Cannot access network resources - Cisco VPN client
Please see attached the network topology.
I can connect using the Cisco VPN client and access to all resources of the 192.168.3.0 network
I can't ping / access to all hosts on the network 192.168.5.0.
Any ideas?
Thanks for the help in advance
AD
Quite correct.
Please add has the access list:
CPA list standard access allowed 192.168.5.0 255.255.255.0
Tags: Cisco Security
Similar Questions
-
Cannot access remote resources - Cisco VPN Client
I'm having a problem with my Cisco VPN Client. I am new to VPN configuration, so this is probably something easy I'm missing. I have a my internet gateway for my LAN 2611XM router and my VPN server. I do all my tests of a society with a high card laptop mobile broadband. VPN connects, but anytime I ping anything in the network Cabinet, he returned with the public IP address of the external interface. I have NAT overload configured so any network can access the internet, inside which it looks like may be causing my problem. I don't know how to fix it. My config running is attatched. No one knows what might happen.
Oh, almost forgot to add. When I remove the nat overload on my interface fa0/1, the vpn will connect to any resource on the inside.
Your nat configuration seems to be the origin of the problem. If you are using an ACL to match the source for NAT, then it will be necessary to add the line 1A refuse for the local ip pool for your vpn clients to one only. try that to see how it goes.
Sent by Cisco Support technique iPhone App
-
RVL200 and Windows 2000 Server - can not access network resources via VPN
I am new to the VPN, and I feel I'm missing something very basic in my configuration. I just installed a RVL200 as the gateway for my corporate network router. The network includes a Windows 2000 Server that acts as server DHCP and several PC and a printer. I was able to "establish a SSL VPN tunnel" home connection to the router, but after recording in everything I see is the screen of virtual Passage - one with lock icons - otherwise I am inside the router. The statement shows that I am connected. Once the tunnel is established, what am I supposed to do to get computers to the computers on my network? I can ping all computers on the network using their LAN address. I'm supposed to see a choice of network resources to get to this point? I put the router as a trusted site in the server and even tried to disable all firewalls, but I see that the VPN screen with icons. I don't know how to proceed from here because I don't know what I'm supposed to see. Thanks for any help that you can give to a newbie!
The SSL connection is only for the VPN router. To access the computer, you can use Windows Remote Desktop connection. So that you can access to remote computers on the network, or you could look for 3 third-party software for remote access
Hope this helps
-
Another problem with the configuration of Cisco VPN Client access VPN Site2site
We have a Cisco ASA 5505 at our CORP. branch I configured the VPN Site2Site to our COLO with a Juniper SRX220h, to another site works well, but when users access the home Cisco VPN client, they cannot ping or SSH through the Site2Site. JTACS contacted and they said it is not on their end, so I tried to contact Cisco TAC, no support. So here I am today, after for the 3 days (including Friday of last week) of searching the Internet for more than 6 hours per day and try different examples of other users. NO LUCK. The VPN client shows the route secure 10.1.0.0
Sorry to post this, but I'm frustrated and boss breathing down my neck to complete it.
CORP netowrk 192.168.1.0
IP VPN 192.168.12.0 pool
Colo 10.1.0.0 internal ip address
Also, here's an example of my config ASA
: Saved
:
ASA Version 8.2 (1)
!
hostname lwchsasa
names of
name 10.1.0.1 colo
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.1.1 255.255.255.0
!
interface Vlan2
backup interface Vlan12
nameif outside_pri
security-level 0
IP 64.20.30.170 255.255.255.248
!
interface Vlan12
nameif backup
security-level 0
IP 173.165.159.241 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 12
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passive FTP mode
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
object-group network NY
object-network 192.168.100.0 255.255.255.0
BSRO-3387 tcp service object-group
port-object eq 3387
BSRO-3388 tcp service object-group
port-object eq 3388
BSRO-3389 tcp service object-group
EQ port 3389 object
object-group service tcp OpenAtrium
port-object eq 8100
object-group service Proxy tcp
port-object eq 982
VOIP10K - 20K udp service object-group
10000 20000 object-port Beach
the clientvpn object-group network
object-network 192.168.12.0 255.255.255.0
APEX-SSL tcp service object-group
Description of Apex Dashboard Service
port-object eq 8586
object-group network CHS-Colo
object-network 10.1.0.0 255.255.255.0
the DM_INLINE_NETWORK_1 object-group network
object-network 192.168.1.0 255.255.255.0
host of the object-Network 64.20.30.170
object-group service DM_INLINE_SERVICE_1
the purpose of the ip service
ICMP service object
service-object icmp traceroute
the purpose of the service tcp - udp eq www
the tcp eq ftp service object
the purpose of the tcp eq ftp service - data
the eq sqlnet tcp service object
EQ-ssh tcp service object
the purpose of the service udp eq www
the eq tftp udp service object
object-group service DM_INLINE_SERVICE_2
the purpose of the ip service
ICMP service object
EQ-ssh tcp service object
inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 clientvpn object-group
inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 object-group NY
inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 object-group CHS-Colo
inside_nat0_outbound list of allowed ip extended access any 192.168.12.0 255.255.255.0
outside_pri_1_cryptomap to access ip 192.168.1.0 scope list allow 255.255.255.0 object-group NY
outside_pri_access_in list extended access permit tcp any interface outside_pri eq www
outside_pri_access_in list extended access permit tcp any outside_pri eq https interface
outside_pri_access_in list extended access permit tcp any interface outside_pri eq 8100
outside_pri_access_in list extended access permit tcp any outside_pri eq idle ssh interface
outside_pri_access_in list extended access permit icmp any any echo response
outside_pri_access_in list extended access permit icmp any any source-quench
outside_pri_access_in list extended access allow all unreachable icmp
outside_pri_access_in list extended access permit icmp any one time exceed
outside_pri_access_in list extended access permit tcp any 64.20.30.168 255.255.255.248 eq 8586
levelwingVPN_splitTunnelAcl list standard access allowed 192.168.1.0 255.255.255.0
levelwingVPN_splitTunnelAcl list standard access allowed 10.1.0.0 255.255.255.0
outside_pri_cryptomap to access ip 192.168.1.0 scope list allow 255.255.255.0 object-group CHS-Colo
backup_nat0_outbound list extended access allowed object-group DM_INLINE_NETWORK_1 192.168.12.0 ip 255.255.255.0
outside_pri_cryptomap_1 list extended access allow DM_INLINE_SERVICE_2 of object-group 192.168.1.0 255.255.255.0 10.1.0.0 255.255.255.0
