Cannot ping client VPN

I have a problem with the software client blocking VPN traffic, for example if the client software is installed I can not ping the client or push installs the client, almost acting like Windows Firewall. On a 50 clients that I have 3 that are affected in this way, they are Windows 2000 Pro, all have the latest service packs and security patches, all are configured identically. It doesn't matter where the client is or even if they are VPN in. If they are physically on the local network the problem is the same. As soon as the software is uninstalled the problem disappears. I have tried 3 different versions of the client and it does not change the situation. Anyone had this happen before or been to a resolution?

Thank you

Matt

I solved an exact problem by:

1. If the PC is on the directly connected network, run the Client VPN software (but do not start a VPN connection), click on the meny Options and uncheck the 'Stateful Firewall '. In this way, you should be able to ping the computer. If not, then you will have to investigate the parameters of local PC Firewall (such as the personal FW, fw XP)

2. If the PC is VPN in and you want to ping, then you will need to allow icmp traffic from the internal network to the VPN clients.

Hope this work for you.

Tags: Cisco Security

Similar Questions

WAG320N - LAN clients cannot ping clients WLAN.

Hi all

I wonder if you can help. I currently have a router WAG320N, which seems to work out for a small problem.

However, the problem I am facing is that my LAN clients cannot ping my clients wireless and vice versa.

I googled this problem which has recommended that the AP isolation is off which is was by default.

Any other ideas?

Thanking in advance.

Sprite

As you are not able to ping customers wireless to wireline customers. Turn on the isolation of the AP.

See if that helps you.

Cannot ping internal VPN network.

I'm trying to understand why my VPN client can't ping my internal network of 192.168.0.X. For example, I can access my server via a \\192.168.0.14\Drive network drive mapping but I can't ping. I am trying to troubleshoot some phones Avaya VPN and want to ensure that I can ping the machines needed.

Thank you

Manny

Here is my config

ASA5505-xxxx # sh run
: Saved
:
ASA Version 8.0 (4)
!
hostname xxxxxx
domain xxxx.com
activate the xxxxxxxx password
passwd xxxxxx
names of
name Roosevelt 192.168.2.0
!
interface Vlan1
nameif inside
security-level 100
the IP 192.168.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP 173.x.x.x 255.255.255.240.
!
interface Ethernet0/0
Description link to xx.x.x. Router
switchport access vlan 2
!
interface Ethernet0/1
Description LINK to Linksys SR2024
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system Disk0: / asa804 - k8.bin
passive FTP mode
clock timezone CST - 6
clock to summer time recurring CDT
DNS server-group DefaultDNS
xxxxx.com domain name
permit same-security-traffic intra-interface
access-list 110 extended permit tcp any host 173.le eq xxxx 3389
access-list 110 extended permit tcp any host 173.le eq www xxxx
access-list 110 extended permit tcp any host 173.le eq smtp xxxx
access-list 110 extended permit tcp any host 173.le eq xxxx area
access-list 110 extended permit tcp any host 173.le eq https xxxx
access-list 110 extended permit tcp any host 173.le eq ftp xxxx
access-list 110 extended allow icmp a whole
access-list 110 extended permit tcp any host 173.le eq xxxx 3389
access-list 110 extended permit tcp any host 173.165.93.164 eq www
access-list 110 extended permit tcp any host 173.165.93.164 eq smtp
access-list 110 extended allow tcp no matter what field of host 173.165.93.164 eq
access-list 110 extended permit tcp any host 173.165.93.164 eq https
access-list 110 extended permit tcp any host 173.165.93.164 eq ftp
access-list 110 extended permit tcp any host 173.165.93.163 eq 3389
access-list 110 extended permit tcp any host 173.165.93.163 eq www
permit access ip 192.168.0.0 scope list Inside_nat0_outbound 255.255.255.0 255.255.255.0 Roosevelt
Inside_nat0_outbound list of allowed ip extended access any 10.10.1.0 255.255.255.0
permit access ip 192.168.0.0 scope list outside_1_cryptomap 255.255.255.0 255.255.255.0 Roosevelt
Standard access list CSC_splitTunnelAcl allow a
pager lines 24
Enable logging
exploitation forest-size of the buffer of 1000000
debug logging in buffered memory
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
mask 10.10.1.1 - 10.10.1.10 255.255.255.0 IP local pool VPNPool
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 613.bin
don't allow no asdm history
ARP timeout 14400
Global interface 5 (external)
NAT (inside) 0-list of access Inside_nat0_outbound
NAT (inside) 5 0.0.0.0 0.0.0.0
public static 173.le (Interior, exterior) xxxx 192.168.0.14 netmask 255.255.255.255
public static 173.le (Interior, exterior) xxxx 192.168.0.17 netmask 255.255.255.255
public static 173.le (Interior, exterior) xxxx 192.168.0.12 netmask 255.255.255.255
public static 173.le (Interior, exterior) xxxx 192.168.0.11 netmask 255.255.255.255
public static 173.le (Interior, exterior) xxxx 192.168.0.13 netmask 255.255.255.255
Access-group 110 in external interface
Route outside 0.0.0.0 0.0.0.0 173.le xxxx 1
Timeout xlate 03:00
Timeout conn 0 half-closed 10:00:10: 00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-registration DfltAccessPolicy
the ssh LOCAL console AAA authentication
Enable http server
http 192.168.0.0 255.255.255.0 inside
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
SYSTEM_DEFAULT_CRYPTO_MAP game 65535 dynamic-map crypto transform-set ESP-AES-128-SHA ESP ESP-AES-128-MD5 ESP-AES-192-SHA-AES-192-MD5
ESP-AES-256-SHA SHA-ESP-3DES ESP-AES-256-MD5 ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define security association lifetime 28800 seconds
cryptographic kilobytes 4608000 life of the set - the association of security of the 65535 SYSTEM_DEFAULT_CRYPTO_MAP of the dynamic-map
card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 set counterpart 99 xxxxx
card crypto outside_map 1 set of transformation-ESP-DES-SHA
outside_map map 1 lifetime of security association set seconds 28800 crypto
card crypto outside_map 1 set security-association life kilobytes 4608000
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 5
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 10
preshared authentication
the Encryption
sha hash
Group 2
life 86400
ISAKMP nat-traversal crypto
Telnet timeout 5
SSH 0.0.0.0 0.0.0.0 outdoors
SSH timeout 10
Console timeout 0
dhcpd 192.168.0.14 dns 68.87.77.130
dhcpd wins 192.168.0.14
dhcpd domain xxxx.com
!
dhcpd address 192.168.0.50 - 192.168.0.150 inside
dhcpd allow inside
!

