Cannot ping inner network via VPN site-2-site
I have the following Setup of the site 2 site VPN.
The pain I feel is host 172.168.88.3 in site A is not able to ping 172.168.200.3 in site B and vice versa. Think I've added static routes and lists ACLs correctly on 3560 switches (acting as an access point) and the two PIX to access internal networks. 172.168.9.3 host can ping 172.168.200.3 very well. All advice is appreciated.
Thank you very much.
My configs are as follows:
PIX HAS
8.0 (3) version PIX
!
PIX - A host name
activate u18hqwudty78klk9s encrypted password
names of
!
interface Ethernet0
Speed 100
full duplex
nameif outside
security-level 0
IP address x.x.x.250 255.255.255.240
!
interface Ethernet1
nameif inside
security-level 100
IP 172.168.9.1 255.255.255.0
!
uh78mklh78yMs encrypted passwd
connection of the banner it is a private network. Unauthorized access is prohibited!
Banner motd this is a private network. Unauthorized access is prohibited!
passive FTP mode
clock timezone GMT/UTC 0
summer time clock GMT/BST recurring 1 Sun Mar 01:00 last Sun Oct 02:00
DNS domain-lookup outside
DNS server-group Ext_DNS
Server name 82.72.6.57
Server name 63.73.82.242
the LOCAL_LAN object-group network
object-network 172.168.9.0 255.255.255.0
object-network 172.168.88.0 255.255.255.0
Internet_Services tcp service object-group
port-object eq www
area of port-object eq
EQ object of the https port
port-object eq ftp
EQ object of port 8080
EQ port ssh object
port-object eq telnet
the WAN_Network object-group network
object-network 172.168.200.0 255.255.255.0
ACLOUT list extended access allowed object-group LOCAL_LAN udp any eq log field
ACLOUT list extended access allow icmp object-group LOCAL_LAN no matter what paper
ACLOUT list extended access permitted tcp object-group LOCAL_LAN connect to any object-group Internet_Services
Access extensive list ip 172.168.88.0 ACLOUT allow 255.255.255.0 172.168.200.0 255.255.255.0 connect
access-list extended ACLIN all permit icmp any what newspaper echo-reply
access-list extended ACLIN all permit icmp any how inaccessible journal
access-list extended ACLIN allowed icmp no matter what newspaper has exceeded the time
IP 172.168.200.0 allow Access - list extended ACLIN 255.255.255.0 172.168.9.0 255.255.255.0 connect
standard access list split_tunnel_list allow 172.168.9.0 255.255.255.0
Access log list split_tunnel_list note LOCAL_LAN
access-list extended SHEEP allowed ip object-group LOCAL_LAN 172.168.100.0 255.255.255.0 connect
access extensive list ip 172.168.9.0 inside_nat0_outbound allow 255.255.255.0 172.168.200.0 255.255.255.0 connect
access extensive list ip 172.168.9.0 outside_cryptomap_20 allow 255.255.255.0 172.168.200.0 255.255.255.0 connect
pager lines 24
Enable logging
logging buffered information
logging trap information
host of logging inside the 172.168.88.3
Outside 1500 MTU
Within 1500 MTU
IP local pool testvpn 172.168.100.1 - 192.168.100.99
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image Flash: / pdm
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 1 0.0.0.0 0.0.0.0
Access-group ACLIN in interface outside
ACLOUT access to the interface inside group
Route outside 0.0.0.0 0.0.0.0 x.x.x.45 1
Route inside 172.168.88.0 255.255.255.0 172.168.88.254 1
Route inside 172.168.199.0 255.255.255.0 172.168.199.254 1
Route outside 172.168.200.0 255.255.255.0 172.168.9.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout, uauth 0:05:00 absolute
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
http 172.168.9.1 255.255.255.255 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-3des esp-md5-hmac Set_1
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto dynamic-map outside_dyn_map 1 set of transformation-Set_1
Crypto dynamic-map outside_dyn_map 1 the value reverse-road
outside_map 1 card crypto ipsec-isakmp dynamic outside_dyn_map
card crypto outside_map 20 match address outside_cryptomap_20
card crypto outside_map 20 peers set x.x.x.253
outside_map crypto 20 card value transform-set ESP-AES-256-SHA
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 1
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
crypto ISAKMP policy 10
preshared authentication
aes-256 encryption
sha hash
Group 5
life 86400
No encryption isakmp nat-traversal
Telnet 0.0.0.0 0.0.0.0 inside
Telnet timeout 5
SSH timeout 5
Console timeout 0
a basic threat threat detection
Statistics-list of access threat detection
NTP server 130.88.203.12 prefer external source
internal testvpn group policy
attributes of the strategy of group testvpn
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list split_tunnel_list
Viv ZdlkjGlOTGf7dqdb encrypted user name password
type tunnel-group testvpn remote access
tunnel-group testvpn General-attributes
address testvpn pool
Group Policy - by default-testvpn
testvpn group of tunnel ipsec-attributes
pre-shared-key *.
tunnel-group x.x.x.253 type ipsec-l2l
x.x.x.253 group of tunnel ipsec-attributes
pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
inspect the icmp
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum:bb6ead3350227b3745c14b9ba340b84a
: end
B PIX
8.0 (3) version PIX
!
hostname PIX - B
enable password ul; encrypted jk89A89hNC0Ms
names of
!
interface Ethernet0
Speed 100
full duplex
nameif outside
security-level 0
IP address x.x.x.253 255.255.255.240
!
interface Ethernet1
nameif inside
security-level 100
IP 172.168.200.1 255.255.255.0
!
interface Ethernet2
Shutdown
No nameif
no level of security
no ip address
!
2ljio897hFB.88fU encrypted passwd
Banner motd this is a private network. Unauthorized access is prohibited!
passive FTP mode
DNS domain-lookup outside
DNS server-group Ext_DNS
Server name x.x.x.57
Server name x.x.x.242
the LOCAL_LAN object-group network
object-network 172.168.200.0 255.255.255.0
Internet_Services tcp service object-group
port-object eq www
area of port-object eq
EQ object of the https port
port-object eq ftp
EQ object of port 8080
the WAN_Network object-group network
networks WAN Description
object-network 172.168.88.0 255.255.255.0
ACLOUT list extended access allowed object-group LOCAL_LAN udp any eq field
ACLOUT list extended access allow icmp object-group LOCAL_LAN all
ACLOUT list extended access permitted tcp object-group LOCAL_LAN any Internet_Services object-group
access-list extended ACLIN allow all unreachable icmp
access-list extended ACLIN permit icmp any one time exceed
access-list extended ACLIN permit icmp any any echo response
IP 172.168.88.0 allow Access - list extended ACLIN 255.255.255.0 172.168.200.0 255.255.255.0
IP 172.168.9.0 allow Access - list extended ACLIN 255.255.255.0 172.168.200.0 255.255.255.0
IP 172.168.199.0 allow Access - list extended ACLIN 255.255.255.0 172.168.200.0 255.255.255.0
access extensive list ip 172.168.200.0 inside_nat0_outbound allow 255.255.255.0 172.168.9.0 255.255.255.0
access extensive list ip 172.168.200.0 outside_cryptomap_20 allow 255.255.255.0 172.168.9.0 255.255.255.0
pager lines 24
Enable logging
monitor debug logging
debug logging in buffered memory
logging trap information
Outside 1500 MTU
Within 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 1 0.0.0.0 0.0.0.0
Access-group ACLIN in interface outside
ACLOUT access to the interface inside group
Route outside 0.0.0.0 0.0.0.0 x.x.x.253 1
Route outside 172.168.88.0 255.255.255.0 172.168.200.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout, uauth 0:05:00 absolute
dynamic-access-policy-registration DfltAccessPolicy
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
card crypto outside_map 20 match address outside_cryptomap_20
card crypto outside_map 20 peers set x.x.x.250
outside_map crypto 20 card value transform-set ESP-AES-256-SHA
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
aes-256 encryption
sha hash
Group 5
life 86400
No encryption isakmp nat-traversal
Telnet timeout 5
SSH timeout 5
Console timeout 0
management-access inside
a basic threat threat detection
Statistics-list of access threat detection
tunnel-group x.x.x.250 type ipsec-l2l
x.x.x.250 Group of tunnel ipsec-attributes
pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
inspect the icmp
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum:ccb8392ce529a21c071b85d9afcfdb30
: end
3560 G/W
version 12.2
no service button
horodateurs service debug uptime
Log service timestamps uptime
no password encryption service
!
hostname 3560_GW
!
enable secret 5 $1$ cOB4$ Uklj8978/jgWv? TSSP
!
No aaa new-model
mtu 1500 routing system
IP subnet zero
IP routing
!
!
!
!
No file verify auto
pvst spanning-tree mode
spanning tree extend id-system
!
internal allocation policy of VLAN ascendant
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
uplink Description to Cisco_ASA
switchport access vlan 9
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
!
interface GigabitEthernet0/23
switchport access vlan 88
switchport mode access
spanning tree portfast
!
interface GigabitEthernet0/24
switchport access vlan 9
switchport mode access
spanning tree portfast
!
interface GigabitEthernet0/25
trunk of the description and the port of A_2950_88 1
switchport trunk encapsulation dot1q
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
trunk of the description and the port of A_2950_112 1
switchport trunk encapsulation dot1q
Shutdown
!
interface GigabitEthernet0/28
!
interface Vlan1
no ip address
Shutdown
!
interface Vlan9
IP 172.168.9.2 255.255.255.0
!
interface Vlan88
IP 172.168.88.254 255.255.255.0
!
interface Vlan199
IP 172.168.199.254 255.255.255.0
!
