AnyConnect client cannot ping gateway
I'm currently implementing anyconnect for some users in our Organization. Once the clients connect to the VPN via. AnyConnect, they cannot access anything whatsoever, including their default gateway (via ping). I'm not sure what I did wrong, but it's a quick fix, a person can report to me. It's a little frustrating because I had this lab work, but can not see the obvious errors.
Pool VPN: 192.168.200.0/24
inside the ASA interface 192.168.2.1
Grateful for any help received.
Greg
:
ASA Version 8.2 (1)
!
hostname asaoutsidedmz
activate the encrypted 123 password
123 encrypted passwd
names of
!
interface Ethernet0/0
link to the description to the ISP router / WAN
nameif outside
security-level 0
IP address x.x.x.235 255.255.255.224
!
interface Ethernet0/1
internal LAN interface Description
Shutdown
nameif inside
security-level 100
IP 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
description of the DMZ interface
nameif dmz
security-level 50
IP 192.168.2.1 255.255.255.0
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
Shutdown
!
boot system Disk0: / asa821 - k8.bin
passive FTP mode
clock timezone IS - 5
clock to summer time EDT recurring
DNS domain-lookup outside
DNS domain-lookup dmz
DNS server-group DefaultDNS
cisco.com-domain name
outside_access_in list extended access permit tcp any host x.x.x.232 eq www
outside_access_in list extended access permit tcp any host x.x.x.234 eq ssh
pager lines 24
Outside 1500 MTU
Within 1500 MTU
MTU 1500 dmz
management of MTU 1500
local pool SSLVPNDHCP 192.168.200.20 - 192.168.200.25 255.255.255.0 IP mask
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 621.bin
don't allow no asdm history
ARP timeout 14400
Global interface 10 (external)
Global interface (dmz) 10
NAT (inside) 10 0.0.0.0 0.0.0.0
NAT (dmz) 10 0.0.0.0 0.0.0.0
static (dmz, external) x.x.x.232 192.168.2.18 netmask 255.255.255.255
static (dmz, external) x.x.x.234 192.168.2.36 netmask 255.255.255.255
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 x.x.x.225 1
dynamic-access-policy-registration DfltAccessPolicy
RADIUS Protocol RADIUS AAA server
GANYMEDE + Protocol Ganymede + AAA-server
the ssh LOCAL console AAA authentication
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
No encryption isakmp nat-traversal
Telnet timeout 5
Console timeout 5
management-access inside
!
no statistical threat detection tcp-interception
WebVPN
allow outside
SVC disk0:/anyconnect-win-2.3.2016-k9.pkg 1 image
enable SVC
tunnel-group-list activate
internal group SSLVPN strategy
SSLVPN group policy attributes
value of SSL VPN profile banner
VPN - connections 1
VPN-idle-timeout 30
Protocol-tunnel-VPN l2tp ipsec svc
WebVPN
SVC request no svc default
attributes of Group Policy DfltGrpPolicy
Protocol-tunnel-VPN IPSec l2tp ipsec
username password privilege 123 encrypted test11 0
attributes of test11 username
type of remote access service
type tunnel-group SSLVPNTunnel remote access
attributes global-tunnel-group SSLVPNTunnel
address SSLVPNDHCP pool
Group Policy - by default-SSLVPN
tunnel-group SSLVPNTunnel webvpn-attributes
enable AgricorpVPN group-alias
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
inspect the pptp
!
global service-policy global_policy
context of prompt hostname
: end
A few things to look at. Firstly, interface e0/1 is the stop of the config above for connecting clients will not be able to achieve the devices on the "inside" of the SAA. Second, you don't have NAT 0 rules configured to exempt the return of LAN or DMZ traffic to the client IP pool.
Tags: Cisco Security
Similar Questions
-
WAG320N - LAN clients cannot ping clients WLAN.
Hi all
I wonder if you can help. I currently have a router WAG320N, which seems to work out for a small problem.
However, the problem I am facing is that my LAN clients cannot ping my clients wireless and vice versa.
I googled this problem which has recommended that the AP isolation is off which is was by default.
Any other ideas?
Thanking in advance.
Sprite
As you are not able to ping customers wireless to wireline customers. Turn on the isolation of the AP.
See if that helps you.
-
Peer AnyConnect VPN cannot ping, RDP each other
I have an ASA5505 running ASA 8.3 (1) and ASDM 7.1 (1). I have a remote access VPN set up and remote access users are able to connect and access to network resources. I can ping the VPN peers between the Remote LAN. My problem counterparts VPN cannot ping (RDP, CDR) between them. Ping a VPN peer of reveals another the following error in the log of the SAA.
Asymmetrical NAT rules matched for flows forward and backward; Connection for icmp outside CBC: 10.10.10.8 outside dst: 10.10.10.9 (type 8, code 0) rejected due to the failure of reverse NAT.
Here's my ASA running-config:
ASA Version 8.3 (1)
!
ciscoasa hostname
domain dental.local
activate 9ddwXcOYB3k84G8Q encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passive FTP mode
clock timezone CST - 6
clock to summer time recurring CDT
DNS lookup field inside
DNS server-group DefaultDNS
192.168.1.128 server name
domain dental.local
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
network obj_any object
subnet 0.0.0.0 0.0.0.0
network of the RAVPN object
10.10.10.0 subnet 255.255.255.0
network of the NETWORK_OBJ_10.10.10.0_28 object
subnet 10.10.10.0 255.255.255.240
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
access-list Local_LAN_Access note VPN Customer local LAN access
Local_LAN_Access list standard access allowed host 0.0.0.0
DefaultRAGroup_splitTunnelAcl list standard access allowed 192.168.1.0 255.255.255.0
Note VpnPeers access list allow peer vpn ping on the other
permit access list extended ip object NETWORK_OBJ_10.10.10.0_28 object NETWORK_OBJ_10.10.10.0_28 VpnPeers
pager lines 24
Enable logging
asdm of logging of information
logging of information letter
address record [email protected] / * /
exploitation forest-address recipient [email protected] / * / level of information
record level of 1 600 6 rate-limit
Outside 1500 MTU
Within 1500 MTU
mask 10.10.10.5 - 10.10.10.10 255.255.255.0 IP local pool VPNPool
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 711.bin
don't allow no asdm history
ARP timeout 14400
NAT (inside, all) static source all electricity static destination RAVPN RAVPN
NAT (inside, outside) static static source NETWORK_OBJ_10.10.10.0_28 destination NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_10.10.10.0_28
NAT (inside, outside) static source all all NETWORK_OBJ_10.10.10.0_28 of NETWORK_OBJ_10.10.10.0_28 static destination
!