a basic threat threat detection
host of statistical threat detection
statistical threat detection port
Statistical threat detection Protocol
Statistics-list of access threat detection
no statistical threat detection tcp-interception
internal group CSC policy
attributes of group CSC policy
value of 192.168.0.14 WINS server
VPN-idle-timeout no
Protocol-tunnel-VPN IPSec svc
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list CSC_splitTunnelAcl
username lrodriguez password xxxxxx
username lrodriguez attributes
VPN - 10 concurrent connections
username password xxxxx jthomas
username mramirez password xxxxx
tunnel-group 99 xxxx type ipsec-l2l
tunnel-group 99 xxxx ipsec-attributes
pre-shared-key *.
tunnel-group CSC type remote access
attributes global-tunnel-group CSC
address pool VPNPool
Group Policy - by default-CSC
tunnel-group CSC ipsec-attributes
pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
!
global service-policy global_policy
Server SMTP 192.168.0.xx
context of prompt hostname

On the VPN Client PC, see if there is any firewall is activated. Tried to disable the firewall, if it's on.

I suppose also that the Avaya server default gateway is 192.168.0.1?

Cisco ASA 5520 cannot ping between VPN Tunnels

I have the main site and sites A and B. A to connect to the hand and B connects to the main. I can ping from A hand and has for main. I can ping from main to B and B to main. However, I can not ping from A to B. A and B are sonicwall 2040 and main is a 5520. The question should not be with the 5520 none allowing traffic between the two VPN Tunnels, but I can't understand why it does not work. Can someone give an idea on that? Thanks in advance.

Hello

I see that you use ASDM. Always makes my eyes bleed when I need to look at the DM_INLINE of named objects and try to make sense the CLI format

Seems to me that there are problems with the NAT.

If you don't mind a small break between the main Site and remote locations, I'd say changing some follows the NAT configuration

Remove old

no nat source (indoor, outdoor) public static DM_INLINE_NETWORK_9 DM_INLINE_NETWORK_9 DM_INLINE_NETWORK_10 DM_INLINE_NETWORK_10 non-proxy-arp-search of route static destination

no nat source (indoor, outdoor) public static DM_INLINE_NETWORK_11 DM_INLINE_NETWORK_11 DM_INLINE_NETWORK_12 DM_INLINE_NETWORK_12 non-proxy-arp-search of route static destination

Add a new

object-group network NETWORK-2790

object-network 10.217.0.0 255.255.255.0

object-network 10.217.1.0 255.255.255.0

object-group network NETWORK-3820

object-network 10.216.0.0 255.255.255.0

object-network 10.216.1.0 255.255.255.0

object-group network NETWORK-COLO

object-net 10.8.0.0 255.255.255.0

destination of NETWORK of NETWORK-2790-2790 static NAT (outside, outside) static source NETWORK - 3820 - 3820

NAT static destination of NETWORK of NETWORK-COLO-COLO (indoor, outdoor) static source NETWORK - 2790 - 2790

NAT static destination of NETWORK of NETWORK-COLO-COLO (indoor, outdoor) static source NETWORK - 3820 - 3820

The first new line of configuring NAT manages the NAT0 configuration for traffic between SiteA and SiteB. The following configurations of NAT 2 manage the NAT0 for traffic between the main Site - hand Site SiteA - SiteB

-Jouni

Once the VPN connection is established, cannot ping or you connect other IP devices

Try to get a RV016 installed and work so that people can work from home. You will need to charge customers remote both WIN XP and MAC OS X.