IP classless
IP route 0.0.0.0 0.0.0.0 172.168.9.1
IP route 172.168.88.0 255.255.255.0 172.168.9.1
IP route 172.168.100.0 255.255.255.0 172.168.9.1
IP route 172.168.200.0 255.255.255.0 172.168.9.1
IP http server
!
!
control plan
!
Banner motd ^ C is a private network. ^ C
!
Line con 0
line vty 0 4
opening of session
line vty 5 15
opening of session
!
end
Hi Robert,.
I went through the configuration on both the PIX firewall and see that trafficking is not defined for 172.168.88.0/24-->172.168.200.0/24.
If you check the card crypto a PIX configuration, it says:
address for correspondence outside_map 20 card crypto outside_cryptomap_20<--This acl="" defines="" interesting="">--This>
and the outside_cryptomap_20 of the acl says:
access extensive list ip 172.168.9.0 outside_cryptomap_20 allow 255.255.255.0 172.168.200.0 255.255.255.0 connect
Is the same on the PIX B:
address for correspondence outside_map 20 card crypto outside_cryptomap_20
access extensive list ip 172.168.200.0 outside_cryptomap_20 allow 255.255.255.0 172.168.9.0 255.255.255.0
To allow users to talk to each other, apply to these commands:
On the PIX:
access extensive list ip 172.168.88.0 outside_cryptomap_20 allow 255.255.255.0 172.168.200.0 255.255.255.0
access extensive list ip 172.168.88.0 inside_nat0_outbound allow 255.255.255.0 172.168.200.0 255.255.255.0
and PIX B:
IP 172.168.200.0 allow access-list extended outside_cryptomap_20 255.255.255.0 172.168.88.0 255.255.255.0
access extensive list ip 172.168.200.0 inside_nat0_outbound allow 255.255.255.0 172.168.88.0 255.255.255.0
Let me know if it helps.
Thank you
Vishnu Sharma
Tags: Cisco Security
Similar Questions
-
Cannot access remote network by VPN Site to Site ASA
Hello everyone
First of all I must say that I have configured the VPN site-to site a million times before. Stuck with it. First of all I can't ping outside the interface of my ASA remote. Secondly, VPN is in place, but no connectivity between local networks
ASA local:
hostname gyd - asa
domain bct.az
activate the encrypted password of XeY1QWHKPK75Y48j
XeY1QWHKPK75Y48j encrypted passwd
names of
DNS-guard
!
interface GigabitEthernet0/0
Shutdown
nameif vpnswc
security-level 0
IP 10.254.17.41 255.255.255.248
!
interface GigabitEthernet0/1
Vpn-turan-Baku description
nameif outside Baku
security-level 0
IP 10.254.17.9 255.255.255.248
!
interface GigabitEthernet0/2
Vpn-ganja description
nameif outside-Ganja
security-level 0
IP 10.254.17.17 255.255.255.248
!
interface GigabitEthernet0/2.30
Description remote access
VLAN 30
nameif remote access
security-level 0
IP 85.*. *. * 255.255.255.0
!
interface GigabitEthernet0/3
Description BCT_Inside
nameif inside-Bct
security-level 100
IP 10.40.50.65 255.255.255.252
!
interface Management0/0
nameif management
security-level 100
IP 192.168.251.1 255.255.255.0
management only
!
boot system Disk0: / asa823 - k8.bin
passive FTP mode
DNS server-group DefaultDNS
name-server 192.168.1.3
domain bct.az
permit same-security-traffic intra-interface
object-group network obj - 192.168.121.0
object-group network obj - 10.40.60.0
object-group network obj - 10.40.50.0
object-group network obj - 192.168.0.0
object-group network obj - 172.26.0.0
object-group network obj - 10.254.17.0
object-group network obj - 192.168.122.0
object-group service obj-tcp-eq-22
object-group network obj - 10.254.17.18
object-group network obj - 10.254.17.10
object-group network obj - 10.254.17.26
access-list 110 scope ip allow a whole
NAT list extended access permit tcp any host 10.254.17.10 eq ssh
NAT list extended access permit tcp any host 10.254.17.26 eq ssh
access-list extended ip allowed any one sheep
icmp_inside list extended access permit icmp any one
icmp_inside of access allowed any ip an extended list
access list nat-ganja extended permit tcp any host 10.254.17.18 eq ssh
RDP list extended access permit tcp any host 192.168.45.3 eq 3389
rdp extended permitted any one ip access list
sheep-vpn access-list extended permits all ip 192.168.121.0 255.255.255.0
NAT-vpn-internet access-list extended ip 192.168.121.0 allow 255.255.255.0 any
NAT-vpn-internet access-list extended ip 172.26.0.0 allow 255.255.255.0 any
NAT-vpn-internet access-list extended ip 192.168.122.0 allow 255.255.255.0 any
access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 10.40.60.0 255.255.255.0
access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 10.40.50.0 255.255.255.0
access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 192.168.0.0 255.255.0.0
access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 172.26.0.0 255.255.255.0
access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 10.254.17.0 255.255.255.0
GHC-ganja-internet access-list extended ip 192.168.45.0 allow 255.255.255.0 any
Standard access list Split_Tunnel_List allow 192.168.16.0 255.255.255.0
azans 192.168.69.0 ip extended access-list allow 255.255.255.0 any
permit inside_nat0_outbound to access extended list ip 192.168.0.0 255.255.0.0 192.168.121.0 255.255.255.0
permit inside_nat0_outbound to access extended list ip 192.168.0.0 255.255.0.0 192.168.80.0 255.255.255.0
pager lines 24
Enable logging
emblem of logging
recording of debug console
recording of debug trap
asdm of logging of information
Interior-Bct 192.168.1.27 host connection
flow-export destination inside-Bct 192.168.1.27 9996
vpnswc MTU 1500
outside Baku MTU 1500
outside-Ganja MTU 1500
MTU 1500 remote access
Interior-Bct MTU 1500
management of MTU 1500
IP local pool raccess 192.168.121.60 - 192.168.121.120 mask 255.255.255.0
IP local pool ssl 192.168.121.130 - 192.168.121.200 mask 255.255.255.0
no failover
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow any outside Baku
ICMP allow access remotely
ICMP allow any interior-Bct
ASDM image disk0: / asdm - 621.bin
don't allow no asdm history
ARP timeout 14400
global (outside-Baku) 1 interface
global (outside-Ganja) interface 2
3 overall (RAS) interface
azans access-list NAT 3 (outside-Ganja)
NAT (remote access) 0 access-list sheep-vpn-city
NAT 3 list nat-vpn-internet access (remote access)
NAT (inside-Bct) 0-list of access inside_nat0_outbound
NAT (inside-Bct) 2-nat-ganja access list
NAT (inside-Bct) 1 access list nat
Access-group rdp on interface outside-Ganja
!
Router eigrp 2008
No Auto-resume
neighbor 10.254.17.10 interface outside Baku
neighbor 10.40.50.66 Interior-Bct interface
Network 10.40.50.64 255.255.255.252
Network 10.250.25.0 255.255.255.0
Network 10.254.17.8 255.255.255.248
Network 10.254.17.16 255.255.255.248
redistribute static
!
Access remote 0.0.0.0 0.0.0.0 85.*. *. * 1
Outside-Baku route 10.0.11.0 255.255.255.0 10.254.17.10 1
Outside-Baku route 10.0.33.0 255.255.255.0 10.254.17.10 1
Outside-Baku route 10.0.150.0 255.255.255.0 10.254.17.10 1
Outside-Baku route 10.0.170.0 255.255.255.0 10.254.17.10 1
Route outside Baku 10.254.17.24 255.255.255.248 10.254.17.10 1
Route outside Baku 10.254.17.32 255.255.255.248 10.254.17.10 1
Route outside Baku 192.1.1.0 255.255.255.0 10.254.17.10 1
Outside-Baku route 192.168.27.0 255.255.255.0 10.254.17.10 1
Outside-Baku route 192.168.39.0 255.255.255.0 10.254.17.10 1
Route outside-Ganja 192.168.45.0 255.255.255.0 10.254.17.18 1
Route outside-Ganja 192.168.66.0 255.255.255.0 10.254.17.18 1
Route outside-Ganja 192.168.69.0 255.255.255.0 10.254.17.18 1
Outside-Baku route 192.168.80.0 255.255.255.0 10.254.17.11 1
Access remote 192.168.121.0 255.255.255.0 85.132.43.1 1
Route outside-Ganja 192.168.184.0 255.255.255.0 10.254.17.18 1
Route outside Baku 192.168.208.16 255.255.255.240 10.254.17.10 1
Route outside-Ganja 192.168.208.112 255.255.255.240 10.254.17.18 1
Route inside-Bct 192.168.254.0 255.255.255.0 10.40.50.66 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
AAA-server protocol Ganymede GANYMEDE +.
AAA-server GANYMEDE (Interior-Bct) 192.168.1.8
key *.
AAA-server GANYMEDE (Interior-Bct) 192.168.22.46
key *.
RADIUS protocol AAA-server TACACS1
AAA-server TACACS1 (Interior-Bct) host 192.168.1.8
key *.