network obj_any object
NAT dynamic interface (indoor, outdoor)
network of the RAVPN object
dynamic NAT (all, outside) interface
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
http 192.168.1.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Community SNMP-server
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transit
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP ESP-AES-128-SHA ESP - AES - 192 - SHA ESP - AES - 256 - SHA ESP - 3DES - SHA - OF - SHA ESP - AES - 128 - SHA - TRANS ESP - AES - 192 - SHA - TRANS ESP - AES - 256 - SHA - ESP ESP - 3DES - SHA - TRANS TRANS-DES - SHA - TRANS
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
trustpoint crypto ca-CA-SERVER ROOM
LOCAL-CA-SERVER key pair
Configure CRL
Crypto ca trustpoint ASDM_TrustPoint0
registration auto
name of the object CN = ciscoasa
billvpnkey key pair
Proxy-loc-transmitter
Configure CRL
crypto ca server
CDP - url http://ciscoasa/+CSCOCA+/asa_ca.crl
name of the issuer CN = ciscoasa
SMTP address [email protected] / * /
crypto certificate chain ca-CA-SERVER ROOM
certificate ca 01
* hidden *.
quit smoking
string encryption ca ASDM_TrustPoint0 certificates
certificate 10bdec50
* hidden *.
quit smoking
crypto ISAKMP allow outside
crypto ISAKMP policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
enable client-implementation to date
Telnet 192.168.1.1 255.255.255.255 inside
Telnet timeout 5
SSH timeout 5
Console timeout 0
management-access inside
dhcpd outside auto_config
!
dhcpd address 192.168.1.50 - 192.168.1.99 inside
dhcpd allow inside
!
a basic threat threat detection
threat detection statistics
a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200
SSL-trust outside ASDM_TrustPoint0 point
WebVPN
allow outside
SVC disk0:/anyconnect-win-3.1.04072-k9.pkg 1 image
SVC profiles DellStudioClientProfile disk0: / dellstudioclientprofile.xml
enable SVC
tunnel-group-list activate
internal-password enable
chip-tunnel list SmartTunnelList RDP mstsc.exe windows platform
internal DefaultRAGroup group strategy
attributes of Group Policy DefaultRAGroup
Server DNS 192.168.1.128 value
Protocol-tunnel-VPN l2tp ipsec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list DefaultRAGroup_splitTunnelAcl
Dental.local value by default-field
WebVPN
SVC value vpngina modules
internal DefaultRAGroup_1 group strategy
attributes of Group Policy DefaultRAGroup_1
Server DNS 192.168.1.128 value
Protocol-tunnel-VPN l2tp ipsec
Dental.local value by default-field
attributes of Group Policy DfltGrpPolicy
Server DNS 192.168.1.128 value
VPN - 4 concurrent connections
Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
value of group-lock RAVPN
value of Split-tunnel-network-list Local_LAN_Access
Dental.local value by default-field
WebVPN
the value of the URL - list DentalMarks
SVC value vpngina modules
SVC value dellstudio type user profiles
SVC request to enable default webvpn
chip-tunnel enable SmartTunnelList
wketchel1 5c5OoeNtCiX6lGih encrypted password username
username wketchel1 attributes
VPN-group-policy DfltGrpPolicy
WebVPN
SVC value DellStudioClientProfile type user profiles
username privilege 15 encrypted password 5c5OoeNtCiX6lGih wketchel
username wketchel attributes
VPN-group-policy DfltGrpPolicy
WebVPN
modules of SVC no
SVC value DellStudioClientProfile type user profiles
jenniferk 5.TcqIFN/4yw0Vq1 of encrypted password privilege 0 username
jenniferk username attributes
VPN-group-policy DfltGrpPolicy
WebVPN
SVC value DellStudioClientProfile type user profiles
attributes global-tunnel-group DefaultRAGroup
address pool VPNPool
LOCAL authority-server-group
IPSec-attributes tunnel-group DefaultRAGroup
pre-shared key *.
tunnel-group DefaultRAGroup ppp-attributes
PAP Authentication
ms-chap-v2 authentication
eap-proxy authentication
type tunnel-group RAVPN remote access
attributes global-tunnel-group RAVPN
address pool VPNPool
LOCAL authority-server-group
tunnel-group RAVPN webvpn-attributes
enable RAVPN group-alias
IPSec-attributes tunnel-group RAVPN
pre-shared key *.
tunnel-group RAVPN ppp-attributes
PAP Authentication
ms-chap-v2 authentication
eap-proxy authentication
type tunnel-group WebSSLVPN remote access
tunnel-group WebSSLVPN webvpn-attributes
enable WebSSLVPN group-alias
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
173.194.64.108 SMTP server
context of prompt hostname
HPM topN enable
Cryptochecksum:3304bf6dcf6af5804a21e9024da3a6f8
: end
Hello
Seems to me that you can clean the current NAT configuration a bit and make it a little clearer.
I suggest the following changes
network of the VPN-POOL object
10.10.10.0 subnet 255.255.255.0
the object of the LAN network
subnet 192.168.1.0 255.255.255.0
PAT-SOURCE network object-group
object-network 192.168.1.0 255.255.255.0
object-network 10.10.10.0 255.255.255.0
NAT static destination LAN LAN (indoor, outdoor) static source VPN-VPN-POOL
destination VPN VPN-POOL POOL static NAT (outside, outside) 1 static source VPN-VPN-POOL
NAT interface (it is, outside) the after-service automatic PAT-SOURCE dynamic source
The above should allow
- Dynamic PAT for LAN and VPN users
- NAT0 for traffic between the VPN and LAN
- NAT0 for traffic between the VPN users
You can then delete the previous NAT configurations. Naturally, please save the configuration before you make the change, if you want to revert to the original configuration.
no static source nat (inside, everything) all electricity static destination RAVPN RAVPN
No source (indoor, outdoor) nat static static NETWORK_OBJ_10.10.10.0_28 destination NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_10.10.10.0_28
No source (indoor, outdoor) nat static everything all NETWORK_OBJ_10.10.10.0_28 of NETWORK_OBJ_10.10.10.0_28 static destination
No network obj_any object
No network object RAVPN
In case you do not want to change the settings a lot you might be right by adding this
network of the VPN-POOL object
10.10.10.0 subnet 255.255.255.0
destination VPN VPN-POOL POOL static NAT (outside, outside) 1 static source VPN-VPN-POOL
But the other above configurations changes would make NAT configurations currently simpler and clearer to see every goal of "nat" configurations.
