ACS seems to forget IPs assigned to VPN connections

Hi, I hope I am posting this in the right place and giving the illusion that I have a pretty good idea of what I'm talking about. Otherwise, I apologize and would appreciate any relevant input.

My problem is that after authenticating correctly to ACS/RSA, VPN users receive a correct IP address from their respective IP pool, but ACS seems to forget after a while that the IP address was assigned, so, for example, it shows 0 assigned IP addresses when the firewall reports that there are 4 active connections. What will inevitably happen is that someone will eventually be assigned an IP address previously assigned to an already existing connection, causing 0 connectivity to the network for the VPN user.

I assume this is a failure of communication between the firewall and the ACS in terms of which connections are still alive and which IPs should be available.

Can someone give me ideas on mechanisms for the ACS and the firewall to interact with regard to active connection information, or does anyone have experience or knowledge of this problem?

Thanks in advance.

Thank you for the response. It is currently set for 2 hours, but I guess I'm confused as to some of the terminology in regards to it releasing IP addresses not in use.

For example, if there is a valid VPN connection for 4 hours, it seems that the ACS will recover the IP after 2 hours, so does that mean 2 hours in, the IP will get re-assigned regardless? Or is there supposed to be some mechanism in place that says the connection is still valid so the IP is kept assigned beyond the 2 hour period?

Thanks again.

Hello

I do not think that there is such a mechanism if ACS provides the IP address to the client, but yes, you can adjust the release time. I suggest you set the time to 5-6 hours; that is what we set up in our data center. The time is so long because the fact is that the user may not work continuously for more than 5 to 6 hours; if at all, then the connection will break and once again a new IP address will be assigned once the user connects. It won't be a problem in a normal network.

Hope this helps.

Please rate if useful.

Ganesh.H

Tags: Cisco Security

Similar Questions

  • Question: how to assign the VPN IP VPN client user using 5.4 ACS?

    I'm new to ACS 5.4.  What I want to achieve is to let ACS 5.4 assign IP addresses to users who are connecting to our ASA using the Cisco VPN client.  The ASA runs as a RADIUS client of ACS 5.4, and we have tested RADIUS authentication successfully.  But users always get "unknown error" in the VPN client after being authenticated successfully.  I think I probably used incorrect RADIUS attributes in an authorization policy.  Here's what I did:

    1. In Policy Elements -> Authorization and Permissions -> Network Access -> Authorization Profiles, I created a new profile, and this profile uses the RADIUS attribute CVPN3000/ASA/PIX7.x-DHCP-Network-Scope.  An IP address is entered under this attribute as a static value.

    2. Then, in Access Policies -> Access Services -> Client VPN IPSec with RADIUS (this is the policy that I created) -> Authorization, I created an authorization policy allowing the previously created RADIUS profile to be used.

    Did I miss something?  Maybe I got the wrong RADIUS attribute?  Thanks in advance for any help!

    ACS 5 doesn't have the ability to provide IP addresses from IP address pools defined in ACS.

    You must assign static IP addresses on a per-user basis on ACS 5. You can also create a pool on the ASA and enter the name of the pool in ACS 5.

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.3/release/notes/acs_53_rn.html#wp216411

    Jatin kone
    -Do rate helpful posts-

  • IPS management on VPN

    I have a problem with the return traffic to a management IPS across a VPN tunnel interface. Phase 1 and Phase 2 work fine,

    but the return traffic does not return to the ASA (the IPS gateway). The IPS 4260 (v7.08) is still connected directly to the ASA,

    but still no return traffic (#pkts encaps: 0).

    #pkts decaps: increments as intended (with icmp tests), so I know that the request is getting there.

    I think that the rules are configured correctly, as #pkts encaps: increments during a test to a switch (IP address) reached via the IPS.

    Ran debugs on the ASA, but don't see anything.

    The IPS has a simple config with a permit ACL of 0.0.0.0/32.

    Is there something on the IPS, or a combination of it with the ASA, that causes it to not answer?

    Thank you

    Pete

    Hello

    It should be:

    0.0.0.0/0

    Kind regards

    Julio

  • WRVS4400N with AG300 and VPN connections

    I bought a WRVS4400N router hoping to add wireless and VPN capability at a remote office LAN. I want to be able to establish a VPN connection from my PC at the central office to the WRVS4400N at the remote office, to remote desktop into, access and administer systems at the remote office. Remote desktop access from the remote office systems to systems at the central office is unnecessary.

    Before deploying the WRVS4400N to the remote office, I'm setting it up and configuring it at our central office.

    Our central office is a router Linksys AG300 and ADSL service for Internet connection. It works well and I don't want to change it.

    I have connected the WRVS4400N to our central office LAN and it has an IP address on its WAN port assigned by the DHCP server on the AG300.

    What I do not understand is how to establish a VPN connection from a system on the Internet to the WRVS4400N on the local network. I have a laptop with the QuickVPN software installed. If I connect my laptop to the AG300 (i.e. the same switch as the WAN port on the WRVS4400N) I can establish a VPN connection to the WRVS4400N, but if I connect my laptop to the Internet (via my ADSL service at home), I am unable to set up the VPN. I don't know how to configure the AG300 so that the VPN from my laptop reaches the WRVS4400N.

    I have IPsec passthrough enabled on the AG300, but this does not seem to make the VPN to the WRVS4400N work.

    Can someone tell me what I need to do?

    Is there some other DSL modem I could use that facilitates the connection? There is another DSL modem (I don't know the make/model until I visit the site) used at the remote office, but I could replace it if I knew that the replacement would work.

    Update: I got it to work. See https://supportforums.cisco.com/thread/2108785 for the advice that has been most useful.

    The essential steps were forwarding the ports indicated in that article (and UDP 500) to the WRVS4400N, and I dropped the MTU a bit (don't know if this was really necessary). Now I can establish a QuickVPN connection, except when the Windows Firewall interferes.

    Hello

    Thank you for posting. On the AG300, forward the following ports to the WAN IP address of the WRVS4400N: 443, 500, 4500, 60443. This allows you to establish a QuickVPN connection to the WRVS4400N using the WAN IP of the AG300.

  • Cisco AnyConnect VPN connection has not changed my public IP address on Windows 7 64 bit

    Hello

    I installed the Cisco AnyConnect VPN client from my school so that I can access the school network from my Windows 7 laptop at home. I was able to connect, but when I used http://www.whatismyip.com/, it still showed the IP address assigned by my ISP.  In the "Network and Sharing Center", I have my original LAN and the VPN LAN up, but the VPN LAN access type is 'No Internet access'. The VPN connection seems to have activity, based on the changing bytes sent and received.

    I searched the Web for solutions and changed something like adding the gateway. But it did not help.

    Thanks for your help.

    Split tunneling is probably configured so that traffic destined to school networks passes through the VPN tunnel, and traffic destined to the Internet goes out through your local ISP. That's why whatismyip shows your public IP address from the ISP.

  • VPN connection: An unexpected error has occurred.

    I am suddenly unable to get my built-in VPN connection working on my iMac with OS X 10.11.5.  I get the VPN connection message: "An unexpected error has occurred."  I have been using this VPN configuration to connect to work for several months with success.

    But last week (and I do not know if it had anything to do with it), I went on vacation and used a free Wi-Fi setup at Tim Hortons.  I had a LOT of trouble getting to the login page, and I tried playing with different network settings without success.  When a change did not work, I put it back to its original setting.  Finally, I learned to use Safari to access Tim's free WiFi connection page.  Then once connected, everything was OK.

    But when I returned a week later and needed to start my VPN connection to access work, it wouldn't start.  I checked and rechecked all my settings in the different network preferences, but did not find any that were wrong.  I even deleted and re-entered my VPN service definition without solving the problem.

    Thinking that the problem could be the newly installed Bell ISP equipment (we switched from Rogers while I was away), I used my BlackBerry smartphone (issued by my employer) to create a Wi-Fi hotspot and accessed the internet using this connection, which completely bypassed my home ISP equipment.  But still, I was unable to establish a VPN connection.

    I then tried the VPN connection on my iPad, and it worked!  Then I defined a VPN service on my wife's iMac and on my daughter's iMac and was able to successfully establish a VPN connection to my work just fine, using exactly the same VPN configuration.  This led me to the conclusion that it was a problem on my iMac (and not with my new ISP or my work's VPN system, which had not changed), but I still can't find what is "broken".  I ran Onyx on my iMac OS X 10.11.5 and repaired permissions and cleaned the cache and all the rest it does to "solve" problems.  But the problem persisted.

    Is there a corrupted preference file somewhere (the scan option is no longer in the current version of Onyx for some reason)?

    Do I still have a wrong network setting somewhere that I need to set back to the system's correct value?

    Here is the VPN attempt from the system.log file (with some values hidden in case they reveal my work VPN access):

    26 June at 16:13:48 Myrons-iMac nesessionmanager [439]: NESMLegacySession [VPN works: 295091E5-xxxx-4B6A-xxxx-F7A7xxxxxxAA]: received an order to start SystemUIServer [257]
    26 June at 16:13:48 Myrons-iMac nesessionmanager [439]: NESMLegacySession [VPN works: 295091E5-xxxx-4B6A-xxxx-F7A7xxxxxxAA]: changed to connecting status
    26 June at 16:13:48 Myrons-iMac nesessionmanager [439]: IPSec connection to server nnn.nnn.n.n
    26 June at 16:13:48 Myrons-iMac nesessionmanager [439]: phase 1 of the IPSec from.
    26 June at 16:13:48 Myrons-iMac racoon [520]: agreed to the takeover of vpn connection.
    26 June at 16:13:48 - last message repeated 1 time-
    26 June at 16:13:48 Myrons-iMac racoon [520]: IPSec connection to server nnn.nnn.n.n
    26 June at 16:13:48 - last message repeated 1 time-
    26 June at 16:13:48 Myrons-iMac racoon [520]: connection.
    26 June at 16:13:48 Myrons-iMac racoon [520]: IPSec Phase 1 started (initiated by me).
    26 June at 16:13:48 - last message repeated 1 time-
    26 June at 16:13:48 Myrons-iMac racoon [520]: bind 1 (cannot assign requested address)
    26 June at 16:13:48 - last message repeated 1 time-
    26 June at 16:13:48 Myrons-iMac racoon [520]: sendfromto failed
    26 June at 16:13:48 - last message repeated 1 time-
    26 June at 16:13:48 Myrons-iMac racoon [520]: Phase 1 negotiation failed due to the error of sending. 94437eb7d5b1b6e8:0000000000000000
    26 June at 16:13:48 - last message repeated 1 time-
    26 June at 16:13:48 Myrons-iMac racoon [520]: can not send packets
    26 June at 16:13:48 - last message repeated 1 time-
    26 June at 16:13:48 Myrons-iMac racoon [520]: IKE Packet: send failed. (Initiator, aggressive Mode 1 Message).
    26 June at 16:13:48 Myrons-iMac nesessionmanager [439]: Controller IPSec: IKE FAILED. Phase 1, assert 0
    26 June at 16:13:48 Myrons-iMac nesessionmanager [439]: NESMLegacySession [VPN works: 295091E5-xxxx-4B6A-xxxx-F7A7xxxxxxAA]: status changed by disconnecting
    26 June at 16:13:48 Myrons-iMac nesessionmanager [439]: IPSec disconnection from the server 142.201.5.6
    26 June at 16:13:48 Myrons-iMac racoon [520]: IPSec disconnection from the server nnn.nnn.n.n
    26 June at 16:13:48 - last message repeated 3 times-
    26 June at 16:13:48 Myrons-iMac nesessionmanager [439]: NESMLegacySession [VPN works: 295091E5-xxxx-4B6A-xxxx-F7A7xxxxxxAA]: status changed to offline, terminus right no

    Any help or insight would be more useful and appreciated... so that I can work from home again.

    Thank you

    Myron VanderLaan

    I finally found my VPN problem.

    There is a 'racoon' file that is generated when I connect to the VPN at my work site.

    I had created a modified version of this file so that my connection does not expire after 3600 seconds (changed to 24 hours).

    Apparently, there are some slightly different settings (such as certain IP addresses other than my work VPN IP) in this file under our new ISP Bell compared to the former ISP Rogers.

    And if I connect via the WiFi hotspot from my BlackBerry, it does not work once again, because these settings in the file are different again.  I must use the generated file instead of my modified file.

    Bad luck!

  • VPN connections disappear, RASDIAL makes reappear

    Here is a screenshot of the Connect to a Network dialog box. Notice that my VPN connection is not displayed. Nothing shows it:

    http://i44.Tinypic.com/2iu3rpg.jpg

    In order to get the dialog box to regain its senses, I simply drop to an elevated command prompt and run

    rasdial [name of the VPN connection]

    You don't need credentials. You don't need it to successfully connect; you just give it a push with a stick using rasdial:

    http://I39.Tinypic.com/16bdd2u.jpg

    The Connect to a Network dialog box now works:

    http://i40.Tinypic.com/qpqd6h.jpg

    These are screenshots from Windows Vista. I have seen this bug on Windows XP too.

    My question is: How can I get Microsoft to fix it?

    Hi Jack,

    Well, Gack! If it happens only every several weeks to months, it will be very fun, in the not-so-fun sort of way, to track down.

    Here is my point of view.

    First of all, on a side note, I would never, ever use Windows without an antivirus package if you go on the internet at all, which you seem to do.

    'Common sense' worked well before the age of drive-by viruses. Just going to a page (even a supposedly known-good one) can give you an infection. I'm not saying it's likely, but it's easily possible.

    I highly recommend that you run some virus scans (these forums have several good suggestions) just to be sure, but it doesn't sound like you have a virus to me.

    Well, I'll get off my soap box now. :-)

    Then, restart is a standard "fix." If this solves the problem, then virtually all support guys in the world are going to tell you, "there's your fix, have a nice day." I won't argue your point; well, it is wrong. Just please realize that there are literally billions of possible hardware and software combinations. There is no way that each of them could possibly work together without problems. I'll just tell you that it is a workaround and you should use it if it works.

    Finally, if you want to keep looking for a better solution, I am with you on that. Solutions help all of us.

    So, here's what you can do then.

    When it happens the next time, mark the time.

    Then go into the Event Viewer and begin to track down any errors that happened at that time, as well as the warnings and all the events that happened just before the problem started. We don't need (or want) the full thing, just the header with the Event ID, Source, Log, and Level.

    You should note what, if anything, started, stopped, tried to run or tried to break.

    Any service which did any of the above.

    Also, I'm looking more on TechNet.

    Since you said that it works, for now I'd mark this thread as closed and start again when and if the problem happens again.

    Of course, I hope this helps!

    Matt Hudson
    Microsoft Answers Support Engineer
    Visit our Microsoft answers feedback Forum and let us know what you think.

  • Win7 VPN connects - returns the error code 806

    I use Win7 Ultimate, and am trying to establish a VPN connection to a server at work.  I have an XP Pro system which connects OK but cannot get W7 to.  I have set up the VPN as close to the XP setup as I can, but it still won't connect... it goes to "verifying username and password", then sits there for about 3/4 minutes, returning error message 806.  The modem/gateway has VPN passthrough defined and port 1723 open in the firewall (don't forget XP connects OK), so I guess that the basis of the network is configured OK (?).

    I need help on what to do... I am new to W7 so am struggling a bit finding my way around.

    Thank you
    Huntsmann

    See this RRAS Team Blog entry for possible help... MS-MVP Windows Desktop Experience, "When everything has failed, read the operating instructions."

  • The VPN client VPN connection behind other PIX PIX

    I have the following problem:

    I wanted to establish a VPN connection from the VPN client to the PIX over GPRS/3G, but I didn't have much luck with PIX OS version 6.2(2).

    So I upgraded the PIX to 6.3(4) to use NAT-T, and the VPN client to version 4.0.5.

    I configured the PIX with NAT-T (isakmp nat-traversal 20), but I still had no luck; it would not get through the 1st phase. As soon as I turned isakmp nat-traversal off, it started working, and we can connect to our servers.

    Now, I want to connect with the VPN client behind our PIX to our customer's PIX network. The VPN connection comes up without problem, but we cannot access the servers. If I configure NAT-T on both PIXes, or only on the customer PIX, or only on our PIX, there is no VPN connection at all.

    If I connect the VPN client behind our PIX to the customer's network and try to ping the DNS server, for example, I get the following error on our PIX:

    305006: portmap translation creation failed for protocol 50 src inside:10.10.1.x dst outside:194.x.x.x

    194.x.x.x is our customer's PIX IP address.

    I understand that an access list is missing somewhere, but I cannot figure it out.

    Of course, I can configure a site-to-site VPN, but we have a few customers and take over their servers, so it'd be easier to just connect with the VPN client behind the PIX to the customer's server, instead of first dialing in and then establishing a VPN connection.

    Can you please help me?

    Thank you in advance

    The following is extracted from the ASK THE EXPERTS discussion forum with Glenn Fullage of Cisco.

    I've cut and pasted it here for you to read; I think it addresses the problem mentioned below:

    Question:

    Hi Glenn,

    Is the following possible?

    I have the VPN client on my PC; my LAN is protected by a PIX. I can launch the VPN client to connect to the remote PIX. The VPN client authenticates and the remote PIX assigns my PC the appropriate IP from its IP address pool.

    The problem that I am facing is that I cannot ping anything across the remote PIX from my PC, which is behind my PIX. Can you please guide me on what I have to do to make this work, if it is possible?

    My PC has a static IP address assigned, with the appropriate default gateway pointing to my PIX's inside interface.

    Thank you very much in advance for any help provided.

    Response from Glenn:

    First of all, make sure that the VPN connection works correctly when the remote PC is NOT behind a PIX. If that works fine, but then breaks when put behind a PIX, it is probably that the PIX is doing PAT, which usually breaks IPSec. Add the following command on the PIX your VPN client is behind:

    fixup protocol esp-ike

    See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/df.htm#wp1067379 for more details.

    If it still has issues, you can turn on NAT-T on the remote PIX that terminates the VPN; the client and the remote PIX will then encapsulate all IPSec in UDP packets, which your PIX will be able to PAT correctly. Add the following command on the remote PIX:

    isakmp nat-traversal

    See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1027312 for more details.

    NAT-T is an IETF standard for the encapsulation of IPSec packets into UDP packets.

    IPSec ESP (the protocol that your encrypted data packets use) is an IP protocol; it sits directly above IP, rather than being a TCP or UDP protocol. For this reason, it has no TCP/UDP port number.

    A lot of devices that do Port Address Translation (PAT) rely on a unique TCP/UDP source port number for PAT'ing. Because all PAT'd traffic would be at the same source address, there must be some uniqueness to each of its sessions, and most devices use the TCP/UDP source port number for this. Because IPSec doesn't have one, many PAT devices fail to PAT it properly or at all, and the data transfer fails.

    When NAT-T is enabled on both end devices, they will determine during tunnel construction whether there is a PAT/NAT device between them, and if they detect that there is, they automatically encapsulate every IPSec packet in a UDP packet with port number 4500. Because there is now a port number, PAT devices are able to PAT it correctly and the traffic goes normally.

    Hope that helps.
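    To make the port-number argument above concrete, here is an added toy simulation (not from the original thread, and not how a PIX implements translation) of a PAT device: flows are tracked by (protocol, translated source port, peer address), so two inside hosts sending raw ESP (IP protocol 50, no port) to the same peer collide, while the same two hosts using NAT-T encapsulation (UDP 4500) each get a distinct translated port and the peer's replies are demultiplexed back correctly. The addresses, the Packet type and the PatDevice class are all constructed for this example; it does not model the `fixup protocol esp-ike` behaviour mentioned in the answer.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ESP = 50            # IP protocol number for IPsec ESP: no transport header, no ports
UDP = 17
NAT_T_PORT = 4500   # UDP port NAT-T uses to encapsulate ESP


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None when the protocol carries no port (ESP)
    dport: Optional[int] = None


class PatDevice:
    """Constructed toy PAT box: many inside hosts share one outside address.

    A flow is identified by (protocol, translated source port, peer address).
    TCP/UDP flows each get a fresh translated port; ESP has no port, so the only
    key available is (50, None, peer), which one inside host at a time can own.
    """

    def __init__(self, outside_ip: str) -> None:
        self.outside_ip = outside_ip
        self.next_port = 1024
        # (proto, translated sport, peer) -> (inside src, original sport)
        self.table: Dict[Tuple[int, Optional[int], str], Tuple[str, Optional[int]]] = {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an inside->outside packet; None if no unique translation exists."""
        if pkt.sport is None:
            key = (pkt.proto, None, pkt.dst)
            owner = self.table.get(key)
            if owner is not None and owner[0] != pkt.src:
                return None   # second ESP client to the same peer: indistinguishable
            self.table[key] = (pkt.src, None)
            return Packet(pkt.proto, self.outside_ip, pkt.dst)
        xport = self.next_port
        self.next_port += 1
        self.table[(pkt.proto, xport, pkt.dst)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.outside_ip, pkt.dst, xport, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a reply from the peer back to the inside host; None if no state matches."""
        entry = self.table.get((pkt.proto, pkt.dport, pkt.src))
        if entry is None:
            return None
        inside_ip, orig_port = entry
        return Packet(pkt.proto, pkt.src, inside_ip, pkt.sport, orig_port)


def run_scenario(nat_t: bool) -> Dict[str, Optional[str]]:
    """Two inside IPsec clients talk to one VPN peer through the same PAT box.

    Returns inside host -> address the peer's reply was delivered to (None = lost).
    """
    pat = PatDevice("198.51.100.1")   # constructed outside address of the PAT box
    peer = "203.0.113.1"              # constructed VPN peer
    delivered: Dict[str, Optional[str]] = {}
    for host in ("10.0.0.5", "10.0.0.6"):
        if nat_t:
            out = pat.outbound(Packet(UDP, host, peer, NAT_T_PORT, NAT_T_PORT))
        else:
            out = pat.outbound(Packet(ESP, host, peer))
        if out is None:
            delivered[host] = None
            continue
        # The peer answers by swapping the addresses and ports of what it received.
        reply = Packet(out.proto, peer, out.src, out.dport, out.sport)
        back = pat.inbound(reply)
        delivered[host] = back.dst if back else None
    return delivered


if __name__ == "__main__":
    print("raw ESP :", run_scenario(nat_t=False))   # second client gets nothing
    print("NAT-T   :", run_scenario(nat_t=True))    # both clients get their replies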

  • Dialogue of VPN connection extremely laggy

    Hello

    Recently I have had some strange problems with SSTP VPN in Windows 7. For some reason, the connection process has become very slow. Where it used to take a few seconds to connect, it now takes minutes. Once it is connected, the VPN connection works as fast as it always has; it is only the connection process itself which is slow.

    When I click on 'Connect' from the Windows tray icon, it may take up to one minute for the username and password dialog to appear. Then it usually takes several seconds to react when I press Connect, and the connection process also takes less than a minute to complete. In addition, the VPN properties dialog box seems to suffer from the same problem; it takes a long time to appear and is very slow and unresponsive, even just switching between tabs.

    As far as I know, I have made no changes to my PC that would have any impact on networking at all, so I am at a loss as to why this is happening. I have noticed it seems to be getting progressively worse, though; it is much slower now than it was a week ago.

    If anyone can help shed light on the problem, I would be really grateful.

    Thank you
    Bob

    Hello

    Because the problem is related to VPN, I recommend you post this question in the Windows 7 TechNet Networking forum.

  • Monitoring VPN connection attempts

    I would like to be able to use the syslog messages that are sent from the ASA to monitor VPN connection attempts (successful or not). Looking at the system messages, there are several codes that relate to this.

    I wonder if anyone has a good way to use syslog to do this? Are there some codes that can be used for this information?

    Thank you.

    You can set the ASA to send syslog messages when a user connects and disconnects. There are a few types of 'remote access', such as IPsec VPN, WebVPN/Clientless, and AnyConnect/SSL VPN client, that you can track.

    If you are using Clientless SSL VPN, syslogs usually begin with 716xxx.  For example, the syslog for connect is 716001 and disconnect is 716002.  There is a list of other Clientless SSL VPN related messages here. You can view the specific contents of each log here:

    http://www.Cisco.com/en/us/docs/security/ASA/asa80/system/message/logmsg

    http://www.Cisco.com/en/us/docs/security/ASA/asa80/system/message/logmsgs.html#wp4776913

    If you use the SSL VPN Client (SVC 1.x, AnyConnect 2.x), syslogs usually begin with 722xxx. For example, the syslog for connect is 722022 and disconnect is 722023. There is a list of other SSL VPN client related messages here:

    http://www.Cisco.com/en/us/docs/security/ASA/asa80/system/message/logmsg

    http://www.Cisco.com/en/us/docs/security/ASA/asa80/system/message/logmsgs.html#wp4778697

    If you use the IPSec VPN client, you can track a successful connect with 713119 (indicates Phase 1 completed), 713049 (indicates Phase 2 completed) and disconnect with 113019. There is an additional ipsec syslog, 713049, that you can track for ipsec.

    http://www.Cisco.com/en/us/docs/security/ASA/asa80/system/message/logmsgs.html#wp4775678

    http://www.Cisco.com/en/us/docs/security/ASA/asa80/system/message/logmsgs.html#wp4775412

    http://www.Cisco.com/en/US/docs/Security/ASA/asa80/System/message/logmsg

    http://www.Cisco.com/en/us/docs/security/ASA/asa80/system/message/logmsgs.html#wp4769539

    Here are some other notes to keep in mind:

    -You can tell what logging levels you currently have on the ASA command line with "show logging".

    -Logs that you send to a syslog server are controlled with the "logging trap" command. For example "logging trap informational" (level 6) or "logging trap alerts" (level 1).

    -You can tell what severity level (i.e., alerts, critical, errors, warnings, notifications, informational, debug) each one logs at through this link. As you can see by checking the link, those that track sign-in or sign-out, as I've mentioned above, are usually informational (sev 6):

    http://www.Cisco.com/en/us/docs/security/ASA/asa80/system/message/logsev

    http://www.Cisco.com/en/us/docs/security/ASA/asa80/system/message/logsevp.html

    -If you want to send a specific subset of the syslogs to a specific device, you can do it with a logging class or a logging list:

    http://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/m

    For example (logging class):

    http://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/m

    http://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/monitor.html#wp1065253

    logging class vpnc trap informational

    For example (logging list):

    http://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/monitor.html#wp1065512

    logging list mylist message 722022

    logging list mylist message 722023

    logging trap mylist

    Don't forget to rate the posts that helped you, and to mark the question as resolved if it has been answered.

    -heather
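    As an added example (not part of the original thread and not a Cisco tool), here is a small Python tracker that replays ASA syslog lines and pairs the connect and disconnect message IDs the answer above lists (716001/716002 for Clientless, 722022/722023 for the SSL VPN client, 713119/713049 and 113019 for IPsec) into per-user sessions, giving the same "active / cumulative / peak concurrent" view a syslog server could produce. The sample lines are constructed; their field layout approximates the real messages, and the parser keys only on the six-digit message ID and on the `User <name> IP <addr>` or `Username = name, IP = addr` fields, so the severity digit and any trailing text do not matter. A Phase 1 completion (713119) with no following Phase 2 (713049) is reported separately, since that is an authenticated client that never got a usable tunnel.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Message IDs from the answer above: a successful connect per access type, and disconnects.
CONNECT_IDS = {
    "716001": "clientless",   # Clientless SSL VPN: WebVPN session started
    "722022": "ssl-client",   # SSL VPN client / AnyConnect: SVC connection established
    "713049": "ipsec",        # IPsec client: Phase 2 complete, tunnel usable
}
PHASE1_ID = "713119"          # IPsec Phase 1 complete: authenticated, no tunnel yet
DISCONNECT_IDS = {"716002", "722023", "113019"}

MSG_ID_RE = re.compile(r"%ASA-\d-(\d{6}):")
# WebVPN/SVC messages carry "User <name> IP <addr>", IPsec ones "Username = name, IP = addr,"
ANGLE_RE = re.compile(r"User <([^>]+)> IP <([^>]+)>")
EQUALS_RE = re.compile(r"Username = ([^,]+), IP = ([^,]+)")

# Constructed sample lines (users, groups and addresses invented; layout approximates the real messages).
SAMPLE_LOG = [
    "%ASA-6-722022: Group <RA-SSL> User <alice> IP <203.0.113.10> TCP SVC connection established without compression",
    "%ASA-6-716001: Group <Clientless> User <bob> IP <198.51.100.7> WebVPN session started.",
    "%ASA-6-713119: Group = RA-IPSEC, Username = carol, IP = 192.0.2.25, PHASE 1 COMPLETED",
    "%ASA-6-713049: Group = RA-IPSEC, Username = carol, IP = 192.0.2.25, Security negotiation complete for User (carol)  Responder, Inbound SPI = 0x1a2b3c4d, Outbound SPI = 0x5e6f7a8b",
    "%ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.10/51000 (203.0.113.10/51000) to inside:192.168.1.5/443 (192.168.1.5/443)",
    "%ASA-6-722023: Group <RA-SSL> User <alice> IP <203.0.113.10> TCP SVC connection terminated without compression",
    "%ASA-6-713119: Group = RA-IPSEC, Username = dave, IP = 192.0.2.40, PHASE 1 COMPLETED",
    "%ASA-4-113019: Group = RA-IPSEC, Username = carol, IP = 192.0.2.25, Session disconnected. Session Type: IPsec, Duration: 0h:12m:03s, Bytes xmt: 1234, Bytes rcv: 5678, Reason: User Requested",
]


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Return {'id', 'user', 'ip'} for a VPN connect/phase1/disconnect line, else None."""
    m = MSG_ID_RE.search(line)
    if not m:
        return None
    msg_id = m.group(1)
    if msg_id not in CONNECT_IDS and msg_id not in DISCONNECT_IDS and msg_id != PHASE1_ID:
        return None   # unrelated message (e.g. connection build/teardown), ignored
    fields = ANGLE_RE.search(line) or EQUALS_RE.search(line)
    if not fields:
        return None
    return {"id": msg_id, "user": fields.group(1).strip(), "ip": fields.group(2).strip()}


def track_sessions(lines: List[str]) -> dict:
    """Replay syslog lines in order and summarise VPN sessions keyed by (user, ip)."""
    active: Dict[tuple, str] = {}     # (user, ip) -> access type
    cumulative: Counter = Counter()   # access type -> sessions established
    peak = 0
    phase1_only = set()               # IPsec peers that finished Phase 1 but never Phase 2
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        key = (ev["user"], ev["ip"])
        if ev["id"] == PHASE1_ID:
            phase1_only.add(key)
        elif ev["id"] in CONNECT_IDS:
            phase1_only.discard(key)
            active[key] = CONNECT_IDS[ev["id"]]
            cumulative[active[key]] += 1
            peak = max(peak, len(active))
        else:
            active.pop(key, None)     # disconnect with no matching connect is ignored
    return {
        "active": active,
        "cumulative": dict(cumulative),
        "peak_concurrent": peak,
        "phase1_only": phase1_only,
    }


if __name__ == "__main__":
    summary = track_sessions(SAMPLE_LOG)
    for name, value in summary.items():
        print(f"{name:16}: {value}")
```

    Feed it real lines (for example `track_sessions(open("asa.log"))`) after enabling the `logging list`/`logging trap` configuration above; because the tracker keys on (user, ip), a second session for the same user from a different address shows up as a separate active entry, which is the case the original question's IP-pool confusion would surface as.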

  • Total number of concurrent VPN connections.

    Hey guys,.

    Is it possible to display, or even log, the total number of simultaneous VPN connections in one month?

    THX

    On the ASA, you can enter the command "show vpn-sessiondb"; it shows the info.

    demo-asa# show vpn-sessiondb

    VPN Session Summary

    Sessions:
                                  Active : Cumulative : Peak Concurrent : Inactive
    SSL VPN                     :      0 :        145 :               7
      Clientless only           :      0 :         30 :               2
      With client               :      0 :          0 :               3 :      115
    Email Proxy                 :      0 :          0 :               0
    IPsec LAN-to-LAN            :      0 :          0 :               0
    IPsec Remote Access         :      0 :          0 :               0
    VPN Load Balancing          :      0 :          0 :               0
    Totals                      :      0 :        145

    License Information:
    IPsec    :  750    Configured :  750    Active :    0    Load :   0%
    SSL VPN  :   50    Configured :   50    Active :    0    Load :   0%

                                  Active : Cumulative : Peak Concurrent
    IPsec                       :      0 :          0 :               0
    SSL VPN                     :      0 :        145 :               7
    AnyConnect Mobile           :     61 :         61 :              61
    Linksys Phone               :      0 :          0 :               0
    Totals                      :      0 :        145

    I'm sure that there are much better alternatives, such as Cisco ACS, including production-quality ones.

    But I have recently installed Microsoft IAS on my Windows 2003 server and then configured accounting for my VPN group policy. I then used a free "IAS log viewer" software which is able to report the usage of my VPN.

    See the article below for configuring Microsoft IAS on Win2k3:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_configuration_example09186a0080094700.shtml

    The whole process took me less than an hour. Nice report generated by the IAS log viewer.

    Thank you

    Kiran

  • VPN connected but no visible network

    So I have a Windows 7 desktop computer (VPN server) and a Windows 7 laptop (VPN client), and I have set up an incoming VPN connection on my desktop and a client VPN connection on my laptop. When I go and establish a VPN connection, it says that I'm connected on my laptop and my desktop, but I can't access my network resources. I've been cracking at this for a few weeks now and have gotten nowhere with it; any help would be greatly appreciated. Thank you!

    I can't access something like \\ServerName\ShareName, and I can't ping them either. The address ranges are not the same on the server and client networks. The funny thing is that it says I am connected at both ends; the client says that IPv4 has no Internet access on the VPN, which is fine because all I want is access to the network, and it shows that I have an IP address assigned on the VPN adapter. On the server side it says that IPv4 and IPv6 are not connected, but if I do "ipconfig /all" it shows me its IP address on the VPN.

    On the client side, I've disabled 'Use default gateway on remote network' so that I can still have access to the Internet on the client while it is connected to the VPN. On the server side, I tried selecting "Assign addresses automatically using DHCP" as well as "Specify IP addresses" (with a range which is in the client and server IP address range). I also have "Allow calling computer to specify its own IP address" selected on the server.

    When I finally set up a VPN server on a Vista box, I got the address assigned to clients with a configuration like this:

    http://theillustratednetwork.MVPs.org/Vista/PPTP/VPNSetup06.jpg

    The address range was the same as the server's LAN address range; in this case, I used 192.168.10.X on the local network.

    http://theillustratednetwork.MVPs.org/Vista/PPTP/ExampleVistaVPNNetwork.PDF

    The client would receive .31 or .32...

    Of course, this assumed that the client was not, or would not be, on a 192.168.10.X LAN to start with. If it was, I could have problems connecting to shares on my LAN server.

    MS-MVP Windows Desktop Experience
    "When all else fails try what the captain suggested before you started..."

  • Running the logon script after AnyConnect VPN connection

    Is it possible (like the launcher on the IPSec client) to run a login script after establishing a VPN connection? When a user connects to the VPN with the AnyConnect client, I need to be able to run a login script to map drives. I looked in ASDM, but don't see anywhere that this could be configured. I thought I would check to make sure I'm not missing something.

    We run ASA OS v8.2(2), ASDM 6.2(5).

    Thank you.

    You can learn more about the AnyConnect script capabilities on the link below...

    http://www.Cisco.com/en/us/docs/security/vpn_client/AnyConnect/anyconnect25/Administration/Guide/ac03features.html#wp1068902

  • IPSec VPN: connected to the VPN but cannot access resources

    Hello

    I configured an IPSec VPN over two ISPs with IP SLA configured; there is redundancy on the VPN so that if the main address is unavailable, clients connect to the backup VPN address.

    ISSUES

    -Connecting to the primary address, I can access resources

    -Connecting to the backup address, I cannot access resources, for example servers

    I want a way to connect to the backup address and access the resources on my servers. Please help by looking at the config below.

    Configuration below:

    interface GigabitEthernet0/0
     description LAN
     nameif inside
     security-level 100
     ip address 192.168.202.100 255.255.255.0
    !
    interface GigabitEthernet0/1
     description CONNECTION_TO_DOPC
     nameif outside
     security-level 0
     ip address 2.2.2.2 255.255.255.248
    !
    interface GigabitEthernet0/2
     description CONNECTION_TO_COBRANET
     nameif backup
     security-level 0
     ip address 3.3.3.3 255.255.255.240
    !
    !
    interface Management0/0
     shutdown
     no nameif
     no security-level
     no ip address
     management-only
    !
    boot system disk0:/asa831-k8.bin
    boot system disk0:/asa707-k8.bin
    ftp mode passive
    clock timezone WAT 1
    dns domain-lookup outside
    dns server-group DefaultDNS
     name-server 4.2.2.2
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network obj-200
     subnet 192.168.200.0 255.255.255.0
     description LAN_200
    object network obj-202
     subnet 192.168.202.0 255.255.255.0
     description LAN_202
    object network NETWORK_OBJ_192.168.30.0_25
     subnet 192.168.30.0 255.255.255.128
    object network RDP_12
     host 192.168.202.12
     description Web server
    object service RDP
     service tcp source eq 3389 destination eq 3389
    object network obj012
     host 192.168.202.12
    object network Backup-PAT
     subnet 192.168.202.0 255.255.255.0
     description UBA LAN NETWORK
    object-group network DM_INLINE_NETWORK_1
     network-object 192.168.200.0 255.255.255.0
     network-object 192.168.202.0 255.255.255.0
    object-group network DM_INLINE_NETWORK_2
     network-object object obj-200
     network-object object obj-202
    access-list INSIDE_OUT extended permit ip 192.168.200.0 255.255.255.0 any
    access-list INSIDE_OUT extended permit ip 192.168.202.0 255.255.255.0 any
    access-list OUTSIDE_IN extended permit icmp any any inactive
    access-list OUTSIDE_IN extended permit tcp any object obj012 eq 3389 inactive
    access-list gbnltunnel_splitTunnelAcl standard permit 192.168.200.0 255.255.255.0
    access-list gbnltunnel_splitTunnelAcl standard permit 192.168.202.0 255.255.255.0
    access-list BACKUP_IN extended permit icmp any any inactive
    access-list encrypt_acl extended permit ip 196.216.144.0 255.255.255.192 192.168.202.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu backup 1500
    mtu backup2 1500
    ip local pool GBNLVPNPOOL 192.168.30.0-192.168.30.100 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any backup
    asdm image disk0:/asdm-645-206.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static NETWORK_OBJ_192.168.30.0_25 NETWORK_OBJ_192.168.30.0_25 destination static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1
    nat (inside,outside) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static NETWORK_OBJ_192.168.30.0_25 NETWORK_OBJ_192.168.30.0_25 no-proxy-arp route-lookup
    !
    object network obj-200
     nat (inside,outside) dynamic interface
    object network obj-202
     nat (any,outside) dynamic interface
    object network obj012
     nat (inside,outside) static interface service tcp 3389 3389
    object network Backup-PAT
     nat (inside,backup) dynamic interface
    !
    nat (inside,outside) after-auto source dynamic any interface
    access-group INSIDE_OUT in interface inside
    access-group OUTSIDE_IN in interface outside
    access-group BACKUP_IN in interface backup
    route outside 0.0.0.0 0.0.0.0 2.2.2.2 1 track 100
    route backup 0.0.0.0 0.0.0.0 3.3.3.3 254
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
     webvpn
      url-list value GBNL-SERVERS
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    aaa authentication enable console LOCAL
    http server enable 441
    http 192.168.200.0 255.255.255.0 inside
    http 192.168.202.0 255.255.255.0 inside
    http 192.168.2.0 255.255.255.0 inside
    http 192.168.30.0 255.255.255.0 inside
    http 0.0.0.0 0.0.0.0 outside
    http 0.0.0.0 0.0.0.0 backup
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    sla monitor 10
     type echo protocol ipIcmpEcho 31.13.72.1 interface outside
     num-packets 5
     timeout 3000
     frequency 5
    sla monitor schedule 10 life forever start-time now
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map IPSec_map 10 match address encrypt_acl
    crypto map IPSec_map 10 set peer 196.216.144.1
    crypto map IPSec_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto map ipsec_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map ipsec_map interface outside
    crypto map gbnltunnel 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map gbnltunnel interface backup
    crypto ca trustpoint ASDM_TrustPoint0
     enrollment terminal
     subject-name CN=GBNLVPN.greatbrandsng.com,O=GBNL,C=ng
     crl configure
    crypto ikev1 enable inside
    crypto ikev1 enable outside
    crypto ikev1 enable backup
    crypto ikev1 policy 10
     authentication crack
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 20
     authentication rsa-sig
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 30
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 40
     authentication crack
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 50
     authentication rsa-sig
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 60
     authentication pre-share
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 70
     authentication crack
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 80
     authentication rsa-sig
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 90
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 100
     authentication crack
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 110
     authentication rsa-sig
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 120
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 130
     authentication crack
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 140
     authentication rsa-sig
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 150
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    client-update enable
    !
    track 10 rtr 100 reachability
    !
    track 100 rtr 10 reachability
    telnet 192.168.200.0 255.255.255.0 inside
    telnet 192.168.202.0 255.255.255.0 inside
    telnet timeout 5
    ssh 192.168.202.0 255.255.255.0 inside
    ssh 192.168.200.0 255.255.255.0 inside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 0.0.0.0 0.0.0.0 backup
    ssh timeout 30
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    management-access inside
    threat-detection basic-threat
    threat-detection statistics
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    webvpn
     enable outside
     enable backup
     enable backup2
    group-policy gbnltunnel internal
    group-policy gbnltunnel attributes
     vpn-tunnel-protocol ikev1
     split-tunnel-policy tunnelspecified
     default-domain value greatbrandsng.com
    group-policy "Group 2" internal
     service-type remote-access
    tunnel-group gbnltunnel type remote-access
    tunnel-group gbnltunnel general-attributes
     address-pool GBNLVPNPOOL
     default-group-policy gbnltunnel
    tunnel-group gbnltunnel ipsec-attributes
     ikev1 pre-shared-key *****
    tunnel-group GBNLSSL type remote-access
    tunnel-group GBNL_WEBVPN type remote-access
    tunnel-group GBNL_WEBVPN general-attributes
     default-group-policy gbnltunnel
    tunnel-group 196.216.144.1 type ipsec-l2l
    tunnel-group 196.216.144.1 ipsec-attributes
     ikev1 pre-shared-key *****
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    hpm topN enable
    Cryptochecksum:6004bf457c9c0bc1babbdbf1cd8aeba5
    : end

    When you say that "the external interface is down using failover techniques", do you mean this failover occurred because the ASA is no longer able to reach 31.13.72.1? Not that the actual interface is broken?

    If this is the case, then NAT is your problem. Since you're using the same VPN pool for both VPN connections, the ASA cannot distinguish between the two streams of traffic if the external interface is still up. The SLA tracking only removes a route from the routing table, but does not affect what happens in the NAT process.

    Try changing the NAT statement to the following and test (don't forget to remove the other NAT-exempt statements for this traffic during the test):

    nat (inside,any) source static NETWORK_OBJ_192.168.30.0_25 NETWORK_OBJ_192.168.30.0_25 destination static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1

    If this does not work, I would either shut down the external interface when a failover occurs, or create a second connection profile that contains a separate pool of IP addresses for the VPN connection and ask users to connect using this profile when a failover takes place. Don't forget to create NAT-exempt statements for this traffic as well.

    --

    Please rate all helpful posts
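    As an added check (not from the thread, Cisco, or the poster), the following Python script reads the IKEv1 and twice-NAT lines of an ASA config like the one above and lists every IKEv1-enabled interface that has no identity (NAT-exempt) twice-NAT rule for the VPN pool object; it assumes the config is in show-run text form, and the embedded excerpt is constructed from the poster's own rules and object names.

```python
import re

# Constructed excerpt of the ASA config from the thread (not the full dump):
# where IKEv1 is enabled and which twice-NAT rules exempt the VPN pool.
SAMPLE_CONFIG = """\
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 enable backup
nat (inside,outside) source static NETWORK_OBJ_192.168.30.0_25 NETWORK_OBJ_192.168.30.0_25 destination static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1
nat (inside,outside) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static NETWORK_OBJ_192.168.30.0_25 NETWORK_OBJ_192.168.30.0_25 no-proxy-arp route-lookup
object network Backup-PAT
 nat (inside,backup) dynamic interface
"""

IKEV1_RE = re.compile(r"^crypto ikev1 enable (\S+)$")
# Twice NAT: nat (in,out) [after-auto] source static REAL MAPPED [destination static REAL MAPPED]
TWICE_NAT_RE = re.compile(
    r"^nat \((\S+),(\S+)\) (?:after-auto )?source static (\S+) (\S+)"
    r"(?: destination static (\S+) (\S+))?"
)

def ikev1_interfaces(config):
    """Interfaces on which IKEv1 remote-access tunnels can terminate."""
    matches = (IKEV1_RE.match(ln.strip()) for ln in config.splitlines())
    return {m.group(1) for m in matches if m}

def exempted_interfaces(config, pool_obj):
    """Egress interfaces whose twice-NAT rule maps pool_obj to itself (NAT exempt),
    as either the source pair or the destination pair of the rule."""
    exempt = set()
    for line in config.splitlines():
        m = TWICE_NAT_RE.match(line.strip())
        if not m:
            continue
        _ingress, egress, s_real, s_map, d_real, d_map = m.groups()
        if s_real == s_map == pool_obj or (d_real and d_real == d_map == pool_obj):
            exempt.add(egress)
    return exempt

def missing_vpn_exemptions(config, pool_obj):
    """IKEv1 interfaces with no NAT exemption for the pool; 'any' covers them all."""
    exempt = exempted_interfaces(config, pool_obj)
    if "any" in exempt:
        return []
    return sorted(ikev1_interfaces(config) - exempt)

# With the thread's rules only 'outside' is exempt, so the backup path gets PAT'ed.
# → ['backup', 'inside']
print(missing_vpn_exemptions(SAMPLE_CONFIG, "NETWORK_OBJ_192.168.30.0_25"))
```

    Rewriting the first rule as nat (inside,any), as the reply suggests, makes the list empty.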
