ASA 5505 VPN established, cannot access inside the network

Hi, I recently got an ASA 5505, and I spent weeks finding a way to set up a VPN on it.

After a few days, I finally found the solution to connect to my ASA with a VPN client, yet I cannot access devices that are connected to the ASA.

Here is my config:

ASA Version 8.2(5)
!
hostname asa01
domain-name kevinasa01.net
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
 switchport access vlan 5
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan5
 no nameif
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name kevinasa01.net
same-security-traffic permit intra-interface
access-list Remote_Kevin_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.254.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
access-list sheep-in extended permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit ip 192.168.254.0 255.255.255.0 any
access-list inside_access_in extended permit ip 192.168.254.0 255.255.255.0 any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool pool 192.168.254.1-192.168.254.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 1 192.168.254.0 255.255.255.0
nat (inside) 0 access-list sheep-in
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy Remote_Kevin internal
group-policy Remote_Kevin attributes
 dns-server value 192.168.1.12 192.168.1.13
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Remote_Kevin_splitTunnelAcl
 default-domain value kevinasa01.net
username kevin password mz6JxJib/sQqvsw9 encrypted privilege 0
username kevin attributes
 vpn-group-policy Remote_Kevin
tunnel-group Remote_Kevin type remote-access
tunnel-group Remote_Kevin general-attributes
 address-pool pool
 default-group-policy Remote_Kevin
tunnel-group Remote_Kevin ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:2bb1da52d1993eb9b13c2f6dc97c16cd
: end

Thank you

Hello

I read your message quickly on my cell phone. I don't know why you have posted your config twice. Maybe a typo issue.

I see the ACL sheep-in is the wrong way round. I mean 192.168.254.0 is your VPN pool and 192.168.1.0 your local LAN.

The ACL must be:

access-list sheep-in extended permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0

For nat (inside), you have 2 lines:

nat (inside) 1 192.168.1.0 255.255.255.0 ==> it is redundant, as the one below does the same thing for more networks on the inside side. You can delete it.
nat (inside) 1 0.0.0.0 0.0.0.0

Why are you doing this nat (outside)?

nat (outside) 1 192.168.254.0 255.255.255.0

Those are the first issues I have seen reading on my mobile. Change this and let me know. I'll take a closer look later on a computer (tonight or tomorrow).

Thank you.

PS: Please do not forget to rate and mark as a correct answer if this solves your problem.
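A check for the NAT-exemption mistake diagnosed in this answer (and for the "missing nat exemption" answer further down the page), written as an added example rather than anything from the thread or from Cisco: it parses the 8.2-style lines involved and reports whether the nat 0 ACL bound to the inside interface is correct, reversed or absent. It assumes ASA 8.2 syntax and works on the constructed config excerpts embedded in it.

```python
"""Lint the nat-0 exemption that IPsec remote-access clients need on an ASA running 8.2.

Added example for this thread, not Cisco code or anyone's posted config. It models the two
diagnoses in the answers: the 'nat (inside) 0' ACL with source and destination swapped (the
sheep-in ACL) and the exemption missing. Only the 8.2 'nat (IFACE) 0 access-list NAME' form
is parsed; 8.3+ twice-NAT lines are ignored."""
import ipaddress
import re


def _addr(tokens, i):
    """Consume one ASA address spec at tokens[i]: 'any', 'host A' or 'A MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Collect interface networks, 'extended permit ip' ACL entries, nat-0 bindings and pools."""
    cfg = {"if_nets": {}, "acls": {}, "nat0": {}, "pools": {}}
    cur = None  # interface block being read: {"name": nameif, "net": network}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface "):
            cur = {"name": None, "net": None}
            continue
        if cur is not None and raw[0] == " ":  # indented sub-command of the interface
            t = line.split()
            if t[0] == "nameif":
                cur["name"] = t[1]
            elif t[:2] == ["ip", "address"] and len(t) >= 4 and t[2][0].isdigit():
                # 'ip address dhcp setroute' carries no mask and is skipped by the isdigit test
                cur["net"] = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
            if cur["name"] and cur["net"]:
                cfg["if_nets"][cur["name"]] = cur["net"]
            continue
        cur = None  # any unindented line ends the interface block
        m = re.match(r"access-list (\S+) extended permit ip (.+)$", line)
        if m:
            rest = m.group(2).split()
            src, j = _addr(rest, 0)
            dst, _ = _addr(rest, j)
            cfg["acls"].setdefault(m.group(1), []).append((src, dst))
            continue
        m = re.match(r"nat \((\S+)\) 0 access-list (\S+)$", line)
        if m:
            cfg["nat0"][m.group(1)] = m.group(2)
            continue
        m = re.match(r"ip local pool (\S+) (\S+)-(\S+)", line)
        if m:
            cfg["pools"][m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
    return cfg


def check_nat_exemption(text, ifname="inside"):
    """Return (verdict, detail) for the nat-0 exemption on ifname: 'ok', 'reversed'
    (pool as source, LAN as destination), 'missing' (no nat 0 bound) or 'no-match'."""
    cfg = parse_config(text)
    lan = cfg["if_nets"].get(ifname)
    if lan is None or not cfg["pools"]:
        raise ValueError(f"need an address on {ifname} and an 'ip local pool' line")

    def covers_pool(net):  # both ends of at least one client pool lie inside net
        return any(lo in net and hi in net for lo, hi in cfg["pools"].values())

    acl = cfg["nat0"].get(ifname)
    if acl is None:
        return "missing", f"no 'nat ({ifname}) 0 access-list' line: LAN replies to clients get NATed"
    entries = cfg["acls"].get(acl, [])
    for src, dst in entries:
        if lan.subnet_of(src) and covers_pool(dst):
            return "ok", f"{acl}: {src} -> {dst} exempts LAN-to-client traffic from NAT"
    for src, dst in entries:
        if covers_pool(src) and lan.subnet_of(dst):
            # nat 0 on inside matches traffic leaving the LAN: LAN is source, pool is destination
            return "reversed", (f"{acl} should read: access-list {acl} extended permit ip "
                                f"{lan.network_address} {lan.netmask} {src.network_address} {src.netmask}")
    return "no-match", f"{acl} has {len(entries)} entries, none pairs {lan} with a VPN pool"


# Constructed from the original poster's config: sheep-in lists the pool first, the LAN second.
OP_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
access-list sheep-in extended permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
ip local pool pool 192.168.254.1-192.168.254.10 mask 255.255.255.0
nat (inside) 0 access-list sheep-in
nat (inside) 1 0.0.0.0 0.0.0.0
"""
# The same config with the ACL written the way the answer suggests.
FIXED_CONFIG = OP_CONFIG.replace(
    "permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0",
    "permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0")
# Mirrors the 'missing nat exemption' answer further down the page: no nat 0 line at all.
NO_EXEMPT_CONFIG = OP_CONFIG.replace("nat (inside) 0 access-list sheep-in\n", "")
```

Running `check_nat_exemption` on the three constructed excerpts returns `reversed`, `ok` and `missing` respectively, and the `reversed` detail carries the corrected ACL line.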

Tags: Cisco Security

Similar Questions

  • Cisco ASA 8.4 (3) remote access VPN - client connects but cannot access inside the network

    I have problems accessing resources within the network when connecting with the Cisco VPN client to a Cisco ASA 5510 running version 8.4(3). I tried all the new 8.4 NAT commands but cannot access the inside network. I can see traffic in the logs when I ping. I can only assume I have the NAT wrong, or is it because the inside interface of the ASA is on the same /24 subnet as the inside network? Please see the config below; any suggestion would be appreciated. I configured a site-to-site VPN on this same 5510 and it works well.

    Thank you

    interface Ethernet0/0
     speed 100
     duplex full
     nameif outside
     security-level 0
     ip address x.x.x.x 255.255.255.240
    !
    interface Ethernet0/1
     speed 100
     duplex full
     nameif inside
     security-level 100
     ip address 10.88.10.254 255.255.255.0
    !
    interface Management0/0
     shutdown
     nameif management
     security-level 0
     no ip address
    !
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network PAT_to_Outside_ClassA
     subnet 10.88.0.0 255.255.0.0
    object network PAT_to_Outside_ClassB
     subnet 172.16.0.0 255.240.0.0
    object network PAT_to_Outside_ClassC
     subnet 192.168.0.0 255.255.240.0
    object network LocalNetwork
     subnet 10.88.0.0 255.255.0.0
    object network RemoteNetwork1
     subnet 192.168.0.0 255.255.0.0
    object network RemoteNetwork2
     subnet 172.16.10.0 255.255.255.0
    object network RemoteNetwork3
     subnet 10.86.0.0 255.255.0.0
    object network RemoteNetwork4
     subnet 10.250.1.0 255.255.255.0
    object network NatExempt
     subnet 10.88.10.0 255.255.255.0
    object-group network Site_to_SiteVPN1
     network-object 192.168.4.0 255.255.254.0
     network-object 172.16.10.0 255.255.255.0
     network-object 10.0.0.0 255.0.0.0
    access-list outside_access_in extended deny ip any any
    access-list inside_access_in extended permit ip any any
    access-list 11 extended permit ip 10.250.1.0 255.255.255.0 any
    access-list outside_1_cryptomap extended permit ip 10.88.0.0 255.255.0.0 object-group Site_to_SiteVPN1
    ip local pool Admin_Pool 10.250.1.1-10.250.1.254 mask 255.255.255.0
    nat (inside,outside) source static NatExempt NatExempt
    nat (inside,outside) source static any any destination static RemoteNetwork4 RemoteNetwork4 route-lookup
    nat (inside,outside) source static LocalNetwork LocalNetwork destination static RemoteNetwork1 RemoteNetwork1
    nat (inside,outside) source static LocalNetwork LocalNetwork destination static RemoteNetwork2 RemoteNetwork2
    nat (inside,outside) source static LocalNetwork LocalNetwork destination static RemoteNetwork3 RemoteNetwork3
    nat (inside,outside) source static LocalNetwork LocalNetwork destination static RemoteNetwork4 RemoteNetwork4 route-lookup
    !
    object network PAT_to_Outside_ClassA
     nat (inside,outside) dynamic interface
    object network PAT_to_Outside_ClassB
     nat (inside,outside) dynamic interface
    object network PAT_to_Outside_ClassC
     nat (inside,outside) dynamic interface
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
    dynamic-access-policy-record DfltAccessPolicy
    sysopt connection timewait
    service resetoutside
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set bh-set esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map dynmap 10 set pfs
    crypto dynamic-map dynmap 10 set ikev1 transform-set bh-set
    crypto dynamic-map dynmap 10 set security-association lifetime seconds 28800
    crypto dynamic-map dynmap 10 set security-association lifetime kilobytes 4608000
    crypto dynamic-map dynmap 10 set reverse-route
    crypto map mymap 1 match address outside_1_cryptomap
    crypto map mymap 1 set peer x.x.x.x
    crypto map mymap 1 set ikev1 transform-set ESP-AES-256-SHA
    crypto map mymap 1 set security-association lifetime seconds 86400
    crypto map mymap 1 set security-association lifetime kilobytes 4608000
    crypto map mymap 100 ipsec-isakmp dynamic dynmap
    crypto map mymap interface outside
    crypto isakmp identity address
    crypto isakmp nat-traversal 30
    crypto ikev1 enable outside
    crypto ikev1 ipsec-over-tcp port 10000
    crypto ikev1 policy 5
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 1
     lifetime 86400
    crypto ikev1 policy 50
     authentication pre-share
     encryption des
     hash md5
     group 2
     lifetime 86400
    crypto ikev1 policy 60
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 70
     authentication pre-share
     encryption aes-256
     hash sha
     group 1
     lifetime 86400
    crypto ikev1 policy 90
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    console timeout 0
    management-access inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy BACKDOORVPN internal
    group-policy BACKDOORVPN attributes
     vpn-filter value 11
     vpn-tunnel-protocol ikev1
     split-tunnel-policy tunnelall
     default-domain value BH.UK
    tunnel-group BACKDOORVPN type remote-access
    tunnel-group BACKDOORVPN general-attributes
     address-pool Admin_Pool
     default-group-policy BACKDOORVPN
    tunnel-group BACKDOORVPN ipsec-attributes
     ikev1 pre-shared-key *
    tunnel-group x.x.x.x type ipsec-l2l
    tunnel-group x.x.x.x ipsec-attributes
     ikev1 pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global

    Excellent.

    Please rate useful posts.

    Thank you

    Rizwan James

  • Cisco ASA 5505 VPN L2TP cannot access the internal network

    Hello

    I'm trying to configure a Cisco L2TP VPN to my office. After a successful login, I can't access the internal network.

    Can you help me find the problem?

    I have a Cisco ASA:

    inside network - 192.168.1.0

    VPN network - 192.168.168.0

    I have a router at 192.168.1.2 and I cannot ping or access this router.

    Here is my config:

    ASA Version 8.4(3)
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 198.X.X.A 255.255.255.248
    !
    ftp mode passive
    same-security-traffic permit intra-interface
    object network net-all
     subnet 0.0.0.0 0.0.0.0
    object network vpn_local
     subnet 192.168.168.0 255.255.255.0
    object network inside_nw
     subnet 192.168.1.0 255.255.255.0
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended deny ip any any log
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool sales_addresses 192.168.168.1-192.168.168.254
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source dynamic net-all interface
    nat (inside,outside) source static inside_nw inside_nw destination static vpn_local vpn_local
    nat (outside,inside) source static vpn_local vpn_local destination static inside_nw inside_nw route-lookup
    !
    object network vpn_local
     nat (outside,outside) dynamic interface
    object network inside_nw
     nat (inside,outside) dynamic interface
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 198.X.X.B 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication enable console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set my-transform-set-ikev1 esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set my-transform-set-ikev1 mode transport
    crypto dynamic-map dyno 10 set ikev1 transform-set my-transform-set-ikev1
    crypto map vpn 20 ipsec-isakmp dynamic dyno
    crypto map vpn interface outside
    crypto isakmp nat-traversal 3600
    crypto ikev1 enable outside
    crypto ikev1 policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 30
    console timeout 0
    management-access inside
    dhcpd address 192.168.1.5-192.168.1.132 inside
    dhcpd dns 75.75.75.75 76.76.76.76 interface inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy sales_policy internal
    group-policy sales_policy attributes
     dns-server value 75.75.75.75 76.76.76.76
     vpn-tunnel-protocol l2tp-ipsec
    username -
    username -
    tunnel-group DefaultRAGroup general-attributes
     address-pool sales_addresses
     default-group-policy sales_policy
    tunnel-group DefaultRAGroup ipsec-attributes
     ikev1 pre-shared-key *
    tunnel-group DefaultRAGroup ppp-attributes
     authentication ms-chap-v2
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:5d1fc9409c87ecdc1e06f06980de6c13
    : end

    Thanks for your help.

    You must test with 'real' traffic to 192.168.1.2, and if you use ping, you must add ICMP inspection:

    policy-map global_policy
     class inspection_default
      inspect icmp

    --

    Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
    http://www.Kiva.org/invitedBy/karsteni

  • PIX501 customer VPN - cannot access inside the network with VPN Session

    What follows is based on the config on the attached link:

    http://www.Cisco.com/en/us/Partner/Tech/tk583/TK372/technologies_configuration_example09186a008009442e.shtml

    PIX Version 6.2(3) - VPN Client 3.3.6(A) - Windows XP client PC

    We can establish the VPN session to the PIX501, but we cannot access the private network behind the PIX.

    Here is the config - I can't determine why it does not work; we are desperate to get this working as soon as POSSIBLE!

    We have the same problem with client 4.0.3(c).

    Thanks in advance for any help!

    =======================================

    AKCPIX00# sh run
    : Saved
    :
    PIX Version 6.2(3)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname AKCPIX00
    domain-name domain.com
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    fixup protocol sip udp 5060
    names
    access-list 101 permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
    pager lines 24
    interface ethernet0 10baset
    interface ethernet1 10full
    mtu outside 1500
    mtu inside 1500
    ip address outside #.#.#.# 255.255.240.0
    ip address inside 192.168.1.5 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool akcpool 10.0.0.1-10.0.0.10
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 101
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 #.#.#.# 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa authentication ssh console LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    no sysopt route dnat
    crypto ipsec transform-set RIGHT esp-des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set RIGHT
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap interface outside
    isakmp enable outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup akcgroup address-pool akcpool
    vpngroup akcgroup dns-server 192.168.1.10
    vpngroup akcgroup default-domain domain.com
    vpngroup akcgroup split-tunnel 101
    vpngroup akcgroup idle-time 1800
    vpngroup akcgroup password *
    vpngroup akc idle-time 1800
    telnet timeout 5
    ssh #.#.#.# 255.255.255.255 outside
    ssh timeout 15
    dhcpd address 192.168.1.100-192.168.1.130 inside
    dhcpd dns 192.168.1.10
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd enable inside
    terminal width 80
    Cryptochecksum:XXXXX
    : end
    AKCPIX00#

    Config looks good - just like mine at home to my local network. The only thing I can think of is that you may have entered commands in the wrong order - meaning you could have enabled isakmp or the crypto map before the crypto map config was complete. Write memory, then reloading the PIX is one way to reset everything. If you do not want downtime:

    crypto map mymap interface outside
    isakmp enable outside

    Entering these two commands should be enough to reset IPsec and ISAKMP.

  • ASA 5505 VPN remote cannot access with my local network

    Hello guys, I have a problem with remote access VPN on my ASA 5505 to the local network. The VPN connection works well and connects, but the problem is that I can't reach my inside network 192.168.30.x. Here's my setup; please can you help me.

    ASA Version 8.2(1)
    !
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.30.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 155.155.155.10 255.255.255.0
    !
    interface Vlan5
     no nameif
     no security-level
     no ip address
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.240
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool vpn-pool 192.168.100.1-192.168.100.10 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy mull internal
    group-policy mull attributes
     vpn-tunnel-protocol IPSec
    username xxx password eKJj9owsQwAIk6Cw encrypted privilege 0
    username xxx attributes
     vpn-group-policy mull
    tunnel-group mull type remote-access
    tunnel-group mull general-attributes
     address-pool vpn-pool
     default-group-policy mull
    tunnel-group mull ipsec-attributes
     pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    !
    service-policy global_policy global
    prompt hostname context

    Yes, you will need to either configure split tunneling so that internet traffic goes out through your local Internet service provider, OR, with your current configuration where you are tunneling all traffic (including internet traffic) to the ASA, you will need to create NAT for the internet traffic.

    To set up split tunneling:

    access-list split-acl standard permit 192.168.30.0 255.255.255.0
    group-policy mull attributes
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value split-acl

    I hope this helps.

  • ASA 5505 VPN cannot access inside the host

    I have remote access VPN configured on an ASA 5505, but cannot access the hosts or the ASA when I connect through the VPN. I can connect with the Cisco VPN client, the VPN is up on the ASA and it shows that I am connected. I get the correct IP address, but I can't ping or connect to any of the internal addresses. I can't find what I'm missing. I have the VPN bypassing the interface ACL. Because I can connect but not go anywhere, I'm sure I missed something.

    Config excerpt below

    interface Vlan1
     nameif inside
     security-level 100
     ip address 10.1.1.1 255.255.255.0
    ip local pool xxxx 10.1.1.50-10.1.1.55 mask 255.255.255.0
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 40 set pfs
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
    crypto dynamic-map inside_dyn_map 20 set pfs
    crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
    crypto map inside_map interface inside
    crypto isakmp enable inside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    service-policy global_policy global
    group-policy xxxxxxx internal
    group-policy xxxxxxx attributes
     banner value xxxxx Site Recovery
     wins-server none
     dns-server value 24.xxx.xxx.xx
     vpn-access-hours none
     vpn-simultaneous-logins 3
     vpn-idle-timeout 30
     vpn-session-timeout none
     vpn-filter none
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelall
     default-domain none
     secure-unit-authentication disable
     user-authentication disable
     user-authentication-idle-timeout none
     ip-phone-bypass disable
     leap-bypass disable
     nem disable
     nac disable
     nac-sq-period 300
     nac-reval-period 36000
     nac-default-acl none
     address-pools value xxxxxx
     smartcard-removal-disconnect enable
     client-firewall none
     webvpn
      functions url-entry
     vpn-nac-exempt none
    no vpn-addr-assign aaa
    no vpn-addr-assign dhcp
    tunnel-group xxxx type ipsec-ra
    tunnel-group xxxx general-attributes
     address-pool xxxx
     default-group-policy xxxx
    tunnel-group blountdr ipsec-attributes
     pre-shared-key *

    Missing nat exemption for vpn clients. Add the following and you should be good to go.

    access-list inside_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.0
    nat (inside) 0 access-list inside_nat0_outbound

  • ASA 5512 AnyConnect VPN cannot connect to the inside network (9.1.x)

    Hello

    I'm new to the ASA; can someone please help me with this? I managed to connect to the VPN through the Cisco AnyConnect Mobility client, but I am unable to connect to the Internet. The allocated IP address was 172.16.1.60 and it seems OK. I thought my ACL and NAT were configured to allow and translate the given VPN IP pool, but I'm not able to ping anything on the inside.

    If anyone can shed some light... There's got to be something that escapes me...

    Here's my sh run

    Thank you

    Raul

    -------------------------------------------------------------------------------

    DLSYD-ASA# sh run
    : Saved
    :
    ASA Version 9.1(2)
    !
    hostname DLSYD-ASA
    domain-name delo.local
    enable password UszxwHyGcg.e6o4z encrypted
    names
    ip local pool DLVPN_Pool 172.16.1.60-172.16.1.70 mask 255.255.255.0
    !
    interface GigabitEthernet0/0
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/1
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/2
     description Ext
     speed 10
     duplex full
     nameif Ext
     security-level 0
     ip address 125.255.160.54 255.255.255.252
    !
    interface GigabitEthernet0/3
     description Int
     speed 10
     duplex full
     nameif Int
     security-level 100
     ip address 192.168.255.2 255.255.255.252
    !
    interface GigabitEthernet0/4
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/5
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     management-only
     nameif management
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    boot system disk0:/asa912-smp-k8.bin
    ftp mode passive
    clock timezone EST 10
    clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
    dns domain-lookup inside
    dns domain-lookup Int
    dns server-group DefaultDNS
     name-server 192.168.1.90
     name-server 192.168.1.202
     domain-name delo.local
    same-security-traffic permit intra-interface
    object network dlau40
     host 192.168.1.209
    object network dlausyd02
     host 192.168.1.202
    object network 192.168.1.42
     host 192.168.1.42
    object network dlau-utm
     host 192.168.1.50
    object network dlauxa6
     host 192.168.1.62
    object network 192.168.1.93
     host 192.168.1.93
    object network dlau-ftp01
     host 192.168.1.112
    object network dlau-dlau-ftp01
    object network dlvpn_network
     subnet 172.16.1.0 255.255.255.0
    object-group icmp-type Good-ICMP
     icmp-object echo
     icmp-object echo-reply
     icmp-object time-exceeded
     icmp-object traceroute
     icmp-object unreachable
    access-list DLVPN_STAcl standard permit 192.168.0.0 255.255.0.0
    access-list DLVPN_STAcl standard permit 196.1.1.0 255.255.255.0
    access-list DLVPN_STAcl standard permit 126.0.0.0 255.255.0.0
    access-list Ext_access_in extended permit icmp any any object-group Good-ICMP
    access-list Ext_access_in extended permit tcp any object dlau-ftp01 eq ftp
    access-list Ext_access_in extended permit tcp any object dlausyd02 eq https
    access-list Ext_access_in extended permit tcp any object dlau-utm eq smtp
    access-list Ext_access_in extended permit tcp any object dlauxa6 eq 444
    access-list Ext_access_in extended permit ip object annete-home any
    pager lines 24
    logging enable
    logging asdm informational
    mtu Ext 1500
    mtu Int 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-713.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (Int,Ext) source static any any destination static dlvpn_network dlvpn_network no-proxy-arp
    !
    object network dlausyd02
     nat (Int,Ext) static interface service tcp https https
    object network dlau-utm
     nat (Int,Ext) static interface service tcp smtp smtp
    object network dlauxa6
     nat (Int,Ext) static interface service tcp 444 444
    object network dlau-ftp01
     nat (Int,Ext) static interface service tcp ftp ftp
    access-group Ext_access_in in interface Ext
    route Ext 0.0.0.0 0.0.0.0 125.255.160.53 1
    route Int 192.168.0.0 255.255.0.0 192.168.255.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication enable console LOCAL
    aaa authentication telnet console LOCAL
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication ssh console LOCAL
    http server enable 44310
    http server idle-timeout 30
    http 192.168.0.0 255.255.0.0 Int
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet 192.168.1.0 255.255.255.0 management
    telnet timeout 30
    ssh 192.168.0.0 255.255.0.0 Int
    ssh timeout 30
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    no ipv6-vpn-addr-assign aaa
    no ipv6-vpn-addr-assign local
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 61.8.0.89 source outside prefer
    ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
    webvpn
     port 44320
     enable outside
     enable Ext
     anyconnect-essentials
     anyconnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 1
     anyconnect enable
     tunnel-group-list enable
    group-policy GroupPolicy_DLVPN internal
    group-policy GroupPolicy_DLVPN attributes
     wins-server none
     dns-server value 192.168.1.90 192.168.1.202
     vpn-tunnel-protocol ssl-client
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value DLVPN_STAcl
     default-domain value delonghi.local
     webvpn
      anyconnect keep-installer installed
      anyconnect ssl rekey time 30
      anyconnect ssl rekey method ssl
      anyconnect ask none default anyconnect
    username vendor_ipfx password pb6/6ZHhaPgDKSHn encrypted
    username vendor_pacnet password mIHuYi1jcf9OqVN9 encrypted
    username admin password tFU2y7Uo15ahFyt4 encrypted
    tunnel-group DLVPN type remote-access
    tunnel-group DLVPN general-attributes
     address-pool DLVPN_Pool
     default-group-policy GroupPolicy_DLVPN
    tunnel-group DLVPN webvpn-attributes
     group-alias DLVPN enable
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect netbios
      inspect ip-options
      inspect ftp
      inspect tftp
    !
    service-policy global_policy global
    smtps
     server 192.168.1.50
     default-group-policy DfltGrpPolicy
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:67aa840d5cfff989bc045172b2d06212
    : end
    DLSYD-ASA#

    Hello

    Just to be sure, add the following configuration related to ICMP traffic:

    policy-map global_policy
     class inspection_default
      inspect icmp
      inspect icmp error

    Your NAT0 configuration for traffic between the LAN and VPN users seems to. Your Split Tunnel ACL seems fine too, because it includes 192.168.0.0/16. I don't know what the others are.

    I wonder if this is a test installation, since you don't seem to have a dynamic PAT configured for your local network at all, just a few static PATs and the NAT0 for the VPN configuration. If it is a test configuration, then confirm that the device behind the ASA in the internal network has a default route pointing to the ASA's interface, and if so, that it is properly configured.

    Can you ICMP the device directly behind the ASA, which is the gateway to the LANs?

    If you want to try ICMP to the internal interface of the VPN ASA, then you can add this command and then try ICMP to the internal interface of the ASA:

    management-access Int

    The post is a little confusing in the sense that the subject talks about traffic to the internal network not working, while the message mentions traffic to the Internet. I guess you meant only traffic to the local network, because you use a Split Tunnel VPN, which means that Internet traffic should use the VPN user's local Internet connection while traffic to the networks specified in the Split Tunnel ACL should be sent through the VPN.

    -Jouni
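    As an added illustration of the NAT exemption check referred to in the reply above (not part of the thread and not Cisco code): a Python script that parses an ASA 8.3+ running-config for network objects, local pools and twice-NAT `source static` rules, then verifies that each pool is covered by an identity rule between the given inside and outside interfaces. The sample config is constructed from the post above and abbreviated; `check_nat_exemption`, `parse_objects_and_nat` and the explicit inside-network argument are the example's own names, not ASA features.

```python
"""Check an ASA 8.3+ (object-based twice NAT) remote-access config for a NAT
exemption: an identity rule 'nat (in,out) source static A A destination
static B B' whose A covers the inside network and whose B covers the whole
VPN pool.  Added example, not Cisco code; sample config constructed."""
import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_objects_and_nat(config):
    """Collect network objects, local pools and twice-NAT 'source static' rules."""
    objects, pools, nats = {}, {}, []
    current = None                      # object whose sub-commands we are inside
    for raw in config.splitlines():
        line = raw.strip()
        if (m := re.match(r"object network (\S+)$", line)):
            current = m.group(1)
        elif current and (m := re.match(r"subnet (\S+) (\S+)$", line)):
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        elif current and (m := re.match(r"host (\S+)$", line)):
            objects[current] = ipaddress.ip_network(m.group(1) + "/32")
        elif (m := re.match(r"ip local pool (\S+) (\S+)-(\S+) mask", line)):
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
        elif (m := re.match(r"nat \((\S+),(\S+)\) source static (\S+) (\S+) "
                            r"destination static (\S+) (\S+)", line)):
            nats.append({"ifaces": (m.group(1), m.group(2)),
                         "src": (m.group(3), m.group(4)),
                         "dst": (m.group(5), m.group(6))})
    return objects, pools, nats


def _resolve(name, objects):
    """Map an object name (or the keyword 'any') to a network."""
    return ANY if name == "any" else objects.get(name)


def check_nat_exemption(config, inside_net, inside_if, outside_if):
    """Report pools that have no identity twice-NAT rule from inside_if to outside_if."""
    objects, pools, nats = parse_objects_and_nat(config)
    inside = ipaddress.ip_network(inside_net)
    findings = []
    for pname, (first, last) in pools.items():
        covered = False
        for rule in nats:
            if rule["ifaces"] != (inside_if, outside_if):
                continue
            if rule["src"][0] != rule["src"][1] or rule["dst"][0] != rule["dst"][1]:
                continue                # not an identity (A A / B B) rule
            src = _resolve(rule["src"][0], objects)
            dst = _resolve(rule["dst"][0], objects)
            if src is not None and dst is not None and src.overlaps(inside) \
                    and first in dst and last in dst:
                covered = True
        if not covered:
            findings.append(f"NO_NAT_EXEMPTION:{pname}")
    return findings


# Constructed, abbreviated from the DLSYD-ASA post above.
SAMPLE_CONFIG = """
ip local pool DLVPN_Pool 172.16.1.60-172.16.1.70 mask 255.255.255.0
object network dlausyd02
 host 192.168.1.202
object network dlvpn_network
 subnet 172.16.1.0 255.255.255.0
nat (Int,Ext) source static any any destination static dlvpn_network dlvpn_network no-proxy-arp
object network dlausyd02
 nat (Int,Ext) static interface service tcp https https
"""
# Constructed failure case: the destination object no longer contains the pool.
BROKEN_CONFIG = SAMPLE_CONFIG.replace("subnet 172.16.1.0 255.255.255.0",
                                      "subnet 172.16.2.0 255.255.255.0")

if __name__ == "__main__":
    print(check_nat_exemption(SAMPLE_CONFIG, "192.168.0.0/16", "Int", "Ext"))
    print(check_nat_exemption(BROKEN_CONFIG, "192.168.0.0/16", "Int", "Ext"))
```

    Run it against saved `show running-config` output; the inside network is passed explicitly because in the config above it is a routed /16 behind the Int interface rather than the interface's own /30. Object NAT lines (`nat (Int,Ext) static interface service ...`) are deliberately ignored, since only the twice-NAT identity rule exempts VPN traffic.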

  • VPN: full tunnel cannot access the Internet

    Hi group!

    We have an ASA 5505 in our rack.

    I want to connect our office via VPN to our ASA. It should be a full tunnel, because in our office many ports are blocked by our provider and I want to use our rack's public interface, and therefore a split tunnel is not really good.

    But if I configure a full tunnel, I have no connection to the gateway. (Inside) rack servers can access outside.

    I have attached our config. Thanks in advance!

    Gerd

    Could not properly read your config; could you reattach the config in a readable format? But I see that your VPN pool is 192.168.0.0/24.

    To access the Internet from RA in full tunnel you need two statements; try adding these two statements and let us know how it works.

    same-security-traffic permit intra-interface
    nat (outside) 1 192.168.0.0 255.255.255.0

    Rgds

    -Jorge

  • VPN clients cannot access the VLAN

    Hello

    I just changed my flat LAN to a multi-VLAN environment, but now I need help to get my VPN working again, as the VPN user can access servers that are not on the 'door' VLAN. I've read enough to know that it is probably associated with NAT, but I'm not sure where to put this information.

    Does it go in the NAT associated with the E0 interface (outgoing Internet gateway), on VLAN10 (the VLAN the router is actually on), or can I create a new one and apply it to the crypto ipsec and isakmp side of things that VPN users use?

    My network is configured as such...

    VPN client - Router1811 - split trunk - C3550 - 12G - shared - resources multiple C3550s - servers/Wstns

    The router is on the 192.168.10.0 subnet, as are all switches; VLANs are set up through the 12G, and all other switches, including the router, are VTP clients. The user can get to the 10 subnet and any server on it, but not to the "farm" on the 192.168.11.0 subnet.

    I noticed Federico has been working on something very similar to this... but any help would be appreciated.

    Thank you, Don

    Hi Don,

    Please mark this discussion as resolved if there is no other problem with this VPN.

    See you soon,

    Nash.

  • VPN client cannot get inside the network

    The VPN client connects to the 2600 on the serial interface and should be able to get to the 10.10.0.0 network beyond 192.168.1.14. The client's ping gets a failure response from the external serial interface address.

    If you still have problems... can you check that there is a static route for 192.168.100.0/24 on router 192.168.1.14, and initiate a tracert to a host on the 10.10.x.x network from 192.168.100.7 and see where it goes... Your tests show that the VPN client knows how to get to this subnet, but it seems that there is a routing problem between 10.X.X.X and 192.168.100.0.

    I hope that helps!

  • ASA 5505 site-to-site VPN with several networks

    Hello

    I have a Cisco ASA 5505 configuration problem and hope you can help me.

    Our company created a second facility, which must be connected using VPN to our headquarters.

    I used the ASDM "Site-to-site VPN Wizard" to create a connection, which works very well with our main network.

    Following structure:

    Headquarters:

    Cisco ASA 5505, firmware 9.1, ASDM version 7.1

    Outside: Fixed IP

    Inside: IP address of the interface is 192.168.0.1/24 (data network)

    Now I have a second network 192.168.1.0/24 (VoIP network), PBX address is 192.168.1.10.

    The two networks should be accessible through the VPN.

    New installation:

    Cisco ASA 5505, firmware 9.1, ASDM version 7.1

    Outside: Fixed IP

    Inside: IP address of the interface is 192.168.2.1/24

    I have already created a connection so that a PC at the new plant reaches the data network. For example, a ping from 192.168.2.100 to 192.168.0.100 is possible.

    Now, I want to add some VoIP phones to the new facility, which can reach the PBX on 192.168.1.10.

    In the link, I have already added the two networks as remote networks:

    object-group network Testgroup
     network-object 192.168.0.0 255.255.255.0
     network-object 192.168.1.0 255.255.255.0
    access-list outside_cryptomap extended permit ip object-group Testgroup object Remote-Network

    My problem now is that I don't know what to define as the 'gateway' on my PBX.

    I can't use 192.168.0.1 because it's a different subnet. Also, I cannot put a second IP 192.168.1.1 on the interface of the ASA.

    Do you have any ideas how I can accomplish this, so that the two subnets are accessed through the VPN and all devices have a defined gateway?

    Could an "Easy VPN Remote" in "Network Mode" help me?

    What is the difference between 'Site-to-site' and 'Network Extension'?

    Kind regards

    Daniel condition, look for the solution GmbH

    You can optionally configure a new VLAN (VLAN PBX) on the ASA and connect this interface to the voice network.

    If you do not have a spare port on the ASA, then yes, you need a router to route traffic from the PBX to the ASA via the data network.

  • Cannot access the ASDM on the PIX from inside

    Hi all:

    I can't access the ASDM on the PIX when I type in

    Any advice would be appreciated.

    Hold on, I'm reading an ASDM release note, which may have a fix for this problem.

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsv12681

    [edit]

    CSCsv12681 bug details

    Symptom:

    During the loading of ASDM, a dialog box appears that says:

    "Failed to load ASDM. Click OK to exit ASDM. Unconnected sockets not implemented."

    This happens when you use Java 6 Update 10 or later.

    Conditions:

    ASDM version 5.0 or later running on ASA, PIX or FWSM and using Java 6 Update 10 or later.

    Workaround solution:

    Use Java 6 Update 7.

    Found-In:

    5.0(8)
    5.1(2)
    5.2(4)
    6.1(5)
    4,0000 F
    1.0000 F

    Fixed-In:

    6.2(0.70)
    6.2(0.71)
    6.1(1.55) F
    5.2(4.51)
    6.1(5.51)

    You can use this version based on the report above.

    asdm-61551.bin

  • VPN clients cannot access any internal address

    Definitely need help from an expert on this one...

    Attempting to define client VPN access on an ASA 5520 that has been used only as a firewall so far. The ASA has recently been updated to version 7.2(4).

    Problem: Once connected, the VPN client cannot access anything whats
oever. The VPN client cannot ping any address on the internal networks, or even the inside interface of the ASA.

    (Hopefully) relevant details:

    (1) The tunnel seems to be up. Clients are authenticated by the ASA and are able to connect.

    (2) Per many other related posts, I ran "sh crypto ipsec sa" to see the output: it appears that packets are decapsulated and decrypted, but NOT encapsulated or encrypted (see the attached output of "sh crypto ipsec sa").

    (3) Per other related posts, we've added the commands associated with NAT traversal (crypto isakmp nat-traversal 20, crypto isakmp ipsec-over-tcp port 10000). These were in fact absent from our configuration.

    (4) We tried TCP encapsulation and UDP encapsulation with experimental client profiles: same result in both cases.

    (5) If I (attempt to) ping an internal IP address from the connected client, the ASA real-time log entries show the build-up and teardown of the ICMP requests from the client to the internal target.

    (6) A packet capture on the internal address (the one we try to ping from the VPN client) shows that the ICMP request was received and answered. (See the attached capture.)

    (7) Our goal is to create about 10 different VPN client profiles, each with different combinations of access to the internal VLAN or DMZ VLAN. We have no preference for the type of encryption or method, as long as it is secure and it works; that said, do not hesitate to recommend a different approach altogether.

    We have tried everything we can think of, so any help or advice would be greatly appreciated! The sanitized ASA configuration is also attached.

    Thank you!

    It should be the last step :)

    On the 6509:

    ip route 172.16.100.0 255.255.255.0 172.16.20.2

    and on the ASA:

    no route inside 172.16.40.0 255.255.255.0 172.16.20.2

  • Help, please! Connected to the VPN, but cannot access internal servers.

    Hi friends,

    I'm a newbie on VPN stuff. I set up a basic VPN on a Cisco ASA 5505 using ASDM, and I was able to connect to it. However, I can't SSH or RDP to any of the servers in the house after I connect to the VPN. Here is the configuration. Help, please!

    ASA Version 8.2(5)
    !
    hostname sc-asa
    domain-name abc.com
    enable password xxxxxxxxx encrypted
    passwd xxxxxxxxx encrypted
    names
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address dhcp setroute
    !
    ftp mode passive
    dns server-group DefaultDNS
     domain-name OpenDNS.com
    access-list sc-pool_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.96 255.255.255.240
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool sc-pool 192.168.1.100-192.168.1.110 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcp-client client-id interface outside
    dhcpd auto_config outside
    !
    dhcpd address 192.168.1.5-192.168.1.36 inside
    dhcpd dns 208.67.222.222 208.67.220.220 interface inside
    dhcpd lease 86400 interface inside
    dhcpd domain abc.com interface inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
    webvpn
    group-policy abc-sc internal
    group-policy abc-sc attributes
     dns-server value 208.67.222.222 192.168.1.3
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value abc-sc_splitTunnelAcl
     default-domain value abc.com
    username a001 password xxxxxxxxxxx encrypted
    username a002 password xxxxxxxxxxx encrypted
    username a003 password xxxxxxxxxxx encrypted privilege 0
    username a003 attributes
     vpn-group-policy abc-sc
    username a004 password xxxxxxxxxxx encrypted privilege 0
    username a004 attributes
     vpn-group-policy abc-sc
    username a005 password xxxxxxxxxxx encrypted
    username a006 password xxxxxxxxxxx encrypted
    username a007 password xxxxxxxxxxx encrypted privilege 15
    tunnel-group abc-sc type remote-access
    tunnel-group abc-sc general-attributes
     address-pool sc-pool
     default-group-policy abc-sc
    tunnel-group abc-sc ipsec-attributes
     pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:e7df4fa4b60a252d806ca5222d48883b
    : end

    Hello

    I would suggest you start by changing the VPN pool to something other than the current LAN network and see if that helps.

    This should be the configuration required to achieve that:

    • First we remove the VPN pool from the VPN setup
    • Then we delete the VPN pool and create it again with another address space
    • We then attach this new VPN pool to the VPN configuration again
    • In the last step, we add a NAT0 / NAT exempt configuration for this new VPN pool and remove the old ACL line for the former VPN pool

    tunnel-group abc-sc general-attributes
     no address-pool sc-pool

    no ip local pool sc-pool 192.168.1.100-192.168.1.110 mask 255.255.255.0

    ip local pool sc-pool 192.168.100.100-192.168.100.110 mask 255.255.255.0

    tunnel-group abc-sc general-attributes
     address-pool sc-pool

    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

    no access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.96 255.255.255.240

    -Jouni
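    Added example, not part of the thread and not Cisco code: a Python linter for ASA 8.2-style configs that covers the points raised in two replies above, the pool-overlap and NAT0 exemption change suggested in this reply, and the `same-security-traffic permit intra-interface` plus `nat (outside)` pair given for full tunnels earlier in the thread. The sample configs are constructed (the first mirrors the sc-asa post, then applies the suggested change); `lint`, `parse_asa`, the finding codes and the pool name `ra-pool` are the example's own names.

```python
"""Lint an ASA 8.2-style remote-access VPN config for three problems pointed
out in this thread: a VPN pool overlapping the inside subnet, a missing NAT
exemption (nat 0) for the pool, and a full tunnel without the hairpin pieces.
Added example, not Cisco code; sample configs are constructed and abbreviated."""
import ipaddress
import re


def _net(addr, mask):
    """Network from ASA's 'address mask' notation."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _take_net(tokens):
    """Consume one ACL address spec: 'any', 'host X', or 'X MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return _net(tok, tokens.pop(0))


def parse_asa(config):
    """Extract only the objects the checks in lint() need."""
    info = {"pools": {}, "inside": None, "nat0_acl": None, "acls": {},
            "intra_interface": False, "outside_nat": [], "tunnelall": False}
    nameif = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif == "inside":
            parts = line.split()
            if parts[2] != "dhcp":          # 'ip address dhcp setroute' has no subnet
                info["inside"] = _net(parts[2], parts[3])
        elif (m := re.match(r"ip local pool (\S+) (\S+)-(\S+) mask", line)):
            info["pools"][m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                         ipaddress.ip_address(m.group(3)))
        elif (m := re.match(r"access-list (\S+) extended permit ip (.+)", line)):
            toks = m.group(2).split()
            info["acls"].setdefault(m.group(1), []).append((_take_net(toks), _take_net(toks)))
        elif (m := re.match(r"nat \(inside\) 0 access-list (\S+)", line)):
            info["nat0_acl"] = m.group(1)
        elif (m := re.match(r"nat \(outside\) [1-9]\d* (\S+) (\S+)", line)):
            info["outside_nat"].append(_net(m.group(1), m.group(2)))
        elif line == "same-security-traffic permit intra-interface":
            info["intra_interface"] = True
        elif line == "split-tunnel-policy tunnelall":
            info["tunnelall"] = True
    return info


def lint(config):
    """Return finding codes per pool; an empty list means all checks pass."""
    info = parse_asa(config)
    inside = info["inside"]
    exempt = info["acls"].get(info["nat0_acl"], [])
    findings = []
    for name, (first, last) in info["pools"].items():
        if inside is not None and (first in inside or last in inside):
            findings.append(f"POOL_OVERLAPS_INSIDE:{name}")
        # nat 0 must match inside -> pool, or VPN replies get PATed to the outside address
        if not any(first in dst and last in dst and (inside is None or src.overlaps(inside))
                   for src, dst in exempt):
            findings.append(f"NO_NAT_EXEMPTION:{name}")
        if info["tunnelall"]:      # full tunnel: pool traffic must hairpin back out of outside
            if not info["intra_interface"]:
                findings.append(f"FULLTUNNEL_NO_INTRA_INTERFACE:{name}")
            if not any(first in n and last in n for n in info["outside_nat"]):
                findings.append(f"FULLTUNNEL_NO_OUTSIDE_NAT:{name}")
    return findings


# Constructed after the sc-asa config above: the pool sits inside the LAN subnet.
BROKEN_CONFIG = """
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address dhcp setroute
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.96 255.255.255.240
ip local pool sc-pool 192.168.1.100-192.168.1.110 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
"""
# The change suggested in the reply: move the pool and update the nat 0 ACL.
FIXED_CONFIG = (BROKEN_CONFIG
                .replace("192.168.1.100-192.168.1.110", "192.168.100.100-192.168.100.110")
                .replace("192.168.1.96 255.255.255.240", "192.168.100.0 255.255.255.0"))
# Constructed full-tunnel config (hypothetical names) lacking exemption and hairpin pieces.
FULLTUNNEL_CONFIG = """
interface Vlan1
 nameif inside
 ip address 10.0.0.1 255.255.255.0
ip local pool ra-pool 192.168.0.10-192.168.0.20 mask 255.255.255.0
group-policy office attributes
 split-tunnel-policy tunnelall
"""
FULLTUNNEL_FIXED = FULLTUNNEL_CONFIG + """
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (outside) 1 192.168.0.0 255.255.255.0
"""

if __name__ == "__main__":
    for cfg in (BROKEN_CONFIG, FIXED_CONFIG, FULLTUNNEL_CONFIG, FULLTUNNEL_FIXED):
        print(lint(cfg))
```

    The overlap check flags a pool inside the LAN range even when a matching nat 0 line exists, which is exactly the situation in the sc-asa config; the two full-tunnel codes only fire when `split-tunnel-policy tunnelall` is present, since a split tunnel never needs to hairpin Internet traffic through the ASA.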

  • AnyConnect to ASA 5505 ver 8.4 unable to ping/access inside the network

    My AnyConnect VPN connects to the ASA, but I cannot access my home network hosts (tried a split tunnel and it didn't work either). I intend to use a split tunnel configuration, but I thought I would get this working before I set that up. My inside hosts are on the 10.0.1.0/24 network and the 10.1.0.0/16 networks. My AnyConnect hosts use 192.168.60.0/24 addresses.

    I saw the posts of others which seem similar, but none of those solutions have worked for me. I also tried several NAT configurations and ACLs to allow my internal network to reach the AnyConnect hosts and to allow the return traffic, but apparently I did it incorrectly. I understand that version 8.4 is supposed to make NAT and such easier to achieve, but the way I have it now in the IOS router is much simpler.

    My configuration is included below.

    Thanks in advance for your help.

    Jerry

    *************************************************************

    ASA Version 8.4 (4)

    !

    hostname mxfw

    domain moxiefl.com

    activate the (deleted) password

    !

    interface Ethernet0/0

    switchport access vlan 2

    !

    interface Ethernet0/1

    !

    interface Ethernet0/2

    !

    interface Ethernet0/3

    Shutdown

    !

    interface Ethernet0/4

    Shutdown

    !

    interface Ethernet0/5

    switchport trunk allowed vlan 20.22

    switchport mode trunk

    !

    interface Ethernet0/6

    Shutdown

    !

    interface Ethernet0/7

    Shutdown

    !

    interface Vlan1

    nameif inside

    security-level 100

    IP 10.0.1.1 255.255.255.0

    !

    interface Vlan2

    nameif outside

    security-level 0

    IP address dhcp setroute

    !

    interface Vlan20

    nameif dmz

    security-level 50

    IP 172.26.20.1 255.255.255.0

    !

    interface Vlan22

    nameif dmz2

    security-level 50

    IP 172.26.22.1 255.255.255.0

    !

    passive FTP mode

    DNS lookup field inside

    DNS domain-lookup outside

    DNS server-group DefaultDNS

    name-server 208.67.222.222

    Server name 208.67.220.220

    domain moxiefl.com

    permit same-security-traffic inter-interface

    network of the Generic_All_Network object

    subnet 0.0.0.0 0.0.0.0

    network of the INSIDE_Hosts object

    10.1.0.0 subnet 255.255.0.0

    network of the AnyConnect_Hosts object

    192.168.60.0 subnet 255.255.255.0

    network of the NETWORK_OBJ_192.168.60.0_26 object

    255.255.255.192 subnet 192.168.60.0

    network of the DMZ_Network object

    172.26.20.0 subnet 255.255.255.0

    network of the DMZ2_Network object

    172.26.22.0 subnet 255.255.255.0

    pager lines 24

    Within 1500 MTU

    Outside 1500 MTU

    MTU 1500 dmz

    dmz2 MTU 1500

    local pool VPN_POOL 192.168.60.20 - 192.168.60.40 255.255.255.0 IP mask

    no failover

    ICMP unreachable rate-limit 1 burst-size 1

    don't allow no asdm history

    ARP timeout 14400

    NAT dynamic interface of Generic_All_Network source (indoor, outdoor)

    NAT (inside, outside) static source INSIDE_Hosts INSIDE_Hosts static destination AnyConnect_Hosts AnyConnect_Hosts-route search

    NAT (inside, outside) static source any any static destination NETWORK_OBJ_192.168.60.0_26 NETWORK_OBJ_192.168.60.0_26 non-proxy-arp-search to itinerary

    NAT (dmz, outside) dynamic interface of Generic_All_Network source

    NAT (dmz2, outside) dynamic interface of Generic_All_Network source

    Route inside 10.1.0.0 255.255.0.0 10.0.1.2 1

    Timeout xlate 03:00

    Pat-xlate timeout 0:00:30

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    Floating conn timeout 0:00:00

    dynamic-access-policy-registration DfltAccessPolicy

    identity of the user by default-domain LOCAL

    the ssh LOCAL console AAA authentication

    AAA authentication http LOCAL console

    Enable http server

    http 10.0.0.0 255.0.0.0 inside

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

    Crypto ipsec ikev2 AES256 ipsec-proposal

    Protocol esp encryption aes-256

    Esp integrity sha - 1, md5 Protocol

    Crypto ipsec ikev2 ipsec-proposal AES192

    Protocol esp encryption aes-192

    Esp integrity sha - 1, md5 Protocol

    Crypto ipsec ikev2 ipsec-proposal AES

    Esp aes encryption protocol

    Esp integrity sha - 1, md5 Protocol

    Crypto ipsec ikev2 proposal ipsec 3DES

    Esp 3des encryption protocol

    Esp integrity sha - 1, md5 Protocol

    Crypto ipsec ikev2 ipsec-proposal OF

    encryption protocol esp

    Esp integrity sha - 1, md5 Protocol

    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev2 AES256 AES192 AES 3DES ipsec-proposal OF

    outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

    outside_map interface card crypto outside

    Crypto ca trustpoint ASDM_TrustPoint0

    registration auto

    domain name full anyconnect.moxiefl.com

    name of the object CN = AnyConnect.moxiefl.com

    Keypairs AnyConnect

    Proxy-loc-transmitter

    Configure CRL

    string encryption ca ASDM_TrustPoint0 certificates

    certificate 439 has 4452


      quit
    crypto ikev2 policy 1
     encryption aes-256
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 10
     encryption aes-192
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 20
     encryption aes
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 30
     encryption 3des
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 40
     encryption des
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 enable outside client-services port 443
    crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
    telnet timeout 5
    ssh 10.0.0.0 255.0.0.0 inside
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcpd dns 208.67.222.222 208.67.220.220
    dhcpd auto_config outside
    !
    dhcpd address 10.0.1.20-10.0.1.40 inside
    dhcpd dns 208.67.222.222 208.67.220.220 interface inside
    dhcpd enable inside
    !
    dhcpd address 172.26.20.21-172.26.20.60 dmz
    dhcpd dns 208.67.222.222 208.67.220.220 interface dmz
    dhcpd enable dmz
    !
    dhcpd address 172.26.22.21-172.26.22.200 dmz2
    dhcpd dns 208.67.222.222 208.67.220.220 interface dmz2
    dhcpd enable dmz2
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
     enable outside
     anyconnect-essentials
     anyconnect image disk0:/anyconnect-win-3.0.2052-k9.pkg 1
     anyconnect profiles AnyConnect_client_profile disk0:/AnyConnect_client_profile.xml
     anyconnect enable
     tunnel-group-list enable
    group-policy GroupPolicy_AnyConnect internal
    group-policy GroupPolicy_AnyConnect attributes
     wins-server none
     dns-server value 208.67.222.222 208.67.220.220
     vpn-tunnel-protocol ikev2 ssl-client
     default-domain value moxiefl.com
     webvpn
      anyconnect profiles value AnyConnect_client_profile type user
    username user1 password $ $ encrypted privilege 15
    username user2 password $ $ encrypted privilege 15
    tunnel-group AnyConnect type remote-access
    tunnel-group AnyConnect general-attributes
     address-pool VPN_POOL
     default-group-policy GroupPolicy_AnyConnect
    tunnel-group AnyConnect webvpn-attributes
     group-alias AnyConnect enable
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect icmp
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:f2c7362097b71bcada023c6bbfc45121
    : end

    Hello

    You may have a problem with the NAT configuration.

    Look at these 2 configurations above:

    nat (inside,outside) source dynamic Generic_All_Network interface

    nat (inside,outside) source static INSIDE_Hosts INSIDE_Hosts destination static AnyConnect_Hosts AnyConnect_Hosts route-lookup

    The solution is either to reconfigure the Dynamic PAT with a lower priority (this will tear down the current normal outbound connections) OR to reposition the NAT exempt / NAT0 configuration.

    The Dynamic PAT change could be done with:

    no nat (inside,outside) source dynamic Generic_All_Network interface

    nat (inside,outside) after-auto source dynamic Generic_All_Network interface

    The NAT0 configuration change could be done with:

    no nat (inside,outside) source static INSIDE_Hosts INSIDE_Hosts destination static AnyConnect_Hosts AnyConnect_Hosts route-lookup

    nat (inside,outside) 1 source static INSIDE_Hosts INSIDE_Hosts destination static AnyConnect_Hosts AnyConnect_Hosts route-lookup

    Changing the order of the NAT0 configuration as described above is probably the simplest solution and does not cause a teardown of connections for users. Of course, changing the Dynamic PAT configuration would avoid future problems it might generate. For example, it could override a static PAT (Port Forward) configured with Auto NAT configurations.

    Try the option that suits you best and let us know if it solved the problem.

    Remember to mark a reply as the answer if it answered your question.

    Feel free to ask more if necessary.

    -Jouni
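An added illustration of the ordering problem Jouni describes, not code from his reply or from the ASA: a small Python model of the ASA's first-match NAT evaluation (Section 1 manual NAT, Section 2 object NAT, Section 3 manual NAT "after-auto"). The object names INSIDE_Hosts and AnyConnect_Hosts come from the reply; the prefixes and the sample host addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed prefixes standing in for the ASA objects named in the reply.
INSIDE_HOSTS = ipaddress.ip_network("10.0.1.0/24")
ANYCONNECT_HOSTS = ipaddress.ip_network("10.0.254.0/24")   # VPN address pool
GENERIC_ALL = ipaddress.ip_network("0.0.0.0/0")            # Generic_All_Network


@dataclass
class NatRule:
    name: str
    section: int   # 1 = manual NAT, 2 = object (auto) NAT, 3 = manual NAT after-auto
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network   # GENERIC_ALL for a source-only rule
    action: str    # "pat-interface" (dynamic PAT) or "identity" (NAT exempt / NAT0)


def first_match(rules, src_ip, dst_ip):
    """Evaluate like the ASA: Section 1, then 2, then 3; within a section the
    configured (list) order wins. sorted() is stable, so list order is kept."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in sorted(rules, key=lambda r: r.section):
        if src in rule.src and dst in rule.dst:
            return rule
    return None


def translated_source(rules, src_ip, dst_ip):
    """Source address the packet leaves with. An identity match (or no match)
    keeps the real address, which is what the VPN tunnel needs to see."""
    rule = first_match(rules, src_ip, dst_ip)
    if rule is None or rule.action == "identity":
        return src_ip
    return "OUTSIDE_INTERFACE_IP"   # PATed: the AnyConnect client never gets a usable reply


PAT = NatRule("dynamic PAT", 1, GENERIC_ALL, GENERIC_ALL, "pat-interface")
NAT0 = NatRule("NAT0", 1, INSIDE_HOSTS, ANYCONNECT_HOSTS, "identity")

# As posted: the catch-all PAT sits above the exemption in Section 1, so it wins.
BROKEN = [PAT, NAT0]
# Fix 1 from the reply: re-add the exemption as line 1 ("nat (inside,outside) 1 source static ...").
FIX_REORDER = [NAT0, PAT]
# Fix 2 from the reply: move the PAT to Section 3 ("nat (inside,outside) after-auto source dynamic ...").
FIX_AFTER_AUTO = [PAT.__class__("dynamic PAT", 3, GENERIC_ALL, GENERIC_ALL, "pat-interface"), NAT0]
```

Either fix leaves ordinary Internet-bound traffic PATed while inside-to-VPN traffic keeps its real source; with the broken order, a LAN host answering a VPN client is PATed to the outside interface and the connection fails.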