-Jouni
-
1702i AP clients cannot ping their getway where other subnets not accessible by customers
Please can someone help with this problem
I have an AP 1702i on MC 3850 catalyst, wireless clients are assigned DHCP in the pool is created on the MC 3850 catalyst.
They can not ping gateway so other subnets not accessible by clients.
Pls attach your config 3850 to check
Rasika
-
Configuration of the ASA is below!
ASA Version 9.1 (1)
!
ASA host name
domain xxx.xx
names of
local pool VPN_CLIENT_POOL 192.168.12.1 - 192.168.12.254 255.255.255.0 IP mask
!
interface GigabitEthernet0/0
nameif inside
security-level 100
192.168.11.1 IP address 255.255.255.0
!
interface GigabitEthernet0/1
Description Interface_to_VPN
nameif outside
security-level 0
IP 111.222.333.444 255.255.255.240
!
interface GigabitEthernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/5
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
management only
nameif management
security-level 100
192.168.5.1 IP address 255.255.255.0
!
passive FTP mode
DNS server-group DefaultDNS
www.ww domain name
permit same-security-traffic intra-interface
the object of the LAN network
subnet 192.168.11.0 255.255.255.0
LAN description
network of the SSLVPN_POOL object
255.255.255.0 subnet 192.168.12.0
VPN_CLIENT_ACL list standard access allowed 192.168.11.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
management of MTU 1500
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 711.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (exterior, Interior) static source SSLVPN_POOL SSLVPN_POOL static destination LAN LAN
Route outside 0.0.0.0 0.0.0.0 111.222.333.443 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
WebVPN
list of URLS no
identity of the user by default-domain LOCAL
the ssh LOCAL console AAA authentication
AAA authentication http LOCAL console
LOCAL AAA authorization exec
Enable http server
http 192.168.5.0 255.255.255.0 management
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
Crypto ipsec pmtu aging infinite - the security association
Crypto ca trustpoint ASDM_TrustPoint5
Terminal registration
E-mail [email protected] / * /
name of the object CN = ASA
address-IP 111.222.333.444
Configure CRL
Crypto ca trustpoint ASDM_TrustPoint6
Terminal registration
domain name full vpn.domain.com
E-mail [email protected] / * /
name of the object CN = vpn.domain.com
address-IP 111.222.333.444
pair of keys sslvpn
Configure CRL
trustpool crypto ca policy
string encryption ca ASDM_TrustPoint6 certificates
Telnet timeout 5
SSH 192.168.11.0 255.255.255.0 inside
SSH timeout 30
Console timeout 0
No ipv6-vpn-addr-assign aaa
no local ipv6-vpn-addr-assign
192.168.5.2 management - dhcpd addresses 192.168.5.254
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
SSL-trust outside ASDM_TrustPoint6 point
WebVPN
allow outside
CSD image disk0:/csd_3.5.2008-k9.pkg
AnyConnect image disk0:/anyconnect-win-3.1.04066-k9.pkg 1
AnyConnect enable
tunnel-group-list activate
attributes of Group Policy DfltGrpPolicy
Ikev1 VPN-tunnel-Protocol l2tp ipsec without ssl-client
internal VPN_CLIENT_POLICY group policy
VPN_CLIENT_POLICY group policy attributes
WINS server no
value of server DNS 192.168.11.198
VPN - 5 concurrent connections
VPN-session-timeout 480
client ssl-VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list VPN_CLIENT_ACL
myComp.local value by default-field
the address value VPN_CLIENT_POOL pools
WebVPN
activate AnyConnect ssl dtls
AnyConnect Dungeon-Installer installed
AnyConnect ssl keepalive 20
time to generate a new key 30 AnyConnect ssl
AnyConnect ssl generate a new method ssl key
AnyConnect client of dpd-interval 30
dpd-interval gateway AnyConnect 30
AnyConnect dtls lzs compression
AnyConnect modules value vpngina
value of customization DfltCustomization
internal IT_POLICY group policy
IT_POLICY group policy attributes
WINS server no
value of server DNS 192.168.11.198
VPN - connections 3
VPN-session-timeout 120
Protocol-tunnel-VPN-client ssl clientless ssl
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list VPN_CLIENT_ACL
field default value societe.com
the address value VPN_CLIENT_POOL pools
WebVPN
activate AnyConnect ssl dtls
AnyConnect Dungeon-Installer installed
AnyConnect ssl keepalive 20
AnyConnect dtls lzs compression
value of customization DfltCustomization
username vpnuser password PA$ encrypted $WORD
vpnuser username attributes
VPN-group-policy VPN_CLIENT_POLICY
type of remote access service
Username vpnuser2 password PA$ encrypted $W
username vpnuser2 attributes
type of remote access service
username admin password ADMINPA$ $ encrypted privilege 15
VPN Tunnel-group type remote access
General-attributes of VPN Tunnel-group
address VPN_CLIENT_POOL pool
Group Policy - by default-VPN_CLIENT_POLICY
VPN Tunnel-group webvpn-attributes
the aaa authentication certificate
enable VPN_to_R group-alias
type tunnel-group IT_PROFILE remote access
attributes global-tunnel-group IT_PROFILE
address VPN_CLIENT_POOL pool
Group Policy - by default-IT_POLICY
tunnel-group IT_PROFILE webvpn-attributes
the aaa authentication certificate
enable IT Group-alias
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
: end
Hello
Here's what you'll need:
permit same-security-traffic intra-interface
VPN_CLIENT_ACL standard access list allow 192.168.12.0 255.255.255.0
destination NAT (outside, outside) SSLVPN_POOL SSLVPN_POOL SSLVPN_POOL SSLVPN_POOL static static source
Patrick
-
VM management host cannot ping gateway or switch
Hello
We have a server Esx 5.0 with 3 vm on it. When I try to ping the management network of vm for my pc that I do not get an answer too trying to ping from the vmn console I can not ping to the gateway, but I can ping dns. However, I can rdp in vm servers and the ping to the gateway of each server, as well as newspapers in vsphere. We have a system with 2 voip VLAN, the other data and another for voice. Hosts and servers are all on the same cisco switch.VM management network
IP - 192.168.1.6
Sub - 255.255.255.0
GW - 192.168.1.1
DNS - 192.168.1.10
Cisco switch - 192.168.1.3
Data Vlan - 192.168.1.1
Firewall - 192.168.1.2
PC
-cannot ping 192.168.1.6
-can ping everything else
From the console network management
-cannot ping 192.168.1.1 a.3 or any pc
-can ping 192.168.1.10
It sounds like a switch problem but do not know how to fix it. The switch is a switch of cisco small business pro 8 ports
Make sure that your routing has L3 to a defined network to get traffic to your host (192.168.1.0/24) network to any network it seeks to achieve. You did not show what the subnet for the PCs are so I'm not sure that the network is.