outside_19_cryptomap to access extended list ip 192.168.12.0 allow 255.255.255.0 10.1.0.0 255.255.255.0
inside_nat0_outbound_1 to access ip 192.168.1.0 scope list allow 255.255.255.0 object-group CHS-Colo
VPN-Corp-Colo extended access list permits object-group DM_INLINE_SERVICE_1 192.168.12.0 255.255.255.0 10.1.0.0 255.255.255.0
Note to OUTSIDE-NAT0 NAT0 customer VPN remote site access-list
OUTSIDE-NAT0 192.168.12.0 ip extended access list allow 255.255.255.0 10.1.0.0 255.255.255.0
L2LVPN to access extended list ip 192.168.12.0 allow 255.255.255.0 10.1.0.0 255.255.255.0
pager lines 24
Enable logging
debug logging in buffered memory
exploitation forest asdm warnings
record of the rate-limit unlimited level 4
destination of exports flow inside 192.168.1.1 2055
timeout-rate flow-export model 1
Within 1500 MTU
outside_pri MTU 1500
backup of MTU 1500
local pool LVCHSVPN 192.168.12.100 - 192.168.12.254 255.255.255.0 IP mask
no failover
ICMP unreachable rate-limit 100 burst-size 5
ICMP allow any inside
ICMP allow any outside_pri
don't allow no asdm history
ARP timeout 14400
NAT-control
interface of global (outside_pri) 1
Global 1 interface (backup)
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 0 inside_nat0_outbound_1 list of outdoor access
NAT (inside) 1 0.0.0.0 0.0.0.0
NAT (outside_pri) 0-list of access OUTSIDE-NAT0
backup_nat0_outbound (backup) NAT 0 access list
static TCP (inside outside_pri) interface https 192.168.1.45 https netmask 255.255.255.255 dns
static TCP (inside outside_pri) interface 192.168.1.45 www www netmask 255.255.255.255 dns
static TCP (inside outside_pri) interface 8586 192.168.1.45 8586 netmask 255.255.255.255 dns
static (inside, inside) tcp interface 8100 192.168.1.45 8100 netmask 255.255.255.255 dns
Access-group outside_pri_access_in in the outside_pri interface
Route 0.0.0.0 outside_pri 0.0.0.0 64.20.30.169 1 track 1
Backup route 0.0.0.0 0.0.0.0 173.165.159.246 254
Timeout xlate 03:00
Conn Timeout 0:00:00 half-closed 0:30:00 udp icmp from 01:00 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 01:00 uauth uauth absolute inactivity from 01:00
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
AAA authentication enable LOCAL console
AAA authentication http LOCAL console
the ssh LOCAL console AAA authentication
http server enable 981
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside_pri
http 0.0.0.0 0.0.0.0 backup
SNMP server group Authentication_Only v3 auth
SNMP-server host inside 192.168.1.47 survey community lwmedia version 2 c
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Sysopt connection tcpmss 1200
monitor SLA 123
type echo protocol ipIcmpEcho 216.59.44.220 interface outside_pri
Annex ALS life monitor 123 to always start-time now
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set esp-3des-sha1 esp-3des esp-sha-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto ipsec df - bit clear-df outside_pri
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto outside_pri_map 1 match address outside_pri_1_cryptomap
card crypto outside_pri_map 1 set pfs
peer set card crypto outside_pri_map 1 50.75.217.246
card crypto outside_pri_map 1 set of transformation-ESP-AES-256-MD5
card crypto outside_pri_map 2 match address outside_pri_cryptomap
peer set card crypto outside_pri_map 2 216.59.44.220
card crypto outside_pri_map 2 the value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
86400 seconds, duration of life card crypto outside_pri_map 2 set security-association
card crypto outside_pri_map 3 match address outside_pri_cryptomap_1
peer set card crypto outside_pri_map 3 216.59.44.220
outside_pri_map crypto map 3 the value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_pri_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
card crypto outside_pri_map interface outside_pri
crypto isakmp identity address
ISAKMP crypto enable outside_pri
crypto ISAKMP policy 5
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 10
preshared authentication
the Encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 30
preshared authentication
aes-256 encryption
md5 hash
Group 2
life 86400
crypto ISAKMP policy 50
preshared authentication
aes encryption
md5 hash
Group 2
life 86400
!
track 1 rtr 123 accessibility
Telnet timeout 5
SSH 192.168.1.0 255.255.255.0 inside
SSH timeout 5
Console timeout 0
management-access inside
dhcpd auto_config outside_pri
!
dhcpd address 192.168.1.51 - 192.168.1.245 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
rental contract interface 86400 dhcpd inside
dhcpd field LM inside interface
dhcpd allow inside
!
a basic threat threat detection
statistical threat detection port
Statistical threat detection Protocol
Statistics-list of access threat detection
a statistical threat detection host number rate 2
no statistical threat detection tcp-interception
WebVPN
port 980
allow inside
Select outside_pri
enable SVC
attributes of Group Policy DfltGrpPolicy
VPN-idle-timeout no
Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
internal GroupPolicy2 group strategy
attributes of Group Policy GroupPolicy2
Protocol-tunnel-VPN IPSec svc
internal levelwingVPN group policy
attributes of the strategy of group levelwingVPN
Protocol-tunnel-VPN IPSec svc webvpn
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list levelwingVPN_splitTunnelAcl
username password encrypted Z74.JN3DGMNlP0H2 privilege 0 aard
aard attribute username
VPN-group-policy levelwingVPN
type of remote access service
rcossentino 4UpCXRA6T2ysRRdE encrypted password username
username rcossentino attributes
VPN-group-policy levelwingVPN
type of remote access service
bcherok evwBWqKKwrlABAUp encrypted password username
username bcherok attributes
VPN-group-policy levelwingVPN
type of remote access service
rscott nIOnWcZCACUWjgaP encrypted password privilege 0 username
rscott username attributes
VPN-group-policy levelwingVPN
sryan 47u/nJvfm6kprQDs password encrypted username
sryan username attributes
VPN-group-policy levelwingVPN
type of nas-prompt service
username, password cbruch a8R5NwL5Cz/LFzRm encrypted privilege 0
username cbruch attributes
VPN-group-policy levelwingVPN
type of remote access service
apellegrino yy2aM21dV/11h7fR password encrypted username
username apellegrino attributes
VPN-group-policy levelwingVPN
type of remote access service
username rtuttle encrypted password privilege 0 79ROD7fRw5C4.l5
username rtuttle attributes
VPN-group-policy levelwingVPN
username privilege 15 encrypted password vJFHerTwBy8dRiyW levelwingadmin
username password nbrothers Amjc/rm5PYhoysB5 encrypted privilege 0
username nbrothers attributes
VPN-group-policy levelwingVPN
clong z.yb0Oc09oP3/mXV encrypted password username
clong attributes username
VPN-group-policy levelwingVPN
type of remote access service
username, password finance 9TxE6jWN/Di4eZ8w encrypted privilege 0
username attributes finance
VPN-group-policy levelwingVPN
Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
type of remote access service
IPSec-attributes tunnel-group DefaultL2LGroup
Disable ISAKMP keepalive
tunnel-group 50.75.217.246 type ipsec-l2l
IPSec-attributes tunnel-group 50.75.217.246
pre-shared-key *.
