Application VPN ping problem

I installed a VPN for access by HVAC equipment vendors.

The profile is RCPS_Vendor.

The DHCP pool is RCPS_Vendor.

It terminates on the outside interface.

Here are the steps I took:

Remote access, on the outside interface -> PSK (password), RCPS_Vendors -> authentication local, name -> Hoff_Vendor (password) -> RCPS_Vendors 192.168.10.2-192.168.10.128 -> 10.1.252.101/103 -> 3DES SHA 2 -> 3DES SHA -> 10.0.0.0/8 in split tunnel

from: http://www.cisco.com/en/US/docs/security/asa/asa71/getting_started/asa5500/quick/guide/rem_acc.html

The problem is that the vendor can ping the internal units, but their program does not connect to the units.

I have attached the updated config.

Thanks in advance.

If all the receivers are on a segment of the ASA, could you put this static route on each of these units, pointing to the inside interface of the ASA? The ASA would then use its default route to send traffic to the VPN clients.

If the receivers are further inside your network and you are using a dynamic routing protocol, you can redistribute the static route to 192.168.10.0/24 on the next inside hop router (from the ASA) into your network, so that the internal units' default gateways know where to send traffic destined to 192.168.10.0/24.

Since your remote clients are sending their traffic inside VPN tunnels, I don't think you need to add an ACL on the ASA to allow specific traffic from the VPN clients to the receivers.

Tags: Cisco Security

Similar Questions

  • ASA 5505 VPN Ping problems

    Hi all

    First of all, I apologize if this is something I could have googled. My network administration knowledge is all self-taught, so if there is a guide I have missed please point me in the right direction; it is often difficult to google the right troubleshooting terms when your jargon is not up to scratch.

    The main problem is that when I ping internal devices while connected to the VPN, the results are very inconsistent.

    Pinging 192.168.15.102 with 32 bytes of data:

    Reply from 192.168.15.102: bytes=32 time=112ms TTL=128
    Request timed out.
    Request timed out.
    Request timed out.

    We have implemented an IPsec VPN connection to a remote Cisco ASA 5505. There are no connection problems; the connection seems stable, good packets, etc. At this stage I can only assume I have configuration problems, but I have been looking at this for a while and, paired with my inexperience configuring these settings, I have no idea where to start. My first impression is that the LAN devices I'm pinging do not send their responses back, or the ASA does not know how to route the packets back?

    Here is a dump of the configuration:

    Output of the command: "show config"

    : Saved
    : Written by enable_15 at 12:40:06.114 CDT Mon Sep 9 2013
    !
    ASA Version 8.2(5)
    !
    hostname VPN_Test
    enable password D37rIydCZ/bnf1uj encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 192.168.15.0 internal-network
    ddns update method DDNS_Update
     ddns both
     interval maximum 0 4 0 0
    !
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     description internal guest VLAN
     nameif inside
     security-level 100
     ddns update hostname 0.0.0.0
     ddns update DDNS_Update
     dhcp client update dns server both
     ip address 192.168.15.1 255.255.255.0
    !
    interface Vlan2
     description external VLAN to the internet
     nameif outside
     security-level 0
     ip address xx.xx.xx.xx 255.255.255.248
    !
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    dns server-group DefaultDNS
     name-server 216.221.96.37
     name-server 8.8.8.8
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group service DM_INLINE_TCP_1 tcp
     port-object eq www
     port-object eq https
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in extended deny icmp interface outside interface inside
    access-list outside_access_in extended permit ip 192.168.15.192 255.255.255.192 any
    access-list Remote_splitTunnelAcl standard permit internal-network 255.255.255.0
    access-list inside_nat0_outbound extended permit ip internal-network 255.255.255.0 192.168.15.192 255.255.255.192
    access-list inside_access_in remark access list blocking Internet traffic
    access-list inside_access_in extended permit ip 192.168.15.192 255.255.255.192 any
    access-list inside_access_in remark access list blocking Internet traffic
    access-list inside_access_in extended permit ip interface inside interface inside
    access-list inside_access_in extended permit ip any 192.168.15.192 255.255.255.192
    access-list inside_access_in remark access list blocking Internet traffic
    access-list inside_nat0_outbound_1 extended permit ip 192.168.15.192 255.255.255.192 any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool VPN_IP_Pool 192.168.15.200-192.168.15.250 mask 255.255.255.0
    ipv6 access-list inside_access_ipv6_in permit ip interface inside interface inside
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any echo-reply outside
    icmp permit any outside
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 0 access-list inside_nat0_outbound_1 outside
    nat (inside) 1 192.168.15.192 255.255.255.192
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group inside_access_in in interface inside
    access-group inside_access_ipv6_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http internal-network 255.255.255.0 inside
    http yy.yy.yy.yy 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sysopt connection timewait
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd auto_config outside
    !
    dhcpd address 192.168.15.200-192.168.15.250 inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server 192.168.15.101 source inside
    ntp server 192.168.15.100 source inside prefer
    webvpn
    group-policy remote internal
    group-policy remote attributes
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value Remote_splitTunnelAcl
    username StockUser password t6a0Nv8HUfWtUdKz encrypted privilege 0
    username StockUser attributes
     vpn-group-policy remote
    tunnel-group remote type remote-access
    tunnel-group remote general-attributes
     address-pool VPN_IP_Pool
     default-group-policy remote
    tunnel-group remote ipsec-attributes
     pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:f4271785b86e45dd3a17bab8f60cd2f3

    Hi Graham,

    My first question is: do you have a site-to-site VPN, or a remote access VPN client?

    After checking your configuration, I see you don't have any site-to-site VPN configuration, so I'm assuming you are facing the issue with the VPN client.

    And if I understand correctly, you are able to connect with the VPN client, but you are not able to access internal resources properly.

    I recommend you try and make the following changes.

    First, remove the following configuration:

    nat (inside) 0 access-list inside_nat0_outbound_1 outside

    nat (inside) 1 192.168.15.192 255.255.255.192

    You don't need the first one, and I do not understand the reason for the second.

    Second, 192.168.15.200-192.168.15.250 is your IP pool subnet, and I don't know why you added this NAT.

    If possible, change your pool subnet altogether, because we do not recommend using an IP pool that is in the same range as your local network.

    Try the changes described above and let me know in case you have any problem.

    Thank you

    Jeet Kumar

  • Authorware Application in CDs - problem

    Hello
    Can I ask if anyone out there has had this problem before?
    I have an Authorware application that uses the CallSprite browser feature. I use this to display an MS Word document in the application window. It works very well: it can access the file and display it in the same application window, no problem. However, when I burn this application and all the associated files to a CD, the application encounters an error saying that it cannot find the .doc file, while it can do so perfectly well if the application is on the hard drive. Can you help me? Below is my code:

    testFile := FileLocation ^ 'Content//myfile.doc'
    CallSprite(@"browserMyfile", #Navigate, testFile, 0, 0, 0, 0)

    The Content directory resides in the same directory as the packaged Authorware (exe) application.

    Thanks for help.

    Rgds
    MeiLian


    Shouldn't that resolve back to the local file system?

    testFile := FileLocation ^ 'Content\\myfile.doc'

    Mark

    MeiLian wrote:
    > Hi
    > Can I ask if anyone out there has had this problem before?
    > I have an Authorware application that uses the CallSprite browser feature.
    > I use it to display an MS Word document in the application window. It works
    > fine - it can access the file and display it in the same application window: no
    > problem. However, when I burn this application and all the
    > files to a CD, the application encounters an error saying that it cannot find
    > the .doc file, while it can do so perfectly well if the application resides
    > on the hard drive. Can you help me? Below is my code:
    >
    > testFile := FileLocation ^ 'Content//myfile.doc'
    > CallSprite(@"browserMyfile", #Navigate, testFile, 0, 0, 0, 0)
    >
    > The Content directory resides in the same directory as the packaged Authorware
    > application (exe).
    >
    > Thanks for the help.
    >
    > Rgds
    > MeiLian
    >

    --
    ------------------------------------------------------

    www.AuthorwareXtras.co.uk

    EuroTAAC eLearning 2007
    www.eurotaac.com

    www.freelists.org/List/flashelearning

    Authorware multimedia synchronisation command:
    www.authorwarextras.co.uk -> Commands

    Synchronise media with ease!

  • NT WS - VPN 3.6.3 Client - Ping problem

    When I install the VPN Client 3.6.3 on an NT Workstation, I can no longer ping the NT workstation from other devices on the internal LAN. This is when the VPN client is not even connected. Everything else is fine, but no response to local pings from the other side of the NT box?

    Thank you

    Bob

    You have the "Always On" stateful firewall checked. This is a host-based version of the ZoneAlarm firewall runtime. It is on even when you are not connected via the VPN client. Great security.

  • VPN connection problem

    Hello

    We have a server that remote clients need to connect to via VPN. My VPN is able to connect, but any application that needs to work over the VPN does not. I also can't ping the remote servers, while for others it works very well. I can't understand the problem; I have tried reinstalling the VPN client.

    I am using Windows XP Pro and the Cisco VPN client 4.0.3.

    Hello

    Your Windows XP question is more complex than what is generally answered in the Microsoft Answers forums. It is better suited for the IT Pro TechNet audience. Please post your question in the TechNet forum for assistance:

    TechNet Windows XP Service Pack 3 (SP3)

    Hope this information helps.

  • VPN-ASA5505 problem

    Hi all

    I inherited this VPN and am slowly getting it up. At least users can connect to it now! I had a few problems. Users can connect to the VPN, but cannot ping or access shared files on the server (192.168.2.3), and the VPN users must be able to make full use of the network.

    I removed the NAT rule:

    no nat (inside) 1 0.0.0.0 0.0.0.0

    After removing that, VPN users were able to browse and access internal resources. However, users in the office then had no internet. I went and added the rule back and the internet returned.

    I believe it is related to split tunneling. What can I do to enable full VPN access and still have internet at headquarters?

    ASA Version 7.2(4)
    !
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password mI3N1CPoxB4FJhZg encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.2.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 209.124.X.X 255.255.255.252
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    dns server-group DefaultDNS
     name-server 192.168.2.3
     domain-name default.domain.invalid
    object-group network Exchange25
    access-list split standard permit 192.168.2.0 255.255.255.0
    access-list sheep extended permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list sheep extended permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
    access-list out_in extended permit ip any any
    access-list outside_access_in extended permit tcp any eq smtp host 192.168.2.3 eq smtp
    access-list outside_access_in extended permit tcp any host 192.168.2.3 eq https
    access-list outside_access_in extended permit tcp any host 192.168.2.3 eq www
    access-list outside-access extended permit tcp any interface outside eq 7000
    access-list outside-access extended permit tcp any interface outside eq 3389
    access-list outside-access extended permit tcp any interface outside eq 587
    access-list outside-access extended permit tcp any interface outside eq https
    access-list LAN_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool vpnpool 192.168.2.31-192.168.2.60
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list LAN_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface smtp 192.168.2.3 smtp netmask 255.255.255.255
    static (inside,outside) tcp interface 7000 192.168.2.80 7000 netmask 255.255.255.255
    static (inside,outside) tcp interface 3389 192.168.2.3 3389 netmask 255.255.255.255
    static (inside,outside) tcp interface 587 192.168.2.3 587 netmask 255.255.255.255
    static (inside,outside) tcp interface https 192.168.2.3 https netmask 255.255.255.255
    access-group out_in in interface outside
    route outside 0.0.0.0 0.0.0.0 209.124.192.45 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable
    http 0.0.0.0 255.255.255.255 outside
    http 192.168.2.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA
    crypto map mymap 65000 ipsec-isakmp dynamic dynmap
    crypto map mymap interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp nat-traversal 20
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd dns 192.168.2.3
    !
    group-policy DfltGrpPolicy attributes
     banner none
     wins-server none
     dns-server value 192.168.2.3
     dhcp-network-scope none
     vpn-access-hours none
     vpn-simultaneous-logins 5
     vpn-idle-timeout 30
     vpn-session-timeout none
     vpn-filter none
     vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
     password-storage enable
     ip-comp disable
     re-xauth disable
     group-lock none
     pfs disable
     ipsec-udp disable
     ipsec-udp-port 10000
     split-tunnel-policy tunnelall
     split-tunnel-network-list none
     default-domain value TMA.local
     split-dns none
     intercept-dhcp 255.255.255.255 disable
     secure-unit-authentication disable
     user-authentication disable
     user-authentication-idle-timeout 10
     ip-phone-bypass disable
     leap-bypass disable
     nem disable
     backup-servers keep-client-config
     msie-proxy server none
     msie-proxy method no-modify
     msie-proxy except-list none
     msie-proxy local-bypass disable
     nac disable
     nac-sq-period 300
     nac-reval-period 36000
     nac-default-acl none
     address-pools none
     smartcard-removal-disconnect enable
     client-firewall none
     client-access-rule none
     webvpn
      functions url-entry
      html-content-filter none
      homepage none
      keep-alive-ignore 4
      http-comp gzip
      filter none
      url-list none
      customization value DfltCustomization
      port-forward none
      port-forward-name value Application Access
      sso-server none
      deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
      svc none
      svc keep-installer installed
      svc keepalive none
      svc rekey time none
      svc rekey method none
      svc dpd-interval client none
      svc dpd-interval gateway none
      svc compression deflate
    group-policy TMAgroup internal
    group-policy TMAgroup attributes
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value split
    username gene password AzJFyGPWta7durW9 encrypted privilege 15
    username admin password hLjunphNGLvrgsRP encrypted privilege 15
    username TMAen password ojCI79mnpWOehEZC encrypted
    tunnel-group TMAgroup type ipsec-ra
    tunnel-group TMAgroup general-attributes
     address-pool vpnpool
     default-group-policy TMAgroup
    tunnel-group TMAgroup ipsec-attributes
     pre-shared-key *
    !
    !
    prompt hostname context
    Cryptochecksum:78c4838558d030ac964d2c331deed909
    : end

    Hello

    Please add the following to your configuration:

    access-list nonat_inside extended permit ip any 192.168.2.0 255.255.255.0

    nat (inside) 0 access-list nonat_inside

    You must keep the "nat (inside) 1 0.0.0.0 0.0.0.0" so that your users can access the Internet.

    "nat (inside) 0 access-list nonat_inside" bypasses the above rule only for traffic destined to the VPN pool.

    In addition, it is up to you whether you want to use split tunneling or not.

    More information on split tunneling:

    ASA/PIX: Allow Split Tunneling for VPN Clients on the ASA Configuration Example

    Let me know.

    Portu.

    Please rate all useful posts

  • NAT, stop communication OSX VPN configuration problem.

    Hello

    This is my first time posting in this forum. I am having trouble getting Mac computers (my test machine runs OS X 10.8.2) to connect correctly to the company VPN. We have a Cisco ASA 5510, which handles the VPN requests. Here are some details:

    -Windows computers using the Cisco VPN Client (not AnyConnect) are able to connect to the VPN and access the internal file server/etc. computers, just as we want.

    -The Mac can establish a VPN connection, but cannot communicate with servers or internal machines. I can't connect to or ping the file server by its IP address. I also can't ping my own work computer.

    -BUT, from my work computer I CAN ping the IP address the Mac receives after connecting via VPN. So an internal Windows PC can ping the externally connected VPN Mac, but the Mac cannot ping the internal Windows PC.

    Using ASDM I was able to run Packet Tracer. I traced a ping from the Windows machine address 192.168.0.52/23 to the Mac's VPN address 192.168.5.33/24. This succeeded.

    Using Packet Tracer to trace a ping from the Mac's VPN address 192.168.5.33/24 to the Windows address 192.168.0.52/23 is not successful. The packet goes through the following phases: 'Capture', 'Access-list', 'Route lookup', 'Access-list', 'IP options', 'Inspect', 'Inspect', 'Debug ICMP', 'NAT exempt', until it reaches 'NAT', where I get this message:

    Type - NAT

    Config:
    nat (inside1) 1 0.0.0.0 0.0.0.0
      match ip inside1 any inside1 any
        dynamic translation to pool 1 (192.168.1.1 [Interface PAT])
        translate_hits = 913403, untranslate_hits = 27

    The result is that the packet is dropped.

    Info: (acl-drop) Flow is denied by configured rule

    I'm not super familiar with ACL or NAT configuration, so I do not know what changes I need to make for this to work correctly. I find it strange that Windows PCs using the Cisco client have no problem communicating internally after connecting, but Macs using the built-in Cisco IPsec VPN do not.

    Any help would be greatly appreciated.

    -Jean-Claude

    P.S. I have included a screenshot of the Packet Tracer screen.

    Is your home wireless network in the 192.168.1.0/24 subnet? If so, try changing it to a different subnet, as suggested earlier, and see if it works.
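The three ASA threads above (Jeet Kumar's advice about a VPN pool that sits inside the local subnet, Portu's nonat_inside exemption, and the Packet Tracer drop at the dynamic PAT rule) are the same return-path mistake seen from three angles. The following script, an added example that is not from the thread or from Cisco, parses an ASA 8.2-style configuration and flags both conditions: a remote-access pool overlapping the inside subnet (the first thread's config even reuses its inside dhcpd range as the pool), and the absence of a "nat (inside) 0 access-list" entry covering inside-to-pool traffic. The sample config is constructed after the ASA 7.2 post; the outside address 203.0.113.2 is a placeholder, and the parser assumes the single-space indentation ASA uses under "interface".

```python
"""Lint an ASA 8.2-style config for two remote-access VPN return-path pitfalls.

Added example, not Cisco code. Checks:
  1. the VPN address pool overlaps the inside subnet;
  2. no 'nat (inside) 0 access-list X' exempts inside -> pool traffic, so
     reply traffic is caught by the dynamic NAT/PAT rule and dropped.
"""
import ipaddress

# Constructed sample modelled on the ASA 7.2 config posted above (not a real device).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
ip local pool vpnpool 192.168.2.31-192.168.2.60
access-list sheep extended permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list LAN_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.0
nat (inside) 0 access-list LAN_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
"""

# Portu's fix from the thread: exempt traffic to the pool's range from NAT.
EXEMPTION_ADDED_CONFIG = SAMPLE_CONFIG + (
    "access-list nonat_inside extended permit ip any 192.168.2.0 255.255.255.0\n"
    "nat (inside) 0 access-list nonat_inside\n"
)

# Jeet Kumar's advice: move the pool out of the LAN range; the existing
# LAN_nat0_outbound ACL already exempts 192.168.10.0/24.
POOL_MOVED_CONFIG = SAMPLE_CONFIG.replace(
    "192.168.2.31-192.168.2.60", "192.168.10.31-192.168.10.60"
)


def _addr(tokens, i):
    """Consume one ASA address spec (any | host A | A MASK) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_asa(config_text):
    """Extract the inside subnet, local pools, permit-ip ACEs and nat 0 ACL names."""
    ifaces, pools, acls, nat0_acls = [], {}, {}, set()
    in_iface = False
    for raw in config_text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if raw.startswith(" ") and in_iface:          # sub-command of an interface
            if tokens[0] == "nameif":
                ifaces[-1]["nameif"] = tokens[1]
            elif tokens[:2] == ["ip", "address"]:
                ifaces[-1]["net"] = ipaddress.ip_network(f"{tokens[2]}/{tokens[3]}", strict=False)
            continue
        in_iface = tokens[0] == "interface"
        if in_iface:
            ifaces.append({"nameif": None, "net": None})
        elif tokens[:3] == ["ip", "local", "pool"]:
            first, last = tokens[4].split("-")
            pools[tokens[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif tokens[0] == "access-list" and tokens[2:5] == ["extended", "permit", "ip"]:
            src, i = _addr(tokens, 5)
            dst, _ = _addr(tokens, i)
            acls.setdefault(tokens[1], []).append((src, dst))
        elif tokens[0] == "nat" and tokens[2] == "0" and tokens[3] == "access-list":
            nat0_acls.add(tokens[4])
    inside = next((i["net"] for i in ifaces if i["nameif"] == "inside"), None)
    return {"inside": inside, "pools": pools, "acls": acls, "nat0_acls": nat0_acls}


def lint(config_text):
    """Return a list of findings; an empty list means both checks pass."""
    cfg = parse_asa(config_text)
    inside = cfg["inside"]
    if inside is None:
        return ["no interface with nameif inside found"]
    findings = []
    for name, (first, last) in cfg["pools"].items():
        if first in inside or last in inside:
            findings.append(f"pool {name} ({first}-{last}) overlaps inside subnet {inside}")
        # An exemption counts only if one nat 0 ACE covers the whole inside
        # subnet as source and the whole pool range as destination.
        exempt = any(
            inside.subnet_of(src) and first in dst and last in dst
            for acl in cfg["nat0_acls"]
            for src, dst in cfg["acls"].get(acl, [])
        )
        if not exempt:
            findings.append(f"no nat 0 exemption covering {inside} -> pool {name}; "
                            "client traffic will hit the dynamic NAT/PAT rule")
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_CONFIG),
                        ("with nonat_inside", EXEMPTION_ADDED_CONFIG),
                        ("pool moved", POOL_MOVED_CONFIG)):
        print(f"{label}: {lint(text) or ['OK']}")
```

Run against the posted layout it reports both findings; adding Portu's nonat_inside lines clears the NAT finding but leaves the overlap warning, and moving the pool to 192.168.10.x (which the existing LAN_nat0_outbound ACL already exempts) clears both. The same check is what a reviewer would apply to the first thread's config, where VPN_IP_Pool and the inside dhcpd range are the identical 192.168.15.200-250 block.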

  • AFTER VPN CONNECTED TO OFFICE VPN, PING TO A CERTAIN DESTINATION UNREACHABLE HOST BACK

    Hello!

    I have set up a PPTP VPN connection from my home to my office.

    I've successfully connected to my office VPN.

    I can remote desktop to several servers in my office, but there is one desktop PC I cannot remote to.

    When I try to ping it, it returns destination host unreachable:

    ping 192.168.9.50

    Reply from 192.168.0.1: Destination host unreachable.

    The reply comes from 192.168.0.1 instead of 192.168.9.50.

    Can someone help with this problem?

    I really need to do work on this PC and I don't know how to connect to it.

    I'm pretty sure remote desktop is allowed on this PC.

    Thank you

    GUKGUK

    The 192.168.0.1 address appears to be a gateway address. The VPN gateway may have no route to that particular system, either by design or due to oversight. You should take this problem up with your IT staff. Brian Tillman [MVP-Outlook]
    --------------------------------
    https://MVP.support.Microsoft.com/profile/Brian.Tillman
    If a reply helps, please vote it as helpful. If a reply solves the problem, please mark it as an answer.

  • Client VPN connectivity problems

    I use the Cisco VPN client to connect to our network, which sits behind a 515E. The client authenticates and gets an IP address, but cannot ping or connect to any of the hosts. The connection is to a customer's network that is also behind a 515E. I have successfully connected using the same policy to other places and have had no problem. What confuses me is that we used to have a Netscreen firewall before, and its Netscreen VPN client connected from their network without a problem. Is there something they need on their firewall so that our traffic can get through?

    Try turning on NAT-T on your PIX by configuring:

    isakmp nat-traversal 20

    and configure the client vpn accordingly:

    http://www.Cisco.com/warp/public/471/cvpn_3k_nat.html#conf_client

    I think these discussions are useful:

    http://Forum.Cisco.com/eForum/servlet/NetProf?page=NetProf&Forum=virtual%20Private%20Networks&topic=General&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd7dda4

    http://Forum.Cisco.com/eForum/servlet/NetProf?page=NetProf&Forum=virtual%20Private%20Networks&topic=General&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd7fe80

  • VPN Client problem

    A remote user on our network has problems with the Cisco VPN. They are using Win XP, Cisco Client 3.5.2 and connect via a Compaq iPAQ router into a cable modem. When they VPN into our VPN 3000 concentrator it works very well. When they try to VPN into the PIX on our network, it indicates that the client is no longer connected. If they use a Microsoft VPN to connect to the network with the 3000 (we run both MS and Cisco VPN) with it set to use the remote default gateway, the Cisco VPN will connect to the PIX, see the network behind the PIX, ping things behind the PIX, but not map a drive. The remote user can ping the PIX from their un-VPNed remote location. No other user has a problem connecting to the PIX (except those with bad remote access or satellite broadband who cannot VPN into anything anyway). We even have a few AOL users connect to it. Help me please.

    If the Compaq iPAQ router does PAT, that might be the problem. The PIX is unable to handle IPsec clients that have crossed a PAT. The VPN 3000 has a mechanism to deal with this. PPTP is different from IPsec.

    You must ensure that the IPsec client has its own publicly routable IP address.

    Kind regards

  • AnyConnect VPN setup problem

    Hi all, I'm having trouble configuring AnyConnect VPN on my router. I'm at pre-CCENT level and mostly followed a tutorial, but feel I'm missing something simple here.

    It's a fairly simple setup on a Cisco 2851: one interface faces my LAN 192.168.1.0/24, the other has a public IP address.

    I created a 192.168.2.0/24 network for VPN users, mainly so Android phones can connect from their mobile networks and access the servers/security cameras/etc. by their local IP addresses. When my phone connects, it gets an IP address and is connected, but it is not communicating with my LAN correctly.

    The VPN client can ping 192.168.1.254 (the router's LAN IP) but not the other devices on the network. However, the devices on my LAN can ping the VPN clients at their 192.168.2.x addresses.

    Here's a copy of my current config; I have redacted some elements with #s. I've also pasted my "sh ip route" below it. Do not forget that I am a novice, please forgive the hack :)

    Router(config)#do sh run
    Building configuration...

    Current configuration : 5782 bytes
    !
    ! Last configuration change at 02:24:24 UTC Sat Sep 5 2015 by #
    !
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname #
    !
    boot-start-marker
    boot-end-marker
    !
    !
    enable secret 5 $1$0#
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication login sslvpn local
    aaa authorization exec default local
    !
    !
    !
    !
    !
    aaa session-id common
    !
    !
    dot11 syslog
    no ip source-route
    !
    !
    ip cef
    !
    ip dhcp excluded-address 192.168.1.200 192.168.1.254
    ip dhcp excluded-address 192.168.1.1 192.168.1.10
    !
    ip dhcp pool LAN
     network 192.168.1.0 255.255.255.0
     dns-server 192.168.1.254
     default-router 192.168.1.254
    !
    !
    ip domain name #.com
    ip host Switch 192.168.1.253
    ip name-server 8.8.8.8
    login block-for 2000 attempts 4 within 60
    login quiet-mode access-class SSH_MGMT
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    voice-card 0
    !
    crypto pki token default removal timeout 0
    !
    crypto pki trustpoint MY-TRUSTPOINT
     enrollment selfsigned
     serial-number
     subject-name CN=117-certificate
     revocation-check crl
     rsakeypair my-rsa-keys
    !
    !
    crypto pki certificate chain MY-TRUSTPOINT
     certificate self-signed 01
      ##########################

      #########################
      quit
    !
    !
    license udi pid CISCO2851 sn FTX1026A54Y
    username # secret 5 $1$yv#E9.
    username # secret 5 $1$X0nL###kO.
    !
    redundancy
    !
    !
    ip ssh version 2
    !
    !
    !
    !
    !
    !
    !
    !
    interface GigabitEthernet0/0
     description LAN
     ip address 192.168.1.254 255.255.255.0
     ip nat inside
     no ip virtual-reassembly in
     duplex auto
     speed auto
    !
    interface GigabitEthernet0/1
     description WAN
     no ip dhcp client request tftp-server-address
     no ip dhcp client request domain-name
     ip address dhcp
     ip access-group ACL-WAN_INTERFACE in
     no ip redirects
     no ip proxy-arp
     ip nat outside
     no ip virtual-reassembly in
     duplex auto
     speed auto
     no cdp enable
    !
    interface Serial0/0/0
     no ip address
     shutdown
    !
    interface Virtual-Template1
    !
    ip local pool WEBVPN-POOL 192.168.2.100 192.168.2.110
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    !
    !
    ip dns server
    ip nat inside source list INSIDE_NAT_ADDRESSES interface GigabitEthernet0/1 overload
    !
    ip access-list standard INSIDE_NAT_ADDRESSES
     permit 192.168.1.0 0.0.0.255
     permit 192.168.2.0 0.0.0.255
    ip access-list standard SSH_MGMT
     permit 192.168.1.0 0.0.0.255
     permit 207.210.0.0 0.0.255.255
    !
    ip access-list extended ACL-WAN_INTERFACE
     deny udp any any eq snmp
     deny tcp any any eq domain
     deny tcp any any eq echo
     deny tcp any any eq daytime
     deny tcp any any eq chargen
     deny tcp any any eq telnet
     deny tcp any any eq finger
     deny udp any any eq domain
     deny ip 127.0.0.0 0.255.255.255 any
     deny ip 192.168.0.0 0.0.255.255 any
     permit tcp any any eq 443
     permit ip any any
    !
    logging esm config
    nls resp-timeout 1
    cpd cr-id 1
    !
    !
    !
    !
    !
    !
    !
    control-plane
    !
    !
    !
    !
    mgcp profile default
    !
    !
    !
    !
    !
    gatekeeper
     shutdown
    !
    !
    !
    line con 0
     exec-timeout 0 0
     logging synchronous
    line aux 0
     exec-timeout 0 0
     logging synchronous
    line vty 0 4
     exec-timeout 0 0
     logging synchronous
     transport input ssh
    line vty 5 15
     exec-timeout 0 0
     logging synchronous
     transport input ssh
    !
    scheduler allocate 20000 1000
    !
    webvpn gateway Cisco-WebVPN-Gateway
     ip interface GigabitEthernet0/1 port 443
     ssl encryption rc4-md5
     ssl trustpoint MY-TRUSTPOINT
     inservice
    !
    webvpn install svc flash:/webvpn/anyconnect-linux-3.1.03103-k9.pkg sequence 1
    !
    webvpn context Cisco-WebVPN
     title "Firewall.cx WebVPN - powered by Cisco"
     ssl authenticate verify all
     !
     url-list "rewrite"
     !
     acl "ssl-acl"
       permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
       permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
       permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
     !
     login-message "Cisco Secure WebVPN"
     !
     policy group webvpnpolicy
       functions svc-required
       filter tunnel ssl-acl
       svc address-pool "WEBVPN-POOL" netmask 255.255.255.0
       svc rekey method new-tunnel
       svc split include 192.168.1.0 255.255.255.0
     default-group-policy webvpnpolicy
     aaa authentication list sslvpn
     gateway Cisco-WebVPN-Gateway
     max-users 5
     inservice
    !
    end

    Gateway of last resort is #.###.###.# to network 0.0.0.0

    S*    0.0.0.0/0 [254/0] via #.###.###.1
          (###ISP###) is subnetted, 1 subnets
    S        (###ISP###) [254/0] via (###publicgateway###), GigabitEthernet0/1
          ###.###.0.0/16 is variably subnetted, 2 subnets, 2 masks
    C        ###.###.###.0/23 is directly connected, GigabitEthernet0/1
    L        ###.###.###.###/32 is directly connected, GigabitEthernet0/1
          192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
    C        192.168.1.0/24 is directly connected, GigabitEthernet0/0
    L        192.168.1.254/32 is directly connected, GigabitEthernet0/0
          192.168.2.0/32 is subnetted, 1 subnets
    S        192.168.2.100 [0/0] via 0.0.0.0, Virtual-Access1

    Can you try to disable the FW on your internal LAN hosts and then try to ping them from the VPN client users?

  • ACS ping problem

    Hey guys!

    Need your help!

    I'm setting up an ACS 1113 and I had a weird problem: I turned off the CSA to enable pings. OK, it works from my PC to the ACS, but the ACS cannot ping my PC!

    I also have another problem: I can access the ACS and configured everything, but when I put it on the network I can't access it; when I connect it directly to my PC I can access the web interface normally.

    I don't know what happened... I saw a post that says I should set it up directly connected to the network... but I did not; I connected my laptop and ran the tests before putting it on the network...

    Does someone know why? And what is the workaround for it?

    I have attached the ping information, my ipconfig for my laptop, and the output of the "show" commands from the console

    Quote

    Cisco Secure ACS: 4.2.0.124
    Appliance Management Software: 4.2.0.124
    Appliance Base Image: 4.2.0.107
    Session Timeout: 10
    Last Reset Time: Fri Aug 27 13:06:44 2010

    NTP Servers: 10.21.4.1

    CPU Load    Free Physical Memory    Free Disk
    0.00%       749 MB                  109 GB

    Server IP Configuration
    DHCP Enabled...: No
    IP Address.....: 10.21.4.61
    Subnet Mask....: 255.255.255.0
    Default Gateway: 10.21.4.155.0
    DNS Servers....: 10.21.4.11
                     10.21.4.21

    CSAuth running
    CSDbSync running
    CSLog running
    CSMon running
    CSRadius running
    CSTacacs running

    CSAgent stopped
    End of quote

    Console ping tests

    gavprdrjlacs01> ping 10.21.4.62

    Pinging 10.21.4.62 with 32 bytes of data:

    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for 10.21.4.62:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)

    gavprdrjlacs01>

    gavprdrjlacs01> ping 10.21.4.61

    Pinging 10.21.4.61 with 32 bytes of data:

    Reply from 10.21.4.61: bytes=32 time<1ms TTL=
    Reply from 10.21.4.61: bytes=32 time<1ms TTL=
    Reply from 10.21.4.61: bytes=32 time<1ms TTL=
    Reply from 10.21.4.61: bytes=32 time<1ms TTL=

    Ping statistics for 10.21.4.61:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

    Thanks mates!

    Your default gateway is listed as 10.21.4.155.0, which means that the 1113 will not be able to reach anything outside the local network.

    You can fix this by issuing "set ip" on the CLI and following the prompts.

  • PIX of VPN Contivity problem

    I have a VPN between a Cisco PIX 525 firewall and a Nortel Contivity 1700. The VPN comes up without problem, but for the application going through it, connectivity is established only in one direction, i.e., there is no two-way connectivity.

    From Contivity to PIX, there is connectivity to the application.

    From PIX to Contivity, there is no application connectivity.

    Sounds to me like you forgot to put a nat (inside) 0 on the PIX for the traffic that must be encrypted. Remember the order of operations within the PIX: first routing and translation take place, and only later encryption (search for "order of operations" on CCO and you will find documents about this).

    But why do I say this?

    Well, say your internal network is 10.0.0.0/8, and you have the following config:

    nat (inside) 1 10.0.0.0 255.0.0.0

    global (outside) 1 interface

    Then you have a crypto map configured, and within the crypto map the "match address" command points to access-list 101. If the server you are trying to reach through the VPN has IP 192.168.1.1 (it's just an example), access-list 101 would look like:

    access-list 101 permit ip 10.0.0.0 255.0.0.0 host 192.168.1.1

    What will happen if you configure it only in this way? Well, obviously your tunnel is configured correctly, because you receive traffic from the other peer. But the problem is on your side. Looking at the example: traffic received on the inside interface is going to be translated first because of the nat and global statements, so your source addresses are translated to your interface address. This translated traffic then hits access-list 101 to see whether it must be encrypted or not. The PIX sees traffic with your interface address as the source and 192.168.1.1 as the destination, and that is NOT in access-list 101, so the PIX does not encrypt the traffic but just forwards it out the external interface (assuming that routing is correctly configured).

    The traffic that comes in over the VPN is first put into the encryption engine, where it is decrypted and de-encapsulated, and then it is sent out the inside interface.

    If this is the case, then the solution is very simple. Just put in the following:

    nat (inside) 0 access-list 101

    Note 1: the access list bound to nat (inside) 0 must be the same as the one that defines your VPN traffic.

    Note 2: If you are already using a nat (inside) 0 command for other reasons, then you must change the existing access list instead.

    I hope this helps. In case you need more help, you can always send me a message if you wish. You could also post your complete config (first remove the passwords) and we could have a look.

    Kind regards,

    Leo
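The order-of-operations argument in Leo's answer, as an added Python model that is not part of the original post (the outside interface address 203.0.113.1 and the 10.1.1.5 source host are constructed values): translation runs before the crypto-map match, so without the nat 0 exemption the packet reaches access-list 101 already PAT'd and leaves in the clear.

```python
import ipaddress
from dataclasses import dataclass

# Constructed: the PIX outside interface address used by "global (outside) 1 interface"
OUTSIDE_IF_IP = "203.0.113.1"


@dataclass(frozen=True)
class Ace:
    """One 'permit ip <src> <dst>' entry of a PIX access list."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def ace(src: str, dst: str) -> Ace:
    """Build an entry; 'host 192.168.1.1' is written as 192.168.1.1/32."""
    return Ace(ipaddress.ip_network(src, strict=False),
               ipaddress.ip_network(dst, strict=False))


def acl_matches(acl, src: str, dst: str) -> bool:
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in a.src and d in a.dst for a in acl)


# access-list 101 from the answer: the crypto map's "match address" list
ACL_101 = [ace("10.0.0.0/8", "192.168.1.1/32")]


def pix_outbound(src: str, dst: str, nat0_acl=None):
    """Model of the PIX outbound order of operations: translate first, then crypto check.
    Returns (source address as seen after translation, 'encrypted' or 'cleartext')."""
    # 1. nat (inside) 0 access-list <acl>: packets matching the list are exempt from NAT
    if nat0_acl is not None and acl_matches(nat0_acl, src, dst):
        wire_src = src
    # 2. nat (inside) 1 10.0.0.0 255.0.0.0 + global (outside) 1 interface: PAT to the outside IP
    elif ipaddress.ip_address(src) in ipaddress.ip_network("10.0.0.0/8"):
        wire_src = OUTSIDE_IF_IP
    else:
        wire_src = src
    # 3. the crypto map's match address 101 is evaluated on the *translated* packet
    action = "encrypted" if acl_matches(ACL_101, wire_src, dst) else "cleartext"
    return wire_src, action


if __name__ == "__main__":
    print("without nat 0:", pix_outbound("10.1.1.5", "192.168.1.1"))
    print("with nat 0 access-list 101:", pix_outbound("10.1.1.5", "192.168.1.1", ACL_101))
```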

  • VPN access with VPN client problem. Help, please

    I have a PIX 520 as the VPN tunnel endpoint device. I was able to establish an IPsec connection. I checked that I was given an address from the IP pool that I set up, but I can't reach any resource on the internal network. I could only ping myself. When I run "ipconfig /all" I see my address on the VPN interface with the correct DNS, but my gateway is set to my own address. I think that's the problem. Please help me solve this problem. Let me know if you need more information.

    Here are some suggestions you might try to get this working:

    1.) Change your "conduits" to access-lists. Conduits are no longer supported by Cisco even if they still work. This will help you in debugging your access list because there will be hitcounts.

    There is a tool from Cisco for converting conduits to access lists:

    http://www.Cisco.com/cgi-bin/tablebuild.pl/PIX?sort=release

    Download: occ-121.zip

    PIX Firewall Outbound/Conduit Converter binary for Windows, version 1.2.1

    2.) Change your VPN pool.

    ip local pool techvpn 10.x.x.100-10.x.x.120

    With this, it's likely you already have a 10.x.x.x subnet in your internal network. The ip pool automatically assigns a 255.0.0.0 subnet mask to the VPN clients. This may cause routing problems. You can use a subnet that is not used anywhere, e.g. 172.16.100.x.

    Example:

    no vpngroup lsdvpn address-pool techvpn

    no ip local pool techvpn

    ip local pool techvpn 172.16.100.1-172.16.100.254

    vpngroup lsdvpn address-pool techvpn

    no access-list inside_outbound_nat0_acl

    no access-list outside_cryptomap_dyn_20

    access-list inside_outbound_nat0_acl permit ip any 172.16.100.0 255.255.255.0

    access-list outside_cryptomap_dyn_20 permit ip any 172.16.100.0 255.255.255.0

    clear ipsec sa

    clear isakmp sa

    Sincerely,

    Patrick

  • Easy VPN server problem

    I have a Cisco 881 router and am trying to connect a client (Cisco VPN Client 5.x) to this router.

    Here is a diagram of my network:

    LAN (192.168.252.0/24) --- Cisco 881 router --- router No. 2 --- Internet --- router No. 3 --- Client (192.168.1.10)

    Cisco 881 router:

    - LAN IP: 192.168.252.1

    - WAN IP: 192.168.0.2

    - Gateway: 192.168.0.1

    - DNS: 192.168.0.1

    Router No. 2:

    - LAN IP: 192.168.0.1

    - WAN IP: xx.xx.xx.xx

    - Port forwarding: UDP 500 to 192.168.0.2

    - Port forwarding: UDP 4500 to 192.168.0.2

    I have created this VPN profile:

    - IP address of the virtual tunnel interface: FastEthernet4

    - Configuration mode: RESPOND

    - Address pool (for the VPN client): 192.168.254.10 -> 192.168.254.149

    - Split tunneling: 192.168.252.0/24

    - Authentication: local

    - No firewall (for testing only)

    When I connect my VPN client for the first time, everything is OK: the VPN connection is OK, and I can ping any computer on the local network (192.168.252.0/24)

    If I disconnect/reconnect, the connection works, but I can't access any resources on the local network.

    To be able to ping the computers on the LAN again, I have to:

    - reboot the Cisco router

    - enable/disable RIP (in the dynamic routing section of the CCP): strange, isn't it?

    But that only works for one client connection: if I disconnect/reconnect the client once again, I cannot ping any resources on the local network.

    I'm going crazy!

    I used a sniffer tool on a machine on my LAN, and I see the ICMP packets arrive (ICMP request).

    So the ping can go from the VPN to the LAN, but not from the LAN to the VPN.

    Any help would be appreciated.

    Thank you

    Nicolas

    Yes, you forgot to apply the crypto map on the external interface.

    interface FastEthernet4

    crypto map VPN_Policy

    Hope that solves the problem.