Regarding the gateway ping, make sure that the echo ICMP message is enabled by the firewall so that ping responses can go to the host. If you still cannot ping the gateway with that on, there may be a larger problem with your connectivity.
-
Comments of the ESXi5 cannot ping gateway
Hello
Structure of the environment
Router (192.168.6.1)
-Linux
Virtual machine workstation - 8
-ESXi5 (192.168.6.220)
-srv01 ((Win2008r2) (192.168.6.221)(static pi))
-srv02 (WIn2008r2) (192.168.6.111) (DHCP)Srv01 can ping srv02
Srv01 can ping ESXi5
Srv01 cannot pingSRV02 can get the ip address of the server DHCP (192.168.6.1)
SRV02 can ping srv01
SRV02 can ping ESXi5
SRV02 cannot ping routerRouter cannot ping srv01, srv02
Router can ping ESXi5Question:
What should I do:
to get srv01 ping router
to get the router to ping srv01?See http://kb.vmware.com/kb/287 for instructions on enabling virtual for your ethernet adapters promiscuous mode.
-
AnyConnect Clients cannot communicate with each other
I have a problem that I've been pulling my hair out... my teleworkers connect to our network of Corp. via a connection AnyConnect VPN (version 3.1) to a Cisco ASA5520. I have not split tunneling enabled for this profile, so that all traffic should pass through the tunnel and all guests are in the same subnet L3... as far as their IP VPN address goes. The problem is the teleworker PCs cannot communicate with each other (pings/RDP/etc.). When I look at the newspaper I see traffic from one to another, have denied anything, but they do not communicate. My Network Corp., I can communicate with the two PCs Anyconnect very well. When I go to monitoring. ASDM itineraries I see each host that is connected to the ASA via Anyconnect, and the gateway for each is the default gateway of the SAA.
Am I missing some setting in the VPN profile that prevents the access between these hosts? I think that something come in the newspaper...
Have you enabled crossed and also a free NAT between AnyConnect users?
permit same-security-traffic intra-interface
network of the AnyConnect_users object
subnet
public static AnyConnect_users AnyConnect_users destination NAT (outside, outside) static source AnyConnect_users AnyConnect_users
If this does not resolve your problem, please post a sanitized complete configuration of your ASA.
-
Two remote AnyConnect clients cannot get two voice via softphones?
We have a situation where two remote users of SSL VPNS cannot establish a voice call via softphones or cookie lync. They can both talk but I can't hear the other. Each user can call external or the office LAN without problems.
I'm under ASA version 9.1 (5) and v.3.1.05170 AnyConnect. Pretty basic config (purified) - any help would be appreciated!
# sh run
: Saved
:
ASA Version 9.1 (5)
!
host device name
something.com domain name
activate the encrypted password
volatile xlate deny tcp any4 any4
volatile xlate deny tcp any4 any6
volatile xlate deny tcp any6 any4
volatile xlate deny tcp any6 any6
volatile xlate deny udp any4 any4 eq field
volatile xlate deny udp any4 any6 eq field
volatile xlate deny udp any6 any4 eq field
volatile xlate deny udp any6 any6 eq field
encrypted passwd
names of
General pool of local pool IP 10.x.x.x - 10.x.x.y
IP local pool pool-ops-TI 10.y.y.y - 10.y.y.zinterface GigabitEthernet0/0
nameif outside
security-level 0
IP x.x.x.x where x.x.x.x
!
interface GigabitEthernet0/1
description of the inside interface
nameif inside
security-level 100
IP address y.y.y.y y.y.y.y
!
interface GigabitEthernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/5
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/6
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/7
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
management only
Shutdown
No nameif
no level of security
no ip address
!
banner login ***********************************************************************
connection of the banner! ONLY AUTHORIZED USERS ARE ALLOWED TO CONNECT UNDER PENALTY OF LAW.
connection of the banner is a computer network that is private and can be used only in direct
banner connection explicit owner. The owner reserves the right to
banner connection monitor use this network to ensure the security of networks and respond
banner connect on specific allegations of misuse. Use of this network must
the banner sign a consent to the monitoring of these or other purposes.
connection banner in addition, the owner reserves the right to consent to a valid
application of law banner connection to search the network for evidence of a crime
banner stored within the network connection.
banner login ***********************************************************************
banner asdm ***********************************************************************
asdm banner! ONLY AUTHORIZED USERS ARE ALLOWED TO CONNECT UNDER PENALTY OF LAW.
asdm banner is a computer network that is private and can be used only in direct
banner asdm explicit owner. The owner reserves the right to
banner asdm monitor use this network to ensure the security of networks and respond
asdm banner of specific allegations of misuse. Use of this network must
banner asdm you consent to the monitoring of these or other purposes.