Disable ISAKMP keepalive
type tunnel-group levelwingVPN remote access
tunnel-group levelwingVPN General-attributes
address LVCHSVPN pool
Group Policy - by default-levelwingVPN
levelwingVPN group of tunnel ipsec-attributes
pre-shared-key *.
tunnel-group 216.59.44.221 type ipsec-l2l
IPSec-attributes tunnel-group 216.59.44.221
pre-shared-key *.
tunnel-group 216.59.44.220 type ipsec-l2l
IPSec-attributes tunnel-group 216.59.44.220
pre-shared-key *.
Disable ISAKMP keepalive
!
!
!
Policy-map global_policy
!
context of prompt hostname
Cryptochecksum:ed7f4451c98151b759d24a7d4387935b
: end
Hello
It seems to me that you've covered most of the things.
You however not "said" Configuring VPN L2L that traffic between the pool of VPN and network camp should be in tunnel
outside_pri_cryptomap to access extended list ip 192.168.12.0 allow 255.255.255.0 object-group CHS-Colo
Although naturally the remote end must also the corresponding configurations for users of VPN clients be able to pass traffic to the site of the camp.
-Jouni
-
Unable to connect using the Cisco VPN client
Hi all. I recently configured a 5510 ASA to allow remote access using the Cisco VPN client. The problem is that everything works fine when I connect using a modem classic or on a computer with a public address that I use for testing purposes, but whenever I try to connect with on an ADSL line, I can't access to the resources. I have connection and after that nothing, I can not achieve anything.
I enclose the relevant configuration information in the attachment. Any help is welcome.
Depending on the version, add...
ISAKMP nat-traversal
or
ISAKMP nat-traversal crypto
Should be all you need.
-
SSLVPN via Cisco VPN Client (simultaneous use)
Hi, I'm working on a new show: 1) connect to the first network with Cisco VPN client. (2) to leave this connection, road to another Cisco SSLVPN device and perform a SSL - VPN connection. Has anyone tried this before? Are there problems, workarounds? Thanks in advance!
I do it all the time without any problems.
HTH >
-
Why my VPN clients cannot access network drives and resources?
I have a cisco asa 5505 configured to be a VPN gateway. I can dial using the anyconnect VPN client. The remote user is assigned an IP address to my specifications. However... The remote user cannot access network such as disks in network resources or the fax server. I've done everything I can to set the right settings NAT and ACLs, but in vain. I write my config... If someone can track down the problem. It would be appreciated!
: Saved
:
ASA Version 8.2 (5)
!
ciscoasa hostname
Cisco domain name
activate the password xxxxxxxxxxxxx
passwd xxxxxxxxxxxxxxxxx
names of
name 68.191.xxx.xxx outdoors
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.201.200 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP address outside 255.255.255.0
!
passive FTP mode
DNS domain-lookup outside
DNS lookup field inside
DNS server-group DefaultDNS
192.168.201.1 server name
Cisco domain name
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
object-group Protocol TCPUDP
object-protocol udp
object-tcp protocol
object-group network obj - 192.168.201.0
FREE access-list extended ip 192.168.201.0 NAT allow 255.255.255.0 192.168.201.0 255.255.255.0
NAT-FREE 192.168.202.0 permits all ip extended access list 255.255.255.0
FREE access-list extended ip 192.168.202.0 NAT allow 255.255.255.0 any
Extended access list-NAT-FREE enabled a whole icmp
allow any scope to an entire ip access list
allow any scope to the object-group TCPUDP an entire access list
allow any scope to an entire icmp access list
inside_access_in of access allowed any ip an extended list
inside_access_in list extended access allow TCPUDP of object-group a
inside_access_in list extended access permit icmp any one
outside_access_in of access allowed any ip an extended list
outside_access_in list extended access allow TCPUDP of object-group a
outside_access_in list extended access permit icmp any one
Standard access list DefaultRAGroup_splitTunnelAcl allow 192.168.201.0 255.255.255.0
access extensive list ip 192.168.202.0 inside_nat0_outbound allow 255.255.255.0 192.168.201.0 255.255.255.0
inside_nat0_outbound list extended access permit icmp any one
inside_nat0_outbound_1 of access allowed any ip an extended list
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
mask 192.168.202.1 - 192.168.202.50 255.255.255.0 IP local pool KunduVPN
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
NAT-control
Global 1 interface (outside)
NAT (inside) 0 inside_nat0_outbound_1 list of outdoor access
NAT (inside) 1 192.168.201.0 255.255.255.0
Access-group outside_access_in in interface outside
inside_access_in access to the interface inside group
Route inside 0.0.0.0 0.0.0.0 192.168.201.1 1
Route inside 0.0.0.0 255.255.255.255 outdoor 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
http 192.168.201.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outdoors
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-3des esp-sha-hmac TRANS_ESP_3DES_SHA
Crypto ipsec transform-set transit mode TRANS_ESP_3DES_SHA
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
Crypto ca trustpoint ASDM_TrustPoint0
registration auto
name of the object CN = ciscoasa
Keypairs xxx
Proxy-loc-transmitter
Configure CRL
XXXXXXXXXXXXXXXXXXXXXXXX
quit smoking
crypto ISAKMP allow outside
crypto ISAKMP allow inside
crypto ISAKMP policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
dhcpd outside auto_config
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
SSL-trust outside ASDM_TrustPoint0 point
WebVPN
allow outside
allow inside
SVC disk0:/anyconnect-win-2.5.2014-k9.pkg 1 image
enable SVC
tunnel-group-list activate
internal DefaultRAGroup group strategy
attributes of Group Policy DefaultRAGroup
value of 192.168.201.1 DNS server
VPN-tunnel-Protocol svc webvpn
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list DefaultRAGroup_splitTunnelAcl
Cisco by default field value
attributes of Group Policy DfltGrpPolicy
Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
WebVPN
SVC request enable
internal KunduVPN group strategy
attributes of Group Policy KunduVPN
WINS server no
value of 192.168.201.1 DNS server
VPN-tunnel-Protocol svc webvpn
Cisco by default field value
username xxxx
username xxxxx
VPN-group-policy DfltGrpPolicy
attributes global-tunnel-group DefaultRAGroup
address VPNIP pool
Group Policy - by default-DefaultRAGroup
IPSec-attributes tunnel-group DefaultRAGroup
pre-shared key *.
