Cannot ping inner network via VPN site-2-site

Similar Questions

• Cannot access remote network by VPN Site to Site ASA

  Hello everyone

  First of all I must say that I have configured the VPN site-to site a million times before.  Stuck with it. First of all I can't ping outside the interface of my ASA remote. Secondly, VPN is in place, but no connectivity between local networks

  ASA local:
  hostname gyd - asa
  domain bct.az
  activate the encrypted password of XeY1QWHKPK75Y48j
  XeY1QWHKPK75Y48j encrypted passwd
  names of
  DNS-guard
  !
  interface GigabitEthernet0/0
  Shutdown
  nameif vpnswc
  security-level 0
  IP 10.254.17.41 255.255.255.248
  !
  interface GigabitEthernet0/1
  Vpn-turan-Baku description
  nameif outside Baku
  security-level 0
  IP 10.254.17.9 255.255.255.248
  !
  interface GigabitEthernet0/2
  Vpn-ganja description
  nameif outside-Ganja
  security-level 0
  IP 10.254.17.17 255.255.255.248
  !
  interface GigabitEthernet0/2.30
  Description remote access
  VLAN 30
  nameif remote access
  security-level 0
  IP 85.*. *. * 255.255.255.0
  !
  interface GigabitEthernet0/3
  Description BCT_Inside
  nameif inside-Bct
  security-level 100
  IP 10.40.50.65 255.255.255.252
  !
  interface Management0/0
  nameif management
  security-level 100
  IP 192.168.251.1 255.255.255.0
  management only
  !
  boot system Disk0: / asa823 - k8.bin
  passive FTP mode
  DNS server-group DefaultDNS
  name-server 192.168.1.3
  domain bct.az
  permit same-security-traffic intra-interface
  object-group network obj - 192.168.121.0
  object-group network obj - 10.40.60.0
  object-group network obj - 10.40.50.0
  object-group network obj - 192.168.0.0
  object-group network obj - 172.26.0.0
  object-group network obj - 10.254.17.0
  object-group network obj - 192.168.122.0
  object-group service obj-tcp-eq-22
  object-group network obj - 10.254.17.18
  object-group network obj - 10.254.17.10
  object-group network obj - 10.254.17.26
  access-list 110 scope ip allow a whole
  NAT list extended access permit tcp any host 10.254.17.10 eq ssh
  NAT list extended access permit tcp any host 10.254.17.26 eq ssh
  access-list extended ip allowed any one sheep
  icmp_inside list extended access permit icmp any one
  icmp_inside of access allowed any ip an extended list
  access list nat-ganja extended permit tcp any host 10.254.17.18 eq ssh
  RDP list extended access permit tcp any host 192.168.45.3 eq 3389
  rdp extended permitted any one ip access list
  sheep-vpn access-list extended permits all ip 192.168.121.0 255.255.255.0
  NAT-vpn-internet access-list extended ip 192.168.121.0 allow 255.255.255.0 any
  NAT-vpn-internet access-list extended ip 172.26.0.0 allow 255.255.255.0 any
  NAT-vpn-internet access-list extended ip 192.168.122.0 allow 255.255.255.0 any
  access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 10.40.60.0 255.255.255.0
  access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 10.40.50.0 255.255.255.0
  access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 192.168.0.0 255.255.0.0
  access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 172.26.0.0 255.255.255.0
  access-list sheep-vpn-city scope ip 192.168.121.0 allow 255.255.255.0 10.254.17.0 255.255.255.0
  GHC-ganja-internet access-list extended ip 192.168.45.0 allow 255.255.255.0 any
  Standard access list Split_Tunnel_List allow 192.168.16.0 255.255.255.0
  azans 192.168.69.0 ip extended access-list allow 255.255.255.0 any
  permit inside_nat0_outbound to access extended list ip 192.168.0.0 255.255.0.0 192.168.121.0 255.255.255.0
  permit inside_nat0_outbound to access extended list ip 192.168.0.0 255.255.0.0 192.168.80.0 255.255.255.0
  pager lines 24
  Enable logging
  emblem of logging
  recording of debug console
  recording of debug trap
  asdm of logging of information
  Interior-Bct 192.168.1.27 host connection
  flow-export destination inside-Bct 192.168.1.27 9996
  vpnswc MTU 1500
  outside Baku MTU 1500
  outside-Ganja MTU 1500
  MTU 1500 remote access
  Interior-Bct MTU 1500
  management of MTU 1500
  IP local pool raccess 192.168.121.60 - 192.168.121.120 mask 255.255.255.0
  IP local pool ssl 192.168.121.130 - 192.168.121.200 mask 255.255.255.0
  no failover
  ICMP unreachable rate-limit 1 burst-size 1
  ICMP allow any outside Baku
  ICMP allow access remotely
  ICMP allow any interior-Bct
  ASDM image disk0: / asdm - 621.bin
  don't allow no asdm history
  ARP timeout 14400
  global (outside-Baku) 1 interface
  global (outside-Ganja) interface 2
  3 overall (RAS) interface
  azans access-list NAT 3 (outside-Ganja)
  NAT (remote access) 0 access-list sheep-vpn-city
  NAT 3 list nat-vpn-internet access (remote access)
  NAT (inside-Bct) 0-list of access inside_nat0_outbound
  NAT (inside-Bct) 2-nat-ganja access list
  NAT (inside-Bct) 1 access list nat
  Access-group rdp on interface outside-Ganja
  !
  Router eigrp 2008
  No Auto-resume
  neighbor 10.254.17.10 interface outside Baku
  neighbor 10.40.50.66 Interior-Bct interface
  Network 10.40.50.64 255.255.255.252
  Network 10.250.25.0 255.255.255.0
  Network 10.254.17.8 255.255.255.248
  Network 10.254.17.16 255.255.255.248
  redistribute static
  !
  Access remote 0.0.0.0 0.0.0.0 85.*. *. * 1
  Outside-Baku route 10.0.11.0 255.255.255.0 10.254.17.10 1
  Outside-Baku route 10.0.33.0 255.255.255.0 10.254.17.10 1
  Outside-Baku route 10.0.150.0 255.255.255.0 10.254.17.10 1
  Outside-Baku route 10.0.170.0 255.255.255.0 10.254.17.10 1
  Route outside Baku 10.254.17.24 255.255.255.248 10.254.17.10 1
  Route outside Baku 10.254.17.32 255.255.255.248 10.254.17.10 1
  Route outside Baku 192.1.1.0 255.255.255.0 10.254.17.10 1
  Outside-Baku route 192.168.27.0 255.255.255.0 10.254.17.10 1
  Outside-Baku route 192.168.39.0 255.255.255.0 10.254.17.10 1
  Route outside-Ganja 192.168.45.0 255.255.255.0 10.254.17.18 1
  Route outside-Ganja 192.168.66.0 255.255.255.0 10.254.17.18 1
  Route outside-Ganja 192.168.69.0 255.255.255.0 10.254.17.18 1
  Outside-Baku route 192.168.80.0 255.255.255.0 10.254.17.11 1
  Access remote 192.168.121.0 255.255.255.0 85.132.43.1 1
  Route outside-Ganja 192.168.184.0 255.255.255.0 10.254.17.18 1
  Route outside Baku 192.168.208.16 255.255.255.240 10.254.17.10 1
  Route outside-Ganja 192.168.208.112 255.255.255.240 10.254.17.18 1
  Route inside-Bct 192.168.254.0 255.255.255.0 10.40.50.66 1
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-registration DfltAccessPolicy
  AAA-server protocol Ganymede GANYMEDE +.
  AAA-server GANYMEDE (Interior-Bct) 192.168.1.8
  key *.
  AAA-server GANYMEDE (Interior-Bct) 192.168.22.46
  key *.
  RADIUS protocol AAA-server TACACS1
  AAA-server TACACS1 (Interior-Bct) host 192.168.1.8
  key *.
  AAA-server TACACS1 (Interior-Bct) host 192.168.22.46
  key *.
  authentication AAA ssh console LOCAL GANYMEDE
  Console to enable AAA authentication RADIUS LOCAL
  Console Telnet AAA authentication RADIUS LOCAL
  AAA accounting ssh console GANYMEDE
  Console Telnet accounting AAA GANYMEDE
  Enable http server
  http 192.168.1.0 255.255.255.0 management
  http 192.168.1.0 255.255.255.0 Interior-Bct
  http 192.168.139.0 255.255.255.0 Interior-Bct
  http 192.168.0.0 255.255.255.0 Interior-Bct
  Survey community SNMP-server host inside-Bct 192.168.1.27
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT
  Crypto ipsec transform-set newset aes - esp esp-md5-hmac
  Crypto ipsec transform-set esp-3des esp-sha-hmac myset2
  Crypto ipsec transform-set esp-3des esp-md5-hmac raccess
  Crypto ipsec transform-set esp-3des esp-sha-hmac vpnclienttrans
  Crypto ipsec transform-set vpnclienttrans transport mode
  life crypto ipsec security association seconds 2147483646
  Crypto ipsec kilobytes of life security-association 2147483646
  raccess 1 set transform-set vpnclienttrans crypto dyn1 dynamic-map
  correspondence address card crypto mymap 10 110
  card crypto mymap 10 peers set 10.254.17.10
  card crypto mymap 10 transform-set RIGHT
  correspondence address card crypto mymap 20 110
  card crypto mymap 20 peers set 10.254.17.11
  mymap 20 transform-set myset2 crypto card
  card crypto mymap interface outside Baku
  correspondence address card crypto ganja 10 110
  10 ganja crypto map peer set 10.254.17.18
  card crypto ganja 10 transform-set RIGHT
  card crypto interface outside-Ganja ganja
  correspondence address card crypto vpntest 20 110
  peer set card crypto vpntest 20 10.250.25.1
  newset vpntest 20 transform-set card crypto
  card crypto vpntest interface vpnswc
  vpnclientmap 30 card crypto ipsec-isakmp dynamic dyn1
  card crypto interface for remote access vpnclientmap
  Crypto ca trustpoint ASDM_TrustPoint0
  registration auto
  name of the object CN = gyd - asa .az .bct
  sslvpnkeypair key pair
  Configure CRL
  map of crypto DefaultCertificateMap 10 ca certificate