AAA-server TACACS1 (Interior-Bct) host 192.168.22.46
key *.
authentication AAA ssh console LOCAL GANYMEDE
Console to enable AAA authentication RADIUS LOCAL
Console Telnet AAA authentication RADIUS LOCAL
AAA accounting ssh console GANYMEDE
Console Telnet accounting AAA GANYMEDE
Enable http server
http 192.168.1.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 Interior-Bct
http 192.168.139.0 255.255.255.0 Interior-Bct
http 192.168.0.0 255.255.255.0 Interior-Bct
Survey community SNMP-server host inside-Bct 192.168.1.27
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT
Crypto ipsec transform-set newset aes - esp esp-md5-hmac
Crypto ipsec transform-set esp-3des esp-sha-hmac myset2
Crypto ipsec transform-set esp-3des esp-md5-hmac raccess
Crypto ipsec transform-set esp-3des esp-sha-hmac vpnclienttrans
Crypto ipsec transform-set vpnclienttrans transport mode
life crypto ipsec security association seconds 2147483646
Crypto ipsec kilobytes of life security-association 2147483646
raccess 1 set transform-set vpnclienttrans crypto dyn1 dynamic-map
correspondence address card crypto mymap 10 110
card crypto mymap 10 peers set 10.254.17.10
card crypto mymap 10 transform-set RIGHT
correspondence address card crypto mymap 20 110
card crypto mymap 20 peers set 10.254.17.11
mymap 20 transform-set myset2 crypto card
card crypto mymap interface outside Baku
correspondence address card crypto ganja 10 110
10 ganja crypto map peer set 10.254.17.18
card crypto ganja 10 transform-set RIGHT
card crypto interface outside-Ganja ganja
correspondence address card crypto vpntest 20 110
peer set card crypto vpntest 20 10.250.25.1
newset vpntest 20 transform-set card crypto
card crypto vpntest interface vpnswc
vpnclientmap 30 card crypto ipsec-isakmp dynamic dyn1
card crypto interface for remote access vpnclientmap
Crypto ca trustpoint ASDM_TrustPoint0
registration auto
name of the object CN = gyd - asa .az .bct
sslvpnkeypair key pair
Configure CRL
map of crypto DefaultCertificateMap 10 ca certificatecrypto isakmp identity address
ISAKMP crypto enable vpnswc
ISAKMP crypto enable outside-Baku
ISAKMP crypto enable outside-Ganja
crypto ISAKMP enable remote access
ISAKMP crypto enable Interior-Bct
crypto ISAKMP policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
crypto ISAKMP policy 20
preshared authentication
aes encryption
md5 hash
Group 2
life 86400
crypto ISAKMP policy 30
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 40
preshared authentication
aes encryption
sha hash
Group 2
life 86400
Crypto isakmp nat-traversal 30
No vpn-addr-assign aaa
Telnet timeout 5
SSH 192.168.0.0 255.255.255.0 Interior-Bct
SSH timeout 35
Console timeout 0
priority queue outside Baku
queue-limit 2046
TX-ring-limit 254
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
Server NTP 192.168.1.3
SSL encryption, 3des-sha1 rc4 - md5 aes128-sha1 sha1-aes256
SSL-trust point ASDM_TrustPoint0 to vpnlb-ip remote access
SSL-trust ASDM_TrustPoint0 remote access point
WebVPN
turn on remote access
SVC disk0:/anyconnect-win-2.4.1012-k9.pkg 1 image
enable SVC
tunnel-group-list activate
attributes of Group Policy DfltGrpPolicy
Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
internal group ssl policy
attributes of group ssl policy
banner welcome to SW value
value of DNS-server 192.168.1.3
Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
group-lock value SSL
WebVPN
value of the SPS URL-list
internal vpn group policy
attributes of vpn group policy
value of DNS-server 192.168.1.3
Protocol-tunnel-VPN IPSec l2tp ipsec
disable the PFS
BCT.AZ value by default-field
ssl VPN-group-strategy
WebVPN
value of the SPS URL-list
IPSec-attributes tunnel-group DefaultL2LGroup
ISAKMP retry threshold 20 keepalive 5
attributes global-tunnel-group DefaultRAGroup
raccess address pool
Group-RADIUS authentication server
Group Policy - by default-vpn
IPSec-attributes tunnel-group DefaultRAGroup
pre-shared key *.
ISAKMP retry threshold 20 keepalive 5
IPSec-attributes tunnel-group DefaultWEBVPNGroup
ISAKMP retry threshold 20 keepalive 5
tunnel-group 10.254.17.10 type ipsec-l2l
IPSec-attributes tunnel-group 10.254.17.10
pre-shared key *.
ISAKMP retry threshold 20 keepalive 5
type SSL tunnel-group remote access
attributes global-group-tunnel SSL
ssl address pool
Authentication (remote access) LOCAL servers group
Group Policy - by default-ssl
certificate-use-set-name username
Group-tunnel SSL webvpn-attributes
enable SSL group-alias
Group-url https://85. *. *. * / activate
tunnel-group 10.254.17.18 type ipsec-l2l
IPSec-attributes tunnel-group 10.254.17.18
pre-shared key *.
ISAKMP retry threshold 20 keepalive 5
tunnel-group 10.254.17.11 type ipsec-l2l
IPSec-attributes tunnel-group 10.254.17.11
pre-shared key *.
ISAKMP retry threshold 20 keepalive 5
type tunnel-group DefaultSWITGroup remote access
attributes global-tunnel-group DefaultSWITGroup
raccess address pool
Group-RADIUS authentication server
Group Policy - by default-vpn
IPSec-attributes tunnel-group DefaultSWITGroup
pre-shared key *.
!
type of policy-card inspect dns migrated_dns_map_1
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the migrated_dns_map_1 dns
inspect the rsh
inspect the rtsp
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect the netbios
Review the ip options
class flow_export_cl
flow-export-type of event all the destination 192.168.1.27
class class by default
flow-export-type of event all the destination 192.168.1.27
Policy-map Voicepolicy
class voice
priority
The class data
police release 80000000
!
global service-policy global_policy
service-policy interface outside Baku Voicepolicy
context of prompt hostnameCryptochecksum:4f35f975ba7a0c11f7f46dfd541d266f
: end
GYD - asa #.ASA remote:
ASA Version 8.2 (3)
!
ciscoasa hostname
activate the encrypted password of XeY1QWHKPK75Y48j
2KFQnbNIdI.2KYOU encrypted passwd
names of
DNS-guard
!
interface Ethernet0/0
nameif inside
security-level 100
IP 192.168.80.14 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
IP 10.254.17.11 255.255.255.248
!
interface Ethernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
Shutdown
nameif management
security-level 100
no ip address
management only
!
boot system Disk0: / asa823 - k8.bin
passive FTP mode
access-list 110 scope ip allow a whole
192.168.80.0 IP Access-list extended sheep 255.255.255.0 allow 192.168.0.0 255.255.0.0
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
management of MTU 1500
Within 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow all outside
ICMP allow any inside
ASDM image disk0: / asdm - 621.bin
don't allow no asdm history
ARP timeout 14400
NAT (inside) 0 access-list sheep
Route outside 0.0.0.0 0.0.0.0 10.254.17.9 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
http 192.168.1.0 255.255.255.0 management
http 192.168.80.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT
Crypto ipsec transform-set newset aes - esp esp-md5-hmac
Crypto ipsec transform-set esp-3des esp-sha-hmac myset2
life crypto ipsec security association seconds 2147483646
Crypto ipsec kilobytes of life security-association 2147483646
correspondence address card crypto mymap 10 110
card crypto mymap 10 peers set 10.254.17.9
mymap 10 transform-set myset2 crypto card
mymap outside crypto map interface
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
crypto ISAKMP policy 20
preshared authentication
aes encryption
md5 hash
Group 2
life 86400
crypto ISAKMP policy 30
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 40
preshared authentication
aes encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPNtunnel-group 10.254.17.9 type ipsec-l2l
IPSec-attributes tunnel-group 10.254.17.9
pre-shared key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns migrated_dns_map_1
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the migrated_dns_map_1 dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostnameCryptochecksum:1c1ac60e2fb84f65269d15d53f27c21b
: end
ciscoasa # $Still, I can't ping ASA remote outside from outside of the Local interface. And there is no connectivity between the 192.168.80.0 distance and local don't say 192.168.1.0. I have run out of ideas
Would appreciate any help. Thank you in advance...
If the tunnel is up (phase 1), but no traffic passing the best test is the following:
Add order management-access to the Interior , and then try to PING the intellectual property inside ASA counterpart.
inside x.x.x.x ping --> x.x.x.x is the IP of the ASA peer inside
The test above shows if the traffic passes through the tunnel (check encrypted/decrypted packets of sh cry ips its).
Test on both directions.
Please post the results.
Federico.
-
Cannot access remote network via VPN
Hello
I'm trying to set up a router vpn access to my office network. The router is connected to the Internet through using pppoe vdsl.
There is also a public oriented Web server in the office which must be accessible.I can access the Web server from the Internet and the vpn connects successfully. I can also ping the LAN Gateway, however, I can't access all the local machines.
I'm quite puzzled as to why it does not work. Please could someone help.
The results of tests and the router configuration are listed below. Please let me know if you need additional information.
