Cannot access subnet when VPN'd in
When I VPN into our network, it gives me an IP address in the range 192.168.200.1 - 192.168.200.50.
The following access works when VPN'd in: 192.168.200.x -> 10.2.28.x
But the following access does not work when VPN'd in: 192.168.200.x -> 192.168.50.x
Can someone please let me know what I need in the PIX config to make it work?
Thank you
Thomas
1. Add 192.168.50.0 to your split tunnel ACL:
access-list remotevpnbhc_splitTunnelAcl permit ip 192.168.50.0 255.255.252.0 any
2. Add the traffic between the VPN clients and 192.168.50.0 to the ACL that is used by NAT 0:
access-list vpn_insideacl permit ip 192.168.50.0 255.255.252.0 192.168.200.0 255.255.255.0
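The answer above boils down to one rule: an inside subnet is reachable from the client pool only if it is covered by both the split-tunnel ACL and the NAT-exemption ACL. The following added checker (written for this page, not code from the thread or from Cisco) parses PIX/ASA-style access-list lines and reports which of the two lists is missing a given subnet; the configuration text it runs on is constructed from the thread's addresses and uses the pre-8.3 `nat (inside) 0 access-list` form, with /24 masks assumed.

```python
"""Check the remote-access VPN reachability rule from the thread above:
an inside subnet is unreachable from the client pool unless it appears in
BOTH the split-tunnel ACL (so the client routes it into the tunnel) and
the NAT-exemption ACL referenced by 'nat (inside) 0 access-list ...'
(so the firewall does not translate inside <-> pool traffic).

Constructed example; the config text mirrors the thread's addresses but
is not the poster's actual configuration."""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    """One access-control entry held as source/destination networks."""
    acl: str
    permit: bool
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network  # a standard ACL has no destination field: ANY


def _take_net(tokens):
    """Consume 'any', 'host A' or 'A MASK' from the front of a token list."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # strict=False tolerates an unaligned entry such as 192.168.50.0 255.255.252.0
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acls(config):
    """Parse 'access-list NAME [standard|extended] permit|deny [ip] SRC [DST]' lines.
    Other commands, remarks and non-IP entries (tcp/udp/icmp) are ignored."""
    aces = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        name, rest = tok[1], tok[2:]
        kind = "extended"
        if rest[0] in ("standard", "extended"):
            kind, rest = rest[0], rest[1:]
        if rest[0] not in ("permit", "deny"):
            continue  # e.g. 'remark'
        permit, rest = rest[0] == "permit", rest[1:]
        if kind == "extended":
            if rest[0] != "ip":
                continue
            src, rest = _take_net(rest[1:])
            dst, _ = _take_net(rest)
        else:
            src, _ = _take_net(rest)
            dst = ANY
        aces.append(Ace(name, permit, src, dst))
    return aces


def _decides(aces, src, dst):
    """First-match over whole subnets: the first entry whose source and
    destination both contain the queried subnets decides. No match = deny."""
    for ace in aces:
        if src.subnet_of(ace.src) and dst.subnet_of(ace.dst):
            return ace.permit
    return False


def audit(config, split_acl, nat0_acl, pool, inside_net):
    """Return both checks for one inside subnet reached from the VPN pool.
    Both lists are evaluated from the inside network's point of view
    (inside subnet as source, pool as destination), which is how
    'nat (inside) 0' and a split-tunnel network list are applied."""
    pool = ipaddress.ip_network(pool)
    inside_net = ipaddress.ip_network(inside_net)
    aces = parse_acls(config)
    return {
        "split_tunnel": _decides([a for a in aces if a.acl == split_acl], inside_net, pool),
        "nat_exempt": _decides([a for a in aces if a.acl == nat0_acl], inside_net, pool),
    }


# Constructed config: 10.2.28.0/24 is in both lists, 192.168.50.0/24 in neither,
# so clients in 192.168.200.0/24 reach the first subnet but not the second.
BROKEN = """\
access-list remotevpnbhc_splitTunnelAcl permit ip 10.2.28.0 255.255.255.0 any
access-list vpn_insideacl permit ip 10.2.28.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list vpn_insideacl
"""
# The fix from the answer above: add 192.168.50.0 to both lists.
FIXED = BROKEN + """\
access-list remotevpnbhc_splitTunnelAcl permit ip 192.168.50.0 255.255.255.0 any
access-list vpn_insideacl permit ip 192.168.50.0 255.255.255.0 192.168.200.0 255.255.255.0
"""
POOL = "192.168.200.0/24"
SPLIT, NAT0 = "remotevpnbhc_splitTunnelAcl", "vpn_insideacl"

if __name__ == "__main__":
    for label, cfg in (("before", BROKEN), ("after", FIXED)):
        for net in ("10.2.28.0/24", "192.168.50.0/24"):
            print(label, net, audit(cfg, SPLIT, NAT0, POOL, net))
```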
Tags: Cisco Security
Similar Questions
-
1811 VPN - cannot access subnets
Hello
Still trying to get my VPN config finished, but I have problems accessing the networks over the VPN.
I can access (ping) devices attached to VLAN 4 192.168.4.0 but I cannot access any device on VLAN 2 192.168.0.0 or VLAN 5 192.168.1.0.
I can ping the IP address configured for each VLAN: 192.168.0.249, 192.168.1.249, 192.168.5.249
From the Cisco 1811 console I can ping devices on the subnets 192.168.0.0, 192.168.1.0 and 192.168.4.0.
VLAN 3 has nothing connected yet.
Any help much appreciated
Brad
That's the problem.
The other routers should have a route back to this router for traffic destined to 192.168.5.x (the VPN pool).
Federico.
-
Users cannot access internet when connected to VPN
Hello
I have users located outside the United States who VPN into our system. Once connected, they get an address from the pool designated for them. However, they are unable to connect to the internet while connected. I don't want to use split tunneling because some of the sites they connect to will not work properly if their IP address is located outside the United States. I tried both the AnyConnect client and the VPN Client.
Hi, this link might help you:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805734ae.shtml
HTH
Ingo
-
Cannot access Internet when connected to the VPN
I have mobile users using the Cisco VPN client (4.0.5B) to connect to a customer's 837. They can connect and access in-house/remote network resources OK. However, they are unable to access the Internet at the same time. I also had this problem where some users were connecting to a PIX, but managed to resolve it by using the vpngroup split-tunnel and appropriate ACL commands. All I can find on the Cisco site is that it is possible by specifying an ACL, but I don't know where to specify this. Thank you. Here are the config excerpts:
access-list 100 permit ip <837 inside net> <837 inside net mask>
crypto isakmp client configuration group ciscovpn
 key cisco123
 pool vpnpool
 acl 100
-
Apple Watch 2 cannot access Siri when the phone is charging
My iPhone is plugged in and my Apple Watch, only 6 feet away, says that it cannot connect to Siri. Has anyone else experienced this problem and/or been able to solve it?
Hello
The following steps may help:
- On your iPhone, go to: Settings > Siri - disable it, pause for a few moments, and then re-enable Siri.
- If it does not immediately help, then restart both devices.
- Turn both off, and then restart your iPhone first:
- Restart your iPhone, iPad or iPod touch - Apple Support
- Restart your Apple Watch - Apple Support
- If the problem persists, then unpair and re-pair your watch:
- The Watch app on your iPhone takes a backup of your watch automatically when unpairing; in the app, choose to restore from backup during setup. Most of the data and settings will be restored, with a few exceptions (for example Apple Pay cards, passcode).
- Unpair your Apple Watch and iPhone - Apple Support
- Set up your Apple Watch - Apple Support
-
I'm VPN'ing into an ASA, and once I have, I can access everything on the local network. However, I cannot connect to the firewall with ASDM. Can someone check this config and see if there is something missing?
show run
: Saved
:
ASA Version 8.4(4)1
!
hostname Bryan-ASA
enable password Z77JKH8dh1FhRD4u encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.50.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
boot system disk0:/asa844-1-k8.bin
ftp mode passive
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.50.0.0_24
 subnet 10.50.0.0 255.255.255.0
object network obj-10.0.0.0-01
 subnet 10.0.0.0 255.0.0.0
object network obj-10.0.0.0
 subnet 10.0.0.0 255.0.0.0
object network obj-10.50.0.0
 subnet 10.50.0.0 255.255.255.0
object network obj-10.50.0.90
 host 10.50.0.90
object-group network RFC1918
 network-object 192.168.0.0 255.255.0.0
 network-object 10.0.0.0 255.0.0.0
object-group network rfc1918
access-list inside extended permit icmp any any
access-list inside extended permit ip any any
access-list outside-acl extended permit tcp any object obj-10.50.0.90 eq 41790
access-list ip extended permit ip any any
access-list traffic_for_ips extended permit ip any any
access-list split-acl standard permit 10.50.0.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN-POOL 10.50.0.225-10.50.0.240 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649-103.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic RFC1918 interface
nat (inside,outside) source static obj-10.0.0.0 obj-10.0.0.0 destination static obj-10.0.0.0 obj-10.0.0.0 route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
object network obj-10.50.0.90
 nat (inside,outside) static interface service tcp 41790 41790
access-group outside-acl in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.50.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set CIMCO_MAN_TRANS esp-3des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set CIMCO_MAN_TRANS
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_MAP interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=Bryan-ASA
 crl configure
crypto ikev1 enable outside
crypto ikev1 policy 100
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet 10.50.0.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 10.50.0.10-10.50.0.40 inside
dhcpd dns 4.2.2.2 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-2.5.6005-k9.pkg 1
 anyconnect profiles AnyConnect disk0:/anyconnect.xml
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 dns-server value 4.2.2.2
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-acl
 webvpn
  anyconnect profiles value AnyConnect type user
group-policy VPNCLIENT internal
group-policy VPNCLIENT attributes
 dns-server value 4.2.2.2
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-acl
 default-domain value Randall.local
 webvpn
  anyconnect profiles value AnyConnect type user
username bryan password 9yyVnd5p1Ke6w1Iu encrypted privilege 15
username john password nFEF0Xku7smzSs4N encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN-POOL
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool VPN-POOL
tunnel-group VPNCLIENT type remote-access
tunnel-group VPNCLIENT general-attributes
 address-pool VPN-POOL
 default-group-policy VPNCLIENT
tunnel-group VPNCLIENT ipsec-attributes
 ikev1 pre-shared-key *****
 ikev1 user-authentication none
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:a1ca799b8bae183cc32eeb34ca2272bb
: end
Bryan-ASA# exit
Session closed
Thanks for the update John!
You did a great job with your ASA and we confirmed that.
Please mark this thread as answered and rate any helpful answer.
Good day.
-
Hello
I enabled BitLocker on my Acer Aspire 5315. The system partition and the data partition are encrypted. My motherboard doesn't have a TPM chip, so I opted for unlocking with a USB key.
When I start the PC or wake it from hibernation, the BIOS boot splash screen (with the Acer logo) does not display the information below it on how to access the BIOS (press F2) or the boot menu (F12). And therefore I can't access those as I used to.
BitLocker does not detect the USB key and then asks for the password to unlock the hard drive. Then Windows starts fine.
However, on a restart (from Windows, or after entering the wrong BitLocker password too many times), the BIOS splash screen is normal (with how to access the BIOS and boot menu), I can access the BIOS by pressing F2 AND BitLocker successfully unlocks the hard drive with the USB flash drive without asking for the password.
So, my question is how can BitLocker unlock the hard disk automatically via the USB key when the PC starts?
Thank you for reading.
Note: I posted this question on http://social.technet.microsoft.com/Forums/en-US/w8itprosecurity/threads and they suggested that I ask Acer support.
Thank you for also seeking answers in the TechNet forums. I'm sorry that you were unable to get a more complete answer there.
We suggest that you uninstall BitLocker and decrypt the drive to determine if this restores your ability to access the BIOS.
-
Cannot access Internet on VPN 3005 concentrator
I installed a new concentrator 3005. I am able to connect using the Cisco VPN client. Everything seems to work except the Internet. I am able to access everything in the local network, including local intranet Web pages. If I try to access Web pages on the outside, it does not. Any ideas?
OK, so it seems there is a configuration or routing problem somewhere. What does the VPN concentrator's routing table look like? Is the default route set correctly? Can you ping the default gateway?
Is NAT used? Is it possible the problem is that packets are not properly NATted out to the internet?
-
Cannot access internet when you configure with internet connection sharing.
INTERNET HELP?
I tried to share the internet connection from my wireless laptop to my non-wireless PC using an Ethernet cable. I connected my non-wireless PC to my wireless laptop with an Ethernet cable, I did everything as described on the "Dummies" site and the PC says it's connected, but when I try to go on Internet Explorer, it does not work? HELP! :( PS: my PC is Windows Vista and my laptop Windows 7
Hello
1. Was Internet sharing working fine before?
2. Did you change anything on your computers before this problem? I suggest you follow these methods and check.
Method 1: You can follow the Windows Help article below and check that ICS is set up correctly.
Set up a shared Internet connection using ICS (Internet Connection Sharing)
http://Windows.Microsoft.com/en-us/Windows7/set-up-a-shared-Internet-connection-using-ICS-Internet-connection-sharing
If ICS is not configured correctly, then post back the result of running the following command.
To do this:
a. Click the Start button.
b. Type cmd in the search box.
c. In the command prompt, type 'ipconfig /all' and check the result. Take a screenshot of the command prompt and post it.
To take a screenshot, you can follow this link below.
Use Snipping Tool to capture screenshots
http://Windows.Microsoft.com/en-us/Windows-Vista/use-Snipping-Tool-to-capture-screen-shots
Method 2: Windows wireless and wired network connection problems
http://Windows.Microsoft.com/en-us/Windows/help/wired-and-wireless-network-connection-problems-in-Windows?T1=Tab03
I hope this helps.
Thank you.
-
AnyConnect VPN users cannot access remote subnets?
I googled this until blue in the face without result. I don't understand why Cisco makes this so difficult. When clients connect to the AnyConnect VPN, they can access the local subnet, but cannot access the resources in remote offices. What should I do to allow my AnyConnect VPN clients access to my remote sites?
Cisco 5510 8.4
Hello
What are the remote sites using as their Internet gateway? Does their default route lead to this ASA, or do they have their own Internet gateway? If they use this ASA for their Internet connection then they should already have a default route that leads traffic for the VPN pool to it, even if they have no specific route for the VPN pool itself. If they use their own local Internet gateway and the default route is not directed to this ASA, then you would naturally need a route on the remote site (and anything in between) telling the remote site where to reach the 10.10.224.0/24 VPN pool network.
In addition to routing, you must have NAT0 configured for each remote site and the VPN pool.
Just a simple example of a NAT0 configuration for 4 networks behind the ASA and a single VPN pool might look like this
object-group network REMOTE-SITES
 network-object 10.10.10.0 255.255.255.0
 network-object 10.10.20.0 255.255.255.0
 network-object 10.10.30.0 255.255.255.0
 network-object 10.10.40.0 255.255.255.0
object network VPN-POOL
 subnet 10.10.224.0 255.255.255.0
nat (inside,outside) source static REMOTE-SITES REMOTE-SITES destination static VPN-POOL VPN-POOL
The above of course assumes that the remote sites are located behind the 'inside' interface (perhaps over some MPLS network) and naturally also that the remote site networks are made up for the sake of the example.
Since you are using Full Tunnel VPN there should be no problem with the VPN user forwarding traffic to this ASA.
The first things I would check would be the NAT0 configuration on the ASA and the routing between the remote sites and this ASA (regarding reaching the VPN pool, not the ASA's network IP address).
Are you sure that the configuration above is related to this? It's my understanding that AnyConnect uses only IKEv2 and the foregoing is strictly defined for IKEv1?
-Jouni
-
I have problems accessing resources within the network when connecting with the Cisco VPN client to a Cisco ASA 5510 running version 8.4(3). I tried all the new 8.4 NAT commands but cannot access the internal network. I can see traffic in the logs when I ping. I can only assume my NAT is wrong, or it's because the inside interface of the ASA is on the same /24 subnet as the internal network? Please see the config below, any suggestion would be appreciated. I configured a site-to-site VPN on this same 5510 and it works well.
Thank you
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.240
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.88.10.254 255.255.255.0
!
interface Management0/0
 shutdown
 nameif management
 security-level 0
 no ip address
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network PAT_to_Outside_ClassA
 subnet 10.88.0.0 255.255.0.0
object network PAT_to_Outside_ClassB
 subnet 172.16.0.0 255.240.0.0
object network PAT_to_Outside_ClassC
 subnet 192.168.0.0 255.255.240.0
object network LocalNetwork
 subnet 10.88.0.0 255.255.0.0
object network RemoteNetwork1
 subnet 192.168.0.0 255.255.0.0
object network RemoteNetwork2
 subnet 172.16.10.0 255.255.255.0
object network RemoteNetwork3
 subnet 10.86.0.0 255.255.0.0
object network RemoteNetwork4
 subnet 10.250.1.0 255.255.255.0
object network NatExempt
 subnet 10.88.10.0 255.255.255.0
object-group network Site_to_SiteVPN1
 network-object 192.168.4.0 255.255.254.0
 network-object 172.16.10.0 255.255.255.0
 network-object 10.0.0.0 255.0.0.0
access-list outside_access_in extended deny ip any any
access-list inside_access_in extended permit ip any any
access-list 11 extended permit ip 10.250.1.0 255.255.255.0 any
access-list outside_1_cryptomap extended permit ip 10.88.0.0 255.255.0.0 object-group Site_to_SiteVPN1
ip local pool Admin_Pool 10.250.1.1-10.250.1.254 mask 255.255.255.0
nat (inside,outside) source static NatExempt NatExempt
nat (inside,outside) source static any any destination static RemoteNetwork4 RemoteNetwork4 route-lookup
nat (inside,outside) source static LocalNetwork LocalNetwork destination static RemoteNetwork1 RemoteNetwork1
nat (inside,outside) source static LocalNetwork LocalNetwork destination static RemoteNetwork2 RemoteNetwork2
nat (inside,outside) source static LocalNetwork LocalNetwork destination static RemoteNetwork3 RemoteNetwork3
nat (inside,outside) source static LocalNetwork LocalNetwork destination static RemoteNetwork4 RemoteNetwork4 route-lookup
!
object network PAT_to_Outside_ClassA
 nat (inside,outside) dynamic interface
object network PAT_to_Outside_ClassB
 nat (inside,outside) dynamic interface
object network PAT_to_Outside_ClassC
 nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
dynamic-access-policy-record DfltAccessPolicy
sysopt connection timewait
service resetoutside
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set bh-set esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set pfs
crypto dynamic-map dynmap 10 set ikev1 transform-set bh-set
crypto dynamic-map dynmap 10 set security-association lifetime seconds 28800
crypto dynamic-map dynmap 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set reverse-route
crypto map mymap 1 match address outside_1_cryptomap
crypto map mymap 1 set peer x.x.x.x
crypto map mymap 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map mymap 1 set security-association lifetime seconds 86400
crypto map mymap 1 set security-association lifetime kilobytes 4608000
crypto map mymap 100 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp nat-traversal 30
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto ikev1 policy 50
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication pre-share
 encryption aes-256
 hash sha
 group 1
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy BACKDOORVPN internal
group-policy BACKDOORVPN attributes
 vpn-filter value 11
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelall
 default-domain value BH.UK
tunnel-group BACKDOORVPN type remote-access
tunnel-group BACKDOORVPN general-attributes
 address-pool Admin_Pool
 default-group-policy BACKDOORVPN
tunnel-group BACKDOORVPN ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
Excellent.
Please rate the helpful post.
Thank you
Rizwan James
-
VPN users cannot access Tunnel
Hi all
I have a problem, I have 2 sites both with ASA 5520, they are both connected via a site to site VPN.
It works very well all users in site A can access resources in site B and vice versa.
The problem comes when a user connects to site A with the remote-user VPN: they cannot access anything in site B, not even ping, even though the FW gives them an IP address in site A's range.
Im sure there is something simple that I missed.
Thank you
If the VPN Client pool is in the same subnet as the site A LAN, then you are probably just missing the following:
(1) Check if you have a split tunnel policy, and whether the site B LAN is included in the split tunnel ACL.
(2) Configure 'same-security-traffic permit intra-interface' on the site A ASA.
If the above has been configured, please share the configuration of the two ASAs to check further where the problem is.
-
Cannot access remote network via VPN
Hello
I'm trying to set up VPN access on a router to my office network. The router is connected to the Internet using PPPoE over VDSL.
There is also a public-facing web server in the office which must be accessible. I can access the web server from the Internet and the VPN connects successfully. I can also ping the LAN gateway, however I can't access any of the local machines.
I'm quite puzzled as to why it does not work. Please could someone help.
The test results and the router configuration are listed below. Please let me know if you need additional information.
Thank you and best regards,
Simon
1. Routing table on the router
Router#sh ip route
Gateway of last resort is ggg.hhh.125.34 to network 0.0.0.0
     xxx.yyy.zzz.0/29 is subnetted, 1 subnets
C       xxx.yyy.zzz.192 is directly connected, Vlan10
     ggg.hhh.125.0/32 is subnetted, 1 subnets
C       ggg.hhh.125.34 is directly connected, Dialer0
     172.16.0.0/32 is subnetted, 1 subnets
S       172.16.100.50 [1/0] via mmm.nnn.ppp.sss
S*   0.0.0.0/0 [1/0] via ggg.hhh.125.34
2. Ping from the remote PC (172.16.100.50) to the local GW (172.16.100.1): successful
> ping 172.16.100.1
Pinging 172.16.100.1 with 32 bytes of data:
Reply from 172.16.100.1: bytes=32 time=24ms TTL=255
Reply from 172.16.100.1: bytes=32 time=10ms TTL=255
Reply from 172.16.100.1: bytes=32 time=10ms TTL=255
Reply from 172.16.100.1: bytes=32 time=11ms TTL=255
3. Ping from the remote PC (172.16.100.50) to the local server (172.16.100.10): failure
> ping 172.16.100.10
Pinging 172.16.100.10 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
4. Ping from the router to the local server: successful
Router#ping 172.16.100.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.100.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
5. show version
Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.4(15)T1, RELEASE SOFTWARE (fc2)
ROM: System Bootstrap, Version 12.3(8r)YH6, RELEASE SOFTWARE (fc1)
Router uptime is 1 hour, 9 minutes
System image file is "flash:c181x-advipservicesk9-mz.124-15.T1.bin"
Cisco 1812-J (MPC8500) processor (revision 0x300) with 118784K/12288K bytes of memory.
10 FastEthernet interfaces
1 ISDN Basic Rate interface
Configuration register is 0x2102
6. Router config
aaa authentication login default local
aaa authentication login VPN local
aaa authorization exec default local
aaa authorization network VPN local
!
!
aaa session-id common
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group ASI_Group
 key mykey
 dns aaa.bbb.cccc.ddd
 domain mydomain.com
 pool VPN_Pool
 acl VPN_ACL
!
!
crypto ipsec transform-set TS1 esp-3des esp-sha-hmac
!
crypto dynamic-map DYNMAP 10
 set transform-set TS1
 reverse-route
!
!
crypto map VPN client authentication list VPN
crypto map VPN isakmp authorization list VPN
crypto map VPN client configuration address respond
crypto map VPN 10 ipsec-isakmp dynamic DYNMAP
!
!
!
ip cef
!
!
!
multilink bundle-name authenticated
!
!
username admin privilege 15 password mypassword
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
 description WAN
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mroute-cache
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface FastEthernet2
 description Public_LAN_Interface
 switchport access vlan 10
 duplex full
 speed 100
!
interface FastEthernet6
 description Private_LAN_Interface
 switchport access vlan 100
 duplex full
 speed 100
!
interface Vlan1
 no ip address
!
interface Vlan10
 description Public
 ip address xxx.yyy.zzz.193 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mroute-cache
!
interface Vlan100
 ip address 172.16.100.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mroute-cache
!
interface Dialer0
 ip unnumbered Vlan10
 no ip unreachables
 ip mtu 1452
 ip virtual-reassembly
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname myhostname
 ppp chap password mychappassword
 ppp ipcp dns request accept
 ppp ipcp route default
 ppp ipcp address accept
 crypto map VPN
!
ip local pool VPN_Pool 172.16.100.50 172.16.100.60
!
!
no ip http server
no ip http secure-server
!
ip access-list extended VPN_ACL
 permit ip 172.16.100.0 0.0.0.255 any
!
dialer-list 1 protocol ip permit
no cdp run
!
!
Simon,
Basically, when you connect through the VPN Client the PC's routing table is updated automatically as soon as the connection is established. You do not need to manually add routes. You can check this by doing a "route print" once you are connected.
Ideally, you need to put your VPN pool on a subnet that does not exist on your physical network; the router would then route traffic between the IP pool and the internal subnet.
Now, you said that you have a web server with a public IP address that you need to access through the VPN; does that host also have a private IP address on 172.16.100.0? If not, then the ACL that I proposed should work. If it only has a public IP then your VPN ACL must have something like
permit ip 172.16.100.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 219.xxx.yyy.192 0.0.0.7 192.168.100.0 0.0.0.255
That tells the router and the client to encrypt all traffic between the subnets behind your router and your VPN pool.
I hope this helps.
Luis Raga
-
When I connect to Hotmail, I see my emails but cannot access them; everything is frozen. A message then appears saying that Live is not responding and asks me to refresh. Windows looks for a solution and after another wait everything is accessible. Very annoying, how do I cure it?
Hi techcnophobe1,
Thank you for visiting the Microsoft answers community.
The question you have posted is related to Windows Live and would be better suited to the Windows Live Solution Center. Please visit this link to find a community that will support what you are asking
-
Cannot access my public folder when my firewall is on
I can't access my public folder when my firewall is turned on. But can access it when my firewall is disabled. I already activated the public folder sharing and file sharing.
Also, I don't see computers connected to my computer when their firewall is enabled and can see when their firewall is disabled. Why is this?
You must configure your firewall properly instead of turning it off.
Excellent, comprehensive, but easy-to-understand article on file/printer sharing under Vista. Contains information about sharing printers, files and folders:
http://TechNet.Microsoft.com/en-us/library/bb727037.aspx
Configure the firewall on all machines to treat local area network (LAN) traffic as trusted. With the Windows Firewall, this means allowing File and Printer Sharing on the Exceptions tab; normally running the XP Network Setup Wizard will take care of this for those machines. The only "gotcha" is that it will turn on the XP SP2 Windows Firewall. If you are not running a third-party firewall or an antivirus/security program with its own firewall component, then you're fine. With a third-party firewall, I usually set up the LAN allowance with an IP address range, e.g. 192.168.1.0 - 192.168.1.254. Obviously you would substitute your correct subnet. Refer to the third-party security program's documentation or user forums for how to correctly configure its firewall. Do not run more than one firewall. DON'T TURN OFF FIREWALLS; CONFIGURE THEM CORRECTLY.
If you would like more information, please provide these details:
1. Operating systems/versions/Service Pack levels of all machines.
2. Name of antivirus/security software used.
MS - MVP - Elephant Boy computers - don't panic!