  crypto isakmp identity address
  ISAKMP crypto enable vpnswc
  ISAKMP crypto enable outside-Baku
  ISAKMP crypto enable outside-Ganja
  crypto ISAKMP enable remote access
  ISAKMP crypto enable Interior-Bct
  crypto ISAKMP policy 10
  preshared authentication
  3des encryption
  md5 hash
  Group 2
  life 86400
  crypto ISAKMP policy 20
  preshared authentication
  aes encryption
  md5 hash
  Group 2
  life 86400
  crypto ISAKMP policy 30
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  crypto ISAKMP policy 40
  preshared authentication
  aes encryption
  sha hash
  Group 2
  life 86400
  Crypto isakmp nat-traversal 30
  No vpn-addr-assign aaa
  Telnet timeout 5
  SSH 192.168.0.0 255.255.255.0 Interior-Bct
  SSH timeout 35
  Console timeout 0
  priority queue outside Baku
  queue-limit 2046
  TX-ring-limit 254
  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  Server NTP 192.168.1.3
  SSL encryption, 3des-sha1 rc4 - md5 aes128-sha1 sha1-aes256
  SSL-trust point ASDM_TrustPoint0 to vpnlb-ip remote access
  SSL-trust ASDM_TrustPoint0 remote access point
  WebVPN
  turn on remote access
  SVC disk0:/anyconnect-win-2.4.1012-k9.pkg 1 image
  enable SVC
  tunnel-group-list activate
  attributes of Group Policy DfltGrpPolicy
  Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
  internal group ssl policy
  attributes of group ssl policy
  banner welcome to SW value
  value of DNS-server 192.168.1.3
  Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
  group-lock value SSL
  WebVPN
  value of the SPS URL-list
  internal vpn group policy
  attributes of vpn group policy
  value of DNS-server 192.168.1.3
  Protocol-tunnel-VPN IPSec l2tp ipsec
  disable the PFS
  BCT.AZ value by default-field
  ssl VPN-group-strategy
  WebVPN
  value of the SPS URL-list
  IPSec-attributes tunnel-group DefaultL2LGroup
  ISAKMP retry threshold 20 keepalive 5
  attributes global-tunnel-group DefaultRAGroup
  raccess address pool
  Group-RADIUS authentication server
  Group Policy - by default-vpn
  IPSec-attributes tunnel-group DefaultRAGroup
  pre-shared key *.
  ISAKMP retry threshold 20 keepalive 5
  IPSec-attributes tunnel-group DefaultWEBVPNGroup
  ISAKMP retry threshold 20 keepalive 5
  tunnel-group 10.254.17.10 type ipsec-l2l
  IPSec-attributes tunnel-group 10.254.17.10
  pre-shared key *.
  ISAKMP retry threshold 20 keepalive 5
  type SSL tunnel-group remote access
  attributes global-group-tunnel SSL
  ssl address pool
  Authentication (remote access) LOCAL servers group
  Group Policy - by default-ssl
  certificate-use-set-name username
  Group-tunnel SSL webvpn-attributes
  enable SSL group-alias
  Group-url https://85. *. *. * / activate
  tunnel-group 10.254.17.18 type ipsec-l2l
  IPSec-attributes tunnel-group 10.254.17.18
  pre-shared key *.
  ISAKMP retry threshold 20 keepalive 5
  tunnel-group 10.254.17.11 type ipsec-l2l
  IPSec-attributes tunnel-group 10.254.17.11
  pre-shared key *.
  ISAKMP retry threshold 20 keepalive 5
  type tunnel-group DefaultSWITGroup remote access
  attributes global-tunnel-group DefaultSWITGroup
  raccess address pool
  Group-RADIUS authentication server
  Group Policy - by default-vpn
  IPSec-attributes tunnel-group DefaultSWITGroup
  pre-shared key *.
  !
  type of policy-card inspect dns migrated_dns_map_1
  parameters
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the migrated_dns_map_1 dns
  inspect the rsh
  inspect the rtsp
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect the netbios
  Review the ip options
  class flow_export_cl
  flow-export-type of event all the destination 192.168.1.27
  class class by default
  flow-export-type of event all the destination 192.168.1.27
  Policy-map Voicepolicy
  class voice
  priority
  The class data
  police release 80000000
  !
  global service-policy global_policy
  service-policy interface outside Baku Voicepolicy
  context of prompt hostname

  Cryptochecksum:4f35f975ba7a0c11f7f46dfd541d266f
  : end
  GYD - asa #.

  ASA remote:
  ASA Version 8.2 (3)
  !
  ciscoasa hostname
  activate the encrypted password of XeY1QWHKPK75Y48j
  2KFQnbNIdI.2KYOU encrypted passwd
  names of
  DNS-guard
  !
  interface Ethernet0/0
  nameif inside
  security-level 100
  IP 192.168.80.14 255.255.255.0
  !
  interface Ethernet0/1
  nameif outside
  security-level 0
  IP 10.254.17.11 255.255.255.248
  !
  interface Ethernet0/2
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface Ethernet0/3
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface Management0/0
  Shutdown
  nameif management
  security-level 100
  no ip address
  management only
  !
  boot system Disk0: / asa823 - k8.bin
  passive FTP mode
  access-list 110 scope ip allow a whole
  192.168.80.0 IP Access-list extended sheep 255.255.255.0 allow 192.168.0.0 255.255.0.0
  pager lines 24
  Enable logging
  asdm of logging of information
  Outside 1500 MTU
  management of MTU 1500
  Within 1500 MTU
  no failover
  ICMP unreachable rate-limit 1 burst-size 1
  ICMP allow all outside
  ICMP allow any inside
  ASDM image disk0: / asdm - 621.bin
  don't allow no asdm history
  ARP timeout 14400
  NAT (inside) 0 access-list sheep
  Route outside 0.0.0.0 0.0.0.0 10.254.17.9 1
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-registration DfltAccessPolicy
  Enable http server
  http 192.168.1.0 255.255.255.0 management
  http 192.168.80.0 255.255.255.0 inside
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT
  Crypto ipsec transform-set newset aes - esp esp-md5-hmac
  Crypto ipsec transform-set esp-3des esp-sha-hmac myset2
  life crypto ipsec security association seconds 2147483646
  Crypto ipsec kilobytes of life security-association 2147483646
  correspondence address card crypto mymap 10 110
  card crypto mymap 10 peers set 10.254.17.9
  mymap 10 transform-set myset2 crypto card
  mymap outside crypto map interface
  crypto ISAKMP allow outside
  crypto ISAKMP policy 10
  preshared authentication
  3des encryption
  md5 hash
  Group 2
  life 86400
  crypto ISAKMP policy 20
  preshared authentication
  aes encryption
  md5 hash
  Group 2
  life 86400
  crypto ISAKMP policy 30
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  crypto ISAKMP policy 40
  preshared authentication
  aes encryption
  sha hash
  Group 2
  life 86400
  Telnet timeout 5
  SSH timeout 5
  Console timeout 0
  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  WebVPN

  tunnel-group 10.254.17.9 type ipsec-l2l
  IPSec-attributes tunnel-group 10.254.17.9
  pre-shared key *.
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns migrated_dns_map_1
  parameters
  maximum message length automatic of customer
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the migrated_dns_map_1 dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the rsh
  inspect the rtsp
  inspect esmtp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  inspect xdmcp
  inspect the sip
  inspect the netbios
  inspect the tftp
  Review the ip options
  !
  global service-policy global_policy
  context of prompt hostname

  Cryptochecksum:1c1ac60e2fb84f65269d15d53f27c21b
  : end
  ciscoasa # $

  Still, I can't ping ASA remote outside from outside of the Local interface. And there is no connectivity between the 192.168.80.0 distance and local don't say 192.168.1.0. I have run out of ideas

  Would appreciate any help. Thank you in advance...

