Cannot access internal resources

I was able to reach the internal resources when the VPN pool used the same internal IP range (192.168.100.0). Now I want a different internal IP address range for the VPN pool, for example 192.168.101.1 - 192.168.101.250. I can connect with the VPN client, but I can't ping or access the internal resource (192.168.100.13). Can you help me? The configuration file is attached.

Thank you.

Laura

Laura,

It seems you have to add the new pool 192.168.101.1 - 192.168.101.250 to your Inside_nat0_outbound list:

It should now look like this, with both the internal and the VPN pool address ranges included:

    access-list Inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.0
    access-list Inside_nat0_outbound extended permit ip any 192.168.101.0 255.255.255.0

Hope this helps,

Mike
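As an added example (not code from this thread), here is a small Python checker for the mistake behind this answer and the "nonat_rule" answer further down: a VPN address pool that the NAT-exempt (nat 0) ACL bound to the inside interface does not cover. The config fragments are constructed; the interface name "inside" and the pool names are assumptions.

```python
import ipaddress


def _endpoint(tokens, i):
    """Read one ASA ACE endpoint starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    # plain "address netmask" pair, as ASA 8.2 ACLs write it
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_asa(config):
    """Pull VPN pools, 'extended permit ip' ACEs and 'nat (if) 0 access-list'
    bindings out of an ASA 8.2-style config. Deny and non-IP ACEs are ignored,
    so this is a coverage check, not a full first-match ACL evaluator."""
    pools, aces, nat0 = {}, {}, {}
    for raw in config.splitlines():
        t = raw.split()
        if t[:3] == ["ip", "local", "pool"]:
            first, last = t[4].split("-")
            pools[t[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"]:
            src, i = _endpoint(t, 5)
            dst, _ = _endpoint(t, i)
            aces.setdefault(t[1], []).append((src, dst))
        elif t[:1] == ["nat"] and t[2:4] == ["0", "access-list"]:
            nat0[t[1].strip("()")] = t[4]
    return pools, aces, nat0


def unexempted_pools(config, inside_if, inside_net):
    """Names of pools that the NAT-exempt ACL on inside_if does not fully cover:
    every address of the pool must be a permitted destination for inside_net."""
    pools, aces, nat0 = parse_asa(config)
    inside = ipaddress.ip_network(inside_net)
    entries = aces.get(nat0.get(inside_if), [])
    missing = []
    for name, (first, last) in sorted(pools.items()):
        covered = any(inside.subnet_of(src) and first in dst and last in dst
                      for src, dst in entries)
        if not covered:
            missing.append(name)
    return missing


# Constructed fragment modelling Laura's setup: the first pool shares
# 192.168.100.0/24 with the LAN, the second pool lives in 192.168.101.0/24,
# and only the first subnet is exempted. Pool names are made up.
BEFORE = """\
ip local pool OLD_POOL 192.168.100.200-192.168.100.250 mask 255.255.255.0
ip local pool NEW_POOL 192.168.101.1-192.168.101.250 mask 255.255.255.0
access-list Inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.0
nat (inside) 0 access-list Inside_nat0_outbound
"""
# Same config with the second ACE from Mike's answer appended.
AFTER = BEFORE + (
    "access-list Inside_nat0_outbound extended permit ip any 192.168.101.0 255.255.255.0\n"
)
# The nonat_rule fix from the ASA 5505 question below, with its VPN_DHCP pool.
HOME = """\
ip local pool VPN_DHCP 10.37.3.130-10.37.3.139 mask 255.255.255.0
access-list nonat_rule extended permit ip 10.37.1.0 255.255.255.0 10.37.3.0 255.255.255.0
nat (home) 0 access-list nonat_rule
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, "-> pools without NAT exemption:",
              unexempted_pools(cfg, "inside", "192.168.100.0/24"))
    print("home  -> pools without NAT exemption:",
          unexempted_pools(HOME, "home", "10.37.1.0/24"))
```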

Tags: Cisco Security

Similar Questions

  • Help cannot access internal resources

    Hello, I am trying to configure an ASA 5505 at home and connect through the Cisco Secure Mobility Client.

    Internal network: 10.37.1.0/24

    Guest network: 10.37.2.0/24

    DHCP VPN: 10.37.3.0/24

    I am only able to connect with the local account of the ASA, not LDAP as I want. After I connect I get my 10.37.1.0/24 (my internal network) secure route, but I can't ping, RDP, SSH, etc. to anything inside. I get the message below...

    4 Oct 30 2013 12:08:36 10.37.3.130 Deny icmp src outside:10.37.3.130 dst home:SPIDERMAN (type 8, code 0) by access-group "outside_access_in" [0x0, 0x0]

    Any help would be greatly appreciated! Thank you.

    : Saved
    : Written by enable_15 at 09:09:04.925 EDT Wed Oct 30 2013
    !
    ASA Version 8.2(5)
    !
    hostname aquaman
    domain-name batcave.local
    enable password O8X.8O1jZvTr6Rh3 encrypted
    passwd zHg4tACBjpuqj6q5 encrypted
    names
    name 10.37.1.99 GREEN-ARROW
    name 208.67.222.222 OpenDNS1 description resolver1.opendns.com
    name 208.67.220.220 OpenDNS2 description resolver2.opendns.com
    name 208.67.222.220 OpenDNS3 description resolver3.opendns.com
    name 208.67.220.222 OpenDNS4 description resolver4.opendns.com
    name 10.37.1.15 THE-HULK
    name 178.33.199.65 ComodoMX1 description mxsrv1.spamgateway.comodo.com
    name 178.33.199.66 ComodoMX2 description mxsrv2.spamgateway.comodo.com
    name 10.37.1.101 SPIDERMAN
    name 10.37.1.10 DAREDEVIL
    name 65.73.180.177 WorkIP
    name 10.37.1.254 OpenVPNAS
    name 10.37.3.0 VPN_DHCP
    name 10.37.2.10 GuestWirelessAP
    name 10.37.1.20 THE-FLASH
    name 10.37.1.200 BR_1
    name 10.37.1.201 BR_2
    name 10.37.1.30 IRONMAN
    name 10.37.1.25 WIKI
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
     switchport access vlan 5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif home
     security-level 100
     ip address 10.37.1.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address dhcp setroute
    !
    interface Vlan5
     nameif guest
     security-level 50
     ip address 10.37.2.254 255.255.255.0
    !
    !
    time-range M-F_9-16
     periodic weekdays 9:00 to 16:00
    !
    banner motd
    boot system disk0:/asa825-k8.bin
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns domain-lookup outside
    dns server-group DefaultDNS
     name-server OpenDNS1
     name-server OpenDNS2
     name-server OpenDNS3
     name-server OpenDNS4
     domain-name batcave.local
    same-security-traffic permit inter-interface
    object-group service RDP tcp
     description Remote Desktop Protocol
     port-object eq 3389
    object-group protocol TCPUDP
     protocol-object udp
     protocol-object tcp
    object-group network ComodoSpamFilter
     network-object host ComodoMX1
     network-object host ComodoMX2
    object-group network OpenDNSServers
     network-object host OpenDNS2
     network-object host OpenDNS4
     network-object host OpenDNS3
     network-object host OpenDNS1
    object-group service VNC tcp
     port-object eq 5900
    object-group service smartmail tcp
     port-object eq 9998
    object-group service http2 tcp
     port-object eq 8080
    object-group service RDP2 tcp
     port-object eq 3789
    object-group service DM_INLINE_TCP_1 tcp
     port-object eq ssh
     port-object eq telnet
    object-group network Netflix
     network-object host BR_1
     network-object host BR_2
    object-group service MOP3 tcp
     port-object eq 3999
    access-list outside_access_in extended permit tcp any interface outside object-group RDP log disable
    access-list outside_access_in extended permit tcp any interface outside eq ftp log disable
    access-list outside_access_in extended permit tcp any interface outside eq www log disable
    access-list outside_access_in extended permit tcp object-group ComodoSpamFilter interface outside eq smtp log disable
    access-list outside_access_in extended permit tcp any interface outside object-group smartmail log disable
    access-list outside_access_in extended permit tcp host WorkIP interface outside object-group VNC log disable
    access-list outside_access_in extended permit tcp any interface outside object-group http2 log disable
    access-list outside_access_in extended permit tcp any interface outside object-group RDP2 log disable
    access-list outside_access_in extended permit icmp any interface outside echo-reply log disable
    access-list home_access_in extended permit object-group TCPUDP 10.37.1.0 255.255.255.0 object-group OpenDNSServers eq domain log disable
    access-list home_access_in extended permit object-group TCPUDP host SPIDERMAN any eq domain log disable
    access-list home_access_in extended deny object-group TCPUDP 10.37.1.0 255.255.255.0 any eq domain log disable
    access-list home_access_in extended permit ip any any log disable
    access-list guest_access_in extended permit object-group TCPUDP 10.37.2.0 255.255.255.0 object-group OpenDNSServers eq domain log disable
    access-list guest_access_in extended deny tcp 10.37.2.0 255.255.255.0 any eq ftp log disable
    access-list guest_access_in extended deny tcp 10.37.2.0 255.255.255.0 any object-group DM_INLINE_TCP_1 log disable
    access-list guest_access_in extended deny tcp 10.37.2.0 255.255.255.0 any object-group RDP log disable
    access-list guest_access_in extended deny tcp 10.37.2.0 255.255.255.0 any object-group VNC log disable
    access-list guest_access_in extended deny object-group TCPUDP 10.37.2.0 255.255.255.0 any eq domain log disable
    access-list guest_access_in extended permit ip any any log disable time-range M-F_9-16
    access-list Split_Tunnel_List standard permit 10.37.1.0 255.255.255.0
    pager lines 24
    logging enable
    logging timestamp
    logging trap notifications
    logging asdm informational
    logging device-id hostname
    logging host home THE-FLASH
    mtu home 1500
    mtu outside 1500
    mtu guest 1500
    ip local pool VPN_DHCP 10.37.3.130-10.37.3.139 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any home
    icmp permit host WorkIP outside
    icmp deny any outside
    icmp deny any guest
    asdm image disk0:/asdm-714.bin
    asdm location THE-HULK 255.255.255.255 home
    asdm location WIKI 255.255.255.255 home
    asdm location GREEN-ARROW 255.255.255.255 home
    asdm location OpenDNS2 255.255.255.255 home
    asdm location OpenDNS4 255.255.255.255 home
    asdm location OpenDNS3 255.255.255.255 home
    asdm location OpenDNS1 255.255.255.255 home
    asdm location ComodoMX1 255.255.255.255 home
    asdm location ComodoMX2 255.255.255.255 home
    asdm location SPIDERMAN 255.255.255.255 home
    asdm location DAREDEVIL 255.255.255.255 home
    asdm location WorkIP 255.255.255.255 home
    asdm location OpenVPNAS 255.255.255.255 home
    asdm location VPN_DHCP 255.255.255.0 home
    asdm location GuestWirelessAP 255.255.255.255 home
    asdm location THE-FLASH 255.255.255.255 home
    asdm location IRONMAN 255.255.255.255 home
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 101 interface
    nat (home) 101 0.0.0.0 0.0.0.0
    nat (guest) 101 0.0.0.0 0.0.0.0
    static (home,outside) tcp interface 3389 GREEN-ARROW 3389 netmask 255.255.255.255
    static (home,outside) tcp interface ftp THE-HULK ftp netmask 255.255.255.255
    static (home,outside) tcp interface www THE-HULK www netmask 255.255.255.255
    static (home,outside) tcp interface smtp IRONMAN smtp netmask 255.255.255.255
    static (home,outside) tcp interface 9998 IRONMAN 9998 netmask 255.255.255.255
    static (home,outside) tcp interface 5900 SPIDERMAN 5900 netmask 255.255.255.255
    static (home,outside) udp interface tftp THE-FLASH tftp netmask 255.255.255.255
    static (home,outside) tcp interface 3789 THE-FLASH 3789 netmask 255.255.255.255
    static (home,outside) tcp interface 8080 WIKI 8080 netmask 255.255.255.255
    access-group home_access_in in interface home
    access-group outside_access_in in interface outside
    access-group guest_access_in in interface guest
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server BATCAVE protocol ldap
    aaa-server BATCAVE (home) host DAREDEVIL
     ldap-base-dn OU=Users,DC=batcave,DC=local
     ldap-group-base-dn memberOf=CN=Cisco VPN Users,OU=Groups,OU=staff,DC=batcave,DC=local
     ldap-naming-attribute sAMAccountName
     ldap-login-password npYDApHrdVjOTcj8kJha
     ldap-login-dn CN=Cisco LDAP account,OU=Service accounts,DC=batcave,DC=local
     server-type microsoft
    aaa authentication ssh console LOCAL
    aaa authentication serial console LOCAL
    aaa authorization exec LOCAL
    http server enable 3737
    http WorkIP 255.255.255.255 outside
    http 10.37.1.0 255.255.255.0 home
    http redirect outside 80
    http redirect home 80
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    no sysopt connection permit-vpn
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    no vpn-addr-assign aaa
    vpn-addr-assign local reuse-delay 5
    telnet timeout 5
    ssh GREEN-ARROW 255.255.255.255 home
    ssh SPIDERMAN 255.255.255.255 home
    ssh DAREDEVIL 255.255.255.255 home
    ssh WorkIP 255.255.255.255 outside
    ssh timeout 10
    ssh version 2
    console timeout 30
    dhcpd auto_config outside
    !
    dhcprelay server DAREDEVIL home
    dhcprelay enable guest
    dhcprelay setroute guest
    dhcprelay timeout 60
    priority-queue home
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 64.90.182.55 source outside prefer
    tftp-server home THE-FLASH /
    webvpn
     enable home
     enable outside
     svc image disk0:/anyconnect-win-3.1.04066-k9_3.pkg 1
     svc enable
    group-policy DfltGrpPolicy attributes
     dns-server value 10.37.1.10
     vpn-simultaneous-logins 1
     vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value Split_Tunnel_List
     default-domain value batcave.local
     webvpn
      svc ask enable default webvpn
    username aquaman password KKOPGG99Bk0xyhXS encrypted privilege 15
    username jared password YlQ4V6UbWiR/Dfov encrypted privilege 15
    tunnel-group DefaultWEBVPNGroup general-attributes
     address-pool VPN_DHCP
    tunnel-group HomeVPN type remote-access
    tunnel-group HomeVPN general-attributes
     address-pool VPN_DHCP
     authentication-server-group BATCAVE
    !
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
    !
    smtp-server 10.37.1.30
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:65c8e856cde7d73200dd38f670613c2b
    : end

    Hi Jared,

    Your configuration has the "no sysopt connection permit-vpn" statement, and you're missing a NAT exempt rule. That is why you must configure an access list to allow traffic between your RA VPN network and your inside subnet, and apply the rule to your home interface, where 10.37.1.0/24 is.

    Example:

    access-list nonat_rule extended permit ip 10.37.1.0 255.255.255.0 10.37.3.0 255.255.255.0
    nat (home) 0 access-list nonat_rule

    Give that a try.

    Regards

  • Cannot access internal network over AnyConnect SSL VPN, ASA 9.1(6)

    Hello Cisco support community,

    I have a lab which consists of two virtual environments connected to a 3750-G switch, which is connected to a 2901 router, which is connected to an ASA 5512-X, which is connected to my ISP gateway. I configured SSL VPN using AnyConnect and can establish a VPN to the ASA from the outside, but once connected I can't access internal network resources or the internet. My network information and ASA configuration are listed below. Thank you for any assistance you can offer.

    ISP gateway network: 10.1.10.0/24

    ASA to router network: 10.1.40.0/30

    VPN DHCP pool: 10.1.30.0/24

    Range network: 10.1.20.0/24

    Development network: 10.1.10.0/24

    : Saved
    :
    : Serial Number: FCH18477CPT
    : Hardware: ASA5512, 4096 MB RAM, CPU Clarkdale 2793 MHz, 1 CPU (2 cores)
    :
    ASA Version 9.1(6)
    !
    hostname ctcndasa01
    enable password bcn1WtX5vuf3YzS3 encrypted
    names
    ip local pool cnd-vpn-dhcp-pool 10.1.30.1-10.1.30.200 mask 255.255.255.0
    !
    interface GigabitEthernet0/0
     nameif inside
     security-level 100
     ip address 10.1.40.1 255.255.255.252
    !
    interface GigabitEthernet0/1
     nameif outside
     security-level 0
     ip address X.X.X.237 255.255.255.248
    !
    interface GigabitEthernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/4
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/5
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     management-only
     nameif management
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    boot system disk0:/asa916-1-smp-k8.bin
    boot system disk0:/asa912-smp-k8.bin
    ftp mode passive
    same-security-traffic permit intra-interface
    object network NETWORK_OBJ_10.1.30.0_24
     subnet 10.1.30.0 255.255.255.0
    object network obj_any
    object network obj_10.1.40.0
     subnet 10.1.40.0 255.255.255.0
    object network obj_10.1.30.0
     subnet 10.1.30.0 255.255.255.0
    access-list outside_access_in extended permit ip object NETWORK_OBJ_10.1.30.0_24 any
    access-list NAT-EXEMPT extended permit ip 10.1.40.0 255.255.255.0 10.1.30.0 255.255.255.0
    access-list 101 extended permit icmp any4 any4 echo-reply
    access-list split standard permit 10.1.40.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any outside
    asdm image disk0:/asdm-743.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static obj_10.1.40.0 obj_10.1.40.0 destination static obj_10.1.30.0 obj_10.1.30.0 no-proxy-arp route-lookup
    nat (inside,outside) source static any any destination static NETWORK_OBJ_10.1.30.0_24 NETWORK_OBJ_10.1.30.0_24 no-proxy-arp route-lookup
    access-group outside_access_in in interface outside
    !
    router eigrp 1
     network 10.1.10.0 255.255.255.0
     network 10.1.20.0 255.255.255.0
     network 10.1.30.0 255.255.255.0
     network 10.1.40.0 255.255.255.252
    !
    route outside 0.0.0.0 0.0.0.0 10.1.10.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    no user-identity enable
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 192.168.1.0 255.255.255.0 inside
    http X.X.X.238 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
     enrollment self
     fqdn none
     subject-name CN=10.1.30.254,CN=ctcndasa01
     keypair ASDM_LAUNCHER
     crl configure
    crypto ca trustpool policy
    crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
     certificate c902a155
      quit
    telnet timeout 5
    ssh stricthostkeycheck
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    vpn-addr-assign local reuse-delay 360
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl trust-point ASDM_Launcher_Access_TrustPoint_0 vpnlb-ip
    ssl trust-point ASDM_Launcher_Access_TrustPoint_0 outside
    webvpn
     enable outside
     anyconnect image disk0:/anyconnect-linux-3.1.09013-k9.pkg 4
     anyconnect image disk0:/anyconnect-macosx-i386-3.1.09013-k9.pkg 5
     anyconnect image disk0:/anyconnect-win-3.1.09013-k9.pkg 6
     anyconnect enable
     tunnel-group-list enable
    group-policy GroupPolicy_cnd-vpn internal
    group-policy GroupPolicy_cnd-vpn attributes
     wins-server none
     dns-server value 8.8.8.8
     vpn-tunnel-protocol ssl-client
     default-domain none
    username xxxx password GCOh1bma8K1tKZHa encrypted
    tunnel-group cnd-vpn type remote-access
    tunnel-group cnd-vpn general-attributes
     address-pool cnd-vpn-dhcp-pool
     default-group-policy GroupPolicy_cnd-vpn
    tunnel-group cnd-vpn webvpn-attributes
     group-alias cnd-vpn enable
    !
    class-map icmp-class
     match default-inspection-traffic
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map icmp_policy
     class icmp-class
      inspect icmp
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    !
    service-policy global_policy global
    service-policy icmp_policy interface outside
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:261228832f3b57983bcc2b4ed5a8a9d0
    : end
    asdm image disk0:/asdm-743.bin
    no asdm history enable

    Can you confirm that this is correct? Your diagram shows the public IP address on the ASA as a /30, while you have assigned a /29 on the 'outside' interface.

  • VPN clients are unable to access internal resources

    Hello

    I have problems with VPN clients accessing internal resources. They connect using the Cisco VPN Client, they connect correctly, an IP address from the correct range is given and I can ping the internal server, but not any other type of access such as terminal server. A ping to the server IP from the inside is answered by the router's public interface IP instead of the internal server, and I don't know if it should be this way. There isn't any ACL applied.

    In crypto ipsec debugging I see this error when I try the terminal server:

    %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /public-ip, src_addr= 172.16.73.4, prot= 6

    Here is the configuration associated with the VPN:

    crypto isakmp policy 10
     encr aes 256
     authentication pre-share
     group 2
    !
    crypto isakmp client configuration group VPN_Clients
     key cisco
     dns 4.2.2.2
     pool vpn-clients
     acl 101
     netmask 255.255.255.0
    !
    !
    crypto ipsec transform-set RIGHT esp-aes esp-sha-hmac
    !
    crypto dynamic-map dynmap 10
     set transform-set RIGHT
     reverse-route
    !
    !
    crypto map mymap client authentication list userlist
    crypto map mymap isakmp authorization list Group
    crypto map mymap client configuration address initiate
    crypto map mymap client configuration address respond
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    !
    !
    ! Default gateway for the internal resources
    interface Vlan72
     ip address 172.16.72.1 255.255.255.0
     no ip proxy-arp
     ip nat inside
     ip virtual-reassembly
    !
    ip local pool vpn-clients 172.16.73.2 172.16.73.10
    !
    !
    interface Dialer1
     ip address negotiated
     ip mtu 1492
     ip nat outside
     ip virtual-reassembly
     encapsulation ppp
     dialer pool 1
     dialer-group 1
     ppp authentication chap callin
     ppp chap hostname XXXXX
     ppp chap password 7 XXXXXXXX
     ppp ipcp dns accept
     ppp ipcp address accept
     no cdp enable
     crypto map mymap
    access-list 101 permit ip 172.16.72.0 0.0.0.255 any
    !

    Kind regards.

    Hi Antonio,

    The problem seems to be with the NAT configuration on the router. The NAT config is currently:

    access-list 1 permit 172.16.72.0 0.0.0.255
    route-map NAT_WAN1 permit 10
     match ip address 1
     match interface Dialer1
    ip nat inside source route-map NAT_WAN1 interface Dialer1 overload

    We need to change it to look like this:

    access-list 100 deny ip 172.16.72.0 0.0.0.255 172.16.73.0 0.0.0.255
    access-list 100 permit ip 172.16.72.0 0.0.0.255 any
    route-map NAT_WAN1 permit 10
     match ip address 100
    ip nat inside source route-map NAT_WAN1 interface Dialer1 overload

    This should make sure that traffic going to the VPN client pool is not NATed, and therefore you should be able to access the network using the private IP (172.16.72.2 for example).

    Try this and tell me if it solves your problem.

    Kind regards

    Assia

    Post edited by: Assia Ramamoorthy (small correction in the post!)

  • Win 7 VPN client cannot access remote resources beyond the VPN server

    I have a Win 7 work laptop with a Win 7 VPN client set up, and through it I can access all the allowed resources on the remote network.

    I built a new computer, set up the Win 7 client with the exact same parameters everywhere, connected to the VPN successfully, but cannot access any of the resources on the remote network that I can on my laptop.

    Win 7 64-bit SP1

    I did research online and have already tried the suggestions on my new setup. In addition, I have a second computer on which I've set up the VPN client, and I'm having the same problem. The VPN connects successfully, but is unable to access the resources.

    Tested with the firewall off.

    Troubleshooting diagnostic reports: your computer seems to be configured correctly, remote resources were detected but did not respond.

    I created another VPN client on the new computer to another remote network and everything works perfectly.

    Remember, the VPN connection to the remote network that does not work on the new computer works perfectly on the Win 7 64-bit laptop.

    So, what could be different between the "should be" identical configurations, where the work one works and the two new machines do not?

    It must be something stupid.

    Hello

    This question is better suited for a TechNet audience. I suggest you post the query to the Microsoft TechNet forum. See the link below to do so:
    https://social.technet.Microsoft.com/forums/Windows/en-us/home?Forum=w7itpronetworking

    Please let us know if you have more queries on Windows.

  • N600 ea2700 cannot access internal Web sites

    I have a new router, an N600 EA2700, replacing a WRT54G2.

    I have an internal web server configured, with port 80 HTTP forwarded to my IIS7 web server with a static IP address.

    I can access my domains from outside my internal network (e.g. my cell phone), but when I type www.mydomain(s).com (any of them) in my browser on a wired or wireless internal computer I get "cannot display this page".

    I can ping www.my... and get an answer from my router's static IP (internet provider).

    I can type in the static IP of the web server and get my IIS7 splash screen.

    I've been on the phone with Linksys and they could not figure it out, basically saying take the router back to Staples and get a different model.

    I thought I'd ask here before I do that. I would add that if I put the old WRT back I can access it no problem.

    Any ideas?

    Thank you!

    Sorry I misunderstood your OP.

    This is called "NAT Loopback" and is not available on the Smart Wifi routers.

    Honestly, the firmware of the Wifi chip is not designed for custom networks with servers or DNS requirements.

  • EZ - VPN Cisco cannot access internal network

    Hello

    I configured an EZ-VPN on my router, but after a successful login to the VPN, I can't ping my internal network or access any resources. Also, I can't ping my router's VPN client IP address.

    Can someone take a look at my Config?

    Here is my config:

    Current configuration : 7730 bytes
    !
    ! Last configuration change at 16:24:55 UTC Tue Jun 14 2011 by suncci
    ! NVRAM config last updated at 20:21:30 UTC Fri Jun 10 2011 by suncci
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname router
    !
    boot-start-marker
    boot-end-marker
    !
    no logging buffered
    no logging console
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication login AUTH_VPN local
    aaa authorization exec default local
    aaa authorization network AUTHORIZE_VPN local
    !
    !
    aaa session-id common
    ip cef
    !
    !
    ip name-server 208.67.222.222
    ip name-server 205.188.146.145
    !
    multilink bundle-name authenticated
    !
    !
    !
    crypto pki trustpoint TP-self-signed-1861908046
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-1861908046
     revocation-check none
     rsakeypair TP-self-signed-1861908046
    !
    !
    crypto pki certificate chain TP-self-signed-1861908046
     certificate self-signed 01


      quit
    !
    !
    username xxxxx privilege 15 password 0 xxxxxx
    archive
     log config
      hidekeys
    !
    !
    crypto isakmp policy 1
     encr aes
     authentication pre-share
     group 2
    !
    crypto isakmp policy 10
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp nat keepalive 5
    !
    crypto isakmp client configuration group Sun-VPN-Group
     key 12345
     dns 208.67.222.222
     pool VPN_Pool
     acl VPN_Test
    crypto isakmp profile ISAKMP_Profile_EZVPN
     match identity group Sun-VPN-Group
     client authentication list AUTH_VPN
     isakmp authorization list AUTHORIZE_VPN
     client configuration address respond
     client configuration group Sun-VPN-Group
     virtual-template 1
    !
    !
    crypto ipsec transform-set Sun-VPN esp-aes esp-sha-hmac
    !
    crypto ipsec profile IPSEC_Profile_EZVPN
     set transform-set Sun-VPN
     set isakmp-profile ISAKMP_Profile_EZVPN
    !
    !
    !
    class-map type inspect match-all Internal
     match protocol tcp
     match protocol udp
     match protocol dns
     match protocol http
     match protocol https
     match protocol icmp
    class-map type inspect match-all Internet
     match protocol tcp
     match protocol udp
     match protocol icmp
    class-map type inspect match-all IntraNet-InterNet-traffic
     match protocol tcp
     match protocol udp
     match protocol icmp
     match access-group name InterNet-to-IntraNet-ACL
    class-map type inspect match-all InterNet-IntraNet-traffic
     match protocol tcp
     match protocol udp
     match protocol icmp
    !
    !
    policy-map type inspect InterNet-IntraNet-policy
     class type inspect IntraNet-InterNet-traffic
      inspect
     class class-default
      drop
    policy-map type inspect IntraNet-InterNet-policy
     class type inspect InterNet-IntraNet-traffic
      inspect

    class class by default

    drop

    type of policy-card inspect sdm-policy-Internet

    class type inspect Internet

    inspect

    class class by default

    type of policy-card inspect internal sdm-policy

    class type inspect internal

    inspect

    class class by default

    drop

    !

    Security for the Internet zone

    security of the inner area

    the IntraNet zone security

    Description Interfaces all connected to the Intranet

    Security for the InterNet zone

    Description of all Interfaces connected to the Internet

    destination inner security zone-pair source sdm-zp-internal-self self

    type of service-strategy inspect sdm-policy-Internet

    zone-pair security IntraNet - InterNet source IntraNet InterNet destination

    type of service-strategy inspect IntraNet-InterNet-policy

    InterNet - IntraNet source InterNet destination IntraNet security zone-pair

    inspect the type of service-strategy InterNet-IntraNet-policy

    !

    !

    !

    !

    interface Loopback0

    IP 192.168.1.1 255.255.255.0

    !

    interface FastEthernet0/0

    Description external PPPOE Interface ETH - WAN$

    no ip address

    response to IP mask

    NAT outside IP

    IP virtual-reassembly

    automatic speed

    PPPoE enable global group

    PPPoE-client dial-pool-number 1

    No cdp enable

    !

    interface FastEthernet0/1

    switchport access vlan 10

    !

    interface FastEthernet0/2

    switchport access vlan 10

    !

    interface FastEthernet0/3

    switchport access vlan 10

    !

    interface FastEthernet0/4

    switchport access vlan 10

    !

    type of interface virtual-Template1 tunnel

    IP unnumbered Loopback0

    members of the IntraNet zone security

    source of Dialer1 tunnel

    ipv4 ipsec tunnel mode

    Tunnel IPSEC_Profile_EZVPN ipsec protection profile

    !

    interface Vlan10

    Description $FW_INSIDE$

    IP 192.168.0.3 255.255.255.0

    response to IP mask

    no ip redirection

    no ip unreachable

    IP nat inside

    IP virtual-reassembly

    members of the IntraNet zone security

    route IP cache flow

    !

    interface Dialer1

    Description $FW_OUTSIDE$

    the negotiated IP address

    no ip redirection

    no ip unreachable

    no ip proxy-arp

    IP mtu 1492

    NAT outside IP

    IP virtual-reassembly

    the Member's area InterNet security

    encapsulation ppp

    IP tcp adjust-mss 1452

    Dialer pool 1

    Dialer-Group 1

    No cdp enable

    PPP authentication chap callin pap

    PPP chap hostname pty/69733

    password PPP chap 0 DSLconnect

    PPP pap sent-username pty/69733 password 0 DSLconnect

    !

    IP pool local VPN_Pool 192.168.1.30 192.168.1.40

    IP forward-Protocol ND

    IP route 0.0.0.0 0.0.0.0 Dialer1

    IP route 192.168.1.0 255.255.255.0 Dialer1

    !

    !

    IP http server

    local IP http authentication

    IP http secure server

    IP nat inside source overload map route NAT interface Dialer1

    !

    InterNet-to-IntraNet-ACL extended IP access list

    permit tcp any 192.168.0.0 0.0.0.255

    allow udp all 192.168.0.0 0.0.0.255

    allow icmp any 192.168.0.0 0.0.0.255

    refuse an entire ip

    Internet extended IP access list

    Note Internet

    Remark SDM_ACL = 2 category

    Notice all THE

    allow a full tcp

    allow a udp

    allow icmp a whole

    allow an ip

    NAT extended IP access list

    Licensing ip 192.168.0.0 0.0.0.255 any

    deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255

    VPN_Test extended IP access list

    Licensing ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255

    !

    Remark SDM_ACL category of access list 1 = 2

    access-list 1 permit 192.168.0.0 0.0.0.255

    access-list 1 permit 192.168.1.0 0.0.0.255

    Note access-list 2 = 2 SDM_ACL category

    access-list 2 allow to 192.168.1.0 0.0.0.255

    access-list 5 permit one

    access-list 10 permit 192.168.0.0 0.0.0.255

    access-list 102 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255

    access-list 102 permit ip 192.168.0.0 0.0.0.255 any

    not run cdp

    !

    !

    !

    route NAT allowed 10 map

    corresponds to the IP NAT

    !

    !

    !

    control plan

    !

    !

    !

    !

    !

    !

    !

    !

    !

    Line con 0

    line to 0

    line vty 0 4

    exec-timeout 30 12

    privilege level 15

    Synchronous recording

    transport input telnet ssh

    !

    NTP-period clock 17208070

    NTP 17.151.16.21 Server

    end

    As I mentioned earlier, you can of course ping 192.168.0.2 from the router because they are in the same subnet. When you ping on the same subnet, the router uses ARP to reach the device instead of routing.

    Is the switch configured with the correct default gateway? The switch must be configured with the default gateway 192.168.0.3.

    You also mention that you can ping 192.168.0.30, which is beyond the router. This means that it is not a VPN configuration error on the router, but rather the endpoint that you are trying to ping, since you can ping 192.168.0.30.

  • WebVPN cannot access internal network on 2821

    Hello, I'm trying to configure WebVPN to reach my internal network. The client connects to the router, but I can't ping anything on my internal network. Also, I've lost ping between hosts on the internal network. I can only ping the gateway (192.168.162.0).

    IOS Version 15.1(4)M9

    ip local pool webvpn-pool 192.168.162.212 192.168.162.218
    ip nat inside source list 1 interface GigabitEthernet0/0 overload
    access-list 1 permit 192.168.162.0 0.0.0.255

    webvpn gateway Cisco-WebVPN-Gateway
     ip address X.X.X.X port 1025
     ssl encryption rc4-md5
     ssl trustpoint my-trustpoint
     inservice
     !
    webvpn context Cisco-WebVPN
     title "Easy VPN"
     ssl authenticate verify all
     !
     url-list "rewrite"
     !
     acl "ssl-acl"
       permit ip 192.168.162.0 255.255.255.0 192.168.162.0 255.255.255.0
     !
     login-message "Cisco Secure WebVPN"
     !
     policy group webvpnpolicy
       functions svc-enabled
       functions svc-required
       filter tunnel ssl-acl
       svc address-pool "webvpn-pool" netmask 255.255.255.0
       svc rekey method new-tunnel
       svc split include 192.168.162.0 255.255.255.0
     default-group-policy webvpnpolicy
     aaa authentication list sslvpn
     gateway Cisco-WebVPN-Gateway
     max-users 2
     inservice
    !

    Hello,

    I saw the VPN configuration:

     policy group webvpnpolicy
       functions svc-enabled
       functions svc-required
       filter tunnel ssl-acl
       svc address-pool "webvpn-pool" netmask 255.255.255.0
       svc rekey method new-tunnel
       svc split include 192.168.162.0 255.255.255.0
     default-group-policy webvpnpolicy
     aaa authentication list sslvpn
     gateway Cisco-WebVPN-Gateway
     max-users 2
     inservice

     acl "ssl-acl"
       permit ip 192.168.162.0 255.255.255.0 192.168.162.0 255.255.255.0

    ip local pool webvpn-pool 192.168.162.212 192.168.162.218

    ip nat inside source list 1 interface GigabitEthernet0/0 overload

    access-list 1 permit 192.168.162.0 0.0.0.255

    I recommend the following:

    1. Use a local IP pool with a different range than the one used in the internal network (routing-wise issues).

    2. Remove the VPN filter; it is completely useless, since it is the same as what the split tunnel is:

     policy group webvpnpolicy
       no filter tunnel ssl-acl

    3. Use an ACL on the NAT and create the NAT exemption from the inside network to the local IP pool:

    ip access-list extended NAT
     deny ip 192.168.162.0 0.0.0.255 XXXX XXXXX   --> IP network of the IP pool
     permit ip 192.168.0.0 0.0.0.255 any

    ip nat inside source list NAT interface GigabitEthernet0/0 overload

    These are the appropriate changes; I recommend that you apply them.

    Please don't forget to rate and mark the helpful post as correct!

    David Castro,

  • Cannot access network resources - Cisco VPN client

    Please see the attached network topology.

    I can connect using the Cisco VPN client and access all resources on the 192.168.3.0 network.

    I can't ping / access any hosts on the 192.168.5.0 network.

    Any ideas?

    Thanks in advance for the help.

    AD

    Quite correct.

    Please add this to the access list:

    access-list CPA standard permit 192.168.5.0 255.255.255.0

  • Help, please! Connected to the VPN, but cannot access internal servers.

    Hi friends,

    I'm a newbie on VPN stuff. I set up a basic VPN on a Cisco ASA 5505 using ASDM, and I was able to connect to it.  However, I can't SSH or RDP to any of the servers in the house after I connect to the VPN.  Here is the configuration.  Help, please!

    ASA Version 8.2(5)
    !
    hostname sc-asa
    domain-name abc.com
    enable password xxxxxxxxx encrypted
    passwd xxxxxxxxx encrypted
    names
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address dhcp setroute
    !
    ftp mode passive
    dns server-group DefaultDNS
     domain-name OpenDNS.com
    access-list sc-pool_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.96 255.255.255.240
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool sc-pool 192.168.1.100-192.168.1.110 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcp-client client-id interface outside
    dhcpd auto_config outside
    !
    dhcpd address 192.168.1.5-192.168.1.36 inside
    dhcpd dns 208.67.222.222 208.67.220.220 interface inside
    dhcpd lease 86400 interface inside
    dhcpd domain abc.com interface inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
    webvpn
    group-policy abc-sc internal
    group-policy abc-sc attributes
     dns-server value 208.67.222.222 192.168.1.3
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value abc-sc_splitTunnelAcl
     default-domain value abc.com
    username a001 password xxxxxxxxxxx encrypted
    username a002 password xxxxxxxxxxx encrypted
    username a003 password xxxxxxxxxxx encrypted privilege 0
    username a003 attributes
     vpn-group-policy abc-sc
    username a004 password xxxxxxxxxxx encrypted privilege 0
    username a004 attributes
     vpn-group-policy abc-sc
    username a005 password xxxxxxxxxxx encrypted
    username a006 password xxxxxxxxxxx encrypted
    username a007 password xxxxxxxxxxx encrypted privilege 15
    tunnel-group abc-sc type remote-access
    tunnel-group abc-sc general-attributes
     address-pool sc-pool
     default-group-policy abc-sc
    tunnel-group abc-sc ipsec-attributes
     pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:e7df4fa4b60a252d806ca5222d48883b
    : end

    Hello,

    I would suggest you start by changing the VPN pool to something other than the current LAN network and see if that helps.

    This should be the configuration required to achieve that:

    • First we remove the VPN pool from the VPN configuration
    • Then we delete the VPN pool and create it again with another address space
    • We then attach this new VPN pool to the VPN configuration again
    • In the last step, we add a NAT0 / NAT exempt configuration for this new VPN pool and remove the old ACL line for the former VPN pool

    tunnel-group abc-sc general-attributes
     no address-pool sc-pool

    no ip local pool sc-pool 192.168.1.100-192.168.1.110 mask 255.255.255.0

    ip local pool sc-pool 192.168.100.100-192.168.100.110 mask 255.255.255.0

    tunnel-group abc-sc general-attributes
     address-pool sc-pool

    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

    no access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.96 255.255.255.240

    -Jouni
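    The two things this answer changes, moving the pool out of the LAN and rewriting the nat 0 exemption so it covers LAN-to-pool, are the same two checks that come up in almost every thread on this page, and they can be verified mechanically before a change window. The Python script below is an added example, not code from this thread or from Cisco: it assumes ASA 8.2-style syntax (`ip local pool`, `nat (inside) 0 access-list`, a `nameif inside` interface block) and the two configuration excerpts embedded in it are constructed to mirror the before and after states above.

```python
"""Audit a pre-8.3 ASA remote-access VPN pool against the inside LAN and the
NAT-exempt (nat 0) access list.

Added example (not from the thread or from Cisco).  It reads three things:
the 'nameif inside' interface address, the 'ip local pool' ranges and the
entries of the ACL referenced by 'nat (inside) 0 access-list', then reports
the two classic mistakes: a pool carved out of the LAN itself, and a pool
that the exemption ACL does not cover.
"""
import ipaddress
import re

# ASA 8.2 syntax only; ACL entries with 'any' or 'host' are skipped on purpose.
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$", re.I)
IFACE_IP_RE = re.compile(r"^ip address (\S+) (\S+)$", re.I)
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)", re.I)
ACL_RE = re.compile(
    r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", re.I)


def parse_config(text):
    """Collect the inside LAN, the pools, the nat 0 ACL name and ACL entries."""
    cfg = {"inside": None, "pools": {}, "nat0_acl": None, "acls": {}}
    in_inside = False  # True while inside the interface block with 'nameif inside'
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            in_inside = False
        elif line == "nameif inside":
            in_inside = True
        elif in_inside and (m := IFACE_IP_RE.match(line)):
            cfg["inside"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := POOL_RE.match(line):
            cfg["pools"][m[1]] = (ipaddress.ip_address(m[2]),
                                  ipaddress.ip_address(m[3]))
        elif m := NAT0_RE.match(line):
            cfg["nat0_acl"] = m[2]
        elif m := ACL_RE.match(line):
            src = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
            dst = ipaddress.ip_network(f"{m[4]}/{m[5]}", strict=False)
            cfg["acls"].setdefault(m[1], []).append((src, dst))
    if cfg["inside"] is None:
        raise ValueError("no interface with 'nameif inside' found")
    return cfg


def pool_overlaps_lan(cfg, pool):
    """True if any address of the pool range falls inside the inside LAN."""
    start, end = cfg["pools"][pool]
    lan = cfg["inside"]
    return start <= lan.broadcast_address and end >= lan.network_address


def pool_is_nat_exempt(cfg, pool):
    """True if one nat 0 entry permits the whole LAN to the whole pool range.
    (A pool split over several entries is reported as not exempt; keep pools
    inside one destination network.)"""
    start, end = cfg["pools"][pool]
    lan = cfg["inside"]
    for src, dst in cfg["acls"].get(cfg["nat0_acl"], []):
        if lan.subnet_of(src) and start in dst and end in dst:
            return True
    return False


def audit(text, pool):
    """Run both checks on a config text for the named pool."""
    cfg = parse_config(text)
    return {"overlaps_lan": pool_overlaps_lan(cfg, pool),
            "nat_exempt": pool_is_nat_exempt(cfg, pool)}


# Constructed excerpt mirroring the posted config: the pool is carved out of
# the LAN and the nat 0 ACL exempts only 192.168.1.96/28.
BROKEN_CONFIG = """
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.96 255.255.255.240
ip local pool sc-pool 192.168.1.100-192.168.1.110 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""

# Constructed excerpt after the suggested change: pool moved to 192.168.100.0/24
# and the exemption rewritten for it.
FIXED_CONFIG = """
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
ip local pool sc-pool 192.168.100.100-192.168.100.110 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit(text, "sc-pool"))
```

    Note that the original config passes the exemption check (192.168.1.96/28 does contain .100 to .110), which is exactly why the overlap check has to be run as well: the exemption was fine, the pool's placement inside the LAN was the problem.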

  • Cannot access remote resources - Cisco VPN Client

    I'm having a problem with my Cisco VPN Client. I am new to VPN configuration, so this is probably something easy I'm missing. I have a 2611XM router as the internet gateway for my LAN and as my VPN server. I do all my tests from a company laptop with a mobile broadband card. The VPN connects, but any time I ping anything in the office network, it comes back with the public IP address of the external interface. I have NAT overload configured so the inside network can access the internet, which it looks like may be causing my problem. I don't know how to fix it. My running config is attached. Does anyone know what might be happening?

    Oh, almost forgot to add: when I remove the NAT overload on my interface fa0/1, the VPN can connect to any resource on the inside.

    Your NAT configuration seems to be the origin of the problem. If you are using an ACL to match the source for NAT, then you will need to add a deny line for the local IP pool of your VPN clients to it. Try that and see how it goes.

    Sent from Cisco Technical Support iPhone App

  • VPN users cannot access all resources

    User is able to connect, gets assigned an IP, and we can see them connected via ASDM, but they can't access anything in our network.

    Hello,

    Check the following:

    When you try to send the traffic, check the output of "sh cry ips sa" to make sure packets are being encrypted/decrypted.

    If they aren't...

    It may be that NAT-T is not configured.

    Check the configuration for:

    crypto isakmp nat-t

    sh run all sysopt --> should show sysopt connection permit-vpn

    Test:

    Add the command

    management-access inside

    and try to ping the ASA inside IP address from the VPN client.

    We will go from there...

    Federico.

  • Cannot access the internal resources for VPN site-to-site

    We have two ASAs.  We just set up a site-to-site VPN.  For some reason, we are not able to access internal resources at the main office from the remote office.  Do you have any suggestions?  Thank you.

    As wu suggested, please first confirm that the tunnel is up correctly.

    "sh cry isa sa" -> will tell you if phase 1 is up

    "sh cry ips sa" -> will tell you if phase 2 is up

    Now, once they are up, when you ping from site A to site B

    on site A you should see encaps and on site B decaps for traffic from A to B, and vice versa for return traffic.

    Now we have to see where it is failing.

    It could be that the packet is coming up to the ASA but not getting encrypted, or that the packet does not reach the ASA at all.

    You can run packet-tracer to see if it's getting encapsulated, or in other words hits the VPN tunnel.

    It might be a NAT problem, and sometimes if it is a new configuration the ISP may have blocked the ESP traffic in one direction or the other.

    The best approach is to turn on "management-access inside" on the firewall and ping with the ASA as the source:

    ping inside

  • AnyConnect VPN users cannot access remote subnets?

    I've googled this until I'm blue in the face without result.  I don't understand why Cisco makes this so difficult.  When clients connect to the AnyConnect VPN, they can access the local subnet, but cannot access the resources in remote offices.  What do I need to do to allow my AnyConnect VPN clients access to my remote sites?

    Cisco 5510 8.4

    Hello,

    What are the remote sites using as their Internet gateway? Does their default route lead to this ASA, or do they have their own Internet gateway? If they use this ASA for their Internet connection, then they should already have a default route that leads the traffic to the VPN pool, even if they have no specific route for the VPN pool itself. If they use their own local Internet gateway and the default route does not point to this ASA, then you would naturally need a route on the remote site (and anything in between) telling the remote site where to reach the 10.10.224.0/24 VPN pool network.

    In addition to routing, you must have NAT0 configured for each remote site and the VPN pool.

    Just a simple example of a NAT0 configuration for 4 networks behind the ASA and a single VPN pool might look like this:

    object-group network REMOTE-SITES
     network-object 10.10.10.0 255.255.255.0
     network-object 10.10.20.0 255.255.255.0
     network-object 10.10.30.0 255.255.255.0
     network-object 10.10.40.0 255.255.255.0

    object network VPN-POOL
     subnet 10.10.224.0 255.255.255.0

    nat (inside,outside) source static REMOTE-SITES REMOTE-SITES destination static VPN-POOL VPN-POOL

    The above of course assumes that the remote sites are located behind the 'inside' interface (through some MPLS network, for example), and naturally the remote site networks are made up for the sake of the example.

    Since you are using Full Tunnel VPN, there should be no problem with the VPN user forwarding traffic to this ASA in question.

    The first things I would check would be the NAT0 configuration on the ASA and the routing between the remote sites and this ASA (regarding reaching the VPN pool, not the ASA network IP address).

    Are you sure that the configuration above is related to this? It's my understanding that AnyConnect uses only IKEv2, and the above is strictly defined for IKEv1?

    -Jouni

  • Why my VPN clients cannot access network drives and resources?

    I have a Cisco ASA 5505 configured as a VPN gateway. I can dial in using the AnyConnect VPN client. The remote user is assigned an IP address per my specifications. However, the remote user cannot access network resources such as network drives or the fax server. I've done everything I can to set the right NAT settings and ACLs, but in vain. I'm posting my config in case someone can track down the problem. It would be appreciated!

    : Saved
    :
    ASA Version 8.2(5)
    !
    hostname ciscoasa
    domain-name cisco
    enable password xxxxxxxxxxxxx
    passwd xxxxxxxxxxxxxxxxx
    names
    name 68.191.xxx.xxx outside
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.201.200 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address outside 255.255.255.0
    !
    ftp mode passive
    dns domain-lookup outside
    dns domain-lookup inside
    dns server-group DefaultDNS
     name-server 192.168.201.1
     domain-name cisco
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group protocol TCPUDP
     protocol-object udp
     protocol-object tcp
    object-group network obj-192.168.201.0
    access-list NAT-FREE extended permit ip 192.168.201.0 255.255.255.0 192.168.201.0 255.255.255.0
    access-list NAT-FREE extended permit ip any 192.168.202.0 255.255.255.0
    access-list NAT-FREE extended permit ip 192.168.202.0 255.255.255.0 any
    access-list NAT-FREE extended permit icmp any any
    access-list <name> extended permit ip any any
    access-list <name> extended permit object-group TCPUDP any any
    access-list <name> extended permit icmp any any
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in extended permit object-group TCPUDP any any
    access-list inside_access_in extended permit icmp any any
    access-list outside_access_in extended permit ip any any
    access-list outside_access_in extended permit object-group TCPUDP any any
    access-list outside_access_in extended permit icmp any any
    access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.201.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.202.0 255.255.255.0 192.168.201.0 255.255.255.0
    access-list inside_nat0_outbound extended permit icmp any any
    access-list inside_nat0_outbound_1 extended permit ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    ip local pool KunduVPN 192.168.202.1-192.168.202.50 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound_1 outside
    nat (inside) 1 192.168.201.0 255.255.255.0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route inside 0.0.0.0 0.0.0.0 192.168.201.1 1
    route inside 0.0.0.0 255.255.255.255 outside 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.201.0 255.255.255.0 inside
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint ASDM_TrustPoint0
     enrollment self
     subject-name CN=ciscoasa
     keypair xxx
     proxy-ldc-issuer
     crl configure
    XXXXXXXXXXXXXXXXXXXXXXXX
      quit
    crypto isakmp enable outside
    crypto isakmp enable inside
    crypto isakmp policy 10
     authentication crack
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 20
     authentication rsa-sig
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 30
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 40
     authentication crack
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 50
     authentication rsa-sig
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 60
     authentication pre-share
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 70
     authentication crack
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 80
     authentication rsa-sig
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 90
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 100
     authentication crack
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 110
     authentication rsa-sig
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 120
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 130
     authentication crack
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 140
     authentication rsa-sig
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 150
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
     enable outside
     enable inside
     svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
     svc enable
     tunnel-group-list enable
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
     dns-server value 192.168.201.1
     vpn-tunnel-protocol svc webvpn
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
     default-domain value cisco
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
     webvpn
      svc ask enable
    group-policy KunduVPN internal
    group-policy KunduVPN attributes
     wins-server none
     dns-server value 192.168.201.1
     vpn-tunnel-protocol svc webvpn
     default-domain value cisco
    username xxxx
    username xxxxx
     vpn-group-policy DfltGrpPolicy
    tunnel-group DefaultRAGroup general-attributes
     address-pool VPNIP
     default-group-policy DefaultRAGroup
    tunnel-group DefaultRAGroup ipsec-attributes
     pre-shared-key *
    tunnel-group DefaultRAGroup ppp-attributes
     authentication ms-chap-v2
    tunnel-group KunduVPN type remote-access
    tunnel-group KunduVPN general-attributes
     address-pool (inside) VPNIP
     address-pool KunduVPN
     authentication-server-group (inside) LOCAL
     default-group-policy KunduVPN
    tunnel-group KunduVPN webvpn-attributes
     group-alias KunduVPN enable
     group-url https://68.191.xxx.xxx/KunduVPN enable
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:c0e4540d4a07f2c544f0eddb653627cc
    : end

    don't allow no asdm history

    Hello

    What is the gateway IP address of the LAN hosts/servers?

    If it is not the ASA 'inside' interface IP address, then I assume the problem with the VPN is simply routing.

    For example, if your LAN hosts/servers use the wireless LAN router as their gateway, then the following would happen to your VPN client connections.

    • VPN client user forms the VPN login through the static PAT (port forward) configured on the wireless router to the ASA "inside" interface
    • VPN client sends traffic through the VPN to the ASA and on to the LAN host/server.
    • LAN host/server sees the connection from a network other than the LAN (192.168.202.0/24) and therefore forwards the return traffic to its default gateway, which would likely be the wireless router.
    • Wireless router has no route to the network 192.168.202.0/24 (VPN pool) and therefore uses its default route to the external network to forward the traffic.
    • VPN client host never receives the traffic back, as it is sent out on the external network and dropped by the ISP

    So if the above assumption is correct, then you would at least need a route configuration on the wireless router that tells the device to forward traffic for the network 192.168.202.0/24 to the gateway IP address 192.168.201.200 (which is the ASA)

    I would like to know if the setup is as described above.

    -Jouni
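To make the asymmetric return path in the post above concrete, here is an added example (not part of the thread) that simulates longest-prefix routing on each device for the reply packet from a LAN host to a VPN client, once without and once with the static route for the pool on the wireless router; the LAN, pool and ASA inside addresses are the thread's, while device names and the other table entries are assumptions.

```python
import ipaddress

# Constructed model of the topology described in the thread: LAN 192.168.201.0/24,
# VPN pool 192.168.202.0/24 and ASA inside address 192.168.201.200 come from the
# posts; device names and all other table entries are assumptions.
LAN_HOST, WIFI_ROUTER, ASA, ISP = "lan-host", "wifi-router", "asa", "isp"
VPN_POOL = "192.168.202.0/24"

def lookup(table, dst):
    """Longest-prefix match over [(prefix, next_hop)]; None when no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def build_tables(wifi_router_has_pool_route):
    """Per-device routing tables. A next hop that is not a device key
    (e.g. 'vpn-client') is a terminal delivery."""
    tables = {
        LAN_HOST: [("192.168.201.0/24", "local"), ("0.0.0.0/0", WIFI_ROUTER)],
        WIFI_ROUTER: [("192.168.201.0/24", "local"), ("0.0.0.0/0", ISP)],
        ASA: [(VPN_POOL, "vpn-client")],  # pool terminates on the ASA tunnel
        ISP: [],                          # no route back to a private pool
    }
    if wifi_router_has_pool_route:
        # The static route suggested in the thread: pool via ASA inside 192.168.201.200
        tables[WIFI_ROUTER].insert(0, (VPN_POOL, ASA))
    return tables

def trace_return_path(tables, src_device, dst, max_hops=8):
    """Follow next hops from src_device toward dst; the returned hop list
    ends in a terminal delivery, 'dropped' (no route) or 'loop'."""
    path, node = [src_device], src_device
    for _ in range(max_hops):
        next_hop = lookup(tables[node], dst)
        if next_hop is None:
            return path + ["dropped"]
        path.append(next_hop)
        if next_hop not in tables:
            return path
        node = next_hop
    return path + ["loop"]
```

Calling `trace_return_path(build_tables(False), LAN_HOST, "192.168.202.10")` shows the reply leaving via the wireless router's default route and being dropped at the ISP; with `build_tables(True)` the longer /24 prefix wins and the reply reaches the VPN client through the ASA.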