tunnel-group DefaultRAGroup ppp-attributes
ms-chap-v2 authentication
type tunnel-group KunduVPN remote access
attributes global-tunnel-group KunduVPN
address (inside) VPNIP pool
address pool KunduVPN
authentication-server-group (inside) LOCAL
Group Policy - by default-KunduVPN
tunnel-group KunduVPN webvpn-attributes
enable KunduVPN group-alias
allow group-url https://68.191.xxx.xxx/KunduVPN
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:c0e4540d4a07f2c544f0eddb653627cc
: end
don't allow no asdm history
Hello
What is the IP address of the hosts/servers LAN Gateway?
If this is not the ASA 'inside' interface IP address then I assume that the problem with VPN is simply routing.
For example, if your hosts/servers LAN wireless LAN gateway router then the following would happen to your Clients VPN connections.
- Forms of customers login VPN users through configuring wireless routers static PAT (Port Forward) to interface "inside" ASA
- Client VPN sends traffic through the VPN to ASA and again the host of the server or LAN.
- Host/server LAN sees the connection from a network other than the LAN (192.168.202.0/24) and therefore to forward traffic to the default gateway that would likely be the wireless router.
- Wireless router has no route to the network 192.168.202.0/24 (VPN Pool) and therefore uses its default route to the external network to forward traffic.
- Client VPN host never received the traffic back as transmitted sound on the external network and abandoned by the ISP
So if the above assumption is correct, then you would at least need a configuration of the road on the wireless router that tells the device to transfer traffic to the network 192.168.202.0/24 to the 192.168.201.200 gateway IP address (which is the SAA)
I would like to know if the installation is as described above.
-Jouni
-
How to allow access to a local area network behind the cisco vpn client
Hi, my question is about how to allow access to a local area network behind the cisco vpn client
With the help of:
- Cisco 5500 Series Adaptive Security Appliance (ASA) that is running version 8.2 software
- Cisco VPN Client version 5.0 software
Cisco VPN client allows to inject a local routes in the routing table Cisco ASA?
Thank you.
Hi Vladimir,.
Unfortunately this is not a supported feature if you connect through the VPN Client. With VPN Client, that the VPN Client can access the VPN Client LAN host/local machine, not host from the local network to business as customer VPN is not designed for access from the local company network, but to the local corporate network.
If you want to access from your local business to your LAN network, you need to configure LAN-to-LAN tunnel.
-
Cisco vpn client to connect but can not access to the internal network
Hi all
I have a VPN configured on cisco 5540. My vpn was working fine, but suddenly there is a question that the cisco vpn client to connect but can not access to the internal network
Any help would be much appreciated.
Hi Samir,
I suggest that you go to the ASA and check the configuration to make sure that it complies with the requirements according to the reference below link:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805734ae.shtml
(The link above includes split tunneling, but this is just an option.
Please paste the output of "sh cry ipsec his" here so that we can check if phase 2 is properly trained. I would say as you go to IPSEC vpn client on your PC and check increment in packets sent and received in the window 'status '.
Let me know if this can help,
See you soon,.
Christian V
-
Cisco VPN Client anything cannot access through VPN on an ASA5505 8.4
Hello
Completely new to Cisco ASA and the need to get this working ASAP.
8.4 (1) ASA 5505 is the secondary FW and I need to authorize all out and block everything coming, but for the VPN clients. Since a jerk of Cisco, I used the ASDM and it's sorcerers to make this work, which may explain my situation.
192.168.101.0/24 is the local network
192.168.101.5 is the IP of ASA
192.168.101.2 is the primary FW (and the default gateway for servers, I have to access through the VPN)
10.10.101.0/24 is the VPN IP range (this can be what you want, I'm not married to it somehow)
My Cisco VPN Client connects to the ASA and receives 10.10.101.1 IP address, but I get no connectivity to the ASA or any other 192.168.101.x or service server (tried RDP, telnet, ping, etc.)
Configuration file is attached.
Help pretty please!
Thank you.
Did you add a route for the VPN Pool on the main firewall to the ASA?
Best regards
Peer
Sent by Cisco Support technique iPad App
-
Hello
IPhone 4 s last IOS5 V 5.1.1 installed
I'm not able to make the native IPSEC VPN connection upset my company Cisco 877
Instead, all my computer laptop and netbook with Cisco VPN Client work installed fine when they connect remotely to society 877
Turn debugging 877, it seems Iphone successfully passes the 1 connection ike (actually Iphone wonder phase2 user/pass), but it hung to phase2 give me the error 'Negotiation with the VPN server has no' back
An idea or a known issue on this?
This is how I configured my VPN 877 part:
R1 (config) # aaa new-model
R1 (config) # aaa authentication default local connection
R1 (config) # aaa authentication login vpn_xauth_ml_1 local
R1 (config) # aaa authentication login local sslvpn
R1 (config) # aaa authorization network vpn_group_ml_1 local
R1 (config) # aaa - the id of the joint session
Crypto isakmp policy of R1 (config) # 1
R1(config-ISAKMP) # BA 3des
# Preshared authentication R1(config-ISAKMP)
Group R1(config-ISAKMP) # 2
R1(config-ISAKMP) #.
R1(config-ISAKMP) #crypto isakmp policy 2
R1(config-ISAKMP) # BA 3des
Md5 hash of R1(config-ISAKMP) #.