  If the tunnel is up (phase 1), but no traffic passing the best test is the following:

  Add order management-access to the Interior , and then try to PING the intellectual property inside ASA counterpart.

  inside x.x.x.x ping --> x.x.x.x is the IP of the ASA peer inside

  The test above shows if the traffic passes through the tunnel (check encrypted/decrypted packets of sh cry ips its).

  Test on both directions.

  Please post the results.

  Federico.

• Cannot access remote network via VPN

  Hello

  I'm trying to set up a router vpn access to my office network. The router is connected to the Internet through using pppoe vdsl.
  There is also a public oriented Web server in the office which must be accessible.

  I can access the Web server from the Internet and the vpn connects successfully. I can also ping the LAN Gateway, however, I can't access all the local machines.

  I'm quite puzzled as to why it does not work. Please could someone help.

  The results of tests and the router configuration are listed below. Please let me know if you need additional information.

  Thank you and best regards,
  Simon

  1. routing on the router table
  Router #sh ip route
  Gateway of last resort is ggg.hhh.125.34 to network 0.0.0.0
  xxx.yyy.zzz.0/29 is divided into subnets, subnets 1
  C XXX.yyy.zzz.192 is directly connected, Vlan10
  GGG.hhh.125.0/32 is divided into subnets, subnets 1
  C GGG.HHH.125.34 is directly connected, Dialer0
  172.16.0.0/32 is divided into subnets, subnets 1
  S 172.16.100.50 [1/0] via mmm.nnn.ppp.sss
  S * 0.0.0.0/0 [1/0] via ggg.hhh.125.34

  2. ping PC remotely (172.16.100.50) local GW (172.16.100.1) successful
  > ping 172.16.100.1
  Ping 172.16.100.1 with 32 bytes of data:
  Response to 172.16.100.1: bytes = 32 time = 24ms TTL = 255
  Response to 172.16.100.1: bytes = 32 time = 10ms TTL = 255
  Response to 172.16.100.1: bytes = 32 time = 10ms TTL = 255
  Response to 172.16.100.1: bytes = 32 time = 11ms TTL = 255

  3. ping PC remotely (172.16.100.50) to the local server (172.16.100.10) failure
  > ping 172.16.100.10
  Ping 172.16.100.10 with 32 bytes of data:
  Request timed out.
  Request timed out.
  Request timed out.
  Request timed out.

  4. ping the router to the successful local server
  router #ping 172.16.100.10
  Type to abort escape sequence.
  Send 5, echoes ICMP 100 bytes to 172.16.100.10, wait time is 2 seconds:
  !!!!!
  Success rate is 100 per cent (5/5), round-trip min/avg/max = 1/1/4 ms

  5 see the version
  Cisco IOS software, software of C181X (C181X-ADVIPSERVICESK9-M), Version 12.4 (15) T1, VERSION of the SOFTWARE (fc2)
  ROM: System Bootstrap, Version 12.3 YH6 (8r), RELEASE SOFTWARE (fc1)
  the availability of router is 1 hour, 9 minutes
  System image file is "flash: c181x-advipservicesk9 - mz.124 - 15.T1.bin".
  Cisco 1812-J (MPC8500) processor (revision 0 x 300) with 118784K / 12288K bytes of memory.
  10 FastEthernet interfaces
  1 ISDN basic rate interface
  Configuration register is 0 x 2102

  6. router Config
  AAA authentication login default local
  connection of local AAA VPN authentication.
  AAA authorization exec default local
  local authorization AAA VPN network
  !
  !
  AAA - the id of the joint session
  !
  !
  !
  !
  crypto ISAKMP policy 1
  BA 3des
  preshared authentication
  Group 2
  !
  Configuration group customer isakmp crypto ASI_Group
  key mykey
  DNS aaa.bbb.cccc.ddd
  domain mydomain.com
  pool VPN_Pool
  ACL VPN_ACL
  !
  !
  Crypto ipsec transform-set esp-3des esp-sha-hmac TS1
  !
  crypto dynamic-map 10 DYNMAP
  game of transformation-TS1
  market arriere-route
  !
  !
  list of authentication of VPN client VPN crypto card
  card crypto VPN VPN isakmp authorization list
  crypto map VPN client configuration address respond
  card crypto 10 VPN ipsec-isakmp dynamic DYNMAP
  !
  !
  !
  IP cef
  !
  !
  !
  Authenticated MultiLink bundle-name Panel
  !
  !
  username admin privilege 15 password mypassword
  Archives
  The config log
  hidekeys
  !
  !
  !
  !
  !
  interface FastEthernet0
  WAN description
  no ip address
  no ip redirection
  no ip unreachable
  no ip proxy-arp
  no ip mroute-cache
  automatic duplex
  automatic speed
  PPPoE enable global group
  PPPoE-client dial-pool-number 1
  !
  interface FastEthernet2
  Description Public_LAN_Interface
  switchport access vlan 10
  full duplex
  Speed 100
  !
  FastEthernet6 interface
  Description Private_LAN_Interface
  switchport access vlan 100
  full duplex
  Speed 100
  !
  interface Vlan1
  no ip address
  !
  interface Vlan10
  Public description
  IP address xxx.yyy.zzz.193 255.255.255.248
  no ip redirection
  no ip unreachable
  no ip proxy-arp
  no ip mroute-cache
  !
  interface Vlan100
  172.16.100.1 IP address 255.255.255.0
  no ip redirection
  no ip unreachable
  no ip proxy-arp
  no ip mroute-cache
  !
  interface Dialer0
  IP unnumbered Vlan10
  no ip unreachable
  IP mtu 1452
  IP virtual-reassembly
  encapsulation ppp
  no ip mroute-cache
  Dialer pool 1
  Dialer-Group 1
  Authentication callin PPP chap Protocol
  PPP chap hostname myhostname
  PPP chap password mychappassword
  PPP ipcp dns request accept
  failure to track PPP ipcp
  PPP ipcp address accept
  VPN crypto card
  !
  IP pool local VPN_Pool 172.16.100.50 172.16.100.60
  !
  !
  no ip address of the http server
  no ip http secure server
  !
  VPN_ACL extended IP access list
  IP 172.16.100.0 allow 0.0.0.255 any
  !
  Dialer-list 1 ip protocol allow
  not run cdp
  !
  !

  Simon,

  Basically when you connect through a VPN Client PC routing table is updated automatically as soon as the connection is established. If you do not need to manually add routes. You can check this by doing a "route print" once you are connected.

  Ideally, you need to put your pool of VPN on subnet that does not exist on your physical network, the router would be to route traffic between the IP pool and internal subnet.

  Now, you said that you have a web server with a public IP address that you need to access through the VPN, that host also as a private IP addresses on the 172.16.100.0? If it isn't then the ACL that I proposed should work. If she only has a public IP then your ACL VPN address must have something like

  IP 172.16.100.0 allow 0.0.0.255 192.168.100.0 0.0.0.255

  219.xxx.yyy.192 ip 0.0.0.7 permit 192.168.100.0 0.0.0.255

  Who says the router and the client to encrypt all traffic between the subnets behind your router and your VPN pool.

  I hope this helps.

  Luis Raga

• Use the remote website via VPN site-to-site

  Hi all

  We have two sites, the site has and B. At site A, we have a Web site we want to share with all of site B. Currently, site B can access the site via the VPN site-to site on X 0, which is their LAN. Nothing outside X 0 cannot access or ping to the address.

  We added access rules to allow access from the DMZ to this interface, but again, no ping and no communication at all. The other strange thing is that we see that no trip package for these access rules either.

  Any help is appreciated. Thank you.

  It seems that the demilitarized zone is not part of the VPN tunnel.

  Can you confirm that the DMZ subnet is part of local destinations on the site B and a part of the local destinations on site?

  Kevin

• RV120W - cannot access static IP via VPN devices

  Hello

  I have a RV120W used to provide VPN access to several industrial devices. Some of these devices are assigned via DHCP from the router IP address. Can not do DHCP, so there a self-determined static IP.

  The VPN works well for all devices that are affected intellectual property. However, it does allow me to connect to the device that has a static IP address. I can connect to it very well when I'm on the LAN or WLAN, but it cannot ping via the VPN.

  Help!

  Thank you-

  Bailey

  Hi Bailey, it seems that the static device has no default gateway are entrusted to him.

  -Tom
  Please mark replied messages useful

• Make the remote web server accessible via VPN Site to website

  We have two test sites that are connected by a tunnel IPSEC VPN site-to-site (hosted on a SAA each site) over the Internet. We are trying to set up an environment to test two web applications running side by side. Two web servers are running on the Site of Test 1. We don't have the same public IP available at each site.

  To address the public site 1 unique IP address restriction, we try to install ACL and NAT rules to have 2 Site accept traffic from the internet and send it on the site to the other tunnel. So 1 Web server would accept the ASA 1 internet traffic and Web Server 2 accept traffic from ASA 2 to the other site. Here's a network diagram:

  

  We have difficulties to get this configuration works correctly. Please note that the network 192.168.3.0/24 clients are able to access the servers Web1 and Web2. This question seems to be due to our NAT configuration. This is the type of error, we see on the two firewalls:

  Asymmetrical NAT rules matched for flows forward and backward; Connection for tcp src outside:4.4.4.4/443 dst outside:192.168.1.10/443 refused due to path failure reverse that of NAT

  Our situation seems similar to this post: https://supportforums.cisco.com/thread/2242230

  Any help would be appreciated.

