to recommend a different approach altogether.

We have tried everything we can think of, so any help or advice would be greatly

Sanitized the ASA configuration is also attached.

appreciated!

Thank you!

It should be the last step :)

on 6509

IP route 172.16.100.0 255.255.255.0 172.16.20.2

and ASA

no road inside 172.16.40.0 255.255.255.0 172.16.20.2

Unable to access an internal network while being connected with VPN

Hello

We have a PIX 515E with a remote access vpn.

Our internal network has an address network 192.168.1.0/24, and addresses we assign to vpn clients are 192.168.1.49 - 192.168.1.62, or 192.168.1.48/28.

When I connect to the vpn, I cannot ping none of my hosts internal. The error I get is "no group of translation not found for icmp src:...» »

It is quite clear that I would need a NAT rule, but why? Addresses are in the same network...

Could someone enlighten me on how I should proceed to nat traffic between vpn clients and the internal network?

Thank you.

Here is my current setup:

6.3 (1) version PIX

interface ethernet0 car

Auto interface ethernet1

Auto interface ethernet2

ethernet0 nameif outside security0

nameif ethernet1 inside the security100

nameif dmz security50 ethernet2

activate the password * encrypted

passwd * encrypted

hostname pix

domain callio.com

outside_inbound list access permit tcp any host 66 *. **. * eq www

outside_inbound list access permit tcp any host 66 *. **. * eq https

outside_inbound list of access permit udp any host 66 *. **. * Log domain eq

outside_inbound list access permit tcp any host 66 *. **. * Log domain eq

outside_inbound list access permit tcp any host 66 *. **. * object-group mailserver

outside_inbound list access permit tcp any host 66 *. **. * Newspaper ftp object-group 5

outside_inbound list access permit tcp any host 66 *. **. * eq 9999 journal 5

outside_inbound list access permit tcp any host 66 *. **. * eq www

outside_inbound list access permit tcp any host 66 *. **. * eq www

access-list outside_inbound udp host 66 license *. **. * Welcome 66 *. **. * eq syslog

outside_inbound deny ip access list a whole

pager lines 24

IP address outside 66 *. **. * 255.255.255.240

IP address inside 192.168.1.1 255.255.255.0

IP dmz 192.168.2.1 255.255.255.0

IP verify reverse path to the outside interface

local pool IP VPN-RemoteAccess 192.168.1.49 - 192.168.1.62

ARP timeout 14400

Global (outside) 10 66 *. **. * netmask 255.255.255.0

NAT (inside) 0-list of access no_nat_dmz

NAT (inside) 10 192.168.1.0 255.255.255.0 0 0

static (dmz, outside) 66 *. **. * c4 netmask 255.255.255.255 0 0

static (dmz, outside) 66 *. **. * 192.168.2.3 netmask 255.255.255.255 0 0

static (dmz, outside) 66 *. **. * 192.168.2.5 netmask 255.255.255.255 0 0

static (dmz, outside) 66 *. **. * 192.168.2.6 netmask 255.255.255.255 0 0

static (dmz, outside) 66 *. **. * 192.168.2.100 netmask 255.255.255.255 0 0

static (inside, dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0

Access-group outside_inbound in interface outside

Route outside 0.0.0.0 0.0.0.0 66 *. **. * 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

Timeout, uauth 0:05:00 absolute

GANYMEDE + Protocol Ganymede + AAA-server

RADIUS Protocol RADIUS AAA server

AAA-server local LOCAL Protocol

NTP server 199.212.17.15 source outdoors

Enable http server

http 192.168.1.101 255.255.255.255 inside

http 192.168.1.105 255.255.255.255 inside

SNMP-server host inside 192.168.1.105

No snmp server location

No snmp Server contact

SNMP-Server Community public

No trap to activate snmp Server

enable floodguard

Sysopt connection permit-pptp

Telnet timeout 5

SSH 192.168.1.105 255.255.255.255 inside

SSH timeout 5

Console timeout 0

VPDN PPTP VPN group accept dialin pptp

VPDN group VPN-PPTP ppp mschap authentication

VPDN group VPN-PPTP ppp mppe auto encryption required

the client configuration address local VPN-RemoteAccess VPDN group PPTP VPN

VPDN group VPN-PPTP client configuration dns 192.168.1.2

VPDN group VPN-PPTP pptp echo 60

authentication of VPN-PPTP client to the Group local VPDN

VPDN username someuser password *.

