ASA 5505 VPN works great but clients can't access internet via the tunnel

We have an ASA 5505 running ASA 8.2.1 and using IPSec for remote access clients in the main office. Remote access is working great, with full access to network resources in the main office, and the only thing I can't get to work is access to the internet through the tunnel. I don't want to use split tunneling. I use ASDM 6.2.1 for configuration. Any help is appreciated. I'm probably missing something simple, and I have looked at it so much that I'm probably looking right past the error. Thanks in advance for your time and help! Jim

Add a nat statement for your client segment on the outside interface

NAT (outside) - access list

then allow traffic routing back on the same interface, it is entered in the

same-security-traffic permit intra-interface

More information can be found here:

http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a00807...

On Wednesday, 27 January 2010, at 23:12, jimcanova


Similar Questions

  • Can not access internet via wireless HTTP 404

    I plugged a wireless (NetGear) adapter to my PC to be able to access the internet via the card my husband Verizon Wireless.  He says that I'm connected to the internet, but the only thing I get when I try to connect to any site is error 404 web page not found.  It's probably something simple, I need to set up on my desktop, but I can't find a way to solve this problem.

    Thank you... I actually got a response via Widgetbox.com yesterday.  I had to go to the workstation, Panel, network and Internet Options, Internet connections, connections and go to LAN settings and uncheck all checked it (the checked was something to do with a proxy server).  And that's all that it was him - everything has worked correctly!  Hope this helps someone else.

  • I have subscribed to the edition of CC students, yesterday, but can always install trial via the creative cloud Applet Versions. Is this normal?

    It is usual to take a long time? I don't think. But who knows. If I click on activate in the application, the software asks you a serial number which I did not.

    What can I do? Or ca I just wait?

    Sabba it is unlikely that the computer is facing a connection failure and does not not with our activation servers.  Please see Sign in, activation or connection errors. CC, CS6, CS5.5 - http://helpx.adobe.com/x-productkb/policy-pricing/activation-network-issues.html for more information on how to solve the connection failure.

  • I can't access websites via the firefox address bar, only through links and the address bar of windows. Why is this?

    When I enter a Web site URL and press enter nothing happens. Same thing with the green arrow next to the address bar. Only by clicking on the links or by typing the URL in the address bar of windows I can access websites.

    Found the problem. Tab Mix more is to be stupid. Dev-update to the current release has not helped, but disable did the trick.

  • Can't access internet via Firefox on the XP machine after that some message McAphee, although can be accessed via Internet Explorer. Solution?

    My wife noticed that she has received a message from McAfee (forgotten) just before that the problem has begun, and that a green McAfyestee search engine appears on his yahoo email account shortly after.

    Check the McAfee settings to make sure that it is not blocking Firefox. For more information, see Configuration of McAfee Internet Security or McAfee Total Protection configuration.

  • I can't access my email works through outlook over a VPN. The signin VPN works ok, I can see my network co., but can not use outlook. 'Microsoft Exchange Server' reported an error (0 x 80040115)

    prospects for bt infinity

    I recently changed my home to infinity of BT broadband.  Now I can't access my email works through outlook over a VPN.  The signin VPN works ok, I can see my network co., but can not use outlook.   I get the following error at startup of outlook.

    Task 'Microsoft Exchange Server' reported an error (0 x 80040115): ' the connection to the Microsoft Exchange Server is unavailable.  Outlook must be online or connected to complete this action. »

    Anyone have any ideas?

    Allan M

    Hello

    Your question of Windows 7 is more complex than what is generally answered in the Microsoft Answers forums. It is better suited for the IT Pro TechNet public. Please post your question in the TechNet Windows 7 networking forum.

    Ramata Thakur

  • ASA 5505 VPN sessions maximum 25?

    Hello friends

    The company I work for acquired several ASA 5505s, so now we will be able to connect several branches to headquarters. But now I know that the ASA 5505 only scales to 25 VPN sessions, and I think that won't be enough to support the operations of an office. I have a lot of questions about this:

    Does the number 25 mean support for up to 25 L2L tunnels? Or does it mean 25 sessions, regardless of the number of L2L tunnels?

    Does the number 25 mean support for up to 25 users in the branch office? Or does it mean that a user can use several sessions?

    I'm at the stage of testing in a lab where one PC connects to many applications. Does anyone know if there is a command on the ASA to check how many VPN sessions are in use?

    Please do not hesitate to ask for as much information as necessary. Any comments or documents will be appreciated.

    Kind regards!

    Hi Alex,

    The ASA 5505 supports a maximum of 25 VPN sessions for IKEv1 or IPsec clients: it could be up to 25 L2L tunnels or 25 users using IKEv1 (legacy IPsec client), and another 25 sessions for AnyConnect or WebVPN if those are used.

    To check how many VPN sessions are currently running, run the commands 'show vpn-sessiondb' and 'show vpn-sessiondb summary'.

    Find the official documentation for the ASA5505 on the following link:

    http://www.Cisco.com/c/en/us/products/collateral/security/ASA-5500-series-next-generation-firewalls/datasheet-C78-733510.html

    Rate if helps.

    -Randy-

  • No Internet connectivity with ASA 5505 VPN remote access

    Hello

    I configured an ASA 5505 for remote access VPN to allow a remote user to connect to the remote office LAN. The VPN works well and users can access office LAN resources such as shares, but once they have connected to the VPN, they are unable to browse the internet.

    Internet browsing stops working as soon as their VPN client connects to the ASA 5505; once they are disconnected from the VPN, they can browse the internet again.

    Is the ASA 5505 blocking internet browsing for VPN users? Is there anything else that I need to configure to ensure that VPN users can browse the internet?

    Do I have to configure split tunneling, NAT or routing for VPN users, or something else?

    Thank you very much for your help.

    Regards

    Salman

    Salman

    What you have run into is a default behavior of the ASA in which it will not route traffic back out on the same interface on which it arrived. So if the VPN traffic arrived on the outside interface, the ASA does not want to send it back out the outside interface for Internet access.

    You have at least 2 options:

    - You can configure split tunneling, as you mention, and this would allow Internet browsing to continue while the VPN is in use.

    - You can set an option on the ASA to allow traffic back out on the same interface (this is sometimes called hairpinning). Use the command

    same-security-traffic permit intra-interface

    HTH

    Rick

  • ASA 5510 & ASA 5505 VPN

    I have an ASA 5510 at HQ (Version 8.0(3)) and an ASA 5505 (Version 8.3(1)) at the remote end. I am using Easy VPN. The VPN works fine, but when the VPN is connected the 5510 shows 17 IPsec connections to this one device. I look at the 5505 and it says 1.

    Thank you!

    Yes, it will create SAs for each subnet: one SA pair with the remote ASA 5505 subnet and one SA pair with the IP of the remote ASA 5505 peer.

    It creates the extra SA pair with the peer IP of the remote ASA for Easy VPN (this is normal in Easy VPN). If you configure LAN-to-LAN between the 2 ASAs, there will be just half of the SAs, because no SAs will be created for the peer IP address as in the Easy VPN tunnel.

    Here are the corresponding SAs that were created:

    local ident (addr, mask, prot, port): (64.196.6.165/255.255.255.255/0/0)
    Remote ident (addr, mask, prot, port): (64.196.6.180/255.255.255.255/0/0)

    local ident (addr, mask, prot, port): (172.30.20.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (64.196.6.180/255.255.255.255/0/0)

    local ident (addr, mask, prot, port): (172.30.20.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (192.168.101.0/255.255.255.0/0/0)

    local ident (addr, mask, prot, port): (172.30.30.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (192.168.101.0/255.255.255.0/0/0)

    local ident (addr, mask, prot, port): (172.30.30.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (64.196.6.180/255.255.255.255/0/0)

    local ident (addr, mask, prot, port): (172.30.70.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (192.168.101.0/255.255.255.0/0/0)

    local ident (addr, mask, prot, port): (172.30.70.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (64.196.6.180/255.255.255.255/0/0)

    local ident (addr, mask, prot, port): (172.30.71.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (64.196.6.180/255.255.255.255/0/0)

    local ident (addr, mask, prot, port): (172.30.71.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (192.168.101.0/255.255.255.0/0/0)

    local ident (addr, mask, prot, port): (172.30.80.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (64.196.6.180/255.255.255.255/0/0)

    local ident (addr, mask, prot, port): (172.30.80.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (192.168.101.0/255.255.255.0/0/0)

    local ident (addr, mask, prot, port): (172.30.81.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (192.168.101.0/255.255.255.0/0/0)

    local ident (addr, mask, prot, port): (172.30.81.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (64.196.6.180/255.255.255.255/0/0)

    local ident (addr, mask, prot, port): (172.30.88.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (64.196.6.180/255.255.255.255/0/0)

    local ident (addr, mask, prot, port): (172.30.88.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (192.168.101.0/255.255.255.0/0/0)

    local ident (addr, mask, prot, port): (192.168.1.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (192.168.101.0/255.255.255.0/0/0)

    local ident (addr, mask, prot, port): (192.168.1.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (64.196.6.180/255.255.255.255/0/0)
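The count in this reply can be reproduced from the ident pairs themselves. The following is an added example, not part of the original post: it classifies each local/remote pair and compares the total with what the reply describes for Easy VPN and for LAN-to-LAN. The sample output uses constructed addresses, and the expected-count formulas assume a single remote subnet, as in the thread.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the layout quoted above (two HQ subnets, one remote LAN).
SAMPLE = """\
local ident (addr, mask, prot, port): (198.51.100.1/255.255.255.255/0/0)
Remote ident (addr, mask, prot, port): (203.0.113.9/255.255.255.255/0/0)
local ident (addr, mask, prot, port): (192.0.2.0/255.255.255.128/0/0)
Remote ident (addr, mask, prot, port): (203.0.113.9/255.255.255.255/0/0)
local ident (addr, mask, prot, port): (192.0.2.0/255.255.255.128/0/0)
Remote ident (addr, mask, prot, port): (10.99.0.0/255.255.255.0/0/0)
local ident (addr, mask, prot, port): (192.0.2.128/255.255.255.128/0/0)
Remote ident (addr, mask, prot, port): (10.99.0.0/255.255.255.0/0/0)
local ident (addr, mask, prot, port): (192.0.2.128/255.255.255.128/0/0)
Remote ident (addr, mask, prot, port): (203.0.113.9/255.255.255.255/0/0)
"""

IDENT = re.compile(r"(local|remote) ident .*?: \(([\d.]+)/([\d.]+)/\d+/\d+\)", re.I)


def sa_pairs(output):
    """Pair each 'local ident' line with the 'remote ident' line that follows it."""
    pairs, local = [], None
    for kind, addr, mask in IDENT.findall(output):
        net = ipaddress.ip_network(f"{addr}/{mask}")
        if kind.lower() == "local":
            local = net
        elif local is not None:
            pairs.append((local, net))
            local = None
    return pairs


def classify(local, remote):
    """Name the kind of SA by whether each side is a host (/32) or a subnet."""
    if remote.prefixlen == 32:
        return "peer-to-peer" if local.prefixlen == 32 else "subnet-to-peer"
    return "subnet-to-subnet"


def summarize(output):
    pairs = sa_pairs(output)
    subnets = {local for local, _ in pairs if local.prefixlen < 32}
    return {
        "total": len(pairs),
        "kinds": dict(Counter(classify(l, r) for l, r in pairs)),
        "local_subnets": len(subnets),
        # Easy VPN: one SA per subnet to the remote LAN, one per subnet to the
        # remote peer IP, plus the peer-to-peer SA.
        "expected_easy_vpn": 2 * len(subnets) + 1,
        # LAN-to-LAN: only the subnet-to-subnet SAs remain.
        "expected_l2l": len(subnets),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run against the 17 pairs quoted above, the same logic finds 8 local subnets, which gives 2 × 8 + 1 = 17 for Easy VPN and 8 for LAN-to-LAN.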

  • Cisco vpn client to connect but can not access to the internal network

    Hi all

    I have a VPN configured on a Cisco 5540. My VPN was working fine, but suddenly there is an issue where the Cisco VPN client connects but cannot access the internal network.

    Any help would be much appreciated.

    Hi Samir,

    I suggest that you go to the ASA and check the configuration to make sure that it complies with the requirements according to the reference below link:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805734ae.shtml

    (The link above includes split tunneling, but this is just an option.)

    Please paste the output of "sh cry ipsec sa" here so that we can check if phase 2 is properly established. I would also suggest that you go to the IPsec VPN client on your PC and check whether the packets sent and received increment in the 'status' window.

    Let me know if this helps,

    See you soon,

    Christian V

  • LAN ASA 5505 VPN client access issue

    Hello

    I'm no expert in ASA and routing, so I'm asking for support with the following case.

    There is a Cisco VPN client (running on Windows 7) and an ASA 5505.

    The objectives are that the client can use the remote gateway on the ASA for Skype and is able to access devices on the ASA inside interface.

    Skype works well, but I can't access devices on the inside interface through the VPN connection.

    Can you please check my following config and give me any advice to fix NAT or VPN settings?

    ASA Version 7.2(4)
    !
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password wDnglsHo3Tm87.tM encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address dhcp setroute
    !
    interface Vlan3
     no forward interface Vlan1
     nameif dmz
     security-level 50
     no ip address
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    dns server-group DefaultDNS
     domain-name default.domain.invalid
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any
    access-list inside_access_in extended permit udp 192.168.1.0 255.255.255.0 any
    access-list outside_access_in extended permit ip any 192.168.1.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    ip local pool VPNPOOL 10.0.0.200-10.0.0.220 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    nat (inside) 1 10.0.0.0 255.255.255.0
    nat (inside) 1 192.168.1.0 255.255.255.0
    nat (outside) 1 10.0.0.0 255.255.255.0
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs group1
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 5
    ssh version 2
    console timeout 0
    dhcpd auto_config outside
    !
    dhcpd address 192.168.1.2-192.168.1.33 inside
    dhcpd dns xx.xx.xx.xx interface inside
    dhcpd enable inside
    !
    group-policy DfltGrpPolicy attributes
     banner none
     wins-server none
     dns-server value 84.2.44.1
     dhcp-network-scope none
     vpn-access-hours none
     vpn-simultaneous-logins 3
     vpn-idle-timeout 30
     vpn-session-timeout none
     vpn-filter none
     vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
     password-storage disable
     ip-comp disable
     re-xauth disable
     group-lock none
     pfs disable
     ipsec-udp disable
     ipsec-udp-port 10000
     split-tunnel-policy tunnelall
     split-tunnel-network-list none
     default-domain none
     split-dns none
     intercept-dhcp 255.255.255.255 disable
     secure-unit-authentication disable
     user-authentication disable
     user-authentication-idle-timeout 30
     ip-phone-bypass disable
     leap-bypass disable
     nem enable
     backup-servers keep-client-config
     msie-proxy server none
     msie-proxy method no-modify
     msie-proxy except-list none
     msie-proxy local-bypass disable
     nac disable
     nac-sq-period 300
     nac-reval-period 36000
     nac-default-acl none
     address-pools none
     smartcard-removal-disconnect enable
     client-firewall none
     client-access-rule none
     webvpn
      functions url-entry
      html-content-filter none
      homepage none
      keep-alive-ignore 4
      http-comp gzip
      filter none
      url-list none
      customization value DfltCustomization
      port-forward none
      port-forward-name value Application Access
      sso-server none
      deny-message value connection succeeded, but because some criteria have not been met, or because of a specific group policy, you are not allowed to use the VPN features. Contact your administrator for more information
      svc none
      svc keep-installer installed
      svc keepalive none
      svc rekey time none
      svc rekey method none
      svc dpd-interval client none
      svc dpd-interval gateway none
      svc compression deflate
    group-policy XXXXXX internal
    group-policy XXXXXX attributes
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelall
     split-tunnel-network-list none
    username XXXXXX password G910DDfbV7mNprdR encrypted privilege 15
    username XXXXXX password 5p9CbIe7WdF8GZF8 encrypted privilege 0
    username XXXXXX attributes
     vpn-group-policy XXXXXX
    username XXXXX password cRQbJhC92XjdFQvb encrypted privilege 15
    tunnel-group XXXXXX type ipsec-ra
    tunnel-group XXXXXX general-attributes
     address-pool VPNPOOL
     default-group-policy XXXXXX
    tunnel-group XXXXXX ipsec-attributes
     pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect icmp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:a8fbb51b0a830a4ae823826b28767f23
    : end
    ciscoasa#

    Thanks in advance!

    fbela

    config# no nat (inside) 1 10.0.0.0 255.255.255.0 <this is not>

    Add - config# same-security-traffic permit intra-interface

    # access-list sheep extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0

    # nat (inside) 0 access-list sheep

    Please add and test it.

    Thank you

    Ajay
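The replies on this page name three things a full-tunnel client depends on: traffic allowed back out of the interface it arrived on, a NAT rule for the client pool on the outside interface, and NAT exemption between the inside network and the pool. The following is an added example, not part of any post, that checks a saved pre-8.3 configuration for them; the fragment is constructed from the addressing in the config posted above, and the function and key names are assumptions.

```python
import ipaddress
import re

# Constructed pre-8.3 fragment that reuses the addressing from the posted config.
BEFORE = """\
same-security-traffic permit intra-interface
ip local pool VPNPOOL 10.0.0.200-10.0.0.220 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0
nat (outside) 1 10.0.0.0 255.255.255.0
group-policy XXXXXX attributes
 split-tunnel-policy tunnelall
"""
# Same fragment after the changes suggested in the reply.
AFTER = BEFORE.replace("nat (inside) 1 10.0.0.0 255.255.255.0\n", "") + """\
access-list sheep extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list sheep
"""


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def audit(config):
    """Report what full-tunnel VPN clients can reach with this NAT setup."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    pool = re.search(r"^ip local pool \S+ ([\d.]+)-([\d.]+)", config, re.M)
    if pool is None:
        raise ValueError("no 'ip local pool' line found")
    ends = [ipaddress.ip_address(pool[1]), ipaddress.ip_address(pool[2])]

    def covers(network):  # True when the network contains the whole pool range
        return all(addr in network for addr in ends)

    nat, globals_, exempt, acl_dst = {}, set(), set(), {}
    for ln in lines:
        if m := re.match(r"nat \((\w+)\) (\d+) ([\d.]+) ([\d.]+)$", ln):
            nat.setdefault((m[1], m[2]), []).append(_net(m[3], m[4]))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)$", ln):
            exempt.add(m[1])
        elif m := re.match(r"global \((\w+)\) (\d+) ", ln):
            globals_.add((m[1], m[2]))
        elif m := re.match(r"access-list (\S+) extended permit ip "
                           r"[\d.]+ [\d.]+ ([\d.]+) ([\d.]+)$", ln):
            acl_dst.setdefault(m[1], []).append(_net(m[2], m[3]))

    result = {
        "full_tunnel": "split-tunnel-policy tunnelall" in lines,
        "intra_interface": "same-security-traffic permit intra-interface" in lines,
        # nat (outside) N on the pool only translates if global (outside) N exists
        "outside_pat": any(key[0] == "outside" and key in globals_
                           and any(map(covers, nets)) for key, nets in nat.items()),
        # nat (inside) 0 with an ACL whose destination is the pool
        "inside_exempt": any(covers(dst) for name in exempt
                             for dst in acl_dst.get(name, [])),
        # the pool listed as an inside source, which the reply removes
        "pool_nat_on_inside": any(key[0] == "inside" and any(map(covers, nets))
                                  for key, nets in nat.items()),
    }
    result["internet_via_tunnel"] = all(
        result[k] for k in ("full_tunnel", "intra_interface", "outside_pat"))
    return result


if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(cfg))
```

The ACL pattern only recognises entries written as network and mask pairs; entries using `any` or `host` are not evaluated.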

  • ASA 5505 VPN tunnel

    Hello again,

    Can you please answer a few questions that have been burning in my head these days?

    1. Can I connect an ASA 5505 to a WRT54GL router in a VPN tunnel so that the WRT54GL is the endpoint that connects to the ASA?

    2. If yes, can you please tell me which firmware I should use and the steps to follow?

    3. If not, can you tell me what router I should use so that the VPN tunnel can be done?

    Thank you!

    Hi Svetoslav,

    I understand that you are asking whether you can establish a site-to-site VPN between an ASA 5505 and a Linksys WRT54GL. Unfortunately, the WRT54GL doesn't support acting as a VPN endpoint. If you don't want to spend money on another ASA 5505 (which I recommend), you can look at the Cisco Small Business line of firewalls/routers, like the RV320.

    http://www.Cisco.com/en/us/products/ps11997/index.html

    Kind regards

    Mike

  • I have a slide show full frame, which works great, but is there a way to keep "next" arrows "prev" aligned vertically when the browser size changes? Also is there is way to add a border to a slide show full frame as well?

    I have a slide show full frame, which works great, but is there a way to keep "next" arrows "prev" aligned vertically when the browser size changes?

    Or a way to pin things generally vertically centered?

    Also is there is way to add a border to a slide show full frame as well?

    Thank you

    Hello.  For the problem of alignment, of the research this window https://helpx.adobe.com/muse/using/objects.html#Pinning%20objects%20to%20the%20browser%20w

    For once, click once on the slide show, and then click New. In this way you access the first image. Determine the race it and view it in the browser. It should work.

  • I am able to access my desktop to my laptop as part of a homegroup, but can not access the external hard drive that is attached to my office.

    share external hard drive

    I am able to access my desktop to my laptop as part of a homegroup, but can not access the external hard drive that is attached to my office. I want to be able to back up my laptop hard disk external.  Advice please.

    geraintjo

    I do not use homegroups, but 'true' to share, so I don't know how this is supposed to work with homegroups. But usually he should share a drive or folder, first before you can access it from another machine. (for example, click on the drive/folder properties and go to the sharing tab)

  • I have photos I want to decrease the dpi on but can not understand how with the Gallery Windows. I have Windows Vista operating system.

    I have photos I want to decrease the dpi on but can not understand how with the Gallery Windows. I have Windows Vista operating system.


    ===============================================
    You can resize a picture in WLPG but if you want to change the .dpi you
    need a different application.

    Information about resizing...
    Right-click on one or more selected inches... Choose... "Resize" in the menu.
    Choose a format, access a folder to save in the left click the ' resize and
    Save "button. (I suggest that you save the photos resized in a new folder
    to prevent the replacement (replacement) the originals)

    Take a look at the following link:

    Resizing Photos in Windows Live Photo Gallery
    http://blogs.msdn.com/PIX/archive/2007/11/30/resizing-photos-in-Windows-Live-Photo-Gallery.aspx

    In addition, the free software IrfanView can change dpi. Simply open a photo in IrfanView
    and go... Image / information. Enter the resolution you want in the resolution
    fields and on the left, click change. Then go to... File / save as... and save
    your photo altered with a new name.

    IrfanView
    http://www.software.com/IrfanView
    (Download plugins too)
    http://www.software.com/IrfanView-plugin

    John Inzer - MS - MVP - Digital Media Experience - Notice_This is not tech support_I'm volunteer - Solutions that work for me may not work for you - * proceed at your own risk *.