  Hello

  What Karsten said above is true. While it is possible and works, it also means that the configuration is a little more complex to manage. I have done no such features in a real-life network environment and have always used additional public IP addresses on the local site when a server is hosted.

  If you want to continue to move forward with this so here's a few points to consider and the configurations that you need.

  First off it seems to me that the other server will be organized by the local Site 1 so a simple static PAT (Port Forward) must manage the Site 1.

  network of the WEB-HTTP object

  host 192.168.1.10

  NAT (inside, outside) interface static tcp 443 443 service

  And if you need TCP/80 also then you will need

  network of the HTTPS WEB object

  host 192.168.1.10

  NAT (inside, outside) interface static service tcp 80 80

  Now, 2 Site will naturally a little different that the server is hosted on the Site 1 and Site 2 is the public IP address used to publish the server on the external network.

  Essentially, you will need to configure NAT that both makes dynamic PAT for the addresses of the source of the connection to your server Web 2, but also makes the static PAT (Port Forward) for the IP address of the Web Server 2. Additionally, you have to set the area of encryption on the Site 1 and Site 2 to match this new addition to the L2L VPN connection.

  Unless of course you use an existing IP address on the field of encryption in the dynamic translation of PAT for the source address. In this case, it would take no change VPN L2L. I'll use that in the example below.

  The NAT configuration might look like this

  service object WWW

  destination eq 80 tcp service

  service object HTTPS

  destination eq 443 tcp service

  the object SOURCE-PAT-IP network

  host 192.168.3.254

  network of the WEB-SERVER-2-SITE1 object

  host 192.168.1.11

  NAT (outside, outside) 1 dynamic source no matter what static SOURCE-PAT-IP destination interface WEB-SERVER-2-SITE1 service WWW WWW

  NAT (outdoors, outdoor), 2 dynamic source no matter what static SOURCE-PAT-IP destination interface WEB-SERVER-2-SITE1 service HTTPS HTTPS

  So, essentially, NAT configurations above should ake 'all' traffic coming from behind 'outside' interface intended to "outside" "interface" IP address and translate the source to ' SOURCE-PAT-IP ' address and untranslate destination to "WEB-SERVER-2-SITE1".

  Make sure that the IP address chosen (in this case 192.168.3.254) is not used on any device. If she is then replace it with something that is not currently used in the network. Otherwise, configure an IP address of some other subnet and include in the L2L VPN configurations on both sites.

  Unless you already have it, you also have this configuration command to activate the traffic to make a U-turn/pin on the ' outside ' of the Site 2 ASA interface

  permit same-security-traffic intra-interface

  Hope this helps

  Remember to mark a reply as the answer if it answered your question.

  Feel free to ask more if necessary.

  -Jouni

• Customer quick RV042 VPN cannot ping lan network

  Hi guys,.

  I just created a client2gateway on RV042 IPSec tunnel and use the remote PC quick VPN client tries to connect to this router.

  Fast VPN showed that the tunnel has been established. But I couldn't ping the LAN behind the router RV042.

  Can someone help me?

  Thank you.

  Hello

  Yes, you are right. To use the fast with RV042 VPN, it is necessary to configure the user name and a password for access to the VPN Client page. As this router does not support VLANs, you can only connect the VPN client to the LAN subnet (you cannot connect the client to any beach IP configured with multiple subnets)

  Kind regards

  Bismuth

• Remote VPN cannot ping any host on remote site

  Hi all!

  I tried to deploy remote vpn on my asa 5515-x. And my VPN client properly connected, but I can't ping any host on a remote network.

  Here is my configuration:

  ASA 1.0000 Version 2

  !

  names of

  !

  interface GigabitEthernet0/0

  nameif inside

  security-level 100

  IP 192.168.10.252 255.255.255.0

  !

  interface GigabitEthernet0/1

  nameif outside

  security-level 0

  IP x.x.x.x 255.255.255.252

  !

  interface GigabitEthernet0/2

  DMZ description

  nameif dmz

  security-level 50

  IP 192.168.20.252 255.255.255.0

  !

  interface GigabitEthernet0/3

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface GigabitEthernet0/4

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface GigabitEthernet0/5

  No nameif

  no level of security

  no ip address

  !

  interface Management0/0

  nameif management

  security-level 100

  IP 192.168.2.40 255.255.255.0

  management only

  !

  boot system Disk0: / asa861-2-smp - k8.bin

  passive FTP mode

  permit same-security-traffic inter-interface

  permit same-security-traffic intra-interface

  internal subnet object-

  192.168.10.0 subnet 255.255.255.0

  network dmz subnet object

  subnet 192.168.20.0 255.255.255.0

  Note to access-list LAN_VLAN_10 split_tunnel

  split_tunnel list standard access allowed 192.168.10.0 255.255.255.0

  pager lines 24

  Enable logging

  asdm of logging of information

  Within 1500 MTU

  Outside 1500 MTU

  management of MTU 1500

  MTU 1500 dmz

  IP local pool testpool 192.168.10.240 - 192.168.10.250 mask 255.255.255.0

  no failover

  ICMP unreachable rate-limit 1 burst-size 1

  ICMP allow any inside

  ASDM image disk0: / asdm - 714.bin

  don't allow no asdm history

  ARP timeout 14400

  !

  internal subnet object-

  NAT dynamic interface (indoor, outdoor)

  network dmz subnet object

  NAT (dmz, outside) dynamic interface

  Route outside 0.0.0.0 0.0.0.0 93.174.55.181 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  Floating conn timeout 0:00:00

  dynamic-access-policy-registration DfltAccessPolicy

  identity of the user by default-domain LOCAL

  AAA authentication LOCAL telnet console

  the ssh LOCAL console AAA authentication

  Enable http server

  http 192.168.0.0 255.255.0.0 management

  http 192.168.10.0 255.255.255.0 inside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

  Crypto ipsec transform-set esp - esp-md5-hmac ikev1 firstset

  Crypto-map dynamic dyn1 ikev1 transform-set firstset 1 set

  dynamic mymap 1 dyn1 ipsec-isakmp crypto map

  mymap outside crypto map interface

  Crypto ikev1 allow outside

  IKEv1 crypto policy 1

  preshared authentication

  the Encryption

  md5 hash

  Group 2

  life 43200

  Telnet 0.0.0.0 0.0.0.0 inside

  Telnet 0.0.0.0 0.0.0.0 management

  Telnet timeout 5

  SSH 0.0.0.0 0.0.0.0 management

  SSH timeout 5

  Console timeout 0

  interface ID client DHCP-client to the outside

  a basic threat threat detection

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  WebVPN

  internal group testgroup strategy

  testgroup group policy attributes

  Split-tunnel-policy tunnelspecified

  value of Split-tunnel-network-list split_tunnel

  user1 fvosA8L1anfyxTw3 encrypted password username

  tunnel-group testgroup type remote access

  tunnel-group testgroup General attributes

  address testpool pool

  strategy-group-by default testgroup

  testgroup group tunnel ipsec-attributes

  IKEv1 pre-shared-key *.

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  maximum message length automatic of customer

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  Review the ip options

  !

  global service-policy global_policy

  What's wrong?

  TNX!

  Hello

  I would like to change the current reserve of VPN to something overlapping to the LAN.

  You're also missing NAT0 for the VPN Client connection that is your problem more likely.

  You can try these changes

  mask of 192.168.100.1 - local 192.168.100.254 pool POOL VPN IP 255.255.255.0

  tunnel-group testgroup General attributes

  No address testpool pool

  address VPN-POOL pool

  no ip local pool testpool 192.168.10.240 - 192.168.10.250 mask 255.255.255.0

  the object of the LAN network

  192.168.10.0 subnet 255.255.255.0

  network of the VPN-POOL object

  255.255.255.0 subnet 192.168.100.0

  NAT static destination LAN LAN (indoor, outdoor) static source VPN-VPN-POOL

  You can also change your settings for encryption for anything other than a. You can use AES.

  Hope this helps

  Let us know if this helped.

  Don't forget to mark a reply as the answer if it answered your question.

  Feel free to ask more if necessary

  -Jouni

• Cannot print to a network via vpn printer

  Installed an EnGenius ESR750H router and configure the L2TP VPN server and Win 7 SP1 VPN client.   The client connects and implements the VPN.

  I can access the drives mapped to WHS v1 (Windows Home Server) and NAS (Network attached storage() and I can access the NAS login screen.

  I can't access screen for the old DLink DIR-655 Router now used as a WAP only [wireless access point] connection.

  I can't print the two printers on network at the office. LaserJets HP4000 & HP4050 with SNMP disabled in the configuration of printer Win7 - if on, they show offline.

  And I can't RDC (Remote Desktop connection) the ESM.

  A computer on the LAN Office can do anything, so everything works.

  Some time back, I have all work by the VPN ESR750H - all this - and I was so happy to finally access.  At that time there I had not yet removed on the WHS VPN configuration.