Have the configured router and works fine with the VPN Linksys client for WIN XP users. Can connect, ping, mount the shared disks, print to printers to intellectual property, etc.

Can connect to the router fine with two VPN clients third 3 for Mac: VPN Tracker and IPSecuritas. However, once the connection is established, cannot ping the VPN LinkSYS router or any other IP address on the LAN Office. Turn the firewall on or off makes no difference.

Is there documentation anywhere that describes how the LinksysVPN for Windows Client communicates so these can be replicated in 3rd VPN clients from third parties for the Mac in OS X?

The connection with IPSecuritas and VPN Tracker is performed using a shared key and a domain name. It is not a conflict of IP address network between the client and the VPN 192.168.0.0/24 network.

VPN Tracker and IPSecuritas are able to connect to the routers CISCO easy VPN with no poblem.

Any ideas on how to get the RV016 to work for non-Windows users?

We found and fixed the problem, so using VPN Tracker or current IPSecuritas on OS X people have access to the LAN via the RV016 machines. The "remote networks" in the screen BASE in VPN Tracker has been set on the entire subnet: 192.168.0.0/255.255.255.0 the in the RV016 has been set to the IP of 192.168.0.1 to 192.168.0.254 range. Even if the addresses are essentially the same, without specifying the full subnet in the RV016 has allowed the connection to do but prevented the VPN client machine to connect because the RV016 would pass all traffic to the Remote LAN. Change the setting of 'local group' in RV016 settings in the screen "VPN/summary/GroupVPN', 'Local Group Zone' for the subnet 192.168.0.0/24 full solved the problem.

Cannot ping via the VPN client host when static NAT translations are used

Hello, I have a SRI 3825 configured for Cisco VPN client access.

There are also several hosts on the internal network of the static NAT translations have a services facing outwards.

Everything works as expected with the exception that I cannot ping hosts on the internal network once connected via VPN client that is internal IP addresses have the static NAT translations in external public addresses, I ping any host that does not have static NAT translation.

For example, in the example below, I cannot ping 192.168.1.1 and 192.168.1.2, but I can ping to the internal interface of the router, and any other host on the LAN, I can ping all hosts in the router itself.

Any help would be appreciated.

Concerning

!

session of crypto consignment

!

crypto ISAKMP policy 10

BA 3des

preshared authentication

Group 2

!

ISAKMP crypto client configuration group vpnclient

key S3Cu4Ke!

DNS 192.168.1.1 192.168.1.2

domain domain.com

pool dhcppool

ACL 198

Save-password

PFS

netmask 255.255.255.0

!

!

Crypto ipsec transform-set-SECURE 3DES esp-3des esp-sha-hmac

!

Crypto-map dynamic dynmap 10

86400 seconds, life of security association set

game of transformation-3DES-SECURE

market arriere-route

!

card crypto client cryptomap of authentication list drauthen

card crypto isakmp authorization list drauthor cryptomap

client configuration address card crypto cryptomap answer

map cryptomap 65535-isakmp ipsec crypto dynamic dynmap

!

interface GigabitEthernet0/0

NAT outside IP

IP 1.2.3.4 255.255.255.240

cryptomap card crypto

!

interface GigabitEthernet0/1

IP 192.168.1.254 255.255.255.0

IP nat inside

!

IP local pool dhcppool 192.168.2.50 192.168.2.100

!

Note access-list 198 * Split Tunnel encrypted traffic *.
access-list 198 allow ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

!
Note access-list 199 * NAT0 ACL *.
access-list 199 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 199 permit ip 192.168.1.0 0.0.0.255 any

!

Sheep allowed 10 route map
corresponds to the IP 199

!
IP nat inside source map route sheep interface GigabitEthernet0/0 overload

!

IP nat inside source static 192.168.1.1 1.2.3.5
IP nat inside source static 192.168.1.2 1.2.3.6

The problem seems to be that static NAT take your nat exemption.

The solution would be:

IP nat inside source static 192.168.1.1 1.2.3.5 sheep map route
IP nat inside source static 192.168.1.2 1.2.3.6 sheep map route

HTH

Herbert

Cannot ping vpn client of 1721 cli on the tunnel endpoint

I have a 1721 fortunately supporting ipsec vpn client connections. With one small exception, everything works perfectly fine.