# Preshared authentication R1(config-ISAKMP)
Group R1(config-ISAKMP) # 2
Output R1(config-ISAKMP) #.
R1 (config) # CUSTOMER - VPN crypto isakmp client configuration group
R1(config-ISAKMP-Group) # key xxxxxxxx
R1(config-ISAKMP-Group) # 192.168.0.1 dns
R1(config-ISAKMP-Group) # VPN - pool
ACL R1(config-ISAKMP-Group) # 120
R1(config-ISAKMP-Group) max-users # 5
Output R1(config-ISAKMP-Group) #.
R1 (config) # ip local pool VPN-pool 192.168.0.20 192.168.0.25
R1 (config) # crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
R1 (config) # crypto ipsec VPN-profile-1 profile
R1(IPSec-Profile) # set the transform-set encrypt method 1
Tunnel type interface virtual-Template2 R1 (config) #.
R1(Config-if) # ip unnumbered FastEthernet0/0
R1(Config-if) # tunnel mode ipsec ipv4
Ipsec protection tunnel R1(Config-if) # VPN - profile - 1 profile
Profile of R1 (config) # isakmp crypto vpn-ike-profile-1
R1(conf-ISA-Prof) # match group identity CUSTOMER VPN
R1(conf-ISA-Prof) # vpn_xauth_ml_1 list client authentication
R1(conf-ISA-Prof) # isakmp authorization list vpn_group_ml_1
R1(conf-ISA-Prof) # client configuration address respond
R1(conf-ISA-Prof) virtual-model # 2
Then run AccessList 120 for desired traffic ("access-list 120 now allows ip any any")
I have configured my VPN Cisco "CUSTOMER-VPN" clients and relative password
Whenever they connect, they are prompted for the password and username phase2 then they join the VPN with an IP address from local subnet released.
With the same parameters required and confirmed in section ipsec VPN Iphone it does not work.
It's 877 isakmp debug output after that Iphone wonder name of user and password (then I suppose that phase 1 completed):
* 14:29:30.731 May 19: ISAKMP (0:2081): received 151.38.197.143 packet 500 Global 500 (R) sport dport CONF_XAUTH
* 14:29:30.735 May 19: ISAKMP: (2081): responsible for operation of 151.38.197.143 of treatment. Message ID =-1427983983
* 14:29:30.735 May 19: ISAKMP: Config payload RESPONSE
* 14:29:30.735 May 19: ISAKMP/xauth: response XAUTH_USER_NAME_V2 attribute
* 14:29:30.735 May 19: ISAKMP/xauth: response XAUTH_USER_PASSWORD_V2 attribute
* 14:29:30.735 May 19: ISAKMP: (2081): node-1427983983 error suppression FALSE reason "made with Exchange of request/response xauth.
* 14:29:30.735 May 19: ISAKMP: (2081): entry = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
* 14:29:30.735 May 19: ISAKMP: (2081): former State = new State IKE_XAUTH_REQ_SENT = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT
* 14:29:30.743 May 19: ISAKMP: node set 1322685842 to CONF_XAUTH
* 19 May 14:29:30.747: ISAKMP: (2081): launch peer 151.38.197.143 config. ID = 1322685842
* 19 May 14:29:30.747: ISAKMP: (2081): lot of 151.38.197.143 sending my_port 500 peer_port 500 (R) CONF_XAUTH
* 14:29:30.747 May 19: ISAKMP: (2081): sending a packet IPv4 IKE.
* 14:29:30.747 May 19: ISAKMP: (2081): entry = IKE_MESG_FROM_AAA, IKE_AAA_CONT_LOGIN
* 14:29:30.747 May 19: ISAKMP: (2081): former State = new State IKE_XAUTH_AAA_CONT_LOGIN_AWAIT = IKE_XAUTH_SET_SENT
* 14:29:31.299 May 19: ISAKMP (0:2081): received 151.38.197.143 packet 500 Global 500 (R) sport dport CONF_XAUTH
* 14:29:31.299 May 19: ISAKMP: (2081): responsible for operation of 151.38.197.143 of treatment. Message ID = 1322685842
* 14:29:31.299 May 19: ISAKMP: Config payload ACK
* 19 May 14:29:31.303: ISAKMP: (2081): XAUTH ACK processed
* 14:29:31.303 May 19: ISAKMP: (2081): error suppression node 1322685842 FALSE basis "Mode of Transaction.
* 14:29:31.303 May 19: ISAKMP: (2081): talking to a customer of the unit
* 14:29:31.303 May 19: ISAKMP: (2081): entry = IKE_MESG_FROM_PEER, IKE_CFG_ACK
* 14:29:31.303 May 19: ISAKMP: (2081): former State = new State IKE_XAUTH_SET_SENT = IKE_P1_COMPLETE
* 14:29:31.303 May 19: ISAKMP: (2081): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
* 14:29:31.303 May 19: ISAKMP: (2081): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE
* 19 May 14:29:31.303: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
* 14:29:31.315 May 19: ISAKMP: (2081): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
* 14:29:31.315 May 19: ISAKMP: (2081): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE
* 14:29:31.623 may 19: ISAKMP (0:2081): received 151.38.197.143 packet 500 Global 500 (R) sport dport QM_IDLE
* 14:29:31.623 may 19: ISAKMP: node set-851463821 to QM_IDLE
* 14:29:31.623 may 19: ISAKMP: (2081): responsible for operation of 151.38.197.143 of treatment. Message ID =-851463821
* 14:29:31.623 may 19: ISAKMP: Config payload REQUEST
* 14:29:31.623 may 19: ISAKMP: (2081): verification of claim:
* 14:29:31.623 may 19: ISAKMP: IP4_ADDRESS
* 14:29:31.623 may 19: ISAKMP: IP4_NETMASK
* 14:29:31.623 may 19: ISAKMP: IP4_DNS
* 14:29:31.623 may 19: ISAKMP: IP4_NBNS
* 14:29:31.623 may 19: ISAKMP: ADDRESS_EXPIRY
* 14:29:31.623 may 19: ISAKMP: APPLICATION_VERSION
* 14:29:31.623 may 19: ISAKMP: MODECFG_BANNER
* 14:29:31.623 may 19: ISAKMP: domaine_par_defaut
* 14:29:31.623 may 19: ISAKMP: SPLIT_DNS