  Then the next day, a fool to UNRWA [the boss] decided to move things on a network segment and everything, including internet access, went to-well, you know where.  During the frenetic fray next I took the VPN of the WHS, but left the remote control to connect to.  More I have him help locate the bad wiring and bad switch causing the problem.

  I could not even get it all back to what I had it one evening.  There must be something stupid.

  The DRC to the WHS says the server error is not on, not available on the network, or is not remote connect lit, but the boss can rdc to the MSS on the local network.

  Printers and the DIR-655 all come with the same message of troubleshooting when I go to IP addresses through the browser with the connected VPN.

  (device) is detected and online but does not - does not not to connections on port 80, possibly firewall or do security policy issues - no problems with the firewall on my computer.

  I tried port forwarding 80 printing - no joy.

  Thanks in advance.

  Bob

  Hello Rafisher,

  Thanks for posting the question on the Microsoft Community.

  The question you posted would be better suited in TechNet community support. I suggest you to check with TechNet support to solve the problem.

  http://social.technet.Microsoft.com/forums/en-us/newThread

  I hope that helps you find the solution for your problem. If you have other problems with Windows in the future, please post in the Windows community. We would be happy to help you.

• Windows 2003 cannot access remote network via Cisco VPN

  I have two computers at home, an XP Pro SP2 and another is Windows 2003 server SP1. If I set Cisco VPN XP (version 4.6) the Office (ASA 5510), I can access the office network resources. However, if I set the Cisco VPN on 2003, can I? t do the same thing. After studying the two routing tables, I think XP has this road: 192.168.0.0 255.255.0.0 192.168.101.5 192.168.101.5 1, but the 2003 doesn't? t. If I add this route manually (rou? add 192.168.0.0 mask 255.255.255.0 192.168.101.3) 2003, then I can access resources. Why?

  tale of 2003 routing.

  Active routes:

  Network Destination gateway metric Interface subnet mask

  0.0.0.0 0.0.0.0 192.168.10.1 192.168.10.3 40

  x.x.x.37 255.255.255.255 192.168.10.1 192.168.10.3 1

  127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1

  192.168.10.0 255.255.255.0 192.168.10.3 192.168.10.3 40

  192.168.10.3 255.255.255.255 127.0.0.1 127.0.0.1 40

  192.168.10.255 255.255.255.255 192.168.10.3 192.168.10.3 40

  192.168.101.0 255.255.255.0 192.168.101.3 192.168.101.3 10

  192.168.101.3 255.255.255.255 127.0.0.1 127.0.0.1 10

  192.168.101.255 255.255.255.255 192.168.101.3 192.168.101.3 10

  224.0.0.0 240.0.0.0 192.168.10.3 192.168.10.3 40

  224.0.0.0 240.0.0.0 192.168.101.3 192.168.101.3 10

  255.255.255.255 255.255.255.255 192.168.10.3 192.168.10.3 1

  255.255.255.255 255.255.255.255 192.168.101.3 192.168.101.3 1

  Default gateway: 192.168.10.1

  ===========================================================================

  Persistent routes:

  None

  VPN client has not been tested on Win2003. Customer requirements are described here:

  http://www.Cisco.com/univercd/CC/TD/doc/product/VPN/client/4_6/relnt/4604cln.htm#wp1024664

  and the show to competition of WinXP is supported.

• ESXi hosts SBS 2011, clients lose network via VPN

  Greetings,

  We have an ESXi Server (in a lab environment) who perform a SBS 2011 and a Windows 2003 (Terminal Server).

  We have two locations, connected via a VPN IPSec (2 boxes of ClearOS).

  The ESXi host is located in building r. customers in the construction of an experience no problem at all.

  Customers in the building B often lose connectivity to network share. We also failed when copying data. Do not forget that the servers are located in the building and issues affecting only users in the B building.

  We noticed the event ID 2012 on the VM SBS 2011 event viewer.

  The two buildings are connected to a cable broadband 10 mb / 1 mb ISP.

  NOD32 Antivirus is installed on the two virtual machines

  Any help would be appreciated!

  Thank you

  Fred9777

  Hello

  There are a few things to look out for more such links. The following steps were made on W2K and W2K3, so that they are still applicable for you.

  (1) is the VPN capable to manage the packet being sent by site B MTU size, sometimes the MTU on VPN size must be less than the default value of 1500 set LAN. You can check this scathing your server with a command like

  ping f-l 1500

  If you get a message like "packet needs to be fragmented but DF parameter.

  You will need to reduce the size of the MTU TCP/IP in the client registry. Try to ping the server with a size of 500 bytes and see how it goes.

  (2) setting the server TCP/IP stack

  In the registry HKLM \SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, create or modify value DWORD of TcpMaxDataRetransmissions. By default, it is set to 5, but I recommend double this value to 10. The TcpMaxDataRetransmissions value is the number of retransmissions of TCP of a data segment without acknowledgement of receipt on an existing connection. TCP retransmits data segments until they are acknowledged or until the expiry of this value. Basically, when a client does not meet a package from the server, the server will attempt to retransmit the packet until TcpMaxDataRetransmissions many times. By increasing this value, you give the customer more time to answer on the server, which will help improve the flaky connections or connections with latency or higher than normal packet loss.

  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveInterval and HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime.

  Both entered DWORD.
  KeepAliveInterval determines the interval between retransmissions keep until a response is received. If a response is received, the delay until the next keep alive transmission is again controlled by the value of KeepAliveTime.
  The connection will be broken once the number of retransmissions specified by TcpMaxDataRetransmissions is remained. KeepAliveInterval is set by default at 1000, which is one second.
  KeepAliveTime controls how many times TCP attempts to verify that an idle connection is still intact by sending a living package of the Dungeon. If the remote system is still reachable and running, he will acknowledge receipt of the living transmission to keep. KeepAliveTime is set by default to 7 200 000, or 2 hours.

  I hope this helps.

• Traffic of Client VPN routing via VPN Site to Site

  Hello

  We have the following scenario:

  • Office (192.168.2.x)
  • Data Center (212.64.x.x)
  • Home workers (192.168.2.x) (scope DHCP is in the office subnet)

  Connections:

  • Desktop to Data Center traffic is routed through a Site at IPSec VPN, which works very well.
  • Welcome to the office is routed through a Site IPSec VPN Client.

  The question we have right now, is the Client VPN works, and we have implemented a split tunnel which includes only the subnet of the Office for a list of network.

  What I have to do, is to route all traffic to home' to 'Data Center' by site to Site VPN is configured.

  I tried to add the ranges of IP data center to the list of Client VPN Split tunnel, but when I do that and try to connect at home, I just get a "connection timed out" or denied, as if she was protected by a firewall?

  Could you please let me know what I missed?

