Access lists applied inbound VPN connections

I try to configure access to homeland security lists, we have a multi site VPN services Terminal Server is the main traffic flowing on the VPN.

102 of the ACL applies to cryptographic cards

access-list 100 permit ip 10.1.5.0 255.255.255.0 10.1.6.0 255.255.255.0

access-list 102 permit ip 10.1.5.0 255.255.255.0 10.1.6.0 255.255.255.0

We need only allow traffic to domain connections and Terminal Server services only.

I tried with no luck, remote clients lose the ability to auth against the domain controller.

access-list 102 permit ip 10.1.5.20 host 10.1.6.0 255.255.255.0

(DC also DNS and WINS)

access-list 102 permit ip 10.1.5.21 host 10.1.6.0 255.255.255.0

(DC secondary also DNS and WINS)

access-list 102 permit ip 10.1.5.22 host 10.1.6.0 255.255.255.0

(terminal server 1)

access-list 102 permit ip 10.1.5.23 host 10.1.6.0 255.255.255.0

(terminal server 2)

access-list 102 permit ip 10.1.5.24 host 10.1.6.0 255.255.255.0

(terminal server 3)

If once they have connected to this topic, I've implemented these access lists it works very well, but once they log off and attempt to relog on, they are blocked. This leads me to believe there is more for field connections then meets the eye.

Anyone have any suggestions for me? Everyone knows about this problem?

Thanks in advance!

Gregg

Domain logon may require programming. It will probably be in the form of emissions e.g. directed 10.1.5.255. These emissions are going to spend your first list, but blocked by the second access list. To get around this, you can use assistance on the net 10.1.6.0 ip addresses. You can also add the following line to list 102:

access-list 102 permit ip 10.1.5.255 host 10.1.6.0 255.255.255.0.

Another thing to consider is to simplify your ACL 102. Small access lists provide better performance. In the given situation, the separate lines for 10.1.5.20 up to 10.1.5.23 IP addresses can be replaced by a oneliner: access-list 102 permit ip 10.1.5.20 255.255.255.252. Taking this one step further, you can even create a oneline for guests access list when you move the third server terminal server to the range of 16-19.

Tags: Cisco Security

Similar Questions

Different 'outside_cryptomap access-list"for each VPN?

Hello

Just for my understanding.

I have a VPN connected to my Cisco ASA 5520 when I tried to add an another VPN, the I must create a 2nd cryptomap, can I not create a group so there is only one card encryption?

Currently I have:

access-list 1 permit line outside_cryptomap_1 extended ip 0.0.0.0 0.0.0.0 172.19.15.0 255.255.255.0

I just added outside_cryptomap_2 line access-list 1 permit extended ip 0.0.0.0 0.0.0.0 172.19.2.0 255.255.255.0

But I was wondering if I could use something like:

access-list 1 permit line outside_mycryptomap extended ip 0.0.0.0 0.0.0.0 VPN_Remote_Networks object-group

When I do this, but I guess that this will cause a problem with the address in hand?

You must use different access-list in cryptomap for each VPN.

Access-list group policy and IPSec tunnel.

I have an IPSec Site to Site VPN tunnel that ends on the external interface of the firewall. My ftp server is located in a demilitarized zone. The DMZ has an access list applied to the interface. When I created the Group of the tunnel for the Site to Site, I create a group of tunnel with group policy and manage the policy with filters. The filter looks like an access list. Are the filter and the ACL interface work together? The one replace the other? How they work together.

Once traffic ipsec, acl interface is not used until you have enabled "sysopt conn allowed-/ ipsec vpn. When you add a vpn-filter, it is what will filter the ipsec traffic.

Effect of the access lists on free access of high to low by default

I'll implement access rules list on PIX525 (V6.3) with several DMZ, but want to minimize the rules.

Scenario - 3 interfaces (inside (secuity100, average security50 outside Security0)

To allow hosts on the way to reach the inside I create an access list applied to a central interface. However, will be an implicit (or explicit) deny at the end of the access list prevents the intermediate hosts with default value to open access to the lower security outside the interface?

Thank you

Mick

Level of security and access lists:

To grant access of lower to higher level, you need to an access list and a static.

Equal to equal level cannot talk to each other.

Higher level of security can talk to lower levels, if there is no access on this interface list and the NAT is configured correctly.

ACL will add at the end a "deny ip any any" after a statement of license. So getting back to your question: If you allow a DMZ host to connect internal host on a specific port that all other connections are blocked. You must specify all the tarffic in this access list otherwise they will be blocked.

The only exception is the traffic may be from other interface access lists to the demilitarized zone, answers etc. For example, you are allowing port 80 to a dmz host outside this traffic will not be verified again by the dmz access list.

sincerely

Patrick

Site to Site VPN connection

I have trouble getting a connection from site to site between a site that I am owner and a seller at a distance. (neither of us are experts)

Can someone tell me what Miss them us?

Ok

I hope I understood the situation correctly.

With the changes below all your LAN traffic should flow through the VPN L2L at the Remote Site connection. However, I can't say what is happening in the traffic from there in. Internet traffic should work just fine.