* 14:29:31.623 may 19: ISAKMP: SPLIT_INCLUDE
* 14:29:31.623 may 19: ISAKMP: INCLUDE_LOCAL_LAN
* 14:29:31.623 may 19: ISAKMP: PFS
* 14:29:31.623 may 19: ISAKMP: MODECFG_SAVEPWD
* 14:29:31.623 may 19: ISAKMP: FW_RECORD
* 14:29:31.623 may 19: ISAKMP: serveur_sauvegarde
* 14:29:31.623 may 19: ISAKMP: MODECFG_BROWSER_PROXY
* 14:29:31.627 May 19: ISAKMP/author: author asks for CUSTOMER-VPNsuccessfully group AAA
* 14:29:31.627 May 19: ISAKMP: (2081): entry = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
* 14:29:31.627 May 19: ISAKMP: (2081): former State = new State IKE_P1_COMPLETE = IKE_CONFIG_AUTHOR_AAA_AWAIT
* 14:29:31.627 May 19: ISAKMP: (2081): attributes sent in the message:
* 19 May 14:29:31.627: address: 0.2.0.0
* 19 May 14:29:31.627: ISAKMP: (2081):address of 192.168.0.21 assignment
* 14:29:31.627 May 19: ISAKMP: sending private address: 192.168.0.21
* 14:29:31.627 May 19: ISAKMP: send the subnet mask: 255.255.255.0
* 14:29:31.631 May 19: ISAKMP: sending IP4_DNS server address: 192.168.0.1
* 14:29:31.631 May 19: ISAKMP: sending ADDRESS_EXPIRY seconds left to use the address: 3576
* 14:29:31.631 May 19: ISAKMP: string APPLICATION_VERSION sending: Cisco IOS software, software C870 (C870-ADVIPSERVICESK9-M), Version 12.4 (15) T7, VERSION of the SOFTWARE (fc3)
Technical support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Updated Friday 14 August 08 07:43 by prod_rel_team
* 14:29:31.631 May 19: ISAKMP: split shipment include the name Protocol 120 network 0.0.0.0 mask 0.0.0.0 0 src port 0, port 0 DST
* 14:29:31.631 May 19: ISAKMP: sending save the password answer value 0
* 19 May 14:29:31.631: ISAKMP: (2081): respond to peer 151.38.197.143 config. ID =-851463821
* 19 May 14:29:31.631: ISAKMP: (2081): lot of 151.38.197.143 sending my_port 500 peer_port 500 (R) CONF_ADDR
* 14:29:31.631 May 19: ISAKMP: (2081): sending a packet IPv4 IKE.
* 14:29:31.631 May 19: ISAKMP: (2081): node-851463821 error suppression FALSE reason "error no.".
* 14:29:31.631 May 19: ISAKMP: (2081): talking to a customer of the unit
* 14:29:31.631 May 19: ISAKMP: (2081): entry = IKE_MESG_FROM_AAA, IKE_AAA_GROUP_ATTR
* 14:29:31.631 May 19: ISAKMP: (2081): former State = new State IKE_CONFIG_AUTHOR_AAA_AWAIT = IKE_P1_COMPLETE
* 14:29:31.635 May 19: ISAKMP: (2081): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
* 14:29:31.635 May 19: ISAKMP: (2081): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE
Here the Iphone remains unused for a few seconds...
* 14:29:48.391 May 19: ISAKMP (0:2081): received 151.38.197.143 packet 500 Global 500 (R) sport dport QM_IDLE
* 14:29:48.391 May 19: ISAKMP: node set 1834509506 to QM_IDLE
* 19 May 14:29:48.391: ISAKMP: (2081): HASH payload processing. Message ID = 1834509506
* 19 May 14:29:48.391: ISAKMP: (2081): treatment of payload to DELETE. Message ID = 1834509506
* 14:29:48.391 May 19: ISAKMP: (2081): peer does not paranoid KeepAlive.
* 14:29:48.395 May 19: ISAKMP: (2081): peer does not paranoid KeepAlive.
* 14:29:48.395 May 19: ISAKMP: (2081): removal of HIS right State 'No reason' (R) QM_IDLE (post 151.38.197.143)
* 14:29:48.395 May 19: ISAKMP: (2081): error suppression node 1834509506 FALSE reason 'informational (en) State 1.
* 19 May 14:29:48.395: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
* 19 May 14:29:48.395: IPSEC (key_engine_delete_sas): rec would notify of ISAKMP
* 19 May 14:29:48.395: IPSEC (key_engine_delete_sas): remove all SAs shared with peer 151.38.197.143
* 14:29:48.395 May 19: ISAKMP: node set-1711408233 to QM_IDLE
* 19 May 14:29:48.395: ISAKMP: (2081): lot of 151.38.197.143 sending my_port 500 peer_port 500 (R) QM_IDLE
* 14:29:48.395 May 19: ISAKMP: (2081): sending a packet IPv4 IKE.
* 14:29:48.399 May 19: ISAKMP: (2081): purge the node-1711408233
* 14:29:48.399 May 19: ISAKMP: (2081): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
* 14:29:48.399 May 19: ISAKMP: (2081): former State = new State IKE_P1_COMPLETE = IKE_DEST_SA
* 14:29:48.399 May 19: ISAKMP: (2081): removal of HIS right State 'No reason' (R) QM_IDLE (post 151.38.197.143)
* 14:29:48.399 May 19: ISAKMP: (0): cannot decrement IKE Call Admission Control incoming_active stat because he's already 0.
* 14:29:48.399 May 19: ISAKMP (0:2081): return address 192.168.0.21 to pool
* 14:29:48.399 May 19: ISAKMP: Unlocking counterpart struct 0 x 84084990 for isadb_mark_sa_deleted(), count 0
* 14:29:48.399 May 19: ISAKMP: return address 192.168.0.21 to pool
* 14:29:48.399 May 19: ISAKMP: delete peer node by peer_reap for 151.38.197.143: 84084990
* 14:29:48.399 May 19: ISAKMP: return address 192.168.0.21 to pool
* 14:29:48.403 May 19: ISAKMP: (2081): node-1427983983 error suppression FALSE reason 'IKE deleted.
* 14:29:48.403 May 19: ISAKMP: (2081): error suppression node 1322685842 FALSE reason 'IKE deleted.
* 14:29:48.403 May 19: ISAKMP: (2081): node-851463821 error suppression FALSE reason 'IKE deleted.
* 14:29:48.403 May 19: ISAKMP: (2081): error suppression node 1834509506 FALSE reason 'IKE deleted.
