ASA + no local lan access

Hi all

I have an ASA 5510 configured, when I try to connect to my asa fom the VPN client

I can connect but can not reach my internal network.

I have attached the running configuration, if anyone has an idea please let know me.

Thank you

This NAT exemption does not seem to be correct, can you please indicate why there is exemption from NAT 2 configured on the inside interface and the other with the keyword 'outside '?

NAT (inside) 0-list of access inside_nat0_outbound_1
NAT (inside) 0 inside_nat0_outbound_2 list of outdoor access

I suggest you remove the second line because it's not really sense:

no nat (inside) 0 inside_nat0_outbound_2 list of outdoor access

Then 'clear xlate' to clear the existing translation.

Secondly, please configure: management-access inside, then once your vpn is connected, see if you can reach 192.0.0.40.

Finally, if it works, if you try to test with ping, please configure the following:

Policy-map global_policy
class inspection_default

inspect the icmp

and see if you can test the ip address of the router 192.0.0.187.

Hope that helps.

Tags: Cisco Security

Similar Questions

How to grant local LAN access when you are connected via a central-site

I know how to activate the local LAN access in the properties for the client connection, but I don't know how to allow access to the central site

Central site is a CISCO 1721 with module as well as IOS IPSEC VPN

tanks for any help

Hello

This feature is only supported when you connect to a VPN3K box, its not available for PIX/IOS as a vpn server, allowing it on the client-side custom has no effect when you connect to a server of PIX/IOS.

THX

AFAQ

VPN Local lan access

I have set up a cisco 861 as a vpn server. Could I help you if someone can tell what is the problem? Clients can connect, but cannot access local resources from lan for subnet 10.0.10.0

Building configuration...

Current configuration: 9770 bytes
!
version 12.4
no service button
tcp KeepAlive-component snap-in service
a tcp-KeepAlive-quick service
horodateurs service debug datetime msec localtime

Show time-zone
Log service timestamps datetime localtime show msec.

time zone
encryption password service
sequence numbers service
!
hostname RT861W
!
boot-start-marker
start the flash c860-universalk9 - mz.124 - 24.T3.bin system
boot-end-marker
!
forest-meter operation of syslog messages
logging buffered 4096 warnings
recording console critical
enable secret 5 xxxxxxxx
!
AAA new-model
!
!
AAA authentication login default local
AAA authentication login userauthen local
AAA authorization groupauthor LAN
!
!
AAA - the id of the joint session
iomem 10 memory size
clock timezone IS - 4
clock save interval 24
!
Crypto pki trustpoint TP-self-signed-3796206546
enrollment selfsigned
name of the object cn = IOS-Self-signed-certificate-

3796206546
revocation checking no
rsakeypair TP-self-signed-3796206546
!
!
chain pki crypto TP-self-signed certificates.

3796206546
certificate self-signed 01
30820259 308201 2 A0030201 02020101 300 D 0609