Your ASA Site

10.4.200.0 IP Access-list extended siteA 255.255.248.0 allow all

no extended siteA LocalNetwork 255.255.248.0 ip access list allow 10.4.0.0 255.255.0.0

Note of the access-list NAT0 for VPN L2L traffic INSIDE-NAT0

IP 10.4.200.0 allow to Access-list INTERIOR-NAT0 255.255.248.0 all

NAT (inside) 0-list of access to the INTERIOR-NAT0

crypto Outside_map2 1 game card address siteA

Supplier of ASA site

permit same-security-traffic intra-interface

access-list siteA extended permits all ip 10.4.200.0 255.255.248.0

no extended siteA 10.4.0.0 ip access list do not allow 255.255.0.0 10.4.200.0 255.255.248.0

NAT (outside) 1 10.4.200.0 255.255.248.0

This should forward traffic from your site to the remote site if the destination address of the connections is nothing other than your LAN.

It should also allow your site to use the connection of remote sites ASAs since we allow traffic to make a u-turn on the interface of the ASA "outside" remote and dynamic to the ' outside ' interface IP address be also participated.

-Jouni

Access list in a PIX?

I have the access-list applied on my "external" my PIX interface and I'm trying to make it so pings coming from the 'inside' book, but those who come of the? outside? in case of failure.

access-list outside permit icmp any any echo response

list a whole outside access allowed icmp time-exceeded

access outside allowed icmp list everything all inaccessible

Using a VPN, you can create a rule/filter and apply it to the tunnel which verifies the established bit to be set. Is it possible to do this with a list of access a PIX?

I have a 6.3 (5) PIX 501

If you add (in config mode)

ICMP deny everything outside

The above will disable any ping/trace route or network scans of the internet (that is, your network will be in stealth mode), if you also add

access-list outside permit icmp any any echo response

list a whole outside access allowed icmp time-exceeded

access outside allowed icmp list everything all inaccessible

outside access-group in external interface

This will then allow icmp traffic going out to the internet, BUT don't be do not allow anyone to ping/trace route internet or analyze your network!

You can test this by visiting http://www.grc.com and using the program "shields up" to analyze your network. Try first without icmp deny out of any instruction and then with the statement added to your configuration.

Hope this helps

Jay

ICMP / ACCESS-LIST

If I access-list and statements ICMP on the same interface, which contradicts the other, who gets preference. for ex. If I refuse a package in icmp and allow the access-list package, which wins.

Access lists apply only to passing packets * by * the PIX. ICMP commands are applied to the PIX interfaces themselves (meaning premitting or deny ICMP packets to the PIX interface address). So, to answer your question, it depends on what you are trying to ping ;)

Scott

IOS VPN on 7200 12.3.1 and access-list problem

I'm in IOS 12.3 (1) a 7200 and have configured it for VPN access. I use the Cisco VPN client. Wonder if someone has encountered the following problem, and if there is a fix.

The external interface has the access-list standard applied that blocks incoming traffic. One of the rules is to block the IPs private, not routable, such as the 10.0.0.0 concern, for example.

When I set my VPN connection, none of my packets get routed and I noticed that outside access list interface blocks the traffic. When I connect to the router through VPN, the router attributes to the client an IP address from a pool of the VPN as 10.1.1.0/24. But normal outside the access list denies this traffic as it should. But as soon as I have established a VPN connect, it seems that my encrypted VPN traffic must ignore the external interface access list.

If I change my external access list to allow traffic from source address 10.1.1.0/24 my VPN traffic goes through correctly, but this goes against the application to have an outdoor access list that denies such traffic and have a VPN.

Anyone else seen this problem or can recommend a software patch or version of IOS which works correctly?

Thank you

R

That's how IOS has always worked, no way around it.

The reasoning is to do with the internal routing on the router. Basically an encrypted packet inherits from the interface and initially past control of ACL as an encrypted packet. Then expelled the crypto engine and decrypted, so we now have this sitting pouch in the cryptographic engine part of the router. What do we with her now, keeping in mind users may want political route she is also, might want to exercise, qos, etc. etc. For this reason, the package is basically delivered on the external interface and running through everything, once again, this time as a decrypted packet. If the package hits the ACL twice, once encrypted and clear once.

Your external ACL shall include the non encrypted and encrypted form of the package.

Now, if you're afraid that people can then simply spoof packets to come from 10.1.1.0 and they will be allowed through your router, bzzzt, wrong. The first thing that the router checks when it receives a packet on an interface with a card encryption applied is that if the package needs to be encrypted, it is from his crypto ACL and its IP pools. If he receives a decrypted packet when it knows that it must have been encrypted, it will drop the package immediately and a flag a syslog something as "received the decrypted packet when it should have been."

You can check on the old bug on this here:

http://www.Cisco.com/cgi-bin/support/Bugtool/onebug.pl?BugID=CSCdz54626&submit=search

and take note of the section of the security implications, you may need to slightly modify your configuration.

Ipv6 access list does not apply autonomous Aironet 3602I-E

As you can see in the attached config I configured two SSID (2G & 5 G) for a third (2G only) SSID and PEAP WPA2-Ent on the vlan 2 for 'poor team access as guest '.

Basically I forced the Dot11Radio0.2 interface in the Group of deck 1 to get all three SSIDS on vlan 1 (since I want just a quick way and dirty to allow its customers access to the internet, without having to configure a vlan separate everywhere).

The guest SSID (XX COMMENTS) allows tkip in addition to BSE and uses a PSK rather than PEAP. Access lists configured on Dot11Radio0.2 IPv4 allows clients connected to this SSID get an IP by DHCP, use the DNS servers on the local network and access the internet. All other traffic for the local network is blocked by access lists guest_ingress and guest_egress.