asdm banner in addition, the owner reserves the right to consent to a valid
application of law banner asdm to search the network for evidence of a crime
asdm banner stored within the network.
banner asdm ***********************************************************************
boot system Disk0: / asa915-smp - k8.bin
passive FTP mode
clock timezone CST - 6
clock to summer time recurring CDT 1 Sun Mar 1 Sun Nov 02:00 02:00
DNS lookup field inside
DNS server-group DefaultDNS
Server name 192.168.0.0
Server name 192.168.0.0
something.com domain name
Local_LAN_Access list standard access allowed host 0.0.0.0
pager lines 24
Enable logging
timestamp of the record
exploitation forest-size of the buffer 40960
logging buffered stored notifications
logging trap notifications
record of the mistakes of history
notifications of logging asdm
logging - the id of the device hostname
logging inside 10.0.0.0 host
logging inside 10.0.0.0 host
Outside 1500 MTU
Within 1500 MTU
IP verify reverse path to the outside interface
IP verify reverse path inside interface
no failover
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow any echo outdoors
ICMP allow any inaccessible outside
ICMP allow any inside
ASDM image disk0: / asdm - 721.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
Route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
Route inside 10.0.0.0 255.0.0.0 y.y.y.y 1
Route inside 192.168.0.0 255.255.0.0 y.y.y.y 1
Route inside 0.0.0.0 0.0.0.0 y.y.y.y in tunnel
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
test_VPN card-attribute LDAP
name of the memberOf Group Policy map
map-value memberOf "CN = test VPN, OR = groups of VPN, OR = Groups, OU = company, DC =, DC =, DC = com" "test VPN".
dynamic-access-policy-registration DfltAccessPolicy
AAA-server test-deviceauth protocol ldap
Max - a attempts failed 5
AAA-server baird-deviceauth (inside) host 192.x.x.x
Server-port 636
LDAP-base-dn DC = x, DC =, DC = z
LDAP-scope subtree
LDAP-login-password
LDAP-connection-dn cn = b, OU = Service accounts, DC = x, DC =, DC = z
enable LDAP over ssl
microsoft server type
AAA-server test-rsa Protocol sdi
AAA-server test-rsa (inside) host
interval before attempt-3 new
AAA-server auth-ldap-tes ldap Protocol
AAA-server test-ldap-auth (inside) host
Server-port 636
LDAP-base-dn DC = country, DC = a, DC = com
LDAP-scope subtree
LDAP-login-password
LDAP-connection-dn CN = b, OU = Service accounts, DC = x, DC =, DC = z
enable LDAP over ssl
microsoft server type
LDAP-attribute-map test_VPN
identity of the user by default-domain LOCAL
the ssh LOCAL of baird-deviceauth console AAA authentication
HTTP authentication AAA console LOCAL baird-deviceauth
serial baird-deviceauth LOCAL console AAA authentication
Enable http server
http inside x.x.x.x y.y.y.y
HTTP 1.1.1.1 255.255.255.0 inside
redirect http outside 80
SNMP-server host inside x.x.x.x trap community version 2 c
SNMP server location
contact SNMP Server
SNMP-server community
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
Server enable SNMP traps entity power cpu-temperature
Crypto ipsec pmtu aging infinite - the security association
Crypto ca trustpoint trustpoint-selfsigned-vpncso
registration auto
FQDN
name of the object CN =, O =, C =, St =, =.
key pair
Configure CRL
Crypto ca trustpoint
Terminal registration
Configure CRL
Crypto ca trustpoint
Terminal registration
FQDN
name of the object CN = OR =, O =, C = St =, =.
key pair
Configure CRL
Crypto ca trustpoint
Terminal registration
Configure CRL
Crypto ca trustpoint
Terminal registration
Configure CRL
Crypto ca trustpoint
Terminal registration
Configure CRL
trustpool crypto ca policyTelnet timeout 5
SSH enable ibou
SSH stricthostkeycheck
x.x.x.x inside SSH
SSH timeout 30
SSH version 2
SSH group dh-Group1-sha1 key exchange
Console timeout 15
No vpn-addr-assign aaa
No dhcp vpn-addr-assign
No ipv6-vpn-addr-assign aaa
no local ipv6-vpn-addr-assign
no statistical access list - a threat detection
no statistical threat detection tcp-interception
NTP server 1.1.1.1 source inside
NTP server 2.2.2.2 source inside
SSL-trust outside ASDM_TrustPoint0 point
WebVPN
allow outside
AnyConnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 1
AnyConnect image disk0:/anyconnect-macosx-i386-3.1.05170-k9.pkg 2
AnyConnect profiles baird-client-profile disk0: / customer-baird - profile .xml
AnyConnect enable
attributes of Group Policy DfltGrpPolicy
value of banner! ONLY AUTHORIZED USERS ARE ALLOWED TO CONNECT UNDER PENALTY OF LAW.
value of banner is a computer network that is private and can be used only in direct
banner value explicit owner. The owner reserves the right to
banner value monitor use this network to ensure the security of networks and respond
the value of the banner of the specific allegations of misuse. Use of this network must
value of the banner a consent to the monitoring of these or other purposes.
value of server DNS 1.1.1.1 2.2.2.2
VPN - connections 2
client ssl-VPN-tunnel-Protocol
Split-tunnel-policy excludespecified
value of Split-tunnel-network-list Local_LAN_Access
something.com value by default-field
Split-dns value something.com, us.something.com
activate dns split-tunnel-all
the address value general-pool pools
WebVPN
use-smart-tunnel homepage
AnyConnect value dart modules, nam
AnyConnect value profiles baird-client-profile user type
AnyConnect ask flawless anyconnect
Group Policy 'test' internal
Group Policy attributes 'test '.