2A 864886 F70D0101 04050030
2 060355 04031326 494F532D 53656 C 66 31312F30

2 536967 6E65642D 43657274
69666963 33373936 32303635 6174652D 3436301E

170 3130 30363130 32323534
33395A 17 0D 323030 31303130 30303030 305A 3031

06035504 03132649 312F302D
65642 43 65727469 5369676E 656C662D 4F532D53

66696361 74652 33 37393632
3630819F 30363534 300 D 0609 2A 864886 F70D0101

01050003 818 0030 81890281
81009C 68 0509FEBA BA0D4251 52AA3F1C DBB7CACB

138D0D3D 8017AB75 04AABD97
16DE7A44 31B18A6C 5DE8F289 CF5D71EA AF9BA2F6

EB32858B 4385DE6C 3ED11616
2B997D14 C6C86431 9A 956161 2D0581F4 767D60E1

82FF426A 911D503E 8995A69B
6F7A4D9A 9AEA14DE 8A62570E C9C3A913 25E5E464

E6DA7E06 44F94B16 3EA57809
5B 710203 010001 HAS 3 8180307E 300F0603 551D 1301

01FF0405 FF302B06 30030101
11 04243022 82205254 38363157 2E636F6C 03551D

6C696E73 2E316661 6D696C79
756E6974 65642E63 6F6D301F 0603551D 23041830

1680142C 21E7314B D28AFE1A
26115A1B F53AFB03 1 060355 1D0E0416 0ED1A830

04142C 21 E7314BD2 8AFE1A26
115A1BF5 3AFB030E D1A8300D A 06092, 86 4886F70D

01010405 00038181 008CC48F
6A1BFB52 0F268B05 B977AE8E CA450936 8272 D 889

B46DE9FB 5680782C 59DA2354
04CE6AD2 F280FB20 32B3897B CF0919F9 C0719F22

C7BED922 73C35C32 54696F37
89E424C2 561FFF54 99573AC6 713E58D8 E3B67064

295 4331 845FCDEC F6CD8017 D
58006 58 F94A8771 78217788 FE63AA11 0E5DF6B1

1A8D0111 CDD87A1D CC
quit smoking
no ip source route
no ip free-arps
chip-Relay IP dhcp
ignore the IP dhcp bootp
DHCP excluded-address IP 10.0.1.1 10.0.1.10
DHCP excluded-address IP 10.0.10.1 10.0.10.10
!
dhcp VLAN_10 IP pool
Network 10.0.10.0 255.255.255.224
router by default - 10.0.10.1
Domain xxxxxx
10.0.10.1 DNS server
!
dhcp VLAN_1 IP pool
Network 10.0.1.0 255.255.255.224
default router 10.0.1.1
Domain xxxxxx
10.0.1.1 DNS server
!
!
IP cef
inspect the IP log drop-pkt
IP inspect high 1100 max-incomplete
IP inspect 1100 max-incomplete bass
IP inspect a high minute 1100
IP inspect a minute low 1100
inspect the IP udp idle time 60
inspect the IP dns-timeout 10
inspect the name firewall tcp timeout IP 3600
inspect the name firewall udp timeout 15 IP
inspect the name firewall ftp queue time 3600 IP
inspect the name firewall rcmd timeout IP 3600
IP inspect alert firewall smtp name on timeout 3600
inspect the name firewall sqlnet timeout IP 3600
inspect the IP name firewall tftp timeout 30
inspect the name firewall icmp time 15 IP
inspect the name firewall ssh timeout 15 IP
IP inspect name Connection Firewall audit trail on
inspect the name webster firewall IP
IP inspect skinny firewall name
inspect the router IP firewall name
inspect the IP firewall cifs name
inspect the name cuseeme firewall IP
IP inspect the dns name of the firewall
inspect the name realaudio firewall IP
inspect the name firewall rtsp IP
inspect the name streamworks firewall IP
inspect the name vdolive firewall IP
inspect the IP sip firewall name
inspect the name firewall pop3 alert on reset IP
inspect the name ftps firewall IP
inspect the name isakmp firewall IP
inspect the IP name of firewall ipsec-msft
inspect the name ntp FIREWALL IP
inspect the IP name firewall imap
inspect the name imaps firewall IP
inspect the name imap3 FIREWALL IP
inspect the name pop3s firewall IP
no ip bootp Server
IP domain name xxxxxxxxx
8.8.8.8 IP name-server
IP-server names 8.8.4.4
name-server IP 208.67.222.222
IP-server names 208.67.220.220
name of the IP-server 74.128.19.102
name of the IP-server 74.128.17.114
!
!
notify licensing agent

http://10.0.10.11:9710 / clm/servlet/HttpListenServlet

dummy dummy 2.0
!
!
username privilege 15 secret 5 xxxx xxxxxx
username xxxxx xxxxx secret 5
!
!
crypto ISAKMP policy 3
BA aes 256
preshared authentication
Group 2
ISAKMP crypto nat keepalive 3600
!
ISAKMP crypto client configuration group xxxxx
key xxxxxx
DNS 10.0.10.5
domain xxxxxxxx
pool vpnpool
include-local-lan
netmask 255.255.255.224
!
!
Crypto ipsec transform-set esp esp - aes 256 RIGHT-

model of hmac-SHA-lzs
!
Crypto-map dynamic dynmap 10
Set transform-set RIGHT
market arriere-route
!
!
list of card crypto clientmap client authentication

userauthen
card crypto clientmap isakmp authorization list

groupauthor
client configuration address map clientmap crypto

initiate
client configuration address map clientmap crypto

answer
10 ipsec-isakmp crypto map clientmap Dynamics dynmap
!
Crypto ctcp port 6000
Archives
The config log
hidekeys
!
!
synwait-time of tcp IP 10
property intellectual ssh time 60
property intellectual ssh authentication-2 retries
Bridge IRB
!
!
!
interface Loopback0
IP 10.100.100.1 255.255.255.0
IP nat inside
IP virtual-reassembly
!
Null0 interface
no ip unreachable
!
interface FastEthernet0
switchport access vlan 10
!
interface FastEthernet1
switchport access vlan 10
!
interface FastEthernet2
switchport access vlan 10
!
interface FastEthernet3
switchport access vlan 10
switchport mode trunk
!
interface FastEthernet4
WAN description $ FW_OUTSIDE$
address IP dhcp client id FastEthernet4
no ip redirection
no ip unreachable
no ip proxy-arp
penetration of the IP stream
stream IP output
inspect the firewall on IP
NAT outside IP
IP virtual-reassembly
automatic duplex
automatic speed
clientmap card crypto
!
wlan-ap0 interface
description of the Service interface module to manage the

Embedded AP
IP unnumbered Vlan1
no ip redirection
no ip unreachable
no ip proxy-arp
penetration of the IP stream
IP virtual-reassembly
ARP timeout 0
!
interface GigabitEthernet0 Wlan
description of the Service interface module to manage the

Embedded AP
switchport mode trunk
!
interface Vlan1
VLAN_1 description $ FW_INSIDE$
IP 10.0.1.1 255.255.255.224
no ip redirection
no ip unreachable
no ip proxy-arp
penetration of the IP stream
IP nat inside
IP virtual-reassembly
IP tcp adjust-mss 1452
!
interface Vlan10
VLAN_10 description $ FW_INSIDE$
IP 10.0.10.1 255.255.255.224
no ip redirection
no ip unreachable
no ip proxy-arp
penetration of the IP stream
IP nat inside
IP virtual-reassembly
IP tcp adjust-mss 1452
!
interface BVI1
Description $FW_INSIDE$
in the form of address IP WAPB dhcp host name
no ip redirection
no ip unreachable
no ip proxy-arp
penetration of the IP stream
no ip-cache cef route
no ip route cache
!
router RIP
version 1
10.0.0.0 network
!
IP local pool vpnpool 197.0.0.1 197.0.0.5
no ip forward-Protocol nd
IP route 0.0.0.0 0.0.0.0 dhcp
IP route 0.0.0.0 0.0.0.0 FastEthernet4 dhcp
IP http server
access-class 2 IP http
local IP http authentication
IP http secure server
!
The dns server IP
IP nat inside source list 1 interface FastEthernet4

Overload
IP nat inside source list 2 interface FastEthernet4

Overload
IP nat inside source static tcp 10.0.10.3 3389

interface FastEthernet4 3389
IP nat inside source static tcp 10.0.10.3 1723

interface FastEthernet4 1723
IP nat inside source static tcp 10.0.10.3 80

interface FastEthernet4 80
!
record 10.0.10.1
access-list 1 permit 10.0.1.0 0.0.0.31
access-list 2 permit 10.0.10.0 0.0.0.31
access-list 199 permit any one
access-list 199 permit tcp any any eq 1723
access-list 199 permit tcp a whole Workbench
access-list 199 permit udp any any eq 3389
access-list 199 permit udp any any eq ntp
access-list 199 permit udp any any gt 1023
access-list 199 tcp refuse a whole
access-list 199 tcp 10.0.0.0 refuse 0.255.255.255 everything
access-list 199 tcp 172.16.0.0 refuse 0.15.255.255

