AnyConnect client cannot ping gateway

I'm currently implementing AnyConnect for some users in our organization. Once the clients connect to the VPN via AnyConnect, they cannot access anything whatsoever, including their default gateway (via ping). I'm not sure what I did wrong, but it's probably a quick fix that someone can point out to me. It's a little frustrating because I had this working in the lab, but I can't see the obvious errors.

VPN pool: 192.168.200.0/24

ASA inside interface: 192.168.2.1

Grateful for any help received.

Greg

:
ASA Version 8.2(1)
!
hostname asaoutsidedmz
enable password 123 encrypted
passwd 123 encrypted
names
!
interface Ethernet0/0
 description link to the ISP router / WAN
 nameif outside
 security-level 0
 ip address x.x.x.235 255.255.255.224
!
interface Ethernet0/1
 description internal LAN interface
 shutdown
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 description DMZ interface
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup dmz
dns server-group DefaultDNS
 domain-name cisco.com
access-list outside_access_in extended permit tcp any host x.x.x.232 eq www
access-list outside_access_in extended permit tcp any host x.x.x.234 eq ssh
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool SSLVPNDHCP 192.168.200.20-192.168.200.25 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
global (dmz) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
nat (dmz) 10 0.0.0.0 0.0.0.0
static (dmz,outside) x.x.x.232 192.168.2.18 netmask 255.255.255.255
static (dmz,outside) x.x.x.234 192.168.2.36 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.225 1
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server TACACS+ protocol tacacs+
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
no crypto isakmp nat-traversal
telnet timeout 5
console timeout 5
management-access inside
!
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.3.2016-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy SSLVPN internal
group-policy SSLVPN attributes
 banner value SSL VPN profile
 vpn-simultaneous-logins 1
 vpn-idle-timeout 30
 vpn-tunnel-protocol l2tp-ipsec svc
 webvpn
  svc ask none default svc
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
username test11 password 123 encrypted privilege 0
username test11 attributes
 service-type remote-access
tunnel-group SSLVPNTunnel type remote-access
tunnel-group SSLVPNTunnel general-attributes
 address-pool SSLVPNDHCP
 default-group-policy SSLVPN
tunnel-group SSLVPNTunnel webvpn-attributes
 group-alias AgricorpVPN enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
: end

A few things to look at. Firstly, interface e0/1 is shut down in the config above, so connecting clients will not be able to reach the devices on the "inside" of the ASA. Second, you don't have NAT 0 rules configured to exempt the return LAN or DMZ traffic to the client IP pool from translation.
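The two checks in the reply above (a named interface left in shutdown, and an address pool that no NAT exemption covers) can be run mechanically against a saved running-config. The script below is an added example written for this page; it is not Cisco code and was not posted in the thread. It assumes the pre-8.3 "nat (iface) 0 access-list NAME" exemption syntax, parses only the plain "net mask net mask" form of an ACE, and uses a constructed, abbreviated config that mirrors the faults in the one posted above next to a corrected copy.

```python
"""Lint an ASA 8.2-style running-config for the two faults raised in this
thread: a named interface left in shutdown, and a remote-access address pool
that no NAT exemption (nat <iface> 0 access-list ...) covers.
Added example for this page; not Cisco code and not taken from the thread."""
import ipaddress
import re

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")
# Only the plain "net mask net mask" ACE form is parsed; 'any'/'host' ACEs are ignored.
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")


def statements(cfg):
    """Yield (top-level line, [indented child lines]); blanks and '!' are dropped."""
    head, kids = None, []
    for raw in cfg.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] in " \t":
            kids.append(raw.strip())
        else:
            if head is not None:
                yield head, kids
            head, kids = raw.strip(), []
    if head is not None:
        yield head, kids


def shutdown_named_interfaces(cfg):
    """Interfaces that carry a nameif (policy refers to them) but are shut down."""
    return [(head.split()[1], next(k.split()[1] for k in kids if k.startswith("nameif ")))
            for head, kids in statements(cfg)
            if head.startswith("interface ") and "shutdown" in kids
            and any(k.startswith("nameif ") for k in kids)]


def local_pools(cfg):
    """Map pool name -> the prefix the pool's first address and mask fall in."""
    pools = {}
    for head, _ in statements(cfg):
        m = POOL_RE.match(head)
        if m:
            pools[m.group(1)] = ipaddress.ip_network(f"{m.group(2)}/{m.group(4)}", strict=False)
    return pools


def nat_exempt_coverage(cfg, pool_net):
    """(interface, acl) pairs whose nat 0 ACL has an ACE whose destination contains
    pool_net, i.e. inside-to-client replies are exempted from PAT."""
    acl_dsts = {}
    for head, _ in statements(cfg):
        m = ACE_RE.match(head)
        if m:
            dst = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}", strict=False)
            acl_dsts.setdefault(m.group(1), []).append(dst)
    covered = []
    for head, _ in statements(cfg):
        m = NAT0_RE.match(head)
        if m and any(pool_net.subnet_of(d) for d in acl_dsts.get(m.group(2), [])):
            covered.append((m.group(1), m.group(2)))
    return covered


def audit(cfg):
    """Human-readable findings; an empty list means both checks passed."""
    findings = [f"{ifname} ({nameif}) is shutdown: nothing behind it is reachable"
                for ifname, nameif in shutdown_named_interfaces(cfg)]
    for name, net in local_pools(cfg).items():
        if not nat_exempt_coverage(cfg, net):
            findings.append(f"pool {name} ({net}) has no nat 0 exemption: "
                            "replies to VPN clients will be translated and dropped")
    return findings


# Constructed, abbreviated config mirroring the faults in the posted one.
BROKEN_CFG = """\
interface Ethernet0/1
 description internal LAN interface
 shutdown
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
ip local pool SSLVPNDHCP 192.168.200.20-192.168.200.25 mask 255.255.255.0
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
nat (dmz) 10 0.0.0.0 0.0.0.0
"""

# Same config with the interface brought up and a NAT exemption (NONAT) for the pool.
FIXED_CFG = BROKEN_CFG.replace(" shutdown\n", "") + """\
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (dmz) 0 access-list NONAT
"""

if __name__ == "__main__":
    for finding in audit(BROKEN_CFG):
        print("BROKEN:", finding)
    print("FIXED:", audit(FIXED_CFG) or "no findings")
```

Run it against a "show running-config" capture to get the same two findings the reply lists; once the interface is up and a NONAT ACL whose destination covers the pool is bound with "nat (inside) 0 access-list", the audit returns nothing.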

Tags: Cisco Security

Similar Questions

  • WAG320N - LAN clients cannot ping WLAN clients

    Hi all

    I wonder if you can help. I currently have a WAG320N router, which seems to work apart from a small problem.

    The problem I am facing is that my LAN clients cannot ping my wireless clients and vice versa.

    I googled this problem, which recommended that AP isolation be off, which it was by default.

    Any other ideas?

    Thanks in advance.

    Sprite

    Since you are not able to ping from wireless clients to wired clients, turn on AP isolation.

    See if that helps you.

  • AnyConnect VPN peers cannot ping or RDP each other

    I have an ASA5505 running ASA 8.3(1) and ASDM 7.1(1). I have a remote access VPN set up, and remote access users are able to connect and access network resources. I can ping the VPN peers from the remote LAN. My problem is that VPN peers cannot ping (RDP, etc.) each other. Pinging one VPN peer from another reveals the following error in the ASA log.

    Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.10.10.8 dst outside:10.10.10.9 (type 8, code 0) denied due to NAT reverse path failure

    Here's my ASA running-config:

    ASA Version 8.3(1)
    !
    hostname ciscoasa
    domain-name dental.local
    enable password 9ddwXcOYB3k84G8Q encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address dhcp setroute
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    dns domain-lookup inside
    dns server-group DefaultDNS
     name-server 192.168.1.128
     domain-name dental.local
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object network RAVPN
     subnet 10.10.10.0 255.255.255.0
    object network NETWORK_OBJ_10.10.10.0_28
     subnet 10.10.10.0 255.255.255.240
    object network NETWORK_OBJ_192.168.1.0_24
     subnet 192.168.1.0 255.255.255.0
    access-list Local_LAN_Access remark VPN Client Local LAN Access
    access-list Local_LAN_Access standard permit host 0.0.0.0
    access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
    access-list VpnPeers remark allow vpn peers to ping each other
    access-list VpnPeers extended permit ip object NETWORK_OBJ_10.10.10.0_28 object NETWORK_OBJ_10.10.10.0_28
    pager lines 24
    logging enable
    logging asdm informational
    logging mail informational
    logging from-address [email protected]
    logging recipient-address [email protected] level informational
    logging rate-limit 1 600 level 6
    mtu outside 1500
    mtu inside 1500
    ip local pool VPNPool 10.10.10.5-10.10.10.10 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-711.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,any) source static any any destination static RAVPN RAVPN
    nat (inside,outside) source static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24
    nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28
    !
    object network obj_any
     nat (inside,outside) dynamic interface
    object network RAVPN
     nat (any,outside) dynamic interface
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint LOCAL-CA-SERVER
     keypair LOCAL-CA-SERVER
     crl configure
    crypto ca trustpoint ASDM_TrustPoint0
     enrollment self
     subject-name CN=ciscoasa
     keypair billvpnkey
     proxy-ldc-issuer
     crl configure
    crypto ca server
     cdp-url http://ciscoasa/+CSCOCA+/asa_ca.crl
     issuer-name CN=ciscoasa
     smtp from-address [email protected]
    crypto ca certificate chain LOCAL-CA-SERVER
     certificate ca 01
      * hidden *
     quit
    crypto ca certificate chain ASDM_TrustPoint0
     certificate 10bdec50
      * hidden *
     quit
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication crack
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 20
     authentication rsa-sig
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 30
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 40
     authentication crack
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 50
     authentication rsa-sig
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 60
     authentication pre-share
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 70
     authentication crack
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 80
     authentication rsa-sig
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 90
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 100
     authentication crack
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 110
     authentication rsa-sig
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 120
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 130
     authentication crack
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 140
     authentication rsa-sig
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 150
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    client-update enable
    telnet 192.168.1.1 255.255.255.255 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd auto_config outside
    !
    dhcpd address 192.168.1.50-192.168.1.99 inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
     enable outside
     svc image disk0:/anyconnect-win-3.1.04072-k9.pkg 1
     svc profiles DellStudioClientProfile disk0:/dellstudioclientprofile.xml
     svc enable
     tunnel-group-list enable
     internal-password enable
     smart-tunnel list SmartTunnelList RDP mstsc.exe platform windows
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
     dns-server value 192.168.1.128
     vpn-tunnel-protocol l2tp-ipsec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
     default-domain value dental.local
     webvpn
      svc modules value vpngina
    group-policy DefaultRAGroup_1 internal
    group-policy DefaultRAGroup_1 attributes
     dns-server value 192.168.1.128
     vpn-tunnel-protocol l2tp-ipsec
     default-domain value dental.local
    group-policy DfltGrpPolicy attributes
     dns-server value 192.168.1.128
     vpn-simultaneous-logins 4
     vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
     group-lock value RAVPN
     split-tunnel-network-list value Local_LAN_Access
     default-domain value dental.local
     webvpn
      url-list value DentalMarks
      svc modules value vpngina
      svc profiles value dellstudio type user
      svc ask enable default webvpn
      smart-tunnel enable SmartTunnelList
    username wketchel1 password 5c5OoeNtCiX6lGih encrypted
    username wketchel1 attributes
     vpn-group-policy DfltGrpPolicy
     webvpn
      svc profiles value DellStudioClientProfile type user
    username wketchel password 5c5OoeNtCiX6lGih encrypted privilege 15
    username wketchel attributes
     vpn-group-policy DfltGrpPolicy
     webvpn
      svc modules none
      svc profiles value DellStudioClientProfile type user
    username jenniferk password 5.TcqIFN/4yw0Vq1 encrypted privilege 0
    username jenniferk attributes
     vpn-group-policy DfltGrpPolicy
     webvpn
      svc profiles value DellStudioClientProfile type user
    tunnel-group DefaultRAGroup general-attributes
     address-pool VPNPool
     authentication-server-group LOCAL
    tunnel-group DefaultRAGroup ipsec-attributes
     pre-shared-key *****
    tunnel-group DefaultRAGroup ppp-attributes
     authentication pap
     authentication ms-chap-v2
     authentication eap-proxy
    tunnel-group RAVPN type remote-access
    tunnel-group RAVPN general-attributes
     address-pool VPNPool
     authentication-server-group LOCAL
    tunnel-group RAVPN webvpn-attributes
     group-alias RAVPN enable
    tunnel-group RAVPN ipsec-attributes
     pre-shared-key *****
    tunnel-group RAVPN ppp-attributes
     authentication pap
     authentication ms-chap-v2
     authentication eap-proxy
    tunnel-group WebSSLVPN type remote-access
    tunnel-group WebSSLVPN webvpn-attributes
     group-alias WebSSLVPN enable
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    smtp-server 173.194.64.108
    prompt hostname context
    hpm topN enable
    Cryptochecksum:3304bf6dcf6af5804a21e9024da3a6f8
    : end

    Hello

    It seems to me that you could clean up the current NAT configuration a bit and make it a little clearer.

    I suggest the following changes

    object network VPN-POOL
     subnet 10.10.10.0 255.255.255.0
    object network LAN
     subnet 192.168.1.0 255.255.255.0
    object-group network PAT-SOURCE
     network-object 192.168.1.0 255.255.255.0
     network-object 10.10.10.0 255.255.255.0
    nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
    nat (outside,outside) 1 source static VPN-POOL VPN-POOL destination static VPN-POOL VPN-POOL
    nat (any,outside) after-auto source dynamic PAT-SOURCE interface

    The above should enable

    • Dynamic PAT for LAN and VPN users
    • NAT0 for traffic between the VPN and LAN
    • NAT0 for traffic between the VPN users

    You can then delete the previous NAT configurations. Naturally, please save the configuration before you make the change, in case you want to revert to the original configuration.

    no nat (inside,any) source static any any destination static RAVPN RAVPN
    no nat (inside,outside) source static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24
    no nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28
    no object network obj_any
    no object network RAVPN

    In case you do not want to change the settings a lot, you might be fine just adding this

    object network VPN-POOL
     subnet 10.10.10.0 255.255.255.0
    nat (outside,outside) 1 source static VPN-POOL VPN-POOL destination static VPN-POOL VPN-POOL

    But the other configuration changes above would make the NAT configuration simpler and clearer, so that the purpose of every "nat" line is easier to see.

    -Jouni

  • 1702i AP clients cannot ping their gateway, so other subnets are not accessible to clients

    Please can someone help with this problem

    I have an AP 1702i on a Catalyst 3850 MC; wireless clients are assigned DHCP from the pool created on the Catalyst 3850 MC.

    They cannot ping the gateway, so other subnets are not accessible to the clients.

    Please attach your 3850 config so we can check it

    Rasika

  • Cisco ASA 5515 - AnyConnect users cannot ping other AnyConnect users. How can I allow ICMP traffic between AnyConnect users?

    The configuration of the ASA is below!

    ASA Version 9.1(1)
    !
    hostname ASA
    domain-name xxx.xx
    names
    ip local pool VPN_CLIENT_POOL 192.168.12.1-192.168.12.254 mask 255.255.255.0
    !
    interface GigabitEthernet0/0
     nameif inside
     security-level 100
     ip address 192.168.11.1 255.255.255.0
    !
    interface GigabitEthernet0/1
     description Interface_to_VPN
     nameif outside
     security-level 0
     ip address 111.222.333.444 255.255.255.240
    !
    interface GigabitEthernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/4
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/5
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     management-only
     nameif management
     security-level 100
     ip address 192.168.5.1 255.255.255.0
    !
    ftp mode passive
    dns server-group DefaultDNS
     domain-name www.ww
    same-security-traffic permit intra-interface
    object network LAN
     subnet 192.168.11.0 255.255.255.0
     description LAN
    object network SSLVPN_POOL
     subnet 192.168.12.0 255.255.255.0
    access-list VPN_CLIENT_ACL standard permit 192.168.11.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu management 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-711.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (outside,inside) source static SSLVPN_POOL SSLVPN_POOL destination static LAN LAN
    route outside 0.0.0.0 0.0.0.0 111.222.333.443 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    webvpn
     no url-list
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    aaa authorization exec LOCAL
    http server enable
    http 192.168.5.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpoint ASDM_TrustPoint5
     enrollment terminal
     email [email protected]
     subject-name CN=ASA
     ip-address 111.222.333.444
     crl configure
    crypto ca trustpoint ASDM_TrustPoint6
     enrollment terminal
     fqdn vpn.domain.com
     email [email protected]
     subject-name CN=vpn.domain.com
     ip-address 111.222.333.444
     keypair sslvpn
     crl configure
    crypto ca trustpool policy
    crypto ca certificate chain ASDM_TrustPoint6
    telnet timeout 5
    ssh 192.168.11.0 255.255.255.0 inside
    ssh timeout 30
    console timeout 0
    no ipv6-vpn-addr-assign aaa
    no ipv6-vpn-addr-assign local
    dhcpd address 192.168.5.2-192.168.5.254 management
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl trust-point ASDM_TrustPoint6 outside
    webvpn
     enable outside
     csd image disk0:/csd_3.5.2008-k9.pkg
     anyconnect image disk0:/anyconnect-win-3.1.04066-k9.pkg 1
     anyconnect enable
     tunnel-group-list enable
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
    group-policy VPN_CLIENT_POLICY internal
    group-policy VPN_CLIENT_POLICY attributes
     wins-server none
     dns-server value 192.168.11.198
     vpn-simultaneous-logins 5
     vpn-session-timeout 480
     vpn-tunnel-protocol ssl-client
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value VPN_CLIENT_ACL
     default-domain value myComp.local
     address-pools value VPN_CLIENT_POOL
     webvpn
      anyconnect ssl dtls enable
      anyconnect keep-installer installed
      anyconnect ssl keepalive 20
      anyconnect ssl rekey time 30
      anyconnect ssl rekey method ssl
      anyconnect dpd-interval client 30
      anyconnect dpd-interval gateway 30
      anyconnect dtls compression lzs
      anyconnect modules value vpngina
      customization value DfltCustomization
    group-policy IT_POLICY internal
    group-policy IT_POLICY attributes
     wins-server none
     dns-server value 192.168.11.198
     vpn-simultaneous-logins 3
     vpn-session-timeout 120
     vpn-tunnel-protocol ssl-client ssl-clientless
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value VPN_CLIENT_ACL
     default-domain value societe.com
     address-pools value VPN_CLIENT_POOL
     webvpn
      anyconnect ssl dtls enable
      anyconnect keep-installer installed
      anyconnect ssl keepalive 20
      anyconnect dtls compression lzs
      customization value DfltCustomization
    username vpnuser password PA$$WORD encrypted
    username vpnuser attributes
     vpn-group-policy VPN_CLIENT_POLICY
     service-type remote-access
    username vpnuser2 password PA$$W encrypted
    username vpnuser2 attributes
     service-type remote-access
    username admin password ADMINPA$$ encrypted privilege 15
    tunnel-group VPN type remote-access
    tunnel-group VPN general-attributes
     address-pool VPN_CLIENT_POOL
     default-group-policy VPN_CLIENT_POLICY
    tunnel-group VPN webvpn-attributes
     authentication aaa certificate
     group-alias VPN_to_R enable
    tunnel-group IT_PROFILE type remote-access
    tunnel-group IT_PROFILE general-attributes
     address-pool VPN_CLIENT_POOL
     default-group-policy IT_POLICY
    tunnel-group IT_PROFILE webvpn-attributes
     authentication aaa certificate
     group-alias IT enable
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    : end

    Hello

    Here's what you'll need:

    same-security-traffic permit intra-interface
    access-list VPN_CLIENT_ACL standard permit 192.168.12.0 255.255.255.0
    nat (outside,outside) source static SSLVPN_POOL SSLVPN_POOL destination static SSLVPN_POOL SSLVPN_POOL

    Patrick

  • VM management host cannot ping gateway or switch

    Hello


    We have an ESXi 5.0 server with 3 VMs on it. When I try to ping the VM management network from my PC I don't get an answer; trying to ping from the VM console, I cannot ping the gateway, but I can ping DNS. However, I can RDP into the VM servers and ping the gateway from each server, as well as log in to vSphere. We have a system with 2 VLANs for VoIP, one for data and another for voice. Hosts and servers are all on the same Cisco switch.

    VM management network

    IP - 192.168.1.6
    Subnet - 255.255.255.0
    GW - 192.168.1.1
    DNS - 192.168.1.10

    Cisco switch - 192.168.1.3
    Data VLAN - 192.168.1.1
    Firewall - 192.168.1.2

    PC
    -cannot ping 192.168.1.6
    -can ping everything else

    From the management network console
    -cannot ping 192.168.1.1, .3 or any PC
    -can ping 192.168.1.10

    It sounds like a switch problem, but I do not know how to fix it. The switch is a Cisco Small Business Pro 8-port switch.

    Make sure that your L3 routing has a defined route to get traffic from your host network (192.168.1.0/24) to any network it is trying to reach. You did not show what the subnet for the PCs is, so I'm not sure what that network is.

    Regarding the gateway ping, make sure that ICMP echo is enabled on the firewall so that ping responses can get back to the host. If you still cannot ping the gateway with that on, there may be a larger problem with your connectivity.

  • ESXi5 guests cannot ping gateway

    Hello

    Environment structure

    Router (192.168.6.1)
    -Linux
    -VMware Workstation 8
    -ESXi5 (192.168.6.220)
    -srv01 (Win2008r2) (192.168.6.221) (static IP)
    -srv02 (Win2008r2) (192.168.6.111) (DHCP)

    Srv01 can ping srv02
    Srv01 can ping ESXi5
    Srv01 cannot ping

    SRV02 can get an IP address from the DHCP server (192.168.6.1)
    SRV02 can ping srv01
    SRV02 can ping ESXi5
    SRV02 cannot ping router

    Router cannot ping srv01, srv02
    Router can ping ESXi5

    Question:
    What should I do:
    to get srv01 to ping the router
    to get the router to ping srv01?

    See http://kb.vmware.com/kb/287 for instructions on enabling promiscuous mode for your virtual ethernet adapters.

  • AnyConnect Clients cannot communicate with each other

    I have a problem that I've been pulling my hair out over... my teleworkers connect to our corporate network via an AnyConnect VPN connection (version 3.1) to a Cisco ASA5520. I do not have split tunneling enabled for this profile, so all traffic should pass through the tunnel, and all hosts are in the same L3 subnet... as far as their VPN IP address goes. The problem is that the teleworker PCs cannot communicate with each other (pings/RDP/etc.). When I look at the log I see traffic from one to another, nothing denied, but they do not communicate. From my corporate network I can communicate with both AnyConnect PCs just fine. When I go to Monitoring > Routes in ASDM I see each host that is connected to the ASA via AnyConnect, and the gateway for each is the ASA's default gateway.

    Am I missing some setting in the VPN profile that prevents access between these hosts? I would think something would show up in the log...

    Have you enabled hairpinning and also a NAT exemption between AnyConnect users?

    same-security-traffic permit intra-interface
    object network AnyConnect_users
     subnet
    nat (outside,outside) source static AnyConnect_users AnyConnect_users destination static AnyConnect_users AnyConnect_users

    If this does not resolve your problem, please post a sanitized complete configuration of your ASA.

  • Two remote AnyConnect clients cannot get two-way voice via softphones?

    We have a situation where two remote users of SSL VPNS cannot establish a voice call via softphones or cookie lync. They can both talk but I can't hear the other. Each user can call external or the office LAN without problems.

    I'm under ASA version 9.1 (5) and v.3.1.05170 AnyConnect. Pretty basic config (purified) - any help would be appreciated!

    # sh run
    : Saved
    :
    ASA Version 9.1(5)
    !
    hostname device
    domain-name something.com
    enable password encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd encrypted
    names
    ip local pool general-pool 10.x.x.x-10.x.x.y
    ip local pool it-ops-pool 10.y.y.y-10.y.y.z
    !
    interface GigabitEthernet0/0
     nameif outside
     security-level 0
     ip address x.x.x.x x.x.x.x
    !
    interface GigabitEthernet0/1
     description inside interface
     nameif inside
     security-level 100
     ip address y.y.y.y y.y.y.y
    !
    interface GigabitEthernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/4
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/5
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/6
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/7
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     management-only
     shutdown
     no nameif
     no security-level
     no ip address
    !
    banner login ***********************************************************************
    banner login ! ONLY AUTHORIZED USERS ARE ALLOWED TO CONNECT UNDER PENALTY OF LAW.
    banner login This is a private computer network and may be used only with the direct,
    banner login explicit permission of the owner. The owner reserves the right to
    banner login monitor use of this network to ensure network security and to respond
    banner login to specific allegations of misuse. Use of this network constitutes
    banner login consent to monitoring for these or other purposes.
    banner login In addition, the owner reserves the right to consent to a valid
    banner login law enforcement request to search the network for evidence of a crime
    banner login stored within the network.
    banner login ***********************************************************************
    banner asdm ***********************************************************************
    banner asdm ! ONLY AUTHORIZED USERS ARE ALLOWED TO CONNECT UNDER PENALTY OF LAW.
    banner asdm This is a private computer network and may be used only with the direct,
    banner asdm explicit permission of the owner. The owner reserves the right to
    banner asdm monitor use of this network to ensure network security and to respond
    banner asdm to specific allegations of misuse. Use of this network constitutes
    banner asdm consent to monitoring for these or other purposes.
    banner asdm In addition, the owner reserves the right to consent to a valid
    banner asdm law enforcement request to search the network for evidence of a crime
    banner asdm stored within the network.
    banner asdm ***********************************************************************
    boot system disk0:/asa915-smp-k8.bin
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring 1 Sun Mar 2:00 1 Sun Nov 2:00
    dns domain-lookup inside
    dns server-group DefaultDNS
     name-server 192.168.0.0
     name-server 192.168.0.0
     domain-name something.com
    access-list Local_LAN_Access standard permit host 0.0.0.0
    pager lines 24
    logging enable
    logging timestamp
    logging buffer-size 40960
    logging buffered notifications
    logging trap notifications
    logging history errors
    logging asdm notifications
    logging device-id hostname
    logging host inside 10.0.0.0
    logging host inside 10.0.0.0
    mtu outside 1500
    mtu inside 1500
    ip verify reverse-path interface outside
    ip verify reverse-path interface inside
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any echo outside
    icmp permit any unreachable outside
    icmp permit any inside
    asdm image disk0:/asdm-721.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
    route inside 10.0.0.0 255.0.0.0 y.y.y.y 1
    route inside 192.168.0.0 255.255.0.0 y.y.y.y 1
    route inside 0.0.0.0 0.0.0.0 y.y.y.y tunneled
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    ldap attribute-map test_VPN
     map-name memberOf Group-Policy
     map-value memberOf "CN=test VPN,OU=VPN Groups,OU=Groups,OU=company,DC=,DC=,DC=com" "test VPN"
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server test-deviceauth protocol ldap
     max-failed-attempts 5
    aaa-server baird-deviceauth (inside) host 192.x.x.x
     server-port 636
     ldap-base-dn DC=x,DC=,DC=z
     ldap-scope subtree
     ldap-login-password
     ldap-login-dn cn=b,OU=Service Accounts,DC=x,DC=,DC=z
     ldap-over-ssl enable
     server-type microsoft
    aaa-server test-rsa protocol sdi
    aaa-server test-rsa (inside) host
     retry-interval 3
    aaa-server test-ldap-auth protocol ldap
    aaa-server test-ldap-auth (inside) host
     server-port 636
     ldap-base-dn DC=country,DC=a,DC=com
     ldap-scope subtree
     ldap-login-password
     ldap-login-dn CN=b,OU=Service Accounts,DC=x,DC=,DC=z
     ldap-over-ssl enable
     server-type microsoft
     ldap-attribute-map test_VPN
    user-identity default-domain LOCAL
    aaa authentication ssh console baird-deviceauth LOCAL
    aaa authentication http console baird-deviceauth LOCAL
    aaa authentication serial console baird-deviceauth LOCAL
    http server enable
    http x.x.x.x y.y.y.y inside
    http 1.1.1.1 255.255.255.0 inside
    http redirect outside 80
    snmp-server host inside x.x.x.x trap community version 2c
    snmp-server location
    snmp-server contact
    snmp-server community
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    snmp-server enable traps entity power-supply cpu-temperature
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpoint trustpoint-selfsigned-vpncso
     enrollment self
     fqdn
     subject-name CN=,O=,C=,St=,=
     keypair
     crl configure
    crypto ca trustpoint
     enrollment terminal
     crl configure
    crypto ca trustpoint
     enrollment terminal
     fqdn
     subject-name CN=,OU=,O=,C=,St=,=
     keypair
     crl configure
    crypto ca trustpoint
     enrollment terminal
     crl configure
    crypto ca trustpoint
     enrollment terminal
     crl configure
    crypto ca trustpoint
     enrollment terminal
     crl configure
    crypto ca trustpool policy
    telnet timeout 5
    ssh enable ibou
    ssh stricthostkeycheck
    ssh x.x.x.x inside
    ssh timeout 30
    ssh version 2
    ssh key-exchange group dh-group1-sha1
    console timeout 15
    no vpn-addr-assign aaa
    no vpn-addr-assign dhcp
    no ipv6-vpn-addr-assign aaa
    no ipv6-vpn-addr-assign local
    no threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 1.1.1.1 source inside
    ntp server 2.2.2.2 source inside
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
     enable outside
     anyconnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 1
     anyconnect image disk0:/anyconnect-macosx-i386-3.1.05170-k9.pkg 2
     anyconnect profiles baird-client-profile disk0:/baird-client-profile.xml
     anyconnect enable
    group-policy DfltGrpPolicy attributes
     banner value ! ONLY AUTHORIZED USERS ARE ALLOWED TO CONNECT UNDER PENALTY OF LAW.
     banner value This is a private computer network and may be used only with the direct,
     banner value explicit permission of the owner. The owner reserves the right to
     banner value monitor use of this network to ensure network security and to respond
     banner value to specific allegations of misuse. Use of this network constitutes
     banner value consent to monitoring for these or other purposes.
     dns-server value 1.1.1.1 2.2.2.2
     vpn-simultaneous-logins 2
     vpn-tunnel-protocol ssl-client
     split-tunnel-policy excludespecified
     split-tunnel-network-list value Local_LAN_Access
     default-domain value something.com
     split-dns value something.com, us.something.com
     split-tunnel-all-dns enable
     address-pools value general-pool
     webvpn
      homepage use-smart-tunnel
      anyconnect modules value dart,nam
      anyconnect profiles value baird-client-profile type user
      anyconnect ask none default anyconnect
    group-policy test internal
    group-policy test attributes
     split-tunnel-policy excludespecified
     split-tunnel-network-list value Local_LAN_Access
     split-tunnel-all-dns enable
     address-pools value it-ops-pool
    group-policy testMacs internal
    group-policy testMacs attributes
     wins-server none
     dns-server value 1.1.1.1 2.2.2.2
     vpn-tunnel-protocol ssl-client
     default-domain value xyz.com
    username admin password encrypted privilege 15
    tunnel-group DefaultRAGroup general-attributes
     authentication-server-group test-rsa
     authorization-server-group test-ldap-auth
     password-management password-expire-in-days 10
    tunnel-group DefaultRAGroup webvpn-attributes
     authentication aaa certificate
    tunnel-group DefaultWEBVPNGroup general-attributes
     authentication-server-group test-rsa
     authorization-server-group test-ldap-auth
     password-management password-expire-in-days 10
    tunnel-group DefaultWEBVPNGroup webvpn-attributes
     authentication aaa certificate
    tunnel-group test-connect type remote-access
    tunnel-group test-connect general-attributes
     authentication-server-group test-rsa
     authorization-server-group test-ldap-auth
     password-management password-expire-in-days 10
    tunnel-group test-connect webvpn-attributes
     authentication aaa certificate
     group-url http://abc.xyz.com enable
     group-url https://abc.xyz.rwbaird.com enable
    tunnel-group testMacs type remote-access
    tunnel-group testMacs general-attributes
     authentication-server-group test-rsa
     authorization-server-group test-ldap-auth
     default-group-policy testMacs
     password-management password-expire-in-days 10
     secondary-username-from-certificate use-entire-name
    tunnel-group testMacs webvpn-attributes
     group-url http://abc.xyz.com/macs enable
     group-url https://abc.xyz.com/macs enable
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly 26
      subscribe-to-alert-group configuration periodic monthly 26
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:aa675139dc84529791f9aaba46eb17f9
    : end

    I confess that I have not read your config in detail, but a few tips:

    - If you do split tunneling, don't forget to push a route for the entire VPN pool subnet (or subnets) of the VPN clients

    - Make sure you have same-security-traffic permit intra-interface

    http://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa81/command/ref/refg...

    - If you use NAT, you must exclude this inter-VPN-client traffic from NAT

    - If you have ACLs (not shown), don't forget to let your VPN pool subnet talk to itself.  Generally this would be in the ACL applied inbound on the outside interface.

    In the end, packet-tracer is your friend.

    NGP

  • ASA 5520: Remote VPN Clients cannot ping LAN, Internet

    I've set up a few of these in my time, but I am confused by this one.  I can establish the VPN tunnel connection but I can't ping or get on the internet.  I searched the forum for similar issues and found a few, but none of the fixes seem to match.  One strange thing I noticed is that when I run ipconfig /all on the VPN client, the IP address that has been leased from the VPN pool is also the default gateway!

    I have attached the config.  Help, please.

    Thank you!

    The NAT exemption ACL has not yet been applied:

    nat (inside) 0 access-list Inside_nat0_outbound

    In addition, you do not have split tunneling, so I'm not sure whether you intended the VPN clients to browse the internet through the ASA.

    You can also enable ICMP inspection if you are testing with ping:

    policy-map global_policy
     class inspection_default
      inspect icmp

    Hope that helps.

  • The VPN Clients cannot Ping hosts

    I'll include my config below. I have clients that connect through the VPN tunnel on the 180.0.0.0/24 network; 192.168.1.0/24 is the main network for the office.

    I can connect to the VPN, and I receive a correct address assignment. I believe split tunneling is configured correctly, in that I can still connect to the internet while on the VPN, but I can't ping any hosts on the 192.168.1.0 network. In the ASDM debugging log, I see pings to the ASA, but no response is received at the client.

    6 Feb 21 2013 21:54:26 180.0.0.1 53508 192.168.1.1 0 Built inbound ICMP connection for faddr 180.0.0.1/53508(christopher) gaddr 192.168.1.1/0 laddr 192.168.1.1/0

    Any help would be greatly appreciated; I'm currently pursuing my CCNP so I would like to get a deeper understanding of how to resolve these issues.

    -Chris

    hostname RegencyRE-ASA
    domain-name regencyrealestate.info
    enable password 2/VA7dRFkv6fjd1X encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 180.0.0.0 Regency
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
     description link to REGENCYSERVER
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
     description link to RegencyRE-AP
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.120 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address x.x.x.x 255.255.255.248
    !
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
     name-server 208.67.220.220
     name-server 208.67.222.222
     domain-name regencyrealestate.info
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 Regency 255.255.255.224
    access-list RegencyRE_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
    access-list outside_access_in extended permit icmp any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool Regency 180.0.0.1-180.0.0.20 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any outside
    asdm location Regency 255.255.255.0 inside
    asdm location 192.168.0.0 255.255.0.0 inside
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 12.186.110.2 1
    route inside 192.0.0.0 255.0.0.0 192.168.1.102 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication serial console LOCAL
    http server enable 8443
    http 0.0.0.0 0.0.0.0 outside
    http 0.0.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 15
    ssh version 2
    console timeout 0
    dhcprelay server 192.168.1.102 inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 69.25.96.13 source outside prefer
    ntp server 216.171.124.36 source outside prefer
    webvpn
    group-policy RegencyRE internal
    group-policy RegencyRE attributes
     dns-server value 208.67.220.220 208.67.222.222
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value RegencyRE_splitTunnelAcl
    username adriana password encrypted privilege 0
    username christopher password encrypted privilege 15
    username irene password encrypted privilege 0
    tunnel-group RegencyRE type remote-access
    tunnel-group RegencyRE general-attributes
     address-pool Regency
     default-group-policy RegencyRE
    tunnel-group RegencyRE ipsec-attributes
     pre-shared-key R3&eNcY1
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:35bc3a41701f7f8e9dde5fa35532896d
    : end

    Hello

    - Be sure that the destination host 192.168.1.x has a route towards 180.0.0.0 via the ASA as gateway.

    - Configure the following captures:

    capture capin interface inside match icmp host 192.168.1.x host 180.0.0.x

    capture asp type asp-drop all

    then run a continuous ping and collect 'show cap capin' and 'show cap asp'.

    - Then, while pinging, check whether the 'encrypted' counter is increasing in the VPN client statistics.

    Let me know how it goes, hope this helps

    ----

    Mashal

  • Cisco VPN Client cannot ping internal LAN IPs

    Hello

    I apologize in advance for my lack of knowledge about this, but I have an ASA 5510 running software version 7.2(2) and have been asked to set up a site-to-site tunnel with a client; I managed to get this configured and everything works fine. In addition, I created an ipsec-ra tunnel group so that remote users can connect to a particular server, 192.168.10.100/24. Even though the connection is made successfully, I cannot ping any IP on the 192.168.10.0/24 LAN behind the ASA, and when I ping the inside interface of the ASA it answers with the public IP address of the outside interface.

    If someone out there could give me a little push in the right direction, it would be much appreciated! This is the current configuration of the device.

    Thanks in advance.

    : Saved
    :
    ASA Version 7.2(2)
    !
    hostname ciscoasa5510
    domain-name domain.local
    enable password 123456789 encrypted
    names
    !
    interface Ethernet0/0
     nameif outside
     security-level 0
     pppoe client vpdn group ISP
     ip address 12.34.56.789 255.255.255.255 pppoe setroute
    !
    interface Ethernet0/1
     nameif inside
     security-level 100
     ip address 192.168.10.1 255.255.255.0
    !
    interface Ethernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Ethernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     nameif management
     security-level 100
     ip address 192.168.1.1 255.255.255.0
     management-only
    !
    passwd 123456789 encrypted
    ftp mode passive
    clock timezone GMT/UTC 0
    clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
    dns server-group DefaultDNS
     domain-name domain.local
    access-list outside_20_cryptomap extended permit ip 192.168.10.0 255.255.255.0 host 10.16.2.124
    access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 host 10.16.2.124
    access-list Split_Tunnel_List remark The company network behind the ASA
    access-list Split_Tunnel_List standard permit 192.168.10.0 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    ip local pool domain_vpn_pool 192.168.11.1-192.168.11.254 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-522.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 12.34.56.789 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    group-policy domain_vpn internal
    group-policy domain_vpn attributes
     dns-server value 212.23.3.100 212.23.6.100
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value Split_Tunnel_List
    username domain_ra_vpn password 123456789 encrypted
    username domain_ra_vpn attributes
     vpn-group-policy domain_vpn
    username user password 123456789 encrypted
    username user password 123456789 encrypted
    username user password 123456789 encrypted privilege 15
    username user password 123456789 encrypted
    aaa authentication ssh console LOCAL
    aaa authentication enable console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 192.168.10.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 20 match address outside_20_cryptomap
    crypto map outside_map 20 set peer 987.65.43.21
    crypto map outside_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 20 set security-association lifetime seconds 3600
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption aes-256
     hash sha
     group 5
     lifetime 86400
    crypto isakmp policy 30
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    tunnel-group 987.65.43.21 type ipsec-l2l
    tunnel-group 987.65.43.21 ipsec-attributes
     pre-shared-key *
    tunnel-group domain_vpn type ipsec-ra
    tunnel-group domain_vpn general-attributes
     address-pool domain_vpn_pool
     default-group-policy domain_vpn
    tunnel-group domain_vpn ipsec-attributes
     pre-shared-key *
    telnet 192.168.10.0 255.255.255.0 inside
    telnet timeout 5
    console timeout 0
    vpdn group ISP request dialout pppoe
    vpdn group ISP localname [email protected]
    vpdn group ISP ppp authentication chap
    vpdn username [email protected] password *
    dhcpd dns 212.23.3.100 212.23.6.100
    dhcpd lease 691200
    dhcpd ping_timeout 500
    dhcpd domain domain.local
    !
    dhcpd address 192.168.10.10-192.168.10.200 inside
    dhcpd enable inside
    !
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    !
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:1234567890987654321
    : end

    Hello

    It seems to me that you are at least missing the NAT0 configuration for your VPN Client connection.

    This configuration is meant to allow the VPN Clients to communicate with the local network using their original IP addresses. The main reason it is needed, though, is to keep this traffic from matching the normal dynamic PAT rule, which would make that traffic fail.

    You can add an ACL rule to the existing NAT0 ACL you have above, and the NAT configuration should then be good to go.

    Add this:

    access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0

    Hope this helps

    Let me know how it goes

    -Jouni

  • AnyConnect client cannot access external sites

    I am setting up AnyConnect VPN with no split tunneling on an ASA 5505, v8.2. It seems like it should be really easy. I must be missing something.

    I can get AnyConnect users to connect just fine, and they can access internal sites and sites on the other side of the IPSec tunnels. But no access to the internet.

    Internal is 10.1.1.x; the VPN pool is 10.1.1.251-253 (a temporary pool for testing). I ran the following packet-tracer:

    packet-tracer input outside tcp 10.1.1.253 12345 69.147.125.65 80 detailed

    The last reported phase (where it fails) is:

    Phase: 7
    Type: WEBVPN-SVC
    Subtype: in
    Result: DROP
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xda7e9808, priority=70, domain=svc-ib-tunnel-flow, deny=false
    hits=364, user_data=0xcb000, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip=TempVPNPool3, mask=255.255.255.255, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

    What does WEBVPN-SVC mean here?

    Relevant config:

    No ACLs, filters or group-policy restrictions on the HQ clients.

    same-security-traffic permit intra-interface

    global (outside) 1 interface

    On advice, I added: nat (outside) 1 10.1.1.0 255.255.255.0; with that I can get tunnel clients out to outside hosts, but then no IPSec.

    Kind of weird that with this in place the packet-tracer output does not change. It still shows a deny, but the site is accessible.

    When you say tunnel IPsec sites... is that the tunnels IPsec Site to Site on the SAA?

    The command:

    NAT (outside) 1 10.1.1.0 255.255.255.0

    It should allow the AnyConnect customer pool for PATed to Internet.

    If you need clients AnyConnect to access the Internet and the access to remote IPsec tunnels as well, you can do it with policy NAT:

    access-list anyconnect extended deny ip 10.1.1.0 255.255.255.0 x.x.x.x
    access-list anyconnect extended deny ip 10.1.1.0 255.255.255.0 y.y.y.y
    access-list anyconnect extended permit ip 10.1.1.0 255.255.255.0 any
    nat (outside) 1 access-list anyconnect
    global (outside) 1 interface

    With the above configuration you are bypassing NAT for the AnyConnect clients when they access remote sites through the IPsec tunnels (assuming x.x.x.x and y.y.y.y are the remote networks reached through those tunnels).

    The rest of the AnyConnect pool (10.1.1.0/24) traffic will be PATed to the Internet.

    Federico.
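The following is an added example, not part of the thread or of any Cisco tool. It models the first-match evaluation the ASA applies to the policy-NAT access list in the reply above, so you can check before deploying which AnyConnect flows end up PATed to the outside interface and which are left untranslated for the site-to-site tunnels. The remote networks 192.168.10.0/24 and 192.168.20.0/24 are assumed stand-ins for the x.x.x.x / y.y.y.y placeholders; the destination 69.147.125.65 is the one from the packet-tracer in the question. It also flags ACEs that an earlier entry shadows, the usual way the "permit ... any" line ends up swallowing the deny lines.

```python
"""First-match simulation of an ASA 8.2 policy-NAT access list (added example)."""
import ipaddress
import re

# Constructed sample in ASA 8.2 syntax. The deny lines use assumed remote
# networks in place of the thread's x.x.x.x / y.y.y.y placeholders.
POLICY_NAT_ACL = """
access-list anyconnect extended deny ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list anyconnect extended deny ip 10.1.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list anyconnect extended permit ip 10.1.1.0 255.255.255.0 any
"""

# Only the 'ip <net> <mask>' and 'any' forms are handled (no 'host', no ports).
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+ip\s+"
    r"(?P<src>any|\S+\s+\S+)\s+(?P<dst>any|\S+\s+\S+)\s*$"
)


def _to_network(token):
    """'any' -> 0.0.0.0/0; 'addr mask' -> network (ASA ACLs use real masks, not wildcards)."""
    if token == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    addr, mask = token.split()
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_acl(text, name):
    """Return the ACEs of one named ACL as (action, src_net, dst_net), in configured order."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if m and m["name"] == name:
            aces.append((m["action"], _to_network(m["src"]), _to_network(m["dst"])))
    return aces


def classify_flow(aces, src, dst):
    """First matching ACE decides, as on the ASA.

    permit   -> translated by this nat/global pair (PAT to the outside address)
    deny     -> excluded from this rule and left untranslated, so the flow can
                still match the crypto ACL of a site-to-site tunnel
    no match -> this policy-NAT rule does not apply to the flow at all
    """
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, src_net, dst_net in aces:
        if s in src_net and d in dst_net:
            return "PAT to outside" if action == "permit" else "exempt (IPsec tunnel)"
    return "no policy-NAT match"


def shadowed_aces(aces):
    """Indexes of ACEs that can never match because an earlier ACE already covers them."""
    shadowed = []
    for i, (_, src, dst) in enumerate(aces):
        if any(src.subnet_of(esrc) and dst.subnet_of(edst) for _, esrc, edst in aces[:i]):
            shadowed.append(i)
    return shadowed


if __name__ == "__main__":
    acl = parse_acl(POLICY_NAT_ACL, "anyconnect")
    for dst in ("69.147.125.65", "192.168.10.5"):
        print(f"10.1.1.253 -> {dst}: {classify_flow(acl, '10.1.1.253', dst)}")
    print("shadowed ACEs:", shadowed_aces(acl))
```

Run it as-is and the Internet destination reports "PAT to outside" while the assumed remote network reports "exempt (IPsec tunnel)". Move the permit line to the top and `shadowed_aces` lists both deny entries, since 10.1.1.0/24 to any covers them completely; the ASA gives no warning for that.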

  • No internet in guest Linux bridge - cannot ping gateway

    Hi all

    I searched high and low, but I can't figure this out. I am running VMware Player 5 on a Windows 7 64-bit host with Debian 7 64-bit as the guest OS.

    I can access the internet using NAT, but I would like a bridged connection.

    I see only one network adapter to set up in the adapter settings, and it is the right one, the one I use to connect to the internet. I confirmed that the adapter has the bridge protocol active. I tried ticking "Replicate physical network connection state", but it did nothing.

    What I can do:

    I can see the virtual machine on my router and it gets a local IP address without problems.

    I can SSH into the guest OS (Debian).

    I can ping the host (my Win 7 machine) and the router (gateway/DNS).

    I can do nslookup (e.g. nslookup google.com).

    What I can not do:

    I can't access the internet. I can't ping google.com (by name or IP address) or download packages.

    Help, please.

    It turns out it was my antivirus, Bitdefender Internet Security 2013, which was blocking the virtual machine's connection.

    To solve it I had to set the VMware Player network adapter as Trusted and disable Stealth mode.

  • ESXi cannot ping uplink gateway

    I have an ESXi host connected to Cisco 3750 ports 1 and 2.

    3750 port 47 is connected to WAN1, port 48 to WAN2.

    WAN1 gateway 10.0.10.1

    WAN2 gateway 192.168.88.1

    PROBLEM:

    1. I have a Win7 VM with a vNIC in the WAN1 subnet, but it cannot ping the WAN1 gateway.

    QUESTION:

    1. Where is my mistake?

    INFO

    3750:

    #sh run
    version 12.2
    vtp domain POC
    vtp mode transparent
    ip routing
    ip domain-name poc.com
    vlan 10
     name WAN1
    !
    vlan 15
     name DMZ
    !
    vlan 20
     name SVR
    !
    vlan 30
     name USR
    !
    vlan 40
     name HA
    !
    vlan 50
     name STR
    !
    vlan 88
     name WAN2
    !
    vlan 100
     name MGMT
    !
    interface Port-channel1
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 10,15,20,30,40,50,88,100
     switchport mode trunk
     switchport nonegotiate
     spanning-tree portfast trunk
    !
    interface FastEthernet2/0/1
     switchport trunk encapsulation dot1q
     switchport mode trunk
     speed 100
     duplex full
    !
    interface FastEthernet2/0/2
     switchport trunk encapsulation dot1q
     switchport mode trunk
     speed 100
     duplex full
    !
    interface FastEthernet2/0/47
     no switchport
     ip address 10.0.10.251 255.255.255.0
    !
    interface FastEthernet2/0/48
     no switchport
     ip address 192.168.88.251 255.255.255.0
    !
    interface Vlan10
     no ip address
    !
    interface Vlan15
     ip address 10.0.15.1 255.255.255.0
    !
    interface Vlan20
     ip address 10.0.20.1 255.255.255.0
    !
    interface Vlan30
     ip address 10.0.30.1 255.255.255.0
    !
    interface Vlan40
     ip address 10.0.40.1 255.255.255.0
    !
    interface Vlan50
     ip address 10.0.50.1 255.255.255.0
    !
    interface Vlan88
     no ip address
    !
    interface Vlan100
     ip address 10.0.100.1 255.255.255.0
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 10.0.10.1
    ip route 0.0.0.0 0.0.0.0 192.168.88.1

    ESXi 6.0:

    # esxcfg-vswitch -l
    Switch Name      Num Ports   Used Ports  Configured Ports  MTU     Uplinks
    vSwitch0         3072        10          128               1500    vmnic0,vmnic1

      PortGroup Name        VLAN ID  Used Ports  Uplinks
      MGMT                  100      0           vmnic0,vmnic1
      STR                   50       0           vmnic0,vmnic1
      HA                    40       0           vmnic0,vmnic1
      USR                   30       0           vmnic0,vmnic1
      DMZ                   15       0           vmnic0,vmnic1
      WAN1                  10       2           vmnic0,vmnic1
      SVR                   20       1           vmnic0,vmnic1
      WAN2                  88       1           vmnic0,vmnic1
      Management network    100      1           vmnic0,vmnic1

    If you set ip address 10.0.10.251 255.255.255.0 on interface Vlan10 instead of on interface FastEthernet2/0/47, can you ping?
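The following is an added example, not part of the thread or of any Cisco or VMware tool. It automates the check the reply above is probing: parse the 3750 running-config and the port-group table from `esxcfg-vswitch -l` as posted, then list every ESXi port group whose VLAN has no SVI with an IP address on the switch, together with the subnets that sit on routed ("no switchport") ports instead. The embedded inputs are the thread's own data trimmed to a handful of interfaces; the parsing handles any IOS config laid out as interface blocks and any esxcfg port-group table, including port-group names containing spaces.

```python
"""Which VLANs trunked to the ESXi host have a Layer 3 gateway on the 3750? (added example)"""
import ipaddress
import re

# Constructed from the thread's 3750 config, trimmed to the interfaces that matter.
IOS_CONFIG = """
interface Port-channel1
 switchport mode trunk
!
interface FastEthernet2/0/47
 no switchport
 ip address 10.0.10.251 255.255.255.0
!
interface FastEthernet2/0/48
 no switchport
 ip address 192.168.88.251 255.255.255.0
!
interface Vlan10
 no ip address
!
interface Vlan15
 ip address 10.0.15.1 255.255.255.0
!
interface Vlan88
 no ip address
!
interface Vlan100
 ip address 10.0.100.1 255.255.255.0
!
"""

# Constructed from the esxcfg-vswitch -l output in the thread, trimmed the same way.
ESXCFG_OUTPUT = """
Switch Name      Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch0         3072        10          128               1500    vmnic0,vmnic1

  PortGroup Name        VLAN ID  Used Ports  Uplinks
  MGMT                  100      0           vmnic0,vmnic1
  DMZ                   15       0           vmnic0,vmnic1
  WAN1                  10       2           vmnic0,vmnic1
  WAN2                  88       1           vmnic0,vmnic1
  Management network    100      1           vmnic0,vmnic1
"""


def parse_interfaces(cfg):
    """Map interface name -> {'ip': IPv4Interface or None, 'routed': bool}."""
    ifaces, cur = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        m = re.match(r"^interface (\S+)$", line)
        if m:
            cur = ifaces.setdefault(m.group(1), {"ip": None, "routed": False})
            continue
        if line == "!":          # end of the current interface block
            cur = None
        if cur is None:
            continue
        if line == "no switchport":
            cur["routed"] = True
        m = re.match(r"^ip address (\S+) (\S+)$", line)   # 'no ip address' does not match
        if m:
            cur["ip"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return ifaces


def parse_portgroups(text):
    """Map port-group name -> VLAN ID from the port-group table of esxcfg-vswitch -l."""
    groups, in_table = {}, False
    for line in text.splitlines():
        if line.strip().startswith("PortGroup Name"):
            in_table = True       # everything before this header is the vSwitch summary
            continue
        m = re.match(r"^\s*(.+?)\s+(\d+)\s+(\d+)\s+(\S+)\s*$", line)
        if in_table and m:
            groups[m.group(1)] = int(m.group(2))
    return groups


def svi_gateways(ifaces):
    """VLAN ID -> SVI address, for every 'interface VlanN' that carries an ip address."""
    gws = {}
    for name, attrs in ifaces.items():
        m = re.match(r"^Vlan(\d+)$", name)
        if m and attrs["ip"] is not None:
            gws[int(m.group(1))] = attrs["ip"]
    return gws


def portgroups_without_gateway(ifaces, groups):
    """Port groups whose VLAN reaches the switch but has no Layer 3 interface there."""
    gws = svi_gateways(ifaces)
    return sorted((pg, vlan) for pg, vlan in groups.items() if vlan not in gws)


def routed_port_subnets(ifaces):
    """Subnets that live on routed ports, i.e. on no VLAN the trunk could carry."""
    return {n: a["ip"].network for n, a in ifaces.items() if a["routed"] and a["ip"]}


if __name__ == "__main__":
    ifaces, groups = parse_interfaces(IOS_CONFIG), parse_portgroups(ESXCFG_OUTPUT)
    for pg, vlan in portgroups_without_gateway(ifaces, groups):
        print(f"port group {pg!r} (VLAN {vlan}) has no SVI address on the switch")
    for name, net in routed_port_subnets(ifaces).items():
        print(f"{net} is on routed port {name}, outside any VLAN")
```

On the posted data the report names WAN1 (VLAN 10) and WAN2 (VLAN 88) as port groups with no gateway on the switch, and shows 10.0.10.0/24 and 192.168.88.0/24 living on the routed ports Fa2/0/47 and Fa2/0/48, which is exactly the mismatch the reply's suggestion of moving the address onto Vlan10 would resolve.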