  Result of the command: "show running-config"
  : Saved
  :
  ASA Version 8.2(5)
  !
  hostname ciscoasa
  domain-name skiddle.internal
  enable password xxx encrypted
  passwd xxx encrypted
  names
  name 188.39.51.101 dev.skiddle.com description Dev External
  name 192.168.2.201 dev.skiddle.internal description Internal Dev server
  name 164.177.128.202 www-1.skiddle.com description Skiddle web server
  name 192.168.2.200 Newserver
  name 217.150.106.82 Holly
  !
  interface Ethernet0/0
  switchport access vlan 2
  !
  interface Ethernet0/1
  !
  interface Ethernet0/2
  !
  interface Ethernet0/3
  shutdown
  !
  interface Ethernet0/4
  shutdown
  !
  interface Ethernet0/5
  shutdown
  !
  interface Ethernet0/6
  shutdown
  !
  interface Ethernet0/7
  shutdown
  !
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.2.254 255.255.255.0
  !
  interface Vlan2
  nameif outside
  security-level 0
  ip address 192.168.3.250 255.255.255.0
  !
  !
  time-range Workingtime
  periodic weekdays 9:00 to 18:00
  !
  ftp mode passive
  clock timezone GMT/BST 0
  clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
  dns domain-lookup inside
  dns server-group DefaultDNS
  name-server Newserver
  domain-name skiddle.internal
  same-security-traffic permit inter-interface
  object-group service Mysql tcp
  port-object eq 3306
  object-group protocol TCPUDP
  protocol-object udp
  protocol-object tcp
  object-group network rackspace-public-ips
  description Rackspace Public IPs
  network-object 164.177.132.16 255.255.255.252
  network-object 164.177.132.72 255.255.255.252
  network-object 212.64.147.184 255.255.255.248
  network-object 164.177.128.200 255.255.255.252
  object-group network Cuervo
  description Test access for cuervo
  network-object host Holly
  object-group service DM_INLINE_TCP_1 tcp
  port-object eq www
  port-object eq https
  object-group service DM_INLINE_TCP_2 tcp
  port-object eq www
  port-object eq https
  object-group service DM_INLINE_TCP_3 tcp
  port-object eq www
  port-object eq https
  object-group service DM_INLINE_TCP_4 tcp
  port-object eq www
  port-object eq https
  access-list inside_access_in extended permit ip any any
  access-list outside_access_in remark ENABLES Watermark Wifi ACCESS TO DEV SERVER!
  access-list outside_access_in extended permit tcp 188.39.51.0 255.255.255.0 interface outside object-group DM_INLINE_TCP_4 time-range Workingtime
  access-list outside_access_in remark ENABLES OUTSDIE ACCESS TO DEV SERVER!
  access-list outside_access_in extended permit tcp any interface outside object-group DM_INLINE_TCP_3
  access-list outside_access_in remark Public Skiddle Network > Dev server
  access-list outside_access_in extended permit tcp 192.168.3.0 255.255.255.0 interface outside eq www
  access-list outside_access_in extended permit tcp object-group rackspace-public-ips interface outside eq ssh
  access-list outside_access_in remark OUTSIDE ACCESS TO DEV SERVER
  access-list outside_access_in extended permit tcp object-group Cuervo interface outside object-group DM_INLINE_TCP_1 inactive
  access-list outside_access_in extended permit tcp 192.168.3.0 255.255.255.0 host dev.skiddle.internal object-group DM_INLINE_TCP_2 inactive
  access-list inside_access_in_1 remark HTTP OUT
  access-list inside_access_in_1 extended permit tcp any any eq www
  access-list inside_access_in_1 remark HTTPS OUT
  access-list inside_access_in_1 extended permit tcp any any eq https
  access-list inside_access_in_1 remark SSH OUT
  access-list inside_access_in_1 extended permit tcp any any eq ssh
  access-list inside_access_in_1 remark MYSQL OUT
  access-list inside_access_in_1 extended permit tcp any host 164.177.128.200 object-group Mysql
  access-list inside_access_in_1 remark SPHINX OUT
  access-list inside_access_in_1 extended permit tcp any host 164.177.128.200 eq 3312
  access-list inside_access_in_1 remark DNS OUT
  access-list inside_access_in_1 extended permit object-group TCPUDP host Newserver any eq domain
  access-list inside_access_in_1 remark PING OUT
  access-list inside_access_in_1 extended permit icmp any any
  access-list inside_access_in_1 remark Draytek Admin
  access-list inside_access_in_1 extended permit tcp any 192.168.3.0 255.255.255.0 eq 4433
  access-list inside_access_in_1 remark Phone System
  access-list inside_access_in_1 extended permit tcp any 192.168.3.0 255.255.255.0 eq 35300 log disable
  access-list inside_access_in_1 remark IPSEC VPN OUT
  access-list inside_access_in_1 extended permit udp any host 94.236.41.227 eq 4500
  access-list inside_access_in_1 remark IPSEC VPN OUT
  access-list inside_access_in_1 extended permit udp any host 94.236.41.227 eq isakmp
  access-list inside_access_in_1 remark Office to Rackspace OUT
  access-list inside_access_in_1 extended permit ip 192.168.2.0 255.255.255.0 object-group rackspace-public-ips
  access-list inside_access_in_1 remark IMAP OUT
  access-list inside_access_in_1 extended permit tcp any any eq imap4
  access-list inside_access_in_1 remark FTP OUT
  access-list inside_access_in_1 extended permit tcp any any eq ftp
  access-list inside_access_in_1 remark FTP DATA out
  access-list inside_access_in_1 extended permit tcp any any eq ftp-data
  access-list inside_access_in_1 remark SMTP Out
  access-list inside_access_in_1 extended permit tcp any any eq smtp
  access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object-group rackspace-public-ips
  access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.100.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 object-group rackspace-public-ips
  access-list inside_nat0_outbound extended permit ip any 192.168.2.128 255.255.255.224
  access-list inside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object-group rackspace-public-ips
  access-list outside_1_cryptomap_1 extended permit tcp 192.168.2.0 255.255.255.0 object-group rackspace-public-ips eq ssh
  access-list RACKSPACE-cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 object-group rackspace-public-ips
  access-list RACKSPACE-TEST extended permit ip host 94.236.41.227 any
  access-list RACKSPACE-TEST extended permit ip any host 94.236.41.227
  access-list InternalForClientVPNSplitTunnel remark Inside for VPN
  access-list InternalForClientVPNSplitTunnel standard permit 192.168.2.0 255.255.255.0
  access-list InternalForClientVPNSplitTunnel remark Rackspace
  access-list InternalForClientVPNSplitTunnel standard permit 164.177.128.200 255.255.255.252
  access-list InternalForClientVPNSplitTunnel remark Rackspace
  access-list InternalForClientVPNSplitTunnel standard permit 164.177.132.16 255.255.255.252
  access-list InternalForClientVPNSplitTunnel remark Rackspace
  access-list InternalForClientVPNSplitTunnel standard permit 164.177.132.72 255.255.255.252
  access-list InternalForClientVPNSplitTunnel remark Rackspace
  access-list InternalForClientVPNSplitTunnel standard permit 212.64.147.184 255.255.255.248
  pager lines 24
  logging enable
  logging console debugging
  logging monitor debugging
  logging buffered debugging
  logging trap debugging
  logging asdm warnings
  logging from-address [email protected]/* */
  logging recipient-address [email protected]/* */ level errors
  mtu inside 1500
  mtu outside 1500
  ip local pool CiscoVPNDHCPPool 192.168.2.130-192.168.2.149 mask 255.255.255.0
  ip verify reverse-path interface inside
  ip verify reverse-path interface outside
  ipv6 access-list inside_access_ipv6_in permit tcp any any eq www
  ipv6 access-list inside_access_ipv6_in permit tcp any any eq https
  ipv6 access-list inside_access_ipv6_in permit tcp any any eq ssh
  ipv6 access-list inside_access_ipv6_in permit icmp6 any any
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any outside
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  static (inside,outside) tcp interface www dev.skiddle.internal www netmask 255.255.255.255
  static (inside,outside) tcp interface ssh dev.skiddle.internal ssh netmask 255.255.255.255
  access-group inside_access_in in interface inside control-plane
  access-group inside_access_in_1 in interface inside
  access-group inside_access_ipv6_in in interface inside
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 192.168.3.254 10
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication telnet console LOCAL
  aaa authentication enable console LOCAL
  http server enable 4433
  http 192.168.1.0 255.255.255.0 inside
  http 192.168.2.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 86400
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
  crypto map outside_map 1 match address RACKSPACE-cryptomap_1
  crypto map outside_map 1 set pfs
  crypto map outside_map 1 set peer 94.236.41.227
  crypto map outside_map 1 set transform-set ESP-AES-128-SHA
  crypto map outside_map 1 set security-association lifetime seconds 86400
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto ca trustpoint _SmartCallHome_ServerCA
  crl configure
  crypto ca certificate chain _SmartCallHome_ServerCA
  certificate ca xxx
  quit
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication crack
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 20
  authentication rsa-sig
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 30
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 40
  authentication crack
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 50
  authentication rsa-sig
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 60
  authentication pre-share
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 70
  authentication crack
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 80
  authentication rsa-sig
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 90
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 100
  authentication crack
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 110
  authentication rsa-sig
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 120
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 130
  authentication crack
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 150
  authentication pre-share
  encryption des
  hash sha
  group 2
  lifetime 86400
  telnet 192.168.1.0 255.255.255.0 inside
  telnet 192.168.2.0 255.255.255.0 inside
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  !
  dhcprelay server 192.68.2.200 inside
  threat-detection basic-threat
  threat-detection scanning-threat
  threat-detection statistics host
  threat-detection statistics access-list
  threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
  ntp server 194.35.252.7 source outside prefer
  webvpn
  port 444
  svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 1 regex "Intel Mac OS X"
  group-policy DfltGrpPolicy attributes
  vpn-tunnel-protocol IPSec webvpn
  group-policy skiddlevpn internal
  group-policy skiddlevpn attributes
  dns-server value 192.168.2.200
  vpn-tunnel-protocol IPSec l2tp-ipsec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value InternalForClientVPNSplitTunnel
  default-domain value skiddle.internal
  username bensebborn password *** encrypted privilege 0
  username bensebborn attributes
  vpn-group-policy skiddlevpn
  username benseb password gXdOhaMts7w/KavS encrypted privilege 15
  tunnel-group 94.236.41.227 type ipsec-l2l
  tunnel-group 94.236.41.227 ipsec-attributes
  pre-shared-key *****
  tunnel-group skiddlevpn type remote-access
  tunnel-group skiddlevpn general-attributes
  address-pool CiscoVPNDHCPPool
  default-group-policy skiddlevpn
  tunnel-group skiddlevpn ipsec-attributes
  pre-shared-key *****
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  policy-map type inspect dns preset_dns_map
  parameters
  message-length maximum client auto
  message-length maximum 512
  policy-map global_policy
  class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  policy-map global-policy
  class inspection_default
  inspect icmp
  inspect icmp error
  inspect ipsec-pass-thru
  inspect ftp
  !
  service-policy global_policy global
  smtp-server 164.177.128.203
  prompt hostname context
  call-home reporting anonymous
  Cryptochecksum:6c2eb43fa1150f9a5bb178c716d8fe2b
  : end
  

  You must even-Security-enabled traffic intra-interface to allow communication between vpn VPN.

  With respect,

  Safwan

  Remember messages useful rate.