any
access-list 199 tcp 192.168.0.0 refuse 0.0.0.255 any
access-list 199 refuse udp 10.0.0.0 0.255.255.255 everything
access-list 199 refuse udp 172.16.0.0 0.15.255.255

any
access-list 199 refuse udp 192.168.0.0 0.0.0.255 any
access-list 199 refuse icmp no echo
access-list 199 deny udp any how any eq 135
access-list 199 deny udp any any eq netbios-ns
access-list 199 deny udp any any eq netbios-ss
access-list 199 deny udp any any eq isakmp
access-list 199 tcp refuse any any eq telnet
access-list 199 tcp refuse any any eq smtp
access-list 199 tcp refuse any any eq nntp
access-list 199 tcp refuse any any eq 135
access-list 199 tcp refuse any any eq 137
access-list 199 tcp refuse any any eq 139
access-list 199 tcp refuse any any eq www
access-list 199 tcp refuse any any eq 443
access-list 199 tcp refuse any any eq 445
access-list 199 refuse an entire ip
not run cdp

!
control plan
!
Bridge Protocol ieee 1
1 channel ip bridge
bridge 10 Protocol ieee
IP route 10 bridge
connection of the banner ^ CAuthorized access only!
Unplug IMMEDIATELY if you are not authorized

user! ^ C
!
Line con 0
no activation of the modem
telnet output transport
line to 0
telnet output transport
line 2
no activation-character
No exec
preferred no transport
transport of entry all
transportation out all
line vty 0 4
access-class 104 in
transport input telnet ssh
!
max-task-time 5000 Planner
Scheduler allocate 4000 1000
Scheduler interval 500
Server NTP 192.43.244.18
end

Hello

The problem is due to NAT configurations. Please, try the following:

no nat ip within the source list 1 interface FastEthernet4 overload

no nat ip inside the source list 2 interface FastEthernet4 overload

access-list 101 deny ip 10.0.0.0 0.0.255.31 197.0.0.0 0.0.0.7

access-list 101 deny ip 10.0.0.0 0.0.255.31 10.0.0.0 0.0.255.255

access-list 101 permit ip 10.0.0.0 0.0.255.31 all

Internet route map

corresponds to the IP 101

output

IP nat inside source overload map route Internet interface FastEthernet4

This will ensure that the VPN clients can access all internal

resources. However, they will not be able to access to the 10.0.10.3 Server

using its private IP address that you can not use the roadmap, when you use the

keyword "interface." If you have a static IP address assigned to your FastEthernet4

You can then use the interface by the ISP, the configuration below:

access-list 102 refuse host ip 10.0.10.3 197.0.0.0 0.0.0.7

access-list 102 refuse 10.0.10.3 ip host 10.0.0.0 0.0.255.255

access-list 102 permit ip 10.0.10.3 host everything

route server map

corresponds to the IP 101

output

no nat ip inside source static tcp 10.0.10.3 interface FastEthernet4 3389

3389

no nat ip inside the source static tcp 10.0.10.3 1723 interface FastEthernet4

1723

no nat ip inside the 80 tcp static 10.0.10.3 source FastEthernet4 80 interface

IP nat inside source static tcp 10.0.10.3 3389 "FastEthernet4 IP" 3389

route server map

IP nat inside source static tcp 10.0.10.3 1723 "FastEthernet4 ip" 1723

route server map

IP nat inside source static tcp 10.0.10.3 80 'FastEthernet4 ip' 80-route map

Server

I hope this helps.

Kind regards

NT

Local LAN access on peer-to-peer connection

I'll put up a laptop computer with Windows ME and VPN Client 3.6.3 who faces two remote sites that use the PIX 520 to 6.22. On the first site of the LAN (behind the PIX) uses a NT domain. Here, the laptop is able to connect properly to the domain and map shared drives. On the second site LAN is peer-to-peer (no logon of domain). On this site that the tunnel is created and the laptop can access web services (http, ftp, etc.) on the LAN hosts, but are unable to map shared drives. The WINS server setting seems correct. Are there additional routing or tunneling configuration to allow local access from LAN to LAN to peer? Thank you.

For Win2k, you will need to telnet to port 445 and no 139.

NetBEUI will not work through a VPN tunnel. VPNS are an IP-based solution. NetBEUI works only as a broadcast on the local network. Switched Native can handle NetBEUI, but not the VPN tunnel. Sure just that all the hosts that use TCP/IP instead of NetBEUI, and it should work fine.

Local Lan access through the ASA5510

I'm at my wits end trying to figure this. We are trying to replace our good ol 3030 ' with an ASA 5510 vpn purposes. I have setup the ASA as follows:

E0/0 is the public interface: xxx.xxx.199.10/24

E0/1 is the private interface: 172.20.72.0/24

Remote clients obtain an address of 10.12.27.xxx of the SAA.

The customer get the address very well, but can not access what anyone on the 172.20.72.xxx network. This piece I am missing? Some NAT type?

William, glad everything worked, remember messages useful rate.

Concerning

No Local Lan access

Hello

I set up a VPN of RA for cisco router 871, I am able to connect, but I don't seem to

to have any network local access and I am not able to connect to the internet.

Also, I have configured the router as dmvpn sticks, it works as desired.

If someone has an idea, let know me please, I have attached the running configuration.

Thank you

Hello

I suggest you consult the following configuration guide that describes the split tunneling

http://www.Cisco.com/en/us/products/HW/routers/ps274/products_configuration_example09186a0080819289.shtml

What is the single subnet you want to encrypt?

splitremote extended IP access list
IP 192.168.254.0 allow 0.0.0.255 any

If Yes this LCA has not been applied in crypto isakmp client configuration group configuration. See the guide for more details.

Also your NAT config is incomplete:

NAT extended IP access list

The guide also explains how to exclude only the VPN pool using a NAT.