This all works very well, ipv4 is blocked for guests invited as expected. However, ipv6 is something different. For some reason, the ipv6 access list is completely ignored.

Because I don't need ipv6 for guest access, I thought that I have completely block and do with it. As you can see I have this set:

interface Dot11Radio0.2
guest_ingress6 filter IPv6 traffic in
guest_egress6 filter IPv6 traffic on

and these ipv6 access lists have a rule of "refuse a whole" only. Yet, the XX COMMENTS SSID connected client gets an ipv6 address of the server on the LAN DHCP6 and has full connectivity. For ipv4, that I had to explicitly allow DHCP packets to the client not even get an IP, so the ipv6 access lists are not clearly applied.

No matter if I move the access interface Dot11Radio0 instead lists, they don't do anything. I thought that maybe I should add a "enable ipv6" on the Dot11Radio0.2 interface (even if ipv6 traffic was very good, even where it shouldn't), but when I set "enable ipv6" Dot11Radio0 or Dot11Radio0.2 the radio goes into a sort of infinite loop of reset:

000261: Sep 23 2016 22:32:50.512 it IS: % DOT11-5-EXPECTED_RADIO_RESET: restart Radio Dot11Radio0 interface due to the reset of the interface
000262: Sep 23 2016 22:32:50.516 it IS: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to down
000263: Sep 23 2016 22:32:50.524 it IS: % LINK-5-CHANGED: Interface Dot11Radio0, changed State to reset
000264: Sep 23 2016 22:32:51.516 it IS: % LINEPROTO-5-UPDOWN: Line protocol on the Interface Dot11Radio0, state change downstairs
000265: Sep 23 2016 22:32:51.560 it IS: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to
000266: Sep 23 2016 22:32:51.568 it IS: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to down
000267: Sep 23 2016 22:32:51.576 it IS: % LINK-5-CHANGED: Interface Dot11Radio0, changed State to reset
000268: Sep 23 2016 22:32:52.608 it IS: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to
000269: Sep 23 2016 22:32:53.608 it IS: % LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed State to
000270: 22:32:53.608 Sep 23, 2016 it IS: % DOT11-5-EXPECTED_RADIO_RESET: restart Radio Dot11Radio0 interface due to the reset of the interface
000271: Sep 23 2016 22:32:53.612 it IS: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to down
etc.

In addition, when creating a list like this ipv6 access:

guest_egress6 IPv6 access list
refuse an entire ipv6

The other is automatically created:

IPv6-guest_egress6 role-based access list
refuse an entire ipv6

A deletion also removes the other.

What is happening with these ipv6 ACLs, why they are not blocking all traffic? Why do I get an acl "role-based" too? Is associated it with?

Is there a another way to kill just any ipv6 on the SSID of COMMENTS XX traffic while leaving alone on others? That's all I need at this stage. If the ipv6 ACL do not work, perhaps this can be done (ab) using a service-policy or policy routing? I'm ready to creative solutions :)

PS. I know this is not the recommended method to configure a guest SSID, but it should still work IMO.

You have encountered a bug I discovered a few months ago (CSCva17063), in your case, the workaround is to apply the ACL on the physical rather than the void interface interface (because you want to completely block IPv6 in any case). I write (more) my conclusions regarding the traffic that refusal on autonomous APs in a blogpost, might be interesting for you to read as well.

Remember that the access point used as a bridge between the wired infrastructure and wireless, not as a router. There's some IOS routing of commands (like the "enable IPv6" command you pointed out) , but these are not the characteristics that should be used or need to be enabled on an access point.

Because the networks internal and customer spend somewhere else, I would perform filtering on this device instead. Also sub gi0.2 interface is missing from your configuration, so I do not think that access as a guest is currently working at all?

Please rate helpful messages... :-)

Router Access List - where it is applied?

I seem to be missing something here. I have a 1841 router that has an access list configured and it actually loses packages based on this access list. I can't for the life of me see where this Access List is applied. Can anyone provide an overview? Here is the result of the "Show Run":

R - H1BR1 #sh run
Building configuration...

