Cannot access subnet when VPN'd in

When I VPN into our network, it gives me an IP address in the range: 192.168.200.1 - 192.168.200.50.

The following access works when VPN'd in: 192.168.200.x -> 10.2.28.x

The following access does not work when VPN'd in: 192.168.200.x -> 192.168.50.x

Can someone please let me know what I need in the PIX config to make it work?

Thank you

Thomas

1. Add 192.168.50.0 to your split tunnel ACL

access-list remotevpnbhc_splitTunnelAcl permit ip 192.168.50.0 255.255.252.0 any

2. Add the traffic between the VPN client and 192.168.50.0 to the ACL that is used by NAT 0

access-list vpn_insideacl permit ip 192.168.50.0 255.255.252.0 192.168.200.0 255.255.255.0
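
One way to check both steps against a config before and after the change, as an added example that is not part of the original answer. The parser handles only `permit ip` lines in PIX `access-list` syntax; the 10.2.28.0/24 entries are assumed, the sample config is constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample in PIX access-list syntax. ACL names and the client pool
# are the thread's; the 10.2.28.0/24 lines are an assumption about what
# already makes 10.2.28.x reachable.
BEFORE = """\
access-list remotevpnbhc_splitTunnelAcl permit ip 10.2.28.0 255.255.255.0 any
access-list vpn_insideacl permit ip 10.2.28.0 255.255.255.0 192.168.200.0 255.255.255.0
"""

# The two lines from steps 1 and 2.
FIX = """\
access-list remotevpnbhc_splitTunnelAcl permit ip 192.168.50.0 255.255.252.0 any
access-list vpn_insideacl permit ip 192.168.50.0 255.255.252.0 192.168.200.0 255.255.255.0
"""

VPN_POOL = "192.168.200.0/24"


def _take_net(tokens):
    """Pop one address spec (any | host A | A MASK) and return its network."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # strict=False: as a masked match, 192.168.50.0 255.255.252.0 covers
    # 192.168.48.0 - 192.168.51.255, i.e. 192.168.48.0/22.
    return ipaddress.ip_network(f"{head}/{tokens.pop(0)}", strict=False)


def parse_acls(config):
    """Return {acl_name: [(source_net, dest_net), ...]} for 'permit ip' lines."""
    acls = {}
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"] or tokens[2:4] != ["permit", "ip"]:
            continue
        rest = tokens[4:]
        try:
            src, dst = _take_net(rest), _take_net(rest)
        except (IndexError, ValueError):
            continue  # malformed or unsupported line: ignore it
        acls.setdefault(tokens[1], []).append((src, dst))
    return acls


def check_target(config, target, split_acl="remotevpnbhc_splitTunnelAcl",
                 nat0_acl="vpn_insideacl", pool=VPN_POOL):
    """Report whether an inside host is covered by both ACLs for VPN clients.

    split_tunnel: the client is told to send traffic for the host down the tunnel.
    nat0:         host -> pool traffic is exempted from NAT on the firewall.
    """
    acls = parse_acls(config)
    host = ipaddress.ip_address(target)
    pool_net = ipaddress.ip_network(pool)
    in_split = any(host in src for src, _ in acls.get(split_acl, []))
    in_nat0 = any(host in src and pool_net.subnet_of(dst)
                  for src, dst in acls.get(nat0_acl, []))
    return {"split_tunnel": in_split, "nat0": in_nat0}


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", BEFORE + FIX)):
        for host in ("10.2.28.10", "192.168.50.20"):
            print(label, host, check_target(cfg, host))
```

A host is reachable from the pool only when both values are true; a mistyped octet in the NAT 0 entry shows up as `split_tunnel` true with `nat0` false.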

Tags: Cisco Security

Similar Questions

  • 1811 VPN - cannot access subnets

    Hello

    Still trying to get my VPN config finished, but I have problems accessing the networks over the VPN.

    I can access (ping) devices attached to VLAN 4 192.168.4.0 but I cannot access any device on VLAN2 192.168.0.0, VLAN5 192.168.1.0.

    I can ping the IP configured for each VLAN: 192.168.0.249, 192.168.1.249, 192.168.5.249

    From the Cisco 1811 console I can ping devices on the subnets 192.168.0.0, 192.168.1.0, and 192.168.4.0.

    VLAN 3 has nothing connected yet.

    Any help much appreciated

    Brad

    That's the problem.

    Other routers should have a route back to this router when traffic is destined for 192.168.5.x (VPN pool)

    Federico.

  • Users cannot access internet when connected VPN

    Hello

    I have users located outside the United States who VPN into our system. Once connected, they get an address from the pool designated for them. However, they are unable to connect to the internet when connected. I don't want to use split tunneling because some of the sites they connect to will not work properly because their IP address is located outside the United States. I tried both without client anyconnect and vpn client version

    Hi, this link might help you:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805734ae.shtml

    HTH

    Ingo

  • Cannot access Internet when connected to the VPN

    I have mobile users using the Cisco VPN client (4.0.5B) to connect to a customer 837. They can connect and access internal/remote network resources OK. However, they are unable to access the Internet at the same time. I also had this problem where some users were connecting to a PIX, but managed to solve it just by using the vpngroup split-tunnel and appropriate ACL commands. All I can find on the Cisco site is that it is possible by specifying an ACL, but I don't know where to specify this. Thank you.

    Here are examples of code,

    access-list 100 permit ip <837 inside net> <837 inside net mask>

    crypto isakmp client configuration group ciscovpn

    key cisco123

    pool vpnpool

    acl 100

  • Apple Watch 2 cannot access Siri when the phone is charging

    My iPhone is plugged in and my Apple Watch says that it cannot connect to Siri a mere 6 feet away. Has anyone else experienced this problem and/or been able to solve it?

    Hello

    The following steps may help:

    • On your iPhone, go to: Settings > Siri - disable it, pause for a few moments, and then reactivate Siri.

  • Cannot access ASDM over VPN

    I'm VPN'ing into an ASA, and once I have, I can access everything on the local network.  However, I cannot connect to the firewall with ASDM.  Can someone check this config and see if there is something missing?

    Show u run

    : Saved

    :

    ASA 4,0000 Version 1

    !

    Bryan - ASA host name

    activate the encrypted password of Z77JKH8dh1FhRD4u

    2KFQnbNIdI.2KYOU encrypted passwd

    names of

    !

    interface Ethernet0/0

    switchport access vlan 2

    !

    interface Ethernet0/1

    !

    interface Ethernet0/2

    !

    interface Ethernet0/3

    !

    interface Ethernet0/4

    !

    interface Ethernet0/5

    !

    interface Ethernet0/6

    !

    interface Ethernet0/7

    !

    interface Vlan1

    nameif inside

    security-level 100

    IP 10.50.0.1 255.255.255.0

    !

    interface Vlan2

    nameif outside

    security-level 0

    IP address dhcp setroute

    !

    boot system Disk0: / asa844-1 - k8.bin

    passive FTP mode

    permit same-security-traffic intra-interface

    network obj_any object

    subnet 0.0.0.0 0.0.0.0

    network of the NETWORK_OBJ_10.50.0.0_24 object

    10.50.0.0 subnet 255.255.255.0

    network object obj - 10.0.0.0 - 01

    subnet 10.0.0.0 255.0.0.0

    network object obj - 10.0.0.0

    subnet 10.0.0.0 255.0.0.0

    network object obj - 10.50.0.0

    10.50.0.0 subnet 255.255.255.0

    network object obj - 10.50.0.90

    Home 10.50.0.90

    object-group network RFC1918

    object-network 192.168.0.0 255.255.0.0

    object-network 10.0.0.0 255.0.0.0

    object-group network rfc1918

    extended permitted inside a whole icmp access list

    access inside extended ip permit list an entire

    extended permitted outside-acl access list tcp any object obj - 10.50.0.90 eq 41790

    allowed IP extended ip access list a whole

    allow traffic_for_ips to access extensive ip list a whole

    Standard split-acl access-list allowed 10.50.0.0 255.255.255.0

    pager lines 24

    asdm of logging of information

    Within 1500 MTU

    Outside 1500 MTU

    10.50.0.225 mask - local 10.50.0.240 pool POOL VPN IP 255.255.255.0

    ICMP unreachable rate-limit 1 burst-size 1

    ASDM image disk0: / asdm-649 - 103.bin

    don't allow no asdm history

    ARP timeout 14400

    NAT dynamic interface of RFC1918 source (indoor, outdoor)

    NAT (inside, outside) source static obj - 10.0.0.0 obj - 10.0.0.0 destination static obj - 10.0.0.0 obj - 10.0.0.0 - route search

    !

    network obj_any object

    NAT dynamic interface (indoor, outdoor)

    network object obj - 10.50.0.90

    NAT (inside, outside) interface static 41790 41790 tcp service

    Access-group acl outside in external interface

    Timeout xlate 03:00

    Pat-xlate timeout 0:00:30

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    Floating conn timeout 0:00:00

    dynamic-access-policy-registration DfltAccessPolicy

    identity of the user by default-domain LOCAL

    the ssh LOCAL console AAA authentication

    Enable http server

    http 10.50.0.0 255.255.255.0 inside

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

    Crypto ipsec transform-set esp-3des esp-md5-hmac CIMCO_MAN_TRANS ikev1

    Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set CIMCO_MAN_TRANS ikev1

    Crypto than dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 the value reverse-road

    card crypto OUTSIDE_MAP 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

    OUTSIDE_MAP interface card crypto outside

    Crypto ca trustpoint ASDM_TrustPoint0

    registration auto

    name of the object CN = Bryan - ASA

    Configure CRL

    Crypto ikev1 allow outside

    IKEv1 crypto policy 100

    preshared authentication

    3des encryption

    md5 hash

    Group 2

    life 86400

    Telnet 10.50.0.0 255.255.255.0 inside

    Telnet 0.0.0.0 0.0.0.0 inside

    Telnet timeout 30

    SSH 0.0.0.0 0.0.0.0 inside

    SSH 0.0.0.0 0.0.0.0 outdoors

    SSH timeout 5

    SSH group dh-Group1-sha1 key exchange

    Console timeout 0

    management-access inside

    dhcpd outside auto_config

    !

    dhcpd address 10.50.0.10 - 10.50.0.40 inside

    interface dns 4.2.2.2 dhcpd inside

    dhcpd allow inside

    !

    a basic threat threat detection

    Statistics-list of access threat detection

    no statistical threat detection tcp-interception

    SSL-trust outside ASDM_TrustPoint0 point

    WebVPN

    allow outside

    AnyConnect image disk0:/anyconnect-win-2.5.6005-k9.pkg 1

    AnyConnect profiles AnyConnect disk0: / anyconnect.xml

    AnyConnect enable

    tunnel-group-list activate

    attributes of Group Policy DfltGrpPolicy

    4.2.2.2 DNS server value

    L2TP ipsec VPN-tunnel-Protocol ikev1 ssl-clientless ssl-client

    Split-tunnel-policy tunnelspecified

    Split-tunnel-network-list value split-acl

    WebVPN

    AnyConnect value AnyConnect user type profiles

    internal group VPNCLIENT strategy

    attributes VPNCLIENT-group policy

    4.2.2.2 DNS server value

    Ikev1 VPN-tunnel-Protocol

    Split-tunnel-policy tunnelspecified

    Split-tunnel-network-list value split-acl

    Randall.local value by default-field

    WebVPN

    AnyConnect value AnyConnect user type profiles

    bryan 9yyVnd5p1Ke6w1Iu of encrypted privilege 15 password username

    john nFEF0Xku7smzSs4N of encrypted privilege 15 password username

    attributes global-tunnel-group DefaultRAGroup

    address VPN-POOL pool

    attributes global-tunnel-group DefaultWEBVPNGroup

    address VPN-POOL pool

    tunnel-group VPNCLIENT type remote access

    tunnel-group VPNCLIENT-global attributes

    address VPN-POOL pool

    Group Policy - by default-VPNCLIENT

    tunnel-group VPNCLIENT ipsec-attributes

    IKEv1 pre-shared-key *.

    authentication of the user IKEv1 no

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    type of policy-card inspect dns preset_dns_map

    parameters

    maximum message length automatic of customer

    message-length maximum 512

    Policy-map global_policy

    class inspection_default

    inspect the preset_dns_map dns

    inspect the ftp

    inspect h323 h225

    inspect the h323 ras

    inspect the rsh

    inspect the rtsp

    inspect esmtp

    inspect sqlnet

    inspect the skinny

    inspect sunrpc

    inspect xdmcp

    inspect the sip

    inspect the netbios

    inspect the tftp

    Review the ip options

    inspect the icmp

    !

    global service-policy global_policy

    context of prompt hostname

    no remote anonymous reporting call

    Cryptochecksum:a1ca799b8bae183cc32eeb34ca2272bb

    : end

    Bryan - ASA # exit

    Closure of session

    Thanks for the update John!

    You did a great job with your ASA and we confirmed that.

    Please mark this message as answered and rate any useful answers.

    Good day.

  • Cannot access BIOS when OS disk is encrypted with BitLocker; booting with the USB key does not unlock the disk

    Hello

    I enabled BitLocker on my Acer Aspire 5315. The system partition is encrypted, and so is the data partition. My motherboard doesn't have a TPM chip, so I opted to unlock with a USB key.

    When I start the PC or wake it from hibernation, the BIOS splash screen (with the Acer logo) does not display the information at the bottom on how to access the BIOS (press F2) or the boot menu (F12). And therefore I can't access those as I used to.

    BitLocker does not take the USB key into account, then asks for the password to unlock the hard drive. Then Windows starts fine.

    However, on a restart (from Windows or after entering the wrong BitLocker password too many times), the BIOS splash screen is normal (with how to access the BIOS and boot menu), I can access the BIOS by pressing F2 AND BitLocker successfully unlocks the hard drive with the USB flash drive without asking for the password.

    So, my question is: how do I get BitLocker to unlock the hard disk automatically via the USB key when the PC starts?

    Thank you for reading.

    Note: I posted this question on http://social.technet.microsoft.com/Forums/en-US/w8itprosecurity/threads they suggested that I ask the Acer support.

    Thank you also for seeking answers in the TechNet forums.  I'm sorry that you were unable to get a more complete answer there.

    We suggest that you uninstall BitLocker and decrypt the drive to determine if this restores your ability to access the BIOS.

  • Cannot access Internet on VPN 3005 concentrator

    I installed a new concentrator 3005. I am able to connect using the Cisco VPN client. Everything seems to work except the Internet. I am able to access everything in the local network, including local intranet Web pages. If I try to access Web pages on the outside, it does not. Any ideas?

    OK, so it seems there is a configuration or routing problem somewhere. What does the VPN concentrator routing table look like? Is there a default route set correctly? Can you ping the default gateway?

    Is NAT used? Is it possible the problem is that packets are not properly NATed out to the internet?

  • Cannot access internet when you configure with internet connection sharing.

    INTERNET HELP?

    I tried to share the internet connection of my wireless laptop with my non-wireless PC using an Ethernet cable. I connected my non-wireless PC to my wireless laptop with an Ethernet cable, I did everything as instructed on the "Dummies" site and the PC says it's connected, but when I try to go on Internet Explorer, it does not work? HELP! :( PS: my PC is Windows Vista and my laptop Windows 7

    Hello

    1. Was Internet sharing working fine before?
    2. Did you make any changes on your computers before this problem?

    I suggest you follow these methods and check.

    Method 1: You can follow the Windows Help article below and check that ICS is set up correctly.
    Set up a shared Internet connection using ICS (Internet Connection Sharing)
    http://Windows.Microsoft.com/en-us/Windows7/set-up-a-shared-Internet-connection-using-ICS-Internet-connection-sharing
    If ICS is not configured correctly, then post back the result of running the following command.
    To do this:
    a. Click the Start button.
    b. Type cmd in the search box.
    c. In the command prompt, type 'ipconfig /all' and check the result.

    Take a screenshot of the command prompt and post.
    To take a screenshot, you can follow this link below.
    Use capture tool to capture screenshots
    http://Windows.Microsoft.com/en-us/Windows-Vista/use-Snipping-Tool-to-capture-screen-shots

    Method 2:  Windows wireless and wired network connection problems
    http://Windows.Microsoft.com/en-us/Windows/help/wired-and-wireless-network-connection-problems-in-Windows?T1=Tab03

    I hope this helps.

    Thank you.

  • AnyConnect VPN users cannot access remote subnets?

    I googled this until blue in the face without result.  I don't understand why Cisco makes this so difficult?  When clients connect to the AnyConnect VPN, they can access the local subnet, but cannot access the resources in remote offices.  What should I do to allow my AnyConnect VPN clients access to my remote sites?

    Cisco 5510 8.4

    Hello

    What are the remote sites using as their Internet gateway? Does their default route lead to this ASA or do they have their own Internet gateway? If they use this ASA for their Internet connection, then they should already have a default route that leads traffic for the VPN pool to this ASA, even if they had no specific route for the VPN pool itself. If they use their own local Internet gateway and the default route is not directed to this ASA, then you would naturally need a route on the remote site (and anything in between) telling the remote site where to reach the VPN pool network 10.10.224.0/24.

    In addition to routing, you must have NAT0 configured between each remote site and the VPN pool

    Just a simple example of a NAT0 configuration for 4 networks behind the ASA and a single VPN pool might look like this

    object-group network REMOTE-SITES

    network-object 10.10.10.0 255.255.255.0

    network-object 10.10.20.0 255.255.255.0

    network-object 10.10.30.0 255.255.255.0

    network-object 10.10.40.0 255.255.255.0

    object network VPN-POOL

    subnet 10.10.224.0 255.255.255.0

    nat (inside,outside) source static REMOTE-SITES REMOTE-SITES destination static VPN-POOL VPN-POOL

    The above of course assumes that the remote sites are located behind the 'inside' interface (through some network, MPLS) and naturally the remote site networks are made up for the sake of the example.

    Since you are using Full Tunnel VPN, there should be no problem with the VPN users' traffic being forwarded to the ASA in question.

    My first things to check would be the NAT0 configuration on the ASA and the routing between the remote sites and this ASA (with regard to reaching the VPN pool, not the ASA network IP address)

    Are you sure that the configuration above is related to this? It's my understanding that AnyConnect uses only IKEv2 and the foregoing is strictly defined for IKEv1?

    -Jouni

  • Cisco ASA 8.4 (3) remote access VPN - client connects but cannot access inside the network

    I have problems accessing resources inside the network when connecting with the Cisco VPN client to a Cisco ASA 5510 running version 8.4 (3). I tried all the new 8.4 NAT commands but cannot access the inside network. I can see traffic in the logs when I ping. I can only assume I have the NAT wrong, or is it because the inside interface of the ASA is on the same /24 subnet as the inside network? Please see the config below, any suggestion would be appreciated. I configured a site-to-site VPN on this same 5510 and it works well

    Thank you

    interface Ethernet0/0

    Speed 100

    full duplex

    nameif outside

    security-level 0

    IP x.x.x.x 255.255.255.240

    !

    interface Ethernet0/1

    Speed 100

    full duplex

    nameif inside

    security-level 100

    IP 10.88.10.254 255.255.255.0

    !

    interface Management0/0

    Shutdown

    nameif management

    security-level 0

    no ip address

    !

    permit same-security-traffic inter-interface

    permit same-security-traffic intra-interface

    network of the PAT_to_Outside_ClassA object

    10.88.0.0 subnet 255.255.0.0

    network of the PAT_to_Outside_ClassB object

    subnet 172.16.0.0 255.240.0.0

    network of the PAT_to_Outside_ClassC object

    Subnet 192.168.0.0 255.255.240.0

    network of the LocalNetwork object

    10.88.0.0 subnet 255.255.0.0

    network of the RemoteNetwork1 object

    Subnet 192.168.0.0 255.255.0.0

    network of the RemoteNetwork2 object

    172.16.10.0 subnet 255.255.255.0

    network of the RemoteNetwork3 object

    10.86.0.0 subnet 255.255.0.0

    network of the RemoteNetwork4 object

    10.250.1.0 subnet 255.255.255.0

    network of the NatExempt object

    10.88.10.0 subnet 255.255.255.0

    the Site_to_SiteVPN1 object-group network

    object-network 192.168.4.0 255.255.254.0

    object-network 172.16.10.0 255.255.255.0

    object-network 10.0.0.0 255.0.0.0

    outside_access_in deny ip extended access list a whole

    inside_access_in of access allowed any ip an extended list

    11 extended access-list allow ip 10.250.1.0 255.255.255.0 any

    outside_1_cryptomap to access extended list ip 10.88.0.0 255.255.0.0 allow object-group Site_to_SiteVPN1

    mask 10.250.1.1 - 10.250.1.254 255.255.255.0 IP local pool Admin_Pool

    NAT static NatExempt NatExempt of the source (indoor, outdoor)

    NAT (inside, outside) static source any any static destination RemoteNetwork4 RemoteNetwork4-route search

    NAT static LocalNetwork LocalNetwork destination (indoor, outdoor) static source RemoteNetwork1 RemoteNetwork1

    NAT static LocalNetwork LocalNetwork destination (indoor, outdoor) static source RemoteNetwork2 RemoteNetwork2

    NAT static LocalNetwork LocalNetwork destination (indoor, outdoor) static source RemoteNetwork3 RemoteNetwork3

    NAT (inside, outside) static source LocalNetwork LocalNetwork static destination RemoteNetwork4 RemoteNetwork4-route search

    !

    network of the PAT_to_Outside_ClassA object

    NAT dynamic interface (indoor, outdoor)

    network of the PAT_to_Outside_ClassB object

    NAT dynamic interface (indoor, outdoor)

    network of the PAT_to_Outside_ClassC object

    NAT dynamic interface (indoor, outdoor)

    Access-group outside_access_in in interface outside

    inside_access_in access to the interface inside group

    Route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

    dynamic-access-policy-registration DfltAccessPolicy

    Sysopt connection timewait

    Service resetoutside

    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac

    Crypto ipsec transform-set esp-ikev1 esp-md5-hmac bh-series

    Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

    Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

    Crypto-map dynamic dynmap 10 set pfs

    Crypto-map dynamic dynmap 10 set transform-set bh - set ikev1

    life together - the association of security crypto dynamic-map dynmap 10 28800 seconds

    Crypto-map dynamic dynmap 10 kilobytes of life together - the association of safety 4608000

    Crypto-map dynamic dynmap 10 the value reverse-road

    card crypto mymap 1 match address outside_1_cryptomap

    card crypto mymap 1 set counterpart x.x.x.x

    card crypto mymap 1 set transform-set ESP-AES-256-SHA ikev1

    card crypto mymap 86400 seconds, 1 lifetime of security association set

    map mymap 1 set security-association life crypto kilobytes 4608000

    map mymap 100-isakmp ipsec crypto dynamic dynmap

    mymap outside crypto map interface

    crypto isakmp identity address

    Crypto isakmp nat-traversal 30

    Crypto ikev1 allow outside

    IKEv1 crypto ipsec-over-tcp port 10000

    IKEv1 crypto policy 5

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 10

    preshared authentication

    3des encryption

    sha hash

    Group 1

    life 86400

    IKEv1 crypto policy 50

    preshared authentication

    the Encryption

    md5 hash

    Group 2

    life 86400

    IKEv1 crypto policy 60

    preshared authentication

    aes-256 encryption

    sha hash

    Group 2

    life 86400

    IKEv1 crypto policy 70

    preshared authentication

    aes-256 encryption

    sha hash

    Group 1

    life 86400

    IKEv1 crypto policy 90

    preshared authentication

    aes encryption

    sha hash

    Group 2

    life 86400

    Telnet timeout 5

    Console timeout 0

    management-access inside

    a basic threat threat detection

    Statistics-list of access threat detection

    no statistical threat detection tcp-interception

    WebVPN

    internal BACKDOORVPN group policy

    BACKDOORVPN group policy attributes

    value of VPN-filter 11

    Ikev1 VPN-tunnel-Protocol

    Split-tunnel-policy tunnelall

    BH.UK value by default-field

    type tunnel-group BACKDOORVPN remote access

    attributes global-tunnel-group BACKDOORVPN

    address pool Admin_Pool

    Group Policy - by default-BACKDOORVPN

    IPSec-attributes tunnel-group BACKDOORVPN

    IKEv1 pre-shared-key *.

    tunnel-group x.x.x.x type ipsec-l2l

    tunnel-group ipsec-attributes x.x.x.x

    IKEv1 pre-shared-key *.

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    type of policy-card inspect dns preset_dns_map

    parameters

    maximum message length automatic of customer

    message-length maximum 512

    Policy-map global_policy

    class inspection_default

    inspect the preset_dns_map dns

    inspect the ftp

    inspect h323 h225

    inspect the h323 ras

    inspect the rsh

    inspect the rtsp

    inspect esmtp

    inspect sqlnet

    inspect the skinny

    inspect sunrpc

    inspect xdmcp

    inspect the sip

    inspect the netbios

    inspect the tftp

    Review the ip options

    !

    global service-policy global_policy

    Excellent.

    Rate the useful posts.

    Thank you

    Rizwan James

  • VPN users cannot access Tunnel

    Hi all

    I have a problem, I have 2 sites both with ASA 5520, they are both connected via a site to site VPN.

    It works very well all users in site A can access resources in site B and vice versa.

    The problem comes when a user connects to site A over remote-access VPN: they cannot access or even ping anything in site B, even though the FW gives them an IP address in the range for the site.

    Im sure there is something simple that I missed.

    Thank you

    If the VPN Client pool is in the same subnet as the site A LAN, then you are probably just missing the following:

    (1) check if you have a split tunnel policy, and whether the site B LAN is included in the split tunnel ACL.

    (2) configure 'same-security-traffic permit intra-interface' on the site A ASA.

    If the above has been configured, please share the configuration of the two ASAs to further check where it fails.

  • Cannot access remote network via VPN

    Hello

    I'm trying to set up a router vpn access to my office network. The router is connected to the Internet through using pppoe vdsl.
    There is also a public oriented Web server in the office which must be accessible.

    I can access the Web server from the Internet and the vpn connects successfully. I can also ping the LAN Gateway, however, I can't access all the local machines.

    I'm quite puzzled as to why it does not work. Please could someone help.

    The results of tests and the router configuration are listed below. Please let me know if you need additional information.

    Thank you and best regards,
    Simon

    1. routing on the router table
    Router #sh ip route
    Gateway of last resort is ggg.hhh.125.34 to network 0.0.0.0
    xxx.yyy.zzz.0/29 is divided into subnets, subnets 1
    C XXX.yyy.zzz.192 is directly connected, Vlan10
    GGG.hhh.125.0/32 is divided into subnets, subnets 1
    C GGG.HHH.125.34 is directly connected, Dialer0
    172.16.0.0/32 is divided into subnets, subnets 1
    S 172.16.100.50 [1/0] via mmm.nnn.ppp.sss
    S * 0.0.0.0/0 [1/0] via ggg.hhh.125.34

    2. ping PC remotely (172.16.100.50) local GW (172.16.100.1) successful
    > ping 172.16.100.1
    Ping 172.16.100.1 with 32 bytes of data:
    Response to 172.16.100.1: bytes = 32 time = 24ms TTL = 255
    Response to 172.16.100.1: bytes = 32 time = 10ms TTL = 255
    Response to 172.16.100.1: bytes = 32 time = 10ms TTL = 255
    Response to 172.16.100.1: bytes = 32 time = 11ms TTL = 255

    3. ping PC remotely (172.16.100.50) to the local server (172.16.100.10) failure
    > ping 172.16.100.10
    Ping 172.16.100.10 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    4. ping the router to the successful local server
    router #ping 172.16.100.10
    Type to abort escape sequence.
    Send 5, echoes ICMP 100 bytes to 172.16.100.10, wait time is 2 seconds:
    !!!!!
    Success rate is 100 per cent (5/5), round-trip min/avg/max = 1/1/4 ms

    5 see the version
    Cisco IOS software, software of C181X (C181X-ADVIPSERVICESK9-M), Version 12.4 (15) T1, VERSION of the SOFTWARE (fc2)
    ROM: System Bootstrap, Version 12.3 YH6 (8r), RELEASE SOFTWARE (fc1)
    the availability of router is 1 hour, 9 minutes
    System image file is "flash: c181x-advipservicesk9 - mz.124 - 15.T1.bin".
    Cisco 1812-J (MPC8500) processor (revision 0 x 300) with 118784K / 12288K bytes of memory.
    10 FastEthernet interfaces
    1 ISDN basic rate interface
    Configuration register is 0 x 2102

    6. router Config
    AAA authentication login default local
    connection of local AAA VPN authentication.
    AAA authorization exec default local
    local authorization AAA VPN network
    !
    !
    AAA - the id of the joint session
    !
    !
    !
    !
    crypto ISAKMP policy 1
    BA 3des
    preshared authentication
    Group 2
    !
    Configuration group customer isakmp crypto ASI_Group
    key mykey
    DNS aaa.bbb.cccc.ddd
    domain mydomain.com
    pool VPN_Pool
    ACL VPN_ACL
    !
    !
    Crypto ipsec transform-set esp-3des esp-sha-hmac TS1
    !
    crypto dynamic-map 10 DYNMAP
    game of transformation-TS1
    market arriere-route
    !
    !
    list of authentication of VPN client VPN crypto card
    card crypto VPN VPN isakmp authorization list
    crypto map VPN client configuration address respond
    card crypto 10 VPN ipsec-isakmp dynamic DYNMAP
    !
    !
    !
    IP cef
    !
    !
    !
    Authenticated MultiLink bundle-name Panel
    !
    !
    username admin privilege 15 password mypassword
    Archives
    The config log
    hidekeys
    !
    !
    !
    !
    !
    interface FastEthernet0
    WAN description
    no ip address
    no ip redirection
    no ip unreachable
    no ip proxy-arp
    no ip mroute-cache
    automatic duplex
    automatic speed
    PPPoE enable global group
    PPPoE-client dial-pool-number 1
    !
    interface FastEthernet2
    Description Public_LAN_Interface
    switchport access vlan 10
    full duplex
    Speed 100
    !
    FastEthernet6 interface
    Description Private_LAN_Interface
    switchport access vlan 100
    full duplex
    Speed 100
    !
    interface Vlan1
    no ip address
    !
    interface Vlan10
    Public description
    IP address xxx.yyy.zzz.193 255.255.255.248
    no ip redirection
    no ip unreachable
    no ip proxy-arp
    no ip mroute-cache
    !
    interface Vlan100
    172.16.100.1 IP address 255.255.255.0
    no ip redirection
    no ip unreachable
    no ip proxy-arp
    no ip mroute-cache
    !
    interface Dialer0
    IP unnumbered Vlan10
    no ip unreachable
    IP mtu 1452
    IP virtual-reassembly
    encapsulation ppp
    no ip mroute-cache
    Dialer pool 1
    Dialer-Group 1
    Authentication callin PPP chap Protocol
    PPP chap hostname myhostname
    PPP chap password mychappassword
    PPP ipcp dns request accept
    failure to track PPP ipcp
    PPP ipcp address accept
    VPN crypto card
    !
    IP pool local VPN_Pool 172.16.100.50 172.16.100.60
    !
    !
    no ip address of the http server
    no ip http secure server
    !
    VPN_ACL extended IP access list
    IP 172.16.100.0 allow 0.0.0.255 any
    !
    Dialer-list 1 ip protocol allow
    not run cdp
    !
    !

    Simon,

    Basically, when you connect through a VPN Client, the PC routing table is updated automatically as soon as the connection is established. So you do not need to manually add routes. You can check this by doing a "route print" once you are connected.

    Ideally, you need to put your VPN pool on a subnet that does not exist on your physical network; the router would then route traffic between the IP pool and the internal subnet.

    Now, you said that you have a web server with a public IP address that you need to access through the VPN; does that host also have a private IP address on the 172.16.100.0 network? If it isn't then the ACL that I proposed should work. If it only has a public IP then your VPN ACL must have something like

    permit ip 172.16.100.0 0.0.0.255 192.168.100.0 0.0.0.255

    permit ip 219.xxx.yyy.192 0.0.0.7 192.168.100.0 0.0.0.255

    This tells the router and the client to encrypt all traffic between the subnets behind your router and your VPN pool.

    I hope this helps.

    Luis Raga
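
The pool placement advice above, as an added example that is not part of the original posts: a Python check that reads IOS-style `ip address` and `ip local pool` lines and reports any VPN pool that overlaps a connected interface subnet. The sample config is constructed from the thread's values; 198.51.100.193 stands in for the masked public address, and moving the pool to 192.168.100.x is an assumption taken from the ACL suggested in the reply.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the router configuration in the thread.
SAMPLE_CONFIG = """\
interface Vlan10
 ip address 198.51.100.193 255.255.255.248
interface Vlan100
 ip address 172.16.100.1 255.255.255.0
ip local pool VPN_Pool 172.16.100.50 172.16.100.60
"""
# Assumed fix: same config with the pool moved to a subnet no interface uses.
FIXED_CONFIG = SAMPLE_CONFIG.replace("172.16.100.50 172.16.100.60",
                                     "192.168.100.50 192.168.100.60")

def interface_networks(config):
    """Map interface name -> connected network, from ' ip address ADDR MASK' lines."""
    nets, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):          # top-level line: new section
            m = re.match(r"interface (\S+)", line)
            current = m.group(1) if m else None
            continue
        m = re.match(r"\s+ip address (\d\S*) (\d\S*)", line)
        if m and current:
            nets[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
    return nets

def local_pools(config):
    """Map pool name -> (first, last) address, from 'ip local pool NAME FIRST LAST'."""
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+) (\S+)$", config, re.M):
        pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                             ipaddress.ip_address(m.group(3)))
    return pools

def pool_overlaps(config):
    """Return (pool, interface, network) for each pool range touching a connected subnet."""
    findings = []
    nets = interface_networks(config)
    for pool, (first, last) in local_pools(config).items():
        for ifname, net in nets.items():
            # Two ranges overlap when each one starts before the other ends.
            if first <= net.broadcast_address and last >= net.network_address:
                findings.append((pool, ifname, str(net)))
    return findings

if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("pool moved", FIXED_CONFIG)):
        print(label, pool_overlaps(cfg) or "no overlap")
```
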

  • When I connect to Windows Live Hotmail, I see my emails but cannot access them because everything is frozen. A message appears while Live does not and asks me to refresh.

    When I connect to Hotmail, I see my emails but cannot access them because everything is frozen. A message then appears that direct does not and asks me to refresh. Windows looks for a solution and after a further wait everything is accessible. Very annoying, how to cure it?

    Hi techcnophobe1,

    Thank you for visiting the Microsoft answers community.

    The question you have posted is related to using Windows Live and would be better suited to the Windows Live Help Solutions Center. Please visit this link to find a community that will support what you are asking

  • Cannot access my public folder when my firewall is on

    I can't access my public folder when my firewall is turned on. But can access it when my firewall is disabled. I already activated the public folder sharing and file sharing.

    Also, I don't see computers connected to my computer when their firewall is enabled and can see when their firewall is disabled. Why is this?

    You must configure your firewall properly instead of turning it off.

    Excellent, comprehensive, but easy to understand article on sharing files/printer under Vista. Contains information about sharing printers and files, and the folders:

    http://TechNet.Microsoft.com/en-us/library/bb727037.aspx

    Configure the firewall on all machines to allow local area network (LAN) traffic as trusted. With the Windows Firewall, this means allowing File/Printer Sharing on the Exceptions tab. Normally, running the XP Network Setup Wizard will take care of this for those machines. The only "gotcha" is that this will turn on the XPSP2 Windows Firewall. If you are not running a third-party firewall or an antivirus/security program with its own firewall component, then you're fine. With a third-party firewall, I usually set up the LAN allowance with an IP address range. An example would be 192.168.1.0 - 192.168.1.254. Obviously you would substitute your correct subnet. Refer to any third-party security program's Help or user forums for how to correctly configure its firewall. Do not run more than one firewall. DO NOT TURN OFF FIREWALLS; CONFIGURE THEM CORRECTLY.

    If you would like more information, please provide these details:

    1. Operating system versions/Service Pack levels of all machines.
    2. Name of the antivirus/security software used.

    MS - MVP - Elephant Boy Computers - Don't Panic!