Split-tunnel-policy excludespecified
value of Split-tunnel-network-list Local_LAN_Access
activate dns split-tunnel-all
the address value it-ops-pool pools
internal testMacs group policy
attributes of the strategy of group testMacs
WINS server no
value of server DNS 1.1.1.1 2.2.2.2
client ssl-VPN-tunnel-Protocol
field default value xyz.com
username admin privilege 15 encrypted password
attributes global-tunnel-group DefaultRAGroup
test-rsa authentication-server-group
test-ldap-auth authorization-server-group
management of the password password-expire-to-days 10
tunnel-group DefaultRAGroup webvpn-attributes
the aaa authentication certificate
attributes global-tunnel-group DefaultWEBVPNGroup
test-rsa authentication-server-group
test-ldap-auth authorization-server-group
management of the password password-expire-to-days 10
tunnel-group DefaultWEBVPNGroup webvpn-attributes
the aaa authentication certificate
tunnel-group test remote access connection type
tunnel-group test-Connect General attributes
test-rsa authentication-server-group
test-ldap-auth authorization-server-group
management of the password password-expire-to-days 10
tunnel-group test connection webvpn-attributes
the aaa authentication certificate
allow group-url http://abc.xyz.com
allow group-url https://abc.xyz.rwbaird.com
type tunnel-group testMacs remote access
tunnel-group testMacs General-attributes
test-rsa authentication-server-group
test-ldap-auth authorization-server-group
Group Policy - by default-testMacs
management of the password password-expire-to-days 10
use-set-name of the secondary-username-of-certificate
tunnel-group testMacs webvpn-attributes
allow group-url http://abc.xyz.com/macs
allow group-url https://abc.xyz.com/macs
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
Review the ip options
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory 26
Subscribe to alert-group configuration periodic monthly 26
daily periodic subscribe to alert-group telemetry
Cryptochecksum:aa675139dc84529791f9aaba46eb17f9
: endI confess that I have not read your config in detail, but a few tips:
-If you do split tunnel, don't forget to push a route for the entire pool VPN subnet or subnets of VPN clients
-Make sure you have the same-security-traffic permitted intra-interface
http://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa81/command/ref/refg...
-If you use NAT, you must exclude such NAT inter-VPN-device traffic
-If you have ACLs (not shown) do not forget to leave your pool VPN subnet is talking to himself. Generally, it would be in the ACL entering the external interface.
at the end of the packet - trace is your friend.
NGP
-
ASA 5520: Remote VPN Clients cannot ping LAN, Internet
I've set up a few of them in my time, but I am confused with this one. Can I establish connect via VPN tunnel but I can't ping or go on the internet. I searched the forum for similar and found a little issues, but none of the fixes seem to match. I noticed a strange thing is when I run ipconfig/all of the vpn client, the IP address that has been leased over the Pool of the VPN is also the default gateway!
I have attached the config. Help, please.
Thank you!
Exemption of NAT ACL has not yet been applied.
NAT (inside) 0-list of access Inside_nat0_outbound
In addition, you have not split tunnel, not sure you were using internet ASA for the vpn client internet browsing.
You can also enable icmp inspection if you test in scathing:
Policy-map global_policy
class inspection_defaultinspect the icmp
Hope that helps.
-
The VPN Clients cannot Ping hosts
I'll include a post my config. I have clients that connect through the VPN tunnel on the 180.0.0.0/24 network, 192.168.1.0/24 is the main network for the office.
I can connect to the VPN, and I received a correct address assignment. I belive tunneling can be configured correctly in the aspect that I can always connect to the internet then on the VPN, but I can't ping all hosts on the 192.168.1.0 network. In the journal of the ASDM debugging, I see pings to the ASA, but no response is received on the client.
6 February 21, 2013 21:54:26 180.0.0.1 53508 192.168.1.1 0 Built of ICMP incoming connections for faddr gaddr laddr 192.168.1.1/0 (christopher) 192.168.1.1/0 180.0.0.1/53508 Any help would be greatly appreciated, I'm currently presuring my CCNP so I would get a deeper understanding of how to resolve these issues.
-Chris
hostname RegencyRE - ASA
domain regencyrealestate.info
activate 2/VA7dRFkv6fjd1X of encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
name 180.0.0.0 Regency
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
link to the description of REGENCYSERVER
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
link to the description of RegencyRE-AP
!
interface Vlan1
nameif inside
security-level 100
192.168.1.120 IP address 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP x.x.x.x 255.255.255.248
!
passive FTP mode
clock timezone PST - 8
clock summer-time recurring PDT
DNS lookup field inside
DNS domain-lookup outside
DNS server-group DefaultDNS
Server name 208.67.220.220
name-server 208.67.222.222
domain regencyrealestate.info
inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 Regency 255.255.255.224
RegencyRE_splitTunnelAcl list standard access allowed 192.168.1.0 255.255.255.0
outside_access_in list extended access permit icmp any one
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
mask Regency 180.0.0.1 - 180.0.0.20 255.255.255.0 IP local pool
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow any inside
ICMP allow all outside
ASDM 255.255.255.0 inside Regency location
ASDM location 192.168.0.0 255.255.0.0 inside
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0-list of access inside_nat0_outbound
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 12.186.110.2 1
Route inside 192.0.0.0 255.0.0.0 192.168.1.102 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
the ssh LOCAL console AAA authentication
LOCAL AAA authentication serial console
http server enable 8443
http 0.0.0.0 0.0.0.0 outdoors
http 0.0.0.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH 0.0.0.0 0.0.0.0 inside
SSH 0.0.0.0 0.0.0.0 outdoors
SSH timeout 15
SSH version 2
Console timeout 0
dhcprelay Server 192.168.1.102 inside
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
NTP server 69.25.96.13 prefer external source
NTP server 216.171.124.36 prefer external source
WebVPN
internal RegencyRE group strategy
attributes of Group Policy RegencyRE
value of server DNS 208.67.220.220 208.67.222.222
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list RegencyRE_splitTunnelAcl
username password encrypted adriana privilege 0
christopher encrypted privilege 15 password username
irene encrypted password privilege 0 username
type tunnel-group RegencyRE remote access
attributes global-tunnel-group RegencyRE
Regency address pool
Group Policy - by default-RegencyRE
IPSec-attributes tunnel-group RegencyRE
pre-shared key R3 & eNcY1.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
Review the ip options
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:35bc3a41701f7f8e9dde5fa35532896d
: end
Hello
-be sure that the destination host 192.168.1.x has a route towards 180.0.0.0 by the ASA gateway.