The VPN pool is 10.10.10.1 - 10.10.10.254

The interface internal f0 is attributed to 192.168.1.254/24.

In my example:

Ip address of the VPN client is 10.10.10.5

The host address of an arbitrary machine on the internal lan is 192.168.1.151

I am able to ping 192.168.1.151 10.10.10.5

I'm * not * able to ping 10.10.10.5 192.168.1.254 using the cli on the 1721.

There is a very good reason to want to solve this problem. I would like to be able to access a tftp server on the client vpn directly from the router in order to download the new startup-config files. Is it possible to get the traffic of vpn-/ tunnel-point endpoint client tftp to travel through the tunnel?

When you ping from the CLI on the router, the packet will be from the external interface, not the IP address fa0 interface. The VPN client and the router only built a tunnel from the 10.10.10.5 address the 192.168.1.0 network, then the router not cryptera a package that her origin is outside the IP address.

Try to ping extended to 10.10.10.5 and source of 192.168.1.254 package and see if it works. If it does, you will have also to the source of your TFTP packets from inside interface, you can do with:

IP tftp source interface fa0

Connected to the ASA via the "VPN Client" software, but cannot ping devices.

I have a network that looks like this:

I successfully connected inside the ASA via a software "Client VPN" tunnel network and got an IP address of 10.45.99.100/16.

I am trying to ping the 10.45.99.100 outside 10.45.7.2, but the ping fails (request timed out).

On the SAA, including the "logging console notifications" value, I notice the following message is displayed:

"% 305013-5-ASA: rules asymmetrical NAT matched for flows forward and backward; "Connection for icmp src, dst outside: 10.45.99.100 inside: 10.45.7.2 (type 8, code 0) rejected due to the failure of reverse path of NAT.

I have a vague feeling that I'm missing a NAT rule of course, but not all. What did I miss?

Here is my configuration of ASA: http://pastebin.com/raw.php?i=ad6p1Zac

Hello

You seem to have a configured ACL NAT0 but is not actually in use with a command "nat"

You would probably need

NAT (inside) 0-list of access inside_nat0_outside

He must manage the NAT0

Personally, I would avoid using large subnets/networks. You probably won't ever have host behind ASA who would fill / 16 subnet mask.

I would also keep the pool VPN as a separate network from LANs behind ASA. The LAN 10.45.0.0/16 and 10.45.99.100 - 200 are on the same network.

-Jouni

cannot ping remote ip on ASA no firewall (VPN site to site on SAA) configired no proxy, icmp not inspect, no chance

some help me

(Q) ping remote ip unable on ASA is not Firewall not on pc (VPN site to site on SAA) configired no proxy, icmp not inspect, no chance

Note - I can ping PC but not the same subnet ip on ASA2 L3

PC---> > ASA1 - ASA2<>

Hi Matt,

Let me answer your question in two points:
- You cannot ping an ASA on another interface other than the one where you are connected to the ASA of.
For example, ASA1 and ASA2 are connected through their interfaces 'outside '. ASA1 (or any other device on the external interface) can not ping/access ASA2 on his (ASA2) within the interface. The only time wherever this can be substituted is a tunnel VPN with the command "access management" configured for other interface, for example management-access inside
- Traffic ASA1 ping to a remote client behind ASA2 won't over the VPN tunnel and as such is not encrypted. That's because ASA1 will forward traffic based on its routing table that probably this way through its 'outside' interface Except that traffic is allowed with the ASA2 (using the ACL), it will fail.
We can do on the routers of sourcing our ping to another interface, but it will not work on the SAA.

Customer remote VPN cannot ping certain IP

My Cisco VPN client can establish the tunnel with my successful ASA5505 Office vpn but cannot ping some IP such as an internal server (10.100.194.6).

FIREWALL-1 # ping 10.100.194.6
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 10.100.194.6, wait time is 2 seconds:
!!!!!
Success rate is 100 per cent (5/5), round-trip min/avg/max = 1/1/1 ms

Why I can't ping certain IP?

Help, please.

Thank you.

Hey Kevin,

Check out the capture, it is obvious that there is a problem of internal routing as we can see packets from the VPN client requests, but there is no response from the server package.

Please ensure that the server has pointing on the Firewall VPN subnet route.
HTH.

Kind regards

Dinesh Moudgil

PS: Please check the useful messages.

Inside the server can't ping remote vpn client

My simple vpn client can accumulate the tunnel vpn with my Office ASA5510 success and my vpn client can ping the internal server. But my internal server cannot ping the remote vpn client. Even the firewall vpn client windows is disable.

1. in-house server can ping Internet through ASA.

2 internal server cannot ping vpn client.

3 Vpn client can ping the internal server.

Why interal Server ping vpn client? ASA only does support vpn in direction to go?

Thank you.

Hello

Enable inspect ICMP, this should work for you.

Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the icmp
inspect the icmp error

inspect the icmp

To configure the ICMP inspection engine, use the command of icmp inspection in class configuration mode. Class configuration mode is accessible from policy map configuration mode.

inspect the icmp

HTH

Sandy

Peer AnyConnect VPN cannot ping, RDP each other

I have an ASA5505 running ASA 8.3 (1) and ASDM 7.1 (1). I have a remote access VPN set up and remote access users are able to connect and access to network resources. I can ping the VPN peers between the Remote LAN. My problem counterparts VPN cannot ping (RDP, CDR) between them. Ping a VPN peer of reveals another the following error in the log of the SAA.

Asymmetrical NAT rules matched for flows forward and backward; Connection for icmp outside CBC: 10.10.10.8 outside dst: 10.10.10.9 (type 8, code 0) rejected due to the failure of reverse NAT.

Here's my ASA running-config:

ASA Version 8.3 (1)

!

ciscoasa hostname

domain dental.local

activate 9ddwXcOYB3k84G8Q encrypted password

2KFQnbNIdI.2KYOU encrypted passwd

names of

!

interface Vlan1

nameif inside

security-level 100

IP 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

IP address dhcp setroute

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passive FTP mode

clock timezone CST - 6

clock to summer time recurring CDT

DNS lookup field inside

DNS server-group DefaultDNS

192.168.1.128 server name

domain dental.local

permit same-security-traffic inter-interface

permit same-security-traffic intra-interface

network obj_any object

subnet 0.0.0.0 0.0.0.0

network of the RAVPN object

10.10.10.0 subnet 255.255.255.0

network of the NETWORK_OBJ_10.10.10.0_28 object

subnet 10.10.10.0 255.255.255.240

network of the NETWORK_OBJ_192.168.1.0_24 object

subnet 192.168.1.0 255.255.255.0

access-list Local_LAN_Access note VPN Customer local LAN access

Local_LAN_Access list standard access allowed host 0.0.0.0

DefaultRAGroup_splitTunnelAcl list standard access allowed 192.168.1.0 255.255.255.0

Note VpnPeers access list allow peer vpn ping on the other

permit access list extended ip object NETWORK_OBJ_10.10.10.0_28 object NETWORK_OBJ_10.10.10.0_28 VpnPeers

pager lines 24

Enable logging

asdm of logging of information

logging of information letter

address record [email protected] / * /

exploitation forest-address recipient [email protected] / * / level of information

record level of 1 600 6 rate-limit

Outside 1500 MTU

Within 1500 MTU

mask 10.10.10.5 - 10.10.10.10 255.255.255.0 IP local pool VPNPool

ICMP unreachable rate-limit 1 burst-size 1

ASDM image disk0: / asdm - 711.bin

don't allow no asdm history

ARP timeout 14400

NAT (inside, all) static source all electricity static destination RAVPN RAVPN

NAT (inside, outside) static static source NETWORK_OBJ_10.10.10.0_28 destination NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_10.10.10.0_28

NAT (inside, outside) static source all all NETWORK_OBJ_10.10.10.0_28 of NETWORK_OBJ_10.10.10.0_28 static destination

!

network obj_any object

NAT dynamic interface (indoor, outdoor)

network of the RAVPN object

dynamic NAT (all, outside) interface

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-registration DfltAccessPolicy

Enable http server

http 192.168.1.0 255.255.255.0 inside

No snmp server location

No snmp Server contact

Community SNMP-server

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

Crypto ipsec transform-set ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transit

Crypto ipsec transform-set ESP-DES-SHA-TRANS esp - esp-sha-hmac

Crypto ipsec transform-set ESP-DES-SHA-TRANS mode transit

Crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transit

Crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac

Crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transit

Crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac

Crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transit

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP ESP-AES-128-SHA ESP - AES - 192 - SHA ESP - AES - 256 - SHA ESP - 3DES - SHA - OF - SHA ESP - AES - 128 - SHA - TRANS ESP - AES - 192 - SHA - TRANS ESP - AES - 256 - SHA - ESP ESP - 3DES - SHA - TRANS TRANS-DES - SHA - TRANS

outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

outside_map interface card crypto outside

trustpoint crypto ca-CA-SERVER ROOM

LOCAL-CA-SERVER key pair

Configure CRL

Crypto ca trustpoint ASDM_TrustPoint0

registration auto

name of the object CN = ciscoasa

billvpnkey key pair

Proxy-loc-transmitter

Configure CRL

crypto ca server

CDP - url http://ciscoasa/+CSCOCA+/asa_ca.crl

name of the issuer CN = ciscoasa

SMTP address [email protected] / * /

crypto certificate chain ca-CA-SERVER ROOM

certificate ca 01

* hidden *.