Thank you and best regards,
Simon1. routing on the router table
Router #sh ip route
Gateway of last resort is ggg.hhh.125.34 to network 0.0.0.0
xxx.yyy.zzz.0/29 is divided into subnets, subnets 1
C XXX.yyy.zzz.192 is directly connected, Vlan10
GGG.hhh.125.0/32 is divided into subnets, subnets 1
C GGG.HHH.125.34 is directly connected, Dialer0
172.16.0.0/32 is divided into subnets, subnets 1
S 172.16.100.50 [1/0] via mmm.nnn.ppp.sss
S * 0.0.0.0/0 [1/0] via ggg.hhh.125.342. ping PC remotely (172.16.100.50) local GW (172.16.100.1) successful
> ping 172.16.100.1
Ping 172.16.100.1 with 32 bytes of data:
Response to 172.16.100.1: bytes = 32 time = 24ms TTL = 255
Response to 172.16.100.1: bytes = 32 time = 10ms TTL = 255
Response to 172.16.100.1: bytes = 32 time = 10ms TTL = 255
Response to 172.16.100.1: bytes = 32 time = 11ms TTL = 2553. ping PC remotely (172.16.100.50) to the local server (172.16.100.10) failure
> ping 172.16.100.10
Ping 172.16.100.10 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.4. ping the router to the successful local server
router #ping 172.16.100.10
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 172.16.100.10, wait time is 2 seconds:
!!!!!
Success rate is 100 per cent (5/5), round-trip min/avg/max = 1/1/4 ms5 see the version
Cisco IOS software, software of C181X (C181X-ADVIPSERVICESK9-M), Version 12.4 (15) T1, VERSION of the SOFTWARE (fc2)
ROM: System Bootstrap, Version 12.3 YH6 (8r), RELEASE SOFTWARE (fc1)
the availability of router is 1 hour, 9 minutes
System image file is "flash: c181x-advipservicesk9 - mz.124 - 15.T1.bin".
Cisco 1812-J (MPC8500) processor (revision 0 x 300) with 118784K / 12288K bytes of memory.
10 FastEthernet interfaces
1 ISDN basic rate interface
Configuration register is 0 x 21026. router Config
AAA authentication login default local
connection of local AAA VPN authentication.
AAA authorization exec default local
local authorization AAA VPN network
!
!
AAA - the id of the joint session
!
!
!
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
!
Configuration group customer isakmp crypto ASI_Group
key mykey
DNS aaa.bbb.cccc.ddd
domain mydomain.com
pool VPN_Pool
ACL VPN_ACL
!
!
Crypto ipsec transform-set esp-3des esp-sha-hmac TS1
!
crypto dynamic-map 10 DYNMAP
game of transformation-TS1
market arriere-route
!
!
list of authentication of VPN client VPN crypto card
card crypto VPN VPN isakmp authorization list
crypto map VPN client configuration address respond
card crypto 10 VPN ipsec-isakmp dynamic DYNMAP
!
!
!
IP cef
!
!
!
Authenticated MultiLink bundle-name Panel
!
!
username admin privilege 15 password mypassword
Archives
The config log
hidekeys
!
!
!
!
!
interface FastEthernet0
WAN description
no ip address
no ip redirection
no ip unreachable
no ip proxy-arp
no ip mroute-cache
automatic duplex
automatic speed
PPPoE enable global group
PPPoE-client dial-pool-number 1
!
interface FastEthernet2
Description Public_LAN_Interface
switchport access vlan 10
full duplex
Speed 100
!
FastEthernet6 interface
Description Private_LAN_Interface
switchport access vlan 100
full duplex
Speed 100
!
interface Vlan1
no ip address
!
interface Vlan10
Public description
IP address xxx.yyy.zzz.193 255.255.255.248
no ip redirection
no ip unreachable
no ip proxy-arp
no ip mroute-cache
!
interface Vlan100
172.16.100.1 IP address 255.255.255.0
no ip redirection
no ip unreachable
no ip proxy-arp
no ip mroute-cache
!
interface Dialer0
IP unnumbered Vlan10
no ip unreachable
IP mtu 1452
IP virtual-reassembly
encapsulation ppp
no ip mroute-cache
Dialer pool 1
Dialer-Group 1
Authentication callin PPP chap Protocol
PPP chap hostname myhostname
PPP chap password mychappassword
PPP ipcp dns request accept
failure to track PPP ipcp
PPP ipcp address accept
VPN crypto card
!
IP pool local VPN_Pool 172.16.100.50 172.16.100.60
!
!
no ip address of the http server
no ip http secure server
!
VPN_ACL extended IP access list
IP 172.16.100.0 allow 0.0.0.255 any
!
Dialer-list 1 ip protocol allow
not run cdp
!
!Simon,
Basically when you connect through a VPN Client PC routing table is updated automatically as soon as the connection is established. If you do not need to manually add routes. You can check this by doing a "route print" once you are connected.
Ideally, you need to put your pool of VPN on subnet that does not exist on your physical network, the router would be to route traffic between the IP pool and internal subnet.
Now, you said that you have a web server with a public IP address that you need to access through the VPN, that host also as a private IP addresses on the 172.16.100.0? If it isn't then the ACL that I proposed should work. If she only has a public IP then your ACL VPN address must have something like
IP 172.16.100.0 allow 0.0.0.255 192.168.100.0 0.0.0.255
219.xxx.yyy.192 ip 0.0.0.7 permit 192.168.100.0 0.0.0.255
Who says the router and the client to encrypt all traffic between the subnets behind your router and your VPN pool.
I hope this helps.
Luis Raga
-
Use the remote website via VPN site-to-site
Hi all
We have two sites, the site has and B. At site A, we have a Web site we want to share with all of site B. Currently, site B can access the site via the VPN site-to site on X 0, which is their LAN. Nothing outside X 0 cannot access or ping to the address.
We added access rules to allow access from the DMZ to this interface, but again, no ping and no communication at all. The other strange thing is that we see that no trip package for these access rules either.
Any help is appreciated. Thank you.
It seems that the demilitarized zone is not part of the VPN tunnel.
Can you confirm that the DMZ subnet is part of local destinations on the site B and a part of the local destinations on site?
Kevin
-
RV120W - cannot access static IP via VPN devices
Hello
I have a RV120W used to provide VPN access to several industrial devices. Some of these devices are assigned via DHCP from the router IP address. Can not do DHCP, so there a self-determined static IP.
The VPN works well for all devices that are affected intellectual property. However, it does allow me to connect to the device that has a static IP address. I can connect to it very well when I'm on the LAN or WLAN, but it cannot ping via the VPN.
Help!
Thank you-
Bailey
Hi Bailey, it seems that the static device has no default gateway are entrusted to him.
-Tom
Please mark replied messages useful -
Make the remote web server accessible via VPN Site to website
We have two test sites that are connected by a tunnel IPSEC VPN site-to-site (hosted on a SAA each site) over the Internet. We are trying to set up an environment to test two web applications running side by side. Two web servers are running on the Site of Test 1. We don't have the same public IP available at each site.
To address the public site 1 unique IP address restriction, we try to install ACL and NAT rules to have 2 Site accept traffic from the internet and send it on the site to the other tunnel. So 1 Web server would accept the ASA 1 internet traffic and Web Server 2 accept traffic from ASA 2 to the other site. Here's a network diagram:
We have difficulties to get this configuration works correctly. Please note that the network 192.168.3.0/24 clients are able to access the servers Web1 and Web2. This question seems to be due to our NAT configuration. This is the type of error, we see on the two firewalls:
Asymmetrical NAT rules matched for flows forward and backward; Connection for tcp src outside:4.4.4.4/443 dst outside:192.168.1.10/443 refused due to path failure reverse that of NAT
Our situation seems similar to this post: https://supportforums.cisco.com/thread/2242230
Any help would be appreciated.
Hello
What Karsten said above is true. While it is possible and works, it also means that the configuration is a little more complex to manage. I have done no such features in a real-life network environment and have always used additional public IP addresses on the local site when a server is hosted.
If you want to continue to move forward with this so here's a few points to consider and the configurations that you need.
First off it seems to me that the other server will be organized by the local Site 1 so a simple static PAT (Port Forward) must manage the Site 1.
network of the WEB-HTTP object
host 192.168.1.10
NAT (inside, outside) interface static tcp 443 443 service
And if you need TCP/80 also then you will need
network of the HTTPS WEB object
host 192.168.1.10
NAT (inside, outside) interface static service tcp 80 80
Now, 2 Site will naturally a little different that the server is hosted on the Site 1 and Site 2 is the public IP address used to publish the server on the external network.
Essentially, you will need to configure NAT that both makes dynamic PAT for the addresses of the source of the connection to your server Web 2, but also makes the static PAT (Port Forward) for the IP address of the Web Server 2. Additionally, you have to set the area of encryption on the Site 1 and Site 2 to match this new addition to the L2L VPN connection.
Unless of course you use an existing IP address on the field of encryption in the dynamic translation of PAT for the source address. In this case, it would take no change VPN L2L. I'll use that in the example below.
The NAT configuration might look like this
service object WWW
destination eq 80 tcp service
service object HTTPS
destination eq 443 tcp service
the object SOURCE-PAT-IP network
host 192.168.3.254
network of the WEB-SERVER-2-SITE1 object
host 192.168.1.11
NAT (outside, outside) 1 dynamic source no matter what static SOURCE-PAT-IP destination interface WEB-SERVER-2-SITE1 service WWW WWW
NAT (outdoors, outdoor), 2 dynamic source no matter what static SOURCE-PAT-IP destination interface WEB-SERVER-2-SITE1 service HTTPS HTTPS
So, essentially, NAT configurations above should ake 'all' traffic coming from behind 'outside' interface intended to "outside" "interface" IP address and translate the source to ' SOURCE-PAT-IP ' address and untranslate destination to "WEB-SERVER-2-SITE1".