See the Guide below:
```
    !--- Enables Network Address Translation (NAT)

    !--- of the inside source address that matches access list 111

    !--- and gets PATed with the FastEthernet IP address.

ip nat inside source list 111 interface FastEthernet1/0 overload

    !

    

    !--- The access list is used to specify which traffic

    !--- is to be translated for the outside Internet.


    

    access-list 111 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255

    access-list 111 permit ip any any


    Please remember to rate all posts that are helpful.

    
```

Cisco ASA Anyconnect LAN access problem

I have very simple network at home with the WAN IP address, ASA uses DHCP and gateway. plain of network of all no complications.

X.X.X.X like a WAN

192.168.1.0/24 as a LAN

IP Pool 192.168.6.0/24 (VPN Pool)

I am trying to configure AnyConnect (AC) so that I can connect remotely and get my resources on the LAN while out. I am to connect with AC and when you use split tunnel I'm browsing the web very well, but I have no access to the local network (without ICMP or TCP/UDP)

Route looks good in customer AC

unsecured network 0.0.0.0/0
secure network 192.168.1.0/24

What I'm missing for LAN access?, nat statement, list of access...?

_____________________________

Output of the command: "show run".

: Saved
:
ASA Version 9.1 (5)
!
hostname asa01
domain name asa

names of
192.168.6.2 mask - 192.168.6.100 local pool Pool VPN IP 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 5
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.1.1 255.255.255.0
!
interface Vlan2
Outside description
nameif outside
security-level 0
IP address XXXX
!
interface Vlan5
nameif dmz
security-level 50
IP 192.168.100.1 address 255.255.255.0
!
boot system Disk0: / asa915 - k8.bin
passive FTP mode
clock timezone PST - 8
clock summer-time recurring PDT
DNS lookup field inside
DNS domain-lookup outside
DNS domain-lookup dmz
DNS server-group DefaultDNS
domain naisus.local
permit same-security-traffic intra-interface
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
network of the NETWORK_OBJ_192.168.6.0_25 object
subnet 192.168.6.0 255.255.255.128
object-group Protocol DM_INLINE_PROTOCOL_1
icmp protocol object
icmp6 protocol-object
outside_access_in list extended access permit icmp any any idle state
outside_access_in extended access list allow icmp6 all all idle state
outside_access_in_1 list extended access allow DM_INLINE_PROTOCOL_1 of object-group a
list of access allowed standard LAN 192.168.1.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
host of logging inside 192.168.1.99
forest-hostdown operating permits
Within 1500 MTU
Outside 1500 MTU
MTU 1500 dmz
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 741.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) static source NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.6.0_25 NETWORK_OBJ_192.168.6.0_25 non-proxy-arp-search of route static destination
!
NAT source auto after (indoor, outdoor) dynamic one interface
Access-group outside_access_in_1 in interface outside
Route outside 0.0.0.0 0.0.0.0 X > X > X >
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
Enable http server
http 192.168.1.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
Crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
registration auto
full domain name no
name of the object CN = asa01, CN = 192.168.1.1
ASDM_LAUNCHER key pair
Configure CRL
trustpool crypto ca policy
string encryption ca ASDM_Launcher_Access_TrustPoint_0 certificates
certificate 8b541b55
308201c 3 c 3082012 a0030201 0202048b 0d06092a 864886f7 0d 010105 541b 5530
XXXX
quit smoking
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 access remote trustpoint ASDM_Launcher_Access_TrustPoint_0
Telnet 192.168.1.0 255.255.255.0 inside
Telnet timeout 5
SSH stricthostkeycheck
SSH 192.168.1.0 255.255.255.0 inside
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0

dhcpd outside auto_config
!
dhcpd address 192.168.1.100 - 192.168.1.199 inside
dhcpd dns 8.8.8.8 75.75.75.75 interface inside
dhcpd naisus.home area inside interface
dhcpd allow inside
!
Statistics-list of access threat detection
no statistical threat detection tcp-interception
NTP server 50.116.56.17 source outdoors
NTP server 108.61.73.243 source outdoors
NTP server 208.75.89.4 prefer external source
SSL-trust outside ASDM_Launcher_Access_TrustPoint_0 point
Trust ASDM_Launcher_Access_TrustPoint_0 inside the vpnlb-ip SSL-point
SSL-trust ASDM_Launcher_Access_TrustPoint_0 inside point
WebVPN
allow outside
AnyConnect image disk0:/anyconnect-win-3.1.07021-k9.pkg 1 regex 'Windows NT'
AnyConnect image disk0:/anyconnect-macosx-i386-3.1.07021-k9.pkg 2 regex "Intel Mac OS X.
AnyConnect image disk0:/anyconnect-linux-64-3.1.07021-k9.pkg 3 regex "Linux".
AnyConnect enable
tunnel-group-list activate
attributes of Group Policy DfltGrpPolicy
VPN - connections 30
VPN-idle-timeout 5
internal GroupPolicy_AC_Profile group strategy
attributes of Group Policy GroupPolicy_AC_Profile
WINS server no
4.2.2.2 DNS server value
client ssl-VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value LAN
naisus.local value by default-field
XX XX encrypted privilege 15 password username
name of user XX attributes
WebVPN
chip-tunnel tunnel-policy tunnelall
type tunnel-group AC_Profile remote access
attributes global-tunnel-group AC_Profile
address pool VPN-pool
Group Policy - by default-GroupPolicy_AC_Profile
tunnel-group AC_Profile webvpn-attributes
enable AC_Profile group-alias
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:xxx
: end

I'm not positive that's causing the problem, but I noticed that you have defined incoherent poolside VPN as a 24 (in the command name and that name is associated with the tunnel group) and 25 (in the command object on the network that is also referenced in the statement of NAT exempting NAT to that object). True your pool assigns addresses from the lower half of the 24, but still...

I try to simplify things by using a single object for something like that, which is used in several places. With the help of objects the way they are intended, and which allows to avoid any discrepancies.

ASA 5505 IPSec client-to-site any LAN access?

Hello

Like many others, I have problems get ipsec vpn clients can communicate with my LAN.

I have configure ipsec with the wizard, I have also to add an ACL to allow the network to pool for the vpn client to connect to the local network, but with little success.