Current configuration: 3391 bytes
!
! No change since the last restart configuration
!
version 12.4
horodateurs service debug datetime msec
Log service timestamps datetime msec
no password encryption service
!
R-H1BR1 host name
!
boot-start-marker
boot-end-marker
!
County of logging
logging buffered 51200
no console logging
!
No aaa new-model
IP cef
!
!
!
!
no ip domain search
domain IP p911.positron name - psap.com
name of the IP-server 10.4.0.1
name of the IP-server 10.4.0.2
name of the IP-server 10.5.0.3
name of the IP-server 10.5.0.4
IP multicast routing
Authenticated MultiLink bundle-name Panel
!
!
username * secret privilege 15 5 *.
Archives
The config log
hidekeys
!
!
TFTP IP source interface FastEthernet0/0.1
!
!
!
interface Tunnel5
Description * TUNNEL to NODE B (Multicast only) *.
IP 10.250.4.1 255.255.255.252
IP pim-interval between queries 1
origination-State pim IP 4 refresh rate
PIM dense mode IP
IP tcp adjust-mss 1436
KeepAlive 1 6
tunnel source 10.4.15.254
tunnel destination 10.5.15.254
!
interface Tunnel25
Description * TUNNEL at 25 SATELLITE (Multicast only) *.
IP 10.250.25.1 255.255.255.252
IP pim-interval between queries 1
origination-State pim IP 4 refresh rate
PIM dense mode IP
IP tcp adjust-mss 1436
KeepAlive 1 6
tunnel source 10.4.15.254
tunnel destination 10.25.15.254
!
interface FastEthernet0/0
Description * to switch 1 last Port *.
no ip address
Speed 100
full-duplex
KeepAlive 1
!
interface FastEthernet0/0.1
Description * BACKROOM LAN *.
encapsulation dot1Q 1 native
IP 10.4.15.253 255.255.240.0
neighbor-filter IP pim DENY
IP pim dr-priority 255
IP pim-interval between queries 1
origination-State pim IP 4 refresh rate
PIM dense mode IP
no ip mroute-cache
KeepAlive 1
45 minimum waiting time charge 60
Watch 1 ip 10.4.15.254
1 1 3 sleep timers
1 standby preempt delay minimum charge 15 15 15 sync
!
interface FastEthernet0/1
Description * BETWEEN R1 and R2 *.
IP 10.252.204.1 255.255.255.252
no ip proxy-arp
IP-range of greeting 1 2604 eigrp
IP - eigrp 2604 2 hold time
no ip mroute-cache
Speed 100
full-duplex
KeepAlive 1
!
interface FastEthernet0/0/0
Description * WAN to H2 connection *.
IP 172.16.215.246 255.255.255.0
Speed 100
full-duplex
KeepAlive 1
!
interface FastEthernet0/0/1
Description * connection to AAU *.
IP 192.168.10.1 255.255.255.0
Speed 100
full-duplex
KeepAlive 1
45 minimum waiting time charge 60
Watch 3 ip 192.168.10.3
sleep timers 3 1 3
3 standby preempt delay minimum charge 15 15 15 sync
!
Router eigrp 2604
redistribute static
passive-interface FastEthernet0/0.1
passive-interface FastEthernet0/0/1
10.4.0.0 network 0.0.15.255
Network 10.252.0.0 0.0.255.255
network 172.16.215.0 0.0.0.255
No Auto-resume
!
IP forward-Protocol ND
IP route 10.119.138.0 255.255.254.0 192.168.10.13
IP route 10.121.1.0 255.255.255.0 192.168.10.13
!
!
no ip address of the http server
IP mroute 10.5.0.0 Tunnel5 255.255.240.0
IP mroute 10.25.0.0 255.255.240.0 Tunnel25
!
standard IP DENY access list
deny all
!
interface FastEthernet0/0.1 source journaling
logging server-arp
record 10.4.0.1
!
!
control plan
!
!
Line con 0
local connection
line to 0
line vty 0 4
exec-timeout 0 0
local connection
transport telnet entry
line vty 5 15
exec-timeout 0 0
opening of session
transport telnet entry
!
Scheduler allocate 20000 1000
NTP-period clock 17177530
NTP 10.4.0.1 Server
end

R H1BR1 #.

I guess you are looking for

interface FastEthernet0/0.1
Description * BACKROOM LAN *.
encapsulation dot1Q 1 native
IP 10.4.15.253 255.255.240.0
neighbor-filter IP pim DENY

?

Best regards

Milan

Lock the AnyConnect VPN with broader access list

I'm trying to lock my AnyConnect VPN interface. I use the split tunneling. I want only to http tunnel traffic to an external http server we have and ftp to another external server behave. I don't want anything else through the tunnel or anywhere else allowed on our network. My current setup, I can connect to the vpn and the servers ping external ip address, but not by name. I can also not navigate anywhere else while I'm connected. It is not imperative for me to navigate anywhere else, when you are connected, but I need to allow only access specified above.

Configuration:

attributes Anyconnect-group policy

VPN-tunnel-Protocol svc webvpn

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list WebAccessVPN

WebVPN

list of URLS no

SVC request to enable default webvpn

WebAccessVPN list extended access allow icmp disable any newspaper host FTP - EXT object-group Ping_and_Trace

External FTP FTP access WebAccessVPN-list comment

WebAccessVPN list extended access permitted tcp disable no matter what newspaper to host FTP - EXT object-group DM_INLINE_TCP_2

WebAccessVPN list extended access allow icmp disable any newspaper host LICENSING-EXT object-group Ping_and_Trace

WebAccessVPN list extended access allowed object-group TCPUDP any LICENSING-EXT eq www log disable host

WebAccessVPN list extended access deny ip any object-group DM_INLINE_NETWORK_1

You can use the vpn filter under the attributes of political group. In the vpn-filter, you can reference the access list you created.

IPSec VPN: connected to the VPN but cannot access resources

Hello

I configured a VPN IPSec on two ISP with IP SLA configured, there is a redundancy on the VPN so that if address main is it connect to the VPN backup.

QUESTIONS

-Connect to the primary address and I can access resources

-backup address to connect but can not access resources for example servers

I want a way to connect to backup and access on my servers resources. Please help look in the config below

configuration below:

interface GigabitEthernet0/0

LAN description

nameif inside

security-level 100

IP 192.168.202.100 255.255.255.0

!

interface GigabitEthernet0/1

Description CONNECTION_TO_DOPC

nameif outside

security-level 0

IP address 2.2.2.2 255.255.255.248

!

interface GigabitEthernet0/2

Description CONNECTION_TO_COBRANET

nameif backup

security-level 0

IP 3.3.3.3 255.255.255.240

!