quit smoking

string encryption ca ASDM_TrustPoint0 certificates

certificate 10bdec50

* hidden *.

quit smoking

crypto ISAKMP allow outside

crypto ISAKMP policy 10

authentication crack

aes-256 encryption

sha hash

Group 2

life 86400

crypto ISAKMP policy 20

authentication rsa - sig

aes-256 encryption

sha hash

Group 2

life 86400

crypto ISAKMP policy 30

preshared authentication

aes-256 encryption

sha hash

Group 2

life 86400

crypto ISAKMP policy 40

authentication crack

aes-192 encryption

sha hash

Group 2

life 86400

crypto ISAKMP policy 50

authentication rsa - sig

aes-192 encryption

sha hash

Group 2

life 86400

crypto ISAKMP policy 60

preshared authentication

aes-192 encryption

sha hash

Group 2

life 86400

crypto ISAKMP policy 70

authentication crack

aes encryption

sha hash

Group 2

life 86400

crypto ISAKMP policy 80

authentication rsa - sig

aes encryption

sha hash

Group 2

life 86400

crypto ISAKMP policy 90

preshared authentication

aes encryption

sha hash

Group 2

life 86400

crypto ISAKMP policy 100

authentication crack

3des encryption

sha hash

Group 2

life 86400

crypto ISAKMP policy 110

authentication rsa - sig

3des encryption

sha hash

Group 2

life 86400

crypto ISAKMP policy 120

preshared authentication

3des encryption

sha hash

Group 2

life 86400

crypto ISAKMP policy 130

authentication crack

the Encryption

sha hash

Group 2

life 86400

crypto ISAKMP policy 140

authentication rsa - sig

the Encryption

sha hash

Group 2

life 86400

crypto ISAKMP policy 150

preshared authentication

the Encryption

sha hash

Group 2

life 86400

enable client-implementation to date

Telnet 192.168.1.1 255.255.255.255 inside

Telnet timeout 5

SSH timeout 5

Console timeout 0

management-access inside

dhcpd outside auto_config

!

dhcpd address 192.168.1.50 - 192.168.1.99 inside

dhcpd allow inside

!

a basic threat threat detection

threat detection statistics

a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200

SSL-trust outside ASDM_TrustPoint0 point

WebVPN

allow outside

SVC disk0:/anyconnect-win-3.1.04072-k9.pkg 1 image

SVC profiles DellStudioClientProfile disk0: / dellstudioclientprofile.xml

enable SVC

tunnel-group-list activate

internal-password enable

chip-tunnel list SmartTunnelList RDP mstsc.exe windows platform

internal DefaultRAGroup group strategy

attributes of Group Policy DefaultRAGroup

Server DNS 192.168.1.128 value

Protocol-tunnel-VPN l2tp ipsec

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list DefaultRAGroup_splitTunnelAcl

Dental.local value by default-field

WebVPN

SVC value vpngina modules

internal DefaultRAGroup_1 group strategy

attributes of Group Policy DefaultRAGroup_1

Server DNS 192.168.1.128 value

Protocol-tunnel-VPN l2tp ipsec

Dental.local value by default-field

attributes of Group Policy DfltGrpPolicy

Server DNS 192.168.1.128 value

VPN - 4 concurrent connections

Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn

value of group-lock RAVPN

value of Split-tunnel-network-list Local_LAN_Access

Dental.local value by default-field

WebVPN

the value of the URL - list DentalMarks

SVC value vpngina modules

SVC value dellstudio type user profiles

SVC request to enable default webvpn

chip-tunnel enable SmartTunnelList

wketchel1 5c5OoeNtCiX6lGih encrypted password username

username wketchel1 attributes

VPN-group-policy DfltGrpPolicy

WebVPN

SVC value DellStudioClientProfile type user profiles

username privilege 15 encrypted password 5c5OoeNtCiX6lGih wketchel

username wketchel attributes

VPN-group-policy DfltGrpPolicy

WebVPN

modules of SVC no

SVC value DellStudioClientProfile type user profiles

jenniferk 5.TcqIFN/4yw0Vq1 of encrypted password privilege 0 username

jenniferk username attributes

VPN-group-policy DfltGrpPolicy

WebVPN

SVC value DellStudioClientProfile type user profiles

attributes global-tunnel-group DefaultRAGroup

address pool VPNPool

LOCAL authority-server-group

IPSec-attributes tunnel-group DefaultRAGroup

pre-shared key *.

tunnel-group DefaultRAGroup ppp-attributes

PAP Authentication

ms-chap-v2 authentication

eap-proxy authentication

type tunnel-group RAVPN remote access

attributes global-tunnel-group RAVPN

address pool VPNPool

LOCAL authority-server-group

tunnel-group RAVPN webvpn-attributes

enable RAVPN group-alias

IPSec-attributes tunnel-group RAVPN

pre-shared key *.

tunnel-group RAVPN ppp-attributes

PAP Authentication

ms-chap-v2 authentication

eap-proxy authentication

type tunnel-group WebSSLVPN remote access

tunnel-group WebSSLVPN webvpn-attributes

enable WebSSLVPN group-alias

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

maximum message length automatic of customer

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

Review the ip options

!

global service-policy global_policy

173.194.64.108 SMTP server

context of prompt hostname

HPM topN enable

Cryptochecksum:3304bf6dcf6af5804a21e9024da3a6f8

: end

Hello

Seems to me that you can clean the current NAT configuration a bit and make it a little clearer.