Many of the responses I've seen includes changes in the NAT table, I tried a lot of them, but without success.

There must be something really simple, that it's so frustrating because I guess it is supposed to be a relatively simple thing to get running.

VPN client (Linux, iptables rules no) get 10.80.80.100 address, but cannot connect to a TCP service on a machine of LAN (no firewall on computer LAN) and can not ping LAN.

The VPN client routing table:

Kernel IP routing table
Destination Gateway Genmask Flags metric Ref use Iface
85.24.249.35 212.112.31.254 UGH 255.255.255.255 0 0 0 eth0
10.80.80.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
212.112.31.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 tun0

: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password xxx encrypted
passwd xxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
access-list tictac_splitTunnelAcl remark allow vpn tunnel users to LAN
access-list tictac_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.80.80.0 255.255.255.0
access-list inside_access_in extended permit ip any any log disable
access-list outside_access_out extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool vpnpool 10.80.80.100-10.80.80.120 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_out out interface outside
access-group inside_access_in in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.0.2-192.168.0.33 inside
dhcpd dns 8.8.8.8 4.2.2.2 interface inside
dhcpd enable inside
!

group-policy tictac internal
group-policy tictac attributes
dns-server value 8.8.8.8 4.2.2.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list none
username mattiasb password SVCZv/HMkykG.ikA encrypted privilege 0
username mattiasb attributes
vpn-group-policy tictac
tunnel-group tictac type ipsec-ra
tunnel-group tictac general-attributes
address-pool vpnpool
default-group-policy tictac
tunnel-group tictac ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:6e456ab21d08182ca41ed0f1be031797
: end
asdm image disk0:/asdm-524.bin
no asdm history enable

The list of split tunnel network was put on 'none' in your configuration:

group-policy tictac attributes
dns-server value 8.8.8.8 4.2.2.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list none

Please configure the tunnel list to reference the split tunnel ACL as follows:

group-policy tictac attributes
split-tunnel-network-list value tictac_splitTunnelAcl

Hope that helps.

AnyConnect VPN connected but not in LAN access

Hello

I just connfigured an ASA to remote VPN. I think everything works but I do not have access

for customers in the Local LAN behind the ASA.

PC <==internet==>outside of the SAA inside<=LAN=> PC

After AnyConnect has established the connection I can ping inside the Interface of the ASA

but I can't Ping the PC behind the inside Interface.

Here is the config of the ASA5505:

: Saved

:

ASA Version 8.2 (1)

!

asa5505 hostname

activate 8Ry2YjIyt7RRXU24 encrypted password

2KFQnbNIdI.2KYOU encrypted passwd

names of

!

interface Vlan1

nameif inside

security-level 100

IP 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

IP 192.168.178.254 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

Shutdown

!

interface Ethernet0/3

Shutdown

!

interface Ethernet0/4

Shutdown

!

interface Ethernet0/5

Shutdown

!

interface Ethernet0/6

Shutdown

!

interface Ethernet0/7

Shutdown

!

passive FTP mode

Inside_ICMP list extended access permit icmp any any echo response

Inside_ICMP list extended access permit icmp any any source-quench

Inside_ICMP list extended access allow all unreachable icmp

Inside_ICMP list extended access permit icmp any one time exceed

access-list outside_cryptomap_2 note ACL traffic von ASA5505 zur ASA5510

outside_cryptomap_2 to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.10.0 255.255.255.0

no_NAT to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.10.0 255.255.255.0

no_NAT to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.178.0 255.255.255.0

tunnel of splitting allowed access list standard 192.168.1.0 255.255.255.0

pager lines 24

Within 1500 MTU

Outside 1500 MTU

mask 192.168.1.10 - 192.168.1.15 255.255.255.0 IP local pool SSLClientPool

ICMP unreachable rate-limit 1 burst-size 1

don't allow no asdm history

ARP timeout 14400

Global 1 interface (outside)

NAT (inside) 0-list of access no_NAT

NAT (inside) 1 192.168.1.0 255.255.255.0

Access-group Inside_ICMP in interface outside

Route outside 0.0.0.0 0.0.0.0 192.168.178.1 1

Route outside 192.168.10.0 255.255.255.0 192.168.178.230 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-registration DfltAccessPolicy

AAA authentication http LOCAL console

Enable http server

http 192.168.1.0 255.255.255.0 inside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set-3DESSHA FRA esp-3des esp-sha-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