!

interface Management0/0

Shutdown

No nameif

no level of security

no ip address

management only

!

boot system Disk0: / asa831 - k8.bin

boot system Disk0: / asa707 - k8.bin

passive FTP mode

clock timezone WAT 1

DNS domain-lookup outside

DNS server-group DefaultDNS

Name-Server 4.2.2.2

permit same-security-traffic inter-interface

permit same-security-traffic intra-interface

network of object obj-200

192.168.200.0 subnet 255.255.255.0

Description LAN_200

network of object obj-202

192.168.202.0 subnet 255.255.255.0

Description LAN_202

network of the NETWORK_OBJ_192.168.30.0_25 object

subnet 192.168.30.0 255.255.255.128

network of the RDP_12 object

Home 192.168.202.12

Web server description

service object RDP

source eq 3389 destination eq 3389 tcp service

network obj012 object

Home 192.168.202.12

the Backup-PAT object network

192.168.202.0 subnet 255.255.255.0

NETWORK LAN UBA description

the DM_INLINE_NETWORK_1 object-group network

object-network 192.168.200.0 255.255.255.0

object-network 192.168.202.0 255.255.255.0

the DM_INLINE_NETWORK_2 object-group network

network-object object obj-200

network-object object obj-202

access-list extended INSIDE_OUT allow ip 192.168.200.0 255.255.255.0 any

access-list extended INSIDE_OUT allow ip 192.168.202.0 255.255.255.0 any

OUTSIDE_IN list extended access permit icmp any any idle state

OUTSIDE_IN list extended access permit tcp any object obj012 eq inactive 3389

gbnltunnel_splitTunnelAcl standard access list allow 192.168.200.0 255.255.255.0

standard access list gbnltunnel_splitTunnelAcl allow 192.168.202.0 255.255.255.0

BACKUP_IN list extended access permit icmp any any idle state

access extensive list ip 196.216.144.0 encrypt_acl allow 255.255.255.192 192.168.202.0 255.255.255.0

pager lines 24

Enable logging

asdm of logging of information

Within 1500 MTU

Outside 1500 MTU

backup of MTU 1500

Backup2 MTU 1500

local pool GBNLVPNPOOL 192.168.30.0 - 192.168.30.100 255.255.255.0 IP mask

no failover

ICMP unreachable rate-limit 1 burst-size 1

ICMP allow any backup

ASDM image disk0: / asdm-645 - 206.bin

don't allow no asdm history

ARP timeout 14400

NAT (inside, outside) static static source NETWORK_OBJ_192.168.30.0_25 destination DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 NETWORK_OBJ_192.168.30.0_25

NAT (inside, outside) static source DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 NETWORK_OBJ_192.168.30.0_25 NETWORK_OBJ_192.168.30.0_25 non-proxy-arp-search of route static destination

!

network of object obj-200

NAT dynamic interface (indoor, outdoor)

network of object obj-202

dynamic NAT (all, outside) interface

network obj012 object

NAT (inside, outside) interface static service tcp 3389 3389

the Backup-PAT object network

dynamic NAT interface (inside, backup)

!

NAT source auto after (indoor, outdoor) dynamic one interface

Access-group interface inside INSIDE_OUT

Access-group OUTSIDE_IN in interface outside

Access-group BACKUP_IN in the backup of the interface

Route outside 0.0.0.0 0.0.0.0 2.2.2.2 1 followed by 100

Backup route 0.0.0.0 0.0.0.0 3.3.3.3 254

Timeout xlate 03:00

Pat-xlate timeout 0:00:30

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

WebVPN

value of the URL-list GBNL-SERVERS

identity of the user by default-domain LOCAL

the ssh LOCAL console AAA authentication

AAA authentication http LOCAL console

AAA authentication enable LOCAL console

http server enable 441

http 192.168.200.0 255.255.255.0 inside

http 192.168.202.0 255.255.255.0 inside

http 192.168.2.0 255.255.255.0 inside

http 192.168.30.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 outdoors

http 0.0.0.0 0.0.0.0 backup

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

ALS 10 monitor

type echo protocol ipIcmpEcho 31.13.72.1 interface outside

NUM-package of 5

Timeout 3000

frequency 5

Annex monitor SLA 10 life never start-time now

Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

card crypto IPSec_map 10 corresponds to the address encrypt_acl

card crypto IPSec_map 10 set peer 196.216.144.1

card crypto IPSec_map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

inside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

inside crypto map inside_map interface

ipsec_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

ipsec_map interface card crypto outside

gbnltunnel card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

backup of crypto gbnltunnel interface card

Crypto ca trustpoint ASDM_TrustPoint0

Terminal registration

name of the object CN = GBNLVPN.greatbrandsng.com, O = GBNL, C = ng

Configure CRL

Crypto ikev1 allow inside

Crypto ikev1 allow outside

Crypto ikev1 enable backup

IKEv1 crypto policy 10

authentication crack

aes-256 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 20

authentication rsa - sig

aes-256 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 30

preshared authentication

aes-256 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 40

authentication crack

aes-192 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 50

authentication rsa - sig

aes-192 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 60

preshared authentication

aes-192 encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 70

authentication crack

aes encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 80

authentication rsa - sig

aes encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 90

preshared authentication

aes encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 100

authentication crack

3des encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 110

authentication rsa - sig

3des encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 120

preshared authentication

3des encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 130

authentication crack

the Encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 140

authentication rsa - sig

the Encryption

sha hash

Group 2

life 86400

IKEv1 crypto policy 150

preshared authentication

the Encryption

sha hash

Group 2

life 86400

enable client-implementation to date

!

track 10 rtr 100 accessibility

!