I suggest the following changes

network of the VPN-POOL object

10.10.10.0 subnet 255.255.255.0

the object of the LAN network

subnet 192.168.1.0 255.255.255.0

PAT-SOURCE network object-group

object-network 192.168.1.0 255.255.255.0

object-network 10.10.10.0 255.255.255.0

NAT static destination LAN LAN (indoor, outdoor) static source VPN-VPN-POOL

destination VPN VPN-POOL POOL static NAT (outside, outside) 1 static source VPN-VPN-POOL

NAT interface (it is, outside) the after-service automatic PAT-SOURCE dynamic source

The above should allow
- Dynamic PAT for LAN and VPN users
- NAT0 for traffic between the VPN and LAN
- NAT0 for traffic between the VPN users
You can then delete the previous NAT configurations. Naturally, please save the configuration before you make the change, if you want to revert to the original configuration.

no static source nat (inside, everything) all electricity static destination RAVPN RAVPN

No source (indoor, outdoor) nat static static NETWORK_OBJ_10.10.10.0_28 destination NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_10.10.10.0_28

No source (indoor, outdoor) nat static everything all NETWORK_OBJ_10.10.10.0_28 of NETWORK_OBJ_10.10.10.0_28 static destination

No network obj_any object

No network object RAVPN

In case you do not want to change the settings a lot you might be right by adding this

network of the VPN-POOL object

10.10.10.0 subnet 255.255.255.0

destination VPN VPN-POOL POOL static NAT (outside, outside) 1 static source VPN-VPN-POOL

But the other above configurations changes would make NAT configurations currently simpler and clearer to see every goal of "nat" configurations.

-Jouni

Site to site between ASA 8.2 VPN, cannot ping

Two 8.2 ASA is configured with a VPN tunnel from site to site, as shown in the diagram:

Here is my setup for both.

Clients on the inside network to the ASA cannot ping inside, network clients, else the ASA. Why not?

When the rattling from inside network SALMONARM inside network of KAMLOOPS, the following debug logs can be seen on SALMONARM:

%ASA-7-609001: Built local-host outside:10.30.7.2

%ASA-6-302020: Built outbound ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512

%ASA-6-302021: Teardown ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512

%ASA-7-609002: Teardown local-host outside:10.30.7.2 duration 0:00:02

%ASA-7-609001: Built local-host outside:10.30.7.2

%ASA-6-302020: Built outbound ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512

%ASA-6-302021: Teardown ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512

%ASA-7-609002: Teardown local-host outside:10.30.7.2 duration 0:00:02

%ASA-7-609001: Built local-host outside:10.30.7.2

%ASA-6-302020: Built outbound ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512

...

Each attempt to ping responds with "Request timed out" on the computer of ping.

Why clients cannot mutually ping on the VPN tunnel?

Hello

Create a NAT0 ACL at both ends.

ex: 10.30.0.0 ip access-list extended SHEEP 255.255.0.0 allow 10.45.0.0 255.255.0.0

NAT (inside) 0 access-list SHEEP

THX

Edit: at the beginning, I mentioned ACL #, it may not work.

ASA VPN cannot ping ip local pool

Hello

We have ASA 5510 a device be deployed for a period of time. Everything works fine except customers local VPN cannot ping local customer VPN which get their IP address to the local swimming pool. They can ping anywhere on the local network of company, but not each other. I don't know there's a logical explantion for this because of an ACL but all appreciated the advice...

Thanks in advance

Keith

Hi Keith,

I think that, in order to allow a customer VPN reach another VPN client, the SAA should turn the VPN traffic (because it will receive the traffic of a VPN tunnel and re - again to send another tunnel.)

Can you add "same-security-traffic intra-interface permits" and try again?

Federico.

VPN - cannot ping the next hop

Then some advice... I have configured a server VPN - pptp on my router, create a vpn for the customer at the site. For the moment, the client computer can connect and a connection to the router. I can ping from client to the router (192.168.5.1) but cannot ping 192.168.5.2 (switch) or 192.168.10.X (workstations)

What I try to achieve is to access the internal network (192.168.10.X), which is the end of the layer 3 switch. Any help/extra eyes would be good.