Make sure that the IP address chosen (in this case 192.168.3.254) is not used on any device. If she is then replace it with something that is not currently used in the network. Otherwise, configure an IP address of some other subnet and include in the L2L VPN configurations on both sites.
Unless you already have it, you also have this configuration command to activate the traffic to make a U-turn/pin on the ' outside ' of the Site 2 ASA interface
permit same-security-traffic intra-interface
Hope this helps
Remember to mark a reply as the answer if it answered your question.
Feel free to ask more if necessary.
-Jouni
-
Customer quick RV042 VPN cannot ping lan network
Hi guys,.
I just created a client2gateway on RV042 IPSec tunnel and use the remote PC quick VPN client tries to connect to this router.
Fast VPN showed that the tunnel has been established. But I couldn't ping the LAN behind the router RV042.
Can someone help me?
Thank you.
Hello
Yes, you are right. To use the fast with RV042 VPN, it is necessary to configure the user name and a password for access to the VPN Client page. As this router does not support VLANs, you can only connect the VPN client to the LAN subnet (you cannot connect the client to any beach IP configured with multiple subnets)
Kind regards
Bismuth
-
Remote VPN cannot ping any host on remote site
Hi all!
I tried to deploy remote vpn on my asa 5515-x. And my VPN client properly connected, but I can't ping any host on a remote network.
Here is my configuration:
ASA 1.0000 Version 2
!
names of
!
interface GigabitEthernet0/0
nameif inside
security-level 100
IP 192.168.10.252 255.255.255.0
!
interface GigabitEthernet0/1
nameif outside
security-level 0
IP x.x.x.x 255.255.255.252
!
interface GigabitEthernet0/2
DMZ description
nameif dmz
security-level 50
IP 192.168.20.252 255.255.255.0
!
interface GigabitEthernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/5
No nameif
no level of security
no ip address
!
interface Management0/0
nameif management
security-level 100
IP 192.168.2.40 255.255.255.0
management only
!
boot system Disk0: / asa861-2-smp - k8.bin
passive FTP mode
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
internal subnet object-
192.168.10.0 subnet 255.255.255.0
network dmz subnet object
subnet 192.168.20.0 255.255.255.0
Note to access-list LAN_VLAN_10 split_tunnel
split_tunnel list standard access allowed 192.168.10.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
management of MTU 1500
MTU 1500 dmz
IP local pool testpool 192.168.10.240 - 192.168.10.250 mask 255.255.255.0
no failover
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow any inside
ASDM image disk0: / asdm - 714.bin
don't allow no asdm history
ARP timeout 14400
!
internal subnet object-
NAT dynamic interface (indoor, outdoor)
network dmz subnet object
NAT (dmz, outside) dynamic interface
Route outside 0.0.0.0 0.0.0.0 93.174.55.181 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
AAA authentication LOCAL telnet console
the ssh LOCAL console AAA authentication
Enable http server
http 192.168.0.0 255.255.0.0 management
http 192.168.10.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
Crypto ipsec transform-set esp - esp-md5-hmac ikev1 firstset
Crypto-map dynamic dyn1 ikev1 transform-set firstset 1 set
dynamic mymap 1 dyn1 ipsec-isakmp crypto map
mymap outside crypto map interface
Crypto ikev1 allow outside
IKEv1 crypto policy 1
preshared authentication
the Encryption
md5 hash
Group 2
life 43200
Telnet 0.0.0.0 0.0.0.0 inside
Telnet 0.0.0.0 0.0.0.0 management
Telnet timeout 5
SSH 0.0.0.0 0.0.0.0 management
SSH timeout 5
Console timeout 0
interface ID client DHCP-client to the outside
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
internal group testgroup strategy
testgroup group policy attributes
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list split_tunnel
user1 fvosA8L1anfyxTw3 encrypted password username
tunnel-group testgroup type remote access
tunnel-group testgroup General attributes
address testpool pool
strategy-group-by default testgroup
testgroup group tunnel ipsec-attributes
IKEv1 pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
What's wrong?
TNX!
Hello
I would like to change the current reserve of VPN to something overlapping to the LAN.
You're also missing NAT0 for the VPN Client connection that is your problem more likely.
You can try these changes
mask of 192.168.100.1 - local 192.168.100.254 pool POOL VPN IP 255.255.255.0
tunnel-group testgroup General attributes
No address testpool pool
address VPN-POOL pool
no ip local pool testpool 192.168.10.240 - 192.168.10.250 mask 255.255.255.0
the object of the LAN network
192.168.10.0 subnet 255.255.255.0
network of the VPN-POOL object
255.255.255.0 subnet 192.168.100.0
NAT static destination LAN LAN (indoor, outdoor) static source VPN-VPN-POOL
You can also change your settings for encryption for anything other than a. You can use AES.
Hope this helps
Let us know if this helped.
Don't forget to mark a reply as the answer if it answered your question.
Feel free to ask more if necessary
-Jouni
-
Cannot print to a network via vpn printer
Installed an EnGenius ESR750H router and configure the L2TP VPN server and Win 7 SP1 VPN client. The client connects and implements the VPN.
I can access the drives mapped to WHS v1 (Windows Home Server) and NAS (Network attached storage() and I can access the NAS login screen.
I can't access screen for the old DLink DIR-655 Router now used as a WAP only [wireless access point] connection.
I can't print the two printers on network at the office. LaserJets HP4000 & HP4050 with SNMP disabled in the configuration of printer Win7 - if on, they show offline.
And I can't RDC (Remote Desktop connection) the ESM.
A computer on the LAN Office can do anything, so everything works.
Some time back, I have all work by the VPN ESR750H - all this - and I was so happy to finally access. At that time there I had not yet removed on the WHS VPN configuration.
Then the next day, a fool to UNRWA [the boss] decided to move things on a network segment and everything, including internet access, went to-well, you know where. During the frenetic fray next I took the VPN of the WHS, but left the remote control to connect to. More I have him help locate the bad wiring and bad switch causing the problem.
I could not even get it all back to what I had it one evening. There must be something stupid.
The DRC to the WHS says the server error is not on, not available on the network, or is not remote connect lit, but the boss can rdc to the MSS on the local network.
Printers and the DIR-655 all come with the same message of troubleshooting when I go to IP addresses through the browser with the connected VPN.
(device) is detected and online but does not - does not not to connections on port 80, possibly firewall or do security policy issues - no problems with the firewall on my computer.
I tried port forwarding 80 printing - no joy.
Thanks in advance.
Bob
Hello Rafisher,
Thanks for posting the question on the Microsoft Community.
The question you posted would be better suited in TechNet community support. I suggest you to check with TechNet support to solve the problem.
http://social.technet.Microsoft.com/forums/en-us/newThread
I hope that helps you find the solution for your problem. If you have other problems with Windows in the future, please post in the Windows community. We would be happy to help you.
-
Windows 2003 cannot access remote network via Cisco VPN
I have two computers at home, an XP Pro SP2 and another is Windows 2003 server SP1. If I set Cisco VPN XP (version 4.6) the Office (ASA 5510), I can access the office network resources. However, if I set the Cisco VPN on 2003, can I? t do the same thing. After studying the two routing tables, I think XP has this road: 192.168.0.0 255.255.0.0 192.168.101.5 192.168.101.5 1, but the 2003 doesn't? t. If I add this route manually (rou? add 192.168.0.0 mask 255.255.255.0 192.168.101.3) 2003, then I can access resources. Why?
tale of 2003 routing.
Active routes:
Network Destination gateway metric Interface subnet mask
0.0.0.0 0.0.0.0 192.168.10.1 192.168.10.3 40
x.x.x.37 255.255.255.255 192.168.10.1 192.168.10.3 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.10.0 255.255.255.0 192.168.10.3 192.168.10.3 40
192.168.10.3 255.255.255.255 127.0.0.1 127.0.0.1 40
192.168.10.255 255.255.255.255 192.168.10.3 192.168.10.3 40
192.168.101.0 255.255.255.0 192.168.101.3 192.168.101.3 10
192.168.101.3 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.101.255 255.255.255.255 192.168.101.3 192.168.101.3 10
224.0.0.0 240.0.0.0 192.168.10.3 192.168.10.3 40
224.0.0.0 240.0.0.0 192.168.101.3 192.168.101.3 10
255.255.255.255 255.255.255.255 192.168.10.3 192.168.10.3 1
255.255.255.255 255.255.255.255 192.168.101.3 192.168.101.3 1
Default gateway: 192.168.10.1
===========================================================================
Persistent routes:
None
VPN client has not been tested on Win2003. Customer requirements are described here:
http://www.Cisco.com/univercd/CC/TD/doc/product/VPN/client/4_6/relnt/4604cln.htm#wp1024664
and the show to competition of WinXP is supported.
-
ESXi hosts SBS 2011, clients lose network via VPN
Greetings,
We have an ESXi Server (in a lab environment) who perform a SBS 2011 and a Windows 2003 (Terminal Server).
We have two locations, connected via a VPN IPSec (2 boxes of ClearOS).
The ESXi host is located in building r. customers in the construction of an experience no problem at all.
Customers in the building B often lose connectivity to network share. We also failed when copying data. Do not forget that the servers are located in the building and issues affecting only users in the B building.
We noticed the event ID 2012 on the VM SBS 2011 event viewer.
The two buildings are connected to a cable broadband 10 mb / 1 mb ISP.
NOD32 Antivirus is installed on the two virtual machines
Any help would be appreciated!