Track 100 rtr 10 accessibility

Telnet 192.168.200.0 255.255.255.0 inside

Telnet 192.168.202.0 255.255.255.0 inside

Telnet timeout 5

SSH 192.168.202.0 255.255.255.0 inside

SSH 192.168.200.0 255.255.255.0 inside

SSH 0.0.0.0 0.0.0.0 inside

SSH 0.0.0.0 0.0.0.0 outdoors

SSH 0.0.0.0 0.0.0.0 backup

SSH timeout 30

SSH group dh-Group1-sha1 key exchange

Console timeout 0

management-access inside

a basic threat threat detection

threat detection statistics

a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200

WebVPN

allow outside

enable backup

activate backup2

internal gbnltunnel group policy

attributes of the strategy of group gbnltunnel

Ikev1 VPN-tunnel-Protocol

Split-tunnel-policy tunnelspecified

greatbrandsng.com value by default-field

Group Policy 'Group 2' internal

type of remote access service

type tunnel-group gbnltunnel remote access

tunnel-group gbnltunnel General-attributes

address GBNLVPNPOOL pool

Group Policy - by default-gbnltunnel

gbnltunnel group of tunnel ipsec-attributes

IKEv1 pre-shared-key *.

type tunnel-group GBNLSSL remote access

type tunnel-group GBNL_WEBVPN remote access

attributes global-tunnel-group GBNL_WEBVPN

Group Policy - by default-gbnltunnel

tunnel-group 196.216.144.1 type ipsec-l2l

IPSec-attributes tunnel-group 196.216.144.1

IKEv1 pre-shared-key *.

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

maximum message length automatic of customer

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

Review the ip options

inspect the icmp

!

global service-policy global_policy

context of prompt hostname

no remote anonymous reporting call

HPM topN enable

Cryptochecksum:6004bf457c9c0bc1babbdbf1cd8aeba5

: end

When you say that "the external interface is downwards using failover techniques" you mean this failover occurred because the ASA is no longer able to reach the 31.13.72.1? Not that the actual interface is broken?

If this is the case, then the NATing is your problem. Since you're using the same VPN pool for VPN connections the ASA cannot distinguish between the two streams of traffic if the external interface is still in place. The SLA tracking only removes a route in the routing table, but does not affect what happens in the NAT process.

try to change the NAT statement follows him and the test (don't forget to remove the other statements to exempt of NAT for this traffic during the test):

NAT (inside,any) static static source NETWORK_OBJ_192.168.30.0_25 destination DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 NETWORK_OBJ_192.168.30.0_25

If this does not work, I would either turn off the external interface when a failover occurs, or create a second connection profile that contains a separate mass of IP for the VPN connection and ask users to connect using this profile when a failover takes place. Don't forget to create Nat exempt instructions for this traffic also.

--

Please note all useful posts

VPN connects but no remote LAN access

Hello

I'll put up on a PIX 501 VPN remote access.

When I try to connect via VPN software, I am able to connect but I am unable to access LAN resources.

I have pasted below part of which seems relevant to my setup. I'm stuck on this issue, could someone help me? Thanks in advance.

ethernet0 nameif outside security0
nameif ethernet1 inside the security100
test.local domain name
name 10.0.2.0 inside
name 10.0.2.13 MSExchange-en
2.2.2.2 the MSExchange-out name

outside_access_in tcp allowed access list all gt 1023 host 2.2.2.2 eq smtp
outside_access_in list access permit tcp any host 2.2.2.2 eq https
outside_access_in list access permit tcp any host 2.2.2.2 eq www
inside_outbound_nat0_acl 10.0.2.0 ip access list allow 255.255.255.0 192.168.235.0 255.255.255.192
access-list 101 permit icmp any one

3.3.3.3 exterior IP address 255.255.255.0
IP address inside 10.0.2.254 255.255.255.0
IP local pool vpn_pool 192.168.235.1 - 192.168.235.15
IP local pool vpn_pool_2 192.168.235.16 - 192.168.235.40

1 3.3.3.4 (outside) global
NAT (inside) 0-list of access inside_outbound_nat0_acl
NAT (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside, outside) 2.2.2.2 10.0.2.13 netmask 255.255.255.255 1000 1000
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 3.3.3.1 1

RADIUS Protocol RADIUS AAA server
AAA-server RADIUS (inside) host 10.0.2.3 * timeout 10
AAA-server local LOCAL Protocol

Permitted connection ipsec sysopt
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto-map dynamic dynmap 10 game of transformation-ESP-3DES-MD5
map outside_map 90-isakmp ipsec crypto dynamic dynmap
card crypto outside_map the LOCAL RADIUS client authentication
outside_map interface card crypto outside
ISAKMP allows outside
part of pre authentication ISAKMP policy 20
ISAKMP policy 20 3des encryption
ISAKMP policy 20 md5 hash
20 2 ISAKMP policy group
ISAKMP duration strategy of life 20 86400
vpngroup signal address vpn_pool pool
vpngroup dns-server 10.0.2.3 signal
vpngroup default-field test.local signal
vpngroup idle time 1800 signal
vpngroup max-time 14400 signal
signal vpngroup password *.
vpngroup TF vpn_pool_2 address pool
vpngroup dns-server 10.0.2.3 TF
TF vpngroup default-domain test.local
vpngroup TF 1800 idle time
vpngroup max-time 14400 TF
TF vpngroup password *.