card crypto outside_map 2 match address outside_cryptomap_2

peer set card crypto outside_map 2 192.168.178.230

card crypto outside_map 2 game of transformation-FRA-3DESSHA

outside_map interface card crypto outside

Crypto ca trustpoint localtrust

registration auto

domain name full cisco - asa5505.fritz.box

name of the object CN = cisco - asa5505.fritz.box

sslvpnkeypair key pair

Configure CRL

Crypto ca certificate chain localtrust

certificate fa647850

3082020b a0030201 30820174 020204fa 0d06092a 64785030 864886f7 0d 010104

0500304 06035504 03131763 6973636f 617361 35353035 2e667269 2d 3120301e a

747a2e62 6f783126 30240609 2a 864886 f70d0109 02161763 6973636f 2d 617361

2e667269 35353035 747a2e62 6f78301e 170d 3132 31303132 31383434 31305a 17

323231 30313031 38343431 06035504 03131763 6973636f 3120301e 305a304a 0d

617361 35353035 2e667269 747a2e62 6f783126 2a 864886 30240609 f70d0109 2D

6973636f 02161763 2d 617361 35353035 2e667269 747a2e62 6f783081 9f300d06

d6279e1c 8181009f 092a 8648 86f70d01 01010500 03818d 30818902 00 38454fc 9

705e1e58 762edc35 e64262fb ee55f47b 8d62dda2 102c8a22 c97e395f 2a9c0ebb

f2881528 beb6e9c3 89d91dda f7fe77a4 2a1fda55 f8d930b8 3310a05f 622dfc8f

d48ea749 7bbc4520 68 has 06392 d65d3b87 0270e41b 512a4e89 94e60167 e2fa854a

87ec04fa e95df04f 3ff3336e c7437e30 ffbd90b5 47308502 03010001 300 d 0609

2a 864886 04050003 81810065 cc9e6414 3c322d1d b191983c 97b474a8 f70d0101

2e5c7774 9d54d3ec fc4ee92d c72eef27 a79ce95a da83424f b05721c0 9119e7ea

c5431998 e6cd8272 de17b5ff 5b1839b5 795fb2a0 2d10b479 056478fa 041555dd

bfe3960a 4fe596ec de54d58b a5fa187e 5967789a a26872ef a33b73ec 7d7673b9

c8af6eb0 46425cd 2 765f667d 4022c 6

quit smoking

crypto ISAKMP allow outside

crypto ISAKMP policy 1

preshared authentication

3des encryption

sha hash

Group 2

life 86400

crypto ISAKMP policy 65535

preshared authentication

3des encryption

sha hash

Group 2

life 86400

Telnet timeout 5

SSH timeout 5

Console timeout 0

management-access inside

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

localtrust point of trust SSL outdoors

WebVPN

allow outside

SVC disk0:/anyconnect-win-2.3.0254-k9.pkg 1 image

SVC disk0:/anyconnect-wince-ARMv4I-2.3.0254-k9.pkg 2 image

enable SVC

tunnel-group-list activate

internal SSLClientPolicy group strategy

attributes of Group Policy SSLClientPolicy

VPN-tunnel-Protocol svc

Split-tunnel-policy tunnelspecified

Split-tunnel-network-list value split tunnel

the address value SSLClientPool pools

WebVPN

SVC Dungeon-Installer installed

time to generate a new key of SVC 30

SVC generate a new method ssl key

SVC request no svc default

username password asdm privilege Yvx83jxa2WCRAZ/m number 15

hajo 2w8CnP1hHKVozsC1 encrypted password username

hajo attributes username

type of remote access service

tunnel-group 192.168.178.230 type ipsec-l2l

IPSec-attributes tunnel-group 192.168.178.230

pre-shared-key *.

type tunnel-group SSLClientProfile remote access

attributes global-tunnel-group SSLClientProfile

Group Policy - by default-SSLClientPolicy

tunnel-group SSLClientProfile webvpn-attributes

enable SSLVPNClient group-alias

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the netbios

inspect the rsh

inspect the rtsp

inspect the skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect the tftp

inspect the sip

inspect xdmcp

!

global service-policy global_policy

context of prompt hostname

Cryptochecksum:0008564b545500650840cf27eb06b957

: end

What wrong with my setup.

Concerning

Hans-Jürgen Guenter

Hello Hans,.

You should change your VPN pool to be a different subnet within the network, for example: 192.168.5.0/24

Then configure NAT exemption for traffic between the Interior and the pool of vpn.

Based on your current configuration, the following changes:

mask 192.168.5.10 - 192.168.5.15 255.255.255.0 IP local pool SSLClientPool

no_NAT to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.5.0 255.255.255.0

And then also to enable icmp inspection:

Policy-map global_policy

class inspection_default

inspect the icmp

VPN problem when local lan IP is IP LAN Corp.

Hello

I'm having a problem to access corporate services when an example of one of our servers IP address matches an IP address of a local host from the local network, accessed from.

Is there a way to bypass and or solve this problem?

I use split tunnel, I send you all DNS requests through the tunnel and assigning the DNS name.

I inherited this network which is a 192.168.0.0/23 with many services on 192.168.1.x that match easily private local lans.

Hello Michael,

To resolve the overlap, you need hide the remote with a NAT rule network, so that VPN clients point to an address using a NAT on the SAA.

Can I know the version of your ASA?

Thank you.

Portu.

How can I get Vista "Windows Mail" to check mail using my connection local (LAN) internet?

How can I get Vista "Windows Mail" to check mail using my connection local (LAN) internet?

It allows only wants to "connect" using dial-up, wireless or wired ISP (type PPP) requiring a UID and password, of which none seem to allow me to select a LAN (ISP) simple (without a password).

I know that the Ethernet connection works Ok, because I can use it with a standard Web browser; only the mail tool can't seem to see or use.

Whenever I tell the Windows Mail email 'Send and receive', he wants to 'connect' for remote access or one of his three choices (listed above and direct exclusion of any connection to the local network). It works with remote access, so once I have spend that I should be Ok. but I can't make it work directly.

Help.

In Windows Mail, go to select Tools, accounts, your account email, properties, connection. It shows for the connection? You

should leave this setting not selected, in which case Windows Mail will use the IE connection uses.

In addition, under Tools, Options, connection, the first checkbox must be checked, and the second box unchecked.

If everything which withdraws, but you still have the problem, the account may be damaged. Remove account, restart Windows Mail,.

then recreate the account.

Gary van, Microsoft MVP (Mail)

------------------------------------------------------

"W6NCT" wrote in the new message: * e-mail address is removed from the privacy... *

How can I get Vista "Windows Mail" to check mail using my connection local (LAN) internet?

They don't allow that wants to "connect" using dial-up, wireless or wired ISP (type PPP) requiring a UID and password.

which none seems to allow me to select a LAN (ISP) simple (without a password).

I know that the Ethernet connection works Ok, because I can use it with a standard Web browser; is not only the messaging tool

to see or use.

Whenever I tell the Windows Mail email 'Send and receive', he wants to "connect" to remote access or one of his three choices (listed

above and to the exclusion of any direct connection to the local network). It works with remote access, so once I have spend that I should be Ok. but I just

cannot operate directly.

Help.

Gary van, Microsoft MVP (Mail)

AnyConnect VPN and LAN access

When remote users to connect to the Cisco ASA VPN and authenticate with Cisco AnyConnect client, they then full access to the environment internal of LAN of business as if they were sitting at their desks in the Office of the Corporation.

Right?

After that the remote client authenticates to the AnyConnect VPN, it is sensible to then run remote users of traffic through the corporate firewall (outside to inside) before allowing LAN access full corporate?