Here is my design of the network and the config below:

Client computer---> Internet---> (1.1.1.1) Cisco router (192.168.5.1) 881---> switch Dell Powerconnect 6248 (192.168.5.2)--> Workstation (192.168.10.x)

Router Cisco 881

AAA new-model

!

AAA of authentication ppp default local

!

VPDN enable

!

!

VPDN-group VPDN PPTP

!

accept-dialin

Pptp Protocol

virtual-model 1

!

interface FastEthernet0

Description link to switch

switchport access vlan 5

!

interface FastEthernet1

no ip address

!

interface FastEthernet2

no ip address

!

interface FastEthernet3

switchport access vlan 70

no ip address

!

interface FastEthernet4

Description INTERNET WAN PORT

IP [IP EXTERNAL address]

NAT outside IP

IP virtual-reassembly in

full duplex

Speed 100

card crypto VPN1

!

interface Vlan1

no ip address

!

interface Vlan5

Description $ES_LAN$

IP 192.168.5.1 255.255.255.248

no ip redirection

no ip unreachable

IP nat inside

IP virtual-reassembly in

!

interface Vlan70

IP [IP EXTERNAL address]

IP virtual-reassembly in

IP tcp adjust-mss 1452

!

!

!

interface virtual-Template1

IP unnumbered FastEthernet4

encapsulation ppp

peer default ip address pool defaultpool

Ms-chap PPP chap authentication protocol

!

IP local pool defaultpool 192.168.10.200 192.168.10.210

IP forward-Protocol ND

IP http server

23 class IP http access

local IP http authentication

IP http secure server

IP http timeout policy inactive 600 life 86400 request 10000

!

overload of IP nat inside source list no. - NAT interface FastEthernet4

IP route 0.0.0.0 0.0.0.0 [address IP EXTERNAL]

Route IP 192.168.0.0 255.255.0.0 192.168.5.2

!

No. - NAT extended IP access list

deny ip 192.168.0.0 0.0.255.255 10.1.0.0 0.0.255.255

IP 192.168.0.0 allow 0.0.255.255 everything

VLAN70 extended IP access list

ip [IP EXTERNAL] 0.0.0.15 permit 192.168.10.0 0.0.1.255

permit tcp [IP EXTERNAL] 0.0.0.15 any eq smtp

permit tcp [IP EXTERNAL] 0.0.0.15 any eq www

permit any eq 443 tcp [IP EXTERNAL] 0.0.0.15

permit tcp [IP EXTERNAL] 0.0.0.15 any eq field

permits any udp [IP EXTERNAL] 0.0.0.15 eq field

list of IP - VPN access scope

IP 192.168.10.0 allow 0.0.1.255 10.1.0.0 0.0.1.255

Licensing ip [IP EXTERNAL] 0.0.0.15 10.1.0.0 0.0.1.255

WAN extended IP access list

!

Layer 3 switch - Dell Powerconnect 6224

!

IP routing

IP route 0.0.0.0 0.0.0.0 192.168.5.1

interface vlan 5

name "to connect to the Cisco router.

Routing

IP 192.168.5.2 255.255.255.248

output

!

interface vlan 10

"internal network" name

Routing

IP 192.168.10.1 255.255.255.0

output

!

interface ethernet 1/g12

switchport mode acesss vlan 5

output

!

interface ethernet 1/g29

switchport mode access vlan 10

output

!

Hi Samuel,.

I went through your configuration and picked up a few problematic lines...

First of all, you can't have your vpn-pool to be in the range of 192.168.10.x/24, because you already have this subnet used behind the switch (this would be possible if you had 192.168.10.x range connected directly to the router). In addition, you may not link your virtual model to the WAN ip address, it must be bound to an interface with a subnet that includes your IP vpn-pool range.

The cleaner for this is,

Create a new interface of back of loop with a new subnet

!

loopback interface 0

192.168.99.1 IP address 255.255.255.0

!

New vpn set up, pool

!

IP local pool defaultpool 192.168.99.200 192.168.99.210

!

Change your template to point the new loopback interface,

!

interface virtual-Template1

IP unnumbered loopback0

encapsulation ppp

peer default ip address pool defaultpool

Ms-chap PPP chap authentication protocol

!

All vpn clients will get an IP address of 192.168.99.200 192.168.99.210 range. And they will be able to get the router and up to the desired range 192.168.10.x/24 behind the router. Packages get the switch, then to the host. Host will respond through the gateway (switch)-> router-> Client.

PS: Sooner, even if your packages arrive at the host, the host will never try to send the response back through the gateway (switch) packets because STI (hosts) point of view, the package came from the same local network, so the host will simply try to "arp" for shippers MAC and eventually will expire)

I hope this helps.

Please don't forget to rate/brand of useful messages

Shamal

Cannot ping client VPN

Similar Questions

inspect the icmp

Maybe you are looking for