Kind regards

Joana

Very similar to the question of the configuration of the switch. You should check if there is no specific roads on the switch outside the default gateway. The switch should route the subnet pool ip to the firewall (10.0.2.254).

Routing VPN access list

Hello

I have a PIX 525 to my main site and a 1721 router at a remote location. I used the PDM and the SDM to configure site-to-site IPSec VPN connection. In my private network, I use 10.1.0.0/16 for the main site and 10.x.0.0/16 (where x = 2-47) to remote sites.

The remote site with the VPN connection uses 10.19.0.0/16. When I originally created this VPN, I configured the traffic to flow from the remote site to 10.1.0.0/16 only. This means that the remote site cannot speak to any other remote sites, just the main site.

I need to modify the access list to solve this problem. The relevant part of the remote site access list is now:

access-list 103 allow ip 10.1.0.0 0.0.255.255 10.19.0.0 0.0.255.255

access-list 103 deny ip 10.19.0.0 0.0.255.255 everything

Can I change the subnet mask in the first line and put the second line first?

access-list 103 deny ip 10.19.0.0 0.0.255.255 everything

access-list 103 allow ip 10.0.0.0 0.255.255.255 10.19.0.0 0.0.255.255

Or should I let the deny at the end statement, and add a line for each of the other remote sites:

access-list 103 allow ip 10.1.0.0 0.0.255.255 10.19.0.0 0.0.255.255

access-list 103 allow ip 10.2.0.0 0.0.255.255 10.19.0.0 0.0.255.255

access-list 103 allow ip 10.3.0.0 0.0.255.255 10.19.0.0 0.0.255.255

access-list 103 allow ip 10.4.0.0 0.0.255.255 10.19.0.0 0.0.255.255

... (others)

access-list 103 deny ip 10.19.0.0 0.0.255.255 everything

Thank you.

John

John

Help the additional configuration information that you have posted. There are still a few things which I hope could be clarified. It seems that you have 46 remote sites and only is connected via a VPN. How have the other connectivity? It is all over the links within your private network? Is there than any NAT involved in these other connections?

In my previous answer, I assumed that there will be multiple VPN connections, revealing your additional information is not the case. So my comment about limitations in PIX for talk of talks is true but not applicable to your situation.

Other remote sites are also coming via the VPN? If yes access list 100 which the 1721 uses to identify the IPSec traffic (and that was not in your posted material) will probably have to be changed.

According to access list 103 is concerned, I guess that the deny ip 10.19.0.0 0.0.255.255 is an anti-spoofing measure? If so, I would probably advocate put it as the first entry in the access list. What about if you want to use ip 10.0.0.0 allow 0.255.255.255 10.19.0.0 0.0.255.255 or a series of individual licenses, according to me, a point to consider is that allowed 10.0.0.0 0.255.255.255 will allow any space of 10 addresses. It seems that you use 1 to 47. What happens if something came through 10.122.x.x? I suggest a compromise approach. You can use this:

IP 10.0.0.0 allow 0.31.255.255 10.19.0.0 0.0.255.255

ip licensing 10.32.0.0 0.15.255.255 10.19.0.0 0.0.255.255

This would allow 1 to 47 but not others.

HTH

Rick

ASA 5505 IPSEC VPN connected but cannot access the local network

ASA: 8.2.5

ASDM: 6.4.5

LAN: 10.1.0.0/22

Pool VPN: 172.16.10.0/24

Hi, we purcahsed a new ASA 5505 and try to configure IPSEC VPN via ASDM; I simply run the wizards, installation vpnpool, split tunnelling, etc.

I can connect to the ASA using the cisco VPN client and internet works fine on the local PC, but it can not access the local network (can not impossible. ping remote desktop). I tried the same thing on our Production ASA(those have both Remote VPN and Site-to-site VPN working), the new profile, I created worked very well.

Here is my setup, wrong set up anything?

ASA Version 8.2 (5)

!

hostname asatest

domain XXX.com

activate 8Fw1QFqthX2n4uD3 encrypted password

g9NiG6oUPjkYrHNt encrypted passwd

names of

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

IP 10.1.1.253 255.255.252.0

!

interface Vlan2

nameif outside

security-level 0

address IP XXX.XXX.XXX.XXX 255.255.255.240

!

passive FTP mode

clock timezone PST - 8

clock summer-time recurring PDT

DNS server-group DefaultDNS

domain vff.com

vpntest_splitTunnelAcl list standard access allowed 10.1.0.0 255.255.252.0

access extensive list ip 10.1.0.0 inside_nat0_outbound allow 255.255.252.0 172.16.10.0 255.255.255.0

pager lines 24

Enable logging

timestamp of the record

logging trap warnings

asdm of logging of information

logging - the id of the device hostname

host of logging inside the 10.1.1.230

Within 1500 MTU

Outside 1500 MTU

IP local pool 172.16.10.1 - 172.16.10.254 mask 255.255.255.0 vpnpool

no failover

ICMP unreachable rate-limit 1 burst-size 1

don't allow no asdm history

ARP timeout 14400

Global 1 interface (outside)

NAT (inside) 0-list of access inside_nat0_outbound

NAT (inside) 1 0.0.0.0 0.0.0.0

Route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

AAA-server protocol nt AD

AAA-server host 10.1.1.108 AD (inside)

NT-auth-domain controller 10.1.1.108

Enable http server

http 10.1.0.0 255.255.252.0 inside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

outside_map interface card crypto outside

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

3des encryption

sha hash

Group 2

life 86400

Telnet timeout 5

SSH 10.1.0.0 255.255.252.0 inside

SSH timeout 20

Console timeout 0

dhcpd outside auto_config

!