Remote_User - vpn - ANYCONNECT-(outside) (inside) firewall - CORP_LAN

Thank you

Frank

Hello

Yes, by default, all traffic will be sent through the tunnel.

If there are users VPN shouldn't be able to reach the resources, you need to establish rules for access to it. The best way to do this is by using VPN filter.

ASA 5505 VPN cannot access inside the host

I have access remote VPN configuration on an ASA 5505, but cannot access the host or the AAS when I connect through the VPN. I can connect with the Cisco VPN client and the VPN is on on the SAA and it shows that I am connected. I have the correct Ip address, but I can't ping or you connect to one of the internal addresses. I can't find what I'm missing. I have the VPN without going through the ACL interface. Because I can connect but not going anywhere I'm sure I missed something.

framework for configuration below

interface Vlan1

nameif inside

security-level 100

10.1.1.1 IP address 255.255.255.0

IP local pool xxxx 10.1.1.50 - 10.1.1.55 mask 255.255.255.0

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

Crypto-map dynamic outside_dyn_map 20 set pfs

Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA

PFS set 40 crypto dynamic-map outside_dyn_map

Crypto-map dynamic outside_dyn_map 40 value transform-set ESP-3DES-SHA

Crypto-map dynamic inside_dyn_map 20 set pfs

Crypto-map dynamic inside_dyn_map 20 the value transform-set ESP-3DES-SHA

map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

outside_map interface card crypto outside

map inside_map 65535-isakmp ipsec crypto dynamic inside_dyn_map

inside crypto map inside_map interface

crypto ISAKMP allow inside

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

3des encryption

sha hash

Group 2

life 86400

global service-policy global_policy

XXXXXXX strategy of Group internal

attributes of the strategy group xxxxxxx

banner value xxxxx Site Recovery

WINS server no

24.xxx.xxx.xx value of DNS server

VPN-access-hour no

VPN - connections 3

VPN-idle-timeout 30

VPN-session-timeout no

VPN-filter no

Protocol-tunnel-VPN IPSec

Split-tunnel-policy tunnelall

by default no

disable secure authentication unit

disable authentication of the user

user-authentication-idle-timeout no

disable the IP-phone-bypass

disable the leap-bypass

disable the NEM

disable the NAC

NAC-sq-period 300

NAC-reval-period 36000

NAC-by default-acl no

the address value xxxxxx pools

enable Smartcard-Removal-disconnect

the firewall client no

WebVPN

url-entry functions

Free VPN of CNA no

No vpn-addr-assign aaa

No dhcp vpn-addr-assign

tunnel-group xxxx type ipsec-ra

tunnel-group xxxx general attributes

xxxx address pool

Group Policy - by default-xxxx

blountdr group of tunnel ipsec-attributes

pre-shared-key *.

Missing nat exemption for vpn clients. Add the following and you should be good to go.

inside_nat0_outbound list of allowed ip extended access any 192.168.10.0 255.255.255.0

NAT (inside) 0-list of access inside_nat0_outbound

No Internet connectivity with ASA 5505 VPN remote access

Hello

I configured ASA 5505 for remote access VPN to allow a remote user to connect to the Remote LAN officce. VPN works well, users can access Office Resource of LAN with sahred etc., but once they have connected to the VPN, they are unable to browse the internet?

Internet navigation stop working as soon as their customer VPN connect with ASA 5505 t, once they are disconnected from VPN, once again they can browse the internet.

Not ASA 5505 blocking browsing the internet for users of VPN? Is there anything else that I need congfure to ensure that VPN users can browse the internet?

I have to configure Split Tunnleing, NATing or routing for VPN users? or something else.

Thank you very much for you help.

Concerning

Salman

Salman

What you run into is a default behavior of the ASA in which she will not route traffic back on the same interface on which he arrived. So if the VPN traffic arrived on the external interface the ASA does not want to send back on the external interface for Internet access.

You have at least 2 options:

-You can configure split tunneling, as you mention, and this would surf the Internet to continue during the use of VPN.

-You can set an option on the ASA to allow traffic back on the same interface (this is sometimes called crossed). Use the command

permit same-security-traffic intra-interface

HTH

Rick

IPSec VPN pix 501 no LAN access

I'm trying to set up an IPSec VPN in a basic small business scenario. I am able to connect to my pix 501 via IPSec VPN and browse the internet, but I am unable to ping or you connect to all devices in the Remote LAN. Here is my config:

: Saved

:

6.3 (3) version PIX

interface ethernet0 car

interface ethernet1 100full

nameif ethernet0 WAN security0

nameif ethernet1 LAN security99

enable encrypted password xxxxxxxxxxxxx

xxxxxxxxxxxxxxxxx encrypted passwd

host name snowball

domain xxxxxxxxxxxx.local

clock timezone PST - 8

fixup protocol dns-length maximum 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol pptp 1723