• Need help to access the internal network via VPN on ASA5505 8.4 (1)

  Recently, I upgraded my ASA5055 from 8.02 to 8.4 and since I have updated to the new version I can access my home network is no longer through the VPN. I can connect to the VPN with no problems however I can no longer ping or you connect to my network of 10.0. Someone would be kind enough to look at my config and tell me what needs to be added to make it work? In my old config, I had a statement of NAT for VPN that is no longer here.

  I also wanted to configure WebVPN to work as well, and this is something that I've never been able to understand. Is it also possible that I can be on my 20.0 network and connect to the VPN and access 10.0 as well? When it is connected to my network of 20.0 I'm not received credentials to connect to the VPN. I would be grateful if someone can help out me. The major part of this is the first part of this question.

  My configuration:

  ASA Version 8.4 (1)

  !

  ASA5505 hostname

  domain xxxxxxxx.dyndns.org

  enable encrypted password xxxxxxxxxxxx

  xxxxxxxxxxxxxxx encrypted passwd

  names of

  nameserver 192.168.10.2

  Office of name 192.168.10.3

  name Canon 192.168.10.5

  name 192.168.10.6 mvix

  name 192.168.10.7 xbox

  name 192.168.10.8 dvr

  name 192.168.10.9 bluray

  name 192.168.10.10 lcd

  name 192.168.10.11 mp620

  name 192.168.10.12 kayla

  name 192.168.1.1 asa5505

  name 192.168.1.2 ap1

  name 192.168.10.4 mvix2

  name 192.168.10.13 lcd2

  name 192.168.10.14 dvr2

  !

  interface Vlan1

  nameif management

  security-level 100

  IP address asa5505 255.255.255.248

  management only

  !

  interface Vlan2

  0050.8db6.8287 Mac address

  nameif outside

  security-level 0

  IP address dhcp setroute

  !

  interface Vlan10

  nameif private

  security-level 100

  IP 192.168.10.1 255.255.255.224

  !

  interface Vlan20

  nameif Public

  security-level 100

  IP 192.168.20.1 255.255.255.224

  !

  interface Ethernet0/0

  Description pointing to WAN

  switchport access vlan 2

  !

  interface Ethernet0/1

  Uplink port Linksys 12 description

  switchport access vlan 10

  !

  interface Ethernet0/2

  Description Server 192.168.10.2/27

  switchport access vlan 10

  !

  interface Ethernet0/3

  Uplink Eth1 management description

  !

  interface Ethernet0/4

  switchport access vlan 30

  !

  interface Ethernet0/5

  switchport access vlan 30

  !

  interface Ethernet0/6

  switchport access vlan 30

  !

  interface Ethernet0/7

  Description of Cisco 1200 Access Point

  switchport trunk allowed vlan 1,10,20

  switchport trunk vlan 1 native

  switchport mode trunk

  !

  Banner motd users only, all others must disconnect now!

  boot system Disk0: / asa841 - k8.bin

  passive FTP mode

  clock timezone PST - 8

  clock summer-time recurring PDT

  DNS server-group DefaultDNS

  domain xxxxxxx.dyndns.org

  network object obj - 192.168.50.0

  192.168.50.0 subnet 255.255.255.0

  Server network objects

  host 192.168.10.2

  network object obj - 192.168.10.0

  192.168.10.0 subnet 255.255.255.224

  network object obj - 192.168.20.0

  subnet 192.168.20.0 255.255.255.224

  network server-01 object

  host 192.168.10.2

  network server-02 object

  host 192.168.10.2

  xbox network object

  Home 192.168.10.7

  xbox-01 network object

  Home 192.168.10.7

  xbox-02 network object

  Home 192.168.10.7

  xbox-03 network object

  Home 192.168.10.7

  xbox-04 network object

  Home 192.168.10.7

  network server-03 object

  host 192.168.10.2

  network server-04 object

  host 192.168.10.2

  network server-05 object

  host 192.168.10.2

  Desktop Network object

  host 192.168.10.3

  kayla network object

  Home 192.168.10.12

  Home_VPN_splitTunnelAcl list standard access allowed 192.168.10.0 255.255.255.224

  outside_access_in list extended access permit tcp any any eq 3389

  outside_access_in list extended access permit tcp any any eq 2325

  outside_access_in list extended access permit tcp any eq ftp server object

  outside_access_in list extended access permit tcp any any eq 5851

  outside_access_in list extended access udp allowed any any eq 5850

  outside_access_in list extended access permit tcp any any eq pptp

  outside_access_in list extended access udp allowed any any eq syslog

  outside_access_in list extended access udp allowed any any eq 88

  outside_access_in list extended access udp allowed any any eq 3074

  outside_access_in list extended access permit tcp any any eq 3074

  outside_access_in list extended access permit tcp any any eq field

  outside_access_in list extended access udp allowed any any eq field

  outside_access_in list extended access permitted tcp everything any https eq

  outside_access_in list extended access permit tcp any eq ssh server object

  outside_access_in list extended access permit tcp any any eq 2322

  outside_access_in list extended access permit tcp any any eq 5900

  outside_access_in list extended access permit icmp any any echo response

  outside_access_in list extended access permit icmp any any source-quench

  outside_access_in list extended access allow all unreachable icmp

  outside_access_in list extended access permit icmp any one time exceed

  outside_access_in list extended access udp allowed any any eq 5852

  KaileY_splitTunnelAcl list standard access allowed 192.168.10.0 255.255.255.224

  pager lines 24

  Enable logging

  timestamp of the record

  exploitation forest-size of the buffer of 36000

  logging warnings put in buffered memory

  recording of debug trap

  asdm of logging of information

  address record [email protected] / * /

  exploitation forest-address recipient [email protected] / * / level of errors

  Management Server host forest

  MTU 1500 management

  Outside 1500 MTU

  MTU 1500 private

  MTU 1500 Public

  local pool IPPOOL 192.168.50.2 - 192.168.50.10 255.255.255.0 IP mask

  local pool VPN_POOL 192.168.100.2 - 192.168.100.10 255.255.255.0 IP mask

  no failover

  ICMP unreachable rate-limit 1 burst-size 1

  ICMP allow all outside

  ASDM image disk0: / asdm - 641.bin

  don't allow no asdm history

  ARP timeout 14400

  !

  Server network objects

  NAT (private, foreign) static tcp ftp 5851 service interface

  network object obj - 192.168.10.0

  NAT (private, foreign) dynamic interface

  network object obj - 192.168.20.0

  NAT (outside) dynamic public interface

  network server-01 object

  NAT (private, outside) interface static 2325 2325 tcp service

  network server-02 object

  NAT (private, outside) interface static udp syslog syslog service

  xbox network object

  NAT (private, outside) interface static service udp 88 88

  xbox-01 network object

  NAT (private, outside) interface static service udp 3074-3074

  xbox-02 network object

  NAT (private, outside) interface static service tcp 3074-3074

  xbox-03 network object

  NAT (private, outside) interface static tcp domain domain service

  xbox-04 network object

  field of the udp NAT (private, foreign) of the static interface function

  network server-03 object

  NAT (private, outside) interface static tcp https https service

  network server-04 object

  Static NAT (private, outside) interface service tcp ssh 2322

  network server-05 object

  NAT (private, outside) interface static 5900 5900 tcp service

  Desktop Network object

  NAT (private, outside) interface static service tcp 3389 3389

  kayla network object

  NAT (private, outside) interface static service udp 5852 5852

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  dynamic-access-policy-registration DfltAccessPolicy

  AAA authentication enable LOCAL console

  AAA authentication http LOCAL console

  the ssh LOCAL console AAA authentication

  AAA authentication LOCAL telnet console

  Enable http server

  http 192.168.1.0 255.255.255.248 management

  redirect http outside 80

  location of SNMP server on the Office floor

  SNMP Server contact [email protected] / * /

  Community SNMP-server

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  No vpn sysopt connection permit

  Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

  Crypto-map dynamic outside_dyn_map pfs set 20 Group1

  Crypto-map dynamic outside_dyn_map 20 set transform-set ESP-3DES-SHA ikev1

  life together - the association of security crypto dynamic-map outside_dyn_map 20 28800 seconds

  Crypto-map dynamic outside_dyn_map 20 kilobytes of life together - the association of safety 4608000

  map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

  outside_map interface card crypto outside

  Crypto ikev1 allow outside

  IKEv1 crypto policy 10

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  Telnet timeout 5

  SSH 192.168.1.0 255.255.255.248 management

  SSH 0.0.0.0 0.0.0.0 outdoors

  SSH timeout 30

  Console timeout 30

  access to administration management

  dhcpd dns 24.205.1.14 66.215.64.14

  dhcpd ping_timeout 750

  dhcpd field xxxxxxxx.dyndns.org

  dhcpd outside auto_config

  !

  dhcpd manage 192.168.1.4 - 192.168.1.5

  dhcpd enable management

  !

  dhcpd address private 192.168.10.20 - 192.168.10.30

  enable private dhcpd

  !

  dhcpd 192.168.20.2 public address - 192.168.20.30

  dhcpd enable Public

  !