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

WebVPN

internal group vpntest strategy

Group vpntest policy attributes

value of 10.1.1.108 WINS server

Server DNS 10.1.1.108 value

Protocol-tunnel-VPN IPSec l2tp ipsec

disable the password-storage

disable the IP-comp

Re-xauth disable

disable the PFS

IPSec-udp disable

IPSec-udp-port 10000

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list vpntest_splitTunnelAcl

value by default-domain XXX.com

disable the split-tunnel-all dns

Dungeon-client-config backup servers

the address value vpnpool pools

admin WeiepwREwT66BhE9 encrypted privilege 15 password username

username user5 encrypted password privilege 5 yIWniWfceAUz1sUb

the encrypted password privilege 3 umNHhJnO7McrLxNQ util_3 username

tunnel-group vpntest type remote access

tunnel-group vpntest General attributes

address vpnpool pool

authentication-server-group AD

authentication-server-group (inside) AD

Group Policy - by default-vpntest

band-Kingdom

vpntest group tunnel ipsec-attributes

pre-shared-key BEKey123456

NOCHECK Peer-id-validate

!

!

privilege level 3 mode exec cmd command perfmon

privilege level 3 mode exec cmd ping command

mode privileged exec command cmd level 3

logging of the privilege level 3 mode exec cmd commands

privilege level 3 exec command failover mode cmd

privilege level 3 mode exec command packet cmd - draw

privilege show import at the level 5 exec mode command

privilege level 5 see fashion exec running-config command

order of privilege show level 3 exec mode reload

privilege level 3 exec mode control fashion show

privilege see the level 3 exec firewall command mode

privilege see the level 3 exec mode command ASP.

processor mode privileged exec command to see the level 3

privilege command shell see the level 3 exec mode

privilege show level 3 exec command clock mode

privilege exec mode level 3 dns-hosts command show

privilege see the level 3 exec command access-list mode

logging of orders privilege see the level 3 exec mode

privilege, level 3 see the exec command mode vlan

privilege show level 3 exec command ip mode

privilege, level 3 see fashion exec command ipv6

privilege, level 3 see the exec command failover mode

privilege, level 3 see fashion exec command asdm

exec mode privilege see the level 3 command arp

command routing privilege see the level 3 exec mode

privilege, level 3 see fashion exec command ospf

privilege, level 3 see the exec command in aaa-server mode

AAA mode privileged exec command to see the level 3

privilege, level 3 see fashion exec command eigrp

privilege see the level 3 exec mode command crypto

privilege, level 3 see fashion exec command vpn-sessiondb

privilege level 3 exec mode command ssh show

privilege, level 3 see fashion exec command dhcpd

privilege, level 3 see the vpnclient command exec mode

privilege, level 3 see fashion exec command vpn

privilege level see the 3 blocks from exec mode command

privilege, level 3 see fashion exec command wccp

privilege see the level 3 exec command mode dynamic filters

privilege, level 3 see the exec command in webvpn mode

privilege control module see the level 3 exec mode

privilege, level 3 see fashion exec command uauth

privilege see the level 3 exec command compression mode

level 3 for the show privilege mode configure the command interface

level 3 for the show privilege mode set clock command

level 3 for the show privilege mode configure the access-list command

level 3 for the show privilege mode set up the registration of the order

level 3 for the show privilege mode configure ip command

level 3 for the show privilege mode configure command failover

level 5 mode see the privilege set up command asdm

level 3 for the show privilege mode configure arp command

level 3 for the show privilege mode configure the command routing

level 3 for the show privilege mode configure aaa-order server

level mode 3 privilege see the command configure aaa

level 3 for the show privilege mode configure command crypto

level 3 for the show privilege mode configure ssh command

level 3 for the show privilege mode configure command dhcpd

level 5 mode see the privilege set privilege to command

privilege level clear 3 mode exec command dns host

logging of the privilege clear level 3 exec mode commands

clear level 3 arp command mode privileged exec

AAA-server of privilege clear level 3 exec mode command

privilege clear level 3 exec mode command crypto

privilege clear level 3 exec command mode dynamic filters

level 3 for the privilege cmd mode configure command failover

clear level 3 privilege mode set the logging of command

privilege mode clear level 3 Configure arp command

clear level 3 privilege mode configure command crypto

clear level 3 privilege mode configure aaa-order server

context of prompt hostname

no remote anonymous reporting call

Cryptochecksum:447bbbc60fc01e9f83b32b1e0304c6b4

: end

Captures we can see packets going from the pool to the internal LAN, but we do not reply back packages.

The routing must be such that for 172.16.10.0/24 packages should reach the inside interface of the ASA.

On client machines or your internal LAN switch, you need to add route for 172.16.10.0/24 pointing to the inside interface of the ASA.

Access lists applied inbound VPN connections

Similar Questions

Maybe you are looking for