* 14:29:48.403 May 19: ISAKMP: (2081): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
* 14:29:48.403 May 19: ISAKMP: (2081): former State = new State IKE_DEST_SA = IKE_DEST_SA
* 19 May 14:29:48.403: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
It seems 877 comes even to assign a local ip address of LAN for Iphone (192.168.0.21) but then something goes wrong...
Any idea or suggestion on this?
Thank you very much
Hi Federico,.
Please let us know.
Please mark this message as answered while others will be able to learn the lessons.
Thank you.
Portu.
-
Cisco vpn client 5.0.07 no internet access
I am trying to configure access remote vpn for the ASA 5505 in my office.
The config is configured on my ASA, and I have cisco vpn client 5.0.07 installed on my laptop (64 bit) to Windows 7. I can start the vpn, put in my references and it seems that everything goes through, but once I'm connected, I lose access to the internet, and I cannot ping anything (4.2.2.2, 192.168.1.1 (gateway), etc...)
I keep seeing something uncheck the "use default gateway on remote network", but this option is available in the TCP/IP properties. Any suggestions?
Eric,
This should be the last change. Looks like you don't have inside the network split tunnel.
Here is the entry you need to do
TunnelSplit1 list standard access allowed 192.168.1.0 255.255.255.0
disconnect and reconnect. It should work like a charm.
Thank you
Bad Boy
-
Dear all,
I have cisco vpn client v5.0.05.
1 / when I lunch the customer, it connect to the asa, so I can't reach the network behind my ASA
2 / when connected to the vpn client, I can not use my access to the internet, I configured splitunnel, but does not.
3 / sometimes, cisco vpn client disable my network ip of the gateway card.
Please, can someone help me?
Concerning
Can you please share the configuration of the SAA. There is no specific configuration that must be done on the vpn client.
-
PIX: Cisco VPN Client connects but no routing
Hello
We have a Cisco PIX 515 with software 7.1 (2). He accepts Cisco VPN Client connections with no problems, but no routing does to internal networks directly connected to the PIX. For example, my PC is affected by the IP 172.16.2.57 and then ping does not respond to internal Windows server 172.16.0.12 or trying to RDP. The most irritating thing is that these attempts are recorded in the system log, but always ended with "SYN timeout", as follows:
2009-01-06 23:23:01 Local4.Info 217.15.42.214% 302013-6-PIX: built 3315917 for incoming TCP connections (172.16.2.57/1283) outside:172.16.2.57/1283 inside: ALAI2 / 3389 (ALAI2/3389)
2009-01-06 23:23:31 Local4.Info 217.15.42.214% 302014-6-PIX: TCP connection disassembly 3315917 for outside:172.16.2.57/1283 inside: ALAI2 / 3389 duration 0:00:30 bytes 0 SYN Timeout
2009-01-06 23:23:31 Local4.Debug 217.15.42.214% 7-PIX-609002: duration of disassembly-outside local host: 172.16.2.57 0:00:30
We tried to activate and deactivate "nat-control", "permit same-security-traffic inter-interface" and "permit same-security-traffic intra-interface", but the results are the same: the VPN connection is successfully established, but remote clients cannot reach the internal servers.
I enclose the training concerned in order to understand the problem:
interface Ethernet0
Speed 100
full duplex
nameif outside
security-level 0
IP address xx.yy.zz.tt 255.255.255.240
!
interface Ethernet1
nameif inside
security-level 100
172.16.0.1 IP address 255.255.255.0
!
access extensive list ip 172.16.0.0 inside_nat0_outbound allow 255.255.255.0 172.16.2.56 255.255.255.248
!
access extensive list ip 172.16.0.0 outside_cryptomap_dyn_20 allow 255.255.255.0 172.16.2.56 255.255.255.248
!
VPN_client_group_splitTunnelAcl list standard access allowed 172.16.0.0 255.255.255.0
!
IP local pool pool_vpn_clientes 172.16.2.57 - 172.16.2.62 mask 255.255.255.248
!
NAT-control
Global xx.yy.zz.tt 12 (outside)
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 12 172.16.0.12 255.255.255.255
!
internal VPN_clientes group strategy
attributes of Group Policy VPN_clientes
xxyyzz.NET value by default-field
internal VPN_client_group group strategy
attributes of Group Policy VPN_client_group
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list VPN_client_group_splitTunnelAcl
xxyyzz.local value by default-field
!
I join all the details of the cryptographic algorithms because the VPN is successfully completed, as I said at the beginning. In addition, routing tables are irrelevant in my opinion, because the inaccessible hosts are directly connected to the internal LAN of the PIX 515.
Thank you very much.
can you confirm asa have NAT traversal allow otherwise, activate it in asa and vpn clients try again.
PIX / ASA 7.1 and earlier versions
PIX (config) #isakmp nat-traversal 20
PIX / ASA 7.2 (1) and later versions
PIX (config) #crypto isakmp nat-traversal 20
-
Routing issue of Cisco VPN Client ASA
Hi, I use a Barracuda NG for firewalls and I would use a Cisco ASA 5505 for VPN Client connections. But I have the problem that I can't get a connection to the VPN PC connected to the internal network. But I can reach the VPN connected PC from the inside. Here is a diagram of my network:
Here the IP Configuration and the routing of the Barracuda firewall table:
I have a route on the Barracuda NG to the 10.10.10.0/24 network VPN Client on eth0.
The 192.168.1.0/24 LAN I ping the Client comes with Client VPN 10.10.10.11 as it should. But I can't ping or access network resources in the local network for AnyConnected customer's PC that connected through the VPN.