Thank you
Fred9777
Hello
There are a few things to look out for more such links. The following steps were made on W2K and W2K3, so that they are still applicable for you.
(1) is the VPN capable to manage the packet being sent by site B MTU size, sometimes the MTU on VPN size must be less than the default value of 1500 set LAN. You can check this scathing your server with a command like
ping f-l 1500
If you get a message like "packet needs to be fragmented but DF parameter.
You will need to reduce the size of the MTU TCP/IP in the client registry. Try to ping the server with a size of 500 bytes and see how it goes.
(2) setting the server TCP/IP stack
In the registry HKLM \SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, create or modify value DWORD of TcpMaxDataRetransmissions. By default, it is set to 5, but I recommend double this value to 10. The TcpMaxDataRetransmissions value is the number of retransmissions of TCP of a data segment without acknowledgement of receipt on an existing connection. TCP retransmits data segments until they are acknowledged or until the expiry of this value. Basically, when a client does not meet a package from the server, the server will attempt to retransmit the packet until TcpMaxDataRetransmissions many times. By increasing this value, you give the customer more time to answer on the server, which will help improve the flaky connections or connections with latency or higher than normal packet loss.
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveInterval and HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime.
Both entered DWORD.KeepAliveInterval determines the interval between retransmissions keep until a response is received. If a response is received, the delay until the next keep alive transmission is again controlled by the value of KeepAliveTime.The connection will be broken once the number of retransmissions specified by TcpMaxDataRetransmissions is remained. KeepAliveInterval is set by default at 1000, which is one second.KeepAliveTime controls how many times TCP attempts to verify that an idle connection is still intact by sending a living package of the Dungeon. If the remote system is still reachable and running, he will acknowledge receipt of the living transmission to keep. KeepAliveTime is set by default to 7 200 000, or 2 hours.I hope this helps.
-
Traffic of Client VPN routing via VPN Site to Site
Hello
We have the following scenario:
- Office (192.168.2.x)
- Data Center (212.64.x.x)
- Home workers (192.168.2.x) (scope DHCP is in the office subnet)
Connections:
- Desktop to Data Center traffic is routed through a Site at IPSec VPN, which works very well.
- Welcome to the office is routed through a Site IPSec VPN Client.
The question we have right now, is the Client VPN works, and we have implemented a split tunnel which includes only the subnet of the Office for a list of network.
What I have to do, is to route all traffic to home' to 'Data Center' by site to Site VPN is configured.
I tried to add the ranges of IP data center to the list of Client VPN Split tunnel, but when I do that and try to connect at home, I just get a "connection timed out" or denied, as if she was protected by a firewall?
Could you please let me know what I missed?
Result of the command: "show running-config"
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
domain-name skiddle.internal
enable password xxx encrypted
passwd xxx encrypted
names
name 188.39.51.101 dev.skiddle.com description Dev External
name 192.168.2.201 dev.skiddle.internal description Internal Dev server
name 164.177.128.202 www-1.skiddle.com description Skiddle web server
name 192.168.2.200 Newserver
name 217.150.106.82 Holly
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.3.250 255.255.255.0
!
!
time-range Workingtime
periodic weekdays 9:00 to 18:00
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup inside
dns server-group DefaultDNS
name-server Newserver
domain-name skiddle.internal
same-security-traffic permit inter-interface
object-group service Mysql tcp
port-object eq 3306
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network rackspace-public-ips
description Rackspace Public IPs
network-object 164.177.132.16 255.255.255.252
network-object 164.177.132.72 255.255.255.252
network-object 212.64.147.184 255.255.255.248
network-object 164.177.128.200 255.255.255.252
object-group network Cuervo
description Test access for cuervo
network-object host Holly
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_3 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_4 tcp
port-object eq www
port-object eq https
access-list inside_access_in extended permit ip any any
access-list outside_access_in remark ENABLES Watermark Wifi ACCESS TO DEV SERVER!
access-list outside_access_in extended permit tcp 188.39.51.0 255.255.255.0 interface outside object-group DM_INLINE_TCP_4 time-range Workingtime
access-list outside_access_in remark ENABLES OUTSDIE ACCESS TO DEV SERVER!
access-list outside_access_in extended permit tcp any interface outside object-group DM_INLINE_TCP_3
access-list outside_access_in remark Public Skiddle Network > Dev server
access-list outside_access_in extended permit tcp 192.168.3.0 255.255.255.0 interface outside eq www
access-list outside_access_in extended permit tcp object-group rackspace-public-ips interface outside eq ssh
access-list outside_access_in remark OUTSIDE ACCESS TO DEV SERVER
access-list outside_access_in extended permit tcp object-group Cuervo interface outside object-group DM_INLINE_TCP_1 inactive
access-list outside_access_in extended permit tcp 192.168.3.0 255.255.255.0 host dev.skiddle.internal object-group DM_INLINE_TCP_2 inactive
access-list inside_access_in_1 remark HTTP OUT
access-list inside_access_in_1 extended permit tcp any any eq www
access-list inside_access_in_1 remark HTTPS OUT
access-list inside_access_in_1 extended permit tcp any any eq https
access-list inside_access_in_1 remark SSH OUT
access-list inside_access_in_1 extended permit tcp any any eq ssh
access-list inside_access_in_1 remark MYSQL OUT
access-list inside_access_in_1 extended permit tcp any host 164.177.128.200 object-group Mysql
access-list inside_access_in_1 remark SPHINX OUT
access-list inside_access_in_1 extended permit tcp any host 164.177.128.200 eq 3312
access-list inside_access_in_1 remark DNS OUT
access-list inside_access_in_1 extended permit object-group TCPUDP host Newserver any eq domain
access-list inside_access_in_1 remark PING OUT
access-list inside_access_in_1 extended permit icmp any any
access-list inside_access_in_1 remark Draytek Admin
access-list inside_access_in_1 extended permit tcp any 192.168.3.0 255.255.255.0 eq 4433
access-list inside_access_in_1 remark Phone System
access-list inside_access_in_1 extended permit tcp any 192.168.3.0 255.255.255.0 eq 35300 log disable
access-list inside_access_in_1 remark IPSEC VPN OUT
access-list inside_access_in_1 extended permit udp any host 94.236.41.227 eq 4500
access-list inside_access_in_1 remark IPSEC VPN OUT
access-list inside_access_in_1 extended permit udp any host 94.236.41.227 eq isakmp
access-list inside_access_in_1 remark Office to Rackspace OUT
access-list inside_access_in_1 extended permit ip 192.168.2.0 255.255.255.0 object-group rackspace-public-ips
access-list inside_access_in_1 remark IMAP OUT
access-list inside_access_in_1 extended permit tcp any any eq imap4
access-list inside_access_in_1 remark FTP OUT
access-list inside_access_in_1 extended permit tcp any any eq ftp
access-list inside_access_in_1 remark FTP DATA out
access-list inside_access_in_1 extended permit tcp any any eq ftp-data
access-list inside_access_in_1 remark SMTP Out
access-list inside_access_in_1 extended permit tcp any any eq smtp
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object-group rackspace-public-ips
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 object-group rackspace-public-ips
access-list inside_nat0_outbound extended permit ip any 192.168.2.128 255.255.255.224
access-list inside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object-group rackspace-public-ips
access-list outside_1_cryptomap_1 extended permit tcp 192.168.2.0 255.255.255.0 object-group rackspace-public-ips eq ssh
access-list RACKSPACE-cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 object-group rackspace-public-ips
access-list RACKSPACE-TEST extended permit ip host 94.236.41.227 any
access-list RACKSPACE-TEST extended permit ip any host 94.236.41.227
access-list InternalForClientVPNSplitTunnel remark Inside for VPN
access-list InternalForClientVPNSplitTunnel standard permit 192.168.2.0 255.255.255.0
access-list InternalForClientVPNSplitTunnel remark Rackspace
access-list InternalForClientVPNSplitTunnel standard permit 164.177.128.200 255.255.255.252
access-list InternalForClientVPNSplitTunnel remark Rackspace
access-list InternalForClientVPNSplitTunnel standard permit 164.177.132.16 255.255.255.252
access-list InternalForClientVPNSplitTunnel remark Rackspace
access-list InternalForClientVPNSplitTunnel standard permit 164.177.132.72 255.255.255.252
access-list InternalForClientVPNSplitTunnel remark Rackspace
access-list InternalForClientVPNSplitTunnel standard permit 212.64.147.184 255.255.255.248
pager lines 24
logging enable
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap debugging
logging asdm warnings
logging from-address [email protected]/* */
logging recipient-address [email protected]/* */ level errors
mtu inside 1500
mtu outside 1500
ip local pool CiscoVPNDHCPPool 192.168.2.130-192.168.2.149 mask 255.255.255.0
ip verify reverse-path interface inside
ip verify reverse-path interface outside
ipv6 access-list inside_access_ipv6_in permit tcp any any eq www
ipv6 access-list inside_access_ipv6_in permit tcp any any eq https
ipv6 access-list inside_access_ipv6_in permit tcp any any eq ssh
ipv6 access-list inside_access_ipv6_in permit icmp6 any any
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www dev.skiddle.internal www netmask 255.255.255.255
static (inside,outside) tcp interface ssh dev.skiddle.internal ssh netmask 255.255.255.255
access-group inside_access_in in interface inside control-plane
access-group inside_access_in_1 in interface inside
access-group inside_access_ipv6_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.3.254 10
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
http server enable 4433
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto map outside_map 1 match address RACKSPACE-cryptomap_1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 94.236.41.227
crypto map outside_map 1 set transform-set ESP-AES-128-SHA
crypto map outside_map 1 set security-association lifetime seconds 86400
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca xxx
quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcprelay server 192.68.2.200 inside
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 194.35.252.7 source outside prefer
webvpn
port 444
svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 1 regex "Intel Mac OS X"
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec webvpn
group-policy skiddlevpn internal
group-policy skiddlevpn attributes
dns-server value 192.168.2.200
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value InternalForClientVPNSplitTunnel
default-domain value skiddle.internal
username bensebborn password *** encrypted privilege 0
username bensebborn attributes
vpn-group-policy skiddlevpn
username benseb password gXdOhaMts7w/KavS encrypted privilege 15
tunnel-group 94.236.41.227 type ipsec-l2l
tunnel-group 94.236.41.227 ipsec-attributes
pre-shared-key *****
tunnel-group skiddlevpn type remote-access
tunnel-group skiddlevpn general-attributes
address-pool CiscoVPNDHCPPool
default-group-policy skiddlevpn
tunnel-group skiddlevpn ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
policy-map global-policy
class inspection_default
inspect icmp
inspect icmp error
inspect ipsec-pass-thru
inspect ftp
!