VPDN allow outside

Terminal width 80

Please use the following URL to check your config:

http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a0080143a5d.shtml

I hope this helps.

Jay

No access storage internal

Trying to copy files from my old RAZR to the new HD and it appears to the internal memory is no longer available for access via the USB connection to the computer. Am I missing a setting or is it a permanent change in the system?

Stuart

How to access the internal memory of Blackberry?

Hello
I am currently to access the file operation in the SD card. I want to access the file operation in the internal memory of Blackberry?

To access the file on the internal memory operation use file:///store/home/user/filename

Client VPN on PIX needs to access DMZ

VPN clients 3.5 ending PIX 6.X cannot access hosts on a PIX DMZ interface. Journal reports of error that there is no 'translation group available outside' for the subnet of the VPN Client (from the vpngroup pool).

I should add the VPN client subnet to a nat (outside) device?

Can I add it to the nat inside?

Can I just add static to the DMZ hosts within the subnet interface because VPN clients can access the inside hosts?

(I have the subnets in the nat 0 sheep ACL)

Thanks and greetings

JT

You'll need to add is nat 0. You say in your () you have an acl sheep, for the perimeter network or the inside interface? You use the same access list to the sheep inside and dmz? You should separate if you use separate access list. Is your pool of client on a different subnet than your home network and dmz? It must be something like this:

Customer IP local pool 192.168.1.1 - 192.168.1.254

IP, add inside 10.10.10.1 255.255.255.0

Add 10.10.20.1 dmz IP 255.255.255.0

access-list sheep by 10.10.10.0 ip 255.255.255.0 192.168.1.0 255.255.255.0

nonatdmz list of access by IP 10.10.20.0 255.255.255.0 192.168.1.0 255.255.255.0

NAT (inside) 0 access-list sheep

NAT (dmz) 0-list of access nonatdmz

If this is correct then clear x, wr mem, reload. I hope this helps.

Kurtis Durrett

PS

If he did not, only can recommend the upgrade your client and pix because that is exactly how it should look, and if its does not work you are facing an additional feature you want.

Cannot access any internal IPs when you are connected by VPN to ASA5505

Hello

I was able to configure VPN to work a bit on my ASA 5505. I can connect to the VPN and ping some IP addresses within the network. But some IPs don't react, I get "Request Timed Out"

For example:

10.10.0.4 - it works
10.10.0.5 - is not word
10.10.0.10 - it works
10.10.0.11 - it works
10.10.0.13 - does not work

If I ping from the network internally, all works well.

Does anyone have recommendations on how to address the issue?

VPN is the marking of the packages in a way that would trigger a firewall block?

It is the configuration of my ASA:

VPN with the name 'VPN-Remote' is the one I use.