  a basic threat threat detection

  statistical threat detection port

  Statistical threat detection Protocol

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  Server NTP 192.43.244.18

  Server NTP 129.6.15.28

  WebVPN

  internal Home_VPN group strategy

  attributes of Group Policy Home_VPN

  value of 8.8.8.8 DNS Server 4.2.2.2

  Ikev1 VPN-tunnel-Protocol without ssl-client

  Split-tunnel-policy tunnelspecified

  value of Split-tunnel-network-list Home_VPN_splitTunnelAcl

  value by default-field www.xxxxxx.com

  the address value IPPOOL pools

  WebVPN

  the value of the URL - list ClientlessBookmark

  political group internal kikou

  group attributes political kikou

  value of 8.8.8.8 DNS Server 4.2.2.2

  Ikev1 VPN-tunnel-Protocol

  Split-tunnel-policy tunnelspecified

  value of Split-tunnel-network-list KaileY_splitTunnelAcl

  XXXXXXX.dyndns.org value by default-field

  username scottrog encrypted password privilege 0 xxxxxxxxxxxxxx

  user_name john encrypted password privilege 0 xxxxxxxxxxxxxxx

  username joek encrypted password privilege 0 xxxxxxxxxxxx

  eostrike encrypted xxxxxxxxxxxx privilege 15 password username

  username almostsi encrypted password privilege 0 xxxxxxxxxxxxxx

  username ezdelarosa password xxxxxxxxxxxxxxencrypted privilege 0

  type tunnel-group Home_VPN remote access

  attributes global-tunnel-group Home_VPN

  IPPOOL address pool

  LOCAL authority-server-group

  authorization-server-group (outside LOCAL)

  Group Policy - by default-Home_VPN

  authorization required

  IPSec-attributes tunnel-group Home_VPN

  IKEv1 pre-shared-key *.

  type tunnel-group SSLClientProfile remote access

  tunnel-group SSLClientProfile webvpn-attributes

  enable SSLVPNClient group-alias

  tunnel-group type ClientLESS remote access

  tunnel-group kanazoé type remote access

  attributes global-tunnel-group kanazoé

  address VPN_POOL pool

  by default-group-policy kikou

  tunnel-group KaileY ipsec-attributes

  IKEv1 pre-shared-key *.

  by default-group Home_VPN tunnel-Group-map

  !

  !

  context of prompt hostname

  call-home

  Profile of CiscoTAC-1

  no active account

  http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address

  email address of destination [email protected] / * /

  destination-mode http transport

  Subscribe to alert-group diagnosis

  Subscribe to alert-group environment

  Subscribe to alert-group monthly periodic inventory

  monthly periodicals to subscribe to alert-group configuration

  daily periodic subscribe to alert-group telemetry

  Cryptochecksum:438ed6084bb3dc956574b1ce83f52b86

  : end

  ASA5505 #.

  Here are the declarations of NAT for your first question:

  network object obj - 192.168.100.0

  255.255.255.0 subnet 192.168.100.0

  NAT (private, foreign) source static obj - 192.168.10.0 obj - 192.168.10.0 destination static obj - 192.168.50.0 obj - 192.168.50.0

  NAT (private, foreign) source static obj - 192.168.10.0 obj - 192.168.10.0 destination static obj - 192.168.100.0 obj - 192.168.100.0

  And 'clear xlate' after the above and that should fix your first question.

  I would check your second question and get back to you shortly.

• cannot ping between remote vpn site?

  vpn l2l site A, site B is extension vpn network, connect to the same vpn device 5510 to the central office and work well.  I can ping from central office for two remote sites, but I cannot ping between these two vpn sites?  Tried to debug icmp, I can see the icmp side did reach central office but then disappeared! do not send B next?  Help, please...

  permit same-security-traffic inter-interface
  permit same-security-traffic intra-interface
  !
  object-group network SITE-a.
  object-network 192.168.42.0 255.255.255.0
  !
  object-group network SITE-B
  object-network 192.168.46.0 255.255.255.0
  !
  extended OUTSIDE allowed a whole icmp access list
  HOLT-VPN-ACL extended access-list allow ip object-CBO-NET object group SITE-a.
  !
  destination SITE-a NAT (outside, outside) static source SITE - a static SITE to SITE-B-B
  !
  address for correspondence card crypto VPN-card 50 HOLT-VPN-ACL
  card crypto VPN-card 50 peers set *. *.56.250
  card crypto VPN-card 50 set transform-set AES-256-SHA ikev1
  VPN-card interface card crypto outside
  !
  internal strategy group to DISTANCE-NETEXTENSION
  Remote CONTROL-NETEXTENSION group policy attributes
  value of DNS server *. *. *. *
  VPN-idle-timeout no
  Ikev1 VPN-tunnel-Protocol
  Split-tunnel-policy tunnelspecified
  Split-tunnel-network-list value REMOTE-NET2
  value by default-field *.org
  allow to NEM
  !
  remote access of type tunnel-group to DISTANCE-NETEXTENSION
  Global DISTANCE-NETEXTENSION-attributes tunnel-group
  authentication-server-group (inside) LOCAL
  Group Policy - by default-remote CONTROL-NETEXTENSION
  IPSec-attributes tunnel-group to DISTANCE-NETEXTENSION
  IKEv1 pre-shared-key *.
  tunnel-group *. *.56.250 type ipsec-l2l
  tunnel-group *. *.56.250 ipsec-attributes
  IKEv1 pre-shared-key *.
  !

  !

  ASA - 5510 # display route. include the 192.168.42
  S 192.168.42.0 255.255.255.0 [1/0] via *. *. 80.1, outside
  ASA - 5510 # display route. include the 192.168.46
  S 192.168.46.0 255.255.255.0 [1/0] via *. *. 80.1, outside
  ASA-5510.

  !
  Username: Laporte-don't Index: 10
  Assigned IP: 192.168.46.0 public IP address: *. *.65.201
  Protocol: IKEv1 IPsecOverNatT
  License: Another VPN
  Encryption: 3DES hash: SHA1
  TX Bytes: bytes 11667685 Rx: 1604235
  Group Policy: Group remote CONTROL-NETEXTENSION Tunnel: remote CONTROL-NETEXTENSION
  Opening time: 08:19:12 IS Thursday, February 12, 2015
  Duration: 6 h: 53 m: 29 s
  Inactivity: 0 h: 00 m: 00s
  Result of the NAC: unknown
  Map VLANS: VLAN n/a: no
  !
  ASA - 5510 # display l2l vpn-sessiondb

  Session type: LAN-to-LAN

  Connection: *. *.56.250
  Index: 6 IP Addr: *. *.56.250
  Protocol: IPsec IKEv1
  Encryption: AES256 3DES hash: SHA1
  TX Bytes: bytes 2931026707 Rx: 256715895
  Connect time: 02:00:41 GMT Thursday, February 12, 2015
  Duration: 13: 00: 10:00

  Hi Rico,

  You need dynamic nat (for available IP addresses) for the two side to every subset of remote access to the other side remote subnet and so they can access every other subnet as if both from the traffic from your central location.

  example:

  Say, this IP (10.10.10.254) is unused IP to the central office, allowed to access remote tunnel 'A' and 'B' of the site.

  object-group network SITE-a.
  object-network 192.168.42.0 255.255.255.0
  !
  object-group network SITE-B
  object-network 192.168.46.0 255.255.255.0

  dynamic source destination SITE-a. 10.10.10.254 NAT (outdoors, outdoor)
  public static SITE SITE-B-B

  destination NAT (outdoors, outdoor) SITE-B 10.10.10.254 dynamic source
  SITE static-SITE a

  Hope this helps

  Thank you

  Rizwan James

• Site to site between ASA 8.2 VPN, cannot ping

  Two 8.2 ASA is configured with a VPN tunnel from site to site, as shown in the diagram:

  

  Here is my setup for both.

  Clients on the inside network to the ASA cannot ping inside, network clients, else the ASA. Why not?

  When the rattling from inside network SALMONARM inside network of KAMLOOPS, the following debug logs can be seen on SALMONARM:

  %ASA-7-609001: Built local-host outside:10.30.7.2
  %ASA-6-302020: Built outbound ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512
  %ASA-6-302021: Teardown ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512
  %ASA-7-609002: Teardown local-host outside:10.30.7.2 duration 0:00:02
  %ASA-7-609001: Built local-host outside:10.30.7.2
  %ASA-6-302020: Built outbound ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512
  %ASA-6-302021: Teardown ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512
  %ASA-7-609002: Teardown local-host outside:10.30.7.2 duration 0:00:02
  %ASA-7-609001: Built local-host outside:10.30.7.2
  %ASA-6-302020: Built outbound ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512
  ...
  

  Each attempt to ping responds with "Request timed out" on the computer of ping.

  Why clients cannot mutually ping on the VPN tunnel?

  Hello

  Create a NAT0 ACL at both ends.

  ex: 10.30.0.0 ip access-list extended SHEEP 255.255.0.0 allow 10.45.0.0 255.255.0.0

  NAT (inside) 0 access-list SHEEP

  THX

  MS

  Edit: at the beginning, I mentioned ACL #, it may not work.