service-policy global_policy global
smtp-server 164.177.128.203
prompt hostname context
call-home reporting anonymous
Cryptochecksum:6c2eb43fa1150f9a5bb178c716d8fe2b
: end
You must even-Security-enabled traffic intra-interface to allow communication between vpn VPN.
With respect,
Safwan
Remember messages useful rate.
-
Need help to access the internal network via VPN on ASA5505 8.4 (1)
Recently, I upgraded my ASA5055 from 8.02 to 8.4 and since I have updated to the new version I can access my home network is no longer through the VPN. I can connect to the VPN with no problems however I can no longer ping or you connect to my network of 10.0. Someone would be kind enough to look at my config and tell me what needs to be added to make it work? In my old config, I had a statement of NAT for VPN that is no longer here.
I also wanted to configure WebVPN to work as well, and this is something that I've never been able to understand. Is it also possible that I can be on my 20.0 network and connect to the VPN and access 10.0 as well? When it is connected to my network of 20.0 I'm not received credentials to connect to the VPN. I would be grateful if someone can help out me. The major part of this is the first part of this question.
My configuration:
ASA Version 8.4 (1)
!
ASA5505 hostname
domain xxxxxxxx.dyndns.org
enable encrypted password xxxxxxxxxxxx
xxxxxxxxxxxxxxx encrypted passwd
names of
nameserver 192.168.10.2
Office of name 192.168.10.3
name Canon 192.168.10.5
name 192.168.10.6 mvix
name 192.168.10.7 xbox
name 192.168.10.8 dvr
name 192.168.10.9 bluray
name 192.168.10.10 lcd
name 192.168.10.11 mp620
name 192.168.10.12 kayla
name 192.168.1.1 asa5505
name 192.168.1.2 ap1
name 192.168.10.4 mvix2
name 192.168.10.13 lcd2
name 192.168.10.14 dvr2
!
interface Vlan1
nameif management
security-level 100
IP address asa5505 255.255.255.248
management only
!
interface Vlan2
0050.8db6.8287 Mac address
nameif outside
security-level 0
IP address dhcp setroute
!
interface Vlan10
nameif private
security-level 100
IP 192.168.10.1 255.255.255.224
!
interface Vlan20
nameif Public
security-level 100
IP 192.168.20.1 255.255.255.224
!
interface Ethernet0/0
Description pointing to WAN
switchport access vlan 2
!
interface Ethernet0/1
Uplink port Linksys 12 description
switchport access vlan 10
!
interface Ethernet0/2
Description Server 192.168.10.2/27
switchport access vlan 10
!
interface Ethernet0/3
Uplink Eth1 management description
!
interface Ethernet0/4
switchport access vlan 30
!
interface Ethernet0/5
switchport access vlan 30
!
interface Ethernet0/6
switchport access vlan 30
!
interface Ethernet0/7
Description of Cisco 1200 Access Point
switchport trunk allowed vlan 1,10,20
switchport trunk vlan 1 native
switchport mode trunk
!
Banner motd users only, all others must disconnect now!
boot system Disk0: / asa841 - k8.bin
passive FTP mode
clock timezone PST - 8
clock summer-time recurring PDT
DNS server-group DefaultDNS
domain xxxxxxx.dyndns.org
network object obj - 192.168.50.0
192.168.50.0 subnet 255.255.255.0
Server network objects
host 192.168.10.2
network object obj - 192.168.10.0
192.168.10.0 subnet 255.255.255.224
network object obj - 192.168.20.0
subnet 192.168.20.0 255.255.255.224
network server-01 object
host 192.168.10.2
network server-02 object
host 192.168.10.2
xbox network object
Home 192.168.10.7
xbox-01 network object
Home 192.168.10.7
xbox-02 network object
Home 192.168.10.7
xbox-03 network object
Home 192.168.10.7
xbox-04 network object
Home 192.168.10.7
network server-03 object
host 192.168.10.2
network server-04 object
host 192.168.10.2
network server-05 object
host 192.168.10.2
Desktop Network object
host 192.168.10.3
kayla network object
Home 192.168.10.12
Home_VPN_splitTunnelAcl list standard access allowed 192.168.10.0 255.255.255.224
outside_access_in list extended access permit tcp any any eq 3389
outside_access_in list extended access permit tcp any any eq 2325
outside_access_in list extended access permit tcp any eq ftp server object
outside_access_in list extended access permit tcp any any eq 5851
outside_access_in list extended access udp allowed any any eq 5850
outside_access_in list extended access permit tcp any any eq pptp
outside_access_in list extended access udp allowed any any eq syslog
outside_access_in list extended access udp allowed any any eq 88
outside_access_in list extended access udp allowed any any eq 3074
outside_access_in list extended access permit tcp any any eq 3074
outside_access_in list extended access permit tcp any any eq field
outside_access_in list extended access udp allowed any any eq field
outside_access_in list extended access permitted tcp everything any https eq
outside_access_in list extended access permit tcp any eq ssh server object
outside_access_in list extended access permit tcp any any eq 2322
outside_access_in list extended access permit tcp any any eq 5900
outside_access_in list extended access permit icmp any any echo response
outside_access_in list extended access permit icmp any any source-quench
outside_access_in list extended access allow all unreachable icmp
outside_access_in list extended access permit icmp any one time exceed
outside_access_in list extended access udp allowed any any eq 5852
KaileY_splitTunnelAcl list standard access allowed 192.168.10.0 255.255.255.224
pager lines 24
Enable logging
timestamp of the record
exploitation forest-size of the buffer of 36000
logging warnings put in buffered memory
recording of debug trap
asdm of logging of information
address record [email protected] / * /
exploitation forest-address recipient [email protected] / * / level of errors
Management Server host forest
MTU 1500 management
Outside 1500 MTU
MTU 1500 private
MTU 1500 Public
local pool IPPOOL 192.168.50.2 - 192.168.50.10 255.255.255.0 IP mask
local pool VPN_POOL 192.168.100.2 - 192.168.100.10 255.255.255.0 IP mask
no failover
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow all outside
ASDM image disk0: / asdm - 641.bin
don't allow no asdm history
ARP timeout 14400
!
Server network objects
NAT (private, foreign) static tcp ftp 5851 service interface
network object obj - 192.168.10.0
NAT (private, foreign) dynamic interface
network object obj - 192.168.20.0
NAT (outside) dynamic public interface
network server-01 object
NAT (private, outside) interface static 2325 2325 tcp service
network server-02 object
NAT (private, outside) interface static udp syslog syslog service
xbox network object
NAT (private, outside) interface static service udp 88 88
xbox-01 network object
NAT (private, outside) interface static service udp 3074-3074
xbox-02 network object
NAT (private, outside) interface static service tcp 3074-3074
xbox-03 network object
NAT (private, outside) interface static tcp domain domain service
xbox-04 network object
field of the udp NAT (private, foreign) of the static interface function
network server-03 object
NAT (private, outside) interface static tcp https https service
network server-04 object
Static NAT (private, outside) interface service tcp ssh 2322
network server-05 object
NAT (private, outside) interface static 5900 5900 tcp service
Desktop Network object
NAT (private, outside) interface static service tcp 3389 3389
kayla network object
NAT (private, outside) interface static service udp 5852 5852
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
AAA authentication enable LOCAL console
AAA authentication http LOCAL console
the ssh LOCAL console AAA authentication
AAA authentication LOCAL telnet console
Enable http server
http 192.168.1.0 255.255.255.248 management
redirect http outside 80
location of SNMP server on the Office floor
SNMP Server contact [email protected] / * /
Community SNMP-server
Server enable SNMP traps snmp authentication linkup, linkdown cold start
No vpn sysopt connection permit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto-map dynamic outside_dyn_map pfs set 20 Group1
Crypto-map dynamic outside_dyn_map 20 set transform-set ESP-3DES-SHA ikev1
life together - the association of security crypto dynamic-map outside_dyn_map 20 28800 seconds
Crypto-map dynamic outside_dyn_map 20 kilobytes of life together - the association of safety 4608000
map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map
outside_map interface card crypto outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH 192.168.1.0 255.255.255.248 management
SSH 0.0.0.0 0.0.0.0 outdoors
SSH timeout 30
Console timeout 30
access to administration management
dhcpd dns 24.205.1.14 66.215.64.14
dhcpd ping_timeout 750
dhcpd field xxxxxxxx.dyndns.org
dhcpd outside auto_config
!