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol 2000 skinny

No fixup not protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names of

acl_in list of access permit udp any any eq field

acl_in list of access permit udp any eq field all

acl_in list access permit tcp any any eq field

acl_in tcp allowed access list any domain eq everything

acl_in list access permit icmp any any echo response

access-list acl_in allow icmp all once exceed

acl_in list all permitted access all unreachable icmp

acl_in list access permit tcp any any eq ssh

acl_in list access permit tcp any any eq www

acl_in tcp allowed access list everything all https eq

acl_in list access permit tcp any host 192.168.5.30 eq 81

acl_in list access permit tcp any host 192.168.5.30 eq 8081

acl_in list access permit tcp any host 192.168.5.22 eq 8081

acl_in list access permit icmp any any echo

access-list acl_in permit tcp host 76.248.x.x a

access-list acl_in permit tcp host 76.248.x.x a

allow udp host 76.248.x.x one Access-list acl_in

access-list acl_out permit icmp any one

ip access list acl_out permit a whole

acl_out list access permit icmp any any echo response

acl_out list access permit icmp any any source-quench

allowed any access list acl_out all unreachable icmp

access-list acl_out permit icmp any once exceed

acl_out list access permit icmp any any echo

Allow Access-list no. - nat icmp a whole

access-list no. - nat ip 192.168.5.0 allow 255.255.255.0 172.16.0.0 255.255.0.0

access-list no. - nat ip 172.16.0.0 allow 255.255.0.0 any

access-list no. - nat permit icmp any any echo response

access-list no. - nat permit icmp any any source-quench

access-list no. - nat icmp permitted all all inaccessible

access-list no. - nat allow icmp all once exceed

access-list no. - nat permit icmp any any echo

pager lines 24

MTU 1500 WAN

MTU 1500 LAN

IP address WAN 65.74.x.x 255.255.255.240

address 192.168.5.1 LAN IP 255.255.255.0

alarm action IP verification of information

alarm action attack IP audit

IP local pool pptppool 172.16.0.2 - 172.16.0.13

PDM logging 100 information

history of PDM activate

ARP timeout 14400

Global (WAN) 1 interface

NAT (LAN) - access list 0 no - nat

NAT (LAN) 1 0.0.0.0 0.0.0.0 0 0

static (LAN, WAN) 65.x.x.37 192.168.5.10 netmask 255.255.255.255 0 0

static (LAN, WAN) 65.x.x.36 192.168.5.20 netmask 255.255.255.255 0 0

static (LAN, WAN) 65.x.x.38 192.168.5.30 netmask 255.255.255.255 0 0

static (LAN, WAN) 65.x.x.39 192.168.5.40 netmask 255.255.255.255 0 0

static (LAN, WAN) 65.x.x.42 192.168.5.22 netmask 255.255.255.255 0 0

static (LAN, WAN) 65.x.x.43 192.168.5.45 netmask 255.255.255.255 0 0

static (LAN, WAN) 65.x.x.44 192.168.5.41 netmask 255.255.255.255 0 0

static (LAN, WAN) 65.x.x.45 192.168.5.42 netmask 255.255.255.255 0 0

static (LAN, WAN) 65.x.x.46 192.168.5.44 netmask 255.255.255.255 0 0

static (LAN, WAN) 65.x.x.41 192.168.5.21 netmask 255.255.255.255 0 0

acl_in access to the WAN interface group

access to the LAN interface group acl_out

Route WAN 0.0.0.0 0.0.0.0 65.x.x.34 1

Timeout xlate 0:05:00

Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

Timeout, uauth 0:05:00 absolute

GANYMEDE + Protocol Ganymede + AAA-server

RADIUS Protocol RADIUS AAA server

AAA-server local LOCAL Protocol

NTP server 72.14.188.195 source WAN

survey of 76.248.x.x WAN host SNMP Server

location of Server SNMP Sacramento

SNMP Server contact [email protected] / * /

SNMP-Server Community xxxxxxxxxxxxx

SNMP-Server enable traps

enable floodguard

the string 1 WAN fragment

Permitted connection ipsec sysopt

Sysopt connection permit-pptp

Crypto ipsec transform-set esp - esp-md5-hmac RIGHT

Crypto-map dynamic dynmap 10 transform-set RIGHT

map mymap 10-isakmp ipsec crypto dynamic dynmap

client configuration address map mymap crypto initiate

client configuration address map mymap crypto answer

card crypto mymap WAN interface

ISAKMP enable WAN

ISAKMP nat-traversal 20

part of pre authentication ISAKMP policy 10

encryption of ISAKMP policy 10

ISAKMP policy 10 md5 hash

10 2 ISAKMP policy group

ISAKMP life duration strategy 10 86400

vpngroup myvpn address pptppool pool

vpngroup myvpn Server dns 192.168.5.44

vpngroup myvpn by default-field xxxxxxxxx.local

vpngroup split myvpn No. - nat tunnel

vpngroup idle 1800 myvpn-time

vpngroup myvpn password *.

Telnet 192.168.5.0 255.255.255.0 LAN

Telnet timeout 5

SSH 192.168.5.0 255.255.255.0 LAN

SSH timeout 30

Console timeout 0

VPDN group pptpusers accept dialin pptp

VPDN group ppp authentication pap pptpusers

VPDN group ppp authentication chap pptpusers

VPDN group ppp mschap authentication pptpusers

VPDN group ppp encryption mppe 128 pptpusers

VPDN group pptpusers client configuration address local pptppool

VPDN group pptpusers customer 192.168.5.44 dns configuration

VPDN group pptpusers pptp echo 60

VPDN group customer pptpusers of local authentication

VPDN username password xxx *.

VPDN username password xxx *.

VPDN enable WAN

dhcpd address 192.168.5.200 - 192.168.5.220 LAN

dhcpd 192.168.5.44 dns 8.8.8.8

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd enable LAN

username privilege 0 encrypted password xxxxxxxxxx xxxxxxxxxxx

username privilege 0 encrypted password xxxxxxxxxx xxxxxxxxxxx

Terminal width 80

Cryptochecksum:xxxxxxxxxxxxxxxxxx

: end

I'm sure it has something to do with NAT or an access list, but I can't understand it at all. I know it's a basic question, but I would really appreaciate help!

Thank you very much

Trevor

"No. - nat' ACL doesn't seem correct, please make sure you want to remove the following text:

do not allow any No. - nat icmp access list a whole

No No. - nat ip 172.16.0.0 access list allow 255.255.0.0 any

No No. - nat access list permit icmp any any echo response

No No. - nat access list permit icmp any any source-quench

No No. - nat access list permit all all unreachable icmp

No No. - nat access list do not allow icmp all once exceed

No No. - nat access list only allowed icmp no echo

You must have 1 line as follows:

access-list no. - nat ip 192.168.5.0 allow 255.255.255.0 172.16.0.0 255.255.0.0

Please 'clear xlate' after the changes described above.

In addition, if you have a personal firewall enabled on the host you are trying to connect from the Client VPN, please turn it off and try again. Personal firewall of Windows normally blocks the traffic of different subnets.

Hope that helps.

ASA + no local lan access

Similar Questions

Maybe you are looking for