 ASA Version 9.2(2)4 ! hostname ciscoasa enable password NuLKvvWGg.x9HEKO encrypted passwd NuLKvvWGg.x9HEKO encrypted names ip local pool RA_VPN 10.10.1.1-10.10.1.255 mask 255.255.255.0 ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 ! interface Ethernet0/6 ! interface Ethernet0/7 ! interface Vlan1 nameif inside security-level 100 ip address 10.10.0.1 255.255.255.0 ! interface Vlan2 nameif outside security-level 0 ip address dhcp setroute ipv6 enable ! boot system disk0:/asa922-4-k8.bin ftp mode passive clock timezone CST -6 clock summer-time CDT recurring same-security-traffic permit inter-interface same-security-traffic permit intra-interface object network obj_any subnet 0.0.0.0 0.0.0.0 object network INSIDE-SUBNET object network sb-service-80 host 10.10.0.143 object network sbservicetest object network sb-service-443 host 10.10.0.143 object network dvr_web host 10.10.0.30 object service DVR-Tomcat_port service tcp source eq 8080 destination eq 8080 object network NETWORK_OBJ_10.10.1.0_24 subnet 10.10.1.0 255.255.255.0 object network dvr_mobile host 10.10.0.30 object service DVR-Mobile_port service tcp source eq 18004 destination eq 18004 object network WAN host 98.195.48.88 object service Web80 service tcp source eq www destination eq www object network NETWORK_OBJ_10.10.2.0_24 subnet 10.10.2.0 255.255.255.0 object network NETWORK_OBJ_10.10.0.0_24 subnet 10.10.0.0 255.255.255.0 object-group network sb-service network-object object sb-service-443 network-object object sb-service-80 object-group network DVR-service network-object object dvr_web network-object object dvr_mobile object-group protocol TCPUDP protocol-object udp protocol-object tcp access-list outside_access_in extended permit icmp any any access-list inside_access_in extended permit ip any any access-list inside_access_in extended permit icmp any any inactive access-list Outside_access_in extended permit tcp any object sb-service-80 eq www access-list Outside_access_in extended permit tcp any object sb-service-443 eq https log disable access-list Outside_access_in extended permit tcp any object dvr_web eq 8080 log disable access-list Outside_access_in extended permit tcp any object dvr_mobile eq 18004 log disable access-list Outside_access_in extended permit icmp any any time-exceeded access-list Outside_access_in extended permit icmp any any unreachable log warnings access-list Outside_access_in extended permit icmp any any echo-reply access-list Outside_access_in extended permit icmp any any source-quench access-list global_mpc extended permit ip any any access-list RA_VPN-ACL extended permit ip object NETWORK_OBJ_10.10.2.0_24 any access-list Remote-VPN_splitTunnelAcl standard permit 10.10.0.0 255.255.255.0 access-list AnyConnect_Client_Local_Print extended deny ip any4 any4 access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631 access-list AnyConnect_Client_Local_Print remark Windows' printing port access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100 access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353 access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355 access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137 access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns pager lines 24 logging enable logging asdm notifications no logging message 106015 no logging message 313001 no logging message 313008 no logging message 106023 no logging message 710003 no logging message 106100 no logging message 302015 no logging message 302014 no logging message 302013 no logging message 302018 no logging message 302017 no logging message 302016 no logging message 302021 no logging message 302020 flow-export destination inside 10.10.0.111 2055 mtu inside 1500 mtu outside 1500 no failover icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-731.bin no asdm history enable arp timeout 14400 no arp permit-nonconnected nat (any,any) source static NETWORK_OBJ_10.10.1.0_24 NETWORK_OBJ_10.10.1.0_24 ! object network obj_any nat (inside,outside) dynamic interface object network sb-service-80 nat (inside,outside) static interface no-proxy-arp service tcp www www object network sb-service-443 nat (inside,outside) static interface no-proxy-arp service tcp https https object network dvr_web nat (inside,outside) static interface no-proxy-arp service tcp 8080 8080 object network dvr_mobile nat (inside,outside) static interface no-proxy-arp service tcp 18004 18004 ! nat (inside,outside) after-auto source dynamic any interface inactive access-group inside_access_in in interface inside access-group Outside_access_in in interface outside timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy user-identity default-domain LOCAL aaa authentication ssh console LOCAL http server enable http 10.10.0.0 255.255.255.0 inside http 0.0.0.0 0.0.0.0 outside snmp-server group snmp_g v3 auth snmp-server user snmp_u snmp_g v3 encrypted auth md5 1d:1b:67:96:29:9b:5c:49:42:d5:a4:10:13:e0:b2:ee snmp-server host inside 10.10.0.111 community ***** version 2c no snmp-server location no snmp-server contact snmp-server community ***** crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport crypto ipsec ikev2 ipsec-proposal DES protocol esp encryption des protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal 3DES protocol esp encryption 3des protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES protocol esp encryption aes protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES192 protocol esp encryption aes-192 protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES256 protocol esp encryption aes-256 protocol esp integrity sha-1 md5 crypto ipsec security-association pmtu-aging infinite crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map outside_map interface outside crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map inside_map interface inside crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0 enrollment self subject-name CN=10.10.0.1,CN=ciscoasa crl configure crypto ca trustpoint ASDM_TrustPoint0 enrollment self subject-name CN=ciscoasa proxy-ldc-issuer crl configure crypto ca trustpool policy crypto ca certificate chain ASDM_TrustPoint0 certificate aa711054 308201af 30820159 a0030201 020204aa 71105430 0d06092a 864886f7 0d010105 0500302c 3111300f 06035504 03130863 6973636f 61736131 17301506 092a8648 86f70d01 09021608 63697363 6f617361 301e170d 31353035 32303230 34353137 5a170d32 35303531 37323034 3531375a 302c3111 300f0603 55040313 08636973 636f6173 61311730 1506092a 864886f7 0d010902 16086369 73636f61 7361305c 300d0609 2a864886 f70d0101 01050003 4b003048 024100bc 4278aeda 26601456 0e035bb5 6021adc5 0ac9149a 11d95e72 c5a8509b 514fd50d 7a86bdb3 a00bda84 4e6bda8d 50124c64 1179acc4 b2869092 9a742b52 f97c2302 03010001 a3633061 300f0603 551d1301 01ff0405 30030101 ff300e06 03551d0f 0101ff04 04030201 86301f06 03551d23 04183016 8014d86a b4f1585d 7d93a0c7 7a1df9dd b37b0051 18aa301d 0603551d 0e041604 14d86ab4 f1585d7d 93a0c77a 1df9ddb3 7b005118 aa300d06 092a8648 86f70d01 01050500 034100a3 f0441214 1add483b 286fa44e 3844acce 27a68b2e 54f21dce 9a917783 1ab394f7 2d87e4d4 bcfcc7ef 6b26d604 bd0ea56f 05a72d0d 6c37413a b60216f3 612e0a quit crypto ikev2 policy 1 encryption aes-256 integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 10 encryption aes-192 integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 20 encryption aes integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 30 encryption 3des integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 40 encryption des integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 enable outside crypto ikev1 enable outside crypto ikev1 policy 10 authentication crack encryption aes-256 hash sha group 2 lifetime 86400 crypto ikev1 policy 20 authentication rsa-sig encryption aes-256 hash sha group 2 lifetime 86400 crypto ikev1 policy 30 authentication pre-share encryption aes-256 hash sha group 2 lifetime 86400 crypto ikev1 policy 40 authentication crack encryption aes-192 hash sha group 2 lifetime 86400 crypto ikev1 policy 50 authentication rsa-sig encryption aes-192 hash sha group 2 lifetime 86400 crypto ikev1 policy 60 authentication pre-share encryption aes-192 hash sha group 2 lifetime 86400 crypto ikev1 policy 70 authentication crack encryption aes hash sha group 2 lifetime 86400 crypto ikev1 policy 80 authentication rsa-sig encryption aes hash sha group 2 lifetime 86400 crypto ikev1 policy 90 authentication pre-share encryption aes hash sha group 2 lifetime 86400 crypto ikev1 policy 100 authentication crack encryption 3des hash sha group 2 lifetime 86400 crypto ikev1 policy 110 authentication rsa-sig encryption 3des hash sha group 2 lifetime 86400 crypto ikev1 policy 120 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 crypto ikev1 policy 130 authentication crack encryption des hash sha group 2 lifetime 86400 crypto ikev1 policy 140 authentication rsa-sig encryption des hash sha group 2 lifetime 86400 crypto ikev1 policy 150 authentication pre-share encryption des hash sha group 2 lifetime 86400 telnet timeout 5 ssh stricthostkeycheck ssh 10.10.0.0 255.255.255.0 inside ssh timeout 5 ssh key-exchange group dh-group1-sha1 console timeout 0 no vpn-addr-assign dhcp dhcpd auto_config outside ! dhcpd address 10.10.0.5-10.10.0.254 inside ! threat-detection basic-threat threat-detection statistics port threat-detection statistics protocol threat-detection statistics access-list threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200 ntp server 166.70.136.41 source outside ntp server 108.166.189.70 source outside ntp server 63.245.214.136 source outside ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip webvpn enable outside group-policy DfltGrpPolicy attributes group-policy Remote-VPN internal group-policy Remote-VPN attributes dns-server value 10.10.0.201 8.8.8.8 vpn-tunnel-protocol ikev1 split-tunnel-policy tunnelspecified split-tunnel-network-list value Remote-VPN_splitTunnelAcl default-domain value local.prv username snmp_test password Ocwq862v84DTwooX encrypted username VPN_User password KgHsdRdYP0lAyeqPIXn51g== nt-encrypted privilege 15 tunnel-group DefaultRAGroup general-attributes address-pool RA_VPN tunnel-group DefaultRAGroup ipsec-attributes ikev1 pre-shared-key ***** tunnel-group Remote-VPN type remote-access tunnel-group Remote-VPN general-attributes address-pool RA_VPN default-group-policy Remote-VPN tunnel-group Remote-VPN ipsec-attributes ikev1 pre-shared-key ***** ! class-map global-class match access-list global_mpc class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options inspect pptp inspect icmp inspect icmp error class global-class flow-export event-type all destination 10.10.0.111 ! service-policy global_policy global prompt hostname context no call-home reporting anonymous hpm topN enable Cryptochecksum:f249b6940d463cc987b9aa828d8d8282 : end

Hello

If please check windows or any of application firewall PC side. It's less likely the issue VPN or ASA.

HTH

Averroès.

Access DMZ, internal

Similar Questions

Maybe you are looking for