Cannot access remote network via site-to-site VPN on ASA

Hello everyone

First of all I must say that I have configured site-to-site VPNs a million times before. I'm stuck with this one. Firstly, I can't ping the outside interface of my remote ASA. Secondly, the VPN is in place, but there is no connectivity between the local networks.

ASA local:
hostname gyd-asa
domain-name bct.az
enable password XeY1QWHKPK75Y48j encrypted
passwd XeY1QWHKPK75Y48j encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 shutdown
 nameif vpnswc
 security-level 0
 ip address 10.254.17.41 255.255.255.248
!
interface GigabitEthernet0/1
 description Vpn-turan-Baku
 nameif outside-Baku
 security-level 0
 ip address 10.254.17.9 255.255.255.248
!
interface GigabitEthernet0/2
 description Vpn-ganja
 nameif outside-Ganja
 security-level 0
 ip address 10.254.17.17 255.255.255.248
!
interface GigabitEthernet0/2.30
 description remote access
 vlan 30
 nameif remote-access
 security-level 0
 ip address 85.*.*.* 255.255.255.0
!
interface GigabitEthernet0/3
 description BCT_Inside
 nameif inside-Bct
 security-level 100
 ip address 10.40.50.65 255.255.255.252
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.251.1 255.255.255.0
 management-only
!
boot system disk0:/asa823-k8.bin
ftp mode passive
dns server-group DefaultDNS
 name-server 192.168.1.3
 domain-name bct.az
same-security-traffic permit intra-interface
object-group network obj-192.168.121.0
object-group network obj-10.40.60.0
object-group network obj-10.40.50.0
object-group network obj-192.168.0.0
object-group network obj-172.26.0.0
object-group network obj-10.254.17.0
object-group network obj-192.168.122.0
object-group service obj-tcp-eq-22
object-group network obj-10.254.17.18
object-group network obj-10.254.17.10
object-group network obj-10.254.17.26
access-list 110 extended permit ip any any
access-list nat extended permit tcp any host 10.254.17.10 eq ssh
access-list nat extended permit tcp any host 10.254.17.26 eq ssh
access-list sheep extended permit ip any any
access-list icmp_inside extended permit icmp any any
access-list icmp_inside extended permit ip any any
access-list nat-ganja extended permit tcp any host 10.254.17.18 eq ssh
access-list rdp extended permit tcp any host 192.168.45.3 eq 3389
access-list rdp extended permit ip any any
access-list sheep-vpn extended permit ip 192.168.121.0 255.255.255.0 any
access-list nat-vpn-internet extended permit ip 192.168.121.0 255.255.255.0 any
access-list nat-vpn-internet extended permit ip 172.26.0.0 255.255.255.0 any
access-list nat-vpn-internet extended permit ip 192.168.122.0 255.255.255.0 any
access-list sheep-vpn-city extended permit ip 192.168.121.0 255.255.255.0 10.40.60.0 255.255.255.0
access-list sheep-vpn-city extended permit ip 192.168.121.0 255.255.255.0 10.40.50.0 255.255.255.0
access-list sheep-vpn-city extended permit ip 192.168.121.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list sheep-vpn-city extended permit ip 192.168.121.0 255.255.255.0 172.26.0.0 255.255.255.0
access-list sheep-vpn-city extended permit ip 192.168.121.0 255.255.255.0 10.254.17.0 255.255.255.0
access-list GHC-ganja-internet extended permit ip 192.168.45.0 255.255.255.0 any
access-list Split_Tunnel_List standard permit 192.168.16.0 255.255.255.0
access-list azans extended permit ip 192.168.69.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.121.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.80.0 255.255.255.0
pager lines 24
logging enable
logging emblem
logging console debugging
logging trap debugging
logging asdm informational
logging host inside-Bct 192.168.1.27
flow-export destination inside-Bct 192.168.1.27 9996
mtu vpnswc 1500
mtu outside-Baku 1500
mtu outside-Ganja 1500
mtu remote-access 1500
mtu inside-Bct 1500
mtu management 1500
ip local pool raccess 192.168.121.60-192.168.121.120 mask 255.255.255.0
ip local pool ssl 192.168.121.130-192.168.121.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside-Baku
icmp permit any remote-access
icmp permit any inside-Bct
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside-Baku) 1 interface
global (outside-Ganja) 2 interface
global (remote-access) 3 interface
nat (outside-Ganja) 3 access-list azans
nat (remote-access) 0 access-list sheep-vpn-city
nat (remote-access) 3 access-list nat-vpn-internet
nat (inside-Bct) 0 access-list inside_nat0_outbound
nat (inside-Bct) 2 access-list nat-ganja
nat (inside-Bct) 1 access-list nat
access-group rdp in interface outside-Ganja
!
router eigrp 2008
 no auto-summary
 neighbor 10.254.17.10 interface outside-Baku
 neighbor 10.40.50.66 interface inside-Bct
 network 10.40.50.64 255.255.255.252
 network 10.250.25.0 255.255.255.0
 network 10.254.17.8 255.255.255.248
 network 10.254.17.16 255.255.255.248
 redistribute static
!
route remote-access 0.0.0.0 0.0.0.0 85.*.*.* 1
route outside-Baku 10.0.11.0 255.255.255.0 10.254.17.10 1
route outside-Baku 10.0.33.0 255.255.255.0 10.254.17.10 1
route outside-Baku 10.0.150.0 255.255.255.0 10.254.17.10 1
route outside-Baku 10.0.170.0 255.255.255.0 10.254.17.10 1
route outside-Baku 10.254.17.24 255.255.255.248 10.254.17.10 1
route outside-Baku 10.254.17.32 255.255.255.248 10.254.17.10 1
route outside-Baku 192.1.1.0 255.255.255.0 10.254.17.10 1
route outside-Baku 192.168.27.0 255.255.255.0 10.254.17.10 1
route outside-Baku 192.168.39.0 255.255.255.0 10.254.17.10 1
route outside-Ganja 192.168.45.0 255.255.255.0 10.254.17.18 1
route outside-Ganja 192.168.66.0 255.255.255.0 10.254.17.18 1
route outside-Ganja 192.168.69.0 255.255.255.0 10.254.17.18 1
route outside-Baku 192.168.80.0 255.255.255.0 10.254.17.11 1
route remote-access 192.168.121.0 255.255.255.0 85.132.43.1 1
route outside-Ganja 192.168.184.0 255.255.255.0 10.254.17.18 1
route outside-Baku 192.168.208.16 255.255.255.240 10.254.17.10 1
route outside-Ganja 192.168.208.112 255.255.255.240 10.254.17.18 1
route inside-Bct 192.168.254.0 255.255.255.0 10.40.50.66 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside-Bct) host 192.168.1.8
 key *
aaa-server TACACS (inside-Bct) host 192.168.22.46
 key *
aaa-server TACACS1 protocol radius
aaa-server TACACS1 (inside-Bct) host 192.168.1.8
 key *
aaa-server TACACS1 (inside-Bct) host 192.168.22.46
 key *
aaa authentication ssh console TACACS LOCAL
aaa authentication enable console RADIUS LOCAL
aaa authentication telnet console RADIUS LOCAL
aaa accounting ssh console TACACS
aaa accounting telnet console TACACS
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 inside-Bct
http 192.168.139.0 255.255.255.0 inside-Bct
http 192.168.0.0 255.255.255.0 inside-Bct
snmp-server host inside-Bct 192.168.1.27 poll community *
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RIGHT esp-3des esp-md5-hmac
crypto ipsec transform-set newset esp-aes esp-md5-hmac
crypto ipsec transform-set myset2 esp-3des esp-sha-hmac
crypto ipsec transform-set raccess esp-3des esp-md5-hmac
crypto ipsec transform-set vpnclienttrans esp-3des esp-sha-hmac
crypto ipsec transform-set vpnclienttrans mode transport
crypto ipsec security-association lifetime seconds 2147483646
crypto ipsec security-association lifetime kilobytes 2147483646
crypto dynamic-map dyn1 1 set transform-set vpnclienttrans raccess
crypto map mymap 10 match address 110
crypto map mymap 10 set peer 10.254.17.10
crypto map mymap 10 set transform-set RIGHT
crypto map mymap 20 match address 110
crypto map mymap 20 set peer 10.254.17.11
crypto map mymap 20 set transform-set myset2
crypto map mymap interface outside-Baku
crypto map ganja 10 match address 110
crypto map ganja 10 set peer 10.254.17.18
crypto map ganja 10 set transform-set RIGHT
crypto map ganja interface outside-Ganja
crypto map vpntest 20 match address 110
crypto map vpntest 20 set peer 10.250.25.1
crypto map vpntest 20 set transform-set newset
crypto map vpntest interface vpnswc
crypto map vpnclientmap 30 ipsec-isakmp dynamic dyn1
crypto map vpnclientmap interface remote-access
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=gyd-asa.bct.az
 keypair sslvpnkeypair
 crl configure
crypto ca certificate map DefaultCertificateMap 10
crypto isakmp identity address
crypto isakmp enable vpnswc
crypto isakmp enable outside-Baku
crypto isakmp enable outside-Ganja
crypto isakmp enable remote-access
crypto isakmp enable inside-Bct
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30
no vpn-addr-assign aaa
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside-Bct
ssh timeout 35
console timeout 0
priority-queue outside-Baku
 queue-limit 2046
 tx-ring-limit 254
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.1.3
ssl encryption 3des-sha1 rc4-md5 aes128-sha1 aes256-sha1
ssl trust-point ASDM_TrustPoint0 remote-access vpnlb-ip
ssl trust-point ASDM_TrustPoint0 remote-access
webvpn
 enable remote-access
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy ssl internal
group-policy ssl attributes
 banner value welcome to SW
 dns-server value 192.168.1.3
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 group-lock value ssl
 webvpn
  url-list value SPS
group-policy vpn internal
group-policy vpn attributes
 dns-server value 192.168.1.3
 vpn-tunnel-protocol IPSec l2tp-ipsec
 pfs disable
 default-domain value BCT.AZ
 vpn-group-policy ssl
 webvpn
  url-list value SPS
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 20 retry 5
tunnel-group DefaultRAGroup general-attributes
 address-pool raccess
 authentication-server-group RADIUS
 default-group-policy vpn
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 20 retry 5
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 isakmp keepalive threshold 20 retry 5
tunnel-group 10.254.17.10 type ipsec-l2l
tunnel-group 10.254.17.10 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 20 retry 5
tunnel-group ssl type remote-access
tunnel-group ssl general-attributes
 address-pool ssl
 authentication-server-group (remote-access) LOCAL
 default-group-policy ssl
 username-from-certificate use-entire-name
tunnel-group ssl webvpn-attributes
 group-alias ssl enable
 group-url https://85.*.*.*/ enable
tunnel-group 10.254.17.18 type ipsec-l2l
tunnel-group 10.254.17.18 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 20 retry 5
tunnel-group 10.254.17.11 type ipsec-l2l
tunnel-group 10.254.17.11 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 20 retry 5
tunnel-group DefaultSWITGroup type remote-access
tunnel-group DefaultSWITGroup general-attributes
 address-pool raccess
 authentication-server-group RADIUS
 default-group-policy vpn
tunnel-group DefaultSWITGroup ipsec-attributes
 pre-shared-key *
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect ip-options
 class flow_export_cl
  flow-export event-type all destination 192.168.1.27
 class class-default
  flow-export event-type all destination 192.168.1.27
policy-map Voicepolicy
 class voice
  priority
 class data
  police output 80000000
!
service-policy global_policy global
service-policy Voicepolicy interface outside-Baku
prompt hostname context
Cryptochecksum:4f35f975ba7a0c11f7f46dfd541d266f
: end
gyd-asa#

ASA remote:
ASA Version 8.2(3)
!
hostname ciscoasa
enable password XeY1QWHKPK75Y48j encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.80.14 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 10.254.17.11 255.255.255.248
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
 management-only
!
boot system disk0:/asa823-k8.bin
ftp mode passive
access-list 110 extended permit ip any any
access-list sheep extended permit ip 192.168.80.0 255.255.255.0 192.168.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu management 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list sheep
route outside 0.0.0.0 0.0.0.0 10.254.17.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.80.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RIGHT esp-3des esp-md5-hmac
crypto ipsec transform-set newset esp-aes esp-md5-hmac
crypto ipsec transform-set myset2 esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 2147483646
crypto ipsec security-association lifetime kilobytes 2147483646
crypto map mymap 10 match address 110
crypto map mymap 10 set peer 10.254.17.9
crypto map mymap 10 set transform-set myset2
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 10.254.17.9 type ipsec-l2l
tunnel-group 10.254.17.9 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1c1ac60e2fb84f65269d15d53f27c21b
: end
ciscoasa#

Still, I can't ping the outside interface of the remote ASA from the outside interface of the local one. And there is no connectivity between the remote 192.168.80.0 network and the local ones, say 192.168.1.0. I have run out of ideas.

Would appreciate any help. Thank you in advance...

If the tunnel is up (phase 1) but no traffic is passing, the best test is the following:

Add the command management-access inside, and then try to ping the inside IP of the peer ASA.

ping inside x.x.x.x --> x.x.x.x is the inside IP of the peer ASA

The test above shows whether traffic passes through the tunnel (check the encrypted/decrypted packet counters in sh cry ips sa).

Test in both directions.

Please post the results.

Federico.
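The counter check Federico describes, worked out as an added script (not from the thread): it parses two snapshots of "show crypto ipsec sa" taken before and after the test ping and says, per crypto map entry, which direction moved packets. The sample output is constructed to resemble the local ASA above, and the field names assumed are those of ASA 8.x output.

```python
"""Classify a site-to-site tunnel from two 'show crypto ipsec sa' snapshots."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class IpsecSa:
    """One phase-2 SA pair as listed per crypto map entry by the ASA."""
    peer: str
    local_ident: str
    remote_ident: str
    encaps: int  # packets this ASA encrypted and sent into the tunnel
    decaps: int  # packets this ASA received from the tunnel and decrypted


# Field names as printed by ASA 8.x 'show crypto ipsec sa' (assumed format).
_PEER_RE = re.compile(r"current_peer:\s*(\S+)")
_LOCAL_RE = re.compile(r"local ident \(addr/mask/prot/port\):\s*\((\S+)\)")
_REMOTE_RE = re.compile(r"remote ident \(addr/mask/prot/port\):\s*\((\S+)\)")
_ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
_DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")


def parse_ipsec_sa(output: str) -> list[IpsecSa]:
    """Split the output into one block per 'Crypto map tag:' and pull the
    traffic identities and packet counters out of each block."""
    sas = []
    for block in re.split(r"(?m)^\s*Crypto map tag:", output)[1:]:
        found = [rx.search(block) for rx in
                 (_PEER_RE, _LOCAL_RE, _REMOTE_RE, _ENCAPS_RE, _DECAPS_RE)]
        if not all(found):
            continue  # no negotiated phase-2 SA for this entry: no counters yet
        peer, local, remote, enc, dec = (m.group(1) for m in found)
        sas.append(IpsecSa(peer, local, remote, int(enc), int(dec)))
    return sas


def diagnose(before: str, after: str) -> dict[tuple[str, str, str], str]:
    """Compare counters around a test ping (e.g. 'ping inside <peer inside IP>'
    with management-access inside set) and say which direction moved packets."""
    prev = {(s.peer, s.local_ident, s.remote_ident): s
            for s in parse_ipsec_sa(before)}
    verdicts = {}
    for s in parse_ipsec_sa(after):
        key = (s.peer, s.local_ident, s.remote_ident)
        old = prev.get(key)
        sent = s.encaps - (old.encaps if old else 0)
        recv = s.decaps - (old.decaps if old else 0)
        if sent > 0 and recv > 0:
            verdict = "bidirectional: the tunnel carries traffic both ways"
        elif sent > 0:
            verdict = ("encrypt-only: packets leave but nothing returns; check the "
                       "peer's NAT exemption, mirror crypto ACL and return route")
        elif recv > 0:
            verdict = ("decrypt-only: packets arrive but replies are not encrypted; "
                       "check this side's nat 0 exemption and route toward the peer")
        else:
            verdict = ("no-traffic: the test never matched this crypto map entry; "
                       "check the interesting-traffic ACL and the ping source")
        verdicts[key] = verdict
    return verdicts


# Constructed snapshots (not real captures) shaped like the local ASA above:
# crypto ACL 110 is 'permit ip any any', so both identities are 0.0.0.0/0.
SAMPLE_BEFORE = """\
interface: outside-Baku
    Crypto map tag: mymap, seq num: 10, local addr: 10.254.17.9

      access-list 110 extended permit ip any any
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: 10.254.17.10

      #pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200
      #pkts decaps: 1180, #pkts decrypt: 1180, #pkts verify: 1180

    Crypto map tag: mymap, seq num: 20, local addr: 10.254.17.9

      access-list 110 extended permit ip any any
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: 10.254.17.11

      #pkts encaps: 25, #pkts encrypt: 25, #pkts digest: 25
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
# After five pings: peer .10 answered, peer .11 swallowed everything.
SAMPLE_AFTER = (SAMPLE_BEFORE
                .replace("encaps: 1200, #pkts encrypt: 1200", "encaps: 1205, #pkts encrypt: 1205")
                .replace("decaps: 1180, #pkts decrypt: 1180", "decaps: 1185, #pkts decrypt: 1185")
                .replace("encaps: 25, #pkts encrypt: 25", "encaps: 30, #pkts encrypt: 30"))

if __name__ == "__main__":
    for (peer, _, _), verdict in diagnose(SAMPLE_BEFORE, SAMPLE_AFTER).items():
        print(f"{peer}: {verdict}")
```

Run it on both ASAs, as Federico says, since an "encrypt-only" verdict on one side should show up as "decrypt-only" on the other.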

Tags: Cisco Security

Similar Questions

  • Cannot access remote network via VPN

    Hello

    I'm trying to set up VPN access on a router to my office network. The router is connected to the Internet using VDSL with PPPoE.
    There is also a public-facing web server in the office which must remain accessible.

    I can access the web server from the Internet and the VPN connects successfully. I can also ping the LAN gateway; however, I can't access any of the local machines.

    I'm quite puzzled as to why it does not work. Please could someone help.

    The test results and the router configuration are listed below. Please let me know if you need additional information.

    Thank you and best regards,
    Simon

    1. routing table on the router
    Router#sh ip route
    Gateway of last resort is ggg.hhh.125.34 to network 0.0.0.0
         xxx.yyy.zzz.0/29 is subnetted, 1 subnets
    C       xxx.yyy.zzz.192 is directly connected, Vlan10
         ggg.hhh.125.0/32 is subnetted, 1 subnets
    C       ggg.hhh.125.34 is directly connected, Dialer0
         172.16.0.0/32 is subnetted, 1 subnets
    S       172.16.100.50 [1/0] via mmm.nnn.ppp.sss
    S*   0.0.0.0/0 [1/0] via ggg.hhh.125.34

    2. ping from the remote PC (172.16.100.50) to the local GW (172.16.100.1): successful
    > ping 172.16.100.1
    Pinging 172.16.100.1 with 32 bytes of data:
    Reply from 172.16.100.1: bytes=32 time=24ms TTL=255
    Reply from 172.16.100.1: bytes=32 time=10ms TTL=255
    Reply from 172.16.100.1: bytes=32 time=10ms TTL=255
    Reply from 172.16.100.1: bytes=32 time=11ms TTL=255

    3. ping from the remote PC (172.16.100.50) to the local server (172.16.100.10): failure
    > ping 172.16.100.10
    Pinging 172.16.100.10 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    4. ping from the router to the local server: successful
    router#ping 172.16.100.10
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.16.100.10, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

    5. show version
    Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.4(15)T1, RELEASE SOFTWARE (fc2)
    ROM: System Bootstrap, Version 12.3(8r)YH6, RELEASE SOFTWARE (fc1)
    router uptime is 1 hour, 9 minutes
    System image file is "flash:c181x-advipservicesk9-mz.124-15.T1.bin"
    Cisco 1812-J (MPC8500) processor (revision 0x300) with 118784K/12288K bytes of memory.
    10 FastEthernet interfaces
    1 ISDN Basic Rate interface
    Configuration register is 0x2102

    6. router config
    aaa authentication login default local
    aaa authentication login VPN local
    aaa authorization exec default local
    aaa authorization network VPN local
    !
    !
    aaa session-id common
    !
    !
    !
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp client configuration group ASI_Group
     key mykey
     dns aaa.bbb.cccc.ddd
     domain mydomain.com
     pool VPN_Pool
     acl VPN_ACL
    !
    !
    crypto ipsec transform-set TS1 esp-3des esp-sha-hmac
    !
    crypto dynamic-map DYNMAP 10
     set transform-set TS1
     reverse-route
    !
    !
    crypto map VPN client authentication list VPN
    crypto map VPN isakmp authorization list VPN
    crypto map VPN client configuration address respond
    crypto map VPN 10 ipsec-isakmp dynamic DYNMAP
    !
    !
    !
    ip cef
    !
    !
    !
    multilink bundle-name authenticated
    !
    !
    username admin privilege 15 password mypassword
    archive
     log config
      hidekeys
    !
    !
    !
    !
    !
    interface FastEthernet0
     description WAN
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     no ip mroute-cache
     duplex auto
     speed auto
     pppoe enable group global
     pppoe-client dial-pool-number 1
    !
    interface FastEthernet2
     description Public_LAN_Interface
     switchport access vlan 10
     duplex full
     speed 100
    !
    interface FastEthernet6
     description Private_LAN_Interface
     switchport access vlan 100
     duplex full
     speed 100
    !
    interface Vlan1
     no ip address
    !
    interface Vlan10
     description Public
     ip address xxx.yyy.zzz.193 255.255.255.248
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     no ip mroute-cache
    !
    interface Vlan100
     ip address 172.16.100.1 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     no ip mroute-cache
    !
    interface Dialer0
     ip unnumbered Vlan10
     no ip unreachables
     ip mtu 1452
     ip virtual-reassembly
     encapsulation ppp
     no ip mroute-cache
     dialer pool 1
     dialer-group 1
     ppp authentication chap callin
     ppp chap hostname myhostname
     ppp chap password mychappassword
     ppp ipcp dns request accept
     ! (one further ppp ipcp line is garbled beyond recovery in the source)
     ppp ipcp address accept
     crypto map VPN
    !
    ip local pool VPN_Pool 172.16.100.50 172.16.100.60
    !
    !
    no ip http server
    no ip http secure-server
    !
    ip access-list extended VPN_ACL
     permit ip 172.16.100.0 0.0.0.255 any
    !
    dialer-list 1 protocol ip permit
    no cdp run
    !
    !

    Simon,

    Basically, when you connect through the VPN client, the PC's routing table is updated automatically as soon as the connection is established. You do not need to manually add routes. You can check this by doing a "route print" once you are connected.

    Ideally, you need to put your VPN pool on a subnet that does not exist on your physical network; the router would then route traffic between the IP pool and the internal subnet.

    Now, you said that you have a web server with a public IP address that you need to access through the VPN. Does that host also have a private IP address on 172.16.100.0? If it does, then the ACL that I proposed should work. If it only has a public IP then your VPN ACL must have something like

    permit ip 172.16.100.0 0.0.0.255 192.168.100.0 0.0.0.255

    permit ip 219.xxx.yyy.192 0.0.0.7 192.168.100.0 0.0.0.255

    which tells the router and the client to encrypt all traffic between the subnets behind your router and your VPN pool.

    I hope this helps.

    Luis Raga

  • Cannot ping inner network via VPN site-2-site

    I have the following Setup of the site 2 site VPN.

    The pain I feel is host 172.168.88.3 in site A is not able to ping 172.168.200.3 in site B and vice versa. Think I've added static routes and lists ACLs correctly on 3560 switches (acting as an access point) and the two PIX to access internal networks. 172.168.9.3 host can ping 172.168.200.3 very well. All advice is appreciated.

    Thank you very much.

    My configs are as follows:

    PIX HAS

    8.0 (3) version PIX

    !

    PIX - A host name

    activate u18hqwudty78klk9s encrypted password

    names of

    !

    interface Ethernet0

    Speed 100

    full duplex

    nameif outside

    security-level 0

    IP address x.x.x.250 255.255.255.240

    !

    interface Ethernet1

    nameif inside

    security-level 100

    IP 172.168.9.1 255.255.255.0

    !

    uh78mklh78yMs encrypted passwd

    connection of the banner it is a private network. Unauthorized access is prohibited!

    Banner motd this is a private network. Unauthorized access is prohibited!

    passive FTP mode

    clock timezone GMT/UTC 0

    summer time clock GMT/BST recurring 1 Sun Mar 01:00 last Sun Oct 02:00

    DNS domain-lookup outside

    DNS server-group Ext_DNS

    Server name 82.72.6.57

    Server name 63.73.82.242

    the LOCAL_LAN object-group network

    object-network 172.168.9.0 255.255.255.0

    object-network 172.168.88.0 255.255.255.0

    Internet_Services tcp service object-group

    port-object eq www

    area of port-object eq

    EQ object of the https port

    port-object eq ftp

    EQ object of port 8080

    EQ port ssh object

    port-object eq telnet

    the WAN_Network object-group network

    object-network 172.168.200.0 255.255.255.0

    ACLOUT list extended access allowed object-group LOCAL_LAN udp any eq log field

    ACLOUT list extended access allow icmp object-group LOCAL_LAN no matter what paper

    ACLOUT list extended access permitted tcp object-group LOCAL_LAN connect to any object-group Internet_Services

    Access extensive list ip 172.168.88.0 ACLOUT allow 255.255.255.0 172.168.200.0 255.255.255.0 connect

    access-list extended ACLIN all permit icmp any what newspaper echo-reply

    access-list extended ACLIN all permit icmp any how inaccessible journal

    access-list extended ACLIN allowed icmp no matter what newspaper has exceeded the time

    IP 172.168.200.0 allow Access - list extended ACLIN 255.255.255.0 172.168.9.0 255.255.255.0 connect

    standard access list split_tunnel_list allow 172.168.9.0 255.255.255.0

    Access log list split_tunnel_list note LOCAL_LAN

    access-list extended SHEEP allowed ip object-group LOCAL_LAN 172.168.100.0 255.255.255.0 connect

    access extensive list ip 172.168.9.0 inside_nat0_outbound allow 255.255.255.0 172.168.200.0 255.255.255.0 connect

    access extensive list ip 172.168.9.0 outside_cryptomap_20 allow 255.255.255.0 172.168.200.0 255.255.255.0 connect

    pager lines 24

    Enable logging

    logging buffered information

    logging trap information

    host of logging inside the 172.168.88.3

    Outside 1500 MTU

    Within 1500 MTU

    IP local pool testvpn 172.168.100.1 - 192.168.100.99

    no failover

    ICMP unreachable rate-limit 1 burst-size 1

    ASDM image Flash: / pdm

    don't allow no asdm history

    ARP timeout 14400

    Global 1 interface (outside)

    NAT (inside) 0-list of access inside_nat0_outbound

    NAT (inside) 1 0.0.0.0 0.0.0.0

    Access-group ACLIN in interface outside

    ACLOUT access to the interface inside group

    Route outside 0.0.0.0 0.0.0.0 x.x.x.45 1

    Route inside 172.168.88.0 255.255.255.0 172.168.88.254 1

    Route inside 172.168.199.0 255.255.255.0 172.168.199.254 1

    Route outside 172.168.200.0 255.255.255.0 172.168.9.1 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout, uauth 0:05:00 absolute

    dynamic-access-policy-registration DfltAccessPolicy

    Enable http server

    http 172.168.9.1 255.255.255.255 inside

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown cold start

    Crypto ipsec transform-set esp-3des esp-md5-hmac Set_1

    Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

    Crypto dynamic-map outside_dyn_map 1 set of transformation-Set_1

    Crypto dynamic-map outside_dyn_map 1 the value reverse-road

    outside_map 1 card crypto ipsec-isakmp dynamic outside_dyn_map

    card crypto outside_map 20 match address outside_cryptomap_20

    card crypto outside_map 20 peers set x.x.x.253

    outside_map crypto 20 card value transform-set ESP-AES-256-SHA

    outside_map interface card crypto outside

    crypto ISAKMP allow outside

    crypto ISAKMP policy 1

    preshared authentication

    3des encryption

    md5 hash

    Group 2

    life 86400

    crypto ISAKMP policy 10

    preshared authentication

    aes-256 encryption

    sha hash

    Group 5

    life 86400

    No encryption isakmp nat-traversal

    Telnet 0.0.0.0 0.0.0.0 inside

    Telnet timeout 5

    SSH timeout 5

    Console timeout 0

    a basic threat threat detection

    Statistics-list of access threat detection

    NTP server 130.88.203.12 prefer external source

    internal testvpn group policy

    attributes of the strategy of group testvpn

    Split-tunnel-policy tunnelspecified

    value of Split-tunnel-network-list split_tunnel_list

    Viv ZdlkjGlOTGf7dqdb encrypted user name password

    type tunnel-group testvpn remote access

    tunnel-group testvpn General-attributes

    address testvpn pool

    Group Policy - by default-testvpn

    testvpn group of tunnel ipsec-attributes

    pre-shared-key *.

    tunnel-group x.x.x.253 type ipsec-l2l

    x.x.x.253 group of tunnel ipsec-attributes

    pre-shared-key *.

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    type of policy-card inspect dns preset_dns_map

    parameters

    message-length maximum 512

    Policy-map global_policy

    class inspection_default

    inspect the preset_dns_map dns

    inspect the ftp

    inspect h323 h225

    inspect the h323 ras

    inspect the rsh

    inspect the rtsp

    inspect esmtp

    inspect sqlnet

    inspect the skinny

    inspect sunrpc

    inspect xdmcp

    inspect the sip

    inspect the netbios

    inspect the tftp

    inspect the icmp

    !

    global service-policy global_policy

    context of prompt hostname

    Cryptochecksum:bb6ead3350227b3745c14b9ba340b84a

    : end

    PIX B

    PIX Version 8.0(3)
    !
    hostname PIX-B
    enable password ul;jk89A89hNC0Ms encrypted
    names
    !
    interface Ethernet0
     speed 100
     duplex full
     nameif outside
     security-level 0
     ip address x.x.x.253 255.255.255.240
    !
    interface Ethernet1
     nameif inside
     security-level 100
     ip address 172.168.200.1 255.255.255.0
    !
    interface Ethernet2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    passwd 2ljio897hFB.88fU encrypted
    banner motd This is a private network. Unauthorized access is prohibited!
    ftp mode passive
    dns domain-lookup outside
    dns server-group Ext_DNS
     name-server x.x.x.57
     name-server x.x.x.242
    object-group network LOCAL_LAN
     network-object 172.168.200.0 255.255.255.0
    object-group service Internet_Services tcp
     port-object eq www
     port-object eq domain
     port-object eq https
     port-object eq ftp
     port-object eq 8080
    object-group network WAN_Network
     description WAN networks
     network-object 172.168.88.0 255.255.255.0
    access-list ACLOUT extended permit udp object-group LOCAL_LAN any eq domain
    access-list ACLOUT extended permit icmp object-group LOCAL_LAN any
    access-list ACLOUT extended permit tcp object-group LOCAL_LAN any object-group Internet_Services
    access-list ACLIN extended permit icmp any any unreachable
    access-list ACLIN extended permit icmp any any time-exceeded
    access-list ACLIN extended permit icmp any any echo-reply
    access-list ACLIN extended permit ip 172.168.88.0 255.255.255.0 172.168.200.0 255.255.255.0
    access-list ACLIN extended permit ip 172.168.9.0 255.255.255.0 172.168.200.0 255.255.255.0
    access-list ACLIN extended permit ip 172.168.199.0 255.255.255.0 172.168.200.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 172.168.200.0 255.255.255.0 172.168.9.0 255.255.255.0
    access-list outside_cryptomap_20 extended permit ip 172.168.200.0 255.255.255.0 172.168.9.0 255.255.255.0
    pager lines 24
    logging enable
    logging monitor debugging
    logging buffered debugging
    logging trap informational
    mtu outside 1500
    mtu inside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group ACLIN in interface outside
    access-group ACLOUT in interface inside
    route outside 0.0.0.0 0.0.0.0 x.x.x.253 1
    route outside 172.168.88.0 255.255.255.0 172.168.200.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer x.x.x.250
    crypto map outside_map 20 set transform-set ESP-AES-256-SHA
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption aes-256
     hash sha
     group 5
     lifetime 86400
    no crypto isakmp nat-traversal
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access inside
    threat-detection basic-threat
    threat-detection statistics access-list
    tunnel-group x.x.x.250 type ipsec-l2l
    tunnel-group x.x.x.250 ipsec-attributes
     pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect icmp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:ccb8392ce529a21c071b85d9afcfdb30
    : end

    3560 G/W

    version 12.2
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname 3560_GW
    !
    enable secret 5 $1$cOB4$Uklj8978/jgWv?TSSP
    !
    no aaa new-model
    system mtu routing 1500
    ip subnet-zero
    ip routing
    !
    !
    !
    !
    no file verify auto
    spanning-tree mode pvst
    spanning-tree extend system-id
    !
    vlan internal allocation policy ascending
    !
    interface GigabitEthernet0/1
    !
    interface GigabitEthernet0/2
     description uplink to Cisco_ASA
     switchport access vlan 9
    !
    interface GigabitEthernet0/3
    !
    interface GigabitEthernet0/4
    !
    interface GigabitEthernet0/5
    !
    interface GigabitEthernet0/6
    !
    interface GigabitEthernet0/7
    !
    interface GigabitEthernet0/8
    !
    interface GigabitEthernet0/9
    !
    interface GigabitEthernet0/10
    !
    interface GigabitEthernet0/11
    !
    interface GigabitEthernet0/12
    !
    interface GigabitEthernet0/13
    !
    interface GigabitEthernet0/14
    !
    interface GigabitEthernet0/15
    !
    interface GigabitEthernet0/16
    !
    interface GigabitEthernet0/17
    !
    interface GigabitEthernet0/18
    !
    interface GigabitEthernet0/19
    !
    interface GigabitEthernet0/20
    !
    interface GigabitEthernet0/21
    !
    interface GigabitEthernet0/22
    !
    interface GigabitEthernet0/23
     switchport access vlan 88
     switchport mode access
     spanning-tree portfast
    !
    interface GigabitEthernet0/24
     switchport access vlan 9
     switchport mode access
     spanning-tree portfast
    !
    interface GigabitEthernet0/25
     description trunk port to A_2950_88 port 1
     switchport trunk encapsulation dot1q
    !
    interface GigabitEthernet0/26
    !
    interface GigabitEthernet0/27
     description trunk port to A_2950_112 port 1
     switchport trunk encapsulation dot1q
     shutdown
    !
    interface GigabitEthernet0/28
    !
    interface Vlan1
     no ip address
     shutdown
    !
    interface Vlan9
     ip address 172.168.9.2 255.255.255.0
    !
    interface Vlan88
     ip address 172.168.88.254 255.255.255.0
    !
    interface Vlan199
     ip address 172.168.199.254 255.255.255.0
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 172.168.9.1
    ip route 172.168.88.0 255.255.255.0 172.168.9.1
    ip route 172.168.100.0 255.255.255.0 172.168.9.1
    ip route 172.168.200.0 255.255.255.0 172.168.9.1
    ip http server
    !
    !
    control-plane
    !
    banner motd ^C This is a private network. ^C
    !
    line con 0
    line vty 0 4
     login
    line vty 5 15
     login
    !
    end

    Hi Robert,

    I went through the configuration on both PIX firewalls and see that traffic is not defined for 172.168.88.0/24 --> 172.168.200.0/24.

    If you check the crypto map on PIX A, it says:

    crypto map outside_map 20 match address outside_cryptomap_20   <-- this ACL defines the interesting traffic

    and the ACL outside_cryptomap_20 says:

    access-list outside_cryptomap_20 extended permit ip 172.168.9.0 255.255.255.0 172.168.200.0 255.255.255.0

    It is the same on PIX B:

    crypto map outside_map 20 match address outside_cryptomap_20

    access-list outside_cryptomap_20 extended permit ip 172.168.200.0 255.255.255.0 172.168.9.0 255.255.255.0

    To allow the users to talk to each other, apply these commands:

    On PIX A:

    access-list outside_cryptomap_20 extended permit ip 172.168.88.0 255.255.255.0 172.168.200.0 255.255.255.0

    access-list inside_nat0_outbound extended permit ip 172.168.88.0 255.255.255.0 172.168.200.0 255.255.255.0

    and on PIX B:

    access-list outside_cryptomap_20 extended permit ip 172.168.200.0 255.255.255.0 172.168.88.0 255.255.255.0

    access-list inside_nat0_outbound extended permit ip 172.168.200.0 255.255.255.0 172.168.88.0 255.255.255.0

    Let me know if it helps.

    Thank you

    Vishnu Sharma
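    The reply above is a manual version of a check worth scripting: for an IPsec L2L tunnel, every flow in one peer's crypto ACL must appear reversed in the other's, and each protected flow must also be NAT-exempted, otherwise it is PATed to the outside address before the crypto map is consulted and never matches. The script below is an added example, not code from the thread or from Cisco. It parses the PIX A / PIX B ACL lines quoted in the thread; PIX A's nat0 entry for 172.168.9.0/24 is an assumption (the thread does not show it), and only the `extended permit ip <net> <mask> <net> <mask>` ACE shape is handled.

```python
"""Mirror-image and NAT-exemption check for an IPsec L2L peer pair.

Added example, not from the thread. ACL lines are the ones quoted for
PIX A / PIX B; PIX A's nat0 line for 172.168.9.0/24 is assumed."""
import ipaddress
import re

ACE_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s*$"
)


def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} in configuration order."""
    acls = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}"))
            )
    return acls


def missing_mirror(local, remote):
    """Flows of 'local' with no exact (dst, src) counterpart in 'remote'.
    Peers compare proxy IDs exactly, so a wider entry on the other side
    does not count as a mirror."""
    reversed_remote = {(d, s) for s, d in remote}
    return [f for f in local if f not in reversed_remote]


def missing_nat0(crypto, nat0):
    """Crypto flows that no nat0 ACE covers (nat0 may be wider than the flow)."""
    def exempt(src, dst):
        return any(src.subnet_of(ns) and dst.subnet_of(nd) for ns, nd in nat0)
    return [(s, d) for s, d in crypto if not exempt(s, d)]


def check_pair(cfg_a, cfg_b, crypto="outside_cryptomap_20", nat0="inside_nat0_outbound"):
    """Run both checks in both directions; every list should be empty."""
    a, b = parse_acls(cfg_a), parse_acls(cfg_b)
    ca, cb = a.get(crypto, []), b.get(crypto, [])
    return {
        "a_unmirrored": missing_mirror(ca, cb),
        "b_unmirrored": missing_mirror(cb, ca),
        "a_no_nat0": missing_nat0(ca, a.get(nat0, [])),
        "b_no_nat0": missing_nat0(cb, b.get(nat0, [])),
    }


def as_text(flows):
    return [f"{s} -> {d}" for s, d in flows]


# PIX B exactly as quoted in the thread.
PIX_B = """
access-list inside_nat0_outbound extended permit ip 172.168.200.0 255.255.255.0 172.168.9.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 172.168.200.0 255.255.255.0 172.168.9.0 255.255.255.0
"""
# PIX A with only the crypto half of the fix applied (a common half-done state).
PIX_A_HALF = """
access-list inside_nat0_outbound extended permit ip 172.168.9.0 255.255.255.0 172.168.200.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 172.168.9.0 255.255.255.0 172.168.200.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 172.168.88.0 255.255.255.0 172.168.200.0 255.255.255.0
"""
# Both sides with all four lines from the reply applied.
PIX_A_FIXED = PIX_A_HALF + (
    "access-list inside_nat0_outbound extended permit ip 172.168.88.0 255.255.255.0 172.168.200.0 255.255.255.0\n"
)
PIX_B_FIXED = PIX_B + """
access-list outside_cryptomap_20 extended permit ip 172.168.200.0 255.255.255.0 172.168.88.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.168.200.0 255.255.255.0 172.168.88.0 255.255.255.0
"""

if __name__ == "__main__":
    for label, (a, b) in {"half-fixed": (PIX_A_HALF, PIX_B),
                          "fixed": (PIX_A_FIXED, PIX_B_FIXED)}.items():
        print(label, {k: as_text(v) for k, v in check_pair(a, b).items()})
```

    Run it against `show run` output from both peers (or feed the two strings). The half-fixed case reports the 172.168.88.0/24 flow as both unmirrored on PIX B and missing from PIX A's nat0, which is exactly the pair of lines the reply adds; once all four lines are in place every list is empty.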

  • Windows 2003 cannot access remote network via Cisco VPN

    I have two computers at home, an XP Pro SP2 and a Windows 2003 Server SP1. If I set up the Cisco VPN client (version 4.6) on XP to the office (ASA 5510), I can access the office network resources. However, if I set up the Cisco VPN client on 2003, I can't do the same thing. After studying the two routing tables, I think XP has this route: 192.168.0.0 255.255.0.0 192.168.101.5 192.168.101.5 1, but 2003 doesn't. If I add this route manually (route add 192.168.0.0 mask 255.255.255.0 192.168.101.3) on 2003, then I can access the resources. Why?

    Routing table of the 2003 machine:

    Active routes:

    Network Destination        Netmask          Gateway       Interface  Metric

    0.0.0.0                    0.0.0.0          192.168.10.1  192.168.10.3   40

    x.x.x.37                   255.255.255.255  192.168.10.1  192.168.10.3    1

    127.0.0.0                  255.0.0.0        127.0.0.1     127.0.0.1       1

    192.168.10.0               255.255.255.0    192.168.10.3  192.168.10.3   40

    192.168.10.3               255.255.255.255  127.0.0.1     127.0.0.1      40

    192.168.10.255             255.255.255.255  192.168.10.3  192.168.10.3   40

    192.168.101.0              255.255.255.0    192.168.101.3 192.168.101.3  10

    192.168.101.3              255.255.255.255  127.0.0.1     127.0.0.1      10

    192.168.101.255            255.255.255.255  192.168.101.3 192.168.101.3  10

    224.0.0.0                  240.0.0.0        192.168.10.3  192.168.10.3   40

    224.0.0.0                  240.0.0.0        192.168.101.3 192.168.101.3  10

    255.255.255.255            255.255.255.255  192.168.10.3  192.168.10.3    1

    255.255.255.255            255.255.255.255  192.168.101.3 192.168.101.3   1

    Default gateway: 192.168.10.1

    ===========================================================================

    Persistent routes:

    None

    The VPN client has not been tested on Win2003. Client requirements are described here:

    http://www.Cisco.com/univercd/CC/TD/doc/product/VPN/client/4_6/relnt/4604cln.htm#wp1024664

    and it shows that only WinXP is supported.
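    The poster's observation is a routing-table question: with no route for the office networks via the VPN adapter, Windows falls through to the LAN default gateway, and the packets never enter the tunnel. The script below is an added example, not from the thread; it replays the Windows forwarding decision (longest prefix, then lowest metric) over the 2003 table quoted above, with the masked public address x.x.x.37 replaced by the documentation address 203.0.113.37, and compares it with the same table plus the 192.168.0.0/16 route the poster says the XP client installs. The destination 192.168.1.10 is a made-up office host.

```python
"""Longest-prefix-match lookup over a Windows 'route print' table.

Added example, not from the thread. ROUTE_PRINT_2003 is the table quoted
in the question (x.x.x.37 replaced by 203.0.113.37); XP_VPN_ROUTE is the
route the poster reports on the XP client."""
import ipaddress

ROUTE_PRINT_2003 = """
0.0.0.0          0.0.0.0          192.168.10.1    192.168.10.3    40
203.0.113.37     255.255.255.255  192.168.10.1    192.168.10.3     1
127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1        1
192.168.10.0     255.255.255.0    192.168.10.3    192.168.10.3    40
192.168.10.3     255.255.255.255  127.0.0.1       127.0.0.1       40
192.168.10.255   255.255.255.255  192.168.10.3    192.168.10.3    40
192.168.101.0    255.255.255.0    192.168.101.3   192.168.101.3   10
192.168.101.3    255.255.255.255  127.0.0.1       127.0.0.1       10
192.168.101.255  255.255.255.255  192.168.101.3   192.168.101.3   10
224.0.0.0        240.0.0.0        192.168.10.3    192.168.10.3    40
224.0.0.0        240.0.0.0        192.168.101.3   192.168.101.3   10
255.255.255.255  255.255.255.255  192.168.10.3    192.168.10.3     1
255.255.255.255  255.255.255.255  192.168.101.3   192.168.101.3    1
"""
# The route the poster reports on the XP client (installed by the VPN client).
XP_VPN_ROUTE = "192.168.0.0      255.255.0.0      192.168.101.5   192.168.101.5    1\n"


def parse_route_print(text):
    """Parse 'destination netmask gateway interface metric' rows."""
    routes = []
    for line in text.strip().splitlines():
        dest, mask, gw, iface, metric = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface, int(metric)))
    return routes


def lookup(routes, destination):
    """Windows forwarding choice: longest matching prefix, then lowest metric.
    Returns (gateway, interface), or None if nothing matches."""
    dst = ipaddress.ip_address(destination)
    best = None
    for net, gw, iface, metric in routes:
        if dst in net:
            rank = (net.prefixlen, -metric)
            if best is None or rank > best[0]:
                best = (rank, gw, iface)
    return None if best is None else (best[1], best[2])


ROUTES_2003 = parse_route_print(ROUTE_PRINT_2003)
ROUTES_2003_WITH_VPN_ROUTE = parse_route_print(ROUTE_PRINT_2003 + XP_VPN_ROUTE)

if __name__ == "__main__":
    for name, table in (("2003", ROUTES_2003),
                        ("2003 + VPN route", ROUTES_2003_WITH_VPN_ROUTE)):
        print(f"{name}: 192.168.1.10 -> {lookup(table, '192.168.1.10')}")
```

    Without the VPN route, 192.168.1.10 only matches 0.0.0.0/0 and goes to the home gateway 192.168.10.1 in the clear; with the /16 route it leaves via the VPN adapter. Note that the manual `route add` the poster used has a /24 mask, so it covers only 192.168.0.x; this lookup makes such mask mistakes visible before you test across the tunnel.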

  • Cannot access remote resources - Cisco VPN Client

    I'm having a problem with my Cisco VPN Client. I am new to VPN configuration, so this is probably something easy I'm missing. I have a 2611XM router that is the internet gateway for my LAN and my VPN server. I do all my tests from a company laptop with a mobile broadband card. The VPN connects, but any time I ping anything in the office network, the reply comes back from the public IP address of the external interface. I have NAT overload configured so the inside network can access the internet, which it looks like may be causing my problem. I don't know how to fix it. My running config is attached. Does anyone know what might be happening?

    Oh, almost forgot to add: when I remove the NAT overload from my interface fa0/1, the VPN can connect to any resource on the inside.

    Your NAT configuration seems to be the origin of the problem. If you are using an ACL to match the source for NAT, then you will need to add a deny line for the local IP pool of your VPN clients to that ACL. Try that and see how it goes.

    Sent from Cisco Technical Support iPhone App

  • Help with 1921 ISR Easy VPN remote access w/ Easy VPN Site-to-Site

    I have two 1921 ISR routers configured with Easy VPN site-to-site. I configured the VPN ACL on each ISR so that all networks on each site can communicate with the private networks of the other site. I also have a 1921 ISR configured as an Easy VPN server.

    Problem: when a remote user connects to the Easy VPN server, the user can only access the private networks on the VPN server's site. I added the IP network that is used for remote users (i.e. the Easy VPN server's IP pool) to each 1921's VPN ACL, but the remote user still cannot access the other site's private network via the site-to-site VPN, and vice versa.

    Problem: I also have a problem with the Easy VPN server not placing a static host route in its routing table when it establishes a connection to the remote user and gives the remote user an IP address from the VPN server's IP pool. The VPN server does not perform this task the first time the user connects. If the user disconnects and reconnects, the VPN server router does not have the static host route in its routing table for the new IP address given on the later connection.

    Any help is appreciated.

    THX,

    Greg

    Hello Greg,

    The ASAs require "same-security-traffic permit intra-interface" to allow hairpinned traffic, but routers allow it by default (there is no need for an equivalent command).

    Therefore, VPN clients can access LAN A but can't access the remote LAN B over the site-to-site.

    You have added the VPN client pool to the ACL for the site-to-site interesting traffic.

    You must also add the remote LAN B to the split-tunneling ACL for VPN clients (assuming you are using split tunneling).

    In other words, the configuration the VPN router has for the VPN clients should include the remote LAN B in the traffic that is allowed for the VPN clients.

    You can check the above and do the following test:

    1. Try to connect from the VPN client to the remote LAN B.

    2. Check "sh cry ips sa" for the VPN client connection and see whether there is an SA being built between the pool and the remote LAN B.

    Federico.

  • Access to a remote network through VPN remote access

    Hello

    I'm having a problem with users who access the VPN from home. We currently have 3 offices set up, as shown below. When I VPN into the Philadelphia office, I am unable to access the resources of the Connecticut or North Carolina offices.

    The VPN subnet is 192.168.10.0. Inside the PA office, I have no problem with NC or CT. Do I have to add a static route from Pennsylvania to NC? If so, could you give me a hand with the correct syntax?

    Pennsylvania office <-----------IPSec VPN----------> North Carolina office <------------IPSec VPN-------------> Connecticut office

    192.168.5.0                                           192.168.1.0                                                 192.168.2.0

    Hello

    Yes, basically the ASA hosting the VPN client service in this case has pretty much the same configuration towards both sites, with the exception of course of the obvious:

    • Networks/subnets
    • A different ACL for each L2L VPN

    Although naturally the problem for me is the WRVS4400N configuration.

    Basically, you do the same things on this unit as on the other remote site.

    You add the VPN pool as another remote network in the L2L VPN configurations. You also confirm that there is a NAT0 operation for this network too. I don't know if I can help you there as I do not know the device.

    Can you please mark it as answered and rate the other helpful answers.

    Naturally ask more and I'll try to help you if I can.

    -Jouni

  • Cannot access the network ERR_NETWORK_ACCESS_DENIED

    I have Windows 7. Nothing works; I tried Chrome (which will not even load) and Firefox (it has been a constant problem with Gmail for well over a year).

    Cannot access the network

    ERR_NETWORK_ACCESS_DENIED
    Google Chrome cannot access the network.

    Maybe it's because your firewall or antivirus software wrongly thinks that Google Chrome is an intruder on your computer and is blocking it from connecting to the Internet.

    Allow Chrome to access the network in your firewall or antivirus settings.
    If it is already listed as a program allowed to access the network, try removing it from the list and adding it again.

    I tried the above, but can't seem to solve the problem. Thank you.

    Hello Paul,

    Thanks for posting your question on the Microsoft Community.

    I would like to know some information about the problem so that we can help you better.

    Does the same problem occur when you use Internet Explorer?

    Thank you for the details on the question and your efforts to resolve it.

    If the problem also occurs when you use Internet Explorer, I suggest you use the steps in this article and check if it helps.
    Reference:
    Can't access some Web sites in Internet Explorer
    https://support.Microsoft.com/en-us/KB/967897

    Note: The Reset Internet Explorer Settings feature can reset security settings or privacy settings that you have added to the list of Trusted Sites. Resetting the Internet Explorer settings can also reset parental control settings. We recommend that you note these sites before you use Reset Internet Explorer Settings. Resetting Internet Explorer is not reversible, and all the previous settings are lost after the reset.

    Also see this article:
    Understanding Windows Firewall settings
    http://Windows.Microsoft.com/en-us/Windows/understanding-firewall-settings#1TC=Windows-7

    Note: Firewall and antivirus software can help protect your computer against viruses and other security threats. In most cases, you should not turn off your antivirus software and firewall. If you need to disable them temporarily to install other software, you should re-enable them as soon as you are finished. If you are connected to the Internet or a network while your antivirus software and firewall are disabled, your computer is vulnerable to attacks.

    For help with Google Chrome, I suggest you post your question on the Google Chrome forums.
    http://productforums.Google.com/d/Forum/chrome

    I hope this information helps.

    Please let us know if you need more help.

    Thank you

  • VPN clients cannot access remote sites - PIX, routing problem?

    I have a problem with routing to our company's remote sites when users connect remotely via their VPN client (i.e. home workers).

    Our headquarters has a PIX 515E firewall. A number of remote sites connect (via ADSL) to head office using IPsec tunnels terminating on the PIX.

    Behind the PIX is a 7206 router with connections to the head office LANs and to a number of ISDN-connected remote sites. The default route on the 7206 points to the PIX, so traffic for the ADSL-connected remote sites goes through the PIX. Internal traffic for the LAN and the ISDN-connected sites is handled by the 7206.

    All very good and it works very well.

    When a user connects remotely using their VPN client (the connection is terminated on the PIX), they get an IP address from the pool configured on the PIX and they can access resources located on the office LANs with no problems.

    However, the problem arises when a remote user wants to access a server located in one of the ADSL-connected remote sites: it is impossible to access any of these sites.

    On the remote site routers, I configured the access lists to allow access from the pool of IP addresses used by the PIX. But it made no difference. I think the problem may be the routes configured on the PIX itself, but I don't know what is necessary to solve this problem.

    Does anyone have suggestions on what needs to be done to allow access to the remote sites for users connected remotely via VPN?

    (Note: I suggested a workaround: users can use a server on the headquarters LAN as a "jump point" to connect to the remote servers from there.)

    With PIX v6, no traffic is allowed to be redirected back out the same interface.

    For example, a remote user initiates an RDP session to one of the ADSL sites. The PIX decrypts the packet coming in on the outside interface and looks at the destination. Because the destination is one of the ADSL sites, the PIX would have to send the traffic back out the outside interface. Unfortunately, PIX v6.x has a limitation that forces the PIX to drop the packet.

    With v7, this restriction has been removed with the command "same-security-traffic permit intra-interface".

    http://www.Cisco.com/en/us/partner/products/HW/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

  • AnyConnect VPN users cannot access remote subnets?

    I googled this until blue in the face without result. I don't understand why Cisco makes this so difficult. When clients connect to the AnyConnect VPN, they can access the local subnet, but cannot access the resources in the remote offices. What should I do to allow my AnyConnect VPN clients access to my remote sites?

    Cisco 5510 8.4

    Hello

    What are the remote sites using as their Internet gateway? Does their default route lead to this ASA, or do they have their own Internet gateway? If they use this ASA for their Internet connection then they should already have a default route that leads traffic for the VPN pool to it, even if they have no specific route for the VPN pool itself. If they use their own local Internet gateway and the default route is not directed to this ASA, then you would naturally need a route on the remote site (and anything in between) telling the remote site where to reach the VPN pool network 10.10.224.0/24.

    In addition to routing, you must have NAT0 configured for each remote site and the VPN pool.

    Just a simple example of a NAT0 configuration for 4 networks behind the ASA and a single VPN pool might look like this:

    object-group network REMOTE-SITES
     network-object 10.10.10.0 255.255.255.0
     network-object 10.10.20.0 255.255.255.0
     network-object 10.10.30.0 255.255.255.0
     network-object 10.10.40.0 255.255.255.0

    object network VPN-POOL
     subnet 10.10.224.0 255.255.255.0

    nat (inside,outside) source static REMOTE-SITES REMOTE-SITES destination static VPN-POOL VPN-POOL

    The above of course assumes that the remote sites are located behind the "inside" interface (for example some MPLS networks), and naturally the remote site networks are made up for the sake of the example.

    Since you are using a full-tunnel VPN, there should be no problem with the VPN user forwarding traffic to the ASA in question.

    My first things to check would be the NAT0 configuration on the ASA and the routing between the remote sites and this ASA (regarding reaching the VPN pool, not the ASA's network IP address).

    Are you sure that the configuration above is related to this? It's my understanding that AnyConnect uses only IKEv2 and the above is strictly defined for IKEv1?

    -Jouni

  • Urgent! Remote access VPN users connect but cannot access the remote LAN (ping, folders, ...)

    Hello

    I am setting up a remote access VPN on a Cisco ASA 5510 version 8.4(4)1.

    When I try to connect via the Cisco VPN client software, I am able to connect; however, I am unable to access network resources.

    However, I can ping the servers in the other site that is connected to the main site through the site-to-site VPN!

    VPN client --> main site (ping times out) --> site connected to the main site with S2S VPN (ping successful)

    Please help me, I need to find a solution as soon as POSSIBLE!

    Thank you in advance.

    Hello

    Please remove the NAT exemption and re-issue the command with "1", so that it places the NAT as the first line:

    no nat (SERVERS,outside) source static SERVERS_LAN SERVERS_LAN destination static NETWORK_OBJ_10.10.40.8_29 NETWORK_OBJ_10.10.40.8_29 no-proxy-arp route-lookup

    nat (SERVERS,outside) 1 source static SERVERS_LAN SERVERS_LAN destination static NETWORK_OBJ_10.10.40.8_29 NETWORK_OBJ_10.10.40.8_29 no-proxy-arp route-lookup

    After reconfiguring it this way, make sure that this command is also present:

    sysopt connection permit-vpn

    This sysopt will allow the traffic regardless of any ACL, just in case. Please also run a packet tracer and post it here:

    packet-tracer input SERVERS icmp XXXXXX 8 0 YYYYY detailed

    XXXX --> server IP

    YYYY --> VPN IP of the user

    Don't forget to do the two steps and take a capture just in case. Please rate and mark the helpful posts as correct!

    Thank you

    David Castro,

  • ASA Site, Remote Site cannot access DMZ at the Hub site

    So I've been scratching my head and I just can't visualize what I want and how I want to do it.

    Here is the overview of my network:

    Headquarters: ASA 5505

    Site1: ASA 5505

    Site2: ASA 5505

    Site3: ASA 5505

    All sites are connected L2L to the headquarters location with a site-to-site VPN.

    From the HQ site I can ping each satellite location, and from each satellite location I can ping the HQ site. I will also mention that all other traffic works correctly too.

    Here's my issue: at the HQ site, I have a DMZ set up with a web/mail server. This mail/web server is accessible from my HQ LAN, but not from the satellite locations. I need to allow that.

    What should I do?

    My second question is that I want the satellite sites to see each other's networks. Should I create a VPN between the sites, or can this be solved in the same way as the DMZ question?

    I enclose the show run from my HQ ASA.

    show run HQ ASA

    For the mail/web server that requires access over the remote site VPN tunnels, you must add the servers to the crypto ACL, similar to the way you have it for network access. Make sure that both sides have the ACL mirrored. If you're NATing from the DMZ to the outside, make sure you create a NAT exemption from the DMZ to the outside for the VPN traffic.

    For the second question, because you have only three sites, I would recommend creating a site-to-site tunnel between the two satellite sites.

    HTH

    PS. If you found this post useful, please rate it.

  • VPN client cannot access anything at the main site

    I am sure that this problem has been resolved a million times before, but I can't get this to work. Can someone take a look at this quick config and tell me what the problem is?

    The Cisco VPN client connects without problems but I can't access anything whatsoever.

    ASA Version 8.4(4)
    !
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
     switchport access vlan 15
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.43.254 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address a.a.a.a 255.255.255.248
    !
    interface Vlan15
     forward interface Vlan1
     nameif IPOffice
     security-level 100
     ip address 192.168.42.254 255.255.255.0
    !
    boot system disk0:/asa844-k8.bin
    ftp mode passive
    object network obj-192.168.43.0
     subnet 192.168.43.0 255.255.255.0
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object network NETWORK_OBJ_10.11.12.0_24
     subnet 10.11.12.0 255.255.255.0
    object network NETWORK_OBJ_192.168.43.160_28
     subnet 192.168.43.160 255.255.255.240
    object network IPOffice
     subnet 0.0.0.0 0.0.0.0
    access-list outside_access_in extended permit icmp any 192.168.42.0 255.255.255.0
    access-list vpn_SplitTunnel remark ACL for VPN Split Tunnel
    access-list vpn_SplitTunnel standard permit 192.168.43.0 255.255.255.0
    access-list AnyConnect_Client_Local_Print extended deny ip any any
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
    access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
    access-list AnyConnect_Client_Local_Print remark Windows' printing port
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
    access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
    access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
    access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
    access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu IPOffice 1500
    ip local pool newvpnpool 10.11.12.100-10.11.12.150 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-649.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static any any destination static NETWORK_OBJ_10.11.12.0_24 NETWORK_OBJ_10.11.12.0_24 no-proxy-arp route-lookup
    nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.43.160_28 NETWORK_OBJ_192.168.43.160_28 no-proxy-arp route-lookup
    nat (IPOffice,outside) source static any any destination static NETWORK_OBJ_192.168.43.160_28 NETWORK_OBJ_192.168.43.160_28 no-proxy-arp route-lookup
    !
    object network obj_any
     nat (inside,outside) dynamic interface
    object network IPOffice
     nat (IPOffice,outside) dynamic interface
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 b.b.b.b 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication http console LOCAL
    aaa authentication telnet console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 0.0.0.0 0.0.0.0 outside
    http 192.168.43.0 255.255.255.0 inside
    http 192.168.42.0 255.255.255.0 IPOffice
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set strong esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set strong-1 esp-3des esp-sha-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map dynmap 30 set pfs group1
    crypto dynamic-map dynmap 30 set ikev1 transform-set strong
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map rpVPN 65535 ipsec-isakmp dynamic dynmap
    crypto map rpVPN interface outside
    crypto isakmp identity address
    crypto ikev1 enable outside
    crypto ikev1 policy 1
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 2
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcpd auto_config outside
    !
    dhcpd address 192.168.43.5-192.168.43.36 inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     enable outside
     anyconnect image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
     anyconnect enable
     tunnel-group-list enable
    group-policy RPVPN internal
    group-policy RPVPN attributes
     dns-server value 8.8.8.8
     vpn-tunnel-protocol ikev1
    username admin password gP3lHsTOEfvj7Z3g encrypted privilege 15
    username mark password blPoPZBKFYhjYewF encrypted privilege 0
    tunnel-group RPVPN type remote-access
    tunnel-group RPVPN general-attributes
     address-pool newvpnpool
     default-group-policy RPVPN
    tunnel-group RPVPN ipsec-attributes
     ikev1 pre-shared-key *
    !
    !
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:b3f15dda5472d65341d7c457f2e8b2a2
    : end

    Well, yes, you are quite right on that!

    Asymmetric routing is not supported on the firewall: traffic in and out must pass through the same interfaces; otherwise it thinks it is an attack and drops the packet.

    The default gateway for devices on the IPOffice subnet should be the ASA's IPOffice interface (192.168.42.254), not the switch, if that switch is shared with your home network. Similarly, for devices on the inside subnet, the default gateway must be the ASA's inside interface, 192.168.43.254.

    As for the switch, its default gateway can be either the ASA's inside interface IP or the ASA's IPOffice interface IP; the return traffic needs to be routed back along the same path.
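As an added illustration of the reply's point (not code from the thread), a small Python model of the two-subnet topology: the ASA interface addresses are the ones the reply gives, the switch SVI addresses 192.168.43.1 and 192.168.42.1 are assumed. It reports whether both directions of a flow cross the ASA on mirrored interfaces, which is what the firewall's connection table needs to see.

```python
import ipaddress

# Constructed model of the topology described in the reply (not the poster's
# actual config): two ASA interfaces and an L3 switch that also carries both
# subnets, so a host using the switch as gateway never crosses the firewall.
ASA_IFACES = {
    "inside": ipaddress.ip_network("192.168.43.0/24"),    # ASA 192.168.43.254
    "ipoffice": ipaddress.ip_network("192.168.42.0/24"),  # ASA 192.168.42.254
}
ASA_ADDRS = {"192.168.43.254": "inside", "192.168.42.254": "ipoffice"}
SWITCH_ADDRS = {"192.168.43.1", "192.168.42.1"}  # assumed switch SVI addresses


def asa_path(src, dst, gateway):
    """Return the (ingress, egress) ASA interfaces a packet src->dst crosses when
    the source host's default gateway is `gateway`, or None if it bypasses the ASA."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_net = next(n for n in ASA_IFACES.values() if src in n)
    if dst in src_net:
        return None                      # same subnet: delivered at layer 2
    if gateway in SWITCH_ADDRS:
        return None                      # the switch routes between its own SVIs
    if gateway not in ASA_ADDRS:
        raise ValueError(f"unknown gateway {gateway}")
    ingress = ASA_ADDRS[gateway]
    egress = next(name for name, n in ASA_IFACES.items() if dst in n)
    return (ingress, egress)


def is_symmetric(a, b, gw_a, gw_b):
    """Both halves of a flow must traverse the same ASA interface pair (mirrored)
    for the firewall's stateful connection table to see request and reply."""
    fwd, rev = asa_path(a, b, gw_a), asa_path(b, a, gw_b)
    if fwd is None and rev is None:
        return True                      # the flow never touches the firewall
    return fwd is not None and rev is not None and fwd == rev[::-1]


if __name__ == "__main__":
    # Inside host uses the ASA, IPOffice host uses the switch: one-way through the ASA.
    print(is_symmetric("192.168.43.10", "192.168.42.10", "192.168.43.254", "192.168.42.1"))
```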

  • Win 7 VPN client cannot access remote resources beyond the VPN server

    I have a Win 7 laptop from work with the Win 7 VPN client set up, and through it I can access all the allowed resources on the remote network.

    I built a new computer, set up the Win 7 client with exactly the same parameters everywhere, connected to the VPN successfully, but cannot access any of the resources on the remote network that I can from my laptop.

    Win 7 64-bit SP1

    I did some research online, and the suggestions I found had already been applied to my new setup. In addition, I have a second computer on which I have set up the VPN client, and I am having the same problem. The VPN connects successfully but is unable to access the resources.

    Tested with the firewall off.

    The troubleshooting diagnostic reports: your computer seems to be configured correctly; remote resources were detected but did not respond.

    I created another VPN client on the new computer to another remote network and everything works perfectly.

    Remember that the VPN connection to the remote network that does not work on the new computer works perfectly on the Win 7 64-bit laptop.

    So what is different between the "should be" identical configurations, where the work laptop works and the two new machines do not?

    It must be something stupid.

    Hello

    This question is more suited for a TechNet audience. I suggest you send the query to the Microsoft TechNet forum. See the link below to do so:
    https://social.technet.Microsoft.com/forums/Windows/en-us/home?Forum=w7itpronetworking

    Please let us know if you have more queries on Windows.

  • Cannot access internal network over AnyConnect SSL VPN, ASA 9.1(6)

    Hello Cisco community support,

    I have a lab which consists of two virtual environments connected to a 3750-G switch, which is connected to a 2901 router, which is connected to an ASA 5512-X, which is connected to my ISP gateway. I configured SSL VPN using AnyConnect and can establish a VPN to the ASA from the outside, but once connected I can't access internal network resources or the internet. My network information and ASA configuration are listed below. Thank you for any assistance you can offer.

    ISP gateway network: 10.1.10.0/24

    ASA to router network: 10.1.40.0/30

    VPN DHCP pool: 10.1.30.0/24

    Range network: 10.1.20.0/24

    Development network: 10.1.10.0/24

    : Saved
    :
    : Serial Number: FCH18477CPT
    : Hardware: ASA5512, 4096 MB RAM, CPU Clarkdale 2793 MHz, 1 CPU (2 cores)
    :
    ASA Version 9.1(6)
    !
    hostname ctcndasa01
    enable password bcn1WtX5vuf3YzS3 encrypted
    names
    ip local pool cnd-vpn-dhcp-pool 10.1.30.1-10.1.30.200 mask 255.255.255.0
    !
    interface GigabitEthernet0/0
     nameif inside
     security-level 100
     ip address 10.1.40.1 255.255.255.252
    !
    interface GigabitEthernet0/1
     nameif outside
     security-level 0
     ip address X.X.X.237 255.255.255.248
    !
    interface GigabitEthernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/4
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/5
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     management-only
     nameif management
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    boot system disk0:/asa916-1-smp-k8.bin
    boot system disk0:/asa912-smp-k8.bin
    ftp mode passive
    same-security-traffic permit intra-interface
    object network NETWORK_OBJ_10.1.30.0_24
     subnet 10.1.30.0 255.255.255.0
    object network obj_any
    object network obj_10.1.40.0
     subnet 10.1.40.0 255.255.255.0
    object network obj_10.1.30.0
     subnet 10.1.30.0 255.255.255.0
    access-list outside_access_in extended permit ip object NETWORK_OBJ_10.1.30.0_24 any
    access-list NAT-FREE extended permit ip 10.1.40.0 255.255.255.0 10.1.30.0 255.255.255.0
    access-list 101 extended permit icmp any4 any4 echo-reply
    access-list split standard permit 10.1.40.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any outside
    asdm image disk0:/asdm-743.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static obj_10.1.40.0 obj_10.1.40.0 destination static obj_10.1.30.0 obj_10.1.30.0 no-proxy-arp route-lookup
    nat (inside,outside) source static any any destination static NETWORK_OBJ_10.1.30.0_24 NETWORK_OBJ_10.1.30.0_24 no-proxy-arp route-lookup
    access-group outside_access_in in interface outside
    !
    router eigrp 1
     network 10.1.10.0 255.255.255.0
     network 10.1.20.0 255.255.255.0
     network 10.1.30.0 255.255.255.0
     network 10.1.40.0 255.255.255.252
    !
    route outside 0.0.0.0 0.0.0.0 10.1.10.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    no user-identity enable
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 192.168.1.0 255.255.255.0 inside
    http X.X.X.238 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
     enrollment self
     fqdn none
     subject-name CN=10.1.30.254,CN=ctcndasa01
     keypair ASDM_LAUNCHER
     crl configure
    crypto ca trustpool policy
    crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
     certificate c902a155
      quit
    telnet timeout 5
    ssh stricthostkeycheck
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    vpn-addr-assign local reuse-delay 360
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl trust-point ASDM_Launcher_Access_TrustPoint_0 vpnlb-ip
    ssl trust-point ASDM_Launcher_Access_TrustPoint_0 outside
    webvpn
     enable outside
     anyconnect image disk0:/anyconnect-linux-3.1.09013-k9.pkg 4
     anyconnect image disk0:/anyconnect-macosx-i386-3.1.09013-k9.pkg 5
     anyconnect image disk0:/anyconnect-win-3.1.09013-k9.pkg 6
     anyconnect enable
     tunnel-group-list enable
    group-policy GroupPolicy_cnd-vpn internal
    group-policy GroupPolicy_cnd-vpn attributes
     wins-server none
     dns-server value 8.8.8.8
     vpn-tunnel-protocol ssl-client
     default-domain none
    username xxxx password GCOh1bma8K1tKZHa encrypted
    tunnel-group cnd-vpn type remote-access
    tunnel-group cnd-vpn general-attributes
     address-pool cnd-vpn-dhcp-pool
     default-group-policy GroupPolicy_cnd-vpn
    tunnel-group cnd-vpn webvpn-attributes
     group-alias cnd-vpn enable
    !
    class-map icmp-class
     match default-inspection-traffic
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map icmp_policy
     class icmp-class
      inspect icmp
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    !
    service-policy global_policy global
    service-policy icmp_policy interface outside
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:261228832f3b57983bcc2b4ed5a8a9d0
    : end
    asdm image disk0:/asdm-743.bin
    no asdm history enable
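As an added check (not code from the thread or from Cisco), a Python routine that parses the twice-NAT, object and EIGRP network statements of a running-config excerpt like the one above and lists inside networks that have no identity-NAT rule toward the VPN pool, the usual reason a remote-access VPN connects but reaches nothing inside. The constructed sample reuses the post's object names but leaves out its `any any` exemption so the check has something to report.

```python
import ipaddress
import re

# Constructed excerpt modelled on the posted running-config; the post's
# "source static any any" exemption is deliberately omitted here.
SAMPLE_CONFIG = """\
ip local pool cnd-vpn-dhcp-pool 10.1.30.1-10.1.30.200 mask 255.255.255.0
object network obj_10.1.40.0
 subnet 10.1.40.0 255.255.255.0
object network obj_10.1.30.0
 subnet 10.1.30.0 255.255.255.0
nat (inside,outside) source static obj_10.1.40.0 obj_10.1.40.0 destination static obj_10.1.30.0 obj_10.1.30.0 no-proxy-arp route-lookup
router eigrp 1
 network 10.1.10.0 255.255.255.0
 network 10.1.20.0 255.255.255.0
 network 10.1.40.0 255.255.255.252
"""
ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_objects(cfg):
    """Map 'object network' names to their subnet; the keyword 'any' covers all."""
    objs, name = {"any": ANY}, None
    for line in cfg.splitlines():
        if m := re.match(r"object network (\S+)", line):
            name = m.group(1)
        elif (m := re.match(r"\s+subnet (\S+) (\S+)", line)) and name:
            objs[name] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
    return objs


def missing_identity_nat(cfg):
    """Return inside networks (from the EIGRP network statements) with no
    identity-NAT rule (real == mapped on both sides) covering traffic to the pool."""
    objs = parse_objects(cfg)
    pool = ipaddress.ip_network(
        re.search(r"ip local pool \S+ (\S+)-\S+ mask (\S+)", cfg).expand(r"\1/\2"),
        strict=False)
    # Twice-NAT rules as (src_real, src_mapped, dst_real, dst_mapped) names.
    rules = re.findall(r"nat \(\S+,\S+\) source static (\S+) (\S+) "
                       r"destination static (\S+) (\S+)", cfg)
    exempt = [(objs[s], objs[d]) for s, sm, d, dm in rules
              if s == sm and d == dm and s in objs and d in objs]
    inside = [ipaddress.ip_network(f"{a}/{m}")
              for a, m in re.findall(r"^\s+network (\S+) (\S+)", cfg, re.M)]
    return sorted(str(n) for n in inside
                  if not any(src.supernet_of(n) and dst.supernet_of(pool)
                             for src, dst in exempt))


if __name__ == "__main__":
    print("inside networks without NAT exemption to the pool:", missing_identity_nat(SAMPLE_CONFIG))
```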

    Can you confirm that this is correct: your diagram shows the public IP address on the ASA as a /30, while you have assigned it on the 'outside' interface as a /29?