-Configure the following figure:
capture capin interface inside match icmp 192.168.1.x host 180.0.0.x
capture ASP asp type - drop all
then make a continuous ping and get 'show capin cap' and 'asp cap.
-then check the ping, the 'encrypted' counter is increasing in the VPN client statistics
I would like to know about it, hope this helps
----
Mashal
-
Cisco VPN Client cannot ping from LAN internal IP
Hello
I apologize in advance for my lack of knowledge about it, but I got a version of the software running ASA 5510 7.2 (2) and has been invited to set up a site with a client, I managed to get this configured and everything works fine. In addition, I created a group of tunnel ipsec-ra for users to connect to a particular server 192.168.10.100/24 remote, even if the connection is made successfully, I can not ping any IP on the LAN 192.168.10.0/24 located behind the ASA and when I ping inside the interface on the ASA it returns the public IP address of the external interface.
If someone out there could give me a little push in the right direction, it would be much appreciated! This is the current configuration of the device.
Thanks in advance.
: Saved
:
ASA Version 7.2 (2)
!
hostname ciscoasa5510
domain.local domain name
activate the password. 123456789 / encrypted
names of
!
interface Ethernet0/0
nameif outside
security-level 0
PPPoE client vpdn group ISP
12.34.56.789 255.255.255.255 IP address pppoe setroute
!
interface Ethernet0/1
nameif inside
security-level 100
IP 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
nameif management
security-level 100
IP 192.168.1.1 255.255.255.0
management only
!
passwd encrypted 123456789
passive FTP mode
clock timezone GMT/UTC 0
summer time clock GMT/BDT recurring last Sun Mar 01:00 last Sun Oct 02:00
DNS server-group DefaultDNS
domain.local domain name
permit outside_20_cryptomap to access extended list ip 192.168.10.0 255.255.255.0 host 10.16.2.124
permit inside_nat0_outbound to access extended list ip 192.168.10.0 255.255.255.0 host 10.16.2.124
access-list Split_Tunnel_List note the network of the company behind the ASA
Split_Tunnel_List list standard access allowed 192.168.10.0 255.255.255.0
pager lines 24
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
management of MTU 1500
IP local pool domain_vpn_pool 192.168.11.1 - 192.168.11.254 mask 255.255.255.0
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 522.bin
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 1 0.0.0.0 0.0.0.0
Route outside 0.0.0.0 0.0.0.0 12.34.56.789 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout, uauth 0:05:00 absolute
internal domain_vpn group policy
attributes of the strategy of group domain_vpn
value of 212.23.3.100 DNS server 212.23.6.100
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list Split_Tunnel_List
username domain_ra_vpn password 123456789 encrypted
username domain_ra_vpn attributes
VPN-group-policy domain_vpn
encrypted utilisateur.123456789 password username
encrypted utilisateur.123456789 password username
privilege of username user password encrypted passe.123456789 15
encrypted utilisateur.123456789 password username
the ssh LOCAL console AAA authentication
AAA authentication enable LOCAL console
Enable http server
http 192.168.1.0 255.255.255.0 management
http 192.168.10.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto-map dynamic outside_dyn_map 20 set pfs
Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA
card crypto outside_map 20 match address outside_20_cryptomap
peer set card crypto outside_map 20 987.65.43.21
outside_map crypto 20 card value transform-set ESP-3DES-SHA
3600 seconds, duration of life card crypto outside_map 20 set - the security association
map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
aes-256 encryption
sha hash
Group 5
life 86400
crypto ISAKMP policy 30
preshared authentication
3des encryption
sha hash
Group 2
life 86400
tunnel-group 987.65.43.21 type ipsec-l2l
IPSec-attributes tunnel-group 987.65.43.21
pre-shared-key *.
tunnel-group domain_vpn type ipsec-ra
tunnel-group domain_vpn General-attributes
address domain_vpn_pool pool
Group Policy - by default-domain_vpn
domain_vpn group of tunnel ipsec-attributes
pre-shared-key *.
Telnet 192.168.10.0 255.255.255.0 inside
Telnet timeout 5
Console timeout 0
VPDN group ISP request dialout pppoe
VPDN group ISP localname [email protected] / * /
VPDN group ISP ppp authentication chap
VPDN username [email protected] / * / password *.
dhcpd dns 212.23.3.100 212.23.6.100
dhcpd lease 691200
dhcpd ping_timeout 500
domain.local domain dhcpd
!
dhcpd address 192.168.10.10 - 192.168.10.200 inside
dhcpd allow inside
!
management of 192.168.1.2 - dhcpd address 192.168.1.254
enable dhcpd management
!
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum:1234567890987654321
: end
Hello
Seems to me that you are atleast lack the NAT0 configuration for your VPN Client connection.
This configuration is intended to allow the VPN Client to communicate with the local network with their original IP addresses. Although the main reason that this is necessary is to avoid this traffic to the normal rule of dynamic PAT passing this traffic and that traffic is falling for the corresponding time.
You can add an ACL rule to the existing ACL NAT0, you have above and the NAT configuration should go next
Add this
permit inside_nat0_outbound to access extended list ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0
Hope this helps
Let me know how it goes
-Jouni
-
AnyConnect client cannot access external sites
I am installing AnyConnect VPN with no split tunneling. ASA 5505 v8.2. It seems that it should be really easy. I must be missing something.
I can get AnyConnect users to connect very well and they can access internal sites and on other sites in IPSec tunnel. But no access to internet.
Internal 10.1.1.x pool VPN is 10.1.1.251 - 253 (list of Temp for the test). I have published the following plotter:
packet-tracer input outside tcp 10.1.1.253 12345 69.147.125.65 80 detailed
The last reported point (where it fails) is:
Phase: 7
Type: WEBVPN-SVC
Subtype: in
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xda7e9808, priority=70, domain=svc-ib-tunnel-flow, deny=false
hits=364, user_data=0xcb000, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=TempVPNPool3, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Which means by SVC-WEBVPN?
A relevant config:
No ACLs, filters or limitations of policy group on HQ customers.
Security-same permit intra-interface
Global 1 interface (outside)On advice, I've added: nat (outside) 1 10.1.1.0 255.255.255.0, then I can get no tunnel guests outside guests, but then no IPSec.