Here is the config Cisco ASA:
: Saved : : Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz : ASA Version 9.2(2) ! hostname leela names ip local pool VPN-Pool 10.10.10.10-10.10.10.200 mask 255.255.255.0 ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 ! interface Ethernet0/3 ! interface Ethernet0/4 switchport access vlan 5 ! interface Ethernet0/5 ! interface Ethernet0/6 ! interface Ethernet0/7 ! interface Vlan1 nameif inside security-level 100 ip address 192.168.1.250 255.255.255.0 ! interface Vlan2 nameif outside security-level 0 ip address dhcp ! interface Vlan5 nameif dmz security-level 50 ip address 172.16.0.250 255.255.255.0 ! ftp mode passive clock timezone CEST 1 clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00 dns domain-lookup inside dns server-group DefaultDNS name-server 192.168.1.10 same-security-traffic permit inter-interface same-security-traffic permit intra-interface object network obj_any subnet 0.0.0.0 0.0.0.0 object network VPN-Pool subnet 10.10.10.0 255.255.255.0 description VPN-Pool object network NETWORK_OBJ_10.10.10.0_24 subnet 10.10.10.0 255.255.255.0 access-list inside_access_in extended permit ip any any access-list inside_access_in extended permit ip object VPN-Pool any access-list dmz_access_in extended permit ip any any access-list global_access extended permit ip any any access-list outside_access_in extended permit ip any any pager lines 24 logging enable logging asdm informational mtu inside 1500 mtu outside 1500 mtu dmz 1500 no failover icmp unreachable rate-limit 1 burst-size 1 no asdm history enable arp timeout 14400 no arp permit-nonconnected nat (inside,dmz) source static any any destination static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 no-proxy-arp route-lookup inactive access-group inside_access_in in interface inside access-group outside_access_in in interface outside access-group dmz_access_in in interface dmz access-group global_access global route dmz 0.0.0.0 0.0.0.0 172.16.0.254 1 route inside 0.0.0.0 0.0.0.0 192.168.1.254 tunneled timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy server-type microsoft user-identity default-domain LOCAL aaa authentication enable console LDAP_SRV_GRP LOCAL aaa authentication http console LDAP_SRV_GRP LOCAL aaa authentication ssh console LDAP_SRV_GRP LOCAL aaa authentication serial console LOCAL http server enable 444 http 192.168.1.0 255.255.255.0 inside snmp-server location Vienna crypto ipsec ikev2 ipsec-proposal DES protocol esp encryption des protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal 3DES protocol esp encryption 3des protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES protocol esp encryption aes protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES192 protocol esp encryption aes-192 protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES256 protocol esp encryption aes-256 protocol esp integrity sha-1 md5 crypto ipsec security-association pmtu-aging infinite crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map inside_map interface inside crypto map dmz_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map dmz_map interface dmz crypto ca trustpoint ASDM_TrustPoint0 enrollment self subject-name CN=leela proxy-ldc-issuer crl configure crypto ca trustpoint ASDM_TrustPoint1 enrollment terminal crl configure crypto ca trustpool policy crypto ca certificate chain ASDM_TrustPoint0 quit crypto ikev2 policy 1 encryption aes-256 integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 10 encryption aes-192 integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 20 encryption aes integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 30 encryption 3des integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 40 encryption des integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 enable dmz client-services port 443 crypto ikev2 remote-access trustpoint ASDM_TrustPoint0 telnet timeout 5 no ssh stricthostkeycheck ssh 192.168.1.0 255.255.255.0 inside ssh timeout 30 ssh key-exchange group dh-group1-sha1 console timeout 0 dhcpd auto_config outside ! dhcpd address 192.168.1.254-192.168.1.254 inside ! threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept dynamic-filter updater-client enable dynamic-filter use-database ntp server 192.168.1.10 source inside ssl trust-point ASDM_TrustPoint0 dmz ssl trust-point ASDM_TrustPoint0 inside webvpn enable dmz no anyconnect-essentials anyconnect image disk0:/anyconnect-macosx-i386-3.1.05170-k9.pkg 1 anyconnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 2 anyconnect image disk0:/anyconnect-linux-3.1.05170-k9.pkg 3 anyconnect image disk0:/anyconnect-linux-64-3.1.05170-k9.pkg 4 anyconnect profiles AnyConnect_client_profile disk0:/AnyConnect_client_profile.xml anyconnect enable tunnel-group-list enable group-policy DfltGrpPolicy attributes default-domain value group-policy GroupPolicy_AnyConnect internal group-policy GroupPolicy_AnyConnect attributes wins-server none dns-server value 192.168.1.10 vpn-tunnel-protocol ikev2 ssl-client webvpn anyconnect profiles value AnyConnect_client_profile type user group-policy portal internal group-policy portal attributes vpn-tunnel-protocol ssl-clientless webvpn url-list none username tunnel-group AnyConnect type remote-access tunnel-group AnyConnect general-attributes address-pool VPN-Pool authentication-server-group LDAP_SRV_GRP default-group-policy GroupPolicy_AnyConnect tunnel-group AnyConnect webvpn-attributes group-alias AnyConnect enable tunnel-group Portal type remote-access tunnel-group Portal general-attributes authentication-server-group LDAP_SRV_GRP default-group-policy portal tunnel-group Portal webvpn-attributes group-alias portal enable! ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 ! prompt hostname context no call-home reporting anonymous hpm topN enable : end no asdm history enable
Can someone please help me solve this problem?
When I tried to solve this I didn't choose which interface the Packet Tracer?
The interface inside or DMZ interface? Inside, he says it will not work with the dmz but the error did not help me
Anyone here knows why it does not work?
Hello
Inside LAN is directly connected to the right firewall VPN... then I don't think you have to have the itinerary tunnele... can you try to remove the road tunnel mode and check.
entrance to the road that is static to achieve 10.10.10.11 as its display is correct...
Route by tunnel watch also with 255 administrative distance. I've never used that in my scenarios... lets see...
Concerning
Knockaert
Maybe you are looking for
-
Why CarPlay icon does not? Chevrolet Spark 2016
I connected my iPhone 6 s more for my new car. Siri works fine, but no CarPlay icon. In addition, it is said failed to read, connect the device. What continues? Thank you
-
What is the meaning that I can send a proposal of improvement to iTunes U?
Please, everyone knows the direction to send an idea for improving iTunes U, I mean a proposal for improvement. Thank you Iñaki
-
Cannot make touchpad to scroll on a Tecra A10
Recently I upgraded my Windows 7 64 bit OS. I installed all the drivers available from www.toshiba-tro.de and the only problem is that my touchpad doesn't scroll.It works very well for the movement of the cursor, but does not scroll upwards or downwa
-
NOR-DAQmx Base 2.0 and Win Mobile 5
Hello Can someone tell me if NEITHER-DAQmx Base 2.0 is compatible with Win Mobile 5 devices? I try to capture analog voltages and my app very well builds and the charges for the PDA and the PDA does not see the DAQ (6062E) PCMCIA card that I use. I r
-
HP 15g 007 to the win 7 driver wifi lan please help me
HP 15g 007 to the win 7 driver wifi lan please help me