dhcpd manage 192.168.1.4 - 192.168.1.5
dhcpd enable management
!
dhcpd address private 192.168.10.20 - 192.168.10.30
enable private dhcpd
!
dhcpd 192.168.20.2 public address - 192.168.20.30
dhcpd enable Public
!
a basic threat threat detection
statistical threat detection port
Statistical threat detection Protocol
Statistics-list of access threat detection
no statistical threat detection tcp-interception
Server NTP 192.43.244.18
Server NTP 129.6.15.28
WebVPN
internal Home_VPN group strategy
attributes of Group Policy Home_VPN
value of 8.8.8.8 DNS Server 4.2.2.2
Ikev1 VPN-tunnel-Protocol without ssl-client
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list Home_VPN_splitTunnelAcl
value by default-field www.xxxxxx.com
the address value IPPOOL pools
WebVPN
the value of the URL - list ClientlessBookmark
political group internal kikou
group attributes political kikou
value of 8.8.8.8 DNS Server 4.2.2.2
Ikev1 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list KaileY_splitTunnelAcl
XXXXXXX.dyndns.org value by default-field
username scottrog encrypted password privilege 0 xxxxxxxxxxxxxx
user_name john encrypted password privilege 0 xxxxxxxxxxxxxxx
username joek encrypted password privilege 0 xxxxxxxxxxxx
eostrike encrypted xxxxxxxxxxxx privilege 15 password username
username almostsi encrypted password privilege 0 xxxxxxxxxxxxxx
username ezdelarosa password xxxxxxxxxxxxxxencrypted privilege 0
type tunnel-group Home_VPN remote access
attributes global-tunnel-group Home_VPN
IPPOOL address pool
LOCAL authority-server-group
authorization-server-group (outside LOCAL)
Group Policy - by default-Home_VPN
authorization required
IPSec-attributes tunnel-group Home_VPN
IKEv1 pre-shared-key *.
type tunnel-group SSLClientProfile remote access
tunnel-group SSLClientProfile webvpn-attributes
enable SSLVPNClient group-alias
tunnel-group type ClientLESS remote access
tunnel-group kanazoé type remote access
attributes global-tunnel-group kanazoé
address VPN_POOL pool
by default-group-policy kikou
tunnel-group KaileY ipsec-attributes
IKEv1 pre-shared-key *.
by default-group Home_VPN tunnel-Group-map
!
!
context of prompt hostname
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:438ed6084bb3dc956574b1ce83f52b86
: end
ASA5505 #.
Here are the declarations of NAT for your first question:
network object obj - 192.168.100.0
255.255.255.0 subnet 192.168.100.0
NAT (private, foreign) source static obj - 192.168.10.0 obj - 192.168.10.0 destination static obj - 192.168.50.0 obj - 192.168.50.0
NAT (private, foreign) source static obj - 192.168.10.0 obj - 192.168.10.0 destination static obj - 192.168.100.0 obj - 192.168.100.0
And 'clear xlate' after the above and that should fix your first question.
I would check your second question and get back to you shortly.
-
cannot ping between remote vpn site?
vpn l2l site A, site B is extension vpn network, connect to the same vpn device 5510 to the central office and work well. I can ping from central office for two remote sites, but I cannot ping between these two vpn sites? Tried to debug icmp, I can see the icmp side did reach central office but then disappeared! do not send B next? Help, please...
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
!
object-group network SITE-a.
object-network 192.168.42.0 255.255.255.0
!
object-group network SITE-B
object-network 192.168.46.0 255.255.255.0
!
extended OUTSIDE allowed a whole icmp access list
HOLT-VPN-ACL extended access-list allow ip object-CBO-NET object group SITE-a.
!
destination SITE-a NAT (outside, outside) static source SITE - a static SITE to SITE-B-B
!
address for correspondence card crypto VPN-card 50 HOLT-VPN-ACL
card crypto VPN-card 50 peers set *. *.56.250
card crypto VPN-card 50 set transform-set AES-256-SHA ikev1
VPN-card interface card crypto outside
!
internal strategy group to DISTANCE-NETEXTENSION
Remote CONTROL-NETEXTENSION group policy attributes
value of DNS server *. *. *. *
VPN-idle-timeout no
Ikev1 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value REMOTE-NET2
value by default-field *.org
allow to NEM
!
remote access of type tunnel-group to DISTANCE-NETEXTENSION
Global DISTANCE-NETEXTENSION-attributes tunnel-group
authentication-server-group (inside) LOCAL
Group Policy - by default-remote CONTROL-NETEXTENSION
IPSec-attributes tunnel-group to DISTANCE-NETEXTENSION
IKEv1 pre-shared-key *.
tunnel-group *. *.56.250 type ipsec-l2l
tunnel-group *. *.56.250 ipsec-attributes
IKEv1 pre-shared-key *.
!!
ASA - 5510 # display route. include the 192.168.42
S 192.168.42.0 255.255.255.0 [1/0] via *. *. 80.1, outside
ASA - 5510 # display route. include the 192.168.46
S 192.168.46.0 255.255.255.0 [1/0] via *. *. 80.1, outside
ASA-5510.!
Username: Laporte-don't Index: 10
Assigned IP: 192.168.46.0 public IP address: *. *.65.201
Protocol: IKEv1 IPsecOverNatT
License: Another VPN
Encryption: 3DES hash: SHA1
TX Bytes: bytes 11667685 Rx: 1604235
Group Policy: Group remote CONTROL-NETEXTENSION Tunnel: remote CONTROL-NETEXTENSION
Opening time: 08:19:12 IS Thursday, February 12, 2015
Duration: 6 h: 53 m: 29 s
Inactivity: 0 h: 00 m: 00s
Result of the NAC: unknown
Map VLANS: VLAN n/a: no
!
ASA - 5510 # display l2l vpn-sessiondbSession type: LAN-to-LAN
Connection: *. *.56.250
Index: 6 IP Addr: *. *.56.250
Protocol: IPsec IKEv1
Encryption: AES256 3DES hash: SHA1
TX Bytes: bytes 2931026707 Rx: 256715895
Connect time: 02:00:41 GMT Thursday, February 12, 2015
Duration: 13: 00: 10:00Hi Rico,
You need dynamic nat (for available IP addresses) for the two side to every subset of remote access to the other side remote subnet and so they can access every other subnet as if both from the traffic from your central location.
example:
Say, this IP (10.10.10.254) is unused IP to the central office, allowed to access remote tunnel 'A' and 'B' of the site.
object-group network SITE-a.
object-network 192.168.42.0 255.255.255.0
!
object-group network SITE-B
object-network 192.168.46.0 255.255.255.0dynamic source destination SITE-a. 10.10.10.254 NAT (outdoors, outdoor)
public static SITE SITE-B-Bdestination NAT (outdoors, outdoor) SITE-B 10.10.10.254 dynamic source
SITE static-SITE aHope this helps
Thank you
Rizwan James
-
Site to site between ASA 8.2 VPN, cannot ping
Two 8.2 ASA is configured with a VPN tunnel from site to site, as shown in the diagram:
Clients on the inside network to the ASA cannot ping inside, network clients, else the ASA. Why not?
When the rattling from inside network SALMONARM inside network of KAMLOOPS, the following debug logs can be seen on SALMONARM:
%ASA-7-609001: Built local-host outside:10.30.7.2
%ASA-6-302020: Built outbound ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512
%ASA-6-302021: Teardown ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512
%ASA-7-609002: Teardown local-host outside:10.30.7.2 duration 0:00:02
%ASA-7-609001: Built local-host outside:10.30.7.2
%ASA-6-302020: Built outbound ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512
%ASA-6-302021: Teardown ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512
%ASA-7-609002: Teardown local-host outside:10.30.7.2 duration 0:00:02
%ASA-7-609001: Built local-host outside:10.30.7.2
%ASA-6-302020: Built outbound ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512
...
Each attempt to ping responds with "Request timed out" on the computer of ping.
Why clients cannot mutually ping on the VPN tunnel?
Hello
Create a NAT0 ACL at both ends.
ex: 10.30.0.0 ip access-list extended SHEEP 255.255.0.0 allow 10.45.0.0 255.255.0.0
NAT (inside) 0 access-list SHEEP
THX
MS
Edit: at the beginning, I mentioned ACL #, it may not work.
Maybe you are looking for
-
Used to install Vista SP2 / error 800f081f
I saw various suggestions for this problem, but I tried them all, with no luck. I installed SP1, I use webroot anti-virus/malware, and I am running Vista 32 bit. I have tried to install this 50 times since last year at least! Help!
-
Cannot use the USSD codes after updated to 5.1.1 rom Algeria
-
How can I change the height of a button in QML
Photo we can see, the 'equal' button could not fill the empty space below, in the code, I already have the three right-click in a container and the value layoutProperties: {StackLayoutProperties} spaceQuota: 1 } for the key 'c' and 'back' button, so
-
ListField using the hash table
Hi guys, new here so please, be gentle. I was wondering if there is way to a ListField (or something similar) but using a hash instead of a vector table. I searched through the forums without success. And if it is would it be possible to display the
-
I currently have a creative cloud on my desktop Mac account. I buy the new iPad Pro. Can I use the iPad Pro as my secondary computer? or do I need a separate account for mobile applications? If same account, what programs can (you can't), I use withi