Kind of a weird, that with this, the tracer of package does not change. Continue to deny shows, but the site is accessible.
When you say tunnel IPsec sites... is that the tunnels IPsec Site to Site on the SAA?
The command:
NAT (outside) 1 10.1.1.0 255.255.255.0
It should allow the AnyConnect customer pool for PATed to Internet.
If you need clients AnyConnect to access the Internet and the access to remote IPsec tunnels as well, you can do it with policy NAT:
access-list anyconnect deny ip 10.1.1.0 255.255.255.0 x.x.x.x
access-list anyconnect deny ip 10.1.1.0 255.255.255.0 y.y.y.y
access-list allowed anyconnect ip 10.1.1.0 255.255.255.0 any
NAT (outside) 1 access list anyconnect
Global 1 interface (outside)
With the above configuration, you are bypassing NAT for AnyConnect customers when they want to access remote sites through the IPsec tunnels (assuming that x.x.x.x and y.y.y.y for remote networks through these tunnels).
And the rest of the AnyConnect (10.1.1.0/24) pool will be PATed to Internet.
Federico.
-
No internet in guest Linux bridge - cannot ping gateway
Hi all
I searched high and low, but I can't understand this. I am running VMware Player 5 with Debian 7 64-bit Windows 7 64 - bit host and guest OS.
I can access the internet using NAT, but I would like to have connect like bridge.
I see only one network adapter in adapters to set up and it's the right one, one I use to connect to the internet. I confirmed that the adapter has protocol active bridge. I tried ticking the "Physical replicate network connection", but he did nothing.
What I can do:
I can see my router's virtual machine and assign a local ip address without problems.
I can't SSH into the guest OS (Debian).
I can ping the host (my Win 7 machine) and the router (gateway/DNS)
I do nslookup (e.g. nslookup google.com)
What I can not do:
I can't access the internet. I can't ping google.com (by name or IP address) or download the packages.
Help, please.
It turns out it was my antivirus, Bitdefender Internet Security 2013, which was blocking the connection of the virtual machine.
VMware Player was to solve what I had to put the network adapter address as Trusted and Stealth mode disabled.
-
ESXi cannot ping uplink gateway
I have ESXi that connect to 2 and Cisco 3750 port1.
3750 port47 connect to WAN1, 48 connected to WAN2
WAN1 gateway 10.0.10.1
WAN2 gateway 192.168.88.1
PROBLEMS:
1. I have WIN7 with vnic WAN1 subnet, but cannot ping gateway WAN1
QUESTIONS RELATING TO THE:
1. where is my mistake
INFO
3750:
#sh run
version 12.2
POC VTP domain
VTP transparent mode
IP routing
IP - poc.com domain name
VLAN 10
name WAN1
!
VLAN 15
name DMZ
!
VLAN 20
name SVR
!
VLAN 30
name USR
!
VLAN 40
name HA
!
VLAN 50
name STR
!
VLAN 88
name WAN2
!
VLAN 100
name of MGMT
!
Interface Port - Channel 1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,15,20,30,40,50,88,100
switchport mode trunk
switchport nonegotiate
spanning tree portfast trunk
!
FastEthernet2/0/1 interface
switchport trunk encapsulation dot1q
switchport mode trunk
Speed 100
full duplex
!
interface FastEthernet2/0/2
switchport trunk encapsulation dot1q
switchport mode trunk
Speed 100
full duplex
!
interface FastEthernet2/0/47
No switchport
IP 10.0.10.251 255.255.255.0
!
interface FastEthernet2/0/48
No switchport
IP 192.168.88.251 255.255.255.0
!
interface Vlan10
no ip address
!
interface Vlan15
IP 10.0.15.1 255.255.255.0
!
interface Vlan20
IP 10.0.20.1 255.255.255.0
!
Vlan30 interface
IP 10.0.30.1 255.255.255.0
!
interface Vlan40
IP 10.0.40.1 255.255.255.0
!
interface Vlan50
IP 10.0.50.1 255.255.255.0
!
interface Vlan88
no ip address
!
interface Vlan100
10.0.100.1 IP address 255.255.255.0
!
IP classless
IP route 0.0.0.0 0.0.0.0 10.0.10.1
IP route 0.0.0.0 0.0.0.0 192.168.88.1
ESXi 6.0
#esxcfg - vswitch - l
Switch name Num used Ports configured Ports MTU rising ports
vSwitch0 3072 10 128 1500 vmnic0, vmnic1
Name PortGroup VLAN ID used rising Ports
MGMT 100 0 vmnic0, vmnic1
STR 50 0 vmnic0, vmnic1
40 0 vmnic0, vmnic1 HA
USR 30 0 vmnic0, vmnic1
DMZ 15 0 vmnic0, vmnic1
WAN1 10 2 vmnic0, vmnic1
SVR 20 1 vmnic0, vmnic1
WAN2 88 1 vmnic0, vmnic1
Management network 100 1 vmnic0, vmnic1
If you set the IP 10.0.10.251 255.255.255.0 on interface Vlan10 instead of the interface FastEthernet2/0/47 you can ping?
Maybe you are looking for
-
I had to reset Firefox as some of my online banking applications were not meet.
-
Time Machine error message wants to delete all backups
Is there a way to delete older backups? I am able to see them in my time Machine, but I get this error when I try to save "Time Machine has conducted an audit of your backups on"PersonalCloud". To improve reliability, Time Machine must create a new b
-
ThinkPad A30p Type 2653, how much memory can it really take?
My Thinkpad A30p Type 2653 has two memory slots with one of the modules of 512 and 256 installed. I use Windows XP Pro now and see that when using a web browser and scroll up and down to its very slow and moves in small increments. I suspect a memory
-
HP Designjet 5500: Random Error Messages
This image occurs in the course of employment. We see very briefly (2-3 seconds) at random times. Then, this image occurs after the machine beeps. Sometimes (about 25% of the time) this will disappear and the print job will resume after a minute or t
-
BlackBerry 10 Confusion with the OS versions
Good evening where can I find which version number is the latest version of the BB OS? I couldn't find the number on the BB site, but found one in the English Wikipedia: 10.3.2.2789. My phone (Q10) says he has the version of the 10.3.2.2474 software